[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] x86/svm: Intercept and terminate RDPRU with #UD
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Thu, 9 Sep 2021 13:18:00 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=HrrZx/U9kE3EnNeaVe7vUWQx6h2cb3clHB489Nw06hY=; b=hNlcZgztMDKfU7dgICqhmaXG9HnKegmY1ECDo7xAwNN+sOqTLclNevA7amGKI2jPglhNVzA+9kpFgrF9wjVjp3IMAlWqG1yyCFCV0qUrJ23v1IgWk5DRH0Uzyr6sAfXGVJQwhGot63t/WoQebhd3uYI5CV2P47RV+GcGkmzjo3buJXcLxyCqO6Vj6pHGFrNWmkL3xnd8s8CPCY2K+jgeSbf9isZuTejPlNLL8wnUie6TlPHMrJ4I2CNOqXHrJLE0pV+okEQF5xjf1VQKix+KejmayT2PfKZgUM3V6eDwni8igaQx5A9t4Q00Bdz3eUNgeTVe5SBPoFjvKkSXiNsnJA==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U+COnPC3ouNh6HR1/Nah3xQcW/2HtI1re7DxDuhNnsJuirJy95N8Nj2EPTA8yDAa4v/jBWGNECCYMCgTYjGyS/35QzUh8s/kAKg/qBiANqsMRGOfin4pr39lbFrf5c5E3oB4ZAaK7Q0T0a6S98Y7EgBSU1M++gk5wU6weKcsiQzME4o6P42Aen1m2xvNhhzUDY7Q41axuViAxJt8mcvKXC0TqKAvGyLcp2wscXLw5CuT6Za0ZPbjbl4Iw5KnbjkZ2Az9NqEi23Kfi3T2fVsAx9yOCIkaowI6dBWE9XpjzOtna9i+HZ7GZ7J7KLu2+gE/Np4eKqraxTg+Vj8mklZ+WQ==
- Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Thu, 09 Sep 2021 12:18:15 +0000
- Ironport-hdrordr: A9a23:1bBKzKNhwgl1gsBcT1b155DYdb4zR+YMi2TDiHofdfUFSKClfp 6V8cjztSWUtN4QMEtQ/exoS5PwPk80kqQFnbX5XI3SITUO3VHHEGgM1/qb/9SNIVyZygcZ79 YbT0EcMqyBMbEZt7eC3ODQKb9Jq7PmgcPY9ts2jU0dKj2CA5sQnjuRYTzrcHGeKjM2YKbRWK Dsnfau8FGbCAoqh4mAdzU4dtmGg+eOuIPtYBYACRJiwA6SjQmw4Lq/NxSDxB8RXx5G3L9nqA H+4kLEz5Tml8v+5g7X1mfV4ZgTsNz9yuFbDMjJrsQOMD3jhiuheYwkcbyfuzIepv2p9T8R4Z bxiiZlG/42x2Laf2mzrxeo8w780Aw243un8lOciWuLm72zeBsKT+56wa5JeBrQ7EQt+Ptm1r hQ4m6fv51LSTvdgSXU/bHzJlJXv3vxhUBnvf8YjnRZX4dbQqRWt5Yj8ERcF4pFND7m6bogDP JlAKjnlbZrmGuhHjXkV1RUsZiRtixZJGbAfqFCgL3V79FupgE686NCr/Zv2Evp9/oGOtF5Dq r/Q/1VfBwndL5gUUtHPpZ1fSKAMB2Fffv9ChPhHb3ZLtByB5vske+83Fxn3pDmRHQ3pKFC7q gpFmko7VIPRw==
- Ironport-sdr: bJwOn1BB4zuZ6WI59OkbbUH3a7CYukbRZaK7hSck0QADhJmJ/ayfh7EWOlfAgJ3A4034esyLtp SpH5RcdOBifyxIPa322DJ6ICJAiVNYZZUvaIWmFDe+MQckbI0DiPgBglmouwvrxBrPiVEg86Hl mVDfzgsCNZQ6N0m6oJXVVYN0bBkmD+rwdcQ53BTKTLCG81IJzz+GK2UJxzUruKbbaXhnLA0GoT WaEBhI8Oi/M81AKZOh3LPhTJ82Hi0uCUvyk7r3CgnKd1cWsmEjOWpS12IRo9Sd/rc3wkzyY5Ca jSayMxh8ZfOyAP5smWP4sexa
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 09/09/2021 12:47, Jan Beulich wrote:
> On 09.09.2021 13:34, Andrew Cooper wrote:
>> On 09/09/2021 10:57, Jan Beulich wrote:
>>> On 08.09.2021 18:19, Andrew Cooper wrote:
>>>> --- a/xen/arch/x86/hvm/svm/vmcb.c
>>>> +++ b/xen/arch/x86/hvm/svm/vmcb.c
>>>> @@ -70,7 +70,8 @@ static int construct_vmcb(struct vcpu *v)
>>>> GENERAL2_INTERCEPT_STGI | GENERAL2_INTERCEPT_CLGI |
>>>> GENERAL2_INTERCEPT_SKINIT | GENERAL2_INTERCEPT_MWAIT |
>>>> GENERAL2_INTERCEPT_WBINVD | GENERAL2_INTERCEPT_MONITOR |
>>>> - GENERAL2_INTERCEPT_XSETBV | GENERAL2_INTERCEPT_ICEBP;
>>>> + GENERAL2_INTERCEPT_XSETBV | GENERAL2_INTERCEPT_ICEBP |
>>>> + GENERAL2_INTERCEPT_RDPRU;
>>> Some of the other intercepts here suggest it is okay to enable ones
>>> in the absence of support in the underlying hardware, but I thought
>>> I'd double check. I couldn't find any statement either way in the PM.
>>> Assuming this is fine
>> They're just bits in memory. Older CPUs will ignore them, and indeed -
>> pre-RDPRU hardware is fine running with this intercept bit set.
>>
>> Honestly, I've got half a mind to default the intercepts to ~0 rather
>> than 0. For running older Xen on new hardware, it will lead to fewer
>> unexpected surprises.
> I, too, was considering this, but then we have
>
> default:
> unexpected_exit_type:
> gprintk(XENLOG_ERR, "Unexpected vmexit: reason %#"PRIx64", "
> "exitinfo1 %#"PRIx64", exitinfo2 %#"PRIx64"\n",
> exit_reason, vmcb->exitinfo1, vmcb->exitinfo2);
> crash_or_fault:
> svm_crash_or_fault(v);
> break;
> }
>
> at the bottom of the switch() statement handling the exit codes.
> Getting crashed (or crashing because of an unexpected fault) is
> surely a surprise as well (to a guest).
It is less bad than the alternative, which was failing to intercept e.g.
XSETBV.
Something's going to crash or malfunction either way. Intercepting
everything makes it far more obvious, and limits the damage to only the
offending guest.
And yes - this is once again why we really need a credible support
statement for CPUs.
~Andrew
|
