
Re: Setting constant-time mode CPU flag



On Tue, Sep 06, 2022 at 10:01:00AM +0000, Andrew Cooper wrote:
> On 06/09/2022 10:52, Jan Beulich wrote:
> > On 02.09.2022 04:05, Demi Marie Obenour wrote:
> >> On Intel chips (Ice Lake and later) and ARM64, a bit needs to be set in
> >> a CPU register to enforce constant-time execution.  Linux plans to set
> >> this bit by default; Xen should do the same.  See
> >> https://lore.kernel.org/lkml/YwgCrqutxmX0W72r@xxxxxxxxx/T/ for details.
> >> I recommend setting the bit unconditionally and ignoring guest attempts
> >> to change it.
> > I don't think we ought to set it by default; I can see reasons why kernels
> > may want to set it by default (providing a way to turn it off). In Xen
> > what I think we need is exposure of the bit to be guest-controllable.
> 
> We absolutely should not have it set by default.  It's a substantial
> overhead for something that is only applicable to code which is otherwise
> crafted to be constant-time.

Either Xen needs to set the bit by default, or guests need to both know
the bit needs to be set and be able to set it.  Otherwise code that *is*
intended to be constant-time has no way to protect itself.

> As for why Xen doesn't enumerate/virtualise it, that's because
> virtualising MSR_ARCH_CAPS for guests is still not working yet, so the
> feature can't be enumerated yet even if we did support context switching it.

Intel and ARM64 guarantee that CPUs that do not enumerate this flag
behave as if it is set unconditionally.  Therefore, Xen’s current
behavior on Intel is incorrect and insecure.  On ARM64, it appears that
the flag is currently a no-op, but as this might change in the future,
Xen should fix its behavior there too.

Without support for virtualising MSR_ARCH_CAPS, the only secure behavior
for Xen on Intel is to unconditionally set the DIT bit.  On ARM8.4+, the
bit currently appears to be a no-op, but as a precautionary measure, Xen
should either set or virtualise it.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
