[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/2] x86: Activate Data Operand Invariant Timing Mode by default

  • To: Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Wed, 5 Oct 2022 13:31:37 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=86JnqBAzAn4eW6aJyozuZfmFs4Yl2qTIJGdbe44vE9k=; b=n8LZytumBRhZCO9CT/z2f3bFc7bZnyCuM6KDkQIYNHzkGhAaLsuOliM+E+iLDxL80T7d0kMSGkBgYf7TvwtJ/vMls55RyPlZJv/ducwF+f/XV33h09kHMNWxXIeGASy2WTf9XiR1GdogoYblfHWbJQfgaCwiZC9lLvH5kdGaJNj7LdY9zu+y05tDuulFZKjLdUjcVtHN/7TDYOeZ7c57hzm0JTc48W2Jn3khwKM45Wf/KtyLC5AAKTNqVrVA+QOP0pIS3nqvO/e825hQY4bDZalJumyi6bqLCLcwbV6V9eeMnisUJS3s4gfTMp3ACH4Dk6X3tYiZHcfSSjukRXuSgw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZdkLL3eoupd+JjPUgGvBKDH9+1H5/xkfXd9Oor2NIBZZcR7SWo3JDcwyiLE0x+jDtgWsCbVHkqf3Izx/jvQSsf/o87/huQNEJEQpZt5h4XxsRawArBacYBnb8Nf/GRRZodjelANVFpIBOHfQwV8MC+v+Lvn8FvSvm3VYXEBWG+P7QcFviIbH50Azp5RIHk9ijahHr4vbHo75dZNTMTx7AjvI8Vfl2Suf75hm3p+u+/6hvwOcFe5k69Krswv9jD3v9cDIr2K/ioxS4KhzQa7lx1HvrKoOuDZVcOFe7LnuDpkWBSvkt80Qf9E9V7m4KmFr2ZhrBf0He6mBBDcuskXAJw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 05 Oct 2022 13:31:50 +0000
  • Ironport-data: A9a23:D8p1kqvwlddzdSpOJHASf630BOfnVKZfMUV32f8akzHdYApBsoF/q tZmKWyHOP6DZTbzKI13a4+08EpSuZXcmNNlHAdkpSBgRSpG+JbJXdiXEBz9bniYRiHhoOCLz O1FM4Wdc5pkJpP4jk3wWlQ0hSAkjclkfpKlVKiefHgZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqojUNUTNNwRcawr40Ire7kIy1BjOkGlA5AZnPagW5Aa2e0Q9V/rzG4ngdxMUfaEMdgKKb 76r5K20+Grf4yAsBruN+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+v9T2M4nQVVWk120c+VZk 72hg3ASpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDkl21 twJdj1Sciqjnt+t6piWV9lyhMk8eZyD0IM34hmMzBn/JNN/GNXvZvuP4tVVmjAtmspJAPDSI dIDbiZiZwjBZBsJPUoLDJU5n6GjgXyXnz9w8QrJ4/ZopTWMilUuiNABM/KMEjCObexTklyVu STt+GPhDwtBHNee1SCE4jSngeqncSbTCNhKTeHnr6MCbFu7ykkJWUYyBFGHu6O3kEm1f/1GL UE59X97xUQ13AnxJjXnZDW6qnOZuh8XW/JLDvY3rgqKz8L88wufQ2QJUDNFQNgnr9MtAywn0 EeTmNHkDiApt6eaIVqC8p+EoDX0PjIaRUciaCkeXE066t/siIgpi1TESdMLOKu8lNj8Azzz6 zGMsiklhr8XgNIL1qO05lTOiXSnoZ2hZgI44wT/X2S77xh4boqoe4yp71fA6f9Kao2eSzG8U GMsnsGf6KUCCM+LnSnUGeEVRuj2v7CCLSHWhkNpE9857TOx9nW/fIdWpjZjOENuNcVCcjjsC KPOhT5sCFZoFCPCRcdKj0iZUqzGEYCI+QzZa83p
  • Ironport-hdrordr: A9a23:2nN5XK6yFVifFTtGJwPXwDLXdLJyesId70hD6qkQc3FomwKj9/ xG/c5rsSMc7Qx6ZJhOo7+90cW7L080lqQFhLX5X43SPzUO0VHARO1fBOPZqAEIcBeOlNK1u5 0AT0B/YueAcGSTj6zBkXWF+wBL+qj5zEiq792usUuEVWtRGsZdB58SMHfhLqVxLjM2Y6YRJd 6nyedsgSGvQngTZtTTPAh+YwCSz+e77a4PeHQ9dmYa1DU=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHY2AuYv4kI/POqCU+FUM3MxB3Uxa3/mA0AgAAei4CAABbmgA==
  • Thread-topic: [PATCH 2/2] x86: Activate Data Operand Invariant Timing Mode by default
On 05/10/2022 13:09, Jan Beulich wrote:
> On 05.10.2022 12:20, Roger Pau Monné wrote:
>> On Tue, Oct 04, 2022 at 05:08:10PM +0100, Andrew Cooper wrote:
>>> --- a/xen/arch/x86/cpu/common.c
>>> +++ b/xen/arch/x86/cpu/common.c
>>> @@ -209,6 +209,34 @@ void ctxt_switch_levelling(const struct vcpu *next)
>>>             alternative_vcall(ctxt_switch_masking, next);
>>>  }
>>>  
>>> +bool __ro_after_init opt_doitm = true;
>>> +
>>> +static void doitm_init(void)
>>> +{
>>> +    uint64_t val;
>>> +
>>> +    if ( !opt_doitm || !cpu_has_arch_caps )
>>> +        return;
>>> +
>>> +    rdmsrl(MSR_ARCH_CAPABILITIES, val);
>>> +    if ( !(val & ARCH_CAPS_DOITM) )
>>> +        return;
>>> +
>>> +    /*
>>> +     * We are currently unable to enumerate MSR_ARCH_CAPS to guest.  As a
>>> +     * consequence, guest kernels will believe they're safe even when they 
>>> are
>>> +     * not.
>>> +     *
>>> +     * Until we can enumerate DOITM properly for guests, set it 
>>> unilaterally.
>>> +     * This prevents otherwise-correct crypto from becoming vulnerable to
>>> +     * timing sidechannels.
>>> +     */
>>> +
>>> +    rdmsrl(MSR_UARCH_MISC_CTRL, val);
>>> +    val |= UARCH_CTRL_DOITM;
>>> +    wrmsrl(MSR_UARCH_MISC_CTRL, val);
>> Is it possible for the firmware to have enabled DOITM and Xen needing to
>> clear it if !opt_doitm?
> I think a firmware setup option is quite plausible to expect, such that
> safety can also be achieved underneath an unaware OS. Note how in my
> earlier patch I did specifically set the bit both ways, for this very
> reason.

Firmware is not likely to set it, but we should cope with the case when
we're somewhere along a kexec chain.

I'll adjust.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.