[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/mm: PGC_page_table is used by shadow code only

To: Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 30 Nov 2022 09:25:19 -0500
Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1669818323; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=g7TipV0I7Gy5yDaSXWreS2VrBfDhMbzklK2sAAD97W4=; b=FmXE7edscpaY07Qt29BCtzKXHuhRQqRTWeo8fdGb4Bn+8zAkrtW8pQLiB33HOPfYKT2OSdz4GzElLw18zfQLpDKJrCHPQXhNaqaF/qd1Cgg8eT7a2Mw4BPE2qvlYK065BoYd/nI1jeW6GTKk2xQ36ISGNnXEqF6Tj2i+WpOurW0=
Arc-seal: i=1; a=rsa-sha256; t=1669818323; cv=none; d=zohomail.com; s=zohoarc; b=DAiV77C3l9KkiRJXUqaVkHfs09E+z81dGBZbmpxlu3OTtTPFSCV0R4iJIliHdctNwO7uc1jWn/+99rZrrGuc2eDk81Y9Sx9V78f4KOgPH/xb8zOxNWydKmMArtnN/Hyhi2V78QEmuc9L4Ro5nXRLwVK3eWd28HfgiQd+ayZlaiY=
Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 30 Nov 2022 14:25:46 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 11/30/22 02:52, Jan Beulich wrote:

On 29.11.2022 21:56, Andrew Cooper wrote:

On 29/11/2022 14:55, Jan Beulich wrote:

By defining the constant to zero when !SHADOW_PAGING we give compilers
the chance to eliminate a little more dead code elsewhere in the tree.
Plus, as a minor benefit, the general reference count can be one bit
wider. (To simplify things, have PGC_page_table change places with
PGC_extra.)

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>


Ahead of making this change, can we please rename it to something less
confusing, and fix it's comment which is wrong.

PGC_shadowed_pt is the best I can think of.


Can do, sure.

---
tboot.c's update_pagetable_mac() is suspicious: It effectively is a
no-op even prior to this change when !SHADOW_PAGING, which can't be
quite right. If (guest) page tables are relevant to include in the
verification, shouldn't this look for PGT_l<N>_page_table as well? How
to deal with HAP guests there is entirely unclear.


Considering the caller, it MACs every domheap page for domains with
CDF_s3_integrity.

The tboot logical also blindly assumes that any non-idle domain has an
Intel IOMMU context with it.  This only doesn't (trivially) expose
because struct domain_iommu is embedded in struct domain (rather than
allocated separately), and reaching into the wrong part of the arch
union is only mitigated by the tboot logic not being invoked on
non-intel systems.  (Also the idle domain check is useless, given that
it's in a for_each_domain() loop).

It does look a little like the caller is wanting to MAC all Xen data
that describes the guest, but doing this unilaterally for all shadowed
guests seems wrong beside the per-domain s3_integrity setting.


Question is - do we care about addressing this (when, as said, it's
unclear how to deal with HAP domains; maybe their actively used p2m
pages would need including instead)? Or should we rather consider
ripping out tboot support?

This would break a significant number of production deployed OpenXTderivative solutions. I would respectively request that a middle groundbe found that will allow the capability to remain until TrenchBoot hashad time to build a Secure Launch for Xen that mirrors Secure Launch forLinux.

NB: I have a long list of changes for the tboot code but have opted thusfar to let them lie. Mainly as they would be hole patching that wouldmostly be tossed with the clean room implementation that will come from TB.


v/r,
dps

References:
- [PATCH] x86/mm: PGC_page_table is used by shadow code only
  - From: Jan Beulich
- Re: [PATCH] x86/mm: PGC_page_table is used by shadow code only
  - From: Andrew Cooper
- Re: [PATCH] x86/mm: PGC_page_table is used by shadow code only
  - From: Jan Beulich

Prev by Date: Re: [PATCH] ioreq_broadcast(): accept partial broadcast success
Next by Date: Re: [PATCH v5 1/3] automation: Create Yocto docker images
Previous by thread: Re: [PATCH] x86/mm: PGC_page_table is used by shadow code only
Next by thread: [PATCH] drivers/xen/hypervisor: Expose VM SIF flags to userspace
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.