
Re: Wake-up from suspend to RAM broken under `retbleed=stuff`


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Wed, 11 Jan 2023 22:06:56 +0000
  • Cc: "linux-kernel@xxxxxxxxxxxxxxx" <linux-kernel@xxxxxxxxxxxxxxx>, "x86@xxxxxxxxxx" <x86@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, "Rafael J. Wysocki" <rafael@xxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Joan Bruguera <joanbrugueram@xxxxxxxxx>
  • Delivery-date: Wed, 11 Jan 2023 22:07:20 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: Wake-up from suspend to RAM broken under `retbleed=stuff`

On 11/01/2023 11:45 am, Jan Beulich wrote:
> On 11.01.2023 12:39, Andrew Cooper wrote:
>> The bigger issue with stuff accounting is that nothing AFAICT accounts
>> for the fact that any hypercall potentially empties the RSB in otherwise
>> synchronous program flow.
> But that's not just at hypercall boundaries, but effectively anywhere
> (i.e. whenever the hypervisor decides to de-schedule the vCPU)?

Correct, but it's only the RET instructions that reliably underflow the
RSB which can be usefully attacked.

The %rip values at which Xen decides to de-schedule a vCPU are random from
the point of view of an attacker.

~Andrew
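As an added illustration of the accounting gap Andrew describes (this is a toy model written for this page, not code from the thread, Xen or Linux), the simulation below tracks a 16-entry RSB next to the software call-depth counter that `retbleed=stuff` style mitigations rely on. The depth, the refill margin of 4, and the "refill on return from hypercall" switch are all assumptions for the model; the thread does not propose that fix. The point it makes concrete is that a hypercall which empties the real RSB leaves the counter believing the buffer is still full, so the following RETs underflow before the return thunk would ever decide to stuff.

```c
/*
 * Toy model of call-depth tracking against a Return Stack Buffer.
 * Assumptions (not from the thread): RSB_ENTRIES = 16, the return thunk
 * refills the RSB when the tracked depth reaches STUFF_AT_DEPTH, and a
 * hypercall empties the hardware RSB without the guest noticing.
 */
#include <stdio.h>
#include <stdbool.h>

#define RSB_ENTRIES    16
#define STUFF_AT_DEPTH  4   /* assumed safety margin before a refill */

enum op { OP_CALL, OP_RET, OP_HYPERCALL };

struct cpu {
    int  rsb_fill;              /* entries actually present in the RSB */
    int  tracked;               /* what the call-depth accounting believes */
    int  underflows;            /* RETs that had no RSB entry to consume */
    int  stuffs;                /* number of refills performed */
    bool stuff_after_hypercall; /* hypothetical: re-stuff when a hypercall returns */
};

static void rsb_stuff(struct cpu *c)
{
    c->rsb_fill = RSB_ENTRIES;
    c->tracked  = RSB_ENTRIES;
    c->stuffs++;
}

static void do_call(struct cpu *c)
{
    /* A CALL pushes; when the buffer is full the oldest entry is lost. */
    if (c->rsb_fill < RSB_ENTRIES) c->rsb_fill++;
    if (c->tracked  < RSB_ENTRIES) c->tracked++;
}

static void do_ret(struct cpu *c)
{
    /* The return thunk consults only the software counter. */
    if (c->tracked <= STUFF_AT_DEPTH)
        rsb_stuff(c);
    if (c->rsb_fill == 0)
        c->underflows++;        /* prediction falls back to the BTB */
    else
        c->rsb_fill--;
    c->tracked--;
}

static void do_hypercall(struct cpu *c)
{
    /* Hypervisor entry/exit empties the RSB; the counter is untouched. */
    c->rsb_fill = 0;
    if (c->stuff_after_hypercall)
        rsb_stuff(c);
}

static int run(struct cpu *c, const enum op *seq, int n)
{
    for (int i = 0; i < n; i++) {
        switch (seq[i]) {
        case OP_CALL:      do_call(c);      break;
        case OP_RET:       do_ret(c);       break;
        case OP_HYPERCALL: do_hypercall(c); break;
        }
    }
    return c->underflows;
}

/*
 * Constructed scenario: a 16-deep call chain, optionally a hypercall at
 * the deepest point, then the whole chain unwinding with RETs.
 * Returns the number of RETs that underflowed the RSB.
 */
static int scenario_underflows(bool hypercall, bool fix)
{
    enum op seq[64];
    int n = 0;

    for (int i = 0; i < 16; i++) seq[n++] = OP_CALL;
    if (hypercall)               seq[n++] = OP_HYPERCALL;
    for (int i = 0; i < 16; i++) seq[n++] = OP_RET;

    /* Start from a freshly stuffed RSB, as after kernel entry. */
    struct cpu c = {
        .rsb_fill = RSB_ENTRIES, .tracked = RSB_ENTRIES,
        .stuff_after_hypercall = fix,
    };
    return run(&c, seq, n);
}

int main(void)
{
    printf("no hypercall:              %d underflows\n", scenario_underflows(false, false));
    printf("hypercall, unaccounted:    %d underflows\n", scenario_underflows(true,  false));
    printf("hypercall, re-stuff after: %d underflows\n", scenario_underflows(true,  true));
    return 0;
}
```

With the counter alone, the unwinding chain performs 12 unpredicted RETs after the hypercall before the accounting reaches its margin and refills; those are exactly the "RET instructions that reliably underflow the RSB" Andrew singles out as usefully attackable, because the hypercall site is fixed in the code rather than chosen by the scheduler.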

 

