[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] x86/hvm: Disallow CR0.PG 1->0 transitions when CS.L=1

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Fri, 14 Apr 2023 12:31:53 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=98vGd4J/+VAnQ78DBVa6BYMBArs4WMIxEMx+E+g17Cw=; b=cyJO+sxM6SaEcpatI7P5rLL95HXHncd3ov3BkMRpi9VpJby1uMGjP1cBBUZ2vu+BmqJ1AQkgoedIZxuwZIzNMOsekWIzBUcdo4P+Stla3ACL7ZIMrkNeNshrwEd27Pa/SWfGCehy+2ShVqHB/ZJ9GzuvJuLuBFbeEyjgvZgTA0MOt4whKU3UaqD6+N4BYUNE/cd5KcP8caPhy2a+WcMz/p0GiONh/rfPbVMTnElRMcCtDYav5b5vTovZ5tq7ZNHTXr5KVsOqQNXpWaXGjytrh7p5OxPiWCrtywfS0WF6bB5TNhucQqFYqTde7g3ePtNkHnyN5EJPprA971onsY9ttA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jA8372tFLxdBw9dvXiFgrmUuUpE7D1PuptSaIK0Dwq4/3HZ4s1utowIdWu7AT0ExnebK7xdzejjjgApmjhh7vGDUvRfGzzSAxy+3lLpK/FoZDsnKASPusLQc/H6jrw6gfi0UrrTlrqJ+NfcVuHbXqSnRr2yv96sxvYqwF6xRvnIkojLhnhenbEd8Bn4E1oMYOXlg5obnsJ2QZBvKgRjK53Rx5rbYvTZW77Gvlp1PAkLrt4fsFVUKWQe7g4hT4r0g5CwaAlyQKPakx3oHmfC27XQNaP6fpa0GjSMKDt5SQRuYIEG65tn/pRqr3xLt2b8GCuObXb9CqzaWYXxg6IluRA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Fri, 14 Apr 2023 10:32:30 +0000
  • Ironport-data: A9a23:aMdQK6hQCGCtLtFdFTEJsSxdX161RhEKZh0ujC45NGQN5FlHY01je htvD2yGa6qOMDemeNolaITjoExSsMXTzIdhSlM/+SFkEiMb9cadCdqndUqhZCn6wu8v7q5Ex 55HNoSfdpBcolv0/ErF3m3J9CEkvU2wbuOgTrWCYmYpHlUMpB4J0XpLg/Q+jpNjne+3CgaMv cKai8DEMRqu1iUc3lg8sspvkzsy+qWj0N8klgZmP6sT4AaCzyB94K83fsldEVOpGuG4IcbiL wrz5OnR1n/U+R4rFuSknt7TGqHdauePVeQmoiM+t5mK2nCulARrukoIHKN0hXNsoyeIh7hMJ OBl7vRcf+uL0prkw4zxWzEAe8130DYvFLXveRBTuuTLp6HKnueFL1yDwyjaMKVBktubD12i+ tRfDSwAQSuBoNu/g+yGRvlzntt8PO3CadZ3VnFIlVk1DN4AaLWaG+Dgw4Ad2z09wMdTAfzZe swVLyJ1awjNaAFOPVFRD48imOCvhT/0dDgwRFC9/PJrpTSMilMpluG1YLI5efTTLSlRtlyfq W/cuXzwHzkRNcCFyCrD+XWp7gPKtXqjBdNLTuDjqJaGhnW14GxKEi00CmeqsL6D0V6BB9hZB R09r39GQa8asRbDosPGdw21pjuIswARX/JUEvYm80edx6zM+QGbC2MYCDlbZ7QOluU7WDgr3 V+hhM7yCHpkt7j9YW2Z3qeZq3W1Iyd9EIMZTSoNTA9A6d+8pog210rLVow6SP7zicDpEzbtx TzMtDI5m7gYkc8M0eO84EzDhDWv4JPOS2bZ+znqY45s1SshDKbNWmBiwQKzASpoRGpBcmS8g Q==
  • Ironport-hdrordr: A9a23:wAS3KqgA5aTuM/n9KelGZ6MbXXBQXuUji2hC6mlwRA09TyVXrb HWoB17726NtN91YhsdcL+7Scy9qB/nhPxICMwqTNSftWrd2VdATrsSibcKqgeIc0bDH6xmtZ uIGJIOb+EYY2IK6/oSIzPVLz/j+rS6GWyT6ts2Bk0CcT1X
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, Apr 13, 2023 at 04:00:09PM +0100, Andrew Cooper wrote:
> The Long Mode consistency checks exist to "ensure that the processor does not
> enter an undefined mode or state that results in unpredictable behavior".  APM
> Vol2 Table 14-5 "Long-Mode Consistency Checks" lists them, but there is no row
> preventing the OS from trying to exit Long mode while in 64bit mode.  This
> could leave the CPU in Protected Mode with an %rip above the 4G boundary.
> 
> Experimentally, AMD CPUs really do permit this state transition.  An OS which
> tries it hits an instant SHUTDOWN, even in cases where the truncation I expect
> to be going on behind the scenes ought to result in sane continued execution.
> 
> Furthermore, right from the very outset, the APM Vol2 14.7 "Leaving Long Mode"
> section instructs peoples to switch to a compatibility mode segment first
> before clearing CR0.PG, which does clear out the upper bits in %rip.  This is
> further backed up by Vol2 Figure 1-6 "Operating Modes of the AMD64
> Architecture".
> 
> Either way, this appears to have been a genuine oversight in the AMD64 spec.
> 
> Intel, on the other hand, rejects this state transition with #GP.
> 
> Between revision 71 (Nov 2019) and 72 (May 2020) of SDM Vol3, a footnote to
> 4.1.2 "Paging-Mode Enable" was altered from:
> 
>   If CR4.PCIDE= 1, an attempt to clear CR0.PG causes a general-protection
>   exception (#GP); software should clear CR4.PCIDE before attempting to
>   disable paging.
> 
> to
> 
>   If the logical processor is in 64-bit mode or if CR4.PCIDE= 1, an attempt to
>   clear CR0.PG causes a general-protection exception (#GP). Software should
>   transition to compatibility mode and clear CR4.PCIDE before attempting to
>   disable paging.
> 
> which acknowledges this corner case, but there doesn't appear to be any other
> discussion even in the relevant Long Mode sections.
> 
> So it appears that Intel spotted and addressed the corner case in IA-32e mode,
> but were 15 years late to document it.
> 
> Xen was written to the AMD spec, and misses the check.  Follow the Intel
> behaviour, because it is more sensible and avoids hitting a VMEntry failure.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Jan Beulich <JBeulich@xxxxxxxx>
> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> CC: Wei Liu <wl@xxxxxxx>
> 
> v2:
>  * Restrict to when Long Mode is enabled.

Maybe the subject also needs to be slightly edited to mention CS.L=1
and Long Mode enabled?  Or just mention long mode instead of the code
segment status?

Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.