[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] x86/hvm: Disallow CR0.PG 1->0 transitions when CS.L=1

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 17 Apr 2023 12:15:17 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Rpg6lElZC59lsXCnEog1fWyecGpK9ciM/VpA9qPFSHc=; b=jpi7wiVLMYFOYZs/uPxeHGLbeqc4qS8fhyriPnl6zgi4h352750xgXD/jVR68D8gCPo2ZBt44ghqsafLE6rDzZI3v8buENtSu/OcfTSwHBBipjqyqbueI9o7axthImAlo1VajNLnt5NS6VR9MVVMzYyv5CLJXsfR+WcDRgYoHuj3qYwOscRWYEfiS9ZCSCMiECEtEO1JOSv0ECwy85QTKBKHzeEN/I76EkyJ3CnGFsEyGjKC1In45TkvIZEstiZixfmYbRNK23RV8HfVhCQ5hEZIaRHa3dzg0bj9Wi7gq2t7flbB7lOcQNUdXtH8tImtMD08eqqoIv+bkwp8OXjQbg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lhdYTL3QzmH5xUJ63oCd3NR0Mgc0qWdCK3f2HmRCGxAxcTo8F8JcTbyy2ZntivA99z7w6wLXmLuLvLL4Dyv3OWzjPtt9xOKA/AUSwMIkMMR+ytV0493Cq+NX+CpuHtpKOOsN9bFX69eD6ch8slXJuRc5Yfvv/zbre2mqBTe4QuV9HhxEospj/3Eq3utLOYOoMTlylCzBUZM1j5Afe0tmtCNhdGCjeIPBpvfsQxHvZWOx4U4pSc80IV8EgZoIFcudl6Ih0WB/0rYSIiYsvimsmCeFUVjmf7/b3qFooxaVBEgo/EimzKq4ucD0oSKHtngmYj88I702CrIvseagEb89xQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 17 Apr 2023 11:15:58 +0000
  • Ironport-data: A9a23:raonzKsZAhvz2GCseAhxYJvpROfnVHtfMUV32f8akzHdYApBsoF/q tZmKWqBMv3cZzD8KNBwaIi18UtXvZfdmoJrSgpvpC40ECpA+JbJXdiXEBz9bniYRiHhoOCLz O1FM4Wdc5pkJpP4jk3wWlQ0hSAkjclkfpKlVKiffHg3HVQ+IMsYoUoLs/YjhYJ1isSODQqIu Nfjy+XSI1bg0DNvWo4uw/vrRChH4bKj6Vv0gnRkPaoQ5AOHyCFMZH4iDfrZw0XQE9E88tGSH 44v/JnhlkvF8hEkDM+Sk7qTWiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JFAatjsB2bnsgZ9 Tl4ncfYpTHFnEH7sL91vxFwS0mSNEDdkVPNCSDXXce7lyUqf5ZwqhnH4Y5f0YAwo45K7W9yG fMwLWk3Pkm9gLyK/bOYEsJN1v4BNePnBdZK0p1g5Wmx4fcOZ7nmGvyPzvgBmTA6i4ZJAOrUY NcfZXx3dhPcbhZTO1ARTpUjgOOvgXq5eDpdwL6XjfNvvy6Pk0osjv60b4G9lt+iHK25mm6xo G7c8nu/KRYdLNGFkhKO8262h/+JliT+MG4XPOTgpqQx2gDPnAT/DjU3ennlm+WIrHKyVuBGJ GI2xnMX96E9oRnDot7VGkfQTGS/lhwWVsdUEuY6wBqQ0aeS6AGcbkAbShZRZdpgs9U5LRQ62 1nMk973CDhHtLyOVWnb5rqStSm1OyUeMSkFfyBscOcey9zqoYV2hRWWSN9mSfexloesRmq2x C2Wpi8jgblVldQMy6iw4VHAhXSru4TNSQk2oA7QWwpJ8z9EWWJsXKTwgXCz0BqKBN/xooWp1 JTcp/Wj0Q==
  • Ironport-hdrordr: A9a23:eos7r6sO3yO1984sRgET4YJE7skDUNV00zEX/kB9WHVpm62j+/ xG+c5x6faaslkssR0b9+xoQZPwI080l6QU3WBhB9aftWDd0QPDQb2KhrGSoAEIdReOjdJ15O NNdLV/Fc21LXUSt7eB3OG0eexQp+Vu/MqT9IPjJ30Gd3AOV0luhT0JbDpzy3cGPTWu06BJbK ah2g==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 17/04/2023 9:05 am, Jan Beulich wrote:
> On 13.04.2023 17:00, Andrew Cooper wrote:
>> The Long Mode consistency checks exist to "ensure that the processor does not
>> enter an undefined mode or state that results in unpredictable behavior".  
>> APM
>> Vol2 Table 14-5 "Long-Mode Consistency Checks" lists them, but there is no 
>> row
>> preventing the OS from trying to exit Long mode while in 64bit mode.  This
>> could leave the CPU in Protected Mode with an %rip above the 4G boundary.
>>
>> Experimentally, AMD CPUs really do permit this state transition.  An OS which
>> tries it hits an instant SHUTDOWN, even in cases where the truncation I 
>> expect
>> to be going on behind the scenes ought to result in sane continued execution.
> For my own understanding, which truncation are you referring to here?
> As you're in 1:1 mapped code, %rip can't really be meant. Clearly IDT
> and GDT would need to be (re)loaded to point to 32-bit-style tables, so
> the only thing left would seem to be %rsp. It's not clear to me whether
> after such an illegal mode switch its upper bits would be cleared or
> ignored ...

Outside of 64bit mode, all address generation is truncated to 32 bits.

So when %rip happens to be above 2^32, the fetch of the next instruction
ought to be from a truncated %eip, but my attempts to set up such an
experiment still crashed.

I didn't spend too long investigating.  I've got too many other things
to do.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.