[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 24/52] xen/mpu: build up start-of-day Xen MPU memory region map

To: Julien Grall <julien@xxxxxxx>, Penny Zheng <Penny.Zheng@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Ayan Kumar Halder <ayankuma@xxxxxxx>
Date: Wed, 28 Jun 2023 14:22:27 +0100
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0IRiwh3T3XE+/vQ6pxKqFOD4DW4v0rEJY0C7FTMjfLc=; b=KRwDfXN5y8/aaSdlgcUiGOThf+EadkHl7RI0klDrTCX/V5XMSJC5mCPWRsKX/liqu98XNB9q1f/SMf/24p5dE0G/tRvExzsIgQyxZvF2qjaHBls9c7DO6BpO5B1C/0LyKFan5B7TavRsTE0MogM5zeIcu1rEZm1/cXFDSVeaqhEbXUylzhf2FRjR/cs7gIgy8/Wh3ZjSg6D9LoQ8GbgzpwW5ampMEwaPUh9b4nocyeJNAIRPAKoJlEwwb2xQuCguHbU6oiFTe3TYgubv0G27gFVd8HqhpVKl+Fu3SM65QosFkImFx8xmwRZtKVzVXi/f8P53/QRBhy/m4WRgtE5HBg==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Gf/YZ1GaQlLUQdakMa8GLf/tDYKEJPokdhENXoe8ladeEsog4Zax98sxh5lL6yjCR4YAPBCd/ooE8qi9R4eWRor7bQ2mokG0q2nUMSEu2hs1JgShRurtVVMUN17j3Kk1b9ehKwwK6WtcQskTY6Q1QrWZXxXfrmAg9XsSePWUFKMlFfouh7DqiGVTxZaysB37YHb8ZiXRKPIrgaII0fPNZjuRietIYMX+T/HNwxNI/XpUIkL9kD3SXs4Bbt5XdBtbfoTF+GQQx2iCs/dRZu6Lb6Hp/4sg2h1pQB2QeJaeowPpap3Cn5CZP3o000qZR7LS12R7rAeAIrz24hbmafy7GQ==
Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amd.com;
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Chen <wei.chen@xxxxxxx>
Delivery-date: Wed, 28 Jun 2023 13:23:06 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>


On 28/06/2023 12:17, Julien Grall wrote:

Hi,

Hi Julien,


On 28/06/2023 11:55, Ayan Kumar Halder wrote:

On 26/06/2023 04:34, Penny Zheng wrote:

CAUTION: This message has originated from an External Source. Pleaseuse proper judgment and caution when opening attachments, clickinglinks, or responding to this email.



The start-of-day Xen MPU memory region layout shall be like
as follows:

xen_mpumap[0] : Xen text
xen_mpumap[1] : Xen read-only data
xen_mpumap[2] : Xen read-only after init data
xen_mpumap[3] : Xen read-write data
xen_mpumap[4] : Xen BSS
xen_mpumap[5] : Xen init text
xen_mpumap[6] : Xen init data

The layout shall be compliant with what we describe in xen.lds.S,
or the codes need adjustment.

Signed-off-by: Penny Zheng <penny.zheng@xxxxxxx>
Signed-off-by: Wei Chen <wei.chen@xxxxxxx>
---
v3:
- cache maintanence for safety when modifying MPU memory mapping table
- Hardcode index for all data/text sections

- To make sure that alternative instructions are included, use"_einitext"

as the start of the "Init data" section.
---

< snip>

+/*
+ * Static start-of-day Xen EL2 MPU memory region layout:
+ *
+ *     xen_mpumap[0] : Xen text
+ *     xen_mpumap[1] : Xen read-only data
+ *     xen_mpumap[2] : Xen read-only after init data
+ *     xen_mpumap[3] : Xen read-write data
+ *     xen_mpumap[4] : Xen BSS
+ *     xen_mpumap[5] : Xen init text
+ *     xen_mpumap[6] : Xen init data
+ *
+ * Clobbers x0 - x6
+ *

+ * It shall be compliant with what describes in xen.lds.S, or thebelow

+ * codes need adjustment.
+ */
+ENTRY(prepare_early_mappings)
+    /* x0: region sel */
+    mov   x0, xzr
+    /* Xen text section. */
+    load_paddr x1, _stext
+    load_paddr x2, _etext

+ prepare_xen_region x0, x1, x2, x3, x4, x5, x6,attr_prbar=REGION_TEXT_PRBAR

+
+    add   x0, x0, #1
+    /* Xen read-only data section. */
+    load_paddr x1, _srodata
+    load_paddr x2, _erodata

+ prepare_xen_region x0, x1, x2, x3, x4, x5, x6,attr_prbar=REGION_RO_PRBAR

+
+    add   x0, x0, #1
+    /* Xen read-only after init data section. */
+    load_paddr x1, __ro_after_init_start
+    load_paddr x2, __ro_after_init_end
+    prepare_xen_region x0, x1, x2, x3, x4, x5, x6
+
+    add   x0, x0, #1
+    /* Xen read-write data section. */
+    load_paddr x1, __ro_after_init_end
+    load_paddr x2, __init_begin
+    prepare_xen_region x0, x1, x2, x3, x4, x5, x6
+
+    add   x0, x0, #1
+    /* Xen BSS section. */
+    load_paddr x1, __bss_start
+    load_paddr x2, __bss_end
+    prepare_xen_region x0, x1, x2, x3, x4, x5, x6
+
+    add   x0, x0, #1
+    /* Xen init text section. */
+    load_paddr x1, _sinittext
+    load_paddr x2, _einittext

+ prepare_xen_region x0, x1, x2, x3, x4, x5, x6,attr_prbar=REGION_TEXT_PRBAR

+
+    add   x0, x0, #1
+    /* Xen init data section. */
+    /*

+ * Even though we are not using alternative instructions in MPUyet,+ * we want to use "_einitext" for the start of the "Init data"section

+     * to make sure they are included.
+     */
+    load_paddr x1, _einittext
+    roundup_section x1
+    load_paddr x2, __init_end
+    prepare_xen_region x0, x1, x2, x3, x4, x5, x6
+

+ /* Ensure any MPU memory mapping table updates made above haveoccurred. */

+    dsb   nshst
+    ret
+ENDPROC(prepare_early_mappings)


Any reason why this is in assembly ?

I am not Penny. But from my understanding, in your approach, you willrequire to disable to switch the disable the MPU for using the newsections. While I agree...

We have implemented it in Chttps://github.com/Xilinx/xen/blob/d1258f1cefe406a3f91237b8106746c089864651/xen/arch/arm_mpu/mm_mpu.c#L941, so that it can be common between R82 and R52.


... this means you can share the code. It also means:
  * You can't protect Xen properly from the start

Yes, I see what you mean. Referhttps://github.com/Xilinx/xen/blob/d1258f1cefe406a3f91237b8106746c089864651/xen/arch/arm_mpu/arm32/mpu_v8r.S#L82C7-L82C15,

I am mapping CONFIG_XEN_START_ADDRESS + 2 MB. But, probably you meanindividual sections should be properly mapped from the beginning.

  * You need to flush the cache (not great for performance)
* You need to be more cautious as the MPU will be disabled for ashort period of time.

Yes, MPU is disabled when set_boot_mpumap() is invoked. But is thisreally a security issue ?

I mean only a single core is running and it is executing Xen. The MPU isturned off for few cycles.

In fact looking at your switch code in setup_protection_regions(), Iam not convinced you can disable the MPU in C and then callset_boot_mpumap(). I think the enable/disable would need to be movedin the assembly function. There are potentially more issues.

disable_mpu(), enable_mpu() are written in assembly. Seehttps://github.com/Xilinx/xen/blob/d1258f1cefe406a3f91237b8106746c089864651/xen/arch/arm_mpu/arm32/mpu_v8r.S#L128


- Ayan


So overall, I am not convinced of the C/common approach.

Cheers,

Follow-Ups:
- Re: [PATCH v3 24/52] xen/mpu: build up start-of-day Xen MPU memory region map
  - From: Julien Grall

References:
- [PATCH v3 00/52] xen/arm: Add Armv8-R64 MPU support to Xen - Part#1
  - From: Penny Zheng
- [PATCH v3 24/52] xen/mpu: build up start-of-day Xen MPU memory region map
  - From: Penny Zheng
- Re: [PATCH v3 24/52] xen/mpu: build up start-of-day Xen MPU memory region map
  - From: Ayan Kumar Halder
- Re: [PATCH v3 24/52] xen/mpu: build up start-of-day Xen MPU memory region map
  - From: Julien Grall

Prev by Date: Re: [PATCH v3 00/16] accel: Share CPUState accel context (HAX/NVMM/WHPX/HVF)
Next by Date: Re: XenSummit: Empty per-arch files
Previous by thread: Re: [PATCH v3 24/52] xen/mpu: build up start-of-day Xen MPU memory region map
Next by thread: Re: [PATCH v3 24/52] xen/mpu: build up start-of-day Xen MPU memory region map
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.