[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3 24/52] xen/mpu: build up start-of-day Xen MPU memory region map
- To: Julien Grall <julien@xxxxxxx>, Ayan Kumar Halder <ayankuma@xxxxxxx>, Penny Zheng <Penny.Zheng@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Fri, 30 Jun 2023 11:09:07 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GmFNp8K8JfE78h1Re9CtcdsI6YYAHm3iCcjPPEbGD7E=; b=Y7sgpLehJ8OwiY1rP/WA23pwUguzqtAleXx0nXWf7UH07jFXKFD2ROearZNh65e2Oi3M+vCawydHcZrs7gRpjy5btY+/CcM4D9ufeBzpR7cIkvOwcmuZBQSPZX4PzZ+6/FAgOIRkCQoS94MKflOb0H1G5Ol74tMZZrjRBECiTiXr15MOKebL7dAzClYIpOOrhcfQnyeljjYqEfZgqhcACN2hXfzdwIbEDkzPk75c2wyrPFgZusagjAqFI+ZVODH559kMuIYKi1iHrmNLIzw9wKQD5j9R2H3FGECayGn5jrnbVLltcUOOmzA8Yex092NNZXaqTBZucqUdsUT9ncLO1w==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Kh6Z5xeaggZf7lZUhPoH0enotqY3yrS78NogjgpGk7zVaWBhimUZO1QWn235IN2jMQJu5ZVS8e6qMMa/bHrBjPMv+3QLdyDrfwChojrU0RUcInugLFNyBOR6E07CwbDF+heu4C51PFBHQCH6TspW4EVGjGsflze8JXXqOOnKDjYonhkBtaQHjOI9/MHimVF7D00jybY8L9qsuMWB4FLeGXRX+WDCfikJ7TCpIBosJPBw24AKd7LEI8kpJCKAGCrNtkXXrEuzQb5Kff9V79aJnpJ9nz5QoGSGE3U31LSiEQsz/gTu41JOLz3VUnI3aQ09HhDDcBAsbSdtUyNIfi7r1A==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Wei Chen <wei.chen@xxxxxxx>
- Delivery-date: Fri, 30 Jun 2023 10:09:43 +0000
- Ironport-data: A9a23:DTJ9S6KfxahaDyBSFE+RdJQlxSXFcZb7ZxGr2PjKsXjdYENSgWdVy zAdWTiGPavfZmTzc9sla9mw80MAuZHdyIU1QAJlqX01Q3x08seUXt7xwmUcnc+xBpaaEB84t ZV2hv3odp1coqr0/0/1WlTZhSAgk/rOHvykU7Ss1hlZHWdMUD0mhQ9oh9k3i4tphcnRKw6Ws Jb5rta31GWNglaYCUpKrfrawP9TlK6q4mhA4AdmPakjUGL2zBH5MrpOfcldEFOgKmVkNrbSb /rOyri/4lTY838FYj9yuu+mGqGiaue60Tmm0hK6aYD76vRxjnVaPpIAHOgdcS9qZwChxLid/ jnvWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I+QrvBIAzt03ZHzaM7H09c5MW35iz NtHdQtQfyyu3duT3ZuLV/Bz05FLwMnDZOvzu1lG5BSAV7MKZM6GRK/Ho9hFwD03m8ZCW+7EY NYUYiZuaxKGZABTPlAQC9Q1m+LAanvXKmUE7g7K4/dmpTGMk2Sd05C0WDbRUvWMSd9YgQCzo WXe8n6iKhobKMae2XyO9XfEaurnxHqgBN5MROPpnhJsqHuBgVxQCycVbn6+r/KTrkCja+MYG 3VBr0LCqoB3riRHVOLVXQC8oXOClg4RXZxXCeJSwAicw6zX/gOQLmEBQnhKb9lOnPc7Qzo7k G2JktXmLTV1tfueTnf13qeZq3a+NDYYKUcGZDQYVk0V7t/7uoYxgxnTCNF5H8adlcbpEDv9x zSLqikWhLgJi8MPkaKh8jjviT+2uoLASAJz4wzNR3+k9StwfovjbIutgXDl6vJHIJecX0O2l nEOkMiD78gDFZiI0ieKRY0lA7yoof2FPTv0iERqWZIm8lyQF2WLeIlR5HRyIRlvO8NdIzvxO haM5kVW+YNZO2asYelveYWtBs82zK/mU9P4SvTTadkIaZ90HOOawBxTiYer9ziFuCARfWsXY P93re7E4a4mNJla
- Ironport-hdrordr: A9a23:CGQKVqC74sFnHcTlHemp55DYdb4zR+YMi2TDtnoBLyC9F/byqy nApoV+6faZslYssRIb6Le90cu7LE80nKQdieMs1NGZLWrbUQCTXeRfBOXZsl/d8hrFmtK1BJ 0AT0AuYOefMbAl5fyU3DWF
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 30/06/2023 10:43 am, Julien Grall wrote:
> On 30/06/2023 10:26, Ayan Kumar Halder wrote:
>> On 29/06/2023 12:55, Julien Grall wrote:
>>>>> Furthermore, from my understanding, at least on Armv8-A, there are
>>>>> caching problem because you will need to save some registers (for
>>>>> the call to set_boot_mpumap()) on the stack with cache disabled.
>>>>> This means the cache will be bypassed. But you may then restore
>>>>> the registers with the cache enabled (the compiler could decide
>>>>> that it is not necessary to read the stack before hand). So you
>>>>> could read the wrong data if there is a stale cacheline.
>>>>
>>>> Yes, this makes some sense. So will the following make it correct :-
>>>
>>> I am confused. In a previous answer, I voiced my concerned with
>>> trying to replace the full MPU table. So it is not clear to me why
>>> you are asking me if the following work. Do you still want to do it?
>>> If so, why?
>>
>> I completely agree with you to set up the MPU table in assembly with
>> the correct permissions for each section (as done by Penny's patch).
>> That would atleast ensure that we don't need to reset the MPU
>> sections for Xen again.
>>
>> What I was trying to understand deeper was some of the objections you
>> had raised and if any sort of mitigations are possible.
>>
>> Again I am not saying that we need to apply the mitigations (if
>> available) in this particular scenario.
>>
>>>
>>>>
>>>> 1. Execute 'dmb' before invoking enable_mpu(). This will ensure
>>>> that the registers are strictly restored in set_boot_mpumap()
>>>> before the HSCTLR is read.
>>>
>>> I am afraid I don't know how the DMB will enforce that. Can you
>>> clarify?
>>
>> pop {r4} /* As part of set_boot_mpumap() */
>>
>> dmb /* This should ensure that r4 is fully restored from the stack
>> before the next instruction. At this point, the D cache is still
>> disabled. */
>
> I don't really see how this helps because the C instruction:
>
> set_boot_mpumap(....)
>
> could also require to read/write the stack for saving r0-r3. And
> AFAIK, you can't control when this would happen.
The argument is far easier than that.
At all point, anywhere in code, the C compiler can emit calls to
memcpy/memset behind your back, including (in principle) for code which
looks like `int foo;` (yes, because of things like -ftrivial-auto-var-init).
With things like UBSAN active, it's a much wider range of functions that
can be called.
If anything is potentially unsafe to the C operating environment, it
*must* be handled in assembly.
~Andrew
|