Xen project Mailing List

Re: [PATCH 5/7] x86: detect PIT aliasing on ports other than 0x4[0-3]

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 26 Oct 2023 12:25:58 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GqfHx1i3lbisw850uEHI/HK5zZIIPkKVGBYLqcS0L1Q=; b=UyDEjjcUCsZnvwM2e6+fDAJQBkqbUe+tNlnfy44fnV4qlYXKSTVa1NNRa9zlC4/Z1m/+xgucWsRU5dw7HB+ShDditUvHBDfFM+O5llkg+UxmJVX1zLq14xK9dGCx5eyCIQY1opJ9s5WTGS/GgeJyrMzisfTHii/nd5BkiwKJqfElgzyICumowILOkjc1KGLPOAv06cAjv1SlVu6/AaHU3YmS4o/biqtFM8lgx6E5lhzIOQAcwEHsNg/iWABJkQUlM523Q0+zyNkfCNLGASEoV/JWkPJ371ISR5T3UIL7oJ9DXuzaBHlJ0H+WDOK5twlkXxjW+5O2hZkNlYEAL00wGQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fFWi5f1Fe/KKLw16XfeZa2wwfNsiIsumcKd+bPG0+4jyjhHZrZ1EQaODx0MpM4u9ZhOTL1zL1B7CAp4JH9vUtYZT5odaQiuG1VHVLdXQt7cqMAmpQZH7ZFa0hDB61Ne5YQYYywbIVW9WCShN2cpNvBXLCQLUhdiJeAgfvqnHiHelvJgkM1mKAlp8cBqVFzoYw3T4VOl8i5N9ggHEA4gKSI6VJvkuo/zLENuAkm1rGoAwtC43IwQxrt0XgylfC2oG7uzlt8cFuaz12tfqT+N4GV/taicLOH4/3ujFmogdD96CbYXlr3aIh+FTgUTienMQkYPB+ynvF3jh+n1/30hdRg==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Thu, 26 Oct 2023 10:26:13 +0000

Ironport-data: A9a23:n3Er8azHWro0WbkbBC96t+cRxyrEfRIJ4+MujC+fZmUNrF6WrkVUz DMaWDzVPPyDNjGjctpzbd608UoDscKEndcyGlY6ryAxQypGp/SeCIXCJC8cHc8wwu7rFxs7s ppEOrEsCOhuExcwcz/0auCJQUFUjPzOHvykTrecZkidfCc8IA85kxVvhuUltYBhhNm9Emult Mj75sbSIzdJ4RYtWo4vw/zF8EgHUMja4mtC5QVmP64T5TcyqlFOZH4hDfDpR5fHatE88t6SH 47r0Ly/92XFyBYhYvvNfmHTKxBirhb6ZGBiu1IOM0SQqkEqSh8ai87XAME0e0ZP4whlqvgqo Dl7WT5cfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQq2pYjqhljJBheAGEWxgp4KVBv7 dMIdxQ8V0u8xN3p45+EcsdSnO12eaEHPKtH0p1h5RfwKK9/BLzmHeDN79Ie2yosjMdTG/qYf 9AedTdkcBXHZVtIJ0sTD5U92uyvgxETcRUB8A7T+fVxvjeVlVIhuFTuGIO9ltiiX8Jak1zev mvb12/4HgsbJJqUzj/tHneE37WRwnunB99NfFG+3tBkuXbLyk5MMx1VcFrmmsmy1W+BeM0Kf iT4/QJr98De7neDTNPwQhm5q36spQMHVpxbFOhSwBGAzO/Y7hiUAkAATyVdc5o2uckuXzso2 1SV2dTzClRHr7m9WX+bsLCOoluP1TM9KGYDYWoISFUD6ty6+YUr1EuRHpBkDbK/icDzFXfo2 TeWoSMihrIVy8kWy6G8+lOBiDWpznTUcjMICszsdjrNxmtEiESNPuRENXCzAS58Ebuk

Ironport-hdrordr: A9a23:h2RiwKlfqK7wAj3qalcneTbArPXpDfLN3DAbv31ZSRFFG/Fwz/ re7Mjy1XfP+U4ssQIb6KO90ci7MAThHPFOkPUs1NuZLW/bUS6TXfBfBOjZskvd8k/Fh5FgPM 5bGsAOa6yTfD0K6bec3OD7Kadf/DDuytHguQ609QYXcegeUdAc0+4PMHfgLqQZfng+OXK2fK D22iJVzADLRZ1dVLXIOpBMZZm3mzXI/6iKXfdQPXIaAFHlt1yVALmQKXalNhF0aVJyKbNIyw j4eiLCl9Gej80=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, May 11, 2023 at 02:07:12PM +0200, Jan Beulich wrote: > ... in order to also deny Dom0 access through the alias ports. Without > this it is only giving the impression of denying access to PIT. Unlike > for CMOS/RTC, do detection pretty early, to avoid disturbing normal > operation later on (even if typically we won't use much of the PIT). > > Like for CMOS/RTC a fundamental assumption of the probing is that reads > from the probed alias port won't have side effects (beyond such that PIT > reads have anyway) in case it does not alias the PIT's. > > At to the port 0x61 accesses: Unlike other accesses we do, this masks > off the top four bits (in addition to the bottom two ones), following > Intel chipset documentation saying that these (read-only) bits should > only be written with zero. As said in previous patches, I think this is likely too much risk for little benefit. I understand the desire to uniformly deny access to any ports that allow interaction with devices in use by Xen (or not allowed to be used by dom0), but there's certainly a risk in configuring such devices in the way that we do by finding a register that can be read and written to. I think if anything this alias detection should have a command line option in order to disable it. Do you also have figures if the greatly increased amount of accesses add a noticeable boot time regression? We are usually cautious is not performing more accesses than strictly required. > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > --- > If Xen was running on top of another instance of itself (in HVM mode, > not PVH, i.e. not as a shim), I'm afraid our vPIT logic would not allow > the "Try to further make sure ..." check to pass in the Xen running on > top: We don't respect the gate bit being clear when handling counter > reads. (There are more unhandled [and unmentioned as being so] aspects > of PIT behavior though, yet it's unclear in how far addressing at least > some of them would be useful.) > > --- a/xen/arch/x86/dom0_build.c > +++ b/xen/arch/x86/dom0_build.c > @@ -504,7 +504,11 @@ int __init dom0_setup_permissions(struct > } > > /* Interval Timer (PIT). */ > - rc |= ioports_deny_access(d, 0x40, 0x43); > + for ( offs = 0, i = pit_alias_mask & -pit_alias_mask ?: 4; > + offs <= pit_alias_mask; offs += i ) > + if ( !(offs & ~pit_alias_mask) ) > + rc |= ioports_deny_access(d, 0x40 + offs, 0x43 + offs); > + > /* PIT Channel 2 / PC Speaker Control. */ > rc |= ioports_deny_access(d, 0x61, 0x61); > > --- a/xen/arch/x86/include/asm/setup.h > +++ b/xen/arch/x86/include/asm/setup.h > @@ -53,6 +53,7 @@ extern unsigned long highmem_start; > #endif > > extern unsigned int pic_alias_mask; > +extern unsigned int pit_alias_mask; > > extern int8_t opt_smt; > > --- a/xen/arch/x86/time.c > +++ b/xen/arch/x86/time.c > @@ -425,6 +425,69 @@ static struct platform_timesource __init > .resume = resume_pit, > }; > > +unsigned int __initdata pit_alias_mask; > + > +static void __init probe_pit_alias(void) > +{ > + unsigned int mask = 0x1c; > + uint8_t val = 0; > + > + /* > + * Use channel 2 in mode 0 for probing. In this mode even a non-initial > + * count is loaded independent of counting being / becoming enabled. > Thus > + * we have a 16-bit value fully under our control, to write and then > check > + * whether we can also read it back unaltered. > + */ > + > + /* Turn off speaker output and disable channel 2 counting. */ > + outb(inb(0x61) & 0x0c, 0x61); > + > + outb((2 << 6) | (3 << 4) | (0 << 1), PIT_MODE); /* Mode 0, LSB/MSB. */ > + > + do { > + uint8_t val2; > + unsigned int offs; > + > + outb(val, PIT_CH2); > + outb(val ^ 0xff, PIT_CH2); > + > + /* Wait for the Null Count bit to clear. */ > + do { > + /* Latch status. */ > + outb((3 << 6) | (1 << 5) | (1 << 3), PIT_MODE); > + > + /* Try to make sure we're actually having a PIT here. */ > + val2 = inb(PIT_CH2); > + if ( (val2 & ~(3 << 6)) != ((3 << 4) | (0 << 1)) ) > + return; > + } while ( val2 & (1 << 6) ); We should have some kind of timeout here, just in case... > + > + /* > + * Try to further make sure we're actually having a PIT here. > + * > + * NB: Deliberately |, not ||, as we always want both reads. > + */ > + val2 = inb(PIT_CH2); > + if ( (val2 ^ val) | (inb(PIT_CH2) ^ val ^ 0xff) ) > + return; > + > + for ( offs = mask & -mask; offs <= mask; offs <<= 1 ) > + { > + if ( !(mask & offs) ) > + continue; > + val2 = inb(PIT_CH2 + offs); > + if ( (val2 ^ val) | (inb(PIT_CH2 + offs) ^ val ^ 0xff) ) > + mask &= ~offs; > + } > + } while ( mask && (val += 0x0b) ); /* Arbitrary uneven number. */ > + > + if ( mask ) > + { > + dprintk(XENLOG_INFO, "PIT aliasing mask: %02x\n", mask); > + pit_alias_mask = mask; > + } Is it fine to leave counting disabled for channel 2? Shouldn't we restore the previous gate value? Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.