Xen project Mailing List

Re: [PATCH 5/7] x86: detect PIT aliasing on ports other than 0x4[0-3]

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 26 Oct 2023 17:13:49 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=7b57vQ+UKpWXFt46GTsAvlt4g5no7bWRnfPfrkWI110=; b=DsEnn6c4WFZ4RcKE5Jh+JGuzVyeNt1e54dwADHe46epI2wbGgAdgQmDGycmQ4ESbi2sSfcWK+BPMfWxFVDWVFlhd4Cq8++z8cnlCR1Bu5encQL2aY4qm3LR0Kam0Q+yIDKpSI6Qxc/uEHkqxnBu02+fQqzo1af+kVTy3dsX5IrOJZ06/maddaRcxMLerNYso6jj53pMTg+sNk57WumwH9/Qsnur0+Q8tFNyF6C4Zrb7HpqoKQLM0tyJ0/kS+HnGG4q7fEIBjUApWcZIjUA6J6wyX3EWu9P124Db+Jv3WAIou/sDN1aivcSO0GIusBCg07R66aNFBxpy3YcZzjkMlXQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=N6Kx4dYym8BG+NNJej5fj/NcytU9OTd4Use6F6vKU5chNTQ7J80u2C1ui4Q9GbuQeBVs+abKPhz3wzJ18+7ruo0cvUn5arOJHTgmBMAEQhFv+6pD6SnQKkpcjFHXp9G5UFAEiic7fMxAqYMjS8YqgWY15JpQhC+ScpJmpXU8XXvANEot9C8/c3uQx6nEMnGhIV0+AwYBboVm4K03uvyKtWDp/PcZV1NfWDA6juJsowcxWgc+R/allCQq961acFEEfwhs9JUp0uh6xjZ/Nuoln0M2GCqddSbEvZDcRaT6hZ1F7Am6m7OFrY1DBccCzfOmHPg1hJlPr3kEKQ1J3C37hw==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Thu, 26 Oct 2023 15:14:23 +0000

Ironport-data: A9a23:DyDpZ6LK+I0Hcu5CFE+R8JQlxSXFcZb7ZxGr2PjKsXjdYENS1zEGn 2sYWD2AbPnZY2rzctwnOouw8BgB6sKBmoA2HgZlqX01Q3x08seUXt7xwmUcnc+xBpaaEB84t ZV2hv3odp1coqr0/0/1WlTZhSAhk/nOHvylULKs1hlZHWdMUD0mhQ9oh9k3i4tphcnRKw6Ws Jb5rta31GWNglaYCUpKrfrYwP9TlK6q4mhB5gZgPakjUGL2zBH5MrpOfcldEFOgKmVkNrbSb /rOyri/4lTY838FYj9yuu+mGqGiaue60Tmm0hK6aYD76vRxjnVaPpIAHOgdcS9qZwChxLid/ jnvWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I+QrvBIAzt03ZHzaM7H09c4wJmxXz fITGgsBUVemle6mnrGqG9VF05FLwMnDZOvzu1lG5BSAVbMDfsqGRK/Ho9hFwD03m8ZCW+7EY NYUYiZuaxKGZABTPlAQC9Q1m+LAanvXKmUE7g7K4/dqpTGLlGSd05C0WDbRUsaNSshP2F6Ru 0rN/njjAwFcP9uaodaA2iv227SUw3miBur+EpWcz/9QuHirwVcQNxEsVFqVndSG1k+hDoc3x 0s8v3BGQbIJ3E6hQ8T5Xha4iGWZpRNaUN1Ve8Uq5QfIxqfK7gKxAmkfUiUHeNEgrNUxRzEhy hmOhdyBLSNrmK2YTzSa7Lj8kN+pES0cLGtHYDBeSwIAuoHnuNtq1kqJSct/GqmoiNGzASv33 z2BsCk5gfMUkNIP0KK4u1vAhlpAu6T0c+L83S2PNkrN0++zTND1D2B0wTA3Ncp9Ebs=

Ironport-hdrordr: A9a23:lo01qq+upt4BddlLTKRuk+D6I+orL9Y04lQ7vn2ZKCYlF/Bw8v rF8cjzuiWZtN98Yh4dcKm7Sc69qBDnhPxICOsqXYtKNTOO0FdASrsN0WKI+UyCJ8SRzI9gPJ BbAsxD4Y3LZmSSVfyKmjVQyexQuOVvLZrY49s2E00dNj2CtZsQkjuQZW6gYzRLeDU=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Oct 26, 2023 at 05:10:41PM +0200, Jan Beulich wrote: > On 26.10.2023 15:57, Roger Pau Monné wrote: > > On Thu, Oct 26, 2023 at 02:31:27PM +0200, Jan Beulich wrote: > >> On 26.10.2023 12:25, Roger Pau Monné wrote: > >>> On Thu, May 11, 2023 at 02:07:12PM +0200, Jan Beulich wrote: > >>>> ... in order to also deny Dom0 access through the alias ports. Without > >>>> this it is only giving the impression of denying access to PIT. Unlike > >>>> for CMOS/RTC, do detection pretty early, to avoid disturbing normal > >>>> operation later on (even if typically we won't use much of the PIT). > >>>> > >>>> Like for CMOS/RTC a fundamental assumption of the probing is that reads > >>>> from the probed alias port won't have side effects (beyond such that PIT > >>>> reads have anyway) in case it does not alias the PIT's. > >>>> > >>>> At to the port 0x61 accesses: Unlike other accesses we do, this masks > >>>> off the top four bits (in addition to the bottom two ones), following > >>>> Intel chipset documentation saying that these (read-only) bits should > >>>> only be written with zero. > >>> > >>> As said in previous patches, I think this is likely too much risk for > >>> little benefit. I understand the desire to uniformly deny access to > >>> any ports that allow interaction with devices in use by Xen (or not > >>> allowed to be used by dom0), but there's certainly a risk in > >>> configuring such devices in the way that we do by finding a register > >>> that can be read and written to. > >>> > >>> I think if anything this alias detection should have a command line > >>> option in order to disable it. > >> > >> Well, we could have command line options (for each of the RTC/CMOS, > >> PIC, and PIT probing allowing the alias masks to be specified (so we > >> don't need to probe). A value of 1 would uniformly mean "no probing, > >> no aliases" (as all three decode the low bit, so aliasing can happen > >> there). We could further make the default of these variables (yes/no, > >> no actual mask values of course) controllable by a Kconfig setting. > > > > If you want to make this more fine grained, or even allow the user to > > provide custom masks that's all fine, but there's already > > dom0_ioports_disable that allows disabling a list of IO port ranges. > > > > What I would require is a way to avoid all the probing, so that we > > could return to the previous behavior. > > > >>>> --- a/xen/arch/x86/time.c > >>>> +++ b/xen/arch/x86/time.c > >>>> @@ -425,6 +425,69 @@ static struct platform_timesource __init > >>>> .resume = resume_pit, > >>>> }; > >>>> > >>>> +unsigned int __initdata pit_alias_mask; > >>>> + > >>>> +static void __init probe_pit_alias(void) > >>>> +{ > >>>> + unsigned int mask = 0x1c; > >>>> + uint8_t val = 0; > >>>> + > >>>> + /* > >>>> + * Use channel 2 in mode 0 for probing. In this mode even a > >>>> non-initial > >>>> + * count is loaded independent of counting being / becoming > >>>> enabled. Thus > >>>> + * we have a 16-bit value fully under our control, to write and > >>>> then check > >>>> + * whether we can also read it back unaltered. > >>>> + */ > >>>> + > >>>> + /* Turn off speaker output and disable channel 2 counting. */ > >>>> + outb(inb(0x61) & 0x0c, 0x61); > >>>> + > >>>> + outb((2 << 6) | (3 << 4) | (0 << 1), PIT_MODE); /* Mode 0, LSB/MSB. > >>>> */ > >>>> + > >>>> + do { > >>>> + uint8_t val2; > >>>> + unsigned int offs; > >>>> + > >>>> + outb(val, PIT_CH2); > >>>> + outb(val ^ 0xff, PIT_CH2); > >>>> + > >>>> + /* Wait for the Null Count bit to clear. */ > >>>> + do { > >>>> + /* Latch status. */ > >>>> + outb((3 << 6) | (1 << 5) | (1 << 3), PIT_MODE); > >>>> + > >>>> + /* Try to make sure we're actually having a PIT here. */ > >>>> + val2 = inb(PIT_CH2); > >>>> + if ( (val2 & ~(3 << 6)) != ((3 << 4) | (0 << 1)) ) > >>>> + return; > >>>> + } while ( val2 & (1 << 6) ); > >>> > >>> We should have some kind of timeout here, just in case... > >> > >> Hmm, I indeed did consider the need for a timeout here. With what > >> we've done up to here we already assume a functioning PIT, verifying > >> simply as we go. The issue with truly using some form of timeout is > >> the determination of how long to wait at most. > > > > I would likely make it based on iterations, could you get some figures > > on how many iterations it takes for the bit to be clear? > > > > I would think something like 1000 should be enough, but really have no > > idea. > > Except that how long a given number of iterations takes is unknown. 1000 > may be enough today or on the systems we test, but may not be tomorrow > or on other peoples' systems. Hence why I'm hesitant ... Hm, but getting stuck in a loop here can't be good either. Let's do it time wise if you prefer, 1s should be more than enough I would think. In any case the worse that could if the timeout is hit is that aliases are not properly detected, but that's way better than the possibility of getting stuck in an infinite loop. Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.