Xen project Mailing List

Re: [PATCH v2 06/15] x86/HVM: improve CET-IBT pruning of ENDBR

To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 24 Nov 2023 22:28:48 +0000

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; keydata= xsFNBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABzSlBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPsLBegQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86M7BTQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAcLB XwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>

Delivery-date: Fri, 24 Nov 2023 22:29:07 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 24/11/2023 8:39 am, Jan Beulich wrote: > __init{const,data}_cf_clobber can have an effect only for pointers > actually populated in the respective tables. While not the case for SVM > right now, VMX installs a number of pointers only under certain > conditions. Hence the respective functions would have their ENDBR purged > only when those conditions are met. Invoke "pruning" functions after > having copied the respective tables, for them to install any "missing" > pointers. > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> In theory Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, but see later. I have to admit that I'd overlooked this point when putting together __init{}_cf_clobber originally. Then again, I did have more urgent things on my mind at the time. > --- > This is largely cosmetic for present hardware, which when supporting > CET-IBT likely also supports all of the advanced VMX features for which > hook pointers are installed conditionally. The only case this would make > a difference there is when use of respective features was suppressed via > command line option (where available). For future hooks it may end up > relevant even by default, and it also would be if AMD started supporting > CET-IBT; right now it matters only for .pi_update_irte, as iommu_intpost > continues to default to off. > > Originally I had meant to put the SVM and VMX functions in presmp- > initcalls, but hvm/{svm,vmx}/built_in.o are linked into hvm/built_in.o > before hvm/hvm.o. And I don't think I want to fiddle with link order > here. An alternative is the form I used for microcode, where start_{vmx,svm}() fills in fns, and doesn't have to fill in all hooks. That will be more amenable to Kconfig-ing generally, and will probably be less fragile to getting forgotten. > --- > v2: Use cpu_has_xen_ibt in prune_{svm,vmx}(). > > --- a/xen/arch/x86/hvm/hvm.c > +++ b/xen/arch/x86/hvm/hvm.c > @@ -161,10 +161,15 @@ static int __init cf_check hvm_enable(vo > else if ( cpu_has_svm ) > fns = start_svm(); > > + if ( fns ) > + hvm_funcs = *fns; > + > + prune_vmx(); > + prune_svm(); > + > if ( fns == NULL ) > return 0; > > - hvm_funcs = *fns; > hvm_enabled = 1; > > printk("HVM: %s enabled\n", fns->name); > --- a/xen/arch/x86/hvm/svm/svm.c > +++ b/xen/arch/x86/hvm/svm/svm.c > @@ -2587,6 +2587,19 @@ const struct hvm_function_table * __init > return &svm_function_table; > } > > +void __init prune_svm(void) > +{ > + /* > + * Now that svm_function_table was copied, populate all function pointers > + * which may have been left at NULL, for __initdata_cf_clobber to have as > + * much of an effect as possible. > + */ > + if ( !cpu_has_xen_ibt ) > + return; > + > + /* Nothing at present. */ > +} > + > void asmlinkage svm_vmexit_handler(void) > { > struct cpu_user_regs *regs = guest_cpu_user_regs(); > --- a/xen/arch/x86/hvm/vmx/vmx.c > +++ b/xen/arch/x86/hvm/vmx/vmx.c > @@ -3033,6 +3033,30 @@ const struct hvm_function_table * __init > return &vmx_function_table; > } > > +void __init prune_vmx(void) > +{ > + /* > + * Now that vmx_function_table was copied, populate all function pointers > + * which may have been left at NULL, for __initdata_cf_clobber to have as > + * much of an effect as possible. > + */ > + if ( !cpu_has_xen_ibt ) > + return; > + > + vmx_function_table.set_descriptor_access_exiting = > + vmx_set_descriptor_access_exiting; > + > + vmx_function_table.update_eoi_exit_bitmap = vmx_update_eoi_exit_bitmap; > + vmx_function_table.process_isr = vmx_process_isr; > + vmx_function_table.handle_eoi = vmx_handle_eoi; > + > + vmx_function_table.pi_update_irte = vmx_pi_update_irte; > + > + vmx_function_table.deliver_posted_intr = vmx_deliver_posted_intr; > + vmx_function_table.sync_pir_to_irr = vmx_sync_pir_to_irr; > + vmx_function_table.test_pir = vmx_test_pir; That said... This (the hooks being conditional in the first place) is bogus to begin with. Posted interrupts (or not) are a per-VM property even if we don't wire this up properly yet. It will be forced to be done properly in order to support nested virt, as L0 Xen *must* comply with the settings chosen by the L1 hypervisor. So the choice to use the hooks will have to come from per-vCPU state, and not from the conditional-ness of them. Any chance I can talk you into instead making the hooks unconditional? If not, someone (George was volunteering) is going to have to undo this in fairly short order. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.