Xen project Mailing List

Re: [PATCH v2 3/3] x86/vmx: Disallow the use of inactivity states

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 12 Jan 2024 11:37:53 +0100

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Reima Ishii <ishiir@xxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Takahiro Shinagawa <shina@xxxxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 12 Jan 2024 10:38:03 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 12.01.2024 00:13, Andrew Cooper wrote: > Right now, vvmx will blindly copy L12's ACTIVITY_STATE into the L02 VMCS and > enter the vCPU. Luckily for us, nested-virt is explicitly unsupported for > security bugs. > > The inactivity states are HLT, SHUTDOWN and WAIT-FOR-SIPI, and as noted by the > SDM in Vol3 27.7 "Special Features of VM Entry": > > If VM entry ends with the logical processor in an inactive activity state, > the VM entry generates any special bus cycle that is normally generated when > that activity state is entered from the active state. > > Also, > > Some activity states unconditionally block certain events. > > I.e. A VMEntry with ACTIVITY=SHUTDOWN will initiate a platform reset, while a > VMEntry with ACTIVITY=WAIT-FOR-SIPI will really block everything other than > SIPIs. > > Both of these activity states are for the TXT ACM to use, not for regular > hypervisors, and Xen doesn't support dropping the HLT intercept either. > > There are two paths in Xen which operate on ACTIVITY_STATE. > > 1) The vmx_{get,set}_nonreg_state() helpers for VM-Fork. > > As regular VMs can't use any inactivity states, this is just duplicating > the 0 from construct_vmcs(). Retain the ability to query activity_state, > but crash the domain on any attempt to set an inactivity state. > > 2) Nested virt, because of ACTIVITY_STATE in vmcs_gstate_field[]. > > Explicitly hide the inactivity states in the guest's view of MSR_VMX_MISC, > and remove ACTIVITY_STATE from vmcs_gstate_field[]. > > In virtual_vmentry(), we should trigger a VMEntry failure for the use of > any inactivity states, but there's no support for that in the code at all > so leave a TODO for when we finally start working on nested-virt in > earnest. > > Reported-by: Reima Ishii <ishiir@xxxxxxxxxxxxxxxxxxx> > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> with one remark/suggestion: > --- a/xen/arch/x86/hvm/vmx/vmx.c > +++ b/xen/arch/x86/hvm/vmx/vmx.c > @@ -1551,7 +1551,10 @@ static void cf_check vmx_set_nonreg_state(struct vcpu > *v, > { > vmx_vmcs_enter(v); > > - __vmwrite(GUEST_ACTIVITY_STATE, nrs->vmx.activity_state); > + if ( nrs->vmx.activity_state ) > + domain_crash(v->domain, "Attempt to set activity_state %#lx\n", > + nrs->vmx.activity_state); Might be useful to log the offending vCPU here? Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.