
Re: [PATCH v2 3/3] x86/vmx: Disallow the use of inactivity states


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
  • Date: Tue, 16 Jan 2024 09:27:18 -0500
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Reima Ishii <ishiir@xxxxxxxxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Takahiro Shinagawa <shina@xxxxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
  • Delivery-date: Tue, 16 Jan 2024 14:28:04 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Jan 11, 2024 at 6:13 PM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
>
> Right now, vvmx will blindly copy L12's ACTIVITY_STATE into the L02 VMCS and
> enter the vCPU.  Luckily for us, nested-virt is explicitly unsupported for
> security bugs.
>
> The inactivity states are HLT, SHUTDOWN and WAIT-FOR-SIPI, and as noted by the
> SDM in Vol3 27.7 "Special Features of VM Entry":
>
>   If VM entry ends with the logical processor in an inactive activity state,
>   the VM entry generates any special bus cycle that is normally generated when
>   that activity state is entered from the active state.
>
> Also,
>
>   Some activity states unconditionally block certain events.
>
> I.e. A VMEntry with ACTIVITY=SHUTDOWN will initiate a platform reset, while a
> VMEntry with ACTIVITY=WAIT-FOR-SIPI will really block everything other than
> SIPIs.
>
> Both of these activity states are for the TXT ACM to use, not for regular
> hypervisors, and Xen doesn't support dropping the HLT intercept either.
>
> There are two paths in Xen which operate on ACTIVITY_STATE.
>
> 1) The vmx_{get,set}_nonreg_state() helpers for VM-Fork.
>
>    As regular VMs can't use any inactivity states, this is just duplicating
>    the 0 from construct_vmcs().  Retain the ability to query activity_state,
>    but crash the domain on any attempt to set an inactivity state.
>
> 2) Nested virt, because of ACTIVITY_STATE in vmcs_gstate_field[].
>
>    Explicitly hide the inactivity states in the guest's view of MSR_VMX_MISC,
>    and remove ACTIVITY_STATE from vmcs_gstate_field[].
>
>    In virtual_vmentry(), we should trigger a VMEntry failure for the use of
>    any inactivity states, but there's no support for that in the code at all
>    so leave a TODO for when we finally start working on nested-virt in
>    earnest.
>
> Reported-by: Reima Ishii <ishiir@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
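
The two nested-virt measures described in the quoted commit message (hiding the inactivity states in the guest's view of MSR_VMX_MISC, and failing a virtual VMEntry that uses one) can be modelled as below. This is an added example, not part of the original mail and not Xen's code; the helper names and the sample MSR value are assumptions, while the bit positions and state encodings follow the SDM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Activity-state encodings defined by the SDM. */
enum { ACT_ACTIVE = 0, ACT_HLT = 1, ACT_SHUTDOWN = 2, ACT_WAIT_SIPI = 3 };

/* IA32_VMX_MISC bits 6..8 advertise HLT, SHUTDOWN and WAIT-FOR-SIPI support. */
#define MISC_ACT_HLT       (1ULL << 6)
#define MISC_ACT_SHUTDOWN  (1ULL << 7)
#define MISC_ACT_WAIT_SIPI (1ULL << 8)
#define MISC_ACT_ALL (MISC_ACT_HLT | MISC_ACT_SHUTDOWN | MISC_ACT_WAIT_SIPI)

/* Hypothetical helper: MSR_VMX_MISC as shown to the L1 guest. */
uint64_t guest_vmx_misc(uint64_t host_misc)
{
    return host_misc & ~MISC_ACT_ALL;
}

/* Hypothetical helper: is this state usable under the given MISC value? */
bool activity_state_allowed(uint64_t misc, uint32_t state)
{
    switch (state) {
    case ACT_ACTIVE:    return true;
    case ACT_HLT:       return (misc & MISC_ACT_HLT) != 0;
    case ACT_SHUTDOWN:  return (misc & MISC_ACT_SHUTDOWN) != 0;
    case ACT_WAIT_SIPI: return (misc & MISC_ACT_WAIT_SIPI) != 0;
    default:            return false; /* reserved encodings */
    }
}

/* Hypothetical helper: 0 with *l02 set, or -1 if the virtual VMEntry must fail. */
int merge_activity_state(uint64_t guest_misc, uint32_t l12, uint32_t *l02)
{
    if (!activity_state_allowed(guest_misc, l12))
        return -1;
    *l02 = l12;
    return 0;
}

int main(void)
{
    uint64_t host = 0x1e0; /* constructed sample value: bits 5..8 set */
    for (uint32_t s = 0; s <= 4; s++) {
        uint32_t l02 = ACT_ACTIVE;
        int rc = merge_activity_state(guest_vmx_misc(host), s, &l02);
        printf("L12 state %u: rc=%d, L02 state %u\n", s, rc, l02);
    }
    return 0;
}
```

With the three bits masked, the value advertised to L1 and the entry check agree: only the active state passes, so an inactivity state supplied by L12 never reaches the L02 VMCS.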



 

