
Re: [Xen-devel] [PATCH] x86-64: refine the XSA-9 fix


  • To: Jan Beulich <JBeulich@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxx>
  • From: Keir Fraser <keir@xxxxxxx>
  • Date: Mon, 18 Jun 2012 15:06:35 +0100
  • Delivery-date: Mon, 18 Jun 2012 14:07:08 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>
  • Thread-index: Ac1NW5H5zkdulotI6UCNquq/ybVutg==
  • Thread-topic: [Xen-devel] [PATCH] x86-64: refine the XSA-9 fix

On 13/06/2012 11:04, "Jan Beulich" <JBeulich@xxxxxxxx> wrote:

> Our product management wasn't happy with the "solution" for XSA-9, and
> demanded that customer systems must continue to boot. Rather than
> having our and perhaps other distros carry non-trivial patches, allow
> for more fine grained control (panic on boot, deny guest creation, or
> merely warn) by means of a single line change.

All this seems to allow is to boot but not create domU-s. Which seems a bit
pointless.

 -- Keir

> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> --- a/xen/arch/x86/cpu/amd.c
> +++ b/xen/arch/x86/cpu/amd.c
> @@ -32,8 +32,11 @@
>  static char opt_famrev[14];
>  string_param("cpuid_mask_cpu", opt_famrev);
>  
> -static bool_t opt_allow_unsafe;
> +#ifdef __x86_64__
> +/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */
> +s8 __read_mostly opt_allow_unsafe = -1;
>  boolean_param("allow_unsafe", opt_allow_unsafe);
> +#endif
>  
>  static inline void wrmsr_amd(unsigned int index, unsigned int lo,
> unsigned int hi)
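Review bot: the command-line mapping of the new tri-state is not documented at its definition. `boolean_param("allow_unsafe", opt_allow_unsafe)` is applied to an `s8`, which works only because the boolean parser stores a one-byte value, and it means the three states are reached as: option absent -> -1 (panic at boot), `allow_unsafe` -> 1 (allow), and only an explicit `allow_unsafe=0`/`no-allow_unsafe` -> 0 (boot but refuse DomU creation). The comment `/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */` should say which command-line spelling selects each value, and the reliance on `sizeof(s8) == sizeof(bool_t)` deserves a note or a `BUILD_BUG_ON`, since a later change of the variable's type would silently break parsing.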
> @@ -496,10 +499,19 @@ static void __devinit init_amd(struct cp
> clear_bit(X86_FEATURE_MWAIT, c->x86_capability);
>  
>  #ifdef __x86_64__
> - if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
> + if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121))
> +  opt_allow_unsafe = 1;
> + else if (opt_allow_unsafe < 0)
> panic("Xen will not boot on this CPU for security reasons.\n"
>      "Pass \"allow_unsafe\" if you're trusting all your"
>      " (PV) guest kernels.\n");
> + else if (!opt_allow_unsafe && c == &boot_cpu_data)
> +  printk(KERN_WARNING
> +         "*** Xen will not allow creation of DomU-s on"
> +         " this CPU for security reasons. ***\n"
> +         KERN_WARNING
> +         "*** Pass \"allow_unsafe\" if you're trusting"
> +         " all your (PV) guest kernels. ***\n");
>  
> /* AMD CPUs do not support SYSENTER outside of legacy mode. */
> clear_bit(X86_FEATURE_SEP, c->x86_capability);
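Review bot: nothing is logged at boot in the "allow" case. The `else if (!opt_allow_unsafe && c == &boot_cpu_data)` branch warns only when DomU creation will be refused; when the administrator passes `allow_unsafe` on an affected CPU the hypervisor boots silently, and the only record that the system is running with the erratum-121 mitigation waived is the per-domain `XENLOG_G_WARNING` emitted later in `arch_domain_create`. Consider adding a third branch for `opt_allow_unsafe > 0 && c == &boot_cpu_data` that prints a single `KERN_WARNING` line, so the configuration is visible in the boot log even on a host that never creates a guest. Also note that the unconditional `opt_allow_unsafe = 1` for CPUs without the erratum makes the variable double as an "erratum absent" flag; that is fine, but worth a comment since the `domain.c` hunk re-checks `cpu_has_amd_erratum()` as if it were not.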
> --- a/xen/arch/x86/domain.c
> +++ b/xen/arch/x86/domain.c
> @@ -55,6 +55,7 @@
>  #include <asm/traps.h>
>  #include <asm/nmi.h>
>  #include <asm/mce.h>
> +#include <asm/amd.h>
>  #include <xen/numa.h>
>  #include <xen/iommu.h>
>  #ifdef CONFIG_COMPAT
> @@ -531,6 +532,20 @@ int arch_domain_create(struct domain *d,
>  
>  #else /* __x86_64__ */
>  
> +    if ( d->domain_id && !is_idle_domain(d) &&
> +         cpu_has_amd_erratum(&boot_cpu_data, AMD_ERRATUM_121) )
> +    {
> +        if ( !opt_allow_unsafe )
> +        {
> +            printk(XENLOG_G_ERR "Xen does not allow DomU creation on this
> CPU"
> +                   " for security reasons.\n");
> +            return -EPERM;
> +        }
> +        printk(XENLOG_G_WARNING
> +               "Dom%d may compromise security on this CPU.\n",
> +               d->domain_id);
> +    }
> +
>      BUILD_BUG_ON(PDPT_L2_ENTRIES * sizeof(*d->arch.mm_perdomain_pt_pages)
>                   != PAGE_SIZE);
>      pg = alloc_domheap_page(NULL, MEMF_node(domain_to_node(d)));
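Review bot: the exemption of dom0 and the scope of the refusal are implicit and should be stated. `d->domain_id && !is_idle_domain(d)` skips dom0 by virtue of its id being 0, which matches the stated intent (only "guest kernels" are distrusted), but a one-line comment would save the next reader from wondering whether dom0 was forgotten. Separately, the boot-time messages single out "(PV) guest kernels" while this check refuses every non-zero domain regardless of type; if HVM guests are not affected by the erratum the condition could be narrowed (e.g. with `!is_hvm_domain(d)`), and if they are, the messages should not mention PV specifically. Minor: `cpu_has_amd_erratum(&boot_cpu_data, AMD_ERRATUM_121)` is redundant with `opt_allow_unsafe` having been forced to 1 in `init_amd()` on unaffected CPUs, so either drop it or keep it and say in a comment that it is there for readability.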
> --- a/xen/include/asm-x86/amd.h
> +++ b/xen/include/asm-x86/amd.h
> @@ -147,6 +147,8 @@ struct cpuinfo_x86;
>  int cpu_has_amd_erratum(const struct cpuinfo_x86 *, int, ...);
>  
>  #ifdef __x86_64__
> +extern s8 opt_allow_unsafe;
> +
>  void fam10h_check_enable_mmcfg(void);
>  void check_enable_amd_mmconf_dmi(void);
>  #endif
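Review bot: the value semantics of `opt_allow_unsafe` are documented only beside the definition in `amd.c`, but `domain.c` is now a consumer and will look here. Copy the `1 = allow, 0 = don't allow guest creation, -1 = don't allow boot` comment onto the `extern s8 opt_allow_unsafe;` declaration so callers comparing against 0 know what they are testing.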
> 
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel
