[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] XSA-60 solutions

To: Jan Beulich <JBeulich@xxxxxxxx>, "Nakajima, Jun" <jun.nakajima@xxxxxxxxx>, Keir Fraser <keir@xxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
From: "Liu, Jinsong" <jinsong.liu@xxxxxxxxx>
Date: Mon, 7 Oct 2013 14:29:33 +0000
Accept-language: en-US
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, "zhenzhong.duan@xxxxxxxxxx" <zhenzhong.duan@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, "Auld, Will" <will.auld@xxxxxxxxx>, "suravee.suthikulpanit@xxxxxxx" <suravee.suthikulpanit@xxxxxxx>, "sherry.hurwitz@xxxxxxx" <sherry.hurwitz@xxxxxxx>
Delivery-date: Mon, 07 Oct 2013 14:29:57 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>
Thread-index: Ac6+G61iULkUAOZTS4WGR8o9roAbtwAAYiZQAVL38AA=
Thread-topic: XSA-60 solutions

Hi, All

Any comments/suggestions?

Thanks,
Jinsong


Liu, Jinsong wrote:
> Liu, Jinsong wrote:
>> Hi, All
>> 
>> This email provides 2 solutions for XSA-60 issue found by Konrad
>> (refer attached email for XSA-60 please).
>> 
>> Basically it involves how to emulate guest setting cr0.cd. For
>> shadow, as Jan pointed out in earlier email Xen drop all shadows so
>> that any new ones would be created with UC memory type, _not_
>> involving iteration over the whole address space. For EPT, currently
>> Xen traverse all ept entries via problematic set_uc_mode, resulting
>> in DOS-like behavior, so this email focus on Intel EPT case.
>> 
>> Solution 1 is Dual-EPT tables: When guest setting cr0.cd trapped,
>> stop using normal EPT, switch to a temp EPT table and populate new
>> EPT entries w/ UC type on demand at later EPT violation. When guest
>> clearing cr0.cd, switch back to normal EPT. In this way, _no_
>> unbounded loop involved and hence security hole avoided.
>> 
>> Some concerns for Dual-EPT: the 1st concern comes from cachablity
>> confliction between guest and Xen memory type point of view, though
>> it also exists in current implementation. The 2nd concern comes from
>> Dual EPT tables inconsistency/sync issue: things become complicated
>> when p2m modifying, PoD populating, and super page spliting, etc.
>> 
>> Solution 2 is via PAT emulation: For guest w/o VT-d, and for guest
>> with VT-d but snooped, Xen need do nothing, just simply ignore guest
>> setting cr0.cd, since hardware snoop mechanism has ensured cache
>> coherency (under these cases currently Xen has set EPT iPAT bit,
>> ignore guest's memory type opinion); For guest with VT-d but
>> non-snooped, cache coherency can not be guaranteed by h/w snoop so
>> guest's memory type opinion must be considered (under this case Xen
>> set iPAT bit combining guest and host memory type opinion). Only
> 
> Sorry, under this case Xen _clear_ iPAT, combining guest and host
> memory type opinion. 
> 
> Thanks,
> Jinsong
> 
>> under this case PAT emulation need set all IA32_PAT fields as UC so
>> that guest memory type are all UC.
>> 
>> Concern for PAT solution still comes from cachablity confliction
>> between guest and Xen. 
>> 
>> Thoughts?
>> BTW, today is Chinese National day, I will have several days travel
>> with no email access, but your comments/suggestions are highly
>> appreciated and I will reply ASAP after I come back.
>> 
>> Thanks,
>> Jinsong


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] XSA-60 solutions
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCHv1 net] xen-netback: transition to CLOSED when removing a VIF
Next by Date: [Xen-devel] [PATCH] xen/arm32: Call start_xen only on the boot CPU
Previous by thread: Re: [Xen-devel] XSA-60 solutions
Next by thread: Re: [Xen-devel] XSA-60 solutions
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.