[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling

To: "Jinsong Liu" <jinsong.liu@xxxxxxxxx>, "Jun Nakajima" <jun.nakajima@xxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Mon, 28 Oct 2013 09:29:14 +0000
Cc: "tim@xxxxxxx" <tim@xxxxxxx>, "keir@xxxxxxx" <keir@xxxxxxx>, "andrew.cooper3@xxxxxxxxxx" <andrew.cooper3@xxxxxxxxxx>, Eddie Dong <eddie.dong@xxxxxxxxx>, "zhenzhong.duan@xxxxxxxxxx" <zhenzhong.duan@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, Will Auld <will.auld@xxxxxxxxx>, "suravee.suthikulpanit@xxxxxxx" <suravee.suthikulpanit@xxxxxxx>, "sherry.hurwitz@xxxxxxx" <sherry.hurwitz@xxxxxxx>
Delivery-date: Mon, 28 Oct 2013 09:29:42 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 28.10.13 at 09:31, "Liu, Jinsong" <jinsong.liu@xxxxxxxxx> wrote:
> Jan Beulich wrote:
>> While mentally going through this logic again I noticed, however,
>> that the cache flushing your patch is doing is still insufficient:
>> Doing this just when CD gets set and in the context switch path is not
>> enough. This needs to be done prior to each VM entry, unless it
>> can be proven that the hypervisor (or the service domain) didn't
>> touch guest memory.
> 
> I think it's safe: it only need guarantee no vcpu guest context involved 
> into the small window between cache flushing and TLB invalidation -- after 
> that 
> it doesn't care whether hypervisor touch guest memory or not, since cache is 
> clear and old memory type in TLB is invalidated (and is UC afterwards), so no 
> cache line will be polluted by guest context any more.

No - consider a VM exit while in this mode where, in order to process
it, the hypervisor or service domain touch guest memory. Such
touching will happen with caches being used, and hence unwritten
data may be left in the caches when exiting back to the guest when
there's no wbinvd on the VM entry path. I don't think anything is
being said explicitly anywhere on whether cache contents are being
taken into consideration when CD=0 but PAT enforces UC.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
  - From: Liu, Jinsong

References:
- [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
  - From: Liu, Jinsong
- Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
  - From: Nakajima, Jun
- Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
  - From: Liu, Jinsong
- Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
  - From: Liu, Jinsong
- Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
  - From: Liu, Jinsong

Prev by Date: [Xen-devel] [xen-unstable test] 21262: regressions - FAIL
Next by Date: Re: [Xen-devel] [PATCH] x86/irq: Print direct vector mappings in the 'i' debug key
Previous by thread: Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
Next by thread: Re: [Xen-devel] [PATCH 3/3 V3] XSA-60 security hole: cr0.cd handling
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.