
Re: [Xen-devel] [PATCH 4/4] XSA-60 security hole: flush cache when vmentry back to UC guest



Jan Beulich wrote:
>>>> On 30.10.13 at 17:07, "Liu, Jinsong" <jinsong.liu@xxxxxxxxx> wrote:
>> From 159251a04afcdcd8ca08e9f2bdfae279b2aa5471 Mon Sep 17 00:00:00 2001
>> From: Liu Jinsong <jinsong.liu@xxxxxxxxx>
>> Date: Thu, 31 Oct 2013 06:38:15 +0800
>> Subject: [PATCH 4/4] XSA-60 security hole: flush cache when vmentry back to UC guest
>> 
>> This patch flushes the cache on vmentry back to a UC guest, to prevent
>> the cache from being polluted by hypervisor accesses to guest memory
>> during UC mode.
>> 
>> The elegant way to do this is to simply add wbinvd just before vmentry.
>> However, currently wbinvd before vmentry mysteriously triggers a
>> lapic timer interrupt storm, hanging the boot stage for 10s ~ 60s. We
>> still haven't dug out the root cause of the interrupt storm, so currently
>> this patch adds a flag indicating hypervisor access to UC guest memory to
>> prevent the interrupt storm problem. Once the interrupt storm is root
>> caused and fixed, the protection flag can be removed.
> 
> Yeah, almost, except that
> - the flag should be per-vCPU
> - you should mention in the description that this still leaves aspects
>   un-addressed (speculative reads at least, and multi-vCPU issues,
>   and I'm sure there are more that I didn't think of so far)
> 
> Jan
> 

Update, thanks! Jinsong
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

