
Re: [Xen-devel] Bisected Xen-unstable: "Segment register inaccessible for d1v0" when starting HVM guest on intel

>>> On 02.07.14 at 06:23, <feng.wu@xxxxxxxxx> wrote:
>> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
>> >>> On 01.07.14 at 11:03, <feng.wu@xxxxxxxxx> wrote:
>> >> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
>> >> supervisor mode. That points out another problem here: Accesses
>> >> like the setting of a segment descriptor's accessed bit or the A/D
>> >> bit in a page table entry also need to be done as if in supervisor
>> >> mode, i.e. we need some kind of mode override also for other
>> >> purposes. Yet I don't think that's going to be too intrusive a
>> >> change: Everything here happens on "current", i.e. we can set
>> >> and clear a mode override on the respective call paths.
>> >
>> > I am sorry, I don't quite understand the problem you mentioned here.
>> > Could you please elaborate a bit more on it? Thanks a lot!
>> This is referring to exactly what you quote below - implicit supervisor
>> mode accesses. Except that the paging A/D bit setting is sort of
>> different because it is physical address based (so I probably would
>> better not have mentioned it above).
> You said "Accesses like the setting of a segment descriptor's accessed bit
> ... also need to be done as if in supervisor mode". Considering implicit
> supervisor mode accesses happen when CPL=3, do you mean the following scenario?
> Xen uses hvm_get_segment_register()/hvm_set_segment_register() to
> access guest's segment registers while guest CPL=3.

No, I mean the emulation of a selector register load operation, which
needs to set the accessed bit in the referenced segment descriptor.
But that's a different topic anyway, so let's focus on the issue at hand.

>> > Also, for SMAP, hardware behaves differently between CPL=3 and CPL<3,
>> >
>> > " If CPL < 3, SMAP protections are disabled if EFLAGS.AC = 1. If CPL = 3,
>> > SMAP applies to all supervisor-mode data accesses (these are implicit
>> > supervisor accesses) regardless of the value of EFLAGS.AC."
>> Ah, right, I mis-read the combination of conditions. Which implies
>> that in the spirit of this we mustn't bypass the CPL check by way
>> of the flag suggested by Andrew (or else the hypervisor copy/clear
>> operations wouldn't be treated as supervisor mode accesses in the
>> sense above anymore).
> I am a little confused now. The destination guest virtual address the
> hypervisor will write to/read from is always in a supervisor page, right?
> If this is the case, the SMAP check is not needed since it is only used
> for accesses to pages that are accessible in user mode.

But that's the point of SMAP: Avoid supervisor mode accesses to
anything that's user accessible. Hence all implicitly supervisor mode
accesses Xen does (whether or not for emulation purposes) should
be subject to verification when SMAP is enabled.

> In other words, is it possible for the hypervisor to access a guest user page?
> If this can happen, I think we should check CPL, since a SMAP violation may
> occur during translating a guest virtual address to a guest physical address.

Correct. The question just is how to safely get at the guest's CPL, or
how to override it (to, say, always imply user mode on non-emulation
Xen accesses like the one here, i.e. to enforce the SMAP check
regardless of guest CPL/EFLAGS.AC).
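
The SMAP rule quoted above (CPL < 3: AC=1 disables it; CPL = 3: implicit supervisor accesses are checked regardless of AC) and the override proposed at the end of this reply (treat Xen's own non-emulation accesses as if at CPL 3 so the check always applies), as an added C model that is not Xen's code and not part of the original message. All names here (walk_user_accessible, smap_violation, guest_access_faults, the access_origin enum) are hypothetical, the PTE chains are constructed, and only the U/S bit of each level is modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the SMAP rule discussed in the thread (not Xen code):
 * a supervisor-mode data access to a user-accessible page raises #PF when
 *   - CPL < 3 and EFLAGS.AC == 0, or
 *   - CPL == 3, in which case the access is an implicit supervisor access
 *     and EFLAGS.AC is ignored.
 * User-mode accesses (CPL == 3, not implicit) are never subject to SMAP.
 */

#define PTE_USER (1ULL << 2)   /* U/S bit, same position at every paging level */

/* Who is performing the access; all names here are hypothetical. */
enum access_origin {
    ORIGIN_GUEST_INSN,      /* data access of a guest instruction at its CPL */
    ORIGIN_IMPLICIT_SUPER,  /* implicit supervisor access (descriptor tables etc.) */
    ORIGIN_HYPERVISOR,      /* Xen's own copy/clear into guest memory, with the
                             * override suggested in the thread: behave like an
                             * implicit supervisor access at CPL 3, so SMAP applies
                             * regardless of guest CPL and EFLAGS.AC */
};

struct guest_ctx {
    unsigned int cpl;   /* 0..3 */
    bool eflags_ac;
    bool cr4_smap;
};

/* A linear address is user-accessible only if U/S is set at every level. */
bool walk_user_accessible(const uint64_t *ptes, unsigned int levels)
{
    for (unsigned int i = 0; i < levels; i++)
        if (!(ptes[i] & PTE_USER))
            return false;
    return true;
}

/* Returns true if the access must fault under SMAP. */
bool smap_violation(const struct guest_ctx *g, enum access_origin origin, bool page_user)
{
    unsigned int eff_cpl;

    if (!g->cr4_smap || !page_user)
        return false;           /* SMAP only guards user-accessible pages */

    switch (origin) {
    case ORIGIN_GUEST_INSN:
        if (g->cpl == 3)
            return false;       /* user-mode access: SMAP does not apply */
        eff_cpl = g->cpl;
        break;
    case ORIGIN_IMPLICIT_SUPER:
        eff_cpl = g->cpl;       /* supervisor access even when CPL == 3 */
        break;
    case ORIGIN_HYPERVISOR:
        eff_cpl = 3;            /* override: act as CPL 3 whatever the guest state */
        break;
    default:
        return false;
    }

    /* CPL < 3: AC=1 disables SMAP. CPL == 3: implicit supervisor, AC ignored. */
    return eff_cpl < 3 ? !g->eflags_ac : true;
}

/* Run a 4-level U/S walk and the SMAP decision together. */
bool guest_access_faults(const struct guest_ctx *g, enum access_origin origin,
                         const uint64_t ptes[4])
{
    return smap_violation(g, origin, walk_user_accessible(ptes, 4));
}

int main(void)
{
    /* Constructed PTE chains: only the U/S bit matters for this model. */
    const uint64_t user_page[4]  = { PTE_USER, PTE_USER, PTE_USER, PTE_USER };
    const uint64_t super_page[4] = { PTE_USER, PTE_USER, 0, PTE_USER };
    struct guest_ctx g = { .cpl = 0, .eflags_ac = true, .cr4_smap = true };

    printf("CPL0 AC=1 guest insn   -> fault=%d\n",
           guest_access_faults(&g, ORIGIN_GUEST_INSN, user_page));
    printf("CPL0 AC=1 Xen access   -> fault=%d\n",
           guest_access_faults(&g, ORIGIN_HYPERVISOR, user_page));
    g.cpl = 3;
    printf("CPL3 AC=1 implicit     -> fault=%d\n",
           guest_access_faults(&g, ORIGIN_IMPLICIT_SUPER, user_page));
    printf("CPL3 supervisor page   -> fault=%d\n",
           guest_access_faults(&g, ORIGIN_IMPLICIT_SUPER, super_page));
    return 0;
}
```

The second and third cases are the ones the thread turns on: with the override, a hypervisor copy into a user-accessible guest page is rejected even at CPL 0 with AC=1, while a genuine guest supervisor access at CPL 0 with AC=1 is still allowed, and a CPL 3 implicit supervisor access is rejected whatever AC says.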

