
Re: [Xen-devel] Bisected Xen-unstable: "Segment register inaccessible for d1v0" when starting HVM guest on intel

> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> Sent: Wednesday, July 02, 2014 3:02 PM
> To: Wu, Feng
> Cc: Andrew Cooper; Sander Eikelenboom; xen-devel@xxxxxxxxxxxxxxxxxxxx
> Subject: RE: [Xen-devel] Bisected Xen-unstable: "Segment register inaccessible
> for d1v0" when starting HVM guest on intel
> >>> On 02.07.14 at 06:23, <feng.wu@xxxxxxxxx> wrote:
> >> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> >> >>> On 01.07.14 at 11:03, <feng.wu@xxxxxxxxx> wrote:
> >> >> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> >> >> supervisor mode. That points out another problem here: Accesses
> >> >> like the setting of a segment descriptor's accessed bit or the A/D
> >> >> bit in a page table entry also need to be done as if in supervisor
> >> >> mode, i.e. we need some kind of mode override also for other
> >> >> purposes. Yet I don't think that's going to be too intrusive a
> >> >> change: Everything here happens on "current", i.e. we can set
> >> >> and clear a mode override on the respective call paths.
> >> >
> >> > I am sorry, I don't quite understand the problem you mentioned here.
> >> > Could you please elaborate a bit more on it? Thanks a lot!
> >>
> >> This is referring to exactly what you quote below - implicit supervisor
> >> mode accesses. Except that the paging A/D bit setting is sort of
> >> different because it is physical address based (so I probably would
> >> better not have mentioned it above).
> >>
> >
> > You said "Accesses like the setting of a segment descriptor's accessed bit
> > ... also need to be done as if in supervisor mode". Considering implicit
> > supervisor mode accesses happen when CPL=3, do you mean the following scenario?
> >
> > Xen uses hvm_get_segment_register()/hvm_set_segment_register() to
> > access guest's segment registers while guest CPL=3.
> No, I mean the emulation of a selector register load operation, which
> needs to set the accessed bit in the referenced segment descriptor.
> But that's a different topic anyway, so let's focus on the issue at hand.

Okay, one more question about this. I went through the relevant code, and it seems
the bit in the segment descriptor is not set when Xen emulates a selector register
load, right?

> >> > Also, for SMAP hardware behaves differently between CPL=3 and CPL<3,
> >> >
> >> > " If CPL < 3, SMAP protections are disabled if EFLAGS.AC = 1. If CPL = 3,
> >> > SMAP applies to all supervisor-mode data accesses (these are implicit
> >> > supervisor accesses) regardless of the value of EFLAGS.AC."
> >>
> >> Ah, right, I mis-read the combination of conditions. Which implies
> >> that in the spirit of this we mustn't bypass the CPL check by way
> >> of the flag suggested by Andrew (or else the hypervisor copy/clear
> >> operations wouldn't be treated as supervisor mode accesses in the
> >> sense above anymore).
> >
> > I am a little confused now. The destination guest virtual address the hypervisor
> > will write to/read from is always in a supervisor page, right? If this is the
> > case, the SMAP check is not needed, since it is only used for accesses to pages
> > that are accessible in user mode.
> But that's the point of SMAP: Avoid supervisor mode accesses to
> anything that's user accessible. Hence all implicitly supervisor mode
> accesses Xen does (whether or not for emulation purposes) should
> be subject to verification when SMAP is enabled.

In the native case, when application code running at CPL=3 executes 'movl %eax, 
it will trigger an implicit supervisor mode access, since this operation will
also load the segment descriptor into the hidden part of the segment register.

What kind of implicit supervisor mode accesses does Xen do? Since implicit
supervisor mode accesses only happen when CPL=3, the only way I can think of 
is for emulation, e.g. Xen uses hvm_set_segment_register() to set the guest's 
registers while the guest is at CPL=3. But how should we check SMAP for this case?
In the native case, I don't think there will be a SMAP violation for implicit
supervisor mode accesses, since these data are mapped as supervisor pages.

> > In other words, is it possible for the hypervisor to access a guest user page?
> > If this can happen, I think we should check CPL, since a SMAP violation may
> > occur during translation of a guest virtual address to a guest physical address.
> Correct. The question just is how to safely get at the guest's CPL, or
> how to override it (to, say, always imply user mode on non-emulation
> Xen accesses like the one here, i.e. to enforce the SMAP check
> regardless of guest CPL/EFLAGS.AC).

So, in fact, the only thing we need to do for this issue is to find a way to get
the guest's CPL, since the current way doesn't work because of scheduling.
We don't need to change the other logic in the code. Is my understanding right?


> Jan
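As an added illustration of the SMAP rule argued over in this thread (not code from Xen or from either poster): a constructed model of the SDM condition quoted above, plus the "mode override" Jan proposes for non-emulation accesses Xen makes to guest virtual addresses. The struct, bit constants and both function names are hypothetical, chosen only to make the decision table runnable.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed subset of the architectural bits involved in the SMAP rule. */
#define PTE_US     (1u << 2)    /* U/S bit: page is accessible at CPL=3 */
#define CR4_SMAP   (1u << 21)
#define EFLAGS_AC  (1u << 18)

/* Constructed description of the (guest) context an access is made in. */
struct access_ctx {
    unsigned int cpl;     /* current privilege level, 0..3 */
    uint32_t cr4;
    uint32_t eflags;
};

/*
 * Does SMAP fault a supervisor-mode data access to a page with these PTE
 * bits?  Mirrors the SDM text quoted in the thread: at CPL<3, EFLAGS.AC=1
 * disables SMAP; at CPL=3 every supervisor access is implicit and is
 * checked regardless of AC.  Supervisor pages are never subject to SMAP.
 */
bool smap_faults_supervisor_access(const struct access_ctx *c, uint32_t pte)
{
    if (!(c->cr4 & CR4_SMAP))
        return false;                 /* SMAP not enabled */
    if (!(pte & PTE_US))
        return false;                 /* supervisor page: SMAP irrelevant */
    if (c->cpl < 3)
        return !(c->eflags & EFLAGS_AC);
    return true;                      /* CPL=3: implicit access, AC ignored */
}

/*
 * Xen touching a guest virtual address on the guest's behalf (hypothetical
 * model).  'emulation' is true when the access is part of emulating a guest
 * instruction, so the guest's own CPL/AC apply; otherwise the override
 * proposed in the thread treats the access as if the guest were at CPL=3,
 * i.e. the SMAP check is enforced regardless of guest CPL/EFLAGS.AC.
 */
bool xen_guest_access_faults(const struct access_ctx *guest, bool emulation,
                             uint32_t pte)
{
    struct access_ctx effective = *guest;
    if (!emulation)
        effective.cpl = 3;            /* mode override: always "user mode" */
    return smap_faults_supervisor_access(&effective, pte);
}
```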
