[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] x86/boot: Clean up the trampoline transition into Long mode

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Fri, 3 Jan 2020 14:52:53 +0100
Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
Delivery-date: Fri, 03 Jan 2020 13:52:26 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 03.01.2020 14:44, Andrew Cooper wrote:
> On 03/01/2020 13:36, Jan Beulich wrote:
>> On 02.01.2020 15:59, Andrew Cooper wrote:
>>> @@ -111,26 +109,6 @@ trampoline_protmode_entry:
>>>  start64:
>>>          /* Jump to high mappings. */
>>>          movabs  $__high_start, %rdi
>>> -
>>> -#ifdef CONFIG_INDIRECT_THUNK
>>> -        /*
>>> -         * If booting virtualised, or hot-onlining a CPU, sibling threads 
>>> can
>>> -         * attempt Branch Target Injection against this jmp.
>>> -         *
>>> -         * We've got no usable stack so can't use a RETPOLINE thunk, and 
>>> are
>>> -         * further than disp32 from the high mappings so couldn't use
>>> -         * JUMP_THUNK even if it was a non-RETPOLINE thunk.  Furthermore, 
>>> an
>>> -         * LFENCE isn't necessarily safe to use at this point.
>>> -         *
>>> -         * As this isn't a hotpath, use a fully serialising event to reduce
>>> -         * the speculation window as much as possible.  %ebx needs 
>>> preserving
>>> -         * for __high_start.
>>> -         */
>>> -        mov     %ebx, %esi
>>> -        cpuid
>>> -        mov     %esi, %ebx
>>> -#endif
>>> -
>>>          jmpq    *%rdi
>> I can see this being unneeded when running virtualized, as you said
>> in reply to Wei. However, for hot-onlining (when other CPUs may run
>> random vCPU-s) I don't see how this can safely be dropped. There's
>> no similar concern for S3 resume, as thaw_domains() happens only
>> after enable_nonboot_cpus().
> 
> I covered that in the same reply.  Any guest which can use branch target
> injection against this jmp can also poison the regular branch predictor
> and get at data that way.

Aren't you implying then that retpolines could also be dropped?

> Once again, we get to CPU Hotplug being an unused feature in practice,
> which is completely evident now with Intel MCE behaviour.

What does Intel's MCE behavior have to do with whether CPU hotplug
(or hot-onlining) is (un)used in practice?

> A guest can't control/guess when a hotplug even might occur, or where
> exactly this branch is in memory (after all - it is variable based on
> the position of the trampoline), and core scheduling mitigates the risk
> entirely.

"... will mitigate ..." - it's experimental up to now, isn't it?

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] x86/boot: Clean up the trampoline transition into Long mode
  - From: Andrew Cooper

References:
- [Xen-devel] [PATCH] x86/boot: Clean up the trampoline transition into Long mode
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH] x86/boot: Clean up the trampoline transition into Long mode
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH] x86/boot: Clean up the trampoline transition into Long mode
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [PATCH] x86/boot: Clean up the trampoline transition into Long mode
Next by Date: Re: [Xen-devel] [PATCH 7/8] x86/hyperv: retrieve vp_index from Hyper-V
Previous by thread: Re: [Xen-devel] [PATCH] x86/boot: Clean up the trampoline transition into Long mode
Next by thread: Re: [Xen-devel] [PATCH] x86/boot: Clean up the trampoline transition into Long mode
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.