
Re: [PATCH for-4.14] x86/msr: Disallow access to Processor Trace MSRs


  • To: Michał Leszczyński <michal.leszczynski@xxxxxxx>, "Jan Beulich" <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Fri, 19 Jun 2020 14:26:37 +0100
  • Authentication-results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Fri, 19 Jun 2020 13:26:53 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 19/06/2020 13:57, Michał Leszczyński wrote:
> ----- On 19 Jun 2020 at 14:49, Jan Beulich jbeulich@xxxxxxxx wrote:
>
>> On 19.06.2020 14:10, Michał Leszczyński wrote:
>>> ----- On 19 Jun 2020 at 13:58, Andrew Cooper andrew.cooper3@xxxxxxxxxx wrote:
>>>
>>>> We do not expose the feature to guests, so should disallow access to the
>>>> respective MSRs.
>>>>
>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>>> ---
>>>> CC: Jan Beulich <JBeulich@xxxxxxxx>
>>>> CC: Wei Liu <wl@xxxxxxx>
>>>> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
>>>> CC: Paul Durrant <paul@xxxxxxx>
>>>> CC: Michał Leszczyński <michal.leszczynski@xxxxxxx>
>>>>
>>>> Paul: For 4.14.  This needs backporting to older trees as well.
>>>>
>>>> Michał: CC'ing, just to keep you in the loop.  Xen has some dubious default
>>>> MSR semantics which we're still in the middle of untangling in a backwards
>>>> compatible way.  Patches like this will eventually not be necessary, but
>>>> they are for now.
>>>
>>> As for external IPT monitoring, it would be best if the VM would think
>>> that IPT is simply not supported at all by the underlying hypervisor.
>> This is already the case, isn't it? Yet not reporting a feature may
>> not keep a guest from trying to access the respective MSRs.
>>
>> Jan
>
> Okay, understood :)

Hiding bits in CPUID doesn't magically make the feature disappear out of
the pipeline.

Some things we can effectively disable (using suitable intercepts to
audit changes to control registers), but for most instruction groups,
it's trivial to discover if the pipeline supports them, via fault analysis.

Despite the software manuals being clear on the matter, not all code
checks CPUID properly before poking features.  If anything in your VM
does do this, then it is likely to crash on migrate, so wherever
possible, block access at all levels, not just in CPUID.

(Windows DRM/Anti-cheat systems seem to have a particular knack for
finding features we haven't disabled properly, and architectural corner
cases we don't cope with correctly.)

~Andrew
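
The point made in the message above, as an added example that is not part of the original thread and is not Xen code: a toy model of a guest that reads an Intel PT MSR without checking CPUID, before and after migrating from a host with PT to one without. The `toy_*` names, the struct, and the simplification that an unblocked access simply behaves as the host hardware does are assumptions; the MSR indices and the CPUID bit are the architectural ones from the Intel SDM.

```c
#include <stdbool.h>
#include <stdint.h>

/* Intel PT (RTIT) MSR indices and CPUID bit, per the Intel SDM. */
#define MSR_RTIT_OUTPUT_BASE 0x560u
#define MSR_RTIT_OUTPUT_MASK 0x561u
#define MSR_RTIT_CTL         0x570u
#define MSR_RTIT_CR3_MATCH   0x572u  /* 0x571 (STATUS) lies in between */
#define MSR_RTIT_ADDR0_A     0x580u
#define MSR_RTIT_ADDR3_B     0x587u
#define CPUID7_EBX_INTEL_PT  (1u << 25) /* CPUID.(EAX=7,ECX=0):EBX[25] */

enum msr_result { MSR_OK, MSR_GP_FAULT };

/* Hypothetical toy model of one vCPU on one host; not Xen's structures. */
struct toy_vcpu {
    uint32_t guest_cpuid7_ebx; /* feature bits the guest is shown */
    bool hw_has_pt;            /* does this host's pipeline implement PT? */
    bool block_hidden_msrs;    /* false: accesses fall through to hardware */
};

static bool is_rtit_msr(uint32_t idx)
{
    return idx == MSR_RTIT_OUTPUT_BASE || idx == MSR_RTIT_OUTPUT_MASK ||
           (idx >= MSR_RTIT_CTL && idx <= MSR_RTIT_CR3_MATCH) ||
           (idx >= MSR_RTIT_ADDR0_A && idx <= MSR_RTIT_ADDR3_B);
}

/* Outcome of a guest RDMSR that never consulted CPUID first. */
enum msr_result toy_guest_rdmsr(const struct toy_vcpu *v, uint32_t idx)
{
    if (!is_rtit_msr(idx))
        return MSR_OK; /* other MSRs are out of scope for this model */
    if (!(v->guest_cpuid7_ebx & CPUID7_EBX_INTEL_PT) && v->block_hidden_msrs)
        return MSR_GP_FAULT; /* hidden in CPUID and blocked at the MSR level */
    return v->hw_has_pt ? MSR_OK : MSR_GP_FAULT; /* whatever hardware does */
}

/* Same guest, migrated from a host with PT to one without: same result? */
bool toy_stable_across_migration(bool block_hidden_msrs)
{
    struct toy_vcpu src = { 0, true,  block_hidden_msrs };
    struct toy_vcpu dst = { 0, false, block_hidden_msrs };
    return toy_guest_rdmsr(&src, MSR_RTIT_CTL) ==
           toy_guest_rdmsr(&dst, MSR_RTIT_CTL);
}

int main(void) { return toy_stable_across_migration(true) ? 0 : 1; }
```

With the CPUID bit hidden but the MSRs left reachable, the read succeeds on the first host and faults on the second; with the MSRs blocked as well, the guest sees the same fault on both.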



 

