[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Revert of the 4.17 hypercall handler changes Re: [PATCH-for-4.17] xen: fix generated code for calling hypercall handlers


  • To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • From: George Dunlap <George.Dunlap@xxxxxxxxxx>
  • Date: Wed, 9 Nov 2022 20:16:10 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mnwwo6rFXfDvbocKGyBzR6K3h6CcGpWdic+HRT3+kw8=; b=YM/oL2oRYUwt0CoTYOr4vKUXKi9CdhtoTnGUWGlncmt3A6wyn1p/TKJfMRsKuCh7qdFvDBw9yvJimk3yE1tsBp/3jzLyYLwD1F6tcxONw2R7Go9jIOWlUAs5bZuSzU12efzhq1EM3vnANzF5s3H8Ge6hg/7kfKgsoBA1FRce6QU7iihSfZTzRRwCVRbM2GWmyCmH2O5GYFa4qhlWgZ73GU3syR/DL0o5mxTo6ZemLvq8JJo7dozrQ25eTkRpLlbAJxhISmKJEzC1klG55o9yevJUQ7KQjhk8pvRTEmKDqbphn6hX/yqnMtSXSCfH9S9MHEsp77PAIfUWF6UtEXWAxA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=a1hD8IbQuDhliSdhfjUXAM50VcVy88yLzAslW6ComOpRYrQ5BDDlBo0twYBgKRQUoMZuMGJo4h6UNTo7GJnDLKnK+tmQuWzf0LMjbXtxinhCCDgwsQOeU9OHGYQLeLcj7sEYYkmwQmKq6oNIgtWmsgSE0wBxlDcB4qIphWkInNIXB/2TLxQdiB8a/neyYu35ZUHzaVHkvuFsoUHYDtlLUaMKtyAvam2rwrk8Be5eslZMu/0Ttt6qmqDUsxAYe0o7aYWXxMU+ATHF+1bnvbcSeb1DhrlXvdIJ3cZN6gENofHUsU3EuK3Z8E3lnx280tHZYM3xlgElGnCC+QwNuRk4mQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Juergen Gross <jgross@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>
  • Delivery-date: Wed, 09 Nov 2022 20:16:26 +0000
  • Ironport-data: A9a23:N1wBoaxlv8mMr/w8H/Z6t+dRxirEfRIJ4+MujC+fZmQN5Y8a5oE1v iFGDjfXfrrIN3ykOIpG3L7Go0kCuJTRmt9hTARu+CBjQS0W8saaC4jHJEypZXKbcZXPEhg2s ZxBNonNdJA+FCKE/xmgaOCwpiMljPrZT7D3UYYoVswJqSpMEU/N3jo/y75RbvdUvOWE7yOxV fLa8pSPM1T50jUuajtP5/zSoUM/4quj4G1HtAI0Oa5F5QWPy3VNAJwhfqzgdHGQrqu4vAKZb 72akOzmpDOxEzMFUI7NfmPTKxVSKlLqFVHSzCEQA+362EMqShUais4TLOAbZVpclwKHltVwz MQlnZGrQEIiM7akdN41CnG0KAkje/wYkFP7CSLn65bKlhWXKyCEL8hGVynaA6VJoo6bPkkWn RAoAGhlRgyOgeuw3IW6RoFE7ij0BJC2VG+3kigIIQDxVZ7Kc7iaK0n5zYYwMAMLrtJPBZ7ji /8xMlKDWvhijypnYT/7ALpm9Auha+KWnzdw8Dp5roJvi4TfIZAYPBEA/7M5d/TTLfi5kHp0q UrMp0rbATwrBODP4gai4EP1hbXLwyrkDdd6+L2QrpaGgXW170lKUFg8cwT+pvO0zEmjR9hYN koYvDI0qrQ//1CqSd+7WACkpHmDvVgXXN84/+8SsVnRjPaLpVnBQDFcEFata/R/3CMybRMn0 UWGkpXFGDpruaW9QnOB7LaE6zi1PED5KEdSOXZcHVZcs7EPpqkynE+VSspTKpWRj/+qHh7z8 iu6vCsH0uB7Yckjkv/TEUr8qzCjvJ/SVSYu+x7aGGmi62tRdIOjIoCl91XfxfJBN5qCCEmMu mAenMqT5/xICouC/ASPSugQGLCi596eLSbRx1VoGvEJ9Smp+nOlVZBd5nd5PkgBGt0fZTbjb UvXuAVQzJxeJn2naelweY3ZI9su5bjtE5LiTP+8RvpDZIJgMjCO+i5GbFSVmWvqlSARfboXP J6adYOmCykcAKE+lD6uHb5Fj/ks2zw0wn7VSdbj1RO73LGCZXmTD7AYLF+JaeN/56SByOnIz +ti2wKx4003eIXDjuP/qOb/8XhiwaAHOK3L
  • Ironport-hdrordr: A9a23:VPNIDqzQlqN4bDlasGusKrPxmuskLtp133Aq2lEZdPULSKGlfp GV9sjziyWetN9IYgBapTiBUJPwIk80hqQFm7X5XI3SFjUO3VHFEGgM1/qE/9SNIUzDH6tmpN 9dmstFeZDN5DpB/KDHCWCDer5OruVvsprY/Ns2pE0dLz2CHpsQizuRfTzrd3GeKjMnObMJUL 6nouZXrTupfnoaKu6hAGMeYuTFr9rX0Lr7fB8vHXccmUazpALtzIS/PwmT3x8YXT8K66wl63 L5nwvw4bjmm+2nyyXby3TY4/1t6ZXcI5p4dY2xY/ouW3bRYzWTFcZcsnq5zXUISdSUmRYXeR /30lMd1opImjTslyqO0GbQMkHboUoTAjnZuBOlaDLY0LLEbSN/BMxbiY1DdBzFr0ImodFnya pOm3mUrpxNEHr77W3AD0ihbWAUqqOYmwtUrQcotQ0obaIOLLtK6YAP9kJcF5kNWCr89YA8Ce FrSMXR/uxff1+WZ23Q+jAH+q3mYl0jWhOdBkQSsM2c1DZb2Hh/0ksD3cQa2nMN7og0RZVI7/ nNdq5oiLZNRMkLar8VPpZIfeKnTmjWBR7cOmObJlrqUKkBJnLWspbypK444em7EaZ4uKfaWK 6xJW+wmVRCCH4GU/f+raGj2iq9MFmVTHDq1txU4YR/t/n1WKfrWBfzOmwTrw==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHY76JzZdOUSWsV/EuMjC67io5Dyq4uNcAAgAjbHYA=
  • Thread-topic: Revert of the 4.17 hypercall handler changes Re: [PATCH-for-4.17] xen: fix generated code for calling hypercall handlers

> On 4 Nov 2022, at 05:01, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx> wrote:
> 
> On 03/11/2022 16:36, Juergen Gross wrote:
>> The code generated for the call_handlers_*() macros needs to avoid
>> undefined behavior when multiple handlers share the same priority.
>> The issue is the hypercall number being unverified fed into the macros
>> and then used to set a mask via "mask = 1ULL << <hypercall-number>".
>> 
>> Avoid a shift amount of more than 63 by setting mask to zero in case
>> the hypercall number is too large.
>> 
>> Fixes: eca1f00d0227 ("xen: generate hypercall interface related code")
>> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
> 
> This is not a suitable fix.  There being a security issue is just the
> tip of the iceberg.

At the x86 Maintainer’s meeting on Monday, we (Andrew, Jan, and I) talked about 
this patch.  Here is my summary of the conversation (with the caveat that I may 
get some of the details wrong).

The proposed benefits of the series are:

1. By removing indirect calls, it removes those as a “speculative attack 
surface”.

2. By removing indirect calls, it provides some performance benefit, since 
indirect calls  require an extra memory fetch.

3. It avoids casting function pointers to function pointers of a different 
type.  Our current practice is *technically* UB, and is incompatible with some 
hardware safety mechanisms which we may want to take advantage of at some point 
in the future; the series addresses both.

There were two incidental technical problems pointed out:

1. A potential shift of more than 64 bytes, which is UB; this has been fixed.

2. The prototype for the kexec_op call was changed from unsigned long to 
unsigned int; this is an ABI change which will cause differing behavior.  Jan 
will be looking at how he can fix this, now that it’s been noted.

But the more fundamental costs include:

1. The code is much more difficult now to reason about

2. The code is much larger

3. The long if/else chain could theoretically help hypercalls at the top if the 
chain, but would definitely begin to hurt hypercalls at the bottom of the 
chain; and the more hypercalls we add, the more of a theoretical performance 
penalty this will have

4. By using 64-bit masks, the implementation limits the number of hypercalls to 
64; a number we are likely to exceed if we implement ABIv2 to be compatible 
with AMD SEV.

Additionally, there is a question about whether some of the alleged benefits 
actually help:

1. On AMD processors, we enable IBRS, which completely removes indirect calls 
as a speculative attack surface already.  And on Intel processors, this attack 
surface has already been significantly reduced.  So removing indirect calls is 
not as important an issue.

2. Normal branches are *also* a surface of speculative attacks; so even apart 
from the above, all this series does is change one potential attack surface for 
another one.

3. When we analyze theoretical performance with deep CPU pipelines and 
speculation in mind, the theoretical disadvantage of indirect branches goes 
away; and depending on the hardware, there is a theoretical performance 
degradation.

4. From a practical perspective, the performance tests are very much 
insufficient to show either that this is an improvement, or that does not cause 
a performance regression.  To show that there hasn’t been a performance 
degradation, a battery of tests needs to be done on hardware from a variety of 
different vendors and cpu generations, since each of them will have different 
properties after all speculative mitigations have been applied.

So the argument is as follows:

There is no speculative benefit for the series; there is insufficient 
performance evidence, either to justify a performance benefit or to allay 
doubts about a performance regression; and the benefit that there is 
insufficient to counterbalance the costs, and so the series should be reverted.

At the end of the discussion, Jan and I agreed that Andrew had made a good case 
for the series to be removed at some point.  The discussion needs to be 
concluded on the list, naturally; and if there is a consensus to remove the 
series, the next question would be whether we should revert it now, before 
4.17.0, or wait until after the release and revert it then (perhaps with a 
backport to 4.17.1).

(Jan and Andy, please let me know if I’ve misunderstood anything from that 
meeting.)

I have more details regarding the technical aspects above, but this email is 
already rather long.  Let me know if you need more details and I’ll try to fill 
them in.

Thoughts?
 -George

Attachment: signature.asc
Description: Message signed with OpenPGP


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.