[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] x86/mm: PGC_page_table is used by shadow code only
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Wed, 30 Nov 2022 10:39:43 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=LW/gcqgvEAMtOnusw6tnumETsxIkCPFe7qKpDO8QD/Q=; b=RA+5mlj+LpJltBS9mjZKk/koYOyPbDAl5ldz8m83bJetrvlNiR5bhThiXlLCvK9b+6s/Um2Mg3/nAOAYt+UlKsQh7akDYS388fCJaTy+Lo6CCCBmWL4w/SrHZ/OnxQVnNWMPg/11DdEINHI30Ifla6kNr9IUyQX18bTPlzqwpBW6EMMhLhD2I6XcoLuY5EGpKU4wT0ljjAVY6THtws/gw53dY8WgFX/MZww9zSfTN6OPOUwV2mkSL293KUyErKqNnZzCxSQhV6gh9piLYs156SFLZg6HIblIoVQq91rIWOiKuNsfymlCbikwcjGb0g5inJhMWgpU4Tvr0+sKt9MTlQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GooTNwjJEZ1Wook78mEUHLRmuFMyubLYibmVYDEHs6yc7I0vck8vAEeQRUj4qW3apf0VrGVYY1RA5UHr4gEUbYxKmQH2N2O5NMyTBLqULH+gsjsnzZ2Te7yXRDB6ZiLj3JxP+2Qu2VBUkfeXM134Al/nAoQov8siUFNtVUNTbxyVsVYUR9Dz+Spo4hq8NgU8bEOSfJbP5wG5NWeEwXkrXuoZkLyXRUp/MG2zJgzHl+9BNspn9NIozJYINdBg7AeFq3FRq3sjSE08OyIMul6B66C1hnSHmef40HpKuBARq6L8nmf3yILOK4+Vl1cNCMpFYS2ujnVl8tmU0N/0oZJBIQ==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Wed, 30 Nov 2022 10:40:00 +0000
- Ironport-data: A9a23:w6UfMq8paxozra/FhnLTDrUDon+TJUtcMsCJ2f8bNWPcYEJGY0x3y mUeCG6EOq2LZzf0edp/b4SxoRsPsZaDy4I1HAtppHw8E34SpcT7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVE/fjUAOG6UKucYHsZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqojUNUTNNwRcawr40Ire7kIx1BjOkGlA5AZnPKsT5AW2e0Q9V/rzG4ngdxMUfaEMdgKKb 76r5K20+Grf4yAsBruN+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+v9T2M4nQVVWk120c+VZk 72hg3ASpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDkkSr sIeDRtUSyrb3fCMka2YF+w1geMaeZyD0IM34hmMzBn/JNN+HdXmfP+P4tVVmjAtmspJAPDSI dIDbiZiZwjBZBsJPUoLDJU5n6GjgXyXnz9w8QrJ4/ZopTeIilUuidABM/KMEjCObexTklyVu STt+GPhDwtBHNee1SCE4jSngeqncSbTCN5CROPgraMCbFu7/U1JJ0A3CkSCvvTj1H6EVuBEC BQT5X97xUQ13AnxJjXnZDW6qnOZuh8XW/JLDvY3rgqKz8L8/AKxFmUCCDlbZ7QOpMIwADAny FKNt9foHiB09q2YT2qH8bWZpi/0PjIaRVLufgcBRAoBptz8+oc6i0qTSs45SfHsyNroBTv33 jaG6jAkgKkehtIK0KP9+k3bhzWrpd7CSQtdChjrY19JJzhRPOaND7FEI3CBhRqcBO51lmW8g UU=
- Ironport-hdrordr: A9a23:dcUeK6vu/TKhXQk8Y+CUB9H97skCXoAji2hC6mlwRA09TyXGra 2TdaUgvyMc1gx7ZJh5o6H6BEGBKUmslqKceeEqTPqftXrdyRGVxeZZnMffKlzbamfDH4tmuZ uIHJIOb+EYYWIasS++2njBLz9C+qjJzEnLv5a5854Fd2gDBM9dBkVCe3+m+yZNNWt77O8CZf 6hD7181l+dkBosDviTNz0gZazuttfLnJXpbVovAAMm0hCHiXeF+aP3CB+R2zYZSndqza05+W bIvgTl7uH72svLiyP05iv21dB7idHhwtxMCIiljdUUECzljkKFdZlsQLqLuREyuaWK5EwxmN fBjh88N4BY6m/XfEuyvRzxsjOQngoG2jvH8xu1kHHjqcv2SHYREMxan79UdRPf9g4JoMx8+L gj5RPbi7NnSTf72Ajt7dnBUB9n0mCup2A5rOIVh3tDFaMDdb5qq5AF9k89KuZDIMu60vFjLA BdNrCa2B9kSyLdU5kfhBg3/DWYZAV2Iv5BeDlbhiXa6UkMoJkz9Tpk+CVWpAZ9yHt6cegF2w 2MCNUXqFkFJPVmEp5VFaMPR9C6BXfKRg+JOGWOIU7/HKVCIH7VrYXriY9Frd1CVaZ4u6faoq 6xJm9wpCo3YQbjGMeO1JpE/lTER3i8Ry3kzoVb64JisrPxSbL3OWnbIWpe2PeIsrEaGInWSv yzMJVZD7vqKnbvA59A20n7V4NJIXcTXcUJspIwWk6IoMjMNor239arOMr7Nf7oC3IpS2n/Cn wMUHz6I9hB9FmiXjvijB3YSxrWCzjCFFJLYd3nFsQoufsw39d3w3koYHyCl7G2ACwHtLAqd0 1jJ76imr+npACNjBT101k=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHZBAKvvRJ2heCKJ0SiESCucWQuIK5WYfSAgAC3SICAAC7bgA==
- Thread-topic: [PATCH] x86/mm: PGC_page_table is used by shadow code only
On 30/11/2022 07:52, Jan Beulich wrote:On 29.11.2022 21:56, Andrew
Cooper wrote:
>> On 29/11/2022 14:55, Jan Beulich wrote:
>>> By defining the constant to zero when !SHADOW_PAGING we give compilers
>>> the chance to eliminate a little more dead code elsewhere in the tree.
>>> Plus, as a minor benefit, the general reference count can be one bit
>>> wider. (To simplify things, have PGC_page_table change places with
>>> PGC_extra.)
>>>
>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>> Ahead of making this change, can we please rename it to something less
>> confusing, and fix it's comment which is wrong.
>>
>> PGC_shadowed_pt is the best I can think of.
> Can do, sure.
>
>>> ---
>>> tboot.c's update_pagetable_mac() is suspicious: It effectively is a
>>> no-op even prior to this change when !SHADOW_PAGING, which can't be
>>> quite right. If (guest) page tables are relevant to include in the
>>> verification, shouldn't this look for PGT_l<N>_page_table as well? How
>>> to deal with HAP guests there is entirely unclear.
>> Considering the caller, it MACs every domheap page for domains with
>> CDF_s3_integrity.
>>
>> The tboot logical also blindly assumes that any non-idle domain has an
>> Intel IOMMU context with it. This only doesn't (trivially) expose
>> because struct domain_iommu is embedded in struct domain (rather than
>> allocated separately), and reaching into the wrong part of the arch
>> union is only mitigated by the tboot logic not being invoked on
>> non-intel systems. (Also the idle domain check is useless, given that
>> it's in a for_each_domain() loop).
>>
>> It does look a little like the caller is wanting to MAC all Xen data
>> that describes the guest, but doing this unilaterally for all shadowed
>> guests seems wrong beside the per-domain s3_integrity setting.
> Question is - do we care about addressing this (when, as said, it's
> unclear how to deal with HAP domains; maybe their actively used p2m
> pages would need including instead)? Or should we rather consider
> ripping out tboot support?
Having contemplated this a bit longer...
The principle of MAC-ing pagetables is incompatible with A/D updates.
IOMMUs have A/D support support these days, and older Intel CPUs have
errata where they can set the D bit on a read-only mapping. The things
which are MACed can legally be changed by hardware after the MAC is taken.
The current logic is clearly not doing sensible things. It likely
predates HAP support, but I haven't gone looking.
Also, tboot isn't long for this world. Trenchboot is progressing
(slowly) but the end result will be something that functions, is
supported, and doesn't suffer from several CVEs which Intel have elected
not to fix in their "reference TXT implementation".
I've debated several times about removing the tboot implementation, but
have chosen not to do so thus far because there's almost certainly bits
of infrastructure that trenchboot will want to reuse.
But as far as this goes, I think we can reasonably remove the
clearly-junk aspects while cleaning up / fixing other areas of Xen.
~Andrew
|
