Xen project Mailing List

Re: [PATCH v5] x86: detect CMOS aliasing on ports other than 0x70/0x71

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Mon, 3 Apr 2023 13:09:05 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=t14AAj2zeHUEhhx/uWYA+ay1WChw3nkDJJQ/8Wx9Pg8=; b=mJ8dVNHlcA+Sy/uERac9nF3krVvp8bOhZNGZAxFP8CmFF7ecw9aZ8qxlnSvQfmf1P5p2d8QLYFrSYD9svbwAdpGJYjJb8f4Ok8nyQ3Z7ufhu/R999vFfk5duKQ9dB2xfCnADeE2JZIZkLsYO56L0/dwfkbAXrCSwnFNnDzV2EcSusU4p9YWaV/ouuJieoX3HdqDnMsksZRKJxACXQWwA9GDXO4cK8B9kwB5/jEIoUIpTKYODp8BVxhfPTcsNnig2Ab3NQOYeJwItv5QSJh4tyqehFcu2E4BKN6RPxx+VmxpS9/pj/x+TvMj/cAl1G87OMnHZY/X3NZr/2okB15KZ9A==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NvvgfIZ7HE4PDCUUdyqVH/IDs0l3vXHznj9PPIL0J9zvMjGbcOJoQy02KBiWEA+P/ehA5GsQvypLTUchucUjvNlNsrRQ08VQui7I682ikN0DjBzUG5Qsl7FpOnBd7cEY3sIvVRR9kb6u+C7YyHCjUObNqCQYMZz9sqI86RO5q/sKZKLYW5GFWSKLwZnJzwTdidkcncw9TIVS1duWzn67Qi5meJM2plEm80X4w3Q+7I/RPTYDz+XEnTOAIy57bNuSLyEnibd+Mfdhs1VcrGHaDhX2sx1n1M1C6B0gwa99lwgr+1r8mw/jaDQy/f/60EYcDI2PgaVDdzT9HCP511jjGw==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Mon, 03 Apr 2023 11:09:28 +0000

Ironport-data: A9a23:c6a9tKhJsotYJd8aklRHjhV4X161VREKZh0ujC45NGQN5FlHY01je htvD22OaPvbNDT8eop0a4uz/UwG6sWAzt5gSFQ4rn09Q3sb9cadCdqndUqhZCn6wu8v7q5Ex 55HNoSfdpBcolv0/ErF3m3J9CEkvU2wbuOgTrWCYmYpHlUMpB4J0XpLg/Q+jpNjne+3CgaMv cKai8DEMRqu1iUc3lg8sspvkzsy+qWi0N8klgZmP6sT4AeFzyB94K83fsldEVOpGuG4IcbiL wrz5OnR1n/U+R4rFuSknt7TGqHdauePVeQmoiM+t5mK2nCulARrukoIHKN0hXNsoyeIh7hMJ OBl7vRcf+uL0prkw4zxWzEAe8130DYvFLXveRBTuuTLp6HKnueFL1yDwyjaMKVBktubD12i+ tQyBiokMTGMud6szYiFWM8xps4EMsT0adZ3VnFIlVk1DN4AaLWaGeDv2oUd2z09wMdTAfzZe swVLyJ1awjNaAFOPVFRD48imOCvhT/0dDgwRFC9/PJrpTSMilIvluS0WDbWUoXiqcF9hEGXq 3iA523kKhobKMae2XyO9XfEaurnxHunANhIT+TmnhJsqEXC1C8sI0cYbnC2+9OlhU7mae5bM XVBr0LCqoB3riRHVOLVXRe1vXqFtR40QMdLHqsx7wTl4rrZ5UOVC3YJShZFacc6r4kmSDoyz FiLktj1Qzt1v9W9UXuA8p+EoDX0PjIaRUcdYQcUQA1D5MPsyLzflTrKR9dnVauq1Nv8HGiqx yjQ9HRnwbIOkcQMyqO3u0jdhC6hrYTISQhz4RjLWmWi7UVyY4vNi5GU1GU3JM1odO6xJmRtd lBb8yRCxIji1a2wqRE=

Ironport-hdrordr: A9a23:ALJMR6ww4tx7TFt2b3TPKrPxTegkLtp133Aq2lEZdPULSKGlfp GV9sjziyWetN9wYh4dcB67Scy9qFfnhOZICOgqTM6ftWzd1FdAQ7sD0WKP+UyCJ8S6zJ8n6U 4CSdkDNDSTNykcsS+S2mDRfbcdKZu8gcaVbI/lvgpQpGpRGsVdBmlCe2Sm+hocfng9OXN1Lu vr2iIBzADQCUg/X4CePD0oTuLDr9rEmNbPZgMHPQcu7E2jnC6l87nzFjmfx1M7XylUybkv3G DZm0ihj5/T+c2T+1v57Sv+/p5WkNzuxp9qA9GNsNEcLnHBmxulf4NoXpyFpXQQrPu04Fgnvd HQq1MLPth16VnWYmapyCGdkDXI4XIL0TvP2FWYiXzsrYjQQy87MdNIgcZ8fgHC40Qtkdlg2O YTtljp/6Z/PFflpmDQ9tLIXxZlmg6dpmcjq/caizh6XZEFYLFcgIQD9Ad+EYsGHgj99Ic7ed MeRf301bJzSxe3fnrZtm5gzJiFWWkyJA6PRgw4tsmcw1Ft7QVE5npd4PZasmYL9Zo7RZUBzf /DKL5UmLZHSdJTRb5hBc8aKPHHRFDlcFbpCia/MF7nHKYINzbmsJjs+og44+msZdgh0IYyop LcS1lV3FRCNH4GMff+nKGjzyq9A1lUBV/Wu4NjDtlCy/HBrYPQQGy+oAtEqbrknx0daverKc pbdqgmR8MLFlGeaLqh7zeOJKW6FkNuLvH9muxLL25m8fi7XbHCh6j8TMv5AobLPHINZl7fa0 FzLwQbYv8wo3yWZg==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Mar 30, 2023 at 12:40:38PM +0200, Jan Beulich wrote: > ... in order to also intercept Dom0 accesses through the alias ports. > > Also stop intercepting accesses to the CMOS ports if we won't ourselves > use the CMOS RTC, because of there being none. So it's fine for dom0 to switch off NMIs if Xen isn't using the RTC? Seems like a weird side-effect of Xen not using the RTC (seeing as we would otherwise mask bit 8 from dom0 RTC accesses). Also I'm worried that when Xen doesn't intercept RTC ports accesses from dom0 could be interrupted for example by the vCPU being scheduled out, so a vCPU might perform a write to the index port, and be scheduled out, leaving the RTC in an undefined state. I've read claims online that the RTC is not reset by the firmware, and since it has a battery the state is kept across reboots, so interrupting an access like that cold leave the RTC in a broken state across reboots. > Note that rtc_init() deliberately uses 16 as the upper loop bound, > despite probe_cmos_alias() using 8: The higher bound is benign now, but > would save us touching the code (or, worse, missing to touch it) in case > the lower one was doubled. > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > --- > v5: Simplify logic in is_cmos_port(). Limit the scope of a local > variable. Adjust a comment that's being moved. > v4: Also conditionally mask top bit for guest index port accesses. Add > missing adjustments to rtc_init(). Re-work to avoid recursive > read_lock(). Also adjust guest_io_{read,write}(). Re-base. > v3: Re-base over change to earlier patch. > v2: Re-base. > > --- a/xen/arch/x86/hvm/rtc.c > +++ b/xen/arch/x86/hvm/rtc.c > @@ -27,7 +27,7 @@ > #include <asm/hvm/vpt.h> > #include <asm/hvm/io.h> > #include <asm/hvm/save.h> > -#include <asm/current.h> > +#include <asm/iocap.h> > #include <xen/trace.h> > #include <public/hvm/params.h> > > @@ -836,10 +836,18 @@ void rtc_init(struct domain *d) > > if ( !has_vrtc(d) ) > { > - if ( is_hardware_domain(d) ) > - /* Hardware domain gets mediated access to the physical RTC. */ > - register_portio_handler(d, RTC_PORT(0), 2, hw_rtc_io); > - return; > + unsigned int port; > + > + if ( !is_hardware_domain(d) ) > + return; > + > + /* > + * Hardware domain gets mediated access to the physical RTC/CMOS (of > + * course unless we don't use it ourselves, for there being none). > + */ > + for ( port = RTC_PORT(0); port < RTC_PORT(0) + 0x10; port += 2 ) > + if ( is_cmos_port(port, 2, d) ) > + register_portio_handler(d, port, 2, hw_rtc_io); You seem to have dropped a return from here, as for PVH dom0 the initialization below shouldn't be done. > } > > spin_lock_init(&s->lock); > --- a/xen/arch/x86/include/asm/mc146818rtc.h > +++ b/xen/arch/x86/include/asm/mc146818rtc.h > @@ -9,6 +9,10 @@ > > extern spinlock_t rtc_lock; /* serialize CMOS RAM access */ > > +struct domain; > +bool is_cmos_port(unsigned int port, unsigned int bytes, > + const struct domain *d); > + > /********************************************************************** > * register summary > **********************************************************************/ > --- a/xen/arch/x86/pv/emul-priv-op.c > +++ b/xen/arch/x86/pv/emul-priv-op.c > @@ -220,7 +220,7 @@ static bool admin_io_okay(unsigned int p > return false; > > /* We also never permit direct access to the RTC/CMOS registers. */ > - if ( port <= RTC_PORT(1) && port + bytes > RTC_PORT(0) ) > + if ( is_cmos_port(port, bytes, d) ) > return false; > > return ioports_access_permitted(d, port, port + bytes - 1); > @@ -290,7 +290,7 @@ static uint32_t guest_io_read(unsigned i > { > sub_data = pv_pit_handler(port, 0, 0); > } > - else if ( port == RTC_PORT(0) || port == RTC_PORT(1) ) > + else if ( is_cmos_port(port, 1, currd) ) > { > sub_data = rtc_guest_read(port); > } > @@ -436,7 +436,7 @@ static void guest_io_write(unsigned int > { > pv_pit_handler(port, (uint8_t)data, 1); > } > - else if ( port == RTC_PORT(0) || port == RTC_PORT(1) ) > + else if ( is_cmos_port(port, 1, currd) ) > { > rtc_guest_write(port, data); > } > --- a/xen/arch/x86/setup.c > +++ b/xen/arch/x86/setup.c > @@ -2131,37 +2131,36 @@ int __hwdom_init xen_in_range(unsigned l > static int __hwdom_init cf_check io_bitmap_cb( > unsigned long s, unsigned long e, void *ctx) > { > - struct domain *d = ctx; > + const struct domain *d = ctx; > unsigned int i; > > ASSERT(e <= INT_MAX); > for ( i = s; i <= e; i++ ) > - __clear_bit(i, d->arch.hvm.io_bitmap); > + /* > + * Accesses to RTC ports also need to be trapped in order to keep > + * consistency with hypervisor accesses. > + */ > + if ( !is_cmos_port(i, 1, d) ) > + __clear_bit(i, d->arch.hvm.io_bitmap); > > return 0; > } > > void __hwdom_init setup_io_bitmap(struct domain *d) > { > - int rc; > + if ( !is_hvm_domain(d) ) > + return; > > - if ( is_hvm_domain(d) ) > - { > - bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); > - rc = rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, > - io_bitmap_cb, d); > - BUG_ON(rc); > - /* > - * NB: we need to trap accesses to 0xcf8 in order to intercept > - * 4 byte accesses, that need to be handled by Xen in order to > - * keep consistency. > - * Access to 1 byte RTC ports also needs to be trapped in order > - * to keep consistency with PV. > - */ > - __set_bit(0xcf8, d->arch.hvm.io_bitmap); > - __set_bit(RTC_PORT(0), d->arch.hvm.io_bitmap); > - __set_bit(RTC_PORT(1), d->arch.hvm.io_bitmap); > - } > + bitmap_fill(d->arch.hvm.io_bitmap, 0x10000); > + if ( rangeset_report_ranges(d->arch.ioport_caps, 0, 0x10000, > + io_bitmap_cb, d) ) > + BUG(); > + > + /* > + * We need to trap 4-byte accesses to 0xcf8 (see admin_io_okay(), > + * guest_io_read(), and guest_io_write()). > + */ > + __set_bit(0xcf8, d->arch.hvm.io_bitmap); > } > > /* > --- a/xen/arch/x86/time.c > +++ b/xen/arch/x86/time.c > @@ -1234,7 +1234,10 @@ static unsigned long get_cmos_time(void) > if ( seconds < 60 ) > { > if ( rtc.sec != seconds ) > + { > cmos_rtc_probe = false; > + acpi_gbl_FADT.boot_flags &= ~ACPI_FADT_NO_CMOS_RTC; > + } > break; > } > > @@ -1249,6 +1252,77 @@ static unsigned long get_cmos_time(void) > return mktime(rtc.year, rtc.mon, rtc.day, rtc.hour, rtc.min, rtc.sec); > } > > +static unsigned int __ro_after_init cmos_alias_mask; > + > +static int __init cf_check probe_cmos_alias(void) > +{ > + unsigned int offs; > + > + if ( acpi_gbl_FADT.boot_flags & ACPI_FADT_NO_CMOS_RTC ) > + return 0; > + > + for ( offs = 2; offs < 8; offs <<= 1 ) > + { > + unsigned int i; > + bool read = true; > + > + for ( i = RTC_REG_D + 1; i < 0x80; ++i ) > + { > + uint8_t normal, alt; > + unsigned long flags; > + > + if ( i == acpi_gbl_FADT.century ) > + continue; > + > + spin_lock_irqsave(&rtc_lock, flags); > + > + normal = CMOS_READ(i); > + if ( inb(RTC_PORT(offs)) != i ) > + read = false; > + > + alt = inb(RTC_PORT(offs + 1)); > + > + spin_unlock_irqrestore(&rtc_lock, flags); > + > + if ( normal != alt ) > + break; > + > + process_pending_softirqs(); > + } > + if ( i == 0x80 ) > + { > + cmos_alias_mask |= offs; > + printk(XENLOG_INFO "CMOS aliased at %02x, index %s\n", > + RTC_PORT(offs), read ? "r/w" : "w/o"); I would consider making this a DEBUG message, not sure it's that useful for a normal end user, and printing to the console can be slow. > + } > + } > + > + return 0; > +} > +__initcall(probe_cmos_alias); > + > +bool is_cmos_port(unsigned int port, unsigned int bytes, const struct domain > *d) > +{ > + unsigned int offs; > + > + if ( !is_hardware_domain(d) || > + !(acpi_gbl_FADT.boot_flags & ACPI_FADT_NO_CMOS_RTC) ) > + return port <= RTC_PORT(1) && port + bytes > RTC_PORT(0); > + > + if ( acpi_gbl_FADT.boot_flags & ACPI_FADT_NO_CMOS_RTC ) > + return false; > + > + for ( offs = 2; offs <= cmos_alias_mask; offs <<= 1 ) > + { > + if ( !(offs & cmos_alias_mask) ) > + continue; > + if ( port <= RTC_PORT(offs | 1) && port + bytes > RTC_PORT(offs) ) > + return true; > + } Maybe I'm confused, but doesn't this loop start at RTC_PORT(2), and hence you need to check for the RTC_PORT(0,1) pair outside of the loop? > + > + return false; > +} > + > /* Helpers for guest accesses to the physical RTC. */ > unsigned int rtc_guest_read(unsigned int port) > { > @@ -1256,23 +1330,25 @@ unsigned int rtc_guest_read(unsigned int > unsigned long flags; > unsigned int data = ~0; > > - switch ( port ) > + switch ( port & ~cmos_alias_mask ) Given that the call is gated with is_cmos_port() it would be clearer to just use RTC_PORT(1) as the mask here IMO. Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.