Xen project Mailing List

Re: [PATCH v2] x86/hvm: Disallow CR0.PG 1->0 transitions when CS.L=1

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 14 Apr 2023 11:37:30 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GYyf/Bzhwwa+5YfSF6UGO9nYAQLVjLy3kf5xyX+9pYo=; b=ElCcTLaqo1gEJ9ibokBSHV5F+IPuwlwSQzOc5J+YIBjrQo3ppf4Un7Dv9/xlu2CQj54SjjrWwNliQKz6M4lZ8Wv2OtlvrkdBBNjmn7lSkRJgNbi8b2Bmr3zNLSiz8WQV9h5csbk2/qXy6w4SdosyNODRtROybgh0Z/vmOk6dSMWb6kYSd1/ho7ootjDDMgGDKE44QUf7MQ3PfVTt7ViyllUvnnzPsIHVaAC2Yv/jAotiXWaIz0jE6S9X4k6POVcYw33xAwVmgpArS6eNDUU4kZm0ohBnSTOLB0H0Gd7WVsy8tOpXD2+WGquDyRXzBLkdSniiGMqsk7eHtaNeDu+31w==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XeTCHPQPWglVOSTG1NGoJFacphuNobGIdeRIWr06wayTLvMYb4pW5IRW6muojxbexMbP44iREXO4HQ+Q/WSPTqBKsQ32vG1tzHyXW7HK1lukNZMpks86bQanVP59sYqCmguwIbR23T+YXgt7ZWTgVjJ60NVZdnSkLeByyLyfyLfBBL9YesLgsPBisj9So4tUCYxpYkZU6e6WEPLgEXisyYvsnYAA2xS55lS72hAgxL3F5QDrmNDQtb862HsSVLmCqu8ixSfghF/75e0GV3Oqe/Xki9NQpy8rIgAKlHI1PXy3M1GN9LSRHbp3cOG2+p4go4nTSLoxlKjcWCLysiUO4Q==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Fri, 14 Apr 2023 10:38:05 +0000

Ironport-data: A9a23:12cF5q/pMriKJ8njN5GGDrUDon+TJUtcMsCJ2f8bNWPcYEJGY0x3y WoeXWzQPKuDNmLxc9h0bYS18h8CsMLVmNZgHARt+X08E34SpcT7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVE/fjUAOG6UKicYXoZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqojUNUTNNwRcawr40Ire7kI+1BjOkGlA5AdmOakX5Aa2e0Q9V/rzG4ngdxMUfaEMdgKKb 76r5K20+Grf4yAsBruN+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+v9T2M4nQVVWk120c+VZk 72hg3ASpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDkle3 vEGGAkdPyyPxN+/7Iq2G9U31u48eZyD0IM34hmMzBn/JNN/G9XmfP+P4tVVmjAtmspJAPDSI dIDbiZiZwjBZBsJPUoLDJU5n6GjgXyXnz9w8QrJ4/ZopTaNilAsuFTuGIO9ltiibMNZhEuH4 EnB+Hz0GEoyP92D0zuVtHmrg4cjmAuiAN5IReXhqKcCbFu72lAZJyZGZ2OBjei0tVe4astwM mIS9X97xUQ13AnxJjXnZDWorXjBshMCVt54F+wh9BrL2qfS+xyeBGUPUnhGctNOnO0cSCEu1 1SJt8j0HjEpu7qQIVqC8p+EoDX0PjIaRVLufgcBRAoBptz8+oc6i0uVSs45SPLoyNroBTv33 jaG6jAkgKkehtIK0KP9+k3bhzWrpd7CSQtdChjrY19JJzhRPOaND7FEI3CChRqcBO51lmW8g UU=

Ironport-hdrordr: A9a23:68ja/66MJJO4o4hwlAPXwAzXdLJyesId70hD6qkQc3Fom62j5q WTdZEgvyMc5wx/ZJhNo7690cq7MBHhHPxOgbX5VI3KNGXbUQOTR72KhrGSoAEIdReeygZcv5 0QCZSXCrfLfCVHZRCR2njFLz4iquP3j5xBnY3lvhNQpZkBUdAZ0+9+YDzrdXFedU19KrcSMo GT3cZDryrIQwVtUizqbkN1OdQqvrfw5evbXSI=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 14/04/2023 11:31 am, Roger Pau Monné wrote: > On Thu, Apr 13, 2023 at 04:00:09PM +0100, Andrew Cooper wrote: >> The Long Mode consistency checks exist to "ensure that the processor does not >> enter an undefined mode or state that results in unpredictable behavior". >> APM >> Vol2 Table 14-5 "Long-Mode Consistency Checks" lists them, but there is no >> row >> preventing the OS from trying to exit Long mode while in 64bit mode. This >> could leave the CPU in Protected Mode with an %rip above the 4G boundary. >> >> Experimentally, AMD CPUs really do permit this state transition. An OS which >> tries it hits an instant SHUTDOWN, even in cases where the truncation I >> expect >> to be going on behind the scenes ought to result in sane continued execution. >> >> Furthermore, right from the very outset, the APM Vol2 14.7 "Leaving Long >> Mode" >> section instructs peoples to switch to a compatibility mode segment first >> before clearing CR0.PG, which does clear out the upper bits in %rip. This is >> further backed up by Vol2 Figure 1-6 "Operating Modes of the AMD64 >> Architecture". >> >> Either way, this appears to have been a genuine oversight in the AMD64 spec. >> >> Intel, on the other hand, rejects this state transition with #GP. >> >> Between revision 71 (Nov 2019) and 72 (May 2020) of SDM Vol3, a footnote to >> 4.1.2 "Paging-Mode Enable" was altered from: >> >> If CR4.PCIDE= 1, an attempt to clear CR0.PG causes a general-protection >> exception (#GP); software should clear CR4.PCIDE before attempting to >> disable paging. >> >> to >> >> If the logical processor is in 64-bit mode or if CR4.PCIDE= 1, an attempt >> to >> clear CR0.PG causes a general-protection exception (#GP). Software should >> transition to compatibility mode and clear CR4.PCIDE before attempting to >> disable paging. >> >> which acknowledges this corner case, but there doesn't appear to be any other >> discussion even in the relevant Long Mode sections. >> >> So it appears that Intel spotted and addressed the corner case in IA-32e >> mode, >> but were 15 years late to document it. >> >> Xen was written to the AMD spec, and misses the check. Follow the Intel >> behaviour, because it is more sensible and avoids hitting a VMEntry failure. >> >> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >> --- >> CC: Jan Beulich <JBeulich@xxxxxxxx> >> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> >> CC: Wei Liu <wl@xxxxxxx> >> >> v2: >> * Restrict to when Long Mode is enabled. > Maybe the subject also needs to be slightly edited to mention CS.L=1 > and Long Mode enabled? Or just mention long mode instead of the code > segment status? > > Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> Thanks. I think "Disallow CR0.PG 1->0 transitions in 64bit mode" is the most concise way of tweaking the subject. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.