
Re: [PATCH v3] x86/livepatch: Fix livepatch application when CET is active


  • To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
  • Date: Tue, 18 Apr 2023 15:21:18 +0000
  • Cc: Jan Beulich <jbeulich@xxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH v3] x86/livepatch: Fix livepatch application when CET is active

> From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Sent: Tuesday, April 18, 2023 12:10 PM
> To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
> Cc: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>; Jan Beulich 
> <jbeulich@xxxxxxxx>; Jan Beulich <JBeulich@xxxxxxxx>; Roger Pau Monne 
> <roger.pau@xxxxxxxxxx>; Wei Liu <wl@xxxxxxx>; Konrad Rzeszutek Wilk 
> <konrad.wilk@xxxxxxxxxx>; Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
> Subject: [PATCH v3] x86/livepatch: Fix livepatch application when CET is active
>  
> Right now, trying to apply a livepatch on any system with CET shstk (AMD Zen3
> or later, Intel Tiger Lake or Sapphire Rapids and later) fails as follows:
> 
>   (XEN) livepatch: lp: Verifying enabled expectations for all functions
>   (XEN) common/livepatch.c:1591: livepatch: lp: timeout is 30000000ns
>   (XEN) common/livepatch.c:1703: livepatch: lp: CPU28 - IPIing the other 127 CPUs
>   (XEN) livepatch: lp: Applying 1 functions
>   (XEN) hi_func: Hi! (called 1 times)
>   (XEN) Hook executing.
>   (XEN) Assertion 'local_irq_is_enabled() || cpumask_subset(mask, cpumask_of(cpu))' failed at arch/x86/smp.c:265
>   (XEN) *** DOUBLE FAULT ***
>   <many double faults>
> 
> The assertion failure is from a global (system wide) TLB flush initiated by
> modify_xen_mappings().  I'm not entirely sure when this broke, and I'm not
> sure exactly what causes the #DF's, but it doesn't really matter either
> because they highlight a latent bug that I'd overlooked with the CET-SS vs
> patching work in the first place.
> 
> While we're careful to arrange for the patching CPU to avoid encountering
> non-shstk memory with transient shstk perms, other CPUs can pick these
> mappings up too if they need to re-walk for uarch reasons.
> 
> Another bug is that for livepatching, we only disable CET if shadow stacks are
> in use.  Running on Intel CET systems when Xen is only using CET-IBT will
> crash in arch_livepatch_quiesce() when trying to clear CR0.WP with CR4.CET
> still active.
> 
> Also, we never went and cleared the dirty bits on .rodata.  This would
> matter (for the same reason it matters on .text - it becomes a valid target
> for WRSS), but we never actually patch .rodata anyway.
> 
> Therefore rework how we do patching for both alternatives and livepatches.
> 
> Introduce modify_xen_mappings_lite() with a purpose similar to
> modify_xen_mappings(), but stripped down to the bare minimum as it's used in
> weird contexts.  Leave all complexity to the caller to handle.
> 
> Instead of patching by clearing CR0.WP (and having to jump through some
> fragile hoops to disable CET in order to do this), just transiently relax the
> permissions on .text via l2_identmap[].
> 
> Note that neither alternatives nor livepatching edit .rodata, so we don't need
> to relax those permissions at this juncture.
> 
> The perms are relaxed globally, but this is safe enough.  Alternatives run before
> we boot APs, and Livepatching runs in a quiesced state where the other CPUs
> are not doing anything interesting.
> 
> This approach is far more robust.
> 
> Fixes: 48cdc15a424f ("x86/alternatives: Clear CR4.CET when clearing CR0.WP")
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

Reviewed-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx> (live patching bits)
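The commit message above makes two points about CET shadow stacks that are easy to miss: a present leaf mapping that is read-only with its Dirty bit set is, architecturally, a shadow-stack page (and therefore a legal WRSS target), and any write to a page sets that Dirty bit whether the write was permitted by clearing CR0.WP or by transiently relaxing the mapping. The following added example is a stand-alone C model written for this page, not Xen code and not the patch itself: it simulates one leaf PTE and one toy page, applies a constructed two-byte patch by relaxing the mapping to R/W as the patch describes, and compares restoring only the permission bits against restoring with A/D cleared. The bit positions are the architectural x86-64 PTE bits; the page model, the `model_write` fault rule, and the helper names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Architectural x86-64 leaf page-table entry bits. */
#define PTE_P   (1ULL << 0)   /* Present */
#define PTE_RW  (1ULL << 1)   /* Writable */
#define PTE_A   (1ULL << 5)   /* Accessed */
#define PTE_D   (1ULL << 6)   /* Dirty */
#define PTE_NX  (1ULL << 63)  /* No-execute */

#define PAGE_BYTES 64         /* constructed toy page: 64 bytes instead of 4 KiB */

/* Constructed model of one mapped page: its leaf PTE and its contents. */
struct page_model {
    uint64_t pte;
    uint8_t mem[PAGE_BYTES];
};

/*
 * With CET-SS active, the CPU treats a present leaf mapping that is
 * read-only (R/W=0) and Dirty (D=1) as a shadow-stack page, i.e. a legal
 * target for WRSS and for shadow-stack pushes.
 */
bool pte_is_shstk(uint64_t pte)
{
    return (pte & PTE_P) && !(pte & PTE_RW) && (pte & PTE_D);
}

/*
 * Model of a supervisor write with CR0.WP=1: faults (-1) unless the leaf
 * entry is present and writable; on success the CPU sets A and D.
 */
int model_write(struct page_model *pg, size_t off, const void *src, size_t len)
{
    if (off + len > PAGE_BYTES)
        return -1;
    if (!(pg->pte & PTE_P) || !(pg->pte & PTE_RW))
        return -1;                      /* #PF */
    memcpy(&pg->mem[off], src, len);
    pg->pte |= PTE_A | PTE_D;           /* hardware side effect of the write */
    return 0;
}

/*
 * Transiently relax the mapping to R/W, apply the patch, then restore.
 * clear_dirty selects whether the restore also clears A/D; the naive
 * variant (false) puts back only the original permission bits.
 */
int patch_text(struct page_model *pg, size_t off, const void *src, size_t len,
               bool clear_dirty)
{
    uint64_t saved = pg->pte;
    int rc;

    pg->pte |= PTE_RW;                  /* relax: R/X -> R/W/X */
    rc = model_write(pg, off, src, len);
    if (clear_dirty)
        pg->pte = saved & ~(PTE_A | PTE_D);                /* R/X, A/D clear */
    else
        pg->pte = (pg->pte & ~PTE_RW) | (saved & PTE_RW);  /* only R/W restored */
    return rc;
}

/* Run the scenario on a fresh R/X code page; returns the write's rc. */
int run_scenario(bool clear_dirty, struct page_model *pg)
{
    const uint8_t nop2[] = { 0x66, 0x90 };  /* constructed 2-byte patch */

    memset(pg, 0, sizeof *pg);
    pg->pte = PTE_P;                        /* R/X: present, not writable, not NX */
    memset(pg->mem, 0xcc, sizeof pg->mem);  /* constructed int3 filler */
    return patch_text(pg, 8, nop2, sizeof nop2, clear_dirty);
}

/* Does a patched .text page end up looking like a shadow stack? */
bool text_page_looks_like_shstk(bool clear_dirty)
{
    struct page_model pg;

    if (run_scenario(clear_dirty, &pg) != 0)
        return false;
    return pte_is_shstk(pg.pte);
}

int main(void)
{
    printf("restore perms only  -> shstk-looking page: %s\n",
           text_page_looks_like_shstk(false) ? "yes" : "no");
    printf("restore, clear A/D  -> shstk-looking page: %s\n",
           text_page_looks_like_shstk(true) ? "yes" : "no");
    return 0;
}
```

The model shows why restoring permissions alone is not enough: after the write, the entry carries P=1, R/W=0, D=1, exactly the shape CET-SS recognises as a shadow stack, so the Dirty bit has to be cleared along with the permission change. The same applies whichever mechanism allowed the write, which is why the commit message treats the uncleared Dirty bits on .rodata as the same class of problem.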
