Xen project Mailing List

Re: [PATCH 2/2] x86/vmx: Disallow the use of inactivity states

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 2 Nov 2023 10:06:10 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+EQxsmFVWlqiyl3Fyp0L0HCQ1p5H1CrT5IXWVocnuT8=; b=T+HC7NH1T7tOp+RNpbcbR1nLvOcGTfg3jHvJ4ATx2Trw+z6zyRZ2MV+70Bifcm01Xf5GEK4LHix2b+kDD+uaU68zA72sRtDx6bFNZ6BeU/KoddhPfxYsq68bhf2hg5Y5m1xeUT471YR/CFSlCFgjuH/Jgb+0sMllZHyoSsK8cMPYp3VNSKMOldP7VWm6yXu4Bp8uqoX834GbYeE55DfGxhLE8Vl0+r2Vnj/k4NYGMB9r1MRL4/QdmV8Lnvn03c7VEl/iGK9QbCnXAcWyBOBlmibqWNS/16yJUntWQ/OnaX4A12SnMuM3XxQOz4h3qtBcScbOeQUGgNd8/yleWiMhQg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OkTeA9h9C3/8zEBw6JehR+IU9JzTyznQMUunwvjzNoSXDIkqTuQbCOJnSYXUvX2LRJUA62ucze0kiVIgk6wkayaHw7+3OBW+nUZpr4zN/cLIk4kUsMn7InaBhYhQbdY1BGkoFZ7szFhGy27/kl38ANelkyOn1mLvx85czIeW7TKDPx/BVGP2XzNLpKOJF3HFjbviQqXbKlL7ce7m8Zd8xfCNJ2YAbwUV86sPd/lXZuQARMjG6NxQVlvWpqVOrDaAok/5xiKeen5/nmp3Z+IB+Zg28s0TgWyuvMHuHmk79T9phssfIvUV9sjhLpbRDUkF8U0I6BgNpLhm/XFLwFwpnQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Reima ISHII <ishiir@xxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Takahiro Shinagawa <shina@xxxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 02 Nov 2023 09:06:23 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 01.11.2023 20:20, Andrew Cooper wrote: > Right now, vvmx will blindly copy L12's ACTIVITY_STATE into the L02 VMCS and > enter the vCPU. Luckily for us, nested-virt is explicitly unsupported for > security bugs. > > The inactivity states are HLT, SHUTDOWN and WAIT-FOR-SIPI, and as noted by the > SDM in Vol3 27.7 "Special Features of VM Entry": > > If VM entry ends with the logical processor in an inactive activity state, > the VM entry generates any special bus cycle that is normally generated when > that activity state is entered from the active state. > > Also, > > Some activity states unconditionally block certain events. > > I.e. A VMEntry with ACTIVITY=SHUTDOWN will initiate a platform reset, while a > VMEntry with ACTIVITY=WAIT-FOR-SIPI will really block everything other than > SIPIs. > > Both of these activity states are for the TXT ACM to use, not for regular > hypervisors, and Xen doesn't support dropping the HLT intercept either. > > There are two paths in Xen which operate on ACTIVITY_STATE. > > 1) The vmx_{get,set}_nonreg_state() helpers for VM-Fork. > > As regular VMs can't use any inactivity states, this is just duplicating > the 0 from construct_vmcs(). Drop the field, leaving a comment as to why > it is skipped. > > 2) Nested virt, because of ACTIVITY_STATE in vmcs_gstate_field[]. > > Explicitly hide the inactivity states in the guest's view of MSR_VMX_MISC, > and remove ACTIVITY_STATE from vmcs_gstate_field[]. > > In virtual_vmentry(), we should trigger a VMEntry failure for the use of > any inactivity states, but there's no support for that in the code at all > so leave a TODO for when we finally start working on nested-virt in > earnest. > > Reported-by: Reima ISHII <ishiir@xxxxxxxxxxxxxxxxxxx> > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.