
Re: [PATCH 2/2] x86/vmx: Disallow the use of inactivity states


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
  • Date: Thu, 2 Nov 2023 09:17:14 -0400
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Reima ISHII <ishiir@xxxxxxxxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Takahiro Shinagawa <shina@xxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 02 Nov 2023 13:18:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Nov 1, 2023 at 3:21 PM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
>
> Right now, vvmx will blindly copy L12's ACTIVITY_STATE into the L02 VMCS and
> enter the vCPU.  Luckily for us, nested-virt is explicitly unsupported for
> security bugs.
>
> The inactivity states are HLT, SHUTDOWN and WAIT-FOR-SIPI, and as noted by the
> SDM in Vol3 27.7 "Special Features of VM Entry":
>
>   If VM entry ends with the logical processor in an inactive activity state,
>   the VM entry generates any special bus cycle that is normally generated when
>   that activity state is entered from the active state.
>
> Also,
>
>   Some activity states unconditionally block certain events.
>
> I.e. A VMEntry with ACTIVITY=SHUTDOWN will initiate a platform reset, while a
> VMEntry with ACTIVITY=WAIT-FOR-SIPI will really block everything other than
> SIPIs.
>
> Both of these activity states are for the TXT ACM to use, not for regular
> hypervisors, and Xen doesn't support dropping the HLT intercept either.
>
> There are two paths in Xen which operate on ACTIVITY_STATE.
>
> 1) The vmx_{get,set}_nonreg_state() helpers for VM-Fork.
>
>    As regular VMs can't use any inactivity states, this is just duplicating
>    the 0 from construct_vmcs().  Drop the field, leaving a comment as to why
>    it is skipped.

I would like to keep the vmx_get_nonreg_state() function being able to
gather this field as it might be an interesting piece of data we want
to keep an eye on during fuzzing. I would prefer just sanitizing the
value in the set() function with perhaps a gdprintk message that it
happened?

Tamas
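The alternative Tamas proposes (keep the getter reporting the field, sanitise in the setter and log when a non-active value shows up) sketched as an added, stand-alone example. This is not Xen code and not part of the patch: the `fake_vmcs` and `nonreg_state` structs, the function names and the `fprintf` stand-in for `gdprintk()` are assumptions for illustration; the activity-state encodings (0 ACTIVE, 1 HLT, 2 SHUTDOWN, 3 WAIT-FOR-SIPI) are the SDM's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Activity-state encodings from the Intel SDM VMCS guest-state area. */
#define ACTIVITY_ACTIVE         0u
#define ACTIVITY_HLT            1u
#define ACTIVITY_SHUTDOWN       2u
#define ACTIVITY_WAIT_FOR_SIPI  3u

/* Hypothetical stand-in for the VMX non-register state (not Xen's struct). */
struct nonreg_state {
    uint32_t activity_state;
    uint32_t interruptibility;
};

/* Hypothetical stand-in for the VMCS; a real setter would write VMCS fields. */
struct fake_vmcs {
    uint32_t activity_state;
    uint32_t interruptibility;
    unsigned int rejected_count;   /* how often a non-active state was refused */
};

static const char *activity_name(uint32_t st)
{
    switch (st) {
    case ACTIVITY_ACTIVE:        return "ACTIVE";
    case ACTIVITY_HLT:           return "HLT";
    case ACTIVITY_SHUTDOWN:      return "SHUTDOWN";
    case ACTIVITY_WAIT_FOR_SIPI: return "WAIT-FOR-SIPI";
    default:                     return "reserved";
    }
}

/* The getter keeps reporting the raw field, so a fuzzer can still observe it. */
void get_nonreg_state(const struct fake_vmcs *vmcs, struct nonreg_state *out)
{
    out->activity_state = vmcs->activity_state;
    out->interruptibility = vmcs->interruptibility;
}

/*
 * The setter refuses to install any inactivity state: regular VMs never leave
 * ACTIVE, so anything else means the source state is itself bad.  Log it,
 * count it, and force ACTIVE.  Returns true when the request was accepted
 * unchanged.
 */
bool set_nonreg_state(struct fake_vmcs *vmcs, const struct nonreg_state *in)
{
    bool clean = (in->activity_state == ACTIVITY_ACTIVE);

    if (!clean) {
        /* Stand-in for gdprintk(): the hypervisor would log this instead. */
        fprintf(stderr,
                "nonreg_state: rejecting activity state %u (%s), forcing ACTIVE\n",
                in->activity_state, activity_name(in->activity_state));
        vmcs->rejected_count++;
    }

    vmcs->activity_state = ACTIVITY_ACTIVE;
    vmcs->interruptibility = in->interruptibility;
    return clean;
}

/* Feed every SDM encoding plus one reserved value through the setter. */
unsigned int demo_rejections(void)
{
    struct fake_vmcs vmcs = { 0 };
    uint32_t inputs[] = { ACTIVITY_ACTIVE, ACTIVITY_HLT, ACTIVITY_SHUTDOWN,
                          ACTIVITY_WAIT_FOR_SIPI, 7u };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        struct nonreg_state req = { .activity_state = inputs[i],
                                    .interruptibility = 0 };
        set_nonreg_state(&vmcs, &req);
    }
    return vmcs.rejected_count;   /* 4: everything except ACTIVE */
}

int main(void)
{
    printf("rejected %u of 5 requests\n", demo_rejections());
    return 0;
}
```

The split matters for the fuzzing use case: dropping the field from the getter would hide the very value a fuzzer wants to catch, while sanitising in the setter keeps the forked vCPU from ever entering a state that triggers the special VM-entry behaviour the commit message quotes.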
