Xen project Mailing List

Re: [XEN v5 1/3] xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option

To: Ayan Kumar Halder <ayankuma@xxxxxxx>, Ayan Kumar Halder <ayan.kumar.halder@xxxxxxx>

Date: Wed, 21 Feb 2024 08:09:18 +0100

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: sstabellini@xxxxxxxxxx, stefano.stabellini@xxxxxxx, julien@xxxxxxx, Volodymyr_Babchuk@xxxxxxxx, bertrand.marquis@xxxxxxx, michal.orzel@xxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Wed, 21 Feb 2024 07:09:24 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 20.02.2024 16:22, Ayan Kumar Halder wrote: > On 20/02/2024 12:33, Jan Beulich wrote: >> On 20.02.2024 13:17, Ayan Kumar Halder wrote: >>> --- a/SUPPORT.md >>> +++ b/SUPPORT.md >>> @@ -101,6 +101,18 @@ Extension to the GICv3 interrupt controller to support >>> MSI. >>> >>> Status: Experimental >>> >>> +### ARM/Partial Emulation >>> + >>> +Enable partial emulation of registers, otherwise considered unimplemented, >>> +that would normally trigger a fault injection. >>> + >>> + Status: Supported, with caveats >>> + >>> +Bugs allowing the userspace to attack the guest OS will not be considered >>> +security vulnerabilities. >>> + >>> +Bugs that could compromise Xen will be considered security vulnerabilities. >> ... the odd statement regarding in-guest vulnerabilities that might be >> introduced. I see only two ways of treating this as supported: Either >> you simply refuse emulation when the access is from user space, > > I am wondering how do we enforce that. > > Let me try to understand this with the current implementation of partial > emulation for system registers. > > 1. DBGDTRTX_EL0 :- I understand that EL0 access to this register will > cause a trap to EL2. The reason being MDCR_EL2.TDA == 1. > > In that case, if we refuse emulation then an undef exception is injected > to the guest (this is the behavior as of today even without this patch). > > So, are you saying that the undef exception is to be injected to the > user space process. This may be possible for Arm64 guests > (inject_undef64_exception() needs to be changed). No, injection is always to the guest, not to a specific entity within the guest. That ought to be the same on bare hardware: An exception when raised has an architecturally defined entry point for handling. That'll typically be kernel code. The handler then figures out whether the source of the exception was in user or kernel mode. For user mode code, the kernel may or may not try to handle the exception and then continue the user mode process. If it can't or doesn't want to handle it, it'll raise (in UNIX terms) a signal to the process. That signal, in turn, may or may not be fatal to the process. But such an exception from user mode should never be fatal to the guest as a whole. > However for Arm32 guests, this may not be possible as the mode changes > to PSR_MODE_UND. I'm afraid my Arm foo isn't good enough to understand this. On the surface it looks to violate above outlined principle. > Let me know if I understood you correctly. > >> or you >> support that mode of emulation as much as that of kernel space accesses. > > Do you mean we support partial emulation only for traps from EL1 mode ? Possibly. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.