[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 2/4] xen: make VMAP only support in MMU system


  • To: Ayan Kumar Halder <ayankuma@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Ayan Kumar Halder <ayan.kumar.halder@xxxxxxx>
  • From: Michal Orzel <michal.orzel@xxxxxxx>
  • Date: Fri, 16 Aug 2024 11:28:05 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=suse.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=bra6CCrp3DnE2rw0HNPS4yYAQIPTe+xVNSb3Rx+LVXM=; b=pMgePXrR0GRgK67fxaiR9Khb1Jij0QdcHIGo0cSaBeCwrVEs8Y/oroT5IsqnHjKg8iRND5Ee422GKJHhNAc5wRMnvRk527CdaJdijWQFJEqFubXGLsjwY29nguS0Ba8TqfpBwQsJFuaDjl6tHoNbLPWIJVeBNNapB+onrYJV+mVGPI07hGq5cnbMQP45QhdnebOdOkspG6ujZCVlFKk+LZHkCXx/gIjTYsQYZXkBx2buwFQSkxfu+qsMC9JDn64TBnl5WM39nvpPY3dcjI8styVaptIqC4pqsQeRdm452gXJGQ6RiX0eWSUqW1JrDrkB0HKVLjg3GX+rA3adKFCGjQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=xXbITgBc6smELDw8AZD0zkv+RgwiEbq1CdGOkD1C5oYBn5MTqWCSZagP7Yu3VGocYER4q+6Sv6+Z2Zyena7NbC9ZMKhN+C2L9t0ydHX5soak/m9l/970MqvX/k14T1q7SC5JrZLHTv1+PNffKyYdM1TtJAEQbHf3yccenGvLvpvOgpyFD4HmWrcU7SkAzU2QzkTftfQJ5mKqrZSNwLSRP/uFjunZkrGQD+tq1b25e/BBLJ8W5q2/H6yZP4N4KWEUI97WPVfLfRo3qU7MAKjDFI2Wq+fz1rfLiWHnsrsGZE6B7VEtsNV8Eb11iM8myOAt7/mpebsiIT6ce2eqhs0oQQ==
  • Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Penny Zheng <penny.zheng@xxxxxxx>, "Wei Chen" <wei.chen@xxxxxxx>, <sstabellini@xxxxxxxxxx>, <bertrand.marquis@xxxxxxx>, <Volodymyr_Babchuk@xxxxxxxx>, <julien@xxxxxxx>
  • Delivery-date: Fri, 16 Aug 2024 09:28:24 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Ayan,

On 14/08/2024 14:33, Ayan Kumar Halder wrote:
> Hi Jan,
> 
> On 14/08/2024 12:35, Jan Beulich wrote:
>> On 14.08.2024 12:55, Ayan Kumar Halder wrote:
>>> Hi Jan,
>>>
>>> On 14/08/2024 07:37, Jan Beulich wrote:
>>>> On 13.08.2024 19:13, Ayan Kumar Halder wrote:
>>>>> From: Penny Zheng <penny.zheng@xxxxxxx>
>>>>>
>>>>> Introduced CONFIG_VMAP which is selected by the architectures that use
>>>>> MMU. vm_init() does not do anything if CONFIG_VMAP is not enabled.
>>>>>
>>>>> VMAP is widely used in ALTERNATIVE feature to remap a range of memory
>>>>> with new memory attributes. Since this is highly dependent on virtual
>>>>> address translation, we choose to fold VMAP in MMU system.
>>>>>
>>>>> In this patch, we introduce a new Kconfig CONFIG_HAS_VMAP, and make it
>>>>> only support in MMU system on ARM architecture. And ALTERNATIVE now
>>>>> depends on VMAP.
>>>>>
>>>>> HARDEN_BRANCH_PREDICTOR is now gated on HAS_VMAP as speculative
>>>>> attacks are not possible on non MMU based systems (ie Cortex-R52, R82).
>>>>> See 
>>>>> https://developer.arm.com/Arm%20Security%20Center/Speculative%20Processor%20Vulnerability.
>>>> While I'm not an Arm expert and hence I'm likely missing aspects, I 
>>>> question
>>>> the one (Spectre-BHB) vulnerability there to be sufficient to draw a
>>>> conclusion towards the usefulness of branch hardening. I would advise
>>>> against encoding such a connection in the Kconfig dependencies.
>>> AFAIU, to address 'Spectre' like vulnerabilities 'branch hardening' was
>>> added.
>>>
>>> See https://lore.kernel.org/all/E1fNadD-0000fz-9r@xxxxxxxxxxxxxxxxxxxxxx/
>>>
>>> And from
>>> https://lists.linaro.org/archives/list/linux-stable-mirror@xxxxxxxxxxxxxxxx/message/F4MGL4WT2R7T54NLRDGKFRQNSXF3DZGD/
>>>
>>> Spectre is valid on MMU based systems.
>> Since then various other issues / flavors were found. I've been focusing
>> on the x86 side of things, but I'd be very surprised if some didn't
>> affect other architectures as well.
> 
> We are talking about Arm here as "HARDEN_BRANCH_PREDICTOR" is specific 
> to Arm.
> 
> https://developer.arm.com/Arm%20Security%20Center/Speculative%20Processor%20Vulnerability
>  
> covers all the flavours and it does not include Cortex-R82 or R52.
> 
> It says the following :-
> 
> "Cortex-R cores typically use a closed software stack. In those 
> environments, applications or processes are strictly controlled, and 
> therefore not exploitable"
> 
>> Plus branch hardening can be a pre-
>> cautionary measure, too, I think.
> 
> The first two Arm non MMU cores that we wish to support in the 
> forthcoming series is Cortex-R82 and R52.
> 
> As seen in https://developer.arm.com/documentation/ka005109/latest/, it 
> explicitly states the following about R82
> 
> The Cortex-R82 implements the faulting feature (FEAT_FPAC) but is not 
> vulnerable. The Cortex-R82 behaves differently than vulnerable A-class 
> CPUs when speculatively executing past an instruction that authenticates 
> PAC, and that behavior does not allow the attack software to create the 
> "oracle".
> 
> We can re-enable branch hardening if we know there is a valid non MMU 
> Arm core which is vulnerable.
> 
> Let me know if you are ok with the rationale.
I'm ok with your rationale.

I have one question for this patch. Why can't we use CONFIG_HAS_VMAP to 
conditionally compile vmap.c, like:
obj-$(CONFIG_HAS_VMAP) += vmap.o
and get rid of VMAP_VIRT_START guard on an entire file?
With this config in place, it seems strange to use VMAP_VIRT_START as a guard.

~Michal




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.