Xen project Mailing List

Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks

To: David Woodhouse <dwmw2@xxxxxxxxxxxxx>

Date: Fri, 27 Dec 2024 10:42:14 +0100

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: xen-devel@xxxxxxxxxxxxx, Juergen Gross <jgross@xxxxxxxx>

Delivery-date: Fri, 27 Dec 2024 09:42:24 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 23.12.2024 15:24, David Woodhouse wrote: > On Tue, 2024-12-17 at 12:18 +0000, Xen.org security team wrote: >> Xen Security Advisory CVE-2024-53241 / XSA-466 >> version 3 >> >> Xen hypercall page unsafe against speculative attacks >> >> UPDATES IN VERSION 3 >> ==================== >> >> Update of patch 5, public release. > > Can't we even use the hypercall page early in boot? Surely we have to > know whether we're running on an Intel or AMD CPU before we get to the > point where we can enable any of the new control-flow integrity > support? Do we need to jump through those hoops do do that early > detection and setup? Yes, putting it e.g. in .init.text ought to be possible and not violate security requirements. > Enabling the hypercall page is also one of the two points where Xen > will 'latch' that the guest is 64-bit, which affects the layout of the > shared_info, vcpu_info and runstate structures. Hmm, this is a side effect which I fear wasn't considered when putting together all of this. Making ourselves dependent upon ... > The other such latching point is when the guest sets > HVM_PARAM_CALLBACK_IRQ, and I *think* that should work in all > implementations of the Xen ABI (including QEMU/KVM and EC2). But would > want to test. ... just this may end up too little, especially when considering transitions between OSes / OS-like environments (boot loader -> OS, OS -> kexec-ed OS). > But perhaps it wouldn't hurt for maximal compatibility for Linux to set > the hypercall page *anyway*, even if Linux doesn't then use it — or > only uses it during early boot? Indeed. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.