[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 13/18] x86/spec-ctrl: introduce Address Space Isolation command line option

On Fri Jan 10, 2025 at 2:55 PM GMT, Roger Pau Monné wrote:
> On Thu, Jan 09, 2025 at 02:58:29PM +0000, Alejandro Vallejo wrote:
> > On Wed Jan 8, 2025 at 2:26 PM GMT, Roger Pau Monne wrote:
> > > No functional change, as the option is not used.
> > >
> > > Introduced new so newly added functionality is keyed on the option being
> > > enabled, even if the feature is non-functional.
> > >
> > > When ASI is enabled for PV domains, printing the usage of XPTI might be
> > > omitted if it must be uniformly disabled given the usage of ASI.
> > >
> > > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> > > ---
> > > Changes since v1:
> > >  - Improve comments and documentation about what ASI provides.
> > >  - Do not print the XPTI information if ASI is used for pv domUs and dom0 
> > > is
> > >    PVH, or if ASI is used for both domU and dom0.
> > >
> > > FWIW, I would print the state of XPTI uniformly, as otherwise I find the 
> > > output
> > > might be confusing for user expecting to assert the state of XPTI.
> > > ---
> > >  docs/misc/xen-command-line.pandoc    |  19 +++++
> > >  xen/arch/x86/include/asm/domain.h    |   3 +
> > >  xen/arch/x86/include/asm/spec_ctrl.h |   2 +
> > >  xen/arch/x86/spec_ctrl.c             | 115 +++++++++++++++++++++++++--
> > >  4 files changed, 133 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/docs/misc/xen-command-line.pandoc 
> > > b/docs/misc/xen-command-line.pandoc
> > > index 08b0053f9ced..3c1ad7b5fe7d 100644
> > > --- a/docs/misc/xen-command-line.pandoc
> > > +++ b/docs/misc/xen-command-line.pandoc
> > > @@ -202,6 +202,25 @@ to appropriate auditing by Xen.  Argo is disabled by 
> > > default.
> > >      This option is disabled by default, to protect domains from a DoS by 
> > > a
> > >      buggy or malicious other domain spamming the ring.
> > >  
> > > +### asi (x86)
> > > +> `= List of [ <bool>, {pv,hvm}=<bool>,
> > > +               {vcpu-pt}=<bool>|{pv,hvm}=<bool> ]`
> > 
> > nit: While this grows later, the braces around vcpu-pt aren't strictly 
> > needed here.
>
> Since I have to modify the whole line I can indeed add the braces
> later.
>
> > > +
> > > +Offers control over whether the hypervisor will engage in Address Space
> > > +Isolation, by not having potentially sensitive information permanently 
> > > mapped
> > > +in the VMM page-tables.  Using this option might avoid the need to apply
> > > +mitigations for certain speculative related attacks, at the cost of 
> > > mapping
> > > +sensitive information on-demand.
> > 
> > Might be worth mentioning that this provides some defense in depth against
> > unmitigated attacks too.
>
> It's IMO a bit too vague to make such promises, but I can add:
>
> Offers control over whether the hypervisor will engage in Address Space
> Isolation, by not having potentially sensitive information permanently mapped
> in the VMM page-tables.  Using this option might avoid the need to apply
> mitigations for certain speculative related attacks, at the cost of mapping
> sensitive information on-demand.  It might also offer some protection
> against unmitigated speculation-related attacks.

SGTM

Cheers,
Alejandro

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.