[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/hvm: Rationalise CS limit handling in arch_set_info_hvm_guest()

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 2 Sep 2025 12:37:53 +0200
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 02 Sep 2025 10:38:10 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 01.09.2025 20:08, Andrew Cooper wrote:
> Ever since it's introduction in commit 192df6f9122d ("x86: allow HVM guests to
> use hypercalls to bring up vCPUs"), %cs.g/limit has been handled differently
> to all other segments.
> 
> The hypercall takes full 32bit,

This is an implication from the implementation, but it's not said anywhere in
the public header. Without it saying that .g is ignored when .p is set (due
to ...

> and hvm_set_segment_register() fixes up all
> segments .g to match the limit being 2^20 or more.

... this internal behavior), I'd imply the opposite from what the public
header has right now. IOW I think the public header also needs touching in
the course of consolidating the code.

>  Therefore, treating %cs
> only as having architectural (20-bit) limit field is weird and unexpected.
> 
> Remove the custom handling for %cs.  This is a guest ABI change, but all
> callers are expected to be setting up flat segmentation, at which point limit
> will be ~0U and there will be no change in practice whether .g is set or not.

A legitimate input to achieve flat segmentation would be to pass in a CS
limit of 0xfffff and .g set. Just that people trying to do so would have
learned that this doesn't do what's intended. (This is just to further
emphasize that the public header commentary needs adjusting.)

That said, what hvm_set_segment_register() does isn't quite right for the
purpose here: If we assume the limit to be the full 32-bit value, then
when any of the upper 12 bits is set (meaning we would set .g) really
we'd need to reject values with the lower 12 bits not all ones. (That
could be a separate change to check_segment(), though.)

I'm further puzzled by comments in the header talking of starting a vCPU
in compatibility mode. How would that work sensibly? The guest can't
really set up any of the long mode control structures, unless confining
all of them into the low 4Gb (virtual and, for CR3, physical).

The TR setup for VCPU_HVM_MODE_64B also looks suspicious: What use is it
to set up a TSS at linear address 0, with a limit of 0x67? Wouldn't we
better make the limit as small as possible (0?), such that any implicit
access to it would fault? (I don't recall whether both SVM and VT-x
would permit an entirely invalid TR.) Furthermore to enter a guest in
compat mode, CR0.PG and CR4.PAE would also need to be set, whereas CS.L
would need to be clear.

Finally, why do we check both EFER.LME and EFER.LMA in the 32-bit case,
but only EFER.LME in the 64-bit one?

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.