Message ID | 20200219091811.9689-1-aisaila@bitdefender.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | [V3] x86/altp2m: Hypercall to set altp2m view visibility | expand |
On Wed, Feb 19, 2020 at 2:19 AM Alexandru Stefan ISAILA <aisaila@bitdefender.com> wrote: > > At this moment a guest can call vmfunc to change the altp2m view. This > should be limited in order to avoid any unwanted view switch. > > The new xc_altp2m_set_visibility() solves this by making views invisible > to vmfunc. > This is done by having a separate arch.altp2m_working_eptp that is > populated and made invalid in the same places as altp2m_eptp. This is > written to EPTP_LIST_ADDR. > The views are made in/visible by marking them with INVALID_MFN or > copying them back from altp2m_eptp. > To have consistency the visibility also applies to > p2m_switch_domain_altp2m_by_id(). I'm just wondering, what prevents the guest from calling this HVM op before doing vmfunc? This seems to only make a difference in case the altp2m mode is either set as external or limited (or have a more fine-grained XSM policy loaded). Is that correct? If so, perhaps mention that in the commit message and as a comment on the libxc function so that people don't get a false sense of security when using the mixed mode. Thanks, Tamas
On 19.02.2020 10:18, Alexandru Stefan ISAILA wrote: > @@ -4835,6 +4836,23 @@ static int do_altp2m_op( > break; > } > > + case HVMOP_altp2m_set_visibility: > + { > + uint16_t altp2m_idx = a.u.set_visibility.altp2m_idx; > + > + if ( a.u.set_visibility.pad ) > + rc = -EINVAL; > + else if ( !altp2m_active(d) ) > + rc = -EOPNOTSUPP; > + else if ( a.u.set_visibility.visible ) > + d->arch.altp2m_working_eptp[altp2m_idx] = > + d->arch.altp2m_eptp[altp2m_idx]; > + else > + d->arch.altp2m_working_eptp[altp2m_idx] = > + mfn_x(INVALID_MFN); Don't you need to bounds check the index before its use? And shouldn't you return an error also for in-range ones which aren't actually valid? Jan
On 19.02.2020 18:37, Tamas K Lengyel wrote: > On Wed, Feb 19, 2020 at 2:19 AM Alexandru Stefan ISAILA > <aisaila@bitdefender.com> wrote: >> >> At this moment a guest can call vmfunc to change the altp2m view. This >> should be limited in order to avoid any unwanted view switch. >> >> The new xc_altp2m_set_visibility() solves this by making views invisible >> to vmfunc. >> This is done by having a separate arch.altp2m_working_eptp that is >> populated and made invalid in the same places as altp2m_eptp. This is >> written to EPTP_LIST_ADDR. >> The views are made in/visible by marking them with INVALID_MFN or >> copying them back from altp2m_eptp. >> To have consistency the visibility also applies to >> p2m_switch_domain_altp2m_by_id(). > > I'm just wondering, what prevents the guest from calling this HVM op > before doing vmfunc? This seems to only make a difference in case the > altp2m mode is either set as external or limited (or have a more > fine-grained XSM policy loaded). Is that correct? If so, perhaps Yes, that is correct. > mention that in the commit message and as a comment on the libxc > function so that people don't get a false sense of security when using > the mixed mode. > I will add this fact in the commit message and in libxc. Good thing to point that out. Thanks, Alex
On 19.02.2020 19:00, Jan Beulich wrote: > On 19.02.2020 10:18, Alexandru Stefan ISAILA wrote: >> @@ -4835,6 +4836,23 @@ static int do_altp2m_op( >> break; >> } >> >> + case HVMOP_altp2m_set_visibility: >> + { >> + uint16_t altp2m_idx = a.u.set_visibility.altp2m_idx; >> + >> + if ( a.u.set_visibility.pad ) >> + rc = -EINVAL; >> + else if ( !altp2m_active(d) ) >> + rc = -EOPNOTSUPP; >> + else if ( a.u.set_visibility.visible ) >> + d->arch.altp2m_working_eptp[altp2m_idx] = >> + d->arch.altp2m_eptp[altp2m_idx]; >> + else >> + d->arch.altp2m_working_eptp[altp2m_idx] = >> + mfn_x(INVALID_MFN); > > Don't you need to bounds check the index before its use? Unless we want a index out of bounds from the user. Sorry for not having that, I will add a "altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)]" in place for the next version. > And > shouldn't you return an error also for in-range ones which > aren't actually valid? That is a good thing. Maybe -EINVAL could fit this? And together with the bounds check it will end up something like this: if ( !altp2m_idx < 0 || altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == mfn_x(INVALID_MFN) ) return -EINVAL; And looking again, it could be coupled with the a.u.set_visibility.pad. Thanks, Alex
On 20.02.2020 10:59, Alexandru Stefan ISAILA wrote: > On 19.02.2020 19:00, Jan Beulich wrote: >> On 19.02.2020 10:18, Alexandru Stefan ISAILA wrote: >>> @@ -4835,6 +4836,23 @@ static int do_altp2m_op( >>> break; >>> } >>> >>> + case HVMOP_altp2m_set_visibility: >>> + { >>> + uint16_t altp2m_idx = a.u.set_visibility.altp2m_idx; >>> + >>> + if ( a.u.set_visibility.pad ) >>> + rc = -EINVAL; >>> + else if ( !altp2m_active(d) ) >>> + rc = -EOPNOTSUPP; >>> + else if ( a.u.set_visibility.visible ) >>> + d->arch.altp2m_working_eptp[altp2m_idx] = >>> + d->arch.altp2m_eptp[altp2m_idx]; >>> + else >>> + d->arch.altp2m_working_eptp[altp2m_idx] = >>> + mfn_x(INVALID_MFN); >> >> Don't you need to bounds check the index before its use? > > Unless we want a index out of bounds from the user. Sorry for not having > that, I will add a "altp2m_eptp[array_index_nospec(altp2m_idx, > MAX_EPTP)]" in place for the next version. > >> And >> shouldn't you return an error also for in-range ones which >> aren't actually valid? > That is a good thing. Maybe -EINVAL could fit this? Sure. Jan
On 2/19/20 9:18 AM, Alexandru Stefan ISAILA wrote: > At this moment a guest can call vmfunc to change the altp2m view. This > should be limited in order to avoid any unwanted view switch. > > The new xc_altp2m_set_visibility() solves this by making views invisible > to vmfunc. > This is done by having a separate arch.altp2m_working_eptp that is > populated and made invalid in the same places as altp2m_eptp. This is > written to EPTP_LIST_ADDR. > The views are made in/visible by marking them with INVALID_MFN or > copying them back from altp2m_eptp. > To have consistency the visibility also applies to > p2m_switch_domain_altp2m_by_id(). So it looks like by default the views are visible, until they're made non-visible? Also, does the last line mean that the toolstack can't change to a "non-visible" altp2m either? -George
On 20.02.2020 14:21, George Dunlap wrote: > On 2/19/20 9:18 AM, Alexandru Stefan ISAILA wrote: >> At this moment a guest can call vmfunc to change the altp2m view. This >> should be limited in order to avoid any unwanted view switch. >> >> The new xc_altp2m_set_visibility() solves this by making views invisible >> to vmfunc. >> This is done by having a separate arch.altp2m_working_eptp that is >> populated and made invalid in the same places as altp2m_eptp. This is >> written to EPTP_LIST_ADDR. >> The views are made in/visible by marking them with INVALID_MFN or >> copying them back from altp2m_eptp. >> To have consistency the visibility also applies to >> p2m_switch_domain_altp2m_by_id(). > > > So it looks like by default the views are visible, until they're made > non-visible? Yes, by default all the active views are visible until they're made non-visible. > > Also, does the last line mean that the toolstack can't change to a > "non-visible" altp2m either? The last line means that xc_altp2m_switch_to_view() will not be able to switch to a non-visible view. -Alex
diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h index 99552a5f73..414adb143b 100644 --- a/tools/libxc/include/xenctrl.h +++ b/tools/libxc/include/xenctrl.h @@ -1943,6 +1943,8 @@ int xc_altp2m_change_gfn(xc_interface *handle, uint32_t domid, xen_pfn_t new_gfn); int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid, uint32_t vcpuid, uint16_t *p2midx); +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid, + uint16_t view_id, bool visible); /** * Mem paging operations. diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c index 46fb725806..6987c9541f 100644 --- a/tools/libxc/xc_altp2m.c +++ b/tools/libxc/xc_altp2m.c @@ -410,3 +410,27 @@ int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid, xc_hypercall_buffer_free(handle, arg); return rc; } + +int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid, + uint16_t view_id, bool visible) +{ + int rc; + + DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg); + + arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg)); + if ( arg == NULL ) + return -1; + + arg->version = HVMOP_ALTP2M_INTERFACE_VERSION; + arg->cmd = HVMOP_altp2m_set_visibility; + arg->domain = domid; + arg->u.set_visibility.altp2m_idx = view_id; + arg->u.set_visibility.visible = visible; + + rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m, + HYPERCALL_BUFFER_AS_ARG(arg)); + + xc_hypercall_buffer_free(handle, arg); + return rc; +} diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 00a9e70b7c..24035261f4 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -4558,6 +4558,7 @@ static int do_altp2m_op( case HVMOP_altp2m_get_mem_access: case HVMOP_altp2m_change_gfn: case HVMOP_altp2m_get_p2m_idx: + case HVMOP_altp2m_set_visibility: break; default: @@ -4835,6 +4836,23 @@ static int do_altp2m_op( break; } + case HVMOP_altp2m_set_visibility: + { + uint16_t altp2m_idx = a.u.set_visibility.altp2m_idx; + + if ( a.u.set_visibility.pad ) + rc = -EINVAL; + else if ( !altp2m_active(d) ) + rc = -EOPNOTSUPP; + else if ( a.u.set_visibility.visible ) + d->arch.altp2m_working_eptp[altp2m_idx] = + d->arch.altp2m_eptp[altp2m_idx]; + else + d->arch.altp2m_working_eptp[altp2m_idx] = + mfn_x(INVALID_MFN); + break; + } + default: ASSERT_UNREACHABLE(); } diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index bc2f48bf2c..90de909fec 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -2140,7 +2140,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct vcpu *v) { v->arch.hvm.vmx.secondary_exec_control |= mask; __vmwrite(VM_FUNCTION_CONTROL, VMX_VMFUNC_EPTP_SWITCHING); - __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp)); + __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_working_eptp)); if ( cpu_has_vmx_virt_exceptions ) { diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index 3d93f3451c..5969ec8922 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -488,8 +488,17 @@ int hap_enable(struct domain *d, u32 mode) goto out; } + if ( (d->arch.altp2m_working_eptp = alloc_xenheap_page()) == NULL ) + { + rv = -ENOMEM; + goto out; + } + for ( i = 0; i < MAX_EPTP; i++ ) + { d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN); + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN); + } for ( i = 0; i < MAX_ALTP2M; i++ ) { @@ -523,6 +532,12 @@ void hap_final_teardown(struct domain *d) d->arch.altp2m_eptp = NULL; } + if ( d->arch.altp2m_working_eptp ) + { + free_xenheap_page(d->arch.altp2m_working_eptp); + d->arch.altp2m_working_eptp = NULL; + } + for ( i = 0; i < MAX_ALTP2M; i++ ) p2m_teardown(d->arch.altp2m_p2m[i]); } diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c index eb0f0edfef..6539ca619b 100644 --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -1368,6 +1368,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int i) ept = &p2m->ept; ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m)); d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp; + d->arch.altp2m_working_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp; } unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp) diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 9f1c29d7ef..13b96715ba 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -2519,6 +2519,7 @@ void p2m_flush_altp2m(struct domain *d) { p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE); d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN); + d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN); } altp2m_list_unlock(d); @@ -2638,7 +2639,9 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx) { p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE); d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] = - mfn_x(INVALID_MFN); + mfn_x(INVALID_MFN); + d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] = + mfn_x(INVALID_MFN); rc = 0; } } @@ -2665,7 +2668,7 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, unsigned int idx) rc = -EINVAL; altp2m_list_lock(d); - if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) ) + if ( d->arch.altp2m_working_eptp[idx] != mfn_x(INVALID_MFN) ) { for_each_vcpu( d, v ) if ( idx != vcpu_altp2m(v).p2midx ) diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h index 1843c76d1a..b039717778 100644 --- a/xen/include/asm-x86/domain.h +++ b/xen/include/asm-x86/domain.h @@ -326,6 +326,7 @@ struct arch_domain struct p2m_domain *altp2m_p2m[MAX_ALTP2M]; mm_lock_t altp2m_list_lock; uint64_t *altp2m_eptp; + uint64_t *altp2m_working_eptp; #endif /* NB. protected by d->event_lock and by irq_desc[irq].lock */ diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h index b599d3cbd0..870ec52060 100644 --- a/xen/include/public/hvm/hvm_op.h +++ b/xen/include/public/hvm/hvm_op.h @@ -318,6 +318,12 @@ struct xen_hvm_altp2m_get_vcpu_p2m_idx { uint16_t altp2m_idx; }; +struct xen_hvm_altp2m_set_visibility { + uint16_t altp2m_idx; + uint8_t visible; + uint8_t pad; +}; + struct xen_hvm_altp2m_op { uint32_t version; /* HVMOP_ALTP2M_INTERFACE_VERSION */ uint32_t cmd; @@ -350,6 +356,8 @@ struct xen_hvm_altp2m_op { #define HVMOP_altp2m_get_p2m_idx 14 /* Set the "Supress #VE" bit for a range of pages */ #define HVMOP_altp2m_set_suppress_ve_multi 15 +/* Set visibility for a given altp2m view */ +#define HVMOP_altp2m_set_visibility 16 domid_t domain; uint16_t pad1; uint32_t pad2; @@ -367,6 +375,7 @@ struct xen_hvm_altp2m_op { struct xen_hvm_altp2m_suppress_ve_multi suppress_ve_multi; struct xen_hvm_altp2m_vcpu_disable_notify disable_notify; struct xen_hvm_altp2m_get_vcpu_p2m_idx get_vcpu_p2m_idx; + struct xen_hvm_altp2m_set_visibility set_visibility; uint8_t pad[64]; } u; };
At this moment a guest can call vmfunc to change the altp2m view. This should be limited in order to avoid any unwanted view switch. The new xc_altp2m_set_visibility() solves this by making views invisible to vmfunc. This is done by having a separate arch.altp2m_working_eptp that is populated and made invalid in the same places as altp2m_eptp. This is written to EPTP_LIST_ADDR. The views are made in/visible by marking them with INVALID_MFN or copying them back from altp2m_eptp. To have consistency the visibility also applies to p2m_switch_domain_altp2m_by_id(). Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> --- CC: Ian Jackson <ian.jackson@eu.citrix.com> CC: Wei Liu <wl@xen.org> CC: Andrew Cooper <andrew.cooper3@citrix.com> CC: George Dunlap <George.Dunlap@eu.citrix.com> CC: Jan Beulich <jbeulich@suse.com> CC: Julien Grall <julien@xen.org> CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> CC: Stefano Stabellini <sstabellini@kernel.org> CC: "Roger Pau Monné" <roger.pau@citrix.com> CC: Jun Nakajima <jun.nakajima@intel.com> CC: Kevin Tian <kevin.tian@intel.com> CC: George Dunlap <george.dunlap@eu.citrix.com> --- Changes since V2: - Drop hap_enabled() check - Reduce the indentation depth in hvm.c - Fix assignment indentation - Drop pad2. Changes since V1: - Drop double view from title. --- tools/libxc/include/xenctrl.h | 2 ++ tools/libxc/xc_altp2m.c | 24 ++++++++++++++++++++++++ xen/arch/x86/hvm/hvm.c | 18 ++++++++++++++++++ xen/arch/x86/hvm/vmx/vmx.c | 2 +- xen/arch/x86/mm/hap/hap.c | 15 +++++++++++++++ xen/arch/x86/mm/p2m-ept.c | 1 + xen/arch/x86/mm/p2m.c | 7 +++++-- xen/include/asm-x86/domain.h | 1 + xen/include/public/hvm/hvm_op.h | 9 +++++++++ 9 files changed, 76 insertions(+), 3 deletions(-)