From patchwork Mon May 13 11:11:04 2024
X-Patchwork-Submitter: Elias El Yandouzi
X-Patchwork-Id: 13663337
X-BeenThere: xen-devel@lists.xenproject.org
List-Id: Xen developer discussion
From: Elias El Yandouzi
To:
CC: , , , Hongyan Xia , Julien Grall , Elias El Yandouzi
Subject: [PATCH V3 06/19] x86: Add a boot option to enable and disable the direct map
Date: Mon, 13 May 2024 11:11:04 +0000
Message-ID: <20240513111117.68828-7-eliasely@amazon.com>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20240513111117.68828-1-eliasely@amazon.com>
References: <20240513111117.68828-1-eliasely@amazon.com>
MIME-Version: 1.0

From: Hongyan Xia

Also add a helper function to retrieve it. Change arch_mfns_in_direct_map
to check this option before returning.

This is added as a Kconfig option as well as a boot command line option.
While being generic, the Kconfig option is only usable for x86 at the moment.

Note that there remain some users of the directmap at this point. The option
is introduced now as it will be needed in follow-up patches.

Signed-off-by: Hongyan Xia
Signed-off-by: Julien Grall
Signed-off-by: Elias El Yandouzi

----

Changes in V2:
    * Introduce a Kconfig option
    * Reword the commit message
    * Make opt_directmap and helper generic

Changes since Hongyan's version:
    * Reword the commit message
    * opt_directmap is only modified during boot so mark it as __ro_after_init

diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index e760f3266e..743d343ffa 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -799,6 +799,18 @@ that enabling this option cannot guarantee anything beyond what underlying hardware guarantees (with, where available and known to Xen, respective tweaks applied). +### directmap (x86) +> `= ` + +> Default: `true` + +Enable or disable the directmap region in Xen. + +By default, Xen creates the directmap region which maps physical memory +in that region. Setting this to no will sparsely populate the directmap, +blocking exploits that leak secrets via speculative memory access in the +directmap. + ### dma_bits > `= ` 
diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig index 7e03e4bc55..b4ec0e582e 100644 --- a/xen/arch/x86/Kconfig +++ b/xen/arch/x86/Kconfig @@ -28,6 +28,7 @@ config X86 select HAS_PCI_MSI select HAS_PIRQ select HAS_SCHED_GRANULARITY + select HAS_SECRET_HIDING select HAS_UBSAN select HAS_VPCI if HVM select NEEDS_LIBELF diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h index 98b66edaca..54d835f156 100644 --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -622,11 +622,17 @@ void write_32bit_pse_identmap(uint32_t *l2); /* * x86 maps part of physical memory via the directmap region. * Return whether the range of MFN falls in the directmap region. + * + * When boot command line sets directmap=no, the directmap will mostly be empty + * so this will always return false. */ static inline bool arch_mfns_in_directmap(unsigned long mfn, unsigned long nr) { unsigned long eva = min(DIRECTMAP_VIRT_END, HYPERVISOR_VIRT_END); + if ( !has_directmap() ) + return false; + return (mfn + nr) <= (virt_to_mfn(eva - 1) + 1); } diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index f84e1cd79c..bd6b1184f5 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -1517,6 +1517,8 @@ void asmlinkage __init noreturn __start_xen(unsigned long mbi_p) if ( highmem_start ) xenheap_max_mfn(PFN_DOWN(highmem_start - 1)); + printk("Booting with directmap %s\n", has_directmap() ? "on" : "off"); + /* * Walk every RAM region and map it in its entirety (on x86/64, at least) * and notify it to the boot allocator. diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 565ceda741..856604068c 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig 
@@ -80,12 +80,29 @@ config HAS_PMAP config HAS_SCHED_GRANULARITY bool +config HAS_SECRET_HIDING + bool + config HAS_UBSAN bool config MEM_ACCESS_ALWAYS_ON bool +config SECRET_HIDING + bool "Secret hiding" + depends on HAS_SECRET_HIDING + help + The directmap contains mapping for most of the RAM which makes domain + memory easily accessible. While making the performance better, it also makes + the hypervisor more vulnerable to speculation attacks. + + Enabling this feature will allow the user to decide whether the memory + is always mapped at boot or mapped only on demand (see the command line + option "directmap"). + + If unsure, say N. + config MEM_ACCESS def_bool MEM_ACCESS_ALWAYS_ON prompt "Memory Access and VM events" if !MEM_ACCESS_ALWAYS_ON diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 7c1bdfc046..9b7e4721cd 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -174,6 +174,11 @@ paddr_t __ro_after_init mem_hotplug; static char __initdata opt_badpage[100] = ""; string_param("badpage", opt_badpage); +bool __ro_after_init opt_directmap = true; +#ifdef CONFIG_HAS_SECRET_HIDING +boolean_param("directmap", opt_directmap); +#endif + /* * no-bootscrub -> Free pages are not zeroed during boot. */ diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 7561297a75..9d4f1f2d0d 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -167,6 +167,13 @@ extern unsigned long max_page; extern unsigned long total_pages; extern paddr_t mem_hotplug; +extern bool opt_directmap; + +static inline bool has_directmap(void) +{ + return opt_directmap; +} + /* * Extra fault info types which are used to further describe * the source of an access violation.
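Review bot: In the docs/misc/xen-command-line.pandoc hunk, the new directmap entry claims that "no" is "blocking exploits that leak secrets via speculative memory access", which is stronger than what the same paragraph ("sparsely populate") and the commit message ("there remains some users of the directmap at this point") support. Suggest describing it as reducing what is reachable through the directmap, and stating that the option is only parsed when the hypervisor is built with the matching Kconfig option. The sentence "creates the directmap region which maps physical memory in that region" is also circular; it could say what is mapped (most of the RAM, per the Kconfig help text in this patch).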
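Review bot: In arch_mfns_in_directmap() (xen/arch/x86/include/asm/mm.h), the added comment says the directmap "will mostly be empty" and then that the function "will always return false"; the second does not follow from the first as written. Suggest stating the contract instead: with directmap=no callers must not assume any MFN range is mapped, so the function reports false even for the parts that are still populated.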
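Review bot: The printk() added to __start_xen() in xen/arch/x86/setup.c carries no log level. Suggest prefixing it with XENLOG_INFO so its level is explicit. Note also that it prints "on" in every build where the directmap parameter is not registered, where the line carries no information.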
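Review bot: In xen/common/page_alloc.c the boolean_param("directmap", opt_directmap) registration is guarded by CONFIG_HAS_SECRET_HIDING, which xen/arch/x86/Kconfig now selects without any condition, so the user-visible SECRET_HIDING option added in xen/common/Kconfig is not tested anywhere in this patch and has no effect. If the help text ("Enabling this feature will allow the user to decide ...") states the intent, the guard should be "#ifdef CONFIG_SECRET_HIDING". The help text could also say that the run-time default stays true, so enabling the Kconfig option alone does not change the mapping.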
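Review bot: has_directmap() in xen/include/xen/mm.h always reads opt_directmap, including in builds where the command line option is compiled out and the variable can never be anything but true. Suggest having the helper return a constant true in that configuration so the compiler can drop the new branches (such as the one in arch_mfns_in_directmap()), and adding a one-line comment on the helper saying what a false result means for callers.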