From patchwork Thu Feb 18 15:01:58 2021
X-Patchwork-Submitter: Norbert Manthey
X-Patchwork-Id: 12093619
List-Id: Xen developer discussion
From: Norbert Manthey
To:
CC: Jan Beulich, Andrew Cooper, Roger Pau Monné, Wei Liu, Norbert Manthey, Ian Jackson
Subject: [PATCH HVM v4 1/1] hvm: refactor set param
Date: Thu, 18 Feb 2021 16:01:58 +0100
Message-ID: <20210218150158.28265-1-nmanthey@amazon.de>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <2633df5f-df68-4a16-bc5c-522b2a589b00@amazon.de>
References: <2633df5f-df68-4a16-bc5c-522b2a589b00@amazon.de>

To prevent leaking HVM params via L1TF and similar issues on a hyperthread
pair, let's load values of domains only after performing all relevant
checks, and blocking speculative execution.

For both get and set, the value of the index is already checked in the
outer calling function. The block_speculation calls in hvmop_get_param and
hvmop_set_param are removed, because is_hvm_domain already blocks
speculation. Furthermore, speculative barriers are re-arranged to make sure
we do not allow guests running on co-located VCPUs to leak hvm parameter
values of other domains.

To improve symmetry between the get and set operations, function
hvmop_set_param is made static.

This is part of the speculative hardening effort.

Signed-off-by: Norbert Manthey
Reported-by: Hongyan Xia
Release-Acked-by: Ian Jackson
Reviewed-by: Jan Beulich
---
v4:
 * add 'static' attribute to hvmop_set_param
 * drop introduced bound checks, e.g. in hvm_allow_set_param
 * drop existing bound check from hvm_set_param
 * do not introduce block_speculation in hvmop_set_param, as is_hvm_domain
   already blocks speculation
 * fix comments

 xen/arch/x86/hvm/hvm.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4060,7 +4060,7 @@ static int hvm_allow_set_param(struct domain *d, uint32_t index, uint64_t new_value) { - uint64_t value = d->arch.hvm.params[index]; + uint64_t value; int rc; rc = xsm_hvm_param(XSM_TARGET, d, HVMOP_set_param); @@ -4108,6 +4108,10 @@ static int hvm_allow_set_param(struct domain *d, if ( rc ) return rc; + /* Make sure we evaluate permissions before loading data of domains. */ + block_speculation(); + + value = d->arch.hvm.params[index]; switch ( index ) { /* The following parameters should only be changed once. */ @@ -4134,13 +4138,13 @@ static int hvm_set_param(struct domain *d, uint32_t index, uint64_t value) struct vcpu *v; int rc; - if ( index >= HVM_NR_PARAMS ) - return -EINVAL; - rc = hvm_allow_set_param(d, index, value); if ( rc ) return rc; + /* Make sure we evaluate permissions before loading data of domains. */ + block_speculation(); + switch ( index ) { case HVM_PARAM_CALLBACK_IRQ: @@ -4305,7 +4309,7 @@ static int hvm_set_param(struct domain *d, uint32_t index, uint64_t value) return rc; } -int hvmop_set_param( +static int hvmop_set_param( XEN_GUEST_HANDLE_PARAM(xen_hvm_param_t) arg) { struct xen_hvm_param a; @@ -4318,9 +4322,6 @@ int hvmop_set_param( if ( a.index >= HVM_NR_PARAMS ) return -EINVAL; - /* Make sure the above bound check is not bypassed during speculation. */ - block_speculation(); - d = rcu_lock_domain_by_any_id(a.domid); if ( d == NULL ) return -ESRCH; @@ -4388,6 +4389,9 @@ int hvm_get_param(struct domain *d, uint32_t index, uint64_t *value) if ( rc ) return rc; + /* Make sure the above domain permissions check is respected. */ + block_speculation(); + switch ( index ) { case HVM_PARAM_ACPI_S_STATE: @@ -4428,9 +4432,6 @@ static int hvmop_get_param( if ( a.index >= HVM_NR_PARAMS ) return -EINVAL; - /* Make sure the above bound check is not bypassed during speculation. */ - block_speculation(); - d = rcu_lock_domain_by_any_id(a.domid); if ( d == NULL ) return -ESRCH;
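Review bot: in the @@ -4108,6 +4108,10 @@ hunk (hvm_allow_set_param) the new comment only says permissions are evaluated before loading domain data, but the load `value = d->arch.hvm.params[index];` that follows is also the first point at which the guest-supplied index reaches memory, and this patch moves the index bound check's own barrier out of hvmop_set_param (the @@ -4318,9 +4322,6 @@ hunk). Suggest the comment name both conditions, along the lines of "the XSM check and the caller's index bound check must have retired before params[index] is read", so that a later change neither hoists the load back above the barrier nor drops the caller's check without noticing this consumer.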
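Review bot: in the @@ -4134,13 +4138,13 @@ hunk, deleting `if ( index >= HVM_NR_PARAMS ) return -EINVAL;` from hvm_set_param turns index validity into an unstated precondition of that function. The one caller visible in this patch, hvmop_set_param, does check a.index, but hvm_set_param is the function that (through hvm_allow_set_param) indexes d->arch.hvm.params, so an `ASSERT(index < HVM_NR_PARAMS);` or a one-line comment above the hvm_allow_set_param() call would make the contract explicit for any future caller rather than leaving it only in the commit message.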
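Review bot: the @@ -4305,7 +4309,7 @@ hunk makes hvmop_set_param static, but the diffstat shows only xen/arch/x86/hvm/hvm.c changing; if a header still carries a prototype for it, the build either breaks or the symbol keeps an external declaration with no definition behind it. Please confirm no prototype remains elsewhere and say so in the commit message, since the stated motivation (symmetry with the already static hvmop_get_param) does not by itself establish that.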
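Review bot: in the @@ -4318,9 +4322,6 @@ hunk, dropping the barrier leaves the bound check `if ( a.index >= HVM_NR_PARAMS ) return -EINVAL;` with no local indication that it is still fenced; the commit message says is_hvm_domain() provides the barrier, but that dependency is not visible at this site or in the hunk's context. A short comment at the check, e.g. `/* Speculation past this check is blocked by is_hvm_domain() below. */`, would stop the next reader from re-adding a barrier here, and would flag this consumer to anyone later changing the barrier inside is_hvm_domain().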
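Review bot: in the @@ -4388,6 +4389,9 @@ hunk, hvm_get_param is non-static and the hunk shows no index bound check ahead of the `switch ( index )`, so the new barrier fences the permission check while index validation remains a caller obligation; hvmop_get_param (the next hunk) does check a.index, but other callers of hvm_get_param are not visible here. The comment "Make sure the above domain permissions check is respected." should also state that callers are expected to have validated index, or an `ASSERT(index < HVM_NR_PARAMS);` should sit next to the barrier, so the get side carries the same explicit contract as the set side.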
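The ordering the commit message describes (run every check, then block_speculation(), and only then load guest-indexed domain data), as an added stand-alone illustration. This is example code, not Xen's hvm.c and not part of the patch: NR_PARAMS, PARAM_WRITE_ONCE, the struct domain layout, the xsm_check() stand-in and the hardened/unhardened switch are all assumptions of this example. The "before" variant reads params[index] at the top of the permission helper, as hvm_allow_set_param did prior to this patch; the "after" variant mirrors the patched ordering, including the second barrier after the rc check in the outer function.

```c
/*
 * Added example, not Xen code: a stand-alone model of the ordering change
 * in this patch (check, then block_speculation(), then load).  NR_PARAMS,
 * PARAM_WRITE_ONCE, struct domain and xsm_check() are made up for the demo;
 * block_speculation() is an LFENCE on x86 as in Xen, and a plain compiler
 * barrier elsewhere so the file still builds there.
 */
#include <errno.h>
#include <stdint.h>

#define NR_PARAMS        8   /* stands in for HVM_NR_PARAMS (assumed) */
#define PARAM_WRITE_ONCE 3   /* assumed index of a set-once parameter */

struct domain {
    uint64_t params[NR_PARAMS];
    int caller_allowed;      /* stand-in for the XSM policy decision */
};

static inline void block_speculation(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("lfence" ::: "memory");
#else
    __asm__ volatile ("" ::: "memory");
#endif
}

/* Stand-in for xsm_hvm_param(): the policy says yes or no for this caller. */
static int xsm_check(const struct domain *d)
{
    return d->caller_allowed ? 0 : -EPERM;
}

/*
 * Ordering before the patch: params[index] is read while the permission
 * branch below may still be mispredicted.  The read is architecturally dead
 * when rc != 0, but it has already pulled the value into the cache.
 */
static int allow_set_param_before(struct domain *d, uint32_t index,
                                  uint64_t new_value)
{
    uint64_t value = d->params[index];   /* speculative sink, too early */
    int rc = xsm_check(d);

    if ( rc )
        return rc;
    if ( index == PARAM_WRITE_ONCE && value != 0 && new_value != value )
        return -EEXIST;                  /* set-once parameter */
    return 0;
}

/* Ordering after the patch: permission check, barrier, then the load. */
static int allow_set_param_after(struct domain *d, uint32_t index,
                                 uint64_t new_value)
{
    uint64_t value;
    int rc = xsm_check(d);

    if ( rc )
        return rc;

    block_speculation();                 /* permissions first, data second */
    value = d->params[index];

    if ( index == PARAM_WRITE_ONCE && value != 0 && new_value != value )
        return -EEXIST;
    return 0;
}

/* Outer entry point, like hvmop_set_param(): owns the index bound check. */
int set_param(struct domain *d, uint32_t index, uint64_t new_value,
              int hardened)
{
    int rc;

    if ( index >= NR_PARAMS )            /* guest-controlled index */
        return -EINVAL;

    rc = hardened ? allow_set_param_after(d, index, new_value)
                  : allow_set_param_before(d, index, new_value);
    if ( rc )
        return rc;

    if ( hardened )
        block_speculation();             /* the rc branch can mispredict too */

    d->params[index] = new_value;
    return 0;
}

/* Returns the number of failed checks; 0 means both orderings behave alike. */
int run_checks(void)
{
    struct domain d = { .caller_allowed = 1 };
    int fails = 0;

    fails += set_param(&d, PARAM_WRITE_ONCE, 0x1000, 1) != 0;
    fails += d.params[PARAM_WRITE_ONCE] != 0x1000;
    fails += set_param(&d, PARAM_WRITE_ONCE, 0x2000, 1) != -EEXIST;
    fails += set_param(&d, PARAM_WRITE_ONCE, 0x1000, 1) != 0;
    fails += set_param(&d, NR_PARAMS, 1, 1) != -EINVAL;
    fails += set_param(&d, NR_PARAMS, 1, 0) != -EINVAL;
    d.caller_allowed = 0;
    fails += set_param(&d, 1, 7, 1) != -EPERM;
    fails += set_param(&d, 1, 7, 0) != -EPERM;
    fails += d.params[1] != 0;           /* denied writes must not land */
    return fails;
}

int main(void)
{
    return run_checks() ? 1 : 0;
}
```

Both orderings return identical architectural results, which is the point: no functional test distinguishes them, only the position of the load relative to the barrier does, so a change like this is reviewed by reading the order of checks, barrier and memory access rather than by running it.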