projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c567b05) | patch
x86/pv: Don't have %cr4.fsgsbase active behind a guest kernels back
authorAndrew Cooper <andrew.cooper3@citrix.com>
Tue, 5 Mar 2019 14:05:50 +0000 (15:05 +0100)
committerJan Beulich <jbeulich@suse.com>
Tue, 5 Mar 2019 14:05:50 +0000 (15:05 +0100)
commit4f9ab5f75c120a2cc0b58d651da75e03fc50d9e9
tree7fa06e30ac3aabdb93e1e48a7f7e36a74afabaadtree | snapshot
parentc567b053e807cc3b55c9d8e8b714dee00a0bf4f4commit | diff
x86/pv: Don't have %cr4.fsgsbase active behind a guest kernels back

Currently, a 64bit PV guest can appear to set and clear FSGSBASE in %cr4, but
the bit remains set in hardware.  Therefore, the {RD,WR}{FS,GS}BASE are usable
even when the guest kernel believes that they are disabled.

The FSGSBASE feature isn't currently supported in Linux, and its context
switch path has some optimisations which rely on userspace being unable to use
the WR{FS,GS}BASE instructions.  Xen's current behaviour undermines this
expectation.

In 64bit PV guest context, always load the guest kernels setting of FSGSBASE
into %cr4.  This requires adjusting how Xen uses the {RD,WR}{FS,GS}BASE
instructions.

 * Delete the cpu_has_fsgsbase helper.  It is no longer safe, as users need to
   check %cr4 directly.
 * The raw __rd{fs,gs}base() helpers are only safe to use when %cr4.fsgsbase
   is set.  Comment this property.
 * The {rd,wr}{fs,gs}{base,shadow}() and read_msr() helpers are updated to use
   the current %cr4 value to determine which mechanism to use.
 * toggle_guest_mode() and save_segments() are update to avoid reading
   fs/gsbase if the values in hardware cannot be stale WRT struct vcpu.  A
   consequence of this is that the write_cr() path needs to cache the current
   bases, as subsequent context switches will skip saving the values.
 * write_cr4() is updated to ensure that the shadow %cr4.fsgsbase value is
   observed in a safe way WRT the hardware setting, if an interrupt happens to
   hit in the middle.
 * load_segments() is updated to use the VMLOAD optimisation if FSGSBASE is
   unavailable, even if only gs_shadow needs updating.  As a minor perf
   improvement, check cpu_has_svm first to short circuit a context-dependent
   conditional on Intel hardware.
 * pv_make_cr4() is updated for 64bit PV guests to use the guest kernels
   choice of FSGSBASE.

This is part of XSA-293.

Reported-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: eccc170053e46b4ab1d9e7485c09e210be15bbd7
master date: 2019-03-05 13:54:05 +0100
xen/arch/x86/domain.c diff | blob | history
xen/arch/x86/pv/domain.c diff | blob | history
xen/arch/x86/pv/emul-priv-op.c diff | blob | history
xen/arch/x86/setup.c diff | blob | history
xen/include/asm-x86/cpufeature.h diff | blob | history
xen/include/asm-x86/msr.h diff | blob | history
xen/include/asm-x86/processor.h diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.