| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Feb 2011 00:41:31 +0100
From: Borislav Petkov <bp@...en8.de>
To: Jeremy Fitzhardinge <jeremy@...p.org>
Cc: "H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...e.hu>,
the arch/x86 maintainers <x86@...nel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Xen Devel <Xen-devel@...ts.xensource.com>,
Jeremy Fitzhardinge <jeremy.fitzhardinge@...rix.com>
Subject: Re: [PATCH 0/2] x86/microcode: support for microcode update in Xen
dom0
On Mon, Jan 31, 2011 at 10:17:03AM -0800, Jeremy Fitzhardinge wrote:
> On 01/30/2011 11:02 PM, Borislav Petkov wrote:
> >> Well, I was trying to avoid putting Xen-specific code into the existing
> >> Intel/AMD loaders. That doesn't seem any cleaner.
> >>
> >> I could export "my firmware pathname" functions from them and have the
> >> Xen driver call those, rather than duplicating the pathname construction
> >> code. Would that help address your concerns?
> > Well, I was thinking even more radically than that. How about
> >
> > 1. microcode_xen.c figures out which struct microcode_ops to use based
> > on the hw vendor;
> >
> > 2. overwrites the ->apply_microcode ptr with the hypercall wrapper
> >
> > 3. dom0 uses it to load the firmware image and do all checks to it
>
> That could be made to work, but I don't really see it as being an
> improvement.
WTF? How is
* almost no code duplication
* not adding Xen-specific checks to generic arch code
* relying on already tested codepaths
not an improvement?
> The whole "overwriting bits of other people's ops structures" thing
> seems like a pretty bad idea for long term maintainability.
I don't think that's an issue: you either load microcode_xen in dom0
(x)or the respective vendor driver on baremetal.
> > 4. eventually, the hypervisor gets to apply the _verified_ microcode
> > image (no more checks needed) using the vendor-specific application
> > method.
> >
> > This way there's almost no code duplication, you'll be reusing the
> > vendor-supplied code in baremetal which gets tested and updated
> > everytime it needs to and will save you a bunch of work everytime
> > there's change to it needed to replicate it into the hypervisor.
>
> In general Xen tries to avoid trusting its domains. Admittedly, dom0 is
> special in that it is already somewhat trusted, but even dom0 is
> constrained by Xen. For microcode, Xen just depends on it to provide a
> best-possible microcode file, then Xen+the CPU do the work of fully
> validating it and installing it.
Well, the CPU doesn't trust the microcode provided by the software
either. And why should it?
All I'm saying is, you should try as best as possible to avoid code
duplication and the need for replicating functionality to Xen, thus
doubling - even multiplying - the effort for coding/testing baremetal
and then Xen. Microcode is a perfect example since the vendors do all
their testing/verification on baremetal anyway and the rest should
benefit from that work.
Thanks.
--
Regards/Gruss,
Boris.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists