lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <547D7E6D.6090000@redhat.com>
Date:	Tue, 02 Dec 2014 09:55:09 +0100
From:	Paolo Bonzini <pbonzini@...hat.com>
To:	linux-kernel@...r.kernel.org
Cc:	kvm@...r.kernel.org
Subject: Re: [PATCH v2 1/2] kvm: x86: revert mask out xsaves



On 02/12/2014 07:14, Wanpeng Li wrote:
> xsaves will be exported to guest in the next patch, so revert the
> mask out xsaves patch.
> 
> Signed-off-by: Wanpeng Li <wanpeng.li@...ux.intel.com>
> ---
>  arch/x86/kvm/cpuid.c | 10 +---------
>  1 file changed, 1 insertion(+), 9 deletions(-)
> 
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index a4f5ac4..7af07571 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -320,10 +320,6 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
>  		F(ADX) | F(SMAP) | F(AVX512F) | F(AVX512PF) | F(AVX512ER) |
>  		F(AVX512CD);
>  
> -	/* cpuid 0xD.1.eax */
> -	const u32 kvm_supported_word10_x86_features =
> -		F(XSAVEOPT) | F(XSAVEC) | F(XGETBV1);

Every single bit needs to be whitelisted independently of the others, so
a full revert is not possible.  We need to be careful about post-Skylake
processors introducing new bits in this cpuid leaf.

Also, you cannot just add F(XSAVES) here; you must only do it if XSAVES
is actually supported.  This makes sure that nested virtualization will
_not_ present XSAVES to the guests until specific support is introduced
for XSAVES and XRSTORS exits (including the XSS exit bitmap).

In order to do this, you have to introduce a new member in kvm_x86_ops,
modeling what was done for MPX.  The second patch can then implement
this new member.

Thanks,

Paolo

>  	/* all calls to cpuid_count() should be made on the same cpu */
>  	get_cpu();
>  
> @@ -460,8 +456,6 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
>  		entry->eax &= supported;
>  		entry->edx &= supported >> 32;
>  		entry->flags |= KVM_CPUID_FLAG_SIGNIFCANT_INDEX;
> -		if (!supported)
> -			break;
>  
>  		for (idx = 1, i = 1; idx < 64; ++idx) {
>  			u64 mask = ((u64)1 << idx);
> @@ -469,9 +463,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
>  				goto out;
>  
>  			do_cpuid_1_ent(&entry[i], function, idx);
> -			if (idx == 1)
> -				entry[i].eax &= kvm_supported_word10_x86_features;
> -			else if (entry[i].eax == 0 || !(supported & mask))
> +			if (entry[i].eax == 0 || !(supported & mask))
>  				continue;
>  			entry[i].flags |=
>  			       KVM_CPUID_FLAG_SIGNIFCANT_INDEX;
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ