Date:   Mon, 4 Feb 2019 19:22:56 +0000
From:   "Singh, Brijesh" <brijesh.singh@....com>
To:     Jim Mattson <jmattson@...gle.com>
CC:     "Singh, Brijesh" <brijesh.singh@....com>,
        kvm list <kvm@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        the arch/x86 maintainers <x86@...nel.org>,
        Borislav Petkov <bp@...en8.de>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Radim Krčmář <rkrcmar@...hat.com>,
        Joerg Roedel <joro@...tes.org>, Borislav Petkov <bp@...e.de>,
        "Lendacky, Thomas" <Thomas.Lendacky@....com>
Subject: Re: [Part2 PATCH v9 38/38] KVM: X86: Restart the guest when insn_len is zero and SEV is enabled



On 2/1/19 2:21 PM, Jim Mattson wrote:
> On Mon, Dec 4, 2017 at 5:07 PM Brijesh Singh <brijesh.singh@....com> wrote:
>>
>> On AMD platforms, under certain conditions insn_len may be zero on #NPF.
>> This can happen if a guest gets a page-fault on data access but the HW
>> table walker is not able to read the instruction page (e.g. the instruction
>> page is not present in memory).
>>
>> Typically, when insn_len is zero, x86_emulate_instruction() walks the
>> guest page table and fetches the instruction bytes from guest memory.
>> When SEV is enabled, the guest memory is encrypted with a guest-specific
>> key, hence the hypervisor will not be able to fetch the instruction bytes.
>> In those cases we simply restart the guest.
>>
>> I have encountered this issue when running kernbench inside the guest.
>>
>> Cc: Thomas Gleixner <tglx@...utronix.de>
>> Cc: Ingo Molnar <mingo@...hat.com>
>> Cc: "H. Peter Anvin" <hpa@...or.com>
>> Cc: Paolo Bonzini <pbonzini@...hat.com>
>> Cc: "Radim Krčmář" <rkrcmar@...hat.com>
>> Cc: Joerg Roedel <joro@...tes.org>
>> Cc: Borislav Petkov <bp@...e.de>
>> Cc: Tom Lendacky <thomas.lendacky@....com>
>> Cc: x86@...nel.org
>> Cc: kvm@...r.kernel.org
>> Cc: linux-kernel@...r.kernel.org
>> Signed-off-by: Brijesh Singh <brijesh.singh@....com>
>> ---
>>   arch/x86/kvm/mmu.c | 10 ++++++++++
>>   arch/x86/kvm/svm.c |  6 ++++--
>>   2 files changed, 14 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
>> index e5e66e5c6640..d5e5dbd0e5ad 100644
>> --- a/arch/x86/kvm/mmu.c
>> +++ b/arch/x86/kvm/mmu.c
>> @@ -4950,6 +4950,16 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
>>          if (mmio_info_in_cache(vcpu, cr2, direct))
>>                  emulation_type = 0;
>>   emulate:
>> +       /*
>> +        * On AMD platforms, under certain conditions insn_len may be zero on #NPF.
>> +        * This can happen if a guest gets a page-fault on data access but the HW
>> +        * table walker is not able to read the instruction page (e.g instruction
>> +        * page is not present in memory). In those cases we simply restart the
>> +        * guest.
>> +        */
>> +       if (unlikely(insn && !insn_len))
>> +               return 1;
>> +
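Review bot: the early return `if (unlikely(insn && !insn_len)) return 1;` resumes the guest whenever an instruction buffer is present but empty, without consulting whether SEV is enabled, even though the subject line scopes the change to "insn_len is zero and SEV is enabled". If a caller can pass a non-NULL `insn` with `insn_len == 0` for a non-SEV guest, this skips the fallback fetch in x86_emulate_instruction() that the commit message says would otherwise handle the case; either gate the return on the guest's SEV state here or say in the comment why a non-NULL `insn` at this point implies SEV. The comment should also record the actual reason for restarting rather than emulating, namely that the hypervisor cannot read the encrypted instruction bytes, since "we simply restart the guest" on its own does not explain why emulation is not attempted. Finally, if the condition that left insn_len at zero persists across re-entry, `return 1` re-executes the same faulting access indefinitely; the commit message should state what bounds that loop or why the condition is guaranteed to clear.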
> 
> How does this work, for instance, with MMIO at CPL3 with SMAP enabled?
> 


The processor will still attempt to supply correct instruction
bytes in this case (basically it disables SMAP temporarily during
this read). *HOWEVER*, looking through the Zen docs, there is an
erratum about this on Zen. See erratum 1096 in
https://www.amd.com/system/files/TechDocs/55449_Fam_17h_M_00h0Fh_Rev_Guide.pdf

Looking at the erratum, it seems that on Zen processors the CPU will not
supply instruction bytes in this scenario (MMIO at CPL3 with
SMAP=1). I will reach out to the HW folks to see if there are any
plans to fix this in upcoming CPU cores.

We probably need a workaround for this erratum. In the non-SEV case
we can let the host read the instruction bytes, but in the SEV case
we can disable SMAP temporarily in CR4, then retry the guest,
and then restore the CR4.SMAP setting. I will work on a patch
and post it on the mailing list.

-Brijesh
