lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <7477c714-4aa3-5fea-47db-01ccf91f3d6e@suse.com>
Date:   Mon, 26 Sep 2022 17:36:04 +0200
From:   Juergen Gross <jgross@...e.com>
To:     Jan Beulich <jbeulich@...e.com>
Cc:     Jonathan Corbet <corbet@....net>,
        Boris Ostrovsky <boris.ostrovsky@...cle.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        "H. Peter Anvin" <hpa@...or.com>, xen-devel@...ts.xenproject.org,
        x86@...nel.org, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/3] xen/pv: support selecting safe/unsafe msr accesses

On 26.09.22 17:23, Jan Beulich wrote:
> On 26.09.2022 16:18, Juergen Gross wrote:
>> --- a/arch/x86/xen/Kconfig
>> +++ b/arch/x86/xen/Kconfig
>> @@ -92,3 +92,12 @@ config XEN_DOM0
>>   	select X86_X2APIC if XEN_PVH && X86_64
>>   	help
>>   	  Support running as a Xen Dom0 guest.
>> +
>> +config XEN_PV_MSR_SAFE
>> +	bool "Always use safe MSR accesses in PV guests"
>> +	default y
> 
> Is there any time line when this default will change, perhaps first to
> DEBUG and later to N?

I'm not sure. I did an initial test with the safe variants disabled in dom0
and it just worked.

I'm not sure we want an intermediate step, as in critical cases the user can
still use the boot parameter.

> 
>> @@ -1010,22 +1020,16 @@ static int xen_write_msr_safe(unsigned int msr, unsigned int low,
>>   
>>   static u64 xen_read_msr(unsigned int msr)
>>   {
>> -	/*
>> -	 * This will silently swallow a #GP from RDMSR.  It may be worth
>> -	 * changing that.
>> -	 */
>>   	int err;
>>   
>> -	return xen_read_msr_safe(msr, &err);
>> +	return xen_do_read_msr(msr, xen_msr_safe ? &err : NULL);
>>   }
> 
> When we were talking at the session, I think I said that at least there
> is no uninitialized value being passed back. But I did look at
> xen_read_msr_safe() only, which indeed is okay. Whereas
> native_read_msr_safe() isn't (nor is native_read_msr() afaict), so I
> think part of this series should be to also eliminate the undefined-
> ness from this code path (possible now only when xen_msr_safe is true,
> but as per above that'll be the default at least for some time), where
> the caller has no way to know that it shouldn't look at the value.

I can add that.


Juergen

Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3099 bytes)

Download attachment "OpenPGP_signature" of type "application/pgp-signature" (496 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ