diff mbox series

[V4] x86/altp2m: Hypercall to set altp2m view visibility

Message ID 20200221083014.29274-1-aisaila@bitdefender.com (mailing list archive)
State Superseded
Headers show
Series [V4] x86/altp2m: Hypercall to set altp2m view visibility | expand

Commit Message

Alexandru Stefan ISAILA Feb. 21, 2020, 8:30 a.m. UTC
At this moment a guest can call vmfunc to change the altp2m view. This
should be limited in order to avoid any unwanted view switch.

The new xc_altp2m_set_visibility() solves this by making views invisible
to vmfunc.
This is done by having a separate arch.altp2m_working_eptp that is
populated and made invalid in the same places as altp2m_eptp. This is
written to EPTP_LIST_ADDR.
The views are made in/visible by marking them with INVALID_MFN or
copying them back from altp2m_eptp.
To have consistency the visibility also applies to
p2m_switch_domain_altp2m_by_id().

Note: If altp2m mode is set to mixed the guest is able to change the view
visibility and then call vmfunc.

Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
---
CC: Ian Jackson <ian.jackson@eu.citrix.com>
CC: Wei Liu <wl@xen.org>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: George Dunlap <George.Dunlap@eu.citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Julien Grall <julien@xen.org>
CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: "Roger Pau Monné" <roger.pau@citrix.com>
CC: Jun Nakajima <jun.nakajima@intel.com>
CC: Kevin Tian <kevin.tian@intel.com>
CC: George Dunlap <george.dunlap@eu.citrix.com>
---
Changes since V3:
	- Change var name form altp2m_idx to idx to shorten line length
	- Add bounds check for idx
	- Update commit message
	- Add comment in xenctrl.h.

Changes since V2:
	- Drop hap_enabled() check
	- Reduce the indentation depth in hvm.c
	- Fix assignment indentation
	- Drop pad2.

Changes since V1:
	- Drop double view from title.
---
 tools/libxc/include/xenctrl.h   |  7 +++++++
 tools/libxc/xc_altp2m.c         | 24 ++++++++++++++++++++++++
 xen/arch/x86/hvm/hvm.c          | 21 +++++++++++++++++++++
 xen/arch/x86/hvm/vmx/vmx.c      |  2 +-
 xen/arch/x86/mm/hap/hap.c       | 15 +++++++++++++++
 xen/arch/x86/mm/p2m-ept.c       |  1 +
 xen/arch/x86/mm/p2m.c           |  7 +++++--
 xen/include/asm-x86/domain.h    |  1 +
 xen/include/public/hvm/hvm_op.h |  9 +++++++++
 9 files changed, 84 insertions(+), 3 deletions(-)

Comments

Jan Beulich Feb. 21, 2020, 4:39 p.m. UTC | #1
On 21.02.2020 09:30, Alexandru Stefan ISAILA wrote:
> @@ -4835,6 +4836,26 @@ static int do_altp2m_op(
>          break;
>      }
>  
> +    case HVMOP_altp2m_set_visibility:
> +    {
> +        uint16_t idx = a.u.set_visibility.altp2m_idx;
> +
> +        if ( a.u.set_visibility.pad ||
> +             idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||

Why min() here? You only access MAX_EPTP-dimensioned arrays afaics. If
this is intentional, I think it deserves a comment.

> +             d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] ==
> +             mfn_x(INVALID_MFN) )
> +            rc = -EINVAL;
> +        else if ( !altp2m_active(d) )
> +            rc = -EOPNOTSUPP;
> +        else if ( a.u.set_visibility.visible )
> +            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
> +                d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)];
> +        else
> +            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
> +                mfn_x(INVALID_MFN);
> +        break;

You don't seem to be holding any locks. At the very least this means
the in-range-index-is-valid check further up will have become stale
by the time you actually consume the slot.

> @@ -2638,7 +2639,9 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx)
>          {
>              p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE);
>              d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =
> -            mfn_x(INVALID_MFN);
> +                mfn_x(INVALID_MFN);
> +            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
> +                mfn_x(INVALID_MFN);

I appreciate you also adjusting the bogus indentation of the pre-
existing line.

Jan
Alexandru Stefan ISAILA Feb. 24, 2020, 9:06 a.m. UTC | #2
On 21.02.2020 18:39, Jan Beulich wrote:
> On 21.02.2020 09:30, Alexandru Stefan ISAILA wrote:
>> @@ -4835,6 +4836,26 @@ static int do_altp2m_op(
>>           break;
>>       }
>>   
>> +    case HVMOP_altp2m_set_visibility:
>> +    {
>> +        uint16_t idx = a.u.set_visibility.altp2m_idx;
>> +
>> +        if ( a.u.set_visibility.pad ||
>> +             idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
> 
> Why min() here? You only access MAX_EPTP-dimensioned arrays afaics. If
> this is intentional, I think it deserves a comment.

I have min() here because the altp2m index should not be grater then 
MAX_ALTP2M. I know this is used as altp2m_eptp() index but the two are 
coupled.

> 
>> +             d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] ==
>> +             mfn_x(INVALID_MFN) )
>> +            rc = -EINVAL;
>> +        else if ( !altp2m_active(d) )
>> +            rc = -EOPNOTSUPP;
>> +        else if ( a.u.set_visibility.visible )
>> +            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
>> +                d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)];
>> +        else
>> +            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
>> +                mfn_x(INVALID_MFN);
>> +        break;
> 
> You don't seem to be holding any locks. At the very least this means
> the in-range-index-is-valid check further up will have become stale
> by the time you actually consume the slot.
> 

Good thing to point this out here. I will add altp2m_list_lock/unlock(d) 
to guard this check and operation.

>> @@ -2638,7 +2639,9 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx)
>>           {
>>               p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE);
>>               d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =
>> -            mfn_x(INVALID_MFN);
>> +                mfn_x(INVALID_MFN);
>> +            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
>> +                mfn_x(INVALID_MFN);
> 
> I appreciate you also adjusting the bogus indentation of the pre-
> existing line.
> 

Thanks,
Alex
Alexandru Stefan ISAILA Feb. 26, 2020, 9:34 a.m. UTC | #3
On 24.02.2020 11:06, Alexandru Stefan ISAILA wrote:
> 
> 
> On 21.02.2020 18:39, Jan Beulich wrote:
>> On 21.02.2020 09:30, Alexandru Stefan ISAILA wrote:
>>> @@ -4835,6 +4836,26 @@ static int do_altp2m_op(
>>>            break;
>>>        }
>>>    
>>> +    case HVMOP_altp2m_set_visibility:
>>> +    {
>>> +        uint16_t idx = a.u.set_visibility.altp2m_idx;
>>> +
>>> +        if ( a.u.set_visibility.pad ||
>>> +             idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
>>
>> Why min() here? You only access MAX_EPTP-dimensioned arrays afaics. If
>> this is intentional, I think it deserves a comment.
> 
> I have min() here because the altp2m index should not be grater then
> MAX_ALTP2M. I know this is used as altp2m_eptp() index but the two are
> coupled.
> 
>>
>>> +             d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] ==
>>> +             mfn_x(INVALID_MFN) )
>>> +            rc = -EINVAL;
>>> +        else if ( !altp2m_active(d) )
>>> +            rc = -EOPNOTSUPP;
>>> +        else if ( a.u.set_visibility.visible )
>>> +            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
>>> +                d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)];
>>> +        else
>>> +            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
>>> +                mfn_x(INVALID_MFN);
>>> +        break;
>>
>> You don't seem to be holding any locks. At the very least this means
>> the in-range-index-is-valid check further up will have become stale
>> by the time you actually consume the slot.
>>
> 
> Good thing to point this out here. I will add altp2m_list_lock/unlock(d)
> to guard this check and operation.

I think it's better to move all the altp2m things in a new function, 
something like p2m_set_altp2m_view_visibility(), in p2m.c. This way 
there will be no additional include needed.

Alex
diff mbox series

Patch

diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
index 99552a5f73..b26fccc989 100644
--- a/tools/libxc/include/xenctrl.h
+++ b/tools/libxc/include/xenctrl.h
@@ -1943,6 +1943,13 @@  int xc_altp2m_change_gfn(xc_interface *handle, uint32_t domid,
                          xen_pfn_t new_gfn);
 int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
                                uint32_t vcpuid, uint16_t *p2midx);
+/*
+ * Set view visibility for xc_altp2m_switch_to_view and vmfunc.
+ * Note: If altp2m mode is set to mixed the guest is able to change the view
+ * visibility and then call vmfunc.
+ */
+int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
+                             uint16_t view_id, bool visible);
 
 /** 
  * Mem paging operations.
diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c
index 46fb725806..6987c9541f 100644
--- a/tools/libxc/xc_altp2m.c
+++ b/tools/libxc/xc_altp2m.c
@@ -410,3 +410,27 @@  int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
     xc_hypercall_buffer_free(handle, arg);
     return rc;
 }
+
+int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
+                             uint16_t view_id, bool visible)
+{
+    int rc;
+
+    DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg);
+
+    arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg));
+    if ( arg == NULL )
+        return -1;
+
+    arg->version = HVMOP_ALTP2M_INTERFACE_VERSION;
+    arg->cmd = HVMOP_altp2m_set_visibility;
+    arg->domain = domid;
+    arg->u.set_visibility.altp2m_idx = view_id;
+    arg->u.set_visibility.visible = visible;
+
+    rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m,
+                  HYPERCALL_BUFFER_AS_ARG(arg));
+
+    xc_hypercall_buffer_free(handle, arg);
+    return rc;
+}
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 00a9e70b7c..d1ce0f869e 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4558,6 +4558,7 @@  static int do_altp2m_op(
     case HVMOP_altp2m_get_mem_access:
     case HVMOP_altp2m_change_gfn:
     case HVMOP_altp2m_get_p2m_idx:
+    case HVMOP_altp2m_set_visibility:
         break;
 
     default:
@@ -4835,6 +4836,26 @@  static int do_altp2m_op(
         break;
     }
 
+    case HVMOP_altp2m_set_visibility:
+    {
+        uint16_t idx = a.u.set_visibility.altp2m_idx;
+
+        if ( a.u.set_visibility.pad ||
+             idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
+             d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] ==
+             mfn_x(INVALID_MFN) )
+            rc = -EINVAL;
+        else if ( !altp2m_active(d) )
+            rc = -EOPNOTSUPP;
+        else if ( a.u.set_visibility.visible )
+            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
+                d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)];
+        else
+            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
+                mfn_x(INVALID_MFN);
+        break;
+    }
+
     default:
         ASSERT_UNREACHABLE();
     }
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index bc2f48bf2c..90de909fec 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2140,7 +2140,7 @@  static void vmx_vcpu_update_vmfunc_ve(struct vcpu *v)
     {
         v->arch.hvm.vmx.secondary_exec_control |= mask;
         __vmwrite(VM_FUNCTION_CONTROL, VMX_VMFUNC_EPTP_SWITCHING);
-        __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp));
+        __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_working_eptp));
 
         if ( cpu_has_vmx_virt_exceptions )
         {
diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
index 3d93f3451c..5969ec8922 100644
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -488,8 +488,17 @@  int hap_enable(struct domain *d, u32 mode)
             goto out;
         }
 
+        if ( (d->arch.altp2m_working_eptp = alloc_xenheap_page()) == NULL )
+        {
+            rv = -ENOMEM;
+            goto out;
+        }
+
         for ( i = 0; i < MAX_EPTP; i++ )
+        {
             d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
+            d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
+        }
 
         for ( i = 0; i < MAX_ALTP2M; i++ )
         {
@@ -523,6 +532,12 @@  void hap_final_teardown(struct domain *d)
             d->arch.altp2m_eptp = NULL;
         }
 
+        if ( d->arch.altp2m_working_eptp )
+        {
+            free_xenheap_page(d->arch.altp2m_working_eptp);
+            d->arch.altp2m_working_eptp = NULL;
+        }
+
         for ( i = 0; i < MAX_ALTP2M; i++ )
             p2m_teardown(d->arch.altp2m_p2m[i]);
     }
diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c
index eb0f0edfef..6539ca619b 100644
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -1368,6 +1368,7 @@  void p2m_init_altp2m_ept(struct domain *d, unsigned int i)
     ept = &p2m->ept;
     ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m));
     d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
+    d->arch.altp2m_working_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
 }
 
 unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp)
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 9f1c29d7ef..13b96715ba 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2519,6 +2519,7 @@  void p2m_flush_altp2m(struct domain *d)
     {
         p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE);
         d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
+        d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
     }
 
     altp2m_list_unlock(d);
@@ -2638,7 +2639,9 @@  int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx)
         {
             p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE);
             d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =
-            mfn_x(INVALID_MFN);
+                mfn_x(INVALID_MFN);
+            d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
+                mfn_x(INVALID_MFN);
             rc = 0;
         }
     }
@@ -2665,7 +2668,7 @@  int p2m_switch_domain_altp2m_by_id(struct domain *d, unsigned int idx)
     rc = -EINVAL;
     altp2m_list_lock(d);
 
-    if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) )
+    if ( d->arch.altp2m_working_eptp[idx] != mfn_x(INVALID_MFN) )
     {
         for_each_vcpu( d, v )
             if ( idx != vcpu_altp2m(v).p2midx )
diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
index 1843c76d1a..b039717778 100644
--- a/xen/include/asm-x86/domain.h
+++ b/xen/include/asm-x86/domain.h
@@ -326,6 +326,7 @@  struct arch_domain
     struct p2m_domain *altp2m_p2m[MAX_ALTP2M];
     mm_lock_t altp2m_list_lock;
     uint64_t *altp2m_eptp;
+    uint64_t *altp2m_working_eptp;
 #endif
 
     /* NB. protected by d->event_lock and by irq_desc[irq].lock */
diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h
index b599d3cbd0..870ec52060 100644
--- a/xen/include/public/hvm/hvm_op.h
+++ b/xen/include/public/hvm/hvm_op.h
@@ -318,6 +318,12 @@  struct xen_hvm_altp2m_get_vcpu_p2m_idx {
     uint16_t altp2m_idx;
 };
 
+struct xen_hvm_altp2m_set_visibility {
+    uint16_t altp2m_idx;
+    uint8_t visible;
+    uint8_t pad;
+};
+
 struct xen_hvm_altp2m_op {
     uint32_t version;   /* HVMOP_ALTP2M_INTERFACE_VERSION */
     uint32_t cmd;
@@ -350,6 +356,8 @@  struct xen_hvm_altp2m_op {
 #define HVMOP_altp2m_get_p2m_idx          14
 /* Set the "Supress #VE" bit for a range of pages */
 #define HVMOP_altp2m_set_suppress_ve_multi 15
+/* Set visibility for a given altp2m view */
+#define HVMOP_altp2m_set_visibility       16
     domid_t domain;
     uint16_t pad1;
     uint32_t pad2;
@@ -367,6 +375,7 @@  struct xen_hvm_altp2m_op {
         struct xen_hvm_altp2m_suppress_ve_multi    suppress_ve_multi;
         struct xen_hvm_altp2m_vcpu_disable_notify  disable_notify;
         struct xen_hvm_altp2m_get_vcpu_p2m_idx     get_vcpu_p2m_idx;
+        struct xen_hvm_altp2m_set_visibility       set_visibility;
         uint8_t pad[64];
     } u;
 };