From: Alejandro Vallejo
To: Xen-devel
Cc: Alejandro Vallejo, Jan Beulich, Andrew Cooper, Roger Pau Monné, Wei Liu
Subject: [PATCH v2 1/2] x86/boot: Clear XD_DISABLE from the early boot path
Date: Thu, 15 Jun 2023 16:31:56 +0100
Message-Id: <20230615153157.444-2-alejandro.vallejo@cloud.com>
In-Reply-To: <20230615153157.444-1-alejandro.vallejo@cloud.com>

Intel CPUs have a bit in MSR_IA32_MISC_ENABLE that may prevent the NX bit
from being advertised. Clear it unconditionally if we can't find the NX
feature right away on boot.

The conditions for the MSR being read on early boot are (in this order):

* Long Mode is supported
* NX isn't advertised
* The vendor is Intel

The order of checks has been chosen carefully so a virtualized Xen on a
hypervisor that doesn't emulate that MSR (but supports NX) doesn't triple
fault trying to access the non-existing MSR.

While at it, make sure we use rdmsr_safe rather than rdmsrl in the
Intel-specific init path so we don't accidentally crash if the MSR isn't
emulated while Xen is virtualized.

Signed-off-by: Alejandro Vallejo
---
 xen/arch/x86/boot/head.S             | 60 ++++++++++++++++++++++++----
 xen/arch/x86/cpu/intel.c             | 32 +++++++--------
 xen/arch/x86/include/asm/msr-index.h |  2 +-
 3 files changed, 69 insertions(+), 25 deletions(-)

diff --git a/xen/arch/x86/boot/head.S b/xen/arch/x86/boot/head.S index 09bebf8635..ce62eae6f3 100644 --- a/xen/arch/x86/boot/head.S +++ b/xen/arch/x86/boot/head.S
@@ -142,8 +142,8 @@ efi_platform: =20 .section .init.text, "ax", @progbits =20 -bad_cpu: - add $sym_offs(.Lbad_cpu_msg),%esi # Error message +.Lbad_cpu: + add $sym_offs(.Lbad_cpu_msg),%esi jmp .Lget_vtb not_multiboot: add $sym_offs(.Lbad_ldr_msg),%esi # Error message 
@@ -647,15 +647,59 @@ trampoline_setup: cpuid 1: mov %edx, CPUINFO_FEATURE_OFFSET(X86_FEATURE_LM) + sym_esi(boo= t_cpu_data) =20 - /* Check for NX. Adjust EFER setting if available. */ + /* Check for availability of long mode. */ + bt $cpufeat_bit(X86_FEATURE_LM),%edx + jnc .Lbad_cpu + + /* Check for NX */ bt $cpufeat_bit(X86_FEATURE_NX), %edx + jc .Lhas_nx_bit + + /* + * NX appears to be unsupported, but it might be hidden. + * + * Intel CPUs (may) implement MSR_IA32_MISC_ENABLE. Among other + * things this MSR has a bit that artificially hides NX support in + * CPUID. Xen _really_ wants that feature enabled if present, so we + * have to determine if (a) the MSR exists and if so (b) clear the + * bit. + * + * For native boots this is perfectly fine because the MSR was + * introduced before Netburst, which was the first family to + * provide 64bit support. So we're safe simply accessing it as long + * as long mode support has already been checked. + * + * For the virtualized case the MSR might not be emulated though, + * so we make sure to do an initial check for NX in order to bypass + * this MSR read + */ + xor %eax,%eax + cpuid + cmpl $X86_VENDOR_INTEL_EBX,%ebx + jnz .Lno_nx_bit + cmpl $X86_VENDOR_INTEL_EDX,%edx + jnz .Lno_nx_bit + cmpl $X86_VENDOR_INTEL_ECX,%ecx + jnz .Lno_nx_bit + + /* Clear the XD_DISABLE bit */ + movl $MSR_IA32_MISC_ENABLE, %ecx + rdmsr + btrl $2, %edx jnc 1f - orb $EFER_NXE >> 8, 1 + sym_esi(trampoline_efer) -1: + wrmsr + orb $MSR_IA32_MISC_ENABLE_XD_DISABLE >> 32, 4 + sym_esi(trampo= line_misc_enable_off) =20 - /* Check for availability of long mode. */ - bt $cpufeat_bit(X86_FEATURE_LM),%edx - jnc bad_cpu +1: /* Check again for NX */ + mov $0x80000001,%eax + cpuid + bt $cpufeat_bit(X86_FEATURE_NX), %edx + jnc .Lno_nx_bit + +.Lhas_nx_bit: + /* Adjust EFER is NX is present */ + orb $EFER_NXE >> 8, 1 + sym_esi(trampoline_efer) +.Lno_nx_bit: =20 /* Stash TSC to calculate a good approximation of time-since-boot = */ rdtsc 
diff --git a/xen/arch/x86/cpu/intel.c b/xen/arch/x86/cpu/intel.c index 168cd58f36..46b0cd8dbb 100644 --- a/xen/arch/x86/cpu/intel.c +++ b/xen/arch/x86/cpu/intel.c @@ -305,23 +305,23 @@ static void cf_check early_init_intel(struct cpuinfo_= x86 *c) c->x86_cache_alignment =3D 128; =20 /* Unmask CPUID levels and NX if masked: */ - rdmsrl(MSR_IA32_MISC_ENABLE, misc_enable); - - disable =3D misc_enable & (MSR_IA32_MISC_ENABLE_LIMIT_CPUID | - MSR_IA32_MISC_ENABLE_XD_DISABLE); - if (disable) { - wrmsrl(MSR_IA32_MISC_ENABLE, misc_enable & ~disable); - bootsym(trampoline_misc_enable_off) |=3D disable; - bootsym(trampoline_efer) |=3D EFER_NXE; - } + if (rdmsr_safe(MSR_IA32_MISC_ENABLE, misc_enable) =3D=3D 0) { + disable =3D misc_enable & (MSR_IA32_MISC_ENABLE_LIMIT_CPUID | + MSR_IA32_MISC_ENABLE_XD_DISABLE); + if (disable) { + wrmsrl(MSR_IA32_MISC_ENABLE, misc_enable & ~disable); + bootsym(trampoline_misc_enable_off) |=3D disable; + bootsym(trampoline_efer) |=3D EFER_NXE; + } =20 - if (disable & MSR_IA32_MISC_ENABLE_LIMIT_CPUID) - printk(KERN_INFO "revised cpuid level: %d\n", - cpuid_eax(0)); - if (disable & MSR_IA32_MISC_ENABLE_XD_DISABLE) { - write_efer(read_efer() | EFER_NXE); - printk(KERN_INFO - "re-enabled NX (Execute Disable) protection\n"); + if (disable & MSR_IA32_MISC_ENABLE_LIMIT_CPUID) + printk(KERN_INFO "revised cpuid level: %d\n", + cpuid_eax(0)); + if (disable & MSR_IA32_MISC_ENABLE_XD_DISABLE) { + write_efer(read_efer() | EFER_NXE); + printk(KERN_INFO + "re-enabled NX (Execute Disable) protection\n"); + } } =20 /* CPUID workaround for Intel 0F33/0F34 CPU */ diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/as= m/msr-index.h index 2749e433d2..4f861c0bb4 100644 --- a/xen/arch/x86/include/asm/msr-index.h +++ b/xen/arch/x86/include/asm/msr-index.h 
@@ -502,7 +502,7 @@ #define MSR_IA32_MISC_ENABLE_MONITOR_ENABLE (1<<18) #define MSR_IA32_MISC_ENABLE_LIMIT_CPUID (1<<22) #define MSR_IA32_MISC_ENABLE_XTPR_DISABLE (1<<23) -#define MSR_IA32_MISC_ENABLE_XD_DISABLE (1ULL << 34) +#define MSR_IA32_MISC_ENABLE_XD_DISABLE (_AC(1, ULL) << 34) =20 #define MSR_IA32_TSC_DEADLINE 0x000006E0 #define MSR_IA32_ENERGY_PERF_BIAS 0x000001b0 --=20 2.34.1
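
Review bot: In the @@ -142 hunk of head.S, the rename of bad_cpu to .Lbad_cpu and the removal of its "# Error message" comment are not mentioned in the commit message, and not_multiboot just below keeps the old style. Either mention the cleanup in the description or split it into its own patch so this one carries only the XD_DISABLE change.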
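
Review bot: The rdmsr of MSR_IA32_MISC_ENABLE in the trampoline_setup hunk (@@ -647) is still reached unguarded when CPUID reports Intel, NX is hidden and the hypervisor does not emulate the MSR; the new comment only covers the case where NX is already advertised, so please spell out that residual case there (the commit message already names the triple fault). "btrl $2, %edx" hard-codes the bit position while the orb a few lines later writes it as "$MSR_IA32_MISC_ENABLE_XD_DISABLE >> 32"; since %edx holds the upper half of the MSR after rdmsr, bit 34 is bit 2 there, and deriving the 2 from the same constant (or a short comment) would make that obvious. When "jnc 1f" is taken, XD_DISABLE was already clear, yet the code re-runs CPUID 0x80000001 although nothing has changed; jumping straight to .Lno_nx_bit would skip the redundant probe. The new comment "Adjust EFER is NX is present" should read "if NX is present".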
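
Review bot: In the early_init_intel() hunk of intel.c, "bootsym(trampoline_efer) |= EFER_NXE;" still sits under the bare "if (disable)", so it also runs when only MSR_IA32_MISC_ENABLE_LIMIT_CPUID was set. Since the block is being re-indented anyway, consider moving it into the "disable & MSR_IA32_MISC_ENABLE_XD_DISABLE" branch next to write_efer(). The read is now rdmsr_safe() but the write remains wrmsrl(); a brief comment that a successful read implies the write is safe would close the question.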
From: Alejandro Vallejo
To: Xen-devel
Cc: Alejandro Vallejo, Jan Beulich, Andrew Cooper, Roger Pau Monné, Wei Liu
Subject: [PATCH v2 2/2] x86: Add Kconfig option to require NX bit support
Date: Thu, 15 Jun 2023 16:31:57 +0100
Message-Id: <20230615153157.444-3-alejandro.vallejo@cloud.com>
In-Reply-To: <20230615153157.444-1-alejandro.vallejo@cloud.com>

This option hardens Xen by forcing it to write secure (NX-enhanced) PTEs
regardless of the runtime NX feature bit in boot_cpu_data. This prevents an
attacker with partial write support from affecting Xen's PTE generation
logic by overriding the NX feature flag.

The patch asserts support for the NX bit in PTEs at boot time and if so
short-circuits the cpu_has_nx macro to 1. It has the nice benefit of
replacing many instances of runtime checks with folded constants. This has
several knock-on effects that improve codegen, saving 2.5KiB off the text
section.

The config option defaults to OFF for compatibility with previous
behaviour.

Signed-off-by: Alejandro Vallejo
---
 xen/arch/x86/Kconfig                  | 16 ++++++++++++++++
 xen/arch/x86/boot/head.S              | 15 ++++++++++++++-
 xen/arch/x86/boot/trampoline.S        |  3 ++-
 xen/arch/x86/efi/efi-boot.h           |  9 +++++++++
 xen/arch/x86/include/asm/cpufeature.h |  3 ++-
 5 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig index 406445a358..fa97d4cccc 100644 --- a/xen/arch/x86/Kconfig +++ b/xen/arch/x86/Kconfig
@@ -307,6 +307,22 @@ config MEM_SHARING bool "Xen memory sharing support (UNSUPPORTED)" if UNSUPPORTED depends on HVM =20 +config REQUIRE_NX + bool "Require NX bit support" + help + No-eXecute (also called XD "eXecute Disable" and DEP "Data + Execution Prevention") is a security feature designed originally + to combat buffer overflow attacks by marking regions of memory + which the CPU must not interpret as instructions. + + The NX feature exists in every 64bit CPU except for some very + early Pentium 4 Prescott machines. + + Enabling this option will improve Xen's security by removing + cases where Xen could be tricked into thinking that the feature + was unavailable. However, if enabled, Xen will no longer boot on + any CPU which is lacking NX support. + endmenu =20 source "common/Kconfig" diff --git a/xen/arch/x86/boot/head.S b/xen/arch/x86/boot/head.S index ce62eae6f3..ec1e80ef68 100644 --- a/xen/arch/x86/boot/head.S +++ b/xen/arch/x86/boot/head.S @@ -123,6 +123,7 @@ multiboot2_header: .Lbad_ldr_nih: .asciz "ERR: EFI ImageHandle is not provided by bootloader!" .Lbad_efi_msg: .asciz "ERR: EFI IA-32 platforms are not supported!" .Lbag_alg_msg: .asciz "ERR: Xen must be loaded at a 2Mb boundary!" +.Lno_nx_bit_msg: .asciz "ERR: Not an NX-bit capable CPU!" =20 .section .init.data, "aw", @progbits .align 4 @@ -151,6 +152,11 @@ not_multiboot: .Lnot_aligned: add $sym_offs(.Lbag_alg_msg),%esi # Error message jmp .Lget_vtb +#ifdef CONFIG_REQUIRE_NX +.Lno_nx_bit: + add $sym_offs(.Lno_nx_bit_msg),%esi + jmp .Lget_vtb +#endif .Lmb2_no_st: /* * Here we are on EFI platform. vga_text_buffer was zapped earlier 
@@ -651,7 +657,12 @@ trampoline_setup: bt $cpufeat_bit(X86_FEATURE_LM),%edx jnc .Lbad_cpu =20 - /* Check for NX */ + /* + * Check for NX + * - If Xen was compiled requiring it simply assert it's + * supported. The trampoline already has the right constant. + * - Otherwise, update the trampoline EFER mask accordingly. + */ bt $cpufeat_bit(X86_FEATURE_NX), %edx jc .Lhas_nx_bit =20 @@ -697,9 +708,11 @@ trampoline_setup: jnc .Lno_nx_bit =20 .Lhas_nx_bit: +#ifndef CONFIG_REQUIRE_NX /* Adjust EFER is NX is present */ orb $EFER_NXE >> 8, 1 + sym_esi(trampoline_efer) .Lno_nx_bit: +#endif =20 /* Stash TSC to calculate a good approximation of time-since-boot = */ rdtsc diff --git a/xen/arch/x86/boot/trampoline.S b/xen/arch/x86/boot/trampoline.S index c6005fa33d..b8ab0ffdcb 100644 --- a/xen/arch/x86/boot/trampoline.S +++ b/xen/arch/x86/boot/trampoline.S @@ -147,7 +147,8 @@ GLOBAL(trampoline_misc_enable_off) =20 /* EFER OR-mask for boot paths. SCE conditional on PV support, NX added w= hen available. */ GLOBAL(trampoline_efer) - .long EFER_LME | (EFER_SCE * IS_ENABLED(CONFIG_PV)) + .long EFER_LME | (EFER_SCE * IS_ENABLED(CONFIG_PV)) | \ + (EFER_NXE * IS_ENABLED(CONFIG_REQUIRE_NX)) =20 GLOBAL(trampoline_xen_phys_start) .long 0 diff --git a/xen/arch/x86/efi/efi-boot.h b/xen/arch/x86/efi/efi-boot.h index c94e53d139..84700559bb 100644 --- a/xen/arch/x86/efi/efi-boot.h +++ b/xen/arch/x86/efi/efi-boot.h @@ -751,6 +751,15 @@ static void __init efi_arch_cpu(void) { caps[FEATURESET_e1d] =3D cpuid_edx(0x80000001); =20 + /* + * This check purposefully doesn't use cpu_has_nx because + * cpu_has_nx bypasses the boot_cpu_data read if Xen was compiled + * with CONFIG_REQUIRE_NX + */ + if ( IS_ENABLED(CONFIG_REQUIRE_NX) && + !boot_cpu_has(X86_FEATURE_NX) ) + blexit(L"This Xen build requires NX bit support."); + if ( cpu_has_nx ) trampoline_efer |=3D EFER_NXE; } diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/a= sm/cpufeature.h index ace31e3b1f..610532da43 100644 
--- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h 
@@ -91,7 +91,8 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_hypervisor boot_cpu_has(X86_FEATURE_HYPERVISOR) =20 /* CPUID level 0x80000001.edx */ -#define cpu_has_nx boot_cpu_has(X86_FEATURE_NX) +#define cpu_has_nx (IS_ENABLED(CONFIG_REQUIRE_NX) || \ + boot_cpu_has(X86_FEATURE_NX)) #define cpu_has_page1gb boot_cpu_has(X86_FEATURE_PAGE1GB) #define cpu_has_rdtscp boot_cpu_has(X86_FEATURE_RDTSCP) #define cpu_has_3dnow_ext boot_cpu_has(X86_FEATURE_3DNOWEXT) --=20 2.34.1
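
Review bot: The .Lno_nx_bit_msg string in the @@ -123 hunk of head.S is added unconditionally, but its only user, the .Lno_nx_bit error stub in the @@ -151 hunk, is inside "#ifdef CONFIG_REQUIRE_NX". Wrapping the string in the same #ifdef keeps builds without the option from carrying an unused message.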
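
Review bot: After the @@ -697 hunk of head.S, .Lno_nx_bit means "carry on booting without NX" when CONFIG_REQUIRE_NX is off and "print an error and halt" when it is on, because the label is compiled out here and defined in the error block instead. The jnz/jnc sites that target it read identically in both builds, so a distinct label for the fatal path, or a comment at .Lhas_nx_bit saying where .Lno_nx_bit lives under CONFIG_REQUIRE_NX, would make the control flow easier to audit. The context comment "Adjust EFER is NX is present" still has the is/if typo.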
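
Review bot: In the efi_arch_cpu() hunk of efi-boot.h, nothing visible clears XD_DISABLE before "!boot_cpu_has(X86_FEATURE_NX)" is evaluated, whereas the head.S path from patch 1 clears it and re-probes CPUID first. Is an EFI boot on an Intel machine whose firmware left XD_DISABLE set expected to hit blexit() here even though NX is present? If so, the Kconfig help should say it; if not, this path needs the same MSR handling. The new comment also lacks its closing full stop.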
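
Review bot: The cpu_has_nx definition in the cpufeature.h hunk becomes a constant 1 under CONFIG_REQUIRE_NX with no comment at the macro saying where the matching boot-time assertion is made. Please add a short note pointing at the checks in head.S and efi-boot.h, so that anyone adding a new boot entry path knows the constant is only sound once NX has been verified there.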
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu, Alejandro Vallejo
Subject: [PATCH 0.5/2] x86/boot: Clean up early error asm
Date: Fri, 16 Jun 2023 19:23:03 +0100
Message-ID: <20230616182303.3546262-1-andrew.cooper3@citrix.com>
In-Reply-To: <20230615153157.444-1-alejandro.vallejo@cloud.com>

The asm forming early error handling is a mix of local and non-local symbols,
and has some pointless comments. Drop the "# Error message" comments,
tweaking the style on modified lines, and make the symbols local.

However, leave behind one real symbol so this logic disassembles nicely
without merging in to acpi_boot_init(), which is the thing that happens to be
immediately prior in my build.

No functional change.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
CC: Alejandro Vallejo

Done in order to simplify Alejandro's NX series a little.
---
 xen/arch/x86/boot/head.S | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/xen/arch/x86/boot/head.S b/xen/arch/x86/boot/head.S index 09bebf8635d0..d52dbc752e29 100644 --- a/xen/arch/x86/boot/head.S +++ b/xen/arch/x86/boot/head.S
@@ -142,25 +142,27 @@ efi_platform: =20 .section .init.text, "ax", @progbits =20 -bad_cpu: - add $sym_offs(.Lbad_cpu_msg),%esi # Error message +early_error: + +.Lbad_cpu: + add $sym_offs(.Lbad_cpu_msg), %esi jmp .Lget_vtb -not_multiboot: - add $sym_offs(.Lbad_ldr_msg),%esi # Error message +.Lnot_multiboot: + add $sym_offs(.Lbad_ldr_msg), %esi jmp .Lget_vtb .Lnot_aligned: - add $sym_offs(.Lbag_alg_msg),%esi # Error message + add $sym_offs(.Lbag_alg_msg), %esi jmp .Lget_vtb .Lmb2_no_st: /* * Here we are on EFI platform. vga_text_buffer was zapped earlier * because there is pretty good chance that VGA is unavailable. */ - add $sym_offs(.Lbad_ldr_nst),%esi # Error message + add $sym_offs(.Lbad_ldr_nst), %esi jmp .Lget_vtb .Lmb2_no_ih: /* Ditto. */ - add $sym_offs(.Lbad_ldr_nih),%esi # Error message + add $sym_offs(.Lbad_ldr_nih), %esi jmp .Lget_vtb .Lmb2_no_bs: /* @@ -168,7 +170,7 @@ not_multiboot: * via start label. Then reliable vga_text_buffer zap is impossible * in Multiboot2 scanning loop and we have to zero %edi below. */ - add $sym_offs(.Lbad_ldr_nbs),%esi # Error message + add $sym_offs(.Lbad_ldr_nbs), %esi xor %edi,%edi # No VGA text buffer jmp .Lprint_err .Lmb2_efi_ia_32: @@ -176,11 +178,11 @@ not_multiboot: * Here we are on EFI IA-32 platform. Then reliable vga_text_buffe= r zap is * impossible in Multiboot2 scanning loop and we have to zero %edi= below. */ - add $sym_offs(.Lbad_efi_msg),%esi # Error message + add $sym_offs(.Lbad_efi_msg), %esi xor %edi,%edi # No VGA text buffer jmp .Lprint_err .Lget_vtb: - mov sym_esi(vga_text_buffer),%edi + mov sym_esi(vga_text_buffer), %edi .Lprint_err: lodsb test %al,%al # Terminate on '\0' sentinel @@ -202,6 +204,9 @@ not_multiboot: .Lhalt: hlt jmp .Lhalt =20 + .size early_error, . - early_error + .type early_error, @function + .code64 =20 __efi64_mb2_start: 
@@ -221,8 +226,8 @@ __efi64_mb2_start: cmp $MULTIBOOT2_BOOTLOADER_MAGIC,%eax je .Lefi_multiboot2_proto =20 - /* Jump to not_multiboot after switching CPU to x86_32 mode. */ - lea not_multiboot(%rip),%r15 + /* Jump to .Lnot_multiboot after switching CPU to x86_32 mode. */ + lea .Lnot_multiboot(%rip), %r15 jmp x86_32_switch =20 .Lefi_multiboot2_proto: @@ -464,7 +469,7 @@ __start: =20 /* Check for Multiboot bootloader. */ cmp $MULTIBOOT_BOOTLOADER_MAGIC,%eax - jne not_multiboot + jne .Lnot_multiboot =20 /* Get mem_lower from Multiboot information. */ testb $MBI_MEMLIMITS,MB_flags(%ebx) @@ -655,7 +660,7 @@ trampoline_setup: =20 /* Check for availability of long mode. */ bt $cpufeat_bit(X86_FEATURE_LM),%edx - jnc bad_cpu + jnc .Lbad_cpu =20 /* Stash TSC to calculate a good approximation of time-since-boot = */ rdtsc --=20 2.30.2
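
Review bot: early_error is introduced at the top of the @@ -142 hunk purely so the block disassembles under its own name, but that reason lives only in the commit message; a one-line comment above "early_error:" would stop someone from making it local again later. "mov sym_esi(vga_text_buffer), %edi" is changed for whitespace only, which goes beyond the stated "tweaking the style on modified lines". [PATCH v2 1/2] starts from the same head.S blob (09bebf8635) and also renames bad_cpu, so it will need rebasing on top of this patch.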