patchbot at xen
Aug 20, 2012, 2:22 PM
Post #1 of 1
(30 views)
Permalink
|
|
[xen-unstable] x86-64: refine the XSA-9 fix
|
|
# HG changeset patch
# User Jan Beulich <jbeulich [at] suse>
# Date 1345445207 -7200
# Node ID e6ca45ca03c2e08af3a74b404166527b68fd1218
# Parent 4b0d263008cdf4585fe30ec2847b0a810db12354
x86-64: refine the XSA-9 fix
Our product management wasn't happy with the "solution" for XSA-9, and
demanded that customer systems must continue to boot. Rather than
having our and perhaps other distros carry non-trivial patches, allow
for more fine grained control (panic on boot, deny guest creation, or
merely warn) by means of a single line change.
Also, as this was found to be a problem with remotely managed systems,
don't default to boot denial (just deny guest creation).
Signed-off-by: Jan Beulich <jbeulich [at] suse>
Acked-by: Keir Fraser <keir [at] xen>
---
diff -r 4b0d263008cd -r e6ca45ca03c2 xen/arch/x86/cpu/amd.c
--- a/xen/arch/x86/cpu/amd.c Mon Aug 20 08:40:01 2012 +0200
+++ b/xen/arch/x86/cpu/amd.c Mon Aug 20 08:46:47 2012 +0200
@@ -32,8 +32,11 @@
static char opt_famrev[14];
string_param("cpuid_mask_cpu", opt_famrev);
-static bool_t opt_allow_unsafe;
+#ifdef __x86_64__
+/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */
+s8 __read_mostly opt_allow_unsafe;
boolean_param("allow_unsafe", opt_allow_unsafe);
+#endif
static inline void wrmsr_amd(unsigned int index, unsigned int lo,
unsigned int hi)
@@ -496,10 +499,19 @@ static void __devinit init_amd(struct cp
clear_bit(X86_FEATURE_MWAIT, c->x86_capability);
#ifdef __x86_64__
- if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
+ if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121))
+ opt_allow_unsafe = 1;
+ else if (opt_allow_unsafe < 0)
panic("Xen will not boot on this CPU for security reasons.\n"
"Pass \"allow_unsafe\" if you're trusting all your"
" (PV) guest kernels.\n");
+ else if (!opt_allow_unsafe && c == &boot_cpu_data)
+ printk(KERN_WARNING
+ "*** Xen will not allow creation of DomU-s on"
+ " this CPU for security reasons. ***\n"
+ KERN_WARNING
+ "*** Pass \"allow_unsafe\" if you're trusting"
+ " all your (PV) guest kernels. ***\n");
/* AMD CPUs do not support SYSENTER outside of legacy mode. */
clear_bit(X86_FEATURE_SEP, c->x86_capability);
diff -r 4b0d263008cd -r e6ca45ca03c2 xen/arch/x86/domain.c
--- a/xen/arch/x86/domain.c Mon Aug 20 08:40:01 2012 +0200
+++ b/xen/arch/x86/domain.c Mon Aug 20 08:46:47 2012 +0200
@@ -55,6 +55,7 @@
#include <asm/traps.h>
#include <asm/nmi.h>
#include <asm/mce.h>
+#include <asm/amd.h>
#include <xen/numa.h>
#include <xen/iommu.h>
#ifdef CONFIG_COMPAT
@@ -531,6 +532,20 @@ int arch_domain_create(struct domain *d,
#else /* __x86_64__ */
+ if ( d->domain_id && !is_idle_domain(d) &&
+ cpu_has_amd_erratum(&boot_cpu_data, AMD_ERRATUM_121) )
+ {
+ if ( !opt_allow_unsafe )
+ {
+ printk(XENLOG_G_ERR "Xen does not allow DomU creation on this CPU"
+ " for security reasons.\n");
+ return -EPERM;
+ }
+ printk(XENLOG_G_WARNING
+ "Dom%d may compromise security on this CPU.\n",
+ d->domain_id);
+ }
+
BUILD_BUG_ON(PDPT_L2_ENTRIES * sizeof(*d->arch.mm_perdomain_pt_pages)
!= PAGE_SIZE);
pg = alloc_domheap_page(NULL, MEMF_node(domain_to_node(d)));
diff -r 4b0d263008cd -r e6ca45ca03c2 xen/include/asm-x86/amd.h
--- a/xen/include/asm-x86/amd.h Mon Aug 20 08:40:01 2012 +0200
+++ b/xen/include/asm-x86/amd.h Mon Aug 20 08:46:47 2012 +0200
@@ -147,6 +147,8 @@ struct cpuinfo_x86;
int cpu_has_amd_erratum(const struct cpuinfo_x86 *, int, ...);
#ifdef __x86_64__
+extern s8 opt_allow_unsafe;
+
void fam10h_check_enable_mmcfg(void);
void check_enable_amd_mmconf_dmi(void);
#endif
_______________________________________________
Xen-changelog mailing list
Xen-changelog [at] lists
http://lists.xensource.com/xen-changelog
|
