

[pkgsrc/trunk]: pkgsrc/sysutils/xenkernel413 Add upstream patch for XSA351. B...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/312c4acf5fe7
branches:  trunk
changeset: 441865:312c4acf5fe7
user:      bouyer <bouyer%pkgsrc.org@localhost>
date:      Thu Nov 12 10:34:41 2020 +0000

description:
Add upstream patch for XSA351. Bump PKGREVISION

diffstat:

 sysutils/xenkernel413/Makefile             |    4 +-
 sysutils/xenkernel413/distinfo             |    3 +-
 sysutils/xenkernel413/patches/patch-XSA351 |  285 +++++++++++++++++++++++++++++
 3 files changed, 289 insertions(+), 3 deletions(-)

diffs (truncated from 318 to 300 lines):

diff -r 423baf94c863 -r 312c4acf5fe7 sysutils/xenkernel413/Makefile
--- a/sysutils/xenkernel413/Makefile    Thu Nov 12 10:33:44 2020 +0000
+++ b/sysutils/xenkernel413/Makefile    Thu Nov 12 10:34:41 2020 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.7 2020/11/06 21:45:49 bouyer Exp $
+# $NetBSD: Makefile,v 1.8 2020/11/12 10:34:41 bouyer Exp $
 
 VERSION=       4.13.2
-#PKGREVISION=  0
+PKGREVISION=   1
 DISTNAME=      xen-${VERSION}
 PKGNAME=       xenkernel413-${VERSION}
 CATEGORIES=    sysutils
diff -r 423baf94c863 -r 312c4acf5fe7 sysutils/xenkernel413/distinfo
--- a/sysutils/xenkernel413/distinfo    Thu Nov 12 10:33:44 2020 +0000
+++ b/sysutils/xenkernel413/distinfo    Thu Nov 12 10:34:41 2020 +0000
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.5 2020/11/06 21:45:49 bouyer Exp $
+$NetBSD: distinfo,v 1.6 2020/11/12 10:34:41 bouyer Exp $
 
 SHA1 (xen413/xen-4.13.2.tar.gz) = d514f1de9582c58676420bb2c9fb1c765b44fbff
 RMD160 (xen413/xen-4.13.2.tar.gz) = 96727c20bd84338f8c67c7c584c01ef877bbcb18
 SHA512 (xen413/xen-4.13.2.tar.gz) = cd3092281c97e9421e303aa288aac04dcccd5536ba7c0ff4d51fbf3d07b5ffacfe3456ba06f5cf63577dafbf8cf3a5d9825ceb5e9ef8ca1427900cc3e57b50a3
 Size (xen413/xen-4.13.2.tar.gz) = 39037826 bytes
 SHA1 (patch-Config.mk) = 9372a09efd05c9fbdbc06f8121e411fcb7c7ba65
+SHA1 (patch-XSA351) = edb0975ab0aa53d7a0ae7816fe170a081eea695e
 SHA1 (patch-xen_Makefile) = 465388d80de414ca3bb84faefa0f52d817e423a6
 SHA1 (patch-xen_Rules.mk) = c743dc63f51fc280d529a7d9e08650292c171dac
 SHA1 (patch-xen_arch_x86_Rules.mk) = 0bedfc53a128a87b6a249ae04fbdf6a053bfb70b
diff -r 423baf94c863 -r 312c4acf5fe7 sysutils/xenkernel413/patches/patch-XSA351
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel413/patches/patch-XSA351        Thu Nov 12 10:34:41 2020 +0000
@@ -0,0 +1,285 @@
+$NetBSD: patch-XSA351,v 1.1 2020/11/12 10:34:41 bouyer Exp $
+
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau%citrix.com@localhost>
+Subject: x86/msr: fix handling of MSR_IA32_PERF_{STATUS/CTL}
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently a PV hardware domain can also be given control over the CPU
+frequency, and such guest is allowed to write to MSR_IA32_PERF_CTL.
+However since commit 322ec7c89f6 the default behavior has been changed
+to reject accesses to not explicitly handled MSRs, preventing PV
+guests that manage CPU frequency from reading
+MSR_IA32_PERF_{STATUS/CTL}.
+
+Additionally some HVM guests (Windows at least) will attempt to read
+MSR_IA32_PERF_CTL and will panic if given back a #GP fault:
+
+  vmx.c:3035:d8v0 RDMSR 0x00000199 unimplemented
+  d8v0 VIRIDIAN CRASH: 3b c0000096 fffff806871c1651 ffffda0253683720 0
+
+Move the handling of MSR_IA32_PERF_{STATUS/CTL} to the common MSR
+handling shared between HVM and PV guests, and add an explicit case
+for reads to MSR_IA32_PERF_{STATUS/CTL}.
+
+Restore previous behavior and allow PV guests with the required
+permissions to read the contents of the mentioned MSRs. Non privileged
+guests will get 0 when trying to read those registers, as writes to
+MSR_IA32_PERF_CTL by such guest will already be silently dropped.
+
+Fixes: 322ec7c89f6 ('x86/pv: disallow access to unknown MSRs')
+Fixes: 84e848fd7a1 ('x86/hvm: disallow access to unknown MSRs')
+Signed-off-by: Roger Pau Monné <roger.pau%citrix.com@localhost>
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Roger Pau Monné <roger.pau%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+(cherry picked from commit 3059178798a23ba870ff86ff54d442a07e6651fc)
+
+diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c
+index 875ac39d30..8c969197aa 100644
+--- xen/arch/x86/msr.c.orig
++++ xen/arch/x86/msr.c
+@@ -208,6 +208,25 @@ int guest_rdmsr(struct vcpu *v, uint32_t msr, uint64_t *val)
+         *val = msrs->misc_features_enables.raw;
+         break;
+ 
++        /*
++         * These MSRs are not enumerated in CPUID.  They have been around
++         * since the Pentium 4, and implemented by other vendors.
++         *
++         * Some versions of Windows try reading these before setting up a #GP
++         * handler, and Linux has several unguarded reads as well.  Provide
++         * RAZ semantics, in general, but permit a cpufreq controller dom0 to
++         * have full access.
++         */
++    case MSR_IA32_PERF_STATUS:
++    case MSR_IA32_PERF_CTL:
++        if ( !(cp->x86_vendor & (X86_VENDOR_INTEL | X86_VENDOR_CENTAUR)) )
++            goto gp_fault;
++
++        *val = 0;
++        if ( likely(!is_cpufreq_controller(d)) || rdmsr_safe(msr, *val) == 0 )
++            break;
++        goto gp_fault;
++
+     case MSR_X2APIC_FIRST ... MSR_X2APIC_LAST:
+         if ( !is_hvm_domain(d) || v != curr )
+             goto gp_fault;
+@@ -305,6 +324,7 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
+     case MSR_INTEL_CORE_THREAD_COUNT:
+     case MSR_INTEL_PLATFORM_INFO:
+     case MSR_ARCH_CAPABILITIES:
++    case MSR_IA32_PERF_STATUS:
+         /* Read-only */
+     case MSR_TSX_FORCE_ABORT:
+     case MSR_TSX_CTRL:
+@@ -411,6 +431,21 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
+         break;
+     }
+ 
++        /*
++         * This MSR is not enumerated in CPUID.  It has been around since the
++         * Pentium 4, and implemented by other vendors.
++         *
++         * To match the RAZ semantics, implement as write-discard, except for
++         * a cpufreq controller dom0 which has full access.
++         */
++    case MSR_IA32_PERF_CTL:
++        if ( !(cp->x86_vendor & (X86_VENDOR_INTEL | X86_VENDOR_CENTAUR)) )
++            goto gp_fault;
++
++        if ( likely(!is_cpufreq_controller(d)) || wrmsr_safe(msr, val) == 0 )
++            break;
++        goto gp_fault;
++
+     case MSR_X2APIC_FIRST ... MSR_X2APIC_LAST:
+         if ( !is_hvm_domain(d) || v != curr )
+             goto gp_fault;
+diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
+index 42258c6bf1..6dc4f92a84 100644
+--- xen/arch/x86/pv/emul-priv-op.c.orig
++++ xen/arch/x86/pv/emul-priv-op.c
+@@ -776,12 +776,6 @@ static inline uint64_t guest_misc_enable(uint64_t val)
+     return val;
+ }
+ 
+-static inline bool is_cpufreq_controller(const struct domain *d)
+-{
+-    return ((cpufreq_controller == FREQCTL_dom0_kernel) &&
+-            is_hardware_domain(d));
+-}
+-
+ static int read_msr(unsigned int reg, uint64_t *val,
+                     struct x86_emulate_ctxt *ctxt)
+ {
+@@ -1026,14 +1020,6 @@ static int write_msr(unsigned int reg, uint64_t val,
+             return X86EMUL_OKAY;
+         break;
+ 
+-    case MSR_IA32_PERF_CTL:
+-        if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
+-            break;
+-        if ( likely(!is_cpufreq_controller(currd)) ||
+-             wrmsr_safe(reg, val) == 0 )
+-            return X86EMUL_OKAY;
+-        break;
+-
+     case MSR_IA32_THERM_CONTROL:
+     case MSR_IA32_ENERGY_PERF_BIAS:
+         if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL )
+diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
+index d6e27fc4b8..8bb5bd7b38 100644
+--- xen/include/xen/sched.h.orig
++++ xen/include/xen/sched.h
+@@ -1057,6 +1057,22 @@ extern enum cpufreq_controller {
+     FREQCTL_none, FREQCTL_dom0_kernel, FREQCTL_xen
+ } cpufreq_controller;
+ 
++static always_inline bool is_cpufreq_controller(const struct domain *d)
++{
++    /*
++     * A PV dom0 can be nominated as the cpufreq controller, instead of using
++     * Xen's cpufreq driver, at which point dom0 gets direct access to certain
++     * MSRs.
++     *
++     * This interface only works when dom0 is identity pinned and has the same
++     * number of vCPUs as pCPUs on the system.
++     *
++     * It would be far better to paravirtualise the interface.
++     */
++    return (is_pv_domain(d) && is_hardware_domain(d) &&
++            cpufreq_controller == FREQCTL_dom0_kernel);
++}
++
+ #define CPUPOOLID_NONE    -1
+ 
+ struct cpupool *cpupool_get_by_id(int poolid);
+From: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Subject: x86/msr: Disallow guest access to the RAPL MSRs
+
+Researchers have demonstrated using the RAPL interface to perform a
+differential power analysis attack to recover AES keys used by other cores in
+the system.
+
+Furthermore, even privileged guests cannot use this interface correctly, due
+to MSR scope and vcpu scheduling issues.  The interface would want to be
+paravirtualised to be used sensibly.
+
+Disallow access to the RAPL MSRs completely, as well as other MSRs which
+potentially access fine grain power information.
+
+This is part of XSA-351.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3%citrix.com@localhost>
+Reviewed-by: Jan Beulich <jbeulich%suse.com@localhost>
+
+diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c
+index 8c969197aa..8ab6949a8e 100644
+--- xen/arch/x86/msr.c.orig
++++ xen/arch/x86/msr.c
+@@ -152,11 +152,20 @@ int guest_rdmsr(struct vcpu *v, uint32_t msr, uint64_t *val)
+     case MSR_TSX_CTRL:
+     case MSR_MCU_OPT_CTRL:
+     case MSR_RTIT_OUTPUT_BASE ... MSR_RTIT_ADDR_B(7):
++    case MSR_RAPL_POWER_UNIT:
++    case MSR_PKG_POWER_LIMIT  ... MSR_PKG_POWER_INFO:
++    case MSR_DRAM_POWER_LIMIT ... MSR_DRAM_POWER_INFO:
++    case MSR_PP0_POWER_LIMIT  ... MSR_PP0_POLICY:
++    case MSR_PP1_POWER_LIMIT  ... MSR_PP1_POLICY:
++    case MSR_PLATFORM_ENERGY_COUNTER:
++    case MSR_PLATFORM_POWER_LIMIT:
+     case MSR_U_CET:
+     case MSR_S_CET:
+     case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE:
+     case MSR_AMD64_LWP_CFG:
+     case MSR_AMD64_LWP_CBADDR:
++    case MSR_F15H_CU_POWER ... MSR_F15H_CU_MAX_POWER:
++    case MSR_AMD_RAPL_POWER_UNIT ... MSR_AMD_PKG_ENERGY_STATUS:
+         /* Not offered to guests. */
+         goto gp_fault;
+ 
+@@ -330,11 +339,20 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
+     case MSR_TSX_CTRL:
+     case MSR_MCU_OPT_CTRL:
+     case MSR_RTIT_OUTPUT_BASE ... MSR_RTIT_ADDR_B(7):
++    case MSR_RAPL_POWER_UNIT:
++    case MSR_PKG_POWER_LIMIT  ... MSR_PKG_POWER_INFO:
++    case MSR_DRAM_POWER_LIMIT ... MSR_DRAM_POWER_INFO:
++    case MSR_PP0_POWER_LIMIT  ... MSR_PP0_POLICY:
++    case MSR_PP1_POWER_LIMIT  ... MSR_PP1_POLICY:
++    case MSR_PLATFORM_ENERGY_COUNTER:
++    case MSR_PLATFORM_POWER_LIMIT:
+     case MSR_U_CET:
+     case MSR_S_CET:
+     case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE:
+     case MSR_AMD64_LWP_CFG:
+     case MSR_AMD64_LWP_CBADDR:
++    case MSR_F15H_CU_POWER ... MSR_F15H_CU_MAX_POWER:
++    case MSR_AMD_RAPL_POWER_UNIT ... MSR_AMD_PKG_ENERGY_STATUS:
+         /* Not offered to guests. */
+         goto gp_fault;
+ 
+diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h
+index 0eb6855614..ba9e90af21 100644
+--- xen/include/asm-x86/msr-index.h.orig
++++ xen/include/asm-x86/msr-index.h
+@@ -96,6 +96,38 @@
+ /* Lower 6 bits define the format of the address in the LBR stack */
+ #define MSR_IA32_PERF_CAP_LBR_FORMAT  0x3f
+ 
++/*
++ * Intel Runtime Average Power Limiting (RAPL) interface.  Power plane base
++ * addresses (MSR_*_POWER_LIMIT) are model specific, but have so-far been
++ * consistent since their introduction in SandyBridge.
++ *
++ * Offsets of functionality from the power plane base is architectural, but
++ * not all power planes support all functionality.
++ */
++#define MSR_RAPL_POWER_UNIT           0x00000606
++
++#define MSR_PKG_POWER_LIMIT           0x00000610
++#define MSR_PKG_ENERGY_STATUS         0x00000611
++#define MSR_PKG_PERF_STATUS           0x00000613
++#define MSR_PKG_POWER_INFO            0x00000614
++
++#define MSR_DRAM_POWER_LIMIT          0x00000618
++#define MSR_DRAM_ENERGY_STATUS                0x00000619
++#define MSR_DRAM_PERF_STATUS          0x0000061b
++#define MSR_DRAM_POWER_INFO           0x0000061c
++
++#define MSR_PP0_POWER_LIMIT           0x00000638
++#define MSR_PP0_ENERGY_STATUS         0x00000639
++#define MSR_PP0_POLICY                        0x0000063a
++
++#define MSR_PP1_POWER_LIMIT           0x00000640
++#define MSR_PP1_ENERGY_STATUS         0x00000641
++#define MSR_PP1_POLICY                        0x00000642
++
++/* Intel Platform-wide power interface. */
++#define MSR_PLATFORM_ENERGY_COUNTER   0x0000064d
++#define MSR_PLATFORM_POWER_LIMIT      0x0000065c
++
+ #define MSR_IA32_BNDCFGS              0x00000d90
+ #define IA32_BNDCFGS_ENABLE           0x00000001
+ #define IA32_BNDCFGS_PRESERVE         0x00000002
+@@ -236,6 +268,8 @@
+ #define MSR_K8_VM_CR                  0xc0010114


