author | Jan Beulich <jbeulich@suse.com> | 2012-09-20 10:53:43 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2012-09-20 10:53:43 +0200 |
commit | 56960fd1bcec88af07a88d78ccfa3a32d78928ff (patch) | |
tree | f64e794e9f02fa41fbf3bc3c7878b50ced6bf4c8 | |
parent | 4f3e421670424fafa21810340a4498138404b923 (diff) | |
x86-64: refine the XSA-9 fix
Our product management wasn't happy with the "solution" for XSA-9, and
demanded that customer systems must continue to boot. Rather than
having our and perhaps other distros carry non-trivial patches, allow
for more fine-grained control (panic on boot, deny guest creation, or
merely warn) by means of a single-line change.
Also, as this was found to be a problem with remotely managed systems,
don't default to boot denial (just deny guest creation).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
xen-unstable changeset: 25765:e6ca45ca03c2
xen-unstable date: Mon Aug 20 06:46:47 UTC 2012
-rw-r--r-- | xen/arch/x86/cpu/amd.c | 16 | ||||
-rw-r--r-- | xen/arch/x86/domain.c | 15 | ||||
-rw-r--r-- | xen/include/asm-x86/amd.h | 2 |
3 files changed, 31 insertions, 2 deletions
diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
index d3a44703ee..1e370185cd 100644
--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -32,8 +32,11 @@ static char opt_famrev[14];
 string_param("cpuid_mask_cpu", opt_famrev);
-static int opt_allow_unsafe;
+#ifdef __x86_64__
+/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */
+int __read_mostly opt_allow_unsafe;
 boolean_param("allow_unsafe", opt_allow_unsafe);
+#endif
 static inline void wrmsr_amd(unsigned int index, unsigned int lo, unsigned int hi)
@@ -623,10 +626,19 @@ static void __devinit init_amd(struct cpuinfo_x86 *c)
 clear_bit(X86_FEATURE_MCE, c->x86_capability);
 #ifdef __x86_64__
- if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
+ if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121))
+ opt_allow_unsafe = 1;
+ else if (opt_allow_unsafe < 0)
 panic("Xen will not boot on this CPU for security reasons.\n" "Pass \"allow_unsafe\" if you're trusting all your" " (PV) guest kernels.\n");
+ else if (!opt_allow_unsafe && c == &boot_cpu_data)
+ printk(KERN_WARNING
+ "*** Xen will not allow creation of DomU-s on"
+ " this CPU for security reasons. ***\n"
+ KERN_WARNING
+ "*** Pass \"allow_unsafe\" if you're trusting"
+ " all your (PV) guest kernels. ***\n");
 /* AMD CPUs do not support SYSENTER outside of legacy mode. */
 clear_bit(X86_FEATURE_SEP, c->x86_capability);
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 7df6d83b1e..4009a60e6d 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -52,6 +52,7 @@
 #include <asm/traps.h>
 #include <asm/nmi.h>
 #include <asm/mce.h>
+#include <asm/amd.h>
 #include <xen/numa.h>
 #include <xen/iommu.h>
 #ifdef CONFIG_COMPAT
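Review bot: In the init_amd hunk the new `opt_allow_unsafe = 1;` overwrites the compiled-in or command-line policy from a per-CPU path, so any CPU that is initialised without erratum 121 flips the global to "allow" for every later check, including the boot_cpu_data-keyed test this commit adds in arch_domain_create; on homogeneous hardware that is harmless, but it deserves a comment such as `/* No erratum on this CPU: drop the restriction (assumes all CPUs are alike). */`. The new header comment also documents `-1 = don't allow boot`, yet the variable is registered through `boolean_param`, which as far as I can tell only stores 0 or 1, so the panic mode is reachable only by editing the initialiser; suggest making that explicit: `/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot (build-time default only; the allow_unsafe option sets 0 or 1) */`. init_amd's body begins and ends outside the hunk.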
@@ -457,6 +458,20 @@ int arch_domain_create(struct domain *d, unsigned int domcr_flags)
 #else /* __x86_64__ */
+ if ( d->domain_id && !is_idle_domain(d) &&
+ cpu_has_amd_erratum(&boot_cpu_data, AMD_ERRATUM_121) )
+ {
+ if ( !opt_allow_unsafe )
+ {
+ printk(XENLOG_G_ERR "Xen does not allow DomU creation on this CPU"
+ " for security reasons.\n");
+ return -EPERM;
+ }
+ printk(XENLOG_G_WARNING
+ "Dom%d may compromise security on this CPU.\n",
+ d->domain_id);
+ }
+
 BUILD_BUG_ON(PDPT_L2_ENTRIES * sizeof(*d->arch.mm_perdomain_pt_pages) != PAGE_SIZE);
 pg = alloc_domheap_page(NULL, MEMF_node(domain_to_node(d)));
diff --git a/xen/include/asm-x86/amd.h b/xen/include/asm-x86/amd.h
index 44d60f4944..c21a739949 100644
--- a/xen/include/asm-x86/amd.h
+++ b/xen/include/asm-x86/amd.h
@@ -151,6 +151,8 @@ struct cpuinfo_x86;
 int cpu_has_amd_erratum(const struct cpuinfo_x86 *, int, ...);
 #ifdef __x86_64__
+extern int opt_allow_unsafe;
+
 void fam10h_check_enable_mmcfg(void);
 void check_enable_amd_mmconf_dmi(void);
 #endif
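Review bot: The denial path added to arch_domain_create logs that creation is refused but, unlike the boot-time warning in amd.c, does not say which control lifts the refusal, and the toolstack side only sees -EPERM; suggest `printk(XENLOG_G_ERR "Xen does not allow DomU creation on this CPU for security reasons (pass \"allow_unsafe\" to override).\n");`. The check is keyed on `boot_cpu_data` alone, while init_amd evaluates the erratum per CPU, so the two agree only when all CPUs are alike; a one-line comment above the `if` stating that assumption, e.g. `/* Erratum 121 is checked on the boot CPU only; all CPUs are assumed alike. */`, would help the next reader. arch_domain_create's body begins and ends outside the hunk.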