From: Jan Kiszka <jan.kis...@siemens.com>

Foreshadow(-NG) has been published, and while we are already pretty well
hardened by avoiding sharing cores and by hiding sensitive data of
remote cells when running in hypervisor mode, we can and probably should
do better: A key aspect of CVE-2018-3620 and CVE-2018-3646 is that Intel
CPUs ignore the present bit when speculatively using PTEs. Therefore, a
simple and practically cost-free mitigation is to ensure that
non-present page table entries point to non-present physical addresses.
We can easily achieve that by folding invalid address bits into
PAGE_NONPRESENT_FLAGS.

This change primarily affects the hiding of the per-CPU mappings in the
hypervisor address space after setup.

Signed-off-by: Jan Kiszka <jan.kis...@siemens.com>
---

Another mitigation measure we should look into is flushing caches after
setup or reconfiguration. Possibly, we already do this, but it needs a
second check. And then it looks like we are safe according to the
assumption described in Documentation/memory-layout.txt (no physical
core sharing between different cells).

 hypervisor/arch/x86/include/asm/paging.h | 7 ++++++-
 hypervisor/arch/x86/paging.c             | 1 -
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/hypervisor/arch/x86/include/asm/paging.h b/hypervisor/arch/x86/include/asm/paging.h
index 05bb2808..ef614b02 100644
--- a/hypervisor/arch/x86/include/asm/paging.h
+++ b/hypervisor/arch/x86/include/asm/paging.h
@@ -14,6 +14,7 @@
 #define _JAILHOUSE_ASM_PAGING_H
 
 #include <jailhouse/types.h>
+#include <jailhouse/utils.h>
 #include <asm/processor.h>
 
 #define PAGE_SHIFT             12
@@ -33,7 +34,11 @@
 #define PAGE_DEFAULT_FLAGS     (PAGE_FLAG_PRESENT | PAGE_FLAG_RW)
 #define PAGE_READONLY_FLAGS    PAGE_FLAG_PRESENT
 #define PAGE_PRESENT_FLAGS     PAGE_FLAG_PRESENT
-#define PAGE_NONPRESENT_FLAGS  0
+/*
+ * Set the higher physical address bits so that non-present mappings point to a
+ * non-existing physical address, hardening against the L1TF disaster.
+ */
+#define PAGE_NONPRESENT_FLAGS  (INVALID_PHYS_ADDR & BIT_MASK(51, 30))
 
 #define INVALID_PHYS_ADDR      (~0UL)
 
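Review bot: PAGE_NONPRESENT_FLAGS now references INVALID_PHYS_ADDR, which is only defined two lines below it; that compiles because macro bodies are expanded at the use site, but moving `#define INVALID_PHYS_ADDR (~0UL)` above the new definition would make the dependency visible. Since INVALID_PHYS_ADDR is `~0UL`, `INVALID_PHYS_ADDR & BIT_MASK(51, 30)` is simply BIT_MASK(51, 30); the AND documents intent, which is fine, but the comment should then also say why the range starts at bit 30 rather than 12 (so that the same flag word stays within the address field of 4K, 2M and 1G entries?) and that the folded-in bits only help on cores whose physical address width places them outside backed memory.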
diff --git a/hypervisor/arch/x86/paging.c b/hypervisor/arch/x86/paging.c
index 8c9c8b88..272ee1e2 100644
--- a/hypervisor/arch/x86/paging.c
+++ b/hypervisor/arch/x86/paging.c
@@ -12,7 +12,6 @@
 
 #include <jailhouse/paging.h>
 #include <jailhouse/string.h>
-#include <jailhouse/utils.h>
 #include <asm/vcpu.h>
 
 #define X86_FLAG_HUGEPAGE      0x80
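Review bot: dropping `#include <jailhouse/utils.h>` from paging.c now relies on the header arriving transitively through asm/paging.h. If paging.c uses any other helper from utils.h, keeping the explicit include costs nothing with the include guard and keeps the file self-describing should the header dependency be reshuffled later.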
-- 
2.16.4
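As an added example that is not part of this patch or of Jailhouse, the following C program reproduces the mitigation the commit message describes (folding invalid address bits into the flag word used for non-present entries) and audits a constructed page table for non-present entries whose address field still lands in backed RAM. The BIT_MASK(high, low) argument order, the ULL types, the physical addresses, the RAM size and the rule that a core drops address bits above its physical address width are all assumptions made for this example.

```c
/*
 * Added example, not Jailhouse code: rebuild PAGE_NONPRESENT_FLAGS as in the
 * patch and audit a page table for non-present entries whose address field
 * still selects backed memory.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed to match Jailhouse's BIT_MASK(high, low): bits low..high inclusive. */
#define BIT_MASK(high, low)	((~0ULL >> (63 - (high))) & (~0ULL << (low)))

#define PAGE_FLAG_PRESENT		0x01ULL
#define INVALID_PHYS_ADDR		(~0ULL)
#define PAGE_NONPRESENT_FLAGS_OLD	0ULL	/* value before the patch */
#define PAGE_NONPRESENT_FLAGS		(INVALID_PHYS_ADDR & BIT_MASK(51, 30)) /* after */

/* Physical address field of a 4K page-table entry (bits 12..51). */
#define PTE_ADDR_MASK		BIT_MASK(51, 12)

struct phys_layout {
	unsigned addr_bits;	/* physical address bits the core honours (assumption) */
	uint64_t ram_top;	/* one past the highest backed physical address (constructed) */
};

/* An entry is built the Jailhouse way: physical address ORed with the flags. */
static uint64_t make_entry(uint64_t phys, uint64_t flags)
{
	return (phys & PTE_ADDR_MASK) | flags;
}

/*
 * Conservative assumption: for a non-present entry the core ignores the
 * present bit and drops address bits above addr_bits, so the entry is
 * exposed to an L1TF-style speculative load if what remains lies in RAM.
 */
static bool pte_l1tf_exposed(uint64_t pte, const struct phys_layout *pl)
{
	uint64_t addr;

	if (pte & PAGE_FLAG_PRESENT)
		return false;	/* present entries are legitimately reachable */
	addr = pte & PTE_ADDR_MASK;
	if (pl->addr_bits < 64)
		addr &= (1ULL << pl->addr_bits) - 1;
	return addr < pl->ram_top;
}

/* Count exposed entries in a table of n entries. */
static size_t audit_table(const uint64_t *table, size_t n,
			  const struct phys_layout *pl)
{
	size_t exposed = 0;

	for (size_t i = 0; i < n; i++)
		if (pte_l1tf_exposed(table[i], pl))
			exposed++;
	return exposed;
}

/*
 * Constructed scenario: four per-CPU pages at physical 16 MiB are hidden after
 * setup by clearing the present bit, using either the old or the new flag word.
 */
static size_t demo_exposed(bool hardened, unsigned addr_bits, uint64_t ram_top)
{
	uint64_t flags = hardened ? PAGE_NONPRESENT_FLAGS : PAGE_NONPRESENT_FLAGS_OLD;
	struct phys_layout pl = { addr_bits, ram_top };
	uint64_t table[4];

	for (size_t i = 0; i < 4; i++)
		table[i] = make_entry(0x1000000ULL + i * 0x1000, flags);
	return audit_table(table, 4, &pl);
}

int main(void)
{
	printf("old flags, 46-bit core, 16 GiB RAM: %zu exposed\n",
	       demo_exposed(false, 46, 16ULL << 30));
	printf("new flags, 46-bit core, 16 GiB RAM: %zu exposed\n",
	       demo_exposed(true, 46, 16ULL << 30));
	/* Edge case: a 36-bit core with all 64 GiB populated keeps only bits 30..35. */
	printf("new flags, 36-bit core, 64 GiB RAM: %zu exposed\n",
	       demo_exposed(true, 36, 64ULL << 30));
	return 0;
}
```

The third scenario is the caveat a reviewer would want on record: with the address width truncated to 36 bits (the assumption above), only bits 30..35 of the folded-in mask survive, so the hidden entries point at the top gigabyte of a fully populated 64 GiB machine and the audit still flags them. On a core with a wider physical address the same entries land far above any backed memory and the count drops to zero.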
