>>> On 22.01.18 at 15:18, <jgr...@suse.com> wrote: > On 22/01/18 13:50, Jan Beulich wrote: >>>>> On 22.01.18 at 13:32, <jgr...@suse.com> wrote: >>> As a preparation for doing page table isolation in the Xen hypervisor >>> in order to mitigate "Meltdown" use dedicated stacks, GDT and TSS for >>> 64 bit PV domains mapped to the per-domain virtual area. >>> >>> The per-vcpu stacks are used for early interrupt handling only. After >>> saving the domain's registers stacks are switched back to the normal >>> per physical cpu ones in order to be able to address on-stack data >>> from other cpus e.g. while handling IPIs. >>> >>> Adding %cr3 switching between saving of the registers and switching >>> the stacks will enable the possibility to run guest code without any >>> per physical cpu mapping, i.e. avoiding the threat of a guest being >>> able to access other domains data. >>> >>> Without any further measures it will still be possible for e.g. a >>> guest's user program to read stack data of another vcpu of the same >>> domain, but this can be easily avoided by a little PV-ABI modification >>> introducing per-cpu user address spaces. >>> >>> This series is meant as a replacement for Andrew's patch series: >>> "x86: Prerequisite work for a Xen KAISER solution". >> >> Considering in particular the two reverts, what I'm missing here >> is a clear description of the meaningful additional protection this >> approach provides over the band-aid. For context see also >> https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01735.html > > My approach supports mapping only the following data while the guest is > running (apart form the guest's own data, of course): > > - the per-vcpu entry stacks of the domain which will contain only the > guest's registers saved when an interrupt occurs > - the per-vcpu GDTs and TSSs of the domain > - the IDT > - the interrupt handler code (arch/x86/x86_64/[compat/]entry.S > > All other hypervisor data and code can be completely hidden from the > guests.
I understand that. What I'm not clear about is: Which parts of the additionally hidden data are actually necessary (or at least very desirable) to hide? Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel