On 22/02/2019 21:58, Boris Ostrovsky wrote:
> On 2/22/19 4:13 PM, Andrew Cooper wrote:
>> vPMU isn't security supported, and in general guests can't access any of the
>> performance counter MSRs.  However, the RDPMC instruction isn't intercepted,
>> meaning that guest software can read the instantaneous counter values.
>>
>> When vPMU isn't configured, intercept RDPMC and unconditionally fail it as if
>> software has requested a bad counter index (#GP fault).  It is model specific
>> as to which counters are available to begin with, and in levelled scenarios,
>> this information may not be accurate in the first place.
>>
>> This change isn't expected to have any impact on VMs.  Userspace is not
>> usually given access to RDPMC (Windows appears to completely prohibit it; Linux
>> is restricted to root), and kernels won't be executing RDPMC instructions if
>> their PMU drivers have failed to start.
>>
>> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
>> ---
>> CC: Jan Beulich <jbeul...@suse.com>
>> CC: Wei Liu <wei.l...@citrix.com>
>> CC: Roger Pau Monné <roger....@citrix.com>
>> CC: Jun Nakajima <jun.nakaj...@intel.com>
>> CC: Kevin Tian <kevin.t...@intel.com>
>> CC: Boris Ostrovsky <boris.ostrov...@oracle.com>
>> CC: Suravee Suthikulpanit <suravee.suthikulpa...@amd.com>
>> CC: Brian Woods <brian.wo...@amd.com>
>> CC: Juergen Gross <jgr...@suse.com>
>>
>> This should be taken into Xen 4.12 and backported to the stable releases.
>> While it isn't an XSA itself, it is an information leak (Xen's NMI watchdog in
>> particular) which could be advantageous to an attacker trying to exploit a race
>> condition.
>>
>> The only other option is to emulate the reported family and offer back all 0's
>> for the accessible counters.  Obviously this is a non-starter.
> When VPMU is off MSR reads return zero.

That behaviour isn't long for this world.

> While it is debatable whether this is the right action, shouldn't rdpmc behave
> in the same fashion?

I specifically don't want to propagate the "let's complete with zero"
behaviour further, because it takes away #GP faults which the guest
would otherwise get.

~Andrew
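As an added example (not code from the patch, from the thread, or from Xen), here is a guest-side probe a practitioner could run to see from inside a VM what this change alters: it executes RDPMC for one counter index and reports whether the instruction completed, exposing the instantaneous counter value, or raised #GP. On Linux a #GP taken in user mode is delivered to the process as SIGSEGV, so the probe catches SIGSEGV and recovers with siglongjmp. The function names, the result enum and the choice of counter index 0 are assumptions of this example; which counter indices exist at all is model specific, as the patch description says.

```c
/*
 * Added example, not part of the Xen patch or the thread.  Probe whether
 * RDPMC completes (counter value visible to the guest) or raises #GP.  On
 * Linux a user-mode #GP arrives as SIGSEGV, which we catch and unwind from
 * with siglongjmp.  Counter index 0 is an assumed value for the demo.
 */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum rdpmc_result { RDPMC_OK = 0, RDPMC_FAULT = 1, RDPMC_UNSUPPORTED = 2 };

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_armed;

/* SIGSEGV handler: if a probe is in flight, unwind to it; else re-raise. */
static void probe_sigsegv(int sig)
{
    if (probe_armed) {
        probe_armed = 0;
        siglongjmp(probe_env, 1);
    }
    struct sigaction dfl;
    memset(&dfl, 0, sizeof(dfl));
    dfl.sa_handler = SIG_DFL;
    sigaction(sig, &dfl, NULL);
    raise(sig);
}

/*
 * Execute RDPMC for counter 'idx'.  Returns RDPMC_OK and stores the 64-bit
 * edx:eax result in *val, RDPMC_FAULT if the instruction raised #GP (seen
 * here as SIGSEGV), or RDPMC_UNSUPPORTED when not built for x86.
 */
enum rdpmc_result probe_rdpmc(uint32_t idx, uint64_t *val)
{
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old;
    enum rdpmc_result res;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = probe_sigsegv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return RDPMC_UNSUPPORTED;

    /* sigsetjmp(..., 1) saves the signal mask, so siglongjmp restores it. */
    if (sigsetjmp(probe_env, 1) == 0) {
        uint32_t lo, hi;
        probe_armed = 1;
        __asm__ volatile ("rdpmc" : "=a"(lo), "=d"(hi) : "c"(idx));
        probe_armed = 0;
        *val = ((uint64_t)hi << 32) | lo;
        res = RDPMC_OK;
    } else {
        res = RDPMC_FAULT;   /* #GP was raised and delivered as SIGSEGV */
    }

    sigaction(SIGSEGV, &old, NULL);  /* restore the caller's disposition */
    return res;
#else
    (void)idx; (void)val;
    return RDPMC_UNSUPPORTED;
#endif
}

/* Convenience wrapper when only the outcome, not the value, is of interest. */
enum rdpmc_result probe_rdpmc_classify(uint32_t idx)
{
    uint64_t unused = 0;
    return probe_rdpmc(idx, &unused);
}

int main(void)
{
    uint64_t v = 0;
    switch (probe_rdpmc(0, &v)) {
    case RDPMC_OK:
        printf("RDPMC 0 completed: 0x%016llx (counter state visible)\n",
               (unsigned long long)v);
        break;
    case RDPMC_FAULT:
        printf("RDPMC 0 raised #GP (delivered as SIGSEGV)\n");
        break;
    default:
        printf("not an x86 build\n");
    }
    return 0;
}
```

A "faulted" result on its own does not prove the hypervisor intercepts RDPMC, because the guest kernel may itself keep user-mode RDPMC disabled (CR4.PCE clear), in which case the fault comes from the guest kernel's own policy; to observe the hypervisor's behaviour the probe has to run where the guest permits RDPMC, for instance from the guest kernel or with user-mode RDPMC enabled for the process.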

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel