xenbits.xensource.com Git - xen.git/commit

author	Andrew Cooper <andrew.cooper3@citrix.com>
	Fri, 7 Dec 2018 17:00:47 +0000 (17:00 +0000)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Mon, 10 Dec 2018 16:24:08 +0000 (16:24 +0000)
commit	75ce36eb72cb93e8a3c9f60fd5e697067921d712
tree	ef8094100a407167210fbee3823ce140e6ed742d	tree
parent	a3a99df44e5405d2092ec59087681765fa4cdee7	commit \| diff

x86/VT-x: Don't activate VMCS Shadowing outside of nested vmx mode

By default on capable hardware, SECONDARY_EXEC_ENABLE_VMCS_SHADOWING is
activated unilaterally.  The VMCS Link pointer is initialised to ~0, but the
VMREAD/VMWRITE bitmap pointers are not.

This causes the 16bit IVT and Bios Data Area get interpreted as the read/write
permission bitmap for guests which blindly execute VMREAD/VMWRITE
instructions.

This is not a security issue because the VMCS Link pointer being ~0 causes
VMREAD/VMWRITE to complete with VMFailInvalid (rather than modifying a
potential shadow VMCS), and the contents of MFN 0 has already been determined
not to contain any interesting data because of L1TF's ability to read that 4k
frame.

Leave VMCS Shadowing disabled by default, and toggle it in
nvmx_{set,clear}_vmcs_pointer().  This isn't the most efficient course of
action, but it is the most simple way of leaving nested-virt working as it did
before.

While editing construct_vmcs(), collect all default secondary_exec_control
modifications together.  The disabling of PML is latently buggy because it
happens after secondary_exec_control are written into the VMCS, although there
is an unconditional update later which writes the correct value into hardware.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

xen/arch/x86/hvm/vmx/vmcs.c		diff \| blob \| blame \| history
xen/arch/x86/hvm/vmx/vvmx.c		diff \| blob \| blame \| history