xenbits.xensource.com Git - xen.git/commit

author	Jan Beulich <JBeulich@suse.com>
	Fri, 9 Aug 2019 13:16:06 +0000 (14:16 +0100)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Mon, 12 Aug 2019 13:10:09 +0000 (14:10 +0100)
commit	7888440625617693487495a7842e6a991ead2647
tree	aebe94ec917e97391765e5e4d5cffa124eafe43d	tree
parent	b6b5608b6027fd62ce565ecd72a3422c1223beaf	commit \| diff

x86/xpti: Don't leak TSS-adjacent percpu data via Meltdown

The XPTI work restricted the visibility of most of memory, but missed a few
aspects when it came to the TSS.

Given that the TSS is just an object in percpu data, the 4k mapping for it
created in setup_cpu_root_pgt() maps adjacent percpu data, making it all
leakable via Meltdown, even when XPTI is in use.

Furthermore, no care is taken to check that the TSS doesn't cross a page
boundary.  As it turns out, struct tss_struct is aligned on its size which
does prevent it straddling a page boundary.

Rework the TSS types while making this change.  Rename tss_struct to tss64, to
mirror the existing tss32 structure we have in HVM's Tast Switch logic.  Drop
tss64's alignment and __cacheline_filler[] field.

Introduce tss_page which contains a single tss64 and keeps the rest of the
page clear, so no adjacent data can be leaked.  Move the definition from
setup.c to traps.c, which is a more appropriate place for it to live.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

xen/arch/x86/cpu/common.c		diff \| blob \| blame \| history
xen/arch/x86/hvm/vmx/vmcs.c		diff \| blob \| blame \| history
xen/arch/x86/setup.c		diff \| blob \| blame \| history
xen/arch/x86/smpboot.c		diff \| blob \| blame \| history
xen/arch/x86/traps.c		diff \| blob \| blame \| history
xen/include/asm-x86/processor.h		diff \| blob \| blame \| history