This patch series is meant to be used instead of the "XPTI-light" Meltdown mitigation of Jan. It is using a different approach by using a shadow of the guest's L4 page table and keeping those in a cache in order to avoid the need to create the shadow multiple times. I'll name my approach "XPTI" in the following.
The shadow L4 page table used for running in guest mode maps only the guest (of course) and those parts of the hypervisor memory which are needed for entering and leaving the hypervisor: IDT, GDT, TSS, stacks and early interrupt handling code. To avoid a guest being capable of reading other domains' data via the interrupt stacks of other cpus, a guest subject to XPTI isn't using the normal stacks for early interrupt handling, but per-vcpu stacks. This allows mapping the per-vcpu stacks only when running the guest.

For each guest L4 page table there is exactly one shadow L4 page table. This approach avoids the need to do complicated synchronizations between L4 page tables, as the guest already needs to synchronize multiple cpus in case it is using the same address space on multiple processors concurrently.

Without any further measures it will still be possible for e.g. a guest's user program to read stack data of another vcpu of the same domain, but this can be easily avoided by a little PV-ABI modification introducing per-cpu user address spaces. I'm planning to add that when the Linux kernel is learning to use per-cpu address spaces.

This series is available via github:

https://github.com/jgross1/xen.git xpti

Dario wants to do some performance tests for this series to compare performance with Jan's series with all optimizations posted.

Patch 1 is just (IMHO) a bugfix for guest stack dumping.
Patches 2 - 3 revert Jan's XPTI-light patches.
Patch 4 modifies the trap handling to use %r12 for addressing the guest's saved registers instead of using %rsp. This is a prerequisite for being able to switch the stacks in early trap handling.
Patch 5 adds the xpti command line parameter and some basic infrastructure for the XPTI framework.
Patches 6 - 8 modify some current infrastructure to support the following XPTI functionality.
Patch 9 adds syscall stubs for XPTI as the current stubs can't be used.
Patch 10 allocates the per-vcpu stacks and initializes them.
Patch 11 modifies interrupt handling to support stack switching in case of XPTI.
Patch 12 adds activation of the per-vcpu stacks for domains subject to XPTI.
Patch 13 adds the L4 page table shadowing including the L4 shadow cache.
Patch 14 does some more modifications needed for keeping the L4 shadows up to date.
Patch 15 adds populating the L4 shadow tables with the guest's L4 entries.
Patch 16 adds switching between hypervisor and guest L4 page tables when entering/leaving the hypervisor.
Patch 17 removes all the hypervisor mappings not needed in the shadow L4 page table.

Juergen Gross (17):
  x86: don't use hypervisor stack size for dumping guest stacks
  x86: do a revert of e871e80c38547d9faefc6604532ba3e985e65873
  x86: revert 5784de3e2067ed73efc2fe42e62831e8ae7f46c4
  x86: don't access saved user regs via rsp in trap handlers
  x86: add a xpti command line parameter
  x86: allow per-domain mappings without NX bit or with specific mfn
  xen/x86: split _set_tssldt_desc() into ldt and tss specific functions
  x86: add support for spectre mitigation with local thunk
  x86: create syscall stub for per-domain mapping
  x86: allocate per-vcpu stacks for interrupt entries
  x86: modify interrupt handlers to support stack switching
  x86: activate per-vcpu stacks in case of xpti
  x86: allocate hypervisor L4 page table for XPTI
  xen: add domain pointer to fill_ro_mpt() and zap_ro_mpt() functions
  x86: fill XPTI shadow pages and keep them in sync with guest L4
  x86: do page table switching when entering/leaving hypervisor
  x86: hide most hypervisor mappings in XPTI shadow page tables

 docs/misc/xen-command-line.markdown      |   16 +-
 xen/arch/x86/cpu/common.c                |    4 +-
 xen/arch/x86/domain.c                    |  113 +++-
 xen/arch/x86/domctl.c                    |    4 +
 xen/arch/x86/indirect-thunk.S            |   23 +-
 xen/arch/x86/mm.c                        |   92 +--
 xen/arch/x86/mm/shadow/multi.c           |    9 +-
 xen/arch/x86/pv/Makefile                 |    2 +
 xen/arch/x86/pv/dom0_build.c             |    6 +
 xen/arch/x86/pv/domain.c                 |    5 +
 xen/arch/x86/pv/xpti-stub.S              |   61 ++
 xen/arch/x86/pv/xpti.c                   | 1028 ++++++++++++++++++++++++++++++
 xen/arch/x86/smpboot.c                   |  211 ------
 xen/arch/x86/traps.c                     |   35 +-
 xen/arch/x86/x86_64/asm-offsets.c        |    6 +-
 xen/arch/x86/x86_64/compat/entry.S       |   27 +-
 xen/arch/x86/x86_64/entry.S              |  315 +++------
 xen/arch/x86/x86_64/traps.c              |    3 +-
 xen/common/wait.c                        |    8 +-
 xen/include/asm-x86/asm_defns.h          |   68 +-
 xen/include/asm-x86/config.h             |   13 +-
 xen/include/asm-x86/current.h            |   86 ++-
 xen/include/asm-x86/desc.h               |   14 +-
 xen/include/asm-x86/domain.h             |    8 +
 xen/include/asm-x86/indirect_thunk_asm.h |    8 +-
 xen/include/asm-x86/ldt.h                |    2 +-
 xen/include/asm-x86/mm.h                 |    4 +-
 xen/include/asm-x86/nops.h               |    2 +-
 xen/include/asm-x86/processor.h          |   13 +-
 xen/include/asm-x86/pv/mm.h              |   35 +
 xen/include/asm-x86/regs.h               |    2 +
 xen/include/asm-x86/spec_ctrl_asm.h      |   13 +-
 xen/include/asm-x86/system.h             |    5 +
 xen/include/asm-x86/x86_64/page.h        |    5 +-
 34 files changed, 1632 insertions(+), 614 deletions(-)
 create mode 100644 xen/arch/x86/pv/xpti-stub.S
 create mode 100644 xen/arch/x86/pv/xpti.c

-- 
2.13.6
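
Added example, not part of the series or of the original mail: a small C model of the shadow L4 cache the cover letter describes (exactly one shadow per guest L4, built once and reused, hypervisor slots stripped except the one needed for entering and leaving the hypervisor, guest L4 writes mirrored into the shadow). The slot numbers, the single entry slot, the cache size and all function names are assumptions made for illustration and are not taken from xen/arch/x86/pv/xpti.c.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified model: slot numbers and all names below are assumptions. */
#define L4_ENTRIES     512
#define XEN_FIRST_SLOT 256  /* assumed range of L4 slots owned by the hypervisor */
#define XEN_LAST_SLOT  271
#define XEN_ENTRY_SLOT 260  /* hypothetical slot: IDT, GDT, TSS, stacks, entry code */
#define CACHE_SIZE     4
#define IS_XEN_SLOT(s) ((s) >= XEN_FIRST_SLOT && (s) <= XEN_LAST_SLOT)
typedef uint64_t l4e_t;
struct shadow_l4 {
    uint64_t guest_mfn;      /* frame of the shadowed guest L4; 0 = unused */
    l4e_t tab[L4_ENTRIES];
};
static struct shadow_l4 cache[CACHE_SIZE];

static struct shadow_l4 *lookup(uint64_t mfn)
{
    for (int i = 0; i < CACHE_SIZE; i++)
        if (cache[i].guest_mfn == mfn)
            return &cache[i];
    return NULL;
}

/* Return the one shadow for this guest L4, building it only on a cache miss. */
struct shadow_l4 *shadow_get(uint64_t guest_mfn, const l4e_t *guest_l4, l4e_t entry_l4e)
{
    struct shadow_l4 *sh = guest_mfn ? lookup(guest_mfn) : NULL;
    if (sh || !guest_mfn)
        return sh;                       /* cache hit, or invalid key 0 */
    sh = lookup(0);                      /* miss: take an unused cache slot */
    if (!sh)
        return NULL;                     /* this model has no eviction */
    for (unsigned int s = 0; s < L4_ENTRIES; s++)
        sh->tab[s] = IS_XEN_SLOT(s) ? 0 : guest_l4[s];  /* guest mappings only */
    sh->tab[XEN_ENTRY_SLOT] = entry_l4e; /* the sole hypervisor mapping kept */
    sh->guest_mfn = guest_mfn;
    return sh;
}

/* Mirror a guest L4 write into its shadow; 0 on success, -1 if refused. */
int shadow_update(uint64_t guest_mfn, unsigned int slot, l4e_t val)
{
    struct shadow_l4 *sh = guest_mfn ? lookup(guest_mfn) : NULL;
    if (!sh || slot >= L4_ENTRIES || IS_XEN_SLOT(slot))
        return -1;
    sh->tab[slot] = val;
    return 0;
}
```

The model refuses writes to hypervisor slots, so a guest L4 update can never reintroduce a hypervisor mapping into the table that is active while the guest runs.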