This patch series is meant to be used instead of the "XPTI-light"
Meltdown mitigation of Jan. It is using a different approach by
using a shadow of the guest's L4 page table and keeping those in a
cache in order to avoid the need to create the shadow multiple
times. I'll name my approach "XPTI" in the following.
The shadow L4 page table used for running in guest mode maps only the
guest (of course) and those parts of the hypervisor memory which are
needed for entering and leaving the hypervisor: IDT, GDT, TSS, stacks
and early interrupt handling code.
To avoid a guest being capable of reading other domains' data via the
interrupt stacks of other cpus, a guest subject to XPTI isn't using the
normal stacks for early interrupt handling, but per-vcpu stacks. This
allows mapping the per-vcpu stacks only when running the guest.
For each guest L4 page table there is exactly one shadow L4 page table.
This approach avoids the need to do complicated synchronizations
between L4 page tables, as the guest already needs to synchronize
multiple cpus in case it is using the same address space on multiple
Without any further measures it will still be possible for e.g. a
guest's user program to read stack data of another vcpu of the same
domain, but this can be easily avoided by a little PV-ABI modification
introducing per-cpu user address spaces. I'm planning to add that when
the Linux kernel learns to use per-cpu address spaces.
This series is available via github:
Dario wants to do some performance tests for this series to compare
performance with Jan's series with all optimizations posted.
Patch 1 is just (IMHO) a bugfix for guest stack dumping.
Patches 2 - 3 revert Jan's XPTI-light patches.
Patch 4 modifies the trap handling to use %r12 for addressing the
guest's saved registers instead of using %rsp. This is a prerequisite
for being able to switch the stacks in early trap handling.
Patch 5 adds the xpti command line parameter and some basic
infrastructure for the XPTI framework.
Patches 6 - 8 modify some current infrastructure to support the
following XPTI functionality.
Patch 9 adds syscall stubs for XPTI as the current stubs can't be used.
Patch 10 allocates the per-vcpu stacks and initializes them.
Patch 11 modifies interrupt handling to support stack switching in
case of XPTI.
Patch 12 adds activation of the per-vcpu stacks for domains subject to
Patch 13 adds the L4 page table shadowing including the L4 shadow
Patch 14 does some more modifications needed for keeping the L4 shadows
up to date.
Patch 15 adds populating the L4 shadow tables with the guest's L4
Patch 16 adds switching between hypervisor and guest L4 page tables
when entering/leaving the hypervisor.
Patch 17 removes all the hypervisor mappings not needed in the shadow
L4 page table.
Juergen Gross (17):
x86: don't use hypervisor stack size for dumping guest stacks
x86: do a revert of e871e80c38547d9faefc6604532ba3e985e65873
x86: revert 5784de3e2067ed73efc2fe42e62831e8ae7f46c4
x86: don't access saved user regs via rsp in trap handlers
x86: add a xpti command line parameter
x86: allow per-domain mappings without NX bit or with specific mfn
xen/x86: split _set_tssldt_desc() into ldt and tss specific functions
x86: add support for spectre mitigation with local thunk
x86: create syscall stub for per-domain mapping
x86: allocate per-vcpu stacks for interrupt entries
x86: modify interrupt handlers to support stack switching
x86: activate per-vcpu stacks in case of xpti
x86: allocate hypervisor L4 page table for XPTI
xen: add domain pointer to fill_ro_mpt() and zap_ro_mpt() functions
x86: fill XPTI shadow pages and keep them in sync with guest L4
x86: do page table switching when entering/leaving hypervisor
x86: hide most hypervisor mappings in XPTI shadow page tables
docs/misc/xen-command-line.markdown | 16 +-
xen/arch/x86/cpu/common.c | 4 +-
xen/arch/x86/domain.c | 113 +++-
xen/arch/x86/domctl.c | 4 +
xen/arch/x86/indirect-thunk.S | 23 +-
xen/arch/x86/mm.c | 92 +--
xen/arch/x86/mm/shadow/multi.c | 9 +-
xen/arch/x86/pv/Makefile | 2 +
xen/arch/x86/pv/dom0_build.c | 6 +
xen/arch/x86/pv/domain.c | 5 +
xen/arch/x86/pv/xpti-stub.S | 61 ++
xen/arch/x86/pv/xpti.c | 1028 ++++++++++++++++++++++++++++++
xen/arch/x86/smpboot.c | 211 ------
xen/arch/x86/traps.c | 35 +-
xen/arch/x86/x86_64/asm-offsets.c | 6 +-
xen/arch/x86/x86_64/compat/entry.S | 27 +-
xen/arch/x86/x86_64/entry.S | 315 +++------
xen/arch/x86/x86_64/traps.c | 3 +-
xen/common/wait.c | 8 +-
xen/include/asm-x86/asm_defns.h | 68 +-
xen/include/asm-x86/config.h | 13 +-
xen/include/asm-x86/current.h | 86 ++-
xen/include/asm-x86/desc.h | 14 +-
xen/include/asm-x86/domain.h | 8 +
xen/include/asm-x86/indirect_thunk_asm.h | 8 +-
xen/include/asm-x86/ldt.h | 2 +-
xen/include/asm-x86/mm.h | 4 +-
xen/include/asm-x86/nops.h | 2 +-
xen/include/asm-x86/processor.h | 13 +-
xen/include/asm-x86/pv/mm.h | 35 +
xen/include/asm-x86/regs.h | 2 +
xen/include/asm-x86/spec_ctrl_asm.h | 13 +-
xen/include/asm-x86/system.h | 5 +
xen/include/asm-x86/x86_64/page.h | 5 +-
34 files changed, 1632 insertions(+), 614 deletions(-)
create mode 100644 xen/arch/x86/pv/xpti-stub.S
create mode 100644 xen/arch/x86/pv/xpti.c
Xen-devel mailing list
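The cover letter above describes the XPTI design in three sentences: one shadow L4 per guest L4, shadows kept in a cache so they are not rebuilt on every switch, and a shadow that carries the guest's entries plus only the hypervisor slots needed for entering and leaving the hypervisor. The following toy model is an added illustration of that design and is not code from the series or from Xen; it assumes a simplified slot layout (slots 0..255 guest-controlled, 256..511 hypervisor), a tiny round-robin cache, two arbitrarily chosen "needed" hypervisor slots, and invented function names (`get_shadow`, `sync_shadow_entry`, `shadow_hv_mappings`).

```c
/*
 * Toy model of the XPTI shadow-L4 idea from the cover letter. Each guest L4
 * gets exactly one shadow, shadows are cached by the guest L4's mfn, and a
 * shadow holds the guest's entries plus only the hypervisor slots needed for
 * hypervisor entry/exit. Layout, cache size and slot numbers are assumptions
 * for illustration; this is not Xen's implementation.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L4_ENTRIES   512
#define GUEST_SLOTS  256   /* assumption: lower half is guest-controlled */
#define SHADOW_CACHE 4     /* assumption: small fixed-size shadow cache */

typedef uint64_t l4e_t;

/* Hypervisor L4 slots that must stay mapped in guest mode (assumed indices):
 * think IDT/GDT/TSS, the per-vcpu entry stacks, and early entry code. */
static const unsigned int needed_hv_slots[] = { 258, 259 };

struct shadow_l4 {
    bool      valid;
    uintptr_t guest_l4_mfn;          /* cache key: the guest L4 it shadows */
    l4e_t     e[L4_ENTRIES];
};

static struct shadow_l4 cache[SHADOW_CACHE];
static unsigned int next_victim;     /* round-robin eviction index */

static bool hv_slot_needed(unsigned int slot)
{
    for (size_t i = 0; i < sizeof(needed_hv_slots) / sizeof(needed_hv_slots[0]); i++)
        if (needed_hv_slots[i] == slot)
            return true;
    return false;
}

/* Populate a shadow: copy guest slots, keep only the needed hypervisor slots,
 * and leave every other hypervisor slot unmapped (this is the mitigation). */
static void populate_shadow(struct shadow_l4 *s, uintptr_t mfn,
                            const l4e_t *guest_l4, const l4e_t *hv_l4)
{
    s->valid = true;
    s->guest_l4_mfn = mfn;
    for (unsigned int slot = 0; slot < L4_ENTRIES; slot++) {
        if (slot < GUEST_SLOTS)
            s->e[slot] = guest_l4[slot];
        else
            s->e[slot] = hv_slot_needed(slot) ? hv_l4[slot] : 0;
    }
}

/* Look the shadow up by guest L4 mfn; build (and cache) it on a miss. */
struct shadow_l4 *get_shadow(uintptr_t mfn, const l4e_t *guest_l4, const l4e_t *hv_l4)
{
    for (unsigned int i = 0; i < SHADOW_CACHE; i++)
        if (cache[i].valid && cache[i].guest_l4_mfn == mfn)
            return &cache[i];           /* cache hit: no rebuild needed */
    struct shadow_l4 *s = &cache[next_victim];
    next_victim = (next_victim + 1) % SHADOW_CACHE;
    populate_shadow(s, mfn, guest_l4, hv_l4);
    return s;
}

/* Guest L4 update hook: mirror a write to a guest slot into its shadow.
 * Writes aimed at hypervisor slots are ignored. Returns true if the shadow
 * changed, false if the slot is off-limits or no shadow is cached for mfn. */
bool sync_shadow_entry(uintptr_t mfn, unsigned int slot, l4e_t val)
{
    if (slot >= GUEST_SLOTS)
        return false;
    for (unsigned int i = 0; i < SHADOW_CACHE; i++)
        if (cache[i].valid && cache[i].guest_l4_mfn == mfn) {
            cache[i].e[slot] = val;
            return true;
        }
    return false;
}

/* Count how many hypervisor slots a shadow actually exposes to guest mode. */
unsigned int shadow_hv_mappings(const struct shadow_l4 *s)
{
    unsigned int n = 0;
    for (unsigned int slot = GUEST_SLOTS; slot < L4_ENTRIES; slot++)
        if (s->e[slot] != 0)
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample tables: a hypervisor L4 with every upper slot mapped
     * and a guest L4 with eight populated slots. */
    l4e_t hv[L4_ENTRIES], g[L4_ENTRIES];
    for (unsigned int i = 0; i < L4_ENTRIES; i++) {
        hv[i] = i >= GUEST_SLOTS ? 0x1000 + i : 0;
        g[i]  = i < 8 ? 0x2000 + i : 0;
    }
    struct shadow_l4 *s = get_shadow(0xabc, g, hv);
    printf("hypervisor slots visible in guest mode: %u of %u\n",
           shadow_hv_mappings(s), L4_ENTRIES - GUEST_SLOTS);
    return 0;
}
```

The point the model makes is the one the cover letter relies on: because the shadow is keyed by the guest L4, a guest that shares one address space across several vcpus gets exactly one shadow, so the hypervisor never has to reconcile several shadows of the same table, and the only hypervisor state reachable from guest mode is the handful of slots deliberately copied in.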