From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: pbonzini@redhat.com)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by groups.io with SMTP; Mon, 19 Aug 2019 07:10:42 -0700
Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com [209.85.221.69])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id DFE1EC0546F1
	for <devel@edk2.groups.io>; Mon, 19 Aug 2019 14:10:41 +0000 (UTC)
Received: by mail-wr1-f69.google.com with SMTP id b1so5321812wru.4
        for <devel@edk2.groups.io>; Mon, 19 Aug 2019 07:10:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id
         :date:user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=I2zyjHD2ke/DcDnodzJT7UVFnr3rQjHxfcTBA/cAirU=;
        b=st/xrHWDcGCp9Em7VffCkVbqDj4j295ycI63Ni1pR4/o2kG6BH7aTQ/ACTikR+gzmH
         i4V0KrhJENI9wWbPj01kQBwhRnSwTvIErryGvXZYIcCNpJNLPb4QBKLo6nWj8hpsTzvx
         iBjmZB0TA5p3sajGye2InFeyOsFnU5dnAf5o8yAY0ng8FN1T5Uh7jJ/yk/K5v4n/gBiG
         fVsbxgtDIzIYFPshNfIAJtx8bUBxOGNSq9XKIfs+Cl+NWtCy18D3D0bIURnW6A0zGokx
         Jz2CgD20vcRbIxGDYoXK++TvZK6OQ5etLNFGaRnIatbI+z2NsblfSvQFwsQy7BlxwATh
         OZpQ==
X-Gm-Message-State: APjAAAVLb+MjqToP65gyxmT4F2cF2IDOAtPxhNUHJMoe7GsbSXbzaXLq
	TN9h4DrMUI2IRJ3DM94DSgkee8W9opn/bbvxsgDMlFYHbTcZz1hsTSzjBSjrFSf1dB/Pg0PFAba
	DnPY6ieiQ6LNuJg==
X-Received: by 2002:adf:8004:: with SMTP id 4mr19857760wrk.341.1566223840500;
        Mon, 19 Aug 2019 07:10:40 -0700 (PDT)
X-Google-Smtp-Source: APXvYqy1+iXEK+s0t+/gwGtW+6iKHeKAiWoHR786oRIFNLoQY5otuKoTwXxum9khbhnWWOB4D4t0fw==
X-Received: by 2002:adf:8004:: with SMTP id 4mr19857719wrk.341.1566223840193;
        Mon, 19 Aug 2019 07:10:40 -0700 (PDT)
Received: from ?IPv6:2001:b07:6468:f312:8033:56b6:f047:ba4f? ([2001:b07:6468:f312:8033:56b6:f047:ba4f])
        by smtp.gmail.com with ESMTPSA id c15sm40715342wrb.80.2019.08.19.07.10.38
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 19 Aug 2019 07:10:39 -0700 (PDT)
Subject: Re: [edk2-devel] CPU hotplug using SMM with QEMU+OVMF
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>,
 Laszlo Ersek <lersek@redhat.com>, "devel@edk2.groups.io"
 <devel@edk2.groups.io>, edk2-rfc-groups-io <rfc@edk2.groups.io>,
 qemu devel list <qemu-devel@nongnu.org>, Igor Mammedov
 <imammedo@redhat.com>, "Chen, Yingwen" <yingwen.chen@intel.com>,
 "Nakajima, Jun" <jun.nakajima@intel.com>,
 Boris Ostrovsky <boris.ostrovsky@oracle.com>,
 Joao Marcal Lemos Martins <joao.m.martins@oracle.com>,
 Phillip Goerl <phillip.goerl@oracle.com>
References: <8091f6e8-b1ec-f017-1430-00b0255729f4@redhat.com>
 <effa5e32-be1e-4703-4419-8866b7754e2d@redhat.com>
 <74D8A39837DF1E4DA445A8C0B3885C503F75B680@shsmsx102.ccr.corp.intel.com>
 <047801f8-624a-2300-3cf7-1daa1395ce59@redhat.com>
 <99219f81-33a3-f447-95f8-f10341d70084@redhat.com>
 <6f8b9507-58d0-5fbd-b827-c7194b3b2948@redhat.com>
 <74D8A39837DF1E4DA445A8C0B3885C503F75FAD3@shsmsx102.ccr.corp.intel.com>
 <7cb458ea-956e-c1df-33f7-025e4f0f22df@redhat.com>
 <74D8A39837DF1E4DA445A8C0B3885C503F7600B9@shsmsx102.ccr.corp.intel.com>
 <bb6fdbe0-2a3b-e586-e9a5-93e1ac0803ec@redhat.com>
 <20190816161933.7d30a881@x1.home>
 <74D8A39837DF1E4DA445A8C0B3885C503F761B96@shsmsx102.ccr.corp.intel.com>
 <35396800-32d2-c25f-b0d0-2d7cd8438687@redhat.com>
 <D2A45071-A097-4642-A34C-6B7C5D7D2466@intel.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Openpgp: preference=signencrypt
Message-ID: <4afa24cb-1ab7-b085-ba84-70271712d62e@redhat.com>
Date: Mon, 19 Aug 2019 16:10:43 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <D2A45071-A097-4642-A34C-6B7C5D7D2466@intel.com>
Content-Type: text/plain; charset=iso-2022-jp
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 19/08/19 01:00, Yao, Jiewen wrote:
> in real world, we deprecate AB-seg usage because they are vulnerable
> to smm cache poison attack. I assume cache poison is out of scope in
> the virtual world, or there is a way to prevent ABseg cache poison.

Indeed the SMRR would not cover the A-seg on real hardware.  However, if
the chipset allowed aliasing A-seg SMRAM to 0x30000, it would only be
used for SMBASE relocation of hotplugged CPU.  The firmware would still
keep low SMRAM disabled, *except around SMBASE relocation of hotplugged
CPUs*.  To avoid cache poisoning attacks, you only have to issue a
WBINVD before enabling low SMRAM and before disabling it.  Hotplug SMI
is not a performance-sensitive path, so it's not a big deal.

So I guess you agree that PCI DMA attacks are a potential vector also on
real hardware.  As Alex pointed out, VT-d is not a solution because
there could be legitimate DMA happening during CPU hotplug.  For OVMF
we'll probably go with Igor's idea, it would be nice if Intel chipsets
supported it too. :)

Paolo