From nobody Tue Nov 11 05:42:31 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org ARC-Seal: i=1; a=rsa-sha256; t=1569940410; cv=none; d=zoho.com; s=zohoarc; b=AvnpSsbdNQWv+/ERRC69mh5iOTnqv/j5khtWOolYd917D9Ko8l0c4Q6rxOZct0A72IcD7+W2HaZ/LQxo+mynJEZUzBiiVB/gV1ZviYTpQo3SEe3H/MEgondGwsaixpYVHQpPs/RMdzUXdeDiPjDQQ8m/ofpHjs7Ln6vghyzDf3I= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1569940410; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=m6RScIN8OyEtDU4zZ3jmxWrry8H9bmjvpzB+vaDpSco=; b=AA8M0iBCwjeR1Sj1fiER21yFbQecPifZnK8OgA0hhQ5v3izIorPomgT4WGFI5oo8PBozN0k7vwhHNTyEK4dCwXBCno7pUCwapXhP8NeQgg8b1BlWastuLfd34iTLGZCg9CVuNvlCN0/29PP1AvGazWtPpWsLX7gH8IrFi3ULnrw= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1569940410154290.5236153875302; Tue, 1 Oct 2019 07:33:30 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iFJCN-0001eE-TP; Tue, 01 Oct 2019 14:32:19 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iFJCM-0001e0-9W for xen-devel@lists.xenproject.org; Tue, 01 Oct 2019 14:32:18 +0000 Received: from esa3.hc3370-68.iphmx.com (unknown [216.71.145.155]) by localhost (Halon) with ESMTPS id 4070fb46-e458-11e9-9701-12813bfff9fa; Tue, 01 Oct 2019 14:32:11 +0000 (UTC) X-Inumbo-ID: 4070fb46-e458-11e9-9701-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1569940332; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=Z+QHYW8IPEEIm03k86KOSgwcQwB2XLe9JqCbyycENoo=; b=P30iHMObp7468Oiv1oFqpnwJBRBhGE+ao8Z+2QY383eFRqGMB20109t9 NeSLXTcx9UZf7zDhfZLak4i9AJOriLjD0pHO2EHRbVNPSX+qvgjWQNsIS e+s3di7gvmFenXGJyeUExymMkIB0k/GZJtNGQBGFJdmP0j27oGoZIu8wy M=; Authentication-Results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa3.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: Gli+TqwGxC/GYrRPCgNGxhfqKTVCvoT7k0/Pen5Lh1UUFrS/risYlnTDJoPX7tmq4BFJt6QAUq hr8IeK+EwJ5qCMZGkhzuvogSdKxNltfBgFQJbRQVQkCA766CjHBWRZCmdJRiuZBSe6AfOtTlwS 9LCuGogQ6Z4iEuV3MrV7hNBz3Ztq0UqvIBJaWhn3/O5UREMFPdLpidSh8Q3JUzbtdpPPHZSW3L ObnBhwNAeg4yVcwGOra0eedqQhDS8yTGB0dkK/VHSc0mu5I5mYmcVE/RLoCdPJ8rssr+7USspn Wvg= X-SBRS: 2.7 X-MesageID: 6317000 X-Ironport-Server: esa3.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.64,571,1559534400"; d="scan'208";a="6317000" From: Andrew Cooper To: Xen-devel Date: Tue, 1 Oct 2019 15:32:06 +0100 Message-ID: <20191001143207.15844-2-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191001143207.15844-1-andrew.cooper3@citrix.com> References: <20191001143207.15844-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v2 1/2] xen/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_ARRAY X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Andrew Cooper , Wei Liu , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) There are legitimate circumstance where array hardening is not wanted or needed. Allow it to be turned off. Signed-off-by: Andrew Cooper Release-acked-by: Juergen Gross Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Juergen Gross v2: * Rename to CONFIG_SPECULATIVE_HARDEN_ARRAY * Simplify the stub array_index_nospec() --- xen/common/Kconfig | 24 ++++++++++++++++++++++++ xen/include/xen/nospec.h | 5 +++++ 2 files changed, 29 insertions(+) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 16829f6274..911333357a 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -77,6 +77,30 @@ config HAS_CHECKPOLICY string option env=3D"XEN_HAS_CHECKPOLICY" =20 +menu "Speculative hardening" + +config SPECULATIVE_HARDEN_ARRAY + bool "Speculative Array Hardening" + default y + ---help--- + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative out-of-bounds array + accesses. + + When enabled, specific array accesses which have been deemed liable + to be speculatively abused will be hardened to avoid out-of-bounds + accesses. + + This is a best-effort mitigation. There are no guarantees that all + areas of code open to abuse have been hardened. + + If unsure, say Y. + +endmenu + config KEXEC bool "kexec support" default y diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 2ac8feccc2..76255bc46e 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -33,6 +33,7 @@ static inline unsigned long array_index_mask_nospec(unsig= ned long index, } #endif =20 +#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY /* * array_index_nospec - sanitize an array index after a bounds check * @@ -58,6 +59,10 @@ static inline unsigned long array_index_mask_nospec(unsi= gned long index, \ (typeof(_i)) (_i & _mask); \ }) +#else +/* No index hardening. */ +#define array_index_nospec(index, size) ((void)(size), (index)) +#endif /* CONFIG_SPECULATIVE_HARDEN_ARRAY */ =20 /* * array_access_nospec - allow nospec access for static size arrays --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel From nobody Tue Nov 11 05:42:31 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org ARC-Seal: i=1; a=rsa-sha256; t=1569940411; cv=none; d=zoho.com; s=zohoarc; b=PtJaEsHTOmkywH52nbuXeeEmOlOQppFACI60ou4n7yRTkjXIoMLPSXAIRlImtZvmiXtRFYcz9zcoGR1j6bs5wogKrd7xcZbOMqXx6Zp2gFW+QA/mAA51JbAWvQTxv+6CSdA3WY+loKmg37LFY37WZniopq63SRAY2O5sSUrbTYE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1569940411; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=o/oJtKJQHzhZVI6mKTzofner9WqvkAsqdcfaX/3CXTU=; b=Mvp8INYBMfcKeO0ryr6AdcjeNRse0dOL3Ghg1N0RnDSTLm3tynbC2GW2aQkolbjwfbb35Ijna2DziFMQiLbjshOzw4o09EFDixhTq0FZ24Dj8wt6DOFkzr4eYB2X1Rejss9TrdMpVjyMWjfo03pjSbBwNmZHuYNXjJXMFkkmRWU= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1569940411126988.1455272643983; Tue, 1 Oct 2019 07:33:31 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iFJCS-0001fe-7G; Tue, 01 Oct 2019 14:32:24 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iFJCR-0001fH-92 for xen-devel@lists.xenproject.org; Tue, 01 Oct 2019 14:32:23 +0000 Received: from esa2.hc3370-68.iphmx.com (unknown [216.71.145.153]) by localhost (Halon) with ESMTPS id 41491723-e458-11e9-9701-12813bfff9fa; Tue, 01 Oct 2019 14:32:12 +0000 (UTC) X-Inumbo-ID: 41491723-e458-11e9-9701-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1569940333; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=AqIOEm+nzP4XZxBlbSrwAmyzNaFVcTpZ0ZfC5lAKhFo=; b=M3AJBD6ugBlkw6MzAbEG9JMqXjvDNsv2TIZbDi9cWtaIMq4voR31uIIk 0b3HpaZVhKDlkwz4ZabHmqSv8Vn+H6ggoq+VcpPw2qaz8XExzFxYjFUIK 3lOb1eyNtpvFvaiZgFTeqSgOA8lMnYMVb9eJjmFI0p7SWneLY/hFDSVwq Q=; Authentication-Results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa2.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa2.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa2.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: keDZFjuxS6HrlFfBOsJFCECCkEycSigVM9aBGV/WMRjnyvHpjAOzbRF3Kkb2dWzPVZ8PAQl7ba LRuRQfSmPA7Up3Tel0XGYXEw8x3IHFOOzgcTQRzFSQ/zrCP2WhFmyBHbkRRJ4/flW//CYLYld2 ALTQTk/Gk6vPxb/iYpWqARGXm6qyDlxJlK+oYFPngHHWCcTSfmu5Ba3LkYelWsGBGQbliAO6LC tiMexPnqtvGaBmvW1MMCWpc0aEuSMuhX5PQroFgSJAtrmORe2njokQOv/8Q+reJ2Baho9jQtBq gh4= X-SBRS: 2.7 X-MesageID: 6311442 X-Ironport-Server: esa2.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.64,571,1559534400"; d="scan'208";a="6311442" From: Andrew Cooper To: Xen-devel Date: Tue, 1 Oct 2019 15:32:07 +0100 Message-ID: <20191001143207.15844-3-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191001143207.15844-1-andrew.cooper3@citrix.com> References: <20191001143207.15844-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v2 2/2] xen/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_BRANCH and disable it X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Wei Liu , Andrew Cooper , Norbert Manthey , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) The code generation for barrier_nospec_true() is not correct; the lfence instructions are generally too early in the instruction stream, resulting i= n a performance hit but no additional speculative safety. This is caused by inline assembly trying to fight the compiler optimiser, a= nd the optimiser winning. There is no clear way to achieve safety, so turn the perf hit off for now. This also largely reverts 3860d5534df4. The name 'l1tf-barrier', and making barrier_nospec_true() depend on CONFIG_HVM was constrained by what could be discussed publicly at the time. Now that MDS is public, neither aspects are correct. As l1tf-barrier hasn't been in a release of Xen, and CONFIG_SPECULATIVE_HARDEN_BRANCH is disabled until we can find a safe way of implementing the functionality, remove the l1tf-barrier command line option. Fix a typo of 'conditionals' in an adjacent comment. Signed-off-by: Andrew Cooper Release-acked-by: Juergen Gross --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Juergen Gross CC: Norbert Manthey v2: * Expand the commit message to describe how the generated code is broken. * Rename to CONFIG_SPECULATIVE_HARDEN_BRANCH * Switch alternative() to asm() * Fix a comment typo --- docs/misc/xen-command-line.pandoc | 8 +------- xen/arch/x86/spec_ctrl.c | 17 ++--------------- xen/common/Kconfig | 21 +++++++++++++++++++++ xen/include/asm-x86/cpufeatures.h | 2 +- xen/include/asm-x86/nospec.h | 6 +++--- xen/include/asm-x86/spec_ctrl.h | 1 - 6 files changed, 28 insertions(+), 27 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index fc64429064..b9c5b822ca 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1932,7 +1932,7 @@ By default SSBD will be mitigated at runtime (i.e `ss= bd=3Druntime`). ### spec-ctrl (x86) > `=3D List of [ , xen=3D, {pv,hvm,msr-sc,rsb,md-clear}=3D, > bti-thunk=3Dretpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu, -> l1d-flush,l1tf-barrier}=3D ]` +> l1d-flush}=3D ]` =20 Controls for speculative execution sidechannel mitigations. By default, X= en will pick the most appropriate mitigations based on compiled in support, @@ -2004,12 +2004,6 @@ Irrespective of Xen's setting, the feature is virtua= lised for HVM guests to use. By default, Xen will enable this mitigation on hardware believed to = be vulnerable to L1TF. =20 -On hardware vulnerable to L1TF, the `l1tf-barrier=3D` option can be used t= o force -or prevent Xen from protecting evaluations inside the hypervisor with a ba= rrier -instruction to not load potentially secret information into L1 cache. By -default, Xen will enable this mitigation on hardware believed to be vulner= able -to L1TF. - ### sync_console > `=3D ` =20 diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 4761be81bd..5ea8870981 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -21,7 +21,6 @@ #include #include =20 -#include #include #include #include @@ -53,7 +52,6 @@ bool __read_mostly opt_ibpb =3D true; bool __read_mostly opt_ssbd =3D false; int8_t __read_mostly opt_eager_fpu =3D -1; int8_t __read_mostly opt_l1d_flush =3D -1; -int8_t __read_mostly opt_l1tf_barrier =3D -1; =20 bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -98,8 +96,6 @@ static int __init parse_spec_ctrl(const char *s) if ( opt_pv_l1tf_domu < 0 ) opt_pv_l1tf_domu =3D 0; =20 - opt_l1tf_barrier =3D 0; - disable_common: opt_rsb_pv =3D false; opt_rsb_hvm =3D false; @@ -175,8 +171,6 @@ static int __init parse_spec_ctrl(const char *s) opt_eager_fpu =3D val; else if ( (val =3D parse_boolean("l1d-flush", s, ss)) >=3D 0 ) opt_l1d_flush =3D val; - else if ( (val =3D parse_boolean("l1tf-barrier", s, ss)) >=3D 0 ) - opt_l1tf_barrier =3D val; else rc =3D -EINVAL; =20 @@ -337,7 +331,7 @@ static void __init print_details(enum ind_thunk thunk, = uint64_t caps) "\n"); =20 /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\= n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s\n", thunk =3D=3D THUNK_NONE ? "N/A" : thunk =3D=3D THUNK_RETPOLINE ? "RETPOLINE" : thunk =3D=3D THUNK_LFENCE ? "LFENCE" : @@ -348,8 +342,7 @@ static void __init print_details(enum ind_thunk thunk, = uint64_t caps) (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", - opt_l1tf_barrier ? " L1TF_BARRIER" : "= "); + opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : ""); =20 /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. = */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1034,12 +1027,6 @@ void __init init_speculation_mitigations(void) else if ( opt_l1d_flush =3D=3D -1 ) opt_l1d_flush =3D cpu_has_bug_l1tf && !(caps & ARCH_CAPS_SKIP_L1DF= L); =20 - /* By default, enable L1TF_VULN on L1TF-vulnerable hardware */ - if ( opt_l1tf_barrier =3D=3D -1 ) - opt_l1tf_barrier =3D cpu_has_bug_l1tf && (opt_smt || !opt_l1d_flus= h); - if ( opt_l1tf_barrier > 0 ) - setup_force_cpu_cap(X86_FEATURE_SC_L1TF_VULN); - /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 911333357a..b0b8aadeb2 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -99,6 +99,27 @@ config SPECULATIVE_HARDEN_ARRAY =20 If unsure, say Y. =20 +config SPECULATIVE_HARDEN_BRANCH + bool "Speculative Branch Hardening" + depends on BROKEN + ---help--- + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of misbehaviour is by executing the wrong basic block + following a conditional jump. + + When enabled, specific conditions which have been deemed liable to + be speculatively abused will be hardened to avoid entering the wrong + basic block. + + This is a best-effort mitigation. There are no guarantees that all + areas of code open to abuse have been hardened. + + !!! WARNING - This doesn't function as intended. It does not + generate speculatively safe code !!! + endmenu =20 config KEXEC diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufea= tures.h index 91eccf5161..ecb651c35d 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -27,7 +27,7 @@ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP = gets used by Xen itself XEN_CPUFEATURE(LFENCE_DISPATCH, X86_SYNTH(12)) /* lfence set as Dispatch= Serialising */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ -XEN_CPUFEATURE(SC_L1TF_VULN, X86_SYNTH(15)) /* L1TF protection requir= ed */ +/* 15 unused. */ XEN_CPUFEATURE(SC_MSR_PV, X86_SYNTH(16)) /* MSR_SPEC_CTRL used by = Xen for PV */ XEN_CPUFEATURE(SC_MSR_HVM, X86_SYNTH(17)) /* MSR_SPEC_CTRL used by = Xen for HVM */ XEN_CPUFEATURE(SC_RSB_PV, X86_SYNTH(18)) /* RSB overwrite needed f= or PV */ diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 2aa47b3455..03748abbd3 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -9,13 +9,13 @@ /* Allow to insert a read memory barrier into conditionals */ static always_inline bool barrier_nospec_true(void) { -#ifdef CONFIG_HVM - alternative("", "lfence", X86_FEATURE_SC_L1TF_VULN); +#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH + asm volatile ( "lfence" ::: "memory" ); #endif return true; } =20 -/* Allow to protect evaluation of conditionasl with respect to speculation= */ +/* Allow to protect evaluation of conditionals with respect to speculation= */ static always_inline bool evaluate_nospec(bool condition) { return condition ? barrier_nospec_true() : !barrier_nospec_true(); diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctr= l.h index 1339ddd7ef..ba03bb42e5 100644 --- a/xen/include/asm-x86/spec_ctrl.h +++ b/xen/include/asm-x86/spec_ctrl.h @@ -37,7 +37,6 @@ extern bool opt_ibpb; extern bool opt_ssbd; extern int8_t opt_eager_fpu; extern int8_t opt_l1d_flush; -extern int8_t opt_l1tf_barrier; =20 extern bool bsp_delay_spec_ctrl; extern uint8_t default_xen_spec_ctrl; --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel