From nobody Sat May 4 21:18:07 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=none dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1571839164; cv=none; d=zoho.com; s=zohoarc; b=EqRXmgi+t+LIe0BKccHeYyg6onF0l0PinSOf/WGiSmfqVQK7t9V5Lgc5EUkpjRJgzV15JTs/ttcaQ8yr4h3kwvs54oLR4YrdnAKp4pmsjakKgMWv3v5Hr2SsLQzSzY9gNHlVyJ5B2rr5SEQp53ey6Q1rhHSvz63CIGRYQ2Glj9o= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571839164; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=IhKGvDXVyukjMtS8hK/vF0HpPQkGJJoibRNpLrOLwvQ=; b=GRNk/JFeOaeJ6FENEeQjJI0m/mPjxfCuRN85Q8SJ9Kzo8BolcHW25Z+ML/9ZswpRESJdumOwIbVeSjFUYE4c1UmM92LT8JTtZHmFyLS+Va9ey+prhBGB5bTdXHXqReM2/eMd2ALxNXEf2dRQwmtzNPPx1DjfhapqojEvQORKr3Y= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1571839164388265.3253401550145; Wed, 23 Oct 2019 06:59:24 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9Z-0004gP-1f; Wed, 23 Oct 2019 13:58:21 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9X-0004gB-T3 for xen-devel@lists.xenproject.org; Wed, 23 Oct 2019 13:58:19 +0000 Received: from esa5.hc3370-68.iphmx.com (unknown [216.71.155.168]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 2904bbad-f59d-11e9-947f-12813bfff9fa; Wed, 23 Oct 2019 13:58:16 +0000 (UTC) X-Inumbo-ID: 2904bbad-f59d-11e9-947f-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1571839096; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=jX/kgFmobe5dzr/6/7Ul/Yf4aYGtQ4icBKv6F5BY814=; b=CWIMTU3aiot9EXrr5cwcJ8Z8G9QaqHkdX7UehBguwoaKtgUtFHYgXZ/u jrAdyIGEhYnp+Unv/ehyfaNlhFHdDbNWPCqy4Kmp0QTRVTdd/K0g2sLa6 m8CSnOrH9PIkS9uYQEQNetB1pHasQY5BxujFsnkxKjEuCu9aYySFmiAZx Y=; Authentication-Results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa5.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa5.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa5.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: TBbo1A6HA6Mw+AUkD4hA8WGNT0bnujUPwkoLPpGk30HJW1D4epUk76tWCoUy/WclKw8GZVjM6T Ff1fHzOBtKB+fxQNUYVX0HT2yeoDBUeeVLUnWI1HlINl6/FhOqIAAP0DNTP68Vkv7jmDucpNn6 m/vwQ0FO/3UXgtQWkTeoUOQyaPuCPdl+16M/pM8DfUcnT3l9MUqxfnOUET0fW4Stq7LLeACiuP 1b+wjJ6sd+vFMzD6F1mdC3zbFYLOZIx293ysjpKtkzEpb5JXpqiF+R5xmKAqpWBw6DohW5+Q/I VKA= X-SBRS: 2.7 X-MesageID: 7627975 X-Ironport-Server: esa5.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.68,221,1569297600"; d="scan'208";a="7627975" From: Andrew Cooper To: Xen-devel Date: Wed, 23 Oct 2019 14:58:06 +0100 Message-ID: <20191023135812.21348-2-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191023135812.21348-1-andrew.cooper3@citrix.com> References: <20191023135812.21348-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v3 1/7] x86/nospec: Two trivial fixes X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Andrew Cooper , Wei Liu , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) The include of asm/cpuid.h in spec_ctrl.c was an artefact of an older versi= on of c/s 3860d5534df, and is not used in its current incarnation. Fix a typo in a comment. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Juergen Gross v3: * New --- xen/arch/x86/spec_ctrl.c | 1 - xen/include/asm-x86/nospec.h | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 731d5a767b..ee5439a371 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -21,7 +21,6 @@ #include #include =20 -#include #include #include #include diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 2aa47b3455..427b5ff9df 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -15,7 +15,7 @@ static always_inline bool barrier_nospec_true(void) return true; } =20 -/* Allow to protect evaluation of conditionasl with respect to speculation= */ +/* Allow to protect evaluation of conditionals with respect to speculation= */ static always_inline bool evaluate_nospec(bool condition) { return condition ? barrier_nospec_true() : !barrier_nospec_true(); --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel From nobody Sat May 4 21:18:07 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=none dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1571839191; cv=none; d=zoho.com; s=zohoarc; b=LO8cEeoqW6sKS8LPjVlwRYIQ7ZsN7IjscJaHnPziye2d+OV1EV5IUq0E1PtoW/EJlRrp+UIjcgPP6reDGNjwf/wD9xDHrustXjFcOIaVh4Xn+hWGzGch3GEpVHxd3uDUBU+SwBHKVXNbhmmySveiDClie2PjaudUhIeXBXIXDdc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571839191; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=lO0CNzLyI4HwYD/QC+4iPC9LgVilOFdEWcfLQa8UoTM=; b=D/bCUAC4K0Jcx37gNvgoWxQvzoT8EJr4OeoY6djr1SxYm0xpbi4TSAdO26KE+Njix3Tx7hWuCvbkhwLeiOmccYaSmtrhULQAqcdvSQQu82ZRvkYPfVXP7DqameiGkplrF1PUptOxweSEpA26/4fCVncvz+pUO1cpSEEUh4OQ25s= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1571839191154577.8037250462701; Wed, 23 Oct 2019 06:59:51 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9y-0004tX-5f; Wed, 23 Oct 2019 13:58:46 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9w-0004ss-OD for xen-devel@lists.xenproject.org; Wed, 23 Oct 2019 13:58:44 +0000 Received: from esa5.hc3370-68.iphmx.com (unknown [216.71.155.168]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 2d076042-f59d-11e9-947f-12813bfff9fa; Wed, 23 Oct 2019 13:58:22 +0000 (UTC) X-Inumbo-ID: 2d076042-f59d-11e9-947f-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1571839102; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version; bh=yxQ5/6HF4S6wOWP4cNN9AgpK/s9kaLRvodHnGyLG7ww=; b=WG7ldNNgccKJFbQL0Y0+y1iQwGOHE/tZG3qm8lMjTS4mPvYi9PVPQFYj vMpDJH6I2kg9wcekrRMzOOo3CMmDKrWwEfi4p1IPwJz0IrDbT3JSvdG9z LgLdoWeqOUiaYgyw12OAOqXURXrSTt6zlzsWKnknkqa+L2xbiX5ETFB9I Y=; Authentication-Results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa5.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa5.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa5.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: iUc6/qyRMrU/WRyqUPfDBT/HPnw0sDcE7Gs1kFLR1r9QxEoOzCsUPqba067dIZhqhv5MmicEzw Jx2rE2uFFT/eahXhaMe9mRJuXTRzP/r3+MZLAcK8TIEGsDCQ83z73FT2WBlK//w6gbJ6AtHX4K 19KVvze8P8gN3LD9cS7emsVGY00tVma/bCzWiEXJ9x1jQPko31iM2wRG2MJTzFfHwQ4bP/7mWC D+WXFoddYeD3KI3aawlgzXYZkwHDi2N7iCCxKdDmYYJvHB4GTrLM+sie0t6n1SwaX5qwx3WQtS ng0= X-SBRS: 2.7 X-MesageID: 7627993 X-Ironport-Server: esa5.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.68,221,1569297600"; d="scan'208";a="7627993" From: Andrew Cooper To: Xen-devel Date: Wed, 23 Oct 2019 14:58:07 +0100 Message-ID: <20191023135812.21348-3-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191023135812.21348-1-andrew.cooper3@citrix.com> References: <20191023135812.21348-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v3 2/7] xen/nospec: Use always_inline to fix code gen for evaluate_nospec X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Stefano Stabellini , Julien Grall , Wei Liu , Konrad Rzeszutek Wilk , George Dunlap , Andrew Cooper , Jan Beulich , Ian Jackson Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) evaluate_nospec() is incredibly fragile, and this is one giant bodge. To correctly protect jumps, the generated code needs to be of the form: cmp/test jcc 1f lfence ... 1: lfence ... Critically, the lfence must be at the head of both basic blocks, later in t= he instruction stream than the conditional jump in need of protection. When a static inline is involved, the optimiser decides to be clever and rearranges the code as: pred: lfence ret call pred cmp $0, %eax jcc 1f ... 1: ... which breaks the speculative safety. Any use of evaluate_nospec() needs all static inline predicates which use it to be declared always_inline to prevent the optimiser having the flexibility to generate unsafe code. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich --- CC: George Dunlap CC: Ian Jackson CC: Jan Beulich CC: Konrad Rzeszutek Wilk CC: Stefano Stabellini CC: Wei Liu CC: Julien Grall CC: Juergen Gross This is the transitive set of predicates which I can spot which need protecting. There are probably ones I've missed. Personally, I'm -1 for t= his approach, but the only other option for 4.13 is to revert it all to unbreak livepatching. v3: * New --- xen/arch/x86/domain.c | 2 +- xen/arch/x86/pv/mm.h | 12 ++++++------ xen/include/asm-x86/event.h | 2 +- xen/include/asm-x86/guest_pt.h | 28 ++++++++++++++++------------ xen/include/asm-x86/hvm/nestedhvm.h | 2 +- xen/include/asm-x86/paging.h | 2 +- xen/include/xen/sched.h | 20 ++++++++++---------- 7 files changed, 36 insertions(+), 32 deletions(-) diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c index c8d7f491ea..1b88cc2d68 100644 --- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -1699,7 +1699,7 @@ static void _update_runstate_area(struct vcpu *v) * regular per-CPU GDT frame to appear with selectors at the appropriate * offset. */ -static inline bool need_full_gdt(const struct domain *d) +static always_inline bool need_full_gdt(const struct domain *d) { return is_pv_domain(d) && !is_idle_domain(d); } diff --git a/xen/arch/x86/pv/mm.h b/xen/arch/x86/pv/mm.h index 2d427b418d..a1bd473b29 100644 --- a/xen/arch/x86/pv/mm.h +++ b/xen/arch/x86/pv/mm.h @@ -88,8 +88,8 @@ static inline bool update_intpte(intpte_t *p, intpte_t ol= d, intpte_t new, _t ## e_get_intpte(_o), _t ## e_get_intpte(_n), \ (_m), (_v), (_ad)) =20 -static inline l1_pgentry_t adjust_guest_l1e(l1_pgentry_t l1e, - const struct domain *d) +static always_inline l1_pgentry_t adjust_guest_l1e(l1_pgentry_t l1e, + const struct domain *d) { if ( likely(l1e_get_flags(l1e) & _PAGE_PRESENT) && likely(!is_pv_32bit_domain(d)) ) @@ -120,8 +120,8 @@ static inline l2_pgentry_t adjust_guest_l2e(l2_pgentry_= t l2e, return l2e; } =20 -static inline l3_pgentry_t adjust_guest_l3e(l3_pgentry_t l3e, - const struct domain *d) +static always_inline l3_pgentry_t adjust_guest_l3e(l3_pgentry_t l3e, + const struct domain *d) { if ( likely(l3e_get_flags(l3e) & _PAGE_PRESENT) ) l3e_add_flags(l3e, (likely(!is_pv_32bit_domain(d)) @@ -140,8 +140,8 @@ static inline l3_pgentry_t unadjust_guest_l3e(l3_pgentr= y_t l3e, return l3e; } =20 -static inline l4_pgentry_t adjust_guest_l4e(l4_pgentry_t l4e, - const struct domain *d) +static always_inline l4_pgentry_t adjust_guest_l4e(l4_pgentry_t l4e, + const struct domain *d) { /* * When shadowing an L4 behind the guests back (e.g. for per-pcpu diff --git a/xen/include/asm-x86/event.h b/xen/include/asm-x86/event.h index 2f6ea54bcb..98a85233cb 100644 --- a/xen/include/asm-x86/event.h +++ b/xen/include/asm-x86/event.h @@ -20,7 +20,7 @@ static inline int vcpu_event_delivery_is_enabled(struct v= cpu *v) } =20 int hvm_local_events_need_delivery(struct vcpu *v); -static inline int local_events_need_delivery(void) +static always_inline bool local_events_need_delivery(void) { struct vcpu *v =3D current; =20 diff --git a/xen/include/asm-x86/guest_pt.h b/xen/include/asm-x86/guest_pt.h index 8684b83fd6..6ab2041e48 100644 --- a/xen/include/asm-x86/guest_pt.h +++ b/xen/include/asm-x86/guest_pt.h @@ -202,7 +202,7 @@ static inline guest_l4e_t guest_l4e_from_gfn(gfn_t gfn,= u32 flags) =20 /* Which pagetable features are supported on this vcpu? */ =20 -static inline bool guest_can_use_l2_superpages(const struct vcpu *v) +static always_inline bool guest_can_use_l2_superpages(const struct vcpu *v) { /* * PV guests use Xen's paging settings. Being 4-level, 2M @@ -218,7 +218,7 @@ static inline bool guest_can_use_l2_superpages(const st= ruct vcpu *v) (v->arch.hvm.guest_cr[4] & X86_CR4_PSE)); } =20 -static inline bool guest_can_use_l3_superpages(const struct domain *d) +static always_inline bool guest_can_use_l3_superpages(const struct domain = *d) { /* * There are no control register settings for the hardware pagewalk on= the @@ -252,7 +252,7 @@ static inline bool guest_can_use_pse36(const struct dom= ain *d) return paging_mode_hap(d) && cpu_has_pse36; } =20 -static inline bool guest_nx_enabled(const struct vcpu *v) +static always_inline bool guest_nx_enabled(const struct vcpu *v) { if ( GUEST_PAGING_LEVELS =3D=3D 2 ) /* NX has no effect witout CR4.PAE= . */ return false; @@ -261,23 +261,23 @@ static inline bool guest_nx_enabled(const struct vcpu= *v) return is_pv_vcpu(v) ? cpu_has_nx : hvm_nx_enabled(v); } =20 -static inline bool guest_wp_enabled(const struct vcpu *v) +static always_inline bool guest_wp_enabled(const struct vcpu *v) { /* PV guests can't control CR0.WP, and it is unconditionally set by Xe= n. */ return is_pv_vcpu(v) || hvm_wp_enabled(v); } =20 -static inline bool guest_smep_enabled(const struct vcpu *v) +static always_inline bool guest_smep_enabled(const struct vcpu *v) { return !is_pv_vcpu(v) && hvm_smep_enabled(v); } =20 -static inline bool guest_smap_enabled(const struct vcpu *v) +static always_inline bool guest_smap_enabled(const struct vcpu *v) { return !is_pv_vcpu(v) && hvm_smap_enabled(v); } =20 -static inline bool guest_pku_enabled(const struct vcpu *v) +static always_inline bool guest_pku_enabled(const struct vcpu *v) { return !is_pv_vcpu(v) && hvm_pku_enabled(v); } @@ -285,19 +285,21 @@ static inline bool guest_pku_enabled(const struct vcp= u *v) /* Helpers for identifying whether guest entries have reserved bits set. */ =20 /* Bits reserved because of maxphysaddr, and (lack of) EFER.NX */ -static inline uint64_t guest_rsvd_bits(const struct vcpu *v) +static always_inline uint64_t guest_rsvd_bits(const struct vcpu *v) { return ((PADDR_MASK & ~((1ul << v->domain->arch.cpuid->extd.maxphysaddr) - 1)) | (guest_nx_enabled(v) ? 0 : put_pte_flags(_PAGE_NX_BIT))); } =20 -static inline bool guest_l1e_rsvd_bits(const struct vcpu *v, guest_l1e_t l= 1e) +static always_inline bool guest_l1e_rsvd_bits(const struct vcpu *v, + guest_l1e_t l1e) { return l1e.l1 & (guest_rsvd_bits(v) | GUEST_L1_PAGETABLE_RSVD); } =20 -static inline bool guest_l2e_rsvd_bits(const struct vcpu *v, guest_l2e_t l= 2e) +static always_inline bool guest_l2e_rsvd_bits(const struct vcpu *v, + guest_l2e_t l2e) { uint64_t rsvd_bits =3D guest_rsvd_bits(v); =20 @@ -311,7 +313,8 @@ static inline bool guest_l2e_rsvd_bits(const struct vcp= u *v, guest_l2e_t l2e) } =20 #if GUEST_PAGING_LEVELS >=3D 3 -static inline bool guest_l3e_rsvd_bits(const struct vcpu *v, guest_l3e_t l= 3e) +static always_inline bool guest_l3e_rsvd_bits(const struct vcpu *v, + guest_l3e_t l3e) { return ((l3e.l3 & (guest_rsvd_bits(v) | GUEST_L3_PAGETABLE_RSVD | (guest_can_use_l3_superpages(v->domain) ? 0 : _PAGE= _PSE))) || @@ -320,7 +323,8 @@ static inline bool guest_l3e_rsvd_bits(const struct vcp= u *v, guest_l3e_t l3e) } =20 #if GUEST_PAGING_LEVELS >=3D 4 -static inline bool guest_l4e_rsvd_bits(const struct vcpu *v, guest_l4e_t l= 4e) +static always_inline bool guest_l4e_rsvd_bits(const struct vcpu *v, + guest_l4e_t l4e) { return l4e.l4 & (guest_rsvd_bits(v) | GUEST_L4_PAGETABLE_RSVD | ((v->domain->arch.cpuid->x86_vendor =3D=3D X86_VENDOR= _AMD) diff --git a/xen/include/asm-x86/hvm/nestedhvm.h b/xen/include/asm-x86/hvm/= nestedhvm.h index e09fa9d47d..256fed733a 100644 --- a/xen/include/asm-x86/hvm/nestedhvm.h +++ b/xen/include/asm-x86/hvm/nestedhvm.h @@ -33,7 +33,7 @@ enum nestedhvm_vmexits { }; =20 /* Nested HVM on/off per domain */ -static inline bool nestedhvm_enabled(const struct domain *d) +static always_inline bool nestedhvm_enabled(const struct domain *d) { return is_hvm_domain(d) && d->arch.hvm.params && d->arch.hvm.params[HVM_PARAM_NESTEDHVM]; diff --git a/xen/include/asm-x86/paging.h b/xen/include/asm-x86/paging.h index 8c2027c791..7544f73121 100644 --- a/xen/include/asm-x86/paging.h +++ b/xen/include/asm-x86/paging.h @@ -383,7 +383,7 @@ static inline bool gfn_valid(const struct domain *d, gf= n_t gfn) } =20 /* Maxphysaddr supportable by the paging infrastructure. */ -static inline unsigned int paging_max_paddr_bits(const struct domain *d) +static always_inline unsigned int paging_max_paddr_bits(const struct domai= n *d) { unsigned int bits =3D paging_mode_hap(d) ? hap_paddr_bits : paddr_bits; =20 diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 629a4c52e0..9f7bc69293 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -968,50 +968,50 @@ void watchdog_domain_destroy(struct domain *d); =20 #define VM_ASSIST(d, t) (test_bit(VMASST_TYPE_ ## t, &(d)->vm_assist)) =20 -static inline bool is_pv_domain(const struct domain *d) +static always_inline bool is_pv_domain(const struct domain *d) { return IS_ENABLED(CONFIG_PV) && evaluate_nospec(!(d->options & XEN_DOMCTL_CDF_hvm)); } =20 -static inline bool is_pv_vcpu(const struct vcpu *v) +static always_inline bool is_pv_vcpu(const struct vcpu *v) { return is_pv_domain(v->domain); } =20 #ifdef CONFIG_COMPAT -static inline bool is_pv_32bit_domain(const struct domain *d) +static always_inline bool is_pv_32bit_domain(const struct domain *d) { return is_pv_domain(d) && d->arch.is_32bit_pv; } =20 -static inline bool is_pv_32bit_vcpu(const struct vcpu *v) +static always_inline bool is_pv_32bit_vcpu(const struct vcpu *v) { return is_pv_32bit_domain(v->domain); } =20 -static inline bool is_pv_64bit_domain(const struct domain *d) +static always_inline bool is_pv_64bit_domain(const struct domain *d) { return is_pv_domain(d) && !d->arch.is_32bit_pv; } =20 -static inline bool is_pv_64bit_vcpu(const struct vcpu *v) +static always_inline bool is_pv_64bit_vcpu(const struct vcpu *v) { return is_pv_64bit_domain(v->domain); } #endif -static inline bool is_hvm_domain(const struct domain *d) +static always_inline bool is_hvm_domain(const struct domain *d) { return IS_ENABLED(CONFIG_HVM) && evaluate_nospec(d->options & XEN_DOMCTL_CDF_hvm); } =20 -static inline bool is_hvm_vcpu(const struct vcpu *v) +static always_inline bool is_hvm_vcpu(const struct vcpu *v) { return is_hvm_domain(v->domain); } =20 -static inline bool hap_enabled(const struct domain *d) +static always_inline bool hap_enabled(const struct domain *d) { /* sanitise_domain_config() rejects HAP && !HVM */ return IS_ENABLED(CONFIG_HVM) && @@ -1034,7 +1034,7 @@ static inline bool is_xenstore_domain(const struct do= main *d) return d->options & XEN_DOMCTL_CDF_xs_domain; } =20 -static inline bool is_iommu_enabled(const struct domain *d) +static always_inline bool is_iommu_enabled(const struct domain *d) { return evaluate_nospec(d->options & XEN_DOMCTL_CDF_iommu); } --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel From nobody Sat May 4 21:18:07 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=none dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1571839192; cv=none; d=zoho.com; s=zohoarc; b=GFEovMiUEi/phtiuAVhB7tF2seQA4SuZ9YgiWCWqUA3lolYnuq40/QGrOzMqwkpSIB6tvxP6HsQjd1m8EiUfvKIlmsX6LFcpR50hjn5V7SSU6KyLzmTnujCFYi1yqGGiGjuzyNGwESCGLYfda+qpJbKwTxGJEVwCT9tw4XY+XIg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571839192; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=Cy0JgbZXtYGg4i5t1X1KEBcbVZfes/PKPJYiQ5jcDrY=; b=KfCEjdad+LVhqpmP1SbIH5RbzL2kCaNew/e2eqS8U9RxxJ1afjd1Axv1vIBdslU5md99owDi/ak/dGO0rtQMzlufKCyocIHXeWMETtGrag1VEU0HFOVnkB4wmS7kmh9DE9JQVNNUeEmWgL97499LpR080Mh2h0rjZUjUNySYbQg= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1571839192058657.687343700412; Wed, 23 Oct 2019 06:59:52 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNHA2-0004xW-OM; Wed, 23 Oct 2019 13:58:50 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNHA1-0004wW-OJ for xen-devel@lists.xenproject.org; Wed, 23 Oct 2019 13:58:49 +0000 Received: from esa1.hc3370-68.iphmx.com (unknown [216.71.145.142]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 337549d0-f59d-11e9-947f-12813bfff9fa; Wed, 23 Oct 2019 13:58:33 +0000 (UTC) X-Inumbo-ID: 337549d0-f59d-11e9-947f-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1571839114; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=PO96FHxwZQffDGMSm7nUzZRMEcvgaDQH+GKPeqSlkL8=; b=PTGr+3ttiGH86vGMCcAQGhlsKA1HD1kspgdSo92+IfgrFCcH9Ezacx+g a47ThmzVd/MWBfHnfoJixAhKs+gKk3vO8anZlTyra0O6rZCjzjRMxUK8W pwVXoyK6g7S+cwdIa4oFnmmsY8XDqbjo0s2xExLbo6+JHa+QvjD01PFgy 0=; Authentication-Results: esa1.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa1.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa1.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa1.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa1.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa1.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa1.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: Oqg7ArGFovo4VN3zwplE5kHzvNxilR4s3Iki7cNFojzHlzsKnU8Uz8Wgl9nsw4o/6RFANKVjp2 8FM+ulurQ+Q+4HcA2D9YjH5SoaP12zBzvjDparzADqzBgVEQNhwVCQtPXX60gYd0iGNh63PZ1M 05e7syCUyo0HZDB2bEX5iTbCP6jlpxSbsT323tQIJFxzSEVrpwk+cxuBt/YehSK/xgvz+5zVWt 30OBSR1vEI844AljV55N2tARmRJJEDKVgfW+tpAdVVtmPxnxCBoFUuFMEWWLYFLUtyB0f0IHon 9KE= X-SBRS: 2.7 X-MesageID: 7415854 X-Ironport-Server: esa1.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.68,221,1569297600"; d="scan'208";a="7415854" From: Andrew Cooper To: Xen-devel Date: Wed, 23 Oct 2019 14:58:08 +0100 Message-ID: <20191023135812.21348-4-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191023135812.21348-1-andrew.cooper3@citrix.com> References: <20191023135812.21348-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v3 3/7] xen/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_BRANCH X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Andrew Cooper , Wei Liu , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) Just as with CONFIG_SPECULATIVE_HARDEN_ARRAY, branch hardening should be configurable at compile time. The previous CONFIG_HVM was a consequence of what could be discussed public= ly at the time the patches were submitted, and wasn't actually correct. Later patches will make further corrections. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Juergen Gross v3: * Reduce to just the Kconfig option. Split other changes out into separate patches. v2: * Expand the commit message to describe how the generated code is broken. * Rename to CONFIG_SPECULATIVE_HARDEN_BRANCH * Switch alternative() to asm() * Fix a comment typo --- xen/common/Kconfig | 23 +++++++++++++++++++++++ xen/include/asm-x86/nospec.h | 2 +- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 7b5dd9d495..c9e671869e 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -102,6 +102,29 @@ config SPECULATIVE_HARDEN_ARRAY =20 If unsure, say Y. =20 +config SPECULATIVE_HARDEN_BRANCH + bool "Speculative Branch Hardening" + default y + depends on X86 + ---help--- + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of misbehaviour is by executing the wrong basic block + following a conditional jump. + + When enabled, specific conditions which have been deemed liable to + be speculatively abused will be hardened to avoid entering the wrong + basic block. + + This is a best-effort mitigation. There are no guarantees that all + areas of code open to abuse have been hardened, nor that + optimisations in the compiler haven't subverted the attempts to + harden. + + If unsure, say Y. + endmenu =20 config KEXEC diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 427b5ff9df..154e92aed8 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -9,7 +9,7 @@ /* Allow to insert a read memory barrier into conditionals */ static always_inline bool barrier_nospec_true(void) { -#ifdef CONFIG_HVM +#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH alternative("", "lfence", X86_FEATURE_SC_L1TF_VULN); #endif return true; --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel From nobody Sat May 4 21:18:07 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=none dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1571839174; cv=none; d=zoho.com; s=zohoarc; b=HuUbVq9xyWR7+CpH8ztcr0W/dTN8qttuMrcgwIEZVV89zrM+9oZgvcwYwZ9kLGafGPXVIFCfwIs8pQz5I+ZdlPBGa0PmaahNff3EcjTlnagZput4baeQko3XjTho19buQAwUrHGchsBEElBrfyXCWJAjg1cOJF6FHFC/NytY1as= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571839174; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=mtr4cBSQmbdNIp8UmdI4PdgkPkifMtSYaQjS7zH/kyg=; b=T45z4i7c+wbKMfPJalE1Xn68i/Nsx30dS7Ojq2es+cCCzfbXBbImvOgO9BGRtCaNGi4dJY3C581mKnQc86xQPoCWjclT2dpyTURWsG666hI3wVsLKaw3V97rUllKs7IlJ5XVP6PGTgAzQNZcrbBfHW3ymW7r4WNGG+rppPxAhTk= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1571839174235942.9882764864718; Wed, 23 Oct 2019 06:59:34 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9i-0004jk-U2; Wed, 23 Oct 2019 13:58:30 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9h-0004j7-Nm for xen-devel@lists.xenproject.org; Wed, 23 Oct 2019 13:58:29 +0000 Received: from esa4.hc3370-68.iphmx.com (unknown [216.71.155.144]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 2ac94fca-f59d-11e9-947f-12813bfff9fa; Wed, 23 Oct 2019 13:58:19 +0000 (UTC) X-Inumbo-ID: 2ac94fca-f59d-11e9-947f-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1571839099; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=4VuKkBqZ2Kta2Y4r87MDlI7noHQgx33B3BrfYmdOdtI=; b=K2AME3WVkqrp63d6Q5dVMJ/yYMutcHSlj/03lDwABwTF6TmVgwigMh9D metlAIw/3UNzFz4WgRmNyMcngu4FarQ6LaOg0IdNDXSxc83SAPCGxsXuE 6iNXroAxxHQhp68bV5mD4+4pHrsmtumJOoqrb2ARLQuCP2HyNWGbrv+GM g=; Authentication-Results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa4.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa4.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa4.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: IZib/t/EeiHoxXWGbWQFKYxxaO6mATIdDlrRkU89FjB42teDowVqZSw04zSOlMH3ODuXJKlKEN w8SUC4fz4yTfgNTPO14OgMf6+4BiRhzfZ65Yhhn3fUYjcNuWfRSUC636AoQ5nQ7qsMe8MJqisT p3LUovIzvcXAPFYaMpatkAPQ/erVxak7dfnTFZqDXLXZLmxP3My0P2PRkxowU9Na5ixqc+Ramw Fkdcg9L2LGNc7Y4Iiq+NKbsGUMesY2PQ38mBOam1nEzRPWvbU4tT4GSWS9F9K94UcsdbbtcNq3 hsI= X-SBRS: 2.7 X-MesageID: 7760075 X-Ironport-Server: esa4.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.68,221,1569297600"; d="scan'208";a="7760075" From: Andrew Cooper To: Xen-devel Date: Wed, 23 Oct 2019 14:58:09 +0100 Message-ID: <20191023135812.21348-5-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191023135812.21348-1-andrew.cooper3@citrix.com> References: <20191023135812.21348-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v3 4/7] x86/nospec: Rename and rework l1tf-barrier as branch-harden X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Andrew Cooper , Wei Liu , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) l1tf-barrier is an inappropriate name, and came about because of restrictio= ns on could be discussed publicly when the patches were proposed. In practice, it is for general Spectre v1 mitigations, and is necessary in = all cases. An adversary which can control speculation in Xen can leak data in cross-core (BCBS, etc) or remote (NetSpectre) scenarios - the problem is not limited to just L1TF with HT active. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Juergen Gross v3: * New In principle it should be tristate and being disabled by default on parts which don't speculate, but it is too late in 4.13 to organise this. --- docs/misc/xen-command-line.pandoc | 11 +++++------ xen/arch/x86/spec_ctrl.c | 17 +++++++---------- xen/include/asm-x86/cpufeatures.h | 2 +- xen/include/asm-x86/nospec.h | 2 +- xen/include/asm-x86/spec_ctrl.h | 2 +- 5 files changed, 15 insertions(+), 19 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index 67df80c50d..e37a13ed11 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1960,7 +1960,7 @@ By default SSBD will be mitigated at runtime (i.e `ss= bd=3Druntime`). ### spec-ctrl (x86) > `=3D List of [ , xen=3D, {pv,hvm,msr-sc,rsb,md-clear}=3D, > bti-thunk=3Dretpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu, -> l1d-flush,l1tf-barrier}=3D ]` +> l1d-flush,branch-harden}=3D ]` =20 Controls for speculative execution sidechannel mitigations. By default, X= en will pick the most appropriate mitigations based on compiled in support, @@ -2032,11 +2032,10 @@ Irrespective of Xen's setting, the feature is virtu= alised for HVM guests to use. By default, Xen will enable this mitigation on hardware believed to = be vulnerable to L1TF. =20 -On hardware vulnerable to L1TF, the `l1tf-barrier=3D` option can be used t= o force -or prevent Xen from protecting evaluations inside the hypervisor with a ba= rrier -instruction to not load potentially secret information into L1 cache. By -default, Xen will enable this mitigation on hardware believed to be vulner= able -to L1TF. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_BRANCH`, the +`branch-harden=3D` boolean can be used to force or prevent Xen from using +speculation barriers to protect selected conditional branches. By default, +Xen will enabled this mitigation. =20 ### sync_console > `=3D ` diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index ee5439a371..e74e0cc619 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -52,7 +52,7 @@ bool __read_mostly opt_ibpb =3D true; bool __read_mostly opt_ssbd =3D false; int8_t __read_mostly opt_eager_fpu =3D -1; int8_t __read_mostly opt_l1d_flush =3D -1; -int8_t __read_mostly opt_l1tf_barrier =3D -1; +bool __read_mostly opt_branch_harden =3D true; =20 bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -97,7 +97,7 @@ static int __init parse_spec_ctrl(const char *s) if ( opt_pv_l1tf_domu < 0 ) opt_pv_l1tf_domu =3D 0; =20 - opt_l1tf_barrier =3D 0; + opt_branch_harden =3D false; =20 disable_common: opt_rsb_pv =3D false; @@ -174,8 +174,8 @@ static int __init parse_spec_ctrl(const char *s) opt_eager_fpu =3D val; else if ( (val =3D parse_boolean("l1d-flush", s, ss)) >=3D 0 ) opt_l1d_flush =3D val; - else if ( (val =3D parse_boolean("l1tf-barrier", s, ss)) >=3D 0 ) - opt_l1tf_barrier =3D val; + else if ( (val =3D parse_boolean("branch-harden", s, ss)) >=3D 0 ) + opt_branch_harden =3D val; else rc =3D -EINVAL; =20 @@ -348,7 +348,7 @@ static void __init print_details(enum ind_thunk thunk, = uint64_t caps) opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", - opt_l1tf_barrier ? " L1TF_BARRIER" : "= "); + opt_branch_harden ? " BRANCH_HARDEN" : = ""); =20 /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. = */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1033,11 +1033,8 @@ void __init init_speculation_mitigations(void) else if ( opt_l1d_flush =3D=3D -1 ) opt_l1d_flush =3D cpu_has_bug_l1tf && !(caps & ARCH_CAPS_SKIP_L1DF= L); =20 - /* By default, enable L1TF_VULN on L1TF-vulnerable hardware */ - if ( opt_l1tf_barrier =3D=3D -1 ) - opt_l1tf_barrier =3D cpu_has_bug_l1tf && (opt_smt || !opt_l1d_flus= h); - if ( opt_l1tf_barrier > 0 ) - setup_force_cpu_cap(X86_FEATURE_SC_L1TF_VULN); + if ( opt_branch_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_BRANCH_HARDEN); =20 /* * We do not disable HT by default on affected hardware. diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufea= tures.h index 91eccf5161..b9d3cac975 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -27,7 +27,7 @@ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP = gets used by Xen itself XEN_CPUFEATURE(LFENCE_DISPATCH, X86_SYNTH(12)) /* lfence set as Dispatch= Serialising */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ -XEN_CPUFEATURE(SC_L1TF_VULN, X86_SYNTH(15)) /* L1TF protection requir= ed */ +XEN_CPUFEATURE(SC_BRANCH_HARDEN, X86_SYNTH(15)) /* Conditional Branch Har= dening */ XEN_CPUFEATURE(SC_MSR_PV, X86_SYNTH(16)) /* MSR_SPEC_CTRL used by = Xen for PV */ XEN_CPUFEATURE(SC_MSR_HVM, X86_SYNTH(17)) /* MSR_SPEC_CTRL used by = Xen for HVM */ XEN_CPUFEATURE(SC_RSB_PV, X86_SYNTH(18)) /* RSB overwrite needed f= or PV */ diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 154e92aed8..f6eb84eee5 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -10,7 +10,7 @@ static always_inline bool barrier_nospec_true(void) { #ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH - alternative("", "lfence", X86_FEATURE_SC_L1TF_VULN); + alternative("", "lfence", X86_FEATURE_SC_BRANCH_HARDEN); #endif return true; } diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctr= l.h index 1339ddd7ef..9caecddfec 100644 --- a/xen/include/asm-x86/spec_ctrl.h +++ b/xen/include/asm-x86/spec_ctrl.h @@ -37,7 +37,7 @@ extern bool opt_ibpb; extern bool opt_ssbd; extern int8_t opt_eager_fpu; extern int8_t opt_l1d_flush; -extern int8_t opt_l1tf_barrier; +extern bool opt_branch_harden; =20 extern bool bsp_delay_spec_ctrl; extern uint8_t default_xen_spec_ctrl; --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel From nobody Sat May 4 21:18:07 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=none dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1571839183; cv=none; d=zoho.com; s=zohoarc; b=BJrYuDoot1OrvMZlXE4YX10Z34sOA+TPHrUuDB+Mfh/ihkEw4+sAvZioMDyk7jdtK5+ESp2s25/jH0IN980p5FjrTA+3nCLqnwU7ZWa4jAX+92fKzVFolDLhyjvBokJeN7QscrrDFo93gyChhXlXfIV8okZwaSxw1HtSqo87glU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571839183; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=d3xQjweTAViilnHuYQqtyc0Dq8wdVDrdsnWCxUd8s2Q=; b=eikb1G2pbunysZURlv4PWr6S7cxSaUTNBl/iF55sBjdj/7p+bjWCvTBjoEQOHk8f3kx0tQPm6eUftUDic1UmnTgvo2E59emLJMbitsplIJvxRtS0+Il2TUmYdW6zRKlwql04BXeZWtQOmtn8bEfUfDjtNDMT04gpyqSLLNGFK7Q= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1571839183633631.0870836730218; Wed, 23 Oct 2019 06:59:43 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9s-0004qY-RQ; Wed, 23 Oct 2019 13:58:40 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9r-0004py-Nu for xen-devel@lists.xenproject.org; Wed, 23 Oct 2019 13:58:39 +0000 Received: from esa3.hc3370-68.iphmx.com (unknown [216.71.145.155]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 2b3cf092-f59d-11e9-947f-12813bfff9fa; Wed, 23 Oct 2019 13:58:20 +0000 (UTC) X-Inumbo-ID: 2b3cf092-f59d-11e9-947f-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1571839100; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=m2kh9QpgbBW0t3CfPqyCV8pyy7mWwqyKUQok2IrkiPo=; b=HGGjXnyTF270p7N7zM/A9UGlGzagUxng66tZjJOcQJyiebiyU3e0i9Mv MZAc+exFldhSjS6F0QgVac9rfWcUdlyOW1nuJOKoT+Phr6GnI5GkJYcZI uYZssPs+YVUbFEtGHGDSKI+7v5gNKR2KQG8UU0rlR8Ifn1aUXDtm3FlBs 8=; Authentication-Results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa3.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: 1Xv42v6vv9H4f21Bp8k5eR3v/Mwfm/KnI79Abul3Wm3J7gMqlTPdIjlDgVvBCg+pbtibGct67q v4HAGsJ3nz82Q5ynZgDfGVbeJe7Hi2sHLJjwvrFuHSisba8wlxFqtO/zQaYWkjaFmyVnPNnLFH /38bg0WC/p/EG7Er9vVHXoQm3ugF2v0l1TWzx9HZYQMm3MMsksMCXG/R+fdXhEmrTxwKaRwRFV sIe1gaOwmJ6sT4bzFNexpsZcK8GMxlWqwMcxDVQxXW/IvK0QVq9e3v10nr2w7SmpeKJ1HQp58g +TU= X-SBRS: 2.7 X-MesageID: 7320436 X-Ironport-Server: esa3.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.68,221,1569297600"; d="scan'208";a="7320436" From: Andrew Cooper To: Xen-devel Date: Wed, 23 Oct 2019 14:58:10 +0100 Message-ID: <20191023135812.21348-6-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191023135812.21348-1-andrew.cooper3@citrix.com> References: <20191023135812.21348-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v3 5/7] x86/livepatch: Fail the build if duplicate symbols exist X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Wei Liu , Konrad Rzeszutek Wilk , Andrew Cooper , Ross Lagerwall , Norbert Manthey , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) From: Ross Lagerwall The binary diffing algorithm used by xen-livepatch depends on having unique symbols. Signed-off-by: Ross Lagerwall The livepatch loading algorithm used by Xen resolves relocations by symbol name, and thus also depends on having unique symbols. Introduce CONFIG_ENFORCE_UNIQUE_SYMBOLS to control failing the build if duplicate symbols are found, and disable it in the RANDCONFIG build. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Ross Lagerwall CC: Konrad Rzeszutek Wilk CC: Norbert Manthey CC: Juergen Gross v3: * Use a new config option --- xen/arch/x86/Makefile | 1 + xen/common/Kconfig | 18 ++++++++++++++++-- xen/tools/kconfig/allrandom.config | 1 + xen/tools/symbols.c | 11 +++++++++-- 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile index 2443fd2cc5..6b369f21cb 100644 --- a/xen/arch/x86/Makefile +++ b/xen/arch/x86/Makefile @@ -99,6 +99,7 @@ endif =20 syms-warn-dup-y :=3D --warn-dup syms-warn-dup-$(CONFIG_SUPPRESS_DUPLICATE_SYMBOL_WARNINGS) :=3D +syms-warn-dup-$(CONFIG_ENFORCE_UNIQUE_SYMBOLS) :=3D --error-dup =20 $(TARGET): TMP =3D $(@D)/.$(@F).elf32 $(TARGET): $(TARGET)-syms $(efi-y) boot/mkelf32 diff --git a/xen/common/Kconfig b/xen/common/Kconfig index c9e671869e..4c837d6892 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -361,9 +361,23 @@ config FAST_SYMBOL_LOOKUP =20 If unsure, say Y. =20 +config ENFORCE_UNIQUE_SYMBOLS + bool "Enforce unique symbols" if LIVEPATCH + default y if LIVEPATCH + ---help--- + Multiple symbols with the same name aren't generally a problem + unless Live patching is to be used. + + Livepatch loading involves resolving relocations against symbol + names, and attempting to a duplicate symbol in a livepatch will + result in incorrect livepatch application. + + This option should be used to ensure that a build of Xen can have a + livepatch build and apply correctly. + config SUPPRESS_DUPLICATE_SYMBOL_WARNINGS - bool "Suppress duplicate symbol warnings" if !LIVEPATCH - default y if !LIVEPATCH + bool "Suppress duplicate symbol warnings" if !ENFORCE_UNIQUE_SYMBOLS + default y if !ENFORCE_UNIQUE_SYMBOLS ---help--- Multiple symbols with the same name aren't generally a problem unless Live patching is to be used, so these warnings can be diff --git a/xen/tools/kconfig/allrandom.config b/xen/tools/kconfig/allrand= om.config index 76f74320b5..c480896b96 100644 --- a/xen/tools/kconfig/allrandom.config +++ b/xen/tools/kconfig/allrandom.config @@ -2,3 +2,4 @@ =20 CONFIG_GCOV_FORMAT_AUTODETECT=3Dy CONFIG_UBSAN=3Dn +CONFIG_ENFORCE_UNIQUE_SYMBOLS=3Dn diff --git a/xen/tools/symbols.c b/xen/tools/symbols.c index 05139d1600..9f9e2c9900 100644 --- a/xen/tools/symbols.c +++ b/xen/tools/symbols.c @@ -599,7 +599,7 @@ static int compare_name(const void *p1, const void *p2) int main(int argc, char **argv) { unsigned int i; - bool unsorted =3D false, warn_dup =3D false; + bool unsorted =3D false, warn_dup =3D false, error_dup =3D false, found_d= up =3D false; =20 if (argc >=3D 2) { for (i =3D 1; i < argc; i++) { @@ -619,6 +619,8 @@ int main(int argc, char **argv) sort_by_name =3D 1; else if (strcmp(argv[i], "--warn-dup") =3D=3D 0) warn_dup =3D true; + else if (strcmp(argv[i], "--error-dup") =3D=3D 0) + warn_dup =3D error_dup =3D true; else if (strcmp(argv[i], "--xensyms") =3D=3D 0) map_only =3D true; else @@ -634,14 +636,19 @@ int main(int argc, char **argv) for (i =3D 1; i < table_cnt; ++i) if (strcmp(SYMBOL_NAME(table + i - 1), SYMBOL_NAME(table + i)) =3D=3D 0 && - table[i - 1].addr !=3D table[i].addr) + table[i - 1].addr !=3D table[i].addr) { fprintf(stderr, "Duplicate symbol '%s' (%llx !=3D %llx)\n", SYMBOL_NAME(table + i), table[i].addr, table[i - 1].addr); + found_dup =3D true; + } unsorted =3D true; } =20 + if (error_dup && found_dup) + exit(1); + if (unsorted) qsort(table, table_cnt, sizeof(*table), compare_value); =20 --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel From nobody Sat May 4 21:18:07 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=none dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1571839165; cv=none; d=zoho.com; s=zohoarc; b=DGVW1EEAtY+FBfO/i5v2t6Z43Zt3MWuafy8lkhjnqlZBqP6ggc2mkQ9Rgmk/oItyad6JeE6v79dusEJoJfmwDNUg7lHJTnvse9v8IBBGSO4DjDSNDVUXxwdeBBszQOKE4w9kVyS/Z7NqLjnT8nj+eDJysdES23qcJWiC60DXYvs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571839165; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=P3SjabRE4katI6jt+jABw+GULbXcvI1RRYGtOtVbM50=; b=GyekNWeHo0/0eibFhRL/IiQf4yJ1PQs28y/CHoScBVkp0nfpSqkC2KTjILry3rHmMDCOMqheJ2TLDwTwEt+6owPmDOne6lmAB/kPSBNQ6Gtouuzu8wf0esfJAbWC1qStathugZJ9Nh4U8Sp7flj4JMAGDYo+b66eO0CpzY/AU7M= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1571839165730345.59854084909136; Wed, 23 Oct 2019 06:59:25 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9a-0004gd-AX; Wed, 23 Oct 2019 13:58:22 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9Z-0004gO-1S for xen-devel@lists.xenproject.org; Wed, 23 Oct 2019 13:58:21 +0000 Received: from esa6.hc3370-68.iphmx.com (unknown [216.71.155.175]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id 2b5a2162-f59d-11e9-beca-bc764e2007e4; Wed, 23 Oct 2019 13:58:20 +0000 (UTC) X-Inumbo-ID: 2b5a2162-f59d-11e9-beca-bc764e2007e4 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1571839100; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=7NjtVJxZrMEM2nPKnjjLMnoA7KiIfqyigxYdKXulChY=; b=QdY5FP1PnKbqZstpc/byHVZ1FeOP7QHstnjo+ortYQ+pzrwTTs9cAS6g Ngw9bCTvnsNCMmAF2p1iY615OGfaQ18WKZbRZviQKLEzdfgV7qwjQrLSD i8u6GFfujoa6mDQSbyyNmnYv5o3tyS8/eMwKfeddl0NXWp/a4REgF6aDr M=; Authentication-Results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa6.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa6.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa6.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa6.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa6.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa6.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: XHU72YJIJSZaYJiyl/vTIGMtuAX4NaGZXlCp1B2hLn+jDKV8492sZwtAm1wJAxhJZGs4od0FiM OldIJcTv8h6sjSmgf6Isg9dd2skXXs/DBOZ0JLthTnga7f52kqvuAXsGK8jhqaFXeXEEbfzrgA RDd7BUkrDpryDqV5iJPF0Aj2IG/YzfUVTfrwHibxpujcSIvqwWjJ9W9njZB96iy1/AnvQUMrgp rDji37xxDXSn4QbmoHkzQNhi7AVlpOE+PUICi8jK0KHFLNgRBrXFpn6d8PyCofbVvP09NxPV9E LKw= X-SBRS: 2.7 X-MesageID: 7665756 X-Ironport-Server: esa6.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.68,221,1569297600"; d="scan'208";a="7665756" From: Andrew Cooper To: Xen-devel Date: Wed, 23 Oct 2019 14:58:11 +0100 Message-ID: <20191023135812.21348-7-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191023135812.21348-1-andrew.cooper3@citrix.com> References: <20191023135812.21348-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH for-next v3 6/7] x86/nospec: Move array_index_mask_nospec() into nospec.h X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Andrew Cooper , Wei Liu , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) system.h isn't an appropriate place to live, now that asm/nospec.h exists. This should arguably have been part of c/s db591d6e76e No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Juergen Gross This is probably post-4.13 content --- xen/include/asm-x86/nospec.h | 22 ++++++++++++++++++++++ xen/include/asm-x86/system.h | 24 ------------------------ xen/include/xen/nospec.h | 3 ++- 3 files changed, 24 insertions(+), 25 deletions(-) diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index f6eb84eee5..0039cd2713 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -6,6 +6,28 @@ =20 #include =20 +/** + * array_index_mask_nospec() - generate a mask that is ~0UL when the + * bounds check succeeds and 0 otherwise + * @index: array element index + * @size: number of elements in array + * + * Returns: + * 0 - (index < size) + */ +#define array_index_mask_nospec array_index_mask_nospec +static inline unsigned long array_index_mask_nospec(unsigned long index, + unsigned long size) +{ + unsigned long mask; + + asm volatile ( "cmp %[size], %[index]; sbb %[mask], %[mask];" + : [mask] "=3Dr" (mask) + : [size] "g" (size), [index] "r" (index) ); + + return mask; +} + /* Allow to insert a read memory barrier into conditionals */ static always_inline bool barrier_nospec_true(void) { diff --git a/xen/include/asm-x86/system.h b/xen/include/asm-x86/system.h index 069f422f0d..9f1b296855 100644 --- a/xen/include/asm-x86/system.h +++ b/xen/include/asm-x86/system.h @@ -233,30 +233,6 @@ static always_inline unsigned long __xadd( #define set_mb(var, value) do { xchg(&var, value); } while (0) #define set_wmb(var, value) do { var =3D value; smp_wmb(); } while (0) =20 -/** - * array_index_mask_nospec() - generate a mask that is ~0UL when the - * bounds check succeeds and 0 otherwise - * @index: array element index - * @size: number of elements in array - * - * Returns: - * 0 - (index < size) - */ -static inline unsigned long array_index_mask_nospec(unsigned long index, - unsigned long size) -{ - unsigned long mask; - - asm volatile ( "cmp %[size], %[index]; sbb %[mask], %[mask];" - : [mask] "=3Dr" (mask) - : [size] "g" (size), [index] "r" (index) ); - - return mask; -} - -/* Override default implementation in nospec.h. */ -#define array_index_mask_nospec array_index_mask_nospec - #define local_irq_disable() asm volatile ( "cli" : : : "memory" ) #define local_irq_enable() asm volatile ( "sti" : : : "memory" ) =20 diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..7578210f16 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -7,7 +7,8 @@ #ifndef XEN_NOSPEC_H #define XEN_NOSPEC_H =20 -#include +#include + #include =20 /** --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel From nobody Sat May 4 21:18:07 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=none dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1571839179; cv=none; d=zoho.com; s=zohoarc; b=mIrPcQYERz46c4Pqs9HwNK562S3D3DLn0Hu55W4BJ6DAw1IsUu7DKu6NZXQN977dYeVMqYId8J8blkABDq2weXkEKIgb9TRpfD/QfcASw/2jDVzYY1h22vOtbKEjIlADkxyd24EHTsaTjC8Ahga1DgXbZmKsWD7AwzvvcsR8ELY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571839179; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=sO+GuGSHENU6NdSBDwSuY/MWi1bieT2h6nm3/Hcnz14=; b=GTyZK6Gz0U0I2E6iR5Dempr2ikM0/63o4FlCXOpbJF2tr+/gLpQYKbpI1yhLx/Y60Aubr2uJI1KixuF1LR1Hc6oU/lPrCd/6K6L9d8G9adL0ErdNjbLNUBPgeKeGL1FOP9NY2PrzITWglZTm+PAuZ0BvxaPfzkyTG0W5WYEKOBk= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1571839179239771.5858011872488; Wed, 23 Oct 2019 06:59:39 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9o-0004nH-FV; Wed, 23 Oct 2019 13:58:36 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9m-0004mJ-Np for xen-devel@lists.xenproject.org; Wed, 23 Oct 2019 13:58:34 +0000 Received: from esa2.hc3370-68.iphmx.com (unknown [216.71.145.153]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 2ba9895a-f59d-11e9-947f-12813bfff9fa; Wed, 23 Oct 2019 13:58:20 +0000 (UTC) X-Inumbo-ID: 2ba9895a-f59d-11e9-947f-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1571839100; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=HKJkSbXcmX/kEnPedYeC0yfTtOaX516ggrC6KOT5BGE=; b=NGRw5Emq08+0nPDZEZ9FR2me7wvU56xvzN4NBxexyJWBpy1wU4+JA6lG SwQXp1V3j3jyvkkAWkzrC4UW86I5Wrd85jZCZcN+hlpJSD9P8mikT2CEC vCLmdg+P2ci9drLOBtdIK51Tx548bMRmfS+SgWU7wlHM7lf7gcdauFaC4 Q=; Authentication-Results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa2.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa2.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa2.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa2.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: CQlkvqemll8CyTNLaBa5YY25hrha+pcVxYWr7FuzBrS4yROwbYWSrtay5l2JX2yUKRK/qGs0CD K4xv2sdWHJasN2a5elDBf8o9HPAbZNE0ut46r8oA+hi9bPv7jiCCWbXzrNvlzPxDzPjVCPKsvm nSCVxTQJXfvVqsIBNewM0vY44EMhg7TQ08BR1nHV97ttspR+E+VAED45ysRGd7w26ntj1R27Rg FP3n+z+A23lTt+Db1QkKQrpYxR+6F+jbuKOTknWRyIDT+RAU2dNE3Atnk0/ZoAnXn87yd8URA8 rvI= X-SBRS: 2.7 X-MesageID: 7322263 X-Ironport-Server: esa2.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.68,221,1569297600"; d="scan'208";a="7322263" From: Andrew Cooper To: Xen-devel Date: Wed, 23 Oct 2019 14:58:12 +0100 Message-ID: <20191023135812.21348-8-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191023135812.21348-1-andrew.cooper3@citrix.com> References: <20191023135812.21348-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v3 7/7] x86/nospec: Optimise array_index_mask_nospec() for power-of-2 arrays X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Andrew Cooper , Wei Liu , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) When the compiler can determine that an array bound is a power of two, the array index can be bounded even under speculation with a single and instruction. Respecify array_index_mask_nospec() to allow for masks other than ~0 and 0, and introduce an IS_POWER_OF_2() helper. Signed-off-by: Andrew Cooper --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Juergen Gross This optimisation is not safe on ARM, because some CPUs do data value speculation, which is why the CSDB barrer was introduced. --- xen/include/asm-x86/nospec.h | 25 +++++++++++++++++++------ xen/include/xen/config.h | 1 + xen/include/xen/nospec.h | 3 ++- 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 0039cd2713..4f36069eac 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -7,13 +7,20 @@ #include =20 /** - * array_index_mask_nospec() - generate a mask that is ~0UL when the - * bounds check succeeds and 0 otherwise + * array_index_mask_nospec() - generate a mask to bound an array index + * which is safe even under adverse speculation. * @index: array element index * @size: number of elements in array * - * Returns: + * In general, returns: * 0 - (index < size) + * + * This yeild ~0UL in within-bounds case, and 0 in the out-of-bounds + * case. + * + * When the compiler can determine that the array is a power of two, a + * lower overhead option is to mask the index with a single and + * instruction. */ #define array_index_mask_nospec array_index_mask_nospec static inline unsigned long array_index_mask_nospec(unsigned long index, @@ -21,9 +28,15 @@ static inline unsigned long array_index_mask_nospec(unsi= gned long index, { unsigned long mask; =20 - asm volatile ( "cmp %[size], %[index]; sbb %[mask], %[mask];" - : [mask] "=3Dr" (mask) - : [size] "g" (size), [index] "r" (index) ); + if ( __builtin_constant_p(size) && IS_POWER_OF_2(size) ) + { + mask =3D size - 1; + OPTIMIZER_HIDE_VAR(mask); + } + else + asm volatile ( "cmp %[size], %[index]; sbb %[mask], %[mask];" + : [mask] "=3Dr" (mask) + : [size] "g" (size), [index] "r" (index) ); =20 return mask; } diff --git a/xen/include/xen/config.h b/xen/include/xen/config.h index a106380a23..21c763617c 100644 --- a/xen/include/xen/config.h +++ b/xen/include/xen/config.h @@ -75,6 +75,7 @@ #define GB(_gb) (_AC(_gb, ULL) << 30) =20 #define IS_ALIGNED(val, align) (((val) & ((align) - 1)) =3D=3D 0) +#define IS_POWER_OF_2(val) ((val) && IS_ALIGNED(val, val)) =20 #define __STR(...) #__VA_ARGS__ #define STR(...) __STR(__VA_ARGS__) diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 7578210f16..cfc31f11b7 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -12,7 +12,8 @@ #include =20 /** - * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 oth= erwise + * array_index_mask_nospec() - generate a mask to bound an array index + * which is safe even under adverse speculation. * @index: array element index * @size: number of elements in array * --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel