From nobody Tue Feb 10 04:15:18 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=none dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1571839174; cv=none; d=zoho.com; s=zohoarc; b=HuUbVq9xyWR7+CpH8ztcr0W/dTN8qttuMrcgwIEZVV89zrM+9oZgvcwYwZ9kLGafGPXVIFCfwIs8pQz5I+ZdlPBGa0PmaahNff3EcjTlnagZput4baeQko3XjTho19buQAwUrHGchsBEElBrfyXCWJAjg1cOJF6FHFC/NytY1as= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571839174; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=mtr4cBSQmbdNIp8UmdI4PdgkPkifMtSYaQjS7zH/kyg=; b=T45z4i7c+wbKMfPJalE1Xn68i/Nsx30dS7Ojq2es+cCCzfbXBbImvOgO9BGRtCaNGi4dJY3C581mKnQc86xQPoCWjclT2dpyTURWsG666hI3wVsLKaw3V97rUllKs7IlJ5XVP6PGTgAzQNZcrbBfHW3ymW7r4WNGG+rppPxAhTk= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=fail; spf=none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1571839174235942.9882764864718; Wed, 23 Oct 2019 06:59:34 -0700 (PDT) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9i-0004jk-U2; Wed, 23 Oct 2019 13:58:30 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iNH9h-0004j7-Nm for xen-devel@lists.xenproject.org; Wed, 23 Oct 2019 13:58:29 +0000 Received: from esa4.hc3370-68.iphmx.com (unknown [216.71.155.144]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 2ac94fca-f59d-11e9-947f-12813bfff9fa; Wed, 23 Oct 2019 13:58:19 +0000 (UTC) X-Inumbo-ID: 2ac94fca-f59d-11e9-947f-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1571839099; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=4VuKkBqZ2Kta2Y4r87MDlI7noHQgx33B3BrfYmdOdtI=; b=K2AME3WVkqrp63d6Q5dVMJ/yYMutcHSlj/03lDwABwTF6TmVgwigMh9D metlAIw/3UNzFz4WgRmNyMcngu4FarQ6LaOg0IdNDXSxc83SAPCGxsXuE 6iNXroAxxHQhp68bV5mD4+4pHrsmtumJOoqrb2ARLQuCP2HyNWGbrv+GM g=; Authentication-Results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: none (zoho.com: 192.237.175.120 is neither permitted nor denied by domain of lists.xenproject.org) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Received-SPF: None (esa4.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa4.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ip4:168.245.78.127 ~all" Received-SPF: None (esa4.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: IZib/t/EeiHoxXWGbWQFKYxxaO6mATIdDlrRkU89FjB42teDowVqZSw04zSOlMH3ODuXJKlKEN w8SUC4fz4yTfgNTPO14OgMf6+4BiRhzfZ65Yhhn3fUYjcNuWfRSUC636AoQ5nQ7qsMe8MJqisT p3LUovIzvcXAPFYaMpatkAPQ/erVxak7dfnTFZqDXLXZLmxP3My0P2PRkxowU9Na5ixqc+Ramw Fkdcg9L2LGNc7Y4Iiq+NKbsGUMesY2PQ38mBOam1nEzRPWvbU4tT4GSWS9F9K94UcsdbbtcNq3 hsI= X-SBRS: 2.7 X-MesageID: 7760075 X-Ironport-Server: esa4.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.68,221,1569297600"; d="scan'208";a="7760075" From: Andrew Cooper To: Xen-devel Date: Wed, 23 Oct 2019 14:58:09 +0100 Message-ID: <20191023135812.21348-5-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191023135812.21348-1-andrew.cooper3@citrix.com> References: <20191023135812.21348-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v3 4/7] x86/nospec: Rename and rework l1tf-barrier as branch-harden X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Andrew Cooper , Wei Liu , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) l1tf-barrier is an inappropriate name, and came about because of restrictio= ns on could be discussed publicly when the patches were proposed. In practice, it is for general Spectre v1 mitigations, and is necessary in = all cases. An adversary which can control speculation in Xen can leak data in cross-core (BCBS, etc) or remote (NetSpectre) scenarios - the problem is not limited to just L1TF with HT active. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monn=C3=A9 CC: Juergen Gross v3: * New In principle it should be tristate and being disabled by default on parts which don't speculate, but it is too late in 4.13 to organise this. --- docs/misc/xen-command-line.pandoc | 11 +++++------ xen/arch/x86/spec_ctrl.c | 17 +++++++---------- xen/include/asm-x86/cpufeatures.h | 2 +- xen/include/asm-x86/nospec.h | 2 +- xen/include/asm-x86/spec_ctrl.h | 2 +- 5 files changed, 15 insertions(+), 19 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index 67df80c50d..e37a13ed11 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1960,7 +1960,7 @@ By default SSBD will be mitigated at runtime (i.e `ss= bd=3Druntime`). ### spec-ctrl (x86) > `=3D List of [ , xen=3D, {pv,hvm,msr-sc,rsb,md-clear}=3D, > bti-thunk=3Dretpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu, -> l1d-flush,l1tf-barrier}=3D ]` +> l1d-flush,branch-harden}=3D ]` =20 Controls for speculative execution sidechannel mitigations. By default, X= en will pick the most appropriate mitigations based on compiled in support, @@ -2032,11 +2032,10 @@ Irrespective of Xen's setting, the feature is virtu= alised for HVM guests to use. By default, Xen will enable this mitigation on hardware believed to = be vulnerable to L1TF. =20 -On hardware vulnerable to L1TF, the `l1tf-barrier=3D` option can be used t= o force -or prevent Xen from protecting evaluations inside the hypervisor with a ba= rrier -instruction to not load potentially secret information into L1 cache. By -default, Xen will enable this mitigation on hardware believed to be vulner= able -to L1TF. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_BRANCH`, the +`branch-harden=3D` boolean can be used to force or prevent Xen from using +speculation barriers to protect selected conditional branches. By default, +Xen will enabled this mitigation. =20 ### sync_console > `=3D ` diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index ee5439a371..e74e0cc619 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -52,7 +52,7 @@ bool __read_mostly opt_ibpb =3D true; bool __read_mostly opt_ssbd =3D false; int8_t __read_mostly opt_eager_fpu =3D -1; int8_t __read_mostly opt_l1d_flush =3D -1; -int8_t __read_mostly opt_l1tf_barrier =3D -1; +bool __read_mostly opt_branch_harden =3D true; =20 bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -97,7 +97,7 @@ static int __init parse_spec_ctrl(const char *s) if ( opt_pv_l1tf_domu < 0 ) opt_pv_l1tf_domu =3D 0; =20 - opt_l1tf_barrier =3D 0; + opt_branch_harden =3D false; =20 disable_common: opt_rsb_pv =3D false; @@ -174,8 +174,8 @@ static int __init parse_spec_ctrl(const char *s) opt_eager_fpu =3D val; else if ( (val =3D parse_boolean("l1d-flush", s, ss)) >=3D 0 ) opt_l1d_flush =3D val; - else if ( (val =3D parse_boolean("l1tf-barrier", s, ss)) >=3D 0 ) - opt_l1tf_barrier =3D val; + else if ( (val =3D parse_boolean("branch-harden", s, ss)) >=3D 0 ) + opt_branch_harden =3D val; else rc =3D -EINVAL; =20 @@ -348,7 +348,7 @@ static void __init print_details(enum ind_thunk thunk, = uint64_t caps) opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", - opt_l1tf_barrier ? " L1TF_BARRIER" : "= "); + opt_branch_harden ? " BRANCH_HARDEN" : = ""); =20 /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. = */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1033,11 +1033,8 @@ void __init init_speculation_mitigations(void) else if ( opt_l1d_flush =3D=3D -1 ) opt_l1d_flush =3D cpu_has_bug_l1tf && !(caps & ARCH_CAPS_SKIP_L1DF= L); =20 - /* By default, enable L1TF_VULN on L1TF-vulnerable hardware */ - if ( opt_l1tf_barrier =3D=3D -1 ) - opt_l1tf_barrier =3D cpu_has_bug_l1tf && (opt_smt || !opt_l1d_flus= h); - if ( opt_l1tf_barrier > 0 ) - setup_force_cpu_cap(X86_FEATURE_SC_L1TF_VULN); + if ( opt_branch_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_BRANCH_HARDEN); =20 /* * We do not disable HT by default on affected hardware. diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufea= tures.h index 91eccf5161..b9d3cac975 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -27,7 +27,7 @@ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP = gets used by Xen itself XEN_CPUFEATURE(LFENCE_DISPATCH, X86_SYNTH(12)) /* lfence set as Dispatch= Serialising */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ -XEN_CPUFEATURE(SC_L1TF_VULN, X86_SYNTH(15)) /* L1TF protection requir= ed */ +XEN_CPUFEATURE(SC_BRANCH_HARDEN, X86_SYNTH(15)) /* Conditional Branch Har= dening */ XEN_CPUFEATURE(SC_MSR_PV, X86_SYNTH(16)) /* MSR_SPEC_CTRL used by = Xen for PV */ XEN_CPUFEATURE(SC_MSR_HVM, X86_SYNTH(17)) /* MSR_SPEC_CTRL used by = Xen for HVM */ XEN_CPUFEATURE(SC_RSB_PV, X86_SYNTH(18)) /* RSB overwrite needed f= or PV */ diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 154e92aed8..f6eb84eee5 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -10,7 +10,7 @@ static always_inline bool barrier_nospec_true(void) { #ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH - alternative("", "lfence", X86_FEATURE_SC_L1TF_VULN); + alternative("", "lfence", X86_FEATURE_SC_BRANCH_HARDEN); #endif return true; } diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctr= l.h index 1339ddd7ef..9caecddfec 100644 --- a/xen/include/asm-x86/spec_ctrl.h +++ b/xen/include/asm-x86/spec_ctrl.h @@ -37,7 +37,7 @@ extern bool opt_ibpb; extern bool opt_ssbd; extern int8_t opt_eager_fpu; extern int8_t opt_l1d_flush; -extern int8_t opt_l1tf_barrier; +extern bool opt_branch_harden; =20 extern bool bsp_delay_spec_ctrl; extern uint8_t default_xen_spec_ctrl; --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel