From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH 1/2] x86/spec-ctrl: Enumeration for PBRSB_NO
Date: Tue, 9 Aug 2022 18:00:15 +0100
Message-ID: <20220809170016.25148-2-andrew.cooper3@citrix.com>
In-Reply-To: <20220809170016.25148-1-andrew.cooper3@citrix.com>
References: <20220809170016.25148-1-andrew.cooper3@citrix.com>

The PBRSB_NO bit indicates that the CPU is not vulnerable to the Post-Barrier
RSB speculative vulnerability.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
---
 xen/arch/x86/include/asm/msr-index.h | 1 +
 xen/arch/x86/msr.c                   | 5 +++--
 xen/arch/x86/spec_ctrl.c             | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/as= m/msr-index.h index 1a928ea6af2f..0a8852f3c246 100644 --- a/xen/arch/x86/include/asm/msr-index.h +++ b/xen/arch/x86/include/asm/msr-index.h @@ -84,6 +84,7 @@ #define ARCH_CAPS_FB_CLEAR_CTRL (_AC(1, ULL) << 18) #define ARCH_CAPS_RRSBA (_AC(1, ULL) << 19) #define ARCH_CAPS_BHI_NO (_AC(1, ULL) << 20) +#define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) =20 #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c index 170f04179347..d2e2dc2a6b91 100644 --- a/xen/arch/x86/msr.c +++ b/xen/arch/x86/msr.c @@ -74,7 +74,8 @@ static void __init calculate_host_policy(void) ARCH_CAPS_SKIP_L1DFL | ARCH_CAPS_SSB_NO | ARCH_CAPS_MDS_NO | ARCH_CAPS_IF_PSCHANGE_MC_NO | ARCH_CAPS_TSX_CTRL | ARCH_CAPS_TAA_= NO | ARCH_CAPS_SBDR_SSDP_NO | ARCH_CAPS_FBSDP_NO | ARCH_CAPS_PSDP_NO | - ARCH_CAPS_FB_CLEAR | ARCH_CAPS_RRSBA | ARCH_CAPS_BHI_NO); + ARCH_CAPS_FB_CLEAR | ARCH_CAPS_RRSBA | ARCH_CAPS_BHI_NO | + ARCH_CAPS_PBRSB_NO); } =20 static void __init calculate_pv_max_policy(void) @@ -166,7 +167,7 @@ int init_domain_msr_policy(struct domain *d) ARCH_CAPS_SSB_NO | ARCH_CAPS_MDS_NO | ARCH_CAPS_IF_PSCHANGE_M= C_NO | ARCH_CAPS_TAA_NO | ARCH_CAPS_SBDR_SSDP_NO | ARCH_CAPS_FBSDP_N= O | ARCH_CAPS_PSDP_NO | ARCH_CAPS_FB_CLEAR | ARCH_CAPS_RRSBA | - ARCH_CAPS_BHI_NO); + ARCH_CAPS_BHI_NO | ARCH_CAPS_PBRSB_NO); } =20 d->arch.msr =3D mp; diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index d2cd5459739f..160cc68086c6 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c 
@@ -419,7 +419,7 @@ static void __init print_details(enum ind_thunk thunk, = uint64_t caps) * Hardware read-only information, stating immunity to certain issues,= or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" = : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL"= : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" = : "", 
@@ -431,6 +431,7 @@ static void __init print_details(enum ind_thunk thunk, = uint64_t caps) (caps & ARCH_CAPS_SBDR_SSDP_NO) ? " SBDR_SSDP= _NO" : "", (caps & ARCH_CAPS_FBSDP_NO) ? " FBSDP_NO"= : "", (caps & ARCH_CAPS_PSDP_NO) ? " PSDP_NO" = : "", + (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO"= : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWA= YS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALW= AYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST= " : "", --=20 2.11.0
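
Review bot: In the msr-index.h hunk of patch 1/2, ARCH_CAPS_PBRSB_NO is defined as bit 24 directly after ARCH_CAPS_BHI_NO on bit 20, leaving bits 21-23 undefined with nothing to show the gap is deliberate. A one-line comment marking those bits as not yet consumed by Xen would stop a later reader from taking the shift value for a typo.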
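
Review bot: The commit message of patch 1/2 speaks only of enumeration, but the second msr.c hunk also adds ARCH_CAPS_PBRSB_NO to the mask built in init_domain_msr_policy(), so the bit becomes part of a domain's MSR policy and not just the host policy. Please say so in the commit message and state which domains are meant to see it, since a guest that reads PBRSB_NO can reasonably skip its own mitigation on the strength of it.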
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH 2/2] x86/spec-ctrl: Reduce HVM RSB overhead where possible
Date: Tue, 9 Aug 2022 18:00:16 +0100
Message-ID: <20220809170016.25148-3-andrew.cooper3@citrix.com>
In-Reply-To: <20220809170016.25148-1-andrew.cooper3@citrix.com>
References: <20220809170016.25148-1-andrew.cooper3@citrix.com>

The documentation for eIBRS has finally been clarified to state that it is
intended to flush the RSB on VMExit. So in principle, we shouldn't have been
using opt_rsb_hvm on eIBRS hardware.

However, dropping the 32 entry RSB stuff makes us vulnerable to Post-Barrier
RSB speculation on affected Intel CPUs.

Introduce hvm_rsb_calculations() which selects between a 32-entry stuff, a
PBRSB specific workaround, or nothing, based on hardware details.

To mitigate PBRSB, put an LFENCE at the top of vmx_vmexit_handler(). This
forces the necessary safety property, without having to do a 1-entry RSB stuff
and fix up the stack(s) afterwards.

Update opt_rsb_hvm to be tristate. On eIBRS-capable CPUs not susceptible to
PBRSB, this disables HVM RSB software protections entirely. On eIBRS-capable
CPUs susceptible to PBRSB, this reduces a 32-entry RSB stuff down to just
one LFENCE.

Signed-off-by: Andrew Cooper
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
---
 xen/arch/x86/hvm/vmx/entry.S           |   1 +
 xen/arch/x86/hvm/vmx/vmx.c             |  20 ++++++-
 xen/arch/x86/include/asm/cpufeatures.h |   1 +
 xen/arch/x86/spec_ctrl.c               | 103 ++++++++++++++++++++++++++++++++-
 4 files changed, 120 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index 5f5de45a1309..222495aed19f 100644 --- a/xen/arch/x86/hvm/vmx/entry.S 
+++ b/xen/arch/x86/hvm/vmx/entry.S @@ -44,6 +44,7 @@ ENTRY(vmx_asm_vmexit_handler) .endm ALTERNATIVE "", restore_spec_ctrl, X86_FEATURE_SC_MSR_HVM /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + /* On PBRSB-vulenrable hardware, `ret` not safe before the start o= f vmx_vmexit_handler() */ =20 /* Hardware clears MSR_DEBUGCTL on VMExit. Reinstate it if debugg= ing Xen. */ .macro restore_lbr diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 17e103188a53..8a6a5cf20525 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -3934,8 +3934,24 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs) { unsigned long exit_qualification, exit_reason, idtv_info, intr_info = =3D 0; unsigned int vector =3D 0, mode; - struct vcpu *v =3D current; - struct domain *currd =3D v->domain; + struct vcpu *v; + struct domain *currd; + + /* + * To mitigate Post-Barrier RSB speculation, we must force one CALL + * instruction to retire before letting a RET instruction execute. + * + * On PBRSB-vulnerable CPUs, it is not safe for a RET to be executed + * before this point. + * + * Defer any non-trivial variable initialisation to avoid problems if = the + * compiler decides to out-of-line any helpers. This depends on + * alternative() being a full compiler barrier too. + */ + alternative("", "lfence", X86_BUG_PBRSB); + + v =3D current; + currd =3D v->domain; =20 __vmread(GUEST_RIP, ®s->rip); __vmread(GUEST_RSP, ®s->rsp); diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/= asm/cpufeatures.h index 672c9ee22ba2..fdb9bff833c1 100644 --- a/xen/arch/x86/include/asm/cpufeatures.h +++ b/xen/arch/x86/include/asm/cpufeatures.h 
@@ -49,6 +49,7 @@ XEN_CPUFEATURE(IBPB_ENTRY_HVM, X86_SYNTH(29)) /* MSR_P= RED_CMD used by Xen for #define X86_BUG_FPU_PTRS X86_BUG( 0) /* (F)X{SAVE,RSTOR} doesn't = save/restore FOP/FIP/FDP. */ #define X86_BUG_NULL_SEG X86_BUG( 1) /* NULL-ing a selector prese= rves the base and limit. */ #define X86_BUG_CLFLUSH_MFENCE X86_BUG( 2) /* MFENCE needed to serialis= e CLFLUSH */ +#define X86_BUG_PBRSB X86_BUG( 3) /* CPU suffers from Post-Bar= rier RSB speculation */ =20 /* Total number of capability words, inc synth and bug words. */ #define NCAPINTS (FSCAPINTS + X86_NR_SYNTH + X86_NR_BUG) /* N 32-bit words= worth of info */ diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 160cc68086c6..ffad202200ad 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -35,7 +35,7 @@ static bool __initdata opt_msr_sc_pv =3D true; static bool __initdata opt_msr_sc_hvm =3D true; static int8_t __initdata opt_rsb_pv =3D -1; -static bool __initdata opt_rsb_hvm =3D true; +static int8_t __initdata opt_rsb_hvm =3D -1; static int8_t __ro_after_init opt_md_clear_pv =3D -1; static int8_t __ro_after_init opt_md_clear_hvm =3D -1; =20 @@ -515,7 +515,8 @@ static void __init print_details(enum ind_thunk thunk, = uint64_t caps) boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || opt_eager_fpu || opt_md_clear_hvm) ? "" : = " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : = "", - boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : = "", + boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : + boot_cpu_has(X86_BUG_PBRSB) ? " PBRSB" : = "", opt_eager_fpu ? " EAGER_FPU" : = "", opt_md_clear_hvm ? " MD_CLEAR" : = "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : = ""); 
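
Review bot: In the print_details() hunk, the " None" condition a few lines above the changed line is left as it was and so cannot test X86_BUG_PBRSB, which this patch introduces. If the LFENCE is the only HVM protection in force, the summary line would print " None" followed by " PBRSB"; add boot_cpu_has(X86_BUG_PBRSB) to that condition. The new nested conditional `boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : boot_cpu_has(X86_BUG_PBRSB) ? " PBRSB" : ""` would also read better with the inner conditional parenthesised.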
@@ -718,6 +719,77 @@ static bool __init rsb_is_full_width(void) return true; } =20 +/* + * HVM guests can create arbitrary RSB entries, including ones which point= at + * Xen supervisor mappings. + * + * Traditionally, the RSB is not isolated on vmexit, so Xen needs to take + * safety precautions to prevent RSB speculation from consuming guest valu= es. + * + * Intel eIBRS specifies that the RSB is flushed: + * 1) on VMExit when IBRS=3D1, or + * 2) shortly thereafter when Xen restores the host IBRS=3D1 setting. + * However, a subset of eIBRS-capable parts also suffer PBRSB and need + * software assistance to maintain RSB safety. + */ +static __init enum hvm_rsb { + hvm_rsb_none, + hvm_rsb_pbrsb, + hvm_rsb_stuff32, +} hvm_rsb_calculations(uint64_t caps) +{ + if ( boot_cpu_data.x86_vendor !=3D X86_VENDOR_INTEL || + boot_cpu_data.x86 !=3D 6 ) + return hvm_rsb_stuff32; + + if ( !(caps & ARCH_CAPS_IBRS_ALL) ) + return hvm_rsb_stuff32; + + if ( caps & ARCH_CAPS_PBRSB_NO ) + return hvm_rsb_none; + + /* + * We're choosing between the eIBRS-capable models which don't enumera= te + * PBRSB_NO. Earlier steppings of some models don't enumerate eIBRS a= nd + * are excluded above. + */ + switch ( boot_cpu_data.x86_model ) + { + /* + * Core (inc Hybrid) CPUs to date (August 2022) are vulenrable. + */ + case 0x55: /* Skylake X */ + case 0x6a: /* Ice Lake SP */ + case 0x6c: /* Ice Lake D */ + case 0x7e: /* Ice Lake client */ + case 0x8a: /* Lakefield (SNC/TMT) */ + case 0x8c: /* Tiger Lake U */ + case 0x8d: /* Tiger Lake H */ + case 0x8e: /* Skylake-L */ + case 0x97: /* Alder Lake S */ + case 0x9a: /* Alder Lake H/P/U */ + case 0x9e: /* Skylake */ + case 0xa5: /* Comet Lake */ + case 0xa6: /* Comet Lake U62 */ + case 0xa7: /* Rocket Lake */ + return hvm_rsb_pbrsb; + + /* + * Atom CPUs are not vulnerable. 
+ */ + case 0x7a: /* Gemini Lake */ + case 0x86: /* Snow Ridge (Tremont) */ + case 0x96: /* Elkhart Lake (Tremont) */ + case 0x9c: /* Jasper Lake (Tremont) */ + return hvm_rsb_none; + + default: + printk("Unrecognised CPU model %#x - using software HVM RSB mitiga= tions\n", + boot_cpu_data.x86_model); + return hvm_rsb_stuff32; + } +} + /* Calculate whether this CPU speculates past #NM */ static bool __init should_use_eager_fpu(void) { @@ -1110,6 +1182,7 @@ void spec_ctrl_init_domain(struct domain *d) void __init init_speculation_mitigations(void) { enum ind_thunk thunk =3D THUNK_DEFAULT; + enum hvm_rsb hvm_rsb; bool has_spec_ctrl, ibrs =3D false, hw_smt_enabled; bool cpu_has_bug_taa; uint64_t caps =3D 0; @@ -1327,9 +1400,33 @@ void __init init_speculation_mitigations(void) * HVM guests can always poison the RSB to point at Xen supervisor * mappings. */ + hvm_rsb =3D hvm_rsb_calculations(caps); + if ( opt_rsb_hvm =3D=3D -1 ) + opt_rsb_hvm =3D hvm_rsb !=3D hvm_rsb_none; + if ( opt_rsb_hvm ) { - setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); + switch ( hvm_rsb ) + { + case hvm_rsb_pbrsb: + setup_force_cpu_cap(X86_BUG_PBRSB); + break; + + case hvm_rsb_none: + /* + * Somewhat arbitrary. If something is wrong and the user has + * forced HVM RSB protections on a system where we think nothi= ng + * is necessary, they they possibly know something we dont. + * + * Use stuff32 in this case, which is the most protection we c= an + * muster. + */ + fallthrough; + + case hvm_rsb_stuff32: + setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); + break; + } =20 /* * For SVM, Xen's RSB safety actions are performed before STGI, so --=20 2.11.0
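
Review bot: In the vmx_vmexit_handler() hunk, the guarantee that no RET executes before the LFENCE rests entirely on the compiler emitting nothing but a plain prologue ahead of alternative(), and the comment only records that assumption ("This depends on alternative() being a full compiler barrier too"). A compiler barrier constrains reordering around the asm statement; it does not by itself prevent a build option from placing a CALL/RET pair in the prologue. Please state which build configurations are known to be safe, or add a check on the generated code so that a toolchain or config change cannot silently remove the property.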
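
Review bot: In the init_speculation_mitigations() hunk, setup_force_cpu_cap(X86_BUG_PBRSB) sits inside `if ( opt_rsb_hvm )`, so the bit means "PBRSB workaround enabled" and not what the cpufeatures.h comment says ("CPU suffers from Post-Barrier RSB speculation"). On a vulnerable CPU with the option turned off, boot_cpu_has(X86_BUG_PBRSB) is false. Either set the bug bit from hvm_rsb_calculations() unconditionally and gate the LFENCE on a separate synthetic feature, or reword the cpufeatures.h comment to match how the bit is used.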
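
Review bot: opt_rsb_hvm changes from a bool defaulting to true to an int8_t defaulting to -1, yet the diffstat touches no documentation and none of the spec_ctrl.c hunks touch the option parsing. The command line documentation should describe the new hardware-dependent default, and that forcing the option on for hardware judged safe selects the 32-entry stuff (the hvm_rsb_none fallthrough). Please also confirm that every existing path which assigns opt_rsb_hvm still leaves it at 0 or 1 and never at -1 after parsing.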
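
Review bot: Spelling in the added comments: "vulenrable" appears in the hvm_rsb_calculations() switch comment and in the entry.S comment, and the hvm_rsb_none case comment has "they they" and "dont".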