From nobody Mon May 6 00:48:05 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=reject dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1672446654; cv=none; d=zohomail.com; s=zohoarc; b=JKaBdkoIFaQ8/u5EvoH7isfhr6+NDT/4JCkseg/Wv99RjPtdFhMmQLSFX5TZmHxVn8iusI+Ven5MGpfAN/bCy6y+ijRWOz4dMEbvu1v3jmX7UtL6BSBEwulxuAHKi5eLryUd2qZxA3uxjmYqf8yMW188FwMxE5hpagw7bSk2y6Q= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1672446654; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=qgxrQ2FMM1O4l61OvAN/5O8yQY8gmvAdbw117hgDpow=; b=OKwtt7LfnQNexPvtK+xmI4e9gA7g1qFSvnDLzt46xeTRoZaZJQLYNWZQo+WYQAugovhibj/ACqluDd5TUtfufX1tkXPC/DrSBSF3Hwf9r1p7BLbSfhH1VkZ2Z54mQmjhugQjD1hhdXvLJKWy8GNjW6+ojth3pVGAUW7t8LpAT8Q= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 167244665443757.40397879337354; Fri, 30 Dec 2022 16:30:54 -0800 (PST) Received: from list by lists.xenproject.org with outflank-mailman.469952.729416 (Exim 4.92) (envelope-from ) id 1pBPlZ-0001y9-Sa; Sat, 31 Dec 2022 00:30:25 +0000 Received: by outflank-mailman (output) from mailman id 469952.729416; Sat, 31 Dec 2022 00:30:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1pBPlZ-0001xy-Os; Sat, 31 Dec 2022 00:30:25 +0000 Received: by outflank-mailman (input) for mailman id 469952; Sat, 31 Dec 2022 00:30:24 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1pBPlY-0001Tf-IL for xen-devel@lists.xenproject.org; Sat, 31 Dec 2022 00:30:24 +0000 Received: from esa6.hc3370-68.iphmx.com (esa6.hc3370-68.iphmx.com [216.71.155.175]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 4e3d10c4-88a2-11ed-8fd4-01056ac49cbb; Sat, 31 Dec 2022 01:30:21 +0100 (CET) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 4e3d10c4-88a2-11ed-8fd4-01056ac49cbb DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1672446621; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=H4aei8fxCJmeHTiWvlRflD56P4is8vavRwFfFPdiM2k=; b=CkckY2QgR/zJsXod0NJJMuKJYg6JjTa7xN7KEbhAkgnF7Xm0YIPi026z KtKkrbHn/Kdpn/ID85BRyxWH2SNRoMbIeDp9/mEIETSQHTy5GbDBXUfw4 qAGrJGQ17HLWjW+r51GdCL1qrrSgrBZ9ELKJSHtNfQoYzYu1rgLQaEKAa o=; Authentication-Results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 4.0 X-MesageID: 90146733 X-Ironport-Server: esa6.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.83 X-Policy: $RELAYED IronPort-Data: A9a23:uI0LSqM0u8XvmHnvrR2rl8FynXyQoLVcMsEvi/4bfWQNrUpxhWRSy TAcWGjVafmMN2T2edh2a4i+pkhT6p+EzdZrSQto+SlhQUwRpJueD7x1DKtS0wC6dZSfER09v 63yTvGacajYm1eF/k/F3oDJ9CU6jufQA+KmU4YoAwgpLSd8UiAtlBl/rOAwh49skLCRDhiE/ Nj/uKUzAnf8s9JPGj9SuvzrRC9H5qyo4mpC5QRmOZingXeF/5UrJMNHTU2OByOQrrl8RoaSW +vFxbelyWLVlz9F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq/0Te5p0TJvsEAXq7vh3S9zxHJ HehgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/ZqAJGpfh66wGMa04AWEX0t5pPFNO1 tECESEAdjaYrM2T+5S3V8A506zPLOGzVG8eknRpzDWfBvc6W5HTBa7N4Le03h9p2JoIR6yHI ZNEN3w/N3wsYDUWUrsTILs4kP2lmT/UdDpApUjOjaE2/3LS3Ep6172F3N/9K4TTGZsKxR3wS mTu0GXeLzwDboamkyOdq02Pj76SgAzZYddHfFG/3qEz2wDCroAJMzUJUXOrrP//jVSxM/p9A UEJ/islrYAp6VemCNL6WnWQsHOC+xIRRddUO+k78x2WjLrZ5R6DAWoJRSIHb8Yp3PLaXhRzi AXPxYmwQ2Uy7vvFEhpx64t4sxuKJxUnLUwvfxYVQBMj+PLMhboVgg/mG4ML/LGOsvX5HjT5w javpSc4hqkOgcNj65hX7WwrkBr3+MGXE1ddChH/Gzv8s1gnPNLNi5mAswCz0BpWEGqOorBtV lAgktPW0u0BBIrleMelELRUR+HBCxpo3VThbb9T83sJrW/FF52LJ9o4DNRCyKBBbK45lcfBO hO7hO+ozMY70IGWRaF2eZmtLM8h0LLtE9/oPtiNMIUUPsIsLlPXrHszDaJ144wKuBF2+ZzTx L/BKZr8ZZrkIf8PIMWKqxc1juZwm3FWKZL7TpHn1RW3uYejiIquYe5dajOmN7lphJ5oVS2Jq 76zwePWkUQAOAA/CwGLmbMuwacidylqXsCq8ZIGL4Zu4GNOQQkcNhMY+pt5E6QNokifvr2gE q2VMqOA9GfCuA== IronPort-HdrOrdr: A9a23:XCjnkKioi15Ys+BqMYs39cmDzHBQXv0ji2hC6mlwRA09TyX+rb HSoB17726PtN91YhodcL+7WZVoLUmsl6KdmLNhW4tKIjOWw1dAXbsD0WKK+VSJdxEWkNQtrJ uIXJIRNDSaNykYsS+V2njcLz48q+PpzEjh7d21858mJTsGV0nghD0JbjpyeydNNW577XpQLu vl2vZ6 X-IronPort-AV: E=Sophos;i="5.96,288,1665460800"; d="scan'208";a="90146733" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Wei Liu Subject: [PATCH 1/2] x86/cpuid: Infrastructure for leaves 7:1{ecx,edx} Date: Sat, 31 Dec 2022 00:30:06 +0000 Message-ID: <20221231003007.26916-2-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20221231003007.26916-1-andrew.cooper3@citrix.com> References: <20221231003007.26916-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @citrix.com) X-ZM-MESSAGEID: 1672446655822000004 We don't actually need ecx yet, but adding it in now will reduce the amount= to which leaf 7 is out of order in a featureset. cpufeatureset.h remains in leaf architectrual order for the sanity of anyone trying to locate where to insert new rows. Signed-off-by: Andrew Cooper --- CC: Jan Beulich CC: Roger Pau Monn=C3=A9 CC: Wei Liu --- tools/misc/xen-cpuid.c | 10 ++++++++++ xen/arch/x86/cpu/common.c | 3 ++- xen/include/public/arch-x86/cpufeatureset.h | 3 +++ xen/include/xen/lib/x86/cpuid.h | 15 ++++++++++++++- 4 files changed, 29 insertions(+), 2 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index d5833e9ce879..0091a11a67bc 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -202,6 +202,14 @@ static const char *const str_7b1[32] =3D [ 0] =3D "ppin", }; =20 +static const char *const str_7c1[32] =3D +{ +}; + +static const char *const str_7d1[32] =3D +{ +}; + static const char *const str_7d2[32] =3D { [ 0] =3D "intel-psfd", @@ -229,6 +237,8 @@ static const struct { { "0x80000021.eax", "e21a", str_e21a }, { "0x00000007:1.ebx", "7b1", str_7b1 }, { "0x00000007:2.edx", "7d2", str_7d2 }, + { "0x00000007:1.ecx", "7b1", str_7c1 }, + { "0x00000007:1.edx", "7b1", str_7d1 }, }; =20 #define COL_ALIGN "18" diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c index 0412dbc915e5..b3fcf4680f3a 100644 --- a/xen/arch/x86/cpu/common.c +++ b/xen/arch/x86/cpu/common.c @@ -450,7 +450,8 @@ static void generic_identify(struct cpuinfo_x86 *c) cpuid_count(7, 1, &c->x86_capability[FEATURESET_7a1], &c->x86_capability[FEATURESET_7b1], - &tmp, &tmp); + &c->x86_capability[FEATURESET_7c1], + &c->x86_capability[FEATURESET_7d1]); if (max_subleaf >=3D 2) cpuid_count(7, 2, &tmp, &tmp, &tmp, diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/publ= ic/arch-x86/cpufeatureset.h index 7915f5826f57..7a896f0e2d92 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -288,6 +288,9 @@ XEN_CPUFEATURE(NSCB, 11*32+ 6) /*A Null = Selector Clears Base (and /* Intel-defined CPU features, CPUID level 0x00000007:1.ebx, word 12 */ XEN_CPUFEATURE(INTEL_PPIN, 12*32+ 0) /* Protected Processor Inve= ntory Number */ =20 +/* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */ +/* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */ + /* Intel-defined CPU features, CPUID level 0x00000007:2.edx, word 13 */ XEN_CPUFEATURE(INTEL_PSFD, 13*32+ 0) /*A MSR_SPEC_CTRL.PSFD */ XEN_CPUFEATURE(IPRED_CTRL, 13*32+ 1) /* MSR_SPEC_CTRL.IPRED_DIS_= * */ diff --git a/xen/include/xen/lib/x86/cpuid.h b/xen/include/xen/lib/x86/cpui= d.h index 73a5c330365e..fa98b371eef4 100644 --- a/xen/include/xen/lib/x86/cpuid.h +++ b/xen/include/xen/lib/x86/cpuid.h @@ -18,6 +18,8 @@ #define FEATURESET_e21a 11 /* 0x80000021.eax */ #define FEATURESET_7b1 12 /* 0x00000007:1.ebx */ #define FEATURESET_7d2 13 /* 0x00000007:2.edx */ +#define FEATURESET_7c1 14 /* 0x00000007:1.ecx */ +#define FEATURESET_7d1 15 /* 0x00000007:1.edx */ =20 struct cpuid_leaf { @@ -194,7 +196,14 @@ struct cpuid_policy uint32_t _7b1; struct { DECL_BITFIELD(7b1); }; }; - uint32_t /* c */:32, /* d */:32; + union { + uint32_t _7c1; + struct { DECL_BITFIELD(7c1); }; + }; + union { + uint32_t _7d1; + struct { DECL_BITFIELD(7d1); }; + }; =20 /* Subleaf 2. */ uint32_t /* a */:32, /* b */:32, /* c */:32; @@ -343,6 +352,8 @@ static inline void cpuid_policy_to_featureset( fs[FEATURESET_e21a] =3D p->extd.e21a; fs[FEATURESET_7b1] =3D p->feat._7b1; fs[FEATURESET_7d2] =3D p->feat._7d2; + fs[FEATURESET_7c1] =3D p->feat._7c1; + fs[FEATURESET_7d1] =3D p->feat._7d1; } =20 /* Fill in a CPUID policy from a featureset bitmap. */ @@ -363,6 +374,8 @@ static inline void cpuid_featureset_to_policy( p->extd.e21a =3D fs[FEATURESET_e21a]; p->feat._7b1 =3D fs[FEATURESET_7b1]; p->feat._7d2 =3D fs[FEATURESET_7d2]; + p->feat._7c1 =3D fs[FEATURESET_7c1]; + p->feat._7d1 =3D fs[FEATURESET_7d1]; } =20 static inline uint64_t cpuid_policy_xcr0_max(const struct cpuid_policy *p) --=20 2.11.0 From nobody Mon May 6 00:48:05 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=reject dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1672446654; cv=none; d=zohomail.com; s=zohoarc; b=FO7ko+LRMQTohOAFuN4g2ScKIUN82XzaK4i/0JQUCjFOpcUN8+NGGwxtIo+GYKJ/cEQO9gj8TtvlX8ZRmTBBSSD6ZFXEl1eQSNJmAcHJUkrFPdGmI6zHcTBm0ErZmRxumtPiifsiggHCQuoc1c13EGNbF8z9+odCSZ54vVsLANU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1672446654; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=bqv7WtfosTMTnbmbxMEXrYJ6IZ62P/INUBKlg55plB0=; b=LP4zhNvWRKzRxqID0TBDrcTrYqWFnnh0O3GWxBUxRxCQZsKrze6mGkyehxPWiSCxBZNKXZvGJEQEO9PXQHUi7XeeUA60bgbYPDRT+xorleHuLfEndz6SV1Ub/2AI5I9hcogKpDZ4H+SqDdt0e02kkevgup7/udkvP4smecODyHg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1672446654524753.406641667852; Fri, 30 Dec 2022 16:30:54 -0800 (PST) Received: from list by lists.xenproject.org with outflank-mailman.469951.729405 (Exim 4.92) (envelope-from ) id 1pBPlY-0001it-JN; Sat, 31 Dec 2022 00:30:24 +0000 Received: by outflank-mailman (output) from mailman id 469951.729405; Sat, 31 Dec 2022 00:30:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1pBPlY-0001im-GL; Sat, 31 Dec 2022 00:30:24 +0000 Received: by outflank-mailman (input) for mailman id 469951; Sat, 31 Dec 2022 00:30:23 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1pBPlX-0001TX-4y for xen-devel@lists.xenproject.org; Sat, 31 Dec 2022 00:30:23 +0000 Received: from esa2.hc3370-68.iphmx.com (esa2.hc3370-68.iphmx.com [216.71.145.153]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 4db5038e-88a2-11ed-91b6-6bf2151ebd3b; Sat, 31 Dec 2022 01:30:20 +0100 (CET) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 4db5038e-88a2-11ed-91b6-6bf2151ebd3b DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1672446620; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=OgocD+ObouQq8QNH5GDFFIUKa/VfXCi8dkLMnUgQGhc=; b=b8LtxGuw0+VGReQ+AV4hYdCMs+TJzlgTF/GyotjqpgD/R7Mbbc3WPIux 5leYJ/uTiN60WbtLjN3bmBMB9syQlfDhbkr6GcEvRLC/72uj9Vg7L0Esy mXYJKd2+EP0oDN0DQH26+ZyvgTelQi1tWdxxduXlO22W5pXQ3WgZG7ewB k=; Authentication-Results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 4.0 X-MesageID: 90645874 X-Ironport-Server: esa2.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.83 X-Policy: $RELAYED IronPort-Data: A9a23:eE0waKMgBvY1NFjvrR2rl8FynXyQoLVcMsEvi/4bfWQNrUojgjQHx mQWCjuCP/rYZ2X9KYp+Oo3l9R8O7JbWydY2Swto+SlhQUwRpJueD7x1DKtS0wC6dZSfER09v 63yTvGacajYm1eF/k/F3oDJ9CU6jufQA+KmU4YoAwgpLSd8UiAtlBl/rOAwh49skLCRDhiE/ Nj/uKUzAnf8s9JPGj9SuvzrRC9H5qyo4mpC5QRmOZingXeF/5UrJMNHTU2OByOQrrl8RoaSW +vFxbelyWLVlz9F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq/0Te5p0TJvsEAXq7vh3S9zxHJ HehgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/ZqAJGpfh66wGMa04AWEX0utWWWpRp fUFEgocTwzcofyxxK6jFfY506zPLOGzVG8eknRpzDWfBvc6W5HTBa7N4Le03h9p2JoIR6yHI ZNEN3w/N3wsYDUWUrsTILs4kP2lmT/UdDpApUjOjaE2/3LS3Ep6172F3N/9K4TUGZgFwRrwS mTu1DiiIB8wG+Ok7zej72OngM7EoCXaV9dHfFG/3qEz2wDCroAJMzUJUXOrrP//jVSxM/pPJ kpR9icwoKwa8E2wUsK7TxC+uGSDvBMXR5xXCeJSwCOnx7fQ4g2ZLnMZVTMHY9sj3PLaXhRzi AXPxYmwQ2Uy7vvFEhpx64t4sxu/GHAeMj8LeBU+XCoZvP/9p4Uvlk3QG4ML/LGOsvX5HjT5w javpSc4hqkOgcNj65hX7WwrkBr3+MGXE1ddChH/Gzv8s1gnPNLNi5mAswCz0BpWEGqOorBtV lAgktPW0u0BBIrleMelELRUR+HBCxpo3VThbb9T83sJrW/FF52LJ9o4DNRCyKBBbK45lcfBO hO7hO+ozMY70IGWRaF2eZmtLM8h0LLtE9/oPtiNMIUUPsIsLlPXrHszDaJ144wKuBF2+ZzTx L/BKZr8ZZrkIf8PIMWKqxc1juZwm3FWKZL7TpHn1RW3uYejiIquYe5dajOmN7lphJ5oVS2Jq 76zwePWkUQAOAA/CwGLmbMuwacidylqXsCq8ZIGL4Zu4GNOQQkcNhMY+pt5E6QNokifvr6gE q2VMqOA9GfCuA== IronPort-HdrOrdr: A9a23:xkUxF6wxsB1ktMO6h/tJKrPwEr1zdoMgy1knxilNoHtuH/Bw9v rDoB1/73XJYVkqOU3I9erwWpVoa0msjKKdmLNhW4tKPzOHhILLFu9fBOLZqlXd8kvFh4lgPM xbAstD4bPLYmSTtqzBkWyF+twbsb26GfCT7tvj8w== X-IronPort-AV: E=Sophos;i="5.96,288,1665460800"; d="scan'208";a="90645874" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper , Jan Beulich , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Wei Liu Subject: [PATCH 2/2] x86/shskt: Disable CET-SS on parts succeptable to fractured updates Date: Sat, 31 Dec 2022 00:30:07 +0000 Message-ID: <20221231003007.26916-3-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20221231003007.26916-1-andrew.cooper3@citrix.com> References: <20221231003007.26916-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @citrix.com) X-ZM-MESSAGEID: 1672446655262000001 Refer to Intel SDM Rev 70 (Dec 2022), Vol3 17.2.3 "Supervisor Shadow Stack Token". Architecturally, an event delivery which starts in CPL>3 and switches shadow stack will first validate the Supervisor Shstk Token and set the busy bit, then pushes LIP/CS/SSP. One example of this is an NMI interrupting Xen. Some CPUs suffer from an issue called fracturing, whereby a fault/vmexit/etc between setting the busy bit and completing the event injection renders the action non-restartable, because when it comes time to restart, the busy bit= is found to be already set. This is far more easily encountered under virt, yet it is not the fault of = the hypervisor, nor the fault of the guest kernel. The fault lies somewhere between the architectural specification, and the uarch behaviour. Intel have allocated CPUID.7[1].ecx[18] CET_SSS to enumerate that supervisor shadow stacks are safe to use. Because of how Xen lays out its shadow stac= ks, fracturing is not expected to be a problem on native. Detect this case on boot and default to not using shstk if virtualised. Specifying `cet=3Dshstk` on the command line will override this heurstic and enable shadow stacks irrespective. Signed-off-by: Andrew Cooper --- CC: Jan Beulich CC: Roger Pau Monn=C3=A9 CC: Wei Liu I've got a query out with AMD, but so far it is only Intel CPUs known to be impacted. This ideally wants backporting to Xen 4.14. I have no idea how likely it is to need to backport the prerequisite patch for new feature words, but we've already had to do that once for security patches... --- docs/misc/xen-command-line.pandoc | 7 +++++- tools/libs/light/libxl_cpuid.c | 2 ++ tools/misc/xen-cpuid.c | 1 + xen/arch/x86/cpu/common.c | 11 +++++++-- xen/arch/x86/setup.c | 37 +++++++++++++++++++++++++= +--- xen/include/public/arch-x86/cpufeatureset.h | 1 + 6 files changed, 53 insertions(+), 6 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index 923910f553c5..19d4d815bdee 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -287,10 +287,15 @@ can be maintained with the pv-shim mechanism. protection. =20 The option is available when `CONFIG_XEN_SHSTK` is compiled in, and - defaults to `true` on hardware supporting CET-SS. Specifying + generally defaults to `true` on hardware supporting CET-SS. Specifying `cet=3Dno-shstk` will cause Xen not to use Shadow Stacks even when sup= port is available in hardware. =20 + Some hardware suffers from an issue known as Supervisor Shadow Stack + Fracturing. On such hardware, Xen will default to not using Shadow St= acks + when virtualised. Specifying `cet=3Dshstk` will override this heurist= ic and + enable Shadow Stacks unilaterally. + * The `ibt=3D` boolean controls whether Xen uses Indirect Branch Trackin= g for its own protection. =20 diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c index 2aa23225f42c..d97a2f3338bc 100644 --- a/tools/libs/light/libxl_cpuid.c +++ b/tools/libs/light/libxl_cpuid.c @@ -235,6 +235,8 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *c= puid, const char* str) {"fsrs", 0x00000007, 1, CPUID_REG_EAX, 11, 1}, {"fsrcs", 0x00000007, 1, CPUID_REG_EAX, 12, 1}, =20 + {"cet-sss", 0x00000007, 1, CPUID_REG_EDX, 18, 1}, + {"intel-psfd", 0x00000007, 2, CPUID_REG_EDX, 0, 1}, {"mcdt-no", 0x00000007, 2, CPUID_REG_EDX, 5, 1}, =20 diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index 0091a11a67bc..ea33b587665d 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -208,6 +208,7 @@ static const char *const str_7c1[32] =3D =20 static const char *const str_7d1[32] =3D { + [18] =3D "cet-sss", }; =20 static const char *const str_7d2[32] =3D diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c index b3fcf4680f3a..d962f384a995 100644 --- a/xen/arch/x86/cpu/common.c +++ b/xen/arch/x86/cpu/common.c @@ -346,11 +346,18 @@ void __init early_cpu_init(void) x86_cpuid_vendor_to_str(c->x86_vendor), c->x86, c->x86, c->x86_model, c->x86_model, c->x86_mask, eax); =20 - if (c->cpuid_level >=3D 7) - cpuid_count(7, 0, &eax, &ebx, + if (c->cpuid_level >=3D 7) { + uint32_t max_subleaf; + + cpuid_count(7, 0, &max_subleaf, &ebx, &c->x86_capability[FEATURESET_7c0], &c->x86_capability[FEATURESET_7d0]); =20 + if (max_subleaf >=3D 1) + cpuid_count(7, 1, &eax, &ebx, &ecx, + &c->x86_capability[FEATURESET_7d1]); + } + eax =3D cpuid_eax(0x80000000); if ((eax >> 16) =3D=3D 0x8000 && eax >=3D 0x80000008) { ebx =3D eax >=3D 0x8000001f ? cpuid_ebx(0x8000001f) : 0; diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index 566422600d94..e052b7b748fa 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -96,7 +96,7 @@ size_param("highmem-start", highmem_start); #endif =20 #ifdef CONFIG_XEN_SHSTK -static bool __initdata opt_xen_shstk =3D true; +static int8_t __initdata opt_xen_shstk =3D -1; #else #define opt_xen_shstk false #endif @@ -1101,9 +1101,40 @@ void __init noreturn __start_xen(unsigned long mbi_p) /* Choose shadow stack early, to set infrastructure up appropriately. = */ if ( opt_xen_shstk && boot_cpu_has(X86_FEATURE_CET_SS) ) { - printk("Enabling Supervisor Shadow Stacks\n"); + /* + * Some CPUs suffer from Shadow Stack Fracturing, an issue whereby= a + * fault/VMExit/etc between setting a Supervisor Busy bit and the + * event delivery completing renders the operation non-restartable. + * On restart, event delivery will find the Busy bit already set. + * + * This is a problem on native, but outside of synthetic cases, on= ly + * with #MC against a stack access (in which case we're dead anywa= y). + * It is a much bigger problem under virt, because we can VMExit f= or a + * number of legitimate reasons and tickle this bug. + * + * CPUs with this addressed enumerate CET-SSS to indicate that + * supervisor shadow stacks are now safe to use. + */ + bool cpu_has_bug_shstk_fracture =3D + boot_cpu_data.x86_vendor =3D=3D X86_VENDOR_INTEL && + !boot_cpu_has(X86_FEATURE_CET_SSS); + + /* + * On native, assume that Xen won't be impacted by shstk fracturing + * problems. Under virt, be more conservative and disable shstk by + * default. + */ + if ( opt_xen_shstk =3D=3D -1 ) + opt_xen_shstk =3D + cpu_has_hypervisor ? !cpu_has_bug_shstk_fracture + : true; + + if ( opt_xen_shstk ) + { + printk("Enabling Supervisor Shadow Stacks\n"); =20 - setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK); + setup_force_cpu_cap(X86_FEATURE_XEN_SHSTK); + } } =20 if ( opt_xen_ibt && boot_cpu_has(X86_FEATURE_CET_IBT) ) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/publ= ic/arch-x86/cpufeatureset.h index 7a896f0e2d92..f6a46f62a549 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -290,6 +290,7 @@ XEN_CPUFEATURE(INTEL_PPIN, 12*32+ 0) /* Prote= cted Processor Inventory =20 /* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */ /* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */ +XEN_CPUFEATURE(CET_SSS, 15*32+18) /* CET Supervisor Shadow St= acks safe to use */ =20 /* Intel-defined CPU features, CPUID level 0x00000007:2.edx, word 13 */ XEN_CPUFEATURE(INTEL_PSFD, 13*32+ 0) /*A MSR_SPEC_CTRL.PSFD */ --=20 2.11.0