From nobody Thu Sep 19 01:11:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=reject dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1722007936; cv=none; d=zohomail.com; s=zohoarc; b=SQyfb+ZfS6TpbPUMHRzRrxU6jcW+1zhVF9owcewh8DDXGA0HbctWf2EBT6+lmT05kRDOEnadF9Cr0aCoiPRixi2uuVtkOd8RGfw0EMLjGWqVm3EH4jFo67fbylndX5nmmm0QdaBeKCDxq04aeo3Hqykw8WVO8CPatrpzAy+MBto= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1722007936; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=RwqVraHAOEdS2c3l2+7Y1e8iYSimDDq5AdSITnK40sk=; b=Y5vj32yVo5xifQDYIq9+KNexSB3h8hJQWL2Dm4LNEVZ6LCsyxMpDAsvkaxQ0juz1FsaNNSaYpFVczfCc33lKXQ8rGoP+IXS4CuV+DAYdI/TDG+B7uQwuiCdItqrjVjhOVkb60RzTaP8p9dAfEK25tWUrS8JW+LCz+W9q7yK/yU0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1722007936831588.3834623075282; Fri, 26 Jul 2024 08:32:16 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.765531.1176226 (Exim 4.92) (envelope-from ) id 1sXMvG-0003uH-40; Fri, 26 Jul 2024 15:31:58 +0000 Received: by outflank-mailman (output) from mailman id 765531.1176226; Fri, 26 Jul 2024 15:31:58 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1sXMvF-0003ti-VA; Fri, 26 Jul 2024 15:31:57 +0000 Received: by outflank-mailman (input) for mailman id 765531; Fri, 26 Jul 2024 15:31:56 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1sXMvE-00084T-T5 for xen-devel@lists.xenproject.org; Fri, 26 Jul 2024 15:31:56 +0000 Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [2607:f8b0:4864:20::333]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 2fd9cbbd-4b64-11ef-8776-851b0ebba9a2; Fri, 26 Jul 2024 17:31:55 +0200 (CEST) Received: by mail-ot1-x333.google.com with SMTP id 46e09a7af769-703ba2477bdso609366a34.2 for ; Fri, 26 Jul 2024 08:31:55 -0700 (PDT) Received: from localhost ([213.195.124.163]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6bb3fac6b6csm17414816d6.116.2024.07.26.08.31.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Jul 2024 08:31:52 -0700 (PDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 2fd9cbbd-4b64-11ef-8776-851b0ebba9a2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=citrix.com; s=google; t=1722007913; x=1722612713; darn=lists.xenproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=RwqVraHAOEdS2c3l2+7Y1e8iYSimDDq5AdSITnK40sk=; b=eXq5YPJ8JeORhYxt8v4nZy1hZ3nSNsdw03RhttIB3usq7Z6UAQ14XGc4f8AJh10syD vrxI0Dig0nA/P2zwIbGDQRDF+ojuz5dnoMoQlJ+0VYS17k0BQU9Y+iUOem3zVEvKL5QY JT0SkrDF8gUbiKK8DQn8snBi7Zr3PktkPXFl4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722007913; x=1722612713; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RwqVraHAOEdS2c3l2+7Y1e8iYSimDDq5AdSITnK40sk=; b=MvtSz+AypS/P+JaFC04qFtb/hgneqXurNBPWQ82eG0CH+Njc8u7+HTRq16G7U2xKqX kHSC6eiJLqsCU6N0ngn0gi3Fvn/F0xkLdOYS2AKdGJdnaDQGxbRf22yu5iBAOdr5dKsQ djPAHPGRll12+8V4tV2ww6jC1VcaXIV3gy8oUbcPx84rEb8FqdyAZvbFxKKJFgh/UCr6 e6mYci8uvHGXPF09Ny1KJBJH1dXCMM25G8dPl7Ncry0+74Rovo+fxhZI3UJgcgWppEzJ cNN4Bge0zKcJLPLVCZVF87GruQjhncWhbJqMI+zWIobaipAWCcLJBfnUO/ZexljPDqFf f04A== X-Gm-Message-State: AOJu0YxISWJWguPRkE7cQO2FsKJQkln8LmPEPWc9gb5J3RX/bCl7QE/J cs19Mn89+uMipMdkLsXEs9p0DPkZ0cfuaIk3StbrRZOQ4w2QtmQT0ukrOnQgd5OaCagYs1mTEzM q X-Google-Smtp-Source: AGHT+IEqRPmgIWN8QNqdUP8A5AuXysm1C0BZEZj9FBfcL0gwTK9jQh8X0JnqL2bI0Bd/lrn6iSOH3g== X-Received: by 2002:a05:6830:658e:b0:703:5ab1:64d4 with SMTP id 46e09a7af769-7093251b313mr5066647a34.29.1722007912714; Fri, 26 Jul 2024 08:31:52 -0700 (PDT) From: Roger Pau Monne To: xen-devel@lists.xenproject.org Cc: alejandro.vallejo@cloud.com, Roger Pau Monne , Andrew Cooper , Jan Beulich , Julien Grall , Stefano Stabellini Subject: [PATCH 12/22] x86/spec-ctrl: introduce Address Space Isolation command line option Date: Fri, 26 Jul 2024 17:21:56 +0200 Message-ID: <20240726152206.28411-13-roger.pau@citrix.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240726152206.28411-1-roger.pau@citrix.com> References: <20240726152206.28411-1-roger.pau@citrix.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @citrix.com) X-ZM-MESSAGEID: 1722007937679116600 No functional change, as the option is not used. Introduced new so newly added functionality is keyed on the option being enabled, even if the feature is non-functional. Signed-off-by: Roger Pau Monn=C3=A9 --- docs/misc/xen-command-line.pandoc | 15 ++++-- xen/arch/x86/include/asm/domain.h | 3 ++ xen/arch/x86/include/asm/spec_ctrl.h | 2 + xen/arch/x86/spec_ctrl.c | 74 +++++++++++++++++++++++++--- 4 files changed, 81 insertions(+), 13 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index 98a45211556b..0ddc330428d9 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2387,7 +2387,7 @@ By default SSBD will be mitigated at runtime (i.e `ss= bd=3Druntime`). =20 ### spec-ctrl (x86) > `=3D List of [ , xen=3D, {pv,hvm}=3D, -> {msr-sc,rsb,verw,{ibpb,bhb}-entry}=3D|{pv,hvm}=3D, +> {msr-sc,rsb,verw,{ibpb,bhb}-entry,asi}=3D|{pv,hvm}=3D= , > bti-thunk=3Dretpoline|lfence|jmp,bhb-seq=3Dshort|tsx|long, > {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, @@ -2414,10 +2414,10 @@ in place for guests to use. =20 Use of a positive boolean value for either of these options is invalid. =20 -The `pv=3D`, `hvm=3D`, `msr-sc=3D`, `rsb=3D`, `verw=3D`, `ibpb-entry=3D` a= nd `bhb-entry=3D` -options offer fine grained control over the primitives by Xen. These impa= ct -Xen's ability to protect itself, and/or Xen's ability to virtualise support -for guests to use. +The `pv=3D`, `hvm=3D`, `msr-sc=3D`, `rsb=3D`, `verw=3D`, `ibpb-entry=3D`, = `bhb-entry=3D` and +`asi=3D` options offer fine grained control over the primitives by Xen. T= hese +impact Xen's ability to protect itself, and/or Xen's ability to virtualise +support for guests to use. =20 * `pv=3D` and `hvm=3D` offer control over all suboptions for PV and HVM gu= ests respectively. @@ -2449,6 +2449,11 @@ for guests to use. is not available (see `bhi-dis-s`). The choice of scrubbing sequence ca= n be selected using the `bhb-seq=3D` option. If it is necessary to protect d= om0 too, boot with `spec-ctrl=3Dbhb-entry`. +* `asi=3D` offers control over whether the hypervisor will engage in Addre= ss + Space Isolation, by not having sensitive information mapped in the VMM + page-tables. Not having sensitive information on the page-tables avoids + having to perform some mitigations for speculative attacks when + context-switching to the hypervisor. =20 If Xen was compiled with `CONFIG_INDIRECT_THUNK` support, `bti-thunk=3D` c= an be used to select which of the thunks gets patched into the diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/d= omain.h index 9dd2e047f4de..8c366be8c75f 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -458,6 +458,9 @@ struct arch_domain /* Don't unconditionally inject #GP for unhandled MSRs. */ bool msr_relaxed; =20 + /* Run the guest without sensitive information in the VMM page-tables.= */ + bool asi; + /* Emulated devices enabled bitmap. */ uint32_t emulation_flags; } __cacheline_aligned; diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/as= m/spec_ctrl.h index 72347ef2b959..39963c004312 100644 --- a/xen/arch/x86/include/asm/spec_ctrl.h +++ b/xen/arch/x86/include/asm/spec_ctrl.h @@ -88,6 +88,8 @@ extern uint8_t default_scf; =20 extern int8_t opt_xpti_hwdom, opt_xpti_domu; =20 +extern int8_t opt_asi_pv, opt_asi_hwdom, opt_asi_hvm; + extern bool cpu_has_bug_l1tf; extern int8_t opt_pv_l1tf_hwdom, opt_pv_l1tf_domu; =20 diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 5dc7a17b9354..2e403aad791c 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -84,6 +84,11 @@ static bool __ro_after_init opt_verw_mmio; static int8_t __initdata opt_gds_mit =3D -1; static int8_t __initdata opt_div_scrub =3D -1; =20 +/* Address Space Isolation for PV/HVM. */ +int8_t __ro_after_init opt_asi_pv =3D -1; +int8_t __ro_after_init opt_asi_hwdom =3D -1; +int8_t __ro_after_init opt_asi_hvm =3D -1; + static int __init cf_check parse_spec_ctrl(const char *s) { const char *ss; @@ -143,6 +148,10 @@ static int __init cf_check parse_spec_ctrl(const char = *s) opt_unpriv_mmio =3D false; opt_gds_mit =3D 0; opt_div_scrub =3D 0; + + opt_asi_pv =3D 0; + opt_asi_hwdom =3D 0; + opt_asi_hvm =3D 0; } else if ( val > 0 ) rc =3D -EINVAL; @@ -162,6 +171,7 @@ static int __init cf_check parse_spec_ctrl(const char *= s) opt_verw_pv =3D val; opt_ibpb_entry_pv =3D val; opt_bhb_entry_pv =3D val; + opt_asi_pv =3D val; } else if ( (val =3D parse_boolean("hvm", s, ss)) >=3D 0 ) { @@ -170,6 +180,7 @@ static int __init cf_check parse_spec_ctrl(const char *= s) opt_verw_hvm =3D val; opt_ibpb_entry_hvm =3D val; opt_bhb_entry_hvm =3D val; + opt_asi_hvm =3D val; } else if ( (val =3D parse_boolean("msr-sc", s, ss)) !=3D -1 ) { @@ -279,6 +290,27 @@ static int __init cf_check parse_spec_ctrl(const char = *s) break; } } + else if ( (val =3D parse_boolean("asi", s, ss)) !=3D -1 ) + { + switch ( val ) + { + case 0: + case 1: + opt_asi_pv =3D opt_asi_hwdom =3D opt_asi_hvm =3D val; + break; + + case -2: + s +=3D strlen("asi=3D"); + if ( (val =3D parse_boolean("pv", s, ss)) >=3D 0 ) + opt_asi_pv =3D val; + else if ( (val =3D parse_boolean("hvm", s, ss)) >=3D 0 ) + opt_asi_hvm =3D val; + else + default: + rc =3D -EINVAL; + break; + } + } =20 /* Xen's speculative sidechannel mitigation settings. */ else if ( !strncmp(s, "bti-thunk=3D", 10) ) @@ -378,6 +410,13 @@ int8_t __ro_after_init opt_xpti_domu =3D -1; =20 static __init void xpti_init_default(void) { + ASSERT(opt_asi_pv >=3D 0 && opt_asi_hwdom >=3D 0); + if ( (opt_xpti_hwdom =3D=3D 1 || opt_xpti_domu =3D=3D 1) && opt_asi_pv= =3D=3D 1 ) + { + printk(XENLOG_ERR + "XPTI is incompatible with Address Space Isolation - disabl= ing ASI\n"); + opt_asi_pv =3D 0; + } if ( (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) = || cpu_has_rdcl_no ) { @@ -389,9 +428,9 @@ static __init void xpti_init_default(void) else { if ( opt_xpti_hwdom < 0 ) - opt_xpti_hwdom =3D 1; + opt_xpti_hwdom =3D !opt_asi_hwdom; if ( opt_xpti_domu < 0 ) - opt_xpti_domu =3D 1; + opt_xpti_domu =3D !opt_asi_pv; } } =20 @@ -630,12 +669,13 @@ static void __init print_details(enum ind_thunk thunk) * mitigation support for guests. */ #ifdef CONFIG_HVM - printk(" Support for HVM VMs:%s%s%s%s%s%s%s%s\n", + printk(" Support for HVM VMs:%s%s%s%s%s%s%s%s%s\n", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || opt_bhb_entry_hvm || amd_virt_spec_ctrl || - opt_eager_fpu || opt_verw_hvm) ? "" : = " None", + opt_eager_fpu || opt_verw_hvm || + opt_asi_hvm) ? "" : = " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : = "", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || amd_virt_spec_ctrl) ? " MSR_VIRT_SPEC_CTR= L" : "", @@ -643,22 +683,24 @@ static void __init print_details(enum ind_thunk thunk) opt_eager_fpu ? " EAGER_FPU" : = "", opt_verw_hvm ? " VERW" : = "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : = "", - opt_bhb_entry_hvm ? " BHB-entry" : = ""); + opt_bhb_entry_hvm ? " BHB-entry" : = "", + opt_asi_hvm ? " ASI" : = ""); =20 #endif #ifdef CONFIG_PV - printk(" Support for PV VMs:%s%s%s%s%s%s%s\n", + printk(" Support for PV VMs:%s%s%s%s%s%s%s%s\n", (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_bhb_entry_pv || + opt_bhb_entry_pv || opt_asi_pv || opt_eager_fpu || opt_verw_pv) ? "" : = " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : = "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : = "", opt_eager_fpu ? " EAGER_FPU" : = "", opt_verw_pv ? " VERW" : = "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : = "", - opt_bhb_entry_pv ? " BHB-entry" : = ""); + opt_bhb_entry_pv ? " BHB-entry" : = "", + opt_asi_pv ? " ASI" : = ""); =20 printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", opt_xpti_hwdom ? "enabled" : "disabled", @@ -1773,6 +1815,9 @@ void spec_ctrl_init_domain(struct domain *d) if ( pv ) d->arch.pv.xpti =3D is_hardware_domain(d) ? opt_xpti_hwdom : opt_xpti_domu; + + d->arch.asi =3D is_hardware_domain(d) ? opt_asi_hwdom + : pv ? opt_asi_pv : opt_asi_hvm; } =20 void __init init_speculation_mitigations(void) @@ -2069,6 +2114,19 @@ void __init init_speculation_mitigations(void) hw_smt_enabled && default_xen_spec_ctrl ) setup_force_cpu_cap(X86_FEATURE_SC_MSR_IDLE); =20 + /* Disable ASI by default until feature is finished. */ + if ( opt_asi_pv =3D=3D -1 ) + opt_asi_pv =3D 0; + if ( opt_asi_hwdom =3D=3D -1 ) + opt_asi_hwdom =3D 0; + if ( opt_asi_hvm =3D=3D -1 ) + opt_asi_hvm =3D 0; + + if ( opt_asi_pv || opt_asi_hvm ) + warning_add( + "Address Space Isolation is not functional, this option is\n" + "intended to be used only for development purposes.\n"); + xpti_init_default(); =20 l1tf_calculations(); --=20 2.45.2