From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini
Subject: [PATCH] xen/Kconfig: Improve help test for speculative options
Date: Thu, 8 May 2025 17:03:36 +0100
Message-Id: <20250508160336.2232152-1-andrew.cooper3@citrix.com>

The text for CONFIG_INDIRECT_THUNK isn't really correct, and was already stale
by the time speculative vulnerabilities hit the headlines in 2018. It is
specifically an out-of-line-ing mechanism, and retpoline is one of several
safety sequences used.

Some of this boilerplate has been copied into all other options, and isn't
interesting for the target audience given that they're all in a "Speculative
Hardening" menu.

Reword it to be more concise.

No functional change.

Signed-off-by: Andrew Cooper
Acked-by: Roger Pau Monné
---
CC: Anthony PERARD
CC: Michal Orzel
CC: Jan Beulich
CC: Julien Grall
CC: Roger Pau Monné
CC: Stefano Stabellini

CONFIG_SPECULATIVE_HARDEN_BRANCH really ought to be named
CONFIG_SPECULATIVE_HARDEN_CONDITIONAL, but this would be a (minor) functional
change.
---
 xen/common/Kconfig | 51 +++++++++------------------------------------------
 1 file changed, 10 insertions(+), 41 deletions(-)

diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 4bec78c6f267..03ef6d87abc0 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig
@@ -162,29 +162,21 @@ config STATIC_MEMORY menu "Speculative hardening" =20 config INDIRECT_THUNK - bool "Speculative Branch Target Injection Protection" + bool "Out-of-line Indirect Call/Jumps" depends on CC_HAS_INDIRECT_THUNK default y help - Contemporary processors may use speculative execution as a - performance optimisation, but this can potentially be abused by an - attacker to leak data via speculative sidechannels. + Compile Xen with out-of-line indirect call and jumps. =20 - One source of data leakage is via branch target injection. - - When enabled, indirect branches are implemented using a new construct - called "retpoline" that prevents speculation. + This allows Xen to mitigate a variety of speculative vulnerabilities + by choosing a hardware-dependent instruction sequence to implement + (e.g. function pointers) safely. "Retpoline" is one such sequence. =20 config SPECULATIVE_HARDEN_ARRAY bool "Speculative Array Hardening" default y help - Contemporary processors may use speculative execution as a - performance optimisation, but this can potentially be abused by an - attacker to leak data via speculative sidechannels. - - One source of data leakage is via speculative out-of-bounds array - accesses. + Compile Xen with extra hardening for some array accesses. =20 When enabled, specific array accesses which have been deemed liable to be speculatively abused will be hardened to avoid out-of-bounds 
@@ -193,19 +185,12 @@ config SPECULATIVE_HARDEN_ARRAY This is a best-effort mitigation. There are no guarantees that all areas of code open to abuse have been hardened. =20 - If unsure, say Y. - config SPECULATIVE_HARDEN_BRANCH bool "Speculative Branch Hardening" default y depends on X86 - help - Contemporary processors may use speculative execution as a - performance optimisation, but this can potentially be abused by an - attacker to leak data via speculative sidechannels. - - One source of misbehaviour is by executing the wrong basic block - following a conditional jump. + help + Compile Xen with extra hardening for some conditional branches. =20 When enabled, specific conditions which have been deemed liable to be speculatively abused will be hardened to avoid entering the wrong 
@@ -216,43 +201,27 @@ config SPECULATIVE_HARDEN_BRANCH optimisations in the compiler haven't subverted the attempts to harden. =20 - If unsure, say Y. - config SPECULATIVE_HARDEN_GUEST_ACCESS bool "Speculative PV Guest Memory Access Hardening" default y depends on PV help - Contemporary processors may use speculative execution as a - performance optimisation, but this can potentially be abused by an - attacker to leak data via speculative sidechannels. - - One source of data leakage is via speculative accesses to hypervisor - memory through guest controlled values used to access guest memory. + Compile Xen with extra hardening for PV guest memory access. =20 When enabled, code paths accessing PV guest memory will have guest controlled addresses massaged such that memory accesses through them won't touch hypervisor address space. =20 - If unsure, say Y. - config SPECULATIVE_HARDEN_LOCK bool "Speculative lock context hardening" default y depends on X86 help - Contemporary processors may use speculative execution as a - performance optimisation, but this can potentially be abused by an - attacker to leak data via speculative sidechannels. - - One source of data leakage is via speculative accesses to lock - critical regions. + Compile Xen with extra hardening for locked regions. =20 This option is disabled by default at run time, and needs to be enabled on the command line. =20 - If unsure, say Y. - endmenu =20 menu "Other hardening" base-commit: aea52ce607fe716acc56ad89f07e1513c89018eb --=20 2.39.5
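Review bot: In the first hunk (config INDIRECT_THUNK), the new help sentence ending "instruction sequence to implement (e.g. function pointers) safely" has no object for "implement" and reads as if words were dropped. Something like "to implement indirect branches (e.g. calls through function pointers) safely" would parse. In the same entry, "out-of-line indirect call and jumps" and the prompt "Out-of-line Indirect Call/Jumps" mix singular and plural; "calls and jumps" and "Calls/Jumps" would be consistent.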
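Review bot: In the second hunk (config SPECULATIVE_HARDEN_BRANCH), the new help text says "some conditional branches" while the prompt stays "Speculative Branch Hardening", which is easy to confuse with the indirect call/jump option at the top of the same menu. The note under the commit message says renaming the symbol would be a functional change, but the prompt string could become "Speculative Conditional Branch Hardening" without touching the symbol. The "help" line is also removed and re-added here with no visible text difference, so it is presumably a whitespace fix; a word about it in the commit message would help.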
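Review bot: In the third hunk (config SPECULATIVE_HARDEN_LOCK), the remaining help text says the option "needs to be enabled on the command line" but does not name the command line option, and with the explanatory paragraph gone a reader has nothing left to search on. Naming the option in that sentence would fix this. Separately, "If unsure, say Y." is removed from each entry that had it in the second and third hunks, which the commit message does not mention; one sentence there would make the removal clearly intentional.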