diff options
Diffstat (limited to 'system/xen/xsa/xsa263-4.10-0010-x86-spec_ctrl-Introduce-a-new-spec-ctrl-command-line.patch')
| -rw-r--r-- | system/xen/xsa/xsa263-4.10-0010-x86-spec_ctrl-Introduce-a-new-spec-ctrl-command-line.patch | 344 |
1 files changed, 344 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa263-4.10-0010-x86-spec_ctrl-Introduce-a-new-spec-ctrl-command-line.patch b/system/xen/xsa/xsa263-4.10-0010-x86-spec_ctrl-Introduce-a-new-spec-ctrl-command-line.patch new file mode 100644 index 0000000000..9c8c3560bd --- /dev/null +++ b/system/xen/xsa/xsa263-4.10-0010-x86-spec_ctrl-Introduce-a-new-spec-ctrl-command-line.patch @@ -0,0 +1,344 @@ +From 952ff9f5590e37952d7dd3d89e16a47a238ab079 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Thu, 26 Apr 2018 10:52:55 +0100 +Subject: [PATCH] x86/spec_ctrl: Introduce a new `spec-ctrl=` command line + argument to replace `bti=` + +In hindsight, the options for `bti=` aren't as flexible or useful as expected +(including several options which don't appear to behave as intended). +Changing the behaviour of an existing option is problematic for compatibility, +so introduce a new `spec-ctrl=` in the hopes that we can do better. + +One common way of deploying Xen is with a single PV dom0 and all domUs being +HVM domains. In such a setup, an administrator who has weighed up the risks +may wish to forgo protection against malicious PV domains, to reduce the +overall performance hit. To cater for this usecase, `spec-ctrl=no-pv` will +disable all speculative protection for PV domains, while leaving all +speculative protection for HVM domains intact. + +For coding clarity as much as anything else, the suboptions are grouped by +logical area; those which affect the alternatives blocks, and those which +affect Xen's in-hypervisor settings. See the xen-command-line.markdown for +full details of the new options. + +While changing the command line options, take the time to change how the data +is reported to the user. The three DEBUG printks are upgraded to unilateral, +as they are all relevant pieces of information, and the old "mitigations:" +line is split in the two logical areas described above. + +Sample output from booting with `spec-ctrl=no-pv` looks like: + + (XEN) Speculative mitigation facilities: + (XEN) Hardware features: IBRS/IBPB STIBP IBPB + (XEN) Compiled-in support: INDIRECT_THUNK + (XEN) Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS-, Other: IBPB + (XEN) Support for VMs: PV: None, HVM: MSR_SPEC_CTRL RSB + (XEN) XPTI (64-bit PV only): Dom0 enabled, DomU enabled + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Wei Liu <wei.liu2@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Release-acked-by: Juergen Gross <jgross@suse.com> +(cherry picked from commit 3352afc26c497d26ecb70527db3cb29daf7b1422) +--- + docs/misc/xen-command-line.markdown | 49 +++++++++++ + xen/arch/x86/spec_ctrl.c | 160 ++++++++++++++++++++++++++++++------ + 2 files changed, 186 insertions(+), 23 deletions(-) + +diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown +index 6c673ee..43a6ddb 100644 +--- a/docs/misc/xen-command-line.markdown ++++ b/docs/misc/xen-command-line.markdown +@@ -248,6 +248,9 @@ the NMI watchdog is also enabled. + ### bti (x86) + > `= List of [ thunk=retpoline|lfence|jmp, ibrs=<bool>, ibpb=<bool>, rsb_{vmexit,native}=<bool> ]` + ++**WARNING: This command line option is deprecated, and superseded by ++_spec-ctrl=_ - using both options in combination is undefined.** ++ + Branch Target Injection controls. By default, Xen will pick the most + appropriate BTI mitigations based on compiled in support, loaded microcode, + and hardware details. +@@ -1698,6 +1701,52 @@ enforces the maximum theoretically necessary timeout of 670ms. Any number + is being interpreted as a custom timeout in milliseconds. Zero or boolean + false disable the quirk workaround, which is also the default. + ++### spec-ctrl (x86) ++> `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb}=<bool>, ++> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb}=<bool> ]` ++ ++Controls for speculative execution sidechannel mitigations. By default, Xen ++will pick the most appropriate mitigations based on compiled in support, ++loaded microcode, and hardware details, and will virtualise appropriate ++mitigations for guests to use. ++ ++**WARNING: Any use of this option may interfere with heuristics. Use with ++extreme care.** ++ ++An overall boolean value, `spec-ctrl=no`, can be specified to turn off all ++mitigations, including pieces of infrastructure used to virtualise certain ++mitigation features for guests. Alternatively, a slightly more restricted ++`spec-ctrl=no-xen` can be used to turn off all of Xen's mitigations, while ++leaving the virtualisation support in place for guests to use. Use of a ++positive boolean value for either of these options is invalid. ++ ++The booleans `pv=`, `hvm=`, `msr-sc=` and `rsb=` offer fine grained control ++over the alternative blocks used by Xen. These impact Xen's ability to ++protect itself, and Xen's ability to virtualise support for guests to use. ++ ++* `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests ++ respectively. ++* `msr-sc=` offers control over Xen's support for manipulating MSR\_SPEC\_CTRL ++ on entry and exit. These blocks are necessary to virtualise support for ++ guests and if disabled, guests will be unable to use IBRS/STIBP/etc. ++* `rsb=` offers control over whether to overwrite the Return Stack Buffer / ++ Return Address Stack on entry to Xen. ++ ++If Xen was compiled with INDIRECT\_THUNK support, `bti-thunk=` can be used to ++select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` ++locations. The default thunk is `retpoline` (generally preferred for Intel ++hardware), with the alternatives being `jmp` (a `jmp *%reg` gadget, minimal ++overhead), and `lfence` (an `lfence; jmp *%reg` gadget, preferred for AMD). ++ ++On hardware supporting IBRS (Indirect Branch Restricted Speculation), the ++`ibrs=` option can be used to force or prevent Xen using the feature itself. ++If Xen is not using IBRS itself, functionality is still set up so IBRS can be ++virtualised for guests. ++ ++On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=` ++option can be used to force (the default) or prevent Xen from issuing branch ++prediction barriers on vcpu context switches. ++ + ### sync\_console + > `= <boolean>` + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 3adec1a..4f9282f 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -26,6 +26,13 @@ + #include <asm/spec_ctrl.h> + #include <asm/spec_ctrl_asm.h> + ++/* Cmdline controls for Xen's alternative blocks. */ ++static bool __initdata opt_msr_sc_pv = true; ++static bool __initdata opt_msr_sc_hvm = true; ++static bool __initdata opt_rsb_pv = true; ++static bool __initdata opt_rsb_hvm = true; ++ ++/* Cmdline controls for Xen's speculative settings. */ + static enum ind_thunk { + THUNK_DEFAULT, /* Decide which thunk to use at boot time. */ + THUNK_NONE, /* Missing compiler support for thunks. */ +@@ -35,8 +42,6 @@ static enum ind_thunk { + THUNK_JMP, + } opt_thunk __initdata = THUNK_DEFAULT; + static int8_t __initdata opt_ibrs = -1; +-static bool __initdata opt_rsb_pv = true; +-static bool __initdata opt_rsb_hvm = true; + bool __read_mostly opt_ibpb = true; + + bool __initdata bsp_delay_spec_ctrl; +@@ -84,8 +89,95 @@ static int __init parse_bti(const char *s) + } + custom_param("bti", parse_bti); + ++static int __init parse_spec_ctrl(const char *s) ++{ ++ const char *ss; ++ int val, rc = 0; ++ ++ do { ++ ss = strchr(s, ','); ++ if ( !ss ) ++ ss = strchr(s, '\0'); ++ ++ /* Global and Xen-wide disable. */ ++ val = parse_bool(s, ss); ++ if ( !val ) ++ { ++ opt_msr_sc_pv = false; ++ opt_msr_sc_hvm = false; ++ ++ disable_common: ++ opt_rsb_pv = false; ++ opt_rsb_hvm = false; ++ ++ opt_thunk = THUNK_JMP; ++ opt_ibrs = 0; ++ opt_ibpb = false; ++ } ++ else if ( val > 0 ) ++ rc = -EINVAL; ++ else if ( (val = parse_boolean("xen", s, ss)) >= 0 ) ++ { ++ if ( !val ) ++ goto disable_common; ++ ++ rc = -EINVAL; ++ } ++ ++ /* Xen's alternative blocks. */ ++ else if ( (val = parse_boolean("pv", s, ss)) >= 0 ) ++ { ++ opt_msr_sc_pv = val; ++ opt_rsb_pv = val; ++ } ++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) ++ { ++ opt_msr_sc_hvm = val; ++ opt_rsb_hvm = val; ++ } ++ else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) ++ { ++ opt_msr_sc_pv = val; ++ opt_msr_sc_hvm = val; ++ } ++ else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) ++ { ++ opt_rsb_pv = val; ++ opt_rsb_hvm = val; ++ } ++ ++ /* Xen's speculative sidechannel mitigation settings. */ ++ else if ( !strncmp(s, "bti-thunk=", 10) ) ++ { ++ s += 10; ++ ++ if ( !strncmp(s, "retpoline", ss - s) ) ++ opt_thunk = THUNK_RETPOLINE; ++ else if ( !strncmp(s, "lfence", ss - s) ) ++ opt_thunk = THUNK_LFENCE; ++ else if ( !strncmp(s, "jmp", ss - s) ) ++ opt_thunk = THUNK_JMP; ++ else ++ rc = -EINVAL; ++ } ++ else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 ) ++ opt_ibrs = val; ++ else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) ++ opt_ibpb = val; ++ else ++ rc = -EINVAL; ++ ++ s = ss + 1; ++ } while ( *ss ); ++ ++ return rc; ++} ++custom_param("spec-ctrl", parse_spec_ctrl); ++ + static void __init print_details(enum ind_thunk thunk, uint64_t caps) + { ++ bool use_spec_ctrl = (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || ++ boot_cpu_has(X86_FEATURE_SC_MSR_HVM)); + unsigned int _7d0 = 0, e8b = 0, tmp; + + /* Collect diagnostics about available mitigations. */ +@@ -94,10 +186,10 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + if ( boot_cpu_data.extended_cpuid_level >= 0x80000008 ) + cpuid(0x80000008, &tmp, &e8b, &tmp, &tmp); + +- printk(XENLOG_DEBUG "Speculative mitigation facilities:\n"); ++ printk("Speculative mitigation facilities:\n"); + + /* Hardware features which pertain to speculative mitigations. */ +- printk(XENLOG_DEBUG " Hardware features:%s%s%s%s%s%s\n", ++ printk(" Hardware features:%s%s%s%s%s%s\n", + (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", + (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", +@@ -107,20 +199,31 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + + /* Compiled-in support which pertains to BTI mitigations. */ + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) ) +- printk(XENLOG_DEBUG " Compiled-in support: INDIRECT_THUNK\n"); ++ printk(" Compiled-in support: INDIRECT_THUNK\n"); + +- printk("BTI mitigations: Thunk %s, Others:%s%s%s%s\n", ++ /* Settings for Xen's protection, irrespective of guests. */ ++ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s, Other:%s\n", + thunk == THUNK_NONE ? "N/A" : + thunk == THUNK_RETPOLINE ? "RETPOLINE" : + thunk == THUNK_LFENCE ? "LFENCE" : + thunk == THUNK_JMP ? "JMP" : "?", ++ !use_spec_ctrl ? "No" : ++ (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", ++ opt_ibpb ? " IBPB" : ""); ++ ++ /* ++ * Alternatives blocks for protecting against and/or virtualising ++ * mitigation support for guests. ++ */ ++ printk(" Support for VMs: PV:%s%s%s, HVM:%s%s%s\n", + (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || +- boot_cpu_has(X86_FEATURE_SC_MSR_HVM)) ? +- default_xen_spec_ctrl & SPEC_CTRL_IBRS ? " IBRS+" : +- " IBRS-" : "", +- opt_ibpb ? " IBPB" : "", +- boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB_NATIVE" : "", +- boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB_VMEXIT" : ""); ++ boot_cpu_has(X86_FEATURE_SC_RSB_PV)) ? "" : " None", ++ boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", ++ boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", ++ (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || ++ boot_cpu_has(X86_FEATURE_SC_RSB_HVM)) ? "" : " None", ++ boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", ++ boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : ""); + + printk("XPTI: %s\n", + boot_cpu_has(X86_FEATURE_NO_XPTI) ? "disabled" : "enabled"); +@@ -212,7 +315,7 @@ static bool __init retpoline_safe(uint64_t caps) + void __init init_speculation_mitigations(void) + { + enum ind_thunk thunk = THUNK_DEFAULT; +- bool ibrs = false; ++ bool use_spec_ctrl = false, ibrs = false; + uint64_t caps = 0; + + if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) ) +@@ -282,20 +385,31 @@ void __init init_speculation_mitigations(void) + else if ( thunk == THUNK_JMP ) + setup_force_cpu_cap(X86_FEATURE_IND_THUNK_JMP); + ++ /* ++ * If we are on hardware supporting MSR_SPEC_CTRL, see about setting up ++ * the alternatives blocks so we can virtualise support for guests. ++ */ + if ( boot_cpu_has(X86_FEATURE_IBRSB) ) + { +- /* +- * Even if we've chosen to not have IBRS set in Xen context, we still +- * need the IBRS entry/exit logic to virtualise IBRS support for +- * guests. +- */ +- setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV); +- setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM); ++ if ( opt_msr_sc_pv ) ++ { ++ use_spec_ctrl = true; ++ setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV); ++ } + +- if ( ibrs ) +- default_xen_spec_ctrl |= SPEC_CTRL_IBRS; ++ if ( opt_msr_sc_hvm ) ++ { ++ use_spec_ctrl = true; ++ setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM); ++ } ++ ++ if ( use_spec_ctrl ) ++ { ++ if ( ibrs ) ++ default_xen_spec_ctrl |= SPEC_CTRL_IBRS; + +- default_spec_ctrl_flags |= SCF_ist_wrmsr; ++ default_spec_ctrl_flags |= SCF_ist_wrmsr; ++ } + } + + /* +-- +2.1.4 + |