authorFlorian Schmaus <flow@gentoo.org>2022-07-14 08:52:36 +0200
committerFlorian Schmaus <flow@gentoo.org>2022-07-14 08:52:36 +0200
commit4f75fa95bf1779af53982939e85fa5f904f17345 (patch)
tree869ec2f7e9526f57b1ba404eb27c5b25e7f44b63
parentAlways use origin/ when referencing a branch (diff)
Xen 4.15.4-pre-patchset-04.15.4-pre-patchset-0
Signed-off-by: Florian Schmaus <flow@gentoo.org>
-rw-r--r--0001-build-fix-exported-variable-name-CFLAGS_stack_bounda.patch67
-rw-r--r--0002-IOMMU-x86-work-around-bogus-gcc12-warning-in-hvm_gsi.patch52
-rw-r--r--0003-ehci-dbgp-fix-selecting-n-th-ehci-controller.patch36
-rw-r--r--0004-tools-xenstored-Harden-corrupt.patch44
-rw-r--r--0005-x86-spec-ctrl-Only-adjust-MSR_SPEC_CTRL-for-idle-wit.patch93
-rw-r--r--0006-x86-spec-ctrl-Knobs-for-STIBP-and-PSFD-and-follow-ha.patch234
-rw-r--r--0007-libxc-fix-compilation-error-with-gcc13.patch33
-rw-r--r--0008-x86-spec-ctrl-Honour-spec-ctrl-0-for-unpriv-mmio-sub.patch32
-rw-r--r--0009-xen-cmdline-Extend-parse_boolean-to-signal-a-name-ma.patch87
-rw-r--r--0010-x86-spec-ctrl-Add-fine-grained-cmdline-suboptions-fo.patch137
-rw-r--r--0011-tools-helpers-fix-build-of-xen-init-dom0-with-Werror.patch28
-rw-r--r--0012-libxl-check-return-value-of-libxl__xs_directory-in-n.patch38
-rw-r--r--0013-update-Xen-version-to-4.15.4-pre.patch25
-rw-r--r--0014-x86-spec-ctrl-Rework-spec_ctrl_flags-context-switchi.patch167
-rw-r--r--0015-x86-spec-ctrl-Rename-SCF_ist_wrmsr-to-SCF_ist_sc_msr.patch110
-rw-r--r--0016-x86-spec-ctrl-Rename-opt_ibpb-to-opt_ibpb_ctxt_switc.patch97
-rw-r--r--0017-x86-spec-ctrl-Rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch106
-rw-r--r--0018-x86-spec-ctrl-Support-IBPB-on-entry.patch300
-rw-r--r--0019-x86-cpuid-Enumeration-for-BTC_NO.patch106
-rw-r--r--0020-x86-spec-ctrl-Enable-Zen2-chickenbit.patch105
-rw-r--r--0021-x86-spec-ctrl-Mitigate-Branch-Type-Confusion-when-po.patch305
-rw-r--r--info.txt6
22 files changed, 2205 insertions, 3 deletions
diff --git a/0001-build-fix-exported-variable-name-CFLAGS_stack_bounda.patch b/0001-build-fix-exported-variable-name-CFLAGS_stack_bounda.patch
new file mode 100644
index 0000000..96eb282
--- /dev/null
+++ b/0001-build-fix-exported-variable-name-CFLAGS_stack_bounda.patch
@@ -0,0 +1,67 @@
+From f6e26ce7d9317abc41130ead6dc2443a7e2dde00 Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Tue, 12 Jul 2022 11:20:46 +0200
+Subject: [PATCH 01/21] build: fix exported variable name CFLAGS_stack_boundary
+
+Exporting a variable with a dash doesn't work reliably, they may be
+striped from the environment when calling a sub-make or sub-shell.
+
+CFLAGS-stack-boundary start to be removed from env in patch "build:
+set ALL_OBJS in main Makefile; move prelink.o to main Makefile" when
+running `make "ALL_OBJS=.."` due to the addition of the quote. At
+least in my empirical tests.
+
+Fixes: 2740d96efd ("xen/build: have the root Makefile generates the CFLAGS")
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+master commit: aa390d513a67a6ec0a069eea7478e5ecd54a7ea6
+master date: 2022-01-28 11:44:33 +0100
+---
+ xen/arch/x86/Rules.mk | 4 ++--
+ xen/arch/x86/arch.mk | 4 ++--
+ xen/arch/x86/efi/Makefile | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/xen/arch/x86/Rules.mk b/xen/arch/x86/Rules.mk
+index 56fe22c979ea..7aef93f5f3a0 100644
+--- a/xen/arch/x86/Rules.mk
++++ b/xen/arch/x86/Rules.mk
+@@ -6,5 +6,5 @@ object_label_flags = '-D__OBJECT_LABEL__=$(subst $(BASEDIR)/,,$(CURDIR))/$@'
+ else
+ object_label_flags = '-D__OBJECT_LABEL__=$(subst /,$$,$(subst -,_,$(subst $(BASEDIR)/,,$(CURDIR))/$@))'
+ endif
+-c_flags += $(object_label_flags) $(CFLAGS-stack-boundary)
+-a_flags += $(object_label_flags) $(CFLAGS-stack-boundary)
++c_flags += $(object_label_flags) $(CFLAGS_stack_boundary)
++a_flags += $(object_label_flags) $(CFLAGS_stack_boundary)
+diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
+index 033048ab6b2d..456e5d5c1ad7 100644
+--- a/xen/arch/x86/arch.mk
++++ b/xen/arch/x86/arch.mk
+@@ -57,8 +57,8 @@ endif
+
+ # If supported by the compiler, reduce stack alignment to 8 bytes. But allow
+ # this to be overridden elsewhere.
+-$(call cc-option-add,CFLAGS-stack-boundary,CC,-mpreferred-stack-boundary=3)
+-export CFLAGS-stack-boundary
++$(call cc-option-add,CFLAGS_stack_boundary,CC,-mpreferred-stack-boundary=3)
++export CFLAGS_stack_boundary
+
+ ifeq ($(CONFIG_UBSAN),y)
+ # Don't enable alignment sanitisation. x86 has efficient unaligned accesses,
+diff --git a/xen/arch/x86/efi/Makefile b/xen/arch/x86/efi/Makefile
+index e857c0f2cc2c..a5b2041f9b96 100644
+--- a/xen/arch/x86/efi/Makefile
++++ b/xen/arch/x86/efi/Makefile
+@@ -11,7 +11,7 @@ boot.init.o: buildid.o
+ EFIOBJ := boot.init.o pe.init.o ebmalloc.o compat.o runtime.o
+
+ $(call cc-option-add,cflags-stack-boundary,CC,-mpreferred-stack-boundary=4)
+-$(EFIOBJ): CFLAGS-stack-boundary := $(cflags-stack-boundary)
++$(EFIOBJ): CFLAGS_stack_boundary := $(cflags-stack-boundary)
+
+ obj-y := stub.o
+ obj-$(XEN_BUILD_EFI) := $(filter-out %.init.o,$(EFIOBJ))
+--
+2.35.1
+
diff --git a/0002-IOMMU-x86-work-around-bogus-gcc12-warning-in-hvm_gsi.patch b/0002-IOMMU-x86-work-around-bogus-gcc12-warning-in-hvm_gsi.patch
new file mode 100644
index 0000000..45e4cfd
--- /dev/null
+++ b/0002-IOMMU-x86-work-around-bogus-gcc12-warning-in-hvm_gsi.patch
@@ -0,0 +1,52 @@
+From b89b932cfe86556c5de4ad56702aed83142e22a3 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 12 Jul 2022 11:21:14 +0200
+Subject: [PATCH 02/21] IOMMU/x86: work around bogus gcc12 warning in
+ hvm_gsi_eoi()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As per [1] the expansion of the pirq_dpci() macro causes a -Waddress
+controlled warning (enabled implicitly in our builds, if not by default)
+tying the middle part of the involved conditional expression to the
+surrounding boolean context. Work around this by introducing a local
+inline function in the affected source file.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Roger Pau Monné <roger.pau@citrix.com>
+
+[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102967
+master commit: 80ad8db8a4d9bb24952f0aea788ce6f47566fa76
+master date: 2022-06-15 10:19:32 +0200
+---
+ xen/drivers/passthrough/x86/hvm.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/xen/drivers/passthrough/x86/hvm.c b/xen/drivers/passthrough/x86/hvm.c
+index 9544f3234e65..50865eec2c04 100644
+--- a/xen/drivers/passthrough/x86/hvm.c
++++ b/xen/drivers/passthrough/x86/hvm.c
+@@ -25,6 +25,18 @@
+ #include <asm/hvm/support.h>
+ #include <asm/io_apic.h>
+
++/*
++ * Gcc12 takes issue with pirq_dpci() being used in boolean context (see gcc
++ * bug 102967). While we can't replace the macro definition in the header by an
++ * inline function, we can do so here.
++ */
++static inline struct hvm_pirq_dpci *_pirq_dpci(struct pirq *pirq)
++{
++ return pirq_dpci(pirq);
++}
++#undef pirq_dpci
++#define pirq_dpci(pirq) _pirq_dpci(pirq)
++
+ static DEFINE_PER_CPU(struct list_head, dpci_list);
+
+ /*
+--
+2.35.1
+
diff --git a/0003-ehci-dbgp-fix-selecting-n-th-ehci-controller.patch b/0003-ehci-dbgp-fix-selecting-n-th-ehci-controller.patch
new file mode 100644
index 0000000..b79f4b3
--- /dev/null
+++ b/0003-ehci-dbgp-fix-selecting-n-th-ehci-controller.patch
@@ -0,0 +1,36 @@
+From b53df5b4341fa97614ad064a7c8e781c88b6ed71 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+ <marmarek@invisiblethingslab.com>
+Date: Tue, 12 Jul 2022 11:22:09 +0200
+Subject: [PATCH 03/21] ehci-dbgp: fix selecting n-th ehci controller
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The ehci<n> number was parsed but ignored.
+
+Fixes: 322ecbe4ac85 ("console: add EHCI debug port based serial console")
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: d6d0cb659fda64430d4649f8680c5cead32da8fd
+master date: 2022-06-16 14:23:37 +0100
+---
+ xen/drivers/char/ehci-dbgp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/drivers/char/ehci-dbgp.c b/xen/drivers/char/ehci-dbgp.c
+index c893d246defa..66b4811af24a 100644
+--- a/xen/drivers/char/ehci-dbgp.c
++++ b/xen/drivers/char/ehci-dbgp.c
+@@ -1478,7 +1478,7 @@ void __init ehci_dbgp_init(void)
+ unsigned int num = 0;
+
+ if ( opt_dbgp[4] )
+- simple_strtoul(opt_dbgp + 4, &e, 10);
++ num = simple_strtoul(opt_dbgp + 4, &e, 10);
+
+ dbgp->cap = find_dbgp(dbgp, num);
+ if ( !dbgp->cap )
+--
+2.35.1
+
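Review bot: In `ehci_dbgp_init()` the end pointer `e` filled in by `simple_strtoul(opt_dbgp + 4, &e, 10)` is not examined anywhere in the lines shown, so as far as this hunk shows a value with stray characters after the digits would still select controller `num`. If nothing later in the function looks at `e`, a check right after the conversion, something like `if ( *e ) return;` (adjusted for any suffix the option syntax permits), would reject a malformed option instead of silently picking a controller. The function starts and ends outside the hunk, so this needs confirming against the full file.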
diff --git a/0004-tools-xenstored-Harden-corrupt.patch b/0004-tools-xenstored-Harden-corrupt.patch
new file mode 100644
index 0000000..8b30166
--- /dev/null
+++ b/0004-tools-xenstored-Harden-corrupt.patch
@@ -0,0 +1,44 @@
+From 7fe638c28fa693d8bb8f9419de1220d4359a1b2d Mon Sep 17 00:00:00 2001
+From: Julien Grall <jgrall@amazon.com>
+Date: Tue, 12 Jul 2022 11:23:01 +0200
+Subject: [PATCH 04/21] tools/xenstored: Harden corrupt()
+
+At the moment, corrupt() is neither checking for allocation failure
+nor freeing the allocated memory.
+
+Harden the code by printing ENOMEM if the allocation failed and
+free 'str' after the last use.
+
+This is not considered to be a security issue because corrupt() should
+only be called when Xenstored thinks the database is corrupted. Note
+that the trigger (i.e. a guest reliably provoking the call) would be
+a security issue.
+
+Fixes: 06d17943f0cd ("Added a basic integrity checker, and some basic ability to recover from store")
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+master commit: db3382dd4f468c763512d6bf91c96773395058fb
+master date: 2022-06-23 13:44:10 +0100
+---
+ tools/xenstore/xenstored_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
+index 8033c1e0eb28..9172dd767140 100644
+--- a/tools/xenstore/xenstored_core.c
++++ b/tools/xenstore/xenstored_core.c
+@@ -1988,7 +1988,10 @@ void corrupt(struct connection *conn, const char *fmt, ...)
+ va_end(arglist);
+
+ log("corruption detected by connection %i: err %s: %s",
+- conn ? (int)conn->id : -1, strerror(saved_errno), str);
++ conn ? (int)conn->id : -1, strerror(saved_errno),
++ str ?: "ENOMEM");
++
++ talloc_free(str);
+
+ check_store();
+ }
+--
+2.35.1
+
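Review bot: When the allocation fails, the `log()` call in `corrupt()` records only `strerror(saved_errno)` and the literal "ENOMEM", so the description of what was found corrupt is lost exactly when the daemon is also short of memory. Falling back to the unformatted format string would keep some of that context for whoever reads the log: `str ?: fmt` (it is passed as a `%s` argument, so its conversion specifiers are printed, not interpreted). The commit message states that a guest reliably provoking corrupt() would be a security issue; a short comment above the function recording that expectation, e.g. `/* Must not be reachable on demand by a guest; a reliable trigger is a security bug. */`, would keep it visible to later editors. corrupt() starts outside the hunk.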
diff --git a/0005-x86-spec-ctrl-Only-adjust-MSR_SPEC_CTRL-for-idle-wit.patch b/0005-x86-spec-ctrl-Only-adjust-MSR_SPEC_CTRL-for-idle-wit.patch
new file mode 100644
index 0000000..158e2b0
--- /dev/null
+++ b/0005-x86-spec-ctrl-Only-adjust-MSR_SPEC_CTRL-for-idle-wit.patch
@@ -0,0 +1,93 @@
+From 799a8d49237a62ea0d33c3756a6a7f665b8389b2 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 12 Jul 2022 11:23:32 +0200
+Subject: [PATCH 05/21] x86/spec-ctrl: Only adjust MSR_SPEC_CTRL for idle with
+ legacy IBRS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Back at the time of the original Spectre-v2 fixes, it was recommended to clear
+MSR_SPEC_CTRL when going idle. This is because of the side effects on the
+sibling thread caused by the microcode IBRS and STIBP implementations which
+were retrofitted to existing CPUs.
+
+However, there are no relevant cross-thread impacts for the hardware
+IBRS/STIBP implementations, so this logic should not be used on Intel CPUs
+supporting eIBRS, or any AMD CPUs; doing so only adds unnecessary latency to
+the idle path.
+
+Furthermore, there's no point playing with MSR_SPEC_CTRL in the idle paths if
+SMT is disabled for other reasons.
+
+Fixes: 8d03080d2a33 ("x86/spec-ctrl: Cease using thunk=lfence on AMD")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: ffc7694e0c99eea158c32aa164b7d1e1bb1dc46b
+master date: 2022-06-30 18:07:13 +0100
+---
+ xen/arch/x86/spec_ctrl.c | 10 ++++++++--
+ xen/include/asm-x86/cpufeatures.h | 2 +-
+ xen/include/asm-x86/spec_ctrl.h | 5 +++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 83b856fa9158..eb7fb70e86f9 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -1103,8 +1103,14 @@ void __init init_speculation_mitigations(void)
+ /* (Re)init BSP state now that default_spec_ctrl_flags has been calculated. */
+ init_shadow_spec_ctrl_state();
+
+- /* If Xen is using any MSR_SPEC_CTRL settings, adjust the idle path. */
+- if ( default_xen_spec_ctrl )
++ /*
++ * For microcoded IBRS only (i.e. Intel, pre eIBRS), it is recommended to
++ * clear MSR_SPEC_CTRL before going idle, to avoid impacting sibling
++ * threads. Activate this if SMT is enabled, and Xen is using a non-zero
++ * MSR_SPEC_CTRL setting.
++ */
++ if ( boot_cpu_has(X86_FEATURE_IBRSB) && !(caps & ARCH_CAPS_IBRS_ALL) &&
++ hw_smt_enabled && default_xen_spec_ctrl )
+ setup_force_cpu_cap(X86_FEATURE_SC_MSR_IDLE);
+
+ xpti_init_default(caps);
+diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h
+index 9eaab7a2a1fa..f7488d3ccbfa 100644
+--- a/xen/include/asm-x86/cpufeatures.h
++++ b/xen/include/asm-x86/cpufeatures.h
+@@ -33,7 +33,7 @@ XEN_CPUFEATURE(SC_MSR_HVM, X86_SYNTH(17)) /* MSR_SPEC_CTRL used by Xen fo
+ XEN_CPUFEATURE(SC_RSB_PV, X86_SYNTH(18)) /* RSB overwrite needed for PV */
+ XEN_CPUFEATURE(SC_RSB_HVM, X86_SYNTH(19)) /* RSB overwrite needed for HVM */
+ XEN_CPUFEATURE(XEN_SELFSNOOP, X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */
+-XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* (SC_MSR_PV || SC_MSR_HVM) && default_xen_spec_ctrl */
++XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */
+ XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */
+ /* Bits 23,24 unused. */
+ XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index 68f6c46c470c..12283573cdd5 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -78,7 +78,8 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info)
+ uint32_t val = 0;
+
+ /*
+- * Branch Target Injection:
++ * It is recommended in some cases to clear MSR_SPEC_CTRL when going idle,
++ * to avoid impacting sibling threads.
+ *
+ * Latch the new shadow value, then enable shadowing, then update the MSR.
+ * There are no SMP issues here; only local processor ordering concerns.
+@@ -114,7 +115,7 @@ static always_inline void spec_ctrl_exit_idle(struct cpu_info *info)
+ uint32_t val = info->xen_spec_ctrl;
+
+ /*
+- * Branch Target Injection:
++ * Restore MSR_SPEC_CTRL on exit from idle.
+ *
+ * Disable shadowing before updating the MSR. There are no SMP issues
+ * here; only local processor ordering concerns.
+--
+2.35.1
+
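Review bot: The rewritten comment in `spec_ctrl_enter_idle()` says MSR_SPEC_CTRL is cleared "in some cases" without saying which, while the actual condition now lives only in `init_speculation_mitigations()`. Naming the gate in the comment would save readers the search, e.g. `* Only used when X86_FEATURE_SC_MSR_IDLE is set: microcoded IBRS, SMT enabled, non-zero default_xen_spec_ctrl.` The same applies to the one-line comment in `spec_ctrl_exit_idle()`. Both functions continue outside their hunks, so whether their bodies are keyed on that feature bit is not visible here and should be confirmed before wording the comment.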
diff --git a/0006-x86-spec-ctrl-Knobs-for-STIBP-and-PSFD-and-follow-ha.patch b/0006-x86-spec-ctrl-Knobs-for-STIBP-and-PSFD-and-follow-ha.patch
new file mode 100644
index 0000000..65670fd
--- /dev/null
+++ b/0006-x86-spec-ctrl-Knobs-for-STIBP-and-PSFD-and-follow-ha.patch
@@ -0,0 +1,234 @@
+From cd5081e8c31651e623d86532306b4c56bbcb6e6d Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 12 Jul 2022 11:24:11 +0200
+Subject: [PATCH 06/21] x86/spec-ctrl: Knobs for STIBP and PSFD, and follow
+ hardware STIBP hint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+STIBP and PSFD are slightly weird bits, because they're both implied by other
+bits in MSR_SPEC_CTRL. Add fine grain controls for them, and take the
+implications into account when setting IBRS/SSBD.
+
+Rearrange the IBPB text/variables/logic to keep all the MSR_SPEC_CTRL bits
+together, for consistency.
+
+However, AMD have a hardware hint CPUID bit recommending that STIBP be set
+unilaterally. This is advertised on Zen3, so follow the recommendation.
+Furthermore, in such cases, set STIBP behind the guest's back for now. This
+has negligible overhead for the guest, but saves a WRMSR on vmentry. This is
+the only default change.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
+master commit: fef244b179c06fcdfa581f7d57fa6e578c49ff50
+master date: 2022-06-30 18:07:13 +0100
+---
+ docs/misc/xen-command-line.pandoc | 21 +++++++---
+ xen/arch/x86/hvm/svm/vmcb.c | 9 +++++
+ xen/arch/x86/spec_ctrl.c | 67 ++++++++++++++++++++++++++-----
+ 3 files changed, 82 insertions(+), 15 deletions(-)
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index e17a835ed254..1db3da9ef78e 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -2170,8 +2170,9 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
+
+ ### spec-ctrl (x86)
+ > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>,
+-> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu,
+-> l1d-flush,branch-harden,srb-lock,unpriv-mmio}=<bool> ]`
++> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd,
++> eager-fpu,l1d-flush,branch-harden,srb-lock,
++> unpriv-mmio}=<bool> ]`
+
+ Controls for speculative execution sidechannel mitigations. By default, Xen
+ will pick the most appropriate mitigations based on compiled in support,
+@@ -2221,9 +2222,10 @@ On hardware supporting IBRS (Indirect Branch Restricted Speculation), the
+ If Xen is not using IBRS itself, functionality is still set up so IBRS can be
+ virtualised for guests.
+
+-On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=`
+-option can be used to force (the default) or prevent Xen from issuing branch
+-prediction barriers on vcpu context switches.
++On hardware supporting STIBP (Single Thread Indirect Branch Predictors), the
++`stibp=` option can be used to force or prevent Xen using the feature itself.
++By default, Xen will use STIBP when IBRS is in use (IBRS implies STIBP), and
++when hardware hints recommend using it as a blanket setting.
+
+ On hardware supporting SSBD (Speculative Store Bypass Disable), the `ssbd=`
+ option can be used to force or prevent Xen using the feature itself. On AMD
+@@ -2231,6 +2233,15 @@ hardware, this is a global option applied at boot, and not virtualised for
+ guest use. On Intel hardware, the feature is virtualised for guests,
+ independently of Xen's choice of setting.
+
++On hardware supporting PSFD (Predictive Store Forwarding Disable), the `psfd=`
++option can be used to force or prevent Xen using the feature itself. By
++default, Xen will not use PSFD. PSFD is implied by SSBD, and SSBD is off by
++default.
++
++On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=`
++option can be used to force (the default) or prevent Xen from issuing branch
++prediction barriers on vcpu context switches.
++
+ On all hardware, the `eager-fpu=` option can be used to force or prevent Xen
+ from using fully eager FPU context switches. This is currently implemented as
+ a global control. By default, Xen will choose to use fully eager context
+diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c
+index 55da9302e5d7..a0bf9f4e056a 100644
+--- a/xen/arch/x86/hvm/svm/vmcb.c
++++ b/xen/arch/x86/hvm/svm/vmcb.c
+@@ -29,6 +29,7 @@
+ #include <asm/hvm/support.h>
+ #include <asm/hvm/svm/svm.h>
+ #include <asm/hvm/svm/svmdebug.h>
++#include <asm/spec_ctrl.h>
+
+ struct vmcb_struct *alloc_vmcb(void)
+ {
+@@ -175,6 +176,14 @@ static int construct_vmcb(struct vcpu *v)
+ vmcb->_pause_filter_thresh = SVM_PAUSETHRESH_INIT;
+ }
+
++ /*
++ * When default_xen_spec_ctrl simply SPEC_CTRL_STIBP, default this behind
++ * the back of the VM too. Our SMT topology isn't accurate, the overhead
++ * is neglegable, and doing this saves a WRMSR on the vmentry path.
++ */
++ if ( default_xen_spec_ctrl == SPEC_CTRL_STIBP )
++ v->arch.msrs->spec_ctrl.raw = SPEC_CTRL_STIBP;
++
+ return 0;
+ }
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index eb7fb70e86f9..8212227ee02a 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -48,9 +48,13 @@ static enum ind_thunk {
+ THUNK_LFENCE,
+ THUNK_JMP,
+ } opt_thunk __initdata = THUNK_DEFAULT;
++
+ static int8_t __initdata opt_ibrs = -1;
++int8_t __initdata opt_stibp = -1;
++bool __read_mostly opt_ssbd;
++int8_t __initdata opt_psfd = -1;
++
+ bool __read_mostly opt_ibpb = true;
+-bool __read_mostly opt_ssbd = false;
+ int8_t __read_mostly opt_eager_fpu = -1;
+ int8_t __read_mostly opt_l1d_flush = -1;
+ bool __read_mostly opt_branch_harden = true;
+@@ -172,12 +176,20 @@ static int __init parse_spec_ctrl(const char *s)
+ else
+ rc = -EINVAL;
+ }
++
++ /* Bits in MSR_SPEC_CTRL. */
+ else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 )
+ opt_ibrs = val;
+- else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 )
+- opt_ibpb = val;
++ else if ( (val = parse_boolean("stibp", s, ss)) >= 0 )
++ opt_stibp = val;
+ else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 )
+ opt_ssbd = val;
++ else if ( (val = parse_boolean("psfd", s, ss)) >= 0 )
++ opt_psfd = val;
++
++ /* Misc settings. */
++ else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 )
++ opt_ibpb = val;
+ else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 )
+ opt_eager_fpu = val;
+ else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 )
+@@ -376,7 +388,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+ "\n");
+
+ /* Settings for Xen's protection, irrespective of guests. */
+- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s, Other:%s%s%s%s%s\n",
++ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s\n",
+ thunk == THUNK_NONE ? "N/A" :
+ thunk == THUNK_RETPOLINE ? "RETPOLINE" :
+ thunk == THUNK_LFENCE ? "LFENCE" :
+@@ -390,6 +402,9 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+ (!boot_cpu_has(X86_FEATURE_SSBD) &&
+ !boot_cpu_has(X86_FEATURE_AMD_SSBD)) ? "" :
+ (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-",
++ (!boot_cpu_has(X86_FEATURE_PSFD) &&
++ !boot_cpu_has(X86_FEATURE_INTEL_PSFD)) ? "" :
++ (default_xen_spec_ctrl & SPEC_CTRL_PSFD) ? " PSFD+" : " PSFD-",
+ !(caps & ARCH_CAPS_TSX_CTRL) ? "" :
+ (opt_tsx & 1) ? " TSX+" : " TSX-",
+ !cpu_has_srbds_ctrl ? "" :
+@@ -950,10 +965,7 @@ void __init init_speculation_mitigations(void)
+ if ( !has_spec_ctrl )
+ printk(XENLOG_WARNING "?!? CET active, but no MSR_SPEC_CTRL?\n");
+ else if ( opt_ibrs == -1 )
+- {
+ opt_ibrs = ibrs = true;
+- default_xen_spec_ctrl |= SPEC_CTRL_IBRS | SPEC_CTRL_STIBP;
+- }
+
+ if ( opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE )
+ thunk = THUNK_JMP;
+@@ -1057,14 +1069,49 @@ void __init init_speculation_mitigations(void)
+ setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM);
+ }
+
+- /* If we have IBRS available, see whether we should use it. */
++ /* Figure out default_xen_spec_ctrl. */
+ if ( has_spec_ctrl && ibrs )
+- default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
++ {
++ /* IBRS implies STIBP. */
++ if ( opt_stibp == -1 )
++ opt_stibp = 1;
++
++ default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
++ }
++
++ /*
++ * Use STIBP by default if the hardware hint is set. Otherwise, leave it
++ * off as it a severe performance pentalty on pre-eIBRS Intel hardware
++ * where it was retrofitted in microcode.
++ */
++ if ( opt_stibp == -1 )
++ opt_stibp = !!boot_cpu_has(X86_FEATURE_STIBP_ALWAYS);
++
++ if ( opt_stibp && (boot_cpu_has(X86_FEATURE_STIBP) ||
++ boot_cpu_has(X86_FEATURE_AMD_STIBP)) )
++ default_xen_spec_ctrl |= SPEC_CTRL_STIBP;
+
+- /* If we have SSBD available, see whether we should use it. */
+ if ( opt_ssbd && (boot_cpu_has(X86_FEATURE_SSBD) ||
+ boot_cpu_has(X86_FEATURE_AMD_SSBD)) )
++ {
++ /* SSBD implies PSFD */
++ if ( opt_psfd == -1 )
++ opt_psfd = 1;
++
+ default_xen_spec_ctrl |= SPEC_CTRL_SSBD;
++ }
++
++ /*
++ * Don't use PSFD by default. AMD designed the predictor to
++ * auto-clear on privilege change. PSFD is implied by SSBD, which is
++ * off by default.
++ */
++ if ( opt_psfd == -1 )
++ opt_psfd = 0;
++
++ if ( opt_psfd && (boot_cpu_has(X86_FEATURE_PSFD) ||
++ boot_cpu_has(X86_FEATURE_INTEL_PSFD)) )
++ default_xen_spec_ctrl |= SPEC_CTRL_PSFD;
+
+ /*
+ * PV guests can poison the RSB to any virtual address from which
+--
+2.35.1
+
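Review bot: The `spec-ctrl` synopsis in xen-command-line.pandoc gains `psfd` but not `stibp`, although `parse_spec_ctrl()` now accepts `stibp` and the new paragraph below the synopsis documents `stibp=`; adding it to the list (`{ibrs,stibp,ssbd,psfd,ibpb,` …) keeps the option discoverable. In `init_speculation_mitigations()` an explicit `stibp=0` or `psfd=0` only keeps that bit out of `default_xen_spec_ctrl`; since the code comments state that IBRS implies STIBP and SSBD implies PSFD, the documentation should presumably say that the explicit zero does not turn the behaviour off while the implying bit is set. The new comments also carry wording slips worth fixing before they are copied further: "When default_xen_spec_ctrl simply SPEC_CTRL_STIBP" lacks "is", and "neglegable" and "as it a severe performance pentalty" are misspelt.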
diff --git a/0007-libxc-fix-compilation-error-with-gcc13.patch b/0007-libxc-fix-compilation-error-with-gcc13.patch
new file mode 100644
index 0000000..b46552f
--- /dev/null
+++ b/0007-libxc-fix-compilation-error-with-gcc13.patch
@@ -0,0 +1,33 @@
+From 77deab4233b5d9ec5cf214fdc1652424fd4fc9d6 Mon Sep 17 00:00:00 2001
+From: Charles Arnold <carnold@suse.com>
+Date: Tue, 12 Jul 2022 11:24:39 +0200
+Subject: [PATCH 07/21] libxc: fix compilation error with gcc13
+
+xc_psr.c:161:5: error: conflicting types for 'xc_psr_cmt_get_data'
+due to enum/integer mismatch;
+
+Signed-off-by: Charles Arnold <carnold@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Anthony PERARD <anthony.perard@citrix.com>
+master commit: 8eeae8c2b4efefda8e946461e86cf2ae9c18e5a9
+master date: 2022-07-06 13:06:40 +0200
+---
+ tools/include/xenctrl.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/include/xenctrl.h b/tools/include/xenctrl.h
+index 318920166c5e..2013200b9eff 100644
+--- a/tools/include/xenctrl.h
++++ b/tools/include/xenctrl.h
+@@ -2577,7 +2577,7 @@ int xc_psr_cmt_get_l3_event_mask(xc_interface *xch, uint32_t *event_mask);
+ int xc_psr_cmt_get_l3_cache_size(xc_interface *xch, uint32_t cpu,
+ uint32_t *l3_cache_size);
+ int xc_psr_cmt_get_data(xc_interface *xch, uint32_t rmid, uint32_t cpu,
+- uint32_t psr_cmt_type, uint64_t *monitor_data,
++ xc_psr_cmt_type type, uint64_t *monitor_data,
+ uint64_t *tsc);
+ int xc_psr_cmt_enabled(xc_interface *xch);
+
+--
+2.35.1
+
diff --git a/0008-x86-spec-ctrl-Honour-spec-ctrl-0-for-unpriv-mmio-sub.patch b/0008-x86-spec-ctrl-Honour-spec-ctrl-0-for-unpriv-mmio-sub.patch
new file mode 100644
index 0000000..94f729b
--- /dev/null
+++ b/0008-x86-spec-ctrl-Honour-spec-ctrl-0-for-unpriv-mmio-sub.patch
@@ -0,0 +1,32 @@
+From 5be1f46f435f8b05608b1eae029cb17d8bd3a560 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 12 Jul 2022 11:25:05 +0200
+Subject: [PATCH 08/21] x86/spec-ctrl: Honour spec-ctrl=0 for unpriv-mmio
+ sub-option
+
+This was an oversight from when unpriv-mmio was introduced.
+
+Fixes: 8c24b70fedcb ("x86/spec-ctrl: Add spec-ctrl=unpriv-mmio")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 4cdb519d797c19ebb8fadc5938cdb47479d5a21b
+master date: 2022-07-11 15:21:35 +0100
+---
+ xen/arch/x86/spec_ctrl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 8212227ee02a..06790897e496 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -122,6 +122,7 @@ static int __init parse_spec_ctrl(const char *s)
+ opt_l1d_flush = 0;
+ opt_branch_harden = false;
+ opt_srb_lock = 0;
++ opt_unpriv_mmio = false;
+ }
+ else if ( val > 0 )
+ rc = -EINVAL;
+--
+2.35.1
+
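Review bot: The set of options cleared by `spec-ctrl=no` in `parse_spec_ctrl()` is maintained by hand, and this fix shows how easily a new knob is missed. Patch 06 of this series adds `opt_stibp` and `opt_psfd`; neither appears among the four assignments visible in this hunk, and the start of the branch is outside it, so it is worth confirming whether they are reset there or are meant to keep their defaults under `spec-ctrl=no`. A comment at the top of the branch, for example `/* Every opt_* parsed below must be reset here, or be documented as exempt. */`, would make the rule explicit for the next sub-option.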
diff --git a/0009-xen-cmdline-Extend-parse_boolean-to-signal-a-name-ma.patch b/0009-xen-cmdline-Extend-parse_boolean-to-signal-a-name-ma.patch
new file mode 100644
index 0000000..1b8787f
--- /dev/null
+++ b/0009-xen-cmdline-Extend-parse_boolean-to-signal-a-name-ma.patch
@@ -0,0 +1,87 @@
+From ae417706870333bb52ebcf33c527809cdd2d7265 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 12 Jul 2022 11:25:40 +0200
+Subject: [PATCH 09/21] xen/cmdline: Extend parse_boolean() to signal a name
+ match
+
+This will help parsing a sub-option which has boolean and non-boolean options
+available.
+
+First, rework 'int val' into 'bool has_neg_prefix'. This inverts it's value,
+but the resulting logic is far easier to follow.
+
+Second, reject anything of the form 'no-$FOO=' which excludes ambiguous
+constructs such as 'no-$foo=yes' which have never been valid.
+
+This just leaves the case where everything is otherwise fine, but parse_bool()
+can't interpret the provided string.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 382326cac528dd1eb0d04efd5c05363c453e29f4
+master date: 2022-07-11 15:21:35 +0100
+---
+ xen/common/kernel.c | 20 ++++++++++++++++----
+ xen/include/xen/lib.h | 3 ++-
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/xen/common/kernel.c b/xen/common/kernel.c
+index 7a345ae45e1e..daf965266573 100644
+--- a/xen/common/kernel.c
++++ b/xen/common/kernel.c
+@@ -272,9 +272,9 @@ int parse_bool(const char *s, const char *e)
+ int parse_boolean(const char *name, const char *s, const char *e)
+ {
+ size_t slen, nlen;
+- int val = !!strncmp(s, "no-", 3);
++ bool has_neg_prefix = !strncmp(s, "no-", 3);
+
+- if ( !val )
++ if ( has_neg_prefix )
+ s += 3;
+
+ slen = e ? ({ ASSERT(e >= s); e - s; }) : strlen(s);
+@@ -286,11 +286,23 @@ int parse_boolean(const char *name, const char *s, const char *e)
+
+ /* Exact, unadorned name? Result depends on the 'no-' prefix. */
+ if ( slen == nlen )
+- return val;
++ return !has_neg_prefix;
++
++ /* Inexact match with a 'no-' prefix? Not valid. */
++ if ( has_neg_prefix )
++ return -1;
+
+ /* =$SOMETHING? Defer to the regular boolean parsing. */
+ if ( s[nlen] == '=' )
+- return parse_bool(&s[nlen + 1], e);
++ {
++ int b = parse_bool(&s[nlen + 1], e);
++
++ if ( b >= 0 )
++ return b;
++
++ /* Not a boolean, but the name matched. Signal specially. */
++ return -2;
++ }
+
+ /* Unrecognised. Give up. */
+ return -1;
+diff --git a/xen/include/xen/lib.h b/xen/include/xen/lib.h
+index 1198c7c0b207..be7498135170 100644
+--- a/xen/include/xen/lib.h
++++ b/xen/include/xen/lib.h
+@@ -80,7 +80,8 @@ int parse_bool(const char *s, const char *e);
+ /**
+ * Given a specific name, parses a string of the form:
+ * [no-]$NAME[=...]
+- * returning 0 or 1 for a recognised boolean, or -1 for an error.
++ * returning 0 or 1 for a recognised boolean. Returns -1 for general errors,
++ * and -2 for "not a boolean, but $NAME= matches".
+ */
+ int parse_boolean(const char *name, const char *s, const char *e);
+
+--
+2.35.1
+
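Review bot: `parse_boolean()` now returns a bare `-2` for "name matched, value is not a boolean", a contract callers have to know by number. Callers that test `>= 0` or `< 0` behave as before, but any caller that compares the result with `-1` exactly, or uses it directly as a truth value, would handle `-2` differently; those call sites are outside this patch and should be audited when it is applied. Defining named constants for the two error returns in lib.h next to the prototype, and using them in kernel.c in place of `return -1;` and `return -2;`, would make the distinction readable at call sites.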
diff --git a/0010-x86-spec-ctrl-Add-fine-grained-cmdline-suboptions-fo.patch b/0010-x86-spec-ctrl-Add-fine-grained-cmdline-suboptions-fo.patch
new file mode 100644
index 0000000..a808523
--- /dev/null
+++ b/0010-x86-spec-ctrl-Add-fine-grained-cmdline-suboptions-fo.patch
@@ -0,0 +1,137 @@
+From 08bfd4d01185e94fda1be9dd79a981d890a9085e Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 12 Jul 2022 11:26:14 +0200
+Subject: [PATCH 10/21] x86/spec-ctrl: Add fine-grained cmdline suboptions for
+ primitives
+
+Support controling the PV/HVM suboption of msr-sc/rsb/md-clear, which
+previously wasn't possible.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: 27357c394ba6e1571a89105b840ce1c6f026485c
+master date: 2022-07-11 15:21:35 +0100
+---
+ docs/misc/xen-command-line.pandoc | 12 ++++--
+ xen/arch/x86/spec_ctrl.c | 66 ++++++++++++++++++++++++++-----
+ 2 files changed, 66 insertions(+), 12 deletions(-)
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index 1db3da9ef78e..b06db5f654e5 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -2169,7 +2169,8 @@ not be able to control the state of the mitigation.
+ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
+
+ ### spec-ctrl (x86)
+-> `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>,
++> `= List of [ <bool>, xen=<bool>, {pv,hvm}=<bool>,
++> {msr-sc,rsb,md-clear}=<bool>|{pv,hvm}=<bool>,
+ > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd,
+ > eager-fpu,l1d-flush,branch-harden,srb-lock,
+ > unpriv-mmio}=<bool> ]`
+@@ -2194,12 +2195,17 @@ in place for guests to use.
+
+ Use of a positive boolean value for either of these options is invalid.
+
+-The booleans `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` offer fine
++The `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` options offer fine
+ grained control over the primitives by Xen. These impact Xen's ability to
+-protect itself, and Xen's ability to virtualise support for guests to use.
++protect itself, and/or Xen's ability to virtualise support for guests to use.
+
+ * `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests
+ respectively.
++* Each other option can be used either as a plain boolean
++ (e.g. `spec-ctrl=rsb` to control both the PV and HVM sub-options), or with
++ `pv=` or `hvm=` subsuboptions (e.g. `spec-ctrl=rsb=no-hvm` to disable HVM
++ RSB only).
++
+ * `msr-sc=` offers control over Xen's support for manipulating `MSR_SPEC_CTRL`
+ on entry and exit. These blocks are necessary to virtualise support for
+ guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc.
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 06790897e496..225fe08259b3 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -147,20 +147,68 @@ static int __init parse_spec_ctrl(const char *s)
+ opt_rsb_hvm = val;
+ opt_md_clear_hvm = val;
+ }
+- else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 )
++ else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 )
+ {
+- opt_msr_sc_pv = val;
+- opt_msr_sc_hvm = val;
++ switch ( val )
++ {
++ case 0:
++ case 1:
++ opt_msr_sc_pv = opt_msr_sc_hvm = val;
++ break;
++
++ case -2:
++ s += strlen("msr-sc=");
++ if ( (val = parse_boolean("pv", s, ss)) >= 0 )
++ opt_msr_sc_pv = val;
++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
++ opt_msr_sc_hvm = val;
++ else
++ default:
++ rc = -EINVAL;
++ break;
++ }
+ }
+- else if ( (val = parse_boolean("rsb", s, ss)) >= 0 )
++ else if ( (val = parse_boolean("rsb", s, ss)) != -1 )
+ {
+- opt_rsb_pv = val;
+- opt_rsb_hvm = val;
++ switch ( val )
++ {
++ case 0:
++ case 1:
++ opt_rsb_pv = opt_rsb_hvm = val;
++ break;
++
++ case -2:
++ s += strlen("rsb=");
++ if ( (val = parse_boolean("pv", s, ss)) >= 0 )
++ opt_rsb_pv = val;
++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
++ opt_rsb_hvm = val;
++ else
++ default:
++ rc = -EINVAL;
++ break;
++ }
+ }
+- else if ( (val = parse_boolean("md-clear", s, ss)) >= 0 )
++ else if ( (val = parse_boolean("md-clear", s, ss)) != -1 )
+ {
+- opt_md_clear_pv = val;
+- opt_md_clear_hvm = val;
++ switch ( val )
++ {
++ case 0:
++ case 1:
++ opt_md_clear_pv = opt_md_clear_hvm = val;
++ break;
++
++ case -2:
++ s += strlen("md-clear=");
++ if ( (val = parse_boolean("pv", s, ss)) >= 0 )
++ opt_md_clear_pv = val;
++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
++ opt_md_clear_hvm = val;
++ else
++ default:
++ rc = -EINVAL;
++ break;
++ }
+ }
+
+ /* Xen's speculative sidechannel mitigation settings. */
+--
+2.35.1
+
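Review bot: The `else` / `default:` pairing in each `case -2:` arm of parse_spec_ctrl() is easy to misread, because the `default:` label sits inside the `else` branch, so an unmatched sub-suboption and an unexpected parse_boolean() result both land on the same `rc = -EINVAL;`. These options select which speculation mitigations apply per guest type, so a later edit that separates the two would fail quietly. A short comment at the label would help, for example `/* default: deliberately shares the else arm: unknown sub-suboption or unexpected val */`. The same block is also repeated for msr-sc, rsb and md-clear with only the names changed, so a small static helper taking the option name and pointers to the pv/hvm variables would remove the risk of a copy-paste slip setting the wrong knob. parse_spec_ctrl() starts and ends outside the hunk.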
diff --git a/0011-tools-helpers-fix-build-of-xen-init-dom0-with-Werror.patch b/0011-tools-helpers-fix-build-of-xen-init-dom0-with-Werror.patch
new file mode 100644
index 0000000..b597673
--- /dev/null
+++ b/0011-tools-helpers-fix-build-of-xen-init-dom0-with-Werror.patch
@@ -0,0 +1,28 @@
+From f241cc48dabeef6cb0b381db62f2562b0a3970eb Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Tue, 12 Jul 2022 11:26:47 +0200
+Subject: [PATCH 11/21] tools/helpers: fix build of xen-init-dom0 with -Werror
+
+Missing prototype of asprintf() without _GNU_SOURCE.
+
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Reviewed-by: Henry Wang <Henry.Wang@arm.com>
+master commit: d693b22733044d68e9974766b5c9e6259c9b1708
+master date: 2022-07-12 08:38:35 +0200
+---
+ tools/helpers/xen-init-dom0.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/helpers/xen-init-dom0.c b/tools/helpers/xen-init-dom0.c
+index c99224a4b607..b4861c9e8041 100644
+--- a/tools/helpers/xen-init-dom0.c
++++ b/tools/helpers/xen-init-dom0.c
+@@ -1,3 +1,5 @@
++#define _GNU_SOURCE
++
+ #include <stdlib.h>
+ #include <stdint.h>
+ #include <string.h>
+--
+2.35.1
+
diff --git a/0012-libxl-check-return-value-of-libxl__xs_directory-in-n.patch b/0012-libxl-check-return-value-of-libxl__xs_directory-in-n.patch
new file mode 100644
index 0000000..898889b
--- /dev/null
+++ b/0012-libxl-check-return-value-of-libxl__xs_directory-in-n.patch
@@ -0,0 +1,38 @@
+From d470a54087e0fbd813dae4d773ad0b830eeec4a1 Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Tue, 12 Jul 2022 11:26:58 +0200
+Subject: [PATCH 12/21] libxl: check return value of libxl__xs_directory in
+ name2bdf
+
+libxl__xs_directory() can potentially return NULL without setting `n`.
+As `n` isn't initialised, we need to check libxl__xs_directory()
+return value before checking `n`. Otherwise, `n` might be non-zero
+with `bdfs` NULL which would lead to a segv.
+
+Fixes: 57bff091f4 ("libxl: add 'name' field to 'libxl_device_pci' in the IDL...")
+Reported-by: "G.R." <firemeteor@users.sourceforge.net>
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Tested-by: "G.R." <firemeteor@users.sourceforge.net>
+master commit: d778089ac70e5b8e3bdea0c85fc8c0b9ed0eaf2f
+master date: 2022-07-12 08:38:51 +0200
+---
+ tools/libs/light/libxl_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/libs/light/libxl_pci.c b/tools/libs/light/libxl_pci.c
+index 92bf86b2bebd..a5f5cdf62b80 100644
+--- a/tools/libs/light/libxl_pci.c
++++ b/tools/libs/light/libxl_pci.c
+@@ -859,7 +859,7 @@ static int name2bdf(libxl__gc *gc, libxl_device_pci *pci)
+ int rc = ERROR_NOTFOUND;
+
+ bdfs = libxl__xs_directory(gc, XBT_NULL, PCI_INFO_PATH, &n);
+- if (!n)
++ if (!bdfs || !n)
+ goto out;
+
+ for (i = 0; i < n; i++) {
+--
+2.35.1
+
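Review bot: The new `!bdfs` test in name2bdf() sends a NULL return from libxl__xs_directory() down the same `goto out` as an empty directory, so the caller gets `ERROR_NOTFOUND` in both cases and cannot tell a failed read from "no devices". A comment above the check would record why the order matters: `/* n is only written on success, so test bdfs before trusting it */`. If the declaration of `n` (outside the hunk) has no initialiser, giving it `= 0` would keep the check safe even if the two tests are later reordered or split.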
diff --git a/0013-update-Xen-version-to-4.15.4-pre.patch b/0013-update-Xen-version-to-4.15.4-pre.patch
new file mode 100644
index 0000000..664e9df
--- /dev/null
+++ b/0013-update-Xen-version-to-4.15.4-pre.patch
@@ -0,0 +1,25 @@
+From 505771bb1dffdf6f763fad18ee49a913b98abfea Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 12 Jul 2022 11:28:33 +0200
+Subject: [PATCH 13/21] update Xen version to 4.15.4-pre
+
+---
+ xen/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/Makefile b/xen/Makefile
+index e9a88325c467..cd66bb3b1c84 100644
+--- a/xen/Makefile
++++ b/xen/Makefile
+@@ -2,7 +2,7 @@
+ # All other places this is stored (eg. compile.h) should be autogenerated.
+ export XEN_VERSION = 4
+ export XEN_SUBVERSION = 15
+-export XEN_EXTRAVERSION ?= .3$(XEN_VENDORVERSION)
++export XEN_EXTRAVERSION ?= .4-pre$(XEN_VENDORVERSION)
+ export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION)
+ -include xen-version
+
+--
+2.35.1
+
diff --git a/0014-x86-spec-ctrl-Rework-spec_ctrl_flags-context-switchi.patch b/0014-x86-spec-ctrl-Rework-spec_ctrl_flags-context-switchi.patch
new file mode 100644
index 0000000..681282e
--- /dev/null
+++ b/0014-x86-spec-ctrl-Rework-spec_ctrl_flags-context-switchi.patch
@@ -0,0 +1,167 @@
+From 156ab775769d39b2dfb048ccd34dee7e86ba83a2 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 1 Jul 2022 15:59:40 +0100
+Subject: [PATCH 14/21] x86/spec-ctrl: Rework spec_ctrl_flags context switching
+
+We are shortly going to need to context switch new bits in both the vcpu and
+S3 paths. Introduce SCF_IST_MASK and SCF_DOM_MASK, and rework d->arch.verw
+into d->arch.spec_ctrl_flags to accommodate.
+
+No functional change.
+
+This is part of XSA-407.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 5796912f7279d9348a3166655588d30eae9f72cc)
+---
+ xen/arch/x86/acpi/power.c | 8 ++++----
+ xen/arch/x86/domain.c | 8 ++++----
+ xen/arch/x86/spec_ctrl.c | 9 ++++++---
+ xen/include/asm-x86/domain.h | 3 +--
+ xen/include/asm-x86/spec_ctrl.h | 30 ++++++++++++++++++++++++++++-
+ xen/include/asm-x86/spec_ctrl_asm.h | 3 ---
+ 6 files changed, 44 insertions(+), 17 deletions(-)
+
+diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
+index 5eaa77f66a28..dd397f713067 100644
+--- a/xen/arch/x86/acpi/power.c
++++ b/xen/arch/x86/acpi/power.c
+@@ -248,8 +248,8 @@ static int enter_state(u32 state)
+ error = 0;
+
+ ci = get_cpu_info();
+- /* Avoid NMI/#MC using MSR_SPEC_CTRL until we've reloaded microcode. */
+- ci->spec_ctrl_flags &= ~SCF_ist_wrmsr;
++ /* Avoid NMI/#MC using unsafe MSRs until we've reloaded microcode. */
++ ci->spec_ctrl_flags &= ~SCF_IST_MASK;
+
+ ACPI_FLUSH_CPU_CACHE();
+
+@@ -292,8 +292,8 @@ static int enter_state(u32 state)
+ if ( !recheck_cpu_features(0) )
+ panic("Missing previously available feature(s)\n");
+
+- /* Re-enabled default NMI/#MC use of MSR_SPEC_CTRL. */
+- ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr);
++ /* Re-enabled default NMI/#MC use of MSRs now microcode is loaded. */
++ ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_IST_MASK);
+
+ if ( boot_cpu_has(X86_FEATURE_IBRSB) || boot_cpu_has(X86_FEATURE_IBRS) )
+ {
+diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
+index 4a61e951facf..79f2c6ab19b8 100644
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -2069,10 +2069,10 @@ void context_switch(struct vcpu *prev, struct vcpu *next)
+ }
+ }
+
+- /* Update the top-of-stack block with the VERW disposition. */
+- info->spec_ctrl_flags &= ~SCF_verw;
+- if ( nextd->arch.verw )
+- info->spec_ctrl_flags |= SCF_verw;
++ /* Update the top-of-stack block with the new spec_ctrl settings. */
++ info->spec_ctrl_flags =
++ (info->spec_ctrl_flags & ~SCF_DOM_MASK) |
++ (nextd->arch.spec_ctrl_flags & SCF_DOM_MASK);
+ }
+
+ sched_context_switched(prev, next);
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 225fe08259b3..0fabfbe2a9f4 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -981,9 +981,12 @@ void spec_ctrl_init_domain(struct domain *d)
+ {
+ bool pv = is_pv_domain(d);
+
+- d->arch.verw =
+- (pv ? opt_md_clear_pv : opt_md_clear_hvm) ||
+- (opt_fb_clear_mmio && is_iommu_enabled(d));
++ bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) ||
++ (opt_fb_clear_mmio && is_iommu_enabled(d)));
++
++ d->arch.spec_ctrl_flags =
++ (verw ? SCF_verw : 0) |
++ 0;
+ }
+
+ void __init init_speculation_mitigations(void)
+diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
+index d0df7f83aa0c..7d6483f21bb1 100644
+--- a/xen/include/asm-x86/domain.h
++++ b/xen/include/asm-x86/domain.h
+@@ -319,8 +319,7 @@ struct arch_domain
+ uint32_t pci_cf8;
+ uint8_t cmos_idx;
+
+- /* Use VERW on return-to-guest for its flushing side effect. */
+- bool verw;
++ uint8_t spec_ctrl_flags; /* See SCF_DOM_MASK */
+
+ union {
+ struct pv_domain pv;
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index 12283573cdd5..60d6d2dc9407 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -20,12 +20,40 @@
+ #ifndef __X86_SPEC_CTRL_H__
+ #define __X86_SPEC_CTRL_H__
+
+-/* Encoding of cpuinfo.spec_ctrl_flags */
++/*
++ * Encoding of:
++ * cpuinfo.spec_ctrl_flags
++ * default_spec_ctrl_flags
++ * domain.spec_ctrl_flags
++ *
++ * Live settings are in the top-of-stack block, because they need to be
++ * accessable when XPTI is active. Some settings are fixed from boot, some
++ * context switched per domain, and some inhibited in the S3 path.
++ */
+ #define SCF_use_shadow (1 << 0)
+ #define SCF_ist_wrmsr (1 << 1)
+ #define SCF_ist_rsb (1 << 2)
+ #define SCF_verw (1 << 3)
+
++/*
++ * The IST paths (NMI/#MC) can interrupt any arbitrary context. Some
++ * functionality requires updated microcode to work.
++ *
++ * On boot, this is easy; we load microcode before figuring out which
++ * speculative protections to apply. However, on the S3 resume path, we must
++ * be able to disable the configured mitigations until microcode is reloaded.
++ *
++ * These are the controls to inhibit on the S3 resume path until microcode has
++ * been reloaded.
++ */
++#define SCF_IST_MASK (SCF_ist_wrmsr)
++
++/*
++ * Some speculative protections are per-domain. These settings are merged
++ * into the top-of-stack block in the context switch path.
++ */
++#define SCF_DOM_MASK (SCF_verw)
++
+ #ifndef __ASSEMBLY__
+
+ #include <asm/alternative.h>
+diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h
+index 5a590bac44aa..66b00d511fc6 100644
+--- a/xen/include/asm-x86/spec_ctrl_asm.h
++++ b/xen/include/asm-x86/spec_ctrl_asm.h
+@@ -248,9 +248,6 @@
+
+ /*
+ * Use in IST interrupt/exception context. May interrupt Xen or PV context.
+- * Fine grain control of SCF_ist_wrmsr is needed for safety in the S3 resume
+- * path to avoid using MSR_SPEC_CTRL before the microcode introducing it has
+- * been reloaded.
+ */
+ .macro SPEC_CTRL_ENTRY_FROM_INTR_IST
+ /*
+--
+2.35.1
+
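Review bot: Nothing ties the width of the new `uint8_t spec_ctrl_flags` field in struct arch_domain to the SCF_* bit definitions in spec_ctrl.h. The commit message says more bits are about to be added; a flag defined at bit 8 or above would be truncated when stored in spec_ctrl_init_domain() and then never merged in context_switch(), leaving that per-domain protection off without any warning. A compile-time check would catch this, for example `BUILD_BUG_ON(SCF_DOM_MASK & ~0xff);` in spec_ctrl_init_domain(). The comment block added above the SCF_* defines also has a typo, "accessable".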
diff --git a/0015-x86-spec-ctrl-Rename-SCF_ist_wrmsr-to-SCF_ist_sc_msr.patch b/0015-x86-spec-ctrl-Rename-SCF_ist_wrmsr-to-SCF_ist_sc_msr.patch
new file mode 100644
index 0000000..553dbd2
--- /dev/null
+++ b/0015-x86-spec-ctrl-Rename-SCF_ist_wrmsr-to-SCF_ist_sc_msr.patch
@@ -0,0 +1,110 @@
+From 2cfbca32b9dc3a8d6520549ff468a7f550daf1b1 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 28 Jun 2022 14:36:56 +0100
+Subject: [PATCH 15/21] x86/spec-ctrl: Rename SCF_ist_wrmsr to SCF_ist_sc_msr
+
+We are about to introduce SCF_ist_ibpb, at which point SCF_ist_wrmsr becomes
+ambiguous.
+
+No functional change.
+
+This is part of XSA-407.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 76d6a36f645dfdbad8830559d4d52caf36efc75e)
+---
+ xen/arch/x86/spec_ctrl.c | 6 +++---
+ xen/include/asm-x86/spec_ctrl.h | 4 ++--
+ xen/include/asm-x86/spec_ctrl_asm.h | 8 ++++----
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 0fabfbe2a9f4..a6def47061e8 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -1086,7 +1086,7 @@ void __init init_speculation_mitigations(void)
+ {
+ if ( opt_msr_sc_pv )
+ {
+- default_spec_ctrl_flags |= SCF_ist_wrmsr;
++ default_spec_ctrl_flags |= SCF_ist_sc_msr;
+ setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV);
+ }
+
+@@ -1097,7 +1097,7 @@ void __init init_speculation_mitigations(void)
+ * Xen's value is not restored atomically. An early NMI hitting
+ * the VMExit path needs to restore Xen's value for safety.
+ */
+- default_spec_ctrl_flags |= SCF_ist_wrmsr;
++ default_spec_ctrl_flags |= SCF_ist_sc_msr;
+ setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM);
+ }
+ }
+@@ -1110,7 +1110,7 @@ void __init init_speculation_mitigations(void)
+ * on real hardware matches the availability of MSR_SPEC_CTRL in the
+ * first place.
+ *
+- * No need for SCF_ist_wrmsr because Xen's value is restored
++ * No need for SCF_ist_sc_msr because Xen's value is restored
+ * atomically WRT NMIs in the VMExit path.
+ *
+ * TODO: Adjust cpu_has_svm_spec_ctrl to be usable earlier on boot.
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index 60d6d2dc9407..6f8b0e09348e 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -31,7 +31,7 @@
+ * context switched per domain, and some inhibited in the S3 path.
+ */
+ #define SCF_use_shadow (1 << 0)
+-#define SCF_ist_wrmsr (1 << 1)
++#define SCF_ist_sc_msr (1 << 1)
+ #define SCF_ist_rsb (1 << 2)
+ #define SCF_verw (1 << 3)
+
+@@ -46,7 +46,7 @@
+ * These are the controls to inhibit on the S3 resume path until microcode has
+ * been reloaded.
+ */
+-#define SCF_IST_MASK (SCF_ist_wrmsr)
++#define SCF_IST_MASK (SCF_ist_sc_msr)
+
+ /*
+ * Some speculative protections are per-domain. These settings are merged
+diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h
+index 66b00d511fc6..0ff1b118f882 100644
+--- a/xen/include/asm-x86/spec_ctrl_asm.h
++++ b/xen/include/asm-x86/spec_ctrl_asm.h
+@@ -266,8 +266,8 @@
+
+ .L\@_skip_rsb:
+
+- test $SCF_ist_wrmsr, %al
+- jz .L\@_skip_wrmsr
++ test $SCF_ist_sc_msr, %al
++ jz .L\@_skip_msr_spec_ctrl
+
+ xor %edx, %edx
+ testb $3, UREGS_cs(%rsp)
+@@ -290,7 +290,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+ * to speculate around the WRMSR. As a result, we need a dispatch
+ * serialising instruction in the else clause.
+ */
+-.L\@_skip_wrmsr:
++.L\@_skip_msr_spec_ctrl:
+ lfence
+ UNLIKELY_END(\@_serialise)
+ .endm
+@@ -301,7 +301,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise):
+ * Requires %rbx=stack_end
+ * Clobbers %rax, %rcx, %rdx
+ */
+- testb $SCF_ist_wrmsr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx)
++ testb $SCF_ist_sc_msr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx)
+ jz .L\@_skip
+
+ DO_SPEC_CTRL_EXIT_TO_XEN
+--
+2.35.1
+
diff --git a/0016-x86-spec-ctrl-Rename-opt_ibpb-to-opt_ibpb_ctxt_switc.patch b/0016-x86-spec-ctrl-Rename-opt_ibpb-to-opt_ibpb_ctxt_switc.patch
new file mode 100644
index 0000000..9ed0093
--- /dev/null
+++ b/0016-x86-spec-ctrl-Rename-opt_ibpb-to-opt_ibpb_ctxt_switc.patch
@@ -0,0 +1,97 @@
+From c707015bf118df2c43e3a48b3774916322fca50a Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Mon, 4 Jul 2022 21:32:17 +0100
+Subject: [PATCH 16/21] x86/spec-ctrl: Rename opt_ibpb to opt_ibpb_ctxt_switch
+
+We are about to introduce the use of IBPB at different points in Xen, making
+opt_ibpb ambiguous. Rename it to opt_ibpb_ctxt_switch.
+
+No functional change.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit a8e5ef079d6f5c88c472e3e620db5a8d1402a50d)
+---
+ xen/arch/x86/domain.c | 2 +-
+ xen/arch/x86/spec_ctrl.c | 10 +++++-----
+ xen/include/asm-x86/spec_ctrl.h | 2 +-
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
+index 79f2c6ab19b8..2838f976d729 100644
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -2041,7 +2041,7 @@ void context_switch(struct vcpu *prev, struct vcpu *next)
+
+ ctxt_switch_levelling(next);
+
+- if ( opt_ibpb && !is_idle_domain(nextd) )
++ if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) )
+ {
+ static DEFINE_PER_CPU(unsigned int, last);
+ unsigned int *last_id = &this_cpu(last);
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index a6def47061e8..ced0f8c2aea6 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -54,7 +54,7 @@ int8_t __initdata opt_stibp = -1;
+ bool __read_mostly opt_ssbd;
+ int8_t __initdata opt_psfd = -1;
+
+-bool __read_mostly opt_ibpb = true;
++bool __read_mostly opt_ibpb_ctxt_switch = true;
+ int8_t __read_mostly opt_eager_fpu = -1;
+ int8_t __read_mostly opt_l1d_flush = -1;
+ bool __read_mostly opt_branch_harden = true;
+@@ -117,7 +117,7 @@ static int __init parse_spec_ctrl(const char *s)
+
+ opt_thunk = THUNK_JMP;
+ opt_ibrs = 0;
+- opt_ibpb = false;
++ opt_ibpb_ctxt_switch = false;
+ opt_ssbd = false;
+ opt_l1d_flush = 0;
+ opt_branch_harden = false;
+@@ -238,7 +238,7 @@ static int __init parse_spec_ctrl(const char *s)
+
+ /* Misc settings. */
+ else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 )
+- opt_ibpb = val;
++ opt_ibpb_ctxt_switch = val;
+ else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 )
+ opt_eager_fpu = val;
+ else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 )
+@@ -458,7 +458,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+ (opt_tsx & 1) ? " TSX+" : " TSX-",
+ !cpu_has_srbds_ctrl ? "" :
+ opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-",
+- opt_ibpb ? " IBPB" : "",
++ opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "",
+ opt_l1d_flush ? " L1D_FLUSH" : "",
+ opt_md_clear_pv || opt_md_clear_hvm ||
+ opt_fb_clear_mmio ? " VERW" : "",
+@@ -1193,7 +1193,7 @@ void __init init_speculation_mitigations(void)
+
+ /* Check we have hardware IBPB support before using it... */
+ if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) )
+- opt_ibpb = false;
++ opt_ibpb_ctxt_switch = false;
+
+ /* Check whether Eager FPU should be enabled by default. */
+ if ( opt_eager_fpu == -1 )
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index 6f8b0e09348e..fd8162ca9ab9 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -63,7 +63,7 @@
+ void init_speculation_mitigations(void);
+ void spec_ctrl_init_domain(struct domain *d);
+
+-extern bool opt_ibpb;
++extern bool opt_ibpb_ctxt_switch;
+ extern bool opt_ssbd;
+ extern int8_t opt_eager_fpu;
+ extern int8_t opt_l1d_flush;
+--
+2.35.1
+
diff --git a/0017-x86-spec-ctrl-Rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch b/0017-x86-spec-ctrl-Rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch
new file mode 100644
index 0000000..bae2818
--- /dev/null
+++ b/0017-x86-spec-ctrl-Rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch
@@ -0,0 +1,106 @@
+From d7f5fb1e2abd0d56cada9bfcf96ab530d214d9aa Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 1 Jul 2022 15:59:40 +0100
+Subject: [PATCH 17/21] x86/spec-ctrl: Rework SPEC_CTRL_ENTRY_FROM_INTR_IST
+
+We are shortly going to add a conditional IBPB in this path.
+
+Therefore, we cannot hold spec_ctrl_flags in %eax, and rely on only clobbering
+it after we're done with its contents. %rbx is available for use, and the
+more normal register to hold preserved information in.
+
+With %rax freed up, use it instead of %rdx for the RSB tmp register, and for
+the adjustment to spec_ctrl_flags.
+
+This leaves no use of %rdx, except as 0 for the upper half of WRMSR. In
+practice, %rdx is 0 from SAVE_ALL on all paths and isn't likely to change in
+the foreseeable future, so update the macro entry requirements to state this
+dependency. This marginal optimisation can be revisited if circumstances
+change.
+
+No practical change.
+
+This is part of XSA-407.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit e9b8d31981f184c6539f91ec54bd9cae29cdae36)
+---
+ xen/arch/x86/x86_64/entry.S | 4 ++--
+ xen/include/asm-x86/spec_ctrl_asm.h | 21 ++++++++++-----------
+ 2 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index 2f3f48ff27c3..9bfc5964a911 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -874,7 +874,7 @@ ENTRY(double_fault)
+
+ GET_STACK_END(14)
+
+- SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, Clob: acd */
++ SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: abcd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rbx
+@@ -910,7 +910,7 @@ handle_ist_exception:
+
+ GET_STACK_END(14)
+
+- SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, Clob: acd */
++ SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: abcd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rcx
+diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h
+index 0ff1b118f882..15e24cde00d1 100644
+--- a/xen/include/asm-x86/spec_ctrl_asm.h
++++ b/xen/include/asm-x86/spec_ctrl_asm.h
+@@ -251,34 +251,33 @@
+ */
+ .macro SPEC_CTRL_ENTRY_FROM_INTR_IST
+ /*
+- * Requires %rsp=regs, %r14=stack_end
+- * Clobbers %rax, %rcx, %rdx
++ * Requires %rsp=regs, %r14=stack_end, %rdx=0
++ * Clobbers %rax, %rbx, %rcx, %rdx
+ *
+ * This is logical merge of DO_OVERWRITE_RSB and DO_SPEC_CTRL_ENTRY
+ * maybexen=1, but with conditionals rather than alternatives.
+ */
+- movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %eax
++ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx
+
+- test $SCF_ist_rsb, %al
++ test $SCF_ist_rsb, %bl
+ jz .L\@_skip_rsb
+
+- DO_OVERWRITE_RSB tmp=rdx /* Clobbers %rcx/%rdx */
++ DO_OVERWRITE_RSB /* Clobbers %rax/%rcx */
+
+ .L\@_skip_rsb:
+
+- test $SCF_ist_sc_msr, %al
++ test $SCF_ist_sc_msr, %bl
+ jz .L\@_skip_msr_spec_ctrl
+
+- xor %edx, %edx
++ xor %eax, %eax
+ testb $3, UREGS_cs(%rsp)
+- setnz %dl
+- not %edx
+- and %dl, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14)
++ setnz %al
++ not %eax
++ and %al, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14)
+
+ /* Load Xen's intended value. */
+ mov $MSR_SPEC_CTRL, %ecx
+ movzbl STACK_CPUINFO_FIELD(xen_spec_ctrl)(%r14), %eax
+- xor %edx, %edx
+ wrmsr
+
+ /* Opencoded UNLIKELY_START() with no condition. */
+--
+2.35.1
+
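Review bot: With the second `xor %edx, %edx` removed, the `wrmsr` in SPEC_CTRL_ENTRY_FROM_INTR_IST takes the upper half of the MSR value from whatever the caller left in %rdx, and that requirement is stated only in the macro header and the `Req:` comments at the two call sites in entry.S. A comment at the instruction itself would keep the dependency visible to anyone who later inserts code between the macro entry and the write, for example `/* %edx must still be 0 here (from SAVE_ALL): high half of the MSR value */` on the line before `wrmsr`. The macro body continues past the end of the hunk, so the remaining uses of %rdx could not be checked from here.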
diff --git a/0018-x86-spec-ctrl-Support-IBPB-on-entry.patch b/0018-x86-spec-ctrl-Support-IBPB-on-entry.patch
new file mode 100644
index 0000000..06efb27
--- /dev/null
+++ b/0018-x86-spec-ctrl-Support-IBPB-on-entry.patch
@@ -0,0 +1,300 @@
+From f0d78e0c11d3984c74f34a7325f862dee93a5835 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 24 Feb 2022 13:44:33 +0000
+Subject: [PATCH 18/21] x86/spec-ctrl: Support IBPB-on-entry
+
+We are going to need this to mitigate Branch Type Confusion on AMD/Hygon CPUs,
+but as we've talked about using it in other cases too, arrange to support it
+generally. However, this is also very expensive in some cases, so we're going
+to want per-domain controls.
+
+Introduce SCF_ist_ibpb and SCF_entry_ibpb controls, adding them to the IST and
+DOM masks as appropriate. Also introduce X86_FEATURE_IBPB_ENTRY_{PV,HVM} to
+to patch the code blocks.
+
+For SVM, the STGI is serialising enough to protect against Spectre-v1 attacks,
+so no "else lfence" is necessary. VT-x will use use the MSR host load list,
+so doesn't need any code in the VMExit path.
+
+For the IST path, we can't safely check CPL==0 to skip a flush, as we might
+have hit an entry path before it's IBPB. As IST hitting Xen is rare, flush
+irrespective of CPL. A later path, SCF_ist_sc_msr, provides Spectre-v1
+safety.
+
+For the PV paths, we know we're interrupting CPL>0, while for the INTR paths,
+we can safely check CPL==0. Only flush when interrupting guest context.
+
+An "else lfence" is needed for safety, but we want to be able to skip it on
+unaffected CPUs, so the block wants to be an alternative, which means the
+lfence has to be inline rather than UNLIKELY() (the replacement block doesn't
+have displacements fixed up for anything other than the first instruction).
+
+As with SPEC_CTRL_ENTRY_FROM_INTR_IST, %rdx is 0 on entry so rely on this to
+shrink the logic marginally. Update the comments to specify this new
+dependency.
+
+This is part of XSA-407.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 53a570b285694947776d5190f591a0d5b9b18de7)
+---
+ xen/arch/x86/hvm/svm/entry.S | 18 ++++++++++-
+ xen/arch/x86/hvm/vmx/vmcs.c | 4 +++
+ xen/arch/x86/x86_64/compat/entry.S | 4 +--
+ xen/arch/x86/x86_64/entry.S | 10 +++---
+ xen/include/asm-x86/cpufeatures.h | 2 ++
+ xen/include/asm-x86/spec_ctrl.h | 6 ++--
+ xen/include/asm-x86/spec_ctrl_asm.h | 49 +++++++++++++++++++++++++++--
+ 7 files changed, 81 insertions(+), 12 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S
+index 4ae55a2ef605..0ff4008060fa 100644
+--- a/xen/arch/x86/hvm/svm/entry.S
++++ b/xen/arch/x86/hvm/svm/entry.S
+@@ -97,7 +97,19 @@ __UNLIKELY_END(nsvm_hap)
+
+ GET_CURRENT(bx)
+
+- /* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo Clob: acd */
++ /* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo, %rdx=0 Clob: acd */
++
++ .macro svm_vmexit_cond_ibpb
++ testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
++ jz .L_skip_ibpb
++
++ mov $MSR_PRED_CMD, %ecx
++ mov $PRED_CMD_IBPB, %eax
++ wrmsr
++.L_skip_ibpb:
++ .endm
++ ALTERNATIVE "", svm_vmexit_cond_ibpb, X86_FEATURE_IBPB_ENTRY_HVM
++
+ ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_HVM
+
+ .macro svm_vmexit_spec_ctrl
+@@ -114,6 +126,10 @@ __UNLIKELY_END(nsvm_hap)
+ ALTERNATIVE "", svm_vmexit_spec_ctrl, X86_FEATURE_SC_MSR_HVM
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
++ /*
++ * STGI is executed unconditionally, and is sufficiently serialising
++ * to safely resolve any Spectre-v1 concerns in the above logic.
++ */
+ stgi
+ GLOBAL(svm_stgi_label)
+ mov %rsp,%rdi
+diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
+index f9f9bc18cdbc..dd817cee4e69 100644
+--- a/xen/arch/x86/hvm/vmx/vmcs.c
++++ b/xen/arch/x86/hvm/vmx/vmcs.c
+@@ -1345,6 +1345,10 @@ static int construct_vmcs(struct vcpu *v)
+ rc = vmx_add_msr(v, MSR_FLUSH_CMD, FLUSH_CMD_L1D,
+ VMX_MSR_GUEST_LOADONLY);
+
++ if ( !rc && (d->arch.spec_ctrl_flags & SCF_entry_ibpb) )
++ rc = vmx_add_msr(v, MSR_PRED_CMD, PRED_CMD_IBPB,
++ VMX_MSR_HOST);
++
+ out:
+ vmx_vmcs_exit(v);
+
+diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
+index 0cfe95314249..5c999271e617 100644
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+@@ -20,7 +20,7 @@ ENTRY(entry_int82)
+ movl $HYPERCALL_VECTOR, 4(%rsp)
+ SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */
+
+- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */
++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ CR4_PV32_RESTORE
+@@ -216,7 +216,7 @@ ENTRY(cstar_enter)
+ movl $TRAP_syscall, 4(%rsp)
+ SAVE_ALL
+
+- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */
++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ GET_STACK_END(bx)
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index 9bfc5964a911..3c8593325606 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -260,7 +260,7 @@ ENTRY(lstar_enter)
+ movl $TRAP_syscall, 4(%rsp)
+ SAVE_ALL
+
+- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */
++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ GET_STACK_END(bx)
+@@ -299,7 +299,7 @@ GLOBAL(sysenter_eflags_saved)
+ movl $TRAP_syscall, 4(%rsp)
+ SAVE_ALL
+
+- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */
++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ GET_STACK_END(bx)
+@@ -351,7 +351,7 @@ ENTRY(int80_direct_trap)
+ movl $0x80, 4(%rsp)
+ SAVE_ALL
+
+- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */
++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ GET_STACK_END(bx)
+@@ -618,7 +618,7 @@ ENTRY(common_interrupt)
+
+ GET_STACK_END(14)
+
+- SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, Clob: acd */
++ SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: acd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rcx
+@@ -652,7 +652,7 @@ GLOBAL(handle_exception)
+
+ GET_STACK_END(14)
+
+- SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, Clob: acd */
++ SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: acd */
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
+
+ mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rcx
+diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h
+index f7488d3ccbfa..b233e5835fb5 100644
+--- a/xen/include/asm-x86/cpufeatures.h
++++ b/xen/include/asm-x86/cpufeatures.h
+@@ -39,6 +39,8 @@ XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */
+ XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */
+ XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */
+ XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */
++XEN_CPUFEATURE(IBPB_ENTRY_PV, X86_SYNTH(28)) /* MSR_PRED_CMD used by Xen for PV */
++XEN_CPUFEATURE(IBPB_ENTRY_HVM, X86_SYNTH(29)) /* MSR_PRED_CMD used by Xen for HVM */
+
+ /* Bug words follow the synthetic words. */
+ #define X86_NR_BUG 1
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index fd8162ca9ab9..10cd0cd2518f 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -34,6 +34,8 @@
+ #define SCF_ist_sc_msr (1 << 1)
+ #define SCF_ist_rsb (1 << 2)
+ #define SCF_verw (1 << 3)
++#define SCF_ist_ibpb (1 << 4)
++#define SCF_entry_ibpb (1 << 5)
+
+ /*
+ * The IST paths (NMI/#MC) can interrupt any arbitrary context. Some
+@@ -46,13 +48,13 @@
+ * These are the controls to inhibit on the S3 resume path until microcode has
+ * been reloaded.
+ */
+-#define SCF_IST_MASK (SCF_ist_sc_msr)
++#define SCF_IST_MASK (SCF_ist_sc_msr | SCF_ist_ibpb)
+
+ /*
+ * Some speculative protections are per-domain. These settings are merged
+ * into the top-of-stack block in the context switch path.
+ */
+-#define SCF_DOM_MASK (SCF_verw)
++#define SCF_DOM_MASK (SCF_verw | SCF_entry_ibpb)
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h
+index 15e24cde00d1..9eb4ad9ab71d 100644
+--- a/xen/include/asm-x86/spec_ctrl_asm.h
++++ b/xen/include/asm-x86/spec_ctrl_asm.h
+@@ -88,6 +88,35 @@
+ * - SPEC_CTRL_EXIT_TO_{SVM,VMX}
+ */
+
++.macro DO_SPEC_CTRL_COND_IBPB maybexen:req
++/*
++ * Requires %rsp=regs (also cpuinfo if !maybexen)
++ * Requires %r14=stack_end (if maybexen), %rdx=0
++ * Clobbers %rax, %rcx, %rdx
++ *
++ * Conditionally issue IBPB if SCF_entry_ibpb is active. In the maybexen
++ * case, we can safely look at UREGS_cs to skip taking the hit when
++ * interrupting Xen.
++ */
++ .if \maybexen
++ testb $SCF_entry_ibpb, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14)
++ jz .L\@_skip
++ testb $3, UREGS_cs(%rsp)
++ .else
++ testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
++ .endif
++ jz .L\@_skip
++
++ mov $MSR_PRED_CMD, %ecx
++ mov $PRED_CMD_IBPB, %eax
++ wrmsr
++ jmp .L\@_done
++
++.L\@_skip:
++ lfence
++.L\@_done:
++.endm
++
+ .macro DO_OVERWRITE_RSB tmp=rax
+ /*
+ * Requires nothing
+@@ -225,12 +254,16 @@
+
+ /* Use after an entry from PV context (syscall/sysenter/int80/int82/etc). */
+ #define SPEC_CTRL_ENTRY_FROM_PV \
++ ALTERNATIVE "", __stringify(DO_SPEC_CTRL_COND_IBPB maybexen=0), \
++ X86_FEATURE_IBPB_ENTRY_PV; \
+ ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV; \
+ ALTERNATIVE "", __stringify(DO_SPEC_CTRL_ENTRY maybexen=0), \
+ X86_FEATURE_SC_MSR_PV
+
+ /* Use in interrupt/exception context. May interrupt Xen or PV context. */
+ #define SPEC_CTRL_ENTRY_FROM_INTR \
++ ALTERNATIVE "", __stringify(DO_SPEC_CTRL_COND_IBPB maybexen=1), \
++ X86_FEATURE_IBPB_ENTRY_PV; \
+ ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV; \
+ ALTERNATIVE "", __stringify(DO_SPEC_CTRL_ENTRY maybexen=1), \
+ X86_FEATURE_SC_MSR_PV
+@@ -254,11 +287,23 @@
+ * Requires %rsp=regs, %r14=stack_end, %rdx=0
+ * Clobbers %rax, %rbx, %rcx, %rdx
+ *
+- * This is logical merge of DO_OVERWRITE_RSB and DO_SPEC_CTRL_ENTRY
+- * maybexen=1, but with conditionals rather than alternatives.
++ * This is logical merge of:
++ * DO_SPEC_CTRL_COND_IBPB maybexen=0
++ * DO_OVERWRITE_RSB
++ * DO_SPEC_CTRL_ENTRY maybexen=1
++ * but with conditionals rather than alternatives.
+ */
+ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx
+
++ test $SCF_ist_ibpb, %bl
++ jz .L\@_skip_ibpb
++
++ mov $MSR_PRED_CMD, %ecx
++ mov $PRED_CMD_IBPB, %eax
++ wrmsr
++
++.L\@_skip_ibpb:
++
+ test $SCF_ist_rsb, %bl
+ jz .L\@_skip_rsb
+
+--
+2.35.1
+
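Review bot: In the nested spec_ctrl_asm.h change, the `maybexen=0` arm of `DO_SPEC_CTRL_COND_IBPB` tests `$SCF_entry_ibpb` against `CPUINFO_xen_spec_ctrl(%rsp)`, while the `maybexen=1` arm tests the same mask against `STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14)`; `svm_vmexit_cond_ibpb` in svm/entry.S uses the same `xen_spec_ctrl` operand. The SCF_* values are defined in spec_ctrl.h as bits of the flags byte, and the vmcs.c hunk checks `d->arch.spec_ctrl_flags & SCF_entry_ibpb`. So unless the xen_spec_ctrl field is really intended, the PV and SVM entry paths appear to take the flush decision from bit 5 of a different byte and could skip the IBPB for a domain that has it enabled. If this is a slip, the operand would be `testb $SCF_entry_ibpb, CPUINFO_spec_ctrl_flags(%rsp)` in both places; that offset symbol is not defined on this page and should be confirmed against asm-offsets.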
diff --git a/0019-x86-cpuid-Enumeration-for-BTC_NO.patch b/0019-x86-cpuid-Enumeration-for-BTC_NO.patch
new file mode 100644
index 0000000..91c38ee
--- /dev/null
+++ b/0019-x86-cpuid-Enumeration-for-BTC_NO.patch
@@ -0,0 +1,106 @@
+From 2b29ac476fa0c91655906fac3512202e514ecbed Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Mon, 16 May 2022 15:48:24 +0100
+Subject: [PATCH 19/21] x86/cpuid: Enumeration for BTC_NO
+
+BTC_NO indicates that hardware is not succeptable to Branch Type Confusion.
+
+Zen3 CPUs don't suffer BTC.
+
+This is part of XSA-407.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit 76cb04ad64f3ab9ae785988c40655a71dde9c319)
+---
+ tools/libs/light/libxl_cpuid.c | 1 +
+ tools/misc/xen-cpuid.c | 2 +-
+ xen/arch/x86/cpu/amd.c | 10 ++++++++++
+ xen/arch/x86/spec_ctrl.c | 5 +++--
+ xen/include/public/arch-x86/cpufeatureset.h | 1 +
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c
+index 9a4eb8015a43..2632efc6adb0 100644
+--- a/tools/libs/light/libxl_cpuid.c
++++ b/tools/libs/light/libxl_cpuid.c
+@@ -283,6 +283,7 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str)
+ {"virt-ssbd", 0x80000008, NA, CPUID_REG_EBX, 25, 1},
+ {"ssb-no", 0x80000008, NA, CPUID_REG_EBX, 26, 1},
+ {"psfd", 0x80000008, NA, CPUID_REG_EBX, 28, 1},
++ {"btc-no", 0x80000008, NA, CPUID_REG_EBX, 29, 1},
+
+ {"nc", 0x80000008, NA, CPUID_REG_ECX, 0, 8},
+ {"apicidsize", 0x80000008, NA, CPUID_REG_ECX, 12, 4},
+diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
+index 12111fe12d16..e83bc4793d6e 100644
+--- a/tools/misc/xen-cpuid.c
++++ b/tools/misc/xen-cpuid.c
+@@ -157,7 +157,7 @@ static const char *const str_e8b[32] =
+ /* [22] */ [23] = "ppin",
+ [24] = "amd-ssbd", [25] = "virt-ssbd",
+ [26] = "ssb-no",
+- [28] = "psfd",
++ [28] = "psfd", [29] = "btc-no",
+ };
+
+ static const char *const str_7d0[32] =
+diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
+index 986672a072b7..675b877f193c 100644
+--- a/xen/arch/x86/cpu/amd.c
++++ b/xen/arch/x86/cpu/amd.c
+@@ -822,6 +822,16 @@ static void init_amd(struct cpuinfo_x86 *c)
+ warning_add(text);
+ }
+ break;
++
++ case 0x19:
++ /*
++ * Zen3 (Fam19h model < 0x10) parts are not susceptible to
++ * Branch Type Confusion, but predate the allocation of the
++ * BTC_NO bit. Fill it back in if we're not virtualised.
++ */
++ if (!cpu_has_hypervisor && !cpu_has(c, X86_FEATURE_BTC_NO))
++ __set_bit(X86_FEATURE_BTC_NO, c->x86_capability);
++ break;
+ }
+
+ display_cacheinfo(c);
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index ced0f8c2aea6..9f66c715516c 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -388,7 +388,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+ * Hardware read-only information, stating immunity to certain issues, or
+ * suggestions of which mitigation to use.
+ */
+- printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
++ printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
+ (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "",
+ (caps & ARCH_CAPS_RSBA) ? " RSBA" : "",
+@@ -403,7 +403,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+ (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "",
+ (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "",
+ (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "",
+- (e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : "");
++ (e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : "",
++ (e8b & cpufeat_mask(X86_FEATURE_BTC_NO)) ? " BTC_NO" : "");
+
+ /* Hardware features which need driving to mitigate issues. */
+ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n",
+diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
+index 9686c82ed75c..1bbc7da4b53c 100644
+--- a/xen/include/public/arch-x86/cpufeatureset.h
++++ b/xen/include/public/arch-x86/cpufeatureset.h
+@@ -265,6 +265,7 @@ XEN_CPUFEATURE(AMD_SSBD, 8*32+24) /*S MSR_SPEC_CTRL.SSBD available */
+ XEN_CPUFEATURE(VIRT_SSBD, 8*32+25) /* MSR_VIRT_SPEC_CTRL.SSBD */
+ XEN_CPUFEATURE(SSB_NO, 8*32+26) /*A Hardware not vulnerable to SSB */
+ XEN_CPUFEATURE(PSFD, 8*32+28) /*S MSR_SPEC_CTRL.PSFD */
++XEN_CPUFEATURE(BTC_NO, 8*32+29) /*A Hardware not vulnerable to Branch Type Confusion */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */
+ XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */
+--
+2.35.1
+
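Review bot: The `case 0x19:` arm added to init_amd() sets `X86_FEATURE_BTC_NO` on every Fam19h part, although its comment limits the immunity claim to "model < 0x10"; nothing in the code looks at the model. The synthesised bit tells later code the hardware is not susceptible, so a Fam19h part that does not enumerate BTC_NO itself and falls outside that statement would still be marked immune. Either bound the test, e.g. `if (c->x86_model < 0x10 && !cpu_has_hypervisor && !cpu_has(c, X86_FEATURE_BTC_NO))`, or reword the comment to say that all Fam19h parts are treated as unaffected and on what basis. init_amd() starts and ends outside the nested hunk.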
diff --git a/0020-x86-spec-ctrl-Enable-Zen2-chickenbit.patch b/0020-x86-spec-ctrl-Enable-Zen2-chickenbit.patch
new file mode 100644
index 0000000..9fd2fe0
--- /dev/null
+++ b/0020-x86-spec-ctrl-Enable-Zen2-chickenbit.patch
@@ -0,0 +1,105 @@
+From 409976bed91f61fb7b053d536d2fc87cf3ad7018 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 15 Mar 2022 18:30:25 +0000
+Subject: [PATCH 20/21] x86/spec-ctrl: Enable Zen2 chickenbit
+
+... as instructed in the Branch Type Confusion whitepaper.
+
+This is part of XSA-407.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+(cherry picked from commit 9deaf2d932f08c16c6b96a1c426e4b1142c0cdbe)
+---
+ xen/arch/x86/cpu/amd.c | 28 ++++++++++++++++++++++++++++
+ xen/arch/x86/cpu/cpu.h | 1 +
+ xen/arch/x86/cpu/hygon.c | 6 ++++++
+ xen/include/asm-x86/msr-index.h | 1 +
+ 4 files changed, 36 insertions(+)
+
+diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
+index 675b877f193c..60dbe61a61ca 100644
+--- a/xen/arch/x86/cpu/amd.c
++++ b/xen/arch/x86/cpu/amd.c
+@@ -731,6 +731,31 @@ void amd_init_ssbd(const struct cpuinfo_x86 *c)
+ printk_once(XENLOG_ERR "No SSBD controls available\n");
+ }
+
++/*
++ * On Zen2 we offer this chicken (bit) on the altar of Speculation.
++ *
++ * Refer to the AMD Branch Type Confusion whitepaper:
++ * https://XXX
++ *
++ * Setting this unnamed bit supposedly causes prediction information on
++ * non-branch instructions to be ignored. It is to be set unilaterally in
++ * newer microcode.
++ *
++ * This chickenbit is something unrelated on Zen1, and Zen1 vs Zen2 isn't a
++ * simple model number comparison, so use STIBP as a heuristic to separate the
++ * two uarches in Fam17h(AMD)/18h(Hygon).
++ */
++void amd_init_spectral_chicken(void)
++{
++ uint64_t val, chickenbit = 1 << 1;
++
++ if (cpu_has_hypervisor || !boot_cpu_has(X86_FEATURE_AMD_STIBP))
++ return;
++
++ if (rdmsr_safe(MSR_AMD64_DE_CFG2, val) == 0 && !(val & chickenbit))
++ wrmsr_safe(MSR_AMD64_DE_CFG2, val | chickenbit);
++}
++
+ static void init_amd(struct cpuinfo_x86 *c)
+ {
+ u32 l, h;
+@@ -783,6 +808,9 @@ static void init_amd(struct cpuinfo_x86 *c)
+
+ amd_init_ssbd(c);
+
++ if (c->x86 == 0x17)
++ amd_init_spectral_chicken();
++
+ /* MFENCE stops RDTSC speculation */
+ if (!cpu_has_lfence_dispatch)
+ __set_bit(X86_FEATURE_MFENCE_RDTSC, c->x86_capability);
+diff --git a/xen/arch/x86/cpu/cpu.h b/xen/arch/x86/cpu/cpu.h
+index 1a5b3918b37e..e76ab5ce1ae2 100644
+--- a/xen/arch/x86/cpu/cpu.h
++++ b/xen/arch/x86/cpu/cpu.h
+@@ -22,3 +22,4 @@ void early_init_amd(struct cpuinfo_x86 *c);
+ void amd_log_freq(const struct cpuinfo_x86 *c);
+ void amd_init_lfence(struct cpuinfo_x86 *c);
+ void amd_init_ssbd(const struct cpuinfo_x86 *c);
++void amd_init_spectral_chicken(void);
+diff --git a/xen/arch/x86/cpu/hygon.c b/xen/arch/x86/cpu/hygon.c
+index 3845e0cf0e89..0cb0e7d55e61 100644
+--- a/xen/arch/x86/cpu/hygon.c
++++ b/xen/arch/x86/cpu/hygon.c
+@@ -36,6 +36,12 @@ static void init_hygon(struct cpuinfo_x86 *c)
+
+ amd_init_ssbd(c);
+
++ /*
++ * TODO: Check heuristic safety with Hygon first
++ if (c->x86 == 0x18)
++ amd_init_spectral_chicken();
++ */
++
+ /* MFENCE stops RDTSC speculation */
+ if (!cpu_has_lfence_dispatch)
+ __set_bit(X86_FEATURE_MFENCE_RDTSC, c->x86_capability);
+diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h
+index 1e743461e91d..b4a360723b14 100644
+--- a/xen/include/asm-x86/msr-index.h
++++ b/xen/include/asm-x86/msr-index.h
+@@ -359,6 +359,7 @@
+ #define MSR_AMD64_DE_CFG 0xc0011029
+ #define AMD64_DE_CFG_LFENCE_SERIALISE (_AC(1, ULL) << 1)
+ #define MSR_AMD64_EX_CFG 0xc001102c
++#define MSR_AMD64_DE_CFG2 0xc00110e3
+
+ #define MSR_AMD64_DR0_ADDRESS_MASK 0xc0011027
+ #define MSR_AMD64_DR1_ADDRESS_MASK 0xc0011019
+--
+2.35.1
+
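Review bot: amd_init_spectral_chicken() discards the result of `wrmsr_safe()` and is silent when `rdmsr_safe()` fails, so a Fam17h system on which the bit cannot be set boots with no sign that this part of the XSA-407 change did not take effect. A diagnostic in the style amd_init_ssbd() uses just above would make that visible, e.g. `if (wrmsr_safe(MSR_AMD64_DE_CFG2, val | chickenbit)) printk_once(XENLOG_ERR "Unable to set DE_CFG2 chickenbit\n");`. The header comment's `https://XXX` is a placeholder and should be replaced with the whitepaper's actual location. The commented-out Fam18h call in init_hygon() also means Hygon parts do not get this step until the TODO is resolved, which is worth stating in the commit message.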
diff --git a/0021-x86-spec-ctrl-Mitigate-Branch-Type-Confusion-when-po.patch b/0021-x86-spec-ctrl-Mitigate-Branch-Type-Confusion-when-po.patch
new file mode 100644
index 0000000..12ecc5b
--- /dev/null
+++ b/0021-x86-spec-ctrl-Mitigate-Branch-Type-Confusion-when-po.patch
@@ -0,0 +1,305 @@
+From 35bf91d30f1a480dcf5bfd99b79384b2b283da7f Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Mon, 27 Jun 2022 19:29:40 +0100
+Subject: [PATCH 21/21] x86/spec-ctrl: Mitigate Branch Type Confusion when
+ possible
+
+Branch Type Confusion affects AMD/Hygon CPUs on Zen2 and earlier. To
+mitigate, we require SMT safety (STIBP on Zen2, no-SMT on Zen1), and to issue
+an IBPB on each entry to Xen, to flush the BTB.
+
+Due to performance concerns, dom0 (which is trusted in most configurations) is
+excluded from protections by default.
+
+Therefore:
+ * Use STIBP by default on Zen2 too, which now means we want it on by default
+ on all hardware supporting STIBP.
+ * Break the current IBPB logic out into a new function, extending it with
+ IBPB-at-entry logic.
+ * Change the existing IBPB-at-ctxt-switch boolean to be tristate, and disable
+ it by default when IBPB-at-entry is providing sufficient safety.
+
+If all PV guests on the system are trusted, then it is recommended to boot
+with `spec-ctrl=ibpb-entry=no-pv`, as this will provide an additional marginal
+perf improvement.
+
+This is part of XSA-407 / CVE-2022-23825.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+(cherry picked from commit d8cb7e0f069e0f106d24941355b59b45a731eabe)
+---
+ docs/misc/xen-command-line.pandoc | 14 ++--
+ xen/arch/x86/spec_ctrl.c | 113 ++++++++++++++++++++++++++----
+ xen/include/asm-x86/spec_ctrl.h | 2 +-
+ 3 files changed, 112 insertions(+), 17 deletions(-)
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index b06db5f654e5..b73c4a605011 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -2170,7 +2170,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
+
+ ### spec-ctrl (x86)
+ > `= List of [ <bool>, xen=<bool>, {pv,hvm}=<bool>,
+-> {msr-sc,rsb,md-clear}=<bool>|{pv,hvm}=<bool>,
++> {msr-sc,rsb,md-clear,ibpb-entry}=<bool>|{pv,hvm}=<bool>,
+ > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd,
+ > eager-fpu,l1d-flush,branch-harden,srb-lock,
+ > unpriv-mmio}=<bool> ]`
+@@ -2195,9 +2195,10 @@ in place for guests to use.
+
+ Use of a positive boolean value for either of these options is invalid.
+
+-The `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` options offer fine
+-grained control over the primitives by Xen. These impact Xen's ability to
+-protect itself, and/or Xen's ability to virtualise support for guests to use.
++The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options
++offer fine grained control over the primitives by Xen. These impact Xen's
++ability to protect itself, and/or Xen's ability to virtualise support for
++guests to use.
+
+ * `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests
+ respectively.
+@@ -2216,6 +2217,11 @@ protect itself, and/or Xen's ability to virtualise support for guests to use.
+ compatibility with development versions of this fix, `mds=` is also accepted
+ on Xen 4.12 and earlier as an alias. Consult vendor documentation in
+ preference to here.*
++* `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction
++ Barrier) is used on entry to Xen. This is used by default on hardware
++ vulnerable to Branch Type Confusion, but for performance reasons, dom0 is
++ unprotected by default. If it necessary to protect dom0 too, boot with
++ `spec-ctrl=ibpb-entry`.
+
+ If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to
+ select which of the thunks gets patched into the `__x86_indirect_thunk_%reg`
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 9f66c715516c..563519ce0e31 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -39,6 +39,10 @@ static bool __initdata opt_rsb_hvm = true;
+ static int8_t __read_mostly opt_md_clear_pv = -1;
+ static int8_t __read_mostly opt_md_clear_hvm = -1;
+
++static int8_t __read_mostly opt_ibpb_entry_pv = -1;
++static int8_t __read_mostly opt_ibpb_entry_hvm = -1;
++static bool __read_mostly opt_ibpb_entry_dom0;
++
+ /* Cmdline controls for Xen's speculative settings. */
+ static enum ind_thunk {
+ THUNK_DEFAULT, /* Decide which thunk to use at boot time. */
+@@ -54,7 +58,7 @@ int8_t __initdata opt_stibp = -1;
+ bool __read_mostly opt_ssbd;
+ int8_t __initdata opt_psfd = -1;
+
+-bool __read_mostly opt_ibpb_ctxt_switch = true;
++int8_t __read_mostly opt_ibpb_ctxt_switch = -1;
+ int8_t __read_mostly opt_eager_fpu = -1;
+ int8_t __read_mostly opt_l1d_flush = -1;
+ bool __read_mostly opt_branch_harden = true;
+@@ -114,6 +118,9 @@ static int __init parse_spec_ctrl(const char *s)
+ opt_rsb_hvm = false;
+ opt_md_clear_pv = 0;
+ opt_md_clear_hvm = 0;
++ opt_ibpb_entry_pv = 0;
++ opt_ibpb_entry_hvm = 0;
++ opt_ibpb_entry_dom0 = false;
+
+ opt_thunk = THUNK_JMP;
+ opt_ibrs = 0;
+@@ -140,12 +147,14 @@ static int __init parse_spec_ctrl(const char *s)
+ opt_msr_sc_pv = val;
+ opt_rsb_pv = val;
+ opt_md_clear_pv = val;
++ opt_ibpb_entry_pv = val;
+ }
+ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
+ {
+ opt_msr_sc_hvm = val;
+ opt_rsb_hvm = val;
+ opt_md_clear_hvm = val;
++ opt_ibpb_entry_hvm = val;
+ }
+ else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 )
+ {
+@@ -210,6 +219,28 @@ static int __init parse_spec_ctrl(const char *s)
+ break;
+ }
+ }
++ else if ( (val = parse_boolean("ibpb-entry", s, ss)) != -1 )
++ {
++ switch ( val )
++ {
++ case 0:
++ case 1:
++ opt_ibpb_entry_pv = opt_ibpb_entry_hvm =
++ opt_ibpb_entry_dom0 = val;
++ break;
++
++ case -2:
++ s += strlen("ibpb-entry=");
++ if ( (val = parse_boolean("pv", s, ss)) >= 0 )
++ opt_ibpb_entry_pv = val;
++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
++ opt_ibpb_entry_hvm = val;
++ else
++ default:
++ rc = -EINVAL;
++ break;
++ }
++ }
+
+ /* Xen's speculative sidechannel mitigation settings. */
+ else if ( !strncmp(s, "bti-thunk=", 10) )
+@@ -477,27 +508,31 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+ * mitigation support for guests.
+ */
+ #ifdef CONFIG_HVM
+- printk(" Support for HVM VMs:%s%s%s%s%s\n",
++ printk(" Support for HVM VMs:%s%s%s%s%s%s\n",
+ (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ||
+ boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ||
+ boot_cpu_has(X86_FEATURE_MD_CLEAR) ||
++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ||
+ opt_eager_fpu) ? "" : " None",
+ boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "",
+ boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "",
+ opt_eager_fpu ? " EAGER_FPU" : "",
+- boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : "");
++ boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : "",
++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : "");
+
+ #endif
+ #ifdef CONFIG_PV
+- printk(" Support for PV VMs:%s%s%s%s%s\n",
++ printk(" Support for PV VMs:%s%s%s%s%s%s\n",
+ (boot_cpu_has(X86_FEATURE_SC_MSR_PV) ||
+ boot_cpu_has(X86_FEATURE_SC_RSB_PV) ||
+ boot_cpu_has(X86_FEATURE_MD_CLEAR) ||
++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ||
+ opt_eager_fpu) ? "" : " None",
+ boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "",
+ boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "",
+ opt_eager_fpu ? " EAGER_FPU" : "",
+- boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : "");
++ boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : "",
++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : "");
+
+ printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n",
+ opt_xpti_hwdom ? "enabled" : "disabled",
+@@ -730,6 +765,55 @@ static bool __init should_use_eager_fpu(void)
+ }
+ }
+
++static void __init ibpb_calculations(void)
++{
++ /* Check we have hardware IBPB support before using it... */
++ if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) )
++ {
++ opt_ibpb_entry_hvm = opt_ibpb_entry_pv = opt_ibpb_ctxt_switch = 0;
++ opt_ibpb_entry_dom0 = false;
++ return;
++ }
++
++ /*
++ * IBPB-on-entry mitigations for Branch Type Confusion.
++ *
++ * IBPB && !BTC_NO selects all AMD/Hygon hardware, not known to be safe,
++ * that we can provide some form of mitigation on.
++ */
++ if ( opt_ibpb_entry_pv == -1 )
++ opt_ibpb_entry_pv = (IS_ENABLED(CONFIG_PV) &&
++ boot_cpu_has(X86_FEATURE_IBPB) &&
++ !boot_cpu_has(X86_FEATURE_BTC_NO));
++ if ( opt_ibpb_entry_hvm == -1 )
++ opt_ibpb_entry_hvm = (IS_ENABLED(CONFIG_HVM) &&
++ boot_cpu_has(X86_FEATURE_IBPB) &&
++ !boot_cpu_has(X86_FEATURE_BTC_NO));
++
++ if ( opt_ibpb_entry_pv )
++ {
++ setup_force_cpu_cap(X86_FEATURE_IBPB_ENTRY_PV);
++
++ /*
++ * We only need to flush in IST context if we're protecting against PV
++ * guests. HVM IBPB-on-entry protections are both atomic with
++ * NMI/#MC, so can't interrupt Xen ahead of having already flushed the
++ * BTB.
++ */
++ default_spec_ctrl_flags |= SCF_ist_ibpb;
++ }
++ if ( opt_ibpb_entry_hvm )
++ setup_force_cpu_cap(X86_FEATURE_IBPB_ENTRY_HVM);
++
++ /*
++ * If we're using IBPB-on-entry to protect against PV and HVM guests
++ * (ignoring dom0 if trusted), then there's no need to also issue IBPB on
++ * context switch too.
++ */
++ if ( opt_ibpb_ctxt_switch == -1 )
++ opt_ibpb_ctxt_switch = !(opt_ibpb_entry_hvm && opt_ibpb_entry_pv);
++}
++
+ /* Calculate whether this CPU is vulnerable to L1TF. */
+ static __init void l1tf_calculations(uint64_t caps)
+ {
+@@ -985,8 +1069,12 @@ void spec_ctrl_init_domain(struct domain *d)
+ bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) ||
+ (opt_fb_clear_mmio && is_iommu_enabled(d)));
+
++ bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) &&
++ (d->domain_id != 0 || opt_ibpb_entry_dom0));
++
+ d->arch.spec_ctrl_flags =
+ (verw ? SCF_verw : 0) |
++ (ibpb ? SCF_entry_ibpb : 0) |
+ 0;
+ }
+
+@@ -1133,12 +1221,15 @@ void __init init_speculation_mitigations(void)
+ }
+
+ /*
+- * Use STIBP by default if the hardware hint is set. Otherwise, leave it
+- * off as it a severe performance pentalty on pre-eIBRS Intel hardware
+- * where it was retrofitted in microcode.
++ * Use STIBP by default on all AMD systems. Zen3 and later enumerate
++ * STIBP_ALWAYS, but STIBP is needed on Zen2 as part of the mitigations
++ * for Branch Type Confusion.
++ *
++ * Leave STIBP off by default on Intel. Pre-eIBRS systems suffer a
++ * substantial perf hit when it was implemented in microcode.
+ */
+ if ( opt_stibp == -1 )
+- opt_stibp = !!boot_cpu_has(X86_FEATURE_STIBP_ALWAYS);
++ opt_stibp = !!boot_cpu_has(X86_FEATURE_AMD_STIBP);
+
+ if ( opt_stibp && (boot_cpu_has(X86_FEATURE_STIBP) ||
+ boot_cpu_has(X86_FEATURE_AMD_STIBP)) )
+@@ -1192,9 +1283,7 @@ void __init init_speculation_mitigations(void)
+ if ( opt_rsb_hvm )
+ setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM);
+
+- /* Check we have hardware IBPB support before using it... */
+- if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) )
+- opt_ibpb_ctxt_switch = false;
++ ibpb_calculations();
+
+ /* Check whether Eager FPU should be enabled by default. */
+ if ( opt_eager_fpu == -1 )
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index 10cd0cd2518f..33e845991b0a 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -65,7 +65,7 @@
+ void init_speculation_mitigations(void);
+ void spec_ctrl_init_domain(struct domain *d);
+
+-extern bool opt_ibpb_ctxt_switch;
++extern int8_t opt_ibpb_ctxt_switch;
+ extern bool opt_ssbd;
+ extern int8_t opt_eager_fpu;
+ extern int8_t opt_l1d_flush;
+--
+2.35.1
+
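Review bot: In spec_ctrl_init_domain() the dom0 exemption from IBPB-on-entry is keyed on `d->domain_id != 0`, so the trust decision rests on a literal domain id rather than on the property that makes the domain trusted. If the intent is "the hardware/control domain", `is_hardware_domain(d)` would express it; otherwise a comment next to the test, such as `/* domain 0 is exempt by default for performance; see spec-ctrl=ibpb-entry */`, would record why it is skipped. Relatedly, ibpb_calculations() disables IBPB on context switch when both entry options are on and its comment says "ignoring dom0 if trusted", but no visible code checks that dom0 is trusted, so that assumption should be documented where `opt_ibpb_ctxt_switch` is defaulted. spec_ctrl_init_domain() starts and ends outside the nested hunk.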
diff --git a/info.txt b/info.txt
index e830829..3068c62 100644
--- a/info.txt
+++ b/info.txt
@@ -1,6 +1,6 @@
-Xen upstream patchset #1 for 4.16.2-pre
+Xen upstream patchset #0 for 4.15.4-pre
Containing patches from
-RELEASE-4.16.1 (13fee86475f3831d7a1ecf6d7e0acbc2ac779f7e)
+RELEASE-4.15.3 (feecaf4abf733e83b7a297190819eca7a7f65168)
to
-staging-4.16 (0a5387a01165b46c8c85e7f7e2ddbe60a7f5db44)
+staging-4.15 (35bf91d30f1a480dcf5bfd99b79384b2b283da7f)