diff options
Diffstat (limited to 'system/xen/xsa/xsa263-4.10-0009-x86-cpuid-Improvements-to-guest-policies-for-specula.patch')
| -rw-r--r-- | system/xen/xsa/xsa263-4.10-0009-x86-cpuid-Improvements-to-guest-policies-for-specula.patch | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa263-4.10-0009-x86-cpuid-Improvements-to-guest-policies-for-specula.patch b/system/xen/xsa/xsa263-4.10-0009-x86-cpuid-Improvements-to-guest-policies-for-specula.patch new file mode 100644 index 0000000000..90b1ffc87f --- /dev/null +++ b/system/xen/xsa/xsa263-4.10-0009-x86-cpuid-Improvements-to-guest-policies-for-specula.patch @@ -0,0 +1,132 @@ +From bce7a2145abc3c7e5bfd7e2168714d194124a3ab Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Tue, 1 May 2018 11:59:03 +0100 +Subject: [PATCH] x86/cpuid: Improvements to guest policies for speculative + sidechannel features + +If Xen isn't virtualising MSR_SPEC_CTRL for guests, IBRSB shouldn't be +advertised. It is not currently possible to express this via the existing +command line options, but such an ability will be introduced. + +Another useful option in some usecases is to offer IBPB without IBRS. When a +guest kernel is known to be compatible (uses retpoline and knows about the AMD +IBPB feature bit), an administrator with pre-Skylake hardware may wish to hide +IBRS. This allows the VM to have full protection, without Xen or the VM +needing to touch MSR_SPEC_CTRL, which can reduce the overhead of Spectre +mitigations. + +Break the logic common to both PV and HVM CPUID calculations into a common +helper, to avoid duplication. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Wei Liu <wei.liu2@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Release-acked-by: Juergen Gross <jgross@suse.com> +(cherry picked from commit cb06b308ec71b23f37a44f5e2351fe2cae0306e9) +--- + xen/arch/x86/cpuid.c | 60 ++++++++++++++++++++++++++++++++-------------------- + 1 file changed, 37 insertions(+), 23 deletions(-) + +diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c +index b3c9ac6..b45b145 100644 +--- a/xen/arch/x86/cpuid.c ++++ b/xen/arch/x86/cpuid.c +@@ -368,6 +368,28 @@ static void __init calculate_host_policy(void) + } + } + ++static void __init guest_common_feature_adjustments(uint32_t *fs) ++{ ++ /* Unconditionally claim to be able to set the hypervisor bit. */ ++ __set_bit(X86_FEATURE_HYPERVISOR, fs); ++ ++ /* ++ * If IBRS is offered to the guest, unconditionally offer STIBP. It is a ++ * nop on non-HT hardware, and has this behaviour to make heterogeneous ++ * setups easier to manage. ++ */ ++ if ( test_bit(X86_FEATURE_IBRSB, fs) ) ++ __set_bit(X86_FEATURE_STIBP, fs); ++ ++ /* ++ * On hardware which supports IBRS/IBPB, we can offer IBPB independently ++ * of IBRS by using the AMD feature bit. An administrator may wish for ++ * performance reasons to offer IBPB without IBRS. ++ */ ++ if ( host_cpuid_policy.feat.ibrsb ) ++ __set_bit(X86_FEATURE_IBPB, fs); ++} ++ + static void __init calculate_pv_max_policy(void) + { + struct cpuid_policy *p = &pv_max_cpuid_policy; +@@ -380,18 +402,14 @@ static void __init calculate_pv_max_policy(void) + for ( i = 0; i < ARRAY_SIZE(pv_featureset); ++i ) + pv_featureset[i] &= pv_featuremask[i]; + +- /* Unconditionally claim to be able to set the hypervisor bit. */ +- __set_bit(X86_FEATURE_HYPERVISOR, pv_featureset); +- +- /* On hardware with IBRS/IBPB support, there are further adjustments. */ +- if ( test_bit(X86_FEATURE_IBRSB, pv_featureset) ) +- { +- /* Offer STIBP unconditionally. It is a nop on non-HT hardware. */ +- __set_bit(X86_FEATURE_STIBP, pv_featureset); ++ /* ++ * If Xen isn't virtualising MSR_SPEC_CTRL for PV guests because of ++ * administrator choice, hide the feature. ++ */ ++ if ( !boot_cpu_has(X86_FEATURE_SC_MSR_PV) ) ++ __clear_bit(X86_FEATURE_IBRSB, pv_featureset); + +- /* AMD's IBPB is a subset of IBRS/IBPB. */ +- __set_bit(X86_FEATURE_IBPB, pv_featureset); +- } ++ guest_common_feature_adjustments(pv_featureset); + + sanitise_featureset(pv_featureset); + cpuid_featureset_to_policy(pv_featureset, p); +@@ -419,9 +437,6 @@ static void __init calculate_hvm_max_policy(void) + for ( i = 0; i < ARRAY_SIZE(hvm_featureset); ++i ) + hvm_featureset[i] &= hvm_featuremask[i]; + +- /* Unconditionally claim to be able to set the hypervisor bit. */ +- __set_bit(X86_FEATURE_HYPERVISOR, hvm_featureset); +- + /* + * Xen can provide an APIC emulation to HVM guests even if the host's APIC + * isn't enabled. +@@ -438,6 +453,13 @@ static void __init calculate_hvm_max_policy(void) + __set_bit(X86_FEATURE_SEP, hvm_featureset); + + /* ++ * If Xen isn't virtualising MSR_SPEC_CTRL for HVM guests because of ++ * administrator choice, hide the feature. ++ */ ++ if ( !boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ) ++ __clear_bit(X86_FEATURE_IBRSB, hvm_featureset); ++ ++ /* + * With VT-x, some features are only supported by Xen if dedicated + * hardware support is also available. + */ +@@ -450,15 +472,7 @@ static void __init calculate_hvm_max_policy(void) + __clear_bit(X86_FEATURE_XSAVES, hvm_featureset); + } + +- /* On hardware with IBRS/IBPB support, there are further adjustments. */ +- if ( test_bit(X86_FEATURE_IBRSB, hvm_featureset) ) +- { +- /* Offer STIBP unconditionally. It is a nop on non-HT hardware. */ +- __set_bit(X86_FEATURE_STIBP, hvm_featureset); +- +- /* AMD's IBPB is a subset of IBRS/IBPB. */ +- __set_bit(X86_FEATURE_IBPB, hvm_featureset); +- } ++ guest_common_feature_adjustments(hvm_featureset); + + sanitise_featureset(hvm_featureset); + cpuid_featureset_to_policy(hvm_featureset, p); +-- +2.1.4 + |