[xen master] x86: guard against straight-line speculation past RET

[patchbot@xxxxxxx]

commit 71b0b475d801ebeb83a6ba402425135c314fa2df
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Fri Apr 9 09:16:22 2021 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Fri Apr 9 09:16:22 2021 +0200

    x86: guard against straight-line speculation past RET
    
    Under certain conditions CPUs can speculate into the instruction stream
    past a RET instruction. Guard against this just like 3b7dab93f240
    ("x86/spec-ctrl: Protect against CALL/JMP straight-line speculation")
    did - by inserting an "INT $3" insn. It's merely the mechanics of how to
    achieve this that differ: A set of macros gets introduced to post-
    process RET insns issued by the compiler (or living in assembly files).
    
    Unfortunately for clang this requires further features their built-in
    assembler doesn't support: We need to be able to override insn mnemonics
    produced by the compiler (which may be impossible, if internally
    assembly mnemonics never get generated).
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
 xen/Makefile                    |  5 ++++-
 xen/include/asm-x86/asm-defns.h | 16 ++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/xen/Makefile b/xen/Makefile
index 9f3be7766d..3a8fb7ec7e 100644
--- a/xen/Makefile
+++ b/xen/Makefile
@@ -145,7 +145,10 @@ t2 = $(call as-insn,$(CC) -I$(BASEDIR)/include,".include 
\"asm-x86/asm-defns.h\"
 # https://bugs.llvm.org/show_bug.cgi?id=36110
 t3 = $(call as-insn,$(CC),".macro FOO;.endm"$(close); asm volatile 
$(open)".macro FOO;.endm",-no-integrated-as)
 
-CLANG_FLAGS += $(call or,$(t1),$(t2),$(t3))
+# Check whether macros can override insn mnemonics in inline assembly.
+t4 = $(call as-insn,$(CC),".macro ret; .error; .endm; .macro retq; .error; 
.endm",-no-integrated-as)
+
+CLANG_FLAGS += $(call or,$(t1),$(t2),$(t3),$(t4))
 endif
 
 CLANG_FLAGS += -Werror=unknown-warning-option
diff --git a/xen/include/asm-x86/asm-defns.h b/xen/include/asm-x86/asm-defns.h
index 505f39ad5f..e164437798 100644
--- a/xen/include/asm-x86/asm-defns.h
+++ b/xen/include/asm-x86/asm-defns.h
@@ -57,6 +57,22 @@
     INDIRECT_BRANCH jmp \arg
 .endm
 
+/*
+ * To guard against speculation past RET, insert a breakpoint insn
+ * immediately after them.
+ */
+.macro ret operand:vararg
+    retq \operand
+.endm
+.macro retq operand:vararg
+    .ifb \operand
+    .byte 0xc3
+    .else
+    .byte 0xc2
+    .word \operand
+    .endif
+.endm
+
 .macro guest_access_mask_ptr ptr:req, scratch1:req, scratch2:req
 #if defined(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS)
     /*
--
generated by git-patchbot for /home/xen/git/xen.git#master