[xen stable-4.14] x86/spec-ctrl: Mitigate Speculative Return Stack Overflow
commit e8db771a17c96f3a393ad7929c1c35e17e39972a Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Thu Jun 15 13:46:29 2023 +0100 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Thu Aug 3 19:14:19 2023 +0100 x86/spec-ctrl: Mitigate Speculative Return Stack Overflow On native, synthesise the SRSO bits by probing various hardware properties as given by AMD. Extend the IBPB-on-entry mitigations to Zen3/4 CPUs. There is a microcode prerequisite to make this an effective mitigation. This is part of XSA-434 / CVE-2023-20569 Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> (cherry picked from commit 220c06e6fefe2378f40e2a7391f5e265a2aa50f7) --- docs/misc/xen-command-line.pandoc | 7 ++-- xen/arch/x86/spec_ctrl.c | 68 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 3 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 2fd6a9a552..88f880177f 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2170,9 +2170,10 @@ guests to use. preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware - vulnerable to Branch Type Confusion, but for performance reasons, dom0 is - unprotected by default. If it necessary to protect dom0 too, boot with - `spec-ctrl=ibpb-entry`. + vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative + Return Stack Overflow if appropriate microcode has been loaded, but for + performance reasons dom0 is unprotected by default. If it is necessary to + protect dom0 too, boot with `spec-ctrl=ibpb-entry`. If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` 
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 3659e6800e..2dad423255 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c 
@@ -872,6 +872,63 @@ static bool __init should_use_eager_fpu(void) } } +static void __init srso_calculations(bool hw_smt_enabled) +{ + if ( !(boot_cpu_data.x86_vendor & + (X86_VENDOR_AMD | X86_VENDOR_HYGON)) ) + return; + + /* + * If virtualised, none of these heuristics are safe. Trust the + * hypervisor completely. + */ + if ( cpu_has_hypervisor ) + return; + + if ( boot_cpu_data.x86 == 0x19 ) + { + /* + * We could have a table of models/microcode revisions. ...or we + * could just look for the new feature added. + */ + if ( wrmsr_safe(MSR_PRED_CMD, PRED_CMD_SBPB) == 0 ) + { + setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE); + setup_force_cpu_cap(X86_FEATURE_SBPB); + } + else + printk(XENLOG_WARNING + "Vulnerable to SRSO, without suitable microcode to mitigate\n"); + } + else if ( boot_cpu_data.x86 < 0x19 ) + { + /* + * Zen1/2 (which have the IBPB microcode) have IBPB_BRTYPE behaviour + * already. + * + * Older CPUs are unknown, but their IBPB likely does flush branch + * types too. As we're synthesising for the benefit of guests, go + * with the likely option - this avoids VMs running on e.g. a Zen3 + * thinking there's no SRSO mitigation available because it may + * migrate to e.g. a Bulldozer. + */ + if ( boot_cpu_has(X86_FEATURE_IBPB) ) + setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE); + } + + /* + * In single-thread mode on Zen1/2, microarchitectural limits prevent SRSO + * attacks from being effective. Synthesise SRSO_NO if SMT is disabled in + * hardware. + * + * Booting with smt=0, or using xen-hptool should be effective too, but + * they can be altered at runtime so it's not safe to presume SRSO_NO. + */ + if ( !hw_smt_enabled && + (boot_cpu_data.x86 == 0x17 || boot_cpu_data.x86 == 0x18) ) + setup_force_cpu_cap(X86_FEATURE_SRSO_NO); +} + static void __init ibpb_calculations(void) { bool def_ibpb_entry = false; 
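Review bot: the microcode probe in the `boot_cpu_data.x86 == 0x19` branch has a side effect the comment should spell out: `wrmsr_safe(MSR_PRED_CMD, PRED_CMD_SBPB)` is not a read-only capability check, it issues a real SBPB on the boot CPU whenever the microcode is present, so "just look for the new feature added" understates what the probe does. Separately, the `Vulnerable to SRSO, without suitable microcode to mitigate` warning is only printed on Fam 0x19; the `x86 < 0x19` path silently synthesises `IBPB_BRTYPE` from `IBPB`, and an older SMT-enabled part without `IBPB` at all leaves this function with neither `IBPB_BRTYPE` nor `SRSO_NO` and no message. Consider a warning for that case too, or a comment stating why it is intentionally silent.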
@@ -900,6 +957,15 @@ static void __init ibpb_calculations(void) */ if ( !boot_cpu_has(X86_FEATURE_BTC_NO) ) def_ibpb_entry = true; + + /* + * Further to BTC, Zen3/4 CPUs suffer from Speculative Return Stack + * Overflow in most configurations. Mitigate with IBPB-on-entry if we + * have the microcode that makes this an effective option. + */ + if ( !boot_cpu_has(X86_FEATURE_SRSO_NO) && + boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ) + def_ibpb_entry = true; } if ( opt_ibpb_entry_pv == -1 ) @@ -1402,6 +1468,8 @@ void __init init_speculation_mitigations(void) if ( opt_rsb_hvm ) setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); + srso_calculations(hw_smt_enabled); + ibpb_calculations(); /* Check whether Eager FPU should be enabled by default. */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.14
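Review bot: the new `def_ibpb_entry` condition in `ibpb_calculations()` relies on `X86_FEATURE_SRSO_NO` and `X86_FEATURE_IBPB_BRTYPE` having already been synthesised, which only holds because the final hunk inserts `srso_calculations(hw_smt_enabled);` immediately before `ibpb_calculations();` in `init_speculation_mitigations()`; nothing in `ibpb_calculations()` itself records that ordering. Suggest extending the new comment with a line such as `* Relies on srso_calculations() having run first.` so a later reorder does not silently drop the default. Also, since the `x86 < 0x19` path synthesises `IBPB_BRTYPE` from plain `IBPB`, this condition is also true on SMT-enabled Zen1/2, where the preceding `!boot_cpu_has(X86_FEATURE_BTC_NO)` check already sets the default; harmless, but worth a word in the comment so the two checks are not read as disjoint.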