|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen master] x86/spec-ctrl: Enumerations for Speculative Return Stack Overflow
commit 2280b0ee2aed6e0fd4af3fa31bf99bc04d038bfe
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Wed Jun 14 09:13:28 2023 +0100
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Aug 8 15:19:49 2023 +0100
x86/spec-ctrl: Enumerations for Speculative Return Stack Overflow
AMD have specified new CPUID bits relating to SRSO.
* SRSO_NO indicates that hardware is no longer vulnerable to SRSO.
* IBPB_BRTYPE indicates that IBPB flushes branch type information too.
* SBPB indicates support for a relaxed form of IBPB that does not flush
branch type information.
Current CPUs (Zen4 and older) are not expected to enumerate these bits.
Native software is expected to synthesise them for guests using model and
microcode revision checks.
Two are just status bits, and SBPB is trivial to support for guests by
tweaking the reserved bit calculation in guest_wrmsr() and feature
dependencies. Expose all by default to guests, so they start showing up
when
Xen synthesises them.
While adding feature dependenies for IBPB, fix up an overlooked issue from
XSA-422. It's inappropriate to advertise that IBPB flushes RET predictions
if
IBPB is unavailable itself.
This is part of XSA-434 / CVE-2023-20569
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
tools/misc/xen-cpuid.c | 3 +++
xen/arch/x86/include/asm/msr-index.h | 1 +
xen/arch/x86/msr.c | 5 ++++-
xen/arch/x86/spec_ctrl.c | 15 ++++++++++-----
xen/include/public/arch-x86/cpufeatureset.h | 3 +++
xen/tools/gen-cpuid.py | 1 +
6 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
index c65d9e01bf..6b8bd624ec 100644
--- a/tools/misc/xen-cpuid.c
+++ b/tools/misc/xen-cpuid.c
@@ -202,6 +202,9 @@ static const char *const str_e21a[32] =
[ 8] = "auto-ibrs",
/* 16 */ [17] = "cpuid-user-dis",
+
+ /* 26 */ [27] = "sbpb",
+ [28] = "ibpb-brtype", [29] = "srso-no",
};
static const char *const str_7b1[32] =
diff --git a/xen/arch/x86/include/asm/msr-index.h
b/xen/arch/x86/include/asm/msr-index.h
index 4d41c171d2..4c59c7e2ae 100644
--- a/xen/arch/x86/include/asm/msr-index.h
+++ b/xen/arch/x86/include/asm/msr-index.h
@@ -46,6 +46,7 @@
#define MSR_PRED_CMD 0x00000049
#define PRED_CMD_IBPB (_AC(1, ULL) << 0)
+#define PRED_CMD_SBPB (_AC(1, ULL) << 7)
#define MSR_PPIN_CTL 0x0000004e
#define PPIN_LOCKOUT (_AC(1, ULL) << 0)
diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c
index ef55498c1a..3f0450259c 100644
--- a/xen/arch/x86/msr.c
+++ b/xen/arch/x86/msr.c
@@ -409,7 +409,10 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
if ( !cp->feat.ibrsb && !cp->extd.ibpb )
goto gp_fault; /* MSR available? */
- if ( val & ~PRED_CMD_IBPB )
+ rsvd = ~(PRED_CMD_IBPB |
+ (cp->extd.sbpb ? PRED_CMD_SBPB : 0));
+
+ if ( val & rsvd )
goto gp_fault; /* Rsvd bit set? */
if ( v == curr )
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index eb9b157692..9ad2ebc0f4 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -390,7 +390,7 @@ custom_param("pv-l1tf", parse_pv_l1tf);
static void __init print_details(enum ind_thunk thunk)
{
- unsigned int _7d0 = 0, _7d2 = 0, e8b = 0, max = 0, tmp;
+ unsigned int _7d0 = 0, _7d2 = 0, e8b = 0, e21a = 0, max = 0, tmp;
uint64_t caps = 0;
/* Collect diagnostics about available mitigations. */
@@ -400,6 +400,8 @@ static void __init print_details(enum ind_thunk thunk)
cpuid_count(7, 2, &tmp, &tmp, &tmp, &_7d2);
if ( boot_cpu_data.extended_cpuid_level >= 0x80000008 )
cpuid(0x80000008, &tmp, &e8b, &tmp, &tmp);
+ if ( boot_cpu_data.extended_cpuid_level >= 0x80000021 )
+ cpuid(0x80000021, &e21a, &tmp, &tmp, &tmp);
if ( cpu_has_arch_caps )
rdmsrl(MSR_ARCH_CAPABILITIES, caps);
@@ -409,7 +411,7 @@ static void __init print_details(enum ind_thunk thunk)
* Hardware read-only information, stating immunity to certain issues, or
* suggestions of which mitigation to use.
*/
- printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
(caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO"
: "",
(caps & ARCH_CAPS_EIBRS) ? " EIBRS"
: "",
(caps & ARCH_CAPS_RSBA) ? " RSBA"
: "",
@@ -429,10 +431,12 @@ static void __init print_details(enum ind_thunk thunk)
(e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST"
: "",
(e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? "
IBRS_SAME_MODE" : "",
(e8b & cpufeat_mask(X86_FEATURE_BTC_NO)) ? " BTC_NO"
: "",
- (e8b & cpufeat_mask(X86_FEATURE_IBPB_RET)) ? " IBPB_RET"
: "");
+ (e8b & cpufeat_mask(X86_FEATURE_IBPB_RET)) ? " IBPB_RET"
: "",
+ (e21a & cpufeat_mask(X86_FEATURE_IBPB_BRTYPE)) ? " IBPB_BRTYPE"
: "",
+ (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO"
: "");
/* Hardware features which need driving to mitigate issues. */
- printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s\n",
+ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n",
(e8b & cpufeat_mask(X86_FEATURE_IBPB)) ||
(_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB"
: "",
(e8b & cpufeat_mask(X86_FEATURE_IBRS)) ||
@@ -448,7 +452,8 @@ static void __init print_details(enum ind_thunk thunk)
(_7d0 & cpufeat_mask(X86_FEATURE_SRBDS_CTRL)) ? " SRBDS_CTRL"
: "",
(e8b & cpufeat_mask(X86_FEATURE_VIRT_SSBD)) ? " VIRT_SSBD"
: "",
(caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL"
: "",
- (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? "
FB_CLEAR_CTRL" : "");
+ (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? "
FB_CLEAR_CTRL" : "",
+ (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB"
: "");
/* Compiled-in support which pertains to mitigations. */
if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING)
)
diff --git a/xen/include/public/arch-x86/cpufeatureset.h
b/xen/include/public/arch-x86/cpufeatureset.h
index 6d20810cb9..3d13fdbe9a 100644
--- a/xen/include/public/arch-x86/cpufeatureset.h
+++ b/xen/include/public/arch-x86/cpufeatureset.h
@@ -289,6 +289,9 @@ XEN_CPUFEATURE(LFENCE_DISPATCH, 11*32+ 2) /*A LFENCE
always serializing */
XEN_CPUFEATURE(NSCB, 11*32+ 6) /*A Null Selector Clears Base
(and limit too) */
XEN_CPUFEATURE(AUTO_IBRS, 11*32+ 8) /*S Automatic IBRS */
XEN_CPUFEATURE(CPUID_USER_DIS, 11*32+17) /* CPUID disable for CPL > 0
software */
+XEN_CPUFEATURE(SBPB, 11*32+27) /*A Selective Branch Predictor
Barrier */
+XEN_CPUFEATURE(IBPB_BRTYPE, 11*32+28) /*A IBPB flushes Branch Type
predictions too */
+XEN_CPUFEATURE(SRSO_NO, 11*32+29) /*A Hardware not vulenrable to
Speculative Return Stack Overflow */
/* Intel-defined CPU features, CPUID level 0x00000007:1.ebx, word 12 */
XEN_CPUFEATURE(INTEL_PPIN, 12*32+ 0) /* Protected Processor
Inventory Number */
diff --git a/xen/tools/gen-cpuid.py b/xen/tools/gen-cpuid.py
index 4a1ca58905..9aa59ffdb1 100755
--- a/xen/tools/gen-cpuid.py
+++ b/xen/tools/gen-cpuid.py
@@ -321,6 +321,7 @@ def crunch_numbers(state):
IBRSB: [STIBP, SSBD, INTEL_PSFD, EIBRS],
IBRS: [AMD_STIBP, AMD_SSBD, PSFD, AUTO_IBRS,
IBRS_ALWAYS, IBRS_FAST, IBRS_SAME_MODE],
+ IBPB: [IBPB_RET, SBPB, IBPB_BRTYPE],
AMD_STIBP: [STIBP_ALWAYS],
# In principle the TSXLDTRK insns could also be considered independent.
--
generated by git-patchbot for /home/xen/git/xen.git#master
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |