|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen staging-4.18] x86/spec-ctrl: Support Intel's new PB-OPT
commit dba0556612922510eb97a5fd7aac659f340c661a
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu May 15 09:08:30 2025 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu May 15 09:08:30 2025 +0200
x86/spec-ctrl: Support Intel's new PB-OPT
In IPU 2025.2 (May 2025), Intel have released an alternative mitigation for
a
prior security issue (SA-00982) on Sapphire and Emerald Rapids CPUs.
Intel suggest that certain workloads will benefit from using the alternative
mode. This can be selected by booting with `spec-ctrl=ibpb-alt`.
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/cpuid-enumeration-and-architectural-msrs.html
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
master commit: 5873740e41acb8593f92623ddd03caebda2718f6
master date: 2025-05-13 14:49:12 +0100
---
docs/misc/xen-command-line.pandoc | 6 +++++-
xen/arch/x86/acpi/power.c | 1 +
xen/arch/x86/cpu/intel.c | 28 ++++++++++++++++++++++++++++
xen/arch/x86/include/asm/cpufeature.h | 1 +
xen/arch/x86/include/asm/msr-index.h | 3 +++
xen/arch/x86/include/asm/processor.h | 3 +++
xen/arch/x86/smpboot.c | 1 +
xen/arch/x86/spec_ctrl.c | 7 +++++++
xen/include/public/arch-x86/cpufeatureset.h | 1 +
9 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/docs/misc/xen-command-line.pandoc
b/docs/misc/xen-command-line.pandoc
index 14c0d0a058..bb04d3d124 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -2376,7 +2376,7 @@ By default SSBD will be mitigated at runtime (i.e
`ssbd=runtime`).
> {ibrs,ibpb,ssbd,psfd,
> eager-fpu,l1d-flush,branch-harden,srb-lock,
> unpriv-mmio,gds-mit,div-scrub,lock-harden,
-> bhi-dis-s,bp-spec-reduce}=<bool> ]`
+> bhi-dis-s,bp-spec-reduce,ibpb-alt}=<bool> ]`
Controls for speculative execution sidechannel mitigations. By default, Xen
will pick the most appropriate mitigations based on compiled in support,
@@ -2532,6 +2532,10 @@ bp-spec-reduce when available, as it is preferable to
using `ibpb-entry=hvm`
to mitigate SRSO for HVM guests, and because it is a prerequisite to advertise
SRSO_U/S_NO to PV guests.
+On Sappire and Emerald Rapids CPUs with May 2025 microcode or later, the
+`ibpb-alt=` option can be used to switch to the alternative mitigation for
+Intel SA-00982. Intel suggest that some workloads will benefit from this.
+
### sync_console
> `= <boolean>`
diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
index f6ab522690..783b4a2f2c 100644
--- a/xen/arch/x86/acpi/power.c
+++ b/xen/arch/x86/acpi/power.c
@@ -299,6 +299,7 @@ static int enter_state(u32 state)
}
update_mcu_opt_ctrl();
+ update_pb_opt_ctrl();
/*
* This should be before restoring CR4, but that is earlier in asm and
diff --git a/xen/arch/x86/cpu/intel.c b/xen/arch/x86/cpu/intel.c
index 076faaa980..6f2b3fffdd 100644
--- a/xen/arch/x86/cpu/intel.c
+++ b/xen/arch/x86/cpu/intel.c
@@ -49,6 +49,34 @@ void __init set_in_mcu_opt_ctrl(uint32_t mask, uint32_t val)
update_mcu_opt_ctrl();
}
+static uint32_t __ro_after_init pb_opt_ctrl_mask;
+static uint32_t __ro_after_init pb_opt_ctrl_val;
+
+void update_pb_opt_ctrl(void)
+{
+ uint32_t mask = pb_opt_ctrl_mask, lo, hi;
+
+ if ( !mask )
+ return;
+
+ rdmsr(MSR_PB_OPT_CTRL, lo, hi);
+
+ lo &= ~mask;
+ lo |= pb_opt_ctrl_val;
+
+ wrmsr(MSR_PB_OPT_CTRL, lo, hi);
+}
+
+void __init set_in_pb_opt_ctrl(uint32_t mask, uint32_t val)
+{
+ pb_opt_ctrl_mask |= mask;
+
+ pb_opt_ctrl_val &= ~mask;
+ pb_opt_ctrl_val |= (val & mask);
+
+ update_pb_opt_ctrl();
+}
+
/*
* Processors which have self-snooping capability can handle conflicting
* memory type across CPUs by snooping its own cache. However, there exists
diff --git a/xen/arch/x86/include/asm/cpufeature.h
b/xen/arch/x86/include/asm/cpufeature.h
index 1048f16e0c..515f3f64d5 100644
--- a/xen/arch/x86/include/asm/cpufeature.h
+++ b/xen/arch/x86/include/asm/cpufeature.h
@@ -211,6 +211,7 @@ static inline bool boot_cpu_has(unsigned int feat)
#define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO)
#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO)
#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR)
+#define cpu_has_pb_opt_ctrl boot_cpu_has(X86_FEATURE_PB_OPT_CTRL)
#define cpu_has_its_no boot_cpu_has(X86_FEATURE_ITS_NO)
/* Synthesized. */
diff --git a/xen/arch/x86/include/asm/msr-index.h
b/xen/arch/x86/include/asm/msr-index.h
index 3c11d1f43c..c9f980cd57 100644
--- a/xen/arch/x86/include/asm/msr-index.h
+++ b/xen/arch/x86/include/asm/msr-index.h
@@ -56,6 +56,9 @@
#define MSR_MISC_PACKAGE_CTRL 0x000000bc
#define PGK_CTRL_ENERGY_FILTER_EN (_AC(1, ULL) << 0)
+#define MSR_PB_OPT_CTRL 0x000000bf
+#define PB_OPT_IBPB_ALT (_AC(1, ULL) << 0)
+
#define MSR_CORE_CAPABILITIES 0x000000cf
#define CORE_CAPS_SPLITLOCK_DETECT (_AC(1, ULL) << 5)
diff --git a/xen/arch/x86/include/asm/processor.h
b/xen/arch/x86/include/asm/processor.h
index b0d2a62c07..1bba4c5002 100644
--- a/xen/arch/x86/include/asm/processor.h
+++ b/xen/arch/x86/include/asm/processor.h
@@ -506,6 +506,9 @@ void tsx_init(void);
void update_mcu_opt_ctrl(void);
void set_in_mcu_opt_ctrl(uint32_t mask, uint32_t val);
+void update_pb_opt_ctrl(void);
+void set_in_pb_opt_ctrl(uint32_t mask, uint32_t val);
+
enum ap_boot_method {
AP_BOOT_NORMAL,
AP_BOOT_SKINIT,
diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
index f7078130cd..ec4956e104 100644
--- a/xen/arch/x86/smpboot.c
+++ b/xen/arch/x86/smpboot.c
@@ -378,6 +378,7 @@ void start_secondary(void *unused)
info->last_spec_ctrl = default_xen_spec_ctrl;
}
update_mcu_opt_ctrl();
+ update_pb_opt_ctrl();
tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 46681d10ae..d8702b0e18 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -85,6 +85,8 @@ static int8_t __initdata opt_gds_mit = -1;
static int8_t __initdata opt_div_scrub = -1;
bool __ro_after_init opt_bp_spec_reduce = true;
+static bool __initdata opt_ibpb_alt;
+
static int __init cf_check parse_spec_ctrl(const char *s)
{
const char *ss;
@@ -367,6 +369,8 @@ static int __init cf_check parse_spec_ctrl(const char *s)
opt_div_scrub = val;
else if ( (val = parse_boolean("bp-spec-reduce", s, ss)) >= 0 )
opt_bp_spec_reduce = val;
+ else if ( (val = parse_boolean("ibpb-alt", s, ss)) >= 0 )
+ opt_ibpb_alt = val;
else
rc = -EINVAL;
@@ -2509,6 +2513,9 @@ void __init init_speculation_mitigations(void)
wrmsrl(MSR_SPEC_CTRL, val);
info->last_spec_ctrl = val;
}
+
+ if ( cpu_has_pb_opt_ctrl )
+ set_in_pb_opt_ctrl(PB_OPT_IBPB_ALT, opt_ibpb_alt);
}
static void __init __maybe_unused build_assertions(void)
diff --git a/xen/include/public/arch-x86/cpufeatureset.h
b/xen/include/public/arch-x86/cpufeatureset.h
index 6fa7777409..e6ed4c02e1 100644
--- a/xen/include/public/arch-x86/cpufeatureset.h
+++ b/xen/include/public/arch-x86/cpufeatureset.h
@@ -345,6 +345,7 @@ XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No
Register File Data Sampling
XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by
VERW */
/* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 (express in
terms of word 16) */
+XEN_CPUFEATURE(PB_OPT_CTRL, 16*32+32) /* MSR_PB_OPT_CTRL.IBPB_ALT */
XEN_CPUFEATURE(ITS_NO, 16*32+62) /*!A No Indirect Target Selection
*/
#endif /* XEN_CPUFEATURE */
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.18
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |