[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v10 06/11] x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen

To: Jan Beulich <JBeulich@xxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Thu, 25 Jan 2018 14:17:32 +0000
Cc: Xen-devel <xen-devel@xxxxxxxxxxxxx>
Delivery-date: Thu, 25 Jan 2018 14:17:39 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 25/01/18 13:19, Jan Beulich wrote:
>>>> On 24.01.18 at 14:12, <andrew.cooper3@xxxxxxxxxx> wrote:
>> --- a/xen/include/asm-x86/spec_ctrl_asm.h
>> +++ b/xen/include/asm-x86/spec_ctrl_asm.h
>> @@ -74,6 +74,43 @@
>>   *  - SPEC_CTRL_EXIT_TO_GUEST
>>   */
>>  
>> +.macro DO_OVERWRITE_RSB
>> +/*
>> + * Requires nothing
>> + * Clobbers %rax, %rcx
>> + *
>> + * Requires 256 bytes of stack space, but %rsp has no net change. Based on
>> + * Google's performance numbers, the loop is unrolled to 16 iterations and 
>> two
>> + * calls per iteration.
>> + *
>> + * The call filling the RSB needs a nonzero displacement.  A nop would do, 
>> but
>> + * we use "1: pause, jmp 1b" to safely contains any ret-based speculation,
>> + * even if the loop is speculatively executed prematurely.
>> + *
>> + * %rsp is preserved by using an extra GPR because a) we've got plenty 
>> spare,
>> + * b) the two movs are shorter to encode than `add $32*8, %rsp`, and c) can 
>> be
>> + * optimised with mov-elimination in modern cores.
>> + */
>> +    mov $16, %ecx                   /* 16 iterations, two calls per loop */
>> +    mov %rsp, %rax                  /* Store the current %rsp */
>> +
>> +.L\@_fill_rsb_loop:
>> +
>> +    .irp n, 1, 2                    /* Unrolled twice. */
>> +    call .L\@_insert_rsb_entry_\n   /* Create an RSB entry. */
>> +
>> +.L\@_capture_speculation_\n:
>> +    pause
>> +    jmp .L\@_capture_speculation_\n /* Capture rogue speculation. */
> Have you seen Linux commit 28d437d550e1e39f805d99f9f8ac399c778827b7
> ("x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB
> macros")?

I saw the patch, but hadn't realised it had gone in.  There was quite a
long discussion.

>  I think we want to have the same, to please AMD. I'd
> suggest to use alternative patching though (except again on the
> IST paths), but then again maybe in a follow-up patch.

I trust the later patches are suitable in the IST regard?

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v10 06/11] x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
  - From: Jan Beulich

References:
- [Xen-devel] [PATCH v10 00/11] x86: Mitigations for SP2/CVE-2017-5715/Branch Target Injection
  - From: Andrew Cooper
- [Xen-devel] [PATCH v10 06/11] x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH v10 06/11] x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [RFC v2] xen/arm: Suspend to RAM Support in Xen for ARM
Next by Date: Re: [Xen-devel] [PATCH] MAINTAINERS: add the iommu list for swiotlb and xen-swiotlb
Previous by thread: Re: [Xen-devel] [PATCH v10 06/11] x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
Next by thread: Re: [Xen-devel] [PATCH v10 06/11] x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.