
[Xen-devel] [PATCH SpectreV1+L1TF v4 03/11] config: introduce L1TF_LFENCE option

This commit introduces the configuration option L1TF_LFENCE that allows
controlling the implementation of the protection of privilege checks via
lfence instructions. The following four alternatives are provided:

 - not injecting lfence instructions
 - inject an lfence instruction for both outcomes of the conditional
 - inject an lfence instruction only if the conditional would evaluate
   to true, so that this case cannot be entered under speculation
 - evaluate the condition and store the result into a local variable;
   before using this value, inject an lfence instruction.

The different options allow controlling the level of protection vs. the
slowdown the additional lfence instructions would introduce. The default
value is set to protecting both branches.

For non-x86 platforms, the protection is disabled by default.

Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>

 xen/arch/x86/Kconfig     | 24 ++++++++++++++++++++++++
 xen/include/xen/nospec.h | 12 ++++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -176,6 +176,30 @@ config PV_SHIM_EXCLUSIVE
          firmware, and will not function correctly in other scenarios.
          If unsure, say N.
+       prompt "Default L1TF Branch Protection?"
+       config L1TF_LFENCE_BOTH
+               bool "Protect both branches of certain conditionals" if HVM
+               ---help---
+                 Inject an lfence instruction after the condition to be
+                 evaluated for both outcomes of the condition
+       config L1TF_LFENCE_TRUE
+               bool "Protect true branch of certain conditionals" if HVM
+               ---help---
+                 Protect only the path where the condition is evaluated to true
+               bool "Protect before using certain conditionals value" if HVM
+               ---help---
+                 Inject an lfence instruction after evaluating the condition
+                 but before forwarding this value from a local variable
+       config L1TF_LFENCE_NONE
+               bool "No conditional protection"
+               ---help---
+                 Do not inject lfences for conditional evaluations
 source "common/Kconfig"
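Review bot: the `prompt "Default L1TF Branch Protection?"` at the top of the hunk has no enclosing `choice`/`endchoice` in the lines shown, the third option (`bool "Protect before using certain conditionals value" if HVM`) has no `config L1TF_LFENCE_...` line naming its symbol, and no `default` is set although the commit message says protecting both branches is the default. Wrap the four options in a `choice` block with `default L1TF_LFENCE_BOTH` and give the third option a symbol so the nospec.h hunk can select it (it currently tests only `CONFIG_L1TF_LFENCE_NONE`, `_BOTH` and `_TRUE`). Also, `L1TF_LFENCE_BOTH` and `L1TF_LFENCE_TRUE` are only offered `if HVM` while `L1TF_LFENCE_NONE` is unconditional, so a non-HVM build can only pick "No conditional protection"; either state that in the help text or drop the `HVM` dependency if it is not intended.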
diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h
--- a/xen/include/xen/nospec.h
+++ b/xen/include/xen/nospec.h
@@ -68,10 +68,18 @@ static inline bool lfence_true(void) { return true; }
- * protect evaluation of conditional with respect to speculation
+ * allow to protect evaluation of conditional with respect to speculation on 
-#define evaluate_nospec(condition)                                      \
+#if defined(CONFIG_L1TF_LFENCE_NONE) || !defined(CONFIG_X86)
+#define evaluate_nospec(condition) (condition)
+#elif defined(CONFIG_L1TF_LFENCE_BOTH)
+#define evaluate_nospec(condition)                                         \
     (((condition) && lfence_true()) || !lfence_true())
+#elif defined(CONFIG_L1TF_LFENCE_TRUE)
+#define evaluate_nospec(condition) ((condition) && lfence_true())
+#define evaluate_nospec(condition) ({ bool res = (condition); rmb(); res; })
 #endif /* XEN_NOSPEC_H */
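Review bot: the `rmb()` variant at the end of the `#if` chain (`#define evaluate_nospec(condition) ({ bool res = (condition); rmb(); res; })`) has no `#elif defined(CONFIG_L1TF_LFENCE_...)` guard of its own in the lines shown, and the chain has no `#endif` before `#endif /* XEN_NOSPEC_H */`, so as written it redefines `evaluate_nospec` underneath the `CONFIG_L1TF_LFENCE_TRUE` definition; give it its own `#elif` for the fourth Kconfig option and close the chain. Two further points: `!defined(CONFIG_X86)` makes the non-x86 case unconditionally unprotected, whereas the commit message says the protection is "disabled by default" there, so one of the two should be corrected; and the other variants serialise through `lfence_true()` while this one relies on `rmb()` expanding to an lfence, so either use `lfence_true()` here as well or say why `rmb()` is sufficient. The comment line `allow to protect evaluation of conditional with respect to speculation on` is cut off mid-sentence.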

Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrer: Christian Schlaeger, Ralf Herbrich
Ust-ID: DE 289 237 879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
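The four strategies the commit message lists, reimplemented side by side as an added example (this is not code from the patch or from Xen). The macro names `evaluate_none`/`evaluate_both`/`evaluate_true`/`evaluate_local`, the `probe()` harness, and the `struct guest`/`read_secret()` privilege check are this example's own; `lfence_true()` is a counting stand-in for Xen's helper (and for the `rmb()` the fourth variant uses in the patch), assumed to emit an lfence on x86. The point it makes visible is how short-circuit evaluation in the "both" variant executes exactly one lfence on each outcome while preserving the truth value, and which outcomes the other variants leave unfenced.

```c
/*
 * Added example, not code from the Xen patch: the four evaluate_nospec()
 * strategies from the commit message as separate macros, with lfence_true()
 * instrumented to count how many fences each strategy executes per outcome.
 * On x86 the stub issues a real lfence; elsewhere it only counts.
 */
#include <stdbool.h>
#include <stdio.h>

static int lfence_count;

/* Stand-in for Xen's lfence_true(): always true, serialises, and counts. */
static inline bool lfence_true(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
    lfence_count++;
    return true;
}

/* 1. No protection: the conditional is used as-is. */
#define evaluate_none(c)  (c)

/* 2. Fence on both outcomes. Short-circuit evaluation means exactly one of
 *    the two lfence_true() calls runs: the first when (c) is true, the
 *    second (negated, so the overall result stays false) when (c) is false. */
#define evaluate_both(c)  (((c) && lfence_true()) || !lfence_true())

/* 3. Fence only when the condition is true: the true path cannot be entered
 *    speculatively, but the false path is left unfenced. */
#define evaluate_true(c)  ((c) && lfence_true())

/* 4. Evaluate into a local, serialise, then forward the value. The patch
 *    uses rmb() as the barrier; lfence_true() stands in here (assumption)
 *    so all variants are counted the same way. */
static inline bool evaluate_local(bool res)
{
    lfence_true();
    return res;
}

enum strategy { S_NONE, S_BOTH, S_TRUE, S_LOCAL };

struct probe {
    bool result;  /* truth value the strategy returned */
    int fences;   /* lfence_true() calls it executed */
};

/* Run one strategy on one condition outcome and report cost and result. */
struct probe probe(enum strategy s, bool cond)
{
    struct probe p = { false, 0 };

    lfence_count = 0;
    switch ( s )
    {
    case S_NONE:  p.result = evaluate_none(cond);  break;
    case S_BOTH:  p.result = evaluate_both(cond);  break;
    case S_TRUE:  p.result = evaluate_true(cond);  break;
    case S_LOCAL: p.result = evaluate_local(cond); break;
    }
    p.fences = lfence_count;
    return p;
}

/* Constructed privilege check of the kind the series protects: a flag the
 * guest can influence gates a read that must not happen under speculation. */
struct guest { bool privileged; unsigned secret; };

unsigned read_secret(const struct guest *g)
{
    if ( evaluate_both(g->privileged) )
        return g->secret;   /* reached only after an lfence */
    return 0;               /* likewise reached only after an lfence */
}

int main(void)
{
    static const char *const names[] = { "none", "both", "true", "local" };
    const struct guest dom0 = { true, 0x2a }, domu = { false, 0x2a };

    for ( int s = S_NONE; s <= S_LOCAL; s++ )
        for ( int c = 0; c < 2; c++ )
        {
            struct probe p = probe((enum strategy)s, c);
            printf("%-5s cond=%d -> result=%d fences=%d\n",
                   names[s], c, p.result, p.fences);
        }
    printf("read_secret: privileged=%u unprivileged=%u\n",
           read_secret(&dom0), read_secret(&domu));
    return 0;
}
```

Running it shows "none" paying no fence on either outcome, "both" and "local" paying exactly one on each, and "true" paying one only when the condition holds, which is the protection/cost trade-off the Kconfig option exposes.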
