Xen project Mailing List

[PATCH 1/3] x86/spec-ctrl: Consistently halt speculation using int3

To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Mon, 18 Jul 2022 21:50:07 +0100

Authentication-results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Mon, 18 Jul 2022 20:50:48 +0000

Ironport-data: A9a23:ZcyVSqzokyGBA+lJ/up6t4n5zX1e4sY/ZkZSj/bM1gqfGCHpmQ7xbLELH0zjCQM2EUT3yIhaqDbNUz4aq/+7Nahbx0wH00GjTfXMwrY/o/tueGjOdIleLRyLAEtySNUbZmKTaQ9Vkdo/FPeseATPf28m9G/Uogv4NssvxUGUdKvorEtYhuhcQRweQZ4i60FD7Fnr+qG8YcAZNFVqL7sS/+nQqleRV/EDR+WuSxE6WBLQsA1l7vCADXk954Ixb+Oa1esjZb3Zpu+FmTxQFI7lBD+rOlVubESwtFzTuBHRSzP0Iy4/hIiu+vn35ZLuwv4NpFjRkbYdOgQ5PcrOO5BkOJj3bMf2PNPcvo99QMY+mvm3liVNDkKTHb1LDvCeyzk8M2GxvIk9FcnE82o3ZcaDEsQNTadDO3DFpANwTGr1OCerAo3oi+NET2t2cxnVpjX0WQrf/geSxXzrSl5+IWShlJANxGpmozi2DBxERM+cdzrMWmXBjCu2muiQb8CPYoPV/Rhchihxq37UjUI5O+2rStAkTMbDqQqFEJF8MhKpmXL/cFIJVOjM3wtEMtuNLDCFqjQ6ibzoxMeG2g8KjvSXAdh8HBTHA1Uj70kUA64r39+eOd2Yxshb8N6z/B0xVzV9NOXEqmJ7UFHiOYcKH8ieAySVcVRZVk+6HL5VxpUU7SHCM7rmnVEVaNVxhiW1Dcz/xtXHjm9kw9Rm7k9Mh0tcVv8xDpWPE96R4eDwknqS4GiGAxSe4wKwbCqhmRB9Zz0xqFgQjBHPcWUoYUhFAgyMaxbq+RBB7BLnnYrvD196X5nDKKhWTP55YYNKSWhNc15WzpmvbFedImnTa6Z6JIAKfpFKKXX3lnLoTuxV6VnGbKjy2JAjRZmpARg0oAGrLHmoCD2rdKv0LrXZNP0WJkXH+V/yTXe9sVweR4u4iLEilte5OWPw+hfvBPplQgZY4HWQckhjNPld1zy+0fnF+4o+l/ulFxKyt8FM8kA3AuIuD7IgMukcR9hJYxo+Dle5LrJw2Mo8PWm214RZ0H6oHWWg5co3UOEdQPxXcRYCR0ELA5bntnqGLgj++JYdUI46rrj5n0Zyu3MS181JNu5VX4uVXh+CY3z5BYwTP5ZeU71tPjgCj8+ewTvWJ/BDap95VxXOSccbLzTATi2MZ9M65GqaLaT19ojSi/jEzyQArl1EC39jaopTEgoeqBhZ8bwsVSwS0vge9tdJZRik2lRknRPrO0EkPrznEpRcnPbwdPp3BIqZGygkfFkZ0+/JPbGo1ap9cB9WwsdGrpGLwxffi1gklMMEgATLVjr6MdIqTECWWFbZpBn4sMfR1VrRs0Uj/Kh4u53Ba032kXyOb0ScIUoqZi2O/btd4yD1pPI1WtDJQvliA0VyTP8MotwINiU3zS8mJTM0Q+eby0a86RIfeSNCJKiJ8+BTBhKFlLaM2aezfBw20TTRjyXnWWJpd2LQnteEKMyWC/YEoUkzbtDNWt/z5DMV9erjRUNOU1MPN5ignxAWql0oyKf8vZIhIFvSkYXpfCC04V6XgMLNyf6YwJvXLjRu1hKcunuOsRtlbvs3fRjuaU7HNmdTIEhZ/O2MuCHEKq09+z5hC2iwOo4o8Qw8zV9521l4807XgyDdiysB/X2cDOBnTN+btCerdhtaMy8+OWu1YQfDMfDttr/ePyNyHeDD84ExYG6brRfde/LS5tbioeBXEH6Fegm5tvmgLBvO8cdvtNnVVw6iv1ZtFMOcjJ3ew4p9wb9CT/n0D3748rZOa7GAda72AS7/IFl+La2S7lIKC161Xlfv9Osk401GZxlFnBRwrXPKqP4NxtyQE6u6cIenwA0FHhyQP1wTg3LjgvISkn4IMinrqfi6XqY3RzHKao1XFNgnO68VS9cHBeYaM6EpDi7gRsaYAnSKbEA8HhAPNJ925BOdo0NJSiArr7cGGD8ofjFGu1D8S3tmzXnE3PhmURQ3ucUfR5PEXp9rMeSmtW/ii0Y+vRfJ+YVtyUjChR0rvBTVkn6Fmjxv1gzD0kpvYWO7+MI2lwUNmAUaqJ/WUC0L7ceovpTpCFMtLL1/CjoDDsgWfcBSH4wg8SbGabEJv8VEpuFsK8ljZAS2VGlWT+2oEL4jvUwcmlUAsLfvHxP7XclKZ/TBfNrw3MzCpQEIYAtCKW9WavWZOD/dC1nR53mj+P0dVXzz9IR1qrTp5J7cs5JFcFjviZwvPT/+wP71Jc6HPQNSVWeq+6SEsSXoLZen0mqYm5MhwbhBI6HuWPSJvLbAbTY750PhRPG8/oWE+buMOj0CPg/A4OdE858f9T6m22vywMELPQizn5+rHW1NcjocAidXfFT3nr+roYi6hY/c52NWaV6h0P3cGH0+TdI6itOVn02Iba/GIh6FueSbYwZd1Pc26g+IprvHhiYAGSqAohBSKRGi2iF0PiE/ImhBW1hY3qHCWTWP/qmRVRNHduFn9ys/iDsjehWBOAwS908GAwsWRNiCXpKDPUYmabtAX00g1rpZisGBLdFT7o8IHXp+Lctb3S3jKEE6SnnDhgt77Pn1JJp4i9nyLkvMvDQHbFXjfNZNoHdRgKiiXuMVhvlpRw8jTj9Rz+87tgdRFwfybY1elvAFI/tM2hGioLRvkMLfUQssAbC3BZMQ7e4zRCuMMwAUCuKpztGyShNKFdTFRZJZrBsA9FpGycVQnjdj4WH+UmPk9KNYD2b1vHoxa67ebzDZtvrGvGex8dfbjVbAq2JemmVn7ONB3EWazVc=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

The RSB stuffing loop and retpoline thunks date from the very beginning, when halting speculation was a brand new field. These days, we've largely settled on int3 for halting speculation in non-architectural paths. It's a single byte, and is fully serialising - a requirement for delivering #BP if it were to execute. Update the thunks. Mostly for consistency across the codebase, but it does shrink every entrypath in Xen by 6 bytes which is a marginal win. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> CC: Wei Liu <wl@xxxxxxx> --- xen/arch/x86/include/asm/spec_ctrl_asm.h | 11 +++-------- xen/arch/x86/indirect-thunk.S | 6 ++---- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index 9eb4ad9ab71d..fab27ff5532b 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -126,9 +126,8 @@ * change. Based on Google's performance numbers, the loop is unrolled to 16 * iterations and two calls per iteration. * - * The call filling the RSB needs a nonzero displacement. A nop would do, but - * we use "1: pause; lfence; jmp 1b" to safely contains any ret-based - * speculation, even if the loop is speculatively executed prematurely. + * The call filling the RSB needs a nonzero displacement, and int3 halts + * speculation. * * %rsp is preserved by using an extra GPR because a) we've got plenty spare, * b) the two movs are shorter to encode than `add $32*8, %rsp`, and c) can be @@ -141,11 +140,7 @@ .irp n, 1, 2 /* Unrolled twice. */ call .L\@_insert_rsb_entry_\n /* Create an RSB entry. */ - -.L\@_capture_speculation_\n: - pause - lfence - jmp .L\@_capture_speculation_\n /* Capture rogue speculation. */ + int3 /* Halt rogue speculation. */ .L\@_insert_rsb_entry_\n: .endr diff --git a/xen/arch/x86/indirect-thunk.S b/xen/arch/x86/indirect-thunk.S index 7cc22da0ef93..de6aef606832 100644 --- a/xen/arch/x86/indirect-thunk.S +++ b/xen/arch/x86/indirect-thunk.S @@ -12,11 +12,9 @@ #include <asm/asm_defns.h> .macro IND_THUNK_RETPOLINE reg:req - call 2f + call 1f + int3 1: - lfence - jmp 1b -2: mov %\reg, (%rsp) ret .endm -- 2.11.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.