Xen project Mailing List

Re: [PATCH] x86/spec-ctrl: Use IST RSB protection for !SVM systems

To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Mon, 15 Aug 2022 11:41:15 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=EAmZU7r6p+ZUJIoGKvwTzYYqCVvA8CxEB6Rz/NTzT3c=; b=bRmV2ZYgwKaYQchS3/KRM7YvycW+a4DyH5ODbdoShbJuyWHNjpyoVaIUfz8kbDkxyHFZNn+7NDBsD5qz9hmDCRTlxEB/Aws8dmj9LWtW9JJ+bJvdFANt+64+vyHFRq0yYqChPgUmr0EBPu0FNjxRdArjPWeyMDuoOXBDgmzQm93TczF6MVQs0yD/NFUElRYc+Q7b4f5fyS4A+NAmhzqLcRjRIFLHGzyHirILMxP+R913ZRUJT9lIkHXbGPKwtDzmrahFtmfrYHOycWziwUa3EGrbguT+2CYmANZpP54Xw/aq7lDDk9bXrJPH3O3uhhR0hTS/jpKn1faN+cMxWZkHUw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DnpCyDEZxhKfkT/NlAHLiDus7dO4OxJoS/Q46hgeXSXhYh4X+VwpPkJoPzDmVXk+WXvwAXV8tKPclsElovLui8EVyvx81AdTlUrdoHVvBXCiBcIr6Gz5agcDZ9iqtzHJETKILcRtvu1CSrk2tCFM4Zr8CPpv1WYvAKXLzQg1T1ONgl2AZkKtxvaIa3kkLj8FOTxx3yKy191ZYFuuAk2+NOkdqBnD19Hip9bUYOaH52NDxO0iN7h4cYWTXiqsldo9XT4U3GRalkCfFzaRVJ//Acf/u11KvCx1j+7o3SBMv3RFdIQCaFASXVsiKmZ7GEYpCcn9eqgrzypD6Rh5czphzg==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 15 Aug 2022 09:41:28 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 15.08.2022 11:33, Andrew Cooper wrote: > On 15/08/2022 09:26, Jan Beulich wrote: >> On 05.08.2022 12:38, Andrew Cooper wrote: >>> --- a/xen/arch/x86/spec_ctrl.c >>> +++ b/xen/arch/x86/spec_ctrl.c >>> @@ -1327,8 +1327,24 @@ void __init init_speculation_mitigations(void) >>> * mappings. >>> */ >>> if ( opt_rsb_hvm ) >>> + { >>> setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); >>> >>> + /* >>> + * For SVM, Xen's RSB safety actions are performed before STGI, so >>> + * behave atomically with respect to IST sources. >>> + * >>> + * For VT-x, NMIs are atomic with VMExit (the NMI gets queued but >>> not >>> + * delivered) whereas other IST sources are not atomic. >>> Specifically, >>> + * #MC can hit ahead the RSB safety action in the vmexit path. >>> + * >>> + * Therefore, it is necessary for the IST logic to protect Xen >>> against >>> + * possible rogue RSB speculation. >>> + */ >>> + if ( !cpu_has_svm ) >>> + default_spec_ctrl_flags |= SCF_ist_rsb; >> Only now, when I'm about to backport this, it occurs to me to ask: Why >> is this !cpu_has_svm rather than cpu_has_vmx? > > Because it is only SVM known to be safe. Yes. Which amounts to only VT-x being unsafe. And in particular PV alone (e.g. shim, from the perspective of the shim itself) is safe as well, no matter what CPU we're on. >> Plus shouldn't this further >> be gated upon HVM actually being in use (i.e. in particular CONFIG_HVM=y >> in the first place)? > > Perhaps, but not locally here. All of init_speculation_mitigations() > wants reconsidering if you're going down that route. Not sure - many of the settings (like X86_FEATURE_SC_RSB_HVM also being set in the enclosing if()) only affect HVM-specific code paths, so which way they are set wouldn't matter when !CONFIG_HVM. But the one here clearly affects a common code path, for no gains at all. It's not an overly hot code path, sure, but it still strikes me as odd. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.