[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [PATCH 4/4] x86/cpu-policy: Derive {,R}RSBA for guest policies
The RSBA bit, "RSB Alternative", means that the RSB may use alternative predictors when empty. From a practical point of view, this mean "Retpoline not safe". Enhanced IBRS (officially IBRS_ALL in Intel's docs, previously IBRS_ATT) is a statement that IBRS is implemented in hardware (as opposed to the form retrofitted to existing CPUs in microcode). The RRSBA bit, "Restricted-RSBA", is a combination of RSBA, and the eIBRS property that predictions are tagged with the mode in which they were learnt. Therefore, it means "when eIBRS is active, the RSB may fall back to alternative predictors but restricted to the current prediction mode". As such, it's stronger statement than RSBA, but still means "Retpoline not safe". Add feature dependencies for EIBRS and RRSBA. While technically they're not linked, absolutely nothing good can of letting the guest see RRSBA without EIBRS. Furthermore, we use this dependency to simplify the max/default derivation logic. The max policies gets RSBA and RRSBA unconditionally set (with the EIBRS dependency maybe hiding RRSBA). We can run any VM, even if it has been told "somewhere else, Retpoline isn't safe". The default policies inherit the host settings, because the guest wants to run with as few (anti)features as it can safely get away with. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> CC: Wei Liu <wl@xxxxxxx> --- xen/arch/x86/cpu-policy.c | 25 +++++++++++++++++++++++++ xen/tools/gen-cpuid.py | 5 ++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index bdbc5660acd4..eb1ecb75f593 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -423,8 +423,14 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) * Retpoline not safe)", so these need to be visible to a guest in all * cases, even when it's only some other server in the pool which * suffers the identified behaviour. + * + * We can always run any VM which has previously (or will + * subsequently) run on hardware where Retpoline is not safe. Note: + * The dependency logic may hide RRSBA for other reasons. */ __set_bit(X86_FEATURE_ARCH_CAPS, fs); + __set_bit(X86_FEATURE_RSBA, fs); + __set_bit(X86_FEATURE_RRSBA, fs); } } @@ -432,6 +438,25 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) { if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL ) { + /* + * The {,R}RSBA bits under virt mean "you might migrate somewhere + * where retpoline is not safe". In particular, a VM's settings may + * not be applicable to the current host. + * + * Discard the settings inherited from the max policy, and and feed in + * the host values. The ideal case for a VM is for neither of these + * bits to be set, but toolstacks must accumuate them across anywhere + * the VM might migrate to, in case any possible destination happens + * to be unsafe. + * + * Note: The dependency logic might hide RRSBA for other reasons. + */ + fs[FEATURESET_m10Al] &= ~(cpufeat_mask(X86_FEATURE_RSBA) | + cpufeat_mask(X86_FEATURE_RRSBA)); + fs[FEATURESET_m10Al] |= + host_cpu_policy.arch_caps.lo & (cpufeat_mask(X86_FEATURE_RSBA) | + cpufeat_mask(X86_FEATURE_RRSBA)); + /* * IvyBridge client parts suffer from leakage of RDRAND data due to SRBDS * (XSA-320 / CVE-2020-0543), and won't be receiving microcode to diff --git a/xen/tools/gen-cpuid.py b/xen/tools/gen-cpuid.py index f28ff708a2fc..22294a26adc0 100755 --- a/xen/tools/gen-cpuid.py +++ b/xen/tools/gen-cpuid.py @@ -318,7 +318,7 @@ def crunch_numbers(state): # IBRSB/IBRS, and we pass this MSR directly to guests. Treating them # as dependent features simplifies Xen's logic, and prevents the guest # from seeing implausible configurations. - IBRSB: [STIBP, SSBD, INTEL_PSFD], + IBRSB: [STIBP, SSBD, INTEL_PSFD, EIBRS], IBRS: [AMD_STIBP, AMD_SSBD, PSFD, IBRS_ALWAYS, IBRS_FAST, IBRS_SAME_MODE], AMD_STIBP: [STIBP_ALWAYS], @@ -328,6 +328,9 @@ def crunch_numbers(state): # The ARCH_CAPS CPUID bit enumerates the availability of the whole register. ARCH_CAPS: list(range(RDCL_NO, RDCL_NO + 64)), + + # The behaviour described by RRSBA depend on eIBRS being active. + EIBRS: [RRSBA], } deep_features = tuple(sorted(deps.keys())) -- 2.30.2
|
![]() |
Lists.xenproject.org is hosted with RackSpace, monitoring our |