diff options
52 files changed, 2145 insertions, 34 deletions
diff --git a/0001-update-Xen-version-to-4.16.2-pre.patch b/0001-update-Xen-version-to-4.16.2-pre.patch index 30411de..2e62c21 100644 --- a/0001-update-Xen-version-to-4.16.2-pre.patch +++ b/0001-update-Xen-version-to-4.16.2-pre.patch @@ -1,7 +1,7 @@ From 5be9edb482ab20cf3e7acb05b511465294d1e19b Mon Sep 17 00:00:00 2001 From: Jan Beulich <jbeulich@suse.com> Date: Tue, 7 Jun 2022 13:55:17 +0200 -Subject: [PATCH 01/32] update Xen version to 4.16.2-pre +Subject: [PATCH 01/51] update Xen version to 4.16.2-pre --- xen/Makefile | 2 +- diff --git a/0002-x86-irq-skip-unmap_domain_pirq-XSM-during-destructio.patch b/0002-x86-irq-skip-unmap_domain_pirq-XSM-during-destructio.patch index fc6c2e1..0ba090e 100644 --- a/0002-x86-irq-skip-unmap_domain_pirq-XSM-during-destructio.patch +++ b/0002-x86-irq-skip-unmap_domain_pirq-XSM-during-destructio.patch @@ -1,7 +1,7 @@ From b58fb6e81bd55b6bd946abc3070770f7994c9ef9 Mon Sep 17 00:00:00 2001 From: Jason Andryuk <jandryuk@gmail.com> Date: Tue, 7 Jun 2022 13:55:39 +0200 -Subject: [PATCH 02/32] x86/irq: skip unmap_domain_pirq XSM during destruction +Subject: [PATCH 02/51] x86/irq: skip unmap_domain_pirq XSM during destruction MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0003-xen-fix-XEN_DOMCTL_gdbsx_guestmemio-crash.patch b/0003-xen-fix-XEN_DOMCTL_gdbsx_guestmemio-crash.patch index 905993b..fa1443c 100644 --- a/0003-xen-fix-XEN_DOMCTL_gdbsx_guestmemio-crash.patch +++ b/0003-xen-fix-XEN_DOMCTL_gdbsx_guestmemio-crash.patch @@ -1,7 +1,7 @@ From 6c6bbfdff9374ef41f84c4ebed7b8a7a40767ef6 Mon Sep 17 00:00:00 2001 From: Juergen Gross <jgross@suse.com> Date: Tue, 7 Jun 2022 13:56:54 +0200 -Subject: [PATCH 03/32] xen: fix XEN_DOMCTL_gdbsx_guestmemio crash +Subject: [PATCH 03/51] xen: fix XEN_DOMCTL_gdbsx_guestmemio crash A hypervisor built without CONFIG_GDBSX will crash in case the XEN_DOMCTL_gdbsx_guestmemio domctl is being called, as the call will diff --git a/0004-VT-d-refuse-to-use-IOMMU-with-reserved-CAP.ND-value.patch b/0004-VT-d-refuse-to-use-IOMMU-with-reserved-CAP.ND-value.patch index c566888..a4d229a 100644 --- a/0004-VT-d-refuse-to-use-IOMMU-with-reserved-CAP.ND-value.patch +++ b/0004-VT-d-refuse-to-use-IOMMU-with-reserved-CAP.ND-value.patch @@ -1,7 +1,7 @@ From b378ee56c7e0bb5eeb35dcc55b3d29e5f50eb566 Mon Sep 17 00:00:00 2001 From: Jan Beulich <jbeulich@suse.com> Date: Tue, 7 Jun 2022 13:58:16 +0200 -Subject: [PATCH 04/32] VT-d: refuse to use IOMMU with reserved CAP.ND value +Subject: [PATCH 04/51] VT-d: refuse to use IOMMU with reserved CAP.ND value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0005-x86-mm-avoid-inadvertently-degrading-a-TLB-flush-to-.patch b/0005-x86-mm-avoid-inadvertently-degrading-a-TLB-flush-to-.patch index 6410aaa..45a1825 100644 --- a/0005-x86-mm-avoid-inadvertently-degrading-a-TLB-flush-to-.patch +++ b/0005-x86-mm-avoid-inadvertently-degrading-a-TLB-flush-to-.patch @@ -1,7 +1,7 @@ From 7c003ab4a398ff4ddd54d15d4158cffb463134cc Mon Sep 17 00:00:00 2001 From: David Vrabel <dvrabel@amazon.co.uk> Date: Tue, 7 Jun 2022 13:59:31 +0200 -Subject: [PATCH 05/32] x86/mm: avoid inadvertently degrading a TLB flush to +Subject: [PATCH 05/51] x86/mm: avoid inadvertently degrading a TLB flush to local only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/0006-xen-build-Fix-dependency-for-the-MAP-rule.patch b/0006-xen-build-Fix-dependency-for-the-MAP-rule.patch index 6489cba..7eb13cd 100644 --- a/0006-xen-build-Fix-dependency-for-the-MAP-rule.patch +++ b/0006-xen-build-Fix-dependency-for-the-MAP-rule.patch @@ -1,7 +1,7 @@ From 4bb8c34ba4241c2bf7845cd8b80c17530dbfb085 Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Tue, 7 Jun 2022 14:00:09 +0200 -Subject: [PATCH 06/32] xen/build: Fix dependency for the MAP rule +Subject: [PATCH 06/51] xen/build: Fix dependency for the MAP rule Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> diff --git a/0007-tools-libs-evtchn-don-t-set-errno-to-negative-values.patch b/0007-tools-libs-evtchn-don-t-set-errno-to-negative-values.patch index 2f02fcc..ed98922 100644 --- a/0007-tools-libs-evtchn-don-t-set-errno-to-negative-values.patch +++ b/0007-tools-libs-evtchn-don-t-set-errno-to-negative-values.patch @@ -1,7 +1,7 @@ From 13a29f3756bc4cab96c59f46c3875b483553fb8f Mon Sep 17 00:00:00 2001 From: Juergen Gross <jgross@suse.com> Date: Tue, 7 Jun 2022 14:00:31 +0200 -Subject: [PATCH 07/32] tools/libs/evtchn: don't set errno to negative values +Subject: [PATCH 07/51] tools/libs/evtchn: don't set errno to negative values Setting errno to a negative value makes no sense. diff --git a/0008-tools-libs-ctrl-don-t-set-errno-to-a-negative-value.patch b/0008-tools-libs-ctrl-don-t-set-errno-to-a-negative-value.patch index acd7955..166f0ff 100644 --- a/0008-tools-libs-ctrl-don-t-set-errno-to-a-negative-value.patch +++ b/0008-tools-libs-ctrl-don-t-set-errno-to-a-negative-value.patch @@ -1,7 +1,7 @@ From ba62afdbc31a8cfe897191efd25ed4449d9acd94 Mon Sep 17 00:00:00 2001 From: Juergen Gross <jgross@suse.com> Date: Tue, 7 Jun 2022 14:01:03 +0200 -Subject: [PATCH 08/32] tools/libs/ctrl: don't set errno to a negative value +Subject: [PATCH 08/51] tools/libs/ctrl: don't set errno to a negative value The claimed reason for setting errno to -1 is wrong. On x86 xc_domain_pod_target() will set errno to a sane value in the error diff --git a/0009-tools-libs-guest-don-t-set-errno-to-a-negative-value.patch b/0009-tools-libs-guest-don-t-set-errno-to-a-negative-value.patch index 41eb1f1..5d035f6 100644 --- a/0009-tools-libs-guest-don-t-set-errno-to-a-negative-value.patch +++ b/0009-tools-libs-guest-don-t-set-errno-to-a-negative-value.patch @@ -1,7 +1,7 @@ From a2cf30eec08db5df974a9e8bb7366fee8fc7fcd9 Mon Sep 17 00:00:00 2001 From: Juergen Gross <jgross@suse.com> Date: Tue, 7 Jun 2022 14:01:27 +0200 -Subject: [PATCH 09/32] tools/libs/guest: don't set errno to a negative value +Subject: [PATCH 09/51] tools/libs/guest: don't set errno to a negative value Setting errno to a negative error value makes no sense. diff --git a/0010-tools-libs-light-don-t-set-errno-to-a-negative-value.patch b/0010-tools-libs-light-don-t-set-errno-to-a-negative-value.patch index a83e1cc..ac900ae 100644 --- a/0010-tools-libs-light-don-t-set-errno-to-a-negative-value.patch +++ b/0010-tools-libs-light-don-t-set-errno-to-a-negative-value.patch @@ -1,7 +1,7 @@ From 15391de8e2bb6153eadd483154c53044ab53d98d Mon Sep 17 00:00:00 2001 From: Juergen Gross <jgross@suse.com> Date: Tue, 7 Jun 2022 14:01:44 +0200 -Subject: [PATCH 10/32] tools/libs/light: don't set errno to a negative value +Subject: [PATCH 10/51] tools/libs/light: don't set errno to a negative value Setting errno to a negative value makes no sense. diff --git a/0011-xen-iommu-cleanup-iommu-related-domctl-handling.patch b/0011-xen-iommu-cleanup-iommu-related-domctl-handling.patch index b62ae9b..3c60de4 100644 --- a/0011-xen-iommu-cleanup-iommu-related-domctl-handling.patch +++ b/0011-xen-iommu-cleanup-iommu-related-domctl-handling.patch @@ -1,7 +1,7 @@ From a6c32abd144ec6443c6a433b5a2ac00e2615aa86 Mon Sep 17 00:00:00 2001 From: Juergen Gross <jgross@suse.com> Date: Tue, 7 Jun 2022 14:02:08 +0200 -Subject: [PATCH 11/32] xen/iommu: cleanup iommu related domctl handling +Subject: [PATCH 11/51] xen/iommu: cleanup iommu related domctl handling Today iommu_do_domctl() is being called from arch_do_domctl() in the "default:" case of a switch statement. This has led already to crashes diff --git a/0012-IOMMU-make-domctl-handler-tolerate-NULL-domain.patch b/0012-IOMMU-make-domctl-handler-tolerate-NULL-domain.patch index ff26651..37b9005 100644 --- a/0012-IOMMU-make-domctl-handler-tolerate-NULL-domain.patch +++ b/0012-IOMMU-make-domctl-handler-tolerate-NULL-domain.patch @@ -1,7 +1,7 @@ From 4cf9a7c7bdb9d544fbac81105bbc1059ba3dd932 Mon Sep 17 00:00:00 2001 From: Jan Beulich <jbeulich@suse.com> Date: Tue, 7 Jun 2022 14:02:30 +0200 -Subject: [PATCH 12/32] IOMMU: make domctl handler tolerate NULL domain +Subject: [PATCH 12/51] IOMMU: make domctl handler tolerate NULL domain Besides the reporter's issue of hitting a NULL deref when !CONFIG_GDBSX, XEN_DOMCTL_test_assign_device can legitimately end up having NULL passed diff --git a/0013-IOMMU-x86-disallow-device-assignment-to-PoD-guests.patch b/0013-IOMMU-x86-disallow-device-assignment-to-PoD-guests.patch index efadef6..8416c96 100644 --- a/0013-IOMMU-x86-disallow-device-assignment-to-PoD-guests.patch +++ b/0013-IOMMU-x86-disallow-device-assignment-to-PoD-guests.patch @@ -1,7 +1,7 @@ From 838f6c211f7f05f107e1acdfb0977ab61ec0bf2e Mon Sep 17 00:00:00 2001 From: Jan Beulich <jbeulich@suse.com> Date: Tue, 7 Jun 2022 14:03:20 +0200 -Subject: [PATCH 13/32] IOMMU/x86: disallow device assignment to PoD guests +Subject: [PATCH 13/51] IOMMU/x86: disallow device assignment to PoD guests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0014-x86-msr-handle-reads-to-MSR_P5_MC_-ADDR-TYPE.patch b/0014-x86-msr-handle-reads-to-MSR_P5_MC_-ADDR-TYPE.patch index 09f56f5..69049f1 100644 --- a/0014-x86-msr-handle-reads-to-MSR_P5_MC_-ADDR-TYPE.patch +++ b/0014-x86-msr-handle-reads-to-MSR_P5_MC_-ADDR-TYPE.patch @@ -1,7 +1,7 @@ From 9ebe2ba83644ec6cd33a93c68dab5f551adcbea0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com> Date: Tue, 7 Jun 2022 14:04:16 +0200 -Subject: [PATCH 14/32] x86/msr: handle reads to MSR_P5_MC_{ADDR,TYPE} +Subject: [PATCH 14/51] x86/msr: handle reads to MSR_P5_MC_{ADDR,TYPE} MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0015-kconfig-detect-LD-implementation.patch b/0015-kconfig-detect-LD-implementation.patch index f2fc24a..4507bc7 100644 --- a/0015-kconfig-detect-LD-implementation.patch +++ b/0015-kconfig-detect-LD-implementation.patch @@ -1,7 +1,7 @@ From 3754bd128d1a6b3d5864d1a3ee5d27b67d35387a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com> Date: Tue, 7 Jun 2022 14:05:06 +0200 -Subject: [PATCH 15/32] kconfig: detect LD implementation +Subject: [PATCH 15/51] kconfig: detect LD implementation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0016-linker-lld-do-not-generate-quoted-section-names.patch b/0016-linker-lld-do-not-generate-quoted-section-names.patch index a42083e..5b3a8cd 100644 --- a/0016-linker-lld-do-not-generate-quoted-section-names.patch +++ b/0016-linker-lld-do-not-generate-quoted-section-names.patch @@ -1,7 +1,7 @@ From 88b653f73928117461dc250acd1e830a47a14c2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com> Date: Tue, 7 Jun 2022 14:05:24 +0200 -Subject: [PATCH 16/32] linker/lld: do not generate quoted section names +Subject: [PATCH 16/51] linker/lld: do not generate quoted section names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0017-xen-io-Fix-race-between-sending-an-I-O-and-domain-sh.patch b/0017-xen-io-Fix-race-between-sending-an-I-O-and-domain-sh.patch index d226e97..bc48a84 100644 --- a/0017-xen-io-Fix-race-between-sending-an-I-O-and-domain-sh.patch +++ b/0017-xen-io-Fix-race-between-sending-an-I-O-and-domain-sh.patch @@ -1,7 +1,7 @@ From 982a314bd3000a16c3128afadb36a8ff41029adc Mon Sep 17 00:00:00 2001 From: Julien Grall <jgrall@amazon.com> Date: Tue, 7 Jun 2022 14:06:11 +0200 -Subject: [PATCH 17/32] xen: io: Fix race between sending an I/O and domain +Subject: [PATCH 17/51] xen: io: Fix race between sending an I/O and domain shutdown Xen provides hypercalls to shutdown (SCHEDOP_shutdown{,_code}) and diff --git a/0018-build-suppress-GNU-ld-warning-about-RWX-load-segment.patch b/0018-build-suppress-GNU-ld-warning-about-RWX-load-segment.patch index 87a0873..b20a99a 100644 --- a/0018-build-suppress-GNU-ld-warning-about-RWX-load-segment.patch +++ b/0018-build-suppress-GNU-ld-warning-about-RWX-load-segment.patch @@ -1,7 +1,7 @@ From 4890031d224262a6cf43d3bef1af4a16c13db306 Mon Sep 17 00:00:00 2001 From: Jan Beulich <jbeulich@suse.com> Date: Tue, 7 Jun 2022 14:06:51 +0200 -Subject: [PATCH 18/32] build: suppress GNU ld warning about RWX load segments +Subject: [PATCH 18/51] build: suppress GNU ld warning about RWX load segments We cannot really avoid such and we're also not really at risk because of them, as we control page table permissions ourselves rather than relying diff --git a/0019-build-silence-GNU-ld-warning-about-executable-stacks.patch b/0019-build-silence-GNU-ld-warning-about-executable-stacks.patch index 75e9f7e..e4d739b 100644 --- a/0019-build-silence-GNU-ld-warning-about-executable-stacks.patch +++ b/0019-build-silence-GNU-ld-warning-about-executable-stacks.patch @@ -1,7 +1,7 @@ From 1bc669a568a9f4bdab9e9ddb95823ba370dc0baf Mon Sep 17 00:00:00 2001 From: Jan Beulich <jbeulich@suse.com> Date: Tue, 7 Jun 2022 14:07:11 +0200 -Subject: [PATCH 19/32] build: silence GNU ld warning about executable stacks +Subject: [PATCH 19/51] build: silence GNU ld warning about executable stacks While for C files the compiler is supposed to arrange for emitting respective information, for assembly sources we're responsible ourselves. diff --git a/0020-ns16550-use-poll-mode-if-INTERRUPT_LINE-is-0xff.patch b/0020-ns16550-use-poll-mode-if-INTERRUPT_LINE-is-0xff.patch index b83be9a..baa1e15 100644 --- a/0020-ns16550-use-poll-mode-if-INTERRUPT_LINE-is-0xff.patch +++ b/0020-ns16550-use-poll-mode-if-INTERRUPT_LINE-is-0xff.patch @@ -2,7 +2,7 @@ From f1be0b62a03b90a40a03e21f965e4cbb89809bb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= <marmarek@invisiblethingslab.com> Date: Tue, 7 Jun 2022 14:07:34 +0200 -Subject: [PATCH 20/32] ns16550: use poll mode if INTERRUPT_LINE is 0xff +Subject: [PATCH 20/51] ns16550: use poll mode if INTERRUPT_LINE is 0xff MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0021-PCI-don-t-allow-pci-phantom-to-mark-real-devices-as-.patch b/0021-PCI-don-t-allow-pci-phantom-to-mark-real-devices-as-.patch index 1264578..1312bda 100644 --- a/0021-PCI-don-t-allow-pci-phantom-to-mark-real-devices-as-.patch +++ b/0021-PCI-don-t-allow-pci-phantom-to-mark-real-devices-as-.patch @@ -1,7 +1,7 @@ From 8e11ec8fbf6f933f8854f4bc54226653316903f2 Mon Sep 17 00:00:00 2001 From: Jan Beulich <jbeulich@suse.com> Date: Tue, 7 Jun 2022 14:08:06 +0200 -Subject: [PATCH 21/32] PCI: don't allow "pci-phantom=" to mark real devices as +Subject: [PATCH 21/51] PCI: don't allow "pci-phantom=" to mark real devices as phantom functions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/0022-x86-pv-Clean-up-_get_page_type.patch b/0022-x86-pv-Clean-up-_get_page_type.patch index a6008b0..0270beb 100644 --- a/0022-x86-pv-Clean-up-_get_page_type.patch +++ b/0022-x86-pv-Clean-up-_get_page_type.patch @@ -1,7 +1,7 @@ From b152dfbc3ad71a788996440b18174d995c3bffc9 Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Thu, 9 Jun 2022 15:27:19 +0200 -Subject: [PATCH 22/32] x86/pv: Clean up _get_page_type() +Subject: [PATCH 22/51] x86/pv: Clean up _get_page_type() Various fixes for clarity, ahead of making complicated changes. diff --git a/0023-x86-pv-Fix-ABAC-cmpxchg-race-in-_get_page_type.patch b/0023-x86-pv-Fix-ABAC-cmpxchg-race-in-_get_page_type.patch index 2f4b734..1e3febd 100644 --- a/0023-x86-pv-Fix-ABAC-cmpxchg-race-in-_get_page_type.patch +++ b/0023-x86-pv-Fix-ABAC-cmpxchg-race-in-_get_page_type.patch @@ -1,7 +1,7 @@ From 8dab3f79b122e69cbcdebca72cdc14f004ee2193 Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Thu, 9 Jun 2022 15:27:37 +0200 -Subject: [PATCH 23/32] x86/pv: Fix ABAC cmpxchg() race in _get_page_type() +Subject: [PATCH 23/51] x86/pv: Fix ABAC cmpxchg() race in _get_page_type() _get_page_type() suffers from a race condition where it incorrectly assumes that because 'x' was read and a subsequent a cmpxchg() succeeds, the type diff --git a/0024-x86-page-Introduce-_PAGE_-constants-for-memory-types.patch b/0024-x86-page-Introduce-_PAGE_-constants-for-memory-types.patch index c8c2dda..409b72f 100644 --- a/0024-x86-page-Introduce-_PAGE_-constants-for-memory-types.patch +++ b/0024-x86-page-Introduce-_PAGE_-constants-for-memory-types.patch @@ -1,7 +1,7 @@ From 9cfd796ae05421ded8e4f70b2c55352491cfa841 Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Thu, 9 Jun 2022 15:27:53 +0200 -Subject: [PATCH 24/32] x86/page: Introduce _PAGE_* constants for memory types +Subject: [PATCH 24/51] x86/page: Introduce _PAGE_* constants for memory types ... rather than opencoding the PAT/PCD/PWT attributes in __PAGE_HYPERVISOR_* constants. These are going to be needed by forthcoming logic. diff --git a/0025-x86-Don-t-change-the-cacheability-of-the-directmap.patch b/0025-x86-Don-t-change-the-cacheability-of-the-directmap.patch index 582fc74..0a24a0a 100644 --- a/0025-x86-Don-t-change-the-cacheability-of-the-directmap.patch +++ b/0025-x86-Don-t-change-the-cacheability-of-the-directmap.patch @@ -1,7 +1,7 @@ From 74193f4292d9cfc2874866e941d9939d8f33fcef Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Thu, 9 Jun 2022 15:28:23 +0200 -Subject: [PATCH 25/32] x86: Don't change the cacheability of the directmap +Subject: [PATCH 25/51] x86: Don't change the cacheability of the directmap Changeset 55f97f49b7ce ("x86: Change cache attributes of Xen 1:1 page mappings in response to guest mapping requests") attempted to keep the cacheability diff --git a/0026-x86-Split-cache_flush-out-of-cache_writeback.patch b/0026-x86-Split-cache_flush-out-of-cache_writeback.patch index ffd8d7c..50f70f4 100644 --- a/0026-x86-Split-cache_flush-out-of-cache_writeback.patch +++ b/0026-x86-Split-cache_flush-out-of-cache_writeback.patch @@ -1,7 +1,7 @@ From 8eafa2d871ae51d461256e4a14175e24df330c70 Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Thu, 9 Jun 2022 15:28:48 +0200 -Subject: [PATCH 26/32] x86: Split cache_flush() out of cache_writeback() +Subject: [PATCH 26/51] x86: Split cache_flush() out of cache_writeback() Subsequent changes will want a fully flushing version. diff --git a/0027-x86-amd-Work-around-CLFLUSH-ordering-on-older-parts.patch b/0027-x86-amd-Work-around-CLFLUSH-ordering-on-older-parts.patch index a3ab379..060bc99 100644 --- a/0027-x86-amd-Work-around-CLFLUSH-ordering-on-older-parts.patch +++ b/0027-x86-amd-Work-around-CLFLUSH-ordering-on-older-parts.patch @@ -1,7 +1,7 @@ From c4815be949aae6583a9a22897beb96b095b4f1a2 Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Thu, 9 Jun 2022 15:29:13 +0200 -Subject: [PATCH 27/32] x86/amd: Work around CLFLUSH ordering on older parts +Subject: [PATCH 27/51] x86/amd: Work around CLFLUSH ordering on older parts On pre-CLFLUSHOPT AMD CPUs, CLFLUSH is weakely ordered with everything, including reads and writes to the address, and LFENCE/SFENCE instructions. diff --git a/0028-x86-pv-Track-and-flush-non-coherent-mappings-of-RAM.patch b/0028-x86-pv-Track-and-flush-non-coherent-mappings-of-RAM.patch index 66cd741..af60348 100644 --- a/0028-x86-pv-Track-and-flush-non-coherent-mappings-of-RAM.patch +++ b/0028-x86-pv-Track-and-flush-non-coherent-mappings-of-RAM.patch @@ -1,7 +1,7 @@ From dc020d8d1ba420e2dd0e7a40f5045db897f3c4f4 Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Thu, 9 Jun 2022 15:29:38 +0200 -Subject: [PATCH 28/32] x86/pv: Track and flush non-coherent mappings of RAM +Subject: [PATCH 28/51] x86/pv: Track and flush non-coherent mappings of RAM There are legitimate uses of WC mappings of RAM, e.g. for DMA buffers with devices that make non-coherent writes. The Linux sound subsystem makes diff --git a/0029-x86-mm-account-for-PGT_pae_xen_l2-in-recently-added-.patch b/0029-x86-mm-account-for-PGT_pae_xen_l2-in-recently-added-.patch index 0076984..90ce4cf 100644 --- a/0029-x86-mm-account-for-PGT_pae_xen_l2-in-recently-added-.patch +++ b/0029-x86-mm-account-for-PGT_pae_xen_l2-in-recently-added-.patch @@ -1,7 +1,7 @@ From 0b4e62847c5af1a59eea8d17093feccd550d1c26 Mon Sep 17 00:00:00 2001 From: Jan Beulich <jbeulich@suse.com> Date: Fri, 10 Jun 2022 10:28:28 +0200 -Subject: [PATCH 29/32] x86/mm: account for PGT_pae_xen_l2 in recently added +Subject: [PATCH 29/51] x86/mm: account for PGT_pae_xen_l2 in recently added assertion While PGT_pae_xen_l2 will be zapped once the type refcount of an L2 page diff --git a/0030-x86-spec-ctrl-Make-VERW-flushing-runtime-conditional.patch b/0030-x86-spec-ctrl-Make-VERW-flushing-runtime-conditional.patch index 8556452..af25b5c 100644 --- a/0030-x86-spec-ctrl-Make-VERW-flushing-runtime-conditional.patch +++ b/0030-x86-spec-ctrl-Make-VERW-flushing-runtime-conditional.patch @@ -1,7 +1,7 @@ From 0e80f9f61168d4e4f008da75762cee0118f802ed Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Mon, 13 Jun 2022 16:19:01 +0100 -Subject: [PATCH 30/32] x86/spec-ctrl: Make VERW flushing runtime conditional +Subject: [PATCH 30/51] x86/spec-ctrl: Make VERW flushing runtime conditional MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0031-x86-spec-ctrl-Enumeration-for-MMIO-Stale-Data-contro.patch b/0031-x86-spec-ctrl-Enumeration-for-MMIO-Stale-Data-contro.patch index 6934800..3b91fb5 100644 --- a/0031-x86-spec-ctrl-Enumeration-for-MMIO-Stale-Data-contro.patch +++ b/0031-x86-spec-ctrl-Enumeration-for-MMIO-Stale-Data-contro.patch @@ -1,7 +1,7 @@ From a83108736db0ddaa5855f5abda6dcc8ae4fe25e9 Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Mon, 20 Sep 2021 18:47:49 +0100 -Subject: [PATCH 31/32] x86/spec-ctrl: Enumeration for MMIO Stale Data controls +Subject: [PATCH 31/51] x86/spec-ctrl: Enumeration for MMIO Stale Data controls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0032-x86-spec-ctrl-Add-spec-ctrl-unpriv-mmio.patch b/0032-x86-spec-ctrl-Add-spec-ctrl-unpriv-mmio.patch index a5ac3e9..c63891a 100644 --- a/0032-x86-spec-ctrl-Add-spec-ctrl-unpriv-mmio.patch +++ b/0032-x86-spec-ctrl-Add-spec-ctrl-unpriv-mmio.patch @@ -1,7 +1,7 @@ From 2e82446cb252f6c8ac697e81f4155872c69afde4 Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Mon, 13 Jun 2022 19:18:32 +0100 -Subject: [PATCH 32/32] x86/spec-ctrl: Add spec-ctrl=unpriv-mmio +Subject: [PATCH 32/51] x86/spec-ctrl: Add spec-ctrl=unpriv-mmio MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0033-IOMMU-x86-work-around-bogus-gcc12-warning-in-hvm_gsi.patch b/0033-IOMMU-x86-work-around-bogus-gcc12-warning-in-hvm_gsi.patch new file mode 100644 index 0000000..07f488d --- /dev/null +++ b/0033-IOMMU-x86-work-around-bogus-gcc12-warning-in-hvm_gsi.patch @@ -0,0 +1,52 @@ +From 460b08d6c6c16b3f32aa138e772b759ae02a4479 Mon Sep 17 00:00:00 2001 +From: Jan Beulich <jbeulich@suse.com> +Date: Tue, 12 Jul 2022 11:10:34 +0200 +Subject: [PATCH 33/51] IOMMU/x86: work around bogus gcc12 warning in + hvm_gsi_eoi() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As per [1] the expansion of the pirq_dpci() macro causes a -Waddress +controlled warning (enabled implicitly in our builds, if not by default) +tying the middle part of the involved conditional expression to the +surrounding boolean context. Work around this by introducing a local +inline function in the affected source file. + +Reported-by: Andrew Cooper <andrew.cooper3@citrix.com> +Signed-off-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Roger Pau Monné <roger.pau@citrix.com> + +[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102967 +master commit: 80ad8db8a4d9bb24952f0aea788ce6f47566fa76 +master date: 2022-06-15 10:19:32 +0200 +--- + xen/drivers/passthrough/x86/hvm.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/xen/drivers/passthrough/x86/hvm.c b/xen/drivers/passthrough/x86/hvm.c +index 0b37cd145b60..ba0f6c53d742 100644 +--- a/xen/drivers/passthrough/x86/hvm.c ++++ b/xen/drivers/passthrough/x86/hvm.c +@@ -25,6 +25,18 @@ + #include <asm/hvm/support.h> + #include <asm/io_apic.h> + ++/* ++ * Gcc12 takes issue with pirq_dpci() being used in boolean context (see gcc ++ * bug 102967). While we can't replace the macro definition in the header by an ++ * inline function, we can do so here. ++ */ ++static inline struct hvm_pirq_dpci *_pirq_dpci(struct pirq *pirq) ++{ ++ return pirq_dpci(pirq); ++} ++#undef pirq_dpci ++#define pirq_dpci(pirq) _pirq_dpci(pirq) ++ + static DEFINE_PER_CPU(struct list_head, dpci_list); + + /* +-- +2.35.1 + diff --git a/0034-ehci-dbgp-fix-selecting-n-th-ehci-controller.patch b/0034-ehci-dbgp-fix-selecting-n-th-ehci-controller.patch new file mode 100644 index 0000000..ac71ab8 --- /dev/null +++ b/0034-ehci-dbgp-fix-selecting-n-th-ehci-controller.patch @@ -0,0 +1,36 @@ +From 5cb8142076ce1ce53eafd7e00acb4d0eac4e7784 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= + <marmarek@invisiblethingslab.com> +Date: Tue, 12 Jul 2022 11:11:35 +0200 +Subject: [PATCH 34/51] ehci-dbgp: fix selecting n-th ehci controller +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The ehci<n> number was parsed but ignored. + +Fixes: 322ecbe4ac85 ("console: add EHCI debug port based serial console") +Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +master commit: d6d0cb659fda64430d4649f8680c5cead32da8fd +master date: 2022-06-16 14:23:37 +0100 +--- + xen/drivers/char/ehci-dbgp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xen/drivers/char/ehci-dbgp.c b/xen/drivers/char/ehci-dbgp.c +index c893d246defa..66b4811af24a 100644 +--- a/xen/drivers/char/ehci-dbgp.c ++++ b/xen/drivers/char/ehci-dbgp.c +@@ -1478,7 +1478,7 @@ void __init ehci_dbgp_init(void) + unsigned int num = 0; + + if ( opt_dbgp[4] ) +- simple_strtoul(opt_dbgp + 4, &e, 10); ++ num = simple_strtoul(opt_dbgp + 4, &e, 10); + + dbgp->cap = find_dbgp(dbgp, num); + if ( !dbgp->cap ) +-- +2.35.1 + diff --git a/0035-tools-xenstored-Harden-corrupt.patch b/0035-tools-xenstored-Harden-corrupt.patch new file mode 100644 index 0000000..bb0f7f1 --- /dev/null +++ b/0035-tools-xenstored-Harden-corrupt.patch @@ -0,0 +1,44 @@ +From 81ee3d08351be1ef2a14d371993604098d6a4673 Mon Sep 17 00:00:00 2001 +From: Julien Grall <jgrall@amazon.com> +Date: Tue, 12 Jul 2022 11:12:13 +0200 +Subject: [PATCH 35/51] tools/xenstored: Harden corrupt() + +At the moment, corrupt() is neither checking for allocation failure +nor freeing the allocated memory. + +Harden the code by printing ENOMEM if the allocation failed and +free 'str' after the last use. + +This is not considered to be a security issue because corrupt() should +only be called when Xenstored thinks the database is corrupted. Note +that the trigger (i.e. a guest reliably provoking the call) would be +a security issue. + +Fixes: 06d17943f0cd ("Added a basic integrity checker, and some basic ability to recover from store") +Signed-off-by: Julien Grall <jgrall@amazon.com> +Reviewed-by: Juergen Gross <jgross@suse.com> +master commit: db3382dd4f468c763512d6bf91c96773395058fb +master date: 2022-06-23 13:44:10 +0100 +--- + tools/xenstore/xenstored_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c +index 91d093a12ea6..0c8ee276f837 100644 +--- a/tools/xenstore/xenstored_core.c ++++ b/tools/xenstore/xenstored_core.c +@@ -2087,7 +2087,10 @@ void corrupt(struct connection *conn, const char *fmt, ...) + va_end(arglist); + + log("corruption detected by connection %i: err %s: %s", +- conn ? (int)conn->id : -1, strerror(saved_errno), str); ++ conn ? (int)conn->id : -1, strerror(saved_errno), ++ str ?: "ENOMEM"); ++ ++ talloc_free(str); + + check_store(); + } +-- +2.35.1 + diff --git a/0036-x86-spec-ctrl-Only-adjust-MSR_SPEC_CTRL-for-idle-wit.patch b/0036-x86-spec-ctrl-Only-adjust-MSR_SPEC_CTRL-for-idle-wit.patch new file mode 100644 index 0000000..8bc0768 --- /dev/null +++ b/0036-x86-spec-ctrl-Only-adjust-MSR_SPEC_CTRL-for-idle-wit.patch @@ -0,0 +1,93 @@ +From 09d533f4c80b7eaf9fb4e36ebba8259580857a9d Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Tue, 12 Jul 2022 11:12:46 +0200 +Subject: [PATCH 36/51] x86/spec-ctrl: Only adjust MSR_SPEC_CTRL for idle with + legacy IBRS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Back at the time of the original Spectre-v2 fixes, it was recommended to clear +MSR_SPEC_CTRL when going idle. This is because of the side effects on the +sibling thread caused by the microcode IBRS and STIBP implementations which +were retrofitted to existing CPUs. + +However, there are no relevant cross-thread impacts for the hardware +IBRS/STIBP implementations, so this logic should not be used on Intel CPUs +supporting eIBRS, or any AMD CPUs; doing so only adds unnecessary latency to +the idle path. + +Furthermore, there's no point playing with MSR_SPEC_CTRL in the idle paths if +SMT is disabled for other reasons. + +Fixes: 8d03080d2a33 ("x86/spec-ctrl: Cease using thunk=lfence on AMD") +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> +master commit: ffc7694e0c99eea158c32aa164b7d1e1bb1dc46b +master date: 2022-06-30 18:07:13 +0100 +--- + xen/arch/x86/spec_ctrl.c | 10 ++++++++-- + xen/include/asm-x86/cpufeatures.h | 2 +- + xen/include/asm-x86/spec_ctrl.h | 5 +++-- + 3 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 099113ba41e6..1ed5ceda8b46 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -1150,8 +1150,14 @@ void __init init_speculation_mitigations(void) + /* (Re)init BSP state now that default_spec_ctrl_flags has been calculated. */ + init_shadow_spec_ctrl_state(); + +- /* If Xen is using any MSR_SPEC_CTRL settings, adjust the idle path. */ +- if ( default_xen_spec_ctrl ) ++ /* ++ * For microcoded IBRS only (i.e. Intel, pre eIBRS), it is recommended to ++ * clear MSR_SPEC_CTRL before going idle, to avoid impacting sibling ++ * threads. Activate this if SMT is enabled, and Xen is using a non-zero ++ * MSR_SPEC_CTRL setting. ++ */ ++ if ( boot_cpu_has(X86_FEATURE_IBRSB) && !(caps & ARCH_CAPS_IBRS_ALL) && ++ hw_smt_enabled && default_xen_spec_ctrl ) + setup_force_cpu_cap(X86_FEATURE_SC_MSR_IDLE); + + xpti_init_default(caps); +diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h +index bd45a144ee78..493d338a085e 100644 +--- a/xen/include/asm-x86/cpufeatures.h ++++ b/xen/include/asm-x86/cpufeatures.h +@@ -33,7 +33,7 @@ XEN_CPUFEATURE(SC_MSR_HVM, X86_SYNTH(17)) /* MSR_SPEC_CTRL used by Xen fo + XEN_CPUFEATURE(SC_RSB_PV, X86_SYNTH(18)) /* RSB overwrite needed for PV */ + XEN_CPUFEATURE(SC_RSB_HVM, X86_SYNTH(19)) /* RSB overwrite needed for HVM */ + XEN_CPUFEATURE(XEN_SELFSNOOP, X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */ +-XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* (SC_MSR_PV || SC_MSR_HVM) && default_xen_spec_ctrl */ ++XEN_CPUFEATURE(SC_MSR_IDLE, X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */ + XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */ + /* Bits 23,24 unused. */ + XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 751355f471f4..7e83e0179fb9 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -78,7 +78,8 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info) + uint32_t val = 0; + + /* +- * Branch Target Injection: ++ * It is recommended in some cases to clear MSR_SPEC_CTRL when going idle, ++ * to avoid impacting sibling threads. + * + * Latch the new shadow value, then enable shadowing, then update the MSR. + * There are no SMP issues here; only local processor ordering concerns. +@@ -114,7 +115,7 @@ static always_inline void spec_ctrl_exit_idle(struct cpu_info *info) + uint32_t val = info->xen_spec_ctrl; + + /* +- * Branch Target Injection: ++ * Restore MSR_SPEC_CTRL on exit from idle. + * + * Disable shadowing before updating the MSR. There are no SMP issues + * here; only local processor ordering concerns. +-- +2.35.1 + diff --git a/0037-x86-spec-ctrl-Knobs-for-STIBP-and-PSFD-and-follow-ha.patch b/0037-x86-spec-ctrl-Knobs-for-STIBP-and-PSFD-and-follow-ha.patch new file mode 100644 index 0000000..156aa58 --- /dev/null +++ b/0037-x86-spec-ctrl-Knobs-for-STIBP-and-PSFD-and-follow-ha.patch @@ -0,0 +1,234 @@ +From db6ca8176ccc4ff7dfe3c06969af9ebfab0d7b04 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Tue, 12 Jul 2022 11:13:33 +0200 +Subject: [PATCH 37/51] x86/spec-ctrl: Knobs for STIBP and PSFD, and follow + hardware STIBP hint +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +STIBP and PSFD are slightly weird bits, because they're both implied by other +bits in MSR_SPEC_CTRL. Add fine grain controls for them, and take the +implications into account when setting IBRS/SSBD. + +Rearrange the IBPB text/variables/logic to keep all the MSR_SPEC_CTRL bits +together, for consistency. + +However, AMD have a hardware hint CPUID bit recommending that STIBP be set +unilaterally. This is advertised on Zen3, so follow the recommendation. +Furthermore, in such cases, set STIBP behind the guest's back for now. This +has negligible overhead for the guest, but saves a WRMSR on vmentry. This is +the only default change. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> +master commit: fef244b179c06fcdfa581f7d57fa6e578c49ff50 +master date: 2022-06-30 18:07:13 +0100 +--- + docs/misc/xen-command-line.pandoc | 21 +++++++--- + xen/arch/x86/hvm/svm/vmcb.c | 9 +++++ + xen/arch/x86/spec_ctrl.c | 67 ++++++++++++++++++++++++++----- + 3 files changed, 82 insertions(+), 15 deletions(-) + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index a642e43476a2..46e9c58d35cd 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -2234,8 +2234,9 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). + + ### spec-ctrl (x86) + > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>, +-> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu, +-> l1d-flush,branch-harden,srb-lock,unpriv-mmio}=<bool> ]` ++> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, ++> eager-fpu,l1d-flush,branch-harden,srb-lock, ++> unpriv-mmio}=<bool> ]` + + Controls for speculative execution sidechannel mitigations. By default, Xen + will pick the most appropriate mitigations based on compiled in support, +@@ -2285,9 +2286,10 @@ On hardware supporting IBRS (Indirect Branch Restricted Speculation), the + If Xen is not using IBRS itself, functionality is still set up so IBRS can be + virtualised for guests. + +-On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=` +-option can be used to force (the default) or prevent Xen from issuing branch +-prediction barriers on vcpu context switches. ++On hardware supporting STIBP (Single Thread Indirect Branch Predictors), the ++`stibp=` option can be used to force or prevent Xen using the feature itself. ++By default, Xen will use STIBP when IBRS is in use (IBRS implies STIBP), and ++when hardware hints recommend using it as a blanket setting. + + On hardware supporting SSBD (Speculative Store Bypass Disable), the `ssbd=` + option can be used to force or prevent Xen using the feature itself. On AMD +@@ -2295,6 +2297,15 @@ hardware, this is a global option applied at boot, and not virtualised for + guest use. On Intel hardware, the feature is virtualised for guests, + independently of Xen's choice of setting. + ++On hardware supporting PSFD (Predictive Store Forwarding Disable), the `psfd=` ++option can be used to force or prevent Xen using the feature itself. By ++default, Xen will not use PSFD. PSFD is implied by SSBD, and SSBD is off by ++default. ++ ++On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=` ++option can be used to force (the default) or prevent Xen from issuing branch ++prediction barriers on vcpu context switches. ++ + On all hardware, the `eager-fpu=` option can be used to force or prevent Xen + from using fully eager FPU context switches. This is currently implemented as + a global control. By default, Xen will choose to use fully eager context +diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c +index 565e997155f2..ef7224eb5dd7 100644 +--- a/xen/arch/x86/hvm/svm/vmcb.c ++++ b/xen/arch/x86/hvm/svm/vmcb.c +@@ -29,6 +29,7 @@ + #include <asm/hvm/support.h> + #include <asm/hvm/svm/svm.h> + #include <asm/hvm/svm/svmdebug.h> ++#include <asm/spec_ctrl.h> + + struct vmcb_struct *alloc_vmcb(void) + { +@@ -176,6 +177,14 @@ static int construct_vmcb(struct vcpu *v) + vmcb->_pause_filter_thresh = SVM_PAUSETHRESH_INIT; + } + ++ /* ++ * When default_xen_spec_ctrl simply SPEC_CTRL_STIBP, default this behind ++ * the back of the VM too. Our SMT topology isn't accurate, the overhead ++ * is neglegable, and doing this saves a WRMSR on the vmentry path. ++ */ ++ if ( default_xen_spec_ctrl == SPEC_CTRL_STIBP ) ++ v->arch.msrs->spec_ctrl.raw = SPEC_CTRL_STIBP; ++ + return 0; + } + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 1ed5ceda8b46..dfdd45c358c4 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -48,9 +48,13 @@ static enum ind_thunk { + THUNK_LFENCE, + THUNK_JMP, + } opt_thunk __initdata = THUNK_DEFAULT; ++ + static int8_t __initdata opt_ibrs = -1; ++int8_t __initdata opt_stibp = -1; ++bool __read_mostly opt_ssbd; ++int8_t __initdata opt_psfd = -1; ++ + bool __read_mostly opt_ibpb = true; +-bool __read_mostly opt_ssbd = false; + int8_t __read_mostly opt_eager_fpu = -1; + int8_t __read_mostly opt_l1d_flush = -1; + static bool __initdata opt_branch_harden = true; +@@ -172,12 +176,20 @@ static int __init parse_spec_ctrl(const char *s) + else + rc = -EINVAL; + } ++ ++ /* Bits in MSR_SPEC_CTRL. */ + else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 ) + opt_ibrs = val; +- else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) +- opt_ibpb = val; ++ else if ( (val = parse_boolean("stibp", s, ss)) >= 0 ) ++ opt_stibp = val; + else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 ) + opt_ssbd = val; ++ else if ( (val = parse_boolean("psfd", s, ss)) >= 0 ) ++ opt_psfd = val; ++ ++ /* Misc settings. */ ++ else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) ++ opt_ibpb = val; + else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) + opt_eager_fpu = val; + else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 ) +@@ -376,7 +388,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + "\n"); + + /* Settings for Xen's protection, irrespective of guests. */ +- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s, Other:%s%s%s%s%s\n", ++ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s\n", + thunk == THUNK_NONE ? "N/A" : + thunk == THUNK_RETPOLINE ? "RETPOLINE" : + thunk == THUNK_LFENCE ? "LFENCE" : +@@ -390,6 +402,9 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + (!boot_cpu_has(X86_FEATURE_SSBD) && + !boot_cpu_has(X86_FEATURE_AMD_SSBD)) ? "" : + (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", ++ (!boot_cpu_has(X86_FEATURE_PSFD) && ++ !boot_cpu_has(X86_FEATURE_INTEL_PSFD)) ? "" : ++ (default_xen_spec_ctrl & SPEC_CTRL_PSFD) ? " PSFD+" : " PSFD-", + !(caps & ARCH_CAPS_TSX_CTRL) ? "" : + (opt_tsx & 1) ? " TSX+" : " TSX-", + !cpu_has_srbds_ctrl ? "" : +@@ -979,10 +994,7 @@ void __init init_speculation_mitigations(void) + if ( !has_spec_ctrl ) + printk(XENLOG_WARNING "?!? CET active, but no MSR_SPEC_CTRL?\n"); + else if ( opt_ibrs == -1 ) +- { + opt_ibrs = ibrs = true; +- default_xen_spec_ctrl |= SPEC_CTRL_IBRS | SPEC_CTRL_STIBP; +- } + + if ( opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE ) + thunk = THUNK_JMP; +@@ -1086,14 +1098,49 @@ void __init init_speculation_mitigations(void) + setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM); + } + +- /* If we have IBRS available, see whether we should use it. */ ++ /* Figure out default_xen_spec_ctrl. */ + if ( has_spec_ctrl && ibrs ) +- default_xen_spec_ctrl |= SPEC_CTRL_IBRS; ++ { ++ /* IBRS implies STIBP. */ ++ if ( opt_stibp == -1 ) ++ opt_stibp = 1; ++ ++ default_xen_spec_ctrl |= SPEC_CTRL_IBRS; ++ } ++ ++ /* ++ * Use STIBP by default if the hardware hint is set. Otherwise, leave it ++ * off as it a severe performance pentalty on pre-eIBRS Intel hardware ++ * where it was retrofitted in microcode. ++ */ ++ if ( opt_stibp == -1 ) ++ opt_stibp = !!boot_cpu_has(X86_FEATURE_STIBP_ALWAYS); ++ ++ if ( opt_stibp && (boot_cpu_has(X86_FEATURE_STIBP) || ++ boot_cpu_has(X86_FEATURE_AMD_STIBP)) ) ++ default_xen_spec_ctrl |= SPEC_CTRL_STIBP; + +- /* If we have SSBD available, see whether we should use it. */ + if ( opt_ssbd && (boot_cpu_has(X86_FEATURE_SSBD) || + boot_cpu_has(X86_FEATURE_AMD_SSBD)) ) ++ { ++ /* SSBD implies PSFD */ ++ if ( opt_psfd == -1 ) ++ opt_psfd = 1; ++ + default_xen_spec_ctrl |= SPEC_CTRL_SSBD; ++ } ++ ++ /* ++ * Don't use PSFD by default. AMD designed the predictor to ++ * auto-clear on privilege change. PSFD is implied by SSBD, which is ++ * off by default. ++ */ ++ if ( opt_psfd == -1 ) ++ opt_psfd = 0; ++ ++ if ( opt_psfd && (boot_cpu_has(X86_FEATURE_PSFD) || ++ boot_cpu_has(X86_FEATURE_INTEL_PSFD)) ) ++ default_xen_spec_ctrl |= SPEC_CTRL_PSFD; + + /* + * PV guests can create RSB entries for any linear address they control, +-- +2.35.1 + diff --git a/0038-libxc-fix-compilation-error-with-gcc13.patch b/0038-libxc-fix-compilation-error-with-gcc13.patch new file mode 100644 index 0000000..8056742 --- /dev/null +++ b/0038-libxc-fix-compilation-error-with-gcc13.patch @@ -0,0 +1,33 @@ +From cd3d6b4cd46cd05590805b4a6c0b6654af60106e Mon Sep 17 00:00:00 2001 +From: Charles Arnold <carnold@suse.com> +Date: Tue, 12 Jul 2022 11:14:07 +0200 +Subject: [PATCH 38/51] libxc: fix compilation error with gcc13 + +xc_psr.c:161:5: error: conflicting types for 'xc_psr_cmt_get_data' +due to enum/integer mismatch; + +Signed-off-by: Charles Arnold <carnold@suse.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Acked-by: Anthony PERARD <anthony.perard@citrix.com> +master commit: 8eeae8c2b4efefda8e946461e86cf2ae9c18e5a9 +master date: 2022-07-06 13:06:40 +0200 +--- + tools/include/xenctrl.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/include/xenctrl.h b/tools/include/xenctrl.h +index 07b96e6671a5..893ae39e4a95 100644 +--- a/tools/include/xenctrl.h ++++ b/tools/include/xenctrl.h +@@ -2516,7 +2516,7 @@ int xc_psr_cmt_get_l3_event_mask(xc_interface *xch, uint32_t *event_mask); + int xc_psr_cmt_get_l3_cache_size(xc_interface *xch, uint32_t cpu, + uint32_t *l3_cache_size); + int xc_psr_cmt_get_data(xc_interface *xch, uint32_t rmid, uint32_t cpu, +- uint32_t psr_cmt_type, uint64_t *monitor_data, ++ xc_psr_cmt_type type, uint64_t *monitor_data, + uint64_t *tsc); + int xc_psr_cmt_enabled(xc_interface *xch); + +-- +2.35.1 + diff --git a/0039-x86-spec-ctrl-Honour-spec-ctrl-0-for-unpriv-mmio-sub.patch b/0039-x86-spec-ctrl-Honour-spec-ctrl-0-for-unpriv-mmio-sub.patch new file mode 100644 index 0000000..1797a8f --- /dev/null +++ b/0039-x86-spec-ctrl-Honour-spec-ctrl-0-for-unpriv-mmio-sub.patch @@ -0,0 +1,32 @@ +From 61b9c2ceeb94b0cdaff01023cc5523b1f13e66e2 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Tue, 12 Jul 2022 11:14:34 +0200 +Subject: [PATCH 39/51] x86/spec-ctrl: Honour spec-ctrl=0 for unpriv-mmio + sub-option + +This was an oversight from when unpriv-mmio was introduced. + +Fixes: 8c24b70fedcb ("x86/spec-ctrl: Add spec-ctrl=unpriv-mmio") +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +master commit: 4cdb519d797c19ebb8fadc5938cdb47479d5a21b +master date: 2022-07-11 15:21:35 +0100 +--- + xen/arch/x86/spec_ctrl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index dfdd45c358c4..ae74943c1053 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -122,6 +122,7 @@ static int __init parse_spec_ctrl(const char *s) + opt_l1d_flush = 0; + opt_branch_harden = false; + opt_srb_lock = 0; ++ opt_unpriv_mmio = false; + } + else if ( val > 0 ) + rc = -EINVAL; +-- +2.35.1 + diff --git a/0040-xen-cmdline-Extend-parse_boolean-to-signal-a-name-ma.patch b/0040-xen-cmdline-Extend-parse_boolean-to-signal-a-name-ma.patch new file mode 100644 index 0000000..3512590 --- /dev/null +++ b/0040-xen-cmdline-Extend-parse_boolean-to-signal-a-name-ma.patch @@ -0,0 +1,87 @@ +From eec5b02403a9df2523527caad24f17af5060fbe7 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Tue, 12 Jul 2022 11:15:03 +0200 +Subject: [PATCH 40/51] xen/cmdline: Extend parse_boolean() to signal a name + match + +This will help parsing a sub-option which has boolean and non-boolean options +available. + +First, rework 'int val' into 'bool has_neg_prefix'. This inverts it's value, +but the resulting logic is far easier to follow. + +Second, reject anything of the form 'no-$FOO=' which excludes ambiguous +constructs such as 'no-$foo=yes' which have never been valid. + +This just leaves the case where everything is otherwise fine, but parse_bool() +can't interpret the provided string. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Juergen Gross <jgross@suse.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +master commit: 382326cac528dd1eb0d04efd5c05363c453e29f4 +master date: 2022-07-11 15:21:35 +0100 +--- + xen/common/kernel.c | 20 ++++++++++++++++---- + xen/include/xen/lib.h | 3 ++- + 2 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/xen/common/kernel.c b/xen/common/kernel.c +index e119e5401f9d..7ed96521f97a 100644 +--- a/xen/common/kernel.c ++++ b/xen/common/kernel.c +@@ -272,9 +272,9 @@ int parse_bool(const char *s, const char *e) + int parse_boolean(const char *name, const char *s, const char *e) + { + size_t slen, nlen; +- int val = !!strncmp(s, "no-", 3); ++ bool has_neg_prefix = !strncmp(s, "no-", 3); + +- if ( !val ) ++ if ( has_neg_prefix ) + s += 3; + + slen = e ? ({ ASSERT(e >= s); e - s; }) : strlen(s); +@@ -286,11 +286,23 @@ int parse_boolean(const char *name, const char *s, const char *e) + + /* Exact, unadorned name? Result depends on the 'no-' prefix. */ + if ( slen == nlen ) +- return val; ++ return !has_neg_prefix; ++ ++ /* Inexact match with a 'no-' prefix? Not valid. */ ++ if ( has_neg_prefix ) ++ return -1; + + /* =$SOMETHING? Defer to the regular boolean parsing. */ + if ( s[nlen] == '=' ) +- return parse_bool(&s[nlen + 1], e); ++ { ++ int b = parse_bool(&s[nlen + 1], e); ++ ++ if ( b >= 0 ) ++ return b; ++ ++ /* Not a boolean, but the name matched. Signal specially. */ ++ return -2; ++ } + + /* Unrecognised. Give up. */ + return -1; +diff --git a/xen/include/xen/lib.h b/xen/include/xen/lib.h +index c6987973bf88..2296044caf79 100644 +--- a/xen/include/xen/lib.h ++++ b/xen/include/xen/lib.h +@@ -80,7 +80,8 @@ int parse_bool(const char *s, const char *e); + /** + * Given a specific name, parses a string of the form: + * [no-]$NAME[=...] +- * returning 0 or 1 for a recognised boolean, or -1 for an error. ++ * returning 0 or 1 for a recognised boolean. Returns -1 for general errors, ++ * and -2 for "not a boolean, but $NAME= matches". + */ + int parse_boolean(const char *name, const char *s, const char *e); + +-- +2.35.1 + diff --git a/0041-x86-spec-ctrl-Add-fine-grained-cmdline-suboptions-fo.patch b/0041-x86-spec-ctrl-Add-fine-grained-cmdline-suboptions-fo.patch new file mode 100644 index 0000000..9964bb9 --- /dev/null +++ b/0041-x86-spec-ctrl-Add-fine-grained-cmdline-suboptions-fo.patch @@ -0,0 +1,137 @@ +From f066c8bb3e5686141cef6fa1dc86ea9f37c5388a Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Tue, 12 Jul 2022 11:15:37 +0200 +Subject: [PATCH 41/51] x86/spec-ctrl: Add fine-grained cmdline suboptions for + primitives + +Support controling the PV/HVM suboption of msr-sc/rsb/md-clear, which +previously wasn't possible. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +master commit: 27357c394ba6e1571a89105b840ce1c6f026485c +master date: 2022-07-11 15:21:35 +0100 +--- + docs/misc/xen-command-line.pandoc | 12 ++++-- + xen/arch/x86/spec_ctrl.c | 66 ++++++++++++++++++++++++++----- + 2 files changed, 66 insertions(+), 12 deletions(-) + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index 46e9c58d35cd..1bbdb55129cc 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -2233,7 +2233,8 @@ not be able to control the state of the mitigation. + By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). + + ### spec-ctrl (x86) +-> `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>, ++> `= List of [ <bool>, xen=<bool>, {pv,hvm}=<bool>, ++> {msr-sc,rsb,md-clear}=<bool>|{pv,hvm}=<bool>, + > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, + > eager-fpu,l1d-flush,branch-harden,srb-lock, + > unpriv-mmio}=<bool> ]` +@@ -2258,12 +2259,17 @@ in place for guests to use. + + Use of a positive boolean value for either of these options is invalid. + +-The booleans `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` offer fine ++The `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` options offer fine + grained control over the primitives by Xen. These impact Xen's ability to +-protect itself, and Xen's ability to virtualise support for guests to use. ++protect itself, and/or Xen's ability to virtualise support for guests to use. + + * `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests + respectively. ++* Each other option can be used either as a plain boolean ++ (e.g. `spec-ctrl=rsb` to control both the PV and HVM sub-options), or with ++ `pv=` or `hvm=` subsuboptions (e.g. `spec-ctrl=rsb=no-hvm` to disable HVM ++ RSB only). ++ + * `msr-sc=` offers control over Xen's support for manipulating `MSR_SPEC_CTRL` + on entry and exit. These blocks are necessary to virtualise support for + guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index ae74943c1053..9507e5da60a9 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -147,20 +147,68 @@ static int __init parse_spec_ctrl(const char *s) + opt_rsb_hvm = val; + opt_md_clear_hvm = val; + } +- else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 ) ++ else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) + { +- opt_msr_sc_pv = val; +- opt_msr_sc_hvm = val; ++ switch ( val ) ++ { ++ case 0: ++ case 1: ++ opt_msr_sc_pv = opt_msr_sc_hvm = val; ++ break; ++ ++ case -2: ++ s += strlen("msr-sc="); ++ if ( (val = parse_boolean("pv", s, ss)) >= 0 ) ++ opt_msr_sc_pv = val; ++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) ++ opt_msr_sc_hvm = val; ++ else ++ default: ++ rc = -EINVAL; ++ break; ++ } + } +- else if ( (val = parse_boolean("rsb", s, ss)) >= 0 ) ++ else if ( (val = parse_boolean("rsb", s, ss)) != -1 ) + { +- opt_rsb_pv = val; +- opt_rsb_hvm = val; ++ switch ( val ) ++ { ++ case 0: ++ case 1: ++ opt_rsb_pv = opt_rsb_hvm = val; ++ break; ++ ++ case -2: ++ s += strlen("rsb="); ++ if ( (val = parse_boolean("pv", s, ss)) >= 0 ) ++ opt_rsb_pv = val; ++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) ++ opt_rsb_hvm = val; ++ else ++ default: ++ rc = -EINVAL; ++ break; ++ } + } +- else if ( (val = parse_boolean("md-clear", s, ss)) >= 0 ) ++ else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + { +- opt_md_clear_pv = val; +- opt_md_clear_hvm = val; ++ switch ( val ) ++ { ++ case 0: ++ case 1: ++ opt_md_clear_pv = opt_md_clear_hvm = val; ++ break; ++ ++ case -2: ++ s += strlen("md-clear="); ++ if ( (val = parse_boolean("pv", s, ss)) >= 0 ) ++ opt_md_clear_pv = val; ++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) ++ opt_md_clear_hvm = val; ++ else ++ default: ++ rc = -EINVAL; ++ break; ++ } + } + + /* Xen's speculative sidechannel mitigation settings. */ +-- +2.35.1 + diff --git a/0042-tools-helpers-fix-build-of-xen-init-dom0-with-Werror.patch b/0042-tools-helpers-fix-build-of-xen-init-dom0-with-Werror.patch new file mode 100644 index 0000000..eea790a --- /dev/null +++ b/0042-tools-helpers-fix-build-of-xen-init-dom0-with-Werror.patch @@ -0,0 +1,28 @@ +From 14fd97e3de939a63a6e467f240efb49fe226a5dc Mon Sep 17 00:00:00 2001 +From: Anthony PERARD <anthony.perard@citrix.com> +Date: Tue, 12 Jul 2022 11:16:10 +0200 +Subject: [PATCH 42/51] tools/helpers: fix build of xen-init-dom0 with -Werror + +Missing prototype of asprintf() without _GNU_SOURCE. + +Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> +Reviewed-by: Henry Wang <Henry.Wang@arm.com> +master commit: d693b22733044d68e9974766b5c9e6259c9b1708 +master date: 2022-07-12 08:38:35 +0200 +--- + tools/helpers/xen-init-dom0.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/helpers/xen-init-dom0.c b/tools/helpers/xen-init-dom0.c +index c99224a4b607..b4861c9e8041 100644 +--- a/tools/helpers/xen-init-dom0.c ++++ b/tools/helpers/xen-init-dom0.c +@@ -1,3 +1,5 @@ ++#define _GNU_SOURCE ++ + #include <stdlib.h> + #include <stdint.h> + #include <string.h> +-- +2.35.1 + diff --git a/0043-libxl-check-return-value-of-libxl__xs_directory-in-n.patch b/0043-libxl-check-return-value-of-libxl__xs_directory-in-n.patch new file mode 100644 index 0000000..0c2470a --- /dev/null +++ b/0043-libxl-check-return-value-of-libxl__xs_directory-in-n.patch @@ -0,0 +1,38 @@ +From 744accad1b73223b3261e3e678e16e030d83b179 Mon Sep 17 00:00:00 2001 +From: Anthony PERARD <anthony.perard@citrix.com> +Date: Tue, 12 Jul 2022 11:16:30 +0200 +Subject: [PATCH 43/51] libxl: check return value of libxl__xs_directory in + name2bdf + +libxl__xs_directory() can potentially return NULL without setting `n`. +As `n` isn't initialised, we need to check libxl__xs_directory() +return value before checking `n`. Otherwise, `n` might be non-zero +with `bdfs` NULL which would lead to a segv. + +Fixes: 57bff091f4 ("libxl: add 'name' field to 'libxl_device_pci' in the IDL...") +Reported-by: "G.R." <firemeteor@users.sourceforge.net> +Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> +Reviewed-by: Juergen Gross <jgross@suse.com> +Tested-by: "G.R." <firemeteor@users.sourceforge.net> +master commit: d778089ac70e5b8e3bdea0c85fc8c0b9ed0eaf2f +master date: 2022-07-12 08:38:51 +0200 +--- + tools/libs/light/libxl_pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/libs/light/libxl_pci.c b/tools/libs/light/libxl_pci.c +index 4bbbfe9f168f..ce3bf7c0ae81 100644 +--- a/tools/libs/light/libxl_pci.c ++++ b/tools/libs/light/libxl_pci.c +@@ -859,7 +859,7 @@ static int name2bdf(libxl__gc *gc, libxl_device_pci *pci) + int rc = ERROR_NOTFOUND; + + bdfs = libxl__xs_directory(gc, XBT_NULL, PCI_INFO_PATH, &n); +- if (!n) ++ if (!bdfs || !n) + goto out; + + for (i = 0; i < n; i++) { +-- +2.35.1 + diff --git a/0044-x86-spec-ctrl-Rework-spec_ctrl_flags-context-switchi.patch b/0044-x86-spec-ctrl-Rework-spec_ctrl_flags-context-switchi.patch new file mode 100644 index 0000000..d8517f8 --- /dev/null +++ b/0044-x86-spec-ctrl-Rework-spec_ctrl_flags-context-switchi.patch @@ -0,0 +1,167 @@ +From 3a280cbae7022b83af91c27a8e2211ba3b1234f5 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Fri, 1 Jul 2022 15:59:40 +0100 +Subject: [PATCH 44/51] x86/spec-ctrl: Rework spec_ctrl_flags context switching + +We are shortly going to need to context switch new bits in both the vcpu and +S3 paths. Introduce SCF_IST_MASK and SCF_DOM_MASK, and rework d->arch.verw +into d->arch.spec_ctrl_flags to accommodate. + +No functional change. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +(cherry picked from commit 5796912f7279d9348a3166655588d30eae9f72cc) +--- + xen/arch/x86/acpi/power.c | 8 ++++---- + xen/arch/x86/domain.c | 8 ++++---- + xen/arch/x86/spec_ctrl.c | 9 ++++++--- + xen/include/asm-x86/domain.h | 3 +-- + xen/include/asm-x86/spec_ctrl.h | 30 ++++++++++++++++++++++++++++- + xen/include/asm-x86/spec_ctrl_asm.h | 3 --- + 6 files changed, 44 insertions(+), 17 deletions(-) + +diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c +index 5eaa77f66a28..dd397f713067 100644 +--- a/xen/arch/x86/acpi/power.c ++++ b/xen/arch/x86/acpi/power.c +@@ -248,8 +248,8 @@ static int enter_state(u32 state) + error = 0; + + ci = get_cpu_info(); +- /* Avoid NMI/#MC using MSR_SPEC_CTRL until we've reloaded microcode. */ +- ci->spec_ctrl_flags &= ~SCF_ist_wrmsr; ++ /* Avoid NMI/#MC using unsafe MSRs until we've reloaded microcode. */ ++ ci->spec_ctrl_flags &= ~SCF_IST_MASK; + + ACPI_FLUSH_CPU_CACHE(); + +@@ -292,8 +292,8 @@ static int enter_state(u32 state) + if ( !recheck_cpu_features(0) ) + panic("Missing previously available feature(s)\n"); + +- /* Re-enabled default NMI/#MC use of MSR_SPEC_CTRL. */ +- ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr); ++ /* Re-enabled default NMI/#MC use of MSRs now microcode is loaded. */ ++ ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_IST_MASK); + + if ( boot_cpu_has(X86_FEATURE_IBRSB) || boot_cpu_has(X86_FEATURE_IBRS) ) + { +diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c +index 1fe6644a71ae..82a0b73cf6ef 100644 +--- a/xen/arch/x86/domain.c ++++ b/xen/arch/x86/domain.c +@@ -2092,10 +2092,10 @@ void context_switch(struct vcpu *prev, struct vcpu *next) + } + } + +- /* Update the top-of-stack block with the VERW disposition. */ +- info->spec_ctrl_flags &= ~SCF_verw; +- if ( nextd->arch.verw ) +- info->spec_ctrl_flags |= SCF_verw; ++ /* Update the top-of-stack block with the new spec_ctrl settings. */ ++ info->spec_ctrl_flags = ++ (info->spec_ctrl_flags & ~SCF_DOM_MASK) | ++ (nextd->arch.spec_ctrl_flags & SCF_DOM_MASK); + } + + sched_context_switched(prev, next); +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 9507e5da60a9..7e646680f1c7 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -1010,9 +1010,12 @@ void spec_ctrl_init_domain(struct domain *d) + { + bool pv = is_pv_domain(d); + +- d->arch.verw = +- (pv ? opt_md_clear_pv : opt_md_clear_hvm) || +- (opt_fb_clear_mmio && is_iommu_enabled(d)); ++ bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || ++ (opt_fb_clear_mmio && is_iommu_enabled(d))); ++ ++ d->arch.spec_ctrl_flags = ++ (verw ? SCF_verw : 0) | ++ 0; + } + + void __init init_speculation_mitigations(void) +diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h +index 2398a1d99da9..e4c099262cb7 100644 +--- a/xen/include/asm-x86/domain.h ++++ b/xen/include/asm-x86/domain.h +@@ -319,8 +319,7 @@ struct arch_domain + uint32_t pci_cf8; + uint8_t cmos_idx; + +- /* Use VERW on return-to-guest for its flushing side effect. */ +- bool verw; ++ uint8_t spec_ctrl_flags; /* See SCF_DOM_MASK */ + + union { + struct pv_domain pv; +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 7e83e0179fb9..3cd72e40305f 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -20,12 +20,40 @@ + #ifndef __X86_SPEC_CTRL_H__ + #define __X86_SPEC_CTRL_H__ + +-/* Encoding of cpuinfo.spec_ctrl_flags */ ++/* ++ * Encoding of: ++ * cpuinfo.spec_ctrl_flags ++ * default_spec_ctrl_flags ++ * domain.spec_ctrl_flags ++ * ++ * Live settings are in the top-of-stack block, because they need to be ++ * accessable when XPTI is active. Some settings are fixed from boot, some ++ * context switched per domain, and some inhibited in the S3 path. ++ */ + #define SCF_use_shadow (1 << 0) + #define SCF_ist_wrmsr (1 << 1) + #define SCF_ist_rsb (1 << 2) + #define SCF_verw (1 << 3) + ++/* ++ * The IST paths (NMI/#MC) can interrupt any arbitrary context. Some ++ * functionality requires updated microcode to work. ++ * ++ * On boot, this is easy; we load microcode before figuring out which ++ * speculative protections to apply. However, on the S3 resume path, we must ++ * be able to disable the configured mitigations until microcode is reloaded. ++ * ++ * These are the controls to inhibit on the S3 resume path until microcode has ++ * been reloaded. ++ */ ++#define SCF_IST_MASK (SCF_ist_wrmsr) ++ ++/* ++ * Some speculative protections are per-domain. These settings are merged ++ * into the top-of-stack block in the context switch path. ++ */ ++#define SCF_DOM_MASK (SCF_verw) ++ + #ifndef __ASSEMBLY__ + + #include <asm/alternative.h> +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 5a590bac44aa..66b00d511fc6 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -248,9 +248,6 @@ + + /* + * Use in IST interrupt/exception context. May interrupt Xen or PV context. +- * Fine grain control of SCF_ist_wrmsr is needed for safety in the S3 resume +- * path to avoid using MSR_SPEC_CTRL before the microcode introducing it has +- * been reloaded. + */ + .macro SPEC_CTRL_ENTRY_FROM_INTR_IST + /* +-- +2.35.1 + diff --git a/0045-x86-spec-ctrl-Rename-SCF_ist_wrmsr-to-SCF_ist_sc_msr.patch b/0045-x86-spec-ctrl-Rename-SCF_ist_wrmsr-to-SCF_ist_sc_msr.patch new file mode 100644 index 0000000..5b841a6 --- /dev/null +++ b/0045-x86-spec-ctrl-Rename-SCF_ist_wrmsr-to-SCF_ist_sc_msr.patch @@ -0,0 +1,110 @@ +From 31aa2a20bfefc3a8a200da54a56471bf99f9630e Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Tue, 28 Jun 2022 14:36:56 +0100 +Subject: [PATCH 45/51] x86/spec-ctrl: Rename SCF_ist_wrmsr to SCF_ist_sc_msr + +We are about to introduce SCF_ist_ibpb, at which point SCF_ist_wrmsr becomes +ambiguous. + +No functional change. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +(cherry picked from commit 76d6a36f645dfdbad8830559d4d52caf36efc75e) +--- + xen/arch/x86/spec_ctrl.c | 6 +++--- + xen/include/asm-x86/spec_ctrl.h | 4 ++-- + xen/include/asm-x86/spec_ctrl_asm.h | 8 ++++---- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 7e646680f1c7..89f95c083e1b 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -1115,7 +1115,7 @@ void __init init_speculation_mitigations(void) + { + if ( opt_msr_sc_pv ) + { +- default_spec_ctrl_flags |= SCF_ist_wrmsr; ++ default_spec_ctrl_flags |= SCF_ist_sc_msr; + setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV); + } + +@@ -1126,7 +1126,7 @@ void __init init_speculation_mitigations(void) + * Xen's value is not restored atomically. An early NMI hitting + * the VMExit path needs to restore Xen's value for safety. + */ +- default_spec_ctrl_flags |= SCF_ist_wrmsr; ++ default_spec_ctrl_flags |= SCF_ist_sc_msr; + setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM); + } + } +@@ -1139,7 +1139,7 @@ void __init init_speculation_mitigations(void) + * on real hardware matches the availability of MSR_SPEC_CTRL in the + * first place. + * +- * No need for SCF_ist_wrmsr because Xen's value is restored ++ * No need for SCF_ist_sc_msr because Xen's value is restored + * atomically WRT NMIs in the VMExit path. + * + * TODO: Adjust cpu_has_svm_spec_ctrl to be usable earlier on boot. +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 3cd72e40305f..f8f0ac47e759 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -31,7 +31,7 @@ + * context switched per domain, and some inhibited in the S3 path. + */ + #define SCF_use_shadow (1 << 0) +-#define SCF_ist_wrmsr (1 << 1) ++#define SCF_ist_sc_msr (1 << 1) + #define SCF_ist_rsb (1 << 2) + #define SCF_verw (1 << 3) + +@@ -46,7 +46,7 @@ + * These are the controls to inhibit on the S3 resume path until microcode has + * been reloaded. + */ +-#define SCF_IST_MASK (SCF_ist_wrmsr) ++#define SCF_IST_MASK (SCF_ist_sc_msr) + + /* + * Some speculative protections are per-domain. These settings are merged +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 66b00d511fc6..0ff1b118f882 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -266,8 +266,8 @@ + + .L\@_skip_rsb: + +- test $SCF_ist_wrmsr, %al +- jz .L\@_skip_wrmsr ++ test $SCF_ist_sc_msr, %al ++ jz .L\@_skip_msr_spec_ctrl + + xor %edx, %edx + testb $3, UREGS_cs(%rsp) +@@ -290,7 +290,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): + * to speculate around the WRMSR. As a result, we need a dispatch + * serialising instruction in the else clause. + */ +-.L\@_skip_wrmsr: ++.L\@_skip_msr_spec_ctrl: + lfence + UNLIKELY_END(\@_serialise) + .endm +@@ -301,7 +301,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): + * Requires %rbx=stack_end + * Clobbers %rax, %rcx, %rdx + */ +- testb $SCF_ist_wrmsr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx) ++ testb $SCF_ist_sc_msr, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%rbx) + jz .L\@_skip + + DO_SPEC_CTRL_EXIT_TO_XEN +-- +2.35.1 + diff --git a/0046-x86-spec-ctrl-Rename-opt_ibpb-to-opt_ibpb_ctxt_switc.patch b/0046-x86-spec-ctrl-Rename-opt_ibpb-to-opt_ibpb_ctxt_switc.patch new file mode 100644 index 0000000..a950639 --- /dev/null +++ b/0046-x86-spec-ctrl-Rename-opt_ibpb-to-opt_ibpb_ctxt_switc.patch @@ -0,0 +1,97 @@ +From e7671561c84322860875745e57b228a7a310f2bf Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Mon, 4 Jul 2022 21:32:17 +0100 +Subject: [PATCH 46/51] x86/spec-ctrl: Rename opt_ibpb to opt_ibpb_ctxt_switch + +We are about to introduce the use of IBPB at different points in Xen, making +opt_ibpb ambiguous. Rename it to opt_ibpb_ctxt_switch. + +No functional change. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +(cherry picked from commit a8e5ef079d6f5c88c472e3e620db5a8d1402a50d) +--- + xen/arch/x86/domain.c | 2 +- + xen/arch/x86/spec_ctrl.c | 10 +++++----- + xen/include/asm-x86/spec_ctrl.h | 2 +- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c +index 82a0b73cf6ef..0d39981550ca 100644 +--- a/xen/arch/x86/domain.c ++++ b/xen/arch/x86/domain.c +@@ -2064,7 +2064,7 @@ void context_switch(struct vcpu *prev, struct vcpu *next) + + ctxt_switch_levelling(next); + +- if ( opt_ibpb && !is_idle_domain(nextd) ) ++ if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) ) + { + static DEFINE_PER_CPU(unsigned int, last); + unsigned int *last_id = &this_cpu(last); +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 89f95c083e1b..f4ae36eae2d0 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -54,7 +54,7 @@ int8_t __initdata opt_stibp = -1; + bool __read_mostly opt_ssbd; + int8_t __initdata opt_psfd = -1; + +-bool __read_mostly opt_ibpb = true; ++bool __read_mostly opt_ibpb_ctxt_switch = true; + int8_t __read_mostly opt_eager_fpu = -1; + int8_t __read_mostly opt_l1d_flush = -1; + static bool __initdata opt_branch_harden = true; +@@ -117,7 +117,7 @@ static int __init parse_spec_ctrl(const char *s) + + opt_thunk = THUNK_JMP; + opt_ibrs = 0; +- opt_ibpb = false; ++ opt_ibpb_ctxt_switch = false; + opt_ssbd = false; + opt_l1d_flush = 0; + opt_branch_harden = false; +@@ -238,7 +238,7 @@ static int __init parse_spec_ctrl(const char *s) + + /* Misc settings. */ + else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) +- opt_ibpb = val; ++ opt_ibpb_ctxt_switch = val; + else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) + opt_eager_fpu = val; + else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 ) +@@ -458,7 +458,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + (opt_tsx & 1) ? " TSX+" : " TSX-", + !cpu_has_srbds_ctrl ? "" : + opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", +- opt_ibpb ? " IBPB" : "", ++ opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", + opt_l1d_flush ? " L1D_FLUSH" : "", + opt_md_clear_pv || opt_md_clear_hvm || + opt_fb_clear_mmio ? " VERW" : "", +@@ -1240,7 +1240,7 @@ void __init init_speculation_mitigations(void) + + /* Check we have hardware IBPB support before using it... */ + if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) +- opt_ibpb = false; ++ opt_ibpb_ctxt_switch = false; + + /* Check whether Eager FPU should be enabled by default. */ + if ( opt_eager_fpu == -1 ) +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index f8f0ac47e759..fb4365575620 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -63,7 +63,7 @@ + void init_speculation_mitigations(void); + void spec_ctrl_init_domain(struct domain *d); + +-extern bool opt_ibpb; ++extern bool opt_ibpb_ctxt_switch; + extern bool opt_ssbd; + extern int8_t opt_eager_fpu; + extern int8_t opt_l1d_flush; +-- +2.35.1 + diff --git a/0047-x86-spec-ctrl-Rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch b/0047-x86-spec-ctrl-Rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch new file mode 100644 index 0000000..3ce9fd9 --- /dev/null +++ b/0047-x86-spec-ctrl-Rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch @@ -0,0 +1,106 @@ +From 2a9e690a0ad5d54dca4166e089089a07bbe7fc85 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Fri, 1 Jul 2022 15:59:40 +0100 +Subject: [PATCH 47/51] x86/spec-ctrl: Rework SPEC_CTRL_ENTRY_FROM_INTR_IST + +We are shortly going to add a conditional IBPB in this path. + +Therefore, we cannot hold spec_ctrl_flags in %eax, and rely on only clobbering +it after we're done with its contents. %rbx is available for use, and the +more normal register to hold preserved information in. + +With %rax freed up, use it instead of %rdx for the RSB tmp register, and for +the adjustment to spec_ctrl_flags. + +This leaves no use of %rdx, except as 0 for the upper half of WRMSR. In +practice, %rdx is 0 from SAVE_ALL on all paths and isn't likely to change in +the foreseeable future, so update the macro entry requirements to state this +dependency. This marginal optimisation can be revisited if circumstances +change. + +No practical change. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +(cherry picked from commit e9b8d31981f184c6539f91ec54bd9cae29cdae36) +--- + xen/arch/x86/x86_64/entry.S | 4 ++-- + xen/include/asm-x86/spec_ctrl_asm.h | 21 ++++++++++----------- + 2 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S +index 2a86938f1f32..a1810bf4d311 100644 +--- a/xen/arch/x86/x86_64/entry.S ++++ b/xen/arch/x86/x86_64/entry.S +@@ -932,7 +932,7 @@ ENTRY(double_fault) + + GET_STACK_END(14) + +- SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: abcd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rbx +@@ -968,7 +968,7 @@ handle_ist_exception: + + GET_STACK_END(14) + +- SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_INTR_IST /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: abcd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rcx +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 0ff1b118f882..15e24cde00d1 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -251,34 +251,33 @@ + */ + .macro SPEC_CTRL_ENTRY_FROM_INTR_IST + /* +- * Requires %rsp=regs, %r14=stack_end +- * Clobbers %rax, %rcx, %rdx ++ * Requires %rsp=regs, %r14=stack_end, %rdx=0 ++ * Clobbers %rax, %rbx, %rcx, %rdx + * + * This is logical merge of DO_OVERWRITE_RSB and DO_SPEC_CTRL_ENTRY + * maybexen=1, but with conditionals rather than alternatives. + */ +- movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %eax ++ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx + +- test $SCF_ist_rsb, %al ++ test $SCF_ist_rsb, %bl + jz .L\@_skip_rsb + +- DO_OVERWRITE_RSB tmp=rdx /* Clobbers %rcx/%rdx */ ++ DO_OVERWRITE_RSB /* Clobbers %rax/%rcx */ + + .L\@_skip_rsb: + +- test $SCF_ist_sc_msr, %al ++ test $SCF_ist_sc_msr, %bl + jz .L\@_skip_msr_spec_ctrl + +- xor %edx, %edx ++ xor %eax, %eax + testb $3, UREGS_cs(%rsp) +- setnz %dl +- not %edx +- and %dl, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14) ++ setnz %al ++ not %eax ++ and %al, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14) + + /* Load Xen's intended value. */ + mov $MSR_SPEC_CTRL, %ecx + movzbl STACK_CPUINFO_FIELD(xen_spec_ctrl)(%r14), %eax +- xor %edx, %edx + wrmsr + + /* Opencoded UNLIKELY_START() with no condition. */ +-- +2.35.1 + diff --git a/0048-x86-spec-ctrl-Support-IBPB-on-entry.patch b/0048-x86-spec-ctrl-Support-IBPB-on-entry.patch new file mode 100644 index 0000000..d5ad043 --- /dev/null +++ b/0048-x86-spec-ctrl-Support-IBPB-on-entry.patch @@ -0,0 +1,300 @@ +From 76c5fcee9027fb8823dd501086f0ff3ee3c4231c Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Thu, 24 Feb 2022 13:44:33 +0000 +Subject: [PATCH 48/51] x86/spec-ctrl: Support IBPB-on-entry + +We are going to need this to mitigate Branch Type Confusion on AMD/Hygon CPUs, +but as we've talked about using it in other cases too, arrange to support it +generally. However, this is also very expensive in some cases, so we're going +to want per-domain controls. + +Introduce SCF_ist_ibpb and SCF_entry_ibpb controls, adding them to the IST and +DOM masks as appropriate. Also introduce X86_FEATURE_IBPB_ENTRY_{PV,HVM} to +to patch the code blocks. + +For SVM, the STGI is serialising enough to protect against Spectre-v1 attacks, +so no "else lfence" is necessary. VT-x will use use the MSR host load list, +so doesn't need any code in the VMExit path. + +For the IST path, we can't safely check CPL==0 to skip a flush, as we might +have hit an entry path before it's IBPB. As IST hitting Xen is rare, flush +irrespective of CPL. A later path, SCF_ist_sc_msr, provides Spectre-v1 +safety. + +For the PV paths, we know we're interrupting CPL>0, while for the INTR paths, +we can safely check CPL==0. Only flush when interrupting guest context. + +An "else lfence" is needed for safety, but we want to be able to skip it on +unaffected CPUs, so the block wants to be an alternative, which means the +lfence has to be inline rather than UNLIKELY() (the replacement block doesn't +have displacements fixed up for anything other than the first instruction). + +As with SPEC_CTRL_ENTRY_FROM_INTR_IST, %rdx is 0 on entry so rely on this to +shrink the logic marginally. Update the comments to specify this new +dependency. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +(cherry picked from commit 53a570b285694947776d5190f591a0d5b9b18de7) +--- + xen/arch/x86/hvm/svm/entry.S | 18 ++++++++++- + xen/arch/x86/hvm/vmx/vmcs.c | 4 +++ + xen/arch/x86/x86_64/compat/entry.S | 2 +- + xen/arch/x86/x86_64/entry.S | 12 +++---- + xen/include/asm-x86/cpufeatures.h | 2 ++ + xen/include/asm-x86/spec_ctrl.h | 6 ++-- + xen/include/asm-x86/spec_ctrl_asm.h | 49 +++++++++++++++++++++++++++-- + 7 files changed, 81 insertions(+), 12 deletions(-) + +diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S +index 4ae55a2ef605..0ff4008060fa 100644 +--- a/xen/arch/x86/hvm/svm/entry.S ++++ b/xen/arch/x86/hvm/svm/entry.S +@@ -97,7 +97,19 @@ __UNLIKELY_END(nsvm_hap) + + GET_CURRENT(bx) + +- /* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo Clob: acd */ ++ /* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo, %rdx=0 Clob: acd */ ++ ++ .macro svm_vmexit_cond_ibpb ++ testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp) ++ jz .L_skip_ibpb ++ ++ mov $MSR_PRED_CMD, %ecx ++ mov $PRED_CMD_IBPB, %eax ++ wrmsr ++.L_skip_ibpb: ++ .endm ++ ALTERNATIVE "", svm_vmexit_cond_ibpb, X86_FEATURE_IBPB_ENTRY_HVM ++ + ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_HVM + + .macro svm_vmexit_spec_ctrl +@@ -114,6 +126,10 @@ __UNLIKELY_END(nsvm_hap) + ALTERNATIVE "", svm_vmexit_spec_ctrl, X86_FEATURE_SC_MSR_HVM + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + ++ /* ++ * STGI is executed unconditionally, and is sufficiently serialising ++ * to safely resolve any Spectre-v1 concerns in the above logic. ++ */ + stgi + GLOBAL(svm_stgi_label) + mov %rsp,%rdi +diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c +index f9f9bc18cdbc..dd817cee4e69 100644 +--- a/xen/arch/x86/hvm/vmx/vmcs.c ++++ b/xen/arch/x86/hvm/vmx/vmcs.c +@@ -1345,6 +1345,10 @@ static int construct_vmcs(struct vcpu *v) + rc = vmx_add_msr(v, MSR_FLUSH_CMD, FLUSH_CMD_L1D, + VMX_MSR_GUEST_LOADONLY); + ++ if ( !rc && (d->arch.spec_ctrl_flags & SCF_entry_ibpb) ) ++ rc = vmx_add_msr(v, MSR_PRED_CMD, PRED_CMD_IBPB, ++ VMX_MSR_HOST); ++ + out: + vmx_vmcs_exit(v); + +diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S +index 5fd6dbbd4513..b86d38d1c50d 100644 +--- a/xen/arch/x86/x86_64/compat/entry.S ++++ b/xen/arch/x86/x86_64/compat/entry.S +@@ -18,7 +18,7 @@ ENTRY(entry_int82) + movl $HYPERCALL_VECTOR, 4(%rsp) + SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + CR4_PV32_RESTORE +diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S +index a1810bf4d311..fba8ae498f74 100644 +--- a/xen/arch/x86/x86_64/entry.S ++++ b/xen/arch/x86/x86_64/entry.S +@@ -260,7 +260,7 @@ ENTRY(lstar_enter) + movl $TRAP_syscall, 4(%rsp) + SAVE_ALL + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + GET_STACK_END(bx) +@@ -298,7 +298,7 @@ ENTRY(cstar_enter) + movl $TRAP_syscall, 4(%rsp) + SAVE_ALL + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + GET_STACK_END(bx) +@@ -338,7 +338,7 @@ GLOBAL(sysenter_eflags_saved) + movl $TRAP_syscall, 4(%rsp) + SAVE_ALL + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + GET_STACK_END(bx) +@@ -392,7 +392,7 @@ ENTRY(int80_direct_trap) + movl $0x80, 4(%rsp) + SAVE_ALL + +- SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + GET_STACK_END(bx) +@@ -674,7 +674,7 @@ ENTRY(common_interrupt) + + GET_STACK_END(14) + +- SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rcx +@@ -708,7 +708,7 @@ GLOBAL(handle_exception) + + GET_STACK_END(14) + +- SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_INTR /* Req: %rsp=regs, %r14=end, %rdx=0, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov STACK_CPUINFO_FIELD(xen_cr3)(%r14), %rcx +diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h +index 493d338a085e..672c9ee22ba2 100644 +--- a/xen/include/asm-x86/cpufeatures.h ++++ b/xen/include/asm-x86/cpufeatures.h +@@ -39,6 +39,8 @@ XEN_CPUFEATURE(XEN_LBR, X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */ + XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ + XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */ + XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */ ++XEN_CPUFEATURE(IBPB_ENTRY_PV, X86_SYNTH(28)) /* MSR_PRED_CMD used by Xen for PV */ ++XEN_CPUFEATURE(IBPB_ENTRY_HVM, X86_SYNTH(29)) /* MSR_PRED_CMD used by Xen for HVM */ + + /* Bug words follow the synthetic words. */ + #define X86_NR_BUG 1 +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index fb4365575620..3fc599a817c4 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -34,6 +34,8 @@ + #define SCF_ist_sc_msr (1 << 1) + #define SCF_ist_rsb (1 << 2) + #define SCF_verw (1 << 3) ++#define SCF_ist_ibpb (1 << 4) ++#define SCF_entry_ibpb (1 << 5) + + /* + * The IST paths (NMI/#MC) can interrupt any arbitrary context. Some +@@ -46,13 +48,13 @@ + * These are the controls to inhibit on the S3 resume path until microcode has + * been reloaded. + */ +-#define SCF_IST_MASK (SCF_ist_sc_msr) ++#define SCF_IST_MASK (SCF_ist_sc_msr | SCF_ist_ibpb) + + /* + * Some speculative protections are per-domain. These settings are merged + * into the top-of-stack block in the context switch path. + */ +-#define SCF_DOM_MASK (SCF_verw) ++#define SCF_DOM_MASK (SCF_verw | SCF_entry_ibpb) + + #ifndef __ASSEMBLY__ + +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 15e24cde00d1..9eb4ad9ab71d 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -88,6 +88,35 @@ + * - SPEC_CTRL_EXIT_TO_{SVM,VMX} + */ + ++.macro DO_SPEC_CTRL_COND_IBPB maybexen:req ++/* ++ * Requires %rsp=regs (also cpuinfo if !maybexen) ++ * Requires %r14=stack_end (if maybexen), %rdx=0 ++ * Clobbers %rax, %rcx, %rdx ++ * ++ * Conditionally issue IBPB if SCF_entry_ibpb is active. In the maybexen ++ * case, we can safely look at UREGS_cs to skip taking the hit when ++ * interrupting Xen. ++ */ ++ .if \maybexen ++ testb $SCF_entry_ibpb, STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14) ++ jz .L\@_skip ++ testb $3, UREGS_cs(%rsp) ++ .else ++ testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp) ++ .endif ++ jz .L\@_skip ++ ++ mov $MSR_PRED_CMD, %ecx ++ mov $PRED_CMD_IBPB, %eax ++ wrmsr ++ jmp .L\@_done ++ ++.L\@_skip: ++ lfence ++.L\@_done: ++.endm ++ + .macro DO_OVERWRITE_RSB tmp=rax + /* + * Requires nothing +@@ -225,12 +254,16 @@ + + /* Use after an entry from PV context (syscall/sysenter/int80/int82/etc). */ + #define SPEC_CTRL_ENTRY_FROM_PV \ ++ ALTERNATIVE "", __stringify(DO_SPEC_CTRL_COND_IBPB maybexen=0), \ ++ X86_FEATURE_IBPB_ENTRY_PV; \ + ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV; \ + ALTERNATIVE "", __stringify(DO_SPEC_CTRL_ENTRY maybexen=0), \ + X86_FEATURE_SC_MSR_PV + + /* Use in interrupt/exception context. May interrupt Xen or PV context. */ + #define SPEC_CTRL_ENTRY_FROM_INTR \ ++ ALTERNATIVE "", __stringify(DO_SPEC_CTRL_COND_IBPB maybexen=1), \ ++ X86_FEATURE_IBPB_ENTRY_PV; \ + ALTERNATIVE "", DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV; \ + ALTERNATIVE "", __stringify(DO_SPEC_CTRL_ENTRY maybexen=1), \ + X86_FEATURE_SC_MSR_PV +@@ -254,11 +287,23 @@ + * Requires %rsp=regs, %r14=stack_end, %rdx=0 + * Clobbers %rax, %rbx, %rcx, %rdx + * +- * This is logical merge of DO_OVERWRITE_RSB and DO_SPEC_CTRL_ENTRY +- * maybexen=1, but with conditionals rather than alternatives. ++ * This is logical merge of: ++ * DO_SPEC_CTRL_COND_IBPB maybexen=0 ++ * DO_OVERWRITE_RSB ++ * DO_SPEC_CTRL_ENTRY maybexen=1 ++ * but with conditionals rather than alternatives. + */ + movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx + ++ test $SCF_ist_ibpb, %bl ++ jz .L\@_skip_ibpb ++ ++ mov $MSR_PRED_CMD, %ecx ++ mov $PRED_CMD_IBPB, %eax ++ wrmsr ++ ++.L\@_skip_ibpb: ++ + test $SCF_ist_rsb, %bl + jz .L\@_skip_rsb + +-- +2.35.1 + diff --git a/0049-x86-cpuid-Enumeration-for-BTC_NO.patch b/0049-x86-cpuid-Enumeration-for-BTC_NO.patch new file mode 100644 index 0000000..0e5d119 --- /dev/null +++ b/0049-x86-cpuid-Enumeration-for-BTC_NO.patch @@ -0,0 +1,106 @@ +From 0826c7596d35c887b3b7858137c7ac374d9ef17a Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Mon, 16 May 2022 15:48:24 +0100 +Subject: [PATCH 49/51] x86/cpuid: Enumeration for BTC_NO + +BTC_NO indicates that hardware is not succeptable to Branch Type Confusion. + +Zen3 CPUs don't suffer BTC. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +(cherry picked from commit 76cb04ad64f3ab9ae785988c40655a71dde9c319) +--- + tools/libs/light/libxl_cpuid.c | 1 + + tools/misc/xen-cpuid.c | 2 +- + xen/arch/x86/cpu/amd.c | 10 ++++++++++ + xen/arch/x86/spec_ctrl.c | 5 +++-- + xen/include/public/arch-x86/cpufeatureset.h | 1 + + 5 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/tools/libs/light/libxl_cpuid.c b/tools/libs/light/libxl_cpuid.c +index d462f9e421ed..bf6fdee360a9 100644 +--- a/tools/libs/light/libxl_cpuid.c ++++ b/tools/libs/light/libxl_cpuid.c +@@ -288,6 +288,7 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str) + {"virt-ssbd", 0x80000008, NA, CPUID_REG_EBX, 25, 1}, + {"ssb-no", 0x80000008, NA, CPUID_REG_EBX, 26, 1}, + {"psfd", 0x80000008, NA, CPUID_REG_EBX, 28, 1}, ++ {"btc-no", 0x80000008, NA, CPUID_REG_EBX, 29, 1}, + + {"nc", 0x80000008, NA, CPUID_REG_ECX, 0, 8}, + {"apicidsize", 0x80000008, NA, CPUID_REG_ECX, 12, 4}, +diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c +index bc7dcf55757a..fe22f5f5b68b 100644 +--- a/tools/misc/xen-cpuid.c ++++ b/tools/misc/xen-cpuid.c +@@ -158,7 +158,7 @@ static const char *const str_e8b[32] = + /* [22] */ [23] = "ppin", + [24] = "amd-ssbd", [25] = "virt-ssbd", + [26] = "ssb-no", +- [28] = "psfd", ++ [28] = "psfd", [29] = "btc-no", + }; + + static const char *const str_7d0[32] = +diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c +index b3b9a0df5fed..b158e3acb5c7 100644 +--- a/xen/arch/x86/cpu/amd.c ++++ b/xen/arch/x86/cpu/amd.c +@@ -847,6 +847,16 @@ static void init_amd(struct cpuinfo_x86 *c) + warning_add(text); + } + break; ++ ++ case 0x19: ++ /* ++ * Zen3 (Fam19h model < 0x10) parts are not susceptible to ++ * Branch Type Confusion, but predate the allocation of the ++ * BTC_NO bit. Fill it back in if we're not virtualised. ++ */ ++ if (!cpu_has_hypervisor && !cpu_has(c, X86_FEATURE_BTC_NO)) ++ __set_bit(X86_FEATURE_BTC_NO, c->x86_capability); ++ break; + } + + display_cacheinfo(c); +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index f4ae36eae2d0..0f101c057f3e 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -388,7 +388,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + * Hardware read-only information, stating immunity to certain issues, or + * suggestions of which mitigation to use. + */ +- printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", ++ printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", + (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", + (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", +@@ -403,7 +403,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", + (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", + (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", +- (e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : ""); ++ (e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : "", ++ (e8b & cpufeat_mask(X86_FEATURE_BTC_NO)) ? " BTC_NO" : ""); + + /* Hardware features which need driving to mitigate issues. */ + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n", +diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h +index 743b857dcd5c..e7b8167800a2 100644 +--- a/xen/include/public/arch-x86/cpufeatureset.h ++++ b/xen/include/public/arch-x86/cpufeatureset.h +@@ -266,6 +266,7 @@ XEN_CPUFEATURE(AMD_SSBD, 8*32+24) /*S MSR_SPEC_CTRL.SSBD available */ + XEN_CPUFEATURE(VIRT_SSBD, 8*32+25) /* MSR_VIRT_SPEC_CTRL.SSBD */ + XEN_CPUFEATURE(SSB_NO, 8*32+26) /*A Hardware not vulnerable to SSB */ + XEN_CPUFEATURE(PSFD, 8*32+28) /*S MSR_SPEC_CTRL.PSFD */ ++XEN_CPUFEATURE(BTC_NO, 8*32+29) /*A Hardware not vulnerable to Branch Type Confusion */ + + /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */ + XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */ +-- +2.35.1 + diff --git a/0050-x86-spec-ctrl-Enable-Zen2-chickenbit.patch b/0050-x86-spec-ctrl-Enable-Zen2-chickenbit.patch new file mode 100644 index 0000000..c83844d --- /dev/null +++ b/0050-x86-spec-ctrl-Enable-Zen2-chickenbit.patch @@ -0,0 +1,106 @@ +From 5457a6870eb1369b868f7b8e833966ed43a773ad Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Tue, 15 Mar 2022 18:30:25 +0000 +Subject: [PATCH 50/51] x86/spec-ctrl: Enable Zen2 chickenbit + +... as instructed in the Branch Type Confusion whitepaper. + +This is part of XSA-407. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +(cherry picked from commit 9deaf2d932f08c16c6b96a1c426e4b1142c0cdbe) +--- + xen/arch/x86/cpu/amd.c | 28 ++++++++++++++++++++++++++++ + xen/arch/x86/cpu/cpu.h | 1 + + xen/arch/x86/cpu/hygon.c | 6 ++++++ + xen/include/asm-x86/msr-index.h | 1 + + 4 files changed, 36 insertions(+) + +diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c +index b158e3acb5c7..37ac84ddd74d 100644 +--- a/xen/arch/x86/cpu/amd.c ++++ b/xen/arch/x86/cpu/amd.c +@@ -731,6 +731,31 @@ void amd_init_ssbd(const struct cpuinfo_x86 *c) + printk_once(XENLOG_ERR "No SSBD controls available\n"); + } + ++/* ++ * On Zen2 we offer this chicken (bit) on the altar of Speculation. ++ * ++ * Refer to the AMD Branch Type Confusion whitepaper: ++ * https://XXX ++ * ++ * Setting this unnamed bit supposedly causes prediction information on ++ * non-branch instructions to be ignored. It is to be set unilaterally in ++ * newer microcode. ++ * ++ * This chickenbit is something unrelated on Zen1, and Zen1 vs Zen2 isn't a ++ * simple model number comparison, so use STIBP as a heuristic to separate the ++ * two uarches in Fam17h(AMD)/18h(Hygon). ++ */ ++void amd_init_spectral_chicken(void) ++{ ++ uint64_t val, chickenbit = 1 << 1; ++ ++ if (cpu_has_hypervisor || !boot_cpu_has(X86_FEATURE_AMD_STIBP)) ++ return; ++ ++ if (rdmsr_safe(MSR_AMD64_DE_CFG2, val) == 0 && !(val & chickenbit)) ++ wrmsr_safe(MSR_AMD64_DE_CFG2, val | chickenbit); ++} ++ + void __init detect_zen2_null_seg_behaviour(void) + { + uint64_t base; +@@ -796,6 +821,9 @@ static void init_amd(struct cpuinfo_x86 *c) + + amd_init_ssbd(c); + ++ if (c->x86 == 0x17) ++ amd_init_spectral_chicken(); ++ + /* Probe for NSCB on Zen2 CPUs when not virtualised */ + if (!cpu_has_hypervisor && !cpu_has_nscb && c == &boot_cpu_data && + c->x86 == 0x17) +diff --git a/xen/arch/x86/cpu/cpu.h b/xen/arch/x86/cpu/cpu.h +index b593bd85f04f..145bc5156a86 100644 +--- a/xen/arch/x86/cpu/cpu.h ++++ b/xen/arch/x86/cpu/cpu.h +@@ -22,4 +22,5 @@ void early_init_amd(struct cpuinfo_x86 *c); + void amd_log_freq(const struct cpuinfo_x86 *c); + void amd_init_lfence(struct cpuinfo_x86 *c); + void amd_init_ssbd(const struct cpuinfo_x86 *c); ++void amd_init_spectral_chicken(void); + void detect_zen2_null_seg_behaviour(void); +diff --git a/xen/arch/x86/cpu/hygon.c b/xen/arch/x86/cpu/hygon.c +index cdc94130dd2e..6f8d491297e8 100644 +--- a/xen/arch/x86/cpu/hygon.c ++++ b/xen/arch/x86/cpu/hygon.c +@@ -40,6 +40,12 @@ static void init_hygon(struct cpuinfo_x86 *c) + c->x86 == 0x18) + detect_zen2_null_seg_behaviour(); + ++ /* ++ * TODO: Check heuristic safety with Hygon first ++ if (c->x86 == 0x18) ++ amd_init_spectral_chicken(); ++ */ ++ + /* + * Hygon CPUs before Zen2 don't clear segment bases/limits when + * loading a NULL selector. +diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h +index 72bc32ba04ff..d3735e499e0f 100644 +--- a/xen/include/asm-x86/msr-index.h ++++ b/xen/include/asm-x86/msr-index.h +@@ -361,6 +361,7 @@ + #define MSR_AMD64_DE_CFG 0xc0011029 + #define AMD64_DE_CFG_LFENCE_SERIALISE (_AC(1, ULL) << 1) + #define MSR_AMD64_EX_CFG 0xc001102c ++#define MSR_AMD64_DE_CFG2 0xc00110e3 + + #define MSR_AMD64_DR0_ADDRESS_MASK 0xc0011027 + #define MSR_AMD64_DR1_ADDRESS_MASK 0xc0011019 +-- +2.35.1 + diff --git a/0051-x86-spec-ctrl-Mitigate-Branch-Type-Confusion-when-po.patch b/0051-x86-spec-ctrl-Mitigate-Branch-Type-Confusion-when-po.patch new file mode 100644 index 0000000..e313ede --- /dev/null +++ b/0051-x86-spec-ctrl-Mitigate-Branch-Type-Confusion-when-po.patch @@ -0,0 +1,305 @@ +From 0a5387a01165b46c8c85e7f7e2ddbe60a7f5db44 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Mon, 27 Jun 2022 19:29:40 +0100 +Subject: [PATCH 51/51] x86/spec-ctrl: Mitigate Branch Type Confusion when + possible + +Branch Type Confusion affects AMD/Hygon CPUs on Zen2 and earlier. To +mitigate, we require SMT safety (STIBP on Zen2, no-SMT on Zen1), and to issue +an IBPB on each entry to Xen, to flush the BTB. + +Due to performance concerns, dom0 (which is trusted in most configurations) is +excluded from protections by default. + +Therefore: + * Use STIBP by default on Zen2 too, which now means we want it on by default + on all hardware supporting STIBP. + * Break the current IBPB logic out into a new function, extending it with + IBPB-at-entry logic. + * Change the existing IBPB-at-ctxt-switch boolean to be tristate, and disable + it by default when IBPB-at-entry is providing sufficient safety. + +If all PV guests on the system are trusted, then it is recommended to boot +with `spec-ctrl=ibpb-entry=no-pv`, as this will provide an additional marginal +perf improvement. + +This is part of XSA-407 / CVE-2022-23825. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +(cherry picked from commit d8cb7e0f069e0f106d24941355b59b45a731eabe) +--- + docs/misc/xen-command-line.pandoc | 14 ++-- + xen/arch/x86/spec_ctrl.c | 113 ++++++++++++++++++++++++++---- + xen/include/asm-x86/spec_ctrl.h | 2 +- + 3 files changed, 112 insertions(+), 17 deletions(-) + +diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc +index 1bbdb55129cc..bd6826d0ae05 100644 +--- a/docs/misc/xen-command-line.pandoc ++++ b/docs/misc/xen-command-line.pandoc +@@ -2234,7 +2234,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). + + ### spec-ctrl (x86) + > `= List of [ <bool>, xen=<bool>, {pv,hvm}=<bool>, +-> {msr-sc,rsb,md-clear}=<bool>|{pv,hvm}=<bool>, ++> {msr-sc,rsb,md-clear,ibpb-entry}=<bool>|{pv,hvm}=<bool>, + > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, + > eager-fpu,l1d-flush,branch-harden,srb-lock, + > unpriv-mmio}=<bool> ]` +@@ -2259,9 +2259,10 @@ in place for guests to use. + + Use of a positive boolean value for either of these options is invalid. + +-The `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` options offer fine +-grained control over the primitives by Xen. These impact Xen's ability to +-protect itself, and/or Xen's ability to virtualise support for guests to use. ++The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options ++offer fine grained control over the primitives by Xen. These impact Xen's ++ability to protect itself, and/or Xen's ability to virtualise support for ++guests to use. + + * `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests + respectively. +@@ -2280,6 +2281,11 @@ protect itself, and/or Xen's ability to virtualise support for guests to use. + compatibility with development versions of this fix, `mds=` is also accepted + on Xen 4.12 and earlier as an alias. Consult vendor documentation in + preference to here.* ++* `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction ++ Barrier) is used on entry to Xen. This is used by default on hardware ++ vulnerable to Branch Type Confusion, but for performance reasons, dom0 is ++ unprotected by default. If it necessary to protect dom0 too, boot with ++ `spec-ctrl=ibpb-entry`. + + If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to + select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index 0f101c057f3e..1d9796c34d71 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -39,6 +39,10 @@ static bool __initdata opt_rsb_hvm = true; + static int8_t __read_mostly opt_md_clear_pv = -1; + static int8_t __read_mostly opt_md_clear_hvm = -1; + ++static int8_t __read_mostly opt_ibpb_entry_pv = -1; ++static int8_t __read_mostly opt_ibpb_entry_hvm = -1; ++static bool __read_mostly opt_ibpb_entry_dom0; ++ + /* Cmdline controls for Xen's speculative settings. */ + static enum ind_thunk { + THUNK_DEFAULT, /* Decide which thunk to use at boot time. */ +@@ -54,7 +58,7 @@ int8_t __initdata opt_stibp = -1; + bool __read_mostly opt_ssbd; + int8_t __initdata opt_psfd = -1; + +-bool __read_mostly opt_ibpb_ctxt_switch = true; ++int8_t __read_mostly opt_ibpb_ctxt_switch = -1; + int8_t __read_mostly opt_eager_fpu = -1; + int8_t __read_mostly opt_l1d_flush = -1; + static bool __initdata opt_branch_harden = true; +@@ -114,6 +118,9 @@ static int __init parse_spec_ctrl(const char *s) + opt_rsb_hvm = false; + opt_md_clear_pv = 0; + opt_md_clear_hvm = 0; ++ opt_ibpb_entry_pv = 0; ++ opt_ibpb_entry_hvm = 0; ++ opt_ibpb_entry_dom0 = false; + + opt_thunk = THUNK_JMP; + opt_ibrs = 0; +@@ -140,12 +147,14 @@ static int __init parse_spec_ctrl(const char *s) + opt_msr_sc_pv = val; + opt_rsb_pv = val; + opt_md_clear_pv = val; ++ opt_ibpb_entry_pv = val; + } + else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) + { + opt_msr_sc_hvm = val; + opt_rsb_hvm = val; + opt_md_clear_hvm = val; ++ opt_ibpb_entry_hvm = val; + } + else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) + { +@@ -210,6 +219,28 @@ static int __init parse_spec_ctrl(const char *s) + break; + } + } ++ else if ( (val = parse_boolean("ibpb-entry", s, ss)) != -1 ) ++ { ++ switch ( val ) ++ { ++ case 0: ++ case 1: ++ opt_ibpb_entry_pv = opt_ibpb_entry_hvm = ++ opt_ibpb_entry_dom0 = val; ++ break; ++ ++ case -2: ++ s += strlen("ibpb-entry="); ++ if ( (val = parse_boolean("pv", s, ss)) >= 0 ) ++ opt_ibpb_entry_pv = val; ++ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) ++ opt_ibpb_entry_hvm = val; ++ else ++ default: ++ rc = -EINVAL; ++ break; ++ } ++ } + + /* Xen's speculative sidechannel mitigation settings. */ + else if ( !strncmp(s, "bti-thunk=", 10) ) +@@ -477,27 +508,31 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + * mitigation support for guests. + */ + #ifdef CONFIG_HVM +- printk(" Support for HVM VMs:%s%s%s%s%s\n", ++ printk(" Support for HVM VMs:%s%s%s%s%s%s\n", + (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || + boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || + boot_cpu_has(X86_FEATURE_MD_CLEAR) || ++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || + opt_eager_fpu) ? "" : " None", + boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", + boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", + opt_eager_fpu ? " EAGER_FPU" : "", +- boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : ""); ++ boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : "", ++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); + + #endif + #ifdef CONFIG_PV +- printk(" Support for PV VMs:%s%s%s%s%s\n", ++ printk(" Support for PV VMs:%s%s%s%s%s%s\n", + (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || + boot_cpu_has(X86_FEATURE_SC_RSB_PV) || + boot_cpu_has(X86_FEATURE_MD_CLEAR) || ++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || + opt_eager_fpu) ? "" : " None", + boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", + boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", + opt_eager_fpu ? " EAGER_FPU" : "", +- boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : ""); ++ boot_cpu_has(X86_FEATURE_MD_CLEAR) ? " MD_CLEAR" : "", ++ boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); + + printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", + opt_xpti_hwdom ? "enabled" : "disabled", +@@ -759,6 +794,55 @@ static bool __init should_use_eager_fpu(void) + } + } + ++static void __init ibpb_calculations(void) ++{ ++ /* Check we have hardware IBPB support before using it... */ ++ if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) ++ { ++ opt_ibpb_entry_hvm = opt_ibpb_entry_pv = opt_ibpb_ctxt_switch = 0; ++ opt_ibpb_entry_dom0 = false; ++ return; ++ } ++ ++ /* ++ * IBPB-on-entry mitigations for Branch Type Confusion. ++ * ++ * IBPB && !BTC_NO selects all AMD/Hygon hardware, not known to be safe, ++ * that we can provide some form of mitigation on. ++ */ ++ if ( opt_ibpb_entry_pv == -1 ) ++ opt_ibpb_entry_pv = (IS_ENABLED(CONFIG_PV) && ++ boot_cpu_has(X86_FEATURE_IBPB) && ++ !boot_cpu_has(X86_FEATURE_BTC_NO)); ++ if ( opt_ibpb_entry_hvm == -1 ) ++ opt_ibpb_entry_hvm = (IS_ENABLED(CONFIG_HVM) && ++ boot_cpu_has(X86_FEATURE_IBPB) && ++ !boot_cpu_has(X86_FEATURE_BTC_NO)); ++ ++ if ( opt_ibpb_entry_pv ) ++ { ++ setup_force_cpu_cap(X86_FEATURE_IBPB_ENTRY_PV); ++ ++ /* ++ * We only need to flush in IST context if we're protecting against PV ++ * guests. HVM IBPB-on-entry protections are both atomic with ++ * NMI/#MC, so can't interrupt Xen ahead of having already flushed the ++ * BTB. ++ */ ++ default_spec_ctrl_flags |= SCF_ist_ibpb; ++ } ++ if ( opt_ibpb_entry_hvm ) ++ setup_force_cpu_cap(X86_FEATURE_IBPB_ENTRY_HVM); ++ ++ /* ++ * If we're using IBPB-on-entry to protect against PV and HVM guests ++ * (ignoring dom0 if trusted), then there's no need to also issue IBPB on ++ * context switch too. ++ */ ++ if ( opt_ibpb_ctxt_switch == -1 ) ++ opt_ibpb_ctxt_switch = !(opt_ibpb_entry_hvm && opt_ibpb_entry_pv); ++} ++ + /* Calculate whether this CPU is vulnerable to L1TF. */ + static __init void l1tf_calculations(uint64_t caps) + { +@@ -1014,8 +1098,12 @@ void spec_ctrl_init_domain(struct domain *d) + bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || + (opt_fb_clear_mmio && is_iommu_enabled(d))); + ++ bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && ++ (d->domain_id != 0 || opt_ibpb_entry_dom0)); ++ + d->arch.spec_ctrl_flags = + (verw ? SCF_verw : 0) | ++ (ibpb ? SCF_entry_ibpb : 0) | + 0; + } + +@@ -1162,12 +1250,15 @@ void __init init_speculation_mitigations(void) + } + + /* +- * Use STIBP by default if the hardware hint is set. Otherwise, leave it +- * off as it a severe performance pentalty on pre-eIBRS Intel hardware +- * where it was retrofitted in microcode. ++ * Use STIBP by default on all AMD systems. Zen3 and later enumerate ++ * STIBP_ALWAYS, but STIBP is needed on Zen2 as part of the mitigations ++ * for Branch Type Confusion. ++ * ++ * Leave STIBP off by default on Intel. Pre-eIBRS systems suffer a ++ * substantial perf hit when it was implemented in microcode. + */ + if ( opt_stibp == -1 ) +- opt_stibp = !!boot_cpu_has(X86_FEATURE_STIBP_ALWAYS); ++ opt_stibp = !!boot_cpu_has(X86_FEATURE_AMD_STIBP); + + if ( opt_stibp && (boot_cpu_has(X86_FEATURE_STIBP) || + boot_cpu_has(X86_FEATURE_AMD_STIBP)) ) +@@ -1239,9 +1330,7 @@ void __init init_speculation_mitigations(void) + if ( opt_rsb_hvm ) + setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); + +- /* Check we have hardware IBPB support before using it... */ +- if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) +- opt_ibpb_ctxt_switch = false; ++ ibpb_calculations(); + + /* Check whether Eager FPU should be enabled by default. */ + if ( opt_eager_fpu == -1 ) +diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h +index 3fc599a817c4..9403b81dc7af 100644 +--- a/xen/include/asm-x86/spec_ctrl.h ++++ b/xen/include/asm-x86/spec_ctrl.h +@@ -65,7 +65,7 @@ + void init_speculation_mitigations(void); + void spec_ctrl_init_domain(struct domain *d); + +-extern bool opt_ibpb_ctxt_switch; ++extern int8_t opt_ibpb_ctxt_switch; + extern bool opt_ssbd; + extern int8_t opt_eager_fpu; + extern int8_t opt_l1d_flush; +-- +2.35.1 + @@ -1,6 +1,6 @@ -Xen Upstream Patchset #0 for 4.16.2-pre +Xen upstream patchset #1 for 4.16.2-pre Containing patches from RELEASE-4.16.1 (13fee86475f3831d7a1ecf6d7e0acbc2ac779f7e) to -staging-4.16 (2e82446cb252f6c8ac697e81f4155872c69afde4) +staging-4.16 (0a5387a01165b46c8c85e7f7e2ddbe60a7f5db44) |