[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen stable-4.14] x86/spec-ctrl: Mitigate Speculative Return Stack Overflow
commit e8db771a17c96f3a393ad7929c1c35e17e39972a
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Jun 15 13:46:29 2023 +0100
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Thu Aug 3 19:14:19 2023 +0100
x86/spec-ctrl: Mitigate Speculative Return Stack Overflow
On native, synthesise the SRSO bits by probing various hardware properties as given by AMD.
Extend the IBPB-on-entry mitigations to Zen3/4 CPUs. There is a microcode
prerequisite to make this an effective mitigation.
This is part of XSA-434 / CVE-2023-20569
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
(cherry picked from commit 220c06e6fefe2378f40e2a7391f5e265a2aa50f7)
---
docs/misc/xen-command-line.pandoc | 7 ++--
xen/arch/x86/spec_ctrl.c | 68 +++++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+), 3 deletions(-)
diff --git a/docs/misc/xen-command-line.pandoc
b/docs/misc/xen-command-line.pandoc
index 2fd6a9a552..88f880177f 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -2170,9 +2170,10 @@ guests to use.
preference to here.*
* `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction
Barrier) is used on entry to Xen. This is used by default on hardware
- vulnerable to Branch Type Confusion, but for performance reasons, dom0 is
- unprotected by default. If it necessary to protect dom0 too, boot with
- `spec-ctrl=ibpb-entry`.
+ vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative
+ Return Stack Overflow if appropriate microcode has been loaded, but for
+ performance reasons dom0 is unprotected by default. If it is necessary to
+ protect dom0 too, boot with `spec-ctrl=ibpb-entry`.
If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to
select which of the thunks gets patched into the `__x86_indirect_thunk_%reg`
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 3659e6800e..2dad423255 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -872,6 +872,63 @@ static bool __init should_use_eager_fpu(void)
}
}
+static void __init srso_calculations(bool hw_smt_enabled)
+{
+ if ( !(boot_cpu_data.x86_vendor &
+ (X86_VENDOR_AMD | X86_VENDOR_HYGON)) )
+ return;
+
+ /*
+ * If virtualised, none of these heuristics are safe. Trust the
+ * hypervisor completely.
+ */
+ if ( cpu_has_hypervisor )
+ return;
+
+ if ( boot_cpu_data.x86 == 0x19 )
+ {
+ /*
+ * We could have a table of models/microcode revisions. ...or we
+ * could just look for the new feature added.
+ */
+ if ( wrmsr_safe(MSR_PRED_CMD, PRED_CMD_SBPB) == 0 )
+ {
+ setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
+ setup_force_cpu_cap(X86_FEATURE_SBPB);
+ }
+ else
+ printk(XENLOG_WARNING
+ "Vulnerable to SRSO, without suitable microcode to
mitigate\n");
+ }
+ else if ( boot_cpu_data.x86 < 0x19 )
+ {
+ /*
+ * Zen1/2 (which have the IBPB microcode) have IBPB_BRTYPE behaviour
+ * already.
+ *
+ * Older CPUs are unknown, but their IBPB likely does flush branch
+ * types too. As we're synthesising for the benefit of guests, go
+ * with the likely option - this avoids VMs running on e.g. a Zen3
+ * thinking there's no SRSO mitigation available because it may
+ * migrate to e.g. a Bulldozer.
+ */
+ if ( boot_cpu_has(X86_FEATURE_IBPB) )
+ setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
+ }
+
+ /*
+ * In single-thread mode on Zen1/2, microarchitectural limits prevent SRSO
+ * attacks from being effective. Synthesise SRSO_NO if SMT is disabled in
+ * hardware.
+ *
+ * Booting with smt=0, or using xen-hptool should be effective too, but
+ * they can be altered at runtime so it's not safe to presume SRSO_NO.
+ */
+ if ( !hw_smt_enabled &&
+ (boot_cpu_data.x86 == 0x17 || boot_cpu_data.x86 == 0x18) )
+ setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
+}
+
static void __init ibpb_calculations(void)
{
bool def_ibpb_entry = false;
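Review bot: The SBPB probe in srso_calculations() is a one-shot `__init` check on the boot CPU, so a family 0x19 system whose SRSO microcode is only applied by late loading after Xen has booted will, unless some path not shown here re-runs these calculations, keep neither IBPB_BRTYPE nor SBPB and therefore never receive the IBPB-on-entry default that ibpb_calculations() derives from them; the warning should say so. I would extend it to `"Vulnerable to SRSO, without suitable microcode to mitigate (microcode must be present at boot; late loading is not re-probed)\n"`, or put the same sentence in the comment above the wrmsr_safe() call. The probe also has the side effect of issuing one SBPB on the BSP, harmless but non-obvious, which deserves a one-liner such as `/* Side effect: issues a single SBPB on the BSP; harmless. */`. The docs text in the first hunk already hints at the microcode dependency but not at the boot-time requirement.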
@@ -900,6 +957,15 @@ static void __init ibpb_calculations(void)
*/
if ( !boot_cpu_has(X86_FEATURE_BTC_NO) )
def_ibpb_entry = true;
+
+ /*
+ * Further to BTC, Zen3/4 CPUs suffer from Speculative Return Stack
+ * Overflow in most configurations. Mitigate with IBPB-on-entry if we
+ * have the microcode that makes this an effective option.
+ */
+ if ( !boot_cpu_has(X86_FEATURE_SRSO_NO) &&
+ boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) )
+ def_ibpb_entry = true;
}
if ( opt_ibpb_entry_pv == -1 )
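Review bot: The comment on the new block names Zen3/4, but the condition `!SRSO_NO && IBPB_BRTYPE` is family-agnostic and is also true on Zen1/2 with SMT enabled, where srso_calculations() forces IBPB_BRTYPE and withholds SRSO_NO; there it is merely redundant, because on those parts (presumably lacking BTC_NO) the check just above has already set def_ibpb_entry. Making that dependency explicit would stop a future change to the BTC branch from silently altering SRSO coverage, e.g. `* On Zen1/2 the BTC_NO check above already selects IBPB-on-entry; this condition is what matters for Zen3/4.` The enclosing if block and the remainder of ibpb_calculations() lie outside the hunk.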
@@ -1402,6 +1468,8 @@ void __init init_speculation_mitigations(void)
if ( opt_rsb_hvm )
setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM);
+ srso_calculations(hw_smt_enabled);
+
ibpb_calculations();
/* Check whether Eager FPU should be enabled by default. */
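Review bot: The call order introduced here is load-bearing but undocumented: srso_calculations() must run before ibpb_calculations(), because the latter reads X86_FEATURE_SRSO_NO and X86_FEATURE_IBPB_BRTYPE that the former synthesises, and hw_smt_enabled must already be final when it is passed in. A one-line comment would protect that ordering against later reshuffling: `/* Must precede ibpb_calculations(), which consumes the SRSO/IBPB_BRTYPE bits synthesised here. */`. init_speculation_mitigations() starts and ends outside the hunk, so whether hw_smt_enabled is computed early enough cannot be confirmed from this view.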
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.14