[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen master] xen/Kconfig: Improve help text for speculative options

commit 9b3a02e66f058ebd77db6628e3144352857bdf2b
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu May 8 16:50:38 2025 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri May 9 12:56:48 2025 +0100

    xen/Kconfig: Improve help text for speculative options
    
    The text for CONFIG_INDIRECT_THUNK isn't really correct, and was already 
stale
    by the time speculative vulnerabilities hit the headlines in 2018.  It is
    specifically an out-of-line-ing mechanism, and retpoline is one of several
    safety sequences used.
    
    Some of this boilerplate has been copied into all other options, and isn't
    interesting for the target audience given that they're all in a "Speculative
    Hardening" menu.
    
    Reword it to be more concise.
    
    No functional change.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
 xen/common/Kconfig | 53 +++++++++++------------------------------------------
 1 file changed, 11 insertions(+), 42 deletions(-)

diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 4bec78c6f2..bf7b081ad0 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -162,29 +162,21 @@ config STATIC_MEMORY
 menu "Speculative hardening"
 
 config INDIRECT_THUNK
-       bool "Speculative Branch Target Injection Protection"
+       bool "Out-of-line Indirect Call/Jumps"
        depends on CC_HAS_INDIRECT_THUNK
        default y
        help
-         Contemporary processors may use speculative execution as a
-         performance optimisation, but this can potentially be abused by an
-         attacker to leak data via speculative sidechannels.
+         Compile Xen with out-of-line indirect call and jumps.
 
-         One source of data leakage is via branch target injection.
-
-         When enabled, indirect branches are implemented using a new construct
-         called "retpoline" that prevents speculation.
+         This allows Xen to mitigate a variety of speculative vulnerabilities
+         by choosing a hardware-dependent instruction sequence to implement
+         (e.g. function pointers) safely.  "Retpoline" is one such sequence.
 
 config SPECULATIVE_HARDEN_ARRAY
        bool "Speculative Array Hardening"
        default y
        help
-         Contemporary processors may use speculative execution as a
-         performance optimisation, but this can potentially be abused by an
-         attacker to leak data via speculative sidechannels.
-
-         One source of data leakage is via speculative out-of-bounds array
-         accesses.
+         Compile Xen with extra hardening for some array accesses.
 
          When enabled, specific array accesses which have been deemed liable
          to be speculatively abused will be hardened to avoid out-of-bounds
@@ -193,19 +185,12 @@ config SPECULATIVE_HARDEN_ARRAY
          This is a best-effort mitigation.  There are no guarantees that all
          areas of code open to abuse have been hardened.
 
-         If unsure, say Y.
-
 config SPECULATIVE_HARDEN_BRANCH
-       bool "Speculative Branch Hardening"
+       bool "Speculative Conditional Branch Hardening"
        default y
        depends on X86
-        help
-         Contemporary processors may use speculative execution as a
-         performance optimisation, but this can potentially be abused by an
-         attacker to leak data via speculative sidechannels.
-
-         One source of misbehaviour is by executing the wrong basic block
-         following a conditional jump.
+       help
+         Compile Xen with extra hardening for some conditional branches.
 
          When enabled, specific conditions which have been deemed liable to
          be speculatively abused will be hardened to avoid entering the wrong
@@ -216,43 +201,27 @@ config SPECULATIVE_HARDEN_BRANCH
          optimisations in the compiler haven't subverted the attempts to
          harden.
 
-         If unsure, say Y.
-
 config SPECULATIVE_HARDEN_GUEST_ACCESS
        bool "Speculative PV Guest Memory Access Hardening"
        default y
        depends on PV
        help
-         Contemporary processors may use speculative execution as a
-         performance optimisation, but this can potentially be abused by an
-         attacker to leak data via speculative sidechannels.
-
-         One source of data leakage is via speculative accesses to hypervisor
-         memory through guest controlled values used to access guest memory.
+         Compile Xen with extra hardening for PV guest memory access.
 
          When enabled, code paths accessing PV guest memory will have guest
          controlled addresses massaged such that memory accesses through them
          won't touch hypervisor address space.
 
-         If unsure, say Y.
-
 config SPECULATIVE_HARDEN_LOCK
        bool "Speculative lock context hardening"
        default y
        depends on X86
        help
-         Contemporary processors may use speculative execution as a
-         performance optimisation, but this can potentially be abused by an
-         attacker to leak data via speculative sidechannels.
-
-         One source of data leakage is via speculative accesses to lock
-         critical regions.
+         Compile Xen with extra hardening for locked regions.
 
          This option is disabled by default at run time, and needs to be
          enabled on the command line.
 
-         If unsure, say Y.
-
 endmenu
 
 menu "Other hardening"
--
generated by git-patchbot for /home/xen/git/xen.git#master

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.