[Xen-devel] [PATCH v2 1/2] xen/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_ARRAY
There are legitimate circumstance where array hardening is not wanted or needed. Allow it to be turned off. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Release-acked-by: Juergen Gross <jgross@xxxxxxxx> --- CC: Jan Beulich <JBeulich@xxxxxxxx> CC: Wei Liu <wl@xxxxxxx> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> CC: Juergen Gross <jgross@xxxxxxxx> v2: * Rename to CONFIG_SPECULATIVE_HARDEN_ARRAY * Simplify the stub array_index_nospec() --- xen/common/Kconfig | 24 ++++++++++++++++++++++++ xen/include/xen/nospec.h | 5 +++++ 2 files changed, 29 insertions(+) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 16829f6274..911333357a 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -77,6 +77,30 @@ config HAS_CHECKPOLICY string option env="XEN_HAS_CHECKPOLICY" +menu "Speculative hardening" + +config SPECULATIVE_HARDEN_ARRAY + bool "Speculative Array Hardening" + default y + ---help--- + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative out-of-bounds array + accesses. + + When enabled, specific array accesses which have been deemed liable + to be speculatively abused will be hardened to avoid out-of-bounds + accesses. + + This is a best-effort mitigation. There are no guarantees that all + areas of code open to abuse have been hardened. + + If unsure, say Y. + +endmenu + config KEXEC bool "kexec support" default y diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 2ac8feccc2..76255bc46e 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -33,6 +33,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, } #endif +#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY /* * array_index_nospec - sanitize an array index after a bounds check * 
@@ -58,6 +59,10 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, \ (typeof(_i)) (_i & _mask); \ }) +#else +/* No index hardening. */ +#define array_index_nospec(index, size) ((void)(size), (index)) +#endif /* CONFIG_SPECULATIVE_HARDEN_ARRAY */ /* * array_access_nospec - allow nospec access for static size arrays -- 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
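Review bot: In the xen/common/Kconfig hunk, the help text for SPECULATIVE_HARDEN_ARRAY ends with "If unsure, say Y." but never says when N is a reasonable choice, and the commit message only asserts that such circumstances exist. Suggest adding a sentence to the help text that names the case or cases the option is meant for, so that someone configuring a build can judge the trade-off. It would also help to state plainly that saying N removes the index masking at every array_index_nospec() call site, since the #else stub in nospec.h returns the index unchanged.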
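Review bot: In the first xen/include/xen/nospec.h hunk, the new "#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY" opens after the #endif that closes array_index_mask_nospec(), so the mask helper is still defined when the option is off and any direct caller of it would keep its masking. If that is intended, say so in the commit message or in a comment beside the #ifdef. If the option is meant to switch off all array index masking, the guard needs to cover the mask helper as well.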
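Review bot: In the #else branch of the second xen/include/xen/nospec.h hunk, the stub "((void)(size), (index))" yields whatever type index has, whereas the hardened macro ends in an explicit "(typeof(_i))" cast. Please confirm that the two forms give the same result type for every caller, including narrow or signed index types, so that toggling the option cannot change integer conversions at a call site. The comment "No index hardening." could also mention array_access_nospec(), which sits outside the guard: if it is built on array_index_nospec(), it silently loses its protection too, and a reader of the header should be told that.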