Re: [PATCH v3 5/7] x86: guard against straight-line speculation past RET
On 11.11.2020 15:19, Roger Pau Monné wrote:
> On Wed, Nov 11, 2020 at 02:33:34PM +0100, Jan Beulich wrote:
>> On 11.11.2020 12:15, Roger Pau Monné wrote:
>>> On Fri, Oct 23, 2020 at 10:38:04AM +0200, Jan Beulich wrote:
>>>> Under certain conditions CPUs can speculate into the instruction stream
>>>> past a RET instruction. Guard against this just like 3b7dab93f240
>>>> ("x86/spec-ctrl: Protect against CALL/JMP straight-line speculation")
>>>> did - by inserting an "INT $3" insn. It's merely the mechanics of how to
>>>> achieve this that differ: A set of macros gets introduced to post-process
>>>> RET insns issued by the compiler (or living in assembly files).
>>>>
>>>> Unfortunately for clang this requires further features their built-in
>>>> assembler doesn't support: We need to be able to override insn mnemonics
>>>> produced by the compiler (which may be impossible, if internally
>>>> assembly mnemonics never get generated), and we want to use \(text)
>>>> escaping / quoting in the auxiliary macro.
>>>>
>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>> Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
>>>> ---
>>>> TBD: Would be nice to avoid the additions in .init.text, but a query to
>>>> the binutils folks regarding the ability to identify the section
>>>> stuff is in (by Peter Zijlstra over a year ago:
>>>> https://sourceware.org/pipermail/binutils/2019-July/107528.html)
>>>> has been left without helpful replies.
>>>> ---
>>>> v3: Use .byte 0xc[23] instead of the nested macros.
>>>> v2: Fix build with newer clang. Use int3 mnemonic. Also override retq.
>>>>
>>>> --- a/xen/Makefile >>>> +++ b/xen/Makefile
>>>> @@ -145,7 +145,15 @@ t2 = $(call as-insn,$(CC) -I$(BASEDIR)/i >>>> # https://bugs.llvm.org/show_bug.cgi?id=36110 >>>> t3 = $(call as-insn,$(CC),".macro FOO;.endm"$(close); asm volatile >>>> $(open)".macro FOO;.endm",-no-integrated-as) >>>> >>>> -CLANG_FLAGS += $(call or,$(t1),$(t2),$(t3)) >>>> +# Check whether \(text) escaping in macro bodies is supported. >>>> +t4 = $(call as-insn,$(CC),".macro m ret:req; \\(ret) $$\\ret; .endm; m >>>> 8",,-no-integrated-as) >>>> + >>>> +# Check whether macros can override insn mnemonics in inline assembly. >>>> +t5 = $(call as-insn,$(CC),".macro ret; .error; .endm; .macro retq; >>>> .error; .endm",-no-integrated-as)
>>>
>>> I was going over this to post a bug report to LLVM, but it seems like
>>> gcc also doesn't overwrite ret when using the above snippet:
>>>
>>> https://godbolt.org/z/oqsPTv
>>
>> I can't see what's different from
>>
>> void test(void) {
>>     asm volatile (".macro ret; .error; .endm; .macro retq; .error; .endm");
>> }
>>
>> but this one produces "Error: .error directive invoked in source file"
>> for me with both old and new gcc.
>
> You are right, I think godbolt is somehow busted?

Or maybe they really only compile to assembly, while the error
results from the assembler?

Jan
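
Review bot: the comment above t5 ("Check whether macros can override insn mnemonics in inline assembly") does not say that this probe selects the flag on the opposite outcome from t4. t4 passes -no-integrated-as after an empty argument (",,-no-integrated-as"), while t5 passes it directly after the snippet as t3 does, and per the replies in this thread the t5 snippet is expected to end in "Error: .error directive invoked in source file" when the override takes effect. Suggest extending the t5 comment to state that an assembler error is the expected result where overriding works, so a later reader does not move the argument to match t4. The replacement for the removed CLANG_FLAGS line is cut from the quoted hunk, so whether t4 and t5 are included in it cannot be checked from here.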
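
A build-side check for the mitigation the commit message describes, as an added example that is not part of this thread or of the Xen tree: it scans `objdump -d` output and reports every RET that is not immediately followed by INT3. The function names and the sample disassembly are constructed for illustration.

```python
import re

# One `objdump -d` instruction line: "  addr:<TAB>hex bytes<TAB>mnemonic operands"
INSN = re.compile(r"^\s*([0-9a-f]+):\t(?:[0-9a-f]{2} )+\s*\t(.+)$")
SECTION = re.compile(r"^Disassembly of section (\S+):")
PREFIXES = {"rep", "repz", "repnz", "bnd", "notrack"}

def mnemonic(text):
    """Return the mnemonic, skipping prefixes such as 'repz' in 'repz retq'."""
    for tok in text.split():
        if tok not in PREFIXES:
            return tok
    return ""

def unguarded_rets(disasm):
    """Return (section, address) for each RET whose next instruction is not INT3."""
    findings, pending, section = [], None, "?"
    for line in disasm.splitlines():
        s = SECTION.match(line)
        if s:
            # A RET that ends a section has nothing guarding it.
            if pending:
                findings.append(pending)
            pending, section = None, s.group(1)
            continue
        m = INSN.match(line)
        if not m:
            continue  # symbol headers, blank lines, byte-continuation lines
        addr, mnem = int(m.group(1), 16), mnemonic(m.group(2))
        if pending and mnem != "int3":
            findings.append(pending)
        pending = (section, addr) if mnem in ("ret", "retq") else None
    if pending:
        findings.append(pending)
    return findings

# Constructed sample in `objdump -d` layout (not taken from a real Xen build).
SAMPLE = "\n".join([
    "Disassembly of section .text:",
    "0000000000001000 <guarded>:",
    "    1002:\tc3                   \tret",
    "    1003:\tcc                   \tint3",
    "0000000000001004 <plain>:",
    "    1004:\tc2 08 00             \tret    $0x8",
    "    1007:\t90                   \tnop",
    "Disassembly of section .init.text:",
    "0000000000002000 <last>:",
    "    2000:\tf3 c3                \trepz ret",
])
```

Run over the disassembly of a built object, an empty result means every compiler-emitted and hand-written RET (both the 0xc3 and 0xc2 forms) picked up its trailing INT3.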