Xen project Mailing List

Re: [PATCH v3] x86/spec-ctrl: Support for SRSO_U/S_NO and SRSO_MSR_FIX

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 27 Dec 2024 10:34:31 +0100

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 27 Dec 2024 09:34:37 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 20.12.2024 20:34, Andrew Cooper wrote: > AMD have updated the SRSO whitepaper[1] with further information. These > features exist on AMD Zen5 CPUs and are necessary for Xen to use. > > The two features are in principle unrelated: > > * SRSO_U/S_NO is an enumeration saying that SRSO attacks can't cross the > User(CPL3) / Supervisor(CPL<3) boundary. i.e. Xen don't need to use > IBPB-on-entry for PV64. PV32 guests are explicitly unsupported for > speculative issues, and excluded from consideration for simplicity. > > * SRSO_MSR_FIX is an enumeration identifying that the BP_SPEC_REDUCE bit is > available in MSR_BP_CFG. When set, SRSO attacks can't cross the host/guest > boundary. i.e. Xen don't need to use IBPB-on-entry for HVM. > > Extend ibpb_calculations() to account for these when calculating > opt_ibpb_entry_{pv,hvm} defaults. Add a `bp-spec-reduce=<bool>` option to > control the use of BP_SPEC_REDUCE, with it active by default. > > Because MSR_BP_CFG is core-scoped with a race condition updating it, repurpose > amd_check_erratum_1485() into amd_check_bp_cfg() and calculate all updates at > once. > > Xen also needs to to advertise SRSO_U/S_NO to guests to allow the guest kernel > to skip SRSO mitigations too: > > * This is trivial for HVM guests. It is also is accurate for PV32 guests > too, but we have already excluded them from consideration, and do so again > here to simplify the policy logic. > > * As written, SRSO_U/S_NO does not help for the PV64 user->kernel boundary. > However, after discussing with AMD, an implementation detail of having > BP_SPEC_REDUCE active causes the PV64 user->kernel boundary to have the > property described by SRSO_U/S_NO, so we can advertise SRSO_U/S_NO to > guests when the BP_SPEC_REDUCE precondition is met. > > Finally, fix a typo in the SRSO_NO's comment. > > [1] > https://www.amd.com/content/dam/amd/en/documents/corporate/cr/speculative-return-stack-overflow-whitepaper.pdf > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> > --- > CC: Jan Beulich <JBeulich@xxxxxxxx> > CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> > CC: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx> > > I cannot say anything more about the SRSO_U/S_NO vs SRSO_MSR_FIX interactions > in public. The safety for PV guests depends on details not covered in the > whitepaper. > > v3: > * Rewrite commit message and comments quite a lot. > > This patch was originally for-4.19. Zen5 CPUs are now in the world and Xen is > unsafe on them without this patch. > > I technically have enough tags to commit it, and it's long overdue, but I > think it would be wise to see if the new wording is clearer to others. It is to me; thanks for making these adjustments. As to said implementation detail: I suppose we can only hope that yet newer implementations won't break this. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.