File 5b21825d-2-x86-spec-ctrl-mitigations-for-LazyFPU.patch of Package xen.8005
# Commit 243435bf67e8159495194f623b9e4d8c90140384
# Date 2018-06-13 21:45:17 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
x86/spec-ctrl: Mitigations for LazyFPU

Intel Core processors since at least Nehalem speculate past #NM, which is the mechanism by which lazy FPU context switching is implemented.

On affected processors, Xen must use fully eager FPU context switching to prevent guests from being able to read FPU state (SSE/AVX/etc) from previously scheduled vcpus.

This is part of XSA-267 / CVE-2018-3665

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -1009,7 +1009,7 @@ Flag to enable Supervisor Mode Execution
 ### spec-ctrl (x86)
 > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb}=<bool>,
-> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd}=<bool> ]`
+> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu}=<bool> ]`
 Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support,
@@ -1059,6 +1059,11 @@ hardware, this is a global option applie
 guest use. On Intel hardware, the feature is virtualised for guests, independently of Xen's choice of setting.
+On all hardware, the `eager-fpu=` option can be used to force or prevent Xen
+from using fully eager FPU context switches. This is currently implemented as
+a global control. By default, Xen will choose to use fully eager context
+switches on hardware believed to speculate past #NM exceptions.
+
 ### sync\_console
 > `= <boolean>`
--- a/xen/arch/x86/i387.c
+++ b/xen/arch/x86/i387.c
@@ -16,6 +16,7 @@
 #include <asm/i387.h>
 #include <asm/xstate.h>
 #include <asm/asm_defns.h>
+#include <asm/spec_ctrl.h>
 /*******************************/
 /* FPU Restore Functions */
@@ -313,6 +314,8 @@ int vcpu_init_fpu(struct vcpu *v)
 if ( is_idle_vcpu(v) )
 goto done;
+ v->arch.fully_eager_fpu = opt_eager_fpu;
+
 if ( (rc = xstate_alloc_save_area(v)) != 0 )
 return rc;
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -40,6 +40,7 @@ enum ind_thunk {
 static int8_t __initdata opt_ibrs = -1;
 bool_t __read_mostly opt_ibpb = 1;
 bool_t __read_mostly opt_ssbd = 0;
+int8_t __read_mostly opt_eager_fpu = -1;
 bool_t __initdata bsp_delay_spec_ctrl;
 int8_t __read_mostly default_xen_spec_ctrl = -1;
@@ -96,6 +97,7 @@ static int __init parse_spec_ctrl(char *
 opt_ibrs = 0;
 opt_ibpb = 0;
+ opt_eager_fpu = 0;
 }
 else if ( val > 0 )
 rc = -EINVAL;
@@ -136,6 +138,8 @@ static int __init parse_spec_ctrl(char *
 opt_ibpb = val;
 else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 )
 opt_ssbd = val;
+ else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 )
+ opt_eager_fpu = val;
 else
 rc = -EINVAL;
@@ -184,13 +188,17 @@ static void __init print_details(enum in
 (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-",
 opt_ibpb ? " IBPB" : "");
- printk(" Support for VMs: PV:%s%s%s, HVM:%s%s%s\n",
- opt_msr_sc_pv || opt_rsb_pv ? "" : " None",
+ printk(" Support for VMs: PV:%s%s%s%s, HVM:%s%s%s%s\n",
+ (opt_msr_sc_pv || opt_rsb_pv ||
+ opt_eager_fpu) ? "" : " None",
 opt_msr_sc_pv ? " MSR_SPEC_CTRL" : "",
 opt_rsb_pv ? " RSB" : "",
- opt_msr_sc_hvm || opt_rsb_hvm ? "" : " None",
+ opt_eager_fpu ? " EAGER_FPU" : "",
+ (opt_msr_sc_hvm || opt_rsb_hvm ||
+ opt_eager_fpu) ? "" : " None",
 opt_msr_sc_hvm ? " MSR_SPEC_CTRL" : "",
- opt_rsb_hvm ? " RSB" : "");
+ opt_rsb_hvm ? " RSB" : "",
+ opt_eager_fpu ? " EAGER_FPU" : "");
 printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s\n",
 opt_xpti & OPT_XPTI_DOM0 ? "enabled" : "disabled",
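Review bot: In the vcpu_init_fpu() hunk of xen/arch/x86/i387.c, `v->arch.fully_eager_fpu = opt_eager_fpu;` copies a tristate that starts life as -1 (see the `int8_t __read_mostly opt_eager_fpu = -1;` hunk), and nothing at the assignment says when that default gets resolved. The -1 is only replaced in init_speculation_mitigations(), so this copy, and the truthiness tests on opt_eager_fpu added to print_details(), presumably rely on that function having run first; the ordering is not visible in this diff. I would add a comment above the assignment along the lines of `/* Expected to be 0 or 1 here: init_speculation_mitigations() resolves the -1 default at boot. */`. It is also worth stating there that the setting is latched per vcpu at creation, since the documentation hunk describes it as a global control. vcpu_init_fpu() begins and ends outside the hunk.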
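Review bot: The `opt_eager_fpu = 0;` added to the disable-everything branch of parse_spec_ctrl() (the `@@ -96,6 +97,7 @@` hunk) means a plain `spec-ctrl=no` also turns off the LazyFPU mitigation, and the paragraph added to xen-command-line.markdown does not say so. A host already booted with `spec-ctrl=no` for performance reasons would therefore not pick up the CVE-2018-3665 protection on affected hardware, with no hint in the option's documentation. The existing description of the boolean form lies outside the visible doc hunks, so it may already be worded generically; if not, one sentence stating that disabling `spec-ctrl` as a whole also disables eager FPU switching would cover it. Whether a later `eager-fpu=1` on the same command line overrides the earlier `no` depends on the parsing loop, which is outside the hunk.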
@@ -261,6 +269,82 @@ static __init int parse_xpti(char *s)
 }
 custom_param("xpti", parse_xpti);
+/* Calculate whether this CPU speculates past #NM */
+static bool_t __init should_use_eager_fpu(void)
+{
+ /*
+ * Assume all unrecognised processors are ok. This is only known to
+ * affect Intel Family 6 processors.
+ */
+ if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL ||
+ boot_cpu_data.x86 != 6 )
+ return 0;
+
+ switch ( boot_cpu_data.x86_model )
+ {
+ /*
+ * Core processors since at least Nehalem are vulnerable.
+ */
+ case 0x1e: /* Nehalem */
+ case 0x1f: /* Auburndale / Havendale */
+ case 0x1a: /* Nehalem EP */
+ case 0x2e: /* Nehalem EX */
+ case 0x25: /* Westmere */
+ case 0x2c: /* Westmere EP */
+ case 0x2f: /* Westmere EX */
+ case 0x2a: /* SandyBridge */
+ case 0x2d: /* SandyBridge EP/EX */
+ case 0x3a: /* IvyBridge */
+ case 0x3e: /* IvyBridge EP/EX */
+ case 0x3c: /* Haswell */
+ case 0x3f: /* Haswell EX/EP */
+ case 0x45: /* Haswell D */
+ case 0x46: /* Haswell H */
+ case 0x3d: /* Broadwell */
+ case 0x47: /* Broadwell H */
+ case 0x4f: /* Broadwell EP/EX */
+ case 0x56: /* Broadwell D */
+ case 0x4e: /* Skylake M */
+ case 0x55: /* Skylake X */
+ case 0x5e: /* Skylake D */
+ case 0x66: /* Cannonlake */
+ case 0x67: /* Cannonlake? */
+ case 0x8e: /* Kabylake M */
+ case 0x9e: /* Kabylake D */
+ return 1;
+
+ /*
+ * Atom processors are not vulnerable.
+ */
+ case 0x1c: /* Pineview */
+ case 0x26: /* Lincroft */
+ case 0x27: /* Penwell */
+ case 0x35: /* Cloverview */
+ case 0x36: /* Cedarview */
+ case 0x37: /* Baytrail / Valleyview (Silvermont) */
+ case 0x4d: /* Avaton / Rangely (Silvermont) */
+ case 0x4c: /* Cherrytrail / Brasswell */
+ case 0x4a: /* Merrifield */
+ case 0x5a: /* Moorefield */
+ case 0x5c: /* Goldmont */
+ case 0x5f: /* Denverton */
+ case 0x7a: /* Gemini Lake */
+ return 0;
+
+ /*
+ * Knights processors are not vulnerable.
+ */
+ case 0x57: /* Knights Landing */
+ case 0x85: /* Knights Mill */
+ return 0;
+
+ default:
+ printk("Unrecognised CPU model %#x - assuming vulnerable to LazyFPU\n",
+ boot_cpu_data.x86_model);
+ return 1;
+ }
+}
+
 void __init init_speculation_mitigations(void)
 {
 enum ind_thunk thunk = THUNK_DEFAULT;
@@ -324,6 +408,10 @@ void __init init_speculation_mitigations
 if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) )
 opt_ibpb = 0;
+ /* Check whether Eager FPU should be enabled by default. */
+ if ( opt_eager_fpu == -1 )
+ opt_eager_fpu = should_use_eager_fpu();
+
 /* (Re)init BSP state now that default_xen_* have been calculated. */
 init_shadow_spec_ctrl_state();
--- a/xen/include/asm-x86/spec_ctrl.h
+++ b/xen/include/asm-x86/spec_ctrl.h
@@ -28,6 +28,7 @@ void init_speculation_mitigations(void);
 extern bool_t opt_ibpb;
 extern bool_t opt_ssbd;
 extern bool_t opt_msr_sc_pv, opt_msr_sc_hvm;
+extern int8_t opt_eager_fpu;
 extern bool_t bsp_delay_spec_ctrl;
 extern int8_t default_xen_spec_ctrl;
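Review bot: The opening comment of should_use_eager_fpu() (the `@@ -261,6 +269,82 @@` hunk) says `Assume all unrecognised processors are ok`, yet the `default:` case of the switch in the same function returns 1 and logs `assuming vulnerable to LazyFPU` for any unrecognised Family 6 model. The comment describes only the vendor/family early return, so it should be narrowed to that, for example `Only Intel Family 6 is known to be affected; other vendors and families are assumed safe.` followed by `Unrecognised Family 6 models are treated as vulnerable (see default).` As written, a reader auditing the mitigation could conclude that new Intel models fail open when they in fact fail closed. The assumption that non-Intel and non-Family-6 parts are safe is a policy choice worth keeping explicit, since the `eager-fpu=` option from the documentation hunk is the only override on such hardware.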