Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
xen.30330
xsa434-3.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa434-3.patch of Package xen.30330
From 2bbc7f2e5f9b2c32fd5ad55db81e17ebdc2a3d4a Mon Sep 17 00:00:00 2001 From: Andrew Cooper <andrew.cooper3@citrix.com> Date: Thu, 15 Jun 2023 13:46:29 +0100 Subject: x86/spec-ctrl: Mitigate Speculative Return Stack Overflow On native, synthesise the SRSO bits by probing various hardware properties as given by AMD. Extend the IBPB-on-entry mitigations to Zen3/4 CPUs. There is a microcode prerequisite to make this an effective mitigation. This is part of XSA-434 / CVE-2023-20569 Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2099,9 +2099,10 @@ guests to use. preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware - vulnerable to Branch Type Confusion, but for performance reasons, dom0 is - unprotected by default. If it necessary to protect dom0 too, boot with - `spec-ctrl=ibpb-entry`. + vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative + Return Stack Overflow if appropriate microcode has been loaded, but for + performance reasons dom0 is unprotected by default. If it is necessary to + protect dom0 too, boot with `spec-ctrl=ibpb-entry`. If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -871,6 +871,63 @@ static bool __init should_use_eager_fpu( } } +static void __init srso_calculations(bool hw_smt_enabled) +{ + if ( !(boot_cpu_data.x86_vendor & + (X86_VENDOR_AMD | X86_VENDOR_HYGON)) ) + return; + + /* + * If virtualised, none of these heuristics are safe. Trust the + * hypervisor completely. + */ + if ( cpu_has_hypervisor ) + return; + + if ( boot_cpu_data.x86 == 0x19 ) + { + /* + * We could have a table of models/microcode revisions. ...or we + * could just look for the new feature added. + */ + if ( wrmsr_safe(MSR_PRED_CMD, PRED_CMD_SBPB) == 0 ) + { + setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE); + setup_force_cpu_cap(X86_FEATURE_SBPB); + } + else + printk(XENLOG_WARNING + "Vulnerable to SRSO, without suitable microcode to mitigate\n"); + } + else if ( boot_cpu_data.x86 < 0x19 ) + { + /* + * Zen1/2 (which have the IBPB microcode) have IBPB_BRTYPE behaviour + * already. + * + * Older CPUs are unknown, but their IBPB likely does flush branch + * types too. As we're synthesising for the benefit of guests, go + * with the likely option - this avoids VMs running on e.g. a Zen3 + * thinking there's no SRSO mitigation available because it may + * migrate to e.g. a Bulldozer. + */ + if ( boot_cpu_has(X86_FEATURE_IBPB) ) + setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE); + } + + /* + * In single-thread mode on Zen1/2, microarchitectural limits prevent SRSO + * attacks from being effective. Synthesise SRSO_NO if SMT is disabled in + * hardware. + * + * Booting with smt=0, or using xen-hptool should be effective too, but + * they can be altered at runtime so it's not safe to presume SRSO_NO. + */ + if ( !hw_smt_enabled && + (boot_cpu_data.x86 == 0x17 || boot_cpu_data.x86 == 0x18) ) + setup_force_cpu_cap(X86_FEATURE_SRSO_NO); +} + static void __init ibpb_calculations(void) { bool def_ibpb_entry = false; @@ -899,6 +956,15 @@ static void __init ibpb_calculations(voi */ if ( !boot_cpu_has(X86_FEATURE_BTC_NO) ) def_ibpb_entry = true; + + /* + * Further to BTC, Zen3/4 CPUs suffer from Speculative Return Stack + * Overflow in most configurations. Mitigate with IBPB-on-entry if we + * have the microcode that makes this an effective option. + */ + if ( !boot_cpu_has(X86_FEATURE_SRSO_NO) && + boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ) + def_ibpb_entry = true; } if ( opt_ibpb_entry_pv == -1 ) @@ -1378,6 +1444,8 @@ void __init init_speculation_mitigations if ( opt_rsb_hvm ) setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); + srso_calculations(hw_smt_enabled); + ibpb_calculations(); /* Check whether Eager FPU should be enabled by default. */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor