diff options
Diffstat (limited to '0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch')
-rw-r--r-- | 0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch b/0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch new file mode 100644 index 0000000..46780c4 --- /dev/null +++ b/0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch @@ -0,0 +1,54 @@ +From 8ae0b4d1331c14fb9e30a42987c0152c9b00f530 Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Mon, 15 Aug 2022 15:40:05 +0200 +Subject: [PATCH 33/67] x86/spec-ctrl: Use IST RSB protection for !SVM systems + +There is a corner case where a VT-x guest which manages to reliably trigger +non-fatal #MC's could evade the rogue RSB speculation protections that were +supposed to be in place. + +This is a lack of defence in depth; Xen does not architecturally execute more +RET than CALL instructions, so an attacker would have to locate a different +gadget (e.g. SpectreRSB) first to execute a transient path of excess RET +instructions. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +master commit: e570e8d520ab542d8d35666b95cb3a0125b7b110 +master date: 2022-08-05 12:16:24 +0100 +--- + xen/arch/x86/spec_ctrl.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index f7b0251c42bc..ac73806eacd8 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -1279,8 +1279,24 @@ void __init init_speculation_mitigations(void) + * mappings. + */ + if ( opt_rsb_hvm ) ++ { + setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); + ++ /* ++ * For SVM, Xen's RSB safety actions are performed before STGI, so ++ * behave atomically with respect to IST sources. ++ * ++ * For VT-x, NMIs are atomic with VMExit (the NMI gets queued but not ++ * delivered) whereas other IST sources are not atomic. Specifically, ++ * #MC can hit ahead the RSB safety action in the vmexit path. ++ * ++ * Therefore, it is necessary for the IST logic to protect Xen against ++ * possible rogue RSB speculation. ++ */ ++ if ( !cpu_has_svm ) ++ default_spec_ctrl_flags |= SCF_ist_rsb; ++ } ++ + ibpb_calculations(); + + /* Check whether Eager FPU should be enabled by default. */ +-- +2.37.3 + |