Diffstat (limited to '0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch')
-rw-r--r-- 0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch | 54
1 files changed, 54 insertions, 0 deletions
diff --git a/0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch b/0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch
new file mode 100644
index 0000000..46780c4
--- /dev/null
+++ b/0033-x86-spec-ctrl-Use-IST-RSB-protection-for-SVM-systems.patch
@@ -0,0 +1,54 @@
+From 8ae0b4d1331c14fb9e30a42987c0152c9b00f530 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Mon, 15 Aug 2022 15:40:05 +0200
+Subject: [PATCH 33/67] x86/spec-ctrl: Use IST RSB protection for !SVM systems
+
+There is a corner case where a VT-x guest which manages to reliably trigger
+non-fatal #MC's could evade the rogue RSB speculation protections that were
+supposed to be in place.
+
+This is a lack of defence in depth; Xen does not architecturally execute more
+RET than CALL instructions, so an attacker would have to locate a different
+gadget (e.g. SpectreRSB) first to execute a transient path of excess RET
+instructions.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+master commit: e570e8d520ab542d8d35666b95cb3a0125b7b110
+master date: 2022-08-05 12:16:24 +0100
+---
+ xen/arch/x86/spec_ctrl.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index f7b0251c42bc..ac73806eacd8 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -1279,8 +1279,24 @@ void __init init_speculation_mitigations(void)
+ * mappings.
+ */
+ if ( opt_rsb_hvm )
++ {
+ setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM);
+
++ /*
++ * For SVM, Xen's RSB safety actions are performed before STGI, so
++ * behave atomically with respect to IST sources.
++ *
++ * For VT-x, NMIs are atomic with VMExit (the NMI gets queued but not
++ * delivered) whereas other IST sources are not atomic. Specifically,
++ * #MC can hit ahead the RSB safety action in the vmexit path.
++ *
++ * Therefore, it is necessary for the IST logic to protect Xen against
++ * possible rogue RSB speculation.
++ */
++ if ( !cpu_has_svm )
++ default_spec_ctrl_flags |= SCF_ist_rsb;
++ }
++
+ ibpb_calculations();
+
+ /* Check whether Eager FPU should be enabled by default. */
+--
+2.37.3
+
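Review bot: In the inner spec_ctrl.c hunk, the new `if ( !cpu_has_svm )` test is broader than the comment above it describes: the comment contrasts SVM (RSB actions before STGI, atomic with IST sources) against VT-x (#MC can race the vmexit-path RSB action), but the condition also sets `SCF_ist_rsb` on hosts with neither SVM nor VT-x whenever `opt_rsb_hvm` is set. That is the conservative direction, so it is likely intentional, but either a one-line note in the comment saying "anything other than SVM gets the IST protection" or a positive VT-x test would make the intent match the documentation. Minor wording: "#MC can hit ahead the RSB safety action" should read "ahead of the RSB safety action". The new braces around the `opt_rsb_hvm` block and the 16-line insertion count in the inner diffstat are consistent with the hunk.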