[Xen-devel] [PATCH v6.5 20/26] x86: Protect unaware domains from meddling hyperthreads
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- v3: * Spelling corrections v4: * Rebase over AMD changes v6: * Fix cpuid_policy_updated() to not corrupt vp->spec_ctrl.host on migrate, or on older versions of Xen where feature flags start as 0 rather than the domain maximum. --- xen/arch/x86/domain.c | 19 +++++++++++++++++++ xen/arch/x86/msr.c | 15 ++++++++++++++- xen/include/asm-x86/cpufeature.h | 3 +++ 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c index d383489..698346e 100644 --- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -2027,6 +2027,25 @@ int domain_relinquish_resources(struct domain *d) */ void cpuid_policy_updated(struct vcpu *v) { + const struct cpuid_policy *cp = v->domain->arch.cpuid; + struct msr_vcpu_policy *vp = v->arch.msr; + + /* + * For guests which know about IBRS but are not told about STIBP running + * on hardware supporting hyperthreading, the guest doesn't know to + * protect itself fully. (Such a guest won't be permitted direct access + * to the MSR.) Have Xen fill in the gaps, so an unaware guest can't be + * interfered with by a meddling guest on an adjacent hyperthread. + */ + if ( cp->feat.ibrsb ) + { + if ( !cp->feat.stibp && cpu_has_stibp && + !(vp->spec_ctrl.guest & (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP)) ) + vp->spec_ctrl.host = SPEC_CTRL_STIBP; + else + vp->spec_ctrl.host = vp->spec_ctrl.guest; + } + if ( is_hvm_vcpu(v) ) hvm_cpuid_policy_changed(v); } diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c index 697cc6e..2d99c64 100644 --- a/xen/arch/x86/msr.c +++ b/xen/arch/x86/msr.c 
@@ -181,7 +181,20 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val) (cp->feat.stibp ? SPEC_CTRL_STIBP : 0)) ) goto gp_fault; /* Rsvd bit set? */ vp->spec_ctrl.guest = val; - vp->spec_ctrl.host = val; + + /* + * For guests which are not told about STIBP, running on hardware + * supporting hyperthreading, the guest doesn't know to protect itself + * fully. (Such a guest won't be permitted direct access to the MSR.) + * When IBRS is not in force, have Xen fill in the gaps, so an unaware + * guest can't be interfered with by a meddling guest on an adjacent + * hyperthread. + */ + if ( !cp->feat.stibp && cpu_has_stibp && + !(val & (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP)) ) + vp->spec_ctrl.host = SPEC_CTRL_STIBP; + else + vp->spec_ctrl.host = val; break; case MSR_PRED_CMD: diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index adc333f..988a834 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -100,6 +100,9 @@ /* CPUID level 0x80000007.edx */ #define cpu_has_itsc boot_cpu_has(X86_FEATURE_ITSC) +/* CPUID level 0x00000007:0.edx */ +#define cpu_has_stibp boot_cpu_has(X86_FEATURE_STIBP) + /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) #define cpu_has_cpuid_faulting boot_cpu_has(X86_FEATURE_CPUID_FAULTING) -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
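Review bot: In cpuid_policy_updated() (xen/arch/x86/domain.c), the reason for the outer "if ( cp->feat.ibrsb )" guard is documented only in the v6 changelog note, which sits below the "---" and will not reach the commit. Please move that explanation (not touching vp->spec_ctrl.host on migrate, or when feature flags start as 0) into the code comment. The comment also omits the qualifier that the override applies only when the guest value has neither SPEC_CTRL_IBRS nor SPEC_CTRL_STIBP set, which the guest_wrmsr() comment does state as "When IBRS is not in force".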
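Review bot: In guest_wrmsr() (xen/arch/x86/msr.c), the assignment "vp->spec_ctrl.host = SPEC_CTRL_STIBP;" replaces the guest value instead of adding to it, so it is only correct while the reserved-bit check just above rejects every bit outside the IBRS/STIBP mask being tested. Using "val | SPEC_CTRL_STIBP" would keep the override correct if further SPEC_CTRL bits are accepted later. The same test and assignment are repeated in cpuid_policy_updated(), so a small shared helper that derives spec_ctrl.host from the policy and the guest value would stop the two paths drifting apart.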
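Review bot: In xen/include/asm-x86/cpufeature.h, cpu_has_stibp is boot_cpu_has(X86_FEATURE_STIBP), so it reports that STIBP is enumerated, whereas the comments at both call sites describe the condition as "hardware supporting hyperthreading". Please state, at the define or in those comments, that STIBP enumeration is being used as the proxy, so a reader does not assume the presence of sibling threads is checked. As a style point, the new 0x00000007:0.edx block is added after the 0x80000007.edx block; if the file lists leaves in ascending order it belongs earlier.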