[Xen-devel] [PATCH v8 11/17] x86: Protect unaware domains from meddling hyperthreads
Set STIBP behind the guests back if it knows about IBRS but not STIBP, and no MSR_SPEC_CTRL protection active.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
v7:
 * Move logic into a static inline helper.
---
 xen/arch/x86/domain.c | 8 ++++++++
 xen/arch/x86/msr.c | 3 ++-
 xen/include/asm-x86/cpufeature.h | 3 +++
 xen/include/asm-x86/spec_ctrl.h | 21 +++++++++++++++++++++
 4 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index da1bf1a..8849e3f 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -65,6 +65,7 @@
 #include <asm/psr.h>
 #include <asm/pv/domain.h>
 #include <asm/pv/mm.h>
+#include <asm/spec_ctrl.h>

 DEFINE_PER_CPU(struct vcpu *, curr_vcpu);

@@ -2030,6 +2031,13 @@ int domain_relinquish_resources(struct domain *d)
 */
 void cpuid_policy_updated(struct vcpu *v)
 {
+ const struct cpuid_policy *cp = v->domain->arch.cpuid;
+ struct msr_vcpu_policy *vp = v->arch.msr;
+
+ /* Calculate a safe host default. */
+ if ( cp->feat.ibrsb )
+ vp->spec_ctrl.host = spec_ctrl_host_val(v->domain, vp->spec_ctrl.guest);
+
 if ( is_hvm_vcpu(v) )
 hvm_cpuid_policy_changed(v);
 }
diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c
index 697cc6e..45c4d78 100644
--- a/xen/arch/x86/msr.c
+++ b/xen/arch/x86/msr.c
@@ -23,6 +23,7 @@
 #include <xen/lib.h>
 #include <xen/sched.h>
 #include <asm/msr.h>
+#include <asm/spec_ctrl.h>

 struct msr_domain_policy __read_mostly hvm_max_msr_domain_policy,
 __read_mostly pv_max_msr_domain_policy;
@@ -181,7 +182,7 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
 (cp->feat.stibp ? SPEC_CTRL_STIBP : 0)) )
 goto gp_fault; /* Rsvd bit set? */
 vp->spec_ctrl.guest = val;
- vp->spec_ctrl.host = val;
+ vp->spec_ctrl.host = spec_ctrl_host_val(d, val);
 break;

 case MSR_PRED_CMD:
diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h
index adc333f..988a834 100644
--- a/xen/include/asm-x86/cpufeature.h
+++ b/xen/include/asm-x86/cpufeature.h
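Review bot: In cpuid_policy_updated() the new `vp->spec_ctrl.host` assignment runs only when `cp->feat.ibrsb` is set, so a policy update that ends with IBRSB clear leaves whatever host value was calculated earlier in place. Whether a domain's policy can lose IBRSB after a host value has been stored is not visible in this hunk; if it can, the stale value (possibly with STIBP set) would keep being used, and an explicit reset in an `else` branch should be considered. If it cannot, the comment should say so instead of only `/* Calculate a safe host default. */`, for example `/* Only guests offered IBRSB can reach MSR_SPEC_CTRL; others keep the initial host value. */`, worded to match what the rest of the series guarantees.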
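Review bot: The call `spec_ctrl_host_val(d, val)` in guest_wrmsr() narrows the 64-bit `val` to the helper's `unsigned int` parameter implicitly, which is only safe because the reserved-bit check just above it has already rejected every bit other than IBRS/STIBP. That dependency deserves a comment at the call site, e.g. `/* Rsvd-bit check above guarantees val fits the helper's unsigned int. */`, so the truncation does not go unnoticed if the check is ever relaxed. From this line on `spec_ctrl.host` can differ from `spec_ctrl.guest`, so any reader of the host field that assumed it mirrors the guest's write needs rechecking; those readers are outside this hunk. guest_wrmsr() starts and ends outside the hunk, including the declaration of `d`.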
@@ -100,6 +100,9 @@
 /* CPUID level 0x80000007.edx */
 #define cpu_has_itsc boot_cpu_has(X86_FEATURE_ITSC)

+/* CPUID level 0x00000007:0.edx */
+#define cpu_has_stibp boot_cpu_has(X86_FEATURE_STIBP)
+
 /* Synthesized. */
 #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON)
 #define cpu_has_cpuid_faulting boot_cpu_has(X86_FEATURE_CPUID_FAULTING)
diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
index e088a55..77f7c60 100644
--- a/xen/include/asm-x86/spec_ctrl.h
+++ b/xen/include/asm-x86/spec_ctrl.h
@@ -20,8 +20,29 @@
 #ifndef __X86_SPEC_CTRL_H__
 #define __X86_SPEC_CTRL_H__

+#include <xen/sched.h>
+
 void init_speculation_mitigations(void);

+/*
+ * For guests which know about IBRS but are not told about STIBP running on
+ * hardware supporting hyperthreading, the guest doesn't know to protect
+ * itself fully. (Such a guest won't be permitted direct access to the MSR.)
+ * Have Xen fill in the gaps, so an unaware guest can't be interfered with by
+ * a meddling guest on an adjacent hyperthread.
+ */
+static inline unsigned int spec_ctrl_host_val(const struct domain *d,
+ unsigned int guest_val)
+{
+ const struct cpuid_policy *cp = d->arch.cpuid;
+
+ if ( !cp->feat.stibp && cpu_has_stibp &&
+ !(guest_val & (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP)) )
+ return SPEC_CTRL_STIBP;
+ else
+ return guest_val;
+}
+
 #endif /* !__X86_SPEC_CTRL_H__ */

 /*
--
2.1.4

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
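Review bot: spec_ctrl_host_val() never tests `cp->feat.ibrsb`, although its comment and the commit message limit the behaviour to guests that know about IBRS. In this patch the gating is left to the callers (explicit in cpuid_policy_updated(), presumably done by earlier checks in guest_wrmsr()), so the precondition belongs in the header comment, e.g. `* Callers must only use this for domains whose policy advertises IBRSB.`. The helper also returns `guest_val` unchanged once the guest has set IBRS, leaving STIBP clear in the host value. That appears to rely on IBRS already covering the sibling-thread case, which deserves a one-line why-comment next to the mask. The comment speaks of "hardware supporting hyperthreading" while the condition only checks `cpu_has_stibp`, so the wording should match the test actually made.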