[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v10 06/11] x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
ret instructions are speculated directly to values recorded in the Return Stack Buffer/Return Address Stack, as there is no uncertainty in well-formed code. Guests can take advantage of this in two ways: 1) If they can find a path in Xen which executes more ret instructions than call instructions. (At least one in the waitqueue infrastructure, probably others.) 2) Use the fact that the RSB/RAS in hardware is actually a circular stack without a concept of empty. (When it logically empties, stale values will start being used.) To mitigate, overwrite the RSB on entry to Xen with gadgets which will capture and contain rogue speculation. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- CC: Jan Beulich <JBeulich@xxxxxxxx> v7: * Rewritten almost from scratch. See code comments for details. v8: * Use jmp rather than call to contain speculation. It doesn't affect the correctness of containment, but removes 6 bytes. v10: * Spelling/comment improvements. * Split to fit around IST safety. Other half of the patch moved into "x86/boot: Calculate the most appropriate BTI mitigation to use" * Avoid using numeric labels in DO_OVERWRITE_RSB --- xen/include/asm-x86/cpufeatures.h | 2 ++ xen/include/asm-x86/nops.h | 1 + xen/include/asm-x86/spec_ctrl_asm.h | 43 +++++++++++++++++++++++++++++++++++++ 3 files changed, 46 insertions(+) diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h index dd2388f..0ee4a1f 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -28,3 +28,5 @@ XEN_CPUFEATURE(IND_THUNK_JMP, (FSCAPINTS+0)*32+14) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(XEN_IBPB, (FSCAPINTS+0)*32+15) /* IBRSB || IBPB */ XEN_CPUFEATURE(XEN_IBRS_SET, (FSCAPINTS+0)*32+16) /* IBRSB && IRBS set in Xen */ XEN_CPUFEATURE(XEN_IBRS_CLEAR, (FSCAPINTS+0)*32+17) /* IBRSB && IBRS clear in Xen */ +XEN_CPUFEATURE(RSB_NATIVE, (FSCAPINTS+0)*32+18) /* RSB overwrite needed for native */ +XEN_CPUFEATURE(RSB_VMEXIT, (FSCAPINTS+0)*32+20) /* RSB overwrite needed for vmexit */ diff --git a/xen/include/asm-x86/nops.h b/xen/include/asm-x86/nops.h index a35ef96..9806010 100644 --- a/xen/include/asm-x86/nops.h +++ b/xen/include/asm-x86/nops.h @@ -70,6 +70,7 @@ #define ASM_NOP24 ASM_NOP8; ASM_NOP8; ASM_NOP8 #define ASM_NOP29 ASM_NOP8; ASM_NOP8; ASM_NOP8; ASM_NOP5 #define ASM_NOP32 ASM_NOP8; ASM_NOP8; ASM_NOP8; ASM_NOP8 +#define ASM_NOP34 ASM_NOP8; ASM_NOP8; ASM_NOP8; ASM_NOP8; ASM_NOP2 #define ASM_NOP_MAX 9 diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h index e0ddbd9..51d87a9 100644 --- a/xen/include/asm-x86/spec_ctrl_asm.h +++ b/xen/include/asm-x86/spec_ctrl_asm.h @@ -74,6 +74,43 @@ * - SPEC_CTRL_EXIT_TO_GUEST */ +.macro DO_OVERWRITE_RSB +/* + * Requires nothing + * Clobbers %rax, %rcx + * + * Requires 256 bytes of stack space, but %rsp has no net change. Based on + * Google's performance numbers, the loop is unrolled to 16 iterations and two + * calls per iteration. + * + * The call filling the RSB needs a nonzero displacement. A nop would do, but + * we use "1: pause, jmp 1b" to safely contains any ret-based speculation, + * even if the loop is speculatively executed prematurely. + * + * %rsp is preserved by using an extra GPR because a) we've got plenty spare, + * b) the two movs are shorter to encode than `add $32*8, %rsp`, and c) can be + * optimised with mov-elimination in modern cores. + */ + mov $16, %ecx /* 16 iterations, two calls per loop */ + mov %rsp, %rax /* Store the current %rsp */ + +.L\@_fill_rsb_loop: + + .irp n, 1, 2 /* Unrolled twice. */ + call .L\@_insert_rsb_entry_\n /* Create an RSB entry. */ + +.L\@_capture_speculation_\n: + pause + jmp .L\@_capture_speculation_\n /* Capture rogue speculation. */ + +.L\@_insert_rsb_entry_\n: + .endr + + sub $1, %ecx + jnz .L\@_fill_rsb_loop + mov %rax, %rsp /* Restore old %rsp */ +.endm + .macro DO_SPEC_CTRL_ENTRY_FROM_VMEXIT ibrs_val:req /* * Requires %rbx=current, %rsp=regs/cpuinfo @@ -175,6 +212,8 @@ /* Use after a VMEXIT from an HVM guest. */ #define SPEC_CTRL_ENTRY_FROM_VMEXIT \ + ALTERNATIVE __stringify(ASM_NOP34), \ + DO_OVERWRITE_RSB, X86_FEATURE_RSB_VMEXIT; \ ALTERNATIVE_2 __stringify(ASM_NOP32), \ __stringify(DO_SPEC_CTRL_ENTRY_FROM_VMEXIT \ ibrs_val=SPEC_CTRL_IBRS), \ @@ -185,6 +224,8 @@ /* Use after an entry from PV context (syscall/sysenter/int80/int82/etc). */ #define SPEC_CTRL_ENTRY_FROM_PV \ + ALTERNATIVE __stringify(ASM_NOP34), \ + DO_OVERWRITE_RSB, X86_FEATURE_RSB_NATIVE; \ ALTERNATIVE_2 __stringify(ASM_NOP22), \ __stringify(DO_SPEC_CTRL_ENTRY maybexen=0 \ ibrs_val=SPEC_CTRL_IBRS), \ @@ -194,6 +235,8 @@ /* Use in interrupt/exception context. May interrupt Xen or PV context. */ #define SPEC_CTRL_ENTRY_FROM_INTR \ + ALTERNATIVE __stringify(ASM_NOP34), \ + DO_OVERWRITE_RSB, X86_FEATURE_RSB_NATIVE; \ ALTERNATIVE_2 __stringify(ASM_NOP29), \ __stringify(DO_SPEC_CTRL_ENTRY maybexen=1 \ ibrs_val=SPEC_CTRL_IBRS), \ -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |