
Re: [PATCH v3 5/7] x86: guard against straight-line speculation past RET


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Wed, 11 Nov 2020 12:15:04 +0100
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Wed, 11 Nov 2020 11:15:18 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Oct 23, 2020 at 10:38:04AM +0200, Jan Beulich wrote:
> Under certain conditions CPUs can speculate into the instruction stream
> past a RET instruction. Guard against this just like 3b7dab93f240
> ("x86/spec-ctrl: Protect against CALL/JMP straight-line speculation")
> did - by inserting an "INT $3" insn. It's merely the mechanics of how to
> achieve this that differ: A set of macros gets introduced to post-
> process RET insns issued by the compiler (or living in assembly files).
> 
> Unfortunately for clang this requires further features their built-in
> assembler doesn't support: We need to be able to override insn mnemonics
> produced by the compiler (which may be impossible, if internally
> assembly mnemonics never get generated), and we want to use \(text)
> escaping / quoting in the auxiliary macro.
> 
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> ---
> TBD: Would be nice to avoid the additions in .init.text, but a query to
>      the binutils folks regarding the ability to identify the section
>      stuff is in (by Peter Zijlstra over a year ago:
>      https://sourceware.org/pipermail/binutils/2019-July/107528.html)
>      has been left without helpful replies.
> ---
> v3: Use .byte 0xc[23] instead of the nested macros.
> v2: Fix build with newer clang. Use int3 mnemonic. Also override retq.
> 
> --- a/xen/Makefile
> +++ b/xen/Makefile
> @@ -145,7 +145,15 @@ t2 = $(call as-insn,$(CC) -I$(BASEDIR)/i
>  # https://bugs.llvm.org/show_bug.cgi?id=36110
>  t3 = $(call as-insn,$(CC),".macro FOO;.endm"$(close); asm volatile 
> $(open)".macro FOO;.endm",-no-integrated-as)
>  
> -CLANG_FLAGS += $(call or,$(t1),$(t2),$(t3))
> +# Check whether \(text) escaping in macro bodies is supported.
> +t4 = $(call as-insn,$(CC),".macro m ret:req; \\(ret) $$\\ret; .endm; m 
> 8",,-no-integrated-as)
> +
> +# Check whether macros can override insn mnemonics in inline assembly.
> +t5 = $(call as-insn,$(CC),".macro ret; .error; .endm; .macro retq; .error; 
> .endm",-no-integrated-as)
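
Review bot: the two probes added here have opposite senses and nothing says so: t4 passes -no-integrated-as as the fourth as-insn argument (selected when the \(text) snippet fails to assemble), while t5, like t3 above it, passes it as the third (selected when the snippet assembles cleanly), because the .error in the ret/retq macro bodies can only fire if the assembler expands the compiler's own trailing ret through the macro, so an assembly error is the positive outcome for t5. Suggest a one-line comment on t5 such as "# An assembly error here means the override works", plus a note that the probe depends on the compiler emitting a ret/retq after the asm statement in the as-insn test function; a probe body that happens not to end in RET would assemble cleanly and silently select -no-integrated-as.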

I was going over this to post a bug report to LLVM, but it seems like
gcc also doesn't overwrite ret when using the above snippet:

https://godbolt.org/z/oqsPTv

Roger.

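The RET-plus-INT3 guard the commit message describes, as an added example that is not Xen's code and not Jan's patch: a gas macro emits the RET as raw bytes (the v3 ".byte 0xc[23]" approach) followed by INT3, a small function uses it, and a byte scan over the emitted code confirms the guard is present. The macro name RET_SLS, the functions sls_add and sls_guard_status, and the label names are made up for this example; the patch itself overrides the ret/retq mnemonics, which needs an assembler whose .macro can shadow a mnemonic (what the t5 probe tests), and that override is not demonstrated here. Assumes an x86-64 ELF toolchain (gcc or clang) on Linux.

```c
/*
 * Added example, not Xen's code: the RET + INT3 guard the patch describes,
 * written as a stand-alone gas macro. RET_SLS, sls_add, sls_guard_status and
 * the labels are hypothetical names for this example. The patch instead
 * overrides the ret/retq mnemonics themselves, which needs an assembler whose
 * .macro can shadow a mnemonic (the t5 probe). Assumes x86-64 ELF on Linux.
 */
#include <stddef.h>
#include <stdio.h>

#ifndef __x86_64__
#error "this example targets x86-64 only"
#endif

__asm__(
    /*
     * RET_SLS [imm]: emit RET (0xc3) or RET imm16 (0xc2 iw) as raw bytes,
     * as the v3 changelog does, then INT3 (0xcc). If the CPU speculates
     * straight past the RET it executes a trap instead of whatever code
     * happens to follow. A macro that shadows the 'ret' mnemonic could not
     * write 'ret' in its own body without recursing, hence the .byte form.
     */
    ".macro RET_SLS imm\n"
    "    .ifb \\imm\n"
    "        .byte 0xc3\n"
    "    .else\n"
    "        .byte 0xc2\n"
    "        .word \\imm\n"
    "    .endif\n"
    "    int3\n"
    ".endm\n"
    "    .text\n"
    /* int sls_add(int a, int b) { return a + b; } with a guarded return. */
    "    .globl sls_add\n"
    "    .globl sls_add_code\n"
    "    .globl sls_add_end\n"
    "    .type sls_add, @function\n"
    "sls_add_code:\n"
    "sls_add:\n"
    "    leal (%rdi, %rsi), %eax\n"
    "    RET_SLS\n"
    "sls_add_end:\n"
    "    .size sls_add, sls_add_end - sls_add\n"
    /* The RET $imm16 form: only inspected from C, never called. */
    "    .globl sls_ret8_blob\n"
    "    .globl sls_ret8_end\n"
    "sls_ret8_blob:\n"
    "    RET_SLS 8\n"
    "sls_ret8_end:\n"
    /* The unguarded shape the patch removes: a bare RET followed by whatever
     * comes next (a NOP stands in for the next function's first bytes). */
    "    .globl unguarded_blob\n"
    "    .globl unguarded_end\n"
    "unguarded_blob:\n"
    "    leal (%rdi, %rsi), %eax\n"
    "    ret\n"
    "    nop\n"
    "unguarded_end:\n"
    "    .section .note.GNU-stack, \"\", @progbits\n"
    "    .text\n"
);

int sls_add(int a, int b);

/* Byte views of the three code spans delimited by the labels above. */
extern const unsigned char sls_add_code[], sls_add_end[];
extern const unsigned char sls_ret8_blob[], sls_ret8_end[];
extern const unsigned char unguarded_blob[], unguarded_end[];

/*
 * Classify the first RET in [code, code + len): 1 if INT3 immediately
 * follows it (guarded), 0 if not, -1 if the span contains no RET at all.
 * This is a byte scan over short, known spans, not a disassembler.
 */
int sls_guard_status(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        size_t next;

        if (code[i] == 0xc3)            /* RET */
            next = i + 1;
        else if (code[i] == 0xc2)       /* RET imm16 */
            next = i + 3;
        else
            continue;

        return next < len && code[next] == 0xcc;
    }
    return -1;
}

int main(void)
{
    printf("sls_add(40, 2)  = %d\n", sls_add(40, 2));
    printf("guarded RET     = %d\n",
           sls_guard_status(sls_add_code, (size_t)(sls_add_end - sls_add_code)));
    printf("guarded RET $8  = %d\n",
           sls_guard_status(sls_ret8_blob, (size_t)(sls_ret8_end - sls_ret8_blob)));
    printf("bare RET        = %d\n",
           sls_guard_status(unguarded_blob, (size_t)(unguarded_end - unguarded_blob)));
    return 0;
}
```

The same check is what a reviewer would do on a real build: `objdump -d` on the object should show every `c3` (or `c2 xx xx`) immediately followed by `cc`. Note that the scan deliberately returns 0 rather than 1 for the bare-RET span even though a NOP follows it; the point of the guard is that the bytes after RET are not under the author's control, and only INT3 counts.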