Xen project Mailing List

Re: [PATCH v2 3/3] x86/Kconfig: introduce option to select retpoline usage

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 17 Feb 2022 11:34:40 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=L5oYhkmLmM+trtw5ccrjv11z5sGlM9gOJ4043XAXVxs=; b=gfIA6ICeSCsc/5Fw1EHLF2t9VfsUMYDBn+rf/4oBgoufMuCh4MinnSqfxqSmBoO2hQ/bZ9T/NGaMDnmaxjXO88McONJDXGc7MVOXwDbjct/ch3uD4LLJKo+M+qiWPw7lDJaiLR49JMcViSq1e1HmewFCcdR/UEUQAzVfqJ+XI0tXqzmkYO0DedhodRJu6CgCjXT6KGtqqyWGjo4RmppxiQGfQp6S4rtP3hxF37MXIHpSIStIFbPexvyBprO53NBvhNJ6wvuGeVKhoCmxvcwdTm27N6RiqCPPJM692GetO2mlkCbLTiWze0yjiBrP2jHRWQxynF5aLHgAFnFOB4+kCw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Lxgis4sOxLOq/CLc/1A4V65Rz1ivzTY+OxbEApIJfxOXwwqNlmzchh1/hIte+S9NK8cpRPcA8gi6XdJPS5qvWjsyjBAQ6RzpgJaTbN8G/zTLTmvKcu7g4ScDdPq8BLmihWHif5R+fMNdF4E7iIpD8xixjb2bqILG6h298O7YdS1cHxKhR7z+yWPR4OI10REoiZL+JsZUdRxgIsI+JN5wd07Bi5aPcWqSv622N9bsReLRWzUDOn8JjRXSx3j4Yfqxx8Dx51iuGRnNdV0psthxUK2cqD+rDfIpNt0TDebPvjdZQMniBbS1a27dGZhCCduqZ32sY96hPe+MNtWw+IuiHg==

Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 17 Feb 2022 10:34:54 +0000

Ironport-data: A9a23:OXDSmqLMNSD9kfcXFE+RT5IlxSXFcZb7ZxGr2PjKsXjdYENS0GQBz DEXWGzXP//eYGX8Ltp2PYnk9BtS6JaDnd9lG1RlqX01Q3x08seUXt7xwmUcns+xwm8vaGo9s q3yv/GZdJhcokcxIn5BC5C5xZVG/fjgqoHUVaiUakideSc+EH170Ug6xLZg6mJVqYPR7z2l6 IuaT/L3YDdJ6xYsWo7Dw/vewP/HlK2aVAIw5jTSV9gS1LPtvyB94KYkDbOwNxPFrrx8RYZWc QphIIaRpQs19z91Yj+sfy2SnkciGtY+NiDW4pZatjTLbrGvaUXe345iXMfwZ3u7hB22rcJ0z 9IX7aaKVFcSP43Vxf05aBpXRnQW0a1uoNcrIFC6uM2XiUbHb2Ht07NlC0Re0Y8wo7gtRzsUr LpBdW5LPkvra+GemdpXTsF2gcsuNo/zNZ43sXB81zDJS/0hRPgvRo2Uvo8GhG5p1qiiG97cV ck2S2FFPS3xOTFiK1hUOaMlzei30yyXnzpw9wvO+PtfD3Lo5AZ8yqT3OdzZPNmDX9xIn12wr 3jDuW/+B3kyK9i32TeDtHW2iYfnjS79HY4fCrC83vprm0GIgHweDgUMUlm2quX/jVSxM/pdI UEJ/islrYAp6VemCNL6WnWQomOAvxMac8pdFas98g7l4rHP/w+TC2wATzhAQN8rrsk7QXotz FDhoj/yLWUx6vvPEyvbr+rK62PpUcQIEYMcTRA2Xw4C5IO7mrsu3inObs8+CYqOjdKgTFkc3 Au2hCQ5grwSi+sC2KO64U3LjlqQm3TZcuImzl6JBzz4t2uVcKbgPtX1sgaDsZ6sOa7EFgHpg ZQSpySJAAni57mpnTfFfugCFarBCx2tYGyF2g4H83XMGl2QF5+fkWJ4vGAWyKRBaJ9sldrVj Kn741w5CHh7ZibCUEOPS9jtY/nGNIC5fTgfatjab8BVfr96fxKd8SdlaCa4hj6xzRB3zv9jZ MzELK5A6Er274w9k1JaoM9HjNcWKt0WnzuPFfgXMTz8uVZhWJJlYehcawbfBgzIxKiFvB/U4 75i2ziikH1ivBnFSnCPq+Y7dAlSRVBiXMyeg5EHJ4arf1s9cEl8WqC5/F/UU9E890ijvryTp S/Vt44x4AeXuEAr3i3ROyo8Nu2+BsckxZ/5VAR1VWuVN7EYSd/HxI8UdoctfKlh8+pmzPVuS OICddnGCfNKIgkrMRxEBXUkhIA9JhmtmyyUOC+pPGo2c5J6HlSb8d74ZAr/siIJC3Pv58c5p rSh0CLdQIYCGFs+XJqHNqr3wgPjp2UZlcJzQ1DMfotZdnLz/dU4MCf2lPI2fZ0BcE2R2juA2 g+KKh4Evu2R8ZQt+dzEiPnc/YekGudzBGRAGGzf4erkPCXW5DP7k4RBTPyJbXbWU2atoPeuY uBczvfdNvwbnQkV79ogQugzla9nvonhvb5XyAhgDU7nVVXzB+MyOGSC0OlOqrZJmu1TtzypV x/d4dJdI7iIZp/oSQZDOAo/Y+2f/vgIgT2Ov+8tKUD36SIrrrqKVUJeY0uFhCBHdeYnNYokx aEqudIM6hz5gR0va47UgidR/mWKD3oBT6R46c1KXN610lImmgNYfJjRKi7q+5XeOdxDP34jL iKQmKef1a9XwVDPciZrGHXAtQaHaU/iZPyeIIc+Gmm0

Ironport-hdrordr: A9a23:fJAqoapb2mWdhtg5sEeWHBkaV5uxL9V00zEX/kB9WHVpm5Oj+f xGzc516farslossREb+expOMG7MBXhHLpOkPQs1NCZLXXbUQqTXftfBO7ZogEIdBeOk9K1uZ 0QF5SWTeeAcmSS7vyKkDVQcexQuOVvmZrA7Yy1ogYPPGNXguNbnnxE426gYzxLrWJ9dOME/f Snl616T23KQwVoUi33PAhOY8Hz4/nw0L72ax8PABAqrCGIkDOT8bb/VzyVxA0XXT9jyaortT GtqX202oyT99WAjjPM3W7a6Jpb3PPn19t4HcSJzuwYMC/lhAqEbJloH5eCoDc2iuey70tCqq iAnz4Qe+BIr1/BdGC8phXgnyHmzTYV8nfnjWSVhHPyyPaJDQ4SOo5kv8Z0YxHZ400vsJVXy6 RQxV+UsJJREFfpgDn9z8KgbWAqqmOE5V4Z1cIDhX1WVoUTLJVLq5YEwU9TGJAcWArn9YEcFv V0Bs203ocZTbqjVQGbgoBT+q3vYpxqdS32B3Tq+/blnAS+pUoJj3fxn6ck7zM9HJFUcegz2w 2LCNUuqFh0dL5lUUtKPpZ3fSKGMB2/ffvyChPmHb3GLtBOB5ufke+93F0KjNvaDKDgiqFC3q j8bA==

Ironport-sdr: jhgwknE7O09vuosLOJewtHlZK1wuY3wm77WxhywGgei7PCvUjl3NxS7MNRSdBafw+Aus0oJRCa UM4XT6vNU9Dcy71oIC9gIN4+sY88zl0UUNMLyRPvlkPUErtQDCz1hKDSGWrnyHHoZ07i5BcGpJ f5fcbiLrffs3KrKpu28rjJ8osiVU/89OP8P6L8XpPOG4Y6SHvnMEtn27pbq3lQEQe9d4yim1lC /Q+clqc0xjMbifDMGb/7vYaAgJY921SlB8vx8mH7cUVPhhF0Aea5wZnXQtEfgvtbn0mSo22NJl Nin27tLDhIm2Qo1ES+D+7lQC

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Feb 17, 2022 at 10:07:32AM +0100, Jan Beulich wrote: > On 16.02.2022 17:21, Roger Pau Monne wrote: > > Add a new Kconfig option under the "Speculative hardening" section > > that allows selecting whether to enable retpoline. This depends on the > > underlying compiler having retpoline support. > > > > Requested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> > > Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> > > There's one aspect though which I would like to see Arm maintainer > input on: > > > --- a/xen/arch/x86/Kconfig > > +++ b/xen/arch/x86/Kconfig > > @@ -38,10 +38,6 @@ config GCC_INDIRECT_THUNK > > config CLANG_INDIRECT_THUNK > > def_bool $(cc-option,-mretpoline-external-thunk) > > > > -config INDIRECT_THUNK > > - def_bool y > > - depends on GCC_INDIRECT_THUNK || CLANG_INDIRECT_THUNK > > Moving this ... > > > --- a/xen/common/Kconfig > > +++ b/xen/common/Kconfig > > @@ -146,6 +146,22 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS > > > > If unsure, say Y. > > > > +config INDIRECT_THUNK > > + bool "Speculative Branch Target Injection Protection" > > + depends on X86 && (GCC_INDIRECT_THUNK || CLANG_INDIRECT_THUNK) > > ... here despite being explicitly marked x86-specific looks a > little odd. Since the dependencies are x86-specific, dropping > X86 from here would make my slight concern go away. Right - I've added the X86 because I was concerned about GCC or CLANG also exposing the repoline options on Arm, but that's not an issue because the compiler tests are only done for x86 anyway. Feel free to drop the 'X86 &&' and the parentheses if you wish. Otherwise I can resend if you prefer. Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.