[xen stable-4.10] x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests


[xen stable-4.10] x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests

patchbot
commit 641c11ef293c7f3a58c1856138835c06e09d6b07
Author:     Andrew Cooper <[hidden email]>
AuthorDate: Thu Feb 8 11:47:41 2018 +0100
Commit:     Jan Beulich <[hidden email]>
CommitDate: Thu Feb 8 11:47:41 2018 +0100

    x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests
   
    Intel specifies IBRS/IBPB (combined, in a single bit) and STIBP as a separate
    bit.  AMD specifies IBPB alone in a 3rd bit.
   
    AMD's IBPB is a subset of Intel's combined IBRS/IBPB.  For performance
    reasons, administrators might wish to express "IBPB only" even on Intel
    hardware, so we allow the AMD bit to be used for this purpose.
   
    The behaviour of STIBP is more complicated.
   
    It is our current understanding that STIBP will be advertised on HT-capable
    hardware irrespective of whether HT is enabled, but not advertised on
    HT-incapable hardware.  However, for ease of virtualisation, STIBP's
    functionality is ignored rather than reserved by microcode/hardware on
    HT-incapable hardware.
   
    For guest safety, we treat STIBP as special, always override the toolstack
    choice, and always advertise STIBP if IBRS is available.  This removes the
    corner case where STIBP is not advertised, but the guest is running on
    HT-capable hardware where it does matter.
   
    Finally as a bugfix, update the libxc CPUID logic to understand the e8b
    feature leaf, which has the side effect of also offering CLZERO to guests on
    applicable hardware.
   
    Signed-off-by: Andrew Cooper <[hidden email]>
    Acked-by: Wei Liu <[hidden email]>
    Reviewed-by: Jan Beulich <[hidden email]>
    master commit: d297b56682e730d598e2529cc6998151d3b6f6f8
    master date: 2018-01-26 14:10:21 +0000
---
 tools/libxc/xc_cpuid_x86.c                  |  4 +++-
 xen/arch/x86/cpuid.c                        | 28 ++++++++++++++++++++++++++++
 xen/include/public/arch-x86/cpufeatureset.h |  2 +-
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/tools/libxc/xc_cpuid_x86.c b/tools/libxc/xc_cpuid_x86.c
index 25b922e..9fa2f7c 100644
--- a/tools/libxc/xc_cpuid_x86.c
+++ b/tools/libxc/xc_cpuid_x86.c
@@ -465,7 +465,9 @@ static void xc_cpuid_hvm_policy(xc_interface *xch,
 
     case 0x80000008:
         regs[0] &= 0x0000ffffu;
-        regs[1] = regs[3] = 0;
+        regs[1] = info->featureset[featureword_of(X86_FEATURE_CLZERO)];
+        /* regs[2] handled in the per-vendor logic. */
+        regs[3] = 0;
         break;
 
     case 0x00000002: /* Intel cache info (dumped by AMD policy) */
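Review bot: The index expression on the new `regs[1]` line names only CLZERO, but the assignment hands the guest the whole feature word that CLZERO lives in, which the commit message identifies as the e8b leaf and which, per the cpufeatureset.h hunk in this commit, also carries IBPB (8*32+12). A short comment would make that visible to the next reader: `/* Whole e8b feature word (CLZERO, IBPB, ...), as filtered into info->featureset. */`. The diffstat shows this hunk is the only change to the file, so if a PV counterpart of this `case 0x80000008` exists elsewhere in xc_cpuid_x86.c (not visible here) it presumably still zeroes regs[1] and is worth checking. The switch in xc_cpuid_hvm_policy starts and ends outside the hunk.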
diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c
index 2ef71d2..b3c9ac6 100644
--- a/xen/arch/x86/cpuid.c
+++ b/xen/arch/x86/cpuid.c
@@ -383,6 +383,16 @@ static void __init calculate_pv_max_policy(void)
     /* Unconditionally claim to be able to set the hypervisor bit. */
     __set_bit(X86_FEATURE_HYPERVISOR, pv_featureset);
 
+    /* On hardware with IBRS/IBPB support, there are further adjustments. */
+    if ( test_bit(X86_FEATURE_IBRSB, pv_featureset) )
+    {
+        /* Offer STIBP unconditionally.  It is a nop on non-HT hardware. */
+        __set_bit(X86_FEATURE_STIBP, pv_featureset);
+
+        /* AMD's IBPB is a subset of IBRS/IBPB. */
+        __set_bit(X86_FEATURE_IBPB, pv_featureset);
+    }
+
     sanitise_featureset(pv_featureset);
     cpuid_featureset_to_policy(pv_featureset, p);
     recalculate_xstate(p);
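Review bot: The comment `It is a nop on non-HT hardware` states as fact what the commit message describes only as the current understanding of how microcode treats STIBP, and setting X86_FEATURE_STIBP here without any hardware check rests entirely on that behaviour. I would carry the caveat in the comment, e.g. `/* Offer STIBP unconditionally.  Understood to be ignored, not reserved, on non-HT hardware. */`. The same block is repeated verbatim in the calculate_hvm_max_policy hunk that follows. A small `static void __init` helper taking the featureset pointer, called just before each `sanitise_featureset()`, would keep the PV and HVM speculation-control bits from drifting apart. Both function bodies begin outside their hunks.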
@@ -440,6 +450,16 @@ static void __init calculate_hvm_max_policy(void)
             __clear_bit(X86_FEATURE_XSAVES, hvm_featureset);
     }
 
+    /* On hardware with IBRS/IBPB support, there are further adjustments. */
+    if ( test_bit(X86_FEATURE_IBRSB, hvm_featureset) )
+    {
+        /* Offer STIBP unconditionally.  It is a nop on non-HT hardware. */
+        __set_bit(X86_FEATURE_STIBP, hvm_featureset);
+
+        /* AMD's IBPB is a subset of IBRS/IBPB. */
+        __set_bit(X86_FEATURE_IBPB, hvm_featureset);
+    }
+
     sanitise_featureset(hvm_featureset);
     cpuid_featureset_to_policy(hvm_featureset, p);
     recalculate_xstate(p);
@@ -581,6 +601,14 @@ void recalculate_cpuid_policy(struct domain *d)
     recalculate_xstate(p);
     recalculate_misc(p);
 
+    /*
+     * Override STIBP to match IBRS.  Guests can safely use STIBP
+     * functionality on non-HT hardware, but can't necesserily protect
+     * themselves from SP2/Spectre/Branch Target Injection if STIBP is hidden
+     * on HT-capable hardware.
+     */
+    p->feat.stibp = p->feat.ibrsb;
+
     for ( i = 0; i < ARRAY_SIZE(p->cache.raw); ++i )
     {
         if ( p->cache.subleaf[i].type >= 1 &&
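Review bot: The new comment misspells `necessarily` as `necesserily`, and it says "match IBRS" where the bit actually copied is `ibrsb`, the combined IBRS/IBPB bit. Because the assignment silently discards whatever the toolstack chose for STIBP, the comment should say so outright, for example `Override the toolstack's STIBP setting to match IBRSB.` The override is only correct if `p->feat.ibrsb` already holds its final value at this point. The earlier part of recalculate_cpuid_policy is outside the hunk, so that ordering should be confirmed.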
diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
index e148755..0f21fed 100644
--- a/xen/include/public/arch-x86/cpufeatureset.h
+++ b/xen/include/public/arch-x86/cpufeatureset.h
@@ -243,7 +243,7 @@ XEN_CPUFEATURE(IBPB,          8*32+12) /*   IBPB support only (no IBRS, used by
 XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A  AVX512 Neural Network Instructions */
 XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A  AVX512 Multiply Accumulation Single Precision */
 XEN_CPUFEATURE(IBRSB,         9*32+26) /*   IBRS and IBPB support (used by Intel) */
-XEN_CPUFEATURE(STIBP,         9*32+27) /*   STIBP */
+XEN_CPUFEATURE(STIBP,         9*32+27) /*!  STIBP */
 
 #endif /* XEN_CPUFEATURE */
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.10
