slackbuilds_ponce/system/xen/xsa/xsa263-4.10-0010-x86-spec_ctrl-Introduce-a-new-spec-ctrl-command-line.patch

From 952ff9f5590e37952d7dd3d89e16a47a238ab079 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Thu, 26 Apr 2018 10:52:55 +0100
Subject: [PATCH] x86/spec_ctrl: Introduce a new `spec-ctrl=` command line
 argument to replace `bti=`

In hindsight, the options for `bti=` aren't as flexible or useful as expected
(including several options which don't appear to behave as intended).
Changing the behaviour of an existing option is problematic for compatibility,
so introduce a new `spec-ctrl=` in the hopes that we can do better.

One common way of deploying Xen is with a single PV dom0 and all domUs being
HVM domains.  In such a setup, an administrator who has weighed up the risks
may wish to forgo protection against malicious PV domains, to reduce the
overall performance hit.  To cater for this usecase, `spec-ctrl=no-pv` will
disable all speculative protection for PV domains, while leaving all
speculative protection for HVM domains intact.

For coding clarity as much as anything else, the suboptions are grouped by
logical area; those which affect the alternatives blocks, and those which
affect Xen's in-hypervisor settings.  See the xen-command-line.markdown for
full details of the new options.

While changing the command line options, take the time to change how the data
is reported to the user.  The three DEBUG printks are upgraded to unilateral,
as they are all relevant pieces of information, and the old "mitigations:"
line is split in the two logical areas described above.

Sample output from booting with `spec-ctrl=no-pv` looks like:

  (XEN) Speculative mitigation facilities:
  (XEN)   Hardware features: IBRS/IBPB STIBP IBPB
  (XEN)   Compiled-in support: INDIRECT_THUNK
  (XEN)   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS-, Other: IBPB
  (XEN)   Support for VMs: PV: None, HVM: MSR_SPEC_CTRL RSB
  (XEN)   XPTI (64-bit PV only): Dom0 enabled, DomU enabled

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Juergen Gross <jgross@suse.com>
(cherry picked from commit 3352afc26c497d26ecb70527db3cb29daf7b1422)
---
 docs/misc/xen-command-line.markdown |  49 +++++++++++
 xen/arch/x86/spec_ctrl.c            | 160 ++++++++++++++++++++++++++++++------
 2 files changed, 186 insertions(+), 23 deletions(-)

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 6c673ee..43a6ddb 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -248,6 +248,9 @@ the NMI watchdog is also enabled.
 ### bti (x86)
 > `= List of [ thunk=retpoline|lfence|jmp, ibrs=<bool>, ibpb=<bool>, rsb_{vmexit,native}=<bool> ]`
 
+**WARNING: This command line option is deprecated, and superseded by
+_spec-ctrl=_ - using both options in combination is undefined.**
+
 Branch Target Injection controls.  By default, Xen will pick the most
 appropriate BTI mitigations based on compiled in support, loaded microcode,
 and hardware details.
@@ -1698,6 +1701,52 @@ enforces the maximum theoretically necessary timeout of 670ms. Any number
 is being interpreted as a custom timeout in milliseconds. Zero or boolean
 false disable the quirk workaround, which is also the default.
 
+### spec-ctrl (x86)
+> `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb}=<bool>,
+>              bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb}=<bool> ]`
+
+Controls for speculative execution sidechannel mitigations.  By default, Xen
+will pick the most appropriate mitigations based on compiled in support,
+loaded microcode, and hardware details, and will virtualise appropriate
+mitigations for guests to use.
+
+**WARNING: Any use of this option may interfere with heuristics.  Use with
+extreme care.**
+
+An overall boolean value, `spec-ctrl=no`, can be specified to turn off all
+mitigations, including pieces of infrastructure used to virtualise certain
+mitigation features for guests.  Alternatively, a slightly more restricted
+`spec-ctrl=no-xen` can be used to turn off all of Xen's mitigations, while
+leaving the virtualisation support in place for guests to use.  Use of a
+positive boolean value for either of these options is invalid.
+
+The booleans `pv=`, `hvm=`, `msr-sc=` and `rsb=` offer fine grained control
+over the alternative blocks used by Xen.  These impact Xen's ability to
+protect itself, and Xen's ability to virtualise support for guests to use.
+
+* `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests
+  respectively.
+* `msr-sc=` offers control over Xen's support for manipulating MSR\_SPEC\_CTRL
+  on entry and exit.  These blocks are necessary to virtualise support for
+  guests and if disabled, guests will be unable to use IBRS/STIBP/etc.
+* `rsb=` offers control over whether to overwrite the Return Stack Buffer /
+  Return Address Stack on entry to Xen.
+
+If Xen was compiled with INDIRECT\_THUNK support, `bti-thunk=` can be used to
+select which of the thunks gets patched into the `__x86_indirect_thunk_%reg`
+locations.  The default thunk is `retpoline` (generally preferred for Intel
+hardware), with the alternatives being `jmp` (a `jmp *%reg` gadget, minimal
+overhead), and `lfence` (an `lfence; jmp *%reg` gadget, preferred for AMD).
+
+On hardware supporting IBRS (Indirect Branch Restricted Speculation), the
+`ibrs=` option can be used to force or prevent Xen using the feature itself.
+If Xen is not using IBRS itself, functionality is still set up so IBRS can be
+virtualised for guests.
+
+On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=`
+option can be used to force (the default) or prevent Xen from issuing branch
+prediction barriers on vcpu context switches.
+
 ### sync\_console
 > `= <boolean>`
 
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 3adec1a..4f9282f 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -26,6 +26,13 @@
 #include <asm/spec_ctrl.h>
 #include <asm/spec_ctrl_asm.h>
 
+/* Cmdline controls for Xen's alternative blocks. */
+static bool __initdata opt_msr_sc_pv = true;
+static bool __initdata opt_msr_sc_hvm = true;
+static bool __initdata opt_rsb_pv = true;
+static bool __initdata opt_rsb_hvm = true;
+
+/* Cmdline controls for Xen's speculative settings. */
 static enum ind_thunk {
     THUNK_DEFAULT, /* Decide which thunk to use at boot time. */
     THUNK_NONE,    /* Missing compiler support for thunks. */
@@ -35,8 +42,6 @@ static enum ind_thunk {
     THUNK_JMP,
 } opt_thunk __initdata = THUNK_DEFAULT;
 static int8_t __initdata opt_ibrs = -1;
-static bool __initdata opt_rsb_pv = true;
-static bool __initdata opt_rsb_hvm = true;
 bool __read_mostly opt_ibpb = true;
 
 bool __initdata bsp_delay_spec_ctrl;
@@ -84,8 +89,95 @@ static int __init parse_bti(const char *s)
 }
 custom_param("bti", parse_bti);
 
+static int __init parse_spec_ctrl(const char *s)
+{
+    const char *ss;
+    int val, rc = 0;
+
+    do {
+        ss = strchr(s, ',');
+        if ( !ss )
+            ss = strchr(s, '\0');
+
+        /* Global and Xen-wide disable. */
+        val = parse_bool(s, ss);
+        if ( !val )
+        {
+            opt_msr_sc_pv = false;
+            opt_msr_sc_hvm = false;
+
+        disable_common:
+            opt_rsb_pv = false;
+            opt_rsb_hvm = false;
+
+            opt_thunk = THUNK_JMP;
+            opt_ibrs = 0;
+            opt_ibpb = false;
+        }
+        else if ( val > 0 )
+            rc = -EINVAL;
+        else if ( (val = parse_boolean("xen", s, ss)) >= 0 )
+        {
+            if ( !val )
+                goto disable_common;
+
+            rc = -EINVAL;
+        }
+
+        /* Xen's alternative blocks. */
+        else if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+        {
+            opt_msr_sc_pv = val;
+            opt_rsb_pv = val;
+        }
+        else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
+        {
+            opt_msr_sc_hvm = val;
+            opt_rsb_hvm = val;
+        }
+        else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 )
+        {
+            opt_msr_sc_pv = val;
+            opt_msr_sc_hvm = val;
+        }
+        else if ( (val = parse_boolean("rsb", s, ss)) >= 0 )
+        {
+            opt_rsb_pv = val;
+            opt_rsb_hvm = val;
+        }
+
+        /* Xen's speculative sidechannel mitigation settings. */
+        else if ( !strncmp(s, "bti-thunk=", 10) )
+        {
+            s += 10;
+
+            if ( !strncmp(s, "retpoline", ss - s) )
+                opt_thunk = THUNK_RETPOLINE;
+            else if ( !strncmp(s, "lfence", ss - s) )
+                opt_thunk = THUNK_LFENCE;
+            else if ( !strncmp(s, "jmp", ss - s) )
+                opt_thunk = THUNK_JMP;
+            else
+                rc = -EINVAL;
+        }
+        else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 )
+            opt_ibrs = val;
+        else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 )
+            opt_ibpb = val;
+        else
+            rc = -EINVAL;
+
+        s = ss + 1;
+    } while ( *ss );
+
+    return rc;
+}
+custom_param("spec-ctrl", parse_spec_ctrl);
+
 static void __init print_details(enum ind_thunk thunk, uint64_t caps)
 {
+    bool use_spec_ctrl = (boot_cpu_has(X86_FEATURE_SC_MSR_PV) ||
+                          boot_cpu_has(X86_FEATURE_SC_MSR_HVM));
     unsigned int _7d0 = 0, e8b = 0, tmp;
 
     /* Collect diagnostics about available mitigations. */
@@ -94,10 +186,10 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
     if ( boot_cpu_data.extended_cpuid_level >= 0x80000008 )
         cpuid(0x80000008, &tmp, &e8b, &tmp, &tmp);
 
-    printk(XENLOG_DEBUG "Speculative mitigation facilities:\n");
+    printk("Speculative mitigation facilities:\n");
 
     /* Hardware features which pertain to speculative mitigations. */
-    printk(XENLOG_DEBUG "  Hardware features:%s%s%s%s%s%s\n",
+    printk("  Hardware features:%s%s%s%s%s%s\n",
            (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "",
            (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP"     : "",
            (e8b  & cpufeat_mask(X86_FEATURE_IBPB))  ? " IBPB"      : "",
@@ -107,20 +199,31 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
 
     /* Compiled-in support which pertains to BTI mitigations. */
     if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) )
-        printk(XENLOG_DEBUG "  Compiled-in support: INDIRECT_THUNK\n");
+        printk("  Compiled-in support: INDIRECT_THUNK\n");
 
-    printk("BTI mitigations: Thunk %s, Others:%s%s%s%s\n",
+    /* Settings for Xen's protection, irrespective of guests. */
+    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s, Other:%s\n",
            thunk == THUNK_NONE      ? "N/A" :
            thunk == THUNK_RETPOLINE ? "RETPOLINE" :
            thunk == THUNK_LFENCE    ? "LFENCE" :
            thunk == THUNK_JMP       ? "JMP" : "?",
+           !use_spec_ctrl                            ?  "No" :
+           (default_xen_spec_ctrl & SPEC_CTRL_IBRS)  ?  "IBRS+" :  "IBRS-",
+           opt_ibpb                                  ? " IBPB"  : "");
+
+    /*
+     * Alternatives blocks for protecting against and/or virtualising
+     * mitigation support for guests.
+     */
+    printk("  Support for VMs: PV:%s%s%s, HVM:%s%s%s\n",
            (boot_cpu_has(X86_FEATURE_SC_MSR_PV) ||
-            boot_cpu_has(X86_FEATURE_SC_MSR_HVM)) ?
-           default_xen_spec_ctrl & SPEC_CTRL_IBRS    ? " IBRS+" :
-                                                       " IBRS-"      : "",
-           opt_ibpb                                  ? " IBPB"       : "",
-           boot_cpu_has(X86_FEATURE_SC_RSB_PV)       ? " RSB_NATIVE" : "",
-           boot_cpu_has(X86_FEATURE_SC_RSB_HVM)      ? " RSB_VMEXIT" : "");
+            boot_cpu_has(X86_FEATURE_SC_RSB_PV))     ? ""               : " None",
+           boot_cpu_has(X86_FEATURE_SC_MSR_PV)       ? " MSR_SPEC_CTRL" : "",
+           boot_cpu_has(X86_FEATURE_SC_RSB_PV)       ? " RSB"           : "",
+           (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ||
+            boot_cpu_has(X86_FEATURE_SC_RSB_HVM))    ? ""               : " None",
+           boot_cpu_has(X86_FEATURE_SC_MSR_HVM)      ? " MSR_SPEC_CTRL" : "",
+           boot_cpu_has(X86_FEATURE_SC_RSB_HVM)      ? " RSB"           : "");
 
     printk("XPTI: %s\n",
            boot_cpu_has(X86_FEATURE_NO_XPTI) ? "disabled" : "enabled");
@@ -212,7 +315,7 @@ static bool __init retpoline_safe(uint64_t caps)
 void __init init_speculation_mitigations(void)
 {
     enum ind_thunk thunk = THUNK_DEFAULT;
-    bool ibrs = false;
+    bool use_spec_ctrl = false, ibrs = false;
     uint64_t caps = 0;
 
     if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) )
@@ -282,20 +385,31 @@ void __init init_speculation_mitigations(void)
     else if ( thunk == THUNK_JMP )
         setup_force_cpu_cap(X86_FEATURE_IND_THUNK_JMP);
 
+    /*
+     * If we are on hardware supporting MSR_SPEC_CTRL, see about setting up
+     * the alternatives blocks so we can virtualise support for guests.
+     */
     if ( boot_cpu_has(X86_FEATURE_IBRSB) )
     {
-        /*
-         * Even if we've chosen to not have IBRS set in Xen context, we still
-         * need the IBRS entry/exit logic to virtualise IBRS support for
-         * guests.
-         */
-        setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV);
-        setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM);
+        if ( opt_msr_sc_pv )
+        {
+            use_spec_ctrl = true;
+            setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV);
+        }
 
-        if ( ibrs )
-            default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
+        if ( opt_msr_sc_hvm )
+        {
+            use_spec_ctrl = true;
+            setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM);
+        }
+
+        if ( use_spec_ctrl )
+        {
+            if ( ibrs )
+                default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
 
-        default_spec_ctrl_flags |= SCF_ist_wrmsr;
+            default_spec_ctrl_flags |= SCF_ist_wrmsr;
+        }
     }
 
     /*
-- 
2.1.4