From patchwork Mon Sep 30 18:24:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 11167017 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D8FE913BD for ; Mon, 30 Sep 2019 18:26:13 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B2D64224D2 for ; Mon, 30 Sep 2019 18:26:13 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=citrix.com header.i=@citrix.com header.b="XNbdCtKc" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B2D64224D2 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=citrix.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iF0Lp-0000by-Lj; Mon, 30 Sep 2019 18:24:49 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iF0Lo-0000bi-H4 for xen-devel@lists.xenproject.org; Mon, 30 Sep 2019 18:24:48 +0000 X-Inumbo-ID: 92e68514-e3af-11e9-97fb-bc764e2007e4 Received: from esa4.hc3370-68.iphmx.com (unknown [216.71.155.144]) by localhost (Halon) with ESMTPS id 92e68514-e3af-11e9-97fb-bc764e2007e4; Mon, 30 Sep 2019 18:24:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1569867883; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=XMdyn+lWoVrfKRvIL6B/G/OTZrSTH2mFHxDVJXSSADk=; b=XNbdCtKc0O/z96yLRNC0bYy8PL+gqQVJSanimJz1FAfMNPtaTYg1DJxO mgZpjurobcrL8bjjpeptqNhPaqXLEYvgchN8EEqhDFuksNfGApkzcIwbY a9SUCS6RaOsSJ32/6FNE1B+eYiHxmhpIZHqRDZFgyPhIsgsN7qglAebsL E=; Authentication-Results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: None (esa4.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa4.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa4.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa4.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: nXe/XpJHLVinRkvDT26EflYdgPqJ6k4MG41OPO9NrDLP0GIc5wwtj7ksK0MT8z615OaM+bV1gt AAYrt+66X7TPhhJH68xzQocxT+SAEq1cVTp2t73QM6HFNjTUN66k6u0RPT2qJ9S+wMV0jh6Cjy xOaOd9euDd/Kdxvly6k9rqHbf8fQCMZy1YxWAOpLQZuIZe5XEj8KrwIf3lAGA8l3rDiPitgKlQ CRINQ7dQcsMXWWMdFUG1v+3mzROTMt9TVE9BtjFVHLKkLX3RH8/ZDlylzF1MiTdeAcc8n+uRCF txQ= X-SBRS: 2.7 X-MesageID: 6621883 X-Ironport-Server: esa4.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.64,568,1559534400"; d="scan'208";a="6621883" From: Andrew Cooper To: Xen-devel Date: Mon, 30 Sep 2019 19:24:36 +0100 Message-ID: <20190930182437.25478-2-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190930182437.25478-1-andrew.cooper3@citrix.com> References: <20190930182437.25478-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH for-4.13 1/2] xen/nospec: Introduce CONFIG_SPECULATIVE_ARRAY_HARDEN X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Andrew Cooper , Wei Liu , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" There are legitimate circumstance where array hardening is not wanted or needed. Allow it to be turned off. Signed-off-by: Andrew Cooper --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monné CC: Juergen Gross --- xen/common/Kconfig | 21 +++++++++++++++++++++ xen/include/xen/nospec.h | 12 ++++++++++++ 2 files changed, 33 insertions(+) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 16829f6274..9644cc9911 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -77,6 +77,27 @@ config HAS_CHECKPOLICY string option env="XEN_HAS_CHECKPOLICY" +menu "Speculative hardening" + +config SPECULATIVE_ARRAY_HARDEN + bool "Speculative Array Hardening" + default y + ---help--- + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative out-of-bounds array + accesses. + + When enabled, specific array accesses which have been deemed liable + to be speculatively abused will be hardened to avoid out-of-bounds + accesses. + + If unsure, say Y. + +endmenu + config KEXEC bool "kexec support" default y diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 2ac8feccc2..e627a4da52 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -33,6 +33,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, } #endif +#ifdef CONFIG_SPECULATIVE_ARRAY_HARDEN /* * array_index_nospec - sanitize an array index after a bounds check * @@ -58,6 +59,17 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, \ (typeof(_i)) (_i & _mask); \ }) +#else +/* No index hardening. */ +#define array_index_nospec(index, size) \ +({ \ + typeof(index) _i = (index); \ + typeof(size) _s = (size); \ + \ + (void)_s; \ + _i; \ +}) +#endif /* CONFIG_SPECULATIVE_ARRAY_HARDEN */ /* * array_access_nospec - allow nospec access for static size arrays From patchwork Mon Sep 30 18:24:37 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 11167015 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BB57815AB for ; Mon, 30 Sep 2019 18:26:11 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8BD2F224D2 for ; Mon, 30 Sep 2019 18:26:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=citrix.com header.i=@citrix.com header.b="YwNW5EBM" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8BD2F224D2 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=citrix.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iF0Lu-0000ct-WB; Mon, 30 Sep 2019 18:24:54 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iF0Lt-0000cb-Gr for xen-devel@lists.xenproject.org; Mon, 30 Sep 2019 18:24:53 +0000 X-Inumbo-ID: 947fbe68-e3af-11e9-b588-bc764e2007e4 Received: from esa6.hc3370-68.iphmx.com (unknown [216.71.155.175]) by localhost (Halon) with ESMTPS id 947fbe68-e3af-11e9-b588-bc764e2007e4; Mon, 30 Sep 2019 18:24:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1569867886; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=1idr3p5a8VnPDZ3SOOM33R+07YpkWUdakMfFeCERgN8=; b=YwNW5EBMJmpRkhfKoDb+EVVfaliCrPBWvV0UqYPr6Zer9T+4idEiN5cp btwG7Pvaas+oKoOYusVZd755/cl+av6vgXuW8qIzIbyo75++lxjQdPvXo W1yChTerk/XzCj/VAh50XfPmKZI+b8TL6K9yZl34GpWETh27Iw0FEfndr 8=; Authentication-Results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: None (esa6.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa6.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa6.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa6.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa6.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa6.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: zGDRzt5ve405+IDaJp1rpw8t4rzt1xDRUu4BqFnh7x7mUy0eFO01ArpxQNlpuHBCk3yNN7FT5l gh07f/yAmYF3lMYLMDcmdAKIKDb5TN2GJz4ez4gqj2ncTl0wPwvNaCbv1st7N1vtwPmh6MSDqB MpAnuUoktxcwdLPGP/mxDmmnZIHLb3m1dadYS3pZRCSDThR1dQmOZgKWQDwJtTKksT7n9r+nH8 bpdvgKfKkZasaApmC9V58IkvLOz4CqmYiA2/GW0GDs9YmN8Srhw1q5/u/GpH9Duqhf9Cxp0h7p Hls= X-SBRS: 2.7 X-MesageID: 6556716 X-Ironport-Server: esa6.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.64,568,1559534400"; d="scan'208";a="6556716" From: Andrew Cooper To: Xen-devel Date: Mon, 30 Sep 2019 19:24:37 +0100 Message-ID: <20190930182437.25478-3-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190930182437.25478-1-andrew.cooper3@citrix.com> References: <20190930182437.25478-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH for-4.13 2/2] xen/nospec: Introduce CONFIG_SPECULATIVE_BRANCH_HARDEN and disable it X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Wei Liu , Andrew Cooper , Norbert Manthey , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" The code generation for barrier_nospec_true() is not correct. We are taking a perf it from the added fences, but not gaining any speculative safety. This is caused by inline assembly trying to fight the compiler optimiser, and the optimiser winning. There is no clear way to achieve safety, so turn the perf hit off for now. This also largely reverts 3860d5534df4. The name 'l1tf-barrier', and making barrier_nospec_true() depend on CONFIG_HVM was constrained by what could be discussed publicly at the time. Now that MDS is public, neither aspects are correct. As l1tf-barrier hasn't been in a release of Xen, and CONFIG_SPECULATIVE_BRANCH_HARDEN is disabled until we can find a safe way of implementing the functionality, remove the l1tf-barrier command line option. Signed-off-by: Andrew Cooper --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monné CC: Juergen Gross CC: Norbert Manthey --- docs/misc/xen-command-line.pandoc | 8 +------- xen/arch/x86/spec_ctrl.c | 17 ++--------------- xen/common/Kconfig | 17 +++++++++++++++++ xen/include/asm-x86/cpufeatures.h | 2 +- xen/include/asm-x86/nospec.h | 4 ++-- xen/include/asm-x86/spec_ctrl.h | 1 - 6 files changed, 23 insertions(+), 26 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index fc64429064..b9c5b822ca 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1932,7 +1932,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm,msr-sc,rsb,md-clear}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu, -> l1d-flush,l1tf-barrier}= ]` +> l1d-flush}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2004,12 +2004,6 @@ Irrespective of Xen's setting, the feature is virtualised for HVM guests to use. By default, Xen will enable this mitigation on hardware believed to be vulnerable to L1TF. -On hardware vulnerable to L1TF, the `l1tf-barrier=` option can be used to force -or prevent Xen from protecting evaluations inside the hypervisor with a barrier -instruction to not load potentially secret information into L1 cache. By -default, Xen will enable this mitigation on hardware believed to be vulnerable -to L1TF. - ### sync_console > `= ` diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 4761be81bd..5ea8870981 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -21,7 +21,6 @@ #include #include -#include #include #include #include @@ -53,7 +52,6 @@ bool __read_mostly opt_ibpb = true; bool __read_mostly opt_ssbd = false; int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; -int8_t __read_mostly opt_l1tf_barrier = -1; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -98,8 +96,6 @@ static int __init parse_spec_ctrl(const char *s) if ( opt_pv_l1tf_domu < 0 ) opt_pv_l1tf_domu = 0; - opt_l1tf_barrier = 0; - disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; @@ -175,8 +171,6 @@ static int __init parse_spec_ctrl(const char *s) opt_eager_fpu = val; else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 ) opt_l1d_flush = val; - else if ( (val = parse_boolean("l1tf-barrier", s, ss)) >= 0 ) - opt_l1tf_barrier = val; else rc = -EINVAL; @@ -337,7 +331,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : @@ -348,8 +342,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", - opt_l1tf_barrier ? " L1TF_BARRIER" : ""); + opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1034,12 +1027,6 @@ void __init init_speculation_mitigations(void) else if ( opt_l1d_flush == -1 ) opt_l1d_flush = cpu_has_bug_l1tf && !(caps & ARCH_CAPS_SKIP_L1DFL); - /* By default, enable L1TF_VULN on L1TF-vulnerable hardware */ - if ( opt_l1tf_barrier == -1 ) - opt_l1tf_barrier = cpu_has_bug_l1tf && (opt_smt || !opt_l1d_flush); - if ( opt_l1tf_barrier > 0 ) - setup_force_cpu_cap(X86_FEATURE_SC_L1TF_VULN); - /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 9644cc9911..d851e63083 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -96,6 +96,23 @@ config SPECULATIVE_ARRAY_HARDEN If unsure, say Y. +config SPECULATIVE_BRANCH_HARDEN + bool "Speculative Branch Hardening" + depends on BROKEN + ---help--- + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of misbehaviour is by executing the wrong basic block + following a conditional jump. + + When enabled, specific conditions which have been deemed liable to + be speculatively abused will be hardened to avoid entering the wrong + basic block. + + !!! WARNING - This is broken and doesn't generate safe code !!! + endmenu config KEXEC diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h index 91eccf5161..ecb651c35d 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -27,7 +27,7 @@ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself XEN_CPUFEATURE(LFENCE_DISPATCH, X86_SYNTH(12)) /* lfence set as Dispatch Serialising */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ -XEN_CPUFEATURE(SC_L1TF_VULN, X86_SYNTH(15)) /* L1TF protection required */ +/* 15 unused. */ XEN_CPUFEATURE(SC_MSR_PV, X86_SYNTH(16)) /* MSR_SPEC_CTRL used by Xen for PV */ XEN_CPUFEATURE(SC_MSR_HVM, X86_SYNTH(17)) /* MSR_SPEC_CTRL used by Xen for HVM */ XEN_CPUFEATURE(SC_RSB_PV, X86_SYNTH(18)) /* RSB overwrite needed for PV */ diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 2aa47b3455..df7f9b13d7 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -9,8 +9,8 @@ /* Allow to insert a read memory barrier into conditionals */ static always_inline bool barrier_nospec_true(void) { -#ifdef CONFIG_HVM - alternative("", "lfence", X86_FEATURE_SC_L1TF_VULN); +#ifdef CONFIG_SPECULATIVE_BRANCH_HARDEN + alternative("", "lfence", X86_FEATURE_ALWAYS); #endif return true; } diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h index 1339ddd7ef..ba03bb42e5 100644 --- a/xen/include/asm-x86/spec_ctrl.h +++ b/xen/include/asm-x86/spec_ctrl.h @@ -37,7 +37,6 @@ extern bool opt_ibpb; extern bool opt_ssbd; extern int8_t opt_eager_fpu; extern int8_t opt_l1d_flush; -extern int8_t opt_l1tf_barrier; extern bool bsp_delay_spec_ctrl; extern uint8_t default_xen_spec_ctrl;