From patchwork Fri May 26 11:06:52 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 13256777 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 676B6C7EE31 for ; Fri, 26 May 2023 11:07:54 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.540061.841540 (Exim 4.92) (envelope-from ) id 1q2VIN-0007gb-1E; Fri, 26 May 2023 11:07:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 540061.841540; Fri, 26 May 2023 11:07:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q2VIM-0007gR-TW; Fri, 26 May 2023 11:07:42 +0000 Received: by outflank-mailman (input) for mailman id 540061; Fri, 26 May 2023 11:07:40 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q2VIJ-0006sm-Tl for xen-devel@lists.xenproject.org; Fri, 26 May 2023 11:07:39 +0000 Received: from esa5.hc3370-68.iphmx.com (esa5.hc3370-68.iphmx.com [216.71.155.168]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 84d6f7e6-fbb5-11ed-b230-6b7b168915f2; Fri, 26 May 2023 13:07:37 +0200 (CEST) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 84d6f7e6-fbb5-11ed-b230-6b7b168915f2 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1685099257; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=tRC3UNaCj65Aajc92g1f04RU5FXAg5eRZ78lBWu320s=; b=LM1gi+wmkEVqhGjUQ7uNSs8gDNE+T9yfECPD10vO/zN6lcPbZhf9wxJ0 ArK/L+GdX8fwxvzLj6ZVNRqGGxeBvFd1vKjk5CG/KB+f8YliAIaGbqb0S Z05gtVJakFiqbVsZ90PJP8/dsciMpTDEr2omoWG9VdRFFQxNcqsBaKYRr U=; Authentication-Results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 4.0 X-MesageID: 109294592 X-Ironport-Server: esa5.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.123 X-Policy: $RELAYED IronPort-Data: A9a23:cBW1faP5CyulEM/vrR21l8FynXyQoLVcMsEvi/4bfWQNrUpz0jAFz WMcXjiDPfeJMGL9ft4nb460oUgF78PTmtZgQQto+SlhQUwRpJueD7x1DKtS0wC6dZSfER09v 63yTvGacajYm1eF/k/F3oDJ9CU6jufQAOKnUoYoAwgpLSd8UiAtlBl/rOAwh49skLCRDhiE/ Nj/uKUzAnf8s9JPGjxSs/rrRC9H5qyo42tF5AJmP5ingXeF/5UrJMNHTU2OByOQrrl8RoaSW +vFxbelyWLVlz9F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq/0Te5p0TJvsEAXq7vh3S9zxHJ HehgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/ZqAJGpfh66wGMa04AWEX0s14WE9x9 60pESgENkGDpP2Q3r38Q/Y506zPLOGzVG8eknRpzDWfBvc6W5HTBa7N4Le03h9p2JoIR6yHI ZNEN3w2Nk+ojx5nYz/7DLoXmuuyi2a5WDpfsF+P/oI84nTJzRw327/oWDbQUoXSFJ8EwhvJ/ Aoq+UynLT0YHvKalwOOzViV3umegTvSCawdQejQGvlC3wTImz175ActfUS/iem0jAi5Qd03A 1wZ/G8ioLY/8GSvT8LhRFuorXicpBkeVtFMVeog52ml6IDZ/gKYDWgsVSNaZZots8peeNAx/ gbXxZWzX2Up6eDLDyvHrd94sA9eJwA+IjYsWi1VfDId6oGyoKIsqAzACd98RfvdYsLOJRn8x DWDrS4bjroVjNIW26jTwW0rkw5AtbCSEFdru1y/snaNq1ogOdX7P9DABU3zt64oEWqPcrWWU JHoceC65ftGM5yCnTflrA4lTODwvKbt3NExbDdS83gdG9aFoSbLkWN4umsWyKJV3iEsJ1fUj Lf741852XOqFCLCgVVLS4ywEd826qPrCM7oUPvZBvIXPMgsLFTWoH03Ox/Kt4wIrKTKuftjU Xt8WZ/2ZUv29Iw9lGbmLwvj+eNDKt8CKZP7GsmgkkXPPUu2b3+JU7YVWGazghQCxPrc+m39q o8PX/ZmPj0DCIUSlAGLq99MRb3LRFBnba3LRzt/LLPbeVY+QzhwUpc8A9oJIuRYokicrc+Ql lnVZ6OS4Aak7ZEbAW1mskxeVY4= IronPort-HdrOrdr: A9a23:VFnX+K3Pp0nw9MLWDklb9wqjBEIkLtp133Aq2lEZdPU0SKGlfq GV7ZAmPHrP4gr5N0tOpTntAse9qBDnhPtICOsqTNSftWDd0QPFEGgF1+rfKlXbcBEWndQtt5 uIHZIfNDSKNykcsS77ijPIb+rJwrO8gd+VbTG19QYSceloAZsQnjuQEmygYytLrJEtP+tCKH KbjPA33gaISDAsQemQIGIKZOTHr82jruOaXfZXbyRXkDVnlFmTmcXHLyQ= X-Talos-CUID: 9a23:nFnHrmkr7iIBbMER6dP25rr6IULXOVbSlVnvIR6JMH5gEOyVakC25qwjmtU7zg== X-Talos-MUID: 9a23:jwmPlgkPzsQImLdwUzX6dno8G+tqyYqrVnkGrr8/48/VKTRZahmS2WE= X-IronPort-AV: E=Sophos;i="6.00,194,1681185600"; d="scan'208";a="109294592" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Wei Liu Subject: [PATCH 1/4] x86/spec-ctrl: Rename retpoline_safe() to retpoline_calculations() Date: Fri, 26 May 2023 12:06:52 +0100 Message-ID: <20230526110656.4018711-2-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230526110656.4018711-1-andrew.cooper3@citrix.com> References: <20230526110656.4018711-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 This is prep work, split out to simply the diff on the following change. * Rename to retpoline_calculations(), and call unconditionally. It is shortly going to synthesize missing enumerations required for guest safety. * For Broadwell, store the ucode revision calculation in a variable and fall out of the bottom of the switch statement. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Roger Pau Monné CC: Wei Liu --- xen/arch/x86/spec_ctrl.c | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 50d467f74cf8..0774d40627dd 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -579,9 +579,10 @@ static bool __init check_smt_enabled(void) } /* Calculate whether Retpoline is known-safe on this CPU. */ -static bool __init retpoline_safe(void) +static bool __init retpoline_calculations(void) { unsigned int ucode_rev = this_cpu(cpu_sig).rev; + bool safe = false; if ( boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON) ) return true; @@ -626,18 +627,18 @@ static bool __init retpoline_safe(void) * versions. */ case 0x3d: /* Broadwell */ - return ucode_rev >= 0x2a; + safe = ucode_rev >= 0x2a; break; case 0x47: /* Broadwell H */ - return ucode_rev >= 0x1d; + safe = ucode_rev >= 0x1d; break; case 0x4f: /* Broadwell EP/EX */ - return ucode_rev >= 0xb000021; + safe = ucode_rev >= 0xb000021; break; case 0x56: /* Broadwell D */ switch ( boot_cpu_data.x86_mask ) { - case 2: return ucode_rev >= 0x15; - case 3: return ucode_rev >= 0x7000012; - case 4: return ucode_rev >= 0xf000011; - case 5: return ucode_rev >= 0xe000009; + case 2: safe = ucode_rev >= 0x15; break; + case 3: safe = ucode_rev >= 0x7000012; break; + case 4: safe = ucode_rev >= 0xf000011; break; + case 5: safe = ucode_rev >= 0xe000009; break; default: printk("Unrecognised CPU stepping %#x - assuming not reptpoline safe\n", boot_cpu_data.x86_mask); @@ -681,6 +682,12 @@ static bool __init retpoline_safe(void) boot_cpu_data.x86_model); return false; } + + /* Only Broadwell gets here. */ + if ( safe ) + return true; + + return false; } /* @@ -1113,7 +1120,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa; + bool cpu_has_bug_taa, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1139,6 +1146,9 @@ void __init init_speculation_mitigations(void) thunk = THUNK_JMP; } + /* Determine if retpoline is safe on this CPU. */ + retpoline_safe = retpoline_calculations(); + /* * Has the user specified any custom BTI mitigations? If so, follow their * instructions exactly and disable all heuristics. @@ -1160,7 +1170,7 @@ void __init init_speculation_mitigations(void) * On all hardware, we'd like to use retpoline in preference to * IBRS, but only if it is safe on this hardware. */ - if ( retpoline_safe() ) + if ( retpoline_safe ) thunk = THUNK_RETPOLINE; else if ( has_spec_ctrl ) ibrs = true; From patchwork Fri May 26 11:06:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 13256776 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1E77CC77B7A for ; Fri, 26 May 2023 11:07:53 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.540057.841500 (Exim 4.92) (envelope-from ) id 1q2VIG-0006ds-Pq; Fri, 26 May 2023 11:07:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 540057.841500; Fri, 26 May 2023 11:07:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q2VIG-0006dl-N4; Fri, 26 May 2023 11:07:36 +0000 Received: by outflank-mailman (input) for mailman id 540057; Fri, 26 May 2023 11:07:35 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q2VIF-0006de-GA for xen-devel@lists.xenproject.org; Fri, 26 May 2023 11:07:35 +0000 Received: from esa4.hc3370-68.iphmx.com (esa4.hc3370-68.iphmx.com [216.71.155.144]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 822189af-fbb5-11ed-8611-37d641c3527e; Fri, 26 May 2023 13:07:32 +0200 (CEST) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 822189af-fbb5-11ed-8611-37d641c3527e DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1685099252; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=anpmt4luKppeT0MDr6VWEfx6VCbmSawCR46DmW0f5Hg=; b=dvJg3jA4R6QyLT8roDDUsv6TxrgBVbrMVBc30EnK7PTmIqpCh+lhwjf6 B5IVdmZX71+kzkGxsm1pXYoJu7vgS4plMl/BfB9txlH9NvhjXgAG5tNd3 B/VSD1dOqWpBndMfPndATRmuyzK+Clnt0SB1Ez9UfcIUXPWr1WHJ84prr Y=; Authentication-Results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 4.0 X-MesageID: 113007427 X-Ironport-Server: esa4.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.123 X-Policy: $RELAYED IronPort-Data: A9a23:cickcK/WINsFFjzDL4PlDrUD836TJUtcMsCJ2f8bNWPcYEJGY0x3x msdDG/UOfaKYmP0eo0nO97loExTuZSGx4Q3SAtupS88E34SpcT7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVE/fjUAOG6UKicYXoZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqojUNUTNNwRcawr40Ird7ks31BjOkGlA5AdmOKoV5AW2e0Q9V/rzG4ngdxMUfaEMdgKKb 76r5K20+Grf4yAsBruN+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+v9T2M4nQVVWk120c+VZk 72hg3ASpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDkkS5 M4oMWs2ayvS3c6sxou7WM1Vq8k8eZyD0IM34hmMzBncBPciB5vCX7/L9ZlT2zJYasJmRKiEI ZBDMHw2MUqGOkcUUrsUIMtWcOOAr3/zaTBH7nmSorI6+TP7xw1tyrn9dtHSf7RmQO0Mxx3A/ j2apTuR7hcyLfvHlhS94HiVp8DQuT/Ad6gCJJr/z6s/6LGU7jNKU0BHPbehmtGph0j7V99BJ kg8/is1sbN05EGtVsP6XRCzvDiDpBF0ZjZLO7RkskfXkPOSulvHQDFeFVatdeDKqudqVA4az wSymui4XxB1toSVW1ak27qL+Gba1TcuEUcOYioNTA0g6tbloZ0ugh+ncuuPAJJZnfWuR2iun mniQDwWwuxK0JVVj/nTEUXv2WrEm3TfcuIiCuw7tEqB5xgxWoOqbpfABbPzvacZd9bxorVsU RE5dymiAAImV8nleM+lGr9l8FSVCxGtblXhbaZHRcVJythU0yfLkXpsyD9/Plx1Fc0PZCXkZ kTe0SsIus8OZCD7MfMuPdPrYyjP8UQGPY65PhwzRoMUCqWdiSfdpH0+DaJu9zyFfLcQfVEXZ s7ALJfE4YcyAqV71jumL9ogPUsQ7nlmnwv7HMmrpylLJJLCPBZ5v59ZagrRBg34hYvYyDjoH yF3bZbSkEkHC7SvO0E6M+c7dDg3EJTyPriuw+Q/SwJJClE5cI39I5c9GY8cRrE= IronPort-HdrOrdr: A9a23:Yx0NpK1fMEVRptAoccEy6AqjBEQkLtp133Aq2lEZdPU0SKGlfg 6V/MjztCWE7gr5PUtLpTnuAsa9qB/nm6KdpLNhX4tKPzOW31dATrsSjrcKqgeIc0HDH6xmpM JdmsBFY+EYZmIK6foSjjPYLz4hquP3j5xBh43lvglQpdcBUdAQ0+97YDzrYnGfXGN9dOME/A L33Ls7m9KnE05nFviTNz0+cMXogcbEr57iaQ5uPW9a1OHf5QnYk4ITCnKjr20jbw8= X-Talos-CUID: 9a23:cGaxMW9suFZKIxMsw72VvxIFKPA8KUbY9yaKD1W+MGZ7bIS4REDFrQ== X-Talos-MUID: 9a23:FStVZgt3Zg1Ra3R0I82nnRY6a+lQ8a6XKW8StYk9lOOUBQs3AmLI X-IronPort-AV: E=Sophos;i="6.00,194,1681185600"; d="scan'208";a="113007427" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper Subject: [PATCH 2/4] x86/spec-ctrl: Synthesize missing RSBA/RRSBA bits Date: Fri, 26 May 2023 12:06:53 +0100 Message-ID: <20230526110656.4018711-3-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230526110656.4018711-1-andrew.cooper3@citrix.com> References: <20230526110656.4018711-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 --- xen/arch/x86/include/asm/cpufeature.h | 1 + xen/arch/x86/spec_ctrl.c | 50 +++++++++++++++++++++++---- 2 files changed, 44 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index 50235f098d70..08e3eedd1280 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -192,6 +192,7 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_tsx_ctrl boot_cpu_has(X86_FEATURE_TSX_CTRL) #define cpu_has_taa_no boot_cpu_has(X86_FEATURE_TAA_NO) #define cpu_has_fb_clear boot_cpu_has(X86_FEATURE_FB_CLEAR) +#define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 0774d40627dd..daf77d77e139 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -578,7 +578,10 @@ static bool __init check_smt_enabled(void) return false; } -/* Calculate whether Retpoline is known-safe on this CPU. */ +/* + * Calculate whether Retpoline is known-safe on this CPU. Fixes up missing + * RSBA/RRSBA enumeration from older microcode versions. + */ static bool __init retpoline_calculations(void) { unsigned int ucode_rev = this_cpu(cpu_sig).rev; @@ -592,13 +595,18 @@ static bool __init retpoline_calculations(void) return false; /* - * RSBA may be set by a hypervisor to indicate that we may move to a - * processor which isn't retpoline-safe. - * * Processors offering Enhanced IBRS are not guarenteed to be * repoline-safe. */ - if ( cpu_has_rsba || cpu_has_eibrs ) + if ( cpu_has_eibrs ) + goto unsafe_maybe_fixup_rrsba; + + /* + * RSBA is explicitly enumerated in some cases, but may also be set by a + * hypervisor to indicate that we may move to a processor which isn't + * retpoline-safe. + */ + if ( cpu_has_rsba ) return false; switch ( boot_cpu_data.x86_model ) @@ -648,6 +656,8 @@ static bool __init retpoline_calculations(void) /* * Skylake, Kabylake and Cannonlake processors are not retpoline-safe. + * Note: the eIBRS-capable steppings are filtered out earlier, so the + * remainder here are the ones which suffer only RSBA behaviour. */ case 0x4e: /* Skylake M */ case 0x55: /* Skylake X */ @@ -656,7 +666,7 @@ static bool __init retpoline_calculations(void) case 0x67: /* Cannonlake? */ case 0x8e: /* Kabylake M */ case 0x9e: /* Kabylake D */ - return false; + goto unsafe_maybe_fixup_rsba; /* * Atom processors before Goldmont Plus/Gemini Lake are retpoline-safe. @@ -687,6 +697,32 @@ static bool __init retpoline_calculations(void) if ( safe ) return true; + /* + * The meaning of the RSBA and RRSBA bits have evolved over time. The + * agreed upon meaning at the time of writing (May 2023) is thus: + * + * - RSBA (RSB Alterantive) means that an RSB may fall back to an + * alternative predictor on underflow. Skylake uarch and later all have + * this property. Broadwell too, when running microcode versions prior + * to Jan 2018. + * + * - All eIBRS-capable processors suffer RSBA, but eIBRS also introduces + * tagging of predictions with the mode in which they were learned. So + * when eIBRS is active, RSBA becomes RRSBA (Restricted RSBA). + * + * Some parts (Broadwell) are not expected to ever enumerate this + * behaviour directly. Other parts have differing enumeration with + * microcode version. Fix up Xen's idea, so we can advertise them safely + * to guests, and so toolstacks can level a VM safelty for migration. + */ + unsafe_maybe_fixup_rrsba: + if ( !cpu_has_rrsba ) + setup_force_cpu_cap(X86_FEATURE_RRSBA); + + unsafe_maybe_fixup_rsba: + if ( !cpu_has_rsba ) + setup_force_cpu_cap(X86_FEATURE_RSBA); + return false; } @@ -1146,7 +1182,7 @@ void __init init_speculation_mitigations(void) thunk = THUNK_JMP; } - /* Determine if retpoline is safe on this CPU. */ + /* Determine if retpoline is safe on this CPU. Fix up RSBA/RRSBA enumerations. */ retpoline_safe = retpoline_calculations(); /* From patchwork Fri May 26 11:06:55 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 13256780 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 6755FC7EE23 for ; Fri, 26 May 2023 11:07:59 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.540062.841546 (Exim 4.92) (envelope-from ) id 1q2VIN-0007ka-F4; Fri, 26 May 2023 11:07:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 540062.841546; Fri, 26 May 2023 11:07:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q2VIN-0007j7-77; Fri, 26 May 2023 11:07:43 +0000 Received: by outflank-mailman (input) for mailman id 540062; Fri, 26 May 2023 11:07:40 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q2VIK-0006sm-4j for xen-devel@lists.xenproject.org; Fri, 26 May 2023 11:07:40 +0000 Received: from esa5.hc3370-68.iphmx.com (esa5.hc3370-68.iphmx.com [216.71.155.168]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 86c738e5-fbb5-11ed-b230-6b7b168915f2; Fri, 26 May 2023 13:07:39 +0200 (CEST) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 86c738e5-fbb5-11ed-b230-6b7b168915f2 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1685099258; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=EimvUEFnHc9YAG/yN5Pgzk9rUwYKNv9peudeFTVu77c=; b=PvKL+afdQnaNWhiSZ5B9SnzxTg7o+V21zHDXathmm1JiN3DJLKq+t8Pk LaKKELoh0eF9Hy0JZaEmLyvkTkvz0kdOF7cECWLpJ0AORxlfxB8Pd6vKe 0+ZNHWmngystJIpGpggQ9nxaA6GoeOChk0MIKxca+ABvWuKtFqhrppCER k=; Authentication-Results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 4.0 X-MesageID: 109294593 X-Ironport-Server: esa5.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.123 X-Policy: $RELAYED IronPort-Data: A9a23:l5hXo6yNE+lXeo8WdSx6t+cnxirEfRIJ4+MujC+fZmUNrF6WrkVUn DMZDWyHOa7ZN2H0e4t1PoWz8E0Ovp7XndRlTQQ/rSAxQypGp/SeCIXCJC8cHc8wwu7rFxs7s ppEOrEsCOhuExcwcz/0auCJQUFUjP3OHfykTrafYEidfCc8IA85kxVvhuUltYBhhNm9Emult Mj75sbSIzdJ4RYtWo4vw/zF8EsHUMja4mtC5QRjP64T5jcyqlFOZH4hDfDpR5fHatE88t6SH 47r0Ly/92XFyBYhYvvNfmHTKxBirhb6ZGBiu1IOM0SQqkEqSh8ai87XAME0e0ZP4whlqvgqo Dl7WT5cfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQq2pYjqhljJBheAGEWxgp4KUpBr NInKmE8VwiK37O2462dVOYrj9t2eaEHPKtH0p1h5TTQDPJgSpHfWaTao9Rf2V/chOgXQ6yYP ZBAL2MyMlKZOUYn1lQ/UfrSmM+BgHXlfiIeg1WSvactuEDYzRBr0airO93QEjCPbZwNzxzJ+ j+XpAwVBDkibNWklxuq20uioeXTkQTXYLAyN7q3o6sCbFq7mTVIVUx+uUGAiea9ol6zXZRYM UN80jojq+0++VKmSvH5XgakuziUsxgEQd1SHuYmrgaXxcL8wSyUG2wFRT5pc8E9uYk9QjlC6 7OSt4q3X3o16uTTEC/DsO7O9lteJBT5M0cpanYqcglU0uD7qdlijjHQaMhsV6eq24id9S7L/ xiGqy03hrM2hMEN1rmm8V2vvw9AtqQlXSZuuFyJAzvNAhdRIdf8Otf2sQSzAeNodt7xc7WXg JQTdyFyBsgqBIrFqiGCSf5l8FqBt6fca220bbKC8vAcG9WRF5yLJ9g4DNJWfh0B3iM4ldjBP ifuVft5vsM7AZdTRfYfj3iNI8or17P8Mt/uS+rZaNFDCrAoKl/apHo/ORLJgTG3+KTJrU3ZE c3HGSpLJS9AYZmLMRLsH7tNuVPV7nxWKZzvqWDTkE38jOv2iI+9QrYZKlqeBt0EAFe/iFyNq b53bpLaoyizpcWiOkE7B6ZPdwFVRZX6bLiqw/FqmhmreFc+Qz15UKaAmNvMueVNxsxoqwsBx VnlMmcw9bY1rSGeQelWQhiPsI/SYKs= IronPort-HdrOrdr: A9a23:SC0f8Kufta02ZhVw7QSW8kU07skDhtV00zEX/kB9WHVpm6yj+v xG/c5rsSMc7Qx6ZJhOo7+90cW7L080lqQFhLX5X43SPzUO0VHARO1fBO3ZogEIcxeUygc379 YDT0ERMr3N5CNB/KHHCAnTKadd/DGEmprY+ts3GR1WPH9Xg6IL1XYJNu6CeHcGIjWvnfACZe ChDswsnUvYRV0nKv6VK1MiROb5q9jChPvdEGM7705O0nj3sduwgoSKaCSl4g== X-Talos-CUID: 9a23:baL6FGBHnqecSeb6EwJorWArGJEUS2XUlCbQAFCeF2kuQaLAHA== X-Talos-MUID: 9a23:fcjH6ggysa07Z57y66MR+cMpDJ9h2PqPJ2k0n7IMp8WjGRRCGxSag2Hi X-IronPort-AV: E=Sophos;i="6.00,194,1681185600"; d="scan'208";a="109294593" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Wei Liu Subject: [PATCH 3/4] x86/cpu-policy: Rearrange guest_common_default_feature_adjustments() Date: Fri, 26 May 2023 12:06:55 +0100 Message-ID: <20230526110656.4018711-5-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230526110656.4018711-1-andrew.cooper3@citrix.com> References: <20230526110656.4018711-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 This is prep work, split out to simply the diff on the following change. * Split the INTEL check out of the IvyBridge RDRAND check, as the former will be reused. * Use asm/intel-family.h to remove a raw 0x3a model number. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich --- CC: Jan Beulich CC: Roger Pau Monné CC: Wei Liu --- xen/arch/x86/cpu-policy.c | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 74266d30b551..bdbc5660acd4 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include @@ -429,21 +430,24 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) static void __init guest_common_default_feature_adjustments(uint32_t *fs) { - /* - * IvyBridge client parts suffer from leakage of RDRAND data due to SRBDS - * (XSA-320 / CVE-2020-0543), and won't be receiving microcode to - * compensate. - * - * Mitigate by hiding RDRAND from guests by default, unless explicitly - * overridden on the Xen command line (cpuid=rdrand). Irrespective of the - * default setting, guests can use RDRAND if explicitly enabled - * (cpuid="host,rdrand=1") in the VM's config file, and VMs which were - * previously using RDRAND can migrate in. - */ - if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL && - boot_cpu_data.x86 == 6 && boot_cpu_data.x86_model == 0x3a && - cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) - __clear_bit(X86_FEATURE_RDRAND, fs); + if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL ) + { + /* + * IvyBridge client parts suffer from leakage of RDRAND data due to SRBDS + * (XSA-320 / CVE-2020-0543), and won't be receiving microcode to + * compensate. + * + * Mitigate by hiding RDRAND from guests by default, unless explicitly + * overridden on the Xen command line (cpuid=rdrand). Irrespective of the + * default setting, guests can use RDRAND if explicitly enabled + * (cpuid="host,rdrand=1") in the VM's config file, and VMs which were + * previously using RDRAND can migrate in. + */ + if ( boot_cpu_data.x86 == 6 && + boot_cpu_data.x86_model == INTEL_FAM6_IVYBRIDGE && + cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) + __clear_bit(X86_FEATURE_RDRAND, fs); + } /* * On certain hardware, speculative or errata workarounds can result in From patchwork Fri May 26 11:06:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 13256775 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 28903C7EE23 for ; Fri, 26 May 2023 11:07:52 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.540059.841515 (Exim 4.92) (envelope-from ) id 1q2VIJ-0006wQ-Cf; Fri, 26 May 2023 11:07:39 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 540059.841515; Fri, 26 May 2023 11:07:39 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q2VIJ-0006w8-6A; Fri, 26 May 2023 11:07:39 +0000 Received: by outflank-mailman (input) for mailman id 540059; Fri, 26 May 2023 11:07:38 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q2VII-0006de-F4 for xen-devel@lists.xenproject.org; Fri, 26 May 2023 11:07:38 +0000 Received: from esa4.hc3370-68.iphmx.com (esa4.hc3370-68.iphmx.com [216.71.155.144]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 84a6571e-fbb5-11ed-8611-37d641c3527e; Fri, 26 May 2023 13:07:36 +0200 (CEST) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 84a6571e-fbb5-11ed-8611-37d641c3527e DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1685099256; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=wC2o+30LdUKtUUpwusZsSoxUr8yh/q6D9ho4+eihRUc=; b=gVfLAo0aa7IwytHWZHndmHdlkXSYTN7/yNj8L4kW70EEzAKVURQSRYaB woJZXTbfNfz8H2EAFCtpaRnKiniv5bIKW8O0ngD+6ntuG5v+aUrETWM7R dk/webmxF/tKuYJZH7L/z9Tf3pPQU+knZ8517FjeaeUl/ACJ3aKB2ZM7y c=; Authentication-Results: esa4.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 4.0 X-MesageID: 113007431 X-Ironport-Server: esa4.hc3370-68.iphmx.com X-Remote-IP: 162.221.156.123 X-Policy: $RELAYED IronPort-Data: A9a23:Zymny6KieKkIhJKGFE+RwZUlxSXFcZb7ZxGr2PjKsXjdYENS3jFUm jMYUDiCO6zeZWGhL98jOYyypkoAscPdz9cyG1FlqX01Q3x08seUXt7xwmUcnc+xBpaaEB84t ZV2hv3odp1coqr0/0/1WlTZhSAgk/rOHvykU7Ss1hlZHWdMUD0mhQ9oh9k3i4tphcnRKw6Ws Jb5rta31GWNglaYCUpKrfrbwP9TlK6q4mhA4wZgPaojUGL2zBH5MrpOfcldEFOgKmVkNrbSb /rOyri/4lTY838FYj9yuu+mGqGiaue60Tmm0hK6aYD76vRxjnVaPpIAHOgdcS9qZwChxLid/ jnvWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I+QrvBIAzt03ZHzaM7H09c4rEFN+7 KcjLQtcNDyZgdu20paCZ+Rz05FLwMnDZOvzu1llxDDdS/0nXYrCU+PB4towMDUY354UW6yEP oxANGQpNU6bC/FMEg5/5JYWteGknHTgNRZfr0qYv/Ef6GnP1g1hlrPqNbI5f/TTHJ4NxhnE/ TuuE2LRJkpHEMeCzjW8tXf0hfORgiHfZL4qG+jtnhJtqALKnTFCYPEMbnOrrP/8hkOgVtZ3L 00P5jFovaU07FasTNT2Q1u/unHsljw2VsdUEuY6wBqQ0aeS6AGcbkAbShZRZdpgs9U5LQHGz XfQwYmvX2Y29uTIFzTErOz8QS6O1TY9cX4wVTZfdg4+soPPuocKjgDrd/tuD/vg5jHqIg3Yz zePpSk4orwci88Xyqm2lWz6byKQSovhFVBsuFiONo6xxkYgPdP+OdT0gbTOxawYRLt1WGVtq 5TtdyK2yOkVRa+AmyWWKAnmNOH4vq3VWNEwbLMGInXAy9hP0yT7FWyzyGskTKuMDirjUWGBX aMrkVkNjKK/xVPzBUONX6q/Ct4x0Y/rHsn/W/bfY7JmO8YhKVfcrX0yPBDBhQgBdXTAd4llZ f93lu71Vx4n5VlPlmLqF4/xL5d3rszB+Y8jbc+ilEn2uVZvTHWUVa0EIDOzUwzN14vd+F+92 48GZ6O3J+B3DLWWjt//rdRCcjjn7BETWfjLliCgXrTeelE6QDp4Wqa5LHFIU9UNopm5X9zgp hmVMnK0AnKk2RUr9S3ihqhfVY7S IronPort-HdrOrdr: A9a23:dVF/867Y88ohT6Z5EgPXwDjXdLJyesId70hD6qkQc3Fom62j5q STdZEgvyMc5wx/ZJhNo7690cq7MBbhHPxOkOos1N6ZNWGLhILPFuBfBOPZqAEIcBeOlNK1u5 0BT0EEMqyWMbB75/yKnDVREbwbsaa6GHbDv5ah859vJzsaGp2J921Ce2Cm+tUdfng9OXI+fq Dsn/Zvln6bVlk8SN+0PXUBV/irnay3qHq3CSR2fyLO8WO1/EiV1II= X-Talos-CUID: 9a23:+tN6sWCs5MboMu76E3V2xn4NQfsgSSyH4G3WGk+qLV9ERaLAHA== X-Talos-MUID: 9a23:Ph3L3Aq2Yv2gxBx1mkgezxU5aeNz/qOhMQcIyZYa5daGERBMAzjI2Q== X-IronPort-AV: E=Sophos;i="6.00,194,1681185600"; d="scan'208";a="113007431" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= , Wei Liu Subject: [PATCH 4/4] x86/cpu-policy: Derive {,R}RSBA for guest policies Date: Fri, 26 May 2023 12:06:56 +0100 Message-ID: <20230526110656.4018711-6-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230526110656.4018711-1-andrew.cooper3@citrix.com> References: <20230526110656.4018711-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 The RSBA bit, "RSB Alternative", means that the RSB may use alternative predictors when empty. From a practical point of view, this mean "Retpoline not safe". Enhanced IBRS (officially IBRS_ALL in Intel's docs, previously IBRS_ATT) is a statement that IBRS is implemented in hardware (as opposed to the form retrofitted to existing CPUs in microcode). The RRSBA bit, "Restricted-RSBA", is a combination of RSBA, and the eIBRS property that predictions are tagged with the mode in which they were learnt. Therefore, it means "when eIBRS is active, the RSB may fall back to alternative predictors but restricted to the current prediction mode". As such, it's stronger statement than RSBA, but still means "Retpoline not safe". Add feature dependencies for EIBRS and RRSBA. While technically they're not linked, absolutely nothing good can of letting the guest see RRSBA without EIBRS. Furthermore, we use this dependency to simplify the max/default derivation logic. The max policies gets RSBA and RRSBA unconditionally set (with the EIBRS dependency maybe hiding RRSBA). We can run any VM, even if it has been told "somewhere else, Retpoline isn't safe". The default policies inherit the host settings, because the guest wants to run with as few (anti)features as it can safely get away with. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Roger Pau Monné CC: Wei Liu --- xen/arch/x86/cpu-policy.c | 25 +++++++++++++++++++++++++ xen/tools/gen-cpuid.py | 5 ++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index bdbc5660acd4..eb1ecb75f593 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -423,8 +423,14 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) * Retpoline not safe)", so these need to be visible to a guest in all * cases, even when it's only some other server in the pool which * suffers the identified behaviour. + * + * We can always run any VM which has previously (or will + * subsequently) run on hardware where Retpoline is not safe. Note: + * The dependency logic may hide RRSBA for other reasons. */ __set_bit(X86_FEATURE_ARCH_CAPS, fs); + __set_bit(X86_FEATURE_RSBA, fs); + __set_bit(X86_FEATURE_RRSBA, fs); } } @@ -432,6 +438,25 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) { if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL ) { + /* + * The {,R}RSBA bits under virt mean "you might migrate somewhere + * where retpoline is not safe". In particular, a VM's settings may + * not be applicable to the current host. + * + * Discard the settings inherited from the max policy, and and feed in + * the host values. The ideal case for a VM is for neither of these + * bits to be set, but toolstacks must accumuate them across anywhere + * the VM might migrate to, in case any possible destination happens + * to be unsafe. + * + * Note: The dependency logic might hide RRSBA for other reasons. + */ + fs[FEATURESET_m10Al] &= ~(cpufeat_mask(X86_FEATURE_RSBA) | + cpufeat_mask(X86_FEATURE_RRSBA)); + fs[FEATURESET_m10Al] |= + host_cpu_policy.arch_caps.lo & (cpufeat_mask(X86_FEATURE_RSBA) | + cpufeat_mask(X86_FEATURE_RRSBA)); + /* * IvyBridge client parts suffer from leakage of RDRAND data due to SRBDS * (XSA-320 / CVE-2020-0543), and won't be receiving microcode to diff --git a/xen/tools/gen-cpuid.py b/xen/tools/gen-cpuid.py index f28ff708a2fc..22294a26adc0 100755 --- a/xen/tools/gen-cpuid.py +++ b/xen/tools/gen-cpuid.py @@ -318,7 +318,7 @@ def crunch_numbers(state): # IBRSB/IBRS, and we pass this MSR directly to guests. Treating them # as dependent features simplifies Xen's logic, and prevents the guest # from seeing implausible configurations. - IBRSB: [STIBP, SSBD, INTEL_PSFD], + IBRSB: [STIBP, SSBD, INTEL_PSFD, EIBRS], IBRS: [AMD_STIBP, AMD_SSBD, PSFD, IBRS_ALWAYS, IBRS_FAST, IBRS_SAME_MODE], AMD_STIBP: [STIBP_ALWAYS], @@ -328,6 +328,9 @@ def crunch_numbers(state): # The ARCH_CAPS CPUID bit enumerates the availability of the whole register. ARCH_CAPS: list(range(RDCL_NO, RDCL_NO + 64)), + + # The behaviour described by RRSBA depend on eIBRS being active. + EIBRS: [RRSBA], } deep_features = tuple(sorted(deps.keys()))