xenbits.xensource.com Git - xen.git/commit

author	Andrew Cooper <andrew.cooper3@citrix.com>
	Mon, 27 Jun 2022 18:29:40 +0000 (19:29 +0100)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Tue, 12 Jul 2022 15:28:26 +0000 (16:28 +0100)
commit	35bf91d30f1a480dcf5bfd99b79384b2b283da7f
tree	7d2e5df1d3ce7a5cedf9f4c8a38bf7ded5449521	tree
parent	409976bed91f61fb7b053d536d2fc87cf3ad7018	commit \| diff

x86/spec-ctrl: Mitigate Branch Type Confusion when possible

Branch Type Confusion affects AMD/Hygon CPUs on Zen2 and earlier.  To
mitigate, we require SMT safety (STIBP on Zen2, no-SMT on Zen1), and to issue
an IBPB on each entry to Xen, to flush the BTB.

Due to performance concerns, dom0 (which is trusted in most configurations) is
excluded from protections by default.

Therefore:
* Use STIBP by default on Zen2 too, which now means we want it on by default
   on all hardware supporting STIBP.
* Break the current IBPB logic out into a new function, extending it with
   IBPB-at-entry logic.
* Change the existing IBPB-at-ctxt-switch boolean to be tristate, and disable
   it by default when IBPB-at-entry is providing sufficient safety.

If all PV guests on the system are trusted, then it is recommended to boot
with `spec-ctrl=ibpb-entry=no-pv`, as this will provide an additional marginal
perf improvement.

This is part of XSA-407 / CVE-2022-23825.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
(cherry picked from commit d8cb7e0f069e0f106d24941355b59b45a731eabe)

docs/misc/xen-command-line.pandoc		diff \| blob \| blame \| history
xen/arch/x86/spec_ctrl.c		diff \| blob \| blame \| history
xen/include/asm-x86/spec_ctrl.h		diff \| blob \| blame \| history