xenbits.xensource.com Git - xen.git/commit

author	Andrew Cooper <andrew.cooper3@citrix.com>
	Mon, 13 Jun 2022 15:19:01 +0000 (16:19 +0100)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Thu, 16 Jun 2022 12:40:24 +0000 (13:40 +0100)
commit	a84bc5bde583ffe1b9b697a4b1d2006c5614afff
tree	18b91080942425da5a5869d963ef112b49e7d7e2	tree
parent	1575075b2e3ac93e9bb2271f4c26a2fb7d947ade	commit \| diff

x86/spec-ctrl: Make VERW flushing runtime conditional

Currently, VERW flushing to mitigate MDS is boot time conditional per domain
type. However, to provide mitigations for DRPW (CVE-2022-21166), we need to
conditionally use VERW based on the trustworthiness of the guest, and the
devices passed through.

Remove the PV/HVM alternatives and instead issue a VERW on the return-to-guest
path depending on the SCF_verw bit in cpuinfo spec_ctrl_flags.

Introduce spec_ctrl_init_domain() and d->arch.verw to calculate the VERW
disposition at domain creation time, and context switch the SCF_verw bit.

For now, VERW flushing is used and controlled exactly as before, but later
patches will add per-domain cases too.

No change in behaviour.

This is part of XSA-404.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
(cherry picked from commit e06b95c1d44ab80da255219fc9f1e2fc423edcb6)

docs/misc/xen-command-line.pandoc		diff \| blob \| blame \| history
xen/arch/x86/domain.c		diff \| blob \| blame \| history
xen/arch/x86/hvm/vmx/entry.S		diff \| blob \| blame \| history
xen/arch/x86/spec_ctrl.c		diff \| blob \| blame \| history
xen/include/asm-x86/cpufeatures.h		diff \| blob \| blame \| history
xen/include/asm-x86/domain.h		diff \| blob \| blame \| history
xen/include/asm-x86/spec_ctrl.h		diff \| blob \| blame \| history
xen/include/asm-x86/spec_ctrl_asm.h		diff \| blob \| blame \| history