x86/spec-ctrl: Disable retpolines with CET-IBT

CET-IBT depend on executing indirect branches for protections to apply.
Extend the clobber for CET-SS to all of CET.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
(cherry picked from commit 6e3f36387de566b09aa4145ea0e3bfe4814d68b4)

diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index ae076bec3ab040e6a06b585437cbabc97359586d..c19464da70ce04b51846ff529c264fe44b3b53d8 100644 (file)
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -948,13 +948,14 @@ void __init init_speculation_mitigations(void)
                      boot_cpu_has(X86_FEATURE_IBRS));
 
     /*
-     * First, disable the use of retpolines if Xen is using shadow stacks, as
-     * they are incompatible.
+     * First, disable the use of retpolines if Xen is using CET.  Retpolines
+     * are a ROP gadget so incompatbile with Shadow Stacks, while IBT depends
+     * on executing indirect branches for the safety properties to apply.
      *
      * In the absence of retpolines, IBRS needs to be used for speculative
      * safety.  All CET-capable hardware has efficient IBRS.
      */
-    if ( cpu_has_xen_shstk )
+    if ( read_cr4() & X86_CR4_CET )
     {
         if ( !has_spec_ctrl )
             printk(XENLOG_WARNING "?!? CET active, but no MSR_SPEC_CTRL?\n");