x86: allow easier disabling of BTI mitigations

Support both a "disable everything" and a "disable all RSB overwriting"
sub-option.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 9c10d3a6e0f555eba589d40f7f3fbddd3d4c68cc..79feba6bcda7615695131c382bc2cf7659976e5e 100644 (file)
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -246,7 +246,7 @@ enough. Setting this to a high value may cause boot failure, particularly if
 the NMI watchdog is also enabled.
 
 ### bti (x86)
-> `= List of [ thunk=retpoline|lfence|jmp, ibrs=<bool>, ibpb=<bool>, rsb_{vmexit,native}=<bool> ]`
+> `= List of [ <bool>, thunk=retpoline|lfence|jmp, ibrs=<bool>, ibpb=<bool>, rsb=<bool>, rsb_{vmexit,native}=<bool> ]`
 
 Branch Target Injection controls.  By default, Xen will pick the most
 appropriate BTI mitigations based on compiled in support, loaded microcode,
@@ -255,6 +255,9 @@ and hardware details.
 **WARNING: Any use of this option may interfere with heuristics.  Use with
 extreme care.**
 
+A (negative) boolean value can be specified to turn off all mitigations.
+(Use of a positive boolean value is invalid.)
+
 If Xen was compiled with INDIRECT_THUNK support, `thunk=` can be used to
 select which of the thunks gets patched into the `__x86_indirect_thunk_%reg`
 locations.  The default thunk is `retpoline` (generally preferred for Intel
@@ -268,9 +271,10 @@ functionality is still set up so IBRS can be virtualised for guests.
 On hardware supporting IBPB, the `ibpb=` option can be used to prevent Xen
 from issuing Branch Prediction Barriers on vcpu context switches.
 
-The `rsb_vmexit=` and `rsb_native=` options can be used to fine tune when the
-RSB gets overwritten.  There are individual controls for an entry from HVM
-context, and an entry from a native (PV or Xen) context.
+The `rsb=`, `rsb_vmexit=` and `rsb_native=` options can be used to control
+when the RSB gets overwritten.  The former control all RSB overwriting, while
+the latter two can be used to fine tune overwriting on from HVM context, and
+an entry from a native (PV or Xen) context.
 
 ### xenheap\_megabytes (arm32)
 > `= <size>`

diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 9c1fe1936ebea24509c5cec2697de7fa1b60d5cf..f10ffbf823bb0e0acc39b51e1f7b567d4ac200f2 100644 (file)
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -50,7 +50,18 @@ static int __init parse_bti(const char *s)
         if ( !ss )
             ss = strchr(s, '\0');
 
-        if ( !strncmp(s, "thunk=", 6) )
+        val = parse_bool(s, ss);
+        if ( !val )
+        {
+            opt_thunk = THUNK_JMP;
+            opt_ibrs = 0;
+            opt_ibpb = false;
+            opt_rsb_native = false;
+            opt_rsb_vmexit = false;
+        }
+        else if ( val > 0 )
+            rc = -EINVAL;
+        else if ( !strncmp(s, "thunk=", 6) )
         {
             s += 6;
 
@@ -71,6 +82,11 @@ static int __init parse_bti(const char *s)
             opt_rsb_native = val;
         else if ( (val = parse_boolean("rsb_vmexit", s, ss)) >= 0 )
             opt_rsb_vmexit = val;
+        else if ( (val = parse_boolean("rsb", s, ss)) >= 0 )
+        {
+            opt_rsb_native = val;
+            opt_rsb_vmexit = val;
+        }
         else
             rc = -EINVAL;