### spec-ctrl (x86)
> `= List of [ <bool>, xen=<bool>, {pv,hvm}=<bool>,
-> {msr-sc,rsb,verw,{ibpb,bhb}-entry}=<bool>|{pv,hvm}=<bool>,
+> {msr-sc,rsb,verw,{ibpb,bhb}-entry,asi}=<bool>|{pv,hvm}=<bool>,
> bti-thunk=retpoline|lfence|jmp,bhb-seq=short|tsx|long,
> {ibrs,ibpb,ssbd,psfd,
> eager-fpu,l1d-flush,branch-harden,srb-lock,
Use of a positive boolean value for either of these options is invalid.
-The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=`, `ibpb-entry=` and `bhb-entry=`
-options offer fine grained control over the primitives by Xen. These impact
-Xen's ability to protect itself, and/or Xen's ability to virtualise support
-for guests to use.
+The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=`, `ibpb-entry=`, `bhb-entry=` and
+`asi=` options offer fine grained control over the primitives by Xen. These
+impact Xen's ability to protect itself, and/or Xen's ability to virtualise
+support for guests to use.
* `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests
respectively.
is not available (see `bhi-dis-s`). The choice of scrubbing sequence can be
selected using the `bhb-seq=` option. If it is necessary to protect dom0
too, boot with `spec-ctrl=bhb-entry`.
+* `asi=` offers control over whether the hypervisor will engage in Address
+ Space Isolation, by not having sensitive information mapped in the VMM
+ page-tables. Not having sensitive information on the page-tables avoids
+ having to perform some mitigations for speculative attacks when
+ context-switching to the hypervisor.
If Xen was compiled with `CONFIG_INDIRECT_THUNK` support, `bti-thunk=` can be
used to select which of the thunks gets patched into the
static int8_t __initdata opt_gds_mit = -1;
static int8_t __initdata opt_div_scrub = -1;
+/* Address Space Isolation for PV/HVM. */
+int8_t __ro_after_init opt_asi_pv = -1;
+int8_t __ro_after_init opt_asi_hwdom = -1;
+int8_t __ro_after_init opt_asi_hvm = -1;
+
static int __init cf_check parse_spec_ctrl(const char *s)
{
const char *ss;
opt_unpriv_mmio = false;
opt_gds_mit = 0;
opt_div_scrub = 0;
+
+ opt_asi_pv = 0;
+ opt_asi_hwdom = 0;
+ opt_asi_hvm = 0;
}
else if ( val > 0 )
rc = -EINVAL;
opt_verw_pv = val;
opt_ibpb_entry_pv = val;
opt_bhb_entry_pv = val;
+ opt_asi_pv = val;
}
else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
{
opt_verw_hvm = val;
opt_ibpb_entry_hvm = val;
opt_bhb_entry_hvm = val;
+ opt_asi_hvm = val;
}
else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 )
{
break;
}
}
+ else if ( (val = parse_boolean("asi", s, ss)) != -1 )
+ {
+ switch ( val )
+ {
+ case 0:
+ case 1:
+ opt_asi_pv = opt_asi_hwdom = opt_asi_hvm = val;
+ break;
+
+ case -2:
+ s += strlen("asi=");
+ if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ opt_asi_pv = val;
+ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
+ opt_asi_hvm = val;
+ else
+ default:
+ rc = -EINVAL;
+ break;
+ }
+ }
/* Xen's speculative sidechannel mitigation settings. */
else if ( !strncmp(s, "bti-thunk=", 10) )
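Review bot: The `asi=pv` and `asi=hvm` forms handled in the new `case -2` arm update only opt_asi_pv / opt_asi_hvm, whereas the bare `asi=<bool>` arm directly above assigns opt_asi_hwdom as well, and the earlier `pv=` branch (`opt_asi_pv = val;`) also leaves opt_asi_hwdom untouched. As written, `spec-ctrl=asi,no-pv` therefore ends with ASI still selected for a PV hardware domain but cleared for PV domUs, and there is no sub-option at all to control the hardware domain on its own. If that asymmetry is intended it deserves a comment in this arm, e.g. `/* asi={pv,hvm} deliberately leave opt_asi_hwdom alone; only bare asi=<bool> sets it. */`; otherwise the `pv` sub-option should assign opt_asi_hwdom alongside opt_asi_pv. parse_spec_ctrl begins and ends outside this hunk.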
static __init void xpti_init_default(void)
{
+ ASSERT(opt_asi_pv >= 0 && opt_asi_hwdom >= 0);
+ if ( (opt_xpti_hwdom == 1 || opt_xpti_domu == 1) && opt_asi_pv == 1 )
+ {
+ printk(XENLOG_ERR
+ "XPTI is incompatible with Address Space Isolation - disabling ASI\n");
+ opt_asi_pv = 0;
+ }
if ( (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) ||
cpu_has_rdcl_no )
{
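Review bot: The XPTI/ASI conflict check added at the top of xpti_init_default clears only opt_asi_pv, so with `xpti=dom0` plus `spec-ctrl=asi` opt_asi_hwdom stays 1 while opt_xpti_hwdom is already 1, and the hardware domain ends up with both mechanisms enabled even though the XENLOG_ERR message claims ASI was disabled. Both variables should be covered: `if ( (opt_xpti_hwdom == 1 || opt_xpti_domu == 1) && (opt_asi_pv == 1 || opt_asi_hwdom == 1) )` with the reset written as `opt_asi_pv = opt_asi_hwdom = 0;`. The ASSERT is only valid because the caller replaces the `-1` defaults immediately before `xpti_init_default();`, which is visible further down in this patch but is worth a one-line comment here so the ordering dependency is not lost. The remainder of xpti_init_default lies outside this hunk.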
else
{
if ( opt_xpti_hwdom < 0 )
- opt_xpti_hwdom = 1;
+ opt_xpti_hwdom = !opt_asi_hwdom;
if ( opt_xpti_domu < 0 )
- opt_xpti_domu = 1;
+ opt_xpti_domu = !opt_asi_pv;
}
}
* mitigation support for guests.
*/
#ifdef CONFIG_HVM
- printk(" Support for HVM VMs:%s%s%s%s%s%s%s%s\n",
+ printk(" Support for HVM VMs:%s%s%s%s%s%s%s%s%s\n",
(boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ||
boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ||
boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ||
opt_eager_fpu ? " EAGER_FPU" : "",
opt_verw_hvm ? " VERW" : "",
boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : "",
- opt_bhb_entry_hvm ? " BHB-entry" : "");
+ opt_bhb_entry_hvm ? " BHB-entry" : "",
+ opt_asi_hvm ? " ASI" : "");
#endif
#ifdef CONFIG_PV
- printk(" Support for PV VMs:%s%s%s%s%s%s%s\n",
+ printk(" Support for PV VMs:%s%s%s%s%s%s%s%s\n",
(boot_cpu_has(X86_FEATURE_SC_MSR_PV) ||
boot_cpu_has(X86_FEATURE_SC_RSB_PV) ||
boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ||
opt_eager_fpu ? " EAGER_FPU" : "",
opt_verw_pv ? " VERW" : "",
boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : "",
- opt_bhb_entry_pv ? " BHB-entry" : "");
+ opt_bhb_entry_pv ? " BHB-entry" : "",
+ opt_asi_pv ? " ASI" : "");
printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n",
opt_xpti_hwdom ? "enabled" : "disabled",
hw_smt_enabled && default_xen_spec_ctrl )
setup_force_cpu_cap(X86_FEATURE_SC_MSR_IDLE);
+ /* Disable ASI by default until feature is finished. */
+ if ( opt_asi_pv == -1 )
+ opt_asi_pv = 0;
+ if ( opt_asi_hwdom == -1 )
+ opt_asi_hwdom = 0;
+ if ( opt_asi_hvm == -1 )
+ opt_asi_hvm = 0;
+
+ if ( opt_asi_pv || opt_asi_hwdom || opt_asi_hvm )
+ warning_add(
+ "Address Space Isolation is not functional, this option is\n"
+ "intended to be used only for development purposes.\n");
+
xpti_init_default();
l1tf_calculations();