x86/Kconfig: introduce option to select retpoline usage
authorRoger Pau Monne <roger.pau@citrix.com>
Fri, 18 Feb 2022 14:34:16 +0000 (15:34 +0100)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Mon, 21 Feb 2022 18:17:56 +0000 (18:17 +0000)
Add a new Kconfig option under the "Speculative hardening" section
that allows selecting whether to enable retpoline. This depends on the
underlying compiler having retpoline support.

Requested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
xen/arch/x86/Kconfig
xen/common/Kconfig

index 14658740972337ec482ce2574677015d68643089..41198b0f96eda0cda26f7d17ecf42da8c5e8e7a6 100644 (file)
@@ -36,10 +36,6 @@ config CC_HAS_INDIRECT_THUNK
        def_bool $(cc-option,-mindirect-branch-register) || \
                 $(cc-option,-mretpoline-external-thunk)
 
-config INDIRECT_THUNK
-       def_bool y
-       depends on CC_HAS_INDIRECT_THUNK
-
 config HAS_AS_CET_SS
        # binutils >= 2.29 or LLVM >= 6
        def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy)
index db687b1785e77ed79c8fcc6e9386595bcb0cafc6..64439438891c06d063eb6e630c4342b17a30f789 100644 (file)
@@ -85,6 +85,20 @@ config STATIC_MEMORY
 
 menu "Speculative hardening"
 
+config INDIRECT_THUNK
+       bool "Speculative Branch Target Injection Protection"
+       depends on CC_HAS_INDIRECT_THUNK
+       default y
+       help
+         Contemporary processors may use speculative execution as a
+         performance optimisation, but this can potentially be abused by an
+         attacker to leak data via speculative sidechannels.
+
+         One source of data leakage is via branch target injection.
+
+         When enabled, indirect branches are implemented using a new construct
+         called "retpoline" that prevents speculation.
+
 config SPECULATIVE_HARDEN_ARRAY
        bool "Speculative Array Hardening"
        default y