x86/boot: Clean up the trampoline transition into Long mode

The jmp after setting %cr0 is redundant with the following ljmp.

The CPUID to protect the jump to higher mappings was inserted due to an
abundance of caution/paranoia before Spectre was public.  It doesn't usefully
protect against an attack, which is able to leak memory with one single
instruction's worth of onward speculation.

Only CPU Hotplug (if used at all) will use this path while guests are
executing.  An attacker would have to be running and primed on an adjacent
thread while a hotplug event occurred, to gain one single data sample, and
have some other way of inferring that a hotplug event has occurred, which it
won't know directly.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>

diff --git a/xen/arch/x86/boot/trampoline.S b/xen/arch/x86/boot/trampoline.S
index 4b9a9697e974e1ff87c485862a31e297c8c931a0..824f45ec0fd552684b61be3addc2cfd2c2b98f38 100644 (file)
--- a/xen/arch/x86/boot/trampoline.S
+++ b/xen/arch/x86/boot/trampoline.S
@@ -101,8 +101,6 @@ trampoline_protmode_entry:
         mov     $(X86_CR0_PG | X86_CR0_AM | X86_CR0_WP | X86_CR0_NE |\
                   X86_CR0_ET | X86_CR0_MP | X86_CR0_PE), %eax
         mov     %eax,%cr0
-        jmp     1f
-1:
 
         /* Now in compatibility mode. Long-jump into 64-bit mode. */
         ljmp    $BOOT_CS64,$bootsym_rel(start64,6)
@@ -111,26 +109,6 @@ trampoline_protmode_entry:
 start64:
         /* Jump to high mappings. */
         movabs  $__high_start, %rdi
-
-#ifdef CONFIG_INDIRECT_THUNK
-        /*
-         * If booting virtualised, or hot-onlining a CPU, sibling threads can
-         * attempt Branch Target Injection against this jmp.
-         *
-         * We've got no usable stack so can't use a RETPOLINE thunk, and are
-         * further than disp32 from the high mappings so couldn't use
-         * JUMP_THUNK even if it was a non-RETPOLINE thunk.  Furthermore, an
-         * LFENCE isn't necessarily safe to use at this point.
-         *
-         * As this isn't a hotpath, use a fully serialising event to reduce
-         * the speculation window as much as possible.  %ebx needs preserving
-         * for __high_start.
-         */
-        mov     %ebx, %esi
-        cpuid
-        mov     %esi, %ebx
-#endif
-
         jmpq    *%rdi
 
 #include "video.h"