nodes using a device tree overlay binary (.dtbo).
- Introduce two new hypercalls to map the vCPU runstate and time areas by
physical rather than linear/virtual addresses.
+ - On x86, support for enforcing system-wide operation in Data Operand
+ Independent Timing Mode.
### Removed
- On x86, the "pku" command line option has been removed. It has never
additionally a trace buffer of the specified size is allocated per cpu.
The debug trace feature is only enabled in debugging builds of Xen.
+### dit (x86/Intel)
+> `= <boolean>`
+
+> Default: `CONFIG_DIT_DEFAULT`
+
+Specify whether Xen and guests should operate in Data Independent Timing
+mode (Intel calls this DOITM, Data Operand Independent Timing Mode). Note
+that enabling this option cannot guarantee anything beyond what underlying
+hardware guarantees (with, where available and known to Xen, respective
+tweaks applied).
+
### dma_bits
> `= <integer>`
select HAS_ALTERNATIVE
select HAS_COMPAT
select HAS_CPUFREQ
+ select HAS_DIT
select HAS_EHCI
select HAS_EX_TABLE
select HAS_FAST_MULTIPLY
alternative_vcall(ctxt_switch_masking, next);
}
+static void setup_doitm(void)
+{
+ uint64_t msr;
+
+ if ( !cpu_has_doitm )
+ return;
+
+ /*
+ * We don't currently enumerate DOITM to guests. As a conseqeuence, guest
+ * kernels will believe they're safe even when they are not.
+ *
+ * For now, set it unilaterally. This prevents otherwise-correct crypto
+ * code from becoming vulnerable to timing sidechannels.
+ */
+
+ rdmsrl(MSR_UARCH_MISC_CTRL, msr);
+ msr |= UARCH_CTRL_DOITM;
+ if ( !opt_dit )
+ msr &= ~UARCH_CTRL_DOITM;
+ wrmsrl(MSR_UARCH_MISC_CTRL, msr);
+}
+
bool opt_cpu_info;
boolean_param("cpuinfo", opt_cpu_info);
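Review bot: The block comment in setup_doitm() still says the bit is set "unilaterally", but the code below it clears `UARCH_CTRL_DOITM` whenever `opt_dit` is false, so the comment no longer matches the behaviour. The same comment says DOITM is not enumerated to guests, so it should also state what `dit=0` means: guests apparently cannot request data-independent timing themselves, and constant-time crypto inside them then depends on the hardware's default behaviour. Suggested replacement for the second paragraph: `Follow the "dit" option: set the bit when enabled, clear it otherwise. With it clear, guests cannot opt in on their own.` Also, "conseqeuence" is a typo, and the set-then-clear sequence would read more directly as `if ( opt_dit ) msr |= UARCH_CTRL_DOITM; else msr &= ~UARCH_CTRL_DOITM;`.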
mtrr_bp_init();
}
+
+ setup_doitm();
}
/* leaf 0xb SMT level */
#define cpu_has_tsx_ctrl boot_cpu_has(X86_FEATURE_TSX_CTRL)
#define cpu_has_taa_no boot_cpu_has(X86_FEATURE_TAA_NO)
#define cpu_has_mcu_ctrl boot_cpu_has(X86_FEATURE_MCU_CTRL)
+#define cpu_has_doitm boot_cpu_has(X86_FEATURE_DOITM)
#define cpu_has_fb_clear boot_cpu_has(X86_FEATURE_FB_CLEAR)
#define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA)
#define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL)
config HAS_DEVICE_TREE
bool
+config HAS_DIT # Data Independent Timing
+ bool
+
config HAS_EX_TABLE
bool
endmenu
+config DIT_DEFAULT
+ bool "Data Independent Timing default"
+ depends on HAS_DIT
+ help
+ Hardware often surfaces instructions the timing of which is dependent
+ on the data they process. Some of these instructions may be used in
+ timing sensitive environments, e.g. cryptography. When such
+ instructions exist, hardware may further surface a control allowing
+ to make the behavior of such instructions independent of the data
+ they act upon. Note the build time value can be overridden at runtime
+ using the "dit" command line option.
+
+ NB: Intel calls the feature DOITM (Data Operand Independent Timing
+ Mode).
+
config HYPFS
bool "Hypervisor file system support"
default y
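Review bot: `config DIT_DEFAULT` has no `default` line, so a build that does not select it runs with `opt_dit` false, and the help text never says what that implies. On x86 the false case actively clears the DOITM control in setup_doitm(), and that function's comment says guests are not offered the control themselves, so the build-time choice appears to decide the timing behaviour for every guest on the host. Consider adding a help sentence such as `When disabled (the default), Xen clears the control where it exists, so data-dependent instruction timing remains possible for Xen and all guests.` If there is a performance reason for leaving it off by default, naming it here would let an integrator weigh the trade-off.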
enum system_state system_state = SYS_STATE_early_boot;
+#ifdef CONFIG_HAS_DIT
+bool __ro_after_init opt_dit = IS_ENABLED(CONFIG_DIT_DEFAULT);
+boolean_param("dit", opt_dit);
+#endif
+
static xen_commandline_t saved_cmdline;
static const char __initconst opt_builtin_cmdline[] = CONFIG_CMDLINE;
string_param(_name, _var); \
string_runtime_only_param(_name, _var)
+extern bool opt_dit;
+
static inline void no_config_param(const char *cfg, const char *param,
const char *s, const char *e)
{