* Retpoline not safe)", so these need to be visible to a guest in all
* cases, even when it's only some other server in the pool which
* suffers the identified behaviour.
+ *
+ * We can always run any VM which has previously (or will
+ * subsequently) run on hardware where Retpoline is not safe.
+ * Note:
+ * - The dependency logic may hide RRSBA for other reasons.
+ * - The max policy does not constitute a sensible configuration to
+ * run a guest in.
*/
__set_bit(X86_FEATURE_ARCH_CAPS, fs);
+ __set_bit(X86_FEATURE_RSBA, fs);
+ __set_bit(X86_FEATURE_RRSBA, fs);
}
}
guest_common_default_feature_adjustments(fs);
sanitise_featureset(fs);
+
+ /*
+ * If the host suffers from RSBA of any form, and the guest can see
+ * MSR_ARCH_CAPS, reflect the appropriate RSBA/RRSBA property to the guest
+ * depending on the visibility of eIBRS.
+ */
+ if ( test_bit(X86_FEATURE_ARCH_CAPS, fs) &&
+ (cpu_has_rsba || cpu_has_rrsba) )
+ {
+ bool eibrs = test_bit(X86_FEATURE_EIBRS, fs);
+
+ __set_bit(eibrs ? X86_FEATURE_RRSBA
+ : X86_FEATURE_RSBA, fs);
+ }
+
x86_cpu_featureset_to_policy(fs, p);
recalculate_xstate(p);
}
__set_bit(X86_FEATURE_VIRT_SSBD, fs);
sanitise_featureset(fs);
+
+ /*
+ * If the host suffers from RSBA of any form, and the guest can see
+ * MSR_ARCH_CAPS, reflect the appropriate RSBA/RRSBA property to the guest
+ * depending on the visibility of eIBRS.
+ */
+ if ( test_bit(X86_FEATURE_ARCH_CAPS, fs) &&
+ (cpu_has_rsba || cpu_has_rrsba) )
+ {
+ bool eibrs = test_bit(X86_FEATURE_EIBRS, fs);
+
+ __set_bit(eibrs ? X86_FEATURE_RRSBA
+ : X86_FEATURE_RSBA, fs);
+ }
+
x86_cpu_featureset_to_policy(fs, p);
recalculate_xstate(p);
}
/* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.eax, word 16 */
XEN_CPUFEATURE(RDCL_NO, 16*32+ 0) /*A No Rogue Data Cache Load (Meltdown) */
XEN_CPUFEATURE(EIBRS, 16*32+ 1) /*A Enhanced IBRS */
-XEN_CPUFEATURE(RSBA, 16*32+ 2) /*!A RSB Alternative (Retpoline not safe) */
+XEN_CPUFEATURE(RSBA, 16*32+ 2) /*! RSB Alternative (Retpoline not safe) */
XEN_CPUFEATURE(SKIP_L1DFL, 16*32+ 3) /* Don't need to flush L1D on VMEntry */
XEN_CPUFEATURE(INTEL_SSB_NO, 16*32+ 4) /*A No Speculative Store Bypass */
XEN_CPUFEATURE(MDS_NO, 16*32+ 5) /*A No Microarchitectural Data Sampling */
XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */
XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */
XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */
-XEN_CPUFEATURE(RRSBA, 16*32+19) /*!A Restricted RSB Alternative */
+XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */
XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */
XEN_CPUFEATURE(XAPIC_STATUS, 16*32+21) /* MSR_XAPIC_DISABLE_STATUS */
XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */
# IBRSB/IBRS, and we pass this MSR directly to guests. Treating them
# as dependent features simplifies Xen's logic, and prevents the guest
# from seeing implausible configurations.
- IBRSB: [STIBP, SSBD, INTEL_PSFD],
+ IBRSB: [STIBP, SSBD, INTEL_PSFD, EIBRS],
IBRS: [AMD_STIBP, AMD_SSBD, PSFD, AUTO_IBRS,
IBRS_ALWAYS, IBRS_FAST, IBRS_SAME_MODE],
AMD_STIBP: [STIBP_ALWAYS],
# The ARCH_CAPS CPUID bit enumerates the availability of the whole register.
ARCH_CAPS: list(range(RDCL_NO, RDCL_NO + 64)),
+
+ # The behaviour described by RRSBA depend on eIBRS being active.
+ EIBRS: [RRSBA],
}
deep_features = tuple(sorted(deps.keys()))
projects / people / aperard / xen-unstable.git / commitdiff