From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Mon, 30 Sep 2019 17:25:21 +0000 (+0100)
Subject: x86/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_BRANCH
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=2d6f36daa08640ebb0b658abffaede3a0ae50a20;p=people%2Fsstabellini%2Fxen-unstable.git%2F.git

x86/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_BRANCH

Just as with CONFIG_SPECULATIVE_HARDEN_ARRAY, branch hardening should be
configurable at compile time.

The previous CONFIG_HVM was a consequence of what could be discussed publicly
at the time the patches were submitted, and wasn't actually correct.  Later
patches will make further corrections.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Release-acked-by: Juergen Gross <jgross@suse.com>
---

diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 7fe538b027..fddb6c1707 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -102,6 +102,29 @@ config SPECULATIVE_HARDEN_ARRAY
 
 	  If unsure, say Y.
 
+config SPECULATIVE_HARDEN_BRANCH
+	bool "Speculative Branch Hardening"
+	default y
+	depends on X86
+        ---help---
+	  Contemporary processors may use speculative execution as a
+	  performance optimisation, but this can potentially be abused by an
+	  attacker to leak data via speculative sidechannels.
+
+	  One source of misbehaviour is by executing the wrong basic block
+	  following a conditional jump.
+
+	  When enabled, specific conditions which have been deemed liable to
+	  be speculatively abused will be hardened to avoid entering the wrong
+	  basic block.
+
+	  This is a best-effort mitigation.  There are no guarantees that all
+	  areas of code open to abuse have been hardened, nor that
+	  optimisations in the compiler haven't subverted the attempts to
+	  harden.
+
+	  If unsure, say Y.
+
 endmenu
 
 config KEXEC
diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h
index 427b5ff9df..154e92aed8 100644
--- a/xen/include/asm-x86/nospec.h
+++ b/xen/include/asm-x86/nospec.h
@@ -9,7 +9,7 @@
 /* Allow to insert a read memory barrier into conditionals */
 static always_inline bool barrier_nospec_true(void)
 {
-#ifdef CONFIG_HVM
+#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH
     alternative("", "lfence", X86_FEATURE_SC_L1TF_VULN);
 #endif
     return true;