xenbits.xensource.com Git - xen.git/commit
x86/entry: Avoid using alternatives in NMI/#MC paths
author Andrew Cooper <andrew.cooper3@citrix.com>
Mon, 22 Jan 2018 14:41:33 +0000 (14:41 +0000)
committer Andrew Cooper <andrew.cooper3@citrix.com>
Fri, 26 Jan 2018 14:10:21 +0000 (14:10 +0000)
commit 3fffaf9c13e9502f09ad4ab1aac3f8b7b9398f6f
tree 142808447ecb91e3300c9cc90cbab94a835159c5
parent e6c0128e9ab25bf66df11377a33ee5584d7f99e3
x86/entry: Avoid using alternatives in NMI/#MC paths

This patch is deliberately arranged to be easy to revert if/when alternatives
patching becomes NMI/#MC safe.

For safety, there must be a dispatch serialising instruction in (what is
logically) DO_SPEC_CTRL_ENTRY so that, in the case that Xen needs IBRS set in
context, an attacker can't speculate around the WRMSR and reach an indirect
branch within the speculation window.

Using conditionals opens this attack vector up, so the else clause gets an
LFENCE to force the pipeline to catch up before continuing.  This also covers
the safety of RSB conditional, as execution is guaranteed to either hit the
WRMSR or LFENCE.

One downside of not using alternatives is that there is unconditionally an LFENCE
in the IST path in cases where we are not using the features from IBRS-capable
microcode.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
xen/arch/x86/spec_ctrl.c
xen/arch/x86/x86_64/asm-offsets.c
xen/arch/x86/x86_64/entry.S
xen/include/asm-x86/current.h
xen/include/asm-x86/spec_ctrl.h
xen/include/asm-x86/spec_ctrl_asm.h
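
An added sketch, not the code from this commit or from Xen, of the conditional form the commit message describes, in GNU assembler AT&T syntax for x86-64 ring 0. The macro name, the labels and the flag byte at (%rbx) are assumptions made for illustration; MSR 0x48 is IA32_SPEC_CTRL, with IBRS in bit 0.

```asm
        .set    MSR_SPEC_CTRL,  0x48    # IA32_SPEC_CTRL
        .set    SPEC_CTRL_IBRS, 1       # IBRS is bit 0 of that MSR

# Hypothetical macro for an NMI/#MC (IST) entry path, where a plain
# runtime conditional is used instead of an alternatives-patched site.
# Assumption: %rbx points at a byte that is non-zero when IBRS must be
# set in this context. Clobbers %eax, %ecx, %edx.
        .macro  IST_SPEC_CTRL_ENTRY_SKETCH
        cmpb    $0, (%rbx)              # does this context need IBRS?
        je      .Lno_ibrs_\@            # the branch can be mispredicted either way

        # "Needed" path: the WRMSR is the serialising instruction, so
        # nothing after it runs speculatively ahead of the MSR write.
        mov     $MSR_SPEC_CTRL, %ecx
        mov     $SPEC_CTRL_IBRS, %eax
        xor     %edx, %edx
        wrmsr
        jmp     .Ldone_\@

.Lno_ibrs_\@:
        # "Not needed" path: if the CPU was steered here by a
        # misprediction while IBRS was in fact required, the LFENCE holds
        # later instructions until the cmpb/je above have resolved, so the
        # wrong path is discarded before any indirect branch is reached.
        lfence
.Ldone_\@:
        .endm
```

Either way the conditional is resolved, execution meets a WRMSR or an LFENCE before continuing, which is the property the message relies on. The cost it names is visible too: the LFENCE runs on every pass through the path where the MSR is not written.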