From 3a6db700619b049564d14688d711e0e69691b181 Mon Sep 17 00:00:00 2001 From: Norbert Manthey Date: Thu, 14 Mar 2019 13:56:00 +0100 Subject: [PATCH] is_control_domain: block speculation Checks of domain properties, such as is_hardware_domain or is_hvm_domain, might be bypassed by speculatively executing these instructions. A reason for bypassing these checks is that these macros access the domain structure via a pointer, and check a certain field. Since this memory access is slow, the CPU assumes a returned value and continues the execution. In case an is_control_domain check is bypassed, for example during a hypercall, data that should only be accessible by the control domain could be loaded into the cache. This is part of the speculative hardening effort. Signed-off-by: Norbert Manthey Acked-by: Jan Beulich --- xen/include/xen/sched.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 6d23b6d873..0b8d6d492c 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -911,10 +911,10 @@ void watchdog_domain_destroy(struct domain *d); * (that is, this would not be suitable for a driver domain) * - There is never a reason to deny the hardware domain access to this */ -#define is_hardware_domain(_d) ((_d) == hardware_domain) +#define is_hardware_domain(_d) evaluate_nospec((_d) == hardware_domain) /* This check is for functionality specific to a control domain */ -#define is_control_domain(_d) ((_d)->is_privileged) +#define is_control_domain(_d) evaluate_nospec((_d)->is_privileged) #define VM_ASSIST(d, t) (test_bit(VMASST_TYPE_ ## t, &(d)->vm_assist)) -- 2.39.5
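Review bot: The hunk in xen/include/xen/sched.h wraps is_hardware_domain() and is_control_domain() in evaluate_nospec() but adds no #include for it, and nothing in the diff shows where evaluate_nospec() is declared; please confirm that sched.h already includes the header providing it (or that an earlier patch in this series adds it), otherwise every translation unit that includes sched.h now depends on that header being pulled in first. Two smaller points: the commit message lists is_hvm_domain among the checks that can be bypassed, yet this patch touches only is_hardware_domain and is_control_domain, so either state that is_hvm_domain is handled elsewhere in the series or drop it from the description; and the block comment above `#define is_hardware_domain(_d)` still documents only the semantics of the check ("There is never a reason to deny the hardware domain access to this"), so a line recording that both macros now also act as speculation barriers would tell callers why the wrapper is there and that it must not be removed when the definitions are next touched.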