From fb263ffc1f7fc1975dc072a5ebbd9d6e9021337a Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Fri, 22 Mar 2024 19:29:34 +0000 Subject: [PATCH] x86/spec-ctrl: Support the "long" BHB loop sequence MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Out of an abudnance of caution, implement the long loop too, and allowing for it to be opted in to. This is part of XSA-456 / CVE-2024-2201. Signed-off-by: Andrew Cooper Acked-by: Roger Pau Monné (cherry picked from commit d5887c0decbd90e798b24ed696628645b04632fb) --- docs/misc/xen-command-line.pandoc | 4 ++-- xen/arch/x86/bhb-thunk.S | 8 ++++++-- xen/arch/x86/spec_ctrl.c | 10 +++++++++- xen/include/asm-x86/cpufeatures.h | 1 + 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 98fcfa3fa8..2703e5986f 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2261,7 +2261,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, > {msr-sc,rsb,verw,{ibpb,bhb}-entry}=|{pv,hvm}=, -> bti-thunk=retpoline|lfence|jmp,bhb-seq=short|tsx, +> bti-thunk=retpoline|lfence|jmp,bhb-seq=short|tsx|long, > {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub,lock-harden, @@ -2333,7 +2333,7 @@ On all hardware, `bhb-seq=` can be used to select which of the BHB-clearing sequences gets used. This interacts with the `bhb-entry=` and `bhi-dis-s=` options in order to mitigate Branch History Injection on affected hardware. The default sequence is `short`, with `tsx` as an alternative available -capable hardware that can be opted in to. +capable hardware, and `long` that can be opted in to. On hardware supporting IBRS (Indirect Branch Restricted Speculation), the `ibrs=` option can be used to force or prevent Xen using the feature itself. 
diff --git a/xen/arch/x86/bhb-thunk.S b/xen/arch/x86/bhb-thunk.S index f52cfb9bc2..7e866784f7 100644 --- a/xen/arch/x86/bhb-thunk.S +++ b/xen/arch/x86/bhb-thunk.S @@ -56,9 +56,13 @@ ENTRY(clear_bhb_tsx) * * The "short" sequence (5 and 5) is for CPUs prior to Alder Lake / Sapphire * Rapids (i.e. Cores prior to Golden Cove and/or Gracemont). + * + * The "long" sequence (12 and 7) is for Alder Lake / Sapphire Rapids + * (i.e. Golden Cove and/or Gracemont cores). However, such CPUs are expected + * to use BHI_DIS_S in preference. */ ENTRY(clear_bhb_loops) - mov $5, %ecx + ALTERNATIVE "mov $5, %ecx", "mov $12, %ecx", X86_SPEC_BHB_LOOPS_LONG call 1f jmp 5f @@ -70,7 +74,7 @@ ENTRY(clear_bhb_loops) int3 .align 64 -2: mov $5, %eax +2: ALTERNATIVE "mov $5, %eax", "mov $7, %eax", X86_SPEC_BHB_LOOPS_LONG 3: jmp 4f int3 diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 4e6f18d0e1..34e174754b 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -52,6 +52,7 @@ static enum bhb_thunk { BHB_NONE, BHB_TSX, BHB_SHORT, + BHB_LONG, } opt_bhb_seq __initdata; /* Cmdline controls for Xen's speculative settings. */ @@ -313,6 +314,8 @@ static int __init parse_spec_ctrl(const char *s) opt_bhb_seq = BHB_TSX; else if ( !cmdline_strcmp(s, "short") ) opt_bhb_seq = BHB_SHORT; + else if ( !cmdline_strcmp(s, "long") ) + opt_bhb_seq = BHB_LONG; else rc = -EINVAL; } @@ -570,7 +573,8 @@ static void __init print_details(enum ind_thunk thunk) opt_bhb_seq != BHB_NONE ? "BHB-Seq: " : "", opt_bhb_seq == BHB_NONE ? "" : opt_bhb_seq == BHB_TSX ? "TSX, " : - opt_bhb_seq == BHB_SHORT ? "SHORT, " : "?, ", + opt_bhb_seq == BHB_SHORT ? "SHORT, " : + opt_bhb_seq == BHB_LONG ? "LONG, " : "?, ", (!boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBRS)) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", 
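Review bot: The two new ALTERNATIVE sites in clear_bhb_loops replace an immediate without saying why that is layout-safe: `mov $5, %ecx`/`mov $12, %ecx` and `mov $5, %eax`/`mov $7, %eax` are all 5-byte `mov imm32, r32` encodings, so no NOP padding is introduced and the `3: jmp 4f` that follows the `.align 64` at label 2 keeps its offset, which matters for a sequence whose whole purpose is a fixed branch pattern. I would record that next to the first site: `/* Both alternatives are 5-byte mov imm32 encodings: no padding, so the .align 64 layout below is unchanged. */`. The header comment could also say that X86_SPEC_BHB_LOOPS_LONG only refines the loop counts and presumably does not by itself select clear_bhb_loops (the "Upgrade" wording lives only in cpufeatures.h). The comment block starts before the hunk and clear_bhb_loops continues past it.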
@@ -1707,6 +1711,10 @@ static void __init bhi_calculations(void) switch ( opt_bhb_seq ) { + case BHB_LONG: + setup_force_cpu_cap(X86_SPEC_BHB_LOOPS_LONG); + fallthrough; + case BHB_SHORT: setup_force_cpu_cap(X86_SPEC_BHB_LOOPS); break; diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h index bada8912e0..ba3df174b7 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -58,6 +58,7 @@ XEN_CPUFEATURE(IBPB_ENTRY_HVM, X86_SYNTH(29)) /* MSR_PRED_CMD used by Xen for #define X86_SPEC_BHB_TSX X86_BUG(19) /* Use clear_bhb_tsx for BHI mitigation. */ #define X86_SPEC_BHB_LOOPS X86_BUG(20) /* Use clear_bhb_loops for BHI mitigation.*/ +#define X86_SPEC_BHB_LOOPS_LONG X86_BUG(21) /* Upgrade clear_bhb_loops to the "long" sequence. */ /* Total number of capability words, inc synth and bug words. */ #define NCAPINTS (FSCAPINTS + X86_NR_SYNTH + X86_NR_BUG) /* N 32-bit words worth of info */ -- 2.39.5
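Review bot: The `fallthrough` after `setup_force_cpu_cap(X86_SPEC_BHB_LOOPS_LONG)` is load-bearing but unexplained: the LONG bit only changes the immediates inside clear_bhb_loops, so it is useless unless X86_SPEC_BHB_LOOPS is set as well, and the fallthrough into `case BHB_SHORT` is what guarantees that. A one-line comment above the `fallthrough` would stop a later reordering from breaking it: `/* "long" only changes the loop counts; it still needs X86_SPEC_BHB_LOOPS to select clear_bhb_loops. */`. Note also that `bhb-seq=long` is honoured on any CPU with no hardware check, which is fine for an opt-in but worth stating here given the thunk comment says these parts are expected to use BHI_DIS_S instead. bhi_calculations and the switch both continue outside the hunk.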