Type: SECURITY
Severity: IMPORTANT
Release Date: 2018-04-05
[4.1.3-25.el5.223.166]
- From 1e82fe31ed498bd1881c386a94b505e0c769f7bd Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan
Date: Wed, 21 Mar 2018 19:05:06 -0700
Subject: [PATCH 80/80] x86/boot: Disable IBRS in intr/nmi exit path at bootup stage
After reset, IBRS is disabled by the processor, but an incoming intr/nmi leaves IBRS
enabled after its exit. It's not necessary for bootup code to run in low
performance with IBRS enabled.
On ORACLE X6-2 (500GB/88 cpus, dom0 11GB/20 vcpus), we observed a 200s+ delay
in construct_dom0.
By initializing use_shadow_spec_ctrl with 1, IBRS is disabled in intr/nmi exit
path. Then delay in construct_dom0 is ~50s.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
Acked-by: Adnan Misherfi
(cherry picked from commit 52404341e0c4aced6a4ac9897d7b79be512f4e8b)
OraBug: 27751103
Signed-off-by: Patrick Colp
Reviewed-by: Boris Ostrovsky
[4.1.3-25.el5.223.165]
- From 2c8d5b6ac15ea746440cdc2dc4a823786c8360cd Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan
Date: Wed, 21 Mar 2018 20:30:22 -0700
Subject: [PATCH 79/80] Fix a wrong check in DO_SPEC_CTRL_EXIT_TO_XEN
The testb instruction in DO_SPEC_CTRL_EXIT_TO_XEN is wrong and it always sets
ZF, so the following je instruction will always jump.
%rsp doesn't point to the cpuinfo struct in intr/nmi context, we need to calculate
a correct pointer for the cpuinfo struct.
This patch fixes the above two issues.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
Acked-by: Adnan Misherfi
(cherry picked from commit 222bb10d34ac0eae6dd1147ecfa65788f4b9785c)
OraBug: 27751103
This is part of XSA-254.
Signed-off-by: Patrick Colp
Reviewed-by: Boris Ostrovsky
[4.1.3-25.el5.223.164]
- From 9c04d7b5ac9dd3ea5cb6c9486f21c21fb1e9786e Mon Sep 17 00:00:00 2001
From: Patrick Colp
Date: Thu, 8 Mar 2018 11:08:39 -0800
Subject: [PATCH] x86/hypercall: Add xen/perfc.h to fix compile error
Depending on the setup, compiling xen/arch/x86/hypercall.c will fail
in the following way:
hypercall.c: In function pv_hypercall:
hypercall.c:160: warning: implicit declaration of function perfc_incr
hypercall.c:160: error: hypercalls undeclared (first use in this function)
This adds the xen/perfc.h header to hypercall.c to make the declaration of
perfc_incr() explicit and fix the compile error.
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.163]
- From 76733c3723bed282f0e32a1a712970c2bf0c3185 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 14 Feb 2018 10:38:34 +0000
Subject: [PATCH 77/77] x86/spec_ctrl: Fix several bugs in
SPEC_CTRL_ENTRY_FROM_INTR_IST
DO_OVERWRITE_RSB clobbers %rax, meaning in practice that the bti_ist_info
field gets zeroed. Older versions of this code had the DO_OVERWRITE_RSB
register selectable, so reintroduce this ability and use it to cause the
INTR_IST path to use %rdx instead.
The use of %dl for the %cs.rpl check means that when an IST interrupt hits
Xen, we try to load 1 into the high 32 bits of MSR_SPEC_CTRL, suffering a #GP
fault instead.
Also, drop an unused label which was a copy/paste mistake.
Reported-by: Boris Ostrovsky
Reported-by: Zhenzhong Duan
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Reviewed-by: Wei Liu
Reviewed-by: Roger Pau Monne
(cherry picked from commit a2b08fbed388f18235fda5ba1655c1483ef3e215)
Signed-off-by: Patrick Colp
[4.1.3-25.el5.223.162]
- From 557bf14fb98fd83c7e3ff8dbb78a1038deb6f3bb Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Fri, 2 Feb 2018 11:56:08 +0100
Subject: [PATCH 76/77] x86: allow easier disabling of BTI mitigations
Support both a disable everything and a disable all RSB overwriting
sub-option.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
(cherry picked from commit 37f02a06b9d2f9d965b747a6752301314e935571)
File docs/misc/xen-command-line.markdown doesn't exist, so just ignore
those changes.
Conflicts:
docs/misc/xen-command-line.markdown
Signed-off-by: Patrick Colp
[4.1.3-25.el5.223.161]
- From 4deca58f1324708d4c265fd80a4b80ef504ad5d3 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 31 Jan 2018 16:09:39 +0000
Subject: [PATCH 75/77] x86/boot: Make alternative patching NMI-safe
During patching, there is a very slim risk that an NMI or MCE interrupt arrives in the
middle of altering the code in the NMI/MCE paths, in which case bad things
will happen.
The NMI risk can be eliminated by running the patching loop in NMI context, at
which point the CPU will defer further NMIs until patching is complete.
Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
Reviewed-by: Konrad Rzeszutek Wilk
(cherry picked from commit 5191c1ef51b00ec112206917647faea55be8b02f)
Add ACCESS_ONCE() macro to xen/include/xen/lib.h.
Surrounding code is slightly different.
Conflicts:
xen/arch/x86/alternative.c
Signed-off-by: Patrick Colp
[4.1.3-25.el5.223.160.1]
- From 3e0b5d50f2111fc4682af00ea749634e9b3c4834 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Tue, 6 Feb 2018 13:45:17 +0000
Subject: [PATCH 74/77] x86/spec_ctrl: Fix determination of when to use IBRS
The original version of this logic was:

    /*
     * On Intel hardware, we'd like to use retpoline in preference to
     * IBRS, but only if it is safe on this hardware.
     */
    else if ( boot_cpu_has(X86_FEATURE_IBRSB) )
    {
        if ( retpoline_safe() )
            thunk = THUNK_RETPOLINE;
        else
            ibrs = true;
    }

but it was changed by a request during review. Sadly, the result is buggy as
it breaks the later fallback logic by allowing IBRS to appear as available
when in fact it isn't.
This in practice means that on retpoline-unsafe hardware without IBRS, we
select THUNK_JUMP despite intending to select THUNK_RETPOLINE.
Reported-by: Zhenzhong Duan
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
(cherry picked from commit 30cbd0c83ef3d0edac2d5bcc41a9a2b7a843ae58)
The surrounding code is a bit different.
Conflicts:
xen/arch/x86/spec_ctrl.c
OraBug: 27370020
CVE: CVE-2017-5715/CVE-2017-5753/CVE-2017-5754
Signed-off-by: Patrick Colp
Reviewed-by: Boris Ostrovsky
[4.1.3-25.el5.223.160]
- From 26c0ff211367cce560d744896000c1aa5d3e312c Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Tue, 6 Feb 2018 12:11:56 -0800
Subject: [PATCH 73/77] xen/cmdline: Fix parse_boolean() for unadorned values
A command line such as cpuid=no-ibrsb,no-stibp tickles a bug in
parse_boolean() because the separating comma fails the NUL case.
Instead, check for slen == nlen which accounts for the boundary (if any)
passed via the e parameter.
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
(cherry picked from commit ac37ec1ddef234eeba6f438c29ff687c64962ebd)
Conflicts:
xen/common/kernel.c
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.159]
- From 2a5723f473f2dc3f1a041b452d8a84d80664f90d Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan
Date: Tue, 6 Feb 2018 12:07:53 -0800
Subject: [PATCH 72/77] Optimize the context switch code a bit
Based on upstream commit a2ed643ed783020f885035432e9c0919756921d1
x86/ctxt: Issue a speculation barrier between vcpu contexts
Only flush Branch Target Buffer when switching to a different vcpu context
or non idle context.
Use opt_ibpb instead of cpu_has_xen_ibpb suggested by Boris.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
Surrounding code was slightly different.
Conflicts:
xen/arch/x86/domain.c
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.158.1]
- From 0fe96932785feea27711a7734f335202bc162f7c Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan
Date: Tue, 6 Feb 2018 11:54:40 -0800
Subject: [PATCH 71/77] Update init_speculation_mitigations() to upstream's
Based on upstream commit 2713715305ca516f698d58cec5e0b322c3b2c4eb
x86/boot: Calculate the most appropriate BTI mitigation to use
Tried to port all changes in upstream commit to current code.
This should include all the changes, such as:
Set opt_rsb_native/opt_rsb_vmexit default to true, prefer retpoline without
checking X86_FEATURE_IBRSB, remove redundant variable have_mitigation,
remove *_SS variants for RSB stuff, enable RSB flushing no matter if IBRS is
enabled, etc.
Signed-off-by: Zhenzhong Duan
Change: bool -> bool_t; false -> 0; true -> 1
Conflicts:
xen/arch/x86/spec_ctrl.c
OraBug: 27370020
CVE: CVE-2017-5715/CVE-2017-5753/CVE-2017-5754
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.158]
- From d2fa0abfae733fbcaa6a9c6b8bd1068ca32d3255 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Tue, 6 Feb 2018 11:23:05 -0800
Subject: [PATCH 70/77] x86/entry: Avoid using alternatives in NMI/#MC paths
This patch is deliberately arranged to be easy to revert if/when alternatives
patching becomes NMI/#MC safe.
For safety, there must be a dispatch serialising instruction in (what is
logically) DO_SPEC_CTRL_ENTRY so that, in the case that Xen needs IBRS set in
context, an attacker can't speculate around the WRMSR and reach an indirect
branch within the speculation window.
Using conditionals opens this attack vector up, so the else clause gets an
LFENCE to force the pipeline to catch up before continuing. This also covers
the safety of the RSB conditional, as execution is guaranteed to either hit the
WRMSR or LFENCE.
One downside of not using alternatives is that there is unconditionally an LFENCE
in the IST path in cases where we are not using the features from IBRS-capable
microcode.
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
(cherry picked from commit 3fffaf9c13e9502f09ad4ab1aac3f8b7b9398f6f)
Conflicts:
xen/arch/x86/spec_ctrl.c
xen/arch/x86/x86_64/entry.S
xen/include/asm-x86/current.h
Add a #define of UNLIKELY_DISPATCH_LABEL in xen/include/asm-x86/asm_defns.h
picked from upstream commit 8e0da8c07f4f80e14314977a11f738bd74a5b62b
x86: Improve information from domain_crash_synchronous
Signed-off-by: Zhenzhong Duan
Add #define of __maybe_unused to xen/include/xen/compiler.h
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.157.1]
- From 9e95e8af5b01f87dec62fcc699a49f48d53f6191 Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan
Date: Tue, 6 Feb 2018 11:13:13 -0800
Subject: [PATCH 69/77] Update RSB related implementation to upstream ones
Based on upstream commit e6c0128e9ab25bf66df11377a33ee5584d7f99e3
x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
Update DO_OVERWRITE_RSB definition to upstream's.
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
CVE: CVE-2017-5715/CVE-2017-5753/CVE-2017-5754
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.157]
- From a07640e9c9f3fd662ba60a2d81eb7114c3a9b632 Mon Sep 17 00:00:00 2001
From: Elena Ufimtseva
Date: Tue, 16 Jan 2018 19:16:36 -0500
Subject: [PATCH 68/77] x86/domain: Move hvm_vcpu_initialize() before
cpuid_policy_changed()
Move hvm_vcpu_initialize() before cpuid_policy_changed() which
will allocate memory for MSR permission map and can be used in
cpuid_policy_changed without triggering BUG_ON.
Signed-off-by: Elena Ufimtseva
Reviewed-by: Boris Ostrovsky
Use is_hvm_domain() instead of has_hvm_container(), as the latter function
does not exist in older Xen. Instead of going to done on
hvm_vcpu_initialise() failure, call xsave_free_save_area() and return, which
mimics what the original code did.
Conflicts:
xen/arch/x86/domain.c
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.156]
- From bfe75c2972c8089fbec28c579fe0e2eb56e5383b Mon Sep 17 00:00:00 2001
From: Elena Ufimtseva
Date: Thu, 18 Jan 2018 11:31:49 -0500
Subject: [PATCH 67/77] x86/svm: clear CPUID IBPB when feature is not supported
The CPUID bit which exposes IBPB support to the guest was cleared under an incorrect
check of the stibp field of the CPUID policy, resulting in the guest not seeing this feature.
Fix this by using the correct check of ibpb in the cpuid_policy structure.
Signed-off-by: Elena Ufimtseva
Reviewed-by: Boris Ostrovsky
(cherry picked from commit bb793ca5296e2100f1453f20360f02dfb9c920e5)
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.155.1]
- From e7b8d84d8c6220195f83333e1a72ef6ca6f7d9e0 Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Thu, 11 Jan 2018 10:30:03 -0500
Subject: [PATCH 66/77] x86/Spectre: Set thunk to THUNK_NONE if compiler
support is not available
If no microcode patch is available we end up setting thunk to THUNK_JMP,
which really is equivalent to THUNK_NONE (if CONFIG_INDIRECT_THUNK is not
set, which it is not) but is somewhat misleading in terms of reporting.
With this change the reported mitigation set will look as follows:
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: SMEP IBRS/IBPB STIBP
(XEN) BTI mitigations: Thunk N/A, Others: IBRS+ IBPB SMEP RSB_VMEXIT
Signed-off-by: Boris Ostrovsky
Reviewed-by: Darren Kenny
Reviewed-by: Bhavesh Davda
(cherry picked from commit 88bf1ed2b377f03de6e6b20283af90be5065b395)
OraBug: 27370020
CVE: CVE-2017-5715/CVE-2017-5753/CVE-2017-5754
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.155]
- From 3f0c8c59efbe126f29cf209a32f63ffb29a07ae3 Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Sat, 6 Jan 2018 15:39:54 -0500
Subject: [PATCH 65/77] x86: cpuint. Move trap_init and init_idle_domain
Commit "x86: cpuint. Move the detection of CPU capabilities" moved
identify_cpu() ahead. On an env without MSR MSR_INTEL_PLATFORM_INFO,
probe_intel_cpuid_faulting() triggers a #GP.
Move trap_init() ahead too so that the exception fixup mechanism takes over the #GP.
Move init_idle_domain() ahead to prevent #PG when loading GDT.
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.154.1]
- From 55e087117569f09f45e3ea160f1dbef7a46f89e4 Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Sat, 6 Jan 2018 15:06:43 -0500
Subject: [PATCH 64/77] x86: Don't use retpoline if CONFIG_INDIRECT_THUNK is
not set
If this config option is not set (which it is not, unless compiler
support is available) the thunk degenerates to the original indirect
call/jmp.
This is XSA-254.
Reported-by: Bhavesh Davda
Reviewed-by: Konrad Rzeszutek Wilk
Signed-off-by: Boris Ostrovsky
Signed-off-by: Zhenzhong Duan
The code surrounding one of the changes is slightly different.
Conflicts:
xen/arch/x86/spec_ctrl.c
OraBug: 27370020
CVE: CVE-2017-5715/CVE-2017-5753/CVE-2017-5754
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.154]
- From 0a00914b7916dd3fe36d6f1a48d245de9aa5d226 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Wed, 3 Jan 2018 18:46:17 -0500
Subject: [PATCH 63/77] x86: cpuint. Move the detection of CPU capabilities
right after the microcode has been loaded but before the
speculation check.
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.153]
- From b73fd2711a3c49da98e6688a7ef1d20a759bc375 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Wed, 3 Jan 2018 18:46:16 -0500
Subject: [PATCH 62/77] migration: Set the CPUID _before_
XEN_DOMCTL_sethvmcontext
As the MSRs depend on the cpuid policies, and if we don't
set them we will always have:
(XEN) HVM6 restore: CPU_MSR 0
(XEN) HVM6 restore: failed to load entry 20/0
Along with:
xc: progress: Reloading memory pages: 262144/1044481 25%
xc: error: error setting the HVM context (1 = Operation not permitted): Internal error
libxl: error: libxl_create.c:942:libxl__xc_domain_restore_done: restoring domain: Resource temporarily unavailable
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.152]
- From 92cf65be49042ecc4aca96ee8537e2cc504edcfc Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Wed, 3 Jan 2018 18:46:15 -0500
Subject: [PATCH 61/77] x86/xen: Make cpu_has_[stibp,ibrsp,etc] work.
All of those macros depend on c->x86_capability bits being
set but we don't set them for word 8 and word 9. Which means
they are always set to zero.
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
Conflicts:
xen/arch/x86/cpu/common.c
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.151]
- From 60b60b3f4604fa1308a49afda01d69bb6db751ff Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Wed, 3 Jan 2018 18:46:14 -0500
Subject: [PATCH 60/77] x86: Expose CPUID.7, EDX.26->27 and CPUID.0x80000008,
EBX.12
If the CPU has this exposed _and_ the CPUID policy specifies it
as such.
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Boris Ostrovsky
Conflicts:
- context
Conflicts with OVM345:
xen/arch/x86/hvm/hvm.c
Signed-off-by: Zhenzhong Duan
The values in tools/libxc/xc_cpufeature.h needed to be changed to be in
the older format (e.g., 12 -> (8*32+12)). Otherwise, the code surrounding
some of the changes is slightly different.
Conflicts:
tools/libxc/xc_cpufeature.h
tools/libxc/xc_cpuid_x86.c
xen/arch/x86/hvm/hvm.c
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.150]
- From c020bf5052cf0c0b49f1c4f4e3e9c368be96ad98 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:13 -0500
Subject: [PATCH 59/77] x86/idle: Clear SPEC_CTRL while idle
On contemporary hardware, setting IBRS/STIBP has a performance impact on
adjacent hyperthreads. It is therefore recommended to clear the setting
before becoming idle, to avoid an idle core preventing adjacent userspace
execution from running at full performance.
Care must be taken to ensure there are no ret or indirect branch instructions
between spec_ctrl_{enter,exit}_idle() invocations, which are forced always
inline. Care must also be taken to avoid using spec_ctrl_enter_idle() between
flushing caches and becoming idle, in cases where that matters.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Signed-off-by: Konrad Rzeszutek Wilk
Add #include
missing __stringify.
Signed-off-by: Zhenzhong Duan
The file xen/arch/x86/cpu/mwait-idle.c doesn't exist (nor does its code
exist somewhere else), so just ignore those changes.
The code surrounding some of the changes in cpu_idle.c is slightly
different.
Conflicts:
xen/arch/x86/acpi/cpu_idle.c
xen/arch/x86/cpu/mwait-idle.c
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.149]
- From 1916287d71e6b87a9b326509b22035dce3a82207 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:12 -0500
Subject: [PATCH 58/77] x86/cpuid: Offer Indirect Branch Controls to guests
With all infrastructure in place, it is now safe to let guests see and use
these features. Allow AMD's IBPB to be set even on Intel hardware, so the
toolstack can express IBPB only to guests.
This also requires updating the libxc logic to understand the e8b feature
leaf, which has the side effect of also offering CLZERO on applicable
hardware.
Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- No cpuid.c/calculate_host_policy, put the chunk into
update_domain_cpuid_info()
- No need for cpufeature.h changes, they are for auto-generated CPUIDs
- We don't support X86_FEATURE_CLZERO so no related changes in xc_cpuid_hvm_policy()
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.148]
- From a5639cb066ba5a6ccd4ac3a14ed9af0caf63ad90 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:11 -0500
Subject: [PATCH 57/77] x86/ctxt: Issue a speculation barrier between vcpu
contexts
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflict:
- cpufeature.h differences
- context
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
The file docs/misc/xen-command-line.markdown doesn't exist, so just ignore
the changes.
Conflicts:
docs/misc/xen-command-line.markdown
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.147]
- From 730f1552a8783e32b1df729efb7edd2f22c3ceee Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Fri, 19 Jan 2018 10:49:06 -0800
Subject: [PATCH 56/77] x86/entry: Clobber the Return Stack Buffer on entry to
Xen
ret instructions are unconditionally speculated based on values in the RSB.
If any path in Xen executes more ret than call instructions, speculation can
start following a guest controlled RSB entry.
There is at least one path (wake from waitqueue) which can end up executing
more ret than call instructions. There may be other paths as well.
To mitigate, overwrite the RSB (when appropriate; see code for details) when
entering Xen from guest context.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- cpufeature.h differences
- context
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
The file docs/misc/xen-command-line.markdown doesn't exist, so just ignore
the changes.
Conflicts:
docs/misc/xen-command-line.markdown
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.146.1]
- From 9f402c09e29dd4f54a42be030fc34ab85ff2e574 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:09 -0500
Subject: [PATCH 55/77] x86/boot: Calculate the most appropriate BTI mitigation
to use
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- context
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
The file docs/misc/xen-command-line.markdown doesn't exist, so just ignore
those changes.
Conflicts:
docs/misc/xen-command-line.markdown
OraBug: 27370020
CVE: CVE-2017-5715/CVE-2017-5753/CVE-2017-5754
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.146]
- From 107b2cb82456a67f367c6fbe00e444ccb46b2bc4 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:08 -0500
Subject: [PATCH 54/77] x86/entry: Use MSR_SPEC_CTRL at each entry/exit point
Set or clear IBRS in Xen context, and appropriate guest values in guest
context. See the documentation in asm-x86/spec_ctrl_asm.h for details.
Two semi-unrelated bugfixes are that various asm_defn.h macros have a hidden
dependency on PAGE_SIZE, which results in an assembler error if used in a
.macro definition. Secondly, _ASM_MK_NOP() needs a separator at the end,
rather than relying on its calling context for separation.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- context in entry.S (all of them), different labels, different routines
- various context conflicts
- add ifdef __ASSEMBLY__ to cpufeature.h
- We don't have GET_STACK_END (from commit 4f6aea06) so use
DO_SPEC_CTRL_EXIT_TO_XEN/DO_SPEC_CTRL_ENTRY from v4
Signed-off-by: Konrad Rzeszutek Wilk
Conflicts with OVM345:
xen/arch/x86/hvm/svm/entry.S
xen/arch/x86/hvm/vmx/entry.S
Signed-off-by: Zhenzhong Duan
The surrounding code of the changes is slightly different.
Conflicts:
xen/arch/x86/hvm/svm/entry.S
xen/arch/x86/hvm/vmx/entry.S
xen/arch/x86/x86_64/asm-offsets.c
xen/arch/x86/x86_64/compat/entry.S
xen/include/asm-x86/current.h
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.145]
- From 578a6587f9e42061f15c0db1d29aaae18a808948 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:07 -0500
Subject: [PATCH 53/77] x86: Protect unaware domains from meddling hyperthreads
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- cpufeature.h differences
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.144]
- From fb2d96abb5ab24e8865f05039a187a0a0f5b1ac1 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:06 -0500
Subject: [PATCH 52/77] x86/hvm: Permit guests direct access to
MSR_{SPEC_CTRL,PRED_CMD}
For performance reasons, HVM guests should have direct access to these MSRs
when possible.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- Simplified call_policy_changed computation in
update_domain_cpuid_info()
- Adjust for different MSR intercept interface
(vmx_disable_intercept_for_msr() vs vmx_set_msr_intercept())
- context
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.143]
- From 33d9d5ad5e911d63f69542bebb86f96ae57c4d94 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:05 -0500
Subject: [PATCH 51/77] x86/migrate: Move MSR_SPEC_CTRL on migrate
Signed-off-by: Andrew Cooper
Reviewed-by: Wei Liu
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- context in arch/x86/hvm/hvm.c
- No need to port changes to xen/arch/x86/domctl.c (see comment in
x86: Avoid corruption on migrate for vcpus using CPUID Faulting patch)
Signed-off-by: Konrad Rzeszutek Wilk
- And expose in msrs_to_send the new MSR.
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.142]
- From ce1b2a5ef20fd3a0d501db41c4cdfe0acbf477d0 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:04 -0500
Subject: [PATCH 50/77] x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for
guests
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- context
- (re-)add gp_fault label
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
For some reason, old gcc (at least version 4.1.2) does not like shifting
1ULL by 0. SPEC_CTRL_IBRS is defined as ((1ULL) << _SPEC_CTRL_IBRS)
where _SPEC_CTRL_IBRS is defined as 0. This causes the compiler to error
out complaining about unmatched ) and an extra ULL. By removing the ULL
and the extra parentheses around the 1, it compiles fine.
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.141]
- From 58a47a06b43e9b09ba16b98bf604fb4f15ab1348 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:03 -0500
Subject: [PATCH 49/77] x86: Introduce a common cpuid_policy_updated()
No practical change at the moment, but future changes will need to react
irrespective of guest type.
Signed-off-by: Andrew Cooper
Reviewed-by: Wei Liu
Acked-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- Different update_domain_cpuid_info implementation
- context differences
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.140]
- From 6016cb105219bbf3c3228ec414c15e5f05f54cb8 Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Wed, 3 Jan 2018 18:46:02 -0500
Subject: [PATCH 48/77] x86: Introduce framework for cpuid policy updates
And also set cpuid_policy bits.
Signed-off-by: Boris Ostrovsky
Signed-off-by: Konrad Rzeszutek Wilk
Conflicts with OVM345:
xen/arch/x86/domctl.c
Signed-off-by: Zhenzhong Duan
Code surrounding the changes is slightly different.
Conflicts:
xen/arch/x86/domctl.c
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.139]
- From 410efcdaaf9cf70a1ecbb2b553356d9a8ac18b75 Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Wed, 3 Jan 2018 18:46:01 -0500
Subject: [PATCH 47/77] x86: Introduce cpuid_policy
Just enough to get by...
Also added the allocation on the idle domain path.
Signed-off-by: Boris Ostrovsky
Signed-off-by: Konrad Rzeszutek Wilk
Code surrounding the changes is slightly different.
Conflicts:
xen/arch/x86/domain.c
xen/include/asm-x86/domain.h
OraBug: 27370020
Signed-off-by: Patrick Colp
Signed-off-by: Ankur Arora
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.138]
- From 26ac1001c7aecdbdd8e1800e01ebdbded3cdf5aa Mon Sep 17 00:00:00 2001
From: Gregory Herrero
Date: Thu, 12 Jan 2017 19:56:49 +0100
Subject: [PATCH 46/77] xen: string: add few helpers from kernel side.
strtobool() and strcspn() are needed to parse module parameters.
Signed-off-by: Blaise Boscaccy
Signed-off-by: Gregory Herrero
Backport from OVM345, need it to fix bool type unrecognized compile error
introduced by x86/msr: introduce struct msr_vcpu_policy
Signed-off-by: Zhenzhong Duan
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.137]
- From a1344ce0f964610379cad8b42e9d74ca50032b55 Mon Sep 17 00:00:00 2001
From: Sergey Dyasli
Date: Tue, 16 Jan 2018 08:40:57 +0800
Subject: [PATCH 45/77] x86/msr: introduce struct msr_vcpu_policy
The new structure contains information about the guest's MSRs that are
unique to each vCPU. It starts with only 1 MSR:
MSR_INTEL_MISC_FEATURES_ENABLES
Which currently has only 1 usable bit: cpuid_faulting.
Add 2 global policy objects: hvm_max and pv_max that are inited during
boot up. Availability of MSR_INTEL_MISC_FEATURES_ENABLES depends on
availability of MSR_INTEL_PLATFORM_INFO.
Add init_vcpu_msr_policy() which sets initial MSR policy for every vCPU
during domain creation with a special case for Dom0.
Signed-off-by: Sergey Dyasli
Reviewed-by: Andrew Cooper
Reviewed-by: Kevin Tian
(cherry picked from commit 4187f79dc7184d90a1aa7a0439ccee2bc25355c2)
Signed-off-by: Boris Ostrovsky
Conflicts:
- mostly context
Signed-off-by: Konrad Rzeszutek Wilk
[Also no ZERO_BLOCK_PTR, so fix that with xzalloc_bytes]
Signed-off-by: Boris Ostrovsky
Conflicts:
- Free policy in vcpu_destroy (this happens to be XSA-253)
OVM3.3 didn't have is_pv_domain, use is_hvm_domain instead
Signed-off-by: Zhenzhong Duan
Code surrounding the changes is a bit different.
Conflicts:
xen/arch/x86/domain.c
xen/include/asm-x86/domain.h
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.136]
- From 5c5b7cb98187a2c21675b9d34789182f6762f3c6 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:59 -0500
Subject: [PATCH 44/77] x86/cmdline: Introduce a command line option to disable
IBRS/IBPB, STIBP and IBPB
Instead of gaining yet another top level boolean, introduce a more generic
cpuid= option. Also introduce a helper function to parse a generic boolean
value.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- no arch/x86/cpuid.c, used arch/s86/setup.c for parse_xen_cpuid
- context conflicts
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
The file docs/misc/xen-command-line.markdown doesn't exist, so just ignore
those changes.
Conflicts:
docs/misc/xen-command-line.markdown
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.135]
- From ccedf02175d639d6c752cdec06a9cd1bccb93ef9 Mon Sep 17 00:00:00 2001
From: Juergen Gross
Date: Mon, 15 Jan 2018 04:40:55 +0800
Subject: [PATCH 43/77] xen: add an optional string end parameter to
parse_bool()
Add a parameter to parse_bool() to specify the end of the to be
parsed string. Specifying it as NULL will preserve the current
behavior to parse until the end of the input string, while passing
a non-NULL pointer will specify the first character after the input
string.
This will allow to parse boolean sub-strings without having to
write a NUL byte into the input string.
Modify all users of parse_bool() to pass NULL for the new parameter.
(cherry-picked from commit 532dec8e31174ed450adfd36a4b0b41dec27010d)
Reviewed-by: Kevin Tian
Reviewed-by: Wei Liu
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- context, some files don't need a backport
Signed-off-by: Konrad Rzeszutek Wilk
Chunk for xen/arch/x86/nmi.c is unnecessary for OVM33trunk and ignored
Updated parse_bool() call in xen/drivers/passthrough/x86/ats.c
Signed-off-by: Zhenzhong Duan
The file docs/misc/xen-command-line.markdown doesn't exist, so just ignore
those changes. The file xen/drivers/passthrough/x86/atc.c exists, but at a
different location: xen/drivers/passthrough/vtd/x86/atc.c
The parse_vpmu_param() function doesn't exist, so its changes are not
needed. Otherwise, just some surrounding code is different.
Conflicts:
docs/misc/xen-command-line.markdown
xen/arch/x86/hvm/vpmu.c
xen/drivers/passthrough/iommu.c
xen/drivers/passthrough/x86/ats.c
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
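The parse_bool() end-pointer change in this entry and the parse_boolean() boundary fix in the PATCH 73 entry above, as one added C example that is not Xen's code: both functions are written in the shape the two messages describe, the pre-fix NUL check is kept beside the slen == nlen check so the cpuid=no-ibrsb,no-stibp case can be compared directly, and a hypothetical cpuid_opt_value() driver splits the comma-separated value without writing into the input string. The accepted boolean spellings are this example's choice.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not Xen's code.  parse_bool() takes an optional end
 * pointer 'e' so a boolean sub-string can be parsed without writing a NUL
 * into the input; parse_boolean() accepts "name", "no-name" and
 * "name=<bool>" and checks lengths against that boundary.
 */

/* Returns 1 for true, 0 for false, -1 if unrecognised.  'e' is NULL to
 * parse up to the terminating NUL, else points just past the token. */
int parse_bool(const char *s, const char *e)
{
    size_t len = e ? (size_t)(e - s) : strlen(s);
    switch ( len )
    {
    case 1:
        if ( *s == '1' ) return 1;
        if ( *s == '0' ) return 0;
        break;
    case 2:
        if ( !strncmp(s, "on", 2) ) return 1;
        if ( !strncmp(s, "no", 2) ) return 0;
        break;
    case 3:
        if ( !strncmp(s, "yes", 3) ) return 1;
        if ( !strncmp(s, "off", 3) ) return 0;
        break;
    }
    return -1;
}

/* Pre-fix shape: the unadorned-name case is detected by looking for a NUL
 * at s[nlen].  With "no-ibrsb,no-stibp" and 'e' at the comma, s[nlen] is
 * ',' so the option is rejected even though it was spelled correctly. */
int parse_boolean_old(const char *name, const char *s, const char *e)
{
    int val = !!strncmp(s, "no-", 3);           /* "no-name" => name=0 */
    size_t slen, nlen;
    if ( !val )
        s += 3;
    slen = e ? (size_t)(e - s) : strlen(s);
    nlen = strlen(name);
    if ( slen < nlen || strncmp(s, name, nlen) )
        return -1;                              /* some other option */
    if ( !s[nlen] )                             /* BUG: ',' is not NUL */
        return val;
    if ( s[nlen] == '=' )
        return parse_bool(&s[nlen + 1], e);
    return -1;
}

/* Fixed shape: compare the token length against the name length, which
 * accounts for the boundary passed via 'e'. */
int parse_boolean(const char *name, const char *s, const char *e)
{
    int val = !!strncmp(s, "no-", 3);
    size_t slen, nlen;
    if ( !val )
        s += 3;
    slen = e ? (size_t)(e - s) : strlen(s);
    nlen = strlen(name);
    if ( slen < nlen || strncmp(s, name, nlen) )
        return -1;
    if ( slen == nlen )                         /* exact, unadorned name */
        return val;
    if ( s[nlen] == '=' )                       /* name=<bool> */
        return parse_bool(&s[nlen + 1], e);
    return -1;
}

/* Hypothetical driver for this example: walks a comma-separated value such
 * as "no-ibrsb,no-stibp" and returns 1/0 if 'feature' is mentioned, or -1
 * if it is absent.  A later mention overrides an earlier one. */
int cpuid_opt_value(const char *opts, const char *feature)
{
    const char *s = opts;
    int result = -1;
    for ( ;; )
    {
        const char *comma = strchr(s, ',');     /* NULL: last token */
        int val = parse_boolean(feature, s, comma);
        if ( val >= 0 )
            result = val;
        if ( !comma )
            return result;
        s = comma + 1;
    }
}
```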
[4.1.3-25.el5.223.134]
- From 5675a794664de9b3c28d3f0f03cfa2e15e4af4c6 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:57 -0500
Subject: [PATCH 42/77] x86/feature: Definitions for Indirect Branch Controls
Contemporary processors are gaining Indirect Branch Controls via microcode
updates. Intel are introducing one bit to indicate IBRS and IBPB support, and
a second bit for STIBP. AMD are introducing IBPB only, so enumerate it with a
separate bit.
Furthermore, depending on compiler and microcode availability, we may want to
run Xen with IBRS set, or clear.
To use these facilities, we synthesise separate IBRS and IBPB bits for
internal use. A lot of infrastructure is required before these features are
safe to offer to guests.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- No new(-ish) CPUID generation so skip xen-cpuid.c/gen-cpuid.py
- Again, cpufeatures.h is different in OVM
- No boot_cpu_data.extended_cpuid_level, use cpuid_eax(0x80000000)
- context difference in libxl
Signed-off-by: Konrad Rzeszutek Wilk
Conflicts with OVM345:
tools/libxl/libxl_cpuid.c
Signed-off-by: Zhenzhong Duan
The cpuid flags are different (there are fewer in this version of Xen).
Conflicts:
tools/libxl/libxl_cpuid.c
OraBug: 27370020
Signed-off-by: Patrick Colp
Reviewed-by: Konrad Rzeszutek Wilk
[4.1.3-25.el5.223.133]
- From 4deb27795b9975c9b39b84feb3b468ddeca69625 Mon Sep 17 00:00:00 2001
From: Andrew Cooper