Type: | SECURITY |
Severity: | IMPORTANT |
Release Date: | 2018-05-24 |
[4.3.0-55.el6.186.143]
- From: Zhenzhong Duan
Date: Wed, 21 Mar 2018 19:05:06 -0700
Subject: x86/boot: Disable IBRS in intr/nmi exit path at bootup stage
After reset, IBRS is disabled by the processor, but an incoming intr/nmi leaves IBRS
enabled after its exit. It's not necessary for bootup code to run at low
performance with IBRS enabled.
On ORACLE X6-2 (500GB/88 cpus, dom0 11GB/20 vcpus), we observed a 200s+ delay
in construct_dom0.
By initializing use_shadow_spec_ctrl with 1, IBRS is disabled in the intr/nmi exit
path. Then the delay in construct_dom0 is ~50s.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
Acked-by: Adnan Misherfi
(cherry picked from commit 52404341e0c4aced6a4ac9897d7b79be512f4e8b)
Note this is a temporary fix, final fix is still under review in
https://lists.xenproject.org/archives/html/xen-devel/2018-03/msg03079.html
Backported-by: Zhenzhong Duan
[4.3.0-55.el6.186.142]
- From: Zhenzhong Duan
Date: Wed, 21 Mar 2018 20:30:22 -0700
Subject: Fix a wrong check in DO_SPEC_CTRL_EXIT_TO_XEN
The testb instruction in DO_SPEC_CTRL_EXIT_TO_XEN is wrong and always sets
ZF, so the following je instruction always jumps.
%rsp doesn't point to the cpuinfo struct in intr/nmi context; we need to calculate
a correct pointer for the cpuinfo struct.
This patch fixes the above two issues.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
Acked-by: Adnan Misherfi
(cherry picked from commit 222bb10d34ac0eae6dd1147ecfa65788f4b9785c)
This is part of XSA-254.
Backported-by: Zhenzhong Duan
[4.3.0-55.el6.186.141]
- From: Jan Beulich
Subject: x86/paging: don't unconditionally BUG() on finding SHARED_M2P_ENTRY
PV guests can fully control the values written into the P2M.
This is XSA-251.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.140]
- From: Jan Beulich
Subject: x86/shadow: fix ref-counting error handling
The old-Linux handling in shadow_set_l4e() mistakenly ORed together the
results of sh_get_ref() and sh_pin(). As the latter failing is not a
correctness problem, simply ignore its return value.
In sh_set_toplevel_shadow() a failing sh_get_ref() must not be
accompanied by installing the entry, despite the domain being crashed.
This is XSA-250.
Signed-off-by: Jan Beulich
Reviewed-by: Tim Deegan
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.139]
- From: Jan Beulich
Subject: x86/shadow: fix refcount overflow check
Commit c385d27079 ('x86 shadow: for multi-page shadows, explicitly track
the first page') reduced the refcount width to 25, without adjusting the
overflow check. Eliminate the disconnect by using a manifest constant.
Interestingly, up to commit 047782fa01 ('Out-of-sync L1 shadows: OOS
snapshot') the refcount was 27 bits wide, yet the check was already
using 26.
This is XSA-249.
Signed-off-by: Jan Beulich
Reviewed-by: George Dunlap
Reviewed-by: Tim Deegan
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.138]
- From: Jan Beulich
Subject: x86/mm: don't wrongly set page ownership
PV domains can obtain mappings of any pages owned by the correct domain,
including ones that aren't actually assigned as 'normal' RAM, but used
by Xen internally. At the moment such 'internal' pages marked as owned
by a guest include pages used to track logdirty bits, as well as p2m
pages and the 'unpaged pagetable' for HVM guests. Since the PV memory
management and shadow code conflict in their use of struct page_info
fields, and since shadow code is being used for log-dirty handling for
PV domains, pages coming from the shadow pool must, for PV domains, not
have the domain set as their owner.
While the change could be done conditionally for just the PV case in
shadow code, do it unconditionally (and for consistency also for HAP),
just to be on the safe side.
There's one special case though for shadow code: The page table used for
running a HVM guest in unpaged mode is subject to get_page() (in
set_shadow_status()) and hence must have its owner set.
This is XSA-248.
Signed-off-by: Jan Beulich
Reviewed-by: Tim Deegan
Reviewed-by: George Dunlap
Backported-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.137]
- From 52c2ad4c02e0ee603c302a6a3550509906b34c8f Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 14 Feb 2018 10:38:34 +0000
Subject: [PATCH] x86/spec_ctrl: Fix several bugs in SPEC_CTRL_ENTRY_FROM_INTR_IST
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
DO_OVERWRITE_RSB clobbers %rax, meaning in practice that the bti_ist_info
field gets zeroed. Older versions of this code had the DO_OVERWRITE_RSB
register selectable, so reintroduce this ability and use it to cause the
INTR_IST path to use %rdx instead.
The use of %dl for the %cs.rpl check means that when an IST interrupt hits
Xen, we try to load 1 into the high 32 bits of MSR_SPEC_CTRL, suffering a #GP
fault instead.
Also, drop an unused label which was a copy/paste mistake.
Reported-by: Boris Ostrovsky
Reported-by: Zhenzhong Duan
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Reviewed-by: Wei Liu
Reviewed-by: Roger Pau Monne
(cherry picked from commit a2b08fbed388f18235fda5ba1655c1483ef3e215)
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.136]
- From d797e6f4aa53b9d58f87c4ed49472a019108657c Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Mon, 12 Feb 2018 01:18:55 +0800
Subject: [PATCH 51/51] x86: allow easier disabling of BTI mitigations
Support both a 'disable everything' and a 'disable all RSB overwriting'
sub-option.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
(cherry picked from commit 37f02a06b9d2f9d965b747a6752301314e935571)
Conflicts:
docs/misc/xen-command-line.markdown
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.135]
- From 43591331a3c6814942f6392d2b04b41e9c70ea2e Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Mon, 12 Feb 2018 01:05:16 +0800
Subject: [PATCH 50/51] x86/boot: Make alternative patching NMI-safe
During patching, there is a very slim risk that an NMI or MCE interrupt arrives in the
middle of altering the code in the NMI/MCE paths, in which case bad things
will happen.
The NMI risk can be eliminated by running the patching loop in NMI context, at
which point the CPU will defer further NMIs until patching is complete.
Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
Reviewed-by: Konrad Rzeszutek Wilk
(cherry picked from commit 5191c1ef51b00ec112206917647faea55be8b02f)
Conflicts:
xen/arch/x86/alternative.c
Add macro ACCESS_ONCE into xen/include/xen/lib.h
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.134]
- From ebb91aad16e7ec207944269a96b504760a85445e Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 31 Jan 2018 10:35:52 +0000
Subject: [PATCH 49/51] xen/cmdline: Fix parse_boolean() for unadorned values
A command line such as 'cpuid=no-ibrsb,no-stibp' tickles a bug in
parse_boolean() because the separating comma fails the NUL case.
Instead, check for slen == nlen which accounts for the boundary (if any)
passed via the 'e' parameter.
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
(cherry picked from commit ac37ec1ddef234eeba6f438c29ff687c64962ebd)
Conflicts:
xen/common/kernel.c
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.133]
- From 6a6cc03959d095b3f0f16c0158b13e14ecb63f59 Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan
Date: Tue, 6 Feb 2018 09:16:07 +0800
Subject: [PATCH 48/51] Optimize the context switch code a bit
Based on upstream commit a2ed643ed783020f885035432e9c0919756921d1
'x86/ctxt: Issue a speculation barrier between vcpu contexts'
Only flush Branch Target Buffer when switching to a different vcpu context
or non idle context.
Use opt_ibpb instead of cpu_has_xen_ibpb suggested by Boris.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.132]
- From 9824717af650fce2f5a24e8e967f127650731b28 Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan
Date: Tue, 6 Feb 2018 08:36:22 +0800
Subject: [PATCH 47/51] Update init_speculation_mitigations() to upstream's
Based on upstream commit 2713715305ca516f698d58cec5e0b322c3b2c4eb
'x86/boot: Calculate the most appropriate BTI mitigation to use'
and combined upstream commit 30cbd0c83ef3d0edac2d5bcc41a9a2b7a843ae58
'x86/spec_ctrl: Fix determination of when to use IBRS'
Tried to port all changes in upstream commit to current code.
This should include all the changes, such as:
Set opt_rsb_native/opt_rsb_vmexit default to true, prefer retpoline without
checking X86_FEATURE_IBRSB, remove redundant variable have_mitigation,
remove *_SS variants for RSB stuff, enable RSB flushing no matter if IBRS is
enabled, etc.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.131]
- From 42a020d3da30f262c0e4ea4d485c0d555d9fe5e9 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Tue, 6 Feb 2018 08:00:00 +0800
Subject: [PATCH 46/51] x86/entry: Avoid using alternatives in NMI/#MC paths
This patch is deliberately arranged to be easy to revert if/when alternatives
patching becomes NMI/#MC safe.
For safety, there must be a dispatch serialising instruction in (what is
logically) DO_SPEC_CTRL_ENTRY so that, in the case that Xen needs IBRS set in
context, an attacker can't speculate around the WRMSR and reach an indirect
branch within the speculation window.
Using conditionals opens this attack vector up, so the else clause gets an
LFENCE to force the pipeline to catch up before continuing. This also covers
the safety of the RSB conditional, as execution is guaranteed to either hit the
WRMSR or the LFENCE.
One downside of not using alternatives is that there is unconditionally an LFENCE
in the IST path in cases where we are not using the features from IBRS-capable
microcode.
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
(cherry picked from commit 3fffaf9c13e9502f09ad4ab1aac3f8b7b9398f6f)
Conflicts:
xen/arch/x86/spec_ctrl.c
xen/arch/x86/x86_64/entry.S
xen/include/asm-x86/current.h
Add a #define of UNLIKELY_DISPATCH_LABEL in xen/include/asm-x86/asm_defns.h
picked from upstream commit 8e0da8c07f4f80e14314977a11f738bd74a5b62b
'x86: Improve information from domain_crash_synchronous'
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.130]
- From 61739747eafbfe9a1b0380d8abf4bd0302488f4a Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan
Date: Tue, 6 Feb 2018 07:41:13 +0800
Subject: [PATCH 45/51] Update RSB related implementation to upstream ones
Based on upstream commit e6c0128e9ab25bf66df11377a33ee5584d7f99e3
'x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen'
Update DO_OVERWRITE_RSB definition to upstream's.
Signed-off-by: Zhenzhong Duan
Reviewed-by: Boris Ostrovsky
[4.3.0-55.el6.186.129]
- From a9b5491b2440345767d4adbccb60b28b6bd2b099 Mon Sep 17 00:00:00 2001
From: Elena Ufimtseva
Date: Sat, 3 Feb 2018 04:14:08 +0800
Subject: [PATCH 44/51] x86/domain: Move hvm_vcpu_initialize() before cpuid_policy_changed()
Move hvm_vcpu_initialize() before cpuid_policy_changed(), which
will allocate memory for the MSR permission map so it can be used in
cpuid_policy_changed() without triggering BUG_ON.
OraBug: 27356726
Signed-off-by: Elena Ufimtseva
Reviewed-by: Boris Ostrovsky
(cherry picked from commit 3326ad769f1acc4697a0e608ea9c85ce5a05ca90)
Conflicts:
xen/arch/x86/domain.c
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.128]
- From b3f98d22679af9186a8eae6372d173631058eb3d Mon Sep 17 00:00:00 2001
From: Elena Ufimtseva
Date: Thu, 18 Jan 2018 11:31:49 -0500
Subject: [PATCH 42/51] x86/svm: clear CPUID IBPB when feature is not supported
The CPUID bit which exposes to the guest IBPB support was cleared under incorrect
check of stibp field of CPUID policy, resulting in the guest not seeing this feature.
Fix this by using correct check of ibpb in the cpuid_policy structure.
OraBug: 27356726
Signed-off-by: Elena Ufimtseva
Reviewed-by: Boris Ostrovsky
(cherry picked from commit bb793ca5296e2100f1453f20360f02dfb9c920e5)
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.127]
- From f6ea539df8760d6c765b597ad231670cdd9eac9d Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Thu, 11 Jan 2018 10:30:03 -0500
Subject: [PATCH 41/51] x86/Spectre: Set thunk to THUNK_NONE if compiler support is not available
If no microcode patch is available we end up setting thunk to THUNK_JMP.
Which really is equivalent to THUNK_NONE (if CONFIG_INDIRECT_THUNK is not
set, which it is not) but is somewhat misleading in terms of reporting.
With this change the reported mitigation set will look as follows:
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: SMEP IBRS/IBPB STIBP
(XEN) BTI mitigations: Thunk N/A, Others: IBRS+ IBPB SMEP RSB_VMEXIT
Orabug: 27375656
Signed-off-by: Boris Ostrovsky
Reviewed-by: Darren Kenny
Reviewed-by: Bhavesh Davda
(cherry picked from commit 88bf1ed2b377f03de6e6b20283af90be5065b395)
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.126]
- From 27500d93fb5347b6f124ffdf7eacadda9ff97d51 Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan
Date: Thu, 18 Jan 2018 09:36:43 +0800
Subject: [PATCH 40/51] x86: cpuint. Move trap_init and init_idle_domain
Commit 'x86: cpuint. Move the detection of CPU capabilities' moves
identify_cpu() ahead. On an env without MSR MSR_INTEL_PLATFORM_INFO,
probe_intel_cpuid_faulting() triggers a #GP.
Move trap_init() ahead too so that the exception fixup mechanism takes over the #GP.
Move init_idle_domain() ahead to prevent a #PG when loading the GDT.
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.125]
- From f2552332306d0ff5a13e098064d64d65b78244a6 Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Sat, 6 Jan 2018 15:39:54 -0500
Subject: [PATCH 39/51] x86: Always print info about speculative mitigation facilities
This is XSA-254.
Orabug: 27352416
Reviewed-by: Bhavesh Davda
Reviewed-by: Konrad Rzeszutek Wilk
Signed-off-by: Boris Ostrovsky
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.124]
- From 8ce8a38615eaf8ae1b4e3ad8256d48f1569a4325 Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Sat, 6 Jan 2018 15:06:43 -0500
Subject: [PATCH 38/51] x86: Don't use retpoline if CONFIG_INDIRECT_THUNK is not set
If this config option is not set (which it is not, unless compiler
support is available) the thunk degenerates to the original indirect
call/jmp.
This is XSA-254.
Orabug: 27352416
Reported-by: Bhavesh Davda
Reviewed-by: Konrad Rzeszutek Wilk
Signed-off-by: Boris Ostrovsky
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.123]
- From 0a9e0230c40a4f244b51ab3c75c4a055994564fc Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Wed, 3 Jan 2018 18:46:17 -0500
Subject: [PATCH 37/51] x86: cpuint. Move the detection of CPU capabilities right after the microcode has been loaded but before the speculation check.
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.122]
- From dd753a815210ce11f3a5d3bab503f04da9e455f3 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Wed, 3 Jan 2018 18:46:16 -0500
Subject: [PATCH 36/51] migration: Set the CPUID _before_ XEN_DOMCTL_sethvmcontext
As the MSRs depend on the cpuid policies, if we don't
set them we will always have:
(XEN) HVM6 restore: CPU_MSR 0
(XEN) HVM6 restore: failed to load entry 20/0
Along with:
xc: progress: Reloading memory pages: 262144/1044481 25%
xc: error: error setting the HVM context (1 = Operation not permitted): Internal error
libxl: error: libxl_create.c:942:libxl__xc_domain_restore_done: restoring domain: Resource temporarily unavailable
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.121]
- From 04d9a706f6b6189e076ec81286dbebd6bfbd4098 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Wed, 3 Jan 2018 18:46:15 -0500
Subject: [PATCH 35/51] x86/xen: Make cpu_has_[stibp,ibrsp,etc] work.
All of those macros depend on c->x86_capability bits being
set, but we don't set them for word 8 and word 9, which means
they are always set to zero.
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.120]
- From cb8f8c8439ae2c48ef23f37b800862400d774579 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Wed, 3 Jan 2018 18:46:14 -0500
Subject: [PATCH 34/51] x86: Expose CPUID.7, EDX.26->27 and CPUID.0x80000008, EBX.12
If the CPU has this exposed _and_ the CPUID policy specifies it
as such.
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Boris Ostrovsky
Conflicts:
- context
Conflicts with OVM345:
xen/arch/x86/hvm/hvm.c
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.119]
- From 603b020531ff14349d9ed2112f677eb08a0f02bf Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:13 -0500
Subject: [PATCH 33/51] x86/idle: Clear SPEC_CTRL while idle
On contemporary hardware, setting IBRS/STIBP has a performance impact on
adjacent hyperthreads. It is therefore recommended to clear the setting
before becoming idle, to avoid an idle core preventing adjacent userspace
execution from running at full performance.
Care must be taken to ensure there are no ret or indirect branch instructions
between spec_ctrl_{enter,exit}_idle() invocations, which are forced always
inline. Care must also be taken to avoid using spec_ctrl_enter_idle() between
flushing caches and becoming idle, in cases where that matters.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Signed-off-by: Konrad Rzeszutek Wilk
Add #include
missing __stringify.
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.118]
- From ed733af08668249829ce7921e37d1eadd01e3dc9 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:12 -0500
Subject: [PATCH 32/51] x86/cpuid: Offer Indirect Branch Controls to guests
With all infrastructure in place, it is now safe to let guests see and use
these features. Allow AMD's IBPB to be set even on Intel hardware, so the
toolstack can express 'IBPB only' to guests.
This also requires updating the libxc logic to understand the e8b feature
leaf, which has the side effect of also offering CLZERO on applicable
hardware.
Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- No cpuid.c/calculate_host_policy, put the chunk into
update_domain_cpuid_info()
- No need for cpufeature.h changes, they are for auto-generated CPUIDs
- We don't support X86_FEATURE_CLZERO so no related changes in xc_cpuid_hvm_policy()
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.117]
- From 393100a096448d1c61ecb8ac28bc901fb5bab187 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:11 -0500
Subject: [PATCH 31/51] x86/ctxt: Issue a speculation barrier between vcpu contexts
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflict:
- cpufeature.h differences
- context
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.116]
- From 437b0afa743e61037138579fb21dde7103779f69 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:10 -0500
Subject: [PATCH 30/51] x86/entry: Clobber the Return Stack Buffer on entry to Xen
ret instructions are unconditionally speculated based on values in the RSB.
If any path in Xen executes more ret than call instructions, speculation can
start following a guest controlled RSB entry.
There is at least one path (wake from waitqueue) which can end up executing
more ret than call instructions. There may be other paths as well.
To mitigate, overwrite the RSB (when appropriate; see code for details) when
entering Xen from guest context.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- cpufeature.h differences
- context
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.115]
- From 9dccf941d3eaee41a8020c33bbc4e116fa047295 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:09 -0500
Subject: [PATCH 29/51] x86/boot: Calculate the most appropriate BTI mitigation to use
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- context
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.114]
- From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:08 -0500
Subject: [PATCH 28/51] x86/entry: Use MSR_SPEC_CTRL at each entry/exit point
Set or clear IBRS in Xen context, and appropriate guest values in guest
context. See the documentation in asm-x86/spec_ctrl_asm.h for details.
Two semi-unrelated bugfixes are that various asm_defn.h macros have a hidden
dependency on PAGE_SIZE, which results in an assembler error if used in a
.macro definition. Secondly, _ASM_MK_NOP() needs a separator at the end,
rather than relying on its calling context for separation.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- context in entry.S (all of them), different labels, different routines
- various context conflicts
- add ifdef __ASSEMBLY__ to cpufeature.h
- We don't have GET_STACK_END (from commit 4f6aea06) so use
DO_SPEC_CTRL_EXIT_TO_XEN/DO_SPEC_CTRL_ENTRY from v4
Signed-off-by: Konrad Rzeszutek Wilk
Conflicts with OVM345:
xen/arch/x86/hvm/svm/entry.S
xen/arch/x86/hvm/vmx/entry.S
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.113]
- From f7ada379781e578655eb56820414aa549164d9f5 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:07 -0500
Subject: [PATCH 27/51] x86: Protect unaware domains from meddling hyperthreads
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- cpufeature.h differences
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.112]
- From 1a3cf9bdaae790318ec12f5239336d1c3d75208a Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:06 -0500
Subject: [PATCH 26/51] x86/hvm: Permit guests direct access to MSR_{SPEC_CTRL,PRED_CMD}
For performance reasons, HVM guests should have direct access to these MSRs
when possible.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- Simplified call_policy_changed computation in
update_domain_cpuid_info()
- Adjust for different MSR intercept interface
(vmx_disable_intercept_for_msr() vs vmx_set_msr_intercept())
- context
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.111]
- From 402cc9b0e1144e324eb4f2b9738fe50fc22b0c74 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:05 -0500
Subject: [PATCH 25/51] x86/migrate: Move MSR_SPEC_CTRL on migrate
Signed-off-by: Andrew Cooper
Reviewed-by: Wei Liu
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- context in arch/x86/hvm/hvm.c
- No need to port changes to xen/arch/x86/domctl.c (see comment in
'x86: Avoid corruption on migrate for vcpus using CPUID Faulting' patch)
Signed-off-by: Konrad Rzeszutek Wilk
- And expose in msrs_to_send the new MSR.
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.110]
- From 00cf5a13056c4cf690ba8e60655a45b5cf5fab8b Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:04 -0500
Subject: [PATCH 24/51] x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for guests
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- context
- (re-)add gp_fault label
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.109]
- From 891f15147af89356bba6f1f0c85d6e643cbc446c Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:46:03 -0500
Subject: [PATCH 23/51] x86: Introduce a common cpuid_policy_updated()
No practical change at the moment, but future changes will need to react
irrespective of guest type.
Signed-off-by: Andrew Cooper
Reviewed-by: Wei Liu
Acked-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- Different update_domain_cpuid_info implementation
- context differences
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.108]
- From f225e4f6f9dcdcbcd37c77d21febf317f32f5bc2 Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Wed, 3 Jan 2018 18:46:02 -0500
Subject: [PATCH 22/51] x86: Introduce framework for cpuid policy updates
And also set cpuid_policy bits.
Signed-off-by: Boris Ostrovsky
Signed-off-by: Konrad Rzeszutek Wilk
Conflicts with OVM345:
xen/arch/x86/domctl.c
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.107]
- From 7bb8630d6529c089f18ce4f679e1c0b3eecd783b Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Wed, 3 Jan 2018 18:46:01 -0500
Subject: [PATCH 21/51] x86: Introduce cpuid_policy
Just enough to get by...
Also added the allocation on the idle domain path.
Signed-off-by: Boris Ostrovsky
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.106]
- From 2a5174e221f40367b12da1dafd11edc0d22d68ee Mon Sep 17 00:00:00 2001
From: Gregory Herrero
Date: Thu, 12 Jan 2017 19:56:49 +0100
Subject: [PATCH 20/51] xen: string: add few helpers from kernel side.
strtobool() and strcspn() are needed to parse module parameters.
OraBug: 25752156
Signed-off-by: Blaise Boscaccy
Signed-off-by: Gregory Herrero
Backport from OVM345, need it to fix bool type unrecognized compile error
introduced by 'x86/msr: introduce struct msr_vcpu_policy'
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.105]
- From e40c15c326e3a978366b692b8383a1d3829f92f9 Mon Sep 17 00:00:00 2001
From: Sergey Dyasli
Date: Tue, 16 Jan 2018 08:40:57 +0800
Subject: [PATCH 19/51] x86/msr: introduce struct msr_vcpu_policy
The new structure contains information about guest's MSRs that are
unique to each vCPU. It starts with only 1 MSR:
MSR_INTEL_MISC_FEATURES_ENABLES
Which currently has only 1 usable bit: cpuid_faulting.
Add 2 global policy objects: hvm_max and pv_max that are inited during
boot up. Availability of MSR_INTEL_MISC_FEATURES_ENABLES depends on
availability of MSR_INTEL_PLATFORM_INFO.
Add init_vcpu_msr_policy() which sets initial MSR policy for every vCPU
during domain creation with a special case for Dom0.
Signed-off-by: Sergey Dyasli
Reviewed-by: Andrew Cooper
Reviewed-by: Kevin Tian
(cherry picked from commit 4187f79dc7184d90a1aa7a0439ccee2bc25355c2)
Signed-off-by: Boris Ostrovsky
Conflicts:
- mostly context
Signed-off-by: Konrad Rzeszutek Wilk
[Also no ZERO_BLOCK_PTR, so fix that with xzalloc_bytes]
Signed-off-by: Boris Ostrovsky
Conflicts:
- Free policy in vcpu_destroy (this happens to be XSA-253)
OVM3.3 didn't have is_pv_domain, use is_hvm_domain instead
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.104]
- From f12cc603ef75ba047032db06de829227fb8149f0 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:59 -0500
Subject: [PATCH 18/51] x86/cmdline: Introduce a command line option to disable IBRS/IBPB, STIBP and IBPB
Instead of gaining yet another top level boolean, introduce a more generic
cpuid= option. Also introduce a helper function to parse a generic boolean
value.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- no arch/x86/cpuid.c, used arch/x86/setup.c for parse_xen_cpuid
- context conflicts
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.103]
- From 4d0490620f92c1c8afd3cc372042a811625b2ce4 Mon Sep 17 00:00:00 2001
From: Juergen Gross
Date: Mon, 15 Jan 2018 04:40:55 +0800
Subject: [PATCH 17/51] xen: add an optional string end parameter to parse_bool()
Add a parameter to parse_bool() to specify the end of the to be
parsed string. Specifying it as NULL will preserve the current
behavior to parse until the end of the input string, while passing
a non-NULL pointer will specify the first character after the input
string.
This will allow to parse boolean sub-strings without having to
write a NUL byte into the input string.
Modify all users of parse_bool() to pass NULL for the new parameter.
(cherry-picked from commit 532dec8e31174ed450adfd36a4b0b41dec27010d)
Reviewed-by: Kevin Tian
Reviewed-by: Wei Liu
Reviewed-by: Jan Beulich
Signed-off-by: Boris Ostrovsky
Conflicts:
- context, some files don't need a backport
Signed-off-by: Konrad Rzeszutek Wilk
Chunk for xen/arch/x86/nmi.c is unnecessary for OVM33trunk and ignored
Updated parse_bool() call in xen/drivers/passthrough/x86/ats.c
Signed-off-by: Zhenzhong Duan
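A worked illustration, added here and not part of the Oracle changelog or of Xen's own code, of the two command-line parsing points in this changelog: the end-pointer form of parse_bool() from patch 17 above, and the slen == nlen check for unadorned values from patch 49 (the 'cpuid=no-ibrsb,no-stibp' case). The names demo_parse_bool, demo_parse_boolean and demo_lookup, the accepted keyword table and the sample command line are assumptions of this example, not Xen's implementation; the point is that a sub-string bounded by a separator is parsed without writing a NUL into the input.

```c
/* Added example (not Xen's code): a simplified boolean command-line parser
 * that takes an explicit end pointer, in the spirit of the parse_bool()
 * end-parameter change and the parse_boolean() slen == nlen fix. All names
 * and the keyword table are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

/* Parse a boolean keyword in [s, e). e == NULL means "up to the NUL".
 * Returns 1 or 0, or -1 if the word is not recognised. */
int demo_parse_bool(const char *s, const char *e)
{
    size_t len = e ? (size_t)(e - s) : strlen(s);
    static const struct { const char *word; int val; } table[] = {
        { "no", 0 }, { "off", 0 }, { "false", 0 }, { "disable", 0 }, { "0", 0 },
        { "yes", 1 }, { "on", 1 }, { "true", 1 }, { "enable", 1 }, { "1", 1 },
    };
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (strlen(table[i].word) == len && !strncmp(s, table[i].word, len))
            return table[i].val;
    return -1;
}

/* Match one option token in [s, e) against 'name'.
 * Accepted forms: "name" -> 1, "no-name" -> 0, "name=<bool>" -> parsed value.
 * Returns -1 if the token is about a different option or the value is invalid. */
int demo_parse_boolean(const char *name, const char *s, const char *e)
{
    size_t slen = e ? (size_t)(e - s) : strlen(s);
    size_t nlen = strlen(name);
    int val = 1;

    if (slen >= 3 && !strncmp(s, "no-", 3)) {
        val = 0;
        s += 3;
        slen -= 3;
    }
    if (slen < nlen || strncmp(s, name, nlen))
        return -1;

    /* Unadorned value: the token ends exactly where the name ends. Testing
     * slen == nlen, rather than s[nlen] == '\0', is what makes a token that is
     * terminated by the list separator (a comma) parse correctly. */
    if (slen == nlen)
        return val;

    /* "name=<bool>"; a "no-" prefix combined with "=" is rejected. */
    if (s[nlen] != '=' || val == 0)
        return -1;
    return demo_parse_bool(s + nlen + 1, e);
}

/* Walk a comma-separated list such as "no-ibrsb,no-stibp" without modifying it,
 * passing each token's bounds down as [s, e). */
int demo_lookup(const char *name, const char *list)
{
    const char *s = list;
    while (*s) {
        const char *e = strchr(s, ',');   /* NULL for the last token */
        int r = demo_parse_boolean(name, s, e);
        if (r >= 0)
            return r;
        if (!e)
            break;
        s = e + 1;
    }
    return -1;                            /* option not mentioned */
}

int main(void)
{
    /* Constructed sample command line value, not taken from a real system. */
    const char *cmdline = "no-ibrsb,no-stibp,ibpb=on";
    printf("ibrsb=%d stibp=%d ibpb=%d other=%d\n",
           demo_lookup("ibrsb", cmdline), demo_lookup("stibp", cmdline),
           demo_lookup("ibpb", cmdline), demo_lookup("other", cmdline));
    return 0;
}
```

Because every token is delimited by a [start, end) pair rather than by a NUL, the caller never has to copy or mutate the original command line, and a name match only counts when the token ends exactly at the name or continues with '='; a longer option that merely shares a prefix (such as 'ibrsb' when looking for 'ibrs') is not mistaken for it.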
[4.3.0-55.el6.186.102]
- From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:57 -0500
Subject: [PATCH 16/51] x86/feature: Definitions for Indirect Branch Controls
Contemporary processors are gaining Indirect Branch Controls via microcode
updates. Intel are introducing one bit to indicate IBRS and IBPB support, and
a second bit for STIBP. AMD are introducing IBPB only, so enumerate it with a
separate bit.
Furthermore, depending on compiler and microcode availability, we may want to
run Xen with IBRS set, or clear.
To use these facilities, we synthesise separate IBRS and IBPB bits for
internal use. A lot of infrastructure is required before these features are
safe to offer to guests.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- No new(-ish) CPUID generation so skip xen-cpuid.c/gen-cpuid.py
- Again, cpufeatures.h is different in OVM
- No boot_cpu_data.extended_cpuid_level, use cpuid_eax(0x80000000)
- context difference in libxl
Signed-off-by: Konrad Rzeszutek Wilk
Conflicts with OVM345:
tools/libxl/libxl_cpuid.c
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.101]
- From d8b4ae425577a1f655c8cff0be293d781de87523 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:56 -0500
Subject: [PATCH 15/51] x86: Introduce alternative indirect thunks
Depending on hardware and microcode availability, we will want to replace
IND_THUNK_RETPOLINE with other implementations.
For AMD hardware, choose IND_THUNK_LFENCE in preference to retpoline if lfence
is known to be (or was successfully made) dispatch serialising.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- Different cpufeature.h implementation
- docs context conflict
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.100]
- From ab5c0d96ac2ce58e8e53c371d8edb40c56d41219 Mon Sep 17 00:00:00 2001
From: Boris Ostrovsky
Date: Wed, 3 Jan 2018 18:45:55 -0500
Subject: [PATCH 14/51] x86: Backport setup_force_cpu_cap
Signed-off-by: Boris Ostrovsky
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.99]
- From bd9dd63f37af9497dafe99837b0969a4255c01a5 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:54 -0500
Subject: [PATCH 13/51] x86/amd: Try to set lfence as being Dispatch Serialising
This property is required for the AMD's recommended mitigation for Branch
Target Injection, but Xen needs to cope with being unable to detect or modify
the MSR.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- cpufeatures.h is different
- init_amd(): No X86_FEATURE_MFENCE_RDTSC in OVM
Conflicts with OVM345:
xen/include/asm-x86/cpufeature.h
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.98]
- From a1c057435d00d0a354646ac20a816da86d41d28a Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:53 -0500
Subject: [PATCH 12/51] x86/boot: Report details of speculative mitigations
Nothing very interesting at the moment, but the logic will grow as new
mitigations are added.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- context conflict in setup.c
- No IS_ENABLED in spec_ctl.c
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.97]
- From 18c2570481a34757f3ffb748492419f8c701d4a2 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Mon, 15 Jan 2018 03:22:27 +0800
Subject: [PATCH 11/51] x86: Support indirect thunks from assembly code
Introduce CALL_THUNK and JMP_THUNK which either degrade to a normal indirect
branch, or dispatch to the __x86.indirect_thunk.* symbols.
Update all the manual indirect branches in to use the new thunks. The
indirect branches in the boot and kexec path are left intact as we can't use
the compiled-in thunks at those points.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- x86_emulate.c code is different
- Include asm/asm_defns.h in x86_emulate.c
- no IS_ENABLED, so use ifdef
- No changes to extable.c (not needed)
- Added -Wa -I CFLAGS option to help compiler find include for asm('.include ...')
Conflicts:
xen/arch/x86/Rules.mk
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.96]
- From f4320455dda798daeee71016b51d44412a44a090 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:51 -0500
Subject: [PATCH 10/51] common/wait: Clarifications to wait infrastructure
This logic is not as clear as it could be. Add some comments to help.
Rearrange the asm block in __prepare_to_wait() to separate the GPR
saving/restoring from the internal logic.
While tweaking, add an unreachable() following the jmp in
check_wakeup_from_wait().
No functional change.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.95]
- From 723cfd81c74b542ca39f2eaa4a1ddd0185afb88e Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:50 -0500
Subject: [PATCH 09/51] x86: Support compiling with indirect branch thunks
Use -mindirect-branch=thunk-extern/-mindirect-branch-register when available.
To begin with, use the retpoline thunk. Later work will add alternative
thunks which can be selected at boot time.
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts:
- context
Conflicts with OVM3.4.5:
xen/arch/x86/xen.lds.S
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.94]
- From 6e590870401bf2d397854be69044dfa4a38d8641 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:49 -0500
Subject: [PATCH 08/51] x86/entry: Erase guest GPR state on entry to Xen
This reduces the number of code gadgets which can be attacked with
arbitrary guest-controlled GPR values.
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Reviewed-by: Wei Liu
Signed-off-by: Boris Ostrovsky
Conflicts:
- the file is include/asm-x86/x86_64/asm_defns.h
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.93]
- From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:48 -0500
Subject: [PATCH 07/51] x86/pv: Move hypercall handling up into C
Partial backport of:
939ba61bd376955ae3a519c09364346aed2be070
c99986fa168ef79b1ea6c071f57017e40b367383
5464f1210c6341762ca0457253adfa035ffe666c
51e5d6c7a29640490eeab4e4c3d60b9c2d3d3054
Signed-off-by: Andrew Cooper
Signed-off-by: Boris Ostrovsky
Conflicts with OVM3.4.5:
xen/arch/x86/Makefile
Signed-off-by: Zhenzhong Duan
[4.3.0-55.el6.186.92]
- From f3887d89fab676198fe9b3f8e7320829c0976233 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Wed, 3 Jan 2018 18:45:47 -0500
Subject: [PATCH 06/51] x86/hvm: Use SAVE_ALL to construct the cpu_user_regs frame after VMExit
No practical change.
One side effect in debug builds is that %rbp is inverted in the manner
expected by the stack unwinder to indicate an interrupt frame.
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich