Message ID | 20191023135812.21348-4-andrew.cooper3@citrix.com (mailing list archive) |
---|---|
State | New, archived |
Series | Unbreak evaluate_nospec() and livepatching |
On 23.10.19 15:58, Andrew Cooper wrote:
> Just as with CONFIG_SPECULATIVE_HARDEN_ARRAY, branch hardening should be
> configurable at compile time.
>
> The previous CONFIG_HVM was a consequence of what could be discussed publicly
> at the time the patches were submitted, and wasn't actually correct. Later
> patches will make further corrections.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Release-acked-by: Juergen Gross <jgross@suse.com>

Juergen
On 23.10.2019 15:58, Andrew Cooper wrote:
> Just as with CONFIG_SPECULATIVE_HARDEN_ARRAY, branch hardening should be
> configurable at compile time.
>
> The previous CONFIG_HVM was a consequence of what could be discussed publicly
> at the time the patches were submitted, and wasn't actually correct. Later
> patches will make further corrections.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>
diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 7b5dd9d495..c9e671869e 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -102,6 +102,29 @@ config SPECULATIVE_HARDEN_ARRAY If unsure, say Y. +config SPECULATIVE_HARDEN_BRANCH + bool "Speculative Branch Hardening" + default y + depends on X86 + ---help--- + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of misbehaviour is by executing the wrong basic block + following a conditional jump. + + When enabled, specific conditions which have been deemed liable to + be speculatively abused will be hardened to avoid entering the wrong + basic block. + + This is a best-effort mitigation. There are no guarantees that all + areas of code open to abuse have been hardened, nor that + optimisations in the compiler haven't subverted the attempts to + harden. + + If unsure, say Y. + endmenu config KEXEC diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 427b5ff9df..154e92aed8 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -9,7 +9,7 @@ /* Allow to insert a read memory barrier into conditionals */ static always_inline bool barrier_nospec_true(void) { -#ifdef CONFIG_HVM +#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH alternative("", "lfence", X86_FEATURE_SC_L1TF_VULN); #endif return true;
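Review bot: the help text for SPECULATIVE_HARDEN_BRANCH in xen/common/Kconfig does not say what enabling the option costs or on which hardware the hardening takes effect. The nospec.h change in this same patch shows the option only gates an lfence inserted through alternative() keyed on X86_FEATURE_SC_L1TF_VULN, so a sentence stating that the barrier is applied at runtime only where that feature bit is set would help someone choosing between Y and N. As a minor wording point, "One source of misbehaviour is by executing the wrong basic block" would read better as "One source of misbehaviour is executing the wrong basic block".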
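Review bot: in barrier_nospec_true() in xen/include/asm-x86/nospec.h, the comment above the function still describes inserting a read memory barrier without qualification, but with CONFIG_SPECULATIVE_HARDEN_BRANCH disabled the body is now a bare "return true" and callers get no hardening. Suggest extending that comment to name the Kconfig option it depends on. The switch away from CONFIG_HVM also changes what gets built: with "default y" and "depends on X86", a build without CONFIG_HVM now gets the lfence alternative where it previously did not, and the commit message would be clearer if it said so explicitly.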
Just as with CONFIG_SPECULATIVE_HARDEN_ARRAY, branch hardening should be
configurable at compile time.

The previous CONFIG_HVM was a consequence of what could be discussed publicly
at the time the patches were submitted, and wasn't actually correct. Later
patches will make further corrections.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wl@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Juergen Gross <jgross@suse.com>

v3:
 * Reduce to just the Kconfig option. Split other changes out into separate
   patches.

v2:
 * Expand the commit message to describe how the generated code is broken.
 * Rename to CONFIG_SPECULATIVE_HARDEN_BRANCH
 * Switch alternative() to asm()
 * Fix a comment typo
---
 xen/common/Kconfig           | 23 +++++++++++++++++++++++
 xen/include/asm-x86/nospec.h |  2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)