From patchwork Tue Oct 1 14:32:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 11168929 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8744B1747 for ; Tue, 1 Oct 2019 14:33:41 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 62C9B2070B for ; Tue, 1 Oct 2019 14:33:41 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=citrix.com header.i=@citrix.com header.b="P30iHMOb" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 62C9B2070B Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=citrix.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iFJCN-0001eE-TP; Tue, 01 Oct 2019 14:32:19 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1iFJCM-0001e0-9W for xen-devel@lists.xenproject.org; Tue, 01 Oct 2019 14:32:18 +0000 X-Inumbo-ID: 4070fb46-e458-11e9-9701-12813bfff9fa Received: from esa3.hc3370-68.iphmx.com (unknown [216.71.145.155]) by localhost (Halon) with ESMTPS id 4070fb46-e458-11e9-9701-12813bfff9fa; Tue, 01 Oct 2019 14:32:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1569940332; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=Z+QHYW8IPEEIm03k86KOSgwcQwB2XLe9JqCbyycENoo=; b=P30iHMObp7468Oiv1oFqpnwJBRBhGE+ao8Z+2QY383eFRqGMB20109t9 NeSLXTcx9UZf7zDhfZLak4i9AJOriLjD0pHO2EHRbVNPSX+qvgjWQNsIS e+s3di7gvmFenXGJyeUExymMkIB0k/GZJtNGQBGFJdmP0j27oGoZIu8wy M=; Authentication-Results: esa3.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa3.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa3.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa3.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: Gli+TqwGxC/GYrRPCgNGxhfqKTVCvoT7k0/Pen5Lh1UUFrS/risYlnTDJoPX7tmq4BFJt6QAUq hr8IeK+EwJ5qCMZGkhzuvogSdKxNltfBgFQJbRQVQkCA766CjHBWRZCmdJRiuZBSe6AfOtTlwS 9LCuGogQ6Z4iEuV3MrV7hNBz3Ztq0UqvIBJaWhn3/O5UREMFPdLpidSh8Q3JUzbtdpPPHZSW3L ObnBhwNAeg4yVcwGOra0eedqQhDS8yTGB0dkK/VHSc0mu5I5mYmcVE/RLoCdPJ8rssr+7USspn Wvg= X-SBRS: 2.7 X-MesageID: 6317000 X-Ironport-Server: esa3.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.64,571,1559534400"; d="scan'208";a="6317000" From: Andrew Cooper To: Xen-devel Date: Tue, 1 Oct 2019 15:32:06 +0100 Message-ID: <20191001143207.15844-2-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20191001143207.15844-1-andrew.cooper3@citrix.com> References: <20191001143207.15844-1-andrew.cooper3@citrix.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH v2 1/2] xen/nospec: Introduce CONFIG_SPECULATIVE_HARDEN_ARRAY X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Juergen Gross , Andrew Cooper , Wei Liu , Jan Beulich , =?utf-8?q?Roger_Pau_Monn=C3=A9?= Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" There are legitimate circumstance where array hardening is not wanted or needed. Allow it to be turned off. Signed-off-by: Andrew Cooper Release-acked-by: Juergen Gross Reviewed-by: Jan Beulich --- CC: Jan Beulich CC: Wei Liu CC: Roger Pau Monné CC: Juergen Gross v2: * Rename to CONFIG_SPECULATIVE_HARDEN_ARRAY * Simplify the stub array_index_nospec() --- xen/common/Kconfig | 24 ++++++++++++++++++++++++ xen/include/xen/nospec.h | 5 +++++ 2 files changed, 29 insertions(+) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 16829f6274..911333357a 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -77,6 +77,30 @@ config HAS_CHECKPOLICY string option env="XEN_HAS_CHECKPOLICY" +menu "Speculative hardening" + +config SPECULATIVE_HARDEN_ARRAY + bool "Speculative Array Hardening" + default y + ---help--- + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative out-of-bounds array + accesses. + + When enabled, specific array accesses which have been deemed liable + to be speculatively abused will be hardened to avoid out-of-bounds + accesses. + + This is a best-effort mitigation. There are no guarantees that all + areas of code open to abuse have been hardened. + + If unsure, say Y. + +endmenu + config KEXEC bool "kexec support" default y diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 2ac8feccc2..76255bc46e 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -33,6 +33,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, } #endif +#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY /* * array_index_nospec - sanitize an array index after a bounds check * @@ -58,6 +59,10 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, \ (typeof(_i)) (_i & _mask); \ }) +#else +/* No index hardening. */ +#define array_index_nospec(index, size) ((void)(size), (index)) +#endif /* CONFIG_SPECULATIVE_HARDEN_ARRAY */ /* * array_access_nospec - allow nospec access for static size arrays