| Message ID | 0f717e5d-c1f7-ff0d-e136-16cea6b77de3@suse.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | x86: some assembler macro rework | expand |
On 23.11.2020 14:44, Jan Beulich wrote: > Under certain conditions CPUs can speculate into the instruction stream > past a RET instruction. Guard against this just like 3b7dab93f240 > ("x86/spec-ctrl: Protect against CALL/JMP straight-line speculation") > did - by inserting an "INT $3" insn. It's merely the mechanics of how to > achieve this that differ: A set of macros gets introduced to post- > process RET insns issued by the compiler (or living in assembly files). > > Unfortunately for clang this requires further features their built-in > assembler doesn't support: We need to be able to override insn mnemonics > produced by the compiler (which may be impossible, if internally > assembly mnemonics never get generated). > > Signed-off-by: Jan Beulich <jbeulich@suse.com> > Acked-by: Roger Pau Monné <roger.pau@citrix.com> So after committing I noticed that ... > v4: Drop left-over checking of clang for \(text) handling. > v3: Use .byte 0xc[23] instead of the nested macros. ... with this conversion the int3 was lost. Therefore I've reverted the commit, for not having any real effect. On top of this I've also noticed only now that this doesn't cover the issue everywhere - asm-macros.h doesn't get included by some of the files, and hence there the wanted transformation doesn't occur. But I'm not sure we want to force its inclusion uniformly, from e.g. asm-x86/config.h. Jan
--- a/xen/Makefile +++ b/xen/Makefile @@ -145,7 +145,10 @@ t2 = $(call as-insn,$(CC) -I$(BASEDIR)/i # https://bugs.llvm.org/show_bug.cgi?id=36110 t3 = $(call as-insn,$(CC),".macro FOO;.endm"$(close); asm volatile $(open)".macro FOO;.endm",-no-integrated-as) -CLANG_FLAGS += $(call or,$(t1),$(t2),$(t3)) +# Check whether macros can override insn mnemonics in inline assembly. +t4 = $(call as-insn,$(CC),".macro ret; .error; .endm; .macro retq; .error; .endm",-no-integrated-as) + +CLANG_FLAGS += $(call or,$(t1),$(t2),$(t3),$(t4)) endif CLANG_FLAGS += -Werror=unknown-warning-option --- a/xen/include/asm-x86/asm-defns.h +++ b/xen/include/asm-x86/asm-defns.h @@ -44,3 +44,19 @@ .macro INDIRECT_JMP arg:req INDIRECT_BRANCH jmp \arg .endm + +/* + * To guard against speculation past RET, insert a breakpoint insn + * immediately after them. + */ +.macro ret operand:vararg + retq \operand +.endm +.macro retq operand:vararg + .ifb \operand + .byte 0xc3 + .else + .byte 0xc2 + .word \operand + .endif +.endm
Under certain conditions CPUs can speculate into the instruction stream past a RET instruction. Guard against this just like 3b7dab93f240 ("x86/spec-ctrl: Protect against CALL/JMP straight-line speculation") did - by inserting an "INT $3" insn. It's merely the mechanics of how to achieve this that differ: A set of macros gets introduced to post- process RET insns issued by the compiler (or living in assembly files). Unfortunately for clang this requires further features their built-in assembler doesn't support: We need to be able to override insn mnemonics produced by the compiler (which may be impossible, if internally assembly mnemonics never get generated). Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Roger Pau Monné <roger.pau@citrix.com> --- TBD: Would be nice to avoid the additions in .init.text, but a query to the binutils folks regarding the ability to identify the section stuff is in (by Peter Zijlstra over a year ago: https://sourceware.org/pipermail/binutils/2019-July/107528.html) has been left without helpful replies. --- v4: Drop left-over checking of clang for \(text) handling. v3: Use .byte 0xc[23] instead of the nested macros. v2: Fix build with newer clang. Use int3 mnemonic. Also override retq.