From patchwork Tue Feb 14 16:10:42 2023
X-Patchwork-Submitter: Jan Beulich
X-Patchwork-Id: 13140461
Message-ID: <31da79de-bd6b-af95-793a-c16516992bc7@suse.com>
Date: Tue, 14 Feb 2023 17:10:42 +0100
Subject: [PATCH v4 1/4] x86/spec-ctrl: add logic to issue IBPB on exit to guest
From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, Wei Liu, Roger Pau Monné
References: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>
In-Reply-To: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>

In order to be able to defer the context switch IBPB to the last possible point, add logic to the exit-to-guest paths to issue the barrier there, including the "IBPB doesn't flush the RSB/RAS" workaround. Since alternatives, for now at least, can't nest, emit JMP to skip past both constructs where both are needed. This may be more efficient anyway, as the sequence of NOPs is pretty long.

As with all other conditional blocks on exit-to-guest paths, no Spectre-v1 protections are necessary as execution will imminently be hitting a serialising event.

Signed-off-by: Jan Beulich
---
I have to admit that I'm not really certain about the placement of the IBPB wrt the MSR_SPEC_CTRL writes. For now I've simply used "opposite of entry".

Since we're going to run out of SCF_* bits soon and since the new flag is meaningful only in struct cpu_info's spec_ctrl_flags, we could choose to widen that field to 16 bits right away and then use bit 8 (or higher) for the purpose here.
---
v4: Alter parts of the description. Re-word a comment. Rename flag and feature identifiers.
v3: New.

--- a/xen/arch/x86/hvm/svm/entry.S +++ b/xen/arch/x86/hvm/svm/entry.S
@@ -75,6 +75,12 @@ __UNLIKELY_END(nsvm_hap) .endm ALTERNATIVE "", svm_vmentry_spec_ctrl, X86_FEATURE_SC_MSR_HVM + ALTERNATIVE "jmp 2f", __stringify(DO_SPEC_CTRL_EXIT_IBPB disp=(2f-1f)), \ + X86_FEATURE_NEW_PRED_CTXT_HVM +1: + ALTERNATIVE "", DO_OVERWRITE_RSB, X86_BUG_IBPB_NO_RET +2: + pop %r15 pop %r14 pop %r13 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -86,7 +86,8 @@ UNLIKELY_END(realmode) jz .Lvmx_vmentry_restart /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ + /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: acd */ + ALTERNATIVE "", DO_SPEC_CTRL_EXIT_IBPB, X86_FEATURE_NEW_PRED_CTXT_HVM DO_SPEC_CTRL_COND_VERW mov VCPU_hvm_guest_cr2(%rbx),%rax --- a/xen/arch/x86/include/asm/cpufeatures.h +++ b/xen/arch/x86/include/asm/cpufeatures.h @@ -39,8 +39,10 @@ XEN_CPUFEATURE(XEN_LBR, X86_SY XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW used by Xen for idle */ XEN_CPUFEATURE(XEN_SHSTK, X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */ XEN_CPUFEATURE(XEN_IBT, X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */ -XEN_CPUFEATURE(IBPB_ENTRY_PV, X86_SYNTH(28)) /* MSR_PRED_CMD used by Xen for PV */ -XEN_CPUFEATURE(IBPB_ENTRY_HVM, X86_SYNTH(29)) /* MSR_PRED_CMD used by Xen for HVM */ +XEN_CPUFEATURE(IBPB_ENTRY_PV, X86_SYNTH(28)) /* MSR_PRED_CMD used by Xen when entered from PV */ +XEN_CPUFEATURE(IBPB_ENTRY_HVM, X86_SYNTH(29)) /* MSR_PRED_CMD used by Xen when entered from HVM */ +XEN_CPUFEATURE(NEW_PRED_CTXT_PV, X86_SYNTH(30)) /* issue prediction barrier when exiting to PV */ +XEN_CPUFEATURE(NEW_PRED_CTXT_HVM, X86_SYNTH(31)) /* issue prediction barrier when exiting to HVM */ /* Bug words follow the synthetic words. */ #define X86_NR_BUG 1 --- a/xen/arch/x86/include/asm/current.h +++ b/xen/arch/x86/include/asm/current.h 
@@ -55,9 +55,13 @@ struct cpu_info { /* See asm/spec_ctrl_asm.h for usage. */ unsigned int shadow_spec_ctrl; + /* + * spec_ctrl_flags is accessed as a 32-bit entity in certain cases. Place + * it accordingly. + */ + uint8_t spec_ctrl_flags; uint8_t xen_spec_ctrl; uint8_t last_spec_ctrl; - uint8_t spec_ctrl_flags; /* * The following field controls copying of the L4 page table of 64-bit --- a/xen/arch/x86/include/asm/spec_ctrl.h +++ b/xen/arch/x86/include/asm/spec_ctrl.h @@ -36,6 +36,8 @@ #define SCF_verw (1 << 3) #define SCF_ist_ibpb (1 << 4) #define SCF_entry_ibpb (1 << 5) +#define SCF_new_pred_ctxt_bit 6 +#define SCF_new_pred_ctxt (1 << SCF_new_pred_ctxt_bit) /* * The IST paths (NMI/#MC) can interrupt any arbitrary context. Some --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -117,6 +117,27 @@ .L\@_done: .endm +.macro DO_SPEC_CTRL_EXIT_IBPB disp=0 +/* + * Requires %rsp=regs + * Clobbers %rax, %rcx, %rdx + * + * Conditionally issue IBPB if SCF_new_pred_ctxt is active. The macro + * invocation may be followed by X86_BUG_IBPB_NO_RET workaround code. The + * "disp" argument is to allow invocation sites to pass in the extra amount + * of code which needs skipping in case no action is necessary. + * + * The flag is a "one-shot" indicator, so it is being cleared at the same time. + */ + btrl $SCF_new_pred_ctxt_bit, CPUINFO_spec_ctrl_flags(%rsp) + jnc .L\@_skip + (\disp) + mov $MSR_PRED_CMD, %ecx + mov $PRED_CMD_IBPB, %eax + xor %edx, %edx + wrmsr +.L\@_skip: +.endm + .macro DO_OVERWRITE_RSB tmp=rax /* * Requires nothing 
@@ -272,6 +293,14 @@ #define SPEC_CTRL_EXIT_TO_PV \ ALTERNATIVE "", \ DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV; \ + ALTERNATIVE __stringify(jmp PASTE(.Lscexitpv_done, __LINE__)), \ + __stringify(DO_SPEC_CTRL_EXIT_IBPB \ + disp=(PASTE(.Lscexitpv_done, __LINE__) - \ + PASTE(.Lscexitpv_rsb, __LINE__))), \ + X86_FEATURE_NEW_PRED_CTXT_PV; \ +PASTE(.Lscexitpv_rsb, __LINE__): \ + ALTERNATIVE "", DO_OVERWRITE_RSB, X86_BUG_IBPB_NO_RET; \ +PASTE(.Lscexitpv_done, __LINE__): \ DO_SPEC_CTRL_COND_VERW /* --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -8,6 +8,7 @@ #include #include #include +#include #include #include @@ -156,7 +157,7 @@ ENTRY(compat_restore_all_guest) mov VCPUMSR_spec_ctrl_raw(%rax), %eax /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ + SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: acd */ RESTORE_ALL adj=8 compat=1 .Lft0: iretq --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -9,6 +9,7 @@ #include #include #include +#include #include #include 
@@ -187,7 +188,7 @@ restore_all_guest: mov %r15d, %eax /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ + SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: acd */ RESTORE_ALL testw $TRAP_syscall,4(%rsp)
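
Review bot: In the vmx/entry.S hunk the added ALTERNATIVE for DO_SPEC_CTRL_EXIT_IBPB is not followed by the X86_BUG_IBPB_NO_RET / DO_OVERWRITE_RSB step that the SVM and PV exit paths get, and nothing at the site says why. If the omission is deliberate, a short comment next to the ALTERNATIVE stating the reason would keep a later reader from treating it as an oversight; if it is not, the VMX path needs the same jmp-over construct as svm/entry.S.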
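
Review bot: The new comment in struct cpu_info (asm/current.h hunk) says spec_ctrl_flags is accessed as a 32-bit entity "in certain cases", but the layout requirement is enforced only by field order and the accessor is not named. The access in question is the btrl in DO_SPEC_CTRL_EXIT_IBPB, which operates on the four bytes starting at CPUINFO_spec_ctrl_flags and therefore also covers xen_spec_ctrl, last_spec_ctrl and the byte after them; naming that macro in the comment and adding a build-time check on the field's offset (4-byte aligned, with four bytes of the structure behind it) would catch a later reordering.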
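
Review bot: In DO_SPEC_CTRL_EXIT_IBPB (asm/spec_ctrl_asm.h hunk) the skip branch, jnc .L\@_skip + (\disp), targets an address outside the macro whenever disp is non-zero, so it is correct only if the X86_BUG_IBPB_NO_RET alternative starts immediately after the expansion and the caller computes disp over exactly that region. The macro comment explains the argument, but the two call sites that pass it (the 1:/2: labels in svm/entry.S and the .Lscexitpv_rsb/.Lscexitpv_done pair in SPEC_CTRL_EXIT_TO_PV) should each carry a line stating that nothing may be placed between the ALTERNATIVE and the first label, since a mismatch would branch into the middle of other code without any build-time diagnostic.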

Message-ID: <83c2a504-bce4-d3e7-1d9a-76ac0ca17bab@suse.com>
Date: Tue, 14 Feb 2023 17:11:05 +0100
Subject: [PATCH v4 2/4] x86/spec-ctrl: defer context-switch IBPB until guest entry
From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, Wei Liu, Roger Pau Monné
References: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>
In-Reply-To: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>

In order to avoid clobbering Xen's own predictions, defer the barrier as much as possible. Merely mark the CPU as needing a barrier issued the next time we're exiting to guest context.

Suggested-by: Andrew Cooper
Signed-off-by: Jan Beulich
---
I couldn't find any sensible (central/unique) place where to move the comment which is being deleted alongside spec_ctrl_new_guest_context(). (If this patch is to survive in the first place, it was suggested to move to spect_ctrl_asm.h, next to the #define of the controlling bit.)
---
v4: Re-base in particular over changes earlier in the series.
v3: New.

--- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -2038,7 +2038,7 @@ void context_switch(struct vcpu *prev, s */ if ( *last_id != next_id ) { - spec_ctrl_new_guest_context(); + info->spec_ctrl_flags |= SCF_new_pred_ctxt; *last_id = next_id; } } --- a/xen/arch/x86/include/asm/spec_ctrl.h +++ b/xen/arch/x86/include/asm/spec_ctrl.h @@ -67,28 +67,6 @@ void init_speculation_mitigations(void); void spec_ctrl_init_domain(struct domain *d); -/* - * Switch to a new guest prediction context. - * - * This flushes all indirect branch predictors (BTB, RSB/RAS), so guest code - * which has previously run on this CPU can't attack subsequent guest code. - * - * As this flushes the RSB/RAS, it destroys the predictions of the calling - * context. For best performace, arrange for this to be used when we're going - * to jump out of the current context, e.g. with reset_stack_and_jump(). - * - * For hardware which mis-implements IBPB, fix up by flushing the RSB/RAS - * manually. - */ -static always_inline void spec_ctrl_new_guest_context(void) -{ - wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB); - - /* (ab)use alternative_input() to specify clobbers. */ - alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET, - : "rax", "rcx"); -} - extern int8_t opt_ibpb_ctxt_switch; extern bool opt_ssbd; extern int8_t opt_eager_fpu;
--- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c 
@@ -854,6 +854,11 @@ static void __init ibpb_calculations(voi */ if ( opt_ibpb_ctxt_switch == -1 ) opt_ibpb_ctxt_switch = !(opt_ibpb_entry_hvm && opt_ibpb_entry_pv); + if ( opt_ibpb_ctxt_switch ) + { + setup_force_cpu_cap(X86_FEATURE_NEW_PRED_CTXT_PV); + setup_force_cpu_cap(X86_FEATURE_NEW_PRED_CTXT_HVM); + } } /* Calculate whether this CPU is vulnerable to L1TF. */
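
Review bot: The asm/spec_ctrl.h hunk deletes the only comment explaining why a new guest prediction context needs an IBPB plus a manual RSB/RAS flush on hardware that mis-implements IBPB, and nothing in this patch replaces it. Keeping the first and last paragraphs of that comment next to the SCF_new_pred_ctxt definition, in line with the remark below the commit message, would leave the rationale with the flag that now drives the barrier.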
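
Review bot: In ibpb_calculations() (spec_ctrl.c hunk) both X86_FEATURE_NEW_PRED_CTXT_PV and X86_FEATURE_NEW_PRED_CTXT_HVM are forced from opt_ibpb_ctxt_switch alone, while the flag itself is set separately in context_switch() with info->spec_ctrl_flags |= SCF_new_pred_ctxt. Since the one-shot bit is cleared solely by the patched-in exit-to-guest code, a comment at this block stating that context_switch() must set the flag only under the same condition would make that dependency explicit and guard against the bit being left set with no consumer.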

Message-ID: <29e2b527-16b8-e72d-f625-781aedf21bc4@suse.com>
Date: Tue, 14 Feb 2023 17:11:40 +0100
Subject: [PATCH v4 3/4] x86: limit issuing of IBPB during context switch
From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, Wei Liu, Roger Pau Monné
References: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>
In-Reply-To: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>

When the outgoing vCPU had IBPB issued and RSB overwritten upon entering Xen, then there's no need for a 2nd barrier during context switch.

Note that SCF_entry_ibpb is always clear for the idle domain, so no explicit idle domain check is needed to augment the feature check (which is simply inapplicable to "idle").

Signed-off-by: Jan Beulich
Acked-by: Roger Pau Monné
---
v4: Tighten the condition.
v3: Fold into series.
---
I think in principle we could limit the impact from finding the idle domain as "prevd", by having __context_switch() tell us what kind of domain's vCPU was switched out (it could still be "idle", but in fewer cases).

--- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c
@@ -2005,17 +2005,26 @@ void context_switch(struct vcpu *prev, s } else { + unsigned int feat_sc_rsb = X86_FEATURE_SC_RSB_HVM; + __context_switch(); /* Re-enable interrupts before restoring state which may fault. */ local_irq_enable(); if ( is_pv_domain(nextd) ) + { load_segments(next); + feat_sc_rsb = X86_FEATURE_SC_RSB_PV; + } + ctxt_switch_levelling(next); - if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) ) + if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) && + (!(prevd->arch.spec_ctrl_flags & SCF_entry_ibpb) || + /* is_idle_domain(prevd) || */ + !boot_cpu_has(feat_sc_rsb)) ) { static DEFINE_PER_CPU(unsigned int, last); unsigned int *last_id = &this_cpu(last);
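
Review bot: in the context_switch() hunk above, feat_sc_rsb is selected from nextd (it becomes X86_FEATURE_SC_RSB_PV only inside the `if ( is_pv_domain(nextd) )` block), yet the new condition combines it with `prevd->arch.spec_ctrl_flags & SCF_entry_ibpb` to decide whether the outgoing vCPU's entry into Xen already covered the barrier. The commit message ties the skip to the outgoing vCPU having had IBPB issued and RSB overwritten on entry, so on a switch between a PV and an HVM vCPU the RSB feature bit tested looks like it belongs to the wrong guest type. Should the selection be keyed on prevd instead, or can a comment explain why nextd's type is the right one? Separately, the commented-out `/* is_idle_domain(prevd) || */` inside the condition would read better as a real comment stating that SCF_entry_ibpb is always clear for the idle domain.
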
Message-ID: <2863b0a9-ca7c-3cce-104d-0b6685b0b383@suse.com>
Date: Tue, 14 Feb 2023 17:12:08 +0100
Subject: [PATCH v4 4/4] x86/PV: issue branch prediction barrier when switching 64-bit guest to kernel mode
From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Andrew Cooper, Wei Liu, Roger Pau Monné
References: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>
In-Reply-To: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>

Since both kernel and user mode run in ring 3, they run in the same "predictor mode". While the kernel could take care of this itself, doing so would be yet another item distinguishing PV from native. Additionally we're in a much better position to issue the barrier command, and we can save a #GP (for privileged instruction emulation) this way.

To allow to recover performance, introduce a new VM assist allowing the guest kernel to suppress this barrier. Make availability of the assist dependent upon the command line control, such that kernels have a way to know whether their request actually took any effect.

Note that because of its use in PV64_VM_ASSIST_MASK, the declaration of opt_ibpb_mode_switch can't live in asm/spec_ctrl.h.

Signed-off-by: Jan Beulich
---
Is the placement of the clearing of opt_ibpb_ctxt_switch correct in parse_spec_ctrl()? Shouldn't it live ahead of the "disable_common" label, as being about guest protection, not Xen's?

Adding setting of the variable to the "pv" sub-case in parse_spec_ctrl() didn't seem quite right to me, considering that we default it to the opposite of opt_ibpb_entry_pv.
---
v4: Correct the print_details() change. Re-base in particular over changes earlier in the series.
v3: Leverage exit-IBPB. Introduce separate command line control.
v2: Leverage entry-IBPB. Add VM assist. Re-base.

--- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2320,8 +2320,8 @@ By default SSBD will be mitigated at run ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, > {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, -> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, -> eager-fpu,l1d-flush,branch-harden,srb-lock, +> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ibpb-mode-switch, +> ssbd,psfd,eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen @@ -2403,7 +2403,10 @@ default. On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=` option can be used to force (the default) or prevent Xen from issuing branch -prediction barriers on vcpu context switches. +prediction barriers on vcpu context switches. On such hardware the +`ibpb-mode-switch` option can be used to control whether, by default, Xen +would issue branch prediction barriers when 64-bit PV guests switch from +user to kernel mode. If enabled, guest kernels can op out of this behavior. On all hardware, the `eager-fpu=` option can be used to force or prevent Xen from using fully eager FPU context switches. This is currently implemented as --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h
@@ -742,6 +742,8 @@ static inline void pv_inject_sw_interrup pv_inject_event(&event); } +extern int8_t opt_ibpb_mode_switch; + #define PV32_VM_ASSIST_MASK ((1UL << VMASST_TYPE_4gb_segments) | \ (1UL << VMASST_TYPE_4gb_segments_notify) | \ (1UL << VMASST_TYPE_writable_pagetables) | \ @@ -753,7 +755,9 @@ static inline void pv_inject_sw_interrup * but we can't make such requests fail all of the sudden. */ #define PV64_VM_ASSIST_MASK (PV32_VM_ASSIST_MASK | \ - (1UL << VMASST_TYPE_m2p_strict)) + (1UL << VMASST_TYPE_m2p_strict) | \ + ((opt_ibpb_mode_switch + 0UL) << \ + VMASST_TYPE_mode_switch_no_ibpb)) #define HVM_VM_ASSIST_MASK (1UL << VMASST_TYPE_runstate_update_flag) #define arch_vm_assist_valid_mask(d) \ --- a/xen/arch/x86/pv/domain.c +++ b/xen/arch/x86/pv/domain.c @@ -455,6 +455,7 @@ static void _toggle_guest_pt(struct vcpu void toggle_guest_mode(struct vcpu *v) { const struct domain *d = v->domain; + struct cpu_info *cpu_info = get_cpu_info(); unsigned long gs_base; ASSERT(!is_pv_32bit_vcpu(v)); @@ -467,15 +468,21 @@ void toggle_guest_mode(struct vcpu *v) if ( v->arch.flags & TF_kernel_mode ) v->arch.pv.gs_base_kernel = gs_base; else + { v->arch.pv.gs_base_user = gs_base; + + if ( opt_ibpb_mode_switch && + !(d->arch.spec_ctrl_flags & SCF_entry_ibpb) && + !VM_ASSIST(d, mode_switch_no_ibpb) ) + cpu_info->spec_ctrl_flags |= SCF_new_pred_ctxt; + } + asm volatile ( "swapgs" ); _toggle_guest_pt(v); if ( d->arch.pv.xpti ) { - struct cpu_info *cpu_info = get_cpu_info(); - cpu_info->root_pgt_changed = true; cpu_info->pv_cr3 = __pa(this_cpu(root_pgt)) | (d->arch.pv.pcid ? get_pcid_bits(v, true) : 0); --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -60,6 +60,7 @@ bool __ro_after_init opt_ssbd; int8_t __initdata opt_psfd = -1; int8_t __ro_after_init opt_ibpb_ctxt_switch = -1; +int8_t __ro_after_init opt_ibpb_mode_switch = -1; int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; static bool __initdata opt_branch_harden = true; 
@@ -111,6 +112,8 @@ static int __init cf_check parse_spec_ct if ( opt_pv_l1tf_domu < 0 ) opt_pv_l1tf_domu = 0; + opt_ibpb_mode_switch = 0; + if ( opt_tsx == -1 ) opt_tsx = -3; @@ -271,6 +274,8 @@ static int __init cf_check parse_spec_ct /* Misc settings. */ else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) opt_ibpb_ctxt_switch = val; + else if ( (val = parse_boolean("ibpb-mode-switch", s, ss)) >= 0 ) + opt_ibpb_mode_switch = val; else if ( (val = parse_boolean("eager-fpu", s, ss)) >= 0 ) opt_eager_fpu = val; else if ( (val = parse_boolean("l1d-flush", s, ss)) >= 0 ) @@ -527,16 +532,18 @@ static void __init print_details(enum in #endif #ifdef CONFIG_PV - printk(" Support for PV VMs:%s%s%s%s%s%s\n", + printk(" Support for PV VMs:%s%s%s%s%s%s%s\n", (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_md_clear_pv || + opt_ibpb_mode_switch) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", opt_md_clear_pv ? " MD_CLEAR" : "", - boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); + boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : "", + opt_ibpb_mode_switch ? " IBPB-mode-switch" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", opt_xpti_hwdom ? "enabled" : "disabled", @@ -804,7 +811,8 @@ static void __init ibpb_calculations(voi /* Check we have hardware IBPB support before using it... */ if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) { - opt_ibpb_entry_hvm = opt_ibpb_entry_pv = opt_ibpb_ctxt_switch = 0; + opt_ibpb_entry_hvm = opt_ibpb_entry_pv = 0; + opt_ibpb_mode_switch = opt_ibpb_ctxt_switch = 0; opt_ibpb_entry_dom0 = false; return; } 
@@ -859,6 +867,18 @@ static void __init ibpb_calculations(voi setup_force_cpu_cap(X86_FEATURE_NEW_PRED_CTXT_PV); setup_force_cpu_cap(X86_FEATURE_NEW_PRED_CTXT_HVM); } + +#ifdef CONFIG_PV + /* + * If we're using IBPB-on-entry to protect against PV guests, then + * there's no need to also issue IBPB on a guest user->kernel switch. + */ + if ( opt_ibpb_mode_switch == -1 ) + opt_ibpb_mode_switch = !opt_ibpb_entry_pv || + (!opt_ibpb_entry_dom0 && !opt_dom0_pvh); + if ( opt_ibpb_mode_switch ) + setup_force_cpu_cap(X86_FEATURE_NEW_PRED_CTXT_PV); +#endif } /* Calculate whether this CPU is vulnerable to L1TF. */ --- a/xen/include/public/xen.h +++ b/xen/include/public/xen.h @@ -554,6 +554,16 @@ DEFINE_XEN_GUEST_HANDLE(mmuext_op_t); */ #define VMASST_TYPE_m2p_strict 32 +/* + * x86-64 guests: Suppress IBPB on guest-user to guest-kernel mode switch. + * + * By default (on affected and capable hardware) as a safety measure Xen, + * to cover for the fact that guest-kernel and guest-user modes are both + * running in ring 3 (and hence share prediction context), would issue a + * barrier for user->kernel mode switches of PV guests. + */ +#define VMASST_TYPE_mode_switch_no_ibpb 33 + #if __XEN_INTERFACE_VERSION__ < 0x00040600 #define MAX_VMASST_TYPE 3 #endif
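
Review bot: in the second docs/misc/xen-command-line.pandoc hunk of patch 4/4, "guest kernels can op out of this behavior" should read "opt out". The added paragraph also omits how the default is chosen: per the ibpb_calculations() hunk it depends on opt_ibpb_entry_pv and the dom0 settings, so an administrator reading only this text cannot tell that enabling ibpb-entry for PV changes the default. Naming the assist (VMASST_TYPE_mode_switch_no_ibpb) as the opt-out mechanism would help as well.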
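
Review bot: in the PV64_VM_ASSIST_MASK hunk of asm/domain.h, `((opt_ibpb_mode_switch + 0UL) << VMASST_TYPE_mode_switch_no_ibpb)` is only correct while the variable is exactly 0 or 1. It is an int8_t initialised to -1 in spec_ctrl.c, and -1 + 0UL converts to all ones, so any evaluation before ibpb_calculations() has resolved the default would mark every assist bit from 33 upwards as valid. Spelling the intent out, for example `(opt_ibpb_mode_switch > 0 ? 1UL : 0UL) << VMASST_TYPE_mode_switch_no_ibpb`, removes the dependency on init ordering. A comment saying the mask is no longer a compile-time constant would also help readers of arch_vm_assist_valid_mask().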
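
Review bot: in the toggle_guest_mode() hunk of xen/arch/x86/pv/domain.c, the new check sits in the else branch of `if ( v->arch.flags & TF_kernel_mode )` with no comment saying that this branch is the user-to-kernel direction, which is what makes setting SCF_new_pred_ctxt there correct. Please add a short comment stating the direction and why `d->arch.spec_ctrl_flags & SCF_entry_ibpb` makes the barrier redundant, along the lines of the comment added in ibpb_calculations().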
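
Review bot: in the `#ifdef CONFIG_PV` block added to ibpb_calculations(), the comment explains only the `!opt_ibpb_entry_pv` half of the default. The second term, `(!opt_ibpb_entry_dom0 && !opt_dom0_pvh)`, turns the mode-switch barrier on even when entry-IBPB is in use for PV guests and deserves its own sentence, including a note that toggle_guest_mode() then relies on the per-domain SCF_entry_ibpb test to skip the barrier for domains that already get IBPB on entry.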
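
Review bot: in the xen/include/public/xen.h hunk, the comment for VMASST_TYPE_mode_switch_no_ibpb describes what Xen does by default but never says what enabling the assist changes for the guest, nor that the assist is only accepted when the ibpb-mode-switch control is in effect (PV64_VM_ASSIST_MASK includes the bit only then). As this is a public header, guest kernel authors need both facts: that setting the assist suppresses the barrier, and that a failure to enable it means Xen is not issuing the mode-switch barrier in the first place. The sentence "as a safety measure Xen, to cover for the fact that ..., would issue" is also hard to parse and could be reordered.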