x86/AMD: Mitigations for GPZ SP4 - Speculative Store Bypass

AMD processors will execute loads and stores with the same base register in
program order, which is typically how a compiler emits code.

Therefore, by default no mitigating actions are taken, despite there being
corner cases which are vulnerable to the issue.

For performance testing, or for users with particularly sensitive workloads,
the `spec-ctrl=ssbd` command line option is available to force Xen to disable
Memory Disambiguation on applicable hardware.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Gbp-Pq: Name x86amd-mitigations-for-gpz-sp4---specula.patch

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 0f3edafc79941c3f260db0f9cb5f812b15fea945..619db15741978c90e8f081e8b45f88f562a915a7 100644 (file)
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -1520,7 +1520,7 @@ false disable the quirk workaround, which is also the default.
 
 ### spec-ctrl (x86)
 > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb}=<bool>,
->              bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb}=<bool> ]`
+>              bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd}=<bool> ]`
 
 Controls for speculative execution sidechannel mitigations.  By default, Xen
 will pick the most appropriate mitigations based on compiled in support,
@@ -1564,6 +1564,11 @@ On hardware supporting IBPB (Indirect Branch Prediction Barrier), the `ibpb=`
 option can be used to force (the default) or prevent Xen from issuing branch
 prediction barriers on vcpu context switches.
 
+On hardware supporting SSBD (Speculative Store Bypass Disable), the `ssbd=`
+option can be used to force or prevent Xen using the feature itself.  On AMD
+hardware, this is a global option applied at boot, and not virtualised for
+guest use.
+
 ### sync\_console
 > `= <boolean>`
 

diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
index 5c1bb1352c1ee6a31dccacb14eff3723781c5691..b04cf6daf3453448867415f6481384effcf8b5e6 100644 (file)
--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -10,6 +10,7 @@
 #include <asm/amd.h>
 #include <asm/hvm/support.h>
 #include <asm/setup.h> /* amd_init_cpu */
+#include <asm/spec_ctrl.h>
 #include <asm/acpi.h>
 #include <asm/apic.h>
 
@@ -591,6 +592,25 @@ static void init_amd(struct cpuinfo_x86 *c)
                                  c->x86_capability);
        }
 
+       /*
+        * If the user has explicitly chosen to disable Memory Disambiguation
+        * to mitigiate Speculative Store Bypass, poke the appropriate MSR.
+        */
+       if (opt_ssbd) {
+               int bit = -1;
+
+               switch (c->x86) {
+               case 0x15: bit = 54; break;
+               case 0x16: bit = 33; break;
+               case 0x17: bit = 10; break;
+               }
+
+               if (bit >= 0 && !rdmsr_safe(MSR_AMD64_LS_CFG, value)) {
+                       value |= 1ull << bit;
+                       wrmsr_safe(MSR_AMD64_LS_CFG, value);
+               }
+       }
+
        /* MFENCE stops RDTSC speculation */
        if (!cpu_has_lfence_dispatch)
                __set_bit(X86_FEATURE_MFENCE_RDTSC, c->x86_capability);

diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 1a59b54b2944f5bd720295f0733732f3d2489c5d..0fb628b6f6e0a2808bb43e5903c0feea8d4ec7d3 100644 (file)
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -43,6 +43,7 @@ static enum ind_thunk {
 } opt_thunk __initdata = THUNK_DEFAULT;
 static int8_t __initdata opt_ibrs = -1;
 bool __read_mostly opt_ibpb = true;
+bool __read_mostly opt_ssbd = false;
 
 bool __initdata bsp_delay_spec_ctrl;
 uint8_t __read_mostly default_xen_spec_ctrl;
@@ -164,6 +165,8 @@ static int __init parse_spec_ctrl(const char *s)
             opt_ibrs = val;
         else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 )
             opt_ibpb = val;
+        else if ( (val = parse_boolean("ssbd", s, ss)) >= 0 )
+            opt_ssbd = val;
         else
             rc = -EINVAL;
 

diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
index c6a38f495db20ad0b050aefe7d0adf105682153b..4678a40ba5af4bd316f002e76e53641b08db41d9 100644 (file)
--- a/xen/include/asm-x86/spec_ctrl.h
+++ b/xen/include/asm-x86/spec_ctrl.h
@@ -27,6 +27,7 @@
 void init_speculation_mitigations(void);
 
 extern bool opt_ibpb;
+extern bool opt_ssbd;
 
 extern bool bsp_delay_spec_ctrl;
 extern uint8_t default_xen_spec_ctrl;