projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2ebe8fe) | patch
x86/spec-ctrl: Add spec-ctrl=unpriv-mmio
authorAndrew Cooper <andrew.cooper3@citrix.com>
Mon, 13 Jun 2022 18:18:32 +0000 (19:18 +0100)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Thu, 16 Jun 2022 11:10:37 +0000 (12:10 +0100)
commit8c24b70fedcb52633b2370f834d8a2be3f7fa38e
treeabf7884a826efa6d201866974b21c4e3dc0d5083tree | snapshot
parent2ebe8fe9b7e0d36e9ec3cfe4552b2b197ef0dceccommit | diff
x86/spec-ctrl: Add spec-ctrl=unpriv-mmio

Per Xen's support statement, PCI passthrough should be to trusted domains
because the overall system security depends on factors outside of Xen's
control.

As such, Xen, in a supported configuration, is not vulnerable to DRPW/SBDR.

However, users who have risk assessed their configuration may be happy with
the risk of DoS, but unhappy with the risk of cross-domain data leakage.  Such
users should enable this option.

On CPUs vulnerable to MDS, the existing mitigations are the best we can do to
mitigate MMIO cross-domain data leakage.

On CPUs fixed to MDS but vulnerable MMIO stale data leakage, this option:

 * On CPUs susceptible to FBSDP, mitigates cross-domain fill buffer leakage
   using FB_CLEAR.
 * On CPUs susceptible to SBDR, mitigates RNG data recovery by engaging the
   srb-lock, previously used to mitigate SRBDS.

Both mitigations require microcode from IPU 2022.1, May 2022.

This is part of XSA-404.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
docs/misc/xen-command-line.pandoc diff | blob | history
xen/arch/x86/spec_ctrl.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.