projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9deaf2d) | patch
x86/spec-ctrl: Mitigate Branch Type Confusion when possible
authorAndrew Cooper <andrew.cooper3@citrix.com>
Mon, 27 Jun 2022 18:29:40 +0000 (19:29 +0100)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Tue, 12 Jul 2022 15:23:00 +0000 (16:23 +0100)
commitd8cb7e0f069e0f106d24941355b59b45a731eabe
tree3822851997bc44e64cb7ad72aedbc878a0fdf816tree | snapshot
parent9deaf2d932f08c16c6b96a1c426e4b1142c0cdbecommit | diff
x86/spec-ctrl: Mitigate Branch Type Confusion when possible

Branch Type Confusion affects AMD/Hygon CPUs on Zen2 and earlier.  To
mitigate, we require SMT safety (STIBP on Zen2, no-SMT on Zen1), and to issue
an IBPB on each entry to Xen, to flush the BTB.

Due to performance concerns, dom0 (which is trusted in most configurations) is
excluded from protections by default.

Therefore:
 * Use STIBP by default on Zen2 too, which now means we want it on by default
   on all hardware supporting STIBP.
 * Break the current IBPB logic out into a new function, extending it with
   IBPB-at-entry logic.
 * Change the existing IBPB-at-ctxt-switch boolean to be tristate, and disable
   it by default when IBPB-at-entry is providing sufficient safety.

If all PV guests on the system are trusted, then it is recommended to boot
with `spec-ctrl=ibpb-entry=no-pv`, as this will provide an additional marginal
perf improvement.

This is part of XSA-407 / CVE-2022-23825.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
docs/misc/xen-command-line.pandoc diff | blob | history
xen/arch/x86/include/asm/spec_ctrl.h diff | blob | history
xen/arch/x86/spec_ctrl.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.