1 files changed, 138 insertions, 0 deletions

diff --git a/system/xen/xsa/xsa263-4.10-0002-x86-spec_ctrl-Express-Xen-s-choice-of-MSR_SPEC_CTRL-.patch b/system/xen/xsa/xsa263-4.10-0002-x86-spec_ctrl-Express-Xen-s-choice-of-MSR_SPEC_CTRL-.patch
new file mode 100644
index 0000000000..a954943b71
--- /dev/null
+++ b/system/xen/xsa/xsa263-4.10-0002-x86-spec_ctrl-Express-Xen-s-choice-of-MSR_SPEC_CTRL-.patch
@@ -0,0 +1,138 @@
+From d7b345e4ca136a995bfaaf2ee20901ee20e63570 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Tue, 17 Apr 2018 14:15:04 +0100
+Subject: [PATCH] x86/spec_ctrl: Express Xen's choice of MSR_SPEC_CTRL value as
+ a variable
+
+At the moment, we have two different encodings of Xen's MSR_SPEC_CTRL value,
+which is a side effect of how the Spectre series developed.  One encoding is
+via an alias with the bottom bit of bti_ist_info, and can encode IBRS or not,
+but not other configurations such as STIBP.
+
+Break Xen's value out into a separate variable (in the top of stack block for
+XPTI reasons) and use this instead of bti_ist_info in the IST path.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Wei Liu <wei.liu2@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Release-acked-by: Juergen Gross <jgross@suse.com>
+(cherry picked from commit 66dfae0f32bfbc899c2f3446d5ee57068cb7f957)
+---
+ xen/arch/x86/spec_ctrl.c            | 8 +++++---
+ xen/arch/x86/x86_64/asm-offsets.c   | 1 +
+ xen/include/asm-x86/current.h       | 1 +
+ xen/include/asm-x86/spec_ctrl.h     | 2 ++
+ xen/include/asm-x86/spec_ctrl_asm.h | 8 ++------
+ 5 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index dc90743..1143521 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -38,6 +38,7 @@ static int8_t __initdata opt_ibrs = -1;
+ static bool __initdata opt_rsb_native = true;
+ static bool __initdata opt_rsb_vmexit = true;
+ bool __read_mostly opt_ibpb = true;
++uint8_t __read_mostly default_xen_spec_ctrl;
+ uint8_t __read_mostly default_bti_ist_info;
+ 
+ static int __init parse_bti(const char *s)
+@@ -285,11 +286,14 @@ void __init init_speculation_mitigations(void)
+          * guests.
+          */
+         if ( ibrs )
++        {
++            default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
+             setup_force_cpu_cap(X86_FEATURE_XEN_IBRS_SET);
++        }
+         else
+             setup_force_cpu_cap(X86_FEATURE_XEN_IBRS_CLEAR);
+ 
+-        default_bti_ist_info |= BTI_IST_WRMSR | ibrs;
++        default_bti_ist_info |= BTI_IST_WRMSR;
+     }
+ 
+     /*
+@@ -330,8 +334,6 @@ void __init init_speculation_mitigations(void)
+ 
+ static void __init __maybe_unused build_assertions(void)
+ {
+-    /* The optimised assembly relies on this alias. */
+-    BUILD_BUG_ON(BTI_IST_IBRS != SPEC_CTRL_IBRS);
+ }
+ 
+ /*
+diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c
+index 13478d4..0726147 100644
+--- a/xen/arch/x86/x86_64/asm-offsets.c
++++ b/xen/arch/x86/x86_64/asm-offsets.c
+@@ -142,6 +142,7 @@ void __dummy__(void)
+     OFFSET(CPUINFO_xen_cr3, struct cpu_info, xen_cr3);
+     OFFSET(CPUINFO_pv_cr3, struct cpu_info, pv_cr3);
+     OFFSET(CPUINFO_shadow_spec_ctrl, struct cpu_info, shadow_spec_ctrl);
++    OFFSET(CPUINFO_xen_spec_ctrl, struct cpu_info, xen_spec_ctrl);
+     OFFSET(CPUINFO_use_shadow_spec_ctrl, struct cpu_info, use_shadow_spec_ctrl);
+     OFFSET(CPUINFO_bti_ist_info, struct cpu_info, bti_ist_info);
+     DEFINE(CPUINFO_sizeof, sizeof(struct cpu_info));
+diff --git a/xen/include/asm-x86/current.h b/xen/include/asm-x86/current.h
+index 4678a0f..d10b13c 100644
+--- a/xen/include/asm-x86/current.h
++++ b/xen/include/asm-x86/current.h
+@@ -56,6 +56,7 @@ struct cpu_info {
+ 
+     /* See asm-x86/spec_ctrl_asm.h for usage. */
+     unsigned int shadow_spec_ctrl;
++    uint8_t      xen_spec_ctrl;
+     bool         use_shadow_spec_ctrl;
+     uint8_t      bti_ist_info;
+ 
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index 5ab4ff3..5e4fc84 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -27,6 +27,7 @@
+ void init_speculation_mitigations(void);
+ 
+ extern bool opt_ibpb;
++extern uint8_t default_xen_spec_ctrl;
+ extern uint8_t default_bti_ist_info;
+ 
+ static inline void init_shadow_spec_ctrl_state(void)
+@@ -34,6 +35,7 @@ static inline void init_shadow_spec_ctrl_state(void)
+     struct cpu_info *info = get_cpu_info();
+ 
+     info->shadow_spec_ctrl = info->use_shadow_spec_ctrl = 0;
++    info->xen_spec_ctrl = default_xen_spec_ctrl;
+     info->bti_ist_info = default_bti_ist_info;
+ }
+ 
+diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h
+index 1f2b6f3..697da13 100644
+--- a/xen/include/asm-x86/spec_ctrl_asm.h
++++ b/xen/include/asm-x86/spec_ctrl_asm.h
+@@ -21,7 +21,6 @@
+ #define __X86_SPEC_CTRL_ASM_H__
+ 
+ /* Encoding of the bottom bits in cpuinfo.bti_ist_info */
+-#define BTI_IST_IBRS  (1 << 0)
+ #define BTI_IST_WRMSR (1 << 1)
+ #define BTI_IST_RSB   (1 << 2)
+ 
+@@ -286,12 +285,9 @@
+     setz %dl
+     and %dl, STACK_CPUINFO_FIELD(use_shadow_spec_ctrl)(%r14)
+ 
+-    /*
+-     * Load Xen's intended value.  SPEC_CTRL_IBRS vs 0 is encoded in the
+-     * bottom bit of bti_ist_info, via a deliberate alias with BTI_IST_IBRS.
+-     */
++    /* Load Xen's intended value. */
+     mov $MSR_SPEC_CTRL, %ecx
+-    and $BTI_IST_IBRS, %eax
++    movzbl STACK_CPUINFO_FIELD(xen_spec_ctrl)(%r14), %eax
+     xor %edx, %edx
+     wrmsr
+ 
+-- 
+2.1.4
+