[PATCH v6.5 14/26] x86: Introduce alternative indirect thunks

From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xen.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: [PATCH v6.5 14/26] x86: Introduce alternative indirect thunks
Date: Thu, 4 Jan 2018 00:15:43 +0000	[thread overview]
Message-ID: <1515024955-13390-15-git-send-email-andrew.cooper3@citrix.com> (raw)
In-Reply-To: <1515024955-13390-1-git-send-email-andrew.cooper3@citrix.com>

Depending on hardware and microcode availability, we will want to replace
IND_THUNK_REPOLINE with other implementations.

For AMD hardware, choose IND_THUNK_LFENCE in preference to retpoline if lfence
is known to be (or was successfully made) dispatch serialising.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
v4:
 * New
v5:
 * Introduce a command line option
---
 docs/misc/xen-command-line.markdown | 14 +++++++
 xen/arch/x86/indirect_thunk.S       | 13 ++++++-
 xen/arch/x86/spec_ctrl.c            | 73 ++++++++++++++++++++++++++++++++++++-
 xen/include/asm-x86/cpufeatures.h   |  2 +
 4 files changed, 99 insertions(+), 3 deletions(-)

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 781110d..c9dbfbb 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -245,6 +245,20 @@ and not running softirqs. Reduce this if softirqs are not being run frequently
 enough. Setting this to a high value may cause boot failure, particularly if
 the NMI watchdog is also enabled.
 
+### bti (x86)
+> `= List of [ thunk=retpoline|lfence|plain ]`
+
+Branch Target Injection controls.  By default, Xen will pick the most
+appropriate BTI mitigations based on compiled in support, loaded microcode,
+and hardware details.
+
+**WARNING: Any use of this option inhibits all heristcs.  Use with extreme care.**
+
+If Xen was compiled with INDIRECT_THUNK support, `thunk=` can be used to
+select which of the thunks gets patched into the `__x86.indirect_thunk.%reg`
+locations.  The default thunk is `retpoline`, with the alternatives being
+`plain` (a `jmp *%reg` gadget), and `lfence` (an `lfence; jmp *%reg` gadget).
+
 ### xenheap\_megabytes (arm32)
 > `= <size>`
 
diff --git a/xen/arch/x86/indirect_thunk.S b/xen/arch/x86/indirect_thunk.S
index 4fef1c8..542974a 100644
--- a/xen/arch/x86/indirect_thunk.S
+++ b/xen/arch/x86/indirect_thunk.S
@@ -10,6 +10,15 @@
         ret
 .endm
 
+.macro IND_THUNK_LFENCE reg:req
+        lfence
+        jmp *\reg
+.endm
+
+.macro IND_THUNK_JMP reg:req
+        jmp *\reg
+.endm
+
 /*
  * Build the __x86.indirect_thunk.* symbols.  Execution lands on an
  * alternative patch point which implements one of the above THUNK_*'s
@@ -18,7 +27,9 @@
         .section .text.__x86.indirect_thunk.\name, "ax", @progbits
 
 ENTRY(__x86.indirect_thunk.\name)
-        IND_THUNK_RETPOLINE \reg
+        ALTERNATIVE_2 __stringify(IND_THUNK_RETPOLINE \reg),              \
+        __stringify(IND_THUNK_LFENCE \reg), X86_FEATURE_IND_THUNK_LFENCE, \
+        __stringify(IND_THUNK_JMP \reg),    X86_FEATURE_IND_THUNK_JMP
 .endm
 
 /* Instantiate GEN_INDIRECT_THUNK for each register except %rsp. */
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index ffee909..8301648 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -16,6 +16,7 @@
  *
  * Copyright (c) 2017 Citrix Systems Ltd.
  */
+#include <xen/errno.h>
 #include <xen/init.h>
 #include <xen/lib.h>
 
@@ -27,7 +28,42 @@ enum ind_thunk {
     THUNK_NONE,    /* Missing compiler support for thunks. */
 
     THUNK_RETPOLINE,
-};
+    THUNK_LFENCE,
+    THUNK_JMP,
+} opt_thunk __initdata = THUNK_DEFAULT;
+
+static int __init parse_bti(const char *s)
+{
+    const char *ss;
+    int rc = 0;
+
+    do {
+        ss = strchr(s, ',');
+        if ( !ss )
+            ss = strchr(s, '\0');
+
+        if ( !strncmp(s, "thunk=", 6) )
+        {
+            s += 6;
+
+            if ( !strncmp(s, "retpoline", ss - s) )
+                opt_thunk = THUNK_RETPOLINE;
+            else if ( !strncmp(s, "lfence", ss - s) )
+                opt_thunk = THUNK_LFENCE;
+            else if ( !strncmp(s, "jmp", ss - s) )
+                opt_thunk = THUNK_JMP;
+            else
+                rc = -EINVAL;
+        }
+        else
+            rc = -EINVAL;
+
+        s = ss + 1;
+    } while ( *ss );
+
+    return rc;
+}
+custom_param("bti", parse_bti);
 
 static void __init print_details(enum ind_thunk thunk)
 {
@@ -40,7 +76,9 @@ static void __init print_details(enum ind_thunk thunk)
     printk(XENLOG_INFO
            "BTI mitigations: Thunk %s\n",
            thunk == THUNK_NONE      ? "N/A" :
-           thunk == THUNK_RETPOLINE ? "RETPOLINE" : "?");
+           thunk == THUNK_RETPOLINE ? "RETPOLINE" :
+           thunk == THUNK_LFENCE    ? "LFENCE" :
+           thunk == THUNK_JMP       ? "JMP" : "?");
 }
 
 void __init init_speculation_mitigations(void)
@@ -48,6 +86,31 @@ void __init init_speculation_mitigations(void)
     enum ind_thunk thunk = THUNK_DEFAULT;
 
     /*
+     * Has the user specified any custom BTI mitigations?  If so, follow their
+     * instructions exactly and disable all heuristics.
+     */
+    if ( opt_thunk != THUNK_DEFAULT )
+    {
+        thunk = opt_thunk;
+    }
+    else
+    {
+        /*
+         * Evaluate the safest Branch Target Injection mitigations to use.
+         * First, begin with compiler-aided mitigations.
+         */
+        if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) )
+        {
+            /*
+             * AMD's recommended mitigation is to set lfence as being dispatch
+             * serialising, and to use IND_THUNK_LFENCE.
+             */
+            if ( cpu_has_lfence_dispatch )
+                thunk = THUNK_LFENCE;
+        }
+    }
+
+    /*
      * Supplimentary minor adjustments.  Without compiler support, there are
      * no thunks.
      */
@@ -61,6 +124,12 @@ void __init init_speculation_mitigations(void)
     if ( thunk == THUNK_DEFAULT )
         thunk = THUNK_RETPOLINE;
 
+    /* Apply the chosen settings. */
+    if ( thunk == THUNK_LFENCE )
+        setup_force_cpu_cap(X86_FEATURE_IND_THUNK_LFENCE);
+    else if ( thunk == THUNK_JMP )
+        setup_force_cpu_cap(X86_FEATURE_IND_THUNK_JMP);
+
     print_details(thunk);
 }
 
diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h
index 58b37d6..ba1771b 100644
--- a/xen/include/asm-x86/cpufeatures.h
+++ b/xen/include/asm-x86/cpufeatures.h
@@ -23,3 +23,5 @@ XEN_CPUFEATURE(MFENCE_RDTSC,    (FSCAPINTS+0)*32+ 9) /* MFENCE synchronizes RDTS
 XEN_CPUFEATURE(XEN_SMEP,        (FSCAPINTS+0)*32+10) /* SMEP gets used by Xen itself */
 XEN_CPUFEATURE(XEN_SMAP,        (FSCAPINTS+0)*32+11) /* SMAP gets used by Xen itself */
 XEN_CPUFEATURE(LFENCE_DISPATCH, (FSCAPINTS+0)*32+12) /* lfence set as Dispatch Serialising */
+XEN_CPUFEATURE(IND_THUNK_LFENCE,(FSCAPINTS+0)*32+13) /* Use IND_THUNK_LFENCE */
+XEN_CPUFEATURE(IND_THUNK_JMP,   (FSCAPINTS+0)*32+14) /* Use IND_THUNK_JMP */
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
