[PATCH v6.5 24/26] x86/ctxt: Issue a speculation barrier between vcpu contexts

From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xen.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: [PATCH v6.5 24/26] x86/ctxt: Issue a speculation barrier between vcpu contexts
Date: Thu, 4 Jan 2018 00:15:53 +0000	[thread overview]
Message-ID: <1515024955-13390-25-git-send-email-andrew.cooper3@citrix.com> (raw)
In-Reply-To: <1515024955-13390-1-git-send-email-andrew.cooper3@citrix.com>

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
v4:
 * Adjust for AMD changes
---
 docs/misc/xen-command-line.markdown |  5 ++++-
 xen/arch/x86/domain.c               |  3 +++
 xen/arch/x86/spec_ctrl.c            | 13 ++++++++++---
 xen/include/asm-x86/cpufeature.h    |  1 +
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 8bffe44..65d94f2 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -246,7 +246,7 @@ enough. Setting this to a high value may cause boot failure, particularly if
 the NMI watchdog is also enabled.
 
 ### bti (x86)
-> `= List of [ thunk=retpoline|lfence|plain, ibrs=<bool>, rsb_{vmexit,native}=bool ]`
+> `= List of [ thunk=retpoline|lfence|plain, ibrs=<bool>, ibpb=<bool>, rsb_{vmexit,native}=bool ]`
 
 Branch Target Injection controls.  By default, Xen will pick the most
 appropriate BTI mitigations based on compiled in support, loaded microcode,
@@ -263,6 +263,9 @@ On hardware supporting IBRS, the `ibrs=` option can be used to force or
 prevent Xen using the feature itself.  If Xen is not using IBRS itself,
 functionality is still set up so IBRS can be virtualised for guests.
 
+On hardware supporting IBPB, the `ibpb=` option can be used to prevent Xen
+from issuing Branch Prediction Barriers on vcpu context switches.
+
 The `rsb_vmexit=` and `rsb_native=` options can be used to fine tune when the
 RSB gets overwritten.  There are individual controls for an entry from HVM
 context, and an entry from a native (PV or Xen) context.
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 698346e..62002f1 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -1732,6 +1732,9 @@ void context_switch(struct vcpu *prev, struct vcpu *next)
         }
 
         ctxt_switch_levelling(next);
+
+        if ( cpu_has_xen_ibpb )
+            wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB);
     }
 
     context_saved(prev);
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index bbf8f96..79aedf7 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -32,7 +32,7 @@ enum ind_thunk {
     THUNK_LFENCE,
     THUNK_JMP,
 } opt_thunk __initdata = THUNK_DEFAULT;
-int opt_ibrs __initdata = -1;
+int opt_ibrs __initdata = -1, opt_ibpb __initdata = -1;
 int opt_rsb_native __initdata = -1, opt_rsb_vmexit __initdata = -1;
 
 static int __init parse_bti(const char *s)
@@ -60,6 +60,8 @@ static int __init parse_bti(const char *s)
         }
         else if ( (val = parse_boolean("ibrs", s, ss)) >= 0 )
             opt_ibrs = val;
+        else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 )
+            opt_ibpb = val;
         else if ( (val = parse_boolean("rsb_native", s, ss)) >= 0 )
             opt_rsb_native = val;
         else if ( (val = parse_boolean("rsb_vmexit", s, ss)) >= 0 )
@@ -102,13 +104,14 @@ static void __init print_details(enum ind_thunk thunk)
         printk(XENLOG_DEBUG "  Compiled-in support: INDIRECT_THUNK\n");
 
     printk(XENLOG_INFO
-           "BTI mitigations: Thunk %s, Others:%s%s%s%s\n",
+           "BTI mitigations: Thunk %s, Others:%s%s%s%s%s\n",
            thunk == THUNK_NONE      ? "N/A" :
            thunk == THUNK_RETPOLINE ? "RETPOLINE" :
            thunk == THUNK_LFENCE    ? "LFENCE" :
            thunk == THUNK_JMP       ? "JMP" : "?",
            boot_cpu_has(X86_FEATURE_XEN_IBRS_SET)    ? " IBRS+" :
            boot_cpu_has(X86_FEATURE_XEN_IBRS_CLEAR)  ? " IBRS-"      : "",
+           cpu_has_xen_ibpb                          ? " IBPB"       : "",
            cpu_has_xen_smep                          ? " SMEP"       : "",
            (boot_cpu_has(X86_FEATURE_RSB_VMEXIT) ||
             boot_cpu_has(X86_FEATURE_RSB_VMEXIT_SS)) ? " RSB_VMEXIT" : "",
@@ -179,7 +182,7 @@ void __init init_speculation_mitigations(void)
      * Has the user specified any custom BTI mitigations?  If so, follow their
      * instructions exactly and disable all heuristics.
      */
-    if ( opt_thunk != THUNK_DEFAULT || opt_ibrs != -1 ||
+    if ( opt_thunk != THUNK_DEFAULT || opt_ibrs != -1 || opt_ibrs != -1 ||
          opt_rsb_native != -1 || opt_rsb_vmexit != -1 )
     {
         thunk = opt_thunk;
@@ -307,6 +310,10 @@ void __init init_speculation_mitigations(void)
         }
     }
 
+    if ( (boot_cpu_has(X86_FEATURE_IBRSB) ||
+          boot_cpu_has(X86_FEATURE_IBPB)) && opt_ibpb )
+        setup_force_cpu_cap(X86_FEATURE_XEN_IBPB);
+
     print_details(thunk);
 }
 
diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h
index b7667b4..f1c30f1 100644
--- a/xen/include/asm-x86/cpufeature.h
+++ b/xen/include/asm-x86/cpufeature.h
@@ -109,6 +109,7 @@
 #define cpu_has_aperfmperf      boot_cpu_has(X86_FEATURE_APERFMPERF)
 #define cpu_has_xen_smep        boot_cpu_has(X86_FEATURE_XEN_SMEP)
 #define cpu_has_lfence_dispatch boot_cpu_has(X86_FEATURE_LFENCE_DISPATCH)
+#define cpu_has_xen_ibpb        boot_cpu_has(X86_FEATURE_XEN_IBPB)
 
 enum _cache_type {
     CACHE_TYPE_NULL = 0,
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
