From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: "Andrew Cooper" <andrew.cooper3@citrix.com>,
"Jan Beulich" <JBeulich@suse.com>,
"Roger Pau Monné" <roger.pau@citrix.com>, "Wei Liu" <wl@xen.org>
Subject: [PATCH v2 2/3] x86/spec-ctrl: Fix up the RSBA/RRSBA bits as appropriate
Date: Thu, 1 Jun 2023 15:48:44 +0100 [thread overview]
Message-ID: <20230601144845.1554589-3-andrew.cooper3@citrix.com> (raw)
In-Reply-To: <20230601144845.1554589-1-andrew.cooper3@citrix.com>
In order to level a VM safely for migration, the toolstack needs to know the
RSBA/RRSBA properties of the CPU, whether or not they happen to be enumerated.
See the code comment for details.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Wei Liu <wl@xen.org>
v2:
* Rewrite almost from scratch.
---
xen/arch/x86/include/asm/cpufeature.h | 1 +
xen/arch/x86/spec_ctrl.c | 92 +++++++++++++++++++++++++--
2 files changed, 88 insertions(+), 5 deletions(-)
diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h
index ace31e3b1f1a..e2cb8f3cc728 100644
--- a/xen/arch/x86/include/asm/cpufeature.h
+++ b/xen/arch/x86/include/asm/cpufeature.h
@@ -193,6 +193,7 @@ static inline bool boot_cpu_has(unsigned int feat)
#define cpu_has_tsx_ctrl boot_cpu_has(X86_FEATURE_TSX_CTRL)
#define cpu_has_taa_no boot_cpu_has(X86_FEATURE_TAA_NO)
#define cpu_has_fb_clear boot_cpu_has(X86_FEATURE_FB_CLEAR)
+#define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA)
/* Synthesized. */
#define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON)
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index daee61900afa..29ed410da47a 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -579,7 +579,10 @@ static bool __init check_smt_enabled(void)
return false;
}
-/* Calculate whether Retpoline is known-safe on this CPU. */
+/*
+ * Calculate whether Retpoline is known-safe on this CPU. Fix up the
+ * RSBA/RRSBA bits as necessary.
+ */
static bool __init retpoline_calculations(void)
{
unsigned int ucode_rev = this_cpu(cpu_sig).rev;
@@ -593,15 +596,85 @@ static bool __init retpoline_calculations(void)
return false;
/*
- * RSBA may be set by a hypervisor to indicate that we may move to a
- * processor which isn't retpoline-safe.
+ * The meaning of the RSBA and RRSBA bits have evolved over time. The
+ * agreed upon meaning at the time of writing (May 2023) is thus:
+ *
+ * - RSBA (RSB Alternative) means that an RSB may fall back to an
+ * alternative predictor on underflow. Skylake uarch and later all have
+ * this property. Broadwell too, when running microcode versions prior
+ * to Jan 2018.
+ *
+ * - All eIBRS-capable processors suffer RSBA, but eIBRS also introduces
+ * tagging of predictions with the mode in which they were learned. So
+ * when eIBRS is active, RSBA becomes RRSBA (Restricted RSBA).
+ *
+ * - CPUs are not expected to enumerate both RSBA and RRSBA.
+ *
+ * Some parts (Broadwell) are not expected to ever enumerate this
+ * behaviour directly. Other parts have differing enumeration with
+ * microcode version. Fix up Xen's idea, so we can advertise them safely
+ * to guests, and so toolstacks can level a VM safety for migration.
+ *
+ * The following states exist:
+ *
+ * | | RSBA | EIBRS | RRSBA | Notes | Action |
+ * |---+------+-------+-------+--------------------+---------------|
+ * | 1 | 0 | 0 | 0 | OK (older parts) | Maybe +RSBA |
+ * | 2 | 0 | 0 | 1 | Broken | +RSBA, -RRSBA |
+ * | 3 | 0 | 1 | 0 | OK (pre-Aug ucode) | +RRSBA |
+ * | 4 | 0 | 1 | 1 | OK | |
+ * | 5 | 1 | 0 | 0 | OK | |
+ * | 6 | 1 | 0 | 1 | Broken | -RRSBA |
+ * | 7 | 1 | 1 | 0 | Broken | -RSBA, +RRSBA |
+ * | 8 | 1 | 1 | 1 | Broken | -RSBA |
*
+ * However, we doesn't need perfect adherence to the spec. Identify the
+ * broken cases (so we stand a chance of spotting violated assumptions),
+ * and fix up Rows 1 and 3 so Xen can use RSBA || RRSBA to identify
+ * "alternative predictors potentially in use".
+ */
+ if ( cpu_has_eibrs ? cpu_has_rsba /* Rows 7, 8 */
+ : cpu_has_rrsba /* Rows 2, 6 */ )
+ printk(XENLOG_ERR
+ "FIRMWARE BUG: CPU %02x-%02x-%02x, ucode 0x%08x: RSBA %u, EIBRS %u, RRSBA %u\n",
+ boot_cpu_data.x86, boot_cpu_data.x86_model,
+ boot_cpu_data.x86_mask, ucode_rev,
+ cpu_has_rsba, cpu_has_eibrs, cpu_has_rrsba);
+
+ /*
* Processors offering Enhanced IBRS are not guarenteed to be
* repoline-safe.
*/
- if ( cpu_has_rsba || cpu_has_eibrs )
+ if ( cpu_has_eibrs )
+ {
+ /*
+ * Prior to the August 2023 microcode, many eIBRS-capable parts did
+ * not enumerate RRSBA.
+ */
+ if ( !cpu_has_rrsba )
+ setup_force_cpu_cap(X86_FEATURE_RRSBA);
+
+ return false;
+ }
+
+ /*
+ * RSBA is explicitly enumerated in some cases, but may also be set by a
+ * hypervisor to indicate that we may move to a processor which isn't
+ * retpoline-safe.
+ */
+ if ( cpu_has_rsba )
return false;
+ /*
+ * At this point, we've filtered all the legal RSBA || RRSBA cases (or the
+ * known non-ideal cases). If ARCH_CAPS is visible, trust the absence of
+ * RSBA || RRSBA. There's no known microcode which advertises ARCH_CAPS
+ * without RSBA or EIBRS, and if we're virtualised we can't rely the model
+ * check anyway.
+ */
+ if ( cpu_has_arch_caps )
+ return true;
+
switch ( boot_cpu_data.x86_model )
{
case 0x17: /* Penryn */
@@ -689,6 +762,15 @@ static bool __init retpoline_calculations(void)
break;
}
+ if ( !safe )
+ {
+ /*
+ * Note: the eIBRS-capable parts are filtered out earlier, so the
+ * remainder here are the ones which suffer only RSBA behaviour.
+ */
+ setup_force_cpu_cap(X86_FEATURE_RSBA);
+ }
+
return safe;
}
@@ -1148,7 +1230,7 @@ void __init init_speculation_mitigations(void)
thunk = THUNK_JMP;
}
- /* Determine if retpoline is safe on this CPU. */
+ /* Determine if retpoline is safe on this CPU. Fix up RSBA/RRSBA enumerations. */
retpoline_safe = retpoline_calculations();
/*
--
2.30.2
next prev parent reply other threads:[~2023-06-01 14:49 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-01 14:48 [PATCH v2 0/3] x86: RSBA and RRSBA handling Andrew Cooper
2023-06-01 14:48 ` [PATCH v2 1/3] x86/spec-ctrl: Rename retpoline_safe() to retpoline_calculations() Andrew Cooper
2023-06-02 9:37 ` Jan Beulich
2023-06-01 14:48 ` Andrew Cooper [this message]
2023-06-02 9:56 ` [PATCH v2 2/3] x86/spec-ctrl: Fix up the RSBA/RRSBA bits as appropriate Jan Beulich
2023-06-02 13:57 ` Andrew Cooper
2023-06-05 7:48 ` Jan Beulich
2023-06-05 7:50 ` Jan Beulich
2023-06-05 9:44 ` Andrew Cooper
2023-06-01 14:48 ` [PATCH v2 3/3] x86/cpu-policy: Derive RSBA/RRSBA for guest policies Andrew Cooper
2023-06-02 10:20 ` Jan Beulich
2023-06-02 15:29 ` Andrew Cooper
2023-06-02 15:38 ` Andrew Cooper
2023-06-05 8:04 ` Jan Beulich
2023-06-05 8:08 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230601144845.1554589-3-andrew.cooper3@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=roger.pau@citrix.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.