* [PATCH for-4.14] x86/spec-ctrl: Protect against CALL/JMP straight-line speculation
@ 2020-07-01 11:58 Andrew Cooper
From: Andrew Cooper @ 2020-07-01 11:58 UTC (permalink / raw)
  To: Xen-devel
  Cc: Andrew Cooper, Paul Durrant, Wei Liu, Jan Beulich, Roger Pau Monné

Some x86 CPUs speculatively execute beyond indirect CALL/JMP instructions.

With CONFIG_INDIRECT_THUNK / Retpolines, indirect CALL/JMP instructions are
converted to direct CALL/JMPs to __x86_indirect_thunk_REG(), leaving just a
handful of indirect JMPs implementing those stubs.

There is no architectural execution beyond an indirect JMP, so use INT3 as
recommended by vendors to halt speculative execution.  This is shorter than
LFENCE (which would also work fine), but also shows up in logs if we do
unexpectedly execute them.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wl@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Paul Durrant <paul@xen.org>

This wants backporting to all releases, possibly even into the security trees,
and should therefore be considered for 4.14 at this point.
---
 xen/arch/x86/indirect-thunk.S | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xen/arch/x86/indirect-thunk.S b/xen/arch/x86/indirect-thunk.S
index 3c17f75c23..7392aee127 100644
--- a/xen/arch/x86/indirect-thunk.S
+++ b/xen/arch/x86/indirect-thunk.S
@@ -24,10 +24,12 @@
 .macro IND_THUNK_LFENCE reg:req
         lfence
         jmp *%\reg
+        int3 /* Halt straight-line speculation */
 .endm
 
 .macro IND_THUNK_JMP reg:req
         jmp *%\reg
+        int3 /* Halt straight-line speculation */
 .endm
 
 /*
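Review bot: the `int3` added after `jmp *%\reg` in both IND_THUNK_LFENCE and IND_THUNK_JMP grows every expanded stub by one byte, and the hunk does not show how the thunk bodies are sized or placed; worth stating in the commit message (or a comment in the file) that nothing depends on the previous stub length, so a backporter to older trees knows what to check. A second, smaller point: the comment `/* Halt straight-line speculation */` reads as if the instruction is expected to run; since the cover letter says there is no architectural execution past the indirect JMP, consider spelling that out so the `int3` is not mistaken for a debug trap, e.g. `int3 /* Halt straight-line speculation; never reached architecturally */`.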
-- 
2.11.0
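As an added illustration (not part of Andrew's patch or of the Xen tree), the C program below assembles, byte for byte, what the two macros emit for every thunk register, once as before the patch and once with the trailing INT3, and then runs the check a defender would want over a built image: every register-indirect JMP must be immediately followed by INT3 (0xCC). The mini-assembler, the register list and the audit routine are assumptions of this example; the encodings it uses (FF /4 for `jmp *%reg`, REX.B prefix 0x41 for r8..r15, 0F AE E8 for `lfence`, CC for `int3`) are the standard x86-64 ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 register numbers as they appear in the ModRM.rm field. %rsp (4) is
 * skipped because no thunk is ever generated for it. (Constructed list.) */
static const unsigned thunk_regs[] = { 0, 1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
#define NR_THUNK_REGS (sizeof(thunk_regs) / sizeof(thunk_regs[0]))

/* Hypothetical mini-assembler for the two macros: emit one stub as produced
 * by IND_THUNK_LFENCE (with_lfence=1) or IND_THUNK_JMP (with_lfence=0),
 * optionally followed by the int3 the patch adds. Returns the byte count. */
static size_t emit_thunk(uint8_t *out, unsigned reg, int with_lfence, int with_int3)
{
    size_t n = 0;

    if (with_lfence) {                          /* lfence = 0F AE E8 */
        out[n++] = 0x0f; out[n++] = 0xae; out[n++] = 0xe8;
    }
    if (reg >= 8)                               /* REX.B selects r8..r15 */
        out[n++] = 0x41;
    out[n++] = 0xff;                            /* jmp r/m64 is opcode FF /4 */
    out[n++] = (uint8_t)(0xe0 | (reg & 7));     /* ModRM: mod=11, reg=/4, rm=reg */
    if (with_int3)
        out[n++] = 0xcc;                        /* int3: halts straight-line speculation */
    return n;
}

/* Convenience accessor: byte idx of the stub for reg, or -1 past its end. */
static int thunk_byte(unsigned reg, int with_lfence, int with_int3, size_t idx)
{
    uint8_t buf[8];
    size_t n = emit_thunk(buf, reg, with_lfence, with_int3);

    return idx < n ? buf[idx] : -1;
}

/* Audit check: scan a code blob for register-indirect jmps (FF E0..E7) and
 * count those not immediately followed by int3. A REX prefix in front of FF
 * does not change the pattern, so it needs no special handling here. This is
 * a byte-pattern scan, not a disassembler: run it over the thunk section only. */
static int count_unterminated_jmps(const uint8_t *code, size_t len)
{
    int bad = 0;

    for (size_t i = 0; i + 1 < len; i++) {
        if (code[i] == 0xff && (code[i + 1] & 0xf8) == 0xe0) {
            if (i + 2 >= len || code[i + 2] != 0xcc)
                bad++;
            i++;                                /* skip the ModRM byte */
        }
    }
    return bad;
}

/* Build every stub both macros would produce, with or without the int3, and
 * return how many indirect jmps the audit flags. */
static int audit_all_thunks(int with_int3)
{
    uint8_t blob[NR_THUNK_REGS * 2 * 8];
    size_t len = 0;

    for (size_t i = 0; i < NR_THUNK_REGS; i++) {
        len += emit_thunk(blob + len, thunk_regs[i], 1, with_int3); /* IND_THUNK_LFENCE */
        len += emit_thunk(blob + len, thunk_regs[i], 0, with_int3); /* IND_THUNK_JMP */
    }
    return count_unterminated_jmps(blob, len);
}

int main(void)
{
    printf("indirect jmps without int3, before patch: %d\n", audit_all_thunks(0));
    printf("indirect jmps without int3, after patch:  %d\n", audit_all_thunks(1));
    return 0;
}
```

Build with `cc -o thunk-audit thunk-audit.c && ./thunk-audit`; before the patch the audit flags all 30 stubs (15 registers times two macro variants), after it none. Because the scanner only matches a byte pattern, on a real build feed it just the bytes of the thunk stubs (for example as dumped by `objdump -d` of that section) rather than a whole image, where FF E0..E7 can also occur as data.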




* Re: [PATCH for-4.14] x86/spec-ctrl: Protect against CALL/JMP straight-line speculation
From: Jan Beulich @ 2020-07-01 12:26 UTC (permalink / raw)
  To: Andrew Cooper; +Cc: Xen-devel, Paul Durrant, Wei Liu, Roger Pau Monné

On 01.07.2020 13:58, Andrew Cooper wrote:
> Some x86 CPUs speculatively execute beyond indirect CALL/JMP instructions.
> 
> With CONFIG_INDIRECT_THUNK / Retpolines, indirect CALL/JMP instructions are
> converted to direct CALL/JMPs to __x86_indirect_thunk_REG(), leaving just a
> handful of indirect JMPs implementing those stubs.
> 
> There is no architectural execution beyond an indirect JMP, so use INT3 as
> recommended by vendors to halt speculative execution.  This is shorter than
> LFENCE (which would also work fine), but also shows up in logs if we do
> unexpectedly execute them.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>



* RE: [PATCH for-4.14] x86/spec-ctrl: Protect against CALL/JMP straight-line speculation
From: Paul Durrant @ 2020-07-01 13:23 UTC (permalink / raw)
  To: 'Jan Beulich', 'Andrew Cooper'
  Cc: 'Xen-devel', 'Wei Liu', 'Roger Pau Monné'

> -----Original Message-----
> From: Jan Beulich <jbeulich@suse.com>
> Sent: 01 July 2020 13:27
> To: Andrew Cooper <andrew.cooper3@citrix.com>
> Cc: Xen-devel <xen-devel@lists.xenproject.org>; Wei Liu <wl@xen.org>; Roger Pau Monné
> <roger.pau@citrix.com>; Paul Durrant <paul@xen.org>
> Subject: Re: [PATCH for-4.14] x86/spec-ctrl: Protect against CALL/JMP straight-line speculation
> 
> On 01.07.2020 13:58, Andrew Cooper wrote:
> > Some x86 CPUs speculatively execute beyond indirect CALL/JMP instructions.
> >
> > With CONFIG_INDIRECT_THUNK / Retpolines, indirect CALL/JMP instructions are
> > converted to direct CALL/JMPs to __x86_indirect_thunk_REG(), leaving just a
> > handful of indirect JMPs implementing those stubs.
> >
> > There is no architectural execution beyond an indirect JMP, so use INT3 as
> > recommended by vendors to halt speculative execution.  This is shorter than
> > LFENCE (which would also work fine), but also shows up in logs if we do
> > unexpectedly execute them.
> >
> > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> 
> Reviewed-by: Jan Beulich <jbeulich@suse.com>

Release-acked-by: Paul Durrant <paul@xen.org>



