xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Julien Grall <julien@xen.org>
To: Stefano Stabellini <sstabellini@kernel.org>
Cc: xen-devel@lists.xenproject.org, bertrand.marquis@arm.com,
	Julien Grall <jgrall@amazon.com>,
	Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
Subject: Re: [PATCH v3 2/2] xen/arm64: Place a speculation barrier following an ret instruction
Date: Sun, 18 Apr 2021 19:04:43 +0100	[thread overview]
Message-ID: <84c127d0-557c-9161-8696-f227d6c18658@xen.org> (raw)
In-Reply-To: <alpine.DEB.2.21.2104131558410.4885@sstabellini-ThinkPad-T480s>

Hi Stefano,

On 14/04/2021 00:03, Stefano Stabellini wrote:
> On Thu, 1 Apr 2021, Julien Grall wrote:
>> From: Julien Grall <jgrall@amazon.com>
>>
>> Some CPUs can speculate past a RET instruction and potentially perform
>> speculative accesses to memory before processing the return.
>>
>> There is no known gadget available after the RET instruction today.
>> However some of the registers (such as in check_pending_guest_serror())
>> may contain a value provided by the guest.
>>
>> In order to harden the code, it would be better to add a speculation
>> barrier after each RET instruction. The performance impact is meant to
>> be negligeable as the speculation barrier is not meant to be
>> architecturally executed.
>>
>> Rather than manually inserting a speculation barrier, use a macro
>> which overrides the mnemonic RET and replace with RET + SB. We need to
>> use the opcode for RET to prevent any macro recursion.
>>
>> This patch is only covering the assembly code. C code would need to be
>> covered separately using the compiler support.
>>
>> This is part of the work to mitigate straight-line speculation.
>>
>> Signed-off-by: Julien Grall <jgrall@amazon.com>
>> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
>>
>> ---
>>
>> It is not clear to me whether Armv7 (we don't officially support 32-bit
>> hypervisor on Armv8) is also affected by straight-line speculation.
>> The LLVM website suggests it is: https://reviews.llvm.org/D92395
>>
>> For now only focus on arm64.
>>
>>      Changes in v3:
>>          -  Add Bertrand's reviewed-by
>>
>>      Changes in v2:
>>          - Use a macro rather than inserting the speculation barrier
>>          manually
>>          - Remove mitigation for arm32
>> ---
>>   xen/arch/arm/arm32/entry.S         |  1 +
>>   xen/arch/arm/arm32/lib/lib1funcs.S |  1 +
>>   xen/include/asm-arm/arm64/macros.h |  6 ++++++
>>   xen/include/asm-arm/macros.h       | 18 +++++++++---------
>>   4 files changed, 17 insertions(+), 9 deletions(-)
>>
>> diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S
>> index f2f1bc7a3158..d0a066484f13 100644
>> --- a/xen/arch/arm/arm32/entry.S
>> +++ b/xen/arch/arm/arm32/entry.S
>> @@ -441,6 +441,7 @@ ENTRY(__context_switch)
>>   
>>           add     r4, r1, #VCPU_arch_saved_context
>>           ldmia   r4, {r4 - sl, fp, sp, pc}       /* Load registers and return */
>> +        sb
>>   
>>   /*
>>    * Local variables:
>> diff --git a/xen/arch/arm/arm32/lib/lib1funcs.S b/xen/arch/arm/arm32/lib/lib1funcs.S
>> index f1278bd6c139..8c33ffbbcc4c 100644
>> --- a/xen/arch/arm/arm32/lib/lib1funcs.S
>> +++ b/xen/arch/arm/arm32/lib/lib1funcs.S
>> @@ -382,5 +382,6 @@ UNWIND(.save {lr})
>>   	bl	__div0
>>   	mov	r0, #0			@ About as wrong as it could be.
>>   	ldr	pc, [sp], #8
>> +	sb
>>   UNWIND(.fnend)
>>   ENDPROC(Ldiv0)
>> diff --git a/xen/include/asm-arm/arm64/macros.h b/xen/include/asm-arm/arm64/macros.h
>> index f981b4f43e84..4614394b3dd5 100644
>> --- a/xen/include/asm-arm/arm64/macros.h
>> +++ b/xen/include/asm-arm/arm64/macros.h
>> @@ -21,6 +21,12 @@
>>       ldr     \dst, [\dst, \tmp]
>>       .endm
>>   
>> +    .macro  ret
>> +        // ret opcode
> 
> This series is very nice Julien! You can add my acked-by to both patches
> and also commit them.

I have realized that I left a couple of arm32 specific code in the 
patch. I will commit the first one and respin this one.

> 
> One minor request: could you please replace this comment with
> 
> /* ret opcode */
> 
> on commit?  // is not part of the coding style.

I have modified it in the new version.

Cheers,

-- 
Julien Grall


      reply	other threads:[~2021-04-18 18:04 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-01 16:44 [PATCH v3 0/2] xen/arm: Mitigate straight-line speculation Julien Grall
2021-04-01 16:44 ` [PATCH v3 1/2] xen/arm: Include asm/asm-offsets.h and asm/macros.h on every assembly files Julien Grall
2021-04-01 16:44 ` [PATCH v3 2/2] xen/arm64: Place a speculation barrier following an ret instruction Julien Grall
2021-04-13 23:03   ` Stefano Stabellini
2021-04-18 18:04     ` Julien Grall [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=84c127d0-557c-9161-8696-f227d6c18658@xen.org \
    --to=julien@xen.org \
    --cc=Volodymyr_Babchuk@epam.com \
    --cc=bertrand.marquis@arm.com \
    --cc=jgrall@amazon.com \
    --cc=sstabellini@kernel.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).