File xsa273-7.patch of Package xen.26348
x86/msr: Virtualise MSR_FLUSH_CMD for guests
Guests (outside of the nested virt case, which isn't supported yet) don't need
L1D_FLUSH for their L1TF mitigations, but offering/emulating MSR_FLUSH_CMD is
easy and doesn't pose an issue for Xen.
The MSR is offered to HVM guests only. PV guests attempting to use it would
trap for emulation, and the L1D cache would fill long before the return to
guest context. As such, PV guests can't make any use of the L1D_FLUSH
functionality.
This is part of XSA-273 / CVE-2018-3646.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3795,6 +3795,7 @@ int hvm_msr_read_intercept(unsigned int
case MSR_AMD_PATCHLOADER:
case MSR_IA32_UCODE_WRITE:
case MSR_PRED_CMD:
+ case MSR_FLUSH_CMD:
/* Write-only */
goto gp_fault;
@@ -4012,6 +4013,17 @@ int hvm_msr_write_intercept(unsigned int
wrmsrl(MSR_PRED_CMD, msr_content);
break;
+ case MSR_FLUSH_CMD:
+ hvm_cpuid(7, NULL, NULL, NULL, &edx);
+ if ( !(edx & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) )
+ goto gp_fault; /* MSR available? */
+
+ if ( msr_content & ~FLUSH_CMD_L1D )
+ goto gp_fault; /* Rsvd bit set? */
+
+ wrmsrl(MSR_FLUSH_CMD, msr_content);
+ break;
+
case MSR_ARCH_CAPABILITIES:
/* Read-only */
goto gp_fault;
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -574,6 +574,12 @@ static void vmx_cpuid_policy_changed(str
vmx_disable_intercept_for_msr(v, MSR_PRED_CMD, MSR_TYPE_R | MSR_TYPE_W);
else
vmx_enable_intercept_for_msr(v, MSR_PRED_CMD, MSR_TYPE_R | MSR_TYPE_W);
+
+ /* MSR_FLUSH_CMD is safe to pass through if the guest knows about it. */
+ if ( _7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH) )
+ vmx_disable_intercept_for_msr(v, MSR_FLUSH_CMD, MSR_TYPE_R | MSR_TYPE_W);
+ else
+ vmx_enable_intercept_for_msr(v, MSR_FLUSH_CMD, MSR_TYPE_R | MSR_TYPE_W);
}
static int vmx_guest_x86_mode(struct vcpu *v)
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2924,6 +2924,9 @@ static int emulate_privileged_op(struct
wrmsrl(MSR_PRED_CMD, msr_content);
break;
+ case MSR_FLUSH_CMD:
+ goto fail; /* Not available to PV guests. */
+
case MSR_P6_PERFCTR(0)...MSR_P6_PERFCTR(7):
case MSR_P6_EVNTSEL(0)...MSR_P6_EVNTSEL(3):
case MSR_CORE_PERF_FIXED_CTR0...MSR_CORE_PERF_FIXED_CTR2:
@@ -3055,6 +3058,7 @@ static int emulate_privileged_op(struct
break;
case MSR_PRED_CMD:
+ case MSR_FLUSH_CMD:
/* Write-only */
goto fail;
--- a/xen/include/public/arch-x86/cpufeatureset.h
+++ b/xen/include/public/arch-x86/cpufeatureset.h
@@ -229,7 +229,7 @@ XEN_CPUFEATURE(IBPB, 8*32+12) /
/* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */
XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */
XEN_CPUFEATURE(STIBP, 9*32+27) /*A! STIBP */
-XEN_CPUFEATURE(L1D_FLUSH, 9*32+28) /* MSR_FLUSH_CMD and L1D flush. */
+XEN_CPUFEATURE(L1D_FLUSH, 9*32+28) /*S MSR_FLUSH_CMD and L1D flush. */
XEN_CPUFEATURE(ARCH_CAPS, 9*32+29) /* IA32_ARCH_CAPABILITIES MSR */
XEN_CPUFEATURE(SSBD, 9*32+31) /*A MSR_SPEC_CTRL.SSBD available */
