File 5afc13ae-6-x86-cpuid-improve-guest-policies-for-speculative.patch of Package xen.7673

# Commit cb06b308ec71b23f37a44f5e2351fe2cae0306e9
# Date 2018-05-16 12:19:10 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
x86/cpuid: Improvements to guest policies for speculative sidechannel features

If Xen isn't virtualising MSR_SPEC_CTRL for guests, IBRSB shouldn't be
advertised.

Another useful option in some usecases is to offer IBPB without IBRS.  When a
guest kernel is known to be compatible (uses retpoline and knows about the AMD
IBPB feature bit), an administrator with pre-Skylake hardware may wish to hide
IBRS.  This allows the VM to have full protection, without Xen or the VM
needing to touch MSR_SPEC_CTRL, which can reduce the overhead of Spectre
mitigations.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3199,6 +3199,9 @@ void hvm_cpuid(unsigned int input, unsig
 
         if ( count == 0 )
         {
+            if ( !opt_msr_sc_hvm )
+                *edx &= ~cpufeat_mask(X86_FEATURE_IBRSB);
+
             /*
              * Override STIBP to match IBRS.  Guests can safely use STIBP
              * functionality on non-HT hardware, but can't necesserily protect
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -25,8 +25,8 @@
 #include <asm/spec_ctrl.h>
 
 /* Cmdline controls for Xen's alternative blocks. */
-static bool_t __initdata opt_msr_sc_pv = 1;
-static bool_t __initdata opt_msr_sc_hvm = 1;
+bool_t __read_mostly opt_msr_sc_pv = 1;
+bool_t __read_mostly opt_msr_sc_hvm = 1;
 static bool_t __initdata opt_rsb_pv = 1;
 static bool_t __initdata opt_rsb_hvm = 1;
 
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -783,6 +783,9 @@ void pv_cpuid(struct cpu_user_regs *regs
         case 0x00000007:
             if ( regs->_ecx == 0 )
             {
+                if ( !opt_msr_sc_pv )
+                    d &= ~cpufeat_mask(X86_FEATURE_IBRSB);
+
                 /*
                  * Override STIBP to match IBRS.  Guests can safely use STIBP
                  * functionality on non-HT hardware, but can't necesserily protect
@@ -867,7 +870,10 @@ void pv_cpuid(struct cpu_user_regs *regs
                   cpufeat_mask(X86_FEATURE_RTM)  |
                   cpufeat_mask(X86_FEATURE_FSGSBASE));
 
-            d &= cpufeat_mask(X86_FEATURE_IBRSB);
+            if ( opt_msr_sc_pv )
+                d &= cpufeat_mask(X86_FEATURE_IBRSB);
+            else
+                d = 0;
 
             /* Override STIBP to match IBRS (see above). */
             if ( d & cpufeat_mask(X86_FEATURE_IBRSB) )
--- a/xen/include/asm-x86/spec_ctrl.h
+++ b/xen/include/asm-x86/spec_ctrl.h
@@ -27,6 +27,7 @@ void init_speculation_mitigations(void);
 
 extern int8_t opt_xpti;
 extern bool_t opt_ibpb;
+extern bool_t opt_msr_sc_pv, opt_msr_sc_hvm;
 
 extern bool_t bsp_delay_spec_ctrl;
 extern int8_t default_xen_spec_ctrl;