File 5dcae816-x86-spec-ctrl-mitigate-TAA.patch of Package xen.16821
# Commit 8c4330818f6ee70cbf7428a40a28a73df1272d10
# Date 2019-11-12 17:12:54 +0000
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
x86/spec-ctrl: Mitigate the TSX Asynchronous Abort sidechannel
See patch documentation and comments.
This is part of XSA-305 / CVE-2019-11135
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -1849,7 +1849,7 @@ extreme care.**
An overall boolean value, `spec-ctrl=no`, can be specified to turn off all
mitigations, including pieces of infrastructure used to virtualise certain
mitigation features for guests. This also includes settings which `xpti`,
-`smt`, `pv-l1tf` control, unless the respective option(s) have been
+`smt`, `pv-l1tf`, `tsx` control, unless the respective option(s) have been
specified earlier on the command line.
Alternatively, a slightly more restricted `spec-ctrl=no-xen` can be used to
@@ -1960,7 +1960,7 @@ pages) must also be specified via the tb
= <bool>
Applicability: x86
- Default: true
+ Default: false on parts vulnerable to TAA, true otherwise
Controls for the use of Transactional Synchronization eXtensions.
@@ -1970,6 +1970,19 @@ a control has been introduced which allo
On systems with the ability to turn TSX off, this boolean offers system wide
control of whether TSX is enabled or disabled.
+On parts vulnerable to CVE-2019-11135 / TSX Asynchronous Abort, the following
+logic applies:
+
+ * An explicit `tsx=` choice is honoured, even if it is `true` and would
+ result in a vulnerable system.
+
+ * When no explicit `tsx=` choice is given, parts vulnerable to TAA will be
+ mitigated by disabling TSX, as this is the lowest overhead option.
+
+ * If the use of TSX is important, the more expensive TAA mitigations can be
+ opted in to with `smt=0 spec-ctrl=md-clear`, at which point TSX will remain
+ active by default.
+
### ucode
> `= [<integer> | scan]`
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -136,6 +136,9 @@ static int __init parse_spec_ctrl(const
if ( opt_pv_l1tf_domu < 0 )
opt_pv_l1tf_domu = 0;
+ if ( opt_tsx == -1 )
+ opt_tsx = -3;
+
disable_common:
opt_rsb_pv = false;
opt_rsb_hvm = false;
@@ -346,7 +349,7 @@ static void __init print_details(enum in
printk("Speculative mitigation facilities:\n");
/* Hardware features which pertain to speculative mitigations. */
- printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
(_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "",
(_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "",
(_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "",
@@ -358,7 +361,9 @@ static void __init print_details(enum in
(caps & ARCH_CAPS_RSBA) ? " RSBA" : "",
(caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL": "",
(caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "",
- (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "");
+ (caps & ARCH_CAPS_MDS_NO) ? " MDS_NO" : "",
+ (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "",
+ (caps & ARCH_CAPS_TAA_NO) ? " TAA_NO" : "");
/* Compiled-in support which pertains to mitigations. */
if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
@@ -372,7 +377,7 @@ static void __init print_details(enum in
"\n");
/* Settings for Xen's protection, irrespective of guests. */
- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s, Other:%s%s%s\n",
+ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s\n",
thunk == THUNK_NONE ? "N/A" :
thunk == THUNK_RETPOLINE ? "RETPOLINE" :
thunk == THUNK_LFENCE ? "LFENCE" :
@@ -381,6 +386,8 @@ static void __init print_details(enum in
(default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-",
!boot_cpu_has(X86_FEATURE_SSBD) ? "" :
(default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-",
+ !(caps & ARCH_CAPS_TSX_CTRL) ? "" :
+ (opt_tsx & 1) ? " TSX+" : " TSX-",
opt_ibpb ? " IBPB" : "",
opt_l1d_flush ? " L1D_FLUSH" : "",
opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "");
@@ -895,6 +902,7 @@ void __init init_speculation_mitigations
{
enum ind_thunk thunk = THUNK_DEFAULT;
bool use_spec_ctrl = false, ibrs = false, hw_smt_enabled;
+ bool cpu_has_bug_taa;
uint64_t caps = 0;
if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) )
@@ -1124,6 +1132,53 @@ void __init init_speculation_mitigations
"enabled. Mitigations will not be fully effective. Please\n"
"choose an explicit smt=<bool> setting. See XSA-297.\n");
+ /*
+ * Vulnerability to TAA is a little complicated to quantify.
+ *
+ * In the pipeline, it is just another way to get speculative access to
+ * stale load port, store buffer or fill buffer data, and therefore can be
+ * considered a superset of MDS (on TSX-capable parts). On parts which
+ * predate MDS_NO, the existing VERW flushing will mitigate this
+ * sidechannel as well.
+ *
+ * On parts which contain MDS_NO, the lack of VERW flushing means that an
+ * attacker can still use TSX to target microarchitectural buffers to leak
+ * secrets. Therefore, we consider TAA to be the set of TSX-capable parts
+ * which have MDS_NO but lack TAA_NO.
+ *
+ * Note: cpu_has_rtm (== hle) could already be hidden by `tsx=0` on the
+ * cmdline. MSR_TSX_CTRL will only appear on TSX-capable parts, so
+ * we check both to spot TSX in a microcode/cmdline independent way.
+ */
+ cpu_has_bug_taa =
+ (cpu_has_rtm || (caps & ARCH_CAPS_TSX_CTRL)) &&
+ (caps & (ARCH_CAPS_MDS_NO | ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO;
+
+ /*
+ * On TAA-affected hardware, disabling TSX is the preferred mitigation, vs
+ * the MDS mitigation of disabling HT and using VERW flushing.
+ *
+ * On CPUs which advertise MDS_NO, VERW has no flushing side effect until
+ * the TSX_CTRL microcode is loaded, despite the MD_CLEAR CPUID bit being
+ * advertised, and there isn't a MD_CLEAR_2 flag to use...
+ *
+ * If we're on affected hardware, able to do something about it (which
+ * implies that VERW now works), no explicit TSX choice and traditional
+ * MDS mitigations (no-SMT, VERW) not obviosuly in use (someone might
+ * plausibly value TSX higher than Hyperthreading...), disable TSX to
+ * mitigate TAA.
+ */
+ if ( opt_tsx == -1 && cpu_has_bug_taa && (caps & ARCH_CAPS_TSX_CTRL) &&
+ ((hw_smt_enabled && opt_smt) ||
+ !boot_cpu_has(X86_FEATURE_SC_VERW_IDLE)) )
+ {
+ setup_clear_cpu_cap(X86_FEATURE_HLE);
+ setup_clear_cpu_cap(X86_FEATURE_RTM);
+
+ opt_tsx = 0;
+ tsx_init();
+ }
+
print_details(thunk, caps);
/*
--- a/xen/arch/x86/tsx.c
+++ b/xen/arch/x86/tsx.c
@@ -5,7 +5,8 @@
* Valid values:
* 1 => Explicit tsx=1
* 0 => Explicit tsx=0
- * -1 => Default, implicit tsx=1
+ * -1 => Default, implicit tsx=1, may change to 0 to mitigate TAA
+ * -3 => Implicit tsx=1 (feed-through from spec-ctrl=0)
*/
int8_t __read_mostly opt_tsx = -1;
int8_t __read_mostly cpu_has_tsx_ctrl = -1;
--- a/xen/include/asm-x86/msr-index.h
+++ b/xen/include/asm-x86/msr-index.h
@@ -56,6 +56,7 @@
#define ARCH_CAPS_MDS_NO (_AC(1, ULL) << 5)
#define ARCH_CAPS_IF_PSCHANGE_MC_NO (_AC(1, ULL) << 6)
#define ARCH_CAPS_TSX_CTRL (_AC(1, ULL) << 7)
+#define ARCH_CAPS_TAA_NO (_AC(1, ULL) << 8)
#define MSR_FLUSH_CMD 0x0000010b
#define FLUSH_CMD_L1D (_AC(1, ULL) << 0)
