From 08bfd4d01185e94fda1be9dd79a981d890a9085e Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Tue, 12 Jul 2022 11:26:14 +0200
Subject: [PATCH 10/67] x86/spec-ctrl: Add fine-grained cmdline suboptions for
primitives
Support controlling the PV/HVM suboption of msr-sc/rsb/md-clear, which
previously wasn't possible.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
master commit: 27357c394ba6e1571a89105b840ce1c6f026485c
master date: 2022-07-11 15:21:35 +0100
---
docs/misc/xen-command-line.pandoc | 12 ++++--
xen/arch/x86/spec_ctrl.c | 66 ++++++++++++++++++++++++++-----
2 files changed, 66 insertions(+), 12 deletions(-)
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index 1db3da9ef78e..b06db5f654e5 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -2169,7 +2169,8 @@ not be able to control the state of the mitigation.
By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
### spec-ctrl (x86)
-> `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>,
+> `= List of [ <bool>, xen=<bool>, {pv,hvm}=<bool>,
+> {msr-sc,rsb,md-clear}=<bool>|{pv,hvm}=<bool>,
> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd,
> eager-fpu,l1d-flush,branch-harden,srb-lock,
> unpriv-mmio}=<bool> ]`
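Review bot: The alternation `{msr-sc,rsb,md-clear}=<bool>|{pv,hvm}=<bool>` on the two added lines is easy to misread as "a suboption takes a bool, or the top-level `{pv,hvm}=<bool>` form", because the `|` sits between two `=<bool>` groups with no grouping; the second hunk's example `spec-ctrl=rsb=no-hvm` shows the intended nesting. Consider parenthesising the right-hand side, e.g. `{msr-sc,rsb,md-clear}=(<bool>|{pv,hvm}=<bool>)`, so the syntax line alone conveys that `pv`/`hvm` are values of the primitive option.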
@@ -2194,12 +2195,17 @@ in place for guests to use.
Use of a positive boolean value for either of these options is invalid.
-The booleans `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` offer fine
+The `pv=`, `hvm=`, `msr-sc=`, `rsb=` and `md-clear=` options offer fine
grained control over the primitives by Xen. These impact Xen's ability to
-protect itself, and Xen's ability to virtualise support for guests to use.
+protect itself, and/or Xen's ability to virtualise support for guests to use.
* `pv=` and `hvm=` offer control over all suboptions for PV and HVM guests
respectively.
+* Each other option can be used either as a plain boolean
+ (e.g. `spec-ctrl=rsb` to control both the PV and HVM sub-options), or with
+ `pv=` or `hvm=` subsuboptions (e.g. `spec-ctrl=rsb=no-hvm` to disable HVM
+ RSB only).
+
* `msr-sc=` offers control over Xen's support for manipulating `MSR_SPEC_CTRL`
on entry and exit. These blocks are necessary to virtualise support for
guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc.
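Review bot: The new bullet documents the two spellings but not how they combine, and since parse_spec_ctrl applies options in order with plain assignments (see the spec_ctrl.c hunk), a later `rsb` overrides an earlier `rsb=no-hvm` and vice versa; a short sentence such as "later options override earlier ones, so `spec-ctrl=rsb=no-hvm,rsb` re-enables HVM RSB" would save users from guessing. Also, `subsuboptions` is a coined term that appears nowhere else in this file; "sub-suboptions" or simply "with `pv=` or `hvm=` as the value" reads more naturally.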
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 06790897e496..225fe08259b3 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -147,20 +147,68 @@ static int __init parse_spec_ctrl(const char *s)
opt_rsb_hvm = val;
opt_md_clear_hvm = val;
}
- else if ( (val = parse_boolean("msr-sc", s, ss)) >= 0 )
+ else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 )
{
- opt_msr_sc_pv = val;
- opt_msr_sc_hvm = val;
+ switch ( val )
+ {
+ case 0:
+ case 1:
+ opt_msr_sc_pv = opt_msr_sc_hvm = val;
+ break;
+
+ case -2:
+ s += strlen("msr-sc=");
+ if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ opt_msr_sc_pv = val;
+ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
+ opt_msr_sc_hvm = val;
+ else
+ default:
+ rc = -EINVAL;
+ break;
+ }
}
- else if ( (val = parse_boolean("rsb", s, ss)) >= 0 )
+ else if ( (val = parse_boolean("rsb", s, ss)) != -1 )
{
- opt_rsb_pv = val;
- opt_rsb_hvm = val;
+ switch ( val )
+ {
+ case 0:
+ case 1:
+ opt_rsb_pv = opt_rsb_hvm = val;
+ break;
+
+ case -2:
+ s += strlen("rsb=");
+ if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ opt_rsb_pv = val;
+ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
+ opt_rsb_hvm = val;
+ else
+ default:
+ rc = -EINVAL;
+ break;
+ }
}
- else if ( (val = parse_boolean("md-clear", s, ss)) >= 0 )
+ else if ( (val = parse_boolean("md-clear", s, ss)) != -1 )
{
- opt_md_clear_pv = val;
- opt_md_clear_hvm = val;
+ switch ( val )
+ {
+ case 0:
+ case 1:
+ opt_md_clear_pv = opt_md_clear_hvm = val;
+ break;
+
+ case -2:
+ s += strlen("md-clear=");
+ if ( (val = parse_boolean("pv", s, ss)) >= 0 )
+ opt_md_clear_pv = val;
+ else if ( (val = parse_boolean("hvm", s, ss)) >= 0 )
+ opt_md_clear_hvm = val;
+ else
+ default:
+ rc = -EINVAL;
+ break;
+ }
}
/* Xen's speculative sidechannel mitigation settings. */
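Review bot: The three `switch ( val )` blocks for `msr-sc`, `rsb` and `md-clear` are identical except for the option name and the pair of `opt_*_pv`/`opt_*_hvm` variables, so a small helper taking the name, `s`, `ss` and two `bool *` would remove the triplication and keep the error handling in one place. Two further points on the `case -2:` arms: the construct `else` / `default:` / `rc = -EINVAL;` is valid C (the labeled statement is the else branch) but is unusual enough to deserve a comment or a plain `else rc = -EINVAL;` with a separate `default:`; and `s += strlen("msr-sc=")` relies on the `-2` return of parse_boolean meaning "name matched with `=`, value is not a boolean" while `s` still points at the option name, a contract that is not visible in this hunk and should be confirmed against parse_boolean before relying on it.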
--
2.37.3