Commit 4eebf29f authored by Henrik Riomar's avatar Henrik Riomar

main/xen: security upgrade to 4.13.2

Fixes: XSA-286, XSA-345, XSA-346 & XSA-347. CVEs not yet assigned

musl-hvmloader-fix-stdint.patch rebased
parent cfd90d31
# Contributor: Roger Pau Monne <roger.pau@entel.upc.edu>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=xen
pkgver=4.13.1
pkgrel=4
pkgver=4.13.2
pkgrel=0
pkgdesc="Xen hypervisor"
url="https://www.xenproject.org/"
arch="x86_64 armhf aarch64" # enable armv7 when builds with gcc8
......@@ -189,6 +189,11 @@ options="!strip"
# - CVE-2020-25600 XSA-342
# - CVE-2020-25599 XSA-343
# - CVE-2020-25601 XSA-344
# 4.13.2-r0:
# - CVE-????-????? XSA-286
# - CVE-????-????? XSA-345
# - CVE-????-????? XSA-346
# - CVE-????-????? XSA-347
case "$CARCH" in
......@@ -253,36 +258,6 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/xen-$pkgver.tar.gz
drop-test.py.patch
py3-compat.patch
xsa320-4.13-1.patch
xsa320-4.13-2.patch
xsa317.patch
xsa319.patch
xsa328-4.13-1.patch
xsa328-4.13-2.patch
xsa321-4.13-1.patch
xsa321-4.13-2.patch
xsa321-4.13-3.patch
xsa321-4.13-4.patch
xsa321-4.13-5.patch
xsa321-4.13-6.patch
xsa321-4.13-7.patch
xsa327.patch
xsa335-qemu.patch
xsa333.patch
xsa334.patch
xsa336.patch
xsa337-4.13-1.patch
xsa337-4.13-2.patch
xsa338.patch
xsa339.patch
xsa340.patch
xsa342-4.13.patch
xsa343-1.patch
xsa343-2.patch
xsa343-3.patch
xsa344-4.13-1.patch
xsa344-4.13-2.patch
xenstored.initd
xenstored.confd
xenconsoled.initd
......@@ -506,7 +481,7 @@ EOF
}
sha512sums="b56d20704155d98d803496cba83eb928e0f986a750831cd5600fc88d0ae772fe1456571654375054043d2da8daca255cc98385ebf08b1b1a75ecf7f4b7a0ee90 xen-4.13.1.tar.gz
sha512sums="cd3092281c97e9421e303aa288aac04dcccd5536ba7c0ff4d51fbf3d07b5ffacfe3456ba06f5cf63577dafbf8cf3a5d9825ceb5e9ef8ca1427900cc3e57b50a3 xen-4.13.2.tar.gz
2e0b0fd23e6f10742a5517981e5171c6e88b0a93c83da701b296f5c0861d72c19782daab589a7eac3f9032152a0fc7eff7f5362db8fccc4859564a9aa82329cf gmp-4.3.2.tar.bz2
c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a3628bd00ba4d14a54742bc04848110eb3ae8ca25dbfbaabadb grub-0.97.tar.gz
1465b58279af1647f909450e394fe002ca165f0ff4a0254bfa9fe0e64316f50facdde2729d79a4e632565b4500cf4d6c74192ac0dd3bc9fe09129bbd67ba089d lwip-1.3.0.tar.gz
......@@ -519,7 +494,7 @@ c2bc9ffc8583aeae71cee9ddcc4418969768d4e3764d47307da54f93981c0109fb07d84b061b3a36
b9c754220187955d01ffbb6e030dace9d9aaae755db1765d07e407858c71a2cb0de04e0ab2099cd121d9e1bc1978af06c7dbd2fd805e06eca12ac5d527f15a52 mini-os-__divmoddi4.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
77b08e9655e091b0352e4630d520b54c6ca6d659d1d38fbb4b3bfc9ff3e66db433a2e194ead32bb10ff962c382d800a670e82b7a62835b238e294b22808290ea musl-hvmloader-fix-stdint.patch
5fc028b5e4eb9b14fd5b27e3470172e3eb1ac63c1443fc0af7ed04efd874db733165e62d41504a547651c4466737303a6a5128f66212a42664ff6c1c9d233f4a musl-hvmloader-fix-stdint.patch
8c3b57eab8641bcee3dbdc1937ea7874f77b9722a5a0aa3ddb8dff8cc0ced7e19703ef5d998621b3809bea7c16f3346cfa47610ec9ab014ad0de12651c94e5ff stdint_local.h
853467a2d055c5bfbdc7bdca175a334241be44a7c5ac3c0a84a4bc5463b5c070b66d37e2a557429ef860727a6b7350683af758cc2494d85b6be4d883143a2c0d elf_local.h
79cb1b6b81b17cb87a064dfe3548949dfb80f64f203cac11ef327102b7a25794549ce2d9c019ebf05f752214da8e05065e9219d069e679c0ae5bee3d090c685e xen-hotplug-lockfd.patch
......@@ -528,35 +503,6 @@ e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3a
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
61f66bab603778fb41bfe8e85320c15f2bf3e5d8583e077b56a93784dbdb9b2c7c5e55ce18f06b87501429086f8410d102d3ed5f2a77d54bcfa328bc07681f4d drop-test.py.patch
8cb12dbfc05a53898a97d47d71ab6b8a6f81c5e5579fd765b37303faea95c645cb8dedc05e3d064bdf070e93814e00bf8939767acc1127513375bab0fe2f4436 py3-compat.patch
325f66b008a76ff569fdca430e2926633996511f1bd7dcd375259377e4c88758b13c95ee66b8edaa5ffebc3d927442409dc36bd8e35b2c928e43d82a539583cf xsa317.patch
d57d8cfd749df1816060345bedd9fa7ef2381ea9d85562ddf0c39ffe832ca56834c3e8c1fb67a64fd5631fd219c4d66a3ef655dca0989bf39911c87e0145717f xsa319.patch
be3b2ece73ba625024fd9c85eda0fb04b60dab3533a78a1d768783e242b0d81e4af5b91cfb85245be89d37f26807f3e846054c1e4518d208e4f7768b05a80ba0 xsa320-4.13-1.patch
91ae9b5fb7ba950aa508b2e3fdd1c1618fea3a3d51affc232e4880d6c12d9056bc595a34843d70c7fba8b2ec5f856a97b1dec60bcc4abdf9240df1643fe2184a xsa320-4.13-2.patch
05e23669ce04a6d03a159310756a0d2b71b3abb8b24cffd3a58c84bca1ca8597f293c31945d08a2b95a75dcbd013c9bdd89ba2682433c7d42f4765615d097b45 xsa321-4.13-1.patch
8bae6927a462160c46976f5425cc4c51b6788d86b52ad8cccee576c0f3783ec6af4059365191030909372d8aa229001127c4aeba95d480422a781550657df2da xsa321-4.13-2.patch
0c8e3371e0cc17b1e785cc98d888e6871ad8551c4486afc8450bc56444347a3168700fc77a508d0a2b9545e21aac107bb1ff3cf17be358f45e0bb895806ad14f xsa321-4.13-3.patch
7ebbb7e1a647aa209aa7303964050d29aa4e2c39a4dcd1f5b64d51d20812323b95e48906161f410a46a11a5b94d06c5a6d25551a8d837bf2d099604646870a72 xsa321-4.13-4.patch
90a2ca8bbbac8f82f934ab3bf4bbdc61d23ff87e3d8154d71b794e84df65b81b26b13bd95cc9a66912c98566f33993ab4f222d99756feccdf3309b3e255e2856 xsa321-4.13-5.patch
d7edad538e74d27d877e6393b6a98cd7df44d405d9b99534c16a3e7eee60193b53a1fa983cd90700ea8ffaf74e444327bf92ffb432591ceb963e028ae57c1e8f xsa321-4.13-6.patch
061a6ad3c01de21bb980fd11df38c4f9d4e48288f1a2f28bcbd82c2b01ce85e65c2b3103a84f2f95c87af50ee6344a1c0850f533528f6a32aa0961780f2b0a5a xsa321-4.13-7.patch
83823056dbd0142585d8b0fb9b3179ac8cc099a21ee489008a4cfb1f310daae72dff1fb6c7cd3a1c8ca5cec43a6b964587d8121a2423226baad0bcd302e73263 xsa327.patch
14699f43d8ef857c3ddf17d95a80cfe4234a50349e0220a110c2046a63873037686ddbd3cd06ad708a4a76148fe0b812179e46431f04abb8ac7ae01c37b8cf2b xsa328-4.13-1.patch
a9551daa73a7deb332fcfd647d0df6ebab84699a91eaca43697e182612304910610f80c1edc3c5e3b86e4a580137a4ae178fadba62fe148795a6ab240df174cf xsa328-4.13-2.patch
a18f552845ca105ce846ff8281b6c5b10f45301571f3163a33a6c212b87b742bb039f15c2d346bd34a9fdedd8a007fd9e51f319900cb8ee05febf178ed6ef8b0 xsa335-qemu.patch
7457a53eee28044143800124f422d530c49f7ee976ed5a5ff74e25100fc7ea364b8cd4f690b55dc308fe028bbaaf73164f994abab70d6388901199c8415eded1 xsa333.patch
23b746493180e13cc39e626bcaefa0c306be2f1e1cd12faef9b629676402d1d4d9a8f31cd8dabeba9d9e8a6953f711b075806f2f6468612908d9e262757c1f89 xsa334.patch
b89faf5147706d71ef354d7e6bf290df7d86b9881dfc16e8f591eb9402382a6eef3b2a450f21dfe779f060001114f85ae32ff7ceaa05db6e3c924a0137b3cd1d xsa336.patch
01e9434d3f2494de11193d11b435355f375a84bc9f43b3be55b00524237986871df824a9740641e88791ecfd1438c66d141a9751e82a96d44e4c0dfb42a6d099 xsa337-4.13-1.patch
6c669a773e54db88ef275f219fccc1f5ea8c5dc0c883af2bf4e22f288a10ce22120c88ca392de0b84d18f95949063da5b3ac4b4b0e702d733db67b161e33b236 xsa337-4.13-2.patch
11a637e6de41012046115ed66e95e7fec90a3c274030dc1617dbcee4cc3b88dfa812e21323a628e27356aedfbaa094508fbdedc340dc37db29960ff6d4ef9921 xsa338.patch
7eaa70d891cdfd60001308c6b88f635048babdd1ba2952bcc88322b2096bafd1aee6a3f7dc1f4188fa7c44217c4d9bcaadf4bdd274d95762b0646e65f6b9659e xsa339.patch
2d4b2887f1a779267c15b16bd83d78ca84ceaaf9cad08a64162c28440527d3ac8edf80c8c2916e152bdf9e0e3e768c316d95dfa4c362c7a34dfb3348e8a2c568 xsa340.patch
c61fe4121c7a9314a8c3514dcdd62779dd11a90c2edb33cc1df55131477af7a1ec2c8a6dc15ad6d0975b335170d23c2b0057c55bd9923d20c4d4b31934c2f675 xsa342-4.13.patch
e7112489e230faeac5635ac60dba3cd390a4db39f1902d5369e20865a8aada0a8126108a71cc1ba9084dc3e4fcd88108916d8849982fac0fae1c5c0046a6cdab xsa343-1.patch
b91e8bea8f23aeede16b04a9c9e7fba73c9a5f57fb81859d1cbbd2282c56003b759d8c0e22f8715a5c84d01b2fd2a16baad6301fda6a88b612b89581e781b673 xsa343-2.patch
ed9cb1a718402dbedbca9f5ec2737fc1c6e38328ca44ef60c20482c912e6b3c3c467f39292ada87ff3be9439a139ac00ea916e24f605dc991121be2be81ed6e9 xsa343-3.patch
dba0470f7374c2e0e7901d48017ffa0ec46aa8ff827833b4d36f671b3a3ac7d436e1f14e05c97803aa97dbd34661be75087d0a22d85624b40a7c5d84127bdccc xsa344-4.13-1.patch
770cef99cda6ed3b689f2153229453da0b38049cb6594a80dca6fedc2892e395807b5ee6598f2535653617d1b306fadc626afc2dae0d27f3c920d832f64e967e xsa344-4.13-2.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
3c86ed48fbee0af4051c65c4a3893f131fa66e47bf083caf20c9b6aa4b63fdead8832f84a58d0e27964bc49ec8397251b34e5be5c212c139f556916dc8da9523 xenconsoled.initd
......
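Review bot: The four entries added under `# 4.13.2-r0:` in the secfixes comment carry `CVE-????-?????` placeholders, so anything that matches on the CVE id in this block cannot map XSA-286, XSA-345, XSA-346 and XSA-347 to this release. A follow-up should replace each placeholder once the ids are assigned, keeping the `# - CVE-… XSA-NNN` form of the entries above. The same change drops every `xsa*.patch` from the source list and from sha512sums, which presumably relies on 4.13.2 already containing all of those fixes. That is worth confirming before merge, in particular for `xsa335-qemu.patch`, which judging by its name patches the bundled qemu tree rather than the hypervisor. Stating the check in the commit message would let a later reader verify that no fix was lost in the upgrade.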
......@@ -17,11 +17,11 @@ index 26bbddc..efad58c 100644
$(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
diff --git a/tools/firmware/hvmloader/32bitbios_support.c b/tools/firmware/hvmloader/32bitbios_support.c
index fe770a3..cdab677 100644
index 1141350..0ba9d38 100644
--- a/tools/firmware/hvmloader/32bitbios_support.c
+++ b/tools/firmware/hvmloader/32bitbios_support.c
@@ -21,8 +21,8 @@
* Place - Suite 330, Boston, MA 02111-1307 USA.
@@ -20,8 +20,8 @@
* this program; If not, see <http://www.gnu.org/licenses/>.
*/
-#include <inttypes.h>
......@@ -31,21 +31,8 @@ index fe770a3..cdab677 100644
#ifdef __sun__
#include <sys/machelf.h>
#endif
diff --git a/tools/firmware/hvmloader/acpi/acpi2_0.h b/tools/firmware/hvmloader/acpi/acpi2_0.h
index 7b22d80..413c930 100644
--- a/tools/firmware/hvmloader/acpi/acpi2_0.h
+++ b/tools/libacpi/acpi2_0.h
@@ -18,7 +18,7 @@
#ifndef _ACPI_2_0_H_
#define _ACPI_2_0_H_
-#include <stdint.h>
+#include <stdint_local.h>
#include <xen/xen.h>
#include <xen/hvm/ioreq.h>
diff --git a/tools/firmware/hvmloader/config.h b/tools/firmware/hvmloader/config.h
index b838cf9..33d48b3 100644
index 844120b..8cb799f 100644
--- a/tools/firmware/hvmloader/config.h
+++ b/tools/firmware/hvmloader/config.h
@@ -1,7 +1,7 @@
......@@ -54,9 +41,9 @@ index b838cf9..33d48b3 100644
-#include <stdint.h>
+#include <stdint_local.h>
#include <stdbool.h>
enum virtual_vga { VGA_none, VGA_std, VGA_cirrus, VGA_pt };
extern enum virtual_vga virtual_vga;
diff --git a/tools/firmware/hvmloader/hypercall.h b/tools/firmware/hvmloader/hypercall.h
index 5368c30..c57bc86 100644
--- a/tools/firmware/hvmloader/hypercall.h
......@@ -71,11 +58,11 @@ index 5368c30..c57bc86 100644
#include "config.h"
diff --git a/tools/firmware/hvmloader/mp_tables.c b/tools/firmware/hvmloader/mp_tables.c
index fd636a0..b3b703e 100644
index d207ecb..6dae38a 100644
--- a/tools/firmware/hvmloader/mp_tables.c
+++ b/tools/firmware/hvmloader/mp_tables.c
@@ -28,7 +28,7 @@
* Place - Suite 330, Boston, MA 02111-1307 USA.
@@ -27,7 +27,7 @@
* this program; If not, see <http://www.gnu.org/licenses/>.
*/
-#include <stdint.h>
......@@ -97,10 +84,10 @@ index 0fefe08..66a93bc 100644
struct option_rom_header {
uint8_t signature[2]; /* "\x55\xaa" */
diff --git a/tools/firmware/hvmloader/pir_types.h b/tools/firmware/hvmloader/pir_types.h
index 6e50822..6134b01 100644
index 9f9259c..7c004c8 100644
--- a/tools/firmware/hvmloader/pir_types.h
+++ b/tools/firmware/hvmloader/pir_types.h
@@ -24,7 +24,7 @@
@@ -23,7 +23,7 @@
#ifndef PIR_TYPES_H
#define PIR_TYPES_H
......@@ -110,10 +97,10 @@ index 6e50822..6134b01 100644
#define NR_PIR_SLOTS 6
diff --git a/tools/firmware/hvmloader/smbios.c b/tools/firmware/hvmloader/smbios.c
index 4d3d692..60d144d 100644
index 97a054e..e1646ee 100644
--- a/tools/firmware/hvmloader/smbios.c
+++ b/tools/firmware/hvmloader/smbios.c
@@ -20,7 +20,7 @@
@@ -19,7 +19,7 @@
* Authors: Andrew D. Ball <aball@us.ibm.com>
*/
......@@ -123,10 +110,10 @@ index 4d3d692..60d144d 100644
#include <xen/version.h>
#include "smbios_types.h"
diff --git a/tools/firmware/hvmloader/smbios_types.h b/tools/firmware/hvmloader/smbios_types.h
index ff36564..1b61d9a 100644
index 7c648ec..6ea0dc8 100644
--- a/tools/firmware/hvmloader/smbios_types.h
+++ b/tools/firmware/hvmloader/smbios_types.h
@@ -26,7 +26,7 @@
@@ -25,7 +25,7 @@
#ifndef SMBIOS_TYPES_H
#define SMBIOS_TYPES_H
......@@ -136,7 +123,7 @@ index ff36564..1b61d9a 100644
/* SMBIOS entry point -- must be written to a 16-bit aligned address
between 0xf0000 and 0xfffff.
diff --git a/tools/firmware/hvmloader/util.c b/tools/firmware/hvmloader/util.c
index 80d822f..671d8cd 100644
index 7da144b..5a96608 100644
--- a/tools/firmware/hvmloader/util.c
+++ b/tools/firmware/hvmloader/util.c
@@ -24,7 +24,7 @@
......@@ -148,9 +135,8 @@ index 80d822f..671d8cd 100644
#include <xen/xen.h>
#include <xen/memory.h>
#include <xen/sched.h>
diff --git a/tools/firmware/hvmloader/util.h b/tools/firmware/hvmloader/util.h
index a70e4aa..a8a2628 100644
index 31889de..4f32283 100644
--- a/tools/firmware/hvmloader/util.h
+++ b/tools/firmware/hvmloader/util.h
@@ -2,7 +2,7 @@
......@@ -160,13 +146,13 @@ index a70e4aa..a8a2628 100644
-#include <stdint.h>
+#include <stdint_local.h>
#include <stddef.h>
#include <stdbool.h>
#include <xen/xen.h>
#include <xen/hvm/hvm_info_table.h>
diff --git a/tools/firmware/rombios/32bit/pmm.c b/tools/firmware/rombios/32bit/pmm.c
index 4a279ca..b90b813 100644
index 09fec42..133cab7 100644
--- a/tools/firmware/rombios/32bit/pmm.c
+++ b/tools/firmware/rombios/32bit/pmm.c
@@ -63,7 +63,7 @@
@@ -62,7 +62,7 @@
* }
*/
......@@ -176,11 +162,11 @@ index 4a279ca..b90b813 100644
#include "config.h"
#include "e820.h"
diff --git a/tools/firmware/rombios/32bit/util.c b/tools/firmware/rombios/32bit/util.c
index a47bb71..777f742 100644
index 6c1c480..52c5878 100644
--- a/tools/firmware/rombios/32bit/util.c
+++ b/tools/firmware/rombios/32bit/util.c
@@ -18,7 +18,7 @@
* Place - Suite 330, Boston, MA 02111-1307 USA.
@@ -17,7 +17,7 @@
* this program; If not, see <http://www.gnu.org/licenses/>.
*/
#include <stdarg.h>
-#include <stdint.h>
......@@ -188,3 +174,16 @@ index a47bb71..777f742 100644
#include "rombios_compat.h"
#include "util.h"
diff --git a/tools/libacpi/acpi2_0.h b/tools/libacpi/acpi2_0.h
index 2619ba3..c0498ca 100644
--- a/tools/libacpi/acpi2_0.h
+++ b/tools/libacpi/acpi2_0.h
@@ -14,7 +14,7 @@
#ifndef _ACPI_2_0_H_
#define _ACPI_2_0_H_
-#include <stdint.h>
+#include <stdint_local.h>
#include <xen/xen.h>
#include <xen/hvm/ioreq.h>
From aeb46e92f915f19a61d5a8a1f4b696793f64e6fb Mon Sep 17 00:00:00 2001
From: Julien Grall <jgrall@amazon.com>
Date: Thu, 19 Mar 2020 13:17:31 +0000
Subject: [PATCH] xen/common: event_channel: Don't ignore error in
get_free_port()
Currently, get_free_port() is assuming that the port has been allocated
when evtchn_allocate_port() is not return -EBUSY.
However, the function may return an error when:
- We exhausted all the event channels. This can happen if the limit
configured by the administrator for the guest ('max_event_channels'
in xl cfg) is higher than the ABI used by the guest. For instance,
if the guest is using 2L, the limit should not be higher than 4095.
- We cannot allocate memory (e.g Xen has not more memory).
Users of get_free_port() (such as EVTCHNOP_alloc_unbound) will validly
assuming the port was valid and will next call evtchn_from_port(). This
will result to a crash as the memory backing the event channel structure
is not present.
Fixes: 368ae9a05fe ("xen/pvshim: forward evtchn ops between L0 Xen and L2 DomU")
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/common/event_channel.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
index e86e2bfab0..a8d182b584 100644
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -195,10 +195,10 @@ static int get_free_port(struct domain *d)
{
int rc = evtchn_allocate_port(d, port);
- if ( rc == -EBUSY )
- continue;
-
- return port;
+ if ( rc == 0 )
+ return port;
+ else if ( rc != -EBUSY )
+ return rc;
}
return -ENOSPC;
--
2.17.1
From: Jan Beulich <jbeulich@suse.com>
Subject: x86/shadow: correct an inverted conditional in dirty VRAM tracking
This originally was "mfn_x(mfn) == INVALID_MFN". Make it like this
again, taking the opportunity to also drop the unnecessary nearby
braces.
This is XSA-319.
Fixes: 246a5a3377c2 ("xen: Use a typesafe to define INVALID_MFN")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/mm/shadow/common.c
+++ b/xen/arch/x86/mm/shadow/common.c
@@ -3252,10 +3252,8 @@ int shadow_track_dirty_vram(struct domai
int dirty = 0;
paddr_t sl1ma = dirty_vram->sl1ma[i];
- if ( !mfn_eq(mfn, INVALID_MFN) )
- {
+ if ( mfn_eq(mfn, INVALID_MFN) )
dirty = 1;
- }
else
{
page = mfn_to_page(mfn);
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/spec-ctrl: CPUID/MSR definitions for Special Register Buffer Data Sampling
This is part of XSA-320 / CVE-2020-0543
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Wei Liu <wl@xen.org>
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index 1d9d816622..9268454297 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -483,10 +483,10 @@ accounting for hardware capabilities as enumerated via CPUID.
Currently accepted:
-The Speculation Control hardware features `md-clear`, `ibrsb`, `stibp`, `ibpb`,
-`l1d-flush` and `ssbd` are used by default if available and applicable. They can
-be ignored, e.g. `no-ibrsb`, at which point Xen won't use them itself, and
-won't offer them to guests.
+The Speculation Control hardware features `srbds-ctrl`, `md-clear`, `ibrsb`,
+`stibp`, `ibpb`, `l1d-flush` and `ssbd` are used by default if available and
+applicable. They can be ignored, e.g. `no-ibrsb`, at which point Xen won't
+use them itself, and won't offer them to guests.
### cpuid_mask_cpu
> `= fam_0f_rev_[cdefg] | fam_10_rev_[bc] | fam_11_rev_b`
diff --git a/tools/libxl/libxl_cpuid.c b/tools/libxl/libxl_cpuid.c
index 6cea4227ba..a78f08b927 100644
--- a/tools/libxl/libxl_cpuid.c
+++ b/tools/libxl/libxl_cpuid.c
@@ -213,6 +213,7 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str)
{"avx512-4vnniw",0x00000007, 0, CPUID_REG_EDX, 2, 1},
{"avx512-4fmaps",0x00000007, 0, CPUID_REG_EDX, 3, 1},
+ {"srbds-ctrl", 0x00000007, 0, CPUID_REG_EDX, 9, 1},
{"md-clear", 0x00000007, 0, CPUID_REG_EDX, 10, 1},
{"cet-ibt", 0x00000007, 0, CPUID_REG_EDX, 20, 1},
{"ibrsb", 0x00000007, 0, CPUID_REG_EDX, 26, 1},
diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c
index 603e1d65fd..a09440813b 100644
--- a/tools/misc/xen-cpuid.c
+++ b/tools/misc/xen-cpuid.c
@@ -157,6 +157,7 @@ static const char *const str_7d0[32] =
[ 2] = "avx512_4vnniw", [ 3] = "avx512_4fmaps",
[ 4] = "fsrm",
+ /* 8 */ [ 9] = "srbds-ctrl",
[10] = "md-clear",
/* 12 */ [13] = "tsx-force-abort",
diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c
index 4b12103482..0cded3c0ad 100644
--- a/xen/arch/x86/msr.c
+++ b/xen/arch/x86/msr.c
@@ -134,6 +134,7 @@ int guest_rdmsr(struct vcpu *v, uint32_t msr, uint64_t *val)
/* Write-only */
case MSR_TSX_FORCE_ABORT:
case MSR_TSX_CTRL:
+ case MSR_MCU_OPT_CTRL:
case MSR_U_CET:
case MSR_S_CET:
case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE:
@@ -288,6 +289,7 @@ int guest_wrmsr(struct vcpu *v, uint32_t msr, uint64_t val)
/* Read-only */
case MSR_TSX_FORCE_ABORT:
case MSR_TSX_CTRL:
+ case MSR_MCU_OPT_CTRL:
case MSR_U_CET:
case MSR_S_CET:
case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE:
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 6656c44aec..5fc1c6827e 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -312,12 +312,13 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
printk("Speculative mitigation facilities:\n");
/* Hardware features which pertain to speculative mitigations. */
- printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
(_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "",
(_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "",
(_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "",
(_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "",
(_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "",
+ (_7d0 & cpufeat_mask(X86_FEATURE_SRBDS_CTRL)) ? " SRBDS_CTRL" : "",
(e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "",
(caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "",
(caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h
index 7693c4a71a..91994669e1 100644
--- a/xen/include/asm-x86/msr-index.h
+++ b/xen/include/asm-x86/msr-index.h
@@ -179,6 +179,9 @@
#define MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490
#define MSR_IA32_VMX_VMFUNC 0x491
+#define MSR_MCU_OPT_CTRL 0x00000123
+#define MCU_OPT_CTRL_RNGDS_MITG_DIS (_AC(1, ULL) << 0)
+
#define MSR_U_CET 0x000006a0
#define MSR_S_CET 0x000006a2
#define MSR_PL0_SSP 0x000006a4
diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h
index 2835688f1c..a2482c3627 100644
--- a/xen/include/public/arch-x86/cpufeatureset.h
+++ b/xen/include/public/arch-x86/cpufeatureset.h
@@ -252,6 +252,7 @@ XEN_CPUFEATURE(IBPB, 8*32+12) /*A IBPB support only (no IBRS, used by
/* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */
XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */
XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single Precision */
+XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */
XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */
XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */
XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/spec-ctrl: Mitigate the Special Register Buffer Data Sampling sidechannel
See patch documentation and comments.
This is part of XSA-320 / CVE-2020-0543
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index 9268454297..c780312531 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -1991,7 +1991,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
### spec-ctrl (x86)
> `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>,
> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu,
-> l1d-flush,branch-harden}=<bool> ]`
+> l1d-flush,branch-harden,srb-lock}=<bool> ]`
Controls for speculative execution sidechannel mitigations. By default, Xen
will pick the most appropriate mitigations based on compiled in support,
@@ -2068,6 +2068,12 @@ If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_BRANCH`, the
speculation barriers to protect selected conditional branches. By default,
Xen will enable this mitigation.
+On hardware supporting SRBDS_CTRL, the `srb-lock=` option can be used to force
+or prevent Xen from protect the Special Register Buffer from leaking stale
+data. By default, Xen will enable this mitigation, except on parts where MDS
+is fixed and TAA is fixed/mitigated (in which case, there is believed to be no
+way for an attacker to obtain the stale data).
+
### sync_console
> `= <boolean>`
diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
index feb0f6ce20..75c6e34164 100644
--- a/xen/arch/x86/acpi/power.c
+++ b/xen/arch/x86/acpi/power.c
@@ -295,6 +295,9 @@ static int enter_state(u32 state)
ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr);
spec_ctrl_exit_idle(ci);
+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
+ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
+
done:
spin_debug_enable();
local_irq_restore(flags);
diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
index dc8fdac1a1..b1e51b3aff 100644
--- a/xen/arch/x86/smpboot.c
+++ b/xen/arch/x86/smpboot.c
@@ -361,12 +361,14 @@ void start_secondary(void *unused)
microcode_update_one(false);
/*
- * If MSR_SPEC_CTRL is available, apply Xen's default setting and discard
- * any firmware settings. Note: MSR_SPEC_CTRL may only become available
- * after loading microcode.
+ * If any speculative control MSRs are available, apply Xen's default
+ * settings. Note: These MSRs may only become available after loading
+ * microcode.
*/
if ( boot_cpu_has(X86_FEATURE_IBRSB) )
wrmsrl(MSR_SPEC_CTRL, default_xen_spec_ctrl);
+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
+ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */
diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
index 5fc1c6827e..33343062a7 100644
--- a/xen/arch/x86/spec_ctrl.c
+++ b/xen/arch/x86/spec_ctrl.c
@@ -65,6 +65,9 @@ static unsigned int __initdata l1d_maxphysaddr;
static bool __initdata cpu_has_bug_msbds_only; /* => minimal HT impact. */
static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. */
+static int8_t __initdata opt_srb_lock = -1;
+uint64_t __read_mostly default_xen_mcu_opt_ctrl;
+
static int __init parse_spec_ctrl(const char *s)
{
const char *ss;
@@ -112,6 +115,7 @@ static int __init parse_spec_ctrl(const char *s)
opt_ssbd = false;
opt_l1d_flush = 0;
opt_branch_harden = false;
+ opt_srb_lock = 0;
}
else if ( val > 0 )
rc = -EINVAL;
@@ -178,6 +182,8 @@ static int __init parse_spec_ctrl(const char *s)
opt_l1d_flush = val;
else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 )
opt_branch_harden = val;
+ else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 )
+ opt_srb_lock = val;
else
rc = -EINVAL;
@@ -341,7 +347,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
"\n");
/* Settings for Xen's protection, irrespective of guests. */
- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n",
+ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s%s\n",
thunk == THUNK_NONE ? "N/A" :
thunk == THUNK_RETPOLINE ? "RETPOLINE" :
thunk == THUNK_LFENCE ? "LFENCE" :
@@ -352,6 +358,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
(default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-",
!(caps & ARCH_CAPS_TSX_CTRL) ? "" :
(opt_tsx & 1) ? " TSX+" : " TSX-",
+ !boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ? "" :
+ opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-",
opt_ibpb ? " IBPB" : "",
opt_l1d_flush ? " L1D_FLUSH" : "",
opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
@@ -1149,6 +1157,34 @@ void __init init_speculation_mitigations(void)
tsx_init();
}
+ /* Calculate suitable defaults for MSR_MCU_OPT_CTRL */
+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
+ {
+ uint64_t val;
+
+ rdmsrl(MSR_MCU_OPT_CTRL, val);
+
+ /*
+ * On some SRBDS-affected hardware, it may be safe to relax srb-lock
+ * by default.
+ *
+ * On parts which enumerate MDS_NO and not TAA_NO, TSX is the only way
+ * to access the Fill Buffer. If TSX isn't available (inc. SKU
+ * reasons on some models), or TSX is explicitly disabled, then there
+ * is no need for the extra overhead to protect RDRAND/RDSEED.
+ */
+ if ( opt_srb_lock == -1 &&
+ (caps & (ARCH_CAPS_MDS_NO|ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO &&
+ (!cpu_has_hle || ((caps & ARCH_CAPS_TSX_CTRL) && opt_tsx == 0)) )
+ opt_srb_lock = 0;
+
+ val &= ~MCU_OPT_CTRL_RNGDS_MITG_DIS;
+ if ( !opt_srb_lock )
+ val |= MCU_OPT_CTRL_RNGDS_MITG_DIS;
+
+ default_xen_mcu_opt_ctrl = val;
+ }
+
print_details(thunk, caps);
/*
@@ -1180,6 +1216,9 @@ void __init init_speculation_mitigations(void)
wrmsrl(MSR_SPEC_CTRL, bsp_delay_spec_ctrl ? 0 : default_xen_spec_ctrl);
}
+
+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
+ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
}
static void __init __maybe_unused build_assertions(void)
diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
index 9caecddfec..b252bb8631 100644
--- a/xen/include/asm-x86/spec_ctrl.h
+++ b/xen/include/asm-x86/spec_ctrl.h
@@ -54,6 +54,8 @@ extern int8_t opt_pv_l1tf_hwdom, opt_pv_l1tf_domu;
*/
extern paddr_t l1tf_addr_mask, l1tf_safe_maddr;
+extern uint64_t default_xen_mcu_opt_ctrl;
+
static inline void init_shadow_spec_ctrl_state(void)
{
struct cpu_info *info = get_cpu_info();
From: Jan Beulich <jbeulich@suse.com>
Subject: vtd: improve IOMMU TLB flush
Do not limit PSI flushes to order 0 pages, in order to avoid doing a
full TLB flush if the passed in page has an order greater than 0 and