head	1.2;
access;
symbols;
locks; strict;
comment	@# @;


1.2
date	2018.01.24.23.29.32;	author bouyer;	state dead;
branches;
next	1.1;
commitid	WktdwS8UoS8bvboA;

1.1
date	2018.01.18.10.28.13;	author bouyer;	state Exp;
branches;
next	;
commitid	g4hmLtBKz4wynlnA;


desc
@@


1.2
log
@Update xen 4.8 packages to 4.8.3. Changes since 4.8.2: include patches from
all security advisories up to and including XSA254.

While there pass XEN_VENDORVERSION=nb${PKGREVISION} to make so that
'xl info' shows the NetBSD PKGREVISION. If PKGREVISION is not available,
define this as 'nb0'.
@
text
@$NetBSD: patch-XSA254-4,v 1.1 2018/01/18 10:28:13 bouyer Exp $

From 31d38d633a306b2b06767b5a5f5a8a00269f3c92 Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@@suse.com>
Date: Wed, 17 Jan 2018 17:17:26 +0100
Subject: [PATCH] x86: allow Meltdown band-aid to be disabled

First of all we don't need it on AMD systems. Additionally allow its use
to be controlled by command line option. For best backportability, this
intentionally doesn't use alternative instruction patching to achieve
the intended effect - while we likely want it, this will be a later
follow-up.

Signed-off-by: Jan Beulich <jbeulich@@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@@citrix.com>
master commit: e871e80c38547d9faefc6604532ba3e985e65873
master date: 2018-01-16 17:50:59 +0100
---
 docs/misc/xen-command-line.markdown | 12 ++++++++++++
 xen/arch/x86/domain.c               |  7 +++++--
 xen/arch/x86/mm.c                   |  2 +-
 xen/arch/x86/smpboot.c              | 17 ++++++++++++++---
 xen/arch/x86/x86_64/entry.S         |  2 ++
 5 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index 0fcdb7d..768d4f5 100644
--- docs/misc/xen-command-line.markdown.orig
+++ docs/misc/xen-command-line.markdown
@@@@ -1687,6 +1687,18 @@@@ In the case that x2apic is in use, this option switches between physical and
 clustered mode.  The default, given no hint from the **FADT**, is cluster
 mode.
 
+### xpti
+> `= <boolean>`
+
+> Default: `false` on AMD hardware
+> Default: `true` everywhere else
+
+Override default selection of whether to isolate 64-bit PV guest page
+tables.
+
+** WARNING: Not yet a complete isolation implementation, but better than
+nothing. **
+
 ### xsave
 > `= <boolean>`
 
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index bf3590d..8817263 100644
--- xen/arch/x86/domain.c.orig
+++ xen/arch/x86/domain.c
@@@@ -1947,12 +1947,15 @@@@ static void paravirt_ctxt_switch_from(struct vcpu *v)
 
 static void paravirt_ctxt_switch_to(struct vcpu *v)
 {
+    root_pgentry_t *root_pgt = this_cpu(root_pgt);
     unsigned long cr4;
 
     switch_kernel_stack(v);
 
-    this_cpu(root_pgt)[root_table_offset(PERDOMAIN_VIRT_START)] =
-        l4e_from_page(v->domain->arch.perdomain_l3_pg, __PAGE_HYPERVISOR_RW);
+    if ( root_pgt )
+        root_pgt[root_table_offset(PERDOMAIN_VIRT_START)] =
+            l4e_from_page(v->domain->arch.perdomain_l3_pg,
+                          __PAGE_HYPERVISOR_RW);
 
     cr4 = pv_guest_cr4_to_real_cr4(v);
     if ( unlikely(cr4 != read_cr4()) )
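Review bot: The new local `root_pgt` has the same name as the per-CPU variable it is read from, so `this_cpu(root_pgt)` and the plain pointer are easy to confuse when reading paravirt_ctxt_switch_to; `rpt`, the name setup_cpu_root_pgt uses in smpboot.c, would read better. The NULL check also deserves a one-line comment, for example `/* NULL when XPTI is disabled: no per-CPU root table to update. */`, because nothing in this function says why the pointer may be absent. The function body continues past the end of the hunk.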
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index 69e1ab6..303c551 100644
--- xen/arch/x86/mm.c.orig
+++ xen/arch/x86/mm.c
@@@@ -3999,7 +3999,7 @@@@ long do_mmu_update(
                     rc = mod_l4_entry(va, l4e_from_intpte(req.val), mfn,
                                       cmd == MMU_PT_UPDATE_PRESERVE_AD, v);
 		    if ( !rc )
-			sync_guest = true;
+                        sync_guest = this_cpu(root_pgt);
                 break;
                 case PGT_writable_page:
                     perfc_incr(writable_mmu_updates);
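Review bot: `sync_guest = this_cpu(root_pgt);` stores a pointer into a flag and relies on implicit conversion. The declaration of `sync_guest` is outside this hunk; if it is anything other than a real `_Bool`, the conversion truncates, and for a presumably page-aligned table pointer the low bits are zero, so the flag could end up false. An explicit test, `sync_guest = this_cpu(root_pgt) != NULL;`, removes the dependence on the type. The `if ( !rc )` line above is still tab-indented while the new line uses spaces, so the pair is inconsistently indented. do_mmu_update starts and ends outside the hunk.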
diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
index 327c744..c19508f 100644
--- xen/arch/x86/smpboot.c.orig
+++ xen/arch/x86/smpboot.c
@@@@ -320,7 +320,7 @@@@ void start_secondary(void *unused)
     spin_debug_disable();
 
     get_cpu_info()->xen_cr3 = 0;
-    get_cpu_info()->pv_cr3 = __pa(this_cpu(root_pgt));
+    get_cpu_info()->pv_cr3 = this_cpu(root_pgt) ? __pa(this_cpu(root_pgt)) : 0;
 
     load_system_tables();
 
@@@@ -729,14 +729,20 @@@@ static int clone_mapping(const void *ptr, root_pgentry_t *rpt)
     return 0;
 }
 
+static __read_mostly int8_t opt_xpti = -1;
+boolean_param("xpti", opt_xpti);
 DEFINE_PER_CPU(root_pgentry_t *, root_pgt);
 
 static int setup_cpu_root_pgt(unsigned int cpu)
 {
-    root_pgentry_t *rpt = alloc_xen_pagetable();
+    root_pgentry_t *rpt;
     unsigned int off;
     int rc;
 
+    if ( !opt_xpti )
+        return 0;
+
+    rpt = alloc_xen_pagetable();
     if ( !rpt )
         return -ENOMEM;
 
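Review bot: `opt_xpti` is a tri-state whose initial value of -1 is not explained, and `if ( !opt_xpti )` in setup_cpu_root_pgt treats an unresolved -1 as enabled. That is only correct because smp_prepare_cpus resolves the default before its first call to setup_cpu_root_pgt (the hunk at -977), so the ordering should be written down above the definition: `/* -1: not given on the command line, resolved by vendor in smp_prepare_cpus(); 0: off; 1: on. */`. The early `return 0` leaves `per_cpu(root_pgt, cpu)` untouched, presumably NULL, which the NULL checks elsewhere in this patch depend on. setup_cpu_root_pgt continues outside the hunk.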
@@@@ -977,10 +983,14 @@@@ void __init smp_prepare_cpus(unsigned int max_cpus)
 
     stack_base[0] = stack_start;
 
+    if ( opt_xpti < 0 )
+        opt_xpti = boot_cpu_data.x86_vendor != X86_VENDOR_AMD;
+
     rc = setup_cpu_root_pgt(0);
     if ( rc )
         panic("Error %d setting up PV root page table\n", rc);
-    get_cpu_info()->pv_cr3 = __pa(per_cpu(root_pgt, 0));
+    if ( per_cpu(root_pgt, 0) )
+        get_cpu_info()->pv_cr3 = __pa(per_cpu(root_pgt, 0));
 
     set_nr_sockets();
 
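Review bot: Nothing reports the effective XPTI setting once `opt_xpti` is resolved, so an operator cannot confirm from the boot log whether 64-bit PV guest page-table isolation is active. This matters because `xpti=false` on non-AMD hardware, or a wrong vendor detection, turns the Meltdown mitigation off silently. A line such as `printk(XENLOG_INFO "XPTI: %s\n", opt_xpti ? "enabled" : "disabled");` directly after the `if ( opt_xpti < 0 )` block would make the state auditable. smp_prepare_cpus starts and ends outside the hunk.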
@@@@ -1048,6 +1058,7 @@@@ void __init smp_prepare_boot_cpu(void)
     cpumask_set_cpu(smp_processor_id(), &cpu_present_map);
 
     get_cpu_info()->xen_cr3 = 0;
+    get_cpu_info()->pv_cr3 = 0;
 }
 
 static void
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index d1afb3c..505604f 100644
--- xen/arch/x86/x86_64/entry.S.orig
+++ xen/arch/x86/x86_64/entry.S
@@@@ -45,6 +45,7 @@@@ restore_all_guest:
         movabs $DIRECTMAP_VIRT_START, %rcx
         mov   %rdi, %rax
         and   %rsi, %rdi
+        jz    .Lrag_keep_cr3
         and   %r9, %rsi
         add   %rcx, %rdi
         add   %rcx, %rsi
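Review bot: The added `jz .Lrag_keep_cr3` depends on the flags left by `and %rsi, %rdi` and on a zero result meaning "XPTI disabled", and neither is stated at the branch. The register loads are above the hunk, so presumably %rdi holds `pv_cr3` here. A comment such as `/* pv_cr3 == 0: no per-CPU root table (xpti off), skip the copy and the CR3 write */` would keep a later edit from putting a flag-clobbering instruction between the `and` and the `jz`. The matching label is added in the next hunk, directly after `write_cr3`.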
@@@@ -61,6 +62,7 @@@@ restore_all_guest:
         rep movsq
         mov   %r9, STACK_CPUINFO_FIELD(xen_cr3)(%rdx)
         write_cr3 rax, rdi, rsi
+.Lrag_keep_cr3:
 
         RESTORE_ALL
         testw $TRAP_syscall,4(%rsp)
-- 
2.1.4

@


1.1
log
@Add patches from upstream, from xsa254/README.pti :
> This README gives references for one of three mitigation strategies
> for Meltdown.

> This series is a first-class mitigation pagetable isolation series for
> Xen.  It is available for Xen 4.6 to Xen 4.10 and later.

bump PKGREVISION
@
text
@d1 1
a1 1
$NetBSD: $
@

