From owner-svn-src-all@freebsd.org Mon Feb 12 18:31:12 2018
Subject: Re: svn commit: r329162 - in head/sys/amd64/vmm: amd intel
From: Tycho Nightingale
Date: Mon, 12 Feb 2018 13:31:02 -0500
To: Shawn Webb
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
In-Reply-To: <20180212153700.xbmbctnjtawum76h@mutt-hbsd>
References: <201802121445.w1CEjR3n082516@repo.freebsd.org> <20180212153700.xbmbctnjtawum76h@mutt-hbsd>

Hi,

> On Feb 12, 2018, at 10:37 AM, Shawn Webb wrote:
> 
> On Mon, Feb 12, 2018 at 02:45:27PM +0000, Tycho Nightingale wrote:
>> Author: tychon
>> Date: Mon Feb 12 14:45:27 2018
>> New Revision: 329162
>> URL: https://svnweb.freebsd.org/changeset/base/329162
>> 
>> Log:
>>   Provide further mitigation against CVE-2017-5715 by flushing the
>>   return stack buffer (RSB) upon returning from the guest.
>> 
>>   This was inspired by this linux commit:
>>   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kvm?id=117cc7a908c83697b0b737d15ae1eb5943afe35b
>> 
>>   Reviewed by:	grehan
>>   Sponsored by:	Dell EMC Isilon
>>   Differential Revision:	https://reviews.freebsd.org/D14272
>> 
>> Modified:
>>   head/sys/amd64/vmm/amd/svm_support.S
>>   head/sys/amd64/vmm/intel/vmcs.c
>>   head/sys/amd64/vmm/intel/vmx.h
>>   head/sys/amd64/vmm/intel/vmx_support.S
>> 
>> Modified: head/sys/amd64/vmm/amd/svm_support.S
>> ==============================================================================
>> --- head/sys/amd64/vmm/amd/svm_support.S	Mon Feb 12 14:44:21 2018	(r329161)
>> +++ head/sys/amd64/vmm/amd/svm_support.S	Mon Feb 12 14:45:27 2018	(r329162)
>> @@ -113,6 +113,23 @@ ENTRY(svm_launch)
>>  	movq %rdi, SCTX_RDI(%rax)
>>  	movq %rsi, SCTX_RSI(%rax)
>> 
>> +	/*
>> +	 * To prevent malicious branch target predictions from
>> +	 * affecting the host, overwrite all entries in the RSB upon
>> +	 * exiting a guest.
>> +	 */
>> +	mov $16, %ecx	/* 16 iterations, two calls per loop */
>> +	mov %rsp, %rax
>> +0:	call 2f		/* create an RSB entry. */
>> +1:	pause
>> +	call 1b		/* capture rogue speculation. */
>> +2:	call 2f		/* create an RSB entry. */
>> +1:	pause
>> +	call 1b		/* capture rogue speculation. */
>> +2:	sub $1, %ecx
>> +	jnz 0b
>> +	mov %rax, %rsp
>> +
>>  	/* Restore host state */
>>  	pop %r15
>>  	pop %r14
> 
> For amd systems, isn't use of lfence required for performance
> reasons[1]? Or am I conflating two things?
> 
> 1: https://reviews.llvm.org/D41723

For what AMD calls V2 (the window of speculative execution between indirect branch prediction and resolution of the correct target) there are a few mitigations cited in their white paper: https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf depending on the specific code you are trying to “fix”. In my interpretation, lfence is a component of several of the possible mitigations when one wants to “fix” a specific indirect branch, but it does not ensure that subsequent branches will not be speculated around. In this case we are trying to guard against the more generic case of “entering more privileged code”, i.e. returning from the guest to the hypervisor, aka host, and protect all subsequent indirect branches without needing to apply an lfence to them individually. To do that, I’ve implemented mitigation V2-3, where the return address predictor is filled with benign entries.

Does that help?

Tycho
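Review bot: The stuffing sequence clobbers %rax and %ecx immediately after %rax has served as the base register for the SCTX_RDI/SCTX_RSI stores, so the hunk should confirm that nothing between `mov %rsp, %rax` and the host-state pops still needs the saved-context pointer (after `mov %rax, %rsp` %rax holds the old stack pointer, not the pointer it held before the loop); a one-line comment stating that %rax is dead at this point would make that explicit. Since the file list shows the same loop being added to vmx_support.S, the iteration count (`mov $16, %ecx`, 32 calls total) and the loop body would be better kept in one shared macro or header constant, with a comment naming the RSB depth it is sized for, so a later change cannot drift between the AMD and Intel paths.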
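To make the arithmetic of the quoted loop concrete, here is a constructed Python model, added here and not FreeBSD or bhyve code, of the predictor as a fixed-depth LIFO: it assumes a 32-entry RSB (matching 16 iterations of two calls) and shows that the loop replaces every guest-written entry with a benign capture-loop target, while a shorter loop or a deeper buffer leaves guest-controlled entries behind.

```python
# Constructed model of the RSB-stuffing loop from r329162; not FreeBSD code.
# The predictor depth of 32 is an assumption chosen to match the loop
# (16 iterations x 2 calls); real depths are microarchitecture specific.
from collections import deque

RSB_DEPTH = 32
CAPTURE = "pause; call 1b"   # the benign target every stuffed entry predicts


class RSBModel:
    """Return stack buffer: a fixed-depth LIFO of predicted return targets.
    Pushing into a full buffer silently evicts the oldest entry."""

    def __init__(self, depth=RSB_DEPTH):
        self.entries = deque(maxlen=depth)

    def call(self, return_target):
        # a CALL records where the matching RET is predicted to go
        self.entries.append(return_target)

    def predict_ret(self):
        # a RET consumes the most recent entry; None models an underflow
        return self.entries.pop() if self.entries else None


def guest_polluted_rsb(depth=RSB_DEPTH):
    """Predictor state at VM exit: every slot was last written by guest
    CALLs (constructed sample values, not real addresses)."""
    rsb = RSBModel(depth)
    for i in range(depth):
        rsb.call(("guest", i))
    return rsb


def stuff_rsb(rsb, iterations=16):
    """The quoted loop: each iteration executes two CALLs whose return
    addresses are the capture loops, and no RET ever consumes them.  The
    architectural stack is reset afterwards (mov %rax, %rsp); the predictor
    entries stay behind."""
    for _ in range(iterations):
        rsb.call(CAPTURE)
        rsb.call(CAPTURE)
    return rsb


def guest_entries_left(rsb):
    """How many slots a mispredicted host RET could still be steered from."""
    return sum(1 for e in rsb.entries if e != CAPTURE)
```

Running `guest_entries_left(stuff_rsb(guest_polluted_rsb()))` gives 0 for the assumed depth, and halving the iteration count or modelling a deeper buffer leaves 16 guest-written slots, which is the sizing question the loop's constant encodes.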