Date: Mon, 12 Feb 2018 10:37:00 -0500
From: Shawn Webb
To: Tycho Nightingale
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r329162 - in head/sys/amd64/vmm: amd intel

On Mon, Feb 12, 2018 at 02:45:27PM +0000, Tycho Nightingale wrote:
> Author: tychon
> Date: Mon Feb 12 14:45:27 2018
> New Revision: 329162
> URL: https://svnweb.freebsd.org/changeset/base/329162
>
> Log:
> Provide further mitigation against CVE-2017-5715 by flushing the
> return stack buffer (RSB) upon returning from the guest.
>
> This was inspired by this linux commit:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kvm?id=117cc7a908c83697b0b737d15ae1eb5943afe35b
>
> Reviewed by: grehan
> Sponsored by: Dell EMC Isilon
> Differential Revision: https://reviews.freebsd.org/D14272
>
> Modified:
> head/sys/amd64/vmm/amd/svm_support.S
> head/sys/amd64/vmm/intel/vmcs.c
> head/sys/amd64/vmm/intel/vmx.h
> head/sys/amd64/vmm/intel/vmx_support.S
>
> Modified: head/sys/amd64/vmm/amd/svm_support.S
> ==============================================================================
> --- head/sys/amd64/vmm/amd/svm_support.S Mon Feb 12 14:44:21 2018 (r329161)
> +++ head/sys/amd64/vmm/amd/svm_support.S Mon Feb 12 14:45:27 2018 (r329162)
> @@ -113,6 +113,23 @@ ENTRY(svm_launch) > movq %rdi, SCTX_RDI(%rax) > movq %rsi, SCTX_RSI(%rax) > =20 > + /* > + * To prevent malicious branch target predictions from > + * affecting the host, overwrite all entries in the RSB upon > + * exiting a guest. > + */ > + mov $16, %ecx /* 16 iterations, two calls per loop */ > + mov %rsp, %rax > +0: call 2f /* create an RSB entry. */ > +1: pause > + call 1b /* capture rogue speculation. */ > +2: call 2f /* create an RSB entry. */ > +1: pause > + call 1b /* capture rogue speculation. */ > +2: sub $1, %ecx > + jnz 0b > + mov %rax, %rsp > + > /* Restore host state */ > pop %r15 > pop %r14

For amd systems, isn't use of lfence required for performance reasons[1]? Or
am I conflating two things?

1: https://reviews.llvm.org/D41723

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
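
Review bot: The RSB-fill loop in the svm_launch hunk clobbers %ecx and %rax (`mov $16, %ecx`, `mov %rsp, %rax`) right after saves that address the guest context through %rax (`movq %rsi, SCTX_RSI(%rax)`), and the new comment does not record that this is safe. It should state that guest %rcx has already been stored to the context and that the context pointer in %rax is dead from this point, so a later reordering of the register saves cannot silently corrupt guest state. The iteration count would also be clearer as a named constant with the intended depth spelled out (16 iterations of two calls each is 32 RSB entries). Since intel/vmx_support.S is also listed as modified, a shared macro would keep the two copies from drifting if the same sequence is repeated there.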