Date:      Mon, 12 Feb 2018 10:37:00 -0500
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Tycho Nightingale <tychon@FreeBSD.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r329162 - in head/sys/amd64/vmm: amd intel
Message-ID:  <20180212153700.xbmbctnjtawum76h@mutt-hbsd>
In-Reply-To: <201802121445.w1CEjR3n082516@repo.freebsd.org>
References:  <201802121445.w1CEjR3n082516@repo.freebsd.org>



On Mon, Feb 12, 2018 at 02:45:27PM +0000, Tycho Nightingale wrote:
> Author: tychon
> Date: Mon Feb 12 14:45:27 2018
> New Revision: 329162
> URL: https://svnweb.freebsd.org/changeset/base/329162
>
> Log:
>   Provide further mitigation against CVE-2017-5715 by flushing the
>   return stack buffer (RSB) upon returning from the guest.
>
>   This was inspired by this linux commit:
>   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kvm?id=117cc7a908c83697b0b737d15ae1eb5943afe35b
>
>   Reviewed by:	grehan
>   Sponsored by:	Dell EMC Isilon
>   Differential Revision:	https://reviews.freebsd.org/D14272
>
> Modified:
>   head/sys/amd64/vmm/amd/svm_support.S
>   head/sys/amd64/vmm/intel/vmcs.c
>   head/sys/amd64/vmm/intel/vmx.h
>   head/sys/amd64/vmm/intel/vmx_support.S
>
> Modified: head/sys/amd64/vmm/amd/svm_support.S
> ==============================================================================
> --- head/sys/amd64/vmm/amd/svm_support.S	Mon Feb 12 14:44:21 2018	(r329161)
> +++ head/sys/amd64/vmm/amd/svm_support.S	Mon Feb 12 14:45:27 2018	(r329162)
> @@ -113,6 +113,23 @@ ENTRY(svm_launch)
>  	movq %rdi, SCTX_RDI(%rax)
>  	movq %rsi, SCTX_RSI(%rax)
>  
> +	/*
> +	 * To prevent malicious branch target predictions from
> +	 * affecting the host, overwrite all entries in the RSB upon
> +	 * exiting a guest.
> +	 */
> +	mov $16, %ecx	/* 16 iterations, two calls per loop */
> +	mov %rsp, %rax
> +0:	call 2f		/* create an RSB entry. */
> +1:	pause
> +	call 1b		/* capture rogue speculation. */
> +2:	call 2f		/* create an RSB entry. */
> +1:	pause
> +	call 1b		/* capture rogue speculation. */
> +2:	sub $1, %ecx
> +	jnz 0b
> +	mov %rax, %rsp
> +
>  	/* Restore host state */
>  	pop %r15
>  	pop %r14
>
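Review bot: the two speculation traps at the `1:` labels are `pause` followed by `call 1b` with no `lfence`; this is the SVM (AMD) exit path, and on AMD parts `pause` is not a speculation barrier, so a return mispredicted into the trap keeps speculatively executing the call loop until the prediction resolves. Consider making each trap `pause` / `lfence` / `jmp 1b` so that it actually halts speculation instead of spinning. A smaller point: `mov %rsp, %rax` reuses %rax, which the context lines immediately above still use as the guest register-context base (`SCTX_RDI(%rax)`, `SCTX_RSI(%rax)`); a one-line comment stating that the context pointer is dead once the last guest register has been saved would make the clobber obviously intentional.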

For AMD systems, isn't use of lfence required for performance
reasons[1]? Or am I conflating two things?

1: https://reviews.llvm.org/D41723

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

