system/xen: XSA 317-328 update.

Signed-off-by: Mario Preksavec <mario@slackware.hr>

Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>

1 files changed, 179 insertions, 0 deletions

diff --git a/system/xen/xsa/xsa320-4.13-2.patch b/system/xen/xsa/xsa320-4.13-2.patch
new file mode 100644
index 0000000000000..8a8080a312c8b
--- /dev/null
+++ b/system/xen/xsa/xsa320-4.13-2.patch
@@ -0,0 +1,179 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/spec-ctrl: Mitigate the Special Register Buffer Data Sampling sidechannel
+
+See patch documentation and comments.
+
+This is part of XSA-320 / CVE-2020-0543
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index 9268454297..c780312531 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -1991,7 +1991,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
+ ### spec-ctrl (x86)
+ > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>,
+ >              bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu,
+->              l1d-flush,branch-harden}=<bool> ]`
++>              l1d-flush,branch-harden,srb-lock}=<bool> ]`
+ 
+ Controls for speculative execution sidechannel mitigations.  By default, Xen
+ will pick the most appropriate mitigations based on compiled in support,
+@@ -2068,6 +2068,12 @@ If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_BRANCH`, the
+ speculation barriers to protect selected conditional branches.  By default,
+ Xen will enable this mitigation.
+ 
++On hardware supporting SRBDS_CTRL, the `srb-lock=` option can be used to force
++or prevent Xen from protect the Special Register Buffer from leaking stale
++data. By default, Xen will enable this mitigation, except on parts where MDS
++is fixed and TAA is fixed/mitigated (in which case, there is believed to be no
++way for an attacker to obtain the stale data).
++
+ ### sync_console
+ > `= <boolean>`
+ 
+diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
+index feb0f6ce20..75c6e34164 100644
+--- a/xen/arch/x86/acpi/power.c
++++ b/xen/arch/x86/acpi/power.c
+@@ -295,6 +295,9 @@ static int enter_state(u32 state)
+     ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr);
+     spec_ctrl_exit_idle(ci);
+ 
++    if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
++        wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
++
+  done:
+     spin_debug_enable();
+     local_irq_restore(flags);
+diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
+index dc8fdac1a1..b1e51b3aff 100644
+--- a/xen/arch/x86/smpboot.c
++++ b/xen/arch/x86/smpboot.c
+@@ -361,12 +361,14 @@ void start_secondary(void *unused)
+     microcode_update_one(false);
+ 
+     /*
+-     * If MSR_SPEC_CTRL is available, apply Xen's default setting and discard
+-     * any firmware settings.  Note: MSR_SPEC_CTRL may only become available
+-     * after loading microcode.
++     * If any speculative control MSRs are available, apply Xen's default
++     * settings.  Note: These MSRs may only become available after loading
++     * microcode.
+      */
+     if ( boot_cpu_has(X86_FEATURE_IBRSB) )
+         wrmsrl(MSR_SPEC_CTRL, default_xen_spec_ctrl);
++    if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
++        wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
+ 
+     tsx_init(); /* Needs microcode.  May change HLE/RTM feature bits. */
+ 
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index 5fc1c6827e..33343062a7 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -65,6 +65,9 @@ static unsigned int __initdata l1d_maxphysaddr;
+ static bool __initdata cpu_has_bug_msbds_only; /* => minimal HT impact. */
+ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. */
+ 
++static int8_t __initdata opt_srb_lock = -1;
++uint64_t __read_mostly default_xen_mcu_opt_ctrl;
++
+ static int __init parse_spec_ctrl(const char *s)
+ {
+     const char *ss;
+@@ -112,6 +115,7 @@ static int __init parse_spec_ctrl(const char *s)
+             opt_ssbd = false;
+             opt_l1d_flush = 0;
+             opt_branch_harden = false;
++            opt_srb_lock = 0;
+         }
+         else if ( val > 0 )
+             rc = -EINVAL;
+@@ -178,6 +182,8 @@ static int __init parse_spec_ctrl(const char *s)
+             opt_l1d_flush = val;
+         else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 )
+             opt_branch_harden = val;
++        else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 )
++            opt_srb_lock = val;
+         else
+             rc = -EINVAL;
+ 
+@@ -341,7 +347,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+                "\n");
+ 
+     /* Settings for Xen's protection, irrespective of guests. */
+-    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n",
++    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s%s\n",
+            thunk == THUNK_NONE      ? "N/A" :
+            thunk == THUNK_RETPOLINE ? "RETPOLINE" :
+            thunk == THUNK_LFENCE    ? "LFENCE" :
+@@ -352,6 +358,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+            (default_xen_spec_ctrl & SPEC_CTRL_SSBD)  ? " SSBD+" : " SSBD-",
+            !(caps & ARCH_CAPS_TSX_CTRL)              ? "" :
+            (opt_tsx & 1)                             ? " TSX+" : " TSX-",
++           !boot_cpu_has(X86_FEATURE_SRBDS_CTRL)     ? "" :
++           opt_srb_lock                              ? " SRB_LOCK+" : " SRB_LOCK-",
+            opt_ibpb                                  ? " IBPB"  : "",
+            opt_l1d_flush                             ? " L1D_FLUSH" : "",
+            opt_md_clear_pv || opt_md_clear_hvm       ? " VERW"  : "",
+@@ -1149,6 +1157,34 @@ void __init init_speculation_mitigations(void)
+         tsx_init();
+     }
+ 
++    /* Calculate suitable defaults for MSR_MCU_OPT_CTRL */
++    if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
++    {
++        uint64_t val;
++
++        rdmsrl(MSR_MCU_OPT_CTRL, val);
++
++        /*
++         * On some SRBDS-affected hardware, it may be safe to relax srb-lock
++         * by default.
++         *
++         * On parts which enumerate MDS_NO and not TAA_NO, TSX is the only way
++         * to access the Fill Buffer.  If TSX isn't available (inc. SKU
++         * reasons on some models), or TSX is explicitly disabled, then there
++         * is no need for the extra overhead to protect RDRAND/RDSEED.
++         */
++        if ( opt_srb_lock == -1 &&
++             (caps & (ARCH_CAPS_MDS_NO|ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO &&
++             (!cpu_has_hle || ((caps & ARCH_CAPS_TSX_CTRL) && opt_tsx == 0)) )
++            opt_srb_lock = 0;
++
++        val &= ~MCU_OPT_CTRL_RNGDS_MITG_DIS;
++        if ( !opt_srb_lock )
++            val |= MCU_OPT_CTRL_RNGDS_MITG_DIS;
++
++        default_xen_mcu_opt_ctrl = val;
++    }
++
+     print_details(thunk, caps);
+ 
+     /*
+@@ -1180,6 +1216,9 @@ void __init init_speculation_mitigations(void)
+ 
+         wrmsrl(MSR_SPEC_CTRL, bsp_delay_spec_ctrl ? 0 : default_xen_spec_ctrl);
+     }
++
++    if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
++        wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
+ }
+ 
+ static void __init __maybe_unused build_assertions(void)
+diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
+index 9caecddfec..b252bb8631 100644
+--- a/xen/include/asm-x86/spec_ctrl.h
++++ b/xen/include/asm-x86/spec_ctrl.h
+@@ -54,6 +54,8 @@ extern int8_t opt_pv_l1tf_hwdom, opt_pv_l1tf_domu;
+  */
+ extern paddr_t l1tf_addr_mask, l1tf_safe_maddr;
+ 
++extern uint64_t default_xen_mcu_opt_ctrl;
++
+ static inline void init_shadow_spec_ctrl_state(void)
+ {
+     struct cpu_info *info = get_cpu_info();