Diffstat (limited to 'system/xen/xsa/xsa320-4.13-2.patch')
-rw-r--r-- | system/xen/xsa/xsa320-4.13-2.patch | 179 |
1 files changed, 0 insertions, 179 deletions
diff --git a/system/xen/xsa/xsa320-4.13-2.patch b/system/xen/xsa/xsa320-4.13-2.patch
deleted file mode 100644
index 8a8080a312..0000000000
--- a/system/xen/xsa/xsa320-4.13-2.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Subject: x86/spec-ctrl: Mitigate the Special Register Buffer Data Sampling sidechannel
-
-See patch documentation and comments.
-
-This is part of XSA-320 / CVE-2020-0543
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index 9268454297..c780312531 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -1991,7 +1991,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`).
- ### spec-ctrl (x86)
- > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>,
- > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu,
--> l1d-flush,branch-harden}=<bool> ]`
-+> l1d-flush,branch-harden,srb-lock}=<bool> ]`
-
- Controls for speculative execution sidechannel mitigations. By default, Xen
- will pick the most appropriate mitigations based on compiled in support,
-@@ -2068,6 +2068,12 @@ If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_BRANCH`, the
- speculation barriers to protect selected conditional branches. By default,
- Xen will enable this mitigation.
-
-+On hardware supporting SRBDS_CTRL, the `srb-lock=` option can be used to force
-+or prevent Xen from protect the Special Register Buffer from leaking stale
-+data. By default, Xen will enable this mitigation, except on parts where MDS
-+is fixed and TAA is fixed/mitigated (in which case, there is believed to be no
-+way for an attacker to obtain the stale data).
-+
- ### sync_console
- > `= <boolean>`
-
-diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
-index feb0f6ce20..75c6e34164 100644
---- a/xen/arch/x86/acpi/power.c
-+++ b/xen/arch/x86/acpi/power.c
-@@ -295,6 +295,9 @@ static int enter_state(u32 state)
- ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr);
- spec_ctrl_exit_idle(ci);
-
-+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
-+ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
-+
- done:
- spin_debug_enable();
- local_irq_restore(flags);
-diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
-index dc8fdac1a1..b1e51b3aff 100644
---- a/xen/arch/x86/smpboot.c
-+++ b/xen/arch/x86/smpboot.c
-@@ -361,12 +361,14 @@ void start_secondary(void *unused)
- microcode_update_one(false);
-
- /*
-- * If MSR_SPEC_CTRL is available, apply Xen's default setting and discard
-- * any firmware settings. Note: MSR_SPEC_CTRL may only become available
-- * after loading microcode.
-+ * If any speculative control MSRs are available, apply Xen's default
-+ * settings. Note: These MSRs may only become available after loading
-+ * microcode.
- */
- if ( boot_cpu_has(X86_FEATURE_IBRSB) )
- wrmsrl(MSR_SPEC_CTRL, default_xen_spec_ctrl);
-+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
-+ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
-
- tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */
-
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index 5fc1c6827e..33343062a7 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -65,6 +65,9 @@ static unsigned int __initdata l1d_maxphysaddr;
- static bool __initdata cpu_has_bug_msbds_only; /* => minimal HT impact. */
- static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. */
-
-+static int8_t __initdata opt_srb_lock = -1;
-+uint64_t __read_mostly default_xen_mcu_opt_ctrl;
-+
- static int __init parse_spec_ctrl(const char *s)
- {
- const char *ss;
-@@ -112,6 +115,7 @@ static int __init parse_spec_ctrl(const char *s)
- opt_ssbd = false;
- opt_l1d_flush = 0;
- opt_branch_harden = false;
-+ opt_srb_lock = 0;
- }
- else if ( val > 0 )
- rc = -EINVAL;
-@@ -178,6 +182,8 @@ static int __init parse_spec_ctrl(const char *s)
- opt_l1d_flush = val;
- else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 )
- opt_branch_harden = val;
-+ else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 )
-+ opt_srb_lock = val;
- else
- rc = -EINVAL;
-
-@@ -341,7 +347,7 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
- "\n");
-
- /* Settings for Xen's protection, irrespective of guests. */
-- printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n",
-+ printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s%s\n",
- thunk == THUNK_NONE ? "N/A" :
- thunk == THUNK_RETPOLINE ? "RETPOLINE" :
- thunk == THUNK_LFENCE ? "LFENCE" :
-@@ -352,6 +358,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
- (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-",
- !(caps & ARCH_CAPS_TSX_CTRL) ? "" :
- (opt_tsx & 1) ? " TSX+" : " TSX-",
-+ !boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ? "" :
-+ opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-",
- opt_ibpb ? " IBPB" : "",
- opt_l1d_flush ? " L1D_FLUSH" : "",
- opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "",
-@@ -1149,6 +1157,34 @@ void __init init_speculation_mitigations(void)
- tsx_init();
- }
-
-+ /* Calculate suitable defaults for MSR_MCU_OPT_CTRL */
-+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
-+ {
-+ uint64_t val;
-+
-+ rdmsrl(MSR_MCU_OPT_CTRL, val);
-+
-+ /*
-+ * On some SRBDS-affected hardware, it may be safe to relax srb-lock
-+ * by default.
-+ *
-+ * On parts which enumerate MDS_NO and not TAA_NO, TSX is the only way
-+ * to access the Fill Buffer. If TSX isn't available (inc. SKU
-+ * reasons on some models), or TSX is explicitly disabled, then there
-+ * is no need for the extra overhead to protect RDRAND/RDSEED.
-+ */
-+ if ( opt_srb_lock == -1 &&
-+ (caps & (ARCH_CAPS_MDS_NO|ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO &&
-+ (!cpu_has_hle || ((caps & ARCH_CAPS_TSX_CTRL) && opt_tsx == 0)) )
-+ opt_srb_lock = 0;
-+
-+ val &= ~MCU_OPT_CTRL_RNGDS_MITG_DIS;
-+ if ( !opt_srb_lock )
-+ val |= MCU_OPT_CTRL_RNGDS_MITG_DIS;
-+
-+ default_xen_mcu_opt_ctrl = val;
-+ }
-+
- print_details(thunk, caps);
-
- /*
-@@ -1180,6 +1216,9 @@ void __init init_speculation_mitigations(void)
-
- wrmsrl(MSR_SPEC_CTRL, bsp_delay_spec_ctrl ? 0 : default_xen_spec_ctrl);
- }
-+
-+ if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
-+ wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
- }
-
- static void __init __maybe_unused build_assertions(void)
-diff --git a/xen/include/asm-x86/spec_ctrl.h b/xen/include/asm-x86/spec_ctrl.h
-index 9caecddfec..b252bb8631 100644
---- a/xen/include/asm-x86/spec_ctrl.h
-+++ b/xen/include/asm-x86/spec_ctrl.h
-@@ -54,6 +54,8 @@ extern int8_t opt_pv_l1tf_hwdom, opt_pv_l1tf_domu;
- */
- extern paddr_t l1tf_addr_mask, l1tf_safe_maddr;
-
-+extern uint64_t default_xen_mcu_opt_ctrl;
-+
- static inline void init_shadow_spec_ctrl_state(void)
- {
- struct cpu_info *info = get_cpu_info(); |