RE: [PATCH for-4.14] x86/spec-ctrl: Protect against CALL/JMP straight-line speculation

2020-07-01 Thread Paul Durrant
> -Original Message-
> From: Jan Beulich 
> Sent: 01 July 2020 13:27
> To: Andrew Cooper 
> Cc: Xen-devel ; Wei Liu ; Roger Pau Monné ; Paul Durrant 
> Subject: Re: [PATCH for-4.14] x86/spec-ctrl: Protect against CALL/JMP 
> straight-line speculation
> 
> On 01.07.2020 13:58, Andrew Cooper wrote:
> > Some x86 CPUs speculatively execute beyond indirect CALL/JMP instructions.
> >
> > With CONFIG_INDIRECT_THUNK / Retpolines, indirect CALL/JMP instructions are
> > converted to direct CALL/JMPs to __x86_indirect_thunk_REG(), leaving just a
> > handful of indirect JMPs implementing those stubs.
> >
> > There is no architectural execution beyond an indirect JMP, so use INT3 as
> > recommended by vendors to halt speculative execution.  This is shorter than
> > LFENCE (which would also work fine), but also shows up in logs if we do
> > unexpectedly execute them.
> >
> > Signed-off-by: Andrew Cooper 
> 
> Reviewed-by: Jan Beulich 

Release-acked-by: Paul Durrant 
Re: [PATCH for-4.14] x86/spec-ctrl: Protect against CALL/JMP straight-line speculation

2020-07-01 Thread Jan Beulich
On 01.07.2020 13:58, Andrew Cooper wrote:
> Some x86 CPUs speculatively execute beyond indirect CALL/JMP instructions.
> 
> With CONFIG_INDIRECT_THUNK / Retpolines, indirect CALL/JMP instructions are
> converted to direct CALL/JMPs to __x86_indirect_thunk_REG(), leaving just a
> handful of indirect JMPs implementing those stubs.
> 
> There is no architectural execution beyond an indirect JMP, so use INT3 as
> recommended by vendors to halt speculative execution.  This is shorter than
> LFENCE (which would also work fine), but also shows up in logs if we do
> unexpectedly execute them.
> 
> Signed-off-by: Andrew Cooper 

Reviewed-by: Jan Beulich
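
The thunk shape the commit message describes, as an added example that is not Xen's code (Xen's own stubs differ in detail and are not reproduced here): an indirect-branch thunk of the "LFENCE; JMP *%reg" flavour with an INT3 placed directly after the indirect JMP, plus a caller whose former `jmp *%rax` has become a direct JMP to the stub. The names `example_thunk_rax`, `example_dispatch` and `square_plus_one` are assumptions for illustration. The INT3 is never reached architecturally, so the functional result is unchanged; the helper reads the stub's bytes back to confirm the 1-byte `0xcc` sits where a 3-byte LFENCE would otherwise go, which is the size saving the message mentions.

```c
/*
 * Added example (not Xen's code): an "LFENCE; JMP *%reg" indirect-branch
 * thunk with INT3 after the indirect JMP, and a dispatcher whose indirect
 * branch has been rewritten into a direct JMP to that thunk.
 * All names are hypothetical.  Needs GCC/Clang on x86-64 ELF; on other
 * targets it degrades to a plain indirect call so the file still runs.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t (*handler_t)(uint64_t);

#if defined(__x86_64__) && defined(__ELF__) && (defined(__GNUC__) || defined(__clang__))

__asm__(
    ".text\n"
    /* example_dispatch(fn, arg): what a thunked "jmp *%rax" looks like, i.e.
     * a *direct* JMP to the stub with the real target already in %rax. */
    ".globl example_dispatch\n"
    ".type  example_dispatch, @function\n"
    "example_dispatch:\n"
    "    mov  %rdi, %rax\n"          /* branch target -> %rax                       */
    "    mov  %rsi, %rdi\n"          /* first argument for the target (SysV ABI)    */
    "    jmp  example_thunk_rax\n"   /* direct JMP to the stub; target returns to   */
                                     /* our caller since we never pushed a frame    */
    ".size  example_dispatch, .-example_dispatch\n"

    /* The stub itself: the one indirect JMP left after thunking. */
    ".globl example_thunk_rax\n"
    ".type  example_thunk_rax, @function\n"
    "example_thunk_rax:\n"
    "    lfence\n"                   /* 0f ae e8: no speculation past here until %rax resolves */
    "    jmp  *%rax\n"               /* ff e0:    the indirect JMP                             */
    "    int3\n"                     /* cc:       never reached architecturally; halts          */
                                     /*           straight-line speculation and traps loudly   */
    ".size  example_thunk_rax, .-example_thunk_rax\n"
);

extern uint64_t example_dispatch(handler_t fn, uint64_t arg);
extern void     example_thunk_rax(void);

/* Read the stub's bytes back and confirm INT3 (0xcc) follows the indirect
 * JMP.  Returns 1 if so, 0 if not. */
int thunk_tail_is_int3(void)
{
    static const unsigned char expect[] = {
        0x0f, 0xae, 0xe8,   /* lfence    */
        0xff, 0xe0,         /* jmp *%rax */
        0xcc                /* int3      */
    };
    const unsigned char *p = (const unsigned char *)(uintptr_t)example_thunk_rax;
    return memcmp(p, expect, sizeof expect) == 0;
}

#else   /* not x86-64 ELF: ordinary indirect call, nothing to inspect */

uint64_t example_dispatch(handler_t fn, uint64_t arg) { return fn(arg); }
int thunk_tail_is_int3(void) { return -1; }   /* not applicable on this target */

#endif

/* Sample branch target (constructed for the example). */
static uint64_t square_plus_one(uint64_t x) { return x * x + 1; }

/* Route a call to square_plus_one through the thunk. */
uint64_t dispatch_square_plus_one(uint64_t x)
{
    return example_dispatch(square_plus_one, x);
}

int main(void)
{
    printf("dispatch(7) = %llu\n", (unsigned long long)dispatch_square_plus_one(7));
    printf("INT3 after indirect JMP: %d\n", thunk_tail_is_int3());
    return 0;
}
```

The dispatcher deliberately pushes no frame: it tail-jumps into the stub, the stub jumps to the target, and the target's RET lands back in the dispatcher's caller, which is exactly the control flow a thunked `jmp *%rax` has. The retpoline flavour of stub ends in a RET rather than an indirect JMP and is not shown here.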