On Mon, Feb 12, 2018 at 02:45:27PM +0000, Tycho Nightingale wrote:
> Author: tychon
> Date: Mon Feb 12 14:45:27 2018
> New Revision: 329162
> URL: https://svnweb.freebsd.org/changeset/base/329162
> 
> Log:
>   Provide further mitigation against CVE-2017-5715 by flushing the
>   return stack buffer (RSB) upon returning from the guest.
>   
>   This was inspired by this linux commit:
>   
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kvm?id=117cc7a908c83697b0b737d15ae1eb5943afe35b
>   
>   Reviewed by:        grehan
>   Sponsored by:       Dell EMC Isilon
>   Differential Revision:      https://reviews.freebsd.org/D14272
> 
> Modified:
>   head/sys/amd64/vmm/amd/svm_support.S
>   head/sys/amd64/vmm/intel/vmcs.c
>   head/sys/amd64/vmm/intel/vmx.h
>   head/sys/amd64/vmm/intel/vmx_support.S
> 
> Modified: head/sys/amd64/vmm/amd/svm_support.S
> ==============================================================================
> --- head/sys/amd64/vmm/amd/svm_support.S      Mon Feb 12 14:44:21 2018        
> (r329161)
> +++ head/sys/amd64/vmm/amd/svm_support.S      Mon Feb 12 14:45:27 2018        
> (r329162)
> @@ -113,6 +113,23 @@ ENTRY(svm_launch)
>       movq %rdi, SCTX_RDI(%rax)
>       movq %rsi, SCTX_RSI(%rax)
>  
> +     /*
> +      * To prevent malicious branch target predictions from
> +      * affecting the host, overwrite all entries in the RSB upon
> +      * exiting a guest.
> +      */
> +     mov $16, %ecx   /* 16 iterations, two calls per loop */
> +     mov %rsp, %rax
> +0:   call 2f         /* create an RSB entry. */
> +1:   pause
> +     call 1b         /* capture rogue speculation. */
> +2:   call 2f         /* create an RSB entry. */
> +1:   pause
> +     call 1b         /* capture rogue speculation. */
> +2:   sub $1, %ecx
> +     jnz 0b
> +     mov %rax, %rsp
> +
>       /* Restore host state */
>       pop %r15
>       pop %r14
> 
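Review bot: the capture loop at the 1: labels in this hunk relies on pause alone to hold speculative execution that returns into it; nothing on the visible lines follows the pause with a speculation barrier, and since this file is the SVM (AMD) guest-exit path, consider pairing it with lfence, i.e. "1: pause", "lfence", "call 1b", so that the loop bounds how far a mispredicted return can run rather than only slowing it. Separately, the hunk clobbers two registers without saying why that is safe: mov %rsp, %rax overwrites %rax, which the lines just above still use as the SCTX pointer (movq %rdi, SCTX_RDI(%rax)), and mov $16, %ecx overwrites %ecx. Both are fine only because the guest-register saves are complete at this point and the host-state restore below is done with pops; a one-line comment stating that %rax and %ecx are free here would save the next reader that check.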

For AMD systems, isn't use of lfence required for performance
reasons [1]? Or am I conflating two things?

1: https://reviews.llvm.org/D41723

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
