On Mon, Feb 12, 2018 at 02:45:27PM +0000, Tycho Nightingale wrote: > Author: tychon > Date: Mon Feb 12 14:45:27 2018 > New Revision: 329162 > URL: https://svnweb.freebsd.org/changeset/base/329162 > > Log: > Provide further mitigation against CVE-2017-5715 by flushing the > return stack buffer (RSB) upon returning from the guest. > > This was inspired by this linux commit: > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kvm?id=117cc7a908c83697b0b737d15ae1eb5943afe35b > > Reviewed by: grehan > Sponsored by: Dell EMC Isilon > Differential Revision: https://reviews.freebsd.org/D14272 > > Modified: > head/sys/amd64/vmm/amd/svm_support.S > head/sys/amd64/vmm/intel/vmcs.c > head/sys/amd64/vmm/intel/vmx.h > head/sys/amd64/vmm/intel/vmx_support.S > > Modified: head/sys/amd64/vmm/amd/svm_support.S > ============================================================================== > --- head/sys/amd64/vmm/amd/svm_support.S Mon Feb 12 14:44:21 2018 > (r329161) > +++ head/sys/amd64/vmm/amd/svm_support.S Mon Feb 12 14:45:27 2018 > (r329162) > @@ -113,6 +113,23 @@ ENTRY(svm_launch) > movq %rdi, SCTX_RDI(%rax) > movq %rsi, SCTX_RSI(%rax) > > + /* > + * To prevent malicious branch target predictions from > + * affecting the host, overwrite all entries in the RSB upon > + * exiting a guest. > + */ > + mov $16, %ecx /* 16 iterations, two calls per loop */ > + mov %rsp, %rax > +0: call 2f /* create an RSB entry. */ > +1: pause > + call 1b /* capture rogue speculation. */ > +2: call 2f /* create an RSB entry. */ > +1: pause > + call 1b /* capture rogue speculation. */ > +2: sub $1, %ecx > + jnz 0b > + mov %rax, %rsp > + > /* Restore host state */ > pop %r15 > pop %r14 >
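Review bot: the speculation trap at each `1:` label is `pause` followed by `call 1b` with no `lfence`, and this is the AMD (svm) exit path, where AMD's retpoline guidance relies on `lfence` as the dispatch-serialising barrier that stops the trapped speculation; consider `pause; lfence; jmp 1b` for both traps (a `jmp` is the usual form, since the trap is never executed architecturally and the `call` only grows the speculative stack), or add a comment recording why it is not needed here. Two smaller points for the block comment: the loop uses %rax and %ecx as scratch immediately after `movq %rsi, SCTX_RSI(%rax)`, so it depends on every guest register the context needs having already been stored at this point, which is worth stating; and the 32 `call`s leave 256 bytes of return addresses below the saved stack pointer that are never popped, which `mov %rax, %rsp` deliberately abandons, so say so to spare a later reader from reading it as a stack imbalance.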
For AMD systems, isn't use of lfence required for performance reasons[1]? Or am I conflating two things?

1: https://reviews.llvm.org/D41723

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
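The stuffing loop from the svm_launch hunk, lifted into a user-space harness so it can be stepped through and checked outside the hypervisor. This is an added example, not FreeBSD's code and not the commit under discussion: it keeps the same shape (16 iterations, two `call`s each, stack pointer saved in %rax and restored in one move) but puts an `lfence` in each speculation trap and ends the trap with `jmp` rather than `call`, which is the form the lfence question in this thread is about. Everything else is an assumption made for the harness: the names `rsb_fill`, `rsb_fill_calls`, `rsb_fill_traps` and `RSB_FILL_ITERS` are invented, the `sub $128, %rsp` exists only because user-space leaf functions keep data in the SysV red zone (the kernel does not need it), and the two counters are there to show that exactly 32 calls retire while the trap bodies never execute architecturally. It assumes x86-64 with GCC or Clang inline assembly and no user-mode CET shadow stack; elsewhere the counters report -1.

```c
/*
 * rsb_fill.c: user-space harness for an RSB stuffing loop in the shape of
 * the svm_launch hunk, with an lfence in each speculation trap.
 * Added example; not FreeBSD code.
 *
 * Assumptions: x86-64 with GCC/Clang inline asm; no user-mode CET shadow
 * stack (the 32 unmatched calls would make the next ret fault under SHSTK);
 * at least 384 bytes of stack headroom. Other targets report -1.
 */
#include <stdio.h>

#define RSB_FILL_ITERS 16          /* two calls per iteration: 32 RSB entries */

struct rsb_fill_result {
    int calls_retired;             /* calls architecturally executed */
    int traps_retired;             /* speculation traps architecturally executed */
};

static struct rsb_fill_result rsb_fill(void)
{
    struct rsb_fill_result r = { -1, -1 };
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    int calls = 0, traps = 0;

    __asm__ __volatile__(
        "mov   %%rsp, %%rax\n\t"     /* save the stack pointer, as the patch does */
        "sub   $128, %%rsp\n\t"      /* user space only: step below the SysV red zone */
        "mov   %[iters], %%ecx\n\t"
        "0:\n\t"
        "call  2f\n\t"               /* push an RSB entry (and a return address) */
        "1:\n\t"
        "pause\n\t"                  /* speculation trap: only reached by a bad RSB prediction */
        "lfence\n\t"                 /* dispatch-serialising barrier, the AMD requirement */
        "inc   %[traps]\n\t"         /* counts architectural visits: must stay 0 */
        "jmp   1b\n\t"
        "2:\n\t"
        "inc   %[calls]\n\t"
        "call  2f\n\t"               /* second RSB entry of this iteration */
        "1:\n\t"
        "pause\n\t"
        "lfence\n\t"
        "inc   %[traps]\n\t"
        "jmp   1b\n\t"
        "2:\n\t"
        "inc   %[calls]\n\t"
        "sub   $1, %%ecx\n\t"
        "jnz   0b\n\t"
        "mov   %%rax, %%rsp\n\t"     /* abandon the pushed return addresses in one move */
        : [calls] "+r"(calls), [traps] "+r"(traps)
        : [iters] "i"(RSB_FILL_ITERS)
        : "rax", "rcx", "memory", "cc");

    r.calls_retired = calls;
    r.traps_retired = traps;
#endif
    return r;
}

/* Accessors for checking: 2 * RSB_FILL_ITERS and 0 on x86-64, -1 elsewhere. */
int rsb_fill_calls(void) { return rsb_fill().calls_retired; }
int rsb_fill_traps(void) { return rsb_fill().traps_retired; }

int main(void)
{
    struct rsb_fill_result r = rsb_fill();

    if (r.calls_retired < 0) {
        puts("not x86-64: nothing to run");
        return 0;
    }
    printf("calls retired: %d (expect %d)\n", r.calls_retired, 2 * RSB_FILL_ITERS);
    printf("traps retired: %d (expect 0)\n", r.traps_retired);
    return (r.calls_retired == 2 * RSB_FILL_ITERS && r.traps_retired == 0) ? 0 : 1;
}
```

The two counters are the point of the harness: `calls` retiring exactly 32 times is the "16 iterations, two calls per loop" arithmetic from the hunk's comment made observable, and `traps` staying at zero shows that the `pause`/`lfence` bodies are reached only by speculation, so the `lfence` costs nothing on the architectural path and the only question left is whether the processor needs it to stop speculating, which is the AMD question raised above.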