If this VM assist is available (to PV guests only), use it to
- avoid issuing an IBPB ourselves upon entry from user mode (which the
  hypervisor would then have to emulate, as the MSR write traps),
- suppress the IBPB in the hypervisor if we don't mean to have one
  issued.

As there's no good place to have xen_vm_assist_ibpb() as an inline
function, make it an init-only out-of-line one.

While adjusting the Xen public header, drop the unused and no longer
applicable MAX_VMASST_TYPE (instead of modifying its value).

Signed-off-by: Jan Beulich <jbeul...@suse.com>

--- a/arch/x86/include/asm/xen/hypervisor.h
+++ b/arch/x86/include/asm/xen/hypervisor.h
@@ -43,6 +43,8 @@ static inline uint32_t xen_cpuid_base(vo
        return hypervisor_cpuid_base("XenVMMXenVMM", 2);
 }
 
+int xen_vm_assist_ibpb(bool enable);
+
 struct pci_dev;
 
 #ifdef CONFIG_XEN_PV_DOM0
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -18,6 +18,8 @@
 #include <linux/pgtable.h>
 #include <linux/bpf.h>
 
+#include <xen/xen.h>
+
 #include <asm/spec-ctrl.h>
 #include <asm/cmdline.h>
 #include <asm/bugs.h>
@@ -32,6 +34,7 @@
 #include <asm/intel-family.h>
 #include <asm/e820/api.h>
 #include <asm/hypervisor.h>
+#include <asm/xen/hypervisor.h>
 #include <asm/tlbflush.h>
 
 #include "cpu.h"
@@ -934,7 +937,8 @@ do_cmd_auto:
                break;
 
        case RETBLEED_MITIGATION_IBPB:
-               setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
+               if (!xen_pv_domain() || xen_vm_assist_ibpb(true))
+                       setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
                mitigate_smt = true;
                break;
 
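Review bot: In the `RETBLEED_MITIGATION_IBPB` case, a zero return from `xen_vm_assist_ibpb(true)` is taken as proof that Xen will issue the barrier, and `X86_FEATURE_ENTRY_IBPB` is then left clear with no in-guest fallback. The interface comment added in xen.h says Xen does this only "on affected and capable hardware", and nothing in this hunk shows that the hypercall fails whenever Xen would not issue the IBPB. If it can succeed in that situation, a PV guest would select the IBPB mitigation while no barrier is issued on entry from user mode, so this is worth confirming. The condition also reads backwards at first sight because non-zero means failure; a comment above the `if` such as `/* PV: Xen issues the IBPB for us; do it ourselves only if the assist could not be disengaged */` would help. The enclosing function starts and ends outside the hunk.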
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -294,6 +294,17 @@ int xen_panic_handler_init(void)
        return 0;
 }
 
+int __init xen_vm_assist_ibpb(bool enable)
+{
+       /*
+        * Note that the VM-assist is a disable, so a request to enable IBPB
+        * on our behalf needs to turn the functionality off (and vice versa).
+        */
+       return HYPERVISOR_vm_assist(enable ? VMASST_CMD_disable
+                                          : VMASST_CMD_enable,
+                                   VMASST_TYPE_mode_switch_no_ibpb);
+}
+
 void xen_pin_vcpu(int cpu)
 {
        static bool disable_pinning;
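Review bot: `xen_vm_assist_ibpb()` does not document its return contract, yet the caller in bugs.c depends on zero meaning success and non-zero meaning the assist could not be changed. A one-line comment above the definition would pin that down, e.g. `/* Returns 0 on success, otherwise the error from HYPERVISOR_vm_assist(). */`. Because the function is `__init`, it also cannot be called later to re-apply the setting. Whether the hypervisor preserves this VM-assist state across events such as save/restore is not visible here and should be confirmed, since a silent reset would change which side issues the barrier.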
--- a/arch/x86/xen/setup.c
+++ b/arch/x86/xen/setup.c
@@ -940,6 +940,13 @@ static void __init xen_pvmmu_arch_setup(
        HYPERVISOR_vm_assist(VMASST_CMD_enable,
                             VMASST_TYPE_pae_extended_cr3);
 
+       /*
+        * By default suppress the hypervisor issuing IBPB on our behalf.  In
+        * the RETBLEED_MITIGATION_IBPB case the VM assist will be disengaged
+        * again in retbleed_select_mitigation().
+        */
+       xen_vm_assist_ibpb(false);
+
        if (register_callback(CALLBACKTYPE_event,
                              xen_asm_exc_xen_hypervisor_callback) ||
            register_callback(CALLBACKTYPE_failsafe, xen_failsafe_callback))
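Review bot: The `xen_vm_assist_ibpb(false)` call in `xen_pvmmu_arch_setup()` is only safe if it runs before `retbleed_select_mitigation()`, as the added comment assumes, and nothing visible here enforces that order. If the two were ever reordered, this call would re-engage the suppression after the mitigation had been selected, leaving the `RETBLEED_MITIGATION_IBPB` case with neither Xen nor the kernel issuing the barrier. I would state the dependency explicitly in the comment, e.g. `* This must run before retbleed_select_mitigation(), which has to be the last writer of this assist.`. The return value is also discarded, so consider at least a debug message on non-zero. The function's body starts and ends outside the hunk.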
--- a/include/xen/interface/xen.h
+++ b/include/xen/interface/xen.h
@@ -413,7 +413,15 @@ DEFINE_GUEST_HANDLE_STRUCT(mmuext_op);
  */
 #define VMASST_TYPE_runstate_update_flag 5
 
-#define MAX_VMASST_TYPE 5
+/*
+ * x86-64 guests: Suppress IBPB on guest-user to guest-kernel mode switch.
+ *
+ * By default (on affected and capable hardware) as a safety measure Xen,
+ * to cover for the fact that guest-kernel and guest-user modes are both
+ * running in ring 3 (and hence share prediction context), would issue a
+ * barrier for user->kernel mode switches of PV guests.
+ */
+#define VMASST_TYPE_mode_switch_no_ibpb  33
 
 #ifndef __ASSEMBLY__
 

