Hello community, here is the log from the commit of package xen for openSUSE:Factory checked in at 2020-06-11 14:46:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xen (Old) and /work/SRC/openSUSE:Factory/.xen.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xen" Thu Jun 11 14:46:57 2020 rev:286 rq:813013 version:4.13.1_02 Changes: -------- --- /work/SRC/openSUSE:Factory/xen/xen.changes 2020-06-04 17:50:50.619962048 +0200 +++ /work/SRC/openSUSE:Factory/.xen.new.3606/xen.changes 2020-06-11 14:47:29.105868961 +0200 @@ -1,0 +2,13 @@ +Fri Jun 5 16:42:16 UTC 2020 - Callum Farmer <callumjfarme...@gmail.com> + +- Fixes for %_libexecdir changing to /usr/libexec + +------------------------------------------------------------------- +Thu May 28 08:35:20 MDT 2020 - carn...@suse.com + +- bsc#1172205 - VUL-0: CVE-2020-0543: xen: Special Register Buffer + Data Sampling (SRBDS) aka "CrossTalk" (XSA-320) + xsa320-1.patch + xsa320-2.patch + +------------------------------------------------------------------- New: ---- xsa320-1.patch xsa320-2.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xen.spec ++++++ --- /var/tmp/diff_new_pack.oYKmv6/_old 2020-06-11 14:47:32.241878097 +0200 +++ /var/tmp/diff_new_pack.oYKmv6/_new 2020-06-11 14:47:32.245878109 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # # needssslcertforbuild @@ -165,6 +165,8 @@ Patch1: 5eb51be6-cpupool-fix-removing-cpu-from-pool.patch Patch2: 5eb51caa-sched-vcpu-pause-flags-atomic.patch Patch3: 5ec2a760-x86-determine-MXCSR-mask-always.patch +Patch100: xsa320-1.patch +Patch101: xsa320-2.patch # Our platform specific patches Patch400: xen-destdir.patch Patch401: vif-bridge-no-iptables.patch @@ -299,7 +301,7 @@ %ifarch x86_64 %package tools-xendomains-wait-disk Summary: Adds a new xendomains-wait-disks.service -License: GPL-3.0+ +License: GPL-3.0-or-later Group: System/Kernel Requires: %{name}-tools = %{version}-%{release} Requires: coreutils 
@@ -393,6 +395,8 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch100 -p1 +%patch101 -p1 # Our platform specific patches %patch400 -p1 %patch401 -p1 @@ -794,12 +798,12 @@ # /usr/bin/qemu-system-i386 # Using qemu-system-x86_64 will result in an incompatible VM %ifarch x86_64 -cat > %{buildroot}/usr/lib/xen/bin/qemu-system-i386 << 'EOF' +cat > %{buildroot}%{_libexecdir}/xen/bin/qemu-system-i386 << 'EOF' #!/bin/sh exec %{_bindir}/qemu-system-i386 "$@" EOF -chmod 0755 %{buildroot}/usr/lib/xen/bin/qemu-system-i386 +chmod 0755 %{buildroot}%{_libexecdir}/xen/bin/qemu-system-i386 # unit='%{_libexecdir}/%{name}/bin/xendomains-wait-disks' mkdir -vp '%{buildroot}%{_libexecdir}/%{name}/bin' @@ -943,7 +947,7 @@ # 32 bit hypervisor no longer supported. Remove dom0 tools. rm -rf %{buildroot}/%{_datadir}/doc rm -rf %{buildroot}/%{_datadir}/man -rm -rf %{buildroot}/%{_libdir}/xen +rm -rf %{buildroot}/%{_libexecdir}/xen rm -rf %{buildroot}/%{_libdir}/python* rm -rf %{buildroot}/%{_libdir}/ocaml* rm -rf %{buildroot}/%{_unitdir} ++++++ xsa320-1.patch ++++++ x86/spec-ctrl: CPUID/MSR definitions for Special Register Buffer Data Sampling This is part of XSA-320 / CVE-2020-0543 Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com> Reviewed-by: Jan Beulich <jbeul...@suse.com> Acked-by: Wei Liu <w...@xen.org> --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc 
@@ -483,10 +483,10 @@ accounting for hardware capabilities as Currently accepted: -The Speculation Control hardware features `md-clear`, `ibrsb`, `stibp`, `ibpb`, -`l1d-flush` and `ssbd` are used by default if available and applicable. They can -be ignored, e.g. `no-ibrsb`, at which point Xen won't use them itself, and -won't offer them to guests. +The Speculation Control hardware features `srbds-ctrl`, `md-clear`, `ibrsb`, +`stibp`, `ibpb`, `l1d-flush` and `ssbd` are used by default if available and +applicable. They can be ignored, e.g. `no-ibrsb`, at which point Xen won't +use them itself, and won't offer them to guests. ### cpuid_mask_cpu > `= fam_0f_rev_[cdefg] | fam_10_rev_[bc] | fam_11_rev_b` --- a/tools/libxl/libxl_cpuid.c +++ b/tools/libxl/libxl_cpuid.c @@ -213,6 +213,7 @@ int libxl_cpuid_parse_config(libxl_cpuid {"avx512-4vnniw",0x00000007, 0, CPUID_REG_EDX, 2, 1}, {"avx512-4fmaps",0x00000007, 0, CPUID_REG_EDX, 3, 1}, + {"srbds-ctrl", 0x00000007, 0, CPUID_REG_EDX, 9, 1}, {"md-clear", 0x00000007, 0, CPUID_REG_EDX, 10, 1}, {"cet-ibt", 0x00000007, 0, CPUID_REG_EDX, 20, 1}, {"ibrsb", 0x00000007, 0, CPUID_REG_EDX, 26, 1}, --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -157,6 +157,7 @@ static const char *const str_7d0[32] = [ 2] = "avx512_4vnniw", [ 3] = "avx512_4fmaps", [ 4] = "fsrm", + /* 8 */ [ 9] = "srbds-ctrl", [10] = "md-clear", /* 12 */ [13] = "tsx-force-abort", --- a/xen/arch/x86/msr.c +++ b/xen/arch/x86/msr.c @@ -134,6 +134,7 @@ int guest_rdmsr(struct vcpu *v, uint32_t /* Write-only */ case MSR_TSX_FORCE_ABORT: case MSR_TSX_CTRL: + case MSR_MCU_OPT_CTRL: case MSR_U_CET: case MSR_S_CET: case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE: @@ -288,6 +289,7 @@ int guest_wrmsr(struct vcpu *v, uint32_t /* Read-only */ case MSR_TSX_FORCE_ABORT: case MSR_TSX_CTRL: + case MSR_MCU_OPT_CTRL: case MSR_U_CET: case MSR_S_CET: case MSR_PL0_SSP ... MSR_INTERRUPT_SSP_TABLE: --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c 
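Review bot: In both msr.c hunks MSR_MCU_OPT_CTRL is added under the `/* Write-only */` label in guest_rdmsr and the `/* Read-only */` label in guest_wrmsr, but the MSR is neither from the guest's point of view; it is simply not exposed at all (SRBDS_CTRL also carries no `A` annotation in the cpufeatureset.h hunk further down), so the existing labels document the wrong reason for the new entry. Presumably both groups fall through to the #GP path like their neighbours, which is the right outcome, but a one-line comment at each new case, e.g. `case MSR_MCU_OPT_CTRL: /* Not offered to guests. */`, or a separate "not offered to guests" group if the switch has one, would save the next reader the cross-reference. Both guest_rdmsr and guest_wrmsr continue outside the hunks.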
@@ -312,12 +312,13 @@ static void __init print_details(enum in printk("Speculative mitigation facilities:\n"); /* Hardware features which pertain to speculative mitigations. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBRS/IBPB" : "", (_7d0 & cpufeat_mask(X86_FEATURE_STIBP)) ? " STIBP" : "", (_7d0 & cpufeat_mask(X86_FEATURE_L1D_FLUSH)) ? " L1D_FLUSH" : "", (_7d0 & cpufeat_mask(X86_FEATURE_SSBD)) ? " SSBD" : "", (_7d0 & cpufeat_mask(X86_FEATURE_MD_CLEAR)) ? " MD_CLEAR" : "", + (_7d0 & cpufeat_mask(X86_FEATURE_SRBDS_CTRL)) ? " SRBDS_CTRL" : "", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) ? " IBPB" : "", (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", --- a/xen/include/asm-x86/msr-index.h +++ b/xen/include/asm-x86/msr-index.h @@ -179,6 +179,9 @@ #define MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define MSR_IA32_VMX_VMFUNC 0x491 +#define MSR_MCU_OPT_CTRL 0x00000123 +#define MCU_OPT_CTRL_RNGDS_MITG_DIS (_AC(1, ULL) << 0) + #define MSR_U_CET 0x000006a0 #define MSR_S_CET 0x000006a2 #define MSR_PL0_SSP 0x000006a4 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h 
@@ -252,6 +252,7 @@ XEN_CPUFEATURE(IBPB, 8*32+12) / /* Intel-defined CPU features, CPUID level 0x00000007:0.edx, word 9 */ XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions */ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single Precision */ +XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ ++++++ xsa320-2.patch ++++++ x86/spec-ctrl: Mitigate the Special Register Buffer Data Sampling sidechannel See patch documentation and comments. This is part of XSA-320 / CVE-2020-0543 Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com> Reviewed-by: Jan Beulich <jbeul...@suse.com> --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1991,7 +1991,7 @@ By default SSBD will be mitigated at run ### spec-ctrl (x86) > `= List of [ <bool>, xen=<bool>, {pv,hvm,msr-sc,rsb,md-clear}=<bool>, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,eager-fpu, -> l1d-flush,branch-harden}=<bool> ]` +> l1d-flush,branch-harden,srb-lock}=<bool> ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2068,6 +2068,12 @@ If Xen is compiled with `CONFIG_SPECULAT speculation barriers to protect selected conditional branches. By default, Xen will enable this mitigation. +On hardware supporting SRBDS_CTRL, the `srb-lock=` option can be used to force +or prevent Xen from protect the Special Register Buffer from leaking stale +data. By default, Xen will enable this mitigation, except on parts where MDS +is fixed and TAA is fixed/mitigated (in which case, there is believed to be no +way for an attacker to obtain the stale data). + ### sync_console > `= <boolean>` 
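Review bot: The new SRBDS_CTRL line in cpufeatureset.h omits the `A` marker that the neighbouring AVX512_4VNNIW, AVX512_4FMAPS and MD_CLEAR entries carry, and the trailing comment does not say why the feature is kept from guests by default. Since the msr.c hunks of the same patch hide MSR_MCU_OPT_CTRL from guests, record that next to the bit: `XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS.  Not exposed to guests. */`. The xen-command-line.pandoc hunk of this patch lists `srbds-ctrl` among the features that Xen "won't offer … to guests" once ignored, which reads as if it were offered otherwise; a short qualification there would keep the two in step.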
--- a/xen/arch/x86/acpi/power.c +++ b/xen/arch/x86/acpi/power.c @@ -295,6 +295,9 @@ static int enter_state(u32 state) ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr); spec_ctrl_exit_idle(ci); + if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ) + wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl); + done: spin_debug_enable(); local_irq_restore(flags); --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -361,12 +361,14 @@ void start_secondary(void *unused) microcode_update_one(false); /* - * If MSR_SPEC_CTRL is available, apply Xen's default setting and discard - * any firmware settings. Note: MSR_SPEC_CTRL may only become available - * after loading microcode. + * If any speculative control MSRs are available, apply Xen's default + * settings. Note: These MSRs may only become available after loading + * microcode. */ if ( boot_cpu_has(X86_FEATURE_IBRSB) ) wrmsrl(MSR_SPEC_CTRL, default_xen_spec_ctrl); + if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ) + wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl); tsx_init(); /* Needs microcode. May change HLE/RTM feature bits. */ --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -65,6 +65,9 @@ static unsigned int __initdata l1d_maxph static bool __initdata cpu_has_bug_msbds_only; /* => minimal HT impact. */ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. */ +static int8_t __initdata opt_srb_lock = -1; +uint64_t __read_mostly default_xen_mcu_opt_ctrl; + static int __init parse_spec_ctrl(const char *s) { const char *ss; @@ -112,6 +115,7 @@ static int __init parse_spec_ctrl(const opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_srb_lock = 0; } else if ( val > 0 ) rc = -EINVAL; @@ -178,6 +182,8 @@ static int __init parse_spec_ctrl(const opt_l1d_flush = val; else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 ) opt_branch_harden = val; + else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) + opt_srb_lock = val; else rc = -EINVAL; 
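Review bot: `static int8_t __initdata opt_srb_lock = -1;` in the spec_ctrl.c declaration hunk introduces a tri-state without saying what the three values mean, and `uint64_t __read_mostly default_xen_mcu_opt_ctrl;` gets no comment either although this patch writes it to the MSR from three places (init_speculation_mitigations, start_secondary in smpboot.c, enter_state in power.c). Suggested trailing comments: `static int8_t __initdata opt_srb_lock = -1; /* -1: auto, 0: off, 1: on */` and `uint64_t __read_mostly default_xen_mcu_opt_ctrl; /* MSR_MCU_OPT_CTRL value applied to every CPU at boot and on S3 resume. */`. The srb-lock handling in the two parse_spec_ctrl hunks follows the pattern of the neighbouring options, so no change is needed there.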
@@ -341,7 +347,7 @@ static void __init print_details(enum in "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : @@ -352,6 +358,8 @@ static void __init print_details(enum in (default_xen_spec_ctrl & SPEC_CTRL_SSBD) ? " SSBD+" : " SSBD-", !(caps & ARCH_CAPS_TSX_CTRL) ? "" : (opt_tsx & 1) ? " TSX+" : " TSX-", + !boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ? "" : + opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb ? " IBPB" : "", opt_l1d_flush ? " L1D_FLUSH" : "", opt_md_clear_pv || opt_md_clear_hvm ? " VERW" : "", @@ -1149,6 +1157,34 @@ void __init init_speculation_mitigations tsx_init(); } + /* Calculate suitable defaults for MSR_MCU_OPT_CTRL */ + if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ) + { + uint64_t val; + + rdmsrl(MSR_MCU_OPT_CTRL, val); + + /* + * On some SRBDS-affected hardware, it may be safe to relax srb-lock + * by default. + * + * On parts which enumerate MDS_NO and not TAA_NO, TSX is the only way + * to access the Fill Buffer. If TSX isn't available (inc. SKU + * reasons on some models), or TSX is explicitly disabled, then there + * is no need for the extra overhead to protect RDRAND/RDSEED. + */ + if ( opt_srb_lock == -1 && + (caps & (ARCH_CAPS_MDS_NO|ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO && + (!cpu_has_hle || ((caps & ARCH_CAPS_TSX_CTRL) && opt_tsx == 0)) ) + opt_srb_lock = 0; + + val &= ~MCU_OPT_CTRL_RNGDS_MITG_DIS; + if ( !opt_srb_lock ) + val |= MCU_OPT_CTRL_RNGDS_MITG_DIS; + + default_xen_mcu_opt_ctrl = val; + } + print_details(thunk, caps); /* 
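Review bot: In the MSR_MCU_OPT_CTRL defaults block of init_speculation_mitigations, opt_srb_lock is only resolved from -1 in the relaxation case, so in the default-on case it stays -1 and both `if ( !opt_srb_lock )` here and `opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-"` in the print_details hunk above rely on -1 being truthy. Adding `else if ( opt_srb_lock == -1 ) opt_srb_lock = 1;` after the relaxation `if` would make the decision explicit and leave the variable holding a value the command-line parser can also produce. Separately, `rdmsrl(MSR_MCU_OPT_CTRL, val);` runs on the BSP and only the RNGDS_MITG_DIS bit is rewritten, so whatever firmware left in the other bits of the BSP's MSR becomes part of default_xen_mcu_opt_ctrl and is written to every AP in start_secondary and again on resume in enter_state; a comment such as `/* Other bits are inherited from the BSP's firmware value and propagated to all CPUs. */` would record that this is intentional. init_speculation_mitigations continues outside the hunk.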
@@ -1180,6 +1216,9 @@ void __init init_speculation_mitigations wrmsrl(MSR_SPEC_CTRL, bsp_delay_spec_ctrl ? 0 : default_xen_spec_ctrl); } + + if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ) + wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl); } static void __init __maybe_unused build_assertions(void) --- a/xen/include/asm-x86/spec_ctrl.h +++ b/xen/include/asm-x86/spec_ctrl.h @@ -54,6 +54,8 @@ extern int8_t opt_pv_l1tf_hwdom, opt_pv_ */ extern paddr_t l1tf_addr_mask, l1tf_safe_maddr; +extern uint64_t default_xen_mcu_opt_ctrl; + static inline void init_shadow_spec_ctrl_state(void) { struct cpu_info *info = get_cpu_info();
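Review bot: The guarded write `if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) ) wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);` now appears verbatim in init_speculation_mitigations here, in start_secondary (smpboot.c) and in enter_state (power.c). A small helper next to the new extern in spec_ctrl.h would keep the three call sites from drifting if the default or the feature test ever changes, with each site reduced to `write_default_mcu_opt_ctrl();`. Whether boot_cpu_has and wrmsrl are already in scope in spec_ctrl.h cannot be confirmed from the hunk; if not, the helper belongs in spec_ctrl.c with a prototype in the header.
```c
extern uint64_t default_xen_mcu_opt_ctrl;

/* Apply Xen's MSR_MCU_OPT_CTRL default on this CPU, if the MSR exists. */
static inline void write_default_mcu_opt_ctrl(void)
{
    if ( boot_cpu_has(X86_FEATURE_SRBDS_CTRL) )
        wrmsrl(MSR_MCU_OPT_CTRL, default_xen_mcu_opt_ctrl);
}
/* … unchanged: init_shadow_spec_ctrl_state … */
```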