diff options
Diffstat (limited to 'main/xen/xsa320-4.11-3.patch')
| -rw-r--r-- | main/xen/xsa320-4.11-3.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/main/xen/xsa320-4.11-3.patch b/main/xen/xsa320-4.11-3.patch new file mode 100644 index 00000000000..ff7990b2027 --- /dev/null +++ b/main/xen/xsa320-4.11-3.patch @@ -0,0 +1,57 @@ +From: Andrew Cooper <andrew.cooper3@citrix.com> +Subject: x86/spec-ctrl: Allow the RDRAND/RDSEED features to be hidden + +RDRAND/RDSEED can be hidden using cpuid= to mitigate SRBDS if microcode +isn't available. + +This is part of XSA-320 / CVE-2020-0543. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Acked-by: Julien Grall <jgrall@amazon.com> + +diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown +index 3356e59fee..ac397e7de0 100644 +--- a/docs/misc/xen-command-line.markdown ++++ b/docs/misc/xen-command-line.markdown +@@ -487,12 +487,18 @@ choice of `dom0-kernel` is deprecated and not supported by all Dom0 kernels. + This option allows for fine tuning of the facilities Xen will use, after + accounting for hardware capabilities as enumerated via CPUID. + ++Unless otherwise noted, options only have any effect in their negative form, ++to hide the named feature(s). Ignoring a feature using this mechanism will ++cause Xen not to use the feature, nor offer them as usable to guests. ++ + Currently accepted: + + The Speculation Control hardware features `srbds-ctrl`, `md-clear`, `ibrsb`, + `stibp`, `ibpb`, `l1d-flush` and `ssbd` are used by default if available and +-applicable. They can be ignored, e.g. `no-ibrsb`, at which point Xen won't +-use them itself, and won't offer them to guests. ++applicable. They can all be ignored. ++ ++`rdrand` and `rdseed` can be ignored, as a mitigation to XSA-320 / ++CVE-2020-0543. + + ### cpuid\_mask\_cpu (AMD only) + > `= fam_0f_rev_c | fam_0f_rev_d | fam_0f_rev_e | fam_0f_rev_f | fam_0f_rev_g | fam_10_rev_b | fam_10_rev_c | fam_11_rev_b` +diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c +index b8e5b6fe67..78d08dbb32 100644 +--- a/xen/arch/x86/cpuid.c ++++ b/xen/arch/x86/cpuid.c +@@ -63,6 +63,16 @@ static int __init parse_xen_cpuid(const char *s) + if ( !val ) + setup_clear_cpu_cap(X86_FEATURE_SRBDS_CTRL); + } ++ else if ( (val = parse_boolean("rdrand", s, ss)) >= 0 ) ++ { ++ if ( !val ) ++ setup_clear_cpu_cap(X86_FEATURE_RDRAND); ++ } ++ else if ( (val = parse_boolean("rdseed", s, ss)) >= 0 ) ++ { ++ if ( !val ) ++ setup_clear_cpu_cap(X86_FEATURE_RDSEED); ++ } + else + rc = -EINVAL; + |