On 25/02/2019 14:34, Norbert Manthey wrote:
> To control the runtime behavior on L1TF vulnerable platforms better, the
> command line option l1tf-barrier is introduced. This option controls
> whether on vulnerable x86 platforms the lfence instruction is used to
> prevent speculative execution from bypassing the evaluation of
> conditionals that are protected with the evaluate_nospec macro.
>
> By now, Xen is capable of identifying L1TF vulnerable hardware. However,
> this information cannot be used for alternative patching, as a CPU feature
> is required. To control alternative patching with the command line option,
> a new x86 feature "X86_FEATURE_SC_L1TF_VULN" is introduced. This feature
> is used to patch the lfence instruction into the arch_barrier_nospec_true
> function. The feature is enabled only if L1TF vulnerable hardware is
> detected and the command line option does not prevent using this feature.
>
> The status of hyperthreading is considered when automatically enabling
> adding the lfence instruction. Since platforms without hyperthreading can
> still be vulnerable to L1TF in case the L1 cache is not flushed properly,
> the additional lfence instructions are patched in if either hyperthreading
> is enabled, or L1 cache flushing is missing.
>
> This is part of the speculative hardening effort.
>
> Signed-off-by: Norbert Manthey <nmant...@amazon.de>
> Reviewed-by: Jan Beulich <jbeul...@suse.com>
Release-acked-by: Juergen Gross <jgr...@suse.com>

Juergen

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
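The quoted commit message describes two things: the rule for deciding whether the lfence barrier gets patched in (vulnerable hardware, command line not forbidding it, and either hyperthreading on or L1D flushing unavailable) and the shape of the protected conditional (evaluate_nospec placing a barrier on the taken path). The C below is an added illustration written for this thread, not Xen's code: the feature bit that Xen toggles via alternative patching is modelled as a plain runtime flag, the function names setup_l1tf_barrier, speculation_barrier and lookup_nospec are assumed, the evaluate_nospec macro is a simplified stand-in, and the lookup table is constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Hypothetical stand-in for the X86_FEATURE_SC_L1TF_VULN feature bit.
 * Xen patches the lfence in or out with alternatives at boot; here a
 * plain runtime flag models the same on/off decision.
 */
static bool sc_l1tf_vuln_enabled;

/*
 * Decide whether the barrier should be enabled, following the rule in
 * the commit message: only on L1TF-vulnerable hardware, only when the
 * command line does not forbid it, and automatically when either
 * hyperthreading is on or L1D flushing is unavailable.  Returns the
 * resulting state so callers (and tests) can inspect it.
 */
static bool setup_l1tf_barrier(bool l1tf_vulnerable, bool cmdline_allows,
                               bool ht_enabled, bool l1d_flush_available)
{
    bool want = l1tf_vulnerable && cmdline_allows &&
                (ht_enabled || !l1d_flush_available);

    sc_l1tf_vuln_enabled = want;
    return want;
}

/* lfence serialises instruction issue on x86; elsewhere this is a no-op. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

/*
 * Models arch_barrier_nospec_true(): issue the barrier on the true path
 * only when the feature is enabled, then report the evaluated result.
 */
static inline bool arch_barrier_nospec_true(void)
{
    if (sc_l1tf_vuln_enabled)
        speculation_barrier();
    return true;
}

/*
 * Assumed shape of evaluate_nospec(): evaluate the condition, then stop
 * speculation past the taken branch before the protected code runs.
 */
#define evaluate_nospec(cond) \
    ((cond) ? arch_barrier_nospec_true() : false)

/* Constructed sample: a small table accessed through a guarded index. */
static const uint8_t sample_table[8] = { 10, 20, 30, 40, 50, 60, 70, 80 };

/* Bounds check protected with evaluate_nospec(); -1 if out of range. */
static int lookup_nospec(size_t idx)
{
    if (evaluate_nospec(idx < ARRAY_SIZE(sample_table)))
        return sample_table[idx];
    return -1;
}

int main(void)
{
    /* Vulnerable host with hyperthreading on: barrier gets enabled. */
    printf("barrier enabled: %d\n",
           setup_l1tf_barrier(true, true, true, true));
    printf("lookup(3) = %d, lookup(9) = %d\n",
           lookup_nospec(3), lookup_nospec(9));
    return 0;
}
```

The decision function is the part worth checking against the four inputs named in the commit message: a platform that is not vulnerable, or whose operator disabled the option, never gets the barrier; a vulnerable platform without hyperthreading still gets it when L1D flushing is missing.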