author | Henrik Riomar <henrik.riomar@gmail.com> | 2018-06-21 18:59:45 +0200 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-06-22 07:13:26 +0000 |
commit | 519be0a2d18ff557306f965c717c58763d8e711a (patch) | |
tree | 2bac063bd674742a578366d165bb0191462da1f9 /main/xen/0005-x86-spec_ctrl-Rename-bits-of-infrastructure-to-avoid.patch | |
parent | b9d169ab5e17a7a5adb1aa3469bec6b98e911f6b (diff) | |
main/xen: XSA-263 & 267
- CVE-2018-3639 XSA-263 (depends on 5 patches from stable-4.9)
- CVE-2018-3665 XSA-267 (depends on 3 patches from stable-4.9)
Diffstat (limited to 'main/xen/0005-x86-spec_ctrl-Rename-bits-of-infrastructure-to-avoid.patch')
-rw-r--r-- | main/xen/0005-x86-spec_ctrl-Rename-bits-of-infrastructure-to-avoid.patch | 273 |
1 files changed, 273 insertions, 0 deletions
diff --git a/main/xen/0005-x86-spec_ctrl-Rename-bits-of-infrastructure-to-avoid.patch b/main/xen/0005-x86-spec_ctrl-Rename-bits-of-infrastructure-to-avoid.patch
new file mode 100644
index 0000000000..d271bb29fd
--- /dev/null
+++ b/main/xen/0005-x86-spec_ctrl-Rename-bits-of-infrastructure-to-avoid.patch
@@ -0,0 +1,273 @@ +From e00632c06f088bfe4bd110686faa4a7e01a5667b Mon Sep 17 00:00:00 2001 +From: Andrew Cooper <andrew.cooper3@citrix.com> +Date: Mon, 30 Apr 2018 14:20:23 +0100 +Subject: [PATCH] x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE + and VMEXIT + +In hindsight, using NATIVE and VMEXIT as naming terminology was not clever. +A future change wants to split SPEC_CTRL_EXIT_TO_GUEST into PV and HVM +specific implementations, and using VMEXIT as a term is completely wrong. + +Take the opportunity to fix some stale documentation in spec_ctrl_asm.h. The +IST helpers were missing from the large comment block, and since +SPEC_CTRL_ENTRY_FROM_INTR_IST was introduced, we've gained a new piece of +functionality which currently depends on the fine grain control, which exists +in lieu of livepatching. Note this in the comment. + +No functional change. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Wei Liu <wei.liu2@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> +Release-acked-by: Juergen Gross <jgross@suse.com> +(cherry picked from commit d9822b8a38114e96e4516dc998f4055249364d5d) +--- + xen/arch/x86/hvm/svm/entry.S | 4 ++-- + xen/arch/x86/hvm/vmx/entry.S | 4 ++-- + xen/arch/x86/spec_ctrl.c | 20 ++++++++++---------- + xen/arch/x86/x86_64/compat/entry.S | 2 +- + xen/arch/x86/x86_64/entry.S | 2 +- + xen/include/asm-x86/cpufeatures.h | 4 ++-- + xen/include/asm-x86/spec_ctrl_asm.h | 36 +++++++++++++++++++++++++----------- + 7 files changed, 43 insertions(+), 29 deletions(-) + +diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S +index 7c91595..d0e9171 100644 +--- a/xen/arch/x86/hvm/svm/entry.S ++++ b/xen/arch/x86/hvm/svm/entry.S +@@ -80,7 +80,7 @@ UNLIKELY_END(svm_trace) + mov VCPU_arch_spec_ctrl(%rbx), %eax + + /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. 
*/ +- SPEC_CTRL_EXIT_TO_GUEST /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ ++ SPEC_CTRL_EXIT_TO_HVM /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ + + pop %r15 + pop %r14 +@@ -105,7 +105,7 @@ UNLIKELY_END(svm_trace) + + GET_CURRENT(bx) + +- SPEC_CTRL_ENTRY_FROM_VMEXIT /* Req: b=curr %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_HVM /* Req: b=curr %rsp=regs/cpuinfo, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov VCPU_svm_vmcb(%rbx),%rcx +diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S +index f823850..bdcd3ca 100644 +--- a/xen/arch/x86/hvm/vmx/entry.S ++++ b/xen/arch/x86/hvm/vmx/entry.S +@@ -36,7 +36,7 @@ ENTRY(vmx_asm_vmexit_handler) + movb $1,VCPU_vmx_launched(%rbx) + mov %rax,VCPU_hvm_guest_cr2(%rbx) + +- SPEC_CTRL_ENTRY_FROM_VMEXIT /* Req: b=curr %rsp=regs/cpuinfo, Clob: acd */ ++ SPEC_CTRL_ENTRY_FROM_HVM /* Req: b=curr %rsp=regs/cpuinfo, Clob: acd */ + /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */ + + mov %rsp,%rdi +@@ -71,7 +71,7 @@ UNLIKELY_END(realmode) + mov VCPU_arch_spec_ctrl(%rbx), %eax + + /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. 
*/ +- SPEC_CTRL_EXIT_TO_GUEST /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ ++ SPEC_CTRL_EXIT_TO_HVM /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ + + mov VCPU_hvm_guest_cr2(%rbx),%rax + +diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c +index b62cfcc..015a9e2 100644 +--- a/xen/arch/x86/spec_ctrl.c ++++ b/xen/arch/x86/spec_ctrl.c +@@ -35,8 +35,8 @@ static enum ind_thunk { + THUNK_JMP, + } opt_thunk __initdata = THUNK_DEFAULT; + static int8_t __initdata opt_ibrs = -1; +-static bool __initdata opt_rsb_native = true; +-static bool __initdata opt_rsb_vmexit = true; ++static bool __initdata opt_rsb_pv = true; ++static bool __initdata opt_rsb_hvm = true; + bool __read_mostly opt_ibpb = true; + uint8_t __read_mostly default_xen_spec_ctrl; + uint8_t __read_mostly default_spec_ctrl_flags; +@@ -69,9 +69,9 @@ static int __init parse_bti(const char *s) + else if ( (val = parse_boolean("ibpb", s, ss)) >= 0 ) + opt_ibpb = val; + else if ( (val = parse_boolean("rsb_native", s, ss)) >= 0 ) +- opt_rsb_native = val; ++ opt_rsb_pv = val; + else if ( (val = parse_boolean("rsb_vmexit", s, ss)) >= 0 ) +- opt_rsb_vmexit = val; ++ opt_rsb_hvm = val; + else + rc = -EINVAL; + +@@ -116,8 +116,8 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps) + default_xen_spec_ctrl & SPEC_CTRL_IBRS ? " IBRS+" : + " IBRS-" : "", + opt_ibpb ? " IBPB" : "", +- boot_cpu_has(X86_FEATURE_RSB_NATIVE) ? " RSB_NATIVE" : "", +- boot_cpu_has(X86_FEATURE_RSB_VMEXIT) ? " RSB_VMEXIT" : ""); ++ boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB_NATIVE" : "", ++ boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB_VMEXIT" : ""); + + printk("XPTI: %s\n", + boot_cpu_has(X86_FEATURE_NO_XPTI) ? "disabled" : "enabled"); +@@ -307,9 +307,9 @@ void __init init_speculation_mitigations(void) + * If a processors speculates to 32bit PV guest kernel mappings, it is + * speculating in 64bit supervisor mode, and can leak data. 
+ */ +- if ( opt_rsb_native ) ++ if ( opt_rsb_pv ) + { +- setup_force_cpu_cap(X86_FEATURE_RSB_NATIVE); ++ setup_force_cpu_cap(X86_FEATURE_SC_RSB_PV); + default_spec_ctrl_flags |= SCF_ist_rsb; + } + +@@ -317,8 +317,8 @@ void __init init_speculation_mitigations(void) + * HVM guests can always poison the RSB to point at Xen supervisor + * mappings. + */ +- if ( opt_rsb_vmexit ) +- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); ++ if ( opt_rsb_hvm ) ++ setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM); + + /* Check we have hardware IBPB support before using it... */ + if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) ) +diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S +index c538643..63cd51f 100644 +--- a/xen/arch/x86/x86_64/compat/entry.S ++++ b/xen/arch/x86/x86_64/compat/entry.S +@@ -163,7 +163,7 @@ ENTRY(compat_restore_all_guest) + mov VCPU_arch_spec_ctrl(%rbx), %eax + + /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ +- SPEC_CTRL_EXIT_TO_GUEST /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ ++ SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ + + RESTORE_ALL adj=8 compat=1 + .Lft0: iretq +diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S +index 7004f52..cdf5090 100644 +--- a/xen/arch/x86/x86_64/entry.S ++++ b/xen/arch/x86/x86_64/entry.S +@@ -193,7 +193,7 @@ restore_all_guest: + mov %r15d, %eax + + /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. 
*/ +- SPEC_CTRL_EXIT_TO_GUEST /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ ++ SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ + + RESTORE_ALL + testw $TRAP_syscall,4(%rsp) +diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h +index 6119bab..1353fe5 100644 +--- a/xen/include/asm-x86/cpufeatures.h ++++ b/xen/include/asm-x86/cpufeatures.h +@@ -29,6 +29,6 @@ XEN_CPUFEATURE(IND_THUNK_LFENCE,(FSCAPINTS+0)*32+15) /* Use IND_THUNK_LFENCE */ + XEN_CPUFEATURE(IND_THUNK_JMP, (FSCAPINTS+0)*32+16) /* Use IND_THUNK_JMP */ + XEN_CPUFEATURE(XEN_IBPB, (FSCAPINTS+0)*32+17) /* IBRSB || IBPB */ + XEN_CPUFEATURE(SC_MSR, (FSCAPINTS+0)*32+18) /* MSR_SPEC_CTRL used by Xen */ +-XEN_CPUFEATURE(RSB_NATIVE, (FSCAPINTS+0)*32+20) /* RSB overwrite needed for native */ +-XEN_CPUFEATURE(RSB_VMEXIT, (FSCAPINTS+0)*32+21) /* RSB overwrite needed for vmexit */ ++XEN_CPUFEATURE(SC_RSB_PV, (FSCAPINTS+0)*32+20) /* RSB overwrite needed for PV */ ++XEN_CPUFEATURE(SC_RSB_HVM, (FSCAPINTS+0)*32+21) /* RSB overwrite needed for HVM */ + XEN_CPUFEATURE(NO_XPTI, (FSCAPINTS+0)*32+22) /* XPTI mitigation not in use */ +diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h +index 941aeb7..b330e20 100644 +--- a/xen/include/asm-x86/spec_ctrl_asm.h ++++ b/xen/include/asm-x86/spec_ctrl_asm.h +@@ -72,11 +72,14 @@ + * + * The following ASM fragments implement this algorithm. See their local + * comments for further details. 
+- * - SPEC_CTRL_ENTRY_FROM_VMEXIT ++ * - SPEC_CTRL_ENTRY_FROM_HVM + * - SPEC_CTRL_ENTRY_FROM_PV + * - SPEC_CTRL_ENTRY_FROM_INTR ++ * - SPEC_CTRL_ENTRY_FROM_INTR_IST ++ * - SPEC_CTRL_EXIT_TO_XEN_IST + * - SPEC_CTRL_EXIT_TO_XEN +- * - SPEC_CTRL_EXIT_TO_GUEST ++ * - SPEC_CTRL_EXIT_TO_PV ++ * - SPEC_CTRL_EXIT_TO_HVM + */ + + .macro DO_OVERWRITE_RSB tmp=rax +@@ -117,7 +120,7 @@ + mov %\tmp, %rsp /* Restore old %rsp */ + .endm + +-.macro DO_SPEC_CTRL_ENTRY_FROM_VMEXIT ++.macro DO_SPEC_CTRL_ENTRY_FROM_HVM + /* + * Requires %rbx=current, %rsp=regs/cpuinfo + * Clobbers %rax, %rcx, %rdx +@@ -216,23 +219,23 @@ + .endm + + /* Use after a VMEXIT from an HVM guest. */ +-#define SPEC_CTRL_ENTRY_FROM_VMEXIT \ ++#define SPEC_CTRL_ENTRY_FROM_HVM \ + ALTERNATIVE __stringify(ASM_NOP40), \ +- DO_OVERWRITE_RSB, X86_FEATURE_RSB_VMEXIT; \ ++ DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_HVM; \ + ALTERNATIVE __stringify(ASM_NOP36), \ +- DO_SPEC_CTRL_ENTRY_FROM_VMEXIT, X86_FEATURE_SC_MSR ++ DO_SPEC_CTRL_ENTRY_FROM_HVM, X86_FEATURE_SC_MSR + + /* Use after an entry from PV context (syscall/sysenter/int80/int82/etc). */ + #define SPEC_CTRL_ENTRY_FROM_PV \ + ALTERNATIVE __stringify(ASM_NOP40), \ +- DO_OVERWRITE_RSB, X86_FEATURE_RSB_NATIVE; \ ++ DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV; \ + ALTERNATIVE __stringify(ASM_NOP25), \ + __stringify(DO_SPEC_CTRL_ENTRY maybexen=0), X86_FEATURE_SC_MSR + + /* Use in interrupt/exception context. May interrupt Xen or PV context. */ + #define SPEC_CTRL_ENTRY_FROM_INTR \ + ALTERNATIVE __stringify(ASM_NOP40), \ +- DO_OVERWRITE_RSB, X86_FEATURE_RSB_NATIVE; \ ++ DO_OVERWRITE_RSB, X86_FEATURE_SC_RSB_PV; \ + ALTERNATIVE __stringify(ASM_NOP33), \ + __stringify(DO_SPEC_CTRL_ENTRY maybexen=1), X86_FEATURE_SC_MSR + +@@ -241,12 +244,22 @@ + ALTERNATIVE __stringify(ASM_NOP17), \ + DO_SPEC_CTRL_EXIT_TO_XEN, X86_FEATURE_SC_MSR + +-/* Use when exiting to guest context. */ +-#define SPEC_CTRL_EXIT_TO_GUEST \ ++/* Use when exiting to PV guest context. 
*/ ++#define SPEC_CTRL_EXIT_TO_PV \ + ALTERNATIVE __stringify(ASM_NOP24), \ + DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR + +-/* TODO: Drop these when the alternatives infrastructure is NMI/#MC safe. */ ++/* Use when exiting to HVM guest context. */ ++#define SPEC_CTRL_EXIT_TO_HVM \ ++ ALTERNATIVE __stringify(ASM_NOP24), \ ++ DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR ++ ++/* ++ * Use in IST interrupt/exception context. May interrupt Xen or PV context. ++ * Fine grain control of SCF_ist_wrmsr is needed for safety in the S3 resume ++ * path to avoid using MSR_SPEC_CTRL before the microcode introducing it has ++ * been reloaded. ++ */ + .macro SPEC_CTRL_ENTRY_FROM_INTR_IST + /* + * Requires %rsp=regs, %r14=stack_end +@@ -293,6 +306,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): + UNLIKELY_END(\@_serialise) + .endm + ++/* Use when exiting to Xen in IST context. */ + .macro SPEC_CTRL_EXIT_TO_XEN_IST + /* + * Requires %rbx=stack_end +-- +2.1.4 + |
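Review bot: In the print_details() part of the spec_ctrl.c hunk the renamed X86_FEATURE_SC_RSB_PV / X86_FEATURE_SC_RSB_HVM flags still print the legacy `" RSB_NATIVE"` and `" RSB_VMEXIT"` strings, and parse_bti() still matches `rsb_native` / `rsb_vmexit`, yet nothing in the patch says this is deliberate. Presumably the user-visible spellings are kept stable so that boot-log consumers and existing `bti=` command lines keep working across this backport, but the mismatch with the new identifiers invites a later "cleanup" that would silently change the log output. A one-line comment above the two boot_cpu_has() lines, such as `/* Log and bti= option spellings stay RSB_NATIVE/RSB_VMEXIT for compatibility. */`, would pin the intent. Both print_details() and parse_bti() begin outside their respective hunks, so I cannot see whether such a note already exists nearby.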