Add a new Kconfig option under the "Speculative hardening" section that allows selecting whether to enable retpoline. This depends on the underlying compiler having retpoline support.
Requested-by: Andrew Cooper <[email protected]> Signed-off-by: Roger Pau Monné <[email protected]> --- xen/arch/x86/Kconfig | 4 ---- xen/arch/x86/arch.mk | 2 ++ xen/common/Kconfig | 16 ++++++++++++++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig index fe00b4598b..7c73802adc 100644 --- a/xen/arch/x86/Kconfig +++ b/xen/arch/x86/Kconfig @@ -38,10 +38,6 @@ config GCC_INDIRECT_THUNK config CLANG_INDIRECT_THUNK def_bool $(cc-option,-mretpoline-external-thunk) -config INDIRECT_THUNK - depends on GCC_INDIRECT_THUNK || CLANG_INDIRECT_THUNK - def_bool y - config HAS_AS_CET_SS # binutils >= 2.29 or LLVM >= 6 def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy) diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk index f2aa2a515f..0597e714f9 100644 --- a/xen/arch/x86/arch.mk +++ b/xen/arch/x86/arch.mk @@ -42,6 +42,7 @@ CFLAGS += -mno-red-zone -fpic # SSE setup for variadic function calls. CFLAGS += -mno-sse $(call cc-option,$(CC),-mskip-rax-setup) +ifeq ($(CONFIG_INDIRECT_THUNK),y) # Compile with gcc thunk-extern, indirect-branch-register if available. CFLAGS-$(CONFIG_GCC_INDIRECT_THUNK) += -mindirect-branch=thunk-extern CFLAGS-$(CONFIG_GCC_INDIRECT_THUNK) += -mindirect-branch-register @@ -49,6 +50,7 @@ CFLAGS-$(CONFIG_GCC_INDIRECT_THUNK) += -fno-jump-tables # Enable clang retpoline support if available. CFLAGS-$(CONFIG_CLANG_INDIRECT_THUNK) += -mretpoline-external-thunk +endif # If supported by the compiler, reduce stack alignment to 8 bytes. But allow # this to be overridden elsewhere. diff --git a/xen/common/Kconfig b/xen/common/Kconfig index db687b1785..3b0ba16a6a 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -146,6 +146,22 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config INDIRECT_THUNK + bool "Speculative Branch Target Injection Protection" + depends on X86 && (GCC_INDIRECT_THUNK || CLANG_INDIRECT_THUNK) + default y + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via branch target injection. + + When enabled, indirect calls are implemented using a new construct + called "retpoline" that prevents speculation. + + If unsure, say Y. + endmenu config HYPFS -- 2.34.1
