Diffstat (limited to '5efcb354-x86-protect-CALL-JMP-straight-line-speculation.patch')
| -rw-r--r-- | 5efcb354-x86-protect-CALL-JMP-straight-line-speculation.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/5efcb354-x86-protect-CALL-JMP-straight-line-speculation.patch b/5efcb354-x86-protect-CALL-JMP-straight-line-speculation.patch new file mode 100644 index 0000000..6951789 --- /dev/null +++ b/5efcb354-x86-protect-CALL-JMP-straight-line-speculation.patch @@ -0,0 +1,35 @@ +# Commit 3b7dab93f2401b08c673244c9ae0f92e08bd03ba +# Date 2020-07-01 17:01:24 +0100 +# Author Andrew Cooper <andrew.cooper3@citrix.com> +# Committer Andrew Cooper <andrew.cooper3@citrix.com> +x86/spec-ctrl: Protect against CALL/JMP straight-line speculation + +Some x86 CPUs speculatively execute beyond indirect CALL/JMP instructions. + +With CONFIG_INDIRECT_THUNK / Retpolines, indirect CALL/JMP instructions are +converted to direct CALL/JMP's to __x86_indirect_thunk_REG(), leaving just a +handful of indirect JMPs implementing those stubs. + +There is no architectrual execution beyond an indirect JMP, so use INT3 as +recommended by vendors to halt speculative execution. This is shorter than +LFENCE (which would also work fine), but also shows up in logs if we do +unexpected execute them. + +Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> +Reviewed-by: Jan Beulich <jbeulich@suse.com> + +--- a/xen/arch/x86/indirect-thunk.S ++++ b/xen/arch/x86/indirect-thunk.S +@@ -24,10 +24,12 @@ + .macro IND_THUNK_LFENCE reg:req + lfence + jmp *%\reg ++ int3 /* Halt straight-line speculation */ + .endm + + .macro IND_THUNK_JMP reg:req + jmp *%\reg ++ int3 /* Halt straight-line speculation */ + .endm + + /* |
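Review bot: the hash prefix in the new file's name, 5efcb354, does not match the commit recorded in the file's own header, `# Commit 3b7dab93f2401b08c673244c9ae0f92e08bd03ba`. If the name refers to the stable-branch backport while the header cites the master commit, record both (a second `# Commit` line or a note of the branch) so a reader can locate the upstream change from either; if one of them is simply a typo, fix it so the prefix and the header agree.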
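Review bot: in the indirect-thunk.S hunk only `IND_THUNK_LFENCE` and `IND_THUNK_JMP` gain the trailing `int3`, while the message says the retpoline conversion leaves "a handful of indirect JMPs implementing those stubs"; please confirm that the remaining stub variant(s) in this file, which fall outside the shown context at lines 24-35, do not end in an indirect `jmp` that needs the same guard, and if they are deliberately left alone because their final instruction is not an indirect JMP, a sentence in the message saying so would save the next reader the same check. The placement itself is consistent, with `int3 /* Halt straight-line speculation */` directly after `jmp *%\reg` in both macros. The two wording slips in the copied message, "architectrual" and "unexpected execute them", are upstream's and are best left verbatim in the backported file.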
