acrn-hypervisor/hypervisor/include/arch/x86/security.h

/*
 * Copyright (C) 2018 Intel Corporation. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#ifndef SECURITY_H
#define SECURITY_H

/* type of speculation control
 * 0 - no speculation control support
 * 1 - raw IBRS + IBPB support
 * 2 - with STIBP optimization support
 */
#define IBRS_NONE	0
#define IBRS_RAW	1
#define IBRS_OPT	2

#ifndef ASSEMBLER
int32_t get_ibrs_type(void);
void cpu_l1d_flush(void);
bool check_cpu_security_cap(void);
void cpu_internal_buffers_clear(void);
bool is_ept_force_4k_ipage(void);

#ifdef STACK_PROTECTOR
struct stack_canary {
	/* Gcc generates extra code, using [fs:40] to access canary */
	uint8_t reserved[40];
	uint64_t canary;
};
void set_fs_base(void);
#endif

#endif /* ASSEMBLER */

#endif /* SECURITY_H */
move security related funcs into security.c there are still some security related funcs in cpu_caps.c & cpu.c, move them out into security.c. Changes to be committed: modified: Makefile modified: arch/x86/cpu.c modified: arch/x86/cpu_caps.c modified: arch/x86/guest/vcpu.c new file: arch/x86/security.c modified: arch/x86/trusty.c modified: arch/x86/vmx_asm.S modified: include/arch/x86/cpu.h modified: include/arch/x86/cpu_caps.h modified: include/arch/x86/per_cpu.h new file: include/arch/x86/security.h Tracked-On: #1842 Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com> 2018-12-18 09:28:27 +08:00			`/*`
			`* Copyright (C) 2018 Intel Corporation. All rights reserved.`
			`*`
			`* SPDX-License-Identifier: BSD-3-Clause`
			`*/`

			`#ifndef SECURITY_H`
			`#define SECURITY_H`

			`/* type of speculation control`
			`* 0 - no speculation control support`
hv: refine security capability detection function. ACRN hypervisor always print CPU microcode update warning message on KBL NUC platform, even after BIOS was updated to the latest. 'check_cpu_security_cap()' returns false if no ARCH_CAPABILITIES MSR support on current platform, but this MSR may not be available on some platforms. This patch is to remove this pre-condition. Tracked-On: #3317 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Reviewed-by: Jason CJ Chen <jason.cj.chen@intel.com> 2019-07-02 13:21:07 +08:00			`* 1 - raw IBRS + IBPB support`
move security related funcs into security.c there are still some security related funcs in cpu_caps.c & cpu.c, move them out into security.c. Changes to be committed: modified: Makefile modified: arch/x86/cpu.c modified: arch/x86/cpu_caps.c modified: arch/x86/guest/vcpu.c new file: arch/x86/security.c modified: arch/x86/trusty.c modified: arch/x86/vmx_asm.S modified: include/arch/x86/cpu.h modified: include/arch/x86/cpu_caps.h modified: include/arch/x86/per_cpu.h new file: include/arch/x86/security.h Tracked-On: #1842 Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com> 2018-12-18 09:28:27 +08:00			`* 2 - with STIBP optimization support`
			`*/`
			`#define IBRS_NONE 0`
			`#define IBRS_RAW 1`
			`#define IBRS_OPT 2`

			`#ifndef ASSEMBLER`
Make ibrs_type as internal variable add get_ibrs_type API to get ibrs type. this patch fix Misra C violation: filename:/hypervisor/arch/x86/security.c function:None offset:19: reason:Variable should be declared static. : ibrs_type Tracked-On: #861 Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com> 2018-12-18 14:18:38 +08:00			`int32_t get_ibrs_type(void);`
move security related funcs into security.c there are still some security related funcs in cpu_caps.c & cpu.c, move them out into security.c. Changes to be committed: modified: Makefile modified: arch/x86/cpu.c modified: arch/x86/cpu_caps.c modified: arch/x86/guest/vcpu.c new file: arch/x86/security.c modified: arch/x86/trusty.c modified: arch/x86/vmx_asm.S modified: include/arch/x86/cpu.h modified: include/arch/x86/cpu_caps.h modified: include/arch/x86/per_cpu.h new file: include/arch/x86/security.h Tracked-On: #1842 Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com> 2018-12-18 09:28:27 +08:00			`void cpu_l1d_flush(void);`
			`bool check_cpu_security_cap(void);`
hv: Mitigation for CPU MDS vulnerabilities. Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. 1. Mitigation on ACRN: 1) Microcode update is required. 2) Clear CPU internal buffers (store buffer, load buffer and load port) if current CPU is affected by MDS, when VM entry to avoid any information leakage to guest thru above buffers. 3) Mitigation is not needed if ARCH_CAP_MDS_NO bit (bit5) is set in IA32_ARCH_CAPABILITIES MSR (10AH), in this case, current processor is no affected by MDS vulnerability, in other cases mitigation for MDS is required. 2. Methods to clear CPU buffers (microcode update is required): 1) L1D cache flush 2) VERW instruction Either of above operations will trigger clearing all CPU internal buffers if this CPU is affected by MDS. Above mechnism is enumerated by: CPUID.(EAX=7H, ECX=0):EDX[MD_CLEAR=10]. 3. Mitigation details on ACRN: if (processor is affected by MDS) if (processor is not affected by L1TF OR L1D flush is not launched on VM Entry) execute VERW instruction when VM entry. endif endif 4. Referrence: Deep Dive: Intel Analysis of Microarchitectural Data Sampling https://software.intel.com/security-software-guidance/insights/ deep-dive-intel-analysis-microarchitectural-data-sampling Deep Dive: CPUID Enumeration and Architectural MSRs https://software.intel.com/security-software-guidance/insights/ deep-dive-cpuid-enumeration-and-architectural-msrs Tracked-On: #3317 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Reviewed-by: Anthony Xu <anthony.xu@intel.com> Reviewed-by: Jason CJ Chen <jason.cj.chen@intel.com> 2019-07-02 14:06:09 +08:00			`void cpu_internal_buffers_clear(void);`
hv: ept: apply MCE on page size change mitigation conditionally Only apply the software workaround on the models that might be affected by MCE on page size change. For these models that are known immune to the issue, the mitigation is turned off. Atom processors are not afftected by the issue. Also check the CPUID & MSR to check whether the model is immune to the issue: CPU is not vulnerable when both CPUID.(EAX=07H,ECX=0H).EDX[29] and IA32_ARCH_CAPABILITIES[IF_PSCHANGE_MC_NO] are 1. Other cases not listed above, CPU may be vulnerable. This patch also changes MACROs for MSR IA32_ARCH_CAPABILITIES bits to UL instead of U since the MSR is 64bit. Tracked-On: #4101 Signed-off-by: Binbin Wu <binbin.wu@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com> 2019-11-08 09:30:06 +08:00			`bool is_ept_force_4k_ipage(void);`
move security related funcs into security.c there are still some security related funcs in cpu_caps.c & cpu.c, move them out into security.c. Changes to be committed: modified: Makefile modified: arch/x86/cpu.c modified: arch/x86/cpu_caps.c modified: arch/x86/guest/vcpu.c new file: arch/x86/security.c modified: arch/x86/trusty.c modified: arch/x86/vmx_asm.S modified: include/arch/x86/cpu.h modified: include/arch/x86/cpu_caps.h modified: include/arch/x86/per_cpu.h new file: include/arch/x86/security.h Tracked-On: #1842 Signed-off-by: Jason Chen CJ <jason.cj.chen@intel.com> 2018-12-18 09:28:27 +08:00
			`#ifdef STACK_PROTECTOR`
			`struct stack_canary {`
			`/* Gcc generates extra code, using [fs:40] to access canary */`
			`uint8_t reserved[40];`
			`uint64_t canary;`
			`};`
			`void set_fs_base(void);`
			`#endif`

			`#endif /* ASSEMBLER */`

			`#endif /* SECURITY_H */`