Project

General

Profile

Feature #13435

bhyve should expose IBPB to guests

Added by Michael Zeller 15 days ago. Updated 9 days ago.

Status:
New
Priority:
Normal
Category:
bhyve
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Bite-size
Tags:
Gerrit CR:

Description

Bhyve should make guests aware of IBPB via CPUID. We should also allow a guest write only access to MSR_IA32_PRED_CMD.


Related issues

Related to illumos gate - Feature #13437: bhyve should expose IBRS to guestsNewMichael Zeller

Actions
#1

Updated by Electric Monk 13 days ago

  • Gerrit CR set to 1158
#2

Updated by Michael Zeller 9 days ago

Prior to the change, both intel and amd systems output that the guest is not using IBPB or does not support it:

[root@localhost ~]# ./spectre.sh

This script (v3.3) is primarily designed to detect Spectre / Meltdown
on supported Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Detected CPU vendor: AMD
CPU: AMD Ryzen Threadripper 1950X 16-Core Processor
CPU model: 1 (0x1)
Running kernel: 3.10.0-1160.11.1.el7.x86_64
Architecture: x86_64
Virtualization: bhyve

Variant #1 (Spectre): Mitigation: Load fences, usercopy/swapgs barriers and __user pointer sanitization
CVE-2017-5753 - speculative execution bounds-check bypass

Variant #2 (Spectre): Vulnerable: Retpoline without IBPB
CVE-2017-5715 - speculative execution branch target injection
* Microcode update not detected
* IBPB disabled or not supported
* Retpoline disabled

Variant #3 (Meltdown): AMD not affected
CVE-2017-5754 - speculative execution permission faults handling

After the change on an AMD system:

[root@localhost ~]# ./spectre.sh

This script (v3.3) is primarily designed to detect Spectre / Meltdown
on supported Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Detected CPU vendor: AMD
CPU: AMD Ryzen Threadripper 1950X 16-Core Processor
CPU model: 1 (0x1)
Running kernel: 3.10.0-1160.11.1.el7.x86_64
Architecture: x86_64
Virtualization: bhyve

Variant #1 (Spectre): Mitigation: Load fences, usercopy/swapgs barriers and __user pointer sanitization
CVE-2017-5753 - speculative execution bounds-check bypass

Variant #2 (Spectre): Mitigation: Full retpoline, IBPB
CVE-2017-5715 - speculative execution branch target injection

Variant #3 (Meltdown): AMD not affected
CVE-2017-5754 - speculative execution permission faults handling

After the change on an Intel system:

Detected CPU vendor: Intel
CPU: Intel(R) Xeon(R) CPU D-1541 @ 2.10GHz
CPU model: 86 (0x56)
Running kernel: 3.10.0-1160.11.1.el7.x86_64
Architecture: x86_64
Virtualization: bhyve

Variant #1 (Spectre): Mitigation: Load fences, usercopy/swapgs barriers and __user pointer sanitization
CVE-2017-5753 - speculative execution bounds-check bypass

Variant #2 (Spectre): Mitigation: Full retpoline, IBPB
CVE-2017-5715 - speculative execution branch target injection

Variant #3 (Meltdown): Mitigation: PTI
CVE-2017-5754 - speculative execution permission faults handling

Checking for ibpb on amd/intel systems in cpuinfo:

[root@localhost ~]# grep ibpb /proc/cpuinfo
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fx
sr sse sse2 ht syscall nx mmxext pdpe1gb lm art rep_good nopl extd_apicid eagerfpu pni pclmulqdq ssse3 f
ma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm cmp_legacy extapic cr8_l
egacy abm sse4a misalignsse 3dnowprefetch skinit wdt topoext bpext retpoline_amd ssbd ibpb vmmcall fsgsb
ase bmi1 avx2 bmi2 rdseed sha_ni xsaveopt clzero irperf xsaveerptr arat npt lbrv svm_lock nrip_save tsc_
scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif

[root@0ae9179f-fb09-eb5e-8ea9-f6365834aba6 ~]# grep ibpb /proc/cpuinfo
flags        : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht pbe syscall nx pdpe1gb lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq dtes64 ds_cpl ssse3 sdbg fma cx16 xtpr pcid dca sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ibrs ibpb fsgsbase bmi1 hle avx2 bmi2 erms rtm rdseed xsaveopt arat md_clear spec_ctrl
#3

Updated by Michael Zeller 9 days ago

The Intel system is looking for IBRS as well:

[2021-01-11T16:57:41.840497000Z]  INFO: zoneadmd/7598 on bob: (stream=stderr)
    rdmsr to register 0x48 on vcpu 0

[2021-01-11T16:57:42.156035000Z]  INFO: zoneadmd/7598 on bob: (stream=stderr)
    wrmsr to register 0x48(0x400040000000000) on vcpu 1

This will be addressed as a separate commit and is filed as #13437

#4

Updated by Michael Zeller 9 days ago

#5

Updated by Michael Zeller 9 days ago

It turns out that IBRS and IBPB on intel use the same CPUID value.

A processor supports IBPB if it enumerates CPUID.(EAX=7H,ECX=0):EDX[26] as 1

A processor supports IBRS if it enumerates CPUID.(EAX=7H,ECX=0):EDX[26] as 1.

In testing Windows was attempting to write to 0x48 (MSR_IA32_SPEC_CTRL) and then blue-screening. Booting the VM with "-w" made things work again, but it seems these two tickets need to go in together now.

Also available in: Atom PDF