x86: Multiple speculative security issues


#### ISSUE DESCRIPTION

1) Researchers have discovered that on some AMD CPUs, the implementation of IBPB (Indirect Branch Prediction Barrier) does not behave according to the specification. Specifically, IBPB fails to properly flush the RAS (Return Address Stack, also RSB - Return Stack Buffer - in Intel terminology; one of the hardware prediction structures), allowing attacker-controlled values to survive across a deliberate attempt to purge said values.

   AMD have allocated CVE-2022-23824.

   For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1040

2) AMD have discovered that under some circumstances, the previously reported information about Branch Type Confusion (XSA-407 / CVE-2022-23825) was inaccurate. Specifically, it was previously reported that the small speculation window was not long enough to contain two dependent loads. This has turned out not to be true, and in some circumstances the speculation window is long enough to contain two dependent loads.

   AMD have not allocated a new CVE for this issue.

   For more details, see: https://www.amd.com/system/files/documents/technical-guidance-for-mitigating-branch-type-confusion.pdf

#### IMPACT

An attacker might be able to infer the contents of memory belonging to other guests.

Due to the interaction of this issue with previous speculation fixes in their default configuration, an attacker cannot leverage this vulnerability to infer the content of memory that belongs to Xen itself.

#### VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.

Only AMD CPUs are potentially vulnerable. CPUs from other hardware vendors are not impacted.

Whether a CPU is potentially vulnerable depends on its microarchitecture. Consult your hardware vendor.
The fix for XSA-407 / CVE-2022-23825 elected, out of an abundance of caution, to use IBPB-on-entry as a Branch Type Confusion mitigation. It is believed that this mitigation is still sufficient in light of the new discoveries. Therefore, no changes are being provided at this time.

For CVE-2022-23824, patches are being provided on all releases, as the bug pertains to a specific speculation control not working as documented, but there are a number of circumstances where safety is provided as a side effect of other speculative mitigations.

* The issue is that IBPB doesn't flush the RAS (Return Address Stack), also called the RSB (Return Stack Buffer) in Intel terminology. Xen tends to follow Intel's terminology.
* By default, Xen uses IBPB on a context switch from one vCPU to another vCPU to prevent guest-to-guest attacks. This action is not about protecting Xen from a malicious guest; such protections are elsewhere.
* By default, Xen flushes the RAS/RSB on VMExit from HVM/PVH vCPUs, in order to protect itself from a malicious vCPU. Therefore, a malicious HVM/PVH guest cannot mount an attack using this vulnerability.
* Whether Xen flushes the RAS/RSB by default on exit from PV vCPUs (again, to protect itself) is more complicated. There is an optimisation commonly used by native OSes when the SMEP (Supervisor Mode Execution Prevention) feature is active, which Xen can make use of in some cases.
  - Xen 4.15 and older flush the RAS/RSB by default.
  - Xen 4.16 introduced an optimisation to skip flushing the RAS/RSB when safe. For CPUs impacted by CVE-2022-23824, this comes down to whether 32-bit PV guest support is enabled or not, *irrespective* of whether any 32-bit PV guests are actively running.
If Xen is built with CONFIG_PV32=n, or Xen is booted with `pv=no-32`, or 32-bit PV guests are disabled as a side effect of CET being active (which requires a capable toolchain, CONFIG_XEN_SHSTK=y or CONFIG_XEN_IBT=y, and capable hardware), then Xen will by default use the performance optimisation. In this case, a malicious 64-bit PV guest can mount an attack using this issue.

Note: This analysis is only applicable to systems which are fully up to date with previous speculation-related XSAs, and have not used `spec-ctrl=` on the Xen command line to tune the speculative mitigations.
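The exposure rules above, encoded as a small audit helper. This is an added illustration, not code from the advisory or from Xen; the `XenHost` record and its fields are a constructed model of the facts an administrator has to establish by hand (build config, command line, CET state, vendor guidance), and it describes a host that has not yet taken the CVE-2022-23824 patches.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class XenHost:
    """Facts about one Xen host that the advisory's analysis depends on (constructed model)."""
    version: tuple                 # Xen release, e.g. (4, 16)
    cpu_affected: bool             # AMD microarchitecture listed as affected by the vendor
    config_pv32: bool              # built with CONFIG_PV32=y
    pv_no_32: bool                 # booted with pv=no-32
    cet_active: bool               # CONFIG_XEN_SHSTK=y or CONFIG_XEN_IBT=y and CET active in hardware
    spec_ctrl_on_cmdline: bool     # any spec-ctrl= option used on the Xen command line
    prior_xsas_applied: bool       # fully up to date with earlier speculation-related XSAs


def pv32_support_enabled(host: XenHost) -> bool:
    """32-bit PV guest support is on unless any one of the three disablers applies;
    whether 32-bit guests are actually running does not matter."""
    return host.config_pv32 and not host.pv_no_32 and not host.cet_active


def skips_rsb_flush_on_pv_exit(host: XenHost) -> bool:
    """Xen 4.15 and older always flush the RAS/RSB on PV exit by default; 4.16+ take
    the SMEP-style optimisation and skip the flush when 32-bit PV support is disabled."""
    return host.version >= (4, 16) and not pv32_support_enabled(host)


def exposure(host: XenHost) -> Dict[str, Optional[bool]]:
    """Default-configuration exposure of a host without the CVE-2022-23824 patches.
    True = attack possible, False = blocked by existing mitigations,
    None = the advisory's analysis does not cover this configuration."""
    if host.spec_ctrl_on_cmdline or not host.prior_xsas_applied:
        return {"guest_to_guest": None, "pv_guest_to_xen": None}
    if not host.cpu_affected:
        return {"guest_to_guest": False, "pv_guest_to_xen": False}
    # IBPB on vCPU context switch is what separates guests from each other, and IBPB is
    # exactly the control that fails to flush the RAS; HVM/PVH exits always flush the RSB,
    # so only the PV exit path depends on the version and 32-bit PV settings.
    return {"guest_to_guest": True,
            "pv_guest_to_xen": skips_rsb_flush_on_pv_exit(host)}


if __name__ == "__main__":
    host = XenHost(version=(4, 16), cpu_affected=True, config_pv32=True, pv_no_32=True,
                   cet_active=False, spec_ctrl_on_cmdline=False, prior_xsas_applied=True)
    print(exposure(host))
```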