x86/xen: remove hypercall page

The hypercall page is no longer needed. It can be removed, as from the
Xen perspective it is optional.

But, from Linux's perspective, it removes naked RET instructions that
escape the speculative protections that Call Depth Tracking and/or
Untrain Ret are trying to achieve.

This is part of XSA-466 / CVE-2024-53241.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
index 7d5f8ad66774102c8325db27345ecf601e781d02..97771b9d33af30fbaf22ac22fd6f4281b8031fa6 100644 (file)
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -88,8 +88,6 @@ struct xen_dm_op_buf;
  * there aren't more than 5 arguments...)
  */
 
-extern struct { char _entry[32]; } hypercall_page[];
-
 void xen_hypercall_func(void);
 DECLARE_STATIC_CALL(xen_hypercall, xen_hypercall_func);
 

diff --git a/arch/x86/kernel/callthunks.c b/arch/x86/kernel/callthunks.c
index 4656474567533bc9398e814ac8fd78df172cfdd1..f17d166078823ca8f1f19e6a792be2e766255e45 100644 (file)
--- a/arch/x86/kernel/callthunks.c
+++ b/arch/x86/kernel/callthunks.c
@@ -142,11 +142,6 @@ static bool skip_addr(void *dest)
        if (dest >= (void *)relocate_kernel &&
            dest < (void*)relocate_kernel + KEXEC_CONTROL_CODE_MAX_SIZE)
                return true;
-#endif
-#ifdef CONFIG_XEN
-       if (dest >= (void *)hypercall_page &&
-           dest < (void*)hypercall_page + PAGE_SIZE)
-               return true;
 #endif
        return false;
 }

diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index fab3ac9a4574ab406fee90e6c5d86fd4a81af319..6a17396c8174e9329b9af611d2d352a08a99c4dd 100644 (file)
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -519,14 +519,10 @@ INIT_PER_CPU(irq_stack_backing_store);
  * linker will never mark as relocatable. (Using just ABSOLUTE() is not
  * sufficient for that).
  */
-#ifdef CONFIG_XEN
 #ifdef CONFIG_XEN_PV
 xen_elfnote_entry_value =
        ABSOLUTE(xen_elfnote_entry) + ABSOLUTE(startup_xen);
 #endif
-xen_elfnote_hypercall_page_value =
-       ABSOLUTE(xen_elfnote_hypercall_page) + ABSOLUTE(hypercall_page);
-#endif
 #ifdef CONFIG_PVH
 xen_elfnote_phys32_entry_value =
        ABSOLUTE(xen_elfnote_phys32_entry) + ABSOLUTE(pvh_start_xen - LOAD_OFFSET);

diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
index 1887435af2fbf57b20fcf5e7c6a892db83744cd2..43dcd8c7badc0850a333715f2ac75eb3a0ba8150 100644 (file)
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -22,8 +22,6 @@
 
 #include "xen-ops.h"
 
-EXPORT_SYMBOL_GPL(hypercall_page);
-
 DEFINE_STATIC_CALL(xen_hypercall, xen_hypercall_hvm);
 EXPORT_STATIC_CALL_TRAMP(xen_hypercall);
 

diff --git a/arch/x86/xen/enlighten_hvm.c b/arch/x86/xen/enlighten_hvm.c
index 973a74fc966a4548a5f20688475d41bf8c2172dd..fe57ff85d004ba359677f66e0dc5c9337f5c015b 100644 (file)
--- a/arch/x86/xen/enlighten_hvm.c
+++ b/arch/x86/xen/enlighten_hvm.c
@@ -106,15 +106,8 @@ static void __init init_hvm_pv_info(void)
        /* PVH set up hypercall page in xen_prepare_pvh(). */
        if (xen_pvh_domain())
                pv_info.name = "Xen PVH";
-       else {
-               u64 pfn;
-               uint32_t msr;
-
+       else
                pv_info.name = "Xen HVM";
-               msr = cpuid_ebx(base + 2);
-               pfn = __pa(hypercall_page);
-               wrmsr_safe(msr, (u32)pfn, (u32)(pfn >> 32));
-       }
 
        xen_setup_features();
 

diff --git a/arch/x86/xen/enlighten_pvh.c b/arch/x86/xen/enlighten_pvh.c
index bf68c329fc013ee2c25cae9d7bb1d9cd6fa34f93..0e3d930bcb89e8836ae7ba435f958b45da64437c 100644 (file)
--- a/arch/x86/xen/enlighten_pvh.c
+++ b/arch/x86/xen/enlighten_pvh.c
@@ -129,17 +129,10 @@ static void __init pvh_arch_setup(void)
 
 void __init xen_pvh_init(struct boot_params *boot_params)
 {
-       u32 msr;
-       u64 pfn;
-
        xen_pvh = 1;
        xen_domain_type = XEN_HVM_DOMAIN;
        xen_start_flags = pvh_start_info.flags;
 
-       msr = cpuid_ebx(xen_cpuid_base() + 2);
-       pfn = __pa(hypercall_page);
-       wrmsr_safe(msr, (u32)pfn, (u32)(pfn >> 32));
-
        x86_init.oem.arch_setup = pvh_arch_setup;
        x86_init.oem.banner = xen_banner;
 

diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
index c173ba6740e936e74eb202c6be5ef182c4a63e75..9252652afe59640d5affab03d08414205d017d80 100644 (file)
--- a/arch/x86/xen/xen-head.S
+++ b/arch/x86/xen/xen-head.S
@@ -22,28 +22,6 @@
 #include <xen/interface/xen-mca.h>
 #include <asm/xen/interface.h>
 
-.pushsection .noinstr.text, "ax"
-       .balign PAGE_SIZE
-SYM_CODE_START(hypercall_page)
-       .rept (PAGE_SIZE / 32)
-               UNWIND_HINT_FUNC
-               ANNOTATE_NOENDBR
-               ANNOTATE_UNRET_SAFE
-               ret
-               /*
-                * Xen will write the hypercall page, and sort out ENDBR.
-                */
-               .skip 31, 0xcc
-       .endr
-
-#define HYPERCALL(n) \
-       .equ xen_hypercall_##n, hypercall_page + __HYPERVISOR_##n * 32; \
-       .type xen_hypercall_##n, @function; .size xen_hypercall_##n, 32
-#include <asm/xen-hypercalls.h>
-#undef HYPERCALL
-SYM_CODE_END(hypercall_page)
-.popsection
-
 #ifdef CONFIG_XEN_PV
        __INIT
 SYM_CODE_START(startup_xen)
@@ -199,8 +177,6 @@ SYM_FUNC_END(xen_hypercall_intel)
 #else
 # define FEATURES_DOM0 0
 #endif
-       ELFNOTE(Xen, XEN_ELFNOTE_HYPERCALL_PAGE, .globl xen_elfnote_hypercall_page;
-               xen_elfnote_hypercall_page: _ASM_PTR xen_elfnote_hypercall_page_value - .)
        ELFNOTE(Xen, XEN_ELFNOTE_SUPPORTED_FEATURES,
                .long FEATURES_PV | FEATURES_PVH | FEATURES_DOM0)
        ELFNOTE(Xen, XEN_ELFNOTE_LOADER,         .asciz "generic")