37 lines
1.5 KiB
Diff
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/spec-ctrl: Update docs with SRBDS workaround

RDRAND/RDSEED can be hidden using cpuid= to mitigate SRBDS if microcode
isn't available.

This is part of XSA-320 / CVE-2020-0543.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Julien Grall <jgrall@amazon.com>

diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
|
|
index c780312531..81e12d053c 100644
|
|
--- a/docs/misc/xen-command-line.pandoc
|
|
+++ b/docs/misc/xen-command-line.pandoc
|
|
@@ -481,12 +481,18 @@ choice of `dom0-kernel` is deprecated and not supported by all Dom0 kernels.
|
|
This option allows for fine tuning of the facilities Xen will use, after
|
|
accounting for hardware capabilities as enumerated via CPUID.
|
|
|
|
+Unless otherwise noted, options only have any effect in their negative form,
|
|
+to hide the named feature(s). Ignoring a feature using this mechanism will
|
|
+cause Xen not to use the feature, nor offer them as usable to guests.
|
|
+
|
|
Currently accepted:
|
|
|
|
The Speculation Control hardware features `srbds-ctrl`, `md-clear`, `ibrsb`,
|
|
`stibp`, `ibpb`, `l1d-flush` and `ssbd` are used by default if available and
|
|
-applicable. They can be ignored, e.g. `no-ibrsb`, at which point Xen won't
|
|
-use them itself, and won't offer them to guests.
|
|
+applicable. They can all be ignored.
|
|
+
|
|
+`rdrand` and `rdseed` can be ignored, as a mitigation to XSA-320 /
|
|
+CVE-2020-0543.
|
|
|
|
### cpuid_mask_cpu
|
|
> `= fam_0f_rev_[cdefg] | fam_10_rev_[bc] | fam_11_rev_b`
|
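
Review bot: The reworded line "applicable. They can all be ignored." drops the only syntax example the section had (`no-ibrsb`), so the new introductory paragraph talks about the "negative form" without ever showing one; consider keeping it there, for instance "to hide the named feature(s), e.g. `no-ibrsb`". The added `rdrand` / `rdseed` sentence also leaves out the condition the commit message gives, that hiding them is a mitigation for when microcode isn't available, and stating that in the doc text would tell readers when the option is actually needed. Minor wording: "not to use the feature, nor offer them" mixes singular and plural.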