{emulators,sysutils}/xen-{kernel,tools}: update to 4.17

While there also update SeaBIOS to 1.16.1.

Sponsored by: Citrix Systems R&D
Approved by: bapt (implicit)

emulators/xen-kernel/Makefile

 PORTNAME=	xen
-PORTVERSION=	4.16.0
+PORTVERSION=	4.17.0
 PORTREVISION=	0
 CATEGORIES=	emulators
 MASTER_SITES=	http://downloads.xenproject.org/release/xen/${PORTVERSION}/
@@ -26,17 +26,15 @@ PLIST_FILES=	/boot/xen \
 		lib/debug/boot/xen.debug \
 		lib/debug/boot/xen-debug.debug
 
-# XSA-395
-EXTRA_PATCHES+=	${PATCHDIR}/xsa395.patch:-p1
-
-# XSA-398
-EXTRA_PATCHES+=	${PATCHDIR}/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch:-p1 \
-		${PATCHDIR}/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch:-p1 \
-		${PATCHDIR}/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch:-p1
-
-# Add retpoline support for clang builds
-EXTRA_PATCHES+=	${PATCHDIR}/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch:-p1 \
-		${PATCHDIR}/0002-x86-clang-add-retpoline-support.patch:-p1
+# XSAs
+EXTRA_PATCHES+=	${PATCHDIR}/xsa425.patch:-p1 \
+		${PATCHDIR}/xsa426.patch:-p1 \
+		${PATCHDIR}/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch:-p1
+# Backports
+# clang build fixes
+EXTRA_PATCHES+=	${PATCHDIR}/0001-xen-x86-Remove-the-use-of-K-R-functions.patch:-p1
+# Support for fetching video mode from PVH dom0
+EXTRA_PATCHES+=	${PATCHDIR}/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch:-p1
 
 .include <bsd.port.options.mk>
 

emulators/xen-kernel/distinfo

-TIMESTAMP = 1648563575
-SHA256 (xen-4.16.0.tar.gz) = adc87a90e614d090a2014b9aebae8d815a7348bf329d169b3cb655256d0ee995
-SIZE (xen-4.16.0.tar.gz) = 44982322
+TIMESTAMP = 1678353105
+SHA256 (xen-4.17.0.tar.gz) = 119fc44fa3f9b581f1929c2ed8e0f97fac59a1828bc5ec5c244df096e7343ef9
+SIZE (xen-4.17.0.tar.gz) = 46484553

emulators/xen-kernel/files/0001-x86-platform-introduce-hypercall-to-get-initial-vide.patch

+From 4dd160583c798d3a5a451ea74633836891d15354 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>
+Date: Tue, 6 Dec 2022 13:53:43 +0100
+Subject: [PATCH] x86/platform: introduce hypercall to get initial video
+ console settings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is required so PVH dom0 can get the initial video console state
+as handled by Xen.  PV dom0 will get this as part of the start_info,
+but it doesn't seem necessary to place such information in the
+HVM start info.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/platform_hypercall.c | 11 +++++++++++
+ xen/drivers/video/vga.c           |  2 +-
+ xen/include/public/platform.h     |  6 ++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/x86/platform_hypercall.c b/xen/arch/x86/platform_hypercall.c
+index a7341dc3d7..3f0d0389af 100644
+--- a/xen/arch/x86/platform_hypercall.c
++++ b/xen/arch/x86/platform_hypercall.c
+@@ -839,6 +839,17 @@ ret_t do_platform_op(
+     }
+     break;
+ 
++    case XENPF_get_dom0_console:
++        if ( !fill_console_start_info(&op->u.dom0_console) )
++        {
++            ret = -ENODEV;
++            break;
++        }
++
++        if ( copy_field_to_guest(u_xenpf_op, op, u.dom0_console) )
++            ret = -EFAULT;
++        break;
++
+     default:
+         ret = -ENOSYS;
+         break;
+diff --git a/xen/drivers/video/vga.c b/xen/drivers/video/vga.c
+index 29a88e8241..0a03508bee 100644
+--- a/xen/drivers/video/vga.c
++++ b/xen/drivers/video/vga.c
+@@ -205,7 +205,7 @@ static void cf_check vga_text_puts(const char *s, size_t nr)
+     }
+ }
+ 
+-int __init fill_console_start_info(struct dom0_vga_console_info *ci)
++int fill_console_start_info(struct dom0_vga_console_info *ci)
+ {
+     memcpy(ci, &vga_console_info, sizeof(*ci));
+     return 1;
+diff --git a/xen/include/public/platform.h b/xen/include/public/platform.h
+index 5e1494fe9a..14784dfa77 100644
+--- a/xen/include/public/platform.h
++++ b/xen/include/public/platform.h
+@@ -605,6 +605,11 @@ struct xenpf_symdata {
+ typedef struct xenpf_symdata xenpf_symdata_t;
+ DEFINE_XEN_GUEST_HANDLE(xenpf_symdata_t);
+ 
++/* Fetch the video console information and mode setup by Xen. */
++#define XENPF_get_dom0_console 64
++typedef struct dom0_vga_console_info xenpf_dom0_console_t;
++DEFINE_XEN_GUEST_HANDLE(xenpf_dom0_console_t);
++
+ /*
+  * ` enum neg_errnoval
+  * ` HYPERVISOR_platform_op(const struct xen_platform_op*);
+@@ -635,6 +640,7 @@ struct xen_platform_op {
+         xenpf_core_parking_t          core_parking;
+         xenpf_resource_op_t           resource_op;
+         xenpf_symdata_t               symdata;
++        xenpf_dom0_console_t          dom0_console;
+         uint8_t                       pad[128];
+     } u;
+ };
+-- 
+2.39.0
+

emulators/xen-kernel/files/0001-x86-retpoline-split-retpoline-compiler-support-into-.patch

-From e245bc154300b5d0367b64e8b937c9d1da508ad3 Mon Sep 17 00:00:00 2001
-From: Roger Pau Monne <roger.pau@citrix.com>
-Date: Fri, 18 Feb 2022 15:34:14 +0100
-Subject: [PATCH 1/2] x86/retpoline: split retpoline compiler support into
- separate option
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Keep the previous option as a way to signal generic retpoline support
-regardless of the underlying compiler, while introducing a new
-CC_HAS_INDIRECT_THUNK that signals whether the underlying compiler
-supports retpoline.
-
-No functional change intended.
-
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- xen/arch/x86/Kconfig |  6 +++++-
- xen/arch/x86/arch.mk | 10 ++++++----
- 2 files changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
-index b4abfca46f..fe89fa7274 100644
---- a/xen/arch/x86/Kconfig
-+++ b/xen/arch/x86/Kconfig
-@@ -32,9 +32,13 @@ config ARCH_DEFCONFIG
- 	string
- 	default "arch/x86/configs/x86_64_defconfig"
- 
--config INDIRECT_THUNK
-+config CC_HAS_INDIRECT_THUNK
- 	def_bool $(cc-option,-mindirect-branch-register)
- 
-+config INDIRECT_THUNK
-+	def_bool y
-+	depends on CC_HAS_INDIRECT_THUNK
-+
- config HAS_AS_CET_SS
- 	# binutils >= 2.29 or LLVM >= 6
- 	def_bool $(as-instr,wrssq %rax$(comma)0;setssbsy)
-diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
-index bfd5eaa35f..15d0cbe487 100644
---- a/xen/arch/x86/arch.mk
-+++ b/xen/arch/x86/arch.mk
-@@ -42,10 +42,12 @@ CFLAGS += -mno-red-zone -fpic
- # SSE setup for variadic function calls.
- CFLAGS += -mno-sse $(call cc-option,$(CC),-mskip-rax-setup)
- 
--# Compile with thunk-extern, indirect-branch-register if avaiable.
--CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern
--CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register
--CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables
-+ifeq ($(CONFIG_INDIRECT_THUNK),y)
-+# Compile with gcc thunk-extern, indirect-branch-register if available.
-+CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch=thunk-extern
-+CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch-register
-+CFLAGS-$(CONFIG_CC_IS_GCC) += -fno-jump-tables
-+endif
- 
- # If supported by the compiler, reduce stack alignment to 8 bytes. But allow
- # this to be overridden elsewhere.
--- 
-2.35.1
-

emulators/xen-kernel/files/0001-x86-spec-ctrl-Drop-use_spec_ctrl-boolean.patch

-From 7f34b6a895d10744bab32fc843246c45da444d8b Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 25 Jan 2022 16:09:59 +0000
-Subject: [PATCH 1/2] x86/spec-ctrl: Drop use_spec_ctrl boolean
-
-Several bugfixes have reduced the utility of this variable from it's original
-purpose, and now all it does is aid in the setup of SCF_ist_wrmsr.
-
-Simplify the logic by drop the variable, and doubling up the setting of
-SCF_ist_wrmsr for the PV and HVM blocks, which will make the AMD SPEC_CTRL
-support easier to follow.  Leave a comment explaining why SCF_ist_wrmsr is
-still necessary for the VMExit case.
-
-No functional change.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-(cherry picked from commit ec083bf552c35e10347449e21809f4780f8155d2)
----
- xen/arch/x86/spec_ctrl.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index c18cc8aa49..8a550d0a09 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -927,7 +927,7 @@ static __init void mds_calculations(uint64_t caps)
- void __init init_speculation_mitigations(void)
- {
-     enum ind_thunk thunk = THUNK_DEFAULT;
--    bool use_spec_ctrl = false, ibrs = false, hw_smt_enabled;
-+    bool ibrs = false, hw_smt_enabled;
-     bool cpu_has_bug_taa;
-     uint64_t caps = 0;
- 
-@@ -1016,19 +1016,21 @@ void __init init_speculation_mitigations(void)
-     {
-         if ( opt_msr_sc_pv )
-         {
--            use_spec_ctrl = true;
-+            default_spec_ctrl_flags |= SCF_ist_wrmsr;
-             setup_force_cpu_cap(X86_FEATURE_SC_MSR_PV);
-         }
- 
-         if ( opt_msr_sc_hvm )
-         {
--            use_spec_ctrl = true;
-+            /*
-+             * While the guest MSR_SPEC_CTRL value is loaded/saved atomically,
-+             * Xen's value is not restored atomically.  An early NMI hitting
-+             * the VMExit path needs to restore Xen's value for safety.
-+             */
-+            default_spec_ctrl_flags |= SCF_ist_wrmsr;
-             setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM);
-         }
- 
--        if ( use_spec_ctrl )
--            default_spec_ctrl_flags |= SCF_ist_wrmsr;
--
-         if ( ibrs )
-             default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
-     }
--- 
-2.35.1
-

emulators/xen-kernel/files/0001-xen-Work-around-Clang-IAS-macro-expansion-bug.patch

+From a2adacff0b91cc7b977abb209dc419a2ef15963f Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Fri, 17 Feb 2023 00:12:24 +0000
+Subject: [PATCH] xen: Work around Clang-IAS macro \@ expansion bug
+
+https://github.com/llvm/llvm-project/issues/60792
+
+It turns out that Clang-IAS does not expand \@ uniquely in a translaition
+unit, and the XSA-426 change tickles this bug:
+
+  <instantiation>:4:1: error: invalid symbol redefinition
+  .L1_fill_rsb_loop:
+  ^
+  make[3]: *** [Rules.mk:247: arch/x86/acpi/cpu_idle.o] Error 1
+
+Extend DO_OVERWRITE_RSB with an optional parameter so C callers can mix %= in
+too, which Clang does seem to expand properly.
+
+Fixes: 63305e5392ec ("x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/include/asm/spec_ctrl.h     |  4 ++--
+ xen/arch/x86/include/asm/spec_ctrl_asm.h | 19 ++++++++++++-------
+ 2 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h
+index 3cf8a7d304..f718f94088 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl.h
++++ b/xen/arch/x86/include/asm/spec_ctrl.h
+@@ -83,7 +83,7 @@ static always_inline void spec_ctrl_new_guest_context(void)
+     wrmsrl(MSR_PRED_CMD, PRED_CMD_IBPB);
+ 
+     /* (ab)use alternative_input() to specify clobbers. */
+-    alternative_input("", "DO_OVERWRITE_RSB", X86_BUG_IBPB_NO_RET,
++    alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_BUG_IBPB_NO_RET,
+                       : "rax", "rcx");
+ }
+ 
+@@ -172,7 +172,7 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info)
+      *
+      * (ab)use alternative_input() to specify clobbers.
+      */
+-    alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE,
++    alternative_input("", "DO_OVERWRITE_RSB xu=%=", X86_FEATURE_SC_RSB_IDLE,
+                       : "rax", "rcx");
+ }
+ 
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index fab27ff553..f23bb105c5 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -117,11 +117,16 @@
+ .L\@_done:
+ .endm
+ 
+-.macro DO_OVERWRITE_RSB tmp=rax
++.macro DO_OVERWRITE_RSB tmp=rax xu
+ /*
+  * Requires nothing
+  * Clobbers \tmp (%rax by default), %rcx
+  *
++ * xu is an optional parameter to add eXtra Uniqueness.  It is intended for
++ * passing %= in from an asm() block, in order to work around
++ * https://github.com/llvm/llvm-project/issues/60792 where Clang-IAS doesn't
++ * expand \@ uniquely.
++ *
+  * Requires 256 bytes of {,shadow}stack space, but %rsp/SSP has no net
+  * change. Based on Google's performance numbers, the loop is unrolled to 16
+  * iterations and two calls per iteration.
+@@ -136,27 +141,27 @@
+     mov $16, %ecx                   /* 16 iterations, two calls per loop */
+     mov %rsp, %\tmp                 /* Store the current %rsp */
+ 
+-.L\@_fill_rsb_loop:
++.L\@_fill_rsb_loop\xu:
+ 
+     .irp n, 1, 2                    /* Unrolled twice. */
+-    call .L\@_insert_rsb_entry_\n   /* Create an RSB entry. */
++    call .L\@_insert_rsb_entry\xu\n /* Create an RSB entry. */
+     int3                            /* Halt rogue speculation. */
+ 
+-.L\@_insert_rsb_entry_\n:
++.L\@_insert_rsb_entry\xu\n:
+     .endr
+ 
+     sub $1, %ecx
+-    jnz .L\@_fill_rsb_loop
++    jnz .L\@_fill_rsb_loop\xu
+     mov %\tmp, %rsp                 /* Restore old %rsp */
+ 
+ #ifdef CONFIG_XEN_SHSTK
+     mov $1, %ecx
+     rdsspd %ecx
+     cmp $1, %ecx
+-    je .L\@_shstk_done
++    je .L\@_shstk_done\xu
+     mov $64, %ecx                   /* 64 * 4 bytes, given incsspd */
+     incsspd %ecx                    /* Restore old SSP */
+-.L\@_shstk_done:
++.L\@_shstk_done\xu:
+ #endif
+ .endm
+ 
+-- 
+2.39.0
+

emulators/xen-kernel/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch

+From 22b2fa4766728c3057757c00e79da5f7803fff33 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 16 Feb 2023 22:14:12 +0000
+Subject: [PATCH] xen/x86: Remove the use of K&R functions
+
+Clang-15 (as seen in the FreeBSD 14 tests) complains:
+
+  arch/x86/time.c:1364:20: error: a function declaration without a
+  prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+  s_time_t get_s_time()
+                     ^
+                      void
+
+The error message is a bit confusing but appears to new as part of
+-Wdeprecated-non-prototype which is part of supporting C2x which formally
+removes K&R syntax.
+
+Either way, fix the identified functions.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/hvm/vmx/vmcs.c     | 2 +-
+ xen/arch/x86/time.c             | 2 +-
+ xen/drivers/passthrough/iommu.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
+index 09edbd23b3..e1c268789e 100644
+--- a/xen/arch/x86/hvm/vmx/vmcs.c
++++ b/xen/arch/x86/hvm/vmx/vmcs.c
+@@ -781,7 +781,7 @@ static int _vmx_cpu_up(bool bsp)
+     return 0;
+ }
+ 
+-int cf_check vmx_cpu_up()
++int cf_check vmx_cpu_up(void)
+ {
+     return _vmx_cpu_up(false);
+ }
+diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
+index 782b11c8a9..4e44a43cc5 100644
+--- a/xen/arch/x86/time.c
++++ b/xen/arch/x86/time.c
+@@ -1361,7 +1361,7 @@ s_time_t get_s_time_fixed(u64 at_tsc)
+     return t->stamp.local_stime + scale_delta(delta, &t->tsc_scale);
+ }
+ 
+-s_time_t get_s_time()
++s_time_t get_s_time(void)
+ {
+     return get_s_time_fixed(0);
+ }
+diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
+index 921b71e819..0e187f6ae3 100644
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -606,7 +606,7 @@ int __init iommu_setup(void)
+     return rc;
+ }
+ 
+-int iommu_suspend()
++int iommu_suspend(void)
+ {
+     if ( iommu_enabled )
+         return iommu_call(iommu_get_ops(), suspend);
+@@ -614,7 +614,7 @@ int iommu_suspend()
+     return 0;
+ }
+ 
+-void iommu_resume()
++void iommu_resume(void)
+ {
+     if ( iommu_enabled )
+         iommu_vcall(iommu_get_ops(), resume);
+-- 
+2.39.0
+

emulators/xen-kernel/files/0002-x86-clang-add-retpoline-support.patch

-From 9412486707f8f1ca2eb31c2ef330c5e39c0a2f30 Mon Sep 17 00:00:00 2001
-From: Roger Pau Monne <roger.pau@citrix.com>
-Date: Fri, 18 Feb 2022 15:34:15 +0100
-Subject: [PATCH 2/2] x86/clang: add retpoline support
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Detect whether the compiler supports clang retpoline option and enable
-by default if available, just like it's done for gcc.
-
-Note clang already disables jump tables when retpoline is enabled, so
-there's no need to also pass the fno-jump-tables parameter. Also clang
-already passes the return address in a register always on amd64, so
-there's no need for any equivalent mindirect-branch-register
-parameter.
-
-Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
-Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
----
- xen/arch/x86/Kconfig | 3 ++-
- xen/arch/x86/arch.mk | 3 +++
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
-index fe89fa7274..1465874097 100644
---- a/xen/arch/x86/Kconfig
-+++ b/xen/arch/x86/Kconfig
-@@ -33,7 +33,8 @@ config ARCH_DEFCONFIG
- 	default "arch/x86/configs/x86_64_defconfig"
- 
- config CC_HAS_INDIRECT_THUNK
--	def_bool $(cc-option,-mindirect-branch-register)
-+	def_bool $(cc-option,-mindirect-branch-register) || \
-+	         $(cc-option,-mretpoline-external-thunk)
- 
- config INDIRECT_THUNK
- 	def_bool y
-diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
-index 15d0cbe487..edfc043dbb 100644
---- a/xen/arch/x86/arch.mk
-+++ b/xen/arch/x86/arch.mk
-@@ -47,6 +47,9 @@ ifeq ($(CONFIG_INDIRECT_THUNK),y)
- CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch=thunk-extern
- CFLAGS-$(CONFIG_CC_IS_GCC) += -mindirect-branch-register
- CFLAGS-$(CONFIG_CC_IS_GCC) += -fno-jump-tables
-+
-+# Enable clang retpoline support if available.
-+CFLAGS-$(CONFIG_CC_IS_CLANG) += -mretpoline-external-thunk
- endif
- 
- # If supported by the compiler, reduce stack alignment to 8 bytes. But allow
--- 
-2.35.1
-

emulators/xen-kernel/files/0002-x86-spec-ctrl-Introduce-new-has_spec_ctrl-boolean.patch

-From 08fc03c855c071e9b1aaaa96403f2a90433336a7 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Tue, 25 Jan 2022 17:14:48 +0000
-Subject: [PATCH 2/2] x86/spec-ctrl: Introduce new has_spec_ctrl boolean
-
-Most MSR_SPEC_CTRL setup will be common between Intel and AMD.  Instead of
-opencoding an OR of two features everywhere, introduce has_spec_ctrl instead.
-
-Reword the comment above the Intel specific alternatives block to highlight
-that it is Intel specific, and pull the setting of default_xen_spec_ctrl.IBRS
-out because it will want to be common.
-
-No functional change.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-(cherry picked from commit 5d9eff3a312763d889cfbf3c8468b6dfb3ab490c)
----
- xen/arch/x86/spec_ctrl.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index 8a550d0a09..2072daf662 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -927,7 +927,7 @@ static __init void mds_calculations(uint64_t caps)
- void __init init_speculation_mitigations(void)
- {
-     enum ind_thunk thunk = THUNK_DEFAULT;
--    bool ibrs = false, hw_smt_enabled;
-+    bool has_spec_ctrl, ibrs = false, hw_smt_enabled;
-     bool cpu_has_bug_taa;
-     uint64_t caps = 0;
- 
-@@ -936,6 +936,8 @@ void __init init_speculation_mitigations(void)
- 
-     hw_smt_enabled = check_smt_enabled();
- 
-+    has_spec_ctrl = boot_cpu_has(X86_FEATURE_IBRSB);
-+
-     /*
-      * First, disable the use of retpolines if Xen is using shadow stacks, as
-      * they are incompatible.
-@@ -973,11 +975,11 @@ void __init init_speculation_mitigations(void)
-              */
-             else if ( retpoline_safe(caps) )
-                 thunk = THUNK_RETPOLINE;
--            else if ( boot_cpu_has(X86_FEATURE_IBRSB) )
-+            else if ( has_spec_ctrl )
-                 ibrs = true;
-         }
-         /* Without compiler thunk support, use IBRS if available. */
--        else if ( boot_cpu_has(X86_FEATURE_IBRSB) )
-+        else if ( has_spec_ctrl )
-             ibrs = true;
-     }
- 
-@@ -1008,10 +1010,7 @@ void __init init_speculation_mitigations(void)
-     else if ( thunk == THUNK_JMP )
-         setup_force_cpu_cap(X86_FEATURE_IND_THUNK_JMP);
- 
--    /*
--     * If we are on hardware supporting MSR_SPEC_CTRL, see about setting up
--     * the alternatives blocks so we can virtualise support for guests.
--     */
-+    /* Intel hardware: MSR_SPEC_CTRL alternatives setup. */
-     if ( boot_cpu_has(X86_FEATURE_IBRSB) )
-     {
-         if ( opt_msr_sc_pv )
-@@ -1030,11 +1029,12 @@ void __init init_speculation_mitigations(void)
-             default_spec_ctrl_flags |= SCF_ist_wrmsr;
-             setup_force_cpu_cap(X86_FEATURE_SC_MSR_HVM);
-         }
--
--        if ( ibrs )
--            default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
-     }
- 
-+    /* If we have IBRS available, see whether we should use it. */
-+    if ( has_spec_ctrl && ibrs )
-+        default_xen_spec_ctrl |= SPEC_CTRL_IBRS;
-+
-     /* If we have SSBD available, see whether we should use it. */
-     if ( boot_cpu_has(X86_FEATURE_SSBD) && opt_ssbd )
-         default_xen_spec_ctrl |= SPEC_CTRL_SSBD;
-@@ -1268,7 +1268,7 @@ void __init init_speculation_mitigations(void)
-      * boot won't have any other code running in a position to mount an
-      * attack.
-      */
--    if ( boot_cpu_has(X86_FEATURE_IBRSB) )
-+    if ( has_spec_ctrl )
-     {
-         bsp_delay_spec_ctrl = !cpu_has_hypervisor && default_xen_spec_ctrl;
- 
--- 
-2.35.1
-

emulators/xen-kernel/files/xsa395.patch

-From 4cc924c3e3a0d53306d08b04720c427d1c298ba8 Mon Sep 17 00:00:00 2001
-From: Julien Grall <jgrall@amazon.com>
-Date: Wed, 5 Jan 2022 18:09:20 +0000
-Subject: [PATCH] passthrough/x86: stop pirq iteration immediately in case of
- error
-
-pt_pirq_iterate() will iterate in batch over all the PIRQs. The outer
-loop will bail out if 'rc' is non-zero but the inner loop will continue.
-
-This means 'rc' will get clobbered and we may miss any errors (such as
--ERESTART in the case of the callback pci_clean_dpci_irq()).
-
-This is CVE-2022-23035 / XSA-395.
-
-Fixes: c24536b636f2 ("replace d->nr_pirqs sized arrays with radix tree")
-Fixes: f6dd295381f4 ("dpci: replace tasklet with softirq")
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
----
- xen/drivers/passthrough/x86/hvm.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/xen/drivers/passthrough/x86/hvm.c b/xen/drivers/passthrough/x86/hvm.c
-index 351daafdc9bf..0b37cd145b60 100644
---- a/xen/drivers/passthrough/x86/hvm.c
-+++ b/xen/drivers/passthrough/x86/hvm.c
-@@ -732,7 +732,11 @@ int pt_pirq_iterate(struct domain *d,
- 
-             pirq = pirqs[i]->pirq;
-             if ( (pirq_dpci->flags & HVM_IRQ_DPCI_MAPPED) )
-+            {
-                 rc = cb(d, pirq_dpci, arg);
-+                if ( rc )
-+                    break;
-+            }
-         }
-     } while ( !rc && ++pirq < d->nr_pirqs && n == ARRAY_SIZE(pirqs) );
- 
--- 
-2.32.0
-

emulators/xen-kernel/files/xsa398-4.16-6-x86-spec-ctrl-Cease-using-thunk-lfence-on-AMD.patch

-From c374a8c5cc74535e16410b7a0d9e92bf5de54f79 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper <andrew.cooper3@citrix.com>
-Date: Mon, 7 Mar 2022 16:35:52 +0000
-Subject: x86/spec-ctrl: Cease using thunk=lfence on AMD
-
-AMD have updated their Spectre v2 guidance, and lfence/jmp is no longer
-considered safe.  AMD are recommending using retpoline everywhere.
-
-Retpoline is incompatible with CET.  All CET-capable hardware has efficient
-IBRS (specifically, not something retrofitted in microcode), so use IBRS (and
-STIBP for consistency sake).
-
-This is a logical change on AMD, but not on Intel as the default calculations
-would end up with these settings anyway.  Leave behind a message if IBRS is
-found to be missing.
-
-Also update the default heuristics to never select THUNK_LFENCE.  This causes
-AMD CPUs to change their default to retpoline.
-
-Also update the printed message to include the AMD MSR_SPEC_CTRL settings, and
-STIBP now that we set it for consistency sake.
-
-This is part of XSA-398 / CVE-2021-26401.
-
-Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
-Reviewed-by: Jan Beulich <jbeulich@suse.com>
-(cherry picked from commit 8d03080d2a339840d3a59e0932a94f804e45110d)
-
-diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
-index 995197f4b23e..f606dc0e14c1 100644
---- a/docs/misc/xen-command-line.pandoc
-+++ b/docs/misc/xen-command-line.pandoc
-@@ -2269,9 +2269,9 @@ to use.
- 
- If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to
- select which of the thunks gets patched into the `__x86_indirect_thunk_%reg`
--locations.  The default thunk is `retpoline` (generally preferred for Intel
--hardware), with the alternatives being `jmp` (a `jmp *%reg` gadget, minimal
--overhead), and `lfence` (an `lfence; jmp *%reg` gadget, preferred for AMD).
-+locations.  The default thunk is `retpoline` (generally preferred), with the
-+alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and
-+`lfence` (an `lfence; jmp *%reg` gadget).
- 
- On hardware supporting IBRS (Indirect Branch Restricted Speculation), the
- `ibrs=` option can be used to force or prevent Xen using the feature itself.
-diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
-index cbeeb199037e..ae076bec3ab0 100644
---- a/xen/arch/x86/spec_ctrl.c
-+++ b/xen/arch/x86/spec_ctrl.c
-@@ -367,14 +367,19 @@ static void __init print_details(enum ind_thunk thunk, uint64_t caps)
-                "\n");
- 
-     /* Settings for Xen's protection, irrespective of guests. */
--    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s, Other:%s%s%s%s%s\n",
-+    printk("  Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s, Other:%s%s%s%s%s\n",
-            thunk == THUNK_NONE      ? "N/A" :
-            thunk == THUNK_RETPOLINE ? "RETPOLINE" :
-            thunk == THUNK_LFENCE    ? "LFENCE" :
-            thunk == THUNK_JMP       ? "JMP" : "?",
--           !boot_cpu_has(X86_FEATURE_IBRSB)          ? "No" :
-+           (!boot_cpu_has(X86_FEATURE_IBRSB) &&
-+            !boot_cpu_has(X86_FEATURE_IBRS))         ? "No" :
-            (default_xen_spec_ctrl & SPEC_CTRL_IBRS)  ? "IBRS+" :  "IBRS-",
--           !boot_cpu_has(X86_FEATURE_SSBD)           ? "" :
-+           (!boot_cpu_has(X86_FEATURE_STIBP) &&
-+            !boot_cpu_has(X86_FEATURE_AMD_STIBP))    ? "" :
-+           (default_xen_spec_ctrl & SPEC_CTRL_STIBP) ? " STIBP+" : " STIBP-",
-+           (!boot_cpu_has(X86_FEATURE_SSBD) &&
-+            !boot_cpu_has(X86_FEATURE_AMD_SSBD))     ? "" :
-            (default_xen_spec_ctrl & SPEC_CTRL_SSBD)  ? " SSBD+" : " SSBD-",
-            !(caps & ARCH_CAPS_TSX_CTRL)              ? "" :
-            (opt_tsx & 1)                             ? " TSX+" : " TSX-",
-@@ -945,10 +950,23 @@ void __init init_speculation_mitigations(void)
-     /*
-      * First, disable the use of retpolines if Xen is using shadow stacks, as
-      * they are incompatible.
-+     *
-+     * In the absence of retpolines, IBRS needs to be used for speculative
-+     * safety.  All CET-capable hardware has efficient IBRS.
-      */
--    if ( cpu_has_xen_shstk &&
--         (opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE) )
--        thunk = THUNK_JMP;
-+    if ( cpu_has_xen_shstk )
-+    {
-+        if ( !has_spec_ctrl )
-+            printk(XENLOG_WARNING "?!? CET active, but no MSR_SPEC_CTRL?\n");
-+        else if ( opt_ibrs == -1 )
-+        {
-+            opt_ibrs = ibrs = true;
-+            default_xen_spec_ctrl |= SPEC_CTRL_IBRS | SPEC_CTRL_STIBP;
-+        }
-+
-+        if ( opt_thunk == THUNK_DEFAULT || opt_thunk == THUNK_RETPOLINE )
-+            thunk = THUNK_JMP;
-+    }
- 
-     /*
-      * Has the user specified any custom BTI mitigations?  If so, follow their
-@@ -968,16 +986,10 @@ void __init init_speculation_mitigations(void)
-         if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) )
-         {
-             /*
--             * AMD's recommended mitigation is to set lfence as being dispatch
--             * serialising, and to use IND_THUNK_LFENCE.
--             */
--            if ( cpu_has_lfence_dispatch )
--                thunk = THUNK_LFENCE;
--            /*
--             * On Intel hardware, we'd like to use retpoline in preference to
-+             * On all hardware, we'd like to use retpoline in preference to
-              * IBRS, but only if it is safe on this hardware.
-              */
--            else if ( retpoline_safe(caps) )
-+            if ( retpoline_safe(caps) )
-                 thunk = THUNK_RETPOLINE;
-             else if ( has_spec_ctrl )
-                 ibrs = true;

emulators/xen-kernel/files/xsa425.patch

+From: Jason Andryuk <jandryuk@gmail.com>
+Subject: Revert "tools/xenstore: simplify loop handling connection I/O"
+
+I'm observing guest kexec trigger xenstored to abort on a double free.
+
+gdb output:
+Program received signal SIGABRT, Aborted.
+__pthread_kill_implementation (no_tid=0, signo=6, threadid=140645614258112) at ./nptl/pthread_kill.c:44
+44    ./nptl/pthread_kill.c: No such file or directory.
+(gdb) bt
+    at ./nptl/pthread_kill.c:44
+    at ./nptl/pthread_kill.c:78
+    at ./nptl/pthread_kill.c:89
+    at ../sysdeps/posix/raise.c:26
+    at talloc.c:119
+    ptr=ptr@entry=0x559fae724290) at talloc.c:232
+    at xenstored_core.c:2945
+(gdb) frame 5
+    at talloc.c:119
+119            TALLOC_ABORT("Bad talloc magic value - double free");
+(gdb) frame 7
+    at xenstored_core.c:2945
+2945                talloc_increase_ref_count(conn);
+(gdb) p conn
+$1 = (struct connection *) 0x559fae724290
+
+Looking at a xenstore trace, we have:
+IN 0x559fae71f250 20230120 17:40:53 READ (/local/domain/3/image/device-model-dom
+id )
+wrl: dom    0      1  msec      10000 credit     1000000 reserve        100 disc
+ard
+wrl: dom    3      1  msec      10000 credit     1000000 reserve        100 disc
+ard
+wrl: dom    0      0  msec      10000 credit     1000000 reserve          0 disc
+ard
+wrl: dom    3      0  msec      10000 credit     1000000 reserve          0 disc
+ard
+OUT 0x559fae71f250 20230120 17:40:53 ERROR (ENOENT )
+wrl: dom    0      1  msec      10000 credit     1000000 reserve        100 disc
+ard
+wrl: dom    3      1  msec      10000 credit     1000000 reserve        100 disc
+ard
+IN 0x559fae71f250 20230120 17:40:53 RELEASE (3 )
+DESTROY watch 0x559fae73f630
+DESTROY watch 0x559fae75ddf0
+DESTROY watch 0x559fae75ec30
+DESTROY watch 0x559fae75ea60
+DESTROY watch 0x559fae732c00
+DESTROY watch 0x559fae72cea0
+DESTROY watch 0x559fae728fc0
+DESTROY watch 0x559fae729570
+DESTROY connection 0x559fae724290
+orphaned node /local/domain/3/device/suspend/event-channel deleted
+orphaned node /local/domain/3/device/vbd/51712 deleted
+orphaned node /local/domain/3/device/vkbd/0 deleted
+orphaned node /local/domain/3/device/vif/0 deleted
+orphaned node /local/domain/3/control/shutdown deleted
+orphaned node /local/domain/3/control/feature-poweroff deleted
+orphaned node /local/domain/3/control/feature-reboot deleted
+orphaned node /local/domain/3/control/feature-suspend deleted
+orphaned node /local/domain/3/control/feature-s3 deleted
+orphaned node /local/domain/3/control/feature-s4 deleted
+orphaned node /local/domain/3/control/sysrq deleted
+orphaned node /local/domain/3/data deleted
+orphaned node /local/domain/3/drivers deleted
+orphaned node /local/domain/3/feature deleted
+orphaned node /local/domain/3/attr deleted
+orphaned node /local/domain/3/error deleted
+orphaned node /local/domain/3/console/backend-id deleted
+
+and no further output.
+
+The trace shows that DESTROY was called for connection 0x559fae724290,
+but that is the same pointer (conn) main() was looping through from
+connections.  So it wasn't actually removed from the connections list?
+
+Reverting commit e8e6e42279a5 "tools/xenstore: simplify loop handling
+connection I/O" fixes the abort/double free.  I think the use of
+list_for_each_entry_safe is incorrect.  list_for_each_entry_safe makes
+traversal safe for deleting the current iterator, but RELEASE/do_release
+will delete some other entry in the connections list.  I think the
+observed abort is because list_for_each_entry has next pointing to the
+deleted connection, and it is used in the subsequent iteration.
+
+Add a comment explaining the unsuitability of list_for_each_entry_safe.
+Also notice that the old code takes a reference on next which would
+prevents a use-after-free.
+
+This reverts commit e8e6e42279a5723239c5c40ba4c7f579a979465d.
+
+This is XSA-425/CVE-2022-42330.
+
+Fixes: e8e6e42279a5 ("tools/xenstore: simplify loop handling connection I/O")
+Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Julien Grall <jgrall@amazon.com>
+---
+ tools/xenstore/xenstored_core.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
+index 78a3edaa4e..029e3852fc 100644
+--- a/tools/xenstore/xenstored_core.c
++++ b/tools/xenstore/xenstored_core.c
+@@ -2941,8 +2941,23 @@ int main(int argc, char *argv[])
+ 			}
+ 		}
+ 
+-		list_for_each_entry_safe(conn, next, &connections, list) {
+-			talloc_increase_ref_count(conn);
++		/*
++		 * list_for_each_entry_safe is not suitable here because
++		 * handle_input may delete entries besides the current one, but
++		 * those may be in the temporary next which would trigger a
++		 * use-after-free.  list_for_each_entry_safe is only safe for
++		 * deleting the current entry.
++		 */
++		next = list_entry(connections.next, typeof(*conn), list);
++		if (&next->list != &connections)
++			talloc_increase_ref_count(next);
++		while (&next->list != &connections) {
++			conn = next;
++
++			next = list_entry(conn->list.next,
++					  typeof(*conn), list);
++			if (&next->list != &connections)
++				talloc_increase_ref_count(next);
+ 
+ 			if (conn_can_read(conn))
+ 				handle_input(conn);
+-- 
+2.34.1

emulators/xen-kernel/files/xsa426.patch

+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/spec-ctrl: Mitigate Cross-Thread Return Address Predictions
+
+This is XSA-426 / CVE-2022-27672
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
+index 923910f553c5..a2ff38cdebf2 100644
+--- a/docs/misc/xen-command-line.pandoc
++++ b/docs/misc/xen-command-line.pandoc
+@@ -2355,7 +2355,7 @@ guests to use.
+   on entry and exit.  These blocks are necessary to virtualise support for
+   guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc.
+ * `rsb=` offers control over whether to overwrite the Return Stack Buffer /
+-  Return Address Stack on entry to Xen.
++  Return Address Stack on entry to Xen and on idle.
+ * `md-clear=` offers control over whether to use VERW to flush
+   microarchitectural buffers on idle and exit from Xen.  *Note: For
+   compatibility with development versions of this fix, `mds=` is also accepted
+diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h
+index 865f1109866d..da0593de8542 100644
+--- a/xen/arch/x86/include/asm/cpufeatures.h
++++ b/xen/arch/x86/include/asm/cpufeatures.h
+@@ -35,7 +35,8 @@ XEN_CPUFEATURE(SC_RSB_HVM,        X86_SYNTH(19)) /* RSB overwrite needed for HVM
+ XEN_CPUFEATURE(XEN_SELFSNOOP,     X86_SYNTH(20)) /* SELFSNOOP gets used by Xen itself */
+ XEN_CPUFEATURE(SC_MSR_IDLE,       X86_SYNTH(21)) /* Clear MSR_SPEC_CTRL on idle */
+ XEN_CPUFEATURE(XEN_LBR,           X86_SYNTH(22)) /* Xen uses MSR_DEBUGCTL.LBR */
+-/* Bits 23,24 unused. */
++/* Bits 23 unused. */
++XEN_CPUFEATURE(SC_RSB_IDLE,       X86_SYNTH(24)) /* RSB overwrite needed for idle. */
+ XEN_CPUFEATURE(SC_VERW_IDLE,      X86_SYNTH(25)) /* VERW used by Xen for idle */
+ XEN_CPUFEATURE(XEN_SHSTK,         X86_SYNTH(26)) /* Xen uses CET Shadow Stacks */
+ XEN_CPUFEATURE(XEN_IBT,           X86_SYNTH(27)) /* Xen uses CET Indirect Branch Tracking */
+diff --git a/xen/arch/x86/include/asm/spec_ctrl.h b/xen/arch/x86/include/asm/spec_ctrl.h
+index 6a77c3937844..391973ef6a28 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl.h
++++ b/xen/arch/x86/include/asm/spec_ctrl.h
+@@ -159,6 +159,21 @@ static always_inline void spec_ctrl_enter_idle(struct cpu_info *info)
+      */
+     alternative_input("", "verw %[sel]", X86_FEATURE_SC_VERW_IDLE,
+                       [sel] "m" (info->verw_sel));
++
++    /*
++     * Cross-Thread Return Address Predictions:
++     *
++     * On vulnerable systems, the return predictions (RSB/RAS) are statically
++     * partitioned between active threads.  When entering idle, our entries
++     * are re-partitioned to allow the other threads to use them.
++     *
++     * In some cases, we might still have guest entries in the RAS, so flush
++     * them before injecting them sideways to our sibling thread.
++     *
++     * (ab)use alternative_input() to specify clobbers.
++     */
++    alternative_input("", "DO_OVERWRITE_RSB", X86_FEATURE_SC_RSB_IDLE,
++                      : "rax", "rcx");
+ }
+ 
+ /* WARNING! `ret`, `call *`, `jmp *` not safe before this call. */
+diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c
+index a320b81947c8..e80e2a5ed1a9 100644
+--- a/xen/arch/x86/spec_ctrl.c
++++ b/xen/arch/x86/spec_ctrl.c
+@@ -1327,13 +1327,38 @@ void __init init_speculation_mitigations(void)
+      * 3) Some CPUs have RSBs which are not full width, which allow the
+      *    attacker's entries to alias Xen addresses.
+      *
++     * 4) Some CPUs have RSBs which are re-partitioned based on thread
++     *    idleness, which allows an attacker to inject entries into the other
++     *    thread.  We still active the optimisation in this case, and mitigate
++     *    in the idle path which has lower overhead.
++     *
+      * It is safe to turn off RSB stuffing when Xen is using SMEP itself, and
+      * 32bit PV guests are disabled, and when the RSB is full width.
+      */
+     BUILD_BUG_ON(RO_MPT_VIRT_START != PML4_ADDR(256));
+-    if ( opt_rsb_pv == -1 && boot_cpu_has(X86_FEATURE_XEN_SMEP) &&
+-         !opt_pv32 && rsb_is_full_width() )
+-        opt_rsb_pv = 0;
++    if ( opt_rsb_pv == -1 )
++    {
++        opt_rsb_pv = (opt_pv32 || !boot_cpu_has(X86_FEATURE_XEN_SMEP) ||
++                      !rsb_is_full_width());
++
++        /*
++         * Cross-Thread Return Address Predictions.
++         *
++         * Vulnerable systems are Zen1/Zen2 uarch, which is AMD Fam17 / Hygon
++         * Fam18, when SMT is active.
++         *
++         * To mitigate, we must flush the RSB/RAS/RAP once between entering
++         * Xen and going idle.
++         *
++         * Most cases flush on entry to Xen anyway.  The one case where we
++         * don't is when using the SMEP optimisation for PV guests.  Flushing
++         * before going idle is less overhead than flushing on PV entry.
++         */
++        if ( !opt_rsb_pv && hw_smt_enabled &&
++             (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD|X86_VENDOR_HYGON)) &&
++             (boot_cpu_data.x86 == 0x17 || boot_cpu_data.x86 == 0x18) )
++            setup_force_cpu_cap(X86_FEATURE_SC_RSB_IDLE);
++    }
+ 
+     if ( opt_rsb_pv )
+     {

misc/seabios/Makefile

 PORTNAME=	seabios
-PORTVERSION=	1.16.0
+PORTVERSION=	1.16.1
 PORTREVISION=	0
 CATEGORIES=	misc
 MASTER_SITES=	https://www.seabios.org/downloads/

misc/seabios/distinfo

-TIMESTAMP = 1670623319
-SHA256 (seabios-1.16.0.tar.gz) = d44d8e97ad56f3fd23ed3076077a770d37a5e7bae22daa59656ff41c3334fb34
-SIZE (seabios-1.16.0.tar.gz) = 635419
+TIMESTAMP = 1678354722
+SHA256 (seabios-1.16.1.tar.gz) = ec249942e85a79e7b7706e867b611d6c9e1493405151a8eae905c2f5d44417de
+SIZE (seabios-1.16.1.tar.gz) = 635783

sysutils/xen-tools/Makefile

 PORTNAME=	xen
 PKGNAMESUFFIX=	-tools
-PORTVERSION=	4.16.0
-PORTREVISION=	1
+PORTVERSION=	4.17.0
+PORTREVISION=	0
 CATEGORIES=	sysutils emulators
 MASTER_SITES=	http://downloads.xenproject.org/release/xen/${PORTVERSION}/
 
@@ -61,6 +61,10 @@ DOCS_ALL_TARGET=	docs
 INSTALL_TARGET=		install-tools
 DOCS_INSTALL_TARGET=	install-docs
 
+# clang build fixes
+EXTRA_PATCHES+=	${PATCHDIR}/0001-xen-x86-Remove-the-use-of-K-R-functions.patch:-p1 \
+		${PATCHDIR}/0001-tools-Remove-the-use-of-K-R-functions.patch:-p1
+
 .include <bsd.port.options.mk>
 
 .if ${OPSYS} != FreeBSD

sysutils/xen-tools/distinfo

-TIMESTAMP = 1648563575
-SHA256 (xen-4.16.0.tar.gz) = adc87a90e614d090a2014b9aebae8d815a7348bf329d169b3cb655256d0ee995
-SIZE (xen-4.16.0.tar.gz) = 44982322
+TIMESTAMP = 1678354304
+SHA256 (xen-4.17.0.tar.gz) = 119fc44fa3f9b581f1929c2ed8e0f97fac59a1828bc5ec5c244df096e7343ef9
+SIZE (xen-4.17.0.tar.gz) = 46484553

sysutils/xen-tools/files/0001-tools-Remove-the-use-of-K-R-functions.patch

+From e2312e41f05c0f2e3b714710bd2551a3cd74cedd Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 16 Feb 2023 22:47:50 +0000
+Subject: [PATCH] tools: Remove the use of K&R functions
+
+Clang-15 (as seen in the FreeBSD 14 tests) complains:
+
+  xg_main.c:1248 error: a function declaration without a
+  prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+  xg_init()
+         ^
+          void
+
+The error message is a bit confusing but appears to new as part of
+-Wdeprecated-non-prototype which is part of supporting C2x which formally
+removes K&R syntax.
+
+Either way, fix the identified function.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Anthony PERARD <anthony.perard@citrix.com>
+---
+ tools/debugger/gdbsx/xg/xg_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/debugger/gdbsx/xg/xg_main.c b/tools/debugger/gdbsx/xg/xg_main.c
+index 4576c762af..580fe237b2 100644
+--- a/tools/debugger/gdbsx/xg/xg_main.c
++++ b/tools/debugger/gdbsx/xg/xg_main.c
+@@ -121,7 +121,7 @@ xgprt(const char *fn, const char *fmt, ...)
+  *         -1 failure, errno set.
+  */
+ int 
+-xg_init()
++xg_init(void)
+ {
+     int flags, saved_errno;
+ 
+-- 
+2.39.0
+

sysutils/xen-tools/files/0001-xen-x86-Remove-the-use-of-K-R-functions.patch

+From 22b2fa4766728c3057757c00e79da5f7803fff33 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 16 Feb 2023 22:14:12 +0000
+Subject: [PATCH] xen/x86: Remove the use of K&R functions
+
+Clang-15 (as seen in the FreeBSD 14 tests) complains:
+
+  arch/x86/time.c:1364:20: error: a function declaration without a
+  prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+  s_time_t get_s_time()
+                     ^
+                      void
+
+The error message is a bit confusing but appears to new as part of
+-Wdeprecated-non-prototype which is part of supporting C2x which formally
+removes K&R syntax.
+
+Either way, fix the identified functions.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/hvm/vmx/vmcs.c     | 2 +-
+ xen/arch/x86/time.c             | 2 +-
+ xen/drivers/passthrough/iommu.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
+index 09edbd23b3..e1c268789e 100644
+--- a/xen/arch/x86/hvm/vmx/vmcs.c
++++ b/xen/arch/x86/hvm/vmx/vmcs.c
+@@ -781,7 +781,7 @@ static int _vmx_cpu_up(bool bsp)
+     return 0;
+ }
+ 
+-int cf_check vmx_cpu_up()
++int cf_check vmx_cpu_up(void)
+ {
+     return _vmx_cpu_up(false);
+ }
+diff --git a/xen/arch/x86/time.c b/xen/arch/x86/time.c
+index 782b11c8a9..4e44a43cc5 100644
+--- a/xen/arch/x86/time.c
++++ b/xen/arch/x86/time.c
+@@ -1361,7 +1361,7 @@ s_time_t get_s_time_fixed(u64 at_tsc)
+     return t->stamp.local_stime + scale_delta(delta, &t->tsc_scale);
+ }
+ 
+-s_time_t get_s_time()
++s_time_t get_s_time(void)
+ {
+     return get_s_time_fixed(0);
+ }
+diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
+index 921b71e819..0e187f6ae3 100644
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -606,7 +606,7 @@ int __init iommu_setup(void)
+     return rc;
+ }
+ 
+-int iommu_suspend()
++int iommu_suspend(void)
+ {
+     if ( iommu_enabled )
+         return iommu_call(iommu_get_ops(), suspend);
+@@ -614,7 +614,7 @@ int iommu_suspend()
+     return 0;
+ }
+ 
+-void iommu_resume()
++void iommu_resume(void)
+ {
+     if ( iommu_enabled )
+         iommu_vcall(iommu_get_ops(), resume);
+-- 
+2.39.0
+

sysutils/xen-tools/pkg-plist

@@ -27,7 +27,6 @@ etc/rc.d/xendriverdomain
 %%ETCDIR%%/xlexample.hvm
 %%ETCDIR%%/xlexample.pvhlinux
 %%ETCDIR%%/xlexample.pvlinux
-include/_libxl_list.h
 include/_libxl_types.h
 include/_libxl_types_json.h
 include/libxl.h
@@ -42,6 +41,7 @@ include/xen/arch-arm/hvm/save.h
 include/xen/arch-arm/smccc.h
 include/xen/arch-x86/cpufeatureset.h
 include/xen/arch-x86/cpuid.h
+include/xen/arch-x86/guest-acpi.h
 include/xen/arch-x86/hvm/save.h
 include/xen/arch-x86/hvm/start_info.h
 include/xen/arch-x86/pmu.h
@@ -117,6 +117,7 @@ include/xen/xen.h
 include/xen/xencomm.h
 include/xen/xenoprof.h
 include/xen/xsm/flask_op.h
+include/xen_list.h
 include/xencall.h
 include/xenctrl.h
 include/xenctrl_compat.h
@@ -135,7 +136,6 @@ include/xenstore-compat/xs_lib.h
 include/xenstore.h
 include/xenstore_lib.h
 include/xentoolcore.h
-include/xentoolcore_internal.h
 include/xentoollog.h
 include/xs.h
 include/xs_lib.h
@@ -146,8 +146,8 @@ lib/libxencall.so.1
 lib/libxencall.so.1.3
 lib/libxenctrl.a
 lib/libxenctrl.so
-lib/libxenctrl.so.4.16
-lib/libxenctrl.so.4.16.0
+lib/libxenctrl.so.4.17
+lib/libxenctrl.so.4.17.0
 lib/libxendevicemodel.a
 lib/libxendevicemodel.so
 lib/libxendevicemodel.so.1
@@ -161,28 +161,28 @@ lib/libxenforeignmemory.so
 lib/libxenforeignmemory.so.1
 lib/libxenforeignmemory.so.1.4
 lib/libxenfsimage.so
-lib/libxenfsimage.so.4.16
-lib/libxenfsimage.so.4.16.0
+lib/libxenfsimage.so.4.17
+lib/libxenfsimage.so.4.17.0
 lib/libxengnttab.a
 lib/libxengnttab.so
 lib/libxengnttab.so.1
 lib/libxengnttab.so.1.2
 lib/libxenguest.a
 lib/libxenguest.so
-lib/libxenguest.so.4.16
-lib/libxenguest.so.4.16.0
+lib/libxenguest.so.4.17
+lib/libxenguest.so.4.17.0
 lib/libxenhypfs.a
 lib/libxenhypfs.so
 lib/libxenhypfs.so.1
 lib/libxenhypfs.so.1.0
 lib/libxenlight.a
 lib/libxenlight.so
-lib/libxenlight.so.4.16
-lib/libxenlight.so.4.16.0
+lib/libxenlight.so.4.17
+lib/libxenlight.so.4.17.0
 lib/libxenstat.a
 lib/libxenstat.so
-lib/libxenstat.so.4.16
-lib/libxenstat.so.4.16.0
+lib/libxenstat.so.4.17
+lib/libxenstat.so.4.17.0
 lib/libxenstore.a
 lib/libxenstore.so
 lib/libxenstore.so.4
@@ -197,8 +197,8 @@ lib/libxentoollog.so.1
 lib/libxentoollog.so.1.0
 lib/libxlutil.a
 lib/libxlutil.so
-lib/libxlutil.so.4.16
-lib/libxlutil.so.4.16.0
+lib/libxlutil.so.4.17
+lib/libxlutil.so.4.17.0
 %%PYTHON_SITELIBDIR%%/grub/ExtLinuxConf.py
 %%PYTHON_SITELIBDIR%%/grub/ExtLinuxConf.pyc
 %%PYTHON_SITELIBDIR%%/grub/GrubConf.py
@@ -247,6 +247,7 @@ lib/xen/bin/qemu-storage-daemon
 lib/xen/bin/qemu-system-i386
 lib/xen/bin/readnotes
 lib/xen/bin/test-cpu-policy
+lib/xen/bin/test-paging-mempool
 lib/xen/bin/test-resource
 lib/xen/bin/test-tsx
 lib/xen/bin/test-xenstore
@@ -407,6 +408,7 @@ sbin/xl
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_32/.deps
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_32/include,public,arch-x86,cpufeatureset.h.html
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_32/include,public,arch-x86,cpuid.h.html
+%%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_32/include,public,arch-x86,guest-acpi.h.html
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_32/include,public,arch-x86,hvm,save.h.html
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_32/include,public,arch-x86,hvm,start_info.h.html
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_32/include,public,arch-x86,pmu.h.html
@@ -478,6 +480,7 @@ sbin/xl
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_64/.deps
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_64/include,public,arch-x86,cpufeatureset.h.html
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_64/include,public,arch-x86,cpuid.h.html
+%%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_64/include,public,arch-x86,guest-acpi.h.html
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_64/include,public,arch-x86,hvm,save.h.html
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_64/include,public,arch-x86,hvm,start_info.h.html
 %%PORTDOCS%%%%DOCSDIR%%/html/hypercall/x86_64/include,public,arch-x86,pmu.h.html
@@ -575,12 +578,14 @@ sbin/xl
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/booting.txt
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/device-tree/acpi.txt
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/device-tree/booting.txt
+%%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/device-tree/cpupools.txt
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/device-tree/guest.txt
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/device-tree/index.html
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/device-tree/passthrough.txt
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/early-printk.txt
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/index.html
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/passthrough.txt
+%%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/passthrough-noiommu.txt
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/arm/silicon-errata.txt
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/block-scripts.txt
 %%PORTDOCS%%%%DOCSDIR%%/html/misc/console.txt
@@ -657,14 +662,13 @@ share/qemu-xen/qemu/kvmvapic.bin
 share/qemu-xen/qemu/linuxboot.bin
 share/qemu-xen/qemu/linuxboot_dma.bin
 share/qemu-xen/qemu/multiboot.bin
+share/qemu-xen/qemu/multiboot_dma.bin
 share/qemu-xen/qemu/npcm7xx_bootrom.bin
 share/qemu-xen/qemu/openbios-ppc
 share/qemu-xen/qemu/openbios-sparc32
 share/qemu-xen/qemu/openbios-sparc64
 share/qemu-xen/qemu/opensbi-riscv32-generic-fw_dynamic.bin
-share/qemu-xen/qemu/opensbi-riscv32-generic-fw_dynamic.elf
 share/qemu-xen/qemu/opensbi-riscv64-generic-fw_dynamic.bin
-share/qemu-xen/qemu/opensbi-riscv64-generic-fw_dynamic.elf
 share/qemu-xen/qemu/palcode-clipper
 share/qemu-xen/qemu/petalogix-ml605.dtb
 share/qemu-xen/qemu/petalogix-s3adsp1800.dtb
@@ -690,6 +694,8 @@ share/qemu-xen/qemu/vgabios-stdvga.bin
 share/qemu-xen/qemu/vgabios-virtio.bin
 share/qemu-xen/qemu/vgabios-vmware.bin
 share/qemu-xen/qemu/vgabios.bin
+share/qemu-xen/qemu/vof.bin
+share/qemu-xen/qemu/vof-nvram.bin
 share/qemu-xen/applications/qemu.desktop
 share/qemu-xen/icons/hicolor/128x128/apps/qemu.png
 share/qemu-xen/icons/hicolor/16x16/apps/qemu.png
@@ -725,7 +731,6 @@ share/qemu-xen/qemu/vgabios-ramfb.bin
 @dir /var/lib/xen/dump
 @dir /var/lib/xen/xenpaging
 @dir /var/lib/xen
-@dir /var/lib/xenstored
 @dir /var/lib
 @dir /var/log/xen
 @dir /var/run/xen