XSA-172: broken AMD FPU FIP/FDP/FOP leak workaround

Published: 2016-03-24 16:26:00
Source: Xen Project, xenbits.xen.org

CVSS2: 1.7 Low (AV:L/AC:L/Au:S/C:P/I:N/A:N)
  Attack Vector:          LOCAL
  Attack Complexity:      LOW
  Authentication:         SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact:       NONE
  Availability Impact:    NONE

CVSS3: 3.8 Low (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
  Attack Vector:          LOCAL
  Attack Complexity:      LOW
  Privileges Required:    LOW
  User Interaction:       NONE
  Scope:                  CHANGED
  Confidentiality Impact: LOW
  Integrity Impact:       NONE
  Availability Impact:    NONE

EPSS: 0.001 Low (Percentile 41.6%)

ISSUE DESCRIPTION

There is a workaround in Xen to deal with the fact that AMD CPUs don’t load the x86 registers FIP (and possibly FCS), FDP (and possibly FDS), and FOP from memory (via XRSTOR or FXRSTOR) when there is no pending unmasked exception. (See XSA-52.)
However, this workaround does not cover all possible input cases. This is because writes to the hardware FSW.ES bit, which the current workaround is based on, are ignored; instead, the CPU calculates FSW.ES from the pending exception and exception mask bits. Xen therefore needs to do the same.
Note that part of said workaround was the subject of XSA-52.
This can leak register contents from one guest to another. The registers in question are the FPU instruction and data pointers and opcode.
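The FSW.ES derivation the advisory describes, as an added illustration that is not Xen's code: a small model of an FXSAVE image, the old check that trusted the ES bit stored in the image, and the corrected check that recomputes ES from the pending and mask bits the way the CPU does. The struct, the constructed register values and the restore model are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed, minimal model of the x87 fields in an FXSAVE image. */
struct fxsave_model {
    uint16_t fcw;   /* control word: bits 0-5 are the exception mask bits  */
    uint16_t fsw;   /* status word: bits 0-5 pending flags, bit 7 is ES     */
    uint16_t fop;   /* last opcode                                          */
    uint64_t fip;   /* last instruction pointer                             */
    uint64_t fdp;   /* last data pointer                                    */
};

#define X87_EXC_BITS 0x003fu   /* IE DE ZE OE UE PE */
#define X87_FSW_ES   0x0080u

/* How the CPU derives ES: an exception is pending (FSW bit set) and unmasked
 * (FCW bit clear). A value of ES written via FXRSTOR/XRSTOR is ignored. */
static bool x87_unmasked_exception_pending(const struct fxsave_model *img)
{
    return (img->fsw & ~img->fcw & X87_EXC_BITS) != 0;
}

/* Old workaround: trusted the ES bit stored in the image. */
static bool old_workaround_needs_clear(const struct fxsave_model *img)
{
    return !(img->fsw & X87_FSW_ES);
}

/* Corrected workaround: recompute ES from pending and mask bits. */
static bool fixed_workaround_needs_clear(const struct fxsave_model *img)
{
    return !x87_unmasked_exception_pending(img);
}

/* Model of the hypervisor's pre-restore scrub followed by an AMD FXRSTOR.
 * `live` holds FIP/FDP/FOP left behind by the previously running guest.
 * Returns the FIP the new guest observes afterwards. */
static uint64_t model_amd_restore(struct fxsave_model live,
                                  const struct fxsave_model *img,
                                  bool (*needs_clear)(const struct fxsave_model *))
{
    if (needs_clear(img)) {                     /* hypervisor scrubs stale state */
        live.fip = 0; live.fdp = 0; live.fop = 0;
    }
    if (x87_unmasked_exception_pending(img)) {  /* only then does AMD hardware load */
        live.fip = img->fip; live.fdp = img->fdp; live.fop = img->fop;
    }
    return live.fip;                            /* otherwise the stale value remains */
}

/* Constructed scenario: previous guest left FIP = 0x1234 live; the new guest's
 * image has ES set but every exception masked, so nothing is really pending. */
static uint64_t demo_inconsistent_image(bool use_fixed)
{
    struct fxsave_model live = { .fcw = 0x037f, .fsw = 0, .fip = 0x1234 };
    struct fxsave_model img  = { .fcw = 0x037f, .fsw = X87_FSW_ES | 0x0001 };
    return model_amd_restore(live, &img, use_fixed ? fixed_workaround_needs_clear
                                                   : old_workaround_needs_clear);
}
```

With the old check the previous guest's FIP survives the restore; with the corrected check it is scrubbed.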

IMPACT

A malicious domain is able to obtain address space usage and timing information about another domain, at a fairly low rate.
The leaked address information might be used to help defeat address space randomisation in order to enable another attack. The leaked address and timing information forms a low-bandwidth covert channel which might be used to gain information about the operation of a target guest.
The affected FPU facility would not normally be used by cryptographic operations, as it does not provide cryptographically-relevant SIMD functions.
It appears to us very unlikely that the leak might directly compromise sensitive information such as cryptographic keys, although (without knowledge of the guest software) this cannot be ruled out. (This is notwithstanding the contrary statement in 'Impact' in XSA-52.)

VULNERABLE SYSTEMS

Xen versions 4.0 and onwards are vulnerable. Any kind of guest can exploit the vulnerability.
The vulnerability is exposed only on AMD x86 systems. Intel and ARM systems do not expose this vulnerability.
Both PV and HVM guests are affected.

Affected CPE: xen, version >= 4.0 (operator: ge)
