From patchwork Thu Apr 11 06:24:13 2024
X-Patchwork-Submitter: Andrea Righi
X-Patchwork-Id: 1922384
From: Andrea Righi
To: kernel-team@lists.ubuntu.com
Subject: [N/U][PATCH 00/11] Apply mitigations for the native BHI hardware vulnerability
Date: Thu, 11 Apr 2024 08:24:13 +0200
Message-ID: <20240411063027.493165-1-andrea.righi@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2060909

[Impact]

Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in the kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Previously the only known real-world BHB attack vector was via unprivileged eBPF. Further research has found attacks that don't require unprivileged eBPF.
See also: https://www.phoronix.com/news/Linux-BHI-Branch-History-Inject

[Test case]

https://www.vusec.net/projects/native-bhi/

[Fix]

Backport from upstream the merge that introduces the spectre_bhi= boot option to control the BHI mitigation:

2bb69f5fc721 ("Merge tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
ed2e8d49b54d ("KVM: x86: Add BHI_NO")
95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file")

Also set spectre_bhi=auto by default, which will rely on the BHI_DIS_S hardware control if it is available on the system CPUs; otherwise a proper software sequence will be executed at VMexit.

NOTE: we may get these changes via stable update in 6.8; when that happens we can drop this backport and apply the patch set like any other regular stable update.

[Regression potential]

We may experience performance regressions with this new mitigation enabled, especially in VMs and on CPUs that don't have the BHI hardware support capability (due to the extra software sequence executed at VMexit).
----------------------------------------------------------------
Andrea Righi (1):
      UBUNTU: [Config] enable spectre_bhi=auto by default

Daniel Sneddon (2):
      x86/bhi: Define SPEC_CTRL_BHI_DIS_S
      KVM: x86: Add BHI_NO

Josh Poimboeuf (1):
      x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

Linus Torvalds (1):
      x86/syscall: Don't force use of indirect calls for system calls

Pawan Gupta (4):
      x86/bhi: Add support for clearing branch history at syscall entry
      x86/bhi: Enumerate Branch History Injection (BHI) bug
      x86/bhi: Add BHI mitigation knob
      x86/bhi: Mitigate KVM by default

Sandipan Das (2):
      x86/cpufeatures: Add new word for scattered features
      perf/x86/amd/lbr: Use freeze based on availability

 Documentation/admin-guide/hw-vuln/spectre.rst   |  48 ++++++++++++++++++++++++++++----
 Documentation/admin-guide/kernel-parameters.txt |  12 ++++++++
 arch/x86/Kconfig                                |  25 +++++++++++++++++
 arch/x86/entry/common.c                         |  10 +++----
 arch/x86/entry/entry_64.S                       |  61 +++++++++++++++++++++++++++++++++++++++++
 arch/x86/entry/entry_64_compat.S                |  16 +++++++++++
 arch/x86/entry/syscall_32.c                     |  21 ++++++++++++--
 arch/x86/entry/syscall_64.c                     |  19 +++++++++++--
 arch/x86/entry/syscall_x32.c                    |  10 +++++--
 arch/x86/events/amd/core.c                      |   4 +--
 arch/x86/events/amd/lbr.c                       |  16 +++++++----
 arch/x86/include/asm/cpufeature.h               |   6 ++--
 arch/x86/include/asm/cpufeatures.h              |  15 +++++++++-
 arch/x86/include/asm/disabled-features.h        |   3 +-
 arch/x86/include/asm/msr-index.h                |   9 +++++-
 arch/x86/include/asm/nospec-branch.h            |  17 ++++++++++++
 arch/x86/include/asm/required-features.h        |   3 +-
 arch/x86/include/asm/syscall.h                  |  11 ++++----
 arch/x86/kernel/cpu/bugs.c                      | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------
 arch/x86/kernel/cpu/common.c                    |  24 ++++++++++------
 arch/x86/kernel/cpu/scattered.c                 |   2 ++
 arch/x86/kvm/reverse_cpuid.h                    |   3 +-
 arch/x86/kvm/vmx/vmenter.S                      |   2 ++
 arch/x86/kvm/x86.c                              |   2 +-
 debian.master/config/annotations                |   3 ++
 25 files changed, 402 insertions(+), 61 deletions(-)
Acked-by: Stefan Bader
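As an added example (not code from this patch series or the Ubuntu kernel tree), a POSIX shell script that reads the 'spectre_v2' sysfs file and the kernel command line this series touches and reports which BHI mitigation is in effect on a kernel carrying the backport; the sysfs path, the "BHI:" field layout and the sample status/cmdline strings are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example, not part of this patch series or the Ubuntu kernel tree:
# report the BHI mitigation state on a kernel carrying this backport.
# Assumptions: the spectre_v2 sysfs file uses semicolon-separated fields
# (per the "commas to semicolons" commit in the series) and carries a
# "BHI:" field; the sample status and cmdline strings below are constructed.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed samples, used only when the live files are not readable.
SAMPLE_STATUS='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop'
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1 spectre_bhi=auto quiet'

# Pull the "BHI:" field out of a semicolon-separated spectre_v2 line;
# prints "unknown" on kernels that predate the backport and lack the field.
bhi_field() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*BHI:[[:space:]]*//p' | head -n 1 | grep . \
        || echo unknown
}

# Classify the field: hw (BHI_DIS_S hardware control), sw (the software
# clearing sequence the cover letter falls back to), none, vulnerable, unknown.
bhi_class() {
    case "$1" in
        unknown)        echo unknown ;;
        "Not affected") echo none ;;
        BHI_DIS_S*)     echo hw ;;
        "SW loop"*)     echo sw ;;
        *)              echo vulnerable ;;
    esac
}

# Return the spectre_bhi= value from a kernel command line, or "(default)"
# when it is absent (this series makes spectre_bhi=auto the default).
bhi_cmdline_opt() {
    for tok in $1; do
        case "$tok" in
            spectre_bhi=*) echo "${tok#spectre_bhi=}"; return 0 ;;
        esac
    done
    echo "(default)"
}

# Prefer the live files; fall back to the constructed samples offline.
status=$( [ -r "$SPECTRE_V2_SYSFS" ] && cat "$SPECTRE_V2_SYSFS" || printf '%s' "$SAMPLE_STATUS" )
cmdline=$( [ -r /proc/cmdline ] && cat /proc/cmdline || printf '%s' "$SAMPLE_CMDLINE" )
field=$(bhi_field "$status")
printf 'spectre_bhi=%s\nBHI field: %s\nBHI class: %s\n' "$(bhi_cmdline_opt "$cmdline")" "$field" "$(bhi_class "$field")"
```

A "vulnerable" class on a CPU that has the BHI bug means neither BHI_DIS_S nor the software sequence is active for the host, which is what you would expect to see with spectre_bhi=off or on a kernel without the backport.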