Message ID | 20240417235401.243631-1-yuxuan.luo@canonical.com
---|---
Series | CVE-2024-2201
There's a bunch of follow-on fixes that we probably want/need. They're also missing from jammy but should come in through a regular stable update.

ec9404e40e8f x86/bhi: Add BHI mitigation knob
69129794d94c x86/bugs: Fix BHI retpoline check
5f882f3b0a8b x86/bugs: Clarify that syscall hardening isn't a BHI mitigation
1cea8a280dfd x86/bugs: Fix BHI handling of RRSBA
cb2db5bb04d7 x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES
dfe648903f42 x86/bugs: Fix BHI documentation

...Juerg

On Wed, 17 Apr 2024 19:53:50 -0400 Yuxuan Luo <yuxuan.luo@canonical.com> wrote:

> [Impact]
> Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
> obtain kernel memory information without the help of unprivileged eBPF, negating
> the previous belief that unprivileged eBPF is the only real-world source of
> such an attack. Also, this vulnerability affects KVM as well.
>
> [Backport]
> [1/8] 0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs
> file")
> - Since the prerequisite commit, 1d30800c0c0a ("x86/bugs: Use sysfs_emit()"),
>   introduces more conflicts yet only solves a printing function conflict,
>   manually substitute ',' with ';'.
>
> [2/8] 1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system
> calls")
> - (Details in the patch)
>
> [3/8] 7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall
> entry")
> - Pick the stable/5.15.y backport since be5341eb0d43 ("x86/entry: Convert INT
>   0x80 emulation to IDTENTRY") is not in the tree; changes made for common.h are
>   discarded.
> - For entry_64.S, because bc7b11c04ee9 ("x86/asm/64: Change all ENTRY+END to
>   SYM_CODE_*") is not in the tree, substitute SYM_FUNC_START/SYM_FUNC_END with
>   ENTRY/END.
> - A dependency issue occurs because ANNOTATE_INTRA_FUNCTION_CALL is not defined
>   and STACK_FRAME_NON_STANDARD is not provided with an assembly code version; the
>   following dependent commits should be backported:
>   - 081df94301e3 ("objtool: Add asm version of STACK_FRAME_NON_STANDARD")
>     - introduced the needed asm version of STACK_FRAME_NON_STANDARD.
>     - applied changes for include/linux/objtool.h to include/linux/frame.h and
>       ignored tools/include/linux/objtool.h.
>   - 5567c6c39f34 ("objtool: Only include valid definitions depending on source
>     file type")
>     - adds __ASSEMBLY__ macros to differentiate C and ASM.
>   - 8aa8eb2a8f5b ("objtool: Add support for intra-function calls")
>     - use stable/5.4.y: f8f25fde0cc680f6488aea6a0a1f80e689525e18
>     - introduced ANNOTATE_INTRA_FUNCTION_CALL.
>
> [4/8] 0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
> - reverse_cpuid.h: since 4e66c0cb79b7 ("KVM: x86: Add support for reverse CPUID
>   lookup of scattered features") is not in the tree, there is no point
>   backporting reverse_cpuid.h related changes.
>
> [5/8] be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
> - Conflicts in both files can be ignored since they are all context differences.
>
> [6/8] ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
> - This commit is backported in the same scheme as Jammy's.
>
> [7/8] 95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
> - Clean cherry pick.
>
> [8/8] ed2e8d49b54d ("KVM: x86: Add BHI_NO")
> - Since 0204750bd4c6ccc2fb7417618477f10373b33f56 ("KVM: x86: Mask off
>   unsupported and unknown bits of IA32_ARCH_CAPABILITIES") is not in the tree,
>   the feature is not supported; ignore this patch.
>
> [Test]
> Compiled only.
>
> [Where things could go wrong]
> This patch is more about enabling CPU features and reducing the branch history
> exposed; therefore, that the system is able to boot and run should denote that
> it is not introducing any regression.
>
> For KVM, the most significant impact is the performance regression due to system
> call substitution, since branch prediction probably won't perform as fast as the
> previous version for users who do not care about the mitigation.
>
> Alexandre Chartre (1):
>   objtool: Add support for intra-function calls
>
> Daniel Sneddon (1):
>   x86/bhi: Define SPEC_CTRL_BHI_DIS_S
>
> Josh Poimboeuf (2):
>   objtool: Add asm version of STACK_FRAME_NON_STANDARD
>   x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
>
> Julien Thierry (1):
>   objtool: Only include valid definitions depending on source file type
>
> Linus Torvalds (1):
>   x86/syscall: Don't force use of indirect calls for system calls
>
> Pawan Gupta (4):
>   x86/bhi: Add support for clearing branch history at syscall entry
>   x86/bhi: Enumerate Branch History Injection (BHI) bug
>   x86/bhi: Add BHI mitigation knob
>   x86/bhi: Mitigate KVM by default
>
> Yuxuan Luo (1):
>   UBUNTU: [Config] updateconfigs for CONFIG_BHI_{AUTO|OFF|ON}
>
>  Documentation/admin-guide/hw-vuln/spectre.rst |  51 +++++++-
>  .../admin-guide/kernel-parameters.txt         |  12 ++
>  arch/x86/Kconfig                              |  25 ++++
>  arch/x86/entry/common.c                       |  11 +-
>  arch/x86/entry/entry_64.S                     |  61 +++++++++
>  arch/x86/entry/entry_64_compat.S              |   3 +
>  arch/x86/entry/syscall_32.c                   |  33 +++++
>  arch/x86/entry/syscall_64.c                   |  27 ++++
>  arch/x86/include/asm/cpufeatures.h            |  12 ++
>  arch/x86/include/asm/msr-index.h              |   9 +-
>  arch/x86/include/asm/nospec-branch.h          |  17 +++
>  arch/x86/include/asm/syscall.h                |   4 +
>  arch/x86/kernel/cpu/bugs.c                    | 121 ++++++++++++++++--
>  arch/x86/kernel/cpu/common.c                  |  24 ++--
>  arch/x86/kernel/cpu/scattered.c               |   1 +
>  arch/x86/kvm/vmx/vmenter.S                    |   2 +
>  debian.master/config/annotations              |   3 +
>  include/linux/frame.h                         |  26 ++++
>  .../Documentation/stack-validation.txt        |   8 ++
>  tools/objtool/arch/x86/decode.c               |   6 +
>  tools/objtool/check.c                         |  62 ++++++++-
>  21 files changed, 478 insertions(+), 40 deletions(-)
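The cover letter's [Test] section says "Compiled only", so the one thing a reviewer would want next is a runtime check that the backported series actually reports a BHI state on a booted kernel. The script below is an added example for this thread, not code from the series or from the Ubuntu kernel tree. It assumes the sysfs wording used by upstream bugs.c after the BHI patches ("BHI: BHI_DIS_S", "BHI: SW loop, KVM: SW loop", "BHI: Retpoline", "BHI: Vulnerable", "BHI: Not affected"), the `spectre_bhi=` boot parameter added by the mitigation knob patch, and a Kconfig symbol matching the CONFIG_BHI_{AUTO|OFF|ON} naming in the [Config] commit title; the sample sysfs lines, cmdline and .config fragment are constructed, not captured from a machine. It also shows why patch 1/8 (commas to semicolons) matters: a pre-series kernel still separates fields with commas and the parser then finds no BHI field at all.

```python
"""Runtime check for the BHI mitigation state exposed by the BHI series.

Added example for this review thread; not code from the series or the
Ubuntu tree. Field wording, the spectre_bhi= parameter and the Kconfig
symbol pattern are assumptions (see the lead-in). Samples are constructed.
"""
import re
from typing import Dict, Optional

SYSFS_SPECTRE_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"
PROC_CMDLINE = "/proc/cmdline"

# Constructed samples: hardware BHI_DIS_S, the software clearing loop, and a
# kernel predating patch 1/8 (comma separators, no BHI field at all).
SAMPLE_HW = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
             "RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S")
SAMPLE_SW = ("Mitigation: Retpolines; IBPB: conditional; IBRS_FW; "
             "STIBP: always-on; RSB filling; PBRSB-eIBRS: Not affected; "
             "BHI: SW loop, KVM: SW loop")
SAMPLE_OLD = ("Mitigation: Retpolines, IBPB: conditional, IBRS_FW, "
              "STIBP: always-on, RSB filling")


def parse_spectre_v2(line: str) -> Dict[str, str]:
    """Split the spectre_v2 line into fields keyed by their label.

    Patch 1/8 changes the separator from ',' to ';' so that a value such as
    "SW loop, KVM: SW loop" may itself contain a comma; hence split on ';'
    only. The first field goes under "status"; bare flags like "IBRS_FW"
    map to an empty string.
    """
    parts = [p.strip() for p in line.strip().split(";") if p.strip()]
    fields: Dict[str, str] = {}
    if not parts:
        return fields
    fields["status"] = parts[0]
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        fields[key.strip()] = value.strip() if sep else ""
    return fields


def bhi_state(fields: Dict[str, str]) -> str:
    """Classify BHI as 'mitigated', 'vulnerable', 'not_affected' or 'unknown'.

    'unknown' means the kernel reports no BHI field, i.e. the series (or at
    least its sysfs reporting) is not running on this box.
    """
    bhi = fields.get("BHI")
    if bhi is None:
        status = fields.get("status", "")
        return "vulnerable" if status.startswith("Vulnerable") else "unknown"
    if bhi.startswith("Not affected"):
        return "not_affected"
    if bhi.startswith("Vulnerable"):
        return "vulnerable"
    return "mitigated"


def spectre_bhi_cmdline(cmdline: str) -> Optional[str]:
    """Return the value of the last spectre_bhi= boot parameter, if any."""
    found = re.findall(r"(?:^|\s)spectre_bhi=(\S+)", cmdline)
    return found[-1] if found else None


def bhi_kconfig(config_text: str) -> Optional[str]:
    """Return the enabled BHI Kconfig choice (e.g. CONFIG_BHI_AUTO) or None.

    The pattern tolerates text between CONFIG_ and BHI_ because the cover
    letter abbreviates the symbol names (assumption).
    """
    m = re.search(r"^(CONFIG_\w*BHI_(?:AUTO|ON|OFF))=y$", config_text, re.M)
    return m.group(1) if m else None


def assess(line: str, cmdline: str = "") -> Dict[str, object]:
    """Combine the sysfs field and the boot parameter into one verdict."""
    fields = parse_spectre_v2(line)
    state = bhi_state(fields)
    knob = spectre_bhi_cmdline(cmdline)
    # spectre_bhi=off makes a 'Vulnerable' report expected, not a regression.
    expected_off = knob == "off" and state == "vulnerable"
    return {
        "bhi": fields.get("BHI"),
        "state": state,
        "spectre_bhi": knob,
        "ok": state in ("mitigated", "not_affected") or expected_off,
    }


def _read(path: str) -> str:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    # On a real host read the live files; otherwise walk the constructed samples.
    live = _read(SYSFS_SPECTRE_V2)
    if live:
        print(assess(live, _read(PROC_CMDLINE)))
    else:
        for sample in (SAMPLE_HW, SAMPLE_SW, SAMPLE_OLD):
            print(assess(sample, "root=/dev/sda1 spectre_bhi=auto"))
```

Run it on the test kernel as well as on the previous one: the old kernel should come back `state: unknown`, the patched one `mitigated` (or `vulnerable` only when `spectre_bhi=off` was deliberately passed), which is the regression signal a compile-only test cannot give.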