
[SRU,Focal,00/15] CVE-2024-2201

Message ID 20240517075728.9722-1-yuxuan.luo@canonical.com

Message

Yuxuan Luo May 17, 2024, 7:57 a.m. UTC
[Impact]
Native BHI has shown that Linux on Intel CPUs is still vulnerable to
Spectre v2 attacks even with eIBRS enabled, making it possible for
malicious userspace programs to leak kernel memory.

[Backport]
This patchset consists of 4 parts:
1. Native BHI patchset
2. Config update
3. Native BHI follow-up fix round 1
4. Native BHI follow-up fix round 2

[Test]
Boot tested with confirmation that the VMexit SW loop is called.

[Where things could go wrong]
Kernel crashes on affected CPUs, likely at boot. VMexit is also patched
so booting a VM on an affected host could cause host kernel crashes as
well.


Daniel Sneddon (1):
  x86/bhi: Define SPEC_CTRL_BHI_DIS_S

Ingo Molnar (1):
  x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'

Josh Poimboeuf (6):
  x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
  x86/bugs: Fix BHI documentation
  x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES
  x86/bugs: Fix BHI handling of RRSBA
  x86/bugs: Clarify that syscall hardening isn't a BHI mitigation
  x86/bugs: Fix BHI retpoline check

Pawan Gupta (4):
  x86/bhi: Add support for clearing branch history at syscall entry
  x86/bhi: Enumerate Branch History Injection (BHI) bug
  x86/bhi: Add BHI mitigation knob
  x86/bhi: Mitigate KVM by default

Sandipan Das (1):
  x86/cpufeatures: Add new word for scattered features

Sean Christopherson (1):
  x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined
    word

Yuxuan Luo (1):
  UBUNTU: [Config] updateconfigs for CONFIG_BHI_{AUTO|ON|OFF}

 Documentation/admin-guide/hw-vuln/spectre.rst |  44 ++++-
 .../admin-guide/kernel-parameters.txt         |  13 ++
 arch/x86/Kconfig                              |  25 +++
 arch/x86/entry/entry_64.S                     |  58 ++++++
 arch/x86/entry/entry_64_compat.S              |   3 +
 arch/x86/include/asm/cpufeature.h             |   8 +-
 arch/x86/include/asm/cpufeatures.h            |  14 +-
 arch/x86/include/asm/disabled-features.h      |   3 +-
 arch/x86/include/asm/msr-index.h              |   9 +-
 arch/x86/include/asm/nospec-branch.h          |  17 ++
 arch/x86/include/asm/required-features.h      |   3 +-
 arch/x86/kernel/cpu/bugs.c                    | 176 ++++++++++++++----
 arch/x86/kernel/cpu/common.c                  |  62 +++---
 arch/x86/kernel/cpu/scattered.c               |   1 +
 arch/x86/kvm/cpuid.h                          |   2 +
 arch/x86/kvm/vmx/vmenter.S                    |   2 +
 debian.master/config/annotations              |   3 +
 17 files changed, 365 insertions(+), 78 deletions(-)

Comments

Tim Gardner May 17, 2024, 9:21 a.m. UTC | #1
On 5/17/24 09:57, Yuxuan Luo wrote:
> [...]

Acked-by: Tim Gardner <tim.gardner@canonical.com>

Roxana Nicolescu May 27, 2024, 1:13 p.m. UTC | #2
On 17/05/2024 09:57, Yuxuan Luo wrote:
> [...]
For noble and jammy this is enabled by default by having one option
`CONFIG_MITIGATION_SPECTRE_BHI = y`.
I wonder if we should follow a similar approach here too.
Nevertheless, the patchset looks good and we can also change it to
default later.

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
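A way to confirm on a booted host what the [Test] line and the config discussion above are about: an added POSIX sh check, not code from this series or from the Ubuntu kernel team. It assumes the sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2 and /boot/config-$(uname -r); the SAMPLE status line is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not part of the patch series: report the BHI mitigation state
# this backport exposes. Assumed paths: the spectre_v2 sysfs file and
# /boot/config-$(uname -r); the SAMPLE line at the bottom is constructed.

# Extract the "BHI: ..." field. After the "commas to semicolons" change in this
# series the fields are ';'-separated; the BHI field keeps its own "KVM:" part.
bhi_field() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*BHI: *//p' | head -n 1
}

# An empty field means the kernel predates the BHI patches (unpatched Focal).
bhi_state() {
    field=$(bhi_field "$1")
    case "$field" in
        "")              echo unknown ;;
        "Not affected"*) echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo mitigated ;;
    esac
}

# Build-time default from a kernel config on stdin: Focal uses
# CONFIG_BHI_{AUTO|ON|OFF}; jammy/noble the single CONFIG_MITIGATION_SPECTRE_BHI.
bhi_config_default() {
    cfg=$(cat)
    has() { printf '%s\n' "$cfg" | grep -qx "$1"; }
    if   has 'CONFIG_MITIGATION_SPECTRE_BHI=y'; then echo on
    elif has 'CONFIG_BHI_ON=y';   then echo on
    elif has 'CONFIG_BHI_AUTO=y'; then echo auto
    elif has 'CONFIG_BHI_OFF=y';  then echo off
    else echo none
    fi
}

# Live check of this host; skipped where the files are absent.
report_live() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    c="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then line=$(cat "$f"); echo "spectre_v2: $line (BHI: $(bhi_state "$line"))"; fi
    if [ -r "$c" ]; then echo "config default: $(bhi_config_default < "$c")"; fi
}

# Constructed sample of the post-patch format, not captured from a real host.
SAMPLE='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop'
echo "sample -> $(bhi_state "$SAMPLE")"   # mitigated
report_live
```

A result of "unknown" on a Focal host means the running kernel still lacks this backport, which is the case the series addresses.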
Andrei Gherzan May 28, 2024, 12:07 p.m. UTC | #3
On 24/05/17 03:57am, Yuxuan Luo wrote:
> [...]

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>
Stefan Bader May 31, 2024, 12:38 p.m. UTC | #4
On 17.05.24 09:57, Yuxuan Luo wrote:
> [...]

Applied to focal:linux/master-next. Thanks.

-Stefan