From patchwork Fri May 17 07:57:13 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1936296
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH 00/15] CVE-2024-2201
Date: Fri, 17 May 2024 03:57:13 -0400
Message-Id: <20240517075728.9722-1-yuxuan.luo@canonical.com>

[Impact]
Native BHI has shown that Linux on Intel CPUs is still vulnerable to
Spectre v2 attack even with eIBRS enabled, making it possible for
malicious userspace programs to leak kernel memory.

[Backport]
This patchset consists of 4 parts:
1. Native BHI patchset
2. Config update
3. Native BHI follow up fix round 1
4. Native BHI follow up fix round 2

[Test]
Boot tested with confirmation that the VMexit SW loop is called.

[Where things could go wrong]
Kernel crashes on affected CPUs, likely at boot. VMexit is also patched
so booting a VM on an affected host could cause host kernel crashes as
well.

Daniel Sneddon (1):
  x86/bhi: Define SPEC_CTRL_BHI_DIS_S

Ingo Molnar (1):
  x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'

Josh Poimboeuf (6):
  x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
  x86/bugs: Fix BHI documentation
  x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES
  x86/bugs: Fix BHI handling of RRSBA
  x86/bugs: Clarify that syscall hardening isn't a BHI mitigation
  x86/bugs: Fix BHI retpoline check

Pawan Gupta (4):
  x86/bhi: Add support for clearing branch history at syscall entry
  x86/bhi: Enumerate Branch History Injection (BHI) bug
  x86/bhi: Add BHI mitigation knob
  x86/bhi: Mitigate KVM by default

Sandipan Das (1):
  x86/cpufeatures: Add new word for scattered features

Sean Christopherson (1):
  x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word

Yuxuan Luo (1):
  UBUNTU: [Config] updateconfigs for CONFIG_BHI_{AUTO|ON|OFF}

 Documentation/admin-guide/hw-vuln/spectre.rst |  44 ++++-
 .../admin-guide/kernel-parameters.txt         |  13 ++
 arch/x86/Kconfig                              |  25 +++
 arch/x86/entry/entry_64.S                     |  58 ++++++
 arch/x86/entry/entry_64_compat.S              |   3 +
 arch/x86/include/asm/cpufeature.h             |   8 +-
 arch/x86/include/asm/cpufeatures.h            |  14 +-
 arch/x86/include/asm/disabled-features.h      |   3 +-
 arch/x86/include/asm/msr-index.h              |   9 +-
 arch/x86/include/asm/nospec-branch.h          |  17 ++
 arch/x86/include/asm/required-features.h      |   3 +-
 arch/x86/kernel/cpu/bugs.c                    | 176 ++++++++++++++----
 arch/x86/kernel/cpu/common.c                  |  62 +++---
 arch/x86/kernel/cpu/scattered.c               |   1 +
 arch/x86/kvm/cpuid.h                          |   2 +
 arch/x86/kvm/vmx/vmenter.S                    |   2 +
 debian.master/config/annotations              |   3 +
 17 files changed, 365 insertions(+), 78 deletions(-)

Acked-by: Tim Gardner
Acked-by: Roxana Nicolescu
Acked-by: Andrei Gherzan
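
A post-boot check to go with the [Test] section, reading the 'spectre_v2' sysfs file that the series touches. This is an added example, not part of the submission or of the kernel tree; the BHI status strings are assumed to match upstream Linux, and the sample lines are constructed rather than captured from a host.

```shell
#!/bin/sh
# Added example: classify the BHI part of the spectre_v2 sysfs report.
# Assumption: status strings follow upstream Linux; a Focal backport may differ.

SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed sample lines (not captured from a real host).
SAMPLE_SW_LOOP='Mitigation: Enhanced IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop'
SAMPLE_KVM_ONLY='Mitigation: Enhanced IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: Vulnerable, KVM: SW loop'
SAMPLE_OLD_KERNEL='Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: SW sequence'

# Print the text after "BHI:" from a spectre_v2 line, or nothing if absent.
# Fields are split on ';' only, because the BHI field itself contains a comma
# ("SW loop, KVM: SW loop"); this relies on the semicolon change in the series.
bhi_field() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*BHI:[[:space:]]*//p' | head -n 1
}

# Map the BHI field to a verdict an audit script can act on.
bhi_verdict() {
    case "$(bhi_field "$1")" in
        "")                         echo unreported ;;   # kernel lacks the series
        "Not affected")             echo not-affected ;;
        "BHI_DIS_S"|"Retpoline"|"SW loop, KVM: SW loop")
                                    echo mitigated ;;
        "Vulnerable, KVM: SW loop") echo partial ;;      # only VM exits are covered
        Vulnerable*)                echo vulnerable ;;
        *)                          echo unknown ;;      # string not in the assumed set
    esac
}

# Report on the constructed samples, then on the running kernel if readable.
for sample in "$SAMPLE_SW_LOOP" "$SAMPLE_KVM_ONLY" "$SAMPLE_OLD_KERNEL"; do
    echo "sample: $(bhi_verdict "$sample")"
done
if [ -r "$SYSFS" ]; then
    echo "live:   $(bhi_verdict "$(cat "$SYSFS")")"
fi
```

An "unreported" result means the kernel does not print a BHI field in the semicolon-separated format, which is what a host still running the pre-update kernel would show.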