From patchwork Mon Aug 26 15:01:17 2024
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J][PATCH v3 0/8] CVE-2024-25744
Date: Mon, 26 Aug 2024 11:01:17 -0400
Message-Id: <20240826150125.1347359-1-yuxuan.luo@canonical.com>

v2: The v1 patch would make Jammy vulnerable to CVE-2024-2201 Native BHI
again; this v2 patch solves this issue.

v3: Solved some errors for [8/8]: duplicated parts of re-backporting
7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall
entry") and conflicts with ac8b270b61d4 ("x86/bhi: Avoid warning in #DB
handler due to BHI mitigation").

[Impact]
In an x86 environment, untrusted virtual machines are able to send an
interrupt that will be mistakenly interpreted by the host as an INT80
interrupt sent from host userspace programs, posing a threat to the host's
confidentiality.

[Backport]
For Jammy, a prerequisite for the patch set, 1da5c9bc119d ("x86: Introduce
ia32_enabled()"), is needed, as denoted in the fix commit message. A
follow-up fix, 32f5f73b79ff ("x86/fred: Fix INT80 emulation for FRED"), can
be ignored because it is FRED specific and FRED is yet to be introduced by
14619d912b65 ("x86/fred: FRED entry/exit and dispatch code").

Since this fix also touches the same code that the Native BHI fix modified,
7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall
entry") needs to be backported again to adjust certain context, which
requires f34f0d3c10eb ("x86/entry: Add do_SYSENTER_32() prototype") as a
prerequisite.

[Test]
Compile and boot tested in a VM.

[Where things could go wrong]
It affects users running x32 operating system VMs on confidential computing
VMMs.

Arnd Bergmann (1):
  x86/entry: Add do_SYSENTER_32() prototype

Kirill A. Shutemov (1):
  x86/coco: Disable 32-bit emulation by default on TDX and SEV

Kuppuswamy Sathyanarayanan (1):
  x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c

Lukas Bulwahn (1):
  x86: Fix misspelled Kconfig symbols

Nikolay Borisov (1):
  x86: Introduce ia32_enabled()

Pawan Gupta (1):
  x86/bhi: Add support for clearing branch history at syscall entry

Thomas Gleixner (2):
  x86/entry: Convert INT 0x80 emulation to IDTENTRY
  x86/entry: Do not allow external 0x80 interrupts

 arch/x86/entry/common.c                        |  97 ++++++++++++++-
 arch/x86/entry/entry_64_compat.S               | 114 ++----------------
 arch/x86/include/asm/ia32.h                    |  23 +++-
 arch/x86/include/asm/idtentry.h                |   4 +
 arch/x86/include/asm/irq_stack.h               |   2 +-
 arch/x86/include/asm/nospec-branch.h           |   4 +
 arch/x86/include/asm/page_32.h                 |   2 +-
 arch/x86/include/asm/proto.h                   |   4 -
 arch/x86/include/asm/syscall.h                 |   7 +-
 arch/x86/include/asm/uaccess.h                 |   2 +-
 arch/x86/kernel/idt.c                          |   2 +-
 arch/x86/mm/Makefile                           |   8 +-
 .../mm/{mem_encrypt.c => mem_encrypt_amd.c}    |  11 ++
 arch/x86/xen/enlighten_pv.c                    |   2 +-
 arch/x86/xen/xen-asm.S                         |   2 +-
 15 files changed, 164 insertions(+), 120 deletions(-)
 rename arch/x86/mm/{mem_encrypt.c => mem_encrypt_amd.c} (97%)

Acked-by: Aaron Jauregui
Acked-by: Philip Cox