| Message ID | 20180225143111.GF4362@brain |
|---|---|
| State | New |
| Series | [SRU,trusty] retpoline/IBPB combined mitigation |
Positive testing.
On 25/02/18 14:31, Andy Whitcroft wrote:
> Add retpoline support to Trusty. This combines a backport of the upstream
> retpoline patches from v4.4 to the existing IBRS/IBPB mitigation we
> already have applied. It also updates the Intel mitigation to the
> latest version.
>
> This pull request appears more complex than you might otherwise hope as
> we are slowly replacing the non-upstream code with upstream code as each
> part becomes available. To this end we are taking off our non-upstream
> code applying the new upstream code and reapplying the non-upstream code
> over the top. This means it is the patches we are looking to replace
> that end up with any delta folded into them not the upstream patches.
>
> Proposing for SRU to trusty.
>
> -apw
>
> The following changes since commit fbfa1ca679dd9ede02e1e776e26021c21cae872e:
>
> powerpc: Do not call ppc_md.panic in fadump panic notifier (2018-02-20 09:47:47 +0100)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/trusty-retpoline-intelv1
>
> for you to fetch changes up to 901c1131a46ef96e376216d60267e73de5c16232:
>
> UBUNTU: [Packaging] final-checks -- check for empty retpoline files (2018-02-22 12:09:21 +0000)
>
> ----------------------------------------------------------------
> * retpoline abi files are empty on i386 (LP: #1751021)
> - [Packaging] retpoline-extract -- instantiate retpoline files for i386
> - [Packaging] final-checks -- sanity checking ABI contents
> - [Packaging] final-checks -- check for empty retpoline files
>
> * CVE-2017-5715 (Spectre v2 Intel)
> - x86, microcode: Share native MSR accessing variants
> - kvm: vmx: Scrub hardware GPRs at VM-exit
> - SAUCE: x86/feature: Enable the x86 feature to control Speculation
> - SAUCE: x86/feature: Report presence of IBPB and IBRS control
> - SAUCE: x86/enter: MACROS to set/clear IBRS and set IBPB
> - SAUCE: x86/enter: Use IBRS on syscall and interrupts
> - SAUCE: x86/idle: Disable IBRS entering idle and enable it on wakeup
> - SAUCE: x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
> - SAUCE: x86/mm: Set IBPB upon context switch
> - SAUCE: x86/mm: Only set IBPB when the new thread cannot ptrace current thread
> - SAUCE: x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
> - SAUCE: x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
> - SAUCE: x86/kvm: Set IBPB when switching VM
> - SAUCE: x86/kvm: Toggle IBRS on VM entry and exit
> - SAUCE: x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
> - SAUCE: x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
> - SAUCE: x86/cpu/AMD: Add speculative control support for AMD
> - SAUCE: x86/microcode: Extend post microcode reload to support IBPB feature
> - SAUCE: KVM: SVM: Do not intercept new speculative control MSRs
> - SAUCE: x86/svm: Set IBRS value on VM entry and exit
> - SAUCE: x86/svm: Set IBPB when running a different VCPU
> - SAUCE: KVM: x86: Add speculative control CPUID support for guests
> - SAUCE: x86/entry: Fixup 32bit compat call locations
> - SAUCE: KVM: Fix spec_ctrl CPUID support for guests
> - SAUCE: x86/cpuid: Fix ordering of scattered feature list
> - SAUCE: turn off IBRS when full retpoline is present
>
> * CVE-2017-5753 (Spectre v1 Intel)
> - x86: Add another set of MSR accessor functions
> - x86/cpu/AMD: Make the LFENCE instruction serialized
> - SAUCE: x86/cpu/AMD: switch to lfence rather than mfence
> - locking/barriers: introduce new observable speculation barrier
> - bpf: prevent speculative execution in eBPF interpreter
> - uvcvideo: prevent speculative execution
> - carl9170: prevent speculative execution
> - qla2xxx: prevent speculative execution
> - fs: prevent speculative execution
> - udf: prevent speculative execution
> - userns: prevent speculative execution
> - SAUCE: claim mitigation via observable speculation barrier
> - powerpc: add osb barrier
> - s390/spinlock: add osb memory barrier
> - arm64: no osb() implementation yet
> - arm: no osb() implementation yet
>
> * CVE-2017-5715 (Spectre v2 retpoline)
> - x86/alternatives: Fix ALTERNATIVE_2 padding generation properly
> - x86/alternatives: Fix alt_max_short macro to really be a max()
> - x86/alternatives: Guard NOPs optimization
> - x86/alternatives: Switch AMD F15h and later to the P6 NOPs
> - x86/alternatives: Make optimize_nops() interrupt safe and synced
> - x86/alternatives: Fix optimize_nops() checking
> - x86/cpuid: Provide get_scattered_cpuid_leaf()
> - x86/cpu: Factor out application of forced CPU caps
> - x86/cpufeatures: Make CPU bugs sticky
> - x86/cpufeatures: Add X86_BUG_CPU_INSECURE
> - x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
> - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
> - x86/cpu, x86/pti: Do not enable PTI on AMD processors
> - x86/cpu: Merge bugs.c and bugs_64.c
> - sysfs/cpu: Add vulnerability folder
> - x86/cpu: Implement CPU vulnerabilites sysfs functions
> - x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
> - x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier
> - x86/asm: Use register variable to get stack pointer value
> - x86/kbuild: enable modversions for symbols exported from asm
> - x86/asm: Make asm/alternative.h safe from assembly
> - EXPORT_SYMBOL() for asm
> - kconfig.h: use __is_defined() to check if MODULE is defined
> - x86/retpoline: Add initial retpoline support
> - x86/spectre: Add boot time option to select Spectre v2 mitigation
> - x86/retpoline/crypto: Convert crypto assembler indirect jumps
> - x86/retpoline/entry: Convert entry assembler indirect jumps
> - x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
> - x86/retpoline/hyperv: Convert assembler indirect jumps
> - x86/retpoline/xen: Convert Xen hypercall indirect jumps
> - x86/retpoline/checksum32: Convert assembler indirect jumps
> - x86/retpoline/irq32: Convert assembler indirect jumps
> - x86/retpoline: Fill return stack buffer on vmexit
> - x86/retpoline: Remove compile time warning
> - x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
> - module: Add retpoline tag to VERMAGIC
> - x86/mce: Make machine check speculation protected
> - retpoline: Introduce start/end markers of indirect thunk
> - kprobes/x86: Disable optimizing on the function jumps to indirect thunk
> - x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
> - [Config] CONFIG_RETPOLINE=y
> - [Packaging] retpoline -- add call site validation
> - [Packaging] retpoline files must be sorted
> - [Config] disable retpoline for the first upload
>
> * CVE-2017-5715 (revert embargoed) // CVE-2017-5753 (revert embargoed)
> - Revert "UBUNTU: SAUCE: x86/cpuid: Fix ordering of scattered feature list"
> - Revert "UBUNTU: SAUCE: KVM: Fix spec_ctrl CPUID support for guests"
> - Revert "UBUNTU: SAUCE: x86/entry: Fixup 32bit compat call locations"
> - Revert "UBUNTU: SAUCE: powerpc: no gmb() implementation yet"
> - Revert "UBUNTU: SAUCE: arm: no gmb() implementation yet"
> - Revert "UBUNTU: SAUCE: arm64: no gmb() implementation yet"
> - Revert "UBUNTU: SAUCE: x86/kvm: Fix stuff_RSB() for 32-bit"
> - Revert "UBUNTU: SAUCE: x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature"
> - Revert "UBUNTU: SAUCE: x86/cpu/AMD: Make the LFENCE instruction serialized"
> - Revert "UBUNTU: SAUCE: x86/svm: Add code to clobber the RSB on VM exit"
> - Revert "UBUNTU: SAUCE: KVM: x86: Add speculative control CPUID support for guests"
> - Revert "UBUNTU: SAUCE: x86/svm: Set IBPB when running a different VCPU"
> - Revert "UBUNTU: SAUCE: x86/svm: Set IBRS value on VM entry and exit"
> - Revert "UBUNTU: SAUCE: KVM: SVM: Do not intercept new speculative control MSRs"
> - Revert "UBUNTU: SAUCE: x86/microcode: Extend post microcode reload to support IBPB feature"
> - Revert "UBUNTU: SAUCE: x86/cpu/AMD: Add speculative control support for AMD"
> - Revert "UBUNTU: SAUCE: x86/entry: Use retpoline for syscall's indirect calls"
> - Revert "UBUNTU: SAUCE: x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control"
> - Revert "UBUNTU: SAUCE: x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature"
> - Revert "UBUNTU: SAUCE: x86/kvm: Pad RSB on VM transition"
> - Revert "UBUNTU: SAUCE: x86/kvm: Toggle IBRS on VM entry and exit"
> - Revert "UBUNTU: SAUCE: x86/kvm: Set IBPB when switching VM"
> - Revert "UBUNTU: SAUCE: x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm"
> - Revert "UBUNTU: SAUCE: x86/entry: Stuff RSB for entry to kernel for non-SMEP platform"
> - Revert "UBUNTU: SAUCE: x86/mm: Only set IBPB when the new thread cannot ptrace current thread"
> - Revert "UBUNTU: SAUCE: x86/mm: Set IBPB upon context switch"
> - Revert "UBUNTU: SAUCE: x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup"
> - Revert "UBUNTU: SAUCE: x86/idle: Disable IBRS entering idle and enable it on wakeup"
> - Revert "UBUNTU: SAUCE: x86/enter: Use IBRS on syscall and interrupts"
> - Revert "UBUNTU: SAUCE: x86/enter: MACROS to set/clear IBRS and set IBPB"
> - Revert "UBUNTU: SAUCE: x86/feature: Report presence of IBPB and IBRS control"
> - Revert "UBUNTU: SAUCE: x86/feature: Enable the x86 feature to control Speculation"
> - Revert "UBUNTU: SAUCE: udf: prevent speculative execution"
> - Revert "UBUNTU: SAUCE: fs: prevent speculative execution"
> - Revert "UBUNTU: SAUCE: userns: prevent speculative execution"
> - Revert "UBUNTU: SAUCE: cw1200: prevent speculative execution"
> - Revert "UBUNTU: SAUCE: qla2xxx: prevent speculative execution"
> - Revert "UBUNTU: SAUCE: p54: prevent speculative execution"
> - Revert "UBUNTU: SAUCE: carl9170: prevent speculative execution"
> - Revert "UBUNTU: SAUCE: uvcvideo: prevent speculative execution"
> - Revert "UBUNTU: SAUCE: locking/barriers: introduce new memory barrier gmb()"
> - Revert "kvm: vmx: Scrub hardware GPRs at VM-exit"
> - Revert "x86/cpuid: Provide get_scattered_cpuid_leaf()"
> - Revert "x86: Add another set of MSR accessor functions"
> - Revert "x86, microcode: Share native MSR accessing variants"

I'm happy to ACK these as I had positive testing results on these.

Acked-by: Colin Ian King <colin.king@canonical.com>
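The series above carries the upstream "sysfs/cpu: Add vulnerability folder" and "x86/cpu: Implement CPU vulnerabilites sysfs functions" patches, which are what an administrator reads back after installing the kernel to confirm which Spectre/Meltdown mitigation is actually active. The script below is an added example written for this page; it is not part of the pull request or of the Ubuntu kernel tree. It assumes the upstream interface as exposed by those patches: one file per bug under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2) holding a single line of the form "Not affected", "Vulnerable" or "Mitigation: <description>". The function names and the sample file contents are constructed for illustration and are not captured from a real Trusty system.

```shell
#!/bin/sh
# Added example (not part of the pull request): summarise the per-bug status
# files the "sysfs/cpu: Add vulnerability folder" patches expose under
# /sys/devices/system/cpu/vulnerabilities/.  Each file holds one line of the
# form "Not affected", "Vulnerable" or "Mitigation: <description>".

VULN_DIR="/sys/devices/system/cpu/vulnerabilities"

# classify_status LINE: print ok, vulnerable or unknown for one status line.
classify_status() {
    case "$1" in
        "Not affected")  echo ok ;;
        "Mitigation: "*) echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;   # also "Vulnerable: <detail>" variants
        *)               echo unknown ;;      # unexpected content is never treated as safe
    esac
}

# report_mitigations DIR: print "<bug> <verdict> <status>" for every file.
# Returns 0 when every bug is mitigated or not affected, 1 when any file
# reports an unmitigated or unrecognised state, 2 when DIR is missing (a
# kernel predating this interface, which is itself worth flagging).
report_mitigations() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir not present: kernel lacks the vulnerabilities sysfs interface" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-12s %-11s %s\n' "$(basename "$f")" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# make_sample_dir DIR: write constructed sample files (not captured from a
# real Trusty system) so the report can be exercised without sysfs access.
make_sample_dir() {
    mkdir -p "$1"
    printf 'Mitigation: PTI\n'                          > "$1/meltdown"
    printf 'Vulnerable\n'                               > "$1/spectre_v1"
    printf 'Mitigation: Full generic retpoline, IBPB\n' > "$1/spectre_v2"
}

# Usage: sh check-vulns.sh /sys/devices/system/cpu/vulnerabilities
# With no argument only the functions are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    report_mitigations "$1"
fi
```

Run it against `$VULN_DIR` on the updated machine and fail the deployment check on a non-zero exit; the "unknown" verdict deliberately counts as a failure so that a changed or truncated status string cannot be mistaken for a mitigated state.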
On 02/25/18 15:31, Andy Whitcroft wrote:
> Add retpoline support to Trusty. This combines a backport of the upstream
> retpoline patches from v4.4 to the existing IBRS/IBPB mitigation we
> already have applied. It also updates the Intel mitigation to the
> latest version.
> [...]

Applied to trusty/master-next branch.

Thanks,
Kleber