From patchwork Fri May 17 07:57:26 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1936307
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 13/15] x86/bugs: Fix BHI handling of RRSBA
Date: Fri, 17 May 2024 03:57:26 -0400
Message-Id: <20240517075728.9722-14-yuxuan.luo@canonical.com>
In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com>
References: <20240517075728.9722-1-yuxuan.luo@canonical.com>

From: Josh Poimboeuf

The ARCH_CAP_RRSBA check isn't correct: RRSBA may have already been
disabled by the Spectre v2 mitigation (or can otherwise be disabled by
the BHI mitigation itself if needed). In that case retpolines are fine.

Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
Signed-off-by: Josh Poimboeuf
Signed-off-by: Ingo Molnar
Cc: Linus Torvalds
Cc: Sean Christopherson
Link: https://lore.kernel.org/r/6f56f13da34a0834b69163467449be7f58f253dc.1712813475.git.jpoimboe@kernel.org
(cherry picked from commit 1cea8a280dfd1016148a3820676f2f03e3f5b898)
CVE-2024-2201
Signed-off-by: Yuxuan Luo
---
 arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d30b8ec0dd915..4cdf99c1feafd 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c
@@ -1298,20 +1298,25 @@ static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void) return SPECTRE_V2_RETPOLINE; } +static bool __ro_after_init rrsba_disabled; + /* Disable in-kernel use of non-RSB RET predictors */ static void __init spec_ctrl_disable_kernel_rrsba(void) { - u64 x86_arch_cap_msr; + if (rrsba_disabled) + return; - if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL)) + if (!(x86_arch_cap_msr & ARCH_CAP_RRSBA)) { + rrsba_disabled = true; return; + } - x86_arch_cap_msr = x86_read_arch_cap_msr(); + if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL)) + return; - if (x86_arch_cap_msr & ARCH_CAP_RRSBA) { - x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; - update_spec_ctrl(x86_spec_ctrl_base); - } + x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; + update_spec_ctrl(x86_spec_ctrl_base); + rrsba_disabled = true; } static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode) @@ -1412,9 +1417,11 @@ static void __init bhi_select_mitigation(void) return; /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ - if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) && - !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) - return; + if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { + spec_ctrl_disable_kernel_rrsba(); + if (rrsba_disabled) + return; + } if (spec_ctrl_bhi_dis()) return; @@ -2347,8 +2354,7 @@ static const char * const spectre_bhi_state(void) return "; BHI: BHI_DIS_S"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) return "; BHI: SW loop, KVM: SW loop"; - else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && - !(x86_arch_cap_msr & ARCH_CAP_RRSBA)) + else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled) return "; BHI: Retpoline"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) return "; BHI: Syscall hardening, KVM: SW loop";
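
Review bot: In spec_ctrl_disable_kernel_rrsba() (first hunk), the test `if (!(x86_arch_cap_msr & ARCH_CAP_RRSBA))` reads x86_arch_cap_msr after both the local declaration and the `x86_arch_cap_msr = x86_read_arch_cap_msr();` assignment were removed, so it depends on a file-scope copy that must already be populated when this __init function runs. For this cherry-pick, confirm that the change introducing and initialising that cached value is applied earlier in the series. A one-line comment on `rrsba_disabled` would also help, since it becomes true both when the CPU has no RRSBA behaviour and when SPEC_CTRL_RRSBA_DIS_S was set, and stays false only when RRSBA is present without X86_FEATURE_RRSBA_CTRL.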
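
Review bot: In bhi_select_mitigation() (second hunk), the unchanged comment "Retpoline mitigates against BHI unless the CPU has RRSBA behavior" no longer matches the code under it. The block now calls spec_ctrl_disable_kernel_rrsba(), which can set SPEC_CTRL_RRSBA_DIS_S and call update_spec_ctrl() as a side effect of selecting the BHI mitigation. Suggest rewording the comment to say that retpoline is sufficient once RRSBA is absent or has been disabled, and that this path may disable it.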
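
Review bot: In spectre_bhi_state() (third hunk), "; BHI: Retpoline" is now reported only when rrsba_disabled is true, and that flag is set only inside spec_ctrl_disable_kernel_rrsba(). The old condition held on any retpoline CPU without ARCH_CAP_RRSBA regardless of call order. Please check that every path that leaves retpoline enabled, including the early `return;` visible at the top of the bhi_select_mitigation() hunk, has called spec_ctrl_disable_kernel_rrsba() beforehand; otherwise the reported state changes for those systems.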