From patchwork Fri May 17 07:57:14 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1936297
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 01/15] x86/cpufeatures: Add new word for scattered features
Date: Fri, 17 May 2024 03:57:14 -0400
Message-Id: <20240517075728.9722-2-yuxuan.luo@canonical.com>
In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com>

From: Sandipan Das

Add a new word for scattered features because all free bits among the existing Linux-defined auxiliary flags have been exhausted.

Signed-off-by: Sandipan Das
Signed-off-by: Ingo Molnar
Link: https://lore.kernel.org/r/8380d2a0da469a1f0ad75b8954a79fb689599ff6.1711091584.git.sandipan.das@amd.com
(cherry picked from commit 7f274e609f3d5f45c22b1dd59053f6764458b492)
CVE-2024-2201
Signed-off-by: Yuxuan Luo
---
 arch/x86/include/asm/cpufeature.h        | 6 ++++--
 arch/x86/include/asm/cpufeatures.h       | 2 +-
 arch/x86/include/asm/disabled-features.h | 3 ++-
 arch/x86/include/asm/required-features.h | 3 ++-
 4 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
index 4466a47b76080..41cb0cbbfdebf 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -92,8 +92,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 18, feature_bit) || \ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 19, feature_bit) || \ CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 20, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 21, feature_bit) || \ REQUIRED_MASK_CHECK || \ - BUILD_BUG_ON_ZERO(NCAPINTS != 21)) + BUILD_BUG_ON_ZERO(NCAPINTS != 22)) #define DISABLED_MASK_BIT_SET(feature_bit) \ ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 0, feature_bit) || \ @@ -117,8 +118,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32]; CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 18, feature_bit) || \ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 19, feature_bit) || \ CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 20, feature_bit) || \ + CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 21, feature_bit) || \ DISABLED_MASK_CHECK || \ - BUILD_BUG_ON_ZERO(NCAPINTS != 21)) + BUILD_BUG_ON_ZERO(NCAPINTS != 22)) #define cpu_has(c, bit) \ (__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : \ diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 1ccdc67151453..68fd012e9df6e 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -13,7 +13,7 @@ /* * Defines x86 CPU feature bits */ -#define NCAPINTS 21 /* N 32-bit words worth of info */ +#define NCAPINTS 22 /* N 32-bit words worth of info */ #define NBUGINTS 2 /* N 32-bit bug flags */ /* diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h index 8453260f6d9f9..b51b937beea37 100644 --- a/arch/x86/include/asm/disabled-features.h +++ b/arch/x86/include/asm/disabled-features.h @@ -86,6 +86,7 @@ #define DISABLED_MASK18 0 #define DISABLED_MASK19 0 #define DISABLED_MASK20 0 -#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 21) +#define DISABLED_MASK21 0 +#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 22) #endif /* _ASM_X86_DISABLED_FEATURES_H */ 
diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h index fb3d81347e333..06fb6b66a093b 100644 --- a/arch/x86/include/asm/required-features.h +++ b/arch/x86/include/asm/required-features.h 
@@ -103,6 +103,7 @@ #define REQUIRED_MASK18 0 #define REQUIRED_MASK19 0 #define REQUIRED_MASK20 0 -#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 21) +#define REQUIRED_MASK21 0 +#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 22) #endif /* _ASM_X86_REQUIRED_FEATURES_H */
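Review bot: the cpufeatures.h hunk raises NCAPINTS from 21 to 22 but adds no comment describing what the new word 21 holds, while every other word in that header carries one; the "Extended auxiliary flags: Linux defined" comment block that patch 04/15 introduces together with X86_FEATURE_CLEAR_BHB_LOOP belongs with this change, so that word 21 is documented by the commit that creates it and a reader of this patch alone can tell why the word count grew.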
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 02/15] x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word
Date: Fri, 17 May 2024 03:57:15 -0400
Message-Id: <20240517075728.9722-3-yuxuan.luo@canonical.com>
In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com>

From: Sean Christopherson

Add CPUID_LNX_5 to track cpufeatures' word 21, and add the appropriate compile-time assert in KVM to prevent direct lookups on the features in CPUID_LNX_5.

KVM uses X86_FEATURE_* flags to manage guest CPUID, and so must translate features that are scattered by Linux from the Linux-defined bit to the hardware-defined bit, i.e. should never try to directly access scattered features in guest CPUID.

Opportunistically add NR_CPUID_WORDS to enum cpuid_leafs, along with a compile-time assert in KVM's CPUID infrastructure to ensure that future additions update cpuid_leafs along with NCAPINTS.

No functional change intended.

Fixes: 7f274e609f3d ("x86/cpufeatures: Add new word for scattered features")
Cc: Sandipan Das
Signed-off-by: Sean Christopherson
Acked-by: Dave Hansen
Signed-off-by: Linus Torvalds
(backported from commit 8cb4a9a82b21623dbb4b3051dd30d98356cf95bc)
[yuxuan.luo: crops the build checks from reverse_cpuid.h to cpuid.h since reverse_cpuid is yet to be introduced.]
CVE-2024-2201
Signed-off-by: Yuxuan Luo
---
 arch/x86/include/asm/cpufeature.h | 2 ++
 arch/x86/kvm/cpuid.h              | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
index 41cb0cbbfdebf..6611478530810 100644
--- a/arch/x86/include/asm/cpufeature.h +++ b/arch/x86/include/asm/cpufeature.h @@ -32,6 +32,8 @@ enum cpuid_leafs CPUID_7_EDX, CPUID_8000_001F_EAX, CPUID_8000_0021_EAX, + CPUID_LNX_5, + NR_CPUID_WORDS, }; #ifdef CONFIG_X86_FEATURE_NAMES diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h index defae8082789f..50d426d3af08f 100644 --- a/arch/x86/kvm/cpuid.h +++ b/arch/x86/kvm/cpuid.h 
@@ -60,6 +60,8 @@ static __always_inline struct cpuid_reg x86_feature_cpuid(unsigned x86_feature) { unsigned x86_leaf = x86_feature / 32; + BUILD_BUG_ON(NR_CPUID_WORDS != NCAPINTS); + BUILD_BUG_ON(x86_leaf == CPUID_LNX_5); BUILD_BUG_ON(x86_leaf >= ARRAY_SIZE(reverse_cpuid)); BUILD_BUG_ON(reverse_cpuid[x86_leaf].function == 0);
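Review bot: in the cpufeature.h hunk, CPUID_LNX_5 is positional and must evaluate to 21 to match the word that patch 01/15 added; it gets that value only because it is appended right after CPUID_8000_0021_EAX, the last of the 21 pre-existing words. The new BUILD_BUG_ON(NR_CPUID_WORDS != NCAPINTS) catches a missing enumerator but not one inserted in the wrong position, so a `/* word 21 */` comment on the `CPUID_LNX_5,` line, or a static assert that CPUID_LNX_5 == 21, would make the invariant explicit.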
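Review bot: in the cpuid.h hunk, BUILD_BUG_ON(x86_leaf == CPUID_LNX_5) is the only per-word guard added; the existing BUILD_BUG_ON(reverse_cpuid[x86_leaf].function == 0) two lines below already rejects a lookup on any word that has no reverse_cpuid entry, so the new assert buys a clearer failure message rather than new coverage. That is still worth having, but the backport note should say so, and it should say why the other Linux-defined words do not get the same explicit assert in this tree.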
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 03/15] x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
Date: Fri, 17 May 2024 03:57:16 -0400
Message-Id: <20240517075728.9722-4-yuxuan.luo@canonical.com>
In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com>

From: Josh Poimboeuf

Change the format of the 'spectre_v2' vulnerabilities sysfs file slightly by converting the commas to semicolons, so that mitigations for future variants can be grouped together and separated by commas.

Signed-off-by: Josh Poimboeuf
Signed-off-by: Daniel Sneddon
Signed-off-by: Thomas Gleixner
(backported from commit 0cd01ac5dcb1e18eb18df0f0d05b5de76522a437)
[yuxuan.luo: ignored conflicts and changed ',' to ';']
CVE-2024-2201
Signed-off-by: Yuxuan Luo
Acked-by: Juerg Haefliger
---
 arch/x86/kernel/cpu/bugs.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index a0d2ace1877a5..be2c0cf95f3f3 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2233,15 +2233,15 @@ static char *stibp_state(void) switch (spectre_v2_user_stibp) { case SPECTRE_V2_USER_NONE: - return ", STIBP: disabled"; + return "; STIBP: disabled"; case SPECTRE_V2_USER_STRICT: - return ", STIBP: forced"; + return "; STIBP: forced"; case SPECTRE_V2_USER_STRICT_PREFERRED: - return ", STIBP: always-on"; + return "; STIBP: always-on"; case SPECTRE_V2_USER_PRCTL: case SPECTRE_V2_USER_SECCOMP: if (static_key_enabled(&switch_to_cond_stibp)) - return ", STIBP: conditional"; + return "; STIBP: conditional"; } return ""; } @@ -2250,10 +2250,10 @@ static char *ibpb_state(void) { if (boot_cpu_has(X86_FEATURE_IBPB)) { if (static_key_enabled(&switch_mm_always_ibpb)) - return ", IBPB: always-on"; + return "; IBPB: always-on"; if (static_key_enabled(&switch_mm_cond_ibpb)) - return ", IBPB: conditional"; - return ", IBPB: disabled"; + return "; IBPB: conditional"; + return "; IBPB: disabled"; } return ""; } @@ -2263,11 +2263,11 @@ static char *pbrsb_eibrs_state(void) if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) || boot_cpu_has(X86_FEATURE_RSB_VMEXIT)) - return ", PBRSB-eIBRS: SW sequence"; + return "; PBRSB-eIBRS: SW sequence"; else - return ", PBRSB-eIBRS: Vulnerable"; + return "; PBRSB-eIBRS: Vulnerable"; } else { - return ", PBRSB-eIBRS: Not affected"; + return "; PBRSB-eIBRS: Not affected"; } } 
@@ -2286,9 +2286,9 @@ static ssize_t spectre_v2_show_state(char *buf) return sprintf(buf, "%s%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], ibpb_state(), - boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", + boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? "; IBRS_FW" : "", stibp_state(), - boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", + boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? "; RSB filling" : "", pbrsb_eibrs_state(), spectre_v2_module_string()); }
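Review bot: this is a user-visible format change to /sys/devices/system/cpu/vulnerabilities/spectre_v2, and the diffstat touches only arch/x86/kernel/cpu/bugs.c; any in-tree documentation that quotes the comma-separated output, and any tooling that splits this file on ',', needs the matching update, so the commit message should call the compatibility impact out rather than describing it as a slight change. Since the backport note says conflicts were ignored and the replacement was done by hand, it is worth checking the count: the hunks convert 4 strings in stibp_state(), 3 in ibpb_state(), 3 in pbrsb_eibrs_state() and 2 in spectre_v2_show_state(), which is the 12 the diffstat reports, so no prefix was missed.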
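The separator change described in the commit message above affects anything that reads the spectre_v2 sysfs file on a fleet. As an added example that is not part of this patch series, the parser below accepts both the old comma-only format and the new semicolon-separated format with comma-grouped sub-entries; the sample strings are constructed, and the `BHI: SW loop, KVM: SW loop` group is a hypothetical illustration of the grouping the patch makes room for, not output taken from this tree.

```python
"""Parse /sys/devices/system/cpu/vulnerabilities/spectre_v2 output.

Handles both the pre-patch format, where every component is separated by
", ", and the post-patch format, where top-level components are separated
by "; " and one component may group comma-separated sub-entries.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, not captured from a real machine.  The BHI
# group in SAMPLE_NEW is a hypothetical example of the comma-grouped form.
SAMPLE_OLD = ("Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling, "
              "PBRSB-eIBRS: SW sequence")
SAMPLE_NEW = ("Mitigation: Enhanced IBRS; IBPB: conditional; RSB filling; "
              "PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop")
SAMPLE_NOT_AFFECTED = "Not affected"


@dataclass
class SpectreV2State:
    status: str                 # "Mitigation", "Vulnerable" or "Not affected"
    primary: Optional[str]      # main mitigation, e.g. "Enhanced IBRS"
    components: Dict[str, str] = field(default_factory=dict)
    legacy_format: bool = False  # True when the comma-only format was seen


def _split_top_level(text: str) -> Tuple[List[str], bool]:
    """Split into top-level components, detecting the separator in use.

    A ';' anywhere means the post-patch format; otherwise fall back to the
    pre-patch comma separator.
    """
    if ";" in text:
        return [p.strip() for p in text.split(";")], False
    return [p.strip() for p in text.split(",")], True


def _store(component: str, into: Dict[str, str]) -> None:
    """Record 'Key: value' as a pair and a bare flag like 'RSB filling' as 'on'."""
    if ":" in component:
        key, value = component.split(":", 1)
        into[key.strip()] = value.strip()
    else:
        into[component] = "on"


def parse_spectre_v2(text: str) -> SpectreV2State:
    """Parse one line of the sysfs file into a structured state."""
    parts, legacy = _split_top_level(text.strip())
    head, *rest = parts
    status, _, primary = head.partition(":")
    state = SpectreV2State(status=status.strip(),
                           primary=primary.strip() or None,
                           legacy_format=legacy)
    for component in rest:
        if not legacy and "," in component:
            # Post-patch group such as "BHI: SW loop, KVM: SW loop": the first
            # entry is the group's own state, later entries are recorded under
            # "Group/Sub" so they cannot collide with top-level keys.
            first, *subs = [s.strip() for s in component.split(",")]
            group = first.split(":", 1)[0].strip()
            _store(first, state.components)
            for sub in subs:
                key, _, value = sub.partition(":")
                state.components[f"{group}/{key.strip()}"] = value.strip() or "on"
        else:
            _store(component, state.components)
    return state


def bhi_mitigated(text: str) -> Optional[bool]:
    """True/False for an explicit BHI entry; None when the kernel does not report one.

    A None result is the case a fleet check must treat separately: a kernel
    that predates BHI reporting says nothing either way.
    """
    value = parse_spectre_v2(text).components.get("BHI")
    if value is None:
        return None
    return value.lower() not in ("vulnerable", "disabled")
```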
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 04/15] x86/bhi: Add support for clearing branch history at syscall entry
Date: Fri, 17 May 2024 03:57:17 -0400
Message-Id: <20240517075728.9722-5-yuxuan.luo@canonical.com>
In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com>

From: Pawan Gupta

commit 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5 upstream.

Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes.

Alder Lake and new processors support a hardware control BHI_DIS_S to mitigate BHI. For older processors Intel has released a software sequence to clear the branch history on parts that don't support BHI_DIS_S.

Add support to execute the software sequence at syscall entry and VMexit to overwrite the branch history.

For now, branch history is not cleared at interrupt entry, as malicious applications are not believed to have sufficient control over the registers, since previous register state is cleared at interrupt entry. Researchers continue to poke at this area and it may become necessary to clear at interrupt entry as well in the future.

This mitigation is only defined here. It is enabled later.

Signed-off-by: Pawan Gupta
Co-developed-by: Daniel Sneddon
Signed-off-by: Daniel Sneddon
Signed-off-by: Thomas Gleixner
Reviewed-by: Alexandre Chartre
Reviewed-by: Josh Poimboeuf
Signed-off-by: Daniel Sneddon
Signed-off-by: Greg Kroah-Hartman
(backported from commit bd53ec80f21839cfd4d852a6088279d602d67e5b linux-5.15.y)
[yuxuan.luo:
 - entry_64.S:
   - Since bc7b11c04ee9 ("x86/asm/64: Change all ENTRY+END to SYM_CODE_*") is not in the tree, substitute SYM_FUNC_START/SYM_FUNC_END with ENTRY/END
   - Dropped STACK_FRAME_NON_STANDARD and ANNOTATE_INTRA_FUNCTION_CALL (not supported by objtool).
 - entry_64_compat.S
 - nospec-branch.h
 - Applied patches with some tweaks on context.
]
CVE-2024-2201
Signed-off-by: Yuxuan Luo
---
 arch/x86/entry/entry_64.S            | 58 ++++++++++++++++++++++++++++
 arch/x86/entry/entry_64_compat.S     |  3 ++
 arch/x86/include/asm/cpufeatures.h   |  8 ++++
 arch/x86/include/asm/nospec-branch.h | 12 ++++++
 arch/x86/kvm/vmx/vmenter.S           |  2 +
 5 files changed, 83 insertions(+)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 640c7d36c26c7..c3806919cca63 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -175,6 +175,7 @@ GLOBAL(entry_SYSCALL_64_after_hwframe) /* clobbers %rax, make sure it is after saving the syscall nr */ IBRS_ENTER + CLEAR_BRANCH_HISTORY call do_syscall_64 /* returns with IRQs disabled */
@@ -1768,3 +1769,60 @@ ENTRY(rewind_stack_and_make_dead) call make_task_dead END(rewind_stack_and_make_dead) + +/* + * This sequence executes branches in order to remove user branch information + * from the branch history tracker in the Branch Predictor, therefore removing + * user influence on subsequent BTB lookups. + * + * It should be used on parts prior to Alder Lake. Newer parts should use the + * BHI_DIS_S hardware control instead. If a pre-Alder Lake part is being + * virtualized on newer hardware the VMM should protect against BHI attacks by + * setting BHI_DIS_S for the guests. + * + * CALLs/RETs are necessary to prevent Loop Stream Detector(LSD) from engaging + * and not clearing the branch history. The call tree looks like: + * + * call 1 + * call 2 + * call 2 + * call 2 + * call 2 + * call 2 + * ret + * ret + * ret + * ret + * ret + * ret + * + * This means that the stack is non-constant and ORC can't unwind it with %rsp + * alone. Therefore we unconditionally set up the frame pointer, which allows + * ORC to unwind properly. + * + * The alignment is for performance and not for safety, and may be safely + * refactored in the future if needed. + */ +ENTRY(clear_bhb_loop) + push %rbp + mov %rsp, %rbp + movl $5, %ecx + call 1f + jmp 5f + .align 64, 0xcc +1: call 2f + RET + .align 64, 0xcc +2: movl $5, %eax +3: jmp 4f + nop +4: sub $1, %eax + jnz 3b + sub $1, %ecx + jnz 1b + RET +5: lfence + pop %rbp + RET +END(clear_bhb_loop) +EXPORT_SYMBOL_GPL(clear_bhb_loop) diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S index c3c4ea4a6711a..fe6e25951d408 100644 --- a/arch/x86/entry/entry_64_compat.S +++ b/arch/x86/entry/entry_64_compat.S @@ -108,6 +108,7 @@ ENTRY(entry_SYSENTER_compat) cld IBRS_ENTER + CLEAR_BRANCH_HISTORY /* * SYSENTER doesn't filter flags, so we need to clear NT and AC 
@@ -257,6 +258,7 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe) TRACE_IRQS_OFF IBRS_ENTER + CLEAR_BRANCH_HISTORY movq %rsp, %rdi call do_fast_syscall_32 @@ -417,6 +419,7 @@ ENTRY(entry_INT80_compat) */ TRACE_IRQS_OFF IBRS_ENTER + CLEAR_BRANCH_HISTORY movq %rsp, %rdi call do_int80_syscall_32 diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 68fd012e9df6e..0e7df37a74399 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -382,6 +382,14 @@ #define X86_FEATURE_SEV_ES (19*32+ 3) /* AMD Secure Encrypted Virtualization - Encrypted State */ #define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */ +/* + * Extended auxiliary flags: Linux defined - for features scattered in various + * CPUID levels like 0x80000022, etc and Linux defined features. + * + * Reuse free bits when adding new feature flags! + */ +#define X86_FEATURE_CLEAR_BHB_LOOP (21*32+ 1) /* "" Clear branch history at syscall entry using SW loop */ + /* * BUG word(s) */ diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index c8819358a332c..d6824fb49080d 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -175,6 +175,14 @@ .Lskip_rsb_\@: .endm +#ifdef CONFIG_X86_64 +.macro CLEAR_BRANCH_HISTORY + ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP +.endm +#else +#define CLEAR_BRANCH_HISTORY +#endif + #else /* __ASSEMBLY__ */ #define ANNOTATE_RETPOLINE_SAFE \ @@ -183,6 +191,10 @@ _ASM_PTR " 999b\n\t" \ ".popsection\n\t" +#ifdef CONFIG_X86_64 +extern void clear_bhb_loop(void); +#endif + #ifdef CONFIG_RETPOLINE #ifdef CONFIG_X86_64 diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S index 2850670c38bb0..8cbebde85a4f6 100644 --- a/arch/x86/kvm/vmx/vmenter.S +++ b/arch/x86/kvm/vmx/vmenter.S 
@@ -198,6 +198,8 @@ SYM_INNER_LABEL(vmx_vmexit, SYM_L_GLOBAL) call vmx_spec_ctrl_restore_host + CLEAR_BRANCH_HISTORY + /* Put return value in AX */ mov %_ASM_BX, %_ASM_AX
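Review bot: in the clear_bhb_loop hunk the backport drops STACK_FRAME_NON_STANDARD and ANNOTATE_INTRA_FUNCTION_CALL but keeps the upstream comment explaining that the frame pointer is set up so ORC can unwind the non-constant stack; with the annotation gone, objtool sees the intra-function `call 1f` / `call 2f` as calls into unannotated code, so a CONFIG_STACK_VALIDATION build should be confirmed warning-free and the comment trimmed to what this tree actually relies on. Two smaller points on the same hunk: the body uses the RET macro rather than a plain `ret`, which only assembles if the tree already carries that macro from the return-thunk backports (nothing in the visible context uses it), and the backport note replaces SYM_FUNC_START/END with ENTRY/END because bc7b11c04ee9 is missing, yet the vmenter.S hunk context shows SYM_INNER_LABEL(vmx_vmexit, SYM_L_GLOBAL), which comes from the same linkage.h macro set as SYM_FUNC_START; if that set is present the upstream form could be kept and the substitution avoided.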
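Review bot: in the cpufeatures.h hunk, X86_FEATURE_CLEAR_BHB_LOOP is assigned (21*32+ 1) directly under a comment that says "Reuse free bits when adding new feature flags!", leaving bit 0 of the brand-new word unused with nothing saying why; either add a one-line comment that bit 0 is intentionally kept free to preserve upstream numbering, or take bit 0, so the next person to add a word-21 flag does not have to guess.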
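Review bot: in the vmenter.S hunk, CLEAR_BRANCH_HISTORY expands to `call clear_bhb_loop`, which clobbers %rax and %rcx (the `movl $5, %ecx` and `movl $5, %eax` in the loop body) and pushes a frame; placed after `call vmx_spec_ctrl_restore_host` and before `mov %_ASM_BX, %_ASM_AX` those clobbers are harmless, but the ordering constraint should be stated in a comment at the call site so a later reorder does not put the clear after the return value has been moved into AX. The same hunk also relies on the `#define CLEAR_BRANCH_HISTORY` empty fallback that nospec-branch.h adds for !CONFIG_X86_64, since vmenter.S is built on 32-bit as well; that dependency is worth a line in the commit message.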
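Review bot: the entry_64.S and entry_64_compat.S call-site hunks put CLEAR_BRANCH_HISTORY directly after IBRS_ENTER on all four 64-bit entry paths (SYSCALL_64, SYSENTER_compat, SYSCALL_compat, INT80_compat), which matches the commit message; the existing comment "clobbers %rax, make sure it is after saving the syscall nr" above IBRS_ENTER applies equally to clear_bhb_loop (it also clobbers %rcx), so extend that comment to cover the new macro rather than leaving it to read as if only IBRS_ENTER had the constraint.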
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 05/15] x86/bhi: Define SPEC_CTRL_BHI_DIS_S Date: Fri, 17 May 2024 03:57:18 -0400 Message-Id: <20240517075728.9722-6-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com> References: <20240517075728.9722-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Daniel Sneddon Newer processors support a hardware control BHI_DIS_S to mitigate Branch History Injection (BHI). Setting BHI_DIS_S protects the kernel from userspace BHI attacks without having to manually overwrite the branch history. Define MSR_SPEC_CTRL bit BHI_DIS_S and its enumeration CPUID.BHI_CTRL. Mitigation is enabled later. Signed-off-by: Daniel Sneddon Signed-off-by: Pawan Gupta Signed-off-by: Daniel Sneddon Signed-off-by: Thomas Gleixner Reviewed-by: Alexandre Chartre Reviewed-by: Josh Poimboeuf (backported from commit 0f4a837615ff925ba62648d280a861adf1582df7) [yuxuan.luo: - reverse_cpuid.h: since 4e66c0cb79b7 (“KVM: x86: Add support for reverse CPUID lookup of scattered features“) is not in the tree, there is no point backporting reverse_cpuid.h related changes. ] CVE-2024-2201 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/msr-index.h | 5 ++++- arch/x86/kernel/cpu/scattered.c | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 0e7df37a74399..c43cf19c340da 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h 
@@ -389,6 +389,7 @@ * Reuse free bits when adding new feature flags! */ #define X86_FEATURE_CLEAR_BHB_LOOP (21*32+ 1) /* "" Clear branch history at syscall entry using SW loop */ +#define X86_FEATURE_BHI_CTRL (21*32+ 2) /* "" BHI_DIS_S HW control available */ /* * BUG word(s) diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index 5a4a391f556ab..cf4a269a056a7 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -49,10 +49,13 @@ #define SPEC_CTRL_SSBD BIT(SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */ #define SPEC_CTRL_RRSBA_DIS_S_SHIFT 6 /* Disable RRSBA behavior */ #define SPEC_CTRL_RRSBA_DIS_S BIT(SPEC_CTRL_RRSBA_DIS_S_SHIFT) +#define SPEC_CTRL_BHI_DIS_S_SHIFT 10 /* Disable Branch History Injection behavior */ +#define SPEC_CTRL_BHI_DIS_S BIT(SPEC_CTRL_BHI_DIS_S_SHIFT) /* A mask for bits which the kernel toggles when controlling mitigations */ #define SPEC_CTRL_MITIGATIONS_MASK (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD \ - | SPEC_CTRL_RRSBA_DIS_S) + | SPEC_CTRL_RRSBA_DIS_S \ + | SPEC_CTRL_BHI_DIS_S) #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ #define PRED_CMD_IBPB BIT(0) /* Indirect Branch Prediction Barrier */ diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c index 37f716eaf0e6d..f9e9cb4ca40fb 100644 --- a/arch/x86/kernel/cpu/scattered.c +++ b/arch/x86/kernel/cpu/scattered.c 
@@ -27,6 +27,7 @@ static const struct cpuid_bit cpuid_bits[] = { { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 }, { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 }, { X86_FEATURE_RRSBA_CTRL, CPUID_EDX, 2, 0x00000007, 2 }, + { X86_FEATURE_BHI_CTRL, CPUID_EDX, 4, 0x00000007, 2 }, { X86_FEATURE_CQM_LLC, CPUID_EDX, 1, 0x0000000f, 0 }, { X86_FEATURE_CQM_OCCUP_LLC, CPUID_EDX, 0, 0x0000000f, 1 }, { X86_FEATURE_CQM_MBM_TOTAL, CPUID_EDX, 1, 0x0000000f, 1 }, From patchwork Fri May 17 07:57:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1936301 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VgfTl1JqKz23v2 for ; Fri, 17 May 2024 17:58:19 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1s7sTm-0005Zk-3m; Fri, 17 May 2024 07:58:14 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1s7sTk-0005XZ-CK for kernel-team@lists.ubuntu.com; Fri, 17 May 2024 07:58:12 +0000 Received: from mail-ej1-f72.google.com (mail-ej1-f72.google.com [209.85.218.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client 
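Review bot: the scattered.c hunk enumerates BHI_CTRL from CPUID.(EAX=7,ECX=2):EDX[4] for the host only; with the reverse_cpuid.h part of the upstream commit dropped (per the backport note), KVM in this tree has no way to pass this scattered bit on to guests, so a guest kernel will not see BHI_CTRL and cannot set BHI_DIS_S for itself. That may well be the accepted trade-off for this backport, but it changes what guests report in their own vulnerability sysfs file and deserves a sentence in the backport note rather than being left implicit.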
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 06/15] x86/bhi: Enumerate Branch History Injection (BHI) bug Date: Fri, 17 May 2024 03:57:19 -0400 Message-Id: <20240517075728.9722-7-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com> References: <20240517075728.9722-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Pawan Gupta Mitigation for BHI is selected based on the bug enumeration. Add bits needed to enumerate BHI bug. Signed-off-by: Pawan Gupta Signed-off-by: Daniel Sneddon Signed-off-by: Thomas Gleixner Reviewed-by: Alexandre Chartre Reviewed-by: Josh Poimboeuf (backported from commit be482ff9500999f56093738f9219bbabc729d163) [yuxuan.luo: ignored context conflicts and applied the patch] CVE-2024-2201 Signed-off-by: Yuxuan Luo --- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/msr-index.h | 4 ++++ arch/x86/kernel/cpu/common.c | 24 ++++++++++++++++-------- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index c43cf19c340da..10bb6d4c3a6b4 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -436,4 +436,5 @@ /* BUG word 2 */ #define X86_BUG_DIV0 X86_BUG(1*32 + 1) /* AMD DIV0 speculation bug */ +#define X86_BUG_BHI X86_BUG(1*32 + 3) /* CPU is affected by Branch History Injection */ #endif /* _ASM_X86_CPUFEATURES_H */ diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index cf4a269a056a7..7375a874cf384 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h 
@@ -146,6 +146,10 @@ * are restricted to targets in * kernel. */ +#define ARCH_CAP_BHI_NO BIT(20) /* + * CPU is not affected by Branch + * History Injection. + */ #define ARCH_CAP_PBRSB_NO BIT(24) /* * Not susceptible to Post-Barrier * Return Stack Buffer Predictions. diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index d0b223e5e4806..5a58b26be286f 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -1033,6 +1033,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c) #define NO_SPECTRE_V2 BIT(8) #define NO_EIBRS_PBRSB BIT(9) #define NO_MMIO BIT(10) +#define NO_BHI BIT(11) #define VULNWL(_vendor, _family, _model, _whitelist) \ { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } 
@@ -1093,18 +1094,18 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = { VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB), /* AMD Family 0xf - 0x12 */ - VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), - VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), - VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), - VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), + VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), + VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), + VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), + VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ - VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), - VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO), + VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), + VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI), /* Zhaoxin Family 7 */ - VULNWL(CENTAUR, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_MMIO), - VULNWL(ZHAOXIN, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_MMIO), + VULNWL(CENTAUR, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_MMIO | NO_BHI), + VULNWL(ZHAOXIN, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_MMIO | NO_BHI), {} }; 
@@ -1298,6 +1299,13 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) boot_cpu_has(X86_FEATURE_AVX)) setup_force_cpu_bug(X86_BUG_GDS); + /* When virtualized, eIBRS could be hidden, assume vulnerable */ + if (!(ia32_cap & ARCH_CAP_BHI_NO) && + !cpu_matches(cpu_vuln_whitelist, NO_BHI) && + (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) || + boot_cpu_has(X86_FEATURE_HYPERVISOR))) + setup_force_cpu_bug(X86_BUG_BHI); + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) return; From patchwork Fri May 17 07:57:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1936302 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VgfTp4f37z1ydW for ; Fri, 17 May 2024 17:58:22 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1s7sTo-0005h7-SL; Fri, 17 May 2024 07:58:16 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1s7sTn-0005bm-0V for kernel-team@lists.ubuntu.com; Fri, 17 May 2024 07:58:15 +0000 Received: from mail-lj1-f198.google.com (mail-lj1-f198.google.com [209.85.208.198]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest 
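Review bot: the cpufeatures.h hunk places X86_BUG_BHI at X86_BUG(1*32 + 3) directly after X86_BUG_DIV0 at 1*32 + 1, leaving bit 1*32 + 2 unused in this tree; keeping upstream's numbering is the right choice so later backports apply cleanly, but a comment marking the gap as reserved would stop a future backport from grabbing the free bit and colliding with upstream.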
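Review bot: the cpu_set_bug_bits() hunk flags X86_BUG_BHI whenever ARCH_CAP_BHI_NO is absent, the CPU is not in the NO_BHI whitelist, and either eIBRS or X86_FEATURE_HYPERVISOR is present; the `boot_cpu_has(X86_FEATURE_HYPERVISOR)` arm means every Intel guest whose hypervisor does not pass through ARCH_CAPABILITIES with BHI_NO set is treated as affected, including guests on pre-eIBRS hosts. The inline comment explains the intent, but since this is the condition that makes most cloud guests select a mitigation, it would be worth stating explicitly in the commit message so operators understand why "Not affected" requires the hypervisor to expose ARCH_CAPABILITIES.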
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 07/15] x86/bhi: Add BHI mitigation knob Date: Fri, 17 May 2024 03:57:20 -0400 Message-Id: <20240517075728.9722-8-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com> References: <20240517075728.9722-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Pawan Gupta commit ec9404e40e8f36421a2b66ecb76dc2209fe7f3ef upstream. Branch history clearing software sequences and hardware control BHI_DIS_S were defined to mitigate Branch History Injection (BHI). Add cmdline spectre_bhi={on|off|auto} to control BHI mitigation: auto - Deploy the hardware mitigation BHI_DIS_S, if available. on - Deploy the hardware mitigation BHI_DIS_S, if available, otherwise deploy the software sequence at syscall entry and VMexit. off - Turn off BHI mitigation. The default is auto mode which does not deploy the software sequence mitigation. This is because of the hardening done in the syscall dispatch path, which is the likely target of BHI. Signed-off-by: Pawan Gupta Signed-off-by: Daniel Sneddon Signed-off-by: Thomas Gleixner Reviewed-by: Alexandre Chartre Reviewed-by: Josh Poimboeuf Signed-off-by: Daniel Sneddon Signed-off-by: Greg Kroah-Hartman (backported from commit f825494f2c6fab421c5c59b5def321775c825818 linux-5.15.y) [yuxuan.luo: - Kconfig - Manually applied the new option. - bugs.c - Ignored the context conflicts and added the new lines. ] CVE-2024-2201 
Signed-off-by: Yuxuan Luo --- Documentation/admin-guide/hw-vuln/spectre.rst | 41 +++++++-- .../admin-guide/kernel-parameters.txt | 11 +++ arch/x86/Kconfig | 25 ++++++ arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/kernel/cpu/bugs.c | 90 ++++++++++++++++++- 5 files changed, 162 insertions(+), 6 deletions(-) diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst index 0fba3758d0da8..1cf9356bbfe28 100644 --- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst @@ -138,11 +138,10 @@ associated with the source address of the indirect branch. Specifically, the BHB might be shared across privilege levels even in the presence of Enhanced IBRS. -Currently the only known real-world BHB attack vector is via -unprivileged eBPF. Therefore, it's highly recommended to not enable -unprivileged eBPF, especially when eIBRS is used (without retpolines). -For a full mitigation against BHB attacks, it's recommended to use -retpolines (or eIBRS combined with retpolines). +Previously the only known real-world BHB attack vector was via unprivileged +eBPF. Further research has found attacks that don't require unprivileged eBPF. +For a full mitigation against BHB attacks it is recommended to set BHI_DIS_S or +use the BHB clearing sequence. Attack scenarios ---------------- 
@@ -430,6 +429,21 @@ The possible values in this file are: 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB =========================== ======================================================= + - Branch History Injection (BHI) protection status: + +.. list-table:: + + * - BHI: Not affected + - System is not affected + * - BHI: Retpoline + - System is protected by retpoline + * - BHI: BHI_DIS_S + - System is protected by BHI_DIS_S + * - BHI: SW loop + - System is protected by software clearing sequence + * - BHI: Syscall hardening + - Syscalls are hardened against BHI + Full mitigation might require a microcode update from the CPU vendor. When the necessary microcode is not available, the kernel will report vulnerability. @@ -684,6 +698,23 @@ For user space mitigation: spectre_v2=off. Spectre variant 1 mitigations cannot be disabled. + spectre_bhi= + + [X86] Control mitigation of Branch History Injection + (BHI) vulnerability. Syscalls are hardened against BHI + regardless of this setting. This setting affects the deployment + of the HW BHI control and the SW BHB clearing sequence. + + on + unconditionally enable. + off + unconditionally disable. + auto + enable if hardware mitigation + control(BHI_DIS_S) is available. + +For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt + Mitigation selection guide -------------------------- diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index a578ec85c26c8..c97f8435f86c7 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -4605,6 +4605,17 @@ sonypi.*= [HW] Sony Programmable I/O Control Device driver See Documentation/admin-guide/laptops/sonypi.rst + spectre_bhi= [X86] Control mitigation of Branch History Injection + (BHI) vulnerability. Syscalls are hardened against BHI + reglardless of this setting. This setting affects the + deployment of the HW BHI control and the SW BHB + clearing sequence. + + on - unconditionally enable. + off - unconditionally disable. + auto - (default) enable only if hardware mitigation + control(BHI_DIS_S) is available. + spectre_v2= [X86] Control mitigation of Spectre variant 2 (indirect branch speculation) vulnerability. The default operation protects the kernel from diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 74f469dc13d38..c89a1360773aa 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2520,6 +2520,31 @@ config ARCH_ENABLE_SPLIT_PMD_PTLOCK def_bool y depends on X86_64 || X86_PAE +choice + prompt "Clear branch history" + depends on CPU_SUP_INTEL + default SPECTRE_BHI_AUTO + help + Enable BHI mitigations. BHI attacks are a form of Spectre V2 attacks + where the branch history buffer is poisoned to speculatively steer + indirect branches. + See + +config SPECTRE_BHI_ON + bool "on" + help + Equivalent to setting spectre_bhi=on command line parameter. +config SPECTRE_BHI_OFF + bool "off" + help + Equivalent to setting spectre_bhi=off command line parameter. +config SPECTRE_BHI_AUTO + bool "auto" + help + Equivalent to setting spectre_bhi=auto command line parameter. + +endchoice + config ARCH_ENABLE_HUGEPAGE_MIGRATION def_bool y depends on X86_64 && HUGETLB_PAGE && MIGRATION diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 10bb6d4c3a6b4..2e823723c2b42 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h 
@@ -390,6 +390,7 @@ */ #define X86_FEATURE_CLEAR_BHB_LOOP (21*32+ 1) /* "" Clear branch history at syscall entry using SW loop */ #define X86_FEATURE_BHI_CTRL (21*32+ 2) /* "" BHI_DIS_S HW control available */ +#define X86_FEATURE_CLEAR_BHB_HW (21*32+ 3) /* "" BHI_DIS_S HW control enabled */ /* * BUG word(s) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index be2c0cf95f3f3..b43c29c3f0a72 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -1367,6 +1367,74 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ dump_stack(); } +/* + * Set BHI_DIS_S to prevent indirect branches in kernel to be influenced by + * branch history in userspace. Not needed if BHI_NO is set. + */ +static bool __init spec_ctrl_bhi_dis(void) +{ + if (!boot_cpu_has(X86_FEATURE_BHI_CTRL)) + return false; + + x86_spec_ctrl_base |= SPEC_CTRL_BHI_DIS_S; + update_spec_ctrl(x86_spec_ctrl_base); + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_HW); + + return true; +} + +enum bhi_mitigations { + BHI_MITIGATION_OFF, + BHI_MITIGATION_ON, + BHI_MITIGATION_AUTO, +}; + +static enum bhi_mitigations bhi_mitigation __ro_after_init = + IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : + IS_ENABLED(CONFIG_SPECTRE_BHI_OFF) ? BHI_MITIGATION_OFF : + BHI_MITIGATION_AUTO; + +static int __init spectre_bhi_parse_cmdline(char *str) +{ + if (!str) + return -EINVAL; + + if (!strcmp(str, "off")) + bhi_mitigation = BHI_MITIGATION_OFF; + else if (!strcmp(str, "on")) + bhi_mitigation = BHI_MITIGATION_ON; + else if (!strcmp(str, "auto")) + bhi_mitigation = BHI_MITIGATION_AUTO; + else + pr_err("Ignoring unknown spectre_bhi option (%s)", str); + + return 0; +} +early_param("spectre_bhi", spectre_bhi_parse_cmdline); + +static void __init bhi_select_mitigation(void) +{ + if (bhi_mitigation == BHI_MITIGATION_OFF) + return; + + /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ + if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) && + !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) + return; + + if (spec_ctrl_bhi_dis()) + return; + + if (!IS_ENABLED(CONFIG_X86_64)) + return; + + if (bhi_mitigation == BHI_MITIGATION_AUTO) + return; + + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP); + pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n"); +} + static void __init spectre_v2_select_mitigation(void) { enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); 
@@ -1472,6 +1540,9 @@ static void __init spectre_v2_select_mitigation(void) mode == SPECTRE_V2_RETPOLINE) spec_ctrl_disable_kernel_rrsba(); + if (boot_cpu_has(X86_BUG_BHI)) + bhi_select_mitigation(); + spectre_v2_enabled = mode; pr_info("%s\n", spectre_v2_strings[mode]); @@ -2271,6 +2342,21 @@ static char *pbrsb_eibrs_state(void) } } +static const char * const spectre_bhi_state(void) +{ + if (!boot_cpu_has_bug(X86_BUG_BHI)) + return "; BHI: Not affected"; + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) + return "; BHI: BHI_DIS_S"; + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) + return "; BHI: SW loop"; + else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && + !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) + return "; BHI: Retpoline"; + + return "; BHI: Vulnerable (Syscall hardening enabled)"; +} + static ssize_t spectre_v2_show_state(char *buf) { if (spectre_v2_enabled == SPECTRE_V2_LFENCE) 
@@ -2283,13 +2369,15 @@ static ssize_t spectre_v2_show_state(char *buf) spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n"); - return sprintf(buf, "%s%s%s%s%s%s%s\n", + return sprintf(buf, "%s%s%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], ibpb_state(), boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? "; IBRS_FW" : "", stibp_state(), boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? "; RSB filling" : "", pbrsb_eibrs_state(), + spectre_bhi_state(), + /* this should always be at the end */ spectre_v2_module_string()); } From patchwork Fri May 17 07:57:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1936304 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VgfTr05R6z1ydW for ; Fri, 17 May 2024 17:58:24 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1s7sTr-0005l9-1Q; Fri, 17 May 2024 07:58:19 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1s7sTp-0005hD-8j for kernel-team@lists.ubuntu.com; Fri, 17 May 2024 07:58:17 +0000 Received: from mail-ej1-f71.google.com (mail-ej1-f71.google.com [209.85.218.71]) (using TLSv1.3 with cipher 
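Review bot: the kernel-parameters.txt hunk has a typo in the new spectre_bhi= entry: "reglardless of this setting" should read "regardless of this setting"; the matching paragraph in the spectre.rst hunk spells it correctly, so only the kernel-parameters.txt copy needs the fix.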
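Review bot: in the first bugs.c hunk, `pr_err("Ignoring unknown spectre_bhi option (%s)", str);` in spectre_bhi_parse_cmdline() lacks the trailing "\n" that the other pr_info() calls in the same hunk carry, so the message will run into the next log line; append "\n" to the format string.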
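Review bot: the spectre_v2_select_mitigation() hunk tests `boot_cpu_has(X86_BUG_BHI)` before calling bhi_select_mitigation(), while spectre_bhi_state() in the same file uses `boot_cpu_has_bug(X86_BUG_BHI)`; both read the same capability array so the behaviour is identical, but the bug accessor is the idiomatic form in bugs.c and makes it obvious to a reader that a bug bit, not a feature bit, is being checked. Suggest `if (boot_cpu_has_bug(X86_BUG_BHI))`.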
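Review bot: the spectre_bhi_state() hunk and the spectre.rst table in this patch disagree on the fallback state string: the documentation lists "BHI: Syscall hardening" with the description "Syscalls are hardened against BHI", while the code returns "; BHI: Vulnerable (Syscall hardening enabled)", so an operator grepping sysfs for the documented token will not find it. Either the table row or the return string should be changed so they match. Separately, the declaration `static const char * const spectre_bhi_state(void)` carries a top-level const on a function return type, which is meaningless and trips -Wignored-qualifiers; `static const char *spectre_bhi_state(void)` is what the neighbouring state helpers use.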
00:58:12 -0700 (PDT) From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 08/15] x86/bhi: Mitigate KVM by default Date: Fri, 17 May 2024 03:57:21 -0400 Message-Id: <20240517075728.9722-9-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com> References: <20240517075728.9722-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Pawan Gupta BHI mitigation mode spectre_bhi=auto does not deploy the software mitigation by default. In a cloud environment, it is a likely scenario where userspace is trusted but the guests are not trusted. Deploying system wide mitigation in such cases is not desirable. Update the auto mode to unconditionally mitigate against malicious guests. Deploy the software sequence at VMexit in auto mode also, when hardware mitigation is not available. Unlike the force =on mode, software sequence is not deployed at syscalls in auto mode. Suggested-by: Alexandre Chartre Signed-off-by: Pawan Gupta Signed-off-by: Daniel Sneddon Signed-off-by: Thomas Gleixner Reviewed-by: Alexandre Chartre Reviewed-by: Josh Poimboeuf (cherry picked from commit 95a6ccbdc7199a14b71ad8901cb788ba7fb5167b) CVE-2024-2201 Signed-off-by: Yuxuan Luo --- Documentation/admin-guide/hw-vuln/spectre.rst | 7 +++++-- Documentation/admin-guide/kernel-parameters.txt | 5 +++-- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/nospec-branch.h | 5 +++++ arch/x86/kernel/cpu/bugs.c | 9 ++++++++- arch/x86/kvm/vmx/vmenter.S | 2 +- 6 files changed, 23 insertions(+), 6 deletions(-) diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst index 1cf9356bbfe28..8e003eb6ac0fd 100644 
--- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst @@ -439,10 +439,12 @@ The possible values in this file are: - System is protected by retpoline * - BHI: BHI_DIS_S - System is protected by BHI_DIS_S - * - BHI: SW loop + * - BHI: SW loop; KVM SW loop - System is protected by software clearing sequence * - BHI: Syscall hardening - Syscalls are hardened against BHI + * - BHI: Syscall hardening; KVM: SW loop + - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence Full mitigation might require a microcode update from the CPU vendor. When the necessary microcode is not available, the kernel will @@ -711,7 +713,8 @@ For user space mitigation: unconditionally disable. auto enable if hardware mitigation - control(BHI_DIS_S) is available. + control(BHI_DIS_S) is available, otherwise + enable alternate mitigation in KVM. For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index c97f8435f86c7..9b38050fdf5f0 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4613,8 +4613,9 @@ on - unconditionally enable. off - unconditionally disable. - auto - (default) enable only if hardware mitigation - control(BHI_DIS_S) is available. + auto - (default) enable hardware mitigation + (BHI_DIS_S) if available, otherwise enable + alternate mitigation in KVM. spectre_v2= [X86] Control mitigation of Spectre variant 2 (indirect branch speculation) vulnerability. diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 2e823723c2b42..9db06d306f5d7 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h 
@@ -391,6 +391,7 @@ #define X86_FEATURE_CLEAR_BHB_LOOP (21*32+ 1) /* "" Clear branch history at syscall entry using SW loop */ #define X86_FEATURE_BHI_CTRL (21*32+ 2) /* "" BHI_DIS_S HW control available */ #define X86_FEATURE_CLEAR_BHB_HW (21*32+ 3) /* "" BHI_DIS_S HW control enabled */ +#define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch history at vmexit using SW loop */ /* * BUG word(s) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index d6824fb49080d..6ba7faf8b938c 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -179,8 +179,13 @@ .macro CLEAR_BRANCH_HISTORY ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP .endm + +.macro CLEAR_BRANCH_HISTORY_VMEXIT + ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT +.endm #else #define CLEAR_BRANCH_HISTORY +#define CLEAR_BRANCH_HISTORY_VMEXIT #endif #else /* __ASSEMBLY__ */ diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index b43c29c3f0a72..cd69490b65722 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -1428,9 +1428,14 @@ static void __init bhi_select_mitigation(void) if (!IS_ENABLED(CONFIG_X86_64)) return; + /* Mitigate KVM by default */ + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT); + pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n"); + if (bhi_mitigation == BHI_MITIGATION_AUTO) return; + /* Mitigate syscalls when the mitigation is forced =on */ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP); pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n"); } 
@@ -2349,10 +2354,12 @@ static const char * const spectre_bhi_state(void) else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) return "; BHI: BHI_DIS_S"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) - return "; BHI: SW loop"; + return "; BHI: SW loop, KVM: SW loop"; else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) return "; BHI: Retpoline"; + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) + return "; BHI: Syscall hardening, KVM: SW loop"; return "; BHI: Vulnerable (Syscall hardening enabled)"; } diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S index 8cbebde85a4f6..15737a22d67f7 100644 --- a/arch/x86/kvm/vmx/vmenter.S +++ b/arch/x86/kvm/vmx/vmenter.S 
@@ -198,7 +198,7 @@ SYM_INNER_LABEL(vmx_vmexit, SYM_L_GLOBAL) call vmx_spec_ctrl_restore_host - CLEAR_BRANCH_HISTORY + CLEAR_BRANCH_HISTORY_VMEXIT /* Put return value in AX */ mov %_ASM_BX, %_ASM_AX
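Review bot: the state strings added to the spectre.rst hunk do not match what spectre_bhi_state() returns in the bugs.c hunk: the documentation rows read "BHI: SW loop; KVM SW loop" and "BHI: Syscall hardening; KVM: SW loop" (semicolons, and no colon after the first "KVM"), while the code returns "; BHI: SW loop, KVM: SW loop" and "; BHI: Syscall hardening, KVM: SW loop". Anyone matching the sysfs value against the documented text will miss; suggest making the two rows read `BHI: SW loop, KVM: SW loop` and `BHI: Syscall hardening, KVM: SW loop` so they are copy-exact with the code.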
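Review bot: in the bhi_select_mitigation() hunk, setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT) and the "SW BHB clearing on vm exit" pr_info run unconditionally once the CONFIG_X86_64 check passes, i.e. on every affected 64-bit host whether or not KVM is built or any guest ever runs. Forcing the cap is harmless (its only alternative site is the CLEAR_BRANCH_HISTORY_VMEXIT use in the vmenter.S hunk), but the log line advertises a KVM mitigation on kernels without KVM; consider gating the message on IS_ENABLED(CONFIG_KVM_INTEL) or wording it as "SW BHB clearing on vm exit (KVM)". A short comment that the VM-exit cap is now independent of X86_FEATURE_CLEAR_BHB_LOOP, so the =on path must force both (as the hunk does) to keep the previous VM-exit behaviour, would also help the next reader.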
From patchwork Fri May 17 07:57:22 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1936303
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 09/15] UBUNTU: [Config] updateconfigs for CONFIG_BHI_{AUTO|ON|OFF}
Date: Fri, 17 May 2024 03:57:22 -0400
Message-Id: <20240517075728.9722-10-yuxuan.luo@canonical.com>
In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com>
References: <20240517075728.9722-1-yuxuan.luo@canonical.com>

Adds annotation configs to comply with the new kernel configs. Set AUTO as default to be less intrusive.

CVE-2024-2201
Signed-off-by: Yuxuan Luo
---
 debian.master/config/annotations | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 06cf3f9744fa9..12e485640a424 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -10861,6 +10861,9 @@ CONFIG_SPEAKUP_SYNTH_LTLK policy<{'amd64': 'm', 'arm64': ' CONFIG_SPEAKUP_SYNTH_SOFT policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}> CONFIG_SPEAKUP_SYNTH_SPKOUT policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}> CONFIG_SPEAKUP_SYNTH_TXPRT policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}> +CONFIG_SPECTRE_BHI_AUTO policy<{'amd64': 'y', 'i386': 'y'}> +CONFIG_SPECTRE_BHI_OFF policy<{'amd64': 'n', 'i386': 'n'}> +CONFIG_SPECTRE_BHI_ON policy<{'amd64': 'n', 'i386': 'n'}> CONFIG_SPI policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'n'}> CONFIG_SPI_ALTERA policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}> CONFIG_SPI_ARMADA_3700 policy<{'arm64': 'm', 'armhf': 'm'}>
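Review bot: the annotations hunk picks CONFIG_SPECTRE_BHI_AUTO=y (ON=n) and the commit message justifies it only as "less intrusive"; with the auto semantics introduced in patch 08/15, a host without BHI_DIS_S gets the VM-exit clearing loop only and the software sequence is not deployed at syscalls, which patch 10/15's documentation spells out as "The system may be vulnerable" and which diverges from the upstream-documented default of =on. Please state that trade-off in the commit message (and that spectre_bhi=on restores the upstream behaviour) so it survives into the changelog. Minor: the i386 entries are a no-op, since bhi_select_mitigation() returns before forcing either cap when CONFIG_X86_64 is not set, so listing i386 here is fine but worth knowing.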
From patchwork Fri May 17 07:57:23 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1936305
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 10/15] x86/bugs: Fix BHI documentation
Date: Fri, 17 May 2024 03:57:23 -0400
Message-Id: <20240517075728.9722-11-yuxuan.luo@canonical.com>
In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com>
References: <20240517075728.9722-1-yuxuan.luo@canonical.com>

From: Josh Poimboeuf

Fix up some inaccuracies in the BHI documentation.

Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
Signed-off-by: Josh Poimboeuf
Signed-off-by: Ingo Molnar
Reviewed-by: Nikolay Borisov
Cc: Linus Torvalds
Cc: Sean Christopherson
Link: https://lore.kernel.org/r/8c84f7451bfe0dd08543c6082a383f390d4aa7e2.1712813475.git.jpoimboe@kernel.org
(cherry picked from commit dfe648903f42296866d79f10d03f8c85c9dfba30)
CVE-2024-2201
Signed-off-by: Yuxuan Luo
---
 Documentation/admin-guide/hw-vuln/spectre.rst   | 15 ++++++++-------
 Documentation/admin-guide/kernel-parameters.txt | 12 +++++++-----
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst
index 8e003eb6ac0fd..fe50e9cb00282 100644
--- a/Documentation/admin-guide/hw-vuln/spectre.rst
+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
@@ -439,11 +439,11 @@ The possible values in this file are: - System is protected by retpoline * - BHI: BHI_DIS_S - System is protected by BHI_DIS_S - * - BHI: SW loop; KVM SW loop + * - BHI: SW loop, KVM SW loop - System is protected by software clearing sequence * - BHI: Syscall hardening - Syscalls are hardened against BHI - * - BHI: Syscall hardening; KVM: SW loop + * - BHI: Syscall hardening, KVM: SW loop - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence Full mitigation might require a microcode update from the CPU @@ -708,13 +708,14 @@ For user space mitigation: of the HW BHI control and the SW BHB clearing sequence. on - unconditionally enable. + (default) Enable the HW or SW mitigation as + needed. off - unconditionally disable. + Disable the mitigation. auto - enable if hardware mitigation - control(BHI_DIS_S) is available, otherwise - enable alternate mitigation in KVM. + Enable the HW mitigation if needed, but + *don't* enable the SW mitigation except for KVM. + The system may be vulnerable. For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 9b38050fdf5f0..bccf22d167622 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2748,6 +2748,7 @@ nospectre_v2 [X86,PPC,S390,ARM64] retbleed=off [X86] spec_store_bypass_disable=off [X86,PPC] + spectre_bhi=off [X86] spectre_v2_user=off [X86] srbds=off [X86,INTEL] ssbd=force-off [ARM64] 
@@ -4611,11 +4612,12 @@ deployment of the HW BHI control and the SW BHB clearing sequence. - on - unconditionally enable. - off - unconditionally disable. - auto - (default) enable hardware mitigation - (BHI_DIS_S) if available, otherwise enable - alternate mitigation in KVM. + on - (default) Enable the HW or SW mitigation + as needed. + off - Disable the mitigation. + auto - Enable the HW mitigation if needed, but + *don't* enable the SW mitigation except + for KVM. The system may be vulnerable. spectre_v2= [X86] Control mitigation of Spectre variant 2 (indirect branch speculation) vulnerability.
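Review bot: the first kernel-parameters.txt hunk adds "spectre_bhi=off [X86]" to the list of what mitigations=off implies, but no hunk in this series wires cpu_mitigations_off() into bhi_select_mitigation(); the only mode handling visible in the series is the explicit bhi_mitigation value from the command line. Please confirm the code actually honours mitigations=off for BHI on this tree (or carry the corresponding bugs.c change), otherwise this hunk introduces a new inaccuracy while fixing the others.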
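Review bot: both documentation hunks now mark `on` as "(default)", which is correct upstream but not for this tree, where patch 09/15 sets CONFIG_SPECTRE_BHI_AUTO=y; as backported, the admin guide shipped with this kernel misstates its own default. Either drop the "(default)" marker in the backport, or note in the commit message that the compiled-in default here is auto and that the "(default)" text is kept for fidelity to upstream.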
From patchwork Fri May 17 07:57:24 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1936308
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 11/15] x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES
Date: Fri, 17 May 2024 03:57:24 -0400
Message-Id: <20240517075728.9722-12-yuxuan.luo@canonical.com>
In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com>
References: <20240517075728.9722-1-yuxuan.luo@canonical.com>

From: Josh Poimboeuf

There's no need to keep reading MSR_IA32_ARCH_CAPABILITIES over and over. It's even read in the BHI sysfs function which is a big no-no. Just read it once and cache it.

Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
Signed-off-by: Josh Poimboeuf
Signed-off-by: Ingo Molnar
Reviewed-by: Nikolay Borisov
Cc: Linus Torvalds
Cc: Sean Christopherson
Link: https://lore.kernel.org/r/9592a18a814368e75f8f4b9d74d3883aa4fd1eaf.1712813475.git.jpoimboe@kernel.org
(backported from commit cb2db5bb04d7f778fbc1a1ea2507aab436f1bff3)
[yuxuan.luo: The conflict around rfds_mitigations is caused by missing 8076fcde016c ("x86/rfds: Mitigate Register File Data Sampling (RFDS)"). Since it's a huge feature patch and is out of the scope of this CVE, ignore this conflict.]
CVE-2024-2201
Signed-off-by: Yuxuan Luo
---
 arch/x86/kernel/cpu/bugs.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index cd69490b65722..476ee30222578 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -54,6 +54,8 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); DEFINE_PER_CPU(u64, x86_spec_ctrl_current); EXPORT_SYMBOL_GPL(x86_spec_ctrl_current); +static u64 __ro_after_init ia32_cap; + static DEFINE_MUTEX(spec_ctrl_mutex); /* Update SPEC_CTRL MSR and its cached copy unconditionally */ @@ -131,6 +133,8 @@ void __init cpu_select_mitigations(void) x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK; } + ia32_cap = x86_read_arch_cap_msr(); + /* Select the proper CPU mitigations before patching alternatives: */ spectre_v1_select_mitigation(); spectre_v2_select_mitigation(); @@ -281,8 +285,6 @@ static const char * const taa_strings[] = { static void __init taa_select_mitigation(void) { - u64 ia32_cap; - if (!boot_cpu_has_bug(X86_BUG_TAA)) { taa_mitigation = TAA_MITIGATION_OFF; return; @@ -321,7 +323,6 @@ static void __init taa_select_mitigation(void) * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode * update is required. */ - ia32_cap = x86_read_arch_cap_msr(); if ( (ia32_cap & ARCH_CAP_MDS_NO) && !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR)) taa_mitigation = TAA_MITIGATION_UCODE_NEEDED; @@ -381,8 +382,6 @@ static const char * const mmio_strings[] = { static void __init mmio_select_mitigation(void) { - u64 ia32_cap; - if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) || boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) || cpu_mitigations_off()) { @@ -393,8 +392,6 @@ static void __init mmio_select_mitigation(void) if (mmio_mitigation == MMIO_MITIGATION_OFF) return; - ia32_cap = x86_read_arch_cap_msr(); - /* * Enable CPU buffer clear mitigation for host and VMM, if also affected * by MDS or TAA. Otherwise, enable mitigation for VMM only. @@ -563,8 +560,6 @@ void update_srbds_msr(void) static void __init srbds_select_mitigation(void) { - u64 ia32_cap; - if (!boot_cpu_has_bug(X86_BUG_SRBDS)) return; 
@@ -573,7 +568,6 @@ static void __init srbds_select_mitigation(void) * are only exposed to SRBDS when TSX is enabled or when CPU is affected * by Processor MMIO Stale Data vulnerability. */ - ia32_cap = x86_read_arch_cap_msr(); if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) && !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) srbds_mitigation = SRBDS_MITIGATION_TSX_OFF; @@ -689,7 +683,7 @@ static void __init gds_select_mitigation(void) /* Will verify below that mitigation _can_ be disabled */ /* No microcode */ - if (!(x86_read_arch_cap_msr() & ARCH_CAP_GDS_CTRL)) { + if (!(ia32_cap & ARCH_CAP_GDS_CTRL)) { if (gds_mitigation == GDS_MITIGATION_FORCE) { /* * This only needs to be done on the boot CPU so do it @@ -1652,8 +1646,6 @@ static void update_indir_branch_cond(void) /* Update the static key controlling the MDS CPU buffer clear in idle */ static void update_mds_branch_idle(void) { - u64 ia32_cap = x86_read_arch_cap_msr(); - /* * Enable the idle clearing if SMT is active on CPUs which are * affected only by MSBDS and not any other MDS variant. 
@@ -2356,7 +2348,7 @@ static const char * const spectre_bhi_state(void) else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) return "; BHI: SW loop, KVM: SW loop"; else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && - !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) + !(ia32_cap & ARCH_CAP_RRSBA)) return "; BHI: Retpoline"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) return "; BHI: Syscall hardening, KVM: SW loop";
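Review bot: with ia32_cap populated once in cpu_select_mitigations() (second hunk) and declared __ro_after_init (first hunk), spectre_bhi_state() now reports the boot-time ARCH_CAP_RRSBA bit instead of re-reading the MSR from a sysfs read, which is the intent; it is also fine for update_mds_branch_idle(), which runs after init on SMT changes, since reading an __ro_after_init variable stays valid. Worth a one-line comment at the declaration saying the value is deliberately a boot-time snapshot (a late microcode load that changes ARCH_CAPABILITIES is not reflected, consistent with mitigation selection having already happened). Also, spec_ctrl_disable_kernel_rrsba() still keeps its own local and its own x86_read_arch_cap_msr() call (visible in the next patch's hunk); this patch could have converted that site to the cached value as well.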
From patchwork Fri May 17 07:57:25 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1936306
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 12/15] x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'
Date: Fri, 17 May 2024 03:57:25 -0400
Message-Id: <20240517075728.9722-13-yuxuan.luo@canonical.com>
In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com>
References: <20240517075728.9722-1-yuxuan.luo@canonical.com>

From: Ingo Molnar

So we are using the 'ia32_cap' value in a number of places, which got its name from MSR_IA32_ARCH_CAPABILITIES MSR register. But there's very little 'IA32' about it - this isn't 32-bit only code, nor does it originate from there, it's just a historic quirk that many Intel MSR names are prefixed with IA32_.

This is already clear from the helper method around the MSR: x86_read_arch_cap_msr(), which doesn't have the IA32 prefix.

So rename 'ia32_cap' to 'x86_arch_cap_msr' to be consistent with its role and with the naming of the helper function.

Signed-off-by: Ingo Molnar
Cc: Josh Poimboeuf
Cc: Nikolay Borisov
Cc: Linus Torvalds
Cc: Sean Christopherson
Link: https://lore.kernel.org/r/9592a18a814368e75f8f4b9d74d3883aa4fd1eaf.1712813475.git.jpoimboe@kernel.org
(backported from commit d0485730d2189ffe5d986d4e9e191f1e4d5ffd24)
[yuxuan.luo: adjusted context and ignored hunks for functions yet to be introduced.]
CVE-2024-2201
Signed-off-by: Yuxuan Luo
---
 arch/x86/kernel/cpu/bugs.c   | 28 ++++++++++++-------------
 arch/x86/kernel/cpu/common.c | 40 ++++++++++++++++++------------------
 2 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 476ee30222578..d30b8ec0dd915 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c @@ -54,7 +54,7 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); DEFINE_PER_CPU(u64, x86_spec_ctrl_current); EXPORT_SYMBOL_GPL(x86_spec_ctrl_current); -static u64 __ro_after_init ia32_cap; +static u64 __ro_after_init x86_arch_cap_msr; static DEFINE_MUTEX(spec_ctrl_mutex); @@ -133,7 +133,7 @@ void __init cpu_select_mitigations(void) x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK; } - ia32_cap = x86_read_arch_cap_msr(); + x86_arch_cap_msr = x86_read_arch_cap_msr(); /* Select the proper CPU mitigations before patching alternatives: */ spectre_v1_select_mitigation(); @@ -323,8 +323,8 @@ static void __init taa_select_mitigation(void) * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode * update is required. */ - if ( (ia32_cap & ARCH_CAP_MDS_NO) && - !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR)) + if ( (x86_arch_cap_msr & ARCH_CAP_MDS_NO) && + !(x86_arch_cap_msr & ARCH_CAP_TSX_CTRL_MSR)) taa_mitigation = TAA_MITIGATION_UCODE_NEEDED; /* @@ -407,7 +407,7 @@ static void __init mmio_select_mitigation(void) * be propagated to uncore buffers, clearing the Fill buffers on idle * is required irrespective of SMT state. */ - if (!(ia32_cap & ARCH_CAP_FBSDP_NO)) + if (!(x86_arch_cap_msr & ARCH_CAP_FBSDP_NO)) static_branch_enable(&mds_idle_clear); /* @@ -417,10 +417,10 @@ static void __init mmio_select_mitigation(void) * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS * affected systems. */ - if ((ia32_cap & ARCH_CAP_FB_CLEAR) || + if ((x86_arch_cap_msr & ARCH_CAP_FB_CLEAR) || (boot_cpu_has(X86_FEATURE_MD_CLEAR) && boot_cpu_has(X86_FEATURE_FLUSH_L1D) && - !(ia32_cap & ARCH_CAP_MDS_NO))) + !(x86_arch_cap_msr & ARCH_CAP_MDS_NO))) mmio_mitigation = MMIO_MITIGATION_VERW; else mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED; 
@@ -568,7 +568,7 @@ static void __init srbds_select_mitigation(void) * are only exposed to SRBDS when TSX is enabled or when CPU is affected * by Processor MMIO Stale Data vulnerability. */ - if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) && + if ((x86_arch_cap_msr & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) && !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) srbds_mitigation = SRBDS_MITIGATION_TSX_OFF; else if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) @@ -683,7 +683,7 @@ static void __init gds_select_mitigation(void) /* Will verify below that mitigation _can_ be disabled */ /* No microcode */ - if (!(ia32_cap & ARCH_CAP_GDS_CTRL)) { + if (!(x86_arch_cap_msr & ARCH_CAP_GDS_CTRL)) { if (gds_mitigation == GDS_MITIGATION_FORCE) { /* * This only needs to be done on the boot CPU so do it @@ -1301,14 +1301,14 @@ static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void) /* Disable in-kernel use of non-RSB RET predictors */ static void __init spec_ctrl_disable_kernel_rrsba(void) { - u64 ia32_cap; + u64 x86_arch_cap_msr; if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL)) return; - ia32_cap = x86_read_arch_cap_msr(); + x86_arch_cap_msr = x86_read_arch_cap_msr(); - if (ia32_cap & ARCH_CAP_RRSBA) { + if (x86_arch_cap_msr & ARCH_CAP_RRSBA) { x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; update_spec_ctrl(x86_spec_ctrl_base); } @@ -1660,7 +1660,7 @@ static void update_mds_branch_idle(void) if (sched_smt_active()) { static_branch_enable(&mds_idle_clear); } else if (mmio_mitigation == MMIO_MITIGATION_OFF || - (ia32_cap & ARCH_CAP_FBSDP_NO)) { + (x86_arch_cap_msr & ARCH_CAP_FBSDP_NO)) { static_branch_disable(&mds_idle_clear); } } 
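Review bot: In the spec_ctrl_disable_kernel_rrsba() hunk (@@ -1301), the local `u64 x86_arch_cap_msr;` now has the same name as the file-scope `static u64 __ro_after_init x86_arch_cap_msr;` introduced in the first hunk of bugs.c, so it shadows the static (-Wshadow will flag it) and the function re-reads the MSR via x86_read_arch_cap_msr() even though cpu_select_mitigations() already stored that value in the static (@@ -133 hunk) before selecting mitigations. Either drop the local and read the static, or give the local a clearly distinct name so the two cannot be confused; the rename is otherwise mechanical and consistent across both files.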
@@ -2348,7 +2348,7 @@ static const char * const spectre_bhi_state(void) else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) return "; BHI: SW loop, KVM: SW loop"; else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && - !(ia32_cap & ARCH_CAP_RRSBA)) + !(x86_arch_cap_msr & ARCH_CAP_RRSBA)) return "; BHI: Retpoline"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) return "; BHI: Syscall hardening, KVM: SW loop"; diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 5a58b26be286f..51d2aff64171b 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -1181,28 +1181,28 @@ static bool __init cpu_matches(const struct x86_cpu_id *table, unsigned long whi u64 x86_read_arch_cap_msr(void) { - u64 ia32_cap = 0; + u64 x86_arch_cap_msr = 0; if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) - rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); + rdmsrl(MSR_IA32_ARCH_CAPABILITIES, x86_arch_cap_msr); - return ia32_cap; + return x86_arch_cap_msr; } -static bool arch_cap_mmio_immune(u64 ia32_cap) +static bool arch_cap_mmio_immune(u64 x86_arch_cap_msr) { - return (ia32_cap & ARCH_CAP_FBSDP_NO && - ia32_cap & ARCH_CAP_PSDP_NO && - ia32_cap & ARCH_CAP_SBDR_SSDP_NO); + return (x86_arch_cap_msr & ARCH_CAP_FBSDP_NO && + x86_arch_cap_msr & ARCH_CAP_PSDP_NO && + x86_arch_cap_msr & ARCH_CAP_SBDR_SSDP_NO); } static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) { - u64 ia32_cap = x86_read_arch_cap_msr(); + u64 x86_arch_cap_msr = x86_read_arch_cap_msr(); /* Set ITLB_MULTIHIT bug if cpu is not in the whitelist and not mitigated */ if (!cpu_matches(cpu_vuln_whitelist, NO_ITLB_MULTIHIT) && - !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO)) + !(x86_arch_cap_msr & ARCH_CAP_PSCHANGE_MC_NO)) setup_force_cpu_bug(X86_BUG_ITLB_MULTIHIT); if (cpu_matches(cpu_vuln_whitelist, NO_SPECULATION)) 
@@ -1214,15 +1214,15 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) setup_force_cpu_bug(X86_BUG_SPECTRE_V2); if (!cpu_matches(cpu_vuln_whitelist, NO_SSB) && - !(ia32_cap & ARCH_CAP_SSB_NO) && + !(x86_arch_cap_msr & ARCH_CAP_SSB_NO) && !cpu_has(c, X86_FEATURE_AMD_SSB_NO)) setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); - if (ia32_cap & ARCH_CAP_IBRS_ALL) + if (x86_arch_cap_msr & ARCH_CAP_IBRS_ALL) setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED); if (!cpu_matches(cpu_vuln_whitelist, NO_MDS) && - !(ia32_cap & ARCH_CAP_MDS_NO)) { + !(x86_arch_cap_msr & ARCH_CAP_MDS_NO)) { setup_force_cpu_bug(X86_BUG_MDS); if (cpu_matches(cpu_vuln_whitelist, MSBDS_ONLY)) setup_force_cpu_bug(X86_BUG_MSBDS_ONLY); @@ -1241,9 +1241,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) * TSX_CTRL check alone is not sufficient for cases when the microcode * update is not present or running as guest that don't get TSX_CTRL. */ - if (!(ia32_cap & ARCH_CAP_TAA_NO) && + if (!(x86_arch_cap_msr & ARCH_CAP_TAA_NO) && (cpu_has(c, X86_FEATURE_RTM) || - (ia32_cap & ARCH_CAP_TSX_CTRL_MSR))) + (x86_arch_cap_msr & ARCH_CAP_TSX_CTRL_MSR))) setup_force_cpu_bug(X86_BUG_TAA); /* @@ -1269,7 +1269,7 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) * Set X86_BUG_MMIO_UNKNOWN for CPUs that are neither in the blacklist, * nor in the whitelist and also don't enumerate MSR ARCH_CAP MMIO bits. */ - if (!arch_cap_mmio_immune(ia32_cap)) { + if (!arch_cap_mmio_immune(x86_arch_cap_msr)) { if (cpu_matches(cpu_vuln_blacklist, MMIO)) setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA); else if (!cpu_matches(cpu_vuln_whitelist, NO_MMIO)) 
@@ -1277,13 +1277,13 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) } if (!cpu_has(c, X86_FEATURE_BTC_NO)) { - if (cpu_matches(cpu_vuln_blacklist, RETBLEED) || (ia32_cap & ARCH_CAP_RSBA)) + if (cpu_matches(cpu_vuln_blacklist, RETBLEED) || (x86_arch_cap_msr & ARCH_CAP_RSBA)) setup_force_cpu_bug(X86_BUG_RETBLEED); } if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) && !cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) && - !(ia32_cap & ARCH_CAP_PBRSB_NO)) + !(x86_arch_cap_msr & ARCH_CAP_PBRSB_NO)) setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB); if (cpu_matches(cpu_vuln_blacklist, SMT_RSB)) @@ -1295,12 +1295,12 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) * disabling AVX2. The only way to do this in HW is to clear XCR0[2], * which means that AVX will be disabled. */ - if (cpu_matches(cpu_vuln_blacklist, GDS) && !(ia32_cap & ARCH_CAP_GDS_NO) && + if (cpu_matches(cpu_vuln_blacklist, GDS) && !(x86_arch_cap_msr & ARCH_CAP_GDS_NO) && boot_cpu_has(X86_FEATURE_AVX)) setup_force_cpu_bug(X86_BUG_GDS); /* When virtualized, eIBRS could be hidden, assume vulnerable */ - if (!(ia32_cap & ARCH_CAP_BHI_NO) && + if (!(x86_arch_cap_msr & ARCH_CAP_BHI_NO) && !cpu_matches(cpu_vuln_whitelist, NO_BHI) && (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) || boot_cpu_has(X86_FEATURE_HYPERVISOR))) 
@@ -1310,7 +1310,7 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) return; /* Rogue Data Cache Load? No! */ - if (ia32_cap & ARCH_CAP_RDCL_NO) + if (x86_arch_cap_msr & ARCH_CAP_RDCL_NO) return; setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
From patchwork Fri May 17 07:57:26 2024 X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1936307
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 13/15] x86/bugs: Fix BHI handling of RRSBA Date: Fri, 17 May 2024 03:57:26 -0400 Message-Id: <20240517075728.9722-14-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com> References: <20240517075728.9722-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Josh Poimboeuf The ARCH_CAP_RRSBA check isn't correct: RRSBA may have already been disabled by the Spectre v2 mitigation (or can otherwise be disabled by the BHI mitigation itself if needed). In that case retpolines are fine. Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob") Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Linus Torvalds Cc: Sean Christopherson Link: https://lore.kernel.org/r/6f56f13da34a0834b69163467449be7f58f253dc.1712813475.git.jpoimboe@kernel.org (cherry picked from commit 1cea8a280dfd1016148a3820676f2f03e3f5b898) CVE-2024-2201 Signed-off-by: Yuxuan Luo --- arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d30b8ec0dd915..4cdf99c1feafd 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -1298,20 +1298,25 @@ static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void) return SPECTRE_V2_RETPOLINE; } +static bool __ro_after_init rrsba_disabled; + /* Disable in-kernel use of non-RSB RET predictors */ static void __init spec_ctrl_disable_kernel_rrsba(void) { - u64 x86_arch_cap_msr; + if (rrsba_disabled) + return; - if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL)) + if (!(x86_arch_cap_msr & ARCH_CAP_RRSBA)) { + rrsba_disabled = true; return; + } - x86_arch_cap_msr = x86_read_arch_cap_msr(); + if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL)) + return; - if (x86_arch_cap_msr & ARCH_CAP_RRSBA) { - x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; - update_spec_ctrl(x86_spec_ctrl_base); - } + x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; + update_spec_ctrl(x86_spec_ctrl_base); + rrsba_disabled = true; } static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode) @@ -1412,9 +1417,11 @@ static void __init bhi_select_mitigation(void) return; /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ - if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) && - !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) - return; + if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { + spec_ctrl_disable_kernel_rrsba(); + if (rrsba_disabled) + return; + } if (spec_ctrl_bhi_dis()) return; 
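Review bot: In the spec_ctrl_disable_kernel_rrsba() hunk (@@ -1298), `rrsba_disabled` is also set to true on the path where ARCH_CAP_RRSBA is simply not enumerated, so the flag really means "the kernel is not exposed to RRSBA" rather than "we turned it off"; a one-line comment on the `static bool __ro_after_init rrsba_disabled;` declaration would prevent that misreading, and the early `return` when X86_FEATURE_RRSBA_CTRL is absent correctly leaves the flag false so bhi_select_mitigation() falls through to the remaining mitigations. The function now reads the file-scope x86_arch_cap_msr instead of calling x86_read_arch_cap_msr(), which depends on cpu_select_mitigations() having populated it first; worth stating in the comment. In the bhi_select_mitigation() hunk (@@ -1412), calling spec_ctrl_disable_kernel_rrsba() means BHI selection can now write SPEC_CTRL_RRSBA_DIS_S into x86_spec_ctrl_base as a side effect, and the unchanged comment "Retpoline mitigates against BHI unless the CPU has RRSBA behavior" should say "unless RRSBA is enabled and cannot be disabled" to match the new logic.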
@@ -2347,8 +2354,7 @@ static const char * const spectre_bhi_state(void) return "; BHI: BHI_DIS_S"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) return "; BHI: SW loop, KVM: SW loop"; - else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && - !(x86_arch_cap_msr & ARCH_CAP_RRSBA)) + else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled) return "; BHI: Retpoline"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) return "; BHI: Syscall hardening, KVM: SW loop";
From patchwork Fri May 17 07:57:27 2024 X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1936310
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 14/15] x86/bugs: Clarify that syscall hardening isn't a BHI mitigation Date: Fri, 17 May 2024 03:57:27 -0400 Message-Id: <20240517075728.9722-15-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com> References: <20240517075728.9722-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Josh Poimboeuf While syscall hardening helps prevent some BHI attacks, there's still other low-hanging fruit remaining. Don't classify it as a mitigation and make it clear that the system may still be vulnerable if it doesn't have a HW or SW mitigation enabled. Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob") Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Cc: Linus Torvalds Cc: Sean Christopherson Link: https://lore.kernel.org/r/b5951dae3fdee7f1520d5136a27be3bdfe95f88b.1712813475.git.jpoimboe@kernel.org (cherry picked from commit 5f882f3b0a8bf0788d5a0ee44b1191de5319bb8a) CVE-2024-2201 Signed-off-by: Yuxuan Luo --- Documentation/admin-guide/hw-vuln/spectre.rst | 11 +++++------ Documentation/admin-guide/kernel-parameters.txt | 3 +-- arch/x86/kernel/cpu/bugs.c | 6 +++--- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst index fe50e9cb00282..601be75541bf2 100644 --- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst 
@@ -441,10 +441,10 @@ The possible values in this file are: - System is protected by BHI_DIS_S * - BHI: SW loop, KVM SW loop - System is protected by software clearing sequence - * - BHI: Syscall hardening - - Syscalls are hardened against BHI - * - BHI: Syscall hardening, KVM: SW loop - - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence + * - BHI: Vulnerable + - System is vulnerable to BHI + * - BHI: Vulnerable, KVM: SW loop + - System is vulnerable; KVM is protected by software clearing sequence Full mitigation might require a microcode update from the CPU vendor. When the necessary microcode is not available, the kernel will @@ -703,8 +703,7 @@ For user space mitigation: spectre_bhi= [X86] Control mitigation of Branch History Injection - (BHI) vulnerability. Syscalls are hardened against BHI - regardless of this setting. This setting affects the deployment + (BHI) vulnerability. This setting affects the deployment of the HW BHI control and the SW BHB clearing sequence. on diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index bccf22d167622..59714ce57f3b1 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4607,8 +4607,7 @@ See Documentation/admin-guide/laptops/sonypi.rst spectre_bhi= [X86] Control mitigation of Branch History Injection - (BHI) vulnerability. Syscalls are hardened against BHI - reglardless of this setting. This setting affects the + (BHI) vulnerability. This setting affects the deployment of the HW BHI control and the SW BHB clearing sequence. diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 4cdf99c1feafd..fe27ebe95030a 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
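Review bot: The spectre.rst hunk (@@ -441) replaces the two syscall-hardening rows but still does not document the `BHI: Retpoline` state that spectre_bhi_state() returns (it appears as unchanged context, `return "; BHI: Retpoline";`, in this patch's bugs.c hunk), so the sysfs table stays incomplete after this change; add a `* - BHI: Retpoline` row with a short description alongside the new `BHI: Vulnerable` rows. The kernel-parameters.txt hunk (@@ -4607) drops the sentence containing the "reglardless" typo, which resolves that typo as a side effect; and in the bugs.c hunk the `-`/`+` pair for `else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))` reads identically, so that looks like a whitespace-only change worth confirming with `git diff -w` before merging.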
@@ -2356,10 +2356,10 @@ static const char * const spectre_bhi_state(void) return "; BHI: SW loop, KVM: SW loop"; else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled) return "; BHI: Retpoline"; - else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) - return "; BHI: Syscall hardening, KVM: SW loop"; + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) + return "; BHI: Vulnerable, KVM: SW loop"; - return "; BHI: Vulnerable (Syscall hardening enabled)"; + return "; BHI: Vulnerable"; } static ssize_t spectre_v2_show_state(char *buf)
From patchwork Fri May 17 07:57:28 2024 X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1936309
From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [PATCH 15/15] x86/bugs: Fix BHI retpoline check Date: Fri, 17 May 2024 03:57:28 -0400 Message-Id: <20240517075728.9722-16-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240517075728.9722-1-yuxuan.luo@canonical.com> References: <20240517075728.9722-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Josh Poimboeuf Confusingly, X86_FEATURE_RETPOLINE doesn't mean retpolines are enabled, as it also includes the original "AMD retpoline" which isn't a retpoline at all. Also replace cpu_feature_enabled() with boot_cpu_has() because this is before alternatives are patched and cpu_feature_enabled()'s fallback path is slower than plain old boot_cpu_has(). Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob") Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Reviewed-by: Pawan Gupta Cc: Borislav Petkov Cc: Linus Torvalds Link: https://lore.kernel.org/r/ad3807424a3953f0323c011a643405619f2a4927.1712944776.git.jpoimboe@kernel.org (cherry picked from commit 69129794d94c544810e68b2b4eaa7e44063f9bf2) CVE-2024-2201 Signed-off-by: Yuxuan Luo --- arch/x86/kernel/cpu/bugs.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index fe27ebe95030a..aa1b8415ef696 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -1417,7 +1417,8 @@ static void __init bhi_select_mitigation(void) return; /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ - if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { + if (boot_cpu_has(X86_FEATURE_RETPOLINE) && + !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE)) { spec_ctrl_disable_kernel_rrsba(); if (rrsba_disabled) return; @@ -2350,11 +2351,13 @@ static const char * const spectre_bhi_state(void) { if (!boot_cpu_has_bug(X86_BUG_BHI)) return "; BHI: Not affected"; - else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) return "; BHI: BHI_DIS_S"; - else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) return "; BHI: SW loop, KVM: SW loop"; - else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled) + else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && + !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE) && + rrsba_disabled) return "; BHI: Retpoline"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) return "; BHI: Vulnerable, KVM: SW loop";
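Review bot: The comment above the new condition in bhi_select_mitigation() (@@ -1417), "Retpoline mitigates against BHI unless the CPU has RRSBA behavior", no longer describes the check, which now also excludes the LFENCE "AMD retpoline" (X86_FEATURE_RETPOLINE_LFENCE) and relies on rrsba_disabled; update it in the same patch. The same three-term test (`boot_cpu_has(X86_FEATURE_RETPOLINE) && !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE) && rrsba_disabled`) is now written out twice, here and in spectre_bhi_state() (@@ -2350); a small static helper (a hypothetical `bhi_retpoline_mitigated()`, say) would keep the two sites from drifting apart the way the ARCH_CAP_RRSBA check did in patch 13. The switch from cpu_feature_enabled() to boot_cpu_has() matches the commit message's reasoning about running before alternatives are patched, and the report-path hunk's `-`/`+` pairs for the CLEAR_BHB_HW and CLEAR_BHB_LOOP lines appear identical, so those look whitespace-only.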