From 0e0b695e53e90daf639a8bdfeece4890f956e7a3 Mon Sep 17 00:00:00 2001 
From: Salvatore Bonaccorso Date: Tue, 22 May 2018 20:31:27 +0200 Subject: [PATCH] Update to 4.16.11 Revert "[x86] Add support for disabling Speculative Store Bypass (CVE-2018-3639)" Cleanup debian/changelog file --- debian/changelog | 90 ++++- ...prevent-memory-disambiguation-attack.patch | 138 ------- ...ion-spec_ctrl-do-some-minor-cleanups.patch | 83 ---- ...ment-virt_spec_ctrl-support-for-ssbd.patch | 206 ---------- ...pec-control-call-after-restore-of-gs.patch | 66 --- ...-getting-setting-on-non-current-task.patch | 154 ------- .../prctl-add-force-disable-speculation.patch | 207 ---------- ...prctl-add-speculation-control-prctls.patch | 239 ----------- ...ails-on-speculation-flaw-mitigations.patch | 57 --- ...c-use-underscores-for-ssbd-in-status.patch | 30 -- ...er-flag-to-opt-out-of-ssb-mitigation.patch | 169 -------- ...-enable-speculation-flaw-mitigations.patch | 60 --- ...tion-migitation-control-to-arch-code.patch | 112 ------ .../seccomp-use-pr_spec_force_disable.patch | 29 -- ...-to-disable-rds-on-famh-if-requested.patch | 187 --------- ...g-detection-into-a-separate-function.patch | 70 ---- ...g-reporting-into-a-separate-function.patch | 87 ---- ...bugs-expose-sys-..-spec_store_bypass.patch | 134 ------ ...s-expose-x86_spec_ctrl_base-directly.patch | 112 ------ ...-__ssb_select_mitigation-return-type.patch | 31 -- ...arameters-alignment-and-missing-void.patch | 38 -- ...et-proper-cpu-features-and-setup-rds.patch | 170 -------- ...eculation-control-for-virt_spec_ctrl.patch | 152 ------- ...e-combination-of-guest-and-host-ibrs.patch | 126 ------ ...bugs-make-boot-modes-__ro_after_init.patch | 39 -- ...x86-bugs-make-cpu_show_common-static.patch | 30 -- ...spec_store_bypass_disable-mitigation.patch | 261 ------------ ...during-boot-and-re-use-reserved-bits.patch | 136 ------- .../x86-bugs-remove-x86_spec_ctrl_set.patch | 70 ---- .../ssb/x86-bugs-rename-_rds-to-_ssbd.patch | 380 ------------------ .../x86-bugs-rename-ssbd_no-to-ssb_no.patch | 42 -- 
...rework-spec_ctrl-base-and-mask-logic.patch | 91 ----- ...86_spec_ctrl_-set_guest-restore_host.patch | 139 ------- ...itelist-allowed-spec_ctrl-msr-values.patch | 66 --- ...ative_msr_write-work-for-32-bit-code.patch | 37 -- .../ssb/x86-cpufeatures-add-feature_zen.patch | 41 -- .../x86-cpufeatures-add-x86_feature_rds.patch | 32 -- ...-msr_spec_ctrl-enumeration-from-ibrs.patch | 143 ------- ...eatures-disentangle-ssbd-enumeration.patch | 150 ------- ...-expose-spec_ctrl-bit-2-to-the-guest.patch | 64 --- ...ospec-simplify-alternative_msr_write.patch | 67 --- ...-control-of-speculative-store-bypass.patch | 213 ---------- ...-speculative-store-bypass-mitigation.patch | 212 ---------- ...ulative-store-bypass-disable-support.patch | 93 ----- ...te-spec-ctrl.h-to-avoid-include-hell.patch | 125 ------ ...eculation-handle-ht-correctly-on-amd.patch | 232 ----------- ...nt-support-for-virt_spec_ctrl-ls_cfg.patch | 77 ---- ...lt-mode-for-speculative-store-bypass.patch | 157 -------- ...work-speculative_store_bypass_update.patch | 66 --- ...e-synthetic-bits-for-ibrs-ibpb-stibp.patch | 183 --------- debian/patches/series | 49 --- 51 files changed, 78 insertions(+), 5864 deletions(-) delete mode 100644 debian/patches/bugfix/x86/ssb/bpf-prevent-memory-disambiguation-attack.patch delete mode 100644 debian/patches/bugfix/x86/ssb/documentation-spec_ctrl-do-some-minor-cleanups.patch delete mode 100644 debian/patches/bugfix/x86/ssb/kvm-svm-implement-virt_spec_ctrl-support-for-ssbd.patch delete mode 100644 debian/patches/bugfix/x86/ssb/kvm-svm-move-spec-control-call-after-restore-of-gs.patch delete mode 100644 debian/patches/bugfix/x86/ssb/nospec-allow-getting-setting-on-non-current-task.patch delete mode 100644 debian/patches/bugfix/x86/ssb/prctl-add-force-disable-speculation.patch delete mode 100644 debian/patches/bugfix/x86/ssb/prctl-add-speculation-control-prctls.patch delete mode 100644 debian/patches/bugfix/x86/ssb/proc-provide-details-on-speculation-flaw-mitigations.patch delete 
mode 100644 debian/patches/bugfix/x86/ssb/proc-use-underscores-for-ssbd-in-status.patch delete mode 100644 debian/patches/bugfix/x86/ssb/seccomp-add-filter-flag-to-opt-out-of-ssb-mitigation.patch delete mode 100644 debian/patches/bugfix/x86/ssb/seccomp-enable-speculation-flaw-mitigations.patch delete mode 100644 debian/patches/bugfix/x86/ssb/seccomp-move-speculation-migitation-control-to-arch-code.patch delete mode 100644 debian/patches/bugfix/x86/ssb/seccomp-use-pr_spec_force_disable.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-amd-add-support-to-disable-rds-on-famh-if-requested.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-concentrate-bug-detection-into-a-separate-function.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-concentrate-bug-reporting-into-a-separate-function.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-expose-sys-..-spec_store_bypass.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-expose-x86_spec_ctrl_base-directly.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-fix-__ssb_select_mitigation-return-type.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-fix-the-parameters-alignment-and-missing-void.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-intel-set-proper-cpu-features-and-setup-rds.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-kvm-extend-speculation-control-for-virt_spec_ctrl.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-kvm-support-the-combination-of-guest-and-host-ibrs.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-make-boot-modes-__ro_after_init.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-make-cpu_show_common-static.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch delete mode 100644 
debian/patches/bugfix/x86/ssb/x86-bugs-read-spec_ctrl-msr-during-boot-and-re-use-reserved-bits.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-remove-x86_spec_ctrl_set.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-rename-_rds-to-_ssbd.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-rename-ssbd_no-to-ssb_no.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-rework-spec_ctrl-base-and-mask-logic.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-unify-x86_spec_ctrl_-set_guest-restore_host.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-bugs-whitelist-allowed-spec_ctrl-msr-values.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-cpu-make-alternative_msr_write-work-for-32-bit-code.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-cpufeatures-add-feature_zen.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-cpufeatures-add-x86_feature_rds.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-cpufeatures-disentangle-msr_spec_ctrl-enumeration-from-ibrs.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-cpufeatures-disentangle-ssbd-enumeration.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-kvm-vmx-expose-spec_ctrl-bit-2-to-the-guest.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-nospec-simplify-alternative_msr_write.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-process-allow-runtime-control-of-speculative-store-bypass.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-speculation-add-prctl-for-speculative-store-bypass-mitigation.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-speculation-add-virtualized-speculative-store-bypass-disable-support.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-speculation-create-spec-ctrl.h-to-avoid-include-hell.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-speculation-handle-ht-correctly-on-amd.patch delete mode 100644 
debian/patches/bugfix/x86/ssb/x86-speculation-kvm-implement-support-for-virt_spec_ctrl-ls_cfg.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-speculation-make-seccomp-the-default-mode-for-speculative-store-bypass.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-speculation-rework-speculative_store_bypass_update.patch delete mode 100644 debian/patches/bugfix/x86/ssb/x86-speculation-use-synthetic-bits-for-ibrs-ibpb-stibp.patch
diff --git a/debian/changelog b/debian/changelog
index b73d4a67b..3ae0ce1e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.16.10-1) UNRELEASED; urgency=medium
+linux (4.16.11-1) UNRELEASED; urgency=medium
 * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.6
@@ -366,16 +366,72 @@ linux (4.16.10-1) UNRELEASED; urgency=medium - scsi: aacraid: Correct hba_send to include iu_type - proc: do not access cmdline nor environ from file-backed areas (CVE-2018-1120) - - [ Romain Perier ] - * [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204) - * [armhf] MFD: Enable MFD_TPS65217 (Closes: #897590) - - [ Ben Hutchings ] - * kbuild: use -fmacro-prefix-map to make __FILE__ a relative path - * Bump ABI to 2 - * [rt] Update to 4.16.8-rt3 - * [x86] Add support for disabling Speculative Store Bypass (CVE-2018-3639): + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.11 + - xhci: Fix USB3 NULL pointer dereference at logical disconnect. + - usbip: usbip_host: refine probe and disconnect debug msgs to be useful + - usbip: usbip_host: delete device from busid_table after rebind + - usbip: usbip_host: run rebind from exit when module is removed + - usbip: usbip_host: fix NULL-ptr deref and use-after-free errors + - usbip: usbip_host: fix bad unlock balance during stub_probe() + - ALSA: usb: mixer: volume quirk for CM102-A+/102S+ + - ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup + - ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist + - ALSA: control: fix a redundant-copy issue + - [amd64] spi: pxa2xx: Allow 64-bit DMA + - KVM: vmx: update sec exec controls for UMIP iff emulating UMIP + - [armhf,arm64] KVM: Properly protect VGIC locks from IRQs + - [armhf,arm64] KVM: VGIC/ITS: Promote irq_lock() in update_affinity + - [armhf,arm64] KVM: VGIC/ITS save/restore: protect kvm_read_guest() calls + - [armhf,arm64] KVM: VGIC/ITS: protect kvm_read_guest() calls with SRCU + lock + - hwmon: (k10temp) Fix reading critical temperature register + - hwmon: (k10temp) Use API function to access System Management Network + - [s390x] vfio: ccw: fix cleanup if cp_prefetch fails + - tracing/x86/xen: Remove zero data size trace events + trace_xen_mmu_flush_tlb{_all} + - vsprintf: Replace memory barrier with static_key 
for random_ptr_key + update + - [x86] amd_nb: Add support for Raven Ridge CPUs + - [arm64] tee: shm: fix use-after-free via temporarily dropped reference + - netfilter: nf_tables: free set name in error path + - netfilter: nf_tables: can't fail after linking rule into active rule + list + - netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static + - [arm64] dts: marvell: armada-cp110: Add clocks for the xmdio node + - [arm64] dts: marvell: armada-cp110: Add mg_core_clk for ethernet node + - i2c: designware: fix poll-after-enable regression + - mtd: rawnand: marvell: Fix read logic for layouts with ->nchunks > 2 + - [powerpc*] powerpc/powernv: Fix NVRAM sleep in invalid context when + crashing + - drm: Match sysfs name in link removal to link creation + - radix tree: fix multi-order iteration race + - mm: don't allow deferred pages with NEED_PER_CPU_KM + - [x86] drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk + - [s390x] qdio: fix access to uninitialized qdio_q fields + - [s390x] cpum_sf: ensure sample frequency of perf event attributes is + non-zero + - [s390x] qdio: don't release memory in qdio_setup_irq() + - [s390x] remove indirect branch from do_softirq_own_stack + - bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n + - [x86] pkeys: Override pkey when moving away from PROT_EXEC + - [x86] pkeys: Do not special case protection key 0 + - efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' + definition for mixed mode + - [arm*] 8771/1: kprobes: Prohibit kprobes on do_undefinstr + - [x86] apic/x2apic: Initialize cluster ID properly + - [x86] mm: Drop TS_COMPAT on 64-bit exec() syscall + - tick/broadcast: Use for_each_cpu() specially on UP kernels + - [arm*] 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed + - [arm*] 8770/1: kprobes: Prohibit probing on optimized_callback + - [arm*] 8772/1: kprobes: Prohibit kprobes on get_user functions + - Btrfs: fix xattr loss after power failure + - Btrfs: send, fix 
invalid access to commit roots due to concurrent + snapshotting + - btrfs: property: Set incompat flag if lzo/zstd compression is set + - btrfs: fix crash when trying to resume balance without the resume flag + - btrfs: Split btrfs_del_delalloc_inode into 2 functions + - btrfs: Fix delalloc inodes invalidation during transaction abort + - btrfs: fix reading stale metadata blocks after degraded raid1 mounts - x86/nospec: Simplify alternative_msr_write() - x86/bugs: Concentrate bug detection into a separate function - x86/bugs: Concentrate bug reporting into a separate function
@@ -417,7 +473,8 @@ linux (4.16.10-1) UNRELEASED; urgency=medium - x86/cpufeatures: Add FEATURE_ZEN - x86/speculation: Handle HT correctly on AMD - x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL - - x86/speculation: Add virtualized speculative store bypass disable support + - x86/speculation: Add virtualized speculative store bypass disable + support - x86/speculation: Rework speculative_store_bypass_update() - x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host} - x86/bugs: Expose x86_spec_ctrl_base directly
@@ -428,6 +485,15 @@ linux (4.16.10-1) UNRELEASED; urgency=medium - x86/bugs: Rename SSBD_NO to SSB_NO - bpf: Prevent memory disambiguation attack + [ Romain Perier ] + * [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204) + * [armhf] MFD: Enable MFD_TPS65217 (Closes: #897590) + + [ Ben Hutchings ] + * kbuild: use -fmacro-prefix-map to make __FILE__ a relative path + * Bump ABI to 2 + * [rt] Update to 4.16.8-rt3 + [ Salvatore Bonaccorso ] * [rt] Update to 4.16.7-rt1 and reenable * [rt] certs: Reference certificate for test key used in Debian signing
diff --git a/debian/patches/bugfix/x86/ssb/bpf-prevent-memory-disambiguation-attack.patch b/debian/patches/bugfix/x86/ssb/bpf-prevent-memory-disambiguation-attack.patch
deleted file mode 100644
index a09c852c6..000000000
--- a/debian/patches/bugfix/x86/ssb/bpf-prevent-memory-disambiguation-attack.patch
+++ /dev/null
@@ -1,138 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Alexei Starovoitov -Date: Tue, 15 May 2018 09:27:05 -0700 -Subject: bpf: Prevent memory disambiguation attack - -From: Alexei Starovoitov - -commit af86ca4e3088fe5eacf2f7e58c01fa68ca067672 upstream - -Detect code patterns where malicious 'speculative store bypass' can be used -and sanitize such patterns. - - 39: (bf) r3 = r10 - 40: (07) r3 += -216 - 41: (79) r8 = *(u64 *)(r7 +0) // slow read - 42: (7a) *(u64 *)(r10 -72) = 0 // verifier inserts this instruction - 43: (7b) *(u64 *)(r8 +0) = r3 // this store becomes slow due to r8 - 44: (79) r1 = *(u64 *)(r6 +0) // cpu speculatively executes this load - 45: (71) r2 = *(u8 *)(r1 +0) // speculatively arbitrary 'load byte' - // is now sanitized - -Above code after x86 JIT becomes: - e5: mov %rbp,%rdx - e8: add $0xffffffffffffff28,%rdx - ef: mov 0x0(%r13),%r14 - f3: movq $0x0,-0x48(%rbp) - fb: mov %rdx,0x0(%r14) - ff: mov 0x0(%rbx),%rdi -103: movzbq 0x0(%rdi),%rsi - -Signed-off-by: Alexei Starovoitov -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/bpf_verifier.h | 1 - kernel/bpf/verifier.c | 59 ++++++++++++++++++++++++++++++++++++++++--- - 2 files changed, 57 insertions(+), 3 deletions(-) - ---- a/include/linux/bpf_verifier.h -+++ b/include/linux/bpf_verifier.h -@@ -146,6 +146,7 @@ struct bpf_insn_aux_data { - s32 call_imm; /* saved imm field of call insn */ - }; - int ctx_field_size; /* the ctx field size for load insn, maybe 0 */ -+ int sanitize_stack_off; /* stack slot to be cleared */ - bool seen; /* this insn was processed by the verifier */ - }; - ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -970,7 +970,7 @@ static bool register_is_null(struct bpf_ - */ - static int check_stack_write(struct bpf_verifier_env *env, - struct bpf_func_state *state, /* func where register points to */ -- int off, int size, int value_regno) -+ int off, int size, int value_regno, int insn_idx) - { - struct 
bpf_func_state *cur; /* state of the current function */ - int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err; -@@ -1009,8 +1009,33 @@ static int check_stack_write(struct bpf_ - state->stack[spi].spilled_ptr = cur->regs[value_regno]; - state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; - -- for (i = 0; i < BPF_REG_SIZE; i++) -+ for (i = 0; i < BPF_REG_SIZE; i++) { -+ if (state->stack[spi].slot_type[i] == STACK_MISC && -+ !env->allow_ptr_leaks) { -+ int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off; -+ int soff = (-spi - 1) * BPF_REG_SIZE; -+ -+ /* detected reuse of integer stack slot with a pointer -+ * which means either llvm is reusing stack slot or -+ * an attacker is trying to exploit CVE-2018-3639 -+ * (speculative store bypass) -+ * Have to sanitize that slot with preemptive -+ * store of zero. -+ */ -+ if (*poff && *poff != soff) { -+ /* disallow programs where single insn stores -+ * into two different stack slots, since verifier -+ * cannot sanitize them -+ */ -+ verbose(env, -+ "insn %d cannot access two stack slots fp%d and fp%d", -+ insn_idx, *poff, soff); -+ return -EINVAL; -+ } -+ *poff = soff; -+ } - state->stack[spi].slot_type[i] = STACK_SPILL; -+ } - } else { - u8 type = STACK_MISC; - -@@ -1685,7 +1710,7 @@ static int check_mem_access(struct bpf_v - - if (t == BPF_WRITE) - err = check_stack_write(env, state, off, size, -- value_regno); -+ value_regno, insn_idx); - else - err = check_stack_read(env, state, off, size, - value_regno); -@@ -5156,6 +5181,34 @@ static int convert_ctx_accesses(struct b - else - continue; - -+ if (type == BPF_WRITE && -+ env->insn_aux_data[i + delta].sanitize_stack_off) { -+ struct bpf_insn patch[] = { -+ /* Sanitize suspicious stack slot with zero. 
-+ * There are no memory dependencies for this store, -+ * since it's only using frame pointer and immediate -+ * constant of zero -+ */ -+ BPF_ST_MEM(BPF_DW, BPF_REG_FP, -+ env->insn_aux_data[i + delta].sanitize_stack_off, -+ 0), -+ /* the original STX instruction will immediately -+ * overwrite the same stack slot with appropriate value -+ */ -+ *insn, -+ }; -+ -+ cnt = ARRAY_SIZE(patch); -+ new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt); -+ if (!new_prog) -+ return -ENOMEM; -+ -+ delta += cnt - 1; -+ env->prog = new_prog; -+ insn = new_prog->insnsi + i + delta; -+ continue; -+ } -+ - if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX) - continue; -
diff --git a/debian/patches/bugfix/x86/ssb/documentation-spec_ctrl-do-some-minor-cleanups.patch b/debian/patches/bugfix/x86/ssb/documentation-spec_ctrl-do-some-minor-cleanups.patch
deleted file mode 100644
index fe8c1b949..000000000
--- a/debian/patches/bugfix/x86/ssb/documentation-spec_ctrl-do-some-minor-cleanups.patch
+++ /dev/null
@@ -1,83 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Borislav Petkov -Date: Tue, 8 May 2018 15:43:45 +0200 -Subject: Documentation/spec_ctrl: Do some minor cleanups - -From: Borislav Petkov - -commit dd0792699c4058e63c0715d9a7c2d40226fcdddc upstream - -Fix some typos, improve formulations, end sentences with a fullstop. - -Signed-off-by: Borislav Petkov -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman ---- - Documentation/userspace-api/spec_ctrl.rst | 24 ++++++++++++------------ - 1 file changed, 12 insertions(+), 12 deletions(-) - ---- a/Documentation/userspace-api/spec_ctrl.rst -+++ b/Documentation/userspace-api/spec_ctrl.rst -@@ -2,13 +2,13 @@ - Speculation Control - =================== - --Quite some CPUs have speculation related misfeatures which are in fact --vulnerabilites causing data leaks in various forms even accross privilege --domains. -+Quite some CPUs have speculation-related misfeatures which are in -+fact vulnerabilities causing data leaks in various forms even across -+privilege domains. - - The kernel provides mitigation for such vulnerabilities in various --forms. Some of these mitigations are compile time configurable and some on --the kernel command line. -+forms. Some of these mitigations are compile-time configurable and some -+can be supplied on the kernel command line. - - There is also a class of mitigations which are very expensive, but they can - be restricted to a certain set of processes or tasks in controlled -@@ -32,18 +32,18 @@ the following meaning: - Bit Define Description - ==== ===================== =================================================== - 0 PR_SPEC_PRCTL Mitigation can be controlled per task by -- PR_SET_SPECULATION_CTRL -+ PR_SET_SPECULATION_CTRL. - 1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is -- disabled -+ disabled. - 2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is -- enabled -+ enabled. 
- 3 PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A - subsequent prctl(..., PR_SPEC_ENABLE) will fail. - ==== ===================== =================================================== - - If all bits are 0 the CPU is not affected by the speculation misfeature. - --If PR_SPEC_PRCTL is set, then the per task control of the mitigation is -+If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is - available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation - misfeature will fail. - -@@ -61,9 +61,9 @@ Common error codes - Value Meaning - ======= ================================================================= - EINVAL The prctl is not implemented by the architecture or unused -- prctl(2) arguments are not 0 -+ prctl(2) arguments are not 0. - --ENODEV arg2 is selecting a not supported speculation misfeature -+ENODEV arg2 is selecting a not supported speculation misfeature. - ======= ================================================================= - - PR_SET_SPECULATION_CTRL error codes -@@ -74,7 +74,7 @@ Value Meaning - 0 Success - - ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor -- PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE -+ PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE. - - ENXIO Control of the selected speculation misfeature is not possible. - See PR_GET_SPECULATION_CTRL.
diff --git a/debian/patches/bugfix/x86/ssb/kvm-svm-implement-virt_spec_ctrl-support-for-ssbd.patch b/debian/patches/bugfix/x86/ssb/kvm-svm-implement-virt_spec_ctrl-support-for-ssbd.patch
deleted file mode 100644
index f1e54a258..000000000
--- a/debian/patches/bugfix/x86/ssb/kvm-svm-implement-virt_spec_ctrl-support-for-ssbd.patch
+++ /dev/null
@@ -1,206 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Tom Lendacky -Date: Thu, 10 May 2018 22:06:39 +0200 -Subject: KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD - -From: Tom Lendacky - -commit bc226f07dcd3c9ef0b7f6236fe356ea4a9cb4769 upstream - -Expose the new virtualized architectural mechanism, VIRT_SSBD, for using -speculative store bypass disable (SSBD) under SVM. This will allow guests -to use SSBD on hardware that uses non-architectural mechanisms for enabling -SSBD. - -[ tglx: Folded the migration fixup from Paolo Bonzini ] - -Signed-off-by: Tom Lendacky -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/kvm_host.h | 2 +- - arch/x86/kernel/cpu/common.c | 3 ++- - arch/x86/kvm/cpuid.c | 11 +++++++++-- - arch/x86/kvm/svm.c | 21 +++++++++++++++++++-- - arch/x86/kvm/vmx.c | 18 +++++++++++++++--- - arch/x86/kvm/x86.c | 13 ++++--------- - 6 files changed, 50 insertions(+), 18 deletions(-) - ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -933,7 +933,7 @@ struct kvm_x86_ops { - int (*hardware_setup)(void); /* __init */ - void (*hardware_unsetup)(void); /* __exit */ - bool (*cpu_has_accelerated_tpr)(void); -- bool (*cpu_has_high_real_mode_segbase)(void); -+ bool (*has_emulated_msr)(int index); - void (*cpuid_update)(struct kvm_vcpu *vcpu); - - int (*vm_init)(struct kvm *kvm); ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -767,7 +767,8 @@ static void init_speculation_control(str - if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) - set_cpu_cap(c, X86_FEATURE_STIBP); - -- if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD)) -+ if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD) || -+ cpu_has(c, X86_FEATURE_VIRT_SSBD)) - set_cpu_cap(c, X86_FEATURE_SSBD); - - if (cpu_has(c, X86_FEATURE_AMD_IBRS)) { ---- a/arch/x86/kvm/cpuid.c -+++ b/arch/x86/kvm/cpuid.c -@@ -374,7 +374,7 @@ static inline int __do_cpuid_ent(struct - - /* cpuid 0x80000008.ebx */ - const u32 
kvm_cpuid_8000_0008_ebx_x86_features = -- F(AMD_IBPB) | F(AMD_IBRS); -+ F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD); - - /* cpuid 0xC0000001.edx */ - const u32 kvm_cpuid_C000_0001_edx_x86_features = -@@ -642,13 +642,20 @@ static inline int __do_cpuid_ent(struct - g_phys_as = phys_as; - entry->eax = g_phys_as | (virt_as << 8); - entry->edx = 0; -- /* IBRS and IBPB aren't necessarily present in hardware cpuid */ -+ /* -+ * IBRS, IBPB and VIRT_SSBD aren't necessarily present in -+ * hardware cpuid -+ */ - if (boot_cpu_has(X86_FEATURE_AMD_IBPB)) - entry->ebx |= F(AMD_IBPB); - if (boot_cpu_has(X86_FEATURE_AMD_IBRS)) - entry->ebx |= F(AMD_IBRS); -+ if (boot_cpu_has(X86_FEATURE_VIRT_SSBD)) -+ entry->ebx |= F(VIRT_SSBD); - entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features; - cpuid_mask(&entry->ebx, CPUID_8000_0008_EBX); -+ if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) -+ entry->ebx |= F(VIRT_SSBD); - break; - } - case 0x80000019: ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -3971,6 +3971,13 @@ static int svm_get_msr(struct kvm_vcpu * - - msr_info->data = svm->spec_ctrl; - break; -+ case MSR_AMD64_VIRT_SPEC_CTRL: -+ if (!msr_info->host_initiated && -+ !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD)) -+ return 1; -+ -+ msr_info->data = svm->virt_spec_ctrl; -+ break; - case MSR_F15H_IC_CFG: { - - int family, model; -@@ -4105,6 +4112,16 @@ static int svm_set_msr(struct kvm_vcpu * - break; - set_msr_interception(svm->msrpm, MSR_IA32_PRED_CMD, 0, 1); - break; -+ case MSR_AMD64_VIRT_SPEC_CTRL: -+ if (!msr->host_initiated && -+ !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD)) -+ return 1; -+ -+ if (data & ~SPEC_CTRL_SSBD) -+ return 1; -+ -+ svm->virt_spec_ctrl = data; -+ break; - case MSR_STAR: - svm->vmcb->save.star = data; - break; -@@ -5635,7 +5652,7 @@ static bool svm_cpu_has_accelerated_tpr( - return false; - } - --static bool svm_has_high_real_mode_segbase(void) -+static bool svm_has_emulated_msr(int index) - { - return true; - } -@@ -6859,7 +6876,7 @@ static struct 
kvm_x86_ops svm_x86_ops __ - .hardware_enable = svm_hardware_enable, - .hardware_disable = svm_hardware_disable, - .cpu_has_accelerated_tpr = svm_cpu_has_accelerated_tpr, -- .cpu_has_high_real_mode_segbase = svm_has_high_real_mode_segbase, -+ .has_emulated_msr = svm_has_emulated_msr, - - .vcpu_create = svm_create_vcpu, - .vcpu_free = svm_free_vcpu, ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -9223,9 +9223,21 @@ static void vmx_handle_external_intr(str - } - STACK_FRAME_NON_STANDARD(vmx_handle_external_intr); - --static bool vmx_has_high_real_mode_segbase(void) -+static bool vmx_has_emulated_msr(int index) - { -- return enable_unrestricted_guest || emulate_invalid_guest_state; -+ switch (index) { -+ case MSR_IA32_SMBASE: -+ /* -+ * We cannot do SMM unless we can run the guest in big -+ * real mode. -+ */ -+ return enable_unrestricted_guest || emulate_invalid_guest_state; -+ case MSR_AMD64_VIRT_SPEC_CTRL: -+ /* This is AMD only. */ -+ return false; -+ default: -+ return true; -+ } - } - - static bool vmx_mpx_supported(void) -@@ -12295,7 +12307,7 @@ static struct kvm_x86_ops vmx_x86_ops __ - .hardware_enable = hardware_enable, - .hardware_disable = hardware_disable, - .cpu_has_accelerated_tpr = report_flexpriority, -- .cpu_has_high_real_mode_segbase = vmx_has_high_real_mode_segbase, -+ .has_emulated_msr = vmx_has_emulated_msr, - - .vcpu_create = vmx_create_vcpu, - .vcpu_free = vmx_free_vcpu, ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -1045,6 +1045,7 @@ static u32 emulated_msrs[] = { - MSR_SMI_COUNT, - MSR_PLATFORM_INFO, - MSR_MISC_FEATURES_ENABLES, -+ MSR_AMD64_VIRT_SPEC_CTRL, - }; - - static unsigned num_emulated_msrs; -@@ -2843,7 +2844,7 @@ int kvm_vm_ioctl_check_extension(struct - * fringe case that is not enabled except via specific settings - * of the module parameters. 
- */ -- r = kvm_x86_ops->cpu_has_high_real_mode_segbase(); -+ r = kvm_x86_ops->has_emulated_msr(MSR_IA32_SMBASE); - break; - case KVM_CAP_VAPIC: - r = !kvm_x86_ops->cpu_has_accelerated_tpr(); -@@ -4522,14 +4523,8 @@ static void kvm_init_msr_list(void) - num_msrs_to_save = j; - - for (i = j = 0; i < ARRAY_SIZE(emulated_msrs); i++) { -- switch (emulated_msrs[i]) { -- case MSR_IA32_SMBASE: -- if (!kvm_x86_ops->cpu_has_high_real_mode_segbase()) -- continue; -- break; -- default: -- break; -- } -+ if (!kvm_x86_ops->has_emulated_msr(emulated_msrs[i])) -+ continue; - - if (j < i) - emulated_msrs[j] = emulated_msrs[i];
diff --git a/debian/patches/bugfix/x86/ssb/kvm-svm-move-spec-control-call-after-restore-of-gs.patch b/debian/patches/bugfix/x86/ssb/kvm-svm-move-spec-control-call-after-restore-of-gs.patch
deleted file mode 100644
index 5c81b208a..000000000
--- a/debian/patches/bugfix/x86/ssb/kvm-svm-move-spec-control-call-after-restore-of-gs.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Thomas Gleixner -Date: Fri, 11 May 2018 15:21:01 +0200 -Subject: KVM: SVM: Move spec control call after restore of GS - -From: Thomas Gleixner - -commit 15e6c22fd8e5a42c5ed6d487b7c9fe44c2517765 upstream - -svm_vcpu_run() invokes x86_spec_ctrl_restore_host() after VMEXIT, but -before the host GS is restored. x86_spec_ctrl_restore_host() uses 'current' -to determine the host SSBD state of the thread. 'current' is GS based, but -host GS is not yet restored and the access causes a triple fault. - -Move the call after the host GS restore. - -Fixes: 885f82bfbc6f x86/process: Allow runtime control of Speculative Store Bypass -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Konrad Rzeszutek Wilk -Acked-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kvm/svm.c | 24 ++++++++++++------------ - 1 file changed, 12 insertions(+), 12 deletions(-) - ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -5495,6 +5495,18 @@ static void svm_vcpu_run(struct kvm_vcpu - #endif - ); - -+ /* Eliminate branch target predictions from guest mode */ -+ vmexit_fill_RSB(); -+ -+#ifdef CONFIG_X86_64 -+ wrmsrl(MSR_GS_BASE, svm->host.gs_base); -+#else -+ loadsegment(fs, svm->host.fs); -+#ifndef CONFIG_X86_32_LAZY_GS -+ loadsegment(gs, svm->host.gs); -+#endif -+#endif -+ - /* - * We do not use IBRS in the kernel. If this vCPU has used the - * SPEC_CTRL MSR it may have left it on; save the value and -@@ -5515,18 +5527,6 @@ static void svm_vcpu_run(struct kvm_vcpu - - x86_spec_ctrl_restore_host(svm->spec_ctrl); - -- /* Eliminate branch target predictions from guest mode */ -- vmexit_fill_RSB(); -- --#ifdef CONFIG_X86_64 -- wrmsrl(MSR_GS_BASE, svm->host.gs_base); --#else -- loadsegment(fs, svm->host.fs); --#ifndef CONFIG_X86_32_LAZY_GS -- loadsegment(gs, svm->host.gs); --#endif --#endif -- - reload_tss(vcpu); - - local_irq_disable(); 
diff --git a/debian/patches/bugfix/x86/ssb/nospec-allow-getting-setting-on-non-current-task.patch b/debian/patches/bugfix/x86/ssb/nospec-allow-getting-setting-on-non-current-task.patch
deleted file mode 100644
index e9b0e7ac9..000000000
--- a/debian/patches/bugfix/x86/ssb/nospec-allow-getting-setting-on-non-current-task.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Kees Cook
-Date: Tue, 1 May 2018 15:19:04 -0700
-Subject: nospec: Allow getting/setting on non-current task
-
-From: Kees Cook
-
-commit 7bbf1373e228840bb0295a2ca26d548ef37f448e upstream
-
-Adjust arch_prctl_get/set_spec_ctrl() to operate on tasks other than
-current.
-
-This is needed both for /proc/$pid/status queries and for seccomp (since
-thread-syncing can trigger seccomp in non-current threads).
-
-Signed-off-by: Kees Cook
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/kernel/cpu/bugs.c | 27 ++++++++++++++++-----------
- include/linux/nospec.h | 7 +++++--
- kernel/sys.c | 9 +++++----
- 3 files changed, 26 insertions(+), 17 deletions(-)
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -530,31 +530,35 @@ static void ssb_select_mitigation()
-
- #undef pr_fmt
-
--static int ssb_prctl_set(unsigned long ctrl)
-+static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
- {
-- bool rds = !!test_tsk_thread_flag(current, TIF_RDS);
-+ bool rds = !!test_tsk_thread_flag(task, TIF_RDS);
-
- if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
- return -ENXIO;
-
- if (ctrl == PR_SPEC_ENABLE)
-- clear_tsk_thread_flag(current, TIF_RDS);
-+ clear_tsk_thread_flag(task, TIF_RDS);
- else
-- set_tsk_thread_flag(current, TIF_RDS);
-+ set_tsk_thread_flag(task, TIF_RDS);
-
-- if (rds != !!test_tsk_thread_flag(current, TIF_RDS))
-+ /*
-+ * If being set on non-current task, delay setting the CPU
-+ * mitigation until it is next scheduled.
-+ */
-+ if (task == current && rds != !!test_tsk_thread_flag(task, TIF_RDS))
- speculative_store_bypass_update();
-
- return 0;
- }
-
--static int ssb_prctl_get(void)
-+static int ssb_prctl_get(struct task_struct *task)
- {
- switch (ssb_mode) {
- case SPEC_STORE_BYPASS_DISABLE:
- return PR_SPEC_DISABLE;
- case SPEC_STORE_BYPASS_PRCTL:
-- if (test_tsk_thread_flag(current, TIF_RDS))
-+ if (test_tsk_thread_flag(task, TIF_RDS))
- return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
- return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
- default:
-@@ -564,24 +568,25 @@ static int ssb_prctl_get(void)
- }
- }
-
--int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
-+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
-+ unsigned long ctrl)
- {
- if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE)
- return -ERANGE;
-
- switch (which) {
- case PR_SPEC_STORE_BYPASS:
-- return ssb_prctl_set(ctrl);
-+ return ssb_prctl_set(task, ctrl);
- default:
- return -ENODEV;
- }
- }
-
--int arch_prctl_spec_ctrl_get(unsigned long which)
-+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
- {
- switch (which) {
- case PR_SPEC_STORE_BYPASS:
-- return ssb_prctl_get();
-+ return ssb_prctl_get(task);
- default:
- return -ENODEV;
- }
---- a/include/linux/nospec.h
-+++ b/include/linux/nospec.h
-@@ -7,6 +7,8 @@
- #define _LINUX_NOSPEC_H
- #include
-
-+struct task_struct;
-+
- /**
- * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
- * @index: array element index
-@@ -57,7 +59,8 @@ static inline unsigned long array_index_
- })
-
- /* Speculation control prctl */
--int arch_prctl_spec_ctrl_get(unsigned long which);
--int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl);
-+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which);
-+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
-+ unsigned long ctrl);
-
- #endif /* _LINUX_NOSPEC_H */
---- a/kernel/sys.c
-+++ b/kernel/sys.c
-@@ -2192,12 +2192,13 @@ static int propagate_has_child_subreaper
- return 1;
- }
-
--int __weak arch_prctl_spec_ctrl_get(unsigned long which)
-+int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which)
- {
- return -EINVAL;
- }
-
--int __weak arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
-+int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which,
-+ unsigned long ctrl)
- {
- return -EINVAL;
- }
-@@ -2413,12 +2414,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
- case PR_GET_SPECULATION_CTRL:
- if (arg3 || arg4 || arg5)
- return -EINVAL;
-- error = arch_prctl_spec_ctrl_get(arg2);
-+ error = arch_prctl_spec_ctrl_get(me, arg2);
- break;
- case PR_SET_SPECULATION_CTRL:
- if (arg4 || arg5)
- return -EINVAL;
-- error = arch_prctl_spec_ctrl_set(arg2, arg3);
-+ error = arch_prctl_spec_ctrl_set(me, arg2, arg3);
- break;
- default:
- error = -EINVAL;
diff --git a/debian/patches/bugfix/x86/ssb/prctl-add-force-disable-speculation.patch b/debian/patches/bugfix/x86/ssb/prctl-add-force-disable-speculation.patch
deleted file mode 100644
index 3c6a44a9f..000000000
--- a/debian/patches/bugfix/x86/ssb/prctl-add-force-disable-speculation.patch
+++ /dev/null
@@ -1,207 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Thu, 3 May 2018 22:09:15 +0200
-Subject: prctl: Add force disable speculation
-
-From: Thomas Gleixner
-
-commit 356e4bfff2c5489e016fdb925adbf12a1e3950ee upstream
-
-For certain use cases it is desired to enforce mitigations so they cannot
-be undone afterwards. That's important for loader stubs which want to
-prevent a child from disabling the mitigation again. Will also be used for
-seccomp(). The extra state preserving of the prctl state for SSB is a
-preparatory step for EBPF dymanic speculation control.
-
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- Documentation/userspace-api/spec_ctrl.rst | 34 ++++++++++++++++++-----------
- arch/x86/kernel/cpu/bugs.c | 35 +++++++++++++++++++++---------
- fs/proc/array.c | 3 ++
- include/linux/sched.h | 10 +++++++-
- include/uapi/linux/prctl.h | 1
- 5 files changed, 59 insertions(+), 24 deletions(-)
-
---- a/Documentation/userspace-api/spec_ctrl.rst
-+++ b/Documentation/userspace-api/spec_ctrl.rst
-@@ -25,19 +25,21 @@ PR_GET_SPECULATION_CTRL
- -----------------------
-
- PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
--which is selected with arg2 of prctl(2). The return value uses bits 0-2 with
-+which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
- the following meaning:
-
--==== ================ ===================================================
--Bit Define Description
--==== ================ ===================================================
--0 PR_SPEC_PRCTL Mitigation can be controlled per task by
-- PR_SET_SPECULATION_CTRL
--1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
-- disabled
--2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
-- enabled
--==== ================ ===================================================
-+==== ===================== ===================================================
-+Bit Define Description
-+==== ===================== ===================================================
-+0 PR_SPEC_PRCTL Mitigation can be controlled per task by
-+ PR_SET_SPECULATION_CTRL
-+1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
-+ disabled
-+2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
-+ enabled
-+3 PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
-+ subsequent prctl(..., PR_SPEC_ENABLE) will fail.
-+==== ===================== ===================================================
-
- If all bits are 0 the CPU is not affected by the speculation misfeature.
-
-@@ -47,9 +49,11 @@ misfeature will fail.
-
- PR_SET_SPECULATION_CTRL
- -----------------------
-+
- PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
- is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
--in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
-+in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
-+PR_SPEC_FORCE_DISABLE.
-
- Common error codes
- ------------------
-@@ -70,10 +74,13 @@ Value Meaning
- 0 Success
-
- ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
-- PR_SPEC_DISABLE
-+ PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE
-
- ENXIO Control of the selected speculation misfeature is not possible.
- See PR_GET_SPECULATION_CTRL.
-+
-+EPERM Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
-+ tried to enable it again.
- ======= =================================================================
-
- Speculation misfeature controls
-@@ -84,3 +91,4 @@ Speculation misfeature controls
- * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
- * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
- * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
-+ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -533,21 +533,37 @@ static void ssb_select_mitigation()
-
- static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
- {
-- bool rds = !!test_tsk_thread_flag(task, TIF_RDS);
-+ bool update;
-
- if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
- return -ENXIO;
-
-- if (ctrl == PR_SPEC_ENABLE)
-- clear_tsk_thread_flag(task, TIF_RDS);
-- else
-- set_tsk_thread_flag(task, TIF_RDS);
-+ switch (ctrl) {
-+ case PR_SPEC_ENABLE:
-+ /* If speculation is force disabled, enable is not allowed */
-+ if (task_spec_ssb_force_disable(task))
-+ return -EPERM;
-+ task_clear_spec_ssb_disable(task);
-+ update = test_and_clear_tsk_thread_flag(task, TIF_RDS);
-+ break;
-+ case PR_SPEC_DISABLE:
-+ task_set_spec_ssb_disable(task);
-+ update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
-+ break;
-+ case PR_SPEC_FORCE_DISABLE:
-+ task_set_spec_ssb_disable(task);
-+ task_set_spec_ssb_force_disable(task);
-+ update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
-+ break;
-+ default:
-+ return -ERANGE;
-+ }
-
- /*
- * If being set on non-current task, delay setting the CPU
- * mitigation until it is next scheduled.
- */
-- if (task == current && rds != !!test_tsk_thread_flag(task, TIF_RDS))
-+ if (task == current && update)
- speculative_store_bypass_update();
-
- return 0;
-@@ -559,7 +575,9 @@ static int ssb_prctl_get(struct task_str
- case SPEC_STORE_BYPASS_DISABLE:
- return PR_SPEC_DISABLE;
- case SPEC_STORE_BYPASS_PRCTL:
-- if (test_tsk_thread_flag(task, TIF_RDS))
-+ if (task_spec_ssb_force_disable(task))
-+ return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
-+ if (task_spec_ssb_disable(task))
- return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
- return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
- default:
-@@ -572,9 +590,6 @@ static int ssb_prctl_get(struct task_str
- int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
- unsigned long ctrl)
- {
-- if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE)
-- return -ERANGE;
--
- switch (which) {
- case PR_SPEC_STORE_BYPASS:
- return ssb_prctl_set(task, ctrl);
---- a/fs/proc/array.c
-+++ b/fs/proc/array.c
-@@ -356,6 +356,9 @@ static inline void task_seccomp(struct s
- case PR_SPEC_NOT_AFFECTED:
- seq_printf(m, "not vulnerable");
- break;
-+ case PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE:
-+ seq_printf(m, "thread force mitigated");
-+ break;
- case PR_SPEC_PRCTL | PR_SPEC_DISABLE:
- seq_printf(m, "thread mitigated");
- break;
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -1365,7 +1365,8 @@ static inline bool is_percpu_thread(void
- #define PFA_NO_NEW_PRIVS 0 /* May not gain new privileges. */
- #define PFA_SPREAD_PAGE 1 /* Spread page cache over cpuset */
- #define PFA_SPREAD_SLAB 2 /* Spread some slab caches over cpuset */
--
-+#define PFA_SPEC_SSB_DISABLE 3 /* Speculative Store Bypass disabled */
-+#define PFA_SPEC_SSB_FORCE_DISABLE 4 /* Speculative Store Bypass force disabled*/
-
- #define TASK_PFA_TEST(name, func) \
- static inline bool task_##func(struct task_struct *p) \
-@@ -1390,6 +1391,13 @@ TASK_PFA_TEST(SPREAD_SLAB, spread_slab)
- TASK_PFA_SET(SPREAD_SLAB, spread_slab)
- TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab)
-
-+TASK_PFA_TEST(SPEC_SSB_DISABLE, spec_ssb_disable)
-+TASK_PFA_SET(SPEC_SSB_DISABLE, spec_ssb_disable)
-+TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable)
-+
-+TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
-+TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
-+
- static inline void
- current_restore_flags(unsigned long orig_flags, unsigned long flags)
- {
---- a/include/uapi/linux/prctl.h
-+++ b/include/uapi/linux/prctl.h
-@@ -217,5 +217,6 @@ struct prctl_mm_map {
- # define PR_SPEC_PRCTL (1UL << 0)
- # define PR_SPEC_ENABLE (1UL << 1)
- # define PR_SPEC_DISABLE (1UL << 2)
-+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
-
- #endif /* _LINUX_PRCTL_H */
diff --git a/debian/patches/bugfix/x86/ssb/prctl-add-speculation-control-prctls.patch b/debian/patches/bugfix/x86/ssb/prctl-add-speculation-control-prctls.patch
deleted file mode 100644
index b5798e75c..000000000
--- a/debian/patches/bugfix/x86/ssb/prctl-add-speculation-control-prctls.patch
+++ /dev/null
@@ -1,239 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Sun, 29 Apr 2018 15:20:11 +0200
-Subject: prctl: Add speculation control prctls
-
-From: Thomas Gleixner
-
-commit b617cfc858161140d69cc0b5cc211996b557a1c7 upstream
-
-Add two new prctls to control aspects of speculation related vulnerabilites
-and their mitigations to provide finer grained control over performance
-impacting mitigations.
-
-PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
-which is selected with arg2 of prctl(2). The return value uses bit 0-2 with
-the following meaning:
-
-Bit Define Description
-0 PR_SPEC_PRCTL Mitigation can be controlled per task by
- PR_SET_SPECULATION_CTRL
-1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
- disabled
-2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
- enabled
-
-If all bits are 0 the CPU is not affected by the speculation misfeature.
-
-If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
-available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
-misfeature will fail.
-
-PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
-is selected by arg2 of prctl(2) per task. arg3 is used to hand in the
-control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
-
-The common return values are:
-
-EINVAL prctl is not implemented by the architecture or the unused prctl()
- arguments are not 0
-ENODEV arg2 is selecting a not supported speculation misfeature
-
-PR_SET_SPECULATION_CTRL has these additional return values:
-
-ERANGE arg3 is incorrect, i.e. it's not either PR_SPEC_ENABLE or PR_SPEC_DISABLE
-ENXIO prctl control of the selected speculation misfeature is disabled
-
-The first supported controlable speculation misfeature is
-PR_SPEC_STORE_BYPASS. Add the define so this can be shared between
-architectures.
-
-Based on an initial patch from Tim Chen and mostly rewritten.
-
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Ingo Molnar
-Reviewed-by: Konrad Rzeszutek Wilk
-Signed-off-by: Greg Kroah-Hartman
----
- Documentation/userspace-api/index.rst | 1
- Documentation/userspace-api/spec_ctrl.rst | 86 ++++++++++++++++++++++++++++++
- include/linux/nospec.h | 5 +
- include/uapi/linux/prctl.h | 11 +++
- kernel/sys.c | 22 +++++++
- 5 files changed, 125 insertions(+)
- create mode 100644 Documentation/userspace-api/spec_ctrl.rst
-
---- a/Documentation/userspace-api/index.rst
-+++ b/Documentation/userspace-api/index.rst
-@@ -19,6 +19,7 @@ place where this information is gathered
- no_new_privs
- seccomp_filter
- unshare
-+ spec_ctrl
-
- .. only:: subproject and html
-
---- /dev/null
-+++ b/Documentation/userspace-api/spec_ctrl.rst
-@@ -0,0 +1,86 @@
-+===================
-+Speculation Control
-+===================
-+
-+Quite some CPUs have speculation related misfeatures which are in fact
-+vulnerabilites causing data leaks in various forms even accross privilege
-+domains.
-+
-+The kernel provides mitigation for such vulnerabilities in various
-+forms. Some of these mitigations are compile time configurable and some on
-+the kernel command line.
-+
-+There is also a class of mitigations which are very expensive, but they can
-+be restricted to a certain set of processes or tasks in controlled
-+environments. The mechanism to control these mitigations is via
-+:manpage:`prctl(2)`.
-+
-+There are two prctl options which are related to this:
-+
-+ * PR_GET_SPECULATION_CTRL
-+
-+ * PR_SET_SPECULATION_CTRL
-+
-+PR_GET_SPECULATION_CTRL
-+-----------------------
-+
-+PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
-+which is selected with arg2 of prctl(2). The return value uses bits 0-2 with
-+the following meaning:
-+
-+==== ================ ===================================================
-+Bit Define Description
-+==== ================ ===================================================
-+0 PR_SPEC_PRCTL Mitigation can be controlled per task by
-+ PR_SET_SPECULATION_CTRL
-+1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
-+ disabled
-+2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
-+ enabled
-+==== ================ ===================================================
-+
-+If all bits are 0 the CPU is not affected by the speculation misfeature.
-+
-+If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
-+available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
-+misfeature will fail.
-+
-+PR_SET_SPECULATION_CTRL
-+-----------------------
-+PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
-+is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
-+in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
-+
-+Common error codes
-+------------------
-+======= =================================================================
-+Value Meaning
-+======= =================================================================
-+EINVAL The prctl is not implemented by the architecture or unused
-+ prctl(2) arguments are not 0
-+
-+ENODEV arg2 is selecting a not supported speculation misfeature
-+======= =================================================================
-+
-+PR_SET_SPECULATION_CTRL error codes
-+-----------------------------------
-+======= =================================================================
-+Value Meaning
-+======= =================================================================
-+0 Success
-+
-+ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
-+ PR_SPEC_DISABLE
-+
-+ENXIO Control of the selected speculation misfeature is not possible.
-+ See PR_GET_SPECULATION_CTRL.
-+======= =================================================================
-+
-+Speculation misfeature controls
-+-------------------------------
-+- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
-+
-+ Invocations:
-+ * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
-+ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
-+ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
---- a/include/linux/nospec.h
-+++ b/include/linux/nospec.h
-@@ -55,4 +55,9 @@ static inline unsigned long array_index_
- \
- (typeof(_i)) (_i & _mask); \
- })
-+
-+/* Speculation control prctl */
-+int arch_prctl_spec_ctrl_get(unsigned long which);
-+int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl);
-+
- #endif /* _LINUX_NOSPEC_H */
---- a/include/uapi/linux/prctl.h
-+++ b/include/uapi/linux/prctl.h
-@@ -207,4 +207,15 @@ struct prctl_mm_map {
- # define PR_SVE_VL_LEN_MASK 0xffff
- # define PR_SVE_VL_INHERIT (1 << 17) /* inherit across exec */
-
-+/* Per task speculation control */
-+#define PR_GET_SPECULATION_CTRL 52
-+#define PR_SET_SPECULATION_CTRL 53
-+/* Speculation control variants */
-+# define PR_SPEC_STORE_BYPASS 0
-+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
-+# define PR_SPEC_NOT_AFFECTED 0
-+# define PR_SPEC_PRCTL (1UL << 0)
-+# define PR_SPEC_ENABLE (1UL << 1)
-+# define PR_SPEC_DISABLE (1UL << 2)
-+
- #endif /* _LINUX_PRCTL_H */
---- a/kernel/sys.c
-+++ b/kernel/sys.c
-@@ -61,6 +61,8 @@
- #include
- #include
-
-+#include
-+
- #include
- /* Move somewhere else to avoid recompiling? */
- #include
-@@ -2190,6 +2192,16 @@ static int propagate_has_child_subreaper
- return 1;
- }
-
-+int __weak arch_prctl_spec_ctrl_get(unsigned long which)
-+{
-+ return -EINVAL;
-+}
-+
-+int __weak arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
-+{
-+ return -EINVAL;
-+}
-+
- SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
- unsigned long, arg4, unsigned long, arg5)
- {
-@@ -2398,6 +2410,16 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
- case PR_SVE_GET_VL:
- error = SVE_GET_VL();
- break;
-+ case PR_GET_SPECULATION_CTRL:
-+ if (arg3 || arg4 || arg5)
-+ return -EINVAL;
-+ error = arch_prctl_spec_ctrl_get(arg2);
-+ break;
-+ case PR_SET_SPECULATION_CTRL:
-+ if (arg4 || arg5)
-+ return -EINVAL;
-+ error = arch_prctl_spec_ctrl_set(arg2, arg3);
-+ break;
- default:
- error = -EINVAL;
- break;
diff --git a/debian/patches/bugfix/x86/ssb/proc-provide-details-on-speculation-flaw-mitigations.patch b/debian/patches/bugfix/x86/ssb/proc-provide-details-on-speculation-flaw-mitigations.patch
deleted file mode 100644
index 898ae2b04..000000000
--- a/debian/patches/bugfix/x86/ssb/proc-provide-details-on-speculation-flaw-mitigations.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Kees Cook
-Date: Tue, 1 May 2018 15:31:45 -0700
-Subject: proc: Provide details on speculation flaw mitigations
-
-From: Kees Cook
-
-commit fae1fa0fc6cca8beee3ab8ed71d54f9a78fa3f64 upstream
-
-As done with seccomp and no_new_privs, also show speculation flaw
-mitigation state in /proc/$pid/status.
-
-Signed-off-by: Kees Cook
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- fs/proc/array.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
---- a/fs/proc/array.c
-+++ b/fs/proc/array.c
-@@ -85,6 +85,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -347,6 +348,27 @@ static inline void task_seccomp(struct s
- #ifdef CONFIG_SECCOMP
- seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
- #endif
-+ seq_printf(m, "\nSpeculation Store Bypass:\t");
-+ switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
-+ case -EINVAL:
-+ seq_printf(m, "unknown");
-+ break;
-+ case PR_SPEC_NOT_AFFECTED:
-+ seq_printf(m, "not vulnerable");
-+ break;
-+ case PR_SPEC_PRCTL | PR_SPEC_DISABLE:
-+ seq_printf(m, "thread mitigated");
-+ break;
-+ case PR_SPEC_PRCTL | PR_SPEC_ENABLE:
-+ seq_printf(m, "thread vulnerable");
-+ break;
-+ case PR_SPEC_DISABLE:
-+ seq_printf(m, "globally mitigated");
-+ break;
-+ default:
-+ seq_printf(m, "vulnerable");
-+ break;
-+ }
- seq_putc(m, '\n');
- }
-
diff --git a/debian/patches/bugfix/x86/ssb/proc-use-underscores-for-ssbd-in-status.patch b/debian/patches/bugfix/x86/ssb/proc-use-underscores-for-ssbd-in-status.patch
deleted file mode 100644
index aadf8aa33..000000000
--- a/debian/patches/bugfix/x86/ssb/proc-use-underscores-for-ssbd-in-status.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Konrad Rzeszutek Wilk
-Date: Wed, 9 May 2018 21:41:38 +0200
-Subject: proc: Use underscores for SSBD in 'status'
-
-From: Konrad Rzeszutek Wilk
-
-commit e96f46ee8587607a828f783daa6eb5b44d25004d upstream
-
-The style for the 'status' file is CamelCase or this. _.
-
-Fixes: fae1fa0fc ("proc: Provide details on speculation flaw mitigations")
-Signed-off-by: Konrad Rzeszutek Wilk
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- fs/proc/array.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/proc/array.c
-+++ b/fs/proc/array.c
-@@ -348,7 +348,7 @@ static inline void task_seccomp(struct s
- #ifdef CONFIG_SECCOMP
- seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
- #endif
-- seq_printf(m, "\nSpeculation Store Bypass:\t");
-+ seq_printf(m, "\nSpeculation_Store_Bypass:\t");
- switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
- case -EINVAL:
- seq_printf(m, "unknown");
diff --git a/debian/patches/bugfix/x86/ssb/seccomp-add-filter-flag-to-opt-out-of-ssb-mitigation.patch b/debian/patches/bugfix/x86/ssb/seccomp-add-filter-flag-to-opt-out-of-ssb-mitigation.patch
deleted file mode 100644
index 3ebe323c4..000000000
--- a/debian/patches/bugfix/x86/ssb/seccomp-add-filter-flag-to-opt-out-of-ssb-mitigation.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Kees Cook
-Date: Thu, 3 May 2018 14:56:12 -0700
-Subject: seccomp: Add filter flag to opt-out of SSB mitigation
-
-From: Kees Cook
-
-commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream
-
-If a seccomp user is not interested in Speculative Store Bypass mitigation
-by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when
-adding filters.
-
-Signed-off-by: Kees Cook
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- include/linux/seccomp.h | 5 +++--
- include/uapi/linux/seccomp.h | 5 +++--
- kernel/seccomp.c | 19 +++++++++++--------
- tools/testing/selftests/seccomp/seccomp_bpf.c | 22 +++++++++++++++++++---
- 4 files changed, 36 insertions(+), 15 deletions(-)
-
---- a/include/linux/seccomp.h
-+++ b/include/linux/seccomp.h
-@@ -4,8 +4,9 @@
-
- #include
-
--#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \
-- SECCOMP_FILTER_FLAG_LOG)
-+#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \
-+ SECCOMP_FILTER_FLAG_LOG | \
-+ SECCOMP_FILTER_FLAG_SPEC_ALLOW)
-
- #ifdef CONFIG_SECCOMP
-
---- a/include/uapi/linux/seccomp.h
-+++ b/include/uapi/linux/seccomp.h
-@@ -17,8 +17,9 @@
- #define SECCOMP_GET_ACTION_AVAIL 2
-
- /* Valid flags for SECCOMP_SET_MODE_FILTER */
--#define SECCOMP_FILTER_FLAG_TSYNC 1
--#define SECCOMP_FILTER_FLAG_LOG 2
-+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
-+#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
-+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
-
- /*
- * All BPF programs must return a 32-bit value.
---- a/kernel/seccomp.c
-+++ b/kernel/seccomp.c
-@@ -243,7 +243,8 @@ static inline void spec_mitigate(struct
- }
-
- static inline void seccomp_assign_mode(struct task_struct *task,
-- unsigned long seccomp_mode)
-+ unsigned long seccomp_mode,
-+ unsigned long flags)
- {
- assert_spin_locked(&task->sighand->siglock);
-
-@@ -253,8 +254,9 @@ static inline void seccomp_assign_mode(s
- * filter) is set.
- */
- smp_mb__before_atomic();
-- /* Assume seccomp processes want speculation flaw mitigation. */
-- spec_mitigate(task, PR_SPEC_STORE_BYPASS);
-+ /* Assume default seccomp processes want spec flaw mitigation. */
-+ if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
-+ spec_mitigate(task, PR_SPEC_STORE_BYPASS);
- set_tsk_thread_flag(task, TIF_SECCOMP);
- }
-
-@@ -322,7 +324,7 @@ static inline pid_t seccomp_can_sync_thr
- * without dropping the locks.
- *
- */
--static inline void seccomp_sync_threads(void)
-+static inline void seccomp_sync_threads(unsigned long flags)
- {
- struct task_struct *thread, *caller;
-
-@@ -363,7 +365,8 @@ static inline void seccomp_sync_threads(
- * allow one thread to transition the other.
- */
- if (thread->seccomp.mode == SECCOMP_MODE_DISABLED)
-- seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
-+ seccomp_assign_mode(thread, SECCOMP_MODE_FILTER,
-+ flags);
- }
- }
-
-@@ -486,7 +489,7 @@ static long seccomp_attach_filter(unsign
-
- /* Now that the new filter is in place, synchronize to all threads. */
- if (flags & SECCOMP_FILTER_FLAG_TSYNC)
-- seccomp_sync_threads();
-+ seccomp_sync_threads(flags);
-
- return 0;
- }
-@@ -835,7 +838,7 @@ static long seccomp_set_mode_strict(void
- #ifdef TIF_NOTSC
- disable_TSC();
- #endif
-- seccomp_assign_mode(current, seccomp_mode);
-+ seccomp_assign_mode(current, seccomp_mode, 0);
- ret = 0;
-
- out:
-@@ -893,7 +896,7 @@ static long seccomp_set_mode_filter(unsi
- /* Do not free the successfully attached filter. */
- prepared = NULL;
-
-- seccomp_assign_mode(current, seccomp_mode);
-+ seccomp_assign_mode(current, seccomp_mode, flags);
- out:
- spin_unlock_irq(¤t->sighand->siglock);
- if (flags & SECCOMP_FILTER_FLAG_TSYNC)
---- a/tools/testing/selftests/seccomp/seccomp_bpf.c
-+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
-@@ -134,11 +134,15 @@ struct seccomp_data {
- #endif
-
- #ifndef SECCOMP_FILTER_FLAG_TSYNC
--#define SECCOMP_FILTER_FLAG_TSYNC 1
-+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
- #endif
-
- #ifndef SECCOMP_FILTER_FLAG_LOG
--#define SECCOMP_FILTER_FLAG_LOG 2
-+#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
-+#endif
-+
-+#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
-+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
- #endif
-
- #ifndef PTRACE_SECCOMP_GET_METADATA
-@@ -2072,14 +2076,26 @@ TEST(seccomp_syscall_mode_lock)
- TEST(detect_seccomp_filter_flags)
- {
- unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
-- SECCOMP_FILTER_FLAG_LOG };
-+ SECCOMP_FILTER_FLAG_LOG,
-+ SECCOMP_FILTER_FLAG_SPEC_ALLOW };
- unsigned int flag, all_flags;
- int i;
- long ret;
-
- /* Test detection of known-good filter flags */
- for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
-+ int bits = 0;
-+
- flag = flags[i];
-+ /* Make sure the flag is a single bit! */
-+ while (flag) {
-+ if (flag & 0x1)
-+ bits ++;
-+ flag >>= 1;
-+ }
-+ ASSERT_EQ(1, bits);
-+ flag = flags[i];
-+
- ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
- ASSERT_NE(ENOSYS, errno) {
- TH_LOG("Kernel does not support seccomp syscall!");
diff --git a/debian/patches/bugfix/x86/ssb/seccomp-enable-speculation-flaw-mitigations.patch b/debian/patches/bugfix/x86/ssb/seccomp-enable-speculation-flaw-mitigations.patch
deleted file mode 100644
index 08652a0ad..000000000
--- a/debian/patches/bugfix/x86/ssb/seccomp-enable-speculation-flaw-mitigations.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Kees Cook
-Date: Tue, 1 May 2018 15:07:31 -0700
-Subject: seccomp: Enable speculation flaw mitigations
-
-From: Kees Cook
-
-commit 5c3070890d06ff82eecb808d02d2ca39169533ef upstream
-
-When speculation flaw mitigations are opt-in (via prctl), using seccomp
-will automatically opt-in to these protections, since using seccomp
-indicates at least some level of sandboxing is desired.
-
-Signed-off-by: Kees Cook
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- kernel/seccomp.c | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
---- a/kernel/seccomp.c
-+++ b/kernel/seccomp.c
-@@ -19,6 +19,8 @@
- #include
- #include
- #include
-+#include
-+#include
- #include
- #include
- #include
-@@ -227,6 +229,19 @@ static inline bool seccomp_may_assign_mo
- return true;
- }
-
-+/*
-+ * If a given speculation mitigation is opt-in (prctl()-controlled),
-+ * select it, by disabling speculation (enabling mitigation).
-+ */
-+static inline void spec_mitigate(struct task_struct *task,
-+ unsigned long which)
-+{
-+ int state = arch_prctl_spec_ctrl_get(task, which);
-+
-+ if (state > 0 && (state & PR_SPEC_PRCTL))
-+ arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE);
-+}
-+
- static inline void seccomp_assign_mode(struct task_struct *task,
- unsigned long seccomp_mode)
- {
-@@ -238,6 +253,8 @@ static inline void seccomp_assign_mode(s
- * filter) is set.
- */
- smp_mb__before_atomic();
-+ /* Assume seccomp processes want speculation flaw mitigation. */
-+ spec_mitigate(task, PR_SPEC_STORE_BYPASS);
- set_tsk_thread_flag(task, TIF_SECCOMP);
- }
-
diff --git a/debian/patches/bugfix/x86/ssb/seccomp-move-speculation-migitation-control-to-arch-code.patch b/debian/patches/bugfix/x86/ssb/seccomp-move-speculation-migitation-control-to-arch-code.patch
deleted file mode 100644
index 9aef76ec4..000000000
--- a/debian/patches/bugfix/x86/ssb/seccomp-move-speculation-migitation-control-to-arch-code.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Thomas Gleixner -Date: Fri, 4 May 2018 15:12:06 +0200 -Subject: seccomp: Move speculation migitation control to arch code - -From: Thomas Gleixner - -commit 8bf37d8c067bb7eb8e7c381bdadf9bd89182b6bc upstream - -The migitation control is simpler to implement in architecture code as it -avoids the extra function call to check the mode. Aside of that having an -explicit seccomp enabled mode in the architecture mitigations would require -even more workarounds. - -Move it into architecture code and provide a weak function in the seccomp -code. Remove the 'which' argument as this allows the architecture to decide -which mitigations are relevant for seccomp. - -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/bugs.c | 29 ++++++++++++++++++----------- - include/linux/nospec.h | 2 ++ - kernel/seccomp.c | 15 ++------------- - 3 files changed, 22 insertions(+), 24 deletions(-) - ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -569,6 +569,24 @@ static int ssb_prctl_set(struct task_str - return 0; - } - -+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, -+ unsigned long ctrl) -+{ -+ switch (which) { -+ case PR_SPEC_STORE_BYPASS: -+ return ssb_prctl_set(task, ctrl); -+ default: -+ return -ENODEV; -+ } -+} -+ -+#ifdef CONFIG_SECCOMP -+void arch_seccomp_spec_mitigate(struct task_struct *task) -+{ -+ ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); -+} -+#endif -+ - static int ssb_prctl_get(struct task_struct *task) - { - switch (ssb_mode) { -@@ -587,17 +605,6 @@ static int ssb_prctl_get(struct task_str - } - } - --int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, -- unsigned long ctrl) --{ -- switch (which) { -- case PR_SPEC_STORE_BYPASS: -- return ssb_prctl_set(task, ctrl); -- default: -- return -ENODEV; -- } --} -- - int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) - { - 
switch (which) { ---- a/include/linux/nospec.h -+++ b/include/linux/nospec.h -@@ -62,5 +62,7 @@ static inline unsigned long array_index_ - int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which); - int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, - unsigned long ctrl); -+/* Speculation control for seccomp enforced mitigation */ -+void arch_seccomp_spec_mitigate(struct task_struct *task); - - #endif /* _LINUX_NOSPEC_H */ ---- a/kernel/seccomp.c -+++ b/kernel/seccomp.c -@@ -229,18 +229,7 @@ static inline bool seccomp_may_assign_mo - return true; - } - --/* -- * If a given speculation mitigation is opt-in (prctl()-controlled), -- * select it, by disabling speculation (enabling mitigation). -- */ --static inline void spec_mitigate(struct task_struct *task, -- unsigned long which) --{ -- int state = arch_prctl_spec_ctrl_get(task, which); -- -- if (state > 0 && (state & PR_SPEC_PRCTL)) -- arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE); --} -+void __weak arch_seccomp_spec_mitigate(struct task_struct *task) { } - - static inline void seccomp_assign_mode(struct task_struct *task, - unsigned long seccomp_mode, -@@ -256,7 +245,7 @@ static inline void seccomp_assign_mode(s - smp_mb__before_atomic(); - /* Assume default seccomp processes want spec flaw mitigation. */ - if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0) -- spec_mitigate(task, PR_SPEC_STORE_BYPASS); -+ arch_seccomp_spec_mitigate(task); - set_tsk_thread_flag(task, TIF_SECCOMP); - } - diff --git a/debian/patches/bugfix/x86/ssb/seccomp-use-pr_spec_force_disable.patch b/debian/patches/bugfix/x86/ssb/seccomp-use-pr_spec_force_disable.patch deleted file mode 100644 index 9a1c8bf27..000000000 --- a/debian/patches/bugfix/x86/ssb/seccomp-use-pr_spec_force_disable.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Fri, 4 May 2018 09:40:03 +0200
-Subject: seccomp: Use PR_SPEC_FORCE_DISABLE
-
-From: Thomas Gleixner
-
-commit b849a812f7eb92e96d1c8239b06581b2cfd8b275 upstream
-
-Use PR_SPEC_FORCE_DISABLE in seccomp() because seccomp does not allow to
-widen restrictions.
-
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- kernel/seccomp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/seccomp.c
-+++ b/kernel/seccomp.c
-@@ -239,7 +239,7 @@ static inline void spec_mitigate(struct
- int state = arch_prctl_spec_ctrl_get(task, which);
-
- if (state > 0 && (state & PR_SPEC_PRCTL))
-- arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE);
-+ arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
- }
-
- static inline void seccomp_assign_mode(struct task_struct *task,
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-amd-add-support-to-disable-rds-on-famh-if-requested.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-amd-add-support-to-disable-rds-on-famh-if-requested.patch
deleted file mode 100644
index 6015bb5cc..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-amd-add-support-to-disable-rds-on-famh-if-requested.patch
+++ /dev/null
@@ -1,187 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Konrad Rzeszutek Wilk -Date: Wed, 25 Apr 2018 22:04:24 -0400 -Subject: x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested - -From: Konrad Rzeszutek Wilk - -commit 764f3c21588a059cd783c6ba0734d4db2d72822d upstream - -AMD does not need the Speculative Store Bypass mitigation to be enabled. - -The parameters for this are already available and can be done via MSR -C001_1020. Each family uses a different bit in that MSR for this. - -[ tglx: Expose the bit mask via a variable and move the actual MSR fiddling - into the bugs code as that's the right thing to do and also required - to prepare for dynamic enable/disable ] - -Suggested-by: Borislav Petkov -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Thomas Gleixner -Reviewed-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 1 + - arch/x86/include/asm/nospec-branch.h | 4 ++++ - arch/x86/kernel/cpu/amd.c | 26 ++++++++++++++++++++++++++ - arch/x86/kernel/cpu/bugs.c | 27 ++++++++++++++++++++++++++- - arch/x86/kernel/cpu/common.c | 4 ++++ - 5 files changed, 61 insertions(+), 1 deletion(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -215,6 +215,7 @@ - #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ - #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ - #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. 
*/ -+#define X86_FEATURE_AMD_RDS (7*32+24) /* "" AMD RDS implementation */ - - /* Virtualization flags: Linux defined, word 8 */ - #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -244,6 +244,10 @@ enum ssb_mitigation { - SPEC_STORE_BYPASS_DISABLE, - }; - -+/* AMD specific Speculative Store Bypass MSR data */ -+extern u64 x86_amd_ls_cfg_base; -+extern u64 x86_amd_ls_cfg_rds_mask; -+ - extern char __indirect_thunk_start[]; - extern char __indirect_thunk_end[]; - ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -10,6 +10,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -554,6 +555,26 @@ static void bsp_init_amd(struct cpuinfo_ - rdmsrl(MSR_FAM10H_NODE_ID, value); - nodes_per_socket = ((value >> 3) & 7) + 1; - } -+ -+ if (c->x86 >= 0x15 && c->x86 <= 0x17) { -+ unsigned int bit; -+ -+ switch (c->x86) { -+ case 0x15: bit = 54; break; -+ case 0x16: bit = 33; break; -+ case 0x17: bit = 10; break; -+ default: return; -+ } -+ /* -+ * Try to cache the base value so further operations can -+ * avoid RMW. If that faults, do not enable RDS. -+ */ -+ if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) { -+ setup_force_cpu_cap(X86_FEATURE_RDS); -+ setup_force_cpu_cap(X86_FEATURE_AMD_RDS); -+ x86_amd_ls_cfg_rds_mask = 1ULL << bit; -+ } -+ } - } - - static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) -@@ -898,6 +919,11 @@ static void init_amd(struct cpuinfo_x86 - /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. 
*/ - if (!cpu_has(c, X86_FEATURE_XENPV)) - set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); -+ -+ if (boot_cpu_has(X86_FEATURE_AMD_RDS)) { -+ set_cpu_cap(c, X86_FEATURE_RDS); -+ set_cpu_cap(c, X86_FEATURE_AMD_RDS); -+ } - } - - #ifdef CONFIG_X86_32 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -41,6 +41,13 @@ static u64 __ro_after_init x86_spec_ctrl - */ - static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS; - -+/* -+ * AMD specific MSR info for Speculative Store Bypass control. -+ * x86_amd_ls_cfg_rds_mask is initialized in identify_boot_cpu(). -+ */ -+u64 __ro_after_init x86_amd_ls_cfg_base; -+u64 __ro_after_init x86_amd_ls_cfg_rds_mask; -+ - void __init check_bugs(void) - { - identify_boot_cpu(); -@@ -52,7 +59,8 @@ void __init check_bugs(void) - - /* - * Read the SPEC_CTRL MSR to account for reserved bits which may -- * have unknown values. -+ * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD -+ * init code as it is not enumerated and depends on the family. - */ - if (boot_cpu_has(X86_FEATURE_IBRS)) - rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); -@@ -154,6 +162,14 @@ void x86_spec_ctrl_restore_host(u64 gues - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host); - -+static void x86_amd_rds_enable(void) -+{ -+ u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_rds_mask; -+ -+ if (boot_cpu_has(X86_FEATURE_AMD_RDS)) -+ wrmsrl(MSR_AMD64_LS_CFG, msrval); -+} -+ - #ifdef RETPOLINE - static bool spectre_v2_bad_module; - -@@ -443,6 +459,11 @@ static enum ssb_mitigation_cmd __init __ - - switch (cmd) { - case SPEC_STORE_BYPASS_CMD_AUTO: -+ /* -+ * AMD platforms by default don't need SSB mitigation. 
-+ */ -+ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) -+ break; - case SPEC_STORE_BYPASS_CMD_ON: - mode = SPEC_STORE_BYPASS_DISABLE; - break; -@@ -469,6 +490,7 @@ static enum ssb_mitigation_cmd __init __ - x86_spec_ctrl_set(SPEC_CTRL_RDS); - break; - case X86_VENDOR_AMD: -+ x86_amd_rds_enable(); - break; - } - } -@@ -490,6 +512,9 @@ void x86_spec_ctrl_setup_ap(void) - { - if (boot_cpu_has(X86_FEATURE_IBRS)) - x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask); -+ -+ if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) -+ x86_amd_rds_enable(); - } - - #ifdef CONFIG_SYSFS ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -934,6 +934,10 @@ static const __initconst struct x86_cpu_ - { X86_VENDOR_CENTAUR, 5, }, - { X86_VENDOR_INTEL, 5, }, - { X86_VENDOR_NSC, 5, }, -+ { X86_VENDOR_AMD, 0x12, }, -+ { X86_VENDOR_AMD, 0x11, }, -+ { X86_VENDOR_AMD, 0x10, }, -+ { X86_VENDOR_AMD, 0xf, }, - { X86_VENDOR_ANY, 4, }, - {} - }; diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-concentrate-bug-detection-into-a-separate-function.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-concentrate-bug-detection-into-a-separate-function.patch deleted file mode 100644 index 8177fd8de..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-bugs-concentrate-bug-detection-into-a-separate-function.patch +++ /dev/null 
@@ -1,70 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Konrad Rzeszutek Wilk
-Date: Wed, 25 Apr 2018 22:04:16 -0400
-Subject: x86/bugs: Concentrate bug detection into a separate function
-
-From: Konrad Rzeszutek Wilk
-
-commit 4a28bfe3267b68e22c663ac26185aa16c9b879ef upstream
-
-Combine the various logic which goes through all those
-x86_cpu_id matching structures in one function.
-
-Suggested-by: Borislav Petkov
-Signed-off-by: Konrad Rzeszutek Wilk
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Borislav Petkov
-Reviewed-by: Ingo Molnar
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/kernel/cpu/common.c | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -918,21 +918,27 @@ static const __initconst struct x86_cpu_
- {}
- };
-
--static bool __init cpu_vulnerable_to_meltdown(struct cpuinfo_x86 *c)
-+static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
- {
- u64 ia32_cap = 0;
-
-+ if (x86_match_cpu(cpu_no_speculation))
-+ return;
-+
-+ setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
-+ setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
-+
- if (x86_match_cpu(cpu_no_meltdown))
-- return false;
-+ return;
-
- if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
-
- /* Rogue Data Cache Load? No! */
- if (ia32_cap & ARCH_CAP_RDCL_NO)
-- return false;
-+ return;
-
-- return true;
-+ setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
- }
-
- /*
-@@ -982,12 +988,7 @@ static void __init early_identify_cpu(st
-
- setup_force_cpu_cap(X86_FEATURE_ALWAYS);
-
-- if (!x86_match_cpu(cpu_no_speculation)) {
-- if (cpu_vulnerable_to_meltdown(c))
-- setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
-- setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
-- setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
-- }
-+ cpu_set_bug_bits(c);
-
- fpu__init_system(c);
-
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-concentrate-bug-reporting-into-a-separate-function.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-concentrate-bug-reporting-into-a-separate-function.patch
deleted file mode 100644
index 102e5341e..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-concentrate-bug-reporting-into-a-separate-function.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Konrad Rzeszutek Wilk -Date: Wed, 25 Apr 2018 22:04:17 -0400 -Subject: x86/bugs: Concentrate bug reporting into a separate function - -From: Konrad Rzeszutek Wilk - -commit d1059518b4789cabe34bb4b714d07e6089c82ca1 upstream - -Those SysFS functions have a similar preamble, as such make common -code to handle them. - -Suggested-by: Borislav Petkov -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/bugs.c | 46 +++++++++++++++++++++++++++++++-------------- - 1 file changed, 32 insertions(+), 14 deletions(-) - ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -314,30 +314,48 @@ retpoline_auto: - #undef pr_fmt - - #ifdef CONFIG_SYSFS --ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) -+ -+ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, -+ char *buf, unsigned int bug) - { -- if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN)) -+ if (!boot_cpu_has_bug(bug)) - return sprintf(buf, "Not affected\n"); -- if (boot_cpu_has(X86_FEATURE_PTI)) -- return sprintf(buf, "Mitigation: PTI\n"); -+ -+ switch (bug) { -+ case X86_BUG_CPU_MELTDOWN: -+ if (boot_cpu_has(X86_FEATURE_PTI)) -+ return sprintf(buf, "Mitigation: PTI\n"); -+ -+ break; -+ -+ case X86_BUG_SPECTRE_V1: -+ return sprintf(buf, "Mitigation: __user pointer sanitization\n"); -+ -+ case X86_BUG_SPECTRE_V2: -+ return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], -+ boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "", -+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? 
", IBRS_FW" : "", -+ spectre_v2_module_string()); -+ -+ default: -+ break; -+ } -+ - return sprintf(buf, "Vulnerable\n"); - } - -+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) -+{ -+ return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN); -+} -+ - ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) - { -- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1)) -- return sprintf(buf, "Not affected\n"); -- return sprintf(buf, "Mitigation: __user pointer sanitization\n"); -+ return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1); - } - - ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) - { -- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) -- return sprintf(buf, "Not affected\n"); -- -- return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], -- boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "", -- boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", -- spectre_v2_module_string()); -+ return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2); - } - #endif diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-expose-sys-..-spec_store_bypass.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-expose-sys-..-spec_store_bypass.patch deleted file mode 100644 index e7be600b3..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-bugs-expose-sys-..-spec_store_bypass.patch +++ /dev/null 
@@ -1,134 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Konrad Rzeszutek Wilk -Date: Wed, 25 Apr 2018 22:04:20 -0400 -Subject: x86/bugs: Expose /sys/../spec_store_bypass - -From: Konrad Rzeszutek Wilk - -commit c456442cd3a59eeb1d60293c26cbe2ff2c4e42cf upstream - -Add the sysfs file for the new vulerability. It does not do much except -show the words 'Vulnerable' for recent x86 cores. - -Intel cores prior to family 6 are known not to be vulnerable, and so are -some Atoms and some Xeon Phi. - -It assumes that older Cyrix, Centaur, etc. cores are immune. - -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - Documentation/ABI/testing/sysfs-devices-system-cpu | 1 - arch/x86/include/asm/cpufeatures.h | 1 - arch/x86/kernel/cpu/bugs.c | 5 ++++ - arch/x86/kernel/cpu/common.c | 23 +++++++++++++++++++++ - drivers/base/cpu.c | 8 +++++++ - include/linux/cpu.h | 2 + - 6 files changed, 40 insertions(+) - ---- a/Documentation/ABI/testing/sysfs-devices-system-cpu -+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu -@@ -453,6 +453,7 @@ What: /sys/devices/system/cpu/vulnerabi - /sys/devices/system/cpu/vulnerabilities/meltdown - /sys/devices/system/cpu/vulnerabilities/spectre_v1 - /sys/devices/system/cpu/vulnerabilities/spectre_v2 -+ /sys/devices/system/cpu/vulnerabilities/spec_store_bypass - Date: January 2018 - Contact: Linux kernel mailing list - Description: Information about CPU vulnerabilities ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -362,5 +362,6 @@ - #define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */ - #define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ - #define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ 
-+#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */ - - #endif /* _ASM_X86_CPUFEATURES_H */ ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -404,4 +404,9 @@ ssize_t cpu_show_spectre_v2(struct devic - { - return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2); - } -+ -+ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf) -+{ -+ return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS); -+} - #endif ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -918,10 +918,33 @@ static const __initconst struct x86_cpu_ - {} - }; - -+static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = { -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PINEVIEW }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PENWELL }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT2 }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MERRIFIELD }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_CORE_YONAH }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL }, -+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM }, -+ { X86_VENDOR_CENTAUR, 5, }, -+ { X86_VENDOR_INTEL, 5, }, -+ { X86_VENDOR_NSC, 5, }, -+ { X86_VENDOR_ANY, 4, }, -+ {} -+}; -+ - static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) - { - u64 ia32_cap = 0; - -+ if (!x86_match_cpu(cpu_no_spec_store_bypass)) -+ setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); -+ - if (x86_match_cpu(cpu_no_speculation)) - return; - ---- a/drivers/base/cpu.c -+++ b/drivers/base/cpu.c -@@ -532,14 +532,22 @@ ssize_t __weak cpu_show_spectre_v2(struc - return sprintf(buf, "Not affected\n"); - } - -+ssize_t __weak cpu_show_spec_store_bypass(struct 
device *dev, -+ struct device_attribute *attr, char *buf) -+{ -+ return sprintf(buf, "Not affected\n"); -+} -+ - static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); - static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); - static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); -+static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL); - - static struct attribute *cpu_root_vulnerabilities_attrs[] = { - &dev_attr_meltdown.attr, - &dev_attr_spectre_v1.attr, - &dev_attr_spectre_v2.attr, -+ &dev_attr_spec_store_bypass.attr, - NULL - }; - ---- a/include/linux/cpu.h -+++ b/include/linux/cpu.h -@@ -53,6 +53,8 @@ extern ssize_t cpu_show_spectre_v1(struc - struct device_attribute *attr, char *buf); - extern ssize_t cpu_show_spectre_v2(struct device *dev, - struct device_attribute *attr, char *buf); -+extern ssize_t cpu_show_spec_store_bypass(struct device *dev, -+ struct device_attribute *attr, char *buf); - - extern __printf(4, 5) - struct device *cpu_device_create(struct device *parent, void *drvdata, diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-expose-x86_spec_ctrl_base-directly.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-expose-x86_spec_ctrl_base-directly.patch deleted file mode 100644 index ded599d26..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-bugs-expose-x86_spec_ctrl_base-directly.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Thomas Gleixner -Date: Sat, 12 May 2018 20:49:16 +0200 -Subject: x86/bugs: Expose x86_spec_ctrl_base directly - -From: Thomas Gleixner - -commit fa8ac4988249c38476f6ad678a4848a736373403 upstream - -x86_spec_ctrl_base is the system wide default value for the SPEC_CTRL MSR. -x86_spec_ctrl_get_default() returns x86_spec_ctrl_base and was intended to -prevent modification to that variable. Though the variable is read only -after init and globaly visible already. - -Remove the function and export the variable instead. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Konrad Rzeszutek Wilk -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/nospec-branch.h | 16 +++++----------- - arch/x86/include/asm/spec-ctrl.h | 3 --- - arch/x86/kernel/cpu/bugs.c | 11 +---------- - 3 files changed, 6 insertions(+), 24 deletions(-) - ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -217,16 +217,7 @@ enum spectre_v2_mitigation { - SPECTRE_V2_IBRS, - }; - --/* -- * The Intel specification for the SPEC_CTRL MSR requires that we -- * preserve any already set reserved bits at boot time (e.g. for -- * future additions that this kernel is not currently aware of). -- * We then set any additional mitigation bits that we want -- * ourselves and always use this as the base for SPEC_CTRL. -- * We also use this when handling guest entry/exit as below. -- */ - extern void x86_spec_ctrl_set(u64); --extern u64 x86_spec_ctrl_get_default(void); - - /* The Speculative Store Bypass disable variants */ - enum ssb_mitigation { -@@ -278,6 +269,9 @@ static inline void indirect_branch_predi - alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB); - } - -+/* The Intel SPEC CTRL MSR base value cache */ -+extern u64 x86_spec_ctrl_base; -+ - /* - * With retpoline, we must use IBRS to restrict branch prediction - * before calling into firmware. 
-@@ -286,7 +280,7 @@ static inline void indirect_branch_predi - */ - #define firmware_restrict_branch_speculation_start() \ - do { \ -- u64 val = x86_spec_ctrl_get_default() | SPEC_CTRL_IBRS; \ -+ u64 val = x86_spec_ctrl_base | SPEC_CTRL_IBRS; \ - \ - preempt_disable(); \ - alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ -@@ -295,7 +289,7 @@ do { \ - - #define firmware_restrict_branch_speculation_end() \ - do { \ -- u64 val = x86_spec_ctrl_get_default(); \ -+ u64 val = x86_spec_ctrl_base; \ - \ - alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ - X86_FEATURE_USE_IBRS_FW); \ ---- a/arch/x86/include/asm/spec-ctrl.h -+++ b/arch/x86/include/asm/spec-ctrl.h -@@ -47,9 +47,6 @@ void x86_spec_ctrl_restore_host(u64 gues - extern u64 x86_amd_ls_cfg_base; - extern u64 x86_amd_ls_cfg_ssbd_mask; - --/* The Intel SPEC CTRL MSR base value cache */ --extern u64 x86_spec_ctrl_base; -- - static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn) - { - BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT); ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -36,6 +36,7 @@ static void __init ssb_select_mitigation - * writes to SPEC_CTRL contain whatever reserved bits have been set. - */ - u64 __ro_after_init x86_spec_ctrl_base; -+EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); - - /* - * The vendor and possibly platform specific bits which can be modified in -@@ -141,16 +142,6 @@ void x86_spec_ctrl_set(u64 val) - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_set); - --u64 x86_spec_ctrl_get_default(void) --{ -- u64 msrval = x86_spec_ctrl_base; -- -- if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) -- msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); -- return msrval; --} --EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); -- - void - x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) - { 
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-fix-__ssb_select_mitigation-return-type.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-fix-__ssb_select_mitigation-return-type.patch
deleted file mode 100644
index bf9c432b5..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-fix-__ssb_select_mitigation-return-type.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Jiri Kosina
-Date: Thu, 10 May 2018 22:47:18 +0200
-Subject: x86/bugs: Fix __ssb_select_mitigation() return type
-
-From: Jiri Kosina
-
-commit d66d8ff3d21667b41eddbe86b35ab411e40d8c5f upstream
-
-__ssb_select_mitigation() returns one of the members of enum ssb_mitigation,
-not ssb_mitigation_cmd; fix the prototype to reflect that.
-
-Fixes: 24f7fc83b9204 ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation")
-Signed-off-by: Jiri Kosina
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/kernel/cpu/bugs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -468,7 +468,7 @@ static enum ssb_mitigation_cmd __init ss
- return cmd;
- }
-
--static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
-+static enum ssb_mitigation __init __ssb_select_mitigation(void)
- {
- enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
- enum ssb_mitigation_cmd cmd;
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-fix-the-parameters-alignment-and-missing-void.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-fix-the-parameters-alignment-and-missing-void.patch
deleted file mode 100644
index a23781536..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-fix-the-parameters-alignment-and-missing-void.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Konrad Rzeszutek Wilk
-Date: Fri, 11 May 2018 16:50:35 -0400
-Subject: x86/bugs: Fix the parameters alignment and missing void
-
-From: Konrad Rzeszutek Wilk
-
-commit ffed645e3be0e32f8e9ab068d257aee8d0fe8eec upstream
-
-Fixes: 7bb4d366c ("x86/bugs: Make cpu_show_common() static")
-Fixes: 24f7fc83b ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation")
-Signed-off-by: Konrad Rzeszutek Wilk
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/kernel/cpu/bugs.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -531,7 +531,7 @@ static enum ssb_mitigation __init __ssb_
- return mode;
- }
-
--static void ssb_select_mitigation()
-+static void ssb_select_mitigation(void)
- {
- ssb_mode = __ssb_select_mitigation();
-
-@@ -641,7 +641,7 @@ void x86_spec_ctrl_setup_ap(void)
- #ifdef CONFIG_SYSFS
-
- static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
-- char *buf, unsigned int bug)
-+ char *buf, unsigned int bug)
- {
- if (!boot_cpu_has_bug(bug))
- return sprintf(buf, "Not affected\n");
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-intel-set-proper-cpu-features-and-setup-rds.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-intel-set-proper-cpu-features-and-setup-rds.patch
deleted file mode 100644
index 6425b94a8..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-intel-set-proper-cpu-features-and-setup-rds.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Konrad Rzeszutek Wilk -Date: Wed, 25 Apr 2018 22:04:22 -0400 -Subject: x86/bugs/intel: Set proper CPU features and setup RDS - -From: Konrad Rzeszutek Wilk - -commit 772439717dbf703b39990be58d8d4e3e4ad0598a upstream - -Intel CPUs expose methods to: - - - Detect whether RDS capability is available via CPUID.7.0.EDX[31], - - - The SPEC_CTRL MSR(0x48), bit 2 set to enable RDS. - - - MSR_IA32_ARCH_CAPABILITIES, Bit(4) no need to enable RRS. - -With that in mind if spec_store_bypass_disable=[auto,on] is selected set at -boot-time the SPEC_CTRL MSR to enable RDS if the platform requires it. - -Note that this does not fix the KVM case where the SPEC_CTRL is exposed to -guests which can muck with it, see patch titled : - KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS. - -And for the firmware (IBRS to be set), see patch titled: - x86/spectre_v2: Read SPEC_CTRL MSR during boot and re-use reserved bits - -[ tglx: Distangled it from the intel implementation and kept the call order ] - -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/msr-index.h | 6 ++++++ - arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++++++++++-- - arch/x86/kernel/cpu/common.c | 10 ++++++---- - arch/x86/kernel/cpu/cpu.h | 2 ++ - arch/x86/kernel/cpu/intel.c | 1 + - 5 files changed, 43 insertions(+), 6 deletions(-) - ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -42,6 +42,7 @@ - #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */ - #define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */ - #define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */ -+#define SPEC_CTRL_RDS (1 << 2) /* Reduced Data Speculation */ - - #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ - #define 
PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */ -@@ -68,6 +69,11 @@ - #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a - #define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */ - #define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */ -+#define ARCH_CAP_RDS_NO (1 << 4) /* -+ * Not susceptible to Speculative Store Bypass -+ * attack, so no Reduced Data Speculation control -+ * required. -+ */ - - #define MSR_IA32_BBL_CR_CTL 0x00000119 - #define MSR_IA32_BBL_CR_CTL3 0x0000011e ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -117,7 +117,7 @@ static enum spectre_v2_mitigation spectr - - void x86_spec_ctrl_set(u64 val) - { -- if (val & ~SPEC_CTRL_IBRS) -+ if (val & ~(SPEC_CTRL_IBRS | SPEC_CTRL_RDS)) - WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val); - else - wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val); -@@ -444,8 +444,28 @@ static enum ssb_mitigation_cmd __init __ - break; - } - -- if (mode != SPEC_STORE_BYPASS_NONE) -+ /* -+ * We have three CPU feature flags that are in play here: -+ * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. -+ * - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass -+ * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation -+ */ -+ if (mode != SPEC_STORE_BYPASS_NONE) { - setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); -+ /* -+ * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses -+ * a completely different MSR and bit dependent on family. 
-+ */ -+ switch (boot_cpu_data.x86_vendor) { -+ case X86_VENDOR_INTEL: -+ x86_spec_ctrl_base |= SPEC_CTRL_RDS; -+ x86_spec_ctrl_set(SPEC_CTRL_RDS); -+ break; -+ case X86_VENDOR_AMD: -+ break; -+ } -+ } -+ - return mode; - } - -@@ -459,6 +479,12 @@ static void ssb_select_mitigation() - - #undef pr_fmt - -+void x86_spec_ctrl_setup_ap(void) -+{ -+ if (boot_cpu_has(X86_FEATURE_IBRS)) -+ x86_spec_ctrl_set(x86_spec_ctrl_base & (SPEC_CTRL_IBRS | SPEC_CTRL_RDS)); -+} -+ - #ifdef CONFIG_SYSFS - - ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -942,7 +942,11 @@ static void __init cpu_set_bug_bits(stru - { - u64 ia32_cap = 0; - -- if (!x86_match_cpu(cpu_no_spec_store_bypass)) -+ if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES)) -+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); -+ -+ if (!x86_match_cpu(cpu_no_spec_store_bypass) && -+ !(ia32_cap & ARCH_CAP_RDS_NO)) - setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); - - if (x86_match_cpu(cpu_no_speculation)) -@@ -954,9 +958,6 @@ static void __init cpu_set_bug_bits(stru - if (x86_match_cpu(cpu_no_meltdown)) - return; - -- if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES)) -- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); -- - /* Rogue Data Cache Load? No! 
*/ - if (ia32_cap & ARCH_CAP_RDCL_NO) - return; -@@ -1371,6 +1372,7 @@ void identify_secondary_cpu(struct cpuin - #endif - mtrr_ap_init(); - validate_apic_and_package_id(c); -+ x86_spec_ctrl_setup_ap(); - } - - static __init int setup_noclflush(char *arg) ---- a/arch/x86/kernel/cpu/cpu.h -+++ b/arch/x86/kernel/cpu/cpu.h -@@ -50,4 +50,6 @@ extern void cpu_detect_cache_sizes(struc - - unsigned int aperfmperf_get_khz(int cpu); - -+extern void x86_spec_ctrl_setup_ap(void); -+ - #endif /* ARCH_X86_CPU_H */ ---- a/arch/x86/kernel/cpu/intel.c -+++ b/arch/x86/kernel/cpu/intel.c -@@ -189,6 +189,7 @@ static void early_init_intel(struct cpui - setup_clear_cpu_cap(X86_FEATURE_STIBP); - setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); - setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); -+ setup_clear_cpu_cap(X86_FEATURE_RDS); - } - - /* diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-kvm-extend-speculation-control-for-virt_spec_ctrl.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-kvm-extend-speculation-control-for-virt_spec_ctrl.patch deleted file mode 100644 index ce65bdb92..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-bugs-kvm-extend-speculation-control-for-virt_spec_ctrl.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Thomas Gleixner -Date: Wed, 9 May 2018 23:01:01 +0200 -Subject: x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL - -From: Thomas Gleixner - -commit ccbcd2674472a978b48c91c1fbfb66c0ff959f24 upstream - -AMD is proposing a VIRT_SPEC_CTRL MSR to handle the Speculative Store -Bypass Disable via MSR_AMD64_LS_CFG so that guests do not have to care -about the bit position of the SSBD bit and thus facilitate migration. -Also, the sibling coordination on Family 17H CPUs can only be done on -the host. - -Extend x86_spec_ctrl_set_guest() and x86_spec_ctrl_restore_host() with an -extra argument for the VIRT_SPEC_CTRL MSR. - -Hand in 0 from VMX and in SVM add a new virt_spec_ctrl member to the CPU -data structure which is going to be used in later patches for the actual -implementation. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Konrad Rzeszutek Wilk -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/spec-ctrl.h | 9 ++++++--- - arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++++++++-- - arch/x86/kvm/svm.c | 11 +++++++++-- - arch/x86/kvm/vmx.c | 5 +++-- - 4 files changed, 36 insertions(+), 9 deletions(-) - ---- a/arch/x86/include/asm/spec-ctrl.h -+++ b/arch/x86/include/asm/spec-ctrl.h -@@ -10,10 +10,13 @@ - * the guest has, while on VMEXIT we restore the host view. This - * would be easier if SPEC_CTRL were architecturally maskable or - * shadowable for guests but this is not (currently) the case. -- * Takes the guest view of SPEC_CTRL MSR as a parameter. -+ * Takes the guest view of SPEC_CTRL MSR as a parameter and also -+ * the guest's version of VIRT_SPEC_CTRL, if emulated. 
- */ --extern void x86_spec_ctrl_set_guest(u64); --extern void x86_spec_ctrl_restore_host(u64); -+extern void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, -+ u64 guest_virt_spec_ctrl); -+extern void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, -+ u64 guest_virt_spec_ctrl); - - /* AMD specific Speculative Store Bypass MSR data */ - extern u64 x86_amd_ls_cfg_base; ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -151,7 +151,15 @@ u64 x86_spec_ctrl_get_default(void) - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); - --void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) -+/** -+ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest -+ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL -+ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL -+ * (may get translated to MSR_AMD64_LS_CFG bits) -+ * -+ * Avoids writing to the MSR if the content/bits are the same -+ */ -+void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) - { - u64 host = x86_spec_ctrl_base; - -@@ -168,7 +176,15 @@ void x86_spec_ctrl_set_guest(u64 guest_s - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest); - --void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) -+/** -+ * x86_spec_ctrl_restore_host - Restore host speculation control registers -+ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL -+ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL -+ * (may get translated to MSR_AMD64_LS_CFG bits) -+ * -+ * Avoids writing to the MSR if the content/bits are the same -+ */ -+void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) - { - u64 host = x86_spec_ctrl_base; - ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -192,6 +192,12 @@ struct vcpu_svm { - } host; - - u64 spec_ctrl; -+ /* -+ * Contains guest-controlled bits of VIRT_SPEC_CTRL, which will be -+ * translated into the appropriate L2_CFG bits on the host to -+ * perform speculative control. 
-+ */ -+ u64 virt_spec_ctrl; - - u32 *msrpm; - -@@ -1910,6 +1916,7 @@ static void svm_vcpu_reset(struct kvm_vc - - vcpu->arch.microcode_version = 0x01000065; - svm->spec_ctrl = 0; -+ svm->virt_spec_ctrl = 0; - - if (!init_event) { - svm->vcpu.arch.apic_base = APIC_DEFAULT_PHYS_BASE | -@@ -5401,7 +5408,7 @@ static void svm_vcpu_run(struct kvm_vcpu - * is no need to worry about the conditional branch over the wrmsr - * being speculatively taken. - */ -- x86_spec_ctrl_set_guest(svm->spec_ctrl); -+ x86_spec_ctrl_set_guest(svm->spec_ctrl, svm->virt_spec_ctrl); - - asm volatile ( - "push %%" _ASM_BP "; \n\t" -@@ -5525,7 +5532,7 @@ static void svm_vcpu_run(struct kvm_vcpu - if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) - svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); - -- x86_spec_ctrl_restore_host(svm->spec_ctrl); -+ x86_spec_ctrl_restore_host(svm->spec_ctrl, svm->virt_spec_ctrl); - - reload_tss(vcpu); - ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -9463,9 +9463,10 @@ static void __noclone vmx_vcpu_run(struc - * is no need to worry about the conditional branch over the wrmsr - * being speculatively taken. - */ -- x86_spec_ctrl_set_guest(vmx->spec_ctrl); -+ x86_spec_ctrl_set_guest(vmx->spec_ctrl, 0); - - vmx->__launched = vmx->loaded_vmcs->launched; -+ - asm( - /* Store host registers */ - "push %%" _ASM_DX "; push %%" _ASM_BP ";" -@@ -9601,7 +9602,7 @@ static void __noclone vmx_vcpu_run(struc - if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) - vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); - -- x86_spec_ctrl_restore_host(vmx->spec_ctrl); -+ x86_spec_ctrl_restore_host(vmx->spec_ctrl, 0); - - /* Eliminate branch target predictions from guest mode */ - vmexit_fill_RSB(); 
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-kvm-support-the-combination-of-guest-and-host-ibrs.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-kvm-support-the-combination-of-guest-and-host-ibrs.patch
deleted file mode 100644
index e6c34e679..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-kvm-support-the-combination-of-guest-and-host-ibrs.patch
+++ /dev/null
@@ -1,126 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Konrad Rzeszutek Wilk -Date: Wed, 25 Apr 2018 22:04:19 -0400 -Subject: x86/bugs, KVM: Support the combination of guest and host IBRS - -From: Konrad Rzeszutek Wilk - -commit 5cf687548705412da47c9cec342fd952d71ed3d5 upstream - -A guest may modify the SPEC_CTRL MSR from the value used by the -kernel. Since the kernel doesn't use IBRS, this means a value of zero is -what is needed in the host. - -But the 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to -the other bits as reserved so the kernel should respect the boot time -SPEC_CTRL value and use that. - -This allows to deal with future extensions to the SPEC_CTRL interface if -any at all. - -Note: This uses wrmsrl() instead of native_wrmsl(). I does not make any -difference as paravirt will over-write the callq *0xfff.. with the wrmsrl -assembler code. - -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/nospec-branch.h | 10 ++++++++++ - arch/x86/kernel/cpu/bugs.c | 18 ++++++++++++++++++ - arch/x86/kvm/svm.c | 6 ++---- - arch/x86/kvm/vmx.c | 6 ++---- - 4 files changed, 32 insertions(+), 8 deletions(-) - ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -228,6 +228,16 @@ enum spectre_v2_mitigation { - extern void x86_spec_ctrl_set(u64); - extern u64 x86_spec_ctrl_get_default(void); - -+/* -+ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR -+ * the guest has, while on VMEXIT we restore the host view. This -+ * would be easier if SPEC_CTRL were architecturally maskable or -+ * shadowable for guests but this is not (currently) the case. -+ * Takes the guest view of SPEC_CTRL MSR as a parameter. 
-+ */ -+extern void x86_spec_ctrl_set_guest(u64); -+extern void x86_spec_ctrl_restore_host(u64); -+ - extern char __indirect_thunk_start[]; - extern char __indirect_thunk_end[]; - ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -123,6 +123,24 @@ u64 x86_spec_ctrl_get_default(void) - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); - -+void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) -+{ -+ if (!boot_cpu_has(X86_FEATURE_IBRS)) -+ return; -+ if (x86_spec_ctrl_base != guest_spec_ctrl) -+ wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl); -+} -+EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest); -+ -+void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) -+{ -+ if (!boot_cpu_has(X86_FEATURE_IBRS)) -+ return; -+ if (x86_spec_ctrl_base != guest_spec_ctrl) -+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); -+} -+EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host); -+ - #ifdef RETPOLINE - static bool spectre_v2_bad_module; - ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -5401,8 +5401,7 @@ static void svm_vcpu_run(struct kvm_vcpu - * is no need to worry about the conditional branch over the wrmsr - * being speculatively taken. - */ -- if (svm->spec_ctrl) -- native_wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl); -+ x86_spec_ctrl_set_guest(svm->spec_ctrl); - - asm volatile ( - "push %%" _ASM_BP "; \n\t" -@@ -5514,8 +5513,7 @@ static void svm_vcpu_run(struct kvm_vcpu - if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) - svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); - -- if (svm->spec_ctrl) -- native_wrmsrl(MSR_IA32_SPEC_CTRL, 0); -+ x86_spec_ctrl_restore_host(svm->spec_ctrl); - - /* Eliminate branch target predictions from guest mode */ - vmexit_fill_RSB(); ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -9466,8 +9466,7 @@ static void __noclone vmx_vcpu_run(struc - * is no need to worry about the conditional branch over the wrmsr - * being speculatively taken. 
- */ -- if (vmx->spec_ctrl) -- native_wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl); -+ x86_spec_ctrl_set_guest(vmx->spec_ctrl); - - vmx->__launched = vmx->loaded_vmcs->launched; - asm( -@@ -9605,8 +9604,7 @@ static void __noclone vmx_vcpu_run(struc - if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) - vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); - -- if (vmx->spec_ctrl) -- native_wrmsrl(MSR_IA32_SPEC_CTRL, 0); -+ x86_spec_ctrl_restore_host(vmx->spec_ctrl); - - /* Eliminate branch target predictions from guest mode */ - vmexit_fill_RSB(); diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-make-boot-modes-__ro_after_init.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-make-boot-modes-__ro_after_init.patch deleted file mode 100644 index 4aea28707..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-bugs-make-boot-modes-__ro_after_init.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Kees Cook
-Date: Thu, 3 May 2018 15:03:30 -0700
-Subject: x86/bugs: Make boot modes __ro_after_init
-
-From: Kees Cook
-
-commit f9544b2b076ca90d887c5ae5d74fab4c21bb7c13 upstream
-
-There's no reason for these to be changed after boot.
-
-Signed-off-by: Kees Cook
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/kernel/cpu/bugs.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -129,7 +129,8 @@ static const char *spectre_v2_strings[]
- #undef pr_fmt
- #define pr_fmt(fmt) "Spectre V2 : " fmt
-
--static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
-+static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
-+ SPECTRE_V2_NONE;
-
- void x86_spec_ctrl_set(u64 val)
- {
-@@ -407,7 +408,7 @@ retpoline_auto:
- #undef pr_fmt
- #define pr_fmt(fmt) "Speculative Store Bypass: " fmt
-
--static enum ssb_mitigation ssb_mode = SPEC_STORE_BYPASS_NONE;
-+static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
-
- /* The kernel command line selection */
- enum ssb_mitigation_cmd {
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-make-cpu_show_common-static.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-make-cpu_show_common-static.patch
deleted file mode 100644
index 7c3b934d0..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-make-cpu_show_common-static.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Jiri Kosina
-Date: Thu, 10 May 2018 22:47:32 +0200
-Subject: x86/bugs: Make cpu_show_common() static
-
-From: Jiri Kosina
-
-commit 7bb4d366cba992904bffa4820d24e70a3de93e76 upstream
-
-cpu_show_common() is not used outside of arch/x86/kernel/cpu/bugs.c, so
-make it static.
-
-Signed-off-by: Jiri Kosina
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/kernel/cpu/bugs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -640,7 +640,7 @@ void x86_spec_ctrl_setup_ap(void)
-
- #ifdef CONFIG_SYSFS
-
--ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
-+static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
- char *buf, unsigned int bug)
- {
- if (!boot_cpu_has_bug(bug))
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch
deleted file mode 100644
index 1f3bc827c..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch
+++ /dev/null
@@ -1,261 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Konrad Rzeszutek Wilk -Date: Wed, 25 Apr 2018 22:04:21 -0400 -Subject: x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation - -From: Konrad Rzeszutek Wilk - -commit 24f7fc83b9204d20f878c57cb77d261ae825e033 upstream - -Contemporary high performance processors use a common industry-wide -optimization known as "Speculative Store Bypass" in which loads from -addresses to which a recent store has occurred may (speculatively) see an -older value. Intel refers to this feature as "Memory Disambiguation" which -is part of their "Smart Memory Access" capability. - -Memory Disambiguation can expose a cache side-channel attack against such -speculatively read values. An attacker can create exploit code that allows -them to read memory outside of a sandbox environment (for example, -malicious JavaScript in a web page), or to perform more complex attacks -against code running within the same privilege level, e.g. via the stack. - -As a first step to mitigate against such attacks, provide two boot command -line control knobs: - - nospec_store_bypass_disable - spec_store_bypass_disable=[off,auto,on] - -By default affected x86 processors will power on with Speculative -Store Bypass enabled. Hence the provided kernel parameters are written -from the point of view of whether to enable a mitigation or not. -The parameters are as follows: - - - auto - Kernel detects whether your CPU model contains an implementation - of Speculative Store Bypass and picks the most appropriate - mitigation. 
- - - on - disable Speculative Store Bypass - - off - enable Speculative Store Bypass - -[ tglx: Reordered the checks so that the whole evaluation is not done - when the CPU does not support RDS ] - -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - Documentation/admin-guide/kernel-parameters.txt | 33 +++++++ - arch/x86/include/asm/cpufeatures.h | 1 - arch/x86/include/asm/nospec-branch.h | 6 + - arch/x86/kernel/cpu/bugs.c | 103 ++++++++++++++++++++++++ - 4 files changed, 143 insertions(+) - ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2647,6 +2647,9 @@ - allow data leaks with this option, which is equivalent - to spectre_v2=off. - -+ nospec_store_bypass_disable -+ [HW] Disable all mitigations for the Speculative Store Bypass vulnerability -+ - noxsave [BUGS=X86] Disables x86 extended register state save - and restore using xsave. The kernel will fallback to - enabling legacy floating-point and sse state. -@@ -3997,6 +4000,36 @@ - Not specifying this option is equivalent to - spectre_v2=auto. - -+ spec_store_bypass_disable= -+ [HW] Control Speculative Store Bypass (SSB) Disable mitigation -+ (Speculative Store Bypass vulnerability) -+ -+ Certain CPUs are vulnerable to an exploit against a -+ a common industry wide performance optimization known -+ as "Speculative Store Bypass" in which recent stores -+ to the same memory location may not be observed by -+ later loads during speculative execution. The idea -+ is that such stores are unlikely and that they can -+ be detected prior to instruction retirement at the -+ end of a particular speculation execution window. -+ -+ In vulnerable processors, the speculatively forwarded -+ store can be used in a cache side channel attack, for -+ example to read memory to which the attacker does not -+ directly have access (e.g. 
inside sandboxed code). -+ -+ This parameter controls whether the Speculative Store -+ Bypass optimization is used. -+ -+ on - Unconditionally disable Speculative Store Bypass -+ off - Unconditionally enable Speculative Store Bypass -+ auto - Kernel detects whether the CPU model contains an -+ implementation of Speculative Store Bypass and -+ picks the most appropriate mitigation -+ -+ Not specifying this option is equivalent to -+ spec_store_bypass_disable=auto. -+ - spia_io_base= [HW,MTD] - spia_fio_base= - spia_pedr= ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -214,6 +214,7 @@ - - #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ - #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ -+#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */ - - /* Virtualization flags: Linux defined, word 8 */ - #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -238,6 +238,12 @@ extern u64 x86_spec_ctrl_get_default(voi - extern void x86_spec_ctrl_set_guest(u64); - extern void x86_spec_ctrl_restore_host(u64); - -+/* The Speculative Store Bypass disable variants */ -+enum ssb_mitigation { -+ SPEC_STORE_BYPASS_NONE, -+ SPEC_STORE_BYPASS_DISABLE, -+}; -+ - extern char __indirect_thunk_start[]; - extern char __indirect_thunk_end[]; - ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -27,6 +27,7 @@ - #include - - static void __init spectre_v2_select_mitigation(void); -+static void __init ssb_select_mitigation(void); - - /* - * Our boot-time value of the SPEC_CTRL MSR. 
We read it once so that any -@@ -53,6 +54,12 @@ void __init check_bugs(void) - /* Select the proper spectre mitigation before patching alternatives */ - spectre_v2_select_mitigation(); - -+ /* -+ * Select proper mitigation for any exposure to the Speculative Store -+ * Bypass vulnerability. -+ */ -+ ssb_select_mitigation(); -+ - #ifdef CONFIG_X86_32 - /* - * Check whether we are able to run this kernel safely on SMP. -@@ -358,6 +365,99 @@ retpoline_auto: - } - - #undef pr_fmt -+#define pr_fmt(fmt) "Speculative Store Bypass: " fmt -+ -+static enum ssb_mitigation ssb_mode = SPEC_STORE_BYPASS_NONE; -+ -+/* The kernel command line selection */ -+enum ssb_mitigation_cmd { -+ SPEC_STORE_BYPASS_CMD_NONE, -+ SPEC_STORE_BYPASS_CMD_AUTO, -+ SPEC_STORE_BYPASS_CMD_ON, -+}; -+ -+static const char *ssb_strings[] = { -+ [SPEC_STORE_BYPASS_NONE] = "Vulnerable", -+ [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled" -+}; -+ -+static const struct { -+ const char *option; -+ enum ssb_mitigation_cmd cmd; -+} ssb_mitigation_options[] = { -+ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ -+ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ -+ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ -+}; -+ -+static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) -+{ -+ enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO; -+ char arg[20]; -+ int ret, i; -+ -+ if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) { -+ return SPEC_STORE_BYPASS_CMD_NONE; -+ } else { -+ ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable", -+ arg, sizeof(arg)); -+ if (ret < 0) -+ return SPEC_STORE_BYPASS_CMD_AUTO; -+ -+ for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) { -+ if (!match_option(arg, ret, ssb_mitigation_options[i].option)) -+ continue; -+ -+ cmd = ssb_mitigation_options[i].cmd; -+ break; -+ } -+ -+ if (i >= 
ARRAY_SIZE(ssb_mitigation_options)) { -+ pr_err("unknown option (%s). Switching to AUTO select\n", arg); -+ return SPEC_STORE_BYPASS_CMD_AUTO; -+ } -+ } -+ -+ return cmd; -+} -+ -+static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) -+{ -+ enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE; -+ enum ssb_mitigation_cmd cmd; -+ -+ if (!boot_cpu_has(X86_FEATURE_RDS)) -+ return mode; -+ -+ cmd = ssb_parse_cmdline(); -+ if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) && -+ (cmd == SPEC_STORE_BYPASS_CMD_NONE || -+ cmd == SPEC_STORE_BYPASS_CMD_AUTO)) -+ return mode; -+ -+ switch (cmd) { -+ case SPEC_STORE_BYPASS_CMD_AUTO: -+ case SPEC_STORE_BYPASS_CMD_ON: -+ mode = SPEC_STORE_BYPASS_DISABLE; -+ break; -+ case SPEC_STORE_BYPASS_CMD_NONE: -+ break; -+ } -+ -+ if (mode != SPEC_STORE_BYPASS_NONE) -+ setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); -+ return mode; -+} -+ -+static void ssb_select_mitigation() -+{ -+ ssb_mode = __ssb_select_mitigation(); -+ -+ if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) -+ pr_info("%s\n", ssb_strings[ssb_mode]); -+} -+ -+#undef pr_fmt - - #ifdef CONFIG_SYSFS - -@@ -383,6 +483,9 @@ ssize_t cpu_show_common(struct device *d - boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", - spectre_v2_module_string()); - -+ case X86_BUG_SPEC_STORE_BYPASS: -+ return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); -+ - default: - break; - } diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-read-spec_ctrl-msr-during-boot-and-re-use-reserved-bits.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-read-spec_ctrl-msr-during-boot-and-re-use-reserved-bits.patch deleted file mode 100644 index 6b58a3e7b..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-bugs-read-spec_ctrl-msr-during-boot-and-re-use-reserved-bits.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Konrad Rzeszutek Wilk -Date: Wed, 25 Apr 2018 22:04:18 -0400 -Subject: x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits - -From: Konrad Rzeszutek Wilk - -commit 1b86883ccb8d5d9506529d42dbe1a5257cb30b18 upstream - -The 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to all -the other bits as reserved. The Intel SDM glossary defines reserved as -implementation specific - aka unknown. - -As such at bootup this must be taken it into account and proper masking for -the bits in use applied. - -A copy of this document is available at -https://bugzilla.kernel.org/show_bug.cgi?id=199511 - -[ tglx: Made x86_spec_ctrl_base __ro_after_init ] - -Suggested-by: Jon Masters -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/nospec-branch.h | 24 ++++++++++++++++++++---- - arch/x86/kernel/cpu/bugs.c | 28 ++++++++++++++++++++++++++++ - 2 files changed, 48 insertions(+), 4 deletions(-) - ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -217,6 +217,17 @@ enum spectre_v2_mitigation { - SPECTRE_V2_IBRS, - }; - -+/* -+ * The Intel specification for the SPEC_CTRL MSR requires that we -+ * preserve any already set reserved bits at boot time (e.g. for -+ * future additions that this kernel is not currently aware of). -+ * We then set any additional mitigation bits that we want -+ * ourselves and always use this as the base for SPEC_CTRL. -+ * We also use this when handling guest entry/exit as below. 
-+ */ -+extern void x86_spec_ctrl_set(u64); -+extern u64 x86_spec_ctrl_get_default(void); -+ - extern char __indirect_thunk_start[]; - extern char __indirect_thunk_end[]; - -@@ -254,8 +265,9 @@ void alternative_msr_write(unsigned int - - static inline void indirect_branch_prediction_barrier(void) - { -- alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB, -- X86_FEATURE_USE_IBPB); -+ u64 val = PRED_CMD_IBPB; -+ -+ alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB); - } - - /* -@@ -266,14 +278,18 @@ static inline void indirect_branch_predi - */ - #define firmware_restrict_branch_speculation_start() \ - do { \ -+ u64 val = x86_spec_ctrl_get_default() | SPEC_CTRL_IBRS; \ -+ \ - preempt_disable(); \ -- alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, \ -+ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ - X86_FEATURE_USE_IBRS_FW); \ - } while (0) - - #define firmware_restrict_branch_speculation_end() \ - do { \ -- alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, \ -+ u64 val = x86_spec_ctrl_get_default(); \ -+ \ -+ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ - X86_FEATURE_USE_IBRS_FW); \ - preempt_enable(); \ - } while (0) ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -28,6 +28,12 @@ - - static void __init spectre_v2_select_mitigation(void); - -+/* -+ * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any -+ * writes to SPEC_CTRL contain whatever reserved bits have been set. -+ */ -+static u64 __ro_after_init x86_spec_ctrl_base; -+ - void __init check_bugs(void) - { - identify_boot_cpu(); -@@ -37,6 +43,13 @@ void __init check_bugs(void) - print_cpu_info(&boot_cpu_data); - } - -+ /* -+ * Read the SPEC_CTRL MSR to account for reserved bits which may -+ * have unknown values. 
-+ */ -+ if (boot_cpu_has(X86_FEATURE_IBRS)) -+ rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); -+ - /* Select the proper spectre mitigation before patching alternatives */ - spectre_v2_select_mitigation(); - -@@ -95,6 +108,21 @@ static const char *spectre_v2_strings[] - - static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; - -+void x86_spec_ctrl_set(u64 val) -+{ -+ if (val & ~SPEC_CTRL_IBRS) -+ WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val); -+ else -+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val); -+} -+EXPORT_SYMBOL_GPL(x86_spec_ctrl_set); -+ -+u64 x86_spec_ctrl_get_default(void) -+{ -+ return x86_spec_ctrl_base; -+} -+EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); -+ - #ifdef RETPOLINE - static bool spectre_v2_bad_module; - diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-remove-x86_spec_ctrl_set.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-remove-x86_spec_ctrl_set.patch deleted file mode 100644 index 546ae9773..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-bugs-remove-x86_spec_ctrl_set.patch +++ /dev/null 
@@ -1,70 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Sat, 12 May 2018 20:53:14 +0200
-Subject: x86/bugs: Remove x86_spec_ctrl_set()
-
-From: Thomas Gleixner
-
-commit 4b59bdb569453a60b752b274ca61f009e37f4dae upstream
-
-x86_spec_ctrl_set() is only used in bugs.c and the extra mask checks there
-provide no real value as both call sites can just write x86_spec_ctrl_base
-to MSR_SPEC_CTRL. x86_spec_ctrl_base is valid and does not need any extra
-masking or checking.
-
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Borislav Petkov
-Reviewed-by: Konrad Rzeszutek Wilk
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/nospec-branch.h | 2 --
- arch/x86/kernel/cpu/bugs.c | 13 ++-----------
- 2 files changed, 2 insertions(+), 13 deletions(-)
-
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -217,8 +217,6 @@ enum spectre_v2_mitigation {
- SPECTRE_V2_IBRS,
- };
-
--extern void x86_spec_ctrl_set(u64);
--
- /* The Speculative Store Bypass disable variants */
- enum ssb_mitigation {
- SPEC_STORE_BYPASS_NONE,
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -133,15 +133,6 @@ static const char *spectre_v2_strings[]
- static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
- SPECTRE_V2_NONE;
-
--void x86_spec_ctrl_set(u64 val)
--{
-- if (val & x86_spec_ctrl_mask)
-- WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
-- else
-- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
--}
--EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);
--
- void
- x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
- {
-@@ -503,7 +494,7 @@ static enum ssb_mitigation __init __ssb_
- case X86_VENDOR_INTEL:
- x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
- x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD;
-- x86_spec_ctrl_set(SPEC_CTRL_SSBD);
-+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
- break;
- case X86_VENDOR_AMD:
- x86_amd_ssb_disable();
-@@ -615,7 +606,7 @@ int arch_prctl_spec_ctrl_get(struct task
- void x86_spec_ctrl_setup_ap(void)
- {
- if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
-- x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
-+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
-
- if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
- x86_amd_ssb_disable();
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-rename-_rds-to-_ssbd.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-rename-_rds-to-_ssbd.patch
deleted file mode 100644
index 34953f70f..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-rename-_rds-to-_ssbd.patch
+++ /dev/null
@@ -1,380 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Konrad Rzeszutek Wilk -Date: Wed, 9 May 2018 21:41:38 +0200 -Subject: x86/bugs: Rename _RDS to _SSBD - -From: Konrad Rzeszutek Wilk - -commit 9f65fb29374ee37856dbad847b4e121aab72b510 upstream - -Intel collateral will reference the SSB mitigation bit in IA32_SPEC_CTL[2] -as SSBD (Speculative Store Bypass Disable). - -Hence changing it. - -It is unclear yet what the MSR_IA32_ARCH_CAPABILITIES (0x10a) Bit(4) name -is going to be. Following the rename it would be SSBD_NO but that rolls out -to Speculative Store Bypass Disable No. - -Also fixed the missing space in X86_FEATURE_AMD_SSBD. - -[ tglx: Fixup x86_amd_rds_enable() and rds_tif_to_amd_ls_cfg() as well ] - -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 4 ++-- - arch/x86/include/asm/msr-index.h | 10 +++++----- - arch/x86/include/asm/spec-ctrl.h | 12 ++++++------ - arch/x86/include/asm/thread_info.h | 6 +++--- - arch/x86/kernel/cpu/amd.c | 14 +++++++------- - arch/x86/kernel/cpu/bugs.c | 36 ++++++++++++++++++------------------ - arch/x86/kernel/cpu/common.c | 2 +- - arch/x86/kernel/cpu/intel.c | 2 +- - arch/x86/kernel/process.c | 8 ++++---- - arch/x86/kvm/cpuid.c | 2 +- - arch/x86/kvm/vmx.c | 6 +++--- - 11 files changed, 51 insertions(+), 51 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -215,7 +215,7 @@ - #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ - #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ - #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. 
*/ --#define X86_FEATURE_AMD_RDS (7*32+24) /* "" AMD RDS implementation */ -+#define X86_FEATURE_AMD_SSBD ( 7*32+24) /* "" AMD SSBD implementation */ - - /* Virtualization flags: Linux defined, word 8 */ - #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ -@@ -335,7 +335,7 @@ - #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */ - #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */ - #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */ --#define X86_FEATURE_RDS (18*32+31) /* Reduced Data Speculation */ -+#define X86_FEATURE_SSBD (18*32+31) /* Speculative Store Bypass Disable */ - - /* - * BUG word(s) ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -42,8 +42,8 @@ - #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */ - #define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */ - #define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */ --#define SPEC_CTRL_RDS_SHIFT 2 /* Reduced Data Speculation bit */ --#define SPEC_CTRL_RDS (1 << SPEC_CTRL_RDS_SHIFT) /* Reduced Data Speculation */ -+#define SPEC_CTRL_SSBD_SHIFT 2 /* Speculative Store Bypass Disable bit */ -+#define SPEC_CTRL_SSBD (1 << SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */ - - #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ - #define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */ -@@ -70,10 +70,10 @@ - #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a - #define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */ - #define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */ --#define ARCH_CAP_RDS_NO (1 << 4) /* -+#define ARCH_CAP_SSBD_NO (1 << 4) /* - * Not susceptible to Speculative Store Bypass -- * attack, so no Reduced Data Speculation control -- * required. -+ * attack, so no Speculative Store Bypass -+ * control required. 
- */ - - #define MSR_IA32_BBL_CR_CTL 0x00000119 ---- a/arch/x86/include/asm/spec-ctrl.h -+++ b/arch/x86/include/asm/spec-ctrl.h -@@ -17,20 +17,20 @@ extern void x86_spec_ctrl_restore_host(u - - /* AMD specific Speculative Store Bypass MSR data */ - extern u64 x86_amd_ls_cfg_base; --extern u64 x86_amd_ls_cfg_rds_mask; -+extern u64 x86_amd_ls_cfg_ssbd_mask; - - /* The Intel SPEC CTRL MSR base value cache */ - extern u64 x86_spec_ctrl_base; - --static inline u64 rds_tif_to_spec_ctrl(u64 tifn) -+static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn) - { -- BUILD_BUG_ON(TIF_RDS < SPEC_CTRL_RDS_SHIFT); -- return (tifn & _TIF_RDS) >> (TIF_RDS - SPEC_CTRL_RDS_SHIFT); -+ BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT); -+ return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT); - } - --static inline u64 rds_tif_to_amd_ls_cfg(u64 tifn) -+static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn) - { -- return (tifn & _TIF_RDS) ? x86_amd_ls_cfg_rds_mask : 0ULL; -+ return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL; - } - - extern void speculative_store_bypass_update(void); ---- a/arch/x86/include/asm/thread_info.h -+++ b/arch/x86/include/asm/thread_info.h -@@ -79,7 +79,7 @@ struct thread_info { - #define TIF_SIGPENDING 2 /* signal pending */ - #define TIF_NEED_RESCHED 3 /* rescheduling necessary */ - #define TIF_SINGLESTEP 4 /* reenable singlestep on user return*/ --#define TIF_RDS 5 /* Reduced data speculation */ -+#define TIF_SSBD 5 /* Reduced data speculation */ - #define TIF_SYSCALL_EMU 6 /* syscall emulation active */ - #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */ - #define TIF_SECCOMP 8 /* secure computing */ -@@ -106,7 +106,7 @@ struct thread_info { - #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) - #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) - #define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) --#define _TIF_RDS (1 << TIF_RDS) -+#define _TIF_SSBD (1 << TIF_SSBD) - #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU) - #define _TIF_SYSCALL_AUDIT (1 << 
TIF_SYSCALL_AUDIT) - #define _TIF_SECCOMP (1 << TIF_SECCOMP) -@@ -146,7 +146,7 @@ struct thread_info { - - /* flags to check in __switch_to() */ - #define _TIF_WORK_CTXSW \ -- (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_RDS) -+ (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD) - - #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY) - #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW) ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -567,12 +567,12 @@ static void bsp_init_amd(struct cpuinfo_ - } - /* - * Try to cache the base value so further operations can -- * avoid RMW. If that faults, do not enable RDS. -+ * avoid RMW. If that faults, do not enable SSBD. - */ - if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) { -- setup_force_cpu_cap(X86_FEATURE_RDS); -- setup_force_cpu_cap(X86_FEATURE_AMD_RDS); -- x86_amd_ls_cfg_rds_mask = 1ULL << bit; -+ setup_force_cpu_cap(X86_FEATURE_SSBD); -+ setup_force_cpu_cap(X86_FEATURE_AMD_SSBD); -+ x86_amd_ls_cfg_ssbd_mask = 1ULL << bit; - } - } - } -@@ -920,9 +920,9 @@ static void init_amd(struct cpuinfo_x86 - if (!cpu_has(c, X86_FEATURE_XENPV)) - set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); - -- if (boot_cpu_has(X86_FEATURE_AMD_RDS)) { -- set_cpu_cap(c, X86_FEATURE_RDS); -- set_cpu_cap(c, X86_FEATURE_AMD_RDS); -+ if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) { -+ set_cpu_cap(c, X86_FEATURE_SSBD); -+ set_cpu_cap(c, X86_FEATURE_AMD_SSBD); - } - } - ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -45,10 +45,10 @@ static u64 __ro_after_init x86_spec_ctrl - - /* - * AMD specific MSR info for Speculative Store Bypass control. -- * x86_amd_ls_cfg_rds_mask is initialized in identify_boot_cpu(). -+ * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu(). 
- */ - u64 __ro_after_init x86_amd_ls_cfg_base; --u64 __ro_after_init x86_amd_ls_cfg_rds_mask; -+u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask; - - void __init check_bugs(void) - { -@@ -146,7 +146,7 @@ u64 x86_spec_ctrl_get_default(void) - u64 msrval = x86_spec_ctrl_base; - - if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) -- msrval |= rds_tif_to_spec_ctrl(current_thread_info()->flags); -+ msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); - return msrval; - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); -@@ -159,7 +159,7 @@ void x86_spec_ctrl_set_guest(u64 guest_s - return; - - if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) -- host |= rds_tif_to_spec_ctrl(current_thread_info()->flags); -+ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); - - if (host != guest_spec_ctrl) - wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl); -@@ -174,18 +174,18 @@ void x86_spec_ctrl_restore_host(u64 gues - return; - - if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) -- host |= rds_tif_to_spec_ctrl(current_thread_info()->flags); -+ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); - - if (host != guest_spec_ctrl) - wrmsrl(MSR_IA32_SPEC_CTRL, host); - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host); - --static void x86_amd_rds_enable(void) -+static void x86_amd_ssb_disable(void) - { -- u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_rds_mask; -+ u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask; - -- if (boot_cpu_has(X86_FEATURE_AMD_RDS)) -+ if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) - wrmsrl(MSR_AMD64_LS_CFG, msrval); - } - -@@ -473,7 +473,7 @@ static enum ssb_mitigation_cmd __init __ - enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE; - enum ssb_mitigation_cmd cmd; - -- if (!boot_cpu_has(X86_FEATURE_RDS)) -+ if (!boot_cpu_has(X86_FEATURE_SSBD)) - return mode; - - cmd = ssb_parse_cmdline(); -@@ -507,7 +507,7 @@ static enum ssb_mitigation_cmd __init __ - /* - * We have three CPU feature flags that are in play here: - * - 
X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. -- * - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass -+ * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass - * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation - */ - if (mode == SPEC_STORE_BYPASS_DISABLE) { -@@ -518,12 +518,12 @@ static enum ssb_mitigation_cmd __init __ - */ - switch (boot_cpu_data.x86_vendor) { - case X86_VENDOR_INTEL: -- x86_spec_ctrl_base |= SPEC_CTRL_RDS; -- x86_spec_ctrl_mask &= ~SPEC_CTRL_RDS; -- x86_spec_ctrl_set(SPEC_CTRL_RDS); -+ x86_spec_ctrl_base |= SPEC_CTRL_SSBD; -+ x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD; -+ x86_spec_ctrl_set(SPEC_CTRL_SSBD); - break; - case X86_VENDOR_AMD: -- x86_amd_rds_enable(); -+ x86_amd_ssb_disable(); - break; - } - } -@@ -556,16 +556,16 @@ static int ssb_prctl_set(struct task_str - if (task_spec_ssb_force_disable(task)) - return -EPERM; - task_clear_spec_ssb_disable(task); -- update = test_and_clear_tsk_thread_flag(task, TIF_RDS); -+ update = test_and_clear_tsk_thread_flag(task, TIF_SSBD); - break; - case PR_SPEC_DISABLE: - task_set_spec_ssb_disable(task); -- update = !test_and_set_tsk_thread_flag(task, TIF_RDS); -+ update = !test_and_set_tsk_thread_flag(task, TIF_SSBD); - break; - case PR_SPEC_FORCE_DISABLE: - task_set_spec_ssb_disable(task); - task_set_spec_ssb_force_disable(task); -- update = !test_and_set_tsk_thread_flag(task, TIF_RDS); -+ update = !test_and_set_tsk_thread_flag(task, TIF_SSBD); - break; - default: - return -ERANGE; -@@ -635,7 +635,7 @@ void x86_spec_ctrl_setup_ap(void) - x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask); - - if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) -- x86_amd_rds_enable(); -+ x86_amd_ssb_disable(); - } - - #ifdef CONFIG_SYSFS ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -950,7 +950,7 @@ static void __init cpu_set_bug_bits(stru - rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); - - if (!x86_match_cpu(cpu_no_spec_store_bypass) && -- 
!(ia32_cap & ARCH_CAP_RDS_NO)) -+ !(ia32_cap & ARCH_CAP_SSBD_NO)) - setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); - - if (x86_match_cpu(cpu_no_speculation)) ---- a/arch/x86/kernel/cpu/intel.c -+++ b/arch/x86/kernel/cpu/intel.c -@@ -189,7 +189,7 @@ static void early_init_intel(struct cpui - setup_clear_cpu_cap(X86_FEATURE_STIBP); - setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); - setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); -- setup_clear_cpu_cap(X86_FEATURE_RDS); -+ setup_clear_cpu_cap(X86_FEATURE_SSBD); - } - - /* ---- a/arch/x86/kernel/process.c -+++ b/arch/x86/kernel/process.c -@@ -283,11 +283,11 @@ static __always_inline void __speculativ - { - u64 msr; - -- if (static_cpu_has(X86_FEATURE_AMD_RDS)) { -- msr = x86_amd_ls_cfg_base | rds_tif_to_amd_ls_cfg(tifn); -+ if (static_cpu_has(X86_FEATURE_AMD_SSBD)) { -+ msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn); - wrmsrl(MSR_AMD64_LS_CFG, msr); - } else { -- msr = x86_spec_ctrl_base | rds_tif_to_spec_ctrl(tifn); -+ msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn); - wrmsrl(MSR_IA32_SPEC_CTRL, msr); - } - } -@@ -329,7 +329,7 @@ void __switch_to_xtra(struct task_struct - if ((tifp ^ tifn) & _TIF_NOCPUID) - set_cpuid_faulting(!!(tifn & _TIF_NOCPUID)); - -- if ((tifp ^ tifn) & _TIF_RDS) -+ if ((tifp ^ tifn) & _TIF_SSBD) - __speculative_store_bypass_update(tifn); - } - ---- a/arch/x86/kvm/cpuid.c -+++ b/arch/x86/kvm/cpuid.c -@@ -402,7 +402,7 @@ static inline int __do_cpuid_ent(struct - - /* cpuid 7.0.edx*/ - const u32 kvm_cpuid_7_0_edx_x86_features = -- F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | F(RDS) | -+ F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | F(SSBD) | - F(ARCH_CAPABILITIES); - - /* all calls to cpuid_count() should be made on the same cpu */ ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -3271,7 +3271,7 @@ static int vmx_get_msr(struct kvm_vcpu * - if (!msr_info->host_initiated && - !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) && - !guest_cpuid_has(vcpu, 
X86_FEATURE_SPEC_CTRL) && -- !guest_cpuid_has(vcpu, X86_FEATURE_RDS)) -+ !guest_cpuid_has(vcpu, X86_FEATURE_SSBD)) - return 1; - - msr_info->data = to_vmx(vcpu)->spec_ctrl; -@@ -3393,11 +3393,11 @@ static int vmx_set_msr(struct kvm_vcpu * - if (!msr_info->host_initiated && - !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) && - !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) && -- !guest_cpuid_has(vcpu, X86_FEATURE_RDS)) -+ !guest_cpuid_has(vcpu, X86_FEATURE_SSBD)) - return 1; - - /* The STIBP bit doesn't fault even if it's not advertised */ -- if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_RDS)) -+ if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD)) - return 1; - - vmx->spec_ctrl = data; diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-rename-ssbd_no-to-ssb_no.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-rename-ssbd_no-to-ssb_no.patch deleted file mode 100644 index 177c29e5b..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-bugs-rename-ssbd_no-to-ssb_no.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Konrad Rzeszutek Wilk
-Date: Wed, 16 May 2018 23:18:09 -0400
-Subject: x86/bugs: Rename SSBD_NO to SSB_NO
-
-From: Konrad Rzeszutek Wilk
-
-commit 240da953fcc6a9008c92fae5b1f727ee5ed167ab upstream
-
-The "336996 Speculative Execution Side Channel Mitigations" from
-May defines this as SSB_NO, hence lets sync-up.
-
-Signed-off-by: Konrad Rzeszutek Wilk
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/msr-index.h | 2 +-
- arch/x86/kernel/cpu/common.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -70,7 +70,7 @@
- #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a
- #define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */
- #define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */
--#define ARCH_CAP_SSBD_NO (1 << 4) /*
-+#define ARCH_CAP_SSB_NO (1 << 4) /*
- * Not susceptible to Speculative Store Bypass
- * attack, so no Speculative Store Bypass
- * control required.
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -965,7 +965,7 @@ static void __init cpu_set_bug_bits(stru
- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
-
- if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
-- !(ia32_cap & ARCH_CAP_SSBD_NO))
-+ !(ia32_cap & ARCH_CAP_SSB_NO))
- setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
-
- if (x86_match_cpu(cpu_no_speculation))
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-rework-spec_ctrl-base-and-mask-logic.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-rework-spec_ctrl-base-and-mask-logic.patch
deleted file mode 100644
index 240472421..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-rework-spec_ctrl-base-and-mask-logic.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Sat, 12 May 2018 20:10:00 +0200
-Subject: x86/bugs: Rework spec_ctrl base and mask logic
-
-From: Thomas Gleixner
-
-commit be6fcb5478e95bb1c91f489121238deb3abca46a upstream
-
-x86_spec_ctrL_mask is intended to mask out bits from a MSR_SPEC_CTRL value
-which are not to be modified. However the implementation is not really used
-and the bitmask was inverted to make a check easier, which was removed in
-"x86/bugs: Remove x86_spec_ctrl_set()"
-
-Aside of that it is missing the STIBP bit if it is supported by the
-platform, so if the mask would be used in x86_virt_spec_ctrl() then it
-would prevent a guest from setting STIBP.
-
-Add the STIBP bit if supported and use the mask in x86_virt_spec_ctrl() to
-sanitize the value which is supplied by the guest.
-
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Borislav Petkov
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++-------
- 1 file changed, 19 insertions(+), 7 deletions(-)
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -42,7 +42,7 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
- * The vendor and possibly platform specific bits which can be modified in
- * x86_spec_ctrl_base.
- */
--static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS;
-+static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS;
-
- /*
- * AMD specific MSR info for Speculative Store Bypass control.
-@@ -68,6 +68,10 @@ void __init check_bugs(void)
- if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
- rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
-
-+ /* Allow STIBP in MSR_SPEC_CTRL if supported */
-+ if (boot_cpu_has(X86_FEATURE_STIBP))
-+ x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
-+
- /* Select the proper spectre mitigation before patching alternatives */
- spectre_v2_select_mitigation();
-
-@@ -136,18 +140,26 @@ static enum spectre_v2_mitigation spectr
- void
- x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
- {
-+ u64 msrval, guestval, hostval = x86_spec_ctrl_base;
- struct thread_info *ti = current_thread_info();
-- u64 msr, host = x86_spec_ctrl_base;
-
- /* Is MSR_SPEC_CTRL implemented ? */
- if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
-+ /*
-+ * Restrict guest_spec_ctrl to supported values. Clear the
-+ * modifiable bits in the host base value and or the
-+ * modifiable bits from the guest value.
-+ */
-+ guestval = hostval & ~x86_spec_ctrl_mask;
-+ guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
-+
- /* SSBD controlled in MSR_SPEC_CTRL */
- if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
-- host |= ssbd_tif_to_spec_ctrl(ti->flags);
-+ hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
-
-- if (host != guest_spec_ctrl) {
-- msr = setguest ? guest_spec_ctrl : host;
-- wrmsrl(MSR_IA32_SPEC_CTRL, msr);
-+ if (hostval != guestval) {
-+ msrval = setguest ? guestval : hostval;
-+ wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
- }
- }
- }
-@@ -493,7 +505,7 @@ static enum ssb_mitigation __init __ssb_
- switch (boot_cpu_data.x86_vendor) {
- case X86_VENDOR_INTEL:
- x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
-- x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD;
-+ x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
- break;
- case X86_VENDOR_AMD:
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-unify-x86_spec_ctrl_-set_guest-restore_host.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-unify-x86_spec_ctrl_-set_guest-restore_host.patch
deleted file mode 100644
index 3eac55491..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-unify-x86_spec_ctrl_-set_guest-restore_host.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Borislav Petkov
-Date: Sat, 12 May 2018 00:14:51 +0200
-Subject: x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
-
-From: Borislav Petkov
-
-commit cc69b34989210f067b2c51d5539b5f96ebcc3a01 upstream
-
-Function bodies are very similar and are going to grow more almost
-identical code. Add a bool arg to determine whether SPEC_CTRL is being set
-for the guest or restored to the host.
-
-No functional changes.
-
-Signed-off-by: Borislav Petkov
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Konrad Rzeszutek Wilk
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/spec-ctrl.h | 33 ++++++++++++++++++---
- arch/x86/kernel/cpu/bugs.c | 60 +++++++++------------------------------
- 2 files changed, 44 insertions(+), 49 deletions(-)
-
---- a/arch/x86/include/asm/spec-ctrl.h
-+++ b/arch/x86/include/asm/spec-ctrl.h
-@@ -13,10 +13,35 @@
- * Takes the guest view of SPEC_CTRL MSR as a parameter and also
- * the guest's version of VIRT_SPEC_CTRL, if emulated.
- */
--extern void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl,
-- u64 guest_virt_spec_ctrl);
--extern void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl,
-- u64 guest_virt_spec_ctrl);
-+extern void x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool guest);
-+
-+/**
-+ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
-+ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
-+ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
-+ * (may get translated to MSR_AMD64_LS_CFG bits)
-+ *
-+ * Avoids writing to the MSR if the content/bits are the same
-+ */
-+static inline
-+void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
-+{
-+ x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true);
-+}
-+
-+/**
-+ * x86_spec_ctrl_restore_host - Restore host speculation control registers
-+ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
-+ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
-+ * (may get translated to MSR_AMD64_LS_CFG bits)
-+ *
-+ * Avoids writing to the MSR if the content/bits are the same
-+ */
-+static inline
-+void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
-+{
-+ x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false);
-+}
-
- /* AMD specific Speculative Store Bypass MSR data */
- extern u64 x86_amd_ls_cfg_base;
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -151,55 +151,25 @@ u64 x86_spec_ctrl_get_default(void)
- }
- EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
-
--/**
-- * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
-- * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
-- * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
-- * (may get translated to MSR_AMD64_LS_CFG bits)
-- *
-- * Avoids writing to the MSR if the content/bits are the same
-- */
--void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
-+void
-+x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
- {
-- u64 host = x86_spec_ctrl_base;
-+ struct thread_info *ti = current_thread_info();
-+ u64 msr, host = x86_spec_ctrl_base;
-
- /* Is MSR_SPEC_CTRL implemented ? */
-- if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
-- return;
--
-- /* SSBD controlled in MSR_SPEC_CTRL */
-- if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
-- host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
--
-- if (host != guest_spec_ctrl)
-- wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
--}
--EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
--
--/**
-- * x86_spec_ctrl_restore_host - Restore host speculation control registers
-- * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
-- * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
-- * (may get translated to MSR_AMD64_LS_CFG bits)
-- *
-- * Avoids writing to the MSR if the content/bits are the same
-- */
--void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
--{
-- u64 host = x86_spec_ctrl_base;
--
-- /* Is MSR_SPEC_CTRL implemented ? */
-- if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
-- return;
--
-- /* SSBD controlled in MSR_SPEC_CTRL */
-- if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
-- host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
--
-- if (host != guest_spec_ctrl)
-- wrmsrl(MSR_IA32_SPEC_CTRL, host);
-+ if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
-+ /* SSBD controlled in MSR_SPEC_CTRL */
-+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
-+ host |= ssbd_tif_to_spec_ctrl(ti->flags);
-+
-+ if (host != guest_spec_ctrl) {
-+ msr = setguest ? guest_spec_ctrl : host;
-+ wrmsrl(MSR_IA32_SPEC_CTRL, msr);
-+ }
-+ }
- }
--EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
-+EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
-
- static void x86_amd_ssb_disable(void)
- {
diff --git a/debian/patches/bugfix/x86/ssb/x86-bugs-whitelist-allowed-spec_ctrl-msr-values.patch b/debian/patches/bugfix/x86/ssb/x86-bugs-whitelist-allowed-spec_ctrl-msr-values.patch
deleted file mode 100644
index 608b13d13..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-bugs-whitelist-allowed-spec_ctrl-msr-values.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Konrad Rzeszutek Wilk
-Date: Wed, 25 Apr 2018 22:04:23 -0400
-Subject: x86/bugs: Whitelist allowed SPEC_CTRL MSR values
-
-From: Konrad Rzeszutek Wilk
-
-commit 1115a859f33276fe8afb31c60cf9d8e657872558 upstream
-
-Intel and AMD SPEC_CTRL (0x48) MSR semantics may differ in the
-future (or in fact use different MSRs for the same functionality).
-
-As such a run-time mechanism is required to whitelist the appropriate MSR
-values.
-
-[ tglx: Made the variable __ro_after_init ]
-
-Signed-off-by: Konrad Rzeszutek Wilk
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Ingo Molnar
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/kernel/cpu/bugs.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -35,6 +35,12 @@ static void __init ssb_select_mitigation
- */
- static u64 __ro_after_init x86_spec_ctrl_base;
-
-+/*
-+ * The vendor and possibly platform specific bits which can be modified in
-+ * x86_spec_ctrl_base.
-+ */
-+static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS;
-+
- void __init check_bugs(void)
- {
- identify_boot_cpu();
-@@ -117,7 +123,7 @@ static enum spectre_v2_mitigation spectr
-
- void x86_spec_ctrl_set(u64 val)
- {
-- if (val & ~(SPEC_CTRL_IBRS | SPEC_CTRL_RDS))
-+ if (val & x86_spec_ctrl_mask)
- WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
- else
- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
-@@ -459,6 +465,7 @@ static enum ssb_mitigation_cmd __init __
- switch (boot_cpu_data.x86_vendor) {
- case X86_VENDOR_INTEL:
- x86_spec_ctrl_base |= SPEC_CTRL_RDS;
-+ x86_spec_ctrl_mask &= ~SPEC_CTRL_RDS;
- x86_spec_ctrl_set(SPEC_CTRL_RDS);
- break;
- case X86_VENDOR_AMD:
-@@ -482,7 +489,7 @@ static void ssb_select_mitigation()
- void x86_spec_ctrl_setup_ap(void)
- {
- if (boot_cpu_has(X86_FEATURE_IBRS))
-- x86_spec_ctrl_set(x86_spec_ctrl_base & (SPEC_CTRL_IBRS | SPEC_CTRL_RDS));
-+ x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
- }
-
- #ifdef CONFIG_SYSFS
diff --git a/debian/patches/bugfix/x86/ssb/x86-cpu-make-alternative_msr_write-work-for-32-bit-code.patch b/debian/patches/bugfix/x86/ssb/x86-cpu-make-alternative_msr_write-work-for-32-bit-code.patch
deleted file mode 100644
index 6b7b3bf83..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-cpu-make-alternative_msr_write-work-for-32-bit-code.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Jim Mattson
-Date: Sun, 13 May 2018 17:33:57 -0400
-Subject: x86/cpu: Make alternative_msr_write work for 32-bit code
-
-From: Jim Mattson
-
-commit 5f2b745f5e1304f438f9b2cd03ebc8120b6e0d3b upstream
-
-Cast val and (val >> 32) to (u32), so that they fit in a
-general-purpose register in both 32-bit and 64-bit code.
-
-[ tglx: Made it u32 instead of uintptr_t ]
-
-Fixes: c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload")
-Signed-off-by: Jim Mattson
-Signed-off-by: Konrad Rzeszutek Wilk
-Signed-off-by: Thomas Gleixner
-Acked-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/nospec-branch.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -265,8 +265,8 @@ void alternative_msr_write(unsigned int
- {
- asm volatile(ALTERNATIVE("", "wrmsr", %c[feature])
- : : "c" (msr),
-- "a" (val),
-- "d" (val >> 32),
-+ "a" ((u32)val),
-+ "d" ((u32)(val >> 32)),
- [feature] "i" (feature)
- : "memory");
- }
diff --git a/debian/patches/bugfix/x86/ssb/x86-cpufeatures-add-feature_zen.patch b/debian/patches/bugfix/x86/ssb/x86-cpufeatures-add-feature_zen.patch
deleted file mode 100644
index c413900bb..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-cpufeatures-add-feature_zen.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Thu, 10 May 2018 16:26:00 +0200
-Subject: x86/cpufeatures: Add FEATURE_ZEN
-
-From: Thomas Gleixner
-
-commit d1035d971829dcf80e8686ccde26f94b0a069472 upstream
-
-Add a ZEN feature bit so family-dependent static_cpu_has() optimizations
-can be built for ZEN.
-
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Borislav Petkov
-Reviewed-by: Konrad Rzeszutek Wilk
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/cpufeatures.h | 1 +
- arch/x86/kernel/cpu/amd.c | 1 +
- 2 files changed, 2 insertions(+)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -218,6 +218,7 @@
- #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
- #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
- #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
-+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
-
- /* Virtualization flags: Linux defined, word 8 */
- #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -812,6 +812,7 @@ static void init_amd_bd(struct cpuinfo_x
-
- static void init_amd_zn(struct cpuinfo_x86 *c)
- {
-+ set_cpu_cap(c, X86_FEATURE_ZEN);
- /*
- * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects
- * all up to and including B1.
diff --git a/debian/patches/bugfix/x86/ssb/x86-cpufeatures-add-x86_feature_rds.patch b/debian/patches/bugfix/x86/ssb/x86-cpufeatures-add-x86_feature_rds.patch
deleted file mode 100644
index 8e333ba34..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-cpufeatures-add-x86_feature_rds.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Konrad Rzeszutek Wilk
-Date: Sat, 28 Apr 2018 22:34:17 +0200
-Subject: x86/cpufeatures: Add X86_FEATURE_RDS
-
-From: Konrad Rzeszutek Wilk
-
-commit 0cc5fa00b0a88dad140b4e5c2cead9951ad36822 upstream
-
-Add the CPU feature bit CPUID.7.0.EDX[31] which indicates whether the CPU
-supports Reduced Data Speculation.
-
-[ tglx: Split it out from a later patch ]
-
-Signed-off-by: Konrad Rzeszutek Wilk
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Ingo Molnar
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/cpufeatures.h | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -333,6 +333,7 @@
- #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
- #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */
- #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
-+#define X86_FEATURE_RDS (18*32+31) /* Reduced Data Speculation */
-
- /*
- * BUG word(s)
diff --git a/debian/patches/bugfix/x86/ssb/x86-cpufeatures-disentangle-msr_spec_ctrl-enumeration-from-ibrs.patch b/debian/patches/bugfix/x86/ssb/x86-cpufeatures-disentangle-msr_spec_ctrl-enumeration-from-ibrs.patch
deleted file mode 100644
index 37e2ffaad..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-cpufeatures-disentangle-msr_spec_ctrl-enumeration-from-ibrs.patch
+++ /dev/null
@@ -1,143 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Thomas Gleixner -Date: Thu, 10 May 2018 19:13:18 +0200 -Subject: x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS - -From: Thomas Gleixner - -commit 7eb8956a7fec3c1f0abc2a5517dada99ccc8a961 upstream - -The availability of the SPEC_CTRL MSR is enumerated by a CPUID bit on -Intel and implied by IBRS or STIBP support on AMD. That's just confusing -and in case an AMD CPU has IBRS not supported because the underlying -problem has been fixed but has another bit valid in the SPEC_CTRL MSR, -the thing falls apart. - -Add a synthetic feature bit X86_FEATURE_MSR_SPEC_CTRL to denote the -availability on both Intel and AMD. - -While at it replace the boot_cpu_has() checks with static_cpu_has() where -possible. This prevents late microcode loading from exposing SPEC_CTRL, but -late loading is already very limited as it does not reevaluate the -mitigation options and other bits and pieces. Having static_cpu_has() is -the simplest and least fragile solution. 
- -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Konrad Rzeszutek Wilk -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 1 + - arch/x86/kernel/cpu/bugs.c | 18 +++++++++++------- - arch/x86/kernel/cpu/common.c | 9 +++++++-- - arch/x86/kernel/cpu/intel.c | 1 + - 4 files changed, 20 insertions(+), 9 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -206,6 +206,7 @@ - #define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */ - #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */ - #define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */ -+#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ - - #define X86_FEATURE_MBA ( 7*32+18) /* Memory Bandwidth Allocation */ - #define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */ ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -64,7 +64,7 @@ void __init check_bugs(void) - * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD - * init code as it is not enumerated and depends on the family. - */ -- if (boot_cpu_has(X86_FEATURE_IBRS)) -+ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) - rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); - - /* Select the proper spectre mitigation before patching alternatives */ -@@ -145,7 +145,7 @@ u64 x86_spec_ctrl_get_default(void) - { - u64 msrval = x86_spec_ctrl_base; - -- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) -+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) - msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); - return msrval; - } -@@ -155,10 +155,12 @@ void x86_spec_ctrl_set_guest(u64 guest_s - { - u64 host = x86_spec_ctrl_base; - -- if (!boot_cpu_has(X86_FEATURE_IBRS)) -+ /* Is MSR_SPEC_CTRL implemented ? 
*/ -+ if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) - return; - -- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) -+ /* Intel controls SSB in MSR_SPEC_CTRL */ -+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) - host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); - - if (host != guest_spec_ctrl) -@@ -170,10 +172,12 @@ void x86_spec_ctrl_restore_host(u64 gues - { - u64 host = x86_spec_ctrl_base; - -- if (!boot_cpu_has(X86_FEATURE_IBRS)) -+ /* Is MSR_SPEC_CTRL implemented ? */ -+ if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) - return; - -- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) -+ /* Intel controls SSB in MSR_SPEC_CTRL */ -+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) - host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); - - if (host != guest_spec_ctrl) -@@ -631,7 +635,7 @@ int arch_prctl_spec_ctrl_get(struct task - - void x86_spec_ctrl_setup_ap(void) - { -- if (boot_cpu_has(X86_FEATURE_IBRS)) -+ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) - x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask); - - if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -761,19 +761,24 @@ static void init_speculation_control(str - if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) { - set_cpu_cap(c, X86_FEATURE_IBRS); - set_cpu_cap(c, X86_FEATURE_IBPB); -+ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); - } - - if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) - set_cpu_cap(c, X86_FEATURE_STIBP); - -- if (cpu_has(c, X86_FEATURE_AMD_IBRS)) -+ if (cpu_has(c, X86_FEATURE_AMD_IBRS)) { - set_cpu_cap(c, X86_FEATURE_IBRS); -+ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); -+ } - - if (cpu_has(c, X86_FEATURE_AMD_IBPB)) - set_cpu_cap(c, X86_FEATURE_IBPB); - -- if (cpu_has(c, X86_FEATURE_AMD_STIBP)) -+ if (cpu_has(c, X86_FEATURE_AMD_STIBP)) { - set_cpu_cap(c, X86_FEATURE_STIBP); -+ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); -+ } - } - - void get_cpu_cap(struct cpuinfo_x86 *c) ---- a/arch/x86/kernel/cpu/intel.c -+++ 
b/arch/x86/kernel/cpu/intel.c -@@ -188,6 +188,7 @@ static void early_init_intel(struct cpui - setup_clear_cpu_cap(X86_FEATURE_IBPB); - setup_clear_cpu_cap(X86_FEATURE_STIBP); - setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); -+ setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL); - setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); - setup_clear_cpu_cap(X86_FEATURE_SSBD); - } diff --git a/debian/patches/bugfix/x86/ssb/x86-cpufeatures-disentangle-ssbd-enumeration.patch b/debian/patches/bugfix/x86/ssb/x86-cpufeatures-disentangle-ssbd-enumeration.patch deleted file mode 100644 index 1e91fff30..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-cpufeatures-disentangle-ssbd-enumeration.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Thomas Gleixner -Date: Thu, 10 May 2018 20:21:36 +0200 -Subject: x86/cpufeatures: Disentangle SSBD enumeration - -From: Thomas Gleixner - -commit 52817587e706686fcdb27f14c1b000c92f266c96 upstream - -The SSBD enumeration is similarly to the other bits magically shared -between Intel and AMD though the mechanisms are different. - -Make X86_FEATURE_SSBD synthetic and set it depending on the vendor specific -features or family dependent setup. - -Change the Intel bit to X86_FEATURE_SPEC_CTRL_SSBD to denote that SSBD is -controlled via MSR_SPEC_CTRL and fix up the usage sites. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Konrad Rzeszutek Wilk -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/cpufeatures.h | 7 +++---- - arch/x86/kernel/cpu/amd.c | 7 +------ - arch/x86/kernel/cpu/bugs.c | 10 +++++----- - arch/x86/kernel/cpu/common.c | 3 +++ - arch/x86/kernel/cpu/intel.c | 1 + - arch/x86/kernel/process.c | 2 +- - 6 files changed, 14 insertions(+), 16 deletions(-) - ---- a/arch/x86/include/asm/cpufeatures.h -+++ b/arch/x86/include/asm/cpufeatures.h -@@ -207,15 +207,14 @@ - #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */ - #define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */ - #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ -- -+#define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */ - #define X86_FEATURE_MBA ( 7*32+18) /* Memory Bandwidth Allocation */ - #define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */ - #define X86_FEATURE_SEV ( 7*32+20) /* AMD Secure Encrypted Virtualization */ -- - #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ - #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ - #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) 
/* "" Disable Speculative Store Bypass. */ --#define X86_FEATURE_AMD_SSBD ( 7*32+24) /* "" AMD SSBD implementation */ -+#define X86_FEATURE_LS_CFG_SSBD ( 7*32+24) /* "" AMD SSBD implementation via LS_CFG MSR */ - #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ - #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ - #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ -@@ -338,7 +337,7 @@ - #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */ - #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */ - #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */ --#define X86_FEATURE_SSBD (18*32+31) /* Speculative Store Bypass Disable */ -+#define X86_FEATURE_SPEC_CTRL_SSBD (18*32+31) /* "" Speculative Store Bypass Disable */ - - /* - * BUG word(s) ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -570,8 +570,8 @@ static void bsp_init_amd(struct cpuinfo_ - * avoid RMW. If that faults, do not enable SSBD. - */ - if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) { -+ setup_force_cpu_cap(X86_FEATURE_LS_CFG_SSBD); - setup_force_cpu_cap(X86_FEATURE_SSBD); -- setup_force_cpu_cap(X86_FEATURE_AMD_SSBD); - x86_amd_ls_cfg_ssbd_mask = 1ULL << bit; - } - } -@@ -919,11 +919,6 @@ static void init_amd(struct cpuinfo_x86 - /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. 
*/ - if (!cpu_has(c, X86_FEATURE_XENPV)) - set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); -- -- if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) { -- set_cpu_cap(c, X86_FEATURE_SSBD); -- set_cpu_cap(c, X86_FEATURE_AMD_SSBD); -- } - } - - #ifdef CONFIG_X86_32 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -159,8 +159,8 @@ void x86_spec_ctrl_set_guest(u64 guest_s - if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) - return; - -- /* Intel controls SSB in MSR_SPEC_CTRL */ -- if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) -+ /* SSBD controlled in MSR_SPEC_CTRL */ -+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD)) - host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); - - if (host != guest_spec_ctrl) -@@ -176,8 +176,8 @@ void x86_spec_ctrl_restore_host(u64 gues - if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) - return; - -- /* Intel controls SSB in MSR_SPEC_CTRL */ -- if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) -+ /* SSBD controlled in MSR_SPEC_CTRL */ -+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD)) - host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); - - if (host != guest_spec_ctrl) -@@ -189,7 +189,7 @@ static void x86_amd_ssb_disable(void) - { - u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask; - -- if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) -+ if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) - wrmsrl(MSR_AMD64_LS_CFG, msrval); - } - ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -767,6 +767,9 @@ static void init_speculation_control(str - if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) - set_cpu_cap(c, X86_FEATURE_STIBP); - -+ if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD)) -+ set_cpu_cap(c, X86_FEATURE_SSBD); -+ - if (cpu_has(c, X86_FEATURE_AMD_IBRS)) { - set_cpu_cap(c, X86_FEATURE_IBRS); - set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); ---- a/arch/x86/kernel/cpu/intel.c -+++ b/arch/x86/kernel/cpu/intel.c -@@ -191,6 +191,7 @@ static void early_init_intel(struct cpui - setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL); - 
setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); - setup_clear_cpu_cap(X86_FEATURE_SSBD); -+ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL_SSBD); - } - - /* ---- a/arch/x86/kernel/process.c -+++ b/arch/x86/kernel/process.c -@@ -283,7 +283,7 @@ static __always_inline void __speculativ - { - u64 msr; - -- if (static_cpu_has(X86_FEATURE_AMD_SSBD)) { -+ if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) { - msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn); - wrmsrl(MSR_AMD64_LS_CFG, msr); - } else { diff --git a/debian/patches/bugfix/x86/ssb/x86-kvm-vmx-expose-spec_ctrl-bit-2-to-the-guest.patch b/debian/patches/bugfix/x86/ssb/x86-kvm-vmx-expose-spec_ctrl-bit-2-to-the-guest.patch deleted file mode 100644 index 3df24b42f..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-kvm-vmx-expose-spec_ctrl-bit-2-to-the-guest.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Konrad Rzeszutek Wilk -Date: Wed, 25 Apr 2018 22:04:25 -0400 -Subject: x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest - -From: Konrad Rzeszutek Wilk - -commit da39556f66f5cfe8f9c989206974f1cb16ca5d7c upstream - -Expose the CPUID.7.EDX[31] bit to the guest, and also guard against various -combinations of SPEC_CTRL MSR values. - -The handling of the MSR (to take into account the host value of SPEC_CTRL -Bit(2)) is taken care of in patch: - - KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS - -Signed-off-by: Konrad Rzeszutek Wilk -Signed-off-by: Thomas Gleixner -Reviewed-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kvm/cpuid.c | 2 +- - arch/x86/kvm/vmx.c | 8 +++++--- - 2 files changed, 6 insertions(+), 4 deletions(-) - ---- a/arch/x86/kvm/cpuid.c -+++ b/arch/x86/kvm/cpuid.c -@@ -402,7 +402,7 @@ static inline int __do_cpuid_ent(struct - - /* cpuid 7.0.edx*/ - const u32 kvm_cpuid_7_0_edx_x86_features = -- F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | -+ F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | F(RDS) | - F(ARCH_CAPABILITIES); - - /* all calls to cpuid_count() should be made on the same cpu */ ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -3270,7 +3270,8 @@ static int vmx_get_msr(struct kvm_vcpu * - case MSR_IA32_SPEC_CTRL: - if (!msr_info->host_initiated && - !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) && -- !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL)) -+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) && -+ !guest_cpuid_has(vcpu, X86_FEATURE_RDS)) - return 1; - - msr_info->data = to_vmx(vcpu)->spec_ctrl; -@@ -3391,11 +3392,12 @@ static int vmx_set_msr(struct kvm_vcpu * - case MSR_IA32_SPEC_CTRL: - if (!msr_info->host_initiated && - !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) && -- !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL)) -+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) && -+ !guest_cpuid_has(vcpu, X86_FEATURE_RDS)) - return 
1; - - /* The STIBP bit doesn't fault even if it's not advertised */ -- if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP)) -+ if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_RDS)) - return 1; - - vmx->spec_ctrl = data; diff --git a/debian/patches/bugfix/x86/ssb/x86-nospec-simplify-alternative_msr_write.patch b/debian/patches/bugfix/x86/ssb/x86-nospec-simplify-alternative_msr_write.patch deleted file mode 100644 index 51e8d5247..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-nospec-simplify-alternative_msr_write.patch +++ /dev/null 
@@ -1,67 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Linus Torvalds
-Date: Tue, 1 May 2018 15:55:51 +0200
-Subject: x86/nospec: Simplify alternative_msr_write()
-
-From: Linus Torvalds
-
-commit 1aa7a5735a41418d8e01fa7c9565eb2657e2ea3f upstream
-
-The macro is not type safe and I did look for why that "g" constraint for
-the asm doesn't work: it's because the asm is more fundamentally wrong.
-
-It does
-
- movl %[val], %%eax
-
-but "val" isn't a 32-bit value, so then gcc will pass it in a register,
-and generate code like
-
- movl %rsi, %eax
-
-and gas will complain about a nonsensical 'mov' instruction (it's moving a
-64-bit register to a 32-bit one).
-
-Passing it through memory will just hide the real bug - gcc still thinks
-the memory location is 64-bit, but the "movl" will only load the first 32
-bits and it all happens to work because x86 is little-endian.
-
-Convert it to a type safe inline function with a little trick which hands
-the feature into the ALTERNATIVE macro.
-
-Signed-off-by: Linus Torvalds
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Ingo Molnar
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/nospec-branch.h | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -241,15 +241,16 @@ static inline void vmexit_fill_RSB(void)
- #endif
- }
-
--#define alternative_msr_write(_msr, _val, _feature) \
-- asm volatile(ALTERNATIVE("", \
-- "movl %[msr], %%ecx\n\t" \
-- "movl %[val], %%eax\n\t" \
-- "movl $0, %%edx\n\t" \
-- "wrmsr", \
-- _feature) \
-- : : [msr] "i" (_msr), [val] "i" (_val) \
-- : "eax", "ecx", "edx", "memory")
-+static __always_inline
-+void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature)
-+{
-+ asm volatile(ALTERNATIVE("", "wrmsr", %c[feature])
-+ : : "c" (msr),
-+ "a" (val),
-+ "d" (val >> 32),
-+ [feature] "i" (feature)
-+ : "memory");
-+}
-
- static inline void indirect_branch_prediction_barrier(void)
- {
diff --git a/debian/patches/bugfix/x86/ssb/x86-process-allow-runtime-control-of-speculative-store-bypass.patch b/debian/patches/bugfix/x86/ssb/x86-process-allow-runtime-control-of-speculative-store-bypass.patch
deleted file mode 100644
index addd2f5af..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-process-allow-runtime-control-of-speculative-store-bypass.patch
+++ /dev/null
@@ -1,213 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Thomas Gleixner -Date: Sun, 29 Apr 2018 15:21:42 +0200 -Subject: x86/process: Allow runtime control of Speculative Store Bypass - -From: Thomas Gleixner - -commit 885f82bfbc6fefb6664ea27965c3ab9ac4194b8c upstream - -The Speculative Store Bypass vulnerability can be mitigated with the -Reduced Data Speculation (RDS) feature. To allow finer grained control of -this eventually expensive mitigation a per task mitigation control is -required. - -Add a new TIF_RDS flag and put it into the group of TIF flags which are -evaluated for mismatch in switch_to(). If these bits differ in the previous -and the next task, then the slow path function __switch_to_xtra() is -invoked. Implement the TIF_RDS dependent mitigation control in the slow -path. - -If the prctl for controlling Speculative Store Bypass is disabled or no -task uses the prctl then there is no overhead in the switch_to() fast -path. - -Update the KVM related speculation control functions to take TID_RDS into -account as well. - -Based on a patch from Tim Chen. Completely rewritten. 
- -Signed-off-by: Thomas Gleixner -Reviewed-by: Ingo Molnar -Reviewed-by: Konrad Rzeszutek Wilk -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/msr-index.h | 3 ++- - arch/x86/include/asm/spec-ctrl.h | 17 +++++++++++++++++ - arch/x86/include/asm/thread_info.h | 4 +++- - arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++++----- - arch/x86/kernel/process.c | 22 ++++++++++++++++++++++ - 5 files changed, 65 insertions(+), 7 deletions(-) - ---- a/arch/x86/include/asm/msr-index.h -+++ b/arch/x86/include/asm/msr-index.h -@@ -42,7 +42,8 @@ - #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */ - #define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */ - #define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */ --#define SPEC_CTRL_RDS (1 << 2) /* Reduced Data Speculation */ -+#define SPEC_CTRL_RDS_SHIFT 2 /* Reduced Data Speculation bit */ -+#define SPEC_CTRL_RDS (1 << SPEC_CTRL_RDS_SHIFT) /* Reduced Data Speculation */ - - #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ - #define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */ ---- a/arch/x86/include/asm/spec-ctrl.h -+++ b/arch/x86/include/asm/spec-ctrl.h -@@ -2,6 +2,7 @@ - #ifndef _ASM_X86_SPECCTRL_H_ - #define _ASM_X86_SPECCTRL_H_ - -+#include - #include - - /* -@@ -18,4 +19,20 @@ extern void x86_spec_ctrl_restore_host(u - extern u64 x86_amd_ls_cfg_base; - extern u64 x86_amd_ls_cfg_rds_mask; - -+/* The Intel SPEC CTRL MSR base value cache */ -+extern u64 x86_spec_ctrl_base; -+ -+static inline u64 rds_tif_to_spec_ctrl(u64 tifn) -+{ -+ BUILD_BUG_ON(TIF_RDS < SPEC_CTRL_RDS_SHIFT); -+ return (tifn & _TIF_RDS) >> (TIF_RDS - SPEC_CTRL_RDS_SHIFT); -+} -+ -+static inline u64 rds_tif_to_amd_ls_cfg(u64 tifn) -+{ -+ return (tifn & _TIF_RDS) ? 
x86_amd_ls_cfg_rds_mask : 0ULL; -+} -+ -+extern void speculative_store_bypass_update(void); -+ - #endif ---- a/arch/x86/include/asm/thread_info.h -+++ b/arch/x86/include/asm/thread_info.h -@@ -79,6 +79,7 @@ struct thread_info { - #define TIF_SIGPENDING 2 /* signal pending */ - #define TIF_NEED_RESCHED 3 /* rescheduling necessary */ - #define TIF_SINGLESTEP 4 /* reenable singlestep on user return*/ -+#define TIF_RDS 5 /* Reduced data speculation */ - #define TIF_SYSCALL_EMU 6 /* syscall emulation active */ - #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */ - #define TIF_SECCOMP 8 /* secure computing */ -@@ -105,6 +106,7 @@ struct thread_info { - #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) - #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) - #define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) -+#define _TIF_RDS (1 << TIF_RDS) - #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU) - #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) - #define _TIF_SECCOMP (1 << TIF_SECCOMP) -@@ -144,7 +146,7 @@ struct thread_info { - - /* flags to check in __switch_to() */ - #define _TIF_WORK_CTXSW \ -- (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP) -+ (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_RDS) - - #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY) - #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW) ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -33,7 +33,7 @@ static void __init ssb_select_mitigation - * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any - * writes to SPEC_CTRL contain whatever reserved bits have been set. 
- */ --static u64 __ro_after_init x86_spec_ctrl_base; -+u64 __ro_after_init x86_spec_ctrl_base; - - /* - * The vendor and possibly platform specific bits which can be modified in -@@ -140,25 +140,41 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set); - - u64 x86_spec_ctrl_get_default(void) - { -- return x86_spec_ctrl_base; -+ u64 msrval = x86_spec_ctrl_base; -+ -+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) -+ msrval |= rds_tif_to_spec_ctrl(current_thread_info()->flags); -+ return msrval; - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); - - void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) - { -+ u64 host = x86_spec_ctrl_base; -+ - if (!boot_cpu_has(X86_FEATURE_IBRS)) - return; -- if (x86_spec_ctrl_base != guest_spec_ctrl) -+ -+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) -+ host |= rds_tif_to_spec_ctrl(current_thread_info()->flags); -+ -+ if (host != guest_spec_ctrl) - wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl); - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest); - - void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) - { -+ u64 host = x86_spec_ctrl_base; -+ - if (!boot_cpu_has(X86_FEATURE_IBRS)) - return; -- if (x86_spec_ctrl_base != guest_spec_ctrl) -- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); -+ -+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) -+ host |= rds_tif_to_spec_ctrl(current_thread_info()->flags); -+ -+ if (host != guest_spec_ctrl) -+ wrmsrl(MSR_IA32_SPEC_CTRL, host); - } - EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host); - ---- a/arch/x86/kernel/process.c -+++ b/arch/x86/kernel/process.c -@@ -38,6 +38,7 @@ - #include - #include - #include -+#include - - /* - * per-CPU TSS segments. 
Threads are completely 'soft' on Linux, -@@ -278,6 +279,24 @@ static inline void switch_to_bitmap(stru - } - } - -+static __always_inline void __speculative_store_bypass_update(unsigned long tifn) -+{ -+ u64 msr; -+ -+ if (static_cpu_has(X86_FEATURE_AMD_RDS)) { -+ msr = x86_amd_ls_cfg_base | rds_tif_to_amd_ls_cfg(tifn); -+ wrmsrl(MSR_AMD64_LS_CFG, msr); -+ } else { -+ msr = x86_spec_ctrl_base | rds_tif_to_spec_ctrl(tifn); -+ wrmsrl(MSR_IA32_SPEC_CTRL, msr); -+ } -+} -+ -+void speculative_store_bypass_update(void) -+{ -+ __speculative_store_bypass_update(current_thread_info()->flags); -+} -+ - void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, - struct tss_struct *tss) - { -@@ -309,6 +328,9 @@ void __switch_to_xtra(struct task_struct - - if ((tifp ^ tifn) & _TIF_NOCPUID) - set_cpuid_faulting(!!(tifn & _TIF_NOCPUID)); -+ -+ if ((tifp ^ tifn) & _TIF_RDS) -+ __speculative_store_bypass_update(tifn); - } - - /* diff --git a/debian/patches/bugfix/x86/ssb/x86-speculation-add-prctl-for-speculative-store-bypass-mitigation.patch b/debian/patches/bugfix/x86/ssb/x86-speculation-add-prctl-for-speculative-store-bypass-mitigation.patch deleted file mode 100644 index 25db57ac1..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-speculation-add-prctl-for-speculative-store-bypass-mitigation.patch +++ /dev/null 
@@ -1,212 +0,0 @@ -From foo@baz Mon May 21 21:56:07 CEST 2018 -From: Thomas Gleixner -Date: Sun, 29 Apr 2018 15:26:40 +0200 -Subject: x86/speculation: Add prctl for Speculative Store Bypass mitigation - -From: Thomas Gleixner - -commit a73ec77ee17ec556fe7f165d00314cb7c047b1ac upstream - -Add prctl based control for Speculative Store Bypass mitigation and make it -the default mitigation for Intel and AMD. - -Andi Kleen provided the following rationale (slightly redacted): - - There are multiple levels of impact of Speculative Store Bypass: - - 1) JITed sandbox. - It cannot invoke system calls, but can do PRIME+PROBE and may have call - interfaces to other code - - 2) Native code process. - No protection inside the process at this level. - - 3) Kernel. - - 4) Between processes. - - The prctl tries to protect against case (1) doing attacks. - - If the untrusted code can do random system calls then control is already - lost in a much worse way. So there needs to be system call protection in - some way (using a JIT not allowing them or seccomp). Or rather if the - process can subvert its environment somehow to do the prctl it can already - execute arbitrary code, which is much worse than SSB. - - To put it differently, the point of the prctl is to not allow JITed code - to read data it shouldn't read from its JITed sandbox. If it already has - escaped its sandbox then it can already read everything it wants in its - address space, and do much worse. - - The ability to control Speculative Store Bypass allows to enable the - protection selectively without affecting overall system performance. - -Based on an initial patch from Tim Chen. Completely rewritten. 
- -Signed-off-by: Thomas Gleixner -Reviewed-by: Konrad Rzeszutek Wilk -Signed-off-by: Greg Kroah-Hartman ---- - Documentation/admin-guide/kernel-parameters.txt | 6 + - arch/x86/include/asm/nospec-branch.h | 1 - arch/x86/kernel/cpu/bugs.c | 83 +++++++++++++++++++++--- - 3 files changed, 79 insertions(+), 11 deletions(-) - ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -4025,7 +4025,11 @@ - off - Unconditionally enable Speculative Store Bypass - auto - Kernel detects whether the CPU model contains an - implementation of Speculative Store Bypass and -- picks the most appropriate mitigation -+ picks the most appropriate mitigation. -+ prctl - Control Speculative Store Bypass per thread -+ via prctl. Speculative Store Bypass is enabled -+ for a process by default. The state of the control -+ is inherited on fork. - - Not specifying this option is equivalent to - spec_store_bypass_disable=auto. ---- a/arch/x86/include/asm/nospec-branch.h -+++ b/arch/x86/include/asm/nospec-branch.h -@@ -232,6 +232,7 @@ extern u64 x86_spec_ctrl_get_default(voi - enum ssb_mitigation { - SPEC_STORE_BYPASS_NONE, - SPEC_STORE_BYPASS_DISABLE, -+ SPEC_STORE_BYPASS_PRCTL, - }; - - extern char __indirect_thunk_start[]; ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -12,6 +12,8 @@ - #include - #include - #include -+#include -+#include - - #include - #include -@@ -412,20 +414,23 @@ enum ssb_mitigation_cmd { - SPEC_STORE_BYPASS_CMD_NONE, - SPEC_STORE_BYPASS_CMD_AUTO, - SPEC_STORE_BYPASS_CMD_ON, -+ SPEC_STORE_BYPASS_CMD_PRCTL, - }; - - static const char *ssb_strings[] = { - [SPEC_STORE_BYPASS_NONE] = "Vulnerable", -- [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled" -+ [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled", -+ [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl" - }; - - static const struct { - const char 
*option; - enum ssb_mitigation_cmd cmd; - } ssb_mitigation_options[] = { -- { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ -- { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ -- { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ -+ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ -+ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ -+ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ -+ { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */ - }; - - static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) -@@ -475,14 +480,15 @@ static enum ssb_mitigation_cmd __init __ - - switch (cmd) { - case SPEC_STORE_BYPASS_CMD_AUTO: -- /* -- * AMD platforms by default don't need SSB mitigation. -- */ -- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) -- break; -+ /* Choose prctl as the default mode */ -+ mode = SPEC_STORE_BYPASS_PRCTL; -+ break; - case SPEC_STORE_BYPASS_CMD_ON: - mode = SPEC_STORE_BYPASS_DISABLE; - break; -+ case SPEC_STORE_BYPASS_CMD_PRCTL: -+ mode = SPEC_STORE_BYPASS_PRCTL; -+ break; - case SPEC_STORE_BYPASS_CMD_NONE: - break; - } -@@ -493,7 +499,7 @@ static enum ssb_mitigation_cmd __init __ - * - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass - * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation - */ -- if (mode != SPEC_STORE_BYPASS_NONE) { -+ if (mode == SPEC_STORE_BYPASS_DISABLE) { - setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); - /* - * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses -@@ -524,6 +530,63 @@ static void ssb_select_mitigation() - - #undef pr_fmt - -+static int ssb_prctl_set(unsigned long ctrl) -+{ -+ bool rds = !!test_tsk_thread_flag(current, TIF_RDS); -+ -+ if (ssb_mode != SPEC_STORE_BYPASS_PRCTL) -+ return -ENXIO; -+ -+ if (ctrl == PR_SPEC_ENABLE) -+ clear_tsk_thread_flag(current, TIF_RDS); -+ else 
-+ set_tsk_thread_flag(current, TIF_RDS); -+ -+ if (rds != !!test_tsk_thread_flag(current, TIF_RDS)) -+ speculative_store_bypass_update(); -+ -+ return 0; -+} -+ -+static int ssb_prctl_get(void) -+{ -+ switch (ssb_mode) { -+ case SPEC_STORE_BYPASS_DISABLE: -+ return PR_SPEC_DISABLE; -+ case SPEC_STORE_BYPASS_PRCTL: -+ if (test_tsk_thread_flag(current, TIF_RDS)) -+ return PR_SPEC_PRCTL | PR_SPEC_DISABLE; -+ return PR_SPEC_PRCTL | PR_SPEC_ENABLE; -+ default: -+ if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) -+ return PR_SPEC_ENABLE; -+ return PR_SPEC_NOT_AFFECTED; -+ } -+} -+ -+int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl) -+{ -+ if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE) -+ return -ERANGE; -+ -+ switch (which) { -+ case PR_SPEC_STORE_BYPASS: -+ return ssb_prctl_set(ctrl); -+ default: -+ return -ENODEV; -+ } -+} -+ -+int arch_prctl_spec_ctrl_get(unsigned long which) -+{ -+ switch (which) { -+ case PR_SPEC_STORE_BYPASS: -+ return ssb_prctl_get(); -+ default: -+ return -ENODEV; -+ } -+} -+ - void x86_spec_ctrl_setup_ap(void) - { - if (boot_cpu_has(X86_FEATURE_IBRS)) diff --git a/debian/patches/bugfix/x86/ssb/x86-speculation-add-virtualized-speculative-store-bypass-disable-support.patch b/debian/patches/bugfix/x86/ssb/x86-speculation-add-virtualized-speculative-store-bypass-disable-support.patch deleted file mode 100644 index 38b72e416..000000000 --- a/debian/patches/bugfix/x86/ssb/x86-speculation-add-virtualized-speculative-store-bypass-disable-support.patch +++ /dev/null 
@@ -1,93 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Tom Lendacky
-Date: Thu, 17 May 2018 17:09:18 +0200
-Subject: x86/speculation: Add virtualized speculative store bypass disable support
-
-From: Tom Lendacky
-
-commit 11fb0683493b2da112cd64c9dada221b52463bf7 upstream
-
-Some AMD processors only support a non-architectural means of enabling
-speculative store bypass disable (SSBD). To allow a simplified view of
-this to a guest, an architectural definition has been created through a new
-CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a
-hypervisor can virtualize the existence of this definition and provide an
-architectural method for using SSBD to a guest.
-
-Add the new CPUID feature, the new MSR and update the existing SSBD
-support to use this MSR when present.
-
-Signed-off-by: Tom Lendacky
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Borislav Petkov
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/cpufeatures.h | 1 +
- arch/x86/include/asm/msr-index.h | 2 ++
- arch/x86/kernel/cpu/bugs.c | 4 +++-
- arch/x86/kernel/process.c | 13 ++++++++++++-
- 4 files changed, 18 insertions(+), 2 deletions(-)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -282,6 +282,7 @@
- #define X86_FEATURE_AMD_IBPB (13*32+12) /* "" Indirect Branch Prediction Barrier */
- #define X86_FEATURE_AMD_IBRS (13*32+14) /* "" Indirect Branch Restricted Speculation */
- #define X86_FEATURE_AMD_STIBP (13*32+15) /* "" Single Thread Indirect Branch Predictors */
-+#define X86_FEATURE_VIRT_SSBD (13*32+25) /* Virtualized Speculative Store Bypass Disable */
-
- /* Thermal and Power Management Leaf, CPUID level 0x00000006 (EAX), word 14 */
- #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -347,6 +347,8 @@
- #define MSR_AMD64_SEV_ENABLED_BIT 0
- #define MSR_AMD64_SEV_ENABLED BIT_ULL(MSR_AMD64_SEV_ENABLED_BIT)
-
-+#define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f
-+
- /* Fam 17h MSRs */
- #define MSR_F17H_IRPERF 0xc00000e9
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -205,7 +205,9 @@ static void x86_amd_ssb_disable(void)
- {
- u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
-
-- if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
-+ if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
-+ wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
-+ else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
- wrmsrl(MSR_AMD64_LS_CFG, msrval);
- }
-
---- a/arch/x86/kernel/process.c
-+++ b/arch/x86/kernel/process.c
-@@ -388,6 +388,15 @@ static __always_inline void amd_set_core
- }
- #endif
-
-+static __always_inline void amd_set_ssb_virt_state(unsigned long tifn)
-+{
-+ /*
-+ * SSBD has the same definition in SPEC_CTRL and VIRT_SPEC_CTRL,
-+ * so ssbd_tif_to_spec_ctrl() just works.
-+ */
-+ wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, ssbd_tif_to_spec_ctrl(tifn));
-+}
-+
- static __always_inline void intel_set_ssb_state(unsigned long tifn)
- {
- u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
-@@ -397,7 +406,9 @@ static __always_inline void intel_set_ss
-
- static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
- {
-- if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
-+ if (static_cpu_has(X86_FEATURE_VIRT_SSBD))
-+ amd_set_ssb_virt_state(tifn);
-+ else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
- amd_set_core_ssb_state(tifn);
- else
- intel_set_ssb_state(tifn);
diff --git a/debian/patches/bugfix/x86/ssb/x86-speculation-create-spec-ctrl.h-to-avoid-include-hell.patch b/debian/patches/bugfix/x86/ssb/x86-speculation-create-spec-ctrl.h-to-avoid-include-hell.patch
deleted file mode 100644
index e7a7264ac..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-speculation-create-spec-ctrl.h-to-avoid-include-hell.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Sun, 29 Apr 2018 15:01:37 +0200
-Subject: x86/speculation: Create spec-ctrl.h to avoid include hell
-
-From: Thomas Gleixner
-
-commit 28a2775217b17208811fa43a9e96bd1fdf417b86 upstream
-
-Having everything in nospec-branch.h creates a hell of dependencies when
-adding the prctl based switching mechanism. Move everything which is not
-required in nospec-branch.h to spec-ctrl.h and fix up the includes in the
-relevant files.
-
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Konrad Rzeszutek Wilk
-Reviewed-by: Ingo Molnar
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/nospec-branch.h | 14 --------------
- arch/x86/include/asm/spec-ctrl.h | 21 +++++++++++++++++++++
- arch/x86/kernel/cpu/amd.c | 2 +-
- arch/x86/kernel/cpu/bugs.c | 2 +-
- arch/x86/kvm/svm.c | 2 +-
- arch/x86/kvm/vmx.c | 2 +-
- 6 files changed, 25 insertions(+), 18 deletions(-)
- create mode 100644 arch/x86/include/asm/spec-ctrl.h
-
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -228,26 +228,12 @@ enum spectre_v2_mitigation {
- extern void x86_spec_ctrl_set(u64);
- extern u64 x86_spec_ctrl_get_default(void);
-
--/*
-- * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
-- * the guest has, while on VMEXIT we restore the host view. This
-- * would be easier if SPEC_CTRL were architecturally maskable or
-- * shadowable for guests but this is not (currently) the case.
-- * Takes the guest view of SPEC_CTRL MSR as a parameter.
-- */
--extern void x86_spec_ctrl_set_guest(u64);
--extern void x86_spec_ctrl_restore_host(u64);
--
- /* The Speculative Store Bypass disable variants */
- enum ssb_mitigation {
- SPEC_STORE_BYPASS_NONE,
- SPEC_STORE_BYPASS_DISABLE,
- };
-
--/* AMD specific Speculative Store Bypass MSR data */
--extern u64 x86_amd_ls_cfg_base;
--extern u64 x86_amd_ls_cfg_rds_mask;
--
- extern char __indirect_thunk_start[];
- extern char __indirect_thunk_end[];
-
---- /dev/null
-+++ b/arch/x86/include/asm/spec-ctrl.h
-@@ -0,0 +1,21 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+#ifndef _ASM_X86_SPECCTRL_H_
-+#define _ASM_X86_SPECCTRL_H_
-+
-+#include
-+
-+/*
-+ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
-+ * the guest has, while on VMEXIT we restore the host view. This
-+ * would be easier if SPEC_CTRL were architecturally maskable or
-+ * shadowable for guests but this is not (currently) the case.
-+ * Takes the guest view of SPEC_CTRL MSR as a parameter.
-+ */
-+extern void x86_spec_ctrl_set_guest(u64);
-+extern void x86_spec_ctrl_restore_host(u64);
-+
-+/* AMD specific Speculative Store Bypass MSR data */
-+extern u64 x86_amd_ls_cfg_base;
-+extern u64 x86_amd_ls_cfg_rds_mask;
-+
-+#endif
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -10,7 +10,7 @@
- #include
- #include
- #include
--#include
-+#include
- #include
- #include
- #include
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -13,7 +13,7 @@
- #include
- #include
-
--#include
-+#include
- #include
- #include
- #include
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -50,7 +50,7 @@
- #include
- #include
- #include
--#include
-+#include
-
- #include
- #include "trace.h"
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -52,7 +52,7 @@
- #include
- #include
- #include
--#include
-+#include
-
- #include "trace.h"
- #include "pmu.h"
diff --git a/debian/patches/bugfix/x86/ssb/x86-speculation-handle-ht-correctly-on-amd.patch b/debian/patches/bugfix/x86/ssb/x86-speculation-handle-ht-correctly-on-amd.patch
deleted file mode 100644
index b532e525e..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-speculation-handle-ht-correctly-on-amd.patch
+++ /dev/null
@@ -1,232 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Wed, 9 May 2018 21:53:09 +0200
-Subject: x86/speculation: Handle HT correctly on AMD
-
-From: Thomas Gleixner
-
-commit 1f50ddb4f4189243c05926b842dc1a0332195f31 upstream
-
-The AMD64_LS_CFG MSR is a per core MSR on Family 17H CPUs. That means when
-hyperthreading is enabled the SSBD bit toggle needs to take both cores into
-account. Otherwise the following situation can happen:
-
-CPU0 CPU1
-
-disable SSB
- disable SSB
- enable SSB <- Enables it for the Core, i.e. for CPU0 as well
-
-So after the SSB enable on CPU1 the task on CPU0 runs with SSB enabled
-again.
-
-On Intel the SSBD control is per core as well, but the synchronization
-logic is implemented behind the per thread SPEC_CTRL MSR. It works like
-this:
-
- CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL
-
-i.e. if one of the threads enables a mitigation then this affects both and
-the mitigation is only disabled in the core when both threads disabled it.
-
-Add the necessary synchronization logic for AMD family 17H. Unfortunately
-that requires a spinlock to serialize the access to the MSR, but the locks
-are only shared between siblings.
-
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Borislav Petkov
-Reviewed-by: Konrad Rzeszutek Wilk
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/spec-ctrl.h | 6 +
- arch/x86/kernel/process.c | 125 +++++++++++++++++++++++++++++++++++++--
- arch/x86/kernel/smpboot.c | 5 +
- 3 files changed, 130 insertions(+), 6 deletions(-)
-
---- a/arch/x86/include/asm/spec-ctrl.h
-+++ b/arch/x86/include/asm/spec-ctrl.h
-@@ -33,6 +33,12 @@ static inline u64 ssbd_tif_to_amd_ls_cfg
- return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
- }
-
-+#ifdef CONFIG_SMP
-+extern void speculative_store_bypass_ht_init(void);
-+#else
-+static inline void speculative_store_bypass_ht_init(void) { }
-+#endif
-+
- extern void speculative_store_bypass_update(void);
-
- #endif
---- a/arch/x86/kernel/process.c
-+++ b/arch/x86/kernel/process.c
-@@ -279,22 +279,135 @@ static inline void switch_to_bitmap(stru
- }
- }
-
--static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
-+#ifdef CONFIG_SMP
-+
-+struct ssb_state {
-+ struct ssb_state *shared_state;
-+ raw_spinlock_t lock;
-+ unsigned int disable_state;
-+ unsigned long local_state;
-+};
-+
-+#define LSTATE_SSB 0
-+
-+static DEFINE_PER_CPU(struct ssb_state, ssb_state);
-+
-+void speculative_store_bypass_ht_init(void)
-+{
-+ struct ssb_state *st = this_cpu_ptr(&ssb_state);
-+ unsigned int this_cpu = smp_processor_id();
-+ unsigned int cpu;
-+
-+ st->local_state = 0;
-+
-+ /*
-+ * Shared state setup happens once on the first bringup
-+ * of the CPU. It's not destroyed on CPU hotunplug.
-+ */
-+ if (st->shared_state)
-+ return;
-+
-+ raw_spin_lock_init(&st->lock);
-+
-+ /*
-+ * Go over HT siblings and check whether one of them has set up the
-+ * shared state pointer already.
-+ */
-+ for_each_cpu(cpu, topology_sibling_cpumask(this_cpu)) {
-+ if (cpu == this_cpu)
-+ continue;
-+
-+ if (!per_cpu(ssb_state, cpu).shared_state)
-+ continue;
-+
-+ /* Link it to the state of the sibling: */
-+ st->shared_state = per_cpu(ssb_state, cpu).shared_state;
-+ return;
-+ }
-+
-+ /*
-+ * First HT sibling to come up on the core. Link shared state of
-+ * the first HT sibling to itself. The siblings on the same core
-+ * which come up later will see the shared state pointer and link
-+ * themself to the state of this CPU.
-+ */
-+ st->shared_state = st;
-+}
-+
-+/*
-+ * Logic is: First HT sibling enables SSBD for both siblings in the core
-+ * and last sibling to disable it, disables it for the whole core. This how
-+ * MSR_SPEC_CTRL works in "hardware":
-+ *
-+ * CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL
-+ */
-+static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
- {
-- u64 msr;
-+ struct ssb_state *st = this_cpu_ptr(&ssb_state);
-+ u64 msr = x86_amd_ls_cfg_base;
-
-- if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) {
-- msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
-+ if (!static_cpu_has(X86_FEATURE_ZEN)) {
-+ msr |= ssbd_tif_to_amd_ls_cfg(tifn);
- wrmsrl(MSR_AMD64_LS_CFG, msr);
-+ return;
-+ }
-+
-+ if (tifn & _TIF_SSBD) {
-+ /*
-+ * Since this can race with prctl(), block reentry on the
-+ * same CPU.
-+ */
-+ if (__test_and_set_bit(LSTATE_SSB, &st->local_state))
-+ return;
-+
-+ msr |= x86_amd_ls_cfg_ssbd_mask;
-+
-+ raw_spin_lock(&st->shared_state->lock);
-+ /* First sibling enables SSBD: */
-+ if (!st->shared_state->disable_state)
-+ wrmsrl(MSR_AMD64_LS_CFG, msr);
-+ st->shared_state->disable_state++;
-+ raw_spin_unlock(&st->shared_state->lock);
- } else {
-- msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
-- wrmsrl(MSR_IA32_SPEC_CTRL, msr);
-+ if (!__test_and_clear_bit(LSTATE_SSB, &st->local_state))
-+ return;
-+
-+ raw_spin_lock(&st->shared_state->lock);
-+ st->shared_state->disable_state--;
-+ if (!st->shared_state->disable_state)
-+ wrmsrl(MSR_AMD64_LS_CFG, msr);
-+ raw_spin_unlock(&st->shared_state->lock);
- }
- }
-+#else
-+static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
-+{
-+ u64 msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
-+
-+ wrmsrl(MSR_AMD64_LS_CFG, msr);
-+}
-+#endif
-+
-+static __always_inline void intel_set_ssb_state(unsigned long tifn)
-+{
-+ u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
-+
-+ wrmsrl(MSR_IA32_SPEC_CTRL, msr);
-+}
-+
-+static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
-+{
-+ if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
-+ amd_set_core_ssb_state(tifn);
-+ else
-+ intel_set_ssb_state(tifn);
-+}
-
- void speculative_store_bypass_update(void)
- {
-+ preempt_disable();
- __speculative_store_bypass_update(current_thread_info()->flags);
-+ preempt_enable();
- }
-
- void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
---- a/arch/x86/kernel/smpboot.c
-+++ b/arch/x86/kernel/smpboot.c
-@@ -77,6 +77,7 @@
- #include
- #include
- #include
-+#include
-
- /* Number of siblings per CPU package */
- int smp_num_siblings = 1;
-@@ -242,6 +243,8 @@ static void notrace start_secondary(void
- */
- check_tsc_sync_target();
-
-+ speculative_store_bypass_ht_init();
-+
- /*
- * Lock vector_lock, set CPU online and bring the vector
- * allocator online. Online must be set with vector_lock held
-@@ -1257,6 +1260,8 @@ void __init native_smp_prepare_cpus(unsi
- set_mtrr_aps_delayed_init();
-
- smp_quirk_init_udelay();
-+
-+ speculative_store_bypass_ht_init();
- }
-
- void arch_enable_nonboot_cpus_begin(void)
diff --git a/debian/patches/bugfix/x86/ssb/x86-speculation-kvm-implement-support-for-virt_spec_ctrl-ls_cfg.patch b/debian/patches/bugfix/x86/ssb/x86-speculation-kvm-implement-support-for-virt_spec_ctrl-ls_cfg.patch
deleted file mode 100644
index ee9ebcfcc..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-speculation-kvm-implement-support-for-virt_spec_ctrl-ls_cfg.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Thu, 10 May 2018 20:42:48 +0200
-Subject: x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
-
-From: Thomas Gleixner
-
-commit 47c61b3955cf712cadfc25635bf9bc174af030ea upstream
-
-Add the necessary logic for supporting the emulated VIRT_SPEC_CTRL MSR to
-x86_virt_spec_ctrl(). If either X86_FEATURE_LS_CFG_SSBD or
-X86_FEATURE_VIRT_SPEC_CTRL is set then use the new guest_virt_spec_ctrl
-argument to check whether the state must be modified on the host. The
-update reuses speculative_store_bypass_update() so the ZEN-specific sibling
-coordination can be reused.
-
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/spec-ctrl.h | 6 ++++++
- arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++++++++++++
- 2 files changed, 36 insertions(+)
-
---- a/arch/x86/include/asm/spec-ctrl.h
-+++ b/arch/x86/include/asm/spec-ctrl.h
-@@ -53,6 +53,12 @@ static inline u64 ssbd_tif_to_spec_ctrl(
- return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
- }
-
-+static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl)
-+{
-+ BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
-+ return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
-+}
-+
- static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
- {
- return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -162,6 +162,36 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl,
- wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
- }
- }
-+
-+ /*
-+ * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
-+ * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
-+ */
-+ if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
-+ !static_cpu_has(X86_FEATURE_VIRT_SSBD))
-+ return;
-+
-+ /*
-+ * If the host has SSBD mitigation enabled, force it in the host's
-+ * virtual MSR value. If its not permanently enabled, evaluate
-+ * current's TIF_SSBD thread flag.
-+ */
-+ if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
-+ hostval = SPEC_CTRL_SSBD;
-+ else
-+ hostval = ssbd_tif_to_spec_ctrl(ti->flags);
-+
-+ /* Sanitize the guest value */
-+ guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
-+
-+ if (hostval != guestval) {
-+ unsigned long tif;
-+
-+ tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
-+ ssbd_spec_ctrl_to_tif(hostval);
-+
-+ speculative_store_bypass_update(tif);
-+ }
- }
- EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
-
diff --git a/debian/patches/bugfix/x86/ssb/x86-speculation-make-seccomp-the-default-mode-for-speculative-store-bypass.patch b/debian/patches/bugfix/x86/ssb/x86-speculation-make-seccomp-the-default-mode-for-speculative-store-bypass.patch
deleted file mode 100644
index 3a23bce6c..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-speculation-make-seccomp-the-default-mode-for-speculative-store-bypass.patch
+++ /dev/null
@@ -1,157 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Kees Cook
-Date: Thu, 3 May 2018 14:37:54 -0700
-Subject: x86/speculation: Make "seccomp" the default mode for Speculative Store Bypass
-
-From: Kees Cook
-
-commit f21b53b20c754021935ea43364dbf53778eeba32 upstream
-
-Unless explicitly opted out of, anything running under seccomp will have
-SSB mitigations enabled. Choosing the "prctl" mode will disable this.
-
-[ tglx: Adjusted it to the new arch_seccomp_spec_mitigate() mechanism ]
-
-Signed-off-by: Kees Cook
-Signed-off-by: Thomas Gleixner
-Signed-off-by: Greg Kroah-Hartman
----
- Documentation/admin-guide/kernel-parameters.txt | 26 ++++++++++++-------
- arch/x86/include/asm/nospec-branch.h | 1
- arch/x86/kernel/cpu/bugs.c | 32 +++++++++++++++++-------
- 3 files changed, 41 insertions(+), 18 deletions(-)
-
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -4021,19 +4021,27 @@
- This parameter controls whether the Speculative Store
- Bypass optimization is used.
-
-- on - Unconditionally disable Speculative Store Bypass
-- off - Unconditionally enable Speculative Store Bypass
-- auto - Kernel detects whether the CPU model contains an
-- implementation of Speculative Store Bypass and
-- picks the most appropriate mitigation.
-- prctl - Control Speculative Store Bypass per thread
-- via prctl. Speculative Store Bypass is enabled
-- for a process by default. The state of the control
-- is inherited on fork.
-+ on - Unconditionally disable Speculative Store Bypass
-+ off - Unconditionally enable Speculative Store Bypass
-+ auto - Kernel detects whether the CPU model contains an
-+ implementation of Speculative Store Bypass and
-+ picks the most appropriate mitigation. If the
-+ CPU is not vulnerable, "off" is selected. If the
-+ CPU is vulnerable the default mitigation is
-+ architecture and Kconfig dependent. See below.
-+ prctl - Control Speculative Store Bypass per thread
-+ via prctl. Speculative Store Bypass is enabled
-+ for a process by default. The state of the control
-+ is inherited on fork.
-+ seccomp - Same as "prctl" above, but all seccomp threads
-+ will disable SSB unless they explicitly opt out.
-
- Not specifying this option is equivalent to
- spec_store_bypass_disable=auto.
-
-+ Default mitigations:
-+ X86: If CONFIG_SECCOMP=y "seccomp", otherwise "prctl"
-+
- spia_io_base= [HW,MTD]
- spia_fio_base=
- spia_pedr=
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -233,6 +233,7 @@ enum ssb_mitigation {
- SPEC_STORE_BYPASS_NONE,
- SPEC_STORE_BYPASS_DISABLE,
- SPEC_STORE_BYPASS_PRCTL,
-+ SPEC_STORE_BYPASS_SECCOMP,
- };
-
- extern char __indirect_thunk_start[];
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -416,22 +416,25 @@ enum ssb_mitigation_cmd {
- SPEC_STORE_BYPASS_CMD_AUTO,
- SPEC_STORE_BYPASS_CMD_ON,
- SPEC_STORE_BYPASS_CMD_PRCTL,
-+ SPEC_STORE_BYPASS_CMD_SECCOMP,
- };
-
- static const char *ssb_strings[] = {
- [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
- [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
-- [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl"
-+ [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
-+ [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
- };
-
- static const struct {
- const char *option;
- enum ssb_mitigation_cmd cmd;
- } ssb_mitigation_options[] = {
-- { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
-- { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
-- { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
-- { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
-+ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
-+ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
-+ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
-+ { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
-+ { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
- };
-
- static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
-@@ -481,8 +484,15 @@ static enum ssb_mitigation_cmd __init __
-
- switch (cmd) {
- case SPEC_STORE_BYPASS_CMD_AUTO:
-- /* Choose prctl as the default mode */
-- mode = SPEC_STORE_BYPASS_PRCTL;
-+ case SPEC_STORE_BYPASS_CMD_SECCOMP:
-+ /*
-+ * Choose prctl+seccomp as the default mode if seccomp is
-+ * enabled.
-+ */
-+ if (IS_ENABLED(CONFIG_SECCOMP))
-+ mode = SPEC_STORE_BYPASS_SECCOMP;
-+ else
-+ mode = SPEC_STORE_BYPASS_PRCTL;
- break;
- case SPEC_STORE_BYPASS_CMD_ON:
- mode = SPEC_STORE_BYPASS_DISABLE;
-@@ -530,12 +540,14 @@ static void ssb_select_mitigation()
- }
-
- #undef pr_fmt
-+#define pr_fmt(fmt) "Speculation prctl: " fmt
-
- static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
- {
- bool update;
-
-- if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
-+ if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
-+ ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
- return -ENXIO;
-
- switch (ctrl) {
-@@ -583,7 +595,8 @@ int arch_prctl_spec_ctrl_set(struct task
- #ifdef CONFIG_SECCOMP
- void arch_seccomp_spec_mitigate(struct task_struct *task)
- {
-- ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
-+ if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
-+ ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
- }
- #endif
-
-@@ -592,6 +605,7 @@ static int ssb_prctl_get(struct task_str
- switch (ssb_mode) {
- case SPEC_STORE_BYPASS_DISABLE:
- return PR_SPEC_DISABLE;
-+ case SPEC_STORE_BYPASS_SECCOMP:
- case SPEC_STORE_BYPASS_PRCTL:
- if (task_spec_ssb_force_disable(task))
- return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
diff --git a/debian/patches/bugfix/x86/ssb/x86-speculation-rework-speculative_store_bypass_update.patch b/debian/patches/bugfix/x86/ssb/x86-speculation-rework-speculative_store_bypass_update.patch
deleted file mode 100644
index ee988603a..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-speculation-rework-speculative_store_bypass_update.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Thomas Gleixner
-Date: Thu, 10 May 2018 20:31:44 +0200
-Subject: x86/speculation: Rework speculative_store_bypass_update()
-
-From: Thomas Gleixner
-
-commit 0270be3e34efb05a88bc4c422572ece038ef3608 upstream
-
-The upcoming support for the virtual SPEC_CTRL MSR on AMD needs to reuse
-speculative_store_bypass_update() to avoid code duplication. Add an
-argument for supplying a thread info (TIF) value and create a wrapper
-speculative_store_bypass_update_current() which is used at the existing
-call site.
-
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Borislav Petkov
-Reviewed-by: Konrad Rzeszutek Wilk
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/spec-ctrl.h | 7 ++++++-
- arch/x86/kernel/cpu/bugs.c | 2 +-
- arch/x86/kernel/process.c | 4 ++--
- 3 files changed, 9 insertions(+), 4 deletions(-)
-
---- a/arch/x86/include/asm/spec-ctrl.h
-+++ b/arch/x86/include/asm/spec-ctrl.h
-@@ -42,6 +42,11 @@ extern void speculative_store_bypass_ht_
- static inline void speculative_store_bypass_ht_init(void) { }
- #endif
-
--extern void speculative_store_bypass_update(void);
-+extern void speculative_store_bypass_update(unsigned long tif);
-+
-+static inline void speculative_store_bypass_update_current(void)
-+{
-+ speculative_store_bypass_update(current_thread_info()->flags);
-+}
-
- #endif
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -598,7 +598,7 @@ static int ssb_prctl_set(struct task_str
- * mitigation until it is next scheduled.
- */
- if (task == current && update)
-- speculative_store_bypass_update();
-+ speculative_store_bypass_update_current();
-
- return 0;
- }
---- a/arch/x86/kernel/process.c
-+++ b/arch/x86/kernel/process.c
-@@ -414,10 +414,10 @@ static __always_inline void __speculativ
- intel_set_ssb_state(tifn);
- }
-
--void speculative_store_bypass_update(void)
-+void speculative_store_bypass_update(unsigned long tif)
- {
- preempt_disable();
-- __speculative_store_bypass_update(current_thread_info()->flags);
-+ __speculative_store_bypass_update(tif);
- preempt_enable();
- }
-
diff --git a/debian/patches/bugfix/x86/ssb/x86-speculation-use-synthetic-bits-for-ibrs-ibpb-stibp.patch b/debian/patches/bugfix/x86/ssb/x86-speculation-use-synthetic-bits-for-ibrs-ibpb-stibp.patch
deleted file mode 100644
index bf32a5019..000000000
--- a/debian/patches/bugfix/x86/ssb/x86-speculation-use-synthetic-bits-for-ibrs-ibpb-stibp.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-From foo@baz Mon May 21 21:56:07 CEST 2018
-From: Borislav Petkov
-Date: Wed, 2 May 2018 18:15:14 +0200
-Subject: x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
-
-From: Borislav Petkov
-
-commit e7c587da125291db39ddf1f49b18e5970adbac17 upstream
-
-Intel and AMD have different CPUID bits hence for those use synthetic bits
-which get set on the respective vendor's in init_speculation_control(). So
-that debacles like what the commit message of
-
- c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload")
-
-talks about don't happen anymore.
-
-Signed-off-by: Borislav Petkov
-Signed-off-by: Thomas Gleixner
-Reviewed-by: Konrad Rzeszutek Wilk
-Tested-by: Jörg Otte
-Cc: Linus Torvalds
-Cc: "Kirill A. Shutemov"
-Link: https://lkml.kernel.org/r/20180504161815.GG9257@pd.tnic
-Signed-off-by: Greg Kroah-Hartman
----
- arch/x86/include/asm/cpufeatures.h | 10 ++++++----
- arch/x86/kernel/cpu/common.c | 14 ++++++++++----
- arch/x86/kvm/cpuid.c | 10 +++++-----
- arch/x86/kvm/svm.c | 6 +++---
- arch/x86/kvm/vmx.c | 9 ++-------
- 5 files changed, 26 insertions(+), 23 deletions(-)
-
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -198,7 +198,6 @@
- #define X86_FEATURE_CAT_L2 ( 7*32+ 5) /* Cache Allocation Technology L2 */
- #define X86_FEATURE_CDP_L3 ( 7*32+ 6) /* Code and Data Prioritization L3 */
- #define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 7) /* Effectively INVPCID && CR4.PCIDE=1 */
--
- #define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */
- #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
- #define X86_FEATURE_SME ( 7*32+10) /* AMD Secure Memory Encryption */
-@@ -216,6 +215,9 @@
- #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
- #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
- #define X86_FEATURE_AMD_SSBD ( 7*32+24) /* "" AMD SSBD implementation */
-+#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
-+#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
-+#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
-
- /* Virtualization flags: Linux defined, word 8 */
- #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
-@@ -276,9 +278,9 @@
- #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */
- #define X86_FEATURE_IRPERF (13*32+ 1) /* Instructions Retired Count */
- #define X86_FEATURE_XSAVEERPTR (13*32+ 2) /* Always save/restore FP error pointers */
--#define X86_FEATURE_IBPB (13*32+12) /* Indirect Branch Prediction Barrier */
--#define X86_FEATURE_IBRS (13*32+14) /* Indirect Branch Restricted Speculation */
--#define X86_FEATURE_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors */
-+#define X86_FEATURE_AMD_IBPB (13*32+12) /* "" Indirect Branch Prediction Barrier */
-+#define X86_FEATURE_AMD_IBRS (13*32+14) /* "" Indirect Branch Restricted Speculation */
-+#define X86_FEATURE_AMD_STIBP (13*32+15) /* "" Single Thread Indirect Branch Predictors */
-
- /* Thermal and Power Management Leaf, CPUID level 0x00000006 (EAX), word 14 */
- #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -757,17 +757,23 @@ static void init_speculation_control(str
- * and they also have a different bit for STIBP support. Also,
- * a hypervisor might have set the individual AMD bits even on
- * Intel CPUs, for finer-grained selection of what's available.
-- *
-- * We use the AMD bits in 0x8000_0008 EBX as the generic hardware
-- * features, which are visible in /proc/cpuinfo and used by the
-- * kernel. So set those accordingly from the Intel bits.
- */
- if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
- set_cpu_cap(c, X86_FEATURE_IBRS);
- set_cpu_cap(c, X86_FEATURE_IBPB);
- }
-+
- if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
- set_cpu_cap(c, X86_FEATURE_STIBP);
-+
-+ if (cpu_has(c, X86_FEATURE_AMD_IBRS))
-+ set_cpu_cap(c, X86_FEATURE_IBRS);
-+
-+ if (cpu_has(c, X86_FEATURE_AMD_IBPB))
-+ set_cpu_cap(c, X86_FEATURE_IBPB);
-+
-+ if (cpu_has(c, X86_FEATURE_AMD_STIBP))
-+ set_cpu_cap(c, X86_FEATURE_STIBP);
- }
-
- void get_cpu_cap(struct cpuinfo_x86 *c)
---- a/arch/x86/kvm/cpuid.c
-+++ b/arch/x86/kvm/cpuid.c
-@@ -374,7 +374,7 @@ static inline int __do_cpuid_ent(struct
-
- /* cpuid 0x80000008.ebx */
- const u32 kvm_cpuid_8000_0008_ebx_x86_features =
-- F(IBPB) | F(IBRS);
-+ F(AMD_IBPB) | F(AMD_IBRS);
-
- /* cpuid 0xC0000001.edx */
- const u32 kvm_cpuid_C000_0001_edx_x86_features =
-@@ -643,10 +643,10 @@ static inline int __do_cpuid_ent(struct
- entry->eax = g_phys_as | (virt_as << 8);
- entry->edx = 0;
- /* IBRS and IBPB aren't necessarily present in hardware cpuid */
-- if (boot_cpu_has(X86_FEATURE_IBPB))
-- entry->ebx |= F(IBPB);
-- if (boot_cpu_has(X86_FEATURE_IBRS))
-- entry->ebx |= F(IBRS);
-+ if (boot_cpu_has(X86_FEATURE_AMD_IBPB))
-+ entry->ebx |= F(AMD_IBPB);
-+ if (boot_cpu_has(X86_FEATURE_AMD_IBRS))
-+ entry->ebx |= F(AMD_IBRS);
- entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features;
- cpuid_mask(&entry->ebx, CPUID_8000_0008_EBX);
- break;
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -3959,7 +3959,7 @@ static int svm_get_msr(struct kvm_vcpu *
- break;
- case MSR_IA32_SPEC_CTRL:
- if (!msr_info->host_initiated &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_IBRS))
-+ !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS))
- return 1;
-
- msr_info->data = svm->spec_ctrl;
-@@ -4057,7 +4057,7 @@ static int svm_set_msr(struct kvm_vcpu *
- break;
- case MSR_IA32_SPEC_CTRL:
- if (!msr->host_initiated &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_IBRS))
-+ !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS))
- return 1;
-
- /* The STIBP bit doesn't fault even if it's not advertised */
-@@ -4084,7 +4084,7 @@ static int svm_set_msr(struct kvm_vcpu *
- break;
- case MSR_IA32_PRED_CMD:
- if (!msr->host_initiated &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_IBPB))
-+ !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBPB))
- return 1;
-
- if (data & ~PRED_CMD_IBPB)
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -3269,9 +3269,7 @@ static int vmx_get_msr(struct kvm_vcpu *
- break;
- case MSR_IA32_SPEC_CTRL:
- if (!msr_info->host_initiated &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_SSBD))
-+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
- return 1;
-
- msr_info->data = to_vmx(vcpu)->spec_ctrl;
-@@ -3391,9 +3389,7 @@ static int vmx_set_msr(struct kvm_vcpu *
- break;
- case MSR_IA32_SPEC_CTRL:
- if (!msr_info->host_initiated &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_SSBD))
-+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
- return 1;
-
- /* The STIBP bit doesn't fault even if it's not advertised */
-@@ -3423,7 +3419,6 @@ static int vmx_set_msr(struct kvm_vcpu *
- break;
- case MSR_IA32_PRED_CMD:
- if (!msr_info->host_initiated &&
-- !guest_cpuid_has(vcpu, X86_FEATURE_IBPB) &&
- !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
- return 1;
-
diff --git a/debian/patches/series b/debian/patches/series
index bed62621d..4c47e7b68 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -142,55 +142,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/xfs-enhance-dinode-verifier.patch
 bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
-bugfix/x86/ssb/x86-nospec-simplify-alternative_msr_write.patch
-bugfix/x86/ssb/x86-bugs-concentrate-bug-detection-into-a-separate-function.patch
-bugfix/x86/ssb/x86-bugs-concentrate-bug-reporting-into-a-separate-function.patch
-bugfix/x86/ssb/x86-bugs-read-spec_ctrl-msr-during-boot-and-re-use-reserved-bits.patch
-bugfix/x86/ssb/x86-bugs-kvm-support-the-combination-of-guest-and-host-ibrs.patch
-bugfix/x86/ssb/x86-bugs-expose-sys-..-spec_store_bypass.patch
-bugfix/x86/ssb/x86-cpufeatures-add-x86_feature_rds.patch
-bugfix/x86/ssb/x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch
-bugfix/x86/ssb/x86-bugs-intel-set-proper-cpu-features-and-setup-rds.patch
-bugfix/x86/ssb/x86-bugs-whitelist-allowed-spec_ctrl-msr-values.patch
-bugfix/x86/ssb/x86-bugs-amd-add-support-to-disable-rds-on-famh-if-requested.patch
-bugfix/x86/ssb/x86-kvm-vmx-expose-spec_ctrl-bit-2-to-the-guest.patch
-bugfix/x86/ssb/x86-speculation-create-spec-ctrl.h-to-avoid-include-hell.patch
-bugfix/x86/ssb/prctl-add-speculation-control-prctls.patch
-bugfix/x86/ssb/x86-process-allow-runtime-control-of-speculative-store-bypass.patch
-bugfix/x86/ssb/x86-speculation-add-prctl-for-speculative-store-bypass-mitigation.patch
-bugfix/x86/ssb/nospec-allow-getting-setting-on-non-current-task.patch
-bugfix/x86/ssb/proc-provide-details-on-speculation-flaw-mitigations.patch
-bugfix/x86/ssb/seccomp-enable-speculation-flaw-mitigations.patch
-bugfix/x86/ssb/x86-bugs-make-boot-modes-__ro_after_init.patch
-bugfix/x86/ssb/prctl-add-force-disable-speculation.patch
-bugfix/x86/ssb/seccomp-use-pr_spec_force_disable.patch
-bugfix/x86/ssb/seccomp-add-filter-flag-to-opt-out-of-ssb-mitigation.patch
-bugfix/x86/ssb/seccomp-move-speculation-migitation-control-to-arch-code.patch
-bugfix/x86/ssb/x86-speculation-make-seccomp-the-default-mode-for-speculative-store-bypass.patch
-bugfix/x86/ssb/x86-bugs-rename-_rds-to-_ssbd.patch
-bugfix/x86/ssb/proc-use-underscores-for-ssbd-in-status.patch
-bugfix/x86/ssb/documentation-spec_ctrl-do-some-minor-cleanups.patch
-bugfix/x86/ssb/x86-bugs-fix-__ssb_select_mitigation-return-type.patch
-bugfix/x86/ssb/x86-bugs-make-cpu_show_common-static.patch
-bugfix/x86/ssb/x86-bugs-fix-the-parameters-alignment-and-missing-void.patch
-bugfix/x86/ssb/x86-cpu-make-alternative_msr_write-work-for-32-bit-code.patch
-bugfix/x86/ssb/kvm-svm-move-spec-control-call-after-restore-of-gs.patch
-bugfix/x86/ssb/x86-speculation-use-synthetic-bits-for-ibrs-ibpb-stibp.patch
-bugfix/x86/ssb/x86-cpufeatures-disentangle-msr_spec_ctrl-enumeration-from-ibrs.patch
-bugfix/x86/ssb/x86-cpufeatures-disentangle-ssbd-enumeration.patch
-bugfix/x86/ssb/x86-cpufeatures-add-feature_zen.patch
-bugfix/x86/ssb/x86-speculation-handle-ht-correctly-on-amd.patch
-bugfix/x86/ssb/x86-bugs-kvm-extend-speculation-control-for-virt_spec_ctrl.patch
-bugfix/x86/ssb/x86-speculation-add-virtualized-speculative-store-bypass-disable-support.patch
-bugfix/x86/ssb/x86-speculation-rework-speculative_store_bypass_update.patch
-bugfix/x86/ssb/x86-bugs-unify-x86_spec_ctrl_-set_guest-restore_host.patch
-bugfix/x86/ssb/x86-bugs-expose-x86_spec_ctrl_base-directly.patch
-bugfix/x86/ssb/x86-bugs-remove-x86_spec_ctrl_set.patch
-bugfix/x86/ssb/x86-bugs-rework-spec_ctrl-base-and-mask-logic.patch
-bugfix/x86/ssb/x86-speculation-kvm-implement-support-for-virt_spec_ctrl-ls_cfg.patch
-bugfix/x86/ssb/kvm-svm-implement-virt_spec_ctrl-support-for-ssbd.patch
-bugfix/x86/ssb/x86-bugs-rename-ssbd_no-to-ssb_no.patch
-bugfix/x86/ssb/bpf-prevent-memory-disambiguation-attack.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch