Update to 4.16.11
Revert "[x86] Add support for disabling Speculative Store Bypass (CVE-2018-3639)"
Cleanup debian/changelog file
parent 975e4433ed
commit 0e0b695e53
|
@ -1,4 +1,4 @@
|
||||||
linux (4.16.10-1) UNRELEASED; urgency=medium
|
linux (4.16.11-1) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
* New upstream stable update:
|
* New upstream stable update:
|
||||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.6
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.6
|
||||||
|
@ -366,16 +366,72 @@ linux (4.16.10-1) UNRELEASED; urgency=medium
|
||||||
- scsi: aacraid: Correct hba_send to include iu_type
|
- scsi: aacraid: Correct hba_send to include iu_type
|
||||||
- proc: do not access cmdline nor environ from file-backed areas
|
- proc: do not access cmdline nor environ from file-backed areas
|
||||||
(CVE-2018-1120)
|
(CVE-2018-1120)
|
||||||
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.11
|
||||||
[ Romain Perier ]
|
- xhci: Fix USB3 NULL pointer dereference at logical disconnect.
|
||||||
* [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204)
|
- usbip: usbip_host: refine probe and disconnect debug msgs to be useful
|
||||||
* [armhf] MFD: Enable MFD_TPS65217 (Closes: #897590)
|
- usbip: usbip_host: delete device from busid_table after rebind
|
||||||
|
- usbip: usbip_host: run rebind from exit when module is removed
|
||||||
[ Ben Hutchings ]
|
- usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
|
||||||
* kbuild: use -fmacro-prefix-map to make __FILE__ a relative path
|
- usbip: usbip_host: fix bad unlock balance during stub_probe()
|
||||||
* Bump ABI to 2
|
- ALSA: usb: mixer: volume quirk for CM102-A+/102S+
|
||||||
* [rt] Update to 4.16.8-rt3
|
- ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup
|
||||||
* [x86] Add support for disabling Speculative Store Bypass (CVE-2018-3639):
|
- ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist
|
||||||
|
- ALSA: control: fix a redundant-copy issue
|
||||||
|
- [amd64] spi: pxa2xx: Allow 64-bit DMA
|
||||||
|
- KVM: vmx: update sec exec controls for UMIP iff emulating UMIP
|
||||||
|
- [armhf,arm64] KVM: Properly protect VGIC locks from IRQs
|
||||||
|
- [armhf,arm64] KVM: VGIC/ITS: Promote irq_lock() in update_affinity
|
||||||
|
- [armhf,arm64] KVM: VGIC/ITS save/restore: protect kvm_read_guest() calls
|
||||||
|
- [armhf,arm64] KVM: VGIC/ITS: protect kvm_read_guest() calls with SRCU
|
||||||
|
lock
|
||||||
|
- hwmon: (k10temp) Fix reading critical temperature register
|
||||||
|
- hwmon: (k10temp) Use API function to access System Management Network
|
||||||
|
- [s390x] vfio: ccw: fix cleanup if cp_prefetch fails
|
||||||
|
- tracing/x86/xen: Remove zero data size trace events
|
||||||
|
trace_xen_mmu_flush_tlb{_all}
|
||||||
|
- vsprintf: Replace memory barrier with static_key for random_ptr_key
|
||||||
|
update
|
||||||
|
- [x86] amd_nb: Add support for Raven Ridge CPUs
|
||||||
|
- [arm64] tee: shm: fix use-after-free via temporarily dropped reference
|
||||||
|
- netfilter: nf_tables: free set name in error path
|
||||||
|
- netfilter: nf_tables: can't fail after linking rule into active rule
|
||||||
|
list
|
||||||
|
- netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static
|
||||||
|
- [arm64] dts: marvell: armada-cp110: Add clocks for the xmdio node
|
||||||
|
- [arm64] dts: marvell: armada-cp110: Add mg_core_clk for ethernet node
|
||||||
|
- i2c: designware: fix poll-after-enable regression
|
||||||
|
- mtd: rawnand: marvell: Fix read logic for layouts with ->nchunks > 2
|
||||||
|
- [powerpc*] powerpc/powernv: Fix NVRAM sleep in invalid context when
|
||||||
|
crashing
|
||||||
|
- drm: Match sysfs name in link removal to link creation
|
||||||
|
- radix tree: fix multi-order iteration race
|
||||||
|
- mm: don't allow deferred pages with NEED_PER_CPU_KM
|
||||||
|
- [x86] drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk
|
||||||
|
- [s390x] qdio: fix access to uninitialized qdio_q fields
|
||||||
|
- [s390x] cpum_sf: ensure sample frequency of perf event attributes is
|
||||||
|
non-zero
|
||||||
|
- [s390x] qdio: don't release memory in qdio_setup_irq()
|
||||||
|
- [s390x] remove indirect branch from do_softirq_own_stack
|
||||||
|
- bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n
|
||||||
|
- [x86] pkeys: Override pkey when moving away from PROT_EXEC
|
||||||
|
- [x86] pkeys: Do not special case protection key 0
|
||||||
|
- efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32'
|
||||||
|
definition for mixed mode
|
||||||
|
- [arm*] 8771/1: kprobes: Prohibit kprobes on do_undefinstr
|
||||||
|
- [x86] apic/x2apic: Initialize cluster ID properly
|
||||||
|
- [x86] mm: Drop TS_COMPAT on 64-bit exec() syscall
|
||||||
|
- tick/broadcast: Use for_each_cpu() specially on UP kernels
|
||||||
|
- [arm*] 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
|
||||||
|
- [arm*] 8770/1: kprobes: Prohibit probing on optimized_callback
|
||||||
|
- [arm*] 8772/1: kprobes: Prohibit kprobes on get_user functions
|
||||||
|
- Btrfs: fix xattr loss after power failure
|
||||||
|
- Btrfs: send, fix invalid access to commit roots due to concurrent
|
||||||
|
snapshotting
|
||||||
|
- btrfs: property: Set incompat flag if lzo/zstd compression is set
|
||||||
|
- btrfs: fix crash when trying to resume balance without the resume flag
|
||||||
|
- btrfs: Split btrfs_del_delalloc_inode into 2 functions
|
||||||
|
- btrfs: Fix delalloc inodes invalidation during transaction abort
|
||||||
|
- btrfs: fix reading stale metadata blocks after degraded raid1 mounts
|
||||||
- x86/nospec: Simplify alternative_msr_write()
|
- x86/nospec: Simplify alternative_msr_write()
|
||||||
- x86/bugs: Concentrate bug detection into a separate function
|
- x86/bugs: Concentrate bug detection into a separate function
|
||||||
- x86/bugs: Concentrate bug reporting into a separate function
|
- x86/bugs: Concentrate bug reporting into a separate function
|
||||||
|
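Review bot: The removed heading "* [x86] Add support for disabling Speculative Store Bypass (CVE-2018-3639):" was the only line in this hunk that tied the x86/nospec and x86/bugs items to the CVE; on the new side they sit under ChangeLog-4.16.11 with no CVE tag. The proc entry a few lines up carries "(CVE-2018-1120)" inline, so the SSB items could be tagged the same way to keep the fix findable by CVE id. The commit message also calls this a "Revert", which reads as if the mitigation were being backed out rather than picked up from the upstream update; a sentence saying so would help.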
@ -417,7 +473,8 @@ linux (4.16.10-1) UNRELEASED; urgency=medium
|
||||||
- x86/cpufeatures: Add FEATURE_ZEN
|
- x86/cpufeatures: Add FEATURE_ZEN
|
||||||
- x86/speculation: Handle HT correctly on AMD
|
- x86/speculation: Handle HT correctly on AMD
|
||||||
- x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
|
- x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
|
||||||
- x86/speculation: Add virtualized speculative store bypass disable support
|
- x86/speculation: Add virtualized speculative store bypass disable
|
||||||
|
support
|
||||||
- x86/speculation: Rework speculative_store_bypass_update()
|
- x86/speculation: Rework speculative_store_bypass_update()
|
||||||
- x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
|
- x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
|
||||||
- x86/bugs: Expose x86_spec_ctrl_base directly
|
- x86/bugs: Expose x86_spec_ctrl_base directly
|
||||||
|
@ -428,6 +485,15 @@ linux (4.16.10-1) UNRELEASED; urgency=medium
|
||||||
- x86/bugs: Rename SSBD_NO to SSB_NO
|
- x86/bugs: Rename SSBD_NO to SSB_NO
|
||||||
- bpf: Prevent memory disambiguation attack
|
- bpf: Prevent memory disambiguation attack
|
||||||
|
|
||||||
|
[ Romain Perier ]
|
||||||
|
* [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204)
|
||||||
|
* [armhf] MFD: Enable MFD_TPS65217 (Closes: #897590)
|
||||||
|
|
||||||
|
[ Ben Hutchings ]
|
||||||
|
* kbuild: use -fmacro-prefix-map to make __FILE__ a relative path
|
||||||
|
* Bump ABI to 2
|
||||||
|
* [rt] Update to 4.16.8-rt3
|
||||||
|
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* [rt] Update to 4.16.7-rt1 and reenable
|
* [rt] Update to 4.16.7-rt1 and reenable
|
||||||
* [rt] certs: Reference certificate for test key used in Debian signing
|
* [rt] certs: Reference certificate for test key used in Debian signing
|
||||||
|
|
|
@ -1,138 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Alexei Starovoitov <ast@kernel.org>
|
|
||||||
Date: Tue, 15 May 2018 09:27:05 -0700
|
|
||||||
Subject: bpf: Prevent memory disambiguation attack
|
|
||||||
|
|
||||||
From: Alexei Starovoitov <ast@kernel.org>
|
|
||||||
|
|
||||||
commit af86ca4e3088fe5eacf2f7e58c01fa68ca067672 upstream
|
|
||||||
|
|
||||||
Detect code patterns where malicious 'speculative store bypass' can be used
|
|
||||||
and sanitize such patterns.
|
|
||||||
|
|
||||||
39: (bf) r3 = r10
|
|
||||||
40: (07) r3 += -216
|
|
||||||
41: (79) r8 = *(u64 *)(r7 +0) // slow read
|
|
||||||
42: (7a) *(u64 *)(r10 -72) = 0 // verifier inserts this instruction
|
|
||||||
43: (7b) *(u64 *)(r8 +0) = r3 // this store becomes slow due to r8
|
|
||||||
44: (79) r1 = *(u64 *)(r6 +0) // cpu speculatively executes this load
|
|
||||||
45: (71) r2 = *(u8 *)(r1 +0) // speculatively arbitrary 'load byte'
|
|
||||||
// is now sanitized
|
|
||||||
|
|
||||||
Above code after x86 JIT becomes:
|
|
||||||
e5: mov %rbp,%rdx
|
|
||||||
e8: add $0xffffffffffffff28,%rdx
|
|
||||||
ef: mov 0x0(%r13),%r14
|
|
||||||
f3: movq $0x0,-0x48(%rbp)
|
|
||||||
fb: mov %rdx,0x0(%r14)
|
|
||||||
ff: mov 0x0(%rbx),%rdi
|
|
||||||
103: movzbq 0x0(%rdi),%rsi
|
|
||||||
|
|
||||||
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
include/linux/bpf_verifier.h | 1
|
|
||||||
kernel/bpf/verifier.c | 59 ++++++++++++++++++++++++++++++++++++++++---
|
|
||||||
2 files changed, 57 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
--- a/include/linux/bpf_verifier.h
|
|
||||||
+++ b/include/linux/bpf_verifier.h
|
|
||||||
@@ -146,6 +146,7 @@ struct bpf_insn_aux_data {
|
|
||||||
s32 call_imm; /* saved imm field of call insn */
|
|
||||||
};
|
|
||||||
int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
|
|
||||||
+ int sanitize_stack_off; /* stack slot to be cleared */
|
|
||||||
bool seen; /* this insn was processed by the verifier */
|
|
||||||
};
|
|
||||||
|
|
||||||
--- a/kernel/bpf/verifier.c
|
|
||||||
+++ b/kernel/bpf/verifier.c
|
|
||||||
@@ -970,7 +970,7 @@ static bool register_is_null(struct bpf_
|
|
||||||
*/
|
|
||||||
static int check_stack_write(struct bpf_verifier_env *env,
|
|
||||||
struct bpf_func_state *state, /* func where register points to */
|
|
||||||
- int off, int size, int value_regno)
|
|
||||||
+ int off, int size, int value_regno, int insn_idx)
|
|
||||||
{
|
|
||||||
struct bpf_func_state *cur; /* state of the current function */
|
|
||||||
int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
|
|
||||||
@@ -1009,8 +1009,33 @@ static int check_stack_write(struct bpf_
|
|
||||||
state->stack[spi].spilled_ptr = cur->regs[value_regno];
|
|
||||||
state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
|
|
||||||
|
|
||||||
- for (i = 0; i < BPF_REG_SIZE; i++)
|
|
||||||
+ for (i = 0; i < BPF_REG_SIZE; i++) {
|
|
||||||
+ if (state->stack[spi].slot_type[i] == STACK_MISC &&
|
|
||||||
+ !env->allow_ptr_leaks) {
|
|
||||||
+ int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;
|
|
||||||
+ int soff = (-spi - 1) * BPF_REG_SIZE;
|
|
||||||
+
|
|
||||||
+ /* detected reuse of integer stack slot with a pointer
|
|
||||||
+ * which means either llvm is reusing stack slot or
|
|
||||||
+ * an attacker is trying to exploit CVE-2018-3639
|
|
||||||
+ * (speculative store bypass)
|
|
||||||
+ * Have to sanitize that slot with preemptive
|
|
||||||
+ * store of zero.
|
|
||||||
+ */
|
|
||||||
+ if (*poff && *poff != soff) {
|
|
||||||
+ /* disallow programs where single insn stores
|
|
||||||
+ * into two different stack slots, since verifier
|
|
||||||
+ * cannot sanitize them
|
|
||||||
+ */
|
|
||||||
+ verbose(env,
|
|
||||||
+ "insn %d cannot access two stack slots fp%d and fp%d",
|
|
||||||
+ insn_idx, *poff, soff);
|
|
||||||
+ return -EINVAL;
|
|
||||||
+ }
|
|
||||||
+ *poff = soff;
|
|
||||||
+ }
|
|
||||||
state->stack[spi].slot_type[i] = STACK_SPILL;
|
|
||||||
+ }
|
|
||||||
} else {
|
|
||||||
u8 type = STACK_MISC;
|
|
||||||
|
|
||||||
@@ -1685,7 +1710,7 @@ static int check_mem_access(struct bpf_v
|
|
||||||
|
|
||||||
if (t == BPF_WRITE)
|
|
||||||
err = check_stack_write(env, state, off, size,
|
|
||||||
- value_regno);
|
|
||||||
+ value_regno, insn_idx);
|
|
||||||
else
|
|
||||||
err = check_stack_read(env, state, off, size,
|
|
||||||
value_regno);
|
|
||||||
@@ -5156,6 +5181,34 @@ static int convert_ctx_accesses(struct b
|
|
||||||
else
|
|
||||||
continue;
|
|
||||||
|
|
||||||
+ if (type == BPF_WRITE &&
|
|
||||||
+ env->insn_aux_data[i + delta].sanitize_stack_off) {
|
|
||||||
+ struct bpf_insn patch[] = {
|
|
||||||
+ /* Sanitize suspicious stack slot with zero.
|
|
||||||
+ * There are no memory dependencies for this store,
|
|
||||||
+ * since it's only using frame pointer and immediate
|
|
||||||
+ * constant of zero
|
|
||||||
+ */
|
|
||||||
+ BPF_ST_MEM(BPF_DW, BPF_REG_FP,
|
|
||||||
+ env->insn_aux_data[i + delta].sanitize_stack_off,
|
|
||||||
+ 0),
|
|
||||||
+ /* the original STX instruction will immediately
|
|
||||||
+ * overwrite the same stack slot with appropriate value
|
|
||||||
+ */
|
|
||||||
+ *insn,
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ cnt = ARRAY_SIZE(patch);
|
|
||||||
+ new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt);
|
|
||||||
+ if (!new_prog)
|
|
||||||
+ return -ENOMEM;
|
|
||||||
+
|
|
||||||
+ delta += cnt - 1;
|
|
||||||
+ env->prog = new_prog;
|
|
||||||
+ insn = new_prog->insnsi + i + delta;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
|
|
||||||
continue;
|
|
||||||
|
|
|
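Review bot: In the check_stack_write() part of this removed patch, the sanitizing store is requested only when !env->allow_ptr_leaks holds, and "if (*poff && *poff != soff)" relies on 0 meaning "no slot recorded" for sanitize_stack_off. Neither assumption is stated next to the new field, whose comment is just "stack slot to be cleared". The file is deleted whole (-1,138 +0,0) while the changelog keeps "bpf: Prevent memory disambiguation attack" in the upstream list, so it is worth confirming that the 4.16.11 verifier carries the same gating before this local copy goes.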
@ -1,83 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Borislav Petkov <bp@suse.de>
|
|
||||||
Date: Tue, 8 May 2018 15:43:45 +0200
|
|
||||||
Subject: Documentation/spec_ctrl: Do some minor cleanups
|
|
||||||
|
|
||||||
From: Borislav Petkov <bp@suse.de>
|
|
||||||
|
|
||||||
commit dd0792699c4058e63c0715d9a7c2d40226fcdddc upstream
|
|
||||||
|
|
||||||
Fix some typos, improve formulations, end sentences with a fullstop.
|
|
||||||
|
|
||||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
Documentation/userspace-api/spec_ctrl.rst | 24 ++++++++++++------------
|
|
||||||
1 file changed, 12 insertions(+), 12 deletions(-)
|
|
||||||
|
|
||||||
--- a/Documentation/userspace-api/spec_ctrl.rst
|
|
||||||
+++ b/Documentation/userspace-api/spec_ctrl.rst
|
|
||||||
@@ -2,13 +2,13 @@
|
|
||||||
Speculation Control
|
|
||||||
===================
|
|
||||||
|
|
||||||
-Quite some CPUs have speculation related misfeatures which are in fact
|
|
||||||
-vulnerabilites causing data leaks in various forms even accross privilege
|
|
||||||
-domains.
|
|
||||||
+Quite some CPUs have speculation-related misfeatures which are in
|
|
||||||
+fact vulnerabilities causing data leaks in various forms even across
|
|
||||||
+privilege domains.
|
|
||||||
|
|
||||||
The kernel provides mitigation for such vulnerabilities in various
|
|
||||||
-forms. Some of these mitigations are compile time configurable and some on
|
|
||||||
-the kernel command line.
|
|
||||||
+forms. Some of these mitigations are compile-time configurable and some
|
|
||||||
+can be supplied on the kernel command line.
|
|
||||||
|
|
||||||
There is also a class of mitigations which are very expensive, but they can
|
|
||||||
be restricted to a certain set of processes or tasks in controlled
|
|
||||||
@@ -32,18 +32,18 @@ the following meaning:
|
|
||||||
Bit Define Description
|
|
||||||
==== ===================== ===================================================
|
|
||||||
0 PR_SPEC_PRCTL Mitigation can be controlled per task by
|
|
||||||
- PR_SET_SPECULATION_CTRL
|
|
||||||
+ PR_SET_SPECULATION_CTRL.
|
|
||||||
1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
|
|
||||||
- disabled
|
|
||||||
+ disabled.
|
|
||||||
2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
|
|
||||||
- enabled
|
|
||||||
+ enabled.
|
|
||||||
3 PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
|
|
||||||
subsequent prctl(..., PR_SPEC_ENABLE) will fail.
|
|
||||||
==== ===================== ===================================================
|
|
||||||
|
|
||||||
If all bits are 0 the CPU is not affected by the speculation misfeature.
|
|
||||||
|
|
||||||
-If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
|
|
||||||
+If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
|
|
||||||
available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
|
|
||||||
misfeature will fail.
|
|
||||||
|
|
||||||
@@ -61,9 +61,9 @@ Common error codes
|
|
||||||
Value Meaning
|
|
||||||
======= =================================================================
|
|
||||||
EINVAL The prctl is not implemented by the architecture or unused
|
|
||||||
- prctl(2) arguments are not 0
|
|
||||||
+ prctl(2) arguments are not 0.
|
|
||||||
|
|
||||||
-ENODEV arg2 is selecting a not supported speculation misfeature
|
|
||||||
+ENODEV arg2 is selecting a not supported speculation misfeature.
|
|
||||||
======= =================================================================
|
|
||||||
|
|
||||||
PR_SET_SPECULATION_CTRL error codes
|
|
||||||
@@ -74,7 +74,7 @@ Value Meaning
|
|
||||||
0 Success
|
|
||||||
|
|
||||||
ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
|
|
||||||
- PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE
|
|
||||||
+ PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.
|
|
||||||
|
|
||||||
ENXIO Control of the selected speculation misfeature is not possible.
|
|
||||||
See PR_GET_SPECULATION_CTRL.
|
|
|
@ -1,206 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Tom Lendacky <thomas.lendacky@amd.com>
|
|
||||||
Date: Thu, 10 May 2018 22:06:39 +0200
|
|
||||||
Subject: KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
|
|
||||||
|
|
||||||
From: Tom Lendacky <thomas.lendacky@amd.com>
|
|
||||||
|
|
||||||
commit bc226f07dcd3c9ef0b7f6236fe356ea4a9cb4769 upstream
|
|
||||||
|
|
||||||
Expose the new virtualized architectural mechanism, VIRT_SSBD, for using
|
|
||||||
speculative store bypass disable (SSBD) under SVM. This will allow guests
|
|
||||||
to use SSBD on hardware that uses non-architectural mechanisms for enabling
|
|
||||||
SSBD.
|
|
||||||
|
|
||||||
[ tglx: Folded the migration fixup from Paolo Bonzini ]
|
|
||||||
|
|
||||||
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/kvm_host.h | 2 +-
|
|
||||||
arch/x86/kernel/cpu/common.c | 3 ++-
|
|
||||||
arch/x86/kvm/cpuid.c | 11 +++++++++--
|
|
||||||
arch/x86/kvm/svm.c | 21 +++++++++++++++++++--
|
|
||||||
arch/x86/kvm/vmx.c | 18 +++++++++++++++---
|
|
||||||
arch/x86/kvm/x86.c | 13 ++++---------
|
|
||||||
6 files changed, 50 insertions(+), 18 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/kvm_host.h
|
|
||||||
+++ b/arch/x86/include/asm/kvm_host.h
|
|
||||||
@@ -933,7 +933,7 @@ struct kvm_x86_ops {
|
|
||||||
int (*hardware_setup)(void); /* __init */
|
|
||||||
void (*hardware_unsetup)(void); /* __exit */
|
|
||||||
bool (*cpu_has_accelerated_tpr)(void);
|
|
||||||
- bool (*cpu_has_high_real_mode_segbase)(void);
|
|
||||||
+ bool (*has_emulated_msr)(int index);
|
|
||||||
void (*cpuid_update)(struct kvm_vcpu *vcpu);
|
|
||||||
|
|
||||||
int (*vm_init)(struct kvm *kvm);
|
|
||||||
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -767,7 +767,8 @@ static void init_speculation_control(str
|
|
||||||
if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
|
|
||||||
set_cpu_cap(c, X86_FEATURE_STIBP);
|
|
||||||
|
|
||||||
- if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD))
|
|
||||||
+ if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD) ||
|
|
||||||
+ cpu_has(c, X86_FEATURE_VIRT_SSBD))
|
|
||||||
set_cpu_cap(c, X86_FEATURE_SSBD);
|
|
||||||
|
|
||||||
if (cpu_has(c, X86_FEATURE_AMD_IBRS)) {
|
|
||||||
--- a/arch/x86/kvm/cpuid.c
|
|
||||||
+++ b/arch/x86/kvm/cpuid.c
|
|
||||||
@@ -374,7 +374,7 @@ static inline int __do_cpuid_ent(struct
|
|
||||||
|
|
||||||
/* cpuid 0x80000008.ebx */
|
|
||||||
const u32 kvm_cpuid_8000_0008_ebx_x86_features =
|
|
||||||
- F(AMD_IBPB) | F(AMD_IBRS);
|
|
||||||
+ F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD);
|
|
||||||
|
|
||||||
/* cpuid 0xC0000001.edx */
|
|
||||||
const u32 kvm_cpuid_C000_0001_edx_x86_features =
|
|
||||||
@@ -642,13 +642,20 @@ static inline int __do_cpuid_ent(struct
|
|
||||||
g_phys_as = phys_as;
|
|
||||||
entry->eax = g_phys_as | (virt_as << 8);
|
|
||||||
entry->edx = 0;
|
|
||||||
- /* IBRS and IBPB aren't necessarily present in hardware cpuid */
|
|
||||||
+ /*
|
|
||||||
+ * IBRS, IBPB and VIRT_SSBD aren't necessarily present in
|
|
||||||
+ * hardware cpuid
|
|
||||||
+ */
|
|
||||||
if (boot_cpu_has(X86_FEATURE_AMD_IBPB))
|
|
||||||
entry->ebx |= F(AMD_IBPB);
|
|
||||||
if (boot_cpu_has(X86_FEATURE_AMD_IBRS))
|
|
||||||
entry->ebx |= F(AMD_IBRS);
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
|
|
||||||
+ entry->ebx |= F(VIRT_SSBD);
|
|
||||||
entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features;
|
|
||||||
cpuid_mask(&entry->ebx, CPUID_8000_0008_EBX);
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
|
|
||||||
+ entry->ebx |= F(VIRT_SSBD);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
case 0x80000019:
|
|
||||||
--- a/arch/x86/kvm/svm.c
|
|
||||||
+++ b/arch/x86/kvm/svm.c
|
|
||||||
@@ -3971,6 +3971,13 @@ static int svm_get_msr(struct kvm_vcpu *
|
|
||||||
|
|
||||||
msr_info->data = svm->spec_ctrl;
|
|
||||||
break;
|
|
||||||
+ case MSR_AMD64_VIRT_SPEC_CTRL:
|
|
||||||
+ if (!msr_info->host_initiated &&
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD))
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+ msr_info->data = svm->virt_spec_ctrl;
|
|
||||||
+ break;
|
|
||||||
case MSR_F15H_IC_CFG: {
|
|
||||||
|
|
||||||
int family, model;
|
|
||||||
@@ -4105,6 +4112,16 @@ static int svm_set_msr(struct kvm_vcpu *
|
|
||||||
break;
|
|
||||||
set_msr_interception(svm->msrpm, MSR_IA32_PRED_CMD, 0, 1);
|
|
||||||
break;
|
|
||||||
+ case MSR_AMD64_VIRT_SPEC_CTRL:
|
|
||||||
+ if (!msr->host_initiated &&
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD))
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+ if (data & ~SPEC_CTRL_SSBD)
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+ svm->virt_spec_ctrl = data;
|
|
||||||
+ break;
|
|
||||||
case MSR_STAR:
|
|
||||||
svm->vmcb->save.star = data;
|
|
||||||
break;
|
|
||||||
@@ -5635,7 +5652,7 @@ static bool svm_cpu_has_accelerated_tpr(
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static bool svm_has_high_real_mode_segbase(void)
|
|
||||||
+static bool svm_has_emulated_msr(int index)
|
|
||||||
{
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
@@ -6859,7 +6876,7 @@ static struct kvm_x86_ops svm_x86_ops __
|
|
||||||
.hardware_enable = svm_hardware_enable,
|
|
||||||
.hardware_disable = svm_hardware_disable,
|
|
||||||
.cpu_has_accelerated_tpr = svm_cpu_has_accelerated_tpr,
|
|
||||||
- .cpu_has_high_real_mode_segbase = svm_has_high_real_mode_segbase,
|
|
||||||
+ .has_emulated_msr = svm_has_emulated_msr,
|
|
||||||
|
|
||||||
.vcpu_create = svm_create_vcpu,
|
|
||||||
.vcpu_free = svm_free_vcpu,
|
|
||||||
--- a/arch/x86/kvm/vmx.c
|
|
||||||
+++ b/arch/x86/kvm/vmx.c
|
|
||||||
@@ -9223,9 +9223,21 @@ static void vmx_handle_external_intr(str
|
|
||||||
}
|
|
||||||
STACK_FRAME_NON_STANDARD(vmx_handle_external_intr);
|
|
||||||
|
|
||||||
-static bool vmx_has_high_real_mode_segbase(void)
|
|
||||||
+static bool vmx_has_emulated_msr(int index)
|
|
||||||
{
|
|
||||||
- return enable_unrestricted_guest || emulate_invalid_guest_state;
|
|
||||||
+ switch (index) {
|
|
||||||
+ case MSR_IA32_SMBASE:
|
|
||||||
+ /*
|
|
||||||
+ * We cannot do SMM unless we can run the guest in big
|
|
||||||
+ * real mode.
|
|
||||||
+ */
|
|
||||||
+ return enable_unrestricted_guest || emulate_invalid_guest_state;
|
|
||||||
+ case MSR_AMD64_VIRT_SPEC_CTRL:
|
|
||||||
+ /* This is AMD only. */
|
|
||||||
+ return false;
|
|
||||||
+ default:
|
|
||||||
+ return true;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
static bool vmx_mpx_supported(void)
|
|
||||||
@@ -12295,7 +12307,7 @@ static struct kvm_x86_ops vmx_x86_ops __
|
|
||||||
.hardware_enable = hardware_enable,
|
|
||||||
.hardware_disable = hardware_disable,
|
|
||||||
.cpu_has_accelerated_tpr = report_flexpriority,
|
|
||||||
- .cpu_has_high_real_mode_segbase = vmx_has_high_real_mode_segbase,
|
|
||||||
+ .has_emulated_msr = vmx_has_emulated_msr,
|
|
||||||
|
|
||||||
.vcpu_create = vmx_create_vcpu,
|
|
||||||
.vcpu_free = vmx_free_vcpu,
|
|
||||||
--- a/arch/x86/kvm/x86.c
|
|
||||||
+++ b/arch/x86/kvm/x86.c
|
|
||||||
@@ -1045,6 +1045,7 @@ static u32 emulated_msrs[] = {
|
|
||||||
MSR_SMI_COUNT,
|
|
||||||
MSR_PLATFORM_INFO,
|
|
||||||
MSR_MISC_FEATURES_ENABLES,
|
|
||||||
+ MSR_AMD64_VIRT_SPEC_CTRL,
|
|
||||||
};
|
|
||||||
|
|
||||||
static unsigned num_emulated_msrs;
|
|
||||||
@@ -2843,7 +2844,7 @@ int kvm_vm_ioctl_check_extension(struct
|
|
||||||
* fringe case that is not enabled except via specific settings
|
|
||||||
* of the module parameters.
|
|
||||||
*/
|
|
||||||
- r = kvm_x86_ops->cpu_has_high_real_mode_segbase();
|
|
||||||
+ r = kvm_x86_ops->has_emulated_msr(MSR_IA32_SMBASE);
|
|
||||||
break;
|
|
||||||
case KVM_CAP_VAPIC:
|
|
||||||
r = !kvm_x86_ops->cpu_has_accelerated_tpr();
|
|
||||||
@@ -4522,14 +4523,8 @@ static void kvm_init_msr_list(void)
|
|
||||||
num_msrs_to_save = j;
|
|
||||||
|
|
||||||
for (i = j = 0; i < ARRAY_SIZE(emulated_msrs); i++) {
|
|
||||||
- switch (emulated_msrs[i]) {
|
|
||||||
- case MSR_IA32_SMBASE:
|
|
||||||
- if (!kvm_x86_ops->cpu_has_high_real_mode_segbase())
|
|
||||||
- continue;
|
|
||||||
- break;
|
|
||||||
- default:
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
+ if (!kvm_x86_ops->has_emulated_msr(emulated_msrs[i]))
|
|
||||||
+ continue;
|
|
||||||
|
|
||||||
if (j < i)
|
|
||||||
emulated_msrs[j] = emulated_msrs[i];
|
|
|
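Review bot: In the __do_cpuid_ent() hunk for cpuid.c, the second "entry->ebx |= F(VIRT_SSBD)" (under X86_FEATURE_LS_CFG_SSBD) comes after "cpuid_mask(&entry->ebx, CPUID_8000_0008_EBX)", so unlike the AMD_IBPB, AMD_IBRS and VIRT_SSBD bits set above it, it is not filtered by the mask. If that ordering is deliberate it needs a comment saying so; the updated block comment only says the bits "aren't necessarily present in hardware cpuid". Separately, svm_has_emulated_msr() ignores its index argument and returns true for every MSR, which deserves a one-line comment as well.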
@ -1,66 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Fri, 11 May 2018 15:21:01 +0200
|
|
||||||
Subject: KVM: SVM: Move spec control call after restore of GS
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 15e6c22fd8e5a42c5ed6d487b7c9fe44c2517765 upstream
|
|
||||||
|
|
||||||
svm_vcpu_run() invokes x86_spec_ctrl_restore_host() after VMEXIT, but
|
|
||||||
before the host GS is restored. x86_spec_ctrl_restore_host() uses 'current'
|
|
||||||
to determine the host SSBD state of the thread. 'current' is GS based, but
|
|
||||||
host GS is not yet restored and the access causes a triple fault.
|
|
||||||
|
|
||||||
Move the call after the host GS restore.
|
|
||||||
|
|
||||||
Fixes: 885f82bfbc6f x86/process: Allow runtime control of Speculative Store Bypass
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kvm/svm.c | 24 ++++++++++++------------
|
|
||||||
1 file changed, 12 insertions(+), 12 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kvm/svm.c
|
|
||||||
+++ b/arch/x86/kvm/svm.c
|
|
||||||
@@ -5495,6 +5495,18 @@ static void svm_vcpu_run(struct kvm_vcpu
|
|
||||||
#endif
|
|
||||||
);
|
|
||||||
|
|
||||||
+ /* Eliminate branch target predictions from guest mode */
|
|
||||||
+ vmexit_fill_RSB();
|
|
||||||
+
|
|
||||||
+#ifdef CONFIG_X86_64
|
|
||||||
+ wrmsrl(MSR_GS_BASE, svm->host.gs_base);
|
|
||||||
+#else
|
|
||||||
+ loadsegment(fs, svm->host.fs);
|
|
||||||
+#ifndef CONFIG_X86_32_LAZY_GS
|
|
||||||
+ loadsegment(gs, svm->host.gs);
|
|
||||||
+#endif
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* We do not use IBRS in the kernel. If this vCPU has used the
|
|
||||||
* SPEC_CTRL MSR it may have left it on; save the value and
|
|
||||||
@@ -5515,18 +5527,6 @@ static void svm_vcpu_run(struct kvm_vcpu
|
|
||||||
|
|
||||||
x86_spec_ctrl_restore_host(svm->spec_ctrl);
|
|
||||||
|
|
||||||
- /* Eliminate branch target predictions from guest mode */
|
|
||||||
- vmexit_fill_RSB();
|
|
||||||
-
|
|
||||||
-#ifdef CONFIG_X86_64
|
|
||||||
- wrmsrl(MSR_GS_BASE, svm->host.gs_base);
|
|
||||||
-#else
|
|
||||||
- loadsegment(fs, svm->host.fs);
|
|
||||||
-#ifndef CONFIG_X86_32_LAZY_GS
|
|
||||||
- loadsegment(gs, svm->host.gs);
|
|
||||||
-#endif
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
reload_tss(vcpu);
|
|
||||||
|
|
||||||
local_irq_disable();
|
|
|
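Review bot: The ordering requirement this patch fixes is recorded only in the commit message: nothing in the moved block in svm_vcpu_run() says that x86_spec_ctrl_restore_host() must stay below the "wrmsrl(MSR_GS_BASE, svm->host.gs_base)" and loadsegment() restore because it reads 'current'. A short comment above the x86_spec_ctrl_restore_host(svm->spec_ctrl) call would keep a later reshuffle from reintroducing the triple fault.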
@ -1,154 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
Date: Tue, 1 May 2018 15:19:04 -0700
|
|
||||||
Subject: nospec: Allow getting/setting on non-current task
|
|
||||||
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
|
|
||||||
commit 7bbf1373e228840bb0295a2ca26d548ef37f448e upstream
|
|
||||||
|
|
||||||
Adjust arch_prctl_get/set_spec_ctrl() to operate on tasks other than
|
|
||||||
current.
|
|
||||||
|
|
||||||
This is needed both for /proc/$pid/status queries and for seccomp (since
|
|
||||||
thread-syncing can trigger seccomp in non-current threads).
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 27 ++++++++++++++++-----------
|
|
||||||
include/linux/nospec.h | 7 +++++--
|
|
||||||
kernel/sys.c | 9 +++++----
|
|
||||||
3 files changed, 26 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -530,31 +530,35 @@ static void ssb_select_mitigation()
|
|
||||||
|
|
||||||
#undef pr_fmt
|
|
||||||
|
|
||||||
-static int ssb_prctl_set(unsigned long ctrl)
|
|
||||||
+static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
|
|
||||||
{
|
|
||||||
- bool rds = !!test_tsk_thread_flag(current, TIF_RDS);
|
|
||||||
+ bool rds = !!test_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
|
|
||||||
if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
|
|
||||||
return -ENXIO;
|
|
||||||
|
|
||||||
if (ctrl == PR_SPEC_ENABLE)
|
|
||||||
- clear_tsk_thread_flag(current, TIF_RDS);
|
|
||||||
+ clear_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
else
|
|
||||||
- set_tsk_thread_flag(current, TIF_RDS);
|
|
||||||
+ set_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
|
|
||||||
- if (rds != !!test_tsk_thread_flag(current, TIF_RDS))
|
|
||||||
+ /*
|
|
||||||
+ * If being set on non-current task, delay setting the CPU
|
|
||||||
+ * mitigation until it is next scheduled.
|
|
||||||
+ */
|
|
||||||
+ if (task == current && rds != !!test_tsk_thread_flag(task, TIF_RDS))
|
|
||||||
speculative_store_bypass_update();
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int ssb_prctl_get(void)
|
|
||||||
+static int ssb_prctl_get(struct task_struct *task)
|
|
||||||
{
|
|
||||||
switch (ssb_mode) {
|
|
||||||
case SPEC_STORE_BYPASS_DISABLE:
|
|
||||||
return PR_SPEC_DISABLE;
|
|
||||||
case SPEC_STORE_BYPASS_PRCTL:
|
|
||||||
- if (test_tsk_thread_flag(current, TIF_RDS))
|
|
||||||
+ if (test_tsk_thread_flag(task, TIF_RDS))
|
|
||||||
return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
|
|
||||||
return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
|
|
||||||
default:
|
|
||||||
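Review bot: In ssb_prctl_set(), the "did the flag change" decision is still built from a separate read (bool rds = !!test_tsk_thread_flag(task, TIF_RDS)), a set or clear, and a second read, which was harmless while the function only ever touched current but is a read-then-write sequence now that task can be any task. Two callers acting on the same task can interleave between those steps and both conclude that nothing changed, or both that something did. Suggest using test_and_set_tsk_thread_flag() / test_and_clear_tsk_thread_flag() so the flag update and the change detection come from one atomic operation, and stating in the new comment what serializes callers that pass a non-current task.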
@@ -564,24 +568,25 @@ static int ssb_prctl_get(void)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
|
|
||||||
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
|
|
||||||
+ unsigned long ctrl)
|
|
||||||
{
|
|
||||||
if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE)
|
|
||||||
return -ERANGE;
|
|
||||||
|
|
||||||
switch (which) {
|
|
||||||
case PR_SPEC_STORE_BYPASS:
|
|
||||||
- return ssb_prctl_set(ctrl);
|
|
||||||
+ return ssb_prctl_set(task, ctrl);
|
|
||||||
default:
|
|
||||||
return -ENODEV;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-int arch_prctl_spec_ctrl_get(unsigned long which)
|
|
||||||
+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
|
|
||||||
{
|
|
||||||
switch (which) {
|
|
||||||
case PR_SPEC_STORE_BYPASS:
|
|
||||||
- return ssb_prctl_get();
|
|
||||||
+ return ssb_prctl_get(task);
|
|
||||||
default:
|
|
||||||
return -ENODEV;
|
|
||||||
}
|
|
||||||
--- a/include/linux/nospec.h
|
|
||||||
+++ b/include/linux/nospec.h
|
|
||||||
@@ -7,6 +7,8 @@
|
|
||||||
#define _LINUX_NOSPEC_H
|
|
||||||
#include <asm/barrier.h>
|
|
||||||
|
|
||||||
+struct task_struct;
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
|
|
||||||
* @index: array element index
|
|
||||||
@@ -57,7 +59,8 @@ static inline unsigned long array_index_
|
|
||||||
})
|
|
||||||
|
|
||||||
/* Speculation control prctl */
|
|
||||||
-int arch_prctl_spec_ctrl_get(unsigned long which);
|
|
||||||
-int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl);
|
|
||||||
+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which);
|
|
||||||
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
|
|
||||||
+ unsigned long ctrl);
|
|
||||||
|
|
||||||
#endif /* _LINUX_NOSPEC_H */
|
|
||||||
--- a/kernel/sys.c
|
|
||||||
+++ b/kernel/sys.c
|
|
||||||
@@ -2192,12 +2192,13 @@ static int propagate_has_child_subreaper
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int __weak arch_prctl_spec_ctrl_get(unsigned long which)
|
|
||||||
+int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which)
|
|
||||||
{
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int __weak arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
|
|
||||||
+int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which,
|
|
||||||
+ unsigned long ctrl)
|
|
||||||
{
|
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
@@ -2413,12 +2414,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
|
|
||||||
case PR_GET_SPECULATION_CTRL:
|
|
||||||
if (arg3 || arg4 || arg5)
|
|
||||||
return -EINVAL;
|
|
||||||
- error = arch_prctl_spec_ctrl_get(arg2);
|
|
||||||
+ error = arch_prctl_spec_ctrl_get(me, arg2);
|
|
||||||
break;
|
|
||||||
case PR_SET_SPECULATION_CTRL:
|
|
||||||
if (arg4 || arg5)
|
|
||||||
return -EINVAL;
|
|
||||||
- error = arch_prctl_spec_ctrl_set(arg2, arg3);
|
|
||||||
+ error = arch_prctl_spec_ctrl_set(me, arg2, arg3);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
error = -EINVAL;
|
|
|
@ -1,207 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Thu, 3 May 2018 22:09:15 +0200
|
|
||||||
Subject: prctl: Add force disable speculation
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 356e4bfff2c5489e016fdb925adbf12a1e3950ee upstream
|
|
||||||
|
|
||||||
For certain use cases it is desired to enforce mitigations so they cannot
|
|
||||||
be undone afterwards. That's important for loader stubs which want to
|
|
||||||
prevent a child from disabling the mitigation again. Will also be used for
|
|
||||||
seccomp(). The extra state preserving of the prctl state for SSB is a
|
|
||||||
preparatory step for EBPF dynamic speculation control.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
Documentation/userspace-api/spec_ctrl.rst | 34 ++++++++++++++++++-----------
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 35 +++++++++++++++++++++---------
|
|
||||||
fs/proc/array.c | 3 ++
|
|
||||||
include/linux/sched.h | 10 +++++++-
|
|
||||||
include/uapi/linux/prctl.h | 1
|
|
||||||
5 files changed, 59 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
--- a/Documentation/userspace-api/spec_ctrl.rst
|
|
||||||
+++ b/Documentation/userspace-api/spec_ctrl.rst
|
|
||||||
@@ -25,19 +25,21 @@ PR_GET_SPECULATION_CTRL
|
|
||||||
-----------------------
|
|
||||||
|
|
||||||
PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
|
|
||||||
-which is selected with arg2 of prctl(2). The return value uses bits 0-2 with
|
|
||||||
+which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
|
|
||||||
the following meaning:
|
|
||||||
|
|
||||||
-==== ================ ===================================================
|
|
||||||
-Bit Define Description
|
|
||||||
-==== ================ ===================================================
|
|
||||||
-0 PR_SPEC_PRCTL Mitigation can be controlled per task by
|
|
||||||
- PR_SET_SPECULATION_CTRL
|
|
||||||
-1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
|
|
||||||
- disabled
|
|
||||||
-2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
|
|
||||||
- enabled
|
|
||||||
-==== ================ ===================================================
|
|
||||||
+==== ===================== ===================================================
|
|
||||||
+Bit Define Description
|
|
||||||
+==== ===================== ===================================================
|
|
||||||
+0 PR_SPEC_PRCTL Mitigation can be controlled per task by
|
|
||||||
+ PR_SET_SPECULATION_CTRL
|
|
||||||
+1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
|
|
||||||
+ disabled
|
|
||||||
+2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
|
|
||||||
+ enabled
|
|
||||||
+3 PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
|
|
||||||
+ subsequent prctl(..., PR_SPEC_ENABLE) will fail.
|
|
||||||
+==== ===================== ===================================================
|
|
||||||
|
|
||||||
If all bits are 0 the CPU is not affected by the speculation misfeature.
|
|
||||||
|
|
||||||
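Review bot: The new table row for PR_SPEC_FORCE_DISABLE says it "cannot be undone" but does not say for whom or for how long. The commit message motivates the flag with loader stubs that want to stop a child from re-enabling speculation, so the documentation should state explicitly whether the forced state is carried across fork() and execve(), and that it applies per task. Without that sentence a reader cannot tell from spec_ctrl.rst whether setting the bit in a launcher actually protects the program it starts.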
@@ -47,9 +49,11 @@ misfeature will fail.
|
|
||||||
|
|
||||||
PR_SET_SPECULATION_CTRL
|
|
||||||
-----------------------
|
|
||||||
+
|
|
||||||
PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
|
|
||||||
is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
|
|
||||||
-in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
|
|
||||||
+in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
|
|
||||||
+PR_SPEC_FORCE_DISABLE.
|
|
||||||
|
|
||||||
Common error codes
|
|
||||||
------------------
|
|
||||||
@@ -70,10 +74,13 @@ Value Meaning
|
|
||||||
0 Success
|
|
||||||
|
|
||||||
ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
|
|
||||||
- PR_SPEC_DISABLE
|
|
||||||
+ PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE
|
|
||||||
|
|
||||||
ENXIO Control of the selected speculation misfeature is not possible.
|
|
||||||
See PR_GET_SPECULATION_CTRL.
|
|
||||||
+
|
|
||||||
+EPERM Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
|
|
||||||
+ tried to enable it again.
|
|
||||||
======= =================================================================
|
|
||||||
|
|
||||||
Speculation misfeature controls
|
|
||||||
@@ -84,3 +91,4 @@ Speculation misfeature controls
|
|
||||||
* prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
|
|
||||||
* prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
|
|
||||||
* prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
|
|
||||||
+ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -533,21 +533,37 @@ static void ssb_select_mitigation()
|
|
||||||
|
|
||||||
static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
|
|
||||||
{
|
|
||||||
- bool rds = !!test_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
+ bool update;
|
|
||||||
|
|
||||||
if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
|
|
||||||
return -ENXIO;
|
|
||||||
|
|
||||||
- if (ctrl == PR_SPEC_ENABLE)
|
|
||||||
- clear_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
- else
|
|
||||||
- set_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
+ switch (ctrl) {
|
|
||||||
+ case PR_SPEC_ENABLE:
|
|
||||||
+ /* If speculation is force disabled, enable is not allowed */
|
|
||||||
+ if (task_spec_ssb_force_disable(task))
|
|
||||||
+ return -EPERM;
|
|
||||||
+ task_clear_spec_ssb_disable(task);
|
|
||||||
+ update = test_and_clear_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
+ break;
|
|
||||||
+ case PR_SPEC_DISABLE:
|
|
||||||
+ task_set_spec_ssb_disable(task);
|
|
||||||
+ update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
+ break;
|
|
||||||
+ case PR_SPEC_FORCE_DISABLE:
|
|
||||||
+ task_set_spec_ssb_disable(task);
|
|
||||||
+ task_set_spec_ssb_force_disable(task);
|
|
||||||
+ update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ return -ERANGE;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If being set on non-current task, delay setting the CPU
|
|
||||||
* mitigation until it is next scheduled.
|
|
||||||
*/
|
|
||||||
- if (task == current && rds != !!test_tsk_thread_flag(task, TIF_RDS))
|
|
||||||
+ if (task == current && update)
|
|
||||||
speculative_store_bypass_update();
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
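Review bot: In the PR_SPEC_ENABLE case the test task_spec_ssb_force_disable(task) and the following task_clear_spec_ssb_disable(task) are two separate steps on a task that need not be current, and nothing in this hunk shows what keeps a concurrent PR_SPEC_FORCE_DISABLE on the same task from landing between them. If that happens the task ends up with the force bit set while the disable bit and TIF_RDS are cleared, which is exactly the state the -EPERM check is meant to rule out. Please document the locking the callers are expected to hold, or make the check and the clear a single step. Minor: the PR_SPEC_DISABLE and PR_SPEC_FORCE_DISABLE cases repeat the same two statements; setting the force bit first and falling through would keep them from drifting apart.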
@@ -559,7 +575,9 @@ static int ssb_prctl_get(struct task_str
|
|
||||||
case SPEC_STORE_BYPASS_DISABLE:
|
|
||||||
return PR_SPEC_DISABLE;
|
|
||||||
case SPEC_STORE_BYPASS_PRCTL:
|
|
||||||
- if (test_tsk_thread_flag(task, TIF_RDS))
|
|
||||||
+ if (task_spec_ssb_force_disable(task))
|
|
||||||
+ return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
|
|
||||||
+ if (task_spec_ssb_disable(task))
|
|
||||||
return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
|
|
||||||
return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
|
|
||||||
default:
|
|
||||||
@@ -572,9 +590,6 @@ static int ssb_prctl_get(struct task_str
|
|
||||||
int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
|
|
||||||
unsigned long ctrl)
|
|
||||||
{
|
|
||||||
- if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE)
|
|
||||||
- return -ERANGE;
|
|
||||||
-
|
|
||||||
switch (which) {
|
|
||||||
case PR_SPEC_STORE_BYPASS:
|
|
||||||
return ssb_prctl_set(task, ctrl);
|
|
||||||
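Review bot: Removing the ctrl range check from arch_prctl_spec_ctrl_set() changes which errno user space sees for a bad arg3. Before, -ERANGE was returned ahead of everything else; now an unknown "which" yields -ENODEV first, and in ssb_prctl_set() the ssb_mode test returns -ENXIO before the switch default can return -ERANGE. That is a user-visible ordering change that the spec_ctrl.rst update in this patch does not mention. Either keep a common validation here that also accepts PR_SPEC_FORCE_DISABLE, or note the precedence in the documentation and in a comment so that every future per-misfeature handler remembers to validate ctrl itself.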
--- a/fs/proc/array.c
|
|
||||||
+++ b/fs/proc/array.c
|
|
||||||
@@ -356,6 +356,9 @@ static inline void task_seccomp(struct s
|
|
||||||
case PR_SPEC_NOT_AFFECTED:
|
|
||||||
seq_printf(m, "not vulnerable");
|
|
||||||
break;
|
|
||||||
+ case PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE:
|
|
||||||
+ seq_printf(m, "thread force mitigated");
|
|
||||||
+ break;
|
|
||||||
case PR_SPEC_PRCTL | PR_SPEC_DISABLE:
|
|
||||||
seq_printf(m, "thread mitigated");
|
|
||||||
break;
|
|
||||||
--- a/include/linux/sched.h
|
|
||||||
+++ b/include/linux/sched.h
|
|
||||||
@@ -1365,7 +1365,8 @@ static inline bool is_percpu_thread(void
|
|
||||||
#define PFA_NO_NEW_PRIVS 0 /* May not gain new privileges. */
|
|
||||||
#define PFA_SPREAD_PAGE 1 /* Spread page cache over cpuset */
|
|
||||||
#define PFA_SPREAD_SLAB 2 /* Spread some slab caches over cpuset */
|
|
||||||
-
|
|
||||||
+#define PFA_SPEC_SSB_DISABLE 3 /* Speculative Store Bypass disabled */
|
|
||||||
+#define PFA_SPEC_SSB_FORCE_DISABLE 4 /* Speculative Store Bypass force disabled*/
|
|
||||||
|
|
||||||
#define TASK_PFA_TEST(name, func) \
|
|
||||||
static inline bool task_##func(struct task_struct *p) \
|
|
||||||
@@ -1390,6 +1391,13 @@ TASK_PFA_TEST(SPREAD_SLAB, spread_slab)
|
|
||||||
TASK_PFA_SET(SPREAD_SLAB, spread_slab)
|
|
||||||
TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab)
|
|
||||||
|
|
||||||
+TASK_PFA_TEST(SPEC_SSB_DISABLE, spec_ssb_disable)
|
|
||||||
+TASK_PFA_SET(SPEC_SSB_DISABLE, spec_ssb_disable)
|
|
||||||
+TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable)
|
|
||||||
+
|
|
||||||
+TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
|
|
||||||
+TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
|
|
||||||
+
|
|
||||||
static inline void
|
|
||||||
current_restore_flags(unsigned long orig_flags, unsigned long flags)
|
|
||||||
{
|
|
||||||
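Review bot: SPEC_SSB_FORCE_DISABLE gets TASK_PFA_TEST and TASK_PFA_SET but no TASK_PFA_CLEAR, unlike SPEC_SSB_DISABLE directly above it. That looks deliberate, since the bit is meant to be irreversible, but nothing here says so, and the asymmetry is easy to "fix" by accident later. A one-line comment above the pair stating that a clear helper must not be added would protect the guarantee. Nit in the previous hunk: the comment on PFA_SPEC_SSB_FORCE_DISABLE is missing the space before the closing */.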
--- a/include/uapi/linux/prctl.h
|
|
||||||
+++ b/include/uapi/linux/prctl.h
|
|
||||||
@@ -217,5 +217,6 @@ struct prctl_mm_map {
|
|
||||||
# define PR_SPEC_PRCTL (1UL << 0)
|
|
||||||
# define PR_SPEC_ENABLE (1UL << 1)
|
|
||||||
# define PR_SPEC_DISABLE (1UL << 2)
|
|
||||||
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
|
|
||||||
|
|
||||||
#endif /* _LINUX_PRCTL_H */
|
|
|
@ -1,239 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Sun, 29 Apr 2018 15:20:11 +0200
|
|
||||||
Subject: prctl: Add speculation control prctls
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit b617cfc858161140d69cc0b5cc211996b557a1c7 upstream
|
|
||||||
|
|
||||||
Add two new prctls to control aspects of speculation related vulnerabilities
|
|
||||||
and their mitigations to provide finer grained control over performance
|
|
||||||
impacting mitigations.
|
|
||||||
|
|
||||||
PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
|
|
||||||
which is selected with arg2 of prctl(2). The return value uses bit 0-2 with
|
|
||||||
the following meaning:
|
|
||||||
|
|
||||||
Bit Define Description
|
|
||||||
0 PR_SPEC_PRCTL Mitigation can be controlled per task by
|
|
||||||
PR_SET_SPECULATION_CTRL
|
|
||||||
1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
|
|
||||||
disabled
|
|
||||||
2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
|
|
||||||
enabled
|
|
||||||
|
|
||||||
If all bits are 0 the CPU is not affected by the speculation misfeature.
|
|
||||||
|
|
||||||
If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
|
|
||||||
available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
|
|
||||||
misfeature will fail.
|
|
||||||
|
|
||||||
PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
|
|
||||||
is selected by arg2 of prctl(2) per task. arg3 is used to hand in the
|
|
||||||
control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
|
|
||||||
|
|
||||||
The common return values are:
|
|
||||||
|
|
||||||
EINVAL prctl is not implemented by the architecture or the unused prctl()
|
|
||||||
arguments are not 0
|
|
||||||
ENODEV arg2 is selecting a not supported speculation misfeature
|
|
||||||
|
|
||||||
PR_SET_SPECULATION_CTRL has these additional return values:
|
|
||||||
|
|
||||||
ERANGE arg3 is incorrect, i.e. it's not either PR_SPEC_ENABLE or PR_SPEC_DISABLE
|
|
||||||
ENXIO prctl control of the selected speculation misfeature is disabled
|
|
||||||
|
|
||||||
The first supported controllable speculation misfeature is
|
|
||||||
PR_SPEC_STORE_BYPASS. Add the define so this can be shared between
|
|
||||||
architectures.
|
|
||||||
|
|
||||||
Based on an initial patch from Tim Chen and mostly rewritten.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
Documentation/userspace-api/index.rst | 1
|
|
||||||
Documentation/userspace-api/spec_ctrl.rst | 86 ++++++++++++++++++++++++++++++
|
|
||||||
include/linux/nospec.h | 5 +
|
|
||||||
include/uapi/linux/prctl.h | 11 +++
|
|
||||||
kernel/sys.c | 22 +++++++
|
|
||||||
5 files changed, 125 insertions(+)
|
|
||||||
create mode 100644 Documentation/userspace-api/spec_ctrl.rst
|
|
||||||
|
|
||||||
--- a/Documentation/userspace-api/index.rst
|
|
||||||
+++ b/Documentation/userspace-api/index.rst
|
|
||||||
@@ -19,6 +19,7 @@ place where this information is gathered
|
|
||||||
no_new_privs
|
|
||||||
seccomp_filter
|
|
||||||
unshare
|
|
||||||
+ spec_ctrl
|
|
||||||
|
|
||||||
.. only:: subproject and html
|
|
||||||
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/Documentation/userspace-api/spec_ctrl.rst
|
|
||||||
@@ -0,0 +1,86 @@
|
|
||||||
+===================
|
|
||||||
+Speculation Control
|
|
||||||
+===================
|
|
||||||
+
|
|
||||||
+Quite some CPUs have speculation related misfeatures which are in fact
|
|
||||||
+vulnerabilites causing data leaks in various forms even accross privilege
|
|
||||||
+domains.
|
|
||||||
+
|
|
||||||
+The kernel provides mitigation for such vulnerabilities in various
|
|
||||||
+forms. Some of these mitigations are compile time configurable and some on
|
|
||||||
+the kernel command line.
|
|
||||||
+
|
|
||||||
+There is also a class of mitigations which are very expensive, but they can
|
|
||||||
+be restricted to a certain set of processes or tasks in controlled
|
|
||||||
+environments. The mechanism to control these mitigations is via
|
|
||||||
+:manpage:`prctl(2)`.
|
|
||||||
+
|
|
||||||
+There are two prctl options which are related to this:
|
|
||||||
+
|
|
||||||
+ * PR_GET_SPECULATION_CTRL
|
|
||||||
+
|
|
||||||
+ * PR_SET_SPECULATION_CTRL
|
|
||||||
+
|
|
||||||
+PR_GET_SPECULATION_CTRL
|
|
||||||
+-----------------------
|
|
||||||
+
|
|
||||||
+PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
|
|
||||||
+which is selected with arg2 of prctl(2). The return value uses bits 0-2 with
|
|
||||||
+the following meaning:
|
|
||||||
+
|
|
||||||
+==== ================ ===================================================
|
|
||||||
+Bit Define Description
|
|
||||||
+==== ================ ===================================================
|
|
||||||
+0 PR_SPEC_PRCTL Mitigation can be controlled per task by
|
|
||||||
+ PR_SET_SPECULATION_CTRL
|
|
||||||
+1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
|
|
||||||
+ disabled
|
|
||||||
+2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
|
|
||||||
+ enabled
|
|
||||||
+==== ================ ===================================================
|
|
||||||
+
|
|
||||||
+If all bits are 0 the CPU is not affected by the speculation misfeature.
|
|
||||||
+
|
|
||||||
+If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
|
|
||||||
+available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
|
|
||||||
+misfeature will fail.
|
|
||||||
+
|
|
||||||
+PR_SET_SPECULATION_CTRL
|
|
||||||
+-----------------------
|
|
||||||
+PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
|
|
||||||
+is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
|
|
||||||
+in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
|
|
||||||
+
|
|
||||||
+Common error codes
|
|
||||||
+------------------
|
|
||||||
+======= =================================================================
|
|
||||||
+Value Meaning
|
|
||||||
+======= =================================================================
|
|
||||||
+EINVAL The prctl is not implemented by the architecture or unused
|
|
||||||
+ prctl(2) arguments are not 0
|
|
||||||
+
|
|
||||||
+ENODEV arg2 is selecting a not supported speculation misfeature
|
|
||||||
+======= =================================================================
|
|
||||||
+
|
|
||||||
+PR_SET_SPECULATION_CTRL error codes
|
|
||||||
+-----------------------------------
|
|
||||||
+======= =================================================================
|
|
||||||
+Value Meaning
|
|
||||||
+======= =================================================================
|
|
||||||
+0 Success
|
|
||||||
+
|
|
||||||
+ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
|
|
||||||
+ PR_SPEC_DISABLE
|
|
||||||
+
|
|
||||||
+ENXIO Control of the selected speculation misfeature is not possible.
|
|
||||||
+ See PR_GET_SPECULATION_CTRL.
|
|
||||||
+======= =================================================================
|
|
||||||
+
|
|
||||||
+Speculation misfeature controls
|
|
||||||
+-------------------------------
|
|
||||||
+- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
|
|
||||||
+
|
|
||||||
+ Invocations:
|
|
||||||
+ * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
|
|
||||||
+ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
|
|
||||||
+ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
|
|
||||||
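Review bot: The PR_GET_SPECULATION_CTRL section of the new spec_ctrl.rst explains the all-zero result and the case where PR_SPEC_PRCTL is set, but not what a caller should conclude when PR_SPEC_ENABLE or PR_SPEC_DISABLE comes back without PR_SPEC_PRCTL, i.e. when the state is fixed system-wide and not controllable per task. Please add a sentence for that case so callers do not treat "PR_SPEC_PRCTL clear" as an error. Spelling in the introduction: "vulnerabilites" should be "vulnerabilities" and "accross" should be "across". The PR_SET_SPECULATION_CTRL, "Common error codes", "PR_SET_SPECULATION_CTRL error codes" and "Speculation misfeature controls" headings are followed directly by body text, while the PR_GET_SPECULATION_CTRL heading has a blank line after it; make them consistent.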
--- a/include/linux/nospec.h
|
|
||||||
+++ b/include/linux/nospec.h
|
|
||||||
@@ -55,4 +55,9 @@ static inline unsigned long array_index_
|
|
||||||
\
|
|
||||||
(typeof(_i)) (_i & _mask); \
|
|
||||||
})
|
|
||||||
+
|
|
||||||
+/* Speculation control prctl */
|
|
||||||
+int arch_prctl_spec_ctrl_get(unsigned long which);
|
|
||||||
+int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl);
|
|
||||||
+
|
|
||||||
#endif /* _LINUX_NOSPEC_H */
|
|
||||||
--- a/include/uapi/linux/prctl.h
|
|
||||||
+++ b/include/uapi/linux/prctl.h
|
|
||||||
@@ -207,4 +207,15 @@ struct prctl_mm_map {
|
|
||||||
# define PR_SVE_VL_LEN_MASK 0xffff
|
|
||||||
# define PR_SVE_VL_INHERIT (1 << 17) /* inherit across exec */
|
|
||||||
|
|
||||||
+/* Per task speculation control */
|
|
||||||
+#define PR_GET_SPECULATION_CTRL 52
|
|
||||||
+#define PR_SET_SPECULATION_CTRL 53
|
|
||||||
+/* Speculation control variants */
|
|
||||||
+# define PR_SPEC_STORE_BYPASS 0
|
|
||||||
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
|
|
||||||
+# define PR_SPEC_NOT_AFFECTED 0
|
|
||||||
+# define PR_SPEC_PRCTL (1UL << 0)
|
|
||||||
+# define PR_SPEC_ENABLE (1UL << 1)
|
|
||||||
+# define PR_SPEC_DISABLE (1UL << 2)
|
|
||||||
+
|
|
||||||
#endif /* _LINUX_PRCTL_H */
|
|
||||||
--- a/kernel/sys.c
|
|
||||||
+++ b/kernel/sys.c
|
|
||||||
@@ -61,6 +61,8 @@
|
|
||||||
#include <linux/uidgid.h>
|
|
||||||
#include <linux/cred.h>
|
|
||||||
|
|
||||||
+#include <linux/nospec.h>
|
|
||||||
+
|
|
||||||
#include <linux/kmsg_dump.h>
|
|
||||||
/* Move somewhere else to avoid recompiling? */
|
|
||||||
#include <generated/utsrelease.h>
|
|
||||||
@@ -2190,6 +2192,16 @@ static int propagate_has_child_subreaper
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int __weak arch_prctl_spec_ctrl_get(unsigned long which)
|
|
||||||
+{
|
|
||||||
+ return -EINVAL;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int __weak arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
|
|
||||||
+{
|
|
||||||
+ return -EINVAL;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
|
|
||||||
unsigned long, arg4, unsigned long, arg5)
|
|
||||||
{
|
|
||||||
@@ -2398,6 +2410,16 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
|
|
||||||
case PR_SVE_GET_VL:
|
|
||||||
error = SVE_GET_VL();
|
|
||||||
break;
|
|
||||||
+ case PR_GET_SPECULATION_CTRL:
|
|
||||||
+ if (arg3 || arg4 || arg5)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+ error = arch_prctl_spec_ctrl_get(arg2);
|
|
||||||
+ break;
|
|
||||||
+ case PR_SET_SPECULATION_CTRL:
|
|
||||||
+ if (arg4 || arg5)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+ error = arch_prctl_spec_ctrl_set(arg2, arg3);
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
error = -EINVAL;
|
|
||||||
break;
|
|
|
@ -1,57 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
Date: Tue, 1 May 2018 15:31:45 -0700
|
|
||||||
Subject: proc: Provide details on speculation flaw mitigations
|
|
||||||
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
|
|
||||||
commit fae1fa0fc6cca8beee3ab8ed71d54f9a78fa3f64 upstream
|
|
||||||
|
|
||||||
As done with seccomp and no_new_privs, also show speculation flaw
|
|
||||||
mitigation state in /proc/$pid/status.
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
fs/proc/array.c | 22 ++++++++++++++++++++++
|
|
||||||
1 file changed, 22 insertions(+)
|
|
||||||
|
|
||||||
--- a/fs/proc/array.c
|
|
||||||
+++ b/fs/proc/array.c
|
|
||||||
@@ -85,6 +85,7 @@
|
|
||||||
#include <linux/delayacct.h>
|
|
||||||
#include <linux/seq_file.h>
|
|
||||||
#include <linux/pid_namespace.h>
|
|
||||||
+#include <linux/prctl.h>
|
|
||||||
#include <linux/ptrace.h>
|
|
||||||
#include <linux/tracehook.h>
|
|
||||||
#include <linux/string_helpers.h>
|
|
||||||
@@ -347,6 +348,27 @@ static inline void task_seccomp(struct s
|
|
||||||
#ifdef CONFIG_SECCOMP
|
|
||||||
seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
|
|
||||||
#endif
|
|
||||||
+ seq_printf(m, "\nSpeculation Store Bypass:\t");
|
|
||||||
+ switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
|
|
||||||
+ case -EINVAL:
|
|
||||||
+ seq_printf(m, "unknown");
|
|
||||||
+ break;
|
|
||||||
+ case PR_SPEC_NOT_AFFECTED:
|
|
||||||
+ seq_printf(m, "not vulnerable");
|
|
||||||
+ break;
|
|
||||||
+ case PR_SPEC_PRCTL | PR_SPEC_DISABLE:
|
|
||||||
+ seq_printf(m, "thread mitigated");
|
|
||||||
+ break;
|
|
||||||
+ case PR_SPEC_PRCTL | PR_SPEC_ENABLE:
|
|
||||||
+ seq_printf(m, "thread vulnerable");
|
|
||||||
+ break;
|
|
||||||
+ case PR_SPEC_DISABLE:
|
|
||||||
+ seq_printf(m, "globally mitigated");
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ seq_printf(m, "vulnerable");
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
seq_putc(m, '\n');
|
|
||||||
}
|
|
||||||
|
|
|
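Review bot: The default label in the new switch prints "vulnerable" for every value that is not listed, which includes any negative return other than -EINVAL and any bit combination a later patch might introduce. A status line that asserts a security state should not be the fallback for "could not determine". Suggest printing "unknown" for negative returns and for unrecognized combinations, and reserving "vulnerable" for an explicit PR_SPEC_ENABLE case. Minor: the strings are constants, so seq_puts() would do instead of seq_printf(), and the block sits after the #endif of CONFIG_SECCOMP inside task_seccomp(), which is worth a comment or a rename since it is emitted regardless of seccomp support.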
@ -1,30 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 9 May 2018 21:41:38 +0200
|
|
||||||
Subject: proc: Use underscores for SSBD in 'status'
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit e96f46ee8587607a828f783daa6eb5b44d25004d upstream
|
|
||||||
|
|
||||||
The style for the 'status' file is CamelCase or this. _.
|
|
||||||
|
|
||||||
Fixes: fae1fa0fc ("proc: Provide details on speculation flaw mitigations")
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
fs/proc/array.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/fs/proc/array.c
|
|
||||||
+++ b/fs/proc/array.c
|
|
||||||
@@ -348,7 +348,7 @@ static inline void task_seccomp(struct s
|
|
||||||
#ifdef CONFIG_SECCOMP
|
|
||||||
seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
|
|
||||||
#endif
|
|
||||||
- seq_printf(m, "\nSpeculation Store Bypass:\t");
|
|
||||||
+ seq_printf(m, "\nSpeculation_Store_Bypass:\t");
|
|
||||||
switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
|
|
||||||
case -EINVAL:
|
|
||||||
seq_printf(m, "unknown");
|
|
|
@ -1,169 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
Date: Thu, 3 May 2018 14:56:12 -0700
|
|
||||||
Subject: seccomp: Add filter flag to opt-out of SSB mitigation
|
|
||||||
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
|
|
||||||
commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream
|
|
||||||
|
|
||||||
If a seccomp user is not interested in Speculative Store Bypass mitigation
|
|
||||||
by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when
|
|
||||||
adding filters.
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
include/linux/seccomp.h | 5 +++--
|
|
||||||
include/uapi/linux/seccomp.h | 5 +++--
|
|
||||||
kernel/seccomp.c | 19 +++++++++++--------
|
|
||||||
tools/testing/selftests/seccomp/seccomp_bpf.c | 22 +++++++++++++++++++---
|
|
||||||
4 files changed, 36 insertions(+), 15 deletions(-)
|
|
||||||
|
|
||||||
--- a/include/linux/seccomp.h
|
|
||||||
+++ b/include/linux/seccomp.h
|
|
||||||
@@ -4,8 +4,9 @@
|
|
||||||
|
|
||||||
#include <uapi/linux/seccomp.h>
|
|
||||||
|
|
||||||
-#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \
|
|
||||||
- SECCOMP_FILTER_FLAG_LOG)
|
|
||||||
+#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \
|
|
||||||
+ SECCOMP_FILTER_FLAG_LOG | \
|
|
||||||
+ SECCOMP_FILTER_FLAG_SPEC_ALLOW)
|
|
||||||
|
|
||||||
#ifdef CONFIG_SECCOMP
|
|
||||||
|
|
||||||
--- a/include/uapi/linux/seccomp.h
|
|
||||||
+++ b/include/uapi/linux/seccomp.h
|
|
||||||
@@ -17,8 +17,9 @@
|
|
||||||
#define SECCOMP_GET_ACTION_AVAIL 2
|
|
||||||
|
|
||||||
/* Valid flags for SECCOMP_SET_MODE_FILTER */
|
|
||||||
-#define SECCOMP_FILTER_FLAG_TSYNC 1
|
|
||||||
-#define SECCOMP_FILTER_FLAG_LOG 2
|
|
||||||
+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
|
|
||||||
+#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
|
|
||||||
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
|
|
||||||
|
|
||||||
/*
|
|
||||||
* All BPF programs must return a 32-bit value.
|
|
||||||
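Review bot: SECCOMP_FILTER_FLAG_SPEC_ALLOW is added to the uapi header with no comment, yet it is the only flag in this list that weakens a default protection: per the kernel/seccomp.c change in this patch, passing it skips spec_mitigate() for the task. The name alone does not tell a filter author that. Please add a comment here stating that the flag opts the task out of the Speculative Store Bypass mitigation seccomp otherwise applies. Also note that rewriting the existing values from 1 and 2 to (1UL << 0) and (1UL << 1) changes the type of exported constants to unsigned long, while the selftest in the same patch stores them in an unsigned int flags[] array; worth confirming no user-space consumer depends on the old type.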
--- a/kernel/seccomp.c
|
|
||||||
+++ b/kernel/seccomp.c
|
|
||||||
@@ -243,7 +243,8 @@ static inline void spec_mitigate(struct
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline void seccomp_assign_mode(struct task_struct *task,
|
|
||||||
- unsigned long seccomp_mode)
|
|
||||||
+ unsigned long seccomp_mode,
|
|
||||||
+ unsigned long flags)
|
|
||||||
{
|
|
||||||
assert_spin_locked(&task->sighand->siglock);
|
|
||||||
|
|
||||||
@@ -253,8 +254,9 @@ static inline void seccomp_assign_mode(s
|
|
||||||
* filter) is set.
|
|
||||||
*/
|
|
||||||
smp_mb__before_atomic();
|
|
||||||
- /* Assume seccomp processes want speculation flaw mitigation. */
|
|
||||||
- spec_mitigate(task, PR_SPEC_STORE_BYPASS);
|
|
||||||
+ /* Assume default seccomp processes want spec flaw mitigation. */
|
|
||||||
+ if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
|
|
||||||
+ spec_mitigate(task, PR_SPEC_STORE_BYPASS);
|
|
||||||
set_tsk_thread_flag(task, TIF_SECCOMP);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -322,7 +324,7 @@ static inline pid_t seccomp_can_sync_thr
|
|
||||||
* without dropping the locks.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
-static inline void seccomp_sync_threads(void)
|
|
||||||
+static inline void seccomp_sync_threads(unsigned long flags)
|
|
||||||
{
|
|
||||||
struct task_struct *thread, *caller;
|
|
||||||
|
|
||||||
@@ -363,7 +365,8 @@ static inline void seccomp_sync_threads(
|
|
||||||
* allow one thread to transition the other.
|
|
||||||
*/
|
|
||||||
if (thread->seccomp.mode == SECCOMP_MODE_DISABLED)
|
|
||||||
- seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
|
|
||||||
+ seccomp_assign_mode(thread, SECCOMP_MODE_FILTER,
|
|
||||||
+ flags);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -486,7 +489,7 @@ static long seccomp_attach_filter(unsign
|
|
||||||
|
|
||||||
/* Now that the new filter is in place, synchronize to all threads. */
|
|
||||||
if (flags & SECCOMP_FILTER_FLAG_TSYNC)
|
|
||||||
- seccomp_sync_threads();
|
|
||||||
+ seccomp_sync_threads(flags);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -835,7 +838,7 @@ static long seccomp_set_mode_strict(void
|
|
||||||
#ifdef TIF_NOTSC
|
|
||||||
disable_TSC();
|
|
||||||
#endif
|
|
||||||
- seccomp_assign_mode(current, seccomp_mode);
|
|
||||||
+ seccomp_assign_mode(current, seccomp_mode, 0);
|
|
||||||
ret = 0;
|
|
||||||
|
|
||||||
out:
|
|
||||||
@@ -893,7 +896,7 @@ static long seccomp_set_mode_filter(unsi
|
|
||||||
/* Do not free the successfully attached filter. */
|
|
||||||
prepared = NULL;
|
|
||||||
|
|
||||||
- seccomp_assign_mode(current, seccomp_mode);
|
|
||||||
+ seccomp_assign_mode(current, seccomp_mode, flags);
|
|
||||||
out:
|
|
||||||
spin_unlock_irq(¤t->sighand->siglock);
|
|
||||||
if (flags & SECCOMP_FILTER_FLAG_TSYNC)
|
|
||||||
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
|
|
||||||
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
|
|
||||||
@@ -134,11 +134,15 @@ struct seccomp_data {
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef SECCOMP_FILTER_FLAG_TSYNC
|
|
||||||
-#define SECCOMP_FILTER_FLAG_TSYNC 1
|
|
||||||
+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef SECCOMP_FILTER_FLAG_LOG
|
|
||||||
-#define SECCOMP_FILTER_FLAG_LOG 2
|
|
||||||
+#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
|
|
||||||
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef PTRACE_SECCOMP_GET_METADATA
|
|
||||||
@@ -2072,14 +2076,26 @@ TEST(seccomp_syscall_mode_lock)
|
|
||||||
TEST(detect_seccomp_filter_flags)
|
|
||||||
{
|
|
||||||
unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
|
|
||||||
- SECCOMP_FILTER_FLAG_LOG };
|
|
||||||
+ SECCOMP_FILTER_FLAG_LOG,
|
|
||||||
+ SECCOMP_FILTER_FLAG_SPEC_ALLOW };
|
|
||||||
unsigned int flag, all_flags;
|
|
||||||
int i;
|
|
||||||
long ret;
|
|
||||||
|
|
||||||
/* Test detection of known-good filter flags */
|
|
||||||
for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
|
|
||||||
+ int bits = 0;
|
|
||||||
+
|
|
||||||
flag = flags[i];
|
|
||||||
+ /* Make sure the flag is a single bit! */
|
|
||||||
+ while (flag) {
|
|
||||||
+ if (flag & 0x1)
|
|
||||||
+ bits ++;
|
|
||||||
+ flag >>= 1;
|
|
||||||
+ }
|
|
||||||
+ ASSERT_EQ(1, bits);
|
|
||||||
+ flag = flags[i];
|
|
||||||
+
|
|
||||||
ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
|
|
||||||
ASSERT_NE(ENOSYS, errno) {
|
|
||||||
TH_LOG("Kernel does not support seccomp syscall!");
|
|
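Review bot: the single-bit check inside the `for` loop shifts `flag` down to zero and then needs a second `flag = flags[i];` to restore it before the `seccomp()` call. Counting on a scratch copy of the value would remove the reload and the risk of someone deleting it later. Two smaller points in the same hunk: `bits ++;` has a stray space, and `flags[]` stays `unsigned int` although the macros it holds are now defined as `1UL << n`, so the array type should be made to match.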
|
@ -1,60 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
Date: Tue, 1 May 2018 15:07:31 -0700
|
|
||||||
Subject: seccomp: Enable speculation flaw mitigations
|
|
||||||
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
|
|
||||||
commit 5c3070890d06ff82eecb808d02d2ca39169533ef upstream
|
|
||||||
|
|
||||||
When speculation flaw mitigations are opt-in (via prctl), using seccomp
|
|
||||||
will automatically opt-in to these protections, since using seccomp
|
|
||||||
indicates at least some level of sandboxing is desired.
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
kernel/seccomp.c | 17 +++++++++++++++++
|
|
||||||
1 file changed, 17 insertions(+)
|
|
||||||
|
|
||||||
--- a/kernel/seccomp.c
|
|
||||||
+++ b/kernel/seccomp.c
|
|
||||||
@@ -19,6 +19,8 @@
|
|
||||||
#include <linux/compat.h>
|
|
||||||
#include <linux/coredump.h>
|
|
||||||
#include <linux/kmemleak.h>
|
|
||||||
+#include <linux/nospec.h>
|
|
||||||
+#include <linux/prctl.h>
|
|
||||||
#include <linux/sched.h>
|
|
||||||
#include <linux/sched/task_stack.h>
|
|
||||||
#include <linux/seccomp.h>
|
|
||||||
@@ -227,6 +229,19 @@ static inline bool seccomp_may_assign_mo
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * If a given speculation mitigation is opt-in (prctl()-controlled),
|
|
||||||
+ * select it, by disabling speculation (enabling mitigation).
|
|
||||||
+ */
|
|
||||||
+static inline void spec_mitigate(struct task_struct *task,
|
|
||||||
+ unsigned long which)
|
|
||||||
+{
|
|
||||||
+ int state = arch_prctl_spec_ctrl_get(task, which);
|
|
||||||
+
|
|
||||||
+ if (state > 0 && (state & PR_SPEC_PRCTL))
|
|
||||||
+ arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static inline void seccomp_assign_mode(struct task_struct *task,
|
|
||||||
unsigned long seccomp_mode)
|
|
||||||
{
|
|
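Review bot: `spec_mitigate()` discards the return value of `arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE)`. If the arch code refuses the request, the task enters seccomp without the mitigation and nothing records that. The function is `void`, so at least a comment explaining why failure can be ignored here is needed, or a one-time warning on a non-zero return.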
||||||
@@ -238,6 +253,8 @@ static inline void seccomp_assign_mode(s
|
|
||||||
* filter) is set.
|
|
||||||
*/
|
|
||||||
smp_mb__before_atomic();
|
|
||||||
+ /* Assume seccomp processes want speculation flaw mitigation. */
|
|
||||||
+ spec_mitigate(task, PR_SPEC_STORE_BYPASS);
|
|
||||||
set_tsk_thread_flag(task, TIF_SECCOMP);
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,112 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Fri, 4 May 2018 15:12:06 +0200
|
|
||||||
Subject: seccomp: Move speculation migitation control to arch code
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 8bf37d8c067bb7eb8e7c381bdadf9bd89182b6bc upstream
|
|
||||||
|
|
||||||
The migitation control is simpler to implement in architecture code as it
|
|
||||||
avoids the extra function call to check the mode. Aside of that having an
|
|
||||||
explicit seccomp enabled mode in the architecture mitigations would require
|
|
||||||
even more workarounds.
|
|
||||||
|
|
||||||
Move it into architecture code and provide a weak function in the seccomp
|
|
||||||
code. Remove the 'which' argument as this allows the architecture to decide
|
|
||||||
which mitigations are relevant for seccomp.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 29 ++++++++++++++++++-----------
|
|
||||||
include/linux/nospec.h | 2 ++
|
|
||||||
kernel/seccomp.c | 15 ++-------------
|
|
||||||
3 files changed, 22 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -569,6 +569,24 @@ static int ssb_prctl_set(struct task_str
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
|
|
||||||
+ unsigned long ctrl)
|
|
||||||
+{
|
|
||||||
+ switch (which) {
|
|
||||||
+ case PR_SPEC_STORE_BYPASS:
|
|
||||||
+ return ssb_prctl_set(task, ctrl);
|
|
||||||
+ default:
|
|
||||||
+ return -ENODEV;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#ifdef CONFIG_SECCOMP
|
|
||||||
+void arch_seccomp_spec_mitigate(struct task_struct *task)
|
|
||||||
+{
|
|
||||||
+ ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
static int ssb_prctl_get(struct task_struct *task)
|
|
||||||
{
|
|
||||||
switch (ssb_mode) {
|
|
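Review bot: the new `arch_seccomp_spec_mitigate()` calls `ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE)` unconditionally and drops its return value, whereas the `spec_mitigate()` helper it replaces first tested `state > 0 && (state & PR_SPEC_PRCTL)`. Nothing in this hunk shows `ssb_prctl_set()` doing the equivalent mode check itself. Please add a comment saying where that check now lives, and say why the return value can be ignored.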
||||||
@@ -587,17 +605,6 @@ static int ssb_prctl_get(struct task_str
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
|
|
||||||
- unsigned long ctrl)
|
|
||||||
-{
|
|
||||||
- switch (which) {
|
|
||||||
- case PR_SPEC_STORE_BYPASS:
|
|
||||||
- return ssb_prctl_set(task, ctrl);
|
|
||||||
- default:
|
|
||||||
- return -ENODEV;
|
|
||||||
- }
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
|
|
||||||
{
|
|
||||||
switch (which) {
|
|
||||||
--- a/include/linux/nospec.h
|
|
||||||
+++ b/include/linux/nospec.h
|
|
||||||
@@ -62,5 +62,7 @@ static inline unsigned long array_index_
|
|
||||||
int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which);
|
|
||||||
int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
|
|
||||||
unsigned long ctrl);
|
|
||||||
+/* Speculation control for seccomp enforced mitigation */
|
|
||||||
+void arch_seccomp_spec_mitigate(struct task_struct *task);
|
|
||||||
|
|
||||||
#endif /* _LINUX_NOSPEC_H */
|
|
||||||
--- a/kernel/seccomp.c
|
|
||||||
+++ b/kernel/seccomp.c
|
|
||||||
@@ -229,18 +229,7 @@ static inline bool seccomp_may_assign_mo
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * If a given speculation mitigation is opt-in (prctl()-controlled),
|
|
||||||
- * select it, by disabling speculation (enabling mitigation).
|
|
||||||
- */
|
|
||||||
-static inline void spec_mitigate(struct task_struct *task,
|
|
||||||
- unsigned long which)
|
|
||||||
-{
|
|
||||||
- int state = arch_prctl_spec_ctrl_get(task, which);
|
|
||||||
-
|
|
||||||
- if (state > 0 && (state & PR_SPEC_PRCTL))
|
|
||||||
- arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
|
|
||||||
-}
|
|
||||||
+void __weak arch_seccomp_spec_mitigate(struct task_struct *task) { }
|
|
||||||
|
|
||||||
static inline void seccomp_assign_mode(struct task_struct *task,
|
|
||||||
unsigned long seccomp_mode,
|
|
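Review bot: `void __weak arch_seccomp_spec_mitigate(struct task_struct *task) { }` replaces a documented helper with an undocumented empty stub. On any architecture that does not override it, entering seccomp applies no speculation mitigation at all, and the comment at the call site still reads as if one is applied. A short comment on the weak definition stating that it is intentionally a no-op until the architecture provides its own would make that explicit.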
||||||
@@ -256,7 +245,7 @@ static inline void seccomp_assign_mode(s
|
|
||||||
smp_mb__before_atomic();
|
|
||||||
/* Assume default seccomp processes want spec flaw mitigation. */
|
|
||||||
if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
|
|
||||||
- spec_mitigate(task, PR_SPEC_STORE_BYPASS);
|
|
||||||
+ arch_seccomp_spec_mitigate(task);
|
|
||||||
set_tsk_thread_flag(task, TIF_SECCOMP);
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,29 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Fri, 4 May 2018 09:40:03 +0200
|
|
||||||
Subject: seccomp: Use PR_SPEC_FORCE_DISABLE
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit b849a812f7eb92e96d1c8239b06581b2cfd8b275 upstream
|
|
||||||
|
|
||||||
Use PR_SPEC_FORCE_DISABLE in seccomp() because seccomp does not allow to
|
|
||||||
widen restrictions.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
kernel/seccomp.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/kernel/seccomp.c
|
|
||||||
+++ b/kernel/seccomp.c
|
|
||||||
@@ -239,7 +239,7 @@ static inline void spec_mitigate(struct
|
|
||||||
int state = arch_prctl_spec_ctrl_get(task, which);
|
|
||||||
|
|
||||||
if (state > 0 && (state & PR_SPEC_PRCTL))
|
|
||||||
- arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE);
|
|
||||||
+ arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline void seccomp_assign_mode(struct task_struct *task,
|
|
|
@ -1,187 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:24 -0400
|
|
||||||
Subject: x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 764f3c21588a059cd783c6ba0734d4db2d72822d upstream
|
|
||||||
|
|
||||||
AMD does not need the Speculative Store Bypass mitigation to be enabled.
|
|
||||||
|
|
||||||
The parameters for this are already available and can be done via MSR
|
|
||||||
C001_1020. Each family uses a different bit in that MSR for this.
|
|
||||||
|
|
||||||
[ tglx: Expose the bit mask via a variable and move the actual MSR fiddling
|
|
||||||
into the bugs code as that's the right thing to do and also required
|
|
||||||
to prepare for dynamic enable/disable ]
|
|
||||||
|
|
||||||
Suggested-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 1 +
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 4 ++++
|
|
||||||
arch/x86/kernel/cpu/amd.c | 26 ++++++++++++++++++++++++++
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 27 ++++++++++++++++++++++++++-
|
|
||||||
arch/x86/kernel/cpu/common.c | 4 ++++
|
|
||||||
5 files changed, 61 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -215,6 +215,7 @@
|
|
||||||
#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
|
|
||||||
#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
|
|
||||||
#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
|
|
||||||
+#define X86_FEATURE_AMD_RDS (7*32+24) /* "" AMD RDS implementation */
|
|
||||||
|
|
||||||
/* Virtualization flags: Linux defined, word 8 */
|
|
||||||
#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
|
|
||||||
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -244,6 +244,10 @@ enum ssb_mitigation {
|
|
||||||
SPEC_STORE_BYPASS_DISABLE,
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* AMD specific Speculative Store Bypass MSR data */
|
|
||||||
+extern u64 x86_amd_ls_cfg_base;
|
|
||||||
+extern u64 x86_amd_ls_cfg_rds_mask;
|
|
||||||
+
|
|
||||||
extern char __indirect_thunk_start[];
|
|
||||||
extern char __indirect_thunk_end[];
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/amd.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/amd.c
|
|
||||||
@@ -10,6 +10,7 @@
|
|
||||||
#include <asm/processor.h>
|
|
||||||
#include <asm/apic.h>
|
|
||||||
#include <asm/cpu.h>
|
|
||||||
+#include <asm/nospec-branch.h>
|
|
||||||
#include <asm/smp.h>
|
|
||||||
#include <asm/pci-direct.h>
|
|
||||||
#include <asm/delay.h>
|
|
||||||
@@ -554,6 +555,26 @@ static void bsp_init_amd(struct cpuinfo_
|
|
||||||
rdmsrl(MSR_FAM10H_NODE_ID, value);
|
|
||||||
nodes_per_socket = ((value >> 3) & 7) + 1;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (c->x86 >= 0x15 && c->x86 <= 0x17) {
|
|
||||||
+ unsigned int bit;
|
|
||||||
+
|
|
||||||
+ switch (c->x86) {
|
|
||||||
+ case 0x15: bit = 54; break;
|
|
||||||
+ case 0x16: bit = 33; break;
|
|
||||||
+ case 0x17: bit = 10; break;
|
|
||||||
+ default: return;
|
|
||||||
+ }
|
|
||||||
+ /*
|
|
||||||
+ * Try to cache the base value so further operations can
|
|
||||||
+ * avoid RMW. If that faults, do not enable RDS.
|
|
||||||
+ */
|
|
||||||
+ if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) {
|
|
||||||
+ setup_force_cpu_cap(X86_FEATURE_RDS);
|
|
||||||
+ setup_force_cpu_cap(X86_FEATURE_AMD_RDS);
|
|
||||||
+ x86_amd_ls_cfg_rds_mask = 1ULL << bit;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
|
|
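Review bot: in the `switch (c->x86)` added to `bsp_init_amd()`, the `default: return;` arm cannot be reached because the enclosing test already limits the family to 0x15..0x17. If it ever were reached, the bare `return` would skip whatever is later appended to this function. Dropping the arm, or replacing it with a warning, would be clearer. The bit positions 54, 33 and 10 are also bare numbers; named constants or a comment tying each to its family's LS_CFG layout would help the next reader.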
||||||
@@ -898,6 +919,11 @@ static void init_amd(struct cpuinfo_x86
|
|
||||||
/* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */
|
|
||||||
if (!cpu_has(c, X86_FEATURE_XENPV))
|
|
||||||
set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
|
|
||||||
+
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_AMD_RDS)) {
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_RDS);
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_AMD_RDS);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef CONFIG_X86_32
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -41,6 +41,13 @@ static u64 __ro_after_init x86_spec_ctrl
|
|
||||||
*/
|
|
||||||
static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS;
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * AMD specific MSR info for Speculative Store Bypass control.
|
|
||||||
+ * x86_amd_ls_cfg_rds_mask is initialized in identify_boot_cpu().
|
|
||||||
+ */
|
|
||||||
+u64 __ro_after_init x86_amd_ls_cfg_base;
|
|
||||||
+u64 __ro_after_init x86_amd_ls_cfg_rds_mask;
|
|
||||||
+
|
|
||||||
void __init check_bugs(void)
|
|
||||||
{
|
|
||||||
identify_boot_cpu();
|
|
||||||
@@ -52,7 +59,8 @@ void __init check_bugs(void)
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Read the SPEC_CTRL MSR to account for reserved bits which may
|
|
||||||
- * have unknown values.
|
|
||||||
+ * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
|
|
||||||
+ * init code as it is not enumerated and depends on the family.
|
|
||||||
*/
|
|
||||||
if (boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
|
|
||||||
@@ -154,6 +162,14 @@ void x86_spec_ctrl_restore_host(u64 gues
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
|
|
||||||
|
|
||||||
+static void x86_amd_rds_enable(void)
|
|
||||||
+{
|
|
||||||
+ u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_rds_mask;
|
|
||||||
+
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_AMD_RDS))
|
|
||||||
+ wrmsrl(MSR_AMD64_LS_CFG, msrval);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#ifdef RETPOLINE
|
|
||||||
static bool spectre_v2_bad_module;
|
|
||||||
|
|
||||||
@@ -443,6 +459,11 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
|
|
||||||
switch (cmd) {
|
|
||||||
case SPEC_STORE_BYPASS_CMD_AUTO:
|
|
||||||
+ /*
|
|
||||||
+ * AMD platforms by default don't need SSB mitigation.
|
|
||||||
+ */
|
|
||||||
+ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
|
|
||||||
+ break;
|
|
||||||
case SPEC_STORE_BYPASS_CMD_ON:
|
|
||||||
mode = SPEC_STORE_BYPASS_DISABLE;
|
|
||||||
break;
|
|
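Review bot: with the new vendor test, `case SPEC_STORE_BYPASS_CMD_AUTO:` now contains code and then falls into `case SPEC_STORE_BYPASS_CMD_ON:` for every non-AMD CPU. The fall-through was harmless while the two labels were adjacent, but it is now easy to misread as a missing `break`. Please mark it with an explicit fall-through comment after the `if`.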
||||||
@@ -469,6 +490,7 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
x86_spec_ctrl_set(SPEC_CTRL_RDS);
|
|
||||||
break;
|
|
||||||
case X86_VENDOR_AMD:
|
|
||||||
+ x86_amd_rds_enable();
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -490,6 +512,9 @@ void x86_spec_ctrl_setup_ap(void)
|
|
||||||
{
|
|
||||||
if (boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
|
|
||||||
+
|
|
||||||
+ if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
|
|
||||||
+ x86_amd_rds_enable();
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef CONFIG_SYSFS
|
|
||||||
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -934,6 +934,10 @@ static const __initconst struct x86_cpu_
|
|
||||||
{ X86_VENDOR_CENTAUR, 5, },
|
|
||||||
{ X86_VENDOR_INTEL, 5, },
|
|
||||||
{ X86_VENDOR_NSC, 5, },
|
|
||||||
+ { X86_VENDOR_AMD, 0x12, },
|
|
||||||
+ { X86_VENDOR_AMD, 0x11, },
|
|
||||||
+ { X86_VENDOR_AMD, 0x10, },
|
|
||||||
+ { X86_VENDOR_AMD, 0xf, },
|
|
||||||
{ X86_VENDOR_ANY, 4, },
|
|
||||||
{}
|
|
||||||
};
|
|
|
@ -1,70 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:16 -0400
|
|
||||||
Subject: x86/bugs: Concentrate bug detection into a separate function
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 4a28bfe3267b68e22c663ac26185aa16c9b879ef upstream
|
|
||||||
|
|
||||||
Combine the various logic which goes through all those
|
|
||||||
x86_cpu_id matching structures in one function.
|
|
||||||
|
|
||||||
Suggested-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/common.c | 21 +++++++++++----------
|
|
||||||
1 file changed, 11 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -918,21 +918,27 @@ static const __initconst struct x86_cpu_
|
|
||||||
{}
|
|
||||||
};
|
|
||||||
|
|
||||||
-static bool __init cpu_vulnerable_to_meltdown(struct cpuinfo_x86 *c)
|
|
||||||
+static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
|
|
||||||
{
|
|
||||||
u64 ia32_cap = 0;
|
|
||||||
|
|
||||||
+ if (x86_match_cpu(cpu_no_speculation))
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
|
|
||||||
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
|
|
||||||
+
|
|
||||||
if (x86_match_cpu(cpu_no_meltdown))
|
|
||||||
- return false;
|
|
||||||
+ return;
|
|
||||||
|
|
||||||
if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
|
|
||||||
rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
|
|
||||||
|
|
||||||
/* Rogue Data Cache Load? No! */
|
|
||||||
if (ia32_cap & ARCH_CAP_RDCL_NO)
|
|
||||||
- return false;
|
|
||||||
+ return;
|
|
||||||
|
|
||||||
- return true;
|
|
||||||
+ setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -982,12 +988,7 @@ static void __init early_identify_cpu(st
|
|
||||||
|
|
||||||
setup_force_cpu_cap(X86_FEATURE_ALWAYS);
|
|
||||||
|
|
||||||
- if (!x86_match_cpu(cpu_no_speculation)) {
|
|
||||||
- if (cpu_vulnerable_to_meltdown(c))
|
|
||||||
- setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
|
|
||||||
- setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
|
|
||||||
- setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
|
|
||||||
- }
|
|
||||||
+ cpu_set_bug_bits(c);
|
|
||||||
|
|
||||||
fpu__init_system(c);
|
|
||||||
|
|
|
@ -1,87 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:17 -0400
|
|
||||||
Subject: x86/bugs: Concentrate bug reporting into a separate function
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit d1059518b4789cabe34bb4b714d07e6089c82ca1 upstream
|
|
||||||
|
|
||||||
Those SysFS functions have a similar preamble, as such make common
|
|
||||||
code to handle them.
|
|
||||||
|
|
||||||
Suggested-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 46 +++++++++++++++++++++++++++++++--------------
|
|
||||||
1 file changed, 32 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -314,30 +314,48 @@ retpoline_auto:
|
|
||||||
#undef pr_fmt
|
|
||||||
|
|
||||||
#ifdef CONFIG_SYSFS
|
|
||||||
-ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
|
|
||||||
+
|
|
||||||
+ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
|
|
||||||
+ char *buf, unsigned int bug)
|
|
||||||
{
|
|
||||||
- if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
|
|
||||||
+ if (!boot_cpu_has_bug(bug))
|
|
||||||
return sprintf(buf, "Not affected\n");
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_PTI))
|
|
||||||
- return sprintf(buf, "Mitigation: PTI\n");
|
|
||||||
+
|
|
||||||
+ switch (bug) {
|
|
||||||
+ case X86_BUG_CPU_MELTDOWN:
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_PTI))
|
|
||||||
+ return sprintf(buf, "Mitigation: PTI\n");
|
|
||||||
+
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ case X86_BUG_SPECTRE_V1:
|
|
||||||
+ return sprintf(buf, "Mitigation: __user pointer sanitization\n");
|
|
||||||
+
|
|
||||||
+ case X86_BUG_SPECTRE_V2:
|
|
||||||
+ return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
|
|
||||||
+ boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
|
|
||||||
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
|
|
||||||
+ spectre_v2_module_string());
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return sprintf(buf, "Vulnerable\n");
|
|
||||||
}
|
|
||||||
|
|
||||||
+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
|
|
||||||
+{
|
|
||||||
+ return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
|
|
||||||
{
|
|
||||||
- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1))
|
|
||||||
- return sprintf(buf, "Not affected\n");
|
|
||||||
- return sprintf(buf, "Mitigation: __user pointer sanitization\n");
|
|
||||||
+ return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
|
|
||||||
}
|
|
||||||
|
|
||||||
ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
|
|
||||||
{
|
|
||||||
- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
|
|
||||||
- return sprintf(buf, "Not affected\n");
|
|
||||||
-
|
|
||||||
- return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
|
|
||||||
- boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
|
|
||||||
- boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
|
|
||||||
- spectre_v2_module_string());
|
|
||||||
+ return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
|
|
||||||
}
|
|
||||||
#endif
|
|
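Review bot: `cpu_show_common()` is introduced without `static`, yet the only callers visible in this hunk are the three `cpu_show_*()` wrappers in the same file. Unless another translation unit needs it, it should be `static ssize_t cpu_show_common(...)` so the helper does not become a global symbol without a prototype.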
|
@ -1,134 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:20 -0400
|
|
||||||
Subject: x86/bugs: Expose /sys/../spec_store_bypass
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit c456442cd3a59eeb1d60293c26cbe2ff2c4e42cf upstream
|
|
||||||
|
|
||||||
Add the sysfs file for the new vulerability. It does not do much except
|
|
||||||
show the words 'Vulnerable' for recent x86 cores.
|
|
||||||
|
|
||||||
Intel cores prior to family 6 are known not to be vulnerable, and so are
|
|
||||||
some Atoms and some Xeon Phi.
|
|
||||||
|
|
||||||
It assumes that older Cyrix, Centaur, etc. cores are immune.
|
|
||||||
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
Documentation/ABI/testing/sysfs-devices-system-cpu | 1
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 1
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 5 ++++
|
|
||||||
arch/x86/kernel/cpu/common.c | 23 +++++++++++++++++++++
|
|
||||||
drivers/base/cpu.c | 8 +++++++
|
|
||||||
include/linux/cpu.h | 2 +
|
|
||||||
6 files changed, 40 insertions(+)
|
|
||||||
|
|
||||||
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
|
|
||||||
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
|
|
||||||
@@ -453,6 +453,7 @@ What: /sys/devices/system/cpu/vulnerabi
|
|
||||||
/sys/devices/system/cpu/vulnerabilities/meltdown
|
|
||||||
/sys/devices/system/cpu/vulnerabilities/spectre_v1
|
|
||||||
/sys/devices/system/cpu/vulnerabilities/spectre_v2
|
|
||||||
+ /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
|
|
||||||
Date: January 2018
|
|
||||||
Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
|
|
||||||
Description: Information about CPU vulnerabilities
|
|
||||||
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -362,5 +362,6 @@
|
|
||||||
#define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
|
|
||||||
#define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
|
|
||||||
#define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
|
|
||||||
+#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */
|
|
||||||
|
|
||||||
#endif /* _ASM_X86_CPUFEATURES_H */
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -404,4 +404,9 @@ ssize_t cpu_show_spectre_v2(struct devic
|
|
||||||
{
|
|
||||||
return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
|
|
||||||
+{
|
|
||||||
+ return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
|
|
||||||
+}
|
|
||||||
#endif
|
|
||||||
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -918,10 +918,33 @@ static const __initconst struct x86_cpu_
|
|
||||||
{}
|
|
||||||
};
|
|
||||||
|
|
||||||
+static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = {
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PINEVIEW },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PENWELL },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT2 },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MERRIFIELD },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_CORE_YONAH },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL },
|
|
||||||
+ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM },
|
|
||||||
+ { X86_VENDOR_CENTAUR, 5, },
|
|
||||||
+ { X86_VENDOR_INTEL, 5, },
|
|
||||||
+ { X86_VENDOR_NSC, 5, },
|
|
||||||
+ { X86_VENDOR_ANY, 4, },
|
|
||||||
+ {}
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
|
|
||||||
{
|
|
||||||
u64 ia32_cap = 0;
|
|
||||||
|
|
||||||
+ if (!x86_match_cpu(cpu_no_spec_store_bypass))
|
|
||||||
+ setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
|
|
||||||
+
|
|
||||||
if (x86_match_cpu(cpu_no_speculation))
|
|
||||||
return;
|
|
||||||
|
|
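Review bot: in `cpu_set_bug_bits()` the `cpu_no_spec_store_bypass` test is placed above the `cpu_no_speculation` early return, so the order of these two checks decides which CPUs get `X86_BUG_SPEC_STORE_BYPASS`. Nothing in the code says that, and a later reshuffle could silently change the result. Please add a one-line comment explaining why the SSB check has to run before the `return`.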
||||||
--- a/drivers/base/cpu.c
|
|
||||||
+++ b/drivers/base/cpu.c
|
|
||||||
@@ -532,14 +532,22 @@ ssize_t __weak cpu_show_spectre_v2(struc
|
|
||||||
return sprintf(buf, "Not affected\n");
|
|
||||||
}
|
|
||||||
|
|
||||||
+ssize_t __weak cpu_show_spec_store_bypass(struct device *dev,
|
|
||||||
+ struct device_attribute *attr, char *buf)
|
|
||||||
+{
|
|
||||||
+ return sprintf(buf, "Not affected\n");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
|
|
||||||
static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
|
|
||||||
static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
|
|
||||||
+static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL);
|
|
||||||
|
|
||||||
static struct attribute *cpu_root_vulnerabilities_attrs[] = {
|
|
||||||
&dev_attr_meltdown.attr,
|
|
||||||
&dev_attr_spectre_v1.attr,
|
|
||||||
&dev_attr_spectre_v2.attr,
|
|
||||||
+ &dev_attr_spec_store_bypass.attr,
|
|
||||||
NULL
|
|
||||||
};
|
|
||||||
|
|
||||||
--- a/include/linux/cpu.h
|
|
||||||
+++ b/include/linux/cpu.h
|
|
||||||
@@ -53,6 +53,8 @@ extern ssize_t cpu_show_spectre_v1(struc
|
|
||||||
struct device_attribute *attr, char *buf);
|
|
||||||
extern ssize_t cpu_show_spectre_v2(struct device *dev,
|
|
||||||
struct device_attribute *attr, char *buf);
|
|
||||||
+extern ssize_t cpu_show_spec_store_bypass(struct device *dev,
|
|
||||||
+ struct device_attribute *attr, char *buf);
|
|
||||||
|
|
||||||
extern __printf(4, 5)
|
|
||||||
struct device *cpu_device_create(struct device *parent, void *drvdata,
|
|
|
@ -1,112 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Sat, 12 May 2018 20:49:16 +0200
|
|
||||||
Subject: x86/bugs: Expose x86_spec_ctrl_base directly
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit fa8ac4988249c38476f6ad678a4848a736373403 upstream
|
|
||||||
|
|
||||||
x86_spec_ctrl_base is the system wide default value for the SPEC_CTRL MSR.
|
|
||||||
x86_spec_ctrl_get_default() returns x86_spec_ctrl_base and was intended to
|
|
||||||
prevent modification to that variable. Though the variable is read only
|
|
||||||
after init and globaly visible already.
|
|
||||||
|
|
||||||
Remove the function and export the variable instead.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 16 +++++-----------
|
|
||||||
arch/x86/include/asm/spec-ctrl.h | 3 ---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 11 +----------
|
|
||||||
3 files changed, 6 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -217,16 +217,7 @@ enum spectre_v2_mitigation {
|
|
||||||
SPECTRE_V2_IBRS,
|
|
||||||
};
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * The Intel specification for the SPEC_CTRL MSR requires that we
|
|
||||||
- * preserve any already set reserved bits at boot time (e.g. for
|
|
||||||
- * future additions that this kernel is not currently aware of).
|
|
||||||
- * We then set any additional mitigation bits that we want
|
|
||||||
- * ourselves and always use this as the base for SPEC_CTRL.
|
|
||||||
- * We also use this when handling guest entry/exit as below.
|
|
||||||
- */
|
|
||||||
extern void x86_spec_ctrl_set(u64);
|
|
||||||
-extern u64 x86_spec_ctrl_get_default(void);
|
|
||||||
|
|
||||||
/* The Speculative Store Bypass disable variants */
|
|
||||||
enum ssb_mitigation {
|
|
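Review bot: the comment block deleted above `extern void x86_spec_ctrl_set(u64);` was the only text in this header that explained why reserved SPEC_CTRL bits read at boot have to be preserved and reused as the base. With it gone the header carries only the one-line "base value cache" comment added further down. Please keep the reserved-bits explanation and attach it to the `x86_spec_ctrl_base` declaration instead of dropping it.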
||||||
@@ -278,6 +269,9 @@ static inline void indirect_branch_predi
|
|
||||||
alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* The Intel SPEC CTRL MSR base value cache */
|
|
||||||
+extern u64 x86_spec_ctrl_base;
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* With retpoline, we must use IBRS to restrict branch prediction
|
|
||||||
* before calling into firmware.
|
|
||||||
@@ -286,7 +280,7 @@ static inline void indirect_branch_predi
|
|
||||||
*/
|
|
||||||
#define firmware_restrict_branch_speculation_start() \
|
|
||||||
do { \
|
|
||||||
- u64 val = x86_spec_ctrl_get_default() | SPEC_CTRL_IBRS; \
|
|
||||||
+ u64 val = x86_spec_ctrl_base | SPEC_CTRL_IBRS; \
|
|
||||||
\
|
|
||||||
preempt_disable(); \
|
|
||||||
alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \
|
|
||||||
@@ -295,7 +289,7 @@ do { \
|
|
||||||
|
|
||||||
#define firmware_restrict_branch_speculation_end() \
|
|
||||||
do { \
|
|
||||||
- u64 val = x86_spec_ctrl_get_default(); \
|
|
||||||
+ u64 val = x86_spec_ctrl_base; \
|
|
||||||
\
|
|
||||||
alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \
|
|
||||||
X86_FEATURE_USE_IBRS_FW); \
|
|
||||||
--- a/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
+++ b/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
@@ -47,9 +47,6 @@ void x86_spec_ctrl_restore_host(u64 gues
|
|
||||||
extern u64 x86_amd_ls_cfg_base;
|
|
||||||
extern u64 x86_amd_ls_cfg_ssbd_mask;
|
|
||||||
|
|
||||||
-/* The Intel SPEC CTRL MSR base value cache */
|
|
||||||
-extern u64 x86_spec_ctrl_base;
|
|
||||||
-
|
|
||||||
static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
|
|
||||||
{
|
|
||||||
BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -36,6 +36,7 @@ static void __init ssb_select_mitigation
|
|
||||||
* writes to SPEC_CTRL contain whatever reserved bits have been set.
|
|
||||||
*/
|
|
||||||
u64 __ro_after_init x86_spec_ctrl_base;
|
|
||||||
+EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The vendor and possibly platform specific bits which can be modified in
|
|
||||||
@@ -141,16 +142,6 @@ void x86_spec_ctrl_set(u64 val)
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);
|
|
||||||
|
|
||||||
-u64 x86_spec_ctrl_get_default(void)
|
|
||||||
-{
|
|
||||||
- u64 msrval = x86_spec_ctrl_base;
|
|
||||||
-
|
|
||||||
- if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
|
|
||||||
- msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
- return msrval;
|
|
||||||
-}
|
|
||||||
-EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
|
|
||||||
-
|
|
||||||
void
|
|
||||||
x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
|
|
||||||
{
|
|
|
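Review bot: the removed `x86_spec_ctrl_get_default()` did more than return `x86_spec_ctrl_base`: when `X86_FEATURE_SPEC_CTRL` is set it also ORed in `ssbd_tif_to_spec_ctrl(current_thread_info()->flags)`. The changelog describes it as returning the base value only, and the two firmware macros now build `val` from the bare `x86_spec_ctrl_base`, so the current task's SSBD bit is no longer part of what gets written to `MSR_IA32_SPEC_CTRL` around firmware calls. Either say in the changelog that dropping the per-task bit is intended, or keep the OR at the call sites.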
@ -1,31 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Jiri Kosina <jkosina@suse.cz>
|
|
||||||
Date: Thu, 10 May 2018 22:47:18 +0200
|
|
||||||
Subject: x86/bugs: Fix __ssb_select_mitigation() return type
|
|
||||||
|
|
||||||
From: Jiri Kosina <jkosina@suse.cz>
|
|
||||||
|
|
||||||
commit d66d8ff3d21667b41eddbe86b35ab411e40d8c5f upstream
|
|
||||||
|
|
||||||
__ssb_select_mitigation() returns one of the members of enum ssb_mitigation,
|
|
||||||
not ssb_mitigation_cmd; fix the prototype to reflect that.
|
|
||||||
|
|
||||||
Fixes: 24f7fc83b9204 ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation")
|
|
||||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -468,7 +468,7 @@ static enum ssb_mitigation_cmd __init ss
|
|
||||||
return cmd;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
|
|
||||||
+static enum ssb_mitigation __init __ssb_select_mitigation(void)
|
|
||||||
{
|
|
||||||
enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
|
|
||||||
enum ssb_mitigation_cmd cmd;
|
|
|
@ -1,38 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Fri, 11 May 2018 16:50:35 -0400
|
|
||||||
Subject: x86/bugs: Fix the parameters alignment and missing void
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit ffed645e3be0e32f8e9ab068d257aee8d0fe8eec upstream
|
|
||||||
|
|
||||||
Fixes: 7bb4d366c ("x86/bugs: Make cpu_show_common() static")
|
|
||||||
Fixes: 24f7fc83b ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation")
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -531,7 +531,7 @@ static enum ssb_mitigation __init __ssb_
|
|
||||||
return mode;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void ssb_select_mitigation()
|
|
||||||
+static void ssb_select_mitigation(void)
|
|
||||||
{
|
|
||||||
ssb_mode = __ssb_select_mitigation();
|
|
||||||
|
|
||||||
@@ -641,7 +641,7 @@ void x86_spec_ctrl_setup_ap(void)
|
|
||||||
#ifdef CONFIG_SYSFS
|
|
||||||
|
|
||||||
static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
|
|
||||||
- char *buf, unsigned int bug)
|
|
||||||
+ char *buf, unsigned int bug)
|
|
||||||
{
|
|
||||||
if (!boot_cpu_has_bug(bug))
|
|
||||||
return sprintf(buf, "Not affected\n");
|
|
|
@ -1,170 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:22 -0400
|
|
||||||
Subject: x86/bugs/intel: Set proper CPU features and setup RDS
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 772439717dbf703b39990be58d8d4e3e4ad0598a upstream
|
|
||||||
|
|
||||||
Intel CPUs expose methods to:
|
|
||||||
|
|
||||||
- Detect whether RDS capability is available via CPUID.7.0.EDX[31],
|
|
||||||
|
|
||||||
- The SPEC_CTRL MSR(0x48), bit 2 set to enable RDS.
|
|
||||||
|
|
||||||
- MSR_IA32_ARCH_CAPABILITIES, Bit(4) no need to enable RRS.
|
|
||||||
|
|
||||||
With that in mind if spec_store_bypass_disable=[auto,on] is selected set at
|
|
||||||
boot-time the SPEC_CTRL MSR to enable RDS if the platform requires it.
|
|
||||||
|
|
||||||
Note that this does not fix the KVM case where the SPEC_CTRL is exposed to
|
|
||||||
guests which can muck with it, see patch titled :
|
|
||||||
KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS.
|
|
||||||
|
|
||||||
And for the firmware (IBRS to be set), see patch titled:
|
|
||||||
x86/spectre_v2: Read SPEC_CTRL MSR during boot and re-use reserved bits
|
|
||||||
|
|
||||||
[ tglx: Distangled it from the intel implementation and kept the call order ]
|
|
||||||
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/msr-index.h | 6 ++++++
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++++++++++--
|
|
||||||
arch/x86/kernel/cpu/common.c | 10 ++++++----
|
|
||||||
arch/x86/kernel/cpu/cpu.h | 2 ++
|
|
||||||
arch/x86/kernel/cpu/intel.c | 1 +
|
|
||||||
5 files changed, 43 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/msr-index.h
|
|
||||||
+++ b/arch/x86/include/asm/msr-index.h
|
|
||||||
@@ -42,6 +42,7 @@
|
|
||||||
#define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */
|
|
||||||
#define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */
|
|
||||||
#define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */
|
|
||||||
+#define SPEC_CTRL_RDS (1 << 2) /* Reduced Data Speculation */
|
|
||||||
|
|
||||||
#define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */
|
|
||||||
#define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */
|
|
||||||
@@ -68,6 +69,11 @@
|
|
||||||
#define MSR_IA32_ARCH_CAPABILITIES 0x0000010a
|
|
||||||
#define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */
|
|
||||||
#define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */
|
|
||||||
+#define ARCH_CAP_RDS_NO (1 << 4) /*
|
|
||||||
+ * Not susceptible to Speculative Store Bypass
|
|
||||||
+ * attack, so no Reduced Data Speculation control
|
|
||||||
+ * required.
|
|
||||||
+ */
|
|
||||||
|
|
||||||
#define MSR_IA32_BBL_CR_CTL 0x00000119
|
|
||||||
#define MSR_IA32_BBL_CR_CTL3 0x0000011e
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -117,7 +117,7 @@ static enum spectre_v2_mitigation spectr
|
|
||||||
|
|
||||||
void x86_spec_ctrl_set(u64 val)
|
|
||||||
{
|
|
||||||
- if (val & ~SPEC_CTRL_IBRS)
|
|
||||||
+ if (val & ~(SPEC_CTRL_IBRS | SPEC_CTRL_RDS))
|
|
||||||
WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
|
|
||||||
else
|
|
||||||
wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
|
|
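Review bot: in `x86_spec_ctrl_set()` the accepted mask grows to `SPEC_CTRL_IBRS | SPEC_CTRL_RDS` but still omits `SPEC_CTRL_STIBP`, which msr-index.h defines right next to them, so a caller passing bit 1 lands in the "is unknown" warning and the write is skipped. If STIBP is rejected on purpose, say so in a comment. Also, the `WARN_ONCE` format `0x%16llx` pads with spaces; `0x%016llx` is what was presumably meant.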
||||||
@@ -444,8 +444,28 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (mode != SPEC_STORE_BYPASS_NONE)
|
|
||||||
+ /*
|
|
||||||
+ * We have three CPU feature flags that are in play here:
|
|
||||||
+ * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
|
|
||||||
+ * - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass
|
|
||||||
+ * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
|
|
||||||
+ */
|
|
||||||
+ if (mode != SPEC_STORE_BYPASS_NONE) {
|
|
||||||
setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
|
|
||||||
+ /*
|
|
||||||
+ * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses
|
|
||||||
+ * a completely different MSR and bit dependent on family.
|
|
||||||
+ */
|
|
||||||
+ switch (boot_cpu_data.x86_vendor) {
|
|
||||||
+ case X86_VENDOR_INTEL:
|
|
||||||
+ x86_spec_ctrl_base |= SPEC_CTRL_RDS;
|
|
||||||
+ x86_spec_ctrl_set(SPEC_CTRL_RDS);
|
|
||||||
+ break;
|
|
||||||
+ case X86_VENDOR_AMD:
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return mode;
|
|
||||||
}
|
|
||||||
|
|
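Review bot: `setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE)` runs for any vendor once `mode != SPEC_STORE_BYPASS_NONE`, but the `switch` below it only programs the MSR for `X86_VENDOR_INTEL`; the `X86_VENDOR_AMD` case is an empty `break` and there is no `default`. On AMD the feature flag therefore says the mitigation is engaged while nothing has been written. Set the flag inside the vendor case that actually applies the mitigation, or mark the AMD case with a comment naming the follow-up that fills it in.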
||||||
@@ -459,6 +479,12 @@ static void ssb_select_mitigation()
|
|
||||||
|
|
||||||
#undef pr_fmt
|
|
||||||
|
|
||||||
+void x86_spec_ctrl_setup_ap(void)
|
|
||||||
+{
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
+ x86_spec_ctrl_set(x86_spec_ctrl_base & (SPEC_CTRL_IBRS | SPEC_CTRL_RDS));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#ifdef CONFIG_SYSFS
|
|
||||||
|
|
||||||
ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
|
|
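Review bot: `x86_spec_ctrl_setup_ap()` is gated on `boot_cpu_has(X86_FEATURE_IBRS)` although the value it may need to write is the RDS bit; a short comment should say why IBRS is the right test for the presence of the SPEC_CTRL MSR here. The masking `x86_spec_ctrl_base & (SPEC_CTRL_IBRS | SPEC_CTRL_RDS)` also deserves a comment: `x86_spec_ctrl_set()` ORs `x86_spec_ctrl_base` back in before the `wrmsrl`, so the mask only exists to get past the unknown-bits warning, and the function has no description at all.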
||||||
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -942,7 +942,11 @@ static void __init cpu_set_bug_bits(stru
|
|
||||||
{
|
|
||||||
u64 ia32_cap = 0;
|
|
||||||
|
|
||||||
- if (!x86_match_cpu(cpu_no_spec_store_bypass))
|
|
||||||
+ if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
|
|
||||||
+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
|
|
||||||
+
|
|
||||||
+ if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
|
|
||||||
+ !(ia32_cap & ARCH_CAP_RDS_NO))
|
|
||||||
setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
|
|
||||||
|
|
||||||
if (x86_match_cpu(cpu_no_speculation))
|
|
||||||
@@ -954,9 +958,6 @@ static void __init cpu_set_bug_bits(stru
|
|
||||||
if (x86_match_cpu(cpu_no_meltdown))
|
|
||||||
return;
|
|
||||||
|
|
||||||
- if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
|
|
||||||
- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
|
|
||||||
-
|
|
||||||
/* Rogue Data Cache Load? No! */
|
|
||||||
if (ia32_cap & ARCH_CAP_RDCL_NO)
|
|
||||||
return;
|
|
||||||
@@ -1371,6 +1372,7 @@ void identify_secondary_cpu(struct cpuin
|
|
||||||
#endif
|
|
||||||
mtrr_ap_init();
|
|
||||||
validate_apic_and_package_id(c);
|
|
||||||
+ x86_spec_ctrl_setup_ap();
|
|
||||||
}
|
|
||||||
|
|
||||||
static __init int setup_noclflush(char *arg)
|
|
||||||
--- a/arch/x86/kernel/cpu/cpu.h
|
|
||||||
+++ b/arch/x86/kernel/cpu/cpu.h
|
|
||||||
@@ -50,4 +50,6 @@ extern void cpu_detect_cache_sizes(struc
|
|
||||||
|
|
||||||
unsigned int aperfmperf_get_khz(int cpu);
|
|
||||||
|
|
||||||
+extern void x86_spec_ctrl_setup_ap(void);
|
|
||||||
+
|
|
||||||
#endif /* ARCH_X86_CPU_H */
|
|
||||||
--- a/arch/x86/kernel/cpu/intel.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/intel.c
|
|
||||||
@@ -189,6 +189,7 @@ static void early_init_intel(struct cpui
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_STIBP);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
|
|
||||||
+ setup_clear_cpu_cap(X86_FEATURE_RDS);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
|
@ -1,152 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Wed, 9 May 2018 23:01:01 +0200
|
|
||||||
Subject: x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit ccbcd2674472a978b48c91c1fbfb66c0ff959f24 upstream
|
|
||||||
|
|
||||||
AMD is proposing a VIRT_SPEC_CTRL MSR to handle the Speculative Store
|
|
||||||
Bypass Disable via MSR_AMD64_LS_CFG so that guests do not have to care
|
|
||||||
about the bit position of the SSBD bit and thus facilitate migration.
|
|
||||||
Also, the sibling coordination on Family 17H CPUs can only be done on
|
|
||||||
the host.
|
|
||||||
|
|
||||||
Extend x86_spec_ctrl_set_guest() and x86_spec_ctrl_restore_host() with an
|
|
||||||
extra argument for the VIRT_SPEC_CTRL MSR.
|
|
||||||
|
|
||||||
Hand in 0 from VMX and in SVM add a new virt_spec_ctrl member to the CPU
|
|
||||||
data structure which is going to be used in later patches for the actual
|
|
||||||
implementation.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/spec-ctrl.h | 9 ++++++---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++++++++--
|
|
||||||
arch/x86/kvm/svm.c | 11 +++++++++--
|
|
||||||
arch/x86/kvm/vmx.c | 5 +++--
|
|
||||||
4 files changed, 36 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
+++ b/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
@@ -10,10 +10,13 @@
|
|
||||||
* the guest has, while on VMEXIT we restore the host view. This
|
|
||||||
* would be easier if SPEC_CTRL were architecturally maskable or
|
|
||||||
* shadowable for guests but this is not (currently) the case.
|
|
||||||
- * Takes the guest view of SPEC_CTRL MSR as a parameter.
|
|
||||||
+ * Takes the guest view of SPEC_CTRL MSR as a parameter and also
|
|
||||||
+ * the guest's version of VIRT_SPEC_CTRL, if emulated.
|
|
||||||
*/
|
|
||||||
-extern void x86_spec_ctrl_set_guest(u64);
|
|
||||||
-extern void x86_spec_ctrl_restore_host(u64);
|
|
||||||
+extern void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl,
|
|
||||||
+ u64 guest_virt_spec_ctrl);
|
|
||||||
+extern void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl,
|
|
||||||
+ u64 guest_virt_spec_ctrl);
|
|
||||||
|
|
||||||
/* AMD specific Speculative Store Bypass MSR data */
|
|
||||||
extern u64 x86_amd_ls_cfg_base;
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -151,7 +151,15 @@ u64 x86_spec_ctrl_get_default(void)
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
|
|
||||||
|
|
||||||
-void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
|
|
||||||
+/**
|
|
||||||
+ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
|
|
||||||
+ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
|
|
||||||
+ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
|
|
||||||
+ * (may get translated to MSR_AMD64_LS_CFG bits)
|
|
||||||
+ *
|
|
||||||
+ * Avoids writing to the MSR if the content/bits are the same
|
|
||||||
+ */
|
|
||||||
+void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
|
|
||||||
{
|
|
||||||
u64 host = x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
@@ -168,7 +176,15 @@ void x86_spec_ctrl_set_guest(u64 guest_s
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
|
|
||||||
|
|
||||||
-void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
|
|
||||||
+/**
|
|
||||||
+ * x86_spec_ctrl_restore_host - Restore host speculation control registers
|
|
||||||
+ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
|
|
||||||
+ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
|
|
||||||
+ * (may get translated to MSR_AMD64_LS_CFG bits)
|
|
||||||
+ *
|
|
||||||
+ * Avoids writing to the MSR if the content/bits are the same
|
|
||||||
+ */
|
|
||||||
+void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
|
|
||||||
{
|
|
||||||
u64 host = x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
--- a/arch/x86/kvm/svm.c
|
|
||||||
+++ b/arch/x86/kvm/svm.c
|
|
||||||
@@ -192,6 +192,12 @@ struct vcpu_svm {
|
|
||||||
} host;
|
|
||||||
|
|
||||||
u64 spec_ctrl;
|
|
||||||
+ /*
|
|
||||||
+ * Contains guest-controlled bits of VIRT_SPEC_CTRL, which will be
|
|
||||||
+ * translated into the appropriate L2_CFG bits on the host to
|
|
||||||
+ * perform speculative control.
|
|
||||||
+ */
|
|
||||||
+ u64 virt_spec_ctrl;
|
|
||||||
|
|
||||||
u32 *msrpm;
|
|
||||||
|
|
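Review bot: the comment added above `u64 virt_spec_ctrl;` says the bits are translated into "L2_CFG bits", while the changelog and the kernel-doc added in bugs.c both name `MSR_AMD64_LS_CFG`. This looks like a typo for LS_CFG; please fix it so a search for the MSR name finds this field.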
||||||
@@ -1910,6 +1916,7 @@ static void svm_vcpu_reset(struct kvm_vc
|
|
||||||
|
|
||||||
vcpu->arch.microcode_version = 0x01000065;
|
|
||||||
svm->spec_ctrl = 0;
|
|
||||||
+ svm->virt_spec_ctrl = 0;
|
|
||||||
|
|
||||||
if (!init_event) {
|
|
||||||
svm->vcpu.arch.apic_base = APIC_DEFAULT_PHYS_BASE |
|
|
||||||
@@ -5401,7 +5408,7 @@ static void svm_vcpu_run(struct kvm_vcpu
|
|
||||||
* is no need to worry about the conditional branch over the wrmsr
|
|
||||||
* being speculatively taken.
|
|
||||||
*/
|
|
||||||
- x86_spec_ctrl_set_guest(svm->spec_ctrl);
|
|
||||||
+ x86_spec_ctrl_set_guest(svm->spec_ctrl, svm->virt_spec_ctrl);
|
|
||||||
|
|
||||||
asm volatile (
|
|
||||||
"push %%" _ASM_BP "; \n\t"
|
|
||||||
@@ -5525,7 +5532,7 @@ static void svm_vcpu_run(struct kvm_vcpu
|
|
||||||
if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
|
|
||||||
svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
|
|
||||||
|
|
||||||
- x86_spec_ctrl_restore_host(svm->spec_ctrl);
|
|
||||||
+ x86_spec_ctrl_restore_host(svm->spec_ctrl, svm->virt_spec_ctrl);
|
|
||||||
|
|
||||||
reload_tss(vcpu);
|
|
||||||
|
|
||||||
--- a/arch/x86/kvm/vmx.c
|
|
||||||
+++ b/arch/x86/kvm/vmx.c
|
|
||||||
@@ -9463,9 +9463,10 @@ static void __noclone vmx_vcpu_run(struc
|
|
||||||
* is no need to worry about the conditional branch over the wrmsr
|
|
||||||
* being speculatively taken.
|
|
||||||
*/
|
|
||||||
- x86_spec_ctrl_set_guest(vmx->spec_ctrl);
|
|
||||||
+ x86_spec_ctrl_set_guest(vmx->spec_ctrl, 0);
|
|
||||||
|
|
||||||
vmx->__launched = vmx->loaded_vmcs->launched;
|
|
||||||
+
|
|
||||||
asm(
|
|
||||||
/* Store host registers */
|
|
||||||
"push %%" _ASM_DX "; push %%" _ASM_BP ";"
|
|
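Review bot: this hunk adds an empty line between `vmx->__launched = vmx->loaded_vmcs->launched;` and `asm(` that has nothing to do with the new argument; drop it from the patch. The literal `0` passed as `guest_virt_spec_ctrl` to `x86_spec_ctrl_set_guest()` would read better with a short comment that VMX has no VIRT_SPEC_CTRL value to hand in, as the changelog explains.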
||||||
@@ -9601,7 +9602,7 @@ static void __noclone vmx_vcpu_run(struc
|
|
||||||
if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
|
|
||||||
vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
|
|
||||||
|
|
||||||
- x86_spec_ctrl_restore_host(vmx->spec_ctrl);
|
|
||||||
+ x86_spec_ctrl_restore_host(vmx->spec_ctrl, 0);
|
|
||||||
|
|
||||||
/* Eliminate branch target predictions from guest mode */
|
|
||||||
vmexit_fill_RSB();
|
|
|
@ -1,126 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:19 -0400
|
|
||||||
Subject: x86/bugs, KVM: Support the combination of guest and host IBRS
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 5cf687548705412da47c9cec342fd952d71ed3d5 upstream
|
|
||||||
|
|
||||||
A guest may modify the SPEC_CTRL MSR from the value used by the
|
|
||||||
kernel. Since the kernel doesn't use IBRS, this means a value of zero is
|
|
||||||
what is needed in the host.
|
|
||||||
|
|
||||||
But the 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to
|
|
||||||
the other bits as reserved so the kernel should respect the boot time
|
|
||||||
SPEC_CTRL value and use that.
|
|
||||||
|
|
||||||
This allows to deal with future extensions to the SPEC_CTRL interface if
|
|
||||||
any at all.
|
|
||||||
|
|
||||||
Note: This uses wrmsrl() instead of native_wrmsl(). I does not make any
|
|
||||||
difference as paravirt will over-write the callq *0xfff.. with the wrmsrl
|
|
||||||
assembler code.
|
|
||||||
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 10 ++++++++++
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 18 ++++++++++++++++++
|
|
||||||
arch/x86/kvm/svm.c | 6 ++----
|
|
||||||
arch/x86/kvm/vmx.c | 6 ++----
|
|
||||||
4 files changed, 32 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -228,6 +228,16 @@ enum spectre_v2_mitigation {
|
|
||||||
extern void x86_spec_ctrl_set(u64);
|
|
||||||
extern u64 x86_spec_ctrl_get_default(void);
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
|
|
||||||
+ * the guest has, while on VMEXIT we restore the host view. This
|
|
||||||
+ * would be easier if SPEC_CTRL were architecturally maskable or
|
|
||||||
+ * shadowable for guests but this is not (currently) the case.
|
|
||||||
+ * Takes the guest view of SPEC_CTRL MSR as a parameter.
|
|
||||||
+ */
|
|
||||||
+extern void x86_spec_ctrl_set_guest(u64);
|
|
||||||
+extern void x86_spec_ctrl_restore_host(u64);
|
|
||||||
+
|
|
||||||
extern char __indirect_thunk_start[];
|
|
||||||
extern char __indirect_thunk_end[];
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -123,6 +123,24 @@ u64 x86_spec_ctrl_get_default(void)
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
|
|
||||||
|
|
||||||
+void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
|
|
||||||
+{
|
|
||||||
+ if (!boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
+ return;
|
|
||||||
+ if (x86_spec_ctrl_base != guest_spec_ctrl)
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
|
|
||||||
+}
|
|
||||||
+EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
|
|
||||||
+
|
|
||||||
+void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
|
|
||||||
+{
|
|
||||||
+ if (!boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
+ return;
|
|
||||||
+ if (x86_spec_ctrl_base != guest_spec_ctrl)
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
|
|
||||||
+}
|
|
||||||
+EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
|
|
||||||
+
|
|
||||||
#ifdef RETPOLINE
|
|
||||||
static bool spectre_v2_bad_module;
|
|
||||||
|
|
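Review bot: `x86_spec_ctrl_set_guest()` and `x86_spec_ctrl_restore_host()` are exported with no comment in this file, and both return early on `!boot_cpu_has(X86_FEATURE_IBRS)`, a condition the replaced SVM and VMX call sites did not have (they wrote the MSR whenever `spec_ctrl` was non-zero). Please document why the feature bit is a safe gate for the guest path, and note that the skip test now compares against the boot-time `x86_spec_ctrl_base` rather than using the previous `spec_ctrl != 0` check.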
||||||
--- a/arch/x86/kvm/svm.c
|
|
||||||
+++ b/arch/x86/kvm/svm.c
|
|
||||||
@@ -5401,8 +5401,7 @@ static void svm_vcpu_run(struct kvm_vcpu
|
|
||||||
* is no need to worry about the conditional branch over the wrmsr
|
|
||||||
* being speculatively taken.
|
|
||||||
*/
|
|
||||||
- if (svm->spec_ctrl)
|
|
||||||
- native_wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
|
|
||||||
+ x86_spec_ctrl_set_guest(svm->spec_ctrl);
|
|
||||||
|
|
||||||
asm volatile (
|
|
||||||
"push %%" _ASM_BP "; \n\t"
|
|
||||||
@@ -5514,8 +5513,7 @@ static void svm_vcpu_run(struct kvm_vcpu
|
|
||||||
if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
|
|
||||||
svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
|
|
||||||
|
|
||||||
- if (svm->spec_ctrl)
|
|
||||||
- native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
|
|
||||||
+ x86_spec_ctrl_restore_host(svm->spec_ctrl);
|
|
||||||
|
|
||||||
/* Eliminate branch target predictions from guest mode */
|
|
||||||
vmexit_fill_RSB();
|
|
||||||
--- a/arch/x86/kvm/vmx.c
|
|
||||||
+++ b/arch/x86/kvm/vmx.c
|
|
||||||
@@ -9466,8 +9466,7 @@ static void __noclone vmx_vcpu_run(struc
|
|
||||||
* is no need to worry about the conditional branch over the wrmsr
|
|
||||||
* being speculatively taken.
|
|
||||||
*/
|
|
||||||
- if (vmx->spec_ctrl)
|
|
||||||
- native_wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
|
|
||||||
+ x86_spec_ctrl_set_guest(vmx->spec_ctrl);
|
|
||||||
|
|
||||||
vmx->__launched = vmx->loaded_vmcs->launched;
|
|
||||||
asm(
|
|
||||||
@@ -9605,8 +9604,7 @@ static void __noclone vmx_vcpu_run(struc
|
|
||||||
if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
|
|
||||||
vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
|
|
||||||
|
|
||||||
- if (vmx->spec_ctrl)
|
|
||||||
- native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
|
|
||||||
+ x86_spec_ctrl_restore_host(vmx->spec_ctrl);
|
|
||||||
|
|
||||||
/* Eliminate branch target predictions from guest mode */
|
|
||||||
vmexit_fill_RSB();
|
|
|
@ -1,39 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
Date: Thu, 3 May 2018 15:03:30 -0700
|
|
||||||
Subject: x86/bugs: Make boot modes __ro_after_init
|
|
||||||
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
|
|
||||||
commit f9544b2b076ca90d887c5ae5d74fab4c21bb7c13 upstream
|
|
||||||
|
|
||||||
There's no reason for these to be changed after boot.
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 5 +++--
|
|
||||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -129,7 +129,8 @@ static const char *spectre_v2_strings[]
|
|
||||||
#undef pr_fmt
|
|
||||||
#define pr_fmt(fmt) "Spectre V2 : " fmt
|
|
||||||
|
|
||||||
-static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
|
|
||||||
+static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
|
|
||||||
+ SPECTRE_V2_NONE;
|
|
||||||
|
|
||||||
void x86_spec_ctrl_set(u64 val)
|
|
||||||
{
|
|
||||||
@@ -407,7 +408,7 @@ retpoline_auto:
|
|
||||||
#undef pr_fmt
|
|
||||||
#define pr_fmt(fmt) "Speculative Store Bypass: " fmt
|
|
||||||
|
|
||||||
-static enum ssb_mitigation ssb_mode = SPEC_STORE_BYPASS_NONE;
|
|
||||||
+static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
|
|
||||||
|
|
||||||
/* The kernel command line selection */
|
|
||||||
enum ssb_mitigation_cmd {
|
|
|
@ -1,30 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Jiri Kosina <jkosina@suse.cz>
|
|
||||||
Date: Thu, 10 May 2018 22:47:32 +0200
|
|
||||||
Subject: x86/bugs: Make cpu_show_common() static
|
|
||||||
|
|
||||||
From: Jiri Kosina <jkosina@suse.cz>
|
|
||||||
|
|
||||||
commit 7bb4d366cba992904bffa4820d24e70a3de93e76 upstream
|
|
||||||
|
|
||||||
cpu_show_common() is not used outside of arch/x86/kernel/cpu/bugs.c, so
|
|
||||||
make it static.
|
|
||||||
|
|
||||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -640,7 +640,7 @@ void x86_spec_ctrl_setup_ap(void)
|
|
||||||
|
|
||||||
#ifdef CONFIG_SYSFS
|
|
||||||
|
|
||||||
-ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
|
|
||||||
+static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
|
|
||||||
char *buf, unsigned int bug)
|
|
||||||
{
|
|
||||||
if (!boot_cpu_has_bug(bug))
|
|
|
@ -1,261 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:21 -0400
|
|
||||||
Subject: x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 24f7fc83b9204d20f878c57cb77d261ae825e033 upstream
|
|
||||||
|
|
||||||
Contemporary high performance processors use a common industry-wide
|
|
||||||
optimization known as "Speculative Store Bypass" in which loads from
|
|
||||||
addresses to which a recent store has occurred may (speculatively) see an
|
|
||||||
older value. Intel refers to this feature as "Memory Disambiguation" which
|
|
||||||
is part of their "Smart Memory Access" capability.
|
|
||||||
|
|
||||||
Memory Disambiguation can expose a cache side-channel attack against such
|
|
||||||
speculatively read values. An attacker can create exploit code that allows
|
|
||||||
them to read memory outside of a sandbox environment (for example,
|
|
||||||
malicious JavaScript in a web page), or to perform more complex attacks
|
|
||||||
against code running within the same privilege level, e.g. via the stack.
|
|
||||||
|
|
||||||
As a first step to mitigate against such attacks, provide two boot command
|
|
||||||
line control knobs:
|
|
||||||
|
|
||||||
nospec_store_bypass_disable
|
|
||||||
spec_store_bypass_disable=[off,auto,on]
|
|
||||||
|
|
||||||
By default affected x86 processors will power on with Speculative
|
|
||||||
Store Bypass enabled. Hence the provided kernel parameters are written
|
|
||||||
from the point of view of whether to enable a mitigation or not.
|
|
||||||
The parameters are as follows:
|
|
||||||
|
|
||||||
- auto - Kernel detects whether your CPU model contains an implementation
|
|
||||||
of Speculative Store Bypass and picks the most appropriate
|
|
||||||
mitigation.
|
|
||||||
|
|
||||||
- on - disable Speculative Store Bypass
|
|
||||||
- off - enable Speculative Store Bypass
|
|
||||||
|
|
||||||
[ tglx: Reordered the checks so that the whole evaluation is not done
|
|
||||||
when the CPU does not support RDS ]
|
|
||||||
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
Documentation/admin-guide/kernel-parameters.txt | 33 +++++++
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 1
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 6 +
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 103 ++++++++++++++++++++++++
|
|
||||||
4 files changed, 143 insertions(+)
|
|
||||||
|
|
||||||
--- a/Documentation/admin-guide/kernel-parameters.txt
|
|
||||||
+++ b/Documentation/admin-guide/kernel-parameters.txt
|
|
||||||
@@ -2647,6 +2647,9 @@
|
|
||||||
allow data leaks with this option, which is equivalent
|
|
||||||
to spectre_v2=off.
|
|
||||||
|
|
||||||
+ nospec_store_bypass_disable
|
|
||||||
+ [HW] Disable all mitigations for the Speculative Store Bypass vulnerability
|
|
||||||
+
|
|
||||||
noxsave [BUGS=X86] Disables x86 extended register state save
|
|
||||||
and restore using xsave. The kernel will fallback to
|
|
||||||
enabling legacy floating-point and sse state.
|
|
||||||
@@ -3997,6 +4000,36 @@
|
|
||||||
Not specifying this option is equivalent to
|
|
||||||
spectre_v2=auto.
|
|
||||||
|
|
||||||
+ spec_store_bypass_disable=
|
|
||||||
+ [HW] Control Speculative Store Bypass (SSB) Disable mitigation
|
|
||||||
+ (Speculative Store Bypass vulnerability)
|
|
||||||
+
|
|
||||||
+ Certain CPUs are vulnerable to an exploit against a
|
|
||||||
+ a common industry wide performance optimization known
|
|
||||||
+ as "Speculative Store Bypass" in which recent stores
|
|
||||||
+ to the same memory location may not be observed by
|
|
||||||
+ later loads during speculative execution. The idea
|
|
||||||
+ is that such stores are unlikely and that they can
|
|
||||||
+ be detected prior to instruction retirement at the
|
|
||||||
+ end of a particular speculation execution window.
|
|
||||||
+
|
|
||||||
+ In vulnerable processors, the speculatively forwarded
|
|
||||||
+ store can be used in a cache side channel attack, for
|
|
||||||
+ example to read memory to which the attacker does not
|
|
||||||
+ directly have access (e.g. inside sandboxed code).
|
|
||||||
+
|
|
||||||
+ This parameter controls whether the Speculative Store
|
|
||||||
+ Bypass optimization is used.
|
|
||||||
+
|
|
||||||
+ on - Unconditionally disable Speculative Store Bypass
|
|
||||||
+ off - Unconditionally enable Speculative Store Bypass
|
|
||||||
+ auto - Kernel detects whether the CPU model contains an
|
|
||||||
+ implementation of Speculative Store Bypass and
|
|
||||||
+ picks the most appropriate mitigation
|
|
||||||
+
|
|
||||||
+ Not specifying this option is equivalent to
|
|
||||||
+ spec_store_bypass_disable=auto.
|
|
||||||
+
|
|
||||||
spia_io_base= [HW,MTD]
|
|
||||||
spia_fio_base=
|
|
||||||
spia_pedr=
|
|
||||||
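Review bot: The `off` entry is documented as "Unconditionally enable Speculative Store Bypass", but the option table this same patch adds to arch/x86/kernel/cpu/bugs.c comments `off` as "Don't touch Speculative Store Bypass", and the selection code takes no action for that command. The text should say that the kernel leaves the processor setting as it found it, rather than promising to enable the optimization. Also in this hunk, "an exploit against a" followed on the next line by "a common industry wide" repeats the article, and "particular speculation execution window" probably wants "speculative".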
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -214,6 +214,7 @@
|
|
||||||
|
|
||||||
#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
|
|
||||||
#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
|
|
||||||
+#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
|
|
||||||
|
|
||||||
/* Virtualization flags: Linux defined, word 8 */
|
|
||||||
#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
|
|
||||||
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -238,6 +238,12 @@ extern u64 x86_spec_ctrl_get_default(voi
|
|
||||||
extern void x86_spec_ctrl_set_guest(u64);
|
|
||||||
extern void x86_spec_ctrl_restore_host(u64);
|
|
||||||
|
|
||||||
+/* The Speculative Store Bypass disable variants */
|
|
||||||
+enum ssb_mitigation {
|
|
||||||
+ SPEC_STORE_BYPASS_NONE,
|
|
||||||
+ SPEC_STORE_BYPASS_DISABLE,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
extern char __indirect_thunk_start[];
|
|
||||||
extern char __indirect_thunk_end[];
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -27,6 +27,7 @@
|
|
||||||
#include <asm/intel-family.h>
|
|
||||||
|
|
||||||
static void __init spectre_v2_select_mitigation(void);
|
|
||||||
+static void __init ssb_select_mitigation(void);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
|
|
||||||
@@ -53,6 +54,12 @@ void __init check_bugs(void)
|
|
||||||
/* Select the proper spectre mitigation before patching alternatives */
|
|
||||||
spectre_v2_select_mitigation();
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Select proper mitigation for any exposure to the Speculative Store
|
|
||||||
+ * Bypass vulnerability.
|
|
||||||
+ */
|
|
||||||
+ ssb_select_mitigation();
|
|
||||||
+
|
|
||||||
#ifdef CONFIG_X86_32
|
|
||||||
/*
|
|
||||||
* Check whether we are able to run this kernel safely on SMP.
|
|
||||||
@@ -358,6 +365,99 @@ retpoline_auto:
|
|
||||||
}
|
|
||||||
|
|
||||||
#undef pr_fmt
|
|
||||||
+#define pr_fmt(fmt) "Speculative Store Bypass: " fmt
|
|
||||||
+
|
|
||||||
+static enum ssb_mitigation ssb_mode = SPEC_STORE_BYPASS_NONE;
|
|
||||||
+
|
|
||||||
+/* The kernel command line selection */
|
|
||||||
+enum ssb_mitigation_cmd {
|
|
||||||
+ SPEC_STORE_BYPASS_CMD_NONE,
|
|
||||||
+ SPEC_STORE_BYPASS_CMD_AUTO,
|
|
||||||
+ SPEC_STORE_BYPASS_CMD_ON,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const char *ssb_strings[] = {
|
|
||||||
+ [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
|
|
||||||
+ [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled"
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const struct {
|
|
||||||
+ const char *option;
|
|
||||||
+ enum ssb_mitigation_cmd cmd;
|
|
||||||
+} ssb_mitigation_options[] = {
|
|
||||||
+ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
|
|
||||||
+ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
|
|
||||||
+ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
|
|
||||||
+{
|
|
||||||
+ enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
|
|
||||||
+ char arg[20];
|
|
||||||
+ int ret, i;
|
|
||||||
+
|
|
||||||
+ if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
|
|
||||||
+ return SPEC_STORE_BYPASS_CMD_NONE;
|
|
||||||
+ } else {
|
|
||||||
+ ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
|
|
||||||
+ arg, sizeof(arg));
|
|
||||||
+ if (ret < 0)
|
|
||||||
+ return SPEC_STORE_BYPASS_CMD_AUTO;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
|
|
||||||
+ if (!match_option(arg, ret, ssb_mitigation_options[i].option))
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ cmd = ssb_mitigation_options[i].cmd;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
|
|
||||||
+ pr_err("unknown option (%s). Switching to AUTO select\n", arg);
|
|
||||||
+ return SPEC_STORE_BYPASS_CMD_AUTO;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return cmd;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
|
|
||||||
+{
|
|
||||||
+ enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
|
|
||||||
+ enum ssb_mitigation_cmd cmd;
|
|
||||||
+
|
|
||||||
+ if (!boot_cpu_has(X86_FEATURE_RDS))
|
|
||||||
+ return mode;
|
|
||||||
+
|
|
||||||
+ cmd = ssb_parse_cmdline();
|
|
||||||
+ if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
|
|
||||||
+ (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
|
|
||||||
+ cmd == SPEC_STORE_BYPASS_CMD_AUTO))
|
|
||||||
+ return mode;
|
|
||||||
+
|
|
||||||
+ switch (cmd) {
|
|
||||||
+ case SPEC_STORE_BYPASS_CMD_AUTO:
|
|
||||||
+ case SPEC_STORE_BYPASS_CMD_ON:
|
|
||||||
+ mode = SPEC_STORE_BYPASS_DISABLE;
|
|
||||||
+ break;
|
|
||||||
+ case SPEC_STORE_BYPASS_CMD_NONE:
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (mode != SPEC_STORE_BYPASS_NONE)
|
|
||||||
+ setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
|
|
||||||
+ return mode;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void ssb_select_mitigation()
|
|
||||||
+{
|
|
||||||
+ ssb_mode = __ssb_select_mitigation();
|
|
||||||
+
|
|
||||||
+ if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
|
|
||||||
+ pr_info("%s\n", ssb_strings[ssb_mode]);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#undef pr_fmt
|
|
||||||
|
|
||||||
#ifdef CONFIG_SYSFS
|
|
||||||
|
|
||||||
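Review bot: `__ssb_select_mitigation()` is declared as returning `enum ssb_mitigation_cmd`, but every `return` in it hands back `mode`, which is an `enum ssb_mitigation`, and the caller stores the result in `ssb_mode`, also an `enum ssb_mitigation`. The return type should be `enum ssb_mitigation`; as written it only works because both enums are plain integers. In the same hunk the definition `static void ssb_select_mitigation()` drops the `__init` and `(void)` that its forward declaration `static void __init ssb_select_mitigation(void);` carries. The two should match, since the only caller shown is `check_bugs()`, which is itself `__init`.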
@@ -383,6 +483,9 @@ ssize_t cpu_show_common(struct device *d
|
|
||||||
boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
|
|
||||||
spectre_v2_module_string());
|
|
||||||
|
|
||||||
+ case X86_BUG_SPEC_STORE_BYPASS:
|
|
||||||
+ return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
|
|
||||||
+
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
|
@ -1,136 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:18 -0400
|
|
||||||
Subject: x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 1b86883ccb8d5d9506529d42dbe1a5257cb30b18 upstream
|
|
||||||
|
|
||||||
The 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to all
|
|
||||||
the other bits as reserved. The Intel SDM glossary defines reserved as
|
|
||||||
implementation specific - aka unknown.
|
|
||||||
|
|
||||||
As such at bootup this must be taken into account and proper masking for
|
|
||||||
the bits in use applied.
|
|
||||||
|
|
||||||
A copy of this document is available at
|
|
||||||
https://bugzilla.kernel.org/show_bug.cgi?id=199511
|
|
||||||
|
|
||||||
[ tglx: Made x86_spec_ctrl_base __ro_after_init ]
|
|
||||||
|
|
||||||
Suggested-by: Jon Masters <jcm@redhat.com>
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 24 ++++++++++++++++++++----
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 28 ++++++++++++++++++++++++++++
|
|
||||||
2 files changed, 48 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -217,6 +217,17 @@ enum spectre_v2_mitigation {
|
|
||||||
SPECTRE_V2_IBRS,
|
|
||||||
};
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * The Intel specification for the SPEC_CTRL MSR requires that we
|
|
||||||
+ * preserve any already set reserved bits at boot time (e.g. for
|
|
||||||
+ * future additions that this kernel is not currently aware of).
|
|
||||||
+ * We then set any additional mitigation bits that we want
|
|
||||||
+ * ourselves and always use this as the base for SPEC_CTRL.
|
|
||||||
+ * We also use this when handling guest entry/exit as below.
|
|
||||||
+ */
|
|
||||||
+extern void x86_spec_ctrl_set(u64);
|
|
||||||
+extern u64 x86_spec_ctrl_get_default(void);
|
|
||||||
+
|
|
||||||
extern char __indirect_thunk_start[];
|
|
||||||
extern char __indirect_thunk_end[];
|
|
||||||
|
|
||||||
@@ -254,8 +265,9 @@ void alternative_msr_write(unsigned int
|
|
||||||
|
|
||||||
static inline void indirect_branch_prediction_barrier(void)
|
|
||||||
{
|
|
||||||
- alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB,
|
|
||||||
- X86_FEATURE_USE_IBPB);
|
|
||||||
+ u64 val = PRED_CMD_IBPB;
|
|
||||||
+
|
|
||||||
+ alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -266,14 +278,18 @@ static inline void indirect_branch_predi
|
|
||||||
*/
|
|
||||||
#define firmware_restrict_branch_speculation_start() \
|
|
||||||
do { \
|
|
||||||
+ u64 val = x86_spec_ctrl_get_default() | SPEC_CTRL_IBRS; \
|
|
||||||
+ \
|
|
||||||
preempt_disable(); \
|
|
||||||
- alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, \
|
|
||||||
+ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \
|
|
||||||
X86_FEATURE_USE_IBRS_FW); \
|
|
||||||
} while (0)
|
|
||||||
|
|
||||||
#define firmware_restrict_branch_speculation_end() \
|
|
||||||
do { \
|
|
||||||
- alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, \
|
|
||||||
+ u64 val = x86_spec_ctrl_get_default(); \
|
|
||||||
+ \
|
|
||||||
+ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \
|
|
||||||
X86_FEATURE_USE_IBRS_FW); \
|
|
||||||
preempt_enable(); \
|
|
||||||
} while (0)
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -28,6 +28,12 @@
|
|
||||||
|
|
||||||
static void __init spectre_v2_select_mitigation(void);
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
|
|
||||||
+ * writes to SPEC_CTRL contain whatever reserved bits have been set.
|
|
||||||
+ */
|
|
||||||
+static u64 __ro_after_init x86_spec_ctrl_base;
|
|
||||||
+
|
|
||||||
void __init check_bugs(void)
|
|
||||||
{
|
|
||||||
identify_boot_cpu();
|
|
||||||
@@ -37,6 +43,13 @@ void __init check_bugs(void)
|
|
||||||
print_cpu_info(&boot_cpu_data);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Read the SPEC_CTRL MSR to account for reserved bits which may
|
|
||||||
+ * have unknown values.
|
|
||||||
+ */
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
+ rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
|
|
||||||
+
|
|
||||||
/* Select the proper spectre mitigation before patching alternatives */
|
|
||||||
spectre_v2_select_mitigation();
|
|
||||||
|
|
||||||
@@ -95,6 +108,21 @@ static const char *spectre_v2_strings[]
|
|
||||||
|
|
||||||
static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
|
|
||||||
|
|
||||||
+void x86_spec_ctrl_set(u64 val)
|
|
||||||
+{
|
|
||||||
+ if (val & ~SPEC_CTRL_IBRS)
|
|
||||||
+ WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
|
|
||||||
+ else
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
|
|
||||||
+}
|
|
||||||
+EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);
|
|
||||||
+
|
|
||||||
+u64 x86_spec_ctrl_get_default(void)
|
|
||||||
+{
|
|
||||||
+ return x86_spec_ctrl_base;
|
|
||||||
+}
|
|
||||||
+EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
|
|
||||||
+
|
|
||||||
#ifdef RETPOLINE
|
|
||||||
static bool spectre_v2_bad_module;
|
|
||||||
|
|
|
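Review bot: In `x86_spec_ctrl_set()`, a value with any bit other than `SPEC_CTRL_IBRS` set triggers `WARN_ONCE` and then skips the `wrmsrl()` entirely, so the caller's request is dropped, the function returns `void` and cannot signal that, and only the first occurrence is ever logged. Since the symbol is exported with `EXPORT_SYMBOL_GPL`, either return an error code or state this contract in the header comment added to nospec-branch.h. The format `0x%16llx` pads with spaces rather than zeros; `0x%016llx` looks like what was intended.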
@ -1,70 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Sat, 12 May 2018 20:53:14 +0200
|
|
||||||
Subject: x86/bugs: Remove x86_spec_ctrl_set()
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 4b59bdb569453a60b752b274ca61f009e37f4dae upstream
|
|
||||||
|
|
||||||
x86_spec_ctrl_set() is only used in bugs.c and the extra mask checks there
|
|
||||||
provide no real value as both call sites can just write x86_spec_ctrl_base
|
|
||||||
to MSR_SPEC_CTRL. x86_spec_ctrl_base is valid and does not need any extra
|
|
||||||
masking or checking.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 2 --
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 13 ++-----------
|
|
||||||
2 files changed, 2 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -217,8 +217,6 @@ enum spectre_v2_mitigation {
|
|
||||||
SPECTRE_V2_IBRS,
|
|
||||||
};
|
|
||||||
|
|
||||||
-extern void x86_spec_ctrl_set(u64);
|
|
||||||
-
|
|
||||||
/* The Speculative Store Bypass disable variants */
|
|
||||||
enum ssb_mitigation {
|
|
||||||
SPEC_STORE_BYPASS_NONE,
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -133,15 +133,6 @@ static const char *spectre_v2_strings[]
|
|
||||||
static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
|
|
||||||
SPECTRE_V2_NONE;
|
|
||||||
|
|
||||||
-void x86_spec_ctrl_set(u64 val)
|
|
||||||
-{
|
|
||||||
- if (val & x86_spec_ctrl_mask)
|
|
||||||
- WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
|
|
||||||
- else
|
|
||||||
- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
|
|
||||||
-}
|
|
||||||
-EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);
|
|
||||||
-
|
|
||||||
void
|
|
||||||
x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
|
|
||||||
{
|
|
||||||
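Review bot: The deleted `x86_spec_ctrl_set()` carried `EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);`, so this removal shrinks the set of symbols available to modules, and the commit message covers that only with "only used in bugs.c". A sentence saying that the export had no users would make the removal easier to audit, particularly for stable backports where out-of-tree callers of the original export may exist.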
@@ -503,7 +494,7 @@ static enum ssb_mitigation __init __ssb_
|
|
||||||
case X86_VENDOR_INTEL:
|
|
||||||
x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
|
|
||||||
x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD;
|
|
||||||
- x86_spec_ctrl_set(SPEC_CTRL_SSBD);
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
|
|
||||||
break;
|
|
||||||
case X86_VENDOR_AMD:
|
|
||||||
x86_amd_ssb_disable();
|
|
||||||
@@ -615,7 +606,7 @@ int arch_prctl_spec_ctrl_get(struct task
|
|
||||||
void x86_spec_ctrl_setup_ap(void)
|
|
||||||
{
|
|
||||||
if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
- x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
|
|
||||||
|
|
||||||
if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
|
|
||||||
x86_amd_ssb_disable();
|
|
|
@ -1,380 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 9 May 2018 21:41:38 +0200
|
|
||||||
Subject: x86/bugs: Rename _RDS to _SSBD
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 9f65fb29374ee37856dbad847b4e121aab72b510 upstream
|
|
||||||
|
|
||||||
Intel collateral will reference the SSB mitigation bit in IA32_SPEC_CTL[2]
|
|
||||||
as SSBD (Speculative Store Bypass Disable).
|
|
||||||
|
|
||||||
Hence changing it.
|
|
||||||
|
|
||||||
It is unclear yet what the MSR_IA32_ARCH_CAPABILITIES (0x10a) Bit(4) name
|
|
||||||
is going to be. Following the rename it would be SSBD_NO but that rolls out
|
|
||||||
to Speculative Store Bypass Disable No.
|
|
||||||
|
|
||||||
Also fixed the missing space in X86_FEATURE_AMD_SSBD.
|
|
||||||
|
|
||||||
[ tglx: Fixup x86_amd_rds_enable() and rds_tif_to_amd_ls_cfg() as well ]
|
|
||||||
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 4 ++--
|
|
||||||
arch/x86/include/asm/msr-index.h | 10 +++++-----
|
|
||||||
arch/x86/include/asm/spec-ctrl.h | 12 ++++++------
|
|
||||||
arch/x86/include/asm/thread_info.h | 6 +++---
|
|
||||||
arch/x86/kernel/cpu/amd.c | 14 +++++++-------
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 36 ++++++++++++++++++------------------
|
|
||||||
arch/x86/kernel/cpu/common.c | 2 +-
|
|
||||||
arch/x86/kernel/cpu/intel.c | 2 +-
|
|
||||||
arch/x86/kernel/process.c | 8 ++++----
|
|
||||||
arch/x86/kvm/cpuid.c | 2 +-
|
|
||||||
arch/x86/kvm/vmx.c | 6 +++---
|
|
||||||
11 files changed, 51 insertions(+), 51 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -215,7 +215,7 @@
|
|
||||||
#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
|
|
||||||
#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
|
|
||||||
#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
|
|
||||||
-#define X86_FEATURE_AMD_RDS (7*32+24) /* "" AMD RDS implementation */
|
|
||||||
+#define X86_FEATURE_AMD_SSBD ( 7*32+24) /* "" AMD SSBD implementation */
|
|
||||||
|
|
||||||
/* Virtualization flags: Linux defined, word 8 */
|
|
||||||
#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
|
|
||||||
@@ -335,7 +335,7 @@
|
|
||||||
#define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
|
|
||||||
#define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */
|
|
||||||
#define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
|
|
||||||
-#define X86_FEATURE_RDS (18*32+31) /* Reduced Data Speculation */
|
|
||||||
+#define X86_FEATURE_SSBD (18*32+31) /* Speculative Store Bypass Disable */
|
|
||||||
|
|
||||||
/*
|
|
||||||
* BUG word(s)
|
|
||||||
--- a/arch/x86/include/asm/msr-index.h
|
|
||||||
+++ b/arch/x86/include/asm/msr-index.h
|
|
||||||
@@ -42,8 +42,8 @@
|
|
||||||
#define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */
|
|
||||||
#define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */
|
|
||||||
#define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */
|
|
||||||
-#define SPEC_CTRL_RDS_SHIFT 2 /* Reduced Data Speculation bit */
|
|
||||||
-#define SPEC_CTRL_RDS (1 << SPEC_CTRL_RDS_SHIFT) /* Reduced Data Speculation */
|
|
||||||
+#define SPEC_CTRL_SSBD_SHIFT 2 /* Speculative Store Bypass Disable bit */
|
|
||||||
+#define SPEC_CTRL_SSBD (1 << SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */
|
|
||||||
|
|
||||||
#define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */
|
|
||||||
#define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */
|
|
||||||
@@ -70,10 +70,10 @@
|
|
||||||
#define MSR_IA32_ARCH_CAPABILITIES 0x0000010a
|
|
||||||
#define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */
|
|
||||||
#define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */
|
|
||||||
-#define ARCH_CAP_RDS_NO (1 << 4) /*
|
|
||||||
+#define ARCH_CAP_SSBD_NO (1 << 4) /*
|
|
||||||
* Not susceptible to Speculative Store Bypass
|
|
||||||
- * attack, so no Reduced Data Speculation control
|
|
||||||
- * required.
|
|
||||||
+ * attack, so no Speculative Store Bypass
|
|
||||||
+ * control required.
|
|
||||||
*/
|
|
||||||
|
|
||||||
#define MSR_IA32_BBL_CR_CTL 0x00000119
|
|
||||||
--- a/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
+++ b/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
@@ -17,20 +17,20 @@ extern void x86_spec_ctrl_restore_host(u
|
|
||||||
|
|
||||||
/* AMD specific Speculative Store Bypass MSR data */
|
|
||||||
extern u64 x86_amd_ls_cfg_base;
|
|
||||||
-extern u64 x86_amd_ls_cfg_rds_mask;
|
|
||||||
+extern u64 x86_amd_ls_cfg_ssbd_mask;
|
|
||||||
|
|
||||||
/* The Intel SPEC CTRL MSR base value cache */
|
|
||||||
extern u64 x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
-static inline u64 rds_tif_to_spec_ctrl(u64 tifn)
|
|
||||||
+static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
|
|
||||||
{
|
|
||||||
- BUILD_BUG_ON(TIF_RDS < SPEC_CTRL_RDS_SHIFT);
|
|
||||||
- return (tifn & _TIF_RDS) >> (TIF_RDS - SPEC_CTRL_RDS_SHIFT);
|
|
||||||
+ BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
|
|
||||||
+ return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static inline u64 rds_tif_to_amd_ls_cfg(u64 tifn)
|
|
||||||
+static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
|
|
||||||
{
|
|
||||||
- return (tifn & _TIF_RDS) ? x86_amd_ls_cfg_rds_mask : 0ULL;
|
|
||||||
+ return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
extern void speculative_store_bypass_update(void);
|
|
||||||
--- a/arch/x86/include/asm/thread_info.h
|
|
||||||
+++ b/arch/x86/include/asm/thread_info.h
|
|
||||||
@@ -79,7 +79,7 @@ struct thread_info {
|
|
||||||
#define TIF_SIGPENDING 2 /* signal pending */
|
|
||||||
#define TIF_NEED_RESCHED 3 /* rescheduling necessary */
|
|
||||||
#define TIF_SINGLESTEP 4 /* reenable singlestep on user return*/
|
|
||||||
-#define TIF_RDS 5 /* Reduced data speculation */
|
|
||||||
+#define TIF_SSBD 5 /* Reduced data speculation */
|
|
||||||
#define TIF_SYSCALL_EMU 6 /* syscall emulation active */
|
|
||||||
#define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */
|
|
||||||
#define TIF_SECCOMP 8 /* secure computing */
|
|
||||||
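Review bot: The renamed define `TIF_SSBD` keeps the old trailing comment, `/* Reduced data speculation */`, which is the RDS terminology this patch is removing everywhere else. Update the comment to match the new name, for example `/* Speculative store bypass disable */`, so a later search for "Reduced data speculation" in the tree comes back empty.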
@@ -106,7 +106,7 @@ struct thread_info {
|
|
||||||
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
|
|
||||||
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
|
|
||||||
#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP)
|
|
||||||
-#define _TIF_RDS (1 << TIF_RDS)
|
|
||||||
+#define _TIF_SSBD (1 << TIF_SSBD)
|
|
||||||
#define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU)
|
|
||||||
#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
|
|
||||||
#define _TIF_SECCOMP (1 << TIF_SECCOMP)
|
|
||||||
@@ -146,7 +146,7 @@ struct thread_info {
|
|
||||||
|
|
||||||
/* flags to check in __switch_to() */
|
|
||||||
#define _TIF_WORK_CTXSW \
|
|
||||||
- (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_RDS)
|
|
||||||
+ (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD)
|
|
||||||
|
|
||||||
#define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY)
|
|
||||||
#define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW)
|
|
||||||
--- a/arch/x86/kernel/cpu/amd.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/amd.c
|
|
||||||
@@ -567,12 +567,12 @@ static void bsp_init_amd(struct cpuinfo_
|
|
||||||
}
|
|
||||||
/*
|
|
||||||
* Try to cache the base value so further operations can
|
|
||||||
- * avoid RMW. If that faults, do not enable RDS.
|
|
||||||
+ * avoid RMW. If that faults, do not enable SSBD.
|
|
||||||
*/
|
|
||||||
if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) {
|
|
||||||
- setup_force_cpu_cap(X86_FEATURE_RDS);
|
|
||||||
- setup_force_cpu_cap(X86_FEATURE_AMD_RDS);
|
|
||||||
- x86_amd_ls_cfg_rds_mask = 1ULL << bit;
|
|
||||||
+ setup_force_cpu_cap(X86_FEATURE_SSBD);
|
|
||||||
+ setup_force_cpu_cap(X86_FEATURE_AMD_SSBD);
|
|
||||||
+ x86_amd_ls_cfg_ssbd_mask = 1ULL << bit;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -920,9 +920,9 @@ static void init_amd(struct cpuinfo_x86
|
|
||||||
if (!cpu_has(c, X86_FEATURE_XENPV))
|
|
||||||
set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
|
|
||||||
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_AMD_RDS)) {
|
|
||||||
- set_cpu_cap(c, X86_FEATURE_RDS);
|
|
||||||
- set_cpu_cap(c, X86_FEATURE_AMD_RDS);
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) {
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_SSBD);
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_AMD_SSBD);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -45,10 +45,10 @@ static u64 __ro_after_init x86_spec_ctrl
|
|
||||||
|
|
||||||
/*
|
|
||||||
* AMD specific MSR info for Speculative Store Bypass control.
|
|
||||||
- * x86_amd_ls_cfg_rds_mask is initialized in identify_boot_cpu().
|
|
||||||
+ * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
|
|
||||||
*/
|
|
||||||
u64 __ro_after_init x86_amd_ls_cfg_base;
|
|
||||||
-u64 __ro_after_init x86_amd_ls_cfg_rds_mask;
|
|
||||||
+u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
|
|
||||||
|
|
||||||
void __init check_bugs(void)
|
|
||||||
{
|
|
||||||
@@ -146,7 +146,7 @@ u64 x86_spec_ctrl_get_default(void)
|
|
||||||
u64 msrval = x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
||||||
- msrval |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
+ msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
return msrval;
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
|
|
||||||
@@ -159,7 +159,7 @@ void x86_spec_ctrl_set_guest(u64 guest_s
|
|
||||||
return;
|
|
||||||
|
|
||||||
if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
||||||
- host |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
+ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
|
|
||||||
if (host != guest_spec_ctrl)
|
|
||||||
wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
|
|
||||||
@@ -174,18 +174,18 @@ void x86_spec_ctrl_restore_host(u64 gues
|
|
||||||
return;
|
|
||||||
|
|
||||||
if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
||||||
- host |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
+ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
|
|
||||||
if (host != guest_spec_ctrl)
|
|
||||||
wrmsrl(MSR_IA32_SPEC_CTRL, host);
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
|
|
||||||
|
|
||||||
-static void x86_amd_rds_enable(void)
|
|
||||||
+static void x86_amd_ssb_disable(void)
|
|
||||||
{
|
|
||||||
- u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_rds_mask;
|
|
||||||
+ u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
|
|
||||||
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_AMD_RDS))
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_AMD_SSBD))
|
|
||||||
wrmsrl(MSR_AMD64_LS_CFG, msrval);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -473,7 +473,7 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
|
|
||||||
enum ssb_mitigation_cmd cmd;
|
|
||||||
|
|
||||||
- if (!boot_cpu_has(X86_FEATURE_RDS))
|
|
||||||
+ if (!boot_cpu_has(X86_FEATURE_SSBD))
|
|
||||||
return mode;
|
|
||||||
|
|
||||||
cmd = ssb_parse_cmdline();
|
|
||||||
@@ -507,7 +507,7 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
/*
|
|
||||||
* We have three CPU feature flags that are in play here:
|
|
||||||
* - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
|
|
||||||
- * - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass
|
|
||||||
+ * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
|
|
||||||
* - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
|
|
||||||
*/
|
|
||||||
if (mode == SPEC_STORE_BYPASS_DISABLE) {
|
|
||||||
@@ -518,12 +518,12 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
*/
|
|
||||||
switch (boot_cpu_data.x86_vendor) {
|
|
||||||
case X86_VENDOR_INTEL:
|
|
||||||
- x86_spec_ctrl_base |= SPEC_CTRL_RDS;
|
|
||||||
- x86_spec_ctrl_mask &= ~SPEC_CTRL_RDS;
|
|
||||||
- x86_spec_ctrl_set(SPEC_CTRL_RDS);
|
|
||||||
+ x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
|
|
||||||
+ x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD;
|
|
||||||
+ x86_spec_ctrl_set(SPEC_CTRL_SSBD);
|
|
||||||
break;
|
|
||||||
case X86_VENDOR_AMD:
|
|
||||||
- x86_amd_rds_enable();
|
|
||||||
+ x86_amd_ssb_disable();
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -556,16 +556,16 @@ static int ssb_prctl_set(struct task_str
|
|
||||||
if (task_spec_ssb_force_disable(task))
|
|
||||||
return -EPERM;
|
|
||||||
task_clear_spec_ssb_disable(task);
|
|
||||||
- update = test_and_clear_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
+ update = test_and_clear_tsk_thread_flag(task, TIF_SSBD);
|
|
||||||
break;
|
|
||||||
case PR_SPEC_DISABLE:
|
|
||||||
task_set_spec_ssb_disable(task);
|
|
||||||
- update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
+ update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
|
|
||||||
break;
|
|
||||||
case PR_SPEC_FORCE_DISABLE:
|
|
||||||
task_set_spec_ssb_disable(task);
|
|
||||||
task_set_spec_ssb_force_disable(task);
|
|
||||||
- update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
|
|
||||||
+ update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
return -ERANGE;
|
|
||||||
@@ -635,7 +635,7 @@ void x86_spec_ctrl_setup_ap(void)
|
|
||||||
x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
|
|
||||||
|
|
||||||
if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
|
|
||||||
- x86_amd_rds_enable();
|
|
||||||
+ x86_amd_ssb_disable();
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef CONFIG_SYSFS
|
|
||||||
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -950,7 +950,7 @@ static void __init cpu_set_bug_bits(stru
|
|
||||||
rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
|
|
||||||
|
|
||||||
if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
|
|
||||||
- !(ia32_cap & ARCH_CAP_RDS_NO))
|
|
||||||
+ !(ia32_cap & ARCH_CAP_SSBD_NO))
|
|
||||||
setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
|
|
||||||
|
|
||||||
if (x86_match_cpu(cpu_no_speculation))
|
|
||||||
--- a/arch/x86/kernel/cpu/intel.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/intel.c
|
|
||||||
@@ -189,7 +189,7 @@ static void early_init_intel(struct cpui
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_STIBP);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
|
|
||||||
- setup_clear_cpu_cap(X86_FEATURE_RDS);
|
|
||||||
+ setup_clear_cpu_cap(X86_FEATURE_SSBD);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
--- a/arch/x86/kernel/process.c
|
|
||||||
+++ b/arch/x86/kernel/process.c
|
|
||||||
@@ -283,11 +283,11 @@ static __always_inline void __speculativ
|
|
||||||
{
|
|
||||||
u64 msr;
|
|
||||||
|
|
||||||
- if (static_cpu_has(X86_FEATURE_AMD_RDS)) {
|
|
||||||
- msr = x86_amd_ls_cfg_base | rds_tif_to_amd_ls_cfg(tifn);
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_AMD_SSBD)) {
|
|
||||||
+ msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
|
|
||||||
wrmsrl(MSR_AMD64_LS_CFG, msr);
|
|
||||||
} else {
|
|
||||||
- msr = x86_spec_ctrl_base | rds_tif_to_spec_ctrl(tifn);
|
|
||||||
+ msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
|
|
||||||
wrmsrl(MSR_IA32_SPEC_CTRL, msr);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
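Review bot: the else branch of __speculative_store_bypass_update() writes MSR_IA32_SPEC_CTRL on every CPU that lacks X86_FEATURE_AMD_SSBD, and nothing in this hunk checks that the MSR or its SSBD bit exists. It relies on callers reaching it only when the SSBD thread flag can be set. An explicit feature test, or a one-line comment stating that assumption, would protect against a future caller that does not honour it.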
@@ -329,7 +329,7 @@ void __switch_to_xtra(struct task_struct
|
|
||||||
if ((tifp ^ tifn) & _TIF_NOCPUID)
|
|
||||||
set_cpuid_faulting(!!(tifn & _TIF_NOCPUID));
|
|
||||||
|
|
||||||
- if ((tifp ^ tifn) & _TIF_RDS)
|
|
||||||
+ if ((tifp ^ tifn) & _TIF_SSBD)
|
|
||||||
__speculative_store_bypass_update(tifn);
|
|
||||||
}
|
|
||||||
|
|
||||||
--- a/arch/x86/kvm/cpuid.c
|
|
||||||
+++ b/arch/x86/kvm/cpuid.c
|
|
||||||
@@ -402,7 +402,7 @@ static inline int __do_cpuid_ent(struct
|
|
||||||
|
|
||||||
/* cpuid 7.0.edx*/
|
|
||||||
const u32 kvm_cpuid_7_0_edx_x86_features =
|
|
||||||
- F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | F(RDS) |
|
|
||||||
+ F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | F(SSBD) |
|
|
||||||
F(ARCH_CAPABILITIES);
|
|
||||||
|
|
||||||
/* all calls to cpuid_count() should be made on the same cpu */
|
|
||||||
--- a/arch/x86/kvm/vmx.c
|
|
||||||
+++ b/arch/x86/kvm/vmx.c
|
|
||||||
@@ -3271,7 +3271,7 @@ static int vmx_get_msr(struct kvm_vcpu *
|
|
||||||
if (!msr_info->host_initiated &&
|
|
||||||
!guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
|
|
||||||
!guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_RDS))
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_SSBD))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
msr_info->data = to_vmx(vcpu)->spec_ctrl;
|
|
||||||
@@ -3393,11 +3393,11 @@ static int vmx_set_msr(struct kvm_vcpu *
|
|
||||||
if (!msr_info->host_initiated &&
|
|
||||||
!guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
|
|
||||||
!guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_RDS))
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_SSBD))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
/* The STIBP bit doesn't fault even if it's not advertised */
|
|
||||||
- if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_RDS))
|
|
||||||
+ if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
vmx->spec_ctrl = data;
|
|
|
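Review bot: in vmx_set_msr() the accepted-bits check `data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD)` lets a guest set SSBD when its CPUID advertises only IBRS or SPEC_CTRL, because the guard above it passes as soon as any one of the three features is present. The comment justifies only STIBP. Either build the allowed mask from the features the guest actually advertises, or extend the comment to say why an unadvertised SSBD bit is accepted.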
@ -1,42 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 16 May 2018 23:18:09 -0400
|
|
||||||
Subject: x86/bugs: Rename SSBD_NO to SSB_NO
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 240da953fcc6a9008c92fae5b1f727ee5ed167ab upstream
|
|
||||||
|
|
||||||
The "336996 Speculative Execution Side Channel Mitigations" from
|
|
||||||
May defines this as SSB_NO, hence lets sync-up.
|
|
||||||
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/msr-index.h | 2 +-
|
|
||||||
arch/x86/kernel/cpu/common.c | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/msr-index.h
|
|
||||||
+++ b/arch/x86/include/asm/msr-index.h
|
|
||||||
@@ -70,7 +70,7 @@
|
|
||||||
#define MSR_IA32_ARCH_CAPABILITIES 0x0000010a
|
|
||||||
#define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */
|
|
||||||
#define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */
|
|
||||||
-#define ARCH_CAP_SSBD_NO (1 << 4) /*
|
|
||||||
+#define ARCH_CAP_SSB_NO (1 << 4) /*
|
|
||||||
* Not susceptible to Speculative Store Bypass
|
|
||||||
* attack, so no Speculative Store Bypass
|
|
||||||
* control required.
|
|
||||||
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -965,7 +965,7 @@ static void __init cpu_set_bug_bits(stru
|
|
||||||
rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
|
|
||||||
|
|
||||||
if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
|
|
||||||
- !(ia32_cap & ARCH_CAP_SSBD_NO))
|
|
||||||
+ !(ia32_cap & ARCH_CAP_SSB_NO))
|
|
||||||
setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
|
|
||||||
|
|
||||||
if (x86_match_cpu(cpu_no_speculation))
|
|
|
@ -1,91 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Sat, 12 May 2018 20:10:00 +0200
|
|
||||||
Subject: x86/bugs: Rework spec_ctrl base and mask logic
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit be6fcb5478e95bb1c91f489121238deb3abca46a upstream
|
|
||||||
|
|
||||||
x86_spec_ctrL_mask is intended to mask out bits from a MSR_SPEC_CTRL value
|
|
||||||
which are not to be modified. However the implementation is not really used
|
|
||||||
and the bitmask was inverted to make a check easier, which was removed in
|
|
||||||
"x86/bugs: Remove x86_spec_ctrl_set()"
|
|
||||||
|
|
||||||
Aside of that it is missing the STIBP bit if it is supported by the
|
|
||||||
platform, so if the mask would be used in x86_virt_spec_ctrl() then it
|
|
||||||
would prevent a guest from setting STIBP.
|
|
||||||
|
|
||||||
Add the STIBP bit if supported and use the mask in x86_virt_spec_ctrl() to
|
|
||||||
sanitize the value which is supplied by the guest.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++-------
|
|
||||||
1 file changed, 19 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -42,7 +42,7 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
|
|
||||||
* The vendor and possibly platform specific bits which can be modified in
|
|
||||||
* x86_spec_ctrl_base.
|
|
||||||
*/
|
|
||||||
-static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS;
|
|
||||||
+static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* AMD specific MSR info for Speculative Store Bypass control.
|
|
||||||
@@ -68,6 +68,10 @@ void __init check_bugs(void)
|
|
||||||
if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
|
|
||||||
|
|
||||||
+ /* Allow STIBP in MSR_SPEC_CTRL if supported */
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_STIBP))
|
|
||||||
+ x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
|
|
||||||
+
|
|
||||||
/* Select the proper spectre mitigation before patching alternatives */
|
|
||||||
spectre_v2_select_mitigation();
|
|
||||||
|
|
||||||
@@ -136,18 +140,26 @@ static enum spectre_v2_mitigation spectr
|
|
||||||
void
|
|
||||||
x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
|
|
||||||
{
|
|
||||||
+ u64 msrval, guestval, hostval = x86_spec_ctrl_base;
|
|
||||||
struct thread_info *ti = current_thread_info();
|
|
||||||
- u64 msr, host = x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
/* Is MSR_SPEC_CTRL implemented ? */
|
|
||||||
if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
|
|
||||||
+ /*
|
|
||||||
+ * Restrict guest_spec_ctrl to supported values. Clear the
|
|
||||||
+ * modifiable bits in the host base value and or the
|
|
||||||
+ * modifiable bits from the guest value.
|
|
||||||
+ */
|
|
||||||
+ guestval = hostval & ~x86_spec_ctrl_mask;
|
|
||||||
+ guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
|
|
||||||
+
|
|
||||||
/* SSBD controlled in MSR_SPEC_CTRL */
|
|
||||||
if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
|
|
||||||
- host |= ssbd_tif_to_spec_ctrl(ti->flags);
|
|
||||||
+ hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
|
|
||||||
|
|
||||||
- if (host != guest_spec_ctrl) {
|
|
||||||
- msr = setguest ? guest_spec_ctrl : host;
|
|
||||||
- wrmsrl(MSR_IA32_SPEC_CTRL, msr);
|
|
||||||
+ if (hostval != guestval) {
|
|
||||||
+ msrval = setguest ? guestval : hostval;
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
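Review bot: in x86_virt_spec_ctrl() the guest value is now filtered with `guest_spec_ctrl & x86_spec_ctrl_mask`, and the only place this patch adds SPEC_CTRL_SSBD to the mask is the X86_VENDOR_INTEL case in the last hunk. When that path has not run, a guest's SSBD bit is dropped here without any trace. Please confirm that is intended and state it in the new comment, whose wording "and or the modifiable bits" would also read more clearly as "and OR in the modifiable bits from the guest value".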
@@ -493,7 +505,7 @@ static enum ssb_mitigation __init __ssb_
|
|
||||||
switch (boot_cpu_data.x86_vendor) {
|
|
||||||
case X86_VENDOR_INTEL:
|
|
||||||
x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
|
|
||||||
- x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD;
|
|
||||||
+ x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
|
|
||||||
wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
|
|
||||||
break;
|
|
||||||
case X86_VENDOR_AMD:
|
|
|
@ -1,139 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Borislav Petkov <bp@suse.de>
|
|
||||||
Date: Sat, 12 May 2018 00:14:51 +0200
|
|
||||||
Subject: x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
|
|
||||||
|
|
||||||
From: Borislav Petkov <bp@suse.de>
|
|
||||||
|
|
||||||
commit cc69b34989210f067b2c51d5539b5f96ebcc3a01 upstream
|
|
||||||
|
|
||||||
Function bodies are very similar and are going to grow more almost
|
|
||||||
identical code. Add a bool arg to determine whether SPEC_CTRL is being set
|
|
||||||
for the guest or restored to the host.
|
|
||||||
|
|
||||||
No functional changes.
|
|
||||||
|
|
||||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/spec-ctrl.h | 33 ++++++++++++++++++---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 60 +++++++++------------------------------
|
|
||||||
2 files changed, 44 insertions(+), 49 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
+++ b/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
@@ -13,10 +13,35 @@
|
|
||||||
* Takes the guest view of SPEC_CTRL MSR as a parameter and also
|
|
||||||
* the guest's version of VIRT_SPEC_CTRL, if emulated.
|
|
||||||
*/
|
|
||||||
-extern void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl,
|
|
||||||
- u64 guest_virt_spec_ctrl);
|
|
||||||
-extern void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl,
|
|
||||||
- u64 guest_virt_spec_ctrl);
|
|
||||||
+extern void x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool guest);
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
|
|
||||||
+ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
|
|
||||||
+ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
|
|
||||||
+ * (may get translated to MSR_AMD64_LS_CFG bits)
|
|
||||||
+ *
|
|
||||||
+ * Avoids writing to the MSR if the content/bits are the same
|
|
||||||
+ */
|
|
||||||
+static inline
|
|
||||||
+void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
|
|
||||||
+{
|
|
||||||
+ x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * x86_spec_ctrl_restore_host - Restore host speculation control registers
|
|
||||||
+ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
|
|
||||||
+ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
|
|
||||||
+ * (may get translated to MSR_AMD64_LS_CFG bits)
|
|
||||||
+ *
|
|
||||||
+ * Avoids writing to the MSR if the content/bits are the same
|
|
||||||
+ */
|
|
||||||
+static inline
|
|
||||||
+void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
|
|
||||||
+{
|
|
||||||
+ x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false);
|
|
||||||
+}
|
|
||||||
|
|
||||||
/* AMD specific Speculative Store Bypass MSR data */
|
|
||||||
extern u64 x86_amd_ls_cfg_base;
|
|
||||||
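Review bot: the new prototype names its third parameter `guest` while the definition in bugs.c names it `setguest`, and x86_virt_spec_ctrl() itself has no kernel-doc, only the two inline wrappers do. Use `setguest` in the header as well and add a short kernel-doc block describing that true applies the guest value and false restores the host value.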
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -151,55 +151,25 @@ u64 x86_spec_ctrl_get_default(void)
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
|
|
||||||
|
|
||||||
-/**
|
|
||||||
- * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
|
|
||||||
- * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
|
|
||||||
- * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
|
|
||||||
- * (may get translated to MSR_AMD64_LS_CFG bits)
|
|
||||||
- *
|
|
||||||
- * Avoids writing to the MSR if the content/bits are the same
|
|
||||||
- */
|
|
||||||
-void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
|
|
||||||
+void
|
|
||||||
+x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
|
|
||||||
{
|
|
||||||
- u64 host = x86_spec_ctrl_base;
|
|
||||||
+ struct thread_info *ti = current_thread_info();
|
|
||||||
+ u64 msr, host = x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
/* Is MSR_SPEC_CTRL implemented ? */
|
|
||||||
- if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
- return;
|
|
||||||
-
|
|
||||||
- /* SSBD controlled in MSR_SPEC_CTRL */
|
|
||||||
- if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
|
|
||||||
- host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
-
|
|
||||||
- if (host != guest_spec_ctrl)
|
|
||||||
- wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
|
|
||||||
-}
|
|
||||||
-EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
|
|
||||||
-
|
|
||||||
-/**
|
|
||||||
- * x86_spec_ctrl_restore_host - Restore host speculation control registers
|
|
||||||
- * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL
|
|
||||||
- * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL
|
|
||||||
- * (may get translated to MSR_AMD64_LS_CFG bits)
|
|
||||||
- *
|
|
||||||
- * Avoids writing to the MSR if the content/bits are the same
|
|
||||||
- */
|
|
||||||
-void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
|
|
||||||
-{
|
|
||||||
- u64 host = x86_spec_ctrl_base;
|
|
||||||
-
|
|
||||||
- /* Is MSR_SPEC_CTRL implemented ? */
|
|
||||||
- if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
- return;
|
|
||||||
-
|
|
||||||
- /* SSBD controlled in MSR_SPEC_CTRL */
|
|
||||||
- if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
|
|
||||||
- host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
-
|
|
||||||
- if (host != guest_spec_ctrl)
|
|
||||||
- wrmsrl(MSR_IA32_SPEC_CTRL, host);
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
|
|
||||||
+ /* SSBD controlled in MSR_SPEC_CTRL */
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
|
|
||||||
+ host |= ssbd_tif_to_spec_ctrl(ti->flags);
|
|
||||||
+
|
|
||||||
+ if (host != guest_spec_ctrl) {
|
|
||||||
+ msr = setguest ? guest_spec_ctrl : host;
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, msr);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
-EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
|
|
||||||
+EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
|
|
||||||
|
|
||||||
static void x86_amd_ssb_disable(void)
|
|
||||||
{
|
|
|
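Review bot: the merged x86_virt_spec_ctrl() body never reads guest_virt_spec_ctrl; only guest_spec_ctrl and setguest are used. If the parameter is reserved for the MSR_AMD64_LS_CFG translation mentioned in the wrappers' kernel-doc, say so in a comment at the definition so the unused argument is not mistaken for an oversight.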
@ -1,66 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:23 -0400
|
|
||||||
Subject: x86/bugs: Whitelist allowed SPEC_CTRL MSR values
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 1115a859f33276fe8afb31c60cf9d8e657872558 upstream
|
|
||||||
|
|
||||||
Intel and AMD SPEC_CTRL (0x48) MSR semantics may differ in the
|
|
||||||
future (or in fact use different MSRs for the same functionality).
|
|
||||||
|
|
||||||
As such a run-time mechanism is required to whitelist the appropriate MSR
|
|
||||||
values.
|
|
||||||
|
|
||||||
[ tglx: Made the variable __ro_after_init ]
|
|
||||||
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 11 +++++++++--
|
|
||||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -35,6 +35,12 @@ static void __init ssb_select_mitigation
|
|
||||||
*/
|
|
||||||
static u64 __ro_after_init x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * The vendor and possibly platform specific bits which can be modified in
|
|
||||||
+ * x86_spec_ctrl_base.
|
|
||||||
+ */
|
|
||||||
+static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS;
|
|
||||||
+
|
|
||||||
void __init check_bugs(void)
|
|
||||||
{
|
|
||||||
identify_boot_cpu();
|
|
||||||
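Review bot: the comment on x86_spec_ctrl_mask says it holds the bits "which can be modified", but the initializer `~SPEC_CTRL_IBRS` sets every bit except the modifiable one, so the variable stores the inverse of what the comment describes. Reword the comment to say the set bits are the ones that must not be written, or store the mask in the non-inverted form and invert at the point of use.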
@@ -117,7 +123,7 @@ static enum spectre_v2_mitigation spectr
|
|
||||||
|
|
||||||
void x86_spec_ctrl_set(u64 val)
|
|
||||||
{
|
|
||||||
- if (val & ~(SPEC_CTRL_IBRS | SPEC_CTRL_RDS))
|
|
||||||
+ if (val & x86_spec_ctrl_mask)
|
|
||||||
WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
|
|
||||||
else
|
|
||||||
wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
|
|
||||||
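Review bot: when `val & x86_spec_ctrl_mask` is non-zero, x86_spec_ctrl_set() skips the MSR write and only warns via WARN_ONCE, so every rejected value after the first is dropped silently and the void return gives the caller no way to notice. Consider returning an error or using a rate-limited warning. The format `0x%16llx` also pads with spaces rather than zeros; `0x%016llx` is probably what was meant.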
@@ -459,6 +465,7 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
switch (boot_cpu_data.x86_vendor) {
|
|
||||||
case X86_VENDOR_INTEL:
|
|
||||||
x86_spec_ctrl_base |= SPEC_CTRL_RDS;
|
|
||||||
+ x86_spec_ctrl_mask &= ~SPEC_CTRL_RDS;
|
|
||||||
x86_spec_ctrl_set(SPEC_CTRL_RDS);
|
|
||||||
break;
|
|
||||||
case X86_VENDOR_AMD:
|
|
||||||
@@ -482,7 +489,7 @@ static void ssb_select_mitigation()
|
|
||||||
void x86_spec_ctrl_setup_ap(void)
|
|
||||||
{
|
|
||||||
if (boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
- x86_spec_ctrl_set(x86_spec_ctrl_base & (SPEC_CTRL_IBRS | SPEC_CTRL_RDS));
|
|
||||||
+ x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef CONFIG_SYSFS
|
|
|
@ -1,37 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Jim Mattson <jmattson@google.com>
|
|
||||||
Date: Sun, 13 May 2018 17:33:57 -0400
|
|
||||||
Subject: x86/cpu: Make alternative_msr_write work for 32-bit code
|
|
||||||
|
|
||||||
From: Jim Mattson <jmattson@google.com>
|
|
||||||
|
|
||||||
commit 5f2b745f5e1304f438f9b2cd03ebc8120b6e0d3b upstream
|
|
||||||
|
|
||||||
Cast val and (val >> 32) to (u32), so that they fit in a
|
|
||||||
general-purpose register in both 32-bit and 64-bit code.
|
|
||||||
|
|
||||||
[ tglx: Made it u32 instead of uintptr_t ]
|
|
||||||
|
|
||||||
Fixes: c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload")
|
|
||||||
Signed-off-by: Jim Mattson <jmattson@google.com>
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -265,8 +265,8 @@ void alternative_msr_write(unsigned int
|
|
||||||
{
|
|
||||||
asm volatile(ALTERNATIVE("", "wrmsr", %c[feature])
|
|
||||||
: : "c" (msr),
|
|
||||||
- "a" (val),
|
|
||||||
- "d" (val >> 32),
|
|
||||||
+ "a" ((u32)val),
|
|
||||||
+ "d" ((u32)(val >> 32)),
|
|
||||||
[feature] "i" (feature)
|
|
||||||
: "memory");
|
|
||||||
}
|
|
|
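Review bot: the two new (u32) casts in alternative_msr_write() are explained only in the commit message. A short comment above the asm saying that wrmsr takes the low half in EAX and the high half in EDX, and that a u64 operand cannot be bound to a single register on 32-bit builds, would keep a later cleanup from removing the casts as redundant.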
@ -1,41 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Thu, 10 May 2018 16:26:00 +0200
|
|
||||||
Subject: x86/cpufeatures: Add FEATURE_ZEN
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit d1035d971829dcf80e8686ccde26f94b0a069472 upstream
|
|
||||||
|
|
||||||
Add a ZEN feature bit so family-dependent static_cpu_has() optimizations
|
|
||||||
can be built for ZEN.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 1 +
|
|
||||||
arch/x86/kernel/cpu/amd.c | 1 +
|
|
||||||
2 files changed, 2 insertions(+)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -218,6 +218,7 @@
|
|
||||||
#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
|
|
||||||
#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
|
|
||||||
#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
|
|
||||||
+#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
|
|
||||||
|
|
||||||
/* Virtualization flags: Linux defined, word 8 */
|
|
||||||
#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
|
|
||||||
--- a/arch/x86/kernel/cpu/amd.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/amd.c
|
|
||||||
@@ -812,6 +812,7 @@ static void init_amd_bd(struct cpuinfo_x
|
|
||||||
|
|
||||||
static void init_amd_zn(struct cpuinfo_x86 *c)
|
|
||||||
{
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_ZEN);
|
|
||||||
/*
|
|
||||||
* Fix erratum 1076: CPB feature bit not being set in CPUID. It affects
|
|
||||||
* all up to and including B1.
|
|
|
@ -1,32 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Sat, 28 Apr 2018 22:34:17 +0200
|
|
||||||
Subject: x86/cpufeatures: Add X86_FEATURE_RDS
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit 0cc5fa00b0a88dad140b4e5c2cead9951ad36822 upstream
|
|
||||||
|
|
||||||
Add the CPU feature bit CPUID.7.0.EDX[31] which indicates whether the CPU
|
|
||||||
supports Reduced Data Speculation.
|
|
||||||
|
|
||||||
[ tglx: Split it out from a later patch ]
|
|
||||||
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -333,6 +333,7 @@
|
|
||||||
#define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
|
|
||||||
#define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */
|
|
||||||
#define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
|
|
||||||
+#define X86_FEATURE_RDS (18*32+31) /* Reduced Data Speculation */
|
|
||||||
|
|
||||||
/*
|
|
||||||
* BUG word(s)
|
|
|
@ -1,143 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Thu, 10 May 2018 19:13:18 +0200
|
|
||||||
Subject: x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 7eb8956a7fec3c1f0abc2a5517dada99ccc8a961 upstream
|
|
||||||
|
|
||||||
The availability of the SPEC_CTRL MSR is enumerated by a CPUID bit on
|
|
||||||
Intel and implied by IBRS or STIBP support on AMD. That's just confusing
|
|
||||||
and in case an AMD CPU has IBRS not supported because the underlying
|
|
||||||
problem has been fixed but has another bit valid in the SPEC_CTRL MSR,
|
|
||||||
the thing falls apart.
|
|
||||||
|
|
||||||
Add a synthetic feature bit X86_FEATURE_MSR_SPEC_CTRL to denote the
|
|
||||||
availability on both Intel and AMD.
|
|
||||||
|
|
||||||
While at it replace the boot_cpu_has() checks with static_cpu_has() where
|
|
||||||
possible. This prevents late microcode loading from exposing SPEC_CTRL, but
|
|
||||||
late loading is already very limited as it does not reevaluate the
|
|
||||||
mitigation options and other bits and pieces. Having static_cpu_has() is
|
|
||||||
the simplest and least fragile solution.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 1 +
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 18 +++++++++++-------
|
|
||||||
arch/x86/kernel/cpu/common.c | 9 +++++++--
|
|
||||||
arch/x86/kernel/cpu/intel.c | 1 +
|
|
||||||
4 files changed, 20 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -206,6 +206,7 @@
|
|
||||||
#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
|
|
||||||
#define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */
|
|
||||||
#define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */
|
|
||||||
+#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
|
|
||||||
|
|
||||||
#define X86_FEATURE_MBA ( 7*32+18) /* Memory Bandwidth Allocation */
|
|
||||||
#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -64,7 +64,7 @@ void __init check_bugs(void)
|
|
||||||
* have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
|
|
||||||
* init code as it is not enumerated and depends on the family.
|
|
||||||
*/
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
|
|
||||||
|
|
||||||
/* Select the proper spectre mitigation before patching alternatives */
|
|
||||||
@@ -145,7 +145,7 @@ u64 x86_spec_ctrl_get_default(void)
|
|
||||||
{
|
|
||||||
u64 msrval = x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
|
|
||||||
msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
return msrval;
|
|
||||||
}
|
|
||||||
@@ -155,10 +155,12 @@ void x86_spec_ctrl_set_guest(u64 guest_s
|
|
||||||
{
|
|
||||||
u64 host = x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
- if (!boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
+ /* Is MSR_SPEC_CTRL implemented ? */
|
|
||||||
+ if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
return;
|
|
||||||
|
|
||||||
- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
||||||
+ /* Intel controls SSB in MSR_SPEC_CTRL */
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
|
|
||||||
host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
|
|
||||||
if (host != guest_spec_ctrl)
|
|
||||||
@@ -170,10 +172,12 @@ void x86_spec_ctrl_restore_host(u64 gues
|
|
||||||
{
|
|
||||||
u64 host = x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
- if (!boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
+ /* Is MSR_SPEC_CTRL implemented ? */
|
|
||||||
+ if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
return;
|
|
||||||
|
|
||||||
- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
||||||
+ /* Intel controls SSB in MSR_SPEC_CTRL */
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
|
|
||||||
host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
|
|
||||||
if (host != guest_spec_ctrl)
|
|
||||||
@@ -631,7 +635,7 @@ int arch_prctl_spec_ctrl_get(struct task
|
|
||||||
|
|
||||||
void x86_spec_ctrl_setup_ap(void)
|
|
||||||
{
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
|
|
||||||
|
|
||||||
if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
|
|
||||||
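Review bot: x86_spec_ctrl_setup_ap() keeps boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL) while the set_guest and restore_host hunks in the same file move to static_cpu_has(). The commit message says the conversion was done "where possible", but this site gives no reason for the difference. Either convert it too or add a comment explaining why boot_cpu_has() is required here.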
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -761,19 +761,24 @@ static void init_speculation_control(str
|
|
||||||
if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
|
|
||||||
set_cpu_cap(c, X86_FEATURE_IBRS);
|
|
||||||
set_cpu_cap(c, X86_FEATURE_IBPB);
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
|
|
||||||
set_cpu_cap(c, X86_FEATURE_STIBP);
|
|
||||||
|
|
||||||
- if (cpu_has(c, X86_FEATURE_AMD_IBRS))
|
|
||||||
+ if (cpu_has(c, X86_FEATURE_AMD_IBRS)) {
|
|
||||||
set_cpu_cap(c, X86_FEATURE_IBRS);
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (cpu_has(c, X86_FEATURE_AMD_IBPB))
|
|
||||||
set_cpu_cap(c, X86_FEATURE_IBPB);
|
|
||||||
|
|
||||||
- if (cpu_has(c, X86_FEATURE_AMD_STIBP))
|
|
||||||
+ if (cpu_has(c, X86_FEATURE_AMD_STIBP)) {
|
|
||||||
set_cpu_cap(c, X86_FEATURE_STIBP);
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
void get_cpu_cap(struct cpuinfo_x86 *c)
|
|
||||||
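Review bot: in init_speculation_control() the X86_FEATURE_AMD_IBPB branch is the only one left without set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL), and nothing in the hunk says why. A one-line comment that IBPB is issued through MSR_IA32_PRED_CMD and therefore does not imply that MSR_SPEC_CTRL exists would stop a later cleanup from "completing" the pattern. The braces added to the AMD_IBRS and AMD_STIBP branches make the asymmetry easy to miss.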
--- a/arch/x86/kernel/cpu/intel.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/intel.c
|
|
||||||
@@ -188,6 +188,7 @@ static void early_init_intel(struct cpui
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_IBPB);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_STIBP);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
|
|
||||||
+ setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_SSBD);
|
|
||||||
}
|
|
|
@ -1,150 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Thu, 10 May 2018 20:21:36 +0200
|
|
||||||
Subject: x86/cpufeatures: Disentangle SSBD enumeration
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 52817587e706686fcdb27f14c1b000c92f266c96 upstream
|
|
||||||
|
|
||||||
The SSBD enumeration is similarly to the other bits magically shared
|
|
||||||
between Intel and AMD though the mechanisms are different.
|
|
||||||
|
|
||||||
Make X86_FEATURE_SSBD synthetic and set it depending on the vendor specific
|
|
||||||
features or family dependent setup.
|
|
||||||
|
|
||||||
Change the Intel bit to X86_FEATURE_SPEC_CTRL_SSBD to denote that SSBD is
|
|
||||||
controlled via MSR_SPEC_CTRL and fix up the usage sites.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 7 +++----
|
|
||||||
arch/x86/kernel/cpu/amd.c | 7 +------
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 10 +++++-----
|
|
||||||
arch/x86/kernel/cpu/common.c | 3 +++
|
|
||||||
arch/x86/kernel/cpu/intel.c | 1 +
|
|
||||||
arch/x86/kernel/process.c | 2 +-
|
|
||||||
6 files changed, 14 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -207,15 +207,14 @@
|
|
||||||
#define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */
|
|
||||||
#define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */
|
|
||||||
#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
|
|
||||||
-
|
|
||||||
+#define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */
|
|
||||||
#define X86_FEATURE_MBA ( 7*32+18) /* Memory Bandwidth Allocation */
|
|
||||||
#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */
|
|
||||||
#define X86_FEATURE_SEV ( 7*32+20) /* AMD Secure Encrypted Virtualization */
|
|
||||||
-
|
|
||||||
#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
|
|
||||||
#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
|
|
||||||
#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
|
|
||||||
-#define X86_FEATURE_AMD_SSBD ( 7*32+24) /* "" AMD SSBD implementation */
|
|
||||||
+#define X86_FEATURE_LS_CFG_SSBD ( 7*32+24) /* "" AMD SSBD implementation via LS_CFG MSR */
|
|
||||||
#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
|
|
||||||
#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
|
|
||||||
#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
|
|
||||||
@@ -338,7 +337,7 @@
|
|
||||||
#define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
|
|
||||||
#define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */
|
|
||||||
#define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
|
|
||||||
-#define X86_FEATURE_SSBD (18*32+31) /* Speculative Store Bypass Disable */
|
|
||||||
+#define X86_FEATURE_SPEC_CTRL_SSBD (18*32+31) /* "" Speculative Store Bypass Disable */
|
|
||||||
|
|
||||||
/*
|
|
||||||
* BUG word(s)
|
|
||||||
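Review bot: the renamed X86_FEATURE_SPEC_CTRL_SSBD at (18*32+31) keeps the comment "Speculative Store Bypass Disable", which is now word for word the comment on the new synthetic X86_FEATURE_SSBD at (7*32+17). The commit message says the rename denotes that SSBD is controlled via MSR_SPEC_CTRL, so the comment should say that too, in the same way the LS_CFG_SSBD comment was extended with "via LS_CFG MSR".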
--- a/arch/x86/kernel/cpu/amd.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/amd.c
|
|
||||||
@@ -570,8 +570,8 @@ static void bsp_init_amd(struct cpuinfo_
|
|
||||||
* avoid RMW. If that faults, do not enable SSBD.
|
|
||||||
*/
|
|
||||||
if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) {
|
|
||||||
+ setup_force_cpu_cap(X86_FEATURE_LS_CFG_SSBD);
|
|
||||||
setup_force_cpu_cap(X86_FEATURE_SSBD);
|
|
||||||
- setup_force_cpu_cap(X86_FEATURE_AMD_SSBD);
|
|
||||||
x86_amd_ls_cfg_ssbd_mask = 1ULL << bit;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -919,11 +919,6 @@ static void init_amd(struct cpuinfo_x86
|
|
||||||
/* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */
|
|
||||||
if (!cpu_has(c, X86_FEATURE_XENPV))
|
|
||||||
set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
|
|
||||||
-
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) {
|
|
||||||
- set_cpu_cap(c, X86_FEATURE_SSBD);
|
|
||||||
- set_cpu_cap(c, X86_FEATURE_AMD_SSBD);
|
|
||||||
- }
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef CONFIG_X86_32
|
|
||||||
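Review bot: the block removed from init_amd() was the only per-CPU place that set X86_FEATURE_SSBD on AMD, and the commit message does not say why dropping it is safe. After this change the bits are set only by the two setup_force_cpu_cap() calls in bsp_init_amd(), which run on the boot CPU. Please state in the changelog that the forced caps cover the secondary CPUs, so the removal is not read as a dropped mitigation.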
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -159,8 +159,8 @@ void x86_spec_ctrl_set_guest(u64 guest_s
|
|
||||||
if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
return;
|
|
||||||
|
|
||||||
- /* Intel controls SSB in MSR_SPEC_CTRL */
|
|
||||||
- if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
|
|
||||||
+ /* SSBD controlled in MSR_SPEC_CTRL */
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
|
|
||||||
host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
|
|
||||||
if (host != guest_spec_ctrl)
|
|
||||||
@@ -176,8 +176,8 @@ void x86_spec_ctrl_restore_host(u64 gues
|
|
||||||
if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
|
|
||||||
return;
|
|
||||||
|
|
||||||
- /* Intel controls SSB in MSR_SPEC_CTRL */
|
|
||||||
- if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
|
|
||||||
+ /* SSBD controlled in MSR_SPEC_CTRL */
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
|
|
||||||
host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
|
|
||||||
if (host != guest_spec_ctrl)
|
|
||||||
@@ -189,7 +189,7 @@ static void x86_amd_ssb_disable(void)
|
|
||||||
{
|
|
||||||
u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
|
|
||||||
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_AMD_SSBD))
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
|
|
||||||
wrmsrl(MSR_AMD64_LS_CFG, msrval);
|
|
||||||
}
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -767,6 +767,9 @@ static void init_speculation_control(str
|
|
||||||
if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
|
|
||||||
set_cpu_cap(c, X86_FEATURE_STIBP);
|
|
||||||
|
|
||||||
+ if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD))
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_SSBD);
|
|
||||||
+
|
|
||||||
if (cpu_has(c, X86_FEATURE_AMD_IBRS)) {
|
|
||||||
set_cpu_cap(c, X86_FEATURE_IBRS);
|
|
||||||
set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
|
|
||||||
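Review bot: the new X86_FEATURE_SPEC_CTRL_SSBD branch in init_speculation_control() sets X86_FEATURE_SSBD but, unlike the SPEC_CTRL, AMD_IBRS and AMD_STIBP branches, does not set X86_FEATURE_MSR_SPEC_CTRL. x86_spec_ctrl_set_guest() and x86_spec_ctrl_restore_host() return early on !static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL) before they reach the SPEC_CTRL_SSBD test, so a CPU that enumerates CPUID.7.EDX[31] without bit 26 would advertise SSBD and never have it applied on those paths. If that combination cannot occur, say so in a comment here; otherwise set MSR_SPEC_CTRL in this branch as well.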
--- a/arch/x86/kernel/cpu/intel.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/intel.c
|
|
||||||
@@ -191,6 +191,7 @@ static void early_init_intel(struct cpui
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
|
|
||||||
setup_clear_cpu_cap(X86_FEATURE_SSBD);
|
|
||||||
+ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL_SSBD);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
--- a/arch/x86/kernel/process.c
|
|
||||||
+++ b/arch/x86/kernel/process.c
|
|
||||||
@@ -283,7 +283,7 @@ static __always_inline void __speculativ
|
|
||||||
{
|
|
||||||
u64 msr;
|
|
||||||
|
|
||||||
- if (static_cpu_has(X86_FEATURE_AMD_SSBD)) {
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) {
|
|
||||||
msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
|
|
||||||
wrmsrl(MSR_AMD64_LS_CFG, msr);
|
|
||||||
} else {
|
|
|
@ -1,64 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Date: Wed, 25 Apr 2018 22:04:25 -0400
|
|
||||||
Subject: x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
|
|
||||||
|
|
||||||
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
|
|
||||||
commit da39556f66f5cfe8f9c989206974f1cb16ca5d7c upstream
|
|
||||||
|
|
||||||
Expose the CPUID.7.EDX[31] bit to the guest, and also guard against various
|
|
||||||
combinations of SPEC_CTRL MSR values.
|
|
||||||
|
|
||||||
The handling of the MSR (to take into account the host value of SPEC_CTRL
|
|
||||||
Bit(2)) is taken care of in patch:
|
|
||||||
|
|
||||||
KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS
|
|
||||||
|
|
||||||
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/kvm/cpuid.c | 2 +-
|
|
||||||
arch/x86/kvm/vmx.c | 8 +++++---
|
|
||||||
2 files changed, 6 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/kvm/cpuid.c
|
|
||||||
+++ b/arch/x86/kvm/cpuid.c
|
|
||||||
@@ -402,7 +402,7 @@ static inline int __do_cpuid_ent(struct
|
|
||||||
|
|
||||||
/* cpuid 7.0.edx*/
|
|
||||||
const u32 kvm_cpuid_7_0_edx_x86_features =
|
|
||||||
- F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) |
|
|
||||||
+ F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) | F(RDS) |
|
|
||||||
F(ARCH_CAPABILITIES);
|
|
||||||
|
|
||||||
/* all calls to cpuid_count() should be made on the same cpu */
|
|
||||||
--- a/arch/x86/kvm/vmx.c
|
|
||||||
+++ b/arch/x86/kvm/vmx.c
|
|
||||||
@@ -3270,7 +3270,8 @@ static int vmx_get_msr(struct kvm_vcpu *
|
|
||||||
case MSR_IA32_SPEC_CTRL:
|
|
||||||
if (!msr_info->host_initiated &&
|
|
||||||
!guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_RDS))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
msr_info->data = to_vmx(vcpu)->spec_ctrl;
|
|
||||||
@@ -3391,11 +3392,12 @@ static int vmx_set_msr(struct kvm_vcpu *
|
|
||||||
case MSR_IA32_SPEC_CTRL:
|
|
||||||
if (!msr_info->host_initiated &&
|
|
||||||
!guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_RDS))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
/* The STIBP bit doesn't fault even if it's not advertised */
|
|
||||||
- if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP))
|
|
||||||
+ if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_RDS))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
vmx->spec_ctrl = data;
|
|
|
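Review bot: in vmx_set_msr() the reserved-bit mask now lets SPEC_CTRL_RDS through for every guest that passes the CPUID check above it, including a guest that was only given IBRS or SPEC_CTRL and not RDS. The existing comment justifies that leniency for STIBP only ("doesn't fault even if it's not advertised"); nothing equivalent is stated for bit 2. Either add SPEC_CTRL_RDS to the mask only when guest_cpuid_has(vcpu, X86_FEATURE_RDS) is true, or extend the comment to explain why an unadvertised RDS write is acceptable. The three-way guest_cpuid_has() condition is also duplicated verbatim between vmx_get_msr() and vmx_set_msr() and would be easier to keep in sync as a small helper.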
@ -1,67 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Date: Tue, 1 May 2018 15:55:51 +0200
|
|
||||||
Subject: x86/nospec: Simplify alternative_msr_write()
|
|
||||||
|
|
||||||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
|
|
||||||
commit 1aa7a5735a41418d8e01fa7c9565eb2657e2ea3f upstream
|
|
||||||
|
|
||||||
The macro is not type safe and I did look for why that "g" constraint for
|
|
||||||
the asm doesn't work: it's because the asm is more fundamentally wrong.
|
|
||||||
|
|
||||||
It does
|
|
||||||
|
|
||||||
movl %[val], %%eax
|
|
||||||
|
|
||||||
but "val" isn't a 32-bit value, so then gcc will pass it in a register,
|
|
||||||
and generate code like
|
|
||||||
|
|
||||||
movl %rsi, %eax
|
|
||||||
|
|
||||||
and gas will complain about a nonsensical 'mov' instruction (it's moving a
|
|
||||||
64-bit register to a 32-bit one).
|
|
||||||
|
|
||||||
Passing it through memory will just hide the real bug - gcc still thinks
|
|
||||||
the memory location is 64-bit, but the "movl" will only load the first 32
|
|
||||||
bits and it all happens to work because x86 is little-endian.
|
|
||||||
|
|
||||||
Convert it to a type safe inline function with a little trick which hands
|
|
||||||
the feature into the ALTERNATIVE macro.
|
|
||||||
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 19 ++++++++++---------
|
|
||||||
1 file changed, 10 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -241,15 +241,16 @@ static inline void vmexit_fill_RSB(void)
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
-#define alternative_msr_write(_msr, _val, _feature) \
|
|
||||||
- asm volatile(ALTERNATIVE("", \
|
|
||||||
- "movl %[msr], %%ecx\n\t" \
|
|
||||||
- "movl %[val], %%eax\n\t" \
|
|
||||||
- "movl $0, %%edx\n\t" \
|
|
||||||
- "wrmsr", \
|
|
||||||
- _feature) \
|
|
||||||
- : : [msr] "i" (_msr), [val] "i" (_val) \
|
|
||||||
- : "eax", "ecx", "edx", "memory")
|
|
||||||
+static __always_inline
|
|
||||||
+void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature)
|
|
||||||
+{
|
|
||||||
+ asm volatile(ALTERNATIVE("", "wrmsr", %c[feature])
|
|
||||||
+ : : "c" (msr),
|
|
||||||
+ "a" (val),
|
|
||||||
+ "d" (val >> 32),
|
|
||||||
+ [feature] "i" (feature)
|
|
||||||
+ : "memory");
|
|
||||||
+}
|
|
||||||
|
|
||||||
static inline void indirect_branch_prediction_barrier(void)
|
|
||||||
{
|
|
|
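Review bot: in the new alternative_msr_write() the operands "a" (val) and "d" (val >> 32) are still 64-bit expressions, although wrmsr consumes only EAX and EDX. The commit message is about exactly this kind of width confusion, so the halves should be made explicit with (u32)val and (u32)(val >> 32). It is also worth a short comment that the [feature] "i" operand only works because the function is __always_inline and every caller passes a compile-time constant; a non-constant feature argument would fail to build with a message that is hard to connect to this function.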
@ -1,213 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Sun, 29 Apr 2018 15:21:42 +0200
|
|
||||||
Subject: x86/process: Allow runtime control of Speculative Store Bypass
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 885f82bfbc6fefb6664ea27965c3ab9ac4194b8c upstream
|
|
||||||
|
|
||||||
The Speculative Store Bypass vulnerability can be mitigated with the
|
|
||||||
Reduced Data Speculation (RDS) feature. To allow finer grained control of
|
|
||||||
this eventually expensive mitigation a per task mitigation control is
|
|
||||||
required.
|
|
||||||
|
|
||||||
Add a new TIF_RDS flag and put it into the group of TIF flags which are
|
|
||||||
evaluated for mismatch in switch_to(). If these bits differ in the previous
|
|
||||||
and the next task, then the slow path function __switch_to_xtra() is
|
|
||||||
invoked. Implement the TIF_RDS dependent mitigation control in the slow
|
|
||||||
path.
|
|
||||||
|
|
||||||
If the prctl for controlling Speculative Store Bypass is disabled or no
|
|
||||||
task uses the prctl then there is no overhead in the switch_to() fast
|
|
||||||
path.
|
|
||||||
|
|
||||||
Update the KVM related speculation control functions to take TID_RDS into
|
|
||||||
account as well.
|
|
||||||
|
|
||||||
Based on a patch from Tim Chen. Completely rewritten.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/msr-index.h | 3 ++-
|
|
||||||
arch/x86/include/asm/spec-ctrl.h | 17 +++++++++++++++++
|
|
||||||
arch/x86/include/asm/thread_info.h | 4 +++-
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++++-----
|
|
||||||
arch/x86/kernel/process.c | 22 ++++++++++++++++++++++
|
|
||||||
5 files changed, 65 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/msr-index.h
|
|
||||||
+++ b/arch/x86/include/asm/msr-index.h
|
|
||||||
@@ -42,7 +42,8 @@
|
|
||||||
#define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */
|
|
||||||
#define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */
|
|
||||||
#define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */
|
|
||||||
-#define SPEC_CTRL_RDS (1 << 2) /* Reduced Data Speculation */
|
|
||||||
+#define SPEC_CTRL_RDS_SHIFT 2 /* Reduced Data Speculation bit */
|
|
||||||
+#define SPEC_CTRL_RDS (1 << SPEC_CTRL_RDS_SHIFT) /* Reduced Data Speculation */
|
|
||||||
|
|
||||||
#define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */
|
|
||||||
#define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */
|
|
||||||
--- a/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
+++ b/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
@@ -2,6 +2,7 @@
|
|
||||||
#ifndef _ASM_X86_SPECCTRL_H_
|
|
||||||
#define _ASM_X86_SPECCTRL_H_
|
|
||||||
|
|
||||||
+#include <linux/thread_info.h>
|
|
||||||
#include <asm/nospec-branch.h>
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -18,4 +19,20 @@ extern void x86_spec_ctrl_restore_host(u
|
|
||||||
extern u64 x86_amd_ls_cfg_base;
|
|
||||||
extern u64 x86_amd_ls_cfg_rds_mask;
|
|
||||||
|
|
||||||
+/* The Intel SPEC CTRL MSR base value cache */
|
|
||||||
+extern u64 x86_spec_ctrl_base;
|
|
||||||
+
|
|
||||||
+static inline u64 rds_tif_to_spec_ctrl(u64 tifn)
|
|
||||||
+{
|
|
||||||
+ BUILD_BUG_ON(TIF_RDS < SPEC_CTRL_RDS_SHIFT);
|
|
||||||
+ return (tifn & _TIF_RDS) >> (TIF_RDS - SPEC_CTRL_RDS_SHIFT);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static inline u64 rds_tif_to_amd_ls_cfg(u64 tifn)
|
|
||||||
+{
|
|
||||||
+ return (tifn & _TIF_RDS) ? x86_amd_ls_cfg_rds_mask : 0ULL;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+extern void speculative_store_bypass_update(void);
|
|
||||||
+
|
|
||||||
#endif
|
|
||||||
--- a/arch/x86/include/asm/thread_info.h
|
|
||||||
+++ b/arch/x86/include/asm/thread_info.h
|
|
||||||
@@ -79,6 +79,7 @@ struct thread_info {
|
|
||||||
#define TIF_SIGPENDING 2 /* signal pending */
|
|
||||||
#define TIF_NEED_RESCHED 3 /* rescheduling necessary */
|
|
||||||
#define TIF_SINGLESTEP 4 /* reenable singlestep on user return*/
|
|
||||||
+#define TIF_RDS 5 /* Reduced data speculation */
|
|
||||||
#define TIF_SYSCALL_EMU 6 /* syscall emulation active */
|
|
||||||
#define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */
|
|
||||||
#define TIF_SECCOMP 8 /* secure computing */
|
|
||||||
@@ -105,6 +106,7 @@ struct thread_info {
|
|
||||||
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
|
|
||||||
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
|
|
||||||
#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP)
|
|
||||||
+#define _TIF_RDS (1 << TIF_RDS)
|
|
||||||
#define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU)
|
|
||||||
#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
|
|
||||||
#define _TIF_SECCOMP (1 << TIF_SECCOMP)
|
|
||||||
@@ -144,7 +146,7 @@ struct thread_info {
|
|
||||||
|
|
||||||
/* flags to check in __switch_to() */
|
|
||||||
#define _TIF_WORK_CTXSW \
|
|
||||||
- (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP)
|
|
||||||
+ (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_RDS)
|
|
||||||
|
|
||||||
#define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY)
|
|
||||||
#define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW)
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -33,7 +33,7 @@ static void __init ssb_select_mitigation
|
|
||||||
* Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
|
|
||||||
* writes to SPEC_CTRL contain whatever reserved bits have been set.
|
|
||||||
*/
|
|
||||||
-static u64 __ro_after_init x86_spec_ctrl_base;
|
|
||||||
+u64 __ro_after_init x86_spec_ctrl_base;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The vendor and possibly platform specific bits which can be modified in
|
|
||||||
@@ -140,25 +140,41 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);
|
|
||||||
|
|
||||||
u64 x86_spec_ctrl_get_default(void)
|
|
||||||
{
|
|
||||||
- return x86_spec_ctrl_base;
|
|
||||||
+ u64 msrval = x86_spec_ctrl_base;
|
|
||||||
+
|
|
||||||
+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
||||||
+ msrval |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
+ return msrval;
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
|
|
||||||
|
|
||||||
void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
|
|
||||||
{
|
|
||||||
+ u64 host = x86_spec_ctrl_base;
|
|
||||||
+
|
|
||||||
if (!boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
return;
|
|
||||||
- if (x86_spec_ctrl_base != guest_spec_ctrl)
|
|
||||||
+
|
|
||||||
+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
||||||
+ host |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
+
|
|
||||||
+ if (host != guest_spec_ctrl)
|
|
||||||
wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
|
|
||||||
|
|
||||||
void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
|
|
||||||
{
|
|
||||||
+ u64 host = x86_spec_ctrl_base;
|
|
||||||
+
|
|
||||||
if (!boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
return;
|
|
||||||
- if (x86_spec_ctrl_base != guest_spec_ctrl)
|
|
||||||
- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
|
|
||||||
+
|
|
||||||
+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
||||||
+ host |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
|
|
||||||
+
|
|
||||||
+ if (host != guest_spec_ctrl)
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, host);
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
|
|
||||||
|
|
||||||
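Review bot: x86_spec_ctrl_get_default() now ORs in rds_tif_to_spec_ctrl(current_thread_info()->flags), so what it returns depends on the calling task and is no longer a default. Callers that cache the value or read it from a different context than the one that later writes the MSR will get the wrong RDS bit; the name or at least a comment should reflect that it is the current task's value. The same three lines (host = x86_spec_ctrl_base, vendor test, OR in the TIF bit) now appear in get_default, set_guest and restore_host and would be better as one static helper.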
--- a/arch/x86/kernel/process.c
|
|
||||||
+++ b/arch/x86/kernel/process.c
|
|
||||||
@@ -38,6 +38,7 @@
|
|
||||||
#include <asm/switch_to.h>
|
|
||||||
#include <asm/desc.h>
|
|
||||||
#include <asm/prctl.h>
|
|
||||||
+#include <asm/spec-ctrl.h>
|
|
||||||
|
|
||||||
/*
|
|
||||||
* per-CPU TSS segments. Threads are completely 'soft' on Linux,
|
|
||||||
@@ -278,6 +279,24 @@ static inline void switch_to_bitmap(stru
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
|
|
||||||
+{
|
|
||||||
+ u64 msr;
|
|
||||||
+
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_AMD_RDS)) {
|
|
||||||
+ msr = x86_amd_ls_cfg_base | rds_tif_to_amd_ls_cfg(tifn);
|
|
||||||
+ wrmsrl(MSR_AMD64_LS_CFG, msr);
|
|
||||||
+ } else {
|
|
||||||
+ msr = x86_spec_ctrl_base | rds_tif_to_spec_ctrl(tifn);
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, msr);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void speculative_store_bypass_update(void)
|
|
||||||
+{
|
|
||||||
+ __speculative_store_bypass_update(current_thread_info()->flags);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
|
|
||||||
struct tss_struct *tss)
|
|
||||||
{
|
|
||||||
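Review bot: the else branch of __speculative_store_bypass_update() writes MSR_IA32_SPEC_CTRL whenever X86_FEATURE_AMD_RDS is not set, with no check that the MSR or the RDS bit exists on this CPU. The function is reached from __switch_to_xtra() on any TIF_RDS mismatch and from the exported speculative_store_bypass_update(), so its safety rests entirely on TIF_RDS never being set on hardware without the control. Please either test the Intel feature bit in the else branch or add a comment naming the invariant and where it is enforced.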
@@ -309,6 +328,9 @@ void __switch_to_xtra(struct task_struct
|
|
||||||
|
|
||||||
if ((tifp ^ tifn) & _TIF_NOCPUID)
|
|
||||||
set_cpuid_faulting(!!(tifn & _TIF_NOCPUID));
|
|
||||||
+
|
|
||||||
+ if ((tifp ^ tifn) & _TIF_RDS)
|
|
||||||
+ __speculative_store_bypass_update(tifn);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
|
@ -1,212 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Sun, 29 Apr 2018 15:26:40 +0200
|
|
||||||
Subject: x86/speculation: Add prctl for Speculative Store Bypass mitigation
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit a73ec77ee17ec556fe7f165d00314cb7c047b1ac upstream
|
|
||||||
|
|
||||||
Add prctl based control for Speculative Store Bypass mitigation and make it
|
|
||||||
the default mitigation for Intel and AMD.
|
|
||||||
|
|
||||||
Andi Kleen provided the following rationale (slightly redacted):
|
|
||||||
|
|
||||||
There are multiple levels of impact of Speculative Store Bypass:
|
|
||||||
|
|
||||||
1) JITed sandbox.
|
|
||||||
It cannot invoke system calls, but can do PRIME+PROBE and may have call
|
|
||||||
interfaces to other code
|
|
||||||
|
|
||||||
2) Native code process.
|
|
||||||
No protection inside the process at this level.
|
|
||||||
|
|
||||||
3) Kernel.
|
|
||||||
|
|
||||||
4) Between processes.
|
|
||||||
|
|
||||||
The prctl tries to protect against case (1) doing attacks.
|
|
||||||
|
|
||||||
If the untrusted code can do random system calls then control is already
|
|
||||||
lost in a much worse way. So there needs to be system call protection in
|
|
||||||
some way (using a JIT not allowing them or seccomp). Or rather if the
|
|
||||||
process can subvert its environment somehow to do the prctl it can already
|
|
||||||
execute arbitrary code, which is much worse than SSB.
|
|
||||||
|
|
||||||
To put it differently, the point of the prctl is to not allow JITed code
|
|
||||||
to read data it shouldn't read from its JITed sandbox. If it already has
|
|
||||||
escaped its sandbox then it can already read everything it wants in its
|
|
||||||
address space, and do much worse.
|
|
||||||
|
|
||||||
The ability to control Speculative Store Bypass allows to enable the
|
|
||||||
protection selectively without affecting overall system performance.
|
|
||||||
|
|
||||||
Based on an initial patch from Tim Chen. Completely rewritten.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
Documentation/admin-guide/kernel-parameters.txt | 6 +
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 1
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 83 +++++++++++++++++++++---
|
|
||||||
3 files changed, 79 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
--- a/Documentation/admin-guide/kernel-parameters.txt
|
|
||||||
+++ b/Documentation/admin-guide/kernel-parameters.txt
|
|
||||||
@@ -4025,7 +4025,11 @@
|
|
||||||
off - Unconditionally enable Speculative Store Bypass
|
|
||||||
auto - Kernel detects whether the CPU model contains an
|
|
||||||
implementation of Speculative Store Bypass and
|
|
||||||
- picks the most appropriate mitigation
|
|
||||||
+ picks the most appropriate mitigation.
|
|
||||||
+ prctl - Control Speculative Store Bypass per thread
|
|
||||||
+ via prctl. Speculative Store Bypass is enabled
|
|
||||||
+ for a process by default. The state of the control
|
|
||||||
+ is inherited on fork.
|
|
||||||
|
|
||||||
Not specifying this option is equivalent to
|
|
||||||
spec_store_bypass_disable=auto.
|
|
||||||
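Review bot: the documentation for "auto" is left saying the kernel "picks the most appropriate mitigation", while the closing sentence still states that omitting the option is equivalent to spec_store_bypass_disable=auto. Since this patch makes auto select the prctl mode, an administrator reading this text cannot tell that the default is now opt-in per thread with Speculative Store Bypass enabled for every process that does not ask otherwise. The auto entry should name prctl as what it resolves to.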
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -232,6 +232,7 @@ extern u64 x86_spec_ctrl_get_default(voi
|
|
||||||
enum ssb_mitigation {
|
|
||||||
SPEC_STORE_BYPASS_NONE,
|
|
||||||
SPEC_STORE_BYPASS_DISABLE,
|
|
||||||
+ SPEC_STORE_BYPASS_PRCTL,
|
|
||||||
};
|
|
||||||
|
|
||||||
extern char __indirect_thunk_start[];
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -12,6 +12,8 @@
|
|
||||||
#include <linux/utsname.h>
|
|
||||||
#include <linux/cpu.h>
|
|
||||||
#include <linux/module.h>
|
|
||||||
+#include <linux/nospec.h>
|
|
||||||
+#include <linux/prctl.h>
|
|
||||||
|
|
||||||
#include <asm/spec-ctrl.h>
|
|
||||||
#include <asm/cmdline.h>
|
|
||||||
@@ -412,20 +414,23 @@ enum ssb_mitigation_cmd {
|
|
||||||
SPEC_STORE_BYPASS_CMD_NONE,
|
|
||||||
SPEC_STORE_BYPASS_CMD_AUTO,
|
|
||||||
SPEC_STORE_BYPASS_CMD_ON,
|
|
||||||
+ SPEC_STORE_BYPASS_CMD_PRCTL,
|
|
||||||
};
|
|
||||||
|
|
||||||
static const char *ssb_strings[] = {
|
|
||||||
[SPEC_STORE_BYPASS_NONE] = "Vulnerable",
|
|
||||||
- [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled"
|
|
||||||
+ [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
|
|
||||||
+ [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl"
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
const char *option;
|
|
||||||
enum ssb_mitigation_cmd cmd;
|
|
||||||
} ssb_mitigation_options[] = {
|
|
||||||
- { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
|
|
||||||
- { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
|
|
||||||
- { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
|
|
||||||
+ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
|
|
||||||
+ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
|
|
||||||
+ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
|
|
||||||
+ { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
|
|
||||||
};
|
|
||||||
|
|
||||||
static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
|
|
||||||
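Review bot: the new ssb_strings entry for SPEC_STORE_BYPASS_PRCTL reads "Mitigation: Speculative Store Bypass disabled via prctl", which will be reported system-wide even when no task has opted in. Per the documentation hunk in this same patch, Speculative Store Bypass is enabled for a process by default in this mode, so the string overstates the protection to anyone auditing the host. Wording along the lines of "can be disabled per thread via prctl" would match the actual state. The realignment of the three existing ssb_mitigation_options rows is whitespace-only churn that makes the one added row harder to spot.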
@@ -475,14 +480,15 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
|
|
||||||
switch (cmd) {
|
|
||||||
case SPEC_STORE_BYPASS_CMD_AUTO:
|
|
||||||
- /*
|
|
||||||
- * AMD platforms by default don't need SSB mitigation.
|
|
||||||
- */
|
|
||||||
- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
|
|
||||||
- break;
|
|
||||||
+ /* Choose prctl as the default mode */
|
|
||||||
+ mode = SPEC_STORE_BYPASS_PRCTL;
|
|
||||||
+ break;
|
|
||||||
case SPEC_STORE_BYPASS_CMD_ON:
|
|
||||||
mode = SPEC_STORE_BYPASS_DISABLE;
|
|
||||||
break;
|
|
||||||
+ case SPEC_STORE_BYPASS_CMD_PRCTL:
|
|
||||||
+ mode = SPEC_STORE_BYPASS_PRCTL;
|
|
||||||
+ break;
|
|
||||||
case SPEC_STORE_BYPASS_CMD_NONE:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
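Review bot: the SPEC_STORE_BYPASS_CMD_AUTO and SPEC_STORE_BYPASS_CMD_PRCTL cases now have identical bodies (mode = SPEC_STORE_BYPASS_PRCTL; break;) separated by the CMD_ON case. Placing the two labels together on one body would make it obvious that auto is an alias for prctl and avoids the two drifting apart in a later change.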
@@ -493,7 +499,7 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
* - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass
|
|
||||||
* - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
|
|
||||||
*/
|
|
||||||
- if (mode != SPEC_STORE_BYPASS_NONE) {
|
|
||||||
+ if (mode == SPEC_STORE_BYPASS_DISABLE) {
|
|
||||||
setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
|
|
||||||
/*
|
|
||||||
* Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses
|
|
||||||
@@ -524,6 +530,63 @@ static void ssb_select_mitigation()
|
|
||||||
|
|
||||||
#undef pr_fmt
|
|
||||||
|
|
||||||
+static int ssb_prctl_set(unsigned long ctrl)
|
|
||||||
+{
|
|
||||||
+ bool rds = !!test_tsk_thread_flag(current, TIF_RDS);
|
|
||||||
+
|
|
||||||
+ if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
|
|
||||||
+ return -ENXIO;
|
|
||||||
+
|
|
||||||
+ if (ctrl == PR_SPEC_ENABLE)
|
|
||||||
+ clear_tsk_thread_flag(current, TIF_RDS);
|
|
||||||
+ else
|
|
||||||
+ set_tsk_thread_flag(current, TIF_RDS);
|
|
||||||
+
|
|
||||||
+ if (rds != !!test_tsk_thread_flag(current, TIF_RDS))
|
|
||||||
+ speculative_store_bypass_update();
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int ssb_prctl_get(void)
|
|
||||||
+{
|
|
||||||
+ switch (ssb_mode) {
|
|
||||||
+ case SPEC_STORE_BYPASS_DISABLE:
|
|
||||||
+ return PR_SPEC_DISABLE;
|
|
||||||
+ case SPEC_STORE_BYPASS_PRCTL:
|
|
||||||
+ if (test_tsk_thread_flag(current, TIF_RDS))
|
|
||||||
+ return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
|
|
||||||
+ return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
|
|
||||||
+ default:
|
|
||||||
+ if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
|
|
||||||
+ return PR_SPEC_ENABLE;
|
|
||||||
+ return PR_SPEC_NOT_AFFECTED;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
|
|
||||||
+{
|
|
||||||
+ if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE)
|
|
||||||
+ return -ERANGE;
|
|
||||||
+
|
|
||||||
+ switch (which) {
|
|
||||||
+ case PR_SPEC_STORE_BYPASS:
|
|
||||||
+ return ssb_prctl_set(ctrl);
|
|
||||||
+ default:
|
|
||||||
+ return -ENODEV;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int arch_prctl_spec_ctrl_get(unsigned long which)
|
|
||||||
+{
|
|
||||||
+ switch (which) {
|
|
||||||
+ case PR_SPEC_STORE_BYPASS:
|
|
||||||
+ return ssb_prctl_get();
|
|
||||||
+ default:
|
|
||||||
+ return -ENODEV;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void x86_spec_ctrl_setup_ap(void)
|
|
||||||
{
|
|
||||||
if (boot_cpu_has(X86_FEATURE_IBRS))
|
|
|
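Review bot: ssb_prctl_set() treats every ctrl value other than PR_SPEC_ENABLE as a request to disable, through the bare `else` in front of `set_tsk_thread_flag(current, TIF_RDS)`. That is only correct because arch_prctl_spec_ctrl_set() rejects anything but PR_SPEC_ENABLE and PR_SPEC_DISABLE with -ERANGE first. A `switch (ctrl)` with an explicit PR_SPEC_DISABLE case and a default returning -ERANGE would keep the helper safe if another caller or ctrl value is added later. ssb_prctl_get() also deserves a comment: in SPEC_STORE_BYPASS_DISABLE mode it returns PR_SPEC_DISABLE without PR_SPEC_PRCTL, and that missing bit is how a caller learns the setting cannot be changed per task.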
@ -1,93 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Tom Lendacky <thomas.lendacky@amd.com>
|
|
||||||
Date: Thu, 17 May 2018 17:09:18 +0200
|
|
||||||
Subject: x86/speculation: Add virtualized speculative store bypass disable support
|
|
||||||
|
|
||||||
From: Tom Lendacky <thomas.lendacky@amd.com>
|
|
||||||
|
|
||||||
commit 11fb0683493b2da112cd64c9dada221b52463bf7 upstream
|
|
||||||
|
|
||||||
Some AMD processors only support a non-architectural means of enabling
|
|
||||||
speculative store bypass disable (SSBD). To allow a simplified view of
|
|
||||||
this to a guest, an architectural definition has been created through a new
|
|
||||||
CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a
|
|
||||||
hypervisor can virtualize the existence of this definition and provide an
|
|
||||||
architectural method for using SSBD to a guest.
|
|
||||||
|
|
||||||
Add the new CPUID feature, the new MSR and update the existing SSBD
|
|
||||||
support to use this MSR when present.
|
|
||||||
|
|
||||||
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 1 +
|
|
||||||
arch/x86/include/asm/msr-index.h | 2 ++
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 4 +++-
|
|
||||||
arch/x86/kernel/process.c | 13 ++++++++++++-
|
|
||||||
4 files changed, 18 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -282,6 +282,7 @@
|
|
||||||
#define X86_FEATURE_AMD_IBPB (13*32+12) /* "" Indirect Branch Prediction Barrier */
|
|
||||||
#define X86_FEATURE_AMD_IBRS (13*32+14) /* "" Indirect Branch Restricted Speculation */
|
|
||||||
#define X86_FEATURE_AMD_STIBP (13*32+15) /* "" Single Thread Indirect Branch Predictors */
|
|
||||||
+#define X86_FEATURE_VIRT_SSBD (13*32+25) /* Virtualized Speculative Store Bypass Disable */
|
|
||||||
|
|
||||||
/* Thermal and Power Management Leaf, CPUID level 0x00000006 (EAX), word 14 */
|
|
||||||
#define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */
|
|
||||||
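Review bot: the new X86_FEATURE_VIRT_SSBD define has no leading "" in its comment, unlike the AMD_IBPB, AMD_IBRS and AMD_STIBP entries directly above it, so it will be listed as a flag in /proc/cpuinfo while its neighbours stay hidden. If that exposure is intended, say so in the changelog; otherwise add the "" prefix for consistency.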
--- a/arch/x86/include/asm/msr-index.h
|
|
||||||
+++ b/arch/x86/include/asm/msr-index.h
|
|
||||||
@@ -347,6 +347,8 @@
|
|
||||||
#define MSR_AMD64_SEV_ENABLED_BIT 0
|
|
||||||
#define MSR_AMD64_SEV_ENABLED BIT_ULL(MSR_AMD64_SEV_ENABLED_BIT)
|
|
||||||
|
|
||||||
+#define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f
|
|
||||||
+
|
|
||||||
/* Fam 17h MSRs */
|
|
||||||
#define MSR_F17H_IRPERF 0xc00000e9
|
|
||||||
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -205,7 +205,9 @@ static void x86_amd_ssb_disable(void)
|
|
||||||
{
|
|
||||||
u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
|
|
||||||
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
|
|
||||||
+ wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
|
|
||||||
+ else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
|
|
||||||
wrmsrl(MSR_AMD64_LS_CFG, msrval);
|
|
||||||
}
|
|
||||||
|
|
||||||
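Review bot: in x86_amd_ssb_disable() `msrval` is still computed from x86_amd_ls_cfg_base at declaration even though the new X86_FEATURE_VIRT_SSBD branch never uses it; move the computation into the LS_CFG branch. The order of the two checks (VIRT_SSBD before LS_CFG_SSBD) is also undocumented. A one-line comment stating that the virtualized MSR takes precedence when both features are present would help, since __speculative_store_bypass_update() has to follow the same order.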
--- a/arch/x86/kernel/process.c
|
|
||||||
+++ b/arch/x86/kernel/process.c
|
|
||||||
@@ -388,6 +388,15 @@ static __always_inline void amd_set_core
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+static __always_inline void amd_set_ssb_virt_state(unsigned long tifn)
|
|
||||||
+{
|
|
||||||
+ /*
|
|
||||||
+ * SSBD has the same definition in SPEC_CTRL and VIRT_SPEC_CTRL,
|
|
||||||
+ * so ssbd_tif_to_spec_ctrl() just works.
|
|
||||||
+ */
|
|
||||||
+ wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, ssbd_tif_to_spec_ctrl(tifn));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static __always_inline void intel_set_ssb_state(unsigned long tifn)
|
|
||||||
{
|
|
||||||
u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
|
|
||||||
@@ -397,7 +406,9 @@ static __always_inline void intel_set_ss
|
|
||||||
|
|
||||||
static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
|
|
||||||
{
|
|
||||||
- if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_VIRT_SSBD))
|
|
||||||
+ amd_set_ssb_virt_state(tifn);
|
|
||||||
+ else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
|
|
||||||
amd_set_core_ssb_state(tifn);
|
|
||||||
else
|
|
||||||
intel_set_ssb_state(tifn);
|
|
|
@ -1,125 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Sun, 29 Apr 2018 15:01:37 +0200
|
|
||||||
Subject: x86/speculation: Create spec-ctrl.h to avoid include hell
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 28a2775217b17208811fa43a9e96bd1fdf417b86 upstream
|
|
||||||
|
|
||||||
Having everything in nospec-branch.h creates a hell of dependencies when
|
|
||||||
adding the prctl based switching mechanism. Move everything which is not
|
|
||||||
required in nospec-branch.h to spec-ctrl.h and fix up the includes in the
|
|
||||||
relevant files.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Reviewed-by: Ingo Molnar <mingo@kernel.org>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 14 --------------
|
|
||||||
arch/x86/include/asm/spec-ctrl.h | 21 +++++++++++++++++++++
|
|
||||||
arch/x86/kernel/cpu/amd.c | 2 +-
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 2 +-
|
|
||||||
arch/x86/kvm/svm.c | 2 +-
|
|
||||||
arch/x86/kvm/vmx.c | 2 +-
|
|
||||||
6 files changed, 25 insertions(+), 18 deletions(-)
|
|
||||||
create mode 100644 arch/x86/include/asm/spec-ctrl.h
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -228,26 +228,12 @@ enum spectre_v2_mitigation {
|
|
||||||
extern void x86_spec_ctrl_set(u64);
|
|
||||||
extern u64 x86_spec_ctrl_get_default(void);
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
|
|
||||||
- * the guest has, while on VMEXIT we restore the host view. This
|
|
||||||
- * would be easier if SPEC_CTRL were architecturally maskable or
|
|
||||||
- * shadowable for guests but this is not (currently) the case.
|
|
||||||
- * Takes the guest view of SPEC_CTRL MSR as a parameter.
|
|
||||||
- */
|
|
||||||
-extern void x86_spec_ctrl_set_guest(u64);
|
|
||||||
-extern void x86_spec_ctrl_restore_host(u64);
|
|
||||||
-
|
|
||||||
/* The Speculative Store Bypass disable variants */
|
|
||||||
enum ssb_mitigation {
|
|
||||||
SPEC_STORE_BYPASS_NONE,
|
|
||||||
SPEC_STORE_BYPASS_DISABLE,
|
|
||||||
};
|
|
||||||
|
|
||||||
-/* AMD specific Speculative Store Bypass MSR data */
|
|
||||||
-extern u64 x86_amd_ls_cfg_base;
|
|
||||||
-extern u64 x86_amd_ls_cfg_rds_mask;
|
|
||||||
-
|
|
||||||
extern char __indirect_thunk_start[];
|
|
||||||
extern char __indirect_thunk_end[];
|
|
||||||
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
@@ -0,0 +1,21 @@
|
|
||||||
+/* SPDX-License-Identifier: GPL-2.0 */
|
|
||||||
+#ifndef _ASM_X86_SPECCTRL_H_
|
|
||||||
+#define _ASM_X86_SPECCTRL_H_
|
|
||||||
+
|
|
||||||
+#include <asm/nospec-branch.h>
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
|
|
||||||
+ * the guest has, while on VMEXIT we restore the host view. This
|
|
||||||
+ * would be easier if SPEC_CTRL were architecturally maskable or
|
|
||||||
+ * shadowable for guests but this is not (currently) the case.
|
|
||||||
+ * Takes the guest view of SPEC_CTRL MSR as a parameter.
|
|
||||||
+ */
|
|
||||||
+extern void x86_spec_ctrl_set_guest(u64);
|
|
||||||
+extern void x86_spec_ctrl_restore_host(u64);
|
|
||||||
+
|
|
||||||
+/* AMD specific Speculative Store Bypass MSR data */
|
|
||||||
+extern u64 x86_amd_ls_cfg_base;
|
|
||||||
+extern u64 x86_amd_ls_cfg_rds_mask;
|
|
||||||
+
|
|
||||||
+#endif
|
|
||||||
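Review bot: the new header declares its externs with `u64` but includes only `<asm/nospec-branch.h>`, so it depends on that header to provide the type. Including `<linux/types.h>` directly would make spec-ctrl.h self-contained, which fits the stated goal of untangling the include dependencies. The closing `#endif` could also carry the `_ASM_X86_SPECCTRL_H_` guard name as a comment.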
--- a/arch/x86/kernel/cpu/amd.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/amd.c
|
|
||||||
@@ -10,7 +10,7 @@
|
|
||||||
#include <asm/processor.h>
|
|
||||||
#include <asm/apic.h>
|
|
||||||
#include <asm/cpu.h>
|
|
||||||
-#include <asm/nospec-branch.h>
|
|
||||||
+#include <asm/spec-ctrl.h>
|
|
||||||
#include <asm/smp.h>
|
|
||||||
#include <asm/pci-direct.h>
|
|
||||||
#include <asm/delay.h>
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -13,7 +13,7 @@
|
|
||||||
#include <linux/cpu.h>
|
|
||||||
#include <linux/module.h>
|
|
||||||
|
|
||||||
-#include <asm/nospec-branch.h>
|
|
||||||
+#include <asm/spec-ctrl.h>
|
|
||||||
#include <asm/cmdline.h>
|
|
||||||
#include <asm/bugs.h>
|
|
||||||
#include <asm/processor.h>
|
|
||||||
--- a/arch/x86/kvm/svm.c
|
|
||||||
+++ b/arch/x86/kvm/svm.c
|
|
||||||
@@ -50,7 +50,7 @@
|
|
||||||
#include <asm/kvm_para.h>
|
|
||||||
#include <asm/irq_remapping.h>
|
|
||||||
#include <asm/microcode.h>
|
|
||||||
-#include <asm/nospec-branch.h>
|
|
||||||
+#include <asm/spec-ctrl.h>
|
|
||||||
|
|
||||||
#include <asm/virtext.h>
|
|
||||||
#include "trace.h"
|
|
||||||
--- a/arch/x86/kvm/vmx.c
|
|
||||||
+++ b/arch/x86/kvm/vmx.c
|
|
||||||
@@ -52,7 +52,7 @@
|
|
||||||
#include <asm/irq_remapping.h>
|
|
||||||
#include <asm/mmu_context.h>
|
|
||||||
#include <asm/microcode.h>
|
|
||||||
-#include <asm/nospec-branch.h>
|
|
||||||
+#include <asm/spec-ctrl.h>
|
|
||||||
|
|
||||||
#include "trace.h"
|
|
||||||
#include "pmu.h"
|
|
|
@ -1,232 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Wed, 9 May 2018 21:53:09 +0200
|
|
||||||
Subject: x86/speculation: Handle HT correctly on AMD
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 1f50ddb4f4189243c05926b842dc1a0332195f31 upstream
|
|
||||||
|
|
||||||
The AMD64_LS_CFG MSR is a per core MSR on Family 17H CPUs. That means when
|
|
||||||
hyperthreading is enabled the SSBD bit toggle needs to take both cores into
|
|
||||||
account. Otherwise the following situation can happen:
|
|
||||||
|
|
||||||
CPU0 CPU1
|
|
||||||
|
|
||||||
disable SSB
|
|
||||||
disable SSB
|
|
||||||
enable SSB <- Enables it for the Core, i.e. for CPU0 as well
|
|
||||||
|
|
||||||
So after the SSB enable on CPU1 the task on CPU0 runs with SSB enabled
|
|
||||||
again.
|
|
||||||
|
|
||||||
On Intel the SSBD control is per core as well, but the synchronization
|
|
||||||
logic is implemented behind the per thread SPEC_CTRL MSR. It works like
|
|
||||||
this:
|
|
||||||
|
|
||||||
CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL
|
|
||||||
|
|
||||||
i.e. if one of the threads enables a mitigation then this affects both and
|
|
||||||
the mitigation is only disabled in the core when both threads disabled it.
|
|
||||||
|
|
||||||
Add the necessary synchronization logic for AMD family 17H. Unfortunately
|
|
||||||
that requires a spinlock to serialize the access to the MSR, but the locks
|
|
||||||
are only shared between siblings.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/spec-ctrl.h | 6 +
|
|
||||||
arch/x86/kernel/process.c | 125 +++++++++++++++++++++++++++++++++++++--
|
|
||||||
arch/x86/kernel/smpboot.c | 5 +
|
|
||||||
3 files changed, 130 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
+++ b/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
@@ -33,6 +33,12 @@ static inline u64 ssbd_tif_to_amd_ls_cfg
|
|
||||||
return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef CONFIG_SMP
|
|
||||||
+extern void speculative_store_bypass_ht_init(void);
|
|
||||||
+#else
|
|
||||||
+static inline void speculative_store_bypass_ht_init(void) { }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
extern void speculative_store_bypass_update(void);
|
|
||||||
|
|
||||||
#endif
|
|
||||||
--- a/arch/x86/kernel/process.c
|
|
||||||
+++ b/arch/x86/kernel/process.c
|
|
||||||
@@ -279,22 +279,135 @@ static inline void switch_to_bitmap(stru
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
|
|
||||||
+#ifdef CONFIG_SMP
|
|
||||||
+
|
|
||||||
+struct ssb_state {
|
|
||||||
+ struct ssb_state *shared_state;
|
|
||||||
+ raw_spinlock_t lock;
|
|
||||||
+ unsigned int disable_state;
|
|
||||||
+ unsigned long local_state;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+#define LSTATE_SSB 0
|
|
||||||
+
|
|
||||||
+static DEFINE_PER_CPU(struct ssb_state, ssb_state);
|
|
||||||
+
|
|
||||||
+void speculative_store_bypass_ht_init(void)
|
|
||||||
+{
|
|
||||||
+ struct ssb_state *st = this_cpu_ptr(&ssb_state);
|
|
||||||
+ unsigned int this_cpu = smp_processor_id();
|
|
||||||
+ unsigned int cpu;
|
|
||||||
+
|
|
||||||
+ st->local_state = 0;
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Shared state setup happens once on the first bringup
|
|
||||||
+ * of the CPU. It's not destroyed on CPU hotunplug.
|
|
||||||
+ */
|
|
||||||
+ if (st->shared_state)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ raw_spin_lock_init(&st->lock);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Go over HT siblings and check whether one of them has set up the
|
|
||||||
+ * shared state pointer already.
|
|
||||||
+ */
|
|
||||||
+ for_each_cpu(cpu, topology_sibling_cpumask(this_cpu)) {
|
|
||||||
+ if (cpu == this_cpu)
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ if (!per_cpu(ssb_state, cpu).shared_state)
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ /* Link it to the state of the sibling: */
|
|
||||||
+ st->shared_state = per_cpu(ssb_state, cpu).shared_state;
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * First HT sibling to come up on the core. Link shared state of
|
|
||||||
+ * the first HT sibling to itself. The siblings on the same core
|
|
||||||
+ * which come up later will see the shared state pointer and link
|
|
||||||
+ * themself to the state of this CPU.
|
|
||||||
+ */
|
|
||||||
+ st->shared_state = st;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Logic is: First HT sibling enables SSBD for both siblings in the core
|
|
||||||
+ * and last sibling to disable it, disables it for the whole core. This how
|
|
||||||
+ * MSR_SPEC_CTRL works in "hardware":
|
|
||||||
+ *
|
|
||||||
+ * CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL
|
|
||||||
+ */
|
|
||||||
+static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
|
|
||||||
{
|
|
||||||
- u64 msr;
|
|
||||||
+ struct ssb_state *st = this_cpu_ptr(&ssb_state);
|
|
||||||
+ u64 msr = x86_amd_ls_cfg_base;
|
|
||||||
|
|
||||||
- if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) {
|
|
||||||
- msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
|
|
||||||
+ if (!static_cpu_has(X86_FEATURE_ZEN)) {
|
|
||||||
+ msr |= ssbd_tif_to_amd_ls_cfg(tifn);
|
|
||||||
wrmsrl(MSR_AMD64_LS_CFG, msr);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (tifn & _TIF_SSBD) {
|
|
||||||
+ /*
|
|
||||||
+ * Since this can race with prctl(), block reentry on the
|
|
||||||
+ * same CPU.
|
|
||||||
+ */
|
|
||||||
+ if (__test_and_set_bit(LSTATE_SSB, &st->local_state))
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ msr |= x86_amd_ls_cfg_ssbd_mask;
|
|
||||||
+
|
|
||||||
+ raw_spin_lock(&st->shared_state->lock);
|
|
||||||
+ /* First sibling enables SSBD: */
|
|
||||||
+ if (!st->shared_state->disable_state)
|
|
||||||
+ wrmsrl(MSR_AMD64_LS_CFG, msr);
|
|
||||||
+ st->shared_state->disable_state++;
|
|
||||||
+ raw_spin_unlock(&st->shared_state->lock);
|
|
||||||
} else {
|
|
||||||
- msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
|
|
||||||
- wrmsrl(MSR_IA32_SPEC_CTRL, msr);
|
|
||||||
+ if (!__test_and_clear_bit(LSTATE_SSB, &st->local_state))
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ raw_spin_lock(&st->shared_state->lock);
|
|
||||||
+ st->shared_state->disable_state--;
|
|
||||||
+ if (!st->shared_state->disable_state)
|
|
||||||
+ wrmsrl(MSR_AMD64_LS_CFG, msr);
|
|
||||||
+ raw_spin_unlock(&st->shared_state->lock);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+#else
|
|
||||||
+static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
|
|
||||||
+{
|
|
||||||
+ u64 msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
|
|
||||||
+
|
|
||||||
+ wrmsrl(MSR_AMD64_LS_CFG, msr);
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+static __always_inline void intel_set_ssb_state(unsigned long tifn)
|
|
||||||
+{
|
|
||||||
+ u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
|
|
||||||
+
|
|
||||||
+ wrmsrl(MSR_IA32_SPEC_CTRL, msr);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
|
|
||||||
+{
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
|
|
||||||
+ amd_set_core_ssb_state(tifn);
|
|
||||||
+ else
|
|
||||||
+ intel_set_ssb_state(tifn);
|
|
||||||
+}
|
|
||||||
|
|
||||||
void speculative_store_bypass_update(void)
|
|
||||||
{
|
|
||||||
+ preempt_disable();
|
|
||||||
__speculative_store_bypass_update(current_thread_info()->flags);
|
|
||||||
+ preempt_enable();
|
|
||||||
}
|
|
||||||
|
|
||||||
void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
|
|
||||||
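Review bot: speculative_store_bypass_ht_init() resets `st->local_state = 0` on every bringup, but per its own comment the shared state is not destroyed on CPU hotunplug. If a sibling ever went offline with LSTATE_SSB still set, `shared_state->disable_state` would keep that reference, the later `__test_and_clear_bit()` path would return early, and the count could never reach zero again for that core. That fails towards the mitigated side, but please either document why the bit is always clear before a CPU goes down or drop the reference on the offline path. The sibling scan also reads `per_cpu(ssb_state, cpu).shared_state` without holding a lock, so the comment should state what serializes bringup. Nits: "This how MSR_SPEC_CTRL works" is missing "is", and "themself" should be "themselves".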
--- a/arch/x86/kernel/smpboot.c
|
|
||||||
+++ b/arch/x86/kernel/smpboot.c
|
|
||||||
@@ -77,6 +77,7 @@
|
|
||||||
#include <asm/i8259.h>
|
|
||||||
#include <asm/misc.h>
|
|
||||||
#include <asm/qspinlock.h>
|
|
||||||
+#include <asm/spec-ctrl.h>
|
|
||||||
|
|
||||||
/* Number of siblings per CPU package */
|
|
||||||
int smp_num_siblings = 1;
|
|
||||||
@@ -242,6 +243,8 @@ static void notrace start_secondary(void
|
|
||||||
*/
|
|
||||||
check_tsc_sync_target();
|
|
||||||
|
|
||||||
+ speculative_store_bypass_ht_init();
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Lock vector_lock, set CPU online and bring the vector
|
|
||||||
* allocator online. Online must be set with vector_lock held
|
|
||||||
@@ -1257,6 +1260,8 @@ void __init native_smp_prepare_cpus(unsi
|
|
||||||
set_mtrr_aps_delayed_init();
|
|
||||||
|
|
||||||
smp_quirk_init_udelay();
|
|
||||||
+
|
|
||||||
+ speculative_store_bypass_ht_init();
|
|
||||||
}
|
|
||||||
|
|
||||||
void arch_enable_nonboot_cpus_begin(void)
|
|
|
@ -1,77 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Thu, 10 May 2018 20:42:48 +0200
|
|
||||||
Subject: x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 47c61b3955cf712cadfc25635bf9bc174af030ea upstream
|
|
||||||
|
|
||||||
Add the necessary logic for supporting the emulated VIRT_SPEC_CTRL MSR to
|
|
||||||
x86_virt_spec_ctrl(). If either X86_FEATURE_LS_CFG_SSBD or
|
|
||||||
X86_FEATURE_VIRT_SPEC_CTRL is set then use the new guest_virt_spec_ctrl
|
|
||||||
argument to check whether the state must be modified on the host. The
|
|
||||||
update reuses speculative_store_bypass_update() so the ZEN-specific sibling
|
|
||||||
coordination can be reused.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/spec-ctrl.h | 6 ++++++
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++++++++++++
|
|
||||||
2 files changed, 36 insertions(+)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
+++ b/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
@@ -53,6 +53,12 @@ static inline u64 ssbd_tif_to_spec_ctrl(
|
|
||||||
return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl)
|
|
||||||
+{
|
|
||||||
+ BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
|
|
||||||
+ return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
|
|
||||||
{
|
|
||||||
return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -162,6 +162,36 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl,
|
|
||||||
wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
|
|
||||||
+ * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
|
|
||||||
+ */
|
|
||||||
+ if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
|
|
||||||
+ !static_cpu_has(X86_FEATURE_VIRT_SSBD))
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * If the host has SSBD mitigation enabled, force it in the host's
|
|
||||||
+ * virtual MSR value. If its not permanently enabled, evaluate
|
|
||||||
+ * current's TIF_SSBD thread flag.
|
|
||||||
+ */
|
|
||||||
+ if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
|
|
||||||
+ hostval = SPEC_CTRL_SSBD;
|
|
||||||
+ else
|
|
||||||
+ hostval = ssbd_tif_to_spec_ctrl(ti->flags);
|
|
||||||
+
|
|
||||||
+ /* Sanitize the guest value */
|
|
||||||
+ guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
|
|
||||||
+
|
|
||||||
+ if (hostval != guestval) {
|
|
||||||
+ unsigned long tif;
|
|
||||||
+
|
|
||||||
+ tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
|
|
||||||
+ ssbd_spec_ctrl_to_tif(hostval);
|
|
||||||
+
|
|
||||||
+ speculative_store_bypass_update(tif);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
|
|
||||||
|
|
|
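Review bot: the new comment in x86_virt_spec_ctrl() names MSR_AMD64_L2_CFG, but the register the SSBD code writes everywhere else is MSR_AMD64_LS_CFG, so this looks like a typo; "If its not permanently enabled" should read "it's". The changelog also refers to X86_FEATURE_VIRT_SPEC_CTRL while the code tests X86_FEATURE_VIRT_SSBD, so one of the two names needs correcting. Since `guestval` comes from the guest, it is good that it is masked with SPEC_CTRL_SSBD before use; the "Sanitize the guest value" comment could say that all other bits are deliberately ignored.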
@ -1,157 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
Date: Thu, 3 May 2018 14:37:54 -0700
|
|
||||||
Subject: x86/speculation: Make "seccomp" the default mode for Speculative Store Bypass
|
|
||||||
|
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
|
|
||||||
commit f21b53b20c754021935ea43364dbf53778eeba32 upstream
|
|
||||||
|
|
||||||
Unless explicitly opted out of, anything running under seccomp will have
|
|
||||||
SSB mitigations enabled. Choosing the "prctl" mode will disable this.
|
|
||||||
|
|
||||||
[ tglx: Adjusted it to the new arch_seccomp_spec_mitigate() mechanism ]
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
Documentation/admin-guide/kernel-parameters.txt | 26 ++++++++++++-------
|
|
||||||
arch/x86/include/asm/nospec-branch.h | 1
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 32 +++++++++++++++++-------
|
|
||||||
3 files changed, 41 insertions(+), 18 deletions(-)
|
|
||||||
|
|
||||||
--- a/Documentation/admin-guide/kernel-parameters.txt
|
|
||||||
+++ b/Documentation/admin-guide/kernel-parameters.txt
|
|
||||||
@@ -4021,19 +4021,27 @@
|
|
||||||
This parameter controls whether the Speculative Store
|
|
||||||
Bypass optimization is used.
|
|
||||||
|
|
||||||
- on - Unconditionally disable Speculative Store Bypass
|
|
||||||
- off - Unconditionally enable Speculative Store Bypass
|
|
||||||
- auto - Kernel detects whether the CPU model contains an
|
|
||||||
- implementation of Speculative Store Bypass and
|
|
||||||
- picks the most appropriate mitigation.
|
|
||||||
- prctl - Control Speculative Store Bypass per thread
|
|
||||||
- via prctl. Speculative Store Bypass is enabled
|
|
||||||
- for a process by default. The state of the control
|
|
||||||
- is inherited on fork.
|
|
||||||
+ on - Unconditionally disable Speculative Store Bypass
|
|
||||||
+ off - Unconditionally enable Speculative Store Bypass
|
|
||||||
+ auto - Kernel detects whether the CPU model contains an
|
|
||||||
+ implementation of Speculative Store Bypass and
|
|
||||||
+ picks the most appropriate mitigation. If the
|
|
||||||
+ CPU is not vulnerable, "off" is selected. If the
|
|
||||||
+ CPU is vulnerable the default mitigation is
|
|
||||||
+ architecture and Kconfig dependent. See below.
|
|
||||||
+ prctl - Control Speculative Store Bypass per thread
|
|
||||||
+ via prctl. Speculative Store Bypass is enabled
|
|
||||||
+ for a process by default. The state of the control
|
|
||||||
+ is inherited on fork.
|
|
||||||
+ seccomp - Same as "prctl" above, but all seccomp threads
|
|
||||||
+ will disable SSB unless they explicitly opt out.
|
|
||||||
|
|
||||||
Not specifying this option is equivalent to
|
|
||||||
spec_store_bypass_disable=auto.
|
|
||||||
|
|
||||||
+ Default mitigations:
|
|
||||||
+ X86: If CONFIG_SECCOMP=y "seccomp", otherwise "prctl"
|
|
||||||
+
|
|
||||||
spia_io_base= [HW,MTD]
|
|
||||||
spia_fio_base=
|
|
||||||
spia_pedr=
|
|
||||||
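Review bot: the new "seccomp" entry says seccomp threads will disable SSB "unless they explicitly opt out" but does not say how a thread opts out. Name the mechanism here or point to the document that describes it, so an administrator choosing between "prctl" and "seccomp" can tell what the difference means for existing sandboxes.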
--- a/arch/x86/include/asm/nospec-branch.h
|
|
||||||
+++ b/arch/x86/include/asm/nospec-branch.h
|
|
||||||
@@ -233,6 +233,7 @@ enum ssb_mitigation {
|
|
||||||
SPEC_STORE_BYPASS_NONE,
|
|
||||||
SPEC_STORE_BYPASS_DISABLE,
|
|
||||||
SPEC_STORE_BYPASS_PRCTL,
|
|
||||||
+ SPEC_STORE_BYPASS_SECCOMP,
|
|
||||||
};
|
|
||||||
|
|
||||||
extern char __indirect_thunk_start[];
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -416,22 +416,25 @@ enum ssb_mitigation_cmd {
|
|
||||||
SPEC_STORE_BYPASS_CMD_AUTO,
|
|
||||||
SPEC_STORE_BYPASS_CMD_ON,
|
|
||||||
SPEC_STORE_BYPASS_CMD_PRCTL,
|
|
||||||
+ SPEC_STORE_BYPASS_CMD_SECCOMP,
|
|
||||||
};
|
|
||||||
|
|
||||||
static const char *ssb_strings[] = {
|
|
||||||
[SPEC_STORE_BYPASS_NONE] = "Vulnerable",
|
|
||||||
[SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
|
|
||||||
- [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl"
|
|
||||||
+ [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
|
|
||||||
+ [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
const char *option;
|
|
||||||
enum ssb_mitigation_cmd cmd;
|
|
||||||
} ssb_mitigation_options[] = {
|
|
||||||
- { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
|
|
||||||
- { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
|
|
||||||
- { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
|
|
||||||
- { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
|
|
||||||
+ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
|
|
||||||
+ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
|
|
||||||
+ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
|
|
||||||
+ { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
|
|
||||||
+ { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
|
|
||||||
};
|
|
||||||
|
|
||||||
static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
|
|
||||||
@@ -481,8 +484,15 @@ static enum ssb_mitigation_cmd __init __
|
|
||||||
|
|
||||||
switch (cmd) {
|
|
||||||
case SPEC_STORE_BYPASS_CMD_AUTO:
|
|
||||||
- /* Choose prctl as the default mode */
|
|
||||||
- mode = SPEC_STORE_BYPASS_PRCTL;
|
|
||||||
+ case SPEC_STORE_BYPASS_CMD_SECCOMP:
|
|
||||||
+ /*
|
|
||||||
+ * Choose prctl+seccomp as the default mode if seccomp is
|
|
||||||
+ * enabled.
|
|
||||||
+ */
|
|
||||||
+ if (IS_ENABLED(CONFIG_SECCOMP))
|
|
||||||
+ mode = SPEC_STORE_BYPASS_SECCOMP;
|
|
||||||
+ else
|
|
||||||
+ mode = SPEC_STORE_BYPASS_PRCTL;
|
|
||||||
break;
|
|
||||||
case SPEC_STORE_BYPASS_CMD_ON:
|
|
||||||
mode = SPEC_STORE_BYPASS_DISABLE;
|
|
||||||
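Review bot: SPEC_STORE_BYPASS_CMD_SECCOMP shares its case with SPEC_STORE_BYPASS_CMD_AUTO, so an explicit spec_store_bypass_disable=seccomp on a kernel built without CONFIG_SECCOMP silently becomes SPEC_STORE_BYPASS_PRCTL. For "auto" that fallback is fine, but an explicit request should at least log the downgrade with pr_info or pr_warn. The block comment "as the default mode" also no longer describes the explicit case.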
@@ -530,12 +540,14 @@ static void ssb_select_mitigation()
|
|
||||||
}
|
|
||||||
|
|
||||||
#undef pr_fmt
|
|
||||||
+#define pr_fmt(fmt) "Speculation prctl: " fmt
|
|
||||||
|
|
||||||
static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
|
|
||||||
{
|
|
||||||
bool update;
|
|
||||||
|
|
||||||
- if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
|
|
||||||
+ if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
|
|
||||||
+ ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
|
|
||||||
return -ENXIO;
|
|
||||||
|
|
||||||
switch (ctrl) {
|
|
||||||
@@ -583,7 +595,8 @@ int arch_prctl_spec_ctrl_set(struct task
|
|
||||||
#ifdef CONFIG_SECCOMP
|
|
||||||
void arch_seccomp_spec_mitigate(struct task_struct *task)
|
|
||||||
{
|
|
||||||
- ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
|
|
||||||
+ if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
|
|
||||||
+ ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
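Review bot: with the new `ssb_mode == SPEC_STORE_BYPASS_SECCOMP` guard, arch_seccomp_spec_mitigate() becomes a silent no-op in the other modes, so booting with spec_store_bypass_disable=prctl removes the forced mitigation from every seccomp-confined task. That matches the changelog, but it is a security-relevant difference for sandboxes and the function has no comment. Please add one stating that only the seccomp mode forces PR_SPEC_FORCE_DISABLE here.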
@@ -592,6 +605,7 @@ static int ssb_prctl_get(struct task_str
|
|
||||||
switch (ssb_mode) {
|
|
||||||
case SPEC_STORE_BYPASS_DISABLE:
|
|
||||||
return PR_SPEC_DISABLE;
|
|
||||||
+ case SPEC_STORE_BYPASS_SECCOMP:
|
|
||||||
case SPEC_STORE_BYPASS_PRCTL:
|
|
||||||
if (task_spec_ssb_force_disable(task))
|
|
||||||
return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
|
|
|
@ -1,66 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Date: Thu, 10 May 2018 20:31:44 +0200
|
|
||||||
Subject: x86/speculation: Rework speculative_store_bypass_update()
|
|
||||||
|
|
||||||
From: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
|
|
||||||
commit 0270be3e34efb05a88bc4c422572ece038ef3608 upstream
|
|
||||||
|
|
||||||
The upcoming support for the virtual SPEC_CTRL MSR on AMD needs to reuse
|
|
||||||
speculative_store_bypass_update() to avoid code duplication. Add an
|
|
||||||
argument for supplying a thread info (TIF) value and create a wrapper
|
|
||||||
speculative_store_bypass_update_current() which is used at the existing
|
|
||||||
call site.
|
|
||||||
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/spec-ctrl.h | 7 ++++++-
|
|
||||||
arch/x86/kernel/cpu/bugs.c | 2 +-
|
|
||||||
arch/x86/kernel/process.c | 4 ++--
|
|
||||||
3 files changed, 9 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
+++ b/arch/x86/include/asm/spec-ctrl.h
|
|
||||||
@@ -42,6 +42,11 @@ extern void speculative_store_bypass_ht_
|
|
||||||
static inline void speculative_store_bypass_ht_init(void) { }
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-extern void speculative_store_bypass_update(void);
|
|
||||||
+extern void speculative_store_bypass_update(unsigned long tif);
|
|
||||||
+
|
|
||||||
+static inline void speculative_store_bypass_update_current(void)
|
|
||||||
+{
|
|
||||||
+ speculative_store_bypass_update(current_thread_info()->flags);
|
|
||||||
+}
|
|
||||||
|
|
||||||
#endif
|
|
||||||
--- a/arch/x86/kernel/cpu/bugs.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
||||||
@@ -598,7 +598,7 @@ static int ssb_prctl_set(struct task_str
|
|
||||||
* mitigation until it is next scheduled.
|
|
||||||
*/
|
|
||||||
if (task == current && update)
|
|
||||||
- speculative_store_bypass_update();
|
|
||||||
+ speculative_store_bypass_update_current();
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
--- a/arch/x86/kernel/process.c
|
|
||||||
+++ b/arch/x86/kernel/process.c
|
|
||||||
@@ -414,10 +414,10 @@ static __always_inline void __speculativ
|
|
||||||
intel_set_ssb_state(tifn);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void speculative_store_bypass_update(void)
|
|
||||||
+void speculative_store_bypass_update(unsigned long tif)
|
|
||||||
{
|
|
||||||
preempt_disable();
|
|
||||||
- __speculative_store_bypass_update(current_thread_info()->flags);
|
|
||||||
+ __speculative_store_bypass_update(tif);
|
|
||||||
preempt_enable();
|
|
||||||
}
|
|
||||||
|
|
|
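Review bot: in speculative_store_bypass_update() the flags word used to be read inside the preempt_disable()/preempt_enable() pair and is now an argument, evaluated by the caller before preemption is disabled (the new wrapper passes current_thread_info()->flags). Please document on the function that tif must describe the state to be programmed on the CPU the call ends up running on, or keep the read inside the critical section for the current-task wrapper.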
@ -1,183 +0,0 @@
|
||||||
From foo@baz Mon May 21 21:56:07 CEST 2018
|
|
||||||
From: Borislav Petkov <bp@suse.de>
|
|
||||||
Date: Wed, 2 May 2018 18:15:14 +0200
|
|
||||||
Subject: x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
|
|
||||||
|
|
||||||
From: Borislav Petkov <bp@suse.de>
|
|
||||||
|
|
||||||
commit e7c587da125291db39ddf1f49b18e5970adbac17 upstream
|
|
||||||
|
|
||||||
Intel and AMD have different CPUID bits hence for those use synthetic bits
|
|
||||||
which get set on the respective vendor's in init_speculation_control(). So
|
|
||||||
that debacles like what the commit message of
|
|
||||||
|
|
||||||
c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload")
|
|
||||||
|
|
||||||
talks about don't happen anymore.
|
|
||||||
|
|
||||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
|
||||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
||||||
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
||||||
Tested-by: Jörg Otte <jrg.otte@gmail.com>
|
|
||||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
|
|
||||||
Link: https://lkml.kernel.org/r/20180504161815.GG9257@pd.tnic
|
|
||||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
||||||
---
|
|
||||||
arch/x86/include/asm/cpufeatures.h | 10 ++++++----
|
|
||||||
arch/x86/kernel/cpu/common.c | 14 ++++++++++----
|
|
||||||
arch/x86/kvm/cpuid.c | 10 +++++-----
|
|
||||||
arch/x86/kvm/svm.c | 6 +++---
|
|
||||||
arch/x86/kvm/vmx.c | 9 ++-------
|
|
||||||
5 files changed, 26 insertions(+), 23 deletions(-)
|
|
||||||
|
|
||||||
--- a/arch/x86/include/asm/cpufeatures.h
|
|
||||||
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
||||||
@@ -198,7 +198,6 @@
|
|
||||||
#define X86_FEATURE_CAT_L2 ( 7*32+ 5) /* Cache Allocation Technology L2 */
|
|
||||||
#define X86_FEATURE_CDP_L3 ( 7*32+ 6) /* Code and Data Prioritization L3 */
|
|
||||||
#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 7) /* Effectively INVPCID && CR4.PCIDE=1 */
|
|
||||||
-
|
|
||||||
#define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */
|
|
||||||
#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
|
|
||||||
#define X86_FEATURE_SME ( 7*32+10) /* AMD Secure Memory Encryption */
|
|
||||||
@@ -216,6 +215,9 @@
|
|
||||||
#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
|
|
||||||
#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */
|
|
||||||
#define X86_FEATURE_AMD_SSBD ( 7*32+24) /* "" AMD SSBD implementation */
|
|
||||||
+#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */
|
|
||||||
+#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */
|
|
||||||
+#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
|
|
||||||
|
|
||||||
/* Virtualization flags: Linux defined, word 8 */
|
|
||||||
#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
|
|
||||||
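Review bot: the three added word-7 defines (X86_FEATURE_IBRS, X86_FEATURE_IBPB, X86_FEATURE_STIBP) carry plain comments, while the neighbouring entries start theirs with "". In this header a leading "" keeps a flag out of /proc/cpuinfo, so these synthetic bits become the user-visible names and the renamed AMD_* defines in the later hunk are hidden. The commit message should say so, because anything that reads ibrs/ibpb/stibp from /proc/cpuinfo now depends on init_speculation_control() setting the synthetic bits.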
@@ -276,9 +278,9 @@
|
|
||||||
#define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */
|
|
||||||
#define X86_FEATURE_IRPERF (13*32+ 1) /* Instructions Retired Count */
|
|
||||||
#define X86_FEATURE_XSAVEERPTR (13*32+ 2) /* Always save/restore FP error pointers */
|
|
||||||
-#define X86_FEATURE_IBPB (13*32+12) /* Indirect Branch Prediction Barrier */
|
|
||||||
-#define X86_FEATURE_IBRS (13*32+14) /* Indirect Branch Restricted Speculation */
|
|
||||||
-#define X86_FEATURE_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors */
|
|
||||||
+#define X86_FEATURE_AMD_IBPB (13*32+12) /* "" Indirect Branch Prediction Barrier */
|
|
||||||
+#define X86_FEATURE_AMD_IBRS (13*32+14) /* "" Indirect Branch Restricted Speculation */
|
|
||||||
+#define X86_FEATURE_AMD_STIBP (13*32+15) /* "" Single Thread Indirect Branch Predictors */
|
|
||||||
|
|
||||||
/* Thermal and Power Management Leaf, CPUID level 0x00000006 (EAX), word 14 */
|
|
||||||
#define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */
|
|
||||||
--- a/arch/x86/kernel/cpu/common.c
|
|
||||||
+++ b/arch/x86/kernel/cpu/common.c
|
|
||||||
@@ -757,17 +757,23 @@ static void init_speculation_control(str
|
|
||||||
* and they also have a different bit for STIBP support. Also,
|
|
||||||
* a hypervisor might have set the individual AMD bits even on
|
|
||||||
* Intel CPUs, for finer-grained selection of what's available.
|
|
||||||
- *
|
|
||||||
- * We use the AMD bits in 0x8000_0008 EBX as the generic hardware
|
|
||||||
- * features, which are visible in /proc/cpuinfo and used by the
|
|
||||||
- * kernel. So set those accordingly from the Intel bits.
|
|
||||||
*/
|
|
||||||
if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
|
|
||||||
set_cpu_cap(c, X86_FEATURE_IBRS);
|
|
||||||
set_cpu_cap(c, X86_FEATURE_IBPB);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
|
|
||||||
set_cpu_cap(c, X86_FEATURE_STIBP);
|
|
||||||
+
|
|
||||||
+ if (cpu_has(c, X86_FEATURE_AMD_IBRS))
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_IBRS);
|
|
||||||
+
|
|
||||||
+ if (cpu_has(c, X86_FEATURE_AMD_IBPB))
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_IBPB);
|
|
||||||
+
|
|
||||||
+ if (cpu_has(c, X86_FEATURE_AMD_STIBP))
|
|
||||||
+ set_cpu_cap(c, X86_FEATURE_STIBP);
|
|
||||||
}
|
|
||||||
|
|
||||||
void get_cpu_cap(struct cpuinfo_x86 *c)
|
|
||||||
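Review bot: the hunk deletes the comment paragraph that said which bits the kernel treats as the generic feature flags and puts nothing in its place. Add a sentence above the if chain stating that X86_FEATURE_IBRS, X86_FEATURE_IBPB and X86_FEATURE_STIBP are now synthetic, are set from either the Intel bits (SPEC_CTRL, INTEL_STIBP) or the AMD_* bits, and that the AMD_* bits are not derived from the Intel ones.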
--- a/arch/x86/kvm/cpuid.c
|
|
||||||
+++ b/arch/x86/kvm/cpuid.c
|
|
||||||
@@ -374,7 +374,7 @@ static inline int __do_cpuid_ent(struct
|
|
||||||
|
|
||||||
/* cpuid 0x80000008.ebx */
|
|
||||||
const u32 kvm_cpuid_8000_0008_ebx_x86_features =
|
|
||||||
- F(IBPB) | F(IBRS);
|
|
||||||
+ F(AMD_IBPB) | F(AMD_IBRS);
|
|
||||||
|
|
||||||
/* cpuid 0xC0000001.edx */
|
|
||||||
const u32 kvm_cpuid_C000_0001_edx_x86_features =
|
|
||||||
@@ -643,10 +643,10 @@ static inline int __do_cpuid_ent(struct
|
|
||||||
entry->eax = g_phys_as | (virt_as << 8);
|
|
||||||
entry->edx = 0;
|
|
||||||
/* IBRS and IBPB aren't necessarily present in hardware cpuid */
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_IBPB))
|
|
||||||
- entry->ebx |= F(IBPB);
|
|
||||||
- if (boot_cpu_has(X86_FEATURE_IBRS))
|
|
||||||
- entry->ebx |= F(IBRS);
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_AMD_IBPB))
|
|
||||||
+ entry->ebx |= F(AMD_IBPB);
|
|
||||||
+ if (boot_cpu_has(X86_FEATURE_AMD_IBRS))
|
|
||||||
+ entry->ebx |= F(AMD_IBRS);
|
|
||||||
entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features;
|
|
||||||
cpuid_mask(&entry->ebx, CPUID_8000_0008_EBX);
|
|
||||||
break;
|
|
||||||
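Review bot: the two conditions under the comment "IBRS and IBPB aren't necessarily present in hardware cpuid" now test X86_FEATURE_AMD_IBPB and X86_FEATURE_AMD_IBRS, which after this patch are the hardware 0x80000008 EBX bits themselves. init_speculation_control() in the common.c hunk sets the synthetic IBRS/IBPB from SPEC_CTRL but never sets the AMD_* bits, so on a host that enumerates only SPEC_CTRL these branches do not fire and the guest is not offered the bits. If that is not intended, test the synthetic X86_FEATURE_IBPB and X86_FEATURE_IBRS in the conditions and keep F(AMD_IBPB) and F(AMD_IBRS) as the values OR-ed into entry->ebx.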
--- a/arch/x86/kvm/svm.c
|
|
||||||
+++ b/arch/x86/kvm/svm.c
|
|
||||||
@@ -3959,7 +3959,7 @@ static int svm_get_msr(struct kvm_vcpu *
|
|
||||||
break;
|
|
||||||
case MSR_IA32_SPEC_CTRL:
|
|
||||||
if (!msr_info->host_initiated &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_IBRS))
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
msr_info->data = svm->spec_ctrl;
|
|
||||||
@@ -4057,7 +4057,7 @@ static int svm_set_msr(struct kvm_vcpu *
|
|
||||||
break;
|
|
||||||
case MSR_IA32_SPEC_CTRL:
|
|
||||||
if (!msr->host_initiated &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_IBRS))
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
/* The STIBP bit doesn't fault even if it's not advertised */
|
|
||||||
@@ -4084,7 +4084,7 @@ static int svm_set_msr(struct kvm_vcpu *
|
|
||||||
break;
|
|
||||||
case MSR_IA32_PRED_CMD:
|
|
||||||
if (!msr->host_initiated &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_IBPB))
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBPB))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
if (data & ~PRED_CMD_IBPB)
|
|
||||||
--- a/arch/x86/kvm/vmx.c
|
|
||||||
+++ b/arch/x86/kvm/vmx.c
|
|
||||||
@@ -3269,9 +3269,7 @@ static int vmx_get_msr(struct kvm_vcpu *
|
|
||||||
break;
|
|
||||||
case MSR_IA32_SPEC_CTRL:
|
|
||||||
if (!msr_info->host_initiated &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_SSBD))
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
msr_info->data = to_vmx(vcpu)->spec_ctrl;
|
|
||||||
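Review bot: the MSR_IA32_SPEC_CTRL check drops the X86_FEATURE_SSBD term along with X86_FEATURE_IBRS, so a read that is not host-initiated now returns 1 unless the guest CPUID has SPEC_CTRL. The commit message only talks about IBRS/IBPB/STIBP; please state whether a guest that is given SSBD without SPEC_CTRL is expected to lose access to the MSR. The same question applies to the identical change in the vmx_set_msr() hunk that follows.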
@@ -3391,9 +3389,7 @@ static int vmx_set_msr(struct kvm_vcpu *
|
|
||||||
break;
|
|
||||||
case MSR_IA32_SPEC_CTRL:
|
|
||||||
if (!msr_info->host_initiated &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_SSBD))
|
|
||||||
+ !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
/* The STIBP bit doesn't fault even if it's not advertised */
|
|
||||||
@@ -3423,7 +3419,6 @@ static int vmx_set_msr(struct kvm_vcpu *
|
|
||||||
break;
|
|
||||||
case MSR_IA32_PRED_CMD:
|
|
||||||
if (!msr_info->host_initiated &&
|
|
||||||
- !guest_cpuid_has(vcpu, X86_FEATURE_IBPB) &&
|
|
||||||
!guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
|
|
||||||
return 1;
|
|
||||||
|
|
|
@ -142,55 +142,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
bugfix/all/xfs-enhance-dinode-verifier.patch
|
bugfix/all/xfs-enhance-dinode-verifier.patch
|
||||||
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
|
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
|
||||||
bugfix/x86/ssb/x86-nospec-simplify-alternative_msr_write.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-concentrate-bug-detection-into-a-separate-function.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-concentrate-bug-reporting-into-a-separate-function.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-read-spec_ctrl-msr-during-boot-and-re-use-reserved-bits.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-kvm-support-the-combination-of-guest-and-host-ibrs.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-expose-sys-..-spec_store_bypass.patch
|
|
||||||
bugfix/x86/ssb/x86-cpufeatures-add-x86_feature_rds.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-intel-set-proper-cpu-features-and-setup-rds.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-whitelist-allowed-spec_ctrl-msr-values.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-amd-add-support-to-disable-rds-on-famh-if-requested.patch
|
|
||||||
bugfix/x86/ssb/x86-kvm-vmx-expose-spec_ctrl-bit-2-to-the-guest.patch
|
|
||||||
bugfix/x86/ssb/x86-speculation-create-spec-ctrl.h-to-avoid-include-hell.patch
|
|
||||||
bugfix/x86/ssb/prctl-add-speculation-control-prctls.patch
|
|
||||||
bugfix/x86/ssb/x86-process-allow-runtime-control-of-speculative-store-bypass.patch
|
|
||||||
bugfix/x86/ssb/x86-speculation-add-prctl-for-speculative-store-bypass-mitigation.patch
|
|
||||||
bugfix/x86/ssb/nospec-allow-getting-setting-on-non-current-task.patch
|
|
||||||
bugfix/x86/ssb/proc-provide-details-on-speculation-flaw-mitigations.patch
|
|
||||||
bugfix/x86/ssb/seccomp-enable-speculation-flaw-mitigations.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-make-boot-modes-__ro_after_init.patch
|
|
||||||
bugfix/x86/ssb/prctl-add-force-disable-speculation.patch
|
|
||||||
bugfix/x86/ssb/seccomp-use-pr_spec_force_disable.patch
|
|
||||||
bugfix/x86/ssb/seccomp-add-filter-flag-to-opt-out-of-ssb-mitigation.patch
|
|
||||||
bugfix/x86/ssb/seccomp-move-speculation-migitation-control-to-arch-code.patch
|
|
||||||
bugfix/x86/ssb/x86-speculation-make-seccomp-the-default-mode-for-speculative-store-bypass.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-rename-_rds-to-_ssbd.patch
|
|
||||||
bugfix/x86/ssb/proc-use-underscores-for-ssbd-in-status.patch
|
|
||||||
bugfix/x86/ssb/documentation-spec_ctrl-do-some-minor-cleanups.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-fix-__ssb_select_mitigation-return-type.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-make-cpu_show_common-static.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-fix-the-parameters-alignment-and-missing-void.patch
|
|
||||||
bugfix/x86/ssb/x86-cpu-make-alternative_msr_write-work-for-32-bit-code.patch
|
|
||||||
bugfix/x86/ssb/kvm-svm-move-spec-control-call-after-restore-of-gs.patch
|
|
||||||
bugfix/x86/ssb/x86-speculation-use-synthetic-bits-for-ibrs-ibpb-stibp.patch
|
|
||||||
bugfix/x86/ssb/x86-cpufeatures-disentangle-msr_spec_ctrl-enumeration-from-ibrs.patch
|
|
||||||
bugfix/x86/ssb/x86-cpufeatures-disentangle-ssbd-enumeration.patch
|
|
||||||
bugfix/x86/ssb/x86-cpufeatures-add-feature_zen.patch
|
|
||||||
bugfix/x86/ssb/x86-speculation-handle-ht-correctly-on-amd.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-kvm-extend-speculation-control-for-virt_spec_ctrl.patch
|
|
||||||
bugfix/x86/ssb/x86-speculation-add-virtualized-speculative-store-bypass-disable-support.patch
|
|
||||||
bugfix/x86/ssb/x86-speculation-rework-speculative_store_bypass_update.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-unify-x86_spec_ctrl_-set_guest-restore_host.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-expose-x86_spec_ctrl_base-directly.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-remove-x86_spec_ctrl_set.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-rework-spec_ctrl-base-and-mask-logic.patch
|
|
||||||
bugfix/x86/ssb/x86-speculation-kvm-implement-support-for-virt_spec_ctrl-ls_cfg.patch
|
|
||||||
bugfix/x86/ssb/kvm-svm-implement-virt_spec_ctrl-support-for-ssbd.patch
|
|
||||||
bugfix/x86/ssb/x86-bugs-rename-ssbd_no-to-ssb_no.patch
|
|
||||||
bugfix/x86/ssb/bpf-prevent-memory-disambiguation-attack.patch
|
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||||
|
|
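Review bot: this hunk removes every bugfix/x86/ssb/ entry from the series, 49 in all, ending with bpf-prevent-memory-disambiguation-attack.patch, so after this commit the Speculative Store Bypass mitigation (CVE-2018-3639) is no longer carried by Debian patches. The commit message says only "Revert"; if the series is dropped because the new upstream stable release already contains it, record that in debian/changelog, and check the "commit ... upstream" id in each deleted patch file against the 4.16.11 changelog before merging.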