debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

[x86] Update TAA patch set to v7

This commit is contained in:
Ben Hutchings 2019-10-24 22:51:45 +01:00
parent b2cc5e7f74
commit 537ad2315a
12 changed files with 514 additions and 589 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
debian/changelog vendored
View File

@ -14,7 +14,16 @@ linux (4.19.67-2+deb10u2) UNRELEASED; urgency=medium
- kvm: mmu: ITLB_MULTIHIT mitigation
- kvm: Add helper function for creating VM worker threads
- kvm: x86: mmu: Recovery of shattered NX large pages
* [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135).
* [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
- x86/msr: Add the IA32_TSX_CTRL MSR
- x86/cpu: Add a helper function x86_read_arch_cap_msr()
- x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
- x86/speculation/taa: Add mitigation for TSX Async Abort
- x86/speculation/taa: Add sysfs reporting for TSX Async Abort
- kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
- x86/tsx: Add "auto" option to the tsx= cmdline parameter
- x86/speculation/taa: Add documentation for TSX Async Abort
- x86/tsx: Add config options to set tsx=on|off|auto
TSX is now disabled by default; see
Documentation/admin-guide/hw-vuln/tsx_async_abort.rst

39
debian/patches/bugfix/x86/taa/0013-TAAv6-1.patch → debian/patches/bugfix/x86/taa/0013-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch vendored
View File

@ -1,15 +1,17 @@
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:22:56 -0700
Subject: TAAv6 1
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 23 Oct 2019 10:45:50 +0200
Subject: x86/msr: Add the IA32_TSX_CTRL MSR
Transactional Synchronization Extensions (TSX) may be used on certain
processors as part of a speculative side channel attack. A microcode
update for existing processors that are vulnerable to this attack will
add a new MSR, IA32_TSX_CTRL to allow the system administrator the
option to disable TSX as one of the possible mitigations. [Note that
future processors that are not vulnerable will also support the
IA32_TSX_CTRL MSR]. Add defines for the new IA32_TSX_CTRL MSR and its
bits.
add a new MSR - IA32_TSX_CTRL to allow the system administrator the
option to disable TSX as one of the possible mitigations.
[ Note that future processors that are not vulnerable will also
support the IA32_TSX_CTRL MSR. ]
Add defines for the new IA32_TSX_CTRL MSR and its bits.
TSX has two sub-features:
@ -23,27 +25,34 @@ IA32_TSX_CTRL MSR.
There are two control bits in IA32_TSX_CTRL MSR:
Bit 0: When set it disables the Restricted Transactional Memory (RTM)
Bit 0: When set, it disables the Restricted Transactional Memory (RTM)
sub-feature of TSX (will force all transactions to abort on the
XBEGIN instruction).
Bit 1: When set it disables the enumeration of the RTM and HLE feature
Bit 1: When set, it disables the enumeration of the RTM and HLE feature
(i.e. it will make CPUID(EAX=7).EBX{bit4} and
CPUID(EAX=7).EBX{bit11} read as 0).
CPUID(EAX=7).EBX{bit11} read as 0).
The other TSX sub-feature, Hardware Lock Elision (HLE), is unconditionally
disabled but still enumerated as present by CPUID(EAX=7).EBX{bit4}.
The other TSX sub-feature, Hardware Lock Elision (HLE), is
unconditionally disabled but still enumerated as present by
CPUID(EAX=7).EBX{bit4}.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Mark Gross <mgross@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
---
arch/x86/include/asm/msr-index.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index f58e6921cbf7..f45ca8aad98f 100644
index f58e6921cbf7..da7887a9f314 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -91,6 +91,7 @@
@ -59,7 +68,7 @@ index f58e6921cbf7..f45ca8aad98f 100644
#define MSR_IA32_BBL_CR_CTL3 0x0000011e
+#define MSR_IA32_TSX_CTRL 0x00000122
+#define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM fxeature */
+#define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */
+#define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */
+
#define MSR_IA32_SYSENTER_CS 0x00000174

16
debian/patches/bugfix/x86/taa/0014-TAAv6-2.patch → debian/patches/bugfix/x86/taa/0014-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch vendored
View File

@ -1,14 +1,20 @@
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:23:56 -0700
Subject: TAAv6 2
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 23 Oct 2019 10:52:35 +0200
Subject: x86/cpu: Add a helper function x86_read_arch_cap_msr()
Add a helper function to read IA32_ARCH_CAPABILITIES MSR. If the CPU
doesn't support this MSR return 0.
Add a helper function to read the IA32_ARCH_CAPABILITIES MSR.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Mark Gross <mgross@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
[bwh: Forward-ported on top of NX: Fix conflict (neighbouring changes)
in arch/x86/kernel/cpu/common.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

59
debian/patches/bugfix/x86/taa/0015-TAAv6-3.patch → debian/patches/bugfix/x86/taa/0015-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch vendored
View File

@ -1,17 +1,40 @@
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:24:56 -0700
Subject: TAAv6 3
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 23 Oct 2019 11:01:53 +0200
Subject: x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
Add kernel cmdline parameter "tsx" to control the Transactional
Synchronization Extensions (TSX) feature. On CPUs that support TSX
control, use "tsx=on|off" to enable or disable TSX. Not specifying this
Add a kernel cmdline parameter "tsx" to control the Transactional
Synchronization Extensions (TSX) feature. On CPUs that support TSX
control, use "tsx=on|off" to enable or disable TSX. Not specifying this
option is equivalent to "tsx=off". This is because on certain processors
TSX may be used as a part of a speculative side channel attack.
Carve out the TSX controlling functionality into a separate compilation
unit because TSX is a CPU feature while the TSX async abort control
machinery will go to cpu/bugs.c.
[ bp: Massage, shorten and clear the arg buffer. ]
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Reviewed-by: Mark Gross <mgross@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Babu Moger <Babu.Moger@amd.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: linux-doc@vger.kernel.org
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Cc: Rahul Tanwar <rahul.tanwar@linux.intel.com>
Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
Cc: Zhao Yakui <yakui.zhao@intel.com>
[bwh: Backported to 4.19: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
@ -20,8 +43,8 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
arch/x86/kernel/cpu/common.c | 2 +
arch/x86/kernel/cpu/cpu.h | 18 +++
arch/x86/kernel/cpu/intel.c | 5 +
arch/x86/kernel/cpu/tsx.c | 115 ++++++++++++++++++
6 files changed, 152 insertions(+), 1 deletion(-)
arch/x86/kernel/cpu/tsx.c | 119 ++++++++++++++++++
6 files changed, 156 insertions(+), 1 deletion(-)
create mode 100644 arch/x86/kernel/cpu/tsx.c
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
@ -124,10 +147,10 @@ index fc3c07fe7df5..a5287b18a63f 100644
#ifdef CONFIG_X86_32
diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
new file mode 100644
index 000000000000..e39b33b7cef8
index 000000000000..e5933ef50add
--- /dev/null
+++ b/arch/x86/kernel/cpu/tsx.c
@@ -0,0 +1,115 @@
@@ -0,0 +1,119 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Intel Transactional Synchronization Extensions (TSX) control.
@ -138,7 +161,6 @@ index 000000000000..e39b33b7cef8
+ * Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+ */
+
+#include <linux/processor.h>
+#include <linux/cpufeature.h>
+
+#include <asm/cmdline.h>
@ -155,6 +177,7 @@ index 000000000000..e39b33b7cef8
+
+ /* Force all transactions to immediately abort */
+ tsx |= TSX_CTRL_RTM_DISABLE;
+
+ /*
+ * Ensure TSX support is not enumerated in CPUID.
+ * This is visible to userspace and will ensure they
@ -174,6 +197,7 @@ index 000000000000..e39b33b7cef8
+
+ /* Enable the RTM feature in the cpu */
+ tsx &= ~TSX_CTRL_RTM_DISABLE;
+
+ /*
+ * Ensure TSX support is enumerated in CPUID.
+ * This is visible to userspace and will ensure they
@ -198,7 +222,7 @@ index 000000000000..e39b33b7cef8
+
+void __init tsx_init(void)
+{
+ char arg[20];
+ char arg[4] = {};
+ int ret;
+
+ if (!tsx_ctrl_is_supported())
@ -212,7 +236,7 @@ index 000000000000..e39b33b7cef8
+ tsx_ctrl_state = TSX_CTRL_DISABLE;
+ } else {
+ tsx_ctrl_state = TSX_CTRL_DISABLE;
+ pr_info("tsx: invalid option, defaulting to off\n");
+ pr_err("tsx: invalid option, defaulting to off\n");
+ }
+ } else {
+ /* tsx= not provided, defaulting to off */
@ -221,6 +245,7 @@ index 000000000000..e39b33b7cef8
+
+ if (tsx_ctrl_state == TSX_CTRL_DISABLE) {
+ tsx_disable();
+
+ /*
+ * tsx_disable() will change the state of the
+ * RTM CPUID bit. Clear it here since it is now
@ -228,6 +253,7 @@ index 000000000000..e39b33b7cef8
+ */
+ setup_clear_cpu_cap(X86_FEATURE_RTM);
+ } else if (tsx_ctrl_state == TSX_CTRL_ENABLE) {
+
+ /*
+ * HW defaults TSX to be enabled at bootup.
+ * We may still need the TSX enable support
@ -235,6 +261,7 @@ index 000000000000..e39b33b7cef8
+ * kexec after TSX is disabled.
+ */
+ tsx_enable();
+
+ /*
+ * tsx_enable() will change the state of the
+ * RTM CPUID bit. Force it here since it is now

169
debian/patches/bugfix/x86/taa/0016-TAAv6-4.patch → debian/patches/bugfix/x86/taa/0016-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch vendored
View File

@ -1,29 +1,33 @@
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:25:56 -0700
Subject: TAAv6 4
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 23 Oct 2019 11:30:45 +0200
Subject: x86/speculation/taa: Add mitigation for TSX Async Abort
TSX Async Abort (TAA) is a side channel vulnerability to the internal
buffers in some Intel processors similar to Microachitectural Data
Sampling (MDS). In this case certain loads may speculatively pass
Sampling (MDS). In this case, certain loads may speculatively pass
invalid data to dependent operations when an asynchronous abort
condition is pending in a TSX transaction. This includes loads with no
fault or assist condition. Such loads may speculatively expose stale
data from the uarch data structures as in MDS. Scope of exposure is
within the same-thread and cross-thread. This issue affects all current
processors that support TSX, but do not have ARCH_CAP_TAA_NO (bit 8) set
in MSR_IA32_ARCH_CAPABILITIES.
condition is pending in a TSX transaction.
This includes loads with no fault or assist condition. Such loads may
speculatively expose stale data from the uarch data structures as in
MDS. Scope of exposure is within the same-thread and cross-thread. This
issue affects all current processors that support TSX, but do not have
ARCH_CAP_TAA_NO (bit 8) set in MSR_IA32_ARCH_CAPABILITIES.
On CPUs which have their IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0,
CPUID.MD_CLEAR=1 and the MDS mitigation is clearing the CPU buffers
using VERW or L1D_FLUSH, there is no additional mitigation needed for
TAA.
TAA. On affected CPUs with MDS_NO=1 this issue can be mitigated by
disabling the Transactional Synchronization Extensions (TSX) feature.
On affected CPUs with MDS_NO=1 this issue can be mitigated by disabling
Transactional Synchronization Extensions (TSX) feature. A new MSR
IA32_TSX_CTRL in future and current processors after a microcode update
can be used to control TSX feature. TSX_CTRL_RTM_DISABLE bit disables
the TSX sub-feature Restricted Transactional Memory (RTM).
TSX_CTRL_CPUID_CLEAR bit clears the RTM enumeration in CPUID. The other
A new MSR IA32_TSX_CTRL in future and current processors after a
microcode update can be used to control the TSX feature. There are two
bits in that MSR:
* TSX_CTRL_RTM_DISABLE disables the TSX sub-feature Restricted
Transactional Memory (RTM).
* TSX_CTRL_CPUID_CLEAR clears the RTM enumeration in CPUID. The other
TSX sub-feature, Hardware Lock Elision (HLE), is unconditionally
disabled with updated microcode but still enumerated as present by
CPUID(EAX=7).EBX{bit4}.
@ -32,17 +36,36 @@ The second mitigation approach is similar to MDS which is clearing the
affected CPU buffers on return to user space and when entering a guest.
Relevant microcode update is required for the mitigation to work. More
details on this approach can be found here:
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
TSX feature can be controlled by the "tsx" command line parameter. If
the TSX feature is forced to be enabled then "Clear CPU buffers" (MDS
mitigation) is deployed. The effective mitigation state can be read from
sysfs.
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
The TSX feature can be controlled by the "tsx" command line parameter.
If it is force-enabled then "Clear CPU buffers" (MDS mitigation) is
deployed. The effective mitigation state can be read from sysfs.
[ bp:
- massage + comments cleanup
- s/TAA_MITIGATION_TSX_DISABLE/TAA_MITIGATION_TSX_DISABLED/g - Josh.
- remove partial TAA mitigation in update_mds_branch_idle() - Josh.
- s/tsx_async_abort_cmdline/tsx_async_abort_parse_cmdline/g
]
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Reviewed-by: Mark Gross <mgross@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Thomas Lendacky <Thomas.Lendacky@amd.com>
Cc: x86-ml <x86@kernel.org>
[bwh: Forward-ported on top of NX: Renumber bug bit after
X86_BUG_ITLB_MULTIHIT]
[bwh: Backported to 4.19: Add #include "cpu.h" in bugs.c]
@ -52,9 +75,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
arch/x86/include/asm/msr-index.h | 4 +
arch/x86/include/asm/nospec-branch.h | 4 +-
arch/x86/include/asm/processor.h | 7 ++
arch/x86/kernel/cpu/bugs.c | 129 ++++++++++++++++++++++++++-
arch/x86/kernel/cpu/bugs.c | 112 +++++++++++++++++++++++++++
arch/x86/kernel/cpu/common.c | 15 ++++
6 files changed, 156 insertions(+), 4 deletions(-)
6 files changed, 141 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index ccad4f183400..5a2eecfed727 100644
@ -68,7 +91,7 @@ index ccad4f183400..5a2eecfed727 100644
#endif /* _ASM_X86_CPUFEATURES_H */
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index f45ca8aad98f..6d17eb64cc69 100644
index da7887a9f314..0f4feee6d082 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -92,6 +92,10 @@
@ -105,7 +128,7 @@ index 28cb2b31527a..09c7466c4880 100644
* Clear CPU buffers if the corresponding static key is enabled
*/
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index b54f25697beb..4a163f33a07d 100644
index b54f25697beb..efb44bd3a714 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -1003,4 +1003,11 @@ enum mds_mitigations {
@ -116,12 +139,12 @@ index b54f25697beb..4a163f33a07d 100644
+ TAA_MITIGATION_OFF,
+ TAA_MITIGATION_UCODE_NEEDED,
+ TAA_MITIGATION_VERW,
+ TAA_MITIGATION_TSX_DISABLE,
+ TAA_MITIGATION_TSX_DISABLED,
+};
+
#endif /* _ASM_X86_PROCESSOR_H */
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 1e764992fa64..841f106a277a 100644
index 1e764992fa64..828b2fe4bc0a 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -32,11 +32,14 @@
@ -147,7 +170,7 @@ index 1e764992fa64..841f106a277a 100644
arch_smt_update();
@@ -266,6 +270,110 @@ static int __init mds_cmdline(char *str)
@@ -266,6 +270,100 @@ static int __init mds_cmdline(char *str)
}
early_param("mds", mds_cmdline);
@ -162,44 +185,32 @@ index 1e764992fa64..841f106a277a 100644
+ [TAA_MITIGATION_OFF] = "Vulnerable",
+ [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
+ [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
+ [TAA_MITIGATION_TSX_DISABLE] = "Mitigation: TSX disabled",
+ [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled",
+};
+
+static void __init taa_select_mitigation(void)
+{
+ u64 ia32_cap = x86_read_arch_cap_msr();
+ u64 ia32_cap;
+
+ if (!boot_cpu_has_bug(X86_BUG_TAA)) {
+ taa_mitigation = TAA_MITIGATION_OFF;
+ return;
+ }
+
+ /*
+ * As X86_BUG_TAA=1, TSX feature is supported by the hardware. If
+ * TSX was disabled (X86_FEATURE_RTM=0) earlier during tsx_init().
+ * Select TSX_DISABLE as mitigation.
+ *
+ * This check is ahead of mitigations=off and tsx_async_abort=off
+ * because when TSX is disabled mitigation is already in place. This
+ * ensures sysfs doesn't show "Vulnerable" when TSX is disabled.
+ */
+ /* TSX previously disabled by tsx=off */
+ if (!boot_cpu_has(X86_FEATURE_RTM)) {
+ taa_mitigation = TAA_MITIGATION_TSX_DISABLE;
+ pr_info("%s\n", taa_strings[taa_mitigation]);
+ return;
+ taa_mitigation = TAA_MITIGATION_TSX_DISABLED;
+ goto out;
+ }
+
+ /* All mitigations turned off from cmdline (mitigations=off) */
+ if (cpu_mitigations_off()) {
+ taa_mitigation = TAA_MITIGATION_OFF;
+ return;
+ }
+
+ /* TAA mitigation is turned off from cmdline (tsx_async_abort=off) */
+ if (taa_mitigation == TAA_MITIGATION_OFF) {
+ pr_info("%s\n", taa_strings[taa_mitigation]);
+ return;
+ }
+ /* TAA mitigation is turned off on the cmdline (tsx_async_abort=off) */
+ if (taa_mitigation == TAA_MITIGATION_OFF)
+ goto out;
+
+ if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
+ taa_mitigation = TAA_MITIGATION_VERW;
@ -208,20 +219,21 @@ index 1e764992fa64..841f106a277a 100644
+
+ /*
+ * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
+ * A microcode update fixes this behavior to clear CPU buffers.
+ * Microcode update also adds support for MSR_IA32_TSX_CTRL which
+ * is enumerated by ARCH_CAP_TSX_CTRL_MSR bit.
+ * A microcode update fixes this behavior to clear CPU buffers. It also
+ * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
+ * ARCH_CAP_TSX_CTRL_MSR bit.
+ *
+ * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
+ * update is required.
+ */
+ if ((ia32_cap & ARCH_CAP_MDS_NO) &&
+ ia32_cap = x86_read_arch_cap_msr();
+ if ( (ia32_cap & ARCH_CAP_MDS_NO) &&
+ !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR))
+ taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
+
+ /*
+ * TSX is enabled, select alternate mitigation for TAA which is
+ * same as MDS. Enable MDS static branch to clear CPU buffers.
+ * the same as MDS. Enable MDS static branch to clear CPU buffers.
+ *
+ * For guests that can't determine whether the correct microcode is
+ * present on host, enable the mitigation for UCODE_NEEDED as well.
@ -231,10 +243,11 @@ index 1e764992fa64..841f106a277a 100644
+ if (taa_nosmt || cpu_mitigations_auto_nosmt())
+ cpu_smt_disable(false);
+
+out:
+ pr_info("%s\n", taa_strings[taa_mitigation]);
+}
+
+static int __init tsx_async_abort_cmdline(char *str)
+static int __init tsx_async_abort_parse_cmdline(char *str)
+{
+ if (!boot_cpu_has_bug(X86_BUG_TAA))
+ return 0;
@ -253,34 +266,12 @@ index 1e764992fa64..841f106a277a 100644
+
+ return 0;
+}
+early_param("tsx_async_abort", tsx_async_abort_cmdline);
+early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
+
#undef pr_fmt
#define pr_fmt(fmt) "Spectre V1 : " fmt
@@ -751,7 +859,7 @@ static void update_indir_branch_cond(void)
#undef pr_fmt
#define pr_fmt(fmt) fmt
-/* Update the static key controlling the MDS CPU buffer clear in idle */
+/* Update the static key controlling the MDS and TAA CPU buffer clear in idle */
static void update_mds_branch_idle(void)
{
/*
@@ -761,8 +869,11 @@ static void update_mds_branch_idle(void)
* The other variants cannot be mitigated when SMT is enabled, so
* clearing the buffers on idle just to prevent the Store Buffer
* repartitioning leak would be a window dressing exercise.
+ *
+ * Apply idle buffer clearing to TAA affected CPUs also.
*/
- if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY))
+ if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY) &&
+ !boot_cpu_has_bug(X86_BUG_TAA))
return;
if (sched_smt_active())
@@ -772,6 +883,7 @@ static void update_mds_branch_idle(void)
@@ -772,6 +870,7 @@ static void update_mds_branch_idle(void)
}
#define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
@ -288,7 +279,7 @@ index 1e764992fa64..841f106a277a 100644
void arch_smt_update(void)
{
@@ -804,6 +916,19 @@ void arch_smt_update(void)
@@ -804,6 +903,19 @@ void arch_smt_update(void)
break;
}
@ -300,7 +291,7 @@ index 1e764992fa64..841f106a277a 100644
+ /* TSX is enabled, apply MDS idle buffer clearing. */
+ update_mds_branch_idle();
+ break;
+ case TAA_MITIGATION_TSX_DISABLE:
+ case TAA_MITIGATION_TSX_DISABLED:
+ case TAA_MITIGATION_OFF:
+ break;
+ }
@ -309,7 +300,7 @@ index 1e764992fa64..841f106a277a 100644
}
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 5f89d78fe132..394bcb0403c9 100644
index 5f89d78fe132..de1e552c9705 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1058,6 +1058,21 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
@ -317,17 +308,17 @@ index 5f89d78fe132..394bcb0403c9 100644
setup_force_cpu_bug(X86_BUG_SWAPGS);
+ /*
+ * When processor is not mitigated for TAA (TAA_NO=0) set TAA bug when:
+ * When the CPU is not mitigated for TAA (TAA_NO=0) set TAA bug when:
+ * - TSX is supported or
+ * - TSX_CTRL is supported
+ * - TSX_CTRL is present
+ *
+ * TSX_CTRL check is needed for cases when TSX could be disabled before
+ * the kernel boot e.g. kexec
+ * the kernel boot e.g. kexec.
+ * TSX_CTRL check alone is not sufficient for cases when the microcode
+ * update is not present or running as guest that don't get TSX_CTRL.
+ */
+ if (!(ia32_cap & ARCH_CAP_TAA_NO) &&
+ (boot_cpu_has(X86_FEATURE_RTM) ||
+ (cpu_has(c, X86_FEATURE_RTM) ||
+ (ia32_cap & ARCH_CAP_TSX_CTRL_MSR)))
+ setup_force_cpu_bug(X86_BUG_TAA);
+

27
debian/patches/bugfix/x86/taa/0017-TAAv6-5.patch → debian/patches/bugfix/x86/taa/0017-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch vendored
View File

@ -1,18 +1,27 @@
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:26:56 -0700
Subject: TAAv6 5
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 23 Oct 2019 12:19:51 +0200
Subject: x86/speculation/taa: Add sysfs reporting for TSX Async Abort
Add the sysfs reporting file for TSX Async Abort. It exposes the
vulnerability and the mitigation state similar to the existing files for
the other hardware vulnerabilities.
sysfs file path is:
Sysfs file path is:
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Mark Gross <mgross@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
[bwh: Forward-ported on top of NX: Fix conflicts (neighbouring
insertions) in arch/x86/kernel/cpu/bugs.c, drivers/base/cpu.c,
include/linux/cpu.h]
@ -24,16 +33,16 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
3 files changed, 35 insertions(+)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 841f106a277a..c435bc5dc19b 100644
index 828b2fe4bc0a..1ed43b858c52 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1439,6 +1439,21 @@ static ssize_t mds_show_state(char *buf)
@@ -1426,6 +1426,21 @@ static ssize_t mds_show_state(char *buf)
sched_smt_active() ? "vulnerable" : "disabled");
}
+static ssize_t tsx_async_abort_show_state(char *buf)
+{
+ if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLE) ||
+ if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
+ (taa_mitigation == TAA_MITIGATION_OFF))
+ return sprintf(buf, "%s\n", taa_strings[taa_mitigation]);
+
@ -49,7 +58,7 @@ index 841f106a277a..c435bc5dc19b 100644
static char *stibp_state(void)
{
if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
@@ -1510,6 +1525,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
@@ -1497,6 +1512,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
case X86_BUG_ITLB_MULTIHIT:
return itlb_multihit_show_state(buf);
@ -59,7 +68,7 @@ index 841f106a277a..c435bc5dc19b 100644
default:
break;
}
@@ -1551,4 +1569,9 @@ ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr
@@ -1538,4 +1556,9 @@ ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr
{
return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
}

36
debian/patches/bugfix/x86/taa/0018-TAAv6-6.patch → debian/patches/bugfix/x86/taa/0018-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch vendored
View File

@ -1,12 +1,12 @@
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:27:56 -0700
Subject: TAAv6 6
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 23 Oct 2019 12:23:33 +0200
Subject: kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
Export IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX Async
Abort(TAA) affected hosts that have TSX enabled and updated microcode.
This is required so that the guests don't complain,
Export the IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX
Async Abort(TAA) affected hosts that have TSX enabled and updated
microcode. This is required so that the guests don't complain,
"Vulnerable: Clear CPU buffers attempted, no microcode"
"Vulnerable: Clear CPU buffers attempted, no microcode"
when the host has the updated microcode to clear CPU buffers.
@ -16,29 +16,39 @@ Guests can't do this check themselves when the ARCH_CAP_TSX_CTRL bit is
not exported to the guests.
In this case export MDS_NO=0 to the guests. When guests have
CPUID.MD_CLEAR=1 guests deploy MDS mitigation which also mitigates TAA.
CPUID.MD_CLEAR=1, they deploy MDS mitigation which also mitigates TAA.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: kvm ML <kvm@vger.kernel.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krcmar" <rkrcmar@redhat.com>
Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
---
arch/x86/kvm/x86.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 1ecadf51f154..5ccf79739b2b 100644
index da688e726632..c68ee8d1ef8c 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1143,6 +1143,25 @@ u64 kvm_get_arch_capabilities(void)
@@ -1151,6 +1151,25 @@ u64 kvm_get_arch_capabilities(void)
if (l1tf_vmx_mitigation != VMENTER_L1D_FLUSH_NEVER)
data |= ARCH_CAP_SKIP_VMENTRY_L1DFLUSH;
+ /*
+ * On TAA affected systems, export MDS_NO=0 when:
+ * - TSX is enabled on host, i.e. X86_FEATURE_RTM=1.
+ * - TSX is enabled on the host, i.e. X86_FEATURE_RTM=1.
+ * - Updated microcode is present. This is detected by
+ * the presence of ARCH_CAP_TSX_CTRL_MSR. This ensures
+ * VERW clears CPU buffers.
+ * the presence of ARCH_CAP_TSX_CTRL_MSR and ensures
+ * that VERW clears CPU buffers.
+ *
+ * When MDS_NO=0 is exported, guests deploy clear CPU buffer
+ * mitigation and don't complain:

45
debian/patches/bugfix/x86/taa/0019-TAAv6-7.patch → debian/patches/bugfix/x86/taa/0019-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch vendored
View File

@ -1,6 +1,6 @@
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:28:56 -0700
Subject: TAAv6 7
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 23 Oct 2019 12:28:57 +0200
Subject: x86/tsx: Add "auto" option to the tsx= cmdline parameter
Platforms which are not affected by X86_BUG_TAA may want the TSX feature
enabled. Add "auto" option to the TSX cmdline parameter. When tsx=auto
@ -9,16 +9,30 @@ disable TSX when X86_BUG_TAA is present, otherwise enable TSX.
More details on X86_BUG_TAA can be found here:
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
[ bp: Extend the arg buffer to accommodate "auto\0". ]
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Paul E. McKenney" <paulmck@linux.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: linux-doc@vger.kernel.org
Cc: Mark Gross <mgross@linux.intel.com>
Cc: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
---
Documentation/admin-guide/kernel-parameters.txt | 5 +++++
arch/x86/kernel/cpu/tsx.c | 5 +++++
2 files changed, 10 insertions(+)
arch/x86/kernel/cpu/tsx.c | 7 ++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index f03756d2addb..dffdd4d86f4b 100644
index f03756d2addb..e6a58cbbfab8 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4715,6 +4715,11 @@
@ -28,16 +42,25 @@ index f03756d2addb..dffdd4d86f4b 100644
+ auto - Disable TSX if X86_BUG_TAA is present,
+ otherwise enable TSX on the system.
+
+ More details on X86_BUG_TAA are here:
+ More details on X86_BUG_TAA here:
+ Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
Not specifying this option is equivalent to tsx=off.
diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
index e39b33b7cef8..e93abe6f0bb9 100644
index e5933ef50add..89ab91eacd4f 100644
--- a/arch/x86/kernel/cpu/tsx.c
+++ b/arch/x86/kernel/cpu/tsx.c
@@ -80,6 +80,11 @@ void __init tsx_init(void)
@@ -69,7 +69,7 @@ static bool __init tsx_ctrl_is_supported(void)
void __init tsx_init(void)
{
- char arg[4] = {};
+ char arg[5] = {};
int ret;
if (!tsx_ctrl_is_supported())
@@ -81,6 +81,11 @@ void __init tsx_init(void)
tsx_ctrl_state = TSX_CTRL_ENABLE;
} else if (!strcmp(arg, "off")) {
tsx_ctrl_state = TSX_CTRL_DISABLE;
@ -48,4 +71,4 @@ index e39b33b7cef8..e93abe6f0bb9 100644
+ tsx_ctrl_state = TSX_CTRL_ENABLE;
} else {
tsx_ctrl_state = TSX_CTRL_DISABLE;
pr_info("tsx: invalid option, defaulting to off\n");
pr_err("tsx: invalid option, defaulting to off\n");

164
debian/patches/bugfix/x86/taa/0020-TAAv6-8.patch → debian/patches/bugfix/x86/taa/0020-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch vendored
View File

@ -1,16 +1,29 @@
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:29:57 -0700
Subject: TAAv6 8
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 23 Oct 2019 12:32:55 +0200
Subject: x86/speculation/taa: Add documentation for TSX Async Abort
Add the documenation for TSX Async Abort. Include the description of
the issue, how to check the mitigation state, control the mitigation,
guidance for system administrators.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
[ bp: Add proper SPDX tags, touch ups. ]
Co-developed-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Mark Gross <mgross@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: linux-doc@vger.kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
[bwh: Forward-ported on top of NX: Fix conflict (neighbouring
insertions) in Documentation/ABI/testing/sysfs-devices-system-cpu]
[bwh: Backported to 4.19: adjust context]
@ -18,11 +31,11 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
.../ABI/testing/sysfs-devices-system-cpu | 1 +
Documentation/admin-guide/hw-vuln/index.rst | 1 +
.../admin-guide/hw-vuln/tsx_async_abort.rst | 240 ++++++++++++++++++
.../admin-guide/hw-vuln/tsx_async_abort.rst | 256 ++++++++++++++++++
.../admin-guide/kernel-parameters.txt | 36 +++
Documentation/x86/index.rst | 1 +
Documentation/x86/tsx_async_abort.rst | 54 ++++
6 files changed, 333 insertions(+)
Documentation/x86/tsx_async_abort.rst | 117 ++++++++
6 files changed, 412 insertions(+)
create mode 100644 Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
create mode 100644 Documentation/x86/tsx_async_abort.rst
@ -45,7 +58,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+ tsx_async_abort
--- /dev/null
+++ b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
@@ -0,0 +1,240 @@
@@ -0,0 +1,256 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+TAA - TSX Asynchronous Abort
+======================================
+
@ -59,7 +74,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+This vulnerability only affects Intel processors that support Intel
+Transactional Synchronization Extensions (TSX) when the TAA_NO bit (bit 8)
+is 0 in the IA32_ARCH_CAPABILITIES MSR. On processors where the MDS_NO bit
+(bit 5)is 0 in the IA32_ARCH_CAPABILITIES MSR, the existing MDS mitigations
+(bit 5) is 0 in the IA32_ARCH_CAPABILITIES MSR, the existing MDS mitigations
+also mitigate against TAA.
+
+Whether a processor is affected or not can be read out from the TAA
@ -81,13 +96,13 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Problem
+-------
+
+When performing store, load, L1 refill operations, processors write data into
+temporary microarchitectural structures (buffers). The data in the buffer can
+be forwarded to load operations as an optimization.
+When performing store, load or L1 refill operations, processors write
+data into temporary microarchitectural structures (buffers). The data in
+those buffers can be forwarded to load operations as an optimization.
+
+Intel TSX are an extension to the x86 instruction set architecture that adds
+Intel TSX is an extension to the x86 instruction set architecture that adds
+hardware transactional memory support to improve performance of multi-threaded
+software. TSX lets the processor expose and exploit concurrence hidden in an
+software. TSX lets the processor expose and exploit concurrency hidden in an
+application due to dynamically avoiding unnecessary synchronization.
+
+TSX supports atomic memory transactions that are either committed (success) or
@ -108,8 +123,8 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+attacker needs to begin a TSX transaction and raise an asynchronous abort
+to try to leak some of data stored in the buffers.
+
+Deeper technical information is available in the TAA specific x86 architecture
+section: :ref:`Documentation/x86/tsx_async_abort.rst <tsx_async_abort>`.
+More detailed technical information is available in the TAA specific x86
+architecture section: :ref:`Documentation/x86/tsx_async_abort.rst <tsx_async_abort>`.
+
+
+Attack scenarios
@ -180,8 +195,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+
+
+The mitigation can be controlled at boot time via a kernel command line option.
+See :ref:`taa_mitigation_control_command_line`. It also provides a sysfs
+interface. See :ref:`taa_mitigation_sysfs`.
+See :ref:`taa_mitigation_control_command_line`.
+
+.. _virt_mechanism:
+
@ -254,6 +268,21 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+buffers. For platforms without TSX control "tsx" command line argument has no
+effect.
+
+For the affected platforms below table indicates the mitigation status for the
+combinations of CPUID bit MD_CLEAR and IA32_ARCH_CAPABILITIES MSR bits MDS_NO
+and TSX_CTRL_MSR.
+
+ ======= ========= ============= ========================================
+ MDS_NO MD_CLEAR TSX_CTRL_MSR Status
+ ======= ========= ============= ========================================
+ 0 0 0 Vulnerable (needs ucode)
+ 0 1 0 MDS and TAA mitigated via VERW
+ 1 1 0 MDS fixed, TAA vulnerable if TSX enabled
+ because MD_CLEAR has no meaning and
+ VERW is not guaranteed to clear buffers
+ 1 X 1 MDS fixed, TAA can be mitigated by
+ VERW or TSX_CTRL_MSR
+ ======= ========= ============= ========================================
+
+Mitigation selection guide
+--------------------------
@ -285,7 +314,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+
+The kernel's default action for vulnerable processors is:
+
+ - Deploy TSX disable mitigation (tsx_async_abort=full).
+ - Deploy TSX disable mitigation (tsx_async_abort=full tsx=off).
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2538,6 +2538,7 @@
@ -304,9 +333,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mminit_loglevel=
[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
@@ -4528,6 +4530,40 @@
neutralize any effect of /proc/sys/kernel/sysrq.
Useful for debugging.
@@ -4718,6 +4720,40 @@
Not specifying this option is equivalent to tsx=off.
+ tsx_async_abort= [X86,INTEL] Control mitigation for the TSX Async
+ Abort (TAA) vulnerability.
@ -342,9 +371,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+ For details see:
+ Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+
tcpmhash_entries= [KNL,NET]
Set the number of tcp_metrics_hash slots.
Default value is 8192 or 16384 depending on total
turbografx.map[2|3]= [HW,JOY]
TurboGraFX parallel port interface
Format:
--- a/Documentation/x86/index.rst
+++ b/Documentation/x86/index.rst
@@ -6,3 +6,4 @@ x86 architecture specifics
@ -354,9 +383,11 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+ tsx_async_abort
--- /dev/null
+++ b/Documentation/x86/tsx_async_abort.rst
@@ -0,0 +1,54 @@
@@ -0,0 +1,117 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+TSX Async Abort (TAA) mitigation
+=================================================
+================================
+
+.. _tsx_async_abort:
+
@ -376,15 +407,14 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Mitigation strategy
+-------------------
+
+a) TSX disable - One of the mitigation is to disable TSX feature. A new MSR
+IA32_TSX_CTRL will be available in future and current processors and after a
+microcode update in which can be used to disable TSX. This MSR can be used to
+disable the TSX feature and the enumeration of the TSX feature bits(RTM and
+HLE) in CPUID.
+a) TSX disable - one of the mitigations is to disable TSX. A new MSR
+IA32_TSX_CTRL will be available in future and current processors after
+microcode update which can be used to disable TSX. In addition, it
+controls the enumeration of the TSX feature bits (RTM and HLE) in CPUID.
+
+b) CPU clear buffers - Similar to MDS, clearing the CPU buffers mitigates this
+vulnerability. More details on this approach can be found here
+https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+b) Clear CPU buffers - similar to MDS, clearing the CPU buffers mitigates this
+vulnerability. More details on this approach can be found in
+:ref:`Documentation/admin-guide/hw-vuln/mds.rst <mds>`.
+
+Kernel internal mitigation modes
+--------------------------------
@ -406,6 +436,68 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+ effort approach without guarantee.
+ ============= ============================================================
+
+If the CPU is affected and "tsx_async_abort" kernel command line parameter is
+If the CPU is affected and the "tsx_async_abort" kernel command line parameter is
+not provided then the kernel selects an appropriate mitigation depending on the
+status of RTM and MD_CLEAR CPUID bits.
+
+Below tables indicate the impact of tsx=on|off|auto cmdline options on state of
+TAA mitigation, VERW behavior and TSX feature for various combinations of
+MSR_IA32_ARCH_CAPABILITIES bits.
+
+1. "tsx=off"
+
+========= ========= ============ ============ ============== =================== ======================
+MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=off
+---------------------------------- -------------------------------------------------------------------------
+TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation
+ after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full
+========= ========= ============ ============ ============== =================== ======================
+ 0 0 0 HW default Yes Same as MDS Same as MDS
+ 0 0 1 Invalid case Invalid case Invalid case Invalid case
+ 0 1 0 HW default No Need ucode update Need ucode update
+ 0 1 1 Disabled Yes TSX disabled TSX disabled
+ 1 X 1 Disabled X None needed None needed
+========= ========= ============ ============ ============== =================== ======================
+
+2. "tsx=on"
+
+========= ========= ============ ============ ============== =================== ======================
+MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=on
+---------------------------------- -------------------------------------------------------------------------
+TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation
+ after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full
+========= ========= ============ ============ ============== =================== ======================
+ 0 0 0 HW default Yes Same as MDS Same as MDS
+ 0 0 1 Invalid case Invalid case Invalid case Invalid case
+ 0 1 0 HW default No Need ucode update Need ucode update
+ 0 1 1 Enabled Yes None Same as MDS
+ 1 X 1 Enabled X None needed None needed
+========= ========= ============ ============ ============== =================== ======================
+
+3. "tsx=auto"
+
+========= ========= ============ ============ ============== =================== ======================
+MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=auto
+---------------------------------- -------------------------------------------------------------------------
+TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation
+ after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full
+========= ========= ============ ============ ============== =================== ======================
+ 0 0 0 HW default Yes Same as MDS Same as MDS
+ 0 0 1 Invalid case Invalid case Invalid case Invalid case
+ 0 1 0 HW default No Need ucode update Need ucode update
+ 0 1 1 Disabled Yes TSX disabled TSX disabled
+ 1 X 1 Enabled X None needed None needed
+========= ========= ============ ============ ============== =================== ======================
+
+In the tables, TSX_CTRL_MSR is a new bit in MSR_IA32_ARCH_CAPABILITIES that
+indicates whether MSR_IA32_TSX_CTRL is supported.
+
+There are two control bits in IA32_TSX_CTRL MSR:
+
+ Bit 0: When set it disables the Restricted Transactional Memory (RTM)
+ sub-feature of TSX (will force all transactions to abort on the
+ XBEGIN instruction).
+
+ Bit 1: When set it disables the enumeration of the RTM and HLE feature
+ (i.e. it will make CPUID(EAX=7).EBX{bit4} and
+ CPUID(EAX=7).EBX{bit11} read as 0).

385
debian/patches/bugfix/x86/taa/0021-TAAv6-9.patch vendored
View File

@ -1,385 +0,0 @@
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:30:57 -0700
Subject: TAAv6 9
Transactional Synchronization Extensions (TSX) is an extension to the
x86 instruction set architecture (ISA) that adds Hardware Transactional
Memory (HTM) support. Changing TSX state currently requires a reboot.
This may not be desirable when rebooting imposes a huge penalty. Add
support to control TSX feature via a new sysfs file:
/sys/devices/system/cpu/hw_tx_mem
- Writing 0|off|N|n to this file disables TSX feature on all the CPUs.
This is equivalent to boot parameter tsx=off.
- Writing 1|on|Y|y to this file enables TSX feature on all the CPUs.
This is equivalent to boot parameter tsx=on.
- Reading from this returns the status of TSX feature.
- When TSX control is not supported this interface is not visible in
sysfs.
Changing the TSX state from this interface also updates CPUID.RTM
feature bit. From the kernel side, this feature bit doesn't result in
any ALTERNATIVE code patching. No memory allocations are done to
save/restore user state. No code paths in outside of the tests for
vulnerability to TAA are dependent on the value of the feature bit. In
general the kernel doesn't care whether RTM is present or not.
Applications typically look at CPUID bits once at startup (or when first
calling into a library that uses the feature). So we have a couple of
cases to cover:
1) An application started and saw that RTM was enabled, so began
to use it. Then TSX was disabled. Net result in this case is that
the application will keep trying to use RTM, but every xbegin() will
immediately abort the transaction. This has a performance impact to
the application, but it doesn't affect correctness because all users
of RTM must have a fallback path for when the transaction aborts. Note
that even if an application is in the middle of a transaction when we
disable RTM, we are safe. The XPI that we use to update the TSX_CTRL
MSR will abort the transaction (just as any interrupt would abort
a transaction).
2) An application starts and sees RTM is not available. So it will
always use alternative paths. Even if TSX is enabled and RTM is set,
applications in general do not re-evaluate their choice so will
continue to run in non-TSX mode.
When the TSX state is changed from the sysfs interface, TSX Async Abort
(TAA) mitigation state also needs to be updated. Set the TAA mitigation
state as per TSX and VERW static branch state.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Reviewed-by: Mark Gross <mgross@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
[bwh: Backported to 4.19: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
.../ABI/testing/sysfs-devices-system-cpu | 23 ++++
.../admin-guide/hw-vuln/tsx_async_abort.rst | 29 +++++
arch/x86/kernel/cpu/bugs.c | 21 +++-
arch/x86/kernel/cpu/cpu.h | 3 +-
arch/x86/kernel/cpu/tsx.c | 100 +++++++++++++++++-
drivers/base/cpu.c | 32 +++++-
include/linux/cpu.h | 6 ++
7 files changed, 210 insertions(+), 4 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
index a1bd0b6766d7..2a98f6c70add 100644
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -513,3 +513,26 @@ Description: Control Symetric Multi Threading (SMT)
If control status is "forceoff" or "notsupported" writes
are rejected.
+
+What: /sys/devices/system/cpu/hw_tx_mem
+Date: August 2019
+Contact: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+ Linux kernel mailing list <linux-kernel@vger.kernel.org>
+Description: Hardware Transactional Memory (HTM) control.
+
+ Read/write interface to control HTM feature for all the CPUs in
+ the system. This interface is only present on platforms that
+ support HTM control. HTM is a hardware feature to speed up the
+ execution of multi-threaded software through lock elision. An
+ example of HTM implementation is Intel Transactional
+ Synchronization Extensions (TSX).
+
+ Read returns the status of HTM feature.
+
+ 0: HTM is disabled
+ 1: HTM is enabled
+
+ Write sets the state of HTM feature.
+
+ 0: Disables HTM
+ 1: Enables HTM
diff --git a/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
index 58f24db49615..b62bc749fd8c 100644
--- a/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+++ b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
@@ -207,6 +207,35 @@ buffers. For platforms without TSX control "tsx" command line argument has no
effect.
+.. _taa_mitigation_sysfs:
+
+Mitigation control using sysfs
+------------------------------
+
+For those affected systems that can not be frequently rebooted to enable or
+disable TSX, sysfs can be used as an alternative after installing the updates.
+The possible values for the file /sys/devices/system/cpu/hw_tx_mem are:
+
+ ============ =============================================================
+ 0 Disable TSX. Upon entering a TSX transactional region, the code
+ will immediately abort, before any instruction executes within
+ the transactional region even speculatively, and continue on
+ the fallback. Equivalent to boot parameter "tsx=off".
+
+ 1 Enable TSX. Equivalent to boot parameter "tsx=on".
+
+ ============ =============================================================
+
+Reading from this file returns the status of TSX feature. This file is only
+present on systems that support TSX control.
+
+When disabling TSX by using the sysfs mechanism, applications that are already
+running and use TSX will see their transactional regions aborted and execution
+flow will be redirected to the fallback, losing the benefits of the
+non-blocking path. TSX needs fallback code to guarantee correct execution
+without transactional regions.
+
+
Mitigation selection guide
--------------------------
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index c435bc5dc19b..f0a998c10056 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -274,7 +274,7 @@ early_param("mds", mds_cmdline);
#define pr_fmt(fmt) "TAA: " fmt
/* Default mitigation for TAA-affected CPUs */
-static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW;
+static enum taa_mitigations taa_mitigation = TAA_MITIGATION_VERW;
static bool taa_nosmt __ro_after_init;
static const char * const taa_strings[] = {
@@ -374,6 +374,25 @@ static int __init tsx_async_abort_cmdline(char *str)
}
early_param("tsx_async_abort", tsx_async_abort_cmdline);
+void taa_update_mitigation(bool tsx_enabled)
+{
+ /*
+ * When userspace changes the TSX state, update taa_mitigation
+ * so that the updated mitigation state is shown in:
+ * /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
+ *
+ * Check if TSX is disabled.
+ * Check if CPU buffer clear is enabled.
+ * else the system is vulnerable.
+ */
+ if (!tsx_enabled)
+ taa_mitigation = TAA_MITIGATION_TSX_DISABLE;
+ else if (static_key_count(&mds_user_clear.key))
+ taa_mitigation = TAA_MITIGATION_VERW;
+ else
+ taa_mitigation = TAA_MITIGATION_OFF;
+}
+
#undef pr_fmt
#define pr_fmt(fmt) "Spectre V1 : " fmt
diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
index 236582c90d3f..57fd603d367f 100644
--- a/arch/x86/kernel/cpu/cpu.h
+++ b/arch/x86/kernel/cpu/cpu.h
@@ -52,11 +52,12 @@ enum tsx_ctrl_states {
TSX_CTRL_NOT_SUPPORTED,
};
-extern __ro_after_init enum tsx_ctrl_states tsx_ctrl_state;
+extern enum tsx_ctrl_states tsx_ctrl_state;
extern void __init tsx_init(void);
extern void tsx_enable(void);
extern void tsx_disable(void);
+extern void taa_update_mitigation(bool tsx_enabled);
#else
static inline void tsx_init(void) { }
#endif /* CONFIG_CPU_SUP_INTEL */
diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
index e93abe6f0bb9..96320449abb7 100644
--- a/arch/x86/kernel/cpu/tsx.c
+++ b/arch/x86/kernel/cpu/tsx.c
@@ -10,12 +10,15 @@
#include <linux/processor.h>
#include <linux/cpufeature.h>
+#include <linux/cpu.h>
#include <asm/cmdline.h>
#include "cpu.h"
-enum tsx_ctrl_states tsx_ctrl_state __ro_after_init = TSX_CTRL_NOT_SUPPORTED;
+static DEFINE_MUTEX(tsx_mutex);
+
+enum tsx_ctrl_states tsx_ctrl_state = TSX_CTRL_NOT_SUPPORTED;
void tsx_disable(void)
{
@@ -118,3 +121,98 @@ void __init tsx_init(void)
setup_force_cpu_cap(X86_FEATURE_RTM);
}
}
+
+static void tsx_update_this_cpu(void *arg)
+{
+ unsigned long enable = (unsigned long)arg;
+
+ if (enable)
+ tsx_enable();
+ else
+ tsx_disable();
+}
+
+/* Take tsx_mutex lock and update tsx_ctrl_state when calling this function */
+static void tsx_update_on_each_cpu(bool val)
+{
+ get_online_cpus();
+ on_each_cpu(tsx_update_this_cpu, (void *)val, 1);
+ put_online_cpus();
+}
+
+ssize_t hw_tx_mem_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+{
+ return sprintf(buf, "%d\n", tsx_ctrl_state == TSX_CTRL_ENABLE ? 1 : 0);
+}
+
+ssize_t hw_tx_mem_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+{
+ enum tsx_ctrl_states requested_state;
+ ssize_t ret;
+ bool val;
+
+ ret = kstrtobool(buf, &val);
+ if (ret)
+ return ret;
+
+ mutex_lock(&tsx_mutex);
+
+ if (val)
+ requested_state = TSX_CTRL_ENABLE;
+ else
+ requested_state = TSX_CTRL_DISABLE;
+
+ /* Current state is same as the requested state, do nothing */
+ if (tsx_ctrl_state == requested_state)
+ goto exit;
+
+ tsx_ctrl_state = requested_state;
+
+ /*
+ * Changing the TSX state from this interface also updates CPUID.RTM
+ * feature bit. From the kernel side, this feature bit doesn't result
+ * in any ALTERNATIVE code patching. No memory allocations are done to
+ * save/restore user state. No code paths in outside of the tests for
+ * vulnerability to TAA are dependent on the value of the feature bit.
+ * In general the kernel doesn't care whether RTM is present or not.
+ *
+ * From the user side it is a bit fuzzier. Applications typically look
+ * at CPUID bits once at startup (or when first calling into a library
+ * that uses the feature). So we have a couple of cases to cover:
+ *
+ * 1) An application started and saw that RTM was enabled, so began
+ * to use it. Then TSX was disabled. Net result in this case is
+ * that the application will keep trying to use RTM, but every
+ * xbegin() will immediately abort the transaction. This has a
+ * performance impact to the application, but it doesn't affect
+ * correctness because all users of RTM must have a fallback path
+ * for when the transaction aborts. Note that even if an application
+ * is in the middle of a transaction when we disable RTM, we are
+ * safe. The XPI that we use to update the TSX_CTRL MSR will abort
+ * the transaction (just as any interrupt would abort a
+ * transaction).
+ *
+ * 2) An application starts and sees RTM is not available. So it will
+ * always use alternative paths. Even if TSX is enabled and RTM is
+ * set, applications in general do not re-evaluate their choice so
+ * will continue to run in non-TSX mode.
+ */
+ tsx_update_on_each_cpu(val);
+
+ if (boot_cpu_has_bug(X86_BUG_TAA))
+ taa_update_mitigation(val);
+exit:
+ mutex_unlock(&tsx_mutex);
+
+ return count;
+}
+
+umode_t hw_tx_mem_is_visible(void)
+{
+ if (tsx_ctrl_state == TSX_CTRL_NOT_SUPPORTED)
+ return 0;
+
+ return 0644;
+}
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
index e9e7fde0fe00..ebc46fd81762 100644
--- a/drivers/base/cpu.c
+++ b/drivers/base/cpu.c
@@ -458,6 +458,34 @@ struct device *cpu_device_create(struct device *parent, void *drvdata,
}
EXPORT_SYMBOL_GPL(cpu_device_create);
+ssize_t __weak hw_tx_mem_show(struct device *dev, struct device_attribute *a,
+ char *buf)
+{
+ return -ENODEV;
+}
+
+ssize_t __weak hw_tx_mem_store(struct device *dev, struct device_attribute *a,
+ const char *buf, size_t count)
+{
+ return -ENODEV;
+}
+
+DEVICE_ATTR_RW(hw_tx_mem);
+
+umode_t __weak hw_tx_mem_is_visible(void)
+{
+ return 0;
+}
+
+static umode_t cpu_root_attrs_is_visible(struct kobject *kobj,
+ struct attribute *attr, int index)
+{
+ if (attr == &dev_attr_hw_tx_mem.attr)
+ return hw_tx_mem_is_visible();
+
+ return attr->mode;
+}
+
#ifdef CONFIG_GENERIC_CPU_AUTOPROBE
static DEVICE_ATTR(modalias, 0444, print_cpu_modalias, NULL);
#endif
@@ -479,11 +507,13 @@ static struct attribute *cpu_root_attrs[] = {
#ifdef CONFIG_GENERIC_CPU_AUTOPROBE
&dev_attr_modalias.attr,
#endif
+ &dev_attr_hw_tx_mem.attr,
NULL
};
static struct attribute_group cpu_root_attr_group = {
- .attrs = cpu_root_attrs,
+ .attrs = cpu_root_attrs,
+ .is_visible = cpu_root_attrs_is_visible,
};
static const struct attribute_group *cpu_root_attr_groups[] = {
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index 9d8dba19844e..7bd8ced5c000 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -65,6 +65,12 @@ extern ssize_t cpu_show_tsx_async_abort(struct device *dev,
struct device_attribute *attr,
char *buf);
+extern ssize_t hw_tx_mem_show(struct device *dev, struct device_attribute *a,
+ char *buf);
+extern ssize_t hw_tx_mem_store(struct device *dev, struct device_attribute *a,
+ const char *buf, size_t count);
+extern umode_t hw_tx_mem_is_visible(void);
+
extern __printf(4, 5)
struct device *cpu_device_create(struct device *parent, void *drvdata,
const struct attribute_group **groups,

134
debian/patches/bugfix/x86/taa/0021-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch vendored Normal file
View File

@ -0,0 +1,134 @@
From: Michal Hocko <mhocko@suse.com>
Date: Wed, 23 Oct 2019 12:35:50 +0200
Subject: x86/tsx: Add config options to set tsx=on|off|auto
There is a general consensus that TSX usage is not largely spread while
the history shows there is a non trivial space for side channel attacks
possible. Therefore the tsx is disabled by default even on platforms
that might have a safe implementation of TSX according to the current
knowledge. This is a fair trade off to make.
There are, however, workloads that really do benefit from using TSX and
updating to a newer kernel with TSX disabled might introduce a
noticeable regressions. This would be especially a problem for Linux
distributions which will provide TAA mitigations.
Introduce config options X86_INTEL_TSX_MODE_OFF, X86_INTEL_TSX_MODE_ON
and X86_INTEL_TSX_MODE_AUTO to control the TSX feature. The config
setting can be overridden by the tsx cmdline options.
Suggested-by: Borislav Petkov <bpetkov@suse.de>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tony Luck <tony.luck@intel.com>
Cc: x86-ml <x86@kernel.org>
---
arch/x86/Kconfig | 45 +++++++++++++++++++++++++++++++++++++++
arch/x86/kernel/cpu/tsx.c | 22 +++++++++++++------
2 files changed, 61 insertions(+), 6 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index e76d16ac2776..a47343bb439c 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1903,6 +1903,51 @@ config X86_INTEL_MEMORY_PROTECTION_KEYS
If unsure, say y.
+choice
+ prompt "TSX enable mode"
+ depends on CPU_SUP_INTEL
+ default X86_INTEL_TSX_MODE_OFF
+ help
+ Intel's TSX (Transactional Synchronization Extensions) feature
+ allows to optimize locking protocols through lock elision which
+ can lead to a noticeable performance boost.
+
+ On the other hand it has been shown that TSX can be exploited
+ to form side channel attacks (e.g. TAA) and chances are there
+ will be more of those attacks discovered in the future.
+
+ Therefore TSX is not enabled by default (aka tsx=off). An admin
+ might override this decision by tsx=on command line parameter. This
+ has a risk that TSX will get enabled also on platforms which are
+ known to be vulnerable to attacks like TAA and a safer option is to
+ use tsx=auto command line parameter.
+
+ This options allows to set the default tsx mode between tsx=on, off
+ and auto. See Documentation/admin-guide/kernel-parameters.txt for more
+ details.
+
+ Say off if not sure, auto if TSX is in use but it should be used on safe
+ platforms or on if TSX is in use and the security aspect of tsx is not
+ relevant.
+
+config X86_INTEL_TSX_MODE_OFF
+ bool "off"
+ help
+ TSX is always disabled - equals tsx=off command line parameter.
+
+config X86_INTEL_TSX_MODE_ON
+ bool "on"
+ help
+ TSX is always enabled on TSX capable HW - equals tsx=on command line
+ parameter.
+
+config X86_INTEL_TSX_MODE_AUTO
+ bool "auto"
+ help
+ TSX is enabled on TSX capable HW that is believed to be safe against
+ side channel attacks- equals tsx=auto command line parameter.
+endchoice
+
config EFI
bool "EFI runtime service support"
depends on ACPI
diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
index 89ab91eacd4f..ab400f8bbfe1 100644
--- a/arch/x86/kernel/cpu/tsx.c
+++ b/arch/x86/kernel/cpu/tsx.c
@@ -67,6 +67,14 @@ static bool __init tsx_ctrl_is_supported(void)
return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR);
}
+static enum tsx_ctrl_states x86_get_tsx_auto_mode(void)
+{
+ if (boot_cpu_has_bug(X86_BUG_TAA))
+ return TSX_CTRL_DISABLE;
+
+ return TSX_CTRL_ENABLE;
+}
+
void __init tsx_init(void)
{
char arg[5] = {};
@@ -82,17 +90,19 @@ void __init tsx_init(void)
} else if (!strcmp(arg, "off")) {
tsx_ctrl_state = TSX_CTRL_DISABLE;
} else if (!strcmp(arg, "auto")) {
- if (boot_cpu_has_bug(X86_BUG_TAA))
- tsx_ctrl_state = TSX_CTRL_DISABLE;
- else
- tsx_ctrl_state = TSX_CTRL_ENABLE;
+ tsx_ctrl_state = x86_get_tsx_auto_mode();
} else {
tsx_ctrl_state = TSX_CTRL_DISABLE;
pr_err("tsx: invalid option, defaulting to off\n");
}
} else {
- /* tsx= not provided, defaulting to off */
- tsx_ctrl_state = TSX_CTRL_DISABLE;
+ /* tsx= not provided */
+ if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_AUTO))
+ tsx_ctrl_state = x86_get_tsx_auto_mode();
+ else if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_OFF))
+ tsx_ctrl_state = TSX_CTRL_DISABLE;
+ else
+ tsx_ctrl_state = TSX_CTRL_ENABLE;
}
if (tsx_ctrl_state == TSX_CTRL_DISABLE) {

18
debian/patches/series vendored
View File

@ -270,15 +270,15 @@ bugfix/x86/itlb_multihit/0009-x86-Add-ITLB_MULTIHIT-bug-infrastructure.patch
bugfix/x86/itlb_multihit/0010-kvm-mmu-ITLB_MULTIHIT-mitigation.patch
bugfix/x86/itlb_multihit/0011-kvm-Add-helper-function-for-creating-VM-worker.patch
bugfix/x86/itlb_multihit/0012-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch
bugfix/x86/taa/0013-TAAv6-1.patch
bugfix/x86/taa/0014-TAAv6-2.patch
bugfix/x86/taa/0015-TAAv6-3.patch
bugfix/x86/taa/0016-TAAv6-4.patch
bugfix/x86/taa/0017-TAAv6-5.patch
bugfix/x86/taa/0018-TAAv6-6.patch
bugfix/x86/taa/0019-TAAv6-7.patch
bugfix/x86/taa/0020-TAAv6-8.patch
bugfix/x86/taa/0021-TAAv6-9.patch
bugfix/x86/taa/0013-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch
bugfix/x86/taa/0014-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch
bugfix/x86/taa/0015-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch
bugfix/x86/taa/0016-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch
bugfix/x86/taa/0017-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch
bugfix/x86/taa/0018-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch
bugfix/x86/taa/0019-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch
bugfix/x86/taa/0020-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch
bugfix/x86/taa/0021-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch
# ABI maintenance
debian/abi/powerpc-avoid-abi-change-for-disabling-tm.patch