1. photon
  2. SPECS
  3. linux
  4. Performance-over-security-model.patch
Raw Blame History 
From b677dd28763ec279a7021e9b6347a563489d39c8 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Fri, 3 Feb 2023 16:20:24 -0800
Subject: [PATCH] Performance over security model

Upstream Linux choice is security first at the cost of performance.
Example: IBRS enablement on Skylake CPUs as a Spectre v2 mitigation
against RETBleed attacks. It degrades performance by up to 70% on some
workloads.

Some Photon OS consumers prefer performance over security as such attack
is not possible or the score is lower for their application.

We offer a solution where kernel picks the best performance while not
compromizing security much. Introducing a new kernel parameter
pos=<value>, where <value> is a bit mask (in any base)
This commit adds support for bit #0, defining PoS decision for RETBleed
mitigation. The decision logic is:
1. If EIBRS feature supported by CPU - use it (default kernel behavior)
2. Else if IBRS supported, then do not use IBRS and fallback to retpoline
   technique. It will keep the CPU vulnerable to RETBleed attacks (PoS)
3. Else use retpoline, vulnerable but no other techniques available for
   given CPU type (default kernel behavior)

pos=1 works only if spectre_v2= and retbleed= set to auto (or not set)

Skylake users will observe the following kernel errors is pos=1 set:
[    0.147757] Spectre V2 : IBRS supported, but not enabled. The system is vulnerable to RETBleed attacks! (pos=1)
...
[    0.147773] RETBleed: WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!
[    0.147777] RETBleed: Vulnerable

Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
---
 arch/x86/kernel/cpu/bugs.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index a2a087a797ae..5644b32edc48 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -252,6 +252,24 @@ static void x86_amd_ssb_disable(void)
 		wrmsrl(MSR_AMD64_LS_CFG, msrval);
 }
 
+/* Bitmask of switches for security mitigations to follow PoS model. */
+static unsigned int __ro_after_init performance_over_security = 0;
+/* Ignore IBRS (Skylake and older CPUs) and use other techniques instead. */
+#define POS_RETBLEED	(1 << 0)
+#define POS_RETBLEED_MSG "IBRS supported, but not enabled. The system is vulnerable to RETBleed attacks!"
+
+static int __init pos_cmdline(char *str)
+{
+	if (!str)
+		return -EINVAL;
+
+	if (kstrtouint(str, 0, &performance_over_security))
+		return -EINVAL;
+
+	return 0;
+}
+early_param("pos", pos_cmdline);
+
 #undef pr_fmt
 #define pr_fmt(fmt)	"MDS: " fmt
 
@@ -1378,8 +1396,15 @@ static void __init spectre_v2_select_mitigation(void)
 		    retbleed_cmd != RETBLEED_CMD_OFF &&
 		    boot_cpu_has(X86_FEATURE_IBRS) &&
 		    boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
-			mode = SPECTRE_V2_IBRS;
-			break;
+			/* Allow pos= only if spectre_v2 is not set (auto). */
+			if ((performance_over_security & POS_RETBLEED) &&
+			    cmd == SPECTRE_V2_CMD_AUTO) {
+				pr_err(POS_RETBLEED_MSG " (pos=%d)\n" , performance_over_security);
+				/* Fallthrough */
+			} else {
+				mode = SPECTRE_V2_IBRS;
+				break;
+			}
 		}
 
 		mode = spectre_v2_select_retpoline();
-- 
2.35.5