1. photon
  2. Commit 4ab22c262769e26e77a92cdd85e7f799599ecc17
Browse code

kernels: Add more spectre mitigations (IBPB/IBRS) and support for SSBD

Add IBPB/IBRS support as an additional mitigation for Spectre variant
2 vulnerability, and fix Speculative Store Bypass vulnerability using
SSBD.

Changes to KVM have been left out from these patches due to challenges
in backporting them to 4.4 -- i.e., the KVM codebase in 4.4.137 looks
vastly different as compared to what the original versions of these
patches expect.

Change-Id: Ia29ec13c6038c58f9b2b7bc228014f00a262bcde
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5279
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>

Srivatsa S. Bhat authored on 2018/06/15 07:36:36
Showing 106 changed files
SPECS/linux/linux-esx.spec
History View file @ 4ab22c2
... ... 
@@ -2,7 +2,7 @@
2 2 
 Summary:       Kernel
3 3 
 Name:          linux-esx
4 4 
 Version:       4.4.137
5 
-Release:       1%{?dist}
5 
+Release:       2%{?dist}
6 6 
 License:       GPLv2
7 7 
 URL:           http://www.kernel.org/
8 8 
 Group:         System Environment/Kernel
... ... 
@@ -61,7 +61,114 @@ Patch64: 0153-net-mpls-prevent-speculative-execution.patch
61 61 
 Patch65: 0154-udf-prevent-speculative-execution.patch
62 62 
 Patch66: 0155-userns-prevent-speculative-execution.patch
63 63 
 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch
64 
-Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch
64 
+
65 
+# Add more Spectre-v2 mitigations (IBPB/IBRS)
66 
+Patch201: 0001-x86-cpufeature-Move-some-of-the-scattered-feature-bi.patch
67 
+Patch202: 0002-x86-cpufeature-Cleanup-get_cpu_cap.patch
68 
+Patch203: 0003-x86-Remove-unused-function-cpu_has_ht_siblings.patch
69 
+Patch204: 0004-x86-cpufeature-Remove-unused-and-seldomly-used-cpu_h.patch
70 
+Patch205: 0005-x86-cpu-Provide-a-config-option-to-disable-static_cp.patch
71 
+Patch206: 0006-x86-fpu-Add-an-XSTATE_OP-macro.patch
72 
+Patch207: 0007-x86-fpu-Get-rid-of-xstate_fault.patch
73 
+Patch208: 0008-x86-headers-Don-t-include-asm-processor.h-in-asm-ato.patch
74 
+Patch209: 0009-x86-cpufeature-Carve-out-X86_FEATURE_.patch
75 
+Patch210: 0010-x86-cpufeature-Replace-the-old-static_cpu_has-with-s.patch
76 
+Patch211: 0011-x86-cpufeature-Get-rid-of-the-non-asm-goto-variant.patch
77 
+Patch212: 0012-x86-alternatives-Add-an-auxilary-section.patch
78 
+Patch213: 0013-x86-alternatives-Discard-dynamic-check-after-init.patch
79 
+Patch214: 0014-x86-vdso-Use-static_cpu_has.patch
80 
+Patch215: 0015-x86-boot-Simplify-kernel-load-address-alignment-chec.patch
81 
+Patch216: 0016-x86-cpufeature-Speed-up-cpu_feature_enabled.patch
82 
+Patch217: 0017-x86-cpufeature-x86-mm-pkeys-Add-protection-keys-rela.patch
83 
+Patch218: 0018-x86-mm-pkeys-Fix-mismerge-of-protection-keys-CPUID-b.patch
84 
+Patch219: 0019-x86-cpu-Add-detection-of-AMD-RAS-Capabilities.patch
85 
+Patch220: 0020-x86-cpufeature-x86-mm-pkeys-Fix-broken-compile-time-.patch
86 
+Patch221: 0021-x86-cpufeature-Update-cpufeaure-macros.patch
87 
+Patch222: 0022-x86-cpufeature-Make-sure-DISABLED-REQUIRED-macros-ar.patch
88 
+Patch223: 0023-x86-cpufeature-Add-helper-macro-for-mask-check-macro.patch
89 
+Patch224: 0024-x86-cpu-Probe-CPUID-leaf-6-even-when-cpuid_level-6.patch
90 
+Patch225: 0025-x86-cpufeatures-Add-CPUID_7_EDX-CPUID-leaf.patch
91 
+Patch226: 0026-x86-cpufeatures-Add-Intel-feature-bits-for-Speculati.patch
92 
+Patch227: 0027-x86-cpufeatures-Add-AMD-feature-bits-for-Speculation.patch
93 
+Patch228: 0028-x86-msr-Add-definitions-for-new-speculation-control-.patch
94 
+Patch229: 0029-x86-pti-Do-not-enable-PTI-on-CPUs-which-are-not-vuln.patch
95 
+Patch230: 0030-x86-cpufeature-Blacklist-SPEC_CTRL-PRED_CMD-on-early.patch
96 
+Patch231: 0031-x86-speculation-Add-basic-IBPB-Indirect-Branch-Predi.patch
97 
+Patch232: 0032-x86-cpufeatures-Clean-up-Spectre-v2-related-CPUID-fl.patch
98 
+Patch233: 0033-x86-cpuid-Fix-up-virtual-IBRS-IBPB-STIBP-feature-bit.patch
99 
+Patch234: 0034-x86-pti-Mark-constant-arrays-as-__initconst.patch
100 
+Patch235: 0035-x86-asm-entry-32-Simplify-pushes-of-zeroed-pt_regs-R.patch
101 
+Patch236: 0036-x86-entry-64-compat-Clear-registers-for-compat-sysca.patch
102 
+Patch237: 0037-x86-speculation-Update-Speculation-Control-microcode.patch
103 
+Patch238: 0038-x86-speculation-Correct-Speculation-Control-microcod.patch
104 
+Patch239: 0039-x86-speculation-Clean-up-various-Spectre-related-det.patch
105 
+Patch240: 0040-x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch
106 
+Patch241: 0041-x86-speculation-Add-asm-msr-index.h-dependency.patch
107 
+Patch242: 0042-x86-xen-Zero-MSR_IA32_SPEC_CTRL-before-suspend.patch
108 
+Patch243: 0043-x86-mm-Factor-out-LDT-init-from-context-init.patch
109 
+Patch244: 0044-x86-mm-Give-each-mm-TLB-flush-generation-a-unique-ID.patch
110 
+Patch245: 0045-x86-speculation-Use-Indirect-Branch-Prediction-Barri.patch
111 
+Patch246: 0046-x86-spectre_v2-Don-t-check-microcode-versions-when-r.patch
112 
+Patch247: 0047-x86-speculation-Use-IBRS-if-available-before-calling.patch
113 
+Patch248: 0048-x86-speculation-Move-firmware_restrict_branch_specul.patch
114 
+Patch249: 0049-x86-speculation-Remove-Skylake-C2-from-Speculation-C.patch
115 
+Patch250: 0050-selftest-seccomp-Fix-the-flag-name-SECCOMP_FILTER_FL.patch
116 
+Patch251: 0051-selftest-seccomp-Fix-the-seccomp-2-signature.patch
117 
+Patch252: 0052-xen-set-cpu-capabilities-from-xen_start_kernel.patch
118 
+Patch253: 0053-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch
119 
+
120 
+# Fix CVE-2018-3639 (Speculative Store Bypass)
121 
+Patch254: 0054-x86-nospec-Simplify-alternative_msr_write.patch
122 
+Patch255: 0055-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch
123 
+Patch256: 0056-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch
124 
+Patch257: 0057-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch
125 
+Patch258: 0058-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch
126 
+Patch259: 0059-x86-cpu-Rename-Merrifield2-to-Moorefield.patch
127 
+Patch260: 0060-x86-cpu-intel-Add-Knights-Mill-to-Intel-family.patch
128 
+Patch261: 0061-x86-bugs-Expose-sys-.-spec_store_bypass.patch
129 
+Patch262: 0062-x86-cpufeatures-Add-X86_FEATURE_RDS.patch
130 
+Patch263: 0063-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch
131 
+Patch264: 0064-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch
132 
+Patch265: 0065-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch
133 
+Patch266: 0066-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch
134 
+Patch267: 0067-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch
135 
+Patch268: 0068-prctl-Add-speculation-control-prctls.patch
136 
+Patch269: 0069-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch
137 
+Patch270: 0070-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch
138 
+Patch271: 0071-x86-process-Optimize-TIF_NOTSC-switch.patch
139 
+Patch272: 0072-x86-process-Allow-runtime-control-of-Speculative-Sto.patch
140 
+Patch273: 0073-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch
141 
+Patch274: 0074-nospec-Allow-getting-setting-on-non-current-task.patch
142 
+Patch275: 0075-proc-Provide-details-on-speculation-flaw-mitigations.patch
143 
+Patch276: 0076-seccomp-Enable-speculation-flaw-mitigations.patch
144 
+Patch277: 0077-prctl-Add-force-disable-speculation.patch
145 
+Patch278: 0078-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch
146 
+Patch279: 0079-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch
147 
+Patch280: 0080-seccomp-Move-speculation-migitation-control-to-arch-.patch
148 
+Patch281: 0081-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch
149 
+Patch282: 0082-x86-bugs-Rename-_RDS-to-_SSBD.patch
150 
+Patch283: 0083-proc-Use-underscores-for-SSBD-in-status.patch
151 
+Patch284: 0084-Documentation-spec_ctrl-Do-some-minor-cleanups.patch
152 
+Patch285: 0085-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch
153 
+Patch286: 0086-x86-bugs-Make-cpu_show_common-static.patch
154 
+Patch287: 0087-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch
155 
+Patch288: 0088-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch
156 
+Patch289: 0089-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch
157 
+Patch290: 0090-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch
158 
+Patch291: 0091-x86-cpufeatures-Disentangle-SSBD-enumeration.patch
159 
+Patch292: 0092-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch
160 
+Patch293: 0093-x86-cpufeatures-Add-FEATURE_ZEN.patch
161 
+Patch294: 0094-x86-speculation-Handle-HT-correctly-on-AMD.patch
162 
+Patch295: 0095-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch
163 
+Patch296: 0096-x86-speculation-Add-virtualized-speculative-store-by.patch
164 
+Patch297: 0097-x86-speculation-Rework-speculative_store_bypass_upda.patch
165 
+Patch298: 0098-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch
166 
+Patch299: 0099-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch
167 
+Patch300: 0100-x86-bugs-Remove-x86_spec_ctrl_set.patch
168 
+Patch301: 0101-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch
169 
+Patch302: 0102-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch
170 
+Patch303: 0103-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch
171 
+
65 172
66 173 
 BuildRequires: bc
67 174 
 BuildRequires: kbd
... ... 
@@ -143,7 +250,111 @@ The Linux package contains the Linux kernel doc files
143 143 
 %patch65 -p1
144 144 
 %patch66 -p1
145 145 
 %patch67 -p1
146 
-%patch68 -p1
146 
+
147 
+%patch201 -p1
148 
+%patch202 -p1
149 
+%patch203 -p1
150 
+%patch204 -p1
151 
+%patch205 -p1
152 
+%patch206 -p1
153 
+%patch207 -p1
154 
+%patch208 -p1
155 
+%patch209 -p1
156 
+%patch210 -p1
157 
+%patch211 -p1
158 
+%patch212 -p1
159 
+%patch213 -p1
160 
+%patch214 -p1
161 
+%patch215 -p1
162 
+%patch216 -p1
163 
+%patch217 -p1
164 
+%patch218 -p1
165 
+%patch219 -p1
166 
+%patch220 -p1
167 
+%patch221 -p1
168 
+%patch222 -p1
169 
+%patch223 -p1
170 
+%patch224 -p1
171 
+%patch225 -p1
172 
+%patch226 -p1
173 
+%patch227 -p1
174 
+%patch228 -p1
175 
+%patch229 -p1
176 
+%patch230 -p1
177 
+%patch231 -p1
178 
+%patch232 -p1
179 
+%patch233 -p1
180 
+%patch234 -p1
181 
+%patch235 -p1
182 
+%patch236 -p1
183 
+%patch237 -p1
184 
+%patch238 -p1
185 
+%patch239 -p1
186 
+%patch240 -p1
187 
+%patch241 -p1
188 
+%patch242 -p1
189 
+%patch243 -p1
190 
+%patch244 -p1
191 
+%patch245 -p1
192 
+%patch246 -p1
193 
+%patch247 -p1
194 
+%patch248 -p1
195 
+%patch249 -p1
196 
+%patch250 -p1
197 
+%patch251 -p1
198 
+%patch252 -p1
199 
+%patch253 -p1
200 
+%patch254 -p1
201 
+%patch255 -p1
202 
+%patch256 -p1
203 
+%patch257 -p1
204 
+%patch258 -p1
205 
+%patch259 -p1
206 
+%patch260 -p1
207 
+%patch261 -p1
208 
+%patch262 -p1
209 
+%patch263 -p1
210 
+%patch264 -p1
211 
+%patch265 -p1
212 
+%patch266 -p1
213 
+%patch267 -p1
214 
+%patch268 -p1
215 
+%patch269 -p1
216 
+%patch270 -p1
217 
+%patch271 -p1
218 
+%patch272 -p1
219 
+%patch273 -p1
220 
+%patch274 -p1
221 
+%patch275 -p1
222 
+%patch276 -p1
223 
+%patch277 -p1
224 
+%patch278 -p1
225 
+%patch279 -p1
226 
+%patch280 -p1
227 
+%patch281 -p1
228 
+%patch282 -p1
229 
+%patch283 -p1
230 
+%patch284 -p1
231 
+%patch285 -p1
232 
+%patch286 -p1
233 
+%patch287 -p1
234 
+%patch288 -p1
235 
+%patch289 -p1
236 
+%patch290 -p1
237 
+%patch291 -p1
238 
+%patch292 -p1
239 
+%patch293 -p1
240 
+%patch294 -p1
241 
+%patch295 -p1
242 
+%patch296 -p1
243 
+%patch297 -p1
244 
+%patch298 -p1
245 
+%patch299 -p1
246 
+%patch300 -p1
247 
+%patch301 -p1
248 
+%patch302 -p1
249 
+%patch303 -p1
250 
+
147 251
148 252 
 %build
149 253 
 # patch vmw_balloon driver
... ... 
@@ -232,6 +443,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
232 232 
 /usr/src/linux-headers-%{uname_r}
233 233
234 234 
 %changelog
235 
+*   Thu Jun 14 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.137-2
236 
+-   Add more spectre mitigations (IBPB/IBRS) and support for SSBD.
235 237 
 *   Wed Jun 13 2018 Alexey Makhalov <amakhalov@vmware.com> 4.4.137-1
236 238 
 -   Update to version 4.4.137. Fix panic in kprobe.
237 239 
 *   Fri May 18 2018 Bo Gan <ganb@vmware.com> 4.4.131-3
SPECS/linux/linux.spec
History View file @ 4ab22c2
... ... 
@@ -2,7 +2,7 @@
2 2 
 Summary:        Kernel
3 3 
 Name:           linux
4 4 
 Version:    	4.4.137
5 
-Release:        1%{?kat_build:.%kat_build}%{?dist}
5 
+Release:        2%{?kat_build:.%kat_build}%{?dist}
6 6 
 License:    	GPLv2
7 7 
 URL:        	http://www.kernel.org/
8 8 
 Group:        	System Environment/Kernel
... ... 
@@ -61,7 +61,114 @@ Patch64: 0153-net-mpls-prevent-speculative-execution.patch
61 61 
 Patch65: 0154-udf-prevent-speculative-execution.patch
62 62 
 Patch66: 0155-userns-prevent-speculative-execution.patch
63 63 
 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch
64 
-Patch68: 0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch
64 
+
65 
+# Add more Spectre-v2 mitigations (IBPB/IBRS)
66 
+Patch201: 0001-x86-cpufeature-Move-some-of-the-scattered-feature-bi.patch
67 
+Patch202: 0002-x86-cpufeature-Cleanup-get_cpu_cap.patch
68 
+Patch203: 0003-x86-Remove-unused-function-cpu_has_ht_siblings.patch
69 
+Patch204: 0004-x86-cpufeature-Remove-unused-and-seldomly-used-cpu_h.patch
70 
+Patch205: 0005-x86-cpu-Provide-a-config-option-to-disable-static_cp.patch
71 
+Patch206: 0006-x86-fpu-Add-an-XSTATE_OP-macro.patch
72 
+Patch207: 0007-x86-fpu-Get-rid-of-xstate_fault.patch
73 
+Patch208: 0008-x86-headers-Don-t-include-asm-processor.h-in-asm-ato.patch
74 
+Patch209: 0009-x86-cpufeature-Carve-out-X86_FEATURE_.patch
75 
+Patch210: 0010-x86-cpufeature-Replace-the-old-static_cpu_has-with-s.patch
76 
+Patch211: 0011-x86-cpufeature-Get-rid-of-the-non-asm-goto-variant.patch
77 
+Patch212: 0012-x86-alternatives-Add-an-auxilary-section.patch
78 
+Patch213: 0013-x86-alternatives-Discard-dynamic-check-after-init.patch
79 
+Patch214: 0014-x86-vdso-Use-static_cpu_has.patch
80 
+Patch215: 0015-x86-boot-Simplify-kernel-load-address-alignment-chec.patch
81 
+Patch216: 0016-x86-cpufeature-Speed-up-cpu_feature_enabled.patch
82 
+Patch217: 0017-x86-cpufeature-x86-mm-pkeys-Add-protection-keys-rela.patch
83 
+Patch218: 0018-x86-mm-pkeys-Fix-mismerge-of-protection-keys-CPUID-b.patch
84 
+Patch219: 0019-x86-cpu-Add-detection-of-AMD-RAS-Capabilities.patch
85 
+Patch220: 0020-x86-cpufeature-x86-mm-pkeys-Fix-broken-compile-time-.patch
86 
+Patch221: 0021-x86-cpufeature-Update-cpufeaure-macros.patch
87 
+Patch222: 0022-x86-cpufeature-Make-sure-DISABLED-REQUIRED-macros-ar.patch
88 
+Patch223: 0023-x86-cpufeature-Add-helper-macro-for-mask-check-macro.patch
89 
+Patch224: 0024-x86-cpu-Probe-CPUID-leaf-6-even-when-cpuid_level-6.patch
90 
+Patch225: 0025-x86-cpufeatures-Add-CPUID_7_EDX-CPUID-leaf.patch
91 
+Patch226: 0026-x86-cpufeatures-Add-Intel-feature-bits-for-Speculati.patch
92 
+Patch227: 0027-x86-cpufeatures-Add-AMD-feature-bits-for-Speculation.patch
93 
+Patch228: 0028-x86-msr-Add-definitions-for-new-speculation-control-.patch
94 
+Patch229: 0029-x86-pti-Do-not-enable-PTI-on-CPUs-which-are-not-vuln.patch
95 
+Patch230: 0030-x86-cpufeature-Blacklist-SPEC_CTRL-PRED_CMD-on-early.patch
96 
+Patch231: 0031-x86-speculation-Add-basic-IBPB-Indirect-Branch-Predi.patch
97 
+Patch232: 0032-x86-cpufeatures-Clean-up-Spectre-v2-related-CPUID-fl.patch
98 
+Patch233: 0033-x86-cpuid-Fix-up-virtual-IBRS-IBPB-STIBP-feature-bit.patch
99 
+Patch234: 0034-x86-pti-Mark-constant-arrays-as-__initconst.patch
100 
+Patch235: 0035-x86-asm-entry-32-Simplify-pushes-of-zeroed-pt_regs-R.patch
101 
+Patch236: 0036-x86-entry-64-compat-Clear-registers-for-compat-sysca.patch
102 
+Patch237: 0037-x86-speculation-Update-Speculation-Control-microcode.patch
103 
+Patch238: 0038-x86-speculation-Correct-Speculation-Control-microcod.patch
104 
+Patch239: 0039-x86-speculation-Clean-up-various-Spectre-related-det.patch
105 
+Patch240: 0040-x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch
106 
+Patch241: 0041-x86-speculation-Add-asm-msr-index.h-dependency.patch
107 
+Patch242: 0042-x86-xen-Zero-MSR_IA32_SPEC_CTRL-before-suspend.patch
108 
+Patch243: 0043-x86-mm-Factor-out-LDT-init-from-context-init.patch
109 
+Patch244: 0044-x86-mm-Give-each-mm-TLB-flush-generation-a-unique-ID.patch
110 
+Patch245: 0045-x86-speculation-Use-Indirect-Branch-Prediction-Barri.patch
111 
+Patch246: 0046-x86-spectre_v2-Don-t-check-microcode-versions-when-r.patch
112 
+Patch247: 0047-x86-speculation-Use-IBRS-if-available-before-calling.patch
113 
+Patch248: 0048-x86-speculation-Move-firmware_restrict_branch_specul.patch
114 
+Patch249: 0049-x86-speculation-Remove-Skylake-C2-from-Speculation-C.patch
115 
+Patch250: 0050-selftest-seccomp-Fix-the-flag-name-SECCOMP_FILTER_FL.patch
116 
+Patch251: 0051-selftest-seccomp-Fix-the-seccomp-2-signature.patch
117 
+Patch252: 0052-xen-set-cpu-capabilities-from-xen_start_kernel.patch
118 
+Patch253: 0053-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch
119 
+
120 
+# Fix CVE-2018-3639 (Speculative Store Bypass)
121 
+Patch254: 0054-x86-nospec-Simplify-alternative_msr_write.patch
122 
+Patch255: 0055-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch
123 
+Patch256: 0056-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch
124 
+Patch257: 0057-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch
125 
+Patch258: 0058-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch
126 
+Patch259: 0059-x86-cpu-Rename-Merrifield2-to-Moorefield.patch
127 
+Patch260: 0060-x86-cpu-intel-Add-Knights-Mill-to-Intel-family.patch
128 
+Patch261: 0061-x86-bugs-Expose-sys-.-spec_store_bypass.patch
129 
+Patch262: 0062-x86-cpufeatures-Add-X86_FEATURE_RDS.patch
130 
+Patch263: 0063-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch
131 
+Patch264: 0064-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch
132 
+Patch265: 0065-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch
133 
+Patch266: 0066-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch
134 
+Patch267: 0067-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch
135 
+Patch268: 0068-prctl-Add-speculation-control-prctls.patch
136 
+Patch269: 0069-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch
137 
+Patch270: 0070-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch
138 
+Patch271: 0071-x86-process-Optimize-TIF_NOTSC-switch.patch
139 
+Patch272: 0072-x86-process-Allow-runtime-control-of-Speculative-Sto.patch
140 
+Patch273: 0073-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch
141 
+Patch274: 0074-nospec-Allow-getting-setting-on-non-current-task.patch
142 
+Patch275: 0075-proc-Provide-details-on-speculation-flaw-mitigations.patch
143 
+Patch276: 0076-seccomp-Enable-speculation-flaw-mitigations.patch
144 
+Patch277: 0077-prctl-Add-force-disable-speculation.patch
145 
+Patch278: 0078-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch
146 
+Patch279: 0079-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch
147 
+Patch280: 0080-seccomp-Move-speculation-migitation-control-to-arch-.patch
148 
+Patch281: 0081-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch
149 
+Patch282: 0082-x86-bugs-Rename-_RDS-to-_SSBD.patch
150 
+Patch283: 0083-proc-Use-underscores-for-SSBD-in-status.patch
151 
+Patch284: 0084-Documentation-spec_ctrl-Do-some-minor-cleanups.patch
152 
+Patch285: 0085-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch
153 
+Patch286: 0086-x86-bugs-Make-cpu_show_common-static.patch
154 
+Patch287: 0087-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch
155 
+Patch288: 0088-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch
156 
+Patch289: 0089-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch
157 
+Patch290: 0090-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch
158 
+Patch291: 0091-x86-cpufeatures-Disentangle-SSBD-enumeration.patch
159 
+Patch292: 0092-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch
160 
+Patch293: 0093-x86-cpufeatures-Add-FEATURE_ZEN.patch
161 
+Patch294: 0094-x86-speculation-Handle-HT-correctly-on-AMD.patch
162 
+Patch295: 0095-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch
163 
+Patch296: 0096-x86-speculation-Add-virtualized-speculative-store-by.patch
164 
+Patch297: 0097-x86-speculation-Rework-speculative_store_bypass_upda.patch
165 
+Patch298: 0098-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch
166 
+Patch299: 0099-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch
167 
+Patch300: 0100-x86-bugs-Remove-x86_spec_ctrl_set.patch
168 
+Patch301: 0101-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch
169 
+Patch302: 0102-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch
170 
+Patch303: 0103-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch
171 
+
65 172
66 173 
 %if 0%{?kat_build:1}
67 174 
 Patch1000:	%{kat_build}.patch
... ... 
@@ -175,7 +282,111 @@ This package contains the 'perf' performance analysis tools for Linux kernel.
175 175 
 %patch65 -p1
176 176 
 %patch66 -p1
177 177 
 %patch67 -p1
178 
-%patch68 -p1
178 
+
179 
+%patch201 -p1
180 
+%patch202 -p1
181 
+%patch203 -p1
182 
+%patch204 -p1
183 
+%patch205 -p1
184 
+%patch206 -p1
185 
+%patch207 -p1
186 
+%patch208 -p1
187 
+%patch209 -p1
188 
+%patch210 -p1
189 
+%patch211 -p1
190 
+%patch212 -p1
191 
+%patch213 -p1
192 
+%patch214 -p1
193 
+%patch215 -p1
194 
+%patch216 -p1
195 
+%patch217 -p1
196 
+%patch218 -p1
197 
+%patch219 -p1
198 
+%patch220 -p1
199 
+%patch221 -p1
200 
+%patch222 -p1
201 
+%patch223 -p1
202 
+%patch224 -p1
203 
+%patch225 -p1
204 
+%patch226 -p1
205 
+%patch227 -p1
206 
+%patch228 -p1
207 
+%patch229 -p1
208 
+%patch230 -p1
209 
+%patch231 -p1
210 
+%patch232 -p1
211 
+%patch233 -p1
212 
+%patch234 -p1
213 
+%patch235 -p1
214 
+%patch236 -p1
215 
+%patch237 -p1
216 
+%patch238 -p1
217 
+%patch239 -p1
218 
+%patch240 -p1
219 
+%patch241 -p1
220 
+%patch242 -p1
221 
+%patch243 -p1
222 
+%patch244 -p1
223 
+%patch245 -p1
224 
+%patch246 -p1
225 
+%patch247 -p1
226 
+%patch248 -p1
227 
+%patch249 -p1
228 
+%patch250 -p1
229 
+%patch251 -p1
230 
+%patch252 -p1
231 
+%patch253 -p1
232 
+%patch254 -p1
233 
+%patch255 -p1
234 
+%patch256 -p1
235 
+%patch257 -p1
236 
+%patch258 -p1
237 
+%patch259 -p1
238 
+%patch260 -p1
239 
+%patch261 -p1
240 
+%patch262 -p1
241 
+%patch263 -p1
242 
+%patch264 -p1
243 
+%patch265 -p1
244 
+%patch266 -p1
245 
+%patch267 -p1
246 
+%patch268 -p1
247 
+%patch269 -p1
248 
+%patch270 -p1
249 
+%patch271 -p1
250 
+%patch272 -p1
251 
+%patch273 -p1
252 
+%patch274 -p1
253 
+%patch275 -p1
254 
+%patch276 -p1
255 
+%patch277 -p1
256 
+%patch278 -p1
257 
+%patch279 -p1
258 
+%patch280 -p1
259 
+%patch281 -p1
260 
+%patch282 -p1
261 
+%patch283 -p1
262 
+%patch284 -p1
263 
+%patch285 -p1
264 
+%patch286 -p1
265 
+%patch287 -p1
266 
+%patch288 -p1
267 
+%patch289 -p1
268 
+%patch290 -p1
269 
+%patch291 -p1
270 
+%patch292 -p1
271 
+%patch293 -p1
272 
+%patch294 -p1
273 
+%patch295 -p1
274 
+%patch296 -p1
275 
+%patch297 -p1
276 
+%patch298 -p1
277 
+%patch299 -p1
278 
+%patch300 -p1
279 
+%patch301 -p1
280 
+%patch302 -p1
281 
+%patch303 -p1
282 
+
179 283
180 284 
 %if 0%{?kat_build:1}
181 285 
 %patch1000 -p1
... ... 
@@ -332,6 +543,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
332 332 
 /usr/share/perf-core
333 333
334 334 
 %changelog
335 
+*   Thu Jun 14 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.137-2
336 
+-   Add more spectre mitigations (IBPB/IBRS) and support for SSBD.
335 337 
 *   Wed Jun 13 2018 Alexey Makhalov <amakhalov@vmware.com> 4.4.137-1
336 338 
 -   Update to version 4.4.137. Fix panic in kprobe.
337 339 
 *   Mon May 21 2018 Bo Gan <ganb@vmware.com> 4.4.131-3
SPECS/linux/spectre/0170-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch
History View file @ 4ab22c2
338 340 
deleted file mode 100644
... ... 
@@ -1,101 +0,0 @@
1 
-From 2c536e1e9227a94ce8f3fb8e52591a1c4b9e3975 Mon Sep 17 00:00:00 2001
2 
-From: Tim Chen <tim.c.chen@linux.intel.com>
3 
-Date: Fri, 15 Sep 2017 19:41:24 -0700
4 
-Subject: [PATCH 170/194] x86/syscall: Clear unused extra registers on 32-bit
5 
- compatible syscall entrance
6 
-
7 
-To prevent the unused registers %r8-%r15, from being used speculatively,
8 
-we clear them upon syscall entrance for code hygiene in 32 bit compatible
9 
-mode.
10 
-
11 
-Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
12 
- arch/x86/entry/calling.h         | 11 +++++++++++
13 
- arch/x86/entry/entry_64_compat.S | 18 ++++++++++++++----
14 
- 2 files changed, 25 insertions(+), 4 deletions(-)
15 
-
16 
-diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
17 
-index 9a9e588..1439429 100644
18 
-+++ b/arch/x86/entry/calling.h
19 
-@@ -129,6 +129,17 @@ For 32-bit we have the following conventions - kernel is built with
20 
- 	SAVE_C_REGS_HELPER 0, 0, 0, 1, 0
21 
- 	.endm
22 
-
23 
-+	.macro CLEAR_R8_TO_R15
24 
-+	xorq %r15, %r15
25 
-+	xorq %r14, %r14
26 
-+	xorq %r13, %r13
27 
-+	xorq %r12, %r12
28 
-+	xorq %r11, %r11
29 
-+	xorq %r10, %r10
30 
-+	xorq %r9, %r9
31 
-+	xorq %r8, %r8
32 
-+	.endm
33 
-+
34 
- 	.macro SAVE_EXTRA_REGS offset=0
35 
- 	movq %r15, 0*8+\offset(%rsp)
36 
- 	movq %r14, 1*8+\offset(%rsp)
37 
-diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
38 
-index d03bf0e..0c59ac0 100644
39 
-+++ b/arch/x86/entry/entry_64_compat.S
40 
-@@ -93,12 +93,14 @@ ENTRY(entry_SYSENTER_compat)
41 
- 	pushq   %r8                     /* pt_regs->r11 = 0 */
42 
- 	pushq   %rbx                    /* pt_regs->rbx */
43 
- 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */
44 
--	pushq   %r8                     /* pt_regs->r12 = 0 */
45 
--	pushq   %r8                     /* pt_regs->r13 = 0 */
46 
--	pushq   %r8                     /* pt_regs->r14 = 0 */
47 
--	pushq   %r8                     /* pt_regs->r15 = 0 */
48 
-+	pushq   %r12                    /* pt_regs->r12 */
49 
-+	pushq   %r13                    /* pt_regs->r13 */
50 
-+	pushq   %r14                    /* pt_regs->r14 */
51 
-+	pushq   %r15                    /* pt_regs->r15 */
52 
- 	cld
53 
-
54 
-+	CLEAR_R8_TO_R15
55 
-+
56 
- 	/*
57 
- 	 * Sysenter doesn't filter flags, so we need to clear NT
58 
- 	 * ourselves.  To save a few cycles, we can check whether
59 
-@@ -192,10 +194,12 @@ ENTRY(entry_SYSCALL_compat)
60 
- 	pushq   %r8                     /* pt_regs->r11 = 0 */
61 
- 	pushq   %rbx                    /* pt_regs->rbx */
62 
- 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */
63 
--	pushq   %r8                     /* pt_regs->r12 = 0 */
64 
--	pushq   %r8                     /* pt_regs->r13 = 0 */
65 
--	pushq   %r8                     /* pt_regs->r14 = 0 */
66 
--	pushq   %r8                     /* pt_regs->r15 = 0 */
67 
-+	pushq   %r12                    /* pt_regs->r12 */
68 
-+	pushq   %r13                    /* pt_regs->r13 */
69 
-+	pushq   %r14                    /* pt_regs->r14 */
70 
-+	pushq   %r15                    /* pt_regs->r15 */
71 
-+
72 
-+	CLEAR_R8_TO_R15
73 
-
74 
- 	/*
75 
- 	 * User mode is traced as though IRQs are on, and SYSENTER
76 
-@@ -213,6 +217,10 @@ ENTRY(entry_SYSCALL_compat)
77 
- sysret32_from_system_call:
78 
- 	TRACE_IRQS_ON			/* User mode traces as IRQs on. */
79 
- 	SWITCH_USER_CR3
80 
-+	movq	R15(%rsp), %r15		/* pt_regs->r15 */
81 
-+	movq	R14(%rsp), %r14		/* pt_regs->r14 */
82 
-+	movq	R13(%rsp), %r13		/* pt_regs->r13 */
83 
-+	movq	R12(%rsp), %r12		/* pt_regs->r12 */
84 
- 	movq	RBX(%rsp), %rbx		/* pt_regs->rbx */
85 
- 	movq	RBP(%rsp), %rbp		/* pt_regs->rbp */
86 
- 	movq	EFLAGS(%rsp), %r11	/* pt_regs->flags (in r11) */
87 
-@@ -305,6 +313,8 @@ ENTRY(entry_INT80_compat)
88 
- 	pushq   %r15                    /* pt_regs->r15 */
89 
- 	cld
90 
-
91 
-+	CLEAR_R8_TO_R15
92 
-+
93 
- 	/*
94 
- 	 * User mode is traced as though IRQs are on, and the interrupt
95 
- 	 * gate turned them off.
96 
-2.9.5
97 
-
SPECS/linux/speculative-store-bypass/0001-x86-cpufeature-Move-some-of-the-scattered-feature-bi.patch
History View file @ 4ab22c2
98 1 
new file mode 100644
... ... 
@@ -0,0 +1,176 @@
0 
+From a99f584689c71e5681a9922372ed2b8f0439d3b9 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:00 -0700
3 
+Subject: [PATCH 001/103] x86/cpufeature: Move some of the scattered feature
4 
+ bits to x86_capability
5 
+
6 
+commit 2ccd71f1b278d450a6f8c8c737c7fe237ca06dc6 upstream
7 
+
8 
+Turn the CPUID leafs which are proper CPUID feature bit leafs into
9 
+separate ->x86_capability words.
10 
+
11 
+Signed-off-by: Borislav Petkov <bp@suse.de>
12 
+Link: http://lkml.kernel.org/r/1449481182-27541-2-git-send-email-bp@alien8.de
13 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
14 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
15 
+---
16 
+ arch/x86/include/asm/cpufeature.h | 54 +++++++++++++++++++++++----------------
17 
+ arch/x86/kernel/cpu/common.c      |  5 ++++
18 
+ arch/x86/kernel/cpu/scattered.c   | 20 ---------------
19 
+ 3 files changed, 37 insertions(+), 42 deletions(-)
20 
+
21 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
22 
+index 641f0f2..878788f 100644
23 
+--- a/arch/x86/include/asm/cpufeature.h
24 
+@@ -12,7 +12,7 @@
25 
+ #include <asm/disabled-features.h>
26 
+ #endif
27 
+
28 
+-#define NCAPINTS	14	/* N 32-bit words worth of info */
29 
++#define NCAPINTS	16	/* N 32-bit words worth of info */
30 
+ #define NBUGINTS	1	/* N 32-bit bug flags */
31 
+
32 
+ /*
33 
+@@ -181,23 +181,18 @@
34 
+
35 
+ /*
36 
+  * Auxiliary flags: Linux defined - For features scattered in various
37 
+- * CPUID levels like 0x6, 0xA etc, word 7
38 
++ * CPUID levels like 0x6, 0xA etc, word 7.
39 
++ *
40 
++ * Reuse free bits when adding new feature flags!
41 
+  */
42 
+-#define X86_FEATURE_IDA		( 7*32+ 0) /* Intel Dynamic Acceleration */
43 
+-#define X86_FEATURE_ARAT	( 7*32+ 1) /* Always Running APIC Timer */
44 
++
45 
+ #define X86_FEATURE_CPB		( 7*32+ 2) /* AMD Core Performance Boost */
46 
+ #define X86_FEATURE_EPB		( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */
47 
+ #define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 4) /* Effectively INVPCID && CR4.PCIDE=1 */
48 
+-#define X86_FEATURE_PLN		( 7*32+ 5) /* Intel Power Limit Notification */
49 
+-#define X86_FEATURE_PTS		( 7*32+ 6) /* Intel Package Thermal Status */
50 
+-#define X86_FEATURE_DTHERM	( 7*32+ 7) /* Digital Thermal Sensor */
51 
++
52 
+ #define X86_FEATURE_HW_PSTATE	( 7*32+ 8) /* AMD HW-PState */
53 
+ #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
54 
+-#define X86_FEATURE_HWP		( 7*32+ 10) /* "hwp" Intel HWP */
55 
+-#define X86_FEATURE_HWP_NOTIFY	( 7*32+ 11) /* Intel HWP_NOTIFY */
56 
+-#define X86_FEATURE_HWP_ACT_WINDOW ( 7*32+ 12) /* Intel HWP_ACT_WINDOW */
57 
+-#define X86_FEATURE_HWP_EPP	( 7*32+13) /* Intel HWP_EPP */
58 
+-#define X86_FEATURE_HWP_PKG_REQ ( 7*32+14) /* Intel HWP_PKG_REQ */
59 
++
60 
+ #define X86_FEATURE_INTEL_PT	( 7*32+15) /* Intel Processor Trace */
61 
+ #define X86_FEATURE_RSB_CTXSW	( 7*32+19) /* Fill RSB on context switches */
62 
+
63 
+@@ -212,16 +207,7 @@
64 
+ #define X86_FEATURE_FLEXPRIORITY ( 8*32+ 2) /* Intel FlexPriority */
65 
+ #define X86_FEATURE_EPT         ( 8*32+ 3) /* Intel Extended Page Table */
66 
+ #define X86_FEATURE_VPID        ( 8*32+ 4) /* Intel Virtual Processor ID */
67 
+-#define X86_FEATURE_NPT		( 8*32+ 5) /* AMD Nested Page Table support */
68 
+-#define X86_FEATURE_LBRV	( 8*32+ 6) /* AMD LBR Virtualization support */
69 
+-#define X86_FEATURE_SVML	( 8*32+ 7) /* "svm_lock" AMD SVM locking MSR */
70 
+-#define X86_FEATURE_NRIPS	( 8*32+ 8) /* "nrip_save" AMD SVM next_rip save */
71 
+-#define X86_FEATURE_TSCRATEMSR  ( 8*32+ 9) /* "tsc_scale" AMD TSC scaling support */
72 
+-#define X86_FEATURE_VMCBCLEAN   ( 8*32+10) /* "vmcb_clean" AMD VMCB clean bits support */
73 
+-#define X86_FEATURE_FLUSHBYASID ( 8*32+11) /* AMD flush-by-ASID support */
74 
+-#define X86_FEATURE_DECODEASSISTS ( 8*32+12) /* AMD Decode Assists support */
75 
+-#define X86_FEATURE_PAUSEFILTER ( 8*32+13) /* AMD filtered pause intercept */
76 
+-#define X86_FEATURE_PFTHRESHOLD ( 8*32+14) /* AMD pause filter threshold */
77 
++
78 
+ #define X86_FEATURE_VMMCALL     ( 8*32+15) /* Prefer vmmcall to vmcall */
79 
+ #define X86_FEATURE_XENPV       ( 8*32+16) /* "" Xen paravirtual guest */
80 
+
81 
+@@ -266,6 +252,30 @@
82 
+ /* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
83 
+ #define X86_FEATURE_CLZERO	(13*32+0) /* CLZERO instruction */
84 
+
85 
++/* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
86 
++#define X86_FEATURE_DTHERM	(14*32+ 0) /* Digital Thermal Sensor */
87 
++#define X86_FEATURE_IDA		(14*32+ 1) /* Intel Dynamic Acceleration */
88 
++#define X86_FEATURE_ARAT	(14*32+ 2) /* Always Running APIC Timer */
89 
++#define X86_FEATURE_PLN		(14*32+ 4) /* Intel Power Limit Notification */
90 
++#define X86_FEATURE_PTS		(14*32+ 6) /* Intel Package Thermal Status */
91 
++#define X86_FEATURE_HWP		(14*32+ 7) /* Intel Hardware P-states */
92 
++#define X86_FEATURE_HWP_NOTIFY	(14*32+ 8) /* HWP Notification */
93 
++#define X86_FEATURE_HWP_ACT_WINDOW (14*32+ 9) /* HWP Activity Window */
94 
++#define X86_FEATURE_HWP_EPP	(14*32+10) /* HWP Energy Perf. Preference */
95 
++#define X86_FEATURE_HWP_PKG_REQ (14*32+11) /* HWP Package Level Request */
96 
++
97 
++/* AMD SVM Feature Identification, CPUID level 0x8000000a (edx), word 15 */
98 
++#define X86_FEATURE_NPT		(15*32+ 0) /* Nested Page Table support */
99 
++#define X86_FEATURE_LBRV	(15*32+ 1) /* LBR Virtualization support */
100 
++#define X86_FEATURE_SVML	(15*32+ 2) /* "svm_lock" SVM locking MSR */
101 
++#define X86_FEATURE_NRIPS	(15*32+ 3) /* "nrip_save" SVM next_rip save */
102 
++#define X86_FEATURE_TSCRATEMSR  (15*32+ 4) /* "tsc_scale" TSC scaling support */
103 
++#define X86_FEATURE_VMCBCLEAN   (15*32+ 5) /* "vmcb_clean" VMCB clean bits support */
104 
++#define X86_FEATURE_FLUSHBYASID (15*32+ 6) /* flush-by-ASID support */
105 
++#define X86_FEATURE_DECODEASSISTS (15*32+ 7) /* Decode Assists support */
106 
++#define X86_FEATURE_PAUSEFILTER (15*32+10) /* filtered pause intercept */
107 
++#define X86_FEATURE_PFTHRESHOLD (15*32+12) /* pause filter threshold */
108 
++
109 
+ /*
110 
+  * BUG word(s)
111 
+  */
112 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
113 
+index 8eabbaf..5266e40 100644
114 
+--- a/arch/x86/kernel/cpu/common.c
115 
+@@ -695,6 +695,8 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
116 
+ 		cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx);
117 
+
118 
+ 		c->x86_capability[9] = ebx;
119 
++
120 
++		c->x86_capability[14] = cpuid_eax(0x00000006);
121 
+ 	}
122 
+
123 
+ 	/* Extended state features: level 0x0000000d */
124 
+@@ -756,6 +758,9 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
125 
+ 	if (c->extended_cpuid_level >= 0x80000007)
126 
+ 		c->x86_power = cpuid_edx(0x80000007);
127 
+
128 
++	if (c->extended_cpuid_level >= 0x8000000a)
129 
++		c->x86_capability[15] = cpuid_edx(0x8000000a);
130 
++
131 
+ 	init_scattered_cpuid_features(c);
132 
+ }
133 
+
134 
+diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c
135 
+index 608fb26..8cb57df 100644
136 
+--- a/arch/x86/kernel/cpu/scattered.c
137 
+@@ -31,32 +31,12 @@ void init_scattered_cpuid_features(struct cpuinfo_x86 *c)
138 
+ 	const struct cpuid_bit *cb;
139 
+
140 
+ 	static const struct cpuid_bit cpuid_bits[] = {
141 
+-		{ X86_FEATURE_DTHERM,		CR_EAX, 0, 0x00000006, 0 },
142 
+-		{ X86_FEATURE_IDA,		CR_EAX, 1, 0x00000006, 0 },
143 
+-		{ X86_FEATURE_ARAT,		CR_EAX, 2, 0x00000006, 0 },
144 
+-		{ X86_FEATURE_PLN,		CR_EAX, 4, 0x00000006, 0 },
145 
+-		{ X86_FEATURE_PTS,		CR_EAX, 6, 0x00000006, 0 },
146 
+-		{ X86_FEATURE_HWP,		CR_EAX, 7, 0x00000006, 0 },
147 
+-		{ X86_FEATURE_HWP_NOTIFY,	CR_EAX, 8, 0x00000006, 0 },
148 
+-		{ X86_FEATURE_HWP_ACT_WINDOW,	CR_EAX, 9, 0x00000006, 0 },
149 
+-		{ X86_FEATURE_HWP_EPP,		CR_EAX,10, 0x00000006, 0 },
150 
+-		{ X86_FEATURE_HWP_PKG_REQ,	CR_EAX,11, 0x00000006, 0 },
151 
+ 		{ X86_FEATURE_INTEL_PT,		CR_EBX,25, 0x00000007, 0 },
152 
+ 		{ X86_FEATURE_APERFMPERF,	CR_ECX, 0, 0x00000006, 0 },
153 
+ 		{ X86_FEATURE_EPB,		CR_ECX, 3, 0x00000006, 0 },
154 
+ 		{ X86_FEATURE_HW_PSTATE,	CR_EDX, 7, 0x80000007, 0 },
155 
+ 		{ X86_FEATURE_CPB,		CR_EDX, 9, 0x80000007, 0 },
156 
+ 		{ X86_FEATURE_PROC_FEEDBACK,	CR_EDX,11, 0x80000007, 0 },
157 
+-		{ X86_FEATURE_NPT,		CR_EDX, 0, 0x8000000a, 0 },
158 
+-		{ X86_FEATURE_LBRV,		CR_EDX, 1, 0x8000000a, 0 },
159 
+-		{ X86_FEATURE_SVML,		CR_EDX, 2, 0x8000000a, 0 },
160 
+-		{ X86_FEATURE_NRIPS,		CR_EDX, 3, 0x8000000a, 0 },
161 
+-		{ X86_FEATURE_TSCRATEMSR,	CR_EDX, 4, 0x8000000a, 0 },
162 
+-		{ X86_FEATURE_VMCBCLEAN,	CR_EDX, 5, 0x8000000a, 0 },
163 
+-		{ X86_FEATURE_FLUSHBYASID,	CR_EDX, 6, 0x8000000a, 0 },
164 
+-		{ X86_FEATURE_DECODEASSISTS,	CR_EDX, 7, 0x8000000a, 0 },
165 
+-		{ X86_FEATURE_PAUSEFILTER,	CR_EDX,10, 0x8000000a, 0 },
166 
+-		{ X86_FEATURE_PFTHRESHOLD,	CR_EDX,12, 0x8000000a, 0 },
167 
+ 		{ 0, 0, 0, 0, 0 }
168 
+ 	};
169 
+
170 
+--
171 
+2.7.4
172 
+
SPECS/linux/speculative-store-bypass/0002-x86-cpufeature-Cleanup-get_cpu_cap.patch
History View file @ 4ab22c2
0 173 
new file mode 100644
... ... 
@@ -0,0 +1,200 @@
0 
+From d64c9a53806eacbfc3681184241227cab576bf60 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:00 -0700
3 
+Subject: [PATCH 002/103] x86/cpufeature: Cleanup get_cpu_cap()
4 
+
5 
+commit 39c06df4dc10a41de5fe706f4378ee5f09beba73 upstream
6 
+
7 
+Add an enum for the ->x86_capability array indices and cleanup
8 
+get_cpu_cap() by killing some redundant local vars.
9 
+
10 
+Signed-off-by: Borislav Petkov <bp@suse.de>
11 
+Link: http://lkml.kernel.org/r/1449481182-27541-3-git-send-email-bp@alien8.de
12 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
13 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
14 
+---
15 
+ arch/x86/include/asm/cpufeature.h | 20 +++++++++++++++++
16 
+ arch/x86/kernel/cpu/centaur.c     |  2 +-
17 
+ arch/x86/kernel/cpu/common.c      | 47 ++++++++++++++++++---------------------
18 
+ arch/x86/kernel/cpu/transmeta.c   |  4 ++--
19 
+ 4 files changed, 45 insertions(+), 28 deletions(-)
20 
+
21 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
22 
+index 878788f..17e6c25 100644
23 
+--- a/arch/x86/include/asm/cpufeature.h
24 
+@@ -299,6 +299,26 @@
25 
+ #include <asm/asm.h>
26 
+ #include <linux/bitops.h>
27 
+
28 
++enum cpuid_leafs
29 
++{
30 
++	CPUID_1_EDX		= 0,
31 
++	CPUID_8000_0001_EDX,
32 
++	CPUID_8086_0001_EDX,
33 
++	CPUID_LNX_1,
34 
++	CPUID_1_ECX,
35 
++	CPUID_C000_0001_EDX,
36 
++	CPUID_8000_0001_ECX,
37 
++	CPUID_LNX_2,
38 
++	CPUID_LNX_3,
39 
++	CPUID_7_0_EBX,
40 
++	CPUID_D_1_EAX,
41 
++	CPUID_F_0_EDX,
42 
++	CPUID_F_1_EDX,
43 
++	CPUID_8000_0008_EBX,
44 
++	CPUID_6_EAX,
45 
++	CPUID_8000_000A_EDX,
46 
++};
47 
++
48 
+ #ifdef CONFIG_X86_FEATURE_NAMES
49 
+ extern const char * const x86_cap_flags[NCAPINTS*32];
50 
+ extern const char * const x86_power_flags[32];
51 
+diff --git a/arch/x86/kernel/cpu/centaur.c b/arch/x86/kernel/cpu/centaur.c
52 
+index d8fba5c..ae20be6 100644
53 
+--- a/arch/x86/kernel/cpu/centaur.c
54 
+@@ -43,7 +43,7 @@ static void init_c3(struct cpuinfo_x86 *c)
55 
+ 		/* store Centaur Extended Feature Flags as
56 
+ 		 * word 5 of the CPU capability bit array
57 
+ 		 */
58 
+-		c->x86_capability[5] = cpuid_edx(0xC0000001);
59 
++		c->x86_capability[CPUID_C000_0001_EDX] = cpuid_edx(0xC0000001);
60 
+ 	}
61 
+ #ifdef CONFIG_X86_32
62 
+ 	/* Cyrix III family needs CX8 & PGE explicitly enabled. */
63 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
64 
+index 5266e40..9004dfc 100644
65 
+--- a/arch/x86/kernel/cpu/common.c
66 
+@@ -676,52 +676,47 @@ static void apply_forced_caps(struct cpuinfo_x86 *c)
67 
+
68 
+ void get_cpu_cap(struct cpuinfo_x86 *c)
69 
+ {
70 
+-	u32 tfms, xlvl;
71 
+-	u32 ebx;
72 
++	u32 eax, ebx, ecx, edx;
73 
+
74 
+ 	/* Intel-defined flags: level 0x00000001 */
75 
+ 	if (c->cpuid_level >= 0x00000001) {
76 
+-		u32 capability, excap;
77 
++		cpuid(0x00000001, &eax, &ebx, &ecx, &edx);
78 
+
79 
+-		cpuid(0x00000001, &tfms, &ebx, &excap, &capability);
80 
+-		c->x86_capability[0] = capability;
81 
+-		c->x86_capability[4] = excap;
82 
++		c->x86_capability[CPUID_1_ECX] = ecx;
83 
++		c->x86_capability[CPUID_1_EDX] = edx;
84 
+ 	}
85 
+
86 
+ 	/* Additional Intel-defined flags: level 0x00000007 */
87 
+ 	if (c->cpuid_level >= 0x00000007) {
88 
+-		u32 eax, ebx, ecx, edx;
89 
+-
90 
+ 		cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx);
91 
+
92 
+-		c->x86_capability[9] = ebx;
93 
++		c->x86_capability[CPUID_7_0_EBX] = ebx;
94 
+
95 
+-		c->x86_capability[14] = cpuid_eax(0x00000006);
96 
++		c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006);
97 
+ 	}
98 
+
99 
+ 	/* Extended state features: level 0x0000000d */
100 
+ 	if (c->cpuid_level >= 0x0000000d) {
101 
+-		u32 eax, ebx, ecx, edx;
102 
+-
103 
+ 		cpuid_count(0x0000000d, 1, &eax, &ebx, &ecx, &edx);
104 
+
105 
+-		c->x86_capability[10] = eax;
106 
++		c->x86_capability[CPUID_D_1_EAX] = eax;
107 
+ 	}
108 
+
109 
+ 	/* Additional Intel-defined flags: level 0x0000000F */
110 
+ 	if (c->cpuid_level >= 0x0000000F) {
111 
+-		u32 eax, ebx, ecx, edx;
112 
+
113 
+ 		/* QoS sub-leaf, EAX=0Fh, ECX=0 */
114 
+ 		cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx);
115 
+-		c->x86_capability[11] = edx;
116 
++		c->x86_capability[CPUID_F_0_EDX] = edx;
117 
++
118 
+ 		if (cpu_has(c, X86_FEATURE_CQM_LLC)) {
119 
+ 			/* will be overridden if occupancy monitoring exists */
120 
+ 			c->x86_cache_max_rmid = ebx;
121 
+
122 
+ 			/* QoS sub-leaf, EAX=0Fh, ECX=1 */
123 
+ 			cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx);
124 
+-			c->x86_capability[12] = edx;
125 
++			c->x86_capability[CPUID_F_1_EDX] = edx;
126 
++
127 
+ 			if (cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) {
128 
+ 				c->x86_cache_max_rmid = ecx;
129 
+ 				c->x86_cache_occ_scale = ebx;
130 
+@@ -733,22 +728,24 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
131 
+ 	}
132 
+
133 
+ 	/* AMD-defined flags: level 0x80000001 */
134 
+-	xlvl = cpuid_eax(0x80000000);
135 
+-	c->extended_cpuid_level = xlvl;
136 
++	eax = cpuid_eax(0x80000000);
137 
++	c->extended_cpuid_level = eax;
138 
++
139 
++	if ((eax & 0xffff0000) == 0x80000000) {
140 
++		if (eax >= 0x80000001) {
141 
++			cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
142 
+
143 
+-	if ((xlvl & 0xffff0000) == 0x80000000) {
144 
+-		if (xlvl >= 0x80000001) {
145 
+-			c->x86_capability[1] = cpuid_edx(0x80000001);
146 
+-			c->x86_capability[6] = cpuid_ecx(0x80000001);
147 
++			c->x86_capability[CPUID_8000_0001_ECX] = ecx;
148 
++			c->x86_capability[CPUID_8000_0001_EDX] = edx;
149 
+ 		}
150 
+ 	}
151 
+
152 
+ 	if (c->extended_cpuid_level >= 0x80000008) {
153 
+-		u32 eax = cpuid_eax(0x80000008);
154 
++		cpuid(0x80000008, &eax, &ebx, &ecx, &edx);
155 
+
156 
+ 		c->x86_virt_bits = (eax >> 8) & 0xff;
157 
+ 		c->x86_phys_bits = eax & 0xff;
158 
+-		c->x86_capability[13] = cpuid_ebx(0x80000008);
159 
++		c->x86_capability[CPUID_8000_0008_EBX] = ebx;
160 
+ 	}
161 
+ #ifdef CONFIG_X86_32
162 
+ 	else if (cpu_has(c, X86_FEATURE_PAE) || cpu_has(c, X86_FEATURE_PSE36))
163 
+@@ -759,7 +756,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
164 
+ 		c->x86_power = cpuid_edx(0x80000007);
165 
+
166 
+ 	if (c->extended_cpuid_level >= 0x8000000a)
167 
+-		c->x86_capability[15] = cpuid_edx(0x8000000a);
168 
++		c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a);
169 
+
170 
+ 	init_scattered_cpuid_features(c);
171 
+ }
172 
+diff --git a/arch/x86/kernel/cpu/transmeta.c b/arch/x86/kernel/cpu/transmeta.c
173 
+index 3fa0e5a..252da7a 100644
174 
+--- a/arch/x86/kernel/cpu/transmeta.c
175 
+@@ -12,7 +12,7 @@ static void early_init_transmeta(struct cpuinfo_x86 *c)
176 
+ 	xlvl = cpuid_eax(0x80860000);
177 
+ 	if ((xlvl & 0xffff0000) == 0x80860000) {
178 
+ 		if (xlvl >= 0x80860001)
179 
+-			c->x86_capability[2] = cpuid_edx(0x80860001);
180 
++			c->x86_capability[CPUID_8086_0001_EDX] = cpuid_edx(0x80860001);
181 
+ 	}
182 
+ }
183 
+
184 
+@@ -82,7 +82,7 @@ static void init_transmeta(struct cpuinfo_x86 *c)
185 
+ 	/* Unhide possibly hidden capability flags */
186 
+ 	rdmsr(0x80860004, cap_mask, uk);
187 
+ 	wrmsr(0x80860004, ~0, uk);
188 
+-	c->x86_capability[0] = cpuid_edx(0x00000001);
189 
++	c->x86_capability[CPUID_1_EDX] = cpuid_edx(0x00000001);
190 
+ 	wrmsr(0x80860004, cap_mask, uk);
191 
+
192 
+ 	/* All Transmeta CPUs have a constant TSC */
193 
+--
194 
+2.7.4
195 
+
SPECS/linux/speculative-store-bypass/0003-x86-Remove-unused-function-cpu_has_ht_siblings.patch
History View file @ 4ab22c2
0 196 
new file mode 100644
... ... 
@@ -0,0 +1,40 @@
0 
+From be043dd01d7ea355d1cbd483849a28b52362be15 Mon Sep 17 00:00:00 2001
1 
+From: Juergen Gross <jgross@suse.com>
2 
+Date: Thu, 14 Jun 2018 14:56:01 -0700
3 
+Subject: [PATCH 003/103] x86: Remove unused function cpu_has_ht_siblings()
4 
+
5 
+commit ed29210cd6a67425026e78aa298fa434e11a74e3 upstream
6 
+
7 
+It is used nowhere.
8 
+
9 
+Signed-off-by: Juergen Gross <jgross@suse.com>
10 
+Link: http://lkml.kernel.org/r/1447761943-770-1-git-send-email-jgross@suse.com
11 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
12 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
13 
+---
14 
+ arch/x86/include/asm/smp.h | 9 ---------
15 
+ 1 file changed, 9 deletions(-)
16 
+
17 
+diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
18 
+index 222a6a3..a438c55 100644
19 
+--- a/arch/x86/include/asm/smp.h
20 
+@@ -21,15 +21,6 @@
21 
+ extern int smp_num_siblings;
22 
+ extern unsigned int num_processors;
23 
+
24 
+-static inline bool cpu_has_ht_siblings(void)
25 
+-{
26 
+-	bool has_siblings = false;
27 
+-#ifdef CONFIG_SMP
28 
+-	has_siblings = cpu_has_ht && smp_num_siblings > 1;
29 
+-#endif
30 
+-	return has_siblings;
31 
+-}
32 
+-
33 
+ DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_sibling_map);
34 
+ DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_core_map);
35 
+ /* cpus sharing the last level cache: */
36 
+--
37 
+2.7.4
38 
+
SPECS/linux/speculative-store-bypass/0004-x86-cpufeature-Remove-unused-and-seldomly-used-cpu_h.patch
History View file @ 4ab22c2
0 39 
new file mode 100644
... ... 
@@ -0,0 +1,527 @@
0 
+From ad1992d099dd2acef343d466d0e40a630b33fff1 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:01 -0700
3 
+Subject: [PATCH 004/103] x86/cpufeature: Remove unused and seldomly used
4 
+ cpu_has_xx macros
5 
+
6 
+commit 362f924b64ba0f4be2ee0cb697690c33d40be721 upstream
7 
+
8 
+Those are stupid and code should use static_cpu_has_safe() or
9 
+boot_cpu_has() instead. Kill the least used and unused ones.
10 
+
11 
+The remaining ones need more careful inspection before a conversion can
12 
+happen. On the TODO.
13 
+
14 
+Signed-off-by: Borislav Petkov <bp@suse.de>
15 
+Link: http://lkml.kernel.org/r/1449481182-27541-4-git-send-email-bp@alien8.de
16 
+Cc: David Sterba <dsterba@suse.com>
17 
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
18 
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
19 
+Cc: Matt Mackall <mpm@selenic.com>
20 
+Cc: Chris Mason <clm@fb.com>
21 
+Cc: Josef Bacik <jbacik@fb.com>
22 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
23 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
24 
+---
25 
+ arch/x86/crypto/chacha20_glue.c             |  2 +-
26 
+ arch/x86/crypto/crc32c-intel_glue.c         |  2 +-
27 
+ arch/x86/include/asm/cmpxchg_32.h           |  2 +-
28 
+ arch/x86/include/asm/cmpxchg_64.h           |  2 +-
29 
+ arch/x86/include/asm/cpufeature.h           | 37 ++++-------------------------
30 
+ arch/x86/include/asm/xor_32.h               |  2 +-
31 
+ arch/x86/kernel/cpu/amd.c                   |  4 ++--
32 
+ arch/x86/kernel/cpu/common.c                |  4 +++-
33 
+ arch/x86/kernel/cpu/intel.c                 |  3 ++-
34 
+ arch/x86/kernel/cpu/intel_cacheinfo.c       |  6 ++---
35 
+ arch/x86/kernel/cpu/mtrr/generic.c          |  2 +-
36 
+ arch/x86/kernel/cpu/mtrr/main.c             |  2 +-
37 
+ arch/x86/kernel/cpu/perf_event_amd.c        |  4 ++--
38 
+ arch/x86/kernel/cpu/perf_event_amd_uncore.c | 11 +++++----
39 
+ arch/x86/kernel/fpu/init.c                  |  4 ++--
40 
+ arch/x86/kernel/hw_breakpoint.c             |  6 +++--
41 
+ arch/x86/kernel/smpboot.c                   |  2 +-
42 
+ arch/x86/kernel/vm86_32.c                   |  4 +++-
43 
+ arch/x86/mm/setup_nx.c                      |  4 ++--
44 
+ drivers/char/hw_random/via-rng.c            |  5 ++--
45 
+ drivers/crypto/padlock-aes.c                |  2 +-
46 
+ drivers/crypto/padlock-sha.c                |  2 +-
47 
+ drivers/iommu/intel_irq_remapping.c         |  2 +-
48 
+ fs/btrfs/disk-io.c                          |  2 +-
49 
+ 24 files changed, 48 insertions(+), 68 deletions(-)
50 
+
51 
+diff --git a/arch/x86/crypto/chacha20_glue.c b/arch/x86/crypto/chacha20_glue.c
52 
+index 722bace..8baaff5 100644
53 
+--- a/arch/x86/crypto/chacha20_glue.c
54 
+@@ -125,7 +125,7 @@ static struct crypto_alg alg = {
55 
+
56 
+ static int __init chacha20_simd_mod_init(void)
57 
+ {
58 
+-	if (!cpu_has_ssse3)
59 
++	if (!boot_cpu_has(X86_FEATURE_SSSE3))
60 
+ 		return -ENODEV;
61 
+
62 
+ #ifdef CONFIG_AS_AVX2
63 
+diff --git a/arch/x86/crypto/crc32c-intel_glue.c b/arch/x86/crypto/crc32c-intel_glue.c
64 
+index 81a595d..0e98716 100644
65 
+--- a/arch/x86/crypto/crc32c-intel_glue.c
66 
+@@ -257,7 +257,7 @@ static int __init crc32c_intel_mod_init(void)
67 
+ 	if (!x86_match_cpu(crc32c_cpu_id))
68 
+ 		return -ENODEV;
69 
+ #ifdef CONFIG_X86_64
70 
+-	if (cpu_has_pclmulqdq) {
71 
++	if (boot_cpu_has(X86_FEATURE_PCLMULQDQ)) {
72 
+ 		alg.update = crc32c_pcl_intel_update;
73 
+ 		alg.finup = crc32c_pcl_intel_finup;
74 
+ 		alg.digest = crc32c_pcl_intel_digest;
75 
+diff --git a/arch/x86/include/asm/cmpxchg_32.h b/arch/x86/include/asm/cmpxchg_32.h
76 
+index f7e1429..e4959d0 100644
77 
+--- a/arch/x86/include/asm/cmpxchg_32.h
78 
+@@ -109,6 +109,6 @@ static inline u64 __cmpxchg64_local(volatile u64 *ptr, u64 old, u64 new)
79 
+
80 
+ #endif
81 
+
82 
+-#define system_has_cmpxchg_double() cpu_has_cx8
83 
++#define system_has_cmpxchg_double() boot_cpu_has(X86_FEATURE_CX8)
84 
+
85 
+ #endif /* _ASM_X86_CMPXCHG_32_H */
86 
+diff --git a/arch/x86/include/asm/cmpxchg_64.h b/arch/x86/include/asm/cmpxchg_64.h
87 
+index 1af9469..caa23a3 100644
88 
+--- a/arch/x86/include/asm/cmpxchg_64.h
89 
+@@ -18,6 +18,6 @@ static inline void set_64bit(volatile u64 *ptr, u64 val)
90 
+ 	cmpxchg_local((ptr), (o), (n));					\
91 
+ })
92 
+
93 
+-#define system_has_cmpxchg_double() cpu_has_cx16
94 
++#define system_has_cmpxchg_double() boot_cpu_has(X86_FEATURE_CX16)
95 
+
96 
+ #endif /* _ASM_X86_CMPXCHG_64_H */
97 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
98 
+index 17e6c25..1b1c0ef 100644
99 
+--- a/arch/x86/include/asm/cpufeature.h
100 
+@@ -398,58 +398,29 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
101 
+ #define setup_force_cpu_bug(bit) setup_force_cpu_cap(bit)
102 
+
103 
+ #define cpu_has_fpu		boot_cpu_has(X86_FEATURE_FPU)
104 
+-#define cpu_has_de		boot_cpu_has(X86_FEATURE_DE)
105 
+ #define cpu_has_pse		boot_cpu_has(X86_FEATURE_PSE)
106 
+ #define cpu_has_tsc		boot_cpu_has(X86_FEATURE_TSC)
107 
+ #define cpu_has_pge		boot_cpu_has(X86_FEATURE_PGE)
108 
+ #define cpu_has_apic		boot_cpu_has(X86_FEATURE_APIC)
109 
+-#define cpu_has_sep		boot_cpu_has(X86_FEATURE_SEP)
110 
+-#define cpu_has_mtrr		boot_cpu_has(X86_FEATURE_MTRR)
111 
+-#define cpu_has_mmx		boot_cpu_has(X86_FEATURE_MMX)
112 
+ #define cpu_has_fxsr		boot_cpu_has(X86_FEATURE_FXSR)
113 
+ #define cpu_has_xmm		boot_cpu_has(X86_FEATURE_XMM)
114 
+ #define cpu_has_xmm2		boot_cpu_has(X86_FEATURE_XMM2)
115 
+-#define cpu_has_xmm3		boot_cpu_has(X86_FEATURE_XMM3)
116 
+-#define cpu_has_ssse3		boot_cpu_has(X86_FEATURE_SSSE3)
117 
+ #define cpu_has_aes		boot_cpu_has(X86_FEATURE_AES)
118 
+ #define cpu_has_avx		boot_cpu_has(X86_FEATURE_AVX)
119 
+ #define cpu_has_avx2		boot_cpu_has(X86_FEATURE_AVX2)
120 
+-#define cpu_has_ht		boot_cpu_has(X86_FEATURE_HT)
121 
+-#define cpu_has_nx		boot_cpu_has(X86_FEATURE_NX)
122 
+-#define cpu_has_xstore		boot_cpu_has(X86_FEATURE_XSTORE)
123 
+-#define cpu_has_xstore_enabled	boot_cpu_has(X86_FEATURE_XSTORE_EN)
124 
+-#define cpu_has_xcrypt		boot_cpu_has(X86_FEATURE_XCRYPT)
125 
+-#define cpu_has_xcrypt_enabled	boot_cpu_has(X86_FEATURE_XCRYPT_EN)
126 
+-#define cpu_has_ace2		boot_cpu_has(X86_FEATURE_ACE2)
127 
+-#define cpu_has_ace2_enabled	boot_cpu_has(X86_FEATURE_ACE2_EN)
128 
+-#define cpu_has_phe		boot_cpu_has(X86_FEATURE_PHE)
129 
+-#define cpu_has_phe_enabled	boot_cpu_has(X86_FEATURE_PHE_EN)
130 
+-#define cpu_has_pmm		boot_cpu_has(X86_FEATURE_PMM)
131 
+-#define cpu_has_pmm_enabled	boot_cpu_has(X86_FEATURE_PMM_EN)
132 
+-#define cpu_has_ds		boot_cpu_has(X86_FEATURE_DS)
133 
+-#define cpu_has_pebs		boot_cpu_has(X86_FEATURE_PEBS)
134 
+ #define cpu_has_clflush		boot_cpu_has(X86_FEATURE_CLFLUSH)
135 
+-#define cpu_has_bts		boot_cpu_has(X86_FEATURE_BTS)
136 
+ #define cpu_has_gbpages		boot_cpu_has(X86_FEATURE_GBPAGES)
137 
+ #define cpu_has_arch_perfmon	boot_cpu_has(X86_FEATURE_ARCH_PERFMON)
138 
+ #define cpu_has_pat		boot_cpu_has(X86_FEATURE_PAT)
139 
+-#define cpu_has_xmm4_1		boot_cpu_has(X86_FEATURE_XMM4_1)
140 
+-#define cpu_has_xmm4_2		boot_cpu_has(X86_FEATURE_XMM4_2)
141 
+ #define cpu_has_x2apic		boot_cpu_has(X86_FEATURE_X2APIC)
142 
+ #define cpu_has_xsave		boot_cpu_has(X86_FEATURE_XSAVE)
143 
+-#define cpu_has_xsaveopt	boot_cpu_has(X86_FEATURE_XSAVEOPT)
144 
+ #define cpu_has_xsaves		boot_cpu_has(X86_FEATURE_XSAVES)
145 
+ #define cpu_has_osxsave		boot_cpu_has(X86_FEATURE_OSXSAVE)
146 
+ #define cpu_has_hypervisor	boot_cpu_has(X86_FEATURE_HYPERVISOR)
147 
+-#define cpu_has_pclmulqdq	boot_cpu_has(X86_FEATURE_PCLMULQDQ)
148 
+-#define cpu_has_perfctr_core	boot_cpu_has(X86_FEATURE_PERFCTR_CORE)
149 
+-#define cpu_has_perfctr_nb	boot_cpu_has(X86_FEATURE_PERFCTR_NB)
150 
+-#define cpu_has_perfctr_l2	boot_cpu_has(X86_FEATURE_PERFCTR_L2)
151 
+-#define cpu_has_cx8		boot_cpu_has(X86_FEATURE_CX8)
152 
+-#define cpu_has_cx16		boot_cpu_has(X86_FEATURE_CX16)
153 
+-#define cpu_has_eager_fpu	boot_cpu_has(X86_FEATURE_EAGER_FPU)
154 
+-#define cpu_has_topoext		boot_cpu_has(X86_FEATURE_TOPOEXT)
155 
+-#define cpu_has_bpext		boot_cpu_has(X86_FEATURE_BPEXT)
156 
++/*
157 
++ * Do not add any more of those clumsy macros - use static_cpu_has_safe() for
158 
++ * fast paths and boot_cpu_has() otherwise!
159 
++ */
160 
+
161 
+ #if __GNUC__ >= 4
162 
+ extern void warn_pre_alternatives(void);
163 
+diff --git a/arch/x86/include/asm/xor_32.h b/arch/x86/include/asm/xor_32.h
164 
+index 5a08bc8..c54beb4 100644
165 
+--- a/arch/x86/include/asm/xor_32.h
166 
+@@ -553,7 +553,7 @@ do {							\
167 
+ 	if (cpu_has_xmm) {				\
168 
+ 		xor_speed(&xor_block_pIII_sse);		\
169 
+ 		xor_speed(&xor_block_sse_pf64);		\
170 
+-	} else if (cpu_has_mmx) {			\
171 
++	} else if (boot_cpu_has(X86_FEATURE_MMX)) {	\
172 
+ 		xor_speed(&xor_block_pII_mmx);		\
173 
+ 		xor_speed(&xor_block_p5_mmx);		\
174 
+ 	} else {					\
175 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
176 
+index 4bf9e77..f4fb8f5 100644
177 
+--- a/arch/x86/kernel/cpu/amd.c
178 
+@@ -304,7 +304,7 @@ static void amd_get_topology(struct cpuinfo_x86 *c)
179 
+ 	int cpu = smp_processor_id();
180 
+
181 
+ 	/* get information required for multi-node processors */
182 
+-	if (cpu_has_topoext) {
183 
++	if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
184 
+ 		u32 eax, ebx, ecx, edx;
185 
+
186 
+ 		cpuid(0x8000001e, &eax, &ebx, &ecx, &edx);
187 
+@@ -954,7 +954,7 @@ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
188 
+
189 
+ void set_dr_addr_mask(unsigned long mask, int dr)
190 
+ {
191 
+-	if (!cpu_has_bpext)
192 
++	if (!boot_cpu_has(X86_FEATURE_BPEXT))
193 
+ 		return;
194 
+
195 
+ 	switch (dr) {
196 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
197 
+index 9004dfc..5b6e43b 100644
198 
+--- a/arch/x86/kernel/cpu/common.c
199 
+@@ -1541,7 +1541,9 @@ void cpu_init(void)
200 
+
201 
+ 	printk(KERN_INFO "Initializing CPU#%d\n", cpu);
202 
+
203 
+-	if (cpu_feature_enabled(X86_FEATURE_VME) || cpu_has_tsc || cpu_has_de)
204 
++	if (cpu_feature_enabled(X86_FEATURE_VME) ||
205 
++	    cpu_has_tsc ||
206 
++	    boot_cpu_has(X86_FEATURE_DE))
207 
+ 		cr4_clear_bits(X86_CR4_VME|X86_CR4_PVI|X86_CR4_TSD|X86_CR4_DE);
208 
+
209 
+ 	load_current_idt();
210 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
211 
+index 209ac1e..565648b 100644
212 
+--- a/arch/x86/kernel/cpu/intel.c
213 
+@@ -445,7 +445,8 @@ static void init_intel(struct cpuinfo_x86 *c)
214 
+
215 
+ 	if (cpu_has_xmm2)
216 
+ 		set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);
217 
+-	if (cpu_has_ds) {
218 
++
219 
++	if (boot_cpu_has(X86_FEATURE_DS)) {
220 
+ 		unsigned int l1;
221 
+ 		rdmsr(MSR_IA32_MISC_ENABLE, l1, l2);
222 
+ 		if (!(l1 & (1<<11)))
223 
+diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
224 
+index b4ca91c..3fa7231 100644
225 
+--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
226 
+@@ -591,7 +591,7 @@ cpuid4_cache_lookup_regs(int index, struct _cpuid4_info_regs *this_leaf)
227 
+ 	unsigned		edx;
228 
+
229 
+ 	if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) {
230 
+-		if (cpu_has_topoext)
231 
++		if (boot_cpu_has(X86_FEATURE_TOPOEXT))
232 
+ 			cpuid_count(0x8000001d, index, &eax.full,
233 
+ 				    &ebx.full, &ecx.full, &edx);
234 
+ 		else
235 
+@@ -637,7 +637,7 @@ static int find_num_cache_leaves(struct cpuinfo_x86 *c)
236 
+ void init_amd_cacheinfo(struct cpuinfo_x86 *c)
237 
+ {
238 
+
239 
+-	if (cpu_has_topoext) {
240 
++	if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
241 
+ 		num_cache_leaves = find_num_cache_leaves(c);
242 
+ 	} else if (c->extended_cpuid_level >= 0x80000006) {
243 
+ 		if (cpuid_edx(0x80000006) & 0xf000)
244 
+@@ -809,7 +809,7 @@ static int __cache_amd_cpumap_setup(unsigned int cpu, int index,
245 
+ 	struct cacheinfo *this_leaf;
246 
+ 	int i, sibling;
247 
+
248 
+-	if (cpu_has_topoext) {
249 
++	if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
250 
+ 		unsigned int apicid, nshared, first, last;
251 
+
252 
+ 		this_leaf = this_cpu_ci->info_list + index;
253 
+diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
254 
+index b5624fa..136ae86 100644
255 
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
256 
+@@ -349,7 +349,7 @@ static void get_fixed_ranges(mtrr_type *frs)
257 
+
258 
+ void mtrr_save_fixed_ranges(void *info)
259 
+ {
260 
+-	if (cpu_has_mtrr)
261 
++	if (boot_cpu_has(X86_FEATURE_MTRR))
262 
+ 		get_fixed_ranges(mtrr_state.fixed_ranges);
263 
+ }
264 
+
265 
+diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
266 
+index fa77ac8..f924f41 100644
267 
+--- a/arch/x86/kernel/cpu/mtrr/main.c
268 
+@@ -682,7 +682,7 @@ void __init mtrr_bp_init(void)
269 
+
270 
+ 	phys_addr = 32;
271 
+
272 
+-	if (cpu_has_mtrr) {
273 
++	if (boot_cpu_has(X86_FEATURE_MTRR)) {
274 
+ 		mtrr_if = &generic_mtrr_ops;
275 
+ 		size_or_mask = SIZE_OR_MASK_BITS(36);
276 
+ 		size_and_mask = 0x00f00000;
277 
+diff --git a/arch/x86/kernel/cpu/perf_event_amd.c b/arch/x86/kernel/cpu/perf_event_amd.c
278 
+index 1cee5d2..3ea177c 100644
279 
+--- a/arch/x86/kernel/cpu/perf_event_amd.c
280 
+@@ -160,7 +160,7 @@ static inline int amd_pmu_addr_offset(int index, bool eventsel)
281 
+ 	if (offset)
282 
+ 		return offset;
283 
+
284 
+-	if (!cpu_has_perfctr_core)
285 
++	if (!boot_cpu_has(X86_FEATURE_PERFCTR_CORE))
286 
+ 		offset = index;
287 
+ 	else
288 
+ 		offset = index << 1;
289 
+@@ -652,7 +652,7 @@ static __initconst const struct x86_pmu amd_pmu = {
290 
+
291 
+ static int __init amd_core_pmu_init(void)
292 
+ {
293 
+-	if (!cpu_has_perfctr_core)
294 
++	if (!boot_cpu_has(X86_FEATURE_PERFCTR_CORE))
295 
+ 		return 0;
296 
+
297 
+ 	switch (boot_cpu_data.x86) {
298 
+diff --git a/arch/x86/kernel/cpu/perf_event_amd_uncore.c b/arch/x86/kernel/cpu/perf_event_amd_uncore.c
299 
+index cc6cedb..4974274 100644
300 
+--- a/arch/x86/kernel/cpu/perf_event_amd_uncore.c
301 
+@@ -523,10 +523,10 @@ static int __init amd_uncore_init(void)
302 
+ 	if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
303 
+ 		goto fail_nodev;
304 
+
305 
+-	if (!cpu_has_topoext)
306 
++	if (!boot_cpu_has(X86_FEATURE_TOPOEXT))
307 
+ 		goto fail_nodev;
308 
+
309 
+-	if (cpu_has_perfctr_nb) {
310 
++	if (boot_cpu_has(X86_FEATURE_PERFCTR_NB)) {
311 
+ 		amd_uncore_nb = alloc_percpu(struct amd_uncore *);
312 
+ 		if (!amd_uncore_nb) {
313 
+ 			ret = -ENOMEM;
314 
+@@ -540,7 +540,7 @@ static int __init amd_uncore_init(void)
315 
+ 		ret = 0;
316 
+ 	}
317 
+
318 
+-	if (cpu_has_perfctr_l2) {
319 
++	if (boot_cpu_has(X86_FEATURE_PERFCTR_L2)) {
320 
+ 		amd_uncore_l2 = alloc_percpu(struct amd_uncore *);
321 
+ 		if (!amd_uncore_l2) {
322 
+ 			ret = -ENOMEM;
323 
+@@ -583,10 +583,11 @@ fail_online:
324 
+
325 
+ 	/* amd_uncore_nb/l2 should have been freed by cleanup_cpu_online */
326 
+ 	amd_uncore_nb = amd_uncore_l2 = NULL;
327 
+-	if (cpu_has_perfctr_l2)
328 
++
329 
++	if (boot_cpu_has(X86_FEATURE_PERFCTR_L2))
330 
+ 		perf_pmu_unregister(&amd_l2_pmu);
331 
+ fail_l2:
332 
+-	if (cpu_has_perfctr_nb)
333 
++	if (boot_cpu_has(X86_FEATURE_PERFCTR_NB))
334 
+ 		perf_pmu_unregister(&amd_nb_pmu);
335 
+ 	if (amd_uncore_l2)
336 
+ 		free_percpu(amd_uncore_l2);
337 
+diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c
338 
+index 1011c05b..42a0b87 100644
339 
+--- a/arch/x86/kernel/fpu/init.c
340 
+@@ -12,7 +12,7 @@
341 
+  */
342 
+ static void fpu__init_cpu_ctx_switch(void)
343 
+ {
344 
+-	if (!cpu_has_eager_fpu)
345 
++	if (!boot_cpu_has(X86_FEATURE_EAGER_FPU))
346 
+ 		stts();
347 
+ 	else
348 
+ 		clts();
349 
+@@ -288,7 +288,7 @@ static void __init fpu__init_system_ctx_switch(void)
350 
+ 	current_thread_info()->status = 0;
351 
+
352 
+ 	/* Auto enable eagerfpu for xsaveopt */
353 
+-	if (cpu_has_xsaveopt && eagerfpu != DISABLE)
354 
++	if (boot_cpu_has(X86_FEATURE_XSAVEOPT) && eagerfpu != DISABLE)
355 
+ 		eagerfpu = ENABLE;
356 
+
357 
+ 	if (xfeatures_mask & XFEATURE_MASK_EAGER) {
358 
+diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
359 
+index 50a3fad..2bcfb5f 100644
360 
+--- a/arch/x86/kernel/hw_breakpoint.c
361 
+@@ -300,6 +300,10 @@ static int arch_build_bp_info(struct perf_event *bp)
362 
+ 			return -EINVAL;
363 
+ 		if (bp->attr.bp_addr & (bp->attr.bp_len - 1))
364 
+ 			return -EINVAL;
365 
++
366 
++		if (!boot_cpu_has(X86_FEATURE_BPEXT))
367 
++			return -EOPNOTSUPP;
368 
++
369 
+ 		/*
370 
+ 		 * It's impossible to use a range breakpoint to fake out
371 
+ 		 * user vs kernel detection because bp_len - 1 can't
372 
+@@ -307,8 +311,6 @@ static int arch_build_bp_info(struct perf_event *bp)
373 
+ 		 * breakpoints, then we'll have to check for kprobe-blacklisted
374 
+ 		 * addresses anywhere in the range.
375 
+ 		 */
376 
+-		if (!cpu_has_bpext)
377 
+-			return -EOPNOTSUPP;
378 
+ 		info->mask = bp->attr.bp_len - 1;
379 
+ 		info->len = X86_BREAKPOINT_LEN_1;
380 
+ 	}
381 
+diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
382 
+index 48ca932..1f7aefc 100644
383 
+--- a/arch/x86/kernel/smpboot.c
384 
+@@ -295,7 +295,7 @@ do {									\
385 
+
386 
+ static bool match_smt(struct cpuinfo_x86 *c, struct cpuinfo_x86 *o)
387 
+ {
388 
+-	if (cpu_has_topoext) {
389 
++	if (boot_cpu_has(X86_FEATURE_TOPOEXT)) {
390 
+ 		int cpu1 = c->cpu_index, cpu2 = o->cpu_index;
391 
+
392 
+ 		if (c->phys_proc_id == o->phys_proc_id &&
393 
+diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
394 
+index af57736..d6d64a5 100644
395 
+--- a/arch/x86/kernel/vm86_32.c
396 
+@@ -357,8 +357,10 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus)
397 
+ 	tss = &per_cpu(cpu_tss, get_cpu());
398 
+ 	/* make room for real-mode segments */
399 
+ 	tsk->thread.sp0 += 16;
400 
+-	if (cpu_has_sep)
401 
++
402 
++	if (static_cpu_has_safe(X86_FEATURE_SEP))
403 
+ 		tsk->thread.sysenter_cs = 0;
404 
++
405 
+ 	load_sp0(tss, &tsk->thread);
406 
+ 	put_cpu();
407 
+
408 
+diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
409 
+index 90555bf..92e2eac 100644
410 
+--- a/arch/x86/mm/setup_nx.c
411 
+@@ -31,7 +31,7 @@ early_param("noexec", noexec_setup);
412 
+
413 
+ void x86_configure_nx(void)
414 
+ {
415 
+-	if (cpu_has_nx && !disable_nx)
416 
++	if (boot_cpu_has(X86_FEATURE_NX) && !disable_nx)
417 
+ 		__supported_pte_mask |= _PAGE_NX;
418 
+ 	else
419 
+ 		__supported_pte_mask &= ~_PAGE_NX;
420 
+@@ -39,7 +39,7 @@ void x86_configure_nx(void)
421 
+
422 
+ void __init x86_report_nx(void)
423 
+ {
424 
+-	if (!cpu_has_nx) {
425 
++	if (!boot_cpu_has(X86_FEATURE_NX)) {
426 
+ 		printk(KERN_NOTICE "Notice: NX (Execute Disable) protection "
427 
+ 		       "missing in CPU!\n");
428 
+ 	} else {
429 
+diff --git a/drivers/char/hw_random/via-rng.c b/drivers/char/hw_random/via-rng.c
430 
+index 0c98a9d..44ce806 100644
431 
+--- a/drivers/char/hw_random/via-rng.c
432 
+@@ -140,7 +140,7 @@ static int via_rng_init(struct hwrng *rng)
433 
+ 	 * RNG configuration like it used to be the case in this
434 
+ 	 * register */
435 
+ 	if ((c->x86 == 6) && (c->x86_model >= 0x0f)) {
436 
+-		if (!cpu_has_xstore_enabled) {
437 
++		if (!boot_cpu_has(X86_FEATURE_XSTORE_EN)) {
438 
+ 			pr_err(PFX "can't enable hardware RNG "
439 
+ 				"if XSTORE is not enabled\n");
440 
+ 			return -ENODEV;
441 
+@@ -200,8 +200,9 @@ static int __init mod_init(void)
442 
+ {
443 
+ 	int err;
444 
+
445 
+-	if (!cpu_has_xstore)
446 
++	if (!boot_cpu_has(X86_FEATURE_XSTORE))
447 
+ 		return -ENODEV;
448 
++
449 
+ 	pr_info("VIA RNG detected\n");
450 
+ 	err = hwrng_register(&via_rng);
451 
+ 	if (err) {
452 
+diff --git a/drivers/crypto/padlock-aes.c b/drivers/crypto/padlock-aes.c
453 
+index da2d677..97a3646 100644
454 
+--- a/drivers/crypto/padlock-aes.c
455 
+@@ -515,7 +515,7 @@ static int __init padlock_init(void)
456 
+ 	if (!x86_match_cpu(padlock_cpu_id))
457 
+ 		return -ENODEV;
458 
+
459 
+-	if (!cpu_has_xcrypt_enabled) {
460 
++	if (!boot_cpu_has(X86_FEATURE_XCRYPT_EN)) {
461 
+ 		printk(KERN_NOTICE PFX "VIA PadLock detected, but not enabled. Hmm, strange...\n");
462 
+ 		return -ENODEV;
463 
+ 	}
464 
+diff --git a/drivers/crypto/padlock-sha.c b/drivers/crypto/padlock-sha.c
465 
+index 4e154c9..8c5f906 100644
466 
+--- a/drivers/crypto/padlock-sha.c
467 
+@@ -540,7 +540,7 @@ static int __init padlock_init(void)
468 
+ 	struct shash_alg *sha1;
469 
+ 	struct shash_alg *sha256;
470 
+
471 
+-	if (!x86_match_cpu(padlock_sha_ids) || !cpu_has_phe_enabled)
472 
++	if (!x86_match_cpu(padlock_sha_ids) || !boot_cpu_has(X86_FEATURE_PHE_EN))
473 
+ 		return -ENODEV;
474 
+
475 
+ 	/* Register the newly added algorithm module if on *
476 
+diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
477 
+index e9b241b..ac59692 100644
478 
+--- a/drivers/iommu/intel_irq_remapping.c
479 
+@@ -753,7 +753,7 @@ static inline void set_irq_posting_cap(void)
480 
+ 		 * should have X86_FEATURE_CX16 support, this has been confirmed
481 
+ 		 * with Intel hardware guys.
482 
+ 		 */
483 
+-		if ( cpu_has_cx16 )
484 
++		if (boot_cpu_has(X86_FEATURE_CX16))
485 
+ 			intel_irq_remap_ops.capability |= 1 << IRQ_POSTING_CAP;
486 
+
487 
+ 		for_each_iommu(iommu, drhd)
488 
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
489 
+index 208b3f5..7efd70b 100644
490 
+--- a/fs/btrfs/disk-io.c
491 
+@@ -923,7 +923,7 @@ static int check_async_write(struct inode *inode, unsigned long bio_flags)
492 
+ 	if (bio_flags & EXTENT_BIO_TREE_LOG)
493 
+ 		return 0;
494 
+ #ifdef CONFIG_X86
495 
+-	if (cpu_has_xmm4_2)
496 
++	if (static_cpu_has_safe(X86_FEATURE_XMM4_2))
497 
+ 		return 0;
498 
+ #endif
499 
+ 	return 1;
500 
+--
501 
+2.7.4
502 
+
SPECS/linux/speculative-store-bypass/0005-x86-cpu-Provide-a-config-option-to-disable-static_cp.patch
History View file @ 4ab22c2
0 503 
new file mode 100644
... ... 
@@ -0,0 +1,61 @@
0 
+From 842494a5f8eaf05f182ff2775d119b949124221b Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:02 -0700
3 
+Subject: [PATCH 005/103] x86/cpu: Provide a config option to disable
4 
+ static_cpu_has
5 
+
6 
+commit 6e1315fe82308cd29e7550eab967262e8bbc71a3 upstream
7 
+
8 
+This brings .text savings of about ~1.6K when building a tinyconfig. It
9 
+is off by default so nothing changes for the default.
10 
+
11 
+Kconfig help text from Josh.
12 
+
13 
+Signed-off-by: Borislav Petkov <bp@suse.de>
14 
+Reviewed-by: Josh Triplett <josh@joshtriplett.org>
15 
+Link: http://lkml.kernel.org/r/1449481182-27541-5-git-send-email-bp@alien8.de
16 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
17 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
18 
+---
19 
+ arch/x86/Kconfig                  | 11 +++++++++++
20 
+ arch/x86/include/asm/cpufeature.h |  2 +-
21 
+ 2 files changed, 12 insertions(+), 1 deletion(-)
22 
+
23 
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
24 
+index eab1ef2..d9afe6d 100644
25 
+--- a/arch/x86/Kconfig
26 
+@@ -346,6 +346,17 @@ config X86_FEATURE_NAMES
27 
+
28 
+ 	  If in doubt, say Y.
29 
+
30 
++config X86_FAST_FEATURE_TESTS
31 
++	bool "Fast CPU feature tests" if EMBEDDED
32 
++	default y
33 
++	---help---
34 
++	  Some fast-paths in the kernel depend on the capabilities of the CPU.
35 
++	  Say Y here for the kernel to patch in the appropriate code at runtime
36 
++	  based on the capabilities of the CPU. The infrastructure for patching
37 
++	  code at runtime takes up some additional space; space-constrained
38 
++	  embedded systems may wish to say N here to produce smaller, slightly
39 
++	  slower code.
40 
++
41 
+ config X86_X2APIC
42 
+ 	bool "Support x2apic"
43 
+ 	depends on X86_LOCAL_APIC && X86_64 && (IRQ_REMAP || HYPERVISOR_GUEST)
44 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
45 
+index 1b1c0ef..5ce8759 100644
46 
+--- a/arch/x86/include/asm/cpufeature.h
47 
+@@ -422,7 +422,7 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
48 
+  * fast paths and boot_cpu_has() otherwise!
49 
+  */
50 
+
51 
+-#if __GNUC__ >= 4
52 
++#if __GNUC__ >= 4 && defined(CONFIG_X86_FAST_FEATURE_TESTS)
53 
+ extern void warn_pre_alternatives(void);
54 
+ extern bool __static_cpu_has_safe(u16 bit);
55 
+
56 
+--
57 
+2.7.4
58 
+
SPECS/linux/speculative-store-bypass/0006-x86-fpu-Add-an-XSTATE_OP-macro.patch
History View file @ 4ab22c2
0 59 
new file mode 100644
... ... 
@@ -0,0 +1,156 @@
0 
+From 85b3b0157dc3032f659674e3de604d1a41497b68 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:02 -0700
3 
+Subject: [PATCH 006/103] x86/fpu: Add an XSTATE_OP() macro
4 
+
5 
+commit b74a0cf1b3db30173eefa00c411775d2b1697700 upstream
6 
+
7 
+Add an XSTATE_OP() macro which contains the XSAVE* fault handling
8 
+and replace all non-alternatives users of xstate_fault() with
9 
+it.
10 
+
11 
+This fixes also the buglet in copy_xregs_to_user() and
12 
+copy_user_to_xregs() where the inline asm didn't have @xstate as
13 
+memory reference and thus potentially causing unwanted
14 
+reordering of accesses to the extended state.
15 
+
16 
+Signed-off-by: Borislav Petkov <bp@suse.de>
17 
+Cc: Andy Lutomirski <luto@amacapital.net>
18 
+Cc: Borislav Petkov <bp@alien8.de>
19 
+Cc: Brian Gerst <brgerst@gmail.com>
20 
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
21 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
22 
+Cc: Fenghua Yu <fenghua.yu@intel.com>
23 
+Cc: H. Peter Anvin <hpa@zytor.com>
24 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
25 
+Cc: Oleg Nesterov <oleg@redhat.com>
26 
+Cc: Peter Zijlstra <peterz@infradead.org>
27 
+Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
28 
+Cc: Rik van Riel <riel@redhat.com>
29 
+Cc: Thomas Gleixner <tglx@linutronix.de>
30 
+Link: http://lkml.kernel.org/r/1447932326-4371-2-git-send-email-bp@alien8.de
31 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
32 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
33 
+---
34 
+ arch/x86/include/asm/fpu/internal.h | 68 +++++++++++++++++--------------------
35 
+ 1 file changed, 31 insertions(+), 37 deletions(-)
36 
+
37 
+diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
38 
+index 3c3550c..709a3df 100644
39 
+--- a/arch/x86/include/asm/fpu/internal.h
40 
+@@ -237,6 +237,20 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
41 
+ 	_ASM_EXTABLE(1b, 3b)		\
42 
+ 	: [_err] "=r" (__err)
43 
+
44 
++#define XSTATE_OP(op, st, lmask, hmask, err)				\
45 
++	asm volatile("1:" op "\n\t"					\
46 
++		     "xor %[err], %[err]\n"				\
47 
++		     "2:\n\t"						\
48 
++		     ".pushsection .fixup,\"ax\"\n\t"			\
49 
++		     "3: movl $-2,%[err]\n\t"				\
50 
++		     "jmp 2b\n\t"					\
51 
++		     ".popsection\n\t"					\
52 
++		     _ASM_EXTABLE(1b, 3b)				\
53 
++		     : [err] "=r" (err)					\
54 
++		     : "D" (st), "m" (*st), "a" (lmask), "d" (hmask)	\
55 
++		     : "memory")
56 
++
57 
++
58 
+ /*
59 
+  * This function is called only during boot time when x86 caps are not set
60 
+  * up and alternative can not be used yet.
61 
+@@ -246,22 +260,14 @@ static inline void copy_xregs_to_kernel_booting(struct xregs_state *xstate)
62 
+ 	u64 mask = -1;
63 
+ 	u32 lmask = mask;
64 
+ 	u32 hmask = mask >> 32;
65 
+-	int err = 0;
66 
++	int err;
67 
+
68 
+ 	WARN_ON(system_state != SYSTEM_BOOTING);
69 
+
70 
+-	if (boot_cpu_has(X86_FEATURE_XSAVES))
71 
+-		asm volatile("1:"XSAVES"\n\t"
72 
+-			"2:\n\t"
73 
+-			     xstate_fault(err)
74 
+-			: "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err)
75 
+-			: "memory");
76 
++	if (static_cpu_has_safe(X86_FEATURE_XSAVES))
77 
++		XSTATE_OP(XSAVES, xstate, lmask, hmask, err);
78 
+ 	else
79 
+-		asm volatile("1:"XSAVE"\n\t"
80 
+-			"2:\n\t"
81 
+-			     xstate_fault(err)
82 
+-			: "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err)
83 
+-			: "memory");
84 
++		XSTATE_OP(XSAVE, xstate, lmask, hmask, err);
85 
+
86 
+ 	/* We should never fault when copying to a kernel buffer: */
87 
+ 	WARN_ON_FPU(err);
88 
+@@ -276,22 +282,14 @@ static inline void copy_kernel_to_xregs_booting(struct xregs_state *xstate)
89 
+ 	u64 mask = -1;
90 
+ 	u32 lmask = mask;
91 
+ 	u32 hmask = mask >> 32;
92 
+-	int err = 0;
93 
++	int err;
94 
+
95 
+ 	WARN_ON(system_state != SYSTEM_BOOTING);
96 
+
97 
+-	if (boot_cpu_has(X86_FEATURE_XSAVES))
98 
+-		asm volatile("1:"XRSTORS"\n\t"
99 
+-			"2:\n\t"
100 
+-			     xstate_fault(err)
101 
+-			: "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err)
102 
+-			: "memory");
103 
++	if (static_cpu_has_safe(X86_FEATURE_XSAVES))
104 
++		XSTATE_OP(XRSTORS, xstate, lmask, hmask, err);
105 
+ 	else
106 
+-		asm volatile("1:"XRSTOR"\n\t"
107 
+-			"2:\n\t"
108 
+-			     xstate_fault(err)
109 
+-			: "D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask), "0" (err)
110 
+-			: "memory");
111 
++		XSTATE_OP(XRSTOR, xstate, lmask, hmask, err);
112 
+
113 
+ 	/* We should never fault when copying from a kernel buffer: */
114 
+ 	WARN_ON_FPU(err);
115 
+@@ -388,12 +386,10 @@ static inline int copy_xregs_to_user(struct xregs_state __user *buf)
116 
+ 	if (unlikely(err))
117 
+ 		return -EFAULT;
118 
+
119 
+-	__asm__ __volatile__(ASM_STAC "\n"
120 
+-			     "1:"XSAVE"\n"
121 
+-			     "2: " ASM_CLAC "\n"
122 
+-			     xstate_fault(err)
123 
+-			     : "D" (buf), "a" (-1), "d" (-1), "0" (err)
124 
+-			     : "memory");
125 
++	stac();
126 
++	XSTATE_OP(XSAVE, buf, -1, -1, err);
127 
++	clac();
128 
++
129 
+ 	return err;
130 
+ }
131 
+
132 
+@@ -405,14 +401,12 @@ static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask)
133 
+ 	struct xregs_state *xstate = ((__force struct xregs_state *)buf);
134 
+ 	u32 lmask = mask;
135 
+ 	u32 hmask = mask >> 32;
136 
+-	int err = 0;
137 
++	int err;
138 
++
139 
++	stac();
140 
++	XSTATE_OP(XRSTOR, xstate, lmask, hmask, err);
141 
++	clac();
142 
+
143 
+-	__asm__ __volatile__(ASM_STAC "\n"
144 
+-			     "1:"XRSTOR"\n"
145 
+-			     "2: " ASM_CLAC "\n"
146 
+-			     xstate_fault(err)
147 
+-			     : "D" (xstate), "a" (lmask), "d" (hmask), "0" (err)
148 
+-			     : "memory");	/* memory required? */
149 
+ 	return err;
150 
+ }
151 
+
152 
+--
153 
+2.7.4
154 
+
SPECS/linux/speculative-store-bypass/0007-x86-fpu-Get-rid-of-xstate_fault.patch
History View file @ 4ab22c2
0 155 
new file mode 100644
... ... 
@@ -0,0 +1,178 @@
0 
+From 9a3a79be722eb28e09733a4612c3df965f7e471c Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:03 -0700
3 
+Subject: [PATCH 007/103] x86/fpu: Get rid of xstate_fault()
4 
+
5 
+commit b7106fa0f29f9fd83d2d1905ab690d334ef855c1 upstream
6 
+
7 
+Add macros for the alternative XSAVE*/XRSTOR* operations which
8 
+contain the fault handling and use them. Kill xstate_fault().
9 
+
10 
+Also, copy_xregs_to_kernel() didn't have the extended state as
11 
+memory reference in the asm.
12 
+
13 
+Signed-off-by: Borislav Petkov <bp@suse.de>
14 
+Cc: Andy Lutomirski <luto@amacapital.net>
15 
+Cc: Borislav Petkov <bp@alien8.de>
16 
+Cc: Brian Gerst <brgerst@gmail.com>
17 
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
18 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
19 
+Cc: Fenghua Yu <fenghua.yu@intel.com>
20 
+Cc: H. Peter Anvin <hpa@zytor.com>
21 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
22 
+Cc: Oleg Nesterov <oleg@redhat.com>
23 
+Cc: Peter Zijlstra <peterz@infradead.org>
24 
+Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
25 
+Cc: Rik van Riel <riel@redhat.com>
26 
+Cc: Thomas Gleixner <tglx@linutronix.de>
27 
+Link: http://lkml.kernel.org/r/1447932326-4371-3-git-send-email-bp@alien8.de
28 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
29 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
30 
+---
31 
+ arch/x86/include/asm/fpu/internal.h | 105 ++++++++++++++++++------------------
32 
+ 1 file changed, 52 insertions(+), 53 deletions(-)
33 
+
34 
+diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
35 
+index 709a3df..eadcdd5 100644
36 
+--- a/arch/x86/include/asm/fpu/internal.h
37 
+@@ -224,19 +224,6 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
38 
+ #define XRSTOR		".byte " REX_PREFIX "0x0f,0xae,0x2f"
39 
+ #define XRSTORS		".byte " REX_PREFIX "0x0f,0xc7,0x1f"
40 
+
41 
+-/* xstate instruction fault handler: */
42 
+-#define xstate_fault(__err)		\
43 
+-					\
44 
+-	".section .fixup,\"ax\"\n"	\
45 
+-					\
46 
+-	"3:  movl $-2,%[_err]\n"	\
47 
+-	"    jmp  2b\n"			\
48 
+-					\
49 
+-	".previous\n"			\
50 
+-					\
51 
+-	_ASM_EXTABLE(1b, 3b)		\
52 
+-	: [_err] "=r" (__err)
53 
+-
54 
+ #define XSTATE_OP(op, st, lmask, hmask, err)				\
55 
+ 	asm volatile("1:" op "\n\t"					\
56 
+ 		     "xor %[err], %[err]\n"				\
57 
+@@ -250,6 +237,54 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
58 
+ 		     : "D" (st), "m" (*st), "a" (lmask), "d" (hmask)	\
59 
+ 		     : "memory")
60 
+
61 
++/*
62 
++ * If XSAVES is enabled, it replaces XSAVEOPT because it supports a compact
63 
++ * format and supervisor states in addition to modified optimization in
64 
++ * XSAVEOPT.
65 
++ *
66 
++ * Otherwise, if XSAVEOPT is enabled, XSAVEOPT replaces XSAVE because XSAVEOPT
67 
++ * supports modified optimization which is not supported by XSAVE.
68 
++ *
69 
++ * We use XSAVE as a fallback.
70 
++ *
71 
++ * The 661 label is defined in the ALTERNATIVE* macros as the address of the
72 
++ * original instruction which gets replaced. We need to use it here as the
73 
++ * address of the instruction where we might get an exception at.
74 
++ */
75 
++#define XSTATE_XSAVE(st, lmask, hmask, err)				\
76 
++	asm volatile(ALTERNATIVE_2(XSAVE,				\
77 
++				   XSAVEOPT, X86_FEATURE_XSAVEOPT,	\
78 
++				   XSAVES,   X86_FEATURE_XSAVES)	\
79 
++		     "\n"						\
80 
++		     "xor %[err], %[err]\n"				\
81 
++		     "3:\n"						\
82 
++		     ".pushsection .fixup,\"ax\"\n"			\
83 
++		     "4: movl $-2, %[err]\n"				\
84 
++		     "jmp 3b\n"						\
85 
++		     ".popsection\n"					\
86 
++		     _ASM_EXTABLE(661b, 4b)				\
87 
++		     : [err] "=r" (err)					\
88 
++		     : "D" (st), "m" (*st), "a" (lmask), "d" (hmask)	\
89 
++		     : "memory")
90 
++
91 
++/*
92 
++ * Use XRSTORS to restore context if it is enabled. XRSTORS supports compact
93 
++ * XSAVE area format.
94 
++ */
95 
++#define XSTATE_XRESTORE(st, lmask, hmask, err)				\
96 
++	asm volatile(ALTERNATIVE(XRSTOR,				\
97 
++				 XRSTORS, X86_FEATURE_XSAVES)		\
98 
++		     "\n"						\
99 
++		     "xor %[err], %[err]\n"				\
100 
++		     "3:\n"						\
101 
++		     ".pushsection .fixup,\"ax\"\n"			\
102 
++		     "4: movl $-2, %[err]\n"				\
103 
++		     "jmp 3b\n"						\
104 
++		     ".popsection\n"					\
105 
++		     _ASM_EXTABLE(661b, 4b)				\
106 
++		     : [err] "=r" (err)					\
107 
++		     : "D" (st), "m" (*st), "a" (lmask), "d" (hmask)	\
108 
++		     : "memory")
109 
+
110 
+ /*
111 
+  * This function is called only during boot time when x86 caps are not set
112 
+@@ -303,33 +338,11 @@ static inline void copy_xregs_to_kernel(struct xregs_state *xstate)
113 
+ 	u64 mask = -1;
114 
+ 	u32 lmask = mask;
115 
+ 	u32 hmask = mask >> 32;
116 
+-	int err = 0;
117 
++	int err;
118 
+
119 
+ 	WARN_ON(!alternatives_patched);
120 
+
121 
+-	/*
122 
+-	 * If xsaves is enabled, xsaves replaces xsaveopt because
123 
+-	 * it supports compact format and supervisor states in addition to
124 
+-	 * modified optimization in xsaveopt.
125 
+-	 *
126 
+-	 * Otherwise, if xsaveopt is enabled, xsaveopt replaces xsave
127 
+-	 * because xsaveopt supports modified optimization which is not
128 
+-	 * supported by xsave.
129 
+-	 *
130 
+-	 * If none of xsaves and xsaveopt is enabled, use xsave.
131 
+-	 */
132 
+-	alternative_input_2(
133 
+-		"1:"XSAVE,
134 
+-		XSAVEOPT,
135 
+-		X86_FEATURE_XSAVEOPT,
136 
+-		XSAVES,
137 
+-		X86_FEATURE_XSAVES,
138 
+-		[xstate] "D" (xstate), "a" (lmask), "d" (hmask) :
139 
+-		"memory");
140 
+-	asm volatile("2:\n\t"
141 
+-		     xstate_fault(err)
142 
+-		     : "0" (err)
143 
+-		     : "memory");
144 
++	XSTATE_XSAVE(xstate, lmask, hmask, err);
145 
+
146 
+ 	/* We should never fault when copying to a kernel buffer: */
147 
+ 	WARN_ON_FPU(err);
148 
+@@ -342,23 +355,9 @@ static inline void copy_kernel_to_xregs(struct xregs_state *xstate, u64 mask)
149 
+ {
150 
+ 	u32 lmask = mask;
151 
+ 	u32 hmask = mask >> 32;
152 
+-	int err = 0;
153 
++	int err;
154 
+
155 
+-	/*
156 
+-	 * Use xrstors to restore context if it is enabled. xrstors supports
157 
+-	 * compacted format of xsave area which is not supported by xrstor.
158 
+-	 */
159 
+-	alternative_input(
160 
+-		"1: " XRSTOR,
161 
+-		XRSTORS,
162 
+-		X86_FEATURE_XSAVES,
163 
+-		"D" (xstate), "m" (*xstate), "a" (lmask), "d" (hmask)
164 
+-		: "memory");
165 
+-
166 
+-	asm volatile("2:\n"
167 
+-		     xstate_fault(err)
168 
+-		     : "0" (err)
169 
+-		     : "memory");
170 
++	XSTATE_XRESTORE(xstate, lmask, hmask, err);
171 
+
172 
+ 	/* We should never fault when copying from a kernel buffer: */
173 
+ 	WARN_ON_FPU(err);
174 
+--
175 
+2.7.4
176 
+
SPECS/linux/speculative-store-bypass/0008-x86-headers-Don-t-include-asm-processor.h-in-asm-ato.patch
History View file @ 4ab22c2
0 177 
new file mode 100644
... ... 
@@ -0,0 +1,82 @@
0 
+From 88400b7046a5c207ad25d924fc38a1559594cd70 Mon Sep 17 00:00:00 2001
1 
+From: Andi Kleen <ak@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:03 -0700
3 
+Subject: [PATCH 008/103] x86/headers: Don't include asm/processor.h in
4 
+ asm/atomic.h
5 
+
6 
+commit 153a4334c439cfb62e1d31cee0c790ba4157813d upstream
7 
+
8 
+asm/atomic.h doesn't really need asm/processor.h anymore. Everything
9 
+it uses has moved to other header files. So remove that include.
10 
+
11 
+processor.h is a nasty header that includes lots of
12 
+other headers and makes it prone to include loops. Removing the
13 
+include here makes asm/atomic.h a "leaf" header that can
14 
+be safely included in most other headers.
15 
+
16 
+The only fallout is in the lib/atomic tester which relied on
17 
+this implicit include. Give it an explicit include.
18 
+(the include is in ifdef because the user is also in ifdef)
19 
+
20 
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
21 
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
22 
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
23 
+Cc: Jiri Olsa <jolsa@redhat.com>
24 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
25 
+Cc: Mike Galbraith <efault@gmx.de>
26 
+Cc: Peter Zijlstra <peterz@infradead.org>
27 
+Cc: Stephane Eranian <eranian@google.com>
28 
+Cc: Thomas Gleixner <tglx@linutronix.de>
29 
+Cc: Vince Weaver <vincent.weaver@maine.edu>
30 
+Cc: rostedt@goodmis.org
31 
+Link: http://lkml.kernel.org/r/1449018060-1742-1-git-send-email-andi@firstfloor.org
32 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
33 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
34 
+---
35 
+ arch/x86/include/asm/atomic.h      | 1 -
36 
+ arch/x86/include/asm/atomic64_32.h | 1 -
37 
+ lib/atomic64_test.c                | 4 ++++
38 
+ 3 files changed, 4 insertions(+), 2 deletions(-)
39 
+
40 
+diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
41 
+index ae5fb83..3e86742 100644
42 
+--- a/arch/x86/include/asm/atomic.h
43 
+@@ -3,7 +3,6 @@
44 
+
45 
+ #include <linux/compiler.h>
46 
+ #include <linux/types.h>
47 
+-#include <asm/processor.h>
48 
+ #include <asm/alternative.h>
49 
+ #include <asm/cmpxchg.h>
50 
+ #include <asm/rmwcc.h>
51 
+diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h
52 
+index a11c30b..a984111 100644
53 
+--- a/arch/x86/include/asm/atomic64_32.h
54 
+@@ -3,7 +3,6 @@
55 
+
56 
+ #include <linux/compiler.h>
57 
+ #include <linux/types.h>
58 
+-#include <asm/processor.h>
59 
+ //#include <asm/cmpxchg.h>
60 
+
61 
+ /* An 64bit atomic type */
62 
+diff --git a/lib/atomic64_test.c b/lib/atomic64_test.c
63 
+index 83c33a5b..d51e25a 100644
64 
+--- a/lib/atomic64_test.c
65 
+@@ -16,6 +16,10 @@
66 
+ #include <linux/kernel.h>
67 
+ #include <linux/atomic.h>
68 
+
69 
++#ifdef CONFIG_X86
70 
++#include <asm/processor.h>	/* for boot_cpu_has below */
71 
++#endif
72 
++
73 
+ #define TEST(bit, op, c_op, val)				\
74 
+ do {								\
75 
+ 	atomic##bit##_set(&v, v0);				\
76 
+--
77 
+2.7.4
78 
+
SPECS/linux/speculative-store-bypass/0009-x86-cpufeature-Carve-out-X86_FEATURE_.patch
History View file @ 4ab22c2
0 79 
new file mode 100644
... ... 
@@ -0,0 +1,1347 @@
0 
+From a4de09194c6a2f0e3059bfadba85a56205a5554e Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:04 -0700
3 
+Subject: [PATCH 009/103] x86/cpufeature: Carve out X86_FEATURE_*
4 
+
5 
+commit cd4d09ec6f6c12a2cc3db5b7d8876a325a53545b upstream
6 
+
7 
+Move them to a separate header and have the following
8 
+dependency:
9 
+
10 
+  x86/cpufeatures.h <- x86/processor.h <- x86/cpufeature.h
11 
+
12 
+This makes it easier to use the header in asm code and not
13 
+include the whole cpufeature.h and add guards for asm.
14 
+
15 
+Suggested-by: H. Peter Anvin <hpa@zytor.com>
16 
+Signed-off-by: Borislav Petkov <bp@suse.de>
17 
+Cc: Andy Lutomirski <luto@amacapital.net>
18 
+Cc: Borislav Petkov <bp@alien8.de>
19 
+Cc: Brian Gerst <brgerst@gmail.com>
20 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
21 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
22 
+Cc: Peter Zijlstra <peterz@infradead.org>
23 
+Cc: Thomas Gleixner <tglx@linutronix.de>
24 
+Link: http://lkml.kernel.org/r/1453842730-28463-5-git-send-email-bp@alien8.de
25 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
26 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
27 
+---
28 
+ Documentation/kernel-parameters.txt      |   2 +-
29 
+ arch/x86/boot/cpuflags.h                 |   2 +-
30 
+ arch/x86/boot/mkcpustr.c                 |   2 +-
31 
+ arch/x86/crypto/crc32-pclmul_glue.c      |   2 +-
32 
+ arch/x86/crypto/crc32c-intel_glue.c      |   2 +-
33 
+ arch/x86/crypto/crct10dif-pclmul_glue.c  |   2 +-
34 
+ arch/x86/entry/common.c                  |   1 +
35 
+ arch/x86/entry/entry_32.S                |   2 +-
36 
+ arch/x86/entry/vdso/vdso32-setup.c       |   1 -
37 
+ arch/x86/entry/vdso/vdso32/system_call.S |   2 +-
38 
+ arch/x86/entry/vdso/vma.c                |   1 +
39 
+ arch/x86/include/asm/alternative.h       |   6 -
40 
+ arch/x86/include/asm/apic.h              |   1 -
41 
+ arch/x86/include/asm/arch_hweight.h      |   2 +
42 
+ arch/x86/include/asm/cmpxchg.h           |   1 +
43 
+ arch/x86/include/asm/cpufeature.h        | 293 +-----------------------------
44 
+ arch/x86/include/asm/cpufeatures.h       | 297 +++++++++++++++++++++++++++++++
45 
+ arch/x86/include/asm/fpu/internal.h      |   1 +
46 
+ arch/x86/include/asm/irq_work.h          |   2 +-
47 
+ arch/x86/include/asm/mwait.h             |   2 +
48 
+ arch/x86/include/asm/nospec-branch.h     |   2 +-
49 
+ arch/x86/include/asm/processor.h         |   3 +-
50 
+ arch/x86/include/asm/smap.h              |   2 +-
51 
+ arch/x86/include/asm/smp.h               |   1 -
52 
+ arch/x86/include/asm/thread_info.h       |   2 +-
53 
+ arch/x86/include/asm/tlbflush.h          |   1 +
54 
+ arch/x86/include/asm/uaccess_64.h        |   2 +-
55 
+ arch/x86/kernel/cpu/Makefile             |   2 +-
56 
+ arch/x86/kernel/cpu/centaur.c            |   2 +-
57 
+ arch/x86/kernel/cpu/cyrix.c              |   1 +
58 
+ arch/x86/kernel/cpu/intel.c              |   2 +-
59 
+ arch/x86/kernel/cpu/intel_cacheinfo.c    |   2 +-
60 
+ arch/x86/kernel/cpu/match.c              |   2 +-
61 
+ arch/x86/kernel/cpu/mkcapflags.sh        |   6 +-
62 
+ arch/x86/kernel/cpu/mtrr/main.c          |   2 +-
63 
+ arch/x86/kernel/cpu/transmeta.c          |   2 +-
64 
+ arch/x86/kernel/e820.c                   |   1 +
65 
+ arch/x86/kernel/head_32.S                |   2 +-
66 
+ arch/x86/kernel/hpet.c                   |   1 +
67 
+ arch/x86/kernel/msr.c                    |   2 +-
68 
+ arch/x86/kernel/verify_cpu.S             |   2 +-
69 
+ arch/x86/lib/clear_page_64.S             |   2 +-
70 
+ arch/x86/lib/copy_page_64.S              |   2 +-
71 
+ arch/x86/lib/copy_user_64.S              |   2 +-
72 
+ arch/x86/lib/memcpy_64.S                 |   2 +-
73 
+ arch/x86/lib/memmove_64.S                |   2 +-
74 
+ arch/x86/lib/memset_64.S                 |   2 +-
75 
+ arch/x86/lib/retpoline.S                 |   2 +-
76 
+ arch/x86/mm/setup_nx.c                   |   1 +
77 
+ arch/x86/oprofile/op_model_amd.c         |   1 -
78 
+ arch/x86/um/asm/barrier.h                |   2 +-
79 
+ lib/atomic64_test.c                      |   2 +-
80 
+ 52 files changed, 347 insertions(+), 339 deletions(-)
81 
+ create mode 100644 arch/x86/include/asm/cpufeatures.h
82 
+
83 
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
84 
+index 4df6bd7..e60d0b5 100644
85 
+--- a/Documentation/kernel-parameters.txt
86 
+@@ -652,7 +652,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
87 
+
88 
+ 	clearcpuid=BITNUM [X86]
89 
+ 			Disable CPUID feature X for the kernel. See
90 
+-			arch/x86/include/asm/cpufeature.h for the valid bit
91 
++			arch/x86/include/asm/cpufeatures.h for the valid bit
92 
+ 			numbers. Note the Linux specific bits are not necessarily
93 
+ 			stable over kernel options, but the vendor specific
94 
+ 			ones should be.
95 
+diff --git a/arch/x86/boot/cpuflags.h b/arch/x86/boot/cpuflags.h
96 
+index ea97697..4cb404f 100644
97 
+--- a/arch/x86/boot/cpuflags.h
98 
+@@ -1,7 +1,7 @@
99 
+ #ifndef BOOT_CPUFLAGS_H
100 
+ #define BOOT_CPUFLAGS_H
101 
+
102 
+-#include <asm/cpufeature.h>
103 
++#include <asm/cpufeatures.h>
104 
+ #include <asm/processor-flags.h>
105 
+
106 
+ struct cpu_features {
107 
+diff --git a/arch/x86/boot/mkcpustr.c b/arch/x86/boot/mkcpustr.c
108 
+index 637097e..f72498d 100644
109 
+--- a/arch/x86/boot/mkcpustr.c
110 
+@@ -17,7 +17,7 @@
111 
+
112 
+ #include "../include/asm/required-features.h"
113 
+ #include "../include/asm/disabled-features.h"
114 
+-#include "../include/asm/cpufeature.h"
115 
++#include "../include/asm/cpufeatures.h"
116 
+ #include "../kernel/cpu/capflags.c"
117 
+
118 
+ int main(void)
119 
+diff --git a/arch/x86/crypto/crc32-pclmul_glue.c b/arch/x86/crypto/crc32-pclmul_glue.c
120 
+index 07d2c6c..27226df 100644
121 
+--- a/arch/x86/crypto/crc32-pclmul_glue.c
122 
+@@ -33,7 +33,7 @@
123 
+ #include <linux/crc32.h>
124 
+ #include <crypto/internal/hash.h>
125 
+
126 
+-#include <asm/cpufeature.h>
127 
++#include <asm/cpufeatures.h>
128 
+ #include <asm/cpu_device_id.h>
129 
+ #include <asm/fpu/api.h>
130 
+
131 
+diff --git a/arch/x86/crypto/crc32c-intel_glue.c b/arch/x86/crypto/crc32c-intel_glue.c
132 
+index 0e98716..0857b1a 100644
133 
+--- a/arch/x86/crypto/crc32c-intel_glue.c
134 
+@@ -30,7 +30,7 @@
135 
+ #include <linux/kernel.h>
136 
+ #include <crypto/internal/hash.h>
137 
+
138 
+-#include <asm/cpufeature.h>
139 
++#include <asm/cpufeatures.h>
140 
+ #include <asm/cpu_device_id.h>
141 
+ #include <asm/fpu/internal.h>
142 
+
143 
+diff --git a/arch/x86/crypto/crct10dif-pclmul_glue.c b/arch/x86/crypto/crct10dif-pclmul_glue.c
144 
+index a3fcfc9..cd4df93 100644
145 
+--- a/arch/x86/crypto/crct10dif-pclmul_glue.c
146 
+@@ -30,7 +30,7 @@
147 
+ #include <linux/string.h>
148 
+ #include <linux/kernel.h>
149 
+ #include <asm/fpu/api.h>
150 
+-#include <asm/cpufeature.h>
151 
++#include <asm/cpufeatures.h>
152 
+ #include <asm/cpu_device_id.h>
153 
+
154 
+ asmlinkage __u16 crc_t10dif_pcl(__u16 crc, const unsigned char *buf,
155 
+diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
156 
+index b5eb1cc..071582a 100644
157 
+--- a/arch/x86/entry/common.c
158 
+@@ -27,6 +27,7 @@
159 
+ #include <asm/traps.h>
160 
+ #include <asm/vdso.h>
161 
+ #include <asm/uaccess.h>
162 
++#include <asm/cpufeature.h>
163 
+
164 
+ #define CREATE_TRACE_POINTS
165 
+ #include <trace/events/syscalls.h>
166 
+diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
167 
+index d437f387..49a8c9f 100644
168 
+--- a/arch/x86/entry/entry_32.S
169 
+@@ -40,7 +40,7 @@
170 
+ #include <asm/processor-flags.h>
171 
+ #include <asm/ftrace.h>
172 
+ #include <asm/irq_vectors.h>
173 
+-#include <asm/cpufeature.h>
174 
++#include <asm/cpufeatures.h>
175 
+ #include <asm/alternative-asm.h>
176 
+ #include <asm/asm.h>
177 
+ #include <asm/smap.h>
178 
+diff --git a/arch/x86/entry/vdso/vdso32-setup.c b/arch/x86/entry/vdso/vdso32-setup.c
179 
+index a7508d7..3f9d1a8 100644
180 
+--- a/arch/x86/entry/vdso/vdso32-setup.c
181 
+@@ -11,7 +11,6 @@
182 
+ #include <linux/kernel.h>
183 
+ #include <linux/mm_types.h>
184 
+
185 
+-#include <asm/cpufeature.h>
186 
+ #include <asm/processor.h>
187 
+ #include <asm/vdso.h>
188 
+
189 
+diff --git a/arch/x86/entry/vdso/vdso32/system_call.S b/arch/x86/entry/vdso/vdso32/system_call.S
190 
+index 3a1d929..0109ac6 100644
191 
+--- a/arch/x86/entry/vdso/vdso32/system_call.S
192 
+@@ -3,7 +3,7 @@
193 
+ */
194 
+
195 
+ #include <asm/dwarf2.h>
196 
+-#include <asm/cpufeature.h>
197 
++#include <asm/cpufeatures.h>
198 
+ #include <asm/alternative-asm.h>
199 
+
200 
+ /*
201 
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
202 
+index b8f69e2..5471ac3 100644
203 
+--- a/arch/x86/entry/vdso/vma.c
204 
+@@ -20,6 +20,7 @@
205 
+ #include <asm/page.h>
206 
+ #include <asm/hpet.h>
207 
+ #include <asm/desc.h>
208 
++#include <asm/cpufeature.h>
209 
+
210 
+ #if defined(CONFIG_X86_64)
211 
+ unsigned int __read_mostly vdso64_enabled = 1;
212 
+diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h
213 
+index 215ea92..002fcd9 100644
214 
+--- a/arch/x86/include/asm/alternative.h
215 
+@@ -154,12 +154,6 @@ static inline int alternatives_text_reserved(void *start, void *end)
216 
+ 	".popsection\n"
217 
+
218 
+ /*
219 
+- * This must be included *after* the definition of ALTERNATIVE due to
220 
+- * <asm/arch_hweight.h>
221 
+- */
222 
+-#include <asm/cpufeature.h>
223 
+-
224 
+-/*
225 
+  * Alternative instructions for different CPU types or capabilities.
226 
+  *
227 
+  * This allows to use optimized instructions even on generic binary
228 
+diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
229 
+index 163769d..fd810a5 100644
230 
+--- a/arch/x86/include/asm/apic.h
231 
+@@ -6,7 +6,6 @@
232 
+
233 
+ #include <asm/alternative.h>
234 
+ #include <asm/cpufeature.h>
235 
+-#include <asm/processor.h>
236 
+ #include <asm/apicdef.h>
237 
+ #include <linux/atomic.h>
238 
+ #include <asm/fixmap.h>
239 
+diff --git a/arch/x86/include/asm/arch_hweight.h b/arch/x86/include/asm/arch_hweight.h
240 
+index 44f825c..e7cd631 100644
241 
+--- a/arch/x86/include/asm/arch_hweight.h
242 
+@@ -1,6 +1,8 @@
243 
+ #ifndef _ASM_X86_HWEIGHT_H
244 
+ #define _ASM_X86_HWEIGHT_H
245 
+
246 
++#include <asm/cpufeatures.h>
247 
++
248 
+ #ifdef CONFIG_64BIT
249 
+ /* popcnt %edi, %eax */
250 
+ #define POPCNT32 ".byte 0xf3,0x0f,0xb8,0xc7"
251 
+diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h
252 
+index ad19841..9733361 100644
253 
+--- a/arch/x86/include/asm/cmpxchg.h
254 
+@@ -2,6 +2,7 @@
255 
+ #define ASM_X86_CMPXCHG_H
256 
+
257 
+ #include <linux/compiler.h>
258 
++#include <asm/cpufeatures.h>
259 
+ #include <asm/alternative.h> /* Provides LOCK_PREFIX */
260 
+
261 
+ /*
262 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
263 
+index 5ce8759..f62e872 100644
264 
+--- a/arch/x86/include/asm/cpufeature.h
265 
+@@ -1,298 +1,7 @@
266 
+-/*
267 
+- * Defines x86 CPU feature bits
268 
+- */
269 
+ #ifndef _ASM_X86_CPUFEATURE_H
270 
+ #define _ASM_X86_CPUFEATURE_H
271 
+
272 
+-#ifndef _ASM_X86_REQUIRED_FEATURES_H
273 
+-#include <asm/required-features.h>
274 
+-#endif
275 
+-
276 
+-#ifndef _ASM_X86_DISABLED_FEATURES_H
277 
+-#include <asm/disabled-features.h>
278 
+-#endif
279 
+-
280 
+-#define NCAPINTS	16	/* N 32-bit words worth of info */
281 
+-#define NBUGINTS	1	/* N 32-bit bug flags */
282 
+-
283 
+-/*
284 
+- * Note: If the comment begins with a quoted string, that string is used
285 
+- * in /proc/cpuinfo instead of the macro name.  If the string is "",
286 
+- * this feature bit is not displayed in /proc/cpuinfo at all.
287 
+- */
288 
+-
289 
+-/* Intel-defined CPU features, CPUID level 0x00000001 (edx), word 0 */
290 
+-#define X86_FEATURE_FPU		( 0*32+ 0) /* Onboard FPU */
291 
+-#define X86_FEATURE_VME		( 0*32+ 1) /* Virtual Mode Extensions */
292 
+-#define X86_FEATURE_DE		( 0*32+ 2) /* Debugging Extensions */
293 
+-#define X86_FEATURE_PSE		( 0*32+ 3) /* Page Size Extensions */
294 
+-#define X86_FEATURE_TSC		( 0*32+ 4) /* Time Stamp Counter */
295 
+-#define X86_FEATURE_MSR		( 0*32+ 5) /* Model-Specific Registers */
296 
+-#define X86_FEATURE_PAE		( 0*32+ 6) /* Physical Address Extensions */
297 
+-#define X86_FEATURE_MCE		( 0*32+ 7) /* Machine Check Exception */
298 
+-#define X86_FEATURE_CX8		( 0*32+ 8) /* CMPXCHG8 instruction */
299 
+-#define X86_FEATURE_APIC	( 0*32+ 9) /* Onboard APIC */
300 
+-#define X86_FEATURE_SEP		( 0*32+11) /* SYSENTER/SYSEXIT */
301 
+-#define X86_FEATURE_MTRR	( 0*32+12) /* Memory Type Range Registers */
302 
+-#define X86_FEATURE_PGE		( 0*32+13) /* Page Global Enable */
303 
+-#define X86_FEATURE_MCA		( 0*32+14) /* Machine Check Architecture */
304 
+-#define X86_FEATURE_CMOV	( 0*32+15) /* CMOV instructions */
305 
+-					  /* (plus FCMOVcc, FCOMI with FPU) */
306 
+-#define X86_FEATURE_PAT		( 0*32+16) /* Page Attribute Table */
307 
+-#define X86_FEATURE_PSE36	( 0*32+17) /* 36-bit PSEs */
308 
+-#define X86_FEATURE_PN		( 0*32+18) /* Processor serial number */
309 
+-#define X86_FEATURE_CLFLUSH	( 0*32+19) /* CLFLUSH instruction */
310 
+-#define X86_FEATURE_DS		( 0*32+21) /* "dts" Debug Store */
311 
+-#define X86_FEATURE_ACPI	( 0*32+22) /* ACPI via MSR */
312 
+-#define X86_FEATURE_MMX		( 0*32+23) /* Multimedia Extensions */
313 
+-#define X86_FEATURE_FXSR	( 0*32+24) /* FXSAVE/FXRSTOR, CR4.OSFXSR */
314 
+-#define X86_FEATURE_XMM		( 0*32+25) /* "sse" */
315 
+-#define X86_FEATURE_XMM2	( 0*32+26) /* "sse2" */
316 
+-#define X86_FEATURE_SELFSNOOP	( 0*32+27) /* "ss" CPU self snoop */
317 
+-#define X86_FEATURE_HT		( 0*32+28) /* Hyper-Threading */
318 
+-#define X86_FEATURE_ACC		( 0*32+29) /* "tm" Automatic clock control */
319 
+-#define X86_FEATURE_IA64	( 0*32+30) /* IA-64 processor */
320 
+-#define X86_FEATURE_PBE		( 0*32+31) /* Pending Break Enable */
321 
+-
322 
+-/* AMD-defined CPU features, CPUID level 0x80000001, word 1 */
323 
+-/* Don't duplicate feature flags which are redundant with Intel! */
324 
+-#define X86_FEATURE_SYSCALL	( 1*32+11) /* SYSCALL/SYSRET */
325 
+-#define X86_FEATURE_MP		( 1*32+19) /* MP Capable. */
326 
+-#define X86_FEATURE_NX		( 1*32+20) /* Execute Disable */
327 
+-#define X86_FEATURE_MMXEXT	( 1*32+22) /* AMD MMX extensions */
328 
+-#define X86_FEATURE_FXSR_OPT	( 1*32+25) /* FXSAVE/FXRSTOR optimizations */
329 
+-#define X86_FEATURE_GBPAGES	( 1*32+26) /* "pdpe1gb" GB pages */
330 
+-#define X86_FEATURE_RDTSCP	( 1*32+27) /* RDTSCP */
331 
+-#define X86_FEATURE_LM		( 1*32+29) /* Long Mode (x86-64) */
332 
+-#define X86_FEATURE_3DNOWEXT	( 1*32+30) /* AMD 3DNow! extensions */
333 
+-#define X86_FEATURE_3DNOW	( 1*32+31) /* 3DNow! */
334 
+-
335 
+-/* Transmeta-defined CPU features, CPUID level 0x80860001, word 2 */
336 
+-#define X86_FEATURE_RECOVERY	( 2*32+ 0) /* CPU in recovery mode */
337 
+-#define X86_FEATURE_LONGRUN	( 2*32+ 1) /* Longrun power control */
338 
+-#define X86_FEATURE_LRTI	( 2*32+ 3) /* LongRun table interface */
339 
+-
340 
+-/* Other features, Linux-defined mapping, word 3 */
341 
+-/* This range is used for feature bits which conflict or are synthesized */
342 
+-#define X86_FEATURE_CXMMX	( 3*32+ 0) /* Cyrix MMX extensions */
343 
+-#define X86_FEATURE_K6_MTRR	( 3*32+ 1) /* AMD K6 nonstandard MTRRs */
344 
+-#define X86_FEATURE_CYRIX_ARR	( 3*32+ 2) /* Cyrix ARRs (= MTRRs) */
345 
+-#define X86_FEATURE_CENTAUR_MCR	( 3*32+ 3) /* Centaur MCRs (= MTRRs) */
346 
+-/* cpu types for specific tunings: */
347 
+-#define X86_FEATURE_K8		( 3*32+ 4) /* "" Opteron, Athlon64 */
348 
+-#define X86_FEATURE_K7		( 3*32+ 5) /* "" Athlon */
349 
+-#define X86_FEATURE_P3		( 3*32+ 6) /* "" P3 */
350 
+-#define X86_FEATURE_P4		( 3*32+ 7) /* "" P4 */
351 
+-#define X86_FEATURE_CONSTANT_TSC ( 3*32+ 8) /* TSC ticks at a constant rate */
352 
+-#define X86_FEATURE_UP		( 3*32+ 9) /* smp kernel running on up */
353 
+-/* free, was #define X86_FEATURE_FXSAVE_LEAK ( 3*32+10) * "" FXSAVE leaks FOP/FIP/FOP */
354 
+-#define X86_FEATURE_ARCH_PERFMON ( 3*32+11) /* Intel Architectural PerfMon */
355 
+-#define X86_FEATURE_PEBS	( 3*32+12) /* Precise-Event Based Sampling */
356 
+-#define X86_FEATURE_BTS		( 3*32+13) /* Branch Trace Store */
357 
+-#define X86_FEATURE_SYSCALL32	( 3*32+14) /* "" syscall in ia32 userspace */
358 
+-#define X86_FEATURE_SYSENTER32	( 3*32+15) /* "" sysenter in ia32 userspace */
359 
+-#define X86_FEATURE_REP_GOOD	( 3*32+16) /* rep microcode works well */
360 
+-#define X86_FEATURE_MFENCE_RDTSC ( 3*32+17) /* "" Mfence synchronizes RDTSC */
361 
+-#define X86_FEATURE_LFENCE_RDTSC ( 3*32+18) /* "" Lfence synchronizes RDTSC */
362 
+-/* free, was #define X86_FEATURE_11AP	( 3*32+19) * "" Bad local APIC aka 11AP */
363 
+-#define X86_FEATURE_NOPL	( 3*32+20) /* The NOPL (0F 1F) instructions */
364 
+-#define X86_FEATURE_ALWAYS	( 3*32+21) /* "" Always-present feature */
365 
+-#define X86_FEATURE_XTOPOLOGY	( 3*32+22) /* cpu topology enum extensions */
366 
+-#define X86_FEATURE_TSC_RELIABLE ( 3*32+23) /* TSC is known to be reliable */
367 
+-#define X86_FEATURE_NONSTOP_TSC	( 3*32+24) /* TSC does not stop in C states */
368 
+-/* free, was #define X86_FEATURE_CLFLUSH_MONITOR ( 3*32+25) * "" clflush reqd with monitor */
369 
+-#define X86_FEATURE_EXTD_APICID	( 3*32+26) /* has extended APICID (8 bits) */
370 
+-#define X86_FEATURE_AMD_DCM     ( 3*32+27) /* multi-node processor */
371 
+-#define X86_FEATURE_APERFMPERF	( 3*32+28) /* APERFMPERF */
372 
+-#define X86_FEATURE_EAGER_FPU	( 3*32+29) /* "eagerfpu" Non lazy FPU restore */
373 
+-#define X86_FEATURE_NONSTOP_TSC_S3 ( 3*32+30) /* TSC doesn't stop in S3 state */
374 
+-
375 
+-/* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */
376 
+-#define X86_FEATURE_XMM3	( 4*32+ 0) /* "pni" SSE-3 */
377 
+-#define X86_FEATURE_PCLMULQDQ	( 4*32+ 1) /* PCLMULQDQ instruction */
378 
+-#define X86_FEATURE_DTES64	( 4*32+ 2) /* 64-bit Debug Store */
379 
+-#define X86_FEATURE_MWAIT	( 4*32+ 3) /* "monitor" Monitor/Mwait support */
380 
+-#define X86_FEATURE_DSCPL	( 4*32+ 4) /* "ds_cpl" CPL Qual. Debug Store */
381 
+-#define X86_FEATURE_VMX		( 4*32+ 5) /* Hardware virtualization */
382 
+-#define X86_FEATURE_SMX		( 4*32+ 6) /* Safer mode */
383 
+-#define X86_FEATURE_EST		( 4*32+ 7) /* Enhanced SpeedStep */
384 
+-#define X86_FEATURE_TM2		( 4*32+ 8) /* Thermal Monitor 2 */
385 
+-#define X86_FEATURE_SSSE3	( 4*32+ 9) /* Supplemental SSE-3 */
386 
+-#define X86_FEATURE_CID		( 4*32+10) /* Context ID */
387 
+-#define X86_FEATURE_SDBG	( 4*32+11) /* Silicon Debug */
388 
+-#define X86_FEATURE_FMA		( 4*32+12) /* Fused multiply-add */
389 
+-#define X86_FEATURE_CX16	( 4*32+13) /* CMPXCHG16B */
390 
+-#define X86_FEATURE_XTPR	( 4*32+14) /* Send Task Priority Messages */
391 
+-#define X86_FEATURE_PDCM	( 4*32+15) /* Performance Capabilities */
392 
+-#define X86_FEATURE_PCID	( 4*32+17) /* Process Context Identifiers */
393 
+-#define X86_FEATURE_DCA		( 4*32+18) /* Direct Cache Access */
394 
+-#define X86_FEATURE_XMM4_1	( 4*32+19) /* "sse4_1" SSE-4.1 */
395 
+-#define X86_FEATURE_XMM4_2	( 4*32+20) /* "sse4_2" SSE-4.2 */
396 
+-#define X86_FEATURE_X2APIC	( 4*32+21) /* x2APIC */
397 
+-#define X86_FEATURE_MOVBE	( 4*32+22) /* MOVBE instruction */
398 
+-#define X86_FEATURE_POPCNT      ( 4*32+23) /* POPCNT instruction */
399 
+-#define X86_FEATURE_TSC_DEADLINE_TIMER	( 4*32+24) /* Tsc deadline timer */
400 
+-#define X86_FEATURE_AES		( 4*32+25) /* AES instructions */
401 
+-#define X86_FEATURE_XSAVE	( 4*32+26) /* XSAVE/XRSTOR/XSETBV/XGETBV */
402 
+-#define X86_FEATURE_OSXSAVE	( 4*32+27) /* "" XSAVE enabled in the OS */
403 
+-#define X86_FEATURE_AVX		( 4*32+28) /* Advanced Vector Extensions */
404 
+-#define X86_FEATURE_F16C	( 4*32+29) /* 16-bit fp conversions */
405 
+-#define X86_FEATURE_RDRAND	( 4*32+30) /* The RDRAND instruction */
406 
+-#define X86_FEATURE_HYPERVISOR	( 4*32+31) /* Running on a hypervisor */
407 
+-
408 
+-/* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
409 
+-#define X86_FEATURE_XSTORE	( 5*32+ 2) /* "rng" RNG present (xstore) */
410 
+-#define X86_FEATURE_XSTORE_EN	( 5*32+ 3) /* "rng_en" RNG enabled */
411 
+-#define X86_FEATURE_XCRYPT	( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */
412 
+-#define X86_FEATURE_XCRYPT_EN	( 5*32+ 7) /* "ace_en" on-CPU crypto enabled */
413 
+-#define X86_FEATURE_ACE2	( 5*32+ 8) /* Advanced Cryptography Engine v2 */
414 
+-#define X86_FEATURE_ACE2_EN	( 5*32+ 9) /* ACE v2 enabled */
415 
+-#define X86_FEATURE_PHE		( 5*32+10) /* PadLock Hash Engine */
416 
+-#define X86_FEATURE_PHE_EN	( 5*32+11) /* PHE enabled */
417 
+-#define X86_FEATURE_PMM		( 5*32+12) /* PadLock Montgomery Multiplier */
418 
+-#define X86_FEATURE_PMM_EN	( 5*32+13) /* PMM enabled */
419 
+-
420 
+-/* More extended AMD flags: CPUID level 0x80000001, ecx, word 6 */
421 
+-#define X86_FEATURE_LAHF_LM	( 6*32+ 0) /* LAHF/SAHF in long mode */
422 
+-#define X86_FEATURE_CMP_LEGACY	( 6*32+ 1) /* If yes HyperThreading not valid */
423 
+-#define X86_FEATURE_SVM		( 6*32+ 2) /* Secure virtual machine */
424 
+-#define X86_FEATURE_EXTAPIC	( 6*32+ 3) /* Extended APIC space */
425 
+-#define X86_FEATURE_CR8_LEGACY	( 6*32+ 4) /* CR8 in 32-bit mode */
426 
+-#define X86_FEATURE_ABM		( 6*32+ 5) /* Advanced bit manipulation */
427 
+-#define X86_FEATURE_SSE4A	( 6*32+ 6) /* SSE-4A */
428 
+-#define X86_FEATURE_MISALIGNSSE ( 6*32+ 7) /* Misaligned SSE mode */
429 
+-#define X86_FEATURE_3DNOWPREFETCH ( 6*32+ 8) /* 3DNow prefetch instructions */
430 
+-#define X86_FEATURE_OSVW	( 6*32+ 9) /* OS Visible Workaround */
431 
+-#define X86_FEATURE_IBS		( 6*32+10) /* Instruction Based Sampling */
432 
+-#define X86_FEATURE_XOP		( 6*32+11) /* extended AVX instructions */
433 
+-#define X86_FEATURE_SKINIT	( 6*32+12) /* SKINIT/STGI instructions */
434 
+-#define X86_FEATURE_WDT		( 6*32+13) /* Watchdog timer */
435 
+-#define X86_FEATURE_LWP		( 6*32+15) /* Light Weight Profiling */
436 
+-#define X86_FEATURE_FMA4	( 6*32+16) /* 4 operands MAC instructions */
437 
+-#define X86_FEATURE_TCE		( 6*32+17) /* translation cache extension */
438 
+-#define X86_FEATURE_NODEID_MSR	( 6*32+19) /* NodeId MSR */
439 
+-#define X86_FEATURE_TBM		( 6*32+21) /* trailing bit manipulations */
440 
+-#define X86_FEATURE_TOPOEXT	( 6*32+22) /* topology extensions CPUID leafs */
441 
+-#define X86_FEATURE_PERFCTR_CORE ( 6*32+23) /* core performance counter extensions */
442 
+-#define X86_FEATURE_PERFCTR_NB  ( 6*32+24) /* NB performance counter extensions */
443 
+-#define X86_FEATURE_BPEXT	(6*32+26) /* data breakpoint extension */
444 
+-#define X86_FEATURE_PERFCTR_L2	( 6*32+28) /* L2 performance counter extensions */
445 
+-#define X86_FEATURE_MWAITX	( 6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
446 
+-
447 
+-/*
448 
+- * Auxiliary flags: Linux defined - For features scattered in various
449 
+- * CPUID levels like 0x6, 0xA etc, word 7.
450 
+- *
451 
+- * Reuse free bits when adding new feature flags!
452 
+- */
453 
+-
454 
+-#define X86_FEATURE_CPB		( 7*32+ 2) /* AMD Core Performance Boost */
455 
+-#define X86_FEATURE_EPB		( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */
456 
+-#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 4) /* Effectively INVPCID && CR4.PCIDE=1 */
457 
+-
458 
+-#define X86_FEATURE_HW_PSTATE	( 7*32+ 8) /* AMD HW-PState */
459 
+-#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
460 
+-
461 
+-#define X86_FEATURE_INTEL_PT	( 7*32+15) /* Intel Processor Trace */
462 
+-#define X86_FEATURE_RSB_CTXSW	( 7*32+19) /* Fill RSB on context switches */
463 
+-
464 
+-#define X86_FEATURE_RETPOLINE	( 7*32+29) /* Generic Retpoline mitigation for Spectre variant 2 */
465 
+-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* AMD Retpoline mitigation for Spectre variant 2 */
466 
+-/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
467 
+-#define X86_FEATURE_KAISER	( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
468 
+-
469 
+-/* Virtualization flags: Linux defined, word 8 */
470 
+-#define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
471 
+-#define X86_FEATURE_VNMI        ( 8*32+ 1) /* Intel Virtual NMI */
472 
+-#define X86_FEATURE_FLEXPRIORITY ( 8*32+ 2) /* Intel FlexPriority */
473 
+-#define X86_FEATURE_EPT         ( 8*32+ 3) /* Intel Extended Page Table */
474 
+-#define X86_FEATURE_VPID        ( 8*32+ 4) /* Intel Virtual Processor ID */
475 
+-
476 
+-#define X86_FEATURE_VMMCALL     ( 8*32+15) /* Prefer vmmcall to vmcall */
477 
+-#define X86_FEATURE_XENPV       ( 8*32+16) /* "" Xen paravirtual guest */
478 
+-
479 
+-
480 
+-/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
481 
+-#define X86_FEATURE_FSGSBASE	( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
482 
+-#define X86_FEATURE_TSC_ADJUST	( 9*32+ 1) /* TSC adjustment MSR 0x3b */
483 
+-#define X86_FEATURE_BMI1	( 9*32+ 3) /* 1st group bit manipulation extensions */
484 
+-#define X86_FEATURE_HLE		( 9*32+ 4) /* Hardware Lock Elision */
485 
+-#define X86_FEATURE_AVX2	( 9*32+ 5) /* AVX2 instructions */
486 
+-#define X86_FEATURE_SMEP	( 9*32+ 7) /* Supervisor Mode Execution Protection */
487 
+-#define X86_FEATURE_BMI2	( 9*32+ 8) /* 2nd group bit manipulation extensions */
488 
+-#define X86_FEATURE_ERMS	( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */
489 
+-#define X86_FEATURE_INVPCID	( 9*32+10) /* Invalidate Processor Context ID */
490 
+-#define X86_FEATURE_RTM		( 9*32+11) /* Restricted Transactional Memory */
491 
+-#define X86_FEATURE_CQM		( 9*32+12) /* Cache QoS Monitoring */
492 
+-#define X86_FEATURE_MPX		( 9*32+14) /* Memory Protection Extension */
493 
+-#define X86_FEATURE_AVX512F	( 9*32+16) /* AVX-512 Foundation */
494 
+-#define X86_FEATURE_RDSEED	( 9*32+18) /* The RDSEED instruction */
495 
+-#define X86_FEATURE_ADX		( 9*32+19) /* The ADCX and ADOX instructions */
496 
+-#define X86_FEATURE_SMAP	( 9*32+20) /* Supervisor Mode Access Prevention */
497 
+-#define X86_FEATURE_PCOMMIT	( 9*32+22) /* PCOMMIT instruction */
498 
+-#define X86_FEATURE_CLFLUSHOPT	( 9*32+23) /* CLFLUSHOPT instruction */
499 
+-#define X86_FEATURE_CLWB	( 9*32+24) /* CLWB instruction */
500 
+-#define X86_FEATURE_AVX512PF	( 9*32+26) /* AVX-512 Prefetch */
501 
+-#define X86_FEATURE_AVX512ER	( 9*32+27) /* AVX-512 Exponential and Reciprocal */
502 
+-#define X86_FEATURE_AVX512CD	( 9*32+28) /* AVX-512 Conflict Detection */
503 
+-#define X86_FEATURE_SHA_NI	( 9*32+29) /* SHA1/SHA256 Instruction Extensions */
504 
+-
505 
+-/* Extended state features, CPUID level 0x0000000d:1 (eax), word 10 */
506 
+-#define X86_FEATURE_XSAVEOPT	(10*32+ 0) /* XSAVEOPT */
507 
+-#define X86_FEATURE_XSAVEC	(10*32+ 1) /* XSAVEC */
508 
+-#define X86_FEATURE_XGETBV1	(10*32+ 2) /* XGETBV with ECX = 1 */
509 
+-#define X86_FEATURE_XSAVES	(10*32+ 3) /* XSAVES/XRSTORS */
510 
+-
511 
+-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (edx), word 11 */
512 
+-#define X86_FEATURE_CQM_LLC	(11*32+ 1) /* LLC QoS if 1 */
513 
+-
514 
+-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (edx), word 12 */
515 
+-#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring if 1 */
516 
+-
517 
+-/* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
518 
+-#define X86_FEATURE_CLZERO	(13*32+0) /* CLZERO instruction */
519 
+-
520 
+-/* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
521 
+-#define X86_FEATURE_DTHERM	(14*32+ 0) /* Digital Thermal Sensor */
522 
+-#define X86_FEATURE_IDA		(14*32+ 1) /* Intel Dynamic Acceleration */
523 
+-#define X86_FEATURE_ARAT	(14*32+ 2) /* Always Running APIC Timer */
524 
+-#define X86_FEATURE_PLN		(14*32+ 4) /* Intel Power Limit Notification */
525 
+-#define X86_FEATURE_PTS		(14*32+ 6) /* Intel Package Thermal Status */
526 
+-#define X86_FEATURE_HWP		(14*32+ 7) /* Intel Hardware P-states */
527 
+-#define X86_FEATURE_HWP_NOTIFY	(14*32+ 8) /* HWP Notification */
528 
+-#define X86_FEATURE_HWP_ACT_WINDOW (14*32+ 9) /* HWP Activity Window */
529 
+-#define X86_FEATURE_HWP_EPP	(14*32+10) /* HWP Energy Perf. Preference */
530 
+-#define X86_FEATURE_HWP_PKG_REQ (14*32+11) /* HWP Package Level Request */
531 
+-
532 
+-/* AMD SVM Feature Identification, CPUID level 0x8000000a (edx), word 15 */
533 
+-#define X86_FEATURE_NPT		(15*32+ 0) /* Nested Page Table support */
534 
+-#define X86_FEATURE_LBRV	(15*32+ 1) /* LBR Virtualization support */
535 
+-#define X86_FEATURE_SVML	(15*32+ 2) /* "svm_lock" SVM locking MSR */
536 
+-#define X86_FEATURE_NRIPS	(15*32+ 3) /* "nrip_save" SVM next_rip save */
537 
+-#define X86_FEATURE_TSCRATEMSR  (15*32+ 4) /* "tsc_scale" TSC scaling support */
538 
+-#define X86_FEATURE_VMCBCLEAN   (15*32+ 5) /* "vmcb_clean" VMCB clean bits support */
539 
+-#define X86_FEATURE_FLUSHBYASID (15*32+ 6) /* flush-by-ASID support */
540 
+-#define X86_FEATURE_DECODEASSISTS (15*32+ 7) /* Decode Assists support */
541 
+-#define X86_FEATURE_PAUSEFILTER (15*32+10) /* filtered pause intercept */
542 
+-#define X86_FEATURE_PFTHRESHOLD (15*32+12) /* pause filter threshold */
543 
+-
544 
+-/*
545 
+- * BUG word(s)
546 
+- */
547 
+-#define X86_BUG(x)		(NCAPINTS*32 + (x))
548 
+-
549 
+-#define X86_BUG_F00F		X86_BUG(0) /* Intel F00F */
550 
+-#define X86_BUG_FDIV		X86_BUG(1) /* FPU FDIV */
551 
+-#define X86_BUG_COMA		X86_BUG(2) /* Cyrix 6x86 coma */
552 
+-#define X86_BUG_AMD_TLB_MMATCH	X86_BUG(3) /* "tlb_mmatch" AMD Erratum 383 */
553 
+-#define X86_BUG_AMD_APIC_C1E	X86_BUG(4) /* "apic_c1e" AMD Erratum 400 */
554 
+-#define X86_BUG_11AP		X86_BUG(5) /* Bad local APIC aka 11AP */
555 
+-#define X86_BUG_FXSAVE_LEAK	X86_BUG(6) /* FXSAVE leaks FOP/FIP/FOP */
556 
+-#define X86_BUG_CLFLUSH_MONITOR	X86_BUG(7) /* AAI65, CLFLUSH required before MONITOR */
557 
+-#define X86_BUG_SYSRET_SS_ATTRS	X86_BUG(8) /* SYSRET doesn't fix up SS attrs */
558 
+-#define X86_BUG_CPU_MELTDOWN	X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
559 
+-#define X86_BUG_SPECTRE_V1	X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
560 
+-#define X86_BUG_SPECTRE_V2	X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
561 
++#include <asm/processor.h>
562 
+
563 
+ #if defined(__KERNEL__) && !defined(__ASSEMBLY__)
564 
+
565 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
566 
+new file mode 100644
567 
+index 0000000..5dab071
568 
+--- /dev/null
569 
+@@ -0,0 +1,297 @@
570 
++#ifndef _ASM_X86_CPUFEATURES_H
571 
++#define _ASM_X86_CPUFEATURES_H
572 
++
573 
++#ifndef _ASM_X86_REQUIRED_FEATURES_H
574 
++#include <asm/required-features.h>
575 
++#endif
576 
++
577 
++#ifndef _ASM_X86_DISABLED_FEATURES_H
578 
++#include <asm/disabled-features.h>
579 
++#endif
580 
++
581 
++/*
582 
++ * Defines x86 CPU feature bits
583 
++ */
584 
++#define NCAPINTS	16	/* N 32-bit words worth of info */
585 
++#define NBUGINTS	1	/* N 32-bit bug flags */
586 
++
587 
++/*
588 
++ * Note: If the comment begins with a quoted string, that string is used
589 
++ * in /proc/cpuinfo instead of the macro name.  If the string is "",
590 
++ * this feature bit is not displayed in /proc/cpuinfo at all.
591 
++ */
592 
++
593 
++/* Intel-defined CPU features, CPUID level 0x00000001 (edx), word 0 */
594 
++#define X86_FEATURE_FPU		( 0*32+ 0) /* Onboard FPU */
595 
++#define X86_FEATURE_VME		( 0*32+ 1) /* Virtual Mode Extensions */
596 
++#define X86_FEATURE_DE		( 0*32+ 2) /* Debugging Extensions */
597 
++#define X86_FEATURE_PSE		( 0*32+ 3) /* Page Size Extensions */
598 
++#define X86_FEATURE_TSC		( 0*32+ 4) /* Time Stamp Counter */
599 
++#define X86_FEATURE_MSR		( 0*32+ 5) /* Model-Specific Registers */
600 
++#define X86_FEATURE_PAE		( 0*32+ 6) /* Physical Address Extensions */
601 
++#define X86_FEATURE_MCE		( 0*32+ 7) /* Machine Check Exception */
602 
++#define X86_FEATURE_CX8		( 0*32+ 8) /* CMPXCHG8 instruction */
603 
++#define X86_FEATURE_APIC	( 0*32+ 9) /* Onboard APIC */
604 
++#define X86_FEATURE_SEP		( 0*32+11) /* SYSENTER/SYSEXIT */
605 
++#define X86_FEATURE_MTRR	( 0*32+12) /* Memory Type Range Registers */
606 
++#define X86_FEATURE_PGE		( 0*32+13) /* Page Global Enable */
607 
++#define X86_FEATURE_MCA		( 0*32+14) /* Machine Check Architecture */
608 
++#define X86_FEATURE_CMOV	( 0*32+15) /* CMOV instructions */
609 
++					  /* (plus FCMOVcc, FCOMI with FPU) */
610 
++#define X86_FEATURE_PAT		( 0*32+16) /* Page Attribute Table */
611 
++#define X86_FEATURE_PSE36	( 0*32+17) /* 36-bit PSEs */
612 
++#define X86_FEATURE_PN		( 0*32+18) /* Processor serial number */
613 
++#define X86_FEATURE_CLFLUSH	( 0*32+19) /* CLFLUSH instruction */
614 
++#define X86_FEATURE_DS		( 0*32+21) /* "dts" Debug Store */
615 
++#define X86_FEATURE_ACPI	( 0*32+22) /* ACPI via MSR */
616 
++#define X86_FEATURE_MMX		( 0*32+23) /* Multimedia Extensions */
617 
++#define X86_FEATURE_FXSR	( 0*32+24) /* FXSAVE/FXRSTOR, CR4.OSFXSR */
618 
++#define X86_FEATURE_XMM		( 0*32+25) /* "sse" */
619 
++#define X86_FEATURE_XMM2	( 0*32+26) /* "sse2" */
620 
++#define X86_FEATURE_SELFSNOOP	( 0*32+27) /* "ss" CPU self snoop */
621 
++#define X86_FEATURE_HT		( 0*32+28) /* Hyper-Threading */
622 
++#define X86_FEATURE_ACC		( 0*32+29) /* "tm" Automatic clock control */
623 
++#define X86_FEATURE_IA64	( 0*32+30) /* IA-64 processor */
624 
++#define X86_FEATURE_PBE		( 0*32+31) /* Pending Break Enable */
625 
++
626 
++/* AMD-defined CPU features, CPUID level 0x80000001, word 1 */
627 
++/* Don't duplicate feature flags which are redundant with Intel! */
628 
++#define X86_FEATURE_SYSCALL	( 1*32+11) /* SYSCALL/SYSRET */
629 
++#define X86_FEATURE_MP		( 1*32+19) /* MP Capable. */
630 
++#define X86_FEATURE_NX		( 1*32+20) /* Execute Disable */
631 
++#define X86_FEATURE_MMXEXT	( 1*32+22) /* AMD MMX extensions */
632 
++#define X86_FEATURE_FXSR_OPT	( 1*32+25) /* FXSAVE/FXRSTOR optimizations */
633 
++#define X86_FEATURE_GBPAGES	( 1*32+26) /* "pdpe1gb" GB pages */
634 
++#define X86_FEATURE_RDTSCP	( 1*32+27) /* RDTSCP */
635 
++#define X86_FEATURE_LM		( 1*32+29) /* Long Mode (x86-64) */
636 
++#define X86_FEATURE_3DNOWEXT	( 1*32+30) /* AMD 3DNow! extensions */
637 
++#define X86_FEATURE_3DNOW	( 1*32+31) /* 3DNow! */
638 
++
639 
++/* Transmeta-defined CPU features, CPUID level 0x80860001, word 2 */
640 
++#define X86_FEATURE_RECOVERY	( 2*32+ 0) /* CPU in recovery mode */
641 
++#define X86_FEATURE_LONGRUN	( 2*32+ 1) /* Longrun power control */
642 
++#define X86_FEATURE_LRTI	( 2*32+ 3) /* LongRun table interface */
643 
++
644 
++/* Other features, Linux-defined mapping, word 3 */
645 
++/* This range is used for feature bits which conflict or are synthesized */
646 
++#define X86_FEATURE_CXMMX	( 3*32+ 0) /* Cyrix MMX extensions */
647 
++#define X86_FEATURE_K6_MTRR	( 3*32+ 1) /* AMD K6 nonstandard MTRRs */
648 
++#define X86_FEATURE_CYRIX_ARR	( 3*32+ 2) /* Cyrix ARRs (= MTRRs) */
649 
++#define X86_FEATURE_CENTAUR_MCR	( 3*32+ 3) /* Centaur MCRs (= MTRRs) */
650 
++/* cpu types for specific tunings: */
651 
++#define X86_FEATURE_K8		( 3*32+ 4) /* "" Opteron, Athlon64 */
652 
++#define X86_FEATURE_K7		( 3*32+ 5) /* "" Athlon */
653 
++#define X86_FEATURE_P3		( 3*32+ 6) /* "" P3 */
654 
++#define X86_FEATURE_P4		( 3*32+ 7) /* "" P4 */
655 
++#define X86_FEATURE_CONSTANT_TSC ( 3*32+ 8) /* TSC ticks at a constant rate */
656 
++#define X86_FEATURE_UP		( 3*32+ 9) /* smp kernel running on up */
657 
++/* free, was #define X86_FEATURE_FXSAVE_LEAK ( 3*32+10) * "" FXSAVE leaks FOP/FIP/FOP */
658 
++#define X86_FEATURE_ARCH_PERFMON ( 3*32+11) /* Intel Architectural PerfMon */
659 
++#define X86_FEATURE_PEBS	( 3*32+12) /* Precise-Event Based Sampling */
660 
++#define X86_FEATURE_BTS		( 3*32+13) /* Branch Trace Store */
661 
++#define X86_FEATURE_SYSCALL32	( 3*32+14) /* "" syscall in ia32 userspace */
662 
++#define X86_FEATURE_SYSENTER32	( 3*32+15) /* "" sysenter in ia32 userspace */
663 
++#define X86_FEATURE_REP_GOOD	( 3*32+16) /* rep microcode works well */
664 
++#define X86_FEATURE_MFENCE_RDTSC ( 3*32+17) /* "" Mfence synchronizes RDTSC */
665 
++#define X86_FEATURE_LFENCE_RDTSC ( 3*32+18) /* "" Lfence synchronizes RDTSC */
666 
++/* free, was #define X86_FEATURE_11AP	( 3*32+19) * "" Bad local APIC aka 11AP */
667 
++#define X86_FEATURE_NOPL	( 3*32+20) /* The NOPL (0F 1F) instructions */
668 
++#define X86_FEATURE_ALWAYS	( 3*32+21) /* "" Always-present feature */
669 
++#define X86_FEATURE_XTOPOLOGY	( 3*32+22) /* cpu topology enum extensions */
670 
++#define X86_FEATURE_TSC_RELIABLE ( 3*32+23) /* TSC is known to be reliable */
671 
++#define X86_FEATURE_NONSTOP_TSC	( 3*32+24) /* TSC does not stop in C states */
672 
++/* free, was #define X86_FEATURE_CLFLUSH_MONITOR ( 3*32+25) * "" clflush reqd with monitor */
673 
++#define X86_FEATURE_EXTD_APICID	( 3*32+26) /* has extended APICID (8 bits) */
674 
++#define X86_FEATURE_AMD_DCM     ( 3*32+27) /* multi-node processor */
675 
++#define X86_FEATURE_APERFMPERF	( 3*32+28) /* APERFMPERF */
676 
++#define X86_FEATURE_EAGER_FPU	( 3*32+29) /* "eagerfpu" Non lazy FPU restore */
677 
++#define X86_FEATURE_NONSTOP_TSC_S3 ( 3*32+30) /* TSC doesn't stop in S3 state */
678 
++
679 
++/* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */
680 
++#define X86_FEATURE_XMM3	( 4*32+ 0) /* "pni" SSE-3 */
681 
++#define X86_FEATURE_PCLMULQDQ	( 4*32+ 1) /* PCLMULQDQ instruction */
682 
++#define X86_FEATURE_DTES64	( 4*32+ 2) /* 64-bit Debug Store */
683 
++#define X86_FEATURE_MWAIT	( 4*32+ 3) /* "monitor" Monitor/Mwait support */
684 
++#define X86_FEATURE_DSCPL	( 4*32+ 4) /* "ds_cpl" CPL Qual. Debug Store */
685 
++#define X86_FEATURE_VMX		( 4*32+ 5) /* Hardware virtualization */
686 
++#define X86_FEATURE_SMX		( 4*32+ 6) /* Safer mode */
687 
++#define X86_FEATURE_EST		( 4*32+ 7) /* Enhanced SpeedStep */
688 
++#define X86_FEATURE_TM2		( 4*32+ 8) /* Thermal Monitor 2 */
689 
++#define X86_FEATURE_SSSE3	( 4*32+ 9) /* Supplemental SSE-3 */
690 
++#define X86_FEATURE_CID		( 4*32+10) /* Context ID */
691 
++#define X86_FEATURE_SDBG	( 4*32+11) /* Silicon Debug */
692 
++#define X86_FEATURE_FMA		( 4*32+12) /* Fused multiply-add */
693 
++#define X86_FEATURE_CX16	( 4*32+13) /* CMPXCHG16B */
694 
++#define X86_FEATURE_XTPR	( 4*32+14) /* Send Task Priority Messages */
695 
++#define X86_FEATURE_PDCM	( 4*32+15) /* Performance Capabilities */
696 
++#define X86_FEATURE_PCID	( 4*32+17) /* Process Context Identifiers */
697 
++#define X86_FEATURE_DCA		( 4*32+18) /* Direct Cache Access */
698 
++#define X86_FEATURE_XMM4_1	( 4*32+19) /* "sse4_1" SSE-4.1 */
699 
++#define X86_FEATURE_XMM4_2	( 4*32+20) /* "sse4_2" SSE-4.2 */
700 
++#define X86_FEATURE_X2APIC	( 4*32+21) /* x2APIC */
701 
++#define X86_FEATURE_MOVBE	( 4*32+22) /* MOVBE instruction */
702 
++#define X86_FEATURE_POPCNT      ( 4*32+23) /* POPCNT instruction */
703 
++#define X86_FEATURE_TSC_DEADLINE_TIMER	( 4*32+24) /* Tsc deadline timer */
704 
++#define X86_FEATURE_AES		( 4*32+25) /* AES instructions */
705 
++#define X86_FEATURE_XSAVE	( 4*32+26) /* XSAVE/XRSTOR/XSETBV/XGETBV */
706 
++#define X86_FEATURE_OSXSAVE	( 4*32+27) /* "" XSAVE enabled in the OS */
707 
++#define X86_FEATURE_AVX		( 4*32+28) /* Advanced Vector Extensions */
708 
++#define X86_FEATURE_F16C	( 4*32+29) /* 16-bit fp conversions */
709 
++#define X86_FEATURE_RDRAND	( 4*32+30) /* The RDRAND instruction */
710 
++#define X86_FEATURE_HYPERVISOR	( 4*32+31) /* Running on a hypervisor */
711 
++
712 
++/* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
713 
++#define X86_FEATURE_XSTORE	( 5*32+ 2) /* "rng" RNG present (xstore) */
714 
++#define X86_FEATURE_XSTORE_EN	( 5*32+ 3) /* "rng_en" RNG enabled */
715 
++#define X86_FEATURE_XCRYPT	( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */
716 
++#define X86_FEATURE_XCRYPT_EN	( 5*32+ 7) /* "ace_en" on-CPU crypto enabled */
717 
++#define X86_FEATURE_ACE2	( 5*32+ 8) /* Advanced Cryptography Engine v2 */
718 
++#define X86_FEATURE_ACE2_EN	( 5*32+ 9) /* ACE v2 enabled */
719 
++#define X86_FEATURE_PHE		( 5*32+10) /* PadLock Hash Engine */
720 
++#define X86_FEATURE_PHE_EN	( 5*32+11) /* PHE enabled */
721 
++#define X86_FEATURE_PMM		( 5*32+12) /* PadLock Montgomery Multiplier */
722 
++#define X86_FEATURE_PMM_EN	( 5*32+13) /* PMM enabled */
723 
++
724 
++/* More extended AMD flags: CPUID level 0x80000001, ecx, word 6 */
725 
++#define X86_FEATURE_LAHF_LM	( 6*32+ 0) /* LAHF/SAHF in long mode */
726 
++#define X86_FEATURE_CMP_LEGACY	( 6*32+ 1) /* If yes HyperThreading not valid */
727 
++#define X86_FEATURE_SVM		( 6*32+ 2) /* Secure virtual machine */
728 
++#define X86_FEATURE_EXTAPIC	( 6*32+ 3) /* Extended APIC space */
729 
++#define X86_FEATURE_CR8_LEGACY	( 6*32+ 4) /* CR8 in 32-bit mode */
730 
++#define X86_FEATURE_ABM		( 6*32+ 5) /* Advanced bit manipulation */
731 
++#define X86_FEATURE_SSE4A	( 6*32+ 6) /* SSE-4A */
732 
++#define X86_FEATURE_MISALIGNSSE ( 6*32+ 7) /* Misaligned SSE mode */
733 
++#define X86_FEATURE_3DNOWPREFETCH ( 6*32+ 8) /* 3DNow prefetch instructions */
734 
++#define X86_FEATURE_OSVW	( 6*32+ 9) /* OS Visible Workaround */
735 
++#define X86_FEATURE_IBS		( 6*32+10) /* Instruction Based Sampling */
736 
++#define X86_FEATURE_XOP		( 6*32+11) /* extended AVX instructions */
737 
++#define X86_FEATURE_SKINIT	( 6*32+12) /* SKINIT/STGI instructions */
738 
++#define X86_FEATURE_WDT		( 6*32+13) /* Watchdog timer */
739 
++#define X86_FEATURE_LWP		( 6*32+15) /* Light Weight Profiling */
740 
++#define X86_FEATURE_FMA4	( 6*32+16) /* 4 operands MAC instructions */
741 
++#define X86_FEATURE_TCE		( 6*32+17) /* translation cache extension */
742 
++#define X86_FEATURE_NODEID_MSR	( 6*32+19) /* NodeId MSR */
743 
++#define X86_FEATURE_TBM		( 6*32+21) /* trailing bit manipulations */
744 
++#define X86_FEATURE_TOPOEXT	( 6*32+22) /* topology extensions CPUID leafs */
745 
++#define X86_FEATURE_PERFCTR_CORE ( 6*32+23) /* core performance counter extensions */
746 
++#define X86_FEATURE_PERFCTR_NB  ( 6*32+24) /* NB performance counter extensions */
747 
++#define X86_FEATURE_BPEXT	(6*32+26) /* data breakpoint extension */
748 
++#define X86_FEATURE_PERFCTR_L2	( 6*32+28) /* L2 performance counter extensions */
749 
++#define X86_FEATURE_MWAITX	( 6*32+29) /* MWAIT extension (MONITORX/MWAITX) */
750 
++
751 
++/*
752 
++ * Auxiliary flags: Linux defined - For features scattered in various
753 
++ * CPUID levels like 0x6, 0xA etc, word 7.
754 
++ *
755 
++ * Reuse free bits when adding new feature flags!
756 
++ */
757 
++
758 
++#define X86_FEATURE_CPB		( 7*32+ 2) /* AMD Core Performance Boost */
759 
++#define X86_FEATURE_EPB		( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */
760 
++#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 4) /* Effectively INVPCID && CR4.PCIDE=1 */
761 
++
762 
++#define X86_FEATURE_HW_PSTATE	( 7*32+ 8) /* AMD HW-PState */
763 
++#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
764 
++
765 
++#define X86_FEATURE_INTEL_PT	( 7*32+15) /* Intel Processor Trace */
766 
++#define X86_FEATURE_RSB_CTXSW	( 7*32+19) /* Fill RSB on context switches */
767 
++
768 
++#define X86_FEATURE_RETPOLINE	( 7*32+29) /* Generic Retpoline mitigation for Spectre variant 2 */
769 
++#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* AMD Retpoline mitigation for Spectre variant 2 */
770 
++/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
771 
++#define X86_FEATURE_KAISER	( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
772 
++
773 
++/* Virtualization flags: Linux defined, word 8 */
774 
++#define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
775 
++#define X86_FEATURE_VNMI        ( 8*32+ 1) /* Intel Virtual NMI */
776 
++#define X86_FEATURE_FLEXPRIORITY ( 8*32+ 2) /* Intel FlexPriority */
777 
++#define X86_FEATURE_EPT         ( 8*32+ 3) /* Intel Extended Page Table */
778 
++#define X86_FEATURE_VPID        ( 8*32+ 4) /* Intel Virtual Processor ID */
779 
++
780 
++#define X86_FEATURE_VMMCALL     ( 8*32+15) /* Prefer vmmcall to vmcall */
781 
++#define X86_FEATURE_XENPV       ( 8*32+16) /* "" Xen paravirtual guest */
782 
++
783 
++
784 
++/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
785 
++#define X86_FEATURE_FSGSBASE	( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
786 
++#define X86_FEATURE_TSC_ADJUST	( 9*32+ 1) /* TSC adjustment MSR 0x3b */
787 
++#define X86_FEATURE_BMI1	( 9*32+ 3) /* 1st group bit manipulation extensions */
788 
++#define X86_FEATURE_HLE		( 9*32+ 4) /* Hardware Lock Elision */
789 
++#define X86_FEATURE_AVX2	( 9*32+ 5) /* AVX2 instructions */
790 
++#define X86_FEATURE_SMEP	( 9*32+ 7) /* Supervisor Mode Execution Protection */
791 
++#define X86_FEATURE_BMI2	( 9*32+ 8) /* 2nd group bit manipulation extensions */
792 
++#define X86_FEATURE_ERMS	( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */
793 
++#define X86_FEATURE_INVPCID	( 9*32+10) /* Invalidate Processor Context ID */
794 
++#define X86_FEATURE_RTM		( 9*32+11) /* Restricted Transactional Memory */
795 
++#define X86_FEATURE_CQM		( 9*32+12) /* Cache QoS Monitoring */
796 
++#define X86_FEATURE_MPX		( 9*32+14) /* Memory Protection Extension */
797 
++#define X86_FEATURE_AVX512F	( 9*32+16) /* AVX-512 Foundation */
798 
++#define X86_FEATURE_RDSEED	( 9*32+18) /* The RDSEED instruction */
799 
++#define X86_FEATURE_ADX		( 9*32+19) /* The ADCX and ADOX instructions */
800 
++#define X86_FEATURE_SMAP	( 9*32+20) /* Supervisor Mode Access Prevention */
801 
++#define X86_FEATURE_PCOMMIT	( 9*32+22) /* PCOMMIT instruction */
802 
++#define X86_FEATURE_CLFLUSHOPT	( 9*32+23) /* CLFLUSHOPT instruction */
803 
++#define X86_FEATURE_CLWB	( 9*32+24) /* CLWB instruction */
804 
++#define X86_FEATURE_AVX512PF	( 9*32+26) /* AVX-512 Prefetch */
805 
++#define X86_FEATURE_AVX512ER	( 9*32+27) /* AVX-512 Exponential and Reciprocal */
806 
++#define X86_FEATURE_AVX512CD	( 9*32+28) /* AVX-512 Conflict Detection */
807 
++#define X86_FEATURE_SHA_NI	( 9*32+29) /* SHA1/SHA256 Instruction Extensions */
808 
++
809 
++/* Extended state features, CPUID level 0x0000000d:1 (eax), word 10 */
810 
++#define X86_FEATURE_XSAVEOPT	(10*32+ 0) /* XSAVEOPT */
811 
++#define X86_FEATURE_XSAVEC	(10*32+ 1) /* XSAVEC */
812 
++#define X86_FEATURE_XGETBV1	(10*32+ 2) /* XGETBV with ECX = 1 */
813 
++#define X86_FEATURE_XSAVES	(10*32+ 3) /* XSAVES/XRSTORS */
814 
++
815 
++/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (edx), word 11 */
816 
++#define X86_FEATURE_CQM_LLC	(11*32+ 1) /* LLC QoS if 1 */
817 
++
818 
++/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (edx), word 12 */
819 
++#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring if 1 */
820 
++
821 
++/* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
822 
++#define X86_FEATURE_CLZERO	(13*32+0) /* CLZERO instruction */
823 
++
824 
++/* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
825 
++#define X86_FEATURE_DTHERM	(14*32+ 0) /* Digital Thermal Sensor */
826 
++#define X86_FEATURE_IDA		(14*32+ 1) /* Intel Dynamic Acceleration */
827 
++#define X86_FEATURE_ARAT	(14*32+ 2) /* Always Running APIC Timer */
828 
++#define X86_FEATURE_PLN		(14*32+ 4) /* Intel Power Limit Notification */
829 
++#define X86_FEATURE_PTS		(14*32+ 6) /* Intel Package Thermal Status */
830 
++#define X86_FEATURE_HWP		(14*32+ 7) /* Intel Hardware P-states */
831 
++#define X86_FEATURE_HWP_NOTIFY	(14*32+ 8) /* HWP Notification */
832 
++#define X86_FEATURE_HWP_ACT_WINDOW (14*32+ 9) /* HWP Activity Window */
833 
++#define X86_FEATURE_HWP_EPP	(14*32+10) /* HWP Energy Perf. Preference */
834 
++#define X86_FEATURE_HWP_PKG_REQ (14*32+11) /* HWP Package Level Request */
835 
++
836 
++/* AMD SVM Feature Identification, CPUID level 0x8000000a (edx), word 15 */
837 
++#define X86_FEATURE_NPT		(15*32+ 0) /* Nested Page Table support */
838 
++#define X86_FEATURE_LBRV	(15*32+ 1) /* LBR Virtualization support */
839 
++#define X86_FEATURE_SVML	(15*32+ 2) /* "svm_lock" SVM locking MSR */
840 
++#define X86_FEATURE_NRIPS	(15*32+ 3) /* "nrip_save" SVM next_rip save */
841 
++#define X86_FEATURE_TSCRATEMSR  (15*32+ 4) /* "tsc_scale" TSC scaling support */
842 
++#define X86_FEATURE_VMCBCLEAN   (15*32+ 5) /* "vmcb_clean" VMCB clean bits support */
843 
++#define X86_FEATURE_FLUSHBYASID (15*32+ 6) /* flush-by-ASID support */
844 
++#define X86_FEATURE_DECODEASSISTS (15*32+ 7) /* Decode Assists support */
845 
++#define X86_FEATURE_PAUSEFILTER (15*32+10) /* filtered pause intercept */
846 
++#define X86_FEATURE_PFTHRESHOLD (15*32+12) /* pause filter threshold */
847 
++
848 
++/*
849 
++ * BUG word(s)
850 
++ */
851 
++#define X86_BUG(x)		(NCAPINTS*32 + (x))
852 
++
853 
++#define X86_BUG_F00F		X86_BUG(0) /* Intel F00F */
854 
++#define X86_BUG_FDIV		X86_BUG(1) /* FPU FDIV */
855 
++#define X86_BUG_COMA		X86_BUG(2) /* Cyrix 6x86 coma */
856 
++#define X86_BUG_AMD_TLB_MMATCH	X86_BUG(3) /* "tlb_mmatch" AMD Erratum 383 */
857 
++#define X86_BUG_AMD_APIC_C1E	X86_BUG(4) /* "apic_c1e" AMD Erratum 400 */
858 
++#define X86_BUG_11AP		X86_BUG(5) /* Bad local APIC aka 11AP */
859 
++#define X86_BUG_FXSAVE_LEAK	X86_BUG(6) /* FXSAVE leaks FOP/FIP/FOP */
860 
++#define X86_BUG_CLFLUSH_MONITOR	X86_BUG(7) /* AAI65, CLFLUSH required before MONITOR */
861 
++#define X86_BUG_SYSRET_SS_ATTRS	X86_BUG(8) /* SYSRET doesn't fix up SS attrs */
862 
++#define X86_BUG_CPU_MELTDOWN	X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
863 
++#define X86_BUG_SPECTRE_V1	X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
864 
++#define X86_BUG_SPECTRE_V2	X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
865 
++
866 
++#endif /* _ASM_X86_CPUFEATURES_H */
867 
+diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
868 
+index eadcdd5..f9c14ab 100644
869 
+--- a/arch/x86/include/asm/fpu/internal.h
870 
+@@ -17,6 +17,7 @@
871 
+ #include <asm/user.h>
872 
+ #include <asm/fpu/api.h>
873 
+ #include <asm/fpu/xstate.h>
874 
++#include <asm/cpufeature.h>
875 
+
876 
+ /*
877 
+  * High level FPU state handling functions:
878 
+diff --git a/arch/x86/include/asm/irq_work.h b/arch/x86/include/asm/irq_work.h
879 
+index 78162f8..d0afb05 100644
880 
+--- a/arch/x86/include/asm/irq_work.h
881 
+@@ -1,7 +1,7 @@
882 
+ #ifndef _ASM_IRQ_WORK_H
883 
+ #define _ASM_IRQ_WORK_H
884 
+
885 
+-#include <asm/processor.h>
886 
++#include <asm/cpufeature.h>
887 
+
888 
+ static inline bool arch_irq_work_has_interrupt(void)
889 
+ {
890 
+diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h
891 
+index c70689b..0deeb2d 100644
892 
+--- a/arch/x86/include/asm/mwait.h
893 
+@@ -3,6 +3,8 @@
894 
+
895 
+ #include <linux/sched.h>
896 
+
897 
++#include <asm/cpufeature.h>
898 
++
899 
+ #define MWAIT_SUBSTATE_MASK		0xf
900 
+ #define MWAIT_CSTATE_MASK		0xf
901 
+ #define MWAIT_SUBSTATE_SIZE		4
902 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
903 
+index 249f1c7..8b91041 100644
904 
+--- a/arch/x86/include/asm/nospec-branch.h
905 
+@@ -5,7 +5,7 @@
906 
+
907 
+ #include <asm/alternative.h>
908 
+ #include <asm/alternative-asm.h>
909 
+-#include <asm/cpufeature.h>
910 
++#include <asm/cpufeatures.h>
911 
+
912 
+ /*
913 
+  * Fill the CPU return stack buffer.
914 
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
915 
+index 9e77cea..8e415cf 100644
916 
+--- a/arch/x86/include/asm/processor.h
917 
+@@ -13,7 +13,7 @@ struct vm86;
918 
+ #include <asm/types.h>
919 
+ #include <uapi/asm/sigcontext.h>
920 
+ #include <asm/current.h>
921 
+-#include <asm/cpufeature.h>
922 
++#include <asm/cpufeatures.h>
923 
+ #include <asm/page.h>
924 
+ #include <asm/pgtable_types.h>
925 
+ #include <asm/percpu.h>
926 
+@@ -24,7 +24,6 @@ struct vm86;
927 
+ #include <asm/fpu/types.h>
928 
+
929 
+ #include <linux/personality.h>
930 
+-#include <linux/cpumask.h>
931 
+ #include <linux/cache.h>
932 
+ #include <linux/threads.h>
933 
+ #include <linux/math64.h>
934 
+diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
935 
+index ba665eb..db33330 100644
936 
+--- a/arch/x86/include/asm/smap.h
937 
+@@ -15,7 +15,7 @@
938 
+
939 
+ #include <linux/stringify.h>
940 
+ #include <asm/nops.h>
941 
+-#include <asm/cpufeature.h>
942 
++#include <asm/cpufeatures.h>
943 
+
944 
+ /* "Raw" instruction opcodes */
945 
+ #define __ASM_CLAC	.byte 0x0f,0x01,0xca
946 
+diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
947 
+index a438c55..04d6eef 100644
948 
+--- a/arch/x86/include/asm/smp.h
949 
+@@ -16,7 +16,6 @@
950 
+ #endif
951 
+ #include <asm/thread_info.h>
952 
+ #include <asm/cpumask.h>
953 
+-#include <asm/cpufeature.h>
954 
+
955 
+ extern int smp_num_siblings;
956 
+ extern unsigned int num_processors;
957 
+diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
958 
+index 9b02820..18c9aaa 100644
959 
+--- a/arch/x86/include/asm/thread_info.h
960 
+@@ -49,7 +49,7 @@
961 
+  */
962 
+ #ifndef __ASSEMBLY__
963 
+ struct task_struct;
964 
+-#include <asm/processor.h>
965 
++#include <asm/cpufeature.h>
966 
+ #include <linux/atomic.h>
967 
+
968 
+ struct thread_info {
969 
+diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
970 
+index a691b66..e2a89d2 100644
971 
+--- a/arch/x86/include/asm/tlbflush.h
972 
+@@ -5,6 +5,7 @@
973 
+ #include <linux/sched.h>
974 
+
975 
+ #include <asm/processor.h>
976 
++#include <asm/cpufeature.h>
977 
+ #include <asm/special_insns.h>
978 
+ #include <asm/smp.h>
979 
+
980 
+diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
981 
+index f2f9b39..d83a55b 100644
982 
+--- a/arch/x86/include/asm/uaccess_64.h
983 
+@@ -8,7 +8,7 @@
984 
+ #include <linux/errno.h>
985 
+ #include <linux/lockdep.h>
986 
+ #include <asm/alternative.h>
987 
+-#include <asm/cpufeature.h>
988 
++#include <asm/cpufeatures.h>
989 
+ #include <asm/page.h>
990 
+
991 
+ /*
992 
+diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
993 
+index 8f18461..924b657 100644
994 
+--- a/arch/x86/kernel/cpu/Makefile
995 
+@@ -62,7 +62,7 @@ ifdef CONFIG_X86_FEATURE_NAMES
996 
+ quiet_cmd_mkcapflags = MKCAP   $@
997 
+       cmd_mkcapflags = $(CONFIG_SHELL) $(srctree)/$(src)/mkcapflags.sh $< $@
998 
+
999 
+-cpufeature = $(src)/../../include/asm/cpufeature.h
1000 
++cpufeature = $(src)/../../include/asm/cpufeatures.h
1001 
+
1002 
+ targets += capflags.c
1003 
+ $(obj)/capflags.c: $(cpufeature) $(src)/mkcapflags.sh FORCE
1004 
+diff --git a/arch/x86/kernel/cpu/centaur.c b/arch/x86/kernel/cpu/centaur.c
1005 
+index ae20be6..6608c03 100644
1006 
+--- a/arch/x86/kernel/cpu/centaur.c
1007 
+@@ -1,7 +1,7 @@
1008 
+ #include <linux/bitops.h>
1009 
+ #include <linux/kernel.h>
1010 
+
1011 
+-#include <asm/processor.h>
1012 
++#include <asm/cpufeature.h>
1013 
+ #include <asm/e820.h>
1014 
+ #include <asm/mtrr.h>
1015 
+ #include <asm/msr.h>
1016 
+diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c
1017 
+index aaf152e..15e47c1 100644
1018 
+--- a/arch/x86/kernel/cpu/cyrix.c
1019 
+@@ -8,6 +8,7 @@
1020 
+ #include <linux/timer.h>
1021 
+ #include <asm/pci-direct.h>
1022 
+ #include <asm/tsc.h>
1023 
++#include <asm/cpufeature.h>
1024 
+
1025 
+ #include "cpu.h"
1026 
+
1027 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
1028 
+index 565648b..9299e3b 100644
1029 
+--- a/arch/x86/kernel/cpu/intel.c
1030 
+@@ -8,7 +8,7 @@
1031 
+ #include <linux/module.h>
1032 
+ #include <linux/uaccess.h>
1033 
+
1034 
+-#include <asm/processor.h>
1035 
++#include <asm/cpufeature.h>
1036 
+ #include <asm/pgtable.h>
1037 
+ #include <asm/msr.h>
1038 
+ #include <asm/bugs.h>
1039 
+diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
1040 
+index 3fa7231..3557b3c 100644
1041 
+--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
1042 
+@@ -14,7 +14,7 @@
1043 
+ #include <linux/sysfs.h>
1044 
+ #include <linux/pci.h>
1045 
+
1046 
+-#include <asm/processor.h>
1047 
++#include <asm/cpufeature.h>
1048 
+ #include <asm/amd_nb.h>
1049 
+ #include <asm/smp.h>
1050 
+
1051 
+diff --git a/arch/x86/kernel/cpu/match.c b/arch/x86/kernel/cpu/match.c
1052 
+index afa9f0d..fbb5e90 100644
1053 
+--- a/arch/x86/kernel/cpu/match.c
1054 
+@@ -1,5 +1,5 @@
1055 
+ #include <asm/cpu_device_id.h>
1056 
+-#include <asm/processor.h>
1057 
++#include <asm/cpufeature.h>
1058 
+ #include <linux/cpu.h>
1059 
+ #include <linux/module.h>
1060 
+ #include <linux/slab.h>
1061 
+diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh
1062 
+index 3f20710..6988c74 100644
1063 
+--- a/arch/x86/kernel/cpu/mkcapflags.sh
1064 
+@@ -1,6 +1,6 @@
1065 
+ #!/bin/sh
1066 
+ #
1067 
+-# Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeature.h
1068 
++# Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h
1069 
+ #
1070 
+
1071 
+ IN=$1
1072 
+@@ -49,8 +49,8 @@ dump_array()
1073 
+ trap 'rm "$OUT"' EXIT
1074 
+
1075 
+ (
1076 
+-	echo "#ifndef _ASM_X86_CPUFEATURE_H"
1077 
+-	echo "#include <asm/cpufeature.h>"
1078 
++	echo "#ifndef _ASM_X86_CPUFEATURES_H"
1079 
++	echo "#include <asm/cpufeatures.h>"
1080 
+ 	echo "#endif"
1081 
+ 	echo ""
1082 
+
1083 
+diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
1084 
+index f924f41..49bd700 100644
1085 
+--- a/arch/x86/kernel/cpu/mtrr/main.c
1086 
+@@ -47,7 +47,7 @@
1087 
+ #include <linux/smp.h>
1088 
+ #include <linux/syscore_ops.h>
1089 
+
1090 
+-#include <asm/processor.h>
1091 
++#include <asm/cpufeature.h>
1092 
+ #include <asm/e820.h>
1093 
+ #include <asm/mtrr.h>
1094 
+ #include <asm/msr.h>
1095 
+diff --git a/arch/x86/kernel/cpu/transmeta.c b/arch/x86/kernel/cpu/transmeta.c
1096 
+index 252da7a..a19a663 100644
1097 
+--- a/arch/x86/kernel/cpu/transmeta.c
1098 
+@@ -1,6 +1,6 @@
1099 
+ #include <linux/kernel.h>
1100 
+ #include <linux/mm.h>
1101 
+-#include <asm/processor.h>
1102 
++#include <asm/cpufeature.h>
1103 
+ #include <asm/msr.h>
1104 
+ #include "cpu.h"
1105 
+
1106 
+diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c
1107 
+index 52a2526..19bc19d 100644
1108 
+--- a/arch/x86/kernel/e820.c
1109 
+@@ -24,6 +24,7 @@
1110 
+ #include <asm/e820.h>
1111 
+ #include <asm/proto.h>
1112 
+ #include <asm/setup.h>
1113 
++#include <asm/cpufeature.h>
1114 
+
1115 
+ /*
1116 
+  * The e820 map is the map that gets modified e.g. with command line parameters
1117 
+diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
1118 
+index 70284d3..1c0b49f 100644
1119 
+--- a/arch/x86/kernel/head_32.S
1120 
+@@ -19,7 +19,7 @@
1121 
+ #include <asm/setup.h>
1122 
+ #include <asm/processor-flags.h>
1123 
+ #include <asm/msr-index.h>
1124 
+-#include <asm/cpufeature.h>
1125 
++#include <asm/cpufeatures.h>
1126 
+ #include <asm/percpu.h>
1127 
+ #include <asm/nops.h>
1128 
+ #include <asm/bootparam.h>
1129 
+diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c
1130 
+index f48eb8e..3fdc1e5 100644
1131 
+--- a/arch/x86/kernel/hpet.c
1132 
+@@ -12,6 +12,7 @@
1133 
+ #include <linux/pm.h>
1134 
+ #include <linux/io.h>
1135 
+
1136 
++#include <asm/cpufeature.h>
1137 
+ #include <asm/irqdomain.h>
1138 
+ #include <asm/fixmap.h>
1139 
+ #include <asm/hpet.h>
1140 
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
1141 
+index 113e707..f95ac5d 100644
1142 
+--- a/arch/x86/kernel/msr.c
1143 
+@@ -40,7 +40,7 @@
1144 
+ #include <linux/uaccess.h>
1145 
+ #include <linux/gfp.h>
1146 
+
1147 
+-#include <asm/processor.h>
1148 
++#include <asm/cpufeature.h>
1149 
+ #include <asm/msr.h>
1150 
+
1151 
+ static struct class *msr_class;
1152 
+diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
1153 
+index 4cf401f..b7c9db5 100644
1154 
+--- a/arch/x86/kernel/verify_cpu.S
1155 
+@@ -30,7 +30,7 @@
1156 
+  * 	appropriately. Either display a message or halt.
1157 
+  */
1158 
+
1159 
+-#include <asm/cpufeature.h>
1160 
++#include <asm/cpufeatures.h>
1161 
+ #include <asm/msr-index.h>
1162 
+
1163 
+ verify_cpu:
1164 
+diff --git a/arch/x86/lib/clear_page_64.S b/arch/x86/lib/clear_page_64.S
1165 
+index a2fe51b..65be7cf 100644
1166 
+--- a/arch/x86/lib/clear_page_64.S
1167 
+@@ -1,5 +1,5 @@
1168 
+ #include <linux/linkage.h>
1169 
+-#include <asm/cpufeature.h>
1170 
++#include <asm/cpufeatures.h>
1171 
+ #include <asm/alternative-asm.h>
1172 
+
1173 
+ /*
1174 
+diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S
1175 
+index 009f982..24ef1c2 100644
1176 
+--- a/arch/x86/lib/copy_page_64.S
1177 
+@@ -1,7 +1,7 @@
1178 
+ /* Written 2003 by Andi Kleen, based on a kernel by Evandro Menezes */
1179 
+
1180 
+ #include <linux/linkage.h>
1181 
+-#include <asm/cpufeature.h>
1182 
++#include <asm/cpufeatures.h>
1183 
+ #include <asm/alternative-asm.h>
1184 
+
1185 
+ /*
1186 
+diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
1187 
+index 423644c..accf7f2 100644
1188 
+--- a/arch/x86/lib/copy_user_64.S
1189 
+@@ -10,7 +10,7 @@
1190 
+ #include <asm/current.h>
1191 
+ #include <asm/asm-offsets.h>
1192 
+ #include <asm/thread_info.h>
1193 
+-#include <asm/cpufeature.h>
1194 
++#include <asm/cpufeatures.h>
1195 
+ #include <asm/alternative-asm.h>
1196 
+ #include <asm/asm.h>
1197 
+ #include <asm/smap.h>
1198 
+diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
1199 
+index 16698bb..a0de849 100644
1200 
+--- a/arch/x86/lib/memcpy_64.S
1201 
+@@ -1,7 +1,7 @@
1202 
+ /* Copyright 2002 Andi Kleen */
1203 
+
1204 
+ #include <linux/linkage.h>
1205 
+-#include <asm/cpufeature.h>
1206 
++#include <asm/cpufeatures.h>
1207 
+ #include <asm/alternative-asm.h>
1208 
+
1209 
+ /*
1210 
+diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
1211 
+index ca2afdd..90ce01b 100644
1212 
+--- a/arch/x86/lib/memmove_64.S
1213 
+@@ -6,7 +6,7 @@
1214 
+  *	- Copyright 2011 Fenghua Yu <fenghua.yu@intel.com>
1215 
+  */
1216 
+ #include <linux/linkage.h>
1217 
+-#include <asm/cpufeature.h>
1218 
++#include <asm/cpufeatures.h>
1219 
+ #include <asm/alternative-asm.h>
1220 
+
1221 
+ #undef memmove
1222 
+diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S
1223 
+index 2661fad..c9c8122 100644
1224 
+--- a/arch/x86/lib/memset_64.S
1225 
+@@ -1,7 +1,7 @@
1226 
+ /* Copyright 2002 Andi Kleen, SuSE Labs */
1227 
+
1228 
+ #include <linux/linkage.h>
1229 
+-#include <asm/cpufeature.h>
1230 
++#include <asm/cpufeatures.h>
1231 
+ #include <asm/alternative-asm.h>
1232 
+
1233 
+ .weak memset
1234 
+diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
1235 
+index 3d06b48..7bbb853 100644
1236 
+--- a/arch/x86/lib/retpoline.S
1237 
+@@ -3,7 +3,7 @@
1238 
+ #include <linux/stringify.h>
1239 
+ #include <linux/linkage.h>
1240 
+ #include <asm/dwarf2.h>
1241 
+-#include <asm/cpufeature.h>
1242 
++#include <asm/cpufeatures.h>
1243 
+ #include <asm/alternative-asm.h>
1244 
+ #include <asm-generic/export.h>
1245 
+ #include <asm/nospec-branch.h>
1246 
+diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
1247 
+index 92e2eac..f65a33f 100644
1248 
+--- a/arch/x86/mm/setup_nx.c
1249 
+@@ -4,6 +4,7 @@
1250 
+
1251 
+ #include <asm/pgtable.h>
1252 
+ #include <asm/proto.h>
1253 
++#include <asm/cpufeature.h>
1254 
+
1255 
+ static int disable_nx;
1256 
+
1257 
+diff --git a/arch/x86/oprofile/op_model_amd.c b/arch/x86/oprofile/op_model_amd.c
1258 
+index 50d86c0..660a83c 100644
1259 
+--- a/arch/x86/oprofile/op_model_amd.c
1260 
+@@ -24,7 +24,6 @@
1261 
+ #include <asm/nmi.h>
1262 
+ #include <asm/apic.h>
1263 
+ #include <asm/processor.h>
1264 
+-#include <asm/cpufeature.h>
1265 
+
1266 
+ #include "op_x86_model.h"
1267 
+ #include "op_counter.h"
1268 
+diff --git a/arch/x86/um/asm/barrier.h b/arch/x86/um/asm/barrier.h
1269 
+index 755481f..764ac2f 100644
1270 
+--- a/arch/x86/um/asm/barrier.h
1271 
+@@ -3,7 +3,7 @@
1272 
+
1273 
+ #include <asm/asm.h>
1274 
+ #include <asm/segment.h>
1275 
+-#include <asm/cpufeature.h>
1276 
++#include <asm/cpufeatures.h>
1277 
+ #include <asm/cmpxchg.h>
1278 
+ #include <asm/nops.h>
1279 
+
1280 
+diff --git a/lib/atomic64_test.c b/lib/atomic64_test.c
1281 
+index d51e25a..de67fea 100644
1282 
+--- a/lib/atomic64_test.c
1283 
+@@ -17,7 +17,7 @@
1284 
+ #include <linux/atomic.h>
1285 
+
1286 
+ #ifdef CONFIG_X86
1287 
+-#include <asm/processor.h>	/* for boot_cpu_has below */
1288 
++#include <asm/cpufeature.h>	/* for boot_cpu_has below */
1289 
+ #endif
1290 
+
1291 
+ #define TEST(bit, op, c_op, val)				\
1292 
+--
1293 
+2.7.4
1294 
+
SPECS/linux/speculative-store-bypass/0010-x86-cpufeature-Replace-the-old-static_cpu_has-with-s.patch
History View file @ 4ab22c2
0 1295 
new file mode 100644
... ... 
@@ -0,0 +1,355 @@
0 
+From 33286aa5af54caad6973960752247b39a6867611 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:05 -0700
3 
+Subject: [PATCH 010/103] x86/cpufeature: Replace the old static_cpu_has() with
4 
+ safe variant
5 
+
6 
+commit bc696ca05f5a8927329ec276a892341e006b00ba upstream
7 
+
8 
+So the old one didn't work properly before alternatives had run.
9 
+And it was supposed to provide an optimized JMP because the
10 
+assumption was that the offset it is jumping to is within a
11 
+signed byte and thus a two-byte JMP.
12 
+
13 
+So I did an x86_64 allyesconfig build and dumped all possible
14 
+sites where static_cpu_has() was used. The optimization amounted
15 
+to all in all 12(!) places where static_cpu_has() had generated
16 
+a 2-byte JMP. Which has saved us a whopping 36 bytes!
17 
+
18 
+This clearly is not worth the trouble so we can remove it. The
19 
+only place where the optimization might count - in __switch_to()
20 
+- we will handle differently. But that's not subject of this
21 
+patch.
22 
+
23 
+Signed-off-by: Borislav Petkov <bp@suse.de>
24 
+Cc: Andy Lutomirski <luto@amacapital.net>
25 
+Cc: Borislav Petkov <bp@alien8.de>
26 
+Cc: Brian Gerst <brgerst@gmail.com>
27 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
28 
+Cc: H. Peter Anvin <hpa@zytor.com>
29 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
30 
+Cc: Peter Zijlstra <peterz@infradead.org>
31 
+Cc: Thomas Gleixner <tglx@linutronix.de>
32 
+Link: http://lkml.kernel.org/r/1453842730-28463-6-git-send-email-bp@alien8.de
33 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
34 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
35 
+---
36 
+ arch/x86/Kconfig.debug               |  10 ----
37 
+ arch/x86/include/asm/cpufeature.h    | 100 +++--------------------------------
38 
+ arch/x86/include/asm/fpu/internal.h  |  14 ++---
39 
+ arch/x86/kernel/apic/apic_numachip.c |   4 +-
40 
+ arch/x86/kernel/cpu/common.c         |  12 +----
41 
+ arch/x86/kernel/vm86_32.c            |   2 +-
42 
+ fs/btrfs/disk-io.c                   |   2 +-
43 
+ 7 files changed, 20 insertions(+), 124 deletions(-)
44 
+
45 
+diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
46 
+index da00fe1..2aa212f 100644
47 
+--- a/arch/x86/Kconfig.debug
48 
+@@ -367,16 +367,6 @@ config DEBUG_IMR_SELFTEST
49 
+
50 
+ 	  If unsure say N here.
51 
+
52 
+-config X86_DEBUG_STATIC_CPU_HAS
53 
+-	bool "Debug alternatives"
54 
+-	depends on DEBUG_KERNEL
55 
+-	---help---
56 
+-	  This option causes additional code to be generated which
57 
+-	  fails if static_cpu_has() is used before alternatives have
58 
+-	  run.
59 
+-
60 
+-	  If unsure, say N.
61 
+-
62 
+ config X86_DEBUG_FPU
63 
+ 	bool "Debug the x86 FPU code"
64 
+ 	depends on DEBUG_KERNEL
65 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
66 
+index f62e872..b60598c 100644
67 
+--- a/arch/x86/include/asm/cpufeature.h
68 
+@@ -127,103 +127,19 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
69 
+ #define cpu_has_osxsave		boot_cpu_has(X86_FEATURE_OSXSAVE)
70 
+ #define cpu_has_hypervisor	boot_cpu_has(X86_FEATURE_HYPERVISOR)
71 
+ /*
72 
+- * Do not add any more of those clumsy macros - use static_cpu_has_safe() for
73 
++ * Do not add any more of those clumsy macros - use static_cpu_has() for
74 
+  * fast paths and boot_cpu_has() otherwise!
75 
+  */
76 
+
77 
+ #if __GNUC__ >= 4 && defined(CONFIG_X86_FAST_FEATURE_TESTS)
78 
+-extern void warn_pre_alternatives(void);
79 
+-extern bool __static_cpu_has_safe(u16 bit);
80 
++extern bool __static_cpu_has(u16 bit);
81 
+
82 
+ /*
83 
+  * Static testing of CPU features.  Used the same as boot_cpu_has().
84 
+  * These are only valid after alternatives have run, but will statically
85 
+  * patch the target code for additional performance.
86 
+  */
87 
+-static __always_inline __pure bool __static_cpu_has(u16 bit)
88 
+-{
89 
+-#ifdef CC_HAVE_ASM_GOTO
90 
+-
91 
+-#ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
92 
+-
93 
+-		/*
94 
+-		 * Catch too early usage of this before alternatives
95 
+-		 * have run.
96 
+-		 */
97 
+-		asm_volatile_goto("1: jmp %l[t_warn]\n"
98 
+-			 "2:\n"
99 
+-			 ".section .altinstructions,\"a\"\n"
100 
+-			 " .long 1b - .\n"
101 
+-			 " .long 0\n"		/* no replacement */
102 
+-			 " .word %P0\n"		/* 1: do replace */
103 
+-			 " .byte 2b - 1b\n"	/* source len */
104 
+-			 " .byte 0\n"		/* replacement len */
105 
+-			 " .byte 0\n"		/* pad len */
106 
+-			 ".previous\n"
107 
+-			 /* skipping size check since replacement size = 0 */
108 
+-			 : : "i" (X86_FEATURE_ALWAYS) : : t_warn);
109 
+-
110 
+-#endif
111 
+-
112 
+-		asm_volatile_goto("1: jmp %l[t_no]\n"
113 
+-			 "2:\n"
114 
+-			 ".section .altinstructions,\"a\"\n"
115 
+-			 " .long 1b - .\n"
116 
+-			 " .long 0\n"		/* no replacement */
117 
+-			 " .word %P0\n"		/* feature bit */
118 
+-			 " .byte 2b - 1b\n"	/* source len */
119 
+-			 " .byte 0\n"		/* replacement len */
120 
+-			 " .byte 0\n"		/* pad len */
121 
+-			 ".previous\n"
122 
+-			 /* skipping size check since replacement size = 0 */
123 
+-			 : : "i" (bit) : : t_no);
124 
+-		return true;
125 
+-	t_no:
126 
+-		return false;
127 
+-
128 
+-#ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
129 
+-	t_warn:
130 
+-		warn_pre_alternatives();
131 
+-		return false;
132 
+-#endif
133 
+-
134 
+-#else /* CC_HAVE_ASM_GOTO */
135 
+-
136 
+-		u8 flag;
137 
+-		/* Open-coded due to __stringify() in ALTERNATIVE() */
138 
+-		asm volatile("1: movb $0,%0\n"
139 
+-			     "2:\n"
140 
+-			     ".section .altinstructions,\"a\"\n"
141 
+-			     " .long 1b - .\n"
142 
+-			     " .long 3f - .\n"
143 
+-			     " .word %P1\n"		/* feature bit */
144 
+-			     " .byte 2b - 1b\n"		/* source len */
145 
+-			     " .byte 4f - 3f\n"		/* replacement len */
146 
+-			     " .byte 0\n"		/* pad len */
147 
+-			     ".previous\n"
148 
+-			     ".section .discard,\"aw\",@progbits\n"
149 
+-			     " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
150 
+-			     ".previous\n"
151 
+-			     ".section .altinstr_replacement,\"ax\"\n"
152 
+-			     "3: movb $1,%0\n"
153 
+-			     "4:\n"
154 
+-			     ".previous\n"
155 
+-			     : "=qm" (flag) : "i" (bit));
156 
+-		return flag;
157 
+-
158 
+-#endif /* CC_HAVE_ASM_GOTO */
159 
+-}
160 
+-
161 
+-#define static_cpu_has(bit)					\
162 
+-(								\
163 
+-	__builtin_constant_p(boot_cpu_has(bit)) ?		\
164 
+-		boot_cpu_has(bit) :				\
165 
+-	__builtin_constant_p(bit) ?				\
166 
+-		__static_cpu_has(bit) :				\
167 
+-		boot_cpu_has(bit)				\
168 
+-)
169 
+-
170 
+-static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
171 
++static __always_inline __pure bool _static_cpu_has(u16 bit)
172 
+ {
173 
+ #ifdef CC_HAVE_ASM_GOTO
174 
+ 		asm_volatile_goto("1: jmp %l[t_dynamic]\n"
175 
+@@ -257,7 +173,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
176 
+ 	t_no:
177 
+ 		return false;
178 
+ 	t_dynamic:
179 
+-		return __static_cpu_has_safe(bit);
180 
++		return __static_cpu_has(bit);
181 
+ #else
182 
+ 		u8 flag;
183 
+ 		/* Open-coded due to __stringify() in ALTERNATIVE() */
184 
+@@ -295,22 +211,21 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
185 
+ 			     ".previous\n"
186 
+ 			     : "=qm" (flag)
187 
+ 			     : "i" (bit), "i" (X86_FEATURE_ALWAYS));
188 
+-		return (flag == 2 ? __static_cpu_has_safe(bit) : flag);
189 
++		return (flag == 2 ? __static_cpu_has(bit) : flag);
190 
+ #endif /* CC_HAVE_ASM_GOTO */
191 
+ }
192 
+
193 
+-#define static_cpu_has_safe(bit)				\
194 
++#define static_cpu_has(bit)					\
195 
+ (								\
196 
+ 	__builtin_constant_p(boot_cpu_has(bit)) ?		\
197 
+ 		boot_cpu_has(bit) :				\
198 
+-		_static_cpu_has_safe(bit)			\
199 
++		_static_cpu_has(bit)				\
200 
+ )
201 
+ #else
202 
+ /*
203 
+  * gcc 3.x is too stupid to do the static test; fall back to dynamic.
204 
+  */
205 
+ #define static_cpu_has(bit)		boot_cpu_has(bit)
206 
+-#define static_cpu_has_safe(bit)	boot_cpu_has(bit)
207 
+ #endif
208 
+
209 
+ #define cpu_has_bug(c, bit)		cpu_has(c, (bit))
210 
+@@ -318,7 +233,6 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
211 
+ #define clear_cpu_bug(c, bit)		clear_cpu_cap(c, (bit))
212 
+
213 
+ #define static_cpu_has_bug(bit)		static_cpu_has((bit))
214 
+-#define static_cpu_has_bug_safe(bit)	static_cpu_has_safe((bit))
215 
+ #define boot_cpu_has_bug(bit)		cpu_has_bug(&boot_cpu_data, (bit))
216 
+
217 
+ #define MAX_CPU_FEATURES		(NCAPINTS * 32)
218 
+diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
219 
+index f9c14ab..36e2d47 100644
220 
+--- a/arch/x86/include/asm/fpu/internal.h
221 
+@@ -58,22 +58,22 @@ extern void fpu__resume_cpu(void);
222 
+  */
223 
+ static __always_inline __pure bool use_eager_fpu(void)
224 
+ {
225 
+-	return static_cpu_has_safe(X86_FEATURE_EAGER_FPU);
226 
++	return static_cpu_has(X86_FEATURE_EAGER_FPU);
227 
+ }
228 
+
229 
+ static __always_inline __pure bool use_xsaveopt(void)
230 
+ {
231 
+-	return static_cpu_has_safe(X86_FEATURE_XSAVEOPT);
232 
++	return static_cpu_has(X86_FEATURE_XSAVEOPT);
233 
+ }
234 
+
235 
+ static __always_inline __pure bool use_xsave(void)
236 
+ {
237 
+-	return static_cpu_has_safe(X86_FEATURE_XSAVE);
238 
++	return static_cpu_has(X86_FEATURE_XSAVE);
239 
+ }
240 
+
241 
+ static __always_inline __pure bool use_fxsr(void)
242 
+ {
243 
+-	return static_cpu_has_safe(X86_FEATURE_FXSR);
244 
++	return static_cpu_has(X86_FEATURE_FXSR);
245 
+ }
246 
+
247 
+ /*
248 
+@@ -300,7 +300,7 @@ static inline void copy_xregs_to_kernel_booting(struct xregs_state *xstate)
249 
+
250 
+ 	WARN_ON(system_state != SYSTEM_BOOTING);
251 
+
252 
+-	if (static_cpu_has_safe(X86_FEATURE_XSAVES))
253 
++	if (static_cpu_has(X86_FEATURE_XSAVES))
254 
+ 		XSTATE_OP(XSAVES, xstate, lmask, hmask, err);
255 
+ 	else
256 
+ 		XSTATE_OP(XSAVE, xstate, lmask, hmask, err);
257 
+@@ -322,7 +322,7 @@ static inline void copy_kernel_to_xregs_booting(struct xregs_state *xstate)
258 
+
259 
+ 	WARN_ON(system_state != SYSTEM_BOOTING);
260 
+
261 
+-	if (static_cpu_has_safe(X86_FEATURE_XSAVES))
262 
++	if (static_cpu_has(X86_FEATURE_XSAVES))
263 
+ 		XSTATE_OP(XRSTORS, xstate, lmask, hmask, err);
264 
+ 	else
265 
+ 		XSTATE_OP(XRSTOR, xstate, lmask, hmask, err);
266 
+@@ -460,7 +460,7 @@ static inline void copy_kernel_to_fpregs(union fpregs_state *fpstate)
267 
+ 	 * pending. Clear the x87 state here by setting it to fixed values.
268 
+ 	 * "m" is a random variable that should be in L1.
269 
+ 	 */
270 
+-	if (unlikely(static_cpu_has_bug_safe(X86_BUG_FXSAVE_LEAK))) {
271 
++	if (unlikely(static_cpu_has_bug(X86_BUG_FXSAVE_LEAK))) {
272 
+ 		asm volatile(
273 
+ 			"fnclex\n\t"
274 
+ 			"emms\n\t"
275 
+diff --git a/arch/x86/kernel/apic/apic_numachip.c b/arch/x86/kernel/apic/apic_numachip.c
276 
+index 2bd2292..bac0805 100644
277 
+--- a/arch/x86/kernel/apic/apic_numachip.c
278 
+@@ -30,7 +30,7 @@ static unsigned int numachip1_get_apic_id(unsigned long x)
279 
+ 	unsigned long value;
280 
+ 	unsigned int id = (x >> 24) & 0xff;
281 
+
282 
+-	if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) {
283 
++	if (static_cpu_has(X86_FEATURE_NODEID_MSR)) {
284 
+ 		rdmsrl(MSR_FAM10H_NODE_ID, value);
285 
+ 		id |= (value << 2) & 0xff00;
286 
+ 	}
287 
+@@ -178,7 +178,7 @@ static void fixup_cpu_id(struct cpuinfo_x86 *c, int node)
288 
+ 	this_cpu_write(cpu_llc_id, node);
289 
+
290 
+ 	/* Account for nodes per socket in multi-core-module processors */
291 
+-	if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) {
292 
++	if (static_cpu_has(X86_FEATURE_NODEID_MSR)) {
293 
+ 		rdmsrl(MSR_FAM10H_NODE_ID, val);
294 
+ 		nodes = ((val >> 3) & 7) + 1;
295 
+ 	}
296 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
297 
+index 5b6e43b..f31b26b 100644
298 
+--- a/arch/x86/kernel/cpu/common.c
299 
+@@ -1576,19 +1576,11 @@ void cpu_init(void)
300 
+ }
301 
+ #endif
302 
+
303 
+-#ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
304 
+-void warn_pre_alternatives(void)
305 
+-{
306 
+-	WARN(1, "You're using static_cpu_has before alternatives have run!\n");
307 
+-}
308 
+-EXPORT_SYMBOL_GPL(warn_pre_alternatives);
309 
+-#endif
310 
+-
311 
+-inline bool __static_cpu_has_safe(u16 bit)
312 
++inline bool __static_cpu_has(u16 bit)
313 
+ {
314 
+ 	return boot_cpu_has(bit);
315 
+ }
316 
+-EXPORT_SYMBOL_GPL(__static_cpu_has_safe);
317 
++EXPORT_SYMBOL_GPL(__static_cpu_has);
318 
+
319 
+ static void bsp_resume(void)
320 
+ {
321 
+diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
322 
+index d6d64a5..7f4839e 100644
323 
+--- a/arch/x86/kernel/vm86_32.c
324 
+@@ -358,7 +358,7 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus)
325 
+ 	/* make room for real-mode segments */
326 
+ 	tsk->thread.sp0 += 16;
327 
+
328 
+-	if (static_cpu_has_safe(X86_FEATURE_SEP))
329 
++	if (static_cpu_has(X86_FEATURE_SEP))
330 
+ 		tsk->thread.sysenter_cs = 0;
331 
+
332 
+ 	load_sp0(tss, &tsk->thread);
333 
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
334 
+index 7efd70b..d106b98 100644
335 
+--- a/fs/btrfs/disk-io.c
336 
+@@ -923,7 +923,7 @@ static int check_async_write(struct inode *inode, unsigned long bio_flags)
337 
+ 	if (bio_flags & EXTENT_BIO_TREE_LOG)
338 
+ 		return 0;
339 
+ #ifdef CONFIG_X86
340 
+-	if (static_cpu_has_safe(X86_FEATURE_XMM4_2))
341 
++	if (static_cpu_has(X86_FEATURE_XMM4_2))
342 
+ 		return 0;
343 
+ #endif
344 
+ 	return 1;
345 
+--
346 
+2.7.4
347 
+
SPECS/linux/speculative-store-bypass/0011-x86-cpufeature-Get-rid-of-the-non-asm-goto-variant.patch
History View file @ 4ab22c2
0 348 
new file mode 100644
... ... 
@@ -0,0 +1,119 @@
0 
+From 424fb84cb7d95bc08e7489e94b508763349208f5 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@alien8.de>
2 
+Date: Thu, 14 Jun 2018 14:56:05 -0700
3 
+Subject: [PATCH 011/103] x86/cpufeature: Get rid of the non-asm goto variant
4 
+
5 
+commit a362bf9f5e7dd659b96d01382da7b855f4e5a7a1 upstream
6 
+
7 
+I can simply quote hpa from the mail:
8 
+
9 
+  "Get rid of the non-asm goto variant and just fall back to
10 
+   dynamic if asm goto is unavailable. It doesn't make any sense,
11 
+   really, if it is supposed to be safe, and by now the asm
12 
+   goto-capable gcc is in more wide use. (Originally the gcc 3.x
13 
+   fallback to pure dynamic didn't exist, either.)"
14 
+
15 
+Booy, am I lazy.
16 
+
17 
+Cleanup the whole CC_HAVE_ASM_GOTO ifdeffery too, while at it.
18 
+
19 
+Suggested-by: H. Peter Anvin <hpa@zytor.com>
20 
+Signed-off-by: Borislav Petkov <bp@suse.de>
21 
+Cc: Andy Lutomirski <luto@amacapital.net>
22 
+Cc: Borislav Petkov <bp@alien8.de>
23 
+Cc: Brian Gerst <brgerst@gmail.com>
24 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
25 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
26 
+Cc: Peter Zijlstra <peterz@infradead.org>
27 
+Cc: Thomas Gleixner <tglx@linutronix.de>
28 
+Link: http://lkml.kernel.org/r/20160127084325.GB30712@pd.tnic
29 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
30 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
31 
+---
32 
+ arch/x86/include/asm/cpufeature.h | 49 ++++-----------------------------------
33 
+ 1 file changed, 5 insertions(+), 44 deletions(-)
34 
+
35 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
36 
+index b60598c..53de461 100644
37 
+--- a/arch/x86/include/asm/cpufeature.h
38 
+@@ -131,17 +131,16 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
39 
+  * fast paths and boot_cpu_has() otherwise!
40 
+  */
41 
+
42 
+-#if __GNUC__ >= 4 && defined(CONFIG_X86_FAST_FEATURE_TESTS)
43 
++#if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_X86_FAST_FEATURE_TESTS)
44 
+ extern bool __static_cpu_has(u16 bit);
45 
+
46 
+ /*
47 
+  * Static testing of CPU features.  Used the same as boot_cpu_has().
48 
+- * These are only valid after alternatives have run, but will statically
49 
+- * patch the target code for additional performance.
50 
++ * These will statically patch the target code for additional
51 
++ * performance.
52 
+  */
53 
+ static __always_inline __pure bool _static_cpu_has(u16 bit)
54 
+ {
55 
+-#ifdef CC_HAVE_ASM_GOTO
56 
+ 		asm_volatile_goto("1: jmp %l[t_dynamic]\n"
57 
+ 			 "2:\n"
58 
+ 			 ".skip -(((5f-4f) - (2b-1b)) > 0) * "
59 
+@@ -174,45 +173,6 @@ static __always_inline __pure bool _static_cpu_has(u16 bit)
60 
+ 		return false;
61 
+ 	t_dynamic:
62 
+ 		return __static_cpu_has(bit);
63 
+-#else
64 
+-		u8 flag;
65 
+-		/* Open-coded due to __stringify() in ALTERNATIVE() */
66 
+-		asm volatile("1: movb $2,%0\n"
67 
+-			     "2:\n"
68 
+-			     ".section .altinstructions,\"a\"\n"
69 
+-			     " .long 1b - .\n"		/* src offset */
70 
+-			     " .long 3f - .\n"		/* repl offset */
71 
+-			     " .word %P2\n"		/* always replace */
72 
+-			     " .byte 2b - 1b\n"		/* source len */
73 
+-			     " .byte 4f - 3f\n"		/* replacement len */
74 
+-			     " .byte 0\n"		/* pad len */
75 
+-			     ".previous\n"
76 
+-			     ".section .discard,\"aw\",@progbits\n"
77 
+-			     " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
78 
+-			     ".previous\n"
79 
+-			     ".section .altinstr_replacement,\"ax\"\n"
80 
+-			     "3: movb $0,%0\n"
81 
+-			     "4:\n"
82 
+-			     ".previous\n"
83 
+-			     ".section .altinstructions,\"a\"\n"
84 
+-			     " .long 1b - .\n"		/* src offset */
85 
+-			     " .long 5f - .\n"		/* repl offset */
86 
+-			     " .word %P1\n"		/* feature bit */
87 
+-			     " .byte 4b - 3b\n"		/* src len */
88 
+-			     " .byte 6f - 5f\n"		/* repl len */
89 
+-			     " .byte 0\n"		/* pad len */
90 
+-			     ".previous\n"
91 
+-			     ".section .discard,\"aw\",@progbits\n"
92 
+-			     " .byte 0xff + (6f-5f) - (4b-3b)\n" /* size check */
93 
+-			     ".previous\n"
94 
+-			     ".section .altinstr_replacement,\"ax\"\n"
95 
+-			     "5: movb $1,%0\n"
96 
+-			     "6:\n"
97 
+-			     ".previous\n"
98 
+-			     : "=qm" (flag)
99 
+-			     : "i" (bit), "i" (X86_FEATURE_ALWAYS));
100 
+-		return (flag == 2 ? __static_cpu_has(bit) : flag);
101 
+-#endif /* CC_HAVE_ASM_GOTO */
102 
+ }
103 
+
104 
+ #define static_cpu_has(bit)					\
105 
+@@ -223,7 +183,8 @@ static __always_inline __pure bool _static_cpu_has(u16 bit)
106 
+ )
107 
+ #else
108 
+ /*
109 
+- * gcc 3.x is too stupid to do the static test; fall back to dynamic.
110 
++ * Fall back to dynamic for gcc versions which don't support asm goto. Should be
111 
++ * a minority now anyway.
112 
+  */
113 
+ #define static_cpu_has(bit)		boot_cpu_has(bit)
114 
+ #endif
115 
+--
116 
+2.7.4
117 
+
SPECS/linux/speculative-store-bypass/0012-x86-alternatives-Add-an-auxilary-section.patch
History View file @ 4ab22c2
0 118 
new file mode 100644
... ... 
@@ -0,0 +1,52 @@
0 
+From 624ffeaf60ea511b0121cdb18b6660b978428d56 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:06 -0700
3 
+Subject: [PATCH 012/103] x86/alternatives: Add an auxilary section
4 
+
5 
+commit 337e4cc84021212a87b04b77b65cccc49304909e upstream
6 
+
7 
+Add .altinstr_aux for additional instructions which will be used
8 
+before and/or during patching. All stuff which needs more
9 
+sophisticated patching should go there. See next patch.
10 
+
11 
+Signed-off-by: Borislav Petkov <bp@suse.de>
12 
+Cc: Andy Lutomirski <luto@amacapital.net>
13 
+Cc: Borislav Petkov <bp@alien8.de>
14 
+Cc: Brian Gerst <brgerst@gmail.com>
15 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
16 
+Cc: H. Peter Anvin <hpa@zytor.com>
17 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
18 
+Cc: Peter Zijlstra <peterz@infradead.org>
19 
+Cc: Thomas Gleixner <tglx@linutronix.de>
20 
+Link: http://lkml.kernel.org/r/1453842730-28463-8-git-send-email-bp@alien8.de
21 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
22 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
23 
+---
24 
+ arch/x86/kernel/vmlinux.lds.S | 11 +++++++++++
25 
+ 1 file changed, 11 insertions(+)
26 
+
27 
+diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
28 
+index e065065..a703842 100644
29 
+--- a/arch/x86/kernel/vmlinux.lds.S
30 
+@@ -202,6 +202,17 @@ SECTIONS
31 
+ 	:init
32 
+ #endif
33 
+
34 
++	/*
35 
++	 * Section for code used exclusively before alternatives are run. All
36 
++	 * references to such code must be patched out by alternatives, normally
37 
++	 * by using X86_FEATURE_ALWAYS CPU feature bit.
38 
++	 *
39 
++	 * See static_cpu_has() for an example.
40 
++	 */
41 
++	.altinstr_aux : AT(ADDR(.altinstr_aux) - LOAD_OFFSET) {
42 
++		*(.altinstr_aux)
43 
++	}
44 
++
45 
+ 	INIT_DATA_SECTION(16)
46 
+
47 
+ 	.x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
48 
+--
49 
+2.7.4
50 
+
SPECS/linux/speculative-store-bypass/0013-x86-alternatives-Discard-dynamic-check-after-init.patch
History View file @ 4ab22c2
0 51 
new file mode 100644
... ... 
@@ -0,0 +1,110 @@
0 
+From 2e34789188a4734f5d27fba8787b4e3fc3805ae6 Mon Sep 17 00:00:00 2001
1 
+From: Brian Gerst <brgerst@gmail.com>
2 
+Date: Thu, 14 Jun 2018 14:56:06 -0700
3 
+Subject: [PATCH 013/103] x86/alternatives: Discard dynamic check after init
4 
+
5 
+commit 2476f2fa20568bd5d9e09cd35bcd73e99a6f4cc6 upstream
6 
+
7 
+Move the code to do the dynamic check to the altinstr_aux
8 
+section so that it is discarded after alternatives have run and
9 
+a static branch has been chosen.
10 
+
11 
+This way we're changing the dynamic branch from C code to
12 
+assembly, which makes it *substantially* smaller while avoiding
13 
+a completely unnecessary call to an out of line function.
14 
+
15 
+Signed-off-by: Brian Gerst <brgerst@gmail.com>
16 
+[ Changed it to do TESTB, as hpa suggested. ]
17 
+Signed-off-by: Borislav Petkov <bp@suse.de>
18 
+Cc: Andrew Morton <akpm@linux-foundation.org>
19 
+Cc: Andy Lutomirski <luto@amacapital.net>
20 
+Cc: Andy Lutomirski <luto@kernel.org>
21 
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
22 
+Cc: Borislav Petkov <bp@alien8.de>
23 
+Cc: Dave Young <dyoung@redhat.com>
24 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
25 
+Cc: H. Peter Anvin <hpa@zytor.com>
26 
+Cc: Kristen Carlson Accardi <kristen@linux.intel.com>
27 
+Cc: Laura Abbott <labbott@fedoraproject.org>
28 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
29 
+Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
30 
+Cc: Peter Zijlstra <peterz@infradead.org>
31 
+Cc: Prarit Bhargava <prarit@redhat.com>
32 
+Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
33 
+Cc: Thomas Gleixner <tglx@linutronix.de>
34 
+Link: http://lkml.kernel.org/r/1452972124-7380-1-git-send-email-brgerst@gmail.com
35 
+Link: http://lkml.kernel.org/r/20160127084525.GC30712@pd.tnic
36 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
37 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
38 
+---
39 
+ arch/x86/include/asm/cpufeature.h | 19 ++++++++++++-------
40 
+ arch/x86/kernel/cpu/common.c      |  6 ------
41 
+ 2 files changed, 12 insertions(+), 13 deletions(-)
42 
+
43 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
44 
+index 53de461..1c9d6c5 100644
45 
+--- a/arch/x86/include/asm/cpufeature.h
46 
+@@ -132,8 +132,6 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
47 
+  */
48 
+
49 
+ #if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_X86_FAST_FEATURE_TESTS)
50 
+-extern bool __static_cpu_has(u16 bit);
51 
+-
52 
+ /*
53 
+  * Static testing of CPU features.  Used the same as boot_cpu_has().
54 
+  * These will statically patch the target code for additional
55 
+@@ -141,7 +139,7 @@ extern bool __static_cpu_has(u16 bit);
56 
+  */
57 
+ static __always_inline __pure bool _static_cpu_has(u16 bit)
58 
+ {
59 
+-		asm_volatile_goto("1: jmp %l[t_dynamic]\n"
60 
++		asm_volatile_goto("1: jmp 6f\n"
61 
+ 			 "2:\n"
62 
+ 			 ".skip -(((5f-4f) - (2b-1b)) > 0) * "
63 
+ 			         "((5f-4f) - (2b-1b)),0x90\n"
64 
+@@ -166,13 +164,20 @@ static __always_inline __pure bool _static_cpu_has(u16 bit)
65 
+ 			 " .byte 0\n"			/* repl len */
66 
+ 			 " .byte 0\n"			/* pad len */
67 
+ 			 ".previous\n"
68 
+-			 : : "i" (bit), "i" (X86_FEATURE_ALWAYS)
69 
+-			 : : t_dynamic, t_no);
70 
++			 ".section .altinstr_aux,\"ax\"\n"
71 
++			 "6:\n"
72 
++			 " testb %[bitnum],%[cap_byte]\n"
73 
++			 " jnz %l[t_yes]\n"
74 
++			 " jmp %l[t_no]\n"
75 
++			 ".previous\n"
76 
++			 : : "i" (bit), "i" (X86_FEATURE_ALWAYS),
77 
++			     [bitnum] "i" (1 << (bit & 7)),
78 
++			     [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3])
79 
++			 : : t_yes, t_no);
80 
++	t_yes:
81 
+ 		return true;
82 
+ 	t_no:
83 
+ 		return false;
84 
+-	t_dynamic:
85 
+-		return __static_cpu_has(bit);
86 
+ }
87 
+
88 
+ #define static_cpu_has(bit)					\
89 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
90 
+index f31b26b..58d56c4 100644
91 
+--- a/arch/x86/kernel/cpu/common.c
92 
+@@ -1576,12 +1576,6 @@ void cpu_init(void)
93 
+ }
94 
+ #endif
95 
+
96 
+-inline bool __static_cpu_has(u16 bit)
97 
+-{
98 
+-	return boot_cpu_has(bit);
99 
+-}
100 
+-EXPORT_SYMBOL_GPL(__static_cpu_has);
101 
+-
102 
+ static void bsp_resume(void)
103 
+ {
104 
+ 	if (this_cpu->c_bsp_resume)
105 
+--
106 
+2.7.4
107 
+
SPECS/linux/speculative-store-bypass/0014-x86-vdso-Use-static_cpu_has.patch
History View file @ 4ab22c2
0 108 
new file mode 100644
... ... 
@@ -0,0 +1,41 @@
0 
+From 3284bbc173df3659e9cc2e63da471c7f44f10622 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:07 -0700
3 
+Subject: [PATCH 014/103] x86/vdso: Use static_cpu_has()
4 
+
5 
+commit 8c725306993198f845038dc9e45a1267099867a6 upstream
6 
+
7 
+... and simplify and speed up a tad.
8 
+
9 
+Signed-off-by: Borislav Petkov <bp@suse.de>
10 
+Cc: Andy Lutomirski <luto@amacapital.net>
11 
+Cc: Borislav Petkov <bp@alien8.de>
12 
+Cc: Brian Gerst <brgerst@gmail.com>
13 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
14 
+Cc: H. Peter Anvin <hpa@zytor.com>
15 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
16 
+Cc: Peter Zijlstra <peterz@infradead.org>
17 
+Cc: Thomas Gleixner <tglx@linutronix.de>
18 
+Link: http://lkml.kernel.org/r/1453842730-28463-10-git-send-email-bp@alien8.de
19 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
20 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
21 
+---
22 
+ arch/x86/entry/vdso/vma.c | 2 +-
23 
+ 1 file changed, 1 insertion(+), 1 deletion(-)
24 
+
25 
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
26 
+index 5471ac3..6b46648 100644
27 
+--- a/arch/x86/entry/vdso/vma.c
28 
+@@ -255,7 +255,7 @@ static void vgetcpu_cpu_init(void *arg)
29 
+ #ifdef CONFIG_NUMA
30 
+ 	node = cpu_to_node(cpu);
31 
+ #endif
32 
+-	if (cpu_has(&cpu_data(cpu), X86_FEATURE_RDTSCP))
33 
++	if (static_cpu_has(X86_FEATURE_RDTSCP))
34 
+ 		write_rdtscp_aux((node << 12) | cpu);
35 
+
36 
+ 	/*
37 
+--
38 
+2.7.4
39 
+
SPECS/linux/speculative-store-bypass/0015-x86-boot-Simplify-kernel-load-address-alignment-chec.patch
History View file @ 4ab22c2
0 40 
new file mode 100644
... ... 
@@ -0,0 +1,51 @@
0 
+From 48085c7ec07d24f322fbf56dfda77264b31e53b2 Mon Sep 17 00:00:00 2001
1 
+From: Alexander Kuleshov <kuleshovmail@gmail.com>
2 
+Date: Thu, 14 Jun 2018 14:56:07 -0700
3 
+Subject: [PATCH 015/103] x86/boot: Simplify kernel load address alignment
4 
+ check
5 
+
6 
+commit a4733143085d6c782ac1e6c85778655b6bac1d4e upstream
7 
+
8 
+We are using %rax as temporary register to check the kernel
9 
+address alignment. We don't really have to since the TEST
10 
+instruction does not clobber the destination operand.
11 
+
12 
+Suggested-by: Brian Gerst <brgerst@gmail.com>
13 
+Signed-off-by: Alexander Kuleshov <kuleshovmail@gmail.com>
14 
+Signed-off-by: Borislav Petkov <bp@suse.de>
15 
+Cc: Alexander Popov <alpopov@ptsecurity.com>
16 
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
17 
+Cc: Andy Lutomirski <luto@amacapital.net>
18 
+Cc: Andy Lutomirski <luto@kernel.org>
19 
+Cc: Borislav Petkov <bp@alien8.de>
20 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
21 
+Cc: H. Peter Anvin <hpa@zytor.com>
22 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
23 
+Cc: Peter Zijlstra <peterz@infradead.org>
24 
+Cc: Thomas Gleixner <tglx@linutronix.de>
25 
+Link: http://lkml.kernel.org/r/1453531828-19291-1-git-send-email-kuleshovmail@gmail.com
26 
+Link: http://lkml.kernel.org/r/1453842730-28463-11-git-send-email-bp@alien8.de
27 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
28 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
29 
+---
30 
+ arch/x86/kernel/head_64.S | 4 +---
31 
+ 1 file changed, 1 insertion(+), 3 deletions(-)
32 
+
33 
+diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
34 
+index 4034e90..734ba1d 100644
35 
+--- a/arch/x86/kernel/head_64.S
36 
+@@ -76,9 +76,7 @@ startup_64:
37 
+ 	subq	$_text - __START_KERNEL_map, %rbp
38 
+
39 
+ 	/* Is the address not 2M aligned? */
40 
+-	movq	%rbp, %rax
41 
+-	andl	$~PMD_PAGE_MASK, %eax
42 
+-	testl	%eax, %eax
43 
++	testl	$~PMD_PAGE_MASK, %ebp
44 
+ 	jnz	bad_address
45 
+
46 
+ 	/*
47 
+--
48 
+2.7.4
49 
+
SPECS/linux/speculative-store-bypass/0016-x86-cpufeature-Speed-up-cpu_feature_enabled.patch
History View file @ 4ab22c2
0 50 
new file mode 100644
... ... 
@@ -0,0 +1,55 @@
0 
+From 3ec44bffb118cda8fb88fe57f5375908d5f1e520 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:08 -0700
3 
+Subject: [PATCH 016/103] x86/cpufeature: Speed up cpu_feature_enabled()
4 
+
5 
+commit f2cc8e0791c70833758101d9756609a08dd601ec upstream
6 
+
7 
+When GCC cannot do constant folding for this macro, it falls back to
8 
+cpu_has(). But static_cpu_has() is optimal and it works at all times
9 
+now. So use it and speedup the fallback case.
10 
+
11 
+Before we had this:
12 
+
13 
+  mov    0x99d674(%rip),%rdx        # ffffffff81b0d9f4 <boot_cpu_data+0x34>
14 
+  shr    $0x2e,%rdx
15 
+  and    $0x1,%edx
16 
+  jne    ffffffff811704e9 <do_munmap+0x3f9>
17 
+
18 
+After alternatives patching, it turns into:
19 
+
20 
+		  jmp    0xffffffff81170390
21 
+		  nopl   (%rax)
22 
+		  ...
23 
+		  callq  ffffffff81056e00 <mpx_notify_unmap>
24 
+ffffffff81170390: mov    0x170(%r12),%rdi
25 
+
26 
+Signed-off-by: Borislav Petkov <bp@suse.de>
27 
+Cc: Joerg Roedel <joro@8bytes.org>
28 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
29 
+Cc: Peter Zijlstra <peterz@infradead.org>
30 
+Cc: Thomas Gleixner <tglx@linutronix.de>
31 
+Link: http://lkml.kernel.org/r/1455578358-28347-1-git-send-email-bp@alien8.de
32 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
33 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
34 
+---
35 
+ arch/x86/include/asm/cpufeature.h | 3 +--
36 
+ 1 file changed, 1 insertion(+), 2 deletions(-)
37 
+
38 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
39 
+index 1c9d6c5..03ca602 100644
40 
+--- a/arch/x86/include/asm/cpufeature.h
41 
+@@ -88,8 +88,7 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
42 
+  * is not relevant.
43 
+  */
44 
+ #define cpu_feature_enabled(bit)	\
45 
+-	(__builtin_constant_p(bit) && DISABLED_MASK_BIT_SET(bit) ? 0 :	\
46 
+-	 cpu_has(&boot_cpu_data, bit))
47 
++	(__builtin_constant_p(bit) && DISABLED_MASK_BIT_SET(bit) ? 0 : static_cpu_has(bit))
48 
+
49 
+ #define boot_cpu_has(bit)	cpu_has(&boot_cpu_data, bit)
50 
+
51 
+--
52 
+2.7.4
53 
+
SPECS/linux/speculative-store-bypass/0017-x86-cpufeature-x86-mm-pkeys-Add-protection-keys-rela.patch
History View file @ 4ab22c2
0 54 
new file mode 100644
... ... 
@@ -0,0 +1,228 @@
0 
+From aaa4502087947610634210d569fb4ce5960809ca Mon Sep 17 00:00:00 2001
1 
+From: Dave Hansen <dave.hansen@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:08 -0700
3 
+Subject: [PATCH 017/103] x86/cpufeature, x86/mm/pkeys: Add protection keys
4 
+ related CPUID definitions
5 
+
6 
+commit dfb4a70f20c5b3880da56ee4c9484bdb4e8f1e65 upstream
7 
+
8 
+There are two CPUID bits for protection keys.  One is for whether
9 
+the CPU contains the feature, and the other will appear set once
10 
+the OS enables protection keys.  Specifically:
11 
+
12 
+	Bit 04: OSPKE. If 1, OS has set CR4.PKE to enable
13 
+	Protection keys (and the RDPKRU/WRPKRU instructions)
14 
+
15 
+This is because userspace can not see CR4 contents, but it can
16 
+see CPUID contents.
17 
+
18 
+X86_FEATURE_PKU is referred to as "PKU" in the hardware documentation:
19 
+
20 
+	CPUID.(EAX=07H,ECX=0H):ECX.PKU [bit 3]
21 
+
22 
+X86_FEATURE_OSPKE is "OSPKU":
23 
+
24 
+	CPUID.(EAX=07H,ECX=0H):ECX.OSPKE [bit 4]
25 
+
26 
+These are the first CPU features which need to look at the
27 
+ECX word in CPUID leaf 0x7, so this patch also includes
28 
+fetching that word in to the cpuinfo->x86_capability[] array.
29 
+
30 
+Add it to the disabled-features mask when its config option is
31 
+off.  Even though we are not using it here, we also extend the
32 
+REQUIRED_MASK_BIT_SET() macro to keep it mirroring the
33 
+DISABLED_MASK_BIT_SET() version.
34 
+
35 
+This means that in almost all code, you should use:
36 
+
37 
+	cpu_has(c, X86_FEATURE_PKU)
38 
+
39 
+and *not* the CONFIG option.
40 
+
41 
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
42 
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
43 
+Cc: Andrew Morton <akpm@linux-foundation.org>
44 
+Cc: Andy Lutomirski <luto@amacapital.net>
45 
+Cc: Borislav Petkov <bp@alien8.de>
46 
+Cc: Brian Gerst <brgerst@gmail.com>
47 
+Cc: Dave Hansen <dave@sr71.net>
48 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
49 
+Cc: H. Peter Anvin <hpa@zytor.com>
50 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
51 
+Cc: Peter Zijlstra <peterz@infradead.org>
52 
+Cc: Rik van Riel <riel@redhat.com>
53 
+Cc: linux-mm@kvack.org
54 
+Link: http://lkml.kernel.org/r/20160212210201.7714C250@viggo.jf.intel.com
55 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
56 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
57 
+---
58 
+ arch/x86/include/asm/cpufeature.h        | 59 +++++++++++++++++++++-----------
59 
+ arch/x86/include/asm/cpufeatures.h       |  2 +-
60 
+ arch/x86/include/asm/disabled-features.h | 15 ++++++++
61 
+ arch/x86/include/asm/required-features.h |  7 ++++
62 
+ arch/x86/kernel/cpu/common.c             |  1 +
63 
+ 5 files changed, 63 insertions(+), 21 deletions(-)
64 
+
65 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
66 
+index 03ca602..7fdd717 100644
67 
+--- a/arch/x86/include/asm/cpufeature.h
68 
+@@ -26,6 +26,7 @@ enum cpuid_leafs
69 
+ 	CPUID_8000_0008_EBX,
70 
+ 	CPUID_6_EAX,
71 
+ 	CPUID_8000_000A_EDX,
72 
++	CPUID_7_ECX,
73 
+ };
74 
+
75 
+ #ifdef CONFIG_X86_FEATURE_NAMES
76 
+@@ -48,28 +49,42 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
77 
+ 	 test_bit(bit, (unsigned long *)((c)->x86_capability))
78 
+
79 
+ #define REQUIRED_MASK_BIT_SET(bit)					\
80 
+-	 ( (((bit)>>5)==0 && (1UL<<((bit)&31) & REQUIRED_MASK0)) ||	\
81 
+-	   (((bit)>>5)==1 && (1UL<<((bit)&31) & REQUIRED_MASK1)) ||	\
82 
+-	   (((bit)>>5)==2 && (1UL<<((bit)&31) & REQUIRED_MASK2)) ||	\
83 
+-	   (((bit)>>5)==3 && (1UL<<((bit)&31) & REQUIRED_MASK3)) ||	\
84 
+-	   (((bit)>>5)==4 && (1UL<<((bit)&31) & REQUIRED_MASK4)) ||	\
85 
+-	   (((bit)>>5)==5 && (1UL<<((bit)&31) & REQUIRED_MASK5)) ||	\
86 
+-	   (((bit)>>5)==6 && (1UL<<((bit)&31) & REQUIRED_MASK6)) ||	\
87 
+-	   (((bit)>>5)==7 && (1UL<<((bit)&31) & REQUIRED_MASK7)) ||	\
88 
+-	   (((bit)>>5)==8 && (1UL<<((bit)&31) & REQUIRED_MASK8)) ||	\
89 
+-	   (((bit)>>5)==9 && (1UL<<((bit)&31) & REQUIRED_MASK9)) )
90 
++	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & REQUIRED_MASK0 )) ||	\
91 
++	   (((bit)>>5)==1  && (1UL<<((bit)&31) & REQUIRED_MASK1 )) ||	\
92 
++	   (((bit)>>5)==2  && (1UL<<((bit)&31) & REQUIRED_MASK2 )) ||	\
93 
++	   (((bit)>>5)==3  && (1UL<<((bit)&31) & REQUIRED_MASK3 )) ||	\
94 
++	   (((bit)>>5)==4  && (1UL<<((bit)&31) & REQUIRED_MASK4 )) ||	\
95 
++	   (((bit)>>5)==5  && (1UL<<((bit)&31) & REQUIRED_MASK5 )) ||	\
96 
++	   (((bit)>>5)==6  && (1UL<<((bit)&31) & REQUIRED_MASK6 )) ||	\
97 
++	   (((bit)>>5)==7  && (1UL<<((bit)&31) & REQUIRED_MASK7 )) ||	\
98 
++	   (((bit)>>5)==8  && (1UL<<((bit)&31) & REQUIRED_MASK8 )) ||	\
99 
++	   (((bit)>>5)==9  && (1UL<<((bit)&31) & REQUIRED_MASK9 )) ||	\
100 
++	   (((bit)>>5)==10 && (1UL<<((bit)&31) & REQUIRED_MASK10)) ||	\
101 
++	   (((bit)>>5)==11 && (1UL<<((bit)&31) & REQUIRED_MASK11)) ||	\
102 
++	   (((bit)>>5)==12 && (1UL<<((bit)&31) & REQUIRED_MASK12)) ||	\
103 
++	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK13)) ||	\
104 
++	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK14)) ||	\
105 
++	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK15)) ||	\
106 
++	   (((bit)>>5)==14 && (1UL<<((bit)&31) & REQUIRED_MASK16)) )
107 
+
108 
+ #define DISABLED_MASK_BIT_SET(bit)					\
109 
+-	 ( (((bit)>>5)==0 && (1UL<<((bit)&31) & DISABLED_MASK0)) ||	\
110 
+-	   (((bit)>>5)==1 && (1UL<<((bit)&31) & DISABLED_MASK1)) ||	\
111 
+-	   (((bit)>>5)==2 && (1UL<<((bit)&31) & DISABLED_MASK2)) ||	\
112 
+-	   (((bit)>>5)==3 && (1UL<<((bit)&31) & DISABLED_MASK3)) ||	\
113 
+-	   (((bit)>>5)==4 && (1UL<<((bit)&31) & DISABLED_MASK4)) ||	\
114 
+-	   (((bit)>>5)==5 && (1UL<<((bit)&31) & DISABLED_MASK5)) ||	\
115 
+-	   (((bit)>>5)==6 && (1UL<<((bit)&31) & DISABLED_MASK6)) ||	\
116 
+-	   (((bit)>>5)==7 && (1UL<<((bit)&31) & DISABLED_MASK7)) ||	\
117 
+-	   (((bit)>>5)==8 && (1UL<<((bit)&31) & DISABLED_MASK8)) ||	\
118 
+-	   (((bit)>>5)==9 && (1UL<<((bit)&31) & DISABLED_MASK9)) )
119 
++	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & DISABLED_MASK0 )) ||	\
120 
++	   (((bit)>>5)==1  && (1UL<<((bit)&31) & DISABLED_MASK1 )) ||	\
121 
++	   (((bit)>>5)==2  && (1UL<<((bit)&31) & DISABLED_MASK2 )) ||	\
122 
++	   (((bit)>>5)==3  && (1UL<<((bit)&31) & DISABLED_MASK3 )) ||	\
123 
++	   (((bit)>>5)==4  && (1UL<<((bit)&31) & DISABLED_MASK4 )) ||	\
124 
++	   (((bit)>>5)==5  && (1UL<<((bit)&31) & DISABLED_MASK5 )) ||	\
125 
++	   (((bit)>>5)==6  && (1UL<<((bit)&31) & DISABLED_MASK6 )) ||	\
126 
++	   (((bit)>>5)==7  && (1UL<<((bit)&31) & DISABLED_MASK7 )) ||	\
127 
++	   (((bit)>>5)==8  && (1UL<<((bit)&31) & DISABLED_MASK8 )) ||	\
128 
++	   (((bit)>>5)==9  && (1UL<<((bit)&31) & DISABLED_MASK9 )) ||	\
129 
++	   (((bit)>>5)==10 && (1UL<<((bit)&31) & DISABLED_MASK10)) ||	\
130 
++	   (((bit)>>5)==11 && (1UL<<((bit)&31) & DISABLED_MASK11)) ||	\
131 
++	   (((bit)>>5)==12 && (1UL<<((bit)&31) & DISABLED_MASK12)) ||	\
132 
++	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK13)) ||	\
133 
++	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK14)) ||	\
134 
++	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK15)) ||	\
135 
++	   (((bit)>>5)==14 && (1UL<<((bit)&31) & DISABLED_MASK16)) )
136 
+
137 
+ #define cpu_has(c, bit)							\
138 
+ 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 :	\
139 
+@@ -79,6 +94,10 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
140 
+ 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : 	\
141 
+ 	 x86_this_cpu_test_bit(bit, (unsigned long *)&cpu_info.x86_capability))
142 
+
143 
++/* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */
144 
++#define X86_FEATURE_PKU		(16*32+ 3) /* Protection Keys for Userspace */
145 
++#define X86_FEATURE_OSPKE	(16*32+ 4) /* OS Protection Keys Enable */
146 
++
147 
+ /*
148 
+  * This macro is for detection of features which need kernel
149 
+  * infrastructure to be used.  It may *not* directly test the CPU
150 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
151 
+index 5dab071..9fc45e0 100644
152 
+--- a/arch/x86/include/asm/cpufeatures.h
153 
+@@ -12,7 +12,7 @@
154 
+ /*
155 
+  * Defines x86 CPU feature bits
156 
+  */
157 
+-#define NCAPINTS	16	/* N 32-bit words worth of info */
158 
++#define NCAPINTS	17	/* N 32-bit words worth of info */
159 
+ #define NBUGINTS	1	/* N 32-bit bug flags */
160 
+
161 
+ /*
162 
+diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
163 
+index 8b17c2a..522a069 100644
164 
+--- a/arch/x86/include/asm/disabled-features.h
165 
+@@ -30,6 +30,14 @@
166 
+ # define DISABLE_PCID		(1<<(X86_FEATURE_PCID & 31))
167 
+ #endif /* CONFIG_X86_64 */
168 
+
169 
++#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
170 
++# define DISABLE_PKU		(1<<(X86_FEATURE_PKU))
171 
++# define DISABLE_OSPKE		(1<<(X86_FEATURE_OSPKE))
172 
++#else
173 
++# define DISABLE_PKU		0
174 
++# define DISABLE_OSPKE		0
175 
++#endif /* CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS */
176 
++
177 
+ /*
178 
+  * Make sure to add features to the correct mask
179 
+  */
180 
+@@ -43,5 +51,12 @@
181 
+ #define DISABLED_MASK7	0
182 
+ #define DISABLED_MASK8	0
183 
+ #define DISABLED_MASK9	(DISABLE_MPX)
184 
++#define DISABLED_MASK10	0
185 
++#define DISABLED_MASK11	0
186 
++#define DISABLED_MASK12	0
187 
++#define DISABLED_MASK13	0
188 
++#define DISABLED_MASK14	0
189 
++#define DISABLED_MASK15	0
190 
++#define DISABLED_MASK16	(DISABLE_PKU|DISABLE_OSPKE)
191 
+
192 
+ #endif /* _ASM_X86_DISABLED_FEATURES_H */
193 
+diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h
194 
+index 5c6e4fb..4916144 100644
195 
+--- a/arch/x86/include/asm/required-features.h
196 
+@@ -92,5 +92,12 @@
197 
+ #define REQUIRED_MASK7	0
198 
+ #define REQUIRED_MASK8	0
199 
+ #define REQUIRED_MASK9	0
200 
++#define REQUIRED_MASK10	0
201 
++#define REQUIRED_MASK11	0
202 
++#define REQUIRED_MASK12	0
203 
++#define REQUIRED_MASK13	0
204 
++#define REQUIRED_MASK14	0
205 
++#define REQUIRED_MASK15	0
206 
++#define REQUIRED_MASK16	0
207 
+
208 
+ #endif /* _ASM_X86_REQUIRED_FEATURES_H */
209 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
210 
+index 58d56c4..d6a7b6f2 100644
211 
+--- a/arch/x86/kernel/cpu/common.c
212 
+@@ -693,6 +693,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
213 
+ 		c->x86_capability[CPUID_7_0_EBX] = ebx;
214 
+
215 
+ 		c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006);
216 
++		c->x86_capability[CPUID_7_ECX] = ecx;
217 
+ 	}
218 
+
219 
+ 	/* Extended state features: level 0x0000000d */
220 
+--
221 
+2.7.4
222 
+
SPECS/linux/speculative-store-bypass/0018-x86-mm-pkeys-Fix-mismerge-of-protection-keys-CPUID-b.patch
History View file @ 4ab22c2
0 223 
new file mode 100644
... ... 
@@ -0,0 +1,78 @@
0 
+From 2850315329528977e8bbb543f2e2e04b7531b71c Mon Sep 17 00:00:00 2001
1 
+From: Dave Hansen <dave.hansen@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:09 -0700
3 
+Subject: [PATCH 018/103] x86/mm/pkeys: Fix mismerge of protection keys CPUID
4 
+ bits
5 
+
6 
+commit 0d47638f80a02b15869f1fe1fc09e5bf996750fd upstream
7 
+
8 
+Kirill Shutemov pointed this out to me.
9 
+
10 
+The tip tree currently has commit:
11 
+
12 
+	dfb4a70f2 [x86/cpufeature, x86/mm/pkeys: Add protection keys related CPUID definitions]
13 
+
14 
+whioch added support for two new CPUID bits: X86_FEATURE_PKU and
15 
+X86_FEATURE_OSPKE.  But, those bits were mis-merged and put in
16 
+cpufeature.h instead of cpufeatures.h.
17 
+
18 
+This didn't cause any breakage *except* it keeps the "ospke" and
19 
+"pku" bits from showing up in cpuinfo.
20 
+
21 
+Now cpuinfo has the two new flags:
22 
+
23 
+	flags	: ...  pku ospke
24 
+
25 
+BTW, is it really wise to have cpufeature.h and cpufeatures.h?
26 
+It seems like they can only cause confusion and mahem with tab
27 
+completion.
28 
+
29 
+Reported-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
30 
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
31 
+Acked-by: Borislav Petkov <bp@suse.de>
32 
+Cc: Andy Lutomirski <luto@kernel.org>
33 
+Cc: Dave Hansen <dave@sr71.net>
34 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
35 
+Cc: Peter Zijlstra <peterz@infradead.org>
36 
+Cc: Thomas Gleixner <tglx@linutronix.de>
37 
+Link: http://lkml.kernel.org/r/20160310221213.06F9DB53@viggo.jf.intel.com
38 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
39 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
40 
+---
41 
+ arch/x86/include/asm/cpufeature.h  | 4 ----
42 
+ arch/x86/include/asm/cpufeatures.h | 4 ++++
43 
+ 2 files changed, 4 insertions(+), 4 deletions(-)
44 
+
45 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
46 
+index 7fdd717..b953fb7 100644
47 
+--- a/arch/x86/include/asm/cpufeature.h
48 
+@@ -94,10 +94,6 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
49 
+ 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 : 	\
50 
+ 	 x86_this_cpu_test_bit(bit, (unsigned long *)&cpu_info.x86_capability))
51 
+
52 
+-/* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */
53 
+-#define X86_FEATURE_PKU		(16*32+ 3) /* Protection Keys for Userspace */
54 
+-#define X86_FEATURE_OSPKE	(16*32+ 4) /* OS Protection Keys Enable */
55 
+-
56 
+ /*
57 
+  * This macro is for detection of features which need kernel
58 
+  * infrastructure to be used.  It may *not* directly test the CPU
59 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
60 
+index 9fc45e0..98899fb 100644
61 
+--- a/arch/x86/include/asm/cpufeatures.h
62 
+@@ -276,6 +276,10 @@
63 
+ #define X86_FEATURE_PAUSEFILTER (15*32+10) /* filtered pause intercept */
64 
+ #define X86_FEATURE_PFTHRESHOLD (15*32+12) /* pause filter threshold */
65 
+
66 
++/* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */
67 
++#define X86_FEATURE_PKU		(16*32+ 3) /* Protection Keys for Userspace */
68 
++#define X86_FEATURE_OSPKE	(16*32+ 4) /* OS Protection Keys Enable */
69 
++
70 
+ /*
71 
+  * BUG word(s)
72 
+  */
73 
+--
74 
+2.7.4
75 
+
SPECS/linux/speculative-store-bypass/0019-x86-cpu-Add-detection-of-AMD-RAS-Capabilities.patch
History View file @ 4ab22c2
0 76 
new file mode 100644
... ... 
@@ -0,0 +1,105 @@
0 
+From 7901b6afe203453823870200a5d45f0fe35669be Mon Sep 17 00:00:00 2001
1 
+From: Yazen Ghannam <Yazen.Ghannam@amd.com>
2 
+Date: Thu, 14 Jun 2018 14:56:09 -0700
3 
+Subject: [PATCH 019/103] x86/cpu: Add detection of AMD RAS Capabilities
4 
+
5 
+commit 71faad43060d3d2040583635fbf7d1bdb3d04118 upstream
6 
+
7 
+Add a new CPUID leaf to hold the contents of CPUID 0x80000007_EBX (RasCap).
8 
+
9 
+Define bits that are currently in use:
10 
+
11 
+ Bit 0: McaOverflowRecov
12 
+ Bit 1: SUCCOR
13 
+ Bit 3: ScalableMca
14 
+
15 
+Signed-off-by: Yazen Ghannam <Yazen.Ghannam@amd.com>
16 
+[ Shorten comment. ]
17 
+Signed-off-by: Borislav Petkov <bp@suse.de>
18 
+Cc: Andy Lutomirski <luto@amacapital.net>
19 
+Cc: Borislav Petkov <bp@alien8.de>
20 
+Cc: Brian Gerst <brgerst@gmail.com>
21 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
22 
+Cc: H. Peter Anvin <hpa@zytor.com>
23 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
24 
+Cc: Peter Zijlstra <peterz@infradead.org>
25 
+Cc: Thomas Gleixner <tglx@linutronix.de>
26 
+Cc: Tony Luck <tony.luck@intel.com>
27 
+Cc: linux-edac <linux-edac@vger.kernel.org>
28 
+Link: http://lkml.kernel.org/r/1462971509-3856-5-git-send-email-bp@alien8.de
29 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
30 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
31 
+---
32 
+ arch/x86/include/asm/cpufeature.h  |  1 +
33 
+ arch/x86/include/asm/cpufeatures.h |  7 ++++++-
34 
+ arch/x86/kernel/cpu/common.c       | 10 +++++++---
35 
+ 3 files changed, 14 insertions(+), 4 deletions(-)
36 
+
37 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
38 
+index b953fb7..1d02ad6 100644
39 
+--- a/arch/x86/include/asm/cpufeature.h
40 
+@@ -27,6 +27,7 @@ enum cpuid_leafs
41 
+ 	CPUID_6_EAX,
42 
+ 	CPUID_8000_000A_EDX,
43 
+ 	CPUID_7_ECX,
44 
++	CPUID_8000_0007_EBX,
45 
+ };
46 
+
47 
+ #ifdef CONFIG_X86_FEATURE_NAMES
48 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
49 
+index 98899fb..e133857 100644
50 
+--- a/arch/x86/include/asm/cpufeatures.h
51 
+@@ -12,7 +12,7 @@
52 
+ /*
53 
+  * Defines x86 CPU feature bits
54 
+  */
55 
+-#define NCAPINTS	17	/* N 32-bit words worth of info */
56 
++#define NCAPINTS	18	/* N 32-bit words worth of info */
57 
+ #define NBUGINTS	1	/* N 32-bit bug flags */
58 
+
59 
+ /*
60 
+@@ -280,6 +280,11 @@
61 
+ #define X86_FEATURE_PKU		(16*32+ 3) /* Protection Keys for Userspace */
62 
+ #define X86_FEATURE_OSPKE	(16*32+ 4) /* OS Protection Keys Enable */
63 
+
64 
++/* AMD-defined CPU features, CPUID level 0x80000007 (ebx), word 17 */
65 
++#define X86_FEATURE_OVERFLOW_RECOV (17*32+0) /* MCA overflow recovery support */
66 
++#define X86_FEATURE_SUCCOR	(17*32+1) /* Uncorrectable error containment and recovery */
67 
++#define X86_FEATURE_SMCA	(17*32+3) /* Scalable MCA */
68 
++
69 
+ /*
70 
+  * BUG word(s)
71 
+  */
72 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
73 
+index d6a7b6f2..814276d 100644
74 
+--- a/arch/x86/kernel/cpu/common.c
75 
+@@ -741,6 +741,13 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
76 
+ 		}
77 
+ 	}
78 
+
79 
++	if (c->extended_cpuid_level >= 0x80000007) {
80 
++		cpuid(0x80000007, &eax, &ebx, &ecx, &edx);
81 
++
82 
++		c->x86_capability[CPUID_8000_0007_EBX] = ebx;
83 
++		c->x86_power = edx;
84 
++	}
85 
++
86 
+ 	if (c->extended_cpuid_level >= 0x80000008) {
87 
+ 		cpuid(0x80000008, &eax, &ebx, &ecx, &edx);
88 
+
89 
+@@ -753,9 +760,6 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
90 
+ 		c->x86_phys_bits = 36;
91 
+ #endif
92 
+
93 
+-	if (c->extended_cpuid_level >= 0x80000007)
94 
+-		c->x86_power = cpuid_edx(0x80000007);
95 
+-
96 
+ 	if (c->extended_cpuid_level >= 0x8000000a)
97 
+ 		c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a);
98 
+
99 
+--
100 
+2.7.4
101 
+
SPECS/linux/speculative-store-bypass/0020-x86-cpufeature-x86-mm-pkeys-Fix-broken-compile-time-.patch
History View file @ 4ab22c2
0 102 
new file mode 100644
... ... 
@@ -0,0 +1,100 @@
0 
+From 8951f81671c40361fe1933f83e1d4247b0bc7ed3 Mon Sep 17 00:00:00 2001
1 
+From: Dave Hansen <dave.hansen@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:10 -0700
3 
+Subject: [PATCH 020/103] x86/cpufeature, x86/mm/pkeys: Fix broken compile-time
4 
+ disabling of pkeys
5 
+
6 
+commit e8df1a95b685af84a81698199ee206e0e66a8b44 upstream
7 
+
8 
+When I added support for the Memory Protection Keys processor
9 
+feature, I had to reindent the REQUIRED/DISABLED_MASK macros, and
10 
+also consult the later cpufeature words.
11 
+
12 
+I'm not quite sure how I bungled it, but I consulted the wrong
13 
+word at the end.  This only affected required or disabled cpu
14 
+features in cpufeature words 14, 15 and 16.  So, only Protection
15 
+Keys itself was screwed over here.
16 
+
17 
+The result was that if you disabled pkeys in your .config, you
18 
+might still see some code show up that should have been compiled
19 
+out.  There should be no functional problems, though.
20 
+
21 
+In verifying this patch I also realized that the DISABLE_PKU/OSPKE
22 
+macros were defined backwards and that the cpu_has() check in
23 
+setup_pku() was not doing the compile-time disabled checks.
24 
+
25 
+So also fix the macro for DISABLE_PKU/OSPKE and add a compile-time
26 
+check for pkeys being enabled in setup_pku().
27 
+
28 
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
29 
+Cc: <stable@vger.kernel.org>
30 
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
31 
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
32 
+Cc: Dave Hansen <dave@sr71.net>
33 
+Cc: Jiri Olsa <jolsa@redhat.com>
34 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
35 
+Cc: Peter Zijlstra <peterz@infradead.org>
36 
+Cc: Stephane Eranian <eranian@google.com>
37 
+Cc: Thomas Gleixner <tglx@linutronix.de>
38 
+Cc: Vince Weaver <vincent.weaver@maine.edu>
39 
+Fixes: dfb4a70f20c5 ("x86/cpufeature, x86/mm/pkeys: Add protection keys related CPUID definitions")
40 
+Link: http://lkml.kernel.org/r/20160513221328.C200930B@viggo.jf.intel.com
41 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
42 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
43 
+---
44 
+ arch/x86/include/asm/cpufeature.h        | 12 ++++++------
45 
+ arch/x86/include/asm/disabled-features.h |  6 +++---
46 
+ 2 files changed, 9 insertions(+), 9 deletions(-)
47 
+
48 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
49 
+index 1d02ad6..aa7785e 100644
50 
+--- a/arch/x86/include/asm/cpufeature.h
51 
+@@ -64,9 +64,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
52 
+ 	   (((bit)>>5)==11 && (1UL<<((bit)&31) & REQUIRED_MASK11)) ||	\
53 
+ 	   (((bit)>>5)==12 && (1UL<<((bit)&31) & REQUIRED_MASK12)) ||	\
54 
+ 	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK13)) ||	\
55 
+-	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK14)) ||	\
56 
+-	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK15)) ||	\
57 
+-	   (((bit)>>5)==14 && (1UL<<((bit)&31) & REQUIRED_MASK16)) )
58 
++	   (((bit)>>5)==14 && (1UL<<((bit)&31) & REQUIRED_MASK14)) ||	\
59 
++	   (((bit)>>5)==15 && (1UL<<((bit)&31) & REQUIRED_MASK15)) ||	\
60 
++	   (((bit)>>5)==16 && (1UL<<((bit)&31) & REQUIRED_MASK16)) )
61 
+
62 
+ #define DISABLED_MASK_BIT_SET(bit)					\
63 
+ 	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & DISABLED_MASK0 )) ||	\
64 
+@@ -83,9 +83,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
65 
+ 	   (((bit)>>5)==11 && (1UL<<((bit)&31) & DISABLED_MASK11)) ||	\
66 
+ 	   (((bit)>>5)==12 && (1UL<<((bit)&31) & DISABLED_MASK12)) ||	\
67 
+ 	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK13)) ||	\
68 
+-	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK14)) ||	\
69 
+-	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK15)) ||	\
70 
+-	   (((bit)>>5)==14 && (1UL<<((bit)&31) & DISABLED_MASK16)) )
71 
++	   (((bit)>>5)==14 && (1UL<<((bit)&31) & DISABLED_MASK14)) ||	\
72 
++	   (((bit)>>5)==15 && (1UL<<((bit)&31) & DISABLED_MASK15)) ||	\
73 
++	   (((bit)>>5)==16 && (1UL<<((bit)&31) & DISABLED_MASK16)) )
74 
+
75 
+ #define cpu_has(c, bit)							\
76 
+ 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 :	\
77 
+diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
78 
+index 522a069..0403b22 100644
79 
+--- a/arch/x86/include/asm/disabled-features.h
80 
+@@ -31,11 +31,11 @@
81 
+ #endif /* CONFIG_X86_64 */
82 
+
83 
+ #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
84 
+-# define DISABLE_PKU		(1<<(X86_FEATURE_PKU))
85 
+-# define DISABLE_OSPKE		(1<<(X86_FEATURE_OSPKE))
86 
+-#else
87 
+ # define DISABLE_PKU		0
88 
+ # define DISABLE_OSPKE		0
89 
++#else
90 
++# define DISABLE_PKU		(1<<(X86_FEATURE_PKU & 31))
91 
++# define DISABLE_OSPKE		(1<<(X86_FEATURE_OSPKE & 31))
92 
+ #endif /* CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS */
93 
+
94 
+ /*
95 
+--
96 
+2.7.4
97 
+
SPECS/linux/speculative-store-bypass/0021-x86-cpufeature-Update-cpufeaure-macros.patch
History View file @ 4ab22c2
0 98 
new file mode 100644
... ... 
@@ -0,0 +1,82 @@
0 
+From db0e0674b41fe6b1fae0668de01623be29af1127 Mon Sep 17 00:00:00 2001
1 
+From: Dave Hansen <dave.hansen@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:10 -0700
3 
+Subject: [PATCH 021/103] x86/cpufeature: Update cpufeaure macros
4 
+
5 
+commit 6e17cb9c2d5efd8fcc3934e983733302b9912ff8 upstream
6 
+
7 
+We had a new CPUID "NCAPINT" word added, but the REQUIRED_MASK and
8 
+DISABLED_MASK macros did not get updated.  Update them.
9 
+
10 
+None of the features was needed in these masks, so there was no
11 
+harm, but we should keep them updated anyway.
12 
+
13 
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
14 
+Cc: Andy Lutomirski <luto@kernel.org>
15 
+Cc: Borislav Petkov <bp@alien8.de>
16 
+Cc: Brian Gerst <brgerst@gmail.com>
17 
+Cc: Dave Hansen <dave@sr71.net>
18 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
19 
+Cc: H. Peter Anvin <hpa@zytor.com>
20 
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
21 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
22 
+Cc: Peter Zijlstra <peterz@infradead.org>
23 
+Cc: Thomas Gleixner <tglx@linutronix.de>
24 
+Link: http://lkml.kernel.org/r/20160629200107.8D3C9A31@viggo.jf.intel.com
25 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
26 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
27 
+---
28 
+ arch/x86/include/asm/cpufeature.h        | 6 ++++--
29 
+ arch/x86/include/asm/disabled-features.h | 1 +
30 
+ arch/x86/include/asm/required-features.h | 1 +
31 
+ 3 files changed, 6 insertions(+), 2 deletions(-)
32 
+
33 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
34 
+index aa7785e..c7e38da 100644
35 
+--- a/arch/x86/include/asm/cpufeature.h
36 
+@@ -66,7 +66,8 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
37 
+ 	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK13)) ||	\
38 
+ 	   (((bit)>>5)==14 && (1UL<<((bit)&31) & REQUIRED_MASK14)) ||	\
39 
+ 	   (((bit)>>5)==15 && (1UL<<((bit)&31) & REQUIRED_MASK15)) ||	\
40 
+-	   (((bit)>>5)==16 && (1UL<<((bit)&31) & REQUIRED_MASK16)) )
41 
++	   (((bit)>>5)==16 && (1UL<<((bit)&31) & REQUIRED_MASK16)) ||	\
42 
++	   (((bit)>>5)==17 && (1UL<<((bit)&31) & REQUIRED_MASK17)))
43 
+
44 
+ #define DISABLED_MASK_BIT_SET(bit)					\
45 
+ 	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & DISABLED_MASK0 )) ||	\
46 
+@@ -85,7 +86,8 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
47 
+ 	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK13)) ||	\
48 
+ 	   (((bit)>>5)==14 && (1UL<<((bit)&31) & DISABLED_MASK14)) ||	\
49 
+ 	   (((bit)>>5)==15 && (1UL<<((bit)&31) & DISABLED_MASK15)) ||	\
50 
+-	   (((bit)>>5)==16 && (1UL<<((bit)&31) & DISABLED_MASK16)) )
51 
++	   (((bit)>>5)==16 && (1UL<<((bit)&31) & DISABLED_MASK16)) ||	\
52 
++	   (((bit)>>5)==17 && (1UL<<((bit)&31) & DISABLED_MASK17)))
53 
+
54 
+ #define cpu_has(c, bit)							\
55 
+ 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 :	\
56 
+diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
57 
+index 0403b22..ab6b05c 100644
58 
+--- a/arch/x86/include/asm/disabled-features.h
59 
+@@ -58,5 +58,6 @@
60 
+ #define DISABLED_MASK14	0
61 
+ #define DISABLED_MASK15	0
62 
+ #define DISABLED_MASK16	(DISABLE_PKU|DISABLE_OSPKE)
63 
++#define DISABLED_MASK17	0
64 
+
65 
+ #endif /* _ASM_X86_DISABLED_FEATURES_H */
66 
+diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h
67 
+index 4916144..fad4277 100644
68 
+--- a/arch/x86/include/asm/required-features.h
69 
+@@ -99,5 +99,6 @@
70 
+ #define REQUIRED_MASK14	0
71 
+ #define REQUIRED_MASK15	0
72 
+ #define REQUIRED_MASK16	0
73 
++#define REQUIRED_MASK17	0
74 
+
75 
+ #endif /* _ASM_X86_REQUIRED_FEATURES_H */
76 
+--
77 
+2.7.4
78 
+
SPECS/linux/speculative-store-bypass/0022-x86-cpufeature-Make-sure-DISABLED-REQUIRED-macros-ar.patch
History View file @ 4ab22c2
0 79 
new file mode 100644
... ... 
@@ -0,0 +1,97 @@
0 
+From 10a27b926dfeec0a184d72d0d689268b08591382 Mon Sep 17 00:00:00 2001
1 
+From: Dave Hansen <dave.hansen@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:11 -0700
3 
+Subject: [PATCH 022/103] x86/cpufeature: Make sure DISABLED/REQUIRED macros
4 
+ are updated
5 
+
6 
+commit 1e61f78baf893c7eb49f633d23ccbb420c8f808e upstream
7 
+
8 
+x86 has two macros which allow us to evaluate some CPUID-based
9 
+features at compile time:
10 
+
11 
+	REQUIRED_MASK_BIT_SET()
12 
+	DISABLED_MASK_BIT_SET()
13 
+
14 
+They're both defined by having the compiler check the bit
15 
+argument against some constant masks of features.
16 
+
17 
+But, when adding new CPUID leaves, we need to check new words
18 
+for these macros.  So make sure that those macros and the
19 
+REQUIRED_MASK* and DISABLED_MASK* get updated when necessary.
20 
+
21 
+This looks kinda silly to have an open-coded value ("18" in
22 
+this case) open-coded in 5 places in the code.  But, we really do
23 
+need 5 places updated when NCAPINTS gets bumped, so now we just
24 
+force the issue.
25 
+
26 
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
27 
+Cc: Andy Lutomirski <luto@kernel.org>
28 
+Cc: Borislav Petkov <bp@alien8.de>
29 
+Cc: Brian Gerst <brgerst@gmail.com>
30 
+Cc: Dave Hansen <dave@sr71.net>
31 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
32 
+Cc: H. Peter Anvin <hpa@zytor.com>
33 
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
34 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
35 
+Cc: Peter Zijlstra <peterz@infradead.org>
36 
+Cc: Thomas Gleixner <tglx@linutronix.de>
37 
+Link: http://lkml.kernel.org/r/20160629200108.92466F6F@viggo.jf.intel.com
38 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
39 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
40 
+---
41 
+ arch/x86/include/asm/cpufeature.h        | 8 ++++++--
42 
+ arch/x86/include/asm/disabled-features.h | 1 +
43 
+ arch/x86/include/asm/required-features.h | 1 +
44 
+ 3 files changed, 8 insertions(+), 2 deletions(-)
45 
+
46 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
47 
+index c7e38da..3d5a6b5 100644
48 
+--- a/arch/x86/include/asm/cpufeature.h
49 
+@@ -67,7 +67,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
50 
+ 	   (((bit)>>5)==14 && (1UL<<((bit)&31) & REQUIRED_MASK14)) ||	\
51 
+ 	   (((bit)>>5)==15 && (1UL<<((bit)&31) & REQUIRED_MASK15)) ||	\
52 
+ 	   (((bit)>>5)==16 && (1UL<<((bit)&31) & REQUIRED_MASK16)) ||	\
53 
+-	   (((bit)>>5)==17 && (1UL<<((bit)&31) & REQUIRED_MASK17)))
54 
++	   (((bit)>>5)==17 && (1UL<<((bit)&31) & REQUIRED_MASK17)) ||	\
55 
++	   REQUIRED_MASK_CHECK					   ||	\
56 
++	   BUILD_BUG_ON_ZERO(NCAPINTS != 18))
57 
+
58 
+ #define DISABLED_MASK_BIT_SET(bit)					\
59 
+ 	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & DISABLED_MASK0 )) ||	\
60 
+@@ -87,7 +89,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
61 
+ 	   (((bit)>>5)==14 && (1UL<<((bit)&31) & DISABLED_MASK14)) ||	\
62 
+ 	   (((bit)>>5)==15 && (1UL<<((bit)&31) & DISABLED_MASK15)) ||	\
63 
+ 	   (((bit)>>5)==16 && (1UL<<((bit)&31) & DISABLED_MASK16)) ||	\
64 
+-	   (((bit)>>5)==17 && (1UL<<((bit)&31) & DISABLED_MASK17)))
65 
++	   (((bit)>>5)==17 && (1UL<<((bit)&31) & DISABLED_MASK17)) ||	\
66 
++	   DISABLED_MASK_CHECK					   ||	\
67 
++	   BUILD_BUG_ON_ZERO(NCAPINTS != 18))
68 
+
69 
+ #define cpu_has(c, bit)							\
70 
+ 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 :	\
71 
+diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
72 
+index ab6b05c..21c5ac1 100644
73 
+--- a/arch/x86/include/asm/disabled-features.h
74 
+@@ -59,5 +59,6 @@
75 
+ #define DISABLED_MASK15	0
76 
+ #define DISABLED_MASK16	(DISABLE_PKU|DISABLE_OSPKE)
77 
+ #define DISABLED_MASK17	0
78 
++#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18)
79 
+
80 
+ #endif /* _ASM_X86_DISABLED_FEATURES_H */
81 
+diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h
82 
+index fad4277..fac9a5c 100644
83 
+--- a/arch/x86/include/asm/required-features.h
84 
+@@ -100,5 +100,6 @@
85 
+ #define REQUIRED_MASK15	0
86 
+ #define REQUIRED_MASK16	0
87 
+ #define REQUIRED_MASK17	0
88 
++#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18)
89 
+
90 
+ #endif /* _ASM_X86_REQUIRED_FEATURES_H */
91 
+--
92 
+2.7.4
93 
+
SPECS/linux/speculative-store-bypass/0023-x86-cpufeature-Add-helper-macro-for-mask-check-macro.patch
History View file @ 4ab22c2
0 94 
new file mode 100644
... ... 
@@ -0,0 +1,144 @@
0 
+From c8bd7a9948f0fe372d357b1f26ecb82d3ba92cb1 Mon Sep 17 00:00:00 2001
1 
+From: Dave Hansen <dave.hansen@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:11 -0700
3 
+Subject: [PATCH 023/103] x86/cpufeature: Add helper macro for mask check
4 
+ macros
5 
+
6 
+commit 8eda072e9d7c3429a372e3635dc5851f4a42dee1 upstream
7 
+
8 
+Every time we add a word to our cpu features, we need to add
9 
+something like this in two places:
10 
+
11 
+	(((bit)>>5)==16 && (1UL<<((bit)&31) & REQUIRED_MASK16))
12 
+
13 
+The trick is getting the "16" in this case in both places.  I've
14 
+now screwed this up twice, so as pennance, I've come up with
15 
+this patch to keep me and other poor souls from doing the same.
16 
+
17 
+I also commented the logic behind the bit manipulation showcased
18 
+above.
19 
+
20 
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
21 
+Cc: Andy Lutomirski <luto@kernel.org>
22 
+Cc: Borislav Petkov <bp@alien8.de>
23 
+Cc: Brian Gerst <brgerst@gmail.com>
24 
+Cc: Dave Hansen <dave@sr71.net>
25 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
26 
+Cc: H. Peter Anvin <hpa@zytor.com>
27 
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
28 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
29 
+Cc: Peter Zijlstra <peterz@infradead.org>
30 
+Cc: Thomas Gleixner <tglx@linutronix.de>
31 
+Link: http://lkml.kernel.org/r/20160629200110.1BA8949E@viggo.jf.intel.com
32 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
33 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
34 
+---
35 
+ arch/x86/include/asm/cpufeature.h | 90 ++++++++++++++++++++++-----------------
36 
+ 1 file changed, 50 insertions(+), 40 deletions(-)
37 
+
38 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
39 
+index 3d5a6b5..dd00898 100644
40 
+--- a/arch/x86/include/asm/cpufeature.h
41 
+@@ -49,48 +49,58 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
42 
+ #define test_cpu_cap(c, bit)						\
43 
+ 	 test_bit(bit, (unsigned long *)((c)->x86_capability))
44 
+
45 
+-#define REQUIRED_MASK_BIT_SET(bit)					\
46 
+-	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & REQUIRED_MASK0 )) ||	\
47 
+-	   (((bit)>>5)==1  && (1UL<<((bit)&31) & REQUIRED_MASK1 )) ||	\
48 
+-	   (((bit)>>5)==2  && (1UL<<((bit)&31) & REQUIRED_MASK2 )) ||	\
49 
+-	   (((bit)>>5)==3  && (1UL<<((bit)&31) & REQUIRED_MASK3 )) ||	\
50 
+-	   (((bit)>>5)==4  && (1UL<<((bit)&31) & REQUIRED_MASK4 )) ||	\
51 
+-	   (((bit)>>5)==5  && (1UL<<((bit)&31) & REQUIRED_MASK5 )) ||	\
52 
+-	   (((bit)>>5)==6  && (1UL<<((bit)&31) & REQUIRED_MASK6 )) ||	\
53 
+-	   (((bit)>>5)==7  && (1UL<<((bit)&31) & REQUIRED_MASK7 )) ||	\
54 
+-	   (((bit)>>5)==8  && (1UL<<((bit)&31) & REQUIRED_MASK8 )) ||	\
55 
+-	   (((bit)>>5)==9  && (1UL<<((bit)&31) & REQUIRED_MASK9 )) ||	\
56 
+-	   (((bit)>>5)==10 && (1UL<<((bit)&31) & REQUIRED_MASK10)) ||	\
57 
+-	   (((bit)>>5)==11 && (1UL<<((bit)&31) & REQUIRED_MASK11)) ||	\
58 
+-	   (((bit)>>5)==12 && (1UL<<((bit)&31) & REQUIRED_MASK12)) ||	\
59 
+-	   (((bit)>>5)==13 && (1UL<<((bit)&31) & REQUIRED_MASK13)) ||	\
60 
+-	   (((bit)>>5)==14 && (1UL<<((bit)&31) & REQUIRED_MASK14)) ||	\
61 
+-	   (((bit)>>5)==15 && (1UL<<((bit)&31) & REQUIRED_MASK15)) ||	\
62 
+-	   (((bit)>>5)==16 && (1UL<<((bit)&31) & REQUIRED_MASK16)) ||	\
63 
+-	   (((bit)>>5)==17 && (1UL<<((bit)&31) & REQUIRED_MASK17)) ||	\
64 
+-	   REQUIRED_MASK_CHECK					   ||	\
65 
++/*
66 
++ * There are 32 bits/features in each mask word.  The high bits
67 
++ * (selected with (bit>>5) give us the word number and the low 5
68 
++ * bits give us the bit/feature number inside the word.
69 
++ * (1UL<<((bit)&31) gives us a mask for the feature_bit so we can
70 
++ * see if it is set in the mask word.
71 
++ */
72 
++#define CHECK_BIT_IN_MASK_WORD(maskname, word, bit)	\
73 
++	(((bit)>>5)==(word) && (1UL<<((bit)&31) & maskname##word ))
74 
++
75 
++#define REQUIRED_MASK_BIT_SET(feature_bit)		\
76 
++	 ( CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  0, feature_bit) ||	\
77 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  1, feature_bit) ||	\
78 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  2, feature_bit) ||	\
79 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  3, feature_bit) ||	\
80 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  4, feature_bit) ||	\
81 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  5, feature_bit) ||	\
82 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  6, feature_bit) ||	\
83 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  7, feature_bit) ||	\
84 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  8, feature_bit) ||	\
85 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK,  9, feature_bit) ||	\
86 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 10, feature_bit) ||	\
87 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 11, feature_bit) ||	\
88 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 12, feature_bit) ||	\
89 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 13, feature_bit) ||	\
90 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 14, feature_bit) ||	\
91 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 15, feature_bit) ||	\
92 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 16, feature_bit) ||	\
93 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 17, feature_bit) ||	\
94 
++	   REQUIRED_MASK_CHECK					  ||	\
95 
+ 	   BUILD_BUG_ON_ZERO(NCAPINTS != 18))
96 
+
97 
+-#define DISABLED_MASK_BIT_SET(bit)					\
98 
+-	 ( (((bit)>>5)==0  && (1UL<<((bit)&31) & DISABLED_MASK0 )) ||	\
99 
+-	   (((bit)>>5)==1  && (1UL<<((bit)&31) & DISABLED_MASK1 )) ||	\
100 
+-	   (((bit)>>5)==2  && (1UL<<((bit)&31) & DISABLED_MASK2 )) ||	\
101 
+-	   (((bit)>>5)==3  && (1UL<<((bit)&31) & DISABLED_MASK3 )) ||	\
102 
+-	   (((bit)>>5)==4  && (1UL<<((bit)&31) & DISABLED_MASK4 )) ||	\
103 
+-	   (((bit)>>5)==5  && (1UL<<((bit)&31) & DISABLED_MASK5 )) ||	\
104 
+-	   (((bit)>>5)==6  && (1UL<<((bit)&31) & DISABLED_MASK6 )) ||	\
105 
+-	   (((bit)>>5)==7  && (1UL<<((bit)&31) & DISABLED_MASK7 )) ||	\
106 
+-	   (((bit)>>5)==8  && (1UL<<((bit)&31) & DISABLED_MASK8 )) ||	\
107 
+-	   (((bit)>>5)==9  && (1UL<<((bit)&31) & DISABLED_MASK9 )) ||	\
108 
+-	   (((bit)>>5)==10 && (1UL<<((bit)&31) & DISABLED_MASK10)) ||	\
109 
+-	   (((bit)>>5)==11 && (1UL<<((bit)&31) & DISABLED_MASK11)) ||	\
110 
+-	   (((bit)>>5)==12 && (1UL<<((bit)&31) & DISABLED_MASK12)) ||	\
111 
+-	   (((bit)>>5)==13 && (1UL<<((bit)&31) & DISABLED_MASK13)) ||	\
112 
+-	   (((bit)>>5)==14 && (1UL<<((bit)&31) & DISABLED_MASK14)) ||	\
113 
+-	   (((bit)>>5)==15 && (1UL<<((bit)&31) & DISABLED_MASK15)) ||	\
114 
+-	   (((bit)>>5)==16 && (1UL<<((bit)&31) & DISABLED_MASK16)) ||	\
115 
+-	   (((bit)>>5)==17 && (1UL<<((bit)&31) & DISABLED_MASK17)) ||	\
116 
+-	   DISABLED_MASK_CHECK					   ||	\
117 
++#define DISABLED_MASK_BIT_SET(feature_bit)				\
118 
++	 ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  0, feature_bit) ||	\
119 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  1, feature_bit) ||	\
120 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  2, feature_bit) ||	\
121 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  3, feature_bit) ||	\
122 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  4, feature_bit) ||	\
123 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  5, feature_bit) ||	\
124 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  6, feature_bit) ||	\
125 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  7, feature_bit) ||	\
126 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  8, feature_bit) ||	\
127 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  9, feature_bit) ||	\
128 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 10, feature_bit) ||	\
129 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 11, feature_bit) ||	\
130 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 12, feature_bit) ||	\
131 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 13, feature_bit) ||	\
132 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 14, feature_bit) ||	\
133 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 15, feature_bit) ||	\
134 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 16, feature_bit) ||	\
135 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 17, feature_bit) ||	\
136 
++	   DISABLED_MASK_CHECK					  ||	\
137 
+ 	   BUILD_BUG_ON_ZERO(NCAPINTS != 18))
138 
+
139 
+ #define cpu_has(c, bit)							\
140 
+--
141 
+2.7.4
142 
+
SPECS/linux/speculative-store-bypass/0024-x86-cpu-Probe-CPUID-leaf-6-even-when-cpuid_level-6.patch
History View file @ 4ab22c2
0 143 
new file mode 100644
... ... 
@@ -0,0 +1,48 @@
0 
+From cbf76bd50764ad6375ce26e9e0ba5c40db8dbf26 Mon Sep 17 00:00:00 2001
1 
+From: Andy Lutomirski <luto@kernel.org>
2 
+Date: Thu, 14 Jun 2018 14:56:12 -0700
3 
+Subject: [PATCH 024/103] x86/cpu: Probe CPUID leaf 6 even when cpuid_level ==
4 
+ 6
5 
+
6 
+commit 3df8d9208569ef0b2313e516566222d745f3b94b upstream.
7 
+
8 
+A typo (or mis-merge?) resulted in leaf 6 only being probed if
9 
+cpuid_level >= 7.
10 
+
11 
+Fixes: 2ccd71f1b278 ("x86/cpufeature: Move some of the scattered feature bits to x86_capability")
12 
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
13 
+Acked-by: Borislav Petkov <bp@alien8.de>
14 
+Cc: Brian Gerst <brgerst@gmail.com>
15 
+Link: http://lkml.kernel.org/r/6ea30c0e9daec21e488b54761881a6dfcf3e04d0.1481825597.git.luto@kernel.org
16 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
17 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
19 
+---
20 
+ arch/x86/kernel/cpu/common.c | 7 ++++---
21 
+ 1 file changed, 4 insertions(+), 3 deletions(-)
22 
+
23 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
24 
+index 814276d..736e284 100644
25 
+--- a/arch/x86/kernel/cpu/common.c
26 
+@@ -686,13 +686,14 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
27 
+ 		c->x86_capability[CPUID_1_EDX] = edx;
28 
+ 	}
29 
+
30 
++	/* Thermal and Power Management Leaf: level 0x00000006 (eax) */
31 
++	if (c->cpuid_level >= 0x00000006)
32 
++		c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006);
33 
++
34 
+ 	/* Additional Intel-defined flags: level 0x00000007 */
35 
+ 	if (c->cpuid_level >= 0x00000007) {
36 
+ 		cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx);
37 
+-
38 
+ 		c->x86_capability[CPUID_7_0_EBX] = ebx;
39 
+-
40 
+-		c->x86_capability[CPUID_6_EAX] = cpuid_eax(0x00000006);
41 
+ 		c->x86_capability[CPUID_7_ECX] = ecx;
42 
+ 	}
43 
+
44 
+--
45 
+2.7.4
46 
+
SPECS/linux/speculative-store-bypass/0025-x86-cpufeatures-Add-CPUID_7_EDX-CPUID-leaf.patch
History View file @ 4ab22c2
0 47 
new file mode 100644
... ... 
@@ -0,0 +1,138 @@
0 
+From ca830609067d0f66b6116d46b006598d13214761 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:12 -0700
3 
+Subject: [PATCH 025/103] x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
4 
+
5 
+(cherry picked from commit 95ca0ee8636059ea2800dfbac9ecac6212d6b38f)
6 
+
7 
+This is a pure feature bits leaf. There are two AVX512 feature bits in it
8 
+already which were handled as scattered bits, and three more from this leaf
9 
+are going to be added for speculation control features.
10 
+
11 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
12 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
13 
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14 
+Reviewed-by: Borislav Petkov <bp@suse.de>
15 
+Cc: gnomes@lxorguk.ukuu.org.uk
16 
+Cc: ak@linux.intel.com
17 
+Cc: ashok.raj@intel.com
18 
+Cc: dave.hansen@intel.com
19 
+Cc: karahmed@amazon.de
20 
+Cc: arjan@linux.intel.com
21 
+Cc: torvalds@linux-foundation.org
22 
+Cc: peterz@infradead.org
23 
+Cc: bp@alien8.de
24 
+Cc: pbonzini@redhat.com
25 
+Cc: tim.c.chen@linux.intel.com
26 
+Cc: gregkh@linux-foundation.org
27 
+Link: https://lkml.kernel.org/r/1516896855-7642-2-git-send-email-dwmw@amazon.co.uk
28 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
29 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
30 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
31 
+---
32 
+ arch/x86/include/asm/cpufeature.h        | 7 +++++--
33 
+ arch/x86/include/asm/cpufeatures.h       | 6 +++++-
34 
+ arch/x86/include/asm/disabled-features.h | 3 ++-
35 
+ arch/x86/include/asm/required-features.h | 3 ++-
36 
+ arch/x86/kernel/cpu/common.c             | 1 +
37 
+ 5 files changed, 15 insertions(+), 5 deletions(-)
38 
+
39 
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
40 
+index dd00898..d72c1db 100644
41 
+--- a/arch/x86/include/asm/cpufeature.h
42 
+@@ -28,6 +28,7 @@ enum cpuid_leafs
43 
+ 	CPUID_8000_000A_EDX,
44 
+ 	CPUID_7_ECX,
45 
+ 	CPUID_8000_0007_EBX,
46 
++	CPUID_7_EDX,
47 
+ };
48 
+
49 
+ #ifdef CONFIG_X86_FEATURE_NAMES
50 
+@@ -78,8 +79,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
51 
+ 	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 15, feature_bit) ||	\
52 
+ 	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 16, feature_bit) ||	\
53 
+ 	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 17, feature_bit) ||	\
54 
++	   CHECK_BIT_IN_MASK_WORD(REQUIRED_MASK, 18, feature_bit) ||	\
55 
+ 	   REQUIRED_MASK_CHECK					  ||	\
56 
+-	   BUILD_BUG_ON_ZERO(NCAPINTS != 18))
57 
++	   BUILD_BUG_ON_ZERO(NCAPINTS != 19))
58 
+
59 
+ #define DISABLED_MASK_BIT_SET(feature_bit)				\
60 
+ 	 ( CHECK_BIT_IN_MASK_WORD(DISABLED_MASK,  0, feature_bit) ||	\
61 
+@@ -100,8 +102,9 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
62 
+ 	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 15, feature_bit) ||	\
63 
+ 	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 16, feature_bit) ||	\
64 
+ 	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 17, feature_bit) ||	\
65 
++	   CHECK_BIT_IN_MASK_WORD(DISABLED_MASK, 18, feature_bit) ||	\
66 
+ 	   DISABLED_MASK_CHECK					  ||	\
67 
+-	   BUILD_BUG_ON_ZERO(NCAPINTS != 18))
68 
++	   BUILD_BUG_ON_ZERO(NCAPINTS != 19))
69 
+
70 
+ #define cpu_has(c, bit)							\
71 
+ 	(__builtin_constant_p(bit) && REQUIRED_MASK_BIT_SET(bit) ? 1 :	\
72 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
73 
+index e133857..f5a8374 100644
74 
+--- a/arch/x86/include/asm/cpufeatures.h
75 
+@@ -12,7 +12,7 @@
76 
+ /*
77 
+  * Defines x86 CPU feature bits
78 
+  */
79 
+-#define NCAPINTS	18	/* N 32-bit words worth of info */
80 
++#define NCAPINTS	19	/* N 32-bit words worth of info */
81 
+ #define NBUGINTS	1	/* N 32-bit bug flags */
82 
+
83 
+ /*
84 
+@@ -285,6 +285,10 @@
85 
+ #define X86_FEATURE_SUCCOR	(17*32+1) /* Uncorrectable error containment and recovery */
86 
+ #define X86_FEATURE_SMCA	(17*32+3) /* Scalable MCA */
87 
+
88 
++/* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
89 
++#define X86_FEATURE_AVX512_4VNNIW	(18*32+ 2) /* AVX-512 Neural Network Instructions */
90 
++#define X86_FEATURE_AVX512_4FMAPS	(18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
91 
++
92 
+ /*
93 
+  * BUG word(s)
94 
+  */
95 
+diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
96 
+index 21c5ac1..1f8cca4 100644
97 
+--- a/arch/x86/include/asm/disabled-features.h
98 
+@@ -59,6 +59,7 @@
99 
+ #define DISABLED_MASK15	0
100 
+ #define DISABLED_MASK16	(DISABLE_PKU|DISABLE_OSPKE)
101 
+ #define DISABLED_MASK17	0
102 
+-#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18)
103 
++#define DISABLED_MASK18	0
104 
++#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19)
105 
+
106 
+ #endif /* _ASM_X86_DISABLED_FEATURES_H */
107 
+diff --git a/arch/x86/include/asm/required-features.h b/arch/x86/include/asm/required-features.h
108 
+index fac9a5c..6847d85 100644
109 
+--- a/arch/x86/include/asm/required-features.h
110 
+@@ -100,6 +100,7 @@
111 
+ #define REQUIRED_MASK15	0
112 
+ #define REQUIRED_MASK16	0
113 
+ #define REQUIRED_MASK17	0
114 
+-#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 18)
115 
++#define REQUIRED_MASK18	0
116 
++#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19)
117 
+
118 
+ #endif /* _ASM_X86_REQUIRED_FEATURES_H */
119 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
120 
+index 736e284..ac7c526 100644
121 
+--- a/arch/x86/kernel/cpu/common.c
122 
+@@ -695,6 +695,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
123 
+ 		cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx);
124 
+ 		c->x86_capability[CPUID_7_0_EBX] = ebx;
125 
+ 		c->x86_capability[CPUID_7_ECX] = ecx;
126 
++		c->x86_capability[CPUID_7_EDX] = edx;
127 
+ 	}
128 
+
129 
+ 	/* Extended state features: level 0x0000000d */
130 
+--
131 
+2.7.4
132 
+
SPECS/linux/speculative-store-bypass/0026-x86-cpufeatures-Add-Intel-feature-bits-for-Speculati.patch
History View file @ 4ab22c2
0 133 
new file mode 100644
... ... 
@@ -0,0 +1,52 @@
0 
+From c7f86b0565e532956c6d24437b55bad1c45f2748 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:13 -0700
3 
+Subject: [PATCH 026/103] x86/cpufeatures: Add Intel feature bits for
4 
+ Speculation Control
5 
+
6 
+(cherry picked from commit fc67dd70adb711a45d2ef34e12d1a8be75edde61)
7 
+
8 
+Add three feature bits exposed by new microcode on Intel CPUs for
9 
+speculation control.
10 
+
11 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
12 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
13 
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14 
+Reviewed-by: Borislav Petkov <bp@suse.de>
15 
+Cc: gnomes@lxorguk.ukuu.org.uk
16 
+Cc: ak@linux.intel.com
17 
+Cc: ashok.raj@intel.com
18 
+Cc: dave.hansen@intel.com
19 
+Cc: karahmed@amazon.de
20 
+Cc: arjan@linux.intel.com
21 
+Cc: torvalds@linux-foundation.org
22 
+Cc: peterz@infradead.org
23 
+Cc: bp@alien8.de
24 
+Cc: pbonzini@redhat.com
25 
+Cc: tim.c.chen@linux.intel.com
26 
+Cc: gregkh@linux-foundation.org
27 
+Link: https://lkml.kernel.org/r/1516896855-7642-3-git-send-email-dwmw@amazon.co.uk
28 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
29 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
30 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
31 
+---
32 
+ arch/x86/include/asm/cpufeatures.h | 3 +++
33 
+ 1 file changed, 3 insertions(+)
34 
+
35 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
36 
+index f5a8374..b32e004 100644
37 
+--- a/arch/x86/include/asm/cpufeatures.h
38 
+@@ -288,6 +288,9 @@
39 
+ /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
40 
+ #define X86_FEATURE_AVX512_4VNNIW	(18*32+ 2) /* AVX-512 Neural Network Instructions */
41 
+ #define X86_FEATURE_AVX512_4FMAPS	(18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
42 
++#define X86_FEATURE_SPEC_CTRL		(18*32+26) /* Speculation Control (IBRS + IBPB) */
43 
++#define X86_FEATURE_STIBP		(18*32+27) /* Single Thread Indirect Branch Predictors */
44 
++#define X86_FEATURE_ARCH_CAPABILITIES	(18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
45 
+
46 
+ /*
47 
+  * BUG word(s)
48 
+--
49 
+2.7.4
50 
+
SPECS/linux/speculative-store-bypass/0027-x86-cpufeatures-Add-AMD-feature-bits-for-Speculation.patch
History View file @ 4ab22c2
0 51 
new file mode 100644
... ... 
@@ -0,0 +1,52 @@
0 
+From 88cf776b248e393c986681f1644ae1de24e10be9 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:14 -0700
3 
+Subject: [PATCH 027/103] x86/cpufeatures: Add AMD feature bits for Speculation
4 
+ Control
5 
+
6 
+(cherry picked from commit 5d10cbc91d9eb5537998b65608441b592eec65e7)
7 
+
8 
+AMD exposes the PRED_CMD/SPEC_CTRL MSRs slightly differently to Intel.
9 
+See http://lkml.kernel.org/r/2b3e25cc-286d-8bd0-aeaf-9ac4aae39de8@amd.com
10 
+
11 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
12 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
13 
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14 
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
15 
+Cc: gnomes@lxorguk.ukuu.org.uk
16 
+Cc: ak@linux.intel.com
17 
+Cc: ashok.raj@intel.com
18 
+Cc: dave.hansen@intel.com
19 
+Cc: karahmed@amazon.de
20 
+Cc: arjan@linux.intel.com
21 
+Cc: torvalds@linux-foundation.org
22 
+Cc: peterz@infradead.org
23 
+Cc: bp@alien8.de
24 
+Cc: pbonzini@redhat.com
25 
+Cc: tim.c.chen@linux.intel.com
26 
+Cc: gregkh@linux-foundation.org
27 
+Link: https://lkml.kernel.org/r/1516896855-7642-4-git-send-email-dwmw@amazon.co.uk
28 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
29 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
30 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
31 
+---
32 
+ arch/x86/include/asm/cpufeatures.h | 3 +++
33 
+ 1 file changed, 3 insertions(+)
34 
+
35 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
36 
+index b32e004..4d061e4 100644
37 
+--- a/arch/x86/include/asm/cpufeatures.h
38 
+@@ -251,6 +251,9 @@
39 
+
40 
+ /* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
41 
+ #define X86_FEATURE_CLZERO	(13*32+0) /* CLZERO instruction */
42 
++#define X86_FEATURE_AMD_PRED_CMD (13*32+12) /* Prediction Command MSR (AMD) */
43 
++#define X86_FEATURE_AMD_SPEC_CTRL (13*32+14) /* Speculation Control MSR only (AMD) */
44 
++#define X86_FEATURE_AMD_STIBP	(13*32+15) /* Single Thread Indirect Branch Predictors (AMD) */
45 
+
46 
+ /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
47 
+ #define X86_FEATURE_DTHERM	(14*32+ 0) /* Digital Thermal Sensor */
48 
+--
49 
+2.7.4
50 
+
SPECS/linux/speculative-store-bypass/0028-x86-msr-Add-definitions-for-new-speculation-control-.patch
History View file @ 4ab22c2
0 51 
new file mode 100644
... ... 
@@ -0,0 +1,68 @@
0 
+From 761cfcd3837aa830595ae4202e00f65857277f86 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:14 -0700
3 
+Subject: [PATCH 028/103] x86/msr: Add definitions for new speculation control
4 
+ MSRs
5 
+
6 
+(cherry picked from commit 1e340c60d0dd3ae07b5bedc16a0469c14b9f3410)
7 
+
8 
+Add MSR and bit definitions for SPEC_CTRL, PRED_CMD and ARCH_CAPABILITIES.
9 
+
10 
+See Intel's 336996-Speculative-Execution-Side-Channel-Mitigations.pdf
11 
+
12 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
13 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
14 
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
15 
+Cc: gnomes@lxorguk.ukuu.org.uk
16 
+Cc: ak@linux.intel.com
17 
+Cc: ashok.raj@intel.com
18 
+Cc: dave.hansen@intel.com
19 
+Cc: karahmed@amazon.de
20 
+Cc: arjan@linux.intel.com
21 
+Cc: torvalds@linux-foundation.org
22 
+Cc: peterz@infradead.org
23 
+Cc: bp@alien8.de
24 
+Cc: pbonzini@redhat.com
25 
+Cc: tim.c.chen@linux.intel.com
26 
+Cc: gregkh@linux-foundation.org
27 
+Link: https://lkml.kernel.org/r/1516896855-7642-5-git-send-email-dwmw@amazon.co.uk
28 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
29 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
30 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
31 
+---
32 
+ arch/x86/include/asm/msr-index.h | 12 ++++++++++++
33 
+ 1 file changed, 12 insertions(+)
34 
+
35 
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
36 
+index b8911ae..f4701f0 100644
37 
+--- a/arch/x86/include/asm/msr-index.h
38 
+@@ -32,6 +32,13 @@
39 
+ #define EFER_FFXSR		(1<<_EFER_FFXSR)
40 
+
41 
+ /* Intel MSRs. Some also available on other CPUs */
42 
++#define MSR_IA32_SPEC_CTRL		0x00000048 /* Speculation Control */
43 
++#define SPEC_CTRL_IBRS			(1 << 0)   /* Indirect Branch Restricted Speculation */
44 
++#define SPEC_CTRL_STIBP			(1 << 1)   /* Single Thread Indirect Branch Predictors */
45 
++
46 
++#define MSR_IA32_PRED_CMD		0x00000049 /* Prediction Command */
47 
++#define PRED_CMD_IBPB			(1 << 0)   /* Indirect Branch Prediction Barrier */
48 
++
49 
+ #define MSR_IA32_PERFCTR0		0x000000c1
50 
+ #define MSR_IA32_PERFCTR1		0x000000c2
51 
+ #define MSR_FSB_FREQ			0x000000cd
52 
+@@ -45,6 +52,11 @@
53 
+ #define SNB_C3_AUTO_UNDEMOTE		(1UL << 28)
54 
+
55 
+ #define MSR_MTRRcap			0x000000fe
56 
++
57 
++#define MSR_IA32_ARCH_CAPABILITIES	0x0000010a
58 
++#define ARCH_CAP_RDCL_NO		(1 << 0)   /* Not susceptible to Meltdown */
59 
++#define ARCH_CAP_IBRS_ALL		(1 << 1)   /* Enhanced IBRS support */
60 
++
61 
+ #define MSR_IA32_BBL_CR_CTL		0x00000119
62 
+ #define MSR_IA32_BBL_CR_CTL3		0x0000011e
63 
+
64 
+--
65 
+2.7.4
66 
+
SPECS/linux/speculative-store-bypass/0029-x86-pti-Do-not-enable-PTI-on-CPUs-which-are-not-vuln.patch
History View file @ 4ab22c2
0 67 
new file mode 100644
... ... 
@@ -0,0 +1,117 @@
0 
+From 6b0aa77ce752ddbea7beaa5b365deda38b7a9946 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:15 -0700
3 
+Subject: [PATCH 029/103] x86/pti: Do not enable PTI on CPUs which are not
4 
+ vulnerable to Meltdown
5 
+
6 
+(cherry picked from commit fec9434a12f38d3aeafeb75711b71d8a1fdef621)
7 
+
8 
+Also, for CPUs which don't speculate at all, don't report that they're
9 
+vulnerable to the Spectre variants either.
10 
+
11 
+Leave the cpu_no_meltdown[] match table with just X86_VENDOR_AMD in it
12 
+for now, even though that could be done with a simple comparison, on the
13 
+assumption that we'll have more to add.
14 
+
15 
+Based on suggestions from Dave Hansen and Alan Cox.
16 
+
17 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
18 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
19 
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
20 
+Reviewed-by: Borislav Petkov <bp@suse.de>
21 
+Acked-by: Dave Hansen <dave.hansen@intel.com>
22 
+Cc: gnomes@lxorguk.ukuu.org.uk
23 
+Cc: ak@linux.intel.com
24 
+Cc: ashok.raj@intel.com
25 
+Cc: karahmed@amazon.de
26 
+Cc: arjan@linux.intel.com
27 
+Cc: torvalds@linux-foundation.org
28 
+Cc: peterz@infradead.org
29 
+Cc: bp@alien8.de
30 
+Cc: pbonzini@redhat.com
31 
+Cc: tim.c.chen@linux.intel.com
32 
+Cc: gregkh@linux-foundation.org
33 
+Link: https://lkml.kernel.org/r/1516896855-7642-6-git-send-email-dwmw@amazon.co.uk
34 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
35 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
36 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
37 
+---
38 
+ arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++++++++++++++++++++++++-----
39 
+ 1 file changed, 43 insertions(+), 5 deletions(-)
40 
+
41 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
42 
+index ac7c526..d6c097c 100644
43 
+--- a/arch/x86/kernel/cpu/common.c
44 
+@@ -43,6 +43,8 @@
45 
+ #include <asm/pat.h>
46 
+ #include <asm/microcode.h>
47 
+ #include <asm/microcode_intel.h>
48 
++#include <asm/intel-family.h>
49 
++#include <asm/cpu_device_id.h>
50 
+
51 
+ #ifdef CONFIG_X86_LOCAL_APIC
52 
+ #include <asm/uv/uv.h>
53 
+@@ -794,6 +796,41 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
54 
+ #endif
55 
+ }
56 
+
57 
++static const __initdata struct x86_cpu_id cpu_no_speculation[] = {
58 
++	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_CEDARVIEW,	X86_FEATURE_ANY },
59 
++	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_CLOVERVIEW,	X86_FEATURE_ANY },
60 
++	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_LINCROFT,	X86_FEATURE_ANY },
61 
++	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_PENWELL,	X86_FEATURE_ANY },
62 
++	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_PINEVIEW,	X86_FEATURE_ANY },
63 
++	{ X86_VENDOR_CENTAUR,	5 },
64 
++	{ X86_VENDOR_INTEL,	5 },
65 
++	{ X86_VENDOR_NSC,	5 },
66 
++	{ X86_VENDOR_ANY,	4 },
67 
++	{}
68 
++};
69 
++
70 
++static const __initdata struct x86_cpu_id cpu_no_meltdown[] = {
71 
++	{ X86_VENDOR_AMD },
72 
++	{}
73 
++};
74 
++
75 
++static bool __init cpu_vulnerable_to_meltdown(struct cpuinfo_x86 *c)
76 
++{
77 
++	u64 ia32_cap = 0;
78 
++
79 
++	if (x86_match_cpu(cpu_no_meltdown))
80 
++		return false;
81 
++
82 
++	if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
83 
++		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
84 
++
85 
++	/* Rogue Data Cache Load? No! */
86 
++	if (ia32_cap & ARCH_CAP_RDCL_NO)
87 
++		return false;
88 
++
89 
++	return true;
90 
++}
91 
++
92 
+ /*
93 
+  * Do minimum CPU detection early.
94 
+  * Fields really needed: vendor, cpuid_level, family, model, mask,
95 
+@@ -840,11 +877,12 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
96 
+
97 
+ 	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
98 
+
99 
+-	if (c->x86_vendor != X86_VENDOR_AMD)
100 
+-		setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
101 
+-
102 
+-	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
103 
+-	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
104 
++	if (!x86_match_cpu(cpu_no_speculation)) {
105 
++		if (cpu_vulnerable_to_meltdown(c))
106 
++			setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
107 
++		setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
108 
++		setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
109 
++	}
110 
+
111 
+ 	fpu__init_system(c);
112 
+
113 
+--
114 
+2.7.4
115 
+
SPECS/linux/speculative-store-bypass/0030-x86-cpufeature-Blacklist-SPEC_CTRL-PRED_CMD-on-early.patch
History View file @ 4ab22c2
0 116 
new file mode 100644
... ... 
@@ -0,0 +1,178 @@
0 
+From 425757ee8ca54dbe3dbc8180edd806a0d016be4a Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:15 -0700
3 
+Subject: [PATCH 030/103] x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early
4 
+ Spectre v2 microcodes
5 
+
6 
+(cherry picked from commit a5b2966364538a0e68c9fa29bc0a3a1651799035)
7 
+
8 
+This doesn't refuse to load the affected microcodes; it just refuses to
9 
+use the Spectre v2 mitigation features if they're detected, by clearing
10 
+the appropriate feature bits.
11 
+
12 
+The AMD CPUID bits are handled here too, because hypervisors *may* have
13 
+been exposing those bits even on Intel chips, for fine-grained control
14 
+of what's available.
15 
+
16 
+It is non-trivial to use x86_match_cpu() for this table because that
17 
+doesn't handle steppings. And the approach taken in commit bd9240a18
18 
+almost made me lose my lunch.
19 
+
20 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
21 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
22 
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
23 
+Cc: gnomes@lxorguk.ukuu.org.uk
24 
+Cc: ak@linux.intel.com
25 
+Cc: ashok.raj@intel.com
26 
+Cc: dave.hansen@intel.com
27 
+Cc: karahmed@amazon.de
28 
+Cc: arjan@linux.intel.com
29 
+Cc: torvalds@linux-foundation.org
30 
+Cc: peterz@infradead.org
31 
+Cc: bp@alien8.de
32 
+Cc: pbonzini@redhat.com
33 
+Cc: tim.c.chen@linux.intel.com
34 
+Cc: gregkh@linux-foundation.org
35 
+Link: https://lkml.kernel.org/r/1516896855-7642-7-git-send-email-dwmw@amazon.co.uk
36 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
37 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
38 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
39 
+---
40 
+ arch/x86/include/asm/intel-family.h |  5 ++-
41 
+ arch/x86/kernel/cpu/intel.c         | 67 +++++++++++++++++++++++++++++++++++++
42 
+ 2 files changed, 71 insertions(+), 1 deletion(-)
43 
+
44 
+diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
45 
+index 6999f7d..12fa187 100644
46 
+--- a/arch/x86/include/asm/intel-family.h
47 
+@@ -12,6 +12,7 @@
48 
+  */
49 
+
50 
+ #define INTEL_FAM6_CORE_YONAH		0x0E
51 
++
52 
+ #define INTEL_FAM6_CORE2_MEROM		0x0F
53 
+ #define INTEL_FAM6_CORE2_MEROM_L	0x16
54 
+ #define INTEL_FAM6_CORE2_PENRYN		0x17
55 
+@@ -20,6 +21,7 @@
56 
+ #define INTEL_FAM6_NEHALEM		0x1E
57 
+ #define INTEL_FAM6_NEHALEM_EP		0x1A
58 
+ #define INTEL_FAM6_NEHALEM_EX		0x2E
59 
++
60 
+ #define INTEL_FAM6_WESTMERE		0x25
61 
+ #define INTEL_FAM6_WESTMERE2		0x1F
62 
+ #define INTEL_FAM6_WESTMERE_EP		0x2C
63 
+@@ -36,9 +38,9 @@
64 
+ #define INTEL_FAM6_HASWELL_GT3E		0x46
65 
+
66 
+ #define INTEL_FAM6_BROADWELL_CORE	0x3D
67 
+-#define INTEL_FAM6_BROADWELL_XEON_D	0x56
68 
+ #define INTEL_FAM6_BROADWELL_GT3E	0x47
69 
+ #define INTEL_FAM6_BROADWELL_X		0x4F
70 
++#define INTEL_FAM6_BROADWELL_XEON_D	0x56
71 
+
72 
+ #define INTEL_FAM6_SKYLAKE_MOBILE	0x4E
73 
+ #define INTEL_FAM6_SKYLAKE_DESKTOP	0x5E
74 
+@@ -60,6 +62,7 @@
75 
+ #define INTEL_FAM6_ATOM_MERRIFIELD2	0x5A /* Annidale */
76 
+ #define INTEL_FAM6_ATOM_GOLDMONT	0x5C
77 
+ #define INTEL_FAM6_ATOM_DENVERTON	0x5F /* Goldmont Microserver */
78 
++#define INTEL_FAM6_ATOM_GEMINI_LAKE	0x7A
79 
+
80 
+ /* Xeon Phi */
81 
+
82 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
83 
+index 9299e3b..23ba9cc 100644
84 
+--- a/arch/x86/kernel/cpu/intel.c
85 
+@@ -13,6 +13,7 @@
86 
+ #include <asm/msr.h>
87 
+ #include <asm/bugs.h>
88 
+ #include <asm/cpu.h>
89 
++#include <asm/intel-family.h>
90 
+
91 
+ #ifdef CONFIG_X86_64
92 
+ #include <linux/topology.h>
93 
+@@ -25,6 +26,59 @@
94 
+ #include <asm/apic.h>
95 
+ #endif
96 
+
97 
++/*
98 
++ * Early microcode releases for the Spectre v2 mitigation were broken.
99 
++ * Information taken from;
100 
++ * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf
101 
++ * - https://kb.vmware.com/s/article/52345
102 
++ * - Microcode revisions observed in the wild
103 
++ * - Release note from 20180108 microcode release
104 
++ */
105 
++struct sku_microcode {
106 
++	u8 model;
107 
++	u8 stepping;
108 
++	u32 microcode;
109 
++};
110 
++static const struct sku_microcode spectre_bad_microcodes[] = {
111 
++	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0B,	0x84 },
112 
++	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0A,	0x84 },
113 
++	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x09,	0x84 },
114 
++	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x0A,	0x84 },
115 
++	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x09,	0x84 },
116 
++	{ INTEL_FAM6_SKYLAKE_X,		0x03,	0x0100013e },
117 
++	{ INTEL_FAM6_SKYLAKE_X,		0x04,	0x0200003c },
118 
++	{ INTEL_FAM6_SKYLAKE_MOBILE,	0x03,	0xc2 },
119 
++	{ INTEL_FAM6_SKYLAKE_DESKTOP,	0x03,	0xc2 },
120 
++	{ INTEL_FAM6_BROADWELL_CORE,	0x04,	0x28 },
121 
++	{ INTEL_FAM6_BROADWELL_GT3E,	0x01,	0x1b },
122 
++	{ INTEL_FAM6_BROADWELL_XEON_D,	0x02,	0x14 },
123 
++	{ INTEL_FAM6_BROADWELL_XEON_D,	0x03,	0x07000011 },
124 
++	{ INTEL_FAM6_BROADWELL_X,	0x01,	0x0b000025 },
125 
++	{ INTEL_FAM6_HASWELL_ULT,	0x01,	0x21 },
126 
++	{ INTEL_FAM6_HASWELL_GT3E,	0x01,	0x18 },
127 
++	{ INTEL_FAM6_HASWELL_CORE,	0x03,	0x23 },
128 
++	{ INTEL_FAM6_HASWELL_X,		0x02,	0x3b },
129 
++	{ INTEL_FAM6_HASWELL_X,		0x04,	0x10 },
130 
++	{ INTEL_FAM6_IVYBRIDGE_X,	0x04,	0x42a },
131 
++	/* Updated in the 20180108 release; blacklist until we know otherwise */
132 
++	{ INTEL_FAM6_ATOM_GEMINI_LAKE,	0x01,	0x22 },
133 
++	/* Observed in the wild */
134 
++	{ INTEL_FAM6_SANDYBRIDGE_X,	0x06,	0x61b },
135 
++	{ INTEL_FAM6_SANDYBRIDGE_X,	0x07,	0x712 },
136 
++};
137 
++
138 
++static bool bad_spectre_microcode(struct cpuinfo_x86 *c)
139 
++{
140 
++	int i;
141 
++
142 
++	for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
143 
++		if (c->x86_model == spectre_bad_microcodes[i].model &&
144 
++		    c->x86_mask == spectre_bad_microcodes[i].stepping)
145 
++			return (c->microcode <= spectre_bad_microcodes[i].microcode);
146 
++	}
147 
++	return false;
148 
++}
149 
++
150 
+ static void early_init_intel(struct cpuinfo_x86 *c)
151 
+ {
152 
+ 	u64 misc_enable;
153 
+@@ -51,6 +105,19 @@ static void early_init_intel(struct cpuinfo_x86 *c)
154 
+ 		rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode);
155 
+ 	}
156 
+
157 
++	if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
158 
++	     cpu_has(c, X86_FEATURE_STIBP) ||
159 
++	     cpu_has(c, X86_FEATURE_AMD_SPEC_CTRL) ||
160 
++	     cpu_has(c, X86_FEATURE_AMD_PRED_CMD) ||
161 
++	     cpu_has(c, X86_FEATURE_AMD_STIBP)) && bad_spectre_microcode(c)) {
162 
++		pr_warn("Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL\n");
163 
++		clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
164 
++		clear_cpu_cap(c, X86_FEATURE_STIBP);
165 
++		clear_cpu_cap(c, X86_FEATURE_AMD_SPEC_CTRL);
166 
++		clear_cpu_cap(c, X86_FEATURE_AMD_PRED_CMD);
167 
++		clear_cpu_cap(c, X86_FEATURE_AMD_STIBP);
168 
++	}
169 
++
170 
+ 	/*
171 
+ 	 * Atom erratum AAE44/AAF40/AAG38/AAH41:
172 
+ 	 *
173 
+--
174 
+2.7.4
175 
+
SPECS/linux/speculative-store-bypass/0031-x86-speculation-Add-basic-IBPB-Indirect-Branch-Predi.patch
History View file @ 4ab22c2
0 176 
new file mode 100644
... ... 
@@ -0,0 +1,104 @@
0 
+From d32de180fc8343dec1653245d184e71d1f35092b Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:16 -0700
3 
+Subject: [PATCH 031/103] x86/speculation: Add basic IBPB (Indirect Branch
4 
+ Prediction Barrier) support
5 
+
6 
+(cherry picked from commit 20ffa1caecca4db8f79fe665acdeaa5af815a24d)
7 
+
8 
+Expose indirect_branch_prediction_barrier() for use in subsequent patches.
9 
+
10 
+[ tglx: Add IBPB status to spectre_v2 sysfs file ]
11 
+
12 
+Co-developed-by: KarimAllah Ahmed <karahmed@amazon.de>
13 
+Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
14 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
15 
+Cc: gnomes@lxorguk.ukuu.org.uk
16 
+Cc: ak@linux.intel.com
17 
+Cc: ashok.raj@intel.com
18 
+Cc: dave.hansen@intel.com
19 
+Cc: arjan@linux.intel.com
20 
+Cc: torvalds@linux-foundation.org
21 
+Cc: peterz@infradead.org
22 
+Cc: bp@alien8.de
23 
+Cc: pbonzini@redhat.com
24 
+Cc: tim.c.chen@linux.intel.com
25 
+Cc: gregkh@linux-foundation.org
26 
+Link: https://lkml.kernel.org/r/1516896855-7642-8-git-send-email-dwmw@amazon.co.uk
27 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
28 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
29 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
30 
+---
31 
+ arch/x86/include/asm/cpufeatures.h   |  2 ++
32 
+ arch/x86/include/asm/nospec-branch.h | 13 +++++++++++++
33 
+ arch/x86/kernel/cpu/bugs.c           | 10 +++++++++-
34 
+ 3 files changed, 24 insertions(+), 1 deletion(-)
35 
+
36 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
37 
+index 4d061e4..1b9d5c5 100644
38 
+--- a/arch/x86/include/asm/cpufeatures.h
39 
+@@ -201,6 +201,8 @@
40 
+ /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
41 
+ #define X86_FEATURE_KAISER	( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
42 
+
43 
++#define X86_FEATURE_IBPB		( 7*32+21) /* Indirect Branch Prediction Barrier enabled*/
44 
++
45 
+ /* Virtualization flags: Linux defined, word 8 */
46 
+ #define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
47 
+ #define X86_FEATURE_VNMI        ( 8*32+ 1) /* Intel Virtual NMI */
48 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
49 
+index 8b91041..41851af 100644
50 
+--- a/arch/x86/include/asm/nospec-branch.h
51 
+@@ -194,6 +194,19 @@ static inline void vmexit_fill_RSB(void)
52 
+ #endif
53 
+ }
54 
+
55 
++static inline void indirect_branch_prediction_barrier(void)
56 
++{
57 
++	asm volatile(ALTERNATIVE("",
58 
++				 "movl %[msr], %%ecx\n\t"
59 
++				 "movl %[val], %%eax\n\t"
60 
++				 "movl $0, %%edx\n\t"
61 
++				 "wrmsr",
62 
++				 X86_FEATURE_IBPB)
63 
++		     : : [msr] "i" (MSR_IA32_PRED_CMD),
64 
++			 [val] "i" (PRED_CMD_IBPB)
65 
++		     : "eax", "ecx", "edx", "memory");
66 
++}
67 
++
68 
+ #endif /* __ASSEMBLY__ */
69 
+
70 
+ /*
71 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
72 
+index 2bbc74f..7def33a 100644
73 
+--- a/arch/x86/kernel/cpu/bugs.c
74 
+@@ -296,6 +296,13 @@ retpoline_auto:
75 
+ 		setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
76 
+ 		pr_info("Filling RSB on context switch\n");
77 
+ 	}
78 
++
79 
++	/* Initialize Indirect Branch Prediction Barrier if supported */
80 
++	if (boot_cpu_has(X86_FEATURE_SPEC_CTRL) ||
81 
++	    boot_cpu_has(X86_FEATURE_AMD_PRED_CMD)) {
82 
++		setup_force_cpu_cap(X86_FEATURE_IBPB);
83 
++		pr_info("Enabling Indirect Branch Prediction Barrier\n");
84 
++	}
85 
+ }
86 
+
87 
+ #undef pr_fmt
88 
+@@ -325,7 +332,8 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
89 
+ 	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
90 
+ 		return sprintf(buf, "Not affected\n");
91 
+
92 
+-	return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled],
93 
++	return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
94 
++		       boot_cpu_has(X86_FEATURE_IBPB) ? ", IBPB" : "",
95 
+ 		       spectre_v2_module_string());
96 
+ }
97 
+ #endif
98 
+--
99 
+2.7.4
100 
+
SPECS/linux/speculative-store-bypass/0032-x86-cpufeatures-Clean-up-Spectre-v2-related-CPUID-fl.patch
History View file @ 4ab22c2
0 101 
new file mode 100644
... ... 
@@ -0,0 +1,181 @@
0 
+From f3823438ee44925115bd3fbe13b8e5be34ebd6f7 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:16 -0700
3 
+Subject: [PATCH 032/103] x86/cpufeatures: Clean up Spectre v2 related CPUID
4 
+ flags
5 
+
6 
+(cherry picked from commit 2961298efe1ea1b6fc0d7ee8b76018fa6c0bcef2)
7 
+
8 
+We want to expose the hardware features simply in /proc/cpuinfo as "ibrs",
9 
+"ibpb" and "stibp". Since AMD has separate CPUID bits for those, use them
10 
+as the user-visible bits.
11 
+
12 
+When the Intel SPEC_CTRL bit is set which indicates both IBRS and IBPB
13 
+capability, set those (AMD) bits accordingly. Likewise if the Intel STIBP
14 
+bit is set, set the AMD STIBP that's used for the generic hardware
15 
+capability.
16 
+
17 
+Hide the rest from /proc/cpuinfo by putting "" in the comments. Including
18 
+RETPOLINE and RETPOLINE_AMD which shouldn't be visible there. There are
19 
+patches to make the sysfs vulnerabilities information non-readable by
20 
+non-root, and the same should apply to all information about which
21 
+mitigations are actually in use. Those *shouldn't* appear in /proc/cpuinfo.
22 
+
23 
+The feature bit for whether IBPB is actually used, which is needed for
24 
+ALTERNATIVEs, is renamed to X86_FEATURE_USE_IBPB.
25 
+
26 
+Originally-by: Borislav Petkov <bp@suse.de>
27 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
28 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
29 
+Cc: ak@linux.intel.com
30 
+Cc: dave.hansen@intel.com
31 
+Cc: karahmed@amazon.de
32 
+Cc: arjan@linux.intel.com
33 
+Cc: torvalds@linux-foundation.org
34 
+Cc: peterz@infradead.org
35 
+Cc: bp@alien8.de
36 
+Cc: pbonzini@redhat.com
37 
+Cc: tim.c.chen@linux.intel.com
38 
+Cc: gregkh@linux-foundation.org
39 
+Link: https://lkml.kernel.org/r/1517070274-12128-2-git-send-email-dwmw@amazon.co.uk
40 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
41 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
42 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
43 
+---
44 
+ arch/x86/include/asm/cpufeatures.h   | 18 +++++++++---------
45 
+ arch/x86/include/asm/nospec-branch.h |  2 +-
46 
+ arch/x86/kernel/cpu/bugs.c           |  7 +++----
47 
+ arch/x86/kernel/cpu/intel.c          | 31 +++++++++++++++++++++----------
48 
+ 4 files changed, 34 insertions(+), 24 deletions(-)
49 
+
50 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
51 
+index 1b9d5c5..cb40c83 100644
52 
+--- a/arch/x86/include/asm/cpufeatures.h
53 
+@@ -194,14 +194,14 @@
54 
+ #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
55 
+
56 
+ #define X86_FEATURE_INTEL_PT	( 7*32+15) /* Intel Processor Trace */
57 
+-#define X86_FEATURE_RSB_CTXSW	( 7*32+19) /* Fill RSB on context switches */
58 
++#define X86_FEATURE_RSB_CTXSW	( 7*32+19) /* "" Fill RSB on context switches */
59 
+
60 
+-#define X86_FEATURE_RETPOLINE	( 7*32+29) /* Generic Retpoline mitigation for Spectre variant 2 */
61 
+-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* AMD Retpoline mitigation for Spectre variant 2 */
62 
++#define X86_FEATURE_RETPOLINE	( 7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */
63 
++#define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
64 
+ /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
65 
+ #define X86_FEATURE_KAISER	( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
66 
+
67 
+-#define X86_FEATURE_IBPB		( 7*32+21) /* Indirect Branch Prediction Barrier enabled*/
68 
++#define X86_FEATURE_USE_IBPB	( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/
69 
+
70 
+ /* Virtualization flags: Linux defined, word 8 */
71 
+ #define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
72 
+@@ -253,9 +253,9 @@
73 
+
74 
+ /* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
75 
+ #define X86_FEATURE_CLZERO	(13*32+0) /* CLZERO instruction */
76 
+-#define X86_FEATURE_AMD_PRED_CMD (13*32+12) /* Prediction Command MSR (AMD) */
77 
+-#define X86_FEATURE_AMD_SPEC_CTRL (13*32+14) /* Speculation Control MSR only (AMD) */
78 
+-#define X86_FEATURE_AMD_STIBP	(13*32+15) /* Single Thread Indirect Branch Predictors (AMD) */
79 
++#define X86_FEATURE_IBPB	(13*32+12) /* Indirect Branch Prediction Barrier */
80 
++#define X86_FEATURE_IBRS	(13*32+14) /* Indirect Branch Restricted Speculation */
81 
++#define X86_FEATURE_STIBP	(13*32+15) /* Single Thread Indirect Branch Predictors */
82 
+
83 
+ /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
84 
+ #define X86_FEATURE_DTHERM	(14*32+ 0) /* Digital Thermal Sensor */
85 
+@@ -293,8 +293,8 @@
86 
+ /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
87 
+ #define X86_FEATURE_AVX512_4VNNIW	(18*32+ 2) /* AVX-512 Neural Network Instructions */
88 
+ #define X86_FEATURE_AVX512_4FMAPS	(18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
89 
+-#define X86_FEATURE_SPEC_CTRL		(18*32+26) /* Speculation Control (IBRS + IBPB) */
90 
+-#define X86_FEATURE_STIBP		(18*32+27) /* Single Thread Indirect Branch Predictors */
91 
++#define X86_FEATURE_SPEC_CTRL		(18*32+26) /* "" Speculation Control (IBRS + IBPB) */
92 
++#define X86_FEATURE_INTEL_STIBP		(18*32+27) /* "" Single Thread Indirect Branch Predictors */
93 
+ #define X86_FEATURE_ARCH_CAPABILITIES	(18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
94 
+
95 
+ /*
96 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
97 
+index 41851af..8dcecb9 100644
98 
+--- a/arch/x86/include/asm/nospec-branch.h
99 
+@@ -201,7 +201,7 @@ static inline void indirect_branch_prediction_barrier(void)
100 
+ 				 "movl %[val], %%eax\n\t"
101 
+ 				 "movl $0, %%edx\n\t"
102 
+ 				 "wrmsr",
103 
+-				 X86_FEATURE_IBPB)
104 
++				 X86_FEATURE_USE_IBPB)
105 
+ 		     : : [msr] "i" (MSR_IA32_PRED_CMD),
106 
+ 			 [val] "i" (PRED_CMD_IBPB)
107 
+ 		     : "eax", "ecx", "edx", "memory");
108 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
109 
+index 7def33a..1968baf 100644
110 
+--- a/arch/x86/kernel/cpu/bugs.c
111 
+@@ -298,9 +298,8 @@ retpoline_auto:
112 
+ 	}
113 
+
114 
+ 	/* Initialize Indirect Branch Prediction Barrier if supported */
115 
+-	if (boot_cpu_has(X86_FEATURE_SPEC_CTRL) ||
116 
+-	    boot_cpu_has(X86_FEATURE_AMD_PRED_CMD)) {
117 
+-		setup_force_cpu_cap(X86_FEATURE_IBPB);
118 
++	if (boot_cpu_has(X86_FEATURE_IBPB)) {
119 
++		setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
120 
+ 		pr_info("Enabling Indirect Branch Prediction Barrier\n");
121 
+ 	}
122 
+ }
123 
+@@ -333,7 +332,7 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
124 
+ 		return sprintf(buf, "Not affected\n");
125 
+
126 
+ 	return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
127 
+-		       boot_cpu_has(X86_FEATURE_IBPB) ? ", IBPB" : "",
128 
++		       boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
129 
+ 		       spectre_v2_module_string());
130 
+ }
131 
+ #endif
132 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
133 
+index 23ba9cc..fee94ee 100644
134 
+--- a/arch/x86/kernel/cpu/intel.c
135 
+@@ -105,17 +105,28 @@ static void early_init_intel(struct cpuinfo_x86 *c)
136 
+ 		rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode);
137 
+ 	}
138 
+
139 
+-	if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
140 
+-	     cpu_has(c, X86_FEATURE_STIBP) ||
141 
+-	     cpu_has(c, X86_FEATURE_AMD_SPEC_CTRL) ||
142 
+-	     cpu_has(c, X86_FEATURE_AMD_PRED_CMD) ||
143 
+-	     cpu_has(c, X86_FEATURE_AMD_STIBP)) && bad_spectre_microcode(c)) {
144 
+-		pr_warn("Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL\n");
145 
+-		clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
146 
++	/*
147 
++	 * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support,
148 
++	 * and they also have a different bit for STIBP support. Also,
149 
++	 * a hypervisor might have set the individual AMD bits even on
150 
++	 * Intel CPUs, for finer-grained selection of what's available.
151 
++	 */
152 
++	if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
153 
++		set_cpu_cap(c, X86_FEATURE_IBRS);
154 
++		set_cpu_cap(c, X86_FEATURE_IBPB);
155 
++	}
156 
++	if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
157 
++		set_cpu_cap(c, X86_FEATURE_STIBP);
158 
++
159 
++	/* Now if any of them are set, check the blacklist and clear the lot */
160 
++	if ((cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) ||
161 
++	     cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) {
162 
++		pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n");
163 
++		clear_cpu_cap(c, X86_FEATURE_IBRS);
164 
++		clear_cpu_cap(c, X86_FEATURE_IBPB);
165 
+ 		clear_cpu_cap(c, X86_FEATURE_STIBP);
166 
+-		clear_cpu_cap(c, X86_FEATURE_AMD_SPEC_CTRL);
167 
+-		clear_cpu_cap(c, X86_FEATURE_AMD_PRED_CMD);
168 
+-		clear_cpu_cap(c, X86_FEATURE_AMD_STIBP);
169 
++		clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
170 
++		clear_cpu_cap(c, X86_FEATURE_INTEL_STIBP);
171 
+ 	}
172 
+
173 
+ 	/*
174 
+--
175 
+2.7.4
176 
+
SPECS/linux/speculative-store-bypass/0033-x86-cpuid-Fix-up-virtual-IBRS-IBPB-STIBP-feature-bit.patch
History View file @ 4ab22c2
0 177 
new file mode 100644
... ... 
@@ -0,0 +1,128 @@
0 
+From f30617fe7eab46dd75aeeffc5f76c5fd159ff985 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:17 -0700
3 
+Subject: [PATCH 033/103] x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature
4 
+ bits on Intel
5 
+
6 
+(cherry picked from commit 7fcae1118f5fd44a862aa5c3525248e35ee67c3b)
7 
+
8 
+Despite the fact that all the other code there seems to be doing it, just
9 
+using set_cpu_cap() in early_intel_init() doesn't actually work.
10 
+
11 
+For CPUs with PKU support, setup_pku() calls get_cpu_cap() after
12 
+c->c_init() has set those feature bits. That resets those bits back to what
13 
+was queried from the hardware.
14 
+
15 
+Turning the bits off for bad microcode is easy to fix. That can just use
16 
+setup_clear_cpu_cap() to force them off for all CPUs.
17 
+
18 
+I was less keen on forcing the feature bits *on* that way, just in case
19 
+of inconsistencies. I appreciate that the kernel is going to get this
20 
+utterly wrong if CPU features are not consistent, because it has already
21 
+applied alternatives by the time secondary CPUs are brought up.
22 
+
23 
+But at least if setup_force_cpu_cap() isn't being used, we might have a
24 
+chance of *detecting* the lack of the corresponding bit and either
25 
+panicking or refusing to bring the offending CPU online.
26 
+
27 
+So ensure that the appropriate feature bits are set within get_cpu_cap()
28 
+regardless of how many extra times it's called.
29 
+
30 
+Fixes: 2961298e ("x86/cpufeatures: Clean up Spectre v2 related CPUID flags")
31 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
32 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
33 
+Cc: karahmed@amazon.de
34 
+Cc: peterz@infradead.org
35 
+Cc: bp@alien8.de
36 
+Link: https://lkml.kernel.org/r/1517322623-15261-1-git-send-email-dwmw@amazon.co.uk
37 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
38 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
39 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
40 
+---
41 
+ arch/x86/kernel/cpu/common.c | 21 +++++++++++++++++++++
42 
+ arch/x86/kernel/cpu/intel.c  | 27 ++++++++-------------------
43 
+ 2 files changed, 29 insertions(+), 19 deletions(-)
44 
+
45 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
46 
+index d6c097c..72d7e5a 100644
47 
+--- a/arch/x86/kernel/cpu/common.c
48 
+@@ -676,6 +676,26 @@ static void apply_forced_caps(struct cpuinfo_x86 *c)
49 
+ 	}
50 
+ }
51 
+
52 
++static void init_speculation_control(struct cpuinfo_x86 *c)
53 
++{
54 
++	/*
55 
++	 * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support,
56 
++	 * and they also have a different bit for STIBP support. Also,
57 
++	 * a hypervisor might have set the individual AMD bits even on
58 
++	 * Intel CPUs, for finer-grained selection of what's available.
59 
++	 *
60 
++	 * We use the AMD bits in 0x8000_0008 EBX as the generic hardware
61 
++	 * features, which are visible in /proc/cpuinfo and used by the
62 
++	 * kernel. So set those accordingly from the Intel bits.
63 
++	 */
64 
++	if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
65 
++		set_cpu_cap(c, X86_FEATURE_IBRS);
66 
++		set_cpu_cap(c, X86_FEATURE_IBPB);
67 
++	}
68 
++	if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
69 
++		set_cpu_cap(c, X86_FEATURE_STIBP);
70 
++}
71 
++
72 
+ void get_cpu_cap(struct cpuinfo_x86 *c)
73 
+ {
74 
+ 	u32 eax, ebx, ecx, edx;
75 
+@@ -768,6 +788,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
76 
+ 		c->x86_capability[CPUID_8000_000A_EDX] = cpuid_edx(0x8000000a);
77 
+
78 
+ 	init_scattered_cpuid_features(c);
79 
++	init_speculation_control(c);
80 
+ }
81 
+
82 
+ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
83 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
84 
+index fee94ee..0f13189 100644
85 
+--- a/arch/x86/kernel/cpu/intel.c
86 
+@@ -105,28 +105,17 @@ static void early_init_intel(struct cpuinfo_x86 *c)
87 
+ 		rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode);
88 
+ 	}
89 
+
90 
+-	/*
91 
+-	 * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support,
92 
+-	 * and they also have a different bit for STIBP support. Also,
93 
+-	 * a hypervisor might have set the individual AMD bits even on
94 
+-	 * Intel CPUs, for finer-grained selection of what's available.
95 
+-	 */
96 
+-	if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
97 
+-		set_cpu_cap(c, X86_FEATURE_IBRS);
98 
+-		set_cpu_cap(c, X86_FEATURE_IBPB);
99 
+-	}
100 
+-	if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
101 
+-		set_cpu_cap(c, X86_FEATURE_STIBP);
102 
+-
103 
+ 	/* Now if any of them are set, check the blacklist and clear the lot */
104 
+-	if ((cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) ||
105 
++	if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
106 
++	     cpu_has(c, X86_FEATURE_INTEL_STIBP) ||
107 
++	     cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) ||
108 
+ 	     cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) {
109 
+ 		pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n");
110 
+-		clear_cpu_cap(c, X86_FEATURE_IBRS);
111 
+-		clear_cpu_cap(c, X86_FEATURE_IBPB);
112 
+-		clear_cpu_cap(c, X86_FEATURE_STIBP);
113 
+-		clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
114 
+-		clear_cpu_cap(c, X86_FEATURE_INTEL_STIBP);
115 
++		setup_clear_cpu_cap(X86_FEATURE_IBRS);
116 
++		setup_clear_cpu_cap(X86_FEATURE_IBPB);
117 
++		setup_clear_cpu_cap(X86_FEATURE_STIBP);
118 
++		setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
119 
++		setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
120 
+ 	}
121 
+
122 
+ 	/*
123 
+--
124 
+2.7.4
125 
+
SPECS/linux/speculative-store-bypass/0034-x86-pti-Mark-constant-arrays-as-__initconst.patch
History View file @ 4ab22c2
0 126 
new file mode 100644
... ... 
@@ -0,0 +1,56 @@
0 
+From 299eddfafc16b0713c51652ca845d5c590a36d1a Mon Sep 17 00:00:00 2001
1 
+From: Arnd Bergmann <arnd@arndb.de>
2 
+Date: Thu, 14 Jun 2018 14:56:17 -0700
3 
+Subject: [PATCH 034/103] x86/pti: Mark constant arrays as __initconst
4 
+
5 
+(cherry picked from commit 4bf5d56d429cbc96c23d809a08f63cd29e1a702e)
6 
+
7 
+I'm seeing build failures from the two newly introduced arrays that
8 
+are marked 'const' and '__initdata', which are mutually exclusive:
9 
+
10 
+arch/x86/kernel/cpu/common.c:882:43: error: 'cpu_no_speculation' causes a section type conflict with 'e820_table_firmware_init'
11 
+arch/x86/kernel/cpu/common.c:895:43: error: 'cpu_no_meltdown' causes a section type conflict with 'e820_table_firmware_init'
12 
+
13 
+The correct annotation is __initconst.
14 
+
15 
+Fixes: fec9434a12f3 ("x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown")
16 
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
17 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
18 
+Cc: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
19 
+Cc: Andy Lutomirski <luto@kernel.org>
20 
+Cc: Borislav Petkov <bp@suse.de>
21 
+Cc: Thomas Garnier <thgarnie@google.com>
22 
+Cc: David Woodhouse <dwmw@amazon.co.uk>
23 
+Link: https://lkml.kernel.org/r/20180202213959.611210-1-arnd@arndb.de
24 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
25 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
27 
+---
28 
+ arch/x86/kernel/cpu/common.c | 4 ++--
29 
+ 1 file changed, 2 insertions(+), 2 deletions(-)
30 
+
31 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
32 
+index 72d7e5a..48499b4 100644
33 
+--- a/arch/x86/kernel/cpu/common.c
34 
+@@ -817,7 +817,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
35 
+ #endif
36 
+ }
37 
+
38 
+-static const __initdata struct x86_cpu_id cpu_no_speculation[] = {
39 
++static const __initconst struct x86_cpu_id cpu_no_speculation[] = {
40 
+ 	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_CEDARVIEW,	X86_FEATURE_ANY },
41 
+ 	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_CLOVERVIEW,	X86_FEATURE_ANY },
42 
+ 	{ X86_VENDOR_INTEL,	6, INTEL_FAM6_ATOM_LINCROFT,	X86_FEATURE_ANY },
43 
+@@ -830,7 +830,7 @@ static const __initdata struct x86_cpu_id cpu_no_speculation[] = {
44 
+ 	{}
45 
+ };
46 
+
47 
+-static const __initdata struct x86_cpu_id cpu_no_meltdown[] = {
48 
++static const __initconst struct x86_cpu_id cpu_no_meltdown[] = {
49 
+ 	{ X86_VENDOR_AMD },
50 
+ 	{}
51 
+ };
52 
+--
53 
+2.7.4
54 
+
SPECS/linux/speculative-store-bypass/0035-x86-asm-entry-32-Simplify-pushes-of-zeroed-pt_regs-R.patch
History View file @ 4ab22c2
0 55 
new file mode 100644
... ... 
@@ -0,0 +1,141 @@
0 
+From 68a18850352482faf9b554d2841495192f68b37b Mon Sep 17 00:00:00 2001
1 
+From: Denys Vlasenko <dvlasenk@redhat.com>
2 
+Date: Thu, 14 Jun 2018 14:56:26 -0700
3 
+Subject: [PATCH 035/103] x86/asm/entry/32: Simplify pushes of zeroed
4 
+ pt_regs->REGs
5 
+
6 
+commit 778843f934e362ed4ed734520f60a44a78a074b4 upstream
7 
+
8 
+Use of a temporary R8 register here seems to be unnecessary.
9 
+
10 
+"push %r8" is a two-byte insn (it needs REX prefix to specify R8),
11 
+"push $0" is two-byte too. It seems just using the latter would be
12 
+no worse.
13 
+
14 
+Thus, code had an unnecessary "xorq %r8,%r8" insn.
15 
+It probably costs nothing in execution time here since we are probably
16 
+limited by store bandwidth at this point, but still.
17 
+
18 
+Run-tested under QEMU: 32-bit calls still work:
19 
+
20 
+ / # ./test_syscall_vdso32
21 
+ [RUN]	Executing 6-argument 32-bit syscall via VDSO
22 
+ [OK]	Arguments are preserved across syscall
23 
+ [NOTE]	R11 has changed:0000000000200ed7 - assuming clobbered by SYSRET insn
24 
+ [OK]	R8..R15 did not leak kernel data
25 
+ [RUN]	Executing 6-argument 32-bit syscall via INT 80
26 
+ [OK]	Arguments are preserved across syscall
27 
+ [OK]	R8..R15 did not leak kernel data
28 
+ [RUN]	Running tests under ptrace
29 
+ [RUN]	Executing 6-argument 32-bit syscall via VDSO
30 
+ [OK]	Arguments are preserved across syscall
31 
+ [NOTE]	R11 has changed:0000000000200ed7 - assuming clobbered by SYSRET insn
32 
+ [OK]	R8..R15 did not leak kernel data
33 
+ [RUN]	Executing 6-argument 32-bit syscall via INT 80
34 
+ [OK]	Arguments are preserved across syscall
35 
+ [OK]	R8..R15 did not leak kernel data
36 
+
37 
+Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
38 
+Acked-by: Andy Lutomirski <luto@kernel.org>
39 
+Cc: Andy Lutomirski <luto@amacapital.net>
40 
+Cc: Borislav Petkov <bp@alien8.de>
41 
+Cc: Brian Gerst <brgerst@gmail.com>
42 
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
43 
+Cc: H. Peter Anvin <hpa@zytor.com>
44 
+Cc: Kees Cook <keescook@chromium.org>
45 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
46 
+Cc: Peter Zijlstra <peterz@infradead.org>
47 
+Cc: Steven Rostedt <rostedt@goodmis.org>
48 
+Cc: Thomas Gleixner <tglx@linutronix.de>
49 
+Cc: Will Drewry <wad@chromium.org>
50 
+Cc: linux-kernel@vger.kernel.org
51 
+Link: http://lkml.kernel.org/r/1462201010-16846-1-git-send-email-dvlasenk@redhat.com
52 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
53 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
54 
+---
55 
+ arch/x86/entry/entry_64_compat.S | 45 +++++++++++++++++++---------------------
56 
+ 1 file changed, 21 insertions(+), 24 deletions(-)
57 
+
58 
+diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
59 
+index d03bf0e..e479ff8 100644
60 
+--- a/arch/x86/entry/entry_64_compat.S
61 
+@@ -79,24 +79,23 @@ ENTRY(entry_SYSENTER_compat)
62 
+ 	ASM_CLAC			/* Clear AC after saving FLAGS */
63 
+
64 
+ 	pushq	$__USER32_CS		/* pt_regs->cs */
65 
+-	xorq    %r8,%r8
66 
+-	pushq	%r8			/* pt_regs->ip = 0 (placeholder) */
67 
++	pushq	$0			/* pt_regs->ip = 0 (placeholder) */
68 
+ 	pushq	%rax			/* pt_regs->orig_ax */
69 
+ 	pushq	%rdi			/* pt_regs->di */
70 
+ 	pushq	%rsi			/* pt_regs->si */
71 
+ 	pushq	%rdx			/* pt_regs->dx */
72 
+ 	pushq	%rcx			/* pt_regs->cx */
73 
+ 	pushq	$-ENOSYS		/* pt_regs->ax */
74 
+-	pushq   %r8                     /* pt_regs->r8  = 0 */
75 
+-	pushq   %r8                     /* pt_regs->r9  = 0 */
76 
+-	pushq   %r8                     /* pt_regs->r10 = 0 */
77 
+-	pushq   %r8                     /* pt_regs->r11 = 0 */
78 
++	pushq   $0			/* pt_regs->r8  = 0 */
79 
++	pushq   $0			/* pt_regs->r9  = 0 */
80 
++	pushq   $0			/* pt_regs->r10 = 0 */
81 
++	pushq   $0			/* pt_regs->r11 = 0 */
82 
+ 	pushq   %rbx                    /* pt_regs->rbx */
83 
+ 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */
84 
+-	pushq   %r8                     /* pt_regs->r12 = 0 */
85 
+-	pushq   %r8                     /* pt_regs->r13 = 0 */
86 
+-	pushq   %r8                     /* pt_regs->r14 = 0 */
87 
+-	pushq   %r8                     /* pt_regs->r15 = 0 */
88 
++	pushq   $0			/* pt_regs->r12 = 0 */
89 
++	pushq   $0			/* pt_regs->r13 = 0 */
90 
++	pushq   $0			/* pt_regs->r14 = 0 */
91 
++	pushq   $0			/* pt_regs->r15 = 0 */
92 
+ 	cld
93 
+
94 
+ 	/*
95 
+@@ -185,17 +184,16 @@ ENTRY(entry_SYSCALL_compat)
96 
+ 	pushq	%rdx			/* pt_regs->dx */
97 
+ 	pushq	%rbp			/* pt_regs->cx (stashed in bp) */
98 
+ 	pushq	$-ENOSYS		/* pt_regs->ax */
99 
+-	xorq    %r8,%r8
100 
+-	pushq   %r8                     /* pt_regs->r8  = 0 */
101 
+-	pushq   %r8                     /* pt_regs->r9  = 0 */
102 
+-	pushq   %r8                     /* pt_regs->r10 = 0 */
103 
+-	pushq   %r8                     /* pt_regs->r11 = 0 */
104 
++	pushq   $0			/* pt_regs->r8  = 0 */
105 
++	pushq   $0			/* pt_regs->r9  = 0 */
106 
++	pushq   $0			/* pt_regs->r10 = 0 */
107 
++	pushq   $0			/* pt_regs->r11 = 0 */
108 
+ 	pushq   %rbx                    /* pt_regs->rbx */
109 
+ 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */
110 
+-	pushq   %r8                     /* pt_regs->r12 = 0 */
111 
+-	pushq   %r8                     /* pt_regs->r13 = 0 */
112 
+-	pushq   %r8                     /* pt_regs->r14 = 0 */
113 
+-	pushq   %r8                     /* pt_regs->r15 = 0 */
114 
++	pushq   $0			/* pt_regs->r12 = 0 */
115 
++	pushq   $0			/* pt_regs->r13 = 0 */
116 
++	pushq   $0			/* pt_regs->r14 = 0 */
117 
++	pushq   $0			/* pt_regs->r15 = 0 */
118 
+
119 
+ 	/*
120 
+ 	 * User mode is traced as though IRQs are on, and SYSENTER
121 
+@@ -292,11 +290,10 @@ ENTRY(entry_INT80_compat)
122 
+ 	pushq	%rdx			/* pt_regs->dx */
123 
+ 	pushq	%rcx			/* pt_regs->cx */
124 
+ 	pushq	$-ENOSYS		/* pt_regs->ax */
125 
+-	xorq    %r8,%r8
126 
+-	pushq   %r8                     /* pt_regs->r8  = 0 */
127 
+-	pushq   %r8                     /* pt_regs->r9  = 0 */
128 
+-	pushq   %r8                     /* pt_regs->r10 = 0 */
129 
+-	pushq   %r8                     /* pt_regs->r11 = 0 */
130 
++	pushq   $0			/* pt_regs->r8  = 0 */
131 
++	pushq   $0			/* pt_regs->r9  = 0 */
132 
++	pushq   $0			/* pt_regs->r10 = 0 */
133 
++	pushq   $0			/* pt_regs->r11 = 0 */
134 
+ 	pushq   %rbx                    /* pt_regs->rbx */
135 
+ 	pushq   %rbp                    /* pt_regs->rbp */
136 
+ 	pushq   %r12                    /* pt_regs->r12 */
137 
+--
138 
+2.7.4
139 
+
SPECS/linux/speculative-store-bypass/0036-x86-entry-64-compat-Clear-registers-for-compat-sysca.patch
History View file @ 4ab22c2
0 140 
new file mode 100644
... ... 
@@ -0,0 +1,118 @@
0 
+From de180f7a48dcbcc8651e14ed9c767c7905080ef7 Mon Sep 17 00:00:00 2001
1 
+From: Dan Williams <dan.j.williams@intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:27 -0700
3 
+Subject: [PATCH 036/103] x86/entry/64/compat: Clear registers for compat
4 
+ syscalls, to reduce speculation attack surface
5 
+
6 
+commit 6b8cf5cc9965673951f1ab3f0e3cf23d06e3e2ee upstream.
7 
+
8 
+At entry userspace may have populated registers with values that could
9 
+otherwise be useful in a speculative execution attack. Clear them to
10 
+minimize the kernel's attack surface.
11 
+
12 
+Originally-From: Andi Kleen <ak@linux.intel.com>
13 
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
14 
+Cc: <stable@vger.kernel.org>
15 
+Cc: Andy Lutomirski <luto@kernel.org>
16 
+Cc: Borislav Petkov <bp@alien8.de>
17 
+Cc: Brian Gerst <brgerst@gmail.com>
18 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
19 
+Cc: H. Peter Anvin <hpa@zytor.com>
20 
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
21 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
22 
+Cc: Peter Zijlstra <peterz@infradead.org>
23 
+Cc: Thomas Gleixner <tglx@linutronix.de>
24 
+Link: http://lkml.kernel.org/r/151787989697.7847.4083702787288600552.stgit@dwillia2-desk3.amr.corp.intel.com
25 
+[ Made small improvements to the changelog. ]
26 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
27 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
28 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
29 
+---
30 
+ arch/x86/entry/entry_64_compat.S | 30 ++++++++++++++++++++++++++++++
31 
+ 1 file changed, 30 insertions(+)
32 
+
33 
+diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
34 
+index e479ff8..48c27c3 100644
35 
+--- a/arch/x86/entry/entry_64_compat.S
36 
+@@ -87,15 +87,25 @@ ENTRY(entry_SYSENTER_compat)
37 
+ 	pushq	%rcx			/* pt_regs->cx */
38 
+ 	pushq	$-ENOSYS		/* pt_regs->ax */
39 
+ 	pushq   $0			/* pt_regs->r8  = 0 */
40 
++	xorq	%r8, %r8		/* nospec   r8 */
41 
+ 	pushq   $0			/* pt_regs->r9  = 0 */
42 
++	xorq	%r9, %r9		/* nospec   r9 */
43 
+ 	pushq   $0			/* pt_regs->r10 = 0 */
44 
++	xorq	%r10, %r10		/* nospec   r10 */
45 
+ 	pushq   $0			/* pt_regs->r11 = 0 */
46 
++	xorq	%r11, %r11		/* nospec   r11 */
47 
+ 	pushq   %rbx                    /* pt_regs->rbx */
48 
++	xorl	%ebx, %ebx		/* nospec   rbx */
49 
+ 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */
50 
++	xorl	%ebp, %ebp		/* nospec   rbp */
51 
+ 	pushq   $0			/* pt_regs->r12 = 0 */
52 
++	xorq	%r12, %r12		/* nospec   r12 */
53 
+ 	pushq   $0			/* pt_regs->r13 = 0 */
54 
++	xorq	%r13, %r13		/* nospec   r13 */
55 
+ 	pushq   $0			/* pt_regs->r14 = 0 */
56 
++	xorq	%r14, %r14		/* nospec   r14 */
57 
+ 	pushq   $0			/* pt_regs->r15 = 0 */
58 
++	xorq	%r15, %r15		/* nospec   r15 */
59 
+ 	cld
60 
+
61 
+ 	/*
62 
+@@ -185,15 +195,25 @@ ENTRY(entry_SYSCALL_compat)
63 
+ 	pushq	%rbp			/* pt_regs->cx (stashed in bp) */
64 
+ 	pushq	$-ENOSYS		/* pt_regs->ax */
65 
+ 	pushq   $0			/* pt_regs->r8  = 0 */
66 
++	xorq	%r8, %r8		/* nospec   r8 */
67 
+ 	pushq   $0			/* pt_regs->r9  = 0 */
68 
++	xorq	%r9, %r9		/* nospec   r9 */
69 
+ 	pushq   $0			/* pt_regs->r10 = 0 */
70 
++	xorq	%r10, %r10		/* nospec   r10 */
71 
+ 	pushq   $0			/* pt_regs->r11 = 0 */
72 
++	xorq	%r11, %r11		/* nospec   r11 */
73 
+ 	pushq   %rbx                    /* pt_regs->rbx */
74 
++	xorl	%ebx, %ebx		/* nospec   rbx */
75 
+ 	pushq   %rbp                    /* pt_regs->rbp (will be overwritten) */
76 
++	xorl	%ebp, %ebp		/* nospec   rbp */
77 
+ 	pushq   $0			/* pt_regs->r12 = 0 */
78 
++	xorq	%r12, %r12		/* nospec   r12 */
79 
+ 	pushq   $0			/* pt_regs->r13 = 0 */
80 
++	xorq	%r13, %r13		/* nospec   r13 */
81 
+ 	pushq   $0			/* pt_regs->r14 = 0 */
82 
++	xorq	%r14, %r14		/* nospec   r14 */
83 
+ 	pushq   $0			/* pt_regs->r15 = 0 */
84 
++	xorq	%r15, %r15		/* nospec   r15 */
85 
+
86 
+ 	/*
87 
+ 	 * User mode is traced as though IRQs are on, and SYSENTER
88 
+@@ -291,15 +311,25 @@ ENTRY(entry_INT80_compat)
89 
+ 	pushq	%rcx			/* pt_regs->cx */
90 
+ 	pushq	$-ENOSYS		/* pt_regs->ax */
91 
+ 	pushq   $0			/* pt_regs->r8  = 0 */
92 
++	xorq	%r8, %r8		/* nospec   r8 */
93 
+ 	pushq   $0			/* pt_regs->r9  = 0 */
94 
++	xorq	%r9, %r9		/* nospec   r9 */
95 
+ 	pushq   $0			/* pt_regs->r10 = 0 */
96 
++	xorq	%r10, %r10		/* nospec   r10 */
97 
+ 	pushq   $0			/* pt_regs->r11 = 0 */
98 
++	xorq	%r11, %r11		/* nospec   r11 */
99 
+ 	pushq   %rbx                    /* pt_regs->rbx */
100 
++	xorl	%ebx, %ebx		/* nospec   rbx */
101 
+ 	pushq   %rbp                    /* pt_regs->rbp */
102 
++	xorl	%ebp, %ebp		/* nospec   rbp */
103 
+ 	pushq   %r12                    /* pt_regs->r12 */
104 
++	xorq	%r12, %r12		/* nospec   r12 */
105 
+ 	pushq   %r13                    /* pt_regs->r13 */
106 
++	xorq	%r13, %r13		/* nospec   r13 */
107 
+ 	pushq   %r14                    /* pt_regs->r14 */
108 
++	xorq	%r14, %r14		/* nospec   r14 */
109 
+ 	pushq   %r15                    /* pt_regs->r15 */
110 
++	xorq	%r15, %r15		/* nospec   r15 */
111 
+ 	cld
112 
+
113 
+ 	/*
114 
+--
115 
+2.7.4
116 
+
SPECS/linux/speculative-store-bypass/0037-x86-speculation-Update-Speculation-Control-microcode.patch
History View file @ 4ab22c2
0 117 
new file mode 100644
... ... 
@@ -0,0 +1,70 @@
0 
+From 59eb54678a9818fc2f14c1ec56bd63a00153860d Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:27 -0700
3 
+Subject: [PATCH 037/103] x86/speculation: Update Speculation Control microcode
4 
+ blacklist
5 
+
6 
+commit 1751342095f0d2b36fa8114d8e12c5688c455ac4 upstream.
7 
+
8 
+Intel have retroactively blessed the 0xc2 microcode on Skylake mobile
9 
+and desktop parts, and the Gemini Lake 0x22 microcode is apparently fine
10 
+too. We blacklisted the latter purely because it was present with all
11 
+the other problematic ones in the 2018-01-08 release, but now it's
12 
+explicitly listed as OK.
13 
+
14 
+We still list 0x84 for the various Kaby Lake / Coffee Lake parts, as
15 
+that appeared in one version of the blacklist and then reverted to
16 
+0x80 again. We can change it if 0x84 is actually announced to be safe.
17 
+
18 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
19 
+Cc: Andy Lutomirski <luto@kernel.org>
20 
+Cc: Arjan van de Ven <arjan@linux.intel.com>
21 
+Cc: Borislav Petkov <bp@alien8.de>
22 
+Cc: Dan Williams <dan.j.williams@intel.com>
23 
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
24 
+Cc: David Woodhouse <dwmw2@infradead.org>
25 
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26 
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
27 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
28 
+Cc: Peter Zijlstra <peterz@infradead.org>
29 
+Cc: Thomas Gleixner <tglx@linutronix.de>
30 
+Cc: arjan.van.de.ven@intel.com
31 
+Cc: jmattson@google.com
32 
+Cc: karahmed@amazon.de
33 
+Cc: kvm@vger.kernel.org
34 
+Cc: pbonzini@redhat.com
35 
+Cc: rkrcmar@redhat.com
36 
+Cc: sironi@amazon.de
37 
+Link: http://lkml.kernel.org/r/1518305967-31356-2-git-send-email-dwmw@amazon.co.uk
38 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
39 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
40 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
41 
+---
42 
+ arch/x86/kernel/cpu/intel.c | 4 ----
43 
+ 1 file changed, 4 deletions(-)
44 
+
45 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
46 
+index 0f13189..71492d2 100644
47 
+--- a/arch/x86/kernel/cpu/intel.c
48 
+@@ -47,8 +47,6 @@ static const struct sku_microcode spectre_bad_microcodes[] = {
49 
+ 	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x09,	0x84 },
50 
+ 	{ INTEL_FAM6_SKYLAKE_X,		0x03,	0x0100013e },
51 
+ 	{ INTEL_FAM6_SKYLAKE_X,		0x04,	0x0200003c },
52 
+-	{ INTEL_FAM6_SKYLAKE_MOBILE,	0x03,	0xc2 },
53 
+-	{ INTEL_FAM6_SKYLAKE_DESKTOP,	0x03,	0xc2 },
54 
+ 	{ INTEL_FAM6_BROADWELL_CORE,	0x04,	0x28 },
55 
+ 	{ INTEL_FAM6_BROADWELL_GT3E,	0x01,	0x1b },
56 
+ 	{ INTEL_FAM6_BROADWELL_XEON_D,	0x02,	0x14 },
57 
+@@ -60,8 +58,6 @@ static const struct sku_microcode spectre_bad_microcodes[] = {
58 
+ 	{ INTEL_FAM6_HASWELL_X,		0x02,	0x3b },
59 
+ 	{ INTEL_FAM6_HASWELL_X,		0x04,	0x10 },
60 
+ 	{ INTEL_FAM6_IVYBRIDGE_X,	0x04,	0x42a },
61 
+-	/* Updated in the 20180108 release; blacklist until we know otherwise */
62 
+-	{ INTEL_FAM6_ATOM_GEMINI_LAKE,	0x01,	0x22 },
63 
+ 	/* Observed in the wild */
64 
+ 	{ INTEL_FAM6_SANDYBRIDGE_X,	0x06,	0x61b },
65 
+ 	{ INTEL_FAM6_SANDYBRIDGE_X,	0x07,	0x712 },
66 
+--
67 
+2.7.4
68 
+
SPECS/linux/speculative-store-bypass/0038-x86-speculation-Correct-Speculation-Control-microcod.patch
History View file @ 4ab22c2
0 69 
new file mode 100644
... ... 
@@ -0,0 +1,79 @@
0 
+From a625e16bfbae5a13faeab34de81292ea35e75301 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:28 -0700
3 
+Subject: [PATCH 038/103] x86/speculation: Correct Speculation Control
4 
+ microcode blacklist again
5 
+
6 
+commit d37fc6d360a404b208547ba112e7dabb6533c7fc upstream.
7 
+
8 
+Arjan points out that the Intel document only clears the 0xc2 microcode
9 
+on *some* parts with CPUID 506E3 (INTEL_FAM6_SKYLAKE_DESKTOP stepping 3).
10 
+For the Skylake H/S platform it's OK but for Skylake E3 which has the
11 
+same CPUID it isn't (yet) cleared.
12 
+
13 
+So removing it from the blacklist was premature. Put it back for now.
14 
+
15 
+Also, Arjan assures me that the 0x84 microcode for Kaby Lake which was
16 
+featured in one of the early revisions of the Intel document was never
17 
+released to the public, and won't be until/unless it is also validated
18 
+as safe. So those can change to 0x80 which is what all *other* versions
19 
+of the doc have identified.
20 
+
21 
+Once the retrospective testing of existing public microcodes is done, we
22 
+should be back into a mode where new microcodes are only released in
23 
+batches and we shouldn't even need to update the blacklist for those
24 
+anyway, so this tweaking of the list isn't expected to be a thing which
25 
+keeps happening.
26 
+
27 
+Requested-by: Arjan van de Ven <arjan.van.de.ven@intel.com>
28 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
29 
+Cc: Andy Lutomirski <luto@kernel.org>
30 
+Cc: Arjan van de Ven <arjan@linux.intel.com>
31 
+Cc: Borislav Petkov <bp@alien8.de>
32 
+Cc: Dan Williams <dan.j.williams@intel.com>
33 
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
34 
+Cc: David Woodhouse <dwmw2@infradead.org>
35 
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
36 
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
37 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
38 
+Cc: Peter Zijlstra <peterz@infradead.org>
39 
+Cc: Thomas Gleixner <tglx@linutronix.de>
40 
+Cc: arjan.van.de.ven@intel.com
41 
+Cc: dave.hansen@intel.com
42 
+Cc: kvm@vger.kernel.org
43 
+Cc: pbonzini@redhat.com
44 
+Link: http://lkml.kernel.org/r/1518449255-2182-1-git-send-email-dwmw@amazon.co.uk
45 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
46 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
47 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
48 
+---
49 
+ arch/x86/kernel/cpu/intel.c | 11 ++++++-----
50 
+ 1 file changed, 6 insertions(+), 5 deletions(-)
51 
+
52 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
53 
+index 71492d2..b69d258 100644
54 
+--- a/arch/x86/kernel/cpu/intel.c
55 
+@@ -40,13 +40,14 @@ struct sku_microcode {
56 
+ 	u32 microcode;
57 
+ };
58 
+ static const struct sku_microcode spectre_bad_microcodes[] = {
59 
+-	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0B,	0x84 },
60 
+-	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0A,	0x84 },
61 
+-	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x09,	0x84 },
62 
+-	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x0A,	0x84 },
63 
+-	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x09,	0x84 },
64 
++	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0B,	0x80 },
65 
++	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0A,	0x80 },
66 
++	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x09,	0x80 },
67 
++	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x0A,	0x80 },
68 
++	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x09,	0x80 },
69 
+ 	{ INTEL_FAM6_SKYLAKE_X,		0x03,	0x0100013e },
70 
+ 	{ INTEL_FAM6_SKYLAKE_X,		0x04,	0x0200003c },
71 
++	{ INTEL_FAM6_SKYLAKE_DESKTOP,	0x03,	0xc2 },
72 
+ 	{ INTEL_FAM6_BROADWELL_CORE,	0x04,	0x28 },
73 
+ 	{ INTEL_FAM6_BROADWELL_GT3E,	0x01,	0x1b },
74 
+ 	{ INTEL_FAM6_BROADWELL_XEON_D,	0x02,	0x14 },
75 
+--
76 
+2.7.4
77 
+
SPECS/linux/speculative-store-bypass/0039-x86-speculation-Clean-up-various-Spectre-related-det.patch
History View file @ 4ab22c2
0 78 
new file mode 100644
... ... 
@@ -0,0 +1,139 @@
0 
+From edc00fa4cb9f65af3a7b9a9c7b6da57c0450250b Mon Sep 17 00:00:00 2001
1 
+From: Ingo Molnar <mingo@kernel.org>
2 
+Date: Thu, 14 Jun 2018 14:56:29 -0700
3 
+Subject: [PATCH 039/103] x86/speculation: Clean up various Spectre related
4 
+ details
5 
+
6 
+commit 21e433bdb95bdf3aa48226fd3d33af608437f293 upstream.
7 
+
8 
+Harmonize all the Spectre messages so that a:
9 
+
10 
+    dmesg | grep -i spectre
11 
+
12 
+... gives us most Spectre related kernel boot messages.
13 
+
14 
+Also fix a few other details:
15 
+
16 
+ - clarify a comment about firmware speculation control
17 
+
18 
+ - s/KPTI/PTI
19 
+
20 
+ - remove various line-breaks that made the code uglier
21 
+
22 
+Acked-by: David Woodhouse <dwmw@amazon.co.uk>
23 
+Cc: Andy Lutomirski <luto@kernel.org>
24 
+Cc: Arjan van de Ven <arjan@linux.intel.com>
25 
+Cc: Borislav Petkov <bp@alien8.de>
26 
+Cc: Dan Williams <dan.j.williams@intel.com>
27 
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
28 
+Cc: David Woodhouse <dwmw2@infradead.org>
29 
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
30 
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
31 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
32 
+Cc: Peter Zijlstra <peterz@infradead.org>
33 
+Cc: Thomas Gleixner <tglx@linutronix.de>
34 
+Cc: linux-kernel@vger.kernel.org
35 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
36 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
37 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
38 
+---
39 
+ arch/x86/kernel/cpu/bugs.c | 25 ++++++++++---------------
40 
+ 1 file changed, 10 insertions(+), 15 deletions(-)
41 
+
42 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
43 
+index 1968baf..fea368d 100644
44 
+--- a/arch/x86/kernel/cpu/bugs.c
45 
+@@ -162,8 +162,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
46 
+ 	if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
47 
+ 		return SPECTRE_V2_CMD_NONE;
48 
+ 	else {
49 
+-		ret = cmdline_find_option(boot_command_line, "spectre_v2", arg,
50 
+-					  sizeof(arg));
51 
++		ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
52 
+ 		if (ret < 0)
53 
+ 			return SPECTRE_V2_CMD_AUTO;
54 
+
55 
+@@ -184,8 +183,7 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
56 
+ 	     cmd == SPECTRE_V2_CMD_RETPOLINE_AMD ||
57 
+ 	     cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) &&
58 
+ 	    !IS_ENABLED(CONFIG_RETPOLINE)) {
59 
+-		pr_err("%s selected but not compiled in. Switching to AUTO select\n",
60 
+-		       mitigation_options[i].option);
61 
++		pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option);
62 
+ 		return SPECTRE_V2_CMD_AUTO;
63 
+ 	}
64 
+
65 
+@@ -255,14 +253,14 @@ static void __init spectre_v2_select_mitigation(void)
66 
+ 			goto retpoline_auto;
67 
+ 		break;
68 
+ 	}
69 
+-	pr_err("kernel not compiled with retpoline; no mitigation available!");
70 
++	pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!");
71 
+ 	return;
72 
+
73 
+ retpoline_auto:
74 
+ 	if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) {
75 
+ 	retpoline_amd:
76 
+ 		if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
77 
+-			pr_err("LFENCE not serializing. Switching to generic retpoline\n");
78 
++			pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n");
79 
+ 			goto retpoline_generic;
80 
+ 		}
81 
+ 		mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD :
82 
+@@ -280,7 +278,7 @@ retpoline_auto:
83 
+ 	pr_info("%s\n", spectre_v2_strings[mode]);
84 
+
85 
+ 	/*
86 
+-	 * If neither SMEP or KPTI are available, there is a risk of
87 
++	 * If neither SMEP nor PTI are available, there is a risk of
88 
+ 	 * hitting userspace addresses in the RSB after a context switch
89 
+ 	 * from a shallow call stack to a deeper one. To prevent this fill
90 
+ 	 * the entire RSB, even when using IBRS.
91 
+@@ -294,21 +292,20 @@ retpoline_auto:
92 
+ 	if ((!boot_cpu_has(X86_FEATURE_KAISER) &&
93 
+ 	     !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {
94 
+ 		setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
95 
+-		pr_info("Filling RSB on context switch\n");
96 
++		pr_info("Spectre v2 mitigation: Filling RSB on context switch\n");
97 
+ 	}
98 
+
99 
+ 	/* Initialize Indirect Branch Prediction Barrier if supported */
100 
+ 	if (boot_cpu_has(X86_FEATURE_IBPB)) {
101 
+ 		setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
102 
+-		pr_info("Enabling Indirect Branch Prediction Barrier\n");
103 
++		pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
104 
+ 	}
105 
+ }
106 
+
107 
+ #undef pr_fmt
108 
+
109 
+ #ifdef CONFIG_SYSFS
110 
+-ssize_t cpu_show_meltdown(struct device *dev,
111 
+-			  struct device_attribute *attr, char *buf)
112 
++ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
113 
+ {
114 
+ 	if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
115 
+ 		return sprintf(buf, "Not affected\n");
116 
+@@ -317,16 +314,14 @@ ssize_t cpu_show_meltdown(struct device *dev,
117 
+ 	return sprintf(buf, "Vulnerable\n");
118 
+ }
119 
+
120 
+-ssize_t cpu_show_spectre_v1(struct device *dev,
121 
+-			    struct device_attribute *attr, char *buf)
122 
++ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
123 
+ {
124 
+ 	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1))
125 
+ 		return sprintf(buf, "Not affected\n");
126 
+ 	return sprintf(buf, "Mitigation: __user pointer sanitization\n");
127 
+ }
128 
+
129 
+-ssize_t cpu_show_spectre_v2(struct device *dev,
130 
+-			    struct device_attribute *attr, char *buf)
131 
++ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
132 
+ {
133 
+ 	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
134 
+ 		return sprintf(buf, "Not affected\n");
135 
+--
136 
+2.7.4
137 
+
SPECS/linux/speculative-store-bypass/0040-x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch
History View file @ 4ab22c2
0 138 
new file mode 100644
... ... 
@@ -0,0 +1,40 @@
0 
+From 2adecefe6e30d49794b22077755d3d1a91ca564c Mon Sep 17 00:00:00 2001
1 
+From: Dan Williams <dan.j.williams@intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:30 -0700
3 
+Subject: [PATCH 040/103] x86/speculation: Fix up array_index_nospec_mask() asm
4 
+ constraint
5 
+
6 
+commit be3233fbfcb8f5acb6e3bcd0895c3ef9e100d470 upstream.
7 
+
8 
+Allow the compiler to handle @size as an immediate value or memory
9 
+directly rather than allocating a register.
10 
+
11 
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
12 
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
13 
+Cc: Andy Lutomirski <luto@kernel.org>
14 
+Cc: Peter Zijlstra <peterz@infradead.org>
15 
+Cc: Thomas Gleixner <tglx@linutronix.de>
16 
+Link: http://lkml.kernel.org/r/151797010204.1289.1510000292250184993.stgit@dwillia2-desk3.amr.corp.intel.com
17 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
18 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
20 
+---
21 
+ arch/x86/include/asm/barrier.h | 2 +-
22 
+ 1 file changed, 1 insertion(+), 1 deletion(-)
23 
+
24 
+diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
25 
+index 814ef83..c6975e3 100644
26 
+--- a/arch/x86/include/asm/barrier.h
27 
+@@ -40,7 +40,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
28 
+
29 
+ 	asm ("cmp %1,%2; sbb %0,%0;"
30 
+ 			:"=r" (mask)
31 
+-			:"r"(size),"r" (index)
32 
++			:"g"(size),"r" (index)
33 
+ 			:"cc");
34 
+ 	return mask;
35 
+ }
36 
+--
37 
+2.7.4
38 
+
SPECS/linux/speculative-store-bypass/0041-x86-speculation-Add-asm-msr-index.h-dependency.patch
History View file @ 4ab22c2
0 39 
new file mode 100644
... ... 
@@ -0,0 +1,51 @@
0 
+From 3eb651020284b6f60c0e32f0cd443bbefd6cbfff Mon Sep 17 00:00:00 2001
1 
+From: Peter Zijlstra <peterz@infradead.org>
2 
+Date: Thu, 14 Jun 2018 14:56:30 -0700
3 
+Subject: [PATCH 041/103] x86/speculation: Add <asm/msr-index.h> dependency
4 
+
5 
+commit ea00f301285ea2f07393678cd2b6057878320c9d upstream.
6 
+
7 
+Joe Konno reported a compile failure resulting from using an MSR
8 
+without inclusion of <asm/msr-index.h>, and while the current code builds
9 
+fine (by accident) this needs fixing for future patches.
10 
+
11 
+Reported-by: Joe Konno <joe.konno@linux.intel.com>
12 
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
13 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
14 
+Cc: Peter Zijlstra <peterz@infradead.org>
15 
+Cc: Thomas Gleixner <tglx@linutronix.de>
16 
+Cc: arjan@linux.intel.com
17 
+Cc: bp@alien8.de
18 
+Cc: dan.j.williams@intel.com
19 
+Cc: dave.hansen@linux.intel.com
20 
+Cc: dwmw2@infradead.org
21 
+Cc: dwmw@amazon.co.uk
22 
+Cc: gregkh@linuxfoundation.org
23 
+Cc: hpa@zytor.com
24 
+Cc: jpoimboe@redhat.com
25 
+Cc: linux-tip-commits@vger.kernel.org
26 
+Cc: luto@kernel.org
27 
+Fixes: 20ffa1caecca ("x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support")
28 
+Link: http://lkml.kernel.org/r/20180213132819.GJ25201@hirez.programming.kicks-ass.net
29 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
30 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
31 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
32 
+---
33 
+ arch/x86/include/asm/nospec-branch.h | 1 +
34 
+ 1 file changed, 1 insertion(+)
35 
+
36 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
37 
+index 8dcecb9..bca2860 100644
38 
+--- a/arch/x86/include/asm/nospec-branch.h
39 
+@@ -6,6 +6,7 @@
40 
+ #include <asm/alternative.h>
41 
+ #include <asm/alternative-asm.h>
42 
+ #include <asm/cpufeatures.h>
43 
++#include <asm/msr-index.h>
44 
+
45 
+ /*
46 
+  * Fill the CPU return stack buffer.
47 
+--
48 
+2.7.4
49 
+
SPECS/linux/speculative-store-bypass/0042-x86-xen-Zero-MSR_IA32_SPEC_CTRL-before-suspend.patch
History View file @ 4ab22c2
0 50 
new file mode 100644
... ... 
@@ -0,0 +1,81 @@
0 
+From ef6c1f3ab05b6732ad1f61c1f0cace2edf1ba8ef Mon Sep 17 00:00:00 2001
1 
+From: Juergen Gross <jgross@suse.com>
2 
+Date: Thu, 14 Jun 2018 14:56:31 -0700
3 
+Subject: [PATCH 042/103] x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
4 
+
5 
+commit 71c208dd54ab971036d83ff6d9837bae4976e623 upstream.
6 
+
7 
+Older Xen versions (4.5 and before) might have problems migrating pv
8 
+guests with MSR_IA32_SPEC_CTRL having a non-zero value. So before
9 
+suspending zero that MSR and restore it after being resumed.
10 
+
11 
+Signed-off-by: Juergen Gross <jgross@suse.com>
12 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
13 
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
14 
+Cc: stable@vger.kernel.org
15 
+Cc: xen-devel@lists.xenproject.org
16 
+Cc: boris.ostrovsky@oracle.com
17 
+Link: https://lkml.kernel.org/r/20180226140818.4849-1-jgross@suse.com
18 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
20 
+---
21 
+ arch/x86/xen/suspend.c | 16 ++++++++++++++++
22 
+ 1 file changed, 16 insertions(+)
23 
+
24 
+diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c
25 
+index 7f664c4..4ecd0de 100644
26 
+--- a/arch/x86/xen/suspend.c
27 
+@@ -1,11 +1,14 @@
28 
+ #include <linux/types.h>
29 
+ #include <linux/tick.h>
30 
++#include <linux/percpu-defs.h>
31 
+
32 
+ #include <xen/xen.h>
33 
+ #include <xen/interface/xen.h>
34 
+ #include <xen/grant_table.h>
35 
+ #include <xen/events.h>
36 
+
37 
++#include <asm/cpufeatures.h>
38 
++#include <asm/msr-index.h>
39 
+ #include <asm/xen/hypercall.h>
40 
+ #include <asm/xen/page.h>
41 
+ #include <asm/fixmap.h>
42 
+@@ -68,6 +71,8 @@ static void xen_pv_post_suspend(int suspend_cancelled)
43 
+ 	xen_mm_unpin_all();
44 
+ }
45 
+
46 
++static DEFINE_PER_CPU(u64, spec_ctrl);
47 
++
48 
+ void xen_arch_pre_suspend(void)
49 
+ {
50 
+ 	if (xen_pv_domain())
51 
+@@ -84,6 +89,9 @@ void xen_arch_post_suspend(int cancelled)
52 
+
53 
+ static void xen_vcpu_notify_restore(void *data)
54 
+ {
55 
++	if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL))
56 
++		wrmsrl(MSR_IA32_SPEC_CTRL, this_cpu_read(spec_ctrl));
57 
++
58 
+ 	/* Boot processor notified via generic timekeeping_resume() */
59 
+ 	if (smp_processor_id() == 0)
60 
+ 		return;
61 
+@@ -93,7 +101,15 @@ static void xen_vcpu_notify_restore(void *data)
62 
+
63 
+ static void xen_vcpu_notify_suspend(void *data)
64 
+ {
65 
++	u64 tmp;
66 
++
67 
+ 	tick_suspend_local();
68 
++
69 
++	if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL)) {
70 
++		rdmsrl(MSR_IA32_SPEC_CTRL, tmp);
71 
++		this_cpu_write(spec_ctrl, tmp);
72 
++		wrmsrl(MSR_IA32_SPEC_CTRL, 0);
73 
++	}
74 
+ }
75 
+
76 
+ void xen_arch_resume(void)
77 
+--
78 
+2.7.4
79 
+
SPECS/linux/speculative-store-bypass/0043-x86-mm-Factor-out-LDT-init-from-context-init.patch
History View file @ 4ab22c2
0 80 
new file mode 100644
... ... 
@@ -0,0 +1,110 @@
0 
+From 9cc168774e70de9e4293103660f4f1dab00fdeb2 Mon Sep 17 00:00:00 2001
1 
+From: Dave Hansen <dave.hansen@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:32 -0700
3 
+Subject: [PATCH 043/103] x86/mm: Factor out LDT init from context init
4 
+
5 
+commit 39a0526fb3f7d93433d146304278477eb463f8af upstream
6 
+
7 
+The arch-specific mm_context_t is a great place to put
8 
+protection-key allocation state.
9 
+
10 
+But, we need to initialize the allocation state because pkey 0 is
11 
+always "allocated".  All of the runtime initialization of
12 
+mm_context_t is done in *_ldt() manipulation functions.  This
13 
+renames the existing LDT functions like this:
14 
+
15 
+	init_new_context() -> init_new_context_ldt()
16 
+	destroy_context() -> destroy_context_ldt()
17 
+
18 
+and makes init_new_context() and destroy_context() available for
19 
+generic use.
20 
+
21 
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
22 
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
23 
+Cc: Andrew Morton <akpm@linux-foundation.org>
24 
+Cc: Andy Lutomirski <luto@amacapital.net>
25 
+Cc: Borislav Petkov <bp@alien8.de>
26 
+Cc: Brian Gerst <brgerst@gmail.com>
27 
+Cc: Dave Hansen <dave@sr71.net>
28 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
29 
+Cc: H. Peter Anvin <hpa@zytor.com>
30 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
31 
+Cc: Peter Zijlstra <peterz@infradead.org>
32 
+Cc: Rik van Riel <riel@redhat.com>
33 
+Cc: linux-mm@kvack.org
34 
+Link: http://lkml.kernel.org/r/20160212210234.DB34FCC5@viggo.jf.intel.com
35 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
36 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
37 
+---
38 
+ arch/x86/include/asm/mmu_context.h | 21 ++++++++++++++++-----
39 
+ arch/x86/kernel/ldt.c              |  4 ++--
40 
+ 2 files changed, 18 insertions(+), 7 deletions(-)
41 
+
42 
+diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
43 
+index 9bfc5fd..1c4794f 100644
44 
+--- a/arch/x86/include/asm/mmu_context.h
45 
+@@ -52,15 +52,15 @@ struct ldt_struct {
46 
+ /*
47 
+  * Used for LDT copy/destruction.
48 
+  */
49 
+-int init_new_context(struct task_struct *tsk, struct mm_struct *mm);
50 
+-void destroy_context(struct mm_struct *mm);
51 
++int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm);
52 
++void destroy_context_ldt(struct mm_struct *mm);
53 
+ #else	/* CONFIG_MODIFY_LDT_SYSCALL */
54 
+-static inline int init_new_context(struct task_struct *tsk,
55 
+-				   struct mm_struct *mm)
56 
++static inline int init_new_context_ldt(struct task_struct *tsk,
57 
++				       struct mm_struct *mm)
58 
+ {
59 
+ 	return 0;
60 
+ }
61 
+-static inline void destroy_context(struct mm_struct *mm) {}
62 
++static inline void destroy_context_ldt(struct mm_struct *mm) {}
63 
+ #endif
64 
+
65 
+ static inline void load_mm_ldt(struct mm_struct *mm)
66 
+@@ -102,6 +102,17 @@ static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
67 
+ 		this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
68 
+ }
69 
+
70 
++static inline int init_new_context(struct task_struct *tsk,
71 
++				   struct mm_struct *mm)
72 
++{
73 
++	init_new_context_ldt(tsk, mm);
74 
++	return 0;
75 
++}
76 
++static inline void destroy_context(struct mm_struct *mm)
77 
++{
78 
++	destroy_context_ldt(mm);
79 
++}
80 
++
81 
+ extern void switch_mm(struct mm_struct *prev, struct mm_struct *next,
82 
+ 		      struct task_struct *tsk);
83 
+
84 
+diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
85 
+index bc42936..8bc68cf 100644
86 
+--- a/arch/x86/kernel/ldt.c
87 
+@@ -119,7 +119,7 @@ static void free_ldt_struct(struct ldt_struct *ldt)
88 
+  * we do not have to muck with descriptors here, that is
89 
+  * done in switch_mm() as needed.
90 
+  */
91 
+-int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
92 
++int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm)
93 
+ {
94 
+ 	struct ldt_struct *new_ldt;
95 
+ 	struct mm_struct *old_mm;
96 
+@@ -160,7 +160,7 @@ out_unlock:
97 
+  *
98 
+  * 64bit: Don't touch the LDT register - we're already in the next thread.
99 
+  */
100 
+-void destroy_context(struct mm_struct *mm)
101 
++void destroy_context_ldt(struct mm_struct *mm)
102 
+ {
103 
+ 	free_ldt_struct(mm->context.ldt);
104 
+ 	mm->context.ldt = NULL;
105 
+--
106 
+2.7.4
107 
+
SPECS/linux/speculative-store-bypass/0044-x86-mm-Give-each-mm-TLB-flush-generation-a-unique-ID.patch
History View file @ 4ab22c2
0 108 
new file mode 100644
... ... 
@@ -0,0 +1,117 @@
0 
+From 1a05e9453d1d554c7133e3e89b1ecc0138955fcb Mon Sep 17 00:00:00 2001
1 
+From: Andy Lutomirski <luto@kernel.org>
2 
+Date: Thu, 14 Jun 2018 14:56:33 -0700
3 
+Subject: [PATCH 044/103] x86/mm: Give each mm TLB flush generation a unique ID
4 
+
5 
+commit f39681ed0f48498b80455095376f11535feea332 upstream.
6 
+
7 
+This adds two new variables to mmu_context_t: ctx_id and tlb_gen.
8 
+ctx_id uniquely identifies the mm_struct and will never be reused.
9 
+For a given mm_struct (and hence ctx_id), tlb_gen is a monotonic
10 
+count of the number of times that a TLB flush has been requested.
11 
+The pair (ctx_id, tlb_gen) can be used as an identifier for TLB
12 
+flush actions and will be used in subsequent patches to reliably
13 
+determine whether all needed TLB flushes have occurred on a given
14 
+CPU.
15 
+
16 
+This patch is split out for ease of review.  By itself, it has no
17 
+real effect other than creating and updating the new variables.
18 
+
19 
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
20 
+Reviewed-by: Nadav Amit <nadav.amit@gmail.com>
21 
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
22 
+Cc: Andrew Morton <akpm@linux-foundation.org>
23 
+Cc: Arjan van de Ven <arjan@linux.intel.com>
24 
+Cc: Borislav Petkov <bp@alien8.de>
25 
+Cc: Dave Hansen <dave.hansen@intel.com>
26 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
27 
+Cc: Mel Gorman <mgorman@suse.de>
28 
+Cc: Peter Zijlstra <peterz@infradead.org>
29 
+Cc: Rik van Riel <riel@redhat.com>
30 
+Cc: linux-mm@kvack.org
31 
+Link: http://lkml.kernel.org/r/413a91c24dab3ed0caa5f4e4d017d87b0857f920.1498751203.git.luto@kernel.org
32 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
33 
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
34 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
35 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
36 
+---
37 
+ arch/x86/include/asm/mmu.h         | 15 +++++++++++++--
38 
+ arch/x86/include/asm/mmu_context.h |  4 ++++
39 
+ arch/x86/mm/tlb.c                  |  2 ++
40 
+ 3 files changed, 19 insertions(+), 2 deletions(-)
41 
+
42 
+diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
43 
+index 7680b76..3359dfe 100644
44 
+--- a/arch/x86/include/asm/mmu.h
45 
+@@ -3,12 +3,18 @@
46 
+
47 
+ #include <linux/spinlock.h>
48 
+ #include <linux/mutex.h>
49 
++#include <linux/atomic.h>
50 
+
51 
+ /*
52 
+- * The x86 doesn't have a mmu context, but
53 
+- * we put the segment information here.
54 
++ * x86 has arch-specific MMU state beyond what lives in mm_struct.
55 
+  */
56 
+ typedef struct {
57 
++	/*
58 
++	 * ctx_id uniquely identifies this mm_struct.  A ctx_id will never
59 
++	 * be reused, and zero is not a valid ctx_id.
60 
++	 */
61 
++	u64 ctx_id;
62 
++
63 
+ #ifdef CONFIG_MODIFY_LDT_SYSCALL
64 
+ 	struct ldt_struct *ldt;
65 
+ #endif
66 
+@@ -24,6 +30,11 @@ typedef struct {
67 
+ 	atomic_t perf_rdpmc_allowed;	/* nonzero if rdpmc is allowed */
68 
+ } mm_context_t;
69 
+
70 
++#define INIT_MM_CONTEXT(mm)						\
71 
++	.context = {							\
72 
++		.ctx_id = 1,						\
73 
++	}
74 
++
75 
+ void leave_mm(int cpu);
76 
+
77 
+ #endif /* _ASM_X86_MMU_H */
78 
+diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
79 
+index 1c4794f..effc127 100644
80 
+--- a/arch/x86/include/asm/mmu_context.h
81 
+@@ -11,6 +11,9 @@
82 
+ #include <asm/tlbflush.h>
83 
+ #include <asm/paravirt.h>
84 
+ #include <asm/mpx.h>
85 
++
86 
++extern atomic64_t last_mm_ctx_id;
87 
++
88 
+ #ifndef CONFIG_PARAVIRT
89 
+ static inline void paravirt_activate_mm(struct mm_struct *prev,
90 
+ 					struct mm_struct *next)
91 
+@@ -105,6 +108,7 @@ static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
92 
+ static inline int init_new_context(struct task_struct *tsk,
93 
+ 				   struct mm_struct *mm)
94 
+ {
95 
++	mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
96 
+ 	init_new_context_ldt(tsk, mm);
97 
+ 	return 0;
98 
+ }
99 
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
100 
+index 7cad01af..efec198 100644
101 
+--- a/arch/x86/mm/tlb.c
102 
+@@ -29,6 +29,8 @@
103 
+  *	Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
104 
+  */
105 
+
106 
++atomic64_t last_mm_ctx_id = ATOMIC64_INIT(1);
107 
++
108 
+ struct flush_tlb_info {
109 
+ 	struct mm_struct *flush_mm;
110 
+ 	unsigned long flush_start;
111 
+--
112 
+2.7.4
113 
+
SPECS/linux/speculative-store-bypass/0045-x86-speculation-Use-Indirect-Branch-Prediction-Barri.patch
History View file @ 4ab22c2
0 114 
new file mode 100644
... ... 
@@ -0,0 +1,123 @@
0 
+From 01b1d0dfbba6b22ab9a10798980e3a9a45de13f2 Mon Sep 17 00:00:00 2001
1 
+From: Tim Chen <tim.c.chen@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:33 -0700
3 
+Subject: [PATCH 045/103] x86/speculation: Use Indirect Branch Prediction
4 
+ Barrier in context switch
5 
+MIME-Version: 1.0
6 
+Content-Type: text/plain; charset=UTF-8
7 
+Content-Transfer-Encoding: 8bit
8 
+
9 
+commit 18bf3c3ea8ece8f03b6fc58508f2dfd23c7711c7 upstream.
10 
+
11 
+Flush indirect branches when switching into a process that marked itself
12 
+non dumpable. This protects high value processes like gpg better,
13 
+without having too high performance overhead.
14 
+
15 
+If done naïvely, we could switch to a kernel idle thread and then back
16 
+to the original process, such as:
17 
+
18 
+    process A -> idle -> process A
19 
+
20 
+In such scenario, we do not have to do IBPB here even though the process
21 
+is non-dumpable, as we are switching back to the same process after a
22 
+hiatus.
23 
+
24 
+To avoid the redundant IBPB, which is expensive, we track the last mm
25 
+user context ID. The cost is to have an extra u64 mm context id to track
26 
+the last mm we were using before switching to the init_mm used by idle.
27 
+Avoiding the extra IBPB is probably worth the extra memory for this
28 
+common scenario.
29 
+
30 
+For those cases where tlb_defer_switch_to_init_mm() returns true (non
31 
+PCID), lazy tlb will defer switch to init_mm, so we will not be changing
32 
+the mm for the process A -> idle -> process A switch. So IBPB will be
33 
+skipped for this case.
34 
+
35 
+Thanks to the reviewers and Andy Lutomirski for the suggestion of
36 
+using ctx_id which got rid of the problem of mm pointer recycling.
37 
+
38 
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
39 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
40 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
41 
+Cc: ak@linux.intel.com
42 
+Cc: karahmed@amazon.de
43 
+Cc: arjan@linux.intel.com
44 
+Cc: torvalds@linux-foundation.org
45 
+Cc: linux@dominikbrodowski.net
46 
+Cc: peterz@infradead.org
47 
+Cc: bp@alien8.de
48 
+Cc: luto@kernel.org
49 
+Cc: pbonzini@redhat.com
50 
+Link: https://lkml.kernel.org/r/1517263487-3708-1-git-send-email-dwmw@amazon.co.uk
51 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
52 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
53 
+---
54 
+ arch/x86/include/asm/tlbflush.h |  2 ++
55 
+ arch/x86/mm/tlb.c               | 31 +++++++++++++++++++++++++++++++
56 
+ 2 files changed, 33 insertions(+)
57 
+
58 
+diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
59 
+index e2a89d2..8ce07db 100644
60 
+--- a/arch/x86/include/asm/tlbflush.h
61 
+@@ -68,6 +68,8 @@ static inline void invpcid_flush_all_nonglobals(void)
62 
+ struct tlb_state {
63 
+ 	struct mm_struct *active_mm;
64 
+ 	int state;
65 
++	/* last user mm's ctx id */
66 
++	u64 last_ctx_id;
67 
+
68 
+ 	/*
69 
+ 	 * Access to this CR4 shadow and to H/W CR4 is protected by
70 
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
71 
+index efec198..6d683bb 100644
72 
+--- a/arch/x86/mm/tlb.c
73 
+@@ -10,6 +10,7 @@
74 
+
75 
+ #include <asm/tlbflush.h>
76 
+ #include <asm/mmu_context.h>
77 
++#include <asm/nospec-branch.h>
78 
+ #include <asm/cache.h>
79 
+ #include <asm/apic.h>
80 
+ #include <asm/uv/uv.h>
81 
+@@ -106,6 +107,36 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
82 
+ 	unsigned cpu = smp_processor_id();
83 
+
84 
+ 	if (likely(prev != next)) {
85 
++		u64 last_ctx_id = this_cpu_read(cpu_tlbstate.last_ctx_id);
86 
++
87 
++		/*
88 
++		 * Avoid user/user BTB poisoning by flushing the branch
89 
++		 * predictor when switching between processes. This stops
90 
++		 * one process from doing Spectre-v2 attacks on another.
91 
++		 *
92 
++		 * As an optimization, flush indirect branches only when
93 
++		 * switching into processes that disable dumping. This
94 
++		 * protects high value processes like gpg, without having
95 
++		 * too high performance overhead. IBPB is *expensive*!
96 
++		 *
97 
++		 * This will not flush branches when switching into kernel
98 
++		 * threads. It will also not flush if we switch to idle
99 
++		 * thread and back to the same process. It will flush if we
100 
++		 * switch to a different non-dumpable process.
101 
++		 */
102 
++		if (tsk && tsk->mm &&
103 
++		    tsk->mm->context.ctx_id != last_ctx_id &&
104 
++		    get_dumpable(tsk->mm) != SUID_DUMP_USER)
105 
++			indirect_branch_prediction_barrier();
106 
++
107 
++		/*
108 
++		 * Record last user mm's context id, so we can avoid
109 
++		 * flushing branch buffer with IBPB if we switch back
110 
++		 * to the same user.
111 
++		 */
112 
++		if (next != &init_mm)
113 
++			this_cpu_write(cpu_tlbstate.last_ctx_id, next->context.ctx_id);
114 
++
115 
+ 		this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
116 
+ 		this_cpu_write(cpu_tlbstate.active_mm, next);
117 
+ 		cpumask_set_cpu(cpu, mm_cpumask(next));
118 
+--
119 
+2.7.4
120 
+
SPECS/linux/speculative-store-bypass/0046-x86-spectre_v2-Don-t-check-microcode-versions-when-r.patch
History View file @ 4ab22c2
0 121 
new file mode 100644
... ... 
@@ -0,0 +1,61 @@
0 
+From 4bc2ba09c03a889ce9775dd38ab642b0488e743f Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:34 -0700
3 
+Subject: [PATCH 046/103] x86/spectre_v2: Don't check microcode versions when
4 
+ running under hypervisors
5 
+MIME-Version: 1.0
6 
+Content-Type: text/plain; charset=UTF-8
7 
+Content-Transfer-Encoding: 8bit
8 
+
9 
+commit 36268223c1e9981d6cfc33aff8520b3bde4b8114 upstream.
10 
+
11 
+As:
12 
+
13 
+ 1) It's known that hypervisors lie about the environment anyhow (host
14 
+    mismatch)
15 
+
16 
+ 2) Even if the hypervisor (Xen, KVM, VMWare, etc) provided a valid
17 
+    "correct" value, it all gets to be very murky when migration happens
18 
+    (do you provide the "new" microcode of the machine?).
19 
+
20 
+And in reality the cloud vendors are the ones that should make sure that
21 
+the microcode that is running is correct and we should just sing lalalala
22 
+and trust them.
23 
+
24 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
25 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
26 
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
27 
+Cc: Wanpeng Li <kernellwp@gmail.com>
28 
+Cc: kvm <kvm@vger.kernel.org>
29 
+Cc: Krčmář <rkrcmar@redhat.com>
30 
+Cc: Borislav Petkov <bp@alien8.de>
31 
+CC: "H. Peter Anvin" <hpa@zytor.com>
32 
+CC: stable@vger.kernel.org
33 
+Link: https://lkml.kernel.org/r/20180226213019.GE9497@char.us.oracle.com
34 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
35 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
36 
+---
37 
+ arch/x86/kernel/cpu/intel.c | 7 +++++++
38 
+ 1 file changed, 7 insertions(+)
39 
+
40 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
41 
+index b69d258..dcc0349 100644
42 
+--- a/arch/x86/kernel/cpu/intel.c
43 
+@@ -68,6 +68,13 @@ static bool bad_spectre_microcode(struct cpuinfo_x86 *c)
44 
+ {
45 
+ 	int i;
46 
+
47 
++	/*
48 
++	 * We know that the hypervisor lie to us on the microcode version so
49 
++	 * we may as well hope that it is running the correct version.
50 
++	 */
51 
++	if (cpu_has(c, X86_FEATURE_HYPERVISOR))
52 
++		return false;
53 
++
54 
+ 	for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
55 
+ 		if (c->x86_model == spectre_bad_microcodes[i].model &&
56 
+ 		    c->x86_mask == spectre_bad_microcodes[i].stepping)
57 
+--
58 
+2.7.4
59 
+
SPECS/linux/speculative-store-bypass/0047-x86-speculation-Use-IBRS-if-available-before-calling.patch
History View file @ 4ab22c2
0 60 
new file mode 100644
... ... 
@@ -0,0 +1,259 @@
0 
+From aa9bee07f9b20c66b6bc9c3332d528ead21d61d7 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:34 -0700
3 
+Subject: [PATCH 047/103] x86/speculation: Use IBRS if available before calling
4 
+ into firmware
5 
+
6 
+commit dd84441a797150dcc49298ec95c459a8891d8bb1 upstream.
7 
+
8 
+Retpoline means the kernel is safe because it has no indirect branches.
9 
+But firmware isn't, so use IBRS for firmware calls if it's available.
10 
+
11 
+Block preemption while IBRS is set, although in practice the call sites
12 
+already had to be doing that.
13 
+
14 
+Ignore hpwdt.c for now. It's taking spinlocks and calling into firmware
15 
+code, from an NMI handler. I don't want to touch that with a bargepole.
16 
+
17 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
18 
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
19 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
20 
+Cc: Peter Zijlstra <peterz@infradead.org>
21 
+Cc: arjan.van.de.ven@intel.com
22 
+Cc: bp@alien8.de
23 
+Cc: dave.hansen@intel.com
24 
+Cc: jmattson@google.com
25 
+Cc: karahmed@amazon.de
26 
+Cc: kvm@vger.kernel.org
27 
+Cc: pbonzini@redhat.com
28 
+Cc: rkrcmar@redhat.com
29 
+Link: http://lkml.kernel.org/r/1519037457-7643-2-git-send-email-dwmw@amazon.co.uk
30 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
31 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
32 
+[ Srivatsa: Backported to 4.4.y, patching the efi_call_virt() family of functions,
33 
+  which are the 4.4.y-equivalents of arch_efi_call_virt_setup()/teardown() ]
34 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
35 
+---
36 
+ arch/x86/include/asm/apm.h           |  6 ++++++
37 
+ arch/x86/include/asm/cpufeatures.h   |  1 +
38 
+ arch/x86/include/asm/efi.h           |  7 +++++++
39 
+ arch/x86/include/asm/nospec-branch.h | 39 +++++++++++++++++++++++++++---------
40 
+ arch/x86/kernel/cpu/bugs.c           | 12 ++++++++++-
41 
+ arch/x86/platform/efi/efi_64.c       |  3 +++
42 
+ 6 files changed, 58 insertions(+), 10 deletions(-)
43 
+
44 
+diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h
45 
+index 20370c6..3d1ec41 100644
46 
+--- a/arch/x86/include/asm/apm.h
47 
+@@ -6,6 +6,8 @@
48 
+ #ifndef _ASM_X86_MACH_DEFAULT_APM_H
49 
+ #define _ASM_X86_MACH_DEFAULT_APM_H
50 
+
51 
++#include <asm/nospec-branch.h>
52 
++
53 
+ #ifdef APM_ZERO_SEGS
54 
+ #	define APM_DO_ZERO_SEGS \
55 
+ 		"pushl %%ds\n\t" \
56 
+@@ -31,6 +33,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
57 
+ 	 * N.B. We do NOT need a cld after the BIOS call
58 
+ 	 * because we always save and restore the flags.
59 
+ 	 */
60 
++	firmware_restrict_branch_speculation_start();
61 
+ 	__asm__ __volatile__(APM_DO_ZERO_SEGS
62 
+ 		"pushl %%edi\n\t"
63 
+ 		"pushl %%ebp\n\t"
64 
+@@ -43,6 +46,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
65 
+ 		  "=S" (*esi)
66 
+ 		: "a" (func), "b" (ebx_in), "c" (ecx_in)
67 
+ 		: "memory", "cc");
68 
++	firmware_restrict_branch_speculation_end();
69 
+ }
70 
+
71 
+ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
72 
+@@ -55,6 +59,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
73 
+ 	 * N.B. We do NOT need a cld after the BIOS call
74 
+ 	 * because we always save and restore the flags.
75 
+ 	 */
76 
++	firmware_restrict_branch_speculation_start();
77 
+ 	__asm__ __volatile__(APM_DO_ZERO_SEGS
78 
+ 		"pushl %%edi\n\t"
79 
+ 		"pushl %%ebp\n\t"
80 
+@@ -67,6 +72,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
81 
+ 		  "=S" (si)
82 
+ 		: "a" (func), "b" (ebx_in), "c" (ecx_in)
83 
+ 		: "memory", "cc");
84 
++	firmware_restrict_branch_speculation_end();
85 
+ 	return error;
86 
+ }
87 
+
88 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
89 
+index cb40c83..a123acd 100644
90 
+--- a/arch/x86/include/asm/cpufeatures.h
91 
+@@ -202,6 +202,7 @@
92 
+ #define X86_FEATURE_KAISER	( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
93 
+
94 
+ #define X86_FEATURE_USE_IBPB	( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/
95 
++#define X86_FEATURE_USE_IBRS_FW	( 7*32+22) /* "" Use IBRS during runtime firmware calls */
96 
+
97 
+ /* Virtualization flags: Linux defined, word 8 */
98 
+ #define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
99 
+diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
100 
+index 0010c78..7e5a2ff 100644
101 
+--- a/arch/x86/include/asm/efi.h
102 
+@@ -3,6 +3,7 @@
103 
+
104 
+ #include <asm/fpu/api.h>
105 
+ #include <asm/pgtable.h>
106 
++#include <asm/nospec-branch.h>
107 
+
108 
+ /*
109 
+  * We map the EFI regions needed for runtime services non-contiguously,
110 
+@@ -39,8 +40,10 @@ extern unsigned long asmlinkage efi_call_phys(void *, ...);
111 
+ ({									\
112 
+ 	efi_status_t __s;						\
113 
+ 	kernel_fpu_begin();						\
114 
++	firmware_restrict_branch_speculation_start();			\
115 
+ 	__s = ((efi_##f##_t __attribute__((regparm(0)))*)		\
116 
+ 		efi.systab->runtime->f)(args);				\
117 
++	firmware_restrict_branch_speculation_end();			\
118 
+ 	kernel_fpu_end();						\
119 
+ 	__s;								\
120 
+ })
121 
+@@ -49,8 +52,10 @@ extern unsigned long asmlinkage efi_call_phys(void *, ...);
122 
+ #define __efi_call_virt(f, args...) \
123 
+ ({									\
124 
+ 	kernel_fpu_begin();						\
125 
++	firmware_restrict_branch_speculation_start();			\
126 
+ 	((efi_##f##_t __attribute__((regparm(0)))*)			\
127 
+ 		efi.systab->runtime->f)(args);				\
128 
++	firmware_restrict_branch_speculation_end();			\
129 
+ 	kernel_fpu_end();						\
130 
+ })
131 
+
132 
+@@ -71,7 +76,9 @@ extern u64 asmlinkage efi_call(void *fp, ...);
133 
+ 	efi_sync_low_kernel_mappings();					\
134 
+ 	preempt_disable();						\
135 
+ 	__kernel_fpu_begin();						\
136 
++	firmware_restrict_branch_speculation_start();			\
137 
+ 	__s = efi_call((void *)efi.systab->runtime->f, __VA_ARGS__);	\
138 
++	firmware_restrict_branch_speculation_end();			\
139 
+ 	__kernel_fpu_end();						\
140 
+ 	preempt_enable();						\
141 
+ 	__s;								\
142 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
143 
+index bca2860..36ded24 100644
144 
+--- a/arch/x86/include/asm/nospec-branch.h
145 
+@@ -195,17 +195,38 @@ static inline void vmexit_fill_RSB(void)
146 
+ #endif
147 
+ }
148 
+
149 
++#define alternative_msr_write(_msr, _val, _feature)		\
150 
++	asm volatile(ALTERNATIVE("",				\
151 
++				 "movl %[msr], %%ecx\n\t"	\
152 
++				 "movl %[val], %%eax\n\t"	\
153 
++				 "movl $0, %%edx\n\t"		\
154 
++				 "wrmsr",			\
155 
++				 _feature)			\
156 
++		     : : [msr] "i" (_msr), [val] "i" (_val)	\
157 
++		     : "eax", "ecx", "edx", "memory")
158 
++
159 
+ static inline void indirect_branch_prediction_barrier(void)
160 
+ {
161 
+-	asm volatile(ALTERNATIVE("",
162 
+-				 "movl %[msr], %%ecx\n\t"
163 
+-				 "movl %[val], %%eax\n\t"
164 
+-				 "movl $0, %%edx\n\t"
165 
+-				 "wrmsr",
166 
+-				 X86_FEATURE_USE_IBPB)
167 
+-		     : : [msr] "i" (MSR_IA32_PRED_CMD),
168 
+-			 [val] "i" (PRED_CMD_IBPB)
169 
+-		     : "eax", "ecx", "edx", "memory");
170 
++	alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB,
171 
++			      X86_FEATURE_USE_IBPB);
172 
++}
173 
++
174 
++/*
175 
++ * With retpoline, we must use IBRS to restrict branch prediction
176 
++ * before calling into firmware.
177 
++ */
178 
++static inline void firmware_restrict_branch_speculation_start(void)
179 
++{
180 
++	preempt_disable();
181 
++	alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,
182 
++			      X86_FEATURE_USE_IBRS_FW);
183 
++}
184 
++
185 
++static inline void firmware_restrict_branch_speculation_end(void)
186 
++{
187 
++	alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,
188 
++			      X86_FEATURE_USE_IBRS_FW);
189 
++	preempt_enable();
190 
+ }
191 
+
192 
+ #endif /* __ASSEMBLY__ */
193 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
194 
+index fea368d..b294fdc 100644
195 
+--- a/arch/x86/kernel/cpu/bugs.c
196 
+@@ -300,6 +300,15 @@ retpoline_auto:
197 
+ 		setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
198 
+ 		pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
199 
+ 	}
200 
++
201 
++	/*
202 
++	 * Retpoline means the kernel is safe because it has no indirect
203 
++	 * branches. But firmware isn't, so use IBRS to protect that.
204 
++	 */
205 
++	if (boot_cpu_has(X86_FEATURE_IBRS)) {
206 
++		setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
207 
++		pr_info("Enabling Restricted Speculation for firmware calls\n");
208 
++	}
209 
+ }
210 
+
211 
+ #undef pr_fmt
212 
+@@ -326,8 +335,9 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c
213 
+ 	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
214 
+ 		return sprintf(buf, "Not affected\n");
215 
+
216 
+-	return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
217 
++	return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
218 
+ 		       boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
219 
++		       boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
220 
+ 		       spectre_v2_module_string());
221 
+ }
222 
+ #endif
223 
+diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
224 
+index a0ac0f9..f5a8cd9 100644
225 
+--- a/arch/x86/platform/efi/efi_64.c
226 
+@@ -40,6 +40,7 @@
227 
+ #include <asm/fixmap.h>
228 
+ #include <asm/realmode.h>
229 
+ #include <asm/time.h>
230 
++#include <asm/nospec-branch.h>
231 
+
232 
+ /*
233 
+  * We allocate runtime services regions bottom-up, starting from -4G, i.e.
234 
+@@ -347,6 +348,7 @@ extern efi_status_t efi64_thunk(u32, ...);
235 
+ 									\
236 
+ 	efi_sync_low_kernel_mappings();					\
237 
+ 	local_irq_save(flags);						\
238 
++	firmware_restrict_branch_speculation_start();			\
239 
+ 									\
240 
+ 	efi_scratch.prev_cr3 = read_cr3();				\
241 
+ 	write_cr3((unsigned long)efi_scratch.efi_pgt);			\
242 
+@@ -357,6 +359,7 @@ extern efi_status_t efi64_thunk(u32, ...);
243 
+ 									\
244 
+ 	write_cr3(efi_scratch.prev_cr3);				\
245 
+ 	__flush_tlb_all();						\
246 
++	firmware_restrict_branch_speculation_end();			\
247 
+ 	local_irq_restore(flags);					\
248 
+ 									\
249 
+ 	__s;								\
250 
+--
251 
+2.7.4
252 
+
SPECS/linux/speculative-store-bypass/0048-x86-speculation-Move-firmware_restrict_branch_specul.patch
History View file @ 4ab22c2
0 253 
new file mode 100644
... ... 
@@ -0,0 +1,77 @@
0 
+From 954deb19c7e5f6d0c37019c56edfc6d172db93cb Mon Sep 17 00:00:00 2001
1 
+From: Ingo Molnar <mingo@kernel.org>
2 
+Date: Thu, 14 Jun 2018 14:56:35 -0700
3 
+Subject: [PATCH 048/103] x86/speculation: Move
4 
+ firmware_restrict_branch_speculation_*() from C to CPP
5 
+
6 
+commit d72f4e29e6d84b7ec02ae93088aa459ac70e733b upstream.
7 
+
8 
+firmware_restrict_branch_speculation_*() recently started using
9 
+preempt_enable()/disable(), but those are relatively high level
10 
+primitives and cause build failures on some 32-bit builds.
11 
+
12 
+Since we want to keep <asm/nospec-branch.h> low level, convert
13 
+them to macros to avoid header hell...
14 
+
15 
+Cc: David Woodhouse <dwmw@amazon.co.uk>
16 
+Cc: Thomas Gleixner <tglx@linutronix.de>
17 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
18 
+Cc: Peter Zijlstra <peterz@infradead.org>
19 
+Cc: arjan.van.de.ven@intel.com
20 
+Cc: bp@alien8.de
21 
+Cc: dave.hansen@intel.com
22 
+Cc: jmattson@google.com
23 
+Cc: karahmed@amazon.de
24 
+Cc: kvm@vger.kernel.org
25 
+Cc: pbonzini@redhat.com
26 
+Cc: rkrcmar@redhat.com
27 
+Cc: linux-kernel@vger.kernel.org
28 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
29 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
30 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
31 
+---
32 
+ arch/x86/include/asm/nospec-branch.h | 26 ++++++++++++++------------
33 
+ 1 file changed, 14 insertions(+), 12 deletions(-)
34 
+
35 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
36 
+index 36ded24..b9dd1d9 100644
37 
+--- a/arch/x86/include/asm/nospec-branch.h
38 
+@@ -214,20 +214,22 @@ static inline void indirect_branch_prediction_barrier(void)
39 
+ /*
40 
+  * With retpoline, we must use IBRS to restrict branch prediction
41 
+  * before calling into firmware.
42 
++ *
43 
++ * (Implemented as CPP macros due to header hell.)
44 
+  */
45 
+-static inline void firmware_restrict_branch_speculation_start(void)
46 
+-{
47 
+-	preempt_disable();
48 
+-	alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,
49 
+-			      X86_FEATURE_USE_IBRS_FW);
50 
+-}
51 
++#define firmware_restrict_branch_speculation_start()			\
52 
++do {									\
53 
++	preempt_disable();						\
54 
++	alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,	\
55 
++			      X86_FEATURE_USE_IBRS_FW);			\
56 
++} while (0)
57 
+
58 
+-static inline void firmware_restrict_branch_speculation_end(void)
59 
+-{
60 
+-	alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,
61 
+-			      X86_FEATURE_USE_IBRS_FW);
62 
+-	preempt_enable();
63 
+-}
64 
++#define firmware_restrict_branch_speculation_end()			\
65 
++do {									\
66 
++	alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,			\
67 
++			      X86_FEATURE_USE_IBRS_FW);			\
68 
++	preempt_enable();						\
69 
++} while (0)
70 
+
71 
+ #endif /* __ASSEMBLY__ */
72 
+
73 
+--
74 
+2.7.4
75 
+
SPECS/linux/speculative-store-bypass/0049-x86-speculation-Remove-Skylake-C2-from-Speculation-C.patch
History View file @ 4ab22c2
0 76 
new file mode 100644
... ... 
@@ -0,0 +1,49 @@
0 
+From 4d58d3b37fe8a76ffe4f32c65c2a77206f013b21 Mon Sep 17 00:00:00 2001
1 
+From: Alexander Sergeyev <sergeev917@gmail.com>
2 
+Date: Thu, 14 Jun 2018 14:56:35 -0700
3 
+Subject: [PATCH 049/103] x86/speculation: Remove Skylake C2 from Speculation
4 
+ Control microcode blacklist
5 
+
6 
+commit e3b3121fa8da94cb20f9e0c64ab7981ae47fd085 upstream.
7 
+
8 
+In accordance with Intel's microcode revision guidance from March 6 MCU
9 
+rev 0xc2 is cleared on both Skylake H/S and Skylake Xeon E3 processors
10 
+that share CPUID 506E3.
11 
+
12 
+Signed-off-by: Alexander Sergeyev <sergeev917@gmail.com>
13 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
14 
+Cc: Jia Zhang <qianyue.zj@alibaba-inc.com>
15 
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
16 
+Cc: Kyle Huey <me@kylehuey.com>
17 
+Cc: David Woodhouse <dwmw@amazon.co.uk>
18 
+Link: https://lkml.kernel.org/r/20180313193856.GA8580@localhost.localdomain
19 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
20 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
21 
+---
22 
+ arch/x86/kernel/cpu/intel.c | 3 +--
23 
+ 1 file changed, 1 insertion(+), 2 deletions(-)
24 
+
25 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
26 
+index dcc0349..77d9f68 100644
27 
+--- a/arch/x86/kernel/cpu/intel.c
28 
+@@ -29,7 +29,7 @@
29 
+ /*
30 
+  * Early microcode releases for the Spectre v2 mitigation were broken.
31 
+  * Information taken from;
32 
+- * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf
33 
++ * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf
34 
+  * - https://kb.vmware.com/s/article/52345
35 
+  * - Microcode revisions observed in the wild
36 
+  * - Release note from 20180108 microcode release
37 
+@@ -47,7 +47,6 @@ static const struct sku_microcode spectre_bad_microcodes[] = {
38 
+ 	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x09,	0x80 },
39 
+ 	{ INTEL_FAM6_SKYLAKE_X,		0x03,	0x0100013e },
40 
+ 	{ INTEL_FAM6_SKYLAKE_X,		0x04,	0x0200003c },
41 
+-	{ INTEL_FAM6_SKYLAKE_DESKTOP,	0x03,	0xc2 },
42 
+ 	{ INTEL_FAM6_BROADWELL_CORE,	0x04,	0x28 },
43 
+ 	{ INTEL_FAM6_BROADWELL_GT3E,	0x01,	0x1b },
44 
+ 	{ INTEL_FAM6_BROADWELL_XEON_D,	0x02,	0x14 },
45 
+--
46 
+2.7.4
47 
+
SPECS/linux/speculative-store-bypass/0050-selftest-seccomp-Fix-the-flag-name-SECCOMP_FILTER_FL.patch
History View file @ 4ab22c2
0 48 
new file mode 100644
... ... 
@@ -0,0 +1,107 @@
0 
+From 80a5e387f3e0e49b5ec55dafb17087e6948eb8c5 Mon Sep 17 00:00:00 2001
1 
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
2 
+Date: Thu, 14 Jun 2018 14:56:36 -0700
3 
+Subject: [PATCH 050/103] selftest/seccomp: Fix the flag name
4 
+ SECCOMP_FILTER_FLAG_TSYNC
5 
+MIME-Version: 1.0
6 
+Content-Type: text/plain; charset=UTF-8
7 
+Content-Transfer-Encoding: 8bit
8 
+
9 
+commit 6c045d07bb305c527140bdec4cf8ab50f7c980d8 upstream
10 
+
11 
+Rename SECCOMP_FLAG_FILTER_TSYNC to SECCOMP_FILTER_FLAG_TSYNC to match
12 
+the UAPI.
13 
+
14 
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
15 
+Cc: Andy Lutomirski <luto@amacapital.net>
16 
+Cc: Kees Cook <keescook@chromium.org>
17 
+Cc: Shuah Khan <shuahkh@osg.samsung.com>
18 
+Cc: Will Drewry <wad@chromium.org>
19 
+Acked-by: Kees Cook <keescook@chromium.org>
20 
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
21 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
22 
+---
23 
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 18 +++++++++---------
24 
+ 1 file changed, 9 insertions(+), 9 deletions(-)
25 
+
26 
+diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
27 
+index 882fe83..d446346 100644
28 
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
29 
+@@ -1476,8 +1476,8 @@ TEST_F(TRACE_syscall, syscall_dropped)
30 
+ #define SECCOMP_SET_MODE_FILTER 1
31 
+ #endif
32 
+
33 
+-#ifndef SECCOMP_FLAG_FILTER_TSYNC
34 
+-#define SECCOMP_FLAG_FILTER_TSYNC 1
35 
++#ifndef SECCOMP_FILTER_FLAG_TSYNC
36 
++#define SECCOMP_FILTER_FLAG_TSYNC 1
37 
+ #endif
38 
+
39 
+ #ifndef seccomp
40 
+@@ -1592,7 +1592,7 @@ TEST(TSYNC_first)
41 
+ 		TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
42 
+ 	}
43 
+
44 
+-	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
45 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
46 
+ 		      &prog);
47 
+ 	ASSERT_NE(ENOSYS, errno) {
48 
+ 		TH_LOG("Kernel does not support seccomp syscall!");
49 
+@@ -1810,7 +1810,7 @@ TEST_F(TSYNC, two_siblings_with_ancestor)
50 
+ 		self->sibling_count++;
51 
+ 	}
52 
+
53 
+-	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
54 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
55 
+ 		      &self->apply_prog);
56 
+ 	ASSERT_EQ(0, ret) {
57 
+ 		TH_LOG("Could install filter on all threads!");
58 
+@@ -1871,7 +1871,7 @@ TEST_F(TSYNC, two_siblings_with_no_filter)
59 
+ 		TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!");
60 
+ 	}
61 
+
62 
+-	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
63 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
64 
+ 		      &self->apply_prog);
65 
+ 	ASSERT_NE(ENOSYS, errno) {
66 
+ 		TH_LOG("Kernel does not support seccomp syscall!");
67 
+@@ -1919,7 +1919,7 @@ TEST_F(TSYNC, two_siblings_with_one_divergence)
68 
+ 		self->sibling_count++;
69 
+ 	}
70 
+
71 
+-	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
72 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
73 
+ 		      &self->apply_prog);
74 
+ 	ASSERT_EQ(self->sibling[0].system_tid, ret) {
75 
+ 		TH_LOG("Did not fail on diverged sibling.");
76 
+@@ -1971,7 +1971,7 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
77 
+ 		TH_LOG("Kernel does not support SECCOMP_SET_MODE_FILTER!");
78 
+ 	}
79 
+
80 
+-	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
81 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
82 
+ 		      &self->apply_prog);
83 
+ 	ASSERT_EQ(ret, self->sibling[0].system_tid) {
84 
+ 		TH_LOG("Did not fail on diverged sibling.");
85 
+@@ -2000,7 +2000,7 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
86 
+ 	/* Switch to the remaining sibling */
87 
+ 	sib = !sib;
88 
+
89 
+-	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
90 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
91 
+ 		      &self->apply_prog);
92 
+ 	ASSERT_EQ(0, ret) {
93 
+ 		TH_LOG("Expected the remaining sibling to sync");
94 
+@@ -2023,7 +2023,7 @@ TEST_F(TSYNC, two_siblings_not_under_filter)
95 
+ 	while (!kill(self->sibling[sib].system_tid, 0))
96 
+ 		sleep(0.1);
97 
+
98 
+-	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FLAG_FILTER_TSYNC,
99 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
100 
+ 		      &self->apply_prog);
101 
+ 	ASSERT_EQ(0, ret);  /* just us chickens */
102 
+ }
103 
+--
104 
+2.7.4
105 
+
SPECS/linux/speculative-store-bypass/0051-selftest-seccomp-Fix-the-seccomp-2-signature.patch
History View file @ 4ab22c2
0 106 
new file mode 100644
... ... 
@@ -0,0 +1,42 @@
0 
+From f8c700e732a8ffcb487bf49fdb9d890a9c4b7bc2 Mon Sep 17 00:00:00 2001
1 
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
2 
+Date: Thu, 14 Jun 2018 14:56:36 -0700
3 
+Subject: [PATCH 051/103] selftest/seccomp: Fix the seccomp(2) signature
4 
+MIME-Version: 1.0
5 
+Content-Type: text/plain; charset=UTF-8
6 
+Content-Transfer-Encoding: 8bit
7 
+
8 
+commit 505ce68c6da3432454c62e43c24a22ea5b1d754b upstream
9 
+
10 
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
11 
+Cc: Andy Lutomirski <luto@amacapital.net>
12 
+Cc: Kees Cook <keescook@chromium.org>
13 
+Cc: Shuah Khan <shuahkh@osg.samsung.com>
14 
+Cc: Will Drewry <wad@chromium.org>
15 
+Acked-by: Kees Cook <keescook@chromium.org>
16 
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
17 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
18 
+---
19 
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 4 ++--
20 
+ 1 file changed, 2 insertions(+), 2 deletions(-)
21 
+
22 
+diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
23 
+index d446346..29487e0 100644
24 
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
25 
+@@ -1481,10 +1481,10 @@ TEST_F(TRACE_syscall, syscall_dropped)
26 
+ #endif
27 
+
28 
+ #ifndef seccomp
29 
+-int seccomp(unsigned int op, unsigned int flags, struct sock_fprog *filter)
30 
++int seccomp(unsigned int op, unsigned int flags, void *args)
31 
+ {
32 
+ 	errno = 0;
33 
+-	return syscall(__NR_seccomp, op, flags, filter);
34 
++	return syscall(__NR_seccomp, op, flags, args);
35 
+ }
36 
+ #endif
37 
+
38 
+--
39 
+2.7.4
40 
+
SPECS/linux/speculative-store-bypass/0052-xen-set-cpu-capabilities-from-xen_start_kernel.patch
History View file @ 4ab22c2
0 41 
new file mode 100644
... ... 
@@ -0,0 +1,73 @@
0 
+From a7d0c021ad35a753c2ca222c9efacc6a7a187596 Mon Sep 17 00:00:00 2001
1 
+From: Juergen Gross <jgross@suse.com>
2 
+Date: Thu, 14 Jun 2018 14:56:37 -0700
3 
+Subject: [PATCH 052/103] xen: set cpu capabilities from xen_start_kernel()
4 
+
5 
+Upstream commit: 0808e80cb760de2733c0527d2090ed2205a1eef8 ("xen: set
6 
+cpu capabilities from xen_start_kernel()")
7 
+
8 
+There is no need to set the same capabilities for each cpu
9 
+individually. This can easily be done for all cpus when starting the
10 
+kernel.
11 
+
12 
+Signed-off-by: Juergen Gross <jgross@suse.com>
13 
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
14 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
15 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
16 
+---
17 
+ arch/x86/xen/enlighten.c | 18 +++++++++---------
18 
+ 1 file changed, 9 insertions(+), 9 deletions(-)
19 
+
20 
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
21 
+index cbef64b..2d7ab4e 100644
22 
+--- a/arch/x86/xen/enlighten.c
23 
+@@ -460,6 +460,14 @@ static void __init xen_init_cpuid_mask(void)
24 
+ 		cpuid_leaf1_ecx_set_mask = (1 << (X86_FEATURE_MWAIT % 32));
25 
+ }
26 
+
27 
++static void __init xen_init_capabilities(void)
28 
++{
29 
++	if (xen_pv_domain()) {
30 
++		setup_clear_cpu_cap(X86_BUG_SYSRET_SS_ATTRS);
31 
++		setup_force_cpu_cap(X86_FEATURE_XENPV);
32 
++	}
33 
++}
34 
++
35 
+ static void xen_set_debugreg(int reg, unsigned long val)
36 
+ {
37 
+ 	HYPERVISOR_set_debugreg(reg, val);
38 
+@@ -1587,6 +1595,7 @@ asmlinkage __visible void __init xen_start_kernel(void)
39 
+
40 
+ 	xen_init_irq_ops();
41 
+ 	xen_init_cpuid_mask();
42 
++	xen_init_capabilities();
43 
+
44 
+ #ifdef CONFIG_X86_LOCAL_APIC
45 
+ 	/*
46 
+@@ -1883,14 +1892,6 @@ bool xen_hvm_need_lapic(void)
47 
+ }
48 
+ EXPORT_SYMBOL_GPL(xen_hvm_need_lapic);
49 
+
50 
+-static void xen_set_cpu_features(struct cpuinfo_x86 *c)
51 
+-{
52 
+-	if (xen_pv_domain()) {
53 
+-		clear_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
54 
+-		set_cpu_cap(c, X86_FEATURE_XENPV);
55 
+-	}
56 
+-}
57 
+-
58 
+ const struct hypervisor_x86 x86_hyper_xen = {
59 
+ 	.name			= "Xen",
60 
+ 	.detect			= xen_platform,
61 
+@@ -1898,7 +1899,6 @@ const struct hypervisor_x86 x86_hyper_xen = {
62 
+ 	.init_platform		= xen_hvm_guest_init,
63 
+ #endif
64 
+ 	.x2apic_available	= xen_x2apic_para_available,
65 
+-	.set_cpu_features       = xen_set_cpu_features,
66 
+ };
67 
+ EXPORT_SYMBOL(x86_hyper_xen);
68 
+
69 
+--
70 
+2.7.4
71 
+
SPECS/linux/speculative-store-bypass/0053-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch
History View file @ 4ab22c2
0 72 
new file mode 100644
... ... 
@@ -0,0 +1,67 @@
0 
+From 4ae94fa3125c8f0f8a4318175274fa9505b2e0e3 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:38 -0700
3 
+Subject: [PATCH 053/103] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS when
4 
+ running under Xen
5 
+
6 
+commit def9331a12977770cc6132d79f8e6565871e8e38 upstream
7 
+
8 
+When running as Xen pv guest X86_BUG_SYSRET_SS_ATTRS must not be set
9 
+on AMD cpus.
10 
+
11 
+This bug/feature bit is kind of special as it will be used very early
12 
+when switching threads. Setting the bit and clearing it a little bit
13 
+later leaves a critical window where things can go wrong. This time
14 
+window has enlarged a little bit by using setup_clear_cpu_cap() instead
15 
+of the hypervisor's set_cpu_features callback. It seems this larger
16 
+window now makes it rather easy to hit the problem.
17 
+
18 
+The proper solution is to never set the bit in case of Xen.
19 
+
20 
+Signed-off-by: Juergen Gross <jgross@suse.com>
21 
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
22 
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
23 
+Signed-off-by: Juergen Gross <jgross@suse.com>
24 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
25 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
27 
+---
28 
+ arch/x86/kernel/cpu/amd.c | 5 +++--
29 
+ arch/x86/xen/enlighten.c  | 4 +---
30 
+ 2 files changed, 4 insertions(+), 5 deletions(-)
31 
+
32 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
33 
+index f4fb8f5..9b29414 100644
34 
+--- a/arch/x86/kernel/cpu/amd.c
35 
+@@ -791,8 +791,9 @@ static void init_amd(struct cpuinfo_x86 *c)
36 
+ 		if (cpu_has(c, X86_FEATURE_3DNOW) || cpu_has(c, X86_FEATURE_LM))
37 
+ 			set_cpu_cap(c, X86_FEATURE_3DNOWPREFETCH);
38 
+
39 
+-	/* AMD CPUs don't reset SS attributes on SYSRET */
40 
+-	set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
41 
++	/* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */
42 
++	if (!cpu_has(c, X86_FEATURE_XENPV))
43 
++		set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
44 
+ }
45 
+
46 
+ #ifdef CONFIG_X86_32
47 
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
48 
+index 2d7ab4e..82fd84d 100644
49 
+--- a/arch/x86/xen/enlighten.c
50 
+@@ -462,10 +462,8 @@ static void __init xen_init_cpuid_mask(void)
51 
+
52 
+ static void __init xen_init_capabilities(void)
53 
+ {
54 
+-	if (xen_pv_domain()) {
55 
+-		setup_clear_cpu_cap(X86_BUG_SYSRET_SS_ATTRS);
56 
++	if (xen_pv_domain())
57 
+ 		setup_force_cpu_cap(X86_FEATURE_XENPV);
58 
+-	}
59 
+ }
60 
+
61 
+ static void xen_set_debugreg(int reg, unsigned long val)
62 
+--
63 
+2.7.4
64 
+
SPECS/linux/speculative-store-bypass/0054-x86-nospec-Simplify-alternative_msr_write.patch
History View file @ 4ab22c2
0 65 
new file mode 100644
... ... 
@@ -0,0 +1,72 @@
0 
+From 76a3a7429a0da7e1634e1f80ca28f8571508b817 Mon Sep 17 00:00:00 2001
1 
+From: Linus Torvalds <torvalds@linux-foundation.org>
2 
+Date: Thu, 14 Jun 2018 14:56:38 -0700
3 
+Subject: [PATCH 054/103] x86/nospec: Simplify alternative_msr_write()
4 
+
5 
+commit 1aa7a5735a41418d8e01fa7c9565eb2657e2ea3f upstream
6 
+
7 
+The macro is not type safe and I did look for why that "g" constraint for
8 
+the asm doesn't work: it's because the asm is more fundamentally wrong.
9 
+
10 
+It does
11 
+
12 
+        movl %[val], %%eax
13 
+
14 
+but "val" isn't a 32-bit value, so then gcc will pass it in a register,
15 
+and generate code like
16 
+
17 
+        movl %rsi, %eax
18 
+
19 
+and gas will complain about a nonsensical 'mov' instruction (it's moving a
20 
+64-bit register to a 32-bit one).
21 
+
22 
+Passing it through memory will just hide the real bug - gcc still thinks
23 
+the memory location is 64-bit, but the "movl" will only load the first 32
24 
+bits and it all happens to work because x86 is little-endian.
25 
+
26 
+Convert it to a type safe inline function with a little trick which hands
27 
+the feature into the ALTERNATIVE macro.
28 
+
29 
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
31 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
32 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
33 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
34 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
35 
+---
36 
+ arch/x86/include/asm/nospec-branch.h | 19 ++++++++++---------
37 
+ 1 file changed, 10 insertions(+), 9 deletions(-)
38 
+
39 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
40 
+index b9dd1d9..6403016 100644
41 
+--- a/arch/x86/include/asm/nospec-branch.h
42 
+@@ -195,15 +195,16 @@ static inline void vmexit_fill_RSB(void)
43 
+ #endif
44 
+ }
45 
+
46 
+-#define alternative_msr_write(_msr, _val, _feature)		\
47 
+-	asm volatile(ALTERNATIVE("",				\
48 
+-				 "movl %[msr], %%ecx\n\t"	\
49 
+-				 "movl %[val], %%eax\n\t"	\
50 
+-				 "movl $0, %%edx\n\t"		\
51 
+-				 "wrmsr",			\
52 
+-				 _feature)			\
53 
+-		     : : [msr] "i" (_msr), [val] "i" (_val)	\
54 
+-		     : "eax", "ecx", "edx", "memory")
55 
++static __always_inline
56 
++void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature)
57 
++{
58 
++	asm volatile(ALTERNATIVE("", "wrmsr", %c[feature])
59 
++		: : "c" (msr),
60 
++		    "a" (val),
61 
++		    "d" (val >> 32),
62 
++		    [feature] "i" (feature)
63 
++		: "memory");
64 
++}
65 
+
66 
+ static inline void indirect_branch_prediction_barrier(void)
67 
+ {
68 
+--
69 
+2.7.4
70 
+
SPECS/linux/speculative-store-bypass/0055-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch
History View file @ 4ab22c2
0 71 
new file mode 100644
... ... 
@@ -0,0 +1,76 @@
0 
+From 4f933d9c2814662d4dfdd891f45f630582830a06 Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:39 -0700
3 
+Subject: [PATCH 055/103] x86/bugs: Concentrate bug detection into a separate
4 
+ function
5 
+
6 
+commit 4a28bfe3267b68e22c663ac26185aa16c9b879ef upstream
7 
+
8 
+Combine the various logic which goes through all those
9 
+x86_cpu_id matching structures in one function.
10 
+
11 
+Suggested-by: Borislav Petkov <bp@suse.de>
12 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
13 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
14 
+Reviewed-by: Borislav Petkov <bp@suse.de>
15 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
16 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
17 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
19 
+---
20 
+ arch/x86/kernel/cpu/common.c | 21 +++++++++++----------
21 
+ 1 file changed, 11 insertions(+), 10 deletions(-)
22 
+
23 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
24 
+index 48499b4..97558d1 100644
25 
+--- a/arch/x86/kernel/cpu/common.c
26 
+@@ -835,21 +835,27 @@ static const __initconst struct x86_cpu_id cpu_no_meltdown[] = {
27 
+ 	{}
28 
+ };
29 
+
30 
+-static bool __init cpu_vulnerable_to_meltdown(struct cpuinfo_x86 *c)
31 
++static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
32 
+ {
33 
+ 	u64 ia32_cap = 0;
34 
+
35 
++	if (x86_match_cpu(cpu_no_speculation))
36 
++		return;
37 
++
38 
++	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
39 
++	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
40 
++
41 
+ 	if (x86_match_cpu(cpu_no_meltdown))
42 
+-		return false;
43 
++		return;
44 
+
45 
+ 	if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
46 
+ 		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
47 
+
48 
+ 	/* Rogue Data Cache Load? No! */
49 
+ 	if (ia32_cap & ARCH_CAP_RDCL_NO)
50 
+-		return false;
51 
++		return;
52 
+
53 
+-	return true;
54 
++	setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
55 
+ }
56 
+
57 
+ /*
58 
+@@ -898,12 +904,7 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
59 
+
60 
+ 	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
61 
+
62 
+-	if (!x86_match_cpu(cpu_no_speculation)) {
63 
+-		if (cpu_vulnerable_to_meltdown(c))
64 
+-			setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
65 
+-		setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
66 
+-		setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
67 
+-	}
68 
++	cpu_set_bug_bits(c);
69 
+
70 
+ 	fpu__init_system(c);
71 
+
72 
+--
73 
+2.7.4
74 
+
SPECS/linux/speculative-store-bypass/0056-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch
History View file @ 4ab22c2
0 75 
new file mode 100644
... ... 
@@ -0,0 +1,93 @@
0 
+From ee813f4c2f56a3df223b2f9238281ada0fb05131 Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:39 -0700
3 
+Subject: [PATCH 056/103] x86/bugs: Concentrate bug reporting into a separate
4 
+ function
5 
+
6 
+commit d1059518b4789cabe34bb4b714d07e6089c82ca1 upstream
7 
+
8 
+Those SysFS functions have a similar preamble, as such make common
9 
+code to handle them.
10 
+
11 
+Suggested-by: Borislav Petkov <bp@suse.de>
12 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
13 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
14 
+Reviewed-by: Borislav Petkov <bp@suse.de>
15 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
16 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
17 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
19 
+---
20 
+ arch/x86/kernel/cpu/bugs.c | 46 ++++++++++++++++++++++++++++++++--------------
21 
+ 1 file changed, 32 insertions(+), 14 deletions(-)
22 
+
23 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
24 
+index b294fdc..75f3d49 100644
25 
+--- a/arch/x86/kernel/cpu/bugs.c
26 
+@@ -314,30 +314,48 @@ retpoline_auto:
27 
+ #undef pr_fmt
28 
+
29 
+ #ifdef CONFIG_SYSFS
30 
+-ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
31 
++
32 
++ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
33 
++			char *buf, unsigned int bug)
34 
+ {
35 
+-	if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
36 
++	if (!boot_cpu_has_bug(bug))
37 
+ 		return sprintf(buf, "Not affected\n");
38 
+-	if (boot_cpu_has(X86_FEATURE_KAISER))
39 
+-		return sprintf(buf, "Mitigation: PTI\n");
40 
++
41 
++	switch (bug) {
42 
++	case X86_BUG_CPU_MELTDOWN:
43 
++		if (boot_cpu_has(X86_FEATURE_KAISER))
44 
++			return sprintf(buf, "Mitigation: PTI\n");
45 
++
46 
++		break;
47 
++
48 
++	case X86_BUG_SPECTRE_V1:
49 
++		return sprintf(buf, "Mitigation: __user pointer sanitization\n");
50 
++
51 
++	case X86_BUG_SPECTRE_V2:
52 
++		return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
53 
++			       boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
54 
++			       boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
55 
++			       spectre_v2_module_string());
56 
++
57 
++	default:
58 
++		break;
59 
++	}
60 
++
61 
+ 	return sprintf(buf, "Vulnerable\n");
62 
+ }
63 
+
64 
++ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
65 
++{
66 
++	return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
67 
++}
68 
++
69 
+ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
70 
+ {
71 
+-	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1))
72 
+-		return sprintf(buf, "Not affected\n");
73 
+-	return sprintf(buf, "Mitigation: __user pointer sanitization\n");
74 
++	return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
75 
+ }
76 
+
77 
+ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
78 
+ {
79 
+-	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
80 
+-		return sprintf(buf, "Not affected\n");
81 
+-
82 
+-	return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
83 
+-		       boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
84 
+-		       boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
85 
+-		       spectre_v2_module_string());
86 
++	return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
87 
+ }
88 
+ #endif
89 
+--
90 
+2.7.4
91 
+
SPECS/linux/speculative-store-bypass/0057-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch
History View file @ 4ab22c2
0 92 
new file mode 100644
... ... 
@@ -0,0 +1,144 @@
0 
+From 6fd3c2d059ea69882a434e695859975f635da971 Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:40 -0700
3 
+Subject: [PATCH 057/103] x86/bugs: Read SPEC_CTRL MSR during boot and re-use
4 
+ reserved bits
5 
+
6 
+commit 1b86883ccb8d5d9506529d42dbe1a5257cb30b18 upstream
7 
+
8 
+The 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to all
9 
+the other bits as reserved. The Intel SDM glossary defines reserved as
10 
+implementation specific - aka unknown.
11 
+
12 
+As such at bootup this must be taken it into account and proper masking for
13 
+the bits in use applied.
14 
+
15 
+A copy of this document is available at
16 
+https://bugzilla.kernel.org/show_bug.cgi?id=199511
17 
+
18 
+[ tglx: Made x86_spec_ctrl_base __ro_after_init ]
19 
+[ Srivatsa: Removed __ro_after_init for 4.4.y ]
20 
+
21 
+Suggested-by: Jon Masters <jcm@redhat.com>
22 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
23 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
24 
+Reviewed-by: Borislav Petkov <bp@suse.de>
25 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
26 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
27 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
28 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
29 
+---
30 
+ arch/x86/include/asm/nospec-branch.h | 24 ++++++++++++++++++++----
31 
+ arch/x86/kernel/cpu/bugs.c           | 27 +++++++++++++++++++++++++++
32 
+ 2 files changed, 47 insertions(+), 4 deletions(-)
33 
+
34 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
35 
+index 6403016..daec318 100644
36 
+--- a/arch/x86/include/asm/nospec-branch.h
37 
+@@ -172,6 +172,17 @@ enum spectre_v2_mitigation {
38 
+ 	SPECTRE_V2_IBRS,
39 
+ };
40 
+
41 
++/*
42 
++ * The Intel specification for the SPEC_CTRL MSR requires that we
43 
++ * preserve any already set reserved bits at boot time (e.g. for
44 
++ * future additions that this kernel is not currently aware of).
45 
++ * We then set any additional mitigation bits that we want
46 
++ * ourselves and always use this as the base for SPEC_CTRL.
47 
++ * We also use this when handling guest entry/exit as below.
48 
++ */
49 
++extern void x86_spec_ctrl_set(u64);
50 
++extern u64 x86_spec_ctrl_get_default(void);
51 
++
52 
+ extern char __indirect_thunk_start[];
53 
+ extern char __indirect_thunk_end[];
54 
+
55 
+@@ -208,8 +219,9 @@ void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature)
56 
+
57 
+ static inline void indirect_branch_prediction_barrier(void)
58 
+ {
59 
+-	alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB,
60 
+-			      X86_FEATURE_USE_IBPB);
61 
++	u64 val = PRED_CMD_IBPB;
62 
++
63 
++	alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB);
64 
+ }
65 
+
66 
+ /*
67 
+@@ -220,14 +232,18 @@ static inline void indirect_branch_prediction_barrier(void)
68 
+  */
69 
+ #define firmware_restrict_branch_speculation_start()			\
70 
+ do {									\
71 
++	u64 val = x86_spec_ctrl_get_default() | SPEC_CTRL_IBRS;		\
72 
++									\
73 
+ 	preempt_disable();						\
74 
+-	alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,	\
75 
++	alternative_msr_write(MSR_IA32_SPEC_CTRL, val,			\
76 
+ 			      X86_FEATURE_USE_IBRS_FW);			\
77 
+ } while (0)
78 
+
79 
+ #define firmware_restrict_branch_speculation_end()			\
80 
+ do {									\
81 
+-	alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,			\
82 
++	u64 val = x86_spec_ctrl_get_default();				\
83 
++									\
84 
++	alternative_msr_write(MSR_IA32_SPEC_CTRL, val,			\
85 
+ 			      X86_FEATURE_USE_IBRS_FW);			\
86 
+ 	preempt_enable();						\
87 
+ } while (0)
88 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
89 
+index 75f3d49..42c2204 100644
90 
+--- a/arch/x86/kernel/cpu/bugs.c
91 
+@@ -27,6 +27,12 @@
92 
+
93 
+ static void __init spectre_v2_select_mitigation(void);
94 
+
95 
++/*
96 
++ * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
97 
++ * writes to SPEC_CTRL contain whatever reserved bits have been set.
98 
++ */
99 
++static u64 x86_spec_ctrl_base;
100 
++
101 
+ void __init check_bugs(void)
102 
+ {
103 
+ 	identify_boot_cpu();
104 
+@@ -36,6 +42,13 @@ void __init check_bugs(void)
105 
+ 		print_cpu_info(&boot_cpu_data);
106 
+ 	}
107 
+
108 
++	/*
109 
++	 * Read the SPEC_CTRL MSR to account for reserved bits which may
110 
++	 * have unknown values.
111 
++	 */
112 
++	if (boot_cpu_has(X86_FEATURE_IBRS))
113 
++		rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
114 
++
115 
+ 	/* Select the proper spectre mitigation before patching alternatives */
116 
+ 	spectre_v2_select_mitigation();
117 
+
118 
+@@ -94,6 +107,20 @@ static const char *spectre_v2_strings[] = {
119 
+
120 
+ static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
121 
+
122 
++void x86_spec_ctrl_set(u64 val)
123 
++{
124 
++	if (val & ~SPEC_CTRL_IBRS)
125 
++		WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
126 
++	else
127 
++		wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
128 
++}
129 
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);
130 
++
131 
++u64 x86_spec_ctrl_get_default(void)
132 
++{
133 
++	return x86_spec_ctrl_base;
134 
++}
135 
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
136 
+
137 
+ #ifdef RETPOLINE
138 
+ static bool spectre_v2_bad_module;
139 
+--
140 
+2.7.4
141 
+
SPECS/linux/speculative-store-bypass/0058-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch
History View file @ 4ab22c2
0 142 
new file mode 100644
... ... 
@@ -0,0 +1,89 @@
0 
+From 51a0627e8d2fa5679c30401e340afae4767f14e7 Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:40 -0700
3 
+Subject: [PATCH 058/103] x86/bugs, KVM: Support the combination of guest and
4 
+ host IBRS
5 
+
6 
+commit 5cf687548705412da47c9cec342fd952d71ed3d5 upstream
7 
+
8 
+A guest may modify the SPEC_CTRL MSR from the value used by the
9 
+kernel. Since the kernel doesn't use IBRS, this means a value of zero is
10 
+what is needed in the host.
11 
+
12 
+But the 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to
13 
+the other bits as reserved so the kernel should respect the boot time
14 
+SPEC_CTRL value and use that.
15 
+
16 
+This allows to deal with future extensions to the SPEC_CTRL interface if
17 
+any at all.
18 
+
19 
+Note: This uses wrmsrl() instead of native_wrmsl(). I does not make any
20 
+difference as paravirt will over-write the callq *0xfff.. with the wrmsrl
21 
+assembler code.
22 
+
23 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
24 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
25 
+Reviewed-by: Borislav Petkov <bp@suse.de>
26 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
27 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
28 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
29 
+[ Srivatsa: Backported to 4.4.y, skipping the KVM changes in this patch. ]
30 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
31 
+---
32 
+ arch/x86/include/asm/nospec-branch.h | 10 ++++++++++
33 
+ arch/x86/kernel/cpu/bugs.c           | 18 ++++++++++++++++++
34 
+ 2 files changed, 28 insertions(+)
35 
+
36 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
37 
+index daec318..11db69a 100644
38 
+--- a/arch/x86/include/asm/nospec-branch.h
39 
+@@ -183,6 +183,16 @@ enum spectre_v2_mitigation {
40 
+ extern void x86_spec_ctrl_set(u64);
41 
+ extern u64 x86_spec_ctrl_get_default(void);
42 
+
43 
++/*
44 
++ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
45 
++ * the guest has, while on VMEXIT we restore the host view. This
46 
++ * would be easier if SPEC_CTRL were architecturally maskable or
47 
++ * shadowable for guests but this is not (currently) the case.
48 
++ * Takes the guest view of SPEC_CTRL MSR as a parameter.
49 
++ */
50 
++extern void x86_spec_ctrl_set_guest(u64);
51 
++extern void x86_spec_ctrl_restore_host(u64);
52 
++
53 
+ extern char __indirect_thunk_start[];
54 
+ extern char __indirect_thunk_end[];
55 
+
56 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
57 
+index 42c2204..e71e281 100644
58 
+--- a/arch/x86/kernel/cpu/bugs.c
59 
+@@ -122,6 +122,24 @@ u64 x86_spec_ctrl_get_default(void)
60 
+ }
61 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
62 
+
63 
++void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
64 
++{
65 
++	if (!boot_cpu_has(X86_FEATURE_IBRS))
66 
++		return;
67 
++	if (x86_spec_ctrl_base != guest_spec_ctrl)
68 
++		wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
69 
++}
70 
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
71 
++
72 
++void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
73 
++{
74 
++	if (!boot_cpu_has(X86_FEATURE_IBRS))
75 
++		return;
76 
++	if (x86_spec_ctrl_base != guest_spec_ctrl)
77 
++		wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
78 
++}
79 
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
80 
++
81 
+ #ifdef RETPOLINE
82 
+ static bool spectre_v2_bad_module;
83 
+
84 
+--
85 
+2.7.4
86 
+
SPECS/linux/speculative-store-bypass/0059-x86-cpu-Rename-Merrifield2-to-Moorefield.patch
History View file @ 4ab22c2
0 87 
new file mode 100644
... ... 
@@ -0,0 +1,41 @@
0 
+From 407e3e0bce035deccb0539e93efe61c69794ed82 Mon Sep 17 00:00:00 2001
1 
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:41 -0700
3 
+Subject: [PATCH 059/103] x86/cpu: Rename Merrifield2 to Moorefield
4 
+
5 
+commit f5fbf848303c8704d0e1a1e7cabd08fd0a49552f upstream
6 
+
7 
+Merrifield2 is actually Moorefield.
8 
+
9 
+Rename it accordingly and drop tail digit from Merrifield1.
10 
+
11 
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
12 
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
13 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
14 
+Cc: Peter Zijlstra <peterz@infradead.org>
15 
+Cc: Thomas Gleixner <tglx@linutronix.de>
16 
+Link: http://lkml.kernel.org/r/20160906184254.94440-1-andriy.shevchenko@linux.intel.com
17 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
18 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
19 
+---
20 
+ arch/x86/include/asm/intel-family.h | 4 ++--
21 
+ 1 file changed, 2 insertions(+), 2 deletions(-)
22 
+
23 
+diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
24 
+index 12fa187..0b27c1e 100644
25 
+--- a/arch/x86/include/asm/intel-family.h
26 
+@@ -58,8 +58,8 @@
27 
+ #define INTEL_FAM6_ATOM_SILVERMONT1	0x37 /* BayTrail/BYT / Valleyview */
28 
+ #define INTEL_FAM6_ATOM_SILVERMONT2	0x4D /* Avaton/Rangely */
29 
+ #define INTEL_FAM6_ATOM_AIRMONT		0x4C /* CherryTrail / Braswell */
30 
+-#define INTEL_FAM6_ATOM_MERRIFIELD1	0x4A /* Tangier */
31 
+-#define INTEL_FAM6_ATOM_MERRIFIELD2	0x5A /* Annidale */
32 
++#define INTEL_FAM6_ATOM_MERRIFIELD	0x4A /* Tangier */
33 
++#define INTEL_FAM6_ATOM_MOOREFIELD	0x5A /* Annidale */
34 
+ #define INTEL_FAM6_ATOM_GOLDMONT	0x5C
35 
+ #define INTEL_FAM6_ATOM_DENVERTON	0x5F /* Goldmont Microserver */
36 
+ #define INTEL_FAM6_ATOM_GEMINI_LAKE	0x7A
37 
+--
38 
+2.7.4
39 
+
SPECS/linux/speculative-store-bypass/0060-x86-cpu-intel-Add-Knights-Mill-to-Intel-family.patch
History View file @ 4ab22c2
0 40 
new file mode 100644
... ... 
@@ -0,0 +1,41 @@
0 
+From 23c4baf133a3ddc8088c91eed2d6cc6b0e33ce4e Mon Sep 17 00:00:00 2001
1 
+From: Piotr Luc <piotr.luc@intel.com>
2 
+Date: Thu, 14 Jun 2018 14:56:41 -0700
3 
+Subject: [PATCH 060/103] x86/cpu/intel: Add Knights Mill to Intel family
4 
+
5 
+commit 0047f59834e5947d45f34f5f12eb330d158f700b upstream
6 
+
7 
+Add CPUID of Knights Mill (KNM) processor to Intel family list.
8 
+
9 
+Signed-off-by: Piotr Luc <piotr.luc@intel.com>
10 
+Reviewed-by: Dave Hansen <dave.hansen@intel.com>
11 
+Cc: Andy Lutomirski <luto@kernel.org>
12 
+Cc: Borislav Petkov <bp@alien8.de>
13 
+Cc: Brian Gerst <brgerst@gmail.com>
14 
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
15 
+Cc: H. Peter Anvin <hpa@zytor.com>
16 
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
17 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
18 
+Cc: Peter Zijlstra <peterz@infradead.org>
19 
+Cc: Thomas Gleixner <tglx@linutronix.de>
20 
+Link: http://lkml.kernel.org/r/20161012180520.30976-1-piotr.luc@intel.com
21 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
22 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
23 
+---
24 
+ arch/x86/include/asm/intel-family.h | 1 +
25 
+ 1 file changed, 1 insertion(+)
26 
+
27 
+diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
28 
+index 0b27c1e..e13ff5a 100644
29 
+--- a/arch/x86/include/asm/intel-family.h
30 
+@@ -67,5 +67,6 @@
31 
+ /* Xeon Phi */
32 
+
33 
+ #define INTEL_FAM6_XEON_PHI_KNL		0x57 /* Knights Landing */
34 
++#define INTEL_FAM6_XEON_PHI_KNM		0x85 /* Knights Mill */
35 
+
36 
+ #endif /* _ASM_X86_INTEL_FAMILY_H */
37 
+--
38 
+2.7.4
39 
+
SPECS/linux/speculative-store-bypass/0061-x86-bugs-Expose-sys-.-spec_store_bypass.patch
History View file @ 4ab22c2
0 40 
new file mode 100644
... ... 
@@ -0,0 +1,149 @@
0 
+From 8106608d74ab245d09d45476e264d36f50cd18f5 Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:42 -0700
3 
+Subject: [PATCH 061/103] x86/bugs: Expose /sys/../spec_store_bypass
4 
+
5 
+commit c456442cd3a59eeb1d60293c26cbe2ff2c4e42cf upstream
6 
+
7 
+Add the sysfs file for the new vulerability. It does not do much except
8 
+show the words 'Vulnerable' for recent x86 cores.
9 
+
10 
+Intel cores prior to family 6 are known not to be vulnerable, and so are
11 
+some Atoms and some Xeon Phi.
12 
+
13 
+It assumes that older Cyrix, Centaur, etc. cores are immune.
14 
+
15 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
16 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
17 
+Reviewed-by: Borislav Petkov <bp@suse.de>
18 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
19 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
20 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
21 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
22 
+---
23 
+ Documentation/ABI/testing/sysfs-devices-system-cpu |  1 +
24 
+ arch/x86/include/asm/cpufeatures.h                 |  1 +
25 
+ arch/x86/kernel/cpu/bugs.c                         |  5 +++++
26 
+ arch/x86/kernel/cpu/common.c                       | 23 ++++++++++++++++++++++
27 
+ drivers/base/cpu.c                                 |  8 ++++++++
28 
+ include/linux/cpu.h                                |  2 ++
29 
+ 6 files changed, 40 insertions(+)
30 
+
31 
+diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
32 
+index ea6a043..50f9568 100644
33 
+--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
34 
+@@ -276,6 +276,7 @@ What:		/sys/devices/system/cpu/vulnerabilities
35 
+ 		/sys/devices/system/cpu/vulnerabilities/meltdown
36 
+ 		/sys/devices/system/cpu/vulnerabilities/spectre_v1
37 
+ 		/sys/devices/system/cpu/vulnerabilities/spectre_v2
38 
++		/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
39 
+ Date:		January 2018
40 
+ Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
41 
+ Description:	Information about CPU vulnerabilities
42 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
43 
+index a123acd..bfbf778 100644
44 
+--- a/arch/x86/include/asm/cpufeatures.h
45 
+@@ -315,5 +315,6 @@
46 
+ #define X86_BUG_CPU_MELTDOWN	X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
47 
+ #define X86_BUG_SPECTRE_V1	X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
48 
+ #define X86_BUG_SPECTRE_V2	X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
49 
++#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */
50 
+
51 
+ #endif /* _ASM_X86_CPUFEATURES_H */
52 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
53 
+index e71e281..0ad13b1 100644
54 
+--- a/arch/x86/kernel/cpu/bugs.c
55 
+@@ -403,4 +403,9 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c
56 
+ {
57 
+ 	return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
58 
+ }
59 
++
60 
++ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
61 
++{
62 
++	return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
63 
++}
64 
+ #endif
65 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
66 
+index 97558d1..eb78ddf 100644
67 
+--- a/arch/x86/kernel/cpu/common.c
68 
+@@ -835,10 +835,33 @@ static const __initconst struct x86_cpu_id cpu_no_meltdown[] = {
69 
+ 	{}
70 
+ };
71 
+
72 
++static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = {
73 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_PINEVIEW	},
74 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_LINCROFT	},
75 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_PENWELL		},
76 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_CLOVERVIEW	},
77 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_CEDARVIEW	},
78 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_SILVERMONT1	},
79 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_AIRMONT		},
80 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_SILVERMONT2	},
81 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_ATOM_MERRIFIELD	},
82 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_CORE_YONAH		},
83 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_XEON_PHI_KNL		},
84 
++	{ X86_VENDOR_INTEL,	6,	INTEL_FAM6_XEON_PHI_KNM		},
85 
++	{ X86_VENDOR_CENTAUR,	5,					},
86 
++	{ X86_VENDOR_INTEL,	5,					},
87 
++	{ X86_VENDOR_NSC,	5,					},
88 
++	{ X86_VENDOR_ANY,	4,					},
89 
++	{}
90 
++};
91 
++
92 
+ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
93 
+ {
94 
+ 	u64 ia32_cap = 0;
95 
+
96 
++	if (!x86_match_cpu(cpu_no_spec_store_bypass))
97 
++		setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
98 
++
99 
+ 	if (x86_match_cpu(cpu_no_speculation))
100 
+ 		return;
101 
+
102 
+diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
103 
+index 3db71af..143edea 100644
104 
+--- a/drivers/base/cpu.c
105 
+@@ -518,14 +518,22 @@ ssize_t __weak cpu_show_spectre_v2(struct device *dev,
106 
+ 	return sprintf(buf, "Not affected\n");
107 
+ }
108 
+
109 
++ssize_t __weak cpu_show_spec_store_bypass(struct device *dev,
110 
++					  struct device_attribute *attr, char *buf)
111 
++{
112 
++	return sprintf(buf, "Not affected\n");
113 
++}
114 
++
115 
+ static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
116 
+ static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
117 
+ static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
118 
++static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL);
119 
+
120 
+ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
121 
+ 	&dev_attr_meltdown.attr,
122 
+ 	&dev_attr_spectre_v1.attr,
123 
+ 	&dev_attr_spectre_v2.attr,
124 
++	&dev_attr_spec_store_bypass.attr,
125 
+ 	NULL
126 
+ };
127 
+
128 
+diff --git a/include/linux/cpu.h b/include/linux/cpu.h
129 
+index 7e04bcd..2f9d120 100644
130 
+--- a/include/linux/cpu.h
131 
+@@ -46,6 +46,8 @@ extern ssize_t cpu_show_spectre_v1(struct device *dev,
132 
+ 				   struct device_attribute *attr, char *buf);
133 
+ extern ssize_t cpu_show_spectre_v2(struct device *dev,
134 
+ 				   struct device_attribute *attr, char *buf);
135 
++extern ssize_t cpu_show_spec_store_bypass(struct device *dev,
136 
++					  struct device_attribute *attr, char *buf);
137 
+
138 
+ extern __printf(4, 5)
139 
+ struct device *cpu_device_create(struct device *parent, void *drvdata,
140 
+--
141 
+2.7.4
142 
+
SPECS/linux/speculative-store-bypass/0062-x86-cpufeatures-Add-X86_FEATURE_RDS.patch
History View file @ 4ab22c2
0 143 
new file mode 100644
... ... 
@@ -0,0 +1,37 @@
0 
+From 465eb0f2dac17d34d0bc86231dfd0cce197e911b Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:42 -0700
3 
+Subject: [PATCH 062/103] x86/cpufeatures: Add X86_FEATURE_RDS
4 
+
5 
+commit 0cc5fa00b0a88dad140b4e5c2cead9951ad36822 upstream
6 
+
7 
+Add the CPU feature bit CPUID.7.0.EDX[31] which indicates whether the CPU
8 
+supports Reduced Data Speculation.
9 
+
10 
+[ tglx: Split it out from a later patch ]
11 
+
12 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
13 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
14 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
15 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
16 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
17 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
18 
+---
19 
+ arch/x86/include/asm/cpufeatures.h | 1 +
20 
+ 1 file changed, 1 insertion(+)
21 
+
22 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
23 
+index bfbf778..2f4791a 100644
24 
+--- a/arch/x86/include/asm/cpufeatures.h
25 
+@@ -297,6 +297,7 @@
26 
+ #define X86_FEATURE_SPEC_CTRL		(18*32+26) /* "" Speculation Control (IBRS + IBPB) */
27 
+ #define X86_FEATURE_INTEL_STIBP		(18*32+27) /* "" Single Thread Indirect Branch Predictors */
28 
+ #define X86_FEATURE_ARCH_CAPABILITIES	(18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
29 
++#define X86_FEATURE_RDS			(18*32+31) /* Reduced Data Speculation */
30 
+
31 
+ /*
32 
+  * BUG word(s)
33 
+--
34 
+2.7.4
35 
+
SPECS/linux/speculative-store-bypass/0063-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch
History View file @ 4ab22c2
0 36 
new file mode 100644
... ... 
@@ -0,0 +1,273 @@
0 
+From f2461acda781fe330a5d17a4e12e7318b2b57657 Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:43 -0700
3 
+Subject: [PATCH 063/103] x86/bugs: Provide boot parameters for the
4 
+ spec_store_bypass_disable mitigation
5 
+
6 
+commit 24f7fc83b9204d20f878c57cb77d261ae825e033 upstream
7 
+
8 
+Contemporary high performance processors use a common industry-wide
9 
+optimization known as "Speculative Store Bypass" in which loads from
10 
+addresses to which a recent store has occurred may (speculatively) see an
11 
+older value. Intel refers to this feature as "Memory Disambiguation" which
12 
+is part of their "Smart Memory Access" capability.
13 
+
14 
+Memory Disambiguation can expose a cache side-channel attack against such
15 
+speculatively read values. An attacker can create exploit code that allows
16 
+them to read memory outside of a sandbox environment (for example,
17 
+malicious JavaScript in a web page), or to perform more complex attacks
18 
+against code running within the same privilege level, e.g. via the stack.
19 
+
20 
+As a first step to mitigate against such attacks, provide two boot command
21 
+line control knobs:
22 
+
23 
+ nospec_store_bypass_disable
24 
+ spec_store_bypass_disable=[off,auto,on]
25 
+
26 
+By default affected x86 processors will power on with Speculative
27 
+Store Bypass enabled. Hence the provided kernel parameters are written
28 
+from the point of view of whether to enable a mitigation or not.
29 
+The parameters are as follows:
30 
+
31 
+ - auto - Kernel detects whether your CPU model contains an implementation
32 
+	  of Speculative Store Bypass and picks the most appropriate
33 
+	  mitigation.
34 
+
35 
+ - on   - disable Speculative Store Bypass
36 
+ - off  - enable Speculative Store Bypass
37 
+
38 
+[ tglx: Reordered the checks so that the whole evaluation is not done
39 
+  	when the CPU does not support RDS ]
40 
+
41 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
42 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
43 
+Reviewed-by: Borislav Petkov <bp@suse.de>
44 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
45 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
46 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
47 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
48 
+---
49 
+ Documentation/kernel-parameters.txt  |  33 +++++++++++
50 
+ arch/x86/include/asm/cpufeatures.h   |   1 +
51 
+ arch/x86/include/asm/nospec-branch.h |   6 ++
52 
+ arch/x86/kernel/cpu/bugs.c           | 103 +++++++++++++++++++++++++++++++++++
53 
+ 4 files changed, 143 insertions(+)
54 
+
55 
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
56 
+index e60d0b5..dc138b8 100644
57 
+--- a/Documentation/kernel-parameters.txt
58 
+@@ -2460,6 +2460,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
59 
+ 			allow data leaks with this option, which is equivalent
60 
+ 			to spectre_v2=off.
61 
+
62 
++	nospec_store_bypass_disable
63 
++			[HW] Disable all mitigations for the Speculative Store Bypass vulnerability
64 
++
65 
+ 	noxsave		[BUGS=X86] Disables x86 extended register state save
66 
+ 			and restore using xsave. The kernel will fallback to
67 
+ 			enabling legacy floating-point and sse state.
68 
+@@ -3623,6 +3626,36 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
69 
+ 			Not specifying this option is equivalent to
70 
+ 			spectre_v2=auto.
71 
+
72 
++	spec_store_bypass_disable=
73 
++			[HW] Control Speculative Store Bypass (SSB) Disable mitigation
74 
++			(Speculative Store Bypass vulnerability)
75 
++
76 
++			Certain CPUs are vulnerable to an exploit against a
77 
++			a common industry wide performance optimization known
78 
++			as "Speculative Store Bypass" in which recent stores
79 
++			to the same memory location may not be observed by
80 
++			later loads during speculative execution. The idea
81 
++			is that such stores are unlikely and that they can
82 
++			be detected prior to instruction retirement at the
83 
++			end of a particular speculation execution window.
84 
++
85 
++			In vulnerable processors, the speculatively forwarded
86 
++			store can be used in a cache side channel attack, for
87 
++			example to read memory to which the attacker does not
88 
++			directly have access (e.g. inside sandboxed code).
89 
++
90 
++			This parameter controls whether the Speculative Store
91 
++			Bypass optimization is used.
92 
++
93 
++			on     - Unconditionally disable Speculative Store Bypass
94 
++			off    - Unconditionally enable Speculative Store Bypass
95 
++			auto   - Kernel detects whether the CPU model contains an
96 
++				 implementation of Speculative Store Bypass and
97 
++				 picks the most appropriate mitigation
98 
++
99 
++			Not specifying this option is equivalent to
100 
++			spec_store_bypass_disable=auto.
101 
++
102 
+ 	spia_io_base=	[HW,MTD]
103 
+ 	spia_fio_base=
104 
+ 	spia_pedr=
105 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
106 
+index 2f4791a..7cc4937 100644
107 
+--- a/arch/x86/include/asm/cpufeatures.h
108 
+@@ -203,6 +203,7 @@
109 
+
110 
+ #define X86_FEATURE_USE_IBPB	( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/
111 
+ #define X86_FEATURE_USE_IBRS_FW	( 7*32+22) /* "" Use IBRS during runtime firmware calls */
112 
++#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE	( 7*32+23) /* "" Disable Speculative Store Bypass. */
113 
+
114 
+ /* Virtualization flags: Linux defined, word 8 */
115 
+ #define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
116 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
117 
+index 11db69a..c786d01 100644
118 
+--- a/arch/x86/include/asm/nospec-branch.h
119 
+@@ -193,6 +193,12 @@ extern u64 x86_spec_ctrl_get_default(void);
120 
+ extern void x86_spec_ctrl_set_guest(u64);
121 
+ extern void x86_spec_ctrl_restore_host(u64);
122 
+
123 
++/* The Speculative Store Bypass disable variants */
124 
++enum ssb_mitigation {
125 
++	SPEC_STORE_BYPASS_NONE,
126 
++	SPEC_STORE_BYPASS_DISABLE,
127 
++};
128 
++
129 
+ extern char __indirect_thunk_start[];
130 
+ extern char __indirect_thunk_end[];
131 
+
132 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
133 
+index 0ad13b1..826aa81 100644
134 
+--- a/arch/x86/kernel/cpu/bugs.c
135 
+@@ -26,6 +26,7 @@
136 
+ #include <asm/intel-family.h>
137 
+
138 
+ static void __init spectre_v2_select_mitigation(void);
139 
++static void __init ssb_select_mitigation(void);
140 
+
141 
+ /*
142 
+  * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
143 
+@@ -52,6 +53,12 @@ void __init check_bugs(void)
144 
+ 	/* Select the proper spectre mitigation before patching alternatives */
145 
+ 	spectre_v2_select_mitigation();
146 
+
147 
++	/*
148 
++	 * Select proper mitigation for any exposure to the Speculative Store
149 
++	 * Bypass vulnerability.
150 
++	 */
151 
++	ssb_select_mitigation();
152 
++
153 
+ #ifdef CONFIG_X86_32
154 
+ 	/*
155 
+ 	 * Check whether we are able to run this kernel safely on SMP.
156 
+@@ -357,6 +364,99 @@ retpoline_auto:
157 
+ }
158 
+
159 
+ #undef pr_fmt
160 
++#define pr_fmt(fmt)	"Speculative Store Bypass: " fmt
161 
++
162 
++static enum ssb_mitigation ssb_mode = SPEC_STORE_BYPASS_NONE;
163 
++
164 
++/* The kernel command line selection */
165 
++enum ssb_mitigation_cmd {
166 
++	SPEC_STORE_BYPASS_CMD_NONE,
167 
++	SPEC_STORE_BYPASS_CMD_AUTO,
168 
++	SPEC_STORE_BYPASS_CMD_ON,
169 
++};
170 
++
171 
++static const char *ssb_strings[] = {
172 
++	[SPEC_STORE_BYPASS_NONE]	= "Vulnerable",
173 
++	[SPEC_STORE_BYPASS_DISABLE]	= "Mitigation: Speculative Store Bypass disabled"
174 
++};
175 
++
176 
++static const struct {
177 
++	const char *option;
178 
++	enum ssb_mitigation_cmd cmd;
179 
++} ssb_mitigation_options[] = {
180 
++	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
181 
++	{ "on",		SPEC_STORE_BYPASS_CMD_ON },   /* Disable Speculative Store Bypass */
182 
++	{ "off",	SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
183 
++};
184 
++
185 
++static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
186 
++{
187 
++	enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
188 
++	char arg[20];
189 
++	int ret, i;
190 
++
191 
++	if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
192 
++		return SPEC_STORE_BYPASS_CMD_NONE;
193 
++	} else {
194 
++		ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
195 
++					  arg, sizeof(arg));
196 
++		if (ret < 0)
197 
++			return SPEC_STORE_BYPASS_CMD_AUTO;
198 
++
199 
++		for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
200 
++			if (!match_option(arg, ret, ssb_mitigation_options[i].option))
201 
++				continue;
202 
++
203 
++			cmd = ssb_mitigation_options[i].cmd;
204 
++			break;
205 
++		}
206 
++
207 
++		if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
208 
++			pr_err("unknown option (%s). Switching to AUTO select\n", arg);
209 
++			return SPEC_STORE_BYPASS_CMD_AUTO;
210 
++		}
211 
++	}
212 
++
213 
++	return cmd;
214 
++}
215 
++
216 
++static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
217 
++{
218 
++	enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
219 
++	enum ssb_mitigation_cmd cmd;
220 
++
221 
++	if (!boot_cpu_has(X86_FEATURE_RDS))
222 
++		return mode;
223 
++
224 
++	cmd = ssb_parse_cmdline();
225 
++	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
226 
++	    (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
227 
++	     cmd == SPEC_STORE_BYPASS_CMD_AUTO))
228 
++		return mode;
229 
++
230 
++	switch (cmd) {
231 
++	case SPEC_STORE_BYPASS_CMD_AUTO:
232 
++	case SPEC_STORE_BYPASS_CMD_ON:
233 
++		mode = SPEC_STORE_BYPASS_DISABLE;
234 
++		break;
235 
++	case SPEC_STORE_BYPASS_CMD_NONE:
236 
++		break;
237 
++	}
238 
++
239 
++	if (mode != SPEC_STORE_BYPASS_NONE)
240 
++		setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
241 
++	return mode;
242 
++}
243 
++
244 
++static void ssb_select_mitigation()
245 
++{
246 
++	ssb_mode = __ssb_select_mitigation();
247 
++
248 
++	if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
249 
++		pr_info("%s\n", ssb_strings[ssb_mode]);
250 
++}
251 
++
252 
++#undef pr_fmt
253 
+
254 
+ #ifdef CONFIG_SYSFS
255 
+
256 
+@@ -382,6 +482,9 @@ ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
257 
+ 			       boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
258 
+ 			       spectre_v2_module_string());
259 
+
260 
++	case X86_BUG_SPEC_STORE_BYPASS:
261 
++		return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
262 
++
263 
+ 	default:
264 
+ 		break;
265 
+ 	}
266 
+--
267 
+2.7.4
268 
+
SPECS/linux/speculative-store-bypass/0064-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch
History View file @ 4ab22c2
0 269 
new file mode 100644
... ... 
@@ -0,0 +1,184 @@
0 
+From 2ae2796bec338c65c4f5e2463fbcb69b3cfe7062 Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:43 -0700
3 
+Subject: [PATCH 064/103] x86/bugs/intel: Set proper CPU features and setup RDS
4 
+
5 
+commit 772439717dbf703b39990be58d8d4e3e4ad0598a upstream
6 
+
7 
+Intel CPUs expose methods to:
8 
+
9 
+ - Detect whether RDS capability is available via CPUID.7.0.EDX[31],
10 
+
11 
+ - The SPEC_CTRL MSR(0x48), bit 2 set to enable RDS.
12 
+
13 
+ - MSR_IA32_ARCH_CAPABILITIES, Bit(4) no need to enable RRS.
14 
+
15 
+With that in mind if spec_store_bypass_disable=[auto,on] is selected set at
16 
+boot-time the SPEC_CTRL MSR to enable RDS if the platform requires it.
17 
+
18 
+Note that this does not fix the KVM case where the SPEC_CTRL is exposed to
19 
+guests which can muck with it, see patch titled :
20 
+ KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS.
21 
+
22 
+And for the firmware (IBRS to be set), see patch titled:
23 
+ x86/spectre_v2: Read SPEC_CTRL MSR during boot and re-use reserved bits
24 
+
25 
+[ tglx: Distangled it from the intel implementation and kept the call order ]
26 
+
27 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
28 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
29 
+Reviewed-by: Borislav Petkov <bp@suse.de>
30 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
31 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
32 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
33 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
34 
+---
35 
+ arch/x86/include/asm/msr-index.h |  6 ++++++
36 
+ arch/x86/kernel/cpu/bugs.c       | 30 ++++++++++++++++++++++++++++--
37 
+ arch/x86/kernel/cpu/common.c     | 10 ++++++----
38 
+ arch/x86/kernel/cpu/cpu.h        |  3 +++
39 
+ arch/x86/kernel/cpu/intel.c      |  1 +
40 
+ 5 files changed, 44 insertions(+), 6 deletions(-)
41 
+
42 
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
43 
+index f4701f0..a29edb7 100644
44 
+--- a/arch/x86/include/asm/msr-index.h
45 
+@@ -35,6 +35,7 @@
46 
+ #define MSR_IA32_SPEC_CTRL		0x00000048 /* Speculation Control */
47 
+ #define SPEC_CTRL_IBRS			(1 << 0)   /* Indirect Branch Restricted Speculation */
48 
+ #define SPEC_CTRL_STIBP			(1 << 1)   /* Single Thread Indirect Branch Predictors */
49 
++#define SPEC_CTRL_RDS			(1 << 2)   /* Reduced Data Speculation */
50 
+
51 
+ #define MSR_IA32_PRED_CMD		0x00000049 /* Prediction Command */
52 
+ #define PRED_CMD_IBPB			(1 << 0)   /* Indirect Branch Prediction Barrier */
53 
+@@ -56,6 +57,11 @@
54 
+ #define MSR_IA32_ARCH_CAPABILITIES	0x0000010a
55 
+ #define ARCH_CAP_RDCL_NO		(1 << 0)   /* Not susceptible to Meltdown */
56 
+ #define ARCH_CAP_IBRS_ALL		(1 << 1)   /* Enhanced IBRS support */
57 
++#define ARCH_CAP_RDS_NO			(1 << 4)   /*
58 
++						    * Not susceptible to Speculative Store Bypass
59 
++						    * attack, so no Reduced Data Speculation control
60 
++						    * required.
61 
++						    */
62 
+
63 
+ #define MSR_IA32_BBL_CR_CTL		0x00000119
64 
+ #define MSR_IA32_BBL_CR_CTL3		0x0000011e
65 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
66 
+index 826aa81..56b84a5 100644
67 
+--- a/arch/x86/kernel/cpu/bugs.c
68 
+@@ -116,7 +116,7 @@ static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
69 
+
70 
+ void x86_spec_ctrl_set(u64 val)
71 
+ {
72 
+-	if (val & ~SPEC_CTRL_IBRS)
73 
++	if (val & ~(SPEC_CTRL_IBRS | SPEC_CTRL_RDS))
74 
+ 		WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
75 
+ 	else
76 
+ 		wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
77 
+@@ -443,8 +443,28 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
78 
+ 		break;
79 
+ 	}
80 
+
81 
+-	if (mode != SPEC_STORE_BYPASS_NONE)
82 
++	/*
83 
++	 * We have three CPU feature flags that are in play here:
84 
++	 *  - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
85 
++	 *  - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass
86 
++	 *  - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
87 
++	 */
88 
++	if (mode != SPEC_STORE_BYPASS_NONE) {
89 
+ 		setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
90 
++		/*
91 
++		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses
92 
++		 * a completely different MSR and bit dependent on family.
93 
++		 */
94 
++		switch (boot_cpu_data.x86_vendor) {
95 
++		case X86_VENDOR_INTEL:
96 
++			x86_spec_ctrl_base |= SPEC_CTRL_RDS;
97 
++			x86_spec_ctrl_set(SPEC_CTRL_RDS);
98 
++			break;
99 
++		case X86_VENDOR_AMD:
100 
++			break;
101 
++		}
102 
++	}
103 
++
104 
+ 	return mode;
105 
+ }
106 
+
107 
+@@ -458,6 +478,12 @@ static void ssb_select_mitigation()
108 
+
109 
+ #undef pr_fmt
110 
+
111 
++void x86_spec_ctrl_setup_ap(void)
112 
++{
113 
++	if (boot_cpu_has(X86_FEATURE_IBRS))
114 
++		x86_spec_ctrl_set(x86_spec_ctrl_base & (SPEC_CTRL_IBRS | SPEC_CTRL_RDS));
115 
++}
116 
++
117 
+ #ifdef CONFIG_SYSFS
118 
+
119 
+ ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
120 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
121 
+index eb78ddf..2f1d403 100644
122 
+--- a/arch/x86/kernel/cpu/common.c
123 
+@@ -859,7 +859,11 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
124 
+ {
125 
+ 	u64 ia32_cap = 0;
126 
+
127 
+-	if (!x86_match_cpu(cpu_no_spec_store_bypass))
128 
++	if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
129 
++		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
130 
++
131 
++	if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
132 
++	   !(ia32_cap & ARCH_CAP_RDS_NO))
133 
+ 		setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
134 
+
135 
+ 	if (x86_match_cpu(cpu_no_speculation))
136 
+@@ -871,9 +875,6 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
137 
+ 	if (x86_match_cpu(cpu_no_meltdown))
138 
+ 		return;
139 
+
140 
+-	if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
141 
+-		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
142 
+-
143 
+ 	/* Rogue Data Cache Load? No! */
144 
+ 	if (ia32_cap & ARCH_CAP_RDCL_NO)
145 
+ 		return;
146 
+@@ -1216,6 +1217,7 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c)
147 
+ 	enable_sep_cpu();
148 
+ #endif
149 
+ 	mtrr_ap_init();
150 
++	x86_spec_ctrl_setup_ap();
151 
+ }
152 
+
153 
+ struct msr_range {
154 
+diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
155 
+index 2584265..3b19d82 100644
156 
+--- a/arch/x86/kernel/cpu/cpu.h
157 
+@@ -46,4 +46,7 @@ extern const struct cpu_dev *const __x86_cpu_dev_start[],
158 
+
159 
+ extern void get_cpu_cap(struct cpuinfo_x86 *c);
160 
+ extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c);
161 
++
162 
++extern void x86_spec_ctrl_setup_ap(void);
163 
++
164 
+ #endif /* ARCH_X86_CPU_H */
165 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
166 
+index 77d9f68..ac25d1e5 100644
167 
+--- a/arch/x86/kernel/cpu/intel.c
168 
+@@ -119,6 +119,7 @@ static void early_init_intel(struct cpuinfo_x86 *c)
169 
+ 		setup_clear_cpu_cap(X86_FEATURE_STIBP);
170 
+ 		setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
171 
+ 		setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
172 
++		setup_clear_cpu_cap(X86_FEATURE_RDS);
173 
+ 	}
174 
+
175 
+ 	/*
176 
+--
177 
+2.7.4
178 
+
SPECS/linux/speculative-store-bypass/0065-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch
History View file @ 4ab22c2
0 179 
new file mode 100644
... ... 
@@ -0,0 +1,72 @@
0 
+From 7653c8cd3621983db284145a44acd3b5b0010caf Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:44 -0700
3 
+Subject: [PATCH 065/103] x86/bugs: Whitelist allowed SPEC_CTRL MSR values
4 
+
5 
+commit 1115a859f33276fe8afb31c60cf9d8e657872558 upstream
6 
+
7 
+Intel and AMD SPEC_CTRL (0x48) MSR semantics may differ in the
8 
+future (or in fact use different MSRs for the same functionality).
9 
+
10 
+As such a run-time mechanism is required to whitelist the appropriate MSR
11 
+values.
12 
+
13 
+[ tglx: Made the variable __ro_after_init ]
14 
+[ Srivatsa: Removed __ro_after_init for 4.4.y ]
15 
+
16 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
17 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
18 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
19 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
20 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
21 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
22 
+---
23 
+ arch/x86/kernel/cpu/bugs.c | 11 +++++++++--
24 
+ 1 file changed, 9 insertions(+), 2 deletions(-)
25 
+
26 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
27 
+index 56b84a5..c37e211 100644
28 
+--- a/arch/x86/kernel/cpu/bugs.c
29 
+@@ -34,6 +34,12 @@ static void __init ssb_select_mitigation(void);
30 
+  */
31 
+ static u64 x86_spec_ctrl_base;
32 
+
33 
++/*
34 
++ * The vendor and possibly platform specific bits which can be modified in
35 
++ * x86_spec_ctrl_base.
36 
++ */
37 
++static u64 x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS;
38 
++
39 
+ void __init check_bugs(void)
40 
+ {
41 
+ 	identify_boot_cpu();
42 
+@@ -116,7 +122,7 @@ static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
43 
+
44 
+ void x86_spec_ctrl_set(u64 val)
45 
+ {
46 
+-	if (val & ~(SPEC_CTRL_IBRS | SPEC_CTRL_RDS))
47 
++	if (val & x86_spec_ctrl_mask)
48 
+ 		WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
49 
+ 	else
50 
+ 		wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
51 
+@@ -458,6 +464,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
52 
+ 		switch (boot_cpu_data.x86_vendor) {
53 
+ 		case X86_VENDOR_INTEL:
54 
+ 			x86_spec_ctrl_base |= SPEC_CTRL_RDS;
55 
++			x86_spec_ctrl_mask &= ~SPEC_CTRL_RDS;
56 
+ 			x86_spec_ctrl_set(SPEC_CTRL_RDS);
57 
+ 			break;
58 
+ 		case X86_VENDOR_AMD:
59 
+@@ -481,7 +488,7 @@ static void ssb_select_mitigation()
60 
+ void x86_spec_ctrl_setup_ap(void)
61 
+ {
62 
+ 	if (boot_cpu_has(X86_FEATURE_IBRS))
63 
+-		x86_spec_ctrl_set(x86_spec_ctrl_base & (SPEC_CTRL_IBRS | SPEC_CTRL_RDS));
64 
++		x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
65 
+ }
66 
+
67 
+ #ifdef CONFIG_SYSFS
68 
+--
69 
+2.7.4
70 
+
SPECS/linux/speculative-store-bypass/0066-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch
History View file @ 4ab22c2
0 71 
new file mode 100644
... ... 
@@ -0,0 +1,203 @@
0 
+From 13dfae0ec4bcae824d5d895d05ecf598daf48d34 Mon Sep 17 00:00:00 2001
1 
+From: David Woodhouse <dwmw@amazon.co.uk>
2 
+Date: Thu, 14 Jun 2018 14:56:45 -0700
3 
+Subject: [PATCH 066/103] x86/bugs/AMD: Add support to disable RDS on
4 
+ Fam[15,16,17]h if requested
5 
+
6 
+commit 764f3c21588a059cd783c6ba0734d4db2d72822d upstream
7 
+
8 
+AMD does not need the Speculative Store Bypass mitigation to be enabled.
9 
+
10 
+The parameters for this are already available and can be done via MSR
11 
+C001_1020. Each family uses a different bit in that MSR for this.
12 
+
13 
+[ tglx: Expose the bit mask via a variable and move the actual MSR fiddling
14 
+  	into the bugs code as that's the right thing to do and also required
15 
+	to prepare for dynamic enable/disable ]
16 
+
17 
+[ Srivatsa: Removed __ro_after_init for 4.4.y ]
18 
+
19 
+Suggested-by: Borislav Petkov <bp@suse.de>
20 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
21 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
22 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
23 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
24 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
26 
+---
27 
+ arch/x86/include/asm/cpufeatures.h   |  1 +
28 
+ arch/x86/include/asm/nospec-branch.h |  4 ++++
29 
+ arch/x86/kernel/cpu/amd.c            | 26 ++++++++++++++++++++++++++
30 
+ arch/x86/kernel/cpu/bugs.c           | 27 ++++++++++++++++++++++++++-
31 
+ arch/x86/kernel/cpu/common.c         |  4 ++++
32 
+ 5 files changed, 61 insertions(+), 1 deletion(-)
33 
+
34 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
35 
+index 7cc4937..b2855ae 100644
36 
+--- a/arch/x86/include/asm/cpufeatures.h
37 
+@@ -204,6 +204,7 @@
38 
+ #define X86_FEATURE_USE_IBPB	( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/
39 
+ #define X86_FEATURE_USE_IBRS_FW	( 7*32+22) /* "" Use IBRS during runtime firmware calls */
40 
+ #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE	( 7*32+23) /* "" Disable Speculative Store Bypass. */
41 
++#define X86_FEATURE_AMD_RDS	(7*32+24)  /* "" AMD RDS implementation */
42 
+
43 
+ /* Virtualization flags: Linux defined, word 8 */
44 
+ #define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
45 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
46 
+index c786d01..ac2fdc96 100644
47 
+--- a/arch/x86/include/asm/nospec-branch.h
48 
+@@ -199,6 +199,10 @@ enum ssb_mitigation {
49 
+ 	SPEC_STORE_BYPASS_DISABLE,
50 
+ };
51 
+
52 
++/* AMD specific Speculative Store Bypass MSR data */
53 
++extern u64 x86_amd_ls_cfg_base;
54 
++extern u64 x86_amd_ls_cfg_rds_mask;
55 
++
56 
+ extern char __indirect_thunk_start[];
57 
+ extern char __indirect_thunk_end[];
58 
+
59 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
60 
+index 9b29414..4452f38 100644
61 
+--- a/arch/x86/kernel/cpu/amd.c
62 
+@@ -9,6 +9,7 @@
63 
+ #include <asm/processor.h>
64 
+ #include <asm/apic.h>
65 
+ #include <asm/cpu.h>
66 
++#include <asm/nospec-branch.h>
67 
+ #include <asm/smp.h>
68 
+ #include <asm/pci-direct.h>
69 
+ #include <asm/delay.h>
70 
+@@ -519,6 +520,26 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
71 
+
72 
+ 	if (cpu_has(c, X86_FEATURE_MWAITX))
73 
+ 		use_mwaitx_delay();
74 
++
75 
++	if (c->x86 >= 0x15 && c->x86 <= 0x17) {
76 
++		unsigned int bit;
77 
++
78 
++		switch (c->x86) {
79 
++		case 0x15: bit = 54; break;
80 
++		case 0x16: bit = 33; break;
81 
++		case 0x17: bit = 10; break;
82 
++		default: return;
83 
++		}
84 
++		/*
85 
++		 * Try to cache the base value so further operations can
86 
++		 * avoid RMW. If that faults, do not enable RDS.
87 
++		 */
88 
++		if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) {
89 
++			setup_force_cpu_cap(X86_FEATURE_RDS);
90 
++			setup_force_cpu_cap(X86_FEATURE_AMD_RDS);
91 
++			x86_amd_ls_cfg_rds_mask = 1ULL << bit;
92 
++		}
93 
++	}
94 
+ }
95 
+
96 
+ static void early_init_amd(struct cpuinfo_x86 *c)
97 
+@@ -794,6 +815,11 @@ static void init_amd(struct cpuinfo_x86 *c)
98 
+ 	/* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */
99 
+ 	if (!cpu_has(c, X86_FEATURE_XENPV))
100 
+ 		set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
101 
++
102 
++	if (boot_cpu_has(X86_FEATURE_AMD_RDS)) {
103 
++		set_cpu_cap(c, X86_FEATURE_RDS);
104 
++		set_cpu_cap(c, X86_FEATURE_AMD_RDS);
105 
++	}
106 
+ }
107 
+
108 
+ #ifdef CONFIG_X86_32
109 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
110 
+index c37e211..b8911af 100644
111 
+--- a/arch/x86/kernel/cpu/bugs.c
112 
+@@ -40,6 +40,13 @@ static u64 x86_spec_ctrl_base;
113 
+  */
114 
+ static u64 x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS;
115 
+
116 
++/*
117 
++ * AMD specific MSR info for Speculative Store Bypass control.
118 
++ * x86_amd_ls_cfg_rds_mask is initialized in identify_boot_cpu().
119 
++ */
120 
++u64 x86_amd_ls_cfg_base;
121 
++u64 x86_amd_ls_cfg_rds_mask;
122 
++
123 
+ void __init check_bugs(void)
124 
+ {
125 
+ 	identify_boot_cpu();
126 
+@@ -51,7 +58,8 @@ void __init check_bugs(void)
127 
+
128 
+ 	/*
129 
+ 	 * Read the SPEC_CTRL MSR to account for reserved bits which may
130 
+-	 * have unknown values.
131 
++	 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
132 
++	 * init code as it is not enumerated and depends on the family.
133 
+ 	 */
134 
+ 	if (boot_cpu_has(X86_FEATURE_IBRS))
135 
+ 		rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
136 
+@@ -153,6 +161,14 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
137 
+ }
138 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
139 
+
140 
++static void x86_amd_rds_enable(void)
141 
++{
142 
++	u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_rds_mask;
143 
++
144 
++	if (boot_cpu_has(X86_FEATURE_AMD_RDS))
145 
++		wrmsrl(MSR_AMD64_LS_CFG, msrval);
146 
++}
147 
++
148 
+ #ifdef RETPOLINE
149 
+ static bool spectre_v2_bad_module;
150 
+
151 
+@@ -442,6 +458,11 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
152 
+
153 
+ 	switch (cmd) {
154 
+ 	case SPEC_STORE_BYPASS_CMD_AUTO:
155 
++		/*
156 
++		 * AMD platforms by default don't need SSB mitigation.
157 
++		 */
158 
++		if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
159 
++			break;
160 
+ 	case SPEC_STORE_BYPASS_CMD_ON:
161 
+ 		mode = SPEC_STORE_BYPASS_DISABLE;
162 
+ 		break;
163 
+@@ -468,6 +489,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
164 
+ 			x86_spec_ctrl_set(SPEC_CTRL_RDS);
165 
+ 			break;
166 
+ 		case X86_VENDOR_AMD:
167 
++			x86_amd_rds_enable();
168 
+ 			break;
169 
+ 		}
170 
+ 	}
171 
+@@ -489,6 +511,9 @@ void x86_spec_ctrl_setup_ap(void)
172 
+ {
173 
+ 	if (boot_cpu_has(X86_FEATURE_IBRS))
174 
+ 		x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
175 
++
176 
++	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
177 
++		x86_amd_rds_enable();
178 
+ }
179 
+
180 
+ #ifdef CONFIG_SYSFS
181 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
182 
+index 2f1d403..7405c86 100644
183 
+--- a/arch/x86/kernel/cpu/common.c
184 
+@@ -851,6 +851,10 @@ static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = {
185 
+ 	{ X86_VENDOR_CENTAUR,	5,					},
186 
+ 	{ X86_VENDOR_INTEL,	5,					},
187 
+ 	{ X86_VENDOR_NSC,	5,					},
188 
++	{ X86_VENDOR_AMD,	0x12,					},
189 
++	{ X86_VENDOR_AMD,	0x11,					},
190 
++	{ X86_VENDOR_AMD,	0x10,					},
191 
++	{ X86_VENDOR_AMD,	0xf,					},
192 
+ 	{ X86_VENDOR_ANY,	4,					},
193 
+ 	{}
194 
+ };
195 
+--
196 
+2.7.4
197 
+
SPECS/linux/speculative-store-bypass/0067-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch
History View file @ 4ab22c2
0 198 
new file mode 100644
... ... 
@@ -0,0 +1,142 @@
0 
+From fd7e5a75bf526687f332e62d69f284f5c15060a1 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:46 -0700
3 
+Subject: [PATCH 067/103] x86/speculation: Create spec-ctrl.h to avoid include
4 
+ hell
5 
+
6 
+commit 28a2775217b17208811fa43a9e96bd1fdf417b86 upstream
7 
+
8 
+Having everything in nospec-branch.h creates a hell of dependencies when
9 
+adding the prctl based switching mechanism. Move everything which is not
10 
+required in nospec-branch.h to spec-ctrl.h and fix up the includes in the
11 
+relevant files.
12 
+
13 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
14 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
15 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
16 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
17 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
19 
+---
20 
+ arch/x86/include/asm/nospec-branch.h | 14 --------------
21 
+ arch/x86/include/asm/spec-ctrl.h     | 21 +++++++++++++++++++++
22 
+ arch/x86/kernel/cpu/amd.c            |  2 +-
23 
+ arch/x86/kernel/cpu/bugs.c           |  2 +-
24 
+ arch/x86/kvm/svm.c                   |  2 +-
25 
+ arch/x86/kvm/vmx.c                   |  2 +-
26 
+ 6 files changed, 25 insertions(+), 18 deletions(-)
27 
+ create mode 100644 arch/x86/include/asm/spec-ctrl.h
28 
+
29 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
30 
+index ac2fdc96..47c454c 100644
31 
+--- a/arch/x86/include/asm/nospec-branch.h
32 
+@@ -183,26 +183,12 @@ enum spectre_v2_mitigation {
33 
+ extern void x86_spec_ctrl_set(u64);
34 
+ extern u64 x86_spec_ctrl_get_default(void);
35 
+
36 
+-/*
37 
+- * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
38 
+- * the guest has, while on VMEXIT we restore the host view. This
39 
+- * would be easier if SPEC_CTRL were architecturally maskable or
40 
+- * shadowable for guests but this is not (currently) the case.
41 
+- * Takes the guest view of SPEC_CTRL MSR as a parameter.
42 
+- */
43 
+-extern void x86_spec_ctrl_set_guest(u64);
44 
+-extern void x86_spec_ctrl_restore_host(u64);
45 
+-
46 
+ /* The Speculative Store Bypass disable variants */
47 
+ enum ssb_mitigation {
48 
+ 	SPEC_STORE_BYPASS_NONE,
49 
+ 	SPEC_STORE_BYPASS_DISABLE,
50 
+ };
51 
+
52 
+-/* AMD specific Speculative Store Bypass MSR data */
53 
+-extern u64 x86_amd_ls_cfg_base;
54 
+-extern u64 x86_amd_ls_cfg_rds_mask;
55 
+-
56 
+ extern char __indirect_thunk_start[];
57 
+ extern char __indirect_thunk_end[];
58 
+
59 
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
60 
+new file mode 100644
61 
+index 0000000..3ad6442
62 
+--- /dev/null
63 
+@@ -0,0 +1,21 @@
64 
++/* SPDX-License-Identifier: GPL-2.0 */
65 
++#ifndef _ASM_X86_SPECCTRL_H_
66 
++#define _ASM_X86_SPECCTRL_H_
67 
++
68 
++#include <asm/nospec-branch.h>
69 
++
70 
++/*
71 
++ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
72 
++ * the guest has, while on VMEXIT we restore the host view. This
73 
++ * would be easier if SPEC_CTRL were architecturally maskable or
74 
++ * shadowable for guests but this is not (currently) the case.
75 
++ * Takes the guest view of SPEC_CTRL MSR as a parameter.
76 
++ */
77 
++extern void x86_spec_ctrl_set_guest(u64);
78 
++extern void x86_spec_ctrl_restore_host(u64);
79 
++
80 
++/* AMD specific Speculative Store Bypass MSR data */
81 
++extern u64 x86_amd_ls_cfg_base;
82 
++extern u64 x86_amd_ls_cfg_rds_mask;
83 
++
84 
++#endif
85 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
86 
+index 4452f38..14e9849 100644
87 
+--- a/arch/x86/kernel/cpu/amd.c
88 
+@@ -9,7 +9,7 @@
89 
+ #include <asm/processor.h>
90 
+ #include <asm/apic.h>
91 
+ #include <asm/cpu.h>
92 
+-#include <asm/nospec-branch.h>
93 
++#include <asm/spec-ctrl.h>
94 
+ #include <asm/smp.h>
95 
+ #include <asm/pci-direct.h>
96 
+ #include <asm/delay.h>
97 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
98 
+index b8911af..47a3cc0 100644
99 
+--- a/arch/x86/kernel/cpu/bugs.c
100 
+@@ -12,7 +12,7 @@
101 
+ #include <linux/cpu.h>
102 
+ #include <linux/module.h>
103 
+
104 
+-#include <asm/nospec-branch.h>
105 
++#include <asm/spec-ctrl.h>
106 
+ #include <asm/cmdline.h>
107 
+ #include <asm/bugs.h>
108 
+ #include <asm/processor.h>
109 
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
110 
+index 4265437..df7827a 100644
111 
+--- a/arch/x86/kvm/svm.c
112 
+@@ -37,7 +37,7 @@
113 
+ #include <asm/desc.h>
114 
+ #include <asm/debugreg.h>
115 
+ #include <asm/kvm_para.h>
116 
+-#include <asm/nospec-branch.h>
117 
++#include <asm/spec-ctrl.h>
118 
+
119 
+ #include <asm/virtext.h>
120 
+ #include "trace.h"
121 
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
122 
+index a750fc7..017948c 100644
123 
+--- a/arch/x86/kvm/vmx.c
124 
+@@ -48,7 +48,7 @@
125 
+ #include <asm/kexec.h>
126 
+ #include <asm/apic.h>
127 
+ #include <asm/irq_remapping.h>
128 
+-#include <asm/nospec-branch.h>
129 
++#include <asm/spec-ctrl.h>
130 
+
131 
+ #include "trace.h"
132 
+ #include "pmu.h"
133 
+--
134 
+2.7.4
135 
+
SPECS/linux/speculative-store-bypass/0068-prctl-Add-speculation-control-prctls.patch
History View file @ 4ab22c2
0 136 
new file mode 100644
... ... 
@@ -0,0 +1,231 @@
0 
+From defa653b86616b3d1732148af484441852ad759d Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:46 -0700
3 
+Subject: [PATCH 068/103] prctl: Add speculation control prctls
4 
+
5 
+commit b617cfc858161140d69cc0b5cc211996b557a1c7 upstream
6 
+
7 
+Add two new prctls to control aspects of speculation related vulnerabilites
8 
+and their mitigations to provide finer grained control over performance
9 
+impacting mitigations.
10 
+
11 
+PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
12 
+which is selected with arg2 of prctl(2). The return value uses bit 0-2 with
13 
+the following meaning:
14 
+
15 
+Bit  Define           Description
16 
+0    PR_SPEC_PRCTL    Mitigation can be controlled per task by
17 
+                      PR_SET_SPECULATION_CTRL
18 
+1    PR_SPEC_ENABLE   The speculation feature is enabled, mitigation is
19 
+                      disabled
20 
+2    PR_SPEC_DISABLE  The speculation feature is disabled, mitigation is
21 
+                      enabled
22 
+
23 
+If all bits are 0 the CPU is not affected by the speculation misfeature.
24 
+
25 
+If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
26 
+available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
27 
+misfeature will fail.
28 
+
29 
+PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
30 
+is selected by arg2 of prctl(2) per task. arg3 is used to hand in the
31 
+control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
32 
+
33 
+The common return values are:
34 
+
35 
+EINVAL  prctl is not implemented by the architecture or the unused prctl()
36 
+        arguments are not 0
37 
+ENODEV  arg2 is selecting a not supported speculation misfeature
38 
+
39 
+PR_SET_SPECULATION_CTRL has these additional return values:
40 
+
41 
+ERANGE  arg3 is incorrect, i.e. it's not either PR_SPEC_ENABLE or PR_SPEC_DISABLE
42 
+ENXIO   prctl control of the selected speculation misfeature is disabled
43 
+
44 
+The first supported controlable speculation misfeature is
45 
+PR_SPEC_STORE_BYPASS. Add the define so this can be shared between
46 
+architectures.
47 
+
48 
+Based on an initial patch from Tim Chen and mostly rewritten.
49 
+
50 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
51 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
52 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
53 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
54 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
55 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
56 
+---
57 
+ Documentation/spec_ctrl.txt | 86 +++++++++++++++++++++++++++++++++++++++++++++
58 
+ include/linux/nospec.h      |  5 +++
59 
+ include/uapi/linux/prctl.h  | 11 ++++++
60 
+ kernel/sys.c                | 20 +++++++++++
61 
+ 4 files changed, 122 insertions(+)
62 
+ create mode 100644 Documentation/spec_ctrl.txt
63 
+
64 
+diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt
65 
+new file mode 100644
66 
+index 0000000..ddbebcd
67 
+--- /dev/null
68 
+@@ -0,0 +1,86 @@
69 
++===================
70 
++Speculation Control
71 
++===================
72 
++
73 
++Quite some CPUs have speculation related misfeatures which are in fact
74 
++vulnerabilites causing data leaks in various forms even accross privilege
75 
++domains.
76 
++
77 
++The kernel provides mitigation for such vulnerabilities in various
78 
++forms. Some of these mitigations are compile time configurable and some on
79 
++the kernel command line.
80 
++
81 
++There is also a class of mitigations which are very expensive, but they can
82 
++be restricted to a certain set of processes or tasks in controlled
83 
++environments. The mechanism to control these mitigations is via
84 
++:manpage:`prctl(2)`.
85 
++
86 
++There are two prctl options which are related to this:
87 
++
88 
++ * PR_GET_SPECULATION_CTRL
89 
++
90 
++ * PR_SET_SPECULATION_CTRL
91 
++
92 
++PR_GET_SPECULATION_CTRL
93 
++-----------------------
94 
++
95 
++PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
96 
++which is selected with arg2 of prctl(2). The return value uses bits 0-2 with
97 
++the following meaning:
98 
++
99 
++==== ================ ===================================================
100 
++Bit  Define           Description
101 
++==== ================ ===================================================
102 
++0    PR_SPEC_PRCTL    Mitigation can be controlled per task by
103 
++                      PR_SET_SPECULATION_CTRL
104 
++1    PR_SPEC_ENABLE   The speculation feature is enabled, mitigation is
105 
++                      disabled
106 
++2    PR_SPEC_DISABLE  The speculation feature is disabled, mitigation is
107 
++                      enabled
108 
++==== ================ ===================================================
109 
++
110 
++If all bits are 0 the CPU is not affected by the speculation misfeature.
111 
++
112 
++If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
113 
++available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
114 
++misfeature will fail.
115 
++
116 
++PR_SET_SPECULATION_CTRL
117 
++-----------------------
118 
++PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
119 
++is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
120 
++in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
121 
++
122 
++Common error codes
123 
++------------------
124 
++======= =================================================================
125 
++Value   Meaning
126 
++======= =================================================================
127 
++EINVAL  The prctl is not implemented by the architecture or unused
128 
++        prctl(2) arguments are not 0
129 
++
130 
++ENODEV  arg2 is selecting a not supported speculation misfeature
131 
++======= =================================================================
132 
++
133 
++PR_SET_SPECULATION_CTRL error codes
134 
++-----------------------------------
135 
++======= =================================================================
136 
++Value   Meaning
137 
++======= =================================================================
138 
++0       Success
139 
++
140 
++ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
141 
++        PR_SPEC_DISABLE
142 
++
143 
++ENXIO   Control of the selected speculation misfeature is not possible.
144 
++        See PR_GET_SPECULATION_CTRL.
145 
++======= =================================================================
146 
++
147 
++Speculation misfeature controls
148 
++-------------------------------
149 
++- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
150 
++
151 
++  Invocations:
152 
++   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
153 
++   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
154 
++   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
155 
+diff --git a/include/linux/nospec.h b/include/linux/nospec.h
156 
+index e791ebc..700bb8a 100644
157 
+--- a/include/linux/nospec.h
158 
+@@ -55,4 +55,9 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
159 
+ 									\
160 
+ 	(typeof(_i)) (_i & _mask);					\
161 
+ })
162 
++
163 
++/* Speculation control prctl */
164 
++int arch_prctl_spec_ctrl_get(unsigned long which);
165 
++int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl);
166 
++
167 
+ #endif /* _LINUX_NOSPEC_H */
168 
+diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
169 
+index a8d0759..3b316be 100644
170 
+--- a/include/uapi/linux/prctl.h
171 
+@@ -197,4 +197,15 @@ struct prctl_mm_map {
172 
+ # define PR_CAP_AMBIENT_LOWER		3
173 
+ # define PR_CAP_AMBIENT_CLEAR_ALL	4
174 
+
175 
++/* Per task speculation control */
176 
++#define PR_GET_SPECULATION_CTRL		52
177 
++#define PR_SET_SPECULATION_CTRL		53
178 
++/* Speculation control variants */
179 
++# define PR_SPEC_STORE_BYPASS		0
180 
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
181 
++# define PR_SPEC_NOT_AFFECTED		0
182 
++# define PR_SPEC_PRCTL			(1UL << 0)
183 
++# define PR_SPEC_ENABLE			(1UL << 1)
184 
++# define PR_SPEC_DISABLE		(1UL << 2)
185 
++
186 
+ #endif /* _LINUX_PRCTL_H */
187 
+diff --git a/kernel/sys.c b/kernel/sys.c
188 
+index 6624919..d80c33f 100644
189 
+--- a/kernel/sys.c
190 
+@@ -2075,6 +2075,16 @@ static int prctl_get_tid_address(struct task_struct *me, int __user **tid_addr)
191 
+ }
192 
+ #endif
193 
+
194 
++int __weak arch_prctl_spec_ctrl_get(unsigned long which)
195 
++{
196 
++	return -EINVAL;
197 
++}
198 
++
199 
++int __weak arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
200 
++{
201 
++	return -EINVAL;
202 
++}
203 
++
204 
+ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
205 
+ 		unsigned long, arg4, unsigned long, arg5)
206 
+ {
207 
+@@ -2269,6 +2279,16 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
208 
+ 	case PR_GET_FP_MODE:
209 
+ 		error = GET_FP_MODE(me);
210 
+ 		break;
211 
++	case PR_GET_SPECULATION_CTRL:
212 
++		if (arg3 || arg4 || arg5)
213 
++			return -EINVAL;
214 
++		error = arch_prctl_spec_ctrl_get(arg2);
215 
++		break;
216 
++	case PR_SET_SPECULATION_CTRL:
217 
++		if (arg4 || arg5)
218 
++			return -EINVAL;
219 
++		error = arch_prctl_spec_ctrl_set(arg2, arg3);
220 
++		break;
221 
+ 	default:
222 
+ 		error = -EINVAL;
223 
+ 		break;
224 
+--
225 
+2.7.4
226 
+
SPECS/linux/speculative-store-bypass/0069-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch
History View file @ 4ab22c2
0 227 
new file mode 100644
... ... 
@@ -0,0 +1,127 @@
0 
+From 5f4c7743ab3f94aee6ea29390a99e5c7d0616c8d Mon Sep 17 00:00:00 2001
1 
+From: Kyle Huey <me@kylehuey.com>
2 
+Date: Thu, 14 Jun 2018 14:56:47 -0700
3 
+Subject: [PATCH 069/103] x86/process: Optimize TIF checks in
4 
+ __switch_to_xtra()
5 
+
6 
+commit af8b3cd3934ec60f4c2a420d19a9d416554f140b upstream
7 
+
8 
+Help the compiler to avoid reevaluating the thread flags for each checked
9 
+bit by reordering the bit checks and providing an explicit xor for
10 
+evaluation.
11 
+
12 
+With default defconfigs for each arch,
13 
+
14 
+x86_64: arch/x86/kernel/process.o
15 
+text       data     bss     dec     hex
16 
+3056       8577      16   11649    2d81	Before
17 
+3024	   8577      16	  11617	   2d61	After
18 
+
19 
+i386: arch/x86/kernel/process.o
20 
+text       data     bss     dec     hex
21 
+2957	   8673	      8	  11638	   2d76	Before
22 
+2925	   8673       8	  11606	   2d56	After
23 
+
24 
+Originally-by: Thomas Gleixner <tglx@linutronix.de>
25 
+Signed-off-by: Kyle Huey <khuey@kylehuey.com>
26 
+Cc: Peter Zijlstra <peterz@infradead.org>
27 
+Cc: Andy Lutomirski <luto@kernel.org>
28 
+Link: http://lkml.kernel.org/r/20170214081104.9244-2-khuey@kylehuey.com
29 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
30 
+
31 
+[dwmw2: backported to make TIF_RDS handling simpler.
32 
+        No deferred TR reload.]
33 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
34 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
35 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
36 
+---
37 
+ arch/x86/kernel/process.c | 54 +++++++++++++++++++++++++++--------------------
38 
+ 1 file changed, 31 insertions(+), 23 deletions(-)
39 
+
40 
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
41 
+index 7c5c5dc..cc0f288 100644
42 
+--- a/arch/x86/kernel/process.c
43 
+@@ -188,48 +188,56 @@ int set_tsc_mode(unsigned int val)
44 
+ 	return 0;
45 
+ }
46 
+
47 
++static inline void switch_to_bitmap(struct tss_struct *tss,
48 
++				    struct thread_struct *prev,
49 
++				    struct thread_struct *next,
50 
++				    unsigned long tifp, unsigned long tifn)
51 
++{
52 
++	if (tifn & _TIF_IO_BITMAP) {
53 
++		/*
54 
++		 * Copy the relevant range of the IO bitmap.
55 
++		 * Normally this is 128 bytes or less:
56 
++		 */
57 
++		memcpy(tss->io_bitmap, next->io_bitmap_ptr,
58 
++		       max(prev->io_bitmap_max, next->io_bitmap_max));
59 
++	} else if (tifp & _TIF_IO_BITMAP) {
60 
++		/*
61 
++		 * Clear any possible leftover bits:
62 
++		 */
63 
++		memset(tss->io_bitmap, 0xff, prev->io_bitmap_max);
64 
++	}
65 
++}
66 
++
67 
+ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
68 
+ 		      struct tss_struct *tss)
69 
+ {
70 
+ 	struct thread_struct *prev, *next;
71 
++	unsigned long tifp, tifn;
72 
+
73 
+ 	prev = &prev_p->thread;
74 
+ 	next = &next_p->thread;
75 
+
76 
+-	if (test_tsk_thread_flag(prev_p, TIF_BLOCKSTEP) ^
77 
+-	    test_tsk_thread_flag(next_p, TIF_BLOCKSTEP)) {
78 
++	tifn = READ_ONCE(task_thread_info(next_p)->flags);
79 
++	tifp = READ_ONCE(task_thread_info(prev_p)->flags);
80 
++	switch_to_bitmap(tss, prev, next, tifp, tifn);
81 
++
82 
++	propagate_user_return_notify(prev_p, next_p);
83 
++
84 
++	if ((tifp ^ tifn) & _TIF_BLOCKSTEP) {
85 
+ 		unsigned long debugctl = get_debugctlmsr();
86 
+
87 
+ 		debugctl &= ~DEBUGCTLMSR_BTF;
88 
+-		if (test_tsk_thread_flag(next_p, TIF_BLOCKSTEP))
89 
++		if (tifn & _TIF_BLOCKSTEP)
90 
+ 			debugctl |= DEBUGCTLMSR_BTF;
91 
+-
92 
+ 		update_debugctlmsr(debugctl);
93 
+ 	}
94 
+
95 
+-	if (test_tsk_thread_flag(prev_p, TIF_NOTSC) ^
96 
+-	    test_tsk_thread_flag(next_p, TIF_NOTSC)) {
97 
+-		/* prev and next are different */
98 
+-		if (test_tsk_thread_flag(next_p, TIF_NOTSC))
99 
++	if ((tifp ^ tifn) & _TIF_NOTSC) {
100 
++		if (tifn & _TIF_NOTSC)
101 
+ 			hard_disable_TSC();
102 
+ 		else
103 
+ 			hard_enable_TSC();
104 
+ 	}
105 
+-
106 
+-	if (test_tsk_thread_flag(next_p, TIF_IO_BITMAP)) {
107 
+-		/*
108 
+-		 * Copy the relevant range of the IO bitmap.
109 
+-		 * Normally this is 128 bytes or less:
110 
+-		 */
111 
+-		memcpy(tss->io_bitmap, next->io_bitmap_ptr,
112 
+-		       max(prev->io_bitmap_max, next->io_bitmap_max));
113 
+-	} else if (test_tsk_thread_flag(prev_p, TIF_IO_BITMAP)) {
114 
+-		/*
115 
+-		 * Clear any possible leftover bits:
116 
+-		 */
117 
+-		memset(tss->io_bitmap, 0xff, prev->io_bitmap_max);
118 
+-	}
119 
+-	propagate_user_return_notify(prev_p, next_p);
120 
+ }
121 
+
122 
+ /*
123 
+--
124 
+2.7.4
125 
+
SPECS/linux/speculative-store-bypass/0070-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch
History View file @ 4ab22c2
0 126 
new file mode 100644
... ... 
@@ -0,0 +1,86 @@
0 
+From 44b79bc3284f1e828fdf6b72346ecf6b4c123dd8 Mon Sep 17 00:00:00 2001
1 
+From: Kyle Huey <me@kylehuey.com>
2 
+Date: Thu, 14 Jun 2018 14:56:47 -0700
3 
+Subject: [PATCH 070/103] x86/process: Correct and optimize TIF_BLOCKSTEP
4 
+ switch
5 
+
6 
+commit b9894a2f5bd18b1691cb6872c9afe32b148d0132 upstream
7 
+
8 
+The debug control MSR is "highly magical" as the blockstep bit can be
9 
+cleared by hardware under not well documented circumstances.
10 
+
11 
+So a task switch relying on the bit set by the previous task (according to
12 
+the previous tasks thread flags) can trip over this and not update the flag
13 
+for the next task.
14 
+
15 
+To fix this its required to handle DEBUGCTLMSR_BTF when either the previous
16 
+or the next or both tasks have the TIF_BLOCKSTEP flag set.
17 
+
18 
+While at it avoid branching within the TIF_BLOCKSTEP case and evaluating
19 
+boot_cpu_data twice in kernels without CONFIG_X86_DEBUGCTLMSR.
20 
+
21 
+x86_64: arch/x86/kernel/process.o
22 
+text	data	bss	dec	 hex
23 
+3024    8577    16      11617    2d61	Before
24 
+3008	8577	16	11601	 2d51	After
25 
+
26 
+i386: No change
27 
+
28 
+[ tglx: Made the shift value explicit, use a local variable to make the
29 
+code readable and massaged changelog]
30 
+
31 
+Originally-by: Thomas Gleixner <tglx@linutronix.de>
32 
+Signed-off-by: Kyle Huey <khuey@kylehuey.com>
33 
+Cc: Peter Zijlstra <peterz@infradead.org>
34 
+Cc: Andy Lutomirski <luto@kernel.org>
35 
+Link: http://lkml.kernel.org/r/20170214081104.9244-3-khuey@kylehuey.com
36 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
37 
+
38 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
39 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
40 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
41 
+---
42 
+ arch/x86/include/asm/msr-index.h |  1 +
43 
+ arch/x86/kernel/process.c        | 12 +++++++-----
44 
+ 2 files changed, 8 insertions(+), 5 deletions(-)
45 
+
46 
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
47 
+index a29edb7..71a2c84 100644
48 
+--- a/arch/x86/include/asm/msr-index.h
49 
+@@ -150,6 +150,7 @@
50 
+
51 
+ /* DEBUGCTLMSR bits (others vary by model): */
52 
+ #define DEBUGCTLMSR_LBR			(1UL <<  0) /* last branch recording */
53 
++#define DEBUGCTLMSR_BTF_SHIFT		1
54 
+ #define DEBUGCTLMSR_BTF			(1UL <<  1) /* single-step on branches */
55 
+ #define DEBUGCTLMSR_TR			(1UL <<  6)
56 
+ #define DEBUGCTLMSR_BTS			(1UL <<  7)
57 
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
58 
+index cc0f288..166aef3 100644
59 
+--- a/arch/x86/kernel/process.c
60 
+@@ -223,13 +223,15 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
61 
+
62 
+ 	propagate_user_return_notify(prev_p, next_p);
63 
+
64 
+-	if ((tifp ^ tifn) & _TIF_BLOCKSTEP) {
65 
+-		unsigned long debugctl = get_debugctlmsr();
66 
++	if ((tifp & _TIF_BLOCKSTEP || tifn & _TIF_BLOCKSTEP) &&
67 
++	    arch_has_block_step()) {
68 
++		unsigned long debugctl, msk;
69 
+
70 
++		rdmsrl(MSR_IA32_DEBUGCTLMSR, debugctl);
71 
+ 		debugctl &= ~DEBUGCTLMSR_BTF;
72 
+-		if (tifn & _TIF_BLOCKSTEP)
73 
+-			debugctl |= DEBUGCTLMSR_BTF;
74 
+-		update_debugctlmsr(debugctl);
75 
++		msk = tifn & _TIF_BLOCKSTEP;
76 
++		debugctl |= (msk >> TIF_BLOCKSTEP) << DEBUGCTLMSR_BTF_SHIFT;
77 
++		wrmsrl(MSR_IA32_DEBUGCTLMSR, debugctl);
78 
+ 	}
79 
+
80 
+ 	if ((tifp ^ tifn) & _TIF_NOTSC) {
81 
+--
82 
+2.7.4
83 
+
SPECS/linux/speculative-store-bypass/0071-x86-process-Optimize-TIF_NOTSC-switch.patch
History View file @ 4ab22c2
0 84 
new file mode 100644
... ... 
@@ -0,0 +1,113 @@
0 
+From fa7cc912df328811b26a4666919a9c395a2f5c79 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:48 -0700
3 
+Subject: [PATCH 071/103] x86/process: Optimize TIF_NOTSC switch
4 
+
5 
+commit 5a920155e388ec22a22e0532fb695b9215c9b34d upstream
6 
+
7 
+Provide and use a toggle helper instead of doing it with a branch.
8 
+
9 
+x86_64: arch/x86/kernel/process.o
10 
+text	   data	    bss	    dec	    hex
11 
+3008	   8577	     16	  11601	   2d51 Before
12 
+2976       8577      16	  11569	   2d31 After
13 
+
14 
+i386: arch/x86/kernel/process.o
15 
+text	   data	    bss	    dec	    hex
16 
+2925	   8673	      8	  11606	   2d56 Before
17 
+2893	   8673       8	  11574	   2d36 After
18 
+
19 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
20 
+Cc: Peter Zijlstra <peterz@infradead.org>
21 
+Cc: Andy Lutomirski <luto@kernel.org>
22 
+Link: http://lkml.kernel.org/r/20170214081104.9244-4-khuey@kylehuey.com
23 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
24 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
25 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
27 
+---
28 
+ arch/x86/include/asm/tlbflush.h | 10 ++++++++++
29 
+ arch/x86/kernel/process.c       | 22 ++++------------------
30 
+ 2 files changed, 14 insertions(+), 18 deletions(-)
31 
+
32 
+diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
33 
+index 8ce07db..72cfe3e 100644
34 
+--- a/arch/x86/include/asm/tlbflush.h
35 
+@@ -111,6 +111,16 @@ static inline void cr4_clear_bits(unsigned long mask)
36 
+ 	}
37 
+ }
38 
+
39 
++static inline void cr4_toggle_bits(unsigned long mask)
40 
++{
41 
++	unsigned long cr4;
42 
++
43 
++	cr4 = this_cpu_read(cpu_tlbstate.cr4);
44 
++	cr4 ^= mask;
45 
++	this_cpu_write(cpu_tlbstate.cr4, cr4);
46 
++	__write_cr4(cr4);
47 
++}
48 
++
49 
+ /* Read the CR4 shadow. */
50 
+ static inline unsigned long cr4_read_shadow(void)
51 
+ {
52 
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
53 
+index 166aef3..d112963 100644
54 
+--- a/arch/x86/kernel/process.c
55 
+@@ -130,11 +130,6 @@ void flush_thread(void)
56 
+ 	fpu__clear(&tsk->thread.fpu);
57 
+ }
58 
+
59 
+-static void hard_disable_TSC(void)
60 
+-{
61 
+-	cr4_set_bits(X86_CR4_TSD);
62 
+-}
63 
+-
64 
+ void disable_TSC(void)
65 
+ {
66 
+ 	preempt_disable();
67 
+@@ -143,15 +138,10 @@ void disable_TSC(void)
68 
+ 		 * Must flip the CPU state synchronously with
69 
+ 		 * TIF_NOTSC in the current running context.
70 
+ 		 */
71 
+-		hard_disable_TSC();
72 
++		cr4_set_bits(X86_CR4_TSD);
73 
+ 	preempt_enable();
74 
+ }
75 
+
76 
+-static void hard_enable_TSC(void)
77 
+-{
78 
+-	cr4_clear_bits(X86_CR4_TSD);
79 
+-}
80 
+-
81 
+ static void enable_TSC(void)
82 
+ {
83 
+ 	preempt_disable();
84 
+@@ -160,7 +150,7 @@ static void enable_TSC(void)
85 
+ 		 * Must flip the CPU state synchronously with
86 
+ 		 * TIF_NOTSC in the current running context.
87 
+ 		 */
88 
+-		hard_enable_TSC();
89 
++		cr4_clear_bits(X86_CR4_TSD);
90 
+ 	preempt_enable();
91 
+ }
92 
+
93 
+@@ -234,12 +224,8 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
94 
+ 		wrmsrl(MSR_IA32_DEBUGCTLMSR, debugctl);
95 
+ 	}
96 
+
97 
+-	if ((tifp ^ tifn) & _TIF_NOTSC) {
98 
+-		if (tifn & _TIF_NOTSC)
99 
+-			hard_disable_TSC();
100 
+-		else
101 
+-			hard_enable_TSC();
102 
+-	}
103 
++	if ((tifp ^ tifn) & _TIF_NOTSC)
104 
++		cr4_toggle_bits(X86_CR4_TSD);
105 
+ }
106 
+
107 
+ /*
108 
+--
109 
+2.7.4
110 
+
SPECS/linux/speculative-store-bypass/0072-x86-process-Allow-runtime-control-of-Speculative-Sto.patch
History View file @ 4ab22c2
0 111 
new file mode 100644
... ... 
@@ -0,0 +1,230 @@
0 
+From 627b07256b8886bafe78162b645fc0fc9f80b933 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:48 -0700
3 
+Subject: [PATCH 072/103] x86/process: Allow runtime control of Speculative
4 
+ Store Bypass
5 
+
6 
+commit 885f82bfbc6fefb6664ea27965c3ab9ac4194b8c upstream
7 
+
8 
+The Speculative Store Bypass vulnerability can be mitigated with the
9 
+Reduced Data Speculation (RDS) feature. To allow finer grained control of
10 
+this eventually expensive mitigation a per task mitigation control is
11 
+required.
12 
+
13 
+Add a new TIF_RDS flag and put it into the group of TIF flags which are
14 
+evaluated for mismatch in switch_to(). If these bits differ in the previous
15 
+and the next task, then the slow path function __switch_to_xtra() is
16 
+invoked. Implement the TIF_RDS dependent mitigation control in the slow
17 
+path.
18 
+
19 
+If the prctl for controlling Speculative Store Bypass is disabled or no
20 
+task uses the prctl then there is no overhead in the switch_to() fast
21 
+path.
22 
+
23 
+Update the KVM related speculation control functions to take TID_RDS into
24 
+account as well.
25 
+
26 
+Based on a patch from Tim Chen. Completely rewritten.
27 
+
28 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
29 
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
30 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
31 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
32 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
33 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
34 
+---
35 
+ arch/x86/include/asm/msr-index.h   |  3 ++-
36 
+ arch/x86/include/asm/spec-ctrl.h   | 17 +++++++++++++++++
37 
+ arch/x86/include/asm/thread_info.h |  6 ++++--
38 
+ arch/x86/kernel/cpu/bugs.c         | 26 +++++++++++++++++++++-----
39 
+ arch/x86/kernel/process.c          | 22 ++++++++++++++++++++++
40 
+ 5 files changed, 66 insertions(+), 8 deletions(-)
41 
+
42 
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
43 
+index 71a2c84..883cf0d 100644
44 
+--- a/arch/x86/include/asm/msr-index.h
45 
+@@ -35,7 +35,8 @@
46 
+ #define MSR_IA32_SPEC_CTRL		0x00000048 /* Speculation Control */
47 
+ #define SPEC_CTRL_IBRS			(1 << 0)   /* Indirect Branch Restricted Speculation */
48 
+ #define SPEC_CTRL_STIBP			(1 << 1)   /* Single Thread Indirect Branch Predictors */
49 
+-#define SPEC_CTRL_RDS			(1 << 2)   /* Reduced Data Speculation */
50 
++#define SPEC_CTRL_RDS_SHIFT		2	   /* Reduced Data Speculation bit */
51 
++#define SPEC_CTRL_RDS			(1 << SPEC_CTRL_RDS_SHIFT)   /* Reduced Data Speculation */
52 
+
53 
+ #define MSR_IA32_PRED_CMD		0x00000049 /* Prediction Command */
54 
+ #define PRED_CMD_IBPB			(1 << 0)   /* Indirect Branch Prediction Barrier */
55 
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
56 
+index 3ad6442..45ef00a 100644
57 
+--- a/arch/x86/include/asm/spec-ctrl.h
58 
+@@ -2,6 +2,7 @@
59 
+ #ifndef _ASM_X86_SPECCTRL_H_
60 
+ #define _ASM_X86_SPECCTRL_H_
61 
+
62 
++#include <linux/thread_info.h>
63 
+ #include <asm/nospec-branch.h>
64 
+
65 
+ /*
66 
+@@ -18,4 +19,20 @@ extern void x86_spec_ctrl_restore_host(u64);
67 
+ extern u64 x86_amd_ls_cfg_base;
68 
+ extern u64 x86_amd_ls_cfg_rds_mask;
69 
+
70 
++/* The Intel SPEC CTRL MSR base value cache */
71 
++extern u64 x86_spec_ctrl_base;
72 
++
73 
++static inline u64 rds_tif_to_spec_ctrl(u64 tifn)
74 
++{
75 
++	BUILD_BUG_ON(TIF_RDS < SPEC_CTRL_RDS_SHIFT);
76 
++	return (tifn & _TIF_RDS) >> (TIF_RDS - SPEC_CTRL_RDS_SHIFT);
77 
++}
78 
++
79 
++static inline u64 rds_tif_to_amd_ls_cfg(u64 tifn)
80 
++{
81 
++	return (tifn & _TIF_RDS) ? x86_amd_ls_cfg_rds_mask : 0ULL;
82 
++}
83 
++
84 
++extern void speculative_store_bypass_update(void);
85 
++
86 
+ #endif
87 
+diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
88 
+index 18c9aaa..36a49b4 100644
89 
+--- a/arch/x86/include/asm/thread_info.h
90 
+@@ -92,6 +92,7 @@ struct thread_info {
91 
+ #define TIF_SIGPENDING		2	/* signal pending */
92 
+ #define TIF_NEED_RESCHED	3	/* rescheduling necessary */
93 
+ #define TIF_SINGLESTEP		4	/* reenable singlestep on user return*/
94 
++#define TIF_RDS			5	/* Reduced data speculation */
95 
+ #define TIF_SYSCALL_EMU		6	/* syscall emulation active */
96 
+ #define TIF_SYSCALL_AUDIT	7	/* syscall auditing active */
97 
+ #define TIF_SECCOMP		8	/* secure computing */
98 
+@@ -114,8 +115,9 @@ struct thread_info {
99 
+ #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
100 
+ #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
101 
+ #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
102 
+-#define _TIF_SINGLESTEP		(1 << TIF_SINGLESTEP)
103 
+ #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
104 
++#define _TIF_SINGLESTEP		(1 << TIF_SINGLESTEP)
105 
++#define _TIF_RDS		(1 << TIF_RDS)
106 
+ #define _TIF_SYSCALL_EMU	(1 << TIF_SYSCALL_EMU)
107 
+ #define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
108 
+ #define _TIF_SECCOMP		(1 << TIF_SECCOMP)
109 
+@@ -147,7 +149,7 @@ struct thread_info {
110 
+
111 
+ /* flags to check in __switch_to() */
112 
+ #define _TIF_WORK_CTXSW							\
113 
+-	(_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP)
114 
++	(_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_RDS)
115 
+
116 
+ #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY)
117 
+ #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW)
118 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
119 
+index 47a3cc0..0f8303e 100644
120 
+--- a/arch/x86/kernel/cpu/bugs.c
121 
+@@ -32,7 +32,7 @@ static void __init ssb_select_mitigation(void);
122 
+  * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
123 
+  * writes to SPEC_CTRL contain whatever reserved bits have been set.
124 
+  */
125 
+-static u64 x86_spec_ctrl_base;
126 
++u64 x86_spec_ctrl_base;
127 
+
128 
+ /*
129 
+  * The vendor and possibly platform specific bits which can be modified in
130 
+@@ -139,25 +139,41 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);
131 
+
132 
+ u64 x86_spec_ctrl_get_default(void)
133 
+ {
134 
+-	return x86_spec_ctrl_base;
135 
++	u64 msrval = x86_spec_ctrl_base;
136 
++
137 
++	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
138 
++		msrval |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
139 
++	return msrval;
140 
+ }
141 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
142 
+
143 
+ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
144 
+ {
145 
++	u64 host = x86_spec_ctrl_base;
146 
++
147 
+ 	if (!boot_cpu_has(X86_FEATURE_IBRS))
148 
+ 		return;
149 
+-	if (x86_spec_ctrl_base != guest_spec_ctrl)
150 
++
151 
++	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
152 
++		host |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
153 
++
154 
++	if (host != guest_spec_ctrl)
155 
+ 		wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
156 
+ }
157 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
158 
+
159 
+ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
160 
+ {
161 
++	u64 host = x86_spec_ctrl_base;
162 
++
163 
+ 	if (!boot_cpu_has(X86_FEATURE_IBRS))
164 
+ 		return;
165 
+-	if (x86_spec_ctrl_base != guest_spec_ctrl)
166 
+-		wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
167 
++
168 
++	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
169 
++		host |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
170 
++
171 
++	if (host != guest_spec_ctrl)
172 
++		wrmsrl(MSR_IA32_SPEC_CTRL, host);
173 
+ }
174 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
175 
+
176 
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
177 
+index d112963..9689e92 100644
178 
+--- a/arch/x86/kernel/process.c
179 
+@@ -31,6 +31,7 @@
180 
+ #include <asm/tlbflush.h>
181 
+ #include <asm/mce.h>
182 
+ #include <asm/vm86.h>
183 
++#include <asm/spec-ctrl.h>
184 
+
185 
+ /*
186 
+  * per-CPU TSS segments. Threads are completely 'soft' on Linux,
187 
+@@ -198,6 +199,24 @@ static inline void switch_to_bitmap(struct tss_struct *tss,
188 
+ 	}
189 
+ }
190 
+
191 
++static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
192 
++{
193 
++	u64 msr;
194 
++
195 
++	if (static_cpu_has(X86_FEATURE_AMD_RDS)) {
196 
++		msr = x86_amd_ls_cfg_base | rds_tif_to_amd_ls_cfg(tifn);
197 
++		wrmsrl(MSR_AMD64_LS_CFG, msr);
198 
++	} else {
199 
++		msr = x86_spec_ctrl_base | rds_tif_to_spec_ctrl(tifn);
200 
++		wrmsrl(MSR_IA32_SPEC_CTRL, msr);
201 
++	}
202 
++}
203 
++
204 
++void speculative_store_bypass_update(void)
205 
++{
206 
++	__speculative_store_bypass_update(current_thread_info()->flags);
207 
++}
208 
++
209 
+ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
210 
+ 		      struct tss_struct *tss)
211 
+ {
212 
+@@ -226,6 +245,9 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
213 
+
214 
+ 	if ((tifp ^ tifn) & _TIF_NOTSC)
215 
+ 		cr4_toggle_bits(X86_CR4_TSD);
216 
++
217 
++	if ((tifp ^ tifn) & _TIF_RDS)
218 
++		__speculative_store_bypass_update(tifn);
219 
+ }
220 
+
221 
+ /*
222 
+--
223 
+2.7.4
224 
+
SPECS/linux/speculative-store-bypass/0073-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch
History View file @ 4ab22c2
0 225 
new file mode 100644
... ... 
@@ -0,0 +1,223 @@
0 
+From 34f2544cab4d92a7babfbd51e4278e740da1b544 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:49 -0700
3 
+Subject: [PATCH 073/103] x86/speculation: Add prctl for Speculative Store
4 
+ Bypass mitigation
5 
+
6 
+commit a73ec77ee17ec556fe7f165d00314cb7c047b1ac upstream
7 
+
8 
+Add prctl based control for Speculative Store Bypass mitigation and make it
9 
+the default mitigation for Intel and AMD.
10 
+
11 
+Andi Kleen provided the following rationale (slightly redacted):
12 
+
13 
+ There are multiple levels of impact of Speculative Store Bypass:
14 
+
15 
+ 1) JITed sandbox.
16 
+    It cannot invoke system calls, but can do PRIME+PROBE and may have call
17 
+    interfaces to other code
18 
+
19 
+ 2) Native code process.
20 
+    No protection inside the process at this level.
21 
+
22 
+ 3) Kernel.
23 
+
24 
+ 4) Between processes.
25 
+
26 
+ The prctl tries to protect against case (1) doing attacks.
27 
+
28 
+ If the untrusted code can do random system calls then control is already
29 
+ lost in a much worse way. So there needs to be system call protection in
30 
+ some way (using a JIT not allowing them or seccomp). Or rather if the
31 
+ process can subvert its environment somehow to do the prctl it can already
32 
+ execute arbitrary code, which is much worse than SSB.
33 
+
34 
+ To put it differently, the point of the prctl is to not allow JITed code
35 
+ to read data it shouldn't read from its JITed sandbox. If it already has
36 
+ escaped its sandbox then it can already read everything it wants in its
37 
+ address space, and do much worse.
38 
+
39 
+ The ability to control Speculative Store Bypass allows to enable the
40 
+ protection selectively without affecting overall system performance.
41 
+
42 
+Based on an initial patch from Tim Chen. Completely rewritten.
43 
+
44 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
45 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
46 
+
47 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
48 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
49 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
50 
+---
51 
+ Documentation/kernel-parameters.txt  |  6 ++-
52 
+ arch/x86/include/asm/nospec-branch.h |  1 +
53 
+ arch/x86/kernel/cpu/bugs.c           | 83 +++++++++++++++++++++++++++++++-----
54 
+ 3 files changed, 79 insertions(+), 11 deletions(-)
55 
+
56 
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
57 
+index dc138b8..80202de 100644
58 
+--- a/Documentation/kernel-parameters.txt
59 
+@@ -3651,7 +3651,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
60 
+ 			off    - Unconditionally enable Speculative Store Bypass
61 
+ 			auto   - Kernel detects whether the CPU model contains an
62 
+ 				 implementation of Speculative Store Bypass and
63 
+-				 picks the most appropriate mitigation
64 
++				 picks the most appropriate mitigation.
65 
++			prctl  - Control Speculative Store Bypass per thread
66 
++				 via prctl. Speculative Store Bypass is enabled
67 
++				 for a process by default. The state of the control
68 
++				 is inherited on fork.
69 
+
70 
+ 			Not specifying this option is equivalent to
71 
+ 			spec_store_bypass_disable=auto.
72 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
73 
+index 47c454c..155d955 100644
74 
+--- a/arch/x86/include/asm/nospec-branch.h
75 
+@@ -187,6 +187,7 @@ extern u64 x86_spec_ctrl_get_default(void);
76 
+ enum ssb_mitigation {
77 
+ 	SPEC_STORE_BYPASS_NONE,
78 
+ 	SPEC_STORE_BYPASS_DISABLE,
79 
++	SPEC_STORE_BYPASS_PRCTL,
80 
+ };
81 
+
82 
+ extern char __indirect_thunk_start[];
83 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
84 
+index 0f8303e..bcfccd3 100644
85 
+--- a/arch/x86/kernel/cpu/bugs.c
86 
+@@ -11,6 +11,8 @@
87 
+ #include <linux/utsname.h>
88 
+ #include <linux/cpu.h>
89 
+ #include <linux/module.h>
90 
++#include <linux/nospec.h>
91 
++#include <linux/prctl.h>
92 
+
93 
+ #include <asm/spec-ctrl.h>
94 
+ #include <asm/cmdline.h>
95 
+@@ -411,20 +413,23 @@ enum ssb_mitigation_cmd {
96 
+ 	SPEC_STORE_BYPASS_CMD_NONE,
97 
+ 	SPEC_STORE_BYPASS_CMD_AUTO,
98 
+ 	SPEC_STORE_BYPASS_CMD_ON,
99 
++	SPEC_STORE_BYPASS_CMD_PRCTL,
100 
+ };
101 
+
102 
+ static const char *ssb_strings[] = {
103 
+ 	[SPEC_STORE_BYPASS_NONE]	= "Vulnerable",
104 
+-	[SPEC_STORE_BYPASS_DISABLE]	= "Mitigation: Speculative Store Bypass disabled"
105 
++	[SPEC_STORE_BYPASS_DISABLE]	= "Mitigation: Speculative Store Bypass disabled",
106 
++	[SPEC_STORE_BYPASS_PRCTL]	= "Mitigation: Speculative Store Bypass disabled via prctl"
107 
+ };
108 
+
109 
+ static const struct {
110 
+ 	const char *option;
111 
+ 	enum ssb_mitigation_cmd cmd;
112 
+ } ssb_mitigation_options[] = {
113 
+-	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
114 
+-	{ "on",		SPEC_STORE_BYPASS_CMD_ON },   /* Disable Speculative Store Bypass */
115 
+-	{ "off",	SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
116 
++	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO },  /* Platform decides */
117 
++	{ "on",		SPEC_STORE_BYPASS_CMD_ON },    /* Disable Speculative Store Bypass */
118 
++	{ "off",	SPEC_STORE_BYPASS_CMD_NONE },  /* Don't touch Speculative Store Bypass */
119 
++	{ "prctl",	SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
120 
+ };
121 
+
122 
+ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
123 
+@@ -474,14 +479,15 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
124 
+
125 
+ 	switch (cmd) {
126 
+ 	case SPEC_STORE_BYPASS_CMD_AUTO:
127 
+-		/*
128 
+-		 * AMD platforms by default don't need SSB mitigation.
129 
+-		 */
130 
+-		if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
131 
+-			break;
132 
++		/* Choose prctl as the default mode */
133 
++		mode = SPEC_STORE_BYPASS_PRCTL;
134 
++		break;
135 
+ 	case SPEC_STORE_BYPASS_CMD_ON:
136 
+ 		mode = SPEC_STORE_BYPASS_DISABLE;
137 
+ 		break;
138 
++	case SPEC_STORE_BYPASS_CMD_PRCTL:
139 
++		mode = SPEC_STORE_BYPASS_PRCTL;
140 
++		break;
141 
+ 	case SPEC_STORE_BYPASS_CMD_NONE:
142 
+ 		break;
143 
+ 	}
144 
+@@ -492,7 +498,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
145 
+ 	 *  - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass
146 
+ 	 *  - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
147 
+ 	 */
148 
+-	if (mode != SPEC_STORE_BYPASS_NONE) {
149 
++	if (mode == SPEC_STORE_BYPASS_DISABLE) {
150 
+ 		setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
151 
+ 		/*
152 
+ 		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses
153 
+@@ -523,6 +529,63 @@ static void ssb_select_mitigation()
154 
+
155 
+ #undef pr_fmt
156 
+
157 
++static int ssb_prctl_set(unsigned long ctrl)
158 
++{
159 
++	bool rds = !!test_tsk_thread_flag(current, TIF_RDS);
160 
++
161 
++	if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
162 
++		return -ENXIO;
163 
++
164 
++	if (ctrl == PR_SPEC_ENABLE)
165 
++		clear_tsk_thread_flag(current, TIF_RDS);
166 
++	else
167 
++		set_tsk_thread_flag(current, TIF_RDS);
168 
++
169 
++	if (rds != !!test_tsk_thread_flag(current, TIF_RDS))
170 
++		speculative_store_bypass_update();
171 
++
172 
++	return 0;
173 
++}
174 
++
175 
++static int ssb_prctl_get(void)
176 
++{
177 
++	switch (ssb_mode) {
178 
++	case SPEC_STORE_BYPASS_DISABLE:
179 
++		return PR_SPEC_DISABLE;
180 
++	case SPEC_STORE_BYPASS_PRCTL:
181 
++		if (test_tsk_thread_flag(current, TIF_RDS))
182 
++			return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
183 
++		return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
184 
++	default:
185 
++		if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
186 
++			return PR_SPEC_ENABLE;
187 
++		return PR_SPEC_NOT_AFFECTED;
188 
++	}
189 
++}
190 
++
191 
++int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
192 
++{
193 
++	if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE)
194 
++		return -ERANGE;
195 
++
196 
++	switch (which) {
197 
++	case PR_SPEC_STORE_BYPASS:
198 
++		return ssb_prctl_set(ctrl);
199 
++	default:
200 
++		return -ENODEV;
201 
++	}
202 
++}
203 
++
204 
++int arch_prctl_spec_ctrl_get(unsigned long which)
205 
++{
206 
++	switch (which) {
207 
++	case PR_SPEC_STORE_BYPASS:
208 
++		return ssb_prctl_get();
209 
++	default:
210 
++		return -ENODEV;
211 
++	}
212 
++}
213 
++
214 
+ void x86_spec_ctrl_setup_ap(void)
215 
+ {
216 
+ 	if (boot_cpu_has(X86_FEATURE_IBRS))
217 
+--
218 
+2.7.4
219 
+
SPECS/linux/speculative-store-bypass/0074-nospec-Allow-getting-setting-on-non-current-task.patch
History View file @ 4ab22c2
0 220 
new file mode 100644
... ... 
@@ -0,0 +1,163 @@
0 
+From 0ff7cf2073e249010d256dede9e016c9d0481a8a Mon Sep 17 00:00:00 2001
1 
+From: Kees Cook <keescook@chromium.org>
2 
+Date: Thu, 14 Jun 2018 14:56:50 -0700
3 
+Subject: [PATCH 074/103] nospec: Allow getting/setting on non-current task
4 
+
5 
+commit 7bbf1373e228840bb0295a2ca26d548ef37f448e upstream
6 
+
7 
+Adjust arch_prctl_get/set_spec_ctrl() to operate on tasks other than
8 
+current.
9 
+
10 
+This is needed both for /proc/$pid/status queries and for seccomp (since
11 
+thread-syncing can trigger seccomp in non-current threads).
12 
+
13 
+Signed-off-by: Kees Cook <keescook@chromium.org>
14 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
15 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
16 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
17 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
18 
+---
19 
+ arch/x86/kernel/cpu/bugs.c | 27 ++++++++++++++++-----------
20 
+ include/linux/nospec.h     |  7 +++++--
21 
+ kernel/sys.c               |  9 +++++----
22 
+ 3 files changed, 26 insertions(+), 17 deletions(-)
23 
+
24 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
25 
+index bcfccd3..64b54a4 100644
26 
+--- a/arch/x86/kernel/cpu/bugs.c
27 
+@@ -529,31 +529,35 @@ static void ssb_select_mitigation()
28 
+
29 
+ #undef pr_fmt
30 
+
31 
+-static int ssb_prctl_set(unsigned long ctrl)
32 
++static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
33 
+ {
34 
+-	bool rds = !!test_tsk_thread_flag(current, TIF_RDS);
35 
++	bool rds = !!test_tsk_thread_flag(task, TIF_RDS);
36 
+
37 
+ 	if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
38 
+ 		return -ENXIO;
39 
+
40 
+ 	if (ctrl == PR_SPEC_ENABLE)
41 
+-		clear_tsk_thread_flag(current, TIF_RDS);
42 
++		clear_tsk_thread_flag(task, TIF_RDS);
43 
+ 	else
44 
+-		set_tsk_thread_flag(current, TIF_RDS);
45 
++		set_tsk_thread_flag(task, TIF_RDS);
46 
+
47 
+-	if (rds != !!test_tsk_thread_flag(current, TIF_RDS))
48 
++	/*
49 
++	 * If being set on non-current task, delay setting the CPU
50 
++	 * mitigation until it is next scheduled.
51 
++	 */
52 
++	if (task == current && rds != !!test_tsk_thread_flag(task, TIF_RDS))
53 
+ 		speculative_store_bypass_update();
54 
+
55 
+ 	return 0;
56 
+ }
57 
+
58 
+-static int ssb_prctl_get(void)
59 
++static int ssb_prctl_get(struct task_struct *task)
60 
+ {
61 
+ 	switch (ssb_mode) {
62 
+ 	case SPEC_STORE_BYPASS_DISABLE:
63 
+ 		return PR_SPEC_DISABLE;
64 
+ 	case SPEC_STORE_BYPASS_PRCTL:
65 
+-		if (test_tsk_thread_flag(current, TIF_RDS))
66 
++		if (test_tsk_thread_flag(task, TIF_RDS))
67 
+ 			return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
68 
+ 		return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
69 
+ 	default:
70 
+@@ -563,24 +567,25 @@ static int ssb_prctl_get(void)
71 
+ 	}
72 
+ }
73 
+
74 
+-int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
75 
++int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
76 
++			     unsigned long ctrl)
77 
+ {
78 
+ 	if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE)
79 
+ 		return -ERANGE;
80 
+
81 
+ 	switch (which) {
82 
+ 	case PR_SPEC_STORE_BYPASS:
83 
+-		return ssb_prctl_set(ctrl);
84 
++		return ssb_prctl_set(task, ctrl);
85 
+ 	default:
86 
+ 		return -ENODEV;
87 
+ 	}
88 
+ }
89 
+
90 
+-int arch_prctl_spec_ctrl_get(unsigned long which)
91 
++int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
92 
+ {
93 
+ 	switch (which) {
94 
+ 	case PR_SPEC_STORE_BYPASS:
95 
+-		return ssb_prctl_get();
96 
++		return ssb_prctl_get(task);
97 
+ 	default:
98 
+ 		return -ENODEV;
99 
+ 	}
100 
+diff --git a/include/linux/nospec.h b/include/linux/nospec.h
101 
+index 700bb8a..a908c95 100644
102 
+--- a/include/linux/nospec.h
103 
+@@ -7,6 +7,8 @@
104 
+ #define _LINUX_NOSPEC_H
105 
+ #include <asm/barrier.h>
106 
+
107 
++struct task_struct;
108 
++
109 
+ /**
110 
+  * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
111 
+  * @index: array element index
112 
+@@ -57,7 +59,8 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
113 
+ })
114 
+
115 
+ /* Speculation control prctl */
116 
+-int arch_prctl_spec_ctrl_get(unsigned long which);
117 
+-int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl);
118 
++int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which);
119 
++int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
120 
++			     unsigned long ctrl);
121 
+
122 
+ #endif /* _LINUX_NOSPEC_H */
123 
+diff --git a/kernel/sys.c b/kernel/sys.c
124 
+index d80c33f..f718742 100644
125 
+--- a/kernel/sys.c
126 
+@@ -2075,12 +2075,13 @@ static int prctl_get_tid_address(struct task_struct *me, int __user **tid_addr)
127 
+ }
128 
+ #endif
129 
+
130 
+-int __weak arch_prctl_spec_ctrl_get(unsigned long which)
131 
++int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which)
132 
+ {
133 
+ 	return -EINVAL;
134 
+ }
135 
+
136 
+-int __weak arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
137 
++int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which,
138 
++				    unsigned long ctrl)
139 
+ {
140 
+ 	return -EINVAL;
141 
+ }
142 
+@@ -2282,12 +2283,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
143 
+ 	case PR_GET_SPECULATION_CTRL:
144 
+ 		if (arg3 || arg4 || arg5)
145 
+ 			return -EINVAL;
146 
+-		error = arch_prctl_spec_ctrl_get(arg2);
147 
++		error = arch_prctl_spec_ctrl_get(me, arg2);
148 
+ 		break;
149 
+ 	case PR_SET_SPECULATION_CTRL:
150 
+ 		if (arg4 || arg5)
151 
+ 			return -EINVAL;
152 
+-		error = arch_prctl_spec_ctrl_set(arg2, arg3);
153 
++		error = arch_prctl_spec_ctrl_set(me, arg2, arg3);
154 
+ 		break;
155 
+ 	default:
156 
+ 		error = -EINVAL;
157 
+--
158 
+2.7.4
159 
+
SPECS/linux/speculative-store-bypass/0075-proc-Provide-details-on-speculation-flaw-mitigations.patch
History View file @ 4ab22c2
0 160 
new file mode 100644
... ... 
@@ -0,0 +1,63 @@
0 
+From 86180e329dbcd9c3661336ef6ddb1ee4a920ff0f Mon Sep 17 00:00:00 2001
1 
+From: Kees Cook <keescook@chromium.org>
2 
+Date: Thu, 14 Jun 2018 14:56:50 -0700
3 
+Subject: [PATCH 075/103] proc: Provide details on speculation flaw mitigations
4 
+
5 
+commit fae1fa0fc6cca8beee3ab8ed71d54f9a78fa3f64 upstream
6 
+
7 
+As done with seccomp and no_new_privs, also show speculation flaw
8 
+mitigation state in /proc/$pid/status.
9 
+
10 
+Signed-off-by: Kees Cook <keescook@chromium.org>
11 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
12 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
13 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
15 
+---
16 
+ fs/proc/array.c | 23 +++++++++++++++++++++++
17 
+ 1 file changed, 23 insertions(+)
18 
+
19 
+diff --git a/fs/proc/array.c b/fs/proc/array.c
20 
+index b6c00ce..bb48358 100644
21 
+--- a/fs/proc/array.c
22 
+@@ -79,6 +79,7 @@
23 
+ #include <linux/delayacct.h>
24 
+ #include <linux/seq_file.h>
25 
+ #include <linux/pid_namespace.h>
26 
++#include <linux/prctl.h>
27 
+ #include <linux/ptrace.h>
28 
+ #include <linux/tracehook.h>
29 
+ #include <linux/string_helpers.h>
30 
+@@ -332,6 +333,28 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
31 
+ #ifdef CONFIG_SECCOMP
32 
+ 	seq_printf(m, "Seccomp:\t%d\n", p->seccomp.mode);
33 
+ #endif
34 
++	seq_printf(m, "\nSpeculation Store Bypass:\t");
35 
++	switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
36 
++	case -EINVAL:
37 
++		seq_printf(m, "unknown");
38 
++		break;
39 
++	case PR_SPEC_NOT_AFFECTED:
40 
++		seq_printf(m, "not vulnerable");
41 
++		break;
42 
++	case PR_SPEC_PRCTL | PR_SPEC_DISABLE:
43 
++		seq_printf(m, "thread mitigated");
44 
++		break;
45 
++	case PR_SPEC_PRCTL | PR_SPEC_ENABLE:
46 
++		seq_printf(m, "thread vulnerable");
47 
++		break;
48 
++	case PR_SPEC_DISABLE:
49 
++		seq_printf(m, "globally mitigated");
50 
++		break;
51 
++	default:
52 
++		seq_printf(m, "vulnerable");
53 
++		break;
54 
++	}
55 
++	seq_putc(m, '\n');
56 
+ }
57 
+
58 
+ static inline void task_context_switch_counts(struct seq_file *m,
59 
+--
60 
+2.7.4
61 
+
SPECS/linux/speculative-store-bypass/0076-seccomp-Enable-speculation-flaw-mitigations.patch
History View file @ 4ab22c2
0 62 
new file mode 100644
... ... 
@@ -0,0 +1,65 @@
0 
+From 22c0adf93a863d2ca18464e11765290f4def4be9 Mon Sep 17 00:00:00 2001
1 
+From: Kees Cook <keescook@chromium.org>
2 
+Date: Thu, 14 Jun 2018 14:56:51 -0700
3 
+Subject: [PATCH 076/103] seccomp: Enable speculation flaw mitigations
4 
+
5 
+commit 5c3070890d06ff82eecb808d02d2ca39169533ef upstream
6 
+
7 
+When speculation flaw mitigations are opt-in (via prctl), using seccomp
8 
+will automatically opt-in to these protections, since using seccomp
9 
+indicates at least some level of sandboxing is desired.
10 
+
11 
+Signed-off-by: Kees Cook <keescook@chromium.org>
12 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
13 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
14 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
15 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
16 
+---
17 
+ kernel/seccomp.c | 17 +++++++++++++++++
18 
+ 1 file changed, 17 insertions(+)
19 
+
20 
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
21 
+index efd384f..bfb1ee8 100644
22 
+--- a/kernel/seccomp.c
23 
+@@ -16,6 +16,8 @@
24 
+ #include <linux/atomic.h>
25 
+ #include <linux/audit.h>
26 
+ #include <linux/compat.h>
27 
++#include <linux/nospec.h>
28 
++#include <linux/prctl.h>
29 
+ #include <linux/sched.h>
30 
+ #include <linux/seccomp.h>
31 
+ #include <linux/slab.h>
32 
+@@ -214,6 +216,19 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode)
33 
+ 	return true;
34 
+ }
35 
+
36 
++/*
37 
++ * If a given speculation mitigation is opt-in (prctl()-controlled),
38 
++ * select it, by disabling speculation (enabling mitigation).
39 
++ */
40 
++static inline void spec_mitigate(struct task_struct *task,
41 
++				 unsigned long which)
42 
++{
43 
++	int state = arch_prctl_spec_ctrl_get(task, which);
44 
++
45 
++	if (state > 0 && (state & PR_SPEC_PRCTL))
46 
++		arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE);
47 
++}
48 
++
49 
+ static inline void seccomp_assign_mode(struct task_struct *task,
50 
+ 				       unsigned long seccomp_mode)
51 
+ {
52 
+@@ -225,6 +240,8 @@ static inline void seccomp_assign_mode(struct task_struct *task,
53 
+ 	 * filter) is set.
54 
+ 	 */
55 
+ 	smp_mb__before_atomic();
56 
++	/* Assume seccomp processes want speculation flaw mitigation. */
57 
++	spec_mitigate(task, PR_SPEC_STORE_BYPASS);
58 
+ 	set_tsk_thread_flag(task, TIF_SECCOMP);
59 
+ }
60 
+
61 
+--
62 
+2.7.4
63 
+
SPECS/linux/speculative-store-bypass/0077-prctl-Add-force-disable-speculation.patch
History View file @ 4ab22c2
0 64 
new file mode 100644
... ... 
@@ -0,0 +1,219 @@
0 
+From ab2788b04473b3884de31e541973d87c67072505 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:51 -0700
3 
+Subject: [PATCH 077/103] prctl: Add force disable speculation
4 
+
5 
+commit 356e4bfff2c5489e016fdb925adbf12a1e3950ee upstream
6 
+
7 
+For certain use cases it is desired to enforce mitigations so they cannot
8 
+be undone afterwards. That's important for loader stubs which want to
9 
+prevent a child from disabling the mitigation again. Will also be used for
10 
+seccomp(). The extra state preserving of the prctl state for SSB is a
11 
+preparatory step for EBPF dymanic speculation control.
12 
+
13 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
14 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
15 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
16 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
17 
+---
18 
+ Documentation/spec_ctrl.txt | 34 +++++++++++++++++++++-------------
19 
+ arch/x86/kernel/cpu/bugs.c  | 35 +++++++++++++++++++++++++----------
20 
+ fs/proc/array.c             |  3 +++
21 
+ include/linux/sched.h       |  9 +++++++++
22 
+ include/uapi/linux/prctl.h  |  1 +
23 
+ 5 files changed, 59 insertions(+), 23 deletions(-)
24 
+
25 
+diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt
26 
+index ddbebcd..1b3690d 100644
27 
+--- a/Documentation/spec_ctrl.txt
28 
+@@ -25,19 +25,21 @@ PR_GET_SPECULATION_CTRL
29 
+ -----------------------
30 
+
31 
+ PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
32 
+-which is selected with arg2 of prctl(2). The return value uses bits 0-2 with
33 
++which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
34 
+ the following meaning:
35 
+
36 
+-==== ================ ===================================================
37 
+-Bit  Define           Description
38 
+-==== ================ ===================================================
39 
+-0    PR_SPEC_PRCTL    Mitigation can be controlled per task by
40 
+-                      PR_SET_SPECULATION_CTRL
41 
+-1    PR_SPEC_ENABLE   The speculation feature is enabled, mitigation is
42 
+-                      disabled
43 
+-2    PR_SPEC_DISABLE  The speculation feature is disabled, mitigation is
44 
+-                      enabled
45 
+-==== ================ ===================================================
46 
++==== ===================== ===================================================
47 
++Bit  Define                Description
48 
++==== ===================== ===================================================
49 
++0    PR_SPEC_PRCTL         Mitigation can be controlled per task by
50 
++                           PR_SET_SPECULATION_CTRL
51 
++1    PR_SPEC_ENABLE        The speculation feature is enabled, mitigation is
52 
++                           disabled
53 
++2    PR_SPEC_DISABLE       The speculation feature is disabled, mitigation is
54 
++                           enabled
55 
++3    PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
56 
++                           subsequent prctl(..., PR_SPEC_ENABLE) will fail.
57 
++==== ===================== ===================================================
58 
+
59 
+ If all bits are 0 the CPU is not affected by the speculation misfeature.
60 
+
61 
+@@ -47,9 +49,11 @@ misfeature will fail.
62 
+
63 
+ PR_SET_SPECULATION_CTRL
64 
+ -----------------------
65 
++
66 
+ PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
67 
+ is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
68 
+-in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
69 
++in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
70 
++PR_SPEC_FORCE_DISABLE.
71 
+
72 
+ Common error codes
73 
+ ------------------
74 
+@@ -70,10 +74,13 @@ Value   Meaning
75 
+ 0       Success
76 
+
77 
+ ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
78 
+-        PR_SPEC_DISABLE
79 
++        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE
80 
+
81 
+ ENXIO   Control of the selected speculation misfeature is not possible.
82 
+         See PR_GET_SPECULATION_CTRL.
83 
++
84 
++EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
85 
++        tried to enable it again.
86 
+ ======= =================================================================
87 
+
88 
+ Speculation misfeature controls
89 
+@@ -84,3 +91,4 @@ Speculation misfeature controls
90 
+    * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
91 
+    * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
92 
+    * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
93 
++   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
94 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
95 
+index 64b54a4..d6897ca 100644
96 
+--- a/arch/x86/kernel/cpu/bugs.c
97 
+@@ -531,21 +531,37 @@ static void ssb_select_mitigation()
98 
+
99 
+ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
100 
+ {
101 
+-	bool rds = !!test_tsk_thread_flag(task, TIF_RDS);
102 
++	bool update;
103 
+
104 
+ 	if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
105 
+ 		return -ENXIO;
106 
+
107 
+-	if (ctrl == PR_SPEC_ENABLE)
108 
+-		clear_tsk_thread_flag(task, TIF_RDS);
109 
+-	else
110 
+-		set_tsk_thread_flag(task, TIF_RDS);
111 
++	switch (ctrl) {
112 
++	case PR_SPEC_ENABLE:
113 
++		/* If speculation is force disabled, enable is not allowed */
114 
++		if (task_spec_ssb_force_disable(task))
115 
++			return -EPERM;
116 
++		task_clear_spec_ssb_disable(task);
117 
++		update = test_and_clear_tsk_thread_flag(task, TIF_RDS);
118 
++		break;
119 
++	case PR_SPEC_DISABLE:
120 
++		task_set_spec_ssb_disable(task);
121 
++		update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
122 
++		break;
123 
++	case PR_SPEC_FORCE_DISABLE:
124 
++		task_set_spec_ssb_disable(task);
125 
++		task_set_spec_ssb_force_disable(task);
126 
++		update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
127 
++		break;
128 
++	default:
129 
++		return -ERANGE;
130 
++	}
131 
+
132 
+ 	/*
133 
+ 	 * If being set on non-current task, delay setting the CPU
134 
+ 	 * mitigation until it is next scheduled.
135 
+ 	 */
136 
+-	if (task == current && rds != !!test_tsk_thread_flag(task, TIF_RDS))
137 
++	if (task == current && update)
138 
+ 		speculative_store_bypass_update();
139 
+
140 
+ 	return 0;
141 
+@@ -557,7 +573,9 @@ static int ssb_prctl_get(struct task_struct *task)
142 
+ 	case SPEC_STORE_BYPASS_DISABLE:
143 
+ 		return PR_SPEC_DISABLE;
144 
+ 	case SPEC_STORE_BYPASS_PRCTL:
145 
+-		if (test_tsk_thread_flag(task, TIF_RDS))
146 
++		if (task_spec_ssb_force_disable(task))
147 
++			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
148 
++		if (task_spec_ssb_disable(task))
149 
+ 			return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
150 
+ 		return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
151 
+ 	default:
152 
+@@ -570,9 +588,6 @@ static int ssb_prctl_get(struct task_struct *task)
153 
+ int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
154 
+ 			     unsigned long ctrl)
155 
+ {
156 
+-	if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE)
157 
+-		return -ERANGE;
158 
+-
159 
+ 	switch (which) {
160 
+ 	case PR_SPEC_STORE_BYPASS:
161 
+ 		return ssb_prctl_set(task, ctrl);
162 
+diff --git a/fs/proc/array.c b/fs/proc/array.c
163 
+index bb48358..3141478 100644
164 
+--- a/fs/proc/array.c
165 
+@@ -341,6 +341,9 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
166 
+ 	case PR_SPEC_NOT_AFFECTED:
167 
+ 		seq_printf(m, "not vulnerable");
168 
+ 		break;
169 
++	case PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE:
170 
++		seq_printf(m, "thread force mitigated");
171 
++		break;
172 
+ 	case PR_SPEC_PRCTL | PR_SPEC_DISABLE:
173 
+ 		seq_printf(m, "thread mitigated");
174 
+ 		break;
175 
+diff --git a/include/linux/sched.h b/include/linux/sched.h
176 
+index 90bea39..725498c 100644
177 
+--- a/include/linux/sched.h
178 
+@@ -2167,6 +2167,8 @@ static inline void memalloc_noio_restore(unsigned int flags)
179 
+ #define PFA_NO_NEW_PRIVS 0	/* May not gain new privileges. */
180 
+ #define PFA_SPREAD_PAGE  1      /* Spread page cache over cpuset */
181 
+ #define PFA_SPREAD_SLAB  2      /* Spread some slab caches over cpuset */
182 
++#define PFA_SPEC_SSB_DISABLE		4	/* Speculative Store Bypass disabled */
183 
++#define PFA_SPEC_SSB_FORCE_DISABLE	5	/* Speculative Store Bypass force disabled*/
184 
+
185 
+
186 
+ #define TASK_PFA_TEST(name, func)					\
187 
+@@ -2190,6 +2192,13 @@ TASK_PFA_TEST(SPREAD_SLAB, spread_slab)
188 
+ TASK_PFA_SET(SPREAD_SLAB, spread_slab)
189 
+ TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab)
190 
+
191 
++TASK_PFA_TEST(SPEC_SSB_DISABLE, spec_ssb_disable)
192 
++TASK_PFA_SET(SPEC_SSB_DISABLE, spec_ssb_disable)
193 
++TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable)
194 
++
195 
++TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
196 
++TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
197 
++
198 
+ /*
199 
+  * task->jobctl flags
200 
+  */
201 
+diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
202 
+index 3b316be..64776b7 100644
203 
+--- a/include/uapi/linux/prctl.h
204 
+@@ -207,5 +207,6 @@ struct prctl_mm_map {
205 
+ # define PR_SPEC_PRCTL			(1UL << 0)
206 
+ # define PR_SPEC_ENABLE			(1UL << 1)
207 
+ # define PR_SPEC_DISABLE		(1UL << 2)
208 
++# define PR_SPEC_FORCE_DISABLE		(1UL << 3)
209 
+
210 
+ #endif /* _LINUX_PRCTL_H */
211 
+--
212 
+2.7.4
213 
+
SPECS/linux/speculative-store-bypass/0078-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch
History View file @ 4ab22c2
0 214 
new file mode 100644
... ... 
@@ -0,0 +1,34 @@
0 
+From 623352ea96a1fc8dc024aec71f316e9f26ce38bf Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:52 -0700
3 
+Subject: [PATCH 078/103] seccomp: Use PR_SPEC_FORCE_DISABLE
4 
+
5 
+commit b849a812f7eb92e96d1c8239b06581b2cfd8b275 upstream
6 
+
7 
+Use PR_SPEC_FORCE_DISABLE in seccomp() because seccomp does not allow to
8 
+widen restrictions.
9 
+
10 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
11 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
12 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
13 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
14 
+---
15 
+ kernel/seccomp.c | 2 +-
16 
+ 1 file changed, 1 insertion(+), 1 deletion(-)
17 
+
18 
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
19 
+index bfb1ee8..f33539f 100644
20 
+--- a/kernel/seccomp.c
21 
+@@ -226,7 +226,7 @@ static inline void spec_mitigate(struct task_struct *task,
22 
+ 	int state = arch_prctl_spec_ctrl_get(task, which);
23 
+
24 
+ 	if (state > 0 && (state & PR_SPEC_PRCTL))
25 
+-		arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE);
26 
++		arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
27 
+ }
28 
+
29 
+ static inline void seccomp_assign_mode(struct task_struct *task,
30 
+--
31 
+2.7.4
32 
+
SPECS/linux/speculative-store-bypass/0079-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch
History View file @ 4ab22c2
0 33 
new file mode 100644
... ... 
@@ -0,0 +1,223 @@
0 
+From c517a3267fd6c34e9bee4434f18fd2448d23534d Mon Sep 17 00:00:00 2001
1 
+From: Kees Cook <keescook@chromium.org>
2 
+Date: Thu, 14 Jun 2018 14:56:52 -0700
3 
+Subject: [PATCH 079/103] seccomp: Add filter flag to opt-out of SSB mitigation
4 
+
5 
+commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream
6 
+
7 
+If a seccomp user is not interested in Speculative Store Bypass mitigation
8 
+by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when
9 
+adding filters.
10 
+
11 
+Signed-off-by: Kees Cook <keescook@chromium.org>
12 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
13 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
14 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
15 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
16 
+---
17 
+ include/linux/seccomp.h                       |  3 +-
18 
+ include/uapi/linux/seccomp.h                  |  4 +-
19 
+ kernel/seccomp.c                              | 19 ++++---
20 
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 78 ++++++++++++++++++++++++++-
21 
+ 4 files changed, 93 insertions(+), 11 deletions(-)
22 
+
23 
+diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
24 
+index 2296e6b..5a53d34 100644
25 
+--- a/include/linux/seccomp.h
26 
+@@ -3,7 +3,8 @@
27 
+
28 
+ #include <uapi/linux/seccomp.h>
29 
+
30 
+-#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC)
31 
++#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC	| \
32 
++					 SECCOMP_FILTER_FLAG_SPEC_ALLOW)
33 
+
34 
+ #ifdef CONFIG_SECCOMP
35 
+
36 
+diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
37 
+index 0f238a4..e4acb61 100644
38 
+--- a/include/uapi/linux/seccomp.h
39 
+@@ -15,7 +15,9 @@
40 
+ #define SECCOMP_SET_MODE_FILTER	1
41 
+
42 
+ /* Valid flags for SECCOMP_SET_MODE_FILTER */
43 
+-#define SECCOMP_FILTER_FLAG_TSYNC	1
44 
++#define SECCOMP_FILTER_FLAG_TSYNC	(1UL << 0)
45 
++/* In v4.14+ SECCOMP_FILTER_FLAG_LOG is (1UL << 1) */
46 
++#define SECCOMP_FILTER_FLAG_SPEC_ALLOW	(1UL << 2)
47 
+
48 
+ /*
49 
+  * All BPF programs must return a 32-bit value.
50 
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
51 
+index f33539f..4bb8a5a 100644
52 
+--- a/kernel/seccomp.c
53 
+@@ -230,7 +230,8 @@ static inline void spec_mitigate(struct task_struct *task,
54 
+ }
55 
+
56 
+ static inline void seccomp_assign_mode(struct task_struct *task,
57 
+-				       unsigned long seccomp_mode)
58 
++				       unsigned long seccomp_mode,
59 
++				       unsigned long flags)
60 
+ {
61 
+ 	assert_spin_locked(&task->sighand->siglock);
62 
+
63 
+@@ -240,8 +241,9 @@ static inline void seccomp_assign_mode(struct task_struct *task,
64 
+ 	 * filter) is set.
65 
+ 	 */
66 
+ 	smp_mb__before_atomic();
67 
+-	/* Assume seccomp processes want speculation flaw mitigation. */
68 
+-	spec_mitigate(task, PR_SPEC_STORE_BYPASS);
69 
++	/* Assume default seccomp processes want spec flaw mitigation. */
70 
++	if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
71 
++		spec_mitigate(task, PR_SPEC_STORE_BYPASS);
72 
+ 	set_tsk_thread_flag(task, TIF_SECCOMP);
73 
+ }
74 
+
75 
+@@ -309,7 +311,7 @@ static inline pid_t seccomp_can_sync_threads(void)
76 
+  * without dropping the locks.
77 
+  *
78 
+  */
79 
+-static inline void seccomp_sync_threads(void)
80 
++static inline void seccomp_sync_threads(unsigned long flags)
81 
+ {
82 
+ 	struct task_struct *thread, *caller;
83 
+
84 
+@@ -350,7 +352,8 @@ static inline void seccomp_sync_threads(void)
85 
+ 		 * allow one thread to transition the other.
86 
+ 		 */
87 
+ 		if (thread->seccomp.mode == SECCOMP_MODE_DISABLED)
88 
+-			seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
89 
++			seccomp_assign_mode(thread, SECCOMP_MODE_FILTER,
90 
++					    flags);
91 
+ 	}
92 
+ }
93 
+
94 
+@@ -469,7 +472,7 @@ static long seccomp_attach_filter(unsigned int flags,
95 
+
96 
+ 	/* Now that the new filter is in place, synchronize to all threads. */
97 
+ 	if (flags & SECCOMP_FILTER_FLAG_TSYNC)
98 
+-		seccomp_sync_threads();
99 
++		seccomp_sync_threads(flags);
100 
+
101 
+ 	return 0;
102 
+ }
103 
+@@ -764,7 +767,7 @@ static long seccomp_set_mode_strict(void)
104 
+ #ifdef TIF_NOTSC
105 
+ 	disable_TSC();
106 
+ #endif
107 
+-	seccomp_assign_mode(current, seccomp_mode);
108 
++	seccomp_assign_mode(current, seccomp_mode, 0);
109 
+ 	ret = 0;
110 
+
111 
+ out:
112 
+@@ -822,7 +825,7 @@ static long seccomp_set_mode_filter(unsigned int flags,
113 
+ 	/* Do not free the successfully attached filter. */
114 
+ 	prepared = NULL;
115 
+
116 
+-	seccomp_assign_mode(current, seccomp_mode);
117 
++	seccomp_assign_mode(current, seccomp_mode, flags);
118 
+ out:
119 
+ 	spin_unlock_irq(&current->sighand->siglock);
120 
+ 	if (flags & SECCOMP_FILTER_FLAG_TSYNC)
121 
+diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
122 
+index 29487e0..b3f3454 100644
123 
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
124 
+@@ -1477,7 +1477,11 @@ TEST_F(TRACE_syscall, syscall_dropped)
125 
+ #endif
126 
+
127 
+ #ifndef SECCOMP_FILTER_FLAG_TSYNC
128 
+-#define SECCOMP_FILTER_FLAG_TSYNC 1
129 
++#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
130 
++#endif
131 
++
132 
++#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
133 
++#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
134 
+ #endif
135 
+
136 
+ #ifndef seccomp
137 
+@@ -1576,6 +1580,78 @@ TEST(seccomp_syscall_mode_lock)
138 
+ 	}
139 
+ }
140 
+
141 
++/*
142 
++ * Test detection of known and unknown filter flags. Userspace needs to be able
143 
++ * to check if a filter flag is supported by the current kernel and a good way
144 
++ * of doing that is by attempting to enter filter mode, with the flag bit in
145 
++ * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates
146 
++ * that the flag is valid and EINVAL indicates that the flag is invalid.
147 
++ */
148 
++TEST(detect_seccomp_filter_flags)
149 
++{
150 
++	unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
151 
++				 SECCOMP_FILTER_FLAG_SPEC_ALLOW };
152 
++	unsigned int flag, all_flags;
153 
++	int i;
154 
++	long ret;
155 
++
156 
++	/* Test detection of known-good filter flags */
157 
++	for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
158 
++		int bits = 0;
159 
++
160 
++		flag = flags[i];
161 
++		/* Make sure the flag is a single bit! */
162 
++		while (flag) {
163 
++			if (flag & 0x1)
164 
++				bits ++;
165 
++			flag >>= 1;
166 
++		}
167 
++		ASSERT_EQ(1, bits);
168 
++		flag = flags[i];
169 
++
170 
++		ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
171 
++		ASSERT_NE(ENOSYS, errno) {
172 
++			TH_LOG("Kernel does not support seccomp syscall!");
173 
++		}
174 
++		EXPECT_EQ(-1, ret);
175 
++		EXPECT_EQ(EFAULT, errno) {
176 
++			TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!",
177 
++			       flag);
178 
++		}
179 
++
180 
++		all_flags |= flag;
181 
++	}
182 
++
183 
++	/* Test detection of all known-good filter flags */
184 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL);
185 
++	EXPECT_EQ(-1, ret);
186 
++	EXPECT_EQ(EFAULT, errno) {
187 
++		TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!",
188 
++		       all_flags);
189 
++	}
190 
++
191 
++	/* Test detection of an unknown filter flag */
192 
++	flag = -1;
193 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
194 
++	EXPECT_EQ(-1, ret);
195 
++	EXPECT_EQ(EINVAL, errno) {
196 
++		TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!",
197 
++		       flag);
198 
++	}
199 
++
200 
++	/*
201 
++	 * Test detection of an unknown filter flag that may simply need to be
202 
++	 * added to this test
203 
++	 */
204 
++	flag = flags[ARRAY_SIZE(flags) - 1] << 1;
205 
++	ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
206 
++	EXPECT_EQ(-1, ret);
207 
++	EXPECT_EQ(EINVAL, errno) {
208 
++		TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?",
209 
++		       flag);
210 
++	}
211 
++}
212 
++
213 
+ TEST(TSYNC_first)
214 
+ {
215 
+ 	struct sock_filter filter[] = {
216 
+--
217 
+2.7.4
218 
+
SPECS/linux/speculative-store-bypass/0080-seccomp-Move-speculation-migitation-control-to-arch-.patch
History View file @ 4ab22c2
0 219 
new file mode 100644
... ... 
@@ -0,0 +1,122 @@
0 
+From b443b93433303fef5b9ee6cff2d306a0fb99faa5 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:53 -0700
3 
+Subject: [PATCH 080/103] seccomp: Move speculation migitation control to arch
4 
+ code
5 
+
6 
+commit 8bf37d8c067bb7eb8e7c381bdadf9bd89182b6bc upstream
7 
+
8 
+The migitation control is simpler to implement in architecture code as it
9 
+avoids the extra function call to check the mode. Aside of that having an
10 
+explicit seccomp enabled mode in the architecture mitigations would require
11 
+even more workarounds.
12 
+
13 
+Move it into architecture code and provide a weak function in the seccomp
14 
+code. Remove the 'which' argument as this allows the architecture to decide
15 
+which mitigations are relevant for seccomp.
16 
+
17 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
18 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
19 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
20 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
21 
+---
22 
+ arch/x86/kernel/cpu/bugs.c | 29 ++++++++++++++++++-----------
23 
+ include/linux/nospec.h     |  2 ++
24 
+ kernel/seccomp.c           | 15 ++-------------
25 
+ 3 files changed, 22 insertions(+), 24 deletions(-)
26 
+
27 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
28 
+index d6897ca..b005ef7 100644
29 
+--- a/arch/x86/kernel/cpu/bugs.c
30 
+@@ -567,6 +567,24 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
31 
+ 	return 0;
32 
+ }
33 
+
34 
++int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
35 
++			     unsigned long ctrl)
36 
++{
37 
++	switch (which) {
38 
++	case PR_SPEC_STORE_BYPASS:
39 
++		return ssb_prctl_set(task, ctrl);
40 
++	default:
41 
++		return -ENODEV;
42 
++	}
43 
++}
44 
++
45 
++#ifdef CONFIG_SECCOMP
46 
++void arch_seccomp_spec_mitigate(struct task_struct *task)
47 
++{
48 
++	ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
49 
++}
50 
++#endif
51 
++
52 
+ static int ssb_prctl_get(struct task_struct *task)
53 
+ {
54 
+ 	switch (ssb_mode) {
55 
+@@ -585,17 +603,6 @@ static int ssb_prctl_get(struct task_struct *task)
56 
+ 	}
57 
+ }
58 
+
59 
+-int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
60 
+-			     unsigned long ctrl)
61 
+-{
62 
+-	switch (which) {
63 
+-	case PR_SPEC_STORE_BYPASS:
64 
+-		return ssb_prctl_set(task, ctrl);
65 
+-	default:
66 
+-		return -ENODEV;
67 
+-	}
68 
+-}
69 
+-
70 
+ int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
71 
+ {
72 
+ 	switch (which) {
73 
+diff --git a/include/linux/nospec.h b/include/linux/nospec.h
74 
+index a908c95..0c5ef54 100644
75 
+--- a/include/linux/nospec.h
76 
+@@ -62,5 +62,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
77 
+ int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which);
78 
+ int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
79 
+ 			     unsigned long ctrl);
80 
++/* Speculation control for seccomp enforced mitigation */
81 
++void arch_seccomp_spec_mitigate(struct task_struct *task);
82 
+
83 
+ #endif /* _LINUX_NOSPEC_H */
84 
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
85 
+index 4bb8a5a..9a9203b 100644
86 
+--- a/kernel/seccomp.c
87 
+@@ -216,18 +216,7 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode)
88 
+ 	return true;
89 
+ }
90 
+
91 
+-/*
92 
+- * If a given speculation mitigation is opt-in (prctl()-controlled),
93 
+- * select it, by disabling speculation (enabling mitigation).
94 
+- */
95 
+-static inline void spec_mitigate(struct task_struct *task,
96 
+-				 unsigned long which)
97 
+-{
98 
+-	int state = arch_prctl_spec_ctrl_get(task, which);
99 
+-
100 
+-	if (state > 0 && (state & PR_SPEC_PRCTL))
101 
+-		arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
102 
+-}
103 
++void __weak arch_seccomp_spec_mitigate(struct task_struct *task) { }
104 
+
105 
+ static inline void seccomp_assign_mode(struct task_struct *task,
106 
+ 				       unsigned long seccomp_mode,
107 
+@@ -243,7 +232,7 @@ static inline void seccomp_assign_mode(struct task_struct *task,
108 
+ 	smp_mb__before_atomic();
109 
+ 	/* Assume default seccomp processes want spec flaw mitigation. */
110 
+ 	if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
111 
+-		spec_mitigate(task, PR_SPEC_STORE_BYPASS);
112 
++		arch_seccomp_spec_mitigate(task);
113 
+ 	set_tsk_thread_flag(task, TIF_SECCOMP);
114 
+ }
115 
+
116 
+--
117 
+2.7.4
118 
+
SPECS/linux/speculative-store-bypass/0081-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch
History View file @ 4ab22c2
0 119 
new file mode 100644
... ... 
@@ -0,0 +1,167 @@
0 
+From 9da322dfc027c030a624b32829abe23ef58c8a6e Mon Sep 17 00:00:00 2001
1 
+From: Kees Cook <keescook@chromium.org>
2 
+Date: Thu, 14 Jun 2018 14:56:53 -0700
3 
+Subject: [PATCH 081/103] x86/speculation: Make "seccomp" the default mode for
4 
+ Speculative Store Bypass
5 
+
6 
+commit f21b53b20c754021935ea43364dbf53778eeba32 upstream
7 
+
8 
+Unless explicitly opted out of, anything running under seccomp will have
9 
+SSB mitigations enabled. Choosing the "prctl" mode will disable this.
10 
+
11 
+[ tglx: Adjusted it to the new arch_seccomp_spec_mitigate() mechanism ]
12 
+
13 
+Signed-off-by: Kees Cook <keescook@chromium.org>
14 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
15 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
16 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
17 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
18 
+---
19 
+ Documentation/kernel-parameters.txt  | 26 +++++++++++++++++---------
20 
+ arch/x86/include/asm/nospec-branch.h |  1 +
21 
+ arch/x86/kernel/cpu/bugs.c           | 32 +++++++++++++++++++++++---------
22 
+ 3 files changed, 41 insertions(+), 18 deletions(-)
23 
+
24 
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
25 
+index 80202de..3fd53e1 100644
26 
+--- a/Documentation/kernel-parameters.txt
27 
+@@ -3647,19 +3647,27 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
28 
+ 			This parameter controls whether the Speculative Store
29 
+ 			Bypass optimization is used.
30 
+
31 
+-			on     - Unconditionally disable Speculative Store Bypass
32 
+-			off    - Unconditionally enable Speculative Store Bypass
33 
+-			auto   - Kernel detects whether the CPU model contains an
34 
+-				 implementation of Speculative Store Bypass and
35 
+-				 picks the most appropriate mitigation.
36 
+-			prctl  - Control Speculative Store Bypass per thread
37 
+-				 via prctl. Speculative Store Bypass is enabled
38 
+-				 for a process by default. The state of the control
39 
+-				 is inherited on fork.
40 
++			on      - Unconditionally disable Speculative Store Bypass
41 
++			off     - Unconditionally enable Speculative Store Bypass
42 
++			auto    - Kernel detects whether the CPU model contains an
43 
++				  implementation of Speculative Store Bypass and
44 
++				  picks the most appropriate mitigation. If the
45 
++				  CPU is not vulnerable, "off" is selected. If the
46 
++				  CPU is vulnerable the default mitigation is
47 
++				  architecture and Kconfig dependent. See below.
48 
++			prctl   - Control Speculative Store Bypass per thread
49 
++				  via prctl. Speculative Store Bypass is enabled
50 
++				  for a process by default. The state of the control
51 
++				  is inherited on fork.
52 
++			seccomp - Same as "prctl" above, but all seccomp threads
53 
++				  will disable SSB unless they explicitly opt out.
54 
+
55 
+ 			Not specifying this option is equivalent to
56 
+ 			spec_store_bypass_disable=auto.
57 
+
58 
++			Default mitigations:
59 
++			X86:	If CONFIG_SECCOMP=y "seccomp", otherwise "prctl"
60 
++
61 
+ 	spia_io_base=	[HW,MTD]
62 
+ 	spia_fio_base=
63 
+ 	spia_pedr=
64 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
65 
+index 155d955..930c1594 100644
66 
+--- a/arch/x86/include/asm/nospec-branch.h
67 
+@@ -188,6 +188,7 @@ enum ssb_mitigation {
68 
+ 	SPEC_STORE_BYPASS_NONE,
69 
+ 	SPEC_STORE_BYPASS_DISABLE,
70 
+ 	SPEC_STORE_BYPASS_PRCTL,
71 
++	SPEC_STORE_BYPASS_SECCOMP,
72 
+ };
73 
+
74 
+ extern char __indirect_thunk_start[];
75 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
76 
+index b005ef7..6fd3fcf 100644
77 
+--- a/arch/x86/kernel/cpu/bugs.c
78 
+@@ -414,22 +414,25 @@ enum ssb_mitigation_cmd {
79 
+ 	SPEC_STORE_BYPASS_CMD_AUTO,
80 
+ 	SPEC_STORE_BYPASS_CMD_ON,
81 
+ 	SPEC_STORE_BYPASS_CMD_PRCTL,
82 
++	SPEC_STORE_BYPASS_CMD_SECCOMP,
83 
+ };
84 
+
85 
+ static const char *ssb_strings[] = {
86 
+ 	[SPEC_STORE_BYPASS_NONE]	= "Vulnerable",
87 
+ 	[SPEC_STORE_BYPASS_DISABLE]	= "Mitigation: Speculative Store Bypass disabled",
88 
+-	[SPEC_STORE_BYPASS_PRCTL]	= "Mitigation: Speculative Store Bypass disabled via prctl"
89 
++	[SPEC_STORE_BYPASS_PRCTL]	= "Mitigation: Speculative Store Bypass disabled via prctl",
90 
++	[SPEC_STORE_BYPASS_SECCOMP]	= "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
91 
+ };
92 
+
93 
+ static const struct {
94 
+ 	const char *option;
95 
+ 	enum ssb_mitigation_cmd cmd;
96 
+ } ssb_mitigation_options[] = {
97 
+-	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO },  /* Platform decides */
98 
+-	{ "on",		SPEC_STORE_BYPASS_CMD_ON },    /* Disable Speculative Store Bypass */
99 
+-	{ "off",	SPEC_STORE_BYPASS_CMD_NONE },  /* Don't touch Speculative Store Bypass */
100 
+-	{ "prctl",	SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
101 
++	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO },    /* Platform decides */
102 
++	{ "on",		SPEC_STORE_BYPASS_CMD_ON },      /* Disable Speculative Store Bypass */
103 
++	{ "off",	SPEC_STORE_BYPASS_CMD_NONE },    /* Don't touch Speculative Store Bypass */
104 
++	{ "prctl",	SPEC_STORE_BYPASS_CMD_PRCTL },   /* Disable Speculative Store Bypass via prctl */
105 
++	{ "seccomp",	SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
106 
+ };
107 
+
108 
+ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
109 
+@@ -479,8 +482,15 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
110 
+
111 
+ 	switch (cmd) {
112 
+ 	case SPEC_STORE_BYPASS_CMD_AUTO:
113 
+-		/* Choose prctl as the default mode */
114 
+-		mode = SPEC_STORE_BYPASS_PRCTL;
115 
++	case SPEC_STORE_BYPASS_CMD_SECCOMP:
116 
++		/*
117 
++		 * Choose prctl+seccomp as the default mode if seccomp is
118 
++		 * enabled.
119 
++		 */
120 
++		if (IS_ENABLED(CONFIG_SECCOMP))
121 
++			mode = SPEC_STORE_BYPASS_SECCOMP;
122 
++		else
123 
++			mode = SPEC_STORE_BYPASS_PRCTL;
124 
+ 		break;
125 
+ 	case SPEC_STORE_BYPASS_CMD_ON:
126 
+ 		mode = SPEC_STORE_BYPASS_DISABLE;
127 
+@@ -528,12 +538,14 @@ static void ssb_select_mitigation()
128 
+ }
129 
+
130 
+ #undef pr_fmt
131 
++#define pr_fmt(fmt)     "Speculation prctl: " fmt
132 
+
133 
+ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
134 
+ {
135 
+ 	bool update;
136 
+
137 
+-	if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
138 
++	if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
139 
++	    ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
140 
+ 		return -ENXIO;
141 
+
142 
+ 	switch (ctrl) {
143 
+@@ -581,7 +593,8 @@ int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
144 
+ #ifdef CONFIG_SECCOMP
145 
+ void arch_seccomp_spec_mitigate(struct task_struct *task)
146 
+ {
147 
+-	ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
148 
++	if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
149 
++		ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
150 
+ }
151 
+ #endif
152 
+
153 
+@@ -590,6 +603,7 @@ static int ssb_prctl_get(struct task_struct *task)
154 
+ 	switch (ssb_mode) {
155 
+ 	case SPEC_STORE_BYPASS_DISABLE:
156 
+ 		return PR_SPEC_DISABLE;
157 
++	case SPEC_STORE_BYPASS_SECCOMP:
158 
+ 	case SPEC_STORE_BYPASS_PRCTL:
159 
+ 		if (task_spec_ssb_force_disable(task))
160 
+ 			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
161 
+--
162 
+2.7.4
163 
+
SPECS/linux/speculative-store-bypass/0082-x86-bugs-Rename-_RDS-to-_SSBD.patch
History View file @ 4ab22c2
0 164 
new file mode 100644
... ... 
@@ -0,0 +1,365 @@
0 
+From f50db655291234d77792d538e7b3b928aa0baa2a Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:54 -0700
3 
+Subject: [PATCH 082/103] x86/bugs: Rename _RDS to _SSBD
4 
+
5 
+commit 9f65fb29374ee37856dbad847b4e121aab72b510 upstream
6 
+
7 
+Intel collateral will reference the SSB mitigation bit in IA32_SPEC_CTL[2]
8 
+as SSBD (Speculative Store Bypass Disable).
9 
+
10 
+Hence changing it.
11 
+
12 
+It is unclear yet what the MSR_IA32_ARCH_CAPABILITIES (0x10a) Bit(4) name
13 
+is going to be. Following the rename it would be SSBD_NO but that rolls out
14 
+to Speculative Store Bypass Disable No.
15 
+
16 
+Also fixed the missing space in X86_FEATURE_AMD_SSBD.
17 
+
18 
+[ tglx: Fixup x86_amd_rds_enable() and rds_tif_to_amd_ls_cfg() as well ]
19 
+
20 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
21 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
22 
+
23 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
24 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25 
+[ Srivatsa: Backported to 4.4.y, skipping the KVM changes in this patch. ]
26 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
27 
+---
28 
+ arch/x86/include/asm/cpufeatures.h |  4 ++--
29 
+ arch/x86/include/asm/msr-index.h   | 10 +++++-----
30 
+ arch/x86/include/asm/spec-ctrl.h   | 12 ++++++------
31 
+ arch/x86/include/asm/thread_info.h |  6 +++---
32 
+ arch/x86/kernel/cpu/amd.c          | 14 +++++++-------
33 
+ arch/x86/kernel/cpu/bugs.c         | 36 ++++++++++++++++++------------------
34 
+ arch/x86/kernel/cpu/common.c       |  2 +-
35 
+ arch/x86/kernel/cpu/intel.c        |  2 +-
36 
+ arch/x86/kernel/process.c          |  8 ++++----
37 
+ 9 files changed, 47 insertions(+), 47 deletions(-)
38 
+
39 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
40 
+index b2855ae..54c25dd 100644
41 
+--- a/arch/x86/include/asm/cpufeatures.h
42 
+@@ -204,7 +204,7 @@
43 
+ #define X86_FEATURE_USE_IBPB	( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/
44 
+ #define X86_FEATURE_USE_IBRS_FW	( 7*32+22) /* "" Use IBRS during runtime firmware calls */
45 
+ #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE	( 7*32+23) /* "" Disable Speculative Store Bypass. */
46 
+-#define X86_FEATURE_AMD_RDS	(7*32+24)  /* "" AMD RDS implementation */
47 
++#define X86_FEATURE_AMD_SSBD	(7*32+24)  /* "" AMD SSBD implementation */
48 
+
49 
+ /* Virtualization flags: Linux defined, word 8 */
50 
+ #define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
51 
+@@ -299,7 +299,7 @@
52 
+ #define X86_FEATURE_SPEC_CTRL		(18*32+26) /* "" Speculation Control (IBRS + IBPB) */
53 
+ #define X86_FEATURE_INTEL_STIBP		(18*32+27) /* "" Single Thread Indirect Branch Predictors */
54 
+ #define X86_FEATURE_ARCH_CAPABILITIES	(18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
55 
+-#define X86_FEATURE_RDS			(18*32+31) /* Reduced Data Speculation */
56 
++#define X86_FEATURE_SSBD		(18*32+31) /* Speculative Store Bypass Disable */
57 
+
58 
+ /*
59 
+  * BUG word(s)
60 
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
61 
+index 883cf0d..2ea2ff1 100644
62 
+--- a/arch/x86/include/asm/msr-index.h
63 
+@@ -35,8 +35,8 @@
64 
+ #define MSR_IA32_SPEC_CTRL		0x00000048 /* Speculation Control */
65 
+ #define SPEC_CTRL_IBRS			(1 << 0)   /* Indirect Branch Restricted Speculation */
66 
+ #define SPEC_CTRL_STIBP			(1 << 1)   /* Single Thread Indirect Branch Predictors */
67 
+-#define SPEC_CTRL_RDS_SHIFT		2	   /* Reduced Data Speculation bit */
68 
+-#define SPEC_CTRL_RDS			(1 << SPEC_CTRL_RDS_SHIFT)   /* Reduced Data Speculation */
69 
++#define SPEC_CTRL_SSBD_SHIFT		2	   /* Speculative Store Bypass Disable bit */
70 
++#define SPEC_CTRL_SSBD			(1 << SPEC_CTRL_SSBD_SHIFT)   /* Speculative Store Bypass Disable */
71 
+
72 
+ #define MSR_IA32_PRED_CMD		0x00000049 /* Prediction Command */
73 
+ #define PRED_CMD_IBPB			(1 << 0)   /* Indirect Branch Prediction Barrier */
74 
+@@ -58,10 +58,10 @@
75 
+ #define MSR_IA32_ARCH_CAPABILITIES	0x0000010a
76 
+ #define ARCH_CAP_RDCL_NO		(1 << 0)   /* Not susceptible to Meltdown */
77 
+ #define ARCH_CAP_IBRS_ALL		(1 << 1)   /* Enhanced IBRS support */
78 
+-#define ARCH_CAP_RDS_NO			(1 << 4)   /*
79 
++#define ARCH_CAP_SSBD_NO		(1 << 4)   /*
80 
+ 						    * Not susceptible to Speculative Store Bypass
81 
+-						    * attack, so no Reduced Data Speculation control
82 
+-						    * required.
83 
++						    * attack, so no Speculative Store Bypass
84 
++						    * control required.
85 
+ 						    */
86 
+
87 
+ #define MSR_IA32_BBL_CR_CTL		0x00000119
88 
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
89 
+index 45ef00a..dc21209 100644
90 
+--- a/arch/x86/include/asm/spec-ctrl.h
91 
+@@ -17,20 +17,20 @@ extern void x86_spec_ctrl_restore_host(u64);
92 
+
93 
+ /* AMD specific Speculative Store Bypass MSR data */
94 
+ extern u64 x86_amd_ls_cfg_base;
95 
+-extern u64 x86_amd_ls_cfg_rds_mask;
96 
++extern u64 x86_amd_ls_cfg_ssbd_mask;
97 
+
98 
+ /* The Intel SPEC CTRL MSR base value cache */
99 
+ extern u64 x86_spec_ctrl_base;
100 
+
101 
+-static inline u64 rds_tif_to_spec_ctrl(u64 tifn)
102 
++static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
103 
+ {
104 
+-	BUILD_BUG_ON(TIF_RDS < SPEC_CTRL_RDS_SHIFT);
105 
+-	return (tifn & _TIF_RDS) >> (TIF_RDS - SPEC_CTRL_RDS_SHIFT);
106 
++	BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
107 
++	return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
108 
+ }
109 
+
110 
+-static inline u64 rds_tif_to_amd_ls_cfg(u64 tifn)
111 
++static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
112 
+ {
113 
+-	return (tifn & _TIF_RDS) ? x86_amd_ls_cfg_rds_mask : 0ULL;
114 
++	return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
115 
+ }
116 
+
117 
+ extern void speculative_store_bypass_update(void);
118 
+diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
119 
+index 36a49b4..a96e88b 100644
120 
+--- a/arch/x86/include/asm/thread_info.h
121 
+@@ -92,7 +92,7 @@ struct thread_info {
122 
+ #define TIF_SIGPENDING		2	/* signal pending */
123 
+ #define TIF_NEED_RESCHED	3	/* rescheduling necessary */
124 
+ #define TIF_SINGLESTEP		4	/* reenable singlestep on user return*/
125 
+-#define TIF_RDS			5	/* Reduced data speculation */
126 
++#define TIF_SSBD		5	/* Reduced data speculation */
127 
+ #define TIF_SYSCALL_EMU		6	/* syscall emulation active */
128 
+ #define TIF_SYSCALL_AUDIT	7	/* syscall auditing active */
129 
+ #define TIF_SECCOMP		8	/* secure computing */
130 
+@@ -117,7 +117,7 @@ struct thread_info {
131 
+ #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
132 
+ #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
133 
+ #define _TIF_SINGLESTEP		(1 << TIF_SINGLESTEP)
134 
+-#define _TIF_RDS		(1 << TIF_RDS)
135 
++#define _TIF_SSBD		(1 << TIF_SSBD)
136 
+ #define _TIF_SYSCALL_EMU	(1 << TIF_SYSCALL_EMU)
137 
+ #define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
138 
+ #define _TIF_SECCOMP		(1 << TIF_SECCOMP)
139 
+@@ -149,7 +149,7 @@ struct thread_info {
140 
+
141 
+ /* flags to check in __switch_to() */
142 
+ #define _TIF_WORK_CTXSW							\
143 
+-	(_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_RDS)
144 
++	(_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD)
145 
+
146 
+ #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY)
147 
+ #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW)
148 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
149 
+index 14e9849..bd0edb2 100644
150 
+--- a/arch/x86/kernel/cpu/amd.c
151 
+@@ -532,12 +532,12 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
152 
+ 		}
153 
+ 		/*
154 
+ 		 * Try to cache the base value so further operations can
155 
+-		 * avoid RMW. If that faults, do not enable RDS.
156 
++		 * avoid RMW. If that faults, do not enable SSBD.
157 
+ 		 */
158 
+ 		if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) {
159 
+-			setup_force_cpu_cap(X86_FEATURE_RDS);
160 
+-			setup_force_cpu_cap(X86_FEATURE_AMD_RDS);
161 
+-			x86_amd_ls_cfg_rds_mask = 1ULL << bit;
162 
++			setup_force_cpu_cap(X86_FEATURE_SSBD);
163 
++			setup_force_cpu_cap(X86_FEATURE_AMD_SSBD);
164 
++			x86_amd_ls_cfg_ssbd_mask = 1ULL << bit;
165 
+ 		}
166 
+ 	}
167 
+ }
168 
+@@ -816,9 +816,9 @@ static void init_amd(struct cpuinfo_x86 *c)
169 
+ 	if (!cpu_has(c, X86_FEATURE_XENPV))
170 
+ 		set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
171 
+
172 
+-	if (boot_cpu_has(X86_FEATURE_AMD_RDS)) {
173 
+-		set_cpu_cap(c, X86_FEATURE_RDS);
174 
+-		set_cpu_cap(c, X86_FEATURE_AMD_RDS);
175 
++	if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) {
176 
++		set_cpu_cap(c, X86_FEATURE_SSBD);
177 
++		set_cpu_cap(c, X86_FEATURE_AMD_SSBD);
178 
+ 	}
179 
+ }
180 
+
181 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
182 
+index 6fd3fcf..812e92a 100644
183 
+--- a/arch/x86/kernel/cpu/bugs.c
184 
+@@ -44,10 +44,10 @@ static u64 x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS;
185 
+
186 
+ /*
187 
+  * AMD specific MSR info for Speculative Store Bypass control.
188 
+- * x86_amd_ls_cfg_rds_mask is initialized in identify_boot_cpu().
189 
++ * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
190 
+  */
191 
+ u64 x86_amd_ls_cfg_base;
192 
+-u64 x86_amd_ls_cfg_rds_mask;
193 
++u64 x86_amd_ls_cfg_ssbd_mask;
194 
+
195 
+ void __init check_bugs(void)
196 
+ {
197 
+@@ -144,7 +144,7 @@ u64 x86_spec_ctrl_get_default(void)
198 
+ 	u64 msrval = x86_spec_ctrl_base;
199 
+
200 
+ 	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
201 
+-		msrval |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
202 
++		msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
203 
+ 	return msrval;
204 
+ }
205 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
206 
+@@ -157,7 +157,7 @@ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
207 
+ 		return;
208 
+
209 
+ 	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
210 
+-		host |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
211 
++		host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
212 
+
213 
+ 	if (host != guest_spec_ctrl)
214 
+ 		wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
215 
+@@ -172,18 +172,18 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
216 
+ 		return;
217 
+
218 
+ 	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
219 
+-		host |= rds_tif_to_spec_ctrl(current_thread_info()->flags);
220 
++		host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
221 
+
222 
+ 	if (host != guest_spec_ctrl)
223 
+ 		wrmsrl(MSR_IA32_SPEC_CTRL, host);
224 
+ }
225 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
226 
+
227 
+-static void x86_amd_rds_enable(void)
228 
++static void x86_amd_ssb_disable(void)
229 
+ {
230 
+-	u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_rds_mask;
231 
++	u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
232 
+
233 
+-	if (boot_cpu_has(X86_FEATURE_AMD_RDS))
234 
++	if (boot_cpu_has(X86_FEATURE_AMD_SSBD))
235 
+ 		wrmsrl(MSR_AMD64_LS_CFG, msrval);
236 
+ }
237 
+
238 
+@@ -471,7 +471,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
239 
+ 	enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
240 
+ 	enum ssb_mitigation_cmd cmd;
241 
+
242 
+-	if (!boot_cpu_has(X86_FEATURE_RDS))
243 
++	if (!boot_cpu_has(X86_FEATURE_SSBD))
244 
+ 		return mode;
245 
+
246 
+ 	cmd = ssb_parse_cmdline();
247 
+@@ -505,7 +505,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
248 
+ 	/*
249 
+ 	 * We have three CPU feature flags that are in play here:
250 
+ 	 *  - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
251 
+-	 *  - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass
252 
++	 *  - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
253 
+ 	 *  - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
254 
+ 	 */
255 
+ 	if (mode == SPEC_STORE_BYPASS_DISABLE) {
256 
+@@ -516,12 +516,12 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
257 
+ 		 */
258 
+ 		switch (boot_cpu_data.x86_vendor) {
259 
+ 		case X86_VENDOR_INTEL:
260 
+-			x86_spec_ctrl_base |= SPEC_CTRL_RDS;
261 
+-			x86_spec_ctrl_mask &= ~SPEC_CTRL_RDS;
262 
+-			x86_spec_ctrl_set(SPEC_CTRL_RDS);
263 
++			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
264 
++			x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD;
265 
++			x86_spec_ctrl_set(SPEC_CTRL_SSBD);
266 
+ 			break;
267 
+ 		case X86_VENDOR_AMD:
268 
+-			x86_amd_rds_enable();
269 
++			x86_amd_ssb_disable();
270 
+ 			break;
271 
+ 		}
272 
+ 	}
273 
+@@ -554,16 +554,16 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
274 
+ 		if (task_spec_ssb_force_disable(task))
275 
+ 			return -EPERM;
276 
+ 		task_clear_spec_ssb_disable(task);
277 
+-		update = test_and_clear_tsk_thread_flag(task, TIF_RDS);
278 
++		update = test_and_clear_tsk_thread_flag(task, TIF_SSBD);
279 
+ 		break;
280 
+ 	case PR_SPEC_DISABLE:
281 
+ 		task_set_spec_ssb_disable(task);
282 
+-		update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
283 
++		update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
284 
+ 		break;
285 
+ 	case PR_SPEC_FORCE_DISABLE:
286 
+ 		task_set_spec_ssb_disable(task);
287 
+ 		task_set_spec_ssb_force_disable(task);
288 
+-		update = !test_and_set_tsk_thread_flag(task, TIF_RDS);
289 
++		update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
290 
+ 		break;
291 
+ 	default:
292 
+ 		return -ERANGE;
293 
+@@ -633,7 +633,7 @@ void x86_spec_ctrl_setup_ap(void)
294 
+ 		x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
295 
+
296 
+ 	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
297 
+-		x86_amd_rds_enable();
298 
++		x86_amd_ssb_disable();
299 
+ }
300 
+
301 
+ #ifdef CONFIG_SYSFS
302 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
303 
+index 7405c86..6f3a5d7 100644
304 
+--- a/arch/x86/kernel/cpu/common.c
305 
+@@ -867,7 +867,7 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
306 
+ 		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
307 
+
308 
+ 	if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
309 
+-	   !(ia32_cap & ARCH_CAP_RDS_NO))
310 
++	   !(ia32_cap & ARCH_CAP_SSBD_NO))
311 
+ 		setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
312 
+
313 
+ 	if (x86_match_cpu(cpu_no_speculation))
314 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
315 
+index ac25d1e5..a34e357 100644
316 
+--- a/arch/x86/kernel/cpu/intel.c
317 
+@@ -119,7 +119,7 @@ static void early_init_intel(struct cpuinfo_x86 *c)
318 
+ 		setup_clear_cpu_cap(X86_FEATURE_STIBP);
319 
+ 		setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
320 
+ 		setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
321 
+-		setup_clear_cpu_cap(X86_FEATURE_RDS);
322 
++		setup_clear_cpu_cap(X86_FEATURE_SSBD);
323 
+ 	}
324 
+
325 
+ 	/*
326 
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
327 
+index 9689e92..57d4ba2 100644
328 
+--- a/arch/x86/kernel/process.c
329 
+@@ -203,11 +203,11 @@ static __always_inline void __speculative_store_bypass_update(unsigned long tifn
330 
+ {
331 
+ 	u64 msr;
332 
+
333 
+-	if (static_cpu_has(X86_FEATURE_AMD_RDS)) {
334 
+-		msr = x86_amd_ls_cfg_base | rds_tif_to_amd_ls_cfg(tifn);
335 
++	if (static_cpu_has(X86_FEATURE_AMD_SSBD)) {
336 
++		msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
337 
+ 		wrmsrl(MSR_AMD64_LS_CFG, msr);
338 
+ 	} else {
339 
+-		msr = x86_spec_ctrl_base | rds_tif_to_spec_ctrl(tifn);
340 
++		msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
341 
+ 		wrmsrl(MSR_IA32_SPEC_CTRL, msr);
342 
+ 	}
343 
+ }
344 
+@@ -246,7 +246,7 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
345 
+ 	if ((tifp ^ tifn) & _TIF_NOTSC)
346 
+ 		cr4_toggle_bits(X86_CR4_TSD);
347 
+
348 
+-	if ((tifp ^ tifn) & _TIF_RDS)
349 
++	if ((tifp ^ tifn) & _TIF_SSBD)
350 
+ 		__speculative_store_bypass_update(tifn);
351 
+ }
352 
+
353 
+--
354 
+2.7.4
355 
+
SPECS/linux/speculative-store-bypass/0083-proc-Use-underscores-for-SSBD-in-status.patch
History View file @ 4ab22c2
0 356 
new file mode 100644
... ... 
@@ -0,0 +1,35 @@
0 
+From ee2998482ccf0cf3820be66c4ff1c4943068eb31 Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:54 -0700
3 
+Subject: [PATCH 083/103] proc: Use underscores for SSBD in 'status'
4 
+
5 
+commit e96f46ee8587607a828f783daa6eb5b44d25004d upstream
6 
+
7 
+The style for the 'status' file is CamelCase or this. _.
8 
+
9 
+Fixes: fae1fa0fc ("proc: Provide details on speculation flaw mitigations")
10 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
11 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
12 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
13 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
15 
+---
16 
+ fs/proc/array.c | 2 +-
17 
+ 1 file changed, 1 insertion(+), 1 deletion(-)
18 
+
19 
+diff --git a/fs/proc/array.c b/fs/proc/array.c
20 
+index 3141478..cb71cba 100644
21 
+--- a/fs/proc/array.c
22 
+@@ -333,7 +333,7 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
23 
+ #ifdef CONFIG_SECCOMP
24 
+ 	seq_printf(m, "Seccomp:\t%d\n", p->seccomp.mode);
25 
+ #endif
26 
+-	seq_printf(m, "\nSpeculation Store Bypass:\t");
27 
++	seq_printf(m, "\nSpeculation_Store_Bypass:\t");
28 
+ 	switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
29 
+ 	case -EINVAL:
30 
+ 		seq_printf(m, "unknown");
31 
+--
32 
+2.7.4
33 
+
SPECS/linux/speculative-store-bypass/0084-Documentation-spec_ctrl-Do-some-minor-cleanups.patch
History View file @ 4ab22c2
0 34 
new file mode 100644
... ... 
@@ -0,0 +1,88 @@
0 
+From d23ef5ed63a11c739406dc3f96005fa026d09984 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:55 -0700
3 
+Subject: [PATCH 084/103] Documentation/spec_ctrl: Do some minor cleanups
4 
+
5 
+commit dd0792699c4058e63c0715d9a7c2d40226fcdddc upstream
6 
+
7 
+Fix some typos, improve formulations, end sentences with a fullstop.
8 
+
9 
+Signed-off-by: Borislav Petkov <bp@suse.de>
10 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
11 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
12 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
13 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
14 
+---
15 
+ Documentation/spec_ctrl.txt | 24 ++++++++++++------------
16 
+ 1 file changed, 12 insertions(+), 12 deletions(-)
17 
+
18 
+diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt
19 
+index 1b3690d..32f3d55 100644
20 
+--- a/Documentation/spec_ctrl.txt
21 
+@@ -2,13 +2,13 @@
22 
+ Speculation Control
23 
+ ===================
24 
+
25 
+-Quite some CPUs have speculation related misfeatures which are in fact
26 
+-vulnerabilites causing data leaks in various forms even accross privilege
27 
+-domains.
28 
++Quite some CPUs have speculation-related misfeatures which are in
29 
++fact vulnerabilities causing data leaks in various forms even across
30 
++privilege domains.
31 
+
32 
+ The kernel provides mitigation for such vulnerabilities in various
33 
+-forms. Some of these mitigations are compile time configurable and some on
34 
+-the kernel command line.
35 
++forms. Some of these mitigations are compile-time configurable and some
36 
++can be supplied on the kernel command line.
37 
+
38 
+ There is also a class of mitigations which are very expensive, but they can
39 
+ be restricted to a certain set of processes or tasks in controlled
40 
+@@ -32,18 +32,18 @@ the following meaning:
41 
+ Bit  Define                Description
42 
+ ==== ===================== ===================================================
43 
+ 0    PR_SPEC_PRCTL         Mitigation can be controlled per task by
44 
+-                           PR_SET_SPECULATION_CTRL
45 
++                           PR_SET_SPECULATION_CTRL.
46 
+ 1    PR_SPEC_ENABLE        The speculation feature is enabled, mitigation is
47 
+-                           disabled
48 
++                           disabled.
49 
+ 2    PR_SPEC_DISABLE       The speculation feature is disabled, mitigation is
50 
+-                           enabled
51 
++                           enabled.
52 
+ 3    PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
53 
+                            subsequent prctl(..., PR_SPEC_ENABLE) will fail.
54 
+ ==== ===================== ===================================================
55 
+
56 
+ If all bits are 0 the CPU is not affected by the speculation misfeature.
57 
+
58 
+-If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
59 
++If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
60 
+ available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
61 
+ misfeature will fail.
62 
+
63 
+@@ -61,9 +61,9 @@ Common error codes
64 
+ Value   Meaning
65 
+ ======= =================================================================
66 
+ EINVAL  The prctl is not implemented by the architecture or unused
67 
+-        prctl(2) arguments are not 0
68 
++        prctl(2) arguments are not 0.
69 
+
70 
+-ENODEV  arg2 is selecting a not supported speculation misfeature
71 
++ENODEV  arg2 is selecting a not supported speculation misfeature.
72 
+ ======= =================================================================
73 
+
74 
+ PR_SET_SPECULATION_CTRL error codes
75 
+@@ -74,7 +74,7 @@ Value   Meaning
76 
+ 0       Success
77 
+
78 
+ ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
79 
+-        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE
80 
++        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.
81 
+
82 
+ ENXIO   Control of the selected speculation misfeature is not possible.
83 
+         See PR_GET_SPECULATION_CTRL.
84 
+--
85 
+2.7.4
86 
+
SPECS/linux/speculative-store-bypass/0085-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch
History View file @ 4ab22c2
0 87 
new file mode 100644
... ... 
@@ -0,0 +1,36 @@
0 
+From 1c3945eb19882a09431eaa12c167918287310301 Mon Sep 17 00:00:00 2001
1 
+From: Jiri Kosina <jkosina@suse.cz>
2 
+Date: Thu, 14 Jun 2018 14:56:55 -0700
3 
+Subject: [PATCH 085/103] x86/bugs: Fix __ssb_select_mitigation() return type
4 
+
5 
+commit d66d8ff3d21667b41eddbe86b35ab411e40d8c5f upstream
6 
+
7 
+__ssb_select_mitigation() returns one of the members of enum ssb_mitigation,
8 
+not ssb_mitigation_cmd; fix the prototype to reflect that.
9 
+
10 
+Fixes: 24f7fc83b9204 ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation")
11 
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
12 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
13 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
14 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
15 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
16 
+---
17 
+ arch/x86/kernel/cpu/bugs.c | 2 +-
18 
+ 1 file changed, 1 insertion(+), 1 deletion(-)
19 
+
20 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
21 
+index 812e92a..5b58b76 100644
22 
+--- a/arch/x86/kernel/cpu/bugs.c
23 
+@@ -466,7 +466,7 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
24 
+ 	return cmd;
25 
+ }
26 
+
27 
+-static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
28 
++static enum ssb_mitigation __init __ssb_select_mitigation(void)
29 
+ {
30 
+ 	enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
31 
+ 	enum ssb_mitigation_cmd cmd;
32 
+--
33 
+2.7.4
34 
+
SPECS/linux/speculative-store-bypass/0086-x86-bugs-Make-cpu_show_common-static.patch
History View file @ 4ab22c2
0 35 
new file mode 100644
... ... 
@@ -0,0 +1,35 @@
0 
+From 81c0d29038f9ff57a13e24b1abb187b349bba6ca Mon Sep 17 00:00:00 2001
1 
+From: Jiri Kosina <jkosina@suse.cz>
2 
+Date: Thu, 14 Jun 2018 14:56:56 -0700
3 
+Subject: [PATCH 086/103] x86/bugs: Make cpu_show_common() static
4 
+
5 
+commit 7bb4d366cba992904bffa4820d24e70a3de93e76 upstream
6 
+
7 
+cpu_show_common() is not used outside of arch/x86/kernel/cpu/bugs.c, so
8 
+make it static.
9 
+
10 
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
11 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
12 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
13 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
15 
+---
16 
+ arch/x86/kernel/cpu/bugs.c | 2 +-
17 
+ 1 file changed, 1 insertion(+), 1 deletion(-)
18 
+
19 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
20 
+index 5b58b76..512be68 100644
21 
+--- a/arch/x86/kernel/cpu/bugs.c
22 
+@@ -638,7 +638,7 @@ void x86_spec_ctrl_setup_ap(void)
23 
+
24 
+ #ifdef CONFIG_SYSFS
25 
+
26 
+-ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
27 
++static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
28 
+ 			char *buf, unsigned int bug)
29 
+ {
30 
+ 	if (!boot_cpu_has_bug(bug))
31 
+--
32 
+2.7.4
33 
+
SPECS/linux/speculative-store-bypass/0087-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch
History View file @ 4ab22c2
0 34 
new file mode 100644
... ... 
@@ -0,0 +1,44 @@
0 
+From f9cfa363647518d0f60930b88468f5a480b5323d Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:56:57 -0700
3 
+Subject: [PATCH 087/103] x86/bugs: Fix the parameters alignment and missing
4 
+ void
5 
+
6 
+commit ffed645e3be0e32f8e9ab068d257aee8d0fe8eec upstream
7 
+
8 
+Fixes: 7bb4d366c ("x86/bugs: Make cpu_show_common() static")
9 
+Fixes: 24f7fc83b ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation")
10 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
11 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
12 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
13 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
15 
+---
16 
+ arch/x86/kernel/cpu/bugs.c | 4 ++--
17 
+ 1 file changed, 2 insertions(+), 2 deletions(-)
18 
+
19 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
20 
+index 512be68..84de0fc 100644
21 
+--- a/arch/x86/kernel/cpu/bugs.c
22 
+@@ -529,7 +529,7 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
23 
+ 	return mode;
24 
+ }
25 
+
26 
+-static void ssb_select_mitigation()
27 
++static void ssb_select_mitigation(void)
28 
+ {
29 
+ 	ssb_mode = __ssb_select_mitigation();
30 
+
31 
+@@ -639,7 +639,7 @@ void x86_spec_ctrl_setup_ap(void)
32 
+ #ifdef CONFIG_SYSFS
33 
+
34 
+ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
35 
+-			char *buf, unsigned int bug)
36 
++			       char *buf, unsigned int bug)
37 
+ {
38 
+ 	if (!boot_cpu_has_bug(bug))
39 
+ 		return sprintf(buf, "Not affected\n");
40 
+--
41 
+2.7.4
42 
+
SPECS/linux/speculative-store-bypass/0088-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch
History View file @ 4ab22c2
0 43 
new file mode 100644
... ... 
@@ -0,0 +1,43 @@
0 
+From 803bb532254a96af0b554032f20db1f0a447bbd5 Mon Sep 17 00:00:00 2001
1 
+From: Jim Mattson <jmattson@google.com>
2 
+Date: Thu, 14 Jun 2018 14:56:57 -0700
3 
+Subject: [PATCH 088/103] x86/cpu: Make alternative_msr_write work for 32-bit
4 
+ code
5 
+
6 
+commit 5f2b745f5e1304f438f9b2cd03ebc8120b6e0d3b upstream
7 
+
8 
+Cast val and (val >> 32) to (u32), so that they fit in a
9 
+general-purpose register in both 32-bit and 64-bit code.
10 
+
11 
+[ tglx: Made it u32 instead of uintptr_t ]
12 
+
13 
+Fixes: c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload")
14 
+Signed-off-by: Jim Mattson <jmattson@google.com>
15 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
16 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
17 
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
18 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
19 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
20 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
21 
+---
22 
+ arch/x86/include/asm/nospec-branch.h | 4 ++--
23 
+ 1 file changed, 2 insertions(+), 2 deletions(-)
24 
+
25 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
26 
+index 930c1594..640c11b 100644
27 
+--- a/arch/x86/include/asm/nospec-branch.h
28 
+@@ -219,8 +219,8 @@ void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature)
29 
+ {
30 
+ 	asm volatile(ALTERNATIVE("", "wrmsr", %c[feature])
31 
+ 		: : "c" (msr),
32 
+-		    "a" (val),
33 
+-		    "d" (val >> 32),
34 
++		    "a" ((u32)val),
35 
++		    "d" ((u32)(val >> 32)),
36 
+ 		    [feature] "i" (feature)
37 
+ 		: "memory");
38 
+ }
39 
+--
40 
+2.7.4
41 
+
SPECS/linux/speculative-store-bypass/0089-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch
History View file @ 4ab22c2
0 42 
new file mode 100644
... ... 
@@ -0,0 +1,107 @@
0 
+From 0974741786be9930dfb9d667a15c0a59c2350983 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:56:58 -0700
3 
+Subject: [PATCH 089/103] x86/speculation: Use synthetic bits for
4 
+ IBRS/IBPB/STIBP
5 
+MIME-Version: 1.0
6 
+Content-Type: text/plain; charset=UTF-8
7 
+Content-Transfer-Encoding: 8bit
8 
+
9 
+commit e7c587da125291db39ddf1f49b18e5970adbac17 upstream
10 
+
11 
+Intel and AMD have different CPUID bits hence for those use synthetic bits
12 
+which get set on the respective vendor's in init_speculation_control(). So
13 
+that debacles like what the commit message of
14 
+
15 
+  c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload")
16 
+
17 
+talks about don't happen anymore.
18 
+
19 
+Signed-off-by: Borislav Petkov <bp@suse.de>
20 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
21 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
22 
+Tested-by: Jörg Otte <jrg.otte@gmail.com>
23 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
24 
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
25 
+Link: https://lkml.kernel.org/r/20180504161815.GG9257@pd.tnic
26 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
27 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
28 
+[ Srivatsa: Backported to 4.4.y, skipping the KVM changes in this patch. ]
29 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
30 
+---
31 
+ arch/x86/include/asm/cpufeatures.h | 12 ++++++++----
32 
+ arch/x86/kernel/cpu/common.c       | 14 ++++++++++----
33 
+ 2 files changed, 18 insertions(+), 8 deletions(-)
34 
+
35 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
36 
+index 54c25dd..899b089 100644
37 
+--- a/arch/x86/include/asm/cpufeatures.h
38 
+@@ -204,7 +204,10 @@
39 
+ #define X86_FEATURE_USE_IBPB	( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/
40 
+ #define X86_FEATURE_USE_IBRS_FW	( 7*32+22) /* "" Use IBRS during runtime firmware calls */
41 
+ #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE	( 7*32+23) /* "" Disable Speculative Store Bypass. */
42 
+-#define X86_FEATURE_AMD_SSBD	(7*32+24)  /* "" AMD SSBD implementation */
43 
++#define X86_FEATURE_AMD_SSBD	( 7*32+24) /* "" AMD SSBD implementation */
44 
++#define X86_FEATURE_IBRS	( 7*32+25) /* Indirect Branch Restricted Speculation */
45 
++#define X86_FEATURE_IBPB	( 7*32+26) /* Indirect Branch Prediction Barrier */
46 
++#define X86_FEATURE_STIBP	( 7*32+27) /* Single Thread Indirect Branch Predictors */
47 
+
48 
+ /* Virtualization flags: Linux defined, word 8 */
49 
+ #define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
50 
+@@ -256,9 +259,9 @@
51 
+
52 
+ /* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */
53 
+ #define X86_FEATURE_CLZERO	(13*32+0) /* CLZERO instruction */
54 
+-#define X86_FEATURE_IBPB	(13*32+12) /* Indirect Branch Prediction Barrier */
55 
+-#define X86_FEATURE_IBRS	(13*32+14) /* Indirect Branch Restricted Speculation */
56 
+-#define X86_FEATURE_STIBP	(13*32+15) /* Single Thread Indirect Branch Predictors */
57 
++#define X86_FEATURE_AMD_IBPB	(13*32+12) /* Indirect Branch Prediction Barrier */
58 
++#define X86_FEATURE_AMD_IBRS	(13*32+14) /* Indirect Branch Restricted Speculation */
59 
++#define X86_FEATURE_AMD_STIBP	(13*32+15) /* Single Thread Indirect Branch Predictors */
60 
+
61 
+ /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
62 
+ #define X86_FEATURE_DTHERM	(14*32+ 0) /* Digital Thermal Sensor */
63 
+@@ -293,6 +296,7 @@
64 
+ #define X86_FEATURE_SUCCOR	(17*32+1) /* Uncorrectable error containment and recovery */
65 
+ #define X86_FEATURE_SMCA	(17*32+3) /* Scalable MCA */
66 
+
67 
++
68 
+ /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
69 
+ #define X86_FEATURE_AVX512_4VNNIW	(18*32+ 2) /* AVX-512 Neural Network Instructions */
70 
+ #define X86_FEATURE_AVX512_4FMAPS	(18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
71 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
72 
+index 6f3a5d7..f2b579f 100644
73 
+--- a/arch/x86/kernel/cpu/common.c
74 
+@@ -683,17 +683,23 @@ static void init_speculation_control(struct cpuinfo_x86 *c)
75 
+ 	 * and they also have a different bit for STIBP support. Also,
76 
+ 	 * a hypervisor might have set the individual AMD bits even on
77 
+ 	 * Intel CPUs, for finer-grained selection of what's available.
78 
+-	 *
79 
+-	 * We use the AMD bits in 0x8000_0008 EBX as the generic hardware
80 
+-	 * features, which are visible in /proc/cpuinfo and used by the
81 
+-	 * kernel. So set those accordingly from the Intel bits.
82 
+ 	 */
83 
+ 	if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
84 
+ 		set_cpu_cap(c, X86_FEATURE_IBRS);
85 
+ 		set_cpu_cap(c, X86_FEATURE_IBPB);
86 
+ 	}
87 
++
88 
+ 	if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
89 
+ 		set_cpu_cap(c, X86_FEATURE_STIBP);
90 
++
91 
++	if (cpu_has(c, X86_FEATURE_AMD_IBRS))
92 
++		set_cpu_cap(c, X86_FEATURE_IBRS);
93 
++
94 
++	if (cpu_has(c, X86_FEATURE_AMD_IBPB))
95 
++		set_cpu_cap(c, X86_FEATURE_IBPB);
96 
++
97 
++	if (cpu_has(c, X86_FEATURE_AMD_STIBP))
98 
++		set_cpu_cap(c, X86_FEATURE_STIBP);
99 
+ }
100 
+
101 
+ void get_cpu_cap(struct cpuinfo_x86 *c)
102 
+--
103 
+2.7.4
104 
+
SPECS/linux/speculative-store-bypass/0090-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch
History View file @ 4ab22c2
0 105 
new file mode 100644
... ... 
@@ -0,0 +1,157 @@
0 
+From dc24f4d269f54e866c2d6cd2e9161ce56a9004de Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:59 -0700
3 
+Subject: [PATCH 090/103] x86/cpufeatures: Disentangle MSR_SPEC_CTRL
4 
+ enumeration from IBRS
5 
+
6 
+commit 7eb8956a7fec3c1f0abc2a5517dada99ccc8a961 upstream
7 
+
8 
+The availability of the SPEC_CTRL MSR is enumerated by a CPUID bit on
9 
+Intel and implied by IBRS or STIBP support on AMD. That's just confusing
10 
+and in case an AMD CPU has IBRS not supported because the underlying
11 
+problem has been fixed but has another bit valid in the SPEC_CTRL MSR,
12 
+the thing falls apart.
13 
+
14 
+Add a synthetic feature bit X86_FEATURE_MSR_SPEC_CTRL to denote the
15 
+availability on both Intel and AMD.
16 
+
17 
+While at it replace the boot_cpu_has() checks with static_cpu_has() where
18 
+possible. This prevents late microcode loading from exposing SPEC_CTRL, but
19 
+late loading is already very limited as it does not reevaluate the
20 
+mitigation options and other bits and pieces. Having static_cpu_has() is
21 
+the simplest and least fragile solution.
22 
+
23 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
24 
+Reviewed-by: Borislav Petkov <bp@suse.de>
25 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
26 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
27 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
28 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
29 
+---
30 
+ arch/x86/include/asm/cpufeatures.h |  3 +++
31 
+ arch/x86/kernel/cpu/bugs.c         | 18 +++++++++++-------
32 
+ arch/x86/kernel/cpu/common.c       |  9 +++++++--
33 
+ arch/x86/kernel/cpu/intel.c        |  1 +
34 
+ 4 files changed, 22 insertions(+), 9 deletions(-)
35 
+
36 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
37 
+index 899b089..3d63ba5 100644
38 
+--- a/arch/x86/include/asm/cpufeatures.h
39 
+@@ -198,6 +198,9 @@
40 
+
41 
+ #define X86_FEATURE_RETPOLINE	( 7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */
42 
+ #define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
43 
++
44 
++#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
45 
++
46 
+ /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
47 
+ #define X86_FEATURE_KAISER	( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
48 
+
49 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
50 
+index 84de0fc..e23e289 100644
51 
+--- a/arch/x86/kernel/cpu/bugs.c
52 
+@@ -63,7 +63,7 @@ void __init check_bugs(void)
53 
+ 	 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
54 
+ 	 * init code as it is not enumerated and depends on the family.
55 
+ 	 */
56 
+-	if (boot_cpu_has(X86_FEATURE_IBRS))
57 
++	if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
58 
+ 		rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
59 
+
60 
+ 	/* Select the proper spectre mitigation before patching alternatives */
61 
+@@ -143,7 +143,7 @@ u64 x86_spec_ctrl_get_default(void)
62 
+ {
63 
+ 	u64 msrval = x86_spec_ctrl_base;
64 
+
65 
+-	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
66 
++	if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
67 
+ 		msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
68 
+ 	return msrval;
69 
+ }
70 
+@@ -153,10 +153,12 @@ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
71 
+ {
72 
+ 	u64 host = x86_spec_ctrl_base;
73 
+
74 
+-	if (!boot_cpu_has(X86_FEATURE_IBRS))
75 
++	/* Is MSR_SPEC_CTRL implemented ? */
76 
++	if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
77 
+ 		return;
78 
+
79 
+-	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
80 
++	/* Intel controls SSB in MSR_SPEC_CTRL */
81 
++	if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
82 
+ 		host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
83 
+
84 
+ 	if (host != guest_spec_ctrl)
85 
+@@ -168,10 +170,12 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
86 
+ {
87 
+ 	u64 host = x86_spec_ctrl_base;
88 
+
89 
+-	if (!boot_cpu_has(X86_FEATURE_IBRS))
90 
++	/* Is MSR_SPEC_CTRL implemented ? */
91 
++	if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
92 
+ 		return;
93 
+
94 
+-	if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
95 
++	/* Intel controls SSB in MSR_SPEC_CTRL */
96 
++	if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
97 
+ 		host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
98 
+
99 
+ 	if (host != guest_spec_ctrl)
100 
+@@ -629,7 +633,7 @@ int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
101 
+
102 
+ void x86_spec_ctrl_setup_ap(void)
103 
+ {
104 
+-	if (boot_cpu_has(X86_FEATURE_IBRS))
105 
++	if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
106 
+ 		x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
107 
+
108 
+ 	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
109 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
110 
+index f2b579f..1f70ff1 100644
111 
+--- a/arch/x86/kernel/cpu/common.c
112 
+@@ -687,19 +687,24 @@ static void init_speculation_control(struct cpuinfo_x86 *c)
113 
+ 	if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
114 
+ 		set_cpu_cap(c, X86_FEATURE_IBRS);
115 
+ 		set_cpu_cap(c, X86_FEATURE_IBPB);
116 
++		set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
117 
+ 	}
118 
+
119 
+ 	if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
120 
+ 		set_cpu_cap(c, X86_FEATURE_STIBP);
121 
+
122 
+-	if (cpu_has(c, X86_FEATURE_AMD_IBRS))
123 
++	if (cpu_has(c, X86_FEATURE_AMD_IBRS)) {
124 
+ 		set_cpu_cap(c, X86_FEATURE_IBRS);
125 
++		set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
126 
++	}
127 
+
128 
+ 	if (cpu_has(c, X86_FEATURE_AMD_IBPB))
129 
+ 		set_cpu_cap(c, X86_FEATURE_IBPB);
130 
+
131 
+-	if (cpu_has(c, X86_FEATURE_AMD_STIBP))
132 
++	if (cpu_has(c, X86_FEATURE_AMD_STIBP)) {
133 
+ 		set_cpu_cap(c, X86_FEATURE_STIBP);
134 
++		set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
135 
++	}
136 
+ }
137 
+
138 
+ void get_cpu_cap(struct cpuinfo_x86 *c)
139 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
140 
+index a34e357..9a84e75 100644
141 
+--- a/arch/x86/kernel/cpu/intel.c
142 
+@@ -118,6 +118,7 @@ static void early_init_intel(struct cpuinfo_x86 *c)
143 
+ 		setup_clear_cpu_cap(X86_FEATURE_IBPB);
144 
+ 		setup_clear_cpu_cap(X86_FEATURE_STIBP);
145 
+ 		setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
146 
++		setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL);
147 
+ 		setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
148 
+ 		setup_clear_cpu_cap(X86_FEATURE_SSBD);
149 
+ 	}
150 
+--
151 
+2.7.4
152 
+
SPECS/linux/speculative-store-bypass/0091-x86-cpufeatures-Disentangle-SSBD-enumeration.patch
History View file @ 4ab22c2
0 153 
new file mode 100644
... ... 
@@ -0,0 +1,165 @@
0 
+From fdb66d25c087ca9cf63f8c028502fa2c8f6844cd Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:56:59 -0700
3 
+Subject: [PATCH 091/103] x86/cpufeatures: Disentangle SSBD enumeration
4 
+
5 
+commit 52817587e706686fcdb27f14c1b000c92f266c96 upstream
6 
+
7 
+The SSBD enumeration is similarly to the other bits magically shared
8 
+between Intel and AMD though the mechanisms are different.
9 
+
10 
+Make X86_FEATURE_SSBD synthetic and set it depending on the vendor specific
11 
+features or family dependent setup.
12 
+
13 
+Change the Intel bit to X86_FEATURE_SPEC_CTRL_SSBD to denote that SSBD is
14 
+controlled via MSR_SPEC_CTRL and fix up the usage sites.
15 
+
16 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
17 
+Reviewed-by: Borislav Petkov <bp@suse.de>
18 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
19 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
20 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
21 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
22 
+---
23 
+ arch/x86/include/asm/cpufeatures.h |  6 ++++--
24 
+ arch/x86/kernel/cpu/amd.c          |  7 +------
25 
+ arch/x86/kernel/cpu/bugs.c         | 10 +++++-----
26 
+ arch/x86/kernel/cpu/common.c       |  3 +++
27 
+ arch/x86/kernel/cpu/intel.c        |  1 +
28 
+ arch/x86/kernel/process.c          |  2 +-
29 
+ 6 files changed, 15 insertions(+), 14 deletions(-)
30 
+
31 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
32 
+index 3d63ba5..42cc5c9 100644
33 
+--- a/arch/x86/include/asm/cpufeatures.h
34 
+@@ -200,6 +200,7 @@
35 
+ #define X86_FEATURE_RETPOLINE_AMD ( 7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
36 
+
37 
+ #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
38 
++#define X86_FEATURE_SSBD	( 7*32+17) /* Speculative Store Bypass Disable */
39 
+
40 
+ /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */
41 
+ #define X86_FEATURE_KAISER	( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */
42 
+@@ -207,7 +208,8 @@
43 
+ #define X86_FEATURE_USE_IBPB	( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/
44 
+ #define X86_FEATURE_USE_IBRS_FW	( 7*32+22) /* "" Use IBRS during runtime firmware calls */
45 
+ #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE	( 7*32+23) /* "" Disable Speculative Store Bypass. */
46 
+-#define X86_FEATURE_AMD_SSBD	( 7*32+24) /* "" AMD SSBD implementation */
47 
++#define X86_FEATURE_LS_CFG_SSBD	( 7*32+24) /* "" AMD SSBD implementation */
48 
++
49 
+ #define X86_FEATURE_IBRS	( 7*32+25) /* Indirect Branch Restricted Speculation */
50 
+ #define X86_FEATURE_IBPB	( 7*32+26) /* Indirect Branch Prediction Barrier */
51 
+ #define X86_FEATURE_STIBP	( 7*32+27) /* Single Thread Indirect Branch Predictors */
52 
+@@ -306,7 +308,7 @@
53 
+ #define X86_FEATURE_SPEC_CTRL		(18*32+26) /* "" Speculation Control (IBRS + IBPB) */
54 
+ #define X86_FEATURE_INTEL_STIBP		(18*32+27) /* "" Single Thread Indirect Branch Predictors */
55 
+ #define X86_FEATURE_ARCH_CAPABILITIES	(18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
56 
+-#define X86_FEATURE_SSBD		(18*32+31) /* Speculative Store Bypass Disable */
57 
++#define X86_FEATURE_SPEC_CTRL_SSBD	(18*32+31) /* "" Speculative Store Bypass Disable */
58 
+
59 
+ /*
60 
+  * BUG word(s)
61 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
62 
+index bd0edb2..a97fd67 100644
63 
+--- a/arch/x86/kernel/cpu/amd.c
64 
+@@ -535,8 +535,8 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
65 
+ 		 * avoid RMW. If that faults, do not enable SSBD.
66 
+ 		 */
67 
+ 		if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) {
68 
++			setup_force_cpu_cap(X86_FEATURE_LS_CFG_SSBD);
69 
+ 			setup_force_cpu_cap(X86_FEATURE_SSBD);
70 
+-			setup_force_cpu_cap(X86_FEATURE_AMD_SSBD);
71 
+ 			x86_amd_ls_cfg_ssbd_mask = 1ULL << bit;
72 
+ 		}
73 
+ 	}
74 
+@@ -815,11 +815,6 @@ static void init_amd(struct cpuinfo_x86 *c)
75 
+ 	/* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */
76 
+ 	if (!cpu_has(c, X86_FEATURE_XENPV))
77 
+ 		set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
78 
+-
79 
+-	if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) {
80 
+-		set_cpu_cap(c, X86_FEATURE_SSBD);
81 
+-		set_cpu_cap(c, X86_FEATURE_AMD_SSBD);
82 
+-	}
83 
+ }
84 
+
85 
+ #ifdef CONFIG_X86_32
86 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
87 
+index e23e289..9be7292 100644
88 
+--- a/arch/x86/kernel/cpu/bugs.c
89 
+@@ -157,8 +157,8 @@ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
90 
+ 	if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
91 
+ 		return;
92 
+
93 
+-	/* Intel controls SSB in MSR_SPEC_CTRL */
94 
+-	if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
95 
++	/* SSBD controlled in MSR_SPEC_CTRL */
96 
++	if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
97 
+ 		host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
98 
+
99 
+ 	if (host != guest_spec_ctrl)
100 
+@@ -174,8 +174,8 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
101 
+ 	if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
102 
+ 		return;
103 
+
104 
+-	/* Intel controls SSB in MSR_SPEC_CTRL */
105 
+-	if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
106 
++	/* SSBD controlled in MSR_SPEC_CTRL */
107 
++	if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
108 
+ 		host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
109 
+
110 
+ 	if (host != guest_spec_ctrl)
111 
+@@ -187,7 +187,7 @@ static void x86_amd_ssb_disable(void)
112 
+ {
113 
+ 	u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
114 
+
115 
+-	if (boot_cpu_has(X86_FEATURE_AMD_SSBD))
116 
++	if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
117 
+ 		wrmsrl(MSR_AMD64_LS_CFG, msrval);
118 
+ }
119 
+
120 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
121 
+index 1f70ff1..1097723 100644
122 
+--- a/arch/x86/kernel/cpu/common.c
123 
+@@ -693,6 +693,9 @@ static void init_speculation_control(struct cpuinfo_x86 *c)
124 
+ 	if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
125 
+ 		set_cpu_cap(c, X86_FEATURE_STIBP);
126 
+
127 
++	if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD))
128 
++		set_cpu_cap(c, X86_FEATURE_SSBD);
129 
++
130 
+ 	if (cpu_has(c, X86_FEATURE_AMD_IBRS)) {
131 
+ 		set_cpu_cap(c, X86_FEATURE_IBRS);
132 
+ 		set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
133 
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
134 
+index 9a84e75..4dce22d 100644
135 
+--- a/arch/x86/kernel/cpu/intel.c
136 
+@@ -121,6 +121,7 @@ static void early_init_intel(struct cpuinfo_x86 *c)
137 
+ 		setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL);
138 
+ 		setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
139 
+ 		setup_clear_cpu_cap(X86_FEATURE_SSBD);
140 
++		setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL_SSBD);
141 
+ 	}
142 
+
143 
+ 	/*
144 
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
145 
+index 57d4ba2..8cefbd2 100644
146 
+--- a/arch/x86/kernel/process.c
147 
+@@ -203,7 +203,7 @@ static __always_inline void __speculative_store_bypass_update(unsigned long tifn
148 
+ {
149 
+ 	u64 msr;
150 
+
151 
+-	if (static_cpu_has(X86_FEATURE_AMD_SSBD)) {
152 
++	if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) {
153 
+ 		msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
154 
+ 		wrmsrl(MSR_AMD64_LS_CFG, msr);
155 
+ 	} else {
156 
+--
157 
+2.7.4
158 
+
SPECS/linux/speculative-store-bypass/0092-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch
History View file @ 4ab22c2
0 159 
new file mode 100644
... ... 
@@ -0,0 +1,56 @@
0 
+From d873abc7e84e0a48b254c1542fe34a3509fa8558 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:57:00 -0700
3 
+Subject: [PATCH 092/103] x86/cpu/AMD: Fix erratum 1076 (CPB bit)
4 
+
5 
+commit f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 upstream
6 
+
7 
+CPUID Fn8000_0007_EDX[CPB] is wrongly 0 on models up to B1. But they do
8 
+support CPB (AMD's Core Performance Boosting cpufreq CPU feature), so fix that.
9 
+
10 
+Signed-off-by: Borislav Petkov <bp@suse.de>
11 
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
12 
+Cc: Peter Zijlstra <peterz@infradead.org>
13 
+Cc: Sherry Hurwitz <sherry.hurwitz@amd.com>
14 
+Cc: Thomas Gleixner <tglx@linutronix.de>
15 
+Link: http://lkml.kernel.org/r/20170907170821.16021-1-bp@alien8.de
16 
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
17 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
18 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
20 
+---
21 
+ arch/x86/kernel/cpu/amd.c | 11 +++++++++++
22 
+ 1 file changed, 11 insertions(+)
23 
+
24 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
25 
+index a97fd67..87f4a0d 100644
26 
+--- a/arch/x86/kernel/cpu/amd.c
27 
+@@ -713,6 +713,16 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
28 
+ 	}
29 
+ }
30 
+
31 
++static void init_amd_zn(struct cpuinfo_x86 *c)
32 
++{
33 
++	/*
34 
++	 * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects
35 
++	 * all up to and including B1.
36 
++	 */
37 
++	if (c->x86_model <= 1 && c->x86_mask <= 1)
38 
++		set_cpu_cap(c, X86_FEATURE_CPB);
39 
++}
40 
++
41 
+ static void init_amd(struct cpuinfo_x86 *c)
42 
+ {
43 
+ 	u32 dummy;
44 
+@@ -743,6 +753,7 @@ static void init_amd(struct cpuinfo_x86 *c)
45 
+ 	case 0x10: init_amd_gh(c); break;
46 
+ 	case 0x12: init_amd_ln(c); break;
47 
+ 	case 0x15: init_amd_bd(c); break;
48 
++	case 0x17: init_amd_zn(c); break;
49 
+ 	}
50 
+
51 
+ 	/* Enable workaround for FXSAVE leak */
52 
+--
53 
+2.7.4
54 
+
SPECS/linux/speculative-store-bypass/0093-x86-cpufeatures-Add-FEATURE_ZEN.patch
History View file @ 4ab22c2
0 55 
new file mode 100644
... ... 
@@ -0,0 +1,49 @@
0 
+From 578309f838c1034f29371f937288da2b8033cdf0 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:57:01 -0700
3 
+Subject: [PATCH 093/103] x86/cpufeatures: Add FEATURE_ZEN
4 
+
5 
+commit d1035d971829dcf80e8686ccde26f94b0a069472 upstream
6 
+
7 
+Add a ZEN feature bit so family-dependent static_cpu_has() optimizations
8 
+can be built for ZEN.
9 
+
10 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
11 
+Reviewed-by: Borislav Petkov <bp@suse.de>
12 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
13 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
14 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
15 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
16 
+---
17 
+ arch/x86/include/asm/cpufeatures.h | 2 ++
18 
+ arch/x86/kernel/cpu/amd.c          | 1 +
19 
+ 2 files changed, 3 insertions(+)
20 
+
21 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
22 
+index 42cc5c9..d3a50be 100644
23 
+--- a/arch/x86/include/asm/cpufeatures.h
24 
+@@ -213,6 +213,8 @@
25 
+ #define X86_FEATURE_IBRS	( 7*32+25) /* Indirect Branch Restricted Speculation */
26 
+ #define X86_FEATURE_IBPB	( 7*32+26) /* Indirect Branch Prediction Barrier */
27 
+ #define X86_FEATURE_STIBP	( 7*32+27) /* Single Thread Indirect Branch Predictors */
28 
++#define X86_FEATURE_ZEN		( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
29 
++
30 
+
31 
+ /* Virtualization flags: Linux defined, word 8 */
32 
+ #define X86_FEATURE_TPR_SHADOW  ( 8*32+ 0) /* Intel TPR Shadow */
33 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
34 
+index 87f4a0d..9f61518 100644
35 
+--- a/arch/x86/kernel/cpu/amd.c
36 
+@@ -715,6 +715,7 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
37 
+
38 
+ static void init_amd_zn(struct cpuinfo_x86 *c)
39 
+ {
40 
++	set_cpu_cap(c, X86_FEATURE_ZEN);
41 
+ 	/*
42 
+ 	 * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects
43 
+ 	 * all up to and including B1.
44 
+--
45 
+2.7.4
46 
+
SPECS/linux/speculative-store-bypass/0094-x86-speculation-Handle-HT-correctly-on-AMD.patch
History View file @ 4ab22c2
0 47 
new file mode 100644
... ... 
@@ -0,0 +1,241 @@
0 
+From 06bb4cf3d0b921ff62b3620a9acbef837e8ccde5 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:57:01 -0700
3 
+Subject: [PATCH 094/103] x86/speculation: Handle HT correctly on AMD
4 
+
5 
+commit 1f50ddb4f4189243c05926b842dc1a0332195f31 upstream
6 
+
7 
+The AMD64_LS_CFG MSR is a per core MSR on Family 17H CPUs. That means when
8 
+hyperthreading is enabled the SSBD bit toggle needs to take both cores into
9 
+account. Otherwise the following situation can happen:
10 
+
11 
+CPU0		CPU1
12 
+
13 
+disable SSB
14 
+		disable SSB
15 
+		enable  SSB <- Enables it for the Core, i.e. for CPU0 as well
16 
+
17 
+So after the SSB enable on CPU1 the task on CPU0 runs with SSB enabled
18 
+again.
19 
+
20 
+On Intel the SSBD control is per core as well, but the synchronization
21 
+logic is implemented behind the per thread SPEC_CTRL MSR. It works like
22 
+this:
23 
+
24 
+  CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL
25 
+
26 
+i.e. if one of the threads enables a mitigation then this affects both and
27 
+the mitigation is only disabled in the core when both threads disabled it.
28 
+
29 
+Add the necessary synchronization logic for AMD family 17H. Unfortunately
30 
+that requires a spinlock to serialize the access to the MSR, but the locks
31 
+are only shared between siblings.
32 
+
33 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
34 
+Reviewed-by: Borislav Petkov <bp@suse.de>
35 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
36 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
37 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
38 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
39 
+---
40 
+ arch/x86/include/asm/spec-ctrl.h |   6 ++
41 
+ arch/x86/kernel/process.c        | 125 +++++++++++++++++++++++++++++++++++++--
42 
+ arch/x86/kernel/smpboot.c        |   5 ++
43 
+ 3 files changed, 130 insertions(+), 6 deletions(-)
44 
+
45 
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
46 
+index dc21209..0cb49c4 100644
47 
+--- a/arch/x86/include/asm/spec-ctrl.h
48 
+@@ -33,6 +33,12 @@ static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
49 
+ 	return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
50 
+ }
51 
+
52 
++#ifdef CONFIG_SMP
53 
++extern void speculative_store_bypass_ht_init(void);
54 
++#else
55 
++static inline void speculative_store_bypass_ht_init(void) { }
56 
++#endif
57 
++
58 
+ extern void speculative_store_bypass_update(void);
59 
+
60 
+ #endif
61 
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
62 
+index 8cefbd2..0842869 100644
63 
+--- a/arch/x86/kernel/process.c
64 
+@@ -199,22 +199,135 @@ static inline void switch_to_bitmap(struct tss_struct *tss,
65 
+ 	}
66 
+ }
67 
+
68 
+-static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
69 
++#ifdef CONFIG_SMP
70 
++
71 
++struct ssb_state {
72 
++	struct ssb_state	*shared_state;
73 
++	raw_spinlock_t		lock;
74 
++	unsigned int		disable_state;
75 
++	unsigned long		local_state;
76 
++};
77 
++
78 
++#define LSTATE_SSB	0
79 
++
80 
++static DEFINE_PER_CPU(struct ssb_state, ssb_state);
81 
++
82 
++void speculative_store_bypass_ht_init(void)
83 
+ {
84 
+-	u64 msr;
85 
++	struct ssb_state *st = this_cpu_ptr(&ssb_state);
86 
++	unsigned int this_cpu = smp_processor_id();
87 
++	unsigned int cpu;
88 
++
89 
++	st->local_state = 0;
90 
++
91 
++	/*
92 
++	 * Shared state setup happens once on the first bringup
93 
++	 * of the CPU. It's not destroyed on CPU hotunplug.
94 
++	 */
95 
++	if (st->shared_state)
96 
++		return;
97 
++
98 
++	raw_spin_lock_init(&st->lock);
99 
+
100 
+-	if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) {
101 
+-		msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
102 
++	/*
103 
++	 * Go over HT siblings and check whether one of them has set up the
104 
++	 * shared state pointer already.
105 
++	 */
106 
++	for_each_cpu(cpu, topology_sibling_cpumask(this_cpu)) {
107 
++		if (cpu == this_cpu)
108 
++			continue;
109 
++
110 
++		if (!per_cpu(ssb_state, cpu).shared_state)
111 
++			continue;
112 
++
113 
++		/* Link it to the state of the sibling: */
114 
++		st->shared_state = per_cpu(ssb_state, cpu).shared_state;
115 
++		return;
116 
++	}
117 
++
118 
++	/*
119 
++	 * First HT sibling to come up on the core.  Link shared state of
120 
++	 * the first HT sibling to itself. The siblings on the same core
121 
++	 * which come up later will see the shared state pointer and link
122 
++	 * themself to the state of this CPU.
123 
++	 */
124 
++	st->shared_state = st;
125 
++}
126 
++
127 
++/*
128 
++ * Logic is: First HT sibling enables SSBD for both siblings in the core
129 
++ * and last sibling to disable it, disables it for the whole core. This how
130 
++ * MSR_SPEC_CTRL works in "hardware":
131 
++ *
132 
++ *  CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL
133 
++ */
134 
++static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
135 
++{
136 
++	struct ssb_state *st = this_cpu_ptr(&ssb_state);
137 
++	u64 msr = x86_amd_ls_cfg_base;
138 
++
139 
++	if (!static_cpu_has(X86_FEATURE_ZEN)) {
140 
++		msr |= ssbd_tif_to_amd_ls_cfg(tifn);
141 
+ 		wrmsrl(MSR_AMD64_LS_CFG, msr);
142 
++		return;
143 
++	}
144 
++
145 
++	if (tifn & _TIF_SSBD) {
146 
++		/*
147 
++		 * Since this can race with prctl(), block reentry on the
148 
++		 * same CPU.
149 
++		 */
150 
++		if (__test_and_set_bit(LSTATE_SSB, &st->local_state))
151 
++			return;
152 
++
153 
++		msr |= x86_amd_ls_cfg_ssbd_mask;
154 
++
155 
++		raw_spin_lock(&st->shared_state->lock);
156 
++		/* First sibling enables SSBD: */
157 
++		if (!st->shared_state->disable_state)
158 
++			wrmsrl(MSR_AMD64_LS_CFG, msr);
159 
++		st->shared_state->disable_state++;
160 
++		raw_spin_unlock(&st->shared_state->lock);
161 
+ 	} else {
162 
+-		msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
163 
+-		wrmsrl(MSR_IA32_SPEC_CTRL, msr);
164 
++		if (!__test_and_clear_bit(LSTATE_SSB, &st->local_state))
165 
++			return;
166 
++
167 
++		raw_spin_lock(&st->shared_state->lock);
168 
++		st->shared_state->disable_state--;
169 
++		if (!st->shared_state->disable_state)
170 
++			wrmsrl(MSR_AMD64_LS_CFG, msr);
171 
++		raw_spin_unlock(&st->shared_state->lock);
172 
+ 	}
173 
+ }
174 
++#else
175 
++static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
176 
++{
177 
++	u64 msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
178 
++
179 
++	wrmsrl(MSR_AMD64_LS_CFG, msr);
180 
++}
181 
++#endif
182 
++
183 
++static __always_inline void intel_set_ssb_state(unsigned long tifn)
184 
++{
185 
++	u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
186 
++
187 
++	wrmsrl(MSR_IA32_SPEC_CTRL, msr);
188 
++}
189 
++
190 
++static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
191 
++{
192 
++	if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
193 
++		amd_set_core_ssb_state(tifn);
194 
++	else
195 
++		intel_set_ssb_state(tifn);
196 
++}
197 
+
198 
+ void speculative_store_bypass_update(void)
199 
+ {
200 
++	preempt_disable();
201 
+ 	__speculative_store_bypass_update(current_thread_info()->flags);
202 
++	preempt_enable();
203 
+ }
204 
+
205 
+ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
206 
+diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
207 
+index 1f7aefc..c017f1c 100644
208 
+--- a/arch/x86/kernel/smpboot.c
209 
+@@ -75,6 +75,7 @@
210 
+ #include <asm/i8259.h>
211 
+ #include <asm/realmode.h>
212 
+ #include <asm/misc.h>
213 
++#include <asm/spec-ctrl.h>
214 
+
215 
+ /* Number of siblings per CPU package */
216 
+ int smp_num_siblings = 1;
217 
+@@ -217,6 +218,8 @@ static void notrace start_secondary(void *unused)
218 
+ 	 */
219 
+ 	check_tsc_sync_target();
220 
+
221 
++	speculative_store_bypass_ht_init();
222 
++
223 
+ 	/*
224 
+ 	 * Lock vector_lock and initialize the vectors on this cpu
225 
+ 	 * before setting the cpu online. We must set it online with
226 
+@@ -1209,6 +1212,8 @@ void __init native_smp_prepare_cpus(unsigned int max_cpus)
227 
+ 	set_mtrr_aps_delayed_init();
228 
+
229 
+ 	smp_quirk_init_udelay();
230 
++
231 
++	speculative_store_bypass_ht_init();
232 
+ }
233 
+
234 
+ void arch_enable_nonboot_cpus_begin(void)
235 
+--
236 
+2.7.4
237 
+
SPECS/linux/speculative-store-bypass/0095-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch
History View file @ 4ab22c2
0 238 
new file mode 100644
... ... 
@@ -0,0 +1,95 @@
0 
+From 54560e4eac7ffa377dc9bf05175bfb1f83810cc1 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:57:02 -0700
3 
+Subject: [PATCH 095/103] x86/bugs, KVM: Extend speculation control for
4 
+ VIRT_SPEC_CTRL
5 
+
6 
+commit ccbcd2674472a978b48c91c1fbfb66c0ff959f24 upstream
7 
+
8 
+AMD is proposing a VIRT_SPEC_CTRL MSR to handle the Speculative Store
9 
+Bypass Disable via MSR_AMD64_LS_CFG so that guests do not have to care
10 
+about the bit position of the SSBD bit and thus facilitate migration.
11 
+Also, the sibling coordination on Family 17H CPUs can only be done on
12 
+the host.
13 
+
14 
+Extend x86_spec_ctrl_set_guest() and x86_spec_ctrl_restore_host() with an
15 
+extra argument for the VIRT_SPEC_CTRL MSR.
16 
+
17 
+Hand in 0 from VMX and in SVM add a new virt_spec_ctrl member to the CPU
18 
+data structure which is going to be used in later patches for the actual
19 
+implementation.
20 
+
21 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
22 
+Reviewed-by: Borislav Petkov <bp@suse.de>
23 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
24 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
25 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26 
+[ Srivatsa: Backported to 4.4.y, skipping the KVM changes in this patch. ]
27 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
28 
+---
29 
+ arch/x86/include/asm/spec-ctrl.h |  9 ++++++---
30 
+ arch/x86/kernel/cpu/bugs.c       | 20 ++++++++++++++++++--
31 
+ 2 files changed, 24 insertions(+), 5 deletions(-)
32 
+
33 
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
34 
+index 0cb49c4..6e28740 100644
35 
+--- a/arch/x86/include/asm/spec-ctrl.h
36 
+@@ -10,10 +10,13 @@
37 
+  * the guest has, while on VMEXIT we restore the host view. This
38 
+  * would be easier if SPEC_CTRL were architecturally maskable or
39 
+  * shadowable for guests but this is not (currently) the case.
40 
+- * Takes the guest view of SPEC_CTRL MSR as a parameter.
41 
++ * Takes the guest view of SPEC_CTRL MSR as a parameter and also
42 
++ * the guest's version of VIRT_SPEC_CTRL, if emulated.
43 
+  */
44 
+-extern void x86_spec_ctrl_set_guest(u64);
45 
+-extern void x86_spec_ctrl_restore_host(u64);
46 
++extern void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl,
47 
++				    u64 guest_virt_spec_ctrl);
48 
++extern void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl,
49 
++				       u64 guest_virt_spec_ctrl);
50 
+
51 
+ /* AMD specific Speculative Store Bypass MSR data */
52 
+ extern u64 x86_amd_ls_cfg_base;
53 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
54 
+index 9be7292..a1c98fd 100644
55 
+--- a/arch/x86/kernel/cpu/bugs.c
56 
+@@ -149,7 +149,15 @@ u64 x86_spec_ctrl_get_default(void)
57 
+ }
58 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
59 
+
60 
+-void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
61 
++/**
62 
++ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
63 
++ * @guest_spec_ctrl:		The guest content of MSR_SPEC_CTRL
64 
++ * @guest_virt_spec_ctrl:	The guest controlled bits of MSR_VIRT_SPEC_CTRL
65 
++ *				(may get translated to MSR_AMD64_LS_CFG bits)
66 
++ *
67 
++ * Avoids writing to the MSR if the content/bits are the same
68 
++ */
69 
++void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
70 
+ {
71 
+ 	u64 host = x86_spec_ctrl_base;
72 
+
73 
+@@ -166,7 +174,15 @@ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
74 
+ }
75 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
76 
+
77 
+-void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
78 
++/**
79 
++ * x86_spec_ctrl_restore_host - Restore host speculation control registers
80 
++ * @guest_spec_ctrl:		The guest content of MSR_SPEC_CTRL
81 
++ * @guest_virt_spec_ctrl:	The guest controlled bits of MSR_VIRT_SPEC_CTRL
82 
++ *				(may get translated to MSR_AMD64_LS_CFG bits)
83 
++ *
84 
++ * Avoids writing to the MSR if the content/bits are the same
85 
++ */
86 
++void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
87 
+ {
88 
+ 	u64 host = x86_spec_ctrl_base;
89 
+
90 
+--
91 
+2.7.4
92 
+
SPECS/linux/speculative-store-bypass/0096-x86-speculation-Add-virtualized-speculative-store-by.patch
History View file @ 4ab22c2
0 93 
new file mode 100644
... ... 
@@ -0,0 +1,105 @@
0 
+From d62d1ebe4b4bbd071b48193d99d2a246cdc1b776 Mon Sep 17 00:00:00 2001
1 
+From: Tom Lendacky <thomas.lendacky@amd.com>
2 
+Date: Thu, 14 Jun 2018 14:57:02 -0700
3 
+Subject: [PATCH 096/103] x86/speculation: Add virtualized speculative store
4 
+ bypass disable support
5 
+
6 
+commit 11fb0683493b2da112cd64c9dada221b52463bf7 upstream
7 
+
8 
+Some AMD processors only support a non-architectural means of enabling
9 
+speculative store bypass disable (SSBD).  To allow a simplified view of
10 
+this to a guest, an architectural definition has been created through a new
11 
+CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f.  With this, a
12 
+hypervisor can virtualize the existence of this definition and provide an
13 
+architectural method for using SSBD to a guest.
14 
+
15 
+Add the new CPUID feature, the new MSR and update the existing SSBD
16 
+support to use this MSR when present.
17 
+
18 
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
19 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
20 
+Reviewed-by: Borislav Petkov <bp@suse.de>
21 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
22 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
23 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
24 
+---
25 
+ arch/x86/include/asm/cpufeatures.h |  1 +
26 
+ arch/x86/include/asm/msr-index.h   |  2 ++
27 
+ arch/x86/kernel/cpu/bugs.c         |  4 +++-
28 
+ arch/x86/kernel/process.c          | 13 ++++++++++++-
29 
+ 4 files changed, 18 insertions(+), 2 deletions(-)
30 
+
31 
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
32 
+index d3a50be..94043fa 100644
33 
+--- a/arch/x86/include/asm/cpufeatures.h
34 
+@@ -269,6 +269,7 @@
35 
+ #define X86_FEATURE_AMD_IBPB	(13*32+12) /* Indirect Branch Prediction Barrier */
36 
+ #define X86_FEATURE_AMD_IBRS	(13*32+14) /* Indirect Branch Restricted Speculation */
37 
+ #define X86_FEATURE_AMD_STIBP	(13*32+15) /* Single Thread Indirect Branch Predictors */
38 
++#define X86_FEATURE_VIRT_SSBD	(13*32+25) /* Virtualized Speculative Store Bypass Disable */
39 
+
40 
+ /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */
41 
+ #define X86_FEATURE_DTHERM	(14*32+ 0) /* Digital Thermal Sensor */
42 
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
43 
+index 2ea2ff1..22f2dd5 100644
44 
+--- a/arch/x86/include/asm/msr-index.h
45 
+@@ -328,6 +328,8 @@
46 
+ #define MSR_AMD64_IBSOPDATA4		0xc001103d
47 
+ #define MSR_AMD64_IBS_REG_COUNT_MAX	8 /* includes MSR_AMD64_IBSBRTARGET */
48 
+
49 
++#define MSR_AMD64_VIRT_SPEC_CTRL	0xc001011f
50 
++
51 
+ /* Fam 16h MSRs */
52 
+ #define MSR_F16H_L2I_PERF_CTL		0xc0010230
53 
+ #define MSR_F16H_L2I_PERF_CTR		0xc0010231
54 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
55 
+index a1c98fd..50ab206a 100644
56 
+--- a/arch/x86/kernel/cpu/bugs.c
57 
+@@ -203,7 +203,9 @@ static void x86_amd_ssb_disable(void)
58 
+ {
59 
+ 	u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
60 
+
61 
+-	if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
62 
++	if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
63 
++		wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
64 
++	else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
65 
+ 		wrmsrl(MSR_AMD64_LS_CFG, msrval);
66 
+ }
67 
+
68 
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
69 
+index 0842869..eab9d0c 100644
70 
+--- a/arch/x86/kernel/process.c
71 
+@@ -308,6 +308,15 @@ static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
72 
+ }
73 
+ #endif
74 
+
75 
++static __always_inline void amd_set_ssb_virt_state(unsigned long tifn)
76 
++{
77 
++	/*
78 
++	 * SSBD has the same definition in SPEC_CTRL and VIRT_SPEC_CTRL,
79 
++	 * so ssbd_tif_to_spec_ctrl() just works.
80 
++	 */
81 
++	wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, ssbd_tif_to_spec_ctrl(tifn));
82 
++}
83 
++
84 
+ static __always_inline void intel_set_ssb_state(unsigned long tifn)
85 
+ {
86 
+ 	u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
87 
+@@ -317,7 +326,9 @@ static __always_inline void intel_set_ssb_state(unsigned long tifn)
88 
+
89 
+ static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
90 
+ {
91 
+-	if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
92 
++	if (static_cpu_has(X86_FEATURE_VIRT_SSBD))
93 
++		amd_set_ssb_virt_state(tifn);
94 
++	else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
95 
+ 		amd_set_core_ssb_state(tifn);
96 
+ 	else
97 
+ 		intel_set_ssb_state(tifn);
98 
+--
99 
+2.7.4
100 
+
SPECS/linux/speculative-store-bypass/0097-x86-speculation-Rework-speculative_store_bypass_upda.patch
History View file @ 4ab22c2
0 101 
new file mode 100644
... ... 
@@ -0,0 +1,76 @@
0 
+From 82edc4e904e00b08731dce83faf89f82cf9d11b5 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:57:03 -0700
3 
+Subject: [PATCH 097/103] x86/speculation: Rework
4 
+ speculative_store_bypass_update()
5 
+
6 
+commit 0270be3e34efb05a88bc4c422572ece038ef3608 upstream
7 
+
8 
+The upcoming support for the virtual SPEC_CTRL MSR on AMD needs to reuse
9 
+speculative_store_bypass_update() to avoid code duplication. Add an
10 
+argument for supplying a thread info (TIF) value and create a wrapper
11 
+speculative_store_bypass_update_current() which is used at the existing
12 
+call site.
13 
+
14 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
15 
+Reviewed-by: Borislav Petkov <bp@suse.de>
16 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
17 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
18 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
20 
+---
21 
+ arch/x86/include/asm/spec-ctrl.h | 7 ++++++-
22 
+ arch/x86/kernel/cpu/bugs.c       | 2 +-
23 
+ arch/x86/kernel/process.c        | 4 ++--
24 
+ 3 files changed, 9 insertions(+), 4 deletions(-)
25 
+
26 
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
27 
+index 6e28740..82b6c5a 100644
28 
+--- a/arch/x86/include/asm/spec-ctrl.h
29 
+@@ -42,6 +42,11 @@ extern void speculative_store_bypass_ht_init(void);
30 
+ static inline void speculative_store_bypass_ht_init(void) { }
31 
+ #endif
32 
+
33 
+-extern void speculative_store_bypass_update(void);
34 
++extern void speculative_store_bypass_update(unsigned long tif);
35 
++
36 
++static inline void speculative_store_bypass_update_current(void)
37 
++{
38 
++	speculative_store_bypass_update(current_thread_info()->flags);
39 
++}
40 
+
41 
+ #endif
42 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
43 
+index 50ab206a..1b29be9 100644
44 
+--- a/arch/x86/kernel/cpu/bugs.c
45 
+@@ -596,7 +596,7 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
46 
+ 	 * mitigation until it is next scheduled.
47 
+ 	 */
48 
+ 	if (task == current && update)
49 
+-		speculative_store_bypass_update();
50 
++		speculative_store_bypass_update_current();
51 
+
52 
+ 	return 0;
53 
+ }
54 
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
55 
+index eab9d0c..e18c879 100644
56 
+--- a/arch/x86/kernel/process.c
57 
+@@ -334,10 +334,10 @@ static __always_inline void __speculative_store_bypass_update(unsigned long tifn
58 
+ 		intel_set_ssb_state(tifn);
59 
+ }
60 
+
61 
+-void speculative_store_bypass_update(void)
62 
++void speculative_store_bypass_update(unsigned long tif)
63 
+ {
64 
+ 	preempt_disable();
65 
+-	__speculative_store_bypass_update(current_thread_info()->flags);
66 
++	__speculative_store_bypass_update(tif);
67 
+ 	preempt_enable();
68 
+ }
69 
+
70 
+--
71 
+2.7.4
72 
+
SPECS/linux/speculative-store-bypass/0098-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch
History View file @ 4ab22c2
0 73 
new file mode 100644
... ... 
@@ -0,0 +1,147 @@
0 
+From 815a71fa56c56d7bee99b436ebe276d5ce446f05 Mon Sep 17 00:00:00 2001
1 
+From: Borislav Petkov <bp@suse.de>
2 
+Date: Thu, 14 Jun 2018 14:57:03 -0700
3 
+Subject: [PATCH 098/103] x86/bugs: Unify
4 
+ x86_spec_ctrl_{set_guest,restore_host}
5 
+
6 
+commit cc69b34989210f067b2c51d5539b5f96ebcc3a01 upstream
7 
+
8 
+Function bodies are very similar and are going to grow more almost
9 
+identical code. Add a bool arg to determine whether SPEC_CTRL is being set
10 
+for the guest or restored to the host.
11 
+
12 
+No functional changes.
13 
+
14 
+Signed-off-by: Borislav Petkov <bp@suse.de>
15 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
16 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
17 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
18 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
20 
+---
21 
+ arch/x86/include/asm/spec-ctrl.h | 33 +++++++++++++++++++---
22 
+ arch/x86/kernel/cpu/bugs.c       | 60 ++++++++++------------------------------
23 
+ 2 files changed, 44 insertions(+), 49 deletions(-)
24 
+
25 
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
26 
+index 82b6c5a..9cecbe5 100644
27 
+--- a/arch/x86/include/asm/spec-ctrl.h
28 
+@@ -13,10 +13,35 @@
29 
+  * Takes the guest view of SPEC_CTRL MSR as a parameter and also
30 
+  * the guest's version of VIRT_SPEC_CTRL, if emulated.
31 
+  */
32 
+-extern void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl,
33 
+-				    u64 guest_virt_spec_ctrl);
34 
+-extern void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl,
35 
+-				       u64 guest_virt_spec_ctrl);
36 
++extern void x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool guest);
37 
++
38 
++/**
39 
++ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
40 
++ * @guest_spec_ctrl:		The guest content of MSR_SPEC_CTRL
41 
++ * @guest_virt_spec_ctrl:	The guest controlled bits of MSR_VIRT_SPEC_CTRL
42 
++ *				(may get translated to MSR_AMD64_LS_CFG bits)
43 
++ *
44 
++ * Avoids writing to the MSR if the content/bits are the same
45 
++ */
46 
++static inline
47 
++void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
48 
++{
49 
++	x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true);
50 
++}
51 
++
52 
++/**
53 
++ * x86_spec_ctrl_restore_host - Restore host speculation control registers
54 
++ * @guest_spec_ctrl:		The guest content of MSR_SPEC_CTRL
55 
++ * @guest_virt_spec_ctrl:	The guest controlled bits of MSR_VIRT_SPEC_CTRL
56 
++ *				(may get translated to MSR_AMD64_LS_CFG bits)
57 
++ *
58 
++ * Avoids writing to the MSR if the content/bits are the same
59 
++ */
60 
++static inline
61 
++void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
62 
++{
63 
++	x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false);
64 
++}
65 
+
66 
+ /* AMD specific Speculative Store Bypass MSR data */
67 
+ extern u64 x86_amd_ls_cfg_base;
68 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
69 
+index 1b29be9..208d44c 100644
70 
+--- a/arch/x86/kernel/cpu/bugs.c
71 
+@@ -149,55 +149,25 @@ u64 x86_spec_ctrl_get_default(void)
72 
+ }
73 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
74 
+
75 
+-/**
76 
+- * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
77 
+- * @guest_spec_ctrl:		The guest content of MSR_SPEC_CTRL
78 
+- * @guest_virt_spec_ctrl:	The guest controlled bits of MSR_VIRT_SPEC_CTRL
79 
+- *				(may get translated to MSR_AMD64_LS_CFG bits)
80 
+- *
81 
+- * Avoids writing to the MSR if the content/bits are the same
82 
+- */
83 
+-void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
84 
++void
85 
++x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
86 
+ {
87 
+-	u64 host = x86_spec_ctrl_base;
88 
++	struct thread_info *ti = current_thread_info();
89 
++	u64 msr, host = x86_spec_ctrl_base;
90 
+
91 
+ 	/* Is MSR_SPEC_CTRL implemented ? */
92 
+-	if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
93 
+-		return;
94 
+-
95 
+-	/* SSBD controlled in MSR_SPEC_CTRL */
96 
+-	if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
97 
+-		host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
98 
+-
99 
+-	if (host != guest_spec_ctrl)
100 
+-		wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
101 
+-}
102 
+-EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
103 
+-
104 
+-/**
105 
+- * x86_spec_ctrl_restore_host - Restore host speculation control registers
106 
+- * @guest_spec_ctrl:		The guest content of MSR_SPEC_CTRL
107 
+- * @guest_virt_spec_ctrl:	The guest controlled bits of MSR_VIRT_SPEC_CTRL
108 
+- *				(may get translated to MSR_AMD64_LS_CFG bits)
109 
+- *
110 
+- * Avoids writing to the MSR if the content/bits are the same
111 
+- */
112 
+-void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
113 
+-{
114 
+-	u64 host = x86_spec_ctrl_base;
115 
+-
116 
+-	/* Is MSR_SPEC_CTRL implemented ? */
117 
+-	if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
118 
+-		return;
119 
+-
120 
+-	/* SSBD controlled in MSR_SPEC_CTRL */
121 
+-	if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
122 
+-		host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
123 
+-
124 
+-	if (host != guest_spec_ctrl)
125 
+-		wrmsrl(MSR_IA32_SPEC_CTRL, host);
126 
++	if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
127 
++		/* SSBD controlled in MSR_SPEC_CTRL */
128 
++		if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
129 
++			host |= ssbd_tif_to_spec_ctrl(ti->flags);
130 
++
131 
++		if (host != guest_spec_ctrl) {
132 
++			msr = setguest ? guest_spec_ctrl : host;
133 
++			wrmsrl(MSR_IA32_SPEC_CTRL, msr);
134 
++		}
135 
++	}
136 
+ }
137 
+-EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
138 
++EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
139 
+
140 
+ static void x86_amd_ssb_disable(void)
141 
+ {
142 
+--
143 
+2.7.4
144 
+
SPECS/linux/speculative-store-bypass/0099-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch
History View file @ 4ab22c2
0 145 
new file mode 100644
... ... 
@@ -0,0 +1,121 @@
0 
+From b0fc10549453d9794afce505acfbf50949db0ed3 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:57:04 -0700
3 
+Subject: [PATCH 099/103] x86/bugs: Expose x86_spec_ctrl_base directly
4 
+
5 
+commit fa8ac4988249c38476f6ad678a4848a736373403 upstream
6 
+
7 
+x86_spec_ctrl_base is the system wide default value for the SPEC_CTRL MSR.
8 
+x86_spec_ctrl_get_default() returns x86_spec_ctrl_base and was intended to
9 
+prevent modification to that variable. Though the variable is read only
10 
+after init and globaly visible already.
11 
+
12 
+Remove the function and export the variable instead.
13 
+
14 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
15 
+Reviewed-by: Borislav Petkov <bp@suse.de>
16 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
17 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
18 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
20 
+---
21 
+ arch/x86/include/asm/nospec-branch.h | 16 +++++-----------
22 
+ arch/x86/include/asm/spec-ctrl.h     |  3 ---
23 
+ arch/x86/kernel/cpu/bugs.c           | 11 +----------
24 
+ 3 files changed, 6 insertions(+), 24 deletions(-)
25 
+
26 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
27 
+index 640c11b..2757c79 100644
28 
+--- a/arch/x86/include/asm/nospec-branch.h
29 
+@@ -172,16 +172,7 @@ enum spectre_v2_mitigation {
30 
+ 	SPECTRE_V2_IBRS,
31 
+ };
32 
+
33 
+-/*
34 
+- * The Intel specification for the SPEC_CTRL MSR requires that we
35 
+- * preserve any already set reserved bits at boot time (e.g. for
36 
+- * future additions that this kernel is not currently aware of).
37 
+- * We then set any additional mitigation bits that we want
38 
+- * ourselves and always use this as the base for SPEC_CTRL.
39 
+- * We also use this when handling guest entry/exit as below.
40 
+- */
41 
+ extern void x86_spec_ctrl_set(u64);
42 
+-extern u64 x86_spec_ctrl_get_default(void);
43 
+
44 
+ /* The Speculative Store Bypass disable variants */
45 
+ enum ssb_mitigation {
46 
+@@ -232,6 +223,9 @@ static inline void indirect_branch_prediction_barrier(void)
47 
+ 	alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB);
48 
+ }
49 
+
50 
++/* The Intel SPEC CTRL MSR base value cache */
51 
++extern u64 x86_spec_ctrl_base;
52 
++
53 
+ /*
54 
+  * With retpoline, we must use IBRS to restrict branch prediction
55 
+  * before calling into firmware.
56 
+@@ -240,7 +234,7 @@ static inline void indirect_branch_prediction_barrier(void)
57 
+  */
58 
+ #define firmware_restrict_branch_speculation_start()			\
59 
+ do {									\
60 
+-	u64 val = x86_spec_ctrl_get_default() | SPEC_CTRL_IBRS;		\
61 
++	u64 val = x86_spec_ctrl_base | SPEC_CTRL_IBRS;			\
62 
+ 									\
63 
+ 	preempt_disable();						\
64 
+ 	alternative_msr_write(MSR_IA32_SPEC_CTRL, val,			\
65 
+@@ -249,7 +243,7 @@ do {									\
66 
+
67 
+ #define firmware_restrict_branch_speculation_end()			\
68 
+ do {									\
69 
+-	u64 val = x86_spec_ctrl_get_default();				\
70 
++	u64 val = x86_spec_ctrl_base;					\
71 
+ 									\
72 
+ 	alternative_msr_write(MSR_IA32_SPEC_CTRL, val,			\
73 
+ 			      X86_FEATURE_USE_IBRS_FW);			\
74 
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
75 
+index 9cecbe5..763d497 100644
76 
+--- a/arch/x86/include/asm/spec-ctrl.h
77 
+@@ -47,9 +47,6 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
78 
+ extern u64 x86_amd_ls_cfg_base;
79 
+ extern u64 x86_amd_ls_cfg_ssbd_mask;
80 
+
81 
+-/* The Intel SPEC CTRL MSR base value cache */
82 
+-extern u64 x86_spec_ctrl_base;
83 
+-
84 
+ static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
85 
+ {
86 
+ 	BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
87 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
88 
+index 208d44c..5391df5 100644
89 
+--- a/arch/x86/kernel/cpu/bugs.c
90 
+@@ -35,6 +35,7 @@ static void __init ssb_select_mitigation(void);
91 
+  * writes to SPEC_CTRL contain whatever reserved bits have been set.
92 
+  */
93 
+ u64 x86_spec_ctrl_base;
94 
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
95 
+
96 
+ /*
97 
+  * The vendor and possibly platform specific bits which can be modified in
98 
+@@ -139,16 +140,6 @@ void x86_spec_ctrl_set(u64 val)
99 
+ }
100 
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);
101 
+
102 
+-u64 x86_spec_ctrl_get_default(void)
103 
+-{
104 
+-	u64 msrval = x86_spec_ctrl_base;
105 
+-
106 
+-	if (static_cpu_has(X86_FEATURE_SPEC_CTRL))
107 
+-		msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags);
108 
+-	return msrval;
109 
+-}
110 
+-EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
111 
+-
112 
+ void
113 
+ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
114 
+ {
115 
+--
116 
+2.7.4
117 
+
SPECS/linux/speculative-store-bypass/0100-x86-bugs-Remove-x86_spec_ctrl_set.patch
History View file @ 4ab22c2
0 118 
new file mode 100644
... ... 
@@ -0,0 +1,77 @@
0 
+From e9db0f6a5246658e9d5a0fccb064a57065fa316e Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:57:04 -0700
3 
+Subject: [PATCH 100/103] x86/bugs: Remove x86_spec_ctrl_set()
4 
+
5 
+commit 4b59bdb569453a60b752b274ca61f009e37f4dae upstream
6 
+
7 
+x86_spec_ctrl_set() is only used in bugs.c and the extra mask checks there
8 
+provide no real value as both call sites can just write x86_spec_ctrl_base
9 
+to MSR_SPEC_CTRL. x86_spec_ctrl_base is valid and does not need any extra
10 
+masking or checking.
11 
+
12 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
13 
+Reviewed-by: Borislav Petkov <bp@suse.de>
14 
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
15 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
16 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
17 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
18 
+---
19 
+ arch/x86/include/asm/nospec-branch.h |  2 --
20 
+ arch/x86/kernel/cpu/bugs.c           | 13 ++-----------
21 
+ 2 files changed, 2 insertions(+), 13 deletions(-)
22 
+
23 
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
24 
+index 2757c79..b4c74c2 100644
25 
+--- a/arch/x86/include/asm/nospec-branch.h
26 
+@@ -172,8 +172,6 @@ enum spectre_v2_mitigation {
27 
+ 	SPECTRE_V2_IBRS,
28 
+ };
29 
+
30 
+-extern void x86_spec_ctrl_set(u64);
31 
+-
32 
+ /* The Speculative Store Bypass disable variants */
33 
+ enum ssb_mitigation {
34 
+ 	SPEC_STORE_BYPASS_NONE,
35 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
36 
+index 5391df5..05eed68 100644
37 
+--- a/arch/x86/kernel/cpu/bugs.c
38 
+@@ -131,15 +131,6 @@ static const char *spectre_v2_strings[] = {
39 
+
40 
+ static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
41 
+
42 
+-void x86_spec_ctrl_set(u64 val)
43 
+-{
44 
+-	if (val & x86_spec_ctrl_mask)
45 
+-		WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val);
46 
+-	else
47 
+-		wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val);
48 
+-}
49 
+-EXPORT_SYMBOL_GPL(x86_spec_ctrl_set);
50 
+-
51 
+ void
52 
+ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
53 
+ {
54 
+@@ -501,7 +492,7 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
55 
+ 		case X86_VENDOR_INTEL:
56 
+ 			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
57 
+ 			x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD;
58 
+-			x86_spec_ctrl_set(SPEC_CTRL_SSBD);
59 
++			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
60 
+ 			break;
61 
+ 		case X86_VENDOR_AMD:
62 
+ 			x86_amd_ssb_disable();
63 
+@@ -613,7 +604,7 @@ int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
64 
+ void x86_spec_ctrl_setup_ap(void)
65 
+ {
66 
+ 	if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
67 
+-		x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask);
68 
++		wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
69 
+
70 
+ 	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
71 
+ 		x86_amd_ssb_disable();
72 
+--
73 
+2.7.4
74 
+
SPECS/linux/speculative-store-bypass/0101-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch
History View file @ 4ab22c2
0 75 
new file mode 100644
... ... 
@@ -0,0 +1,96 @@
0 
+From bb14ccebd644f1745474afc473b1e72907f087c8 Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:57:05 -0700
3 
+Subject: [PATCH 101/103] x86/bugs: Rework spec_ctrl base and mask logic
4 
+
5 
+commit be6fcb5478e95bb1c91f489121238deb3abca46a upstream
6 
+
7 
+x86_spec_ctrL_mask is intended to mask out bits from a MSR_SPEC_CTRL value
8 
+which are not to be modified. However the implementation is not really used
9 
+and the bitmask was inverted to make a check easier, which was removed in
10 
+"x86/bugs: Remove x86_spec_ctrl_set()"
11 
+
12 
+Aside of that it is missing the STIBP bit if it is supported by the
13 
+platform, so if the mask would be used in x86_virt_spec_ctrl() then it
14 
+would prevent a guest from setting STIBP.
15 
+
16 
+Add the STIBP bit if supported and use the mask in x86_virt_spec_ctrl() to
17 
+sanitize the value which is supplied by the guest.
18 
+
19 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
20 
+Reviewed-by: Borislav Petkov <bp@suse.de>
21 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
22 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
23 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
24 
+---
25 
+ arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++-------
26 
+ 1 file changed, 19 insertions(+), 7 deletions(-)
27 
+
28 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
29 
+index 05eed68..af11a02 100644
30 
+--- a/arch/x86/kernel/cpu/bugs.c
31 
+@@ -41,7 +41,7 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
32 
+  * The vendor and possibly platform specific bits which can be modified in
33 
+  * x86_spec_ctrl_base.
34 
+  */
35 
+-static u64 x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS;
36 
++static u64 x86_spec_ctrl_mask = SPEC_CTRL_IBRS;
37 
+
38 
+ /*
39 
+  * AMD specific MSR info for Speculative Store Bypass control.
40 
+@@ -67,6 +67,10 @@ void __init check_bugs(void)
41 
+ 	if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
42 
+ 		rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
43 
+
44 
++	/* Allow STIBP in MSR_SPEC_CTRL if supported */
45 
++	if (boot_cpu_has(X86_FEATURE_STIBP))
46 
++		x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
47 
++
48 
+ 	/* Select the proper spectre mitigation before patching alternatives */
49 
+ 	spectre_v2_select_mitigation();
50 
+
51 
+@@ -134,18 +138,26 @@ static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
52 
+ void
53 
+ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
54 
+ {
55 
++	u64 msrval, guestval, hostval = x86_spec_ctrl_base;
56 
+ 	struct thread_info *ti = current_thread_info();
57 
+-	u64 msr, host = x86_spec_ctrl_base;
58 
+
59 
+ 	/* Is MSR_SPEC_CTRL implemented ? */
60 
+ 	if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
61 
++		/*
62 
++		 * Restrict guest_spec_ctrl to supported values. Clear the
63 
++		 * modifiable bits in the host base value and or the
64 
++		 * modifiable bits from the guest value.
65 
++		 */
66 
++		guestval = hostval & ~x86_spec_ctrl_mask;
67 
++		guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
68 
++
69 
+ 		/* SSBD controlled in MSR_SPEC_CTRL */
70 
+ 		if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
71 
+-			host |= ssbd_tif_to_spec_ctrl(ti->flags);
72 
++			hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
73 
+
74 
+-		if (host != guest_spec_ctrl) {
75 
+-			msr = setguest ? guest_spec_ctrl : host;
76 
+-			wrmsrl(MSR_IA32_SPEC_CTRL, msr);
77 
++		if (hostval != guestval) {
78 
++			msrval = setguest ? guestval : hostval;
79 
++			wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
80 
+ 		}
81 
+ 	}
82 
+ }
83 
+@@ -491,7 +503,7 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
84 
+ 		switch (boot_cpu_data.x86_vendor) {
85 
+ 		case X86_VENDOR_INTEL:
86 
+ 			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
87 
+-			x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD;
88 
++			x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
89 
+ 			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
90 
+ 			break;
91 
+ 		case X86_VENDOR_AMD:
92 
+--
93 
+2.7.4
94 
+
SPECS/linux/speculative-store-bypass/0102-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch
History View file @ 4ab22c2
0 95 
new file mode 100644
... ... 
@@ -0,0 +1,85 @@
0 
+From 526adfbe2ea1a0b8bf4aa8d15019fc3d7c20609d Mon Sep 17 00:00:00 2001
1 
+From: Thomas Gleixner <tglx@linutronix.de>
2 
+Date: Thu, 14 Jun 2018 14:57:05 -0700
3 
+Subject: [PATCH 102/103] x86/speculation, KVM: Implement support for
4 
+ VIRT_SPEC_CTRL/LS_CFG
5 
+
6 
+commit 47c61b3955cf712cadfc25635bf9bc174af030ea upstream
7 
+
8 
+Add the necessary logic for supporting the emulated VIRT_SPEC_CTRL MSR to
9 
+x86_virt_spec_ctrl().  If either X86_FEATURE_LS_CFG_SSBD or
10 
+X86_FEATURE_VIRT_SPEC_CTRL is set then use the new guest_virt_spec_ctrl
11 
+argument to check whether the state must be modified on the host. The
12 
+update reuses speculative_store_bypass_update() so the ZEN-specific sibling
13 
+coordination can be reused.
14 
+
15 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
16 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
17 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
18 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
19 
+---
20 
+ arch/x86/include/asm/spec-ctrl.h |  6 ++++++
21 
+ arch/x86/kernel/cpu/bugs.c       | 30 ++++++++++++++++++++++++++++++
22 
+ 2 files changed, 36 insertions(+)
23 
+
24 
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
25 
+index 763d497..ae7c2c5 100644
26 
+--- a/arch/x86/include/asm/spec-ctrl.h
27 
+@@ -53,6 +53,12 @@ static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
28 
+ 	return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
29 
+ }
30 
+
31 
++static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl)
32 
++{
33 
++	BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
34 
++	return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
35 
++}
36 
++
37 
+ static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
38 
+ {
39 
+ 	return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
40 
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
41 
+index af11a02..12a8867 100644
42 
+--- a/arch/x86/kernel/cpu/bugs.c
43 
+@@ -160,6 +160,36 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
44 
+ 			wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
45 
+ 		}
46 
+ 	}
47 
++
48 
++	/*
49 
++	 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
50 
++	 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
51 
++	 */
52 
++	if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
53 
++	    !static_cpu_has(X86_FEATURE_VIRT_SSBD))
54 
++		return;
55 
++
56 
++	/*
57 
++	 * If the host has SSBD mitigation enabled, force it in the host's
58 
++	 * virtual MSR value. If its not permanently enabled, evaluate
59 
++	 * current's TIF_SSBD thread flag.
60 
++	 */
61 
++	if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
62 
++		hostval = SPEC_CTRL_SSBD;
63 
++	else
64 
++		hostval = ssbd_tif_to_spec_ctrl(ti->flags);
65 
++
66 
++	/* Sanitize the guest value */
67 
++	guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
68 
++
69 
++	if (hostval != guestval) {
70 
++		unsigned long tif;
71 
++
72 
++		tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
73 
++				 ssbd_spec_ctrl_to_tif(hostval);
74 
++
75 
++		speculative_store_bypass_update(tif);
76 
++	}
77 
+ }
78 
+ EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
79 
+
80 
+--
81 
+2.7.4
82 
+
SPECS/linux/speculative-store-bypass/0103-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch
History View file @ 4ab22c2
0 83 
new file mode 100644
... ... 
@@ -0,0 +1,49 @@
0 
+From ef30c06a43f93e99148356f53a40cafe7f495979 Mon Sep 17 00:00:00 2001
1 
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2 
+Date: Thu, 14 Jun 2018 14:57:07 -0700
3 
+Subject: [PATCH 103/103] x86/bugs: Rename SSBD_NO to SSB_NO
4 
+
5 
+commit 240da953fcc6a9008c92fae5b1f727ee5ed167ab upstream
6 
+
7 
+The "336996 Speculative Execution Side Channel Mitigations" from
8 
+May defines this as SSB_NO, hence lets sync-up.
9 
+
10 
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
11 
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
12 
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
13 
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14 
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>
15 
+---
16 
+ arch/x86/include/asm/msr-index.h | 2 +-
17 
+ arch/x86/kernel/cpu/common.c     | 2 +-
18 
+ 2 files changed, 2 insertions(+), 2 deletions(-)
19 
+
20 
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
21 
+index 22f2dd5..caa0019 100644
22 
+--- a/arch/x86/include/asm/msr-index.h
23 
+@@ -58,7 +58,7 @@
24 
+ #define MSR_IA32_ARCH_CAPABILITIES	0x0000010a
25 
+ #define ARCH_CAP_RDCL_NO		(1 << 0)   /* Not susceptible to Meltdown */
26 
+ #define ARCH_CAP_IBRS_ALL		(1 << 1)   /* Enhanced IBRS support */
27 
+-#define ARCH_CAP_SSBD_NO		(1 << 4)   /*
28 
++#define ARCH_CAP_SSB_NO			(1 << 4)   /*
29 
+ 						    * Not susceptible to Speculative Store Bypass
30 
+ 						    * attack, so no Speculative Store Bypass
31 
+ 						    * control required.
32 
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
33 
+index 1097723..9ad38ad 100644
34 
+--- a/arch/x86/kernel/cpu/common.c
35 
+@@ -881,7 +881,7 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
36 
+ 		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
37 
+
38 
+ 	if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
39 
+-	   !(ia32_cap & ARCH_CAP_SSBD_NO))
40 
++	   !(ia32_cap & ARCH_CAP_SSB_NO))
41 
+ 		setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
42 
+
43 
+ 	if (x86_match_cpu(cpu_no_speculation))
44 
+--
45 
+2.7.4
46 
+