Update to version 4.9.101 and apply patches to fix CVE-2018-3639
(Speculative Store Bypass).
Change-Id: Iafde465bd15d997c6aa5babc9e80e314787320c6
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5175
Reviewed-by: Sharath George
Tested-by: Sharath George
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
Summary: Linux API header files |
2 | 2 |
Name: linux-api-headers |
3 |
-Version: 4.9.99 |
|
3 |
+Version: 4.9.101 |
|
4 | 4 |
Release: 1%{?dist} |
5 | 5 |
License: GPLv2 |
6 | 6 |
URL: http://www.kernel.org/ |
... | ... |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
11 |
-%define sha1 linux=d35adbca6133a7b5a382bd523f63322d0d56aeff |
|
11 |
+%define sha1 linux=12b399649df63355823d482fd91711b1be3e7f1b |
|
12 | 12 |
BuildArch: noarch |
13 | 13 |
%description |
14 | 14 |
The Linux API Headers expose the kernel's API for use by Glibc. |
... | ... |
@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de |
25 | 25 |
%defattr(-,root,root) |
26 | 26 |
%{_includedir}/* |
27 | 27 |
%changelog |
28 |
+* Mon May 21 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.101-1 |
|
29 |
+- Update to version 4.9.101 |
|
28 | 30 |
* Wed May 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.99-1 |
29 | 31 |
- Update to version 4.9.99 |
30 | 32 |
* Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-1 |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-aws |
4 |
-Version: 4.9.99 |
|
4 |
+Version: 4.9.101 |
|
5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=d35adbca6133a7b5a382bd523f63322d0d56aeff |
|
12 |
+%define sha1 linux=12b399649df63355823d482fd91711b1be3e7f1b |
|
13 | 13 |
Source1: config-aws |
14 | 14 |
Source2: initramfs.trigger |
15 | 15 |
# common |
... | ... |
@@ -123,6 +123,61 @@ Patch144: 0052-drivers-amazon-ena-update-to-1.4.0.patch |
123 | 123 |
Patch145: 0053-PM-hibernate-update-the-resume-offset-on-SNAPSHOT_SE.patch |
124 | 124 |
Patch146: 0054-Not-for-upstream-PM-hibernate-Speed-up-hibernation-b.patch |
125 | 125 |
|
126 |
+# Fix CVE-2018-3639 (Speculative Store Bypass) |
|
127 |
+Patch201: 0001-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch |
|
128 |
+Patch202: 0002-x86-nospec-Simplify-alternative_msr_write.patch |
|
129 |
+Patch203: 0003-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch |
|
130 |
+Patch204: 0004-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch |
|
131 |
+Patch205: 0005-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch |
|
132 |
+Patch206: 0006-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch |
|
133 |
+Patch207: 0007-x86-bugs-Expose-sys-.-spec_store_bypass.patch |
|
134 |
+Patch208: 0008-x86-cpufeatures-Add-X86_FEATURE_RDS.patch |
|
135 |
+Patch209: 0009-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch |
|
136 |
+Patch210: 0010-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch |
|
137 |
+Patch211: 0011-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch |
|
138 |
+Patch212: 0012-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch |
|
139 |
+Patch213: 0013-x86-KVM-VMX-Expose-SPEC_CTRL-Bit-2-to-the-guest.patch |
|
140 |
+Patch214: 0014-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch |
|
141 |
+Patch215: 0015-prctl-Add-speculation-control-prctls.patch |
|
142 |
+Patch216: 0016-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch |
|
143 |
+Patch217: 0017-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch |
|
144 |
+Patch218: 0018-x86-process-Optimize-TIF_NOTSC-switch.patch |
|
145 |
+Patch219: 0019-x86-process-Allow-runtime-control-of-Speculative-Sto.patch |
|
146 |
+Patch220: 0020-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch |
|
147 |
+Patch221: 0021-nospec-Allow-getting-setting-on-non-current-task.patch |
|
148 |
+Patch222: 0022-proc-Provide-details-on-speculation-flaw-mitigations.patch |
|
149 |
+Patch223: 0023-seccomp-Enable-speculation-flaw-mitigations.patch |
|
150 |
+Patch224: 0024-x86-bugs-Make-boot-modes-__ro_after_init.patch |
|
151 |
+Patch225: 0025-prctl-Add-force-disable-speculation.patch |
|
152 |
+Patch226: 0026-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch |
|
153 |
+Patch227: 0027-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch |
|
154 |
+Patch228: 0028-seccomp-Move-speculation-migitation-control-to-arch-.patch |
|
155 |
+Patch229: 0029-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch |
|
156 |
+Patch230: 0030-x86-bugs-Rename-_RDS-to-_SSBD.patch |
|
157 |
+Patch231: 0031-proc-Use-underscores-for-SSBD-in-status.patch |
|
158 |
+Patch232: 0032-Documentation-spec_ctrl-Do-some-minor-cleanups.patch |
|
159 |
+Patch233: 0033-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch |
|
160 |
+Patch234: 0034-x86-bugs-Make-cpu_show_common-static.patch |
|
161 |
+Patch235: 0035-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch |
|
162 |
+Patch236: 0036-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch |
|
163 |
+Patch237: 0037-KVM-SVM-Move-spec-control-call-after-restore-of-GS.patch |
|
164 |
+Patch238: 0038-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch |
|
165 |
+Patch239: 0039-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch |
|
166 |
+Patch240: 0040-x86-cpufeatures-Disentangle-SSBD-enumeration.patch |
|
167 |
+Patch241: 0041-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch |
|
168 |
+Patch242: 0042-x86-cpufeatures-Add-FEATURE_ZEN.patch |
|
169 |
+Patch243: 0043-x86-speculation-Handle-HT-correctly-on-AMD.patch |
|
170 |
+Patch244: 0044-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch |
|
171 |
+Patch245: 0045-x86-speculation-Add-virtualized-speculative-store-by.patch |
|
172 |
+Patch246: 0046-x86-speculation-Rework-speculative_store_bypass_upda.patch |
|
173 |
+Patch247: 0047-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch |
|
174 |
+Patch248: 0048-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch |
|
175 |
+Patch249: 0049-x86-bugs-Remove-x86_spec_ctrl_set.patch |
|
176 |
+Patch250: 0050-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch |
|
177 |
+Patch251: 0051-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch |
|
178 |
+Patch252: 0052-KVM-SVM-Implement-VIRT_SPEC_CTRL-support-for-SSBD.patch |
|
179 |
+Patch253: 0053-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch |
|
180 |
+ |
|
126 | 181 |
%if 0%{?kat_build:1} |
127 | 182 |
Patch1000: %{kat_build}.patch |
128 | 183 |
%endif |
... | ... |
@@ -292,6 +347,60 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
292 | 292 |
%patch145 -p1 |
293 | 293 |
%patch146 -p1 |
294 | 294 |
|
295 |
+%patch201 -p1 |
|
296 |
+%patch202 -p1 |
|
297 |
+%patch203 -p1 |
|
298 |
+%patch204 -p1 |
|
299 |
+%patch205 -p1 |
|
300 |
+%patch206 -p1 |
|
301 |
+%patch207 -p1 |
|
302 |
+%patch208 -p1 |
|
303 |
+%patch209 -p1 |
|
304 |
+%patch210 -p1 |
|
305 |
+%patch211 -p1 |
|
306 |
+%patch212 -p1 |
|
307 |
+%patch213 -p1 |
|
308 |
+%patch214 -p1 |
|
309 |
+%patch215 -p1 |
|
310 |
+%patch216 -p1 |
|
311 |
+%patch217 -p1 |
|
312 |
+%patch218 -p1 |
|
313 |
+%patch219 -p1 |
|
314 |
+%patch220 -p1 |
|
315 |
+%patch221 -p1 |
|
316 |
+%patch222 -p1 |
|
317 |
+%patch223 -p1 |
|
318 |
+%patch224 -p1 |
|
319 |
+%patch225 -p1 |
|
320 |
+%patch226 -p1 |
|
321 |
+%patch227 -p1 |
|
322 |
+%patch228 -p1 |
|
323 |
+%patch229 -p1 |
|
324 |
+%patch230 -p1 |
|
325 |
+%patch231 -p1 |
|
326 |
+%patch232 -p1 |
|
327 |
+%patch233 -p1 |
|
328 |
+%patch234 -p1 |
|
329 |
+%patch235 -p1 |
|
330 |
+%patch236 -p1 |
|
331 |
+%patch237 -p1 |
|
332 |
+%patch238 -p1 |
|
333 |
+%patch239 -p1 |
|
334 |
+%patch240 -p1 |
|
335 |
+%patch241 -p1 |
|
336 |
+%patch242 -p1 |
|
337 |
+%patch243 -p1 |
|
338 |
+%patch244 -p1 |
|
339 |
+%patch245 -p1 |
|
340 |
+%patch246 -p1 |
|
341 |
+%patch247 -p1 |
|
342 |
+%patch248 -p1 |
|
343 |
+%patch249 -p1 |
|
344 |
+%patch250 -p1 |
|
345 |
+%patch251 -p1 |
|
346 |
+%patch252 -p1 |
|
347 |
+%patch253 -p1 |
|
348 |
+ |
|
295 | 349 |
%if 0%{?kat_build:1} |
296 | 350 |
%patch1000 -p1 |
297 | 351 |
%endif |
... | ... |
@@ -448,6 +557,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
448 | 448 |
/usr/share/doc/* |
449 | 449 |
|
450 | 450 |
%changelog |
451 |
+* Mon May 21 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.101-1 |
|
452 |
+- Update to version 4.9.101 and fix CVE-2018-3639. |
|
451 | 453 |
* Wed May 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.99-1 |
452 | 454 |
- Update to version 4.9.99 |
453 | 455 |
* Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2 |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 |
-Version: 4.9.99 |
|
4 |
+Version: 4.9.101 |
|
5 | 5 |
Release: 1%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=d35adbca6133a7b5a382bd523f63322d0d56aeff |
|
12 |
+%define sha1 linux=12b399649df63355823d482fd91711b1be3e7f1b |
|
13 | 13 |
Source1: config-esx |
14 | 14 |
Source2: initramfs.trigger |
15 | 15 |
# common |
... | ... |
@@ -73,6 +73,61 @@ Patch64: 0153-net-mpls-prevent-speculative-execution.patch |
73 | 73 |
Patch65: 0154-udf-prevent-speculative-execution.patch |
74 | 74 |
Patch66: 0155-userns-prevent-speculative-execution.patch |
75 | 75 |
|
76 |
+# Fix CVE-2018-3639 (Speculative Store Bypass) |
|
77 |
+Patch201: 0001-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch |
|
78 |
+Patch202: 0002-x86-nospec-Simplify-alternative_msr_write.patch |
|
79 |
+Patch203: 0003-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch |
|
80 |
+Patch204: 0004-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch |
|
81 |
+Patch205: 0005-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch |
|
82 |
+Patch206: 0006-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch |
|
83 |
+Patch207: 0007-x86-bugs-Expose-sys-.-spec_store_bypass.patch |
|
84 |
+Patch208: 0008-x86-cpufeatures-Add-X86_FEATURE_RDS.patch |
|
85 |
+Patch209: 0009-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch |
|
86 |
+Patch210: 0010-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch |
|
87 |
+Patch211: 0011-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch |
|
88 |
+Patch212: 0012-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch |
|
89 |
+Patch213: 0013-x86-KVM-VMX-Expose-SPEC_CTRL-Bit-2-to-the-guest.patch |
|
90 |
+Patch214: 0014-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch |
|
91 |
+Patch215: 0015-prctl-Add-speculation-control-prctls.patch |
|
92 |
+Patch216: 0016-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch |
|
93 |
+Patch217: 0017-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch |
|
94 |
+Patch218: 0018-x86-process-Optimize-TIF_NOTSC-switch.patch |
|
95 |
+Patch219: 0019-x86-process-Allow-runtime-control-of-Speculative-Sto.patch |
|
96 |
+Patch220: 0020-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch |
|
97 |
+Patch221: 0021-nospec-Allow-getting-setting-on-non-current-task.patch |
|
98 |
+Patch222: 0022-proc-Provide-details-on-speculation-flaw-mitigations.patch |
|
99 |
+Patch223: 0023-seccomp-Enable-speculation-flaw-mitigations.patch |
|
100 |
+Patch224: 0024-x86-bugs-Make-boot-modes-__ro_after_init.patch |
|
101 |
+Patch225: 0025-prctl-Add-force-disable-speculation.patch |
|
102 |
+Patch226: 0026-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch |
|
103 |
+Patch227: 0027-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch |
|
104 |
+Patch228: 0028-seccomp-Move-speculation-migitation-control-to-arch-.patch |
|
105 |
+Patch229: 0029-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch |
|
106 |
+Patch230: 0030-x86-bugs-Rename-_RDS-to-_SSBD.patch |
|
107 |
+Patch231: 0031-proc-Use-underscores-for-SSBD-in-status.patch |
|
108 |
+Patch232: 0032-Documentation-spec_ctrl-Do-some-minor-cleanups.patch |
|
109 |
+Patch233: 0033-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch |
|
110 |
+Patch234: 0034-x86-bugs-Make-cpu_show_common-static.patch |
|
111 |
+Patch235: 0035-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch |
|
112 |
+Patch236: 0036-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch |
|
113 |
+Patch237: 0037-KVM-SVM-Move-spec-control-call-after-restore-of-GS.patch |
|
114 |
+Patch238: 0038-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch |
|
115 |
+Patch239: 0039-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch |
|
116 |
+Patch240: 0040-x86-cpufeatures-Disentangle-SSBD-enumeration.patch |
|
117 |
+Patch241: 0041-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch |
|
118 |
+Patch242: 0042-x86-cpufeatures-Add-FEATURE_ZEN.patch |
|
119 |
+Patch243: 0043-x86-speculation-Handle-HT-correctly-on-AMD.patch |
|
120 |
+Patch244: 0044-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch |
|
121 |
+Patch245: 0045-x86-speculation-Add-virtualized-speculative-store-by.patch |
|
122 |
+Patch246: 0046-x86-speculation-Rework-speculative_store_bypass_upda.patch |
|
123 |
+Patch247: 0047-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch |
|
124 |
+Patch248: 0048-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch |
|
125 |
+Patch249: 0049-x86-bugs-Remove-x86_spec_ctrl_set.patch |
|
126 |
+Patch250: 0050-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch |
|
127 |
+Patch251: 0051-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch |
|
128 |
+Patch252: 0052-KVM-SVM-Implement-VIRT_SPEC_CTRL-support-for-SSBD.patch |
|
129 |
+Patch253: 0053-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch |
|
130 |
+ |
|
76 | 131 |
BuildRequires: bc |
77 | 132 |
BuildRequires: kbd |
78 | 133 |
BuildRequires: kmod-devel |
... | ... |
@@ -160,6 +215,60 @@ The Linux package contains the Linux kernel doc files |
160 | 160 |
%patch65 -p1 |
161 | 161 |
%patch66 -p1 |
162 | 162 |
|
163 |
+%patch201 -p1 |
|
164 |
+%patch202 -p1 |
|
165 |
+%patch203 -p1 |
|
166 |
+%patch204 -p1 |
|
167 |
+%patch205 -p1 |
|
168 |
+%patch206 -p1 |
|
169 |
+%patch207 -p1 |
|
170 |
+%patch208 -p1 |
|
171 |
+%patch209 -p1 |
|
172 |
+%patch210 -p1 |
|
173 |
+%patch211 -p1 |
|
174 |
+%patch212 -p1 |
|
175 |
+%patch213 -p1 |
|
176 |
+%patch214 -p1 |
|
177 |
+%patch215 -p1 |
|
178 |
+%patch216 -p1 |
|
179 |
+%patch217 -p1 |
|
180 |
+%patch218 -p1 |
|
181 |
+%patch219 -p1 |
|
182 |
+%patch220 -p1 |
|
183 |
+%patch221 -p1 |
|
184 |
+%patch222 -p1 |
|
185 |
+%patch223 -p1 |
|
186 |
+%patch224 -p1 |
|
187 |
+%patch225 -p1 |
|
188 |
+%patch226 -p1 |
|
189 |
+%patch227 -p1 |
|
190 |
+%patch228 -p1 |
|
191 |
+%patch229 -p1 |
|
192 |
+%patch230 -p1 |
|
193 |
+%patch231 -p1 |
|
194 |
+%patch232 -p1 |
|
195 |
+%patch233 -p1 |
|
196 |
+%patch234 -p1 |
|
197 |
+%patch235 -p1 |
|
198 |
+%patch236 -p1 |
|
199 |
+%patch237 -p1 |
|
200 |
+%patch238 -p1 |
|
201 |
+%patch239 -p1 |
|
202 |
+%patch240 -p1 |
|
203 |
+%patch241 -p1 |
|
204 |
+%patch242 -p1 |
|
205 |
+%patch243 -p1 |
|
206 |
+%patch244 -p1 |
|
207 |
+%patch245 -p1 |
|
208 |
+%patch246 -p1 |
|
209 |
+%patch247 -p1 |
|
210 |
+%patch248 -p1 |
|
211 |
+%patch249 -p1 |
|
212 |
+%patch250 -p1 |
|
213 |
+%patch251 -p1 |
|
214 |
+%patch252 -p1 |
|
215 |
+%patch253 -p1 |
|
216 |
+ |
|
163 | 217 |
%build |
164 | 218 |
# patch vmw_balloon driver |
165 | 219 |
sed -i 's/module_init/late_initcall/' drivers/misc/vmw_balloon.c |
... | ... |
@@ -255,6 +364,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
255 | 255 |
/usr/src/linux-headers-%{uname_r} |
256 | 256 |
|
257 | 257 |
%changelog |
258 |
+* Mon May 21 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.101-1 |
|
259 |
+- Update to version 4.9.101 and fix CVE-2018-3639. |
|
258 | 260 |
* Wed May 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.99-1 |
259 | 261 |
- Update to version 4.9.99 |
260 | 262 |
* Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2 |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 |
-Version: 4.9.99 |
|
4 |
+Version: 4.9.101 |
|
5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=d35adbca6133a7b5a382bd523f63322d0d56aeff |
|
12 |
+%define sha1 linux=12b399649df63355823d482fd91711b1be3e7f1b |
|
13 | 13 |
Source1: config-secure |
14 | 14 |
Source2: aufs4.9.tar.gz |
15 | 15 |
%define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906 |
... | ... |
@@ -82,6 +82,61 @@ Patch64: 0153-net-mpls-prevent-speculative-execution.patch |
82 | 82 |
Patch65: 0154-udf-prevent-speculative-execution.patch |
83 | 83 |
Patch66: 0155-userns-prevent-speculative-execution.patch |
84 | 84 |
|
85 |
+# Fix CVE-2018-3639 (Speculative Store Bypass) |
|
86 |
+Patch201: 0001-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch |
|
87 |
+Patch202: 0002-x86-nospec-Simplify-alternative_msr_write.patch |
|
88 |
+Patch203: 0003-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch |
|
89 |
+Patch204: 0004-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch |
|
90 |
+Patch205: 0005-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch |
|
91 |
+Patch206: 0006-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch |
|
92 |
+Patch207: 0007-x86-bugs-Expose-sys-.-spec_store_bypass.patch |
|
93 |
+Patch208: 0008-x86-cpufeatures-Add-X86_FEATURE_RDS.patch |
|
94 |
+Patch209: 0009-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch |
|
95 |
+Patch210: 0010-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch |
|
96 |
+Patch211: 0011-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch |
|
97 |
+Patch212: 0012-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch |
|
98 |
+Patch213: 0013-x86-KVM-VMX-Expose-SPEC_CTRL-Bit-2-to-the-guest.patch |
|
99 |
+Patch214: 0014-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch |
|
100 |
+Patch215: 0015-prctl-Add-speculation-control-prctls.patch |
|
101 |
+Patch216: 0016-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch |
|
102 |
+Patch217: 0017-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch |
|
103 |
+Patch218: 0018-x86-process-Optimize-TIF_NOTSC-switch.patch |
|
104 |
+Patch219: 0019-x86-process-Allow-runtime-control-of-Speculative-Sto.patch |
|
105 |
+Patch220: 0020-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch |
|
106 |
+Patch221: 0021-nospec-Allow-getting-setting-on-non-current-task.patch |
|
107 |
+Patch222: 0022-proc-Provide-details-on-speculation-flaw-mitigations.patch |
|
108 |
+Patch223: 0023-seccomp-Enable-speculation-flaw-mitigations.patch |
|
109 |
+Patch224: 0024-x86-bugs-Make-boot-modes-__ro_after_init.patch |
|
110 |
+Patch225: 0025-prctl-Add-force-disable-speculation.patch |
|
111 |
+Patch226: 0026-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch |
|
112 |
+Patch227: 0027-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch |
|
113 |
+Patch228: 0028-seccomp-Move-speculation-migitation-control-to-arch-.patch |
|
114 |
+Patch229: 0029-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch |
|
115 |
+Patch230: 0030-x86-bugs-Rename-_RDS-to-_SSBD.patch |
|
116 |
+Patch231: 0031-proc-Use-underscores-for-SSBD-in-status.patch |
|
117 |
+Patch232: 0032-Documentation-spec_ctrl-Do-some-minor-cleanups.patch |
|
118 |
+Patch233: 0033-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch |
|
119 |
+Patch234: 0034-x86-bugs-Make-cpu_show_common-static.patch |
|
120 |
+Patch235: 0035-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch |
|
121 |
+Patch236: 0036-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch |
|
122 |
+Patch237: 0037-KVM-SVM-Move-spec-control-call-after-restore-of-GS.patch |
|
123 |
+Patch238: 0038-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch |
|
124 |
+Patch239: 0039-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch |
|
125 |
+Patch240: 0040-x86-cpufeatures-Disentangle-SSBD-enumeration.patch |
|
126 |
+Patch241: 0041-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch |
|
127 |
+Patch242: 0042-x86-cpufeatures-Add-FEATURE_ZEN.patch |
|
128 |
+Patch243: 0043-x86-speculation-Handle-HT-correctly-on-AMD.patch |
|
129 |
+Patch244: 0044-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch |
|
130 |
+Patch245: 0045-x86-speculation-Add-virtualized-speculative-store-by.patch |
|
131 |
+Patch246: 0046-x86-speculation-Rework-speculative_store_bypass_upda.patch |
|
132 |
+Patch247: 0047-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch |
|
133 |
+Patch248: 0048-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch |
|
134 |
+Patch249: 0049-x86-bugs-Remove-x86_spec_ctrl_set.patch |
|
135 |
+Patch250: 0050-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch |
|
136 |
+Patch251: 0051-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch |
|
137 |
+Patch252: 0052-KVM-SVM-Implement-VIRT_SPEC_CTRL-support-for-SSBD.patch |
|
138 |
+Patch253: 0053-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch |
|
139 |
+ |
|
85 | 140 |
# NSX requirements (should be removed) |
86 | 141 |
Patch99: LKCM.patch |
87 | 142 |
|
... | ... |
@@ -219,6 +274,60 @@ EOF |
219 | 219 |
%patch14 -p1 |
220 | 220 |
%patch15 -p1 |
221 | 221 |
|
222 |
+%patch201 -p1 |
|
223 |
+%patch202 -p1 |
|
224 |
+%patch203 -p1 |
|
225 |
+%patch204 -p1 |
|
226 |
+%patch205 -p1 |
|
227 |
+%patch206 -p1 |
|
228 |
+%patch207 -p1 |
|
229 |
+%patch208 -p1 |
|
230 |
+%patch209 -p1 |
|
231 |
+%patch210 -p1 |
|
232 |
+%patch211 -p1 |
|
233 |
+%patch212 -p1 |
|
234 |
+%patch213 -p1 |
|
235 |
+%patch214 -p1 |
|
236 |
+%patch215 -p1 |
|
237 |
+%patch216 -p1 |
|
238 |
+%patch217 -p1 |
|
239 |
+%patch218 -p1 |
|
240 |
+%patch219 -p1 |
|
241 |
+%patch220 -p1 |
|
242 |
+%patch221 -p1 |
|
243 |
+%patch222 -p1 |
|
244 |
+%patch223 -p1 |
|
245 |
+%patch224 -p1 |
|
246 |
+%patch225 -p1 |
|
247 |
+%patch226 -p1 |
|
248 |
+%patch227 -p1 |
|
249 |
+%patch228 -p1 |
|
250 |
+%patch229 -p1 |
|
251 |
+%patch230 -p1 |
|
252 |
+%patch231 -p1 |
|
253 |
+%patch232 -p1 |
|
254 |
+%patch233 -p1 |
|
255 |
+%patch234 -p1 |
|
256 |
+%patch235 -p1 |
|
257 |
+%patch236 -p1 |
|
258 |
+%patch237 -p1 |
|
259 |
+%patch238 -p1 |
|
260 |
+%patch239 -p1 |
|
261 |
+%patch240 -p1 |
|
262 |
+%patch241 -p1 |
|
263 |
+%patch242 -p1 |
|
264 |
+%patch243 -p1 |
|
265 |
+%patch244 -p1 |
|
266 |
+%patch245 -p1 |
|
267 |
+%patch246 -p1 |
|
268 |
+%patch247 -p1 |
|
269 |
+%patch248 -p1 |
|
270 |
+%patch249 -p1 |
|
271 |
+%patch250 -p1 |
|
272 |
+%patch251 -p1 |
|
273 |
+%patch252 -p1 |
|
274 |
+%patch253 -p1 |
|
275 |
+ |
|
222 | 276 |
pushd .. |
223 | 277 |
%patch99 -p0 |
224 | 278 |
popd |
... | ... |
@@ -344,6 +453,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
344 | 344 |
/usr/src/linux-headers-%{uname_r} |
345 | 345 |
|
346 | 346 |
%changelog |
347 |
+* Mon May 21 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.101-1 |
|
348 |
+- Update to version 4.9.101 and fix CVE-2018-3639. |
|
347 | 349 |
* Wed May 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.99-1 |
348 | 350 |
- Update to version 4.9.99 |
349 | 351 |
* Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2 |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 |
-Version: 4.9.99 |
|
4 |
+Version: 4.9.101 |
|
5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=d35adbca6133a7b5a382bd523f63322d0d56aeff |
|
12 |
+%define sha1 linux=12b399649df63355823d482fd91711b1be3e7f1b |
|
13 | 13 |
Source1: config |
14 | 14 |
Source2: initramfs.trigger |
15 | 15 |
%define ena_version 1.1.3 |
... | ... |
@@ -80,6 +80,61 @@ Patch64: 0153-net-mpls-prevent-speculative-execution.patch |
80 | 80 |
Patch65: 0154-udf-prevent-speculative-execution.patch |
81 | 81 |
Patch66: 0155-userns-prevent-speculative-execution.patch |
82 | 82 |
|
83 |
+# Fix CVE-2018-3639 (Speculative Store Bypass) |
|
84 |
+Patch201: 0001-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch |
|
85 |
+Patch202: 0002-x86-nospec-Simplify-alternative_msr_write.patch |
|
86 |
+Patch203: 0003-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch |
|
87 |
+Patch204: 0004-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch |
|
88 |
+Patch205: 0005-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch |
|
89 |
+Patch206: 0006-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch |
|
90 |
+Patch207: 0007-x86-bugs-Expose-sys-.-spec_store_bypass.patch |
|
91 |
+Patch208: 0008-x86-cpufeatures-Add-X86_FEATURE_RDS.patch |
|
92 |
+Patch209: 0009-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch |
|
93 |
+Patch210: 0010-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch |
|
94 |
+Patch211: 0011-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch |
|
95 |
+Patch212: 0012-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch |
|
96 |
+Patch213: 0013-x86-KVM-VMX-Expose-SPEC_CTRL-Bit-2-to-the-guest.patch |
|
97 |
+Patch214: 0014-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch |
|
98 |
+Patch215: 0015-prctl-Add-speculation-control-prctls.patch |
|
99 |
+Patch216: 0016-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch |
|
100 |
+Patch217: 0017-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch |
|
101 |
+Patch218: 0018-x86-process-Optimize-TIF_NOTSC-switch.patch |
|
102 |
+Patch219: 0019-x86-process-Allow-runtime-control-of-Speculative-Sto.patch |
|
103 |
+Patch220: 0020-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch |
|
104 |
+Patch221: 0021-nospec-Allow-getting-setting-on-non-current-task.patch |
|
105 |
+Patch222: 0022-proc-Provide-details-on-speculation-flaw-mitigations.patch |
|
106 |
+Patch223: 0023-seccomp-Enable-speculation-flaw-mitigations.patch |
|
107 |
+Patch224: 0024-x86-bugs-Make-boot-modes-__ro_after_init.patch |
|
108 |
+Patch225: 0025-prctl-Add-force-disable-speculation.patch |
|
109 |
+Patch226: 0026-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch |
|
110 |
+Patch227: 0027-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch |
|
111 |
+Patch228: 0028-seccomp-Move-speculation-migitation-control-to-arch-.patch |
|
112 |
+Patch229: 0029-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch |
|
113 |
+Patch230: 0030-x86-bugs-Rename-_RDS-to-_SSBD.patch |
|
114 |
+Patch231: 0031-proc-Use-underscores-for-SSBD-in-status.patch |
|
115 |
+Patch232: 0032-Documentation-spec_ctrl-Do-some-minor-cleanups.patch |
|
116 |
+Patch233: 0033-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch |
|
117 |
+Patch234: 0034-x86-bugs-Make-cpu_show_common-static.patch |
|
118 |
+Patch235: 0035-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch |
|
119 |
+Patch236: 0036-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch |
|
120 |
+Patch237: 0037-KVM-SVM-Move-spec-control-call-after-restore-of-GS.patch |
|
121 |
+Patch238: 0038-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch |
|
122 |
+Patch239: 0039-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch |
|
123 |
+Patch240: 0040-x86-cpufeatures-Disentangle-SSBD-enumeration.patch |
|
124 |
+Patch241: 0041-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch |
|
125 |
+Patch242: 0042-x86-cpufeatures-Add-FEATURE_ZEN.patch |
|
126 |
+Patch243: 0043-x86-speculation-Handle-HT-correctly-on-AMD.patch |
|
127 |
+Patch244: 0044-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch |
|
128 |
+Patch245: 0045-x86-speculation-Add-virtualized-speculative-store-by.patch |
|
129 |
+Patch246: 0046-x86-speculation-Rework-speculative_store_bypass_upda.patch |
|
130 |
+Patch247: 0047-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch |
|
131 |
+Patch248: 0048-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch |
|
132 |
+Patch249: 0049-x86-bugs-Remove-x86_spec_ctrl_set.patch |
|
133 |
+Patch250: 0050-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch |
|
134 |
+Patch251: 0051-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch |
|
135 |
+Patch252: 0052-KVM-SVM-Implement-VIRT_SPEC_CTRL-support-for-SSBD.patch |
|
136 |
+Patch253: 0053-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch |
|
137 |
+ |
|
83 | 138 |
%if 0%{?kat_build:1} |
84 | 139 |
Patch1000: %{kat_build}.patch |
85 | 140 |
%endif |
... | ... |
@@ -204,6 +259,60 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
204 | 204 |
%patch65 -p1 |
205 | 205 |
%patch66 -p1 |
206 | 206 |
|
207 |
+%patch201 -p1 |
|
208 |
+%patch202 -p1 |
|
209 |
+%patch203 -p1 |
|
210 |
+%patch204 -p1 |
|
211 |
+%patch205 -p1 |
|
212 |
+%patch206 -p1 |
|
213 |
+%patch207 -p1 |
|
214 |
+%patch208 -p1 |
|
215 |
+%patch209 -p1 |
|
216 |
+%patch210 -p1 |
|
217 |
+%patch211 -p1 |
|
218 |
+%patch212 -p1 |
|
219 |
+%patch213 -p1 |
|
220 |
+%patch214 -p1 |
|
221 |
+%patch215 -p1 |
|
222 |
+%patch216 -p1 |
|
223 |
+%patch217 -p1 |
|
224 |
+%patch218 -p1 |
|
225 |
+%patch219 -p1 |
|
226 |
+%patch220 -p1 |
|
227 |
+%patch221 -p1 |
|
228 |
+%patch222 -p1 |
|
229 |
+%patch223 -p1 |
|
230 |
+%patch224 -p1 |
|
231 |
+%patch225 -p1 |
|
232 |
+%patch226 -p1 |
|
233 |
+%patch227 -p1 |
|
234 |
+%patch228 -p1 |
|
235 |
+%patch229 -p1 |
|
236 |
+%patch230 -p1 |
|
237 |
+%patch231 -p1 |
|
238 |
+%patch232 -p1 |
|
239 |
+%patch233 -p1 |
|
240 |
+%patch234 -p1 |
|
241 |
+%patch235 -p1 |
|
242 |
+%patch236 -p1 |
|
243 |
+%patch237 -p1 |
|
244 |
+%patch238 -p1 |
|
245 |
+%patch239 -p1 |
|
246 |
+%patch240 -p1 |
|
247 |
+%patch241 -p1 |
|
248 |
+%patch242 -p1 |
|
249 |
+%patch243 -p1 |
|
250 |
+%patch244 -p1 |
|
251 |
+%patch245 -p1 |
|
252 |
+%patch246 -p1 |
|
253 |
+%patch247 -p1 |
|
254 |
+%patch248 -p1 |
|
255 |
+%patch249 -p1 |
|
256 |
+%patch250 -p1 |
|
257 |
+%patch251 -p1 |
|
258 |
+%patch252 -p1 |
|
259 |
+%patch253 -p1 |
|
260 |
+ |
|
207 | 261 |
%if 0%{?kat_build:1} |
208 | 262 |
%patch1000 -p1 |
209 | 263 |
%endif |
... | ... |
@@ -370,6 +479,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
370 | 370 |
/usr/share/doc/* |
371 | 371 |
|
372 | 372 |
%changelog |
373 |
+* Mon May 21 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.101-1 |
|
374 |
+- Update to version 4.9.101 and fix CVE-2018-3639. |
|
373 | 375 |
* Wed May 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.99-1 |
374 | 376 |
- Update to version 4.9.99 |
375 | 377 |
* Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2 |
376 | 378 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,66 @@ |
0 |
+From 955fb59065c8d4dd1efe70a6d3233f7f2aa925f8 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: David Woodhouse <dwmw@amazon.co.uk> |
|
2 |
+Date: Sun, 20 May 2018 20:51:10 +0100 |
|
3 |
+Subject: [PATCH] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS when running under |
|
4 |
+ Xen |
|
5 |
+ |
|
6 |
+commit def9331a12977770cc6132d79f8e6565871e8e38 upstream |
|
7 |
+ |
|
8 |
+When running as Xen pv guest X86_BUG_SYSRET_SS_ATTRS must not be set |
|
9 |
+on AMD cpus. |
|
10 |
+ |
|
11 |
+This bug/feature bit is kind of special as it will be used very early |
|
12 |
+when switching threads. Setting the bit and clearing it a little bit |
|
13 |
+later leaves a critical window where things can go wrong. This time |
|
14 |
+window has enlarged a little bit by using setup_clear_cpu_cap() instead |
|
15 |
+of the hypervisor's set_cpu_features callback. It seems this larger |
|
16 |
+window now makes it rather easy to hit the problem. |
|
17 |
+ |
|
18 |
+The proper solution is to never set the bit in case of Xen. |
|
19 |
+ |
|
20 |
+Signed-off-by: Juergen Gross <jgross@suse.com> |
|
21 |
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> |
|
22 |
+Acked-by: Thomas Gleixner <tglx@linutronix.de> |
|
23 |
+Signed-off-by: Juergen Gross <jgross@suse.com> |
|
24 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
25 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
26 |
+--- |
|
27 |
+ arch/x86/kernel/cpu/amd.c | 5 +++-- |
|
28 |
+ arch/x86/xen/enlighten.c | 4 +--- |
|
29 |
+ 2 files changed, 4 insertions(+), 5 deletions(-) |
|
30 |
+ |
|
31 |
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
|
32 |
+index c375bc6..747f8a2 100644 |
|
33 |
+--- a/arch/x86/kernel/cpu/amd.c |
|
34 |
+@@ -824,8 +824,9 @@ static void init_amd(struct cpuinfo_x86 *c) |
|
35 |
+ if (cpu_has(c, X86_FEATURE_3DNOW) || cpu_has(c, X86_FEATURE_LM)) |
|
36 |
+ set_cpu_cap(c, X86_FEATURE_3DNOWPREFETCH); |
|
37 |
+ |
|
38 |
+- /* AMD CPUs don't reset SS attributes on SYSRET */ |
|
39 |
+- set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); |
|
40 |
++ /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */ |
|
41 |
++ if (!cpu_has(c, X86_FEATURE_XENPV)) |
|
42 |
++ set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); |
|
43 |
+ } |
|
44 |
+ |
|
45 |
+ #ifdef CONFIG_X86_32 |
|
46 |
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c |
|
47 |
+index 2bea87c..081437b 100644 |
|
48 |
+--- a/arch/x86/xen/enlighten.c |
|
49 |
+@@ -1977,10 +1977,8 @@ EXPORT_SYMBOL_GPL(xen_hvm_need_lapic); |
|
50 |
+ |
|
51 |
+ static void xen_set_cpu_features(struct cpuinfo_x86 *c) |
|
52 |
+ { |
|
53 |
+- if (xen_pv_domain()) { |
|
54 |
+- clear_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); |
|
55 |
++ if (xen_pv_domain()) |
|
56 |
+ set_cpu_cap(c, X86_FEATURE_XENPV); |
|
57 |
+- } |
|
58 |
+ } |
|
59 |
+ |
|
60 |
+ static void xen_pin_vcpu(int cpu) |
|
61 |
+-- |
|
62 |
+2.7.4 |
|
63 |
+ |
0 | 64 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,71 @@ |
0 |
+From 50611b175f16c043d2a277faef4dd1a73050bba1 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Linus Torvalds <torvalds@linux-foundation.org> |
|
2 |
+Date: Tue, 1 May 2018 15:55:51 +0200 |
|
3 |
+Subject: [PATCH 02/54] x86/nospec: Simplify alternative_msr_write() |
|
4 |
+ |
|
5 |
+commit 1aa7a5735a41418d8e01fa7c9565eb2657e2ea3f upstream |
|
6 |
+ |
|
7 |
+The macro is not type safe and I did look for why that "g" constraint for |
|
8 |
+the asm doesn't work: it's because the asm is more fundamentally wrong. |
|
9 |
+ |
|
10 |
+It does |
|
11 |
+ |
|
12 |
+ movl %[val], %%eax |
|
13 |
+ |
|
14 |
+but "val" isn't a 32-bit value, so then gcc will pass it in a register, |
|
15 |
+and generate code like |
|
16 |
+ |
|
17 |
+ movl %rsi, %eax |
|
18 |
+ |
|
19 |
+and gas will complain about a nonsensical 'mov' instruction (it's moving a |
|
20 |
+64-bit register to a 32-bit one). |
|
21 |
+ |
|
22 |
+Passing it through memory will just hide the real bug - gcc still thinks |
|
23 |
+the memory location is 64-bit, but the "movl" will only load the first 32 |
|
24 |
+bits and it all happens to work because x86 is little-endian. |
|
25 |
+ |
|
26 |
+Convert it to a type safe inline function with a little trick which hands |
|
27 |
+the feature into the ALTERNATIVE macro. |
|
28 |
+ |
|
29 |
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
|
30 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
31 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
32 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
33 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
34 |
+--- |
|
35 |
+ arch/x86/include/asm/nospec-branch.h | 19 ++++++++++--------- |
|
36 |
+ 1 file changed, 10 insertions(+), 9 deletions(-) |
|
37 |
+ |
|
38 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
39 |
+index f928ad9..870acfc 100644 |
|
40 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
41 |
+@@ -241,15 +241,16 @@ static inline void vmexit_fill_RSB(void) |
|
42 |
+ #endif |
|
43 |
+ } |
|
44 |
+ |
|
45 |
+-#define alternative_msr_write(_msr, _val, _feature) \ |
|
46 |
+- asm volatile(ALTERNATIVE("", \ |
|
47 |
+- "movl %[msr], %%ecx\n\t" \ |
|
48 |
+- "movl %[val], %%eax\n\t" \ |
|
49 |
+- "movl $0, %%edx\n\t" \ |
|
50 |
+- "wrmsr", \ |
|
51 |
+- _feature) \ |
|
52 |
+- : : [msr] "i" (_msr), [val] "i" (_val) \ |
|
53 |
+- : "eax", "ecx", "edx", "memory") |
|
54 |
++static __always_inline |
|
55 |
++void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature) |
|
56 |
++{ |
|
57 |
++ asm volatile(ALTERNATIVE("", "wrmsr", %c[feature]) |
|
58 |
++ : : "c" (msr), |
|
59 |
++ "a" (val), |
|
60 |
++ "d" (val >> 32), |
|
61 |
++ [feature] "i" (feature) |
|
62 |
++ : "memory"); |
|
63 |
++} |
|
64 |
+ |
|
65 |
+ static inline void indirect_branch_prediction_barrier(void) |
|
66 |
+ { |
|
67 |
+-- |
|
68 |
+2.7.4 |
|
69 |
+ |
0 | 70 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,75 @@ |
0 |
+From c0fe8ba000900104b0e1d75792cc3b649e2ca5c8 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 25 Apr 2018 22:04:16 -0400 |
|
3 |
+Subject: [PATCH 03/54] x86/bugs: Concentrate bug detection into a separate |
|
4 |
+ function |
|
5 |
+ |
|
6 |
+commit 4a28bfe3267b68e22c663ac26185aa16c9b879ef upstream |
|
7 |
+ |
|
8 |
+Combine the various logic which goes through all those |
|
9 |
+x86_cpu_id matching structures in one function. |
|
10 |
+ |
|
11 |
+Suggested-by: Borislav Petkov <bp@suse.de> |
|
12 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
13 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
14 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
15 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
16 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
17 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
18 |
+--- |
|
19 |
+ arch/x86/kernel/cpu/common.c | 21 +++++++++++---------- |
|
20 |
+ 1 file changed, 11 insertions(+), 10 deletions(-) |
|
21 |
+ |
|
22 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
23 |
+index 301bbd1..357c589 100644 |
|
24 |
+--- a/arch/x86/kernel/cpu/common.c |
|
25 |
+@@ -879,21 +879,27 @@ static const __initconst struct x86_cpu_id cpu_no_meltdown[] = { |
|
26 |
+ {} |
|
27 |
+ }; |
|
28 |
+ |
|
29 |
+-static bool __init cpu_vulnerable_to_meltdown(struct cpuinfo_x86 *c) |
|
30 |
++static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) |
|
31 |
+ { |
|
32 |
+ u64 ia32_cap = 0; |
|
33 |
+ |
|
34 |
++ if (x86_match_cpu(cpu_no_speculation)) |
|
35 |
++ return; |
|
36 |
++ |
|
37 |
++ setup_force_cpu_bug(X86_BUG_SPECTRE_V1); |
|
38 |
++ setup_force_cpu_bug(X86_BUG_SPECTRE_V2); |
|
39 |
++ |
|
40 |
+ if (x86_match_cpu(cpu_no_meltdown)) |
|
41 |
+- return false; |
|
42 |
++ return; |
|
43 |
+ |
|
44 |
+ if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES)) |
|
45 |
+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); |
|
46 |
+ |
|
47 |
+ /* Rogue Data Cache Load? No! */ |
|
48 |
+ if (ia32_cap & ARCH_CAP_RDCL_NO) |
|
49 |
+- return false; |
|
50 |
++ return; |
|
51 |
+ |
|
52 |
+- return true; |
|
53 |
++ setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN); |
|
54 |
+ } |
|
55 |
+ |
|
56 |
+ /* |
|
57 |
+@@ -942,12 +948,7 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c) |
|
58 |
+ |
|
59 |
+ setup_force_cpu_cap(X86_FEATURE_ALWAYS); |
|
60 |
+ |
|
61 |
+- if (!x86_match_cpu(cpu_no_speculation)) { |
|
62 |
+- if (cpu_vulnerable_to_meltdown(c)) |
|
63 |
+- setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN); |
|
64 |
+- setup_force_cpu_bug(X86_BUG_SPECTRE_V1); |
|
65 |
+- setup_force_cpu_bug(X86_BUG_SPECTRE_V2); |
|
66 |
+- } |
|
67 |
++ cpu_set_bug_bits(c); |
|
68 |
+ |
|
69 |
+ fpu__init_system(c); |
|
70 |
+ |
|
71 |
+-- |
|
72 |
+2.7.4 |
|
73 |
+ |
0 | 74 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,92 @@ |
0 |
+From ff78adefff46730763280872f6c78e9599b58eaf Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 25 Apr 2018 22:04:17 -0400 |
|
3 |
+Subject: [PATCH 04/54] x86/bugs: Concentrate bug reporting into a separate |
|
4 |
+ function |
|
5 |
+ |
|
6 |
+commit d1059518b4789cabe34bb4b714d07e6089c82ca1 upstream |
|
7 |
+ |
|
8 |
+Those SysFS functions have a similar preamble, as such make common |
|
9 |
+code to handle them. |
|
10 |
+ |
|
11 |
+Suggested-by: Borislav Petkov <bp@suse.de> |
|
12 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
13 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
14 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
15 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
16 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
17 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
18 |
+--- |
|
19 |
+ arch/x86/kernel/cpu/bugs.c | 46 ++++++++++++++++++++++++++++++++-------------- |
|
20 |
+ 1 file changed, 32 insertions(+), 14 deletions(-) |
|
21 |
+ |
|
22 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
23 |
+index b8b0b6e..4d9c5fe 100644 |
|
24 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
25 |
+@@ -313,30 +313,48 @@ static void __init spectre_v2_select_mitigation(void) |
|
26 |
+ #undef pr_fmt |
|
27 |
+ |
|
28 |
+ #ifdef CONFIG_SYSFS |
|
29 |
+-ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) |
|
30 |
++ |
|
31 |
++ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, |
|
32 |
++ char *buf, unsigned int bug) |
|
33 |
+ { |
|
34 |
+- if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN)) |
|
35 |
++ if (!boot_cpu_has_bug(bug)) |
|
36 |
+ return sprintf(buf, "Not affected\n"); |
|
37 |
+- if (boot_cpu_has(X86_FEATURE_KAISER)) |
|
38 |
+- return sprintf(buf, "Mitigation: PTI\n"); |
|
39 |
++ |
|
40 |
++ switch (bug) { |
|
41 |
++ case X86_BUG_CPU_MELTDOWN: |
|
42 |
++ if (boot_cpu_has(X86_FEATURE_KAISER)) |
|
43 |
++ return sprintf(buf, "Mitigation: PTI\n"); |
|
44 |
++ |
|
45 |
++ break; |
|
46 |
++ |
|
47 |
++ case X86_BUG_SPECTRE_V1: |
|
48 |
++ return sprintf(buf, "Mitigation: __user pointer sanitization\n"); |
|
49 |
++ |
|
50 |
++ case X86_BUG_SPECTRE_V2: |
|
51 |
++ return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], |
|
52 |
++ boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "", |
|
53 |
++ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", |
|
54 |
++ spectre_v2_module_string()); |
|
55 |
++ |
|
56 |
++ default: |
|
57 |
++ break; |
|
58 |
++ } |
|
59 |
++ |
|
60 |
+ return sprintf(buf, "Vulnerable\n"); |
|
61 |
+ } |
|
62 |
+ |
|
63 |
++ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) |
|
64 |
++{ |
|
65 |
++ return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN); |
|
66 |
++} |
|
67 |
++ |
|
68 |
+ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) |
|
69 |
+ { |
|
70 |
+- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1)) |
|
71 |
+- return sprintf(buf, "Not affected\n"); |
|
72 |
+- return sprintf(buf, "Mitigation: __user pointer sanitization\n"); |
|
73 |
++ return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1); |
|
74 |
+ } |
|
75 |
+ |
|
76 |
+ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) |
|
77 |
+ { |
|
78 |
+- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) |
|
79 |
+- return sprintf(buf, "Not affected\n"); |
|
80 |
+- |
|
81 |
+- return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], |
|
82 |
+- boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "", |
|
83 |
+- boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", |
|
84 |
+- spectre_v2_module_string()); |
|
85 |
++ return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2); |
|
86 |
+ } |
|
87 |
+ #endif |
|
88 |
+-- |
|
89 |
+2.7.4 |
|
90 |
+ |
0 | 91 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,143 @@ |
0 |
+From 84f69ae87c13c1ab6f0bdf945f5e3710a37bcb6d Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 25 Apr 2018 22:04:18 -0400 |
|
3 |
+Subject: [PATCH 05/54] x86/bugs: Read SPEC_CTRL MSR during boot and re-use |
|
4 |
+ reserved bits |
|
5 |
+ |
|
6 |
+commit 1b86883ccb8d5d9506529d42dbe1a5257cb30b18 upstream |
|
7 |
+ |
|
8 |
+The 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to all |
|
9 |
+the other bits as reserved. The Intel SDM glossary defines reserved as |
|
10 |
+implementation specific - aka unknown. |
|
11 |
+ |
|
12 |
+As such at bootup this must be taken it into account and proper masking for |
|
13 |
+the bits in use applied. |
|
14 |
+ |
|
15 |
+A copy of this document is available at |
|
16 |
+https://bugzilla.kernel.org/show_bug.cgi?id=199511 |
|
17 |
+ |
|
18 |
+[ tglx: Made x86_spec_ctrl_base __ro_after_init ] |
|
19 |
+ |
|
20 |
+Suggested-by: Jon Masters <jcm@redhat.com> |
|
21 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
22 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
23 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
24 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
25 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
26 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
27 |
+--- |
|
28 |
+ arch/x86/include/asm/nospec-branch.h | 24 ++++++++++++++++++++---- |
|
29 |
+ arch/x86/kernel/cpu/bugs.c | 28 ++++++++++++++++++++++++++++ |
|
30 |
+ 2 files changed, 48 insertions(+), 4 deletions(-) |
|
31 |
+ |
|
32 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
33 |
+index 870acfc..9ec3d4d 100644 |
|
34 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
35 |
+@@ -217,6 +217,17 @@ enum spectre_v2_mitigation { |
|
36 |
+ SPECTRE_V2_IBRS, |
|
37 |
+ }; |
|
38 |
+ |
|
39 |
++/* |
|
40 |
++ * The Intel specification for the SPEC_CTRL MSR requires that we |
|
41 |
++ * preserve any already set reserved bits at boot time (e.g. for |
|
42 |
++ * future additions that this kernel is not currently aware of). |
|
43 |
++ * We then set any additional mitigation bits that we want |
|
44 |
++ * ourselves and always use this as the base for SPEC_CTRL. |
|
45 |
++ * We also use this when handling guest entry/exit as below. |
|
46 |
++ */ |
|
47 |
++extern void x86_spec_ctrl_set(u64); |
|
48 |
++extern u64 x86_spec_ctrl_get_default(void); |
|
49 |
++ |
|
50 |
+ extern char __indirect_thunk_start[]; |
|
51 |
+ extern char __indirect_thunk_end[]; |
|
52 |
+ |
|
53 |
+@@ -254,8 +265,9 @@ void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature) |
|
54 |
+ |
|
55 |
+ static inline void indirect_branch_prediction_barrier(void) |
|
56 |
+ { |
|
57 |
+- alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB, |
|
58 |
+- X86_FEATURE_USE_IBPB); |
|
59 |
++ u64 val = PRED_CMD_IBPB; |
|
60 |
++ |
|
61 |
++ alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB); |
|
62 |
+ } |
|
63 |
+ |
|
64 |
+ /* |
|
65 |
+@@ -266,14 +278,18 @@ static inline void indirect_branch_prediction_barrier(void) |
|
66 |
+ */ |
|
67 |
+ #define firmware_restrict_branch_speculation_start() \ |
|
68 |
+ do { \ |
|
69 |
++ u64 val = x86_spec_ctrl_get_default() | SPEC_CTRL_IBRS; \ |
|
70 |
++ \ |
|
71 |
+ preempt_disable(); \ |
|
72 |
+- alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, \ |
|
73 |
++ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ |
|
74 |
+ X86_FEATURE_USE_IBRS_FW); \ |
|
75 |
+ } while (0) |
|
76 |
+ |
|
77 |
+ #define firmware_restrict_branch_speculation_end() \ |
|
78 |
+ do { \ |
|
79 |
+- alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, \ |
|
80 |
++ u64 val = x86_spec_ctrl_get_default(); \ |
|
81 |
++ \ |
|
82 |
++ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ |
|
83 |
+ X86_FEATURE_USE_IBRS_FW); \ |
|
84 |
+ preempt_enable(); \ |
|
85 |
+ } while (0) |
|
86 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
87 |
+index 4d9c5fe..6ff972a 100644 |
|
88 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
89 |
+@@ -27,6 +27,12 @@ |
|
90 |
+ |
|
91 |
+ static void __init spectre_v2_select_mitigation(void); |
|
92 |
+ |
|
93 |
++/* |
|
94 |
++ * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any |
|
95 |
++ * writes to SPEC_CTRL contain whatever reserved bits have been set. |
|
96 |
++ */ |
|
97 |
++static u64 __ro_after_init x86_spec_ctrl_base; |
|
98 |
++ |
|
99 |
+ void __init check_bugs(void) |
|
100 |
+ { |
|
101 |
+ identify_boot_cpu(); |
|
102 |
+@@ -36,6 +42,13 @@ void __init check_bugs(void) |
|
103 |
+ print_cpu_info(&boot_cpu_data); |
|
104 |
+ } |
|
105 |
+ |
|
106 |
++ /* |
|
107 |
++ * Read the SPEC_CTRL MSR to account for reserved bits which may |
|
108 |
++ * have unknown values. |
|
109 |
++ */ |
|
110 |
++ if (boot_cpu_has(X86_FEATURE_IBRS)) |
|
111 |
++ rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
|
112 |
++ |
|
113 |
+ /* Select the proper spectre mitigation before patching alternatives */ |
|
114 |
+ spectre_v2_select_mitigation(); |
|
115 |
+ |
|
116 |
+@@ -94,6 +107,21 @@ static const char *spectre_v2_strings[] = { |
|
117 |
+ |
|
118 |
+ static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; |
|
119 |
+ |
|
120 |
++void x86_spec_ctrl_set(u64 val) |
|
121 |
++{ |
|
122 |
++ if (val & ~SPEC_CTRL_IBRS) |
|
123 |
++ WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val); |
|
124 |
++ else |
|
125 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val); |
|
126 |
++} |
|
127 |
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_set); |
|
128 |
++ |
|
129 |
++u64 x86_spec_ctrl_get_default(void) |
|
130 |
++{ |
|
131 |
++ return x86_spec_ctrl_base; |
|
132 |
++} |
|
133 |
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); |
|
134 |
++ |
|
135 |
+ #ifdef RETPOLINE |
|
136 |
+ static bool spectre_v2_bad_module; |
|
137 |
+ |
|
138 |
+-- |
|
139 |
+2.7.4 |
|
140 |
+ |
0 | 141 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,137 @@ |
0 |
+From 77da8ae16be7e944aad9306ecb481131ae77bb1f Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 25 Apr 2018 22:04:19 -0400 |
|
3 |
+Subject: [PATCH 06/54] x86/bugs, KVM: Support the combination of guest and |
|
4 |
+ host IBRS |
|
5 |
+ |
|
6 |
+commit 5cf687548705412da47c9cec342fd952d71ed3d5 upstream |
|
7 |
+ |
|
8 |
+A guest may modify the SPEC_CTRL MSR from the value used by the |
|
9 |
+kernel. Since the kernel doesn't use IBRS, this means a value of zero is |
|
10 |
+what is needed in the host. |
|
11 |
+ |
|
12 |
+But the 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to |
|
13 |
+the other bits as reserved so the kernel should respect the boot time |
|
14 |
+SPEC_CTRL value and use that. |
|
15 |
+ |
|
16 |
+This allows to deal with future extensions to the SPEC_CTRL interface if |
|
17 |
+any at all. |
|
18 |
+ |
|
19 |
+Note: This uses wrmsrl() instead of native_wrmsl(). I does not make any |
|
20 |
+difference as paravirt will over-write the callq *0xfff.. with the wrmsrl |
|
21 |
+assembler code. |
|
22 |
+ |
|
23 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
24 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
25 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
26 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
27 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
28 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
29 |
+--- |
|
30 |
+ arch/x86/include/asm/nospec-branch.h | 10 ++++++++++ |
|
31 |
+ arch/x86/kernel/cpu/bugs.c | 18 ++++++++++++++++++ |
|
32 |
+ arch/x86/kvm/svm.c | 6 ++---- |
|
33 |
+ arch/x86/kvm/vmx.c | 6 ++---- |
|
34 |
+ 4 files changed, 32 insertions(+), 8 deletions(-) |
|
35 |
+ |
|
36 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
37 |
+index 9ec3d4d..d1c26309 100644 |
|
38 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
39 |
+@@ -228,6 +228,16 @@ enum spectre_v2_mitigation { |
|
40 |
+ extern void x86_spec_ctrl_set(u64); |
|
41 |
+ extern u64 x86_spec_ctrl_get_default(void); |
|
42 |
+ |
|
43 |
++/* |
|
44 |
++ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR |
|
45 |
++ * the guest has, while on VMEXIT we restore the host view. This |
|
46 |
++ * would be easier if SPEC_CTRL were architecturally maskable or |
|
47 |
++ * shadowable for guests but this is not (currently) the case. |
|
48 |
++ * Takes the guest view of SPEC_CTRL MSR as a parameter. |
|
49 |
++ */ |
|
50 |
++extern void x86_spec_ctrl_set_guest(u64); |
|
51 |
++extern void x86_spec_ctrl_restore_host(u64); |
|
52 |
++ |
|
53 |
+ extern char __indirect_thunk_start[]; |
|
54 |
+ extern char __indirect_thunk_end[]; |
|
55 |
+ |
|
56 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
57 |
+index 6ff972a..f5cad2f 100644 |
|
58 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
59 |
+@@ -122,6 +122,24 @@ u64 x86_spec_ctrl_get_default(void) |
|
60 |
+ } |
|
61 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); |
|
62 |
+ |
|
63 |
++void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) |
|
64 |
++{ |
|
65 |
++ if (!boot_cpu_has(X86_FEATURE_IBRS)) |
|
66 |
++ return; |
|
67 |
++ if (x86_spec_ctrl_base != guest_spec_ctrl) |
|
68 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl); |
|
69 |
++} |
|
70 |
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest); |
|
71 |
++ |
|
72 |
++void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) |
|
73 |
++{ |
|
74 |
++ if (!boot_cpu_has(X86_FEATURE_IBRS)) |
|
75 |
++ return; |
|
76 |
++ if (x86_spec_ctrl_base != guest_spec_ctrl) |
|
77 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
|
78 |
++} |
|
79 |
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host); |
|
80 |
++ |
|
81 |
+ #ifdef RETPOLINE |
|
82 |
+ static bool spectre_v2_bad_module; |
|
83 |
+ |
|
84 |
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c |
|
85 |
+index aaa93b4..eeb8cd3 100644 |
|
86 |
+--- a/arch/x86/kvm/svm.c |
|
87 |
+@@ -4917,8 +4917,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) |
|
88 |
+ * is no need to worry about the conditional branch over the wrmsr |
|
89 |
+ * being speculatively taken. |
|
90 |
+ */ |
|
91 |
+- if (svm->spec_ctrl) |
|
92 |
+- native_wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl); |
|
93 |
++ x86_spec_ctrl_set_guest(svm->spec_ctrl); |
|
94 |
+ |
|
95 |
+ asm volatile ( |
|
96 |
+ "push %%" _ASM_BP "; \n\t" |
|
97 |
+@@ -5030,8 +5029,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) |
|
98 |
+ if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) |
|
99 |
+ svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); |
|
100 |
+ |
|
101 |
+- if (svm->spec_ctrl) |
|
102 |
+- native_wrmsrl(MSR_IA32_SPEC_CTRL, 0); |
|
103 |
++ x86_spec_ctrl_restore_host(svm->spec_ctrl); |
|
104 |
+ |
|
105 |
+ /* Eliminate branch target predictions from guest mode */ |
|
106 |
+ vmexit_fill_RSB(); |
|
107 |
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
|
108 |
+index b978aec..266db0b 100644 |
|
109 |
+--- a/arch/x86/kvm/vmx.c |
|
110 |
+@@ -8916,8 +8916,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
|
111 |
+ * is no need to worry about the conditional branch over the wrmsr |
|
112 |
+ * being speculatively taken. |
|
113 |
+ */ |
|
114 |
+- if (vmx->spec_ctrl) |
|
115 |
+- native_wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl); |
|
116 |
++ x86_spec_ctrl_set_guest(vmx->spec_ctrl); |
|
117 |
+ |
|
118 |
+ vmx->__launched = vmx->loaded_vmcs->launched; |
|
119 |
+ asm( |
|
120 |
+@@ -9055,8 +9054,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
|
121 |
+ if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) |
|
122 |
+ vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); |
|
123 |
+ |
|
124 |
+- if (vmx->spec_ctrl) |
|
125 |
+- native_wrmsrl(MSR_IA32_SPEC_CTRL, 0); |
|
126 |
++ x86_spec_ctrl_restore_host(vmx->spec_ctrl); |
|
127 |
+ |
|
128 |
+ /* Eliminate branch target predictions from guest mode */ |
|
129 |
+ vmexit_fill_RSB(); |
|
130 |
+-- |
|
131 |
+2.7.4 |
|
132 |
+ |
0 | 133 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,148 @@ |
0 |
+From 0e2bf3faef41f14a643e992c4be77fbab56381c1 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 25 Apr 2018 22:04:20 -0400 |
|
3 |
+Subject: [PATCH 07/54] x86/bugs: Expose /sys/../spec_store_bypass |
|
4 |
+ |
|
5 |
+commit c456442cd3a59eeb1d60293c26cbe2ff2c4e42cf upstream |
|
6 |
+ |
|
7 |
+Add the sysfs file for the new vulerability. It does not do much except |
|
8 |
+show the words 'Vulnerable' for recent x86 cores. |
|
9 |
+ |
|
10 |
+Intel cores prior to family 6 are known not to be vulnerable, and so are |
|
11 |
+some Atoms and some Xeon Phi. |
|
12 |
+ |
|
13 |
+It assumes that older Cyrix, Centaur, etc. cores are immune. |
|
14 |
+ |
|
15 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
16 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
17 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
18 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
19 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
20 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
21 |
+--- |
|
22 |
+ Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + |
|
23 |
+ arch/x86/include/asm/cpufeatures.h | 1 + |
|
24 |
+ arch/x86/kernel/cpu/bugs.c | 5 +++++ |
|
25 |
+ arch/x86/kernel/cpu/common.c | 23 ++++++++++++++++++++++ |
|
26 |
+ drivers/base/cpu.c | 8 ++++++++ |
|
27 |
+ include/linux/cpu.h | 2 ++ |
|
28 |
+ 6 files changed, 40 insertions(+) |
|
29 |
+ |
|
30 |
+diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu |
|
31 |
+index dfd56ec..6d75a9c 100644 |
|
32 |
+--- a/Documentation/ABI/testing/sysfs-devices-system-cpu |
|
33 |
+@@ -355,6 +355,7 @@ What: /sys/devices/system/cpu/vulnerabilities |
|
34 |
+ /sys/devices/system/cpu/vulnerabilities/meltdown |
|
35 |
+ /sys/devices/system/cpu/vulnerabilities/spectre_v1 |
|
36 |
+ /sys/devices/system/cpu/vulnerabilities/spectre_v2 |
|
37 |
++ /sys/devices/system/cpu/vulnerabilities/spec_store_bypass |
|
38 |
+ Date: January 2018 |
|
39 |
+ Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org> |
|
40 |
+ Description: Information about CPU vulnerabilities |
|
41 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
42 |
+index a248531..a688adb 100644 |
|
43 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
44 |
+@@ -335,5 +335,6 @@ |
|
45 |
+ #define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */ |
|
46 |
+ #define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ |
|
47 |
+ #define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ |
|
48 |
++#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */ |
|
49 |
+ |
|
50 |
+ #endif /* _ASM_X86_CPUFEATURES_H */ |
|
51 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
52 |
+index f5cad2f..64e17a9 100644 |
|
53 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
54 |
+@@ -403,4 +403,9 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c |
|
55 |
+ { |
|
56 |
+ return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2); |
|
57 |
+ } |
|
58 |
++ |
|
59 |
++ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf) |
|
60 |
++{ |
|
61 |
++ return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS); |
|
62 |
++} |
|
63 |
+ #endif |
|
64 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
65 |
+index 357c589..4f1050a 100644 |
|
66 |
+--- a/arch/x86/kernel/cpu/common.c |
|
67 |
+@@ -879,10 +879,33 @@ static const __initconst struct x86_cpu_id cpu_no_meltdown[] = { |
|
68 |
+ {} |
|
69 |
+ }; |
|
70 |
+ |
|
71 |
++static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = { |
|
72 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PINEVIEW }, |
|
73 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_LINCROFT }, |
|
74 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_PENWELL }, |
|
75 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CLOVERVIEW }, |
|
76 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_CEDARVIEW }, |
|
77 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT1 }, |
|
78 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_AIRMONT }, |
|
79 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_SILVERMONT2 }, |
|
80 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_ATOM_MERRIFIELD }, |
|
81 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_CORE_YONAH }, |
|
82 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNL }, |
|
83 |
++ { X86_VENDOR_INTEL, 6, INTEL_FAM6_XEON_PHI_KNM }, |
|
84 |
++ { X86_VENDOR_CENTAUR, 5, }, |
|
85 |
++ { X86_VENDOR_INTEL, 5, }, |
|
86 |
++ { X86_VENDOR_NSC, 5, }, |
|
87 |
++ { X86_VENDOR_ANY, 4, }, |
|
88 |
++ {} |
|
89 |
++}; |
|
90 |
++ |
|
91 |
+ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) |
|
92 |
+ { |
|
93 |
+ u64 ia32_cap = 0; |
|
94 |
+ |
|
95 |
++ if (!x86_match_cpu(cpu_no_spec_store_bypass)) |
|
96 |
++ setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); |
|
97 |
++ |
|
98 |
+ if (x86_match_cpu(cpu_no_speculation)) |
|
99 |
+ return; |
|
100 |
+ |
|
101 |
+diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c |
|
102 |
+index 56b6c85..cbb1cc6 100644 |
|
103 |
+--- a/drivers/base/cpu.c |
|
104 |
+@@ -519,14 +519,22 @@ ssize_t __weak cpu_show_spectre_v2(struct device *dev, |
|
105 |
+ return sprintf(buf, "Not affected\n"); |
|
106 |
+ } |
|
107 |
+ |
|
108 |
++ssize_t __weak cpu_show_spec_store_bypass(struct device *dev, |
|
109 |
++ struct device_attribute *attr, char *buf) |
|
110 |
++{ |
|
111 |
++ return sprintf(buf, "Not affected\n"); |
|
112 |
++} |
|
113 |
++ |
|
114 |
+ static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); |
|
115 |
+ static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); |
|
116 |
+ static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); |
|
117 |
++static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL); |
|
118 |
+ |
|
119 |
+ static struct attribute *cpu_root_vulnerabilities_attrs[] = { |
|
120 |
+ &dev_attr_meltdown.attr, |
|
121 |
+ &dev_attr_spectre_v1.attr, |
|
122 |
+ &dev_attr_spectre_v2.attr, |
|
123 |
++ &dev_attr_spec_store_bypass.attr, |
|
124 |
+ NULL |
|
125 |
+ }; |
|
126 |
+ |
|
127 |
+diff --git a/include/linux/cpu.h b/include/linux/cpu.h |
|
128 |
+index 2f475ad..917829b 100644 |
|
129 |
+--- a/include/linux/cpu.h |
|
130 |
+@@ -50,6 +50,8 @@ extern ssize_t cpu_show_spectre_v1(struct device *dev, |
|
131 |
+ struct device_attribute *attr, char *buf); |
|
132 |
+ extern ssize_t cpu_show_spectre_v2(struct device *dev, |
|
133 |
+ struct device_attribute *attr, char *buf); |
|
134 |
++extern ssize_t cpu_show_spec_store_bypass(struct device *dev, |
|
135 |
++ struct device_attribute *attr, char *buf); |
|
136 |
+ |
|
137 |
+ extern __printf(4, 5) |
|
138 |
+ struct device *cpu_device_create(struct device *parent, void *drvdata, |
|
139 |
+-- |
|
140 |
+2.7.4 |
|
141 |
+ |
0 | 142 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,36 @@ |
0 |
+From 4cd0acbafcc274cc32fe6aa371e2c444741f66d3 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Sat, 28 Apr 2018 22:34:17 +0200 |
|
3 |
+Subject: [PATCH 08/54] x86/cpufeatures: Add X86_FEATURE_RDS |
|
4 |
+ |
|
5 |
+commit 0cc5fa00b0a88dad140b4e5c2cead9951ad36822 upstream |
|
6 |
+ |
|
7 |
+Add the CPU feature bit CPUID.7.0.EDX[31] which indicates whether the CPU |
|
8 |
+supports Reduced Data Speculation. |
|
9 |
+ |
|
10 |
+[ tglx: Split it out from a later patch ] |
|
11 |
+ |
|
12 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
13 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
14 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
15 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
16 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
17 |
+--- |
|
18 |
+ arch/x86/include/asm/cpufeatures.h | 1 + |
|
19 |
+ 1 file changed, 1 insertion(+) |
|
20 |
+ |
|
21 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
22 |
+index a688adb..0c05c6c 100644 |
|
23 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
24 |
+@@ -306,6 +306,7 @@ |
|
25 |
+ #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */ |
|
26 |
+ #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */ |
|
27 |
+ #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */ |
|
28 |
++#define X86_FEATURE_RDS (18*32+31) /* Reduced Data Speculation */ |
|
29 |
+ |
|
30 |
+ /* |
|
31 |
+ * BUG word(s) |
|
32 |
+-- |
|
33 |
+2.7.4 |
|
34 |
+ |
0 | 35 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,272 @@ |
0 |
+From e247cb769c45f3b7faa0efa8d854be2d2b6e52bf Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 25 Apr 2018 22:04:21 -0400 |
|
3 |
+Subject: [PATCH 09/54] x86/bugs: Provide boot parameters for the |
|
4 |
+ spec_store_bypass_disable mitigation |
|
5 |
+ |
|
6 |
+commit 24f7fc83b9204d20f878c57cb77d261ae825e033 upstream |
|
7 |
+ |
|
8 |
+Contemporary high performance processors use a common industry-wide |
|
9 |
+optimization known as "Speculative Store Bypass" in which loads from |
|
10 |
+addresses to which a recent store has occurred may (speculatively) see an |
|
11 |
+older value. Intel refers to this feature as "Memory Disambiguation" which |
|
12 |
+is part of their "Smart Memory Access" capability. |
|
13 |
+ |
|
14 |
+Memory Disambiguation can expose a cache side-channel attack against such |
|
15 |
+speculatively read values. An attacker can create exploit code that allows |
|
16 |
+them to read memory outside of a sandbox environment (for example, |
|
17 |
+malicious JavaScript in a web page), or to perform more complex attacks |
|
18 |
+against code running within the same privilege level, e.g. via the stack. |
|
19 |
+ |
|
20 |
+As a first step to mitigate against such attacks, provide two boot command |
|
21 |
+line control knobs: |
|
22 |
+ |
|
23 |
+ nospec_store_bypass_disable |
|
24 |
+ spec_store_bypass_disable=[off,auto,on] |
|
25 |
+ |
|
26 |
+By default affected x86 processors will power on with Speculative |
|
27 |
+Store Bypass enabled. Hence the provided kernel parameters are written |
|
28 |
+from the point of view of whether to enable a mitigation or not. |
|
29 |
+The parameters are as follows: |
|
30 |
+ |
|
31 |
+ - auto - Kernel detects whether your CPU model contains an implementation |
|
32 |
+ of Speculative Store Bypass and picks the most appropriate |
|
33 |
+ mitigation. |
|
34 |
+ |
|
35 |
+ - on - disable Speculative Store Bypass |
|
36 |
+ - off - enable Speculative Store Bypass |
|
37 |
+ |
|
38 |
+[ tglx: Reordered the checks so that the whole evaluation is not done |
|
39 |
+ when the CPU does not support RDS ] |
|
40 |
+ |
|
41 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
42 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
43 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
44 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
45 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
46 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
47 |
+--- |
|
48 |
+ Documentation/kernel-parameters.txt | 33 +++++++++++ |
|
49 |
+ arch/x86/include/asm/cpufeatures.h | 1 + |
|
50 |
+ arch/x86/include/asm/nospec-branch.h | 6 ++ |
|
51 |
+ arch/x86/kernel/cpu/bugs.c | 103 +++++++++++++++++++++++++++++++++++ |
|
52 |
+ 4 files changed, 143 insertions(+) |
|
53 |
+ |
|
54 |
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt |
|
55 |
+index 5f9e514..792ac91 100644 |
|
56 |
+--- a/Documentation/kernel-parameters.txt |
|
57 |
+@@ -2699,6 +2699,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
|
58 |
+ allow data leaks with this option, which is equivalent |
|
59 |
+ to spectre_v2=off. |
|
60 |
+ |
|
61 |
++ nospec_store_bypass_disable |
|
62 |
++ [HW] Disable all mitigations for the Speculative Store Bypass vulnerability |
|
63 |
++ |
|
64 |
+ noxsave [BUGS=X86] Disables x86 extended register state save |
|
65 |
+ and restore using xsave. The kernel will fallback to |
|
66 |
+ enabling legacy floating-point and sse state. |
|
67 |
+@@ -3973,6 +3976,36 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
|
68 |
+ Not specifying this option is equivalent to |
|
69 |
+ spectre_v2=auto. |
|
70 |
+ |
|
71 |
++ spec_store_bypass_disable= |
|
72 |
++ [HW] Control Speculative Store Bypass (SSB) Disable mitigation |
|
73 |
++ (Speculative Store Bypass vulnerability) |
|
74 |
++ |
|
75 |
++ Certain CPUs are vulnerable to an exploit against a |
|
76 |
++ a common industry wide performance optimization known |
|
77 |
++ as "Speculative Store Bypass" in which recent stores |
|
78 |
++ to the same memory location may not be observed by |
|
79 |
++ later loads during speculative execution. The idea |
|
80 |
++ is that such stores are unlikely and that they can |
|
81 |
++ be detected prior to instruction retirement at the |
|
82 |
++ end of a particular speculation execution window. |
|
83 |
++ |
|
84 |
++ In vulnerable processors, the speculatively forwarded |
|
85 |
++ store can be used in a cache side channel attack, for |
|
86 |
++ example to read memory to which the attacker does not |
|
87 |
++ directly have access (e.g. inside sandboxed code). |
|
88 |
++ |
|
89 |
++ This parameter controls whether the Speculative Store |
|
90 |
++ Bypass optimization is used. |
|
91 |
++ |
|
92 |
++ on - Unconditionally disable Speculative Store Bypass |
|
93 |
++ off - Unconditionally enable Speculative Store Bypass |
|
94 |
++ auto - Kernel detects whether the CPU model contains an |
|
95 |
++ implementation of Speculative Store Bypass and |
|
96 |
++ picks the most appropriate mitigation |
|
97 |
++ |
|
98 |
++ Not specifying this option is equivalent to |
|
99 |
++ spec_store_bypass_disable=auto. |
|
100 |
++ |
|
101 |
+ spia_io_base= [HW,MTD] |
|
102 |
+ spia_fio_base= |
|
103 |
+ spia_pedr= |
|
104 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
105 |
+index 0c05c6c..013f3de 100644 |
|
106 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
107 |
+@@ -204,6 +204,7 @@ |
|
108 |
+ |
|
109 |
+ #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ |
|
110 |
+ #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ |
|
111 |
++#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */ |
|
112 |
+ |
|
113 |
+ /* Virtualization flags: Linux defined, word 8 */ |
|
114 |
+ #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ |
|
115 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
116 |
+index d1c26309..7b9eacf 100644 |
|
117 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
118 |
+@@ -238,6 +238,12 @@ extern u64 x86_spec_ctrl_get_default(void); |
|
119 |
+ extern void x86_spec_ctrl_set_guest(u64); |
|
120 |
+ extern void x86_spec_ctrl_restore_host(u64); |
|
121 |
+ |
|
122 |
++/* The Speculative Store Bypass disable variants */ |
|
123 |
++enum ssb_mitigation { |
|
124 |
++ SPEC_STORE_BYPASS_NONE, |
|
125 |
++ SPEC_STORE_BYPASS_DISABLE, |
|
126 |
++}; |
|
127 |
++ |
|
128 |
+ extern char __indirect_thunk_start[]; |
|
129 |
+ extern char __indirect_thunk_end[]; |
|
130 |
+ |
|
131 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
132 |
+index 64e17a9..75146d9 100644 |
|
133 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
134 |
+@@ -26,6 +26,7 @@ |
|
135 |
+ #include <asm/intel-family.h> |
|
136 |
+ |
|
137 |
+ static void __init spectre_v2_select_mitigation(void); |
|
138 |
++static void __init ssb_select_mitigation(void); |
|
139 |
+ |
|
140 |
+ /* |
|
141 |
+ * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any |
|
142 |
+@@ -52,6 +53,12 @@ void __init check_bugs(void) |
|
143 |
+ /* Select the proper spectre mitigation before patching alternatives */ |
|
144 |
+ spectre_v2_select_mitigation(); |
|
145 |
+ |
|
146 |
++ /* |
|
147 |
++ * Select proper mitigation for any exposure to the Speculative Store |
|
148 |
++ * Bypass vulnerability. |
|
149 |
++ */ |
|
150 |
++ ssb_select_mitigation(); |
|
151 |
++ |
|
152 |
+ #ifdef CONFIG_X86_32 |
|
153 |
+ /* |
|
154 |
+ * Check whether we are able to run this kernel safely on SMP. |
|
155 |
+@@ -357,6 +364,99 @@ static void __init spectre_v2_select_mitigation(void) |
|
156 |
+ } |
|
157 |
+ |
|
158 |
+ #undef pr_fmt |
|
159 |
++#define pr_fmt(fmt) "Speculative Store Bypass: " fmt |
|
160 |
++ |
|
161 |
++static enum ssb_mitigation ssb_mode = SPEC_STORE_BYPASS_NONE; |
|
162 |
++ |
|
163 |
++/* The kernel command line selection */ |
|
164 |
++enum ssb_mitigation_cmd { |
|
165 |
++ SPEC_STORE_BYPASS_CMD_NONE, |
|
166 |
++ SPEC_STORE_BYPASS_CMD_AUTO, |
|
167 |
++ SPEC_STORE_BYPASS_CMD_ON, |
|
168 |
++}; |
|
169 |
++ |
|
170 |
++static const char *ssb_strings[] = { |
|
171 |
++ [SPEC_STORE_BYPASS_NONE] = "Vulnerable", |
|
172 |
++ [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled" |
|
173 |
++}; |
|
174 |
++ |
|
175 |
++static const struct { |
|
176 |
++ const char *option; |
|
177 |
++ enum ssb_mitigation_cmd cmd; |
|
178 |
++} ssb_mitigation_options[] = { |
|
179 |
++ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ |
|
180 |
++ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ |
|
181 |
++ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ |
|
182 |
++}; |
|
183 |
++ |
|
184 |
++static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) |
|
185 |
++{ |
|
186 |
++ enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO; |
|
187 |
++ char arg[20]; |
|
188 |
++ int ret, i; |
|
189 |
++ |
|
190 |
++ if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) { |
|
191 |
++ return SPEC_STORE_BYPASS_CMD_NONE; |
|
192 |
++ } else { |
|
193 |
++ ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable", |
|
194 |
++ arg, sizeof(arg)); |
|
195 |
++ if (ret < 0) |
|
196 |
++ return SPEC_STORE_BYPASS_CMD_AUTO; |
|
197 |
++ |
|
198 |
++ for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) { |
|
199 |
++ if (!match_option(arg, ret, ssb_mitigation_options[i].option)) |
|
200 |
++ continue; |
|
201 |
++ |
|
202 |
++ cmd = ssb_mitigation_options[i].cmd; |
|
203 |
++ break; |
|
204 |
++ } |
|
205 |
++ |
|
206 |
++ if (i >= ARRAY_SIZE(ssb_mitigation_options)) { |
|
207 |
++ pr_err("unknown option (%s). Switching to AUTO select\n", arg); |
|
208 |
++ return SPEC_STORE_BYPASS_CMD_AUTO; |
|
209 |
++ } |
|
210 |
++ } |
|
211 |
++ |
|
212 |
++ return cmd; |
|
213 |
++} |
|
214 |
++ |
|
215 |
++static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
216 |
++{ |
|
217 |
++ enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE; |
|
218 |
++ enum ssb_mitigation_cmd cmd; |
|
219 |
++ |
|
220 |
++ if (!boot_cpu_has(X86_FEATURE_RDS)) |
|
221 |
++ return mode; |
|
222 |
++ |
|
223 |
++ cmd = ssb_parse_cmdline(); |
|
224 |
++ if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) && |
|
225 |
++ (cmd == SPEC_STORE_BYPASS_CMD_NONE || |
|
226 |
++ cmd == SPEC_STORE_BYPASS_CMD_AUTO)) |
|
227 |
++ return mode; |
|
228 |
++ |
|
229 |
++ switch (cmd) { |
|
230 |
++ case SPEC_STORE_BYPASS_CMD_AUTO: |
|
231 |
++ case SPEC_STORE_BYPASS_CMD_ON: |
|
232 |
++ mode = SPEC_STORE_BYPASS_DISABLE; |
|
233 |
++ break; |
|
234 |
++ case SPEC_STORE_BYPASS_CMD_NONE: |
|
235 |
++ break; |
|
236 |
++ } |
|
237 |
++ |
|
238 |
++ if (mode != SPEC_STORE_BYPASS_NONE) |
|
239 |
++ setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); |
|
240 |
++ return mode; |
|
241 |
++} |
|
242 |
++ |
|
243 |
++static void ssb_select_mitigation() |
|
244 |
++{ |
|
245 |
++ ssb_mode = __ssb_select_mitigation(); |
|
246 |
++ |
|
247 |
++ if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) |
|
248 |
++ pr_info("%s\n", ssb_strings[ssb_mode]); |
|
249 |
++} |
|
250 |
++ |
|
251 |
++#undef pr_fmt |
|
252 |
+ |
|
253 |
+ #ifdef CONFIG_SYSFS |
|
254 |
+ |
|
255 |
+@@ -382,6 +482,9 @@ ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, |
|
256 |
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", |
|
257 |
+ spectre_v2_module_string()); |
|
258 |
+ |
|
259 |
++ case X86_BUG_SPEC_STORE_BYPASS: |
|
260 |
++ return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); |
|
261 |
++ |
|
262 |
+ default: |
|
263 |
+ break; |
|
264 |
+ } |
|
265 |
+-- |
|
266 |
+2.7.4 |
|
267 |
+ |
0 | 268 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,183 @@ |
0 |
+From 7b6ef10e387fe35068656595506ff0e80e5dc8cf Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 25 Apr 2018 22:04:22 -0400 |
|
3 |
+Subject: [PATCH 10/54] x86/bugs/intel: Set proper CPU features and setup RDS |
|
4 |
+ |
|
5 |
+commit 772439717dbf703b39990be58d8d4e3e4ad0598a upstream |
|
6 |
+ |
|
7 |
+Intel CPUs expose methods to: |
|
8 |
+ |
|
9 |
+ - Detect whether RDS capability is available via CPUID.7.0.EDX[31], |
|
10 |
+ |
|
11 |
+ - The SPEC_CTRL MSR(0x48), bit 2 set to enable RDS. |
|
12 |
+ |
|
13 |
+ - MSR_IA32_ARCH_CAPABILITIES, Bit(4) no need to enable RRS. |
|
14 |
+ |
|
15 |
+With that in mind if spec_store_bypass_disable=[auto,on] is selected set at |
|
16 |
+boot-time the SPEC_CTRL MSR to enable RDS if the platform requires it. |
|
17 |
+ |
|
18 |
+Note that this does not fix the KVM case where the SPEC_CTRL is exposed to |
|
19 |
+guests which can muck with it, see patch titled : |
|
20 |
+ KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS. |
|
21 |
+ |
|
22 |
+And for the firmware (IBRS to be set), see patch titled: |
|
23 |
+ x86/spectre_v2: Read SPEC_CTRL MSR during boot and re-use reserved bits |
|
24 |
+ |
|
25 |
+[ tglx: Distangled it from the intel implementation and kept the call order ] |
|
26 |
+ |
|
27 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
28 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
29 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
30 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
31 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
32 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
33 |
+--- |
|
34 |
+ arch/x86/include/asm/msr-index.h | 6 ++++++ |
|
35 |
+ arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++++++++++-- |
|
36 |
+ arch/x86/kernel/cpu/common.c | 10 ++++++---- |
|
37 |
+ arch/x86/kernel/cpu/cpu.h | 3 +++ |
|
38 |
+ arch/x86/kernel/cpu/intel.c | 1 + |
|
39 |
+ 5 files changed, 44 insertions(+), 6 deletions(-) |
|
40 |
+ |
|
41 |
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h |
|
42 |
+index c768bc1..87103e8 100644 |
|
43 |
+--- a/arch/x86/include/asm/msr-index.h |
|
44 |
+@@ -40,6 +40,7 @@ |
|
45 |
+ #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */ |
|
46 |
+ #define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */ |
|
47 |
+ #define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */ |
|
48 |
++#define SPEC_CTRL_RDS (1 << 2) /* Reduced Data Speculation */ |
|
49 |
+ |
|
50 |
+ #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ |
|
51 |
+ #define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */ |
|
52 |
+@@ -61,6 +62,11 @@ |
|
53 |
+ #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a |
|
54 |
+ #define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */ |
|
55 |
+ #define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */ |
|
56 |
++#define ARCH_CAP_RDS_NO (1 << 4) /* |
|
57 |
++ * Not susceptible to Speculative Store Bypass |
|
58 |
++ * attack, so no Reduced Data Speculation control |
|
59 |
++ * required. |
|
60 |
++ */ |
|
61 |
+ |
|
62 |
+ #define MSR_IA32_BBL_CR_CTL 0x00000119 |
|
63 |
+ #define MSR_IA32_BBL_CR_CTL3 0x0000011e |
|
64 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
65 |
+index 75146d9..7dd16f4 100644 |
|
66 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
67 |
+@@ -116,7 +116,7 @@ static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; |
|
68 |
+ |
|
69 |
+ void x86_spec_ctrl_set(u64 val) |
|
70 |
+ { |
|
71 |
+- if (val & ~SPEC_CTRL_IBRS) |
|
72 |
++ if (val & ~(SPEC_CTRL_IBRS | SPEC_CTRL_RDS)) |
|
73 |
+ WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val); |
|
74 |
+ else |
|
75 |
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val); |
|
76 |
+@@ -443,8 +443,28 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
77 |
+ break; |
|
78 |
+ } |
|
79 |
+ |
|
80 |
+- if (mode != SPEC_STORE_BYPASS_NONE) |
|
81 |
++ /* |
|
82 |
++ * We have three CPU feature flags that are in play here: |
|
83 |
++ * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. |
|
84 |
++ * - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass |
|
85 |
++ * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation |
|
86 |
++ */ |
|
87 |
++ if (mode != SPEC_STORE_BYPASS_NONE) { |
|
88 |
+ setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); |
|
89 |
++ /* |
|
90 |
++ * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses |
|
91 |
++ * a completely different MSR and bit dependent on family. |
|
92 |
++ */ |
|
93 |
++ switch (boot_cpu_data.x86_vendor) { |
|
94 |
++ case X86_VENDOR_INTEL: |
|
95 |
++ x86_spec_ctrl_base |= SPEC_CTRL_RDS; |
|
96 |
++ x86_spec_ctrl_set(SPEC_CTRL_RDS); |
|
97 |
++ break; |
|
98 |
++ case X86_VENDOR_AMD: |
|
99 |
++ break; |
|
100 |
++ } |
|
101 |
++ } |
|
102 |
++ |
|
103 |
+ return mode; |
|
104 |
+ } |
|
105 |
+ |
|
106 |
+@@ -458,6 +478,12 @@ static void ssb_select_mitigation() |
|
107 |
+ |
|
108 |
+ #undef pr_fmt |
|
109 |
+ |
|
110 |
++void x86_spec_ctrl_setup_ap(void) |
|
111 |
++{ |
|
112 |
++ if (boot_cpu_has(X86_FEATURE_IBRS)) |
|
113 |
++ x86_spec_ctrl_set(x86_spec_ctrl_base & (SPEC_CTRL_IBRS | SPEC_CTRL_RDS)); |
|
114 |
++} |
|
115 |
++ |
|
116 |
+ #ifdef CONFIG_SYSFS |
|
117 |
+ |
|
118 |
+ ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, |
|
119 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
120 |
+index 4f1050a..ab6b3ad 100644 |
|
121 |
+--- a/arch/x86/kernel/cpu/common.c |
|
122 |
+@@ -903,7 +903,11 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) |
|
123 |
+ { |
|
124 |
+ u64 ia32_cap = 0; |
|
125 |
+ |
|
126 |
+- if (!x86_match_cpu(cpu_no_spec_store_bypass)) |
|
127 |
++ if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES)) |
|
128 |
++ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); |
|
129 |
++ |
|
130 |
++ if (!x86_match_cpu(cpu_no_spec_store_bypass) && |
|
131 |
++ !(ia32_cap & ARCH_CAP_RDS_NO)) |
|
132 |
+ setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); |
|
133 |
+ |
|
134 |
+ if (x86_match_cpu(cpu_no_speculation)) |
|
135 |
+@@ -915,9 +919,6 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) |
|
136 |
+ if (x86_match_cpu(cpu_no_meltdown)) |
|
137 |
+ return; |
|
138 |
+ |
|
139 |
+- if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES)) |
|
140 |
+- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); |
|
141 |
+- |
|
142 |
+ /* Rogue Data Cache Load? No! */ |
|
143 |
+ if (ia32_cap & ARCH_CAP_RDCL_NO) |
|
144 |
+ return; |
|
145 |
+@@ -1339,6 +1340,7 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c) |
|
146 |
+ #endif |
|
147 |
+ mtrr_ap_init(); |
|
148 |
+ validate_apic_and_package_id(c); |
|
149 |
++ x86_spec_ctrl_setup_ap(); |
|
150 |
+ } |
|
151 |
+ |
|
152 |
+ struct msr_range { |
|
153 |
+diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h |
|
154 |
+index 2584265..3b19d82 100644 |
|
155 |
+--- a/arch/x86/kernel/cpu/cpu.h |
|
156 |
+@@ -46,4 +46,7 @@ extern const struct cpu_dev *const __x86_cpu_dev_start[], |
|
157 |
+ |
|
158 |
+ extern void get_cpu_cap(struct cpuinfo_x86 *c); |
|
159 |
+ extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c); |
|
160 |
++ |
|
161 |
++extern void x86_spec_ctrl_setup_ap(void); |
|
162 |
++ |
|
163 |
+ #endif /* ARCH_X86_CPU_H */ |
|
164 |
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c |
|
165 |
+index 8fb1d65..f15aea6 100644 |
|
166 |
+--- a/arch/x86/kernel/cpu/intel.c |
|
167 |
+@@ -154,6 +154,7 @@ static void early_init_intel(struct cpuinfo_x86 *c) |
|
168 |
+ setup_clear_cpu_cap(X86_FEATURE_STIBP); |
|
169 |
+ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); |
|
170 |
+ setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); |
|
171 |
++ setup_clear_cpu_cap(X86_FEATURE_RDS); |
|
172 |
+ } |
|
173 |
+ |
|
174 |
+ /* |
|
175 |
+-- |
|
176 |
+2.7.4 |
|
177 |
+ |
0 | 178 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,70 @@ |
0 |
+From 3cf8074c8d4211e42bb7a57bfbf97bb39160a1d2 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 25 Apr 2018 22:04:23 -0400 |
|
3 |
+Subject: [PATCH 11/54] x86/bugs: Whitelist allowed SPEC_CTRL MSR values |
|
4 |
+ |
|
5 |
+commit 1115a859f33276fe8afb31c60cf9d8e657872558 upstream |
|
6 |
+ |
|
7 |
+Intel and AMD SPEC_CTRL (0x48) MSR semantics may differ in the |
|
8 |
+future (or in fact use different MSRs for the same functionality). |
|
9 |
+ |
|
10 |
+As such a run-time mechanism is required to whitelist the appropriate MSR |
|
11 |
+values. |
|
12 |
+ |
|
13 |
+[ tglx: Made the variable __ro_after_init ] |
|
14 |
+ |
|
15 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
16 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
17 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
18 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
19 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
20 |
+--- |
|
21 |
+ arch/x86/kernel/cpu/bugs.c | 11 +++++++++-- |
|
22 |
+ 1 file changed, 9 insertions(+), 2 deletions(-) |
|
23 |
+ |
|
24 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
25 |
+index 7dd16f4..b92c469 100644 |
|
26 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
27 |
+@@ -34,6 +34,12 @@ static void __init ssb_select_mitigation(void); |
|
28 |
+ */ |
|
29 |
+ static u64 __ro_after_init x86_spec_ctrl_base; |
|
30 |
+ |
|
31 |
++/* |
|
32 |
++ * The vendor and possibly platform specific bits which can be modified in |
|
33 |
++ * x86_spec_ctrl_base. |
|
34 |
++ */ |
|
35 |
++static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS; |
|
36 |
++ |
|
37 |
+ void __init check_bugs(void) |
|
38 |
+ { |
|
39 |
+ identify_boot_cpu(); |
|
40 |
+@@ -116,7 +122,7 @@ static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; |
|
41 |
+ |
|
42 |
+ void x86_spec_ctrl_set(u64 val) |
|
43 |
+ { |
|
44 |
+- if (val & ~(SPEC_CTRL_IBRS | SPEC_CTRL_RDS)) |
|
45 |
++ if (val & x86_spec_ctrl_mask) |
|
46 |
+ WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val); |
|
47 |
+ else |
|
48 |
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val); |
|
49 |
+@@ -458,6 +464,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
50 |
+ switch (boot_cpu_data.x86_vendor) { |
|
51 |
+ case X86_VENDOR_INTEL: |
|
52 |
+ x86_spec_ctrl_base |= SPEC_CTRL_RDS; |
|
53 |
++ x86_spec_ctrl_mask &= ~SPEC_CTRL_RDS; |
|
54 |
+ x86_spec_ctrl_set(SPEC_CTRL_RDS); |
|
55 |
+ break; |
|
56 |
+ case X86_VENDOR_AMD: |
|
57 |
+@@ -481,7 +488,7 @@ static void ssb_select_mitigation() |
|
58 |
+ void x86_spec_ctrl_setup_ap(void) |
|
59 |
+ { |
|
60 |
+ if (boot_cpu_has(X86_FEATURE_IBRS)) |
|
61 |
+- x86_spec_ctrl_set(x86_spec_ctrl_base & (SPEC_CTRL_IBRS | SPEC_CTRL_RDS)); |
|
62 |
++ x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask); |
|
63 |
+ } |
|
64 |
+ |
|
65 |
+ #ifdef CONFIG_SYSFS |
|
66 |
+-- |
|
67 |
+2.7.4 |
|
68 |
+ |
0 | 69 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,200 @@ |
0 |
+From 0c6f26d225be4797e07f72a7d05437d0f750b758 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: David Woodhouse <dwmw@amazon.co.uk> |
|
2 |
+Date: Sun, 20 May 2018 20:52:05 +0100 |
|
3 |
+Subject: [PATCH 12/54] x86/bugs/AMD: Add support to disable RDS on |
|
4 |
+ Fam[15,16,17]h if requested |
|
5 |
+ |
|
6 |
+commit 764f3c21588a059cd783c6ba0734d4db2d72822d upstream |
|
7 |
+ |
|
8 |
+AMD does not need the Speculative Store Bypass mitigation to be enabled. |
|
9 |
+ |
|
10 |
+The parameters for this are already available and can be done via MSR |
|
11 |
+C001_1020. Each family uses a different bit in that MSR for this. |
|
12 |
+ |
|
13 |
+[ tglx: Expose the bit mask via a variable and move the actual MSR fiddling |
|
14 |
+ into the bugs code as that's the right thing to do and also required |
|
15 |
+ to prepare for dynamic enable/disable ] |
|
16 |
+ |
|
17 |
+Suggested-by: Borislav Petkov <bp@suse.de> |
|
18 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
19 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
20 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
21 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
22 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
23 |
+--- |
|
24 |
+ arch/x86/include/asm/cpufeatures.h | 1 + |
|
25 |
+ arch/x86/include/asm/nospec-branch.h | 4 ++++ |
|
26 |
+ arch/x86/kernel/cpu/amd.c | 26 ++++++++++++++++++++++++++ |
|
27 |
+ arch/x86/kernel/cpu/bugs.c | 27 ++++++++++++++++++++++++++- |
|
28 |
+ arch/x86/kernel/cpu/common.c | 4 ++++ |
|
29 |
+ 5 files changed, 61 insertions(+), 1 deletion(-) |
|
30 |
+ |
|
31 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
32 |
+index 013f3de..8797069 100644 |
|
33 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
34 |
+@@ -205,6 +205,7 @@ |
|
35 |
+ #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ |
|
36 |
+ #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ |
|
37 |
+ #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */ |
|
38 |
++#define X86_FEATURE_AMD_RDS (7*32+24) /* "" AMD RDS implementation */ |
|
39 |
+ |
|
40 |
+ /* Virtualization flags: Linux defined, word 8 */ |
|
41 |
+ #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ |
|
42 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
43 |
+index 7b9eacf..3a1541c 100644 |
|
44 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
45 |
+@@ -244,6 +244,10 @@ enum ssb_mitigation { |
|
46 |
+ SPEC_STORE_BYPASS_DISABLE, |
|
47 |
+ }; |
|
48 |
+ |
|
49 |
++/* AMD specific Speculative Store Bypass MSR data */ |
|
50 |
++extern u64 x86_amd_ls_cfg_base; |
|
51 |
++extern u64 x86_amd_ls_cfg_rds_mask; |
|
52 |
++ |
|
53 |
+ extern char __indirect_thunk_start[]; |
|
54 |
+ extern char __indirect_thunk_end[]; |
|
55 |
+ |
|
56 |
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
|
57 |
+index 747f8a2..7551d9ad 100644 |
|
58 |
+--- a/arch/x86/kernel/cpu/amd.c |
|
59 |
+@@ -9,6 +9,7 @@ |
|
60 |
+ #include <asm/processor.h> |
|
61 |
+ #include <asm/apic.h> |
|
62 |
+ #include <asm/cpu.h> |
|
63 |
++#include <asm/nospec-branch.h> |
|
64 |
+ #include <asm/smp.h> |
|
65 |
+ #include <asm/pci-direct.h> |
|
66 |
+ #include <asm/delay.h> |
|
67 |
+@@ -542,6 +543,26 @@ static void bsp_init_amd(struct cpuinfo_x86 *c) |
|
68 |
+ rdmsrl(MSR_FAM10H_NODE_ID, value); |
|
69 |
+ nodes_per_socket = ((value >> 3) & 7) + 1; |
|
70 |
+ } |
|
71 |
++ |
|
72 |
++ if (c->x86 >= 0x15 && c->x86 <= 0x17) { |
|
73 |
++ unsigned int bit; |
|
74 |
++ |
|
75 |
++ switch (c->x86) { |
|
76 |
++ case 0x15: bit = 54; break; |
|
77 |
++ case 0x16: bit = 33; break; |
|
78 |
++ case 0x17: bit = 10; break; |
|
79 |
++ default: return; |
|
80 |
++ } |
|
81 |
++ /* |
|
82 |
++ * Try to cache the base value so further operations can |
|
83 |
++ * avoid RMW. If that faults, do not enable RDS. |
|
84 |
++ */ |
|
85 |
++ if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) { |
|
86 |
++ setup_force_cpu_cap(X86_FEATURE_RDS); |
|
87 |
++ setup_force_cpu_cap(X86_FEATURE_AMD_RDS); |
|
88 |
++ x86_amd_ls_cfg_rds_mask = 1ULL << bit; |
|
89 |
++ } |
|
90 |
++ } |
|
91 |
+ } |
|
92 |
+ |
|
93 |
+ static void early_init_amd(struct cpuinfo_x86 *c) |
|
94 |
+@@ -827,6 +848,11 @@ static void init_amd(struct cpuinfo_x86 *c) |
|
95 |
+ /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */ |
|
96 |
+ if (!cpu_has(c, X86_FEATURE_XENPV)) |
|
97 |
+ set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); |
|
98 |
++ |
|
99 |
++ if (boot_cpu_has(X86_FEATURE_AMD_RDS)) { |
|
100 |
++ set_cpu_cap(c, X86_FEATURE_RDS); |
|
101 |
++ set_cpu_cap(c, X86_FEATURE_AMD_RDS); |
|
102 |
++ } |
|
103 |
+ } |
|
104 |
+ |
|
105 |
+ #ifdef CONFIG_X86_32 |
|
106 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
107 |
+index b92c469..b3696cc 100644 |
|
108 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
109 |
+@@ -40,6 +40,13 @@ static u64 __ro_after_init x86_spec_ctrl_base; |
|
110 |
+ */ |
|
111 |
+ static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS; |
|
112 |
+ |
|
113 |
++/* |
|
114 |
++ * AMD specific MSR info for Speculative Store Bypass control. |
|
115 |
++ * x86_amd_ls_cfg_rds_mask is initialized in identify_boot_cpu(). |
|
116 |
++ */ |
|
117 |
++u64 __ro_after_init x86_amd_ls_cfg_base; |
|
118 |
++u64 __ro_after_init x86_amd_ls_cfg_rds_mask; |
|
119 |
++ |
|
120 |
+ void __init check_bugs(void) |
|
121 |
+ { |
|
122 |
+ identify_boot_cpu(); |
|
123 |
+@@ -51,7 +58,8 @@ void __init check_bugs(void) |
|
124 |
+ |
|
125 |
+ /* |
|
126 |
+ * Read the SPEC_CTRL MSR to account for reserved bits which may |
|
127 |
+- * have unknown values. |
|
128 |
++ * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD |
|
129 |
++ * init code as it is not enumerated and depends on the family. |
|
130 |
+ */ |
|
131 |
+ if (boot_cpu_has(X86_FEATURE_IBRS)) |
|
132 |
+ rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
|
133 |
+@@ -153,6 +161,14 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) |
|
134 |
+ } |
|
135 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host); |
|
136 |
+ |
|
137 |
++static void x86_amd_rds_enable(void) |
|
138 |
++{ |
|
139 |
++ u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_rds_mask; |
|
140 |
++ |
|
141 |
++ if (boot_cpu_has(X86_FEATURE_AMD_RDS)) |
|
142 |
++ wrmsrl(MSR_AMD64_LS_CFG, msrval); |
|
143 |
++} |
|
144 |
++ |
|
145 |
+ #ifdef RETPOLINE |
|
146 |
+ static bool spectre_v2_bad_module; |
|
147 |
+ |
|
148 |
+@@ -442,6 +458,11 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
149 |
+ |
|
150 |
+ switch (cmd) { |
|
151 |
+ case SPEC_STORE_BYPASS_CMD_AUTO: |
|
152 |
++ /* |
|
153 |
++ * AMD platforms by default don't need SSB mitigation. |
|
154 |
++ */ |
|
155 |
++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) |
|
156 |
++ break; |
|
157 |
+ case SPEC_STORE_BYPASS_CMD_ON: |
|
158 |
+ mode = SPEC_STORE_BYPASS_DISABLE; |
|
159 |
+ break; |
|
160 |
+@@ -468,6 +489,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
161 |
+ x86_spec_ctrl_set(SPEC_CTRL_RDS); |
|
162 |
+ break; |
|
163 |
+ case X86_VENDOR_AMD: |
|
164 |
++ x86_amd_rds_enable(); |
|
165 |
+ break; |
|
166 |
+ } |
|
167 |
+ } |
|
168 |
+@@ -489,6 +511,9 @@ void x86_spec_ctrl_setup_ap(void) |
|
169 |
+ { |
|
170 |
+ if (boot_cpu_has(X86_FEATURE_IBRS)) |
|
171 |
+ x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask); |
|
172 |
++ |
|
173 |
++ if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) |
|
174 |
++ x86_amd_rds_enable(); |
|
175 |
+ } |
|
176 |
+ |
|
177 |
+ #ifdef CONFIG_SYSFS |
|
178 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
179 |
+index ab6b3ad..beb1da8 100644 |
|
180 |
+--- a/arch/x86/kernel/cpu/common.c |
|
181 |
+@@ -895,6 +895,10 @@ static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = { |
|
182 |
+ { X86_VENDOR_CENTAUR, 5, }, |
|
183 |
+ { X86_VENDOR_INTEL, 5, }, |
|
184 |
+ { X86_VENDOR_NSC, 5, }, |
|
185 |
++ { X86_VENDOR_AMD, 0x12, }, |
|
186 |
++ { X86_VENDOR_AMD, 0x11, }, |
|
187 |
++ { X86_VENDOR_AMD, 0x10, }, |
|
188 |
++ { X86_VENDOR_AMD, 0xf, }, |
|
189 |
+ { X86_VENDOR_ANY, 4, }, |
|
190 |
+ {} |
|
191 |
+ }; |
|
192 |
+-- |
|
193 |
+2.7.4 |
|
194 |
+ |
0 | 195 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,120 @@ |
0 |
+From d9234d3b1e19782a47e762987b7bda684c8d6b22 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 25 Apr 2018 22:04:25 -0400 |
|
3 |
+Subject: [PATCH 13/54] x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest |
|
4 |
+MIME-Version: 1.0 |
|
5 |
+Content-Type: text/plain; charset=UTF-8 |
|
6 |
+Content-Transfer-Encoding: 8bit |
|
7 |
+ |
|
8 |
+commit da39556f66f5cfe8f9c989206974f1cb16ca5d7c upstream |
|
9 |
+ |
|
10 |
+Expose the CPUID.7.EDX[31] bit to the guest, and also guard against various |
|
11 |
+combinations of SPEC_CTRL MSR values. |
|
12 |
+ |
|
13 |
+The handling of the MSR (to take into account the host value of SPEC_CTRL |
|
14 |
+Bit(2)) is taken care of in patch: |
|
15 |
+ |
|
16 |
+ KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS |
|
17 |
+ |
|
18 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
19 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
20 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
21 |
+ |
|
22 |
+[dwmw2: Handle 4.9 guest CPUID differences, rename |
|
23 |
+ guest_cpu_has_ibrs() → guest_cpu_has_spec_ctrl()] |
|
24 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
25 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
26 |
+--- |
|
27 |
+ arch/x86/kvm/cpuid.c | 2 +- |
|
28 |
+ arch/x86/kvm/cpuid.h | 4 ++-- |
|
29 |
+ arch/x86/kvm/svm.c | 4 ++-- |
|
30 |
+ arch/x86/kvm/vmx.c | 6 +++--- |
|
31 |
+ 4 files changed, 8 insertions(+), 8 deletions(-) |
|
32 |
+ |
|
33 |
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c |
|
34 |
+index 93f924d..a9409f0 100644 |
|
35 |
+--- a/arch/x86/kvm/cpuid.c |
|
36 |
+@@ -382,7 +382,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, |
|
37 |
+ |
|
38 |
+ /* cpuid 7.0.edx*/ |
|
39 |
+ const u32 kvm_cpuid_7_0_edx_x86_features = |
|
40 |
+- F(SPEC_CTRL) | F(ARCH_CAPABILITIES); |
|
41 |
++ F(SPEC_CTRL) | F(RDS) | F(ARCH_CAPABILITIES); |
|
42 |
+ |
|
43 |
+ /* all calls to cpuid_count() should be made on the same cpu */ |
|
44 |
+ get_cpu(); |
|
45 |
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h |
|
46 |
+index d1beb71..24187d0 100644 |
|
47 |
+--- a/arch/x86/kvm/cpuid.h |
|
48 |
+@@ -171,7 +171,7 @@ static inline bool guest_cpuid_has_ibpb(struct kvm_vcpu *vcpu) |
|
49 |
+ return best && (best->edx & bit(X86_FEATURE_SPEC_CTRL)); |
|
50 |
+ } |
|
51 |
+ |
|
52 |
+-static inline bool guest_cpuid_has_ibrs(struct kvm_vcpu *vcpu) |
|
53 |
++static inline bool guest_cpuid_has_spec_ctrl(struct kvm_vcpu *vcpu) |
|
54 |
+ { |
|
55 |
+ struct kvm_cpuid_entry2 *best; |
|
56 |
+ |
|
57 |
+@@ -179,7 +179,7 @@ static inline bool guest_cpuid_has_ibrs(struct kvm_vcpu *vcpu) |
|
58 |
+ if (best && (best->ebx & bit(X86_FEATURE_IBRS))) |
|
59 |
+ return true; |
|
60 |
+ best = kvm_find_cpuid_entry(vcpu, 7, 0); |
|
61 |
+- return best && (best->edx & bit(X86_FEATURE_SPEC_CTRL)); |
|
62 |
++ return best && (best->edx & (bit(X86_FEATURE_SPEC_CTRL) | bit(X86_FEATURE_RDS))); |
|
63 |
+ } |
|
64 |
+ |
|
65 |
+ static inline bool guest_cpuid_has_arch_capabilities(struct kvm_vcpu *vcpu) |
|
66 |
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c |
|
67 |
+index eeb8cd3..57b886b 100644 |
|
68 |
+--- a/arch/x86/kvm/svm.c |
|
69 |
+@@ -3545,7 +3545,7 @@ static int svm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) |
|
70 |
+ break; |
|
71 |
+ case MSR_IA32_SPEC_CTRL: |
|
72 |
+ if (!msr_info->host_initiated && |
|
73 |
+- !guest_cpuid_has_ibrs(vcpu)) |
|
74 |
++ !guest_cpuid_has_spec_ctrl(vcpu)) |
|
75 |
+ return 1; |
|
76 |
+ |
|
77 |
+ msr_info->data = svm->spec_ctrl; |
|
78 |
+@@ -3643,7 +3643,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) |
|
79 |
+ break; |
|
80 |
+ case MSR_IA32_SPEC_CTRL: |
|
81 |
+ if (!msr->host_initiated && |
|
82 |
+- !guest_cpuid_has_ibrs(vcpu)) |
|
83 |
++ !guest_cpuid_has_spec_ctrl(vcpu)) |
|
84 |
+ return 1; |
|
85 |
+ |
|
86 |
+ /* The STIBP bit doesn't fault even if it's not advertised */ |
|
87 |
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
|
88 |
+index 266db0b..67ed4e9 100644 |
|
89 |
+--- a/arch/x86/kvm/vmx.c |
|
90 |
+@@ -3020,7 +3020,7 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) |
|
91 |
+ break; |
|
92 |
+ case MSR_IA32_SPEC_CTRL: |
|
93 |
+ if (!msr_info->host_initiated && |
|
94 |
+- !guest_cpuid_has_ibrs(vcpu)) |
|
95 |
++ !guest_cpuid_has_spec_ctrl(vcpu)) |
|
96 |
+ return 1; |
|
97 |
+ |
|
98 |
+ msr_info->data = to_vmx(vcpu)->spec_ctrl; |
|
99 |
+@@ -3137,11 +3137,11 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) |
|
100 |
+ break; |
|
101 |
+ case MSR_IA32_SPEC_CTRL: |
|
102 |
+ if (!msr_info->host_initiated && |
|
103 |
+- !guest_cpuid_has_ibrs(vcpu)) |
|
104 |
++ !guest_cpuid_has_spec_ctrl(vcpu)) |
|
105 |
+ return 1; |
|
106 |
+ |
|
107 |
+ /* The STIBP bit doesn't fault even if it's not advertised */ |
|
108 |
+- if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP)) |
|
109 |
++ if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_RDS)) |
|
110 |
+ return 1; |
|
111 |
+ |
|
112 |
+ vmx->spec_ctrl = data; |
|
113 |
+-- |
|
114 |
+2.7.4 |
|
115 |
+ |
0 | 116 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,141 @@ |
0 |
+From 5e82739dc5290969a34d90066c15241425c4a748 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Sun, 29 Apr 2018 15:01:37 +0200 |
|
3 |
+Subject: [PATCH 14/54] x86/speculation: Create spec-ctrl.h to avoid include |
|
4 |
+ hell |
|
5 |
+ |
|
6 |
+commit 28a2775217b17208811fa43a9e96bd1fdf417b86 upstream |
|
7 |
+ |
|
8 |
+Having everything in nospec-branch.h creates a hell of dependencies when |
|
9 |
+adding the prctl based switching mechanism. Move everything which is not |
|
10 |
+required in nospec-branch.h to spec-ctrl.h and fix up the includes in the |
|
11 |
+relevant files. |
|
12 |
+ |
|
13 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
14 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
15 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
16 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
17 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
18 |
+--- |
|
19 |
+ arch/x86/include/asm/nospec-branch.h | 14 -------------- |
|
20 |
+ arch/x86/include/asm/spec-ctrl.h | 21 +++++++++++++++++++++ |
|
21 |
+ arch/x86/kernel/cpu/amd.c | 2 +- |
|
22 |
+ arch/x86/kernel/cpu/bugs.c | 2 +- |
|
23 |
+ arch/x86/kvm/svm.c | 2 +- |
|
24 |
+ arch/x86/kvm/vmx.c | 2 +- |
|
25 |
+ 6 files changed, 25 insertions(+), 18 deletions(-) |
|
26 |
+ create mode 100644 arch/x86/include/asm/spec-ctrl.h |
|
27 |
+ |
|
28 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
29 |
+index 3a1541c..1119f14 100644 |
|
30 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
31 |
+@@ -228,26 +228,12 @@ enum spectre_v2_mitigation { |
|
32 |
+ extern void x86_spec_ctrl_set(u64); |
|
33 |
+ extern u64 x86_spec_ctrl_get_default(void); |
|
34 |
+ |
|
35 |
+-/* |
|
36 |
+- * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR |
|
37 |
+- * the guest has, while on VMEXIT we restore the host view. This |
|
38 |
+- * would be easier if SPEC_CTRL were architecturally maskable or |
|
39 |
+- * shadowable for guests but this is not (currently) the case. |
|
40 |
+- * Takes the guest view of SPEC_CTRL MSR as a parameter. |
|
41 |
+- */ |
|
42 |
+-extern void x86_spec_ctrl_set_guest(u64); |
|
43 |
+-extern void x86_spec_ctrl_restore_host(u64); |
|
44 |
+- |
|
45 |
+ /* The Speculative Store Bypass disable variants */ |
|
46 |
+ enum ssb_mitigation { |
|
47 |
+ SPEC_STORE_BYPASS_NONE, |
|
48 |
+ SPEC_STORE_BYPASS_DISABLE, |
|
49 |
+ }; |
|
50 |
+ |
|
51 |
+-/* AMD specific Speculative Store Bypass MSR data */ |
|
52 |
+-extern u64 x86_amd_ls_cfg_base; |
|
53 |
+-extern u64 x86_amd_ls_cfg_rds_mask; |
|
54 |
+- |
|
55 |
+ extern char __indirect_thunk_start[]; |
|
56 |
+ extern char __indirect_thunk_end[]; |
|
57 |
+ |
|
58 |
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h |
|
59 |
+new file mode 100644 |
|
60 |
+index 0000000..3ad6442 |
|
61 |
+--- /dev/null |
|
62 |
+@@ -0,0 +1,21 @@ |
|
63 |
++/* SPDX-License-Identifier: GPL-2.0 */ |
|
64 |
++#ifndef _ASM_X86_SPECCTRL_H_ |
|
65 |
++#define _ASM_X86_SPECCTRL_H_ |
|
66 |
++ |
|
67 |
++#include <asm/nospec-branch.h> |
|
68 |
++ |
|
69 |
++/* |
|
70 |
++ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR |
|
71 |
++ * the guest has, while on VMEXIT we restore the host view. This |
|
72 |
++ * would be easier if SPEC_CTRL were architecturally maskable or |
|
73 |
++ * shadowable for guests but this is not (currently) the case. |
|
74 |
++ * Takes the guest view of SPEC_CTRL MSR as a parameter. |
|
75 |
++ */ |
|
76 |
++extern void x86_spec_ctrl_set_guest(u64); |
|
77 |
++extern void x86_spec_ctrl_restore_host(u64); |
|
78 |
++ |
|
79 |
++/* AMD specific Speculative Store Bypass MSR data */ |
|
80 |
++extern u64 x86_amd_ls_cfg_base; |
|
81 |
++extern u64 x86_amd_ls_cfg_rds_mask; |
|
82 |
++ |
|
83 |
++#endif |
|
84 |
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
|
85 |
+index 7551d9ad..a176c81 100644 |
|
86 |
+--- a/arch/x86/kernel/cpu/amd.c |
|
87 |
+@@ -9,7 +9,7 @@ |
|
88 |
+ #include <asm/processor.h> |
|
89 |
+ #include <asm/apic.h> |
|
90 |
+ #include <asm/cpu.h> |
|
91 |
+-#include <asm/nospec-branch.h> |
|
92 |
++#include <asm/spec-ctrl.h> |
|
93 |
+ #include <asm/smp.h> |
|
94 |
+ #include <asm/pci-direct.h> |
|
95 |
+ #include <asm/delay.h> |
|
96 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
97 |
+index b3696cc..46d01fd 100644 |
|
98 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
99 |
+@@ -12,7 +12,7 @@ |
|
100 |
+ #include <linux/cpu.h> |
|
101 |
+ #include <linux/module.h> |
|
102 |
+ |
|
103 |
+-#include <asm/nospec-branch.h> |
|
104 |
++#include <asm/spec-ctrl.h> |
|
105 |
+ #include <asm/cmdline.h> |
|
106 |
+ #include <asm/bugs.h> |
|
107 |
+ #include <asm/processor.h> |
|
108 |
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c |
|
109 |
+index 57b886b..516ddff 100644 |
|
110 |
+--- a/arch/x86/kvm/svm.c |
|
111 |
+@@ -45,7 +45,7 @@ |
|
112 |
+ #include <asm/kvm_para.h> |
|
113 |
+ #include <asm/irq_remapping.h> |
|
114 |
+ #include <asm/microcode.h> |
|
115 |
+-#include <asm/nospec-branch.h> |
|
116 |
++#include <asm/spec-ctrl.h> |
|
117 |
+ |
|
118 |
+ #include <asm/virtext.h> |
|
119 |
+ #include "trace.h" |
|
120 |
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
|
121 |
+index 67ed4e9..0eb3863 100644 |
|
122 |
+--- a/arch/x86/kvm/vmx.c |
|
123 |
+@@ -50,7 +50,7 @@ |
|
124 |
+ #include <asm/apic.h> |
|
125 |
+ #include <asm/irq_remapping.h> |
|
126 |
+ #include <asm/microcode.h> |
|
127 |
+-#include <asm/nospec-branch.h> |
|
128 |
++#include <asm/spec-ctrl.h> |
|
129 |
+ |
|
130 |
+ #include "trace.h" |
|
131 |
+ #include "pmu.h" |
|
132 |
+-- |
|
133 |
+2.7.4 |
|
134 |
+ |
0 | 135 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,239 @@ |
0 |
+From 259d613d145206198100baf407e1f41c0e1edf15 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Sun, 29 Apr 2018 15:20:11 +0200 |
|
3 |
+Subject: [PATCH 15/54] prctl: Add speculation control prctls |
|
4 |
+ |
|
5 |
+commit b617cfc858161140d69cc0b5cc211996b557a1c7 upstream |
|
6 |
+ |
|
7 |
+Add two new prctls to control aspects of speculation related vulnerabilites |
|
8 |
+and their mitigations to provide finer grained control over performance |
|
9 |
+impacting mitigations. |
|
10 |
+ |
|
11 |
+PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature |
|
12 |
+which is selected with arg2 of prctl(2). The return value uses bit 0-2 with |
|
13 |
+the following meaning: |
|
14 |
+ |
|
15 |
+Bit Define Description |
|
16 |
+0 PR_SPEC_PRCTL Mitigation can be controlled per task by |
|
17 |
+ PR_SET_SPECULATION_CTRL |
|
18 |
+1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is |
|
19 |
+ disabled |
|
20 |
+2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is |
|
21 |
+ enabled |
|
22 |
+ |
|
23 |
+If all bits are 0 the CPU is not affected by the speculation misfeature. |
|
24 |
+ |
|
25 |
+If PR_SPEC_PRCTL is set, then the per task control of the mitigation is |
|
26 |
+available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation |
|
27 |
+misfeature will fail. |
|
28 |
+ |
|
29 |
+PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which |
|
30 |
+is selected by arg2 of prctl(2) per task. arg3 is used to hand in the |
|
31 |
+control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE. |
|
32 |
+ |
|
33 |
+The common return values are: |
|
34 |
+ |
|
35 |
+EINVAL prctl is not implemented by the architecture or the unused prctl() |
|
36 |
+ arguments are not 0 |
|
37 |
+ENODEV arg2 is selecting a not supported speculation misfeature |
|
38 |
+ |
|
39 |
+PR_SET_SPECULATION_CTRL has these additional return values: |
|
40 |
+ |
|
41 |
+ERANGE arg3 is incorrect, i.e. it's not either PR_SPEC_ENABLE or PR_SPEC_DISABLE |
|
42 |
+ENXIO prctl control of the selected speculation misfeature is disabled |
|
43 |
+ |
|
44 |
+The first supported controlable speculation misfeature is |
|
45 |
+PR_SPEC_STORE_BYPASS. Add the define so this can be shared between |
|
46 |
+architectures. |
|
47 |
+ |
|
48 |
+Based on an initial patch from Tim Chen and mostly rewritten. |
|
49 |
+ |
|
50 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
51 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
52 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
53 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
54 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
55 |
+--- |
|
56 |
+ Documentation/spec_ctrl.txt | 86 +++++++++++++++++++++++++++++++++++++++++++++ |
|
57 |
+ include/linux/nospec.h | 5 +++ |
|
58 |
+ include/uapi/linux/prctl.h | 11 ++++++ |
|
59 |
+ kernel/sys.c | 22 ++++++++++++ |
|
60 |
+ 4 files changed, 124 insertions(+) |
|
61 |
+ create mode 100644 Documentation/spec_ctrl.txt |
|
62 |
+ |
|
63 |
+diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt |
|
64 |
+new file mode 100644 |
|
65 |
+index 0000000..ddbebcd |
|
66 |
+--- /dev/null |
|
67 |
+@@ -0,0 +1,86 @@ |
|
68 |
++=================== |
|
69 |
++Speculation Control |
|
70 |
++=================== |
|
71 |
++ |
|
72 |
++Quite some CPUs have speculation related misfeatures which are in fact |
|
73 |
++vulnerabilites causing data leaks in various forms even accross privilege |
|
74 |
++domains. |
|
75 |
++ |
|
76 |
++The kernel provides mitigation for such vulnerabilities in various |
|
77 |
++forms. Some of these mitigations are compile time configurable and some on |
|
78 |
++the kernel command line. |
|
79 |
++ |
|
80 |
++There is also a class of mitigations which are very expensive, but they can |
|
81 |
++be restricted to a certain set of processes or tasks in controlled |
|
82 |
++environments. The mechanism to control these mitigations is via |
|
83 |
++:manpage:`prctl(2)`. |
|
84 |
++ |
|
85 |
++There are two prctl options which are related to this: |
|
86 |
++ |
|
87 |
++ * PR_GET_SPECULATION_CTRL |
|
88 |
++ |
|
89 |
++ * PR_SET_SPECULATION_CTRL |
|
90 |
++ |
|
91 |
++PR_GET_SPECULATION_CTRL |
|
92 |
++----------------------- |
|
93 |
++ |
|
94 |
++PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature |
|
95 |
++which is selected with arg2 of prctl(2). The return value uses bits 0-2 with |
|
96 |
++the following meaning: |
|
97 |
++ |
|
98 |
++==== ================ =================================================== |
|
99 |
++Bit Define Description |
|
100 |
++==== ================ =================================================== |
|
101 |
++0 PR_SPEC_PRCTL Mitigation can be controlled per task by |
|
102 |
++ PR_SET_SPECULATION_CTRL |
|
103 |
++1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is |
|
104 |
++ disabled |
|
105 |
++2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is |
|
106 |
++ enabled |
|
107 |
++==== ================ =================================================== |
|
108 |
++ |
|
109 |
++If all bits are 0 the CPU is not affected by the speculation misfeature. |
|
110 |
++ |
|
111 |
++If PR_SPEC_PRCTL is set, then the per task control of the mitigation is |
|
112 |
++available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation |
|
113 |
++misfeature will fail. |
|
114 |
++ |
|
115 |
++PR_SET_SPECULATION_CTRL |
|
116 |
++----------------------- |
|
117 |
++PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which |
|
118 |
++is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand |
|
119 |
++in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE. |
|
120 |
++ |
|
121 |
++Common error codes |
|
122 |
++------------------ |
|
123 |
++======= ================================================================= |
|
124 |
++Value Meaning |
|
125 |
++======= ================================================================= |
|
126 |
++EINVAL The prctl is not implemented by the architecture or unused |
|
127 |
++ prctl(2) arguments are not 0 |
|
128 |
++ |
|
129 |
++ENODEV arg2 is selecting a not supported speculation misfeature |
|
130 |
++======= ================================================================= |
|
131 |
++ |
|
132 |
++PR_SET_SPECULATION_CTRL error codes |
|
133 |
++----------------------------------- |
|
134 |
++======= ================================================================= |
|
135 |
++Value Meaning |
|
136 |
++======= ================================================================= |
|
137 |
++0 Success |
|
138 |
++ |
|
139 |
++ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor |
|
140 |
++ PR_SPEC_DISABLE |
|
141 |
++ |
|
142 |
++ENXIO Control of the selected speculation misfeature is not possible. |
|
143 |
++ See PR_GET_SPECULATION_CTRL. |
|
144 |
++======= ================================================================= |
|
145 |
++ |
|
146 |
++Speculation misfeature controls |
|
147 |
++------------------------------- |
|
148 |
++- PR_SPEC_STORE_BYPASS: Speculative Store Bypass |
|
149 |
++ |
|
150 |
++ Invocations: |
|
151 |
++ * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0); |
|
152 |
++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0); |
|
153 |
++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); |
|
154 |
+diff --git a/include/linux/nospec.h b/include/linux/nospec.h |
|
155 |
+index e791ebc..700bb8a 100644 |
|
156 |
+--- a/include/linux/nospec.h |
|
157 |
+@@ -55,4 +55,9 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, |
|
158 |
+ \ |
|
159 |
+ (typeof(_i)) (_i & _mask); \ |
|
160 |
+ }) |
|
161 |
++ |
|
162 |
++/* Speculation control prctl */ |
|
163 |
++int arch_prctl_spec_ctrl_get(unsigned long which); |
|
164 |
++int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl); |
|
165 |
++ |
|
166 |
+ #endif /* _LINUX_NOSPEC_H */ |
|
167 |
+diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h |
|
168 |
+index a8d0759..3b316be 100644 |
|
169 |
+--- a/include/uapi/linux/prctl.h |
|
170 |
+@@ -197,4 +197,15 @@ struct prctl_mm_map { |
|
171 |
+ # define PR_CAP_AMBIENT_LOWER 3 |
|
172 |
+ # define PR_CAP_AMBIENT_CLEAR_ALL 4 |
|
173 |
+ |
|
174 |
++/* Per task speculation control */ |
|
175 |
++#define PR_GET_SPECULATION_CTRL 52 |
|
176 |
++#define PR_SET_SPECULATION_CTRL 53 |
|
177 |
++/* Speculation control variants */ |
|
178 |
++# define PR_SPEC_STORE_BYPASS 0 |
|
179 |
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ |
|
180 |
++# define PR_SPEC_NOT_AFFECTED 0 |
|
181 |
++# define PR_SPEC_PRCTL (1UL << 0) |
|
182 |
++# define PR_SPEC_ENABLE (1UL << 1) |
|
183 |
++# define PR_SPEC_DISABLE (1UL << 2) |
|
184 |
++ |
|
185 |
+ #endif /* _LINUX_PRCTL_H */ |
|
186 |
+diff --git a/kernel/sys.c b/kernel/sys.c |
|
187 |
+index 89d5be4..312c985 100644 |
|
188 |
+--- a/kernel/sys.c |
|
189 |
+@@ -53,6 +53,8 @@ |
|
190 |
+ #include <linux/uidgid.h> |
|
191 |
+ #include <linux/cred.h> |
|
192 |
+ |
|
193 |
++#include <linux/nospec.h> |
|
194 |
++ |
|
195 |
+ #include <linux/kmsg_dump.h> |
|
196 |
+ /* Move somewhere else to avoid recompiling? */ |
|
197 |
+ #include <generated/utsrelease.h> |
|
198 |
+@@ -2072,6 +2074,16 @@ static int prctl_get_tid_address(struct task_struct *me, int __user **tid_addr) |
|
199 |
+ } |
|
200 |
+ #endif |
|
201 |
+ |
|
202 |
++int __weak arch_prctl_spec_ctrl_get(unsigned long which) |
|
203 |
++{ |
|
204 |
++ return -EINVAL; |
|
205 |
++} |
|
206 |
++ |
|
207 |
++int __weak arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl) |
|
208 |
++{ |
|
209 |
++ return -EINVAL; |
|
210 |
++} |
|
211 |
++ |
|
212 |
+ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, |
|
213 |
+ unsigned long, arg4, unsigned long, arg5) |
|
214 |
+ { |
|
215 |
+@@ -2270,6 +2282,16 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, |
|
216 |
+ case PR_GET_FP_MODE: |
|
217 |
+ error = GET_FP_MODE(me); |
|
218 |
+ break; |
|
219 |
++ case PR_GET_SPECULATION_CTRL: |
|
220 |
++ if (arg3 || arg4 || arg5) |
|
221 |
++ return -EINVAL; |
|
222 |
++ error = arch_prctl_spec_ctrl_get(arg2); |
|
223 |
++ break; |
|
224 |
++ case PR_SET_SPECULATION_CTRL: |
|
225 |
++ if (arg4 || arg5) |
|
226 |
++ return -EINVAL; |
|
227 |
++ error = arch_prctl_spec_ctrl_set(arg2, arg3); |
|
228 |
++ break; |
|
229 |
+ default: |
|
230 |
+ error = -EINVAL; |
|
231 |
+ break; |
|
232 |
+-- |
|
233 |
+2.7.4 |
|
234 |
+ |
0 | 235 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,125 @@ |
0 |
+From 0a927d08b636a68b1eaa44edf4ebc1b12e7ca86f Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Kyle Huey <me@kylehuey.com> |
|
2 |
+Date: Tue, 14 Feb 2017 00:11:02 -0800 |
|
3 |
+Subject: [PATCH 16/54] x86/process: Optimize TIF checks in __switch_to_xtra() |
|
4 |
+ |
|
5 |
+commit af8b3cd3934ec60f4c2a420d19a9d416554f140b upstream |
|
6 |
+ |
|
7 |
+Help the compiler to avoid reevaluating the thread flags for each checked |
|
8 |
+bit by reordering the bit checks and providing an explicit xor for |
|
9 |
+evaluation. |
|
10 |
+ |
|
11 |
+With default defconfigs for each arch, |
|
12 |
+ |
|
13 |
+x86_64: arch/x86/kernel/process.o |
|
14 |
+text data bss dec hex |
|
15 |
+3056 8577 16 11649 2d81 Before |
|
16 |
+3024 8577 16 11617 2d61 After |
|
17 |
+ |
|
18 |
+i386: arch/x86/kernel/process.o |
|
19 |
+text data bss dec hex |
|
20 |
+2957 8673 8 11638 2d76 Before |
|
21 |
+2925 8673 8 11606 2d56 After |
|
22 |
+ |
|
23 |
+Originally-by: Thomas Gleixner <tglx@linutronix.de> |
|
24 |
+Signed-off-by: Kyle Huey <khuey@kylehuey.com> |
|
25 |
+Cc: Peter Zijlstra <peterz@infradead.org> |
|
26 |
+Cc: Andy Lutomirski <luto@kernel.org> |
|
27 |
+Link: http://lkml.kernel.org/r/20170214081104.9244-2-khuey@kylehuey.com |
|
28 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
29 |
+ |
|
30 |
+[dwmw2: backported to make TIF_RDS handling simpler. |
|
31 |
+ No deferred TR reload.] |
|
32 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
33 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
34 |
+--- |
|
35 |
+ arch/x86/kernel/process.c | 54 +++++++++++++++++++++++++++-------------------- |
|
36 |
+ 1 file changed, 31 insertions(+), 23 deletions(-) |
|
37 |
+ |
|
38 |
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
|
39 |
+index a55b320..0e1999e 100644 |
|
40 |
+--- a/arch/x86/kernel/process.c |
|
41 |
+@@ -192,48 +192,56 @@ int set_tsc_mode(unsigned int val) |
|
42 |
+ return 0; |
|
43 |
+ } |
|
44 |
+ |
|
45 |
++static inline void switch_to_bitmap(struct tss_struct *tss, |
|
46 |
++ struct thread_struct *prev, |
|
47 |
++ struct thread_struct *next, |
|
48 |
++ unsigned long tifp, unsigned long tifn) |
|
49 |
++{ |
|
50 |
++ if (tifn & _TIF_IO_BITMAP) { |
|
51 |
++ /* |
|
52 |
++ * Copy the relevant range of the IO bitmap. |
|
53 |
++ * Normally this is 128 bytes or less: |
|
54 |
++ */ |
|
55 |
++ memcpy(tss->io_bitmap, next->io_bitmap_ptr, |
|
56 |
++ max(prev->io_bitmap_max, next->io_bitmap_max)); |
|
57 |
++ } else if (tifp & _TIF_IO_BITMAP) { |
|
58 |
++ /* |
|
59 |
++ * Clear any possible leftover bits: |
|
60 |
++ */ |
|
61 |
++ memset(tss->io_bitmap, 0xff, prev->io_bitmap_max); |
|
62 |
++ } |
|
63 |
++} |
|
64 |
++ |
|
65 |
+ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, |
|
66 |
+ struct tss_struct *tss) |
|
67 |
+ { |
|
68 |
+ struct thread_struct *prev, *next; |
|
69 |
++ unsigned long tifp, tifn; |
|
70 |
+ |
|
71 |
+ prev = &prev_p->thread; |
|
72 |
+ next = &next_p->thread; |
|
73 |
+ |
|
74 |
+- if (test_tsk_thread_flag(prev_p, TIF_BLOCKSTEP) ^ |
|
75 |
+- test_tsk_thread_flag(next_p, TIF_BLOCKSTEP)) { |
|
76 |
++ tifn = READ_ONCE(task_thread_info(next_p)->flags); |
|
77 |
++ tifp = READ_ONCE(task_thread_info(prev_p)->flags); |
|
78 |
++ switch_to_bitmap(tss, prev, next, tifp, tifn); |
|
79 |
++ |
|
80 |
++ propagate_user_return_notify(prev_p, next_p); |
|
81 |
++ |
|
82 |
++ if ((tifp ^ tifn) & _TIF_BLOCKSTEP) { |
|
83 |
+ unsigned long debugctl = get_debugctlmsr(); |
|
84 |
+ |
|
85 |
+ debugctl &= ~DEBUGCTLMSR_BTF; |
|
86 |
+- if (test_tsk_thread_flag(next_p, TIF_BLOCKSTEP)) |
|
87 |
++ if (tifn & _TIF_BLOCKSTEP) |
|
88 |
+ debugctl |= DEBUGCTLMSR_BTF; |
|
89 |
+- |
|
90 |
+ update_debugctlmsr(debugctl); |
|
91 |
+ } |
|
92 |
+ |
|
93 |
+- if (test_tsk_thread_flag(prev_p, TIF_NOTSC) ^ |
|
94 |
+- test_tsk_thread_flag(next_p, TIF_NOTSC)) { |
|
95 |
+- /* prev and next are different */ |
|
96 |
+- if (test_tsk_thread_flag(next_p, TIF_NOTSC)) |
|
97 |
++ if ((tifp ^ tifn) & _TIF_NOTSC) { |
|
98 |
++ if (tifn & _TIF_NOTSC) |
|
99 |
+ hard_disable_TSC(); |
|
100 |
+ else |
|
101 |
+ hard_enable_TSC(); |
|
102 |
+ } |
|
103 |
+- |
|
104 |
+- if (test_tsk_thread_flag(next_p, TIF_IO_BITMAP)) { |
|
105 |
+- /* |
|
106 |
+- * Copy the relevant range of the IO bitmap. |
|
107 |
+- * Normally this is 128 bytes or less: |
|
108 |
+- */ |
|
109 |
+- memcpy(tss->io_bitmap, next->io_bitmap_ptr, |
|
110 |
+- max(prev->io_bitmap_max, next->io_bitmap_max)); |
|
111 |
+- } else if (test_tsk_thread_flag(prev_p, TIF_IO_BITMAP)) { |
|
112 |
+- /* |
|
113 |
+- * Clear any possible leftover bits: |
|
114 |
+- */ |
|
115 |
+- memset(tss->io_bitmap, 0xff, prev->io_bitmap_max); |
|
116 |
+- } |
|
117 |
+- propagate_user_return_notify(prev_p, next_p); |
|
118 |
+ } |
|
119 |
+ |
|
120 |
+ /* |
|
121 |
+-- |
|
122 |
+2.7.4 |
|
123 |
+ |
0 | 124 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,84 @@ |
0 |
+From bb8a828adfbc5120a1beec01403e672f36cac5bf Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Kyle Huey <me@kylehuey.com> |
|
2 |
+Date: Tue, 14 Feb 2017 00:11:03 -0800 |
|
3 |
+Subject: [PATCH 17/54] x86/process: Correct and optimize TIF_BLOCKSTEP switch |
|
4 |
+ |
|
5 |
+commit b9894a2f5bd18b1691cb6872c9afe32b148d0132 upstream |
|
6 |
+ |
|
7 |
+The debug control MSR is "highly magical" as the blockstep bit can be |
|
8 |
+cleared by hardware under not well documented circumstances. |
|
9 |
+ |
|
10 |
+So a task switch relying on the bit set by the previous task (according to |
|
11 |
+the previous tasks thread flags) can trip over this and not update the flag |
|
12 |
+for the next task. |
|
13 |
+ |
|
14 |
+To fix this its required to handle DEBUGCTLMSR_BTF when either the previous |
|
15 |
+or the next or both tasks have the TIF_BLOCKSTEP flag set. |
|
16 |
+ |
|
17 |
+While at it avoid branching within the TIF_BLOCKSTEP case and evaluating |
|
18 |
+boot_cpu_data twice in kernels without CONFIG_X86_DEBUGCTLMSR. |
|
19 |
+ |
|
20 |
+x86_64: arch/x86/kernel/process.o |
|
21 |
+text data bss dec hex |
|
22 |
+3024 8577 16 11617 2d61 Before |
|
23 |
+3008 8577 16 11601 2d51 After |
|
24 |
+ |
|
25 |
+i386: No change |
|
26 |
+ |
|
27 |
+[ tglx: Made the shift value explicit, use a local variable to make the |
|
28 |
+code readable and massaged changelog] |
|
29 |
+ |
|
30 |
+Originally-by: Thomas Gleixner <tglx@linutronix.de> |
|
31 |
+Signed-off-by: Kyle Huey <khuey@kylehuey.com> |
|
32 |
+Cc: Peter Zijlstra <peterz@infradead.org> |
|
33 |
+Cc: Andy Lutomirski <luto@kernel.org> |
|
34 |
+Link: http://lkml.kernel.org/r/20170214081104.9244-3-khuey@kylehuey.com |
|
35 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
36 |
+ |
|
37 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
38 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
39 |
+--- |
|
40 |
+ arch/x86/include/asm/msr-index.h | 1 + |
|
41 |
+ arch/x86/kernel/process.c | 12 +++++++----- |
|
42 |
+ 2 files changed, 8 insertions(+), 5 deletions(-) |
|
43 |
+ |
|
44 |
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h |
|
45 |
+index 87103e8..076e868 100644 |
|
46 |
+--- a/arch/x86/include/asm/msr-index.h |
|
47 |
+@@ -141,6 +141,7 @@ |
|
48 |
+ |
|
49 |
+ /* DEBUGCTLMSR bits (others vary by model): */ |
|
50 |
+ #define DEBUGCTLMSR_LBR (1UL << 0) /* last branch recording */ |
|
51 |
++#define DEBUGCTLMSR_BTF_SHIFT 1 |
|
52 |
+ #define DEBUGCTLMSR_BTF (1UL << 1) /* single-step on branches */ |
|
53 |
+ #define DEBUGCTLMSR_TR (1UL << 6) |
|
54 |
+ #define DEBUGCTLMSR_BTS (1UL << 7) |
|
55 |
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
|
56 |
+index 0e1999e..496eef6 100644 |
|
57 |
+--- a/arch/x86/kernel/process.c |
|
58 |
+@@ -227,13 +227,15 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, |
|
59 |
+ |
|
60 |
+ propagate_user_return_notify(prev_p, next_p); |
|
61 |
+ |
|
62 |
+- if ((tifp ^ tifn) & _TIF_BLOCKSTEP) { |
|
63 |
+- unsigned long debugctl = get_debugctlmsr(); |
|
64 |
++ if ((tifp & _TIF_BLOCKSTEP || tifn & _TIF_BLOCKSTEP) && |
|
65 |
++ arch_has_block_step()) { |
|
66 |
++ unsigned long debugctl, msk; |
|
67 |
+ |
|
68 |
++ rdmsrl(MSR_IA32_DEBUGCTLMSR, debugctl); |
|
69 |
+ debugctl &= ~DEBUGCTLMSR_BTF; |
|
70 |
+- if (tifn & _TIF_BLOCKSTEP) |
|
71 |
+- debugctl |= DEBUGCTLMSR_BTF; |
|
72 |
+- update_debugctlmsr(debugctl); |
|
73 |
++ msk = tifn & _TIF_BLOCKSTEP; |
|
74 |
++ debugctl |= (msk >> TIF_BLOCKSTEP) << DEBUGCTLMSR_BTF_SHIFT; |
|
75 |
++ wrmsrl(MSR_IA32_DEBUGCTLMSR, debugctl); |
|
76 |
+ } |
|
77 |
+ |
|
78 |
+ if ((tifp ^ tifn) & _TIF_NOTSC) { |
|
79 |
+-- |
|
80 |
+2.7.4 |
|
81 |
+ |
0 | 82 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,112 @@ |
0 |
+From ae00cf150c8b8d9e0ede34bc70499eab625f9e70 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Tue, 14 Feb 2017 00:11:04 -0800 |
|
3 |
+Subject: [PATCH 18/54] x86/process: Optimize TIF_NOTSC switch |
|
4 |
+ |
|
5 |
+commit 5a920155e388ec22a22e0532fb695b9215c9b34d upstream |
|
6 |
+ |
|
7 |
+Provide and use a toggle helper instead of doing it with a branch. |
|
8 |
+ |
|
9 |
+x86_64: arch/x86/kernel/process.o |
|
10 |
+text data bss dec hex |
|
11 |
+3008 8577 16 11601 2d51 Before |
|
12 |
+2976 8577 16 11569 2d31 After |
|
13 |
+ |
|
14 |
+i386: arch/x86/kernel/process.o |
|
15 |
+text data bss dec hex |
|
16 |
+2925 8673 8 11606 2d56 Before |
|
17 |
+2893 8673 8 11574 2d36 After |
|
18 |
+ |
|
19 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
20 |
+Cc: Peter Zijlstra <peterz@infradead.org> |
|
21 |
+Cc: Andy Lutomirski <luto@kernel.org> |
|
22 |
+Link: http://lkml.kernel.org/r/20170214081104.9244-4-khuey@kylehuey.com |
|
23 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
24 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
25 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
26 |
+--- |
|
27 |
+ arch/x86/include/asm/tlbflush.h | 10 ++++++++++ |
|
28 |
+ arch/x86/kernel/process.c | 22 ++++------------------ |
|
29 |
+ 2 files changed, 14 insertions(+), 18 deletions(-) |
|
30 |
+ |
|
31 |
+diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h |
|
32 |
+index 99185a0..686a58d 100644 |
|
33 |
+--- a/arch/x86/include/asm/tlbflush.h |
|
34 |
+@@ -111,6 +111,16 @@ static inline void cr4_clear_bits(unsigned long mask) |
|
35 |
+ } |
|
36 |
+ } |
|
37 |
+ |
|
38 |
++static inline void cr4_toggle_bits(unsigned long mask) |
|
39 |
++{ |
|
40 |
++ unsigned long cr4; |
|
41 |
++ |
|
42 |
++ cr4 = this_cpu_read(cpu_tlbstate.cr4); |
|
43 |
++ cr4 ^= mask; |
|
44 |
++ this_cpu_write(cpu_tlbstate.cr4, cr4); |
|
45 |
++ __write_cr4(cr4); |
|
46 |
++} |
|
47 |
++ |
|
48 |
+ /* Read the CR4 shadow. */ |
|
49 |
+ static inline unsigned long cr4_read_shadow(void) |
|
50 |
+ { |
|
51 |
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
|
52 |
+index 496eef6..b7e3822 100644 |
|
53 |
+--- a/arch/x86/kernel/process.c |
|
54 |
+@@ -134,11 +134,6 @@ void flush_thread(void) |
|
55 |
+ fpu__clear(&tsk->thread.fpu); |
|
56 |
+ } |
|
57 |
+ |
|
58 |
+-static void hard_disable_TSC(void) |
|
59 |
+-{ |
|
60 |
+- cr4_set_bits(X86_CR4_TSD); |
|
61 |
+-} |
|
62 |
+- |
|
63 |
+ void disable_TSC(void) |
|
64 |
+ { |
|
65 |
+ preempt_disable(); |
|
66 |
+@@ -147,15 +142,10 @@ void disable_TSC(void) |
|
67 |
+ * Must flip the CPU state synchronously with |
|
68 |
+ * TIF_NOTSC in the current running context. |
|
69 |
+ */ |
|
70 |
+- hard_disable_TSC(); |
|
71 |
++ cr4_set_bits(X86_CR4_TSD); |
|
72 |
+ preempt_enable(); |
|
73 |
+ } |
|
74 |
+ |
|
75 |
+-static void hard_enable_TSC(void) |
|
76 |
+-{ |
|
77 |
+- cr4_clear_bits(X86_CR4_TSD); |
|
78 |
+-} |
|
79 |
+- |
|
80 |
+ static void enable_TSC(void) |
|
81 |
+ { |
|
82 |
+ preempt_disable(); |
|
83 |
+@@ -164,7 +154,7 @@ static void enable_TSC(void) |
|
84 |
+ * Must flip the CPU state synchronously with |
|
85 |
+ * TIF_NOTSC in the current running context. |
|
86 |
+ */ |
|
87 |
+- hard_enable_TSC(); |
|
88 |
++ cr4_clear_bits(X86_CR4_TSD); |
|
89 |
+ preempt_enable(); |
|
90 |
+ } |
|
91 |
+ |
|
92 |
+@@ -238,12 +228,8 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, |
|
93 |
+ wrmsrl(MSR_IA32_DEBUGCTLMSR, debugctl); |
|
94 |
+ } |
|
95 |
+ |
|
96 |
+- if ((tifp ^ tifn) & _TIF_NOTSC) { |
|
97 |
+- if (tifn & _TIF_NOTSC) |
|
98 |
+- hard_disable_TSC(); |
|
99 |
+- else |
|
100 |
+- hard_enable_TSC(); |
|
101 |
+- } |
|
102 |
++ if ((tifp ^ tifn) & _TIF_NOTSC) |
|
103 |
++ cr4_toggle_bits(X86_CR4_TSD); |
|
104 |
+ } |
|
105 |
+ |
|
106 |
+ /* |
|
107 |
+-- |
|
108 |
+2.7.4 |
|
109 |
+ |
0 | 110 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,229 @@ |
0 |
+From c06c1b2d1725c1f6618d389cffe61cb538ca24b9 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Sun, 29 Apr 2018 15:21:42 +0200 |
|
3 |
+Subject: [PATCH 19/54] x86/process: Allow runtime control of Speculative Store |
|
4 |
+ Bypass |
|
5 |
+ |
|
6 |
+commit 885f82bfbc6fefb6664ea27965c3ab9ac4194b8c upstream |
|
7 |
+ |
|
8 |
+The Speculative Store Bypass vulnerability can be mitigated with the |
|
9 |
+Reduced Data Speculation (RDS) feature. To allow finer grained control of |
|
10 |
+this eventually expensive mitigation a per task mitigation control is |
|
11 |
+required. |
|
12 |
+ |
|
13 |
+Add a new TIF_RDS flag and put it into the group of TIF flags which are |
|
14 |
+evaluated for mismatch in switch_to(). If these bits differ in the previous |
|
15 |
+and the next task, then the slow path function __switch_to_xtra() is |
|
16 |
+invoked. Implement the TIF_RDS dependent mitigation control in the slow |
|
17 |
+path. |
|
18 |
+ |
|
19 |
+If the prctl for controlling Speculative Store Bypass is disabled or no |
|
20 |
+task uses the prctl then there is no overhead in the switch_to() fast |
|
21 |
+path. |
|
22 |
+ |
|
23 |
+Update the KVM related speculation control functions to take TID_RDS into |
|
24 |
+account as well. |
|
25 |
+ |
|
26 |
+Based on a patch from Tim Chen. Completely rewritten. |
|
27 |
+ |
|
28 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
29 |
+Reviewed-by: Ingo Molnar <mingo@kernel.org> |
|
30 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
31 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
32 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
33 |
+--- |
|
34 |
+ arch/x86/include/asm/msr-index.h | 3 ++- |
|
35 |
+ arch/x86/include/asm/spec-ctrl.h | 17 +++++++++++++++++ |
|
36 |
+ arch/x86/include/asm/thread_info.h | 6 ++++-- |
|
37 |
+ arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++++----- |
|
38 |
+ arch/x86/kernel/process.c | 22 ++++++++++++++++++++++ |
|
39 |
+ 5 files changed, 66 insertions(+), 8 deletions(-) |
|
40 |
+ |
|
41 |
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h |
|
42 |
+index 076e868..5dd28d0 100644 |
|
43 |
+--- a/arch/x86/include/asm/msr-index.h |
|
44 |
+@@ -40,7 +40,8 @@ |
|
45 |
+ #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */ |
|
46 |
+ #define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */ |
|
47 |
+ #define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */ |
|
48 |
+-#define SPEC_CTRL_RDS (1 << 2) /* Reduced Data Speculation */ |
|
49 |
++#define SPEC_CTRL_RDS_SHIFT 2 /* Reduced Data Speculation bit */ |
|
50 |
++#define SPEC_CTRL_RDS (1 << SPEC_CTRL_RDS_SHIFT) /* Reduced Data Speculation */ |
|
51 |
+ |
|
52 |
+ #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ |
|
53 |
+ #define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */ |
|
54 |
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h |
|
55 |
+index 3ad6442..45ef00a 100644 |
|
56 |
+--- a/arch/x86/include/asm/spec-ctrl.h |
|
57 |
+@@ -2,6 +2,7 @@ |
|
58 |
+ #ifndef _ASM_X86_SPECCTRL_H_ |
|
59 |
+ #define _ASM_X86_SPECCTRL_H_ |
|
60 |
+ |
|
61 |
++#include <linux/thread_info.h> |
|
62 |
+ #include <asm/nospec-branch.h> |
|
63 |
+ |
|
64 |
+ /* |
|
65 |
+@@ -18,4 +19,20 @@ extern void x86_spec_ctrl_restore_host(u64); |
|
66 |
+ extern u64 x86_amd_ls_cfg_base; |
|
67 |
+ extern u64 x86_amd_ls_cfg_rds_mask; |
|
68 |
+ |
|
69 |
++/* The Intel SPEC CTRL MSR base value cache */ |
|
70 |
++extern u64 x86_spec_ctrl_base; |
|
71 |
++ |
|
72 |
++static inline u64 rds_tif_to_spec_ctrl(u64 tifn) |
|
73 |
++{ |
|
74 |
++ BUILD_BUG_ON(TIF_RDS < SPEC_CTRL_RDS_SHIFT); |
|
75 |
++ return (tifn & _TIF_RDS) >> (TIF_RDS - SPEC_CTRL_RDS_SHIFT); |
|
76 |
++} |
|
77 |
++ |
|
78 |
++static inline u64 rds_tif_to_amd_ls_cfg(u64 tifn) |
|
79 |
++{ |
|
80 |
++ return (tifn & _TIF_RDS) ? x86_amd_ls_cfg_rds_mask : 0ULL; |
|
81 |
++} |
|
82 |
++ |
|
83 |
++extern void speculative_store_bypass_update(void); |
|
84 |
++ |
|
85 |
+ #endif |
|
86 |
+diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h |
|
87 |
+index 89978b9..661afac 100644 |
|
88 |
+--- a/arch/x86/include/asm/thread_info.h |
|
89 |
+@@ -83,6 +83,7 @@ struct thread_info { |
|
90 |
+ #define TIF_SIGPENDING 2 /* signal pending */ |
|
91 |
+ #define TIF_NEED_RESCHED 3 /* rescheduling necessary */ |
|
92 |
+ #define TIF_SINGLESTEP 4 /* reenable singlestep on user return*/ |
|
93 |
++#define TIF_RDS 5 /* Reduced data speculation */ |
|
94 |
+ #define TIF_SYSCALL_EMU 6 /* syscall emulation active */ |
|
95 |
+ #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */ |
|
96 |
+ #define TIF_SECCOMP 8 /* secure computing */ |
|
97 |
+@@ -104,8 +105,9 @@ struct thread_info { |
|
98 |
+ #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) |
|
99 |
+ #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) |
|
100 |
+ #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) |
|
101 |
+-#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) |
|
102 |
+ #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) |
|
103 |
++#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) |
|
104 |
++#define _TIF_RDS (1 << TIF_RDS) |
|
105 |
+ #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU) |
|
106 |
+ #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) |
|
107 |
+ #define _TIF_SECCOMP (1 << TIF_SECCOMP) |
|
108 |
+@@ -139,7 +141,7 @@ struct thread_info { |
|
109 |
+ |
|
110 |
+ /* flags to check in __switch_to() */ |
|
111 |
+ #define _TIF_WORK_CTXSW \ |
|
112 |
+- (_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP) |
|
113 |
++ (_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_RDS) |
|
114 |
+ |
|
115 |
+ #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY) |
|
116 |
+ #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW) |
|
117 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
118 |
+index 46d01fd..4f09576 100644 |
|
119 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
120 |
+@@ -32,7 +32,7 @@ static void __init ssb_select_mitigation(void); |
|
121 |
+ * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any |
|
122 |
+ * writes to SPEC_CTRL contain whatever reserved bits have been set. |
|
123 |
+ */ |
|
124 |
+-static u64 __ro_after_init x86_spec_ctrl_base; |
|
125 |
++u64 __ro_after_init x86_spec_ctrl_base; |
|
126 |
+ |
|
127 |
+ /* |
|
128 |
+ * The vendor and possibly platform specific bits which can be modified in |
|
129 |
+@@ -139,25 +139,41 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set); |
|
130 |
+ |
|
131 |
+ u64 x86_spec_ctrl_get_default(void) |
|
132 |
+ { |
|
133 |
+- return x86_spec_ctrl_base; |
|
134 |
++ u64 msrval = x86_spec_ctrl_base; |
|
135 |
++ |
|
136 |
++ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) |
|
137 |
++ msrval |= rds_tif_to_spec_ctrl(current_thread_info()->flags); |
|
138 |
++ return msrval; |
|
139 |
+ } |
|
140 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); |
|
141 |
+ |
|
142 |
+ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) |
|
143 |
+ { |
|
144 |
++ u64 host = x86_spec_ctrl_base; |
|
145 |
++ |
|
146 |
+ if (!boot_cpu_has(X86_FEATURE_IBRS)) |
|
147 |
+ return; |
|
148 |
+- if (x86_spec_ctrl_base != guest_spec_ctrl) |
|
149 |
++ |
|
150 |
++ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) |
|
151 |
++ host |= rds_tif_to_spec_ctrl(current_thread_info()->flags); |
|
152 |
++ |
|
153 |
++ if (host != guest_spec_ctrl) |
|
154 |
+ wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl); |
|
155 |
+ } |
|
156 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest); |
|
157 |
+ |
|
158 |
+ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) |
|
159 |
+ { |
|
160 |
++ u64 host = x86_spec_ctrl_base; |
|
161 |
++ |
|
162 |
+ if (!boot_cpu_has(X86_FEATURE_IBRS)) |
|
163 |
+ return; |
|
164 |
+- if (x86_spec_ctrl_base != guest_spec_ctrl) |
|
165 |
+- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
|
166 |
++ |
|
167 |
++ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) |
|
168 |
++ host |= rds_tif_to_spec_ctrl(current_thread_info()->flags); |
|
169 |
++ |
|
170 |
++ if (host != guest_spec_ctrl) |
|
171 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, host); |
|
172 |
+ } |
|
173 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host); |
|
174 |
+ |
|
175 |
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
|
176 |
+index b7e3822..9c48e18 100644 |
|
177 |
+--- a/arch/x86/kernel/process.c |
|
178 |
+@@ -33,6 +33,7 @@ |
|
179 |
+ #include <asm/mce.h> |
|
180 |
+ #include <asm/vm86.h> |
|
181 |
+ #include <asm/switch_to.h> |
|
182 |
++#include <asm/spec-ctrl.h> |
|
183 |
+ |
|
184 |
+ /* |
|
185 |
+ * per-CPU TSS segments. Threads are completely 'soft' on Linux, |
|
186 |
+@@ -202,6 +203,24 @@ static inline void switch_to_bitmap(struct tss_struct *tss, |
|
187 |
+ } |
|
188 |
+ } |
|
189 |
+ |
|
190 |
++static __always_inline void __speculative_store_bypass_update(unsigned long tifn) |
|
191 |
++{ |
|
192 |
++ u64 msr; |
|
193 |
++ |
|
194 |
++ if (static_cpu_has(X86_FEATURE_AMD_RDS)) { |
|
195 |
++ msr = x86_amd_ls_cfg_base | rds_tif_to_amd_ls_cfg(tifn); |
|
196 |
++ wrmsrl(MSR_AMD64_LS_CFG, msr); |
|
197 |
++ } else { |
|
198 |
++ msr = x86_spec_ctrl_base | rds_tif_to_spec_ctrl(tifn); |
|
199 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, msr); |
|
200 |
++ } |
|
201 |
++} |
|
202 |
++ |
|
203 |
++void speculative_store_bypass_update(void) |
|
204 |
++{ |
|
205 |
++ __speculative_store_bypass_update(current_thread_info()->flags); |
|
206 |
++} |
|
207 |
++ |
|
208 |
+ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, |
|
209 |
+ struct tss_struct *tss) |
|
210 |
+ { |
|
211 |
+@@ -230,6 +249,9 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, |
|
212 |
+ |
|
213 |
+ if ((tifp ^ tifn) & _TIF_NOTSC) |
|
214 |
+ cr4_toggle_bits(X86_CR4_TSD); |
|
215 |
++ |
|
216 |
++ if ((tifp ^ tifn) & _TIF_RDS) |
|
217 |
++ __speculative_store_bypass_update(tifn); |
|
218 |
+ } |
|
219 |
+ |
|
220 |
+ /* |
|
221 |
+-- |
|
222 |
+2.7.4 |
|
223 |
+ |
0 | 224 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,222 @@ |
0 |
+From 38c6d310c9ef423b9c7f4c6490d2086858a4a740 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Sun, 29 Apr 2018 15:26:40 +0200 |
|
3 |
+Subject: [PATCH 20/54] x86/speculation: Add prctl for Speculative Store Bypass |
|
4 |
+ mitigation |
|
5 |
+ |
|
6 |
+commit a73ec77ee17ec556fe7f165d00314cb7c047b1ac upstream |
|
7 |
+ |
|
8 |
+Add prctl based control for Speculative Store Bypass mitigation and make it |
|
9 |
+the default mitigation for Intel and AMD. |
|
10 |
+ |
|
11 |
+Andi Kleen provided the following rationale (slightly redacted): |
|
12 |
+ |
|
13 |
+ There are multiple levels of impact of Speculative Store Bypass: |
|
14 |
+ |
|
15 |
+ 1) JITed sandbox. |
|
16 |
+ It cannot invoke system calls, but can do PRIME+PROBE and may have call |
|
17 |
+ interfaces to other code |
|
18 |
+ |
|
19 |
+ 2) Native code process. |
|
20 |
+ No protection inside the process at this level. |
|
21 |
+ |
|
22 |
+ 3) Kernel. |
|
23 |
+ |
|
24 |
+ 4) Between processes. |
|
25 |
+ |
|
26 |
+ The prctl tries to protect against case (1) doing attacks. |
|
27 |
+ |
|
28 |
+ If the untrusted code can do random system calls then control is already |
|
29 |
+ lost in a much worse way. So there needs to be system call protection in |
|
30 |
+ some way (using a JIT not allowing them or seccomp). Or rather if the |
|
31 |
+ process can subvert its environment somehow to do the prctl it can already |
|
32 |
+ execute arbitrary code, which is much worse than SSB. |
|
33 |
+ |
|
34 |
+ To put it differently, the point of the prctl is to not allow JITed code |
|
35 |
+ to read data it shouldn't read from its JITed sandbox. If it already has |
|
36 |
+ escaped its sandbox then it can already read everything it wants in its |
|
37 |
+ address space, and do much worse. |
|
38 |
+ |
|
39 |
+ The ability to control Speculative Store Bypass allows to enable the |
|
40 |
+ protection selectively without affecting overall system performance. |
|
41 |
+ |
|
42 |
+Based on an initial patch from Tim Chen. Completely rewritten. |
|
43 |
+ |
|
44 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
45 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
46 |
+ |
|
47 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
48 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
49 |
+--- |
|
50 |
+ Documentation/kernel-parameters.txt | 6 ++- |
|
51 |
+ arch/x86/include/asm/nospec-branch.h | 1 + |
|
52 |
+ arch/x86/kernel/cpu/bugs.c | 83 +++++++++++++++++++++++++++++++----- |
|
53 |
+ 3 files changed, 79 insertions(+), 11 deletions(-) |
|
54 |
+ |
|
55 |
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt |
|
56 |
+index 792ac91..543923b 100644 |
|
57 |
+--- a/Documentation/kernel-parameters.txt |
|
58 |
+@@ -4001,7 +4001,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
|
59 |
+ off - Unconditionally enable Speculative Store Bypass |
|
60 |
+ auto - Kernel detects whether the CPU model contains an |
|
61 |
+ implementation of Speculative Store Bypass and |
|
62 |
+- picks the most appropriate mitigation |
|
63 |
++ picks the most appropriate mitigation. |
|
64 |
++ prctl - Control Speculative Store Bypass per thread |
|
65 |
++ via prctl. Speculative Store Bypass is enabled |
|
66 |
++ for a process by default. The state of the control |
|
67 |
++ is inherited on fork. |
|
68 |
+ |
|
69 |
+ Not specifying this option is equivalent to |
|
70 |
+ spec_store_bypass_disable=auto. |
|
71 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
72 |
+index 1119f14..71ad014 100644 |
|
73 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
74 |
+@@ -232,6 +232,7 @@ extern u64 x86_spec_ctrl_get_default(void); |
|
75 |
+ enum ssb_mitigation { |
|
76 |
+ SPEC_STORE_BYPASS_NONE, |
|
77 |
+ SPEC_STORE_BYPASS_DISABLE, |
|
78 |
++ SPEC_STORE_BYPASS_PRCTL, |
|
79 |
+ }; |
|
80 |
+ |
|
81 |
+ extern char __indirect_thunk_start[]; |
|
82 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
83 |
+index 4f09576..b7d9adf 100644 |
|
84 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
85 |
+@@ -11,6 +11,8 @@ |
|
86 |
+ #include <linux/utsname.h> |
|
87 |
+ #include <linux/cpu.h> |
|
88 |
+ #include <linux/module.h> |
|
89 |
++#include <linux/nospec.h> |
|
90 |
++#include <linux/prctl.h> |
|
91 |
+ |
|
92 |
+ #include <asm/spec-ctrl.h> |
|
93 |
+ #include <asm/cmdline.h> |
|
94 |
+@@ -411,20 +413,23 @@ enum ssb_mitigation_cmd { |
|
95 |
+ SPEC_STORE_BYPASS_CMD_NONE, |
|
96 |
+ SPEC_STORE_BYPASS_CMD_AUTO, |
|
97 |
+ SPEC_STORE_BYPASS_CMD_ON, |
|
98 |
++ SPEC_STORE_BYPASS_CMD_PRCTL, |
|
99 |
+ }; |
|
100 |
+ |
|
101 |
+ static const char *ssb_strings[] = { |
|
102 |
+ [SPEC_STORE_BYPASS_NONE] = "Vulnerable", |
|
103 |
+- [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled" |
|
104 |
++ [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled", |
|
105 |
++ [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl" |
|
106 |
+ }; |
|
107 |
+ |
|
108 |
+ static const struct { |
|
109 |
+ const char *option; |
|
110 |
+ enum ssb_mitigation_cmd cmd; |
|
111 |
+ } ssb_mitigation_options[] = { |
|
112 |
+- { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ |
|
113 |
+- { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ |
|
114 |
+- { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ |
|
115 |
++ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ |
|
116 |
++ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ |
|
117 |
++ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ |
|
118 |
++ { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */ |
|
119 |
+ }; |
|
120 |
+ |
|
121 |
+ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) |
|
122 |
+@@ -474,14 +479,15 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
123 |
+ |
|
124 |
+ switch (cmd) { |
|
125 |
+ case SPEC_STORE_BYPASS_CMD_AUTO: |
|
126 |
+- /* |
|
127 |
+- * AMD platforms by default don't need SSB mitigation. |
|
128 |
+- */ |
|
129 |
+- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) |
|
130 |
+- break; |
|
131 |
++ /* Choose prctl as the default mode */ |
|
132 |
++ mode = SPEC_STORE_BYPASS_PRCTL; |
|
133 |
++ break; |
|
134 |
+ case SPEC_STORE_BYPASS_CMD_ON: |
|
135 |
+ mode = SPEC_STORE_BYPASS_DISABLE; |
|
136 |
+ break; |
|
137 |
++ case SPEC_STORE_BYPASS_CMD_PRCTL: |
|
138 |
++ mode = SPEC_STORE_BYPASS_PRCTL; |
|
139 |
++ break; |
|
140 |
+ case SPEC_STORE_BYPASS_CMD_NONE: |
|
141 |
+ break; |
|
142 |
+ } |
|
143 |
+@@ -492,7 +498,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
144 |
+ * - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass |
|
145 |
+ * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation |
|
146 |
+ */ |
|
147 |
+- if (mode != SPEC_STORE_BYPASS_NONE) { |
|
148 |
++ if (mode == SPEC_STORE_BYPASS_DISABLE) { |
|
149 |
+ setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); |
|
150 |
+ /* |
|
151 |
+ * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses |
|
152 |
+@@ -523,6 +529,63 @@ static void ssb_select_mitigation() |
|
153 |
+ |
|
154 |
+ #undef pr_fmt |
|
155 |
+ |
|
156 |
++static int ssb_prctl_set(unsigned long ctrl) |
|
157 |
++{ |
|
158 |
++ bool rds = !!test_tsk_thread_flag(current, TIF_RDS); |
|
159 |
++ |
|
160 |
++ if (ssb_mode != SPEC_STORE_BYPASS_PRCTL) |
|
161 |
++ return -ENXIO; |
|
162 |
++ |
|
163 |
++ if (ctrl == PR_SPEC_ENABLE) |
|
164 |
++ clear_tsk_thread_flag(current, TIF_RDS); |
|
165 |
++ else |
|
166 |
++ set_tsk_thread_flag(current, TIF_RDS); |
|
167 |
++ |
|
168 |
++ if (rds != !!test_tsk_thread_flag(current, TIF_RDS)) |
|
169 |
++ speculative_store_bypass_update(); |
|
170 |
++ |
|
171 |
++ return 0; |
|
172 |
++} |
|
173 |
++ |
|
174 |
++static int ssb_prctl_get(void) |
|
175 |
++{ |
|
176 |
++ switch (ssb_mode) { |
|
177 |
++ case SPEC_STORE_BYPASS_DISABLE: |
|
178 |
++ return PR_SPEC_DISABLE; |
|
179 |
++ case SPEC_STORE_BYPASS_PRCTL: |
|
180 |
++ if (test_tsk_thread_flag(current, TIF_RDS)) |
|
181 |
++ return PR_SPEC_PRCTL | PR_SPEC_DISABLE; |
|
182 |
++ return PR_SPEC_PRCTL | PR_SPEC_ENABLE; |
|
183 |
++ default: |
|
184 |
++ if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) |
|
185 |
++ return PR_SPEC_ENABLE; |
|
186 |
++ return PR_SPEC_NOT_AFFECTED; |
|
187 |
++ } |
|
188 |
++} |
|
189 |
++ |
|
190 |
++int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl) |
|
191 |
++{ |
|
192 |
++ if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE) |
|
193 |
++ return -ERANGE; |
|
194 |
++ |
|
195 |
++ switch (which) { |
|
196 |
++ case PR_SPEC_STORE_BYPASS: |
|
197 |
++ return ssb_prctl_set(ctrl); |
|
198 |
++ default: |
|
199 |
++ return -ENODEV; |
|
200 |
++ } |
|
201 |
++} |
|
202 |
++ |
|
203 |
++int arch_prctl_spec_ctrl_get(unsigned long which) |
|
204 |
++{ |
|
205 |
++ switch (which) { |
|
206 |
++ case PR_SPEC_STORE_BYPASS: |
|
207 |
++ return ssb_prctl_get(); |
|
208 |
++ default: |
|
209 |
++ return -ENODEV; |
|
210 |
++ } |
|
211 |
++} |
|
212 |
++ |
|
213 |
+ void x86_spec_ctrl_setup_ap(void) |
|
214 |
+ { |
|
215 |
+ if (boot_cpu_has(X86_FEATURE_IBRS)) |
|
216 |
+-- |
|
217 |
+2.7.4 |
|
218 |
+ |
0 | 219 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,162 @@ |
0 |
+From b78a78bbe1529796b94416af04e302f872bb9646 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Kees Cook <keescook@chromium.org> |
|
2 |
+Date: Tue, 1 May 2018 15:19:04 -0700 |
|
3 |
+Subject: [PATCH 21/54] nospec: Allow getting/setting on non-current task |
|
4 |
+ |
|
5 |
+commit 7bbf1373e228840bb0295a2ca26d548ef37f448e upstream |
|
6 |
+ |
|
7 |
+Adjust arch_prctl_get/set_spec_ctrl() to operate on tasks other than |
|
8 |
+current. |
|
9 |
+ |
|
10 |
+This is needed both for /proc/$pid/status queries and for seccomp (since |
|
11 |
+thread-syncing can trigger seccomp in non-current threads). |
|
12 |
+ |
|
13 |
+Signed-off-by: Kees Cook <keescook@chromium.org> |
|
14 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
15 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
16 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
17 |
+--- |
|
18 |
+ arch/x86/kernel/cpu/bugs.c | 27 ++++++++++++++++----------- |
|
19 |
+ include/linux/nospec.h | 7 +++++-- |
|
20 |
+ kernel/sys.c | 9 +++++---- |
|
21 |
+ 3 files changed, 26 insertions(+), 17 deletions(-) |
|
22 |
+ |
|
23 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
24 |
+index b7d9adf..3760931 100644 |
|
25 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
26 |
+@@ -529,31 +529,35 @@ static void ssb_select_mitigation() |
|
27 |
+ |
|
28 |
+ #undef pr_fmt |
|
29 |
+ |
|
30 |
+-static int ssb_prctl_set(unsigned long ctrl) |
|
31 |
++static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) |
|
32 |
+ { |
|
33 |
+- bool rds = !!test_tsk_thread_flag(current, TIF_RDS); |
|
34 |
++ bool rds = !!test_tsk_thread_flag(task, TIF_RDS); |
|
35 |
+ |
|
36 |
+ if (ssb_mode != SPEC_STORE_BYPASS_PRCTL) |
|
37 |
+ return -ENXIO; |
|
38 |
+ |
|
39 |
+ if (ctrl == PR_SPEC_ENABLE) |
|
40 |
+- clear_tsk_thread_flag(current, TIF_RDS); |
|
41 |
++ clear_tsk_thread_flag(task, TIF_RDS); |
|
42 |
+ else |
|
43 |
+- set_tsk_thread_flag(current, TIF_RDS); |
|
44 |
++ set_tsk_thread_flag(task, TIF_RDS); |
|
45 |
+ |
|
46 |
+- if (rds != !!test_tsk_thread_flag(current, TIF_RDS)) |
|
47 |
++ /* |
|
48 |
++ * If being set on non-current task, delay setting the CPU |
|
49 |
++ * mitigation until it is next scheduled. |
|
50 |
++ */ |
|
51 |
++ if (task == current && rds != !!test_tsk_thread_flag(task, TIF_RDS)) |
|
52 |
+ speculative_store_bypass_update(); |
|
53 |
+ |
|
54 |
+ return 0; |
|
55 |
+ } |
|
56 |
+ |
|
57 |
+-static int ssb_prctl_get(void) |
|
58 |
++static int ssb_prctl_get(struct task_struct *task) |
|
59 |
+ { |
|
60 |
+ switch (ssb_mode) { |
|
61 |
+ case SPEC_STORE_BYPASS_DISABLE: |
|
62 |
+ return PR_SPEC_DISABLE; |
|
63 |
+ case SPEC_STORE_BYPASS_PRCTL: |
|
64 |
+- if (test_tsk_thread_flag(current, TIF_RDS)) |
|
65 |
++ if (test_tsk_thread_flag(task, TIF_RDS)) |
|
66 |
+ return PR_SPEC_PRCTL | PR_SPEC_DISABLE; |
|
67 |
+ return PR_SPEC_PRCTL | PR_SPEC_ENABLE; |
|
68 |
+ default: |
|
69 |
+@@ -563,24 +567,25 @@ static int ssb_prctl_get(void) |
|
70 |
+ } |
|
71 |
+ } |
|
72 |
+ |
|
73 |
+-int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl) |
|
74 |
++int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, |
|
75 |
++ unsigned long ctrl) |
|
76 |
+ { |
|
77 |
+ if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE) |
|
78 |
+ return -ERANGE; |
|
79 |
+ |
|
80 |
+ switch (which) { |
|
81 |
+ case PR_SPEC_STORE_BYPASS: |
|
82 |
+- return ssb_prctl_set(ctrl); |
|
83 |
++ return ssb_prctl_set(task, ctrl); |
|
84 |
+ default: |
|
85 |
+ return -ENODEV; |
|
86 |
+ } |
|
87 |
+ } |
|
88 |
+ |
|
89 |
+-int arch_prctl_spec_ctrl_get(unsigned long which) |
|
90 |
++int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) |
|
91 |
+ { |
|
92 |
+ switch (which) { |
|
93 |
+ case PR_SPEC_STORE_BYPASS: |
|
94 |
+- return ssb_prctl_get(); |
|
95 |
++ return ssb_prctl_get(task); |
|
96 |
+ default: |
|
97 |
+ return -ENODEV; |
|
98 |
+ } |
|
99 |
+diff --git a/include/linux/nospec.h b/include/linux/nospec.h |
|
100 |
+index 700bb8a..a908c95 100644 |
|
101 |
+--- a/include/linux/nospec.h |
|
102 |
+@@ -7,6 +7,8 @@ |
|
103 |
+ #define _LINUX_NOSPEC_H |
|
104 |
+ #include <asm/barrier.h> |
|
105 |
+ |
|
106 |
++struct task_struct; |
|
107 |
++ |
|
108 |
+ /** |
|
109 |
+ * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise |
|
110 |
+ * @index: array element index |
|
111 |
+@@ -57,7 +59,8 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, |
|
112 |
+ }) |
|
113 |
+ |
|
114 |
+ /* Speculation control prctl */ |
|
115 |
+-int arch_prctl_spec_ctrl_get(unsigned long which); |
|
116 |
+-int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl); |
|
117 |
++int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which); |
|
118 |
++int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, |
|
119 |
++ unsigned long ctrl); |
|
120 |
+ |
|
121 |
+ #endif /* _LINUX_NOSPEC_H */ |
|
122 |
+diff --git a/kernel/sys.c b/kernel/sys.c |
|
123 |
+index 312c985..143cd63 100644 |
|
124 |
+--- a/kernel/sys.c |
|
125 |
+@@ -2074,12 +2074,13 @@ static int prctl_get_tid_address(struct task_struct *me, int __user **tid_addr) |
|
126 |
+ } |
|
127 |
+ #endif |
|
128 |
+ |
|
129 |
+-int __weak arch_prctl_spec_ctrl_get(unsigned long which) |
|
130 |
++int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which) |
|
131 |
+ { |
|
132 |
+ return -EINVAL; |
|
133 |
+ } |
|
134 |
+ |
|
135 |
+-int __weak arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl) |
|
136 |
++int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which, |
|
137 |
++ unsigned long ctrl) |
|
138 |
+ { |
|
139 |
+ return -EINVAL; |
|
140 |
+ } |
|
141 |
+@@ -2285,12 +2286,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, |
|
142 |
+ case PR_GET_SPECULATION_CTRL: |
|
143 |
+ if (arg3 || arg4 || arg5) |
|
144 |
+ return -EINVAL; |
|
145 |
+- error = arch_prctl_spec_ctrl_get(arg2); |
|
146 |
++ error = arch_prctl_spec_ctrl_get(me, arg2); |
|
147 |
+ break; |
|
148 |
+ case PR_SET_SPECULATION_CTRL: |
|
149 |
+ if (arg4 || arg5) |
|
150 |
+ return -EINVAL; |
|
151 |
+- error = arch_prctl_spec_ctrl_set(arg2, arg3); |
|
152 |
++ error = arch_prctl_spec_ctrl_set(me, arg2, arg3); |
|
153 |
+ break; |
|
154 |
+ default: |
|
155 |
+ error = -EINVAL; |
|
156 |
+-- |
|
157 |
+2.7.4 |
|
158 |
+ |
0 | 159 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,64 @@ |
0 |
+From 35ac7b7721fcf4ec87ddbcff4cda073bec0175e6 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Kees Cook <keescook@chromium.org> |
|
2 |
+Date: Tue, 1 May 2018 15:31:45 -0700 |
|
3 |
+Subject: [PATCH 22/54] proc: Provide details on speculation flaw mitigations |
|
4 |
+ |
|
5 |
+commit fae1fa0fc6cca8beee3ab8ed71d54f9a78fa3f64 upstream |
|
6 |
+ |
|
7 |
+As done with seccomp and no_new_privs, also show speculation flaw |
|
8 |
+mitigation state in /proc/$pid/status. |
|
9 |
+ |
|
10 |
+Signed-off-by: Kees Cook <keescook@chromium.org> |
|
11 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
12 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
13 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
14 |
+--- |
|
15 |
+ fs/proc/array.c | 24 +++++++++++++++++++++++- |
|
16 |
+ 1 file changed, 23 insertions(+), 1 deletion(-) |
|
17 |
+ |
|
18 |
+diff --git a/fs/proc/array.c b/fs/proc/array.c |
|
19 |
+index 794b52a..64f3f20 100644 |
|
20 |
+--- a/fs/proc/array.c |
|
21 |
+@@ -80,6 +80,7 @@ |
|
22 |
+ #include <linux/delayacct.h> |
|
23 |
+ #include <linux/seq_file.h> |
|
24 |
+ #include <linux/pid_namespace.h> |
|
25 |
++#include <linux/prctl.h> |
|
26 |
+ #include <linux/ptrace.h> |
|
27 |
+ #include <linux/tracehook.h> |
|
28 |
+ #include <linux/string_helpers.h> |
|
29 |
+@@ -345,8 +346,29 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p) |
|
30 |
+ { |
|
31 |
+ #ifdef CONFIG_SECCOMP |
|
32 |
+ seq_put_decimal_ull(m, "Seccomp:\t", p->seccomp.mode); |
|
33 |
+- seq_putc(m, '\n'); |
|
34 |
+ #endif |
|
35 |
++ seq_printf(m, "\nSpeculation Store Bypass:\t"); |
|
36 |
++ switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) { |
|
37 |
++ case -EINVAL: |
|
38 |
++ seq_printf(m, "unknown"); |
|
39 |
++ break; |
|
40 |
++ case PR_SPEC_NOT_AFFECTED: |
|
41 |
++ seq_printf(m, "not vulnerable"); |
|
42 |
++ break; |
|
43 |
++ case PR_SPEC_PRCTL | PR_SPEC_DISABLE: |
|
44 |
++ seq_printf(m, "thread mitigated"); |
|
45 |
++ break; |
|
46 |
++ case PR_SPEC_PRCTL | PR_SPEC_ENABLE: |
|
47 |
++ seq_printf(m, "thread vulnerable"); |
|
48 |
++ break; |
|
49 |
++ case PR_SPEC_DISABLE: |
|
50 |
++ seq_printf(m, "globally mitigated"); |
|
51 |
++ break; |
|
52 |
++ default: |
|
53 |
++ seq_printf(m, "vulnerable"); |
|
54 |
++ break; |
|
55 |
++ } |
|
56 |
++ seq_putc(m, '\n'); |
|
57 |
+ } |
|
58 |
+ |
|
59 |
+ static inline void task_context_switch_counts(struct seq_file *m, |
|
60 |
+-- |
|
61 |
+2.7.4 |
|
62 |
+ |
0 | 63 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,64 @@ |
0 |
+From 8f4e8b49f542bef6dbdbf8b5373d6222e524d8c9 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Kees Cook <keescook@chromium.org> |
|
2 |
+Date: Tue, 1 May 2018 15:07:31 -0700 |
|
3 |
+Subject: [PATCH 23/54] seccomp: Enable speculation flaw mitigations |
|
4 |
+ |
|
5 |
+commit 5c3070890d06ff82eecb808d02d2ca39169533ef upstream |
|
6 |
+ |
|
7 |
+When speculation flaw mitigations are opt-in (via prctl), using seccomp |
|
8 |
+will automatically opt-in to these protections, since using seccomp |
|
9 |
+indicates at least some level of sandboxing is desired. |
|
10 |
+ |
|
11 |
+Signed-off-by: Kees Cook <keescook@chromium.org> |
|
12 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
13 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
14 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
15 |
+--- |
|
16 |
+ kernel/seccomp.c | 17 +++++++++++++++++ |
|
17 |
+ 1 file changed, 17 insertions(+) |
|
18 |
+ |
|
19 |
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c |
|
20 |
+index af182a6..1d3078b 100644 |
|
21 |
+--- a/kernel/seccomp.c |
|
22 |
+@@ -16,6 +16,8 @@ |
|
23 |
+ #include <linux/atomic.h> |
|
24 |
+ #include <linux/audit.h> |
|
25 |
+ #include <linux/compat.h> |
|
26 |
++#include <linux/nospec.h> |
|
27 |
++#include <linux/prctl.h> |
|
28 |
+ #include <linux/sched.h> |
|
29 |
+ #include <linux/seccomp.h> |
|
30 |
+ #include <linux/slab.h> |
|
31 |
+@@ -214,6 +216,19 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode) |
|
32 |
+ return true; |
|
33 |
+ } |
|
34 |
+ |
|
35 |
++/* |
|
36 |
++ * If a given speculation mitigation is opt-in (prctl()-controlled), |
|
37 |
++ * select it, by disabling speculation (enabling mitigation). |
|
38 |
++ */ |
|
39 |
++static inline void spec_mitigate(struct task_struct *task, |
|
40 |
++ unsigned long which) |
|
41 |
++{ |
|
42 |
++ int state = arch_prctl_spec_ctrl_get(task, which); |
|
43 |
++ |
|
44 |
++ if (state > 0 && (state & PR_SPEC_PRCTL)) |
|
45 |
++ arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE); |
|
46 |
++} |
|
47 |
++ |
|
48 |
+ static inline void seccomp_assign_mode(struct task_struct *task, |
|
49 |
+ unsigned long seccomp_mode) |
|
50 |
+ { |
|
51 |
+@@ -225,6 +240,8 @@ static inline void seccomp_assign_mode(struct task_struct *task, |
|
52 |
+ * filter) is set. |
|
53 |
+ */ |
|
54 |
+ smp_mb__before_atomic(); |
|
55 |
++ /* Assume seccomp processes want speculation flaw mitigation. */ |
|
56 |
++ spec_mitigate(task, PR_SPEC_STORE_BYPASS); |
|
57 |
+ set_tsk_thread_flag(task, TIF_SECCOMP); |
|
58 |
+ } |
|
59 |
+ |
|
60 |
+-- |
|
61 |
+2.7.4 |
|
62 |
+ |
0 | 63 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,43 @@ |
0 |
+From bb7394efb622c21daa838048937e0ef45674f413 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Kees Cook <keescook@chromium.org> |
|
2 |
+Date: Thu, 3 May 2018 15:03:30 -0700 |
|
3 |
+Subject: [PATCH 24/54] x86/bugs: Make boot modes __ro_after_init |
|
4 |
+ |
|
5 |
+commit f9544b2b076ca90d887c5ae5d74fab4c21bb7c13 upstream |
|
6 |
+ |
|
7 |
+There's no reason for these to be changed after boot. |
|
8 |
+ |
|
9 |
+Signed-off-by: Kees Cook <keescook@chromium.org> |
|
10 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
11 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
12 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
13 |
+--- |
|
14 |
+ arch/x86/kernel/cpu/bugs.c | 5 +++-- |
|
15 |
+ 1 file changed, 3 insertions(+), 2 deletions(-) |
|
16 |
+ |
|
17 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
18 |
+index 3760931..65114d2 100644 |
|
19 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
20 |
+@@ -128,7 +128,8 @@ static const char *spectre_v2_strings[] = { |
|
21 |
+ #undef pr_fmt |
|
22 |
+ #define pr_fmt(fmt) "Spectre V2 : " fmt |
|
23 |
+ |
|
24 |
+-static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; |
|
25 |
++static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = |
|
26 |
++ SPECTRE_V2_NONE; |
|
27 |
+ |
|
28 |
+ void x86_spec_ctrl_set(u64 val) |
|
29 |
+ { |
|
30 |
+@@ -406,7 +407,7 @@ static void __init spectre_v2_select_mitigation(void) |
|
31 |
+ #undef pr_fmt |
|
32 |
+ #define pr_fmt(fmt) "Speculative Store Bypass: " fmt |
|
33 |
+ |
|
34 |
+-static enum ssb_mitigation ssb_mode = SPEC_STORE_BYPASS_NONE; |
|
35 |
++static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE; |
|
36 |
+ |
|
37 |
+ /* The kernel command line selection */ |
|
38 |
+ enum ssb_mitigation_cmd { |
|
39 |
+-- |
|
40 |
+2.7.4 |
|
41 |
+ |
0 | 42 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,218 @@ |
0 |
+From 512e11d2918b279a0f895d6f9eb560d815ce2ea2 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Thu, 3 May 2018 22:09:15 +0200 |
|
3 |
+Subject: [PATCH 25/54] prctl: Add force disable speculation |
|
4 |
+ |
|
5 |
+commit 356e4bfff2c5489e016fdb925adbf12a1e3950ee upstream |
|
6 |
+ |
|
7 |
+For certain use cases it is desired to enforce mitigations so they cannot |
|
8 |
+be undone afterwards. That's important for loader stubs which want to |
|
9 |
+prevent a child from disabling the mitigation again. Will also be used for |
|
10 |
+seccomp(). The extra state preserving of the prctl state for SSB is a |
|
11 |
+preparatory step for EBPF dymanic speculation control. |
|
12 |
+ |
|
13 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
14 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
15 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
16 |
+--- |
|
17 |
+ Documentation/spec_ctrl.txt | 34 +++++++++++++++++++++------------- |
|
18 |
+ arch/x86/kernel/cpu/bugs.c | 35 +++++++++++++++++++++++++---------- |
|
19 |
+ fs/proc/array.c | 3 +++ |
|
20 |
+ include/linux/sched.h | 9 +++++++++ |
|
21 |
+ include/uapi/linux/prctl.h | 1 + |
|
22 |
+ 5 files changed, 59 insertions(+), 23 deletions(-) |
|
23 |
+ |
|
24 |
+diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt |
|
25 |
+index ddbebcd..1b3690d 100644 |
|
26 |
+--- a/Documentation/spec_ctrl.txt |
|
27 |
+@@ -25,19 +25,21 @@ PR_GET_SPECULATION_CTRL |
|
28 |
+ ----------------------- |
|
29 |
+ |
|
30 |
+ PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature |
|
31 |
+-which is selected with arg2 of prctl(2). The return value uses bits 0-2 with |
|
32 |
++which is selected with arg2 of prctl(2). The return value uses bits 0-3 with |
|
33 |
+ the following meaning: |
|
34 |
+ |
|
35 |
+-==== ================ =================================================== |
|
36 |
+-Bit Define Description |
|
37 |
+-==== ================ =================================================== |
|
38 |
+-0 PR_SPEC_PRCTL Mitigation can be controlled per task by |
|
39 |
+- PR_SET_SPECULATION_CTRL |
|
40 |
+-1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is |
|
41 |
+- disabled |
|
42 |
+-2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is |
|
43 |
+- enabled |
|
44 |
+-==== ================ =================================================== |
|
45 |
++==== ===================== =================================================== |
|
46 |
++Bit Define Description |
|
47 |
++==== ===================== =================================================== |
|
48 |
++0 PR_SPEC_PRCTL Mitigation can be controlled per task by |
|
49 |
++ PR_SET_SPECULATION_CTRL |
|
50 |
++1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is |
|
51 |
++ disabled |
|
52 |
++2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is |
|
53 |
++ enabled |
|
54 |
++3 PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A |
|
55 |
++ subsequent prctl(..., PR_SPEC_ENABLE) will fail. |
|
56 |
++==== ===================== =================================================== |
|
57 |
+ |
|
58 |
+ If all bits are 0 the CPU is not affected by the speculation misfeature. |
|
59 |
+ |
|
60 |
+@@ -47,9 +49,11 @@ misfeature will fail. |
|
61 |
+ |
|
62 |
+ PR_SET_SPECULATION_CTRL |
|
63 |
+ ----------------------- |
|
64 |
++ |
|
65 |
+ PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which |
|
66 |
+ is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand |
|
67 |
+-in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE. |
|
68 |
++in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or |
|
69 |
++PR_SPEC_FORCE_DISABLE. |
|
70 |
+ |
|
71 |
+ Common error codes |
|
72 |
+ ------------------ |
|
73 |
+@@ -70,10 +74,13 @@ Value Meaning |
|
74 |
+ 0 Success |
|
75 |
+ |
|
76 |
+ ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor |
|
77 |
+- PR_SPEC_DISABLE |
|
78 |
++ PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE |
|
79 |
+ |
|
80 |
+ ENXIO Control of the selected speculation misfeature is not possible. |
|
81 |
+ See PR_GET_SPECULATION_CTRL. |
|
82 |
++ |
|
83 |
++EPERM Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller |
|
84 |
++ tried to enable it again. |
|
85 |
+ ======= ================================================================= |
|
86 |
+ |
|
87 |
+ Speculation misfeature controls |
|
88 |
+@@ -84,3 +91,4 @@ Speculation misfeature controls |
|
89 |
+ * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0); |
|
90 |
+ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0); |
|
91 |
+ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); |
|
92 |
++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); |
|
93 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
94 |
+index 65114d2..fdbd8e5 100644 |
|
95 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
96 |
+@@ -532,21 +532,37 @@ static void ssb_select_mitigation() |
|
97 |
+ |
|
98 |
+ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) |
|
99 |
+ { |
|
100 |
+- bool rds = !!test_tsk_thread_flag(task, TIF_RDS); |
|
101 |
++ bool update; |
|
102 |
+ |
|
103 |
+ if (ssb_mode != SPEC_STORE_BYPASS_PRCTL) |
|
104 |
+ return -ENXIO; |
|
105 |
+ |
|
106 |
+- if (ctrl == PR_SPEC_ENABLE) |
|
107 |
+- clear_tsk_thread_flag(task, TIF_RDS); |
|
108 |
+- else |
|
109 |
+- set_tsk_thread_flag(task, TIF_RDS); |
|
110 |
++ switch (ctrl) { |
|
111 |
++ case PR_SPEC_ENABLE: |
|
112 |
++ /* If speculation is force disabled, enable is not allowed */ |
|
113 |
++ if (task_spec_ssb_force_disable(task)) |
|
114 |
++ return -EPERM; |
|
115 |
++ task_clear_spec_ssb_disable(task); |
|
116 |
++ update = test_and_clear_tsk_thread_flag(task, TIF_RDS); |
|
117 |
++ break; |
|
118 |
++ case PR_SPEC_DISABLE: |
|
119 |
++ task_set_spec_ssb_disable(task); |
|
120 |
++ update = !test_and_set_tsk_thread_flag(task, TIF_RDS); |
|
121 |
++ break; |
|
122 |
++ case PR_SPEC_FORCE_DISABLE: |
|
123 |
++ task_set_spec_ssb_disable(task); |
|
124 |
++ task_set_spec_ssb_force_disable(task); |
|
125 |
++ update = !test_and_set_tsk_thread_flag(task, TIF_RDS); |
|
126 |
++ break; |
|
127 |
++ default: |
|
128 |
++ return -ERANGE; |
|
129 |
++ } |
|
130 |
+ |
|
131 |
+ /* |
|
132 |
+ * If being set on non-current task, delay setting the CPU |
|
133 |
+ * mitigation until it is next scheduled. |
|
134 |
+ */ |
|
135 |
+- if (task == current && rds != !!test_tsk_thread_flag(task, TIF_RDS)) |
|
136 |
++ if (task == current && update) |
|
137 |
+ speculative_store_bypass_update(); |
|
138 |
+ |
|
139 |
+ return 0; |
|
140 |
+@@ -558,7 +574,9 @@ static int ssb_prctl_get(struct task_struct *task) |
|
141 |
+ case SPEC_STORE_BYPASS_DISABLE: |
|
142 |
+ return PR_SPEC_DISABLE; |
|
143 |
+ case SPEC_STORE_BYPASS_PRCTL: |
|
144 |
+- if (test_tsk_thread_flag(task, TIF_RDS)) |
|
145 |
++ if (task_spec_ssb_force_disable(task)) |
|
146 |
++ return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; |
|
147 |
++ if (task_spec_ssb_disable(task)) |
|
148 |
+ return PR_SPEC_PRCTL | PR_SPEC_DISABLE; |
|
149 |
+ return PR_SPEC_PRCTL | PR_SPEC_ENABLE; |
|
150 |
+ default: |
|
151 |
+@@ -571,9 +589,6 @@ static int ssb_prctl_get(struct task_struct *task) |
|
152 |
+ int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, |
|
153 |
+ unsigned long ctrl) |
|
154 |
+ { |
|
155 |
+- if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE) |
|
156 |
+- return -ERANGE; |
|
157 |
+- |
|
158 |
+ switch (which) { |
|
159 |
+ case PR_SPEC_STORE_BYPASS: |
|
160 |
+ return ssb_prctl_set(task, ctrl); |
|
161 |
+diff --git a/fs/proc/array.c b/fs/proc/array.c |
|
162 |
+index 64f3f20..3e37195 100644 |
|
163 |
+--- a/fs/proc/array.c |
|
164 |
+@@ -355,6 +355,9 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p) |
|
165 |
+ case PR_SPEC_NOT_AFFECTED: |
|
166 |
+ seq_printf(m, "not vulnerable"); |
|
167 |
+ break; |
|
168 |
++ case PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE: |
|
169 |
++ seq_printf(m, "thread force mitigated"); |
|
170 |
++ break; |
|
171 |
+ case PR_SPEC_PRCTL | PR_SPEC_DISABLE: |
|
172 |
+ seq_printf(m, "thread mitigated"); |
|
173 |
+ break; |
|
174 |
+diff --git a/include/linux/sched.h b/include/linux/sched.h |
|
175 |
+index c549c8c..5ebef8c 100644 |
|
176 |
+--- a/include/linux/sched.h |
|
177 |
+@@ -2354,6 +2354,8 @@ static inline void memalloc_noio_restore(unsigned int flags) |
|
178 |
+ #define PFA_SPREAD_PAGE 1 /* Spread page cache over cpuset */ |
|
179 |
+ #define PFA_SPREAD_SLAB 2 /* Spread some slab caches over cpuset */ |
|
180 |
+ #define PFA_LMK_WAITING 3 /* Lowmemorykiller is waiting */ |
|
181 |
++#define PFA_SPEC_SSB_DISABLE 4 /* Speculative Store Bypass disabled */ |
|
182 |
++#define PFA_SPEC_SSB_FORCE_DISABLE 5 /* Speculative Store Bypass force disabled*/ |
|
183 |
+ |
|
184 |
+ |
|
185 |
+ #define TASK_PFA_TEST(name, func) \ |
|
186 |
+@@ -2380,6 +2382,13 @@ TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab) |
|
187 |
+ TASK_PFA_TEST(LMK_WAITING, lmk_waiting) |
|
188 |
+ TASK_PFA_SET(LMK_WAITING, lmk_waiting) |
|
189 |
+ |
|
190 |
++TASK_PFA_TEST(SPEC_SSB_DISABLE, spec_ssb_disable) |
|
191 |
++TASK_PFA_SET(SPEC_SSB_DISABLE, spec_ssb_disable) |
|
192 |
++TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable) |
|
193 |
++ |
|
194 |
++TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable) |
|
195 |
++TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable) |
|
196 |
++ |
|
197 |
+ /* |
|
198 |
+ * task->jobctl flags |
|
199 |
+ */ |
|
200 |
+diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h |
|
201 |
+index 3b316be..64776b7 100644 |
|
202 |
+--- a/include/uapi/linux/prctl.h |
|
203 |
+@@ -207,5 +207,6 @@ struct prctl_mm_map { |
|
204 |
+ # define PR_SPEC_PRCTL (1UL << 0) |
|
205 |
+ # define PR_SPEC_ENABLE (1UL << 1) |
|
206 |
+ # define PR_SPEC_DISABLE (1UL << 2) |
|
207 |
++# define PR_SPEC_FORCE_DISABLE (1UL << 3) |
|
208 |
+ |
|
209 |
+ #endif /* _LINUX_PRCTL_H */ |
|
210 |
+-- |
|
211 |
+2.7.4 |
|
212 |
+ |
0 | 213 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,33 @@ |
0 |
+From 80e6b62a0da8f9769f3480b42998b4fead364e06 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Fri, 4 May 2018 09:40:03 +0200 |
|
3 |
+Subject: [PATCH 26/54] seccomp: Use PR_SPEC_FORCE_DISABLE |
|
4 |
+ |
|
5 |
+commit b849a812f7eb92e96d1c8239b06581b2cfd8b275 upstream |
|
6 |
+ |
|
7 |
+Use PR_SPEC_FORCE_DISABLE in seccomp() because seccomp does not allow to |
|
8 |
+widen restrictions. |
|
9 |
+ |
|
10 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
11 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
12 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
13 |
+--- |
|
14 |
+ kernel/seccomp.c | 2 +- |
|
15 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
|
16 |
+ |
|
17 |
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c |
|
18 |
+index 1d3078b..a0bd6ea 100644 |
|
19 |
+--- a/kernel/seccomp.c |
|
20 |
+@@ -226,7 +226,7 @@ static inline void spec_mitigate(struct task_struct *task, |
|
21 |
+ int state = arch_prctl_spec_ctrl_get(task, which); |
|
22 |
+ |
|
23 |
+ if (state > 0 && (state & PR_SPEC_PRCTL)) |
|
24 |
+- arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE); |
|
25 |
++ arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE); |
|
26 |
+ } |
|
27 |
+ |
|
28 |
+ static inline void seccomp_assign_mode(struct task_struct *task, |
|
29 |
+-- |
|
30 |
+2.7.4 |
|
31 |
+ |
0 | 32 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,222 @@ |
0 |
+From 85ad3fad7eefe018f2400c609658dacb060cfeb1 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Kees Cook <keescook@chromium.org> |
|
2 |
+Date: Thu, 3 May 2018 14:56:12 -0700 |
|
3 |
+Subject: [PATCH 27/54] seccomp: Add filter flag to opt-out of SSB mitigation |
|
4 |
+ |
|
5 |
+commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream |
|
6 |
+ |
|
7 |
+If a seccomp user is not interested in Speculative Store Bypass mitigation |
|
8 |
+by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when |
|
9 |
+adding filters. |
|
10 |
+ |
|
11 |
+Signed-off-by: Kees Cook <keescook@chromium.org> |
|
12 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
13 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
14 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
15 |
+--- |
|
16 |
+ include/linux/seccomp.h | 3 +- |
|
17 |
+ include/uapi/linux/seccomp.h | 4 +- |
|
18 |
+ kernel/seccomp.c | 19 ++++--- |
|
19 |
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 78 ++++++++++++++++++++++++++- |
|
20 |
+ 4 files changed, 93 insertions(+), 11 deletions(-) |
|
21 |
+ |
|
22 |
+diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h |
|
23 |
+index ecc296c..50c460a 100644 |
|
24 |
+--- a/include/linux/seccomp.h |
|
25 |
+@@ -3,7 +3,8 @@ |
|
26 |
+ |
|
27 |
+ #include <uapi/linux/seccomp.h> |
|
28 |
+ |
|
29 |
+-#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC) |
|
30 |
++#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ |
|
31 |
++ SECCOMP_FILTER_FLAG_SPEC_ALLOW) |
|
32 |
+ |
|
33 |
+ #ifdef CONFIG_SECCOMP |
|
34 |
+ |
|
35 |
+diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h |
|
36 |
+index 0f238a4..e4acb61 100644 |
|
37 |
+--- a/include/uapi/linux/seccomp.h |
|
38 |
+@@ -15,7 +15,9 @@ |
|
39 |
+ #define SECCOMP_SET_MODE_FILTER 1 |
|
40 |
+ |
|
41 |
+ /* Valid flags for SECCOMP_SET_MODE_FILTER */ |
|
42 |
+-#define SECCOMP_FILTER_FLAG_TSYNC 1 |
|
43 |
++#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) |
|
44 |
++/* In v4.14+ SECCOMP_FILTER_FLAG_LOG is (1UL << 1) */ |
|
45 |
++#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) |
|
46 |
+ |
|
47 |
+ /* |
|
48 |
+ * All BPF programs must return a 32-bit value. |
|
49 |
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c |
|
50 |
+index a0bd6ea..62a60e7 100644 |
|
51 |
+--- a/kernel/seccomp.c |
|
52 |
+@@ -230,7 +230,8 @@ static inline void spec_mitigate(struct task_struct *task, |
|
53 |
+ } |
|
54 |
+ |
|
55 |
+ static inline void seccomp_assign_mode(struct task_struct *task, |
|
56 |
+- unsigned long seccomp_mode) |
|
57 |
++ unsigned long seccomp_mode, |
|
58 |
++ unsigned long flags) |
|
59 |
+ { |
|
60 |
+ assert_spin_locked(&task->sighand->siglock); |
|
61 |
+ |
|
62 |
+@@ -240,8 +241,9 @@ static inline void seccomp_assign_mode(struct task_struct *task, |
|
63 |
+ * filter) is set. |
|
64 |
+ */ |
|
65 |
+ smp_mb__before_atomic(); |
|
66 |
+- /* Assume seccomp processes want speculation flaw mitigation. */ |
|
67 |
+- spec_mitigate(task, PR_SPEC_STORE_BYPASS); |
|
68 |
++ /* Assume default seccomp processes want spec flaw mitigation. */ |
|
69 |
++ if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0) |
|
70 |
++ spec_mitigate(task, PR_SPEC_STORE_BYPASS); |
|
71 |
+ set_tsk_thread_flag(task, TIF_SECCOMP); |
|
72 |
+ } |
|
73 |
+ |
|
74 |
+@@ -309,7 +311,7 @@ static inline pid_t seccomp_can_sync_threads(void) |
|
75 |
+ * without dropping the locks. |
|
76 |
+ * |
|
77 |
+ */ |
|
78 |
+-static inline void seccomp_sync_threads(void) |
|
79 |
++static inline void seccomp_sync_threads(unsigned long flags) |
|
80 |
+ { |
|
81 |
+ struct task_struct *thread, *caller; |
|
82 |
+ |
|
83 |
+@@ -350,7 +352,8 @@ static inline void seccomp_sync_threads(void) |
|
84 |
+ * allow one thread to transition the other. |
|
85 |
+ */ |
|
86 |
+ if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) |
|
87 |
+- seccomp_assign_mode(thread, SECCOMP_MODE_FILTER); |
|
88 |
++ seccomp_assign_mode(thread, SECCOMP_MODE_FILTER, |
|
89 |
++ flags); |
|
90 |
+ } |
|
91 |
+ } |
|
92 |
+ |
|
93 |
+@@ -469,7 +472,7 @@ static long seccomp_attach_filter(unsigned int flags, |
|
94 |
+ |
|
95 |
+ /* Now that the new filter is in place, synchronize to all threads. */ |
|
96 |
+ if (flags & SECCOMP_FILTER_FLAG_TSYNC) |
|
97 |
+- seccomp_sync_threads(); |
|
98 |
++ seccomp_sync_threads(flags); |
|
99 |
+ |
|
100 |
+ return 0; |
|
101 |
+ } |
|
102 |
+@@ -729,7 +732,7 @@ static long seccomp_set_mode_strict(void) |
|
103 |
+ #ifdef TIF_NOTSC |
|
104 |
+ disable_TSC(); |
|
105 |
+ #endif |
|
106 |
+- seccomp_assign_mode(current, seccomp_mode); |
|
107 |
++ seccomp_assign_mode(current, seccomp_mode, 0); |
|
108 |
+ ret = 0; |
|
109 |
+ |
|
110 |
+ out: |
|
111 |
+@@ -787,7 +790,7 @@ static long seccomp_set_mode_filter(unsigned int flags, |
|
112 |
+ /* Do not free the successfully attached filter. */ |
|
113 |
+ prepared = NULL; |
|
114 |
+ |
|
115 |
+- seccomp_assign_mode(current, seccomp_mode); |
|
116 |
++ seccomp_assign_mode(current, seccomp_mode, flags); |
|
117 |
+ out: |
|
118 |
+ spin_unlock_irq(¤t->sighand->siglock); |
|
119 |
+ if (flags & SECCOMP_FILTER_FLAG_TSYNC) |
|
120 |
+diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c |
|
121 |
+index f689981..d5be7b5 100644 |
|
122 |
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c |
|
123 |
+@@ -1692,7 +1692,11 @@ TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS) |
|
124 |
+ #endif |
|
125 |
+ |
|
126 |
+ #ifndef SECCOMP_FILTER_FLAG_TSYNC |
|
127 |
+-#define SECCOMP_FILTER_FLAG_TSYNC 1 |
|
128 |
++#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) |
|
129 |
++#endif |
|
130 |
++ |
|
131 |
++#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW |
|
132 |
++#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) |
|
133 |
+ #endif |
|
134 |
+ |
|
135 |
+ #ifndef seccomp |
|
136 |
+@@ -1791,6 +1795,78 @@ TEST(seccomp_syscall_mode_lock) |
|
137 |
+ } |
|
138 |
+ } |
|
139 |
+ |
|
140 |
++/* |
|
141 |
++ * Test detection of known and unknown filter flags. Userspace needs to be able |
|
142 |
++ * to check if a filter flag is supported by the current kernel and a good way |
|
143 |
++ * of doing that is by attempting to enter filter mode, with the flag bit in |
|
144 |
++ * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates |
|
145 |
++ * that the flag is valid and EINVAL indicates that the flag is invalid. |
|
146 |
++ */ |
|
147 |
++TEST(detect_seccomp_filter_flags) |
|
148 |
++{ |
|
149 |
++ unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC, |
|
150 |
++ SECCOMP_FILTER_FLAG_SPEC_ALLOW }; |
|
151 |
++ unsigned int flag, all_flags; |
|
152 |
++ int i; |
|
153 |
++ long ret; |
|
154 |
++ |
|
155 |
++ /* Test detection of known-good filter flags */ |
|
156 |
++ for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) { |
|
157 |
++ int bits = 0; |
|
158 |
++ |
|
159 |
++ flag = flags[i]; |
|
160 |
++ /* Make sure the flag is a single bit! */ |
|
161 |
++ while (flag) { |
|
162 |
++ if (flag & 0x1) |
|
163 |
++ bits ++; |
|
164 |
++ flag >>= 1; |
|
165 |
++ } |
|
166 |
++ ASSERT_EQ(1, bits); |
|
167 |
++ flag = flags[i]; |
|
168 |
++ |
|
169 |
++ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); |
|
170 |
++ ASSERT_NE(ENOSYS, errno) { |
|
171 |
++ TH_LOG("Kernel does not support seccomp syscall!"); |
|
172 |
++ } |
|
173 |
++ EXPECT_EQ(-1, ret); |
|
174 |
++ EXPECT_EQ(EFAULT, errno) { |
|
175 |
++ TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!", |
|
176 |
++ flag); |
|
177 |
++ } |
|
178 |
++ |
|
179 |
++ all_flags |= flag; |
|
180 |
++ } |
|
181 |
++ |
|
182 |
++ /* Test detection of all known-good filter flags */ |
|
183 |
++ ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL); |
|
184 |
++ EXPECT_EQ(-1, ret); |
|
185 |
++ EXPECT_EQ(EFAULT, errno) { |
|
186 |
++ TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!", |
|
187 |
++ all_flags); |
|
188 |
++ } |
|
189 |
++ |
|
190 |
++ /* Test detection of an unknown filter flag */ |
|
191 |
++ flag = -1; |
|
192 |
++ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); |
|
193 |
++ EXPECT_EQ(-1, ret); |
|
194 |
++ EXPECT_EQ(EINVAL, errno) { |
|
195 |
++ TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!", |
|
196 |
++ flag); |
|
197 |
++ } |
|
198 |
++ |
|
199 |
++ /* |
|
200 |
++ * Test detection of an unknown filter flag that may simply need to be |
|
201 |
++ * added to this test |
|
202 |
++ */ |
|
203 |
++ flag = flags[ARRAY_SIZE(flags) - 1] << 1; |
|
204 |
++ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); |
|
205 |
++ EXPECT_EQ(-1, ret); |
|
206 |
++ EXPECT_EQ(EINVAL, errno) { |
|
207 |
++ TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?", |
|
208 |
++ flag); |
|
209 |
++ } |
|
210 |
++} |
|
211 |
++ |
|
212 |
+ TEST(TSYNC_first) |
|
213 |
+ { |
|
214 |
+ struct sock_filter filter[] = { |
|
215 |
+-- |
|
216 |
+2.7.4 |
|
217 |
+ |
0 | 218 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,121 @@ |
0 |
+From 2dfae1442193d33c0a0de1fa83d37afe6b000fb8 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Fri, 4 May 2018 15:12:06 +0200 |
|
3 |
+Subject: [PATCH 28/54] seccomp: Move speculation migitation control to arch |
|
4 |
+ code |
|
5 |
+ |
|
6 |
+commit 8bf37d8c067bb7eb8e7c381bdadf9bd89182b6bc upstream |
|
7 |
+ |
|
8 |
+The migitation control is simpler to implement in architecture code as it |
|
9 |
+avoids the extra function call to check the mode. Aside of that having an |
|
10 |
+explicit seccomp enabled mode in the architecture mitigations would require |
|
11 |
+even more workarounds. |
|
12 |
+ |
|
13 |
+Move it into architecture code and provide a weak function in the seccomp |
|
14 |
+code. Remove the 'which' argument as this allows the architecture to decide |
|
15 |
+which mitigations are relevant for seccomp. |
|
16 |
+ |
|
17 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
18 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
19 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
20 |
+--- |
|
21 |
+ arch/x86/kernel/cpu/bugs.c | 29 ++++++++++++++++++----------- |
|
22 |
+ include/linux/nospec.h | 2 ++ |
|
23 |
+ kernel/seccomp.c | 15 ++------------- |
|
24 |
+ 3 files changed, 22 insertions(+), 24 deletions(-) |
|
25 |
+ |
|
26 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
27 |
+index fdbd8e5..131617d 100644 |
|
28 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
29 |
+@@ -568,6 +568,24 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) |
|
30 |
+ return 0; |
|
31 |
+ } |
|
32 |
+ |
|
33 |
++int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, |
|
34 |
++ unsigned long ctrl) |
|
35 |
++{ |
|
36 |
++ switch (which) { |
|
37 |
++ case PR_SPEC_STORE_BYPASS: |
|
38 |
++ return ssb_prctl_set(task, ctrl); |
|
39 |
++ default: |
|
40 |
++ return -ENODEV; |
|
41 |
++ } |
|
42 |
++} |
|
43 |
++ |
|
44 |
++#ifdef CONFIG_SECCOMP |
|
45 |
++void arch_seccomp_spec_mitigate(struct task_struct *task) |
|
46 |
++{ |
|
47 |
++ ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); |
|
48 |
++} |
|
49 |
++#endif |
|
50 |
++ |
|
51 |
+ static int ssb_prctl_get(struct task_struct *task) |
|
52 |
+ { |
|
53 |
+ switch (ssb_mode) { |
|
54 |
+@@ -586,17 +604,6 @@ static int ssb_prctl_get(struct task_struct *task) |
|
55 |
+ } |
|
56 |
+ } |
|
57 |
+ |
|
58 |
+-int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, |
|
59 |
+- unsigned long ctrl) |
|
60 |
+-{ |
|
61 |
+- switch (which) { |
|
62 |
+- case PR_SPEC_STORE_BYPASS: |
|
63 |
+- return ssb_prctl_set(task, ctrl); |
|
64 |
+- default: |
|
65 |
+- return -ENODEV; |
|
66 |
+- } |
|
67 |
+-} |
|
68 |
+- |
|
69 |
+ int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) |
|
70 |
+ { |
|
71 |
+ switch (which) { |
|
72 |
+diff --git a/include/linux/nospec.h b/include/linux/nospec.h |
|
73 |
+index a908c95..0c5ef54 100644 |
|
74 |
+--- a/include/linux/nospec.h |
|
75 |
+@@ -62,5 +62,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, |
|
76 |
+ int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which); |
|
77 |
+ int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, |
|
78 |
+ unsigned long ctrl); |
|
79 |
++/* Speculation control for seccomp enforced mitigation */ |
|
80 |
++void arch_seccomp_spec_mitigate(struct task_struct *task); |
|
81 |
+ |
|
82 |
+ #endif /* _LINUX_NOSPEC_H */ |
|
83 |
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c |
|
84 |
+index 62a60e7..3975856 100644 |
|
85 |
+--- a/kernel/seccomp.c |
|
86 |
+@@ -216,18 +216,7 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode) |
|
87 |
+ return true; |
|
88 |
+ } |
|
89 |
+ |
|
90 |
+-/* |
|
91 |
+- * If a given speculation mitigation is opt-in (prctl()-controlled), |
|
92 |
+- * select it, by disabling speculation (enabling mitigation). |
|
93 |
+- */ |
|
94 |
+-static inline void spec_mitigate(struct task_struct *task, |
|
95 |
+- unsigned long which) |
|
96 |
+-{ |
|
97 |
+- int state = arch_prctl_spec_ctrl_get(task, which); |
|
98 |
+- |
|
99 |
+- if (state > 0 && (state & PR_SPEC_PRCTL)) |
|
100 |
+- arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE); |
|
101 |
+-} |
|
102 |
++void __weak arch_seccomp_spec_mitigate(struct task_struct *task) { } |
|
103 |
+ |
|
104 |
+ static inline void seccomp_assign_mode(struct task_struct *task, |
|
105 |
+ unsigned long seccomp_mode, |
|
106 |
+@@ -243,7 +232,7 @@ static inline void seccomp_assign_mode(struct task_struct *task, |
|
107 |
+ smp_mb__before_atomic(); |
|
108 |
+ /* Assume default seccomp processes want spec flaw mitigation. */ |
|
109 |
+ if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0) |
|
110 |
+- spec_mitigate(task, PR_SPEC_STORE_BYPASS); |
|
111 |
++ arch_seccomp_spec_mitigate(task); |
|
112 |
+ set_tsk_thread_flag(task, TIF_SECCOMP); |
|
113 |
+ } |
|
114 |
+ |
|
115 |
+-- |
|
116 |
+2.7.4 |
|
117 |
+ |
0 | 118 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,166 @@ |
0 |
+From e72eb1d28d45418efd77444d3b5935212f6e7e6c Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Kees Cook <keescook@chromium.org> |
|
2 |
+Date: Thu, 3 May 2018 14:37:54 -0700 |
|
3 |
+Subject: [PATCH 29/54] x86/speculation: Make "seccomp" the default mode for |
|
4 |
+ Speculative Store Bypass |
|
5 |
+ |
|
6 |
+commit f21b53b20c754021935ea43364dbf53778eeba32 upstream |
|
7 |
+ |
|
8 |
+Unless explicitly opted out of, anything running under seccomp will have |
|
9 |
+SSB mitigations enabled. Choosing the "prctl" mode will disable this. |
|
10 |
+ |
|
11 |
+[ tglx: Adjusted it to the new arch_seccomp_spec_mitigate() mechanism ] |
|
12 |
+ |
|
13 |
+Signed-off-by: Kees Cook <keescook@chromium.org> |
|
14 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
15 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
16 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
17 |
+--- |
|
18 |
+ Documentation/kernel-parameters.txt | 26 +++++++++++++++++--------- |
|
19 |
+ arch/x86/include/asm/nospec-branch.h | 1 + |
|
20 |
+ arch/x86/kernel/cpu/bugs.c | 32 +++++++++++++++++++++++--------- |
|
21 |
+ 3 files changed, 41 insertions(+), 18 deletions(-) |
|
22 |
+ |
|
23 |
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt |
|
24 |
+index 543923b..52240a6 100644 |
|
25 |
+--- a/Documentation/kernel-parameters.txt |
|
26 |
+@@ -3997,19 +3997,27 @@ bytes respectively. Such letter suffixes can also be entirely omitted. |
|
27 |
+ This parameter controls whether the Speculative Store |
|
28 |
+ Bypass optimization is used. |
|
29 |
+ |
|
30 |
+- on - Unconditionally disable Speculative Store Bypass |
|
31 |
+- off - Unconditionally enable Speculative Store Bypass |
|
32 |
+- auto - Kernel detects whether the CPU model contains an |
|
33 |
+- implementation of Speculative Store Bypass and |
|
34 |
+- picks the most appropriate mitigation. |
|
35 |
+- prctl - Control Speculative Store Bypass per thread |
|
36 |
+- via prctl. Speculative Store Bypass is enabled |
|
37 |
+- for a process by default. The state of the control |
|
38 |
+- is inherited on fork. |
|
39 |
++ on - Unconditionally disable Speculative Store Bypass |
|
40 |
++ off - Unconditionally enable Speculative Store Bypass |
|
41 |
++ auto - Kernel detects whether the CPU model contains an |
|
42 |
++ implementation of Speculative Store Bypass and |
|
43 |
++ picks the most appropriate mitigation. If the |
|
44 |
++ CPU is not vulnerable, "off" is selected. If the |
|
45 |
++ CPU is vulnerable the default mitigation is |
|
46 |
++ architecture and Kconfig dependent. See below. |
|
47 |
++ prctl - Control Speculative Store Bypass per thread |
|
48 |
++ via prctl. Speculative Store Bypass is enabled |
|
49 |
++ for a process by default. The state of the control |
|
50 |
++ is inherited on fork. |
|
51 |
++ seccomp - Same as "prctl" above, but all seccomp threads |
|
52 |
++ will disable SSB unless they explicitly opt out. |
|
53 |
+ |
|
54 |
+ Not specifying this option is equivalent to |
|
55 |
+ spec_store_bypass_disable=auto. |
|
56 |
+ |
|
57 |
++ Default mitigations: |
|
58 |
++ X86: If CONFIG_SECCOMP=y "seccomp", otherwise "prctl" |
|
59 |
++ |
|
60 |
+ spia_io_base= [HW,MTD] |
|
61 |
+ spia_fio_base= |
|
62 |
+ spia_pedr= |
|
63 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
64 |
+index 71ad014..328ea3c 100644 |
|
65 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
66 |
+@@ -233,6 +233,7 @@ enum ssb_mitigation { |
|
67 |
+ SPEC_STORE_BYPASS_NONE, |
|
68 |
+ SPEC_STORE_BYPASS_DISABLE, |
|
69 |
+ SPEC_STORE_BYPASS_PRCTL, |
|
70 |
++ SPEC_STORE_BYPASS_SECCOMP, |
|
71 |
+ }; |
|
72 |
+ |
|
73 |
+ extern char __indirect_thunk_start[]; |
|
74 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
75 |
+index 131617d..9a3bb65 100644 |
|
76 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
77 |
+@@ -415,22 +415,25 @@ enum ssb_mitigation_cmd { |
|
78 |
+ SPEC_STORE_BYPASS_CMD_AUTO, |
|
79 |
+ SPEC_STORE_BYPASS_CMD_ON, |
|
80 |
+ SPEC_STORE_BYPASS_CMD_PRCTL, |
|
81 |
++ SPEC_STORE_BYPASS_CMD_SECCOMP, |
|
82 |
+ }; |
|
83 |
+ |
|
84 |
+ static const char *ssb_strings[] = { |
|
85 |
+ [SPEC_STORE_BYPASS_NONE] = "Vulnerable", |
|
86 |
+ [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled", |
|
87 |
+- [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl" |
|
88 |
++ [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl", |
|
89 |
++ [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp", |
|
90 |
+ }; |
|
91 |
+ |
|
92 |
+ static const struct { |
|
93 |
+ const char *option; |
|
94 |
+ enum ssb_mitigation_cmd cmd; |
|
95 |
+ } ssb_mitigation_options[] = { |
|
96 |
+- { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ |
|
97 |
+- { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ |
|
98 |
+- { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ |
|
99 |
+- { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */ |
|
100 |
++ { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ |
|
101 |
++ { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ |
|
102 |
++ { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ |
|
103 |
++ { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */ |
|
104 |
++ { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */ |
|
105 |
+ }; |
|
106 |
+ |
|
107 |
+ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) |
|
108 |
+@@ -480,8 +483,15 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
109 |
+ |
|
110 |
+ switch (cmd) { |
|
111 |
+ case SPEC_STORE_BYPASS_CMD_AUTO: |
|
112 |
+- /* Choose prctl as the default mode */ |
|
113 |
+- mode = SPEC_STORE_BYPASS_PRCTL; |
|
114 |
++ case SPEC_STORE_BYPASS_CMD_SECCOMP: |
|
115 |
++ /* |
|
116 |
++ * Choose prctl+seccomp as the default mode if seccomp is |
|
117 |
++ * enabled. |
|
118 |
++ */ |
|
119 |
++ if (IS_ENABLED(CONFIG_SECCOMP)) |
|
120 |
++ mode = SPEC_STORE_BYPASS_SECCOMP; |
|
121 |
++ else |
|
122 |
++ mode = SPEC_STORE_BYPASS_PRCTL; |
|
123 |
+ break; |
|
124 |
+ case SPEC_STORE_BYPASS_CMD_ON: |
|
125 |
+ mode = SPEC_STORE_BYPASS_DISABLE; |
|
126 |
+@@ -529,12 +539,14 @@ static void ssb_select_mitigation() |
|
127 |
+ } |
|
128 |
+ |
|
129 |
+ #undef pr_fmt |
|
130 |
++#define pr_fmt(fmt) "Speculation prctl: " fmt |
|
131 |
+ |
|
132 |
+ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) |
|
133 |
+ { |
|
134 |
+ bool update; |
|
135 |
+ |
|
136 |
+- if (ssb_mode != SPEC_STORE_BYPASS_PRCTL) |
|
137 |
++ if (ssb_mode != SPEC_STORE_BYPASS_PRCTL && |
|
138 |
++ ssb_mode != SPEC_STORE_BYPASS_SECCOMP) |
|
139 |
+ return -ENXIO; |
|
140 |
+ |
|
141 |
+ switch (ctrl) { |
|
142 |
+@@ -582,7 +594,8 @@ int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, |
|
143 |
+ #ifdef CONFIG_SECCOMP |
|
144 |
+ void arch_seccomp_spec_mitigate(struct task_struct *task) |
|
145 |
+ { |
|
146 |
+- ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); |
|
147 |
++ if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP) |
|
148 |
++ ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); |
|
149 |
+ } |
|
150 |
+ #endif |
|
151 |
+ |
|
152 |
+@@ -591,6 +604,7 @@ static int ssb_prctl_get(struct task_struct *task) |
|
153 |
+ switch (ssb_mode) { |
|
154 |
+ case SPEC_STORE_BYPASS_DISABLE: |
|
155 |
+ return PR_SPEC_DISABLE; |
|
156 |
++ case SPEC_STORE_BYPASS_SECCOMP: |
|
157 |
+ case SPEC_STORE_BYPASS_PRCTL: |
|
158 |
+ if (task_spec_ssb_force_disable(task)) |
|
159 |
+ return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; |
|
160 |
+-- |
|
161 |
+2.7.4 |
|
162 |
+ |
0 | 163 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,405 @@ |
0 |
+From 3418b83309406d775ef700aefaedd0665e7f7855 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 9 May 2018 21:41:38 +0200 |
|
3 |
+Subject: [PATCH 30/54] x86/bugs: Rename _RDS to _SSBD |
|
4 |
+ |
|
5 |
+commit 9f65fb29374ee37856dbad847b4e121aab72b510 upstream |
|
6 |
+ |
|
7 |
+Intel collateral will reference the SSB mitigation bit in IA32_SPEC_CTL[2] |
|
8 |
+as SSBD (Speculative Store Bypass Disable). |
|
9 |
+ |
|
10 |
+Hence changing it. |
|
11 |
+ |
|
12 |
+It is unclear yet what the MSR_IA32_ARCH_CAPABILITIES (0x10a) Bit(4) name |
|
13 |
+is going to be. Following the rename it would be SSBD_NO but that rolls out |
|
14 |
+to Speculative Store Bypass Disable No. |
|
15 |
+ |
|
16 |
+Also fixed the missing space in X86_FEATURE_AMD_SSBD. |
|
17 |
+ |
|
18 |
+[ tglx: Fixup x86_amd_rds_enable() and rds_tif_to_amd_ls_cfg() as well ] |
|
19 |
+ |
|
20 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
21 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
22 |
+ |
|
23 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
24 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
25 |
+--- |
|
26 |
+ arch/x86/include/asm/cpufeatures.h | 4 ++-- |
|
27 |
+ arch/x86/include/asm/msr-index.h | 10 +++++----- |
|
28 |
+ arch/x86/include/asm/spec-ctrl.h | 12 ++++++------ |
|
29 |
+ arch/x86/include/asm/thread_info.h | 6 +++--- |
|
30 |
+ arch/x86/kernel/cpu/amd.c | 14 +++++++------- |
|
31 |
+ arch/x86/kernel/cpu/bugs.c | 36 ++++++++++++++++++------------------ |
|
32 |
+ arch/x86/kernel/cpu/common.c | 2 +- |
|
33 |
+ arch/x86/kernel/cpu/intel.c | 2 +- |
|
34 |
+ arch/x86/kernel/process.c | 8 ++++---- |
|
35 |
+ arch/x86/kvm/cpuid.c | 2 +- |
|
36 |
+ arch/x86/kvm/cpuid.h | 2 +- |
|
37 |
+ arch/x86/kvm/vmx.c | 2 +- |
|
38 |
+ 12 files changed, 50 insertions(+), 50 deletions(-) |
|
39 |
+ |
|
40 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
41 |
+index 8797069..0ed8ea5 100644 |
|
42 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
43 |
+@@ -205,7 +205,7 @@ |
|
44 |
+ #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ |
|
45 |
+ #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ |
|
46 |
+ #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */ |
|
47 |
+-#define X86_FEATURE_AMD_RDS (7*32+24) /* "" AMD RDS implementation */ |
|
48 |
++#define X86_FEATURE_AMD_SSBD (7*32+24) /* "" AMD SSBD implementation */ |
|
49 |
+ |
|
50 |
+ /* Virtualization flags: Linux defined, word 8 */ |
|
51 |
+ #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ |
|
52 |
+@@ -308,7 +308,7 @@ |
|
53 |
+ #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */ |
|
54 |
+ #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */ |
|
55 |
+ #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */ |
|
56 |
+-#define X86_FEATURE_RDS (18*32+31) /* Reduced Data Speculation */ |
|
57 |
++#define X86_FEATURE_SSBD (18*32+31) /* Speculative Store Bypass Disable */ |
|
58 |
+ |
|
59 |
+ /* |
|
60 |
+ * BUG word(s) |
|
61 |
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h |
|
62 |
+index 5dd28d0..b67d57e 100644 |
|
63 |
+--- a/arch/x86/include/asm/msr-index.h |
|
64 |
+@@ -40,8 +40,8 @@ |
|
65 |
+ #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */ |
|
66 |
+ #define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */ |
|
67 |
+ #define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */ |
|
68 |
+-#define SPEC_CTRL_RDS_SHIFT 2 /* Reduced Data Speculation bit */ |
|
69 |
+-#define SPEC_CTRL_RDS (1 << SPEC_CTRL_RDS_SHIFT) /* Reduced Data Speculation */ |
|
70 |
++#define SPEC_CTRL_SSBD_SHIFT 2 /* Speculative Store Bypass Disable bit */ |
|
71 |
++#define SPEC_CTRL_SSBD (1 << SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */ |
|
72 |
+ |
|
73 |
+ #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ |
|
74 |
+ #define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */ |
|
75 |
+@@ -63,10 +63,10 @@ |
|
76 |
+ #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a |
|
77 |
+ #define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */ |
|
78 |
+ #define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */ |
|
79 |
+-#define ARCH_CAP_RDS_NO (1 << 4) /* |
|
80 |
++#define ARCH_CAP_SSBD_NO (1 << 4) /* |
|
81 |
+ * Not susceptible to Speculative Store Bypass |
|
82 |
+- * attack, so no Reduced Data Speculation control |
|
83 |
+- * required. |
|
84 |
++ * attack, so no Speculative Store Bypass |
|
85 |
++ * control required. |
|
86 |
+ */ |
|
87 |
+ |
|
88 |
+ #define MSR_IA32_BBL_CR_CTL 0x00000119 |
|
89 |
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h |
|
90 |
+index 45ef00a..dc21209 100644 |
|
91 |
+--- a/arch/x86/include/asm/spec-ctrl.h |
|
92 |
+@@ -17,20 +17,20 @@ extern void x86_spec_ctrl_restore_host(u64); |
|
93 |
+ |
|
94 |
+ /* AMD specific Speculative Store Bypass MSR data */ |
|
95 |
+ extern u64 x86_amd_ls_cfg_base; |
|
96 |
+-extern u64 x86_amd_ls_cfg_rds_mask; |
|
97 |
++extern u64 x86_amd_ls_cfg_ssbd_mask; |
|
98 |
+ |
|
99 |
+ /* The Intel SPEC CTRL MSR base value cache */ |
|
100 |
+ extern u64 x86_spec_ctrl_base; |
|
101 |
+ |
|
102 |
+-static inline u64 rds_tif_to_spec_ctrl(u64 tifn) |
|
103 |
++static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn) |
|
104 |
+ { |
|
105 |
+- BUILD_BUG_ON(TIF_RDS < SPEC_CTRL_RDS_SHIFT); |
|
106 |
+- return (tifn & _TIF_RDS) >> (TIF_RDS - SPEC_CTRL_RDS_SHIFT); |
|
107 |
++ BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT); |
|
108 |
++ return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT); |
|
109 |
+ } |
|
110 |
+ |
|
111 |
+-static inline u64 rds_tif_to_amd_ls_cfg(u64 tifn) |
|
112 |
++static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn) |
|
113 |
+ { |
|
114 |
+- return (tifn & _TIF_RDS) ? x86_amd_ls_cfg_rds_mask : 0ULL; |
|
115 |
++ return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL; |
|
116 |
+ } |
|
117 |
+ |
|
118 |
+ extern void speculative_store_bypass_update(void); |
|
119 |
+diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h |
|
120 |
+index 661afac..2d8788a 100644 |
|
121 |
+--- a/arch/x86/include/asm/thread_info.h |
|
122 |
+@@ -83,7 +83,7 @@ struct thread_info { |
|
123 |
+ #define TIF_SIGPENDING 2 /* signal pending */ |
|
124 |
+ #define TIF_NEED_RESCHED 3 /* rescheduling necessary */ |
|
125 |
+ #define TIF_SINGLESTEP 4 /* reenable singlestep on user return*/ |
|
126 |
+-#define TIF_RDS 5 /* Reduced data speculation */ |
|
127 |
++#define TIF_SSBD 5 /* Reduced data speculation */ |
|
128 |
+ #define TIF_SYSCALL_EMU 6 /* syscall emulation active */ |
|
129 |
+ #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */ |
|
130 |
+ #define TIF_SECCOMP 8 /* secure computing */ |
|
131 |
+@@ -107,7 +107,7 @@ struct thread_info { |
|
132 |
+ #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) |
|
133 |
+ #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) |
|
134 |
+ #define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) |
|
135 |
+-#define _TIF_RDS (1 << TIF_RDS) |
|
136 |
++#define _TIF_SSBD (1 << TIF_SSBD) |
|
137 |
+ #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU) |
|
138 |
+ #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) |
|
139 |
+ #define _TIF_SECCOMP (1 << TIF_SECCOMP) |
|
140 |
+@@ -141,7 +141,7 @@ struct thread_info { |
|
141 |
+ |
|
142 |
+ /* flags to check in __switch_to() */ |
|
143 |
+ #define _TIF_WORK_CTXSW \ |
|
144 |
+- (_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_RDS) |
|
145 |
++ (_TIF_IO_BITMAP|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD) |
|
146 |
+ |
|
147 |
+ #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY) |
|
148 |
+ #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW) |
|
149 |
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
|
150 |
+index a176c81..acb2fcc 100644 |
|
151 |
+--- a/arch/x86/kernel/cpu/amd.c |
|
152 |
+@@ -555,12 +555,12 @@ static void bsp_init_amd(struct cpuinfo_x86 *c) |
|
153 |
+ } |
|
154 |
+ /* |
|
155 |
+ * Try to cache the base value so further operations can |
|
156 |
+- * avoid RMW. If that faults, do not enable RDS. |
|
157 |
++ * avoid RMW. If that faults, do not enable SSBD. |
|
158 |
+ */ |
|
159 |
+ if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) { |
|
160 |
+- setup_force_cpu_cap(X86_FEATURE_RDS); |
|
161 |
+- setup_force_cpu_cap(X86_FEATURE_AMD_RDS); |
|
162 |
+- x86_amd_ls_cfg_rds_mask = 1ULL << bit; |
|
163 |
++ setup_force_cpu_cap(X86_FEATURE_SSBD); |
|
164 |
++ setup_force_cpu_cap(X86_FEATURE_AMD_SSBD); |
|
165 |
++ x86_amd_ls_cfg_ssbd_mask = 1ULL << bit; |
|
166 |
+ } |
|
167 |
+ } |
|
168 |
+ } |
|
169 |
+@@ -849,9 +849,9 @@ static void init_amd(struct cpuinfo_x86 *c) |
|
170 |
+ if (!cpu_has(c, X86_FEATURE_XENPV)) |
|
171 |
+ set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); |
|
172 |
+ |
|
173 |
+- if (boot_cpu_has(X86_FEATURE_AMD_RDS)) { |
|
174 |
+- set_cpu_cap(c, X86_FEATURE_RDS); |
|
175 |
+- set_cpu_cap(c, X86_FEATURE_AMD_RDS); |
|
176 |
++ if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) { |
|
177 |
++ set_cpu_cap(c, X86_FEATURE_SSBD); |
|
178 |
++ set_cpu_cap(c, X86_FEATURE_AMD_SSBD); |
|
179 |
+ } |
|
180 |
+ } |
|
181 |
+ |
|
182 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
183 |
+index 9a3bb65..ae6f9ba 100644 |
|
184 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
185 |
+@@ -44,10 +44,10 @@ static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS; |
|
186 |
+ |
|
187 |
+ /* |
|
188 |
+ * AMD specific MSR info for Speculative Store Bypass control. |
|
189 |
+- * x86_amd_ls_cfg_rds_mask is initialized in identify_boot_cpu(). |
|
190 |
++ * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu(). |
|
191 |
+ */ |
|
192 |
+ u64 __ro_after_init x86_amd_ls_cfg_base; |
|
193 |
+-u64 __ro_after_init x86_amd_ls_cfg_rds_mask; |
|
194 |
++u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask; |
|
195 |
+ |
|
196 |
+ void __init check_bugs(void) |
|
197 |
+ { |
|
198 |
+@@ -145,7 +145,7 @@ u64 x86_spec_ctrl_get_default(void) |
|
199 |
+ u64 msrval = x86_spec_ctrl_base; |
|
200 |
+ |
|
201 |
+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) |
|
202 |
+- msrval |= rds_tif_to_spec_ctrl(current_thread_info()->flags); |
|
203 |
++ msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
204 |
+ return msrval; |
|
205 |
+ } |
|
206 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); |
|
207 |
+@@ -158,7 +158,7 @@ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) |
|
208 |
+ return; |
|
209 |
+ |
|
210 |
+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) |
|
211 |
+- host |= rds_tif_to_spec_ctrl(current_thread_info()->flags); |
|
212 |
++ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
213 |
+ |
|
214 |
+ if (host != guest_spec_ctrl) |
|
215 |
+ wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl); |
|
216 |
+@@ -173,18 +173,18 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) |
|
217 |
+ return; |
|
218 |
+ |
|
219 |
+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) |
|
220 |
+- host |= rds_tif_to_spec_ctrl(current_thread_info()->flags); |
|
221 |
++ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
222 |
+ |
|
223 |
+ if (host != guest_spec_ctrl) |
|
224 |
+ wrmsrl(MSR_IA32_SPEC_CTRL, host); |
|
225 |
+ } |
|
226 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host); |
|
227 |
+ |
|
228 |
+-static void x86_amd_rds_enable(void) |
|
229 |
++static void x86_amd_ssb_disable(void) |
|
230 |
+ { |
|
231 |
+- u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_rds_mask; |
|
232 |
++ u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask; |
|
233 |
+ |
|
234 |
+- if (boot_cpu_has(X86_FEATURE_AMD_RDS)) |
|
235 |
++ if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) |
|
236 |
+ wrmsrl(MSR_AMD64_LS_CFG, msrval); |
|
237 |
+ } |
|
238 |
+ |
|
239 |
+@@ -472,7 +472,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
240 |
+ enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE; |
|
241 |
+ enum ssb_mitigation_cmd cmd; |
|
242 |
+ |
|
243 |
+- if (!boot_cpu_has(X86_FEATURE_RDS)) |
|
244 |
++ if (!boot_cpu_has(X86_FEATURE_SSBD)) |
|
245 |
+ return mode; |
|
246 |
+ |
|
247 |
+ cmd = ssb_parse_cmdline(); |
|
248 |
+@@ -506,7 +506,7 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
249 |
+ /* |
|
250 |
+ * We have three CPU feature flags that are in play here: |
|
251 |
+ * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. |
|
252 |
+- * - X86_FEATURE_RDS - CPU is able to turn off speculative store bypass |
|
253 |
++ * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass |
|
254 |
+ * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation |
|
255 |
+ */ |
|
256 |
+ if (mode == SPEC_STORE_BYPASS_DISABLE) { |
|
257 |
+@@ -517,12 +517,12 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
258 |
+ */ |
|
259 |
+ switch (boot_cpu_data.x86_vendor) { |
|
260 |
+ case X86_VENDOR_INTEL: |
|
261 |
+- x86_spec_ctrl_base |= SPEC_CTRL_RDS; |
|
262 |
+- x86_spec_ctrl_mask &= ~SPEC_CTRL_RDS; |
|
263 |
+- x86_spec_ctrl_set(SPEC_CTRL_RDS); |
|
264 |
++ x86_spec_ctrl_base |= SPEC_CTRL_SSBD; |
|
265 |
++ x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD; |
|
266 |
++ x86_spec_ctrl_set(SPEC_CTRL_SSBD); |
|
267 |
+ break; |
|
268 |
+ case X86_VENDOR_AMD: |
|
269 |
+- x86_amd_rds_enable(); |
|
270 |
++ x86_amd_ssb_disable(); |
|
271 |
+ break; |
|
272 |
+ } |
|
273 |
+ } |
|
274 |
+@@ -555,16 +555,16 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) |
|
275 |
+ if (task_spec_ssb_force_disable(task)) |
|
276 |
+ return -EPERM; |
|
277 |
+ task_clear_spec_ssb_disable(task); |
|
278 |
+- update = test_and_clear_tsk_thread_flag(task, TIF_RDS); |
|
279 |
++ update = test_and_clear_tsk_thread_flag(task, TIF_SSBD); |
|
280 |
+ break; |
|
281 |
+ case PR_SPEC_DISABLE: |
|
282 |
+ task_set_spec_ssb_disable(task); |
|
283 |
+- update = !test_and_set_tsk_thread_flag(task, TIF_RDS); |
|
284 |
++ update = !test_and_set_tsk_thread_flag(task, TIF_SSBD); |
|
285 |
+ break; |
|
286 |
+ case PR_SPEC_FORCE_DISABLE: |
|
287 |
+ task_set_spec_ssb_disable(task); |
|
288 |
+ task_set_spec_ssb_force_disable(task); |
|
289 |
+- update = !test_and_set_tsk_thread_flag(task, TIF_RDS); |
|
290 |
++ update = !test_and_set_tsk_thread_flag(task, TIF_SSBD); |
|
291 |
+ break; |
|
292 |
+ default: |
|
293 |
+ return -ERANGE; |
|
294 |
+@@ -634,7 +634,7 @@ void x86_spec_ctrl_setup_ap(void) |
|
295 |
+ x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask); |
|
296 |
+ |
|
297 |
+ if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) |
|
298 |
+- x86_amd_rds_enable(); |
|
299 |
++ x86_amd_ssb_disable(); |
|
300 |
+ } |
|
301 |
+ |
|
302 |
+ #ifdef CONFIG_SYSFS |
|
303 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
304 |
+index beb1da8..d0dd736 100644 |
|
305 |
+--- a/arch/x86/kernel/cpu/common.c |
|
306 |
+@@ -911,7 +911,7 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) |
|
307 |
+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); |
|
308 |
+ |
|
309 |
+ if (!x86_match_cpu(cpu_no_spec_store_bypass) && |
|
310 |
+- !(ia32_cap & ARCH_CAP_RDS_NO)) |
|
311 |
++ !(ia32_cap & ARCH_CAP_SSBD_NO)) |
|
312 |
+ setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); |
|
313 |
+ |
|
314 |
+ if (x86_match_cpu(cpu_no_speculation)) |
|
315 |
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c |
|
316 |
+index f15aea6..047adaa 100644 |
|
317 |
+--- a/arch/x86/kernel/cpu/intel.c |
|
318 |
+@@ -154,7 +154,7 @@ static void early_init_intel(struct cpuinfo_x86 *c) |
|
319 |
+ setup_clear_cpu_cap(X86_FEATURE_STIBP); |
|
320 |
+ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); |
|
321 |
+ setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); |
|
322 |
+- setup_clear_cpu_cap(X86_FEATURE_RDS); |
|
323 |
++ setup_clear_cpu_cap(X86_FEATURE_SSBD); |
|
324 |
+ } |
|
325 |
+ |
|
326 |
+ /* |
|
327 |
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
|
328 |
+index 9c48e18..c344230 100644 |
|
329 |
+--- a/arch/x86/kernel/process.c |
|
330 |
+@@ -207,11 +207,11 @@ static __always_inline void __speculative_store_bypass_update(unsigned long tifn |
|
331 |
+ { |
|
332 |
+ u64 msr; |
|
333 |
+ |
|
334 |
+- if (static_cpu_has(X86_FEATURE_AMD_RDS)) { |
|
335 |
+- msr = x86_amd_ls_cfg_base | rds_tif_to_amd_ls_cfg(tifn); |
|
336 |
++ if (static_cpu_has(X86_FEATURE_AMD_SSBD)) { |
|
337 |
++ msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn); |
|
338 |
+ wrmsrl(MSR_AMD64_LS_CFG, msr); |
|
339 |
+ } else { |
|
340 |
+- msr = x86_spec_ctrl_base | rds_tif_to_spec_ctrl(tifn); |
|
341 |
++ msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn); |
|
342 |
+ wrmsrl(MSR_IA32_SPEC_CTRL, msr); |
|
343 |
+ } |
|
344 |
+ } |
|
345 |
+@@ -250,7 +250,7 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, |
|
346 |
+ if ((tifp ^ tifn) & _TIF_NOTSC) |
|
347 |
+ cr4_toggle_bits(X86_CR4_TSD); |
|
348 |
+ |
|
349 |
+- if ((tifp ^ tifn) & _TIF_RDS) |
|
350 |
++ if ((tifp ^ tifn) & _TIF_SSBD) |
|
351 |
+ __speculative_store_bypass_update(tifn); |
|
352 |
+ } |
|
353 |
+ |
|
354 |
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c |
|
355 |
+index a9409f0..18e6db5 100644 |
|
356 |
+--- a/arch/x86/kvm/cpuid.c |
|
357 |
+@@ -382,7 +382,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, |
|
358 |
+ |
|
359 |
+ /* cpuid 7.0.edx*/ |
|
360 |
+ const u32 kvm_cpuid_7_0_edx_x86_features = |
|
361 |
+- F(SPEC_CTRL) | F(RDS) | F(ARCH_CAPABILITIES); |
|
362 |
++ F(SPEC_CTRL) | F(SSBD) | F(ARCH_CAPABILITIES); |
|
363 |
+ |
|
364 |
+ /* all calls to cpuid_count() should be made on the same cpu */ |
|
365 |
+ get_cpu(); |
|
366 |
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h |
|
367 |
+index 24187d0..aedeb6c 100644 |
|
368 |
+--- a/arch/x86/kvm/cpuid.h |
|
369 |
+@@ -179,7 +179,7 @@ static inline bool guest_cpuid_has_spec_ctrl(struct kvm_vcpu *vcpu) |
|
370 |
+ if (best && (best->ebx & bit(X86_FEATURE_IBRS))) |
|
371 |
+ return true; |
|
372 |
+ best = kvm_find_cpuid_entry(vcpu, 7, 0); |
|
373 |
+- return best && (best->edx & (bit(X86_FEATURE_SPEC_CTRL) | bit(X86_FEATURE_RDS))); |
|
374 |
++ return best && (best->edx & (bit(X86_FEATURE_SPEC_CTRL) | bit(X86_FEATURE_SSBD))); |
|
375 |
+ } |
|
376 |
+ |
|
377 |
+ static inline bool guest_cpuid_has_arch_capabilities(struct kvm_vcpu *vcpu) |
|
378 |
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
|
379 |
+index 0eb3863..874b661 100644 |
|
380 |
+--- a/arch/x86/kvm/vmx.c |
|
381 |
+@@ -3141,7 +3141,7 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) |
|
382 |
+ return 1; |
|
383 |
+ |
|
384 |
+ /* The STIBP bit doesn't fault even if it's not advertised */ |
|
385 |
+- if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_RDS)) |
|
386 |
++ if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD)) |
|
387 |
+ return 1; |
|
388 |
+ |
|
389 |
+ vmx->spec_ctrl = data; |
|
390 |
+-- |
|
391 |
+2.7.4 |
|
392 |
+ |
0 | 393 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,34 @@ |
0 |
+From c33e51ed9fc094af5b2469428a609b5977d783c6 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 9 May 2018 21:41:38 +0200 |
|
3 |
+Subject: [PATCH 31/54] proc: Use underscores for SSBD in 'status' |
|
4 |
+ |
|
5 |
+commit e96f46ee8587607a828f783daa6eb5b44d25004d upstream |
|
6 |
+ |
|
7 |
+The style for the 'status' file is CamelCase or this. _. |
|
8 |
+ |
|
9 |
+Fixes: fae1fa0fc ("proc: Provide details on speculation flaw mitigations") |
|
10 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
11 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
12 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
13 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
14 |
+--- |
|
15 |
+ fs/proc/array.c | 2 +- |
|
16 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
|
17 |
+ |
|
18 |
+diff --git a/fs/proc/array.c b/fs/proc/array.c |
|
19 |
+index 3e37195..94f83e7 100644 |
|
20 |
+--- a/fs/proc/array.c |
|
21 |
+@@ -347,7 +347,7 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p) |
|
22 |
+ #ifdef CONFIG_SECCOMP |
|
23 |
+ seq_put_decimal_ull(m, "Seccomp:\t", p->seccomp.mode); |
|
24 |
+ #endif |
|
25 |
+- seq_printf(m, "\nSpeculation Store Bypass:\t"); |
|
26 |
++ seq_printf(m, "\nSpeculation_Store_Bypass:\t"); |
|
27 |
+ switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) { |
|
28 |
+ case -EINVAL: |
|
29 |
+ seq_printf(m, "unknown"); |
|
30 |
+-- |
|
31 |
+2.7.4 |
|
32 |
+ |
0 | 33 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,87 @@ |
0 |
+From 4d01ab5d2407e797f7dbac38e3adfc5f5169073f Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Borislav Petkov <bp@suse.de> |
|
2 |
+Date: Tue, 8 May 2018 15:43:45 +0200 |
|
3 |
+Subject: [PATCH 32/54] Documentation/spec_ctrl: Do some minor cleanups |
|
4 |
+ |
|
5 |
+commit dd0792699c4058e63c0715d9a7c2d40226fcdddc upstream |
|
6 |
+ |
|
7 |
+Fix some typos, improve formulations, end sentences with a fullstop. |
|
8 |
+ |
|
9 |
+Signed-off-by: Borislav Petkov <bp@suse.de> |
|
10 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
11 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
12 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
13 |
+--- |
|
14 |
+ Documentation/spec_ctrl.txt | 24 ++++++++++++------------ |
|
15 |
+ 1 file changed, 12 insertions(+), 12 deletions(-) |
|
16 |
+ |
|
17 |
+diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt |
|
18 |
+index 1b3690d..32f3d55 100644 |
|
19 |
+--- a/Documentation/spec_ctrl.txt |
|
20 |
+@@ -2,13 +2,13 @@ |
|
21 |
+ Speculation Control |
|
22 |
+ =================== |
|
23 |
+ |
|
24 |
+-Quite some CPUs have speculation related misfeatures which are in fact |
|
25 |
+-vulnerabilites causing data leaks in various forms even accross privilege |
|
26 |
+-domains. |
|
27 |
++Quite some CPUs have speculation-related misfeatures which are in |
|
28 |
++fact vulnerabilities causing data leaks in various forms even across |
|
29 |
++privilege domains. |
|
30 |
+ |
|
31 |
+ The kernel provides mitigation for such vulnerabilities in various |
|
32 |
+-forms. Some of these mitigations are compile time configurable and some on |
|
33 |
+-the kernel command line. |
|
34 |
++forms. Some of these mitigations are compile-time configurable and some |
|
35 |
++can be supplied on the kernel command line. |
|
36 |
+ |
|
37 |
+ There is also a class of mitigations which are very expensive, but they can |
|
38 |
+ be restricted to a certain set of processes or tasks in controlled |
|
39 |
+@@ -32,18 +32,18 @@ the following meaning: |
|
40 |
+ Bit Define Description |
|
41 |
+ ==== ===================== =================================================== |
|
42 |
+ 0 PR_SPEC_PRCTL Mitigation can be controlled per task by |
|
43 |
+- PR_SET_SPECULATION_CTRL |
|
44 |
++ PR_SET_SPECULATION_CTRL. |
|
45 |
+ 1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is |
|
46 |
+- disabled |
|
47 |
++ disabled. |
|
48 |
+ 2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is |
|
49 |
+- enabled |
|
50 |
++ enabled. |
|
51 |
+ 3 PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A |
|
52 |
+ subsequent prctl(..., PR_SPEC_ENABLE) will fail. |
|
53 |
+ ==== ===================== =================================================== |
|
54 |
+ |
|
55 |
+ If all bits are 0 the CPU is not affected by the speculation misfeature. |
|
56 |
+ |
|
57 |
+-If PR_SPEC_PRCTL is set, then the per task control of the mitigation is |
|
58 |
++If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is |
|
59 |
+ available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation |
|
60 |
+ misfeature will fail. |
|
61 |
+ |
|
62 |
+@@ -61,9 +61,9 @@ Common error codes |
|
63 |
+ Value Meaning |
|
64 |
+ ======= ================================================================= |
|
65 |
+ EINVAL The prctl is not implemented by the architecture or unused |
|
66 |
+- prctl(2) arguments are not 0 |
|
67 |
++ prctl(2) arguments are not 0. |
|
68 |
+ |
|
69 |
+-ENODEV arg2 is selecting a not supported speculation misfeature |
|
70 |
++ENODEV arg2 is selecting a not supported speculation misfeature. |
|
71 |
+ ======= ================================================================= |
|
72 |
+ |
|
73 |
+ PR_SET_SPECULATION_CTRL error codes |
|
74 |
+@@ -74,7 +74,7 @@ Value Meaning |
|
75 |
+ 0 Success |
|
76 |
+ |
|
77 |
+ ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor |
|
78 |
+- PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE |
|
79 |
++ PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE. |
|
80 |
+ |
|
81 |
+ ENXIO Control of the selected speculation misfeature is not possible. |
|
82 |
+ See PR_GET_SPECULATION_CTRL. |
|
83 |
+-- |
|
84 |
+2.7.4 |
|
85 |
+ |
0 | 86 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,35 @@ |
0 |
+From 721940f2f2f86c7d0303681a6729d67c52276436 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Jiri Kosina <jkosina@suse.cz> |
|
2 |
+Date: Thu, 10 May 2018 22:47:18 +0200 |
|
3 |
+Subject: [PATCH 33/54] x86/bugs: Fix __ssb_select_mitigation() return type |
|
4 |
+ |
|
5 |
+commit d66d8ff3d21667b41eddbe86b35ab411e40d8c5f upstream |
|
6 |
+ |
|
7 |
+__ssb_select_mitigation() returns one of the members of enum ssb_mitigation, |
|
8 |
+not ssb_mitigation_cmd; fix the prototype to reflect that. |
|
9 |
+ |
|
10 |
+Fixes: 24f7fc83b9204 ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation") |
|
11 |
+Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
|
12 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
13 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
14 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
15 |
+--- |
|
16 |
+ arch/x86/kernel/cpu/bugs.c | 2 +- |
|
17 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
|
18 |
+ |
|
19 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
20 |
+index ae6f9ba..c7b4d11 100644 |
|
21 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
22 |
+@@ -467,7 +467,7 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) |
|
23 |
+ return cmd; |
|
24 |
+ } |
|
25 |
+ |
|
26 |
+-static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void) |
|
27 |
++static enum ssb_mitigation __init __ssb_select_mitigation(void) |
|
28 |
+ { |
|
29 |
+ enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE; |
|
30 |
+ enum ssb_mitigation_cmd cmd; |
|
31 |
+-- |
|
32 |
+2.7.4 |
|
33 |
+ |
0 | 34 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,34 @@ |
0 |
+From 91c8d38470acf7b6b4a26087add879f512305237 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Jiri Kosina <jkosina@suse.cz> |
|
2 |
+Date: Thu, 10 May 2018 22:47:32 +0200 |
|
3 |
+Subject: [PATCH 34/54] x86/bugs: Make cpu_show_common() static |
|
4 |
+ |
|
5 |
+commit 7bb4d366cba992904bffa4820d24e70a3de93e76 upstream |
|
6 |
+ |
|
7 |
+cpu_show_common() is not used outside of arch/x86/kernel/cpu/bugs.c, so |
|
8 |
+make it static. |
|
9 |
+ |
|
10 |
+Signed-off-by: Jiri Kosina <jkosina@suse.cz> |
|
11 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
12 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
13 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
14 |
+--- |
|
15 |
+ arch/x86/kernel/cpu/bugs.c | 2 +- |
|
16 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
|
17 |
+ |
|
18 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
19 |
+index c7b4d11..8187642 100644 |
|
20 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
21 |
+@@ -639,7 +639,7 @@ void x86_spec_ctrl_setup_ap(void) |
|
22 |
+ |
|
23 |
+ #ifdef CONFIG_SYSFS |
|
24 |
+ |
|
25 |
+-ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, |
|
26 |
++static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, |
|
27 |
+ char *buf, unsigned int bug) |
|
28 |
+ { |
|
29 |
+ if (!boot_cpu_has_bug(bug)) |
|
30 |
+-- |
|
31 |
+2.7.4 |
|
32 |
+ |
0 | 33 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,42 @@ |
0 |
+From a972acb35aa7282fc471ec9ce4274547f5791460 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Fri, 11 May 2018 16:50:35 -0400 |
|
3 |
+Subject: [PATCH 35/54] x86/bugs: Fix the parameters alignment and missing void |
|
4 |
+ |
|
5 |
+commit ffed645e3be0e32f8e9ab068d257aee8d0fe8eec upstream |
|
6 |
+ |
|
7 |
+Fixes: 7bb4d366c ("x86/bugs: Make cpu_show_common() static") |
|
8 |
+Fixes: 24f7fc83b ("x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation") |
|
9 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
10 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
11 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
12 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
13 |
+--- |
|
14 |
+ arch/x86/kernel/cpu/bugs.c | 4 ++-- |
|
15 |
+ 1 file changed, 2 insertions(+), 2 deletions(-) |
|
16 |
+ |
|
17 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
18 |
+index 8187642..4f8c88e 100644 |
|
19 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
20 |
+@@ -530,7 +530,7 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void) |
|
21 |
+ return mode; |
|
22 |
+ } |
|
23 |
+ |
|
24 |
+-static void ssb_select_mitigation() |
|
25 |
++static void ssb_select_mitigation(void) |
|
26 |
+ { |
|
27 |
+ ssb_mode = __ssb_select_mitigation(); |
|
28 |
+ |
|
29 |
+@@ -640,7 +640,7 @@ void x86_spec_ctrl_setup_ap(void) |
|
30 |
+ #ifdef CONFIG_SYSFS |
|
31 |
+ |
|
32 |
+ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, |
|
33 |
+- char *buf, unsigned int bug) |
|
34 |
++ char *buf, unsigned int bug) |
|
35 |
+ { |
|
36 |
+ if (!boot_cpu_has_bug(bug)) |
|
37 |
+ return sprintf(buf, "Not affected\n"); |
|
38 |
+-- |
|
39 |
+2.7.4 |
|
40 |
+ |
0 | 41 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,42 @@ |
0 |
+From de18dfe897c77e37a955b82998ea832d2d1273ab Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Jim Mattson <jmattson@google.com> |
|
2 |
+Date: Sun, 13 May 2018 17:33:57 -0400 |
|
3 |
+Subject: [PATCH 36/54] x86/cpu: Make alternative_msr_write work for 32-bit |
|
4 |
+ code |
|
5 |
+ |
|
6 |
+commit 5f2b745f5e1304f438f9b2cd03ebc8120b6e0d3b upstream |
|
7 |
+ |
|
8 |
+Cast val and (val >> 32) to (u32), so that they fit in a |
|
9 |
+general-purpose register in both 32-bit and 64-bit code. |
|
10 |
+ |
|
11 |
+[ tglx: Made it u32 instead of uintptr_t ] |
|
12 |
+ |
|
13 |
+Fixes: c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload") |
|
14 |
+Signed-off-by: Jim Mattson <jmattson@google.com> |
|
15 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
16 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
17 |
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org> |
|
18 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
19 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
20 |
+--- |
|
21 |
+ arch/x86/include/asm/nospec-branch.h | 4 ++-- |
|
22 |
+ 1 file changed, 2 insertions(+), 2 deletions(-) |
|
23 |
+ |
|
24 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
25 |
+index 328ea3c..bc258e6 100644 |
|
26 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
27 |
+@@ -265,8 +265,8 @@ void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature) |
|
28 |
+ { |
|
29 |
+ asm volatile(ALTERNATIVE("", "wrmsr", %c[feature]) |
|
30 |
+ : : "c" (msr), |
|
31 |
+- "a" (val), |
|
32 |
+- "d" (val >> 32), |
|
33 |
++ "a" ((u32)val), |
|
34 |
++ "d" ((u32)(val >> 32)), |
|
35 |
+ [feature] "i" (feature) |
|
36 |
+ : "memory"); |
|
37 |
+ } |
|
38 |
+-- |
|
39 |
+2.7.4 |
|
40 |
+ |
0 | 41 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,70 @@ |
0 |
+From f30da25e77ba42e685d370e695759910625a885c Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Fri, 11 May 2018 15:21:01 +0200 |
|
3 |
+Subject: [PATCH 37/54] KVM: SVM: Move spec control call after restore of GS |
|
4 |
+ |
|
5 |
+commit 15e6c22fd8e5a42c5ed6d487b7c9fe44c2517765 upstream |
|
6 |
+ |
|
7 |
+svm_vcpu_run() invokes x86_spec_ctrl_restore_host() after VMEXIT, but |
|
8 |
+before the host GS is restored. x86_spec_ctrl_restore_host() uses 'current' |
|
9 |
+to determine the host SSBD state of the thread. 'current' is GS based, but |
|
10 |
+host GS is not yet restored and the access causes a triple fault. |
|
11 |
+ |
|
12 |
+Move the call after the host GS restore. |
|
13 |
+ |
|
14 |
+Fixes: 885f82bfbc6f x86/process: Allow runtime control of Speculative Store Bypass |
|
15 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
16 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
17 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
18 |
+Acked-by: Paolo Bonzini <pbonzini@redhat.com> |
|
19 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
20 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
21 |
+--- |
|
22 |
+ arch/x86/kvm/svm.c | 24 ++++++++++++------------ |
|
23 |
+ 1 file changed, 12 insertions(+), 12 deletions(-) |
|
24 |
+ |
|
25 |
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c |
|
26 |
+index 516ddff..d1a4321 100644 |
|
27 |
+--- a/arch/x86/kvm/svm.c |
|
28 |
+@@ -5011,6 +5011,18 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) |
|
29 |
+ #endif |
|
30 |
+ ); |
|
31 |
+ |
|
32 |
++ /* Eliminate branch target predictions from guest mode */ |
|
33 |
++ vmexit_fill_RSB(); |
|
34 |
++ |
|
35 |
++#ifdef CONFIG_X86_64 |
|
36 |
++ wrmsrl(MSR_GS_BASE, svm->host.gs_base); |
|
37 |
++#else |
|
38 |
++ loadsegment(fs, svm->host.fs); |
|
39 |
++#ifndef CONFIG_X86_32_LAZY_GS |
|
40 |
++ loadsegment(gs, svm->host.gs); |
|
41 |
++#endif |
|
42 |
++#endif |
|
43 |
++ |
|
44 |
+ /* |
|
45 |
+ * We do not use IBRS in the kernel. If this vCPU has used the |
|
46 |
+ * SPEC_CTRL MSR it may have left it on; save the value and |
|
47 |
+@@ -5031,18 +5043,6 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) |
|
48 |
+ |
|
49 |
+ x86_spec_ctrl_restore_host(svm->spec_ctrl); |
|
50 |
+ |
|
51 |
+- /* Eliminate branch target predictions from guest mode */ |
|
52 |
+- vmexit_fill_RSB(); |
|
53 |
+- |
|
54 |
+-#ifdef CONFIG_X86_64 |
|
55 |
+- wrmsrl(MSR_GS_BASE, svm->host.gs_base); |
|
56 |
+-#else |
|
57 |
+- loadsegment(fs, svm->host.fs); |
|
58 |
+-#ifndef CONFIG_X86_32_LAZY_GS |
|
59 |
+- loadsegment(gs, svm->host.gs); |
|
60 |
+-#endif |
|
61 |
+-#endif |
|
62 |
+- |
|
63 |
+ reload_tss(vcpu); |
|
64 |
+ |
|
65 |
+ local_irq_disable(); |
|
66 |
+-- |
|
67 |
+2.7.4 |
|
68 |
+ |
0 | 69 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,156 @@ |
0 |
+From d359a8adfc5e7974969b45eaeb8569621b1dbe12 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Borislav Petkov <bp@suse.de> |
|
2 |
+Date: Wed, 2 May 2018 18:15:14 +0200 |
|
3 |
+Subject: [PATCH 38/54] x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP |
|
4 |
+MIME-Version: 1.0 |
|
5 |
+Content-Type: text/plain; charset=UTF-8 |
|
6 |
+Content-Transfer-Encoding: 8bit |
|
7 |
+ |
|
8 |
+commit e7c587da125291db39ddf1f49b18e5970adbac17 upstream |
|
9 |
+ |
|
10 |
+Intel and AMD have different CPUID bits hence for those use synthetic bits |
|
11 |
+which get set on the respective vendor's in init_speculation_control(). So |
|
12 |
+that debacles like what the commit message of |
|
13 |
+ |
|
14 |
+ c65732e4f721 ("x86/cpu: Restore CPUID_8000_0008_EBX reload") |
|
15 |
+ |
|
16 |
+talks about don't happen anymore. |
|
17 |
+ |
|
18 |
+Signed-off-by: Borislav Petkov <bp@suse.de> |
|
19 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
20 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
21 |
+Tested-by: Jörg Otte <jrg.otte@gmail.com> |
|
22 |
+Cc: Linus Torvalds <torvalds@linux-foundation.org> |
|
23 |
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> |
|
24 |
+Link: https://lkml.kernel.org/r/20180504161815.GG9257@pd.tnic |
|
25 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
26 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
27 |
+--- |
|
28 |
+ arch/x86/include/asm/cpufeatures.h | 12 ++++++++---- |
|
29 |
+ arch/x86/kernel/cpu/common.c | 14 ++++++++++---- |
|
30 |
+ arch/x86/kvm/cpuid.c | 10 +++++----- |
|
31 |
+ arch/x86/kvm/cpuid.h | 4 ++-- |
|
32 |
+ 4 files changed, 25 insertions(+), 15 deletions(-) |
|
33 |
+ |
|
34 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
35 |
+index 0ed8ea5..059437a 100644 |
|
36 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
37 |
+@@ -205,7 +205,10 @@ |
|
38 |
+ #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ |
|
39 |
+ #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ |
|
40 |
+ #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */ |
|
41 |
+-#define X86_FEATURE_AMD_SSBD (7*32+24) /* "" AMD SSBD implementation */ |
|
42 |
++#define X86_FEATURE_AMD_SSBD ( 7*32+24) /* "" AMD SSBD implementation */ |
|
43 |
++#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ |
|
44 |
++#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ |
|
45 |
++#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ |
|
46 |
+ |
|
47 |
+ /* Virtualization flags: Linux defined, word 8 */ |
|
48 |
+ #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ |
|
49 |
+@@ -263,9 +266,9 @@ |
|
50 |
+ /* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */ |
|
51 |
+ #define X86_FEATURE_CLZERO (13*32+0) /* CLZERO instruction */ |
|
52 |
+ #define X86_FEATURE_IRPERF (13*32+1) /* Instructions Retired Count */ |
|
53 |
+-#define X86_FEATURE_IBPB (13*32+12) /* Indirect Branch Prediction Barrier */ |
|
54 |
+-#define X86_FEATURE_IBRS (13*32+14) /* Indirect Branch Restricted Speculation */ |
|
55 |
+-#define X86_FEATURE_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors */ |
|
56 |
++#define X86_FEATURE_AMD_IBPB (13*32+12) /* Indirect Branch Prediction Barrier */ |
|
57 |
++#define X86_FEATURE_AMD_IBRS (13*32+14) /* Indirect Branch Restricted Speculation */ |
|
58 |
++#define X86_FEATURE_AMD_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors */ |
|
59 |
+ |
|
60 |
+ /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */ |
|
61 |
+ #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */ |
|
62 |
+@@ -301,6 +304,7 @@ |
|
63 |
+ #define X86_FEATURE_SUCCOR (17*32+1) /* Uncorrectable error containment and recovery */ |
|
64 |
+ #define X86_FEATURE_SMCA (17*32+3) /* Scalable MCA */ |
|
65 |
+ |
|
66 |
++ |
|
67 |
+ /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */ |
|
68 |
+ #define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */ |
|
69 |
+ #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */ |
|
70 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
71 |
+index d0dd736..67bfa3c 100644 |
|
72 |
+--- a/arch/x86/kernel/cpu/common.c |
|
73 |
+@@ -725,17 +725,23 @@ static void init_speculation_control(struct cpuinfo_x86 *c) |
|
74 |
+ * and they also have a different bit for STIBP support. Also, |
|
75 |
+ * a hypervisor might have set the individual AMD bits even on |
|
76 |
+ * Intel CPUs, for finer-grained selection of what's available. |
|
77 |
+- * |
|
78 |
+- * We use the AMD bits in 0x8000_0008 EBX as the generic hardware |
|
79 |
+- * features, which are visible in /proc/cpuinfo and used by the |
|
80 |
+- * kernel. So set those accordingly from the Intel bits. |
|
81 |
+ */ |
|
82 |
+ if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) { |
|
83 |
+ set_cpu_cap(c, X86_FEATURE_IBRS); |
|
84 |
+ set_cpu_cap(c, X86_FEATURE_IBPB); |
|
85 |
+ } |
|
86 |
++ |
|
87 |
+ if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) |
|
88 |
+ set_cpu_cap(c, X86_FEATURE_STIBP); |
|
89 |
++ |
|
90 |
++ if (cpu_has(c, X86_FEATURE_AMD_IBRS)) |
|
91 |
++ set_cpu_cap(c, X86_FEATURE_IBRS); |
|
92 |
++ |
|
93 |
++ if (cpu_has(c, X86_FEATURE_AMD_IBPB)) |
|
94 |
++ set_cpu_cap(c, X86_FEATURE_IBPB); |
|
95 |
++ |
|
96 |
++ if (cpu_has(c, X86_FEATURE_AMD_STIBP)) |
|
97 |
++ set_cpu_cap(c, X86_FEATURE_STIBP); |
|
98 |
+ } |
|
99 |
+ |
|
100 |
+ void get_cpu_cap(struct cpuinfo_x86 *c) |
|
101 |
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c |
|
102 |
+index 18e6db5..910c2db 100644 |
|
103 |
+--- a/arch/x86/kvm/cpuid.c |
|
104 |
+@@ -357,7 +357,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, |
|
105 |
+ |
|
106 |
+ /* cpuid 0x80000008.ebx */ |
|
107 |
+ const u32 kvm_cpuid_8000_0008_ebx_x86_features = |
|
108 |
+- F(IBPB) | F(IBRS); |
|
109 |
++ F(AMD_IBPB) | F(AMD_IBRS); |
|
110 |
+ |
|
111 |
+ /* cpuid 0xC0000001.edx */ |
|
112 |
+ const u32 kvm_cpuid_C000_0001_edx_x86_features = |
|
113 |
+@@ -619,10 +619,10 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, |
|
114 |
+ entry->eax = g_phys_as | (virt_as << 8); |
|
115 |
+ entry->edx = 0; |
|
116 |
+ /* IBRS and IBPB aren't necessarily present in hardware cpuid */ |
|
117 |
+- if (boot_cpu_has(X86_FEATURE_IBPB)) |
|
118 |
+- entry->ebx |= F(IBPB); |
|
119 |
+- if (boot_cpu_has(X86_FEATURE_IBRS)) |
|
120 |
+- entry->ebx |= F(IBRS); |
|
121 |
++ if (boot_cpu_has(X86_FEATURE_AMD_IBPB)) |
|
122 |
++ entry->ebx |= F(AMD_IBPB); |
|
123 |
++ if (boot_cpu_has(X86_FEATURE_AMD_IBRS)) |
|
124 |
++ entry->ebx |= F(AMD_IBRS); |
|
125 |
+ entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features; |
|
126 |
+ cpuid_mask(&entry->ebx, CPUID_8000_0008_EBX); |
|
127 |
+ break; |
|
128 |
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h |
|
129 |
+index aedeb6c..eb47c37 100644 |
|
130 |
+--- a/arch/x86/kvm/cpuid.h |
|
131 |
+@@ -165,7 +165,7 @@ static inline bool guest_cpuid_has_ibpb(struct kvm_vcpu *vcpu) |
|
132 |
+ struct kvm_cpuid_entry2 *best; |
|
133 |
+ |
|
134 |
+ best = kvm_find_cpuid_entry(vcpu, 0x80000008, 0); |
|
135 |
+- if (best && (best->ebx & bit(X86_FEATURE_IBPB))) |
|
136 |
++ if (best && (best->ebx & bit(X86_FEATURE_AMD_IBPB))) |
|
137 |
+ return true; |
|
138 |
+ best = kvm_find_cpuid_entry(vcpu, 7, 0); |
|
139 |
+ return best && (best->edx & bit(X86_FEATURE_SPEC_CTRL)); |
|
140 |
+@@ -176,7 +176,7 @@ static inline bool guest_cpuid_has_spec_ctrl(struct kvm_vcpu *vcpu) |
|
141 |
+ struct kvm_cpuid_entry2 *best; |
|
142 |
+ |
|
143 |
+ best = kvm_find_cpuid_entry(vcpu, 0x80000008, 0); |
|
144 |
+- if (best && (best->ebx & bit(X86_FEATURE_IBRS))) |
|
145 |
++ if (best && (best->ebx & bit(X86_FEATURE_AMD_IBRS))) |
|
146 |
+ return true; |
|
147 |
+ best = kvm_find_cpuid_entry(vcpu, 7, 0); |
|
148 |
+ return best && (best->edx & (bit(X86_FEATURE_SPEC_CTRL) | bit(X86_FEATURE_SSBD))); |
|
149 |
+-- |
|
150 |
+2.7.4 |
|
151 |
+ |
0 | 152 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,155 @@ |
0 |
+From 0197f009f7ddca5784d0b4a00529dad84c09cbc6 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Thu, 10 May 2018 19:13:18 +0200 |
|
3 |
+Subject: [PATCH 39/54] x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration |
|
4 |
+ from IBRS |
|
5 |
+ |
|
6 |
+commit 7eb8956a7fec3c1f0abc2a5517dada99ccc8a961 upstream |
|
7 |
+ |
|
8 |
+The availability of the SPEC_CTRL MSR is enumerated by a CPUID bit on |
|
9 |
+Intel and implied by IBRS or STIBP support on AMD. That's just confusing |
|
10 |
+and in case an AMD CPU has IBRS not supported because the underlying |
|
11 |
+problem has been fixed but has another bit valid in the SPEC_CTRL MSR, |
|
12 |
+the thing falls apart. |
|
13 |
+ |
|
14 |
+Add a synthetic feature bit X86_FEATURE_MSR_SPEC_CTRL to denote the |
|
15 |
+availability on both Intel and AMD. |
|
16 |
+ |
|
17 |
+While at it replace the boot_cpu_has() checks with static_cpu_has() where |
|
18 |
+possible. This prevents late microcode loading from exposing SPEC_CTRL, but |
|
19 |
+late loading is already very limited as it does not reevaluate the |
|
20 |
+mitigation options and other bits and pieces. Having static_cpu_has() is |
|
21 |
+the simplest and least fragile solution. |
|
22 |
+ |
|
23 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
24 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
25 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
26 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
27 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
28 |
+--- |
|
29 |
+ arch/x86/include/asm/cpufeatures.h | 2 ++ |
|
30 |
+ arch/x86/kernel/cpu/bugs.c | 18 +++++++++++------- |
|
31 |
+ arch/x86/kernel/cpu/common.c | 9 +++++++-- |
|
32 |
+ arch/x86/kernel/cpu/intel.c | 1 + |
|
33 |
+ 4 files changed, 21 insertions(+), 9 deletions(-) |
|
34 |
+ |
|
35 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
36 |
+index 059437a..ca0f33f 100644 |
|
37 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
38 |
+@@ -197,6 +197,8 @@ |
|
39 |
+ #define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ |
|
40 |
+ #define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */ |
|
41 |
+ |
|
42 |
++#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ |
|
43 |
++ |
|
44 |
+ #define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */ |
|
45 |
+ |
|
46 |
+ /* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */ |
|
47 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
48 |
+index 4f8c88e..59649310 100644 |
|
49 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
50 |
+@@ -63,7 +63,7 @@ void __init check_bugs(void) |
|
51 |
+ * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD |
|
52 |
+ * init code as it is not enumerated and depends on the family. |
|
53 |
+ */ |
|
54 |
+- if (boot_cpu_has(X86_FEATURE_IBRS)) |
|
55 |
++ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
56 |
+ rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
|
57 |
+ |
|
58 |
+ /* Select the proper spectre mitigation before patching alternatives */ |
|
59 |
+@@ -144,7 +144,7 @@ u64 x86_spec_ctrl_get_default(void) |
|
60 |
+ { |
|
61 |
+ u64 msrval = x86_spec_ctrl_base; |
|
62 |
+ |
|
63 |
+- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) |
|
64 |
++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) |
|
65 |
+ msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
66 |
+ return msrval; |
|
67 |
+ } |
|
68 |
+@@ -154,10 +154,12 @@ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) |
|
69 |
+ { |
|
70 |
+ u64 host = x86_spec_ctrl_base; |
|
71 |
+ |
|
72 |
+- if (!boot_cpu_has(X86_FEATURE_IBRS)) |
|
73 |
++ /* Is MSR_SPEC_CTRL implemented ? */ |
|
74 |
++ if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
75 |
+ return; |
|
76 |
+ |
|
77 |
+- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) |
|
78 |
++ /* Intel controls SSB in MSR_SPEC_CTRL */ |
|
79 |
++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) |
|
80 |
+ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
81 |
+ |
|
82 |
+ if (host != guest_spec_ctrl) |
|
83 |
+@@ -169,10 +171,12 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) |
|
84 |
+ { |
|
85 |
+ u64 host = x86_spec_ctrl_base; |
|
86 |
+ |
|
87 |
+- if (!boot_cpu_has(X86_FEATURE_IBRS)) |
|
88 |
++ /* Is MSR_SPEC_CTRL implemented ? */ |
|
89 |
++ if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
90 |
+ return; |
|
91 |
+ |
|
92 |
+- if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) |
|
93 |
++ /* Intel controls SSB in MSR_SPEC_CTRL */ |
|
94 |
++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) |
|
95 |
+ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
96 |
+ |
|
97 |
+ if (host != guest_spec_ctrl) |
|
98 |
+@@ -630,7 +634,7 @@ int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) |
|
99 |
+ |
|
100 |
+ void x86_spec_ctrl_setup_ap(void) |
|
101 |
+ { |
|
102 |
+- if (boot_cpu_has(X86_FEATURE_IBRS)) |
|
103 |
++ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
104 |
+ x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask); |
|
105 |
+ |
|
106 |
+ if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) |
|
107 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
108 |
+index 67bfa3c..04362282 100644 |
|
109 |
+--- a/arch/x86/kernel/cpu/common.c |
|
110 |
+@@ -729,19 +729,24 @@ static void init_speculation_control(struct cpuinfo_x86 *c) |
|
111 |
+ if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) { |
|
112 |
+ set_cpu_cap(c, X86_FEATURE_IBRS); |
|
113 |
+ set_cpu_cap(c, X86_FEATURE_IBPB); |
|
114 |
++ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); |
|
115 |
+ } |
|
116 |
+ |
|
117 |
+ if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) |
|
118 |
+ set_cpu_cap(c, X86_FEATURE_STIBP); |
|
119 |
+ |
|
120 |
+- if (cpu_has(c, X86_FEATURE_AMD_IBRS)) |
|
121 |
++ if (cpu_has(c, X86_FEATURE_AMD_IBRS)) { |
|
122 |
+ set_cpu_cap(c, X86_FEATURE_IBRS); |
|
123 |
++ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); |
|
124 |
++ } |
|
125 |
+ |
|
126 |
+ if (cpu_has(c, X86_FEATURE_AMD_IBPB)) |
|
127 |
+ set_cpu_cap(c, X86_FEATURE_IBPB); |
|
128 |
+ |
|
129 |
+- if (cpu_has(c, X86_FEATURE_AMD_STIBP)) |
|
130 |
++ if (cpu_has(c, X86_FEATURE_AMD_STIBP)) { |
|
131 |
+ set_cpu_cap(c, X86_FEATURE_STIBP); |
|
132 |
++ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); |
|
133 |
++ } |
|
134 |
+ } |
|
135 |
+ |
|
136 |
+ void get_cpu_cap(struct cpuinfo_x86 *c) |
|
137 |
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c |
|
138 |
+index 047adaa..7f495e8 100644 |
|
139 |
+--- a/arch/x86/kernel/cpu/intel.c |
|
140 |
+@@ -153,6 +153,7 @@ static void early_init_intel(struct cpuinfo_x86 *c) |
|
141 |
+ setup_clear_cpu_cap(X86_FEATURE_IBPB); |
|
142 |
+ setup_clear_cpu_cap(X86_FEATURE_STIBP); |
|
143 |
+ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL); |
|
144 |
++ setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL); |
|
145 |
+ setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); |
|
146 |
+ setup_clear_cpu_cap(X86_FEATURE_SSBD); |
|
147 |
+ } |
|
148 |
+-- |
|
149 |
+2.7.4 |
|
150 |
+ |
0 | 151 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,163 @@ |
0 |
+From c0374a5d3dcefc7e21ae1ebe2343c88f8e0ff121 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Thu, 10 May 2018 20:21:36 +0200 |
|
3 |
+Subject: [PATCH 40/54] x86/cpufeatures: Disentangle SSBD enumeration |
|
4 |
+ |
|
5 |
+commit 52817587e706686fcdb27f14c1b000c92f266c96 upstream |
|
6 |
+ |
|
7 |
+The SSBD enumeration is similarly to the other bits magically shared |
|
8 |
+between Intel and AMD though the mechanisms are different. |
|
9 |
+ |
|
10 |
+Make X86_FEATURE_SSBD synthetic and set it depending on the vendor specific |
|
11 |
+features or family dependent setup. |
|
12 |
+ |
|
13 |
+Change the Intel bit to X86_FEATURE_SPEC_CTRL_SSBD to denote that SSBD is |
|
14 |
+controlled via MSR_SPEC_CTRL and fix up the usage sites. |
|
15 |
+ |
|
16 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
17 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
18 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
19 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
20 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
21 |
+--- |
|
22 |
+ arch/x86/include/asm/cpufeatures.h | 5 +++-- |
|
23 |
+ arch/x86/kernel/cpu/amd.c | 7 +------ |
|
24 |
+ arch/x86/kernel/cpu/bugs.c | 10 +++++----- |
|
25 |
+ arch/x86/kernel/cpu/common.c | 3 +++ |
|
26 |
+ arch/x86/kernel/cpu/intel.c | 1 + |
|
27 |
+ arch/x86/kernel/process.c | 2 +- |
|
28 |
+ 6 files changed, 14 insertions(+), 14 deletions(-) |
|
29 |
+ |
|
30 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
31 |
+index ca0f33f..d071767 100644 |
|
32 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
33 |
+@@ -198,6 +198,7 @@ |
|
34 |
+ #define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */ |
|
35 |
+ |
|
36 |
+ #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ |
|
37 |
++#define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */ |
|
38 |
+ |
|
39 |
+ #define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */ |
|
40 |
+ |
|
41 |
+@@ -207,7 +208,7 @@ |
|
42 |
+ #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ |
|
43 |
+ #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ |
|
44 |
+ #define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */ |
|
45 |
+-#define X86_FEATURE_AMD_SSBD ( 7*32+24) /* "" AMD SSBD implementation */ |
|
46 |
++#define X86_FEATURE_LS_CFG_SSBD ( 7*32+24) /* "" AMD SSBD implementation */ |
|
47 |
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ |
|
48 |
+ #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ |
|
49 |
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ |
|
50 |
+@@ -314,7 +315,7 @@ |
|
51 |
+ #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */ |
|
52 |
+ #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */ |
|
53 |
+ #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */ |
|
54 |
+-#define X86_FEATURE_SSBD (18*32+31) /* Speculative Store Bypass Disable */ |
|
55 |
++#define X86_FEATURE_SPEC_CTRL_SSBD (18*32+31) /* "" Speculative Store Bypass Disable */ |
|
56 |
+ |
|
57 |
+ /* |
|
58 |
+ * BUG word(s) |
|
59 |
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
|
60 |
+index acb2fcc..179d572 100644 |
|
61 |
+--- a/arch/x86/kernel/cpu/amd.c |
|
62 |
+@@ -558,8 +558,8 @@ static void bsp_init_amd(struct cpuinfo_x86 *c) |
|
63 |
+ * avoid RMW. If that faults, do not enable SSBD. |
|
64 |
+ */ |
|
65 |
+ if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) { |
|
66 |
++ setup_force_cpu_cap(X86_FEATURE_LS_CFG_SSBD); |
|
67 |
+ setup_force_cpu_cap(X86_FEATURE_SSBD); |
|
68 |
+- setup_force_cpu_cap(X86_FEATURE_AMD_SSBD); |
|
69 |
+ x86_amd_ls_cfg_ssbd_mask = 1ULL << bit; |
|
70 |
+ } |
|
71 |
+ } |
|
72 |
+@@ -848,11 +848,6 @@ static void init_amd(struct cpuinfo_x86 *c) |
|
73 |
+ /* AMD CPUs don't reset SS attributes on SYSRET, Xen does. */ |
|
74 |
+ if (!cpu_has(c, X86_FEATURE_XENPV)) |
|
75 |
+ set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); |
|
76 |
+- |
|
77 |
+- if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) { |
|
78 |
+- set_cpu_cap(c, X86_FEATURE_SSBD); |
|
79 |
+- set_cpu_cap(c, X86_FEATURE_AMD_SSBD); |
|
80 |
+- } |
|
81 |
+ } |
|
82 |
+ |
|
83 |
+ #ifdef CONFIG_X86_32 |
|
84 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
85 |
+index 59649310..15a6c58 100644 |
|
86 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
87 |
+@@ -158,8 +158,8 @@ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) |
|
88 |
+ if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
89 |
+ return; |
|
90 |
+ |
|
91 |
+- /* Intel controls SSB in MSR_SPEC_CTRL */ |
|
92 |
+- if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) |
|
93 |
++ /* SSBD controlled in MSR_SPEC_CTRL */ |
|
94 |
++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD)) |
|
95 |
+ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
96 |
+ |
|
97 |
+ if (host != guest_spec_ctrl) |
|
98 |
+@@ -175,8 +175,8 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) |
|
99 |
+ if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
100 |
+ return; |
|
101 |
+ |
|
102 |
+- /* Intel controls SSB in MSR_SPEC_CTRL */ |
|
103 |
+- if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) |
|
104 |
++ /* SSBD controlled in MSR_SPEC_CTRL */ |
|
105 |
++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD)) |
|
106 |
+ host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
107 |
+ |
|
108 |
+ if (host != guest_spec_ctrl) |
|
109 |
+@@ -188,7 +188,7 @@ static void x86_amd_ssb_disable(void) |
|
110 |
+ { |
|
111 |
+ u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask; |
|
112 |
+ |
|
113 |
+- if (boot_cpu_has(X86_FEATURE_AMD_SSBD)) |
|
114 |
++ if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) |
|
115 |
+ wrmsrl(MSR_AMD64_LS_CFG, msrval); |
|
116 |
+ } |
|
117 |
+ |
|
118 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
119 |
+index 04362282..945e841 100644 |
|
120 |
+--- a/arch/x86/kernel/cpu/common.c |
|
121 |
+@@ -735,6 +735,9 @@ static void init_speculation_control(struct cpuinfo_x86 *c) |
|
122 |
+ if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) |
|
123 |
+ set_cpu_cap(c, X86_FEATURE_STIBP); |
|
124 |
+ |
|
125 |
++ if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD)) |
|
126 |
++ set_cpu_cap(c, X86_FEATURE_SSBD); |
|
127 |
++ |
|
128 |
+ if (cpu_has(c, X86_FEATURE_AMD_IBRS)) { |
|
129 |
+ set_cpu_cap(c, X86_FEATURE_IBRS); |
|
130 |
+ set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); |
|
131 |
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c |
|
132 |
+index 7f495e8..93781e3 100644 |
|
133 |
+--- a/arch/x86/kernel/cpu/intel.c |
|
134 |
+@@ -156,6 +156,7 @@ static void early_init_intel(struct cpuinfo_x86 *c) |
|
135 |
+ setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL); |
|
136 |
+ setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP); |
|
137 |
+ setup_clear_cpu_cap(X86_FEATURE_SSBD); |
|
138 |
++ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL_SSBD); |
|
139 |
+ } |
|
140 |
+ |
|
141 |
+ /* |
|
142 |
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
|
143 |
+index c344230..b3cd08e 100644 |
|
144 |
+--- a/arch/x86/kernel/process.c |
|
145 |
+@@ -207,7 +207,7 @@ static __always_inline void __speculative_store_bypass_update(unsigned long tifn |
|
146 |
+ { |
|
147 |
+ u64 msr; |
|
148 |
+ |
|
149 |
+- if (static_cpu_has(X86_FEATURE_AMD_SSBD)) { |
|
150 |
++ if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) { |
|
151 |
+ msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn); |
|
152 |
+ wrmsrl(MSR_AMD64_LS_CFG, msr); |
|
153 |
+ } else { |
|
154 |
+-- |
|
155 |
+2.7.4 |
|
156 |
+ |
0 | 157 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,55 @@ |
0 |
+From be3e692ab1eb72a96b4b46a63384fbe2e5bac2f8 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Borislav Petkov <bp@suse.de> |
|
2 |
+Date: Thu, 7 Sep 2017 19:08:21 +0200 |
|
3 |
+Subject: [PATCH 41/54] x86/cpu/AMD: Fix erratum 1076 (CPB bit) |
|
4 |
+ |
|
5 |
+commit f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 upstream |
|
6 |
+ |
|
7 |
+CPUID Fn8000_0007_EDX[CPB] is wrongly 0 on models up to B1. But they do |
|
8 |
+support CPB (AMD's Core Performance Boosting cpufreq CPU feature), so fix that. |
|
9 |
+ |
|
10 |
+Signed-off-by: Borislav Petkov <bp@suse.de> |
|
11 |
+Cc: Linus Torvalds <torvalds@linux-foundation.org> |
|
12 |
+Cc: Peter Zijlstra <peterz@infradead.org> |
|
13 |
+Cc: Sherry Hurwitz <sherry.hurwitz@amd.com> |
|
14 |
+Cc: Thomas Gleixner <tglx@linutronix.de> |
|
15 |
+Link: http://lkml.kernel.org/r/20170907170821.16021-1-bp@alien8.de |
|
16 |
+Signed-off-by: Ingo Molnar <mingo@kernel.org> |
|
17 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
18 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
19 |
+--- |
|
20 |
+ arch/x86/kernel/cpu/amd.c | 11 +++++++++++ |
|
21 |
+ 1 file changed, 11 insertions(+) |
|
22 |
+ |
|
23 |
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
|
24 |
+index 179d572..21367b5 100644 |
|
25 |
+--- a/arch/x86/kernel/cpu/amd.c |
|
26 |
+@@ -749,6 +749,16 @@ static void init_amd_bd(struct cpuinfo_x86 *c) |
|
27 |
+ } |
|
28 |
+ } |
|
29 |
+ |
|
30 |
++static void init_amd_zn(struct cpuinfo_x86 *c) |
|
31 |
++{ |
|
32 |
++ /* |
|
33 |
++ * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects |
|
34 |
++ * all up to and including B1. |
|
35 |
++ */ |
|
36 |
++ if (c->x86_model <= 1 && c->x86_stepping <= 1) |
|
37 |
++ set_cpu_cap(c, X86_FEATURE_CPB); |
|
38 |
++} |
|
39 |
++ |
|
40 |
+ static void init_amd(struct cpuinfo_x86 *c) |
|
41 |
+ { |
|
42 |
+ u32 dummy; |
|
43 |
+@@ -779,6 +789,7 @@ static void init_amd(struct cpuinfo_x86 *c) |
|
44 |
+ case 0x10: init_amd_gh(c); break; |
|
45 |
+ case 0x12: init_amd_ln(c); break; |
|
46 |
+ case 0x15: init_amd_bd(c); break; |
|
47 |
++ case 0x17: init_amd_zn(c); break; |
|
48 |
+ } |
|
49 |
+ |
|
50 |
+ /* Enable workaround for FXSAVE leak */ |
|
51 |
+-- |
|
52 |
+2.7.4 |
|
53 |
+ |
0 | 54 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,48 @@ |
0 |
+From 3532efa1474efa07d13c3b8022bc84e07f94b55b Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Thu, 10 May 2018 16:26:00 +0200 |
|
3 |
+Subject: [PATCH 42/54] x86/cpufeatures: Add FEATURE_ZEN |
|
4 |
+ |
|
5 |
+commit d1035d971829dcf80e8686ccde26f94b0a069472 upstream |
|
6 |
+ |
|
7 |
+Add a ZEN feature bit so family-dependent static_cpu_has() optimizations |
|
8 |
+can be built for ZEN. |
|
9 |
+ |
|
10 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
11 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
12 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
13 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
14 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
15 |
+--- |
|
16 |
+ arch/x86/include/asm/cpufeatures.h | 2 ++ |
|
17 |
+ arch/x86/kernel/cpu/amd.c | 1 + |
|
18 |
+ 2 files changed, 3 insertions(+) |
|
19 |
+ |
|
20 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
21 |
+index d071767..ec87b8c 100644 |
|
22 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
23 |
+@@ -212,6 +212,8 @@ |
|
24 |
+ #define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ |
|
25 |
+ #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ |
|
26 |
+ #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ |
|
27 |
++#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */ |
|
28 |
++ |
|
29 |
+ |
|
30 |
+ /* Virtualization flags: Linux defined, word 8 */ |
|
31 |
+ #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ |
|
32 |
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
|
33 |
+index 21367b5..4c2be99 100644 |
|
34 |
+--- a/arch/x86/kernel/cpu/amd.c |
|
35 |
+@@ -751,6 +751,7 @@ static void init_amd_bd(struct cpuinfo_x86 *c) |
|
36 |
+ |
|
37 |
+ static void init_amd_zn(struct cpuinfo_x86 *c) |
|
38 |
+ { |
|
39 |
++ set_cpu_cap(c, X86_FEATURE_ZEN); |
|
40 |
+ /* |
|
41 |
+ * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects |
|
42 |
+ * all up to and including B1. |
|
43 |
+-- |
|
44 |
+2.7.4 |
|
45 |
+ |
0 | 46 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,240 @@ |
0 |
+From dd42e8f6dc439a771e8864502f1404ecec2b031b Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Wed, 9 May 2018 21:53:09 +0200 |
|
3 |
+Subject: [PATCH 43/54] x86/speculation: Handle HT correctly on AMD |
|
4 |
+ |
|
5 |
+commit 1f50ddb4f4189243c05926b842dc1a0332195f31 upstream |
|
6 |
+ |
|
7 |
+The AMD64_LS_CFG MSR is a per core MSR on Family 17H CPUs. That means when |
|
8 |
+hyperthreading is enabled the SSBD bit toggle needs to take both cores into |
|
9 |
+account. Otherwise the following situation can happen: |
|
10 |
+ |
|
11 |
+CPU0 CPU1 |
|
12 |
+ |
|
13 |
+disable SSB |
|
14 |
+ disable SSB |
|
15 |
+ enable SSB <- Enables it for the Core, i.e. for CPU0 as well |
|
16 |
+ |
|
17 |
+So after the SSB enable on CPU1 the task on CPU0 runs with SSB enabled |
|
18 |
+again. |
|
19 |
+ |
|
20 |
+On Intel the SSBD control is per core as well, but the synchronization |
|
21 |
+logic is implemented behind the per thread SPEC_CTRL MSR. It works like |
|
22 |
+this: |
|
23 |
+ |
|
24 |
+ CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL |
|
25 |
+ |
|
26 |
+i.e. if one of the threads enables a mitigation then this affects both and |
|
27 |
+the mitigation is only disabled in the core when both threads disabled it. |
|
28 |
+ |
|
29 |
+Add the necessary synchronization logic for AMD family 17H. Unfortunately |
|
30 |
+that requires a spinlock to serialize the access to the MSR, but the locks |
|
31 |
+are only shared between siblings. |
|
32 |
+ |
|
33 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
34 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
35 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
36 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
37 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
38 |
+--- |
|
39 |
+ arch/x86/include/asm/spec-ctrl.h | 6 ++ |
|
40 |
+ arch/x86/kernel/process.c | 125 +++++++++++++++++++++++++++++++++++++-- |
|
41 |
+ arch/x86/kernel/smpboot.c | 5 ++ |
|
42 |
+ 3 files changed, 130 insertions(+), 6 deletions(-) |
|
43 |
+ |
|
44 |
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h |
|
45 |
+index dc21209..0cb49c4 100644 |
|
46 |
+--- a/arch/x86/include/asm/spec-ctrl.h |
|
47 |
+@@ -33,6 +33,12 @@ static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn) |
|
48 |
+ return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL; |
|
49 |
+ } |
|
50 |
+ |
|
51 |
++#ifdef CONFIG_SMP |
|
52 |
++extern void speculative_store_bypass_ht_init(void); |
|
53 |
++#else |
|
54 |
++static inline void speculative_store_bypass_ht_init(void) { } |
|
55 |
++#endif |
|
56 |
++ |
|
57 |
+ extern void speculative_store_bypass_update(void); |
|
58 |
+ |
|
59 |
+ #endif |
|
60 |
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
|
61 |
+index b3cd08e..1e9d155 100644 |
|
62 |
+--- a/arch/x86/kernel/process.c |
|
63 |
+@@ -203,22 +203,135 @@ static inline void switch_to_bitmap(struct tss_struct *tss, |
|
64 |
+ } |
|
65 |
+ } |
|
66 |
+ |
|
67 |
+-static __always_inline void __speculative_store_bypass_update(unsigned long tifn) |
|
68 |
++#ifdef CONFIG_SMP |
|
69 |
++ |
|
70 |
++struct ssb_state { |
|
71 |
++ struct ssb_state *shared_state; |
|
72 |
++ raw_spinlock_t lock; |
|
73 |
++ unsigned int disable_state; |
|
74 |
++ unsigned long local_state; |
|
75 |
++}; |
|
76 |
++ |
|
77 |
++#define LSTATE_SSB 0 |
|
78 |
++ |
|
79 |
++static DEFINE_PER_CPU(struct ssb_state, ssb_state); |
|
80 |
++ |
|
81 |
++void speculative_store_bypass_ht_init(void) |
|
82 |
+ { |
|
83 |
+- u64 msr; |
|
84 |
++ struct ssb_state *st = this_cpu_ptr(&ssb_state); |
|
85 |
++ unsigned int this_cpu = smp_processor_id(); |
|
86 |
++ unsigned int cpu; |
|
87 |
++ |
|
88 |
++ st->local_state = 0; |
|
89 |
++ |
|
90 |
++ /* |
|
91 |
++ * Shared state setup happens once on the first bringup |
|
92 |
++ * of the CPU. It's not destroyed on CPU hotunplug. |
|
93 |
++ */ |
|
94 |
++ if (st->shared_state) |
|
95 |
++ return; |
|
96 |
++ |
|
97 |
++ raw_spin_lock_init(&st->lock); |
|
98 |
+ |
|
99 |
+- if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) { |
|
100 |
+- msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn); |
|
101 |
++ /* |
|
102 |
++ * Go over HT siblings and check whether one of them has set up the |
|
103 |
++ * shared state pointer already. |
|
104 |
++ */ |
|
105 |
++ for_each_cpu(cpu, topology_sibling_cpumask(this_cpu)) { |
|
106 |
++ if (cpu == this_cpu) |
|
107 |
++ continue; |
|
108 |
++ |
|
109 |
++ if (!per_cpu(ssb_state, cpu).shared_state) |
|
110 |
++ continue; |
|
111 |
++ |
|
112 |
++ /* Link it to the state of the sibling: */ |
|
113 |
++ st->shared_state = per_cpu(ssb_state, cpu).shared_state; |
|
114 |
++ return; |
|
115 |
++ } |
|
116 |
++ |
|
117 |
++ /* |
|
118 |
++ * First HT sibling to come up on the core. Link shared state of |
|
119 |
++ * the first HT sibling to itself. The siblings on the same core |
|
120 |
++ * which come up later will see the shared state pointer and link |
|
121 |
++ * themself to the state of this CPU. |
|
122 |
++ */ |
|
123 |
++ st->shared_state = st; |
|
124 |
++} |
|
125 |
++ |
|
126 |
++/* |
|
127 |
++ * Logic is: First HT sibling enables SSBD for both siblings in the core |
|
128 |
++ * and last sibling to disable it, disables it for the whole core. This how |
|
129 |
++ * MSR_SPEC_CTRL works in "hardware": |
|
130 |
++ * |
|
131 |
++ * CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL |
|
132 |
++ */ |
|
133 |
++static __always_inline void amd_set_core_ssb_state(unsigned long tifn) |
|
134 |
++{ |
|
135 |
++ struct ssb_state *st = this_cpu_ptr(&ssb_state); |
|
136 |
++ u64 msr = x86_amd_ls_cfg_base; |
|
137 |
++ |
|
138 |
++ if (!static_cpu_has(X86_FEATURE_ZEN)) { |
|
139 |
++ msr |= ssbd_tif_to_amd_ls_cfg(tifn); |
|
140 |
+ wrmsrl(MSR_AMD64_LS_CFG, msr); |
|
141 |
++ return; |
|
142 |
++ } |
|
143 |
++ |
|
144 |
++ if (tifn & _TIF_SSBD) { |
|
145 |
++ /* |
|
146 |
++ * Since this can race with prctl(), block reentry on the |
|
147 |
++ * same CPU. |
|
148 |
++ */ |
|
149 |
++ if (__test_and_set_bit(LSTATE_SSB, &st->local_state)) |
|
150 |
++ return; |
|
151 |
++ |
|
152 |
++ msr |= x86_amd_ls_cfg_ssbd_mask; |
|
153 |
++ |
|
154 |
++ raw_spin_lock(&st->shared_state->lock); |
|
155 |
++ /* First sibling enables SSBD: */ |
|
156 |
++ if (!st->shared_state->disable_state) |
|
157 |
++ wrmsrl(MSR_AMD64_LS_CFG, msr); |
|
158 |
++ st->shared_state->disable_state++; |
|
159 |
++ raw_spin_unlock(&st->shared_state->lock); |
|
160 |
+ } else { |
|
161 |
+- msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn); |
|
162 |
+- wrmsrl(MSR_IA32_SPEC_CTRL, msr); |
|
163 |
++ if (!__test_and_clear_bit(LSTATE_SSB, &st->local_state)) |
|
164 |
++ return; |
|
165 |
++ |
|
166 |
++ raw_spin_lock(&st->shared_state->lock); |
|
167 |
++ st->shared_state->disable_state--; |
|
168 |
++ if (!st->shared_state->disable_state) |
|
169 |
++ wrmsrl(MSR_AMD64_LS_CFG, msr); |
|
170 |
++ raw_spin_unlock(&st->shared_state->lock); |
|
171 |
+ } |
|
172 |
+ } |
|
173 |
++#else |
|
174 |
++static __always_inline void amd_set_core_ssb_state(unsigned long tifn) |
|
175 |
++{ |
|
176 |
++ u64 msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn); |
|
177 |
++ |
|
178 |
++ wrmsrl(MSR_AMD64_LS_CFG, msr); |
|
179 |
++} |
|
180 |
++#endif |
|
181 |
++ |
|
182 |
++static __always_inline void intel_set_ssb_state(unsigned long tifn) |
|
183 |
++{ |
|
184 |
++ u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn); |
|
185 |
++ |
|
186 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, msr); |
|
187 |
++} |
|
188 |
++ |
|
189 |
++static __always_inline void __speculative_store_bypass_update(unsigned long tifn) |
|
190 |
++{ |
|
191 |
++ if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) |
|
192 |
++ amd_set_core_ssb_state(tifn); |
|
193 |
++ else |
|
194 |
++ intel_set_ssb_state(tifn); |
|
195 |
++} |
|
196 |
+ |
|
197 |
+ void speculative_store_bypass_update(void) |
|
198 |
+ { |
|
199 |
++ preempt_disable(); |
|
200 |
+ __speculative_store_bypass_update(current_thread_info()->flags); |
|
201 |
++ preempt_enable(); |
|
202 |
+ } |
|
203 |
+ |
|
204 |
+ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p, |
|
205 |
+diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c |
|
206 |
+index 83929cc4..cb94514 100644 |
|
207 |
+--- a/arch/x86/kernel/smpboot.c |
|
208 |
+@@ -75,6 +75,7 @@ |
|
209 |
+ #include <asm/i8259.h> |
|
210 |
+ #include <asm/realmode.h> |
|
211 |
+ #include <asm/misc.h> |
|
212 |
++#include <asm/spec-ctrl.h> |
|
213 |
+ |
|
214 |
+ /* Number of siblings per CPU package */ |
|
215 |
+ int smp_num_siblings = 1; |
|
216 |
+@@ -229,6 +230,8 @@ static void notrace start_secondary(void *unused) |
|
217 |
+ */ |
|
218 |
+ check_tsc_sync_target(); |
|
219 |
+ |
|
220 |
++ speculative_store_bypass_ht_init(); |
|
221 |
++ |
|
222 |
+ /* |
|
223 |
+ * Lock vector_lock and initialize the vectors on this cpu |
|
224 |
+ * before setting the cpu online. We must set it online with |
|
225 |
+@@ -1325,6 +1328,8 @@ void __init native_smp_prepare_cpus(unsigned int max_cpus) |
|
226 |
+ set_mtrr_aps_delayed_init(); |
|
227 |
+ |
|
228 |
+ smp_quirk_init_udelay(); |
|
229 |
++ |
|
230 |
++ speculative_store_bypass_ht_init(); |
|
231 |
+ } |
|
232 |
+ |
|
233 |
+ void arch_enable_nonboot_cpus_begin(void) |
|
234 |
+-- |
|
235 |
+2.7.4 |
|
236 |
+ |
0 | 237 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,163 @@ |
0 |
+From 56e877154f4bae42342edf644f77d446e102690d Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Wed, 9 May 2018 23:01:01 +0200 |
|
3 |
+Subject: [PATCH 44/54] x86/bugs, KVM: Extend speculation control for |
|
4 |
+ VIRT_SPEC_CTRL |
|
5 |
+ |
|
6 |
+commit ccbcd2674472a978b48c91c1fbfb66c0ff959f24 upstream |
|
7 |
+ |
|
8 |
+AMD is proposing a VIRT_SPEC_CTRL MSR to handle the Speculative Store |
|
9 |
+Bypass Disable via MSR_AMD64_LS_CFG so that guests do not have to care |
|
10 |
+about the bit position of the SSBD bit and thus facilitate migration. |
|
11 |
+Also, the sibling coordination on Family 17H CPUs can only be done on |
|
12 |
+the host. |
|
13 |
+ |
|
14 |
+Extend x86_spec_ctrl_set_guest() and x86_spec_ctrl_restore_host() with an |
|
15 |
+extra argument for the VIRT_SPEC_CTRL MSR. |
|
16 |
+ |
|
17 |
+Hand in 0 from VMX and in SVM add a new virt_spec_ctrl member to the CPU |
|
18 |
+data structure which is going to be used in later patches for the actual |
|
19 |
+implementation. |
|
20 |
+ |
|
21 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
22 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
23 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
24 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
25 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
26 |
+--- |
|
27 |
+ arch/x86/include/asm/spec-ctrl.h | 9 ++++++--- |
|
28 |
+ arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++++++++-- |
|
29 |
+ arch/x86/kvm/svm.c | 11 +++++++++-- |
|
30 |
+ arch/x86/kvm/vmx.c | 5 +++-- |
|
31 |
+ 4 files changed, 36 insertions(+), 9 deletions(-) |
|
32 |
+ |
|
33 |
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h |
|
34 |
+index 0cb49c4..6e28740 100644 |
|
35 |
+--- a/arch/x86/include/asm/spec-ctrl.h |
|
36 |
+@@ -10,10 +10,13 @@ |
|
37 |
+ * the guest has, while on VMEXIT we restore the host view. This |
|
38 |
+ * would be easier if SPEC_CTRL were architecturally maskable or |
|
39 |
+ * shadowable for guests but this is not (currently) the case. |
|
40 |
+- * Takes the guest view of SPEC_CTRL MSR as a parameter. |
|
41 |
++ * Takes the guest view of SPEC_CTRL MSR as a parameter and also |
|
42 |
++ * the guest's version of VIRT_SPEC_CTRL, if emulated. |
|
43 |
+ */ |
|
44 |
+-extern void x86_spec_ctrl_set_guest(u64); |
|
45 |
+-extern void x86_spec_ctrl_restore_host(u64); |
|
46 |
++extern void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, |
|
47 |
++ u64 guest_virt_spec_ctrl); |
|
48 |
++extern void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, |
|
49 |
++ u64 guest_virt_spec_ctrl); |
|
50 |
+ |
|
51 |
+ /* AMD specific Speculative Store Bypass MSR data */ |
|
52 |
+ extern u64 x86_amd_ls_cfg_base; |
|
53 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
54 |
+index 15a6c58..d00e246 100644 |
|
55 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
56 |
+@@ -150,7 +150,15 @@ u64 x86_spec_ctrl_get_default(void) |
|
57 |
+ } |
|
58 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); |
|
59 |
+ |
|
60 |
+-void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) |
|
61 |
++/** |
|
62 |
++ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest |
|
63 |
++ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL |
|
64 |
++ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL |
|
65 |
++ * (may get translated to MSR_AMD64_LS_CFG bits) |
|
66 |
++ * |
|
67 |
++ * Avoids writing to the MSR if the content/bits are the same |
|
68 |
++ */ |
|
69 |
++void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) |
|
70 |
+ { |
|
71 |
+ u64 host = x86_spec_ctrl_base; |
|
72 |
+ |
|
73 |
+@@ -167,7 +175,15 @@ void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl) |
|
74 |
+ } |
|
75 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest); |
|
76 |
+ |
|
77 |
+-void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl) |
|
78 |
++/** |
|
79 |
++ * x86_spec_ctrl_restore_host - Restore host speculation control registers |
|
80 |
++ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL |
|
81 |
++ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL |
|
82 |
++ * (may get translated to MSR_AMD64_LS_CFG bits) |
|
83 |
++ * |
|
84 |
++ * Avoids writing to the MSR if the content/bits are the same |
|
85 |
++ */ |
|
86 |
++void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) |
|
87 |
+ { |
|
88 |
+ u64 host = x86_spec_ctrl_base; |
|
89 |
+ |
|
90 |
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c |
|
91 |
+index d1a4321..57c96f1 100644 |
|
92 |
+--- a/arch/x86/kvm/svm.c |
|
93 |
+@@ -185,6 +185,12 @@ struct vcpu_svm { |
|
94 |
+ } host; |
|
95 |
+ |
|
96 |
+ u64 spec_ctrl; |
|
97 |
++ /* |
|
98 |
++ * Contains guest-controlled bits of VIRT_SPEC_CTRL, which will be |
|
99 |
++ * translated into the appropriate L2_CFG bits on the host to |
|
100 |
++ * perform speculative control. |
|
101 |
++ */ |
|
102 |
++ u64 virt_spec_ctrl; |
|
103 |
+ |
|
104 |
+ u32 *msrpm; |
|
105 |
+ |
|
106 |
+@@ -1561,6 +1567,7 @@ static void svm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) |
|
107 |
+ u32 eax = 1; |
|
108 |
+ |
|
109 |
+ svm->spec_ctrl = 0; |
|
110 |
++ svm->virt_spec_ctrl = 0; |
|
111 |
+ |
|
112 |
+ if (!init_event) { |
|
113 |
+ svm->vcpu.arch.apic_base = APIC_DEFAULT_PHYS_BASE | |
|
114 |
+@@ -4917,7 +4924,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) |
|
115 |
+ * is no need to worry about the conditional branch over the wrmsr |
|
116 |
+ * being speculatively taken. |
|
117 |
+ */ |
|
118 |
+- x86_spec_ctrl_set_guest(svm->spec_ctrl); |
|
119 |
++ x86_spec_ctrl_set_guest(svm->spec_ctrl, svm->virt_spec_ctrl); |
|
120 |
+ |
|
121 |
+ asm volatile ( |
|
122 |
+ "push %%" _ASM_BP "; \n\t" |
|
123 |
+@@ -5041,7 +5048,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) |
|
124 |
+ if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) |
|
125 |
+ svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); |
|
126 |
+ |
|
127 |
+- x86_spec_ctrl_restore_host(svm->spec_ctrl); |
|
128 |
++ x86_spec_ctrl_restore_host(svm->spec_ctrl, svm->virt_spec_ctrl); |
|
129 |
+ |
|
130 |
+ reload_tss(vcpu); |
|
131 |
+ |
|
132 |
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
|
133 |
+index 874b661..f1d158a 100644 |
|
134 |
+--- a/arch/x86/kvm/vmx.c |
|
135 |
+@@ -8916,9 +8916,10 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
|
136 |
+ * is no need to worry about the conditional branch over the wrmsr |
|
137 |
+ * being speculatively taken. |
|
138 |
+ */ |
|
139 |
+- x86_spec_ctrl_set_guest(vmx->spec_ctrl); |
|
140 |
++ x86_spec_ctrl_set_guest(vmx->spec_ctrl, 0); |
|
141 |
+ |
|
142 |
+ vmx->__launched = vmx->loaded_vmcs->launched; |
|
143 |
++ |
|
144 |
+ asm( |
|
145 |
+ /* Store host registers */ |
|
146 |
+ "push %%" _ASM_DX "; push %%" _ASM_BP ";" |
|
147 |
+@@ -9054,7 +9055,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
|
148 |
+ if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) |
|
149 |
+ vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); |
|
150 |
+ |
|
151 |
+- x86_spec_ctrl_restore_host(vmx->spec_ctrl); |
|
152 |
++ x86_spec_ctrl_restore_host(vmx->spec_ctrl, 0); |
|
153 |
+ |
|
154 |
+ /* Eliminate branch target predictions from guest mode */ |
|
155 |
+ vmexit_fill_RSB(); |
|
156 |
+-- |
|
157 |
+2.7.4 |
|
158 |
+ |
0 | 159 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,104 @@ |
0 |
+From 1aa0d4cbe3810b3161bad906163e198bb6f3f753 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Tom Lendacky <thomas.lendacky@amd.com> |
|
2 |
+Date: Thu, 17 May 2018 17:09:18 +0200 |
|
3 |
+Subject: [PATCH 45/54] x86/speculation: Add virtualized speculative store |
|
4 |
+ bypass disable support |
|
5 |
+ |
|
6 |
+commit 11fb0683493b2da112cd64c9dada221b52463bf7 upstream |
|
7 |
+ |
|
8 |
+Some AMD processors only support a non-architectural means of enabling |
|
9 |
+speculative store bypass disable (SSBD). To allow a simplified view of |
|
10 |
+this to a guest, an architectural definition has been created through a new |
|
11 |
+CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a |
|
12 |
+hypervisor can virtualize the existence of this definition and provide an |
|
13 |
+architectural method for using SSBD to a guest. |
|
14 |
+ |
|
15 |
+Add the new CPUID feature, the new MSR and update the existing SSBD |
|
16 |
+support to use this MSR when present. |
|
17 |
+ |
|
18 |
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> |
|
19 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
20 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
21 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
22 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
23 |
+--- |
|
24 |
+ arch/x86/include/asm/cpufeatures.h | 1 + |
|
25 |
+ arch/x86/include/asm/msr-index.h | 2 ++ |
|
26 |
+ arch/x86/kernel/cpu/bugs.c | 4 +++- |
|
27 |
+ arch/x86/kernel/process.c | 13 ++++++++++++- |
|
28 |
+ 4 files changed, 18 insertions(+), 2 deletions(-) |
|
29 |
+ |
|
30 |
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h |
|
31 |
+index ec87b8c..c278f27 100644 |
|
32 |
+--- a/arch/x86/include/asm/cpufeatures.h |
|
33 |
+@@ -274,6 +274,7 @@ |
|
34 |
+ #define X86_FEATURE_AMD_IBPB (13*32+12) /* Indirect Branch Prediction Barrier */ |
|
35 |
+ #define X86_FEATURE_AMD_IBRS (13*32+14) /* Indirect Branch Restricted Speculation */ |
|
36 |
+ #define X86_FEATURE_AMD_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors */ |
|
37 |
++#define X86_FEATURE_VIRT_SSBD (13*32+25) /* Virtualized Speculative Store Bypass Disable */ |
|
38 |
+ |
|
39 |
+ /* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */ |
|
40 |
+ #define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */ |
|
41 |
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h |
|
42 |
+index b67d57e..9fd9dcf 100644 |
|
43 |
+--- a/arch/x86/include/asm/msr-index.h |
|
44 |
+@@ -323,6 +323,8 @@ |
|
45 |
+ #define MSR_AMD64_IBSOPDATA4 0xc001103d |
|
46 |
+ #define MSR_AMD64_IBS_REG_COUNT_MAX 8 /* includes MSR_AMD64_IBSBRTARGET */ |
|
47 |
+ |
|
48 |
++#define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f |
|
49 |
++ |
|
50 |
+ /* Fam 17h MSRs */ |
|
51 |
+ #define MSR_F17H_IRPERF 0xc00000e9 |
|
52 |
+ |
|
53 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
54 |
+index d00e246..97987b5 100644 |
|
55 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
56 |
+@@ -204,7 +204,9 @@ static void x86_amd_ssb_disable(void) |
|
57 |
+ { |
|
58 |
+ u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask; |
|
59 |
+ |
|
60 |
+- if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) |
|
61 |
++ if (boot_cpu_has(X86_FEATURE_VIRT_SSBD)) |
|
62 |
++ wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD); |
|
63 |
++ else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) |
|
64 |
+ wrmsrl(MSR_AMD64_LS_CFG, msrval); |
|
65 |
+ } |
|
66 |
+ |
|
67 |
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
|
68 |
+index 1e9d155..6d9e1ee 100644 |
|
69 |
+--- a/arch/x86/kernel/process.c |
|
70 |
+@@ -312,6 +312,15 @@ static __always_inline void amd_set_core_ssb_state(unsigned long tifn) |
|
71 |
+ } |
|
72 |
+ #endif |
|
73 |
+ |
|
74 |
++static __always_inline void amd_set_ssb_virt_state(unsigned long tifn) |
|
75 |
++{ |
|
76 |
++ /* |
|
77 |
++ * SSBD has the same definition in SPEC_CTRL and VIRT_SPEC_CTRL, |
|
78 |
++ * so ssbd_tif_to_spec_ctrl() just works. |
|
79 |
++ */ |
|
80 |
++ wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, ssbd_tif_to_spec_ctrl(tifn)); |
|
81 |
++} |
|
82 |
++ |
|
83 |
+ static __always_inline void intel_set_ssb_state(unsigned long tifn) |
|
84 |
+ { |
|
85 |
+ u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn); |
|
86 |
+@@ -321,7 +330,9 @@ static __always_inline void intel_set_ssb_state(unsigned long tifn) |
|
87 |
+ |
|
88 |
+ static __always_inline void __speculative_store_bypass_update(unsigned long tifn) |
|
89 |
+ { |
|
90 |
+- if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) |
|
91 |
++ if (static_cpu_has(X86_FEATURE_VIRT_SSBD)) |
|
92 |
++ amd_set_ssb_virt_state(tifn); |
|
93 |
++ else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) |
|
94 |
+ amd_set_core_ssb_state(tifn); |
|
95 |
+ else |
|
96 |
+ intel_set_ssb_state(tifn); |
|
97 |
+-- |
|
98 |
+2.7.4 |
|
99 |
+ |
0 | 100 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,75 @@ |
0 |
+From 5be915f638a3c90d5b8ee435f586377438bd4c05 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Thu, 10 May 2018 20:31:44 +0200 |
|
3 |
+Subject: [PATCH 46/54] x86/speculation: Rework |
|
4 |
+ speculative_store_bypass_update() |
|
5 |
+ |
|
6 |
+commit 0270be3e34efb05a88bc4c422572ece038ef3608 upstream |
|
7 |
+ |
|
8 |
+The upcoming support for the virtual SPEC_CTRL MSR on AMD needs to reuse |
|
9 |
+speculative_store_bypass_update() to avoid code duplication. Add an |
|
10 |
+argument for supplying a thread info (TIF) value and create a wrapper |
|
11 |
+speculative_store_bypass_update_current() which is used at the existing |
|
12 |
+call site. |
|
13 |
+ |
|
14 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
15 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
16 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
17 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
18 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
19 |
+--- |
|
20 |
+ arch/x86/include/asm/spec-ctrl.h | 7 ++++++- |
|
21 |
+ arch/x86/kernel/cpu/bugs.c | 2 +- |
|
22 |
+ arch/x86/kernel/process.c | 4 ++-- |
|
23 |
+ 3 files changed, 9 insertions(+), 4 deletions(-) |
|
24 |
+ |
|
25 |
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h |
|
26 |
+index 6e28740..82b6c5a 100644 |
|
27 |
+--- a/arch/x86/include/asm/spec-ctrl.h |
|
28 |
+@@ -42,6 +42,11 @@ extern void speculative_store_bypass_ht_init(void); |
|
29 |
+ static inline void speculative_store_bypass_ht_init(void) { } |
|
30 |
+ #endif |
|
31 |
+ |
|
32 |
+-extern void speculative_store_bypass_update(void); |
|
33 |
++extern void speculative_store_bypass_update(unsigned long tif); |
|
34 |
++ |
|
35 |
++static inline void speculative_store_bypass_update_current(void) |
|
36 |
++{ |
|
37 |
++ speculative_store_bypass_update(current_thread_info()->flags); |
|
38 |
++} |
|
39 |
+ |
|
40 |
+ #endif |
|
41 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
42 |
+index 97987b5..eddbdc8 100644 |
|
43 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
44 |
+@@ -597,7 +597,7 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) |
|
45 |
+ * mitigation until it is next scheduled. |
|
46 |
+ */ |
|
47 |
+ if (task == current && update) |
|
48 |
+- speculative_store_bypass_update(); |
|
49 |
++ speculative_store_bypass_update_current(); |
|
50 |
+ |
|
51 |
+ return 0; |
|
52 |
+ } |
|
53 |
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
|
54 |
+index 6d9e1ee..00a9047 100644 |
|
55 |
+--- a/arch/x86/kernel/process.c |
|
56 |
+@@ -338,10 +338,10 @@ static __always_inline void __speculative_store_bypass_update(unsigned long tifn |
|
57 |
+ intel_set_ssb_state(tifn); |
|
58 |
+ } |
|
59 |
+ |
|
60 |
+-void speculative_store_bypass_update(void) |
|
61 |
++void speculative_store_bypass_update(unsigned long tif) |
|
62 |
+ { |
|
63 |
+ preempt_disable(); |
|
64 |
+- __speculative_store_bypass_update(current_thread_info()->flags); |
|
65 |
++ __speculative_store_bypass_update(tif); |
|
66 |
+ preempt_enable(); |
|
67 |
+ } |
|
68 |
+ |
|
69 |
+-- |
|
70 |
+2.7.4 |
|
71 |
+ |
0 | 72 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,145 @@ |
0 |
+From 7b74e5e60aab9eb69f6e7df757292da84bdbee36 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Borislav Petkov <bp@suse.de> |
|
2 |
+Date: Sat, 12 May 2018 00:14:51 +0200 |
|
3 |
+Subject: [PATCH 47/54] x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host} |
|
4 |
+ |
|
5 |
+commit cc69b34989210f067b2c51d5539b5f96ebcc3a01 upstream |
|
6 |
+ |
|
7 |
+Function bodies are very similar and are going to grow more almost |
|
8 |
+identical code. Add a bool arg to determine whether SPEC_CTRL is being set |
|
9 |
+for the guest or restored to the host. |
|
10 |
+ |
|
11 |
+No functional changes. |
|
12 |
+ |
|
13 |
+Signed-off-by: Borislav Petkov <bp@suse.de> |
|
14 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
15 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
16 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
17 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
18 |
+--- |
|
19 |
+ arch/x86/include/asm/spec-ctrl.h | 33 +++++++++++++++++++--- |
|
20 |
+ arch/x86/kernel/cpu/bugs.c | 60 ++++++++++------------------------------ |
|
21 |
+ 2 files changed, 44 insertions(+), 49 deletions(-) |
|
22 |
+ |
|
23 |
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h |
|
24 |
+index 82b6c5a..9cecbe5 100644 |
|
25 |
+--- a/arch/x86/include/asm/spec-ctrl.h |
|
26 |
+@@ -13,10 +13,35 @@ |
|
27 |
+ * Takes the guest view of SPEC_CTRL MSR as a parameter and also |
|
28 |
+ * the guest's version of VIRT_SPEC_CTRL, if emulated. |
|
29 |
+ */ |
|
30 |
+-extern void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, |
|
31 |
+- u64 guest_virt_spec_ctrl); |
|
32 |
+-extern void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, |
|
33 |
+- u64 guest_virt_spec_ctrl); |
|
34 |
++extern void x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool guest); |
|
35 |
++ |
|
36 |
++/** |
|
37 |
++ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest |
|
38 |
++ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL |
|
39 |
++ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL |
|
40 |
++ * (may get translated to MSR_AMD64_LS_CFG bits) |
|
41 |
++ * |
|
42 |
++ * Avoids writing to the MSR if the content/bits are the same |
|
43 |
++ */ |
|
44 |
++static inline |
|
45 |
++void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) |
|
46 |
++{ |
|
47 |
++ x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true); |
|
48 |
++} |
|
49 |
++ |
|
50 |
++/** |
|
51 |
++ * x86_spec_ctrl_restore_host - Restore host speculation control registers |
|
52 |
++ * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL |
|
53 |
++ * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL |
|
54 |
++ * (may get translated to MSR_AMD64_LS_CFG bits) |
|
55 |
++ * |
|
56 |
++ * Avoids writing to the MSR if the content/bits are the same |
|
57 |
++ */ |
|
58 |
++static inline |
|
59 |
++void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) |
|
60 |
++{ |
|
61 |
++ x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false); |
|
62 |
++} |
|
63 |
+ |
|
64 |
+ /* AMD specific Speculative Store Bypass MSR data */ |
|
65 |
+ extern u64 x86_amd_ls_cfg_base; |
|
66 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
67 |
+index eddbdc8..9203150 100644 |
|
68 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
69 |
+@@ -150,55 +150,25 @@ u64 x86_spec_ctrl_get_default(void) |
|
70 |
+ } |
|
71 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); |
|
72 |
+ |
|
73 |
+-/** |
|
74 |
+- * x86_spec_ctrl_set_guest - Set speculation control registers for the guest |
|
75 |
+- * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL |
|
76 |
+- * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL |
|
77 |
+- * (may get translated to MSR_AMD64_LS_CFG bits) |
|
78 |
+- * |
|
79 |
+- * Avoids writing to the MSR if the content/bits are the same |
|
80 |
+- */ |
|
81 |
+-void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) |
|
82 |
++void |
|
83 |
++x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) |
|
84 |
+ { |
|
85 |
+- u64 host = x86_spec_ctrl_base; |
|
86 |
++ struct thread_info *ti = current_thread_info(); |
|
87 |
++ u64 msr, host = x86_spec_ctrl_base; |
|
88 |
+ |
|
89 |
+ /* Is MSR_SPEC_CTRL implemented ? */ |
|
90 |
+- if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
91 |
+- return; |
|
92 |
+- |
|
93 |
+- /* SSBD controlled in MSR_SPEC_CTRL */ |
|
94 |
+- if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD)) |
|
95 |
+- host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
96 |
+- |
|
97 |
+- if (host != guest_spec_ctrl) |
|
98 |
+- wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl); |
|
99 |
+-} |
|
100 |
+-EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest); |
|
101 |
+- |
|
102 |
+-/** |
|
103 |
+- * x86_spec_ctrl_restore_host - Restore host speculation control registers |
|
104 |
+- * @guest_spec_ctrl: The guest content of MSR_SPEC_CTRL |
|
105 |
+- * @guest_virt_spec_ctrl: The guest controlled bits of MSR_VIRT_SPEC_CTRL |
|
106 |
+- * (may get translated to MSR_AMD64_LS_CFG bits) |
|
107 |
+- * |
|
108 |
+- * Avoids writing to the MSR if the content/bits are the same |
|
109 |
+- */ |
|
110 |
+-void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) |
|
111 |
+-{ |
|
112 |
+- u64 host = x86_spec_ctrl_base; |
|
113 |
+- |
|
114 |
+- /* Is MSR_SPEC_CTRL implemented ? */ |
|
115 |
+- if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
116 |
+- return; |
|
117 |
+- |
|
118 |
+- /* SSBD controlled in MSR_SPEC_CTRL */ |
|
119 |
+- if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD)) |
|
120 |
+- host |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
121 |
+- |
|
122 |
+- if (host != guest_spec_ctrl) |
|
123 |
+- wrmsrl(MSR_IA32_SPEC_CTRL, host); |
|
124 |
++ if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) { |
|
125 |
++ /* SSBD controlled in MSR_SPEC_CTRL */ |
|
126 |
++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD)) |
|
127 |
++ host |= ssbd_tif_to_spec_ctrl(ti->flags); |
|
128 |
++ |
|
129 |
++ if (host != guest_spec_ctrl) { |
|
130 |
++ msr = setguest ? guest_spec_ctrl : host; |
|
131 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, msr); |
|
132 |
++ } |
|
133 |
++ } |
|
134 |
+ } |
|
135 |
+-EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host); |
|
136 |
++EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl); |
|
137 |
+ |
|
138 |
+ static void x86_amd_ssb_disable(void) |
|
139 |
+ { |
|
140 |
+-- |
|
141 |
+2.7.4 |
|
142 |
+ |
0 | 143 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,120 @@ |
0 |
+From deeee7b974828f923efeb93946efc701dd668f78 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Sat, 12 May 2018 20:49:16 +0200 |
|
3 |
+Subject: [PATCH 48/54] x86/bugs: Expose x86_spec_ctrl_base directly |
|
4 |
+ |
|
5 |
+commit fa8ac4988249c38476f6ad678a4848a736373403 upstream |
|
6 |
+ |
|
7 |
+x86_spec_ctrl_base is the system wide default value for the SPEC_CTRL MSR. |
|
8 |
+x86_spec_ctrl_get_default() returns x86_spec_ctrl_base and was intended to |
|
9 |
+prevent modification to that variable. Though the variable is read only |
|
10 |
+after init and globaly visible already. |
|
11 |
+ |
|
12 |
+Remove the function and export the variable instead. |
|
13 |
+ |
|
14 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
15 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
16 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
17 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
18 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
19 |
+--- |
|
20 |
+ arch/x86/include/asm/nospec-branch.h | 16 +++++----------- |
|
21 |
+ arch/x86/include/asm/spec-ctrl.h | 3 --- |
|
22 |
+ arch/x86/kernel/cpu/bugs.c | 11 +---------- |
|
23 |
+ 3 files changed, 6 insertions(+), 24 deletions(-) |
|
24 |
+ |
|
25 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
26 |
+index bc258e6..8d9deec 100644 |
|
27 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
28 |
+@@ -217,16 +217,7 @@ enum spectre_v2_mitigation { |
|
29 |
+ SPECTRE_V2_IBRS, |
|
30 |
+ }; |
|
31 |
+ |
|
32 |
+-/* |
|
33 |
+- * The Intel specification for the SPEC_CTRL MSR requires that we |
|
34 |
+- * preserve any already set reserved bits at boot time (e.g. for |
|
35 |
+- * future additions that this kernel is not currently aware of). |
|
36 |
+- * We then set any additional mitigation bits that we want |
|
37 |
+- * ourselves and always use this as the base for SPEC_CTRL. |
|
38 |
+- * We also use this when handling guest entry/exit as below. |
|
39 |
+- */ |
|
40 |
+ extern void x86_spec_ctrl_set(u64); |
|
41 |
+-extern u64 x86_spec_ctrl_get_default(void); |
|
42 |
+ |
|
43 |
+ /* The Speculative Store Bypass disable variants */ |
|
44 |
+ enum ssb_mitigation { |
|
45 |
+@@ -278,6 +269,9 @@ static inline void indirect_branch_prediction_barrier(void) |
|
46 |
+ alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB); |
|
47 |
+ } |
|
48 |
+ |
|
49 |
++/* The Intel SPEC CTRL MSR base value cache */ |
|
50 |
++extern u64 x86_spec_ctrl_base; |
|
51 |
++ |
|
52 |
+ /* |
|
53 |
+ * With retpoline, we must use IBRS to restrict branch prediction |
|
54 |
+ * before calling into firmware. |
|
55 |
+@@ -286,7 +280,7 @@ static inline void indirect_branch_prediction_barrier(void) |
|
56 |
+ */ |
|
57 |
+ #define firmware_restrict_branch_speculation_start() \ |
|
58 |
+ do { \ |
|
59 |
+- u64 val = x86_spec_ctrl_get_default() | SPEC_CTRL_IBRS; \ |
|
60 |
++ u64 val = x86_spec_ctrl_base | SPEC_CTRL_IBRS; \ |
|
61 |
+ \ |
|
62 |
+ preempt_disable(); \ |
|
63 |
+ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ |
|
64 |
+@@ -295,7 +289,7 @@ do { \ |
|
65 |
+ |
|
66 |
+ #define firmware_restrict_branch_speculation_end() \ |
|
67 |
+ do { \ |
|
68 |
+- u64 val = x86_spec_ctrl_get_default(); \ |
|
69 |
++ u64 val = x86_spec_ctrl_base; \ |
|
70 |
+ \ |
|
71 |
+ alternative_msr_write(MSR_IA32_SPEC_CTRL, val, \ |
|
72 |
+ X86_FEATURE_USE_IBRS_FW); \ |
|
73 |
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h |
|
74 |
+index 9cecbe5..763d497 100644 |
|
75 |
+--- a/arch/x86/include/asm/spec-ctrl.h |
|
76 |
+@@ -47,9 +47,6 @@ void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl) |
|
77 |
+ extern u64 x86_amd_ls_cfg_base; |
|
78 |
+ extern u64 x86_amd_ls_cfg_ssbd_mask; |
|
79 |
+ |
|
80 |
+-/* The Intel SPEC CTRL MSR base value cache */ |
|
81 |
+-extern u64 x86_spec_ctrl_base; |
|
82 |
+- |
|
83 |
+ static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn) |
|
84 |
+ { |
|
85 |
+ BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT); |
|
86 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
87 |
+index 9203150..47b7f4f 100644 |
|
88 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
89 |
+@@ -35,6 +35,7 @@ static void __init ssb_select_mitigation(void); |
|
90 |
+ * writes to SPEC_CTRL contain whatever reserved bits have been set. |
|
91 |
+ */ |
|
92 |
+ u64 __ro_after_init x86_spec_ctrl_base; |
|
93 |
++EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); |
|
94 |
+ |
|
95 |
+ /* |
|
96 |
+ * The vendor and possibly platform specific bits which can be modified in |
|
97 |
+@@ -140,16 +141,6 @@ void x86_spec_ctrl_set(u64 val) |
|
98 |
+ } |
|
99 |
+ EXPORT_SYMBOL_GPL(x86_spec_ctrl_set); |
|
100 |
+ |
|
101 |
+-u64 x86_spec_ctrl_get_default(void) |
|
102 |
+-{ |
|
103 |
+- u64 msrval = x86_spec_ctrl_base; |
|
104 |
+- |
|
105 |
+- if (static_cpu_has(X86_FEATURE_SPEC_CTRL)) |
|
106 |
+- msrval |= ssbd_tif_to_spec_ctrl(current_thread_info()->flags); |
|
107 |
+- return msrval; |
|
108 |
+-} |
|
109 |
+-EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default); |
|
110 |
+- |
|
111 |
+ void |
|
112 |
+ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) |
|
113 |
+ { |
|
114 |
+-- |
|
115 |
+2.7.4 |
|
116 |
+ |
0 | 117 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,76 @@ |
0 |
+From 5eb348cfda0c0efd41e44ca4ba6e267eb5877a3a Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Sat, 12 May 2018 20:53:14 +0200 |
|
3 |
+Subject: [PATCH 49/54] x86/bugs: Remove x86_spec_ctrl_set() |
|
4 |
+ |
|
5 |
+commit 4b59bdb569453a60b752b274ca61f009e37f4dae upstream |
|
6 |
+ |
|
7 |
+x86_spec_ctrl_set() is only used in bugs.c and the extra mask checks there |
|
8 |
+provide no real value as both call sites can just write x86_spec_ctrl_base |
|
9 |
+to MSR_SPEC_CTRL. x86_spec_ctrl_base is valid and does not need any extra |
|
10 |
+masking or checking. |
|
11 |
+ |
|
12 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
13 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
14 |
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
15 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
16 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
17 |
+--- |
|
18 |
+ arch/x86/include/asm/nospec-branch.h | 2 -- |
|
19 |
+ arch/x86/kernel/cpu/bugs.c | 13 ++----------- |
|
20 |
+ 2 files changed, 2 insertions(+), 13 deletions(-) |
|
21 |
+ |
|
22 |
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h |
|
23 |
+index 8d9deec..8b38df9 100644 |
|
24 |
+--- a/arch/x86/include/asm/nospec-branch.h |
|
25 |
+@@ -217,8 +217,6 @@ enum spectre_v2_mitigation { |
|
26 |
+ SPECTRE_V2_IBRS, |
|
27 |
+ }; |
|
28 |
+ |
|
29 |
+-extern void x86_spec_ctrl_set(u64); |
|
30 |
+- |
|
31 |
+ /* The Speculative Store Bypass disable variants */ |
|
32 |
+ enum ssb_mitigation { |
|
33 |
+ SPEC_STORE_BYPASS_NONE, |
|
34 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
35 |
+index 47b7f4f..82a99d0 100644 |
|
36 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
37 |
+@@ -132,15 +132,6 @@ static const char *spectre_v2_strings[] = { |
|
38 |
+ static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = |
|
39 |
+ SPECTRE_V2_NONE; |
|
40 |
+ |
|
41 |
+-void x86_spec_ctrl_set(u64 val) |
|
42 |
+-{ |
|
43 |
+- if (val & x86_spec_ctrl_mask) |
|
44 |
+- WARN_ONCE(1, "SPEC_CTRL MSR value 0x%16llx is unknown.\n", val); |
|
45 |
+- else |
|
46 |
+- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base | val); |
|
47 |
+-} |
|
48 |
+-EXPORT_SYMBOL_GPL(x86_spec_ctrl_set); |
|
49 |
+- |
|
50 |
+ void |
|
51 |
+ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) |
|
52 |
+ { |
|
53 |
+@@ -502,7 +493,7 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void) |
|
54 |
+ case X86_VENDOR_INTEL: |
|
55 |
+ x86_spec_ctrl_base |= SPEC_CTRL_SSBD; |
|
56 |
+ x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD; |
|
57 |
+- x86_spec_ctrl_set(SPEC_CTRL_SSBD); |
|
58 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
|
59 |
+ break; |
|
60 |
+ case X86_VENDOR_AMD: |
|
61 |
+ x86_amd_ssb_disable(); |
|
62 |
+@@ -614,7 +605,7 @@ int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) |
|
63 |
+ void x86_spec_ctrl_setup_ap(void) |
|
64 |
+ { |
|
65 |
+ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
66 |
+- x86_spec_ctrl_set(x86_spec_ctrl_base & ~x86_spec_ctrl_mask); |
|
67 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
|
68 |
+ |
|
69 |
+ if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) |
|
70 |
+ x86_amd_ssb_disable(); |
|
71 |
+-- |
|
72 |
+2.7.4 |
|
73 |
+ |
0 | 74 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,95 @@ |
0 |
+From 899b5d7cb4192d50163bb45e4957df11b4557696 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Sat, 12 May 2018 20:10:00 +0200 |
|
3 |
+Subject: [PATCH 50/54] x86/bugs: Rework spec_ctrl base and mask logic |
|
4 |
+ |
|
5 |
+commit be6fcb5478e95bb1c91f489121238deb3abca46a upstream |
|
6 |
+ |
|
7 |
+x86_spec_ctrL_mask is intended to mask out bits from a MSR_SPEC_CTRL value |
|
8 |
+which are not to be modified. However the implementation is not really used |
|
9 |
+and the bitmask was inverted to make a check easier, which was removed in |
|
10 |
+"x86/bugs: Remove x86_spec_ctrl_set()" |
|
11 |
+ |
|
12 |
+Aside of that it is missing the STIBP bit if it is supported by the |
|
13 |
+platform, so if the mask would be used in x86_virt_spec_ctrl() then it |
|
14 |
+would prevent a guest from setting STIBP. |
|
15 |
+ |
|
16 |
+Add the STIBP bit if supported and use the mask in x86_virt_spec_ctrl() to |
|
17 |
+sanitize the value which is supplied by the guest. |
|
18 |
+ |
|
19 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
20 |
+Reviewed-by: Borislav Petkov <bp@suse.de> |
|
21 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
22 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
23 |
+--- |
|
24 |
+ arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++------- |
|
25 |
+ 1 file changed, 19 insertions(+), 7 deletions(-) |
|
26 |
+ |
|
27 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
28 |
+index 82a99d0..2ae3586 100644 |
|
29 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
30 |
+@@ -41,7 +41,7 @@ EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); |
|
31 |
+ * The vendor and possibly platform specific bits which can be modified in |
|
32 |
+ * x86_spec_ctrl_base. |
|
33 |
+ */ |
|
34 |
+-static u64 __ro_after_init x86_spec_ctrl_mask = ~SPEC_CTRL_IBRS; |
|
35 |
++static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS; |
|
36 |
+ |
|
37 |
+ /* |
|
38 |
+ * AMD specific MSR info for Speculative Store Bypass control. |
|
39 |
+@@ -67,6 +67,10 @@ void __init check_bugs(void) |
|
40 |
+ if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
|
41 |
+ rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
|
42 |
+ |
|
43 |
++ /* Allow STIBP in MSR_SPEC_CTRL if supported */ |
|
44 |
++ if (boot_cpu_has(X86_FEATURE_STIBP)) |
|
45 |
++ x86_spec_ctrl_mask |= SPEC_CTRL_STIBP; |
|
46 |
++ |
|
47 |
+ /* Select the proper spectre mitigation before patching alternatives */ |
|
48 |
+ spectre_v2_select_mitigation(); |
|
49 |
+ |
|
50 |
+@@ -135,18 +139,26 @@ static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = |
|
51 |
+ void |
|
52 |
+ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) |
|
53 |
+ { |
|
54 |
++ u64 msrval, guestval, hostval = x86_spec_ctrl_base; |
|
55 |
+ struct thread_info *ti = current_thread_info(); |
|
56 |
+- u64 msr, host = x86_spec_ctrl_base; |
|
57 |
+ |
|
58 |
+ /* Is MSR_SPEC_CTRL implemented ? */ |
|
59 |
+ if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) { |
|
60 |
++ /* |
|
61 |
++ * Restrict guest_spec_ctrl to supported values. Clear the |
|
62 |
++ * modifiable bits in the host base value and or the |
|
63 |
++ * modifiable bits from the guest value. |
|
64 |
++ */ |
|
65 |
++ guestval = hostval & ~x86_spec_ctrl_mask; |
|
66 |
++ guestval |= guest_spec_ctrl & x86_spec_ctrl_mask; |
|
67 |
++ |
|
68 |
+ /* SSBD controlled in MSR_SPEC_CTRL */ |
|
69 |
+ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD)) |
|
70 |
+- host |= ssbd_tif_to_spec_ctrl(ti->flags); |
|
71 |
++ hostval |= ssbd_tif_to_spec_ctrl(ti->flags); |
|
72 |
+ |
|
73 |
+- if (host != guest_spec_ctrl) { |
|
74 |
+- msr = setguest ? guest_spec_ctrl : host; |
|
75 |
+- wrmsrl(MSR_IA32_SPEC_CTRL, msr); |
|
76 |
++ if (hostval != guestval) { |
|
77 |
++ msrval = setguest ? guestval : hostval; |
|
78 |
++ wrmsrl(MSR_IA32_SPEC_CTRL, msrval); |
|
79 |
+ } |
|
80 |
+ } |
|
81 |
+ } |
|
82 |
+@@ -492,7 +504,7 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void) |
|
83 |
+ switch (boot_cpu_data.x86_vendor) { |
|
84 |
+ case X86_VENDOR_INTEL: |
|
85 |
+ x86_spec_ctrl_base |= SPEC_CTRL_SSBD; |
|
86 |
+- x86_spec_ctrl_mask &= ~SPEC_CTRL_SSBD; |
|
87 |
++ x86_spec_ctrl_mask |= SPEC_CTRL_SSBD; |
|
88 |
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
|
89 |
+ break; |
|
90 |
+ case X86_VENDOR_AMD: |
|
91 |
+-- |
|
92 |
+2.7.4 |
|
93 |
+ |
0 | 94 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,84 @@ |
0 |
+From ea1f82069f5733039a4a535c3f8260c61b0ef793 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Thomas Gleixner <tglx@linutronix.de> |
|
2 |
+Date: Thu, 10 May 2018 20:42:48 +0200 |
|
3 |
+Subject: [PATCH 51/54] x86/speculation, KVM: Implement support for |
|
4 |
+ VIRT_SPEC_CTRL/LS_CFG |
|
5 |
+ |
|
6 |
+commit 47c61b3955cf712cadfc25635bf9bc174af030ea upstream |
|
7 |
+ |
|
8 |
+Add the necessary logic for supporting the emulated VIRT_SPEC_CTRL MSR to |
|
9 |
+x86_virt_spec_ctrl(). If either X86_FEATURE_LS_CFG_SSBD or |
|
10 |
+X86_FEATURE_VIRT_SPEC_CTRL is set then use the new guest_virt_spec_ctrl |
|
11 |
+argument to check whether the state must be modified on the host. The |
|
12 |
+update reuses speculative_store_bypass_update() so the ZEN-specific sibling |
|
13 |
+coordination can be reused. |
|
14 |
+ |
|
15 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
16 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
17 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
18 |
+--- |
|
19 |
+ arch/x86/include/asm/spec-ctrl.h | 6 ++++++ |
|
20 |
+ arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++++++++++++ |
|
21 |
+ 2 files changed, 36 insertions(+) |
|
22 |
+ |
|
23 |
+diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h |
|
24 |
+index 763d497..ae7c2c5 100644 |
|
25 |
+--- a/arch/x86/include/asm/spec-ctrl.h |
|
26 |
+@@ -53,6 +53,12 @@ static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn) |
|
27 |
+ return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT); |
|
28 |
+ } |
|
29 |
+ |
|
30 |
++static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl) |
|
31 |
++{ |
|
32 |
++ BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT); |
|
33 |
++ return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT); |
|
34 |
++} |
|
35 |
++ |
|
36 |
+ static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn) |
|
37 |
+ { |
|
38 |
+ return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL; |
|
39 |
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c |
|
40 |
+index 2ae3586..86af9b1 100644 |
|
41 |
+--- a/arch/x86/kernel/cpu/bugs.c |
|
42 |
+@@ -161,6 +161,36 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) |
|
43 |
+ wrmsrl(MSR_IA32_SPEC_CTRL, msrval); |
|
44 |
+ } |
|
45 |
+ } |
|
46 |
++ |
|
47 |
++ /* |
|
48 |
++ * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update |
|
49 |
++ * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported. |
|
50 |
++ */ |
|
51 |
++ if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) && |
|
52 |
++ !static_cpu_has(X86_FEATURE_VIRT_SSBD)) |
|
53 |
++ return; |
|
54 |
++ |
|
55 |
++ /* |
|
56 |
++ * If the host has SSBD mitigation enabled, force it in the host's |
|
57 |
++ * virtual MSR value. If its not permanently enabled, evaluate |
|
58 |
++ * current's TIF_SSBD thread flag. |
|
59 |
++ */ |
|
60 |
++ if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE)) |
|
61 |
++ hostval = SPEC_CTRL_SSBD; |
|
62 |
++ else |
|
63 |
++ hostval = ssbd_tif_to_spec_ctrl(ti->flags); |
|
64 |
++ |
|
65 |
++ /* Sanitize the guest value */ |
|
66 |
++ guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD; |
|
67 |
++ |
|
68 |
++ if (hostval != guestval) { |
|
69 |
++ unsigned long tif; |
|
70 |
++ |
|
71 |
++ tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) : |
|
72 |
++ ssbd_spec_ctrl_to_tif(hostval); |
|
73 |
++ |
|
74 |
++ speculative_store_bypass_update(tif); |
|
75 |
++ } |
|
76 |
+ } |
|
77 |
+ EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl); |
|
78 |
+ |
|
79 |
+-- |
|
80 |
+2.7.4 |
|
81 |
+ |
0 | 82 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,241 @@ |
0 |
+From 2bf8ebaf99e44d838272a02b32501511d716cb64 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Tom Lendacky <thomas.lendacky@amd.com> |
|
2 |
+Date: Thu, 10 May 2018 22:06:39 +0200 |
|
3 |
+Subject: [PATCH 52/54] KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD |
|
4 |
+ |
|
5 |
+commit bc226f07dcd3c9ef0b7f6236fe356ea4a9cb4769 upstream |
|
6 |
+ |
|
7 |
+Expose the new virtualized architectural mechanism, VIRT_SSBD, for using |
|
8 |
+speculative store bypass disable (SSBD) under SVM. This will allow guests |
|
9 |
+to use SSBD on hardware that uses non-architectural mechanisms for enabling |
|
10 |
+SSBD. |
|
11 |
+ |
|
12 |
+[ tglx: Folded the migration fixup from Paolo Bonzini ] |
|
13 |
+ |
|
14 |
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> |
|
15 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
16 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
17 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
18 |
+--- |
|
19 |
+ arch/x86/include/asm/kvm_host.h | 2 +- |
|
20 |
+ arch/x86/kernel/cpu/common.c | 3 ++- |
|
21 |
+ arch/x86/kvm/cpuid.c | 11 +++++++++-- |
|
22 |
+ arch/x86/kvm/cpuid.h | 9 +++++++++ |
|
23 |
+ arch/x86/kvm/svm.c | 21 +++++++++++++++++++-- |
|
24 |
+ arch/x86/kvm/vmx.c | 18 +++++++++++++++--- |
|
25 |
+ arch/x86/kvm/x86.c | 13 ++++--------- |
|
26 |
+ 7 files changed, 59 insertions(+), 18 deletions(-) |
|
27 |
+ |
|
28 |
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h |
|
29 |
+index 20cfeeb..7598a6c 100644 |
|
30 |
+--- a/arch/x86/include/asm/kvm_host.h |
|
31 |
+@@ -864,7 +864,7 @@ struct kvm_x86_ops { |
|
32 |
+ int (*hardware_setup)(void); /* __init */ |
|
33 |
+ void (*hardware_unsetup)(void); /* __exit */ |
|
34 |
+ bool (*cpu_has_accelerated_tpr)(void); |
|
35 |
+- bool (*cpu_has_high_real_mode_segbase)(void); |
|
36 |
++ bool (*has_emulated_msr)(int index); |
|
37 |
+ void (*cpuid_update)(struct kvm_vcpu *vcpu); |
|
38 |
+ |
|
39 |
+ int (*vm_init)(struct kvm *kvm); |
|
40 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
41 |
+index 945e841..40fc748 100644 |
|
42 |
+--- a/arch/x86/kernel/cpu/common.c |
|
43 |
+@@ -735,7 +735,8 @@ static void init_speculation_control(struct cpuinfo_x86 *c) |
|
44 |
+ if (cpu_has(c, X86_FEATURE_INTEL_STIBP)) |
|
45 |
+ set_cpu_cap(c, X86_FEATURE_STIBP); |
|
46 |
+ |
|
47 |
+- if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD)) |
|
48 |
++ if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD) || |
|
49 |
++ cpu_has(c, X86_FEATURE_VIRT_SSBD)) |
|
50 |
+ set_cpu_cap(c, X86_FEATURE_SSBD); |
|
51 |
+ |
|
52 |
+ if (cpu_has(c, X86_FEATURE_AMD_IBRS)) { |
|
53 |
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c |
|
54 |
+index 910c2db..a69f18d 100644 |
|
55 |
+--- a/arch/x86/kvm/cpuid.c |
|
56 |
+@@ -357,7 +357,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, |
|
57 |
+ |
|
58 |
+ /* cpuid 0x80000008.ebx */ |
|
59 |
+ const u32 kvm_cpuid_8000_0008_ebx_x86_features = |
|
60 |
+- F(AMD_IBPB) | F(AMD_IBRS); |
|
61 |
++ F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD); |
|
62 |
+ |
|
63 |
+ /* cpuid 0xC0000001.edx */ |
|
64 |
+ const u32 kvm_cpuid_C000_0001_edx_x86_features = |
|
65 |
+@@ -618,13 +618,20 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function, |
|
66 |
+ g_phys_as = phys_as; |
|
67 |
+ entry->eax = g_phys_as | (virt_as << 8); |
|
68 |
+ entry->edx = 0; |
|
69 |
+- /* IBRS and IBPB aren't necessarily present in hardware cpuid */ |
|
70 |
++ /* |
|
71 |
++ * IBRS, IBPB and VIRT_SSBD aren't necessarily present in |
|
72 |
++ * hardware cpuid |
|
73 |
++ */ |
|
74 |
+ if (boot_cpu_has(X86_FEATURE_AMD_IBPB)) |
|
75 |
+ entry->ebx |= F(AMD_IBPB); |
|
76 |
+ if (boot_cpu_has(X86_FEATURE_AMD_IBRS)) |
|
77 |
+ entry->ebx |= F(AMD_IBRS); |
|
78 |
++ if (boot_cpu_has(X86_FEATURE_VIRT_SSBD)) |
|
79 |
++ entry->ebx |= F(VIRT_SSBD); |
|
80 |
+ entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features; |
|
81 |
+ cpuid_mask(&entry->ebx, CPUID_8000_0008_EBX); |
|
82 |
++ if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) |
|
83 |
++ entry->ebx |= F(VIRT_SSBD); |
|
84 |
+ break; |
|
85 |
+ } |
|
86 |
+ case 0x80000019: |
|
87 |
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h |
|
88 |
+index eb47c37..c383697 100644 |
|
89 |
+--- a/arch/x86/kvm/cpuid.h |
|
90 |
+@@ -190,6 +190,15 @@ static inline bool guest_cpuid_has_arch_capabilities(struct kvm_vcpu *vcpu) |
|
91 |
+ return best && (best->edx & bit(X86_FEATURE_ARCH_CAPABILITIES)); |
|
92 |
+ } |
|
93 |
+ |
|
94 |
++static inline bool guest_cpuid_has_virt_ssbd(struct kvm_vcpu *vcpu) |
|
95 |
++{ |
|
96 |
++ struct kvm_cpuid_entry2 *best; |
|
97 |
++ |
|
98 |
++ best = kvm_find_cpuid_entry(vcpu, 0x80000008, 0); |
|
99 |
++ return best && (best->ebx & bit(X86_FEATURE_VIRT_SSBD)); |
|
100 |
++} |
|
101 |
++ |
|
102 |
++ |
|
103 |
+ |
|
104 |
+ /* |
|
105 |
+ * NRIPS is provided through cpuidfn 0x8000000a.edx bit 3 |
|
106 |
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c |
|
107 |
+index 57c96f1..a27f9e4 100644 |
|
108 |
+--- a/arch/x86/kvm/svm.c |
|
109 |
+@@ -3557,6 +3557,13 @@ static int svm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) |
|
110 |
+ |
|
111 |
+ msr_info->data = svm->spec_ctrl; |
|
112 |
+ break; |
|
113 |
++ case MSR_AMD64_VIRT_SPEC_CTRL: |
|
114 |
++ if (!msr_info->host_initiated && |
|
115 |
++ !guest_cpuid_has_virt_ssbd(vcpu)) |
|
116 |
++ return 1; |
|
117 |
++ |
|
118 |
++ msr_info->data = svm->virt_spec_ctrl; |
|
119 |
++ break; |
|
120 |
+ case MSR_IA32_UCODE_REV: |
|
121 |
+ msr_info->data = 0x01000065; |
|
122 |
+ break; |
|
123 |
+@@ -3691,6 +3698,16 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) |
|
124 |
+ break; |
|
125 |
+ set_msr_interception(svm->msrpm, MSR_IA32_PRED_CMD, 0, 1); |
|
126 |
+ break; |
|
127 |
++ case MSR_AMD64_VIRT_SPEC_CTRL: |
|
128 |
++ if (!msr->host_initiated && |
|
129 |
++ !guest_cpuid_has_virt_ssbd(vcpu)) |
|
130 |
++ return 1; |
|
131 |
++ |
|
132 |
++ if (data & ~SPEC_CTRL_SSBD) |
|
133 |
++ return 1; |
|
134 |
++ |
|
135 |
++ svm->virt_spec_ctrl = data; |
|
136 |
++ break; |
|
137 |
+ case MSR_STAR: |
|
138 |
+ svm->vmcb->save.star = data; |
|
139 |
+ break; |
|
140 |
+@@ -5150,7 +5167,7 @@ static bool svm_cpu_has_accelerated_tpr(void) |
|
141 |
+ return false; |
|
142 |
+ } |
|
143 |
+ |
|
144 |
+-static bool svm_has_high_real_mode_segbase(void) |
|
145 |
++static bool svm_has_emulated_msr(int index) |
|
146 |
+ { |
|
147 |
+ return true; |
|
148 |
+ } |
|
149 |
+@@ -5467,7 +5484,7 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = { |
|
150 |
+ .hardware_enable = svm_hardware_enable, |
|
151 |
+ .hardware_disable = svm_hardware_disable, |
|
152 |
+ .cpu_has_accelerated_tpr = svm_cpu_has_accelerated_tpr, |
|
153 |
+- .cpu_has_high_real_mode_segbase = svm_has_high_real_mode_segbase, |
|
154 |
++ .has_emulated_msr = svm_has_emulated_msr, |
|
155 |
+ |
|
156 |
+ .vcpu_create = svm_create_vcpu, |
|
157 |
+ .vcpu_free = svm_free_vcpu, |
|
158 |
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
|
159 |
+index f1d158a..d92523a 100644 |
|
160 |
+--- a/arch/x86/kvm/vmx.c |
|
161 |
+@@ -8691,9 +8691,21 @@ static void vmx_handle_external_intr(struct kvm_vcpu *vcpu) |
|
162 |
+ } |
|
163 |
+ } |
|
164 |
+ |
|
165 |
+-static bool vmx_has_high_real_mode_segbase(void) |
|
166 |
++static bool vmx_has_emulated_msr(int index) |
|
167 |
+ { |
|
168 |
+- return enable_unrestricted_guest || emulate_invalid_guest_state; |
|
169 |
++ switch (index) { |
|
170 |
++ case MSR_IA32_SMBASE: |
|
171 |
++ /* |
|
172 |
++ * We cannot do SMM unless we can run the guest in big |
|
173 |
++ * real mode. |
|
174 |
++ */ |
|
175 |
++ return enable_unrestricted_guest || emulate_invalid_guest_state; |
|
176 |
++ case MSR_AMD64_VIRT_SPEC_CTRL: |
|
177 |
++ /* This is AMD only. */ |
|
178 |
++ return false; |
|
179 |
++ default: |
|
180 |
++ return true; |
|
181 |
++ } |
|
182 |
+ } |
|
183 |
+ |
|
184 |
+ static bool vmx_mpx_supported(void) |
|
185 |
+@@ -11346,7 +11358,7 @@ static struct kvm_x86_ops vmx_x86_ops __ro_after_init = { |
|
186 |
+ .hardware_enable = hardware_enable, |
|
187 |
+ .hardware_disable = hardware_disable, |
|
188 |
+ .cpu_has_accelerated_tpr = report_flexpriority, |
|
189 |
+- .cpu_has_high_real_mode_segbase = vmx_has_high_real_mode_segbase, |
|
190 |
++ .has_emulated_msr = vmx_has_emulated_msr, |
|
191 |
+ |
|
192 |
+ .vcpu_create = vmx_create_vcpu, |
|
193 |
+ .vcpu_free = vmx_free_vcpu, |
|
194 |
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c |
|
195 |
+index 3aaaf30..a0cb85f 100644 |
|
196 |
+--- a/arch/x86/kvm/x86.c |
|
197 |
+@@ -1002,6 +1002,7 @@ static u32 emulated_msrs[] = { |
|
198 |
+ MSR_IA32_MCG_CTL, |
|
199 |
+ MSR_IA32_MCG_EXT_CTL, |
|
200 |
+ MSR_IA32_SMBASE, |
|
201 |
++ MSR_AMD64_VIRT_SPEC_CTRL, |
|
202 |
+ }; |
|
203 |
+ |
|
204 |
+ static unsigned num_emulated_msrs; |
|
205 |
+@@ -2664,7 +2665,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext) |
|
206 |
+ * fringe case that is not enabled except via specific settings |
|
207 |
+ * of the module parameters. |
|
208 |
+ */ |
|
209 |
+- r = kvm_x86_ops->cpu_has_high_real_mode_segbase(); |
|
210 |
++ r = kvm_x86_ops->has_emulated_msr(MSR_IA32_SMBASE); |
|
211 |
+ break; |
|
212 |
+ case KVM_CAP_COALESCED_MMIO: |
|
213 |
+ r = KVM_COALESCED_MMIO_PAGE_OFFSET; |
|
214 |
+@@ -4226,14 +4227,8 @@ static void kvm_init_msr_list(void) |
|
215 |
+ num_msrs_to_save = j; |
|
216 |
+ |
|
217 |
+ for (i = j = 0; i < ARRAY_SIZE(emulated_msrs); i++) { |
|
218 |
+- switch (emulated_msrs[i]) { |
|
219 |
+- case MSR_IA32_SMBASE: |
|
220 |
+- if (!kvm_x86_ops->cpu_has_high_real_mode_segbase()) |
|
221 |
+- continue; |
|
222 |
+- break; |
|
223 |
+- default: |
|
224 |
+- break; |
|
225 |
+- } |
|
226 |
++ if (!kvm_x86_ops->has_emulated_msr(emulated_msrs[i])) |
|
227 |
++ continue; |
|
228 |
+ |
|
229 |
+ if (j < i) |
|
230 |
+ emulated_msrs[j] = emulated_msrs[i]; |
|
231 |
+-- |
|
232 |
+2.7.4 |
|
233 |
+ |
0 | 234 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,48 @@ |
0 |
+From 3c8411083c45a3eb9f9b9b381ed553d9fea7e05b Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
2 |
+Date: Wed, 16 May 2018 23:18:09 -0400 |
|
3 |
+Subject: [PATCH 53/54] x86/bugs: Rename SSBD_NO to SSB_NO |
|
4 |
+ |
|
5 |
+commit 240da953fcc6a9008c92fae5b1f727ee5ed167ab upstream |
|
6 |
+ |
|
7 |
+The "336996 Speculative Execution Side Channel Mitigations" from |
|
8 |
+May defines this as SSB_NO, hence lets sync-up. |
|
9 |
+ |
|
10 |
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
|
11 |
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
|
12 |
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> |
|
13 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
14 |
+--- |
|
15 |
+ arch/x86/include/asm/msr-index.h | 2 +- |
|
16 |
+ arch/x86/kernel/cpu/common.c | 2 +- |
|
17 |
+ 2 files changed, 2 insertions(+), 2 deletions(-) |
|
18 |
+ |
|
19 |
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h |
|
20 |
+index 9fd9dcf..1ec13e2 100644 |
|
21 |
+--- a/arch/x86/include/asm/msr-index.h |
|
22 |
+@@ -63,7 +63,7 @@ |
|
23 |
+ #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a |
|
24 |
+ #define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */ |
|
25 |
+ #define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */ |
|
26 |
+-#define ARCH_CAP_SSBD_NO (1 << 4) /* |
|
27 |
++#define ARCH_CAP_SSB_NO (1 << 4) /* |
|
28 |
+ * Not susceptible to Speculative Store Bypass |
|
29 |
+ * attack, so no Speculative Store Bypass |
|
30 |
+ * control required. |
|
31 |
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c |
|
32 |
+index 40fc748..b0fd028 100644 |
|
33 |
+--- a/arch/x86/kernel/cpu/common.c |
|
34 |
+@@ -926,7 +926,7 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) |
|
35 |
+ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); |
|
36 |
+ |
|
37 |
+ if (!x86_match_cpu(cpu_no_spec_store_bypass) && |
|
38 |
+- !(ia32_cap & ARCH_CAP_SSBD_NO)) |
|
39 |
++ !(ia32_cap & ARCH_CAP_SSB_NO)) |
|
40 |
+ setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); |
|
41 |
+ |
|
42 |
+ if (x86_match_cpu(cpu_no_speculation)) |
|
43 |
+-- |
|
44 |
+2.7.4 |
|
45 |
+ |