Merge tag 'x86_bugs_pbrsb' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 eIBRS fixes from Borislav Petkov:
"More from the CPU vulnerability nightmares front:

Intel eIBRS machines do not sufficiently mitigate against RET
mispredictions when doing a VM Exit therefore an additional RSB,
one-entry stuffing is needed"

* tag 'x86_bugs_pbrsb' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/speculation: Add LFENCE to RSB fill sequence
x86/speculation: Add RSB VM Exit protections

+116 -30
+8
Documentation/admin-guide/hw-vuln/spectre.rst
··· 422 422 'RSB filling' Protection of RSB on context switch enabled 423 423 ============= =========================================== 424 424 425 + - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status: 426 + 427 + =========================== ======================================================= 428 + 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled 429 + 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable 430 + 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB 431 + =========================== ======================================================= 432 + 425 433 Full mitigation might require a microcode update from the CPU 426 434 vendor. When the necessary microcode is not available, the kernel will 427 435 report vulnerability.
+2
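--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -303,6 +303,7 @@
 #define X86_FEATURE_RETHUNK		(11*32+14) /* "" Use REturn THUNK */
 #define X86_FEATURE_UNRET		(11*32+15) /* "" AMD BTB untrain return */
 #define X86_FEATURE_USE_IBPB_FW		(11*32+16) /* "" Use IBPB during runtime firmware calls */
+#define X86_FEATURE_RSB_VMEXIT_LITE	(11*32+17) /* "" Fill RSB on VM exit when EIBRS is enabled */
 
 /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
 #define X86_FEATURE_AVX_VNNI		(12*32+ 4) /* AVX VNNI instructions */
@@ -458,5 +457,6 @@
 #define X86_BUG_SRBDS			X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
 #define X86_BUG_MMIO_STALE_DATA		X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
 #define X86_BUG_RETBLEED		X86_BUG(26) /* CPU is affected by RETBleed */
+#define X86_BUG_EIBRS_PBRSB		X86_BUG(27) /* EIBRS is vulnerable to Post Barrier RSB Predictions */
 
 #endif /* _ASM_X86_CPUFEATURES_H */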
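Review bot: The comment on the new `X86_FEATURE_RSB_VMEXIT_LITE` line reads `/* "" Fill RSB on VM exit when EIBRS is enabled */` here but `/* "" Fill RSB on VM-Exit when EIBRS is enabled */` in the tools/arch/x86/include/asm/cpufeatures.h section of the same commit. If the tools copy is meant to stay byte-identical to the kernel header (the usual expectation for the tools/arch mirrors), the two lines should use the same wording so a later header-sync comparison does not flag a spurious difference. Either spelling is fine; pick one and apply it to both files.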
+4
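--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -150,6 +150,10 @@
 					 * are restricted to targets in
 					 * kernel.
 					 */
+#define ARCH_CAP_PBRSB_NO		BIT(24)	/*
+					 * Not susceptible to Post-Barrier
+					 * Return Stack Buffer Predictions.
+					 */
 
 #define MSR_IA32_FLUSH_CMD		0x0000010b
 #define L1D_FLUSH			BIT(0)	/*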
+19 -2
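--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -60,7 +60,9 @@
 774:							\
 	add	$(BITS_PER_LONG/8) * 2, sp;		\
 	dec	reg;					\
-	jnz	771b;
+	jnz	771b;					\
+	/* barrier for jnz misprediction */		\
+	lfence;
 
 #ifdef __ASSEMBLY__
 
@@ -132,13 +130,28 @@
 #endif
 .endm
 
+.macro ISSUE_UNBALANCED_RET_GUARD
+	ANNOTATE_INTRA_FUNCTION_CALL
+	call .Lunbalanced_ret_guard_\@
+	int3
+.Lunbalanced_ret_guard_\@:
+	add $(BITS_PER_LONG/8), %_ASM_SP
+	lfence
+.endm
+
 /*
  * A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP
  * monstrosity above, manually.
  */
-.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
+.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req ftr2
+.ifb \ftr2
 	ALTERNATIVE "jmp .Lskip_rsb_\@", "", \ftr
+.else
+	ALTERNATIVE_2 "jmp .Lskip_rsb_\@", "", \ftr, "jmp .Lunbalanced_\@", \ftr2
+.endif
 	__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)
+.Lunbalanced_\@:
+	ISSUE_UNBALANCED_RET_GUARD
 .Lskip_rsb_\@:
 .endm
 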
+63 -23
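--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1335,6 +1335,53 @@
 	}
 }
 
+static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)
+{
+	/*
+	 * Similar to context switches, there are two types of RSB attacks
+	 * after VM exit:
+	 *
+	 * 1) RSB underflow
+	 *
+	 * 2) Poisoned RSB entry
+	 *
+	 * When retpoline is enabled, both are mitigated by filling/clearing
+	 * the RSB.
+	 *
+	 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
+	 * prediction isolation protections, RSB still needs to be cleared
+	 * because of #2. Note that SMEP provides no protection here, unlike
+	 * user-space-poisoned RSB entries.
+	 *
+	 * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB
+	 * bug is present then a LITE version of RSB protection is required,
+	 * just a single call needs to retire before a RET is executed.
+	 */
+	switch (mode) {
+	case SPECTRE_V2_NONE:
+		return;
+
+	case SPECTRE_V2_EIBRS_LFENCE:
+	case SPECTRE_V2_EIBRS:
+		if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
+			setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
+			pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
+		}
+		return;
+
+	case SPECTRE_V2_EIBRS_RETPOLINE:
+	case SPECTRE_V2_RETPOLINE:
+	case SPECTRE_V2_LFENCE:
+	case SPECTRE_V2_IBRS:
+		setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
+		pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
+		return;
+	}
+
+	pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");
+	dump_stack();
+}
+
 static void __init spectre_v2_select_mitigation(void)
 {
 	enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
@@ -1532,28 +1485,7 @@
 	setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
 	pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
 
-	/*
-	 * Similar to context switches, there are two types of RSB attacks
-	 * after vmexit:
-	 *
-	 * 1) RSB underflow
-	 *
-	 * 2) Poisoned RSB entry
-	 *
-	 * When retpoline is enabled, both are mitigated by filling/clearing
-	 * the RSB.
-	 *
-	 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
-	 * prediction isolation protections, RSB still needs to be cleared
-	 * because of #2. Note that SMEP provides no protection here, unlike
-	 * user-space-poisoned RSB entries.
-	 *
-	 * eIBRS, on the other hand, has RSB-poisoning protections, so it
-	 * doesn't need RSB clearing after vmexit.
-	 */
-	if (boot_cpu_has(X86_FEATURE_RETPOLINE) ||
-	    boot_cpu_has(X86_FEATURE_KERNEL_IBRS))
-		setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
+	spectre_v2_determine_rsb_fill_type_at_vmexit(mode);
 
 	/*
 	 * Retpoline protects the kernel, but doesn't protect firmware. IBRS
@@ -2318,6 +2292,19 @@
 	return "";
 }
 
+static char *pbrsb_eibrs_state(void)
+{
+	if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
+		if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
+		    boot_cpu_has(X86_FEATURE_RSB_VMEXIT))
+			return ", PBRSB-eIBRS: SW sequence";
+		else
+			return ", PBRSB-eIBRS: Vulnerable";
+	} else {
+		return ", PBRSB-eIBRS: Not affected";
+	}
+}
+
 static ssize_t spectre_v2_show_state(char *buf)
 {
 	if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
@@ -2343,12 +2304,13 @@
 	    spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
 		return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
 
-	return sprintf(buf, "%s%s%s%s%s%s\n",
+	return sprintf(buf, "%s%s%s%s%s%s%s\n",
 		       spectre_v2_strings[spectre_v2_enabled],
 		       ibpb_state(),
 		       boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
 		       stibp_state(),
 		       boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
+		       pbrsb_eibrs_state(),
 		       spectre_v2_module_string());
 }
 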
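Review bot: The fallback `pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");` in spectre_v2_determine_rsb_fill_type_at_vmexit has no trailing newline, unlike the two pr_info() calls above it, so the following printk can be joined onto the same line; it should read `pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit\n");`. The switch intentionally has no default so that a new enum spectre_v2_mitigation value is caught by the compiler's switch warning, but nothing says so; a one-line comment above the pr_warn_once, `/* No default: let -Wswitch flag new modes; reaching here is a bug */`, would record that. The new pbrsb_eibrs_state() hands out string literals through a non-const `char *`; `static const char *pbrsb_eibrs_state(void)` is the accurate type, if the sibling state helpers it is printed alongside (their return types are outside this hunk) allow the same treatment.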
+10 -2
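--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1135,6 +1135,7 @@
 #define NO_SWAPGS		BIT(6)
 #define NO_ITLB_MULTIHIT	BIT(7)
 #define NO_SPECTRE_V2		BIT(8)
+#define NO_EIBRS_PBRSB		BIT(9)
 
 #define VULNWL(vendor, family, model, whitelist)	\
 	X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, whitelist)
@@ -1178,7 +1177,7 @@
 
 	VULNWL_INTEL(ATOM_GOLDMONT,		NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
 	VULNWL_INTEL(ATOM_GOLDMONT_D,		NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
-	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
+	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
 
 	/*
 	 * Technically, swapgs isn't serializing on AMD (despite it previously
@@ -1188,7 +1187,9 @@
 	 * good enough for our purposes.
 	 */
 
-	VULNWL_INTEL(ATOM_TREMONT_D,		NO_ITLB_MULTIHIT),
+	VULNWL_INTEL(ATOM_TREMONT,		NO_EIBRS_PBRSB),
+	VULNWL_INTEL(ATOM_TREMONT_L,		NO_EIBRS_PBRSB),
+	VULNWL_INTEL(ATOM_TREMONT_D,		NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
 
 	/* AMD Family 0xf - 0x12 */
 	VULNWL_AMD(0x0f,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
@@ -1367,6 +1364,11 @@
 		if (cpu_matches(cpu_vuln_blacklist, RETBLEED) || (ia32_cap & ARCH_CAP_RSBA))
 			setup_force_cpu_bug(X86_BUG_RETBLEED);
 	}
+
+	if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) &&
+	    !cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) &&
+	    !(ia32_cap & ARCH_CAP_PBRSB_NO))
+		setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB);
 
 	if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
 		return;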
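Review bot: The new X86_BUG_EIBRS_PBRSB block in the last hunk has no comment, although it is the one place where the three conditions introduced by this commit (eIBRS enumerated, model not in the NO_EIBRS_PBRSB whitelist, ARCH_CAP_PBRSB_NO clear) come together; a comment such as `/* eIBRS parts are assumed affected unless the model is whitelisted or the CPU enumerates ARCH_CAP_PBRSB_NO */` above the `if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) &&` line would make the policy readable without chasing the defines. The `ia32_cap` value tested here is read outside the hunk, so whether every path that reaches this point has it populated is not visible from the diff. The enclosing function starts and ends outside this hunk.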
+5 -3
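--- a/arch/x86/kvm/vmx/vmenter.S
+++ b/arch/x86/kvm/vmx/vmenter.S
@@ -227,11 +227,13 @@
 	 * entries and (in some cases) RSB underflow.
 	 *
 	 * eIBRS has its own protection against poisoned RSB, so it doesn't
-	 * need the RSB filling sequence.  But it does need to be enabled
-	 * before the first unbalanced RET.
+	 * need the RSB filling sequence.  But it does need to be enabled, and a
+	 * single call to retire, before the first unbalanced RET.
 	 */
 
-	FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT
+	FILL_RETURN_BUFFER %_ASM_CX, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_VMEXIT,\
+			   X86_FEATURE_RSB_VMEXIT_LITE
+
 
 	pop %_ASM_ARG2	/* @flags */
 	pop %_ASM_ARG1	/* @vmx */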
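Review bot: The added empty line (new line 236) leaves two consecutive blank lines between the FILL_RETURN_BUFFER invocation and `pop %_ASM_ARG2`; drop one of them. The updated comment says a single call must retire under eIBRS but does not connect that to the new second argument; appending `* X86_FEATURE_RSB_VMEXIT_LITE selects that single-call variant.` to the comment would tie the explanation to the code below it. The enclosing routine begins and ends outside this hunk.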
+1
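--- a/tools/arch/x86/include/asm/cpufeatures.h
+++ b/tools/arch/x86/include/asm/cpufeatures.h
@@ -303,6 +303,7 @@
 #define X86_FEATURE_RETHUNK		(11*32+14) /* "" Use REturn THUNK */
 #define X86_FEATURE_UNRET		(11*32+15) /* "" AMD BTB untrain return */
 #define X86_FEATURE_USE_IBPB_FW		(11*32+16) /* "" Use IBPB during runtime firmware calls */
+#define X86_FEATURE_RSB_VMEXIT_LITE	(11*32+17) /* "" Fill RSB on VM-Exit when EIBRS is enabled */
 
 /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
 #define X86_FEATURE_AVX_VNNI		(12*32+ 4) /* AVX VNNI instructions */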
+4
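--- a/tools/arch/x86/include/asm/msr-index.h
+++ b/tools/arch/x86/include/asm/msr-index.h
@@ -150,6 +150,10 @@
 					 * are restricted to targets in
 					 * kernel.
 					 */
+#define ARCH_CAP_PBRSB_NO		BIT(24)	/*
+					 * Not susceptible to Post-Barrier
+					 * Return Stack Buffer Predictions.
+					 */
 
 #define MSR_IA32_FLUSH_CMD		0x0000010b
 #define L1D_FLUSH			BIT(0)	/*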