linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-03 23:58:05 +00:00

No description

Find a file

Daniel Sneddon f2f41ef035 x86/speculation: Add RSB VM Exit protections commit `2b12993220` upstream. tl;dr: The Enhanced IBRS mitigation for Spectre v2 does not work as documented for RET instructions after VM exits. Mitigate it with a new one-entry RSB stuffing mechanism and a new LFENCE. == Background == Indirect Branch Restricted Speculation (IBRS) was designed to help mitigate Branch Target Injection and Speculative Store Bypass, i.e. Spectre, attacks. IBRS prevents software run in less privileged modes from affecting branch prediction in more privileged modes. IBRS requires the MSR to be written on every privilege level change. To overcome some of the performance issues of IBRS, Enhanced IBRS was introduced. eIBRS is an "always on" IBRS, in other words, just turn it on once instead of writing the MSR on every privilege level change. When eIBRS is enabled, more privileged modes should be protected from less privileged modes, including protecting VMMs from guests. == Problem == Here's a simplification of how guests are run on Linux' KVM: void run_kvm_guest(void) { // Prepare to run guest VMRESUME(); // Clean up after guest runs } The execution flow for that would look something like this to the processor: 1. Host-side: call run_kvm_guest() 2. Host-side: VMRESUME 3. Guest runs, does "CALL guest_function" 4. VM exit, host runs again 5. Host might make some "cleanup" function calls 6. Host-side: RET from run_kvm_guest() Now, when back on the host, there are a couple of possible scenarios of post-guest activity the host needs to do before executing host code: * on pre-eIBRS hardware (legacy IBRS, or nothing at all), the RSB is not touched and Linux has to do a 32-entry stuffing. * on eIBRS hardware, VM exit with IBRS enabled, or restoring the host IBRS=1 shortly after VM exit, has a documented side effect of flushing the RSB except in this PBRSB situation where the software needs to stuff the last RSB entry "by hand". IOW, with eIBRS supported, host RET instructions should no longer be influenced by guest behavior after the host retires a single CALL instruction. However, if the RET instructions are "unbalanced" with CALLs after a VM exit as is the RET in #6, it might speculatively use the address for the instruction after the CALL in #3 as an RSB prediction. This is a problem since the (untrusted) guest controls this address. Balanced CALL/RET instruction pairs such as in step #5 are not affected. == Solution == The PBRSB issue affects a wide variety of Intel processors which support eIBRS. But not all of them need mitigation. Today, X86_FEATURE_RETPOLINE triggers an RSB filling sequence that mitigates PBRSB. Systems setting RETPOLINE need no further mitigation - i.e., eIBRS systems which enable retpoline explicitly. However, such systems (X86_FEATURE_IBRS_ENHANCED) do not set RETPOLINE and most of them need a new mitigation. Therefore, introduce a new feature flag X86_FEATURE_RSB_VMEXIT_LITE which triggers a lighter-weight PBRSB mitigation versus RSB Filling at vmexit. The lighter-weight mitigation performs a CALL instruction which is immediately followed by a speculative execution barrier (INT3). This steers speculative execution to the barrier -- just like a retpoline -- which ensures that speculation can never reach an unbalanced RET. Then, ensure this CALL is retired before continuing execution with an LFENCE. In other words, the window of exposure is opened at VM exit where RET behavior is troublesome. While the window is open, force RSB predictions sampling for RET targets to a dead end at the INT3. Close the window with the LFENCE. There is a subset of eIBRS systems which are not vulnerable to PBRSB. Add these systems to the cpu_vuln_whitelist[] as NO_EIBRS_PBRSB. Future systems that aren't vulnerable will set ARCH_CAP_PBRSB_NO. [ bp: Massage, incorporate review comments from Andy Cooper. ] [ Pawan: Update commit message to replace RSB_VMEXIT with RETPOLINE ] Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com> Co-developed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by: Borislav Petkov <bp@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2022-08-11 12:57:53 +02:00
arch	x86/speculation: Add RSB VM Exit protections	2022-08-11 12:57:53 +02:00
block	block: fix bio_clone_blkg_association() to associate with proper blkcg_gq	2022-06-14 18:11:50 +02:00
certs	certs/blacklist_hashes.c: fix const confusion in certs blacklist	2022-06-22 14:11:22 +02:00
crypto	crypto: drbg - make reseeding from get_random_bytes() synchronous	2022-06-22 14:11:18 +02:00
Documentation	x86/speculation: Add RSB VM Exit protections	2022-08-11 12:57:53 +02:00
drivers	macintosh/adb: fix oob read in do_adb_query() function	2022-08-11 12:57:53 +02:00
fs	ntfs: fix use-after-free in ntfs_ucsncmp()	2022-08-03 11:59:37 +02:00
include	ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr	2022-08-03 11:59:39 +02:00
init	random: handle latent entropy and command line from random_init()	2022-06-22 14:11:17 +02:00
ipc
kernel	bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()	2022-08-11 12:57:51 +02:00
lib	locking/refcount: Consolidate implementations of refcount_t	2022-07-29 17:14:17 +02:00
LICENSES
mm	mm/mempolicy: fix uninit-value in mpol_rebind_policy()	2022-07-29 17:14:16 +02:00
net	sctp: leave the err path free in sctp_stream_init to sctp_stream_free	2022-08-03 11:59:41 +02:00
samples
scripts	modpost: fix section mismatch check for exported init/exit sections	2022-06-29 08:58:49 +02:00
security	ima: remove the IMA_TEMPLATE Kconfig option	2022-07-29 17:14:16 +02:00
sound	ALSA: memalloc: Align buffer allocations in page size	2022-07-29 17:14:18 +02:00
tools	x86/speculation: Add RSB VM Exit protections	2022-08-11 12:57:53 +02:00
usr
virt	KVM: Don't null dereference ops->destroy	2022-08-11 12:57:52 +02:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS	MAINTAINERS: co-maintain random.c	2022-06-22 14:11:05 +02:00
Makefile	Linux 5.4.209	2022-08-03 11:59:42 +02:00
README

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.