
Commit ce114c8

committed
Merge tag 'x86_bugs_retbleed' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 retbleed fixes from Borislav Petkov: "Just when you thought that all the speculation bugs were addressed and solved and the nightmare is complete, here's the next one: speculating after RET instructions and leaking privileged information using the now pretty much classical covert channels. It is called RETBleed and the mitigation effort and controlling functionality has been modelled similar to what already existing mitigations provide" * tag 'x86_bugs_retbleed' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (54 commits) x86/speculation: Disable RRSBA behavior x86/kexec: Disable RET on kexec x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported x86/entry: Move PUSH_AND_CLEAR_REGS() back into error_entry x86/bugs: Add Cannon lake to RETBleed affected CPU list x86/retbleed: Add fine grained Kconfig knobs x86/cpu/amd: Enumerate BTC_NO x86/common: Stamp out the stepping madness KVM: VMX: Prevent RSB underflow before vmenter x86/speculation: Fill RSB on vmexit for IBRS KVM: VMX: Fix IBRS handling after vmexit KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS KVM: VMX: Convert launched argument to flags KVM: VMX: Flatten __vmx_vcpu_run() objtool: Re-add UNWIND_HINT_{SAVE_RESTORE} x86/speculation: Remove x86_spec_ctrl_mask x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit x86/speculation: Fix SPEC_CTRL write on SMT state change x86/speculation: Fix firmware entry SPEC_CTRL handling x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n ...
2 parents 5a29232 + 4ad3278 commit ce114c8


72 files changed

+1863
-394
lines changed

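--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -5197,6 +5197,30 @@
 
 retain_initrd [RAM] Keep initrd memory after extraction
 
+retbleed= [X86] Control mitigation of RETBleed (Arbitrary
+Speculative Code Execution with Return Instructions)
+vulnerability.
+
+off - no mitigation
+auto - automatically select a migitation
+auto,nosmt - automatically select a mitigation,
+disabling SMT if necessary for
+the full mitigation (only on Zen1
+and older without STIBP).
+ibpb - mitigate short speculation windows on
+basic block boundaries too. Safe, highest
+perf impact.
+unret - force enable untrained return thunks,
+only effective on AMD f15h-f17h
+based systems.
+unret,nosmt - like unret, will disable SMT when STIBP
+is not available.
+
+Selecting 'auto' will choose a mitigation method at run
+time according to the CPU.
+
+Not specifying this option is equivalent to retbleed=auto.
+
 rfkill.default_state=
 0 "airplane mode". All wifi, bluetooth, wimax, gps, fm,
 etc. communication is blocked by default.
@@ -5568,6 +5592,7 @@
 eibrs - enhanced IBRS
 eibrs,retpoline - enhanced IBRS + Retpolines
 eibrs,lfence - enhanced IBRS + LFENCE
+ibrs - use IBRS to protect kernel
 
 Not specifying this option is equivalent to
 spectre_v2=auto.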

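--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -462,29 +462,6 @@ config GOLDFISH
 def_bool y
 depends on X86_GOLDFISH
 
-config RETPOLINE
-bool "Avoid speculative indirect branches in kernel"
-select OBJTOOL if HAVE_OBJTOOL
-default y
-help
-Compile kernel with the retpoline compiler options to guard against
-kernel-to-user data leaks by avoiding speculative indirect
-branches. Requires a compiler with -mindirect-branch=thunk-extern
-support for full protection. The kernel may run slower.
-
-config CC_HAS_SLS
-def_bool $(cc-option,-mharden-sls=all)
-
-config SLS
-bool "Mitigate Straight-Line-Speculation"
-depends on CC_HAS_SLS && X86_64
-select OBJTOOL if HAVE_OBJTOOL
-default n
-help
-Compile the kernel with straight-line-speculation options to guard
-against straight line speculation. The kernel image might be slightly
-larger.
-
 config X86_CPU_RESCTRL
 bool "x86 CPU resource control support"
 depends on X86 && (CPU_SUP_INTEL || CPU_SUP_AMD)
@@ -2453,6 +2430,91 @@ source "kernel/livepatch/Kconfig"
 
 endmenu
 
+config CC_HAS_SLS
+def_bool $(cc-option,-mharden-sls=all)
+
+config CC_HAS_RETURN_THUNK
+def_bool $(cc-option,-mfunction-return=thunk-extern)
+
+menuconfig SPECULATION_MITIGATIONS
+bool "Mitigations for speculative execution vulnerabilities"
+default y
+help
+Say Y here to enable options which enable mitigations for
+speculative execution hardware vulnerabilities.
+
+If you say N, all mitigations will be disabled. You really
+should know what you are doing to say so.
+
+if SPECULATION_MITIGATIONS
+
+config PAGE_TABLE_ISOLATION
+bool "Remove the kernel mapping in user mode"
+default y
+depends on (X86_64 || X86_PAE)
+help
+This feature reduces the number of hardware side channels by
+ensuring that the majority of kernel addresses are not mapped
+into userspace.
+
+See Documentation/x86/pti.rst for more details.
+
+config RETPOLINE
+bool "Avoid speculative indirect branches in kernel"
+select OBJTOOL if HAVE_OBJTOOL
+default y
+help
+Compile kernel with the retpoline compiler options to guard against
+kernel-to-user data leaks by avoiding speculative indirect
+branches. Requires a compiler with -mindirect-branch=thunk-extern
+support for full protection. The kernel may run slower.
+
+config RETHUNK
+bool "Enable return-thunks"
+depends on RETPOLINE && CC_HAS_RETURN_THUNK
+select OBJTOOL if HAVE_OBJTOOL
+default y
+help
+Compile the kernel with the return-thunks compiler option to guard
+against kernel-to-user data leaks by avoiding return speculation.
+Requires a compiler with -mfunction-return=thunk-extern
+support for full protection. The kernel may run slower.
+
+config CPU_UNRET_ENTRY
+bool "Enable UNRET on kernel entry"
+depends on CPU_SUP_AMD && RETHUNK
+default y
+help
+Compile the kernel with support for the retbleed=unret mitigation.
+
+config CPU_IBPB_ENTRY
+bool "Enable IBPB on kernel entry"
+depends on CPU_SUP_AMD
+default y
+help
+Compile the kernel with support for the retbleed=ibpb mitigation.
+
+config CPU_IBRS_ENTRY
+bool "Enable IBRS on kernel entry"
+depends on CPU_SUP_INTEL
+default y
+help
+Compile the kernel with support for the spectre_v2=ibrs mitigation.
+This mitigates both spectre_v2 and retbleed at great cost to
+performance.
+
+config SLS
+bool "Mitigate Straight-Line-Speculation"
+depends on CC_HAS_SLS && X86_64
+select OBJTOOL if HAVE_OBJTOOL
+default n
+help
+Compile the kernel with straight-line-speculation options to guard
+against straight line speculation. The kernel image might be slightly
+larger.
+
+endif
+
 config ARCH_HAS_ADD_PAGES
 def_bool y
 depends on ARCH_ENABLE_MEMORY_HOTPLUG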
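Review bot: The help texts for CPU_UNRET_ENTRY and CPU_IBPB_ENTRY (new lines 2488 and 2495) say only that the kernel is compiled with support for a retbleed= mode, and do not say that the option is build-time support while the runtime choice still comes from the retbleed= parameter and CPU detection. Since CPU_IBPB_ENTRY depends only on CPU_SUP_AMD, a reader may assume that enabling it alone turns the mitigation on. Suggest extending each help paragraph with a sentence such as `Whether it is actually used is decided at boot by the retbleed= parameter and CPU detection.` The same clarification fits the spectre_v2=ibrs text of CPU_IBRS_ENTRY.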

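--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -21,6 +21,12 @@ ifdef CONFIG_CC_IS_CLANG
 RETPOLINE_CFLAGS := -mretpoline-external-thunk
 RETPOLINE_VDSO_CFLAGS := -mretpoline
 endif
+
+ifdef CONFIG_RETHUNK
+RETHUNK_CFLAGS := -mfunction-return=thunk-extern
+RETPOLINE_CFLAGS += $(RETHUNK_CFLAGS)
+endif
+
 export RETPOLINE_CFLAGS
 export RETPOLINE_VDSO_CFLAGS
 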
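Review bot: RETHUNK_CFLAGS is appended to RETPOLINE_CFLAGS at new line 27 but not to RETPOLINE_VDSO_CFLAGS, and nothing in the hunk records that the asymmetry is intentional. A one-line comment above the block would keep a later reader from "fixing" it, e.g. `# Return thunks go into the kernel build flags only; RETPOLINE_VDSO_CFLAGS is deliberately left unchanged`. If the vDSO is meant to get return thunks as well, then the missing piece is a second `+=` line rather than the comment. The `ifdef CONFIG_CC_IS_CLANG` block that precedes the addition starts outside the hunk.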
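--- a/arch/x86/entry/Makefile
+++ b/arch/x86/entry/Makefile
@@ -11,7 +11,7 @@ CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE)
 
 CFLAGS_common.o += -fno-stack-protector
 
-obj-y := entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o
+obj-y := entry.o entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o
 obj-y += common.o
 
 obj-y += vdso/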

arch/x86/entry/calling.h

Lines changed: 62 additions & 0 deletions
@@ -7,6 +7,8 @@
77
#include <asm/asm-offsets.h>
88
#include <asm/processor-flags.h>
99
#include <asm/ptrace-abi.h>
10+
#include <asm/msr.h>
11+
#include <asm/nospec-branch.h>
1012

1113
/*
1214
@@ -282,6 +284,66 @@ For 32-bit we have the following conventions - kernel is built with
282284

283285
#endif
284286

287+
/*
288+
* IBRS kernel mitigation for Spectre_v2.
289+
*
290+
* Assumes full context is established (PUSH_REGS, CR3 and GS) and it clobbers
291+
* the regs it uses (AX, CX, DX). Must be called before the first RET
292+
* instruction (NOTE! UNTRAIN_RET includes a RET instruction)
293+
*
294+
* The optional argument is used to save/restore the current value,
295+
* which is used on the paranoid paths.
296+
*
297+
* Assumes x86_spec_ctrl_{base,current} to have SPEC_CTRL_IBRS set.
298+
*/
299+
.macro IBRS_ENTER save_reg
300+
#ifdef CONFIG_CPU_IBRS_ENTRY
301+
ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS
302+
movl $MSR_IA32_SPEC_CTRL, %ecx
303+
304+
.ifnb \save_reg
305+
rdmsr
306+
shl $32, %rdx
307+
or %rdx, %rax
308+
mov %rax, \save_reg
309+
test $SPEC_CTRL_IBRS, %eax
310+
jz .Ldo_wrmsr_\@
311+
lfence
312+
jmp .Lend_\@
313+
.Ldo_wrmsr_\@:
314+
.endif
315+
316+
movq PER_CPU_VAR(x86_spec_ctrl_current), %rdx
317+
movl %edx, %eax
318+
shr $32, %rdx
319+
wrmsr
320+
.Lend_\@:
321+
#endif
322+
.endm
323+
324+
/*
325+
* Similar to IBRS_ENTER, requires KERNEL GS,CR3 and clobbers (AX, CX, DX)
326+
* regs. Must be called after the last RET.
327+
*/
328+
.macro IBRS_EXIT save_reg
329+
#ifdef CONFIG_CPU_IBRS_ENTRY
330+
ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS
331+
movl $MSR_IA32_SPEC_CTRL, %ecx
332+
333+
.ifnb \save_reg
334+
mov \save_reg, %rdx
335+
.else
336+
movq PER_CPU_VAR(x86_spec_ctrl_current), %rdx
337+
andl $(~SPEC_CTRL_IBRS), %edx
338+
.endif
339+
340+
movl %edx, %eax
341+
shr $32, %rdx
342+
wrmsr
343+
.Lend_\@:
344+
#endif
345+
.endm
346+
285347
/*
286348
* Mitigate Spectre v1 for conditional swapgs code paths.
287349
*
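Review bot: The header comment for IBRS_ENTER (new line 290) lists the clobbers as AX, CX and DX, but the macro also clobbers flags (`shl`, `or` and `test` on the save_reg path, `andl` in IBRS_EXIT), which matters in entry code where callers reason about register and flags state; suggest `the regs it uses (AX, CX, DX) and the flags`. The save_reg path (new lines 304-313) has no comment on why it reads the MSR back and skips the WRMSR when IBRS is already set, nor why an `lfence` is executed on the skip path; a line above the `test` such as `/* IBRS already on (nested entry): skip the WRMSR; LFENCE presumably stands in as the speculation barrier the WRMSR would provide - confirm */` would record the intent, which I am inferring from the "paranoid paths" remark in the header. The `.else` branch of IBRS_EXIT (new lines 335-337) clears only SPEC_CTRL_IBRS from the cached x86_spec_ctrl_current value and would benefit from a one-line note saying so.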

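--- /dev/null
+++ b/arch/x86/entry/entry.S
@@ -0,0 +1,22 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+* Common place for both 32- and 64-bit entry routines.
+*/
+
+#include <linux/linkage.h>
+#include <asm/export.h>
+#include <asm/msr-index.h>
+
+.pushsection .noinstr.text, "ax"
+
+SYM_FUNC_START(entry_ibpb)
+movl $MSR_IA32_PRED_CMD, %ecx
+movl $PRED_CMD_IBPB, %eax
+xorl %edx, %edx
+wrmsr
+RET
+SYM_FUNC_END(entry_ibpb)
+/* For KVM */
+EXPORT_SYMBOL_GPL(entry_ibpb);
+
+.popsection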
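Review bot: entry_ibpb (new lines 12-18) has no header comment describing its contract, although it is exported for KVM and placed in .noinstr.text. A short block comment above SYM_FUNC_START would help callers: `/* Issue an IBPB: write PRED_CMD_IBPB to MSR_IA32_PRED_CMD. Clobbers %eax, %ecx, %edx and flags; uses no stack. */`. The `xorl %edx, %edx` zeroing the high 32 bits of the MSR value is correct and should stay as written, and using the RET macro rather than a bare ret is consistent with the rest of the series.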

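--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -698,7 +698,6 @@ SYM_CODE_START(__switch_to_asm)
 movl %ebx, PER_CPU_VAR(__stack_chk_guard)
 #endif
 
-#ifdef CONFIG_RETPOLINE
 /*
 * When switching from a shallower to a deeper call stack
 * the RSB may either underflow or use entries populated
@@ -707,7 +706,6 @@ SYM_CODE_START(__switch_to_asm)
 * speculative execution to prevent attack.
 */
 FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
-#endif
 
 /* Restore flags or the incoming task to restore AC state. */
 popfl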
