Commit 0a096f24 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'x86-cpu-2021-08-30' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 

Pull x86 cache flush updates from Thomas Gleixner:
 "A reworked version of the opt-in L1D flush mechanism.

  This is a stop gap for potential future speculation related hardware
  vulnerabilities and a mechanism for truly security paranoid
  applications.

  It allows a task to request that the L1D cache is flushed when the
  kernel switches to a different mm. This can be requested via prctl().

  Changes vs the previous versions:

   - Get rid of the software flush fallback

   - Make the handling consistent with other mitigations

   - Kill the task when it ends up on a SMT enabled core which defeats
     the purpose of L1D flushing obviously"

* tag 'x86-cpu-2021-08-30' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  Documentation: Add L1D flushing Documentation
  x86, prctl: Hook L1D flushing in via prctl
  x86/mm: Prepare for opt-in based L1D flush in switch_mm()
  x86/process: Make room for TIF_SPEC_L1D_FLUSH
  sched: Add task_work callback for paranoid L1D flush
  x86/mm: Refactor cond_ibpb() to support other use cases
  x86/smp: Add a per-cpu view of SMT state
parents 7d6e3fa8 b7fe54f6

Documentation/admin-guide/hw-vuln/index.rst

+1 −0
Original line number Diff line number Diff line
@@ -16,3 +16,4 @@ are configurable at compile, boot or run time. 
   multihit.rst

   special-register-buffer-data-sampling.rst

   core-scheduling.rst

   l1d_flush.rst

Documentation/admin-guide/hw-vuln/l1d_flush.rst

0 → 100644
+69 −0
Original line number Diff line number Diff line 
L1D Flushing

============



With an increasing number of vulnerabilities being reported around data

leaks from the Level 1 Data cache (L1D) the kernel provides an opt-in

mechanism to flush the L1D cache on context switch.



This mechanism can be used to address e.g. CVE-2020-0550. For applications

the mechanism keeps them safe from vulnerabilities, related to leaks

(snooping of) from the L1D cache.





Related CVEs

------------

The following CVEs can be addressed by this

mechanism



    =============       ========================     ==================

    CVE-2020-0550       Improper Data Forwarding     OS related aspects

    =============       ========================     ==================



Usage Guidelines

----------------



Please see document: :ref:`Documentation/userspace-api/spec_ctrl.rst

<set_spec_ctrl>` for details.



**NOTE**: The feature is disabled by default, applications need to

specifically opt into the feature to enable it.



Mitigation

----------



When PR_SET_L1D_FLUSH is enabled for a task a flush of the L1D cache is

performed when the task is scheduled out and the incoming task belongs to a

different process and therefore to a different address space.



If the underlying CPU supports L1D flushing in hardware, the hardware

mechanism is used, software fallback for the mitigation, is not supported.



Mitigation control on the kernel command line

---------------------------------------------



The kernel command line allows to control the L1D flush mitigations at boot

time with the option "l1d_flush=". The valid arguments for this option are:



  ============  =============================================================

  on            Enables the prctl interface, applications trying to use

                the prctl() will fail with an error if l1d_flush is not

                enabled

  ============  =============================================================



By default the mechanism is disabled.



Limitations

-----------



The mechanism does not mitigate L1D data leaks between tasks belonging to

different processes which are concurrently executing on sibling threads of

a physical CPU core when SMT is enabled on the system.



This can be addressed by controlled placement of processes on physical CPU

cores or by disabling SMT. See the relevant chapter in the L1TF mitigation

document: :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <smt_control>`.



**NOTE** : The opt-in of a task for L1D flushing works only when the task's

affinity is limited to cores running in non-SMT mode. If a task which

requested L1D flushing is scheduled on a SMT-enabled core the kernel sends

a SIGBUS to the task.

Documentation/admin-guide/kernel-parameters.txt

+17 −0
Original line number Diff line number Diff line
@@ -2421,6 +2421,23 @@ 
			feature (tagged TLBs) on capable Intel chips.

			Default is 1 (enabled)



	l1d_flush=	[X86,INTEL]

			Control mitigation for L1D based snooping vulnerability.



			Certain CPUs are vulnerable to an exploit against CPU

			internal buffers which can forward information to a

			disclosure gadget under certain conditions.



			In vulnerable processors, the speculatively

			forwarded data can be used in a cache side channel

			attack, to access data to which the attacker does

			not have direct access.



			This parameter controls the mitigation. The

			options are:



			on         - enable the interface for the mitigation



	l1tf=           [X86] Control mitigation of the L1TF vulnerability on

			      affected CPUs

Documentation/userspace-api/spec_ctrl.rst

+8 −0
Original line number Diff line number Diff line
@@ -106,3 +106,11 @@ Speculation misfeature controls 
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);



- PR_SPEC_L1D_FLUSH: Flush L1D Cache on context switch out of the task

                        (works only when tasks run on non SMT cores)



  Invocations:

   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, 0, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_DISABLE, 0, 0);

arch/Kconfig

+3 −0
Original line number Diff line number Diff line
@@ -1282,6 +1282,9 @@ config ARCH_SPLIT_ARG64 
config ARCH_HAS_ELFCORE_COMPAT

	bool



config ARCH_HAS_PARANOID_L1D_FLUSH

	bool



source "kernel/gcov/Kconfig"



source "scripts/gcc-plugins/Kconfig"