Commit ce114c86 authored by Linus Torvalds's avatar Linus Torvalds
Pull x86 retbleed fixes from Borislav Petkov:
 "Just when you thought that all the speculation bugs were addressed and
  solved and the nightmare is complete, here's the next one: speculating
  after RET instructions and leaking privileged information using the
  now pretty much classical covert channels.

  It is called RETBleed, and the mitigation effort and the controlling
  functionality have been modelled on what the already existing
  mitigations provide"

* tag 'x86_bugs_retbleed' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (54 commits)
  x86/speculation: Disable RRSBA behavior
  x86/kexec: Disable RET on kexec
  x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported
  x86/entry: Move PUSH_AND_CLEAR_REGS() back into error_entry
  x86/bugs: Add Cannon lake to RETBleed affected CPU list
  x86/retbleed: Add fine grained Kconfig knobs
  x86/cpu/amd: Enumerate BTC_NO
  x86/common: Stamp out the stepping madness
  KVM: VMX: Prevent RSB underflow before vmenter
  x86/speculation: Fill RSB on vmexit for IBRS
  KVM: VMX: Fix IBRS handling after vmexit
  KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS
  KVM: VMX: Convert launched argument to flags
  KVM: VMX: Flatten __vmx_vcpu_run()
  objtool: Re-add UNWIND_HINT_{SAVE_RESTORE}
  x86/speculation: Remove x86_spec_ctrl_mask
  x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit
  x86/speculation: Fix SPEC_CTRL write on SMT state change
  x86/speculation: Fix firmware entry SPEC_CTRL handling
  x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n
  ...
parents 5a29232d 4ad3278d
+25 −0
@@ -5197,6 +5197,30 @@

	retain_initrd	[RAM] Keep initrd memory after extraction

	retbleed=	[X86] Control mitigation of RETBleed (Arbitrary
			Speculative Code Execution with Return Instructions)
			vulnerability.

			off          - no mitigation
			auto         - automatically select a migitation
			auto,nosmt   - automatically select a mitigation,
				       disabling SMT if necessary for
				       the full mitigation (only on Zen1
				       and older without STIBP).
			ibpb	     - mitigate short speculation windows on
				       basic block boundaries too. Safe, highest
				       perf impact.
			unret        - force enable untrained return thunks,
				       only effective on AMD f15h-f17h
				       based systems.
			unret,nosmt  - like unret, will disable SMT when STIBP
			               is not available.

			Selecting 'auto' will choose a mitigation method at run
			time according to the CPU.

			Not specifying this option is equivalent to retbleed=auto.

	rfkill.default_state=
		0	"airplane mode".  All wifi, bluetooth, wimax, gps, fm,
			etc. communication is blocked by default.
@@ -5568,6 +5592,7 @@
			eibrs		  - enhanced IBRS
			eibrs,retpoline   - enhanced IBRS + Retpolines
			eibrs,lfence      - enhanced IBRS + LFENCE
			ibrs		  - use IBRS to protect kernel

			Not specifying this option is equivalent to
			spectre_v2=auto.
+85 −23
@@ -462,29 +462,6 @@ config GOLDFISH
	def_bool y
	depends on X86_GOLDFISH

config RETPOLINE
	bool "Avoid speculative indirect branches in kernel"
	select OBJTOOL if HAVE_OBJTOOL
	default y
	help
	  Compile kernel with the retpoline compiler options to guard against
	  kernel-to-user data leaks by avoiding speculative indirect
	  branches. Requires a compiler with -mindirect-branch=thunk-extern
	  support for full protection. The kernel may run slower.

config CC_HAS_SLS
	def_bool $(cc-option,-mharden-sls=all)

config SLS
	bool "Mitigate Straight-Line-Speculation"
	depends on CC_HAS_SLS && X86_64
	select OBJTOOL if HAVE_OBJTOOL
	default n
	help
	  Compile the kernel with straight-line-speculation options to guard
	  against straight line speculation. The kernel image might be slightly
	  larger.

config X86_CPU_RESCTRL
	bool "x86 CPU resource control support"
	depends on X86 && (CPU_SUP_INTEL || CPU_SUP_AMD)
@@ -2453,6 +2430,91 @@ source "kernel/livepatch/Kconfig"

endmenu

config CC_HAS_SLS
	def_bool $(cc-option,-mharden-sls=all)

config CC_HAS_RETURN_THUNK
	def_bool $(cc-option,-mfunction-return=thunk-extern)

menuconfig SPECULATION_MITIGATIONS
	bool "Mitigations for speculative execution vulnerabilities"
	default y
	help
	  Say Y here to enable options which enable mitigations for
	  speculative execution hardware vulnerabilities.

	  If you say N, all mitigations will be disabled. You really
	  should know what you are doing to say so.

if SPECULATION_MITIGATIONS

config PAGE_TABLE_ISOLATION
	bool "Remove the kernel mapping in user mode"
	default y
	depends on (X86_64 || X86_PAE)
	help
	  This feature reduces the number of hardware side channels by
	  ensuring that the majority of kernel addresses are not mapped
	  into userspace.

	  See Documentation/x86/pti.rst for more details.

config RETPOLINE
	bool "Avoid speculative indirect branches in kernel"
	select OBJTOOL if HAVE_OBJTOOL
	default y
	help
	  Compile kernel with the retpoline compiler options to guard against
	  kernel-to-user data leaks by avoiding speculative indirect
	  branches. Requires a compiler with -mindirect-branch=thunk-extern
	  support for full protection. The kernel may run slower.

config RETHUNK
	bool "Enable return-thunks"
	depends on RETPOLINE && CC_HAS_RETURN_THUNK
	select OBJTOOL if HAVE_OBJTOOL
	default y
	help
	  Compile the kernel with the return-thunks compiler option to guard
	  against kernel-to-user data leaks by avoiding return speculation.
	  Requires a compiler with -mfunction-return=thunk-extern
	  support for full protection. The kernel may run slower.

config CPU_UNRET_ENTRY
	bool "Enable UNRET on kernel entry"
	depends on CPU_SUP_AMD && RETHUNK
	default y
	help
	  Compile the kernel with support for the retbleed=unret mitigation.

config CPU_IBPB_ENTRY
	bool "Enable IBPB on kernel entry"
	depends on CPU_SUP_AMD
	default y
	help
	  Compile the kernel with support for the retbleed=ibpb mitigation.

config CPU_IBRS_ENTRY
	bool "Enable IBRS on kernel entry"
	depends on CPU_SUP_INTEL
	default y
	help
	  Compile the kernel with support for the spectre_v2=ibrs mitigation.
	  This mitigates both spectre_v2 and retbleed at great cost to
	  performance.

config SLS
	bool "Mitigate Straight-Line-Speculation"
	depends on CC_HAS_SLS && X86_64
	select OBJTOOL if HAVE_OBJTOOL
	default n
	help
	  Compile the kernel with straight-line-speculation options to guard
	  against straight line speculation. The kernel image might be slightly
	  larger.

endif

config ARCH_HAS_ADD_PAGES
	def_bool y
	depends on ARCH_ENABLE_MEMORY_HOTPLUG
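Review bot: The help texts of CPU_UNRET_ENTRY and CPU_IBPB_ENTRY only name the retbleed= value each option backs, while the kernel-parameters change in this same commit carries the detail a configurer actually needs (unret is only effective on AMD family 15h-17h systems; ibpb is the safe choice with the highest performance impact). Suggest carrying that over, e.g. for CPU_UNRET_ENTRY `Only effective on AMD family 15h-17h based systems; see retbleed= in Documentation/admin-guide/kernel-parameters.txt.` and a matching performance-cost sentence for CPU_IBPB_ENTRY, in the style CPU_IBRS_ENTRY already uses. Moving RETPOLINE and SLS under `if SPECULATION_MITIGATIONS` also means an existing .config with SPECULATION_MITIGATIONS=n will presumably now drop CONFIG_RETPOLINE on oldconfig; if that is intended it deserves a sentence in the SPECULATION_MITIGATIONS help text, which currently only says "all mitigations will be disabled".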
+6 −0
@@ -21,6 +21,12 @@ ifdef CONFIG_CC_IS_CLANG
RETPOLINE_CFLAGS	:= -mretpoline-external-thunk
RETPOLINE_VDSO_CFLAGS	:= -mretpoline
endif

ifdef CONFIG_RETHUNK
RETHUNK_CFLAGS		:= -mfunction-return=thunk-extern
RETPOLINE_CFLAGS	+= $(RETHUNK_CFLAGS)
endif

export RETPOLINE_CFLAGS
export RETPOLINE_VDSO_CFLAGS

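Review bot: RETHUNK_CFLAGS is folded into RETPOLINE_CFLAGS but not into RETPOLINE_VDSO_CFLAGS, and nothing in the hunk says whether that asymmetry is deliberate. Presumably the vDSO executes in user mode and must keep plain RETs rather than jump to the kernel's return thunk, but a reader will otherwise assume the second variable was missed; suggest a comment on the new block such as `# Return thunks are kernel-only: the vDSO keeps plain RETs, so RETHUNK_CFLAGS is not added to RETPOLINE_VDSO_CFLAGS.` The new variable is also not exported alongside RETPOLINE_CFLAGS (L217), so a sub-Makefile that needs to strip only the return-thunk flag from a specific object cannot reference it; if that need arises, `export RETHUNK_CFLAGS` belongs next to the existing exports.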
+1 −1
@@ -11,7 +11,7 @@ CFLAGS_REMOVE_common.o = $(CC_FLAGS_FTRACE)

CFLAGS_common.o			+= -fno-stack-protector

obj-y				:= entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o
obj-y				:= entry.o entry_$(BITS).o thunk_$(BITS).o syscall_$(BITS).o
obj-y				+= common.o

obj-y				+= vdso/
+62 −0
@@ -7,6 +7,8 @@
#include <asm/asm-offsets.h>
#include <asm/processor-flags.h>
#include <asm/ptrace-abi.h>
#include <asm/msr.h>
#include <asm/nospec-branch.h>

/*

@@ -282,6 +284,66 @@ For 32-bit we have the following conventions - kernel is built with

#endif

/*
 * IBRS kernel mitigation for Spectre_v2.
 *
 * Assumes full context is established (PUSH_REGS, CR3 and GS) and it clobbers
 * the regs it uses (AX, CX, DX). Must be called before the first RET
 * instruction (NOTE! UNTRAIN_RET includes a RET instruction)
 *
 * The optional argument is used to save/restore the current value,
 * which is used on the paranoid paths.
 *
 * Assumes x86_spec_ctrl_{base,current} to have SPEC_CTRL_IBRS set.
 */
.macro IBRS_ENTER save_reg
#ifdef CONFIG_CPU_IBRS_ENTRY
	ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS
	movl	$MSR_IA32_SPEC_CTRL, %ecx

.ifnb \save_reg
	rdmsr
	shl	$32, %rdx
	or	%rdx, %rax
	mov	%rax, \save_reg
	test	$SPEC_CTRL_IBRS, %eax
	jz	.Ldo_wrmsr_\@
	lfence
	jmp	.Lend_\@
.Ldo_wrmsr_\@:
.endif

	movq	PER_CPU_VAR(x86_spec_ctrl_current), %rdx
	movl	%edx, %eax
	shr	$32, %rdx
	wrmsr
.Lend_\@:
#endif
.endm

/*
 * Similar to IBRS_ENTER, requires KERNEL GS,CR3 and clobbers (AX, CX, DX)
 * regs. Must be called after the last RET.
 */
.macro IBRS_EXIT save_reg
#ifdef CONFIG_CPU_IBRS_ENTRY
	ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS
	movl	$MSR_IA32_SPEC_CTRL, %ecx

.ifnb \save_reg
	mov	\save_reg, %rdx
.else
	movq	PER_CPU_VAR(x86_spec_ctrl_current), %rdx
	andl	$(~SPEC_CTRL_IBRS), %edx
.endif

	movl	%edx, %eax
	shr	$32, %rdx
	wrmsr
.Lend_\@:
#endif
.endm

/*
 * Mitigate Spectre v1 for conditional swapgs code paths.
 *
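Review bot: In IBRS_EXIT's no-save_reg path, `andl $(~SPEC_CTRL_IBRS), %edx` zero-extends into %rdx, so the `shr $32, %rdx` that follows always hands wrmsr a high half of 0, whereas the save_reg path writes the full 64-bit saved value back. That is harmless only while the upper 32 bits of x86_spec_ctrl_current are guaranteed zero, but the code reads as if it meant to preserve them, and a future bit above 31 in that per-CPU value would be silently dropped on exit. Either make it `andq $(~SPEC_CTRL_IBRS), %rdx` (the imm32 sign-extends, so the mask stays correct) or add a comment beside the andl stating that the high half is known to be zero and the shr is kept only for symmetry with IBRS_ENTER. Both .macro bodies are complete within the hunk.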