Commit f43b9876 authored by Peter Zijlstra's avatar Peter Zijlstra Committed by Borislav Petkov
Browse files

x86/retbleed: Add fine grained Kconfig knobs 



Do fine-grained Kconfig for all the various retbleed parts.

NOTE: if your compiler doesn't support return thunks this will
silently 'upgrade' your mitigation to IBPB, you might not like this.

Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
parent 26aae8cc

arch/x86/Kconfig

+85 −26
Original line number Diff line number Diff line
@@ -462,32 +462,6 @@ config GOLDFISH 
	def_bool y

	depends on X86_GOLDFISH



config RETPOLINE

	bool "Avoid speculative indirect branches in kernel"

	select OBJTOOL if HAVE_OBJTOOL

	default y

	help

	  Compile kernel with the retpoline compiler options to guard against

	  kernel-to-user data leaks by avoiding speculative indirect

	  branches. Requires a compiler with -mindirect-branch=thunk-extern

	  support for full protection. The kernel may run slower.



config CC_HAS_SLS

	def_bool $(cc-option,-mharden-sls=all)



config CC_HAS_RETURN_THUNK

	def_bool $(cc-option,-mfunction-return=thunk-extern)



config SLS

	bool "Mitigate Straight-Line-Speculation"

	depends on CC_HAS_SLS && X86_64

	select OBJTOOL if HAVE_OBJTOOL

	default n

	help

	  Compile the kernel with straight-line-speculation options to guard

	  against straight line speculation. The kernel image might be slightly

	  larger.



config X86_CPU_RESCTRL

	bool "x86 CPU resource control support"

	depends on X86 && (CPU_SUP_INTEL || CPU_SUP_AMD)
@@ -2456,6 +2430,91 @@ source "kernel/livepatch/Kconfig" 


endmenu



config CC_HAS_SLS

	def_bool $(cc-option,-mharden-sls=all)



config CC_HAS_RETURN_THUNK

	def_bool $(cc-option,-mfunction-return=thunk-extern)



menuconfig SPECULATION_MITIGATIONS

	bool "Mitigations for speculative execution vulnerabilities"

	default y

	help

	  Say Y here to enable options which enable mitigations for

	  speculative execution hardware vulnerabilities.



	  If you say N, all mitigations will be disabled. You really

	  should know what you are doing to say so.



if SPECULATION_MITIGATIONS



config PAGE_TABLE_ISOLATION

	bool "Remove the kernel mapping in user mode"

	default y

	depends on (X86_64 || X86_PAE)

	help

	  This feature reduces the number of hardware side channels by

	  ensuring that the majority of kernel addresses are not mapped

	  into userspace.



	  See Documentation/x86/pti.rst for more details.



config RETPOLINE

	bool "Avoid speculative indirect branches in kernel"

	select OBJTOOL if HAVE_OBJTOOL

	default y

	help

	  Compile kernel with the retpoline compiler options to guard against

	  kernel-to-user data leaks by avoiding speculative indirect

	  branches. Requires a compiler with -mindirect-branch=thunk-extern

	  support for full protection. The kernel may run slower.



config RETHUNK

	bool "Enable return-thunks"

	depends on RETPOLINE && CC_HAS_RETURN_THUNK

	select OBJTOOL if HAVE_OBJTOOL

	default y

	help

	  Compile the kernel with the return-thunks compiler option to guard

	  against kernel-to-user data leaks by avoiding return speculation.

	  Requires a compiler with -mfunction-return=thunk-extern

	  support for full protection. The kernel may run slower.



config CPU_UNRET_ENTRY

	bool "Enable UNRET on kernel entry"

	depends on CPU_SUP_AMD && RETHUNK

	default y

	help

	  Compile the kernel with support for the retbleed=unret mitigation.



config CPU_IBPB_ENTRY

	bool "Enable IBPB on kernel entry"

	depends on CPU_SUP_AMD

	default y

	help

	  Compile the kernel with support for the retbleed=ibpb mitigation.



config CPU_IBRS_ENTRY

	bool "Enable IBRS on kernel entry"

	depends on CPU_SUP_INTEL

	default y

	help

	  Compile the kernel with support for the spectre_v2=ibrs mitigation.

	  This mitigates both spectre_v2 and retbleed at great cost to

	  performance.



config SLS

	bool "Mitigate Straight-Line-Speculation"

	depends on CC_HAS_SLS && X86_64

	select OBJTOOL if HAVE_OBJTOOL

	default n

	help

	  Compile the kernel with straight-line-speculation options to guard

	  against straight line speculation. The kernel image might be slightly

	  larger.



endif



config ARCH_HAS_ADD_PAGES

	def_bool y

	depends on ARCH_ENABLE_MEMORY_HOTPLUG

arch/x86/Makefile

+6 −2
Original line number Diff line number Diff line
@@ -15,14 +15,18 @@ endif 
ifdef CONFIG_CC_IS_GCC

RETPOLINE_CFLAGS	:= $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register)

RETPOLINE_CFLAGS	+= $(call cc-option,-mindirect-branch-cs-prefix)

RETPOLINE_CFLAGS	+= $(call cc-option,-mfunction-return=thunk-extern)

RETPOLINE_VDSO_CFLAGS	:= $(call cc-option,-mindirect-branch=thunk-inline -mindirect-branch-register)

endif

ifdef CONFIG_CC_IS_CLANG

RETPOLINE_CFLAGS	:= -mretpoline-external-thunk

RETPOLINE_VDSO_CFLAGS	:= -mretpoline

RETPOLINE_CFLAGS	+= $(call cc-option,-mfunction-return=thunk-extern)

endif



ifdef CONFIG_RETHUNK

RETHUNK_CFLAGS		:= -mfunction-return=thunk-extern

RETPOLINE_CFLAGS	+= $(RETHUNK_CFLAGS)

endif



export RETPOLINE_CFLAGS

export RETPOLINE_VDSO_CFLAGS

arch/x86/entry/calling.h

+4 −0
Original line number Diff line number Diff line
@@ -297,6 +297,7 @@ For 32-bit we have the following conventions - kernel is built with 
 * Assumes x86_spec_ctrl_{base,current} to have SPEC_CTRL_IBRS set.

 */

.macro IBRS_ENTER save_reg

#ifdef CONFIG_CPU_IBRS_ENTRY

	ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS

	movl	$MSR_IA32_SPEC_CTRL, %ecx
@@ -317,6 +318,7 @@ For 32-bit we have the following conventions - kernel is built with 
	shr	$32, %rdx

	wrmsr

.Lend_\@:

#endif

.endm



/*
@@ -324,6 +326,7 @@ For 32-bit we have the following conventions - kernel is built with 
 * regs. Must be called after the last RET.

 */

.macro IBRS_EXIT save_reg

#ifdef CONFIG_CPU_IBRS_ENTRY

	ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_KERNEL_IBRS

	movl	$MSR_IA32_SPEC_CTRL, %ecx
@@ -338,6 +341,7 @@ For 32-bit we have the following conventions - kernel is built with 
	shr	$32, %rdx

	wrmsr

.Lend_\@:

#endif

.endm



/*

arch/x86/include/asm/disabled-features.h

+14 −4
Original line number Diff line number Diff line
@@ -54,9 +54,19 @@ 
# define DISABLE_RETPOLINE	0

#else

# define DISABLE_RETPOLINE	((1 << (X86_FEATURE_RETPOLINE & 31)) | \

				 (1 << (X86_FEATURE_RETPOLINE_LFENCE & 31)) | \

				 (1 << (X86_FEATURE_RETHUNK & 31)) | \

				 (1 << (X86_FEATURE_UNRET & 31)))

				 (1 << (X86_FEATURE_RETPOLINE_LFENCE & 31)))

#endif



#ifdef CONFIG_RETHUNK

# define DISABLE_RETHUNK	0

#else

# define DISABLE_RETHUNK	(1 << (X86_FEATURE_RETHUNK & 31))

#endif



#ifdef CONFIG_CPU_UNRET_ENTRY

# define DISABLE_UNRET		0

#else

# define DISABLE_UNRET		(1 << (X86_FEATURE_UNRET & 31))

#endif



#ifdef CONFIG_INTEL_IOMMU_SVM
@@ -91,7 +101,7 @@ 
#define DISABLED_MASK8	(DISABLE_TDX_GUEST)

#define DISABLED_MASK9	(DISABLE_SGX)

#define DISABLED_MASK10	0

#define DISABLED_MASK11	(DISABLE_RETPOLINE)

#define DISABLED_MASK11	(DISABLE_RETPOLINE|DISABLE_RETHUNK|DISABLE_UNRET)

#define DISABLED_MASK12	0

#define DISABLED_MASK13	0

#define DISABLED_MASK14	0

arch/x86/include/asm/linkage.h

+2 −2
Original line number Diff line number Diff line
@@ -19,7 +19,7 @@ 
#define __ALIGN_STR	__stringify(__ALIGN)

#endif



#if defined(CONFIG_RETPOLINE) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)

#if defined(CONFIG_RETHUNK) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)

#define RET	jmp __x86_return_thunk

#else /* CONFIG_RETPOLINE */

#ifdef CONFIG_SLS
@@ -31,7 +31,7 @@ 


#else /* __ASSEMBLY__ */



#if defined(CONFIG_RETPOLINE) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)

#if defined(CONFIG_RETHUNK) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)

#define ASM_RET	"jmp __x86_return_thunk\n\t"

#else /* CONFIG_RETPOLINE */

#ifdef CONFIG_SLS