| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Feb 2018 10:07:02 -0600
From: Tom Lendacky <thomas.lendacky@....com>
To: David Woodhouse <dwmw@...zon.co.uk>, tglx@...utronix.de,
karahmed@...zon.de, x86@...nel.org, kvm@...r.kernel.org,
torvalds@...ux-foundation.org, pbonzini@...hat.com,
linux-kernel@...r.kernel.org, bp@...en8.de, peterz@...radead.org,
jmattson@...gle.com, rkrcmar@...hat.com,
arjan.van.de.ven@...el.com, dave.hansen@...el.com, mingo@...nel.org
Subject: Re: [PATCH 1/4] x86/speculation: Use IBRS if available before calling
into firmware
On 2/14/2018 7:44 AM, David Woodhouse wrote:
> Retpoline means the kernel is safe because it has no indirect branches.
> But firmware isn't, so use IBRS for firmware calls if it's available.
>
> Block preemption while IBRS is set, although in practice the call sites
> already had to be doing that.
>
> Ignore hpwdt.c for now. It's taking spinlocks and calling into firmware
> code, from an NMI handler. I don't want to touch that with a bargepole.
>
> Signed-off-by: David Woodhouse <dwmw@...zon.co.uk>
> ---
> arch/x86/include/asm/apm.h | 6 ++++++
> arch/x86/include/asm/cpufeatures.h | 1 +
> arch/x86/include/asm/efi.h | 17 ++++++++++++++--
> arch/x86/include/asm/nospec-branch.h | 39 +++++++++++++++++++++++++++---------
> arch/x86/kernel/cpu/bugs.c | 12 ++++++++++-
> 5 files changed, 63 insertions(+), 12 deletions(-)
>
... <snip> ...
> +/*
> + * With retpoline, we must use IBRS to restrict branch prediction
> + * before calling into firmware.
> + */
> +static inline void firmware_restrict_branch_speculation_start(void)
> +{
> + preempt_disable();
> + alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,
> + X86_FEATURE_USE_IBRS_FW);
> +}
> +
> +static inline void firmware_restrict_branch_speculation_end(void)
> +{
> + alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,
> + X86_FEATURE_USE_IBRS_FW);
> + preempt_enable();
> }
Shouldn't these writes to the MSR be just for the IBRS bit? The spec
also defines the STIBP bit for this MSR, and if that bit had been set by
BIOS for example, these writes will clear it. And who knows what future
bits may be defined and how they'll be used.
Thanks,
Tom
>
> #endif /* __ASSEMBLY__ */
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index d71c8b5..bfca937 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -300,6 +300,15 @@ static void __init spectre_v2_select_mitigation(void)
> setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
> pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
> }
> +
> + /*
> + * Retpoline means the kernel is safe because it has no indirect
> + * branches. But firmware isn't, so use IBRS to protect that.
> + */
> + if (boot_cpu_has(X86_FEATURE_IBRS)) {
> + setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
> + pr_info("Enabling Restricted Speculation for firmware calls\n");
> + }
> }
>
> #undef pr_fmt
> @@ -326,8 +335,9 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c
> if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
> return sprintf(buf, "Not affected\n");
>
> - return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
> + return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
> boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
> + boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
> spectre_v2_module_string());
> }
> #endif
>
Powered by blists - more mailing lists