Message-Id: <1515117669-24787-1-git-send-email-dwmw@amazon.co.uk>
Date:   Fri,  5 Jan 2018 02:00:56 +0000
From:   David Woodhouse <dwmw@...zon.co.uk>
To:     Andi Kleen <ak@...ux.intel.com>
Cc:     Paul Turner <pjt@...gle.com>, LKML <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Greg Kroah-Hartman <gregkh@...ux-foundation.org>,
        Tim Chen <tim.c.chen@...ux.intel.com>,
        Dave Hansen <dave.hansen@...el.com>, tglx@...utronix.de,
        Kees Cook <keescook@...gle.com>,
        Rik van Riel <riel@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Andy Lutomirski <luto@...capital.net>,
        Jiri Kosina <jikos@...nel.org>, gnomes@...rguk.ukuu.org.uk
Subject: [PATCH v4 00/13] Retpoline: Avoid speculative indirect calls in kernel

This is a fix for the 'variant 2' attack described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Using GCC patches available from the gcc-7_2_0-retpoline branch of
http://git.infradead.org/users/dwmw2/gcc-retpoline.git and by manually
patching assembler code, all indirect branches (that occur after userspace
first runs) are eliminated from the kernel.

They are replaced with a 'retpoline' call sequence which deliberately
prevents speculation.

Now that the thunks are exported, we need to fix MODVERSIONS support,
because genksyms can't generate the crc for the symbols. Still working
on that...

v1: Initial post.
v2: Add CONFIG_RETPOLINE to build kernel without it.
    Change warning messages.
    Hide modpost warning message
v3: Update to the latest CET-capable retpoline version
    Reinstate ALTERNATIVE support
v4: Finish reconciling Andi's and my patch sets, bug fixes.
    Exclude objtool support for now
    Add 'noretpoline' boot option
    Add AMD retpoline alternative

Andi Kleen (4):
  x86/retpoline/irq32: Convert assembler indirect jumps
  retpoline/taint: Taint kernel for missing retpoline in compiler
  x86/retpoline: Add boot time option to disable retpoline
  x86/retpoline: Exclude objtool with retpoline

David Woodhouse (9):
  x86/retpoline: Add initial retpoline support
  x86/retpoline/crypto: Convert crypto assembler indirect jumps
  x86/retpoline/entry: Convert entry assembler indirect jumps
  x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
  x86/retpoline/hyperv: Convert assembler indirect jumps
  x86/retpoline/xen: Convert Xen hypercall indirect jumps
  x86/retpoline/checksum32: Convert assembler indirect jumps
  x86/alternatives: Add missing \n at end of ALTERNATIVE inline asm
  x86/retpoline: Simplify AMD variant of retpoline thunk

 Documentation/admin-guide/kernel-parameters.txt |  3 ++
 Documentation/admin-guide/tainted-kernels.rst   |  3 ++
 arch/x86/Kconfig                                | 17 +++++++-
 arch/x86/Kconfig.debug                          |  6 +--
 arch/x86/Makefile                               | 10 +++++
 arch/x86/crypto/aesni-intel_asm.S               |  5 ++-
 arch/x86/crypto/camellia-aesni-avx-asm_64.S     |  3 +-
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S    |  3 +-
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S       |  4 +-
 arch/x86/entry/entry_32.S                       |  5 ++-
 arch/x86/entry/entry_64.S                       | 22 ++++++++--
 arch/x86/include/asm/alternative.h              |  4 +-
 arch/x86/include/asm/cpufeatures.h              |  1 +
 arch/x86/include/asm/mshyperv.h                 | 18 ++++----
 arch/x86/include/asm/nospec-branch.h            | 58 +++++++++++++++++++++++++
 arch/x86/include/asm/xen/hypercall.h            |  5 ++-
 arch/x86/kernel/cpu/intel.c                     | 10 +++++
 arch/x86/kernel/ftrace_32.S                     |  6 ++-
 arch/x86/kernel/ftrace_64.S                     |  8 ++--
 arch/x86/kernel/irq_32.c                        |  9 ++--
 arch/x86/kernel/setup.c                         |  6 +++
 arch/x86/lib/Makefile                           |  1 +
 arch/x86/lib/checksum_32.S                      |  7 +--
 arch/x86/lib/retpoline.S                        | 53 ++++++++++++++++++++++
 include/linux/kernel.h                          |  4 +-
 kernel/module.c                                 | 11 ++++-
 kernel/panic.c                                  |  1 +
 scripts/mod/modpost.c                           |  9 ++++
 28 files changed, 250 insertions(+), 42 deletions(-)
 create mode 100644 arch/x86/include/asm/nospec-branch.h
 create mode 100644 arch/x86/lib/retpoline.S

-- 
2.7.4
