lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue,  9 Jan 2018 18:26:44 -0800
From:   Tim Chen <tim.c.chen@...ux.intel.com>
To:     Thomas Gleixner <tglx@...utronix.de>,
        Andy Lutomirski <luto@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Greg KH <gregkh@...uxfoundation.org>
Cc:     Tim Chen <tim.c.chen@...ux.intel.com>,
        Dave Hansen <dave.hansen@...el.com>,
        Andrea Arcangeli <aarcange@...hat.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Arjan Van De Ven <arjan.van.de.ven@...el.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        Peter Zijlstra <peterz@...radead.org>,
        Dan Williams <dan.j.williams@...el.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Ashok Raj <ashok.raj@...el.com>, linux-kernel@...r.kernel.org
Subject: [PATCH v3 0/5] IBRS patch series 

Thanks to all the reviewers.  One key feedback I
got was we should make this patch series simple, so we can
put in basic IBRS functionality first.  So I took out
the run time control of IBRS, toggling IBRS to firmware call for retpoline
and recheck of IBRS feature on microcode reload. We will defer dealing
with those complications later.

This patch series is integrated with the retpoline patches
on x86/tip. The user can opt for ibrs by "spectre_v2=ibrs"
instead of "spectre_v2=retpoline" in
boot parameter.  Otherwise retpoline will be used by default
for spectre_v2.

The patchset is applied on top of the latest x86/tip with retpoline patches.

I've tested the patchset mostly on the 4.15-rc6.
As I have just merged the patchset top x86/tip, some bare testing
has been done on the x86/tip. Will be doing more testing there.

Thomas,
I have to switch a check in patch 5 from lockdep_assert_irqs_disabled
to WARN_ON_ONCE as it is not available on x86/tip. We should use
lockdep_assert_irqs_disabled when we merge back to mainline.

+       /* should use lockdep_assert_irqs_disabled() when available */
+       WARN_ON_ONCE(!irqs_disabled());

Thanks.
Tim

v3.
1. Use boot parameter spectre_v2=ibrs to opt in for enabling IBRS.
2. Remove run time control of IBRS usage.
3. Remove the patches for IBRS detection on microcode reload,
enabling of IBRS for firmware call when using retpoline.

v2.
1. Added missing feature enumeration in tools/arch/x86/include/asm/cpufeatures.h  
2. Kernel entry macros label cleanup and move them to calling.h
3. Remove unnecessary irqs_diabled check in the mwait.
4. Don't use a bit field base sys control variable to make ibrs enabling
   simpler and easier to understand.
5. Corrected compile issues for firmware update code.
6. Leave IBPB feature bits out from this patch series and will be added
   in its own set of patches later.

Tim

---patch series details---
This patch series enables the basic detection and usage of x86 indirect
branch speculation feature.  It enables the indirect branch restricted
speculation (IBRS) on kernel entry and disables it on exit.
It enumerates the indirect branch prediction barrier (IBPB).

The x86 IBRS feature requires corresponding microcode support.
It mitigates the variant 2 vulnerability described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

If IBRS is set, near returns and near indirect jumps/calls will not
allow their predicted target address to be controlled by code that
executed in a less privileged prediction mode before the IBRS mode was
last written with a value of 1 or on another logical processor so long
as all RSB entries from the previous less privileged prediction mode
are overwritten.

Both retpoline and IBRS provides mitigation against variant 2 attacks,
with IBRS being the most secured method but could incur more performance
overhead compared to retpoline[1].  If you are paranoid, then set
spectre_v2=ibrs as your boot parameter.

See: https://docs.google.com/document/d/e/2PACX-1vSMrwkaoSUBAFc6Fjd19F18c1O9pudkfAY-7lGYGOTN8mc9ul-J6pWadcAaBJZcVA7W_3jlLKRtKRbd/pub

More detailed description of IBRS is described in the first patch.

The patchset is applied on top of the latest x86/tip with retpoline patches.

Tim Chen (5):
  x86/feature: Detect the x86 IBRS feature to control Speculation
  x86/enter: Create macros to set/clear IBRS
  x86/enter: Use IBRS on syscall and interrupts
  x86/ibrs: Create boot option for IBRS
  x86/idle: Disable IBRS entering idle and enable it on wakeup

 Documentation/admin-guide/kernel-parameters.txt |  3 +
 arch/x86/entry/calling.h                        | 73 +++++++++++++++++++++++++
 arch/x86/entry/entry_64.S                       | 23 ++++++++
 arch/x86/entry/entry_64_compat.S                | 14 ++++-
 arch/x86/include/asm/cpufeatures.h              |  2 +
 arch/x86/include/asm/msr-index.h                |  4 ++
 arch/x86/include/asm/mwait.h                    | 13 +++++
 arch/x86/include/asm/spec_ctrl.h                | 22 ++++++++
 arch/x86/kernel/cpu/Makefile                    |  1 +
 arch/x86/kernel/cpu/scattered.c                 |  3 +
 arch/x86/kernel/cpu/spec_ctrl.c                 | 48 ++++++++++++++++
 arch/x86/kernel/process.c                       |  9 ++-
 tools/arch/x86/include/asm/cpufeatures.h        |  2 +
 13 files changed, 214 insertions(+), 3 deletions(-)
 create mode 100644 arch/x86/include/asm/spec_ctrl.h
 create mode 100644 arch/x86/kernel/cpu/spec_ctrl.c

-- 
2.9.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ