lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <9f9cfed2830ebf5cce69190409b0716406aeaf22.1542757030.git.tim.c.chen@linux.intel.com>
Date:   Tue, 20 Nov 2018 16:00:03 -0800
From:   Tim Chen <tim.c.chen@...ux.intel.com>
To:     Jiri Kosina <jikos@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>
Cc:     Tim Chen <tim.c.chen@...ux.intel.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Tom Lendacky <thomas.lendacky@....com>,
        Ingo Molnar <mingo@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Andrea Arcangeli <aarcange@...hat.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        Andi Kleen <ak@...ux.intel.com>,
        Dave Hansen <dave.hansen@...el.com>,
        Casey Schaufler <casey.schaufler@...el.com>,
        Asit Mallick <asit.k.mallick@...el.com>,
        Arjan van de Ven <arjan@...ux.intel.com>,
        Jon Masters <jcm@...hat.com>,
        Waiman Long <longman9394@...il.com>,
        Greg KH <gregkh@...uxfoundation.org>,
        Dave Stewart <david.c.stewart@...el.com>,
        linux-kernel@...r.kernel.org, x86@...nel.org,
        stable@...r.kernel.org
Subject: [Patch v6 11/16] x86/speculation: Enable IBPB for tasks with TIF_SPEC_BRANCH_SPECULATION

IBPB currently is applied to all tasks.  However,
when spectre_v2_app2app_enabled is set to default
value SPECTRE_V2_APP2APP_PRCTL, only tasks marked with
TIF_SPEC_BRANCH_SPECULATION via prctl are protected against Spectre V2
sibling thread attack to minimize performance impact.

Extend this option to IBPB to protect only
tasks marked with TIF_SPEC_BRANCH_SPECULATION needing
mitigation to minimize performance impact.

Make IBPB usage follow the spectre_v2_app2app_enabled option:
spectre_v2_app2app =
 SPECTRE_V2_APP2APP_PRCTL  : Use IBPB only on tasks with TIF_SPEC_BRANCH_SPECULATION
 SPECTRE_V2_APP2APP_STRICT : Use IBPB on all tasks
 SPECTRE_V2_APP2APP_NONE   : Don't use IBPB

Signed-off-by: Tim Chen <tim.c.chen@...ux.intel.com>
---
 arch/x86/kernel/cpu/bugs.c | 29 ++++++++++++++++++-----------
 arch/x86/mm/tlb.c          | 23 ++++++++++++++++++-----
 2 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 26e1a87..44f7127 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -534,12 +534,6 @@ static void __init spectre_v2_select_mitigation(void)
 	setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
 	pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
 
-	/* Initialize Indirect Branch Prediction Barrier if supported */
-	if (boot_cpu_has(X86_FEATURE_IBPB)) {
-		setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
-		pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
-	}
-
 	/*
 	 * Retpoline means the kernel is safe because it has no indirect
 	 * branches. Enhanced IBRS protects firmware too, so, enable restricted
@@ -558,8 +552,9 @@ static void __init spectre_v2_select_mitigation(void)
 
 	app2app_mode = SPECTRE_V2_APP2APP_NONE;
 
-	/* No mitigation if mitigation feature is unavailable */
-	if (!boot_cpu_has(X86_FEATURE_STIBP))
+	/* No mitigation if all mitigation features are unavailable */
+	if (!boot_cpu_has(X86_FEATURE_IBPB) &&
+	    !boot_cpu_has(X86_FEATURE_STIBP))
 		goto set_app2app_mode;
 
 	app2app_cmd = spectre_v2_parse_app2app_cmdline(cmd);
@@ -587,6 +582,16 @@ static void __init spectre_v2_select_mitigation(void)
 		break;
 	}
 
+	/*
+	 * Initialize Indirect Branch Prediction Barrier if supported
+	 * and not disabled explicitly
+	 */
+	if (boot_cpu_has(X86_FEATURE_IBPB) &&
+	    app2app_mode != SPECTRE_V2_APP2APP_NONE) {
+		setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
+		pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
+	}
+
 set_app2app_mode:
 	spectre_v2_app2app_enabled = app2app_mode;
 	pr_info("%s\n", spectre_v2_app2app_strings[app2app_mode]);
@@ -1076,10 +1081,12 @@ static char *stibp_state(void)
 
 static char *ibpb_state(void)
 {
-	if (boot_cpu_has(X86_FEATURE_USE_IBPB))
-		return ", IBPB";
-	else
+	if (spectre_v2_app2app_enabled == SPECTRE_V2_APP2APP_NONE)
 		return "";
+	else if (spectre_v2_app2app_enabled == SPECTRE_V2_APP2APP_PRCTL)
+		return ", IBPB-prctl";
+	else
+		return ", IBPB-all";
 }
 
 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
index bddd6b3..616694c 100644
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -184,14 +184,27 @@ static void sync_current_stack_to_mm(struct mm_struct *mm)
 static bool ibpb_needed(struct task_struct *tsk, u64 last_ctx_id)
 {
 	/*
-	 * Check if the current (previous) task has access to the memory
-	 * of the @tsk (next) task. If access is denied, make sure to
-	 * issue a IBPB to stop user->user Spectre-v2 attacks.
+	 * Don't issue IBPB when switching to kernel threads or staying in the
+	 * same mm context.
+	 */
+	if (!tsk || !tsk->mm || tsk->mm->context.ctx_id == last_ctx_id)
+		return false;
+
+	/*
+	 * If lite protection mode is enabled, check the STIBP thread flag.
+	 *
+	 * Otherwise check if the current (previous) task has access to the
+	 * the memory of the @tsk (next) task for strict app to app protection.
+	 * If access is denied, make sure to issue a IBPB to stop user->user
+	 * Spectre-v2 attacks.
 	 *
 	 * Note: __ptrace_may_access() returns 0 or -ERRNO.
 	 */
-	return (tsk && tsk->mm && tsk->mm->context.ctx_id != last_ctx_id &&
-		ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB));
+
+	if (static_branch_unlikely(&spectre_v2_app_lite))
+		return test_tsk_thread_flag(tsk, TIF_SPEC_INDIR_BRANCH);
+	else
+		return ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB);
 }
 
 void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
-- 
2.9.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ