lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20211020043131.1222542-1-liyu.yukiteru@bytedance.com>
Date:   Wed, 20 Oct 2021 12:31:27 +0800
From:   Li Yu <liyu.yukiteru@...edance.com>
To:     pbonzini@...hat.com
Cc:     liyu.yukiteru@...edance.com, Jonathan Corbet <corbet@....net>,
        Sean Christopherson <seanjc@...gle.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Joerg Roedel <joro@...tes.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
        "Paul E. McKenney" <paulmck@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Lu Baolu <baolu.lu@...ux.intel.com>,
        "Maciej W. Rozycki" <macro@...am.me.uk>,
        Muchun Song <songmuchun@...edance.com>,
        Viresh Kumar <viresh.kumar@...aro.org>,
        Robin Murphy <robin.murphy@....com>,
        Randy Dunlap <rdunlap@...radead.org>,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        kvm@...r.kernel.org
Subject: [PATCH v3] KVM: x86/mmu: Warn on iTLB multi-hit for possible problems

Warn for guest huge pages split if iTLB multi-hit bug is present
and CPU mitigations is enabled.

Warn for possible CPU lockup if iTLB multi-hit bug is present but
CPU mitigations is disabled.

Signed-off-by: Li Yu <liyu.yukiteru@...edance.com>
---
 Documentation/admin-guide/hw-vuln/multihit.rst  |  8 +++--
 Documentation/admin-guide/kernel-parameters.txt | 10 +++---
 arch/x86/kvm/mmu/mmu.c                          | 48 +++++++++++++++++++++----
 3 files changed, 53 insertions(+), 13 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/multihit.rst b/Documentation/admin-guide/hw-vuln/multihit.rst
index 140e4cec38c3..7b2cd027d759 100644
--- a/Documentation/admin-guide/hw-vuln/multihit.rst
+++ b/Documentation/admin-guide/hw-vuln/multihit.rst
@@ -129,19 +129,21 @@ boot time with the option "kvm.nx_huge_pages=".
 
 The valid arguments for these options are:
 
-  ==========  ================================================================
+  ==========  =================================================================
   force       Mitigation is enabled. In this case, the mitigation implements
               non-executable huge pages in Linux kernel KVM module. All huge
               pages in the EPT are marked as non-executable.
               If a guest attempts to execute in one of those pages, the page is
               broken down into 4K pages, which are then marked executable.
 
-  off	      Mitigation is disabled.
+  off         Mitigation is disabled.
+
+  off,nowarn  Same as 'off', but hypervisors will not warn when KVM is loaded.
 
   auto        Enable mitigation only if the platform is affected and the kernel
               was not booted with the "mitigations=off" command line parameter.
 	      This is the default option.
-  ==========  ================================================================
+  ==========  =================================================================
 
 
 Mitigation selection guide
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 43dc35fe5bc0..8f014cf462a3 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2339,10 +2339,12 @@
 	kvm.nx_huge_pages=
 			[KVM] Controls the software workaround for the
 			X86_BUG_ITLB_MULTIHIT bug.
-			force	: Always deploy workaround.
-			off	: Never deploy workaround.
-			auto    : Deploy workaround based on the presence of
-				  X86_BUG_ITLB_MULTIHIT.
+			force	   : Always deploy workaround.
+			off	   : Never deploy workaround.
+			off,nowarn : Same as 'off', but hypervisors will not
+				     warn when KVM is loaded.
+			auto	   : Deploy workaround based on the presence of
+				     X86_BUG_ITLB_MULTIHIT and cpu mitigations.
 
 			Default is 'auto'.
 
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 1a64ba5b9437..b9dc68e3dc2c 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -6056,20 +6056,41 @@ static void __set_nx_huge_pages(bool val)
 	nx_huge_pages = itlb_multihit_kvm_mitigation = val;
 }
 
+#define ITLB_MULTIHIT_NX_ON  "iTLB multi-hit CPU bug present and cpu mitigations enabled, guest huge pages may split by kernel for security. See CVE-2018-12207 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html for details.\n"
+#define ITLB_MULTIHIT_NX_OFF "iTLB multi-hit CPU bug present but cpu mitigations disabled, malicious guest may cause a CPU lockup. See CVE-2018-12207 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html for details.\n"
+
 static int set_nx_huge_pages(const char *val, const struct kernel_param *kp)
 {
 	bool old_val = nx_huge_pages;
 	bool new_val;
+	bool nowarn = false;
 
 	/* In "auto" mode deploy workaround only if CPU has the bug. */
-	if (sysfs_streq(val, "off"))
+	if (sysfs_streq(val, "off")) {
+		new_val = 0;
+	} else if (sysfs_streq(val, "off,nowarn")) {
 		new_val = 0;
-	else if (sysfs_streq(val, "force"))
+		nowarn = true;
+	} else if (sysfs_streq(val, "force")) {
+		/*
+		 * When `force` is set, admin should know that no matter whether
+		 * CPU has the bug or not, guest pages may split anyway. So warn
+		 * is not needed.
+		 */
 		new_val = 1;
-	else if (sysfs_streq(val, "auto"))
+		nowarn = true;
+	} else if (sysfs_streq(val, "auto")) {
 		new_val = get_nx_auto_mode();
-	else if (strtobool(val, &new_val) < 0)
+	} else if (strtobool(val, &new_val) < 0) {
 		return -EINVAL;
+	}
+
+	if (!nowarn && boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT)) {
+		if (new_val)
+			pr_warn_once(ITLB_MULTIHIT_NX_ON);
+		else
+			pr_warn_once(ITLB_MULTIHIT_NX_OFF);
+	}
 
 	__set_nx_huge_pages(new_val);
 
@@ -6094,9 +6115,24 @@ static int set_nx_huge_pages(const char *val, const struct kernel_param *kp)
 int kvm_mmu_module_init(void)
 {
 	int ret = -ENOMEM;
+	bool mode;
 
-	if (nx_huge_pages == -1)
-		__set_nx_huge_pages(get_nx_auto_mode());
+	if (nx_huge_pages == -1) {
+		mode = get_nx_auto_mode();
+		if (boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT)) {
+			/*
+			 * Warn on the CPU multi-hit bug when `nx_huge_pages` is `auto`
+			 * by default. If cpu mitigations was enabled, warn that guest
+			 * huge pages may split, otherwise warn that the bug may cause
+			 * a CPU lockup because of a malicious guest.
+			 */
+			if (mode)
+				pr_warn_once(ITLB_MULTIHIT_NX_ON);
+			else
+				pr_warn_once(ITLB_MULTIHIT_NX_OFF);
+		}
+		__set_nx_huge_pages(mode);
+	}
 
 	/*
 	 * MMU roles use union aliasing which is, generally speaking, an
-- 
2.11.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ