lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YxCGstvTOwwLF8q/@kroah.com>
Date:   Thu, 1 Sep 2022 12:17:22 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
Cc:     stable@...r.kernel.org, andrew.cooper3@...rix.com, bp@...e.de,
        tony.luck@...el.com, antonio.gomez.iglesias@...ux.intel.com,
        Daniel Sneddon <daniel.sneddon@...ux.intel.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4.9 2/2] x86/bugs: Add "unknown" reporting for MMIO Stale
 Data

On Tue, Aug 30, 2022 at 04:03:24PM -0700, Pawan Gupta wrote:
> [ Upstream commit 7df548840c496b0141fb2404b889c346380c2b22 ]
> 
> Older Intel CPUs that are not in the affected processor list for MMIO
> Stale Data vulnerabilities currently report "Not affected" in sysfs,
> which may not be correct. Vulnerability status for these older CPUs is
> unknown.
> 
> Add known-not-affected CPUs to the whitelist. Report "unknown"
> mitigation status for CPUs that are not in blacklist, whitelist and also
> don't enumerate MSR ARCH_CAPABILITIES bits that reflect hardware
> immunity to MMIO Stale Data vulnerabilities.
> 
> Mitigation is not deployed when the status is unknown.
> 
>   [ bp: Massage, fixup. ]
> 
> Fixes: 8d50cdf8b834 ("x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data")
> Suggested-by: Andrew Cooper <andrew.cooper3@...rix.com>
> Suggested-by: Tony Luck <tony.luck@...el.com>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> Signed-off-by: Borislav Petkov <bp@...e.de>
> Cc: stable@...r.kernel.org
> Link: https://lore.kernel.org/r/a932c154772f2121794a5f2eded1a11013114711.1657846269.git.pawan.kumar.gupta@linux.intel.com
> ---
>  .../hw-vuln/processor_mmio_stale_data.rst     | 14 ++++++++
>  arch/x86/include/asm/cpufeatures.h            |  1 +
>  arch/x86/kernel/cpu/bugs.c                    | 14 ++++++--
>  arch/x86/kernel/cpu/common.c                  | 34 +++++++++++++------
>  4 files changed, 50 insertions(+), 13 deletions(-)
> 
> diff --git a/Documentation/hw-vuln/processor_mmio_stale_data.rst b/Documentation/hw-vuln/processor_mmio_stale_data.rst
> index 9393c50b5afc..c98fd11907cc 100644
> --- a/Documentation/hw-vuln/processor_mmio_stale_data.rst
> +++ b/Documentation/hw-vuln/processor_mmio_stale_data.rst
> @@ -230,6 +230,20 @@ The possible values in this file are:
>       * - 'Mitigation: Clear CPU buffers'
>         - The processor is vulnerable and the CPU buffer clearing mitigation is
>           enabled.
> +     * - 'Unknown: No mitigations'
> +       - The processor vulnerability status is unknown because it is
> +	 out of Servicing period. Mitigation is not attempted.
> +
> +Definitions:
> +------------
> +
> +Servicing period: The process of providing functional and security updates to
> +Intel processors or platforms, utilizing the Intel Platform Update (IPU)
> +process or other similar mechanisms.
> +
> +End of Servicing Updates (ESU): ESU is the date at which Intel will no
> +longer provide Servicing, such as through IPU or other similar update
> +processes. ESU dates will typically be aligned to end of quarter.
>  
>  If the processor is vulnerable then the following information is appended to
>  the above information:
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 910304aec2e6..a033fa5c596d 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -363,5 +363,6 @@
>  #define X86_BUG_ITLB_MULTIHIT		X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
>  #define X86_BUG_SRBDS			X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
>  #define X86_BUG_MMIO_STALE_DATA		X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
> +#define X86_BUG_MMIO_UNKNOWN		X86_BUG(26) /* CPU is too old and its MMIO Stale Data status is unknown */
>  
>  #endif /* _ASM_X86_CPUFEATURES_H */
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index b4416df41d63..d8ba0b60e088 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -395,7 +395,8 @@ static void __init mmio_select_mitigation(void)
>  	u64 ia32_cap;
>  
>  	if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
> -	    cpu_mitigations_off()) {
> +	     boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) ||
> +	     cpu_mitigations_off()) {
>  		mmio_mitigation = MMIO_MITIGATION_OFF;
>  		return;
>  	}
> @@ -500,6 +501,8 @@ static void __init md_clear_update_mitigation(void)
>  		pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
>  	if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
>  		pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
> +	else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
> +		pr_info("MMIO Stale Data: Unknown: No mitigations\n");
>  }
>  
>  static void __init md_clear_select_mitigation(void)
> @@ -1824,6 +1827,9 @@ static ssize_t tsx_async_abort_show_state(char *buf)
>  
>  static ssize_t mmio_stale_data_show_state(char *buf)
>  {
> +	if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
> +		return sysfs_emit(buf, "Unknown: No mitigations\n");
> +
>  	if (mmio_mitigation == MMIO_MITIGATION_OFF)
>  		return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);
>  
> @@ -1934,6 +1940,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
>  		return srbds_show_state(buf);
>  
>  	case X86_BUG_MMIO_STALE_DATA:
> +	case X86_BUG_MMIO_UNKNOWN:
>  		return mmio_stale_data_show_state(buf);
>  
>  	default:
> @@ -1990,6 +1997,9 @@ ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *
>  
>  ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)
>  {
> -	return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
> +	if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
> +		return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_UNKNOWN);
> +	else
> +		return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
>  }
>  #endif
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index 48843fc76695..656f336074a3 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -899,6 +899,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
>  #define MSBDS_ONLY		BIT(5)
>  #define NO_SWAPGS		BIT(6)
>  #define NO_ITLB_MULTIHIT	BIT(7)
> +#define NO_MMIO			BIT(8)
>  
>  #define VULNWL(_vendor, _family, _model, _whitelist)	\
>  	{ X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
> @@ -916,6 +917,11 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
>  	VULNWL(NSC,	5, X86_MODEL_ANY,	NO_SPECULATION),
>  
>  	/* Intel Family 6 */
> +	VULNWL_INTEL(TIGERLAKE,			NO_MMIO),
> +	VULNWL_INTEL(TIGERLAKE_L,		NO_MMIO),
> +	VULNWL_INTEL(ALDERLAKE,			NO_MMIO),
> +	VULNWL_INTEL(ALDERLAKE_L,		NO_MMIO),
> +
>  	VULNWL_INTEL(ATOM_SALTWELL,		NO_SPECULATION | NO_ITLB_MULTIHIT),
>  	VULNWL_INTEL(ATOM_SALTWELL_TABLET,	NO_SPECULATION | NO_ITLB_MULTIHIT),
>  	VULNWL_INTEL(ATOM_SALTWELL_MID,		NO_SPECULATION | NO_ITLB_MULTIHIT),
> @@ -933,9 +939,9 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
>  
>  	VULNWL_INTEL(ATOM_AIRMONT_MID,		NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
>  
> -	VULNWL_INTEL(ATOM_GOLDMONT,		NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
> -	VULNWL_INTEL(ATOM_GOLDMONT_X,		NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
> -	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
> +	VULNWL_INTEL(ATOM_GOLDMONT,		NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> +	VULNWL_INTEL(ATOM_GOLDMONT_X,		NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> +	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
>  
>  	/*
>  	 * Technically, swapgs isn't serializing on AMD (despite it previously
> @@ -946,13 +952,13 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
>  	 */
>  
>  	/* AMD Family 0xf - 0x12 */
> -	VULNWL_AMD(0x0f,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> -	VULNWL_AMD(0x10,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> -	VULNWL_AMD(0x11,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> -	VULNWL_AMD(0x12,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> +	VULNWL_AMD(0x0f,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> +	VULNWL_AMD(0x10,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> +	VULNWL_AMD(0x11,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> +	VULNWL_AMD(0x12,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
>  
>  	/* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
> -	VULNWL_AMD(X86_FAMILY_ANY,	NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> +	VULNWL_AMD(X86_FAMILY_ANY,	NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
>  	{}
>  };
>  
> @@ -1092,10 +1098,16 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
>  	 * Affected CPU list is generally enough to enumerate the vulnerability,
>  	 * but for virtualization case check for ARCH_CAP MSR bits also, VMM may
>  	 * not want the guest to enumerate the bug.
> +	 *
> +	 * Set X86_BUG_MMIO_UNKNOWN for CPUs that are neither in the blacklist,
> +	 * nor in the whitelist and also don't enumerate MSR ARCH_CAP MMIO bits.
>  	 */
> -	if (cpu_matches(cpu_vuln_blacklist, MMIO) &&
> -	    !arch_cap_mmio_immune(ia32_cap))
> -		setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
> +	if (!arch_cap_mmio_immune(ia32_cap)) {
> +		if (cpu_matches(cpu_vuln_blacklist, MMIO))
> +			setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
> +		else if (!cpu_matches(cpu_vuln_whitelist, NO_MMIO))
> +			setup_force_cpu_bug(X86_BUG_MMIO_UNKNOWN);
> +	}
>  
>  	if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
>  		return;
> -- 
> 2.37.2
> 
> 

All now queued up, thanks.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ