| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Sep 2022 12:17:22 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
Cc: stable@...r.kernel.org, andrew.cooper3@...rix.com, bp@...e.de,
tony.luck@...el.com, antonio.gomez.iglesias@...ux.intel.com,
Daniel Sneddon <daniel.sneddon@...ux.intel.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4.9 2/2] x86/bugs: Add "unknown" reporting for MMIO Stale
Data
On Tue, Aug 30, 2022 at 04:03:24PM -0700, Pawan Gupta wrote:
> [ Upstream commit 7df548840c496b0141fb2404b889c346380c2b22 ]
>
> Older Intel CPUs that are not in the affected processor list for MMIO
> Stale Data vulnerabilities currently report "Not affected" in sysfs,
> which may not be correct. Vulnerability status for these older CPUs is
> unknown.
>
> Add known-not-affected CPUs to the whitelist. Report "unknown"
> mitigation status for CPUs that are not in blacklist, whitelist and also
> don't enumerate MSR ARCH_CAPABILITIES bits that reflect hardware
> immunity to MMIO Stale Data vulnerabilities.
>
> Mitigation is not deployed when the status is unknown.
>
> [ bp: Massage, fixup. ]
>
> Fixes: 8d50cdf8b834 ("x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data")
> Suggested-by: Andrew Cooper <andrew.cooper3@...rix.com>
> Suggested-by: Tony Luck <tony.luck@...el.com>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> Signed-off-by: Borislav Petkov <bp@...e.de>
> Cc: stable@...r.kernel.org
> Link: https://lore.kernel.org/r/a932c154772f2121794a5f2eded1a11013114711.1657846269.git.pawan.kumar.gupta@linux.intel.com
> ---
> .../hw-vuln/processor_mmio_stale_data.rst | 14 ++++++++
> arch/x86/include/asm/cpufeatures.h | 1 +
> arch/x86/kernel/cpu/bugs.c | 14 ++++++--
> arch/x86/kernel/cpu/common.c | 34 +++++++++++++------
> 4 files changed, 50 insertions(+), 13 deletions(-)
>
> diff --git a/Documentation/hw-vuln/processor_mmio_stale_data.rst b/Documentation/hw-vuln/processor_mmio_stale_data.rst
> index 9393c50b5afc..c98fd11907cc 100644
> --- a/Documentation/hw-vuln/processor_mmio_stale_data.rst
> +++ b/Documentation/hw-vuln/processor_mmio_stale_data.rst
> @@ -230,6 +230,20 @@ The possible values in this file are:
> * - 'Mitigation: Clear CPU buffers'
> - The processor is vulnerable and the CPU buffer clearing mitigation is
> enabled.
> + * - 'Unknown: No mitigations'
> + - The processor vulnerability status is unknown because it is
> + out of Servicing period. Mitigation is not attempted.
> +
> +Definitions:
> +------------
> +
> +Servicing period: The process of providing functional and security updates to
> +Intel processors or platforms, utilizing the Intel Platform Update (IPU)
> +process or other similar mechanisms.
> +
> +End of Servicing Updates (ESU): ESU is the date at which Intel will no
> +longer provide Servicing, such as through IPU or other similar update
> +processes. ESU dates will typically be aligned to end of quarter.
>
> If the processor is vulnerable then the following information is appended to
> the above information:
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 910304aec2e6..a033fa5c596d 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -363,5 +363,6 @@
> #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
> #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
> #define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
> +#define X86_BUG_MMIO_UNKNOWN X86_BUG(26) /* CPU is too old and its MMIO Stale Data status is unknown */
>
> #endif /* _ASM_X86_CPUFEATURES_H */
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index b4416df41d63..d8ba0b60e088 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -395,7 +395,8 @@ static void __init mmio_select_mitigation(void)
> u64 ia32_cap;
>
> if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
> - cpu_mitigations_off()) {
> + boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) ||
> + cpu_mitigations_off()) {
> mmio_mitigation = MMIO_MITIGATION_OFF;
> return;
> }
> @@ -500,6 +501,8 @@ static void __init md_clear_update_mitigation(void)
> pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
> if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
> pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
> + else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
> + pr_info("MMIO Stale Data: Unknown: No mitigations\n");
> }
>
> static void __init md_clear_select_mitigation(void)
> @@ -1824,6 +1827,9 @@ static ssize_t tsx_async_abort_show_state(char *buf)
>
> static ssize_t mmio_stale_data_show_state(char *buf)
> {
> + if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
> + return sysfs_emit(buf, "Unknown: No mitigations\n");
> +
> if (mmio_mitigation == MMIO_MITIGATION_OFF)
> return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);
>
> @@ -1934,6 +1940,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
> return srbds_show_state(buf);
>
> case X86_BUG_MMIO_STALE_DATA:
> + case X86_BUG_MMIO_UNKNOWN:
> return mmio_stale_data_show_state(buf);
>
> default:
> @@ -1990,6 +1997,9 @@ ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *
>
> ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)
> {
> - return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
> + if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
> + return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_UNKNOWN);
> + else
> + return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
> }
> #endif
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index 48843fc76695..656f336074a3 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -899,6 +899,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
> #define MSBDS_ONLY BIT(5)
> #define NO_SWAPGS BIT(6)
> #define NO_ITLB_MULTIHIT BIT(7)
> +#define NO_MMIO BIT(8)
>
> #define VULNWL(_vendor, _family, _model, _whitelist) \
> { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
> @@ -916,6 +917,11 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
> VULNWL(NSC, 5, X86_MODEL_ANY, NO_SPECULATION),
>
> /* Intel Family 6 */
> + VULNWL_INTEL(TIGERLAKE, NO_MMIO),
> + VULNWL_INTEL(TIGERLAKE_L, NO_MMIO),
> + VULNWL_INTEL(ALDERLAKE, NO_MMIO),
> + VULNWL_INTEL(ALDERLAKE_L, NO_MMIO),
> +
> VULNWL_INTEL(ATOM_SALTWELL, NO_SPECULATION | NO_ITLB_MULTIHIT),
> VULNWL_INTEL(ATOM_SALTWELL_TABLET, NO_SPECULATION | NO_ITLB_MULTIHIT),
> VULNWL_INTEL(ATOM_SALTWELL_MID, NO_SPECULATION | NO_ITLB_MULTIHIT),
> @@ -933,9 +939,9 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
>
> VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
>
> - VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
> - VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
> - VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
> + VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> + VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> + VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
>
> /*
> * Technically, swapgs isn't serializing on AMD (despite it previously
> @@ -946,13 +952,13 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
> */
>
> /* AMD Family 0xf - 0x12 */
> - VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> - VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> - VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> - VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> + VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> + VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> + VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> + VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
>
> /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
> - VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
> + VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
> {}
> };
>
> @@ -1092,10 +1098,16 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
> * Affected CPU list is generally enough to enumerate the vulnerability,
> * but for virtualization case check for ARCH_CAP MSR bits also, VMM may
> * not want the guest to enumerate the bug.
> + *
> + * Set X86_BUG_MMIO_UNKNOWN for CPUs that are neither in the blacklist,
> + * nor in the whitelist and also don't enumerate MSR ARCH_CAP MMIO bits.
> */
> - if (cpu_matches(cpu_vuln_blacklist, MMIO) &&
> - !arch_cap_mmio_immune(ia32_cap))
> - setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
> + if (!arch_cap_mmio_immune(ia32_cap)) {
> + if (cpu_matches(cpu_vuln_blacklist, MMIO))
> + setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
> + else if (!cpu_matches(cpu_vuln_whitelist, NO_MMIO))
> + setup_force_cpu_bug(X86_BUG_MMIO_UNKNOWN);
> + }
>
> if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
> return;
> --
> 2.37.2
>
>
All now queued up, thanks.
greg k-h
Powered by blists - more mailing lists