Date:   Sun, 11 Dec 2022 00:00:37 +0800
From:   Zhang Chen <chen.zhang@...el.com>
To:     x86@...nel.org, linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Cc:     Zhang Chen <chen.zhang@...el.com>, Chao Gao <chao.gao@...el.com>,
        Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Borislav Petkov <bp@...en8.de>, Ingo Molnar <mingo@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>
Subject: [RFC PATCH 0/9] Intel SPEC CTRL virtualization support

This series introduces "virtual IA32_SPEC_CTRL" support. Here is an introduction
to, and the use cases of, this new feature.

### Virtual IA32_SPEC_CTRL

Virtual IA32_SPEC_CTRL [1] is a new VMX feature on Intel CPUs.
This feature allows VMM to fix some bits of IA32_SPEC_CTRL MSR even when
the MSR is pass-thru'd to a guest.


### Use cases of virtual IA32_SPEC_CTRL

Software mitigations like Retpoline and the software BHB-clearing sequence
depend on CPU microarchitectures. And a guest cannot know exactly
the underlying microarchitecture. When a guest is migrated between
processors of different microarchitectures, software mitigations which
work perfectly on the previous microarchitecture may not be effective on the
new one. To fix the problem, some hardware mitigations should be used in
conjunction with software mitigations. Using virtual IA32_SPEC_CTRL,
the VMM can enforce hardware mitigations transparently to guests and avoid
those hardware mitigations being accidentally disabled when the guest
changes the IA32_SPEC_CTRL MSR.


### Intention of this series

This series adds the capability of enforcing hardware mitigations for
guests transparently and efficiently (i.e., without intercepting
IA32_SPEC_CTRL MSR accesses) to KVM. The capability can be used to solve
the VM migration issue in a pool consisting of processors of different
microarchitectures.

Specifically, below are two target scenarios of this series:

Scenario 1: If retpoline is used by a VM to mitigate IMBTI in CPL0, the VMM
            can set RRSBA_DIS_S on parts that enumerate RRSBA. Note that
            the VM is presented with a microarchitecture that doesn't
            enumerate RRSBA.

Scenario 2: If a VM uses the software BHB-clearing sequence on transitions
            into CPL0 to mitigate BHI, the VMM can use "virtual
            IA32_SPEC_CTRL" to set BHI_DIS_S on newer
            hardware which doesn't enumerate BHI_NO.

Intel defines some virtual MSRs for guests to notify the VMM of software
mitigations in use. Such information allows the VMM to enable hardware
mitigations only when necessary (i.e., VMs care about the vulnerability
and are using software mitigation) to minimize the performance impact
on other VMs. Support for the virtual MSRs is also added in this series.

### Organization of this series

This series is developed based on v6.1-rc7 (commit ef4d3ea40565a781c25847e9cb96c1bd9f462bc6)

1. Patch 1 introduces the Intel SPEC_CTRL BHI related definitions.
2. Patches 2/3 advertise {RRSBA/BHI}_CTRL for retpoline/BHB-clearing
   sequence mitigations for KVM.
3. Patch 4 introduces Intel virtual IA32_SPEC_CTRL.
4. Patches 5-7 virtualize a set of virtual MSRs for guests to communicate
   software mitigations in use.
5. Patches 8-9 enable the "virtual IA32_SPEC_CTRL" VMX feature with virtual
   MSR support in KVM.

### Documentation

Refer to below link for more information:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html



Pawan Gupta (1):
  x86/bugs: Use Virtual MSRs to request hardware mitigations

Zhang Chen (8):
  x86/speculation: Introduce Intel SPEC_CTRL BHI related definition
  KVM: x86: Add a kvm-only leaf for RRSBA_CTRL
  KVM: x86: Add a kvm-only leaf for BHI_CTRL
  x86/kvm/vmx: Virtualize Intel IA32_SPEC_CTRL
  kvm/x86: Add ARCH_CAP_VIRTUAL_ENUM for guest
    MSR_IA32_ARCH_CAPABILITIES
  kvm/x86: Add MSR_VIRTUAL_MITIGATION_ENUM/CTRL emulation
  x86/kvm/vmx: Initialize SPEC_CTRL MASK for RRSBA
  x86/kvm/vmx: Initialize SPEC_CTRL MASK for BHI

 arch/x86/include/asm/msr-index.h       |  29 +++++++
 arch/x86/include/asm/vmx.h             |   5 ++
 arch/x86/include/asm/vmxfeatures.h     |   2 +
 arch/x86/kernel/cpu/bugs.c             |  24 ++++++
 arch/x86/kvm/cpuid.c                   |   4 +
 arch/x86/kvm/reverse_cpuid.h           |   9 ++
 arch/x86/kvm/vmx/capabilities.h        |   5 ++
 arch/x86/kvm/vmx/vmx.c                 | 109 ++++++++++++++++++++++++-
 arch/x86/kvm/vmx/vmx.h                 |  27 +++++-
 arch/x86/kvm/x86.c                     |  23 +++++-
 tools/arch/x86/include/asm/msr-index.h |   6 ++
 11 files changed, 238 insertions(+), 5 deletions(-)

-- 
2.25.1
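The two scenarios in the cover letter both rest on one property: a guest that is given pass-through access to IA32_SPEC_CTRL must not be able to clear a mitigation bit the VMM has decided to enforce, and should not even observe that the bit is set. The following is an added, self-contained C model of that behaviour written for this page; it is not code from this patch series, from KVM, or from Intel. The mask/shadow semantics it assumes are a simplification chosen for illustration (guest WRMSR can only change unmasked bits, guest RDMSR returns what the guest last wrote); the real VMCS fields, exit behaviour and interactions with IBRS/STIBP on the host side are not modelled. The bit positions for RRSBA_DIS_S (bit 6) and BHI_DIS_S (bit 10) match the kernel's msr-index.h definitions; the function and type names are this example's own.

```c
/*
 * Illustrative model (not KVM code) of "virtual IA32_SPEC_CTRL":
 * a VMM fixes some bits of the MSR while the rest stay pass-through.
 *
 * Assumed, simplified semantics:
 *   - mask   : bits owned by the VMM; guest writes to them are ignored
 *   - hw     : value actually loaded into the physical MSR
 *   - shadow : value returned to the guest on RDMSR (what it last wrote)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_SPEC_CTRL bit positions, as in arch/x86/include/asm/msr-index.h */
#define SPEC_CTRL_IBRS        (1ULL << 0)
#define SPEC_CTRL_STIBP       (1ULL << 1)
#define SPEC_CTRL_SSBD        (1ULL << 2)
#define SPEC_CTRL_RRSBA_DIS_S (1ULL << 6)
#define SPEC_CTRL_BHI_DIS_S   (1ULL << 10)

struct vspec_ctrl {
    uint64_t hw;
    uint64_t shadow;
    uint64_t mask;
};

/* VMM side: enforce the given bits for this guest from the start. */
static void vspec_ctrl_init(struct vspec_ctrl *v, uint64_t enforced)
{
    v->mask = enforced;
    v->hw = enforced;
    v->shadow = 0;
}

/* Guest WRMSR: only unmasked bits reach hardware; masked bits keep hw value. */
static void guest_wrmsr_spec_ctrl(struct vspec_ctrl *v, uint64_t val)
{
    v->shadow = val;
    v->hw = (val & ~v->mask) | (v->hw & v->mask);
}

/* Guest RDMSR: the guest sees its own last write, not the enforced bits. */
static uint64_t guest_rdmsr_spec_ctrl(const struct vspec_ctrl *v)
{
    return v->shadow;
}

/* Apply a sequence of guest writes under a VMM policy; return the state. */
static struct vspec_ctrl run_guest(uint64_t enforced,
                                   const uint64_t *writes, size_t n)
{
    struct vspec_ctrl v;
    vspec_ctrl_init(&v, enforced);
    for (size_t i = 0; i < n; i++)
        guest_wrmsr_spec_ctrl(&v, writes[i]);
    return v;
}

/* Convenience accessors so the final state can be checked as scalars. */
uint64_t final_hw(uint64_t enforced, const uint64_t *writes, size_t n)
{
    return run_guest(enforced, writes, n).hw;
}

uint64_t final_shadow(uint64_t enforced, const uint64_t *writes, size_t n)
{
    struct vspec_ctrl v = run_guest(enforced, writes, n);
    return guest_rdmsr_spec_ctrl(&v);
}

int main(void)
{
    /* Constructed guest behaviour: enable IBRS, then clear the whole MSR
     * (the "accidental disable" the cover letter guards against). */
    const uint64_t writes[] = { SPEC_CTRL_IBRS, 0 };
    const size_t n = sizeof(writes) / sizeof(writes[0]);

    /* Scenario 1: retpoline guest on an RRSBA part -> enforce RRSBA_DIS_S. */
    printf("RRSBA case : hw=0x%llx guest-visible=0x%llx\n",
           (unsigned long long)final_hw(SPEC_CTRL_RRSBA_DIS_S, writes, n),
           (unsigned long long)final_shadow(SPEC_CTRL_RRSBA_DIS_S, writes, n));

    /* Scenario 2: BHB-clearing guest on a part without BHI_NO -> BHI_DIS_S. */
    printf("BHI case   : hw=0x%llx guest-visible=0x%llx\n",
           (unsigned long long)final_hw(SPEC_CTRL_BHI_DIS_S, writes, n),
           (unsigned long long)final_shadow(SPEC_CTRL_BHI_DIS_S, writes, n));
    return 0;
}
```

In both cases the physical MSR keeps the enforced bit after the guest writes zero, while the guest reads back zero, which is the "transparent" property the series aims for without taking a VM exit on each access. A bit the VMM does not place in the mask, such as IBRS here, remains fully under guest control.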
