[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240407230443.912306-1-chang.seok.bae@intel.com>
Date: Sun, 7 Apr 2024 16:04:43 -0700
From: "Chang S. Bae" <chang.seok.bae@...el.com>
To: linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org
Cc: ebiggers@...nel.org,
luto@...nel.org,
dave.hansen@...ux.intel.com,
tglx@...utronix.de,
bp@...en8.de,
mingo@...nel.org,
x86@...nel.org,
herbert@...dor.apana.org.au,
ardb@...nel.org,
elliott@....com,
dan.j.williams@...el.com,
bernie.keany@...el.com,
charishma1.gairuboyina@...el.com,
chang.seok.bae@...el.com,
Dave Hansen <dave.hansen@...el.com>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
Subject: [PATCH v9a 11/14] x86/cpu/keylocker: Check Register File Data Sampling mitigation
The Register File Data Sampling vulnerability may allow malicious
userspace programs to infer stale kernel register data, potentially
exposing sensitive key values, including AES keys.
To address this vulnerability, a microcode update needs to be applied to
the CPU, which modifies the VERW instruction to flush the affected CPU
buffers.
Reference the 'rfds_mitigation' variable to check the mitigation status.
Do not enable Key Locker on CPUs affected by the vulnerability but
lacking mitigation.
Signed-off-by: Chang S. Bae <chang.seok.bae@...el.com>
Cc: Dave Hansen <dave.hansen@...el.com>
Cc: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
---
Changes from v9:
* Remove the helper function and simplify the code by directly reading
the status variable. (Pawan Gupta)
Note that this code change aligns with mitigation guidance, which
recommends:
"Software loading Key Locker keys using LOADIWKEY should execute a VERW
to clear registers before transitioning to untrusted code to prevent
later software from inferring the loaded key."
For more information, refer to Intel's guidance on Register File Data
Sampling:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
---
arch/x86/include/asm/processor.h | 8 ++++++++
arch/x86/kernel/cpu/bugs.c | 8 +-------
arch/x86/kernel/keylocker.c | 3 +++
3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 74eaa3a2b85b..b823163f4786 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -728,6 +728,14 @@ enum mitigation_info {
extern bool gds_ucode_mitigated(enum mitigation_info mitg);
+enum rfds_mitigations {
+ RFDS_MITIGATION_OFF,
+ RFDS_MITIGATION_VERW,
+ RFDS_MITIGATION_UCODE_NEEDED,
+};
+
+extern enum rfds_mitigations rfds_mitigation;
+
/*
* Make previous memory operations globally visible before
* a WRMSR.
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 80f6e70619cb..a2ba1a0ef872 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -483,14 +483,8 @@ early_param("mmio_stale_data", mmio_stale_data_parse_cmdline);
#undef pr_fmt
#define pr_fmt(fmt) "Register File Data Sampling: " fmt
-enum rfds_mitigations {
- RFDS_MITIGATION_OFF,
- RFDS_MITIGATION_VERW,
- RFDS_MITIGATION_UCODE_NEEDED,
-};
-
/* Default mitigation for Register File Data Sampling */
-static enum rfds_mitigations rfds_mitigation __ro_after_init =
+enum rfds_mitigations rfds_mitigation __ro_after_init =
IS_ENABLED(CONFIG_MITIGATION_RFDS) ? RFDS_MITIGATION_VERW : RFDS_MITIGATION_OFF;
static const char * const rfds_strings[] = {
diff --git a/arch/x86/kernel/keylocker.c b/arch/x86/kernel/keylocker.c
index 23cf4a235f11..09876693414c 100644
--- a/arch/x86/kernel/keylocker.c
+++ b/arch/x86/kernel/keylocker.c
@@ -119,6 +119,9 @@ static bool __init secure_keylocker(void)
if (boot_cpu_has_bug(X86_BUG_GDS) && !gds_ucode_mitigated(MITG_LOCKED))
return false;
+ if (boot_cpu_has_bug(X86_BUG_RFDS) && rfds_mitigation != RFDS_MITIGATION_VERW)
+ return false;
+
return true;
}
--
2.40.1
Powered by blists - more mailing lists