Message-ID:
<LV3PR12MB9265478E85AA940EF6EA4D7D941FA@LV3PR12MB9265.namprd12.prod.outlook.com>
Date: Thu, 25 Sep 2025 18:14:54 +0000
From: "Kaplan, David" <David.Kaplan@....com>
To: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, "x86@...nel.org"
<x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Josh Poimboeuf
<jpoimboe@...nel.org>, Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini
<pbonzini@...hat.com>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>, Asit Mallick
<asit.k.mallick@...el.com>, Tao Zhang <tao1.zhang@...el.com>
Subject: RE: [PATCH 2/2] x86/vmscape: Replace IBPB with branch history clear
on exit to userspace
> -----Original Message-----
> From: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> Sent: Wednesday, September 24, 2025 10:10 PM
> To: x86@...nel.org; H. Peter Anvin <hpa@...or.com>; Josh Poimboeuf
> <jpoimboe@...nel.org>; Kaplan, David <David.Kaplan@....com>; Sean
> Christopherson <seanjc@...gle.com>; Paolo Bonzini <pbonzini@...hat.com>
> Cc: linux-kernel@...r.kernel.org; kvm@...r.kernel.org; Asit Mallick
> <asit.k.mallick@...el.com>; Tao Zhang <tao1.zhang@...el.com>
> Subject: [PATCH 2/2] x86/vmscape: Replace IBPB with branch history clear on exit
> to userspace
>
> IBPB mitigation for VMSCAPE is overkill for CPUs that are only affected
> by the BHI variant of VMSCAPE. On such CPUs, eIBRS already provides
> indirect branch isolation between guest and host userspace. But a guest
> could still poison the branch history.
>
> To mitigate that, use the recently added clear_bhb_long_loop() to isolate
> the branch history between guest and userspace. Add cmdline option
> 'vmscape=auto' that automatically selects the appropriate mitigation based
> on the CPU.
>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> ---
> Documentation/admin-guide/hw-vuln/vmscape.rst | 8 +++++
> Documentation/admin-guide/kernel-parameters.txt | 4 ++-
> arch/x86/include/asm/cpufeatures.h | 1 +
> arch/x86/include/asm/entry-common.h | 12 ++++---
> arch/x86/include/asm/nospec-branch.h | 2 +-
> arch/x86/kernel/cpu/bugs.c | 44 ++++++++++++++++++-------
> arch/x86/kvm/x86.c | 5 +--
> 7 files changed, 55 insertions(+), 21 deletions(-)
>
> diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst
> b/Documentation/admin-guide/hw-vuln/vmscape.rst
> index
> d9b9a2b6c114c05a7325e5f3c9d42129339b870b..13ca98f952f97daeb28194c3873e
> 945b85eda6a1 100644
> --- a/Documentation/admin-guide/hw-vuln/vmscape.rst
> +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst
> @@ -86,6 +86,10 @@ The possible values in this file are:
> run a potentially malicious guest and issues an IBPB before the first
> exit to userspace after VM-exit.
>
> + * 'Mitigation: Clear BHB before exit to userspace':
> +
> + As above conditional BHB clearing mitigation is enabled.
> +
> * 'Mitigation: IBPB on VMEXIT':
>
> IBPB is issued on every VM-exit. This occurs when other mitigations like
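Review bot: the description of the new 'Mitigation: Clear BHB before exit to userspace' entry is too thin and needs a comma after "As above"; it should say what differs from the IBPB entry and on which CPUs it is chosen, e.g. "As above, but the branch history is cleared with the BHB clearing sequence instead of issuing an IBPB. Selected on CPUs with BHI_CTRL, which are only affected by the BHI variant of VMSCAPE."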
> @@ -108,3 +112,7 @@ The mitigation can be controlled via the ``vmscape=``
> command line parameter:
>
> Force vulnerability detection and mitigation even on processors that are
> not known to be affected.
> +
> + * ``vmscape=auto``:
> +
> + Choose the mitigation based on the VMSCAPE variant the CPU is affected by.
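Review bot: the ``vmscape=auto`` entry should state that it is now the default (the kernel-parameters.txt hunk in this patch moves "(default)" from ibpb to auto) and name what it picks, e.g. "Choose the mitigation based on the VMSCAPE variant the CPU is affected by: BHB clearing on CPUs with BHI_CTRL, IBPB otherwise. This is the default."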
> diff --git a/Documentation/admin-guide/kernel-parameters.txt
> b/Documentation/admin-guide/kernel-parameters.txt
> index
> 5a7a83c411e9c526f8df6d28beb4c784aec3cac9..4596bfcb401f1a89d2dc5ed8c44c8
> 3628c9c5dfe 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -8048,9 +8048,11 @@
>
> off - disable the mitigation
> ibpb - use Indirect Branch Prediction Barrier
> - (IBPB) mitigation (default)
> + (IBPB) mitigation
> force - force vulnerability detection even on
> unaffected processors
> + auto - (default) automatically select IBPB
> + or BHB clear mitigation based on CPU
Many of the other bugs (like srso, l1tf, bhi, etc.) do not have explicit 'auto' options as 'auto' is implied by the lack of an explicit option. Is there really value in creating an explicit 'auto' option here?
>
> u64 x86_pred_cmd __ro_after_init = PRED_CMD_IBPB;
>
> @@ -3270,13 +3269,15 @@ enum vmscape_mitigations {
> VMSCAPE_MITIGATION_AUTO,
> VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER,
> VMSCAPE_MITIGATION_IBPB_ON_VMEXIT,
> + VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER,
> };
>
> static const char * const vmscape_strings[] = {
> - [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
> + [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
> /* [VMSCAPE_MITIGATION_AUTO] */
> - [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB
> before exit to userspace",
> - [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on
> VMEXIT",
> + [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB
> before exit to userspace",
> + [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on
> VMEXIT",
> + [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] = "Mitigation:
> Clear BHB before exit to userspace",
> };
>
> static enum vmscape_mitigations vmscape_mitigation __ro_after_init =
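Review bot: the vmscape_strings hunk removes and re-adds the three existing entries with no change other than column alignment, which buries the one functional addition (VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER) and makes the change noisier to backport; either keep the existing alignment or call out the re-alignment in the commit message.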
> @@ -3294,6 +3295,8 @@ static int __init vmscape_parse_cmdline(char *str)
> } else if (!strcmp(str, "force")) {
> setup_force_cpu_bug(X86_BUG_VMSCAPE);
> vmscape_mitigation = VMSCAPE_MITIGATION_AUTO;
> + } else if (!strcmp(str, "auto")) {
> + vmscape_mitigation = VMSCAPE_MITIGATION_AUTO;
> } else {
> pr_err("Ignoring unknown vmscape=%s option.\n", str);
> }
> @@ -3304,14 +3307,28 @@ early_param("vmscape", vmscape_parse_cmdline);
>
> static void __init vmscape_select_mitigation(void)
> {
> - if (cpu_mitigations_off() ||
> - !boot_cpu_has_bug(X86_BUG_VMSCAPE) ||
> - !boot_cpu_has(X86_FEATURE_IBPB)) {
> + if (cpu_mitigations_off() || !boot_cpu_has_bug(X86_BUG_VMSCAPE)) {
> vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
> return;
> }
It looks like this patch is based on a tree without vmscape attack vector support, I think you may want to rebase on top of that since it reworked some of this function.
>
> - if (vmscape_mitigation == VMSCAPE_MITIGATION_AUTO)
> + if (vmscape_mitigation == VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER
> &&
> + !boot_cpu_has(X86_FEATURE_IBPB)) {
> + pr_err("IBPB not supported, switching to AUTO select\n");
> + vmscape_mitigation = VMSCAPE_MITIGATION_AUTO;
> + }
I think there's a bug here in case you (theoretically) had a vulnerable CPU that did not have IBPB and did not have BHI_CTRL. In that case, we should select VMSCAPE_MITIGATION_NONE as we have no mitigation available. But the code below will still re-select IBPB I believe even though there is no IBPB.
> +
> + if (vmscape_mitigation != VMSCAPE_MITIGATION_AUTO)
> + return;
> +
> + /*
> + * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use BHB
> + * clear sequence. These CPUs are only vulnerable to the BHI variant
> + * of the VMSCAPE attack.
> + */
> + if (boot_cpu_has(X86_FEATURE_BHI_CTRL))
> + vmscape_mitigation =
> VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER;
> + else
> vmscape_mitigation = VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER;
> }
>
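Review bot: the final else in this hunk assigns VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER without checking X86_FEATURE_IBPB, so a vulnerable CPU with neither BHI_CTRL nor IBPB ends up with an IBPB mitigation it cannot execute; make it `else if (boot_cpu_has(X86_FEATURE_IBPB))` and add a trailing `else` that sets VMSCAPE_MITIGATION_NONE and prints that no mitigation is available. The pr_err() for the explicit ibpb downgrade would also read better as pr_warn(), and the comment wants a space in "BHI_CTRL (ADL and newer)".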
> @@ -3331,6 +3348,8 @@ static void __init vmscape_apply_mitigation(void)
> {
> if (vmscape_mitigation == VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER)
> setup_force_cpu_cap(X86_FEATURE_IBPB_EXIT_TO_USER);
> + else if (vmscape_mitigation ==
> VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER)
> +
> setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_EXIT_TO_USER);
> }
>
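Review bot: the empty `+` line between the `else if (vmscape_mitigation == VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER)` condition and its `setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_EXIT_TO_USER);` body should be dropped if it is really in the patch rather than a mail-wrap artifact; also, the X86_FEATURE_CLEAR_BHB_EXIT_TO_USER definition (cpufeatures.h in the diffstat) and its consumer in entry-common.h are not quoted here, so it is worth confirming in the reply that the new feature bit is what the exit-to-user path tests.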
--David Kaplan