| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250925220251.qfn3w6rukhqr4lcs@desk>
Date: Thu, 25 Sep 2025 15:02:51 -0700
From: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
To: "Kaplan, David" <David.Kaplan@....com>
Cc: "x86@...nel.org" <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Sean Christopherson <seanjc@...gle.com>,
Paolo Bonzini <pbonzini@...hat.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
Asit Mallick <asit.k.mallick@...el.com>,
Tao Zhang <tao1.zhang@...el.com>
Subject: Re: [PATCH 2/2] x86/vmscape: Replace IBPB with branch history clear
on exit to userspace
On Thu, Sep 25, 2025 at 06:14:54PM +0000, Kaplan, David wrote:
> [AMD Official Use Only - AMD Internal Distribution Only]
>
> > -----Original Message-----
> > From: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> > Sent: Wednesday, September 24, 2025 10:10 PM
> > To: x86@...nel.org; H. Peter Anvin <hpa@...or.com>; Josh Poimboeuf
> > <jpoimboe@...nel.org>; Kaplan, David <David.Kaplan@....com>; Sean
> > Christopherson <seanjc@...gle.com>; Paolo Bonzini <pbonzini@...hat.com>
> > Cc: linux-kernel@...r.kernel.org; kvm@...r.kernel.org; Asit Mallick
> > <asit.k.mallick@...el.com>; Tao Zhang <tao1.zhang@...el.com>
> > Subject: [PATCH 2/2] x86/vmscape: Replace IBPB with branch history clear on exit
> > to userspace
> >
> > Caution: This message originated from an External Source. Use proper caution
> > when opening attachments, clicking links, or responding.
> >
> >
> > IBPB mitigation for VMSCAPE is an overkill for CPUs that are only affected
> > by the BHI variant of VMSCAPE. On such CPUs, eIBRS already provides
> > indirect branch isolation between guest and host userspace. But, a guest
> > could still poison the branch history.
> >
> > To mitigate that, use the recently added clear_bhb_long_loop() to isolate
> > the branch history between guest and userspace. Add cmdline option
> > 'vmscape=auto' that automatically selects the appropriate mitigation based
> > on the CPU.
> >
> > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> > ---
> > Documentation/admin-guide/hw-vuln/vmscape.rst | 8 +++++
> > Documentation/admin-guide/kernel-parameters.txt | 4 ++-
> > arch/x86/include/asm/cpufeatures.h | 1 +
> > arch/x86/include/asm/entry-common.h | 12 ++++---
> > arch/x86/include/asm/nospec-branch.h | 2 +-
> > arch/x86/kernel/cpu/bugs.c | 44 ++++++++++++++++++-------
> > arch/x86/kvm/x86.c | 5 +--
> > 7 files changed, 55 insertions(+), 21 deletions(-)
> >
> > diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst
> > b/Documentation/admin-guide/hw-vuln/vmscape.rst
> > index
> > d9b9a2b6c114c05a7325e5f3c9d42129339b870b..13ca98f952f97daeb28194c3873e
> > 945b85eda6a1 100644
> > --- a/Documentation/admin-guide/hw-vuln/vmscape.rst
> > +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst
> > @@ -86,6 +86,10 @@ The possible values in this file are:
> > run a potentially malicious guest and issues an IBPB before the first
> > exit to userspace after VM-exit.
> >
> > + * 'Mitigation: Clear BHB before exit to userspace':
> > +
> > + As above conditional BHB clearing mitigation is enabled.
> > +
> > * 'Mitigation: IBPB on VMEXIT':
> >
> > IBPB is issued on every VM-exit. This occurs when other mitigations like
> > @@ -108,3 +112,7 @@ The mitigation can be controlled via the ``vmscape=``
> > command line parameter:
> >
> > Force vulnerability detection and mitigation even on processors that are
> > not known to be affected.
> > +
> > + * ``vmscape=auto``:
> > +
> > + Choose the mitigation based on the VMSCAPE variant the CPU is affected by.
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt
> > b/Documentation/admin-guide/kernel-parameters.txt
> > index
> > 5a7a83c411e9c526f8df6d28beb4c784aec3cac9..4596bfcb401f1a89d2dc5ed8c44c8
> > 3628c9c5dfe 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -8048,9 +8048,11 @@
> >
> > off - disable the mitigation
> > ibpb - use Indirect Branch Prediction Barrier
> > - (IBPB) mitigation (default)
> > + (IBPB) mitigation
> > force - force vulnerability detection even on
> > unaffected processors
> > + auto - (default) automatically select IBPB
> > + or BHB clear mitigation based on CPU
>
> Many of the other bugs (like srso, l1tf, bhi, etc.) do not have explicit
> 'auto' options as 'auto' is implied by the lack of an explicit option.
> Is there really value in creating an explicit 'auto' option here?
Hmm, so to get the BHB clear mitigation do we advise the users to remove
the vmscape= parameter? That feels a bit weird to me. Also, with
CONFIG_MITIGATION_VMSCAPE=n a user can get IBPB mitigation with
vmscape=ibpb, but there is not way to get the BHB clear mitigation.
> > u64 x86_pred_cmd __ro_after_init = PRED_CMD_IBPB;
> >
> > @@ -3270,13 +3269,15 @@ enum vmscape_mitigations {
> > VMSCAPE_MITIGATION_AUTO,
> > VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER,
> > VMSCAPE_MITIGATION_IBPB_ON_VMEXIT,
> > + VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER,
> > };
> >
> > static const char * const vmscape_strings[] = {
> > - [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
> > + [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
> > /* [VMSCAPE_MITIGATION_AUTO] */
> > - [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB
> > before exit to userspace",
> > - [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on
> > VMEXIT",
> > + [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB
> > before exit to userspace",
> > + [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on
> > VMEXIT",
> > + [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] = "Mitigation:
> > Clear BHB before exit to userspace",
> > };
> >
> > static enum vmscape_mitigations vmscape_mitigation __ro_after_init =
> > @@ -3294,6 +3295,8 @@ static int __init vmscape_parse_cmdline(char *str)
> > } else if (!strcmp(str, "force")) {
> > setup_force_cpu_bug(X86_BUG_VMSCAPE);
> > vmscape_mitigation = VMSCAPE_MITIGATION_AUTO;
> > + } else if (!strcmp(str, "auto")) {
> > + vmscape_mitigation = VMSCAPE_MITIGATION_AUTO;
> > } else {
> > pr_err("Ignoring unknown vmscape=%s option.\n", str);
> > }
> > @@ -3304,14 +3307,28 @@ early_param("vmscape", vmscape_parse_cmdline);
> >
> > static void __init vmscape_select_mitigation(void)
> > {
> > - if (cpu_mitigations_off() ||
> > - !boot_cpu_has_bug(X86_BUG_VMSCAPE) ||
> > - !boot_cpu_has(X86_FEATURE_IBPB)) {
> > + if (cpu_mitigations_off() || !boot_cpu_has_bug(X86_BUG_VMSCAPE)) {
> > vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
> > return;
> > }
>
> It looks like this patch is based on a tree without vmscape attack vector
> support, I think you may want to rebase on top of that since it reworked
> some of this function.
Yes, it is based on upstream. I will rebase it once we are close to a final
version. I tend to base my patches on upstream to avoid any issues when tip
branches get rebased.
> > - if (vmscape_mitigation == VMSCAPE_MITIGATION_AUTO)
> > + if (vmscape_mitigation == VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER
> > &&
> > + !boot_cpu_has(X86_FEATURE_IBPB)) {
> > + pr_err("IBPB not supported, switching to AUTO select\n");
> > + vmscape_mitigation = VMSCAPE_MITIGATION_AUTO;
> > + }
>
> I think there's a bug here in case you (theoretically) had a vulnerable
> CPU that did not have IBPB and did not have BHI_CTRL. In that case, we
> should select VMSCAPE_MITIGATION_NONE as we have no mitigation available.
> But the code below will still re-select IBPB I believe even though there
> is no IBPB.
Yes, you are right. Let me see how to fix that.
Powered by blists - more mailing lists