| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251119-vmscape-bhb-v4-4-1adad4e69ddc@linux.intel.com> Date: Wed, 19 Nov 2025 22:18:34 -0800 From: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com> To: x86@...nel.org, David Kaplan <david.kaplan@....com>, Nikolay Borisov <nik.borisov@...e.com>, "H. Peter Anvin" <hpa@...or.com>, Josh Poimboeuf <jpoimboe@...nel.org>, Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com> Cc: linux-kernel@...r.kernel.org, kvm@...r.kernel.org, Asit Mallick <asit.k.mallick@...el.com>, Tao Zhang <tao1.zhang@...el.com> Subject: [PATCH v4 04/11] x86/bhi: Make clear_bhb_loop() effective on newer CPUs As a mitigation for BHI, clear_bhb_loop() executes branches that overwrites the Branch History Buffer (BHB). On Alder Lake and newer parts this sequence is not sufficient because it doesn't clear enough entries. This was not an issue because these CPUs have a hardware control (BHI_DIS_S) that mitigates BHI in kernel. BHI variant of VMSCAPE requires isolating branch history between guests and userspace. Note that there is no equivalent hardware control for userspace. To effectively isolate branch history on newer CPUs, clear_bhb_loop() should execute sufficient number of branches to clear a larger BHB. Dynamically set the loop count of clear_bhb_loop() such that it is effective on newer CPUs too. Use the hardware control enumeration X86_FEATURE_BHI_CTRL to select the appropriate loop count. Suggested-by: Dave Hansen <dave.hansen@...ux.intel.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com> --- arch/x86/entry/entry_64.S | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index a2891af416c874349c065160708752c41bc6ba36..6cddd7d6dc927704357d97346fcbb34559608888 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -1563,17 +1563,20 @@ SYM_CODE_END(rewind_stack_and_make_dead) .endm /* - * This should be used on parts prior to Alder Lake. Newer parts should use the - * BHI_DIS_S hardware control instead. If a pre-Alder Lake part is being - * virtualized on newer hardware the VMM should protect against BHI attacks by - * setting BHI_DIS_S for the guests. + * For protecting the kernel against BHI, this should be used on parts prior to + * Alder Lake. Although the sequence works on newer parts, BHI_DIS_S hardware + * control has lower overhead, and should be used instead. If a pre-Alder Lake + * part is being virtualized on newer hardware the VMM should protect against + * BHI attacks by setting BHI_DIS_S for the guests. */ SYM_FUNC_START(clear_bhb_loop) ANNOTATE_NOENDBR push %rbp mov %rsp, %rbp - CLEAR_BHB_LOOP_SEQ 5, 5 + /* loop count differs based on CPU-gen, see Intel's BHI guidance */ + ALTERNATIVE __stringify(CLEAR_BHB_LOOP_SEQ 5, 5), \ + __stringify(CLEAR_BHB_LOOP_SEQ 12, 7), X86_FEATURE_BHI_CTRL pop %rbp RET -- 2.34.1
Powered by blists - more mailing lists