Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4b783176 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 

Pull STIBP fallout fixes from Thomas Gleixner:
 "The performance destruction department finally got it's act together
  and came up with a cure for the STIPB regression:

   - Provide a command line option to control the spectre v2 user space
     mitigations. Default is either seccomp or prctl (if seccomp is
     disabled in Kconfig). prctl allows mitigation opt-in, seccomp
     enables the migitation for sandboxed processes.

   - Rework the code to handle the conditional STIBP/IBPB control and
     remove the now unused ptrace_may_access_sched() optimization
     attempt

   - Disable STIBP automatically when SMT is disabled

   - Optimize the switch_to() logic to avoid MSR writes and invocations
     of __switch_to_xtra().

   - Make the asynchronous speculation TIF updates synchronous to
     prevent stale mitigation state.

  As a general cleanup this also makes retpoline directly depend on
  compiler support and removes the 'minimal retpoline' option which just
  pretended to provide some form of security while providing none"

* 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (31 commits)
  x86/speculation: Provide IBPB always command line options
  x86/speculation: Add seccomp Spectre v2 user space protection mode
  x86/speculation: Enable prctl mode for spectre_v2_user
  x86/speculation: Add prctl() control for indirect branch speculation
  x86/speculation: Prepare arch_smt_update() for PRCTL mode
  x86/speculation: Prevent stale SPEC_CTRL msr content
  x86/speculation: Split out TIF update
  ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS
  x86/speculation: Prepare for conditional IBPB in switch_mm()
  x86/speculation: Avoid __switch_to_xtra() calls
  x86/process: Consolidate and simplify switch_to_xtra() code
  x86/speculation: Prepare for per task indirect branch speculation control
  x86/speculation: Add command line control for indirect branch speculation
  x86/speculation: Unify conditional spectre v2 print functions
  x86/speculataion: Mark command line parser data __initdata
  x86/speculation: Mark string arrays const correctly
  x86/speculation: Reorder the spec_v2 code
  x86/l1tf: Show actual SMT state
  x86/speculation: Rework SMT state change
  sched/smt: Expose sched_smt_present static key
  ...
parents 88058417 55a97402

Documentation/admin-guide/kernel-parameters.txt

+54 −2
Original line number Diff line number Diff line
@@ -4199,9 +4199,13 @@ 


	spectre_v2=	[X86] Control mitigation of Spectre variant 2

			(indirect branch speculation) vulnerability.

			The default operation protects the kernel from

			user space attacks.



			on   - unconditionally enable

			off  - unconditionally disable

			on   - unconditionally enable, implies

			       spectre_v2_user=on

			off  - unconditionally disable, implies

			       spectre_v2_user=off

			auto - kernel detects whether your CPU model is

			       vulnerable
@@ -4211,6 +4215,12 @@ 
			CONFIG_RETPOLINE configuration option, and the

			compiler with which the kernel was built.



			Selecting 'on' will also enable the mitigation

			against user space to user space task attacks.



			Selecting 'off' will disable both the kernel and

			the user space protections.



			Specific mitigations can also be selected manually:



			retpoline	  - replace indirect branches
@@ -4220,6 +4230,48 @@ 
			Not specifying this option is equivalent to

			spectre_v2=auto.



	spectre_v2_user=

			[X86] Control mitigation of Spectre variant 2

		        (indirect branch speculation) vulnerability between

		        user space tasks



			on	- Unconditionally enable mitigations. Is

				  enforced by spectre_v2=on



			off     - Unconditionally disable mitigations. Is

				  enforced by spectre_v2=off



			prctl   - Indirect branch speculation is enabled,

				  but mitigation can be enabled via prctl

				  per thread.  The mitigation control state

				  is inherited on fork.



			prctl,ibpb

				- Like "prctl" above, but only STIBP is

				  controlled per thread. IBPB is issued

				  always when switching between different user

				  space processes.



			seccomp

				- Same as "prctl" above, but all seccomp

				  threads will enable the mitigation unless

				  they explicitly opt out.



			seccomp,ibpb

				- Like "seccomp" above, but only STIBP is

				  controlled per thread. IBPB is issued

				  always when switching between different

				  user space processes.



			auto    - Kernel selects the mitigation depending on

				  the available CPU features and vulnerability.



			Default mitigation:

			If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"



			Not specifying this option is equivalent to

			spectre_v2_user=auto.



	spec_store_bypass_disable=

			[HW] Control Speculative Store Bypass (SSB) Disable mitigation

			(Speculative Store Bypass vulnerability)

Documentation/userspace-api/spec_ctrl.rst

+9 −0
Original line number Diff line number Diff line
@@ -92,3 +92,12 @@ Speculation misfeature controls 
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);



- PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes

                        (Mitigate Spectre V2 style attacks against user processes)



  Invocations:

   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);

arch/x86/Kconfig

+1 −11
Original line number Diff line number Diff line
@@ -444,10 +444,6 @@ config RETPOLINE 
	  branches. Requires a compiler with -mindirect-branch=thunk-extern

	  support for full protection. The kernel may run slower.



	  Without compiler support, at least indirect branches in assembler

	  code are eliminated. Since this includes the syscall entry path,

	  it is not entirely pointless.



config INTEL_RDT

	bool "Intel Resource Director Technology support"

	depends on X86 && CPU_SUP_INTEL
@@ -1004,13 +1000,7 @@ config NR_CPUS 
	  to the kernel image.



config SCHED_SMT

	bool "SMT (Hyperthreading) scheduler support"

	depends on SMP

	---help---

	  SMT scheduler support improves the CPU scheduler's decision making

	  when dealing with Intel Pentium 4 chips with HyperThreading at a

	  cost of slightly increased overhead in some places. If unsure say

	  N here.

	def_bool y if SMP



config SCHED_MC

	def_bool y

arch/x86/Makefile

+3 −2
Original line number Diff line number Diff line
@@ -220,9 +220,10 @@ KBUILD_CFLAGS += -fno-asynchronous-unwind-tables 


# Avoid indirect branches in kernel to deal with Spectre

ifdef CONFIG_RETPOLINE

ifneq ($(RETPOLINE_CFLAGS),)

  KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE

ifeq ($(RETPOLINE_CFLAGS),)

  $(error You are building kernel with non-retpoline compiler, please update your compiler.)

endif

  KBUILD_CFLAGS += $(RETPOLINE_CFLAGS)

endif



archscripts: scripts_basic

arch/x86/include/asm/msr-index.h

+3 −2
Original line number Diff line number Diff line
@@ -41,7 +41,8 @@ 


#define MSR_IA32_SPEC_CTRL		0x00000048 /* Speculation Control */

#define SPEC_CTRL_IBRS			(1 << 0)   /* Indirect Branch Restricted Speculation */

#define SPEC_CTRL_STIBP			(1 << 1)   /* Single Thread Indirect Branch Predictors */

#define SPEC_CTRL_STIBP_SHIFT		1	   /* Single Thread Indirect Branch Predictor (STIBP) bit */

#define SPEC_CTRL_STIBP			(1 << SPEC_CTRL_STIBP_SHIFT)	/* STIBP mask */

#define SPEC_CTRL_SSBD_SHIFT		2	   /* Speculative Store Bypass Disable bit */

#define SPEC_CTRL_SSBD			(1 << SPEC_CTRL_SSBD_SHIFT)	/* Speculative Store Bypass Disable */