Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3b78ce4a authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'speck-v20' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 

Merge speculative store buffer bypass fixes from Thomas Gleixner:

 - rework of the SPEC_CTRL MSR management to accomodate the new fancy
   SSBD (Speculative Store Bypass Disable) bit handling.

 - the CPU bug and sysfs infrastructure for the exciting new Speculative
   Store Bypass 'feature'.

 - support for disabling SSB via LS_CFG MSR on AMD CPUs including
   Hyperthread synchronization on ZEN.

 - PRCTL support for dynamic runtime control of SSB

 - SECCOMP integration to automatically disable SSB for sandboxed
   processes with a filter flag for opt-out.

 - KVM integration to allow guests fiddling with SSBD including the new
   software MSR VIRT_SPEC_CTRL to handle the LS_CFG based oddities on
   AMD.

 - BPF protection against SSB

.. this is just the core and x86 side, other architecture support will
come separately.

* 'speck-v20' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (49 commits)
  bpf: Prevent memory disambiguation attack
  x86/bugs: Rename SSBD_NO to SSB_NO
  KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
  x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
  x86/bugs: Rework spec_ctrl base and mask logic
  x86/bugs: Remove x86_spec_ctrl_set()
  x86/bugs: Expose x86_spec_ctrl_base directly
  x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
  x86/speculation: Rework speculative_store_bypass_update()
  x86/speculation: Add virtualized speculative store bypass disable support
  x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
  x86/speculation: Handle HT correctly on AMD
  x86/cpufeatures: Add FEATURE_ZEN
  x86/cpufeatures: Disentangle SSBD enumeration
  x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
  x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
  KVM: SVM: Move spec control call after restore of GS
  x86/cpu: Make alternative_msr_write work for 32-bit code
  x86/bugs: Fix the parameters alignment and missing void
  x86/bugs: Make cpu_show_common() static
  ...
parents 6741c4bb af86ca4e

Documentation/ABI/testing/sysfs-devices-system-cpu

+1 −0
Original line number Diff line number Diff line
@@ -478,6 +478,7 @@ What: /sys/devices/system/cpu/vulnerabilities 
		/sys/devices/system/cpu/vulnerabilities/meltdown

		/sys/devices/system/cpu/vulnerabilities/spectre_v1

		/sys/devices/system/cpu/vulnerabilities/spectre_v2

		/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

Date:		January 2018

Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>

Description:	Information about CPU vulnerabilities

Documentation/admin-guide/kernel-parameters.txt

+45 −0
Original line number Diff line number Diff line
@@ -2680,6 +2680,9 @@ 
			allow data leaks with this option, which is equivalent

			to spectre_v2=off.



	nospec_store_bypass_disable

			[HW] Disable all mitigations for the Speculative Store Bypass vulnerability



	noxsave		[BUGS=X86] Disables x86 extended register state save

			and restore using xsave. The kernel will fallback to

			enabling legacy floating-point and sse state.
@@ -4025,6 +4028,48 @@ 
			Not specifying this option is equivalent to

			spectre_v2=auto.



	spec_store_bypass_disable=

			[HW] Control Speculative Store Bypass (SSB) Disable mitigation

			(Speculative Store Bypass vulnerability)



			Certain CPUs are vulnerable to an exploit against a

			a common industry wide performance optimization known

			as "Speculative Store Bypass" in which recent stores

			to the same memory location may not be observed by

			later loads during speculative execution. The idea

			is that such stores are unlikely and that they can

			be detected prior to instruction retirement at the

			end of a particular speculation execution window.



			In vulnerable processors, the speculatively forwarded

			store can be used in a cache side channel attack, for

			example to read memory to which the attacker does not

			directly have access (e.g. inside sandboxed code).



			This parameter controls whether the Speculative Store

			Bypass optimization is used.



			on      - Unconditionally disable Speculative Store Bypass

			off     - Unconditionally enable Speculative Store Bypass

			auto    - Kernel detects whether the CPU model contains an

				  implementation of Speculative Store Bypass and

				  picks the most appropriate mitigation. If the

				  CPU is not vulnerable, "off" is selected. If the

				  CPU is vulnerable the default mitigation is

				  architecture and Kconfig dependent. See below.

			prctl   - Control Speculative Store Bypass per thread

				  via prctl. Speculative Store Bypass is enabled

				  for a process by default. The state of the control

				  is inherited on fork.

			seccomp - Same as "prctl" above, but all seccomp threads

				  will disable SSB unless they explicitly opt out.



			Not specifying this option is equivalent to

			spec_store_bypass_disable=auto.



			Default mitigations:

			X86:	If CONFIG_SECCOMP=y "seccomp", otherwise "prctl"



	spia_io_base=	[HW,MTD]

	spia_fio_base=

	spia_pedr=

Documentation/userspace-api/index.rst

+1 −0
Original line number Diff line number Diff line
@@ -19,6 +19,7 @@ place where this information is gathered. 
   no_new_privs

   seccomp_filter

   unshare

   spec_ctrl



.. only::  subproject and html

Documentation/userspace-api/spec_ctrl.rst

0 → 100644
+94 −0
Original line number Diff line number Diff line 
===================

Speculation Control

===================



Quite some CPUs have speculation-related misfeatures which are in

fact vulnerabilities causing data leaks in various forms even across

privilege domains.



The kernel provides mitigation for such vulnerabilities in various

forms. Some of these mitigations are compile-time configurable and some

can be supplied on the kernel command line.



There is also a class of mitigations which are very expensive, but they can

be restricted to a certain set of processes or tasks in controlled

environments. The mechanism to control these mitigations is via

:manpage:`prctl(2)`.



There are two prctl options which are related to this:



 * PR_GET_SPECULATION_CTRL



 * PR_SET_SPECULATION_CTRL



PR_GET_SPECULATION_CTRL

-----------------------



PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature

which is selected with arg2 of prctl(2). The return value uses bits 0-3 with

the following meaning:



==== ===================== ===================================================

Bit  Define                Description

==== ===================== ===================================================

0    PR_SPEC_PRCTL         Mitigation can be controlled per task by

                           PR_SET_SPECULATION_CTRL.

1    PR_SPEC_ENABLE        The speculation feature is enabled, mitigation is

                           disabled.

2    PR_SPEC_DISABLE       The speculation feature is disabled, mitigation is

                           enabled.

3    PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A

                           subsequent prctl(..., PR_SPEC_ENABLE) will fail.

==== ===================== ===================================================



If all bits are 0 the CPU is not affected by the speculation misfeature.



If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is

available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation

misfeature will fail.



PR_SET_SPECULATION_CTRL

-----------------------



PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which

is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand

in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or

PR_SPEC_FORCE_DISABLE.



Common error codes

------------------

======= =================================================================

Value   Meaning

======= =================================================================

EINVAL  The prctl is not implemented by the architecture or unused

        prctl(2) arguments are not 0.



ENODEV  arg2 is selecting a not supported speculation misfeature.

======= =================================================================



PR_SET_SPECULATION_CTRL error codes

-----------------------------------

======= =================================================================

Value   Meaning

======= =================================================================

0       Success



ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor

        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.



ENXIO   Control of the selected speculation misfeature is not possible.

        See PR_GET_SPECULATION_CTRL.



EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller

        tried to enable it again.

======= =================================================================



Speculation misfeature controls

-------------------------------

- PR_SPEC_STORE_BYPASS: Speculative Store Bypass



  Invocations:

   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);

   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);

arch/x86/include/asm/cpufeatures.h

+14 −6
Original line number Diff line number Diff line
@@ -198,7 +198,6 @@ 
#define X86_FEATURE_CAT_L2		( 7*32+ 5) /* Cache Allocation Technology L2 */

#define X86_FEATURE_CDP_L3		( 7*32+ 6) /* Code and Data Prioritization L3 */

#define X86_FEATURE_INVPCID_SINGLE	( 7*32+ 7) /* Effectively INVPCID && CR4.PCIDE=1 */



#define X86_FEATURE_HW_PSTATE		( 7*32+ 8) /* AMD HW-PState */

#define X86_FEATURE_PROC_FEEDBACK	( 7*32+ 9) /* AMD ProcFeedbackInterface */

#define X86_FEATURE_SME			( 7*32+10) /* AMD Secure Memory Encryption */
@@ -207,13 +206,19 @@ 
#define X86_FEATURE_RETPOLINE_AMD	( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */

#define X86_FEATURE_INTEL_PPIN		( 7*32+14) /* Intel Processor Inventory Number */

#define X86_FEATURE_CDP_L2		( 7*32+15) /* Code and Data Prioritization L2 */



#define X86_FEATURE_MSR_SPEC_CTRL	( 7*32+16) /* "" MSR SPEC_CTRL is implemented */

#define X86_FEATURE_SSBD		( 7*32+17) /* Speculative Store Bypass Disable */

#define X86_FEATURE_MBA			( 7*32+18) /* Memory Bandwidth Allocation */

#define X86_FEATURE_RSB_CTXSW		( 7*32+19) /* "" Fill RSB on context switches */

#define X86_FEATURE_SEV			( 7*32+20) /* AMD Secure Encrypted Virtualization */



#define X86_FEATURE_USE_IBPB		( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */

#define X86_FEATURE_USE_IBRS_FW		( 7*32+22) /* "" Use IBRS during runtime firmware calls */

#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE	( 7*32+23) /* "" Disable Speculative Store Bypass. */

#define X86_FEATURE_LS_CFG_SSBD		( 7*32+24)  /* "" AMD SSBD implementation via LS_CFG MSR */

#define X86_FEATURE_IBRS		( 7*32+25) /* Indirect Branch Restricted Speculation */

#define X86_FEATURE_IBPB		( 7*32+26) /* Indirect Branch Prediction Barrier */

#define X86_FEATURE_STIBP		( 7*32+27) /* Single Thread Indirect Branch Predictors */

#define X86_FEATURE_ZEN			( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */



/* Virtualization flags: Linux defined, word 8 */

#define X86_FEATURE_TPR_SHADOW		( 8*32+ 0) /* Intel TPR Shadow */
@@ -274,9 +279,10 @@ 
#define X86_FEATURE_CLZERO		(13*32+ 0) /* CLZERO instruction */

#define X86_FEATURE_IRPERF		(13*32+ 1) /* Instructions Retired Count */

#define X86_FEATURE_XSAVEERPTR		(13*32+ 2) /* Always save/restore FP error pointers */

#define X86_FEATURE_IBPB		(13*32+12) /* Indirect Branch Prediction Barrier */

#define X86_FEATURE_IBRS		(13*32+14) /* Indirect Branch Restricted Speculation */

#define X86_FEATURE_STIBP		(13*32+15) /* Single Thread Indirect Branch Predictors */

#define X86_FEATURE_AMD_IBPB		(13*32+12) /* "" Indirect Branch Prediction Barrier */

#define X86_FEATURE_AMD_IBRS		(13*32+14) /* "" Indirect Branch Restricted Speculation */

#define X86_FEATURE_AMD_STIBP		(13*32+15) /* "" Single Thread Indirect Branch Predictors */

#define X86_FEATURE_VIRT_SSBD		(13*32+25) /* Virtualized Speculative Store Bypass Disable */



/* Thermal and Power Management Leaf, CPUID level 0x00000006 (EAX), word 14 */

#define X86_FEATURE_DTHERM		(14*32+ 0) /* Digital Thermal Sensor */
@@ -334,6 +340,7 @@ 
#define X86_FEATURE_SPEC_CTRL		(18*32+26) /* "" Speculation Control (IBRS + IBPB) */

#define X86_FEATURE_INTEL_STIBP		(18*32+27) /* "" Single Thread Indirect Branch Predictors */

#define X86_FEATURE_ARCH_CAPABILITIES	(18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */

#define X86_FEATURE_SPEC_CTRL_SSBD	(18*32+31) /* "" Speculative Store Bypass Disable */



/*

 * BUG word(s)
@@ -363,5 +370,6 @@ 
#define X86_BUG_CPU_MELTDOWN		X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */

#define X86_BUG_SPECTRE_V1		X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */

#define X86_BUG_SPECTRE_V2		X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */

#define X86_BUG_SPEC_STORE_BYPASS	X86_BUG(17) /* CPU is affected by speculative store bypass attack */



#endif /* _ASM_X86_CPUFEATURES_H */