
Commit 3c76db70 authored by Ingo Molnar's avatar Ingo Molnar

Merge branch 'x86/pti' into x86/mm, to pick up dependencies



Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
parents 194a9749 7958b224
+5 −0
@@ -489,6 +489,11 @@ KBUILD_CFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
endif

RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register
RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk
RETPOLINE_CFLAGS := $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG)))
export RETPOLINE_CFLAGS

ifeq ($(config-targets),1)
# ===========================================================================
# *config targets only - make sure prerequisites are updated, and descend
+2 −10
@@ -430,6 +430,7 @@ config GOLDFISH
config RETPOLINE
	bool "Avoid speculative indirect branches in kernel"
	default y
	select STACK_VALIDATION if HAVE_STACK_VALIDATION
	help
	  Compile kernel with the retpoline compiler options to guard against
	  kernel-to-user data leaks by avoiding speculative indirect
@@ -2315,7 +2316,7 @@ choice
	  it can be used to assist security vulnerability exploitation.

	  This setting can be changed at boot time via the kernel command
	  line parameter vsyscall=[native|emulate|none].
	  line parameter vsyscall=[emulate|none].

	  On a system with recent enough glibc (2.14 or newer) and no
	  static binaries, you can say None without a performance penalty
@@ -2323,15 +2324,6 @@ choice

	  If unsure, select "Emulate".

	config LEGACY_VSYSCALL_NATIVE
		bool "Native"
		help
		  Actual executable code is located in the fixed vsyscall
		  address mapping, implementing time() efficiently. Since
		  this makes the mapping executable, it can be used during
		  security vulnerability exploitation (traditionally as
		  ROP gadgets). This configuration is not recommended.

	config LEGACY_VSYSCALL_EMULATE
		bool "Emulate"
		help
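Review bot: The help text now documents only `vsyscall=[emulate|none]`, but nothing in this section shows what happens to a boot command line that still carries `vsyscall=native`, or to an existing configuration that had the Native choice selected. If the parameter parser outside these hunks simply ignores the old value, such systems would presumably end up on the default mode with no message; that is the safer direction, but it is worth confirming that the rejected value is logged so operators notice. A sentence in the help such as `The former "native" mode has been removed and is no longer available.` would record the change for people upgrading.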
+3 −4
@@ -232,7 +232,6 @@ KBUILD_CFLAGS += -fno-asynchronous-unwind-tables

# Avoid indirect branches in kernel to deal with Spectre
ifdef CONFIG_RETPOLINE
    RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register)
ifneq ($(RETPOLINE_CFLAGS),)
  KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
endif
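Review bot: When no compiler probe succeeds, `RETPOLINE_CFLAGS` is empty and the `ifneq ($(RETPOLINE_CFLAGS),)` guard skips both the flags and `-DRETPOLINE` with no message visible in this hunk, so a kernel configured with CONFIG_RETPOLINE=y is built without the compiler mitigation and the build output does not say so. The variable now comes from the nested `cc-option` call added in the first file section of this commit, which yields an empty string when both the GCC and the Clang flag sets are rejected. An `else` branch on the `ifneq` would make that visible, for example `else` followed by `  $(warning CONFIG_RETPOLINE=y, but the compiler does not support retpoline flags)`. The `ifdef CONFIG_RETPOLINE` block continues past the end of this hunk, so its closing `endif` is not shown.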
+19 −15
@@ -97,7 +97,7 @@ For 32-bit we have the following conventions - kernel is built with

#define SIZEOF_PTREGS	21*8

.macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax
.macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax save_ret=0
	/*
	 * Push registers and sanitize registers of values that a
	 * speculation attack might otherwise want to exploit. The
@@ -105,32 +105,41 @@ For 32-bit we have the following conventions - kernel is built with
	 * could be put to use in a speculative execution gadget.
	 * Interleave XOR with PUSH for better uop scheduling:
	 */
	.if \save_ret
	pushq	%rsi		/* pt_regs->si */
	movq	8(%rsp), %rsi	/* temporarily store the return address in %rsi */
	movq	%rdi, 8(%rsp)	/* pt_regs->di (overwriting original return address) */
	.else
	pushq   %rdi		/* pt_regs->di */
	pushq   %rsi		/* pt_regs->si */
	.endif
	pushq	\rdx		/* pt_regs->dx */
	pushq   %rcx		/* pt_regs->cx */
	pushq   \rax		/* pt_regs->ax */
	pushq   %r8		/* pt_regs->r8 */
	xorq    %r8, %r8	/* nospec   r8 */
	xorl	%r8d, %r8d	/* nospec   r8 */
	pushq   %r9		/* pt_regs->r9 */
	xorq    %r9, %r9	/* nospec   r9 */
	xorl	%r9d, %r9d	/* nospec   r9 */
	pushq   %r10		/* pt_regs->r10 */
	xorq    %r10, %r10	/* nospec   r10 */
	xorl	%r10d, %r10d	/* nospec   r10 */
	pushq   %r11		/* pt_regs->r11 */
	xorq    %r11, %r11	/* nospec   r11*/
	xorl	%r11d, %r11d	/* nospec   r11*/
	pushq	%rbx		/* pt_regs->rbx */
	xorl    %ebx, %ebx	/* nospec   rbx*/
	pushq	%rbp		/* pt_regs->rbp */
	xorl    %ebp, %ebp	/* nospec   rbp*/
	pushq	%r12		/* pt_regs->r12 */
	xorq    %r12, %r12	/* nospec   r12*/
	xorl	%r12d, %r12d	/* nospec   r12*/
	pushq	%r13		/* pt_regs->r13 */
	xorq    %r13, %r13	/* nospec   r13*/
	xorl	%r13d, %r13d	/* nospec   r13*/
	pushq	%r14		/* pt_regs->r14 */
	xorq    %r14, %r14	/* nospec   r14*/
	xorl	%r14d, %r14d	/* nospec   r14*/
	pushq	%r15		/* pt_regs->r15 */
	xorq    %r15, %r15	/* nospec   r15*/
	xorl	%r15d, %r15d	/* nospec   r15*/
	UNWIND_HINT_REGS
	.if \save_ret
	pushq	%rsi		/* return address on top of stack */
	.endif
.endm

.macro POP_REGS pop_rdi=1 skip_r11rcx=0
@@ -172,12 +181,7 @@ For 32-bit we have the following conventions - kernel is built with
 */
.macro ENCODE_FRAME_POINTER ptregs_offset=0
#ifdef CONFIG_FRAME_POINTER
	.if \ptregs_offset
		leaq \ptregs_offset(%rsp), %rbp
	.else
		mov %rsp, %rbp
	.endif
	orq	$0x1, %rbp
	leaq 1+\ptregs_offset(%rsp), %rbp
#endif
.endm
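Review bot: The new `save_ret=1` path in PUSH_AND_CLEAR_REGS has an undocumented contract: it expects a return address at `(%rsp)` on entry, overwrites that slot with %rdi, and still holds the return address in %rsi after the final `pushq %rsi`, so %rsi is not usable as the interrupted context's value afterwards. The visible part of the macro's comment only covers sanitizing registers and says nothing about this. I would add, above the first `.if \save_ret`, a comment such as `/* save_ret=1: entered via CALL; the return address at (%rsp) is re-pushed on top of pt_regs. Clobbers %rsi. */`. The head of the macro's existing comment falls between two hunks and is not shown here.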

+1 −2
@@ -252,8 +252,7 @@ ENTRY(__switch_to_asm)
	 * exist, overwrite the RSB with entries which capture
	 * speculative execution to prevent attack.
	 */
	/* Clobbers %ebx */
	FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
	FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
#endif

	/* restore callee-saved registers */
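Review bot: The deleted `/* Clobbers %ebx */` comment was the only statement here that %ebx is used as scratch, and the new explicit `%ebx` argument names the register without saying why it is free. Judging by the `/* restore callee-saved registers */` line that follows, %rbx is presumably reloaded right afterwards, which is what would make this safe. A short comment such as `/* %ebx is scratch: reloaded with the callee-saved registers below */` would keep that visible. __switch_to_asm starts before and continues after this hunk, so the restore sequence itself is not shown.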