
Commit 85a2d939 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Thomas Gleixner:
 "Yet another pile of melted spectrum related changes:

   - sanitize the array_index_nospec protection mechanism: Remove the
     overengineered array_index_nospec_mask_check() magic and allow
     const-qualified types as index to avoid temporary storage in a
     non-const local variable.

   - make the microcode loader more robust by properly propagating error
     codes. Provide information about new feature bits after micro code
     was updated so administrators can act upon.

   - optimizations of the entry ASM code which reduce code footprint and
     make the code simpler and faster.

   - fix the {pmd,pud}_{set,clear}_flags() implementations to work
     properly on paravirt kernels by removing the address translation
     operations.

   - revert the harmful vmexit_fill_RSB() optimization

   - use IBRS around firmware calls

   - teach objtool about retpolines and add annotations for indirect
     jumps and calls.

   - explicitly disable jumplabel patching in __init code and handle
     patching failures properly instead of silently ignoring them.

   - remove indirect paravirt calls for writing the speculation control
     MSR as these calls are obviously proving the same attack vector
     which is tried to be mitigated.

   - a few small fixes which address build issues with recent compiler
     and assembler versions"

* 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (38 commits)
  KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
  KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
  objtool, retpolines: Integrate objtool with retpoline support more closely
  x86/entry/64: Simplify ENCODE_FRAME_POINTER
  extable: Make init_kernel_text() global
  jump_label: Warn on failed jump_label patching attempt
  jump_label: Explicitly disable jump labels in __init code
  x86/entry/64: Open-code switch_to_thread_stack()
  x86/entry/64: Move ASM_CLAC to interrupt_entry()
  x86/entry/64: Remove 'interrupt' macro
  x86/entry/64: Move the switch_to_thread_stack() call to interrupt_entry()
  x86/entry/64: Move ENTER_IRQ_STACK from interrupt macro to interrupt_entry
  x86/entry/64: Move PUSH_AND_CLEAR_REGS from interrupt macro to helper function
  x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
  objtool: Add module specific retpoline rules
  objtool: Add retpoline validation
  objtool: Use existing global variables for options
  x86/mm/sme, objtool: Annotate indirect call in sme_encrypt_execute()
  x86/boot, objtool: Annotate indirect jump in secondary_startup_64()
  x86/paravirt, objtool: Annotate indirect calls
  ...
parents d4858aaf 946fbbc1
+5 −0
@@ -489,6 +489,11 @@ KBUILD_CFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
endif
endif


RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register
RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk
RETPOLINE_CFLAGS := $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG)))
export RETPOLINE_CFLAGS

ifeq ($(config-targets),1)
ifeq ($(config-targets),1)
# ===========================================================================
# ===========================================================================
# *config targets only - make sure prerequisites are updated, and descend
# *config targets only - make sure prerequisites are updated, and descend
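Review bot: The new `RETPOLINE_CFLAGS` block has no comment explaining the nested `cc-option` calls: the GCC flag pair is tried first, the Clang flag only if that fails, and the variable ends up empty when the compiler accepts neither. Because the value is exported for other makefiles, the empty case is part of its contract and is worth stating where the variable is defined. Suggested comment above the block: `# Retpoline flags: GCC pair first, then Clang; empty if the compiler supports neither.`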
+1 −0
@@ -430,6 +430,7 @@ config GOLDFISH
config RETPOLINE
config RETPOLINE
	bool "Avoid speculative indirect branches in kernel"
	bool "Avoid speculative indirect branches in kernel"
	default y
	default y
	select STACK_VALIDATION if HAVE_STACK_VALIDATION
	help
	help
	  Compile kernel with the retpoline compiler options to guard against
	  Compile kernel with the retpoline compiler options to guard against
	  kernel-to-user data leaks by avoiding speculative indirect
	  kernel-to-user data leaks by avoiding speculative indirect
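Review bot: `select STACK_VALIDATION if HAVE_STACK_VALIDATION` forces the symbol on without honouring any other `depends on` that STACK_VALIDATION may carry; its definition is not on this page, so that should be checked before relying on the select. The help text, which continues past this hunk, also does not say that enabling RETPOLINE now turns on stack validation where it is available. One sentence there, such as `Also enables build-time stack validation on architectures that support it.`, would explain the extra build step to anyone enabling the option.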
+3 −4
@@ -232,7 +232,6 @@ KBUILD_CFLAGS += -fno-asynchronous-unwind-tables


# Avoid indirect branches in kernel to deal with Spectre
# Avoid indirect branches in kernel to deal with Spectre
ifdef CONFIG_RETPOLINE
ifdef CONFIG_RETPOLINE
    RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register)
ifneq ($(RETPOLINE_CFLAGS),)
ifneq ($(RETPOLINE_CFLAGS),)
  KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
  KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
endif
endif
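Review bot: When `RETPOLINE_CFLAGS` is empty, the `ifneq ($(RETPOLINE_CFLAGS),)` guard skips both the compiler flags and `-DRETPOLINE` without any message, so a kernel configured with CONFIG_RETPOLINE=y can be built without the Spectre mitigation on a compiler that accepts neither flag set. An `else` branch would make that visible at build time, for example `else` followed by `$(warning CONFIG_RETPOLINE=y, but the compiler does not support retpolines)`, or `$(error ...)` if a silent downgrade is unacceptable. Nothing on this page shows such a diagnostic elsewhere, so that is worth confirming. The outer `ifdef CONFIG_RETPOLINE` closes outside this hunk.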
+19 −15
@@ -97,7 +97,7 @@ For 32-bit we have the following conventions - kernel is built with


#define SIZEOF_PTREGS	21*8
#define SIZEOF_PTREGS	21*8


.macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax
.macro PUSH_AND_CLEAR_REGS rdx=%rdx rax=%rax save_ret=0
	/*
	/*
	 * Push registers and sanitize registers of values that a
	 * Push registers and sanitize registers of values that a
	 * speculation attack might otherwise want to exploit. The
	 * speculation attack might otherwise want to exploit. The
@@ -105,32 +105,41 @@ For 32-bit we have the following conventions - kernel is built with
	 * could be put to use in a speculative execution gadget.
	 * could be put to use in a speculative execution gadget.
	 * Interleave XOR with PUSH for better uop scheduling:
	 * Interleave XOR with PUSH for better uop scheduling:
	 */
	 */
	.if \save_ret
	pushq	%rsi		/* pt_regs->si */
	movq	8(%rsp), %rsi	/* temporarily store the return address in %rsi */
	movq	%rdi, 8(%rsp)	/* pt_regs->di (overwriting original return address) */
	.else
	pushq   %rdi		/* pt_regs->di */
	pushq   %rdi		/* pt_regs->di */
	pushq   %rsi		/* pt_regs->si */
	pushq   %rsi		/* pt_regs->si */
	.endif
	pushq	\rdx		/* pt_regs->dx */
	pushq	\rdx		/* pt_regs->dx */
	pushq   %rcx		/* pt_regs->cx */
	pushq   %rcx		/* pt_regs->cx */
	pushq   \rax		/* pt_regs->ax */
	pushq   \rax		/* pt_regs->ax */
	pushq   %r8		/* pt_regs->r8 */
	pushq   %r8		/* pt_regs->r8 */
	xorq    %r8, %r8	/* nospec   r8 */
	xorl	%r8d, %r8d	/* nospec   r8 */
	pushq   %r9		/* pt_regs->r9 */
	pushq   %r9		/* pt_regs->r9 */
	xorq    %r9, %r9	/* nospec   r9 */
	xorl	%r9d, %r9d	/* nospec   r9 */
	pushq   %r10		/* pt_regs->r10 */
	pushq   %r10		/* pt_regs->r10 */
	xorq    %r10, %r10	/* nospec   r10 */
	xorl	%r10d, %r10d	/* nospec   r10 */
	pushq   %r11		/* pt_regs->r11 */
	pushq   %r11		/* pt_regs->r11 */
	xorq    %r11, %r11	/* nospec   r11*/
	xorl	%r11d, %r11d	/* nospec   r11*/
	pushq	%rbx		/* pt_regs->rbx */
	pushq	%rbx		/* pt_regs->rbx */
	xorl    %ebx, %ebx	/* nospec   rbx*/
	xorl    %ebx, %ebx	/* nospec   rbx*/
	pushq	%rbp		/* pt_regs->rbp */
	pushq	%rbp		/* pt_regs->rbp */
	xorl    %ebp, %ebp	/* nospec   rbp*/
	xorl    %ebp, %ebp	/* nospec   rbp*/
	pushq	%r12		/* pt_regs->r12 */
	pushq	%r12		/* pt_regs->r12 */
	xorq    %r12, %r12	/* nospec   r12*/
	xorl	%r12d, %r12d	/* nospec   r12*/
	pushq	%r13		/* pt_regs->r13 */
	pushq	%r13		/* pt_regs->r13 */
	xorq    %r13, %r13	/* nospec   r13*/
	xorl	%r13d, %r13d	/* nospec   r13*/
	pushq	%r14		/* pt_regs->r14 */
	pushq	%r14		/* pt_regs->r14 */
	xorq    %r14, %r14	/* nospec   r14*/
	xorl	%r14d, %r14d	/* nospec   r14*/
	pushq	%r15		/* pt_regs->r15 */
	pushq	%r15		/* pt_regs->r15 */
	xorq    %r15, %r15	/* nospec   r15*/
	xorl	%r15d, %r15d	/* nospec   r15*/
	UNWIND_HINT_REGS
	UNWIND_HINT_REGS
	.if \save_ret
	pushq	%rsi		/* return address on top of stack */
	.endif
.endm
.endm


.macro POP_REGS pop_rdi=1 skip_r11rcx=0
.macro POP_REGS pop_rdi=1 skip_r11rcx=0
@@ -172,12 +181,7 @@ For 32-bit we have the following conventions - kernel is built with
 */
 */
.macro ENCODE_FRAME_POINTER ptregs_offset=0
.macro ENCODE_FRAME_POINTER ptregs_offset=0
#ifdef CONFIG_FRAME_POINTER
#ifdef CONFIG_FRAME_POINTER
	.if \ptregs_offset
	leaq 1+\ptregs_offset(%rsp), %rbp
		leaq \ptregs_offset(%rsp), %rbp
	.else
		mov %rsp, %rbp
	.endif
	orq	$0x1, %rbp
#endif
#endif
.endm
.endm
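Review bot: The header comment of `PUSH_AND_CLEAR_REGS` does not describe the `save_ret` argument, although the `save_ret=1` path changes the macro's contract: it assumes a return address is on top of the stack at entry, it leaves that address in `%rsi` (the caller's value survives only in pt_regs->si), and it ends with the return address pushed again, so pt_regs starts at `8(%rsp)` rather than `(%rsp)`. A caller that reads `%rsi` or indexes pt_regs from `%rsp` right after the macro would get the wrong value. I would add to the comment something like `save_ret=1: for use from a called helper; the return address stays on top of the stack, %rsi is clobbered, pt_regs is at 8(%rsp) on exit.` The page does not keep the +/- markers for this section, so this reads the `.if \save_ret` lines as the new side.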


+1 −2
@@ -252,8 +252,7 @@ ENTRY(__switch_to_asm)
	 * exist, overwrite the RSB with entries which capture
	 * exist, overwrite the RSB with entries which capture
	 * speculative execution to prevent attack.
	 * speculative execution to prevent attack.
	 */
	 */
	/* Clobbers %ebx */
	FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
	FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
#endif
#endif


	/* restore callee-saved registers */
	/* restore callee-saved registers */