Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0af5ae26 authored by Waiman Long's avatar Waiman Long Committed by Greg Kroah-Hartman
Browse files

x86/speculation: Fix incorrect MDS/TAA mitigation status 



commit 64870ed1b12e235cfca3f6c6da75b542c973ff78 upstream.

For MDS vulnerable processors with TSX support, enabling either MDS or
TAA mitigations will enable the use of VERW to flush internal processor
buffers at the right code path. IOW, they are either both mitigated
or both not. However, if the command line options are inconsistent,
the vulnerabilites sysfs files may not report the mitigation status
correctly.

For example, with only the "mds=off" option:

  vulnerabilities/mds:Vulnerable; SMT vulnerable
  vulnerabilities/tsx_async_abort:Mitigation: Clear CPU buffers; SMT vulnerable

The mds vulnerabilities file has wrong status in this case. Similarly,
the taa vulnerability file will be wrong with mds mitigation on, but
taa off.

Change taa_select_mitigation() to sync up the two mitigation status
and have them turned off if both "mds=off" and "tsx_async_abort=off"
are present.

Update documentation to emphasize the fact that both "mds=off" and
"tsx_async_abort=off" have to be specified together for processors that
are affected by both TAA and MDS to be effective.

 [ bp: Massage and add kernel-parameters.txt change too. ]

Fixes: 1b42f017415b ("x86/speculation/taa: Add mitigation for TSX Async Abort")
Signed-off-by: default avatarWaiman Long <longman@redhat.com>
Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: linux-doc@vger.kernel.org
Cc: Mark Gross <mgross@linux.intel.com>
Cc: <stable@vger.kernel.org>
Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20191115161445.30809-2-longman@redhat.com


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent ed731209

Documentation/admin-guide/hw-vuln/mds.rst

+5 −2
Original line number Original line Diff line number Diff line
@@ -265,8 +265,11 @@ time with the option "mds=". The valid arguments for this option are: 




  ============  =============================================================

  ============  =============================================================





Not specifying this option is equivalent to "mds=full".

Not specifying this option is equivalent to "mds=full". For processors



that are affected by both TAA (TSX Asynchronous Abort) and MDS,

specifying just "mds=off" without an accompanying "tsx_async_abort=off"

will have no effect as the same mitigation is used for both

vulnerabilities.





Mitigation selection guide

Mitigation selection guide

--------------------------

--------------------------

Documentation/admin-guide/hw-vuln/tsx_async_abort.rst

+4 −1
Original line number Original line Diff line number Diff line
@@ -174,7 +174,10 @@ the option "tsx_async_abort=". The valid arguments for this option are: 
                CPU is not vulnerable to cross-thread TAA attacks.

                CPU is not vulnerable to cross-thread TAA attacks.

  ============  =============================================================

  ============  =============================================================





Not specifying this option is equivalent to "tsx_async_abort=full".

Not specifying this option is equivalent to "tsx_async_abort=full". For

processors that are affected by both TAA and MDS, specifying just

"tsx_async_abort=off" without an accompanying "mds=off" will have no

effect as the same mitigation is used for both vulnerabilities.





The kernel command line also allows to control the TSX feature using the

The kernel command line also allows to control the TSX feature using the

parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used

parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used

Documentation/admin-guide/kernel-parameters.txt

+11 −0
Original line number Original line Diff line number Diff line
@@ -2359,6 +2359,12 @@ 
				     SMT on vulnerable CPUs

				     SMT on vulnerable CPUs

			off        - Unconditionally disable MDS mitigation

			off        - Unconditionally disable MDS mitigation





			On TAA-affected machines, mds=off can be prevented by

			an active TAA mitigation as both vulnerabilities are

			mitigated with the same mechanism so in order to disable

			this mitigation, you need to specify tsx_async_abort=off

			too.



			Not specifying this option is equivalent to

			Not specifying this option is equivalent to

			mds=full.

			mds=full.
@@ -4773,6 +4779,11 @@ 
				     vulnerable to cross-thread TAA attacks.

				     vulnerable to cross-thread TAA attacks.

			off        - Unconditionally disable TAA mitigation

			off        - Unconditionally disable TAA mitigation





			On MDS-affected machines, tsx_async_abort=off can be

			prevented by an active MDS mitigation as both vulnerabilities

			are mitigated with the same mechanism so in order to disable

			this mitigation, you need to specify mds=off too.



			Not specifying this option is equivalent to

			Not specifying this option is equivalent to

			tsx_async_abort=full.  On CPUs which are MDS affected

			tsx_async_abort=full.  On CPUs which are MDS affected

			and deploy MDS mitigation, TAA mitigation is not

			and deploy MDS mitigation, TAA mitigation is not

arch/x86/kernel/cpu/bugs.c

+15 −2
Original line number Original line Diff line number Diff line
@@ -304,8 +304,12 @@ static void __init taa_select_mitigation(void) 
		return;

		return;

	}

	}





	/* TAA mitigation is turned off on the cmdline (tsx_async_abort=off) */

	/*

	if (taa_mitigation == TAA_MITIGATION_OFF)

	 * TAA mitigation via VERW is turned off if both

	 * tsx_async_abort=off and mds=off are specified.

	 */

	if (taa_mitigation == TAA_MITIGATION_OFF &&

	    mds_mitigation == MDS_MITIGATION_OFF)

		goto out;

		goto out;





	if (boot_cpu_has(X86_FEATURE_MD_CLEAR))

	if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
@@ -339,6 +343,15 @@ static void __init taa_select_mitigation(void) 
	if (taa_nosmt || cpu_mitigations_auto_nosmt())

	if (taa_nosmt || cpu_mitigations_auto_nosmt())

		cpu_smt_disable(false);

		cpu_smt_disable(false);





	/*

	 * Update MDS mitigation, if necessary, as the mds_user_clear is

	 * now enabled for TAA mitigation.

	 */

	if (mds_mitigation == MDS_MITIGATION_OFF &&

	    boot_cpu_has_bug(X86_BUG_MDS)) {

		mds_mitigation = MDS_MITIGATION_FULL;

		mds_select_mitigation();

	}

out:

out:

	pr_info("%s\n", taa_strings[taa_mitigation]);

	pr_info("%s\n", taa_strings[taa_mitigation]);

}

}