x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (9ecf57e4) · Commits · e / devices / android_kernel_xiaomi_sm6125

Documentation/ABI/testing/sysfs-devices-system-cpu

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -381,6 +381,7 @@ What: /sys/devices/system/cpu/vulnerabilities
	/sys/devices/system/cpu/vulnerabilities/spec_store_bypass		/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
	/sys/devices/system/cpu/vulnerabilities/l1tf		/sys/devices/system/cpu/vulnerabilities/l1tf
	/sys/devices/system/cpu/vulnerabilities/mds		/sys/devices/system/cpu/vulnerabilities/mds
			/sys/devices/system/cpu/vulnerabilities/srbds
	/sys/devices/system/cpu/vulnerabilities/tsx_async_abort		/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
	/sys/devices/system/cpu/vulnerabilities/itlb_multihit		/sys/devices/system/cpu/vulnerabilities/itlb_multihit
	Date: January 2018		Date: January 2018

Documentation/admin-guide/kernel-parameters.txt

+20 −0

Original line number	Original line	Diff line number	Diff line
	@@ -4234,6 +4234,26 @@
	spia_pedr=		spia_pedr=
	spia_peddr=		spia_peddr=

			srbds= [X86,INTEL]
			Control the Special Register Buffer Data Sampling
			(SRBDS) mitigation.

			Certain CPUs are vulnerable to an MDS-like
			exploit which can leak bits from the random
			number generator.

			By default, this issue is mitigated by
			microcode. However, the microcode fix can cause
			the RDRAND and RDSEED instructions to become
			much slower. Among other effects, this will
			result in reduced throughput from /dev/urandom.

			The microcode mitigation can be disabled with
			the following option:

			off: Disable mitigation and remove
			performance impact to RDRAND and RDSEED

	srcutree.counter_wrap_check [KNL]		srcutree.counter_wrap_check [KNL]
	Specifies how frequently to check for		Specifies how frequently to check for
	grace-period sequence counter wrap for the		grace-period sequence counter wrap for the

arch/x86/include/asm/cpufeatures.h

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -346,6 +346,7 @@
	/* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */		/* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
	#define X86_FEATURE_AVX512_4VNNIW (1832+ 2) / AVX-512 Neural Network Instructions */		#define X86_FEATURE_AVX512_4VNNIW (1832+ 2) / AVX-512 Neural Network Instructions */
	#define X86_FEATURE_AVX512_4FMAPS (1832+ 3) / AVX-512 Multiply Accumulation Single precision */		#define X86_FEATURE_AVX512_4FMAPS (1832+ 3) / AVX-512 Multiply Accumulation Single precision */
			#define X86_FEATURE_SRBDS_CTRL (1832+ 9) / "" SRBDS mitigation MSR available */
	#define X86_FEATURE_TSX_FORCE_ABORT (1832+13) / "" TSX_FORCE_ABORT */		#define X86_FEATURE_TSX_FORCE_ABORT (1832+13) / "" TSX_FORCE_ABORT */
	#define X86_FEATURE_MD_CLEAR (1832+10) / VERW clears CPU buffers */		#define X86_FEATURE_MD_CLEAR (1832+10) / VERW clears CPU buffers */
	#define X86_FEATURE_PCONFIG (1832+18) / Intel PCONFIG */		#define X86_FEATURE_PCONFIG (1832+18) / Intel PCONFIG */
	@@ -390,5 +391,6 @@
	#define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */		#define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
	#define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */		#define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
	#define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */		#define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
			#define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */

	#endif /* _ASM_X86_CPUFEATURES_H */		#endif /* _ASM_X86_CPUFEATURES_H */

arch/x86/include/asm/msr-index.h

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -110,6 +110,10 @@
	#define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */		#define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */
	#define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */		#define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */

			/* SRBDS support */
			#define MSR_IA32_MCU_OPT_CTRL 0x00000123
			#define RNGDS_MITG_DIS BIT(0)

	#define MSR_IA32_SYSENTER_CS 0x00000174		#define MSR_IA32_SYSENTER_CS 0x00000174
	#define MSR_IA32_SYSENTER_ESP 0x00000175		#define MSR_IA32_SYSENTER_ESP 0x00000175
	#define MSR_IA32_SYSENTER_EIP 0x00000176		#define MSR_IA32_SYSENTER_EIP 0x00000176

arch/x86/kernel/cpu/bugs.c

+106 −0

Original line number	Original line	Diff line number	Diff line
	@@ -41,6 +41,7 @@ static void __init l1tf_select_mitigation(void);
	static void __init mds_select_mitigation(void);		static void __init mds_select_mitigation(void);
	static void __init mds_print_mitigation(void);		static void __init mds_print_mitigation(void);
	static void __init taa_select_mitigation(void);		static void __init taa_select_mitigation(void);
			static void __init srbds_select_mitigation(void);

	/* The base value of the SPEC_CTRL MSR that always has to be preserved. */		/* The base value of the SPEC_CTRL MSR that always has to be preserved. */
	u64 x86_spec_ctrl_base;		u64 x86_spec_ctrl_base;
	@@ -108,6 +109,7 @@ void __init check_bugs(void)
	l1tf_select_mitigation();		l1tf_select_mitigation();
	mds_select_mitigation();		mds_select_mitigation();
	taa_select_mitigation();		taa_select_mitigation();
			srbds_select_mitigation();

	/*		/*
	* As MDS and TAA mitigations are inter-related, print MDS		* As MDS and TAA mitigations are inter-related, print MDS
	@@ -390,6 +392,97 @@ static int __init tsx_async_abort_parse_cmdline(char *str)
	}		}
	early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);		early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);

			#undef pr_fmt
			#define pr_fmt(fmt) "SRBDS: " fmt

			enum srbds_mitigations {
			SRBDS_MITIGATION_OFF,
			SRBDS_MITIGATION_UCODE_NEEDED,
			SRBDS_MITIGATION_FULL,
			SRBDS_MITIGATION_TSX_OFF,
			SRBDS_MITIGATION_HYPERVISOR,
			};

			static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL;

			static const char * const srbds_strings[] = {
			[SRBDS_MITIGATION_OFF] = "Vulnerable",
			[SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
			[SRBDS_MITIGATION_FULL] = "Mitigation: Microcode",
			[SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled",
			[SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
			};

			static bool srbds_off;

			void update_srbds_msr(void)
			{
			u64 mcu_ctrl;

			if (!boot_cpu_has_bug(X86_BUG_SRBDS))
			return;

			if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
			return;

			if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED)
			return;

			rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);

			switch (srbds_mitigation) {
			case SRBDS_MITIGATION_OFF:
			case SRBDS_MITIGATION_TSX_OFF:
			mcu_ctrl \|= RNGDS_MITG_DIS;
			break;
			case SRBDS_MITIGATION_FULL:
			mcu_ctrl &= ~RNGDS_MITG_DIS;
			break;
			default:
			break;
			}

			wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
			}

			static void __init srbds_select_mitigation(void)
			{
			u64 ia32_cap;

			if (!boot_cpu_has_bug(X86_BUG_SRBDS))
			return;

			/*
			* Check to see if this is one of the MDS_NO systems supporting
			* TSX that are only exposed to SRBDS when TSX is enabled.
			*/
			ia32_cap = x86_read_arch_cap_msr();
			if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM))
			srbds_mitigation = SRBDS_MITIGATION_TSX_OFF;
			else if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
			srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR;
			else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
			srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED;
			else if (cpu_mitigations_off() \|\| srbds_off)
			srbds_mitigation = SRBDS_MITIGATION_OFF;

			update_srbds_msr();
			pr_info("%s\n", srbds_strings[srbds_mitigation]);
			}

			static int __init srbds_parse_cmdline(char *str)
			{
			if (!str)
			return -EINVAL;

			if (!boot_cpu_has_bug(X86_BUG_SRBDS))
			return 0;

			srbds_off = !strcmp(str, "off");
			return 0;
			}
			early_param("srbds", srbds_parse_cmdline);

	#undef pr_fmt		#undef pr_fmt
	#define pr_fmt(fmt) "Spectre V1 : " fmt		#define pr_fmt(fmt) "Spectre V1 : " fmt

	@@ -1491,6 +1584,11 @@ static char *ibpb_state(void)
	return "";		return "";
	}		}

			static ssize_t srbds_show_state(char *buf)
			{
			return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
			}

	static ssize_t cpu_show_common(struct device dev, struct device_attribute attr,		static ssize_t cpu_show_common(struct device dev, struct device_attribute attr,
	char *buf, unsigned int bug)		char *buf, unsigned int bug)
	{		{
	@@ -1532,6 +1630,9 @@ static ssize_t cpu_show_common(struct device dev, struct device_attribute attr
	case X86_BUG_ITLB_MULTIHIT:		case X86_BUG_ITLB_MULTIHIT:
	return itlb_multihit_show_state(buf);		return itlb_multihit_show_state(buf);

			case X86_BUG_SRBDS:
			return srbds_show_state(buf);

	default:		default:
	break;		break;
	}		}
	@@ -1578,4 +1679,9 @@ ssize_t cpu_show_itlb_multihit(struct device dev, struct device_attribute attr
	{		{
	return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);		return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
	}		}

			ssize_t cpu_show_srbds(struct device dev, struct device_attribute attr, char *buf)
			{
			return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS);
			}
	#endif		#endif