Commit | Line | Data |
---|---|---|
09dfd60e GKH |
1 | From 9d8d0294e78a164d407133dea05caf4b84247d6a Mon Sep 17 00:00:00 2001 |
2 | From: Andy Lutomirski <luto@kernel.org> | |
3 | Date: Tue, 14 May 2019 13:24:40 -0700 | |
4 | Subject: x86/speculation/mds: Improve CPU buffer clear documentation | |
5 | ||
6 | From: Andy Lutomirski <luto@kernel.org> | |
7 | ||
8 | commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream. | |
9 | ||
10 | On x86_64, all returns to usermode go through | |
11 | prepare_exit_to_usermode(), with the sole exception of do_nmi(). | |
12 | This even includes machine checks -- this was added several years | |
13 | ago to support MCE recovery. Update the documentation. | |
14 | ||
15 | Signed-off-by: Andy Lutomirski <luto@kernel.org> | |
16 | Cc: Borislav Petkov <bp@suse.de> | |
17 | Cc: Frederic Weisbecker <frederic@kernel.org> | |
18 | Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
19 | Cc: Jon Masters <jcm@redhat.com> | |
20 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
21 | Cc: Peter Zijlstra <peterz@infradead.org> | |
22 | Cc: Thomas Gleixner <tglx@linutronix.de> | |
23 | Cc: stable@vger.kernel.org | |
24 | Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user") | |
25 | Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org | |
26 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
27 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
28 | ||
29 | --- | |
30 | Documentation/x86/mds.rst | 39 +++++++-------------------------------- | |
31 | 1 file changed, 7 insertions(+), 32 deletions(-) | |
32 | ||
33 | --- a/Documentation/x86/mds.rst | |
34 | +++ b/Documentation/x86/mds.rst | |
35 | @@ -142,38 +142,13 @@ Mitigation points | |
36 | mds_user_clear. | |
37 | ||
38 | The mitigation is invoked in prepare_exit_to_usermode() which covers | |
39 | - most of the kernel to user space transitions. There are a few exceptions | |
40 | - which are not invoking prepare_exit_to_usermode() on return to user | |
41 | - space. These exceptions use the paranoid exit code. | |
42 | - | |
43 | - - Non Maskable Interrupt (NMI): | |
44 | - | |
45 | - Access to sensible data like keys, credentials in the NMI context is | |
46 | - mostly theoretical: The CPU can do prefetching or execute a | |
47 | - misspeculated code path and thereby fetching data which might end up | |
48 | - leaking through a buffer. | |
49 | - | |
50 | - But for mounting other attacks the kernel stack address of the task is | |
51 | - already valuable information. So in full mitigation mode, the NMI is | |
52 | - mitigated on the return from do_nmi() to provide almost complete | |
53 | - coverage. | |
54 | - | |
55 | - - Machine Check Exception (#MC): | |
56 | - | |
57 | - Another corner case is a #MC which hits between the CPU buffer clear | |
58 | - invocation and the actual return to user. As this still is in kernel | |
59 | - space it takes the paranoid exit path which does not clear the CPU | |
60 | - buffers. So the #MC handler repopulates the buffers to some | |
61 | - extent. Machine checks are not reliably controllable and the window is | |
62 | - extremly small so mitigation would just tick a checkbox that this | |
63 | - theoretical corner case is covered. To keep the amount of special | |
64 | - cases small, ignore #MC. | |
65 | - | |
66 | - - Debug Exception (#DB): | |
67 | - | |
68 | - This takes the paranoid exit path only when the INT1 breakpoint is in | |
69 | - kernel space. #DB on a user space address takes the regular exit path, | |
70 | - so no extra mitigation required. | |
71 | + all but one of the kernel to user space transitions. The exception | |
72 | + is when we return from a Non Maskable Interrupt (NMI), which is | |
73 | + handled directly in do_nmi(). | |
74 | + | |
75 | + (The reason that NMI is special is that prepare_exit_to_usermode() can | |
76 | + enable IRQs. In NMI context, NMIs are blocked, and we don't want to | |
77 | + enable IRQs with NMIs blocked.) | |
78 | ||
79 | ||
80 | 2. C-State transition |
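
Review bot: The added paragraph ("all but one of the kernel to user space transitions") drops the "On x86_64" qualifier that the commit message puts on this claim, so the documentation now reads as if it held for every x86 configuration. Either carry the qualifier into the text or say what applies to 32-bit. In the same paragraph, "handled directly in do_nmi()" is ambiguous about whether it is the NMI or the buffer clear that is handled there; the removed wording ("in full mitigation mode, the NMI is mitigated on the return from do_nmi()") stated both the action and its condition, and the replacement should keep that, for example "where the CPU buffers are cleared on the return from do_nmi()".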