1 | From 80010968cc2397fd5c3847497281326732ffa785 Mon Sep 17 00:00:00 2001 |
2 | From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> | |
3 | Date: Mon, 11 Mar 2024 08:57:09 -0700 | |
4 | Subject: x86/bhi: Mitigate KVM by default | |
5 | ||
6 | From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> | |
7 | ||
8 | commit 95a6ccbdc7199a14b71ad8901cb788ba7fb5167b upstream. | |
9 | ||
10 | BHI mitigation mode spectre_bhi=auto does not deploy the software | |
11 | mitigation by default. In a cloud environment, it is a likely scenario | |
12 | where userspace is trusted but the guests are not trusted. Deploying | |
13 | system wide mitigation in such cases is not desirable. | |
14 | ||
15 | Update the auto mode to unconditionally mitigate against malicious | |
16 | guests. Deploy the software sequence at VMexit in auto mode also, when | |
17 | hardware mitigation is not available. Unlike the forced =on mode, the | |
18 | software sequence is not deployed at syscalls in auto mode. | |
19 | ||
20 | Suggested-by: Alexandre Chartre <alexandre.chartre@oracle.com> | |
21 | Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> | |
22 | Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com> | |
23 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
24 | Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com> | |
25 | Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org> | |
26 | Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com> | |
27 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
28 | --- | |
29 | Documentation/admin-guide/hw-vuln/spectre.rst | 7 +++++-- | |
30 | Documentation/admin-guide/kernel-parameters.txt | 5 +++-- | |
31 | arch/x86/include/asm/cpufeatures.h | 1 + | |
32 | arch/x86/include/asm/nospec-branch.h | 5 +++++ | |
33 | arch/x86/kernel/cpu/bugs.c | 9 ++++++++- | |
34 | arch/x86/kvm/vmx/vmenter.S | 2 +- | |
35 | 6 files changed, 23 insertions(+), 6 deletions(-) | |
36 | ||
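--- a/Documentation/admin-guide/hw-vuln/spectre.rst
+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
@@ -439,10 +439,12 @@ The possible values in this file are:
 - System is protected by retpoline
 * - BHI: BHI_DIS_S
 - System is protected by BHI_DIS_S
- * - BHI: SW loop
+ * - BHI: SW loop; KVM SW loop
 - System is protected by software clearing sequence
 * - BHI: Syscall hardening
 - Syscalls are hardened against BHI
+ * - BHI: Syscall hardening; KVM: SW loop
+ - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence
 
 Full mitigation might require a microcode update from the CPU
 vendor. When the necessary microcode is not available, the kernel will
@@ -669,7 +671,8 @@ kernel command line.
 unconditionally disable.
 auto
 enable if hardware mitigation
- control(BHI_DIS_S) is available.
+ control(BHI_DIS_S) is available, otherwise
+ enable alternate mitigation in KVM.
 
 For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt
 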
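--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -5928,8 +5928,9 @@
 
 on - unconditionally enable.
 off - unconditionally disable.
- auto - (default) enable only if hardware mitigation
- control(BHI_DIS_S) is available.
+ auto - (default) enable hardware mitigation
+ (BHI_DIS_S) if available, otherwise enable
+ alternate mitigation in KVM.
 
 spectre_v2= [X86] Control mitigation of Spectre variant 2
 (indirect branch speculation) vulnerability.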
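--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -466,6 +466,7 @@
 #define X86_FEATURE_CLEAR_BHB_LOOP (21*32+ 1) /* "" Clear branch history at syscall entry using SW loop */
 #define X86_FEATURE_BHI_CTRL (21*32+ 2) /* "" BHI_DIS_S HW control available */
 #define X86_FEATURE_CLEAR_BHB_HW (21*32+ 3) /* "" BHI_DIS_S HW control enabled */
+#define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch history at vmexit using SW loop */
 
 /*
 * BUG word(s)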
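--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -339,8 +339,13 @@
 .macro CLEAR_BRANCH_HISTORY
 ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP
 .endm
+
+.macro CLEAR_BRANCH_HISTORY_VMEXIT
+ ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT
+.endm
 #else
 #define CLEAR_BRANCH_HISTORY
+#define CLEAR_BRANCH_HISTORY_VMEXIT
 #endif
 
 #else /* __ASSEMBLY__ */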
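Review bot: The new CLEAR_BRANCH_HISTORY_VMEXIT macro carries no comment saying why a second macro exists when it expands to the very same `call clear_bhb_loop` as CLEAR_BRANCH_HISTORY just above it; the only difference is the feature bit it is gated on. A one-line comment above `.macro CLEAR_BRANCH_HISTORY_VMEXIT`, such as `/* Same SW clearing sequence as CLEAR_BRANCH_HISTORY, keyed to its own feature bit so the VMexit path can be mitigated without also hardening syscalls */`, would save the next reader a trip to bugs.c to learn that the two bits are set independently. The `#ifdef` that selects between the `.macro` and the empty `#define` fallback begins outside the hunk.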
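--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1667,9 +1667,14 @@ static void __init bhi_select_mitigation
 if (!IS_ENABLED(CONFIG_X86_64))
 return;
 
+ /* Mitigate KVM by default */
+ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
+ pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
+
 if (bhi_mitigation == BHI_MITIGATION_AUTO)
 return;
 
+ /* Mitigate syscalls when the mitigation is forced =on */
 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
 pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
 }
@@ -2810,10 +2815,12 @@ static const char * const spectre_bhi_st
 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW))
 return "; BHI: BHI_DIS_S";
 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP))
- return "; BHI: SW loop";
+ return "; BHI: SW loop, KVM: SW loop";
 else if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
 !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA))
 return "; BHI: Retpoline";
+ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))
+ return "; BHI: Syscall hardening, KVM: SW loop";
 
 return "; BHI: Vulnerable (Syscall hardening enabled)";
 }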
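Review bot: The sysfs strings added in the spectre_bhi_state hunk do not match the values this same commit documents in spectre.rst: the code returns `"; BHI: SW loop, KVM: SW loop"` and `"; BHI: Syscall hardening, KVM: SW loop"` (comma separated), while the documentation lists `BHI: SW loop; KVM SW loop` and `BHI: Syscall hardening; KVM: SW loop` (semicolon separated, and the first one has no colon after KVM). Anything that parses the spectre_v2 vulnerabilities file against the documented values will fail to recognise the KVM state, so one form should be chosen and used in both places. In the first hunk the comment `/* Mitigate KVM by default */` would say more as `/* No BHI_DIS_S: fall back to the SW clearing loop on VMexit in both auto and =on mode */`, hedged because the checks that lead to this point are above the hunk. Both bhi_select_mitigation and spectre_bhi_state start outside their hunks.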
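--- a/arch/x86/kvm/vmx/vmenter.S
+++ b/arch/x86/kvm/vmx/vmenter.S
@@ -275,7 +275,7 @@ SYM_INNER_LABEL_ALIGN(vmx_vmexit, SYM_L_
 
 call vmx_spec_ctrl_restore_host
 
- CLEAR_BRANCH_HISTORY
+ CLEAR_BRANCH_HISTORY_VMEXIT
 
 /* Put return value in AX */
 mov %_ASM_BX, %_ASM_AX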