[thirdparty/kernel/stable-queue.git] / releases / 6.6.26 / x86-bhi-mitigate-kvm-by-default.patch

From 80010968cc2397fd5c3847497281326732ffa785 Mon Sep 17 00:00:00 2001
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Mon, 11 Mar 2024 08:57:09 -0700
Subject: x86/bhi: Mitigate KVM by default

From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

commit 95a6ccbdc7199a14b71ad8901cb788ba7fb5167b upstream.

BHI mitigation mode spectre_bhi=auto does not deploy the software
mitigation by default. In a cloud environment, it is a likely scenario
where userspace is trusted but the guests are not trusted. Deploying
system wide mitigation in such cases is not desirable.

Update the auto mode to unconditionally mitigate against malicious
guests. Deploy the software sequence at VMexit in auto mode also, when
hardware mitigation is not available. Unlike the force =on mode,
software sequence is not deployed at syscalls in auto mode.

Suggested-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/admin-guide/hw-vuln/spectre.rst   |    7 +++++--
 Documentation/admin-guide/kernel-parameters.txt |    5 +++--
 arch/x86/include/asm/cpufeatures.h              |    1 +
 arch/x86/include/asm/nospec-branch.h            |    5 +++++
 arch/x86/kernel/cpu/bugs.c                      |    9 ++++++++-
 arch/x86/kvm/vmx/vmenter.S                      |    2 +-
 6 files changed, 23 insertions(+), 6 deletions(-)

--- a/Documentation/admin-guide/hw-vuln/spectre.rst
+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
@@ -439,10 +439,12 @@ The possible values in this file are:
    - System is protected by retpoline
  * - BHI: BHI_DIS_S
    - System is protected by BHI_DIS_S
- * - BHI: SW loop
+ * - BHI: SW loop; KVM SW loop
    - System is protected by software clearing sequence
  * - BHI: Syscall hardening
    - Syscalls are hardened against BHI
+ * - BHI: Syscall hardening; KVM: SW loop
+   - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence
 
 Full mitigation might require a microcode update from the CPU
 vendor. When the necessary microcode is not available, the kernel will
@@ -669,7 +671,8 @@ kernel command line.
 			unconditionally disable.
 		auto
 			enable if hardware mitigation
-			control(BHI_DIS_S) is available.
+			control(BHI_DIS_S) is available, otherwise
+			enable alternate mitigation in KVM.
 
 For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt
 
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -5928,8 +5928,9 @@
 
 			on   - unconditionally enable.
 			off  - unconditionally disable.
-			auto - (default) enable only if hardware mitigation
-			       control(BHI_DIS_S) is available.
+			auto - (default) enable hardware mitigation
+			       (BHI_DIS_S) if available, otherwise enable
+			       alternate mitigation in KVM.
 
 	spectre_v2=	[X86] Control mitigation of Spectre variant 2
 			(indirect branch speculation) vulnerability.
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -466,6 +466,7 @@
 #define X86_FEATURE_CLEAR_BHB_LOOP	(21*32+ 1) /* "" Clear branch history at syscall entry using SW loop */
 #define X86_FEATURE_BHI_CTRL		(21*32+ 2) /* "" BHI_DIS_S HW control available */
 #define X86_FEATURE_CLEAR_BHB_HW	(21*32+ 3) /* "" BHI_DIS_S HW control enabled */
+#define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch history at vmexit using SW loop */
 
 /*
  * BUG word(s)
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -339,8 +339,13 @@
 .macro CLEAR_BRANCH_HISTORY
 	ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP
 .endm
+
+.macro CLEAR_BRANCH_HISTORY_VMEXIT
+	ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT
+.endm
 #else
 #define CLEAR_BRANCH_HISTORY
+#define CLEAR_BRANCH_HISTORY_VMEXIT
 #endif
 
 #else /* __ASSEMBLY__ */
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1667,9 +1667,14 @@ static void __init bhi_select_mitigation
 	if (!IS_ENABLED(CONFIG_X86_64))
 		return;
 
+	/* Mitigate KVM by default */
+	setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
+	pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
+
 	if (bhi_mitigation == BHI_MITIGATION_AUTO)
 		return;
 
+	/* Mitigate syscalls when the mitigation is forced =on */
 	setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
 	pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
 }
@@ -2810,10 +2815,12 @@ static const char * const spectre_bhi_st
 	else if  (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW))
 		return "; BHI: BHI_DIS_S";
 	else if  (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP))
-		return "; BHI: SW loop";
+		return "; BHI: SW loop, KVM: SW loop";
 	else if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
 		 !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA))
 		return "; BHI: Retpoline";
+	else if  (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))
+		return "; BHI: Syscall hardening, KVM: SW loop";
 
 	return "; BHI: Vulnerable (Syscall hardening enabled)";
 }
--- a/arch/x86/kvm/vmx/vmenter.S
+++ b/arch/x86/kvm/vmx/vmenter.S
@@ -275,7 +275,7 @@ SYM_INNER_LABEL_ALIGN(vmx_vmexit, SYM_L_
 
 	call vmx_spec_ctrl_restore_host
 
-	CLEAR_BRANCH_HISTORY
+	CLEAR_BRANCH_HISTORY_VMEXIT
 
 	/* Put return value in AX */
 	mov %_ASM_BX, %_ASM_AX
Commit	Line	Data
3a47a0a4 GKH	1	From 80010968cc2397fd5c3847497281326732ffa785 Mon Sep 17 00:00:00 2001
	2	From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
	3	Date: Mon, 11 Mar 2024 08:57:09 -0700
	4	Subject: x86/bhi: Mitigate KVM by default
	5
	6	From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
	7
	8	commit 95a6ccbdc7199a14b71ad8901cb788ba7fb5167b upstream.
	9
	10	BHI mitigation mode spectre_bhi=auto does not deploy the software
	11	mitigation by default. In a cloud environment, it is a likely scenario
	12	where userspace is trusted but the guests are not trusted. Deploying
	13	system wide mitigation in such cases is not desirable.
	14
	15	Update the auto mode to unconditionally mitigate against malicious
	16	guests. Deploy the software sequence at VMexit in auto mode also, when
	17	hardware mitigation is not available. Unlike the force =on mode,
	18	software sequence is not deployed at syscalls in auto mode.
	19
	20	Suggested-by: Alexandre Chartre <alexandre.chartre@oracle.com>
	21	Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
	22	Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
	23	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	24	Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
	25	Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
	26	Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
	27	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	28	---
	29	Documentation/admin-guide/hw-vuln/spectre.rst \| 7 +++++--
	30	Documentation/admin-guide/kernel-parameters.txt \| 5 +++--
	31	arch/x86/include/asm/cpufeatures.h \| 1 +
	32	arch/x86/include/asm/nospec-branch.h \| 5 +++++
	33	arch/x86/kernel/cpu/bugs.c \| 9 ++++++++-
	34	arch/x86/kvm/vmx/vmenter.S \| 2 +-
	35	6 files changed, 23 insertions(+), 6 deletions(-)
	36
	37	--- a/Documentation/admin-guide/hw-vuln/spectre.rst
	38	+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
	39	@@ -439,10 +439,12 @@ The possible values in this file are:
	40	- System is protected by retpoline
	41	* - BHI: BHI_DIS_S
	42	- System is protected by BHI_DIS_S
	43	- * - BHI: SW loop
	44	+ * - BHI: SW loop; KVM SW loop
	45	- System is protected by software clearing sequence
	46	* - BHI: Syscall hardening
	47	- Syscalls are hardened against BHI
	48	+ * - BHI: Syscall hardening; KVM: SW loop
	49	+ - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence
	50
	51	Full mitigation might require a microcode update from the CPU
	52	vendor. When the necessary microcode is not available, the kernel will
	53	@@ -669,7 +671,8 @@ kernel command line.
	54	unconditionally disable.
	55	auto
	56	enable if hardware mitigation
	57	- control(BHI_DIS_S) is available.
	58	+ control(BHI_DIS_S) is available, otherwise
	59	+ enable alternate mitigation in KVM.
	60
	61	For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt
	62
	63	--- a/Documentation/admin-guide/kernel-parameters.txt
	64	+++ b/Documentation/admin-guide/kernel-parameters.txt
65	@@ -5928,8 +5928,9 @@
66
67	on - unconditionally enable.
68	off - unconditionally disable.
69	- auto - (default) enable only if hardware mitigation
70	- control(BHI_DIS_S) is available.
71	+ auto - (default) enable hardware mitigation
72	+ (BHI_DIS_S) if available, otherwise enable
73	+ alternate mitigation in KVM.
74
75	spectre_v2= [X86] Control mitigation of Spectre variant 2
76	(indirect branch speculation) vulnerability.
77	--- a/arch/x86/include/asm/cpufeatures.h
78	+++ b/arch/x86/include/asm/cpufeatures.h
79	@@ -466,6 +466,7 @@
80	#define X86_FEATURE_CLEAR_BHB_LOOP (2132+ 1) / "" Clear branch history at syscall entry using SW loop */
81	#define X86_FEATURE_BHI_CTRL (2132+ 2) / "" BHI_DIS_S HW control available */
82	#define X86_FEATURE_CLEAR_BHB_HW (2132+ 3) / "" BHI_DIS_S HW control enabled */
83	+#define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (2132+ 4) / "" Clear branch history at vmexit using SW loop */
84
85	/*
86	* BUG word(s)
87	--- a/arch/x86/include/asm/nospec-branch.h
88	+++ b/arch/x86/include/asm/nospec-branch.h
89	@@ -339,8 +339,13 @@
90	.macro CLEAR_BRANCH_HISTORY
91	ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP
92	.endm
93	+
94	+.macro CLEAR_BRANCH_HISTORY_VMEXIT
95	+ ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT
96	+.endm
97	#else
98	#define CLEAR_BRANCH_HISTORY
99	+#define CLEAR_BRANCH_HISTORY_VMEXIT
100	#endif
101
102	#else /* __ASSEMBLY__ */
103	--- a/arch/x86/kernel/cpu/bugs.c
104	+++ b/arch/x86/kernel/cpu/bugs.c
105	@@ -1667,9 +1667,14 @@ static void __init bhi_select_mitigation
106	if (!IS_ENABLED(CONFIG_X86_64))
107	return;
108
109	+ /* Mitigate KVM by default */
110	+ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
111	+ pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
112	+
113	if (bhi_mitigation == BHI_MITIGATION_AUTO)
114	return;
115
116	+ /* Mitigate syscalls when the mitigation is forced =on */
117	setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
118	pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
119	}
120	@@ -2810,10 +2815,12 @@ static const char * const spectre_bhi_st
121	else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW))
122	return "; BHI: BHI_DIS_S";
123	else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP))
124	- return "; BHI: SW loop";
125	+ return "; BHI: SW loop, KVM: SW loop";
126	else if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
127	!(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA))
128	return "; BHI: Retpoline";
129	+ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))
130	+ return "; BHI: Syscall hardening, KVM: SW loop";
131
132	return "; BHI: Vulnerable (Syscall hardening enabled)";
133	}
134	--- a/arch/x86/kvm/vmx/vmenter.S
135	+++ b/arch/x86/kvm/vmx/vmenter.S
136	@@ -275,7 +275,7 @@ SYM_INNER_LABEL_ALIGN(vmx_vmexit, SYM_L_
137
138	call vmx_spec_ctrl_restore_host
139
140	- CLEAR_BRANCH_HISTORY
141	+ CLEAR_BRANCH_HISTORY_VMEXIT
142
143	/* Put return value in AX */
144	mov %_ASM_BX, %_ASM_AX