queue-4.4/x86-speculation-mds-add-mitigation-mode-vmwerv.patch

   1 From foo@baz Tue 14 May 2019 08:29:35 PM CEST
   2 From: Thomas Gleixner <tglx@linutronix.de>
   3 Date: Wed, 20 Feb 2019 09:40:40 +0100
   4 Subject: x86/speculation/mds: Add mitigation mode VMWERV
   5
   6 From: Thomas Gleixner <tglx@linutronix.de>
   7
   8 commit 22dd8365088b6403630b82423cf906491859b65e upstream.
   9
  10 In virtualized environments it can happen that the host has the microcode
  11 update which utilizes the VERW instruction to clear CPU buffers, but the
  12 hypervisor is not yet updated to expose the X86_FEATURE_MD_CLEAR CPUID bit
  13 to guests.
  14
  15 Introduce an internal mitigation mode VMWERV which enables the invocation
  16 of the CPU buffer clearing even if X86_FEATURE_MD_CLEAR is not set. If the
  17 system has no updated microcode this results in a pointless execution of
  18 the VERW instruction wasting a few CPU cycles. If the microcode is updated,
  19 but not exposed to a guest then the CPU buffers will be cleared.
  20
  21 That said: Virtual Machines Will Eventually Receive Vaccine
  22
  23 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
  24 Reviewed-by: Borislav Petkov <bp@suse.de>
  25 Reviewed-by: Jon Masters <jcm@redhat.com>
  26 Tested-by: Jon Masters <jcm@redhat.com>
  27 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  28 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  29 ---
  30  Documentation/x86/mds.rst        |   27 +++++++++++++++++++++++++++
  31  arch/x86/include/asm/processor.h |    1 +
  32  arch/x86/kernel/cpu/bugs.c       |   18 ++++++++++++------
  33  3 files changed, 40 insertions(+), 6 deletions(-)
  34
  35 --- a/Documentation/x86/mds.rst
  36 +++ b/Documentation/x86/mds.rst
  37 @@ -93,11 +93,38 @@ The kernel provides a function to invoke
  38  The mitigation is invoked on kernel/userspace, hypervisor/guest and C-state
  39  (idle) transitions.
  40
  41 +As a special quirk to address virtualization scenarios where the host has
  42 +the microcode updated, but the hypervisor does not (yet) expose the
  43 +MD_CLEAR CPUID bit to guests, the kernel issues the VERW instruction in the
  44 +hope that it might actually clear the buffers. The state is reflected
  45 +accordingly.
  46 +
  47  According to current knowledge additional mitigations inside the kernel
  48  itself are not required because the necessary gadgets to expose the leaked
  49  data cannot be controlled in a way which allows exploitation from malicious
  50  user space or VM guests.
  51
  52 +Kernel internal mitigation modes
  53 +--------------------------------
  54 +
  55 + ======= ============================================================
  56 + off      Mitigation is disabled. Either the CPU is not affected or
  57 +          mds=off is supplied on the kernel command line
  58 +
  59 + full     Mitigation is eanbled. CPU is affected and MD_CLEAR is
  60 +          advertised in CPUID.
  61 +
  62 + vmwerv          Mitigation is enabled. CPU is affected and MD_CLEAR is not
  63 +         advertised in CPUID. That is mainly for virtualization
  64 +         scenarios where the host has the updated microcode but the
  65 +         hypervisor does not expose MD_CLEAR in CPUID. It's a best
  66 +         effort approach without guarantee.
  67 + ======= ============================================================
  68 +
  69 +If the CPU is affected and mds=off is not supplied on the kernel command
  70 +line then the kernel selects the appropriate mitigation mode depending on
  71 +the availability of the MD_CLEAR CPUID bit.
  72 +
  73  Mitigation points
  74  -----------------
  75
  76 --- a/arch/x86/include/asm/processor.h
  77 +++ b/arch/x86/include/asm/processor.h
  78 @@ -849,6 +849,7 @@ void df_debug(struct pt_regs *regs, long
  79  enum mds_mitigations {
  80         MDS_MITIGATION_OFF,
  81         MDS_MITIGATION_FULL,
  82 +       MDS_MITIGATION_VMWERV,
  83  };
  84
  85  #endif /* _ASM_X86_PROCESSOR_H */
  86 --- a/arch/x86/kernel/cpu/bugs.c
  87 +++ b/arch/x86/kernel/cpu/bugs.c
  88 @@ -213,7 +213,8 @@ static enum mds_mitigations mds_mitigati
  89
  90  static const char * const mds_strings[] = {
  91         [MDS_MITIGATION_OFF]    = "Vulnerable",
  92 -       [MDS_MITIGATION_FULL]   = "Mitigation: Clear CPU buffers"
  93 +       [MDS_MITIGATION_FULL]   = "Mitigation: Clear CPU buffers",
  94 +       [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
  95  };
  96
  97  static void __init mds_select_mitigation(void)
  98 @@ -224,10 +225,9 @@ static void __init mds_select_mitigation
  99         }
 100
 101         if (mds_mitigation == MDS_MITIGATION_FULL) {
 102 -               if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
 103 -                       static_branch_enable(&mds_user_clear);
 104 -               else
 105 -                       mds_mitigation = MDS_MITIGATION_OFF;
 106 +               if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
 107 +                       mds_mitigation = MDS_MITIGATION_VMWERV;
 108 +               static_branch_enable(&mds_user_clear);
 109         }
 110         pr_info("%s\n", mds_strings[mds_mitigation]);
 111  }
 112 @@ -687,8 +687,14 @@ void arch_smt_update(void)
 113                 break;
 114         }
 115
 116 -       if (mds_mitigation == MDS_MITIGATION_FULL)
 117 +       switch (mds_mitigation) {
 118 +       case MDS_MITIGATION_FULL:
 119 +       case MDS_MITIGATION_VMWERV:
 120                 update_mds_branch_idle();
 121 +               break;
 122 +       case MDS_MITIGATION_OFF:
 123 +               break;
 124 +       }
 125
 126         mutex_unlock(&spec_ctrl_mutex);
 127  }