1 From 9d8d0294e78a164d407133dea05caf4b84247d6a Mon Sep 17 00:00:00 2001
2 From: Andy Lutomirski <luto@kernel.org>
3 Date: Tue, 14 May 2019 13:24:40 -0700
4 Subject: x86/speculation/mds: Improve CPU buffer clear documentation
6 From: Andy Lutomirski <luto@kernel.org>
8 commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.
10 On x86_64, all returns to usermode go through
11 prepare_exit_to_usermode(), with the sole exception of do_nmi().
12 This even includes machine checks -- this was added several years
13 ago to support MCE recovery. Update the documentation.
15 Signed-off-by: Andy Lutomirski <luto@kernel.org>
16 Cc: Borislav Petkov <bp@suse.de>
17 Cc: Frederic Weisbecker <frederic@kernel.org>
18 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 Cc: Jon Masters <jcm@redhat.com>
20 Cc: Linus Torvalds <torvalds@linux-foundation.org>
21 Cc: Peter Zijlstra <peterz@infradead.org>
22 Cc: Thomas Gleixner <tglx@linutronix.de>
23 Cc: stable@vger.kernel.org
24 Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
25 Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
26 Signed-off-by: Ingo Molnar <mingo@kernel.org>
27 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
30 Documentation/x86/mds.rst | 39 +++++++--------------------------------
31 1 file changed, 7 insertions(+), 32 deletions(-)
33 --- a/Documentation/x86/mds.rst
34 +++ b/Documentation/x86/mds.rst
35 @@ -142,38 +142,13 @@ Mitigation points
38 The mitigation is invoked in prepare_exit_to_usermode() which covers
39 - most of the kernel to user space transitions. There are a few exceptions
40 - which are not invoking prepare_exit_to_usermode() on return to user
41 - space. These exceptions use the paranoid exit code.
43 - - Non Maskable Interrupt (NMI):
45 - Access to sensible data like keys, credentials in the NMI context is
46 - mostly theoretical: The CPU can do prefetching or execute a
47 - misspeculated code path and thereby fetching data which might end up
48 - leaking through a buffer.
50 - But for mounting other attacks the kernel stack address of the task is
51 - already valuable information. So in full mitigation mode, the NMI is
52 - mitigated on the return from do_nmi() to provide almost complete
55 - - Machine Check Exception (#MC):
57 - Another corner case is a #MC which hits between the CPU buffer clear
58 - invocation and the actual return to user. As this still is in kernel
59 - space it takes the paranoid exit path which does not clear the CPU
60 - buffers. So the #MC handler repopulates the buffers to some
61 - extent. Machine checks are not reliably controllable and the window is
62 - extremly small so mitigation would just tick a checkbox that this
63 - theoretical corner case is covered. To keep the amount of special
64 - cases small, ignore #MC.
66 - - Debug Exception (#DB):
68 - This takes the paranoid exit path only when the INT1 breakpoint is in
69 - kernel space. #DB on a user space address takes the regular exit path,
70 - so no extra mitigation required.
71 + all but one of the kernel to user space transitions. The exception
72 + is when we return from a Non Maskable Interrupt (NMI), which is
73 + handled directly in do_nmi().
75 + (The reason that NMI is special is that prepare_exit_to_usermode() can
76 + enable IRQs. In NMI context, NMIs are blocked, and we don't want to
77 + enable IRQs with NMIs blocked.)