1 From foo@baz Tue 14 May 2019 08:29:35 PM CEST
2 From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
3 Date: Wed, 1 Aug 2018 11:42:25 -0700
4 Subject: x86/speculation: Support Enhanced IBRS on future CPUs
5
6 From: Sai Praneeth <sai.praneeth.prakhya@intel.com>
7
8 commit 706d51681d636a0c4a5ef53395ec3b803e45ed4d upstream.
9
10 Future Intel processors will support "Enhanced IBRS" which is an "always
11 on" mode i.e. IBRS bit in SPEC_CTRL MSR is enabled once and never
12 disabled.
13
14 >From the specification [1]:
15
16 "With enhanced IBRS, the predicted targets of indirect branches
17 executed cannot be controlled by software that was executed in a less
18 privileged predictor mode or on another logical processor. As a
19 result, software operating on a processor with enhanced IBRS need not
20 use WRMSR to set IA32_SPEC_CTRL.IBRS after every transition to a more
21 privileged predictor mode. Software can isolate predictor modes
22 effectively simply by setting the bit once. Software need not disable
23 enhanced IBRS prior to entering a sleep state such as MWAIT or HLT."
24
25 If Enhanced IBRS is supported by the processor then use it as the
26 preferred spectre v2 mitigation mechanism instead of Retpoline. Intel's
27 Retpoline white paper [2] states:
28
29 "Retpoline is known to be an effective branch target injection (Spectre
30 variant 2) mitigation on Intel processors belonging to family 6
31 (enumerated by the CPUID instruction) that do not have support for
32 enhanced IBRS. On processors that support enhanced IBRS, it should be
33 used for mitigation instead of retpoline."
34
35 The reason why Enhanced IBRS is the recommended mitigation on processors
36 which support it is that these processors also support CET which
37 provides a defense against ROP attacks. Retpoline is very similar to ROP
38 techniques and might trigger false positives in the CET defense.
39
40 If Enhanced IBRS is selected as the mitigation technique for spectre v2,
41 the IBRS bit in SPEC_CTRL MSR is set once at boot time and never
42 cleared. Kernel also has to make sure that IBRS bit remains set after
43 VMEXIT because the guest might have cleared the bit. This is already
44 covered by the existing x86_spec_ctrl_set_guest() and
45 x86_spec_ctrl_restore_host() speculation control functions.
46
47 Enhanced IBRS still requires IBPB for full mitigation.
48
49 [1] Speculative-Execution-Side-Channel-Mitigations.pdf
50 [2] Retpoline-A-Branch-Target-Injection-Mitigation.pdf
51 Both documents are available at:
52 https://bugzilla.kernel.org/show_bug.cgi?id=199511
53
54 Originally-by: David Woodhouse <dwmw@amazon.co.uk>
55 Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
56 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
57 Cc: Tim C Chen <tim.c.chen@intel.com>
58 Cc: Dave Hansen <dave.hansen@intel.com>
59 Cc: Ravi Shankar <ravi.v.shankar@intel.com>
60 Link: https://lkml.kernel.org/r/1533148945-24095-1-git-send-email-sai.praneeth.prakhya@intel.com
61 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
62 [bwh: Backported to 4.4:
63 - Use the next bit from feature word 7
64 - Adjust context]
65 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
66 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
67 ---
68 arch/x86/include/asm/cpufeatures.h | 1 +
69 arch/x86/include/asm/nospec-branch.h | 1 +
70 arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++++++++--
71 arch/x86/kernel/cpu/common.c | 3 +++
72 4 files changed, 23 insertions(+), 2 deletions(-)
73
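--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -214,6 +214,7 @@
 #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
 #define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
 #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+#define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
 
 /* Virtualization flags: Linux defined, word 8 */
 #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */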
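--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -170,6 +170,7 @@ enum spectre_v2_mitigation {
 SPECTRE_V2_RETPOLINE_GENERIC,
 SPECTRE_V2_RETPOLINE_AMD,
 SPECTRE_V2_IBRS,
+ SPECTRE_V2_IBRS_ENHANCED,
 };
 
 /* The Speculative Store Bypass disable variants */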
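--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -132,6 +132,7 @@ static const char *spectre_v2_strings[]
 [SPECTRE_V2_RETPOLINE_MINIMAL_AMD] = "Vulnerable: Minimal AMD ASM retpoline",
 [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
 [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
+ [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS",
 };
 
 #undef pr_fmt
@@ -332,6 +333,13 @@ static void __init spectre_v2_select_mit
 
 case SPECTRE_V2_CMD_FORCE:
 case SPECTRE_V2_CMD_AUTO:
+ if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
+ mode = SPECTRE_V2_IBRS_ENHANCED;
+ /* Force it so VMEXIT will restore correctly */
+ x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+ goto specv2_set_mode;
+ }
 if (IS_ENABLED(CONFIG_RETPOLINE))
 goto retpoline_auto;
 break;
@@ -369,6 +377,7 @@ retpoline_auto:
 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
 }
 
+specv2_set_mode:
 spectre_v2_enabled = mode;
 pr_info("%s\n", spectre_v2_strings[mode]);
 
@@ -391,9 +400,16 @@ retpoline_auto:
 
 /*
 * Retpoline means the kernel is safe because it has no indirect
- * branches. But firmware isn't, so use IBRS to protect that.
+ * branches. Enhanced IBRS protects firmware too, so, enable restricted
+ * speculation around firmware calls only when Enhanced IBRS isn't
+ * supported.
+ *
+ * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
+ * the user might select retpoline on the kernel command line and if
+ * the CPU supports Enhanced IBRS, kernel might un-intentionally not
+ * enable IBRS around firmware calls.
 */
- if (boot_cpu_has(X86_FEATURE_IBRS)) {
+ if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) {
 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
 pr_info("Enabling Restricted Speculation for firmware calls\n");
 }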
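Review bot: The wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base) in the SPECTRE_V2_CMD_AUTO/FORCE block programs only the boot CPU, and nothing in the hunk says how secondary CPUs get the IBRS bit; presumably they take it from x86_spec_ctrl_base in the per-CPU setup path (x86_spec_ctrl_setup_ap() in this tree's bugs.c, if the SSBD backport is present), which is why the `x86_spec_ctrl_base |= SPEC_CTRL_IBRS;` line matters more than the MSR write itself. That dependency deserves a comment so a later backport does not replace it with a bare MSR write: `/* Force it so VMEXIT will restore correctly; APs take the bit from x86_spec_ctrl_base, not from this wrmsrl() */`. The MSR write also assumes MSR_IA32_SPEC_CTRL is present, which on this path follows only from ARCH_CAP_IBRS_ALL having been seen in common.c rather than from an X86_FEATURE_IBRS check; that is consistent with the architectural definition but is worth stating in the same comment. spectre_v2_select_mitigation() starts and ends outside the hunk.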
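--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -915,6 +915,9 @@ static void __init cpu_set_bug_bits(stru
 setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
 setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
 
+ if (ia32_cap & ARCH_CAP_IBRS_ALL)
+ setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
+
 if (x86_match_cpu(cpu_no_meltdown))
 return;
 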
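Review bot: The new check reads ia32_cap, whose value is established outside the hunk; it is only safe if ia32_cap is left at zero when the CPU has no ARCH_CAPABILITIES MSR, which the hunk cannot show and which a reader has to verify against the earlier part of cpu_set_bug_bits(). A one-line comment would make both the meaning and the precondition explicit: `/* ARCH_CAP_IBRS_ALL: IBRS stays in effect once set (Enhanced IBRS); ia32_cap is 0 without the MSR */`. Placing the check ahead of the cpu_no_meltdown early return is presumably deliberate, since Enhanced IBRS enumeration is independent of the Meltdown bug bit, and that ordering is worth noting so a later reshuffle does not move it below the return. cpu_set_bug_bits() starts and ends outside the hunk.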