From 81cdfa328fd2d39cb48ce1c906ef08277b192f86 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 8 Apr 2024 11:45:16 +0200
Subject: [PATCH] 6.1-stable patches

added patches:
x86-coco-require-seeding-rng-with-rdrand-on-coco-systems.patch
x86-mce-make-sure-to-grab-mce_sysfs_mutex-in-set_bank.patch
---
 queue-6.1/series | 2 +
 ...ding-rng-with-rdrand-on-coco-systems.patch | 153 ++++++++++++++++++
 ...-to-grab-mce_sysfs_mutex-in-set_bank.patch | 67 ++++++++
 ...-fix-vm_pat-handling-in-cow-mappings.patch | 25 ++-
 4 files changed, 231 insertions(+), 16 deletions(-)
 create mode 100644 queue-6.1/x86-coco-require-seeding-rng-with-rdrand-on-coco-systems.patch
 create mode 100644 queue-6.1/x86-mce-make-sure-to-grab-mce_sysfs_mutex-in-set_bank.patch

diff --git a/queue-6.1/series b/queue-6.1/series
index ce0f9f46e42..44ed3af1460 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -117,3 +117,5 @@ alsa-hda-realtek-update-panasonic-cf-sz6-quirk-to-support-headset-with-microphon
 driver-core-introduce-device_link_wait_removal.patch
 of-dynamic-synchronize-of_changeset_destroy-with-the-devlink-removals.patch
 x86-mm-pat-fix-vm_pat-handling-in-cow-mappings.patch
+x86-mce-make-sure-to-grab-mce_sysfs_mutex-in-set_bank.patch
+x86-coco-require-seeding-rng-with-rdrand-on-coco-systems.patch
diff --git a/queue-6.1/x86-coco-require-seeding-rng-with-rdrand-on-coco-systems.patch b/queue-6.1/x86-coco-require-seeding-rng-with-rdrand-on-coco-systems.patch
new file mode 100644
index 00000000000..69e78d12df9
--- /dev/null
+++ b/queue-6.1/x86-coco-require-seeding-rng-with-rdrand-on-coco-systems.patch
@@ -0,0 +1,153 @@
+From 99485c4c026f024e7cb82da84c7951dbe3deb584 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Tue, 26 Mar 2024 17:07:35 +0100
+Subject: x86/coco: Require seeding RNG with RDRAND on CoCo systems
+
+From: Jason A. Donenfeld
+
+commit 99485c4c026f024e7cb82da84c7951dbe3deb584 upstream.
+
+There are few uses of CoCo that don't rely on working cryptography and
+hence a working RNG. Unfortunately, the CoCo threat model means that the
+VM host cannot be trusted and may actively work against guests to
+extract secrets or manipulate computation. Since a malicious host can
+modify or observe nearly all inputs to guests, the only remaining source
+of entropy for CoCo guests is RDRAND.
+
+If RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole
+is meant to gracefully continue on gathering entropy from other sources,
+but since there aren't other sources on CoCo, this is catastrophic.
+This is mostly a concern at boot time when initially seeding the RNG, as
+after that the consequences of a broken RDRAND are much more
+theoretical.
+
+So, try at boot to seed the RNG using 256 bits of RDRAND output. If this
+fails, panic(). This will also trigger if the system is booted without
+RDRAND, as RDRAND is essential for a safe CoCo boot.
+
+Add this deliberately to be "just a CoCo x86 driver feature" and not
+part of the RNG itself. Many device drivers and platforms have some
+desire to contribute something to the RNG, and add_device_randomness()
+is specifically meant for this purpose.
+
+Any driver can call it with seed data of any quality, or even garbage
+quality, and it can only possibly make the quality of the RNG better or
+have no effect, but can never make it worse.
+
+Rather than trying to build something into the core of the RNG, consider
+the particular CoCo issue just a CoCo issue, and therefore separate it
+all out into driver (well, arch/platform) code.
+
+ [ bp: Massage commit message. ]
+
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: Borislav Petkov (AMD)
+Reviewed-by: Elena Reshetova
+Reviewed-by: Kirill A. Shutemov
+Reviewed-by: Theodore Ts'o
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240326160735.73531-1-Jason@zx2c4.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/coco/core.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ arch/x86/include/asm/coco.h | 2 ++
+ arch/x86/kernel/setup.c | 2 ++
+ 3 files changed, 45 insertions(+)
+
+--- a/arch/x86/coco/core.c
++++ b/arch/x86/coco/core.c
+@@ -3,13 +3,17 @@
+ * Confidential Computing Platform Capability checks
+ *
+ * Copyright (C) 2021 Advanced Micro Devices, Inc.
++ * Copyright (C) 2024 Jason A. Donenfeld . All Rights Reserved.
+ *
+ * Author: Tom Lendacky
+ */
+
+ #include
+ #include
++#include
++#include
+
++#include
+ #include
+ #include
+
+@@ -128,3 +132,40 @@ u64 cc_mkdec(u64 val)
+ }
+ }
+ EXPORT_SYMBOL_GPL(cc_mkdec);
++
++__init void cc_random_init(void)
++{
++ /*
++ * The seed is 32 bytes (in units of longs), which is 256 bits, which
++ * is the security level that the RNG is targeting.
++ */
++ unsigned long rng_seed[32 / sizeof(long)];
++ size_t i, longs;
++
++ if (!cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))
++ return;
++
++ /*
++ * Since the CoCo threat model includes the host, the only reliable
++ * source of entropy that can be neither observed nor manipulated is
++ * RDRAND. Usually, RDRAND failure is considered tolerable, but since
++ * CoCo guests have no other unobservable source of entropy, it's
++ * important to at least ensure the RNG gets some initial random seeds.
++ */
++ for (i = 0; i < ARRAY_SIZE(rng_seed); i += longs) {
++ longs = arch_get_random_longs(&rng_seed[i], ARRAY_SIZE(rng_seed) - i);
++
++ /*
++ * A zero return value means that the guest doesn't have RDRAND
++ * or the CPU is physically broken, and in both cases that
++ * means most crypto inside of the CoCo instance will be
++ * broken, defeating the purpose of CoCo in the first place. So
++ * just panic here because it's absolutely unsafe to continue
++ * executing.
++ */
++ if (longs == 0)
++ panic("RDRAND is defective.");
++ }
++ add_device_randomness(rng_seed, sizeof(rng_seed));
++ memzero_explicit(rng_seed, sizeof(rng_seed));
++}
+--- a/arch/x86/include/asm/coco.h
++++ b/arch/x86/include/asm/coco.h
+@@ -23,6 +23,7 @@ static inline void cc_set_mask(u64 mask)
+
+ u64 cc_mkenc(u64 val);
+ u64 cc_mkdec(u64 val);
++void cc_random_init(void);
+ #else
+ static inline u64 cc_mkenc(u64 val)
+ {
+@@ -33,6 +34,7 @@ static inline u64 cc_mkdec(u64 val)
+ {
+ return val;
+ }
++static inline void cc_random_init(void) { }
+ #endif
+
+ #endif /* _ASM_X86_COCO_H */
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -33,6 +33,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -1132,6 +1133,7 @@ void __init setup_arch(char **cmdline_p)
+ * memory size.
+ */
+ sev_setup_arch();
++ cc_random_init();
+
+ efi_fake_memmap();
+ efi_find_mirror();
diff --git a/queue-6.1/x86-mce-make-sure-to-grab-mce_sysfs_mutex-in-set_bank.patch b/queue-6.1/x86-mce-make-sure-to-grab-mce_sysfs_mutex-in-set_bank.patch
new file mode 100644
index 00000000000..033b99122db
--- /dev/null
+++ b/queue-6.1/x86-mce-make-sure-to-grab-mce_sysfs_mutex-in-set_bank.patch
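Review bot: The panic string on the `if (longs == 0)` path in `cc_random_init()` names only one of the two causes that the comment right above it distinguishes — a guest with no RDRAND at all (e.g. the feature masked out of the guest's CPUID) ends on the same line, and an operator whose CoCo guest dies at boot would be sent looking for a hardware fault. Since `arch_get_random_longs()` returns 0 for both cases, the distinction has to be made here, e.g. `panic("RDRAND is %s; cannot seed the RNG in a CoCo guest.", cpu_feature_enabled(X86_FEATURE_RDRAND) ? "defective" : "unavailable");`. The seeding itself — the loop refills until all 256 bits are obtained, the buffer is mixed in via `add_device_randomness()` and wiped with `memzero_explicit()` — looks right; a one-line comment at the `cc_platform_has()` guard noting that this is called from `setup_arch()` right after `sev_setup_arch()`, so the cc attributes must already be established, would protect whoever later moves the call. `setup_arch()` itself starts and ends outside the hunk.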
@@ -0,0 +1,67 @@
+From 3ddf944b32f88741c303f0b21459dbb3872b8bc5 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)"
+Date: Wed, 13 Mar 2024 14:48:27 +0100
+Subject: x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov (AMD)
+
+commit 3ddf944b32f88741c303f0b21459dbb3872b8bc5 upstream.
+
+Modifying a MCA bank's MCA_CTL bits which control which error types to
+be reported is done over
+
+ /sys/devices/system/machinecheck/
+ ├── machinecheck0
+ │   ├── bank0
+ │   ├── bank1
+ │   ├── bank10
+ │   ├── bank11
+ ...
+
+sysfs nodes by writing the new bit mask of events to enable.
+
+When the write is accepted, the kernel deletes all current timers and
+reinits all banks.
+
+Doing that in parallel can lead to initializing a timer which is already
+armed and in the timer wheel, i.e., in use already:
+
+ ODEBUG: init active (active state 0) object: ffff888063a28000 object
+ type: timer_list hint: mce_timer_fn+0x0/0x240 arch/x86/kernel/cpu/mce/core.c:2642
+ WARNING: CPU: 0 PID: 8120 at lib/debugobjects.c:514
+ debug_print_object+0x1a0/0x2a0 lib/debugobjects.c:514
+
+Fix that by grabbing the sysfs mutex as the rest of the MCA sysfs code
+does.
+
+Reported by: Yue Sun
+Reported by: xingwei lee
+Signed-off-by: Borislav Petkov (AMD)
+Cc:
+Link: https://lore.kernel.org/r/CAEkJfYNiENwQY8yV1LYJ9LjJs%2Bx_-PqMv98gKig55=2vbzffRw@mail.gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/mce/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -2471,12 +2471,14 @@ static ssize_t set_bank(struct device *s
+ return -EINVAL;
+
+ b = &per_cpu(mce_banks_array, s->id)[bank];
+-
+ if (!b->init)
+ return -ENODEV;
+
+ b->ctl = new;
++
++ mutex_lock(&mce_sysfs_mutex);
+ mce_restart();
++ mutex_unlock(&mce_sysfs_mutex);
+
+ return size;
+ }
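Review bot: The new `mutex_lock(&mce_sysfs_mutex)` in `set_bank()` is taken only around `mce_restart()`, so the `b->ctl = new` store just above it and the `b->init` check before that still run outside the mutex; two concurrent writers to the same bank can each store their mask before either reaches the lock, and the restart done on behalf of the first writer presumably already programs whichever value landed last. The end state is still the last writer's value, so this is not the timer double-init the commit fixes, but it is easier to reason about if the whole update is one critical section: move `mutex_lock(&mce_sysfs_mutex);` up to just before `if (!b->init)` and add the matching unlock on the `-ENODEV` return. A short comment on the lock, e.g. `/* Serialize with other sysfs writers: mce_restart() deletes and re-arms the per-CPU timers, and concurrent restarts re-init an armed timer. */`, would save the next reader a trip to the commit log. `set_bank()` starts before the hunk, so the parsing of `new` and the bank-index check are not visible here.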
diff --git a/queue-6.1/x86-mm-pat-fix-vm_pat-handling-in-cow-mappings.patch b/queue-6.1/x86-mm-pat-fix-vm_pat-handling-in-cow-mappings.patch index fca5f4e6cf1..417aef8ed45 100644 --- a/queue-6.1/x86-mm-pat-fix-vm_pat-handling-in-cow-mappings.patch +++ b/queue-6.1/x86-mm-pat-fix-vm_pat-handling-in-cow-mappings.patch @@ -126,15 +126,13 @@ Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman --- - arch/x86/mm/pat/memtype.c | 49 ++++++++++++++++++++++++++++----------- - mm/memory.c | 4 ++++ + arch/x86/mm/pat/memtype.c | 49 ++++++++++++++++++++++++++++++++-------------- + mm/memory.c | 4 +++ 2 files changed, 39 insertions(+), 14 deletions(-) -diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c -index 0d72183b5dd0..36b603d0cdde 100644 --- a/arch/x86/mm/pat/memtype.c +++ b/arch/x86/mm/pat/memtype.c -@@ -947,6 +947,38 @@ static void free_pfn_range(u64 paddr, unsigned long size) +@@ -997,6 +997,38 @@ static void free_pfn_range(u64 paddr, un memtype_free(paddr, paddr + size); } @@ -173,7 +171,7 @@ index 0d72183b5dd0..36b603d0cdde 100644 /* * track_pfn_copy is called when vma that is covering the pfnmap gets * copied through copy_page_range(). -@@ -957,20 +989,13 @@ static void free_pfn_range(u64 paddr, unsigned long size) +@@ -1007,20 +1039,13 @@ static void free_pfn_range(u64 paddr, un int track_pfn_copy(struct vm_area_struct *vma) { resource_size_t paddr; 
@@ -196,15 +194,15 @@ index 0d72183b5dd0..36b603d0cdde 100644 return reserve_pfn_range(paddr, vma_size, &pgprot, 1); } -@@ -1045,7 +1070,6 @@ void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn, - unsigned long size, bool mm_wr_locked) +@@ -1095,7 +1120,6 @@ void untrack_pfn(struct vm_area_struct * + unsigned long size) { resource_size_t paddr; - unsigned long prot; if (vma && !(vma->vm_flags & VM_PAT)) return; -@@ -1053,11 +1077,8 @@ void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn, +@@ -1103,11 +1127,8 @@ void untrack_pfn(struct vm_area_struct * /* free the chunk starting from pfn or the whole chunk */ paddr = (resource_size_t)pfn << PAGE_SHIFT; if (!paddr && !size) { @@ -217,13 +215,11 @@ index 0d72183b5dd0..36b603d0cdde 100644 size = vma->vm_end - vma->vm_start; } free_pfn_range(paddr, size); -diff --git a/mm/memory.c b/mm/memory.c -index 904f70b99498..d2155ced45f8 100644 --- a/mm/memory.c +++ b/mm/memory.c -@@ -5973,6 +5973,10 @@ int follow_phys(struct vm_area_struct *vma, +@@ -5593,6 +5593,10 @@ int follow_phys(struct vm_area_struct *v goto out; - pte = ptep_get(ptep); + pte = *ptep; + /* Never return PFNs of anon folios in COW mappings. */ + if (vm_normal_folio(vma, address, pte)) @@ -232,6 +228,3 @@ index 904f70b99498..d2155ced45f8 100644 if ((flags & FOLL_WRITE) && !pte_write(pte)) goto unlock; --- -2.44.0 - -- 2.47.3