|
| 1 | +x86/bugs: Fix BHI handling of RRSBA |
| 2 | + |
| 3 | +jira LE-2015 |
| 4 | +cve CVE-2024-2201 |
| 5 | +Rebuild_History Non-Buildable kernel-5.14.0-427.42.1.el9_4 |
| 6 | +commit-author Josh Poimboeuf <jpoimboe@kernel.org> |
| 7 | +commit 1cea8a280dfd1016148a3820676f2f03e3f5b898 |
| 8 | +Empty-Commit: Cherry-Pick Conflicts during history rebuild. |
| 9 | +Will be included in final tarball splat. Ref for failed cherry-pick at: |
| 10 | +ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/1cea8a28.failed |
| 11 | + |
| 12 | +The ARCH_CAP_RRSBA check isn't correct: RRSBA may have already been |
| 13 | +disabled by the Spectre v2 mitigation (or can otherwise be disabled by |
| 14 | +the BHI mitigation itself if needed). In that case retpolines are fine. |
| 15 | + |
| 16 | +Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob") |
| 17 | + Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org> |
| 18 | + Signed-off-by: Ingo Molnar <mingo@kernel.org> |
| 19 | + Cc: Linus Torvalds <torvalds@linux-foundation.org> |
| 20 | + Cc: Sean Christopherson <seanjc@google.com> |
| 21 | +Link: https://lore.kernel.org/r/6f56f13da34a0834b69163467449be7f58f253dc.1712813475.git.jpoimboe@kernel.org |
| 22 | +(cherry picked from commit 1cea8a280dfd1016148a3820676f2f03e3f5b898) |
| 23 | + Signed-off-by: Jonathan Maple <jmaple@ciq.com> |
| 24 | + |
| 25 | +# Conflicts: |
| 26 | +# arch/x86/kernel/cpu/bugs.c |
| 27 | +diff --cc arch/x86/kernel/cpu/bugs.c |
| 28 | +index d1c0c8f6898b,08dfb94fcb3a..000000000000 |
| 29 | +--- a/arch/x86/kernel/cpu/bugs.c |
| 30 | ++++ b/arch/x86/kernel/cpu/bugs.c |
| 31 | +@@@ -1552,17 -1543,20 +1554,33 @@@ static bool __ro_after_init rrsba_disab |
| 32 | + /* Disable in-kernel use of non-RSB RET predictors */ |
| 33 | + static void __init spec_ctrl_disable_kernel_rrsba(void) |
| 34 | + { |
| 35 | +++<<<<<<< HEAD |
| 36 | + + u64 ia32_cap; |
| 37 | +++======= |
| 38 | ++ if (rrsba_disabled) |
| 39 | ++ return; |
| 40 | ++ |
| 41 | ++ if (!(x86_arch_cap_msr & ARCH_CAP_RRSBA)) { |
| 42 | ++ rrsba_disabled = true; |
| 43 | ++ return; |
| 44 | ++ } |
| 45 | +++>>>>>>> 1cea8a280dfd (x86/bugs: Fix BHI handling of RRSBA) |
| 46 | + |
| 47 | + if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL)) |
| 48 | + return; |
| 49 | + |
| 50 | +++<<<<<<< HEAD |
| 51 | + + ia32_cap = x86_read_arch_cap_msr(); |
| 52 | + + |
| 53 | + + if (ia32_cap & ARCH_CAP_RRSBA) { |
| 54 | + + x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; |
| 55 | + + update_spec_ctrl(x86_spec_ctrl_base); |
| 56 | + + } |
| 57 | +++======= |
| 58 | ++ x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; |
| 59 | ++ update_spec_ctrl(x86_spec_ctrl_base); |
| 60 | ++ rrsba_disabled = true; |
| 61 | +++>>>>>>> 1cea8a280dfd (x86/bugs: Fix BHI handling of RRSBA) |
| 62 | + } |
| 63 | + |
| 64 | + static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode) |
| 65 | +@@@ -1612,6 -1606,81 +1630,84 @@@ |
| 66 | + dump_stack(); |
| 67 | + } |
| 68 | + |
| 69 | +++<<<<<<< HEAD |
| 70 | +++======= |
| 71 | ++ /* |
| 72 | ++ * Set BHI_DIS_S to prevent indirect branches in kernel to be influenced by |
| 73 | ++ * branch history in userspace. Not needed if BHI_NO is set. |
| 74 | ++ */ |
| 75 | ++ static bool __init spec_ctrl_bhi_dis(void) |
| 76 | ++ { |
| 77 | ++ if (!boot_cpu_has(X86_FEATURE_BHI_CTRL)) |
| 78 | ++ return false; |
| 79 | ++ |
| 80 | ++ x86_spec_ctrl_base |= SPEC_CTRL_BHI_DIS_S; |
| 81 | ++ update_spec_ctrl(x86_spec_ctrl_base); |
| 82 | ++ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_HW); |
| 83 | ++ |
| 84 | ++ return true; |
| 85 | ++ } |
| 86 | ++ |
| 87 | ++ enum bhi_mitigations { |
| 88 | ++ BHI_MITIGATION_OFF, |
| 89 | ++ BHI_MITIGATION_ON, |
| 90 | ++ BHI_MITIGATION_AUTO, |
| 91 | ++ }; |
| 92 | ++ |
| 93 | ++ static enum bhi_mitigations bhi_mitigation __ro_after_init = |
| 94 | ++ IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : |
| 95 | ++ IS_ENABLED(CONFIG_SPECTRE_BHI_OFF) ? BHI_MITIGATION_OFF : |
| 96 | ++ BHI_MITIGATION_AUTO; |
| 97 | ++ |
| 98 | ++ static int __init spectre_bhi_parse_cmdline(char *str) |
| 99 | ++ { |
| 100 | ++ if (!str) |
| 101 | ++ return -EINVAL; |
| 102 | ++ |
| 103 | ++ if (!strcmp(str, "off")) |
| 104 | ++ bhi_mitigation = BHI_MITIGATION_OFF; |
| 105 | ++ else if (!strcmp(str, "on")) |
| 106 | ++ bhi_mitigation = BHI_MITIGATION_ON; |
| 107 | ++ else if (!strcmp(str, "auto")) |
| 108 | ++ bhi_mitigation = BHI_MITIGATION_AUTO; |
| 109 | ++ else |
| 110 | ++ pr_err("Ignoring unknown spectre_bhi option (%s)", str); |
| 111 | ++ |
| 112 | ++ return 0; |
| 113 | ++ } |
| 114 | ++ early_param("spectre_bhi", spectre_bhi_parse_cmdline); |
| 115 | ++ |
| 116 | ++ static void __init bhi_select_mitigation(void) |
| 117 | ++ { |
| 118 | ++ if (bhi_mitigation == BHI_MITIGATION_OFF) |
| 119 | ++ return; |
| 120 | ++ |
| 121 | ++ /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ |
| 122 | ++ if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { |
| 123 | ++ spec_ctrl_disable_kernel_rrsba(); |
| 124 | ++ if (rrsba_disabled) |
| 125 | ++ return; |
| 126 | ++ } |
| 127 | ++ |
| 128 | ++ if (spec_ctrl_bhi_dis()) |
| 129 | ++ return; |
| 130 | ++ |
| 131 | ++ if (!IS_ENABLED(CONFIG_X86_64)) |
| 132 | ++ return; |
| 133 | ++ |
| 134 | ++ /* Mitigate KVM by default */ |
| 135 | ++ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT); |
| 136 | ++ pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n"); |
| 137 | ++ |
| 138 | ++ if (bhi_mitigation == BHI_MITIGATION_AUTO) |
| 139 | ++ return; |
| 140 | ++ |
| 141 | ++ /* Mitigate syscalls when the mitigation is forced =on */ |
| 142 | ++ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP); |
| 143 | ++ pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n"); |
| 144 | ++ } |
| 145 | ++ |
| 146 | +++>>>>>>> 1cea8a280dfd (x86/bugs: Fix BHI handling of RRSBA) |
| 147 | + static void __init spectre_v2_select_mitigation(void) |
| 148 | + { |
| 149 | + enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); |
| 150 | +@@@ -2814,6 -2808,22 +2910,25 @@@ static char *pbrsb_eibrs_state(void |
| 151 | + } |
| 152 | + } |
| 153 | + |
| 154 | +++<<<<<<< HEAD |
| 155 | +++======= |
| 156 | ++ static const char *spectre_bhi_state(void) |
| 157 | ++ { |
| 158 | ++ if (!boot_cpu_has_bug(X86_BUG_BHI)) |
| 159 | ++ return "; BHI: Not affected"; |
| 160 | ++ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) |
| 161 | ++ return "; BHI: BHI_DIS_S"; |
| 162 | ++ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) |
| 163 | ++ return "; BHI: SW loop, KVM: SW loop"; |
| 164 | ++ else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled) |
| 165 | ++ return "; BHI: Retpoline"; |
| 166 | ++ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) |
| 167 | ++ return "; BHI: Syscall hardening, KVM: SW loop"; |
| 168 | ++ |
| 169 | ++ return "; BHI: Vulnerable (Syscall hardening enabled)"; |
| 170 | ++ } |
| 171 | ++ |
| 172 | +++>>>>>>> 1cea8a280dfd (x86/bugs: Fix BHI handling of RRSBA) |
| 173 | + static ssize_t spectre_v2_show_state(char *buf) |
| 174 | + { |
| 175 | + if (spectre_v2_enabled == SPECTRE_V2_LFENCE) |
| 176 | +* Unmerged path arch/x86/kernel/cpu/bugs.c |