x86/bugs: Clarify that syscall hardening isn't a BHI mitigation

PlaidCat · PlaidCat · commit 79dac4264474 · 2024-11-01T14:16:20.000-04:00
jira LE-2015 cve CVE-2024-2201 Rebuild_History Non-Buildable kernel-5.14.0-427.42.1.el9_4 commit-author Josh Poimboeuf <jpoimboe@kernel.org> commit 5f882f3 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/5f882f3b.failed While syscall hardening helps prevent some BHI attacks, there's still other low-hanging fruit remaining. Don't classify it as a mitigation and make it clear that the system may still be vulnerable if it doesn't have a HW or SW mitigation enabled. Fixes: ec9404e ("x86/bhi: Add BHI mitigation knob") Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org> Signed-off-by: Ingo Molnar <mingo@kernel.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Sean Christopherson <seanjc@google.com> Link: https://lore.kernel.org/r/b5951dae3fdee7f1520d5136a27be3bdfe95f88b.1712813475.git.jpoimboe@kernel.org (cherry picked from commit 5f882f3) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # Documentation/admin-guide/hw-vuln/spectre.rst # Documentation/admin-guide/kernel-parameters.txt # arch/x86/kernel/cpu/bugs.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/5f882f3b.failed b/ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/5f882f3b.failed
@@ -0,0 +1,147 @@
+x86/bugs: Clarify that syscall hardening isn't a BHI mitigation
+
+jira LE-2015
+cve CVE-2024-2201
+Rebuild_History Non-Buildable kernel-5.14.0-427.42.1.el9_4
+commit-author Josh Poimboeuf <jpoimboe@kernel.org>
+commit 5f882f3b0a8bf0788d5a0ee44b1191de5319bb8a
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/5f882f3b.failed
+
+While syscall hardening helps prevent some BHI attacks, there's still
+other low-hanging fruit remaining.  Don't classify it as a mitigation
+and make it clear that the system may still be vulnerable if it doesn't
+have a HW or SW mitigation enabled.
+
+Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
+	Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+	Signed-off-by: Ingo Molnar <mingo@kernel.org>
+	Cc: Linus Torvalds <torvalds@linux-foundation.org>
+	Cc: Sean Christopherson <seanjc@google.com>
+Link: https://lore.kernel.org/r/b5951dae3fdee7f1520d5136a27be3bdfe95f88b.1712813475.git.jpoimboe@kernel.org
+(cherry picked from commit 5f882f3b0a8bf0788d5a0ee44b1191de5319bb8a)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	Documentation/admin-guide/hw-vuln/spectre.rst
+#	Documentation/admin-guide/kernel-parameters.txt
+#	arch/x86/kernel/cpu/bugs.c
+diff --cc Documentation/admin-guide/hw-vuln/spectre.rst
+index 166facdabe9f,5a39acf82483..000000000000
+--- a/Documentation/admin-guide/hw-vuln/spectre.rst
++++ b/Documentation/admin-guide/hw-vuln/spectre.rst
+@@@ -430,6 -429,23 +430,26 @@@ The possible values in this file are
+    'PBRSB-eIBRS: Not affected'  CPU is not affected by PBRSB
+    ===========================  =======================================================
+  
+++<<<<<<< HEAD
+++=======
++   - Branch History Injection (BHI) protection status:
++ 
++ .. list-table::
++ 
++  * - BHI: Not affected
++    - System is not affected
++  * - BHI: Retpoline
++    - System is protected by retpoline
++  * - BHI: BHI_DIS_S
++    - System is protected by BHI_DIS_S
++  * - BHI: SW loop, KVM SW loop
++    - System is protected by software clearing sequence
++  * - BHI: Vulnerable
++    - System is vulnerable to BHI
++  * - BHI: Vulnerable, KVM: SW loop
++    - System is vulnerable; KVM is protected by software clearing sequence
++ 
+++>>>>>>> 5f882f3b0a8b (x86/bugs: Clarify that syscall hardening isn't a BHI mitigation)
+  Full mitigation might require a microcode update from the CPU
+  vendor. When the necessary microcode is not available, the kernel will
+  report vulnerability.
+@@@ -638,6 -658,22 +658,25 @@@ kernel command line
+  		spectre_v2=off. Spectre variant 1 mitigations
+  		cannot be disabled.
+  
+++<<<<<<< HEAD
+++=======
++ 	spectre_bhi=
++ 
++ 		[X86] Control mitigation of Branch History Injection
++ 		(BHI) vulnerability.  This setting affects the deployment
++ 		of the HW BHI control and the SW BHB clearing sequence.
++ 
++ 		on
++ 			(default) Enable the HW or SW mitigation as
++ 			needed.
++ 		off
++ 			Disable the mitigation.
++ 		auto
++ 			Enable the HW mitigation if needed, but
++ 			*don't* enable the SW mitigation except for KVM.
++ 			The system may be vulnerable.
++ 
+++>>>>>>> 5f882f3b0a8b (x86/bugs: Clarify that syscall hardening isn't a BHI mitigation)
+  For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt
+  
+  Mitigation selection guide
+diff --cc Documentation/admin-guide/kernel-parameters.txt
+index f74f25f00a14,a3874cc97892..000000000000
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@@ -5722,7 -6064,19 +5722,23 @@@
+  	sonypi.*=	[HW] Sony Programmable I/O Control Device driver
+  			See Documentation/admin-guide/laptops/sonypi.rst
+  
+++<<<<<<< HEAD
+ +	spectre_v2=	[X86] Control mitigation of Spectre variant 2
+++=======
++ 	spectre_bhi=	[X86] Control mitigation of Branch History Injection
++ 			(BHI) vulnerability.  This setting affects the
++ 			deployment of the HW BHI control and the SW BHB
++ 			clearing sequence.
++ 
++ 			on   - (default) Enable the HW or SW mitigation
++ 			       as needed.
++ 			off  - Disable the mitigation.
++ 			auto - Enable the HW mitigation if needed, but
++ 			       *don't* enable the SW mitigation except
++ 			       for KVM.  The system may be vulnerable.
++ 
++ 	spectre_v2=	[X86,EARLY] Control mitigation of Spectre variant 2
+++>>>>>>> 5f882f3b0a8b (x86/bugs: Clarify that syscall hardening isn't a BHI mitigation)
+  			(indirect branch speculation) vulnerability.
+  			The default operation protects the kernel from
+  			user space attacks.
+diff --cc arch/x86/kernel/cpu/bugs.c
+index d1c0c8f6898b,9eeb60f5fbb3..000000000000
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@@ -2814,6 -2808,22 +2814,25 @@@ static char *pbrsb_eibrs_state(void
+  	}
+  }
+  
+++<<<<<<< HEAD
+++=======
++ static const char *spectre_bhi_state(void)
++ {
++ 	if (!boot_cpu_has_bug(X86_BUG_BHI))
++ 		return "; BHI: Not affected";
++ 	else if  (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW))
++ 		return "; BHI: BHI_DIS_S";
++ 	else if  (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP))
++ 		return "; BHI: SW loop, KVM: SW loop";
++ 	else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled)
++ 		return "; BHI: Retpoline";
++ 	else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))
++ 		return "; BHI: Vulnerable, KVM: SW loop";
++ 
++ 	return "; BHI: Vulnerable";
++ }
++ 
+++>>>>>>> 5f882f3b0a8b (x86/bugs: Clarify that syscall hardening isn't a BHI mitigation)
+  static ssize_t spectre_v2_show_state(char *buf)
+  {
+  	if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
+* Unmerged path Documentation/admin-guide/hw-vuln/spectre.rst
+* Unmerged path Documentation/admin-guide/kernel-parameters.txt
+* Unmerged path arch/x86/kernel/cpu/bugs.c
