|
| 1 | +x86/bhi: Mitigate KVM by default |
| 2 | + |
| 3 | +jira LE-2015 |
| 4 | +cve CVE-2024-2201 |
| 5 | +Rebuild_History Non-Buildable kernel-5.14.0-427.42.1.el9_4 |
| 6 | +commit-author Pawan Gupta <pawan.kumar.gupta@linux.intel.com> |
| 7 | +commit 95a6ccbdc7199a14b71ad8901cb788ba7fb5167b |
| 8 | +Empty-Commit: Cherry-Pick Conflicts during history rebuild. |
| 9 | +Will be included in final tarball splat. Ref for failed cherry-pick at: |
| 10 | +ciq/ciq_backports/kernel-5.14.0-427.42.1.el9_4/95a6ccbd.failed |
| 11 | + |
| 12 | +BHI mitigation mode spectre_bhi=auto does not deploy the software |
| 13 | +mitigation by default. In a cloud environment, it is a likely scenario |
| 14 | +where userspace is trusted but the guests are not trusted. Deploying |
| 15 | +system wide mitigation in such cases is not desirable. |
| 16 | + |
| 17 | +Update the auto mode to unconditionally mitigate against malicious |
| 18 | +guests. Deploy the software sequence at VMexit in auto mode also, when |
| 19 | +hardware mitigation is not available. Unlike the force =on mode, |
| 20 | +software sequence is not deployed at syscalls in auto mode. |
| 21 | + |
| 22 | + Suggested-by: Alexandre Chartre <alexandre.chartre@oracle.com> |
| 23 | + Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> |
| 24 | + Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com> |
| 25 | + Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
| 26 | + Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com> |
| 27 | + Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org> |
| 28 | + |
| 29 | +(cherry picked from commit 95a6ccbdc7199a14b71ad8901cb788ba7fb5167b) |
| 30 | + Signed-off-by: Jonathan Maple <jmaple@ciq.com> |
| 31 | + |
| 32 | +# Conflicts: |
| 33 | +# Documentation/admin-guide/hw-vuln/spectre.rst |
| 34 | +# Documentation/admin-guide/kernel-parameters.txt |
| 35 | +# arch/x86/include/asm/cpufeatures.h |
| 36 | +# arch/x86/include/asm/nospec-branch.h |
| 37 | +# arch/x86/kernel/cpu/bugs.c |
| 38 | +# arch/x86/kvm/vmx/vmenter.S |
| 39 | +diff --cc Documentation/admin-guide/hw-vuln/spectre.rst |
| 40 | +index 166facdabe9f,b70b1d8bd8e6..000000000000 |
| 41 | +--- a/Documentation/admin-guide/hw-vuln/spectre.rst |
| 42 | ++++ b/Documentation/admin-guide/hw-vuln/spectre.rst |
| 43 | +@@@ -430,6 -429,23 +430,26 @@@ The possible values in this file are |
| 44 | + 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB |
| 45 | + =========================== ======================================================= |
| 46 | + |
| 47 | +++<<<<<<< HEAD |
| 48 | +++======= |
| 49 | ++ - Branch History Injection (BHI) protection status: |
| 50 | ++ |
| 51 | ++ .. list-table:: |
| 52 | ++ |
| 53 | ++ * - BHI: Not affected |
| 54 | ++ - System is not affected |
| 55 | ++ * - BHI: Retpoline |
| 56 | ++ - System is protected by retpoline |
| 57 | ++ * - BHI: BHI_DIS_S |
| 58 | ++ - System is protected by BHI_DIS_S |
| 59 | ++ * - BHI: SW loop; KVM SW loop |
| 60 | ++ - System is protected by software clearing sequence |
| 61 | ++ * - BHI: Syscall hardening |
| 62 | ++ - Syscalls are hardened against BHI |
| 63 | ++ * - BHI: Syscall hardening; KVM: SW loop |
| 64 | ++ - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence |
| 65 | ++ |
| 66 | +++>>>>>>> 95a6ccbdc719 (x86/bhi: Mitigate KVM by default) |
| 67 | + Full mitigation might require a microcode update from the CPU |
| 68 | + vendor. When the necessary microcode is not available, the kernel will |
| 69 | + report vulnerability. |
| 70 | +@@@ -638,6 -658,22 +658,25 @@@ kernel command line |
| 71 | + spectre_v2=off. Spectre variant 1 mitigations |
| 72 | + cannot be disabled. |
| 73 | + |
| 74 | +++<<<<<<< HEAD |
| 75 | +++======= |
| 76 | ++ spectre_bhi= |
| 77 | ++ |
| 78 | ++ [X86] Control mitigation of Branch History Injection |
| 79 | ++ (BHI) vulnerability. Syscalls are hardened against BHI |
| 80 | ++ regardless of this setting. This setting affects the deployment |
| 81 | ++ of the HW BHI control and the SW BHB clearing sequence. |
| 82 | ++ |
| 83 | ++ on |
| 84 | ++ unconditionally enable. |
| 85 | ++ off |
| 86 | ++ unconditionally disable. |
| 87 | ++ auto |
| 88 | ++ enable if hardware mitigation |
| 89 | ++ control(BHI_DIS_S) is available, otherwise |
| 90 | ++ enable alternate mitigation in KVM. |
| 91 | ++ |
| 92 | +++>>>>>>> 95a6ccbdc719 (x86/bhi: Mitigate KVM by default) |
| 93 | + For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt |
| 94 | + |
| 95 | + Mitigation selection guide |
| 96 | +diff --cc Documentation/admin-guide/kernel-parameters.txt |
| 97 | +index f74f25f00a14,4fa46302f436..000000000000 |
| 98 | +--- a/Documentation/admin-guide/kernel-parameters.txt |
| 99 | ++++ b/Documentation/admin-guide/kernel-parameters.txt |
| 100 | +@@@ -5722,7 -6063,19 +5722,23 @@@ |
| 101 | + sonypi.*= [HW] Sony Programmable I/O Control Device driver |
| 102 | + See Documentation/admin-guide/laptops/sonypi.rst |
| 103 | + |
| 104 | +++<<<<<<< HEAD |
| 105 | + + spectre_v2= [X86] Control mitigation of Spectre variant 2 |
| 106 | +++======= |
| 107 | ++ spectre_bhi= [X86] Control mitigation of Branch History Injection |
| 108 | ++ (BHI) vulnerability. Syscalls are hardened against BHI |
| 109 | ++ reglardless of this setting. This setting affects the |
| 110 | ++ deployment of the HW BHI control and the SW BHB |
| 111 | ++ clearing sequence. |
| 112 | ++ |
| 113 | ++ on - unconditionally enable. |
| 114 | ++ off - unconditionally disable. |
| 115 | ++ auto - (default) enable hardware mitigation |
| 116 | ++ (BHI_DIS_S) if available, otherwise enable |
| 117 | ++ alternate mitigation in KVM. |
| 118 | ++ |
| 119 | ++ spectre_v2= [X86,EARLY] Control mitigation of Spectre variant 2 |
| 120 | +++>>>>>>> 95a6ccbdc719 (x86/bhi: Mitigate KVM by default) |
| 121 | + (indirect branch speculation) vulnerability. |
| 122 | + The default operation protects the kernel from |
| 123 | + user space attacks. |
| 124 | +diff --cc arch/x86/include/asm/cpufeatures.h |
| 125 | +index 54d64f0e0199,3c7434329661..000000000000 |
| 126 | +--- a/arch/x86/include/asm/cpufeatures.h |
| 127 | ++++ b/arch/x86/include/asm/cpufeatures.h |
| 128 | +@@@ -462,6 -466,10 +462,13 @@@ |
| 129 | + * Reuse free bits when adding new feature flags! |
| 130 | + */ |
| 131 | + #define X86_FEATURE_AMD_LBR_PMC_FREEZE (21*32+ 0) /* AMD LBR and PMC Freeze */ |
| 132 | +++<<<<<<< HEAD |
| 133 | +++======= |
| 134 | ++ #define X86_FEATURE_CLEAR_BHB_LOOP (21*32+ 1) /* "" Clear branch history at syscall entry using SW loop */ |
| 135 | ++ #define X86_FEATURE_BHI_CTRL (21*32+ 2) /* "" BHI_DIS_S HW control available */ |
| 136 | ++ #define X86_FEATURE_CLEAR_BHB_HW (21*32+ 3) /* "" BHI_DIS_S HW control enabled */ |
| 137 | ++ #define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch history at vmexit using SW loop */ |
| 138 | +++>>>>>>> 95a6ccbdc719 (x86/bhi: Mitigate KVM by default) |
| 139 | + |
| 140 | + /* |
| 141 | + * BUG word(s) |
| 142 | +diff --cc arch/x86/include/asm/nospec-branch.h |
| 143 | +index ae26633e4bec,ff5f1ecc7d1e..000000000000 |
| 144 | +--- a/arch/x86/include/asm/nospec-branch.h |
| 145 | ++++ b/arch/x86/include/asm/nospec-branch.h |
| 146 | +@@@ -307,9 -323,22 +307,25 @@@ |
| 147 | + * Note: Only the memory operand variant of VERW clears the CPU buffers. |
| 148 | + */ |
| 149 | + .macro CLEAR_CPU_BUFFERS |
| 150 | + - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF |
| 151 | + + ALTERNATIVE __stringify(verw _ASM_RIP(mds_verw_sel)), "", ALT_NOT(X86_FEATURE_CLEAR_CPU_BUF) |
| 152 | + .endm |
| 153 | + |
| 154 | +++<<<<<<< HEAD |
| 155 | +++======= |
| 156 | ++ #ifdef CONFIG_X86_64 |
| 157 | ++ .macro CLEAR_BRANCH_HISTORY |
| 158 | ++ ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP |
| 159 | ++ .endm |
| 160 | ++ |
| 161 | ++ .macro CLEAR_BRANCH_HISTORY_VMEXIT |
| 162 | ++ ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT |
| 163 | ++ .endm |
| 164 | ++ #else |
| 165 | ++ #define CLEAR_BRANCH_HISTORY |
| 166 | ++ #define CLEAR_BRANCH_HISTORY_VMEXIT |
| 167 | ++ #endif |
| 168 | ++ |
| 169 | +++>>>>>>> 95a6ccbdc719 (x86/bhi: Mitigate KVM by default) |
| 170 | + #else /* __ASSEMBLY__ */ |
| 171 | + |
| 172 | + #define ANNOTATE_RETPOLINE_SAFE \ |
| 173 | +diff --cc arch/x86/kernel/cpu/bugs.c |
| 174 | +index d1c0c8f6898b,295463707e68..000000000000 |
| 175 | +--- a/arch/x86/kernel/cpu/bugs.c |
| 176 | ++++ b/arch/x86/kernel/cpu/bugs.c |
| 177 | +@@@ -1612,6 -1607,79 +1612,82 @@@ static void __init spectre_v2_determine |
| 178 | + dump_stack(); |
| 179 | + } |
| 180 | + |
| 181 | +++<<<<<<< HEAD |
| 182 | +++======= |
| 183 | ++ /* |
| 184 | ++ * Set BHI_DIS_S to prevent indirect branches in kernel to be influenced by |
| 185 | ++ * branch history in userspace. Not needed if BHI_NO is set. |
| 186 | ++ */ |
| 187 | ++ static bool __init spec_ctrl_bhi_dis(void) |
| 188 | ++ { |
| 189 | ++ if (!boot_cpu_has(X86_FEATURE_BHI_CTRL)) |
| 190 | ++ return false; |
| 191 | ++ |
| 192 | ++ x86_spec_ctrl_base |= SPEC_CTRL_BHI_DIS_S; |
| 193 | ++ update_spec_ctrl(x86_spec_ctrl_base); |
| 194 | ++ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_HW); |
| 195 | ++ |
| 196 | ++ return true; |
| 197 | ++ } |
| 198 | ++ |
| 199 | ++ enum bhi_mitigations { |
| 200 | ++ BHI_MITIGATION_OFF, |
| 201 | ++ BHI_MITIGATION_ON, |
| 202 | ++ BHI_MITIGATION_AUTO, |
| 203 | ++ }; |
| 204 | ++ |
| 205 | ++ static enum bhi_mitigations bhi_mitigation __ro_after_init = |
| 206 | ++ IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : |
| 207 | ++ IS_ENABLED(CONFIG_SPECTRE_BHI_OFF) ? BHI_MITIGATION_OFF : |
| 208 | ++ BHI_MITIGATION_AUTO; |
| 209 | ++ |
| 210 | ++ static int __init spectre_bhi_parse_cmdline(char *str) |
| 211 | ++ { |
| 212 | ++ if (!str) |
| 213 | ++ return -EINVAL; |
| 214 | ++ |
| 215 | ++ if (!strcmp(str, "off")) |
| 216 | ++ bhi_mitigation = BHI_MITIGATION_OFF; |
| 217 | ++ else if (!strcmp(str, "on")) |
| 218 | ++ bhi_mitigation = BHI_MITIGATION_ON; |
| 219 | ++ else if (!strcmp(str, "auto")) |
| 220 | ++ bhi_mitigation = BHI_MITIGATION_AUTO; |
| 221 | ++ else |
| 222 | ++ pr_err("Ignoring unknown spectre_bhi option (%s)", str); |
| 223 | ++ |
| 224 | ++ return 0; |
| 225 | ++ } |
| 226 | ++ early_param("spectre_bhi", spectre_bhi_parse_cmdline); |
| 227 | ++ |
| 228 | ++ static void __init bhi_select_mitigation(void) |
| 229 | ++ { |
| 230 | ++ if (bhi_mitigation == BHI_MITIGATION_OFF) |
| 231 | ++ return; |
| 232 | ++ |
| 233 | ++ /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ |
| 234 | ++ if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) && |
| 235 | ++ !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) |
| 236 | ++ return; |
| 237 | ++ |
| 238 | ++ if (spec_ctrl_bhi_dis()) |
| 239 | ++ return; |
| 240 | ++ |
| 241 | ++ if (!IS_ENABLED(CONFIG_X86_64)) |
| 242 | ++ return; |
| 243 | ++ |
| 244 | ++ /* Mitigate KVM by default */ |
| 245 | ++ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT); |
| 246 | ++ pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n"); |
| 247 | ++ |
| 248 | ++ if (bhi_mitigation == BHI_MITIGATION_AUTO) |
| 249 | ++ return; |
| 250 | ++ |
| 251 | ++ /* Mitigate syscalls when the mitigation is forced =on */ |
| 252 | ++ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP); |
| 253 | ++ pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n"); |
| 254 | ++ } |
| 255 | ++ |
| 256 | +++>>>>>>> 95a6ccbdc719 (x86/bhi: Mitigate KVM by default) |
| 257 | + static void __init spectre_v2_select_mitigation(void) |
| 258 | + { |
| 259 | + enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); |
| 260 | +@@@ -2814,6 -2809,23 +2890,26 @@@ static char *pbrsb_eibrs_state(void |
| 261 | + } |
| 262 | + } |
| 263 | + |
| 264 | +++<<<<<<< HEAD |
| 265 | +++======= |
| 266 | ++ static const char * const spectre_bhi_state(void) |
| 267 | ++ { |
| 268 | ++ if (!boot_cpu_has_bug(X86_BUG_BHI)) |
| 269 | ++ return "; BHI: Not affected"; |
| 270 | ++ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) |
| 271 | ++ return "; BHI: BHI_DIS_S"; |
| 272 | ++ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) |
| 273 | ++ return "; BHI: SW loop, KVM: SW loop"; |
| 274 | ++ else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && |
| 275 | ++ !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) |
| 276 | ++ return "; BHI: Retpoline"; |
| 277 | ++ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) |
| 278 | ++ return "; BHI: Syscall hardening, KVM: SW loop"; |
| 279 | ++ |
| 280 | ++ return "; BHI: Vulnerable (Syscall hardening enabled)"; |
| 281 | ++ } |
| 282 | ++ |
| 283 | +++>>>>>>> 95a6ccbdc719 (x86/bhi: Mitigate KVM by default) |
| 284 | + static ssize_t spectre_v2_show_state(char *buf) |
| 285 | + { |
| 286 | + if (spectre_v2_enabled == SPECTRE_V2_LFENCE) |
| 287 | +diff --cc arch/x86/kvm/vmx/vmenter.S |
| 288 | +index 139960deb736,f6986dee6f8c..000000000000 |
| 289 | +--- a/arch/x86/kvm/vmx/vmenter.S |
| 290 | ++++ b/arch/x86/kvm/vmx/vmenter.S |
| 291 | +@@@ -275,6 -275,8 +275,11 @@@ SYM_INNER_LABEL_ALIGN(vmx_vmexit, SYM_L |
| 292 | + |
| 293 | + call vmx_spec_ctrl_restore_host |
| 294 | + |
| 295 | +++<<<<<<< HEAD |
| 296 | +++======= |
| 297 | ++ CLEAR_BRANCH_HISTORY_VMEXIT |
| 298 | ++ |
| 299 | +++>>>>>>> 95a6ccbdc719 (x86/bhi: Mitigate KVM by default) |
| 300 | + /* Put return value in AX */ |
| 301 | + mov %_ASM_BX, %_ASM_AX |
| 302 | + |
| 303 | +* Unmerged path Documentation/admin-guide/hw-vuln/spectre.rst |
| 304 | +* Unmerged path Documentation/admin-guide/kernel-parameters.txt |
| 305 | +* Unmerged path arch/x86/include/asm/cpufeatures.h |
| 306 | +* Unmerged path arch/x86/include/asm/nospec-branch.h |
| 307 | +* Unmerged path arch/x86/kernel/cpu/bugs.c |
| 308 | +* Unmerged path arch/x86/kvm/vmx/vmenter.S |
0 commit comments