From: David Woodhouse <dwmw@amazon.co.uk>
To: Andi Kleen <ak@linux.intel.com>
Cc: Paul Turner <pjt@google.com>, LKML <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linux-foundation.org>,
Tim Chen <tim.c.chen@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
tglx@linutronix.de, Kees Cook <keescook@google.com>,
Rik van Riel <riel@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Andy Lutomirski <luto@amacapital.net>,
Jiri Kosina <jikos@kernel.org>,
gnomes@lxorguk.ukuu.org.uk
Subject: [PATCH v5 00/12] Retpoline: Avoid speculative indirect calls in kernel
Date: Sat, 6 Jan 2018 11:49:22 +0000 [thread overview]
Message-ID: <1515239374-23361-1-git-send-email-dwmw@amazon.co.uk> (raw)
This is a mitigation for the 'variant 2' attack described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
Using GCC patches available from the gcc-7_2_0-retpoline branch of
http://git.infradead.org/users/dwmw2/gcc-retpoline.git and by manually
patching assembler code, all vulnerable indirect branches (that occur
after userspace first runs) are eliminated from the kernel.
They are replaced with a 'retpoline' call sequence which deliberately
prevents speculation.
v1: Initial post.
v2: Add CONFIG_RETPOLINE to build kernel without it.
Change warning messages.
Hide modpost warning message
v3: Update to the latest CET-capable retpoline version
Reinstate ALTERNATIVE support
v4: Finish reconciling Andi's and my patch sets, bug fixes.
Exclude objtool support for now
Add 'noretpoline' boot option
Add AMD retpoline alternative
v5: Silence MODVERSIONS warnings
Use pause;jmp loop instead of lfence;jmp
Switch to X86_FEATURE_RETPOLINE positive feature logic
Emit thunks inline from assembler macros
Merge AMD support into initial patch
Andi Kleen (4):
x86/retpoline/irq32: Convert assembler indirect jumps
x86/retpoline: Add boot time option to disable retpoline
x86/retpoline: Exclude objtool with retpoline
retpoline/modpost: Quieten MODVERSION retpoline build
David Woodhouse (8):
x86/spectre: Add X86_BUG_SPECTRE_V[12]
x86/retpoline: Add initial retpoline support
x86/retpoline/crypto: Convert crypto assembler indirect jumps
x86/retpoline/entry: Convert entry assembler indirect jumps
x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
x86/retpoline/hyperv: Convert assembler indirect jumps
x86/retpoline/xen: Convert Xen hypercall indirect jumps
x86/retpoline/checksum32: Convert assembler indirect jumps
Documentation/admin-guide/kernel-parameters.txt | 3 +
arch/x86/Kconfig | 17 ++++-
arch/x86/Kconfig.debug | 6 +-
arch/x86/Makefile | 10 +++
arch/x86/crypto/aesni-intel_asm.S | 5 +-
arch/x86/crypto/camellia-aesni-avx-asm_64.S | 3 +-
arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 3 +-
arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 3 +-
arch/x86/entry/entry_32.S | 5 +-
arch/x86/entry/entry_64.S | 12 +++-
arch/x86/include/asm/cpufeatures.h | 4 ++
arch/x86/include/asm/mshyperv.h | 18 ++---
arch/x86/include/asm/nospec-branch.h | 91 +++++++++++++++++++++++++
arch/x86/include/asm/xen/hypercall.h | 5 +-
arch/x86/kernel/cpu/common.c | 8 +++
arch/x86/kernel/cpu/intel.c | 11 +++
arch/x86/kernel/ftrace_32.S | 6 +-
arch/x86/kernel/ftrace_64.S | 8 +--
arch/x86/kernel/irq_32.c | 9 +--
arch/x86/lib/Makefile | 1 +
arch/x86/lib/checksum_32.S | 7 +-
arch/x86/lib/retpoline.S | 30 ++++++++
scripts/mod/modpost.c | 6 +-
23 files changed, 231 insertions(+), 40 deletions(-)
create mode 100644 arch/x86/include/asm/nospec-branch.h
create mode 100644 arch/x86/lib/retpoline.S
--
2.7.4
next reply other threads:[~2018-01-06 11:52 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-06 11:49 David Woodhouse [this message]
2018-01-06 11:49 ` [PATCH v5 01/12] x86/spectre: Add X86_BUG_SPECTRE_V[12] David Woodhouse
2018-01-06 21:05 ` [tip:x86/pti] x86/cpufeatures: " tip-bot for David Woodhouse
2018-01-06 11:49 ` [PATCH v5 02/12] x86/retpoline: Add initial retpoline support David Woodhouse
2018-01-06 17:32 ` David Woodhouse
2018-01-06 18:05 ` [PATCH v5.1 " David Woodhouse
2018-01-06 18:35 ` [PATCH v5 " Eric Biggers
2018-01-06 19:17 ` David Woodhouse
2018-01-06 21:16 ` Andrew Cooper
2018-01-06 21:21 ` Woodhouse, David
2018-01-07 1:44 ` Tom Lendacky
2018-01-06 21:23 ` Thomas Gleixner
2018-01-06 21:34 ` Andrew Cooper
2018-01-06 21:49 ` Woodhouse, David
2018-01-06 11:49 ` [PATCH v5 03/12] x86/retpoline/crypto: Convert crypto assembler indirect jumps David Woodhouse
2018-01-06 11:49 ` [PATCH v5 04/12] x86/retpoline/entry: Convert entry " David Woodhouse
2018-01-06 11:49 ` [PATCH v5 05/12] x86/retpoline/ftrace: Convert ftrace " David Woodhouse
2018-01-06 18:13 ` Linus Torvalds
2018-01-06 19:53 ` Thomas Gleixner
2018-01-07 1:27 ` Linus Torvalds
2018-01-06 11:49 ` [PATCH v5 06/12] x86/retpoline/hyperv: Convert " David Woodhouse
2018-01-06 11:49 ` [PATCH v5 07/12] x86/retpoline/xen: Convert Xen hypercall " David Woodhouse
2018-01-06 11:49 ` [PATCH v5 08/12] x86/retpoline/checksum32: Convert assembler " David Woodhouse
2018-01-06 11:49 ` [PATCH v5 09/12] x86/retpoline/irq32: " David Woodhouse
2018-01-06 11:49 ` [PATCH v5 10/12] x86/retpoline: Add boot time option to disable retpoline David Woodhouse
2018-01-06 11:49 ` [PATCH v5 11/12] x86/retpoline: Exclude objtool with retpoline David Woodhouse
2018-01-06 11:49 ` [PATCH v5 12/12] retpoline/modpost: Quieten MODVERSION retpoline build David Woodhouse
2018-01-07 0:10 ` [RFC PATCH 13/12] Retpoline vs. CONFIG_TRIM_UNUSED_SYMBOLS David Woodhouse
2018-01-07 8:03 ` David Woodhouse
2018-01-07 15:09 ` Lu, Hongjiu
2018-01-07 17:32 ` David Woodhouse
2018-01-07 17:57 ` Lu, Hongjiu
2018-01-07 18:18 ` Thomas Gleixner
2018-01-07 18:32 ` Lu, Hongjiu
2018-01-07 20:57 ` David Woodhouse
2018-01-07 22:16 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1515239374-23361-1-git-send-email-dwmw@amazon.co.uk \
--to=dwmw@amazon.co.uk \
--cc=ak@linux.intel.com \
--cc=dave.hansen@intel.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linux-foundation.org \
--cc=jikos@kernel.org \
--cc=keescook@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=peterz@infradead.org \
--cc=pjt@google.com \
--cc=riel@redhat.com \
--cc=tglx@linutronix.de \
--cc=tim.c.chen@linux.intel.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).