From: Thomas Gleixner <tglx@linutronix.de>
To: LKML <linux-kernel@vger.kernel.org>
Cc: x86@kernel.org, Peter Zijlstra <peterz@infradead.org>,
Andy Lutomirski <luto@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Jiri Kosina <jkosina@suse.cz>,
Tom Lendacky <thomas.lendacky@amd.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Casey Schaufler <casey.schaufler@intel.com>,
Asit Mallick <asit.k.mallick@intel.com>,
Arjan van de Ven <arjan@linux.intel.com>,
Jon Masters <jcm@redhat.com>, Waiman Long <longman9394@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
Dave Stewart <david.c.stewart@intel.com>,
Kees Cook <keescook@chromium.org>
Subject: [patch 15/24] x86/speculation: Add command line control for indirect branch speculation
Date: Wed, 21 Nov 2018 21:14:45 +0100 [thread overview]
Message-ID: <20181121201723.764150349@linutronix.de> (raw)
In-Reply-To: 20181121201430.559770965@linutronix.de
[-- Attachment #1: x86-speculation--Add-command-line-control-for-indirect-branch-speculation.patch --]
[-- Type: text/plain, Size: 8543 bytes --]
Add command line control for application to application indirect branch
speculation mitigations.
The initial options are:
- on: Unconditionally enabled
- off: Unconditionally disabled
-auto: Kernel selects mitigation (default off for now)
When the spectre_v2= command line argument is either 'on' or 'off' this
implies that the application to application control follows that state even
if when a contradicting spectre_v2_app2app= argument is supplied.
Originally-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
Documentation/admin-guide/kernel-parameters.txt | 22 +++
arch/x86/include/asm/nospec-branch.h | 10 +
arch/x86/kernel/cpu/bugs.c | 133 ++++++++++++++++++++----
3 files changed, 146 insertions(+), 19 deletions(-)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4213,8 +4213,10 @@
spectre_v2= [X86] Control mitigation of Spectre variant 2
(indirect branch speculation) vulnerability.
- on - unconditionally enable
- off - unconditionally disable
+ on - unconditionally enable, implies
+ spectre_v2_app2app=on
+ off - unconditionally disable, implies
+ spectre_v2_app2app=off
auto - kernel detects whether your CPU model is
vulnerable
@@ -4233,6 +4235,22 @@
Not specifying this option is equivalent to
spectre_v2=auto.
+ spectre_v2_app2app=
+ [X86] Control mitigation of Spectre variant 2
+ application to application (indirect branch speculation)
+ vulnerability.
+
+ on - Unconditionally enable mitigations. Is enforced
+ by spectre_v2=on
+ off - Unconditionally disable mitigations. Is enforced
+ by spectre_v2=off
+ auto - Kernel selects the mitigation depending on
+ the available CPU features and vulnerability.
+ Default is off.
+
+ Not specifying this option is equivalent to
+ spectre_v2_app2app=auto.
+
spec_store_bypass_disable=
[HW] Control Speculative Store Bypass (SSB) Disable mitigation
(Speculative Store Bypass vulnerability)
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -3,6 +3,8 @@
#ifndef _ASM_X86_NOSPEC_BRANCH_H_
#define _ASM_X86_NOSPEC_BRANCH_H_
+#include <linux/static_key.h>
+
#include <asm/alternative.h>
#include <asm/alternative-asm.h>
#include <asm/cpufeatures.h>
@@ -226,6 +228,12 @@ enum spectre_v2_mitigation {
SPECTRE_V2_IBRS_ENHANCED,
};
+/* The indirect branch speculation control variants */
+enum spectre_v2_app2app_mitigation {
+ SPECTRE_V2_APP2APP_NONE,
+ SPECTRE_V2_APP2APP_STRICT,
+};
+
/* The Speculative Store Bypass disable variants */
enum ssb_mitigation {
SPEC_STORE_BYPASS_NONE,
@@ -303,6 +311,8 @@ do { \
preempt_enable(); \
} while (0)
+DECLARE_STATIC_KEY_FALSE(switch_to_cond_stibp);
+
#endif /* __ASSEMBLY__ */
/*
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -54,6 +54,9 @@ static u64 __ro_after_init x86_spec_ctrl
u64 __ro_after_init x86_amd_ls_cfg_base;
u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
+/* Control conditional STIPB in switch_to() */
+DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
+
void __init check_bugs(void)
{
identify_boot_cpu();
@@ -199,6 +202,9 @@ static void x86_amd_ssb_disable(void)
static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
SPECTRE_V2_NONE;
+static enum spectre_v2_app2app_mitigation spectre_v2_app2app __ro_after_init =
+ SPECTRE_V2_APP2APP_NONE;
+
#ifdef RETPOLINE
static bool spectre_v2_bad_module;
@@ -237,6 +243,104 @@ enum spectre_v2_mitigation_cmd {
SPECTRE_V2_CMD_RETPOLINE_AMD,
};
+enum spectre_v2_app2app_cmd {
+ SPECTRE_V2_APP2APP_CMD_NONE,
+ SPECTRE_V2_APP2APP_CMD_AUTO,
+ SPECTRE_V2_APP2APP_CMD_FORCE,
+};
+
+static const char *spectre_v2_app2app_strings[] = {
+ [SPECTRE_V2_APP2APP_NONE] = "App-App Vulnerable",
+ [SPECTRE_V2_APP2APP_STRICT] = "App-App Mitigation: STIBP protection",
+};
+
+static const struct {
+ const char *option;
+ enum spectre_v2_app2app_cmd cmd;
+ bool secure;
+} app2app_options[] = {
+ { "auto", SPECTRE_V2_APP2APP_CMD_AUTO, false },
+ { "off", SPECTRE_V2_APP2APP_CMD_NONE, false },
+ { "on", SPECTRE_V2_APP2APP_CMD_FORCE, true },
+};
+
+static void __init spec_v2_app_print_cond(const char *reason, bool secure)
+{
+ if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
+ pr_info("app2app %s selected on command line.\n", reason);
+}
+
+static enum spectre_v2_app2app_cmd __init
+spectre_v2_parse_app2app_cmdline(enum spectre_v2_mitigation_cmd v2_cmd)
+{
+ char arg[20];
+ int ret, i;
+
+ switch (v2_cmd) {
+ case SPECTRE_V2_CMD_NONE:
+ return SPECTRE_V2_APP2APP_CMD_NONE;
+ case SPECTRE_V2_CMD_FORCE:
+ return SPECTRE_V2_APP2APP_CMD_FORCE;
+ default:
+ break;
+ }
+
+ ret = cmdline_find_option(boot_command_line, "spectre_v2_app2app",
+ arg, sizeof(arg));
+ if (ret < 0)
+ return SPECTRE_V2_APP2APP_CMD_AUTO;
+
+ for (i = 0; i < ARRAY_SIZE(app2app_options); i++) {
+ if (match_option(arg, ret, app2app_options[i].option)) {
+ spec_v2_app_print_cond(app2app_options[i].option,
+ app2app_options[i].secure);
+ return app2app_options[i].cmd;
+ }
+ }
+
+ pr_err("Unknown app to app protection option (%s). Switching to AUTO select\n", arg);
+ return SPECTRE_V2_APP2APP_CMD_AUTO;
+}
+
+static void __init
+spectre_v2_app2app_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
+{
+ enum spectre_v2_app2app_mitigation mode = SPECTRE_V2_APP2APP_NONE;
+ bool smt_possible = IS_ENABLED(CONFIG_SMP);
+
+ if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
+ return;
+
+ if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
+ cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
+ smt_possible = false;
+
+ switch (spectre_v2_parse_app2app_cmdline(v2_cmd)) {
+ case SPECTRE_V2_APP2APP_CMD_AUTO:
+ case SPECTRE_V2_APP2APP_CMD_NONE:
+ goto set_mode;
+ case SPECTRE_V2_APP2APP_CMD_FORCE:
+ mode = SPECTRE_V2_APP2APP_STRICT;
+ break;
+ }
+
+ /* Initialize Indirect Branch Prediction Barrier */
+ if (boot_cpu_has(X86_FEATURE_IBPB)) {
+ setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
+ pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
+ }
+
+ /* If enhanced IBRS is enabled no STIPB required */
+ if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
+ return;
+
+set_mode:
+ spectre_v2_app2app = mode;
+ /* Only print the STIBP mode when SMT possible */
+ if (smt_possible)
+ pr_info("%s\n", spectre_v2_app2app_strings[mode]);
+}
+
static const char *spectre_v2_strings[] = {
[SPECTRE_V2_NONE] = "Vulnerable",
[SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
@@ -385,12 +489,6 @@ static void __init spectre_v2_select_mit
setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
- /* Initialize Indirect Branch Prediction Barrier if supported */
- if (boot_cpu_has(X86_FEATURE_IBPB)) {
- setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
- pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
- }
-
/*
* Retpoline means the kernel is safe because it has no indirect
* branches. Enhanced IBRS protects firmware too, so, enable restricted
@@ -407,23 +505,21 @@ static void __init spectre_v2_select_mit
pr_info("Enabling Restricted Speculation for firmware calls\n");
}
+ /* Set up IBPB and STIBP depending on the general spectre V2 command */
+ spectre_v2_app2app_select_mitigation(cmd);
+
/* Enable STIBP if appropriate */
arch_smt_update();
}
static bool stibp_needed(void)
{
- if (spectre_v2_enabled == SPECTRE_V2_NONE)
- return false;
-
/* Enhanced IBRS makes using STIBP unnecessary. */
if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
return false;
- if (!boot_cpu_has(X86_FEATURE_STIBP))
- return false;
-
- return true;
+ /* Check for strict app2app mitigation mode */
+ return spectre_v2_app2app == SPECTRE_V2_APP2APP_STRICT;
}
static void update_stibp_msr(void *info)
@@ -844,10 +940,13 @@ static char *stibp_state(void)
if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
return "";
- if (x86_spec_ctrl_base & SPEC_CTRL_STIBP)
- return ", STIBP";
- else
- return "";
+ switch (spectre_v2_app2app) {
+ case SPECTRE_V2_APP2APP_NONE:
+ return ", STIBP: disabled";
+ case SPECTRE_V2_APP2APP_STRICT:
+ return ", STIBP: forced";
+ }
+ return "";
}
static char *ibpb_state(void)
next prev parent reply other threads:[~2018-11-21 20:19 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-21 20:14 [patch 00/24] x86/speculation: Remedy the STIBP/IBPB overhead Thomas Gleixner
2018-11-21 20:14 ` [patch 01/24] x86/speculation: Update the TIF_SSBD comment Thomas Gleixner
2018-11-21 20:28 ` Linus Torvalds
2018-11-21 20:30 ` Thomas Gleixner
2018-11-21 20:33 ` Linus Torvalds
2018-11-21 22:48 ` Thomas Gleixner
2018-11-21 22:53 ` Borislav Petkov
2018-11-21 22:55 ` Thomas Gleixner
2018-11-21 22:55 ` Arjan van de Ven
2018-11-21 22:56 ` Borislav Petkov
2018-11-21 23:07 ` Borislav Petkov
2018-11-21 23:04 ` Josh Poimboeuf
2018-11-21 23:08 ` Borislav Petkov
2018-11-22 17:30 ` Josh Poimboeuf
2018-11-22 17:52 ` Borislav Petkov
2018-11-22 21:17 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 02/24] x86/speculation: Clean up spectre_v2_parse_cmdline() Thomas Gleixner
2018-11-21 20:14 ` [patch 03/24] x86/speculation: Remove unnecessary ret variable in cpu_show_common() Thomas Gleixner
2018-11-21 20:14 ` [patch 04/24] x86/speculation: Reorganize cpu_show_common() Thomas Gleixner
2018-11-21 20:14 ` [patch 05/24] x86/speculation: Disable STIBP when enhanced IBRS is in use Thomas Gleixner
2018-11-21 20:33 ` Borislav Petkov
2018-11-21 20:36 ` Thomas Gleixner
2018-11-21 22:01 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 06/24] x86/speculation: Rename SSBD update functions Thomas Gleixner
2018-11-21 20:14 ` [patch 07/24] x86/speculation: Reorganize speculation control MSRs update Thomas Gleixner
2018-11-21 20:14 ` [patch 08/24] sched/smt: Make sched_smt_present track topology Thomas Gleixner
2018-11-21 20:14 ` [patch 09/24] x86/Kconfig: Select SCHED_SMT if SMP enabled Thomas Gleixner
2018-11-21 20:14 ` [patch 10/24] sched/smt: Expose sched_smt_present static key Thomas Gleixner
2018-11-21 20:41 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 11/24] x86/speculation: Rework SMT state change Thomas Gleixner
2018-11-21 20:14 ` [patch 12/24] x86/l1tf: Show actual SMT state Thomas Gleixner
2018-11-21 20:14 ` [patch 13/24] x86/speculation: Reorder the spec_v2 code Thomas Gleixner
2018-11-21 20:14 ` [patch 14/24] x86/speculation: Unify conditional spectre v2 print functions Thomas Gleixner
2018-11-22 7:59 ` Ingo Molnar
2018-11-21 20:14 ` Thomas Gleixner [this message]
2018-11-21 23:43 ` [patch 15/24] x86/speculation: Add command line control for indirect branch speculation Borislav Petkov
2018-11-22 8:14 ` Thomas Gleixner
2018-11-22 9:07 ` Thomas Gleixner
2018-11-22 9:18 ` Peter Zijlstra
2018-11-22 10:10 ` Borislav Petkov
2018-11-22 10:48 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 16/24] x86/speculation: Prepare for per task indirect branch speculation control Thomas Gleixner
2018-11-22 7:57 ` Ingo Molnar
2018-11-21 20:14 ` [patch 17/24] x86/speculation: Move IBPB control out of switch_mm() Thomas Gleixner
2018-11-22 0:01 ` Andi Kleen
2018-11-22 7:42 ` Jiri Kosina
2018-11-22 9:18 ` Thomas Gleixner
2018-11-22 1:40 ` Tim Chen
2018-11-22 7:52 ` Ingo Molnar
2018-11-22 22:29 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 18/24] x86/speculation: Avoid __switch_to_xtra() calls Thomas Gleixner
2018-11-22 1:23 ` Tim Chen
2018-11-22 7:44 ` Ingo Molnar
2018-11-21 20:14 ` [patch 19/24] ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS Thomas Gleixner
2018-11-21 20:14 ` [patch 20/24] x86/speculation: Split out TIF update Thomas Gleixner
2018-11-22 2:13 ` Tim Chen
2018-11-22 23:00 ` Thomas Gleixner
2018-11-23 7:37 ` Ingo Molnar
2018-11-26 18:35 ` Tim Chen
2018-11-26 21:55 ` Thomas Gleixner
2018-11-27 7:05 ` Jiri Kosina
2018-11-27 7:13 ` Thomas Gleixner
2018-11-27 7:30 ` Jiri Kosina
2018-11-27 12:52 ` Jiri Kosina
2018-11-27 13:18 ` Jiri Kosina
2018-11-27 21:57 ` Thomas Gleixner
2018-11-27 22:07 ` Jiri Kosina
2018-11-27 22:20 ` Jiri Kosina
2018-11-27 22:36 ` Thomas Gleixner
2018-11-28 1:50 ` Tim Chen
2018-11-28 10:43 ` Thomas Gleixner
2018-11-28 6:05 ` Jiri Kosina
2018-11-28 14:33 ` [tip:x86/pti] x86/speculation: Prevent stale SPEC_CTRL msr content tip-bot for Thomas Gleixner
2018-11-22 7:43 ` [patch 20/24] x86/speculation: Split out TIF update Ingo Molnar
2018-11-22 23:04 ` Thomas Gleixner
2018-11-23 7:37 ` Ingo Molnar
2018-11-21 20:14 ` [patch 21/24] x86/speculation: Prepare arch_smt_update() for PRCTL mode Thomas Gleixner
2018-11-22 7:34 ` Ingo Molnar
2018-11-22 23:17 ` Thomas Gleixner
2018-11-22 23:28 ` Jiri Kosina
2018-11-21 20:14 ` [patch 22/24] x86/speculation: Create PRCTL interface to restrict indirect branch speculation Thomas Gleixner
2018-11-22 7:10 ` Ingo Molnar
2018-11-22 9:03 ` Peter Zijlstra
2018-11-22 9:08 ` Thomas Gleixner
2018-11-22 12:26 ` Borislav Petkov
2018-11-22 12:33 ` Peter Zijlstra
2018-11-21 20:14 ` [patch 23/24] x86/speculation: Enable PRCTL mode for spectre_v2_app2app Thomas Gleixner
2018-11-22 7:17 ` Ingo Molnar
2018-11-21 20:14 ` [patch 24/24] x86/speculation: Add seccomp Spectre v2 app to app protection mode Thomas Gleixner
2018-11-22 2:24 ` Tim Chen
2018-11-22 7:26 ` Ingo Molnar
2018-11-22 23:45 ` Thomas Gleixner
2018-11-21 23:48 ` [patch 00/24] x86/speculation: Remedy the STIBP/IBPB overhead Tim Chen
2018-11-22 9:55 ` Thomas Gleixner
2018-11-22 9:45 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181121201723.764150349@linutronix.de \
--to=tglx@linutronix.de \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=arjan@linux.intel.com \
--cc=asit.k.mallick@intel.com \
--cc=casey.schaufler@intel.com \
--cc=dave.hansen@intel.com \
--cc=david.c.stewart@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jcm@redhat.com \
--cc=jkosina@suse.cz \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=longman9394@gmail.com \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=thomas.lendacky@amd.com \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).