From: David Woodhouse
To: Andi Kleen
Cc: Paul Turner, LKML, Linus Torvalds, Greg Kroah-Hartman, Tim Chen, Dave Hansen, tglx@linutronix.de, Kees Cook, Rik van Riel, Peter Zijlstra, Andy Lutomirski, Jiri Kosina, gnomes@lxorguk.ukuu.org.uk
Subject: [PATCH v5 00/12] Retpoline: Avoid speculative indirect calls in kernel
Date: Sat, 6 Jan 2018 11:49:22 +0000
Message-Id: <1515239374-23361-1-git-send-email-dwmw@amazon.co.uk>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-kernel@vger.kernel.org

This is a mitigation for the 'variant 2' attack described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Using GCC patches available from the gcc-7_2_0-retpoline branch of
http://git.infradead.org/users/dwmw2/gcc-retpoline.git and by manually
patching assembler code, all vulnerable indirect branches (that occur
after userspace first runs) are eliminated from the kernel.

They are replaced with a 'retpoline' call sequence which deliberately
prevents speculation.

v1: Initial post.
v2: Add CONFIG_RETPOLINE to build kernel without it.
    Change warning messages.
    Hide modpost warning message.
v3: Update to the latest CET-capable retpoline version.
    Reinstate ALTERNATIVE support.
v4: Finish reconciling Andi's and my patch sets, bug fixes.
    Exclude objtool support for now.
    Add 'noretpoline' boot option.
    Add AMD retpoline alternative.
v5: Silence MODVERSIONS warnings.
    Use pause;jmp loop instead of lfence;jmp.
    Switch to X86_FEATURE_RETPOLINE positive feature logic.
    Emit thunks inline from assembler macros.
    Merge AMD support into initial patch.

Andi Kleen (4):
  x86/retpoline/irq32: Convert assembler indirect jumps
  x86/retpoline: Add boot time option to disable retpoline
  x86/retpoline: Exclude objtool with retpoline
  retpoline/modpost: Quieten MODVERSION retpoline build

David Woodhouse (8):
  x86/spectre: Add X86_BUG_SPECTRE_V[12]
  x86/retpoline: Add initial retpoline support
  x86/retpoline/crypto: Convert crypto assembler indirect jumps
  x86/retpoline/entry: Convert entry assembler indirect jumps
  x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
  x86/retpoline/hyperv: Convert assembler indirect jumps
  x86/retpoline/xen: Convert Xen hypercall indirect jumps
  x86/retpoline/checksum32: Convert assembler indirect jumps

 Documentation/admin-guide/kernel-parameters.txt |  3 +
 arch/x86/Kconfig                                | 17 ++++-
 arch/x86/Kconfig.debug                          |  6 +-
 arch/x86/Makefile                               | 10 +++
 arch/x86/crypto/aesni-intel_asm.S               |  5 +-
 arch/x86/crypto/camellia-aesni-avx-asm_64.S     |  3 +-
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S    |  3 +-
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S       |  3 +-
 arch/x86/entry/entry_32.S                       |  5 +-
 arch/x86/entry/entry_64.S                       | 12 +++-
 arch/x86/include/asm/cpufeatures.h              |  4 ++
 arch/x86/include/asm/mshyperv.h                 | 18 ++---
 arch/x86/include/asm/nospec-branch.h            | 91 +++++++++++++++++++++++++
 arch/x86/include/asm/xen/hypercall.h            |  5 +-
 arch/x86/kernel/cpu/common.c                    |  8 +++
 arch/x86/kernel/cpu/intel.c                     | 11 +++
 arch/x86/kernel/ftrace_32.S                     |  6 +-
 arch/x86/kernel/ftrace_64.S                     |  8 +--
 arch/x86/kernel/irq_32.c                        |  9 +--
 arch/x86/lib/Makefile                           |  1 +
 arch/x86/lib/checksum_32.S                      |  7 +-
 arch/x86/lib/retpoline.S                        | 30 ++++++++
 scripts/mod/modpost.c                           |  6 +-
 23 files changed, 231 insertions(+), 40 deletions(-)
 create mode 100644 arch/x86/include/asm/nospec-branch.h
 create mode 100644 arch/x86/lib/retpoline.S

-- 
2.7.4
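The cover letter says indirect branches are replaced by a 'retpoline' call sequence that prevents speculation, and that v5 uses a pause;jmp loop as the speculation trap. The following is an added, user-space illustration of that sequence, not code from the patch series or from arch/x86/lib/retpoline.S: a thunk standing in for `call *%rax`, a plain indirect call beside it for comparison, and a small asm caller that invokes a C function pointer through the thunk. It targets x86-64 with the SysV ABI and GNU assembler syntax. The function and label names are my own; the LFENCE-based variant is my understanding of the AMD alternative the series mentions (lfence followed by the indirect jump), which the page itself does not spell out.

```c
/*
 * Added example (not from the patch series): a retpoline thunk for an
 * indirect call through %rax, built as a stand-alone x86-64 user-space demo.
 */
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Constructed sample targets for the indirect call. */
static int add_one(int x)   { return x + 1; }
static int times_two(int x) { return x * 2; }

/* The unmitigated form: the compiler emits a plain "call *%reg" here,
 * whose target the branch predictor may speculate from attacker-trained state. */
int call_indirect_plain(handler_fn fn, int arg)
{
    return fn(arg);
}

__asm__(
    ".text\n"
    /*
     * Retpoline thunk replacing "call *%rax".
     * The CALL pushes the address of the pause loop and jumps to 2f, so the
     * return stack predicts a RET into that loop. At 2f the real target is
     * written over the saved return address and RET consumes it, so the
     * architectural path always reaches the intended target. Only a
     * mispredicting core lands in the loop, where it spins harmlessly until
     * the RET resolves. v5 of the series uses pause;jmp here rather than
     * lfence;jmp.
     */
    "retpoline_thunk_rax:\n"
    "    call 2f\n"
    "1:  pause\n"
    "    jmp 1b\n"
    "2:  mov %rax, (%rsp)\n"
    "    ret\n"

    /* LFENCE-based variant, my understanding of the AMD alternative:
     * serialize, then take the indirect jump. Not shown on this page. */
    "retpoline_thunk_rax_lfence:\n"
    "    lfence\n"
    "    jmp *%rax\n"

    /* int call_indirect_retpoline(handler_fn fn, int arg): rdi = fn, esi = arg */
    ".globl call_indirect_retpoline\n"
    ".type call_indirect_retpoline, @function\n"
    "call_indirect_retpoline:\n"
    "    sub $8, %rsp\n"            /* entry rsp is 8 mod 16; realign to 16 before the call */
    "    mov %rdi, %rax\n"          /* target pointer into the thunk's register */
    "    mov %esi, %edi\n"          /* first argument for the target */
    "    call retpoline_thunk_rax\n"
    "    add $8, %rsp\n"
    "    ret\n"
    ".size call_indirect_retpoline, .-call_indirect_retpoline\n"

    /* int call_indirect_lfence(handler_fn fn, int arg): same ABI, LFENCE thunk */
    ".globl call_indirect_lfence\n"
    ".type call_indirect_lfence, @function\n"
    "call_indirect_lfence:\n"
    "    sub $8, %rsp\n"
    "    mov %rdi, %rax\n"
    "    mov %esi, %edi\n"
    "    call retpoline_thunk_rax_lfence\n"
    "    add $8, %rsp\n"
    "    ret\n"
    ".size call_indirect_lfence, .-call_indirect_lfence\n"
);

int call_indirect_retpoline(handler_fn fn, int arg);
int call_indirect_lfence(handler_fn fn, int arg);

int main(void)
{
    printf("plain:     %d\n", call_indirect_plain(add_one, 41));
    printf("retpoline: %d\n", call_indirect_retpoline(add_one, 41));
    printf("lfence:    %d\n", call_indirect_lfence(times_two, 21));
    return 0;
}
```

Build with `gcc -O2 retpoline_demo.c` on an x86-64 Linux host. Disassembling the binary (for example with `objdump -d`) shows the difference that matters: `call_indirect_plain` contains a `call *%reg`, while `call_indirect_retpoline` contains only direct calls and a `ret`. The kernel series wires thunks of this shape in through compiler support plus the assembler macros named in the changelog; in user space one would normally rely on the compiler's retpoline option rather than hand-written thunks.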