From: David Woodhouse <dwmw@amazon.co.uk>
To: Andi Kleen <ak@linux.intel.com>
Cc: Paul Turner <pjt@google.com>, LKML <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linux-foundation.org>,
Tim Chen <tim.c.chen@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
tglx@linutronix.de, Kees Cook <keescook@google.com>,
Rik van Riel <riel@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Andy Lutomirski <luto@amacapital.net>,
Jiri Kosina <jikos@kernel.org>,
gnomes@lxorguk.ukuu.org.uk, x86@kernel.org,
thomas.lendacky@amd.com, Josh Poimboeuf <jpoimboe@redhat.com>
Subject: [PATCH v8 00/12] Retpoline: Avoid speculative indirect calls in kernel
Date: Thu, 11 Jan 2018 21:46:22 +0000
Message-ID: <1515707194-20531-1-git-send-email-dwmw@amazon.co.uk>

This is a mitigation for the 'variant 2' attack described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Using GCC patches available from the hjl/indirect/gcc-7-branch/master
branch of https://github.com/hjl-tools/gcc/commits/hjl and by manually
patching assembler code, all vulnerable indirect branches (that occur
after userspace first runs) are eliminated from the kernel.

They are replaced with a 'retpoline' call sequence which deliberately
prevents speculation.

Fedora 27 packages of the updated compiler are available at
https://koji.fedoraproject.org/koji/taskinfo?taskID=24065739

v1: Initial post.
v2: Add CONFIG_RETPOLINE to build kernel without it.
    Change warning messages.
    Hide modpost warning message
v3: Update to the latest CET-capable retpoline version
    Reinstate ALTERNATIVE support
v4: Finish reconciling Andi's and my patch sets, bug fixes.
    Exclude objtool support for now
    Add 'noretpoline' boot option
    Add AMD retpoline alternative
v5: Silence MODVERSIONS warnings
    Use pause;jmp loop instead of lfence;jmp
    Switch to X86_FEATURE_RETPOLINE positive feature logic
    Emit thunks inline from assembler macros
    Merge AMD support into initial patch
v6: Update to latest GCC patches with no dots in symbols
    Fix MODVERSIONS properly(ish)
    Fix typo breaking 32-bit, introduced in V5
    Never set X86_FEATURE_RETPOLINE_AMD yet, pending confirmation
v7: Further bikeshedding on macro names
    Stuff RSB on kernel entry
    Implement 'spectre_v2=' command line option for IBRS/IBPB too
    Revert to precisely the asm sequences from the Google paper
v8: Re-enable (I won't say "fix") objtool support
    Use numeric labels for GCC compatibility
    Add support for RSB-stuffing on vmexit
    I don't know... other bloody bikeshedding. Can I sleep now?

Andi Kleen (1):
  x86/retpoline/irq32: Convert assembler indirect jumps

David Woodhouse (10):
  objtool: Allow alternatives to be ignored
  x86/retpoline: Add initial retpoline support
  x86/spectre: Add boot time option to select Spectre v2 mitigation
  x86/retpoline/crypto: Convert crypto assembler indirect jumps
  x86/retpoline/entry: Convert entry assembler indirect jumps
  x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
  x86/retpoline/hyperv: Convert assembler indirect jumps
  x86/retpoline/xen: Convert Xen hypercall indirect jumps
  x86/retpoline/checksum32: Convert assembler indirect jumps
  x86/retpoline: Fill return stack buffer on vmexit

Josh Poimboeuf (1):
  objtool: Detect jumps to retpoline thunks

 Documentation/admin-guide/kernel-parameters.txt |  28 ++++
 arch/x86/Kconfig                                |  13 ++
 arch/x86/Makefile                               |  10 ++
 arch/x86/crypto/aesni-intel_asm.S               |   5 +-
 arch/x86/crypto/camellia-aesni-avx-asm_64.S     |   3 +-
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S    |   3 +-
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S       |   3 +-
 arch/x86/entry/entry_32.S                       |   5 +-
 arch/x86/entry/entry_64.S                       |  12 +-
 arch/x86/include/asm/asm-prototypes.h           |  25 +++
 arch/x86/include/asm/cpufeatures.h              |   2 +
 arch/x86/include/asm/mshyperv.h                 |  18 +-
 arch/x86/include/asm/nospec-branch.h            | 209 ++++++++++++++++++++++++
 arch/x86/include/asm/xen/hypercall.h            |   5 +-
 arch/x86/kernel/cpu/bugs.c                      | 158 +++++++++++++++++-
 arch/x86/kernel/ftrace_32.S                     |   6 +-
 arch/x86/kernel/ftrace_64.S                     |   8 +-
 arch/x86/kernel/irq_32.c                        |   9 +-
 arch/x86/kvm/svm.c                              |   4 +
 arch/x86/kvm/vmx.c                              |   4 +
 arch/x86/lib/Makefile                           |   1 +
 arch/x86/lib/checksum_32.S                      |   7 +-
 arch/x86/lib/retpoline.S                        |  48 ++++++
 tools/objtool/check.c                           |  69 +++++++-
 tools/objtool/check.h                           |   2 +-
 25 files changed, 616 insertions(+), 41 deletions(-)
 create mode 100644 arch/x86/include/asm/nospec-branch.h
 create mode 100644 arch/x86/lib/retpoline.S

--
2.7.4
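
An added example, not part of the original message or the patch series: one way to check a build against the statement above that indirect branches are replaced by retpoline sequences is to audit its disassembly. It assumes AT&T-syntax `objdump -d` output and thunk symbols named `__x86_indirect_thunk_<reg>`; the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit AT&T-syntax `objdump -d` text for indirect branches.

# Constructed sample lines in objdump style (not from a real kernel build).
sample_disasm() {
cat <<'EOF'
ffffffff81000100:  ff d0                 callq  *%rax
ffffffff81000102:  e8 19 0f 00 00        callq  ffffffff81001020 <__x86_indirect_thunk_rax>
ffffffff81000107:  ff 24 c5 00 00 00 82  jmpq   *-0x7e000000(,%rax,8)
ffffffff8100010e:  e9 0d 0f 00 00        jmpq   ffffffff81001020 <__x86_indirect_thunk_rax>
ffffffff81000113:  e8 e8 0e 00 00        callq  ffffffff81001000 <do_work>
ffffffff81000118:  c3                    retq
EOF
}

# Raw indirect branches: call/jmp whose operand starts with '*'.
raw_indirect() {
    awk '/(^|[ \t])(call|jmp)[lq]?[ \t]+\*/'
}

# Branches routed through a retpoline thunk symbol
# (assumed naming: __x86_indirect_thunk_<reg>).
thunk_branches() {
    awk '/(^|[ \t])(call|jmp)[lq]?[ \t]+[0-9a-f]+ <__x86_indirect_thunk_[a-z0-9]+>/'
}

# Number of lines on stdin (0 for empty input).
count() {
    awk 'END { print NR }'
}

# Summarise stdin as "raw=<n> thunk=<n>".
audit() {
    input=$(cat)
    raw=$(printf '%s\n' "$input" | raw_indirect | count)
    thunk=$(printf '%s\n' "$input" | thunk_branches | count)
    echo "raw=$raw thunk=$thunk"
}

sample_disasm | audit

# On a real build (assumes a vmlinux in the current directory):
#   objdump -d vmlinux | raw_indirect
```

A raw hit is a site to review, not automatically a gap: the message scopes its claim to branches that occur after userspace first runs, and call sites patched at boot through ALTERNATIVE can still show an indirect form in a static disassembly.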