* [MODERATED] Re: ***UNCHECKED*** [patch 2/8] [PATCH v1.3.1 2/7] Linux Patch 2
[not found] <20180418141549.54BC46110C@crypto-ml.lab.linutronix.de>
@ 2018-04-18 15:20 ` Borislav Petkov
0 siblings, 0 replies; only message in thread
From: Borislav Petkov @ 2018-04-18 15:20 UTC (permalink / raw)
To: speck
On Thu, Apr 12, 2018 at 10:26:51PM -0400, speck for konrad.wilk_at_oracle.com wrote:
> Documentation/admin-guide/kernel-parameters.txt | 11 +++
> arch/x86/include/asm/cpufeatures.h | 1 +
> arch/x86/include/asm/nospec-branch.h | 6 ++
> arch/x86/kernel/cpu/bugs.c | 93 ++++++++++++++++++++++++-
> arch/x86/kernel/cpu/intel.c | 1 +
> 5 files changed, 111 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 1d1d53f85ddd..2c22ca7e90a6 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2173,6 +2173,15 @@
> md= [HW] RAID subsystems devices and level
> See Documentation/admin-guide/md.rst.
>
> + mdd= [X86] Control memory disambiguation disable mitigation.
> +
> + auto - kernel detects whether your CPU model is
> + vulnerable and picks the most appropiate way
"appropriate"
> + userspace - disable memory disambiguation in userspace,
> + and enable it in the kernel.
> + boot - disable memory disambiguation all the time (default).
> + off - do not control memory disambiguation (insecure)
> +
> mdacon= [MDA]
> Format: <first>,<last>
> Specifies range of consoles to be captured by the MDA.
> @@ -2647,6 +2656,8 @@
> allow data leaks with this option, which is equivalent
> to spectre_v2=off.
>
> + nomdd [X86] Disable all mitigations for the memory disambiguation vulnerability.
> +
> noxsave [BUGS=X86] Disables x86 extended register state save
> and restore using xsave. The kernel will fallback to
> enabling legacy floating-point and sse state.
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 4393c10fcc6f..7490798a70e9 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -333,6 +333,7 @@
> #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
> #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */
> #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
> +#define X86_FEATURE_MDD (18*32+31) /* Intel Memory Disambiguation Disable. */
No need for the "Intel" in the comment - the whole leaf is Intel's.
> /*
> * BUG word(s)
> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
> index f928ad9b143f..2c098a3250eb 100644
> --- a/arch/x86/include/asm/nospec-branch.h
> +++ b/arch/x86/include/asm/nospec-branch.h
> @@ -216,6 +216,12 @@ enum spectre_v2_mitigation {
> SPECTRE_V2_RETPOLINE_AMD,
> SPECTRE_V2_IBRS,
> };
> +/* The MD mitigation variants */
> +enum md_mitigation {
> + MD_NONE,
> + MD_BOOT_ON,
> + MD_KERNEL_ON,
> +};
>
> extern char __indirect_thunk_start[];
> extern char __indirect_thunk_end[];
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 79dfc80c4b9c..561cb228605a 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -27,6 +27,7 @@
> #include <asm/intel-family.h>
>
> static void __init spectre_v2_select_mitigation(void);
> +static void __init md_select_mitigation(void);
>
> void __init check_bugs(void)
> {
> @@ -40,6 +41,8 @@ void __init check_bugs(void)
> /* Select the proper spectre mitigation before patching alternatives */
> spectre_v2_select_mitigation();
>
> + md_select_mitigation();
> +
> #ifdef CONFIG_X86_32
> /*
> * Check whether we are able to run this kernel safely on SMP.
> @@ -311,6 +314,94 @@ static void __init spectre_v2_select_mitigation(void)
> }
> }
>
> +#undef pr_fmt
> +#define pr_fmt(fmt) "MDD: " fmt
> +
> +static enum md_mitigation md_mode = MD_NONE;
> +
> +/* The kernel command line selection */
> +enum md_mitigation_cmd {
> + MD_CMD_NONE,
> + MD_CMD_AUTO,
> + MD_CMD_BOOT_ON,
> + MD_CMD_KERNEL_ON,
> +};
> +
> +static const char *md_strings[] = {
> + [MD_NONE] = "Vulnerable",
> + [MD_BOOT_ON] = "Mitigation: Memory disambiguation disabled at boot",
> + [MD_KERNEL_ON] = "Mitigation: Memory disambiguation disabled in userspace",
> +};
> +
> +static const struct {
> + const char *option;
> + enum md_mitigation_cmd cmd;
> +} md_mitigation_options[] = {
> + { "off", MD_CMD_NONE },
> + { "auto", MD_CMD_AUTO },
> + { "boot", MD_CMD_BOOT_ON },
> + { "userspace", MD_CMD_KERNEL_ON },
> +};
> +
> +static enum md_mitigation_cmd __init md_parse_cmdline(void)
> +{
> + char arg[20];
> + int ret, i;
> + enum md_mitigation_cmd cmd = MD_CMD_AUTO;
> +
> + if (cmdline_find_option_bool(boot_command_line, "nomdd"))
> + return MD_CMD_NONE;
> + else {
> + ret = cmdline_find_option(boot_command_line, "mdd", arg, sizeof(arg));
> + if (ret < 0)
> + return MD_CMD_AUTO;
> +
> + for (i = 0; i < ARRAY_SIZE(md_mitigation_options); i++) {
> + if (!match_option(arg, ret, md_mitigation_options[i].option))
> + continue;
<---- newline here.
> + cmd = md_mitigation_options[i].cmd;
> + break;
> + }
> +
> + if (i >= ARRAY_SIZE(md_mitigation_options)) {
> + pr_err("unknown option (%s). Switching to AUTO select\n", arg);
> + return MD_CMD_AUTO;
> + }
> + }
> +
> + return cmd;
> +}
> +
> +static void __init md_select_mitigation(void)
> +{
> + enum md_mitigation_cmd cmd = md_parse_cmdline();
> + enum md_mitigation mode = MD_NONE;
> +
> + if (!boot_cpu_has_bug(X86_BUG_CPU_MD) &&
> + (cmd == MD_CMD_NONE || cmd == MD_CMD_AUTO))
> + return;
> +
> + switch (cmd) {
> + case MD_CMD_AUTO:
> + case MD_CMD_BOOT_ON:
> + mode = MD_BOOT_ON;
> + break;
> + case MD_CMD_KERNEL_ON:
> + mode = MD_KERNEL_ON;
> + break;
> + case MD_CMD_NONE:
> + break;
> + }
> +
> + if (!boot_cpu_has(X86_FEATURE_MDD))
> + return;
This check should happen as the very first thing on function entry.
Actually, it should go into md_parse_cmdline() because all the parsing
is useless without X86_FEATURE_MDD present and there it should do:
if (!boot_cpu_has(X86_FEATURE_MDD))
return MD_CMD_NONE;
> +
> + md_mode = mode;
> + pr_info("%s\n", md_strings[mode]);
> +
> + if (mode == MD_NONE)
> + setup_clear_cpu_cap(X86_FEATURE_MDD);
> +}
> #undef pr_fmt
>
> #ifdef CONFIG_SYSFS
> @@ -346,6 +437,6 @@ ssize_t cpu_show_md(struct device *dev, struct device_attribute *attr, char *buf
> if (!boot_cpu_has_bug(X86_BUG_CPU_MD))
> return sprintf(buf, "Not affected\n");
>
> - return sprintf(buf, "Vulnerable\n");
> + return sprintf(buf, "%s\n", md_strings[md_mode]);
> }
> #endif
--
Regards/Gruss,
Boris.
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
--
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-04-18 15:20 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20180418141549.54BC46110C@crypto-ml.lab.linutronix.de>
2018-04-18 15:20 ` [MODERATED] Re: ***UNCHECKED*** [patch 2/8] [PATCH v1.3.1 2/7] Linux Patch 2 Borislav Petkov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.