From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bp@suse.de>
Received: from mail.linutronix.de (146.0.238.70:993) by
  crypto-ml.lab.linutronix.de with IMAP4-SSL for <speck@linutronix.de>; 20 Feb
  2019 16:27:32 -0000
Received: from mx2.suse.de ([195.135.220.15] helo=mx1.suse.de)
	by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
	(Exim 4.80)
	(envelope-from <bp@suse.de>)
	id 1gwUiY-0000L4-GP
	for speck@linutronix.de; Wed, 20 Feb 2019 17:27:31 +0100
Received: from relay2.suse.de (unknown [195.135.220.254])
	by mx1.suse.de (Postfix) with ESMTP id C177BACEF
	for <speck@linutronix.de>; Wed, 20 Feb 2019 16:27:24 +0000 (UTC)
Date: Wed, 20 Feb 2019 17:27:16 +0100
From: Borislav Petkov <bp@suse.de>
Subject: [MODERATED] Re: [patch V2 01/10] MDS basics+ 1
Message-ID: <20190220162716.GB3304@zn.tnic>
References: <20190220150753.665964899@linutronix.de>
 <20190220151400.026283215@linutronix.de>
MIME-Version: 1.0
In-Reply-To: <20190220151400.026283215@linutronix.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
To: speck@linutronix.de
List-ID: <speck.linutronix.de>

This is fine-tooth comb review, round 2.

On Wed, Feb 20, 2019 at 04:07:54PM +0100, speck for Thomas Gleixner wrote:
> Subject: [patch V2 01/10] x86/speculation/mds: Add basic bug infrastructure=
 for MDS
> From: Andi Kleen <ak@linux.intel.com>
>=20
> Microarchitectural Data Sampling (MDS), is a class of side channel attacks

s/,//

> on internal buffers in Intel CPUs. The variants are:
>=20
>  - Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126)
>  - Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130)
>  - Microarchitectural Load Port Data (MLPDS) (CVE-2018-12127)
				      ^
				      Sampling

> MSBDS leaks Store Buffer Entries which can be speculatively forwarded to a
> dependent load (store-load forwarding) as an optimization. The forward can

AFAIK, that's called "store-to-load" forwarding, abbreviated as STLF in
CPU speak:

https://en.wikipedia.org/wiki/Memory_disambiguation#Store_to_load_forwarding

> also happen to a faulting or assisting load operation for a different
> memory address, which can be exploited under certain conditions. Store
> buffers are partitionened between Hyper-Threads so cross thread forwarding

partitioned

> is not possible. But if a thread enters or exits a sleep state the store
> buffer is repartioned which can expose data from one thread to the other.

"... repartitioned, "

>=20
> MFBDS leaks Fill Buffer Entries. Fill buffers are used internally to manage
> L1 miss situations and to hold data which is returned or sent in response
> to a memory or I/O operation. Fill buffers can forward data to a load
> operation and also write data to the cache. When the fill buffer is
> deallocated it can retain the stale data of the preceeding operations which

WARNING: 'preceeding' may be misspelled - perhaps 'preceding'?

> can then be forwarded to a faulting or assisting load operation, which can
> be exploited under certain conditions. Fill buffers are shared between
> Hyper-Threads so cross thread leakage is possible.
>=20
> MLDPS leaks Load Port Data. Load ports are used to perform load operations
> from memory or I/O. The received data is then forwarded to the register
> file or a subsequent operation. In some implementations the Load Port can
> contain stale data from a previous operation which can be forwarded to
> faulting or assisting loads under certain conditions, which again can be
> exploited eventually. Load poorts are shared between Hyper-Threads so cross

ports

> thread leakage is possible.
>=20
> All variants have the same mitigation for single CPU thread case (SMT off),
> so the kernel can treat them as one MDS issue.
>=20
> Add the basic infrastructure to detect if the current CPU is affected by
> MDS.
>=20
> [ tglx: Rewrote changelog ]
>=20
> Signed-off-by: Andi Kleen <ak@linux.intel.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
>=20
> ---
>  arch/x86/include/asm/cpufeatures.h |    2 ++
>  arch/x86/include/asm/msr-index.h   |    5 +++++
>  arch/x86/kernel/cpu/common.c       |   13 +++++++++++++
>  3 files changed, 20 insertions(+)
>=20
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -344,6 +344,7 @@
>  /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */
>  #define X86_FEATURE_AVX512_4VNNIW	(18*32+ 2) /* AVX-512 Neural Network Ins=
tructions */
>  #define X86_FEATURE_AVX512_4FMAPS	(18*32+ 3) /* AVX-512 Multiply Accumulat=
ion Single precision */
> +#define X86_FEATURE_MD_CLEAR		(18*32+10) /* VERW flushs CPU state */
							   ^
							   flushes


>  #define X86_FEATURE_PCONFIG		(18*32+18) /* Intel PCONFIG */
>  #define X86_FEATURE_SPEC_CTRL		(18*32+26) /* "" Speculation Control (IBRS =
+ IBPB) */
>  #define X86_FEATURE_INTEL_STIBP		(18*32+27) /* "" Single Thread Indirect B=
ranch Predictors */
> @@ -381,5 +382,6 @@
>  #define X86_BUG_SPECTRE_V2		X86_BUG(16) /* CPU is affected by Spectre vari=
ant 2 attack with indirect branches */
>  #define X86_BUG_SPEC_STORE_BYPASS	X86_BUG(17) /* CPU is affected by specul=
ative store bypass attack */
>  #define X86_BUG_L1TF			X86_BUG(18) /* CPU is affected by L1 Terminal Fault=
 */
> +#define X86_BUG_MDS			X86_BUG(19) /* CPU is affected by Microarchitectural=
 data sampling */
> =20
>  #endif /* _ASM_X86_CPUFEATURES_H */

With that addressed:

Reviewed-by: Borislav Petkov <bp@suse.de>

--=20
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imend=C3=B6rffer, Jane Smithard, Graham Norton, HR=
B 21284 (AG N=C3=BCrnberg)
--=20