From: Andi Kleen
Subject: [MODERATED] [PATCH v4 00/28] MDSv4 2
Date: Fri, 11 Jan 2019 17:29:13 -0800
To: speck@linutronix.de
Cc: Andi Kleen

Here's a new version of flushing CPU buffers for group 4.

This mainly covers single thread, not SMT (except for the idle case).

I lumped all the issues together under the Microarchitectural Data Sampling (MDS) name because they need the same mitigations, and it doesn't seem worth duplicating the sysfs files and bug entries.

This version drops support for software sequences, and also does VERW unconditionally unless disabled.

This version implements Linus' suggestion to only clear the CPU buffer when needed. The patch kit is now a lot more complicated: different subsystems determine if they might touch other users' or sensitive data and schedule a cpu clear on next kernel exit.

Generally process context doesn't clear (unless it is cryptographic or does context switches), and interrupt context schedules a clear. There are some exceptions to these rules.

For details on the security model see the Documentation/clearcpu.txt file. In my tests the number of clears is much lower now.

For most benchmarks we tried the difference is in the noise level now. ebizzy and loopback apache both show about 1.7% degradation.

It makes various assumptions on how kernel code behaves. I did some auditing, but wasn't able to do it for everything. Please double check the assumptions laid out in the document.

Likely a lot more interrupt and timer handlers (and tasklets and irq poll handlers) could be white listed to not need clear, but I only did a fairly minimum set for now that I could test.

For some of the white listed code, especially the networking and block softirqs, as well as the EBPF mitigation, some additional auditing that no rules are violated would be useful.

Some notes:
- Against 5.0-rc1

Changes against previous versions:
- Remove software sequences
- Make VERW unconditional
- Improved documentation
- Some other minor changes

Changes against previous versions:
- By default now flushes only when needed
- Define security model
- New administrator document
- Added mds=verw and mds=full
- Renamed mds_disable to mds=off
- KVM virtualization much improved
- Too many others to list. Most things different now.

Andi Kleen (28):
  x86/speculation/mds: Add basic bug infrastructure for MDS
  x86/speculation/mds: Add mds=off
  x86/speculation/mds: Support clearing CPU data on kernel exit
  x86/speculation/mds: Support mds=full
  x86/speculation/mds: Clear CPU buffers on entering idle
  x86/speculation/mds: Add sysfs reporting
  x86/speculation/mds: Support mds=full for NMIs
  x86/speculation/mds: Support mds=full for 32bit NMI
  x86/speculation/mds: Export MD_CLEAR CPUID to KVM guests.
  mds: Add documentation for clear cpu usage
  mds: Add preliminary administrator documentation
  x86/speculation/mds: Introduce lazy_clear_cpu
  x86/speculation/mds: Schedule cpu clear on context switch
  x86/speculation/mds: Add tracing for clear_cpu
  mds: Force clear cpu on kernel preemption
  mds: Schedule cpu clear for memzero_explicit and kzfree
  mds: Mark interrupts clear cpu, unless opted-out
  mds: Clear cpu on all timers, unless the timer opts-out
  mds: Clear CPU on tasklets, unless opted-out
  mds: Clear CPU on irq poll, unless opted-out
  mds: Clear cpu for string io/memcpy_*io in interrupts
  mds: Schedule clear cpu in swiotlb
  mds: Instrument skb functions to clear cpu automatically
  mds: Opt out tcp tasklet to not touch user data
  mds: mark kernel/* timers safe as not touching user data
  mds: Mark AHCI interrupt as not needing cpu clear
  mds: Mark ACPI interrupt as not needing cpu clear
  mds: Mitigate BPF

 .../ABI/testing/sysfs-devices-system-cpu      |   1 +
 .../admin-guide/kernel-parameters.txt         |   8 +
 Documentation/admin-guide/mds.rst             | 108 +++++++++++
 Documentation/clearcpu.txt                    | 173 ++++++++++++++++++
 arch/Kconfig                                  |   3 +
 arch/x86/Kconfig                              |   1 +
 arch/x86/entry/common.c                       |  13 +-
 arch/x86/entry/entry_32.S                     |   6 +
 arch/x86/entry/entry_64.S                     |  12 ++
 arch/x86/include/asm/clearbpf.h               |  29 +++
 arch/x86/include/asm/clearcpu.h               |  92 ++++++++++
 arch/x86/include/asm/cpufeatures.h            |   3 +
 arch/x86/include/asm/io.h                     |   3 +
 arch/x86/include/asm/msr-index.h              |   1 +
 arch/x86/include/asm/thread_info.h            |   2 +
 arch/x86/include/asm/trace/clearcpu.h         |  27 +++
 arch/x86/kernel/acpi/cstate.c                 |   2 +
 arch/x86/kernel/cpu/bugs.c                    |  46 +++++
 arch/x86/kernel/cpu/common.c                  |  14 ++
 arch/x86/kernel/kvm.c                         |   3 +
 arch/x86/kernel/process.c                     |   5 +
 arch/x86/kernel/process.h                     |  27 +++
 arch/x86/kernel/smpboot.c                     |   3 +
 arch/x86/kvm/cpuid.c                          |   3 +-
 drivers/acpi/acpi_pad.c                       |   2 +
 drivers/acpi/osl.c                            |   3 +-
 drivers/acpi/processor_idle.c                 |   3 +
 drivers/ata/ahci.c                            |   2 +-
 drivers/ata/ahci.h                            |   2 +
 drivers/ata/libahci.c                         |  40 ++--
 drivers/base/cpu.c                            |   8 +
 drivers/idle/intel_idle.c                     |   5 +
 include/asm-generic/io.h                      |   3 +
 include/linux/clearcpu.h                      |  36 ++++
 include/linux/filter.h                        |  21 ++-
 include/linux/hrtimer.h                       |   4 +
 include/linux/interrupt.h                     |  18 +-
 include/linux/irq_poll.h                      |   2 +
 include/linux/skbuff.h                        |   2 +
 include/linux/timer.h                         |   9 +-
 kernel/bpf/core.c                             |   2 +
 kernel/dma/swiotlb.c                          |   2 +
 kernel/events/core.c                          |   6 +-
 kernel/fork.c                                 |   3 +-
 kernel/futex.c                                |   6 +-
 kernel/irq/handle.c                           |   8 +
 kernel/irq/manage.c                           |   1 +
 kernel/sched/core.c                           |  14 +-
 kernel/sched/deadline.c                       |   6 +-
 kernel/sched/fair.c                           |   7 +-
 kernel/sched/idle.c                           |   3 +-
 kernel/sched/rt.c                             |   3 +-
 kernel/softirq.c                              |  25 ++-
 kernel/time/alarmtimer.c                      |   2 +-
 kernel/time/hrtimer.c                         |  11 +-
 kernel/time/posix-timers.c                    |   6 +-
 kernel/time/sched_clock.c                     |   3 +-
 kernel/time/tick-sched.c                      |   6 +-
 kernel/time/timer.c                           |   8 +
 kernel/watchdog.c                             |   3 +-
 lib/irq_poll.c                                |  18 +-
 lib/string.c                                  |   6 +
 mm/slab_common.c                              |   5 +-
 net/core/skbuff.c                             |  26 +++
 net/ipv4/tcp_output.c                         |   5 +-
 65 files changed, 869 insertions(+), 61 deletions(-)
 create mode 100644 Documentation/admin-guide/mds.rst
 create mode 100644 Documentation/clearcpu.txt
 create mode 100644 arch/x86/include/asm/clearbpf.h
 create mode 100644 arch/x86/include/asm/clearcpu.h
 create mode 100644 arch/x86/include/asm/trace/clearcpu.h
 create mode 100644 include/linux/clearcpu.h

-- 
2.17.2
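
The "schedule a cpu clear on next kernel exit" model in the cover letter above, as a small user-space simulation. This is an added example, not code from the patch series: every identifier and the sample trace are hypothetical, and treating mds=full as "clear on every kernel exit" is an assumption of the example.

```c
/* Added example: user-space model of the lazy clear policy (names hypothetical). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum mds_mode { MDS_OFF, MDS_LAZY, MDS_FULL };  /* MDS_FULL semantics assumed */

enum event {
    EV_SYSCALL_WORK,   /* ordinary process-context work: nothing scheduled */
    EV_CONTEXT_SWITCH, /* process context that switches tasks */
    EV_MEMZERO,        /* wiping sensitive data (memzero_explicit/kzfree) */
    EV_IRQ,            /* interrupt handler that has not opted out */
    EV_IRQ_OPTED_OUT,  /* handler marked as not touching user data */
    EV_KERNEL_EXIT,    /* return to user space */
};

/* Constructed sample trace containing six kernel exits. */
static const enum event sample_trace[] = {
    EV_SYSCALL_WORK, EV_KERNEL_EXIT,
    EV_IRQ_OPTED_OUT, EV_KERNEL_EXIT,
    EV_IRQ, EV_KERNEL_EXIT,
    EV_SYSCALL_WORK, EV_CONTEXT_SWITCH, EV_KERNEL_EXIT,
    EV_MEMZERO, EV_KERNEL_EXIT,
    EV_SYSCALL_WORK, EV_KERNEL_EXIT,
};
#define SAMPLE_LEN (sizeof(sample_trace) / sizeof(sample_trace[0]))

/* Returns how many buffer clears the trace costs under the given mode. */
unsigned count_clears(enum mds_mode mode, const enum event *trace, size_t n)
{
    bool pending = false;  /* the "clear on next kernel exit" flag */
    unsigned clears = 0;
    for (size_t i = 0; i < n; i++) {
        switch (trace[i]) {
        case EV_CONTEXT_SWITCH: case EV_MEMZERO: case EV_IRQ:
            pending = true;        /* schedule the clear, do not run it yet */
            break;
        case EV_KERNEL_EXIT:
            if (mode == MDS_FULL || (mode == MDS_LAZY && pending))
                clears++;          /* point where the clear would execute */
            pending = false;
            break;
        default:                   /* plain work or an opted-out handler */
            break;
        }
    }
    return clears;
}

int main(void)
{
    printf("off=%u lazy=%u full=%u\n",
           count_clears(MDS_OFF, sample_trace, SAMPLE_LEN),
           count_clears(MDS_LAZY, sample_trace, SAMPLE_LEN),
           count_clears(MDS_FULL, sample_trace, SAMPLE_LEN));
    return 0;
}
```

An opt-out that is wrong (a handler that does touch user data but is modelled as EV_IRQ_OPTED_OUT) shows up here as an exit with no clear, which is the case the requested auditing is meant to catch.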