From: Thomas Gleixner <tglx@linutronix.de>
To: speck@linutronix.de
Subject: [patch V4 09/11] x86/speculation/mds: Add mitigation mode VMWERV
Date: Fri, 22 Feb 2019 23:24:27 +0100 [thread overview]
Message-ID: <20190222224149.881444221@linutronix.de> (raw)
In-Reply-To: 20190222222418.405369026@linutronix.de
From: Thomas Gleixner <tglx@linutronix.de>
In virtualized environments it can happen that the host has the microcode
update which utilizes the VERW instruction to clear CPU buffers, but the
hypervisor is not yet updated to expose the X86_FEATURE_MD_CLEAR CPUID bit
to guests.
Introduce an internal mitigation mode VWWERV which enables the invocation
of the CPU buffer clearing even if X86_FEATURE_MD_CLEAR is not set. If the
system has no updated microcode this results in a pointless execution of
the VERW instruction wasting a few CPU cycles. If the microcode is updated,
but not exposed to a guest then the CPU buffers will be cleared.
That said: Virtual Machines Will Eventually Receive Vaccine
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
V2 -> V3: Rename mode.
---
Documentation/x86/mds.rst | 29 +++++++++++++++++++++++++++++
arch/x86/include/asm/processor.h | 1 +
arch/x86/kernel/cpu/bugs.c | 14 ++++++++------
3 files changed, 38 insertions(+), 6 deletions(-)
--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -90,11 +90,40 @@ The mitigation is invoked on kernel/user
(idle) transitions. Depending on the mitigation mode and the system state
the invocation can be enforced or conditional.
+As a special quirk to address virtualization scenarios where the host has
+the microcode updated, but the hypervisor does not (yet) expose the
+MD_CLEAR CPUID bit to guests, the kernel issues the VERW instruction in the
+hope that it might actually clear the buffers. The state is reflected
+accordingly.
+
According to current knowledge additional mitigations inside the kernel
itself are not required because the necessary gadgets to expose the leaked
data cannot be controlled in a way which allows exploitation from malicious
user space or VM guests.
+
+Kernel internal mitigation modes
+--------------------------------
+
+ ======= ===========================================================
+ off Mitigation is disabled. Either the CPU is not affected or
+ mds=off is supplied on the kernel command line
+
+ full Mitigation is eanbled. CPU is affected and MD_CLEAR is
+ advertised in CPUID.
+
+ vmwerv Mitigation is enabled. CPU is affected and MD_CLEAR is not
+ advertised in CPUID. That is mainly for virtualization
+ scenarios where the host has the updated microcode but the
+ hypervisor does not expose MD_CLEAR in CPUID. It's a best
+ effort approach without guarantee.
+ ======= ===========================================================
+
+If the CPU is affected and mds=off is not supplied on the kernel
+command line then the kernel selects the appropriate mitigation mode
+depending on the availability of the MD_CLEAR CPUID bit.
+
+
Mitigation points
-----------------
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -996,6 +996,7 @@ enum mds_mitigations {
MDS_MITIGATION_OFF,
MDS_MITIGATION_AUTO,
MDS_MITIGATION_FULL,
+ MDS_MITIGATION_VMWERV,
};
#endif /* _ASM_X86_PROCESSOR_H */
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -222,7 +222,8 @@ static enum mds_mitigations mds_mitigati
static const char * const mds_strings[] = {
[MDS_MITIGATION_OFF] = "Vulnerable",
- [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers"
+ [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
+ [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
};
static void mds_select_mitigation(void)
@@ -237,12 +238,12 @@ static void mds_select_mitigation(void)
break;
case MDS_MITIGATION_AUTO:
case MDS_MITIGATION_FULL:
- if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) {
+ case MDS_MITIGATION_VMWERV:
+ if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
mds_mitigation = MDS_MITIGATION_FULL;
- static_branch_enable(&mds_user_clear);
- } else {
- mds_mitigation = MDS_MITIGATION_OFF;
- }
+ else
+ mds_mitigation = MDS_MITIGATION_VMWERV;
+ static_branch_enable(&mds_user_clear);
break;
}
pr_info("%s\n", mds_strings[mds_mitigation]);
@@ -705,6 +706,7 @@ void arch_smt_update(void)
case MDS_MITIGATION_OFF:
break;
case MDS_MITIGATION_FULL:
+ case MDS_MITIGATION_VMWERV:
update_mds_branch_idle();
break;
/* Keep GCC happy */
next prev parent reply other threads:[~2019-02-23 0:04 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-22 22:24 [patch V4 00/11] MDS basics Thomas Gleixner
2019-02-22 22:24 ` [patch V4 01/11] x86/msr-index: Cleanup bit defines Thomas Gleixner
2019-02-22 22:24 ` [patch V4 02/11] x86/speculation/mds: Add basic bug infrastructure for MDS Thomas Gleixner
2019-02-23 1:28 ` [MODERATED] " Linus Torvalds
2019-02-23 7:42 ` Thomas Gleixner
2019-02-27 13:04 ` Thomas Gleixner
2019-02-22 22:24 ` [patch V4 03/11] x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests Thomas Gleixner
2019-02-22 22:24 ` [patch V4 04/11] x86/speculation/mds: Add mds_clear_cpu_buffer() Thomas Gleixner
2019-02-25 16:06 ` [MODERATED] " Frederic Weisbecker
2019-02-26 14:19 ` Josh Poimboeuf
2019-03-01 20:58 ` [MODERATED] Encrypted Message Jon Masters
2019-03-01 22:14 ` Jon Masters
2019-02-26 15:00 ` [MODERATED] Re: [patch V4 04/11] x86/speculation/mds: Add mds_clear_cpu_buffer() David Woodhouse
2019-02-22 22:24 ` [patch V4 05/11] x86/speculation/mds: Clear CPU buffers on exit to user Thomas Gleixner
2019-02-25 21:04 ` [MODERATED] " Greg KH
2019-02-26 15:20 ` Josh Poimboeuf
2019-02-26 20:26 ` Thomas Gleixner
2019-02-22 22:24 ` [patch V4 06/11] x86/speculation/mds: Conditionally clear CPU buffers on idle entry Thomas Gleixner
2019-02-25 21:09 ` [MODERATED] " Greg KH
2019-02-26 15:31 ` Josh Poimboeuf
2019-02-26 20:20 ` Thomas Gleixner
2019-02-22 22:24 ` [patch V4 07/11] x86/speculation/mds: Add mitigation control for MDS Thomas Gleixner
2019-02-25 20:17 ` [MODERATED] " mark gross
2019-02-26 15:50 ` Josh Poimboeuf
2019-02-26 20:16 ` Thomas Gleixner
2019-02-22 22:24 ` [patch V4 08/11] x86/speculation/mds: Add sysfs reporting " Thomas Gleixner
2019-02-22 22:24 ` Thomas Gleixner [this message]
2019-02-23 9:52 ` [MODERATED] Re: [patch V4 09/11] x86/speculation/mds: Add mitigation mode VMWERV Greg KH
2019-02-25 20:31 ` mark gross
2019-02-26 0:34 ` Andrew Cooper
2019-02-26 18:51 ` mark gross
2019-02-26 19:29 ` Thomas Gleixner
2019-02-22 22:24 ` [patch V4 10/11] Documentation: Move L1TF to separate directory Thomas Gleixner
2019-02-23 8:41 ` [MODERATED] " Greg KH
2019-02-22 22:24 ` [patch V4 11/11] Documentation: Add MDS vulnerability documentation Thomas Gleixner
2019-02-23 9:58 ` [MODERATED] " Greg KH
2019-02-26 20:11 ` Thomas Gleixner
2019-02-25 18:02 ` [MODERATED] " Dave Hansen
2019-02-26 20:10 ` Thomas Gleixner
2019-02-23 0:53 ` [MODERATED] Re: [patch V4 00/11] MDS basics Andrew Cooper
2019-02-23 14:12 ` Peter Zijlstra
2019-02-25 16:38 ` mark gross
2019-02-26 19:58 ` Thomas Gleixner
2019-02-26 16:28 ` [MODERATED] " Tyler Hicks
2019-02-26 19:58 ` Thomas Gleixner
2019-02-26 18:58 ` [MODERATED] " Kanth Ghatraju
2019-02-26 19:59 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190222224149.881444221@linutronix.de \
--to=tglx@linutronix.de \
--cc=speck@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).