From: mark gross <mgross@linux.intel.com>
To: speck@linutronix.de
Subject: [MODERATED] Re: [PATCH 3/4] V7 more sampling fun 3
Date: Mon, 13 Apr 2020 20:48:43 -0700 [thread overview]
Message-ID: <20200414034843.GA5995@mtg-dev.jf.intel.com> (raw)
In-Reply-To: cover.1586801416.git.mgross@linux.intel.com
On Thu, Jan 16, 2020 at 02:16:07PM -0800, speck for mark gross wrote:
> From: mark gross <mgross@linux.intel.com>
> Subject: [PATCH 3/4] x86/speculation: Special Register Buffer Data Sampling
> (SRBDS) mitigation control.
>
> SRBDS is an MDS-like speculative side channel that can leak bits from
> the RNG across cores and threads. New microcode serializes the processor
> access during the execution of RDRAND and RDSEED. This ensures that the
> shared buffer is overwritten before it is released for reuse.
>
> While it is present on all affected CPU models, the microcode mitigation
> is not needed on models that enumerate ARCH_CAPABILITIES[MDS_NO] in the
> cases where TSX is not supported or has been disabled with TSX_CTRL.
>
> The mitigation is activated by default on affected processors and it
> increases latency for RDRAND and RDSEED instructions. Among other
> effects this will reduce throughput from /dev/urandom.
>
> * enable administrator to configure the mitigation off when desired
> using either mitigations=off or srbds=off.
> * export vulnerability status via sysfs
> * rename file scoped macros to apply for non-whitelist table
> initializations.
>
> Signed-off-by: Mark Gross <mgross@linux.intel.com>
> Reviewed-by: Tony Luck <tony.luck@intel.com>
> Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
> ---
> .../ABI/testing/sysfs-devices-system-cpu | 1 +
> .../admin-guide/kernel-parameters.txt | 20 +++
> arch/x86/include/asm/cpufeatures.h | 2 +
> arch/x86/include/asm/msr-index.h | 4 +
> arch/x86/kernel/cpu/bugs.c | 116 ++++++++++++++++++
> arch/x86/kernel/cpu/common.c | 53 ++++++++
> arch/x86/kernel/cpu/cpu.h | 2 +
> drivers/base/cpu.c | 8 ++
> 8 files changed, 206 insertions(+)
>
> diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
> index 2e0e3b45d02a..b39531a3c5bc 100644
> --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
> +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
> @@ -492,6 +492,7 @@ What: /sys/devices/system/cpu/vulnerabilities
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
> /sys/devices/system/cpu/vulnerabilities/l1tf
> /sys/devices/system/cpu/vulnerabilities/mds
> + /sys/devices/system/cpu/vulnerabilities/srbds
> /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
> /sys/devices/system/cpu/vulnerabilities/itlb_multihit
> Date: January 2018
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index f2a93c8679e8..6bc125ff09da 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -4757,6 +4757,26 @@
> the kernel will oops in either "warn" or "fatal"
> mode.
>
> + srbds= [X86,INTEL]
> + Control mitigation for the Special Register
> + Buffer Data Sampling (SRBDS) mitigation.
> +
> + Certain CPUs are vulnerable to an MDS-like
> + exploit which can leak bits from the random
> + number generator.
> +
> + By default, this issue is mitigated by
> + microcode. However, the microcode fix can cause
> + the RDRAND and RDSEED instructions to become
> + much slower. Among other effects, this will
> + result in reduced throughput from /dev/urandom.
> +
> + The microcode mitigation can be disabled with
> + the following option:
> +
> + off: Disable mitigation and remove
> + performance impact to RDRAND and RDSEED
> +
> srcutree.counter_wrap_check [KNL]
> Specifies how frequently to check for
> grace-period sequence counter wrap for the
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index db189945e9b0..02dabc9e77b0 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -362,6 +362,7 @@
> #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */
> #define X86_FEATURE_FSRM (18*32+ 4) /* Fast Short Rep Mov */
> #define X86_FEATURE_AVX512_VP2INTERSECT (18*32+ 8) /* AVX-512 Intersect for D/Q */
> +#define X86_FEATURE_SRBDS_CTRL (18*32+ 9) /* "" SRBDS mitigation MSR available */
> #define X86_FEATURE_MD_CLEAR (18*32+10) /* VERW clears CPU buffers */
> #define X86_FEATURE_TSX_FORCE_ABORT (18*32+13) /* "" TSX_FORCE_ABORT */
> #define X86_FEATURE_PCONFIG (18*32+18) /* Intel PCONFIG */
> @@ -407,5 +408,6 @@
> #define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
> #define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
> #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
> +#define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
>
> #endif /* _ASM_X86_CPUFEATURES_H */
> diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
> index 12c9684d59ba..3efde600a674 100644
> --- a/arch/x86/include/asm/msr-index.h
> +++ b/arch/x86/include/asm/msr-index.h
> @@ -128,6 +128,10 @@
> #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */
> #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */
>
> +/* SRBDS support */
> +#define MSR_IA32_MCU_OPT_CTRL 0x00000123
> +#define RNGDS_MITG_DIS BIT(0)
> +
> #define MSR_IA32_SYSENTER_CS 0x00000174
> #define MSR_IA32_SYSENTER_ESP 0x00000175
> #define MSR_IA32_SYSENTER_EIP 0x00000176
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index ed54b3b21c39..addef92109fe 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -41,6 +41,7 @@ static void __init l1tf_select_mitigation(void);
> static void __init mds_select_mitigation(void);
> static void __init mds_print_mitigation(void);
> static void __init taa_select_mitigation(void);
> +static void __init srbds_select_mitigation(void);
>
> /* The base value of the SPEC_CTRL MSR that always has to be preserved. */
> u64 x86_spec_ctrl_base;
> @@ -108,6 +109,7 @@ void __init check_bugs(void)
> l1tf_select_mitigation();
> mds_select_mitigation();
> taa_select_mitigation();
> + srbds_select_mitigation();
>
> /*
> * As MDS and TAA mitigations are inter-related, print MDS
> @@ -397,6 +399,107 @@ static int __init tsx_async_abort_parse_cmdline(char *str)
> }
> early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
>
> +#undef pr_fmt
> +#define pr_fmt(fmt) "SRBDS: " fmt
> +
> +enum srbds_mitigations {
> + SRBDS_MITIGATION_OFF,
> + SRBDS_MITIGATION_UCODE_NEEDED,
> + SRBDS_MITIGATION_FULL,
> + SRBDS_MITIGATION_NOT_AFFECTED_TSX_OFF,
> + SRBDS_MITIGATION_HYPERVISOR,
> +};
> +
> +static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL;
> +static const char * const srbds_strings[] = {
> + [SRBDS_MITIGATION_OFF] = "Vulnerable",
> + [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
> + [SRBDS_MITIGATION_FULL] = "Mitigated: Microcode",
> + [SRBDS_MITIGATION_NOT_AFFECTED_TSX_OFF] = "Not affected (TSX disabled)",
> + [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
> +};
> +
> +static bool srbds_off;
> +
> +void update_srbds_msr(void)
> +{
> + u64 mcu_ctrl;
> +
> + if (!boot_cpu_has_bug(X86_BUG_SRBDS))
> + return;
> +
> + if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
> + return;
> +
> + if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED)
> + return;
> +
> + rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
> +
> + switch (srbds_mitigation) {
> + case SRBDS_MITIGATION_OFF:
> + case SRBDS_MITIGATION_NOT_AFFECTED_TSX_OFF:
> + mcu_ctrl |= RNGDS_MITG_DIS;
> + break;
> + case SRBDS_MITIGATION_FULL:
> + mcu_ctrl &= ~RNGDS_MITG_DIS;
> + break;
> + default:
> + break;
> + }
> +
> + wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
> +}
> +
> +static void __init srbds_select_mitigation(void)
> +{
> + u64 ia32_cap;
> +
> + if (!boot_cpu_has_bug(X86_BUG_SRBDS))
> + return;
> + /*
> + * Check to see if this is one of the MDS_NO systems supporting
> + * TSX that are only exposed to SRBDS when TSX is enabled.
> + */
> + ia32_cap = x86_read_arch_cap_msr();
> + if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM)) {
> + srbds_mitigation = SRBDS_MITIGATION_NOT_AFFECTED_TSX_OFF;
> + goto out;
> + }
> +
> + if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
> + srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR;
> + goto out;
> + }
> +
> + if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL)) {
> + srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED;
> + goto out;
> + }
> +
> + if (cpu_mitigations_off() || srbds_off) {
> + if (srbds_mitigation != SRBDS_MITIGATION_NOT_AFFECTED_TSX_OFF)
> + srbds_mitigation = SRBDS_MITIGATION_OFF;
> + }
> +out:
The test for cpu_mitigations_off or srbds off needs to be after out:
Otherwise when TSX is off and srbds=off will report the wrong answer.
--mark
> + update_srbds_msr();
> + pr_info("%s\n", srbds_strings[srbds_mitigation]);
> +}
> +
> +static int __init srbds_parse_cmdline(char *str)
> +{
> + if (!str)
> + return -EINVAL;
> +
> + if (!boot_cpu_has_bug(X86_BUG_SRBDS))
> + return 0;
> +
> + srbds_off = !strcmp(str, "off");
> +
> + return 0;
> +}
> +early_param("srbds", srbds_parse_cmdline);
> +
> #undef pr_fmt
> #define pr_fmt(fmt) "Spectre V1 : " fmt
>
> @@ -1528,6 +1631,11 @@ static char *ibpb_state(void)
> return "";
> }
>
> +static ssize_t srbds_show_state(char *buf)
> +{
> + return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
> +}
> +
> static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
> char *buf, unsigned int bug)
> {
> @@ -1572,6 +1680,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
> case X86_BUG_ITLB_MULTIHIT:
> return itlb_multihit_show_state(buf);
>
> + case X86_BUG_SRBDS:
> + return srbds_show_state(buf);
> +
> default:
> break;
> }
> @@ -1618,4 +1729,9 @@ ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr
> {
> return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
> }
> +
> +ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf)
> +{
> + return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS);
> +}
> #endif
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index 2bea1cc8dcb4..2c9be1fd3c72 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -1075,6 +1075,30 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
> {}
> };
>
> +#define VULNBL_INTEL_STEPPING(model, steppings, issues) \
> + X86_MATCH_VENDOR_FAM_MODEL_STEPPING_FEATURE(INTEL, 6, \
> + INTEL_FAM6_##model, steppings, \
> + X86_FEATURE_ANY, issues)
> +
> +#define SRBDS BIT(0)
> +#define SRBDS_IF_TSX BIT(1)
> +
> +static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
> + VULNBL_INTEL_STEPPING(IVYBRIDGE, X86_STEPPING_ANY, SRBDS),
> + VULNBL_INTEL_STEPPING(HASWELL, X86_STEPPING_ANY, SRBDS),
> + VULNBL_INTEL_STEPPING(HASWELL_L, X86_STEPPING_ANY, SRBDS),
> + VULNBL_INTEL_STEPPING(HASWELL_G, X86_STEPPING_ANY, SRBDS),
> + VULNBL_INTEL_STEPPING(BROADWELL_G, X86_STEPPING_ANY, SRBDS),
> + VULNBL_INTEL_STEPPING(BROADWELL, X86_STEPPING_ANY, SRBDS),
> + VULNBL_INTEL_STEPPING(SKYLAKE_L, X86_STEPPING_ANY, SRBDS),
> + VULNBL_INTEL_STEPPING(SKYLAKE, X86_STEPPING_ANY, SRBDS),
> + VULNBL_INTEL_STEPPING(KABYLAKE_L, X86_STEPPINGS(0, 0xA), SRBDS),
> + VULNBL_INTEL_STEPPING(KABYLAKE_L, X86_STEPPINGS(0xB, 0xC), SRBDS_IF_TSX),
> + VULNBL_INTEL_STEPPING(KABYLAKE, X86_STEPPINGS(0, 0xB), SRBDS),
> + VULNBL_INTEL_STEPPING(KABYLAKE, X86_STEPPINGS(0xC, 0xD), SRBDS_IF_TSX),
> + {}
> +};
> +
> static bool __init cpu_matches(unsigned long which, const struct x86_cpu_id *table)
> {
> const struct x86_cpu_id *m = x86_match_cpu(table);
> @@ -1142,6 +1166,34 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
> (ia32_cap & ARCH_CAP_TSX_CTRL_MSR)))
> setup_force_cpu_bug(X86_BUG_TAA);
>
> + if (cpu_matches(SRBDS|SRBDS_IF_TSX, cpu_vuln_blacklist)) {
> + /*
> + * Some parts on the list don't have RDRAND or RDSEED. Make sure
> + * they show as "Not affected".
> + */
> + if (!cpu_has(c, X86_FEATURE_RDRAND) &&
> + !cpu_has(c, X86_FEATURE_RDSEED))
> + goto srbds_not_affected;
> + /*
> + * Parts in the blacklist that enumerate MDS_NO are only
> + * vulneralbe if TSX can be used. To handle cases where TSX
> + * gets fused off check to see if TSX is fused off and thus not
> + * affected.
> + *
> + * When running with up to day microcode TSX_CTRL is only
> + * enumerated on parts where TSX fused on.
> + * When running with microcode not supporting TSX_CTRL we check
> + * for RTM
> + */
> + if ((ia32_cap & ARCH_CAP_MDS_NO) &&
> + !((ia32_cap & ARCH_CAP_TSX_CTRL_MSR) ||
> + cpu_has(c, X86_FEATURE_RTM)))
> + goto srbds_not_affected;
> +
> + setup_force_cpu_bug(X86_BUG_SRBDS);
> + }
> +srbds_not_affected:
> +
> if (cpu_matches(NO_MELTDOWN, cpu_vuln_whitelist))
> return;
>
> @@ -1594,6 +1646,7 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c)
> mtrr_ap_init();
> validate_apic_and_package_id(c);
> x86_spec_ctrl_setup_ap();
> + update_srbds_msr();
> }
>
> static __init int setup_noclflush(char *arg)
> diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
> index 37fdefd14f28..f3e2fc44dba0 100644
> --- a/arch/x86/kernel/cpu/cpu.h
> +++ b/arch/x86/kernel/cpu/cpu.h
> @@ -44,6 +44,8 @@ struct _tlb_table {
> extern const struct cpu_dev *const __x86_cpu_dev_start[],
> *const __x86_cpu_dev_end[];
>
> +void update_srbds_msr(void);
> +
> #ifdef CONFIG_CPU_SUP_INTEL
> enum tsx_ctrl_states {
> TSX_CTRL_ENABLE,
> diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
> index 9a1c00fbbaef..d2136ab9b14a 100644
> --- a/drivers/base/cpu.c
> +++ b/drivers/base/cpu.c
> @@ -562,6 +562,12 @@ ssize_t __weak cpu_show_itlb_multihit(struct device *dev,
> return sprintf(buf, "Not affected\n");
> }
>
> +ssize_t __weak cpu_show_srbds(struct device *dev,
> + struct device_attribute *attr, char *buf)
> +{
> + return sprintf(buf, "Not affected\n");
> +}
> +
> static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
> static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
> static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
> @@ -570,6 +576,7 @@ static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL);
> static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL);
> static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
> static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
> +static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
>
> static struct attribute *cpu_root_vulnerabilities_attrs[] = {
> &dev_attr_meltdown.attr,
> @@ -580,6 +587,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
> &dev_attr_mds.attr,
> &dev_attr_tsx_async_abort.attr,
> &dev_attr_itlb_multihit.attr,
> + &dev_attr_srbds.attr,
> NULL
> };
>
> --
> 2.17.1
next prev parent reply other threads:[~2020-04-14 3:48 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-13 18:10 [MODERATED] [PATCH 0/4] V7 more sampling fun 0 mark gross
2020-01-16 22:16 ` [MODERATED] [PATCH 3/4] V7 more sampling fun 3 mark gross
2020-01-30 19:12 ` [MODERATED] [PATCH 4/4] V7 more sampling fun 4 mark gross
2020-03-17 0:56 ` [MODERATED] [PATCH 2/4] V7 more sampling fun 2 mark gross
2020-03-17 0:56 ` [MODERATED] [PATCH 1/4] V7 more sampling fun 1 mark gross
2020-04-14 3:48 ` mark gross [this message]
2020-04-14 16:23 ` [PATCH 3/4] V7 more sampling fun 3 Thomas Gleixner
2020-04-14 20:03 ` [MODERATED] " mark gross
2020-04-14 10:58 ` Thomas Gleixner
2020-04-14 16:43 ` [MODERATED] " mark gross
2020-04-14 20:02 ` Josh Poimboeuf
2020-04-14 21:03 ` mark gross
2020-04-14 21:23 ` Josh Poimboeuf
2020-04-14 21:53 ` mark gross
2020-04-14 20:05 ` Josh Poimboeuf
2020-04-14 21:59 ` mark gross
2020-04-14 22:46 ` Josh Poimboeuf
2020-04-15 20:59 ` mark gross
2020-04-15 12:58 ` Thomas Gleixner
2020-04-15 22:21 ` [MODERATED] " mark gross
2020-04-15 17:51 ` [MODERATED] Re: [PATCH 1/4] V7 more sampling fun 1 Borislav Petkov
2020-04-15 23:58 ` mark gross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200414034843.GA5995@mtg-dev.jf.intel.com \
--to=mgross@linux.intel.com \
--cc=speck@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).