LKML Archive on lore.kernel.org
* [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
@ 2017-12-27  5:43 Tom Lendacky
  2017-12-27  8:48 ` Dave Hansen
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Tom Lendacky @ 2017-12-27  5:43 UTC (permalink / raw)
  To: x86
  Cc: Dave Hansen, linux-kernel, Ingo Molnar, Andy Lutomirski,
	H. Peter Anvin, Thomas Gleixner, Borislav Petkov

AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against.  The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
 arch/x86/kernel/cpu/common.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c47de4e..7d9e3b0 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
 
 	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
 
-	/* Assume for now that ALL x86 CPUs are insecure */
-	setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+	if (c->x86_vendor != X86_VENDOR_AMD)
+		setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
 
 	fpu__init_system(c);
 
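Review bot: The deleted comment above setup_force_cpu_bug(X86_BUG_CPU_INSECURE) is not replaced, so the new `if (c->x86_vendor != X86_VENDOR_AMD)` carries no in-code reason for the exemption; the rationale lives only in the changelog. A one- or two-line comment on the condition, saying that AMD is left out because it does not permit the faulting speculative references the changelog describes, would keep that visible to whoever next edits early_identify_cpu(). It could also say that the bug flag only sets the default and that pti=on still forces isolation, as stated later in this thread.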

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
  2017-12-27  5:43 [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors Tom Lendacky
@ 2017-12-27  8:48 ` Dave Hansen
  2017-12-27 14:47   ` Tom Lendacky
  2017-12-28  0:20 ` Borislav Petkov
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 10+ messages in thread
From: Dave Hansen @ 2017-12-27  8:48 UTC (permalink / raw)
  To: Tom Lendacky, x86
  Cc: linux-kernel, Ingo Molnar, Andy Lutomirski, H. Peter Anvin,
	Thomas Gleixner, Borislav Petkov

On 12/26/2017 09:43 PM, Tom Lendacky wrote:
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
>  
>  	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
>  
> -	/* Assume for now that ALL x86 CPUs are insecure */
> -	setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
> +	if (c->x86_vendor != X86_VENDOR_AMD)
> +		setup_force_cpu_bug(X86_BUG_CPU_INSECURE);

Does this disable it in a way that it can be turned back on via the
kernel command-line?

This is a rather wide class of issues and I would rather not just
hard-code it in a way that we say one vendor has never and will never be
affected.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
  2017-12-27  8:48 ` Dave Hansen
@ 2017-12-27 14:47   ` Tom Lendacky
  0 siblings, 0 replies; 10+ messages in thread
From: Tom Lendacky @ 2017-12-27 14:47 UTC (permalink / raw)
  To: Dave Hansen, x86
  Cc: linux-kernel, Ingo Molnar, Andy Lutomirski, H. Peter Anvin,
	Thomas Gleixner, Borislav Petkov



On 12/27/2017 2:48 AM, Dave Hansen wrote:
> On 12/26/2017 09:43 PM, Tom Lendacky wrote:
>> --- a/arch/x86/kernel/cpu/common.c
>> +++ b/arch/x86/kernel/cpu/common.c
>> @@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
>>  
>>  	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
>>  
>> -	/* Assume for now that ALL x86 CPUs are insecure */
>> -	setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
>> +	if (c->x86_vendor != X86_VENDOR_AMD)
>> +		setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
> 
> Does this disable it in a way that it can be turned back on via the
> kernel command-line?
> 

Yes, specifying pti=on on the command line will turn kernel page table
isolation on regardless of this setting.

Thanks,
Tom

> This is a rather wide class of issues and I would rather not just
> hard-code it in a way that we say one vendor has never and will never be
> affected.
> 

^ permalink raw reply	[flat|nested] 10+ messages in thread
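
The default and the pti=on override discussed in the messages above, as an added example that is not part of the thread or of the kernel source: a POSIX shell audit that compares the PTI state a host should have under this patch with the `pti` flag in /proc/cpuinfo-style text. The function names, the constructed sample inputs and the rule that a recognised pti= value takes precedence over nopti are assumptions of the example.

```sh
#!/bin/sh
# Added example: does the reported PTI state match this patch's default?
# Assumption of this example: a recognised pti= value wins over nopti.
pti_cmdline_mode() {            # prints on, off or auto
    pti_val="" nopti=0
    set -f; for tok in $1; do   # set -f: no globbing while splitting $1
        case "$tok" in
            pti=on|pti=off|pti=auto) pti_val=${tok#pti=} ;;
            nopti) nopti=1 ;;
        esac
    done; set +f
    [ -n "$pti_val" ] && { echo "$pti_val"; return 0; }
    [ "$nopti" -eq 1 ] && echo off || echo auto
}

# Expected state. $1 = vendor_id string, $2 = mode from pti_cmdline_mode.
pti_expected() {
    case "$2" in
        on|off) echo "$2" ;;
        *)  # auto: with the patch, X86_BUG_CPU_INSECURE is not set on AMD
            if [ "$1" = "AuthenticAMD" ]; then echo off; else echo on; fi ;;
    esac
}

# First value of a "key : value" line in /proc/cpuinfo-style text.
cpuinfo_field() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# Reported state: "pti" is listed in flags when X86_FEATURE_PTI is set.
pti_actual() {
    case " $(cpuinfo_field "$1" flags) " in
        *" pti "*) echo on ;;
        *)         echo off ;;
    esac
}

# $1 = cpuinfo text, $2 = kernel command line. Returns 1 on a mismatch.
pti_audit() {
    vendor=$(cpuinfo_field "$1" vendor_id)
    mode=$(pti_cmdline_mode "$2")
    want=$(pti_expected "$vendor" "$mode")
    have=$(pti_actual "$1")
    if [ "$want" = "$have" ]; then
        echo "ok vendor=$vendor mode=$mode pti=$have"
    else
        echo "MISMATCH vendor=$vendor mode=$mode expected=$want actual=$have"
        return 1
    fi
}

# Constructed samples, not captured from real machines.
AMD_CPUINFO='vendor_id : AuthenticAMD
flags : fpu vme de pse tsc msr'
INTEL_CPUINFO='vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pti'

pti_audit "$AMD_CPUINFO" "root=/dev/sda1 ro quiet"
pti_audit "$AMD_CPUINFO" "root=/dev/sda1 ro pti=on" || true   # flagged
```

On a live host, call `pti_audit "$(cat /proc/cpuinfo)" "$(cat /proc/cmdline)"`.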

* Re: [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
  2017-12-27  5:43 [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors Tom Lendacky
  2017-12-27  8:48 ` Dave Hansen
@ 2017-12-28  0:20 ` Borislav Petkov
  2018-01-03 16:21 ` [tip:x86/pti] " tip-bot for Tom Lendacky
  2018-02-12 15:26 ` [PATCH] " Pavel Machek
  3 siblings, 0 replies; 10+ messages in thread
From: Borislav Petkov @ 2017-12-28  0:20 UTC (permalink / raw)
  To: Tom Lendacky
  Cc: x86, Dave Hansen, linux-kernel, Ingo Molnar, Andy Lutomirski,
	H. Peter Anvin, Thomas Gleixner

On Tue, Dec 26, 2017 at 11:43:54PM -0600, Tom Lendacky wrote:
> AMD processors are not subject to the types of attacks that the kernel
> page table isolation feature protects against.  The AMD microarchitecture
> does not allow memory references, including speculative references, that
> access higher privileged data when running in a lesser privileged mode
> when that access would result in a page fault.
> 
> Disable page table isolation by default on AMD processors by not setting
> the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
> is set.
> 
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
>  arch/x86/kernel/cpu/common.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index c47de4e..7d9e3b0 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
>  
>  	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
>  
> -	/* Assume for now that ALL x86 CPUs are insecure */
> -	setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
> +	if (c->x86_vendor != X86_VENDOR_AMD)
> +		setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
>  
>  	fpu__init_system(c);

Reviewed-by: Borislav Petkov <bp@suse.de>

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [tip:x86/pti] x86/cpu, x86/pti: Do not enable PTI on AMD processors
  2017-12-27  5:43 [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors Tom Lendacky
  2017-12-27  8:48 ` Dave Hansen
  2017-12-28  0:20 ` Borislav Petkov
@ 2018-01-03 16:21 ` " tip-bot for Tom Lendacky
  2018-02-12 15:26 ` [PATCH] " Pavel Machek
  3 siblings, 0 replies; 10+ messages in thread
From: tip-bot for Tom Lendacky @ 2018-01-03 16:21 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: dave.hansen, bp, luto, linux-kernel, hpa, thomas.lendacky, mingo, tglx

Commit-ID:  694d99d40972f12e59a3696effee8a376b79d7c8
Gitweb:     https://git.kernel.org/tip/694d99d40972f12e59a3696effee8a376b79d7c8
Author:     Tom Lendacky <thomas.lendacky@amd.com>
AuthorDate: Tue, 26 Dec 2017 23:43:54 -0600
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Wed, 3 Jan 2018 15:57:59 +0100

x86/cpu, x86/pti: Do not enable PTI on AMD processors

AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against.  The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20171227054354.20369.94587.stgit@tlendack-t1.amdoffice.net

---
 arch/x86/kernel/cpu/common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index f2a94df..b1be494 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
 
 	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
 
-	/* Assume for now that ALL x86 CPUs are insecure */
-	setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+	if (c->x86_vendor != X86_VENDOR_AMD)
+		setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
 
 	fpu__init_system(c);
 
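Review bot: The test on c->x86_vendor exempts every AMD part by vendor ID alone, and with Cc: stable in the tags this blanket condition goes to the stable trees as well. If the set of unaffected CPUs ever has to be narrowed or widened, this single if will need restructuring; a small helper or match table that decides whether X86_BUG_CPU_INSECURE applies would turn that into a data change. It is also worth confirming that c->x86_vendor is already populated on every path through early_identify_cpu() before this line, since the hunk does not show where it is assigned.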

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
  2017-12-27  5:43 [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors Tom Lendacky
                   ` (2 preceding siblings ...)
  2018-01-03 16:21 ` [tip:x86/pti] " tip-bot for Tom Lendacky
@ 2018-02-12 15:26 ` " Pavel Machek
  2018-02-12 15:37   ` Brian Gerst
  2018-02-13 13:21   ` Thomas Gleixner
  3 siblings, 2 replies; 10+ messages in thread
From: Pavel Machek @ 2018-02-12 15:26 UTC (permalink / raw)
  To: Tom Lendacky
  Cc: x86, Dave Hansen, linux-kernel, Ingo Molnar, Andy Lutomirski,
	H. Peter Anvin, Thomas Gleixner, Borislav Petkov


On Tue 2017-12-26 23:43:54, Tom Lendacky wrote:
> AMD processors are not subject to the types of attacks that the kernel
> page table isolation feature protects against.  The AMD microarchitecture
> does not allow memory references, including speculative references, that
> access higher privileged data when running in a lesser privileged mode
> when that access would result in a page fault.
> 
> Disable page table isolation by default on AMD processors by not setting
> the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
> is set.

PTI was originally meant to protect KASLR from memory leaks, before
Spectre was public. I guess that's still valid use on AMD cpus?
								Pavel
								
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
  2018-02-12 15:26 ` [PATCH] " Pavel Machek
@ 2018-02-12 15:37   ` Brian Gerst
  2018-02-13 13:21   ` Thomas Gleixner
  1 sibling, 0 replies; 10+ messages in thread
From: Brian Gerst @ 2018-02-12 15:37 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Tom Lendacky, the arch/x86 maintainers, Dave Hansen,
	Linux Kernel Mailing List, Ingo Molnar, Andy Lutomirski,
	H. Peter Anvin, Thomas Gleixner, Borislav Petkov

On Mon, Feb 12, 2018 at 10:26 AM, Pavel Machek <pavel@ucw.cz> wrote:
> On Tue 2017-12-26 23:43:54, Tom Lendacky wrote:
>> AMD processors are not subject to the types of attacks that the kernel
>> page table isolation feature protects against.  The AMD microarchitecture
>> does not allow memory references, including speculative references, that
>> access higher privileged data when running in a lesser privileged mode
>> when that access would result in a page fault.
>>
>> Disable page table isolation by default on AMD processors by not setting
>> the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
>> is set.
>
> PTI was originally meant to protect KASLR from memory leaks, before
> Spectre was public. I guess that's still valid use on AMD cpus?
>                                                                 Pavel

KASLR leaks are a much lower threat than Meltdown.  Given that no AMD
processor supports PCID, enabling PTI has a much more significant
performance impact for a much smaller benefit.  For the paranoid user
they still have the option to enable PTI at boot, but it should not be
on by default.

--
Brian Gerst

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
  2018-02-12 15:26 ` [PATCH] " Pavel Machek
  2018-02-12 15:37   ` Brian Gerst
@ 2018-02-13 13:21   ` Thomas Gleixner
  1 sibling, 0 replies; 10+ messages in thread
From: Thomas Gleixner @ 2018-02-13 13:21 UTC (permalink / raw)
  To: Pavel Machek
  Cc: Tom Lendacky, x86, Dave Hansen, linux-kernel, Ingo Molnar,
	Andy Lutomirski, H. Peter Anvin, Borislav Petkov

On Mon, 12 Feb 2018, Pavel Machek wrote:

> On Tue 2017-12-26 23:43:54, Tom Lendacky wrote:
> > AMD processors are not subject to the types of attacks that the kernel
> > page table isolation feature protects against.  The AMD microarchitecture
> > does not allow memory references, including speculative references, that
> > access higher privileged data when running in a lesser privileged mode
> > when that access would result in a page fault.
> > 
> > Disable page table isolation by default on AMD processors by not setting
> > the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
> > is set.
> 
> PTI was originally meant to protect KASLR from memory leaks, before
> Spectre was public. I guess that's still valid use on AMD cpus?

The KASLR attacks against which PTI protects are not based on a memory
leak. The KASLR attacks are revealing the kernel virtual address space w/o
revealing any data.

Quite some of those attacks can be mitigated via PTI, but only some of the
attacks work on AMD CPUs. The bulk (and easy to conduct) attacks do not
work on AMD CPUs due to the same reason why Meltdown does not work.

Thanks,

	tglx

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
@ 2018-01-03 19:38 Tim Mouraveiko
  0 siblings, 0 replies; 10+ messages in thread
From: Tim Mouraveiko @ 2018-01-03 19:38 UTC (permalink / raw)
  To: linux-kernel

On 12/26/2017 09:43 PM, Tom Lendacky wrote:
> AMD processors are not subject to the types of attacks that the kernel
> page table isolation feature protects against.

There is no doubt this is a serious flaw. This thread reminded me - about a year ago we 
discovered a software code that bricked an Intel CPU. The software code was executed and 
the processor seized. The Motherboard was reset via the reset button, but the processor 
never came back. It was rather dead - the CPU did not even draw any power. We contacted 
Intel and one of their personnel suggested that they were aware of it. I never quite 
understood if it was a processor feature or a flaw.

Tim

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
@ 2018-01-03 11:07 Ivan Ivanov
  0 siblings, 0 replies; 10+ messages in thread
From: Ivan Ivanov @ 2018-01-03 11:07 UTC (permalink / raw)
  To: linux-kernel, thomas.lendacky

Why is this wonderful tiny patch by Tom Lendacky still not merged? If
it is just Intel who made these insecure CPUs, for which this
"slowdown workaround" is required, why should the AMD CPU owners
suffer from Intel's design faults? "cpu_insecure" is Intel's
problem; according to Tom Lendacky from AMD, AMD CPUs do not need
this "slowdown workaround" which is required for Intel CPUs. Please
merge this patch as soon as possible.

Of course, the Intel employees would be happy to see this patch get
delayed or even not merged, because it's a shame and bad reputation for
their company and products:
>
> I would rather not just hard-code it in a way that we say one vendor has never and will never be affected
>
> --- by Dave Hansen from Intel corporation
>

Luckily, according to LKML, a message with Tom's patch is the Top
Hottest Message viewed! The fate of this patch is being closely
monitored by the people all over the world, and hopefully the Linux
community will not allow any injustice to happen.

On Tue, Dec 26, 2017 at 11:43:54PM -0600, Tom Lendacky wrote:
> AMD processors are not subject to the types of attacks that the kernel
> page table isolation feature protects against.  The AMD microarchitecture
> does not allow memory references, including speculative references, that
> access higher privileged data when running in a lesser privileged mode
> when that access would result in a page fault.
>
> Disable page table isolation by default on AMD processors by not setting
> the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
> is set.
>
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
>  arch/x86/kernel/cpu/common.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index c47de4e..7d9e3b0 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
>
>   setup_force_cpu_cap(X86_FEATURE_ALWAYS);
>
> - /* Assume for now that ALL x86 CPUs are insecure */
> - setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
> + if (c->x86_vendor != X86_VENDOR_AMD)
> + setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
>
>   fpu__init_system(c);
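
Review bot: This quoted copy of the hunk has lost its tab indentation: the added `setup_force_cpu_bug(X86_BUG_CPU_INSECURE);` line sits at the same depth as the `if` above it and the context lines begin with spaces, so the quote would not apply cleanly and reads as if the call were unconditional. A Reviewed-by carries more weight when the quoted patch is left byte-for-byte as posted.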

Reviewed-by: Ivan Ivanov <qmastery16@gmail.com>

Best regards,
Ivan Ivanov,
coreboot project developer
and open-source enthusiast

^ permalink raw reply	[flat|nested] 10+ messages in thread
