From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Josh Poimboeuf <jpoimboe@redhat.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Borislav Petkov <bp@suse.de>,
Patrick Colp <patrick.colp@oracle.com>,
Thomas Gleixner <tglx@linutronix.de>
Subject: [PATCH 5.15 03/43] x86/speculation: Add eIBRS + Retpoline options
Date: Wed, 9 Mar 2022 16:59:47 +0100 [thread overview]
Message-ID: <20220309155859.837339341@linuxfoundation.org> (raw)
In-Reply-To: <20220309155859.734715884@linuxfoundation.org>
From: Peter Zijlstra <peterz@infradead.org>
commit 1e19da8522c81bf46b335f84137165741e0d82b7 upstream.
Thanks to the chaps at VUsec it is now clear that eIBRS is not
sufficient, therefore allow enabling of retpolines along with eIBRS.
Add spectre_v2=eibrs, spectre_v2=eibrs,lfence and
spectre_v2=eibrs,retpoline options to explicitly pick your preferred
means of mitigation.
Since there's new mitigations there's also user visible changes in
/sys/devices/system/cpu/vulnerabilities/spectre_v2 to reflect these
new mitigations.
[ bp: Massage commit message, trim error messages,
do more precise eIBRS mode checking. ]
Co-developed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Patrick Colp <patrick.colp@oracle.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/nospec-branch.h | 4 -
arch/x86/kernel/cpu/bugs.c | 133 +++++++++++++++++++++++++----------
2 files changed, 99 insertions(+), 38 deletions(-)
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -177,7 +177,9 @@ enum spectre_v2_mitigation {
SPECTRE_V2_NONE,
SPECTRE_V2_RETPOLINE,
SPECTRE_V2_LFENCE,
- SPECTRE_V2_IBRS_ENHANCED,
+ SPECTRE_V2_EIBRS,
+ SPECTRE_V2_EIBRS_RETPOLINE,
+ SPECTRE_V2_EIBRS_LFENCE,
};
/* The indirect branch speculation control variants */
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -665,6 +665,9 @@ enum spectre_v2_mitigation_cmd {
SPECTRE_V2_CMD_RETPOLINE,
SPECTRE_V2_CMD_RETPOLINE_GENERIC,
SPECTRE_V2_CMD_RETPOLINE_LFENCE,
+ SPECTRE_V2_CMD_EIBRS,
+ SPECTRE_V2_CMD_EIBRS_RETPOLINE,
+ SPECTRE_V2_CMD_EIBRS_LFENCE,
};
enum spectre_v2_user_cmd {
@@ -737,6 +740,13 @@ spectre_v2_parse_user_cmdline(enum spect
return SPECTRE_V2_USER_CMD_AUTO;
}
+static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)
+{
+ return (mode == SPECTRE_V2_EIBRS ||
+ mode == SPECTRE_V2_EIBRS_RETPOLINE ||
+ mode == SPECTRE_V2_EIBRS_LFENCE);
+}
+
static void __init
spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
{
@@ -804,7 +814,7 @@ spectre_v2_user_select_mitigation(enum s
*/
if (!boot_cpu_has(X86_FEATURE_STIBP) ||
!smt_possible ||
- spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
+ spectre_v2_in_eibrs_mode(spectre_v2_enabled))
return;
/*
@@ -826,7 +836,9 @@ static const char * const spectre_v2_str
[SPECTRE_V2_NONE] = "Vulnerable",
[SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines",
[SPECTRE_V2_LFENCE] = "Mitigation: LFENCE",
- [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS",
+ [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS",
+ [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE",
+ [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines",
};
static const struct {
@@ -840,6 +852,9 @@ static const struct {
{ "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
{ "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
{ "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
+ { "eibrs", SPECTRE_V2_CMD_EIBRS, false },
+ { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false },
+ { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false },
{ "auto", SPECTRE_V2_CMD_AUTO, false },
};
@@ -877,15 +892,29 @@ static enum spectre_v2_mitigation_cmd __
if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
- cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) &&
+ cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
+ cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
+ cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
!IS_ENABLED(CONFIG_RETPOLINE)) {
- pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option);
+ pr_err("%s selected but not compiled in. Switching to AUTO select\n",
+ mitigation_options[i].option);
+ return SPECTRE_V2_CMD_AUTO;
+ }
+
+ if ((cmd == SPECTRE_V2_CMD_EIBRS ||
+ cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
+ cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
+ !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
+ pr_err("%s selected but CPU doesn't have eIBRS. Switching to AUTO select\n",
+ mitigation_options[i].option);
return SPECTRE_V2_CMD_AUTO;
}
- if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE) &&
+ if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
+ cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
- pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n", mitigation_options[i].option);
+ pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n",
+ mitigation_options[i].option);
return SPECTRE_V2_CMD_AUTO;
}
@@ -894,6 +923,25 @@ static enum spectre_v2_mitigation_cmd __
return cmd;
}
+static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void)
+{
+ if (!IS_ENABLED(CONFIG_RETPOLINE)) {
+ pr_err("Kernel not compiled with retpoline; no mitigation available!");
+ return SPECTRE_V2_NONE;
+ }
+
+ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
+ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) {
+ if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
+ pr_err("LFENCE not serializing, switching to generic retpoline\n");
+ return SPECTRE_V2_RETPOLINE;
+ }
+ return SPECTRE_V2_LFENCE;
+ }
+
+ return SPECTRE_V2_RETPOLINE;
+}
+
static void __init spectre_v2_select_mitigation(void)
{
enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
@@ -914,49 +962,60 @@ static void __init spectre_v2_select_mit
case SPECTRE_V2_CMD_FORCE:
case SPECTRE_V2_CMD_AUTO:
if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
- mode = SPECTRE_V2_IBRS_ENHANCED;
- /* Force it so VMEXIT will restore correctly */
- x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
- goto specv2_set_mode;
+ mode = SPECTRE_V2_EIBRS;
+ break;
}
- if (IS_ENABLED(CONFIG_RETPOLINE))
- goto retpoline_auto;
+
+ mode = spectre_v2_select_retpoline();
break;
+
case SPECTRE_V2_CMD_RETPOLINE_LFENCE:
- if (IS_ENABLED(CONFIG_RETPOLINE))
- goto retpoline_lfence;
+ mode = SPECTRE_V2_LFENCE;
break;
+
case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
- if (IS_ENABLED(CONFIG_RETPOLINE))
- goto retpoline_generic;
+ mode = SPECTRE_V2_RETPOLINE;
break;
+
case SPECTRE_V2_CMD_RETPOLINE:
- if (IS_ENABLED(CONFIG_RETPOLINE))
- goto retpoline_auto;
+ mode = spectre_v2_select_retpoline();
+ break;
+
+ case SPECTRE_V2_CMD_EIBRS:
+ mode = SPECTRE_V2_EIBRS;
+ break;
+
+ case SPECTRE_V2_CMD_EIBRS_LFENCE:
+ mode = SPECTRE_V2_EIBRS_LFENCE;
+ break;
+
+ case SPECTRE_V2_CMD_EIBRS_RETPOLINE:
+ mode = SPECTRE_V2_EIBRS_RETPOLINE;
break;
}
- pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!");
- return;
-retpoline_auto:
- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
- boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) {
- retpoline_lfence:
- if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
- pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n");
- goto retpoline_generic;
- }
- mode = SPECTRE_V2_LFENCE;
+ if (spectre_v2_in_eibrs_mode(mode)) {
+ /* Force it so VMEXIT will restore correctly */
+ x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+ }
+
+ switch (mode) {
+ case SPECTRE_V2_NONE:
+ case SPECTRE_V2_EIBRS:
+ break;
+
+ case SPECTRE_V2_LFENCE:
+ case SPECTRE_V2_EIBRS_LFENCE:
setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE);
+ fallthrough;
+
+ case SPECTRE_V2_RETPOLINE:
+ case SPECTRE_V2_EIBRS_RETPOLINE:
setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
- } else {
- retpoline_generic:
- mode = SPECTRE_V2_RETPOLINE;
- setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
+ break;
}
-specv2_set_mode:
spectre_v2_enabled = mode;
pr_info("%s\n", spectre_v2_strings[mode]);
@@ -982,7 +1041,7 @@ specv2_set_mode:
* the CPU supports Enhanced IBRS, kernel might un-intentionally not
* enable IBRS around firmware calls.
*/
- if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) {
+ if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_eibrs_mode(mode)) {
setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
pr_info("Enabling Restricted Speculation for firmware calls\n");
}
@@ -1691,7 +1750,7 @@ static ssize_t tsx_async_abort_show_stat
static char *stibp_state(void)
{
- if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
+ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled))
return "";
switch (spectre_v2_user_stibp) {
next prev parent reply other threads:[~2022-03-09 16:15 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-09 15:59 [PATCH 5.15 00/43] 5.15.28-rc1 review Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 01/43] x86,bugs: Unconditionally allow spectre_v2=retpoline,amd Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 02/43] x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE Greg Kroah-Hartman
2022-03-09 15:59 ` Greg Kroah-Hartman [this message]
2022-03-09 15:59 ` [PATCH 5.15 04/43] Documentation/hw-vuln: Update spectre doc Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 05/43] x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 06/43] x86/speculation: Use generic retpoline by default on AMD Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 07/43] x86/speculation: Update link to AMD speculation whitepaper Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 08/43] x86/speculation: Warn about Spectre v2 LFENCE mitigation Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 09/43] x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 10/43] ARM: report Spectre v2 status through sysfs Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 11/43] ARM: early traps initialisation Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 12/43] ARM: use LOADADDR() to get load address of sections Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 13/43] ARM: Spectre-BHB workaround Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 14/43] ARM: include unprivileged BPF status in Spectre V2 reporting Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.15 15/43] arm64: Add Neoverse-N2, Cortex-A710 CPU part definition Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 16/43] arm64: Add HWCAP for self-synchronising virtual counter Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 17/43] arm64: Add Cortex-X2 CPU part definition Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 18/43] arm64: add ID_AA64ISAR2_EL1 sys register Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 19/43] arm64: cpufeature: add HWCAP for FEAT_AFP Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 20/43] arm64: cpufeature: add HWCAP for FEAT_RPRES Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 21/43] arm64: entry.S: Add ventry overflow sanity checks Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 22/43] arm64: spectre: Rename spectre_v4_patch_fw_mitigation_conduit Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 23/43] KVM: arm64: Allow indirect vectors to be used without SPECTRE_V3A Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 24/43] arm64: entry: Make the trampoline cleanup optional Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 25/43] arm64: entry: Free up another register on kptis tramp_exit path Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 26/43] arm64: entry: Move the trampoline data page before the text page Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 27/43] arm64: entry: Allow tramp_alias to access symbols after the 4K boundary Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 28/43] arm64: entry: Dont assume tramp_vectors is the start of the vectors Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 29/43] arm64: entry: Move trampoline macros out of ifdefd section Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 30/43] arm64: entry: Make the kpti trampolines kpti sequence optional Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 31/43] arm64: entry: Allow the trampoline text to occupy multiple pages Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 32/43] arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 33/43] arm64: entry: Add vectors that have the bhb mitigation sequences Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 34/43] arm64: entry: Add macro for reading symbol addresses from the trampoline Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 35/43] arm64: Add percpu vectors for EL1 Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 36/43] arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2 Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 37/43] arm64: Mitigate spectre style branch history side channels Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 38/43] KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 39/43] arm64: Use the clearbhb instruction in mitigations Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 40/43] arm64: proton-pack: Include unprivileged eBPF status in Spectre v2 mitigation reporting Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 41/43] ARM: fix build error when BPF_SYSCALL is disabled Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 42/43] slip: fix macro redefine warning Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.15 43/43] block: drop unused includes in <linux/genhd.h> Greg Kroah-Hartman
2022-03-09 19:39 ` [PATCH 5.15 00/43] 5.15.28-rc1 review Fox Chen
2022-03-09 20:23 ` Shuah Khan
2022-03-09 21:14 ` Daniel Díaz
2022-03-10 3:33 ` Florian Fainelli
2022-03-10 10:30 ` Anders Roxell
2022-03-10 10:52 ` Greg Kroah-Hartman
2022-03-10 4:39 ` Florian Fainelli
2022-03-10 6:00 ` Ron Economos
2022-03-10 8:10 ` Bagas Sanjaya
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220309155859.837339341@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bp@suse.de \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=patrick.colp@oracle.com \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).