From: Tim Chen <tim.c.chen@linux.intel.com>
To: Thomas Gleixner <tglx@linutronix.de>,
Andy Lutomirski <luto@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg KH <gregkh@linuxfoundation.org>
Cc: Tim Chen <tim.c.chen@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Andi Kleen <ak@linux.intel.com>,
Arjan Van De Ven <arjan.van.de.ven@intel.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH 3/7] x86/enter: Use IBRS on syscall and interrupts
Date: Thu, 4 Jan 2018 09:56:44 -0800 [thread overview]
Message-ID: <0c525c4c6c817e9c42c7ed583d86dc591a86efde.1515086770.git.tim.c.chen@linux.intel.com> (raw)
In-Reply-To: <cover.1515086770.git.tim.c.chen@linux.intel.com>
In-Reply-To: <cover.1515086770.git.tim.c.chen@linux.intel.com>
Set IBRS upon kernel entrance via syscall and interrupts. Clear it
upon exit.
If NMI runs when exiting kernel between IBRS_DISABLE and
SWAPGS, the NMI would have turned on IBRS bit 0 and then it would have
left enabled when exiting the NMI. IBRS bit 0 would then be left
enabled in userland until the next enter kernel.
That is a minor inefficiency only, but we can eliminate it by saving
the MSR when entering the NMI in save_paranoid and restoring it when
exiting the NMI.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
---
arch/x86/entry/entry_64.S | 24 ++++++++++++++++++++++++
arch/x86/entry/entry_64_compat.S | 9 +++++++++
2 files changed, 33 insertions(+)
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 3f72f5c..0c4d542 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -37,6 +37,7 @@
#include <asm/pgtable_types.h>
#include <asm/export.h>
#include <asm/frame.h>
+#include <asm/spec_ctrl.h>
#include <linux/err.h>
#include "calling.h"
@@ -170,6 +171,8 @@ ENTRY(entry_SYSCALL_64_trampoline)
/* Load the top of the task stack into RSP */
movq CPU_ENTRY_AREA_tss + TSS_sp1 + CPU_ENTRY_AREA, %rsp
+ /* Stack is usable, use the non-clobbering IBRS enable: */
+ ENABLE_IBRS
/* Start building the simulated IRET frame. */
pushq $__USER_DS /* pt_regs->ss */
@@ -213,6 +216,8 @@ ENTRY(entry_SYSCALL_64)
* is not required to switch CR3.
*/
movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+ /* Stack is usable, use the non-clobbering IBRS enable: */
+ ENABLE_IBRS
TRACE_IRQS_OFF
@@ -407,6 +412,7 @@ syscall_return_via_sysret:
* We are on the trampoline stack. All regs except RDI are live.
* We can do future final exit work right here.
*/
+ DISABLE_IBRS
SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
popq %rdi
@@ -745,6 +751,7 @@ GLOBAL(swapgs_restore_regs_and_return_to_usermode)
* We can do future final exit work right here.
*/
+ DISABLE_IBRS
SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
/* Restore RDI. */
@@ -832,6 +839,14 @@ native_irq_return_ldt:
SWAPGS /* to kernel GS */
SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi /* to kernel CR3 */
+ /*
+ * Normally we enable IBRS when we switch to kernel's CR3.
+ * But we are going to switch back to user CR3 immediately
+ * in this routine after fixing ESPFIX stack. There is
+ * no vulnerable code branching for IBRS to protect.
+ * We don't toggle IBRS to avoid the cost of two MSR writes.
+ */
+
movq PER_CPU_VAR(espfix_waddr), %rdi
movq %rax, (0*8)(%rdi) /* user RAX */
movq (1*8)(%rsp), %rax /* user RIP */
@@ -965,6 +980,8 @@ ENTRY(switch_to_thread_stack)
SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
movq %rsp, %rdi
movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+ /* Stack is usable, use the non-clobbering IBRS enable: */
+ ENABLE_IBRS
UNWIND_HINT sp_offset=16 sp_reg=ORC_REG_DI
pushq 7*8(%rdi) /* regs->ss */
@@ -1265,6 +1282,7 @@ ENTRY(paranoid_entry)
1:
SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14
+ ENABLE_IBRS_SAVE_AND_CLOBBER save_reg=%r13d
ret
END(paranoid_entry)
@@ -1288,6 +1306,7 @@ ENTRY(paranoid_exit)
testl %ebx, %ebx /* swapgs needed? */
jnz .Lparanoid_exit_no_swapgs
TRACE_IRQS_IRETQ
+ RESTORE_IBRS_CLOBBER save_reg=%r13d
RESTORE_CR3 scratch_reg=%rbx save_reg=%r14
SWAPGS_UNSAFE_STACK
jmp .Lparanoid_exit_restore
@@ -1318,6 +1337,7 @@ ENTRY(error_entry)
SWAPGS
/* We have user CR3. Change to kernel CR3. */
SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
+ ENABLE_IBRS_CLOBBER
.Lerror_entry_from_usermode_after_swapgs:
/* Put us onto the real thread stack. */
@@ -1365,6 +1385,7 @@ ENTRY(error_entry)
*/
SWAPGS
SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
+ ENABLE_IBRS_CLOBBER
jmp .Lerror_entry_done
.Lbstep_iret:
@@ -1379,6 +1400,7 @@ ENTRY(error_entry)
*/
SWAPGS
SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
+ ENABLE_IBRS
/*
* Pretend that the exception came from user mode: set up pt_regs
@@ -1480,6 +1502,7 @@ ENTRY(nmi)
SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx
movq %rsp, %rdx
movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+ ENABLE_IBRS
UNWIND_HINT_IRET_REGS base=%rdx offset=8
pushq 5*8(%rdx) /* pt_regs->ss */
pushq 4*8(%rdx) /* pt_regs->rsp */
@@ -1730,6 +1753,7 @@ end_repeat_nmi:
movq $-1, %rsi
call do_nmi
+ RESTORE_IBRS_CLOBBER save_reg=%r13d
RESTORE_CR3 scratch_reg=%r15 save_reg=%r14
testl %ebx, %ebx /* swapgs needed? */
diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index 40f1700..88ee1c0 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -14,6 +14,7 @@
#include <asm/irqflags.h>
#include <asm/asm.h>
#include <asm/smap.h>
+#include <asm/spec_ctrl.h>
#include <linux/linkage.h>
#include <linux/err.h>
@@ -54,6 +55,7 @@ ENTRY(entry_SYSENTER_compat)
SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+ ENABLE_IBRS
/*
* User tracing code (ptrace or signal handlers) might assume that
@@ -224,6 +226,7 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
* preserved during the C calls inside TRACE_IRQS_OFF anyway.
*/
SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
+ ENABLE_IBRS_CLOBBER /* clobbers %rax, %rcx, %rdx */
/*
* User mode is traced as though IRQs are on, and SYSENTER
@@ -240,6 +243,12 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
/* Opportunistic SYSRET */
sysret32_from_system_call:
TRACE_IRQS_ON /* User mode traces as IRQs on. */
+ /*
+ * Clobber of %rax, %rcx, %rdx is OK before register restoring.
+ * This is safe to do here because we have no indirect branches
+ * between here and the return to userspace (sysretl).
+ */
+ DISABLE_IBRS_CLOBBER
movq RBX(%rsp), %rbx /* pt_regs->rbx */
movq RBP(%rsp), %rbp /* pt_regs->rbp */
movq EFLAGS(%rsp), %r11 /* pt_regs->flags (in r11) */
--
2.9.4
next prev parent reply other threads:[~2018-01-04 18:19 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-04 17:56 [PATCH 0/7] IBRS patch series Tim Chen
2018-01-04 17:56 ` [PATCH 1/7] x86/feature: Detect the x86 feature to control Speculation Tim Chen
2018-01-04 19:58 ` Greg KH
2018-01-04 20:47 ` Tim Chen
2018-01-05 11:14 ` David Woodhouse
2018-01-05 15:14 ` Tom Lendacky
2018-01-05 17:07 ` Tim Chen
2018-01-05 13:09 ` Thomas Gleixner
2018-01-05 13:44 ` Andrea Arcangeli
2018-01-05 13:51 ` Thomas Gleixner
2018-01-04 17:56 ` [PATCH 2/7] x86/enter: MACROS to set/clear IBRS Tim Chen
2018-01-04 22:16 ` Peter Zijlstra
2018-01-04 22:21 ` Tim Chen
2018-01-04 22:23 ` Dave Hansen
2018-01-05 4:54 ` Andy Lutomirski
2018-01-05 5:05 ` Dave Hansen
2018-01-05 13:19 ` Thomas Gleixner
2018-01-04 17:56 ` Tim Chen [this message]
2018-01-04 20:00 ` [PATCH 3/7] x86/enter: Use IBRS on syscall and interrupts Greg KH
2018-01-04 20:26 ` Tim Chen
2018-01-04 20:45 ` Dave Hansen
2018-01-04 22:33 ` Peter Zijlstra
2018-01-04 23:12 ` Andrea Arcangeli
2018-01-05 0:08 ` Dave Hansen
2018-01-05 4:51 ` Andy Lutomirski
2018-01-05 5:11 ` Dave Hansen
2018-01-05 12:01 ` Alan Cox
2018-01-05 13:35 ` Thomas Gleixner
2018-01-04 17:56 ` [PATCH 4/7] x86/idle: Disable IBRS entering idle and enable it on wakeup Tim Chen
2018-01-04 22:47 ` Peter Zijlstra
2018-01-04 23:00 ` Andrea Arcangeli
2018-01-04 23:22 ` Tim Chen
2018-01-04 23:42 ` Andrea Arcangeli
2018-01-04 23:45 ` Thomas Gleixner
2018-01-05 0:03 ` Andrea Arcangeli
2018-01-08 8:24 ` Peter Zijlstra
2018-01-04 17:56 ` [PATCH 5/7] x86: Use IBRS for firmware update path Tim Chen
2018-01-04 18:48 ` Alan Cox
2018-01-04 20:05 ` Greg KH
2018-01-04 20:08 ` Woodhouse, David
2018-01-05 16:08 ` gregkh
2018-01-05 16:37 ` Andrea Arcangeli
2018-01-04 20:21 ` Andrew Cooper
2018-01-04 20:48 ` Andrea Arcangeli
2018-01-04 20:51 ` Yves-Alexis Perez
2018-01-04 21:13 ` Tim Chen
2018-01-04 22:51 ` Peter Zijlstra
2018-01-05 13:40 ` Thomas Gleixner
2018-01-04 17:56 ` [PATCH 6/7] x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature Tim Chen
2018-01-04 18:33 ` Borislav Petkov
2018-01-04 18:36 ` Dave Hansen
2018-01-04 18:52 ` Borislav Petkov
2018-01-04 18:57 ` Andrea Arcangeli
2018-01-04 18:59 ` Dave Hansen
2018-01-04 19:06 ` Borislav Petkov
2018-01-05 13:48 ` Thomas Gleixner
2018-01-04 18:38 ` Andrea Arcangeli
2018-01-04 18:54 ` Dave Hansen
2018-01-04 18:56 ` Borislav Petkov
2018-01-04 18:55 ` Borislav Petkov
2018-01-04 18:34 ` Andrea Arcangeli
2018-01-04 19:02 ` Tim Chen
2018-01-04 18:50 ` Alan Cox
2018-01-04 20:16 ` Greg KH
2018-01-04 20:58 ` Tim Chen
2018-01-04 22:54 ` Peter Zijlstra
2018-01-04 23:26 ` Tim Chen
2018-01-04 23:51 ` Andrea Arcangeli
2018-01-04 23:59 ` Borislav Petkov
2018-01-05 0:07 ` Thomas Gleixner
2018-01-05 11:16 ` David Woodhouse
2018-01-06 1:29 ` Tim Chen
2018-01-04 17:56 ` [PATCH 7/7] x86/microcode: Recheck IBRS features on microcode reload Tim Chen
2018-01-04 18:28 ` Borislav Petkov
2018-01-04 18:34 ` Andrea Arcangeli
2018-01-04 18:50 ` Borislav Petkov
2018-01-04 19:10 ` Tim Chen
2018-01-05 13:32 ` Greg KH
2018-01-05 13:37 ` Borislav Petkov
2018-01-05 13:47 ` Greg KH
2018-01-05 15:28 ` Andrea Arcangeli
2018-01-04 19:00 ` [PATCH 0/7] IBRS patch series Linus Torvalds
2018-01-04 19:19 ` David Woodhouse
2018-01-04 19:33 ` Linus Torvalds
2018-01-04 19:39 ` David Woodhouse
2018-01-04 19:40 ` Andrew Cooper
2018-01-04 19:46 ` David Woodhouse
2018-01-04 21:22 ` Van De Ven, Arjan
2018-01-05 11:32 ` Paolo Bonzini
2018-01-05 12:09 ` Paul Turner
2018-01-05 14:45 ` Van De Ven, Arjan
2018-01-05 14:43 ` Andrea Arcangeli
2018-01-05 14:52 ` Van De Ven, Arjan
2018-01-05 15:03 ` Andrea Arcangeli
2018-01-05 14:54 ` Thomas Gleixner
2018-01-05 11:52 ` Paul Turner
2018-01-05 14:28 ` David Woodhouse
2018-01-05 14:42 ` Van De Ven, Arjan
2018-01-05 15:38 ` David Woodhouse
2018-01-05 16:05 ` Andrea Arcangeli
2018-01-05 16:37 ` David Woodhouse
2018-01-05 16:42 ` Andrea Arcangeli
2018-01-05 16:44 ` Van De Ven, Arjan
2018-01-05 16:46 ` David Woodhouse
2018-01-05 5:25 ` Florian Weimer
2018-01-05 11:05 ` David Woodhouse
2018-01-04 19:05 ` Justin Forbes
2018-01-04 19:10 ` Tim Chen
2018-01-04 21:01 ` Yves-Alexis Perez
2018-01-05 13:28 ` Greg KH
2018-01-05 13:47 ` Yves-Alexis Perez
2018-01-05 14:01 ` Greg KH
2018-01-05 14:26 ` Paolo Bonzini
2018-01-05 14:54 ` Yves-Alexis Perez
2018-01-05 12:27 [PATCH 3/7] x86/enter: Use IBRS on syscall and interrupts Dr. David Alan Gilbert
2018-01-05 18:00 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0c525c4c6c817e9c42c7ed583d86dc591a86efde.1515086770.git.tim.c.chen@linux.intel.com \
--to=tim.c.chen@linux.intel.com \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=arjan.van.de.ven@intel.com \
--cc=dave.hansen@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).