tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

x86/cpufeatures: Enumerate the LASS feature bits

Linear Address Space Separation (LASS) is a security feature that
mitigates a class of side-channel attacks relying on speculative access
across the user/kernel boundary.

Privilege mode based access protection already exists today with paging
and features such as SMEP and SMAP. However, to enforce these
protections, the processor must traverse the paging structures in
memory. An attacker can use timing information resulting from this
traversal to determine details about the paging structures, and to
determine the layout of the kernel memory.

LASS provides the same mode-based protections as paging but without
traversing the paging structures. Because the protections are enforced
prior to page-walks, an attacker will not be able to derive paging-based
timing information from the various caching structures such as the TLBs,
mid-level caches, page walker, data caches, etc.

LASS enforcement relies on the kernel implementation to divide the
64-bit virtual address space into two halves:
Addr[63]=0 -> User address space
Addr[63]=1 -> Kernel address space

Any data access or code execution across address spaces typically
results in a #GP fault, with an #SS generated in some rare cases. The
LASS enforcement for kernel data accesses is dependent on CR4.SMAP being
set. The enforcement can be disabled by toggling the RFLAGS.AC bit
similar to SMAP.

Define the CPU feature bits to enumerate LASS. Also, disable the feature
at compile time on 32-bit kernels. Use a direct dependency on X86_32
(instead of !X86_64) to make it easier to combine with similar 32-bit
specific dependencies in the future.

LASS mitigates a class of side-channel speculative attacks, such as
Spectre LAM, described in the paper, "Leaky Address Masking: Exploiting
Unmasked Spectre Gadgets with Noncanonical Address Translation".

Add the "lass" flag to /proc/cpuinfo to indicate that the feature is
supported by hardware and enabled by the kernel. This allows userspace
to determine if the system is secure against such attacks.

Signed-off-by: Sohil Mehta <sohil.mehta@intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Xin Li (Intel) <xin@zytor.com>
Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://patch.msgid.link/20251118182911.2983253-2-sohil.mehta%40intel.com

authored by

Sohil Mehta and committed by
Dave Hansen 7baadd46 ddde4aba

+7
+4
arch/x86/Kconfig.cpufeatures
··· 124 124 def_bool y 125 125 depends on !X86_64 126 126 127 + config X86_DISABLED_FEATURE_LASS 128 + def_bool y 129 + depends on X86_32 130 + 127 131 config X86_DISABLED_FEATURE_PKU 128 132 def_bool y 129 133 depends on !X86_INTEL_MEMORY_PROTECTION_KEYS
+1
arch/x86/include/asm/cpufeatures.h
··· 314 314 #define X86_FEATURE_SM4 (12*32+ 2) /* SM4 instructions */ 315 315 #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* "avx_vnni" AVX VNNI instructions */ 316 316 #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* "avx512_bf16" AVX512 BFLOAT16 instructions */ 317 + #define X86_FEATURE_LASS (12*32+ 6) /* "lass" Linear Address Space Separation */ 317 318 #define X86_FEATURE_CMPCCXADD (12*32+ 7) /* CMPccXADD instructions */ 318 319 #define X86_FEATURE_ARCH_PERFMON_EXT (12*32+ 8) /* Intel Architectural PerfMon Extension */ 319 320 #define X86_FEATURE_FZRM (12*32+10) /* Fast zero-length REP MOVSB */
+2
arch/x86/include/uapi/asm/processor-flags.h
··· 136 136 #define X86_CR4_PKE _BITUL(X86_CR4_PKE_BIT) 137 137 #define X86_CR4_CET_BIT 23 /* enable Control-flow Enforcement Technology */ 138 138 #define X86_CR4_CET _BITUL(X86_CR4_CET_BIT) 139 + #define X86_CR4_LASS_BIT 27 /* enable Linear Address Space Separation support */ 140 + #define X86_CR4_LASS _BITUL(X86_CR4_LASS_BIT) 139 141 #define X86_CR4_LAM_SUP_BIT 28 /* LAM for supervisor pointers */ 140 142 #define X86_CR4_LAM_SUP _BITUL(X86_CR4_LAM_SUP_BIT) 141 143