commit 7cc765a67d8e04ef7d772425ca5a2a1e2b894c15 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

x86/speculation: Enable prctl mode for spectre_v2_user

Now that all prerequisites are in place:

- Add the prctl command line option

- Default the 'auto' mode to 'prctl'

- When SMT state changes, update the static key which controls the
conditional STIBP evaluation on context switch.

- At init update the static key which controls the conditional IBPB
evaluation on context switch.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Casey Schaufler <casey.schaufler@intel.com>
Cc: Asit Mallick <asit.k.mallick@intel.com>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Waiman Long <longman9394@gmail.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Dave Stewart <david.c.stewart@intel.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20181125185005.958421388@linutronix.de

Thomas Gleixner 7 years ago 7cc765a6 9137bb27

+38 -10

2 changed files

expand all

unified split

Documentation

admin-guide

kernel-parameters.txt

arch

x86

kernel

cpu

bugs.c

+6 -1

Documentation/admin-guide/kernel-parameters.txt

··· 4236 off - Unconditionally disable mitigations. Is 4237 enforced by spectre_v2=off 4238 4239 auto - Kernel selects the mitigation depending on 4240 the available CPU features and vulnerability. 4241 - Default is off. 4242 4243 Not specifying this option is equivalent to 4244 spectre_v2_user=auto.

··· 4236 off - Unconditionally disable mitigations. Is 4237 enforced by spectre_v2=off 4238 4239 + prctl - Indirect branch speculation is enabled, 4240 + but mitigation can be enabled via prctl 4241 + per thread. The mitigation control state 4242 + is inherited on fork. 4243 + 4244 auto - Kernel selects the mitigation depending on 4245 the available CPU features and vulnerability. 4246 + Default is prctl. 4247 4248 Not specifying this option is equivalent to 4249 spectre_v2_user=auto.

+32 -9

arch/x86/kernel/cpu/bugs.c

··· 255 SPECTRE_V2_USER_CMD_NONE, 256 SPECTRE_V2_USER_CMD_AUTO, 257 SPECTRE_V2_USER_CMD_FORCE, 258 }; 259 260 static const char * const spectre_v2_user_strings[] = { 261 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable", 262 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection", 263 }; 264 265 static const struct { ··· 272 { "auto", SPECTRE_V2_USER_CMD_AUTO, false }, 273 { "off", SPECTRE_V2_USER_CMD_NONE, false }, 274 { "on", SPECTRE_V2_USER_CMD_FORCE, true }, 275 }; 276 277 static void __init spec_v2_user_print_cond(const char *reason, bool secure) ··· 327 smt_possible = false; 328 329 switch (spectre_v2_parse_user_cmdline(v2_cmd)) { 330 - case SPECTRE_V2_USER_CMD_AUTO: 331 case SPECTRE_V2_USER_CMD_NONE: 332 goto set_mode; 333 case SPECTRE_V2_USER_CMD_FORCE: 334 mode = SPECTRE_V2_USER_STRICT; 335 break; 336 } 337 ··· 345 switch (mode) { 346 case SPECTRE_V2_USER_STRICT: 347 static_branch_enable(&switch_mm_always_ibpb); 348 break; 349 default: 350 break; ··· 361 if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) 362 return; 363 364 set_mode: 365 spectre_v2_user = mode; 366 /* Only print the STIBP mode when SMT possible */ ··· 567 on_each_cpu(update_stibp_msr, NULL, 1); 568 } 569 570 void arch_smt_update(void) 571 { 572 /* Enhanced IBRS implies STIBP. No update required. */ ··· 591 update_stibp_strict(); 592 break; 593 case SPECTRE_V2_USER_PRCTL: 594 break; 595 } 596 ··· 1063 case SPECTRE_V2_USER_STRICT: 1064 return ", STIBP: forced"; 1065 case SPECTRE_V2_USER_PRCTL: 1066 - return ""; 1067 } 1068 return ""; 1069 } ··· 1072 static char *ibpb_state(void) 1073 { 1074 if (boot_cpu_has(X86_FEATURE_IBPB)) { 1075 - switch (spectre_v2_user) { 1076 - case SPECTRE_V2_USER_NONE: 1077 - return ", IBPB: disabled"; 1078 - case SPECTRE_V2_USER_STRICT: 1079 return ", IBPB: always-on"; 1080 - case SPECTRE_V2_USER_PRCTL: 1081 - return ""; 1082 - } 1083 } 1084 return ""; 1085 }

··· 255 SPECTRE_V2_USER_CMD_NONE, 256 SPECTRE_V2_USER_CMD_AUTO, 257 SPECTRE_V2_USER_CMD_FORCE, 258 + SPECTRE_V2_USER_CMD_PRCTL, 259 }; 260 261 static const char * const spectre_v2_user_strings[] = { 262 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable", 263 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection", 264 + [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl", 265 }; 266 267 static const struct { ··· 270 { "auto", SPECTRE_V2_USER_CMD_AUTO, false }, 271 { "off", SPECTRE_V2_USER_CMD_NONE, false }, 272 { "on", SPECTRE_V2_USER_CMD_FORCE, true }, 273 + { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false }, 274 }; 275 276 static void __init spec_v2_user_print_cond(const char *reason, bool secure) ··· 324 smt_possible = false; 325 326 switch (spectre_v2_parse_user_cmdline(v2_cmd)) { 327 case SPECTRE_V2_USER_CMD_NONE: 328 goto set_mode; 329 case SPECTRE_V2_USER_CMD_FORCE: 330 mode = SPECTRE_V2_USER_STRICT; 331 + break; 332 + case SPECTRE_V2_USER_CMD_AUTO: 333 + case SPECTRE_V2_USER_CMD_PRCTL: 334 + mode = SPECTRE_V2_USER_PRCTL; 335 break; 336 } 337 ··· 339 switch (mode) { 340 case SPECTRE_V2_USER_STRICT: 341 static_branch_enable(&switch_mm_always_ibpb); 342 + break; 343 + case SPECTRE_V2_USER_PRCTL: 344 + static_branch_enable(&switch_mm_cond_ibpb); 345 break; 346 default: 347 break; ··· 352 if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) 353 return; 354 355 + /* 356 + * If SMT is not possible or STIBP is not available clear the STIPB 357 + * mode. 358 + */ 359 + if (!smt_possible || !boot_cpu_has(X86_FEATURE_STIBP)) 360 + mode = SPECTRE_V2_USER_NONE; 361 set_mode: 362 spectre_v2_user = mode; 363 /* Only print the STIBP mode when SMT possible */ ··· 552 on_each_cpu(update_stibp_msr, NULL, 1); 553 } 554 555 + /* Update the static key controlling the evaluation of TIF_SPEC_IB */ 556 + static void update_indir_branch_cond(void) 557 + { 558 + if (sched_smt_active()) 559 + static_branch_enable(&switch_to_cond_stibp); 560 + else 561 + static_branch_disable(&switch_to_cond_stibp); 562 + } 563 + 564 void arch_smt_update(void) 565 { 566 /* Enhanced IBRS implies STIBP. No update required. */ ··· 567 update_stibp_strict(); 568 break; 569 case SPECTRE_V2_USER_PRCTL: 570 + update_indir_branch_cond(); 571 break; 572 } 573 ··· 1038 case SPECTRE_V2_USER_STRICT: 1039 return ", STIBP: forced"; 1040 case SPECTRE_V2_USER_PRCTL: 1041 + if (static_key_enabled(&switch_to_cond_stibp)) 1042 + return ", STIBP: conditional"; 1043 } 1044 return ""; 1045 } ··· 1046 static char *ibpb_state(void) 1047 { 1048 if (boot_cpu_has(X86_FEATURE_IBPB)) { 1049 + if (static_key_enabled(&switch_mm_always_ibpb)) 1050 return ", IBPB: always-on"; 1051 + if (static_key_enabled(&switch_mm_cond_ibpb)) 1052 + return ", IBPB: conditional"; 1053 + return ", IBPB: disabled"; 1054 } 1055 return ""; 1056 }