tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'x86-urgent-2023-03-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 updates from Thomas Gleixner:
"A small set of updates for x86:

- Return -EIO instead of success when the certificate buffer for SEV
guests is not large enough

- Allow STIPB to be enabled with legacy IBSR. Legacy IBRS is cleared
on return to userspace for performance reasons, but the leaves user
space vulnerable to cross-thread attacks which STIBP prevents.
Update the documentation accordingly"

* tag 'x86-urgent-2023-03-05' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
virt/sev-guest: Return -EIO if certificate buffer is not large enough
Documentation/hw-vuln: Document the interaction between IBRS and STIBP
x86/speculation: Allow enabling STIBP with legacy IBRS

Linus Torvalds 7f9ec7d8 4e9c542c

options
unified split
Changed files
+51 -15
Documentation
admin-guide
hw-vuln
spectre.rst
arch
x86
kernel
cpu
bugs.c
drivers
virt
coco
sev-guest
sev-guest.c
+16 -5
Documentation/admin-guide/hw-vuln/spectre.rst
··· 479 479 On Intel Skylake-era systems the mitigation covers most, but not all, 480 480 cases. See :ref:`[3] <spec_ref3>` for more details. 481 481 482 - On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced 483 - IBRS on x86), retpoline is automatically disabled at run time. 482 + On CPUs with hardware mitigation for Spectre variant 2 (e.g. IBRS 483 + or enhanced IBRS on x86), retpoline is automatically disabled at run time. 484 + 485 + Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at 486 + boot, by setting the IBRS bit, and they're automatically protected against 487 + Spectre v2 variant attacks, including cross-thread branch target injections 488 + on SMT systems (STIBP). In other words, eIBRS enables STIBP too. 489 + 490 + Legacy IBRS systems clear the IBRS bit on exit to userspace and 491 + therefore explicitly enable STIBP for that 484 492 485 493 The retpoline mitigation is turned on by default on vulnerable 486 494 CPUs. It can be forced on or off by the administrator ··· 512 504 For Spectre variant 2 mitigation, individual user programs 513 505 can be compiled with return trampolines for indirect branches. 514 506 This protects them from consuming poisoned entries in the branch 515 - target buffer left by malicious software. Alternatively, the 516 - programs can disable their indirect branch speculation via prctl() 517 - (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`). 507 + target buffer left by malicious software. 508 + 509 + On legacy IBRS systems, at return to userspace, implicit STIBP is disabled 510 + because the kernel clears the IBRS bit. In this case, the userspace programs 511 + can disable indirect branch speculation via prctl() (See 512 + :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`). 518 513 On x86, this will turn on STIBP to guard against attacks from the 519 514 sibling thread when the user program is running, and use IBPB to 520 515 flush the branch target buffer when switching to/from the program.
+18 -7
arch/x86/kernel/cpu/bugs.c
··· 1133 1133 return SPECTRE_V2_USER_CMD_AUTO; 1134 1134 } 1135 1135 1136 - static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) 1136 + static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode) 1137 1137 { 1138 - return mode == SPECTRE_V2_IBRS || 1139 - mode == SPECTRE_V2_EIBRS || 1138 + return mode == SPECTRE_V2_EIBRS || 1140 1139 mode == SPECTRE_V2_EIBRS_RETPOLINE || 1141 1140 mode == SPECTRE_V2_EIBRS_LFENCE; 1141 + } 1142 + 1143 + static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) 1144 + { 1145 + return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS; 1142 1146 } 1143 1147 1144 1148 static void __init ··· 1207 1203 } 1208 1204 1209 1205 /* 1210 - * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible, 1211 - * STIBP is not required. 1206 + * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP 1207 + * is not required. 1208 + * 1209 + * Enhanced IBRS also protects against cross-thread branch target 1210 + * injection in user-mode as the IBRS bit remains always set which 1211 + * implicitly enables cross-thread protections. However, in legacy IBRS 1212 + * mode, the IBRS bit is set only on kernel entry and cleared on return 1213 + * to userspace. This disables the implicit cross-thread protection, 1214 + * so allow for STIBP to be selected in that case. 1212 1215 */ 1213 1216 if (!boot_cpu_has(X86_FEATURE_STIBP) || 1214 1217 !smt_possible || 1215 - spectre_v2_in_ibrs_mode(spectre_v2_enabled)) 1218 + spectre_v2_in_eibrs_mode(spectre_v2_enabled)) 1216 1219 return; 1217 1220 1218 1221 /* ··· 2351 2340 2352 2341 static char *stibp_state(void) 2353 2342 { 2354 - if (spectre_v2_in_ibrs_mode(spectre_v2_enabled)) 2343 + if (spectre_v2_in_eibrs_mode(spectre_v2_enabled)) 2355 2344 return ""; 2356 2345 2357 2346 switch (spectre_v2_user_stibp) {
+17 -3
drivers/virt/coco/sev-guest/sev-guest.c
··· 377 377 snp_dev->input.data_npages = certs_npages; 378 378 } 379 379 380 + /* 381 + * Increment the message sequence number. There is no harm in doing 382 + * this now because decryption uses the value stored in the response 383 + * structure and any failure will wipe the VMPCK, preventing further 384 + * use anyway. 385 + */ 386 + snp_inc_msg_seqno(snp_dev); 387 + 380 388 if (fw_err) 381 389 *fw_err = err; 390 + 391 + /* 392 + * If an extended guest request was issued and the supplied certificate 393 + * buffer was not large enough, a standard guest request was issued to 394 + * prevent IV reuse. If the standard request was successful, return -EIO 395 + * back to the caller as would have originally been returned. 396 + */ 397 + if (!rc && err == SNP_GUEST_REQ_INVALID_LEN) 398 + return -EIO; 382 399 383 400 if (rc) { 384 401 dev_alert(snp_dev->dev, ··· 411 394 rc); 412 395 goto disable_vmpck; 413 396 } 414 - 415 - /* Increment to new message sequence after payload decryption was successful. */ 416 - snp_inc_msg_seqno(snp_dev); 417 397 418 398 return 0; 419 399