~apw/ubuntu/+source/linux/+git/pti:pti/artful-speculation-control-intel

Last commit made on 2018-02-09
Get this branch:
git clone -b pti/artful-speculation-control-intel https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti

Branch information

Name:
pti/artful-speculation-control-intel
Repository:
lp:~apw/ubuntu/+source/linux/+git/pti

Recent commits

5324f04... by Andy Whitcroft

UBUNTU: SAUCE: turn off IBPB when full retpoline is present

CVE-2017-5715 (Spectre v2 Intel)

When we have full retpoline enabled then we do not actually require IBPB
flushes when entering the kernel. Add a new use_ibpb bit to represent
when we have retpoline enabled. Further split the enable bit into two:
0x1 representing whether entry IBPB is enabled and 0x10 representing
whether kernel flushes for userspace/VMs etc. are applied.

Signed-off-by: Andy Whitcroft <email address hidden>

53b510d... by Tom Lendacky

KVM: x86: Add speculative control CPUID support for guests

CVE-2017-5715 (Spectre v2 Intel)

Provide the guest with the speculative control CPUID related values.

Signed-off-by: Paolo Bonzini <email address hidden>
Signed-off-by: Tom Lendacky <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

dcf1dbb... by Tom Lendacky

x86/svm: Set IBPB when running a different VCPU

CVE-2017-5715 (Spectre v2 Intel)

Set IBPB (Indirect Branch Prediction Barrier) when the current CPU is
going to run a VCPU different from what was previously run.

Signed-off-by: Paolo Bonzini <email address hidden>
Signed-off-by: Tom Lendacky <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

c1e4af7... by Tom Lendacky

x86/svm: Set IBRS value on VM entry and exit

CVE-2017-5715 (Spectre v2 Intel)

Set/restore the guest's IBRS value on VM entry. On VM exit back to the
kernel, save the guest IBRS value and then set IBRS to 1.

Signed-off-by: Paolo Bonzini <email address hidden>
Signed-off-by: Tom Lendacky <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

9e93d98... by Tom Lendacky

KVM: SVM: Do not intercept new speculative control MSRs

CVE-2017-5715 (Spectre v2 Intel)

Allow guest access to the speculative control MSRs without being
intercepted.

Signed-off-by: Paolo Bonzini <email address hidden>
Signed-off-by: Tom Lendacky <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

e29ab4b... by Tom Lendacky

x86/microcode: Extend post microcode reload to support IBPB feature

CVE-2017-5715 (Spectre v2 Intel)

Add an IBPB feature check to the speculative control update check after
a microcode reload.

Signed-off-by: Tom Lendacky <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

70f4b97... by Tom Lendacky

x86/cpu/AMD: Add speculative control support for AMD

CVE-2017-5715 (Spectre v2 Intel)

Add speculative control support for AMD processors. For AMD, speculative
control is indicated as follows:

  CPUID EAX=0x00000007, ECX=0x00 return EDX[26] indicates support for
  both IBRS and IBPB.

  CPUID EAX=0x80000008, ECX=0x00 return EBX[12] indicates support for
  just IBPB.

On AMD family 0x10, 0x12 and 0x16 processors where either of the above
features is not supported, IBPB can be achieved by disabling
indirect branch predictor support in MSR 0xc0011021[14] at boot.

Signed-off-by: Tom Lendacky <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

907654f... by Tim Chen <email address hidden>

x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control

CVE-2017-5715 (Spectre v2 Intel)

Signed-off-by: Tim Chen <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

4e8998d... by Tim Chen <email address hidden>

x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature

CVE-2017-5715 (Spectre v2 Intel)

There are 2 ways to control IBPB and IBRS:

1. At boot time
   noibrs kernel boot parameter will disable IBRS usage
   noibpb kernel boot parameter will disable IBPB usage
   Otherwise, if the above parameters are not specified, the system
   will enable IBRS and IBPB usage if the CPU supports it.

2. At run time
   echo 0 > /proc/sys/kernel/ibrs_enabled will turn off IBRS
   echo 1 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in kernel
   echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both userspace and kernel

Signed-off-by: Tim Chen <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
[<email address hidden>: add x86 guards to kernel/smp.c]
[<email address hidden>: include asm/msr.h under x86 guard in kernel/sysctl.c]
Signed-off-by: Marcelo Henrique Cerri <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

46e0bdf... by Tim Chen <email address hidden>

x86/kvm: Toggle IBRS on VM entry and exit

CVE-2017-5715 (Spectre v2 Intel)

Restore guest IBRS on VM entry and set it to 1 on VM exit
back to kernel.

Signed-off-by: Tim Chen <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>