~tyhicks/ubuntu/+source/linux/+git/bionic:speculation

Last commit made on 2019-03-25
Get this branch:
git clone -b speculation https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/bionic

Branch information

Name:
speculation
Repository:
lp:~tyhicks/ubuntu/+source/linux/+git/bionic

Recent commits

5ea0a84... by WANG Chao <email address hidden>

x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE

Commit

  4cd24de3a098 ("x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support")

replaced the RETPOLINE define with CONFIG_RETPOLINE checks. Remove the
remaining pieces.

 [ bp: Massage commit message. ]

Fixes: 4cd24de3a098 ("x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support")
Signed-off-by: WANG Chao <email address hidden>
Signed-off-by: Borislav Petkov <email address hidden>
Reviewed-by: Zhenzhong Duan <email address hidden>
Reviewed-by: Masahiro Yamada <email address hidden>
Cc: "H. Peter Anvin" <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Andrew Morton <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Arnd Bergmann <email address hidden>
Cc: Daniel Borkmann <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Geert Uytterhoeven <email address hidden>
Cc: Jessica Yu <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: Konrad Rzeszutek Wilk <email address hidden>
Cc: Luc Van Oostenryck <email address hidden>
Cc: Michal Marek <email address hidden>
Cc: Miguel Ojeda <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Vasily Gorbik <email address hidden>
Cc: <email address hidden>
Cc: <email address hidden>
Cc: stable <email address hidden>
Cc: x86-ml <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(backported from commit e4f358916d528d479c3c12bd2fd03f2d5a576380)
[tyhicks: Backport to 4.15:
 - Minor context adjustment in compiler-gcc.h]
Signed-off-by: Tyler Hicks <email address hidden>

4bd004a... by Tom Lendacky

x86/speculation: Add support for STIBP always-on preferred mode

Different AMD processors may have different implementations of STIBP.
When STIBP is conditionally enabled, some implementations would benefit
from having STIBP always on instead of toggling the STIBP bit through MSR
writes. This preference is advertised through a CPUID feature bit.

When conditional STIBP support is requested at boot and the CPU advertises
STIBP always-on mode as preferred, switch to STIBP "on" support. To show
that this transition has occurred, create a new spectre_v2_user_mitigation
value and a new spectre_v2_user_strings message. The new mitigation value
is used in spectre_v2_user_select_mitigation() to print the new mitigation
message as well as to return a new string from stibp_state().

Signed-off-by: Tom Lendacky <email address hidden>
Signed-off-by: Thomas Gleixner <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: Konrad Rzeszutek Wilk <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Borislav Petkov <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: David Woodhouse <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 20c3a2c33e9fdc82e9e8e8d2a6445b3256d20191)
Signed-off-by: Tyler Hicks <email address hidden>

529f812... by Waiman Long <email address hidden>

x86/speculation: Change misspelled STIPB to STIBP

STIBP stands for Single Thread Indirect Branch Predictors. The acronym,
however, can be easily mis-spelled as STIPB. It is perhaps due to the
presence of another related term - IBPB (Indirect Branch Predictor
Barrier).

Fix the mis-spelling in the code.

Signed-off-by: Waiman Long <email address hidden>
Signed-off-by: Borislav Petkov <email address hidden>
Cc: "H. Peter Anvin" <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Ingo Molnar <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: KarimAllah Ahmed <email address hidden>
Cc: Konrad Rzeszutek Wilk <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Thomas Gleixner <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: x86-ml <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit aa77bfb354c495fc4361199e63fc5765b9e1e783)
Signed-off-by: Tyler Hicks <email address hidden>

12e9708... by Jim Mattson <email address hidden>

kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb

Previously, we only called indirect_branch_prediction_barrier on the
logical CPU that freed a vmcb. This function should be called on all
logical CPUs that last loaded the vmcb in question.

Fixes: 15d45071523d ("KVM/x86: Add IBPB support")
Reported-by: Neel Natu <email address hidden>
Signed-off-by: Jim Mattson <email address hidden>
Reviewed-by: Konrad Rzeszutek Wilk <email address hidden>
Cc: <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>

CVE-2017-5715

(cherry picked from commit fd65d3142f734bc4376053c8d75670041903134d)
Signed-off-by: Tyler Hicks <email address hidden>

c50e39f... by tglx

x86/speculation: Provide IBPB always command line options

Provide the possibility to enable IBPB always in combination with 'prctl'
and 'seccomp'.

Add the extra command line options and rework the IBPB selection to
evaluate the command instead of the mode selected by the STIBP switch case.

Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 55a974021ec952ee460dc31ca08722158639de72)
Signed-off-by: Tyler Hicks <email address hidden>

4d4faf9... by tglx

x86/speculation: Add seccomp Spectre v2 user space protection mode

If 'prctl' mode of user space protection from spectre v2 is selected
on the kernel command-line, STIBP and IBPB are applied on tasks which
restrict their indirect branch speculation via prctl.

SECCOMP enables the SSBD mitigation for sandboxed tasks already, so it
makes sense to prevent spectre v2 user space to user space attacks as
well.

The Intel mitigation guide documents how STIBP works:

   Setting bit 1 (STIBP) of the IA32_SPEC_CTRL MSR on a logical processor
   prevents the predicted targets of indirect branches on any logical
   processor of that core from being controlled by software that executes
   (or executed previously) on another logical processor of the same core.

Ergo setting STIBP protects the task itself from being attacked from a task
running on a different hyper-thread and protects the tasks running on
different hyper-threads from being attacked.

While the document suggests that the branch predictors are shielded between
the logical processors, the observed performance regressions suggest that
STIBP simply disables the branch predictor more or less completely. Of
course the document wording is vague, but the fact that there is also no
requirement for issuing IBPB when STIBP is used points clearly in that
direction. The kernel still issues IBPB even when STIBP is used until Intel
clarifies the whole mechanism.

IBPB is issued when the task switches out, so malicious sandbox code cannot
mistrain the branch predictor for the next user space task on the same
logical processor.

Signed-off-by: Jiri Kosina <email address hidden>
Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 6b3e64c237c072797a9ec918654a60e3a46488e2)
Signed-off-by: Tyler Hicks <email address hidden>

dc43f5b... by tglx

x86/speculation: Enable prctl mode for spectre_v2_user

Now that all prerequisites are in place:

 - Add the prctl command line option

 - Default the 'auto' mode to 'prctl'

 - When SMT state changes, update the static key which controls the
   conditional STIBP evaluation on context switch.

 - At init update the static key which controls the conditional IBPB
   evaluation on context switch.

Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 7cc765a67d8e04ef7d772425ca5a2a1e2b894c15)
Signed-off-by: Tyler Hicks <email address hidden>

8b964b3... by tglx

x86/speculation: Add prctl() control for indirect branch speculation

Add the PR_SPEC_INDIRECT_BRANCH option for the PR_GET_SPECULATION_CTRL and
PR_SET_SPECULATION_CTRL prctls to allow fine grained per task control of
indirect branch speculation via STIBP and IBPB.

Invocations:
 Check indirect branch speculation status with
 - prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);

 Enable indirect branch speculation with
 - prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);

 Disable indirect branch speculation with
 - prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);

 Force disable indirect branch speculation with
 - prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);

See Documentation/userspace-api/spec_ctrl.rst.

Signed-off-by: Tim Chen <email address hidden>
Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 9137bb27e60e554dab694eafa4cca241fa3a694f)
Signed-off-by: Tyler Hicks <email address hidden>
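
The prctl interface from the commit above, as an added example that is not part of the commit or the kernel tree: it decodes the PR_GET_SPECULATION_CTRL result bits and force-disables indirect branch speculation for the calling task. The helper names decode_spec() and harden_indirect_branch() are hypothetical; the #define fallbacks are only used when the installed headers predate the option.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Fallbacks for older userspace headers (kernel UAPI values). */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif

enum spec_state { SPEC_UNSUPPORTED, SPEC_NOT_AFFECTED, SPEC_ENABLED,
                  SPEC_DISABLED, SPEC_FORCE_DISABLED };

/* Decode a PR_GET_SPECULATION_CTRL return value (hypothetical helper). */
enum spec_state decode_spec(long r)
{
    if (r < 0)                     return SPEC_UNSUPPORTED;  /* prctl failed */
    if (r & PR_SPEC_FORCE_DISABLE) return SPEC_FORCE_DISABLED;
    if (r & PR_SPEC_DISABLE)       return SPEC_DISABLED;     /* mitigation on */
    if (r & PR_SPEC_ENABLE)        return SPEC_ENABLED;      /* mitigation off */
    return SPEC_NOT_AFFECTED;                                /* no bits set */
}

/* Returns 0 if the task is protected afterwards, 1 if the boot mode gives
 * no per-task control and speculation stays enabled, -errno on failure. */
int harden_indirect_branch(void)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    if (r < 0) return -errno;
    if (!(r & PR_SPEC_PRCTL))      /* not affected, or fixed at boot */
        return decode_spec(r) >= SPEC_DISABLED ? 0 : 1;
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_FORCE_DISABLE, 0, 0) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    printf("harden rc=%d\n", harden_indirect_branch());
    return 0;
}
```

A result of 1 means the task cannot change the setting itself, which is the case when the CPU is not affected or when the boot-time mode leaves speculation enabled without prctl control.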

72a2159... by tglx

x86/speculation: Prepare arch_smt_update() for PRCTL mode

The upcoming fine grained per task STIBP control needs to be updated on CPU
hotplug as well.

Split out the code which controls the strict mode so the prctl control code
can be added later. Mark the SMP function call argument __unused while at it.

Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 6893a959d7fdebbab5f5aa112c277d5a44435ba1)
Signed-off-by: Tyler Hicks <email address hidden>

370cbb1... by tglx

x86/speculation: Prevent stale SPEC_CTRL msr content

The seccomp speculation control operates on all tasks of a process, but
only the current task of a process can update the MSR immediately. For the
other threads the update is deferred to the next context switch.

This creates the following situation with Process A and B:

Process A task 2 and Process B task 1 are pinned on CPU1. Process A task 2
does not have the speculation control TIF bit set. Process B task 1 has the
speculation control TIF bit set.

CPU0                          CPU1
                              MSR bit is set
                              ProcB.T1 schedules out
                              ProcA.T2 schedules in
                              MSR bit is cleared
ProcA.T1
  seccomp_update()
  set TIF bit on ProcA.T2
                              ProcB.T1 schedules in
                              MSR is not updated  <-- FAIL

This happens because the context switch code tries to avoid the MSR update
if the speculation control TIF bits of the incoming and the outgoing task
are the same. In the worst case ProcB.T1 and ProcA.T2 are the only tasks
scheduling back and forth on CPU1, which keeps the MSR stale forever.

In theory this could be remedied by IPIs, but chasing the remote task which
could be migrated is complex and full of races.

The straightforward solution is to avoid the asynchronous update of the TIF
bit and defer it to the next context switch. The speculation control state
is stored in task_struct::atomic_flags by the prctl and seccomp updates
already.

Add a new TIF_SPEC_FORCE_UPDATE bit and set this after updating the
atomic_flags. Check the bit on context switch and force a synchronous
update of the speculation control if set. Use the same mechanism for
updating the current task.

Reported-by: Tim Chen <email address hidden>
Signed-off-by: Thomas Gleixner <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 6d991ba509ebcfcc908e009d1db51972a4f7a064)
Signed-off-by: Tyler Hicks <email address hidden>
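
The CPU1 timeline from the commit above, replayed in a small user-space model (an added example, not kernel code and not part of the commit). The struct fields, context_switch() and msr_stale_after_race() are hypothetical simplifications that track a single speculation-control bit per task.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not kernel code: one speculation-control bit per task. */
struct task {
    bool tif_spec;      /* TIF bit compared on context switch */
    bool atomic_spec;   /* setting stored in task_struct::atomic_flags */
    bool force_update;  /* models TIF_SPEC_FORCE_UPDATE */
};

static bool msr_bit;    /* CPU1's speculation-control MSR bit */

/* Re-derive the TIF bit from atomic_flags if an update is pending. */
static bool sync_tif(struct task *t)
{
    if (t->force_update) { t->tif_spec = t->atomic_spec; t->force_update = false; }
    return t->tif_spec;
}

static void context_switch(struct task *prev, struct task *next)
{
    if (prev->force_update || next->force_update) {
        sync_tif(prev);
        msr_bit = sync_tif(next);          /* forced, unconditional write */
    } else if (prev->tif_spec != next->tif_spec) {
        msr_bit = next->tif_spec;          /* optimisation: write only on change */
    }
}

/* Replays the CPU1 timeline; returns true if ProcB.T1 ends up running
 * with an MSR bit that does not match its TIF bit. */
bool msr_stale_after_race(bool with_fix)
{
    struct task b_t1 = { true, true, false }, a_t2 = { false, false, false };
    msr_bit = true;                         /* ProcB.T1 running, MSR bit set */
    context_switch(&b_t1, &a_t2);           /* MSR bit cleared */
    a_t2.atomic_spec = true;                /* seccomp update from CPU0 */
    if (with_fix) a_t2.force_update = true; /* defer to next switch */
    else          a_t2.tif_spec = true;     /* asynchronous TIF write */
    for (int i = 0; i < 3; i++) {           /* only these two tasks on CPU1 */
        context_switch(&a_t2, &b_t1);
        if (i < 2) context_switch(&b_t1, &a_t2);
    }
    return msr_bit != b_t1.tif_spec;
}

int main(void)
{
    printf("old: stale=%d\n", msr_stale_after_race(false));
    printf("fix: stale=%d\n", msr_stale_after_race(true));
    return 0;
}
```

Without the forced update the two tasks always present equal TIF bits, so the write is skipped on every switch and the MSR bit never recovers.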