~tyhicks/ubuntu/+source/linux/+git/bionic:speculation
- Get this branch: git clone -b speculation https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/bionic
Branch information
- Name: speculation
- Repository: lp:~tyhicks/ubuntu/+source/linux/+git/bionic
Recent commits
- 5ea0a84... by WANG Chao <email address hidden>
x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE

Commit 4cd24de3a098 ("x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support")
replaced the RETPOLINE define with CONFIG_RETPOLINE checks. Remove the
remaining pieces.

[ bp: Massage commit message. ]

Fixes: 4cd24de3a098 ("x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support")
Signed-off-by: WANG Chao <email address hidden>
Signed-off-by: Borislav Petkov <email address hidden>
Reviewed-by: Zhenzhong Duan <email address hidden>
Reviewed-by: Masahiro Yamada <email address hidden>
Cc: "H. Peter Anvin" <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Andrew Morton <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Arnd Bergmann <email address hidden>
Cc: Daniel Borkmann <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Geert Uytterhoeven <email address hidden>
Cc: Jessica Yu <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: Konrad Rzeszutek Wilk <email address hidden>
Cc: Luc Van Oostenryck <email address hidden>
Cc: Michal Marek <email address hidden>
Cc: Miguel Ojeda <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Vasily Gorbik <email address hidden>
Cc: <email address hidden>
Cc: <email address hidden>
Cc: stable <email address hidden>
Cc: x86-ml <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(backported from commit e4f358916d528d479c3c12bd2fd03f2d5a576380)
[tyhicks: Backport to 4.15:
- Minor context adjustment in compiler-gcc.h]
Signed-off-by: Tyler Hicks <email address hidden>
- 4bd004a... by Tom Lendacky
x86/speculation: Add support for STIBP always-on preferred mode

Different AMD processors may have different implementations of STIBP.
When STIBP is conditionally enabled, some implementations would benefit
from having STIBP always on instead of toggling the STIBP bit through MSR
writes. This preference is advertised through a CPUID feature bit.

When conditional STIBP support is requested at boot and the CPU advertises
STIBP always-on mode as preferred, switch to STIBP "on" support. To show
that this transition has occurred, create a new spectre_v2_user_mitigation
value and a new spectre_v2_user_strings message. The new mitigation value
is used in spectre_v2_user_select_mitigation() to print the new mitigation
message as well as to return a new string from stibp_state().

Signed-off-by: Tom Lendacky <email address hidden>
Signed-off-by: Thomas Gleixner <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: Konrad Rzeszutek Wilk <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Borislav Petkov <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: David Woodhouse <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 20c3a2c33e9fdc82e9e8e8d2a6445b3256d20191)
Signed-off-by: Tyler Hicks <email address hidden>
- 529f812... by Waiman Long <email address hidden>
x86/speculation: Change misspelled STIPB to STIBP

STIBP stands for Single Thread Indirect Branch Predictors. The acronym,
however, can be easily mis-spelled as STIPB. It is perhaps due to the
presence of another related term - IBPB (Indirect Branch Predictor
Barrier).

Fix the mis-spelling in the code.

Signed-off-by: Waiman Long <email address hidden>
Signed-off-by: Borislav Petkov <email address hidden>
Cc: "H. Peter Anvin" <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Ingo Molnar <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: KarimAllah Ahmed <email address hidden>
Cc: Konrad Rzeszutek Wilk <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Thomas Gleixner <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: x86-ml <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit aa77bfb354c495fc4361199e63fc5765b9e1e783)
Signed-off-by: Tyler Hicks <email address hidden>
- 12e9708... by Jim Mattson <email address hidden>
kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb

Previously, we only called indirect_branch_prediction_barrier on the
logical CPU that freed a vmcb. This function should be called on all
logical CPUs that last loaded the vmcb in question.

Fixes: 15d45071523d ("KVM/x86: Add IBPB support")
Reported-by: Neel Natu <email address hidden>
Signed-off-by: Jim Mattson <email address hidden>
Reviewed-by: Konrad Rzeszutek Wilk <email address hidden>
Cc: <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>

CVE-2017-5715

(cherry picked from commit fd65d3142f734bc4376053c8d75670041903134d)
Signed-off-by: Tyler Hicks <email address hidden>
- c50e39f... by tglx
x86/speculation: Provide IBPB always command line options

Provide the possibility to enable IBPB always in combination with 'prctl'
and 'seccomp'.

Add the extra command line options and rework the IBPB selection to
evaluate the command instead of the mode selected by the STIBP switch case.

Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 55a974021ec952ee460dc31ca08722158639de72)
Signed-off-by: Tyler Hicks <email address hidden>
- 4d4faf9... by tglx
x86/speculation: Add seccomp Spectre v2 user space protection mode

If 'prctl' mode of user space protection from spectre v2 is selected
on the kernel command-line, STIBP and IBPB are applied on tasks which
restrict their indirect branch speculation via prctl.

SECCOMP enables the SSBD mitigation for sandboxed tasks already, so it
makes sense to prevent spectre v2 user space to user space attacks as
well.

The Intel mitigation guide documents how STIBP works:

  Setting bit 1 (STIBP) of the IA32_SPEC_CTRL MSR on a logical processor
  prevents the predicted targets of indirect branches on any logical
  processor of that core from being controlled by software that executes
  (or executed previously) on another logical processor of the same core.

Ergo setting STIBP protects the task itself from being attacked from a task
running on a different hyper-thread and protects the tasks running on
different hyper-threads from being attacked.

While the document suggests that the branch predictors are shielded between
the logical processors, the observed performance regressions suggest that
STIBP simply disables the branch predictor more or less completely. Of
course the document wording is vague, but the fact that there is also no
requirement for issuing IBPB when STIBP is used points clearly in that
direction. The kernel still issues IBPB even when STIBP is used until Intel
clarifies the whole mechanism.

IBPB is issued when the task switches out, so malicious sandbox code cannot
mistrain the branch predictor for the next user space task on the same
logical processor.

Signed-off-by: Jiri Kosina <email address hidden>
Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 6b3e64c237c072797a9ec918654a60e3a46488e2)
Signed-off-by: Tyler Hicks <email address hidden>
- dc43f5b... by tglx
x86/speculation: Enable prctl mode for spectre_v2_user

Now that all prerequisites are in place:

- Add the prctl command line option
- Default the 'auto' mode to 'prctl'
- When SMT state changes, update the static key which controls the
  conditional STIBP evaluation on context switch.
- At init update the static key which controls the conditional IBPB
  evaluation on context switch.

Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 7cc765a67d8e04ef7d772425ca5a2a1e2b894c15)
Signed-off-by: Tyler Hicks <email address hidden>
- 8b964b3... by tglx
x86/speculation: Add prctl() control for indirect branch speculation

Add the PR_SPEC_INDIRECT_BRANCH option for the PR_GET_SPECULATION_CTRL and
PR_SET_SPECULATION_CTRL prctls to allow fine grained per task control of
indirect branch speculation via STIBP and IBPB.

Invocations:

Check indirect branch speculation status with
- prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);

Enable indirect branch speculation with
- prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);

Disable indirect branch speculation with
- prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);

Force disable indirect branch speculation with
- prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);

See Documentation/userspace-api/spec_ctrl.rst.

Signed-off-by: Tim Chen <email address hidden>
Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 9137bb27e60e554dab694eafa4cca241fa3a694f)
Signed-off-by: Tyler Hicks <email address hidden>
- 72a2159... by tglx
x86/speculation: Prepare arch_smt_update() for PRCTL mode

The upcoming fine grained per task STIBP control needs to be updated on CPU
hotplug as well.

Split out the code which controls the strict mode so the prctl control code
can be added later. Mark the SMP function call argument __unused while at it.

Signed-off-by: Thomas Gleixner <email address hidden>
Reviewed-by: Ingo Molnar <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 6893a959d7fdebbab5f5aa112c277d5a44435ba1)
Signed-off-by: Tyler Hicks <email address hidden>
- 370cbb1... by tglx
x86/speculation: Prevent stale SPEC_CTRL msr content

The seccomp speculation control operates on all tasks of a process, but
only the current task of a process can update the MSR immediately. For the
other threads the update is deferred to the next context switch.

This creates the following situation with Process A and B:

Process A task 2 and Process B task 1 are pinned on CPU1. Process A task 2
does not have the speculation control TIF bit set. Process B task 1 has the
speculation control TIF bit set.

CPU0                                    CPU1
                                        MSR bit is set
                                        ProcB.T1 schedules out
                                        ProcA.T2 schedules in
                                        MSR bit is cleared
ProcA.T1
  seccomp_update()
    set TIF bit on ProcA.T2
                                        ProcB.T1 schedules in
                                        MSR is not updated  <-- FAIL

This happens because the context switch code tries to avoid the MSR update
if the speculation control TIF bits of the incoming and the outgoing task
are the same. In the worst case ProcB.T1 and ProcA.T2 are the only tasks
scheduling back and forth on CPU1, which keeps the MSR stale forever.

In theory this could be remedied by IPIs, but chasing the remote task which
could be migrated is complex and full of races.

The straightforward solution is to avoid the asynchronous update of the TIF
bit and defer it to the next context switch. The speculation control state
is stored in task_struct::atomic_flags by the prctl and seccomp updates
already.

Add a new TIF_SPEC_FORCE_UPDATE bit and set this after updating the
atomic_flags. Check the bit on context switch and force a synchronous
update of the speculation control if set. Use the same mechanism for
updating the current task.

Reported-by: Tim Chen <email address hidden>
Signed-off-by: Thomas Gleixner <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Linus Torvalds <email address hidden>
Cc: Jiri Kosina <email address hidden>
Cc: Tom Lendacky <email address hidden>
Cc: Josh Poimboeuf <email address hidden>
Cc: Andrea Arcangeli <email address hidden>
Cc: David Woodhouse <email address hidden>
Cc: Tim Chen <email address hidden>
Cc: Andi Kleen <email address hidden>
Cc: Dave Hansen <email address hidden>
Cc: Casey Schaufler <email address hidden>
Cc: Asit Mallick <email address hidden>
Cc: Arjan van de Ven <email address hidden>
Cc: Jon Masters <email address hidden>
Cc: Waiman Long <email address hidden>
Cc: Greg KH <email address hidden>
Cc: Dave Stewart <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>

CVE-2017-5715

(cherry picked from commit 6d991ba509ebcfcc908e009d1db51972a4f7a064)
Signed-off-by: Tyler Hicks <email address hidden>
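The prctl() interface that commit 8b964b3 ("Add prctl() control for indirect branch speculation") describes is the way a user space program checks whether it is covered by STIBP/IBPB under the 'prctl' and 'seccomp' modes added in this branch. The program below is an added example written for this page; it is not code from the Ubuntu kernel tree or from any of the commits above. It uses only the prctl constants named in that commit and in Documentation/userspace-api/spec_ctrl.rst (with fallback definitions for old headers); the helper names ib_spec_query(), ib_spec_describe() and ib_spec_restrict() are chosen here.

```c
/* Added example, not part of the Ubuntu kernel tree: query the per-task
 * indirect branch speculation control (PR_SPEC_INDIRECT_BRANCH) for the
 * calling task, decode the answer, and optionally opt the task into
 * STIBP/IBPB. Helper names are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for toolchains whose headers predate these prctls; the values
 * are those of include/uapi/linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SET_SPECULATION_CTRL
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_NOT_AFFECTED
#define PR_SPEC_NOT_AFFECTED 0
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_PRCTL (1UL << 0)
#endif
#ifndef PR_SPEC_ENABLE
#define PR_SPEC_ENABLE (1UL << 1)
#endif
#ifndef PR_SPEC_DISABLE
#define PR_SPEC_DISABLE (1UL << 2)
#endif
#ifndef PR_SPEC_FORCE_DISABLE
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

/* Map a PR_GET_SPECULATION_CTRL result to a short verdict. The task is only
 * protected from a sibling hyper-thread's mistraining when STIBP/IBPB are
 * applied to it, i.e. when DISABLE or FORCE_DISABLE is reported. */
const char *ib_spec_describe(long status)
{
    if (status < 0)
        return "query failed";
    if (status == PR_SPEC_NOT_AFFECTED)
        return "not affected: CPU needs no Spectre v2 user mitigation";
    if (status & PR_SPEC_FORCE_DISABLE)
        return "protected: speculation force-disabled, cannot be re-enabled";
    if (status & PR_SPEC_DISABLE)
        return (status & PR_SPEC_PRCTL)
            ? "protected: speculation disabled via prctl/seccomp"
            : "protected: speculation disabled by global kernel policy";
    if (status & PR_SPEC_ENABLE)
        return (status & PR_SPEC_PRCTL)
            ? "unprotected: speculation enabled, prctl control available"
            : "unprotected: speculation enabled, no per-task control";
    return "unknown status";
}

/* Ask the kernel about the calling task; returns the raw status or -errno. */
long ib_spec_query(void)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Opt the calling task into STIBP/IBPB. With force set the choice cannot be
 * undone by a later PR_SPEC_ENABLE. Returns 0 or -errno. */
int ib_spec_restrict(int force)
{
    unsigned long ctrl = force ? PR_SPEC_FORCE_DISABLE : PR_SPEC_DISABLE;

    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, ctrl, 0, 0) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    long before = ib_spec_query();
    printf("before: 0x%lx (%s)\n", before, ib_spec_describe(before));

    int rc = ib_spec_restrict(0);
    if (rc < 0)
        printf("restrict failed: %s\n", strerror(-rc));

    long after = ib_spec_query();
    printf("after:  0x%lx (%s)\n", after, ib_spec_describe(after));
    return 0;
}
```

Run it once without arguments on a kernel carrying this branch: on a host booted with spectre_v2_user=prctl the second line changes from "unprotected" to "protected" after the PR_SPEC_DISABLE call, while on spectre_v2_user=off or =on the status does not carry PR_SPEC_PRCTL and the verdict reflects the global policy instead. A service that sandboxes untrusted code can run the same query at startup to confirm the mitigation it expects is actually in effect rather than assuming it from the kernel version.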
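The stale-MSR race in commit 370cbb1 ("Prevent stale SPEC_CTRL msr content") is easiest to see by replaying its CPU0/CPU1 timeline. The model below is an added example written for this page, not kernel code: a task is reduced to its thread flags and atomic_flags, a CPU to its STIBP bit and current task, and the context switch keeps only the rule that matters here (skip the MSR write when the outgoing and incoming TIF_SPEC_IB bits agree). The function names, the PFA_SPEC_IB_DISABLE flag and the 'fixed' switch that selects the TIF_SPEC_FORCE_UPDATE behaviour are simplifications chosen for this example.

```c
/* Added example, not kernel code: a model of the stale SPEC_CTRL MSR race
 * and of the TIF_SPEC_FORCE_UPDATE fix. Names and layout are simplified
 * stand-ins for thread_info flags and task_struct::atomic_flags. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define TIF_SPEC_IB           (1u << 0)  /* STIBP wanted while this task runs */
#define TIF_SPEC_FORCE_UPDATE (1u << 1)  /* re-derive TIF state on next switch */
#define PFA_SPEC_IB_DISABLE   (1u << 0)  /* atomic_flags: prctl/seccomp decision */

struct task {
    const char *name;
    unsigned tif;          /* thread flags, read on context switch */
    unsigned atomic_flags; /* written by prctl()/seccomp, possibly remotely */
};

struct cpu {
    unsigned msr_stibp;    /* modelled SPEC_CTRL.STIBP bit */
    struct task *current;
};

/* Derive TIF_SPEC_IB from the atomic flags and clear the force request
 * (what the commit calls forcing a synchronous update). */
static unsigned update_tif_from_atomic(struct task *t)
{
    t->tif &= ~TIF_SPEC_FORCE_UPDATE;
    if (t->atomic_flags & PFA_SPEC_IB_DISABLE)
        t->tif |= TIF_SPEC_IB;
    else
        t->tif &= ~TIF_SPEC_IB;
    return t->tif;
}

/* Context switch on one CPU. The MSR write is skipped when prev and next
 * agree on TIF_SPEC_IB; with 'fixed', a pending TIF_SPEC_FORCE_UPDATE on
 * either side forces an unconditional write from the incoming task's state. */
static void context_switch(struct cpu *c, struct task *next, bool fixed)
{
    struct task *prev = c->current;
    unsigned tifp = prev->tif, tifn = next->tif;

    if (fixed && ((tifp | tifn) & TIF_SPEC_FORCE_UPDATE)) {
        update_tif_from_atomic(prev);
        tifn = update_tif_from_atomic(next);
        c->msr_stibp = (tifn & TIF_SPEC_IB) ? 1 : 0;
    } else if ((tifp ^ tifn) & TIF_SPEC_IB) {
        c->msr_stibp = (tifn & TIF_SPEC_IB) ? 1 : 0;
    }
    c->current = next;
}

/* seccomp update applied to every thread of a process. Without the fix the
 * remote thread's TIF bit is poked asynchronously; with it, only the atomic
 * flag is set and the TIF derivation is deferred to the next switch. */
static void seccomp_update(struct task **threads, size_t n, bool fixed)
{
    for (size_t i = 0; i < n; i++) {
        threads[i]->atomic_flags |= PFA_SPEC_IB_DISABLE;
        if (fixed)
            threads[i]->tif |= TIF_SPEC_FORCE_UPDATE;
        else
            threads[i]->tif |= TIF_SPEC_IB;   /* the asynchronous update */
    }
}

/* Replay the CPU1 timeline from the commit message and return the STIBP
 * MSR bit observed once ProcB.T1 is running again (1 is the correct value). */
int replay_scenario(bool fixed)
{
    struct task procA_t1 = { "ProcA.T1", 0, 0 };
    struct task procA_t2 = { "ProcA.T2", 0, 0 };
    struct task procB_t1 = { "ProcB.T1", TIF_SPEC_IB, PFA_SPEC_IB_DISABLE };
    struct task *procA[] = { &procA_t1, &procA_t2 };
    struct cpu cpu1 = { 1, &procB_t1 };       /* ProcB.T1 running, bit set */

    context_switch(&cpu1, &procA_t2, fixed);  /* MSR bit is cleared */
    seccomp_update(procA, 2, fixed);          /* ProcA.T1 on CPU0 */
    context_switch(&cpu1, &procB_t1, fixed);  /* prev and next now "agree" */
    return cpu1.msr_stibp;
}

int main(void)
{
    printf("skip-if-equal only:      STIBP bit = %d (expected 1)\n",
           replay_scenario(false));
    printf("with TIF_SPEC_FORCE_UPDATE: STIBP bit = %d (expected 1)\n",
           replay_scenario(true));
    return 0;
}
```

The first replay ends with the bit still cleared: after seccomp_update() both ProcA.T2 and ProcB.T1 carry TIF_SPEC_IB, so the switch back to ProcB.T1 looks like a no-op and the MSR never gets its bit back. With the deferred update the switch sees TIF_SPEC_FORCE_UPDATE on the outgoing task, re-derives both tasks' TIF state from atomic_flags and writes the MSR unconditionally, which is the behaviour the commit message asks for.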