kernel / kernel-source

Clone
Source Code
GIT

Blame patches.arch/x86-kvm-vmx-add-mds-protection-when-l1d-flush-is-not-active.patch

ALP-current ALP-current-GA ALP-current-RT ALP-current-RT-GA SLE12-SP5 SLE12-SP5-AZURE SLE12-SP5-RT SLE15-SP2-EB SLE15-SP3-RT-LTSS SLE15-SP4-RT-LTSS SLE15-SP5 SLE15-SP5-AZURE SLE15-SP5-RT SLE15-SP6 SLE15-SP6-AZURE SLE15-SP6-AZURE-GA SLE15-SP6-GA SLE15-SP6-RT SLE15-SP6-RT-GA linux-next master packaging scripts slowroll stable vanilla
  1.   8fba5164b8248f0fbebc0cdccebca7f09474b488
  2.   patches.arch
  3.   x86-kvm-vmx-add-mds-protection-when-l1d-flush-is-not-active.patch
Blob History Raw
Borislav Petkov ccaf1a 
From: Thomas Gleixner <tglx@linutronix.de>
Borislav Petkov ccaf1a 
Date: Wed, 27 Feb 2019 12:48:14 +0100
Borislav Petkov ccaf1a 
Subject: x86/kvm/vmx: Add MDS protection when L1D Flush is not active
Borislav Petkov ccaf1a 
Git-commit: 650b68a0622f933444a6d66936abb3103029413b
Borislav Petkov ccaf1a 
Patch-mainline: v5.1-rc1
Borislav Petkov 6576c0 
References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
CPUs which are affected by L1TF and MDS mitigate MDS with the L1D Flush on
Borislav Petkov ccaf1a 
VMENTER when updated microcode is installed.
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
If a CPU is not affected by L1TF or if the L1D Flush is not in use, then
Borislav Petkov ccaf1a 
MDS mitigation needs to be invoked explicitly.
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
For these cases, follow the host mitigation state and invoke the MDS
Borislav Petkov ccaf1a 
mitigation before VMENTER.
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Borislav Petkov ccaf1a 
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Borislav Petkov ccaf1a 
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Borislav Petkov ccaf1a 
Reviewed-by: Borislav Petkov <bp@suse.de>
Borislav Petkov ccaf1a 
Reviewed-by: Jon Masters <jcm@redhat.com>
Borislav Petkov ccaf1a 
Tested-by: Jon Masters <jcm@redhat.com>
Borislav Petkov ccaf1a 
Acked-by: Borislav Petkov <bp@suse.de>
Borislav Petkov ccaf1a 
---
Borislav Petkov ccaf1a 
 arch/x86/kernel/cpu/bugs.c |    1 +
Borislav Petkov ccaf1a 
 arch/x86/kvm/vmx.c         |    3 +++
Borislav Petkov ccaf1a 
 2 files changed, 4 insertions(+)
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
--- a/arch/x86/kernel/cpu/bugs.c
Borislav Petkov ccaf1a 
+++ b/arch/x86/kernel/cpu/bugs.c
Borislav Petkov ccaf1a 
@@ -62,6 +62,7 @@ DEFINE_STATIC_KEY_FALSE(switch_mm_always
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
 /* Control MDS CPU buffer clear before returning to user space */
Borislav Petkov ccaf1a 
 DEFINE_STATIC_KEY_FALSE(mds_user_clear);
Borislav Petkov ccaf1a 
+EXPORT_SYMBOL_GPL(mds_user_clear);
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
 void __init check_bugs(void)
Borislav Petkov ccaf1a 
 {
Borislav Petkov ccaf1a 
--- a/arch/x86/kvm/vmx.c
Borislav Petkov ccaf1a 
+++ b/arch/x86/kvm/vmx.c
Borislav Petkov ccaf1a 
@@ -9684,8 +9684,11 @@ static void __noclone vmx_vcpu_run(struc
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
 	vmx->__launched = vmx->loaded_vmcs->launched;
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
+	/* L1D Flush includes CPU buffer clear to mitigate MDS */
Borislav Petkov ccaf1a 
 	if (static_branch_unlikely(&vmx_l1d_should_flush))
Borislav Petkov ccaf1a 
 		vmx_l1d_flush(vcpu);
Borislav Petkov ccaf1a 
+	else if (static_branch_unlikely(&mds_user_clear))
Borislav Petkov ccaf1a 
+		mds_clear_cpu_buffers();
Borislav Petkov ccaf1a
Borislav Petkov ccaf1a 
 	asm(
Borislav Petkov ccaf1a 
 		/* Store host registers */
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.