|
Borislav Petkov |
ccaf1a |
From: Thomas Gleixner <tglx@linutronix.de>
|
|
Borislav Petkov |
ccaf1a |
Date: Wed, 27 Feb 2019 12:48:14 +0100
|
|
Borislav Petkov |
ccaf1a |
Subject: x86/kvm/vmx: Add MDS protection when L1D Flush is not active
|
|
Borislav Petkov |
ccaf1a |
Git-commit: 650b68a0622f933444a6d66936abb3103029413b
|
|
Borislav Petkov |
ccaf1a |
Patch-mainline: v5.1-rc1
|
|
Borislav Petkov |
6576c0 |
References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
CPUs which are affected by L1TF and MDS mitigate MDS with the L1D Flush on
|
|
Borislav Petkov |
ccaf1a |
VMENTER when updated microcode is installed.
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
If a CPU is not affected by L1TF or if the L1D Flush is not in use, then
|
|
Borislav Petkov |
ccaf1a |
MDS mitigation needs to be invoked explicitly.
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
For these cases, follow the host mitigation state and invoke the MDS
|
|
Borislav Petkov |
ccaf1a |
mitigation before VMENTER.
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
Borislav Petkov |
ccaf1a |
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Borislav Petkov |
ccaf1a |
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
|
|
Borislav Petkov |
ccaf1a |
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
Borislav Petkov |
ccaf1a |
Reviewed-by: Jon Masters <jcm@redhat.com>
|
|
Borislav Petkov |
ccaf1a |
Tested-by: Jon Masters <jcm@redhat.com>
|
|
Borislav Petkov |
ccaf1a |
Acked-by: Borislav Petkov <bp@suse.de>
|
|
Borislav Petkov |
ccaf1a |
---
|
|
Borislav Petkov |
ccaf1a |
arch/x86/kernel/cpu/bugs.c | 1 +
|
|
Borislav Petkov |
ccaf1a |
arch/x86/kvm/vmx.c | 3 +++
|
|
Borislav Petkov |
ccaf1a |
2 files changed, 4 insertions(+)
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
--- a/arch/x86/kernel/cpu/bugs.c
|
|
Borislav Petkov |
ccaf1a |
+++ b/arch/x86/kernel/cpu/bugs.c
|
|
Borislav Petkov |
ccaf1a |
@@ -62,6 +62,7 @@ DEFINE_STATIC_KEY_FALSE(switch_mm_always
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
/* Control MDS CPU buffer clear before returning to user space */
|
|
Borislav Petkov |
ccaf1a |
DEFINE_STATIC_KEY_FALSE(mds_user_clear);
|
|
Borislav Petkov |
ccaf1a |
+EXPORT_SYMBOL_GPL(mds_user_clear);
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
void __init check_bugs(void)
|
|
Borislav Petkov |
ccaf1a |
{
|
|
Borislav Petkov |
ccaf1a |
--- a/arch/x86/kvm/vmx.c
|
|
Borislav Petkov |
ccaf1a |
+++ b/arch/x86/kvm/vmx.c
|
|
Borislav Petkov |
ccaf1a |
@@ -9684,8 +9684,11 @@ static void __noclone vmx_vcpu_run(struc
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
vmx->__launched = vmx->loaded_vmcs->launched;
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
+ /* L1D Flush includes CPU buffer clear to mitigate MDS */
|
|
Borislav Petkov |
ccaf1a |
if (static_branch_unlikely(&vmx_l1d_should_flush))
|
|
Borislav Petkov |
ccaf1a |
vmx_l1d_flush(vcpu);
|
|
Borislav Petkov |
ccaf1a |
+ else if (static_branch_unlikely(&mds_user_clear))
|
|
Borislav Petkov |
ccaf1a |
+ mds_clear_cpu_buffers();
|
|
Borislav Petkov |
ccaf1a |
|
|
Borislav Petkov |
ccaf1a |
asm(
|
|
Borislav Petkov |
ccaf1a |
/* Store host registers */
|