|
Borislav Petkov |
bbc94e |
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
|
|
Borislav Petkov |
bbc94e |
Date: Thu, 19 May 2022 20:27:08 -0700
|
|
Borislav Petkov |
bbc94e |
Subject: x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug
|
|
Borislav Petkov |
bbc94e |
Git-commit: 51802186158c74a0304f51ab963e7c2b3a2b046f
|
|
Borislav Petkov |
bbc94e |
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
|
|
Borislav Petkov |
bbc94e |
Patch-mainline: Queued in tip for v5.19
|
|
Borislav Petkov |
bbc94e |
References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
Processor MMIO Stale Data is a class of vulnerabilities that may
|
|
Borislav Petkov |
bbc94e |
expose data after an MMIO operation. For more details please refer to
|
|
Borislav Petkov |
bbc94e |
Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
Add the Processor MMIO Stale Data bug enumeration. A microcode update
|
|
Borislav Petkov |
bbc94e |
adds new bits to the MSR IA32_ARCH_CAPABILITIES, define them.
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
|
|
Borislav Petkov |
bbc94e |
Signed-off-by: Borislav Petkov <bp@suse.de>
|
|
Borislav Petkov |
bbc94e |
---
|
|
Borislav Petkov |
bbc94e |
arch/x86/include/asm/cpufeatures.h | 1 +
|
|
Borislav Petkov |
bbc94e |
arch/x86/include/asm/msr-index.h | 19 +++++++++++++++++++
|
|
Borislav Petkov |
bbc94e |
arch/x86/kernel/cpu/common.c | 37 +++++++++++++++++++++++++++++++++++--
|
|
Borislav Petkov |
bbc94e |
3 files changed, 55 insertions(+), 2 deletions(-)
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
--- a/arch/x86/include/asm/cpufeatures.h
|
|
Borislav Petkov |
bbc94e |
+++ b/arch/x86/include/asm/cpufeatures.h
|
|
Borislav Petkov |
bbc94e |
@@ -400,5 +400,6 @@
|
|
Borislav Petkov |
bbc94e |
#define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
|
|
Borislav Petkov |
bbc94e |
#define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
|
|
Borislav Petkov |
bbc94e |
#define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
|
|
Borislav Petkov |
bbc94e |
+#define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
#endif /* _ASM_X86_CPUFEATURES_H */
|
|
Borislav Petkov |
bbc94e |
--- a/arch/x86/include/asm/msr-index.h
|
|
Borislav Petkov |
bbc94e |
+++ b/arch/x86/include/asm/msr-index.h
|
|
Borislav Petkov |
bbc94e |
@@ -104,6 +104,25 @@
|
|
Borislav Petkov |
bbc94e |
* Not susceptible to
|
|
Borislav Petkov |
bbc94e |
* TSX Async Abort (TAA) vulnerabilities.
|
|
Borislav Petkov |
bbc94e |
*/
|
|
Borislav Petkov |
bbc94e |
+#define ARCH_CAP_SBDR_SSDP_NO BIT(13) /*
|
|
Borislav Petkov |
bbc94e |
+ * Not susceptible to SBDR and SSDP
|
|
Borislav Petkov |
bbc94e |
+ * variants of Processor MMIO stale data
|
|
Borislav Petkov |
bbc94e |
+ * vulnerabilities.
|
|
Borislav Petkov |
bbc94e |
+ */
|
|
Borislav Petkov |
bbc94e |
+#define ARCH_CAP_FBSDP_NO BIT(14) /*
|
|
Borislav Petkov |
bbc94e |
+ * Not susceptible to FBSDP variant of
|
|
Borislav Petkov |
bbc94e |
+ * Processor MMIO stale data
|
|
Borislav Petkov |
bbc94e |
+ * vulnerabilities.
|
|
Borislav Petkov |
bbc94e |
+ */
|
|
Borislav Petkov |
bbc94e |
+#define ARCH_CAP_PSDP_NO BIT(15) /*
|
|
Borislav Petkov |
bbc94e |
+ * Not susceptible to PSDP variant of
|
|
Borislav Petkov |
bbc94e |
+ * Processor MMIO stale data
|
|
Borislav Petkov |
bbc94e |
+ * vulnerabilities.
|
|
Borislav Petkov |
bbc94e |
+ */
|
|
Borislav Petkov |
bbc94e |
+#define ARCH_CAP_FB_CLEAR BIT(17) /*
|
|
Borislav Petkov |
bbc94e |
+ * VERW clears CPU fill buffer
|
|
Borislav Petkov |
bbc94e |
+ * even on MDS_NO CPUs.
|
|
Borislav Petkov |
bbc94e |
+ */
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
#define MSR_IA32_FLUSH_CMD 0x0000010b
|
|
Borislav Petkov |
bbc94e |
#define L1D_FLUSH BIT(0) /*
|
|
Borislav Petkov |
bbc94e |
--- a/arch/x86/kernel/cpu/common.c
|
|
Borislav Petkov |
bbc94e |
+++ b/arch/x86/kernel/cpu/common.c
|
|
Borislav Petkov |
bbc94e |
@@ -1003,18 +1003,33 @@ static const __initconst struct x86_cpu_
|
|
Borislav Petkov |
bbc94e |
X86_FEATURE_ANY, issues)
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
#define SRBDS BIT(0)
|
|
Borislav Petkov |
bbc94e |
+/* CPU is affected by X86_BUG_MMIO_STALE_DATA */
|
|
Borislav Petkov |
bbc94e |
+#define MMIO BIT(1)
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
|
|
Borislav Petkov |
bbc94e |
VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS),
|
|
Borislav Petkov |
bbc94e |
VULNBL_INTEL_STEPPINGS(HASWELL, X86_STEPPING_ANY, SRBDS),
|
|
Borislav Petkov |
bbc94e |
VULNBL_INTEL_STEPPINGS(HASWELL_L, X86_STEPPING_ANY, SRBDS),
|
|
Borislav Petkov |
bbc94e |
VULNBL_INTEL_STEPPINGS(HASWELL_G, X86_STEPPING_ANY, SRBDS),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(HASWELL_X, BIT(2) | BIT(4), MMIO),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(BROADWELL_D, X86_STEPPINGS(0x3, 0x5), MMIO),
|
|
Borislav Petkov |
bbc94e |
VULNBL_INTEL_STEPPINGS(BROADWELL_G, X86_STEPPING_ANY, SRBDS),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO),
|
|
Borislav Petkov |
bbc94e |
VULNBL_INTEL_STEPPINGS(BROADWELL, X86_STEPPING_ANY, SRBDS),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO),
|
|
Borislav Petkov |
bbc94e |
VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, SRBDS),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(SKYLAKE_X, BIT(3) | BIT(4) | BIT(6) |
|
|
Borislav Petkov |
bbc94e |
+ BIT(7) | BIT(0xB), MMIO),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO),
|
|
Borislav Petkov |
bbc94e |
VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, SRBDS),
|
|
Borislav Petkov |
bbc94e |
- VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x0, 0xC), SRBDS),
|
|
Borislav Petkov |
bbc94e |
- VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x0, 0xD), SRBDS),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x9, 0xC), SRBDS | MMIO),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x0, 0x8), SRBDS),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x9, 0xD), SRBDS | MMIO),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x0, 0x8), SRBDS),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPINGS(0x5, 0x5), MMIO),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPINGS(0x1, 0x1), MMIO),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPINGS(0x4, 0x6), MMIO),
|
|
Borislav Petkov |
bbc94e |
+ VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO),
|
|
Borislav Petkov |
bbc94e |
{}
|
|
Borislav Petkov |
bbc94e |
};
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
@@ -1035,6 +1050,13 @@ u64 x86_read_arch_cap_msr(void)
|
|
Borislav Petkov |
bbc94e |
return ia32_cap;
|
|
Borislav Petkov |
bbc94e |
}
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
+static bool arch_cap_mmio_immune(u64 ia32_cap)
|
|
Borislav Petkov |
bbc94e |
+{
|
|
Borislav Petkov |
bbc94e |
+ return (ia32_cap & ARCH_CAP_FBSDP_NO &&
|
|
Borislav Petkov |
bbc94e |
+ ia32_cap & ARCH_CAP_PSDP_NO &&
|
|
Borislav Petkov |
bbc94e |
+ ia32_cap & ARCH_CAP_SBDR_SSDP_NO);
|
|
Borislav Petkov |
bbc94e |
+}
|
|
Borislav Petkov |
bbc94e |
+
|
|
Borislav Petkov |
bbc94e |
static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
|
|
Borislav Petkov |
bbc94e |
{
|
|
Borislav Petkov |
bbc94e |
u64 ia32_cap = x86_read_arch_cap_msr();
|
|
Borislav Petkov |
bbc94e |
@@ -1092,6 +1114,17 @@ static void __init cpu_set_bug_bits(stru
|
|
Borislav Petkov |
bbc94e |
cpu_matches(cpu_vuln_blacklist, SRBDS))
|
|
Borislav Petkov |
bbc94e |
setup_force_cpu_bug(X86_BUG_SRBDS);
|
|
Borislav Petkov |
bbc94e |
|
|
Borislav Petkov |
bbc94e |
+ /*
|
|
Borislav Petkov |
bbc94e |
+ * Processor MMIO Stale Data bug enumeration
|
|
Borislav Petkov |
bbc94e |
+ *
|
|
Borislav Petkov |
bbc94e |
+ * Affected CPU list is generally enough to enumerate the vulnerability,
|
|
Borislav Petkov |
bbc94e |
+ * but for virtualization case check for ARCH_CAP MSR bits also, VMM may
|
|
Borislav Petkov |
bbc94e |
+ * not want the guest to enumerate the bug.
|
|
Borislav Petkov |
bbc94e |
+ */
|
|
Borislav Petkov |
bbc94e |
+ if (cpu_matches(cpu_vuln_blacklist, MMIO) &&
|
|
Borislav Petkov |
bbc94e |
+ !arch_cap_mmio_immune(ia32_cap))
|
|
Borislav Petkov |
bbc94e |
+ setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
|
|
Borislav Petkov |
bbc94e |
+
|
|
Borislav Petkov |
bbc94e |
if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
|
|
Borislav Petkov |
bbc94e |
return;
|
|
Borislav Petkov |
bbc94e |
|