From: David Woodhouse <dwmw@amazon.co.uk>
Date: Sat, 27 Jan 2018 15:09:34 +0000
Subject: x86/speculation: Add basic IBRS support infrastructure
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux.git
Git-commit: 264b9aa1a901e5032df948d47fb3cb51f0111647
Patch-mainline: Queued in subsystem maintainer repository
References: bsc#1068032 CVE-2017-5753
Not functional yet; just add the handling for it in the Spectre v2
mitigation selection, and the X86_FEATURE_USE_IBRS flag which will
control the code to be added in later patches.
Also take the #ifdef CONFIG_RETPOLINE from around the RSB-stuffing; IBRS
mode will want that too.
For now we are auto-selecting IBRS on Skylake. We will probably end up
changing that but for now let's default to the safest option.
[karahmed: simplify the switch block and get rid of all the magic]
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
Documentation/admin-guide/kernel-parameters.txt | 1
arch/x86/include/asm/cpufeatures.h | 1
arch/x86/include/asm/nospec-branch.h | 2 -
arch/x86/kernel/cpu/bugs.c | 31 +++++++++++++++++++-----
arch/x86/lib/Makefile | 2 -
arch/x86/lib/retpoline.S | 5 +++
6 files changed, 33 insertions(+), 9 deletions(-)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3980,6 +3980,7 @@
retpoline - replace indirect branches
retpoline,generic - google's original retpoline
retpoline,amd - AMD-specific minimal thunk
+ ibrs - Intel/AMD microcode feature
Not specifying this option is equivalent to
spectre_v2=auto.
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -214,6 +214,7 @@
#define X86_FEATURE_SEV ( 7*32+20) /* AMD Secure Encrypted Virtualization */
#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
+#define X86_FEATURE_USE_IBRS ( 7*32+23) /* "" Use IBRS for Spectre v2 safety */
#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+24) /* "" Disable Speculative Store Bypass. */
#define X86_FEATURE_LS_CFG_SSBD ( 7*32+25) /* "" AMD SSBD implementation via LS_CFG MSR */
#define X86_FEATURE_IBRS ( 7*32+26) /* Indirect Branch Restricted Speculation */
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -236,7 +236,6 @@ extern char __indirect_thunk_end[];
*/
static inline void vmexit_fill_RSB(void)
{
-#ifdef CONFIG_RETPOLINE
unsigned long loops;
asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE
@@ -246,7 +245,6 @@ static inline void vmexit_fill_RSB(void)
"910:"
: "=r" (loops), ASM_CALL_CONSTRAINT
: : "memory" );
-#endif
}
static __always_inline
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -132,6 +132,7 @@ enum spectre_v2_mitigation_cmd {
SPECTRE_V2_CMD_RETPOLINE,
SPECTRE_V2_CMD_RETPOLINE_GENERIC,
SPECTRE_V2_CMD_RETPOLINE_AMD,
+ SPECTRE_V2_CMD_IBRS,
};
static const char *spectre_v2_strings[] = {
@@ -140,6 +141,7 @@ static const char *spectre_v2_strings[]
[SPECTRE_V2_RETPOLINE_MINIMAL_AMD] = "Vulnerable: Minimal AMD ASM retpoline",
[SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
[SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
+ [SPECTRE_V2_IBRS] = "Mitigation: Indirect Branch Restricted Speculation",
};
#undef pr_fmt
@@ -389,6 +391,7 @@ static const struct {
{ "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
{ "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false },
{ "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
+ { "ibrs", SPECTRE_V2_CMD_IBRS, false },
{ "auto", SPECTRE_V2_CMD_AUTO, false },
};
@@ -440,7 +443,7 @@ static enum spectre_v2_mitigation_cmd __
return cmd;
}
-/* Check for Skylake-like CPUs (for RSB handling) */
+/* Check for Skylake-like CPUs (for RSB and IBRS handling) */
static bool __init is_skylake_era(void)
{
if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
@@ -474,19 +477,34 @@ static void __init spectre_v2_select_mit
case SPECTRE_V2_CMD_NONE:
return;
- case SPECTRE_V2_CMD_FORCE:
- case SPECTRE_V2_CMD_AUTO:
- if (IS_ENABLED(CONFIG_RETPOLINE))
- goto retpoline_auto;
- break;
case SPECTRE_V2_CMD_RETPOLINE_AMD:
if (IS_ENABLED(CONFIG_RETPOLINE))
goto retpoline_amd;
break;
+
case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
if (IS_ENABLED(CONFIG_RETPOLINE))
goto retpoline_generic;
break;
+
+ case SPECTRE_V2_CMD_IBRS:
+ mode = SPECTRE_V2_IBRS;
+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS);
+ goto enabled;
+
+ case SPECTRE_V2_CMD_AUTO:
+ case SPECTRE_V2_CMD_FORCE:
+ /*
+ * If we have IBRS support, and either Skylake or !RETPOLINE,
+ * then that's what we do.
+ */
+ if (boot_cpu_has(X86_FEATURE_IBRS) &&
+ (is_skylake_era() || !retp_compiler())) {
+ mode = SPECTRE_V2_IBRS;
+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS);
+ goto enabled;
+ }
+ /* fall through */
case SPECTRE_V2_CMD_RETPOLINE:
if (IS_ENABLED(CONFIG_RETPOLINE))
goto retpoline_auto;
@@ -513,6 +531,7 @@ retpoline_auto:
setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
}
+ enabled:
spectre_v2_enabled = mode;
pr_info("%s\n", spectre_v2_strings[mode]);
--- a/arch/x86/lib/Makefile
+++ b/arch/x86/lib/Makefile
@@ -25,7 +25,7 @@ lib-y += memcpy_$(BITS).o
lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o
lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o
lib-$(CONFIG_RANDOMIZE_BASE) += kaslr.o
-lib-$(CONFIG_RETPOLINE) += retpoline.o
+lib-y += retpoline.o
obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o
--- a/arch/x86/lib/retpoline.S
+++ b/arch/x86/lib/retpoline.S
@@ -8,6 +8,8 @@
#include <asm/export.h>
#include <asm/nospec-branch.h>
+#ifdef CONFIG_RETPOLINE
+
.macro THUNK reg
.section .text.__x86.indirect_thunk
@@ -46,3 +48,6 @@ GENERATE_THUNK(r13)
GENERATE_THUNK(r14)
GENERATE_THUNK(r15)
#endif
+
+#endif /* CONFIG_RETPOLINE */
+