From 009ad22ebdaea2d14f8ecd95672dbc2517d28126 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Jun 08 2022 11:21:28 +0000 Subject: Merge remote-tracking branch 'kerncvs/SLE12-SP5_EMBARGO' into SLE12-SP5-AZURE_EMBARGO --- diff --git a/patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch b/patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch new file mode 100644 index 0000000..41e5dad --- /dev/null +++ b/patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch @@ -0,0 +1,202 @@ +From: Pawan Gupta +Date: Thu, 19 May 2022 20:35:15 -0700 +Subject: KVM: x86/speculation: Disable Fill buffer clear within guests +Git-commit: 027bbb884be006b05d9c577d6401686053aa789e +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 + +The enumeration of MD_CLEAR in CPUID(EAX=7,ECX=0).EDX{bit 10} is not an +accurate indicator on all CPUs of whether the VERW instruction will +overwrite fill buffers. FB_CLEAR enumeration in +IA32_ARCH_CAPABILITIES{bit 17} covers the case of CPUs that are not +vulnerable to MDS/TAA, indicating that microcode does overwrite fill +buffers. + +Guests running in VMM environments may not be aware of all the +capabilities/vulnerabilities of the host CPU. Specifically, a guest may +apply MDS/TAA mitigations when a virtual CPU is enumerated as vulnerable +to MDS/TAA even when the physical CPU is not. On CPUs that enumerate +FB_CLEAR_CTRL the VMM may set FB_CLEAR_DIS to skip overwriting of fill +buffers by the VERW instruction. This is done by setting FB_CLEAR_DIS +during VMENTER and resetting on VMEXIT. For guests that enumerate +FB_CLEAR (explicitly asking for fill buffer clear capability) the VMM +will not use FB_CLEAR_DIS. + +Irrespective of guest state, host overwrites CPU buffers before VMENTER +to protect itself from an MMIO capable guest, as part of mitigation for +MMIO Stale Data vulnerabilities. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/msr-index.h | 6 +++ + arch/x86/kvm/vmx.c | 73 +++++++++++++++++++++++++++++++++++++++ + arch/x86/kvm/x86.c | 3 + + 3 files changed, 82 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -123,6 +123,11 @@ + * VERW clears CPU fill buffer + * even on MDS_NO CPUs. + */ ++#define ARCH_CAP_FB_CLEAR_CTRL BIT(18) /* ++ * MSR_IA32_MCU_OPT_CTRL[FB_CLEAR_DIS] ++ * bit available to control VERW ++ * behavior. ++ */ + + #define MSR_IA32_FLUSH_CMD 0x0000010b + #define L1D_FLUSH BIT(0) /* +@@ -142,6 +147,7 @@ + /* SRBDS support */ + #define MSR_IA32_MCU_OPT_CTRL 0x00000123 + #define RNGDS_MITG_DIS BIT(0) ++#define FB_CLEAR_DIS BIT(3) /* CPU Fill buffer clear disable */ + + #define MSR_IA32_SYSENTER_CS 0x00000174 + #define MSR_IA32_SYSENTER_ESP 0x00000175 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -209,6 +209,9 @@ static const struct { + #define L1D_CACHE_ORDER 4 + static void *vmx_l1d_flush_pages; + ++/* Control for disabling CPU Fill buffer clear */ ++static bool __read_mostly vmx_fb_clear_ctrl_available; ++ + static int vmx_setup_l1d_flush(enum vmx_l1d_flush_state l1tf) + { + struct page *page; +@@ -824,6 +827,9 @@ struct vcpu_vmx { + */ + u64 msr_ia32_feature_control; + u64 msr_ia32_feature_control_valid_bits; ++ ++ u64 msr_ia32_mcu_opt_ctrl; ++ bool disable_fb_clear; + }; + + enum segment_cache_field { +@@ -1693,6 +1699,61 @@ static void vmcs_load(struct vmcs *vmcs) + vmcs, phys_addr); + } + ++static void vmx_setup_fb_clear_ctrl(void) ++{ ++ u64 msr; ++ ++ if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES) && ++ !boot_cpu_has_bug(X86_BUG_MDS) && ++ !boot_cpu_has_bug(X86_BUG_TAA)) { ++ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, msr); ++ if (msr & ARCH_CAP_FB_CLEAR_CTRL) ++ vmx_fb_clear_ctrl_available = true; ++ } ++} ++ ++static __always_inline void vmx_disable_fb_clear(struct vcpu_vmx *vmx) ++{ ++ u64 msr; ++ ++ if (!vmx->disable_fb_clear) ++ return; ++ ++ rdmsrl(MSR_IA32_MCU_OPT_CTRL, msr); ++ msr |= FB_CLEAR_DIS; ++ wrmsrl(MSR_IA32_MCU_OPT_CTRL, msr); ++ /* Cache the MSR value to avoid reading it later */ ++ vmx->msr_ia32_mcu_opt_ctrl = msr; ++} ++ ++static __always_inline void vmx_enable_fb_clear(struct vcpu_vmx *vmx) ++{ ++ if (!vmx->disable_fb_clear) ++ return; ++ ++ vmx->msr_ia32_mcu_opt_ctrl &= ~FB_CLEAR_DIS; ++ wrmsrl(MSR_IA32_MCU_OPT_CTRL, vmx->msr_ia32_mcu_opt_ctrl); ++} ++ ++static void vmx_update_fb_clear_dis(struct kvm_vcpu *vcpu, struct vcpu_vmx *vmx) ++{ ++ vmx->disable_fb_clear = vmx_fb_clear_ctrl_available; ++ ++ /* ++ * If guest will not execute VERW, there is no need to set FB_CLEAR_DIS ++ * at VMEntry. Skip the MSR read/write when a guest has no use case to ++ * execute VERW. ++ */ ++ if ((vcpu->arch.arch_capabilities & ARCH_CAP_FB_CLEAR) || ++ ((vcpu->arch.arch_capabilities & ARCH_CAP_MDS_NO) && ++ (vcpu->arch.arch_capabilities & ARCH_CAP_TAA_NO) && ++ (vcpu->arch.arch_capabilities & ARCH_CAP_PSDP_NO) && ++ (vcpu->arch.arch_capabilities & ARCH_CAP_FBSDP_NO) && ++ (vcpu->arch.arch_capabilities & ARCH_CAP_SBDR_SSDP_NO))) ++ vmx->disable_fb_clear = false; ++} ++ ++ + #ifdef CONFIG_KEXEC_CORE + /* + * This bitmap is used to indicate whether the vmclear +@@ -3775,6 +3836,10 @@ static int vmx_set_msr(struct kvm_vcpu * + ret = kvm_set_msr_common(vcpu, msr_info); + } + ++ /* FB_CLEAR may have changed, also update the FB_CLEAR_DIS behavior */ ++ if (msr_index == MSR_IA32_ARCH_CAPABILITIES) ++ vmx_update_fb_clear_dis(vcpu, vmx); ++ + return ret; + } + +@@ -6109,6 +6174,8 @@ static void vmx_vcpu_reset(struct kvm_vc + update_exception_bitmap(vcpu); + + vpid_sync_context(vmx->vpid); ++ ++ vmx_update_fb_clear_dis(vcpu, vmx); + } + + /* +@@ -9862,6 +9929,8 @@ static void __noclone vmx_vcpu_run(struc + kvm_arch_has_assigned_device(vcpu->kvm)) + mds_clear_cpu_buffers(); + ++ vmx_disable_fb_clear(vmx); ++ + asm( + /* Store host registers */ + "push %%" _ASM_DX "; push %%" _ASM_BP ";" +@@ -9991,6 +10060,8 @@ static void __noclone vmx_vcpu_run(struc + #endif + ); + ++ vmx_enable_fb_clear(vmx); ++ + /* + * We do not use IBRS in the kernel. If this vCPU has used the + * SPEC_CTRL MSR it may have left it on; save the value and +@@ -13140,6 +13211,8 @@ static int __init vmx_init(void) + } + } + ++ vmx_setup_fb_clear_ctrl(); ++ + #ifdef CONFIG_KEXEC_CORE + rcu_assign_pointer(crash_vmclear_loaded_vmcss, + crash_vmclear_local_loaded_vmcss); +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1125,6 +1125,9 @@ u64 kvm_get_arch_capabilities(void) + */ + data |= ARCH_CAP_PSCHANGE_MC_NO; + ++ /* Guests don't need to know "Fill buffer clear control" exists */ ++ data &= ~ARCH_CAP_FB_CLEAR_CTRL; ++ + return data; + } + diff --git a/patches.suse/powerpc-64s-flush-L1D-after-user-accesses.patch b/patches.suse/powerpc-64s-flush-L1D-after-user-accesses.patch index 22e61b8..9287065 100644 --- a/patches.suse/powerpc-64s-flush-L1D-after-user-accesses.patch +++ b/patches.suse/powerpc-64s-flush-L1D-after-user-accesses.patch @@ -34,45 +34,21 @@ Signed-off-by: Daniel Axtens Signed-off-by: Greg Kroah-Hartman Acked-by: Michal Suchanek --- - .../admin-guide/kernel-parameters.txt | 4 + - .../powerpc/include/asm/book3s/64/kup-radix.h | 22 +++++ - arch/powerpc/include/asm/feature-fixups.h | 9 +++ - arch/powerpc/include/asm/kup.h | 4 + - arch/powerpc/include/asm/security_features.h | 3 + - arch/powerpc/include/asm/setup.h | 1 + - arch/powerpc/kernel/exceptions-64s.S | 81 ++++++------------- - arch/powerpc/kernel/setup_64.c | 62 ++++++++++++++ - arch/powerpc/kernel/vmlinux.lds.S | 7 ++ - arch/powerpc/lib/feature-fixups.c | 50 ++++++++++++ - arch/powerpc/platforms/powernv/setup.c | 10 ++- - arch/powerpc/platforms/pseries/setup.c | 4 + + Documentation/admin-guide/kernel-parameters.txt | 4 + + arch/powerpc/include/asm/book3s/64/kup-radix.h | 22 ++++++ + arch/powerpc/include/asm/feature-fixups.h | 9 ++ + arch/powerpc/include/asm/kup.h | 4 + + arch/powerpc/include/asm/security_features.h | 3 + arch/powerpc/include/asm/setup.h | 1 + arch/powerpc/kernel/exceptions-64s.S | 81 +++++++----------------- + arch/powerpc/kernel/setup_64.c | 62 ++++++++++++++++++ + arch/powerpc/kernel/vmlinux.lds.S | 7 ++ + arch/powerpc/lib/feature-fixups.c | 50 ++++++++++++++ + arch/powerpc/platforms/powernv/setup.c | 10 ++ + arch/powerpc/platforms/pseries/setup.c | 4 + 12 files changed, 198 insertions(+), 59 deletions(-) create mode 100644 arch/powerpc/include/asm/book3s/64/kup-radix.h -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2468,6 +2468,7 @@ - mds=off [X86] - tsx_async_abort=off [X86] - no_entry_flush [PPC] -+ no_uaccess_flush [PPC] - - auto (default) - Mitigate all CPU vulnerabilities, but leave SMT -@@ -2818,6 +2819,9 @@ - nospec_store_bypass_disable - [HW] Disable all mitigations for the Speculative Store Bypass vulnerability - -+ no_uaccess_flush -+ [PPC] Don't flush the L1-D cache after accessing user data. -+ - noxsave [BUGS=X86] Disables x86 extended register state save - and restore using xsave. The kernel will fallback to - enabling legacy floating-point and sse state. -diff --git a/arch/powerpc/include/asm/book3s/64/kup-radix.h b/arch/powerpc/include/asm/book3s/64/kup-radix.h -new file mode 100644 -index 000000000000..aa54ac2e5659 --- /dev/null +++ b/arch/powerpc/include/asm/book3s/64/kup-radix.h @@ -0,0 +1,22 @@ @@ -98,11 +74,9 @@ index 000000000000..aa54ac2e5659 +} + +#endif /* _ASM_POWERPC_BOOK3S_64_KUP_RADIX_H */ -diff --git a/arch/powerpc/include/asm/feature-fixups.h b/arch/powerpc/include/asm/feature-fixups.h -index 9ad779d87b23..5bf3f0779b93 100644 --- a/arch/powerpc/include/asm/feature-fixups.h +++ b/arch/powerpc/include/asm/feature-fixups.h -@@ -205,6 +205,14 @@ label##3: \ +@@ -203,6 +203,14 @@ label##3: \ FTR_ENTRY_OFFSET 955b-956b; \ .popsection; @@ -117,7 +91,7 @@ index 9ad779d87b23..5bf3f0779b93 100644 #define ENTRY_FLUSH_FIXUP_SECTION \ 957: \ .pushsection __entry_flush_fixup,"a"; \ -@@ -248,6 +256,7 @@ extern long stf_barrier_fallback; +@@ -235,6 +243,7 @@ extern long stf_barrier_fallback; extern long entry_flush_fallback; extern long __start___stf_entry_barrier_fixup, __stop___stf_entry_barrier_fixup; extern long __start___stf_exit_barrier_fixup, __stop___stf_exit_barrier_fixup; @@ -125,8 +99,6 @@ index 9ad779d87b23..5bf3f0779b93 100644 extern long __start___entry_flush_fixup, __stop___entry_flush_fixup; extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup; extern long __start___barrier_nospec_fixup, __stop___barrier_nospec_fixup; -diff --git a/arch/powerpc/include/asm/kup.h b/arch/powerpc/include/asm/kup.h -index 7895d5eeaf21..f0f8e36ad71f 100644 --- a/arch/powerpc/include/asm/kup.h +++ b/arch/powerpc/include/asm/kup.h @@ -6,10 +6,14 @@ @@ -144,11 +116,9 @@ index 7895d5eeaf21..f0f8e36ad71f 100644 static inline void allow_read_from_user(const void __user *from, unsigned long size) { -diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h -index 082b56bf678d..3b45a64e491e 100644 --- a/arch/powerpc/include/asm/security_features.h +++ b/arch/powerpc/include/asm/security_features.h -@@ -87,6 +87,8 @@ static inline bool security_ftr_enabled(unsigned long feature) +@@ -89,6 +89,8 @@ static inline bool security_ftr_enabled( // The L1-D cache should be flushed when entering the kernel #define SEC_FTR_L1D_FLUSH_ENTRY 0x0000000000004000ull @@ -157,7 +127,7 @@ index 082b56bf678d..3b45a64e491e 100644 // Features enabled by default #define SEC_FTR_DEFAULT \ -@@ -94,6 +96,7 @@ static inline bool security_ftr_enabled(unsigned long feature) +@@ -96,6 +98,7 @@ static inline bool security_ftr_enabled( SEC_FTR_L1D_FLUSH_PR | \ SEC_FTR_BNDS_CHK_SPEC_BAR | \ SEC_FTR_L1D_FLUSH_ENTRY | \ @@ -165,11 +135,9 @@ index 082b56bf678d..3b45a64e491e 100644 SEC_FTR_FAVOUR_SECURITY) #endif /* _ASM_POWERPC_SECURITY_FEATURES_H */ -diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h -index 556635217e5c..6f2f4497e13b 100644 --- a/arch/powerpc/include/asm/setup.h +++ b/arch/powerpc/include/asm/setup.h -@@ -60,6 +60,7 @@ void setup_barrier_nospec(void); +@@ -58,6 +58,7 @@ void setup_barrier_nospec(void); #else static inline void setup_barrier_nospec(void) { }; #endif @@ -177,11 +145,9 @@ index 556635217e5c..6f2f4497e13b 100644 void do_entry_flush_fixups(enum l1d_flush_type types); void do_barrier_nospec_fixups(bool enable); extern bool barrier_nospec_enabled; -diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S -index 75551690e96e..344e2758b22d 100644 --- a/arch/powerpc/kernel/exceptions-64s.S +++ b/arch/powerpc/kernel/exceptions-64s.S -@@ -1529,11 +1529,8 @@ TRAMP_REAL_BEGIN(stf_barrier_fallback) +@@ -1466,11 +1466,8 @@ TRAMP_REAL_BEGIN(stf_barrier_fallback) .endr blr @@ -195,7 +161,7 @@ index 75551690e96e..344e2758b22d 100644 ld r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13) ld r11,PACA_L1D_FLUSH_SIZE(r13) srdi r11,r11,(7 + 3) /* 128 byte lines, unrolled 8x */ -@@ -1559,7 +1556,14 @@ TRAMP_REAL_BEGIN(entry_flush_fallback) +@@ -1496,7 +1493,14 @@ TRAMP_REAL_BEGIN(entry_flush_fallback) ld r11,(0x80 + 8)*7(r10) addi r10,r10,0x80*8 bdnz 1b @@ -210,7 +176,7 @@ index 75551690e96e..344e2758b22d 100644 mtctr r9 ld r9,PACA_EXRFI+EX_R9(r13) ld r10,PACA_EXRFI+EX_R10(r13) -@@ -1575,32 +1579,7 @@ TRAMP_REAL_BEGIN(rfi_flush_fallback) +@@ -1510,32 +1514,7 @@ TRAMP_REAL_BEGIN(rfi_flush_fallback) std r10,PACA_EXRFI+EX_R10(r13) std r11,PACA_EXRFI+EX_R11(r13) mfctr r9 @@ -244,7 +210,7 @@ index 75551690e96e..344e2758b22d 100644 mtctr r9 ld r9,PACA_EXRFI+EX_R9(r13) ld r10,PACA_EXRFI+EX_R10(r13) -@@ -1618,32 +1597,7 @@ TRAMP_REAL_BEGIN(hrfi_flush_fallback) +@@ -1550,32 +1529,7 @@ TRAMP_REAL_BEGIN(hrfi_flush_fallback) std r10,PACA_EXRFI+EX_R10(r13) std r11,PACA_EXRFI+EX_R11(r13) mfctr r9 @@ -278,7 +244,7 @@ index 75551690e96e..344e2758b22d 100644 mtctr r9 ld r9,PACA_EXRFI+EX_R9(r13) ld r10,PACA_EXRFI+EX_R10(r13) -@@ -1652,6 +1606,19 @@ TRAMP_REAL_BEGIN(hrfi_flush_fallback) +@@ -1583,6 +1537,19 @@ TRAMP_REAL_BEGIN(hrfi_flush_fallback) GET_SCRATCH0(r13); hrfid @@ -298,11 +264,9 @@ index 75551690e96e..344e2758b22d 100644 /* * Real mode exceptions actually use this too, but alternate * instruction code patches (which end up in the common .text area) -diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c -index 7bbd9d22d66e..122365624d3d 100644 --- a/arch/powerpc/kernel/setup_64.c +++ b/arch/powerpc/kernel/setup_64.c -@@ -864,8 +864,12 @@ static enum l1d_flush_type enabled_flush_types; +@@ -814,8 +814,12 @@ static enum l1d_flush_type enabled_flush static void *l1d_flush_fallback_area; static bool no_rfi_flush; static bool no_entry_flush; @@ -315,7 +279,7 @@ index 7bbd9d22d66e..122365624d3d 100644 static int __init handle_no_rfi_flush(char *p) { -@@ -883,6 +887,14 @@ static int __init handle_no_entry_flush(char *p) +@@ -833,6 +837,14 @@ static int __init handle_no_entry_flush( } early_param("no_entry_flush", handle_no_entry_flush); @@ -330,7 +294,7 @@ index 7bbd9d22d66e..122365624d3d 100644 /* * The RFI flush is not KPTI, but because users will see doco that says to use * nopti we hijack that option here to also disable the RFI flush. -@@ -926,6 +938,20 @@ void entry_flush_enable(bool enable) +@@ -876,6 +888,20 @@ void entry_flush_enable(bool enable) entry_flush = enable; } @@ -351,7 +315,7 @@ index 7bbd9d22d66e..122365624d3d 100644 static void __ref init_fallback_flush(void) { u64 l1d_size, limit; -@@ -992,6 +1018,15 @@ void setup_entry_flush(bool enable) +@@ -941,6 +967,15 @@ void setup_entry_flush(bool enable) entry_flush_enable(enable); } @@ -367,7 +331,7 @@ index 7bbd9d22d66e..122365624d3d 100644 #ifdef CONFIG_DEBUG_FS static int rfi_flush_set(void *data, u64 val) { -@@ -1045,10 +1080,37 @@ static int entry_flush_get(void *data, u64 *val) +@@ -994,10 +1029,37 @@ static int entry_flush_get(void *data, u DEFINE_SIMPLE_ATTRIBUTE(fops_entry_flush, entry_flush_get, entry_flush_set, "%llu\n"); @@ -405,29 +369,25 @@ index 7bbd9d22d66e..122365624d3d 100644 return 0; } device_initcall(rfi_flush_debugfs_init); -diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S -index 1432cf996201..695432965f20 100644 --- a/arch/powerpc/kernel/vmlinux.lds.S +++ b/arch/powerpc/kernel/vmlinux.lds.S -@@ -140,6 +140,13 @@ SECTIONS - __stop___stf_entry_barrier_fixup = .; +@@ -143,6 +143,13 @@ SECTIONS } -+ . = ALIGN(8); + . = ALIGN(8); + __uaccess_flush_fixup : AT(ADDR(__uaccess_flush_fixup) - LOAD_OFFSET) { + __start___uaccess_flush_fixup = .; + *(__uaccess_flush_fixup) + __stop___uaccess_flush_fixup = .; + } + - . = ALIGN(8); ++ . = ALIGN(8); __entry_flush_fixup : AT(ADDR(__entry_flush_fixup) - LOAD_OFFSET) { __start___entry_flush_fixup = .; -diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c -index 22bae8741cae..065a3426f0eb 100644 + *(__entry_flush_fixup) --- a/arch/powerpc/lib/feature-fixups.c +++ b/arch/powerpc/lib/feature-fixups.c -@@ -232,6 +232,56 @@ void do_stf_barrier_fixups(enum stf_barrier_type types) +@@ -232,6 +232,56 @@ void do_stf_barrier_fixups(enum stf_barr do_stf_exit_barrier_fixups(types); } @@ -484,8 +444,6 @@ index 22bae8741cae..065a3426f0eb 100644 void do_entry_flush_fixups(enum l1d_flush_type types) { unsigned int instrs[3], *dest; -diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c -index ad51349e479b..5068dd7f6e74 100644 --- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c @@ -127,10 +127,12 @@ static void pnv_setup_rfi_flush(void) @@ -514,11 +472,9 @@ index ad51349e479b..5068dd7f6e74 100644 } static void __init pnv_setup_arch(void) -diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c -index 8aa4dd87cbf2..2e0d38cafdd4 100644 --- a/arch/powerpc/platforms/pseries/setup.c +++ b/arch/powerpc/platforms/pseries/setup.c -@@ -569,6 +569,10 @@ void pseries_setup_rfi_flush(void) +@@ -590,6 +590,10 @@ void pseries_setup_rfi_flush(void) enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && security_ftr_enabled(SEC_FTR_L1D_FLUSH_ENTRY); setup_entry_flush(enable); @@ -529,6 +485,23 @@ index 8aa4dd87cbf2..2e0d38cafdd4 100644 } #ifdef CONFIG_PCI_IOV --- -2.26.2 - +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2483,6 +2483,7 @@ + tsx_async_abort=off [X86] + mmio_stale_data=off [X86] + no_entry_flush [PPC] ++ no_uaccess_flush [PPC] + + auto (default) + Mitigate all CPU vulnerabilities, but leave SMT +@@ -2868,6 +2869,9 @@ + nospec_store_bypass_disable + [HW] Disable all mitigations for the Speculative Store Bypass vulnerability + ++ no_uaccess_flush ++ [PPC] Don't flush the L1-D cache after accessing user data. ++ + noxsave [BUGS=X86] Disables x86 extended register state save + and restore using xsave. The kernel will fallback to + enabling legacy floating-point and sse state. diff --git a/patches.suse/powerpc-64s-flush-L1D-on-kernel-entry.patch b/patches.suse/powerpc-64s-flush-L1D-on-kernel-entry.patch index d0780a6..56e6f2e 100644 --- a/patches.suse/powerpc-64s-flush-L1D-on-kernel-entry.patch +++ b/patches.suse/powerpc-64s-flush-L1D-on-kernel-entry.patch @@ -34,44 +34,22 @@ Signed-off-by: Daniel Axtens Signed-off-by: Greg Kroah-Hartman Acked-by: Michal Suchanek --- - .../admin-guide/kernel-parameters.txt | 3 + - arch/powerpc/include/asm/exception-64s.h | 9 ++- - arch/powerpc/include/asm/feature-fixups.h | 10 ++++ - arch/powerpc/include/asm/security_features.h | 4 ++ - arch/powerpc/include/asm/setup.h | 3 + - arch/powerpc/kernel/exceptions-64s.S | 47 +++++++++++++-- - arch/powerpc/kernel/setup_64.c | 60 ++++++++++++++++++- - arch/powerpc/kernel/vmlinux.lds.S | 7 +++ - arch/powerpc/lib/feature-fixups.c | 54 +++++++++++++++++ - arch/powerpc/platforms/powernv/setup.c | 11 ++++ - arch/powerpc/platforms/pseries/setup.c | 4 ++ + Documentation/admin-guide/kernel-parameters.txt | 3 + + arch/powerpc/include/asm/exception-64s.h | 9 +++ + arch/powerpc/include/asm/feature-fixups.h | 10 ++++ + arch/powerpc/include/asm/security_features.h | 4 + + arch/powerpc/include/asm/setup.h | 3 + + arch/powerpc/kernel/exceptions-64s.S | 47 ++++++++++++++++-- + arch/powerpc/kernel/setup_64.c | 60 +++++++++++++++++++++++- + arch/powerpc/kernel/vmlinux.lds.S | 7 ++ + arch/powerpc/lib/feature-fixups.c | 54 +++++++++++++++++++++ + arch/powerpc/platforms/powernv/setup.c | 11 ++++ + arch/powerpc/platforms/pseries/setup.c | 4 + 11 files changed, 205 insertions(+), 7 deletions(-) -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2467,6 +2467,7 @@ - l1tf=off [X86] - mds=off [X86] - tsx_async_abort=off [X86] -+ no_entry_flush [PPC] - - auto (default) - Mitigate all CPU vulnerabilities, but leave SMT -@@ -2762,6 +2763,8 @@ - - noefi Disable EFI runtime services support. - -+ no_entry_flush [PPC] Don't flush the L1-D cache when entering the kernel. -+ - noexec [IA-64] - - noexec [X86] -diff --git a/arch/powerpc/include/asm/exception-64s.h b/arch/powerpc/include/asm/exception-64s.h -index a86feddddad0..35fb5b11955a 100644 --- a/arch/powerpc/include/asm/exception-64s.h +++ b/arch/powerpc/include/asm/exception-64s.h -@@ -90,11 +90,18 @@ +@@ -74,11 +74,18 @@ nop; \ nop @@ -91,11 +69,9 @@ index a86feddddad0..35fb5b11955a 100644 /* * Macros for annotating the expected destination of (h)rfid -diff --git a/arch/powerpc/include/asm/feature-fixups.h b/arch/powerpc/include/asm/feature-fixups.h -index 40a6c9261a6b..9ad779d87b23 100644 --- a/arch/powerpc/include/asm/feature-fixups.h +++ b/arch/powerpc/include/asm/feature-fixups.h -@@ -205,6 +205,14 @@ label##3: \ +@@ -203,6 +203,14 @@ label##3: \ FTR_ENTRY_OFFSET 955b-956b; \ .popsection; @@ -110,7 +86,7 @@ index 40a6c9261a6b..9ad779d87b23 100644 #define RFI_FLUSH_FIXUP_SECTION \ 951: \ .pushsection __rfi_flush_fixup,"a"; \ -@@ -237,8 +245,10 @@ label##3: \ +@@ -224,8 +232,10 @@ label##3: \ #include extern long stf_barrier_fallback; @@ -121,11 +97,9 @@ index 40a6c9261a6b..9ad779d87b23 100644 extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup; extern long __start___barrier_nospec_fixup, __stop___barrier_nospec_fixup; -diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h -index ccf44c135389..082b56bf678d 100644 --- a/arch/powerpc/include/asm/security_features.h +++ b/arch/powerpc/include/asm/security_features.h -@@ -84,12 +84,16 @@ static inline bool security_ftr_enabled(unsigned long feature) +@@ -86,12 +86,16 @@ static inline bool security_ftr_enabled( // Software required to flush link stack on context switch #define SEC_FTR_FLUSH_LINK_STACK 0x0000000000001000ull @@ -142,10 +116,9 @@ index ccf44c135389..082b56bf678d 100644 SEC_FTR_FAVOUR_SECURITY) #endif /* _ASM_POWERPC_SECURITY_FEATURES_H */ -diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h --- a/arch/powerpc/include/asm/setup.h +++ b/arch/powerpc/include/asm/setup.h -@@ -52,12 +52,15 @@ enum l1d_flush_type { +@@ -50,12 +50,15 @@ enum l1d_flush_type { }; void setup_rfi_flush(enum l1d_flush_type, bool enable); @@ -161,7 +134,6 @@ diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h void do_barrier_nospec_fixups(bool enable); extern bool barrier_nospec_enabled; -diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S --- a/arch/powerpc/kernel/exceptions-64s.S +++ b/arch/powerpc/kernel/exceptions-64s.S @@ -517,7 +517,7 @@ EXC_COMMON_BEGIN(mce_return) @@ -243,11 +215,9 @@ diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptio TRAMP_REAL_BEGIN(rfi_flush_fallback) SET_SCRATCH0(r13); GET_PACA(r13); -diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c -index bd4996958b13..7bbd9d22d66e 100644 --- a/arch/powerpc/kernel/setup_64.c +++ b/arch/powerpc/kernel/setup_64.c -@@ -863,7 +863,9 @@ early_initcall(disable_hardlockup_detector); +@@ -813,7 +813,9 @@ early_initcall(disable_hardlockup_detect static enum l1d_flush_type enabled_flush_types; static void *l1d_flush_fallback_area; static bool no_rfi_flush; @@ -257,7 +227,7 @@ index bd4996958b13..7bbd9d22d66e 100644 static int __init handle_no_rfi_flush(char *p) { -@@ -873,6 +875,14 @@ static int __init handle_no_rfi_flush(char *p) +@@ -823,6 +825,14 @@ static int __init handle_no_rfi_flush(ch } early_param("no_rfi_flush", handle_no_rfi_flush); @@ -272,7 +242,7 @@ index bd4996958b13..7bbd9d22d66e 100644 /* * The RFI flush is not KPTI, but because users will see doco that says to use * nopti we hijack that option here to also disable the RFI flush. -@@ -904,6 +914,18 @@ void rfi_flush_enable(bool enable) +@@ -854,6 +864,18 @@ void rfi_flush_enable(bool enable) rfi_flush = enable; } @@ -291,7 +261,7 @@ index bd4996958b13..7bbd9d22d66e 100644 static void __ref init_fallback_flush(void) { u64 l1d_size, limit; -@@ -957,10 +979,19 @@ void setup_rfi_flush(enum l1d_flush_type types, bool enable) +@@ -906,10 +928,19 @@ void setup_rfi_flush(enum l1d_flush_type enabled_flush_types = types; @@ -312,7 +282,7 @@ index bd4996958b13..7bbd9d22d66e 100644 #ifdef CONFIG_DEBUG_FS static int rfi_flush_set(void *data, u64 val) { -@@ -988,9 +1019,36 @@ static int rfi_flush_get(void *data, u64 *val) +@@ -937,9 +968,36 @@ static int rfi_flush_get(void *data, u64 DEFINE_SIMPLE_ATTRIBUTE(fops_rfi_flush, rfi_flush_get, rfi_flush_set, "%llu\n"); @@ -349,29 +319,25 @@ index bd4996958b13..7bbd9d22d66e 100644 return 0; } device_initcall(rfi_flush_debugfs_init); -diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S -index d081d726ca8e..1432cf996201 100644 --- a/arch/powerpc/kernel/vmlinux.lds.S +++ b/arch/powerpc/kernel/vmlinux.lds.S -@@ -140,6 +140,13 @@ SECTIONS - __stop___stf_entry_barrier_fixup = .; +@@ -143,6 +143,13 @@ SECTIONS } -+ . = ALIGN(8); + . = ALIGN(8); + __entry_flush_fixup : AT(ADDR(__entry_flush_fixup) - LOAD_OFFSET) { + __start___entry_flush_fixup = .; + *(__entry_flush_fixup) + __stop___entry_flush_fixup = .; + } + - . = ALIGN(8); ++ . = ALIGN(8); __stf_exit_barrier_fixup : AT(ADDR(__stf_exit_barrier_fixup) - LOAD_OFFSET) { __start___stf_exit_barrier_fixup = .; -diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c -index dbe478e7b8e0..22bae8741cae 100644 + *(__stf_exit_barrier_fixup) --- a/arch/powerpc/lib/feature-fixups.c +++ b/arch/powerpc/lib/feature-fixups.c -@@ -232,6 +232,60 @@ void do_stf_barrier_fixups(enum stf_barrier_type types) +@@ -232,6 +232,60 @@ void do_stf_barrier_fixups(enum stf_barr do_stf_exit_barrier_fixups(types); } @@ -432,8 +398,6 @@ index dbe478e7b8e0..22bae8741cae 100644 void do_rfi_flush_fixups(enum l1d_flush_type types) { unsigned int instrs[3], *dest; -diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c -index adddde023622..ad51349e479b 100644 --- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c @@ -125,12 +125,23 @@ static void pnv_setup_rfi_flush(void) @@ -460,11 +424,9 @@ index adddde023622..ad51349e479b 100644 } static void __init pnv_setup_arch(void) -diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c -index c2d318d1df02..8aa4dd87cbf2 100644 --- a/arch/powerpc/platforms/pseries/setup.c +++ b/arch/powerpc/platforms/pseries/setup.c -@@ -565,6 +565,10 @@ void pseries_setup_rfi_flush(void) +@@ -586,6 +586,10 @@ void pseries_setup_rfi_flush(void) setup_rfi_flush(types, enable); setup_count_cache_flush(); @@ -475,6 +437,22 @@ index c2d318d1df02..8aa4dd87cbf2 100644 } #ifdef CONFIG_PCI_IOV --- -2.26.2 - +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2482,6 +2482,7 @@ + mds=off [X86] + tsx_async_abort=off [X86] + mmio_stale_data=off [X86] ++ no_entry_flush [PPC] + + auto (default) + Mitigate all CPU vulnerabilities, but leave SMT +@@ -2812,6 +2813,8 @@ + + noefi Disable EFI runtime services support. + ++ no_entry_flush [PPC] Don't flush the L1-D cache when entering the kernel. ++ + noexec [IA-64] + + noexec [X86] diff --git a/patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch b/patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch new file mode 100644 index 0000000..0e4dbb9 --- /dev/null +++ b/patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch @@ -0,0 +1,76 @@ +From: Pawan Gupta +Date: Thu, 19 May 2022 20:30:12 -0700 +Subject: x86/bugs: Group MDS, TAA & Processor MMIO Stale Data mitigations +Git-commit: e5925fb867290ee924fcf2fe3ca887b792714366 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 + +MDS, TAA and Processor MMIO Stale Data mitigations rely on clearing CPU +buffers. Moreover, status of these mitigations affects each other. +During boot, it is important to maintain the order in which these +mitigations are selected. This is especially true for +md_clear_update_mitigation() that needs to be called after MDS, TAA and +Processor MMIO Stale Data mitigation selection is done. + +Introduce md_clear_select_mitigation(), and select all these mitigations +from there. This reflects relationships between these mitigations and +ensures proper ordering. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -40,6 +40,7 @@ static void __init ssb_select_mitigation + static void __init l1tf_select_mitigation(void); + static void __init mds_select_mitigation(void); + static void __init md_clear_update_mitigation(void); ++static void __init md_clear_select_mitigation(void); + static void __init taa_select_mitigation(void); + static void __init mmio_select_mitigation(void); + static void __init srbds_select_mitigation(void); +@@ -112,18 +113,9 @@ void __init check_bugs(void) + spectre_v2_select_mitigation(); + ssb_select_mitigation(); + l1tf_select_mitigation(); +- mds_select_mitigation(); +- taa_select_mitigation(); +- mmio_select_mitigation(); ++ md_clear_select_mitigation(); + srbds_select_mitigation(); + +- /* +- * As MDS, TAA and MMIO Stale Data mitigations are inter-related, update +- * and print their mitigation after MDS, TAA and MMIO Stale Data +- * mitigation selection is done. +- */ +- md_clear_update_mitigation(); +- + arch_smt_update(); + + #ifdef CONFIG_X86_32 +@@ -626,6 +618,20 @@ out: + pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]); + } + ++static void __init md_clear_select_mitigation(void) ++{ ++ mds_select_mitigation(); ++ taa_select_mitigation(); ++ mmio_select_mitigation(); ++ ++ /* ++ * As MDS, TAA and MMIO Stale Data mitigations are inter-related, update ++ * and print their mitigation after MDS, TAA and MMIO Stale Data ++ * mitigation selection is done. ++ */ ++ md_clear_update_mitigation(); ++} ++ + #undef pr_fmt + #define pr_fmt(fmt) "SRBDS: " fmt + diff --git a/patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch b/patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch new file mode 100644 index 0000000..2bfaf64 --- /dev/null +++ b/patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch @@ -0,0 +1,132 @@ +From: Pawan Gupta +Date: Thu, 19 May 2022 20:28:10 -0700 +Subject: x86/speculation: Add a common function for MD_CLEAR mitigation update +Git-commit: f52ea6c26953fed339aa4eae717ee5c2133c7ff2 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 + +Processor MMIO Stale Data mitigation uses similar mitigation as MDS and +TAA. In preparation for adding its mitigation, add a common function to +update all mitigations that depend on MD_CLEAR. + + [ bp: Add a newline in md_clear_update_mitigation() to separate + statements better. ] + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 59 +++++++++++++++++++++++++-------------------- + 1 file changed, 33 insertions(+), 26 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -39,7 +39,7 @@ static void __init spectre_v2_select_mit + static void __init ssb_select_mitigation(void); + static void __init l1tf_select_mitigation(void); + static void __init mds_select_mitigation(void); +-static void __init mds_print_mitigation(void); ++static void __init md_clear_update_mitigation(void); + static void __init taa_select_mitigation(void); + static void __init srbds_select_mitigation(void); + +@@ -112,10 +112,10 @@ void __init check_bugs(void) + srbds_select_mitigation(); + + /* +- * As MDS and TAA mitigations are inter-related, print MDS +- * mitigation until after TAA mitigation selection is done. ++ * As MDS and TAA mitigations are inter-related, update and print their ++ * mitigation after TAA mitigation selection is done. + */ +- mds_print_mitigation(); ++ md_clear_update_mitigation(); + + arch_smt_update(); + +@@ -380,14 +380,6 @@ static void __init mds_select_mitigation + } + } + +-static void __init mds_print_mitigation(void) +-{ +- if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) +- return; +- +- pr_info("%s\n", mds_strings[mds_mitigation]); +-} +- + static int __init mds_cmdline(char *str) + { + if (!boot_cpu_has_bug(X86_BUG_MDS)) +@@ -435,7 +427,7 @@ static void __init taa_select_mitigation + /* TSX previously disabled by tsx=off */ + if (!boot_cpu_has(X86_FEATURE_RTM)) { + taa_mitigation = TAA_MITIGATION_TSX_DISABLED; +- goto out; ++ return; + } + + if (cpu_mitigations_off()) { +@@ -449,7 +441,7 @@ static void __init taa_select_mitigation + */ + if (taa_mitigation == TAA_MITIGATION_OFF && + mds_mitigation == MDS_MITIGATION_OFF) +- goto out; ++ return; + + if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) + taa_mitigation = TAA_MITIGATION_VERW; +@@ -481,18 +473,6 @@ static void __init taa_select_mitigation + + if (taa_nosmt || cpu_mitigations_auto_nosmt()) + cpu_smt_disable(false); +- +- /* +- * Update MDS mitigation, if necessary, as the mds_user_clear is +- * now enabled for TAA mitigation. +- */ +- if (mds_mitigation == MDS_MITIGATION_OFF && +- boot_cpu_has_bug(X86_BUG_MDS)) { +- mds_mitigation = MDS_MITIGATION_FULL; +- mds_select_mitigation(); +- } +-out: +- pr_info("%s\n", taa_strings[taa_mitigation]); + } + + static int __init tsx_async_abort_parse_cmdline(char *str) +@@ -517,6 +497,33 @@ static int __init tsx_async_abort_parse_ + early_param("tsx_async_abort", tsx_async_abort_parse_cmdline); + + #undef pr_fmt ++#define pr_fmt(fmt) "" fmt ++ ++static void __init md_clear_update_mitigation(void) ++{ ++ if (cpu_mitigations_off()) ++ return; ++ ++ if (!static_key_enabled(&mds_user_clear)) ++ goto out; ++ ++ /* ++ * mds_user_clear is now enabled. Update MDS mitigation, if ++ * necessary. ++ */ ++ if (mds_mitigation == MDS_MITIGATION_OFF && ++ boot_cpu_has_bug(X86_BUG_MDS)) { ++ mds_mitigation = MDS_MITIGATION_FULL; ++ mds_select_mitigation(); ++ } ++out: ++ if (boot_cpu_has_bug(X86_BUG_MDS)) ++ pr_info("MDS: %s\n", mds_strings[mds_mitigation]); ++ if (boot_cpu_has_bug(X86_BUG_TAA)) ++ pr_info("TAA: %s\n", taa_strings[taa_mitigation]); ++} ++ ++#undef pr_fmt + #define pr_fmt(fmt) "SRBDS: " fmt + + enum srbds_mitigations { diff --git a/patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch b/patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch new file mode 100644 index 0000000..df99936 --- /dev/null +++ b/patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch @@ -0,0 +1,299 @@ +From: Pawan Gupta +Date: Thu, 19 May 2022 20:29:11 -0700 +Subject: x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data +Git-commit: 8cb861e9e3c9a55099ad3d08e1a3b653d29c33ca +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 + +Processor MMIO Stale Data is a class of vulnerabilities that may +expose data after an MMIO operation. For details please refer to +Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst. + +These vulnerabilities are broadly categorized as: + +Device Register Partial Write (DRPW): + Some endpoint MMIO registers incorrectly handle writes that are + smaller than the register size. Instead of aborting the write or only + copying the correct subset of bytes (for example, 2 bytes for a 2-byte + write), more bytes than specified by the write transaction may be + written to the register. On some processors, this may expose stale + data from the fill buffers of the core that created the write + transaction. + +Shared Buffers Data Sampling (SBDS): + After propagators may have moved data around the uncore and copied + stale data into client core fill buffers, processors affected by MFBDS + can leak data from the fill buffer. + +Shared Buffers Data Read (SBDR): + It is similar to Shared Buffer Data Sampling (SBDS) except that the + data is directly read into the architectural software-visible state. + +An attacker can use these vulnerabilities to extract data from CPU fill +buffers using MDS and TAA methods. Mitigate it by clearing the CPU fill +buffers using the VERW instruction before returning to a user or a +guest. + +On CPUs not affected by MDS and TAA, user application cannot sample data +from CPU fill buffers using MDS or TAA. A guest with MMIO access can +still use DRPW or SBDR to extract data architecturally. Mitigate it with +VERW instruction to clear fill buffers before VMENTER for MMIO capable +guests. + +Add a kernel parameter mmio_stale_data={off|full|full,nosmt} to control +the mitigation. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +--- + Documentation/admin-guide/kernel-parameters.txt | 36 +++++++ + arch/x86/include/asm/nospec-branch.h | 2 + arch/x86/kernel/cpu/bugs.c | 111 +++++++++++++++++++++++- + arch/x86/kvm/vmx.c | 3 + 4 files changed, 148 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -357,6 +357,8 @@ DECLARE_STATIC_KEY_FALSE(switch_mm_alway + DECLARE_STATIC_KEY_FALSE(mds_user_clear); + DECLARE_STATIC_KEY_FALSE(mds_idle_clear); + ++DECLARE_STATIC_KEY_FALSE(mmio_stale_data_clear); ++ + #include + + /** +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -41,6 +41,7 @@ static void __init l1tf_select_mitigatio + static void __init mds_select_mitigation(void); + static void __init md_clear_update_mitigation(void); + static void __init taa_select_mitigation(void); ++static void __init mmio_select_mitigation(void); + static void __init srbds_select_mitigation(void); + + /* The base value of the SPEC_CTRL MSR that always has to be preserved. */ +@@ -75,6 +76,10 @@ EXPORT_SYMBOL_GPL(mds_user_clear); + DEFINE_STATIC_KEY_FALSE(mds_idle_clear); + EXPORT_SYMBOL_GPL(mds_idle_clear); + ++/* Controls CPU Fill buffer clear before KVM guest MMIO accesses */ ++DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear); ++EXPORT_SYMBOL_GPL(mmio_stale_data_clear); ++ + void __init check_bugs(void) + { + identify_boot_cpu(); +@@ -109,11 +114,13 @@ void __init check_bugs(void) + l1tf_select_mitigation(); + mds_select_mitigation(); + taa_select_mitigation(); ++ mmio_select_mitigation(); + srbds_select_mitigation(); + + /* +- * As MDS and TAA mitigations are inter-related, update and print their +- * mitigation after TAA mitigation selection is done. ++ * As MDS, TAA and MMIO Stale Data mitigations are inter-related, update ++ * and print their mitigation after MDS, TAA and MMIO Stale Data ++ * mitigation selection is done. + */ + md_clear_update_mitigation(); + +@@ -497,6 +504,90 @@ static int __init tsx_async_abort_parse_ + early_param("tsx_async_abort", tsx_async_abort_parse_cmdline); + + #undef pr_fmt ++#define pr_fmt(fmt) "MMIO Stale Data: " fmt ++ ++enum mmio_mitigations { ++ MMIO_MITIGATION_OFF, ++ MMIO_MITIGATION_UCODE_NEEDED, ++ MMIO_MITIGATION_VERW, ++}; ++ ++/* Default mitigation for Processor MMIO Stale Data vulnerabilities */ ++static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_VERW; ++static bool mmio_nosmt __ro_after_init = false; ++ ++static const char * const mmio_strings[] = { ++ [MMIO_MITIGATION_OFF] = "Vulnerable", ++ [MMIO_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode", ++ [MMIO_MITIGATION_VERW] = "Mitigation: Clear CPU buffers", ++}; ++ ++static void __init mmio_select_mitigation(void) ++{ ++ u64 ia32_cap; ++ ++ if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) || ++ cpu_mitigations_off()) { ++ mmio_mitigation = MMIO_MITIGATION_OFF; ++ return; ++ } ++ ++ if (mmio_mitigation == MMIO_MITIGATION_OFF) ++ return; ++ ++ ia32_cap = x86_read_arch_cap_msr(); ++ ++ /* ++ * Enable CPU buffer clear mitigation for host and VMM, if also affected ++ * by MDS or TAA. Otherwise, enable mitigation for VMM only. ++ */ ++ if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) && ++ boot_cpu_has(X86_FEATURE_RTM))) ++ static_branch_enable(&mds_user_clear); ++ else ++ static_branch_enable(&mmio_stale_data_clear); ++ ++ /* ++ * Check if the system has the right microcode. ++ * ++ * CPU Fill buffer clear mitigation is enumerated by either an explicit ++ * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS ++ * affected systems. ++ */ ++ if ((ia32_cap & ARCH_CAP_FB_CLEAR) || ++ (boot_cpu_has(X86_FEATURE_MD_CLEAR) && ++ boot_cpu_has(X86_FEATURE_FLUSH_L1D) && ++ !(ia32_cap & ARCH_CAP_MDS_NO))) ++ mmio_mitigation = MMIO_MITIGATION_VERW; ++ else ++ mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED; ++ ++ if (mmio_nosmt || cpu_mitigations_auto_nosmt()) ++ cpu_smt_disable(false); ++} ++ ++static int __init mmio_stale_data_parse_cmdline(char *str) ++{ ++ if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) ++ return 0; ++ ++ if (!str) ++ return -EINVAL; ++ ++ if (!strcmp(str, "off")) { ++ mmio_mitigation = MMIO_MITIGATION_OFF; ++ } else if (!strcmp(str, "full")) { ++ mmio_mitigation = MMIO_MITIGATION_VERW; ++ } else if (!strcmp(str, "full,nosmt")) { ++ mmio_mitigation = MMIO_MITIGATION_VERW; ++ mmio_nosmt = true; ++ } ++ ++ return 0; ++} ++early_param("mmio_stale_data", mmio_stale_data_parse_cmdline); ++ ++#undef pr_fmt + #define pr_fmt(fmt) "" fmt + + static void __init md_clear_update_mitigation(void) +@@ -508,19 +599,31 @@ static void __init md_clear_update_mitig + goto out; + + /* +- * mds_user_clear is now enabled. Update MDS mitigation, if +- * necessary. ++ * mds_user_clear is now enabled. Update MDS, TAA and MMIO Stale Data ++ * mitigation, if necessary. + */ + if (mds_mitigation == MDS_MITIGATION_OFF && + boot_cpu_has_bug(X86_BUG_MDS)) { + mds_mitigation = MDS_MITIGATION_FULL; + mds_select_mitigation(); + } ++ if (taa_mitigation == TAA_MITIGATION_OFF && ++ boot_cpu_has_bug(X86_BUG_TAA)) { ++ taa_mitigation = TAA_MITIGATION_VERW; ++ taa_select_mitigation(); ++ } ++ if (mmio_mitigation == MMIO_MITIGATION_OFF && ++ boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) { ++ mmio_mitigation = MMIO_MITIGATION_VERW; ++ mmio_select_mitigation(); ++ } + out: + if (boot_cpu_has_bug(X86_BUG_MDS)) + pr_info("MDS: %s\n", mds_strings[mds_mitigation]); + if (boot_cpu_has_bug(X86_BUG_TAA)) + pr_info("TAA: %s\n", taa_strings[taa_mitigation]); ++ if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) ++ pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]); + } + + #undef pr_fmt +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -9858,6 +9858,9 @@ static void __noclone vmx_vcpu_run(struc + vmx_l1d_flush(vcpu); + else if (static_branch_unlikely(&mds_user_clear)) + mds_clear_cpu_buffers(); ++ else if (static_branch_unlikely(&mmio_stale_data_clear) && ++ kvm_arch_has_assigned_device(vcpu->kvm)) ++ mds_clear_cpu_buffers(); + + asm( + /* Store host registers */ +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2481,6 +2481,7 @@ + l1tf=off [X86] + mds=off [X86] + tsx_async_abort=off [X86] ++ mmio_stale_data=off [X86] + + auto (default) + Mitigate all CPU vulnerabilities, but leave SMT +@@ -2497,6 +2498,7 @@ + Equivalent to: l1tf=flush,nosmt [X86] + mds=full,nosmt [X86] + tsx_async_abort=full,nosmt [X86] ++ mmio_stale_data=full,nosmt [X86] + + mminit_loglevel= + [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this +@@ -2506,6 +2508,40 @@ + log everything. Information is printed at KERN_DEBUG + so loglevel=8 may also need to be specified. + ++ mmio_stale_data= ++ [X86,INTEL] Control mitigation for the Processor ++ MMIO Stale Data vulnerabilities. ++ ++ Processor MMIO Stale Data is a class of ++ vulnerabilities that may expose data after an MMIO ++ operation. Exposed data could originate or end in ++ the same CPU buffers as affected by MDS and TAA. ++ Therefore, similar to MDS and TAA, the mitigation ++ is to clear the affected CPU buffers. ++ ++ This parameter controls the mitigation. The ++ options are: ++ ++ full - Enable mitigation on vulnerable CPUs ++ ++ full,nosmt - Enable mitigation and disable SMT on ++ vulnerable CPUs. ++ ++ off - Unconditionally disable mitigation ++ ++ On MDS or TAA affected machines, ++ mmio_stale_data=off can be prevented by an active ++ MDS or TAA mitigation as these vulnerabilities are ++ mitigated with the same mechanism so in order to ++ disable this mitigation, you need to specify ++ mds=off and tsx_async_abort=off too. ++ ++ Not specifying this option is equivalent to ++ mmio_stale_data=full. ++ ++ For details see: ++ Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst ++ + module.sig_enforce + [KNL] When CONFIG_MODULE_SIG is set, this means that + modules without (valid) signatures will fail to load. diff --git a/patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch b/patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch new file mode 100644 index 0000000..d6b3843 --- /dev/null +++ b/patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch @@ -0,0 +1,117 @@ +From: Pawan Gupta +Date: Thu, 19 May 2022 20:32:13 -0700 +Subject: x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data +Git-commit: 8d50cdf8b8341770bc6367bce40c0c1bb0e1d5b3 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 + +Add the sysfs reporting file for Processor MMIO Stale Data +vulnerability. It exposes the vulnerability and mitigation state similar +to the existing files for the other hardware vulnerabilities. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +--- + Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + arch/x86/kernel/cpu/bugs.c | 22 +++++++++++++++++++++ + drivers/base/cpu.c | 8 +++++++ + include/linux/cpu.h | 3 ++ + 4 files changed, 34 insertions(+) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1810,6 +1810,20 @@ static ssize_t tsx_async_abort_show_stat + sched_smt_active() ? "vulnerable" : "disabled"); + } + ++static ssize_t mmio_stale_data_show_state(char *buf) ++{ ++ if (mmio_mitigation == MMIO_MITIGATION_OFF) ++ return sprintf(buf, "%s\n", mmio_strings[mmio_mitigation]); ++ ++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) { ++ return sprintf(buf, "%s; SMT Host state unknown\n", ++ mmio_strings[mmio_mitigation]); ++ } ++ ++ return sprintf(buf, "%s; SMT %s\n", mmio_strings[mmio_mitigation], ++ sched_smt_active() ? "vulnerable" : "disabled"); ++} ++ + static char *stibp_state(void) + { + if (spectre_v2_in_eibrs_mode(spectre_v2_enabled)) +@@ -1910,6 +1924,9 @@ static ssize_t cpu_show_common(struct de + case X86_BUG_SRBDS: + return srbds_show_state(buf); + ++ case X86_BUG_MMIO_STALE_DATA: ++ return mmio_stale_data_show_state(buf); ++ + default: + break; + } +@@ -1961,4 +1978,9 @@ ssize_t cpu_show_srbds(struct device *de + { + return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS); + } ++ ++ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA); ++} + #endif +--- a/Documentation/ABI/testing/sysfs-devices-system-cpu ++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu +@@ -384,6 +384,7 @@ What: /sys/devices/system/cpu/vulnerabi + /sys/devices/system/cpu/vulnerabilities/srbds + /sys/devices/system/cpu/vulnerabilities/tsx_async_abort + /sys/devices/system/cpu/vulnerabilities/itlb_multihit ++ /sys/devices/system/cpu/vulnerabilities/mmio_stale_data + Date: January 2018 + Contact: Linux kernel mailing list + Description: Information about CPU vulnerabilities +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -558,6 +558,12 @@ ssize_t __weak cpu_show_srbds(struct dev + return sprintf(buf, "Not affected\n"); + } + ++ssize_t __weak cpu_show_mmio_stale_data(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Not affected\n"); ++} ++ + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); + static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); + static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); +@@ -567,6 +573,7 @@ static DEVICE_ATTR(mds, 0444, cpu_show_m + static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL); + static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL); + static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL); ++static DEVICE_ATTR(mmio_stale_data, 0444, cpu_show_mmio_stale_data, NULL); + + static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_meltdown.attr, +@@ -578,6 +585,7 @@ static struct attribute *cpu_root_vulner + &dev_attr_tsx_async_abort.attr, + &dev_attr_itlb_multihit.attr, + &dev_attr_srbds.attr, ++ &dev_attr_mmio_stale_data.attr, + NULL + }; + +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -63,6 +63,9 @@ extern ssize_t cpu_show_tsx_async_abort( + char *buf); + extern ssize_t cpu_show_itlb_multihit(struct device *dev, + struct device_attribute *attr, char *buf); ++extern ssize_t cpu_show_mmio_stale_data(struct device *dev, ++ struct device_attribute *attr, ++ char *buf); + + extern __printf(4, 5) + struct device *cpu_device_create(struct device *parent, void *drvdata, diff --git a/patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch b/patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch new file mode 100644 index 0000000..9eb320c --- /dev/null +++ b/patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch @@ -0,0 +1,67 @@ +From: Pawan Gupta +Date: Thu, 19 May 2022 20:31:12 -0700 +Subject: x86/speculation/mmio: Enable CPU Fill buffer clearing on idle +Git-commit: 99a83db5a605137424e1efe29dc0573d6a5b6316 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 + +When the CPU is affected by Processor MMIO Stale Data vulnerabilities, +Fill Buffer Stale Data Propagator (FBSDP) can propagate stale data out +of Fill buffer to uncore buffer when CPU goes idle. Stale data can then +be exploited with other variants using MMIO operations. + +Mitigate it by clearing the Fill buffer before entering idle state. + +Signed-off-by: Pawan Gupta +Co-developed-by: Josh Poimboeuf +Signed-off-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index d2cc7dbba5e2..56d5dea5e128 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -433,6 +433,14 @@ static void __init mmio_select_mitigation(void) + else + static_branch_enable(&mmio_stale_data_clear); + ++ /* ++ * If Processor-MMIO-Stale-Data bug is present and Fill Buffer data can ++ * be propagated to uncore buffers, clearing the Fill buffers on idle ++ * is required irrespective of SMT state. ++ */ ++ if (!(ia32_cap & ARCH_CAP_FBSDP_NO)) ++ static_branch_enable(&mds_idle_clear); ++ + /* + * Check if the system has the right microcode. + * +@@ -1225,6 +1233,8 @@ static void update_indir_branch_cond(void) + /* Update the static key controlling the MDS CPU buffer clear in idle */ + static void update_mds_branch_idle(void) + { ++ u64 ia32_cap = x86_read_arch_cap_msr(); ++ + /* + * Enable the idle clearing if SMT is active on CPUs which are + * affected only by MSBDS and not any other MDS variant. +@@ -1236,10 +1246,12 @@ static void update_mds_branch_idle(void) + if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY)) + return; + +- if (sched_smt_active()) ++ if (sched_smt_active()) { + static_branch_enable(&mds_idle_clear); +- else ++ } else if (mmio_mitigation == MMIO_MITIGATION_OFF || ++ (ia32_cap & ARCH_CAP_FBSDP_NO)) { + static_branch_disable(&mds_idle_clear); ++ } + } + + #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n" + diff --git a/patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch b/patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch new file mode 100644 index 0000000..4d252fd --- /dev/null +++ b/patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch @@ -0,0 +1,130 @@ +From: Pawan Gupta +Date: Thu, 19 May 2022 20:27:08 -0700 +Subject: x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug +Git-commit: 51802186158c74a0304f51ab963e7c2b3a2b046f +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 + +Processor MMIO Stale Data is a class of vulnerabilities that may +expose data after an MMIO operation. For more details please refer to +Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst + +Add the Processor MMIO Stale Data bug enumeration. A microcode update +adds new bits to the MSR IA32_ARCH_CAPABILITIES, define them. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +--- + arch/x86/include/asm/cpufeatures.h | 1 + + arch/x86/include/asm/msr-index.h | 19 +++++++++++++++++++ + arch/x86/kernel/cpu/common.c | 37 +++++++++++++++++++++++++++++++++++-- + 3 files changed, 55 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -400,5 +400,6 @@ + #define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */ + #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */ + #define X86_BUG_SRBDS X86_BUG(24) /* CPU may leak RNG bits if not mitigated */ ++#define X86_BUG_MMIO_STALE_DATA X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */ + + #endif /* _ASM_X86_CPUFEATURES_H */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -104,6 +104,25 @@ + * Not susceptible to + * TSX Async Abort (TAA) vulnerabilities. + */ ++#define ARCH_CAP_SBDR_SSDP_NO BIT(13) /* ++ * Not susceptible to SBDR and SSDP ++ * variants of Processor MMIO stale data ++ * vulnerabilities. ++ */ ++#define ARCH_CAP_FBSDP_NO BIT(14) /* ++ * Not susceptible to FBSDP variant of ++ * Processor MMIO stale data ++ * vulnerabilities. ++ */ ++#define ARCH_CAP_PSDP_NO BIT(15) /* ++ * Not susceptible to PSDP variant of ++ * Processor MMIO stale data ++ * vulnerabilities. ++ */ ++#define ARCH_CAP_FB_CLEAR BIT(17) /* ++ * VERW clears CPU fill buffer ++ * even on MDS_NO CPUs. ++ */ + + #define MSR_IA32_FLUSH_CMD 0x0000010b + #define L1D_FLUSH BIT(0) /* +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1003,18 +1003,33 @@ static const __initconst struct x86_cpu_ + X86_FEATURE_ANY, issues) + + #define SRBDS BIT(0) ++/* CPU is affected by X86_BUG_MMIO_STALE_DATA */ ++#define MMIO BIT(1) + + static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = { + VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS), + VULNBL_INTEL_STEPPINGS(HASWELL, X86_STEPPING_ANY, SRBDS), + VULNBL_INTEL_STEPPINGS(HASWELL_L, X86_STEPPING_ANY, SRBDS), + VULNBL_INTEL_STEPPINGS(HASWELL_G, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(HASWELL_X, BIT(2) | BIT(4), MMIO), ++ VULNBL_INTEL_STEPPINGS(BROADWELL_D, X86_STEPPINGS(0x3, 0x5), MMIO), + VULNBL_INTEL_STEPPINGS(BROADWELL_G, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO), + VULNBL_INTEL_STEPPINGS(BROADWELL, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO), + VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, SRBDS), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE_X, BIT(3) | BIT(4) | BIT(6) | ++ BIT(7) | BIT(0xB), MMIO), ++ VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO), + VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, SRBDS), +- VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x0, 0xC), SRBDS), +- VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x0, 0xD), SRBDS), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x9, 0xC), SRBDS | MMIO), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x0, 0x8), SRBDS), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x9, 0xD), SRBDS | MMIO), ++ VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x0, 0x8), SRBDS), ++ VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPINGS(0x5, 0x5), MMIO), ++ VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPINGS(0x1, 0x1), MMIO), ++ VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPINGS(0x4, 0x6), MMIO), ++ VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO), + {} + }; + +@@ -1035,6 +1050,13 @@ u64 x86_read_arch_cap_msr(void) + return ia32_cap; + } + ++static bool arch_cap_mmio_immune(u64 ia32_cap) ++{ ++ return (ia32_cap & ARCH_CAP_FBSDP_NO && ++ ia32_cap & ARCH_CAP_PSDP_NO && ++ ia32_cap & ARCH_CAP_SBDR_SSDP_NO); ++} ++ + static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) + { + u64 ia32_cap = x86_read_arch_cap_msr(); +@@ -1092,6 +1114,17 @@ static void __init cpu_set_bug_bits(stru + cpu_matches(cpu_vuln_blacklist, SRBDS)) + setup_force_cpu_bug(X86_BUG_SRBDS); + ++ /* ++ * Processor MMIO Stale Data bug enumeration ++ * ++ * Affected CPU list is generally enough to enumerate the vulnerability, ++ * but for virtualization case check for ARCH_CAP MSR bits also, VMM may ++ * not want the guest to enumerate the bug. ++ */ ++ if (cpu_matches(cpu_vuln_blacklist, MMIO) && ++ !arch_cap_mmio_immune(ia32_cap)) ++ setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA); ++ + if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) + return; + diff --git a/patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch b/patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch new file mode 100644 index 0000000..884c0f5 --- /dev/null +++ b/patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch @@ -0,0 +1,63 @@ +From: Pawan Gupta +Date: Thu, 19 May 2022 20:34:14 -0700 +Subject: x86/speculation/mmio: Reuse SRBDS mitigation for SBDS +Git-commit: a992b8a4682f119ae035a01b40d4d0665c4a2875 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 + +The Shared Buffers Data Sampling (SBDS) variant of Processor MMIO Stale +Data vulnerabilities may expose RDRAND, RDSEED and SGX EGETKEY data. +Mitigation for this is added by a microcode update. + +As some of the implications of SBDS are similar to SRBDS, SRBDS mitigation +infrastructure can be leveraged by SBDS. Set X86_BUG_SRBDS and use SRBDS +mitigation. + +Mitigation is enabled by default; use srbds=off to opt-out. Mitigation +status can be checked from below file: + + /sys/devices/system/cpu/vulnerabilities/srbds + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/common.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1005,6 +1005,8 @@ static const __initconst struct x86_cpu_ + #define SRBDS BIT(0) + /* CPU is affected by X86_BUG_MMIO_STALE_DATA */ + #define MMIO BIT(1) ++/* CPU is affected by Shared Buffers Data Sampling (SBDS), a variant of X86_BUG_MMIO_STALE_DATA */ ++#define MMIO_SBDS BIT(2) + + static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = { + VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS), +@@ -1026,7 +1028,7 @@ static const struct x86_cpu_id cpu_vuln_ + VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPINGS(0x0, 0x8), SRBDS), + VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x9, 0xD), SRBDS | MMIO), + VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPINGS(0x0, 0x8), SRBDS), +- VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPINGS(0x5, 0x5), MMIO), ++ VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPINGS(0x5, 0x5), MMIO | MMIO_SBDS), + VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPINGS(0x1, 0x1), MMIO), + VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPINGS(0x4, 0x6), MMIO), + VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO), +@@ -1108,10 +1110,14 @@ static void __init cpu_set_bug_bits(stru + /* + * SRBDS affects CPUs which support RDRAND or RDSEED and are listed + * in the vulnerability blacklist. ++ * ++ * Some of the implications and mitigation of Shared Buffers Data ++ * Sampling (SBDS) are similar to SRBDS. Give SBDS same treatment as ++ * SRBDS. + */ + if ((cpu_has(c, X86_FEATURE_RDRAND) || + cpu_has(c, X86_FEATURE_RDSEED)) && +- cpu_matches(cpu_vuln_blacklist, SRBDS)) ++ cpu_matches(cpu_vuln_blacklist, SRBDS | MMIO_SBDS)) + setup_force_cpu_bug(X86_BUG_SRBDS); + + /* diff --git a/patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch b/patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch new file mode 100644 index 0000000..a9b94b3 --- /dev/null +++ b/patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch @@ -0,0 +1,45 @@ +From: Pawan Gupta +Date: Thu, 19 May 2022 20:33:13 -0700 +Subject: x86/speculation/srbds: Update SRBDS mitigation selection +Git-commit: 22cac9c677c95f3ac5c9244f8ca0afdc7c8afb19 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in tip for v5.19 +References: bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180 + +Currently, Linux disables SRBDS mitigation on CPUs not affected by +MDS and have the TSX feature disabled. On such CPUs, secrets cannot +be extracted from CPU fill buffers using MDS or TAA. Without SRBDS +mitigation, Processor MMIO Stale Data vulnerabilities can be used to +extract RDRAND, RDSEED, and EGETKEY data. + +Do not disable SRBDS mitigation by default when CPU is also affected by +Processor MMIO Stale Data vulnerabilities. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 38853077ca58..ef4749097f42 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -595,11 +595,13 @@ static void __init srbds_select_mitigation(void) + return; + + /* +- * Check to see if this is one of the MDS_NO systems supporting +- * TSX that are only exposed to SRBDS when TSX is enabled. ++ * Check to see if this is one of the MDS_NO systems supporting TSX that ++ * are only exposed to SRBDS when TSX is enabled or when CPU is affected ++ * by Processor MMIO Stale Data vulnerability. + */ + ia32_cap = x86_read_arch_cap_msr(); +- if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM)) ++ if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) && ++ !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) + srbds_mitigation = SRBDS_MITIGATION_TSX_OFF; + else if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) + srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR; + diff --git a/series.conf b/series.conf index f9b4e57..0ace31f 100644 --- a/series.conf +++ b/series.conf @@ -61463,6 +61463,17 @@ patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch + # mmio + patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch + patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch + patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch + patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch + patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch + patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch + patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch + patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch + patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch + ######################################################## # S/390 ########################################################