From 08350f2b6c96062bd4730786c436aa2bdd32e5b7 Mon Sep 17 00:00:00 2001 From: Nikolay Borisov Date: May 02 2023 07:33:41 +0000 Subject: x86/bugs: Enable STIBP for IBPB mitigated RETBleed (git-fixes). Signed-off-by: Nikolay Borisov --- diff --git a/patches.suse/x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch b/patches.suse/x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch new file mode 100644 index 0000000..6ebb519 --- /dev/null +++ b/patches.suse/x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch @@ -0,0 +1,119 @@ +From: Kim Phillips +Date: Mon, 8 Aug 2022 09:32:33 -0500 +Subject: x86/bugs: Enable STIBP for IBPB mitigated RETBleed +Git-commit: e6cfcdda8cbe81eaf821c897369a65fec987b404 +Patch-mainline: v6.0-rc1 +References: git-fixes + +AMD's "Technical Guidance for Mitigating Branch Type Confusion, +Rev. 1.0 2022-07-12" whitepaper, under section 6.1.2 "IBPB On +Privileged Mode Entry / SMT Safety" says: + + Similar to the Jmp2Ret mitigation, if the code on the sibling thread + cannot be trusted, software should set STIBP to 1 or disable SMT to + ensure SMT safety when using this mitigation. + +So, like already being done for retbleed=unret, and now also for +retbleed=ibpb, force STIBP on machines that have it, and report its SMT +vulnerability status accordingly. + + [ bp: Remove the "we" and remove "[AMD]" applicability parameter which + doesn't work here. ] + +Fixes: 3ebc17006888 ("x86/bugs: Add retbleed=ibpb") +Signed-off-by: Kim Phillips +Signed-off-by: Borislav Petkov +Cc: stable@vger.kernel.org # 5.10, 5.15, 5.19 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 +Link: https://lore.kernel.org/r/20220804192201.439596-1-kim.phillips@amd.com + +Acked-by: Nikolay Borisov +--- + Documentation/admin-guide/kernel-parameters.txt | 29 +++++++++++++++++------- + arch/x86/kernel/cpu/bugs.c | 15 +++++++++--- + 2 files changed, 33 insertions(+), 11 deletions(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -3987,20 +3987,33 @@ + Speculative Code Execution with Return Instructions) + vulnerability. + ++ AMD-based UNRET and IBPB mitigations alone do not stop ++ sibling threads from influencing the predictions of other ++ sibling threads. For that reason, STIBP is used on pro- ++ cessors that support it, and mitigate SMT on processors ++ that don't. ++ + off - no mitigation + auto - automatically select a migitation + auto,nosmt - automatically select a mitigation, + disabling SMT if necessary for + the full mitigation (only on Zen1 + and older without STIBP). +- ibpb - mitigate short speculation windows on +- basic block boundaries too. Safe, highest +- perf impact. +- unret - force enable untrained return thunks, +- only effective on AMD f15h-f17h +- based systems. +- unret,nosmt - like unret, will disable SMT when STIBP +- is not available. ++ ibpb - On AMD, mitigate short speculation ++ windows on basic block boundaries too. ++ Safe, highest perf impact. It also ++ enables STIBP if present. Not suitable ++ on Intel. ++ ibpb,nosmt - Like "ibpb" above but will disable SMT ++ when STIBP is not available. This is ++ the alternative for systems which do not ++ have STIBP. ++ unret - Force enable untrained return thunks, ++ only effective on AMD f15h-f17h based ++ systems. ++ unret,nosmt - Like unret, but will disable SMT when STIBP ++ is not available. This is the alternative for ++ systems which do not have STIBP. + + Selecting 'auto' will choose a mitigation method at run + time according to the CPU. +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -142,7 +142,7 @@ void __init check_bugs(void) + /* + * spectre_v2_user_select_mitigation() relies on the state set by + * retbleed_select_mitigation(); specifically the STIBP selection is +- * forced for UNRET. ++ * forced for UNRET or IBPB. + */ + spectre_v2_user_select_mitigation(); + ssb_select_mitigation(); +@@ -1117,6 +1117,14 @@ spectre_v2_user_select_mitigation(void) + boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON)) + mode = SPECTRE_V2_USER_STRICT_PREFERRED; + ++ if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET || ++ retbleed_mitigation == RETBLEED_MITIGATION_IBPB ) { ++ if (mode != SPECTRE_V2_USER_STRICT && ++ mode != SPECTRE_V2_USER_STRICT_PREFERRED) ++ pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n"); ++ mode = SPECTRE_V2_USER_STRICT_PREFERRED; ++ } ++ + spectre_v2_user_stibp = mode; + + set_mode: +@@ -2236,10 +2244,11 @@ static ssize_t spectre_v2_show_state(cha + + static ssize_t retbleed_show_state(char *buf) + { +- if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) { ++ if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET || ++ retbleed_mitigation == RETBLEED_MITIGATION_IBPB) { + if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && + boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) +- return sprintf(buf, "Vulnerable: untrained return thunk on non-Zen uarch\n"); ++ return sprintf(buf, "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch\n"); + + return sprintf(buf, "%s; SMT %s\n", + retbleed_strings[retbleed_mitigation], diff --git a/series.conf b/series.conf index 72e0685..aa6d214 100644 --- a/series.conf +++ b/series.conf @@ -62898,6 +62898,7 @@ patches.suse/nfp-fix-use-after-free-in-area_cache_get.patch patches.suse/scsi-lpfc-Check-the-return-value-of-alloc_workqueue.patch patches.suse/scsi-zfcp-Fix-missing-auto-port-scan-and-thus-missing-target-ports + patches.suse/x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch patches.suse/cifs-fix-lock-length-calculation.patch patches.suse/cifs-Do-not-use-tcon-cfid-directly-use-the-cfid-we-get-from-open_.patch patches.suse/xen-xenbus-fix-return-type-in-xenbus_file_read.patch