From 51e18b8b16b81a6cf0845fbb6bfe7b566588fc72 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Mar 02 2022 09:05:58 +0000 Subject: Merge remote-tracking branch 'kerncvs/SLE12-SP5_EMBARGO' into SLE12-SP5-AZURE_EMBARGO --- diff --git a/patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch b/patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch index fec8758..8263664 100644 --- a/patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch +++ b/patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch @@ -22,13 +22,13 @@ Signed-off-by: David Woodhouse Signed-off-by: KarimAllah Ahmed Signed-off-by: Jiri Slaby --- - Documentation/admin-guide/kernel-parameters.txt | 1 - arch/x86/include/asm/cpufeatures.h | 1 - arch/x86/include/asm/nospec-branch.h | 2 - - arch/x86/kernel/cpu/bugs.c | 41 ++++++++++++++++-------- - arch/x86/lib/Makefile | 2 - - arch/x86/lib/retpoline.S | 5 ++ - 6 files changed, 37 insertions(+), 15 deletions(-) + Documentation/admin-guide/kernel-parameters.txt | 1 + + arch/x86/include/asm/cpufeatures.h | 1 + + arch/x86/include/asm/nospec-branch.h | 2 -- + arch/x86/kernel/cpu/bugs.c | 12 ++++++++++++ + arch/x86/lib/Makefile | 2 +- + arch/x86/lib/retpoline.S | 5 +++++ + 6 files changed, 20 insertions(+), 3 deletions(-) --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -42,7 +42,7 @@ Signed-off-by: Jiri Slaby #define X86_FEATURE_IBRS ( 7*32+26) /* Indirect Branch Restricted Speculation */ --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h -@@ -245,7 +245,6 @@ extern char __indirect_thunk_end[]; +@@ -258,7 +258,6 @@ extern char __indirect_thunk_end[]; */ static inline void vmexit_fill_RSB(void) { @@ -50,7 +50,7 @@ Signed-off-by: Jiri Slaby unsigned long loops; asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE -@@ -255,7 +254,6 @@ static inline void vmexit_fill_RSB(void) +@@ -268,7 +267,6 @@ static inline void vmexit_fill_RSB(void) "910:" : "=r" (loops), ASM_CALL_CONSTRAINT : : "memory" ); @@ -60,43 +60,34 @@ Signed-off-by: Jiri Slaby static __always_inline --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c -@@ -357,6 +357,7 @@ enum spectre_v2_mitigation_cmd { - SPECTRE_V2_CMD_RETPOLINE, - SPECTRE_V2_CMD_RETPOLINE_GENERIC, - SPECTRE_V2_CMD_RETPOLINE_AMD, +@@ -655,6 +655,7 @@ enum spectre_v2_mitigation_cmd { + SPECTRE_V2_CMD_EIBRS, + SPECTRE_V2_CMD_EIBRS_RETPOLINE, + SPECTRE_V2_CMD_EIBRS_LFENCE, + SPECTRE_V2_CMD_IBRS, }; enum spectre_v2_user_cmd { -@@ -462,6 +463,7 @@ static const char * const spectre_v2_str - [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline", - [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline", - [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS", +@@ -816,6 +817,7 @@ static const char * const spectre_v2_str + [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS", + [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE", + [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines", + [SPECTRE_V2_IBRS] = "Mitigation: Indirect Branch Restricted Speculation", }; static const struct { -@@ -474,6 +476,7 @@ static const struct { - { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, - { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false }, - { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, -+ { "ibrs", SPECTRE_V2_CMD_IBRS, false }, +@@ -832,6 +834,7 @@ static const struct { + { "eibrs", SPECTRE_V2_CMD_EIBRS, false }, + { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false }, + { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false }, ++ { "ibrs", SPECTRE_V2_CMD_IBRS, false }, { "auto", SPECTRE_V2_CMD_AUTO, false }, }; -@@ -561,6 +564,20 @@ static void __init spectre_v2_select_mit +@@ -936,6 +939,11 @@ static void __init spectre_v2_select_mit case SPECTRE_V2_CMD_NONE: return; -+ case SPECTRE_V2_CMD_RETPOLINE_AMD: -+ if (IS_ENABLED(CONFIG_RETPOLINE)) -+ goto retpoline_amd; -+ break; -+ case SPECTRE_V2_CMD_RETPOLINE_GENERIC: -+ if (IS_ENABLED(CONFIG_RETPOLINE)) -+ goto retpoline_generic; -+ break; -+ + case SPECTRE_V2_CMD_IBRS: + mode = SPECTRE_V2_IBRS; + setup_force_cpu_cap(X86_FEATURE_USE_IBRS); @@ -105,38 +96,22 @@ Signed-off-by: Jiri Slaby case SPECTRE_V2_CMD_FORCE: case SPECTRE_V2_CMD_AUTO: if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { -@@ -570,17 +587,17 @@ static void __init spectre_v2_select_mit - wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); - goto specv2_set_mode; - } -- if (IS_ENABLED(CONFIG_RETPOLINE)) -- goto retpoline_auto; -- break; -- case SPECTRE_V2_CMD_RETPOLINE_AMD: -- if (IS_ENABLED(CONFIG_RETPOLINE)) -- goto retpoline_amd; -- break; -- case SPECTRE_V2_CMD_RETPOLINE_GENERIC: -- if (IS_ENABLED(CONFIG_RETPOLINE)) -- goto retpoline_generic; -- break; +@@ -991,8 +999,12 @@ static void __init spectre_v2_select_mit + case SPECTRE_V2_EIBRS_RETPOLINE: + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); + break; + -+ /* -+ * If we have IBRS support, and either Skylake or !RETPOLINE, -+ * then that's what we do. -+ */ -+ if (boot_cpu_has(X86_FEATURE_IBRS) && is_skylake_era()) { -+ mode = SPECTRE_V2_IBRS; -+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS); -+ goto specv2_set_mode; -+ } -+ /* fall through */ - case SPECTRE_V2_CMD_RETPOLINE: - if (IS_ENABLED(CONFIG_RETPOLINE)) - goto retpoline_auto; ++ default: ++ break; + } + ++specv2_set_mode: + spectre_v2_enabled = mode; + pr_info("%s\n", spectre_v2_strings[mode]); + --- a/arch/x86/lib/Makefile +++ b/arch/x86/lib/Makefile -@@ -25,7 +25,7 @@ lib-y += memcpy_$(BITS).o +@@ -37,7 +37,7 @@ lib-y += memcpy_$(BITS).o lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o insn-eval.o lib-$(CONFIG_RANDOMIZE_BASE) += kaslr.o @@ -165,10 +140,10 @@ Signed-off-by: Jiri Slaby + --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -3990,6 +3990,7 @@ - retpoline - replace indirect branches - retpoline,generic - google's original retpoline - retpoline,amd - AMD-specific minimal thunk +@@ -4186,6 +4186,7 @@ + eibrs - enhanced IBRS + eibrs,retpoline - enhanced IBRS + Retpolines + eibrs,lfence - enhanced IBRS + LFENCE + ibrs - Intel/AMD microcode feature Not specifying this option is equivalent to diff --git a/patches.suse/IBRS-forbid-shooting-in-foot.patch b/patches.suse/IBRS-forbid-shooting-in-foot.patch index 5d2be85..9b1208b 100644 --- a/patches.suse/IBRS-forbid-shooting-in-foot.patch +++ b/patches.suse/IBRS-forbid-shooting-in-foot.patch @@ -14,8 +14,8 @@ Signed-off-by: Jiri Slaby --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c -@@ -488,10 +488,13 @@ static void __init spectre_v2_select_mit - break; +@@ -940,10 +940,13 @@ static void __init spectre_v2_select_mit + return; case SPECTRE_V2_CMD_IBRS: - mode = SPECTRE_V2_IBRS; diff --git a/patches.suse/cpu-smt-create-and-export-cpu_smt_possible.patch b/patches.suse/cpu-smt-create-and-export-cpu_smt_possible.patch new file mode 100644 index 0000000..09c35d2 --- /dev/null +++ b/patches.suse/cpu-smt-create-and-export-cpu_smt_possible.patch @@ -0,0 +1,62 @@ +From: Vitaly Kuznetsov +Date: Mon, 16 Sep 2019 18:22:56 +0200 +Subject: cpu/SMT: create and export cpu_smt_possible() +Git-commit: e1572f1d08be57a5412a464cff0712a23cd0b73e +Patch-mainline: v5.4-rc1 +References: bsc#1191580 CVE-2022-0001 CVE-2022-0002 + +KVM needs to know if SMT is theoretically possible, this means it is +supported and not forcefully disabled ('nosmt=force'). Create and +export cpu_smt_possible() answering this question. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Acked-by: Borislav Petkov +--- + include/linux/cpu.h | 2 ++ + kernel/cpu.c | 11 +++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -191,11 +191,13 @@ extern enum cpuhp_smt_control cpu_smt_co + extern void cpu_smt_disable(bool force); + extern void cpu_smt_check_topology_early(void); + extern void cpu_smt_check_topology(void); ++extern bool cpu_smt_possible(void); + #else + # define cpu_smt_control (CPU_SMT_ENABLED) + static inline void cpu_smt_disable(bool force) { } + static inline void cpu_smt_check_topology_early(void) { } + static inline void cpu_smt_check_topology(void) { } ++static inline bool cpu_smt_possible(void) { return false; } + #endif + + /* +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -360,8 +360,7 @@ static bool cpu_smt_available __read_mos + + void __init cpu_smt_disable(bool force) + { +- if (cpu_smt_control == CPU_SMT_FORCE_DISABLED || +- cpu_smt_control == CPU_SMT_NOT_SUPPORTED) ++ if (!cpu_smt_possible()) + return; + + if (force) { +@@ -427,6 +426,14 @@ static inline bool cpu_smt_allowed(unsig + */ + return !per_cpu(cpuhp_state, cpu).booted_once; + } ++ ++/* Returns true if SMT is not supported of forcefully (irreversibly) disabled */ ++bool cpu_smt_possible(void) ++{ ++ return cpu_smt_control != CPU_SMT_FORCE_DISABLED && ++ cpu_smt_control != CPU_SMT_NOT_SUPPORTED; ++} ++EXPORT_SYMBOL_GPL(cpu_smt_possible); + #else + static inline bool cpu_smt_allowed(unsigned int cpu) { return true; } + #endif diff --git a/patches.suse/do-not-default-to-ibrs-on-skl.patch b/patches.suse/do-not-default-to-ibrs-on-skl.patch deleted file mode 100644 index 1c69be0..0000000 --- a/patches.suse/do-not-default-to-ibrs-on-skl.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Jiri Kosina -Subject: x86/bugs: do not default to IBRS even on SKL -Patch-mainline: never, SUSE specific -References: bsc#1068032 CVE-2017-5753 bsc#1112824 jsc#SLE-7074 - -Disable SUSE-specific IBRS-on-SKL implementation. Please refer to page 16 of - -https://software.intel.com/security-software-guidance/api-app/sites/default/files/Retpoline-A-Branch-Target-Injection-Mitigation.pdf - -Signed-off-by: Jiri Kosina - ---- - arch/x86/kernel/cpu/bugs.c | 27 --------------------------- - 1 file changed, 27 deletions(-) - ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -644,16 +627,6 @@ - wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); - goto specv2_set_mode; - } -- -- /* -- * If we have IBRS support, and either Skylake or !RETPOLINE, -- * then that's what we do. -- */ -- if (boot_cpu_has(X86_FEATURE_IBRS) && is_skylake_era()) { -- mode = SPECTRE_V2_IBRS; -- setup_force_cpu_cap(X86_FEATURE_USE_IBRS); -- goto specv2_set_mode; -- } - /* fall through */ - case SPECTRE_V2_CMD_RETPOLINE: - if (IS_ENABLED(CONFIG_RETPOLINE)) diff --git a/patches.suse/documentation-hw-vuln-update-spectre-doc.patch b/patches.suse/documentation-hw-vuln-update-spectre-doc.patch new file mode 100644 index 0000000..cd04fef --- /dev/null +++ b/patches.suse/documentation-hw-vuln-update-spectre-doc.patch @@ -0,0 +1,36 @@ +From: Peter Zijlstra +Date: Wed, 16 Feb 2022 20:57:02 +0100 +Subject: Documentation/hw-vuln: Update spectre doc +Git-commit: 5ad3eb1132453b9795ce5fd4572b1c18b292cca9 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-0002 + +Update the doc with the new fun. + + [ bp: Massage commit message. ] + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Thomas Gleixner +--- + Documentation/admin-guide/kernel-parameters.txt | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -4180,8 +4180,12 @@ + Specific mitigations can also be selected manually: + + retpoline - replace indirect branches +- retpoline,generic - google's original retpoline +- retpoline,amd - AMD-specific minimal thunk ++ retpoline,generic - Retpolines ++ retpoline,lfence - LFENCE; indirect branch ++ retpoline,amd - alias for retpoline,lfence ++ eibrs - enhanced IBRS ++ eibrs,retpoline - enhanced IBRS + Retpolines ++ eibrs,lfence - enhanced IBRS + LFENCE + + Not specifying this option is equivalent to + spectre_v2=auto. diff --git a/patches.suse/lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch b/patches.suse/lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch new file mode 100644 index 0000000..5ef18b5 --- /dev/null +++ b/patches.suse/lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch @@ -0,0 +1,52 @@ +From a162b11c975ef9a03a75027c04052906ed7710da Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Mon, 21 Feb 2022 11:03:13 +0100 +Subject: [PATCH] lib/iov_iter: initialize "flags" in new pipe_buffer +Git-commit: 9d2231c5d74e13b2a0546fee6737ee4446017903 +Alt-commit: a162b11c975ef9a03a75027c04052906ed7710da +Patch-mainline: v5.17-rc6 +References: bsc#1196584 + +commit 9d2231c5d74e13b2a0546fee6737ee4446017903 upstream. + +The functions copy_page_to_iter_pipe() and push_pipe() can both +allocate a new pipe_buffer, but the "flags" member initializer is +missing. + +Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed") +To: Alexander Viro +To: linux-fsdevel@vger.kernel.org +To: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Max Kellermann +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai + +--- + lib/iov_iter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index 9bdc797ef257..ffa90d4c098e 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -393,6 +393,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by + return 0; + pipe->nrbufs++; + buf->ops = &page_cache_pipe_buf_ops; ++ buf->flags = 0; + get_page(buf->page = page); + buf->offset = offset; + buf->len = bytes; +@@ -517,6 +518,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size, + break; + pipe->nrbufs++; + pipe->bufs[idx].ops = &default_pipe_buf_ops; ++ pipe->bufs[idx].flags = 0; + pipe->bufs[idx].page = page; + pipe->bufs[idx].offset = 0; + if (left <= PAGE_SIZE) { +-- +2.31.1 + diff --git a/patches.suse/x86-bugs-unconditionally-allow-spectre_v2-retpoline-amd.patch b/patches.suse/x86-bugs-unconditionally-allow-spectre_v2-retpoline-amd.patch new file mode 100644 index 0000000..93230f5 --- /dev/null +++ b/patches.suse/x86-bugs-unconditionally-allow-spectre_v2-retpoline-amd.patch @@ -0,0 +1,40 @@ +From: Peter Zijlstra +Date: Tue, 26 Oct 2021 14:01:46 +0200 +Subject: x86,bugs: Unconditionally allow spectre_v2=retpoline,amd +Git-commit: f8a66d608a3e471e1202778c2a36cbdc96bae73b +Patch-mainline: v5.16-rc1 +References: bsc#1191580 CVE-2022-0001 CVE-2022-0002 + +Currently Linux prevents usage of retpoline,amd on !AMD hardware, this +is unfriendly and gets in the way of testing. Remove this restriction. + +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Borislav Petkov +Acked-by: Josh Poimboeuf +Tested-by: Alexei Starovoitov +Link: https://lore.kernel.org/r/20211026120310.487348118@infradead.org + +Acked-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index ecfca3bbcd96..ba43597f1027 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -882,13 +882,6 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) + return SPECTRE_V2_CMD_AUTO; + } + +- if (cmd == SPECTRE_V2_CMD_RETPOLINE_AMD && +- boot_cpu_data.x86_vendor != X86_VENDOR_HYGON && +- boot_cpu_data.x86_vendor != X86_VENDOR_AMD) { +- pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n"); +- return SPECTRE_V2_CMD_AUTO; +- } +- + spec_v2_print_cond(mitigation_options[i].option, + mitigation_options[i].secure); + return cmd; + diff --git a/patches.suse/x86-speculation-add-eibrs-retpoline-options.patch b/patches.suse/x86-speculation-add-eibrs-retpoline-options.patch new file mode 100644 index 0000000..e5d7594 --- /dev/null +++ b/patches.suse/x86-speculation-add-eibrs-retpoline-options.patch @@ -0,0 +1,270 @@ +From: Peter Zijlstra +Date: Wed, 16 Feb 2022 20:57:01 +0100 +Subject: x86/speculation: Add eIBRS + Retpoline options +Git-commit: 1e19da8522c81bf46b335f84137165741e0d82b7 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-0002 + +Thanks to the chaps at VUsec it is now clear that eIBRS is not +sufficient, therefore allow enabling of retpolines along with eIBRS. + +Add spectre_v2=eibrs, spectre_v2=eibrs,lfence and +spectre_v2=eibrs,retpoline options to explicitly pick your preferred +means of mitigation. + +Since there's new mitigations there's also user visible changes in +/sys/devices/system/cpu/vulnerabilities/spectre_v2 to reflect these +new mitigations. + + [ bp: Massage commit message, trim error messages, + do more precise eIBRS mode checking. ] + +Co-developed-by: Josh Poimboeuf +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Patrick Colp +Reviewed-by: Thomas Gleixner +--- + arch/x86/include/asm/nospec-branch.h | 4 - + arch/x86/kernel/cpu/bugs.c | 133 +++++++++++++++++++++++++---------- + 2 files changed, 99 insertions(+), 38 deletions(-) + +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -226,7 +226,9 @@ enum spectre_v2_mitigation { + SPECTRE_V2_RETPOLINE, + SPECTRE_V2_LFENCE, + SPECTRE_V2_IBRS, +- SPECTRE_V2_IBRS_ENHANCED, ++ SPECTRE_V2_EIBRS, ++ SPECTRE_V2_EIBRS_RETPOLINE, ++ SPECTRE_V2_EIBRS_LFENCE, + }; + + /* The indirect branch speculation control variants */ +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -652,6 +652,9 @@ enum spectre_v2_mitigation_cmd { + SPECTRE_V2_CMD_RETPOLINE, + SPECTRE_V2_CMD_RETPOLINE_GENERIC, + SPECTRE_V2_CMD_RETPOLINE_LFENCE, ++ SPECTRE_V2_CMD_EIBRS, ++ SPECTRE_V2_CMD_EIBRS_RETPOLINE, ++ SPECTRE_V2_CMD_EIBRS_LFENCE, + }; + + enum spectre_v2_user_cmd { +@@ -723,6 +726,13 @@ spectre_v2_parse_user_cmdline(enum spect + return SPECTRE_V2_USER_CMD_AUTO; + } + ++static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode) ++{ ++ return (mode == SPECTRE_V2_EIBRS || ++ mode == SPECTRE_V2_EIBRS_RETPOLINE || ++ mode == SPECTRE_V2_EIBRS_LFENCE); ++} ++ + static void __init + spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) + { +@@ -790,7 +800,7 @@ spectre_v2_user_select_mitigation(enum s + */ + if (!boot_cpu_has(X86_FEATURE_STIBP) || + !smt_possible || +- spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) ++ spectre_v2_in_eibrs_mode(spectre_v2_enabled)) + return; + + spectre_v2_user_stibp = mode; +@@ -803,7 +813,9 @@ static const char * const spectre_v2_str + [SPECTRE_V2_NONE] = "Vulnerable", + [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines", + [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE", +- [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS", ++ [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS", ++ [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE", ++ [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines", + }; + + static const struct { +@@ -817,6 +829,9 @@ static const struct { + { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, + { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, + { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, ++ { "eibrs", SPECTRE_V2_CMD_EIBRS, false }, ++ { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false }, ++ { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false }, + { "auto", SPECTRE_V2_CMD_AUTO, false }, + }; + +@@ -854,15 +869,29 @@ static enum spectre_v2_mitigation_cmd __ + + if ((cmd == SPECTRE_V2_CMD_RETPOLINE || + cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE || +- cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) && ++ cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC || ++ cmd == SPECTRE_V2_CMD_EIBRS_LFENCE || ++ cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) && + !IS_ENABLED(CONFIG_RETPOLINE)) { +- pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option); ++ pr_err("%s selected but not compiled in. Switching to AUTO select\n", ++ mitigation_options[i].option); ++ return SPECTRE_V2_CMD_AUTO; ++ } ++ ++ if ((cmd == SPECTRE_V2_CMD_EIBRS || ++ cmd == SPECTRE_V2_CMD_EIBRS_LFENCE || ++ cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) && ++ !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { ++ pr_err("%s selected but CPU doesn't have eIBRS. Switching to AUTO select\n", ++ mitigation_options[i].option); + return SPECTRE_V2_CMD_AUTO; + } + +- if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE) && ++ if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE || ++ cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) && + !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { +- pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n", mitigation_options[i].option); ++ pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n", ++ mitigation_options[i].option); + return SPECTRE_V2_CMD_AUTO; + } + +@@ -871,6 +900,25 @@ static enum spectre_v2_mitigation_cmd __ + return cmd; + } + ++static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void) ++{ ++ if (!IS_ENABLED(CONFIG_RETPOLINE)) { ++ pr_err("Kernel not compiled with retpoline; no mitigation available!"); ++ return SPECTRE_V2_NONE; ++ } ++ ++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || ++ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { ++ if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { ++ pr_err("LFENCE not serializing, switching to generic retpoline\n"); ++ return SPECTRE_V2_RETPOLINE; ++ } ++ return SPECTRE_V2_LFENCE; ++ } ++ ++ return SPECTRE_V2_RETPOLINE; ++} ++ + static void __init spectre_v2_select_mitigation(void) + { + enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); +@@ -891,49 +939,60 @@ static void __init spectre_v2_select_mit + case SPECTRE_V2_CMD_FORCE: + case SPECTRE_V2_CMD_AUTO: + if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { +- mode = SPECTRE_V2_IBRS_ENHANCED; +- /* Force it so VMEXIT will restore correctly */ +- x86_spec_ctrl_base |= SPEC_CTRL_IBRS; +- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); +- goto specv2_set_mode; ++ mode = SPECTRE_V2_EIBRS; ++ break; + } +- if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_auto; ++ ++ mode = spectre_v2_select_retpoline(); + break; ++ + case SPECTRE_V2_CMD_RETPOLINE_LFENCE: +- if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_lfence; ++ mode = SPECTRE_V2_LFENCE; + break; ++ + case SPECTRE_V2_CMD_RETPOLINE_GENERIC: +- if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_generic; ++ mode = SPECTRE_V2_RETPOLINE; + break; ++ + case SPECTRE_V2_CMD_RETPOLINE: +- if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_auto; ++ mode = spectre_v2_select_retpoline(); ++ break; ++ ++ case SPECTRE_V2_CMD_EIBRS: ++ mode = SPECTRE_V2_EIBRS; ++ break; ++ ++ case SPECTRE_V2_CMD_EIBRS_LFENCE: ++ mode = SPECTRE_V2_EIBRS_LFENCE; ++ break; ++ ++ case SPECTRE_V2_CMD_EIBRS_RETPOLINE: ++ mode = SPECTRE_V2_EIBRS_RETPOLINE; + break; + } +- pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!"); +- return; + +-retpoline_auto: +- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || +- boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { +- retpoline_lfence: +- if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { +- pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n"); +- goto retpoline_generic; +- } +- mode = SPECTRE_V2_LFENCE; ++ if (spectre_v2_in_eibrs_mode(mode)) { ++ /* Force it so VMEXIT will restore correctly */ ++ x86_spec_ctrl_base |= SPEC_CTRL_IBRS; ++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); ++ } ++ ++ switch (mode) { ++ case SPECTRE_V2_NONE: ++ case SPECTRE_V2_EIBRS: ++ break; ++ ++ case SPECTRE_V2_LFENCE: ++ case SPECTRE_V2_EIBRS_LFENCE: + setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); ++ /* fallthrough; */ ++ ++ case SPECTRE_V2_RETPOLINE: ++ case SPECTRE_V2_EIBRS_RETPOLINE: + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); +- } else { +- retpoline_generic: +- mode = SPECTRE_V2_RETPOLINE; +- setup_force_cpu_cap(X86_FEATURE_RETPOLINE); ++ break; + } + +-specv2_set_mode: + spectre_v2_enabled = mode; + pr_info("%s\n", spectre_v2_strings[mode]); + +@@ -959,7 +1018,7 @@ specv2_set_mode: + * the CPU supports Enhanced IBRS, kernel might un-intentionally not + * enable IBRS around firmware calls. + */ +- if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) { ++ if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_eibrs_mode(mode)) { + setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); + pr_info("Enabling Restricted Speculation for firmware calls\n"); + } +@@ -1491,7 +1550,7 @@ static ssize_t tsx_async_abort_show_stat + + static char *stibp_state(void) + { +- if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) ++ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled)) + return ""; + + switch (spectre_v2_user_stibp) { diff --git a/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch b/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch index 06459d6..3fa9556 100644 --- a/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch +++ b/patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch @@ -56,7 +56,7 @@ Tested-by: Neelima Krishnan --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h -@@ -349,6 +349,7 @@ +@@ -354,6 +354,7 @@ /* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */ #define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */ #define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */ @@ -64,7 +64,7 @@ Tested-by: Neelima Krishnan #define X86_FEATURE_MD_CLEAR (18*32+10) /* VERW clears CPU buffers */ #define X86_FEATURE_TSX_FORCE_ABORT (18*32+13) /* "" TSX_FORCE_ABORT */ #define X86_FEATURE_PCONFIG (18*32+18) /* Intel PCONFIG */ -@@ -393,5 +394,6 @@ +@@ -398,5 +399,6 @@ #define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */ #define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */ #define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */ @@ -73,7 +73,7 @@ Tested-by: Neelima Krishnan #endif /* _ASM_X86_CPUFEATURES_H */ --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h -@@ -109,6 +109,10 @@ +@@ -118,6 +118,10 @@ #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ @@ -86,7 +86,7 @@ Tested-by: Neelima Krishnan #define MSR_IA32_SYSENTER_EIP 0x00000176 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c -@@ -40,6 +40,7 @@ static void __init l1tf_select_mitigatio +@@ -41,6 +41,7 @@ static void __init l1tf_select_mitigatio static void __init mds_select_mitigation(void); static void __init mds_print_mitigation(void); static void __init taa_select_mitigation(void); @@ -94,7 +94,7 @@ Tested-by: Neelima Krishnan /* The base value of the SPEC_CTRL MSR that always has to be preserved. */ u64 x86_spec_ctrl_base; -@@ -107,6 +108,7 @@ void __init check_bugs(void) +@@ -108,6 +109,7 @@ void __init check_bugs(void) l1tf_select_mitigation(); mds_select_mitigation(); taa_select_mitigation(); @@ -102,7 +102,7 @@ Tested-by: Neelima Krishnan /* * As MDS and TAA mitigations are inter-related, print MDS -@@ -514,6 +516,97 @@ static int __init tsx_async_abort_parse_ +@@ -515,6 +517,97 @@ static int __init tsx_async_abort_parse_ early_param("tsx_async_abort", tsx_async_abort_parse_cmdline); #undef pr_fmt @@ -200,8 +200,8 @@ Tested-by: Neelima Krishnan #define pr_fmt(fmt) "Spectre V1 : " fmt enum spectre_v1_mitigation { -@@ -1501,6 +1594,11 @@ static char *ibpb_state(void) - return ""; +@@ -1621,6 +1714,11 @@ static ssize_t spectre_v2_show_state(cha + spectre_v2_module_string()); } +static ssize_t srbds_show_state(char *buf) @@ -212,7 +212,7 @@ Tested-by: Neelima Krishnan static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, char *buf, unsigned int bug) { -@@ -1547,6 +1645,9 @@ static ssize_t cpu_show_common(struct de +@@ -1662,6 +1760,9 @@ static ssize_t cpu_show_common(struct de case X86_BUG_ITLB_MULTIHIT: return itlb_multihit_show_state(buf); @@ -222,7 +222,7 @@ Tested-by: Neelima Krishnan default: break; } -@@ -1593,4 +1694,9 @@ ssize_t cpu_show_itlb_multihit(struct de +@@ -1708,4 +1809,9 @@ ssize_t cpu_show_itlb_multihit(struct de { return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT); } @@ -234,7 +234,7 @@ Tested-by: Neelima Krishnan #endif --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c -@@ -973,6 +973,27 @@ static const __initconst struct x86_cpu_ +@@ -997,6 +997,27 @@ static const __initconst struct x86_cpu_ {} }; @@ -262,7 +262,7 @@ Tested-by: Neelima Krishnan static bool __init cpu_matches(const struct x86_cpu_id *table, unsigned long which) { const struct x86_cpu_id *m = x86_match_cpu(table); -@@ -1038,6 +1059,15 @@ static void __init cpu_set_bug_bits(stru +@@ -1062,6 +1083,15 @@ static void __init cpu_set_bug_bits(stru (ia32_cap & ARCH_CAP_TSX_CTRL_MSR))) setup_force_cpu_bug(X86_BUG_TAA); @@ -278,7 +278,7 @@ Tested-by: Neelima Krishnan if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) return; -@@ -1454,6 +1484,7 @@ void identify_secondary_cpu(struct cpuin +@@ -1479,6 +1509,7 @@ void identify_secondary_cpu(struct cpuin mtrr_ap_init(); validate_apic_and_package_id(c); x86_spec_ctrl_setup_ap(); @@ -308,7 +308,7 @@ Tested-by: Neelima Krishnan Date: January 2018 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -4210,6 +4210,26 @@ +@@ -4280,6 +4280,26 @@ spia_pedr= spia_peddr= diff --git a/patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch b/patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch new file mode 100644 index 0000000..1bac650 --- /dev/null +++ b/patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch @@ -0,0 +1,147 @@ +From: Josh Poimboeuf +Date: Fri, 18 Feb 2022 11:49:08 -0800 +Subject: x86/speculation: Include unprivileged eBPF status in Spectre v2 + mitigation reporting +Git-commit: 44a3918c8245ab10c6c9719dd12e7a8d291980d8 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-0002 + +With unprivileged eBPF enabled, eIBRS (without retpoline) is vulnerable +to Spectre v2 BHB-based attacks. + +When both are enabled, print a warning message and report it in the +'spectre_v2' sysfs vulnerabilities file. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +Reviewed-by: Thomas Gleixner +--- + arch/x86/kernel/cpu/bugs.c | 35 +++++++++++++++++++++++++++++------ + include/linux/bpf.h | 11 +++++++++++ + kernel/sysctl.c | 8 ++++++++ + 3 files changed, 48 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -637,6 +638,16 @@ static inline const char *spectre_v2_mod + static inline const char *spectre_v2_module_string(void) { return ""; } + #endif + ++#define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" ++ ++#ifdef CONFIG_BPF_SYSCALL ++void unpriv_ebpf_notify(int new_state) ++{ ++ if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state) ++ pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); ++} ++#endif ++ + static inline bool match_option(const char *arg, int arglen, const char *opt) + { + int len = strlen(opt); +@@ -971,6 +982,9 @@ static void __init spectre_v2_select_mit + break; + } + ++ if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) ++ pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); ++ + if (spectre_v2_in_eibrs_mode(mode)) { + /* Force it so VMEXIT will restore correctly */ + x86_spec_ctrl_base |= SPEC_CTRL_IBRS; +@@ -1578,6 +1592,20 @@ static char *ibpb_state(void) + return ""; + } + ++static ssize_t spectre_v2_show_state(char *buf) ++{ ++ if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) ++ return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n"); ++ ++ return sprintf(buf, "%s%s%s%s%s%s\n", ++ spectre_v2_strings[spectre_v2_enabled], ++ ibpb_state(), ++ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", ++ stibp_state(), ++ boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", ++ spectre_v2_module_string()); ++} ++ + static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, + char *buf, unsigned int bug) + { +@@ -1599,12 +1627,7 @@ static ssize_t cpu_show_common(struct de + return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]); + + case X86_BUG_SPECTRE_V2: +- return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], +- ibpb_state(), +- boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", +- stibp_state(), +- boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", +- spectre_v2_module_string()); ++ return spectre_v2_show_state(buf); + + case X86_BUG_SPEC_STORE_BYPASS: + return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -529,6 +529,11 @@ static inline int bpf_map_attr_numa_node + + struct bpf_prog *bpf_prog_get_type_path(const char *name, enum bpf_prog_type type); + ++static inline bool unprivileged_ebpf_enabled(void) ++{ ++ return !sysctl_unprivileged_bpf_disabled; ++} ++ + #else /* !CONFIG_BPF_SYSCALL */ + static inline struct bpf_prog *bpf_prog_get(u32 ufd) + { +@@ -582,6 +587,12 @@ static inline struct net_device *__dev_ + return NULL; + } + ++static inline bool unprivileged_ebpf_enabled(void) ++{ ++ return false; ++} ++ ++ + static inline void __dev_map_insert_ctx(struct bpf_map *map, u32 index) + { + } +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -307,6 +307,11 @@ static int max_extfrag_threshold = 1000; + #endif + + #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_SYSCTL) ++ ++void __weak unpriv_ebpf_notify(int new_state) ++{ ++} ++ + static int bpf_unpriv_handler(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +@@ -324,6 +329,9 @@ static int bpf_unpriv_handler(struct ctl + return -EPERM; + *(int *)table->data = unpriv_enable; + } ++ ++ unpriv_ebpf_notify(unpriv_enable); ++ + return ret; + } + #endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */ diff --git a/patches.suse/x86-speculation-merge-one-test-in-spectre_v2_user_select_mitigation.patch b/patches.suse/x86-speculation-merge-one-test-in-spectre_v2_user_select_mitigation.patch new file mode 100644 index 0000000..7820a19 --- /dev/null +++ b/patches.suse/x86-speculation-merge-one-test-in-spectre_v2_user_select_mitigation.patch @@ -0,0 +1,47 @@ +From: Borislav Petkov +Date: Mon, 15 Jun 2020 08:51:25 +0200 +Subject: x86/speculation: Merge one test in + spectre_v2_user_select_mitigation() +Git-commit: a5ce9f2bb665d1d2b31f139a02dbaa2dfbb62fa6 +Patch-mainline: v5.9-rc1 +References: bsc#1191580 CVE-2022-0001 CVE-2022-0002 + +Merge the test whether the CPU supports STIBP into the test which +determines whether STIBP is required. Thus try to simplify what is +already an insane logic. + +Remove a superfluous newline in a comment, while at it. + +Signed-off-by: Borislav Petkov +Cc: Anthony Steinhauser +Link: https://lkml.kernel.org/r/20200615065806.GB14668@zn.tnic +--- + arch/x86/kernel/cpu/bugs.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -785,19 +785,14 @@ spectre_v2_user_select_mitigation(enum s + } + + /* +- * If enhanced IBRS is enabled or SMT impossible, STIBP is not ++ * If no STIBP, enhanced IBRS is enabled or SMT impossible, STIBP is not + * required. + */ +- if (!smt_possible || spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) ++ if (!boot_cpu_has(X86_FEATURE_STIBP) || ++ !smt_possible || ++ spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) + return; + +- /* +- * If SMT is not possible or STIBP is not available clear the STIPB +- * mode. +- */ +- if (!boot_cpu_has(X86_FEATURE_STIBP)) +- mode = SPECTRE_V2_USER_NONE; +- + spectre_v2_user_stibp = mode; + + set_mode: diff --git a/patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch b/patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch new file mode 100644 index 0000000..4547ba9 --- /dev/null +++ b/patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch @@ -0,0 +1,177 @@ +From: "Peter Zijlstra (Intel)" +Date: Wed, 16 Feb 2022 20:57:00 +0100 +Subject: x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE +Git-commit: d45476d9832409371537013ebdd8dc1a7781f97a +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-0002 + +The RETPOLINE_AMD name is unfortunate since it isn't necessarily +AMD only, in fact Hygon also uses it. Furthermore it will likely be +sufficient for some Intel processors. Therefore rename the thing to +RETPOLINE_LFENCE to better describe what it is. + +Add the spectre_v2=retpoline,lfence option as an alias to +spectre_v2=retpoline,amd to preserve existing setups. However, the output +of /sys/devices/system/cpu/vulnerabilities/spectre_v2 will be changed. + + [ bp: Fix typos, massage. ] + +Co-developed-by: Josh Poimboeuf +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Borislav Petkov +Reviewed-by: Thomas Gleixner +--- + arch/x86/include/asm/cpufeatures.h | 2 +- + arch/x86/include/asm/nospec-branch.h | 12 ++++++------ + arch/x86/kernel/cpu/bugs.c | 29 ++++++++++++++++++----------- + 3 files changed, 25 insertions(+), 18 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -204,7 +204,7 @@ + #define X86_FEATURE_SME ( 7*32+10) /* AMD Secure Memory Encryption */ + #define X86_FEATURE_PTI ( 7*32+11) /* Kernel Page Table Isolation enabled */ + #define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ +-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */ ++#define X86_FEATURE_RETPOLINE_LFENCE ( 7*32+13) /* "" Use LFENCE for Spectre variant 2 */ + #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */ + #define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */ + #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -119,7 +119,7 @@ + ANNOTATE_NOSPEC_ALTERNATIVE + ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *\reg), \ + __stringify(RETPOLINE_JMP \reg), X86_FEATURE_RETPOLINE, \ +- __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg), X86_FEATURE_RETPOLINE_AMD ++ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *\reg), X86_FEATURE_RETPOLINE_LFENCE + #else + jmp *\reg + #endif +@@ -130,7 +130,7 @@ + ANNOTATE_NOSPEC_ALTERNATIVE + ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; call *\reg), \ + __stringify(RETPOLINE_CALL \reg), X86_FEATURE_RETPOLINE,\ +- __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; call *\reg), X86_FEATURE_RETPOLINE_AMD ++ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; call *\reg), X86_FEATURE_RETPOLINE_LFENCE + #else + call *\reg + #endif +@@ -181,7 +181,7 @@ + "lfence;\n" \ + ANNOTATE_RETPOLINE_SAFE \ + "call *%[thunk_target]\n", \ +- X86_FEATURE_RETPOLINE_AMD) ++ X86_FEATURE_RETPOLINE_LFENCE) + # define THUNK_TARGET(addr) [thunk_target] "r" (addr) + + #else /* CONFIG_X86_32 */ +@@ -211,7 +211,7 @@ + "lfence;\n" \ + ANNOTATE_RETPOLINE_SAFE \ + "call *%[thunk_target]\n", \ +- X86_FEATURE_RETPOLINE_AMD) ++ X86_FEATURE_RETPOLINE_LFENCE) + + # define THUNK_TARGET(addr) [thunk_target] "rm" (addr) + #endif +@@ -223,8 +223,8 @@ + /* The Spectre V2 mitigation variants */ + enum spectre_v2_mitigation { + SPECTRE_V2_NONE, +- SPECTRE_V2_RETPOLINE_GENERIC, +- SPECTRE_V2_RETPOLINE_AMD, ++ SPECTRE_V2_RETPOLINE, ++ SPECTRE_V2_LFENCE, + SPECTRE_V2_IBRS, + SPECTRE_V2_IBRS_ENHANCED, + }; +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -651,7 +651,7 @@ enum spectre_v2_mitigation_cmd { + SPECTRE_V2_CMD_FORCE, + SPECTRE_V2_CMD_RETPOLINE, + SPECTRE_V2_CMD_RETPOLINE_GENERIC, +- SPECTRE_V2_CMD_RETPOLINE_AMD, ++ SPECTRE_V2_CMD_RETPOLINE_LFENCE, + }; + + enum spectre_v2_user_cmd { +@@ -801,8 +801,8 @@ set_mode: + + static const char * const spectre_v2_strings[] = { + [SPECTRE_V2_NONE] = "Vulnerable", +- [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline", +- [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline", ++ [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines", ++ [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE", + [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS", + }; + +@@ -814,7 +814,8 @@ static const struct { + { "off", SPECTRE_V2_CMD_NONE, false }, + { "on", SPECTRE_V2_CMD_FORCE, true }, + { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, +- { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false }, ++ { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, ++ { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, + { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, + { "auto", SPECTRE_V2_CMD_AUTO, false }, + }; +@@ -852,13 +853,19 @@ static enum spectre_v2_mitigation_cmd __ + } + + if ((cmd == SPECTRE_V2_CMD_RETPOLINE || +- cmd == SPECTRE_V2_CMD_RETPOLINE_AMD || ++ cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE || + cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) && + !IS_ENABLED(CONFIG_RETPOLINE)) { + pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option); + return SPECTRE_V2_CMD_AUTO; + } + ++ if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE) && ++ !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { ++ pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n", mitigation_options[i].option); ++ return SPECTRE_V2_CMD_AUTO; ++ } ++ + spec_v2_print_cond(mitigation_options[i].option, + mitigation_options[i].secure); + return cmd; +@@ -893,9 +900,9 @@ static void __init spectre_v2_select_mit + if (IS_ENABLED(CONFIG_RETPOLINE)) + goto retpoline_auto; + break; +- case SPECTRE_V2_CMD_RETPOLINE_AMD: ++ case SPECTRE_V2_CMD_RETPOLINE_LFENCE: + if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_amd; ++ goto retpoline_lfence; + break; + case SPECTRE_V2_CMD_RETPOLINE_GENERIC: + if (IS_ENABLED(CONFIG_RETPOLINE)) +@@ -912,17 +919,17 @@ static void __init spectre_v2_select_mit + retpoline_auto: + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || + boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { +- retpoline_amd: ++ retpoline_lfence: + if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { + pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n"); + goto retpoline_generic; + } +- mode = SPECTRE_V2_RETPOLINE_AMD; +- setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD); ++ mode = SPECTRE_V2_LFENCE; ++ setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); + } else { + retpoline_generic: +- mode = SPECTRE_V2_RETPOLINE_GENERIC; ++ mode = SPECTRE_V2_RETPOLINE; + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); + } + diff --git a/patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch b/patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch new file mode 100644 index 0000000..47fbcc2 --- /dev/null +++ b/patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch @@ -0,0 +1,43 @@ +From: Kim Phillips +Date: Mon, 28 Feb 2022 11:23:15 -0600 +Subject: x86/speculation: Use generic retpoline by default on AMD +Git-commit: 244d00b5dd4755f8df892c86cab35fb2cfd4f14b +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git +Patch-mainline: Queued in a subsystem tree +References: bsc#1191580 CVE-2022-0001 CVE-2022-0002 + +AMD retpoline may be susceptible to speculation. The speculation +execution window for an incorrect indirect branch prediction using +LFENCE/JMP sequence may potentially be large enough to allow +exploitation using Spectre V2. + +By default, don't use retpoline,lfence on AMD. Instead, use the +generic retpoline. + +Signed-off-by: Kim Phillips +Signed-off-by: Borislav Petkov +--- + arch/x86/kernel/cpu/bugs.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 0a4267c63d3b..a36bfe2c2480 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -941,15 +941,6 @@ static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void) + return SPECTRE_V2_NONE; + } + +- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || +- boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { +- if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { +- pr_err("LFENCE not serializing, switching to generic retpoline\n"); +- return SPECTRE_V2_RETPOLINE; +- } +- return SPECTRE_V2_LFENCE; +- } +- + return SPECTRE_V2_RETPOLINE; + } + + diff --git a/series.conf b/series.conf index 8c17748..596f2ce 100644 --- a/series.conf +++ b/series.conf @@ -52558,6 +52558,7 @@ patches.suse/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_se.patch patches.suse/thermal_hwmon-Sanitize-thermal_zone-type.patch patches.suse/thermal-Fix-use-after-free-when-unregistering-therma.patch + patches.suse/cpu-smt-create-and-export-cpu_smt_possible.patch patches.suse/0001-Revert-locking-pvqspinlock-Don-t-wait-if-vCPU-is-pre.patch patches.suse/9p-avoid-attaching-writeback_fid-on-mmap-with-type-P.patch patches.suse/nfsd-handle-drc-over-allocation-gracefully.patch @@ -56649,6 +56650,7 @@ patches.suse/0001-block-improve-discard-bio-alignment-in-__blkdev_issu.patch patches.suse/block-Use-non-_rcu-version-of-list-functions-for-tag.patch patches.suse/s390-ap-rework-crypto-config-info-and-default-domain-code + patches.suse/x86-speculation-merge-one-test-in-spectre_v2_user_select_mitigation.patch patches.suse/x86-mce-inject-fix-a-wrong-assignment-of-i_mce-status.patch patches.suse/platform-x86-intel-hid-Fix-return-value-check-in-che.patch patches.suse/platform-x86-intel-vbtn-Fix-return-value-check-in-ch.patch @@ -60425,6 +60427,7 @@ patches.suse/tpm-Check-for-integer-overflow-in-tpm2_map_response_.patch patches.suse/powerpc-perf-Fix-data-source-encodings-for-L2.1-and-.patch patches.suse/x86-xen-Mark-cpu_bringup_and_idle-as-dead_end_functi.patch + patches.suse/x86-bugs-unconditionally-allow-spectre_v2-retpoline-amd.patch patches.suse/edac-amd64-handle-three-rank-interleaving-mode.patch patches.suse/edac-sb_edac-fix-top-of-high-memory-value-for-broadwell-haswell.patch patches.suse/tracing-use-ps-format-string-to-print-symbols.patch @@ -60685,6 +60688,7 @@ patches.suse/ixgbevf-Require-large-buffers-for-build_skb-on-82599.patch patches.suse/gve-Recording-rx-queue-before-sending-to-napi.patch patches.suse/scsi-lpfc-Fix-pt2pt-NVMe-PRLI-reject-LOGO-loop.patch + patches.suse/lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch patches.suse/tracing-Dump-stacktrace-trigger-to-the-corresponding-instance.patch patches.suse/tracing-Have-traceon-and-traceoff-trigger-honor-the-instance.patch @@ -60769,6 +60773,13 @@ # end of sorted patches ######################################################## + # bsc#1191580 + patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch + patches.suse/x86-speculation-add-eibrs-retpoline-options.patch + patches.suse/documentation-hw-vuln-update-spectre-doc.patch + patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch + patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch + ######################################################## # upstream patches broken after a merge ######################################################## @@ -60846,7 +60857,6 @@ patches.suse/0004-x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch patches.suse/0005-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch patches.suse/IBRS-forbid-shooting-in-foot.patch - patches.suse/do-not-default-to-ibrs-on-skl.patch # bsc#1137366 patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch