From 9eb0ec16a63b49ed7f2aba6c76fafda4241ed492 Mon Sep 17 00:00:00 2001
From: Oscar Salvador
Date: May 03 2023 03:52:40 +0000
Subject: Merge remote-tracking branch 'origin/users/dfaggioli/SLE15-SP5-GA/for-next' into SLE15-SP5-GA
Pull kvm fix from Dario Faggioli
---
diff --git a/patches.suse/KVM-VMX-Execute-IBPB-on-emulated-VM-exit-when-guest-has-IBRS b/patches.suse/KVM-VMX-Execute-IBPB-on-emulated-VM-exit-when-guest-has-IBRS
new file mode 100644
index 0000000..a0e2c64
--- /dev/null
+++ b/patches.suse/KVM-VMX-Execute-IBPB-on-emulated-VM-exit-when-guest-has-IBRS
@@ -0,0 +1,86 @@
+From: Jim Mattson
+Date: Wed, 19 Oct 2022 14:36:20 -0700
+Subject: KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
+Git-commit: 2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
+Patch-mainline: v6.2-rc1
+References: bsc#1206992 CVE-2022-2196
+
+According to Intel's document on Indirect Branch Restricted
+Speculation, "Enabling IBRS does not prevent software from controlling
+the predicted targets of indirect branches of unrelated software
+executed later at the same predictor mode (for example, between two
+different user applications, or two different virtual machines). Such
+isolation can be ensured through use of the Indirect Branch Predictor
+Barrier (IBPB) command." This applies to both basic and enhanced IBRS.
+
+Since L1 and L2 VMs share hardware predictor modes (guest-user and
+guest-kernel), hardware IBRS is not sufficient to virtualize
+IBRS. (The way that basic IBRS is implemented on pre-eIBRS parts,
+hardware IBRS is actually sufficient in practice, even though it isn't
+sufficient architecturally.)
+
+For virtual CPUs that support IBRS, add an indirect branch prediction
+barrier on emulated VM-exit, to ensure that the predicted targets of
+indirect branches executed in L1 cannot be controlled by software that
+was executed in L2.
+
+Since we typically don't intercept guest writes to IA32_SPEC_CTRL,
+perform the IBPB at emulated VM-exit regardless of the current
+IA32_SPEC_CTRL.IBRS value, even though the IBPB could technically be
+deferred until L1 sets IA32_SPEC_CTRL.IBRS, if IA32_SPEC_CTRL.IBRS is
+clear at emulated VM-exit.
+
+This is CVE-2022-2196.
+
+Fixes: 5c911beff20a ("KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02")
+Cc: Sean Christopherson
+Signed-off-by: Jim Mattson
+Reviewed-by: Sean Christopherson
+Link: https://lore.kernel.org/r/20221019213620.1953281-3-jmattson@google.com
+Signed-off-by: Sean Christopherson
+Acked-by: Dario Faggioli
+---
+ arch/x86/kvm/vmx/nested.c | 11 +++++++++++
+ arch/x86/kvm/vmx/vmx.c | 6 ++++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 892791019968..61c83424285c 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -4798,6 +4798,17 @@ void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 vm_exit_reason,
+ 
+ vmx_switch_vmcs(vcpu, &vmx->vmcs01);
+ 
++ /*
++ * If IBRS is advertised to the vCPU, KVM must flush the indirect
++ * branch predictors when transitioning from L2 to L1, as L1 expects
++ * hardware (KVM in this case) to provide separate predictor modes.
++ * Bare metal isolates VMX root (host) from VMX non-root (guest), but
++ * doesn't isolate different VMCSs, i.e. in this case, doesn't provide
++ * separate modes for L2 vs L1.
++ */
++ if (guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
++ indirect_branch_prediction_barrier();
++
+ /* Update any VMCS fields that might have changed while L2 ran */
+ vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, vmx->msr_autoload.host.nr);
+ vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, vmx->msr_autoload.guest.nr);
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index cb40f724d8cc..3f31c46c306e 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -1348,8 +1348,10 @@ void vmx_vcpu_load_vmcs(struct kvm_vcpu *vcpu, int cpu,
+ 
+ /*
+ * No indirect branch prediction barrier needed when switching
+- * the active VMCS within a guest, e.g. on nested VM-Enter.
+- * The L1 VMM can protect itself with retpolines, IBPB or IBRS.
++ * the active VMCS within a vCPU, unless IBRS is advertised to
++ * the vCPU. To minimize the number of IBPBs executed, KVM
++ * performs IBPB on nested VM-Exit (a single nested transition
++ * may switch the active VMCS multiple times).
+ */
+ if (!buddy || WARN_ON_ONCE(buddy->vmcs != prev))
+ indirect_branch_prediction_barrier();
+
diff --git a/series.conf b/series.conf
index 54cdc38..14ea206 100644
--- a/series.conf
+++ b/series.conf
@@ -36533,6 +36533,7 @@
 patches.suse/gpiolib-cdev-fix-NULL-pointer-dereferences.patch
 patches.suse/thermal-drivers-imx8mm_thermal-Validate-temperature-.patch
 patches.suse/thermal-drivers-qcom-temp-alarm-Fix-inaccurate-warni.patch
+ patches.suse/KVM-VMX-Execute-IBPB-on-emulated-VM-exit-when-guest-has-IBRS
 patches.suse/vfio-platform-Do-not-pass-return-buffer-to-ACPI-_RST.patch
 patches.suse/i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch
 patches.suse/i2c-mux-reg-check-return-value-after-calling-platfor.patch
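Review bot: The new comment block above `if (guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))` in nested_vmx_vmexit() reads as if the flush is guaranteed whenever IBRS is advertised to the vCPU, but indirect_branch_prediction_barrier() is, if I read the nospec-branch.h helper correctly, an alternative keyed on the host's X86_FEATURE_USE_IBPB and silently does nothing on a host where IBPB is absent or disabled, so the comment should state the host-side dependency, e.g. `/* No-op unless the host itself has IBPB enabled (X86_FEATURE_USE_IBPB). */` after the existing block. The patch file also carries the upstream blob ids and offsets (`index 892791019968..61c83424285c`, `@@ -4798,6 +4798,17 @@`), which may not correspond to the SLE15-SP5 tree; if the hunk applied with offset or fuzz, the backport header should say that the surrounding vmx_switch_vmcs()/vmcs_write32() context was verified in the SP5 nested_vmx_vmexit(). Note that the vmx.c change only rewrites the comment in vmx_vcpu_load_vmcs(); its `!buddy || WARN_ON_ONCE(buddy->vmcs != prev)` condition is unchanged, so the new text is accurate only as long as the nested.c hunk is applied alongside it. Both nested_vmx_vmexit() and vmx_vcpu_load_vmcs() start and end outside the quoted hunks.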