[PATCH 0/2][B] Enhanced IBRS (LP: #1786139)


Tyler Hicks-2
BugLink: https://launchpad.net/bugs/1786139

[Impact]

Future Intel CPUs like Cascade Lake and GLK+ support Enhanced IBRS. Enhanced
IBRS is a H/W mitigation technique for the Spectre V2 bug. So, it's important to
make sure that all the OSVs are using this feature.

[Test Case]

For processors that don't support Enhanced IBRS, the test is to ensure that
/sys/devices/system/cpu/vulnerabilities/spectre_v2 doesn't change state after
applying the patches. This will typically be the string when running on Intel
processors that don't support Enhanced IBRS:

  "Mitigation: Full generic retpoline, IBPB, IBRS_FW"

New Intel processors that do support Enhanced IBRS will display "Enhanced IBRS"
in place of "Full generic retpoline"

[Regression Potential]

Pretty low. The patches are fairly simple and they should only affect new
processors. The main concern is around the possibility of regressing IBRS
support on processors that don't support Enhanced IBRS.

Tyler


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
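
The [Test Case] in the cover letter above, written as a script check. This is an added example, not part of the patch series: `check_spectre_v2` is a hypothetical helper, `ibrs_enhanced` is assumed to be the /proc/cpuinfo name of the new X86_FEATURE_IBRS_ENHANCED flag, and the Enhanced IBRS sample string is constructed.

```sh
#!/bin/sh
# check_spectre_v2 BEFORE AFTER CPU_FLAGS
#   BEFORE    spectre_v2 sysfs string on the unpatched kernel
#   AFTER     spectre_v2 sysfs string on the patched kernel
#   CPU_FLAGS "flags" line from /proc/cpuinfo on the patched kernel
# Returns 0 when the [Test Case] expectation holds, 1 otherwise.
check_spectre_v2() {
    sv2_before=$1
    sv2_after=$2
    sv2_flags=$3

    case " $sv2_flags " in
    *" ibrs_enhanced "*)
        # CPU advertises Enhanced IBRS: it must be the selected mode.
        case $sv2_after in
        "Mitigation: Enhanced IBRS"*) ;;
        *)  echo "FAIL: Enhanced IBRS CPU reports: $sv2_after"
            return 1 ;;
        esac
        # Stricter than the test case: the 2/2 commit message says
        # Enhanced IBRS still requires IBPB for full mitigation.
        case $sv2_after in
        *IBPB*) ;;
        *)  echo "FAIL: Enhanced IBRS selected without IBPB"
            return 1 ;;
        esac
        echo "PASS: $sv2_after"
        return 0 ;;
    esac

    # No Enhanced IBRS: the string must not change across the update.
    if [ "$sv2_before" = "$sv2_after" ]; then
        echo "PASS: unchanged: $sv2_after"
        return 0
    fi
    echo "FAIL: changed from '$sv2_before' to '$sv2_after'"
    return 1
}

# LEGACY_SAMPLE is quoted from the thread; EIBRS_SAMPLE is constructed.
LEGACY_SAMPLE='Mitigation: Full generic retpoline, IBPB, IBRS_FW'
EIBRS_SAMPLE='Mitigation: Enhanced IBRS, IBPB'

check_spectre_v2 "$LEGACY_SAMPLE" "$LEGACY_SAMPLE" "fpu ibrs ibpb stibp"
check_spectre_v2 "$LEGACY_SAMPLE" "$EIBRS_SAMPLE" "fpu ibrs ibpb ibrs_enhanced"
```

On a real host, feed it the contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2 saved before and after the kernel update, plus the flags line from /proc/cpuinfo.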

[PATCH 1/2][B] x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation

Tyler Hicks-2
From: Jiang Biao <[hidden email]>

BugLink: https://launchpad.net/bugs/1786139

SPECTRE_V2_IBRS in enum spectre_v2_mitigation is never used. Remove it.

Signed-off-by: Jiang Biao <[hidden email]>
Signed-off-by: Thomas Gleixner <[hidden email]>
Cc: [hidden email]
Cc: [hidden email]
Cc: [hidden email]
Cc: [hidden email]
Cc: [hidden email]
Link: https://lkml.kernel.org/r/1531872194-39207-1-git-send-email-jiang.biao2@...

(cherry picked from commit d9f4426c73002957be5dd39936f44a09498f7560)
Signed-off-by: Tyler Hicks <[hidden email]>
---
 arch/x86/include/asm/nospec-branch.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 8b38df98548e..5f6ae990c59a 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -214,7 +214,6 @@ enum spectre_v2_mitigation {
  SPECTRE_V2_RETPOLINE_MINIMAL_AMD,
  SPECTRE_V2_RETPOLINE_GENERIC,
  SPECTRE_V2_RETPOLINE_AMD,
- SPECTRE_V2_IBRS,
 };
 
 /* The Speculative Store Bypass disable variants */
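
Review bot: before dropping SPECTRE_V2_IBRS from the end of enum spectre_v2_mitigation, grep the Bionic tree for remaining users. The "never used" statement in the commit message was made about the upstream tree and this is a cherry-pick, so a leftover spectre_v2_strings[] entry or switch case from an earlier distro backport would break the build. The enumerator is the last one, so removing it does not change the value of any other mode.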
--
2.7.4



[PATCH 2/2][B] x86/speculation: Support Enhanced IBRS on future CPUs

Tyler Hicks-2
From: Sai Praneeth <[hidden email]>

BugLink: https://launchpad.net/bugs/1786139

Future Intel processors will support "Enhanced IBRS" which is an "always
on" mode i.e. IBRS bit in SPEC_CTRL MSR is enabled once and never
disabled.

From the specification [1]:

 "With enhanced IBRS, the predicted targets of indirect branches
  executed cannot be controlled by software that was executed in a less
  privileged predictor mode or on another logical processor. As a
  result, software operating on a processor with enhanced IBRS need not
  use WRMSR to set IA32_SPEC_CTRL.IBRS after every transition to a more
  privileged predictor mode. Software can isolate predictor modes
  effectively simply by setting the bit once. Software need not disable
  enhanced IBRS prior to entering a sleep state such as MWAIT or HLT."

If Enhanced IBRS is supported by the processor then use it as the
preferred spectre v2 mitigation mechanism instead of Retpoline. Intel's
Retpoline white paper [2] states:

 "Retpoline is known to be an effective branch target injection (Spectre
  variant 2) mitigation on Intel processors belonging to family 6
  (enumerated by the CPUID instruction) that do not have support for
  enhanced IBRS. On processors that support enhanced IBRS, it should be
  used for mitigation instead of retpoline."

The reason why Enhanced IBRS is the recommended mitigation on processors
which support it is that these processors also support CET which
provides a defense against ROP attacks. Retpoline is very similar to ROP
techniques and might trigger false positives in the CET defense.

If Enhanced IBRS is selected as the mitigation technique for spectre v2,
the IBRS bit in SPEC_CTRL MSR is set once at boot time and never
cleared. Kernel also has to make sure that IBRS bit remains set after
VMEXIT because the guest might have cleared the bit. This is already
covered by the existing x86_spec_ctrl_set_guest() and
x86_spec_ctrl_restore_host() speculation control functions.

Enhanced IBRS still requires IBPB for full mitigation.

[1] Speculative-Execution-Side-Channel-Mitigations.pdf
[2] Retpoline-A-Branch-Target-Injection-Mitigation.pdf
Both documents are available at:
https://bugzilla.kernel.org/show_bug.cgi?id=199511

Originally-by: David Woodhouse <[hidden email]>
Signed-off-by: Sai Praneeth Prakhya <[hidden email]>
Signed-off-by: Thomas Gleixner <[hidden email]>
Cc: Tim C Chen <[hidden email]>
Cc: Dave Hansen <[hidden email]>
Cc: Ravi Shankar <[hidden email]>
Link: https://lkml.kernel.org/r/1533148945-24095-1-git-send-email-sai.praneeth.prakhya@...

(backported from commit 706d51681d636a0c4a5ef53395ec3b803e45ed4d)
[tyhicks: Minor context change and properly place the check in cpu_set_bug_bits()]
Signed-off-by: Tyler Hicks <[hidden email]>
---
 arch/x86/include/asm/cpufeatures.h   |  1 +
 arch/x86/include/asm/nospec-branch.h |  1 +
 arch/x86/kernel/cpu/bugs.c           | 20 ++++++++++++++++++--
 arch/x86/kernel/cpu/common.c         |  3 +++
 4 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 14e3d1a1946e..d0e631a55a33 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -220,6 +220,7 @@
 #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */
 #define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
 #define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */
+#define X86_FEATURE_IBRS_ENHANCED ( 7*32+30) /* Enhanced IBRS */
 
 /* Virtualization flags: Linux defined, word 8 */
 #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
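
Review bot: the comment on the new X86_FEATURE_IBRS_ENHANCED define lacks the leading "" that the ZEN and L1TF_PTEINV defines just above it carry, so unlike those two this flag will be listed in /proc/cpuinfo. If that is intended, it is worth saying so, and the comment could also note that the bit is synthetic: per the common.c hunk it is forced from ARCH_CAP_IBRS_ALL rather than read from a CPUID leaf.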
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 5f6ae990c59a..d15c352db687 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -214,6 +214,7 @@ enum spectre_v2_mitigation {
  SPECTRE_V2_RETPOLINE_MINIMAL_AMD,
  SPECTRE_V2_RETPOLINE_GENERIC,
  SPECTRE_V2_RETPOLINE_AMD,
+ SPECTRE_V2_IBRS_ENHANCED,
 };
 
 /* The Speculative Store Bypass disable variants */
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index df9e418f73f8..9c3ba64763c6 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -140,6 +140,7 @@ static const char *spectre_v2_strings[] = {
  [SPECTRE_V2_RETPOLINE_MINIMAL_AMD] = "Vulnerable: Minimal AMD ASM retpoline",
  [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
  [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
+ [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS",
 };
 
 #undef pr_fmt
@@ -341,6 +342,13 @@ static void __init spectre_v2_select_mitigation(void)
 
  case SPECTRE_V2_CMD_FORCE:
  case SPECTRE_V2_CMD_AUTO:
+ if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
+ mode = SPECTRE_V2_IBRS_ENHANCED;
+ /* Force it so VMEXIT will restore correctly */
+ x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+ goto specv2_set_mode;
+ }
  if (IS_ENABLED(CONFIG_RETPOLINE))
  goto retpoline_auto;
  break;
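
Review bot: the wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base) in the new Enhanced IBRS branch runs once from an __init function, so by itself it sets the IBRS bit only on the boot CPU. The "set once at boot time and never cleared" model in the commit message needs the bit set on every logical CPU, so please confirm that the Bionic tree already writes x86_spec_ctrl_base to the MSR when secondary CPUs are brought up; if it does not, that piece has to come with this backport.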
@@ -378,6 +386,7 @@ static void __init spectre_v2_select_mitigation(void)
  setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
  }
 
+specv2_set_mode:
  spectre_v2_enabled = mode;
  pr_info("%s\n", spectre_v2_strings[mode]);
 
@@ -400,9 +409,16 @@ static void __init spectre_v2_select_mitigation(void)
 
  /*
  * Retpoline means the kernel is safe because it has no indirect
- * branches. But firmware isn't, so use IBRS to protect that.
+ * branches. Enhanced IBRS protects firmware too, so, enable restricted
+ * speculation around firmware calls only when Enhanced IBRS isn't
+ * supported.
+ *
+ * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
+ * the user might select retpoline on the kernel command line and if
+ * the CPU supports Enhanced IBRS, kernel might un-intentionally not
+ * enable IBRS around firmware calls.
  */
- if (boot_cpu_has(X86_FEATURE_IBRS)) {
+ if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) {
  setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
  pr_info("Enabling Restricted Speculation for firmware calls\n");
  }
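
Review bot: with the added `mode != SPECTRE_V2_IBRS_ENHANCED` test, X86_FEATURE_USE_IBRS_FW is no longer forced on Enhanced IBRS CPUs in the default case, but per the new comment it still is when the user selects retpoline on the kernel command line. The cover letter's test case only exercises CPUs without Enhanced IBRS; suggest adding both Enhanced IBRS cases (default selection, and retpoline chosen on the command line) to the test plan so the behaviour the comment describes is actually checked.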
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 8f1bf52d24a0..345935832d0f 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1003,6 +1003,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
  setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
  setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
 
+ if (ia32_cap & ARCH_CAP_IBRS_ALL)
+ setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
+
  if (x86_match_cpu(cpu_no_meltdown))
  return;
 
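
Review bot: `ia32_cap` is tested in the added check but is neither declared nor read in this hunk, and the backport note says the check was re-placed within cpu_set_bug_bits(). Please confirm that in the Bionic tree ia32_cap has already been loaded from the architectural capabilities MSR at this point, and is 0 on CPUs that lack it, and that no earlier return in the function can skip these lines. Keeping the check ahead of the `x86_match_cpu(cpu_no_meltdown)` return, as done here, is correct for that reason.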
--
2.7.4



ACK: [PATCH 0/2][B] Enhanced IBRS (LP: #1786139)

Stefan Bader-2
On 20.10.18 01:34, Tyler Hicks wrote:

> BugLink: https://launchpad.net/bugs/1786139
>
> [Impact]
>
> Future Intel CPUs like Cascade Lake and GLK+ support Enhanced IBRS. Enhanced
> IBRS is a H/W mitigation technique for the Spectre V2 bug. So, it's important to
> make sure that all the OSVs are using this feature.
>
> [Test Case]
>
> For processors that don't support Enhanced IBRS, the test is to ensure that
> /sys/devices/system/cpu/vulnerabilities/spectre_v2 doesn't change state after
> applying the patches. This will typically be the string when running on Intel
> processors that don't support Enhanced IBRS:
>
>   "Mitigation: Full generic retpoline, IBPB, IBRS_FW"
>
> New Intel processors that do support Enhanced IBRS will display "Enhanced IBRS"
> in place of "Full generic retpoline"
>
> [Regression Potential]
>
> Pretty low. The patches are fairly simple and they should only affect new
> processors. The main concern is around the possibility of regressing IBRS
> support on processors that don't support Enhanced IBRS.
>
> Tyler
>
>
Acked-by: Stefan Bader <[hidden email]>



ACK: [PATCH 0/2][B] Enhanced IBRS (LP: #1786139)

Kleber Sacilotto de Souza
On 10/20/18 01:34, Tyler Hicks wrote:

> BugLink: https://launchpad.net/bugs/1786139
>
> [Impact]
>
> Future Intel CPUs like Cascade Lake and GLK+ support Enhanced IBRS. Enhanced
> IBRS is a H/W mitigation technique for the Spectre V2 bug. So, it's important to
> make sure that all the OSVs are using this feature.
>
> [Test Case]
>
> For processors that don't support Enhanced IBRS, the test is to ensure that
> /sys/devices/system/cpu/vulnerabilities/spectre_v2 doesn't change state after
> applying the patches. This will typically be the string when running on Intel
> processors that don't support Enhanced IBRS:
>
>   "Mitigation: Full generic retpoline, IBPB, IBRS_FW"
>
> New Intel processors that do support Enhanced IBRS will display "Enhanced IBRS"
> in place of "Full generic retpoline"
>
> [Regression Potential]
>
> Pretty low. The patches are fairly simple and they should only affect new
> processors. The main concern is around the possibility of regressing IBRS
> support on processors that don't support Enhanced IBRS.
>
> Tyler
>
>
Acked-by: Kleber Sacilotto de Souza <[hidden email]>



APPLIED: [PATCH 0/2][B] Enhanced IBRS (LP: #1786139)

Stefan Bader-2
On 20.10.18 01:34, Tyler Hicks wrote:

> BugLink: https://launchpad.net/bugs/1786139
>
> [Impact]
>
> Future Intel CPUs like Cascade Lake and GLK+ support Enhanced IBRS. Enhanced
> IBRS is a H/W mitigation technique for the Spectre V2 bug. So, it's important to
> make sure that all the OSVs are using this feature.
>
> [Test Case]
>
> For processors that don't support Enhanced IBRS, the test is to ensure that
> /sys/devices/system/cpu/vulnerabilities/spectre_v2 doesn't change state after
> applying the patches. This will typically be the string when running on Intel
> processors that don't support Enhanced IBRS:
>
>   "Mitigation: Full generic retpoline, IBPB, IBRS_FW"
>
> New Intel processors that do support Enhanced IBRS will display "Enhanced IBRS"
> in place of "Full generic retpoline"
>
> [Regression Potential]
>
> Pretty low. The patches are fairly simple and they should only affect new
> processors. The main concern is around the possibility of regressing IBRS
> support on processors that don't support Enhanced IBRS.
>
> Tyler
>
>
Applied to bionic/master-next. Thanks.

-Stefan

