From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mx2.suse.de ([195.135.220.15]) by Galois.linutronix.de with esmtps (TLS1.0:DHE_RSA_CAMELLIA_256_CBC_SHA1:256) (Exim 4.80) (envelope-from ) id 1f8iYy-0006Pw-3F for speck@linutronix.de; Wed, 18 Apr 2018 10:35:39 +0200 Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 5BE89ADCE for ; Wed, 18 Apr 2018 08:35:30 +0000 (UTC) Date: Wed, 18 Apr 2018 10:35:29 +0200 From: Michal Hocko Subject: [MODERATED] terminal fault Message-ID: <20180418083529.GT17484@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: speck@linutronix.de List-ID: We have discussed the following patch as a mitigation for the native OS L1 Terminal fault issue. Intel was suggesting to set a bit outside of the uarch addressable range but flipping all the bits seems both easier and more future proof. So unless there is something else that would prevent such a fix I would vote to go with this patch. Thoughts? --- >From 7b03455455e1152988b2a295a917c0641f531fb0 Mon Sep 17 00:00:00 2001 From: Michal Hocko Date: Tue, 10 Apr 2018 14:10:42 +0200 Subject: [PATCH] mm, swap, x86: make sure high bits of the swap offset are set Intel platforms have a bug where L1 cache contents can speculatively be used to load content of !present entries. This allows certain side channel attacks. We do have several different classes of !present pages. Unmapped memory clears the whole ptes so they are non-issue. mprotect, numa hints are referring to an existing pfns which cannot be tweaked by an attacker to a different privilege domains. So we are left with swap entries which encode the swap offset and that might conflict with an existing pfn. Obfuscate those entries by inverting bits in the swap offset which will set all the high bits and that _should_ stop the speculation as it should refer to the maximum addressable memory on all Intel platforms. Well this doesn't solve the problem on very large offsets (1<<30 on uarchs with 44b addressing) but this should be out of any practical attack space. Signed-off-by: Linus Torvalds Signed-off-by: Michal Hocko --- arch/x86/include/asm/pgtable_64.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h index 1149d2112b2e..213c15b2e168 100644 --- a/arch/x86/include/asm/pgtable_64.h +++ b/arch/x86/include/asm/pgtable_64.h @@ -299,10 +299,10 @@ static inline int pgd_large(pgd_t pgd) { return 0; } #define __swp_type(x) (((x).val >> (SWP_TYPE_FIRST_BIT)) \ & ((1U << SWP_TYPE_BITS) - 1)) -#define __swp_offset(x) ((x).val >> SWP_OFFSET_FIRST_BIT) +#define __swp_offset(x) (~(x).val >> SWP_OFFSET_FIRST_BIT) #define __swp_entry(type, offset) ((swp_entry_t) { \ ((type) << (SWP_TYPE_FIRST_BIT)) \ - | ((offset) << SWP_OFFSET_FIRST_BIT) }) + | (~(offset) << SWP_OFFSET_FIRST_BIT) }) #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val((pte)) }) #define __pmd_to_swp_entry(pmd) ((swp_entry_t) { pmd_val((pmd)) }) #define __swp_entry_to_pte(x) ((pte_t) { .pte = (x).val }) -- 2.16.3 -- Michal Hocko SUSE Labs