From: Borislav Petkov <bp@suse.de>
To: speck@linutronix.de
Subject: [MODERATED] Re: ***UNCHECKED*** [patch 2/8] [PATCH v1.3.1 2/7] Linux Patch 2
Date: Wed, 18 Apr 2018 17:20:22 +0200	[thread overview]
Message-ID: <20180418152022.GC4290@pd.tnic> (raw)
In-Reply-To: <20180418141549.54BC46110C@crypto-ml.lab.linutronix.de>

On Thu, Apr 12, 2018 at 10:26:51PM -0400, speck for konrad.wilk_at_oracle.com wrote:
>  Documentation/admin-guide/kernel-parameters.txt | 11 +++
>  arch/x86/include/asm/cpufeatures.h              |  1 +
>  arch/x86/include/asm/nospec-branch.h            |  6 ++
>  arch/x86/kernel/cpu/bugs.c                      | 93 ++++++++++++++++++++++++-
>  arch/x86/kernel/cpu/intel.c                     |  1 +
>  5 files changed, 111 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 1d1d53f85ddd..2c22ca7e90a6 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2173,6 +2173,15 @@
>  	md=		[HW] RAID subsystems devices and level
>  			See Documentation/admin-guide/md.rst.
>  
> +	mdd=		[X86] Control memory disambiguation disable mitigation.
> +
> +			auto - kernel detects whether your CPU model is
> +			       vulnerable and picks the most appropiate way

"appropriate"

> +			userspace - disable memory disambiguation in userspace,
> +                               and enable it in the kernel.
> +			boot  - disable memory disambiguation all the time (default).
> +			off  - do not control memory disambiguation (insecure)
> +
>  	mdacon=		[MDA]
>  			Format: <first>,<last>
>  			Specifies range of consoles to be captured by the MDA.
> @@ -2647,6 +2656,8 @@
>  			allow data leaks with this option, which is equivalent
>  			to spectre_v2=off.
>  
> +	nomdd		[X86] Disable all mitigations for the memory disambiguation vulnerability.
> +
>  	noxsave		[BUGS=X86] Disables x86 extended register state save
>  			and restore using xsave. The kernel will fallback to
>  			enabling legacy floating-point and sse state.
> diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
> index 4393c10fcc6f..7490798a70e9 100644
> --- a/arch/x86/include/asm/cpufeatures.h
> +++ b/arch/x86/include/asm/cpufeatures.h
> @@ -333,6 +333,7 @@
>  #define X86_FEATURE_SPEC_CTRL		(18*32+26) /* "" Speculation Control (IBRS + IBPB) */
>  #define X86_FEATURE_INTEL_STIBP		(18*32+27) /* "" Single Thread Indirect Branch Predictors */
>  #define X86_FEATURE_ARCH_CAPABILITIES	(18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
> +#define X86_FEATURE_MDD			(18*32+31) /* Intel Memory Disambiguation Disable. */

No need for the "Intel" in the comment - the whole leaf is Intel's.

>  /*
>   * BUG word(s)
> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
> index f928ad9b143f..2c098a3250eb 100644
> --- a/arch/x86/include/asm/nospec-branch.h
> +++ b/arch/x86/include/asm/nospec-branch.h
> @@ -216,6 +216,12 @@ enum spectre_v2_mitigation {
>  	SPECTRE_V2_RETPOLINE_AMD,
>  	SPECTRE_V2_IBRS,
>  };
> +/* The MD mitigation variants */
> +enum md_mitigation {
> +	MD_NONE,
> +	MD_BOOT_ON,
> +	MD_KERNEL_ON,
> +};
>  
>  extern char __indirect_thunk_start[];
>  extern char __indirect_thunk_end[];
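Review bot: The enumerator names in `enum md_mitigation` describe where memory disambiguation stays enabled rather than where the mitigation applies, which is easy to misread. `MD_KERNEL_ON` is what the `mdd=userspace` option selects, and `md_strings[]` in bugs.c reports it as "Memory disambiguation disabled in userspace". A short comment on each enumerator would remove the ambiguity, for example `MD_KERNEL_ON, /* disabled in userspace, left enabled in the kernel */`. A blank line between the closing `};` of `enum spectre_v2_mitigation` and the new comment would also separate the two definitions.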
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 79dfc80c4b9c..561cb228605a 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -27,6 +27,7 @@
>  #include <asm/intel-family.h>
>  
>  static void __init spectre_v2_select_mitigation(void);
> +static void __init md_select_mitigation(void);
>  
>  void __init check_bugs(void)
>  {
> @@ -40,6 +41,8 @@ void __init check_bugs(void)
>  	/* Select the proper spectre mitigation before patching alternatives */
>  	spectre_v2_select_mitigation();
>  
> +	md_select_mitigation();
> +
>  #ifdef CONFIG_X86_32
>  	/*
>  	 * Check whether we are able to run this kernel safely on SMP.
> @@ -311,6 +314,94 @@ static void __init spectre_v2_select_mitigation(void)
>  	}
>  }
>  
> +#undef pr_fmt
> +#define pr_fmt(fmt)     "MDD: " fmt
> +
> +static enum md_mitigation md_mode = MD_NONE;
> +
> +/* The kernel command line selection */
> +enum md_mitigation_cmd {
> +	MD_CMD_NONE,
> +	MD_CMD_AUTO,
> +	MD_CMD_BOOT_ON,
> +	MD_CMD_KERNEL_ON,
> +};
> +
> +static const char *md_strings[] = {
> +	[MD_NONE]			= "Vulnerable",
> +	[MD_BOOT_ON]			= "Mitigation: Memory disambiguation disabled at boot",
> +	[MD_KERNEL_ON]			= "Mitigation: Memory disambiguation disabled in userspace",
> +};
> +
> +static const struct {
> +	const char *option;
> +	enum md_mitigation_cmd cmd;
> +} md_mitigation_options[] = {
> +	{ "off",               MD_CMD_NONE },
> +	{ "auto",              MD_CMD_AUTO },
> +	{ "boot",              MD_CMD_BOOT_ON },
> +	{ "userspace",         MD_CMD_KERNEL_ON },
> +};
> +
> +static enum md_mitigation_cmd __init md_parse_cmdline(void)
> +{
> +	char arg[20];
> +	int ret, i;
> +	enum md_mitigation_cmd cmd = MD_CMD_AUTO;
> +
> +	if (cmdline_find_option_bool(boot_command_line, "nomdd"))
> +		return MD_CMD_NONE;
> +	else {
> +		ret = cmdline_find_option(boot_command_line, "mdd", arg, sizeof(arg));
> +		if (ret < 0)
> +			return MD_CMD_AUTO;
> +
> +		for (i = 0; i < ARRAY_SIZE(md_mitigation_options); i++) {
> +			if (!match_option(arg, ret, md_mitigation_options[i].option))
> +				continue;

<---- newline here.

> +			cmd = md_mitigation_options[i].cmd;
> +			break;
> +		}
> +
> +		if (i >= ARRAY_SIZE(md_mitigation_options)) {
> +			pr_err("unknown option (%s). Switching to AUTO select\n", arg);
> +			return MD_CMD_AUTO;
> +		}
> +	}
> +
> +	return cmd;
> +}
> +
> +static void __init md_select_mitigation(void)
> +{
> +	enum md_mitigation_cmd cmd = md_parse_cmdline();
> +	enum md_mitigation mode = MD_NONE;
> +
> +	if (!boot_cpu_has_bug(X86_BUG_CPU_MD) &&
> +	    (cmd == MD_CMD_NONE || cmd == MD_CMD_AUTO))
> +		return;
> +
> +	switch (cmd) {
> +	case MD_CMD_AUTO:
> +	case MD_CMD_BOOT_ON:
> +		mode = MD_BOOT_ON;
> +		break;
> +	case MD_CMD_KERNEL_ON:
> +		mode = MD_KERNEL_ON;
> +		break;
> +	case MD_CMD_NONE:
> +		break;
> +	}
> +
> +	if (!boot_cpu_has(X86_FEATURE_MDD))
> +		return;

This check should happen as the very first thing on function entry.
Actually, it should go into md_parse_cmdline() because all the parsing
is useless without X86_FEATURE_MDD present and there it should do:

	if (!boot_cpu_has(X86_FEATURE_MDD))
		return MD_CMD_NONE;

> +
> +	md_mode = mode;
> +	pr_info("%s\n", md_strings[mode]);
> +
> +	if (mode == MD_NONE)
> +		setup_clear_cpu_cap(X86_FEATURE_MDD);
> +}
>  #undef pr_fmt
>  
>  #ifdef CONFIG_SYSFS
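Review bot: `md_mode` is assigned only from `md_select_mitigation()`, which is `__init`, and `md_strings[]` is never written, yet both stay writable for the lifetime of the kernel. Since `cpu_show_md()` builds the reported mitigation state from them, declaring them as `static enum md_mitigation md_mode __ro_after_init = MD_NONE;` and `static const char * const md_strings[]` would keep that state from being altered after boot. This assumes no later patch in the series needs to update `md_mode` at runtime.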
> @@ -346,6 +437,6 @@ ssize_t cpu_show_md(struct device *dev, struct device_attribute *attr, char *buf
>  	if (!boot_cpu_has_bug(X86_BUG_CPU_MD))
>  		return sprintf(buf, "Not affected\n");
>  
> -	return sprintf(buf, "Vulnerable\n");
> +	return sprintf(buf, "%s\n", md_strings[md_mode]);
>  }
>  #endif
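Review bot: With this change `cpu_show_md()` reports "Mitigation: ..." whenever `md_mode` is set, but in the hunks shown `md_select_mitigation()` only records the command-line choice and prints it; nothing visible here actually disables memory disambiguation. If the disable is done by a later patch in the series, a kernel built at this commit would tell administrators and scanners reading the sysfs file that the CPU is mitigated when it is not. Consider keeping the `"Vulnerable\n"` output until the patch that applies the setting, or state the dependency in the commit message. `cpu_show_md()` starts outside the hunk.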

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 
