From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mx2.suse.de ([195.135.220.15]) by Galois.linutronix.de with esmtps (TLS1.0:DHE_RSA_CAMELLIA_256_CBC_SHA1:256) (Exim 4.80) (envelope-from ) id 1f8osp-0004DL-4n for speck@linutronix.de; Wed, 18 Apr 2018 17:20:31 +0200 Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id B14A9AD2D for ; Wed, 18 Apr 2018 15:20:24 +0000 (UTC) Date: Wed, 18 Apr 2018 17:20:22 +0200 From: Borislav Petkov Subject: [MODERATED] Re: ***UNCHECKED*** [patch 2/8] [PATCH v1.3.1 2/7] Linux Patch 2 Message-ID: <20180418152022.GC4290@pd.tnic> References: <20180418141549.54BC46110C@crypto-ml.lab.linutronix.de> MIME-Version: 1.0 In-Reply-To: <20180418141549.54BC46110C@crypto-ml.lab.linutronix.de> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable To: speck@linutronix.de List-ID: On Thu, Apr 12, 2018 at 10:26:51PM -0400, speck for konrad.wilk_at_oracle.com= wrote: > Documentation/admin-guide/kernel-parameters.txt | 11 +++ > arch/x86/include/asm/cpufeatures.h | 1 + > arch/x86/include/asm/nospec-branch.h | 6 ++ > arch/x86/kernel/cpu/bugs.c | 93 +++++++++++++++++++++= +++- > arch/x86/kernel/cpu/intel.c | 1 + > 5 files changed, 111 insertions(+), 1 deletion(-) >=20 > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt > index 1d1d53f85ddd..2c22ca7e90a6 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -2173,6 +2173,15 @@ > md=3D [HW] RAID subsystems devices and level > See Documentation/admin-guide/md.rst. > =20 > + mdd=3D [X86] Control memory disambiguation disable mitigation. > + > + auto - kernel detects whether your CPU model is > + vulnerable and picks the most appropiate way "appropriate" > + userspace - disable memory disambiguation in userspace, > + and enable it in the kernel. > + boot - disable memory disambiguation all the time (default). > + off - do not control memory disambiguation (insecure) > + > mdacon=3D [MDA] > Format: , > Specifies range of consoles to be captured by the MDA. > @@ -2647,6 +2656,8 @@ > allow data leaks with this option, which is equivalent > to spectre_v2=3Doff. > =20 > + nomdd [X86] Disable all mitigations for the memory disambiguation vulner= ability. > + > noxsave [BUGS=3DX86] Disables x86 extended register state save > and restore using xsave. The kernel will fallback to > enabling legacy floating-point and sse state. > diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h > index 4393c10fcc6f..7490798a70e9 100644 > --- a/arch/x86/include/asm/cpufeatures.h > +++ b/arch/x86/include/asm/cpufeatures.h > @@ -333,6 +333,7 @@ > #define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS = + IBPB) */ > #define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect B= ranch Predictors */ > #define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES= MSR (Intel) */ > +#define X86_FEATURE_MDD (18*32+31) /* Intel Memory Disambiguation Disabl= e. */ No need for the "Intel" in the comment - the whole leaf is Intel's. > /* > * BUG word(s) > diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h > index f928ad9b143f..2c098a3250eb 100644 > --- a/arch/x86/include/asm/nospec-branch.h > +++ b/arch/x86/include/asm/nospec-branch.h > @@ -216,6 +216,12 @@ enum spectre_v2_mitigation { > SPECTRE_V2_RETPOLINE_AMD, > SPECTRE_V2_IBRS, > }; > +/* The MD mitigation variants */ > +enum md_mitigation { > + MD_NONE, > + MD_BOOT_ON, > + MD_KERNEL_ON, > +}; > =20 > extern char __indirect_thunk_start[]; > extern char __indirect_thunk_end[]; > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c > index 79dfc80c4b9c..561cb228605a 100644 > --- a/arch/x86/kernel/cpu/bugs.c > +++ b/arch/x86/kernel/cpu/bugs.c > @@ -27,6 +27,7 @@ > #include > =20 > static void __init spectre_v2_select_mitigation(void); > +static void __init md_select_mitigation(void); > =20 > void __init check_bugs(void) > { > @@ -40,6 +41,8 @@ void __init check_bugs(void) > /* Select the proper spectre mitigation before patching alternatives */ > spectre_v2_select_mitigation(); > =20 > + md_select_mitigation(); > + > #ifdef CONFIG_X86_32 > /* > * Check whether we are able to run this kernel safely on SMP. > @@ -311,6 +314,94 @@ static void __init spectre_v2_select_mitigation(void) > } > } > =20 > +#undef pr_fmt > +#define pr_fmt(fmt) "MDD: " fmt > + > +static enum md_mitigation md_mode =3D MD_NONE; > + > +/* The kernel command line selection */ > +enum md_mitigation_cmd { > + MD_CMD_NONE, > + MD_CMD_AUTO, > + MD_CMD_BOOT_ON, > + MD_CMD_KERNEL_ON, > +}; > + > +static const char *md_strings[] =3D { > + [MD_NONE] =3D "Vulnerable", > + [MD_BOOT_ON] =3D "Mitigation: Memory disambiguation disabled at boot", > + [MD_KERNEL_ON] =3D "Mitigation: Memory disambiguation disabled in users= pace", > +}; > + > +static const struct { > + const char *option; > + enum md_mitigation_cmd cmd; > +} md_mitigation_options[] =3D { > + { "off", MD_CMD_NONE }, > + { "auto", MD_CMD_AUTO }, > + { "boot", MD_CMD_BOOT_ON }, > + { "userspace", MD_CMD_KERNEL_ON }, > +}; > + > +static enum md_mitigation_cmd __init md_parse_cmdline(void) > +{ > + char arg[20]; > + int ret, i; > + enum md_mitigation_cmd cmd =3D MD_CMD_AUTO; > + > + if (cmdline_find_option_bool(boot_command_line, "nomdd")) > + return MD_CMD_NONE; > + else { > + ret =3D cmdline_find_option(boot_command_line, "mdd", arg, sizeof(arg)); > + if (ret < 0) > + return MD_CMD_AUTO; > + > + for (i =3D 0; i < ARRAY_SIZE(md_mitigation_options); i++) { > + if (!match_option(arg, ret, md_mitigation_options[i].option)) > + continue; <---- newline here. > + cmd =3D md_mitigation_options[i].cmd; > + break; > + } > + > + if (i >=3D ARRAY_SIZE(md_mitigation_options)) { > + pr_err("unknown option (%s). Switching to AUTO select\n", arg); > + return MD_CMD_AUTO; > + } > + } > + > + return cmd; > +} > + > +static void __init md_select_mitigation(void) > +{ > + enum md_mitigation_cmd cmd =3D md_parse_cmdline(); > + enum md_mitigation mode =3D MD_NONE; > + > + if (!boot_cpu_has_bug(X86_BUG_CPU_MD) && > + (cmd =3D=3D MD_CMD_NONE || cmd =3D=3D MD_CMD_AUTO)) > + return; > + > + switch (cmd) { > + case MD_CMD_AUTO: > + case MD_CMD_BOOT_ON: > + mode =3D MD_BOOT_ON; > + break; > + case MD_CMD_KERNEL_ON: > + mode =3D MD_KERNEL_ON; > + break; > + case MD_CMD_NONE: > + break; > + } > + > + if (!boot_cpu_has(X86_FEATURE_MDD)) > + return; This check should happen as the very first thing on function entry. Actually, it should go into md_parse_cmdline() because all the parsing is useless without X86_FEATURE_MDD present and there it should do: if (!boot_cpu_has(X86_FEATURE_MDD)) return MD_CMD_NONE; > + > + md_mode =3D mode; > + pr_info("%s\n", md_strings[mode]); > + > + if (mode =3D=3D MD_NONE) > + setup_clear_cpu_cap(X86_FEATURE_MDD); > +} > #undef pr_fmt > =20 > #ifdef CONFIG_SYSFS > @@ -346,6 +437,6 @@ ssize_t cpu_show_md(struct device *dev, struct device_a= ttribute *attr, char *buf > if (!boot_cpu_has_bug(X86_BUG_CPU_MD)) > return sprintf(buf, "Not affected\n"); > =20 > - return sprintf(buf, "Vulnerable\n"); > + return sprintf(buf, "%s\n", md_strings[md_mode]); > } > #endif --=20 Regards/Gruss, Boris. SUSE Linux GmbH, GF: Felix Imend=C3=B6rffer, Jane Smithard, Graham Norton, HR= B 21284 (AG N=C3=BCrnberg) --=20