From: Thomas Gleixner <tglx@linutronix.de>
To: speck@linutronix.de
Subject: [patch V7 04/15] SBB 4
Date: Sun, 29 Apr 2018 21:30:49 +0200 [thread overview]
Message-ID: <20180429193937.787272580@linutronix.de> (raw)
In-Reply-To: 20180429193045.711908246@linutronix.de
A guest may modify the SPEC_CTRL MSR from the value used by the
kernel. Since the kernel doesn't use IBRS, this means a value of zero is
what is needed in the host.
But the 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to
the other bits as reserved so the kernel should respect the boot time
SPEC_CTRL value and use that.
This allows to deal with future extensions to the SPEC_CTRL interface if
any at all.
Note: This uses wrmsrl instead of native_wrmsrl. It does not make any
difference as paravirt will over-write the callq *0xfff.. with the wrmsrl
assembler code.
A copy of this document is available at
https://bugzilla.kernel.org/show_bug.cgi?id=199511
[ tglx: Added a paranoia check for IBRS into the functions and simplified
them ]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
---
v2: New patch
v3: Use the two accessory functions instead of poking at the global variable.
v4: Use x86_get_spec_ctrl instead of global variable.
v5: Use x86_get_default_spec_ctrl instead of x86_get_spec_ctrl
---
arch/x86/include/asm/nospec-branch.h | 10 ++++++++++
arch/x86/kernel/cpu/bugs.c | 18 ++++++++++++++++++
arch/x86/kvm/svm.c | 6 ++----
arch/x86/kvm/vmx.c | 6 ++----
4 files changed, 32 insertions(+), 8 deletions(-)
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -228,6 +228,16 @@ enum spectre_v2_mitigation {
extern void x86_set_spec_ctrl(u64);
extern u64 x86_get_default_spec_ctrl(void);
+/*
+ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
+ * the guest has, while on VMEXIT we restore the host view. This
+ * would be easier if SPEC_CTRL were architecturally maskable or
+ * shadowable for guests but this is not (currently) the case.
+ * Takes the guest view of SPEC_CTRL MSR as a parameter.
+ */
+extern void x86_set_guest_spec_ctrl(u64);
+extern void x86_restore_host_spec_ctrl(u64);
+
extern char __indirect_thunk_start[];
extern char __indirect_thunk_end[];
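Review bot: The two new prototypes omit parameter names, and for `x86_restore_host_spec_ctrl` that hides the least obvious part of the interface: the argument is the guest's SPEC_CTRL value, not the host value to be written. The last sentence of the added comment says so, but it is easy to miss when reading a call site. I would name the parameter in both declarations, `extern void x86_set_guest_spec_ctrl(u64 guest_spec_ctrl);` and `extern void x86_restore_host_spec_ctrl(u64 guest_spec_ctrl);`, matching the definitions in bugs.c.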
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -123,6 +123,24 @@ u64 x86_get_default_spec_ctrl(void)
}
EXPORT_SYMBOL_GPL(x86_get_default_spec_ctrl);
+void x86_set_guest_spec_ctrl(u64 guest_spec_ctrl)
+{
+ if (!boot_cpu_has(X86_FEATURE_IBRS))
+ return;
+ if (x86_spec_ctrl_base != guest_spec_ctrl)
+ wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
+}
+EXPORT_SYMBOL_GPL(x86_set_guest_spec_ctrl);
+
+void x86_restore_host_spec_ctrl(u64 guest_spec_ctrl)
+{
+ if (!boot_cpu_has(X86_FEATURE_IBRS))
+ return;
+ if (x86_spec_ctrl_base != guest_spec_ctrl)
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+}
+EXPORT_SYMBOL_GPL(x86_restore_host_spec_ctrl);
+
#ifdef RETPOLINE
static bool spectre_v2_bad_module;
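Review bot: Both helpers skip the MSR write when `guest_spec_ctrl` equals `x86_spec_ctrl_base`, which is only correct if the MSR holds `x86_spec_ctrl_base` on entry and the caller passes the value the MSR really holds on exit. Neither assumption is stated in bugs.c. If a caller handed `x86_restore_host_spec_ctrl` a stale value that happens to equal the base, the write would be skipped and the guest's setting would stay live in the host. I would put the contract in a comment above each function, for example `/* @guest_spec_ctrl must be the value currently in MSR_IA32_SPEC_CTRL; the host value is assumed to be x86_spec_ctrl_base */`. If the host value ever stops being a single boot-time constant, both comparisons would need revisiting.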
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -5557,8 +5557,7 @@ static void svm_vcpu_run(struct kvm_vcpu
* is no need to worry about the conditional branch over the wrmsr
* being speculatively taken.
*/
- if (svm->spec_ctrl)
- native_wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
+ x86_set_guest_spec_ctrl(svm->spec_ctrl);
asm volatile (
"push %%" _ASM_BP "; \n\t"
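Review bot: The context comment above the new call still talks about "the conditional branch over the wrmsr", but after this change that branch lives in `x86_set_guest_spec_ctrl` in bugs.c. Its condition has also changed, from "guest value is non-zero" to "guest value differs from x86_spec_ctrl_base". The comment starts outside the hunk, so only its tail is visible; that tail should say where the branch now is, e.g. `* The conditional wrmsr is done in x86_set_guest_spec_ctrl().`. The same applies to the first vmx.c hunk in vmx_vcpu_run.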
@@ -5670,8 +5669,7 @@ static void svm_vcpu_run(struct kvm_vcpu
if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
- if (svm->spec_ctrl)
- native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+ x86_restore_host_spec_ctrl(svm->spec_ctrl);
/* Eliminate branch target predictions from guest mode */
vmexit_fill_RSB();
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9726,8 +9726,7 @@ static void __noclone vmx_vcpu_run(struc
* is no need to worry about the conditional branch over the wrmsr
* being speculatively taken.
*/
- if (vmx->spec_ctrl)
- native_wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
+ x86_set_guest_spec_ctrl(vmx->spec_ctrl);
vmx->__launched = vmx->loaded_vmcs->launched;
@@ -9875,8 +9874,7 @@ static void __noclone vmx_vcpu_run(struc
if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
- if (vmx->spec_ctrl)
- native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+ x86_restore_host_spec_ctrl(vmx->spec_ctrl);
/* Eliminate branch target predictions from guest mode */
vmexit_fill_RSB();