From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linutronix.de (146.0.238.70:993) by crypto-ml.lab.linutronix.de with IMAP4-SSL for ; 20 Feb 2019 15:19:17 -0000 Received: from localhost ([127.0.0.1] helo=nanos.tec.linutronix.de) by Galois.linutronix.de with esmtp (Exim 4.80) (envelope-from ) id 1gwTdH-00063H-KI for speck@linutronix.de; Wed, 20 Feb 2019 16:17:59 +0100 Message-Id: <20190220151400.682732169@linutronix.de> Date: Wed, 20 Feb 2019 16:08:01 +0100 From: Thomas Gleixner References: <20190220150753.665964899@linutronix.de> MIME-Version: 1.0 Subject: [patch V2 08/10] MDS basics+ 8 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: speck@linutronix.de List-ID: In virtualized environments it can happen that the host has the microcode update which utilizes the VERW instruction to clear CPU buffers, but the hypervisor is not yet updated to expose the X86_FEATURE_MD_CLEAR CPUID bit to guests. Introduce an internal mitigation mode 'HOPE' which enables the invocation of the CPU buffer clearing even if X86_FEATURE_MD_CLEAR is not set. If the system has no updated microcode this results in a pointless execution of the VERW instruction wasting a few CPU cycles. If the microcode is updated, but not exposed to a guest then the CPU buffers will be cleared. Hope dies last.... Signed-off-by: Thomas Gleixner --- Documentation/x86/mds.rst | 5 +++++ arch/x86/include/asm/processor.h | 1 + arch/x86/kernel/cpu/bugs.c | 14 ++++++++------ 3 files changed, 14 insertions(+), 6 deletions(-) --- a/Documentation/x86/mds.rst +++ b/Documentation/x86/mds.rst @@ -65,6 +65,11 @@ The mitigation is invoked on kernel/user (idle) transitions. Depending on the mitigation mode and the system state the invocation can be enforced or conditional. +As a special quirk to address virtualization scenarios where the host has +the microcode updated, but the hypervisor does not (yet) expose the +MD_CLEAR CPUID bit to guests, the kernel issues the VERW instruction in the +hope that it might work. The state is reflected accordingly. + According to current knowledge additional mitigations inside the kernel itself are not required because the necessary gadgets to expose the leaked data cannot be controlled in a way which allows exploitation from malicious --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -995,6 +995,7 @@ enum mds_mitigations { MDS_MITIGATION_OFF, MDS_MITIGATION_AUTO, MDS_MITIGATION_FULL, + MDS_MITIGATION_HOPE, }; #endif /* _ASM_X86_PROCESSOR_H */ --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -221,7 +221,8 @@ static enum mds_mitigations mds_mitigati static const char * const mds_strings[] = { [MDS_MITIGATION_OFF] = "Vulnerable", - [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers" + [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers", + [MDS_MITIGATION_HOPE] = "Vulnerable: Clear CPU buffers attempted, no microcode", }; static void mds_select_mitigation(void) @@ -236,12 +237,12 @@ static void mds_select_mitigation(void) break; case MDS_MITIGATION_AUTO: case MDS_MITIGATION_FULL: - if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) { + case MDS_MITIGATION_HOPE: + if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) mds_mitigation = MDS_MITIGATION_FULL; - static_branch_enable(&mds_user_clear_always); - } else { - mds_mitigation = MDS_MITIGATION_OFF; - } + else + mds_mitigation = MDS_MITIGATION_HOPE; + static_branch_enable(&mds_user_clear_always); break; } pr_info("%s\n", mds_strings[mds_mitigation]); @@ -704,6 +705,7 @@ void arch_smt_update(void) case MDS_MITIGATION_OFF: break; case MDS_MITIGATION_FULL: + case MDS_MITIGATION_HOPE: update_mds_branch_idle(); break; /* Keep GCC happy */