From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Borislav Petkov <bp@suse.de>,
Thomas Gleixner <tglx@linutronix.de>,
Frank van der Linden <fllinden@amazon.com>
Subject: [PATCH 5.4 05/18] Documentation/hw-vuln: Update spectre doc
Date: Wed, 9 Mar 2022 16:59:54 +0100 [thread overview]
Message-ID: <20220309155856.712436212@linuxfoundation.org> (raw)
In-Reply-To: <20220309155856.552503355@linuxfoundation.org>
From: Peter Zijlstra <peterz@infradead.org>
commit 5ad3eb1132453b9795ce5fd4572b1c18b292cca9 upstream.
Update the doc with the new fun.
[ bp: Massage commit message. ]
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
[fllinden@amazon.com: backported to 5.4]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/hw-vuln/spectre.rst | 42 ++++++++++++++++--------
Documentation/admin-guide/kernel-parameters.txt | 8 +++-
2 files changed, 35 insertions(+), 15 deletions(-)
--- a/Documentation/admin-guide/hw-vuln/spectre.rst
+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
@@ -131,6 +131,19 @@ steer its indirect branch speculations t
speculative execution's side effects left in level 1 cache to infer the
victim's data.
+Yet another variant 2 attack vector is for the attacker to poison the
+Branch History Buffer (BHB) to speculatively steer an indirect branch
+to a specific Branch Target Buffer (BTB) entry, even if the entry isn't
+associated with the source address of the indirect branch. Specifically,
+the BHB might be shared across privilege levels even in the presence of
+Enhanced IBRS.
+
+Currently the only known real-world BHB attack vector is via
+unprivileged eBPF. Therefore, it's highly recommended to not enable
+unprivileged eBPF, especially when eIBRS is used (without retpolines).
+For a full mitigation against BHB attacks, it's recommended to use
+retpolines (or eIBRS combined with retpolines).
+
Attack scenarios
----------------
@@ -364,13 +377,15 @@ The possible values in this file are:
- Kernel status:
- ==================================== =================================
- 'Not affected' The processor is not vulnerable
- 'Vulnerable' Vulnerable, no mitigation
- 'Mitigation: Full generic retpoline' Software-focused mitigation
- 'Mitigation: Full AMD retpoline' AMD-specific software mitigation
- 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
- ==================================== =================================
+ ======================================== =================================
+ 'Not affected' The processor is not vulnerable
+ 'Mitigation: None' Vulnerable, no mitigation
+ 'Mitigation: Retpolines' Use Retpoline thunks
+ 'Mitigation: LFENCE' Use LFENCE instructions
+ 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
+ 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines
+ 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE
+ ======================================== =================================
- Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
used to protect against Spectre variant 2 attacks when calling firmware (x86 only).
@@ -584,12 +599,13 @@ kernel command line.
Specific mitigations can also be selected manually:
- retpoline
- replace indirect branches
- retpoline,generic
- google's original retpoline
- retpoline,amd
- AMD-specific minimal thunk
+ retpoline auto pick between generic,lfence
+ retpoline,generic Retpolines
+ retpoline,lfence LFENCE; indirect branch
+ retpoline,amd alias for retpoline,lfence
+ eibrs enhanced IBRS
+ eibrs,retpoline enhanced IBRS + Retpolines
+ eibrs,lfence enhanced IBRS + LFENCE
Not specifying this option is equivalent to
spectre_v2=auto.
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4493,8 +4493,12 @@
Specific mitigations can also be selected manually:
retpoline - replace indirect branches
- retpoline,generic - google's original retpoline
- retpoline,amd - AMD-specific minimal thunk
+ retpoline,generic - Retpolines
+ retpoline,lfence - LFENCE; indirect branch
+ retpoline,amd - alias for retpoline,lfence
+ eibrs - enhanced IBRS
+ eibrs,retpoline - enhanced IBRS + Retpolines
+ eibrs,lfence - enhanced IBRS + LFENCE
Not specifying this option is equivalent to
spectre_v2=auto.
next prev parent reply other threads:[~2022-03-09 16:10 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-09 15:59 [PATCH 5.4 00/18] 5.4.184-rc1 review Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.4 01/18] x86/speculation: Merge one test in spectre_v2_user_select_mitigation() Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.4 02/18] x86,bugs: Unconditionally allow spectre_v2=retpoline,amd Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.4 03/18] x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.4 04/18] x86/speculation: Add eIBRS + Retpoline options Greg Kroah-Hartman
2022-03-09 15:59 ` Greg Kroah-Hartman [this message]
2022-03-09 15:59 ` [PATCH 5.4 06/18] x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.4 07/18] x86/speculation: Use generic retpoline by default on AMD Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.4 08/18] x86/speculation: Update link to AMD speculation whitepaper Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.4 09/18] x86/speculation: Warn about Spectre v2 LFENCE mitigation Greg Kroah-Hartman
2022-03-09 15:59 ` [PATCH 5.4 10/18] x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.4 11/18] arm/arm64: Provide a wrapper for SMCCC 1.1 calls Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.4 12/18] arm/arm64: smccc/psci: add arm_smccc_1_1_get_conduit() Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.4 13/18] ARM: report Spectre v2 status through sysfs Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.4 14/18] ARM: early traps initialisation Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.4 15/18] ARM: use LOADADDR() to get load address of sections Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.4 16/18] ARM: Spectre-BHB workaround Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.4 17/18] ARM: include unprivileged BPF status in Spectre V2 reporting Greg Kroah-Hartman
2022-03-09 16:00 ` [PATCH 5.4 18/18] ARM: fix build error when BPF_SYSCALL is disabled Greg Kroah-Hartman
2022-03-09 17:38 ` [PATCH 5.4 00/18] 5.4.184-rc1 review Florian Fainelli
2022-03-09 17:50 ` Greg Kroah-Hartman
2022-03-09 19:27 ` Guenter Roeck
2022-03-09 20:25 ` Shuah Khan
2022-03-09 20:50 ` Daniel Díaz
2022-03-10 3:20 ` Samuel Zou
2022-03-10 4:01 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220309155856.712436212@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bp@suse.de \
--cc=fllinden@amazon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.