From: Suraj Jitindar Singh <surajjs@amazon.com>
To: <stable@vger.kernel.org>
Cc: <surajjs@amazon.com>, <sjitindarsingh@gmail.com>,
<cascardo@canonical.com>, <kvm@vger.kernel.org>,
<pbonzini@redhat.com>, <jpoimboe@kernel.org>,
<peterz@infradead.org>, <x86@kernel.org>
Subject: [PATCH 4.14 27/34] x86/speculation: Fill RSB on vmexit for IBRS
Date: Thu, 27 Oct 2022 13:55:32 -0700 [thread overview]
Message-ID: <20221027205533.17873-3-surajjs@amazon.com> (raw)
In-Reply-To: <20221027205533.17873-1-surajjs@amazon.com>
From: Josh Poimboeuf <jpoimboe@kernel.org>
commit 9756bba28470722dacb79ffce554336dd1f6a6cd upstream.
Prevent RSB underflow/poisoning attacks with RSB. While at it, add a
bunch of comments to attempt to document the current state of tribal
knowledge about RSB attacks and what exactly is being mitigated.
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ bp: Adjust for the fact that vmexit is in inline assembly ]
Signed-off-by: Suraj Jitindar Singh <surajjs@amazon.com>
---
arch/x86/include/asm/cpufeatures.h | 2 +-
arch/x86/include/asm/nospec-branch.h | 4 +-
arch/x86/kernel/cpu/bugs.c | 63 +++++++++++++++++++++++++---
arch/x86/kvm/vmx.c | 4 +-
4 files changed, 62 insertions(+), 11 deletions(-)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index b78acf1e70b6..fc52b59c3178 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -203,7 +203,7 @@
#define X86_FEATURE_SME ( 7*32+10) /* AMD Secure Memory Encryption */
#define X86_FEATURE_PTI ( 7*32+11) /* Kernel Page Table Isolation enabled */
#define X86_FEATURE_KERNEL_IBRS ( 7*32+12) /* "" Set/clear IBRS on kernel entry/exit */
-/* FREE! ( 7*32+13) */
+#define X86_FEATURE_RSB_VMEXIT ( 7*32+13) /* "" Fill RSB on VM-Exit */
#define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */
#define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */
#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 2d6d5bac4997..dad872462e8a 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -259,17 +259,15 @@ extern char __indirect_thunk_end[];
*/
static __always_inline void vmexit_fill_RSB(void)
{
-#ifdef CONFIG_RETPOLINE
unsigned long loops;
asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE
ALTERNATIVE("jmp 910f",
__stringify(__FILL_RETURN_BUFFER(%0, RSB_CLEAR_LOOPS, %1)),
- X86_FEATURE_RETPOLINE)
+ X86_FEATURE_RSB_VMEXIT)
"910:"
: "=r" (loops), ASM_CALL_CONSTRAINT
: : "memory" );
-#endif
}
static __always_inline
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 1fde42e5be6e..4c491c2f772b 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1276,16 +1276,69 @@ static void __init spectre_v2_select_mitigation(void)
pr_info("%s\n", spectre_v2_strings[mode]);
/*
- * If spectre v2 protection has been enabled, unconditionally fill
- * RSB during a context switch; this protects against two independent
- * issues:
+ * If Spectre v2 protection has been enabled, fill the RSB during a
+ * context switch. In general there are two types of RSB attacks
+ * across context switches, for which the CALLs/RETs may be unbalanced.
*
- * - RSB underflow (and switch to BTB) on Skylake+
- * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs
+ * 1) RSB underflow
+ *
+ * Some Intel parts have "bottomless RSB". When the RSB is empty,
+ * speculated return targets may come from the branch predictor,
+ * which could have a user-poisoned BTB or BHB entry.
+ *
+ * AMD has it even worse: *all* returns are speculated from the BTB,
+ * regardless of the state of the RSB.
+ *
+ * When IBRS or eIBRS is enabled, the "user -> kernel" attack
+ * scenario is mitigated by the IBRS branch prediction isolation
+ * properties, so the RSB buffer filling wouldn't be necessary to
+ * protect against this type of attack.
+ *
+ * The "user -> user" attack scenario is mitigated by RSB filling.
+ *
+ * 2) Poisoned RSB entry
+ *
+ * If the 'next' in-kernel return stack is shorter than 'prev',
+ * 'next' could be tricked into speculating with a user-poisoned RSB
+ * entry.
+ *
+ * The "user -> kernel" attack scenario is mitigated by SMEP and
+ * eIBRS.
+ *
+ * The "user -> user" scenario, also known as SpectreBHB, requires
+ * RSB clearing.
+ *
+ * So to mitigate all cases, unconditionally fill RSB on context
+ * switches.
+ *
+ * FIXME: Is this pointless for retbleed-affected AMD?
*/
setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
+ /*
+ * Similar to context switches, there are two types of RSB attacks
+ * after vmexit:
+ *
+ * 1) RSB underflow
+ *
+ * 2) Poisoned RSB entry
+ *
+ * When retpoline is enabled, both are mitigated by filling/clearing
+ * the RSB.
+ *
+ * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
+ * prediction isolation protections, RSB still needs to be cleared
+ * because of #2. Note that SMEP provides no protection here, unlike
+ * user-space-poisoned RSB entries.
+ *
+ * eIBRS, on the other hand, has RSB-poisoning protections, so it
+ * doesn't need RSB clearing after vmexit.
+ */
+ if (boot_cpu_has(X86_FEATURE_RETPOLINE) ||
+ boot_cpu_has(X86_FEATURE_KERNEL_IBRS))
+ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
+
/*
* Retpoline protects the kernel, but doesn't protect firmware. IBRS
* and Enhanced IBRS protect firmware too, so enable IBRS around
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index e35cb9560eeb..d6ae5237fc38 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9997,8 +9997,8 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
* IMPORTANT: RSB filling and SPEC_CTRL handling must be done before
* the first unbalanced RET after vmexit!
*
- * For retpoline, RSB filling is needed to prevent poisoned RSB entries
- * and (in some cases) RSB underflow.
+ * For retpoline or IBRS, RSB filling is needed to prevent poisoned RSB
+ * entries and (in some cases) RSB underflow.
*
* eIBRS has its own protection against poisoned RSB, so it doesn't
* need the RSB filling sequence. But it does need to be enabled
--
2.17.1
next prev parent reply other threads:[~2022-10-27 21:03 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-27 20:48 [PATCH 4.14 00/34] Retbleed & PBRSB Mitigations Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 01/34] Revert "x86/cpu: Add a steppings field to struct x86_cpu_id" Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 02/34] x86/cpufeature: Add facility to check for min microcode revisions Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 03/34] x86/cpufeature: Fix various quality problems in the <asm/cpu_device_hd.h> header Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 04/34] x86/devicetable: Move x86 specific macro out of generic code Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 05/34] x86/cpu: Add consistent CPU match macros Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 06/34] x86/cpu: Add a steppings field to struct x86_cpu_id Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 07/34] x86/entry: Remove skip_r11rcx Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 08/34] x86/cpufeatures: Move RETPOLINE flags to word 11 Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 09/34] x86/bugs: Report AMD retbleed vulnerability Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 10/34] x86/bugs: Add AMD retbleed= boot parameter Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 11/34] x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 12/34] x86/entry: Add kernel IBRS implementation Suraj Jitindar Singh
2022-10-27 20:54 ` [PATCH 4.14 13/34] x86/bugs: Optimize SPEC_CTRL MSR writes Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 14/34] x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 15/34] x86/bugs: Split spectre_v2_select_mitigation() and spectre_v2_user_select_mitigation() Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 16/34] x86/bugs: Report Intel retbleed vulnerability Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 17/34] entel_idle: Disable IBRS during long idle Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 18/34] x86/speculation: Change FILL_RETURN_BUFFER to work with objtool Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 19/34] x86/speculation: Add LFENCE to RSB fill sequence Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 20/34] x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 21/34] x86/speculation: Fix firmware entry SPEC_CTRL handling Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 22/34] x86/speculation: Fix SPEC_CTRL write on SMT state change Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 23/34] x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 24/34] x86/speculation: Remove x86_spec_ctrl_mask Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 25/34] KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 26/34] KVM: VMX: Fix IBRS handling after vmexit Suraj Jitindar Singh
2022-10-27 20:55 ` Suraj Jitindar Singh [this message]
2022-10-27 20:55 ` [PATCH 4.14 28/34] x86/common: Stamp out the stepping madness Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 29/34] x86/cpu/amd: Enumerate BTC_NO Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 30/34] x86/bugs: Add Cannon lake to RETBleed affected CPU list Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 31/34] x86/speculation: Disable RRSBA behavior Suraj Jitindar Singh
2022-10-27 20:55 ` [PATCH 4.14 32/34] x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current Suraj Jitindar Singh
2022-10-27 20:56 ` [PATCH 4.14 33/34] x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts Suraj Jitindar Singh
2022-10-27 20:56 ` [PATCH 4.14 34/34] x86/speculation: Add RSB VM Exit protections Suraj Jitindar Singh
2022-10-31 7:00 ` [PATCH 4.14 00/34] Retbleed & PBRSB Mitigations Greg KH
-- strict thread matches above, loose matches on Subject: below --
2022-10-31 7:02 [PATCH 4.14 00/34] 4.14.297-rc1 review Greg Kroah-Hartman
2022-10-31 7:03 ` [PATCH 4.14 27/34] x86/speculation: Fill RSB on vmexit for IBRS Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221027205533.17873-3-surajjs@amazon.com \
--to=surajjs@amazon.com \
--cc=cascardo@canonical.com \
--cc=jpoimboe@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=sjitindarsingh@gmail.com \
--cc=stable@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.