From: Andi Kleen
Subject: [MODERATED] [PATCH v3 00/32] MDSv3 12
Date: Thu, 20 Dec 2018 16:27:10 -0800
To: speck@linutronix.de
Cc: Andi Kleen

Here's a new version of flushing CPU buffers for group 4. This mainly covers single thread, not SMT (except for the idle case).

I lumped all the issues together under the Microarchitectural Data Sampling (MDS) name because they need the same mitigations, and it doesn't seem worth duplicating the sysfs files and bug entries.

This version implements Linus' suggestion to only clear the CPU buffer when needed. The patch kit is now a lot more complicated: different subsystems determine if they might touch other users' or sensitive data and schedule a cpu clear on next kernel exit. Generally process context doesn't clear (unless it is cryptographic or does context switches), and interrupt context schedules a clear. There are some exceptions to these rules. For details on the security model see the Documentation/clearcpu.txt file.

In my tests the number of clears is much lower now. For most benchmarks we tried the difference is in the noise level now. ebizzy and loopback apache both show about 1.7% degradation.

It makes various assumptions on how kernel code behaves. I did some auditing, but wasn't able to do it for everything. Please double check the assumptions laid out in the document.

Likely a lot more interrupt and timer handlers (and tasklets and irq poll handlers) could be whitelisted to not need clear, but I only did a fairly minimum set for now that I could test. For some of the whitelisted code, especially the networking and block softirqs, as well as the EBPF mitigation, some additional auditing that no rules are violated would be useful.

I kept the support for software sequences because from what I'm hearing some CPUs might need them. If that's not the case they can still be removed.

VERW is not done unconditionally because it doesn't allow reporting the correct status in the vulnerabilities file, which I consider important. Instead we now have a mds=verw option that can be set as needed, but is reported explicitly in the mitigation status.

Some notes:
- Against 4.20-rc5
- There's a new (bogus) build time warning from objtool about unreachable code.

Changes against previous versions:
- By default now flushes only when needed
- Define security model
- New administrator document
- Added mds=verw and mds=full
- Renamed mds_disable to mds=off
- KVM virtualization much improved
- Too many others to list. Most things different now.

Andi Kleen (32):
  x86/speculation/mds: Add basic bug infrastructure for MDS
  x86/speculation/mds: Support clearing CPU data on kernel exit
  x86/speculation/mds: Support mds=full
  x86/speculation/mds: Clear CPU buffers on entering idle
  x86/speculation/mds: Add sysfs reporting
  x86/speculation/mds: Add software sequences for older CPUs.
  x86/speculation/mds: Support mds=full for NMIs
  x86/speculation/mds: Avoid NMI races with software sequences
  x86/speculation/mds: Call software sequences on KVM entry
  x86/speculation/mds: Clear buffers on NMI exit on 32bit kernels.
  x86/speculation/mds: Add mds=verw
  x86/speculation/mds: Export MB_CLEAR CPUID to KVM guests.
  x86/speculation/mds: Always clear when entering guest without MB_CLEAR
  mds: Add documentation for clear cpu usage
  mds: Add preliminary administrator documentation
  x86/speculation/mds: Introduce lazy_clear_cpu
  x86/speculation/mds: Schedule cpu clear on context switch
  x86/speculation/mds: Add tracing for clear_cpu
  mds: Force clear cpu on kernel preemption
  mds: Schedule cpu clear for memzero_explicit and kzfree
  mds: Mark interrupts clear cpu, unless opted-out
  mds: Clear cpu on all timers, unless the timer opts-out
  mds: Clear CPU on tasklets, unless opted-out
  mds: Clear CPU on irq poll, unless opted-out
  mds: Clear cpu for string io/memcpy_*io in interrupts
  mds: Schedule clear cpu in swiotlb
  mds: Instrument skb functions to clear cpu automatically
  mds: Opt out tcp tasklet to not touch user data
  mds: mark kernel/* timers safe as not touching user data
  mds: Mark AHCI interrupt as not needing cpu clear
  mds: Mark ACPI interrupt as not needing cpu clear
  mds: Mitigate BPF

 .../ABI/testing/sysfs-devices-system-cpu      |   1 +
 .../admin-guide/kernel-parameters.txt         |  29 +++
 Documentation/admin-guide/mds.rst             | 128 +++++++++++++
 Documentation/clearcpu.txt                    | 179 ++++++++++++++++++
 arch/Kconfig                                  |   3 +
 arch/x86/Kconfig                              |   1 +
 arch/x86/entry/common.c                       |  24 ++-
 arch/x86/entry/entry_32.S                     |   7 +
 arch/x86/entry/entry_64.S                     |  24 +++
 arch/x86/include/asm/clearbpf.h               |  29 +++
 arch/x86/include/asm/clearcpu.h               | 100 ++++++++++
 arch/x86/include/asm/cpufeatures.h            |   4 +
 arch/x86/include/asm/io.h                     |   3 +
 arch/x86/include/asm/msr-index.h              |   1 +
 arch/x86/include/asm/thread_info.h            |   2 +
 arch/x86/include/asm/trace/clearcpu.h         |  27 +++
 arch/x86/kernel/acpi/cstate.c                 |   2 +
 arch/x86/kernel/cpu/bugs.c                    | 108 +++++++++++
 arch/x86/kernel/cpu/common.c                  |  14 ++
 arch/x86/kernel/kvm.c                         |   3 +
 arch/x86/kernel/process.c                     |   5 +
 arch/x86/kernel/process.h                     |  27 +++
 arch/x86/kernel/smpboot.c                     |   3 +
 arch/x86/kvm/cpuid.c                          |   3 +-
 arch/x86/kvm/vmx.c                            |  23 ++-
 arch/x86/lib/Makefile                         |   1 +
 arch/x86/lib/clear_cpu.S                      | 104 ++++++++++
 drivers/acpi/acpi_pad.c                       |   2 +
 drivers/acpi/osl.c                            |   3 +-
 drivers/acpi/processor_idle.c                 |   3 +
 drivers/ata/ahci.c                            |   2 +-
 drivers/ata/ahci.h                            |   2 +
 drivers/ata/libahci.c                         |  40 ++--
 drivers/base/cpu.c                            |   8 +
 drivers/idle/intel_idle.c                     |   5 +
 include/asm-generic/io.h                      |   3 +
 include/linux/clearcpu.h                      |  36 ++++
 include/linux/filter.h                        |  21 +-
 include/linux/hrtimer.h                       |   4 +
 include/linux/interrupt.h                     |  18 +-
 include/linux/irq_poll.h                      |   2 +
 include/linux/skbuff.h                        |   2 +
 include/linux/timer.h                         |   9 +-
 kernel/bpf/core.c                             |   2 +
 kernel/dma/swiotlb.c                          |   2 +
 kernel/events/core.c                          |   6 +-
 kernel/fork.c                                 |   3 +-
 kernel/futex.c                                |   6 +-
 kernel/irq/handle.c                           |   8 +
 kernel/irq/manage.c                           |   1 +
 kernel/sched/core.c                           |  14 +-
 kernel/sched/deadline.c                       |   6 +-
 kernel/sched/fair.c                           |   7 +-
 kernel/sched/idle.c                           |   3 +-
 kernel/sched/rt.c                             |   3 +-
 kernel/softirq.c                              |  25 ++-
 kernel/time/alarmtimer.c                      |   2 +-
 kernel/time/hrtimer.c                         |  11 +-
 kernel/time/posix-timers.c                    |   6 +-
 kernel/time/sched_clock.c                     |   3 +-
 kernel/time/tick-sched.c                      |   6 +-
 kernel/time/timer.c                           |   8 +
 kernel/watchdog.c                             |   3 +-
 lib/irq_poll.c                                |  18 +-
 lib/string.c                                  |   6 +
 mm/slab_common.c                              |   5 +-
 net/core/skbuff.c                             |  26 +++
 net/ipv4/tcp_output.c                         |   5 +-
 68 files changed, 1138 insertions(+), 62 deletions(-)
 create mode 100644 Documentation/admin-guide/mds.rst
 create mode 100644 Documentation/clearcpu.txt
 create mode 100644 arch/x86/include/asm/clearbpf.h
 create mode 100644 arch/x86/include/asm/clearcpu.h
 create mode 100644 arch/x86/include/asm/trace/clearcpu.h
 create mode 100644 arch/x86/lib/clear_cpu.S
 create mode 100644 include/linux/clearcpu.h

-- 
2.17.2