Date: Wed, 24 Jan 2018 10:17:35 -0800
From: Andi Kleen
To: Linus Torvalds
Cc: Greg Kroah-Hartman, Jiri Kosina, Thomas Gleixner, David Woodhouse, Rusty Russell, "Van De Ven, Arjan", Jessica Yu, Linux Kernel Mailing List
Subject: Re: [PATCH] Revert "module: Add retpoline tag to VERMAGIC"
Message-ID: <20180124181735.GB26209@tassilo.jf.intel.com>
References: <20180124142817.GA23797@kroah.com>

On Wed, Jan 24, 2018 at 09:00:48AM -0800, Linus Torvalds wrote:
> On Wed, Jan 24, 2018 at 6:28 AM, Greg Kroah-Hartman
> wrote:
> >
> > Linus, if there are no objections, can you apply this revert to your
> > tree now so this doesn't get into 4.15?
>
> Applied.

So can we get the warning replacement?

It would be good to have some kind of solution.

-Andi

----

retpoline/module: Warn for missing retpoline in module

There's a risk that a kernel that has full retpoline mitigations
becomes vulnerable when a module gets loaded that hasn't been
compiled with the right compiler or the right option.

We cannot fix it, but should at least warn the user when that
happens.

When a module hasn't been compiled with a retpoline
aware compiler, print a warning and change the SPECTRE_V2
mitigation mode to show the system is vulnerable now.

For modules it is checked at compile time, however it cannot
check assembler or other non compiled objects used in the module
link.

v2: Change warning message
v3: Port to latest tree
v4: Remove tainting
Cc: jeyu@kernel.org
Signed-off-by: Andi Kleen
Signed-off-by: David Woodhouse

diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h index 9c18da64daa9..ea707c91bd8c 100644
--- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -970,4 +970,8 @@ bool xen_set_default_idle(void); void stop_this_cpu(void *dummy); void df_debug(struct pt_regs *regs, long error_code); + +void disable_retpoline(void); +bool retpoline_enabled(void); + #endif /* _ASM_X86_PROCESSOR_H */ diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index e4dc26185aa7..9064b20473a7 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -93,6 +93,18 @@ static const char *spectre_v2_strings[] = { static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; +/* A module has been loaded. Disable reporting that we're good. */ +void disable_retpoline(void) +{ + spectre_v2_enabled = SPECTRE_V2_NONE; + pr_err("system may be vunerable to spectre\n"); +} + +bool retpoline_enabled(void) +{ + return spectre_v2_enabled != SPECTRE_V2_NONE; +} + static void __init spec2_print_if_insecure(const char *reason) { if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) diff --git a/kernel/module.c b/kernel/module.c index de66ec825992..136ea6cabec6 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -3020,7 +3020,13 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags) mod->name); add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK); } - +#ifdef RETPOLINE + if (retpoline_enabled() && !get_modinfo(info, "retpoline")) { + pr_warn("%s: loading module not compiled with retpoline compiler.\n", + mod->name); + disable_retpoline(); + } +#endif if (get_modinfo(info, "staging")) { add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK); pr_warn("%s: module is from the staging directory, the quality " diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c index 98314b400a95..54deaa1066cf 100644 --- a/scripts/mod/modpost.c +++ b/scripts/mod/modpost.c 
@@ -2165,6 +2165,14 @@ static void add_intree_flag(struct buffer *b, int is_intree) buf_printf(b, "\nMODULE_INFO(intree, \"Y\");\n"); } +/* Cannot check for assembler */ +static void add_retpoline(struct buffer *b) +{ + buf_printf(b, "\n#ifdef RETPOLINE\n"); + buf_printf(b, "MODULE_INFO(retpoline, \"Y\");\n"); + buf_printf(b, "#endif\n"); +} + static void add_staging_flag(struct buffer *b, const char *name) { static const char *staging_dir = "drivers/staging"; @@ -2506,6 +2514,7 @@ int main(int argc, char **argv) err |= check_modname_len(mod); add_header(&buf, mod); add_intree_flag(&buf, !external_module); + add_retpoline(&buf); add_staging_flag(&buf, mod->name); err |= add_versions(&buf, mod); add_depends(&buf, mod, modules);
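Review bot: In the arch/x86/include/asm/processor.h hunk, disable_retpoline() and retpoline_enabled() are declared only in an x86 header, yet the caller added by this patch sits in kernel/module.c behind nothing more than #ifdef RETPOLINE. Nothing in the visible lines shows kernel/module.c including this header or RETPOLINE being limited to x86, so consider adding the include explicitly or declaring the pair in a generic header with empty inline stubs for builds that lack them. A one-line comment on each prototype saying what state it reads or changes would also help, since the names alone do not.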
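Review bot: In the arch/x86/kernel/cpu/bugs.c hunk, retpoline_enabled() returns spectre_v2_enabled != SPECTRE_V2_NONE, so it is true for any mode other than SPECTRE_V2_NONE, whether or not that mode is a retpoline one; either compare against the retpoline modes or rename the function to say what it tests. disable_retpoline() then overwrites the mode with SPECTRE_V2_NONE, which makes "mitigation undermined by a module" indistinguishable from "never mitigated" in later reporting; a separate flag or a dedicated enum value would keep that information. The pr_err() text misspells "vulnerable" as "vunerable", and the comment "A module has been loaded" should say it is a module without the retpoline tag.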
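Review bot: In the kernel/module.c hunk, the check is gated on retpoline_enabled(), and disable_retpoline() sets the mode to SPECTRE_V2_NONE, so only the first module lacking the retpoline modinfo tag is reported; every later one loads silently. Test !get_modinfo(info, "retpoline") first and always pr_warn() with mod->name, then call disable_retpoline() only if retpoline_enabled() is still true. The hunk also drops the blank line that separated the out-of-tree taint block from what follows, and nothing in the patch restores the mode when the offending module is unloaded, which is worth stating in a comment if that is intended.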
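Review bot: In the scripts/mod/modpost.c hunk that adds add_retpoline(), the comment "Cannot check for assembler" is too terse for the limitation it records. The tag is written into the generated source under #ifdef RETPOLINE, so it reflects only whether RETPOLINE was defined when that generated file was compiled, not how each object linked into the module was built. Spell that out in the comment so readers of the load-time check in check_modinfo() do not treat the presence of the tag as proof that the whole module is retpoline-safe.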