From: Tim Chen <tim.c.chen@linux.intel.com>
To: Thomas Gleixner <tglx@linutronix.de>,
Andy Lutomirski <luto@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg KH <gregkh@linuxfoundation.org>
Cc: Tim Chen <tim.c.chen@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Andi Kleen <ak@linux.intel.com>,
Arjan Van De Ven <arjan.van.de.ven@intel.com>,
David Woodhouse <dwmw@amazon.co.uk>,
linux-kernel@vger.kernel.org
Subject: [PATCH v2 0/8] IBRS patch series
Date: Fri, 5 Jan 2018 18:12:15 -0800
Message-ID: <cover.1515204614.git.tim.c.chen@linux.intel.com>

Thanks to everyone for the feedback on the initial posting.
This is an updated patchset and I hope I've captured all
the review comments. I've done a lot of code clean up
per everyone's comments. Please let me know if I've missed
something.

The retpoline related changes are moved to the end of the
patch series, so they can be taken out or changed easily
without affecting the other patches.

Many people hate the multi-bits spec_ctrl_ibrs variable so
I got rid of that and replaced it with a dynamic_ibrs flag
to indicate if we need to switch IBRS when entering/exiting the kernel,
which is more intuitive and also makes the code cleaner.

Peter/Andrea suggested that we use a static key to control the run time
IBRS enabling/disabling with a "STATIC_JUMP_IF_TRUE" kind
of construct. However, I had some concerns that
JUMP_LABEL config may be disabled and the construct cannot
be used. I also encountered some
OOPs when I was changing the ibrs control state, probably
related to changing the jump label branching. I haven't
had time to debug that so I left it out for now.
I will welcome some help here on a patch to get the static key
thing working right.

v2.
1. Added missing feature enumeration in tools/arch/x86/include/asm/cpufeatures.h
2. Kernel entry macros label cleanup and move them to calling.h
3. Remove unnecessary irqs_disabled check in the mwait
4. Don't use a bit field based sys control variable to make ibrs enabling
   simpler and easier to understand
5. Corrected compile issues for firmware update code
6. Leave IBPB feature bits out of this patch series; they will be added
   in their own set of patches later

Tim

---patch series details---

This patch series enables the basic detection and usage of the x86 indirect
branch speculation feature. It enables the indirect branch restricted
speculation (IBRS) on kernel entry and disables it on exit.
It enumerates the indirect branch prediction barrier (IBPB).

The x86 IBRS feature requires corresponding microcode support.
It mitigates the variant 2 vulnerability described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

If IBRS is set, near returns and near indirect jumps/calls will not
allow their predicted target address to be controlled by code that
executed in a less privileged prediction mode before the IBRS mode was
last written with a value of 1 or on another logical processor so long
as all RSB entries from the previous less privileged prediction mode
are overwritten.

Both retpoline and IBRS provide mitigation against variant 2 attacks,
with IBRS being the most secure method, but it could incur more performance
overhead compared to retpoline[1]. If you are very paranoid or you
run on a CPU where IBRS=1 is cheaper, you may also want to run in "IBRS
always" mode.

See: https://docs.google.com/document/d/e/2PACX-1vSMrwkaoSUBAFc6Fjd19F18c1O9pudkfAY-7lGYGOTN8mc9ul-J6pWadcAaBJZcVA7W_3jlLKRtKRbd/pub

A more detailed description of IBRS is in the first patch.

It is applied on top of the page table isolation changes.

A run time and boot time control of the IBRS feature is provided.

There are 2 ways to control IBRS:

1. At boot time
    noibrs kernel boot parameter will disable IBRS usage

    Otherwise if the above parameters are not specified, the system
    will enable ibrs and ibpb usage if the cpu supports it.

2. At run time
    echo 0 > /sys/kernel/debug/x86/ibrs_enabled will turn off IBRS
    echo 1 > /sys/kernel/debug/x86/ibrs_enabled will turn on IBRS in kernel
    echo 2 > /sys/kernel/debug/x86/ibrs_enabled will turn on IBRS in both userspace and kernel (IBRS always)

[1] https://lkml.org/lkml/2018/1/4/174

Tim Chen (8):
  x86/feature: Detect the x86 IBRS feature to control Speculation
  x86/enter: MACROS to set/clear IBRS
  x86/enter: Use IBRS on syscall and interrupts
  x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
  x86/idle: Disable IBRS entering idle and enable it on wakeup
  x86/microcode: Recheck IBRS features on microcode reload
  x86: Do not use dynamic IBRS if retpoline is enabled
  x86: Use IBRS for firmware update path

arch/x86/entry/calling.h | 104 +++++++++++++++
arch/x86/entry/entry_64.S | 23 ++++
arch/x86/entry/entry_64_compat.S | 8 ++
arch/x86/include/asm/apm.h | 6 +
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/efi.h | 17 ++-
arch/x86/include/asm/msr-index.h | 4 +
arch/x86/include/asm/mwait.h | 13 ++
arch/x86/include/asm/spec_ctrl.h | 54 ++++++++
arch/x86/kernel/cpu/Makefile | 1 +
arch/x86/kernel/cpu/microcode/core.c | 4 +
arch/x86/kernel/cpu/scattered.c | 3 +
arch/x86/kernel/cpu/spec_ctrl.c | 209 +++++++++++++++++++++++++++++++
arch/x86/kernel/process.c | 9 +-
tools/arch/x86/include/asm/cpufeatures.h | 1 +
15 files changed, 453 insertions(+), 4 deletions(-)
create mode 100644 arch/x86/include/asm/spec_ctrl.h
create mode 100644 arch/x86/kernel/cpu/spec_ctrl.c
--
2.9.4
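
The boot-time and run-time controls listed in the cover letter can be audited on a host with a short script. This is an added example, not code from the posted series: the function names, the minimum-mode argument and the exit codes are assumptions, while the `noibrs` parameter, the debugfs path and the 0/1/2 values are the ones given in the letter.

```shell
#!/bin/sh
# Added example, not part of the posted series. File locations are passed in
# so the check can be run against constructed sample files as well as a host.

# Succeeds if "noibrs" appears as a whole parameter in the command-line file.
ibrs_boot_disabled() {
    tr -s ' \t' '\n\n' < "$1" | grep -qx 'noibrs'
}

# Map an ibrs_enabled value to the mode the cover letter gives for it.
ibrs_mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo kernel ;;
        2) echo always ;;
        *) echo invalid ;;
    esac
}

# ibrs_audit CMDLINE_FILE KNOB_FILE MIN_MODE
# Prints "boot=<default|noibrs> runtime=<mode>".
# Returns 0 if the run-time mode is at least MIN_MODE (0, 1 or 2),
# 1 if it is lower, 2 if the mode cannot be determined.
ibrs_audit() {
    boot=default
    if ibrs_boot_disabled "$1"; then boot=noibrs; fi
    if [ ! -r "$2" ]; then
        # debugfs not mounted, caller not root, or kernel without this knob
        echo "boot=$boot runtime=unavailable"
        return 2
    fi
    val=$(tr -d '[:space:]' < "$2")
    mode=$(ibrs_mode_name "$val")
    echo "boot=$boot runtime=$mode"
    if [ "$mode" = invalid ]; then return 2; fi
    if [ "$val" -ge "$3" ]; then return 0; fi
    return 1
}

# On a live host with the series applied (needs root and mounted debugfs):
#   ibrs_audit /proc/cmdline /sys/kernel/debug/x86/ibrs_enabled 1
```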