[SRU,Cosmic,PULL] Update speculation side-channel mitigations

Message ID 20190325045720.GA1714@sec
State New

Pull-request

https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/cosmic speculation

Message

Tyler Hicks March 25, 2019, 4:57 a.m. UTC
Update the speculation side-channel mitigations to match recent upstream
changes in order to get userspace to userspace protections for Spectre Variant
2. In addition to modernizing our mitigations for Spectre Variant 2, this pull
request fixes a considerable performance regression in Cosmic introduced in
4.18.0-14.15 due to pulling in the final linux-stable 4.18.y release. It contained
upstream commit 53c613fe6349 ("x86/speculation: Enable cross-hyperthread
spectre v2 STIBP mitigation") which unconditionally enabled Single Thread
Indirect Branch Predictors (STIBP) mode.

STIBP mode will be used conditionally. It will not be used on non-SMT systems.
It will be used on SMT systems to protect processes that have seccomp filters
loaded or processes that have used prctl() and the newly defined
PR_SPEC_INDIRECT_BRANCH argument to opt into STIBP protection.

Indirect Branch Prediction Barrier (IBPB) will also be used conditionally when
switching between different userspace tasks and one of the tasks has a
seccomp filter loaded or has used prctl() to opt into protection.

I've tested these patches on an SMT system that I've been using for several
days without any issues. I've also run the x86 selftests. Additionally, I
verified that loading a seccomp filter and/or opting into the mitigations via
prctl() correctly enables STIBP mode on the SMT system. Finally, I verified
that the dmesg and /sys/devices/system/cpu/vulnerabilities/* files report the
correct status when using the "nospectre_v2", "spectre_v2=off",
"spectre_v2_user=seccomp,ibpb", "spectre_v2_user=on", and
"spectre_v2_user=off" kernel command line options.

All but two of the patches were clean cherry-picks. The two that required
backporting were simple backports. These patches have all been applied to
various linux-stable trees.

The following changes since commit fc64292e63e0272f049bcaf2184d3b9a4c8c0dbd:

  UBUNTU: Ubuntu-4.18.0-17.18 (2019-03-13 12:52:13 +0100)

are available in the git repository at:

  https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/cosmic speculation

for you to fetch changes up to acae9df78c6acaf90b522a51a94d067c752d37df:

  x86/speculation: Provide IBPB always command line options (2019-03-15 12:00:52 +0000)

----------------------------------------------------------------
Jiri Kosina (2):
      x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
      x86/speculation: Propagate information about RSB filling mitigation to sysfs

Peter Zijlstra (Intel) (1):
      sched/smt: Make sched_smt_present track topology

Thomas Gleixner (21):
      x86/speculation: Rename SSBD update functions
      x86/Kconfig: Select SCHED_SMT if SMP enabled
      sched/smt: Expose sched_smt_present static key
      x86/speculation: Rework SMT state change
      x86/l1tf: Show actual SMT state
      x86/speculation: Reorder the spec_v2 code
      x86/speculation: Mark string arrays const correctly
      x86/speculataion: Mark command line parser data __initdata
      x86/speculation: Unify conditional spectre v2 print functions
      x86/speculation: Add command line control for indirect branch speculation
      x86/process: Consolidate and simplify switch_to_xtra() code
      x86/speculation: Avoid __switch_to_xtra() calls
      x86/speculation: Prepare for conditional IBPB in switch_mm()
      ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS
      x86/speculation: Split out TIF update
      x86/speculation: Prevent stale SPEC_CTRL msr content
      x86/speculation: Prepare arch_smt_update() for PRCTL mode
      x86/speculation: Add prctl() control for indirect branch speculation
      x86/speculation: Enable prctl mode for spectre_v2_user
      x86/speculation: Add seccomp Spectre v2 user space protection mode
      x86/speculation: Provide IBPB always command line options

Tim Chen (7):
      x86/speculation: Update the TIF_SSBD comment
      x86/speculation: Clean up spectre_v2_parse_cmdline()
      x86/speculation: Remove unnecessary ret variable in cpu_show_common()
      x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common()
      x86/speculation: Disable STIBP when enhanced IBRS is in use
      x86/speculation: Reorganize speculation control MSRs update
      x86/speculation: Prepare for per task indirect branch speculation control

Zhenzhong Duan (3):
      x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC variant
      x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support
      x86/retpoline: Remove minimal retpoline support

 Documentation/admin-guide/kernel-parameters.txt |  56 ++-
 Documentation/userspace-api/spec_ctrl.rst       |   9 +
 arch/x86/Kconfig                                |  12 +-
 arch/x86/Makefile                               |   5 +-
 arch/x86/include/asm/msr-index.h                |   5 +-
 arch/x86/include/asm/nospec-branch.h            |  43 +-
 arch/x86/include/asm/spec-ctrl.h                |  20 +-
 arch/x86/include/asm/switch_to.h                |   3 -
 arch/x86/include/asm/thread_info.h              |  20 +-
 arch/x86/include/asm/tlbflush.h                 |   8 +-
 arch/x86/kernel/cpu/bugs.c                      | 526 ++++++++++++++++++------
 arch/x86/kernel/process.c                       | 101 ++++-
 arch/x86/kernel/process.h                       |  39 ++
 arch/x86/kernel/process_32.c                    |  10 +-
 arch/x86/kernel/process_64.c                    |  10 +-
 arch/x86/mm/tlb.c                               | 115 ++++--
 include/linux/ptrace.h                          |   4 +-
 include/linux/sched.h                           |   9 +
 include/linux/sched/smt.h                       |  20 +
 include/uapi/linux/prctl.h                      |   1 +
 kernel/cpu.c                                    |  15 +-
 kernel/sched/core.c                             |  19 +-
 kernel/sched/sched.h                            |   4 +-
 scripts/Makefile.build                          |   2 -
 tools/include/uapi/linux/prctl.h                |   1 +
 25 files changed, 801 insertions(+), 256 deletions(-)
 create mode 100644 arch/x86/kernel/process.h
 create mode 100644 include/linux/sched/smt.h
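The per-task opt-in the cover letter describes (prctl() with PR_SPEC_INDIRECT_BRANCH) and the sysfs status check it relies on for verification, as an added example that is not part of this pull request or of the Ubuntu kernel tree. It uses the prctl(2) operations PR_GET_SPECULATION_CTRL and PR_SET_SPECULATION_CTRL; the helper names decode_ib_status(), sysfs_field(), query_ib_status() and request_ib_mitigation() are this example's own, and the spectre_v2 line shown in the comments is a constructed sample modelled on the format the kernel reports, not output captured from a Cosmic system.

```c
/* Added example: opt the calling task into the conditional STIBP/IBPB
 * user-to-user Spectre v2 mitigation and verify the result two ways.
 * Not code from the pull request or the Ubuntu kernel tree.
 * Build: cc -Wall -o spec_optin spec_optin.c */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Fallbacks for pre-4.20 headers; values match include/uapi/linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_NOT_AFFECTED
#define PR_SPEC_NOT_AFFECTED  0
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

/* Translate the bitmask returned by PR_GET_SPECULATION_CTRL for
 * PR_SPEC_INDIRECT_BRANCH into a short human-readable state. Note the
 * inversion in the kernel's naming: "speculation DISABLED" means the
 * mitigation (STIBP on SMT, IBPB on task switch) is ACTIVE for the task. */
const char *decode_ib_status(long status)
{
    if (status < 0)
        return "query failed";
    if (status == PR_SPEC_NOT_AFFECTED)
        return "not affected";
    if (status & PR_SPEC_FORCE_DISABLE)
        return "mitigated (forced, cannot be re-enabled)";
    if (status & PR_SPEC_DISABLE)
        return (status & PR_SPEC_PRCTL) ? "mitigated (opted in via prctl/seccomp)"
                                        : "mitigated (system-wide)";
    if (status & PR_SPEC_ENABLE)
        return (status & PR_SPEC_PRCTL) ? "unmitigated (per-task opt-in available)"
                                        : "unmitigated (no per-task control)";
    return "unknown";
}

/* Extract one "KEY: value" field from a spectre_v2 sysfs line such as the
 * constructed sample "Mitigation: Full generic retpoline, IBPB: conditional,
 * IBRS_FW, STIBP: conditional, RSB filling". Returns 1 and copies the value
 * into out, or 0 if the key is absent (e.g. the line is just "Vulnerable"). */
int sysfs_field(const char *line, const char *key, char *out, size_t outlen)
{
    char pat[32];
    snprintf(pat, sizeof pat, "%s: ", key);
    const char *p = strstr(line, pat);
    if (!p)
        return 0;
    p += strlen(pat);
    size_t n = strcspn(p, ",\n");      /* value ends at the next comma or EOL */
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Query the calling task's indirect-branch speculation control state. */
long query_ib_status(void)
{
#ifdef __linux__
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Opt this task (inherited by children) into STIBP/IBPB protection.
 * With force != 0 the choice cannot be undone by a later PR_SPEC_ENABLE. */
int request_ib_mitigation(int force)
{
#ifdef __linux__
    unsigned long ctrl = force ? PR_SPEC_FORCE_DISABLE : PR_SPEC_DISABLE;
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, ctrl, 0, 0);
#else
    (void)force;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    char line[256] = "", val[64];

    printf("before opt-in: %s\n", decode_ib_status(query_ib_status()));
    if (request_ib_mitigation(0) != 0)
        printf("opt-in failed: %s (kernel without per-task control?)\n", strerror(errno));
    printf("after opt-in:  %s\n", decode_ib_status(query_ib_status()));

    /* Cross-check the system-wide policy the cover letter says it verified. */
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spectre_v2", "r");
    if (f && fgets(line, sizeof line, f)) {
        printf("sysfs: %s", line);
        if (sysfs_field(line, "STIBP", val, sizeof val)) printf("STIBP policy: %s\n", val);
        if (sysfs_field(line, "IBPB", val, sizeof val))  printf("IBPB policy:  %s\n", val);
    }
    if (f)
        fclose(f);
    return 0;
}
```

With spectre_v2_user=seccomp or prctl, the "after opt-in" line should change from "unmitigated (per-task opt-in available)" to "mitigated (opted in via prctl/seccomp)" and the sysfs STIBP and IBPB fields should both read "conditional"; with spectre_v2_user=on the task is already "mitigated (system-wide)" and the set call is not needed. Because the opt-in is inherited across fork() and exec(), a supervisor or sandbox launcher is the natural place to call it, which is also where the STIBP/IBPB cost this pull request reduces is paid.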

Comments

Juerg Haefliger March 25, 2019, 1:50 p.m. UTC | #1
This looks good and nice testing! But I think you missed a few commits (will
send a patchset in a minute).

Acked-by: Juerg Haefliger <juergh@canonical.com>
Stefan Bader March 27, 2019, 11:35 a.m. UTC | #2
All patches seem to fall into the expected range of things. Since it does
change some config options, should there be a related updateconfigs change in
the series? I can see this being wanted; unfortunately this will be hardly
testable due to the dependencies on HW support and 32/64 bit specialties. But at
least Cosmic (and I think there was a Bionic port) should be a bit more future
proof. So

Acked-by: Stefan Bader <stefan.bader@canonical.com>
[includes the 4 additional patches]
Tyler Hicks March 27, 2019, 6:34 p.m. UTC | #3
On 2019-03-27 12:35:53, Stefan Bader wrote:
> All patches seem to fall into the expected range of things. Since it does
> change some config options, should there be a related updateconfigs change in
> the series?

There were no changes to the config options. There were changes to how
the in-code ifdefs referred to retpoline. Instead of using RETPOLINE,
they're now using CONFIG_RETPOLINE but the kernel config option itself
remained the same. Therefore, no updateconfigs changes are necessary.

> I can see this being wanted; unfortunately this will be hardly
> testable due to the dependencies on HW support and 32/64 bit
> specialties. But at least Cosmic (and I think there was a Bionic port)
> should be a bit more future proof. So
> 
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
> [includes the 4 additional patches]

Thanks for the review!

Tyler
Tyler Hicks March 27, 2019, 8:28 p.m. UTC | #4
I'm going to send an updated, cleaned up pull request so ignore this one
and all of the followup patches in this thread.

Tyler

> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team