[SRU,trusty] retpoline/IBPB combined mitigation

Message ID 20180225143111.GF4362@brain
State New

Pull-request

git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/trusty-retpoline-intelv1

Message

Andy Whitcroft Feb. 25, 2018, 2:31 p.m. UTC
Add retpoline support to Trusty.  This combines a backport of the upstream
retpoline patches from v4.4 to the existing IBRS/IBPB mitigation we
already have applied.  It also updates the Intel mitigation to the
latest version.

This pull request appears more complex than you might otherwise hope, as
we are slowly replacing the non-upstream code with upstream code as each
part becomes available.  To this end we are taking off our non-upstream
code, applying the new upstream code, and reapplying the non-upstream code
over the top.  This means it is the patches we are looking to replace
that end up with any delta folded into them, not the upstream patches.

Proposing for SRU to trusty.

-apw

The following changes since commit fbfa1ca679dd9ede02e1e776e26021c21cae872e:

  powerpc: Do not call ppc_md.panic in fadump panic notifier (2018-02-20 09:47:47 +0100)

are available in the Git repository at:

  git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/trusty-retpoline-intelv1

for you to fetch changes up to 901c1131a46ef96e376216d60267e73de5c16232:

  UBUNTU: [Packaging] final-checks -- check for empty retpoline files (2018-02-22 12:09:21 +0000)

----------------------------------------------------------------
  * retpoline abi files are empty on i386 (LP: #1751021)
    - [Packaging] retpoline-extract -- instantiate retpoline files for i386
    - [Packaging] final-checks -- sanity checking ABI contents
    - [Packaging] final-checks -- check for empty retpoline files

  * CVE-2017-5715 (Spectre v2 Intel)
    - x86, microcode: Share native MSR accessing variants
    - kvm: vmx: Scrub hardware GPRs at VM-exit
    - SAUCE: x86/feature: Enable the x86 feature to control Speculation
    - SAUCE: x86/feature: Report presence of IBPB and IBRS control
    - SAUCE: x86/enter: MACROS to set/clear IBRS and set IBPB
    - SAUCE: x86/enter: Use IBRS on syscall and interrupts
    - SAUCE: x86/idle: Disable IBRS entering idle and enable it on wakeup
    - SAUCE: x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
    - SAUCE: x86/mm: Set IBPB upon context switch
    - SAUCE: x86/mm: Only set IBPB when the new thread cannot ptrace current
      thread
    - SAUCE: x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
    - SAUCE: x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
    - SAUCE: x86/kvm: Set IBPB when switching VM
    - SAUCE: x86/kvm: Toggle IBRS on VM entry and exit
    - SAUCE: x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
    - SAUCE: x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
    - SAUCE: x86/cpu/AMD: Add speculative control support for AMD
    - SAUCE: x86/microcode: Extend post microcode reload to support IBPB feature
    - SAUCE: KVM: SVM: Do not intercept new speculative control MSRs
    - SAUCE: x86/svm: Set IBRS value on VM entry and exit
    - SAUCE: x86/svm: Set IBPB when running a different VCPU
    - SAUCE: KVM: x86: Add speculative control CPUID support for guests
    - SAUCE: x86/entry: Fixup 32bit compat call locations
    - SAUCE: KVM: Fix spec_ctrl CPUID support for guests
    - SAUCE: x86/cpuid: Fix ordering of scattered feature list
    - SAUCE: turn off IBRS when full retpoline is present

  * CVE-2017-5753 (Spectre v1 Intel)
    - x86: Add another set of MSR accessor functions
    - x86/cpu/AMD: Make the LFENCE instruction serialized
    - SAUCE: x86/cpu/AMD: switch to lfence rather than mfence
    - locking/barriers: introduce new observable speculation barrier
    - bpf: prevent speculative execution in eBPF interpreter
    - uvcvideo: prevent speculative execution
    - carl9170: prevent speculative execution
    - qla2xxx: prevent speculative execution
    - fs: prevent speculative execution
    - udf: prevent speculative execution
    - userns: prevent speculative execution
    - SAUCE: claim mitigation via observable speculation barrier
    - powerpc: add osb barrier
    - s390/spinlock: add osb memory barrier
    - arm64: no osb() implementation yet
    - arm: no osb() implementation yet

  * CVE-2017-5715 (Spectre v2 retpoline)
    - x86/alternatives: Fix ALTERNATIVE_2 padding generation properly
    - x86/alternatives: Fix alt_max_short macro to really be a max()
    - x86/alternatives: Guard NOPs optimization
    - x86/alternatives: Switch AMD F15h and later to the P6 NOPs
    - x86/alternatives: Make optimize_nops() interrupt safe and synced
    - x86/alternatives: Fix optimize_nops() checking
    - x86/cpuid: Provide get_scattered_cpuid_leaf()
    - x86/cpu: Factor out application of forced CPU caps
    - x86/cpufeatures: Make CPU bugs sticky
    - x86/cpufeatures: Add X86_BUG_CPU_INSECURE
    - x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
    - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
    - x86/cpu, x86/pti: Do not enable PTI on AMD processors
    - x86/cpu: Merge bugs.c and bugs_64.c
    - sysfs/cpu: Add vulnerability folder
    - x86/cpu: Implement CPU vulnerabilites sysfs functions
    - x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
    - x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier
    - x86/asm: Use register variable to get stack pointer value
    - x86/kbuild: enable modversions for symbols exported from asm
    - x86/asm: Make asm/alternative.h safe from assembly
    - EXPORT_SYMBOL() for asm
    - kconfig.h: use __is_defined() to check if MODULE is defined
    - x86/retpoline: Add initial retpoline support
    - x86/spectre: Add boot time option to select Spectre v2 mitigation
    - x86/retpoline/crypto: Convert crypto assembler indirect jumps
    - x86/retpoline/entry: Convert entry assembler indirect jumps
    - x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
    - x86/retpoline/hyperv: Convert assembler indirect jumps
    - x86/retpoline/xen: Convert Xen hypercall indirect jumps
    - x86/retpoline/checksum32: Convert assembler indirect jumps
    - x86/retpoline/irq32: Convert assembler indirect jumps
    - x86/retpoline: Fill return stack buffer on vmexit
    - x86/retpoline: Remove compile time warning
    - x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
    - module: Add retpoline tag to VERMAGIC
    - x86/mce: Make machine check speculation protected
    - retpoline: Introduce start/end markers of indirect thunk
    - kprobes/x86: Disable optimizing on the function jumps to indirect thunk
    - x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
    - [Config] CONFIG_RETPOLINE=y
    - [Packaging] retpoline -- add call site validation
    - [Packaging] retpoline files must be sorted
    - [Config] disable retpoline for the first upload

  * CVE-2017-5715 (revert embargoed) // CVE-2017-5753 (revert embargoed)
    - Revert "UBUNTU: SAUCE: x86/cpuid: Fix ordering of scattered feature list"
    - Revert "UBUNTU: SAUCE: KVM: Fix spec_ctrl CPUID support for guests"
    - Revert "UBUNTU: SAUCE: x86/entry: Fixup 32bit compat call locations"
    - Revert "UBUNTU: SAUCE: powerpc: no gmb() implementation yet"
    - Revert "UBUNTU: SAUCE: arm: no gmb() implementation yet"
    - Revert "UBUNTU: SAUCE: arm64: no gmb() implementation yet"
    - Revert "UBUNTU: SAUCE: x86/kvm: Fix stuff_RSB() for 32-bit"
    - Revert "UBUNTU: SAUCE: x86/cpu/AMD: Remove now unused definition of
      MFENCE_RDTSC feature"
    - Revert "UBUNTU: SAUCE: x86/cpu/AMD: Make the LFENCE instruction serialized"
    - Revert "UBUNTU: SAUCE: x86/svm: Add code to clobber the RSB on VM exit"
    - Revert "UBUNTU: SAUCE: KVM: x86: Add speculative control CPUID support for
      guests"
    - Revert "UBUNTU: SAUCE: x86/svm: Set IBPB when running a different VCPU"
    - Revert "UBUNTU: SAUCE: x86/svm: Set IBRS value on VM entry and exit"
    - Revert "UBUNTU: SAUCE: KVM: SVM: Do not intercept new speculative control
      MSRs"
    - Revert "UBUNTU: SAUCE: x86/microcode: Extend post microcode reload to
      support IBPB feature"
    - Revert "UBUNTU: SAUCE: x86/cpu/AMD: Add speculative control support for AMD"
    - Revert "UBUNTU: SAUCE: x86/entry: Use retpoline for syscall's indirect
      calls"
    - Revert "UBUNTU: SAUCE: x86/spec_ctrl: Add lock to serialize changes to ibrs
      and ibpb control"
    - Revert "UBUNTU: SAUCE: x86/spec_ctrl: Add sysctl knobs to enable/disable
      SPEC_CTRL feature"
    - Revert "UBUNTU: SAUCE: x86/kvm: Pad RSB on VM transition"
    - Revert "UBUNTU: SAUCE: x86/kvm: Toggle IBRS on VM entry and exit"
    - Revert "UBUNTU: SAUCE: x86/kvm: Set IBPB when switching VM"
    - Revert "UBUNTU: SAUCE: x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD
      to kvm"
    - Revert "UBUNTU: SAUCE: x86/entry: Stuff RSB for entry to kernel for non-SMEP
      platform"
    - Revert "UBUNTU: SAUCE: x86/mm: Only set IBPB when the new thread cannot
      ptrace current thread"
    - Revert "UBUNTU: SAUCE: x86/mm: Set IBPB upon context switch"
    - Revert "UBUNTU: SAUCE: x86/idle: Disable IBRS when offlining cpu and re-
      enable on wakeup"
    - Revert "UBUNTU: SAUCE: x86/idle: Disable IBRS entering idle and enable it on
      wakeup"
    - Revert "UBUNTU: SAUCE: x86/enter: Use IBRS on syscall and interrupts"
    - Revert "UBUNTU: SAUCE: x86/enter: MACROS to set/clear IBRS and set IBPB"
    - Revert "UBUNTU: SAUCE: x86/feature: Report presence of IBPB and IBRS
      control"
    - Revert "UBUNTU: SAUCE: x86/feature: Enable the x86 feature to control
      Speculation"
    - Revert "UBUNTU: SAUCE: udf: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: fs: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: userns: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: cw1200: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: qla2xxx: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: p54: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: carl9170: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: uvcvideo: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: locking/barriers: introduce new memory barrier gmb()"
    - Revert "kvm: vmx: Scrub hardware GPRs at VM-exit"
    - Revert "x86/cpuid: Provide get_scattered_cpuid_leaf()"
    - Revert "x86: Add another set of MSR accessor functions"
    - Revert "x86, microcode: Share native MSR accessing variants"

Comments

Brad Figg Feb. 25, 2018, 3:56 p.m. UTC | #1
Positive testing.
Colin Ian King Feb. 26, 2018, 11:09 a.m. UTC | #2
On 25/02/18 14:31, Andy Whitcroft wrote:
I'm happy to ACK these as I had positive testing results on these.

Acked-by: Colin Ian King <colin.king@canonical.com>
Kleber Sacilotto de Souza Feb. 27, 2018, 9:42 a.m. UTC | #3
On 02/25/18 15:31, Andy Whitcroft wrote:

Applied to trusty/master-next branch.

Thanks,
Kleber