[SRU,Jammy,00/12] CVE-2024-2201

Message ID 20240412192351.89501-1-yuxuan.luo@canonical.com
Series CVE-2024-2201

Message

Yuxuan Luo April 12, 2024, 7:23 p.m. UTC
[Impact]
Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
obtain kernel memory information without the help of unprivileged eBPF, negating
the previous belief that unprivileged eBPF is the only real-world source of
such an attack. This vulnerability affects KVM as well.

[Backport]
Since the stable/linux-5.15.y backport is almost identical to the upstream patch
set, only the 7390db8aea0d (“x86/bhi: Add support for clearing branch history at
syscall entry”) commit is substituted by the stable/linux-5.15.y one; the rest
are backported from upstream.

The missing prerequisite commits are:
1. 1d30800c0c0a (“x86/bugs: Use sysfs_emit()”)
  This one solves the conflict in [1/8] 0cd01ac5dcb1 (“x86/bugs: Change commas
  to semicolons in 'spectre_v2' sysfs file”) by substituting sprintf() with
  sysfs_emit().
2. eefe5e668209 (“KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace”)
  This commit introduced CPUID_7_2_EDX, a flag used by [4/8] 0f4a837615ff
  (“x86/bhi: Define SPEC_CTRL_BHI_DIS_S”).
3. 047c72299061 (“KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only leafs”)
  This one introduced kvm_cpu_cap_init_kvm_defined(), solving a build error
  caused by the commit above. No functional change, as noted by the commit
  message, so it is safe to backport.

[Test]
Compiled only.

[Where things could go wrong]
This patch is more about enabling CPU features and reducing the branch history
exposed; therefore, the fact that the system is able to boot and run should
indicate that it is not introducing any regression.

For KVM, the most significant impact is the performance regression due to system
call substitution since branch prediction probably won't perform as fast as the
previous version for users who do not care about the mitigation.

Borislav Petkov (1):
  x86/bugs: Use sysfs_emit()

Daniel Sneddon (2):
  x86/bhi: Define SPEC_CTRL_BHI_DIS_S
  KVM: x86: Add BHI_NO

Jim Mattson (1):
  KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace

Josh Poimboeuf (1):
  x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

Linus Torvalds (1):
  x86/syscall: Don't force use of indirect calls for system calls

Pawan Gupta (4):
  x86/bhi: Add support for clearing branch history at syscall entry
  x86/bhi: Enumerate Branch History Injection (BHI) bug
  x86/bhi: Add BHI mitigation knob
  x86/bhi: Mitigate KVM by default

Sean Christopherson (1):
  KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only
    leafs

Yuxuan Luo (1):
  placeholder

 Documentation/admin-guide/hw-vuln/spectre.rst |  50 +++-
 .../admin-guide/kernel-parameters.txt         |  12 +
 arch/x86/Kconfig                              |  25 ++
 arch/x86/entry/common.c                       |   6 +-
 arch/x86/entry/entry_64.S                     |  61 +++++
 arch/x86/entry/entry_64_compat.S              |   3 +
 arch/x86/entry/syscall_32.c                   |  21 +-
 arch/x86/entry/syscall_64.c                   |  19 +-
 arch/x86/entry/syscall_x32.c                  |  10 +-
 arch/x86/include/asm/cpufeatures.h            |  12 +
 arch/x86/include/asm/msr-index.h              |   9 +-
 arch/x86/include/asm/nospec-branch.h          |  17 ++
 arch/x86/include/asm/syscall.h                |  10 +-
 arch/x86/kernel/cpu/bugs.c                    | 218 +++++++++++++-----
 arch/x86/kernel/cpu/common.c                  |  24 +-
 arch/x86/kernel/cpu/scattered.c               |   1 +
 arch/x86/kvm/cpuid.c                          |  29 ++-
 arch/x86/kvm/reverse_cpuid.h                  |  32 ++-
 arch/x86/kvm/vmx/vmenter.S                    |   2 +
 arch/x86/kvm/x86.c                            |   3 +-
 debian.master/config/annotations              |   3 +
 21 files changed, 463 insertions(+), 104 deletions(-)
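As an added example, not part of this cover letter or of the kernel patches it carries: the series makes the kernel report a BHI state in the spectre_v2 sysfs file, whose fields the backported "Change commas to semicolons" patch separates with "; ", and adds a BHI mitigation knob. The script below is how an administrator can verify the result on a Jammy host after the update: it extracts the "BHI: ..." field, classifies it, and reads the boot parameter. The sample status lines are constructed for illustration and the parameter name `spectre_bhi=` is the upstream one, an assumption here since the cover letter only calls it a "knob".

```shell
#!/bin/sh
# Added example (not from the SRU cover letter or the kernel patches): check a
# running host for the BHI state that the CVE-2024-2201 series makes the kernel
# report in the spectre_v2 vulnerabilities file.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed sample lines (not captured from a real host): the pre-series comma
# format without a BHI field, the new format with the hardware mitigation, and
# the new format reporting the host vulnerable while KVM guests get the SW loop.
SAMPLE_OLD='Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling'
SAMPLE_HW='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S'
SAMPLE_VULN='Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Vulnerable, KVM: SW loop'

# bhi_field LINE: print the text of the "BHI: ..." field of a spectre_v2 status
# line (up to the next ';'), or "absent" when the kernel reports no such field,
# which is what a kernel without this series prints.
bhi_field() {
    case "$1" in
        *"BHI: "*) ;;
        *) echo "absent"; return 0 ;;
    esac
    rest=${1#*"BHI: "}      # drop everything up to and including "BHI: "
    echo "${rest%%;*}"      # keep only this field; any later field starts at ';'
}

# bhi_class FIELD: classify a BHI field value as one of
#   not-affected  hardware not affected by BHI
#   mitigated     a mitigation (hardware BHI_DIS_S, software clearing loop,
#                 retpoline) is in place
#   vulnerable    reported vulnerable; a trailing ", KVM: ..." part only covers
#                 guests, the host itself is still unmitigated
#   unknown       field absent, i.e. the kernel predates this series
bhi_class() {
    case "$1" in
        absent)          echo "unknown" ;;
        "Not affected")  echo "not-affected" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "mitigated" ;;
    esac
}

# bhi_knob CMDLINE: print the value given to the spectre_bhi= boot parameter
# (assumed upstream name of the "BHI mitigation knob" this series adds), or
# "default" when the kernel was booted without it.
bhi_knob() {
    for arg in $1; do
        case "$arg" in
            spectre_bhi=*) echo "${arg#spectre_bhi=}"; return 0 ;;
        esac
    done
    echo "default"
}

# report: read the live sysfs file and /proc/cmdline and print the verdict.
# Returns 1 when the host is reported vulnerable, 2 when sysfs is unavailable.
report() {
    if [ ! -r "$SPECTRE_V2_FILE" ]; then
        echo "$SPECTRE_V2_FILE is not readable; not an x86 Linux host?"
        return 2
    fi
    line=$(cat "$SPECTRE_V2_FILE")
    field=$(bhi_field "$line")
    class=$(bhi_class "$field")
    echo "spectre_v2 : $line"
    echo "BHI field  : $field ($class)"
    if [ -r /proc/cmdline ]; then
        echo "spectre_bhi: $(bhi_knob "$(cat /proc/cmdline)")"
    fi
    [ "$class" != vulnerable ]
}

# Run the live report only on request, so the functions can be sourced.
if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it as `sh bhi_check.sh --report` on the host; the exit status makes it usable from a fleet check. The classifier deliberately treats "Vulnerable, KVM: SW loop" as vulnerable, since the KVM part only says guests are protected on VM exit, not the host's own syscall path.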

Comments

Stefan Bader April 16, 2024, 10:06 a.m. UTC | #1
On 12.04.24 21:23, Yuxuan Luo wrote:
> [...]
I am not sure whether it would have been simpler just to pull the whole
set from linux-5.15.y (including any pre-reqs from there if we did not
get there, yet).
Also I think we want to exclude #12 and adjust #13 to enable things only
in auto mode.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Stefan Bader April 16, 2024, 2:30 p.m. UTC | #2
On 12.04.24 21:23, Yuxuan Luo wrote:
> [...]

Rejected for the following reasons:
Thinking more about this I believe it is better to stick as close to
linux-5.15.y to make the upstream stable work not too difficult. I think
I got a set prepared which picks one more change from the pending stable
patches and then only adjusts for context in 4 of the BHI patches. This
time I will do a test build before submitting a v2.
Oh and I will adjust the config update to use auto as we did for mantic.

-Stefan