Message ID | 20240412192351.89501-1-yuxuan.luo@canonical.com |
---|---|
Series | CVE-2024-2201 |
On 12.04.24 21:23, Yuxuan Luo wrote:
> [Impact]
> Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
> obtain kernel memory information without the help of unprivileged eBPF, negating
> the previous belief that unprivileged eBPF is the only real-world source of
> such an attack. This vulnerability also affects KVM.
>
> [Backport]
> Since the stable/linux-5.15.y backport is almost identical to the upstream patch
> set, only the 7390db8aea0d (“x86/bhi: Add support for clearing branch history at
> syscall entry”) commit is substituted by the stable/linux-5.15.y one and the rest
> are backported from upstream.
>
> The missing prerequisite commits are:
> 1. 1d30800c0c0a (“x86/bugs: Use sysfs_emit()”)
>    This one solves the conflict in [1/8] 0cd01ac5dcb1 (“x86/bugs: Change commas
>    to semicolons in 'spectre_v2' sysfs file”) by substituting sprintf() with
>    sysfs_emit().
> 2. eefe5e668209 (“KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace”)
>    This commit introduced CPUID_7_2_EDX, a flag used by [4/8] 0f4a837615ff
>    (“x86/bhi: Define SPEC_CTRL_BHI_DIS_S”).
> 3. 047c72299061 (“KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only leafs”)
>    This one introduced kvm_cpu_cap_init_kvm_defined(), solving a build error
>    caused by the commit above. No functional change as noted by the commit
>    message, safe to backport.
>
> [Test]
> Compiled only.
>
> [Where things could go wrong]
> This patch is more about enabling CPU features and reducing the branch history
> exposed; therefore, that the system is able to boot and run should denote that
> it is not introducing any regression.
>
> For KVM, the most significant impact is the performance regression due to system
> call substitution, since branch prediction probably won't perform as fast as the
> previous version for users who do not care about the mitigation.
>
> Borislav Petkov (1):
>   x86/bugs: Use sysfs_emit()
>
> Daniel Sneddon (2):
>   x86/bhi: Define SPEC_CTRL_BHI_DIS_S
>   KVM: x86: Add BHI_NO
>
> Jim Mattson (1):
>   KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace
>
> Josh Poimboeuf (1):
>   x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
>
> Linus Torvalds (1):
>   x86/syscall: Don't force use of indirect calls for system calls
>
> Pawan Gupta (4):
>   x86/bhi: Add support for clearing branch history at syscall entry
>   x86/bhi: Enumerate Branch History Injection (BHI) bug
>   x86/bhi: Add BHI mitigation knob
>   x86/bhi: Mitigate KVM by default
>
> Sean Christopherson (1):
>   KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only
>     leafs
>
> Yuxuan Luo (1):
>   placeholder
>
>  Documentation/admin-guide/hw-vuln/spectre.rst |  50 +++-
>  .../admin-guide/kernel-parameters.txt         |  12 +
>  arch/x86/Kconfig                              |  25 ++
>  arch/x86/entry/common.c                       |   6 +-
>  arch/x86/entry/entry_64.S                     |  61 +++++
>  arch/x86/entry/entry_64_compat.S              |   3 +
>  arch/x86/entry/syscall_32.c                   |  21 +-
>  arch/x86/entry/syscall_64.c                   |  19 +-
>  arch/x86/entry/syscall_x32.c                  |  10 +-
>  arch/x86/include/asm/cpufeatures.h            |  12 +
>  arch/x86/include/asm/msr-index.h              |   9 +-
>  arch/x86/include/asm/nospec-branch.h          |  17 ++
>  arch/x86/include/asm/syscall.h                |  10 +-
>  arch/x86/kernel/cpu/bugs.c                    | 218 +++++++++++++-----
>  arch/x86/kernel/cpu/common.c                  |  24 +-
>  arch/x86/kernel/cpu/scattered.c               |   1 +
>  arch/x86/kvm/cpuid.c                          |  29 ++-
>  arch/x86/kvm/reverse_cpuid.h                  |  32 ++-
>  arch/x86/kvm/vmx/vmenter.S                    |   2 +
>  arch/x86/kvm/x86.c                            |   3 +-
>  debian.master/config/annotations              |   3 +
>  21 files changed, 463 insertions(+), 104 deletions(-)

I am not sure whether it would have been simpler just to pull the whole set from linux-5.15.y (including any pre-reqs from there if we did not get there, yet). Also I think we want to exclude #12 and adjust #13 to enable things only in auto mode.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
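The cover letter above pulls in 0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file") as a prerequisite, and the thread's own test plan is "compiled only". A defender verifying that a backport like this actually landed on a running box reads `/sys/devices/system/cpu/vulnerabilities/spectre_v2` and looks for a `BHI:` field. The following is an added example, not code from this thread, from Ubuntu, or from the kernel tree: it parses both the old comma-separated and the new semicolon-separated layout of that file and reports the BHI state. The sample strings in `SAMPLES` are constructed to follow the kernel's field layout and are not captures from a real machine; the function names are this example's own.

```python
"""Parse the x86 spectre_v2 sysfs status string and report BHI mitigation state.

Added example (not from the mailing-list thread or the kernel tree). The sysfs
path is the real one; everything else here is illustrative.
"""
from typing import Dict, List, Optional

SYSFS_SPECTRE_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed sample values modeled on the kernel's field layout (not real captures).
# "bhi_sw" shows why the series switches the separator to ';': the BHI field
# itself contains a comma ("SW loop, KVM: SW loop"), so splitting on ',' would
# tear that field apart.
SAMPLES: Dict[str, str] = {
    "bhi_hw": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
              "RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S",
    "bhi_sw": "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; "
              "RSB filling; PBRSB-eIBRS: Not affected; BHI: SW loop, KVM: SW loop",
    "no_bhi_field": "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; "
                    "RSB filling; PBRSB-eIBRS: Not affected",
    "old_comma_format": "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, "
                        "RSB filling",
    "vulnerable": "Vulnerable",
    "not_affected": "Not affected",
}


def parse_spectre_v2(text: str) -> List[str]:
    """Split the status line into its fields.

    Post-0cd01ac5dcb1 kernels separate fields with ';'. Older kernels used ','
    and never emitted a BHI field, so a comma-only "Mitigation:" line is split
    on ',' instead. Single-token states ("Vulnerable", "Not affected") are
    returned as one field.
    """
    text = text.strip()
    if ";" in text:
        return [f.strip() for f in text.split(";") if f.strip()]
    if text.startswith("Mitigation:") and "," in text:
        return [f.strip() for f in text.split(",") if f.strip()]
    return [text] if text else []


def bhi_status(text: str) -> Optional[str]:
    """Return the value of the 'BHI:' field, or None if the kernel does not report one."""
    for field in parse_spectre_v2(text):
        if field.startswith("BHI:"):
            return field[len("BHI:"):].strip()
    return None


def assess(text: str) -> str:
    """Collapse the status line into one of a few labels an inventory tool can key on."""
    fields = parse_spectre_v2(text)
    if not fields:
        return "unknown"
    head = fields[0]
    if head == "Not affected":
        return "not-affected"
    if head.startswith("Vulnerable"):
        return "vulnerable"
    bhi = bhi_status(text)
    if bhi is None:
        # Spectre v2 mitigated, but the kernel predates the BHI series
        # (or the backport did not land): no BHI field at all.
        return "mitigated-no-bhi-field"
    if bhi.startswith("Vulnerable"):
        return "bhi-vulnerable"
    return "bhi-mitigated"


def read_live_status(path: str = SYSFS_SPECTRE_V2) -> Optional[str]:
    """Read the real sysfs file; None on non-x86 or non-Linux hosts."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18s} -> {assess(value):24s} BHI={bhi_status(value)!r}")
    live = read_live_status()
    if live is not None:
        print(f"{'this host':18s} -> {assess(live):24s} BHI={bhi_status(live)!r}")
```

Run it on the host after rebooting into the backported kernel: a result of `mitigated-no-bhi-field` means the kernel still lacks the series, while `bhi-mitigated` with a non-empty BHI value confirms the new code is active. Older kernels that emit the comma-separated layout are handled so the same check can be rolled out fleet-wide before and after the update.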
On 12.04.24 21:23, Yuxuan Luo wrote:
> [Impact]
> Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
> obtain kernel memory information without the help of unprivileged eBPF, negating
> the previous belief that unprivileged eBPF is the only real-world source of
> such an attack. This vulnerability also affects KVM.
>
> [Backport]
> Since the stable/linux-5.15.y backport is almost identical to the upstream patch
> set, only the 7390db8aea0d (“x86/bhi: Add support for clearing branch history at
> syscall entry”) commit is substituted by the stable/linux-5.15.y one and the rest
> are backported from upstream.
>
> The missing prerequisite commits are:
> 1. 1d30800c0c0a (“x86/bugs: Use sysfs_emit()”)
>    This one solves the conflict in [1/8] 0cd01ac5dcb1 (“x86/bugs: Change commas
>    to semicolons in 'spectre_v2' sysfs file”) by substituting sprintf() with
>    sysfs_emit().
> 2. eefe5e668209 (“KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace”)
>    This commit introduced CPUID_7_2_EDX, a flag used by [4/8] 0f4a837615ff
>    (“x86/bhi: Define SPEC_CTRL_BHI_DIS_S”).
> 3. 047c72299061 (“KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only leafs”)
>    This one introduced kvm_cpu_cap_init_kvm_defined(), solving a build error
>    caused by the commit above. No functional change as noted by the commit
>    message, safe to backport.
>
> [Test]
> Compiled only.
>
> [Where things could go wrong]
> This patch is more about enabling CPU features and reducing the branch history
> exposed; therefore, that the system is able to boot and run should denote that
> it is not introducing any regression.
>
> For KVM, the most significant impact is the performance regression due to system
> call substitution, since branch prediction probably won't perform as fast as the
> previous version for users who do not care about the mitigation.
>
> Borislav Petkov (1):
>   x86/bugs: Use sysfs_emit()
>
> Daniel Sneddon (2):
>   x86/bhi: Define SPEC_CTRL_BHI_DIS_S
>   KVM: x86: Add BHI_NO
>
> Jim Mattson (1):
>   KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace
>
> Josh Poimboeuf (1):
>   x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
>
> Linus Torvalds (1):
>   x86/syscall: Don't force use of indirect calls for system calls
>
> Pawan Gupta (4):
>   x86/bhi: Add support for clearing branch history at syscall entry
>   x86/bhi: Enumerate Branch History Injection (BHI) bug
>   x86/bhi: Add BHI mitigation knob
>   x86/bhi: Mitigate KVM by default
>
> Sean Christopherson (1):
>   KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only
>     leafs
>
> Yuxuan Luo (1):
>   placeholder
>
>  Documentation/admin-guide/hw-vuln/spectre.rst |  50 +++-
>  .../admin-guide/kernel-parameters.txt         |  12 +
>  arch/x86/Kconfig                              |  25 ++
>  arch/x86/entry/common.c                       |   6 +-
>  arch/x86/entry/entry_64.S                     |  61 +++++
>  arch/x86/entry/entry_64_compat.S              |   3 +
>  arch/x86/entry/syscall_32.c                   |  21 +-
>  arch/x86/entry/syscall_64.c                   |  19 +-
>  arch/x86/entry/syscall_x32.c                  |  10 +-
>  arch/x86/include/asm/cpufeatures.h            |  12 +
>  arch/x86/include/asm/msr-index.h              |   9 +-
>  arch/x86/include/asm/nospec-branch.h          |  17 ++
>  arch/x86/include/asm/syscall.h                |  10 +-
>  arch/x86/kernel/cpu/bugs.c                    | 218 +++++++++++++-----
>  arch/x86/kernel/cpu/common.c                  |  24 +-
>  arch/x86/kernel/cpu/scattered.c               |   1 +
>  arch/x86/kvm/cpuid.c                          |  29 ++-
>  arch/x86/kvm/reverse_cpuid.h                  |  32 ++-
>  arch/x86/kvm/vmx/vmenter.S                    |   2 +
>  arch/x86/kvm/x86.c                            |   3 +-
>  debian.master/config/annotations              |   3 +
>  21 files changed, 463 insertions(+), 104 deletions(-)

Rejected for the following reasons:

Thinking more about this I believe it is better to stick as close to linux-5.15.y to make the upstream stable work not too difficult. I think I got a set prepared which picks one more change from the pending stable patches and then only adjusts for context in 4 of the BHI patches.

This time I will do a test build before submitting a v2. Oh and I will adjust the config update to use auto as we did for mantic.

-Stefan