Message ID: 20240415094820.399980-1-stefan.bader@canonical.com
Series: CVE-2024-2201 (v2)
On 15/04/2024 11:48, Stefan Bader wrote:
> [Impact]
> Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
> obtain kernel memory information without the help of unprivileged eBPF, negating
> the previous belief that unprivileged eBPF is the only real-world source of
> such an attack. Also, this vulnerability affects KVM as well.
>
> [Backport]
> There is a conflict in reverse_cpuid.h due to lack of 80c883db87d9 ("KVM: x86:
> Use a switch statement and macros in __feature_translate()") commit.
> There are also some context conflicts in cpufeature.h. This v2 takes the
> changes from the merge commit and integrates them into the individual
> changes from linux-6.6.y.
> Also updated in v2 is the annotations change to set the auto mode by
> default.
>
> [Test]
> Compiled only (doing this again in parallel to submission)
>
> [Where things could go wrong]
> This patch is more about enabling CPU features and reducing branch history
> exposed, therefore, that the system is able to boot and run should denote that
> it is not introducing any regression.
>
> For KVM, the most significant impact is the performance regression due to system
> call substitution since branch prediction probably won't perform as fast as the
> previous version for users who do not care about the mitigation.
>
> Daniel Sneddon (2):
>   x86/bhi: Define SPEC_CTRL_BHI_DIS_S
>   KVM: x86: Add BHI_NO
>
> Josh Poimboeuf (1):
>   x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
>
> Linus Torvalds (1):
>   x86/syscall: Don't force use of indirect calls for system calls
>
> Pawan Gupta (4):
>   x86/bhi: Add support for clearing branch history at syscall entry
>   x86/bhi: Enumerate Branch History Injection (BHI) bug
>   x86/bhi: Add BHI mitigation knob
>   x86/bhi: Mitigate KVM by default
>
> Yuxuan Luo (1):
>   UBUNTU: [Config] Set CONFIG_BHI to enabled
>
>  Documentation/admin-guide/hw-vuln/spectre.rst |  48 ++++++-
>  .../admin-guide/kernel-parameters.txt         |  12 ++
>  arch/x86/Kconfig                              |  25 ++++
>  arch/x86/entry/common.c                       |  10 +-
>  arch/x86/entry/entry_64.S                     |  61 +++++++++
>  arch/x86/entry/entry_64_compat.S              |  16 +++
>  arch/x86/entry/syscall_32.c                   |  21 ++-
>  arch/x86/entry/syscall_64.c                   |  19 ++-
>  arch/x86/entry/syscall_x32.c                  |  10 +-
>  arch/x86/include/asm/cpufeatures.h            |  11 ++
>  arch/x86/include/asm/msr-index.h              |   9 +-
>  arch/x86/include/asm/nospec-branch.h          |  17 +++
>  arch/x86/include/asm/syscall.h                |  11 +-
>  arch/x86/kernel/cpu/bugs.c                    | 121 ++++++++++++++++--
>  arch/x86/kernel/cpu/common.c                  |  24 ++--
>  arch/x86/kernel/cpu/scattered.c               |   1 +
>  arch/x86/kvm/reverse_cpuid.h                  |   5 +
>  arch/x86/kvm/vmx/vmenter.S                    |   2 +
>  arch/x86/kvm/x86.c                            |   3 +-
>  debian.master/config/annotations              |   3 +
>  20 files changed, 382 insertions(+), 47 deletions(-)

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
On 15.04.24 11:48, Stefan Bader wrote:
> [Impact]
> Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
> obtain kernel memory information without the help of unprivileged eBPF, negating
> the previous belief that unprivileged eBPF is the only real-world source of
> such an attack. Also, this vulnerability affects KVM as well.
>
> [Backport]
> There is a conflict in reverse_cpuid.h due to lack of 80c883db87d9 ("KVM: x86:
> Use a switch statement and macros in __feature_translate()") commit.
> There are also some context conflicts in cpufeature.h. This v2 takes the
> changes from the merge commit and integrates them into the individual
> changes from linux-6.6.y.
> Also updated in v2 is the annotations change to set the auto mode by
> default.
>
> [Test]
> Compiled only (doing this again in parallel to submission)
>
> [Where things could go wrong]
> This patch is more about enabling CPU features and reducing branch history
> exposed, therefore, that the system is able to boot and run should denote that
> it is not introducing any regression.
>
> For KVM, the most significant impact is the performance regression due to system
> call substitution since branch prediction probably won't perform as fast as the
> previous version for users who do not care about the mitigation.
>
> Daniel Sneddon (2):
>   x86/bhi: Define SPEC_CTRL_BHI_DIS_S
>   KVM: x86: Add BHI_NO
>
> Josh Poimboeuf (1):
>   x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
>
> Linus Torvalds (1):
>   x86/syscall: Don't force use of indirect calls for system calls
>
> Pawan Gupta (4):
>   x86/bhi: Add support for clearing branch history at syscall entry
>   x86/bhi: Enumerate Branch History Injection (BHI) bug
>   x86/bhi: Add BHI mitigation knob
>   x86/bhi: Mitigate KVM by default
>
> Yuxuan Luo (1):
>   UBUNTU: [Config] Set CONFIG_BHI to enabled
>
>  Documentation/admin-guide/hw-vuln/spectre.rst |  48 ++++++-
>  .../admin-guide/kernel-parameters.txt         |  12 ++
>  arch/x86/Kconfig                              |  25 ++++
>  arch/x86/entry/common.c                       |  10 +-
>  arch/x86/entry/entry_64.S                     |  61 +++++++++
>  arch/x86/entry/entry_64_compat.S              |  16 +++
>  arch/x86/entry/syscall_32.c                   |  21 ++-
>  arch/x86/entry/syscall_64.c                   |  19 ++-
>  arch/x86/entry/syscall_x32.c                  |  10 +-
>  arch/x86/include/asm/cpufeatures.h            |  11 ++
>  arch/x86/include/asm/msr-index.h              |   9 +-
>  arch/x86/include/asm/nospec-branch.h          |  17 +++
>  arch/x86/include/asm/syscall.h                |  11 +-
>  arch/x86/kernel/cpu/bugs.c                    | 121 ++++++++++++++++--
>  arch/x86/kernel/cpu/common.c                  |  24 ++--
>  arch/x86/kernel/cpu/scattered.c               |   1 +
>  arch/x86/kvm/reverse_cpuid.h                  |   5 +
>  arch/x86/kvm/vmx/vmenter.S                    |   2 +
>  arch/x86/kvm/x86.c                            |   3 +-
>  debian.master/config/annotations              |   3 +
>  20 files changed, 382 insertions(+), 47 deletions(-)

Applied to mantic:linux 2024.04.01-3. Since we are rather late and this is urgent I decided to go ahead with just one ack. Thanks.

-Stefan
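The series above was compile-tested only, so the obvious follow-up for anyone deploying the resulting kernel is to confirm on a booted system that the BHI mitigation is actually reported as active. The script below is an added example, not part of the series or of the Ubuntu kernel tree. It reads the spectre_v2 sysfs file, which after the Josh Poimboeuf patch separates its entries with semicolons and after the mitigation knob patch carries a trailing "BHI: ..." entry, and it checks the "bugs" line of /proc/cpuinfo for the bhi bug bit enumerated by the series. The exact wording after "BHI:" (for example "BHI_DIS_S", "SW loop", "Vulnerable") is assumed from the upstream bugs.c rather than taken from this page, so the classification keys only on the field name and on the word "Vulnerable"; the spectre_bhi= command-line knob name is likewise assumed from the upstream series and should be verified against the backported kernel-parameters.txt. The sample status lines are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the patch series): report whether the BHI
# mitigation is active on a running kernel that carries CVE-2024-2201 fixes.
# Assumptions: spectre_v2 sysfs entries are ';'-separated and end with a
# "BHI: <state>" entry; the state wording is assumed from upstream bugs.c.

# Print the text after "BHI:" from a spectre_v2 status line.
# Prints nothing when the field is absent (kernel predates the series,
# whose output is comma-separated and has no BHI entry at all).
bhi_field() {
    printf '%s\n' "$1" | awk -F';' '{
        for (i = 1; i <= NF; i++) {
            s = $i; sub(/^[ \t]+/, "", s)
            if (index(s, "BHI:") == 1) {
                sub(/^BHI:[ \t]*/, "", s); print s; exit
            }
        }
    }'
}

# Classify a spectre_v2 status line as mitigated / vulnerable / unaffected,
# or unknown when no BHI field is present.
bhi_verdict() {
    f=$(bhi_field "$1")
    case "$f" in
        "")              echo unknown ;;
        *Vulnerable*)    echo vulnerable ;;
        "Not affected")  echo unaffected ;;
        *)               echo mitigated ;;
    esac
}

# Return 0 when a cpuinfo "bugs" line lists the bhi bug, 1 otherwise.
# Takes the line as an argument so it can be exercised on constructed input.
cpu_has_bhi_bug() {
    printf '%s\n' "$1" | grep -qw bhi
}

# Live check against the running kernel; only meaningful on x86 Linux.
live_check() {
    sv=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$sv" ] || { echo "cannot read $sv"; return 2; }
    line=$(cat "$sv")
    bugs=$(grep -m1 '^bugs' /proc/cpuinfo 2>/dev/null || true)
    echo "spectre_v2: $line"
    if cpu_has_bhi_bug "$bugs"; then
        echo "cpuinfo: CPU is flagged as affected by bhi"
    else
        echo "cpuinfo: no bhi bug flag (unaffected CPU, or kernel lacks enumeration patch)"
    fi
    # The knob name is assumed from the upstream series; check kernel-parameters.txt.
    grep -o 'spectre_bhi=[^ ]*' /proc/cmdline 2>/dev/null \
        || echo "cmdline: no spectre_bhi= override (built-in default applies)"
    echo "verdict: $(bhi_verdict "$line")"
}

# Constructed sample status lines (not captured from real hardware).
SAMPLE_MITIGATED='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S'
SAMPLE_VULN='Mitigation: Retpolines; IBPB: conditional; STIBP: conditional; RSB filling; PBRSB-eIBRS: Not affected; BHI: Vulnerable, KVM: SW loop'
SAMPLE_OLD='Mitigation: Retpolines, IBPB: conditional, STIBP: conditional, RSB filling'

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it with `--live` on the target to print the real spectre_v2 line and a verdict; a verdict of "unknown" on a kernel that is supposed to carry this series means the BHI field never appeared, which is the quickest sign the backport did not land or did not build the new bugs.c code.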