From patchwork Mon Apr 15 09:48:11 2024
X-Patchwork-Submitter: Stefan Bader
X-Patchwork-Id: 1923652
From: Stefan Bader
To: kernel-team@lists.ubuntu.com
Subject: [SRU Mantic][PATCH 0/9] CVE-2024-2201 (v2)
Date: Mon, 15 Apr 2024 11:48:11 +0200
Message-Id: <20240415094820.399980-1-stefan.bader@canonical.com>
[Impact]

Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to obtain kernel memory information without the help of unprivileged eBPF, negating the previous belief that unprivileged eBPF is the only real-world source of such an attack. This vulnerability affects KVM as well.

[Backport]

There is a conflict in reverse_cpuid.h due to the lack of commit 80c883db87d9 ("KVM: x86: Use a switch statement and macros in __feature_translate()"). There are also some context conflicts in cpufeature.h.

This v2 takes the changes from the merge commit and integrates them into the individual changes from linux-6.6.y. Also updated in v2 is the annotations change to set the auto mode by default.

[Test]

Compiled only (doing this again in parallel to submission).

[Where things could go wrong]

This patch is more about enabling CPU features and reducing the branch history exposed; therefore, the system being able to boot and run should denote that it is not introducing any regression.

For KVM, the most significant impact is the performance regression due to system call substitution, since branch prediction probably won't perform as fast as the previous version for users who do not care about the mitigation.
Daniel Sneddon (2):
  x86/bhi: Define SPEC_CTRL_BHI_DIS_S
  KVM: x86: Add BHI_NO

Josh Poimboeuf (1):
  x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

Linus Torvalds (1):
  x86/syscall: Don't force use of indirect calls for system calls

Pawan Gupta (4):
  x86/bhi: Add support for clearing branch history at syscall entry
  x86/bhi: Enumerate Branch History Injection (BHI) bug
  x86/bhi: Add BHI mitigation knob
  x86/bhi: Mitigate KVM by default

Yuxuan Luo (1):
  UBUNTU: [Config] Set CONFIG_BHI to enabled

 Documentation/admin-guide/hw-vuln/spectre.rst   |  48 ++++++-
 .../admin-guide/kernel-parameters.txt           |  12 ++
 arch/x86/Kconfig                                |  25 ++++
 arch/x86/entry/common.c                         |  10 +-
 arch/x86/entry/entry_64.S                       |  61 +++++++++
 arch/x86/entry/entry_64_compat.S                |  16 +++
 arch/x86/entry/syscall_32.c                     |  21 ++-
 arch/x86/entry/syscall_64.c                     |  19 ++-
 arch/x86/entry/syscall_x32.c                    |  10 +-
 arch/x86/include/asm/cpufeatures.h              |  11 ++
 arch/x86/include/asm/msr-index.h                |   9 +-
 arch/x86/include/asm/nospec-branch.h            |  17 +++
 arch/x86/include/asm/syscall.h                  |  11 +-
 arch/x86/kernel/cpu/bugs.c                      | 121 ++++++++++++++++--
 arch/x86/kernel/cpu/common.c                    |  24 ++--
 arch/x86/kernel/cpu/scattered.c                 |   1 +
 arch/x86/kvm/reverse_cpuid.h                    |   5 +
 arch/x86/kvm/vmx/vmenter.S                      |   2 +
 arch/x86/kvm/x86.c                              |   3 +-
 debian.master/config/annotations                |   3 +
 20 files changed, 382 insertions(+), 47 deletions(-)

Acked-by: Roxana Nicolescu
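Since the series was compile-tested only, a practitioner deploying it will want a quick way to confirm on a booted system that the BHI mitigation is actually reported as active. The following script is an added example and is not part of this patch series or the Ubuntu kernel tree. It assumes the upstream reporting format from arch/x86/kernel/cpu/bugs.c, in which /sys/devices/system/cpu/vulnerabilities/spectre_v2 carries the BHI state as a semicolon-separated "BHI: ..." field (the format the "Change commas to semicolons" patch in this series produces); the exact state strings and the sample lines below are constructed for illustration and may differ from what a given kernel prints.

```shell
#!/bin/sh
# Added example (not from the patch series): report the BHI mitigation state
# from the spectre_v2 sysfs file. Assumes the upstream "; BHI: <state>" field
# layout; state strings here are assumptions based on upstream bugs.c.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# bhi_state LINE
#   Prints the text after "BHI: " up to the next ';'. Prints "unreported"
#   when the line has no BHI field (a kernel without these patches).
bhi_state() {
    case "$1" in
        *"BHI: "*) printf '%s\n' "$1" | sed -n 's/.*BHI: \([^;]*\).*/\1/p' ;;
        *)         printf 'unreported\n' ;;
    esac
}

# bhi_is_mitigated LINE
#   Returns 0 (true) unless the BHI field is absent or starts with
#   "Vulnerable" (e.g. "Vulnerable, KVM: SW loop" still leaves the host exposed).
bhi_is_mitigated() {
    state=$(bhi_state "$1")
    case "$state" in
        unreported|Vulnerable*) return 1 ;;
        *)                      return 0 ;;
    esac
}

# Constructed sample lines (not captured from a real machine).
SAMPLE_HW='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S'
SAMPLE_SW='Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: SW loop, KVM: SW loop'
SAMPLE_VULN='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: Vulnerable'
SAMPLE_OLD='Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: SW sequence'

# check_running_kernel
#   Reads the live sysfs file when present and prints a verdict; on systems
#   without the file (non-x86 or very old kernels) it says so and returns 2.
check_running_kernel() {
    if [ ! -r "$SPECTRE_V2_SYSFS" ]; then
        echo "no $SPECTRE_V2_SYSFS on this system"
        return 2
    fi
    line=$(cat "$SPECTRE_V2_SYSFS")
    echo "spectre_v2: $line"
    echo "BHI state:  $(bhi_state "$line")"
    if bhi_is_mitigated "$line"; then
        echo "verdict: BHI mitigated"
        return 0
    else
        echo "verdict: BHI NOT mitigated (or not reported by this kernel)"
        return 1
    fi
}

# Show the parser on the constructed samples, then check the live system.
for s in "$SAMPLE_HW" "$SAMPLE_SW" "$SAMPLE_VULN" "$SAMPLE_OLD"; do
    echo "sample -> $(bhi_state "$s")"
done
check_running_kernel || true
```

The "unreported" case matters for an SRU: a kernel that predates these patches prints no BHI field at all, so a check that only looks for the word "Vulnerable" would wrongly pass on an unpatched kernel. Run it on both the pre-update and post-update boots and compare the reported state.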