From patchwork Thu Nov 28 15:04:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin M Romer X-Patchwork-Id: 1202106 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47P1C30Lzrz9sPc; Fri, 29 Nov 2019 02:04:47 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1iaLLX-0004ci-5L; Thu, 28 Nov 2019 15:04:43 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iaLLT-0004bh-Sx for kernel-team@lists.ubuntu.com; Thu, 28 Nov 2019 15:04:39 +0000 Received: from mail-qk1-f200.google.com ([209.85.222.200]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iaLLT-0003jv-LO for kernel-team@lists.ubuntu.com; Thu, 28 Nov 2019 15:04:39 +0000 Received: by mail-qk1-f200.google.com with SMTP id q125so16173105qka.1 for ; Thu, 28 Nov 2019 07:04:39 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=puHW/U9TboZeBeWVaDSsDrEELo5Q3+yRgspUaB72QH8=; 
b=X8avLZVvP6qCSCBrb7xc/16tR0hw3ZUBqlm08kZhKQWvdY+fnDFqCrwyD5//18NY0i KBD5CvsZEeLihW1yvvA1HkR3unTLHUhhMJPPpVWVCPNZs61CbhFdPzs/7q1BmZ+GdkqD 69ZZp5z6TZm9i0euS5arYtJPCEEIYDFYak7zukMR03x9AHY4ITKOK8FJ/alMRtvomtO3 JRIH7GRkfI0oFdo8GQ6pqTwylfuEayCAfy6bl109oN3iB41+sI7RP7Hn/Uq7iEp+JoG3 hvQCpQOfubMbuqXcvwpLjqwQT2XL5lFCHZv9dYhAVG8CaF7jq+y/iLQCL7WvBnyCnWg7 SPFw== X-Gm-Message-State: APjAAAUdUrQViMNcyBmv7aSaRSlZBw6fhokPOs6uy5fm3f6Bww+hxT1h yJ/1J79Z6t1gXJDR8kaQPP1x01AyLeVyPia5Wz7xKleLpDkxzAZGgbMz0sgSjU3y7RfvHWShnrZ hT1T7zabtVADUWbeh+X7dL+O64uP6bKIdIXJVIox5pQ== X-Received: by 2002:a37:582:: with SMTP id 124mr9582511qkf.257.1574953478420; Thu, 28 Nov 2019 07:04:38 -0800 (PST) X-Google-Smtp-Source: APXvYqydMUo3dSckpRIjPV+weBsK0cTQk/16CyokjpTkUJOgr2xBh3f2VU/YuLl8xAc8zd+fI8maHA== X-Received: by 2002:a37:582:: with SMTP id 124mr9582409qkf.257.1574953477532; Thu, 28 Nov 2019 07:04:37 -0800 (PST) Received: from beast (c-68-80-13-9.hsd1.pa.comcast.net. [68.80.13.9]) by smtp.gmail.com with ESMTPSA id f25sm8410315qkh.93.2019.11.28.07.04.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Nov 2019 07:04:36 -0800 (PST) Received: from ben by beast with local (Exim 4.92.1) (envelope-from ) id 1iaLLP-0008AF-LN for kernel-team@lists.ubuntu.com; Thu, 28 Nov 2019 10:04:35 -0500 From: Benjamin M Romer To: kernel-team@lists.ubuntu.com Subject: [xenial][PATCH 1/3] powerpc/64s: support nospectre_v2 cmdline option Date: Thu, 28 Nov 2019 10:04:33 -0500 Message-Id: <20191128150435.31340-2-benjamin.romer@canonical.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191128150435.31340-1-benjamin.romer@canonical.com> References: <20191128150435.31340-1-benjamin.romer@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" 
From: "Christopher M. Riedl" BugLink: https://bugs.launchpad.net/bugs/1853142 commit d8f0e0b073e1ec52a05f0c2a56318b47387d2f10 upstream. Add support for disabling the kernel implemented spectre v2 mitigation (count cache flush on context switch) via the nospectre_v2 and mitigations=off cmdline options. Suggested-by: Michael Ellerman Signed-off-by: Christopher M. Riedl Reviewed-by: Andrew Donnellan Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20190524024647.381-1-cmr@informatik.wtf Signed-off-by: Daniel Axtens CVE-2019-18660 Signed-off-by: Benjamin M Romer --- arch/powerpc/kernel/security.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c index 64efba4bd05d..37d96227e7cf 100644 --- a/arch/powerpc/kernel/security.c +++ b/arch/powerpc/kernel/security.c @@ -29,7 +29,7 @@ static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NO bool barrier_nospec_enabled; static bool no_nospec; static bool btb_flush_enabled; -#ifdef CONFIG_PPC_FSL_BOOK3E +#if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64) static bool no_spectrev2; #endif @@ -107,7 +107,7 @@ static __init int barrier_nospec_debugfs_init(void) device_initcall(barrier_nospec_debugfs_init); #endif /* CONFIG_DEBUG_FS */ -#ifdef CONFIG_PPC_FSL_BOOK3E +#if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64) static int __init handle_nospectre_v2(char *p) { no_spectrev2 = true; @@ -115,6 +115,9 @@ static int __init handle_nospectre_v2(char *p) return 0; } early_param("nospectre_v2", handle_nospectre_v2); +#endif /* CONFIG_PPC_FSL_BOOK3E || CONFIG_PPC_BOOK3S_64 */ + +#ifdef CONFIG_PPC_FSL_BOOK3E void setup_spectre_v2(void) { if (no_spectrev2 || cpu_mitigations_off()) 
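Review bot: In the @@ -29,7 hunk the declaration of `no_spectrev2` becomes visible under CONFIG_PPC_BOOK3S_64 as well as CONFIG_PPC_FSL_BOOK3E, while `setup_spectre_v2()` (re-guarded by the new `#ifdef CONFIG_PPC_FSL_BOOK3E` in the @@ -115,6 hunk) stays FSL-only, so on Book3S the only consumer is `setup_count_cache_flush()`. Please confirm that function is compiled only under CONFIG_PPC_BOOK3S_64; a config that is neither FSL_BOOK3E nor BOOK3S_64 would otherwise reference an undeclared `no_spectrev2`.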
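Review bot: In the @@ -115,6 hunk the new `#endif /* CONFIG_PPC_FSL_BOOK3E || CONFIG_PPC_BOOK3S_64 */` is labelled to match its `#if defined(...) || defined(...)`, but the `#ifdef CONFIG_PPC_FSL_BOOK3E` opened immediately after it for `setup_spectre_v2()` has no labelled close visible here; for symmetry, give its `#endif` the same treatment. Also worth a note in the commit message: `handle_nospectre_v2()` ignores its `p` argument and returns 0, so any value after `nospectre_v2=` is accepted the same as the bare flag, which is the usual `early_param` convention.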
@@ -390,7 +393,17 @@ static void toggle_count_cache_flush(bool enable) void setup_count_cache_flush(void) { - toggle_count_cache_flush(true); + bool enable = true; + + if (no_spectrev2 || cpu_mitigations_off()) { + if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) || + security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED)) + pr_warn("Spectre v2 mitigations not under software control, can't disable\n"); + + enable = false; + } + + toggle_count_cache_flush(enable); } #ifdef CONFIG_DEBUG_FS
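Review bot: In the @@ -390,7 hunk `enable` is forced to false even when the warning fires, so with `nospectre_v2` or `mitigations=off` on a CPU where firmware has serialised bcctrl or disabled the count cache, only the software flush is switched off and the firmware mitigation stays active; the message 'Spectre v2 mitigations not under software control, can't disable' could lead an operator to think nothing changed. The later patch in this series rewords it to 'not fully under software control', which is the clearer statement; consider also saying explicitly that the software count cache flush was disabled. Operators can verify the resulting state after boot through the spectre_v2 entry under /sys/devices/system/cpu/vulnerabilities/, which `cpu_show_spectre_v2()` produces.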
From: Benjamin M Romer
To: kernel-team@lists.ubuntu.com
Subject: [xenial][PATCH 2/3] powerpc/book3s64: Fix link stack flush on context switch
Date: Thu, 28 Nov 2019 10:04:34 -0500
Message-Id: <20191128150435.31340-3-benjamin.romer@canonical.com>
In-Reply-To: <20191128150435.31340-1-benjamin.romer@canonical.com>
From: Michael Ellerman

BugLink: https://bugs.launchpad.net/bugs/1853142

commit 39e72bf96f5847ba87cc5bd7a3ce0fed813dc9ad upstream.

In commit ee13cb249fab ("powerpc/64s: Add support for software count cache flush"), I added support for software to flush the count cache (indirect branch cache) on context switch if firmware told us that was the required mitigation for Spectre v2.

As part of that code we also added a software flush of the link stack (return address stack), which protects against Spectre-RSB between user processes.

That is all correct for CPUs that activate that mitigation, which is currently Power9 Nimbus DD2.3.

What I got wrong is that on older CPUs, where firmware has disabled the count cache, we also need to flush the link stack on context switch.

To fix it we create a new feature bit which is not set by firmware, which tells us we need to flush the link stack. We set that when firmware tells us that either of the existing Spectre v2 mitigations is enabled.

Then we adjust the patching code so that if we see that feature bit we enable the link stack flush. If we're also told to flush the count cache in software then we fall through and do that also.

On the older CPUs we don't need to do the software count cache flush, firmware has disabled it, so in that case we patch in an early return after the link stack flush.

The naming of some of the functions is awkward after this patch, because they're called "count cache" but they also do link stack. But we'll fix that up in a later commit to ease backporting.

This is the fix for CVE-2019-18660.

Reported-by: Anthony Steinhauser
Fixes: ee13cb249fab ("powerpc/64s: Add support for software count cache flush")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Michael Ellerman
[dja: straightforward backport to v4.14 applies directly to Xenial's v4.4]
Signed-off-by: Daniel Axtens
CVE-2019-18660
Signed-off-by: Benjamin M Romer --- arch/powerpc/include/asm/asm-prototypes.h | 1 + arch/powerpc/include/asm/security_features.h | 3 ++ arch/powerpc/kernel/entry_64.S | 6 +++ arch/powerpc/kernel/security.c | 48 ++++++++++++++++++-- 4 files changed, 54 insertions(+), 4 deletions(-) diff --git a/arch/powerpc/include/asm/asm-prototypes.h b/arch/powerpc/include/asm/asm-prototypes.h index 8944c55591cf..7c74384c0146 100644 --- a/arch/powerpc/include/asm/asm-prototypes.h +++ b/arch/powerpc/include/asm/asm-prototypes.h @@ -15,6 +15,7 @@ /* Patch sites */ extern s32 patch__call_flush_count_cache; extern s32 patch__flush_count_cache_return; +extern s32 patch__flush_link_stack_return; extern long flush_count_cache; diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h index 759597bf0fd8..ccf44c135389 100644 --- a/arch/powerpc/include/asm/security_features.h +++ b/arch/powerpc/include/asm/security_features.h @@ -81,6 +81,9 @@ static inline bool security_ftr_enabled(unsigned long feature) // Software required to flush count cache on context switch #define SEC_FTR_FLUSH_COUNT_CACHE 0x0000000000000400ull +// Software required to flush link stack on context switch +#define SEC_FTR_FLUSH_LINK_STACK 0x0000000000001000ull + // Features enabled by default #define SEC_FTR_DEFAULT \ diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S index 6d36a4fb4acf..e523d16c8b6e 100644 --- a/arch/powerpc/kernel/entry_64.S +++ b/arch/powerpc/kernel/entry_64.S @@ -477,6 +477,7 @@ flush_count_cache: /* Save LR into r9 */ mflr r9 + // Flush the link stack .rept 64 bl .+4 .endr @@ -486,6 +487,11 @@ flush_count_cache: .balign 32 /* Restore LR */ 1: mtlr r9 + + // If we're just flushing the link stack, return here +3: nop + patch_site 3b patch__flush_link_stack_return + li r9,0x7fff mtctr r9 diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c index 37d96227e7cf..ce6b612c605a 100644 
--- a/arch/powerpc/kernel/security.c +++ b/arch/powerpc/kernel/security.c @@ -25,6 +25,7 @@ enum count_cache_flush_type { COUNT_CACHE_FLUSH_HW = 0x4, }; static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; +static bool link_stack_flush_enabled; bool barrier_nospec_enabled; static bool no_nospec; @@ -205,11 +206,19 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c if (ccd) seq_buf_printf(&s, "Indirect branch cache disabled"); + + if (link_stack_flush_enabled) + seq_buf_printf(&s, ", Software link stack flush"); + } else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) { seq_buf_printf(&s, "Mitigation: Software count cache flush"); if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW) seq_buf_printf(&s, " (hardware accelerated)"); + + if (link_stack_flush_enabled) + seq_buf_printf(&s, ", Software link stack flush"); + } else if (btb_flush_enabled) { seq_buf_printf(&s, "Mitigation: Branch predictor state flush"); } else { 
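Review bot: In the @@ -205,11 hunk the ', Software link stack flush' suffix is appended only in the `ccd` branch and the `count_cache_flush_type != COUNT_CACHE_FLUSH_NONE` branch, which matches the toggle code enabling the link stack flush only when SEC_FTR_COUNT_CACHE_DISABLED or SEC_FTR_FLUSH_COUNT_CACHE is set; leaving the `btb_flush_enabled` branch untouched is correct. Since this string is the only user-visible evidence that the CVE-2019-18660 fix is active on a given machine, please mention it in the commit message so operators know what to look for in the spectre_v2 sysfs entry.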
@@ -368,18 +377,40 @@ static __init int stf_barrier_debugfs_init(void) device_initcall(stf_barrier_debugfs_init); #endif /* CONFIG_DEBUG_FS */ +static void no_count_cache_flush(void) +{ + count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; + pr_info("count-cache-flush: software flush disabled.\n"); +} + static void toggle_count_cache_flush(bool enable) { - if (!enable || !security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) { + if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE) && + !security_ftr_enabled(SEC_FTR_FLUSH_LINK_STACK)) + enable = false; + + if (!enable) { patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP); - count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; - pr_info("count-cache-flush: software flush disabled.\n"); + pr_info("link-stack-flush: software flush disabled.\n"); + link_stack_flush_enabled = false; + no_count_cache_flush(); return; } + // This enables the branch from _switch to flush_count_cache patch_branch_site(&patch__call_flush_count_cache, (u64)&flush_count_cache, BRANCH_SET_LINK); + pr_info("link-stack-flush: software flush enabled.\n"); + link_stack_flush_enabled = true; + + // If we just need to flush the link stack, patch an early return + if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) { + patch_instruction_site(&patch__flush_link_stack_return, PPC_INST_BLR); + no_count_cache_flush(); + return; + } + if (!security_ftr_enabled(SEC_FTR_BCCTR_FLUSH_ASSIST)) { count_cache_flush_type = COUNT_CACHE_FLUSH_SW; pr_info("count-cache-flush: full software flush sequence enabled.\n"); 
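Review bot: In the @@ -368,18 hunk `patch__flush_link_stack_return` is patched to `PPC_INST_BLR` in the link-stack-only case but is never patched back to a NOP on the enable path; that is safe only because the security feature bits are fixed at boot, so a later `toggle_count_cache_flush(true)` can never move a CPU from link-stack-only to a full count cache flush. A comment next to the BLR patch stating that assumption would save the next reader the same question. Minor: the 'link-stack-flush: software flush disabled.' message is now printed on the `!enable` path even on CPUs where SEC_FTR_FLUSH_LINK_STACK was never set, which is harmless but slightly noisy.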
@@ -398,11 +429,20 @@ void setup_count_cache_flush(void) if (no_spectrev2 || cpu_mitigations_off()) { if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) || security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED)) - pr_warn("Spectre v2 mitigations not under software control, can't disable\n"); + pr_warn("Spectre v2 mitigations not fully under software control, can't disable\n"); enable = false; } + /* + * There's no firmware feature flag/hypervisor bit to tell us we need to + * flush the link stack on context switch. So we set it here if we see + * either of the Spectre v2 mitigations that aim to protect userspace. + */ + if (security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED) || + security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) + security_ftr_set(SEC_FTR_FLUSH_LINK_STACK); + toggle_count_cache_flush(enable); }
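Review bot: In the security_features.h hunk, SEC_FTR_FLUSH_LINK_STACK is defined as 0x1000 while the preceding bit SEC_FTR_FLUSH_COUNT_CACHE is 0x400; please confirm 0x800 is already allocated elsewhere in the header (not visible in this hunk) or add a comment on why it is skipped. Leaving the new bit out of SEC_FTR_DEFAULT is right given the commit message says it is set by software rather than firmware; a one-line comment such as "set by setup_count_cache_flush(), never by firmware" would make that intent explicit at the definition.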
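Review bot: In the entry_64.S @@ -486,6 hunk the early-return site `3: nop` is placed after `1: mtlr r9`, so when it is patched to a `blr` the routine returns to `_switch` with the caller's LR already restored, which is correct; placing it before the `mtlr` would have returned into the flush loop. Please confirm no existing `3f`/`3b` reference in `flush_count_cache` is captured by the new local label, and consider extending the '// If we're just flushing the link stack, return here' comment to say the site is patched by `toggle_count_cache_flush()` so the nop is not mistaken for alignment padding.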
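Review bot: In the @@ -398,11 hunk SEC_FTR_FLUSH_LINK_STACK is set before `toggle_count_cache_flush(enable)` and regardless of `enable`, so with `nospectre_v2` the bit stays set in the feature mask while the flush is disabled; that is fine because `toggle_count_cache_flush(false)` NOPs the call site and clears `link_stack_flush_enabled`, but the comment above `security_ftr_set()` could say so. The reworded warning 'not fully under software control' is an improvement: the firmware count cache mitigation remains active and only the software link stack / count cache flush is being disabled.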
From: Benjamin M Romer
To: kernel-team@lists.ubuntu.com
Subject: [xenial][PATCH 3/3] KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel
Date: Thu, 28 Nov 2019 10:04:35 -0500
Message-Id: <20191128150435.31340-4-benjamin.romer@canonical.com>
In-Reply-To: <20191128150435.31340-1-benjamin.romer@canonical.com>

From: Michael Ellerman

BugLink: https://bugs.launchpad.net/bugs/1853142

commit af2e8c68b9c5403f77096969c516f742f5bb29e0 upstream.

On some systems that are vulnerable to Spectre v2, it is up to software to flush the link stack (return address stack), in order to protect against Spectre-RSB.

When exiting from a guest we do some housekeeping and then potentially exit to C code which is several stack frames deep in the host kernel. We will then execute a series of returns without preceding calls, opening up the possibility that the guest could have poisoned the link stack, and direct speculative execution of the host to a gadget of some sort.

To prevent this we add a flush of the link stack on exit from a guest.

Signed-off-by: Michael Ellerman
[dja: backport to v4.4, drop P9 support]
Signed-off-by: Daniel Axtens
CVE-2019-18660
Signed-off-by: Benjamin M Romer --- arch/powerpc/include/asm/asm-prototypes.h | 2 ++ arch/powerpc/kernel/security.c | 9 +++++++++ arch/powerpc/kvm/book3s_hv_rmhandlers.S | 20 ++++++++++++++++++++ 3 files changed, 31 insertions(+) diff --git a/arch/powerpc/include/asm/asm-prototypes.h b/arch/powerpc/include/asm/asm-prototypes.h index 7c74384c0146..77c6bfe60137 100644 --- a/arch/powerpc/include/asm/asm-prototypes.h +++ b/arch/powerpc/include/asm/asm-prototypes.h @@ -16,7 +16,9 @@ extern s32 patch__call_flush_count_cache; extern s32 patch__flush_count_cache_return; extern s32 patch__flush_link_stack_return; +extern s32 patch__call_kvm_flush_link_stack; extern long flush_count_cache; +extern long kvm_flush_link_stack; #endif /* _ASM_POWERPC_ASM_PROTOTYPES_H */ diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c index ce6b612c605a..730801c64295 100644 --- a/arch/powerpc/kernel/security.c +++ b/arch/powerpc/kernel/security.c @@ -391,6 +391,9 @@ static void toggle_count_cache_flush(bool enable) if (!enable) { patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP); +#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE + patch_instruction_site(&patch__call_kvm_flush_link_stack, PPC_INST_NOP); +#endif pr_info("link-stack-flush: software flush disabled.\n"); link_stack_flush_enabled = false; no_count_cache_flush(); @@ -401,6 +404,12 @@ static void toggle_count_cache_flush(bool enable) patch_branch_site(&patch__call_flush_count_cache, (u64)&flush_count_cache, BRANCH_SET_LINK); +#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE + // This enables the branch from guest_exit_cont to kvm_flush_link_stack + patch_branch_site(&patch__call_kvm_flush_link_stack, + (u64)&kvm_flush_link_stack, BRANCH_SET_LINK); +#endif + pr_info("link-stack-flush: software flush enabled.\n"); link_stack_flush_enabled = true; diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S index d780a3cf83f3..96659a2b5496 100644 
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S @@ -18,6 +18,7 @@ */ #include +#include #include #include #include @@ -1193,6 +1194,10 @@ mc_cont: bl kvmhv_accumulate_time #endif + /* Possibly flush the link stack here. */ +1: nop + patch_site 1b patch__call_kvm_flush_link_stack + mr r3, r12 /* Increment exit count, poke other threads to exit */ bl kvmhv_commence_exit @@ -1611,6 +1616,21 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) mtlr r0 blr +.balign 32 +.global kvm_flush_link_stack +kvm_flush_link_stack: + /* Save LR into r0 */ + mflr r0 + + /* Flush the link stack. On Power8 it's up to 32 entries in size. */ + .rept 32 + bl .+4 + .endr + + /* Restore LR */ + mtlr r0 + blr + /* * Check whether an HDSI is an HPTE not found fault or something else. * If it is an HPTE not found fault that is due to the guest accessing
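Review bot: In the security.c @@ -401,6 hunk, `patch_branch_site(&patch__call_kvm_flush_link_stack, (u64)&kvm_flush_link_stack, BRANCH_SET_LINK)` runs from `toggle_count_cache_flush()` at boot, so both the patch site and `kvm_flush_link_stack` must live in the kernel image rather than in a loadable kvm-hv module; the `#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE` assumes book3s_hv_rmhandlers.S is built in, and a comment saying so would make that dependency visible. The @@ -391,6 hunk NOPs the KVM site on the disable path symmetrically, so `nospectre_v2` and `mitigations=off` also switch off the guest-exit flush, which is consistent with patch 1.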
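Review bot: In the @@ -1193,6 hunk the new `1: nop` patch site sits before `mr r3, r12`, so the r0 clobber in `kvm_flush_link_stack` cannot disturb r3; please confirm r0 holds nothing live at that point after `bl kvmhv_accumulate_time`, and that no nearby `1f`/`1b` reference is captured by the new local label.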
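Review bot: In the @@ -1611,6 hunk `.rept 32` with the comment 'On Power8 it's up to 32 entries in size' sizes the flush for Power8 only, consistent with the backport note 'drop P9 support', whereas the context-switch flush in entry_64.S uses `.rept 64`; a comment at `kvm_flush_link_stack` saying the 32 is a Power8 limit would keep a later Power9 enablement from silently under-flushing. The routine saves LR in r0, restores it before `blr`, and clobbers only r0 and LR; stating that in the comment block would help callers of the patched site.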