| Message ID | 20180209170821.GA4572@brain |
|---|---|
| State | New |
| Headers | show |
| Series | [SRU,artful] retpoline/IBPB combined mitigation | expand |
On 09/02/18 17:08, Andy Whitcroft wrote: > The previous retpoline update dropped IBPB support. This would reduce our > protection for userspace/VMs. This patch kit reinstates that protection > and uses it in combination with retpoline where each is available. Note > that IBPB support is dependent on having microcode for your CPU which > supports it. > > Proposing for SRU to artful. > > -apw > > The following changes since commit d878dfee54cf6cef17a3d8a661effd3c9731420d: > > UBUNTU: Ubuntu-4.13.0-33.36 (2018-02-06 13:22:54 -0500) > > are available in the Git repository at: > > https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/artful-speculation-control-intel > > for you to fetch changes up to 6a36999c9ce2f76b7db724f5132832ae46a5a36e: > > UBUNTU: SAUCE: turn off IBPB when full retpoline is present (2018-02-09 12:12:34 +0000) > > ---------------------------------------------------------------- > * CVE-2017-5715 (Spectre v2 Intel) > - x86/feature: Enable the x86 feature to control Speculation > - x86/feature: Report presence of IBPB and IBRS control > - x86/enter: MACROS to set/clear IBRS and set IBPB > - x86/enter: Use IBRS on syscall and interrupts > - x86/idle: Disable IBRS entering idle and enable it on wakeup > - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup > - x86/mm: Set IBPB upon context switch > - x86/mm: Only set IBPB when the new thread cannot ptrace current thread > - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform > - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm > - x86/kvm: Set IBPB when switching VM > - x86/kvm: Toggle IBRS on VM entry and exit > - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature > - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control > - x86/cpu/AMD: Add speculative control support for AMD > - x86/microcode: Extend post microcode reload to support IBPB feature > - KVM: SVM: Do not intercept new speculative control MSRs > - x86/svm: Set IBRS value on VM entry and exit > - x86/svm: Set IBPB when running a different VCPU > - KVM: x86: Add speculative control CPUID support for guests > - SAUCE: turn off IBPB when full retpoline is present > I've tested these and didn't see any regressions. Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Kamal Mostafa <kamal@canonical.com> On Fri, Feb 09, 2018 at 05:08:21PM +0000, Andy Whitcroft wrote: > The previous retpoline update dropped IBPB support. This would reduce our > protection for userspace/VMs. This patch kit reinstates that protection > and uses it in combination with retpoline where each is available. Note > that IBPB support is dependent on having microcode for your CPU which > supports it. > > Proposing for SRU to artful. > > -apw > > The following changes since commit d878dfee54cf6cef17a3d8a661effd3c9731420d: > > UBUNTU: Ubuntu-4.13.0-33.36 (2018-02-06 13:22:54 -0500) > > are available in the Git repository at: > > https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/artful-speculation-control-intel > > for you to fetch changes up to 6a36999c9ce2f76b7db724f5132832ae46a5a36e: > > UBUNTU: SAUCE: turn off IBPB when full retpoline is present (2018-02-09 12:12:34 +0000) > > ---------------------------------------------------------------- > * CVE-2017-5715 (Spectre v2 Intel) > - x86/feature: Enable the x86 feature to control Speculation > - x86/feature: Report presence of IBPB and IBRS control > - x86/enter: MACROS to set/clear IBRS and set IBPB > - x86/enter: Use IBRS on syscall and interrupts > - x86/idle: Disable IBRS entering idle and enable it on wakeup > - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup > - x86/mm: Set IBPB upon context switch > - x86/mm: Only set IBPB when the new thread cannot ptrace current thread > - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform > - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm > - x86/kvm: Set IBPB when switching VM > - x86/kvm: Toggle IBRS on VM entry and exit > - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature > - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control > - x86/cpu/AMD: Add speculative control support for AMD > - x86/microcode: Extend post microcode reload to support IBPB feature > - KVM: SVM: Do not intercept new speculative control MSRs > - x86/svm: Set IBRS value on VM entry and exit > - x86/svm: Set IBPB when running a different VCPU > - KVM: x86: Add speculative control CPUID support for guests > - SAUCE: turn off IBPB when full retpoline is present > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
Applied to artful/master-next On 2018-02-09 17:08:21 , Andy Whitcroft wrote: > The previous retpoline update dropped IBPB support. This would reduce our > protection for userspace/VMs. This patch kit reinstates that protection > and uses it in combination with retpoline where each is available. Note > that IBPB support is dependent on having microcode for your CPU which > supports it. > > Proposing for SRU to artful. > > -apw > > The following changes since commit d878dfee54cf6cef17a3d8a661effd3c9731420d: > > UBUNTU: Ubuntu-4.13.0-33.36 (2018-02-06 13:22:54 -0500) > > are available in the Git repository at: > > https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/artful-speculation-control-intel > > for you to fetch changes up to 6a36999c9ce2f76b7db724f5132832ae46a5a36e: > > UBUNTU: SAUCE: turn off IBPB when full retpoline is present (2018-02-09 12:12:34 +0000) > > ---------------------------------------------------------------- > * CVE-2017-5715 (Spectre v2 Intel) > - x86/feature: Enable the x86 feature to control Speculation > - x86/feature: Report presence of IBPB and IBRS control > - x86/enter: MACROS to set/clear IBRS and set IBPB > - x86/enter: Use IBRS on syscall and interrupts > - x86/idle: Disable IBRS entering idle and enable it on wakeup > - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup > - x86/mm: Set IBPB upon context switch > - x86/mm: Only set IBPB when the new thread cannot ptrace current thread > - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform > - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm > - x86/kvm: Set IBPB when switching VM > - x86/kvm: Toggle IBRS on VM entry and exit > - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature > - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control > - x86/cpu/AMD: Add speculative control support for AMD > - x86/microcode: Extend post microcode reload to support IBPB feature > - KVM: SVM: Do not intercept new speculative control MSRs > - x86/svm: Set IBRS value on VM entry and exit > - x86/svm: Set IBPB when running a different VCPU > - KVM: x86: Add speculative control CPUID support for guests > - SAUCE: turn off IBPB when full retpoline is present > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
The previous retpoline update dropped IBPB support. This would reduce our protection for userspace/VMs. This patch kit reinstates that protection and uses it in combination with retpoline where each is available. Note that IBPB support is dependent on having microcode for your CPU which supports it. Proposing for SRU to artful. -apw The following changes since commit d878dfee54cf6cef17a3d8a661effd3c9731420d: UBUNTU: Ubuntu-4.13.0-33.36 (2018-02-06 13:22:54 -0500) are available in the Git repository at: https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/artful-speculation-control-intel for you to fetch changes up to 6a36999c9ce2f76b7db724f5132832ae46a5a36e: UBUNTU: SAUCE: turn off IBPB when full retpoline is present (2018-02-09 12:12:34 +0000) ---------------------------------------------------------------- * CVE-2017-5715 (Spectre v2 Intel) - x86/feature: Enable the x86 feature to control Speculation - x86/feature: Report presence of IBPB and IBRS control - x86/enter: MACROS to set/clear IBRS and set IBPB - x86/enter: Use IBRS on syscall and interrupts - x86/idle: Disable IBRS entering idle and enable it on wakeup - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup - x86/mm: Set IBPB upon context switch - x86/mm: Only set IBPB when the new thread cannot ptrace current thread - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm - x86/kvm: Set IBPB when switching VM - x86/kvm: Toggle IBRS on VM entry and exit - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control - x86/cpu/AMD: Add speculative control support for AMD - x86/microcode: Extend post microcode reload to support IBPB feature - KVM: SVM: Do not intercept new speculative control MSRs - x86/svm: Set IBRS value on VM entry and exit - x86/svm: Set IBPB when running a different VCPU - KVM: x86: Add speculative control CPUID support for guests - SAUCE: turn off IBPB when full retpoline is present