[SRU,Focal,00/11] CVE-2024-2201

Message ID 20240417235401.243631-1-yuxuan.luo@canonical.com

Message

Yuxuan Luo April 17, 2024, 11:53 p.m. UTC
[Impact]
Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to
obtain kernel memory information without the help of unprivileged eBPF, negating
the previous belief that unprivileged eBPF is the only real-world source of
such an attack. This vulnerability affects KVM as well.

[Backport]
[1/8] 0cd01ac5dcb1 (“x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs
file”)
- Since the prerequisite commit, 1d30800c0c0a (“x86/bugs: Use sysfs_emit()”),
  introduces more conflicts yet only solves a printing-function conflict,
  manually substitute ',' with ';'.

[2/8] 1e3ad78334a6 (“x86/syscall: Don't force use of indirect calls for system
calls”)
- (Details in the patch)

[3/8] 7390db8aea0d (“x86/bhi: Add support for clearing branch history at syscall
entry”)
- Pick the stable/5.15.y backport since be5341eb0d43 (“x86/entry: Convert INT
  0x80 emulation to IDTENTRY”) is not in the tree; changes made for common.h are
  discarded.
- For entry_64.S, because bc7b11c04ee9 (“x86/asm/64: Change all ENTRY+END to
  SYM_CODE_*”) is not in the tree, substitute SYM_FUNC_START/SYM_FUNC_END with
  ENTRY/END.
- A dependency issue occurs because ANNOTATE_INTRA_FUNCTION_CALL is not defined
  and STACK_FRAME_NON_STANDARD is not provided with an assembly code version, so
  the following dependent commits should be backported:
  - 081df94301e3 (“objtool: Add asm version of STACK_FRAME_NON_STANDARD”)
    - introduced the needed asm version of STACK_FRAME_NON_STANDARD.
    - applied changes for include/linux/objtool.h to include/linux/frame.h and
      ignore tools/include/linux/objtool.h.
  - 5567c6c39f34 (“objtool: Only include valid definitions depending on source
    file type”)
    - adds __ASSEMBLY__ macros to differentiate C and ASM.
  - 8aa8eb2a8f5b (“objtool: Add support for intra-function calls”)
    - use stable/5.4.y: f8f25fde0cc680f6488aea6a0a1f80e689525e18
    - introduced ANNOTATE_INTRA_FUNCTION_CALL.

[4/8] 0f4a837615ff (“x86/bhi: Define SPEC_CTRL_BHI_DIS_S”)
- reverse_cpuid.h: since 4e66c0cb79b7 (“KVM: x86: Add support for reverse CPUID
  lookup of scattered features”) is not in the tree, there is no point
  backporting reverse_cpuid.h related changes.

[5/8] be482ff95009 (“x86/bhi: Enumerate Branch History Injection (BHI) bug”)
- Conflicts in both files can be ignored since they are all context differences.

[6/8] ec9404e40e8f (“x86/bhi: Add BHI mitigation knob”)
- This commit is backported in the same scheme as Jammy's.

[7/8] 95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
- Clean cherry pick.

[8/8] ed2e8d49b54d (“KVM: x86: Add BHI_NO”)
- Since 0204750bd4c6ccc2fb7417618477f10373b33f56 (“KVM: x86: Mask off
  unsupported and unknown bits of IA32_ARCH_CAPABILITIES”) is not in the tree,
  the feature is not supported; ignore this patch.

[Test]
Compiled only.

[Where things could go wrong]
This patch is more about enabling CPU features and reducing the branch history
exposed; therefore, that the system is able to boot and run should indicate that
it is not introducing any regression.

For KVM, the most significant impact is the performance regression due to system
call substitution since branch prediction probably won't perform as fast as the
previous version for users who do not care about the mitigation.

Alexandre Chartre (1):
  objtool: Add support for intra-function calls

Daniel Sneddon (1):
  x86/bhi: Define SPEC_CTRL_BHI_DIS_S

Josh Poimboeuf (2):
  objtool: Add asm version of STACK_FRAME_NON_STANDARD
  x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

Julien Thierry (1):
  objtool: Only include valid definitions depending on source file type

Linus Torvalds (1):
  x86/syscall: Don't force use of indirect calls for system calls

Pawan Gupta (4):
  x86/bhi: Add support for clearing branch history at syscall entry
  x86/bhi: Enumerate Branch History Injection (BHI) bug
  x86/bhi: Add BHI mitigation knob
  x86/bhi: Mitigate KVM by default

Yuxuan Luo (1):
  UBUNTU: [Config] updateconfigs for CONFIG_BHI_{AUTO|OFF|ON}

 Documentation/admin-guide/hw-vuln/spectre.rst |  51 +++++++-
 .../admin-guide/kernel-parameters.txt         |  12 ++
 arch/x86/Kconfig                              |  25 ++++
 arch/x86/entry/common.c                       |  11 +-
 arch/x86/entry/entry_64.S                     |  61 +++++++++
 arch/x86/entry/entry_64_compat.S              |   3 +
 arch/x86/entry/syscall_32.c                   |  33 +++++
 arch/x86/entry/syscall_64.c                   |  27 ++++
 arch/x86/include/asm/cpufeatures.h            |  12 ++
 arch/x86/include/asm/msr-index.h              |   9 +-
 arch/x86/include/asm/nospec-branch.h          |  17 +++
 arch/x86/include/asm/syscall.h                |   4 +
 arch/x86/kernel/cpu/bugs.c                    | 121 ++++++++++++++++--
 arch/x86/kernel/cpu/common.c                  |  24 ++--
 arch/x86/kernel/cpu/scattered.c               |   1 +
 arch/x86/kvm/vmx/vmenter.S                    |   2 +
 debian.master/config/annotations              |   3 +
 include/linux/frame.h                         |  26 ++++
 .../Documentation/stack-validation.txt        |   8 ++
 tools/objtool/arch/x86/decode.c               |   6 +
 tools/objtool/check.c                         |  62 ++++++++-
 21 files changed, 478 insertions(+), 40 deletions(-)
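
One way an administrator can verify the resulting state on a booted kernel, added here as an example and not part of this series or of the kernel: a POSIX shell script that parses the spectre_v2 sysfs status line (whose fields patch 1/8 switches from comma- to semicolon-separated), extracts the "BHI:" field the later patches add, and reads the spectre_bhi= kernel parameter documented by the mitigation-knob commit. The status lines and command lines used as samples are constructed for illustration, the sysfs path is the standard vulnerabilities directory, and the verdict classes are this example's own; a value beginning with "Vulnerable" is treated as unmitigated even when it mentions syscall hardening, in line with follow-on commit 5f882f3b0a8b mentioned in the comments.

```shell
#!/bin/sh
# Added example, not part of the CVE-2024-2201 series: report how a booted
# kernel exposes the BHI mitigation. Sample status strings below are
# constructed for illustration; compare against the running kernel's output.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# bhi_field LINE
# Print the value of the "BHI:" field of a spectre_v2 status line, or
# "absent" when the kernel reports no such field (e.g. a kernel without this
# series). Fields are split on ';', the separator patch 1/8 introduces; the
# old ',' separator would also split a value such as "SW loop, KVM: SW loop".
bhi_field() {
    case $1 in
        *"BHI: "*)
            rest=${1##*"BHI: "}            # text after the last "BHI: "
            printf '%s\n' "$rest" | sed 's/;.*$//'
            ;;
        *) echo absent ;;
    esac
}

# bhi_verdict VALUE
# Classify a BHI field value (classes are this example's own). Anything
# starting with "Vulnerable" counts as unmitigated, including the syscall
# hardening variant, which the follow-on fix clarifies is not a mitigation.
bhi_verdict() {
    case $1 in
        absent)                                              echo "not reported" ;;
        "Not affected"|BHI_DIS_S*|"SW loop"*|Retpoline*)     echo mitigated ;;
        Vulnerable*)                                         echo vulnerable ;;
        *)                                                   echo unknown ;;
    esac
}

# bhi_cmdline_setting CMDLINE
# Print the value given to the spectre_bhi= kernel parameter (the knob added
# by patch 6/8), or "default" when it is not present on the command line.
bhi_cmdline_setting() {
    for tok in $1; do
        case $tok in
            spectre_bhi=*) printf '%s\n' "${tok#spectre_bhi=}"; return 0 ;;
        esac
    done
    echo default
}

# report LINE CMDLINE: one-line summary for a status line / cmdline pair.
report() {
    field=$(bhi_field "$1")
    printf 'BHI=%s verdict=%s spectre_bhi=%s\n' \
        "$field" "$(bhi_verdict "$field")" "$(bhi_cmdline_setting "$2")"
}

# Live check when run on a real system; otherwise walk constructed samples.
if [ -r "$SPECTRE_V2_SYSFS" ] && [ -r /proc/cmdline ]; then
    report "$(cat "$SPECTRE_V2_SYSFS")" "$(cat /proc/cmdline)"
else
    report "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling; PBRSB-eIBRS: Not affected; BHI: BHI_DIS_S" \
           "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
    report "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop" \
           "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
    report "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling; PBRSB-eIBRS: Not affected; BHI: Vulnerable (Syscall hardening enabled)" \
           "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro spectre_bhi=off quiet"
    report "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling" \
           "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
fi
```

Run it as root on the patched Focal kernel and compare the BHI field with the expected mitigation for the CPU; a "vulnerable" verdict together with spectre_bhi=off on the command line points at a deliberate opt-out rather than a missing backport, and "not reported" means the kernel predates this series.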

Comments

Juerg Haefliger April 30, 2024, 2:24 p.m. UTC | #1
There's a bunch of follow-on fixes that we probably want/need. They're also
missing from jammy but should come in through a regular stable update.

ec9404e40e8f x86/bhi: Add BHI mitigation knob
69129794d94c x86/bugs: Fix BHI retpoline check
5f882f3b0a8b x86/bugs: Clarify that syscall hardening isn't a BHI mitigation
1cea8a280dfd x86/bugs: Fix BHI handling of RRSBA
cb2db5bb04d7 x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES
dfe648903f42 x86/bugs: Fix BHI documentation

...Juerg


On Wed, 17 Apr 2024 19:53:50 -0400
Yuxuan Luo <yuxuan.luo@canonical.com> wrote:
