From patchwork Wed Apr 17 23:53:50 2024
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1924766
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH 00/11] CVE-2024-2201
Date: Wed, 17 Apr 2024 19:53:50 -0400
Message-Id: <20240417235401.243631-1-yuxuan.luo@canonical.com>

[Impact]
Native BHI attack, a Spectre v2 variant, allows local unprivileged attackers to obtain kernel memory information without the help of unprivileged eBPF, negating the previous belief that unprivileged eBPF is the only real-world source of such an attack. Also, this vulnerability affects KVM as well.

[Backport]
[1/8] 0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file")
- Since the prerequisite commit, 1d30800c0c0a ("x86/bugs: Use sysfs_emit()"), introduces more conflicts yet only solves a printing function conflict, manually substitute ',' with ';'.

[2/8] 1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
- (Details in the patch)

[3/8] 7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
- Pick the stable/5.15.y backport; since be5341eb0d43 ("x86/entry: Convert INT 0x80 emulation to IDTENTRY") is not in the tree, the changes made for common.h are discarded.
- For entry_64.S, because bc7b11c04ee9 ("x86/asm/64: Change all ENTRY+END to SYM_CODE_*") is not in the tree, substitute SYM_FUNC_START/SYM_FUNC_END with ENTRY/END.
- A dependency issue occurs because ANNOTATE_INTRA_FUNCTION_CALL is not defined and STACK_FRAME_NON_STANDARD is not provided with an assembly code version; the following dependent commits should be backported:
  - 081df94301e3 ("objtool: Add asm version of STACK_FRAME_NON_STANDARD")
    - introduces the needed asm version of STACK_FRAME_NON_STANDARD.
    - applied the changes for include/linux/objtool.h to include/linux/frame.h and ignored tools/include/linux/objtool.h.
  - 5567c6c39f34 ("objtool: Only include valid definitions depending on source file type")
    - adds __ASSEMBLY__ macros to differentiate C and ASM.
  - 8aa8eb2a8f5b ("objtool: Add support for intra-function calls")
    - use stable/5.4.y: f8f25fde0cc680f6488aea6a0a1f80e689525e18
    - introduces ANNOTATE_INTRA_FUNCTION_CALL.

[4/8] 0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
- reverse_cpuid.h: since 4e66c0cb79b7 ("KVM: x86: Add support for reverse CPUID lookup of scattered features") is not in the tree, there is no point backporting the reverse_cpuid.h related changes.

[5/8] be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
- Conflicts in both files can be ignored since they are all context differences.

[6/8] ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
- This commit is backported in the same scheme as Jammy's.

[7/8] 95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
- Clean cherry pick.

[8/8] ed2e8d49b54d ("KVM: x86: Add BHI_NO")
- Since 0204750bd4c6ccc2fb7417618477f10373b33f56 ("KVM: x86: Mask off unsupported and unknown bits of IA32_ARCH_CAPABILITIES") is not in the tree, the feature is not supported; ignore this patch.

[Test]
Compiled only.

[Where things could go wrong]
This patch is more about enabling CPU features and reducing the branch history exposed; therefore, if the system is able to boot and run, that should denote that it is not introducing any regression.

For KVM, the most significant impact is the performance regression due to the system call substitution, since branch prediction probably won't perform as fast as the previous version for users who do not care about the mitigation.

Alexandre Chartre (1):
  objtool: Add support for intra-function calls

Daniel Sneddon (1):
  x86/bhi: Define SPEC_CTRL_BHI_DIS_S

Josh Poimboeuf (2):
  objtool: Add asm version of STACK_FRAME_NON_STANDARD
  x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

Julien Thierry (1):
  objtool: Only include valid definitions depending on source file type

Linus Torvalds (1):
  x86/syscall: Don't force use of indirect calls for system calls

Pawan Gupta (4):
  x86/bhi: Add support for clearing branch history at syscall entry
  x86/bhi: Enumerate Branch History Injection (BHI) bug
  x86/bhi: Add BHI mitigation knob
  x86/bhi: Mitigate KVM by default

Yuxuan Luo (1):
  UBUNTU: [Config] updateconfigs for CONFIG_BHI_{AUTO|OFF|ON}

 Documentation/admin-guide/hw-vuln/spectre.rst |  51 +++++++-
 .../admin-guide/kernel-parameters.txt         |  12 ++
 arch/x86/Kconfig                              |  25 ++++
 arch/x86/entry/common.c                       |  11 +-
 arch/x86/entry/entry_64.S                     |  61 +++++++++
 arch/x86/entry/entry_64_compat.S              |   3 +
 arch/x86/entry/syscall_32.c                   |  33 +++++
 arch/x86/entry/syscall_64.c                   |  27 ++++
 arch/x86/include/asm/cpufeatures.h            |  12 ++
 arch/x86/include/asm/msr-index.h              |   9 +-
 arch/x86/include/asm/nospec-branch.h          |  17 +++
 arch/x86/include/asm/syscall.h                |   4 +
 arch/x86/kernel/cpu/bugs.c                    | 121 ++++++++++++++++--
 arch/x86/kernel/cpu/common.c                  |  24 ++--
 arch/x86/kernel/cpu/scattered.c               |   1 +
 arch/x86/kvm/vmx/vmenter.S                    |   2 +
 debian.master/config/annotations              |   3 +
 include/linux/frame.h                         |  26 ++++
 .../Documentation/stack-validation.txt        |   8 ++
 tools/objtool/arch/x86/decode.c               |   6 +
 tools/objtool/check.c                         |  62 ++++++++-
 21 files changed, 478 insertions(+), 40 deletions(-)
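As an added illustration that is not part of this patch series or the Ubuntu kernel tree, the POSIX shell snippet below parses the spectre_v2 sysfs status line in the semicolon-separated form that patch [1/8] introduces and reports the state of the BHI field that the rest of the series adds. The status lines it embeds are constructed, not captured from a real host; the field layout ("BHI: SW loop, KVM: SW loop") follows the upstream sysfs format, and treating a BHI value that starts with "Vulnerable" as unmitigated is an assumption of this example. It also shows why the comma-to-semicolon change matters: the BHI field contains a comma of its own, so a checker that splits on ',' cuts that field in two.

```shell
#!/bin/sh
# Added example (not code from the patch series): inspect the spectre_v2
# sysfs line and report the BHI mitigation state on an x86 host.

SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed sample in the post-[1/8] format; top-level fields are separated
# by ';' and the BHI field itself contains a ','.
SAMPLE_NEW='Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling; PBRSB-eIBRS: Not affected; BHI: SW loop, KVM: SW loop'

# Read the live sysfs file when present, otherwise fall back to the sample.
read_spectre_v2() {
    if [ -r "$SYSFS" ]; then cat "$SYSFS"; else printf '%s\n' "$SAMPLE_NEW"; fi
}

# Print one top-level field per line, whitespace-trimmed (split on ';').
split_fields() {
    printf '%s\n' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Count top-level fields when splitting on the given separator character.
# Used to show that splitting on ',' mis-parses the line (the BHI field is cut).
count_fields() {
    printf '%s\n' "$1" | tr "$2" '\n' | wc -l | tr -d ' '
}

# Value of the named field ("BHI" -> "SW loop, KVM: SW loop"); empty if absent.
field_value() {
    split_fields "$1" | awk -v key="$2" -F': ' '$1 == key { sub(/^[^:]*: /, ""); print; exit }'
}

# Classify the BHI field: "unreported" on kernels without BHI reporting
# (i.e. before this series), "vulnerable" when the value starts with
# "Vulnerable" (assumed convention), "mitigated" otherwise.
bhi_verdict() {
    v=$(field_value "$1" BHI)
    case "$v" in
        '')          echo unreported ;;
        Vulnerable*) echo vulnerable ;;
        *)           echo mitigated ;;
    esac
}

line=$(read_spectre_v2)
printf 'spectre_v2: %s\n' "$line"
printf 'fields split on ";": %s, split on ",": %s\n' \
    "$(count_fields "$line" ';')" "$(count_fields "$line" ',')"
printf 'BHI field: %s\nBHI verdict: %s\n' "$(field_value "$line" BHI)" "$(bhi_verdict "$line")"
```

On a Focal kernel carrying this series the script reads the live sysfs line; on any other machine it runs against the constructed sample, so the output there says nothing about the host's real mitigation state.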