X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 877548
Date: Sun, 25 Feb 2018 14:31:11 +0000
From: Andy Whitcroft
To: Ubuntu Kernel Team
Subject: [SRU trusty] retpoline/IBPB combined mitigation
Message-ID: <20180225143111.GF4362@brain>

Add retpoline support to Trusty. This combines a backport of the
upstream retpoline patches from v4.4 to the existing IBRS/IBPB
mitigation we already have applied. It also updates the Intel
mitigation to the latest version.

This pull request appears more complex than you might otherwise hope
as we are slowly replacing the non-upstream code with upstream code as
each part becomes available. To this end we are taking off our
non-upstream code, applying the new upstream code, and reapplying the
non-upstream code over the top. This means it is the patches we are
looking to replace that end up with any delta folded into them, not
the upstream patches.

Proposing for SRU to trusty.

-apw

The following changes since commit fbfa1ca679dd9ede02e1e776e26021c21cae872e:

  powerpc: Do not call ppc_md.panic in fadump panic notifier (2018-02-20 09:47:47 +0100)

are available in the Git repository at:

  git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/trusty-retpoline-intelv1

for you to fetch changes up to 901c1131a46ef96e376216d60267e73de5c16232:

  UBUNTU: [Packaging] final-checks -- check for empty retpoline files (2018-02-22 12:09:21 +0000)

----------------------------------------------------------------

  * retpoline abi files are empty on i386 (LP: #1751021)
    - [Packaging] retpoline-extract -- instantiate retpoline files for i386
    - [Packaging] final-checks -- sanity checking ABI contents
    - [Packaging] final-checks -- check for empty retpoline files

  * CVE-2017-5715 (Spectre v2 Intel)
    - x86, microcode: Share native MSR accessing variants
    - kvm: vmx: Scrub hardware GPRs at VM-exit
    - SAUCE: x86/feature: Enable the x86 feature to control Speculation
    - SAUCE: x86/feature: Report presence of IBPB and IBRS control
    - SAUCE: x86/enter: MACROS to set/clear IBRS and set IBPB
    - SAUCE: x86/enter: Use IBRS on syscall and interrupts
    - SAUCE: x86/idle: Disable IBRS entering idle and enable it on wakeup
    - SAUCE: x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
    - SAUCE: x86/mm: Set IBPB upon context switch
    - SAUCE: x86/mm: Only set IBPB when the new thread cannot ptrace current thread
    - SAUCE: x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
    - SAUCE: x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
    - SAUCE: x86/kvm: Set IBPB when switching VM
    - SAUCE: x86/kvm: Toggle IBRS on VM entry and exit
    - SAUCE: x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
    - SAUCE: x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
    - SAUCE: x86/cpu/AMD: Add speculative control support for AMD
    - SAUCE: x86/microcode: Extend post microcode reload to support IBPB feature
    - SAUCE: KVM: SVM: Do not intercept new speculative control MSRs
    - SAUCE: x86/svm: Set IBRS value on VM entry and exit
    - SAUCE: x86/svm: Set IBPB when running a different VCPU
    - SAUCE: KVM: x86: Add speculative control CPUID support for guests
    - SAUCE: x86/entry: Fixup 32bit compat call locations
    - SAUCE: KVM: Fix spec_ctrl CPUID support for guests
    - SAUCE: x86/cpuid: Fix ordering of scattered feature list
    - SAUCE: turn off IBRS when full retpoline is present

  * CVE-2017-5753 (Spectre v1 Intel)
    - x86: Add another set of MSR accessor functions
    - x86/cpu/AMD: Make the LFENCE instruction serialized
    - SAUCE: x86/cpu/AMD: switch to lfence rather than mfence
    - locking/barriers: introduce new observable speculation barrier
    - bpf: prevent speculative execution in eBPF interpreter
    - uvcvideo: prevent speculative execution
    - carl9170: prevent speculative execution
    - qla2xxx: prevent speculative execution
    - fs: prevent speculative execution
    - udf: prevent speculative execution
    - userns: prevent speculative execution
    - SAUCE: claim mitigation via observable speculation barrier
    - powerpc: add osb barrier
    - s390/spinlock: add osb memory barrier
    - arm64: no osb() implementation yet
    - arm: no osb() implementation yet

  * CVE-2017-5715 (Spectre v2 retpoline)
    - x86/alternatives: Fix ALTERNATIVE_2 padding generation properly
    - x86/alternatives: Fix alt_max_short macro to really be a max()
    - x86/alternatives: Guard NOPs optimization
    - x86/alternatives: Switch AMD F15h and later to the P6 NOPs
    - x86/alternatives: Make optimize_nops() interrupt safe and synced
    - x86/alternatives: Fix optimize_nops() checking
    - x86/cpuid: Provide get_scattered_cpuid_leaf()
    - x86/cpu: Factor out application of forced CPU caps
    - x86/cpufeatures: Make CPU bugs sticky
    - x86/cpufeatures: Add X86_BUG_CPU_INSECURE
    - x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
    - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
    - x86/cpu, x86/pti: Do not enable PTI on AMD processors
    - x86/cpu: Merge bugs.c and bugs_64.c
    - sysfs/cpu: Add vulnerability folder
    - x86/cpu: Implement CPU vulnerabilites sysfs functions
    - x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
    - x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier
    - x86/asm: Use register variable to get stack pointer value
    - x86/kbuild: enable modversions for symbols exported from asm
    - x86/asm: Make asm/alternative.h safe from assembly
    - EXPORT_SYMBOL() for asm
    - kconfig.h: use __is_defined() to check if MODULE is defined
    - x86/retpoline: Add initial retpoline support
    - x86/spectre: Add boot time option to select Spectre v2 mitigation
    - x86/retpoline/crypto: Convert crypto assembler indirect jumps
    - x86/retpoline/entry: Convert entry assembler indirect jumps
    - x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
    - x86/retpoline/hyperv: Convert assembler indirect jumps
    - x86/retpoline/xen: Convert Xen hypercall indirect jumps
    - x86/retpoline/checksum32: Convert assembler indirect jumps
    - x86/retpoline/irq32: Convert assembler indirect jumps
    - x86/retpoline: Fill return stack buffer on vmexit
    - x86/retpoline: Remove compile time warning
    - x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
    - module: Add retpoline tag to VERMAGIC
    - x86/mce: Make machine check speculation protected
    - retpoline: Introduce start/end markers of indirect thunk
    - kprobes/x86: Disable optimizing on the function jumps to indirect thunk
    - x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
    - [Config] CONFIG_RETPOLINE=y
    - [Packaging] retpoline -- add call site validation
    - [Packaging] retpoline files must be sorted
    - [Config] disable retpoline for the first upload

  * CVE-2017-5715 (revert embargoed) // CVE-2017-5753 (revert embargoed)
    - Revert "UBUNTU: SAUCE: x86/cpuid: Fix ordering of scattered feature list"
    - Revert "UBUNTU: SAUCE: KVM: Fix spec_ctrl CPUID support for guests"
    - Revert "UBUNTU: SAUCE: x86/entry: Fixup 32bit compat call locations"
    - Revert "UBUNTU: SAUCE: powerpc: no gmb() implementation yet"
    - Revert "UBUNTU: SAUCE: arm: no gmb() implementation yet"
    - Revert "UBUNTU: SAUCE: arm64: no gmb() implementation yet"
    - Revert "UBUNTU: SAUCE: x86/kvm: Fix stuff_RSB() for 32-bit"
    - Revert "UBUNTU: SAUCE: x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature"
    - Revert "UBUNTU: SAUCE: x86/cpu/AMD: Make the LFENCE instruction serialized"
    - Revert "UBUNTU: SAUCE: x86/svm: Add code to clobber the RSB on VM exit"
    - Revert "UBUNTU: SAUCE: KVM: x86: Add speculative control CPUID support for guests"
    - Revert "UBUNTU: SAUCE: x86/svm: Set IBPB when running a different VCPU"
    - Revert "UBUNTU: SAUCE: x86/svm: Set IBRS value on VM entry and exit"
    - Revert "UBUNTU: SAUCE: KVM: SVM: Do not intercept new speculative control MSRs"
    - Revert "UBUNTU: SAUCE: x86/microcode: Extend post microcode reload to support IBPB feature"
    - Revert "UBUNTU: SAUCE: x86/cpu/AMD: Add speculative control support for AMD"
    - Revert "UBUNTU: SAUCE: x86/entry: Use retpoline for syscall's indirect calls"
    - Revert "UBUNTU: SAUCE: x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control"
    - Revert "UBUNTU: SAUCE: x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature"
    - Revert "UBUNTU: SAUCE: x86/kvm: Pad RSB on VM transition"
    - Revert "UBUNTU: SAUCE: x86/kvm: Toggle IBRS on VM entry and exit"
    - Revert "UBUNTU: SAUCE: x86/kvm: Set IBPB when switching VM"
    - Revert "UBUNTU: SAUCE: x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm"
    - Revert "UBUNTU: SAUCE: x86/entry: Stuff RSB for entry to kernel for non-SMEP platform"
    - Revert "UBUNTU: SAUCE: x86/mm: Only set IBPB when the new thread cannot ptrace current thread"
    - Revert "UBUNTU: SAUCE: x86/mm: Set IBPB upon context switch"
    - Revert "UBUNTU: SAUCE: x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup"
    - Revert "UBUNTU: SAUCE: x86/idle: Disable IBRS entering idle and enable it on wakeup"
    - Revert "UBUNTU: SAUCE: x86/enter: Use IBRS on syscall and interrupts"
    - Revert "UBUNTU: SAUCE: x86/enter: MACROS to set/clear IBRS and set IBPB"
    - Revert "UBUNTU: SAUCE: x86/feature: Report presence of IBPB and IBRS control"
    - Revert "UBUNTU: SAUCE: x86/feature: Enable the x86 feature to control Speculation"
    - Revert "UBUNTU: SAUCE: udf: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: fs: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: userns: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: cw1200: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: qla2xxx: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: p54: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: carl9170: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: uvcvideo: prevent speculative execution"
    - Revert "UBUNTU: SAUCE: locking/barriers: introduce new memory barrier gmb()"
    - Revert "kvm: vmx: Scrub hardware GPRs at VM-exit"
    - Revert "x86/cpuid: Provide get_scattered_cpuid_leaf()"
    - Revert "x86: Add another set of MSR accessor functions"
    - Revert "x86, microcode: Share native MSR accessing variants"

Acked-by: Colin Ian King