2023-08-14 09:30:29

by Xi Ruoyao

Subject: Does srso safe RET mitigation require microcode update?

Hi,

There seems to be a difference between
Documentation/admin-guide/hw-vuln/srso.rst and the actual behavior. The
documentation says:

First of all, it is required that the latest microcode be loaded for
mitigations to be effective.

And:

* 'Vulnerable: no microcode':

The processor is vulnerable, no microcode extending IBPB
functionality to address the vulnerability has been applied.

Per the text, if there is no firmware update, the system is just
vulnerable. But on a real Zen 3 system, the spec_rstack_overflow file
contains "Mitigation: safe RET, no microcode".

So we are puzzled now: is this system vulnerable or mitigated?

--
Xi Ruoyao <[email protected]>
School of Aerospace Science and Technology, Xidian University


2023-08-14 09:45:19

by Borislav Petkov

Subject: Re: Does srso safe RET mitigation require microcode update?

On Mon, Aug 14, 2023 at 05:00:12PM +0800, Xi Ruoyao wrote:
> So we are puzzled now: is this system vulnerable or mitigated?

Read the whole options text here:

https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html

Does it explain it better?

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2023-08-14 10:12:08

by Rainer Fiebig

Subject: Re: Does srso safe RET mitigation require microcode update?

On 14.08.23 at 11:10, Borislav Petkov wrote:
> On Mon, Aug 14, 2023 at 05:00:12PM +0800, Xi Ruoyao wrote:
>> So we are puzzled now: is this system vulnerable or mitigated?
>
> Read the whole options text here:
>
> https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
>
> Does it explain it better?

Not really, IMO. The text says:

"First of all, it is required that the latest microcode be loaded for
mitigations to be effective.
[...]"

According to that: no latest microcode - system is vulnerable.

Later:
"* 'Mitigation: safe RET':

Software-only mitigation. It complements the extended IBPB microcode
patch functionality by addressing User->Kernel and Guest->Host
transitions protection."

Now, what does that mean: partial mitigation or also no mitigation
without microcode?

And if the latest microcode is indeed needed for "Safe RET": why do
users of AMD's "consumer" Zens have to wait weeks or even longer for an
AGESA instead of being able to simply compile the microcode into the
kernel and get rid of the problem in a few minutes?

Thanks.

Rainer

2023-08-14 13:07:55

by Borislav Petkov

Subject: Re: Does srso safe RET mitigation require microcode update?

On Mon, Aug 14, 2023 at 01:21:01PM +0200, Rainer Fiebig wrote:
> OK, thanks. So I think a reasonable approach for ordinary users would
> be to update to the latest (LTS-) kernel, use the defaults for the
> mitigations and update to the new AGESA when available.

Yap, pretty much.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

2023-08-14 13:20:51

by Borislav Petkov

Subject: Re: Does srso safe RET mitigation require microcode update?

On Mon, Aug 14, 2023 at 11:47:54AM +0200, Rainer Fiebig wrote:
> "* 'Mitigation: safe RET':
>
> Software-only mitigation. It complements the extended IBPB microcode
> patch functionality by addressing User->Kernel and Guest->Host
> transitions protection."
>
> Now, what does that mean: partial mitigation or also no mitigation
> without microcode?

It *complements*! Meaning, for a full safe RET mitigation, you need the
microcode on Zen3/4.

Would that explain it better?

"First of all, it is required that the latest microcode be loaded for
mitigations to be effective. That means that for the User->User
aspect of the mitigation to be effective, one needs the updated
microcode for Zen3 and Zen4 generations. In addition, one needs to
*enable* the User->User mitigation which is part of the spectre_v2_user
controls:

- conditional IBPB:

where each process can select whether it needs an IBPB issued around
it PR_SPEC_DISABLE/_ENABLE etc, see Spectre Side Channels. That is the
default setting

- strict:

i.e., always on - by supplying spectre_v2_user=on on the kernel
command line."

IOW, without microcode, you do not mitigate the User->User aspect of the
mitigation but you mitigate the other vectors with safe RET.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette
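
The reading of the sysfs status given in the message above, as an added example that is not part of the original thread or the kernel's own tooling: a shell function that maps the spec_rstack_overflow string to the vectors the thread says are covered. The function name `srso_coverage`, its output tokens, and the reliance on the "IBPB: conditional" / "IBPB: always-on" fields of the spectre_v2 sysfs file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the SRSO status as explained
# above. $1 = contents of spec_rstack_overflow, $2 = contents of spectre_v2.
# user_kernel stands for the User->Kernel and Guest->Host transitions that
# safe RET covers; user_user is the aspect that needs microcode plus IBPB.
srso_coverage() {
    # Lower-case both strings so spelling variants of "safe RET" still match.
    srso=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    v2=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    case $srso in
        "not affected"*) echo "not-affected"; return 0 ;;
        *"safe ret"*)    uk=yes ;;   # software-only part is active
        vulnerable*)     uk=no ;;
        *)               echo "unrecognized"; return 0 ;;
    esac

    case $srso in
        *"no microcode"*)
            # Without the updated microcode the User->User aspect is open,
            # whatever spectre_v2_user is set to.
            uu=no-microcode ;;
        *)
            case $v2 in
                *"ibpb: always-on"*)   uu=strict ;;       # spectre_v2_user=on
                *"ibpb: conditional"*) uu=conditional ;;  # per-process opt-in
                *)                     uu=ibpb-off ;;
            esac ;;
    esac
    echo "user_kernel=$uk user_user=$uu"
}

dir=/sys/devices/system/cpu/vulnerabilities
if [ -r "$dir/spec_rstack_overflow" ] && [ -r "$dir/spectre_v2" ]; then
    srso_coverage "$(cat "$dir/spec_rstack_overflow")" "$(cat "$dir/spectre_v2")"
else
    # Constructed sample: the Zen 3 status quoted in the first message, with
    # a constructed spectre_v2 line.
    srso_coverage "Mitigation: safe RET, no microcode" \
                  "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled"
fi
```

For the Zen 3 status from the first message this reports the kernel and host transitions as covered and User->User as open until the microcode arrives.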

2023-08-14 13:38:11

by Rainer Fiebig

Subject: Re: Does srso safe RET mitigation require microcode update?

On 14.08.23 at 12:11, Borislav Petkov wrote:
> On Mon, Aug 14, 2023 at 11:47:54AM +0200, Rainer Fiebig wrote:
>> "* 'Mitigation: safe RET':
>>
>> Software-only mitigation. It complements the extended IBPB microcode
>> patch functionality by addressing User->Kernel and Guest->Host
>> transitions protection."
>>
>> Now, what does that mean: partial mitigation or also no mitigation
>> without microcode?
>
> It *complements*! Meaning, for a full safe RET mitigation, you need the
> microcode on Zen3/4.
>
> Would that explain it better?
>
> "First of all, it is required that the latest microcode be loaded for
> mitigations to be effective. That means that for the User->User
> aspect of the mitigation to be effective, one needs the updated
> microcode for Zen3 and Zen4 generations. In addition, one needs to
> *enable* the User->User mitigation which is part of the spectre_v2_user
> controls:
>
> - conditional IBPB:
>
> where each process can select whether it needs an IBPB issued around
> it PR_SPEC_DISABLE/_ENABLE etc, see Spectre Side Channels. That is the
> default setting
>
> - strict:
>
> i.e., always on - by supplying spectre_v2_user=on on the kernel
> command line."
>
> IOW, without microcode, you do not mitigate the User->User aspect of the
> mitigation but you mitigate the other vectors with safe RET.
>
OK, thanks. So I think a reasonable approach for ordinary users would
be to update to the latest (LTS-) kernel, use the defaults for the
mitigations and update to the new AGESA when available.

Rainer