Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751377AbeAECB2 (ORCPT + 1 other); Thu, 4 Jan 2018 21:01:28 -0500
Received: from smtp-fw-4101.amazon.com ([72.21.198.25]:21733 "EHLO smtp-fw-4101.amazon.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1751108AbeAECB1 (ORCPT ); Thu, 4 Jan 2018 21:01:27 -0500
X-IronPort-AV: E=Sophos;i="5.46,316,1511827200"; d="scan'208";a="701903270"
From: David Woodhouse
To: Andi Kleen
Cc: Paul Turner, LKML, Linus Torvalds, Greg Kroah-Hartman, Tim Chen, Dave Hansen,
	tglx@linutronix.de, Kees Cook, Rik van Riel, Peter Zijlstra, Andy Lutomirski,
	Jiri Kosina, gnomes@lxorguk.ukuu.org.uk
Subject: [PATCH v4 00/13] Retpoline: Avoid speculative indirect calls in kernel
Date: Fri, 5 Jan 2018 02:00:56 +0000
Message-Id: <1515117669-24787-1-git-send-email-dwmw@amazon.co.uk>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path:

This is a fix for the 'variant 2' attack described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Using GCC patches available from the gcc-7_2_0-retpoline branch of
http://git.infradead.org/users/dwmw2/gcc-retpoline.git and by manually
patching assembler code, all indirect branches (that occur after userspace
first runs) are eliminated from the kernel.

They are replaced with a 'retpoline' call sequence which deliberately
prevents speculation.

Now that the thunks are exported, we need to fix MODVERSIONS support,
because genksyms can't generate the crc for the symbols. Still working
on that...

v1: Initial post.

v2: Add CONFIG_RETPOLINE to build kernel without it.
    Change warning messages.
    Hide modpost warning message

v3: Update to the latest CET-capable retpoline version
    Reinstate ALTERNATIVE support

v4: Finish reconciling Andi's and my patch sets, bug fixes.
    Exclude objtool support for now
    Add 'noretpoline' boot option
    Add AMD retpoline alternative

Andi Kleen (4):
  x86/retpoline/irq32: Convert assembler indirect jumps
  retpoline/taint: Taint kernel for missing retpoline in compiler
  x86/retpoline: Add boot time option to disable retpoline
  x86/retpoline: Exclude objtool with retpoline

David Woodhouse (9):
  x86/retpoline: Add initial retpoline support
  x86/retpoline/crypto: Convert crypto assembler indirect jumps
  x86/retpoline/entry: Convert entry assembler indirect jumps
  x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
  x86/retpoline/hyperv: Convert assembler indirect jumps
  x86/retpoline/xen: Convert Xen hypercall indirect jumps
  x86/retpoline/checksum32: Convert assembler indirect jumps
  x86/alternatives: Add missing \n at end of ALTERNATIVE inline asm
  x86/retpoline: Simplify AMD variant of retpoline thunk

 Documentation/admin-guide/kernel-parameters.txt |  3 ++
 Documentation/admin-guide/tainted-kernels.rst   |  3 ++
 arch/x86/Kconfig                                | 17 +++++++-
 arch/x86/Kconfig.debug                          |  6 +--
 arch/x86/Makefile                               | 10 +++++
 arch/x86/crypto/aesni-intel_asm.S               |  5 ++-
 arch/x86/crypto/camellia-aesni-avx-asm_64.S     |  3 +-
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S    |  3 +-
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S       |  4 +-
 arch/x86/entry/entry_32.S                       |  5 ++-
 arch/x86/entry/entry_64.S                       | 22 ++++++++--
 arch/x86/include/asm/alternative.h              |  4 +-
 arch/x86/include/asm/cpufeatures.h              |  1 +
 arch/x86/include/asm/mshyperv.h                 | 18 ++++----
 arch/x86/include/asm/nospec-branch.h            | 58 +++++++++++++++++++++++++
 arch/x86/include/asm/xen/hypercall.h            |  5 ++-
 arch/x86/kernel/cpu/intel.c                     | 10 +++++
 arch/x86/kernel/ftrace_32.S                     |  6 ++-
 arch/x86/kernel/ftrace_64.S                     |  8 ++--
 arch/x86/kernel/irq_32.c                        |  9 ++--
 arch/x86/kernel/setup.c                         |  6 +++
 arch/x86/lib/Makefile                           |  1 +
 arch/x86/lib/checksum_32.S                      |  7 +--
 arch/x86/lib/retpoline.S                        | 53 ++++++++++++++++++++++
 include/linux/kernel.h                          |  4 +-
 kernel/module.c                                 | 11 ++++-
 kernel/panic.c                                  |  1 +
 scripts/mod/modpost.c                           |  9 ++++
 28 files changed, 250 insertions(+), 42 deletions(-)
 create mode 100644 arch/x86/include/asm/nospec-branch.h
 create mode 100644 arch/x86/lib/retpoline.S

-- 
2.7.4
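The cover letter says indirect branches are replaced with a 'retpoline' call sequence that deliberately prevents speculation. The following user-space C program is an added example written for this page, not code from the series or from arch/x86/lib/retpoline.S: it writes out, as inline assembly, the shape of the register thunk the series describes (a `call` that pushes the address of a `pause; lfence` trap, then `mov`-ing the real target over that return address and `ret`-ing into it), next to an ordinary indirect call, so the architectural result can be compared. The function and target names (`call_plain`, `call_retpoline`, `target_a`, `target_b`), the two constructed targets and the x86-64/GCC-style guard are assumptions of this example; on any other architecture the retpoline variant falls back to a plain call so the file still builds.

```c
#include <stdio.h>

/* Two constructed call targets so that the dispatch below is genuinely
 * indirect (assumed names, not part of the series). */
__attribute__((noinline)) static int target_a(void) { return 42; }
__attribute__((noinline)) static int target_b(void) { return 7; }

/* Ordinary indirect call: the CPU steers speculation through its
 * indirect-branch predictor, which is what 'variant 2' trains. */
static int call_plain(int (*fn)(void))
{
    return fn();
}

#if defined(__x86_64__) && defined(__GNUC__)
/* Retpoline-style indirect call. The target sits in %rax, and what the
 * compiler would emit as 'call __x86_indirect_thunk_rax' is written out
 * inline together with the thunk body. The thunk shape follows the
 * sequence the cover letter describes; this is an added example, not the
 * kernel's retpoline.S. */
static int call_retpoline(int (*fn)(void))
{
    long rax = (long)fn;
    __asm__ volatile(
        "mov  %%rsp, %%r12\n\t"    /* save rsp; step over the red zone and align for the callee */
        "sub  $128, %%rsp\n\t"
        "and  $-16, %%rsp\n\t"
        "call 2f\n\t"              /* == call __x86_indirect_thunk_rax */
        "jmp  4f\n\t"              /* the target's own ret brings us back here */
        "2:\n\t"                   /* thunk entry */
        "call 3f\n\t"              /* pushes the address of the trap, not of the target */
        "1:\n\t"                   /* speculation trap: the RSB predicts the ret returns here */
        "pause\n\t"
        "lfence\n\t"
        "jmp  1b\n\t"
        "3:\n\t"
        "mov  %%rax, (%%rsp)\n\t"  /* architectural path: replace the pushed address with the target */
        "ret\n\t"                  /* 'return' into the target; no indirect-branch prediction involved */
        "4:\n\t"
        "mov  %%r12, %%rsp\n\t"
        : "+a"(rax)
        :
        : "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11", "r12",
          "memory", "cc");
    return (int)rax;
}
#else
/* Not x86-64: the thunk cannot be shown, so fall back to a plain call. */
static int call_retpoline(int (*fn)(void))
{
    return fn();
}
#endif

int main(void)
{
    printf("plain:     %d %d\n", call_plain(target_a), call_plain(target_b));
    printf("retpoline: %d %d\n", call_retpoline(target_a), call_retpoline(target_b));
    return 0;
}
```

Both dispatchers reach the same target and return the same value; the difference is only in what the CPU is allowed to predict. The plain `call *%rax` consults the indirect-branch predictor, whereas the retpoline's `ret` is predicted from the return stack buffer, whose most recent entry points at the `pause; lfence` loop, so any mispredicted path spins harmlessly until the architectural `ret` resolves to the real target. In the kernel this pattern is emitted per register by the patched compiler and selected at boot with ALTERNATIVE, which this stand-alone example does not model.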