From: Tim Chen
To: Thomas Gleixner, Andy Lutomirski, Linus Torvalds, Greg KH
Cc: Tim Chen, Dave Hansen, Andrea Arcangeli, Andi Kleen, Arjan Van De Ven, David Woodhouse, linux-kernel@vger.kernel.org
Subject: [PATCH v2 0/8] IBRS patch series
Date: Fri, 5 Jan 2018 18:12:15 -0800

Thanks to everyone for the feedback on the initial posting. This is an updated patchset and I hope I've captured all the review comments. I've done a lot of code clean up per everyone's comments. Please let me know if I've missed something.

The retpoline-related changes are moved to the end of the patch series, so they can be taken out or changed easily without affecting the other patches.

Many people hate the multi-bit spec_ctrl_ibrs variable, so I got rid of that and replaced it with a dynamic_ibrs flag to indicate if we need to switch IBRS when entering/exiting the kernel, which is more intuitive and also makes the code cleaner.

Peter/Andrea suggested that we use a static key to control the run time IBRS enabling/disabling with a "STATIC_JUMP_IF_TRUE" kind of construct. However, I had some concerns that the JUMP_LABEL config may be disabled and the construct cannot be used. I also encountered some OOPSes when changing the ibrs control state, probably related to changing the jump label branching. I haven't had time to debug that, so I left it out for now. I will welcome some help here on a patch to get the static key thing working right.

v2:
1. Added missing feature enumeration in tools/arch/x86/include/asm/cpufeatures.h
2. Kernel entry macros label cleanup and move them to calling.h
3. Remove unnecessary irqs_disabled check in the mwait
4. Don't use a bit-field based sys control variable, to make ibrs enabling simpler and easier to understand
5. Corrected compile issues for firmware update code
6. Leave IBPB feature bits out from this patch series; they will be added in their own set of patches later

Tim

---patch series details---

This patch series enables the basic detection and usage of the x86 indirect branch speculation feature. It enables indirect branch restricted speculation (IBRS) on kernel entry and disables it on exit. It enumerates the indirect branch prediction barrier (IBPB).

The x86 IBRS feature requires corresponding microcode support. It mitigates the variant 2 vulnerability described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

If IBRS is set, near returns and near indirect jumps/calls will not allow their predicted target address to be controlled by code that executed in a less privileged prediction mode before the IBRS mode was last written with a value of 1, or on another logical processor, so long as all RSB entries from the previous less privileged prediction mode are overwritten.

Both retpoline and IBRS provide mitigation against variant 2 attacks, with IBRS being the most secure method, but it could incur more performance overhead compared to retpoline [1]. If you are very paranoid or you run on a CPU where IBRS=1 is cheaper, you may also want to run in "IBRS always" mode.

See: https://docs.google.com/document/d/e/2PACX-1vSMrwkaoSUBAFc6Fjd19F18c1O9pudkfAY-7lGYGOTN8mc9ul-J6pWadcAaBJZcVA7W_3jlLKRtKRbd/pub

A more detailed description of IBRS is given in the first patch. It is applied on top of the page table isolation changes.

A run time and boot time control of the IBRS feature is provided. There are 2 ways to control IBRS:

1. At boot time
   The noibrs kernel boot parameter will disable IBRS usage.
   Otherwise, if the above parameter is not specified, the system will enable ibrs and ibpb usage if the cpu supports it.

2. At run time
   echo 0 > /sys/kernel/debug/x86/ibrs_enabled will turn off IBRS
   echo 1 > /sys/kernel/debug/x86/ibrs_enabled will turn on IBRS in kernel
   echo 2 > /sys/kernel/debug/x86/ibrs_enabled will turn on IBRS in both userspace and kernel (IBRS always)

[1] https://lkml.org/lkml/2018/1/4/174

Tim Chen (8):
  x86/feature: Detect the x86 IBRS feature to control Speculation
  x86/enter: MACROS to set/clear IBRS
  x86/enter: Use IBRS on syscall and interrupts
  x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
  x86/idle: Disable IBRS entering idle and enable it on wakeup
  x86/microcode: Recheck IBRS features on microcode reload
  x86: Do not use dynamic IBRS if retpoline is enabled
  x86: Use IBRS for firmware update path

 arch/x86/entry/calling.h                 | 104 +++++++++++++++
 arch/x86/entry/entry_64.S                |  23 ++++
 arch/x86/entry/entry_64_compat.S         |   8 ++
 arch/x86/include/asm/apm.h               |   6 +
 arch/x86/include/asm/cpufeatures.h       |   1 +
 arch/x86/include/asm/efi.h               |  17 ++-
 arch/x86/include/asm/msr-index.h         |   4 +
 arch/x86/include/asm/mwait.h             |  13 ++
 arch/x86/include/asm/spec_ctrl.h         |  54 ++++++++
 arch/x86/kernel/cpu/Makefile             |   1 +
 arch/x86/kernel/cpu/microcode/core.c     |   4 +
 arch/x86/kernel/cpu/scattered.c          |   3 +
 arch/x86/kernel/cpu/spec_ctrl.c          | 209 +++++++++++++++++++++++++++++++
 arch/x86/kernel/process.c                |   9 +-
 tools/arch/x86/include/asm/cpufeatures.h |   1 +
 15 files changed, 453 insertions(+), 4 deletions(-)
 create mode 100644 arch/x86/include/asm/spec_ctrl.h
 create mode 100644 arch/x86/kernel/cpu/spec_ctrl.c

-- 
2.9.4