Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753077AbeAFSXy (ORCPT + 1 other); Sat, 6 Jan 2018 13:23:54 -0500 Received: from casper.infradead.org ([85.118.1.10]:51490 "EHLO casper.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752361AbeAFSXw (ORCPT ); Sat, 6 Jan 2018 13:23:52 -0500 X-Greylist: delayed 1103 seconds by postgrey-1.27 at vger.kernel.org; Sat, 06 Jan 2018 13:23:52 EST Message-ID: <1515261921.15588.2.camel@infradead.org> Subject: [PATCH v5.1 02/12] x86/retpoline: Add initial retpoline support From: David Woodhouse To: David Woodhouse , Andi Kleen Cc: Paul Turner , LKML , Linus Torvalds , Greg Kroah-Hartman , Tim Chen , Dave Hansen , tglx@linutronix.de, Kees Cook , Rik van Riel , Peter Zijlstra , Andy Lutomirski , Jiri Kosina , gnomes@lxorguk.ukuu.org.uk Date: Sat, 06 Jan 2018 18:05:21 +0000 In-Reply-To: <1515239374-23361-3-git-send-email-dwmw@amazon.co.uk> References: <1515239374-23361-1-git-send-email-dwmw@amazon.co.uk> <1515239374-23361-3-git-send-email-dwmw@amazon.co.uk> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.2 (3.26.2-1.fc27) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-SRS-Rewrite: SMTP reverse-path rewritten from by casper.infradead.org. See http://www.infradead.org/rpr.html Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: >From b330ffe76cbe0574b4ae729b8399e2afbf4bc6eb Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Thu, 4 Jan 2018 13:58:29 +0000 Subject: [PATCH 02/12] x86/retpoline: Add initial retpoline support Enable the use of -mindirect-branch=thunk-extern in newer GCC, and provide the corresponding thunks. Provide assembler macros for invoking the thunks in the same way that GCC does, from native and inline assembler. This adds X86_FEATURE_RETPOLINE and sets it by default on all CPUs. In some circumstances, IBRS microcode features may be used instead, and the retpoline can be disabled. On AMD CPUs the retpoline can be dramatically simplified to a simple lfence; jmp *\reg. This is enabled by setting the X86_FEATURE_RETPOLINE_AMD feature bit instead of (or as well as) X86_FEATURE_RETPOLINE. [Andi Kleen: Rename the macros, add CONFIG_RETPOLINE option, export thunks] Signed-off-by: David Woodhouse --- Won't send the full set again just yet; this is the 32-bit fix. Also at http://git.infradead.org/users/dwmw2/linux-retpoline.git/ arch/x86/Kconfig | 13 +++++ arch/x86/Makefile | 10 ++++ arch/x86/include/asm/cpufeatures.h | 2 + arch/x86/include/asm/nospec-branch.h | 92 ++++++++++++++++++++++++++++++++++++ arch/x86/kernel/cpu/common.c | 5 ++ arch/x86/lib/Makefile | 1 + arch/x86/lib/retpoline.S | 30 ++++++++++++ 7 files changed, 153 insertions(+) create mode 100644 arch/x86/include/asm/nospec-branch.h create mode 100644 arch/x86/lib/retpoline.S diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index cd5199d..77c58ae 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -428,6 +428,19 @@ config GOLDFISH def_bool y depends on X86_GOLDFISH +config RETPOLINE + bool "Avoid speculative indirect branches in kernel" + default y + help + Compile kernel with the retpoline compiler options to guard against + kernel-to-user data leaks by avoiding speculative indirect + branches. Requires a compiler with -mindirect-branch=thunk-extern + support for full protection. The kernel may run slower. + + Without compiler support, at least indirect branches in assembler + code are eliminated. Since this includes the syscall entry path, + it is not entirely pointless. + config INTEL_RDT bool "Intel Resource Director Technology support" default n diff --git a/arch/x86/Makefile b/arch/x86/Makefile index a20eacd..918e550 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -235,6 +235,16 @@ KBUILD_CFLAGS += -Wno-sign-compare # KBUILD_CFLAGS += -fno-asynchronous-unwind-tables +# Avoid indirect branches in kernel to deal with Spectre +ifdef CONFIG_RETPOLINE + RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register) + ifneq ($(RETPOLINE_CFLAGS),) + KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE + else + $(warning Retpoline not supported in compiler. System may be insecure.) + endif +endif + archscripts: scripts_basic $(Q)$(MAKE) $(build)=arch/x86/tools relocs diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 1641c2f..6f10eda 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -203,6 +203,8 @@ #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ #define X86_FEATURE_SME ( 7*32+10) /* AMD Secure Memory Encryption */ #define X86_FEATURE_PTI ( 7*32+11) /* Kernel Page Table Isolation enabled */ +#define X86_FEATURE_RETPOLINE ( 7*32+12) /* Intel Retpoline mitigation for Spectre variant 2 */ +#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* AMD Retpoline mitigation for Spectre variant 2 */ #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */ #define X86_FEATURE_INTEL_PT ( 7*32+15) /* Intel Processor Trace */ #define X86_FEATURE_AVX512_4VNNIW ( 7*32+16) /* AVX-512 Neural Network Instructions */ diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h new file mode 100644 index 0000000..c4d08fa --- /dev/null +++ b/arch/x86/include/asm/nospec-branch.h @@ -0,0 +1,92 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#ifndef __NOSPEC_BRANCH_H__ +#define __NOSPEC_BRANCH_H__ + +#include +#include +#include + +#ifdef __ASSEMBLY__ + +/* + * These are the bare retpoline primitives for indirect jmp and call. + * Do not use these directly; they only exist to make the ALTERNATIVE + * invocation below less ugly. + */ +.macro RETPOLINE_JMP reg:req + call 1112f +1111: pause + jmp 1111b +1112: mov \reg, (%_ASM_SP) + ret +.endm + +.macro RETPOLINE_CALL reg:req + jmp 1113f +1110: RETPOLINE_JMP \reg +1113: call 1110b +.endm + +/* + * NOSPEC_JMP and NOSPEC_CALL macros can be used instead of a simple + * indirect jmp/call which may be susceptible to the Spectre variant 2 + * attack. + */ +.macro NOSPEC_JMP reg:req +#ifdef CONFIG_RETPOLINE + ALTERNATIVE_2 __stringify(jmp *\reg), \ + __stringify(RETPOLINE_JMP \reg), X86_FEATURE_RETPOLINE, \ + __stringify(lfence; jmp *\reg), X86_FEATURE_RETPOLINE_AMD +#else + jmp *\reg +#endif +.endm + +.macro NOSPEC_CALL reg:req +#ifdef CONFIG_RETPOLINE + ALTERNATIVE_2 __stringify(call *\reg), \ + __stringify(RETPOLINE_CALL \reg), X86_FEATURE_RETPOLINE,\ + __stringify(lfence; call *\reg), X86_FEATURE_RETPOLINE_AMD +#else + call *\reg +#endif +.endm + +#else /* __ASSEMBLY__ */ + +#if defined(CONFIG_X86_64) && defined(RETPOLINE) +/* + * Since the inline asm uses the %V modifier which is only in newer GCC, + * the 64-bit one is dependent on RETPOLINE not CONFIG_RETPOLINE. + */ +# define NOSPEC_CALL ALTERNATIVE( \ + "call *%[thunk_target]\n", \ + "call __x86.indirect_thunk.%V[thunk_target]\n", \ + X86_FEATURE_RETPOLINE) +# define THUNK_TARGET(addr) [thunk_target] "r" (addr) +#elif defined(CONFIG_X86_32) && defined(CONFIG_RETPOLINE) +/* + * For i386 we use the original ret-equivalent retpoline, because + * otherwise we'll run out of registers. We don't care about CET + * here, anyway. + */ +# define NOSPEC_CALL ALTERNATIVE( \ + "call *%[thunk_target]\n", \ + " jmp 1113f; " \ + "1110: call 1112f; " \ + "1111: pause; " \ + " jmp 1111b; " \ + "1112: addl $4, %%esp; " \ + " pushl %[thunk_target]; " \ + " ret; " \ + "1113: call 1110b;\n", \ + X86_FEATURE_RETPOLINE) +# define THUNK_TARGET(addr) [thunk_target] "rm" (addr) +#else /* No retpoline */ +# define NOSPEC_CALL "call *%[thunk_target]\n" +# define THUNK_TARGET(addr) [thunk_target] "rm" (addr) +#endif + +#endif /* __ASSEMBLY__ */ +#endif /* __NOSPEC_BRANCH_H__ */ diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 372ba3f..40e6e54 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -904,6 +904,11 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c) setup_force_cpu_bug(X86_BUG_SPECTRE_V1); setup_force_cpu_bug(X86_BUG_SPECTRE_V2); +#ifdef CONFIG_RETPOLINE + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); + if (c->x86_vendor == X86_VENDOR_AMD) + setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD); +#endif fpu__init_system(c); diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile index 457f681..d435c89 100644 --- a/arch/x86/lib/Makefile +++ b/arch/x86/lib/Makefile @@ -26,6 +26,7 @@ lib-y += memcpy_$(BITS).o lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o lib-$(CONFIG_RANDOMIZE_BASE) += kaslr.o +lib-$(CONFIG_RETPOLINE) += retpoline.o obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S new file mode 100644 index 0000000..ccb117a --- /dev/null +++ b/arch/x86/lib/retpoline.S @@ -0,0 +1,30 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#include +#include +#include +#include +#include +#include +#include + +.macro THUNK reg + .section .text.__x86.indirect_thunk.\reg + +ENTRY(__x86.indirect_thunk.\reg) + CFI_STARTPROC + NOSPEC_JMP %\reg + CFI_ENDPROC +ENDPROC(__x86.indirect_thunk.\reg) +EXPORT_SYMBOL(__x86.indirect_thunk.\reg) +.endm + +#ifdef CONFIG_64BIT +.irp reg rax rbx rcx rdx rsi rdi rbp r8 r9 r10 r11 r12 r13 r14 r15 + THUNK \reg +.endr +#else +.irp reg eax ebx ecx edx esi edi ebp + THUNK \reg +.endr +#endif -- 2.7.4 -- dwmw2