From: David Woodhouse
To: Andi Kleen
Cc: Paul Turner, LKML, Linus Torvalds, Greg Kroah-Hartman, Tim Chen, Dave Hansen, tglx@linutronix.de, Kees Cook, Rik van Riel, Peter Zijlstra, Andy Lutomirski, Jiri Kosina, gnomes@lxorguk.ukuu.org.uk
Subject: [PATCH v6 00/10] Retpoline: Avoid speculative indirect calls in kernel
Date: Sun, 7 Jan 2018 22:11:15 +0000
Message-Id: <1515363085-4219-1-git-send-email-dwmw@amazon.co.uk>

This is a mitigation for the 'variant 2' attack described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Using GCC patches available from the hjl/indirect/gcc-7-branch/master
branch of https://github.com/hjl-tools/gcc/commits/hjl and by manually
patching assembler code, all vulnerable indirect branches (that occur
after userspace first runs) are eliminated from the kernel.

They are replaced with a 'retpoline' call sequence which deliberately
prevents speculation.

Fedora 27 packages of the updated compiler are available at
https://koji.fedoraproject.org/koji/taskinfo?taskID=24065739

v1: Initial post.
v2: Add CONFIG_RETPOLINE to build kernel without it.
    Change warning messages.
    Hide modpost warning message
v3: Update to the latest CET-capable retpoline version
    Reinstate ALTERNATIVE support
v4: Finish reconciling Andi's and my patch sets, bug fixes.
    Exclude objtool support for now
    Add 'noretpoline' boot option
    Add AMD retpoline alternative
v5: Silence MODVERSIONS warnings
    Use pause;jmp loop instead of lfence;jmp
    Switch to X86_FEATURE_RETPOLINE positive feature logic
    Emit thunks inline from assembler macros
    Merge AMD support into initial patch
v6: Update to latest GCC patches with no dots in symbols
    Fix MODVERSIONS properly(ish)
    Fix typo breaking 32-bit, introduced in V5
    Never set X86_FEATURE_RETPOLINE_AMD yet, pending confirmation

Andi Kleen (3):
  x86/retpoline/irq32: Convert assembler indirect jumps
  x86/retpoline: Add boot time option to disable retpoline
  x86/retpoline: Exclude objtool with retpoline

David Woodhouse (7):
  x86/retpoline: Add initial retpoline support
  x86/retpoline/crypto: Convert crypto assembler indirect jumps
  x86/retpoline/entry: Convert entry assembler indirect jumps
  x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
  x86/retpoline/hyperv: Convert assembler indirect jumps
  x86/retpoline/xen: Convert Xen hypercall indirect jumps
  x86/retpoline/checksum32: Convert assembler indirect jumps

 Documentation/admin-guide/kernel-parameters.txt |  3 +
 arch/x86/Kconfig                                | 17 ++++-
 arch/x86/Kconfig.debug                          |  6 +-
 arch/x86/Makefile                               | 10 +++
 arch/x86/crypto/aesni-intel_asm.S               |  5 +-
 arch/x86/crypto/camellia-aesni-avx-asm_64.S     |  3 +-
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S    |  3 +-
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S       |  3 +-
 arch/x86/entry/entry_32.S                       |  5 +-
 arch/x86/entry/entry_64.S                       | 12 +++-
 arch/x86/include/asm/asm-prototypes.h           | 25 +++++++
 arch/x86/include/asm/cpufeatures.h              |  2 +
 arch/x86/include/asm/mshyperv.h                 | 18 ++---
 arch/x86/include/asm/nospec-branch.h            | 92 +++++++++++++++++++++++++
 arch/x86/include/asm/xen/hypercall.h            |  5 +-
 arch/x86/kernel/cpu/common.c                    |  3 +
 arch/x86/kernel/cpu/intel.c                     | 11 +++
 arch/x86/kernel/ftrace_32.S                     |  6 +-
 arch/x86/kernel/ftrace_64.S                     |  8 +--
 arch/x86/kernel/irq_32.c                        |  9 +--
 arch/x86/lib/Makefile                           |  1 +
 arch/x86/lib/checksum_32.S                      |  7 +-
 arch/x86/lib/retpoline.S                        | 48 +++++++++++++
 23 files changed, 264 insertions(+), 38 deletions(-)
 create mode 100644 arch/x86/include/asm/nospec-branch.h
 create mode 100644 arch/x86/lib/retpoline.S

-- 
2.7.4
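The retpoline call sequence the cover letter refers to (with the v5 pause;jmp capture loop), written out as an added user-space example rather than the series' own code. It assumes x86-64 with a GNU-syntax assembler; the names retpoline_thunk_rax, call_via_retpoline and call_plain are this example's own, and the mitigated call is shown beside the plain indirect call it replaces.

```c
#include <stdio.h>
long call_via_retpoline(long (*fn)(long), long arg);   /* mitigated call */
long call_plain(long (*fn)(long), long arg);           /* unmitigated call */

#if defined(__x86_64__)
__asm__(
    ".pushsection .text\n"
    /* Thunk: the indirect target sits in %rax, as with a per-register thunk. */
    ".globl retpoline_thunk_rax\n"
    "retpoline_thunk_rax:\n"
    "    call 1f\n"             /* pushes the address of 2f; the ret below is predicted to 2f */
    "2:  pause\n"               /* speculative execution is captured in this harmless loop */
    "    jmp 2b\n"
    "1:  mov %rax, (%rsp)\n"    /* overwrite the pushed return address with the real target */
    "    ret\n"                 /* the architectural path lands at the target */
    /* call_via_retpoline(fn, arg): fn in %rdi, arg in %rsi, returns fn(arg). */
    ".globl call_via_retpoline\n"
    "call_via_retpoline:\n"
    "    sub $8, %rsp\n"        /* keep %rsp 16-byte aligned at the call (SysV ABI) */
    "    mov %rdi, %rax\n"
    "    mov %rsi, %rdi\n"
    "    call retpoline_thunk_rax\n"
    "    add $8, %rsp\n"
    "    ret\n"
    /* call_plain(fn, arg): the indirect call the thunk replaces, for comparison. */
    ".globl call_plain\n"
    "call_plain:\n"
    "    sub $8, %rsp\n"
    "    mov %rdi, %rax\n"
    "    mov %rsi, %rdi\n"
    "    call *%rax\n"          /* target predicted by the indirect branch predictor */
    "    add $8, %rsp\n"
    "    ret\n"
    ".popsection\n"
);
#else
/* Other architectures: plain C so the file still builds, with no mitigation. */
long call_via_retpoline(long (*fn)(long), long arg) { return fn(arg); }
long call_plain(long (*fn)(long), long arg) { return fn(arg); }
#endif

/* Constructed call targets for the demonstration. */
static long add_seven(long x) { return x + 7; }
static long negate(long x) { return -x; }

int main(void)
{
    printf("retpoline: %ld  plain: %ld\n", call_via_retpoline(add_seven, 35), call_plain(negate, 4));
    return 0;
}
```

Both paths return the same architectural result; the difference is only in what the CPU may execute speculatively before the target is known.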