Subject: Re: [PATCH] x86/retpoline: Fill return stack buffer on vmexit
From: "Woodhouse, David"
Organization: Amazon
To: Boris Petkov, Peter Zijlstra, "Thomas.Lendacky@amd.com"
CC: "ak@linux.intel.com", "tim.c.chen@linux.intel.com", "linux-kernel@vger.kernel.org", "torvalds@linux-foundation.org", "tglx@linutronix.de", "x86@kernel.org", "riel@redhat.com", "keescook@google.com", "gnomes@lxorguk.ukuu.org.uk", "pjt@google.com", "Ghitulete, Razvan-alin", "dave.hansen@intel.com", "luto@amacapital.net", "jikos@kernel.org", "gregkh@linux-foundation.org"
Date: Thu, 11 Jan 2018 09:07:08 +0000

On Thu, 2018-01-11 at 09:49 +0100, Boris Petkov wrote:
> On January 11, 2018 9:42:38 AM GMT+01:00, Peter Zijlstra wrote:
> >Or we teach the alternative thing to patch in a jmp to end instead of
> >NOP padding the entire thing as soon as the jmp (3 bytes) fits ?
>
> Or, even better: use alternative_call() to call functions instead of patching gazillion bytes.

For this one I kind of wanted to keep it as a macro so we can select
which register it uses. I've taken the bulk of it out of the ALTERNATIVE,
and just switch between the first 'mov' instruction and a jmp over the
whole lot.

Looks like this now...

From 302622182f56825b7cf2c39ce88ea8c462d587fe Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Wed, 10 Jan 2018 22:32:24 +0000
Subject: [PATCH] x86/retpoline: Fill return stack buffer on vmexit

In accordance with the Intel and AMD documentation, we need to overwrite
all entries in the RSB on exiting a guest, to prevent malicious branch
target predictions from affecting the host kernel. This is needed both
for retpoline and for IBRS.

Signed-off-by: David Woodhouse
---
 arch/x86/include/asm/nospec-branch.h | 72 ++++++++++++++++++++++++++++++++++++
 arch/x86/kvm/svm.c                   |  4 ++
 arch/x86/kvm/vmx.c                   |  4 ++
 3 files changed, 80 insertions(+)

diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 7d70ea9..8fbc8b9 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -7,6 +7,50 @@
 #include
 #include
 
+/*
+ * Fill the CPU return stack buffer.
+ *
+ * Each entry in the RSB, if used for a speculative 'ret', contains an
+ * infinite 'pause; jmp' loop to capture speculative execution.
+ *
+ * This is required in various cases for retpoline and IBRS-based
+ * mitigations for the Spectre variant 2 vulnerability. Sometimes to
+ * eliminate potentially bogus entries from the RSB, and sometimes
+ * purely to ensure that it doesn't get empty, which on some CPUs would
+ * allow predictions from other (unwanted!) sources to be used.
+ *
+ * We define a CPP macro such that it can be used from both .S files and
+ * inline assembly. It's possible to do a .macro and then include that
+ * from C via asm(".include ") but let's not go there
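Review bot: the new comment block in nospec-branch.h should also record how the alternative is applied, since the reply above explains that the ALTERNATIVE now swaps only the first 'mov' against a jmp over the whole fill sequence instead of NOP-padding all of it; a reader of the header alone would not learn that the sequence is jumped over, not executed as NOPs, on CPUs that do not need it. Consider adding a line after "inline assembly." such as " * Only the first instruction is patched: it is replaced by a jmp over the whole sequence when the fill is not needed." It would also help the "Sometimes to eliminate potentially bogus entries ... and sometimes purely to ensure that it doesn't get empty" paragraph to point at the Intel and AMD documentation the commit message relies on, so that the two distinct reasons for the fill can be checked against which CPUs each applies to.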