From: David Woodhouse
To: Andi Kleen
Cc: Paul Turner, LKML, Linus Torvalds, Greg Kroah-Hartman, Tim Chen, Dave Hansen, tglx@linutronix.de, Kees Cook, Rik van Riel, Peter Zijlstra, Andy Lutomirski, Jiri Kosina, gnomes@lxorguk.ukuu.org.uk, x86@kernel.org, thomas.lendacky@amd.com, Josh Poimboeuf
Subject: [PATCH v8 00/12] Retpoline: Avoid speculative indirect calls in kernel
Date: Thu, 11 Jan 2018 21:46:22 +0000
Message-Id: <1515707194-20531-1-git-send-email-dwmw@amazon.co.uk>

This is a mitigation for the 'variant 2' attack described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Using GCC patches available from the hjl/indirect/gcc-7-branch/master
branch of https://github.com/hjl-tools/gcc/commits/hjl and by manually
patching assembler code, all vulnerable indirect branches (that occur
after userspace first runs) are eliminated from the kernel.

They are replaced with a 'retpoline' call sequence which deliberately
prevents speculation.

Fedora 27 packages of the updated compiler are available at
https://koji.fedoraproject.org/koji/taskinfo?taskID=24065739

v1: Initial post.
v2: Add CONFIG_RETPOLINE to build kernel without it.
    Change warning messages.
    Hide modpost warning message
v3: Update to the latest CET-capable retpoline version
    Reinstate ALTERNATIVE support
v4: Finish reconciling Andi's and my patch sets, bug fixes.
    Exclude objtool support for now
    Add 'noretpoline' boot option
    Add AMD retpoline alternative
v5: Silence MODVERSIONS warnings
    Use pause;jmp loop instead of lfence;jmp
    Switch to X86_FEATURE_RETPOLINE positive feature logic
    Emit thunks inline from assembler macros
    Merge AMD support into initial patch
v6: Update to latest GCC patches with no dots in symbols
    Fix MODVERSIONS properly(ish)
    Fix typo breaking 32-bit, introduced in V5
    Never set X86_FEATURE_RETPOLINE_AMD yet, pending confirmation
v7: Further bikeshedding on macro names
    Stuff RSB on kernel entry
    Implement 'spectre_v2=' command line option for IBRS/IBPB too
    Revert to precisely the asm sequences from the Google paper
v8: Re-enable (I won't say "fix") objtool support
    Use numeric labels for GCC compatibility
    Add support for RSB-stuffing on vmexit
    I don't know... other bloody bikeshedding. Can I sleep now?

Andi Kleen (1):
  x86/retpoline/irq32: Convert assembler indirect jumps

David Woodhouse (10):
  objtool: Allow alternatives to be ignored
  x86/retpoline: Add initial retpoline support
  x86/spectre: Add boot time option to select Spectre v2 mitigation
  x86/retpoline/crypto: Convert crypto assembler indirect jumps
  x86/retpoline/entry: Convert entry assembler indirect jumps
  x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
  x86/retpoline/hyperv: Convert assembler indirect jumps
  x86/retpoline/xen: Convert Xen hypercall indirect jumps
  x86/retpoline/checksum32: Convert assembler indirect jumps
  x86/retpoline: Fill return stack buffer on vmexit

Josh Poimboeuf (1):
  objtool: Detect jumps to retpoline thunks

 Documentation/admin-guide/kernel-parameters.txt |  28 ++++
 arch/x86/Kconfig                                |  13 ++
 arch/x86/Makefile                               |  10 ++
 arch/x86/crypto/aesni-intel_asm.S               |   5 +-
 arch/x86/crypto/camellia-aesni-avx-asm_64.S     |   3 +-
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S    |   3 +-
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S       |   3 +-
 arch/x86/entry/entry_32.S                       |   5 +-
 arch/x86/entry/entry_64.S                       |  12 +-
 arch/x86/include/asm/asm-prototypes.h           |  25 +++
 arch/x86/include/asm/cpufeatures.h              |   2 +
 arch/x86/include/asm/mshyperv.h                 |  18 +-
 arch/x86/include/asm/nospec-branch.h            | 209 ++++++++++++++++++++++++
 arch/x86/include/asm/xen/hypercall.h            |   5 +-
 arch/x86/kernel/cpu/bugs.c                      | 158 +++++++++++++++++-
 arch/x86/kernel/ftrace_32.S                     |   6 +-
 arch/x86/kernel/ftrace_64.S                     |   8 +-
 arch/x86/kernel/irq_32.c                        |   9 +-
 arch/x86/kvm/svm.c                              |   4 +
 arch/x86/kvm/vmx.c                              |   4 +
 arch/x86/lib/Makefile                           |   1 +
 arch/x86/lib/checksum_32.S                      |   7 +-
 arch/x86/lib/retpoline.S                        |  48 ++++++
 tools/objtool/check.c                           |  69 +++++++-
 tools/objtool/check.h                           |   2 +-
 25 files changed, 616 insertions(+), 41 deletions(-)
 create mode 100644 arch/x86/include/asm/nospec-branch.h
 create mode 100644 arch/x86/lib/retpoline.S

-- 
2.7.4
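
Added example, not code from this patch series: a userspace C sketch of the general shape of a retpoline call, where the indirect branch is replaced by a call/ret pair whose speculated return lands in a pause/lfence capture loop. The names retpoline_call, handler_t, twice and negate are hypothetical; on anything other than x86-64 the function falls back to an ordinary indirect call.

```c
#include <stdio.h>

typedef long (*handler_t)(long);

/* Constructed sample targets (hypothetical names). */
static long twice(long x)  { return 2 * x; }
static long negate(long x) { return -x; }

/* Call fn(arg) without executing an indirect call/jmp on x86-64. */
static long retpoline_call(handler_t fn, long arg)
{
#if defined(__x86_64__)
    long r = (long)fn;                   /* rax: target in, result out */
    __asm__ volatile(
        "mov  %%rsp, %%rbx\n\t"          /* save rsp; rbx is callee-saved */
        "sub  $128, %%rsp\n\t"           /* step over the red zone */
        "and  $-16, %%rsp\n\t"           /* ABI stack alignment for the call */
        "jmp  3f\n"
        "1:\tcall 2f\n"                  /* pushes the address of the trap 4: */
        "4:\tpause\n\t"                  /* a speculated 'ret' lands here ... */
        "lfence\n\t"
        "jmp  4b\n"                      /* ... and spins until squashed */
        "2:\tmov  %%rax, (%%rsp)\n\t"    /* overwrite return address with fn */
        "ret\n"                          /* architecturally transfers to fn */
        "3:\tcall 1b\n\t"                /* pushes the real return address */
        "mov  %%rbx, %%rsp\n\t"          /* fn returned here; restore rsp */
        : "+a"(r), "+D"(arg)
        :
        : "rbx", "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14",
          "xmm15", "memory", "cc");
    return r;
#else
    return fn(arg);                      /* other arch: plain indirect call */
#endif
}

int main(void)
{
    printf("%ld %ld\n", retpoline_call(twice, 21), retpoline_call(negate, 5));
    return 0;
}
```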