Received: by 10.223.176.46 with SMTP id f43csp2331667wra;
        Thu, 25 Jan 2018 08:17:04 -0800 (PST)
X-Google-Smtp-Source: AH8x225iom9myWY2z3a9g4d93ASuhlraiYtW0/86CJUEacl6Ujxhd7Cq5SjDYxj26f0lKsjP5700
X-Received: by 2002:a17:902:8e86:: with SMTP id bg6-v6mr12223437plb.402.1516897024183;
        Thu, 25 Jan 2018 08:17:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516897024; cv=none;
        d=google.com; s=arc-20160816;
        b=Ifth9g7dNI/MWW2MEHISj5knY2/OCSg6hB6XfI5DBw6+VG5k5B75jw/CGDR0zK+kPd
         X7QXtXZiF037+zCWUfP+Fu0D5FTd9cRtL7JvDD5Kl4oQOWHzhvF+iVi2frp4JeRbYzZW
         7VG2RN/OXtrFcM4gaaeXjQ/L2yXNbUaqcGu63IY7Wa/sVOCwfJv8BD3cY14TNrGnBzse
         +6JGL3nvZ9a79oBglWhEBrnrvxo0SzYKr5wPePhY57Px72JolHA2TvoC7uzGZgPLJJ1a
         BAzrglPr37fo5G4UpSNyFAS8cCQLVp3rzEYaCHKqo1+3pyD+5L/JlmmPnH+cUNW9drzD
         zDuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:to:from
         :dkim-signature:arc-authentication-results;
        bh=8ez39NjgifPVltMpnfO4P31HqtnKRLhoNxVnTdYqE7o=;
        b=SGplqvfrclKtRiiQurMk3M98oYpsezQOf4SNs4sse8Kz5gy5fI07tR8/JgnulVceSy
         P/TgiNOugo7ZgnCNGkyPdOa9g4W79Y2PTifrQ4IfGdVLFD0X7aksyVMpj+4sI/Sdgxi/
         0A1croI/3IrwswhwRvMQXZRo6BMXinRER2ddk0JMiwzMjTNgShCQ66PK4CSGG3F29bqb
         9EVAr6JV5UatGbhawuCP8f7IWjJTTjpdEZM6BSK8jSZfsvvSwWO1O0Yo7Cb2k0du8qrv
         /J4U+AZ/J7bkHGeuWJwW+udsBL+5oiI9F08CcumK6AzgAXxXq0df/o0c90X++u6CJQAx
         ie+g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amazon.co.uk header.s=amazon201209 header.b=D2TZ06fj;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.co.uk
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m6si1718752pgr.468.2018.01.25.08.16.49;
        Thu, 25 Jan 2018 08:17:04 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazon.co.uk header.s=amazon201209 header.b=D2TZ06fj;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.co.uk
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751450AbeAYQQC (ORCPT <rfc822;daisukeokaopensource@gmail.com>
        + 99 others); Thu, 25 Jan 2018 11:16:02 -0500
Received: from smtp-fw-9102.amazon.com ([207.171.184.29]:50609 "EHLO
        smtp-fw-9102.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751255AbeAYQOu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 25 Jan 2018 11:14:50 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=amazon.co.uk; i=@amazon.co.uk; q=dns/txt;
  s=amazon201209; t=1516896890; x=1548432890;
  h=from:to:subject:date:message-id:in-reply-to:references:
   mime-version:content-transfer-encoding;
  bh=8ez39NjgifPVltMpnfO4P31HqtnKRLhoNxVnTdYqE7o=;
  b=D2TZ06fjwDkwF7nes3zLAo0mD6DlTBqKwilTUzTpSak89c6wSF1JV+uX
   ZVD7iRxnd858UZ5cxZRExFhIBYDUA+cTt1e6wPVRcAg5tHGdSoZ/6ShF2
   D0PV1kCSeWZaGVeQl0lLfvzT/pDLBKiIBDQdLkCeqzTosp2sZ4ZYnBEdz
   8=;
X-IronPort-AV: E=Sophos;i="5.46,412,1511827200"; 
   d="scan'208";a="589885269"
Received: from sea3-co-svc-lb6-vlan3.sea.amazon.com (HELO email-inbound-relay-1a-715bee71.us-east-1.amazon.com) ([10.47.22.38])
  by smtp-border-fw-out-9102.sea19.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 25 Jan 2018 16:14:48 +0000
Received: from uc8d3ff76b9bc5848a9cc.ant.amazon.com (iad1-ws-svc-lb91-vlan2.amazon.com [10.0.103.146])
        by email-inbound-relay-1a-715bee71.us-east-1.amazon.com (8.14.7/8.14.7) with ESMTP id w0PGEb9k115553
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
        Thu, 25 Jan 2018 16:14:39 GMT
Received: from uc8d3ff76b9bc5848a9cc.ant.amazon.com (localhost [127.0.0.1])
        by uc8d3ff76b9bc5848a9cc.ant.amazon.com (8.15.2/8.15.2/Debian-3) with ESMTP id w0PGEZ8J008095;
        Thu, 25 Jan 2018 16:14:35 GMT
Received: (from dwmw@localhost)
        by uc8d3ff76b9bc5848a9cc.ant.amazon.com (8.15.2/8.15.2/Submit) id w0PGEYwB008093;
        Thu, 25 Jan 2018 16:14:34 GMT
From:   David Woodhouse <dwmw@amazon.co.uk>
To:     arjan@linux.intel.com, tglx@linutronix.de, karahmed@amazon.de,
        x86@kernel.org, linux-kernel@vger.kernel.org,
        tim.c.chen@linux.intel.com, bp@alien8.de, peterz@infradead.org,
        pbonzini@redhat.com, ak@linux.intel.com,
        torvalds@linux-foundation.org, gregkh@linux-foundation.org,
        dave.hansen@intel.com, gnomes@lxorguk.ukuu.org.uk,
        ashok.raj@intel.com, mingo@kernel.org
Subject: [PATCH v5 6/7] x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
Date:   Thu, 25 Jan 2018 16:14:14 +0000
Message-Id: <1516896855-7642-7-git-send-email-dwmw@amazon.co.uk>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1516896855-7642-1-git-send-email-dwmw@amazon.co.uk>
References: <1516896855-7642-1-git-send-email-dwmw@amazon.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This doesn't refuse to load the affected microcodes; it just refuses to
use the Spectre v2 mitigation features if they're detected, by clearing
the appropriate feature bits.

The AMD CPUID bits are handled here too, because hypervisors *may* have
been exposing those bits even on Intel chips, for fine-grained control
of what's available.

It is non-trivial to use x86_match_cpu() for this table because that
doesn't handle steppings. And the approach taken in commit bd9240a18
almost made me lose my lunch.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/intel.c | 66 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index b720dac..125b65f 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -102,6 +102,59 @@ static void probe_xeon_phi_r3mwait(struct cpuinfo_x86 *c)
 		ELF_HWCAP2 |= HWCAP2_RING3MWAIT;
 }
 
+/*
+ * Early microcode releases for the Spectre v2 mitigation were broken.
+ * Information taken from;
+ * • https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf
+ * • https://kb.vmware.com/s/article/52345
+ * • Microcode revisions observed in the wild
+ * • releasenote from 20180108 microcode release
+ */
+struct sku_microcode {
+	u8 model;
+	u8 stepping;
+	u32 microcode;
+};
+static const struct sku_microcode spectre_bad_microcodes[] = {
+	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0B,	0x84 },
+	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x0A,	0x84 },
+	{ INTEL_FAM6_KABYLAKE_DESKTOP,	0x09,	0x84 },
+	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x0A,	0x84 },
+	{ INTEL_FAM6_KABYLAKE_MOBILE,	0x09,	0x84 },
+	{ INTEL_FAM6_SKYLAKE_X,		0x03,	0x0100013e },
+	{ INTEL_FAM6_SKYLAKE_X,		0x04,	0x0200003c },
+	{ INTEL_FAM6_SKYLAKE_MOBILE,	0x03,	0xc2 },
+	{ INTEL_FAM6_SKYLAKE_DESKTOP,	0x03,	0xc2 },
+	{ INTEL_FAM6_BROADWELL_CORE,	0x04,	0x28 },
+	{ INTEL_FAM6_BROADWELL_GT3E,	0x01,	0x1b },
+	{ INTEL_FAM6_BROADWELL_XEON_D,	0x02,	0x14 },
+	{ INTEL_FAM6_BROADWELL_XEON_D,	0x03,	0x07000011 },
+	{ INTEL_FAM6_BROADWELL_X,	0x01,	0x0b000025 },
+	{ INTEL_FAM6_HASWELL_ULT,	0x01,	0x21 },
+	{ INTEL_FAM6_HASWELL_GT3E,	0x01,	0x18 },
+	{ INTEL_FAM6_HASWELL_CORE,	0x03,	0x23 },
+	{ INTEL_FAM6_HASWELL_X,		0x02,	0x3b },
+	{ INTEL_FAM6_HASWELL_X,		0x04,	0x10 },
+	{ INTEL_FAM6_IVYBRIDGE_X,	0x04,	0x42a },
+	/* Updated in the 20180108 release; blacklist until we know otherwise */
+	{ INTEL_FAM6_ATOM_GEMINI_LAKE,	0x01,	0x22 },
+	/* Observed in the wild */
+	{ INTEL_FAM6_SANDYBRIDGE_X,	0x06,	0x61b },
+	{ INTEL_FAM6_SANDYBRIDGE_X,	0x07,	0x712 },
+};
+
+static bool bad_spectre_microcode(struct cpuinfo_x86 *c)
+{
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
+		if (c->x86_model == spectre_bad_microcodes[i].model &&
+		    c->x86_mask == spectre_bad_microcodes[i].stepping)
+			return (c->microcode <= spectre_bad_microcodes[i].microcode);
+	}
+	return false;
+}
+
 static void early_init_intel(struct cpuinfo_x86 *c)
 {
 	u64 misc_enable;
@@ -122,6 +175,19 @@ static void early_init_intel(struct cpuinfo_x86 *c)
 	if (c->x86 >= 6 && !cpu_has(c, X86_FEATURE_IA64))
 		c->microcode = intel_get_microcode_revision();
 
+	if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
+	     cpu_has(c, X86_FEATURE_STIBP) ||
+	     cpu_has(c, X86_FEATURE_AMD_SPEC_CTRL) ||
+	     cpu_has(c, X86_FEATURE_AMD_PRED_CMD) ||
+	     cpu_has(c, X86_FEATURE_AMD_STIBP)) && bad_spectre_microcode(c)) {
+		pr_warn("Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL\n");
+		clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
+		clear_cpu_cap(c, X86_FEATURE_STIBP);
+		clear_cpu_cap(c, X86_FEATURE_AMD_SPEC_CTRL);
+		clear_cpu_cap(c, X86_FEATURE_AMD_PRED_CMD);
+		clear_cpu_cap(c, X86_FEATURE_AMD_STIBP);
+	}
+
 	/*
 	 * Atom erratum AAE44/AAF40/AAG38/AAH41:
 	 *
-- 
2.7.4