Received: by 10.223.176.5 with SMTP id f5csp10632wra; Tue, 6 Feb 2018 16:05:01 -0800 (PST) X-Google-Smtp-Source: AH8x2240fJaiSYWuuZw244AHZrAJX178DgN2CXvxMjF6UsNcrO5ejg+IRh15lDKyVXTmQo0xitgG X-Received: by 2002:a17:902:7c03:: with SMTP id x3-v6mr4013306pll.355.1517961901059; Tue, 06 Feb 2018 16:05:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517961901; cv=none; d=google.com; s=arc-20160816; b=LT5+eqXiDcRp7zhSgoiPQvn7fwkWPaOEP85xvT9wsLjCaq9aqiUiM+U2HQhu5V73WL Ac1V+tQRYc7ytOy8QPh2KPNYpazjd2nHuP+IbiNIEfuv3iVpOWMqnQ2NsCVGSqIlEFAA TOocKW/h/SBw6WaeveHkeMVxW6HoZQ6aYJTBGFWR+dgmN04wo4YdmSssM5CyW/nXYkNy j2VGmd9aoT3jqKQUxDiDEAupuJMFI6G14aUA2mwxlej8LOmFFj2rFrzur43es6wlxNxU IFvkYf8xWdZh9SG+oRxa0cAVw/GzZXUSR9pQt9OuG9ad7dbn1aGc34Hv+XJCQqTVS7jz 051w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:to:from :dkim-signature:arc-authentication-results; bh=8lS6qqyVJDKtiZxbm+errr5USxiHsmCwhK8dcjUBi9Y=; b=ZheVKVK+UCEyctQvVCXTXMgwHOyhKNGVkOzvlOCeTqXY6yO1nzMxZTN5PDglPWd86J jhDnme7vK684uQRw/mFHr9u9L2lAa+mQFHPyqZQTeQCzJG4gCFe/R/QZoxkM+Cm2PFOK nxabuspnafu2qoQT7InX9qi9mxe8lZ7v41MP8eNZgwToS/TmZLvcQBv+eNm99q4do4NT quJ48RcKWghUwTAxapLv28wcLJCeTGvIKW/IPvGrRCb/k6Qz+EtAU3puvPxMF8yhJoS9 JLWv1RAZHmzDrVXVuqhOK7UEra3WI776/ws3liT/znm8FoYR3/R92ML2m18dvC+Y/6rg TebQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amazon.co.uk header.s=amazon201209 header.b=PvZcrXDI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.co.uk Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n8si132941pgv.308.2018.02.06.16.04.46; Tue, 06 Feb 2018 16:05:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amazon.co.uk header.s=amazon201209 header.b=PvZcrXDI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.co.uk Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932183AbeBGAD4 (ORCPT + 99 others); Tue, 6 Feb 2018 19:03:56 -0500 Received: from smtp-fw-4101.amazon.com ([72.21.198.25]:36282 "EHLO smtp-fw-4101.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932152AbeBGADr (ORCPT ); Tue, 6 Feb 2018 19:03:47 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.co.uk; i=@amazon.co.uk; q=dns/txt; s=amazon201209; t=1517961826; x=1549497826; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=8lS6qqyVJDKtiZxbm+errr5USxiHsmCwhK8dcjUBi9Y=; b=PvZcrXDItcuD+829P9iXQOFB/NZKnQvyBEj3v0V2XHbqzeZkmf8Np+WN wj4nwvIzTc+M+xSTx3BhoLtAxb+IhtEWzsksXoSBBWIRRXebcJOdwt8IP W3tfxPAB/NcGtoudsvepmpEM0eahB0vqow9LKeljj68CJn5EBXFNLguNe 4=; X-IronPort-AV: E=Sophos;i="5.46,470,1511827200"; d="scan'208";a="707180262" Received: from iad6-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-1d-2c665b5d.us-east-1.amazon.com) ([10.124.125.6]) by smtp-border-fw-out-4101.iad4.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 07 Feb 2018 00:03:45 +0000 Received: from uc8d3ff76b9bc5848a9cc.ant.amazon.com (iad1-ws-svc-lb91-vlan3.amazon.com [10.0.103.150]) by email-inbound-relay-1d-2c665b5d.us-east-1.amazon.com (8.14.7/8.14.7) with ESMTP id w1703dHI104263 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Feb 2018 00:03:41 GMT Received: from uc8d3ff76b9bc5848a9cc.ant.amazon.com (localhost [127.0.0.1]) by uc8d3ff76b9bc5848a9cc.ant.amazon.com (8.15.2/8.15.2/Debian-3) with ESMTP id w1703cCT015519; Wed, 7 Feb 2018 00:03:38 GMT Received: (from dwmw@localhost) by uc8d3ff76b9bc5848a9cc.ant.amazon.com (8.15.2/8.15.2/Submit) id w1703bRO015518; Wed, 7 Feb 2018 00:03:37 GMT From: David Woodhouse To: tglx@linutronix.de, torvalds@linux-foundation.org, x86@kernel.org, linux-kernel@vger.kernel.org, bp@alien8.de, peterz@infradead.org, tim.c.chen@linux.intel.com, dave.hansen@intel.com, arjan.van.de.ven@intel.com Subject: [RFC PATCH 4/4] x86/speculation: Support "Enhanced IBRS" on future CPUs Date: Wed, 7 Feb 2018 00:03:14 +0000 Message-Id: <1517961794-14972-5-git-send-email-dwmw@amazon.co.uk> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1517961794-14972-1-git-send-email-dwmw@amazon.co.uk> References: <1517961794-14972-1-git-send-email-dwmw@amazon.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The original IBRS hack in microcode is horribly slow. For the next generation of CPUs, as a stopgap until we get a proper fix, Intel promise an "Enhanced IBRS" which will be fast. The assumption is that predictions in the BTB/RSB will be tagged with the VMX mode and ring that they were learned in, and thus we can avoid consuming unsafe predictions without a performance penalty. This does not actually *set* the IBRS bit in the SPEC_CTRL register, because Intel's documentation is wrong. Not wrong in the sense of "does not accurately describe Intel's planned future hardware", but more in the sense that if Intel make hardware like that, then they are Doing It Wrong™. With IBRS_ALL advertised in IA32_ARCH_CAPABILITIES, the IBRS bit in the MSR should do *nothing*. The safe mode where the CPU honours the tags in the BTB/RSB should be enabled *unconditionally*. Signed-off-by: David Woodhouse --- arch/x86/include/asm/nospec-branch.h | 2 +- arch/x86/kernel/cpu/bugs.c | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index 788c4da..9b65211 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -140,7 +140,7 @@ enum spectre_v2_mitigation { SPECTRE_V2_RETPOLINE_MINIMAL_AMD, SPECTRE_V2_RETPOLINE_GENERIC, SPECTRE_V2_RETPOLINE_AMD, - SPECTRE_V2_IBRS, + SPECTRE_V2_IBRS_ALL, }; extern char __indirect_thunk_start[]; diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 6f6d763..8dbbeda 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -88,6 +88,7 @@ static const char *spectre_v2_strings[] = { [SPECTRE_V2_RETPOLINE_MINIMAL_AMD] = "Vulnerable: Minimal AMD ASM retpoline", [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline", [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline", + [SPECTRE_V2_IBRS_ALL] = "Mitigation: Enhanced IBRS", }; #undef pr_fmt @@ -240,6 +241,15 @@ static void __init spectre_v2_select_mitigation(void) case SPECTRE_V2_CMD_FORCE: case SPECTRE_V2_CMD_AUTO: + if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) { + u64 ia32_cap = 0; + + rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); + if (ia32_cap & ARCH_CAP_IBRS_ALL) { + mode = SPECTRE_V2_IBRS_ALL; + goto ibrs_all; + } + } if (IS_ENABLED(CONFIG_RETPOLINE)) goto retpoline_auto; break; @@ -277,6 +287,7 @@ static void __init spectre_v2_select_mitigation(void) setup_force_cpu_cap(X86_FEATURE_RETPOLINE); } + ibrs_all: spectre_v2_enabled = mode; pr_info("%s\n", spectre_v2_strings[mode]); @@ -308,7 +319,7 @@ static void __init spectre_v2_select_mitigation(void) * Retpoline means the kernel is safe because it has no indirect * branches. But firmware isn't, so use IBRS to protect that. */ - if (boot_cpu_has(X86_FEATURE_IBRS)) { + if (mode != SPECTRE_V2_IBRS_ALL && boot_cpu_has(X86_FEATURE_IBRS)) { setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); pr_info("Enabling Restricted Speculation for firmware calls\n"); } -- 2.7.4