Received: by 10.223.185.116 with SMTP id b49csp117156wrg; Tue, 13 Feb 2018 17:51:14 -0800 (PST) X-Google-Smtp-Source: AH8x2267wmZymHrxuTnUT5qCgnqyDQgIz0omDCGgdO0tMRWA9pFiPg6+Tpc9o74884Lg+EPdgl5C X-Received: by 2002:a17:902:6909:: with SMTP id j9-v6mr2870459plk.372.1518573074210; Tue, 13 Feb 2018 17:51:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518573074; cv=none; d=google.com; s=arc-20160816; b=fXELJW9s6syVSbYXNg4y5eKma59ytXX/1SYR4S0/uyYVJ62E9B3XrEP/3/dNaxM53r IE4OSI2lOrz7MkPoEYmTXF6HlBchtJLZCPb++X9E4qtokPmNTaV8z5xAOsaralbkm3V2 0172gHiiWetKSghzIKNcgqbnx4YGeXPEJYuoghEaqmJPPwxH2Fbu5RzR4DrvyxkyRaLr 8f8UNWld2yp6qrZIFnmQe5DB46Y8AVBoeIJVdwLouuQK85GL3OtyEsrh8neRrbmIxSMT 6ymxGIN4RgpS05q8fgGJZWF2lbu3bVztJRBgTJC6R1q+iKTKUDRD7F+8BaYn+4dmfhcj Oy1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=GyDMNXixjzU6+nYrRiAj7NvPlorwtCxju31JoznvNZg=; b=yRfKOVtlSdFi4WXwgxRaTQFf6QcghEaOLU/+LklJ3IOiNyWLBbxbRKX+JhaBUz1MuH YUaudj20Ocr4jJ2rThhyYwb1flXyj/Zn0+lPLxCFvuB35tPxc7PlXHWcUOa8tl0RBFdO vY3vxbN8YvSpwiDZMtAT/A54w8VSlLt5crvbSVdTB0trUhT++IszprlwZxrwFBhplImK m2fiWjOBQeeg15CAM9bjaWDOXWczbqQJFenebLTPqN2zeVIG5j8vNllyl1JSXcCYIX68 5HCbqsidxsli5QCZUd/06EAIQn0SIId1zy6JV28U4UZPpALDegeDMfJ+4LRQgmv8FoSO PW1Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p8-v6si1960076plk.192.2018.02.13.17.50.59; Tue, 13 Feb 2018 17:51:14 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966433AbeBNBtv (ORCPT + 99 others); Tue, 13 Feb 2018 20:49:51 -0500 Received: from mga03.intel.com ([134.134.136.65]:11165 "EHLO mga03.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966364AbeBNBtu (ORCPT ); Tue, 13 Feb 2018 20:49:50 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2018 17:49:49 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,510,1511856000"; d="scan'208";a="204003407" Received: from schen9-desk3.jf.intel.com (HELO [10.54.74.42]) ([10.54.74.42]) by fmsmga006.fm.intel.com with ESMTP; 13 Feb 2018 17:49:48 -0800 Subject: Re: [tip:x86/pti] x86/speculation: Use IBRS if available before calling into firmware To: Ingo Molnar , Peter Zijlstra Cc: Dave Hansen , hpa@zytor.com, tglx@linutronix.de, torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, dwmw@amazon.co.uk, linux-tip-commits@vger.kernel.org, Borislav Petkov , Arjan van de Ven References: <1518362359-1005-1-git-send-email-dwmw@amazon.co.uk> <20180212102211.cdrrqqd4hdw7xu5y@gmail.com> <20180212165835.GO25181@hirez.programming.kicks-ass.net> <20180213075540.3lkikkpgjoe6ocjk@gmail.com> From: Tim Chen Message-ID: <5c3ba123-abbe-f153-7b75-a89d31d25c72@linux.intel.com> Date: Tue, 13 Feb 2018 17:49:47 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0 MIME-Version: 1.0 In-Reply-To: <20180213075540.3lkikkpgjoe6ocjk@gmail.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/12/2018 11:55 PM, Ingo Molnar wrote: > > * Peter Zijlstra wrote: > >> On Mon, Feb 12, 2018 at 08:13:31AM -0800, Dave Hansen wrote: >>> On 02/12/2018 02:22 AM, Ingo Molnar wrote: >>>>> +static inline void firmware_restrict_branch_speculation_end(void) >>>>> +{ >>>>> + alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, >>>>> + X86_FEATURE_USE_IBRS_FW); >>>> BTW., there's a detail that only occurred to me today, this enabling/disabling >>>> sequence is not NMI safe, and it might be called from NMI context: >>> >>> FWIW, Tim Chen and I talked about this a bunch. We ended up just >>> saving/restoring the MSR verbatim in the NMI handler the same way we do >>> CR3, stashing it in a high general-purpose-register (r%12?). That costs >>> a RDMSR (at least) and an WRMSR (which you can optimize out). We have a >>> patch for that somewhere if anybody wants it. >> >> I would really rather not do that on the NMI path.. And if we _have_ to, >> please keep a software shadow of that MSR state, such that we can avoid >> touching that MSR 99% of the time. > > Yeah, I'd rather avoid doing firmware calls from NMI context altogether. > > Thanks, > > Ingo > Dave Hansen and I had some discussions on how to handle the nested NMI and firmware calls. We thought of using a per cpu counter to record the nesting call depth and toggle IBRS appropriately for the depth 0->1 and 1->0 transition. Will this change be sufficient? Thanks. Tim commit 55546c27a006198630c57b900abcbd3baaabf63a Author: Tim Chen Date: Tue Feb 13 04:10:41 2018 -0800 x86/firmware: Prevent IBRS from being turned off prematurely. Dave Woodhoue proposed to use IBRS to protect the firmware call path against Spectre exploit. However, firmware path can go through NMI and we can get nested calls, causing unsafe firmware calls with missing IBRS as illustrated below: firmware_restrict_branch_speculation_start (set IBRS=1) NMI firmware_restrict_branch_speculation_start (set IBRS=1) firmware call firmware_restrict_branch_speculation_end (set IBRS=0) NMI return firmware call (with IBRS=0) <---- unsafe call, premature IBRS disabling firmware_restrict_branch_speculation_end (set IBRS=0) This patch proposes using a per cpu counter to track the IBRS firmware call nesting depth, to ensure that we don't turn off IBRS prematurely before calling firmware. Signed-off-by: Tim Chen --- diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index 297d457..1e9c828 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -146,6 +146,8 @@ enum spectre_v2_mitigation { extern char __indirect_thunk_start[]; extern char __indirect_thunk_end[]; +DECLARE_PER_CPU(int, spec_ctrl_ibrs_fw_depth); + /* * On VMEXIT we must ensure that no RSB predictions learned in the guest * can be followed in the host, by overwriting the RSB completely. Both @@ -186,14 +188,16 @@ static inline void indirect_branch_prediction_barrier(void) */ static inline void firmware_restrict_branch_speculation_start(void) { - alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, + if (this_cpu_inc_return(spec_ctrl_ibrs_fw_depth) == 1) + alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, X86_FEATURE_USE_IBRS_FW); } static inline void firmware_restrict_branch_speculation_end(void) { - alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, - X86_FEATURE_USE_IBRS_FW); + if (this_cpu_dec_return(spec_ctrl_ibrs_fw_depth) == 0) + alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, + X86_FEATURE_USE_IBRS_FW); } #endif /* __ASSEMBLY__ */ #endif /* _ASM_X86_NOSPEC_BRANCH_H_ */ diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index c994dab..4ab13f0 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -27,6 +27,8 @@ #include static void __init spectre_v2_select_mitigation(void); +DEFINE_PER_CPU(int, spec_ctrl_ibrs_fw_depth); +EXPORT_PER_CPU_SYMBOL(spec_ctrl_ibrs_fw_depth); void __init check_bugs(void) {