Date: Tue, 7 Aug 2018 15:25:35 -0700
Message-Id: <20180807222535.143193-1-jmattson@google.com>
X-Mailer: git-send-email 2.18.0.597.ga71716f1ad-goog
Subject: [PATCH] x86/spectre: Expand test for vulnerability to empty RSB exploits
From: Jim Mattson
To: Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", x86@kernel.org
Cc: Borislav Petkov, Konrad Rzeszutek Wilk, David Woodhouse, linux-kernel@vger.kernel.org, Fred Jacobs, Peter Shier, Jim Mattson
X-Mailing-List: linux-kernel@vger.kernel.org

Skylake-era Intel CPUs are vulnerable to exploits of empty RSB
conditions. On hardware, platform vulnerability can be determined
simply by checking the processor's DisplayModel/DisplayFamily
signature. However, when running in a VM, the operating system should
also query IA32_ARCH_CAPABILITIES.RSBA[bit 2], a synthetic bit that
can be set by a hypervisor to indicate that the VM might run on a
vulnerable physical processor, regardless of the
DisplayModel/DisplayFamily reported by CPUID.

Note that IA32_ARCH_CAPABILITIES.RSBA[bit 2] is always clear on
hardware, so the DisplayModel/DisplayFamily check is still required.

For all of the details, see the Intel white paper, "Retpoline: A
Branch Target Injection Mitigation" (document number 337131-001),
section 5.3: Virtual Machine CPU Identification.

Signed-off-by: Jim Mattson Reviewed-by: Peter Shier --- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/bugs.c | 14 +++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index 68b2c3150de1..f37ec58c4e04 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -70,6 +70,7 @@ #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a #define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */ #define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */ +#define ARCH_CAP_RSBA (1 << 2) /* Vulnerable to empty RSB */ #define ARCH_CAP_SSB_NO (1 << 4) /* * Not susceptible to Speculative Store Bypass * attack, so no Speculative Store Bypass diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 5c0ea39311fe..b6fe335746a4 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -330,6 +330,18 @@ static bool __init is_skylake_era(void) return false; } +/* Check for vulnerability to exploits of empty RSB conditions */ +static bool __init is_vulnerable_to_empty_rsb(void) +{ + u64 ia32_cap = 0; + + if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) + rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); + + return (ia32_cap & ARCH_CAP_RSBA) || is_skylake_era(); +} + + static void __init spectre_v2_select_mitigation(void) { enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); @@ -402,7 +414,7 @@ static void __init spectre_v2_select_mitigation(void) * switch is required. */ if ((!boot_cpu_has(X86_FEATURE_PTI) && - !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { + !boot_cpu_has(X86_FEATURE_SMEP)) || is_vulnerable_to_empty_rsb()) { setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); pr_info("Spectre v2 mitigation: Filling RSB on context switch\n"); } -- 2.18.0.597.ga71716f1ad-goog
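
Review bot: In the msr-index.h hunk, the comment on ARCH_CAP_RSBA, "Vulnerable to empty RSB", reads as a statement about the processor, while the commit message describes the bit as synthetic, set only by a hypervisor and always clear on hardware. Suggest wording the comment so that a reader of the header sees this, for example that the hypervisor reports the VM might run on a processor vulnerable to empty RSB conditions, so a clear bit is not taken to mean "not vulnerable".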
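
Review bot: In the first bugs.c hunk, two blank lines are added after the closing brace of is_vulnerable_to_empty_rsb(), before spectre_v2_select_mitigation(); one is enough. The one-line comment above the function would also be more useful if it said why both tests are kept: per the commit message the RSBA bit is only ever set by a hypervisor, so is_skylake_era() remains the test on bare metal, and ia32_cap is initialised to 0 so that a CPU without X86_FEATURE_ARCH_CAPABILITIES falls through to that check.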
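
Review bot: In the second bugs.c hunk, the comment block ending "switch is required." sits directly above the changed condition and only its last line is in the context. If that comment still describes the third clause as a Skylake model check, it should be updated in this patch to mention the hypervisor-reported RSBA case, since the condition now calls is_vulnerable_to_empty_rsb() instead of is_skylake_era().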