From: tip-bot for Thomas Gleixner
Date: Wed, 28 Nov 2018 06:35:58 -0800
To: linux-tip-commits@vger.kernel.org
Subject: [tip:x86/pti] x86/speculation: Add seccomp Spectre v2 user space protection mode
In-Reply-To: <20181125185006.051663132@linutronix.de>
Git-Commit-ID: 6b3e64c237c072797a9ec918654a60e3a46488e2
List: linux-kernel@vger.kernel.org

Commit-ID: 6b3e64c237c072797a9ec918654a60e3a46488e2
Gitweb: https://git.kernel.org/tip/6b3e64c237c072797a9ec918654a60e3a46488e2
Author: Thomas Gleixner
AuthorDate: Sun, 25 Nov 2018 19:33:55 +0100
Committer: Thomas Gleixner
CommitDate: Wed, 28 Nov 2018 11:57:14 +0100

x86/speculation: Add seccomp Spectre v2 user space protection mode

If 'prctl' mode of user space protection from spectre v2 is selected on the kernel command-line, STIBP and IBPB are applied on tasks which restrict their indirect branch speculation via prctl.

SECCOMP enables the SSBD mitigation for sandboxed tasks already, so it makes sense to prevent spectre v2 user space to user space attacks as well.

The Intel mitigation guide documents how STIBP works:

  Setting bit 1 (STIBP) of the IA32_SPEC_CTRL MSR on a logical processor prevents the predicted targets of indirect branches on any logical processor of that core from being controlled by software that executes (or executed previously) on another logical processor of the same core.

Ergo setting STIBP protects the task itself from being attacked from a task running on a different hyper-thread and protects the tasks running on different hyper-threads from being attacked.

While the document suggests that the branch predictors are shielded between the logical processors, the observed performance regressions suggest that STIBP simply disables the branch predictor more or less completely. Of course the document wording is vague, but the fact that there is also no requirement for issuing IBPB when STIBP is used points clearly in that direction. The kernel still issues IBPB even when STIBP is used until Intel clarifies the whole mechanism.

IBPB is issued when the task switches out, so malicious sandbox code cannot mistrain the branch predictor for the next user space task on the same logical processor.

Signed-off-by: Jiri Kosina
Signed-off-by: Thomas Gleixner Reviewed-by: Ingo Molnar Cc: Peter Zijlstra Cc: Andy Lutomirski Cc: Linus Torvalds Cc: Tom Lendacky Cc: Josh Poimboeuf Cc: Andrea Arcangeli Cc: David Woodhouse Cc: Tim Chen Cc: Andi Kleen Cc: Dave Hansen Cc: Casey Schaufler Cc: Asit Mallick Cc: Arjan van de Ven Cc: Jon Masters Cc: Waiman Long Cc: Greg KH Cc: Dave Stewart Cc: Kees Cook Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20181125185006.051663132@linutronix.de --- Documentation/admin-guide/kernel-parameters.txt | 9 ++++++++- arch/x86/include/asm/nospec-branch.h | 1 + arch/x86/kernel/cpu/bugs.c | 17 ++++++++++++++++- 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index a9b98a4e8789..f405281bb202 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4241,9 +4241,16 @@ per thread. The mitigation control state is inherited on fork. + seccomp + - Same as "prctl" above, but all seccomp + threads will enable the mitigation unless + they explicitly opt out. + auto - Kernel selects the mitigation depending on the available CPU features and vulnerability. - Default is prctl. + + Default mitigation: + If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl" Not specifying this option is equivalent to spectre_v2_user=auto. diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index 2adbe7b047fa..032b6009baab 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -233,6 +233,7 @@ enum spectre_v2_user_mitigation { SPECTRE_V2_USER_NONE, SPECTRE_V2_USER_STRICT, SPECTRE_V2_USER_PRCTL, + SPECTRE_V2_USER_SECCOMP, }; /* The Speculative Store Bypass disable variants */ diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d0137d10f9a6..c9e304960534 100644 --- a/arch/x86/kernel/cpu/bugs.c 
+++ b/arch/x86/kernel/cpu/bugs.c @@ -256,12 +256,14 @@ enum spectre_v2_user_cmd { SPECTRE_V2_USER_CMD_AUTO, SPECTRE_V2_USER_CMD_FORCE, SPECTRE_V2_USER_CMD_PRCTL, + SPECTRE_V2_USER_CMD_SECCOMP, }; static const char * const spectre_v2_user_strings[] = { [SPECTRE_V2_USER_NONE] = "User space: Vulnerable", [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection", [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl", + [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl", }; static const struct { @@ -273,6 +275,7 @@ static const struct { { "off", SPECTRE_V2_USER_CMD_NONE, false }, { "on", SPECTRE_V2_USER_CMD_FORCE, true }, { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false }, + { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false }, }; static void __init spec_v2_user_print_cond(const char *reason, bool secure) @@ -332,10 +335,16 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) case SPECTRE_V2_USER_CMD_FORCE: mode = SPECTRE_V2_USER_STRICT; break; - case SPECTRE_V2_USER_CMD_AUTO: case SPECTRE_V2_USER_CMD_PRCTL: mode = SPECTRE_V2_USER_PRCTL; break; + case SPECTRE_V2_USER_CMD_AUTO: + case SPECTRE_V2_USER_CMD_SECCOMP: + if (IS_ENABLED(CONFIG_SECCOMP)) + mode = SPECTRE_V2_USER_SECCOMP; + else + mode = SPECTRE_V2_USER_PRCTL; + break; } /* Initialize Indirect Branch Prediction Barrier */ @@ -347,6 +356,7 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) static_branch_enable(&switch_mm_always_ibpb); break; case SPECTRE_V2_USER_PRCTL: + case SPECTRE_V2_USER_SECCOMP: static_branch_enable(&switch_mm_cond_ibpb); break; default: @@ -591,6 +601,7 @@ void arch_smt_update(void) update_stibp_strict(); break; case SPECTRE_V2_USER_PRCTL: + case SPECTRE_V2_USER_SECCOMP: update_indir_branch_cond(); break; } 
@@ -833,6 +844,8 @@ void arch_seccomp_spec_mitigate(struct task_struct *task) { if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP) ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); + if (spectre_v2_user == SPECTRE_V2_USER_SECCOMP) + ib_prctl_set(task, PR_SPEC_FORCE_DISABLE); } #endif @@ -864,6 +877,7 @@ static int ib_prctl_get(struct task_struct *task) case SPECTRE_V2_USER_NONE: return PR_SPEC_ENABLE; case SPECTRE_V2_USER_PRCTL: + case SPECTRE_V2_USER_SECCOMP: if (task_spec_ib_force_disable(task)) return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; if (task_spec_ib_disable(task)) @@ -1063,6 +1077,7 @@ static char *stibp_state(void) case SPECTRE_V2_USER_STRICT: return ", STIBP: forced"; case SPECTRE_V2_USER_PRCTL: + case SPECTRE_V2_USER_SECCOMP: if (static_key_enabled(&switch_to_cond_stibp)) return ", STIBP: conditional"; }
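Review bot: the new "seccomp" entry in the kernel-parameters.txt hunk says seccomp threads enable the mitigation "unless they explicitly opt out", but neither that text nor the commit message says how or when. The arch_seccomp_spec_mitigate() hunk applies PR_SPEC_FORCE_DISABLE, and the ib_prctl_get() hunk reports that state as PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE, which a later prctl cannot reverse, so the opt-out has to be chosen at the moment the filter is installed. Suggest spelling that out, e.g. "unless they explicitly opt out when installing the seccomp filter", and adding a sentence that STIBP carries the performance cost the commit message itself describes, since with the new default every seccomp-confined process pays it without asking.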
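Review bot: in the spectre_v2_user_select_mitigation() hunk, moving SPECTRE_V2_USER_CMD_AUTO into the new case with SPECTRE_V2_USER_CMD_SECCOMP changes the default for every kernel built with CONFIG_SECCOMP=y and booted without spectre_v2_user=, and the patch carries Cc: stable, so stable users receive a behaviour and performance change on update. The commit message should state the default change plainly rather than only that it "makes sense". The "auto" text in the documentation hunk also still says the kernel chooses "depending on the available CPU features and vulnerability", while the code now chooses by CONFIG_SECCOMP; consider updating that wording to match.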
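As an added example (not part of this patch or the kernel tree), the following program shows what the new mode looks like from user space: it queries the per-task indirect-branch speculation control that ib_prctl_get() backs, installs a trivial seccomp filter, and queries again. It assumes a Linux toolchain with the UAPI headers; on a kernel booted with spectre_v2_user=seccomp the second query reports the forced state, in the other modes it does not change.

```c
/* Added example, not part of the patch: report the per-task indirect-branch
 * speculation state that ib_prctl_get() returns, before and after a seccomp filter. */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef PR_SPEC_INDIRECT_BRANCH   /* fallback for older libc headers; kernel UAPI values */
#define PR_GET_SPECULATION_CTRL 52
#define PR_SPEC_INDIRECT_BRANCH 1
#define PR_SPEC_PRCTL (1UL << 0)
#define PR_SPEC_ENABLE (1UL << 1)
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
/* Decode prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH) following the
 * cases of ib_prctl_get(): without PR_SPEC_PRCTL the boot mode fixed the answer;
 * with it the task (or seccomp) chose, and FORCE_DISABLE cannot be undone later. */
const char *describe_ib_state(long v)
{
    if (v < 0)                     return "query failed (no PR_GET_SPECULATION_CTRL support?)";
    if (v == 0)                    return "not affected";
    if (!(v & PR_SPEC_PRCTL))      return (v & PR_SPEC_DISABLE) ? "STIBP forced on (strict mode)"
                                                               : "vulnerable (user space mitigation off)";
    if (v & PR_SPEC_FORCE_DISABLE) return "STIBP on for this task, forced (seccomp/prctl), not reversible";
    if (v & PR_SPEC_DISABLE)       return "STIBP on for this task (prctl), reversible";
    return "STIBP off for this task, prctl-controllable";
}

/* Install a minimal allow-everything filter on the calling thread. With
 * spectre_v2_user=seccomp, arch_seccomp_spec_mitigate() force-disables here. */
int install_allow_all_filter(void)
{
    struct sock_filter allow = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog prog = { .len = 1, .filter = &allow };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

int main(void)
{
    long v = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    printf("before seccomp: %s\n", describe_ib_state(v));
    if (install_allow_all_filter() < 0) { perror("seccomp"); return 1; }
    v = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    printf("after seccomp:  %s\n", describe_ib_state(v));
    return 0;
}
```

The "STIBP: conditional" line under /sys/devices/system/cpu/vulnerabilities/spectre_v2 that the stibp_state() hunk produces is the system-wide counterpart of this per-task query.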