Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp11539ybm; Mon, 20 May 2019 10:59:13 -0700 (PDT) X-Google-Smtp-Source: APXvYqxfAV7/6oh5sujBmZFqEm3rORZa594ttLeQCWV/h8qq2ELmjeXPhBViuVQgxXQ5BGXfJ8ZR X-Received: by 2002:a17:902:b58a:: with SMTP id a10mr47506923pls.83.1558375153083; Mon, 20 May 2019 10:59:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558375153; cv=none; d=google.com; s=arc-20160816; b=QWOILNTwlX3z+RJh4sNm4AHecXOe3JWAmakD3tFvgw+jmUBp/xbh21uq2TryHj4R2j 3BzwnrYepxxv9d87EzwD57whqTQ8pUZwSTZ++o0X3IPgPcukFVNOoHNvz9fvZov4DaR4 rP6em6Ed/oyM8r2BXU5Io0UcAqYMIQHplBtG0uB+Oz0LJCinumpveQQzoDiHHCLmEOpq PIUHdLAwbj6CipNfYTrPQZwBDOCv93PgdYLqp9lqj8owVzmonMeRz5tK3VOUv0J1OiYC hwooFsmamTNkNYsfWsdzmF/MkUrc2F3LD6HY1hzDPM+i3P+2BW/bBogshqR9ZO4Cov+l RxjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=8NgyReSLpbVPU/QjACev8PQrpDlF6U3CRNqJHeFqJes=; b=TNMEI5A7TGSvdXTaEEHNo4W5L5qvLtRW7dprFsJEjtC+pcPDptrao7TaGj+ok7VMjA 1MuEf+cWGDuqzT/si6VtB6ybDbCB249J1aRqpKCHBuXv/+sRIbtGOanAeenHDzDlsmgV Ds+dq/oZUfxSI/3SLg6UFymAPyZWrIi2TISsf3QB0ubY7uE29CU1aXR62qROBrlOa1Xd BxeMKKXV76Q4ZPMa/2yKAptzkM0y/KNGzSMB/5lum9ZGKPRqzQHiHF/OnrGQ/fdur4BI hBXE+aQ9HwPw+6wth88CjjrQM0O/aMHoi974uB0H9Pebextlw8WLxNfVaa3w2DNVRbFv LScw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=IZIhyJYn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id co12si19177343plb.384.2019.05.20.10.58.58; Mon, 20 May 2019 10:59:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=IZIhyJYn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390907AbfETMuF (ORCPT + 99 others); Mon, 20 May 2019 08:50:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:34696 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730404AbfETMVM (ORCPT ); Mon, 20 May 2019 08:21:12 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B3A46213F2; Mon, 20 May 2019 12:21:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1558354871; bh=hcCWdm8G1C81OZqG9T6IE40vqZ2g7WBEfGBUW8Mt+Bg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IZIhyJYneebqqkkR5EjA4s3UqF59ZcVwKRRqmRsqMMvDeYZ+QBlIwDfvZm9uCjxpL N9YWS45fsqcKCCyqwKQBC1tEA3zHzRRgQExUSDyp5UJCjbiZfV6EUF3rnuYUnDRPUS 6lw+xd+DddGKmlA+IWXwS1rQXUrlRi8eaSNOehhs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andy Lutomirski , Borislav Petkov , Frederic Weisbecker , Jon Masters , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Ingo Molnar Subject: [PATCH 4.19 003/105] x86/speculation/mds: Improve CPU buffer clear documentation Date: Mon, 20 May 2019 14:13:09 +0200 Message-Id: <20190520115247.289761419@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190520115247.060821231@linuxfoundation.org> References: <20190520115247.060821231@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Andy Lutomirski commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream. On x86_64, all returns to usermode go through prepare_exit_to_usermode(), with the sole exception of do_nmi(). This even includes machine checks -- this was added several years ago to support MCE recovery. Update the documentation. Signed-off-by: Andy Lutomirski Cc: Borislav Petkov Cc: Frederic Weisbecker Cc: Greg Kroah-Hartman Cc: Jon Masters Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: stable@vger.kernel.org Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user") Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman --- Documentation/x86/mds.rst | 39 +++++++-------------------------------- 1 file changed, 7 insertions(+), 32 deletions(-) --- a/Documentation/x86/mds.rst +++ b/Documentation/x86/mds.rst @@ -142,38 +142,13 @@ Mitigation points mds_user_clear. The mitigation is invoked in prepare_exit_to_usermode() which covers - most of the kernel to user space transitions. There are a few exceptions - which are not invoking prepare_exit_to_usermode() on return to user - space. These exceptions use the paranoid exit code. - - - Non Maskable Interrupt (NMI): - - Access to sensible data like keys, credentials in the NMI context is - mostly theoretical: The CPU can do prefetching or execute a - misspeculated code path and thereby fetching data which might end up - leaking through a buffer. - - But for mounting other attacks the kernel stack address of the task is - already valuable information. So in full mitigation mode, the NMI is - mitigated on the return from do_nmi() to provide almost complete - coverage. - - - Machine Check Exception (#MC): - - Another corner case is a #MC which hits between the CPU buffer clear - invocation and the actual return to user. As this still is in kernel - space it takes the paranoid exit path which does not clear the CPU - buffers. So the #MC handler repopulates the buffers to some - extent. Machine checks are not reliably controllable and the window is - extremly small so mitigation would just tick a checkbox that this - theoretical corner case is covered. To keep the amount of special - cases small, ignore #MC. - - - Debug Exception (#DB): - - This takes the paranoid exit path only when the INT1 breakpoint is in - kernel space. #DB on a user space address takes the regular exit path, - so no extra mitigation required. + all but one of the kernel to user space transitions. The exception + is when we return from a Non Maskable Interrupt (NMI), which is + handled directly in do_nmi(). + + (The reason that NMI is special is that prepare_exit_to_usermode() can + enable IRQs. In NMI context, NMIs are blocked, and we don't want to + enable IRQs with NMIs blocked.) 2. C-State transition