From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Subject: [PATCH 7/7] Documentation: Add ITLB_MULTIHIT documentation
Date: Tue, 12 Nov 2019 22:21:37 +0100
Message-Id: <1573593697-25061-8-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1573593697-25061-1-git-send-email-pbonzini@redhat.com>
References: <1573593697-25061-1-git-send-email-pbonzini@redhat.com>

From: "Gomez Iglesias, Antonio"

Add the initial ITLB_MULTIHIT documentation.

[ tglx: Add it to the index so it gets actually built. ]

Signed-off-by: Antonio Gomez Iglesias
Signed-off-by: Nelson D'Souza
Signed-off-by: Paolo Bonzini
Signed-off-by: Thomas Gleixner
---
 Documentation/admin-guide/hw-vuln/index.rst    |   1 +
 Documentation/admin-guide/hw-vuln/multihit.rst | 163 +++++++++++++++++++++++++
 2 files changed, 164 insertions(+)
 create mode 100644 Documentation/admin-guide/hw-vuln/multihit.rst

diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst index 0802b1c67452..0795e3c2643f 100644 --- a/Documentation/admin-guide/hw-vuln/index.rst +++ b/Documentation/admin-guide/hw-vuln/index.rst 
@@ -13,3 +13,4 @@ are configurable at compile, boot or run time. l1tf mds tsx_async_abort + multihit.rst diff --git a/Documentation/admin-guide/hw-vuln/multihit.rst b/Documentation/admin-guide/hw-vuln/multihit.rst new file mode 100644 index 000000000000..ba9988d8bce5 --- /dev/null +++ b/Documentation/admin-guide/hw-vuln/multihit.rst 
@@ -0,0 +1,163 @@ +iTLB multihit +============= + +iTLB multihit is an erratum where some processors may incur a machine check +error, possibly resulting in an unrecoverable CPU lockup, when an +instruction fetch hits multiple entries in the instruction TLB. This can +occur when the page size is changed along with either the physical address +or cache type. A malicious guest running on a virtualized system can +exploit this erratum to perform a denial of service attack. + + +Affected processors +------------------- + +Variations of this erratum are present on most Intel Core and Xeon processor +models. The erratum is not present on: + + - non-Intel processors + + - Some Atoms (Airmont, Bonnell, Goldmont, GoldmontPlus, Saltwell, Silvermont) + + - Intel processors that have the PSCHANGE_MC_NO bit set in the + IA32_ARCH_CAPABILITIES MSR. + + +Related CVEs +------------ + +The following CVE entry is related to this issue: + + ============== ================================================= + CVE-2018-12207 Machine Check Error Avoidance on Page Size Change + ============== ================================================= + + +Problem +------- + +Privileged software, including OS and virtual machine managers (VMM), are in +charge of memory management. A key component in memory management is the control +of the page tables. Modern processors use virtual memory, a technique that creates +the illusion of a very large memory for processors. This virtual space is split +into pages of a given size. Page tables translate virtual addresses to physical +addresses. + +To reduce latency when performing a virtual to physical address translation, +processors include a structure, called TLB, that caches recent translations. +There are separate TLBs for instruction (iTLB) and data (dTLB). + +Under this errata, instructions are fetched from a linear address translated +using a 4 KB translation cached in the iTLB. 
Privileged software modifies the +paging structure so that the same linear address using large page size (2 MB, 4 +MB, 1 GB) with a different physical address or memory type. After the page +structure modification but before the software invalidates any iTLB entries for +the linear address, a code fetch that happens on the same linear address may +cause a machine-check error which can result in a system hang or shutdown. + + +Attack scenarios +---------------- + +Attacks against the iTLB multihit erratum can be mounted from malicious +guests in a virtualized system. + + +iTLB multihit system information +-------------------------------- + +The Linux kernel provides a sysfs interface to enumerate the current iTLB +multihit status of the system:whether the system is vulnerable and which +mitigations are active. The relevant sysfs file is: + +/sys/devices/system/cpu/vulnerabilities/itlb_multihit + +The possible values in this file are: + +.. list-table:: + + * - Not affected + - The processor is not vulnerable. + * - KVM: Mitigation: Split huge pages + - Software changes mitigate this issue. + * - KVM: Vulnerable + - The processor is vulnerable, but no mitigation enabled + + +Enumeration of the erratum +-------------------------------- + +A new bit has been allocated in the IA32_ARCH_CAPABILITIES (PSCHANGE_MC_NO) msr +and will be set on CPU's which are mitigated against this issue. + + ======================================= =========== =============================== + IA32_ARCH_CAPABILITIES MSR Not present Possibly vulnerable,check model + IA32_ARCH_CAPABILITIES[PSCHANGE_MC_NO] '0' Likely vulnerable,check model + IA32_ARCH_CAPABILITIES[PSCHANGE_MC_NO] '1' Not vulnerable + ======================================= =========== =============================== + + +Mitigation mechanism +------------------------- + +This erratum can be mitigated by restricting the use of large page sizes to +non-executable pages. 
This forces all iTLB entries to be 4K, and removes +the possibility of multiple hits. + +In order to mitigate the vulnerability, KVM initially marks all huge pages +as non-executable. If the guest attempts to execute in one of those pages, +the page is broken down into 4K pages, which are then marked executable. + +If EPT is disabled or not available on the host, KVM is in control of TLB +flushes and the problematic situation cannot happen. However, the shadow +EPT paging mechanism used by nested virtualization is vulnerable, because +the nested guest can trigger multiple iTLB hits by modifying its own +(non-nested) page tables. For simplicity, KVM will make large pages +non-executable in all shadow paging modes. + +Mitigation control on the kernel command line and KVM - module parameter +------------------------------------------------------------------------ + +The KVM hypervisor mitigation mechanism for marking huge pages as +non-executable can be controlled with a module parameter "nx_huge_pages=". +The kernel command line allows to control the iTLB multihit mitigations at +boot time with the option "kvm.nx_huge_pages=". + +The valid arguments for these options are: + + ========== ================================================================ + force Mitigation is enabled. In this case, the mitigation implements + non-executable huge pages in Linux kernel KVM module. All huge + pages in the EPT are marked as non-executable. + If a guest attempts to execute in one of those pages, the page is + broken down into 4K pages, which are then marked executable. + + off Mitigation is disabled. + + auto Enable mitigation only if the platform is affected and the kernel + was not booted with the "mitigations=off" command line parameter. + This is the default option. + ========== ================================================================ + + +Mitigation selection guide +-------------------------- + +1. 
No virtualization in use +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + The system is protected by the kernel unconditionally and no further + action is required. + +2. Virtualization with trusted guests +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + If the guest comes from a trusted source, you may assume that the guest will + not attempt to maliciously exploit these errata and no further action is + required. + +3. Virtualization with untrusted guests +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + If the guest comes from an untrusted source, the guest host kernel will need + to apply iTLB multihit mitigation via the kernel command line or kvm + module parameter. -- 1.8.3.1
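
Review bot: The toctree entry added in the index.rst hunk is written as "multihit.rst", while the neighbouring entries visible in the context lines (l1tf, mds, tsx_async_abort) are listed without a file extension. Suggest "multihit" so the new entry matches its siblings.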
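
Review bot: In the Problem section of multihit.rst, the sentence "Privileged software modifies the paging structure so that the same linear address using large page size (2 MB, 4 MB, 1 GB) with a different physical address or memory type." has no verb in its second clause, so the trigger condition is left for the reader to infer. Wording such as "so that the same linear address is translated using a large page size ... with a different physical address or memory type" would state it. The same section opens with "Under this errata" and selection guide item 2 says "these errata", where the rest of the file uses the singular "erratum". In item 3, "the guest host kernel will need to apply iTLB multihit mitigation" is ambiguous; since the mitigation described is the kvm nx_huge_pages parameter, "the host kernel" is presumably what is meant. Smaller points: "system:whether" and "vulnerable,check model" are each missing a space, "but no mitigation enabled" lacks "is", and item 3 has no blank line after its ^^^ underline, unlike items 1 and 2.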