Date: Wed, 11 Dec 2019 12:47:40 -0800
Message-Id: <20191211204753.242298-1-pomonis@google.com>
Subject: [PATCH v2 00/13] KVM: x86: Extend Spectre-v1 mitigation
From: Marios Pomonis
To: Paolo Bonzini, rkrcmar@redhat.com, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Nick Finco, Andrew Honig, Marios Pomonis
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nick Finco

This extends the Spectre-v1 mitigation introduced in commit 75f139aaf896 ("KVM: x86: Add memory barrier on vmcs field lookup") and commit 085331dfc6bb ("x86/kvm: Update spectre-v1 mitigation") in light of the Spectre-v1/L1TF combination described here:
https://xenbits.xen.org/xsa/advisory-289.html

As reported in the link, an attacker can use the cache-load part of a Spectre-v1 gadget to bring memory into the L1 cache, then use L1TF to leak the loaded memory. Note that this attack is not fully mitigated by core scheduling; firstly when "kvm-intel.vmentry_l1d_flush" is not set to "always", an attacker could use L1TF on the same thread that loaded the memory values in the cache on paths that do not flush the L1 cache on VMEntry.
Otherwise, an attacker could perform this attack using a collusion of two sibling hyperthreads: one that loads memory values in the cache during VMExit handling and another that performs L1TF to leak them.

This patch uses array_index_nospec() to prevent index computations from causing speculative loads into the L1 cache. These cases involve a bounds check followed by a memory read using the index; this is more common than the full Spectre-v1 pattern. In some cases, the index computation can be eliminated entirely by small amounts of refactoring.

Marios Pomonis (13):
  KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
  KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks
  KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
  KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
  KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks
  KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
  KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit()
  KVM: x86: Protect MSR-based index computations in pmu.h
  KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
  KVM: x86: Protect memory accesses from Spectre-v1/L1TF attacks in x86.c
  KVM: x86: Protect exit_reason from being used in Spectre-v1/L1TF attacks
  KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks
  KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks

 arch/x86/kvm/emulate.c       | 11 ++++--
 arch/x86/kvm/hyperv.c        | 10 +++--
 arch/x86/kvm/i8259.c         |  6 ++-
 arch/x86/kvm/ioapic.c        | 15 +++++---
 arch/x86/kvm/lapic.c         | 13 +++++--
 arch/x86/kvm/mtrr.c          |  8 +++-
 arch/x86/kvm/pmu.h           | 18 +++++++--
 arch/x86/kvm/vmx/pmu_intel.c | 24 ++++++++----
 arch/x86/kvm/vmx/vmx.c       | 71 +++++++++++++++++++++---------------
 arch/x86/kvm/x86.c           | 18 +++++++-
 10 files changed, 129 insertions(+), 65 deletions(-)

-- 
2.24.0.393.g34dc348eaf-goog
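The pattern this series hardens, shown as an added userspace illustration that is not code from the series or from KVM: the bounds-check-then-read form next to the array_index_nospec() form, using a userspace copy of the kernel's generic array_index_mask_nospec() and a constructed, hypothetical MSR-number-to-table-index lookup (MSR_TABLE_BASE, MSR_TABLE_SIZE and msr_table are assumptions, not real MSRs or KVM state).

```c
#include <stdint.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* Userspace copy of the kernel's generic array_index_mask_nospec()
 * (include/linux/nospec.h): ~0UL when index < size, else 0, computed
 * without a branch so a mispredicted bounds check cannot skip it. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Stand-in for the kernel's array_index_nospec() macro. */
#define array_index_nospec(index, size) \
    ((index) & array_index_mask_nospec((unsigned long)(index), (unsigned long)(size)))

/* Constructed per-vCPU table selected by a guest-controlled MSR number
 * (hypothetical MSR range, not real MSRs). */
#define MSR_TABLE_BASE 0x1000u
#define MSR_TABLE_SIZE 4u
static const uint64_t msr_table[MSR_TABLE_SIZE] = { 0x11, 0x22, 0x33, 0x44 };

/* The pattern the series fixes: bounds check, then a read with the
 * guest-derived index. Architecturally safe, but while the branch is
 * mispredicted the load runs with an out-of-bounds idx and pulls
 * attacker-chosen memory into L1, where L1TF can then observe it. */
int msr_read_unprotected(uint32_t msr, uint64_t *out)
{
    uint32_t idx = msr - MSR_TABLE_BASE;   /* wraps for msr < base */
    if (idx >= MSR_TABLE_SIZE)
        return -1;
    *out = msr_table[idx];
    return 0;
}

/* Hardened form: on the mispredicted path the mask is 0, so the
 * speculative load can only touch msr_table[0]. */
int msr_read_protected(uint32_t msr, uint64_t *out)
{
    uint32_t idx = msr - MSR_TABLE_BASE;
    if (idx >= MSR_TABLE_SIZE)
        return -1;
    idx = array_index_nospec(idx, MSR_TABLE_SIZE);
    *out = msr_table[idx];
    return 0;
}
```

Both functions return the same architectural results; the difference is only what the speculative path can load, which is why the mask is computed arithmetically rather than with a second branch.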