Date: Thu, 18 Jun 2020 13:50:57 -0000
From: "tip-bot2 for Tony Luck"
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: x86/fsgsbase] x86/speculation/swapgs: Check FSGSBASE in enabling SWAPGS mitigation
Cc: Tony Luck, "Chang S. Bae", Sasha Levin, Thomas Gleixner, x86, LKML
In-Reply-To: <20200528201402.1708239-9-sashal@kernel.org>
References: <20200528201402.1708239-9-sashal@kernel.org>
Message-ID: <159248825731.16989.10228192989851794615.tip-bot2@tip-bot2>

The following commit has been merged into the x86/fsgsbase branch of tip:

Commit-ID:     978e1342c3c4d7b20808fd5875d9ac0d57db22ee
Gitweb:        https://git.kernel.org/tip/978e1342c3c4d7b20808fd5875d9ac0d57db22ee
Author:        Tony Luck
AuthorDate:    Thu, 28 May 2020 16:13:54 -04:00
Committer:     Thomas Gleixner
CommitterDate: Thu, 18 Jun 2020 15:47:02 +02:00

x86/speculation/swapgs: Check FSGSBASE in enabling SWAPGS mitigation

Before enabling FSGSBASE the kernel could safely assume that the content
of GS base was a user address. Thus any speculative access as the result
of a mispredicted branch controlling the execution of SWAPGS would be to
a user address. So systems with speculation-proof SMAP did not need to
add additional LFENCE instructions to mitigate.

With FSGSBASE enabled a hostile user can set GS base to a kernel address.
So they can make the kernel speculatively access data they wish to leak
via a side channel. This means that SMAP provides no protection.

Add FSGSBASE as an additional condition to enable the fence-based SWAPGS
mitigation.

Signed-off-by: Tony Luck
Signed-off-by: Chang S. Bae Signed-off-by: Sasha Levin Signed-off-by: Thomas Gleixner Link: https://lkml.kernel.org/r/20200528201402.1708239-9-sashal@kernel.org --- arch/x86/kernel/cpu/bugs.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 0b71970..5ea5fbd 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -543,14 +543,12 @@ static void __init spectre_v1_select_mitigation(void) * If FSGSBASE is enabled, the user can put a kernel address in * GS, in which case SMAP provides no protection. * - * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the - * FSGSBASE enablement patches have been merged. ] - * * If FSGSBASE is disabled, the user can only put a user space * address in GS. That makes an attack harder, but still * possible if there's no SMAP protection. */ - if (!smap_works_speculatively()) { + if (boot_cpu_has(X86_FEATURE_FSGSBASE) || + !smap_works_speculatively()) { /* * Mitigation can be provided from SWAPGS itself or * PTI as the CR3 write in the Meltdown mitigation
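
Review bot: the new condition in spectre_v1_select_mitigation() tests boot_cpu_has(X86_FEATURE_FSGSBASE), which is a CPU feature bit, while the comment kept above it and the commit message both reason about FSGSBASE being "enabled", meaning user space can actually write GS base. The comment should state that the feature bit is what stands in for "enabled" here. Because this is an __init function that evaluates the bit once, it is also worth confirming that anything which turns FSGSBASE off clears the bit before this function runs; if the bit stays set while the feature is off, the only cost is an unneeded fence, but the reverse ordering would skip the mitigation the commit message says is required. With the feature bit set, the smap_works_speculatively() result no longer affects the outcome, so the remaining comment paragraph ("If FSGSBASE is disabled, ...") could say explicitly that SMAP is only consulted in that case.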