Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp609850pxb; Tue, 15 Feb 2022 23:41:45 -0800 (PST) X-Google-Smtp-Source: ABdhPJxm365Bh3LLgYa7R95xmwFnDK2WRS9Yos5gegcWtJMCWBFXJjwG7MwbiLG9bnfQ0ySQGsMk X-Received: by 2002:a65:53cb:0:b0:343:8e85:2d81 with SMTP id z11-20020a6553cb000000b003438e852d81mr1301691pgr.44.1644997305223; Tue, 15 Feb 2022 23:41:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644997305; cv=none; d=google.com; s=arc-20160816; b=E4iBbLRFflBHEMstFMipIBT6yuO4C0NNfw0nLcoz8kfeCJbr6rkKCTWUcbP+4cn/DG U/rdXo1WiM1voyUbz7w5s2woG8NSV4VL3MFhL4cvsU7KM4+h6OVMBdUW2t+S8zoDVRnG kJ0bCbVh28rpSqVDRwELnvhIGDhcHhRSyFb8rABkj+Q1XGTosihnm4LVoEWAHKMi9cVm cPYDgblrfHR7KgfnKxL2xOLrcfBV6xE0FTY5z/4BymGuXfRsutCoHE9AjPz7fpeEWvCc v8Oz3WBBUsFx5PG8z8Rv64Xc/EOF1Ut3EpDEj8kxLce5NMVXX/Jw2AkOZ5eGv8wbaWBe KlHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=rvuweWDUUE+ccToDKQapZNpeLJf/P/IRtDpcdNHr25E=; b=TfrrY1LS4CKFeT5OPQsWJpxTt+1u5bMkjIerUV14dLs4xYMvz/56HhKDVzUhjSWp0Q zhjfYK4TanQaw5FOR0TbHRjcuJg29HyDRJP226RIK9hV3YNzwebz3adj1AQ53p5lp6U1 bwynnq5V1zU9uq2mSUL0zy012Dt08/dkrYPQ+TvO5PhjyaEYQdyEz2WIxaSnj8javbon dqu0qTxeS3kkr2aJUPlwcJ+8QVc/1X5J73+wUZOieKbnNj+mFfuDK4JYbTwa7mmpjLx9 SbMaNhVbFl7iVXgqdV/WwHyMh4+lgFYE7KXhM1oUMVG3Uem43MqOpaKcA+8tAYQXb6VU Y9ag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=kg+h0J72; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id v10si5828120pgt.424.2022.02.15.23.41.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Feb 2022 23:41:45 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=kg+h0J72; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id B8E28254A52; Tue, 15 Feb 2022 23:06:15 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229972AbiBPGIm (ORCPT + 99 others); Wed, 16 Feb 2022 01:08:42 -0500 Received: from gmail-smtp-in.l.google.com ([23.128.96.19]:35508 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229484AbiBPGIk (ORCPT ); Wed, 16 Feb 2022 01:08:40 -0500 Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 55F50166E2C; Tue, 15 Feb 2022 22:08:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1644991708; x=1676527708; h=date:from:to:cc:subject:message-id:references: mime-version:content-transfer-encoding:in-reply-to; bh=17B1tG6qWPiba58hIphPz6b0Xse84huEgceNoiiY6q8=; b=kg+h0J72NQzfoQFb4Z2lxUmVL2LuC2eTmyhAQV0hlnkXr3w8NuBJw8D4 e52HrJWsjFADQ9Wcj+CZrvLGfGAq6qy4qHLFgaWk8gcOWYvxIwVsBQUlQ SRIiElxwdSWWQlQTEOOTdCGQWQxAYGSGYa/JN9BKjP3vGRQa/tCRsPcKe Mjih9t2VGZqRMM8KOMU7e923QeEt9sAOr9K0hj17KksgsfX5V2R2YjUMe q1aZO4UGLUIWRHtfa0+bfeAX2IL4cA8SakqffjLlEcoEdAnTfRsQMm8Y1 dWQmBT0ms8d54ZychM61O2c+DKvgUn32JcDbH07+PSlnzf9L5NjOeXr2G Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10259"; a="311272240" X-IronPort-AV: E=Sophos;i="5.88,373,1635231600"; d="scan'208";a="311272240" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Feb 2022 22:08:27 -0800 X-IronPort-AV: E=Sophos;i="5.88,373,1635231600"; d="scan'208";a="486704058" Received: from guptapa-mobl1.amr.corp.intel.com ([10.209.113.151]) by orsmga003-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Feb 2022 22:08:27 -0800 Date: Tue, 15 Feb 2022 22:08:26 -0800 From: Pawan Gupta To: Andrew Cooper Cc: Borislav Petkov , Thomas Gleixner , Ingo Molnar , Dave Hansen , "x86@kernel.org" , "H. Peter Anvin" , Andi Kleen , Tony Luck , "linux-kernel@vger.kernel.org" , "antonio.gomez.iglesias@linux.intel.com" , "neelima.krishnan@intel.com" , "stable@vger.kernel.org" Subject: Re: [PATCH] x86/tsx: Use MSR_TSX_CTRL to clear CPUID bits Message-ID: <20220216060826.dwki2jk6kzft4f7c@guptapa-mobl1.amr.corp.intel.com> References: <20220215002014.mb7g4y3hfefmyozx@guptapa-mobl1.amr.corp.intel.com> <20220215121103.vhb2lpoygxn3xywy@guptapa-mobl1.amr.corp.intel.com> <20220215181931.wxfsn2a3npg7xmi2@guptapa-mobl1.amr.corp.intel.com> <20220216003950.5jxecuf773g2kuwl@guptapa-mobl1.amr.corp.intel.com> <6724088f-c7cf-da92-e894-d8970f13bf1e@citrix.com> <20220216012841.vxlnugre2j4pczp7@guptapa-mobl1.amr.corp.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20220216012841.vxlnugre2j4pczp7@guptapa-mobl1.amr.corp.intel.com> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 15.02.2022 17:28, Pawan Gupta wrote: >On 16.02.2022 00:49, Andrew Cooper wrote: >>On 16/02/2022 00:39, Pawan Gupta wrote: >>>On 15.02.2022 20:33, Borislav Petkov wrote: >>>>On Tue, Feb 15, 2022 at 10:19:31AM -0800, Pawan Gupta wrote: >>>>>I admit it has gotten complicated with so many bits associated with >>>>>TSX. >>>> >>>>Yah, and looka here: >>>> >>>>https://github.com/andyhhp/xen/commit/ad9f7c3b2e0df38ad6d54f4769d4dccf765fbcee >>>> >>>> >>>>It seems it isn't complicated enough. ;-\ >>>> >>>>Andy just made me aware of this thing where you guys have added a new >>>>MSR bit: >>>> >>>>MSR_MCU_OPT_CTRL[1] which is called something like >>>>MCU_OPT_CTRL_RTM_ALLOW or so. >>> >>>RTM_ALLOW bit was added to MSR_MCU_OPT_CTRL, but its not set by default, >>>and it is *not* recommended to be used in production deployments [1]: >>> >>>  Although MSR 0x122 (TSX_CTRL) and MSR 0x123 (IA32_MCU_OPT_CTRL) can be >>>  used to reenable Intel TSX for development, doing so is not recommended >>>  for production deployments. In particular, applying MD_CLEAR flows for >>>  mitigation of the Intel TSX Asynchronous Abort (TAA) transient >>>execution >>>  attack may not be effective on these processors when Intel TSX is >>>  enabled with updated microcode. The processors continue to be mitigated >>>  against TAA when Intel TSX is disabled. >> >>The purpose of setting RTM_ALLOW isn't to enable TSX per say. >> >>The purpose is to make MSR_TSX_CTRL.RTM_DISABLE behaves consistently on >>all hardware, which reduces the complexity and invasiveness of dealing >>with this special case, because the TAA workaround will still turn TSX >>off by default. >> >>The configuration you don't want to be running with is RTM_ALLOW && >>!RTM_DISABLE, because that is "still vulnerable to TSX Async Abort". > >I am not sure how a system can end up with RTM_ALLOW && !RTM_DISABLE? I >have no problem taking care of this case, I am just debating why we need >it. > >One way to get to this state is BIOS sets RTM_ALLOW (dont know why?) and >linux cmdline has tsx=on. If RTM_ALLOW is set for any reason, we can still deny tsx=on request. Below patch should do that (I haven't tested it yet). Alternatively, we can reset RTM_ALLOW, which will set CPUID.RTM_ALWAYS_ABORT and may require re-enumeration of CPU features or otherwise setup_force_cpu_cap(X86_FEATURE_RTM_ALWAYS_ABORT) should also work. --- diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index 3faf0f97edb1..2ef58bcfb1e4 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -131,6 +131,8 @@ /* SRBDS support */ #define MSR_IA32_MCU_OPT_CTRL 0x00000123 #define RNGDS_MITG_DIS BIT(0) +#define MCU_OPT_CTRL_RTM_ALLOW BIT(1) +#define MCU_OPT_CTRL_RTM_LOCKED BIT(2) #define MSR_IA32_SYSENTER_CS 0x00000174 #define MSR_IA32_SYSENTER_ESP 0x00000175 diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c index 2835fa89fc6f..8ac085ac597f 100644 --- a/arch/x86/kernel/cpu/tsx.c +++ b/arch/x86/kernel/cpu/tsx.c @@ -142,6 +142,29 @@ void tsx_clear_cpuid(void) } } +/* + * When the microcode released in Feb 2022 is applied, TSX will be disabled by + * default on some processors. MSR 0x122 (TSX_CTRL) and MSR 0x123 + * (IA32_MCU_OPT_CTRL) can be used to re-enable TSX for development, doing so is + * not recommended for production deployments. In particular, applying MD_CLEAR + * flows for mitigation of the Intel TSX Asynchronous Abort (TAA) transient + * execution attack may not be effective on these processors when TSX is + * enabled with updated microcode. + * + * Detect if this unsafe TSX development mode is enabled. + */ +static bool tsx_is_unsafe(void) +{ + u64 mcu_opt_ctrl; + + if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL)) + return false; + + rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_opt_ctrl); + + return !!(mcu_opt_ctrl & MCU_OPT_CTRL_RTM_ALLOW); +} + void __init tsx_init(void) { char arg[5] = {}; @@ -163,6 +186,13 @@ void __init tsx_init(void) if (!tsx_ctrl_is_supported()) { tsx_ctrl_state = TSX_CTRL_NOT_SUPPORTED; return; + } else if (tsx_is_unsafe()) { + /* Do not allow tsx=on, when TSX is unsafe to use */ + tsx_ctrl_state = TSX_CTRL_DISABLE; + tsx_disable(); + setup_clear_cpu_cap(X86_FEATURE_RTM); + setup_clear_cpu_cap(X86_FEATURE_HLE); + return; } ret = cmdline_find_option(boot_command_line, "tsx", arg, sizeof(arg));