From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alyssa Milburn, Josh Poimboeuf, Borislav Petkov
Subject: [PATCH 4.14 10/31] x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT
Date: Thu, 10 Mar 2022 15:18:23 +0100
Message-Id: <20220310140807.834122671@linuxfoundation.org>
In-Reply-To: <20220310140807.524313448@linuxfoundation.org>
References: <20220310140807.524313448@linuxfoundation.org>

From: Josh Poimboeuf

commit 0de05d056afdb00eca8c7bbb0c79a3438daf700c upstream.

The commit

   44a3918c8245 ("x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting")

added a warning for the "eIBRS + unprivileged eBPF" combination, which
has been shown to be vulnerable against Spectre v2 BHB-based attacks.

However, there's no warning about the "eIBRS + LFENCE retpoline +
unprivileged eBPF" combo. The LFENCE adds more protection by shortening
the speculation window after a mispredicted branch. That makes an attack
significantly more difficult, even with unprivileged eBPF. So at least
for now the logic doesn't warn about that combination.

But if you then add SMT into the mix, the SMT attack angle weakens the
effectiveness of the LFENCE considerably.

So extend the "eIBRS + unprivileged eBPF" warning to also include the
"eIBRS + LFENCE + unprivileged eBPF + SMT" case.

  [ bp: Massage commit message. ]

Suggested-by: Alyssa Milburn
Signed-off-by: Josh Poimboeuf
Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/cpu/bugs.c | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -610,12 +610,27 @@ static inline const char *spectre_v2_mod #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n" #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" +#define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n" #ifdef CONFIG_BPF_SYSCALL void unpriv_ebpf_notify(int new_state) { - if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state) + if (new_state) + return; + + /* Unprivileged eBPF is enabled */ + + switch (spectre_v2_enabled) { + case SPECTRE_V2_EIBRS: pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); + break; + case SPECTRE_V2_EIBRS_LFENCE: + if (sched_smt_active()) + pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); + break; + default: + break; + } } #endif @@ -1075,6 +1090,10 @@ void arch_smt_update(void) { mutex_lock(&spec_ctrl_mutex); + if (sched_smt_active() && unprivileged_ebpf_enabled() && + spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) + pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); + switch (spectre_v2_user_stibp) { case SPECTRE_V2_USER_NONE: break; 
@@ -1699,7 +1718,11 @@ static ssize_t spectre_v2_show_state(cha return sprintf(buf, "Vulnerable: LFENCE\n"); if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) - return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n"); + return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n"); + + if (sched_smt_active() && unprivileged_ebpf_enabled() && + spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) + return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n"); return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
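Review bot: In the first hunk (@@ -610,12 +610,27 @@, unpriv_ebpf_notify()), the early return "if (new_state) return;" relies on new_state being zero when unprivileged eBPF is enabled, and the only hint of that polarity is the "/* Unprivileged eBPF is enabled */" comment that follows it. A short comment on the parameter, or a name that carries the polarity, would save the next reader from inferring it from the old "!new_state" test. It would also help to say in the "default:" arm that the remaining spectre_v2_enabled modes are intentionally silent here.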
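Review bot: In the arch_smt_update() hunk (@@ -1075,6 +1090,10 @@), SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG is logged with pr_warn_once(), while the same message in unpriv_ebpf_notify() goes out through pr_err() on every call. The two paths therefore report the same condition at different log levels, and once this one has printed, a later call that finds the same condition logs nothing. Either use the same level in both places or add a comment explaining why this path is limited to a single warning.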
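Review bot: In the spectre_v2_show_state() hunk (@@ -1699,7 +1718,11 @@), the existing string "Vulnerable: Unprivileged eBPF enabled" is reworded to "Vulnerable: eIBRS with unprivileged eBPF", which changes the text this show function returns for a state that was already reported, and the commit message does not mention the rewording; the diffstat also shows only arch/x86/kernel/cpu/bugs.c touched, so nothing documenting these strings is updated alongside. Please call out the changed string in the commit message. Separately, the three-term test (sched_smt_active() && unprivileged_ebpf_enabled() && spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) is repeated verbatim from arch_smt_update(); a small static helper would keep the two copies from drifting apart.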