From: Josh Poimboeuf
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, Borislav Petkov, Peter Zijlstra, Babu Moger, Paolo Bonzini, Sean Christopherson, David.Kaplan@amd.com, Andrew Cooper, Nikolay Borisov, gregkh@linuxfoundation.org, Thomas Gleixner
Subject: [PATCH 10/23] x86/srso: Fix vulnerability reporting for missing microcode
Date: Fri, 25 Aug 2023 00:01:41 -0700
Message-ID: <65556eeb1bf7cb9bd7db8662ef115dd73191db84.1692919072.git.jpoimboe@kernel.org>

The SRSO default safe-ret mitigation is reported as "mitigated" even if
microcode hasn't been updated. That's wrong because userspace may still
be vulnerable to SRSO attacks due to IBPB not flushing branch type
predictions.

Report the safe-ret + !microcode case as vulnerable.

Also report the microcode-only case as vulnerable as it leaves the
kernel open to attacks.

Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation")
Signed-off-by: Josh Poimboeuf
---
 Documentation/admin-guide/hw-vuln/srso.rst | 22 ++++++++++----
 arch/x86/kernel/cpu/bugs.c                 | 34 +++++++++++++---------
 2 files changed, 37 insertions(+), 19 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/srso.rst b/Documentation/admin-guide/hw-vuln/srso.rst index b6cfb51cb0b4..4516719e00b5 100644 
--- a/Documentation/admin-guide/hw-vuln/srso.rst +++ b/Documentation/admin-guide/hw-vuln/srso.rst @@ -46,12 +46,22 @@ The possible values in this file are: The processor is not vulnerable - * 'Vulnerable: no microcode': +* 'Vulnerable': + + The processor is vulnerable and no mitigations have been applied. + + * 'Vulnerable: No microcode': The processor is vulnerable, no microcode extending IBPB functionality to address the vulnerability has been applied. - * 'Mitigation: microcode': + * 'Vulnerable: Safe RET, no microcode': + + The "Safe Ret" mitigation (see below) has been applied to protect the + kernel, but the IBPB-extending microcode has not been applied. User + space tasks may still be vulnerable. + + * 'Vulnerable: Microcode, no safe RET': Extended IBPB functionality microcode patch has been applied. It does not address User->Kernel and Guest->Host transitions protection but it @@ -72,11 +82,11 @@ The possible values in this file are: (spec_rstack_overflow=microcode) - * 'Mitigation: safe RET': + * 'Mitigation: Safe RET': - Software-only mitigation. It complements the extended IBPB microcode - patch functionality by addressing User->Kernel and Guest->Host - transitions protection. + Combined microcode/software mitigation. It complements the + extended IBPB microcode patch functionality by addressing + User->Kernel and Guest->Host transitions protection. Selected by default or by spec_rstack_overflow=safe-ret diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 6c47f37515b8..d883d1c38f7f 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2353,6 +2353,8 @@ early_param("l1tf", l1tf_cmdline); enum srso_mitigation { SRSO_MITIGATION_NONE, + SRSO_MITIGATION_UCODE_NEEDED, + SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED, SRSO_MITIGATION_MICROCODE, SRSO_MITIGATION_SAFE_RET, SRSO_MITIGATION_IBPB, 
@@ -2368,11 +2370,13 @@ enum srso_mitigation_cmd { }; static const char * const srso_strings[] = { - [SRSO_MITIGATION_NONE] = "Vulnerable", - [SRSO_MITIGATION_MICROCODE] = "Mitigation: microcode", - [SRSO_MITIGATION_SAFE_RET] = "Mitigation: safe RET", - [SRSO_MITIGATION_IBPB] = "Mitigation: IBPB", - [SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only" + [SRSO_MITIGATION_NONE] = "Vulnerable", + [SRSO_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode", + [SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED] = "Vulnerable: Safe RET, no microcode", + [SRSO_MITIGATION_MICROCODE] = "Vulnerable: Microcode, no safe RET", + [SRSO_MITIGATION_SAFE_RET] = "Mitigation: Safe RET", + [SRSO_MITIGATION_IBPB] = "Mitigation: IBPB", + [SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only" }; static enum srso_mitigation srso_mitigation __ro_after_init = SRSO_MITIGATION_NONE; @@ -2409,10 +2413,7 @@ static void __init srso_select_mitigation(void) if (!boot_cpu_has_bug(X86_BUG_SRSO) || cpu_mitigations_off()) goto pred_cmd; - if (!has_microcode) { - pr_warn("IBPB-extending microcode not applied!\n"); - pr_warn(SRSO_NOTICE); - } else { + if (has_microcode) { /* * Zen1/2 with SMT off aren't vulnerable after the right * IBPB microcode has been applied. @@ -2428,6 +2429,12 @@ static void __init srso_select_mitigation(void) srso_mitigation = SRSO_MITIGATION_IBPB; goto out; } + } else { + pr_warn("IBPB-extending microcode not applied!\n"); + pr_warn(SRSO_NOTICE); + + /* may be overwritten by SRSO_CMD_SAFE_RET below */ + srso_mitigation = SRSO_MITIGATION_UCODE_NEEDED; } switch (srso_cmd) { 
@@ -2457,7 +2464,10 @@ static void __init srso_select_mitigation(void) setup_force_cpu_cap(X86_FEATURE_SRSO); x86_return_thunk = srso_return_thunk; } - srso_mitigation = SRSO_MITIGATION_SAFE_RET; + if (has_microcode) + srso_mitigation = SRSO_MITIGATION_SAFE_RET; + else + srso_mitigation = SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED; } else { pr_err("WARNING: kernel not compiled with CPU_SRSO.\n"); } @@ -2701,9 +2711,7 @@ static ssize_t srso_show_state(char *buf) if (boot_cpu_has(X86_FEATURE_SRSO_NO)) return sysfs_emit(buf, "Mitigation: SMT disabled\n"); - return sysfs_emit(buf, "%s%s\n", - srso_strings[srso_mitigation], - boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ? "" : ", no microcode"); + return sysfs_emit(buf, "%s\n", srso_strings[srso_mitigation]); } static ssize_t gds_show_state(char *buf) -- 2.41.0
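
Review bot: In the first srso.rst hunk (@@ -46,12 +46,22 @@) the new entry is added as "+* 'Vulnerable':" with no space before the asterisk, while the entries added right after it start with " * '". A change in bullet indentation can end or restart a reStructuredText list, so indent it like its siblings. The same hunk writes "Safe Ret" in the description of 'Vulnerable: Safe RET, no microcode' while the value itself and the later 'Mitigation: Safe RET' entry use "Safe RET"; pick one spelling.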
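
Review bot: The 'Mitigation: Safe RET' description in the second srso.rst hunk (@@ -72,11 +82,11 @@) now opens with "Combined microcode/software mitigation" but the next sentence still says it "complements the extended IBPB microcode patch functionality", which is the wording of the old software-only text. If this state now means safe RET plus microcode, state which part covers which transition, so the entry does not describe a mitigation that both includes the microcode and complements it.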
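
Review bot: The srso_strings[] hunk (@@ -2368,11 +2370,13 @@) changes text that userspace reads through sysfs_emit() beyond what the commit message describes: "Mitigation: safe RET" becomes "Mitigation: Safe RET". Reclassifying SRSO_MITIGATION_MICROCODE as "Vulnerable: Microcode, no safe RET" is the stated purpose, but the capitalization change on the safe-ret string is a separate user-visible change that can break exact-match parsing in monitoring scripts. Mention it in the commit message or split it into its own patch.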
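
Review bot: The new else branch in srso_select_mitigation() (@@ -2409,10 +2413,7 @@ and @@ -2428,6 +2429,12 @@) sets SRSO_MITIGATION_UCODE_NEEDED and relies on the later switch to refine it, with the comment naming only SRSO_CMD_SAFE_RET. The other switch arms are not in this diff, and since srso_show_state() no longer appends ", no microcode", any arm that could set SRSO_MITIGATION_IBPB or SRSO_MITIGATION_IBPB_ON_VMEXIT while has_microcode is false would now report a plain "Mitigation: ..." string. Please confirm those arms are gated on has_microcode and say so in the comment, or handle the no-microcode case there too.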
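
Review bot: In the srso_show_state() hunk (@@ -2701,9 +2711,7 @@) the removed code tested boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) on every read, while the new output depends only on srso_mitigation, which is declared __ro_after_init and derived from has_microcode at selection time. The definition of has_microcode is outside the diff, so it is worth confirming it tests the same feature bit, and noting in the commit message that the reported microcode state is now fixed at init rather than re-evaluated on each read.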