Date: Fri, 19 Apr 2024 10:47:09 -0700
From: Pawan Gupta
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dan.j.williams@intel.com, bernie.keany@intel.com, charishma1.gairuboyina@intel.com, chang.seok.bae@intel.com, Josh Poimboeuf, daniel.sneddon@linux.intel.com, antonio.gomez.iglesias@linux.intel.com
Subject: [PATCH 15/14] x86/gds: Lock GDS mitigation when keylocker feature is present
Message-ID: <20240419-gds-lock-v1-1-adcbef6ce24b@linux.intel.com>
In-Reply-To: <20240407230432.912290-1-chang.seok.bae@intel.com>

In order to safely enable Intel Keylocker feature, Gather Data Sampling (GDS) mitigation should be enabled and locked. Hardware provides a way to lock the mitigation, such that the mitigation cannot be disabled until the CPU is reset. Currently, GDS mitigation is enabled without the lock.

Below is the recommendation from Intel:

  "Intel recommends that system software does not enable Key Locker (by setting CR4.KL) unless the GDS mitigation is enabled (IA32_MCU_OPT_CTRL [GDS_MITG_DIS] (bit 4) is 0) and locked (IA32_MCU_OPT_CTRL [GDS_MITG_LOCK] (bit 5) is 1). This will prevent an adversary that takes control of the system from turning off the mitigation in order to infer the keys behind Key Locker handles." [1]

When GDS mitigation is enabled, and Keylocker feature is present, also lock the mitigation.

[1] Gather Data Sampling (ID# 785676)
    https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html

Signed-off-by: Pawan Gupta --- This should ideally go before the patch that enables Keylocker. It is only compile tested. arch/x86/kernel/cpu/bugs.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index ca295b0c1eee..2777a58110e0 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -755,8 +755,8 @@ EXPORT_SYMBOL_GPL(gds_ucode_mitigated); void update_gds_msr(void) { - u64 mcu_ctrl_after; - u64 mcu_ctrl; + u64 mcu_ctrl, mcu_ctrl_after; + u64 gds_lock = 0; switch (gds_mitigation) { case GDS_MITIGATION_OFF: @@ -769,6 +769,8 @@ void update_gds_msr(void) * the same state. Make sure the mitigation is enabled on all * CPUs. */ + gds_lock = GDS_MITG_LOCKED; + fallthrough; case GDS_MITIGATION_FULL: rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); mcu_ctrl &= ~GDS_MITG_DIS; @@ -779,6 +781,7 @@ void update_gds_msr(void) return; } + mcu_ctrl |= gds_lock; wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); /* @@ -840,6 +843,11 @@ static void __init gds_select_mitigation(void) gds_mitigation = GDS_MITIGATION_FULL_LOCKED; } + /* Keylocker can only be enabled when GDS mitigation is locked */ + if (boot_cpu_has(X86_FEATURE_KEYLOCKER) && + gds_mitigation == GDS_MITIGATION_FULL) + gds_mitigation = GDS_MITIGATION_FULL_LOCKED; + update_gds_msr(); out: pr_info("%s\n", gds_strings[gds_mitigation]); --- base-commit: 0bbac3facb5d6cc0171c45c9873a2dc96bea9680 change-id: 20240418-gds-lock-26ecbce88470 Best regards, -- Thanks, Pawan
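
Review bot: in the update_gds_msr() hunk at @@ -769, the block comment directly above the new `gds_lock = GDS_MITG_LOCKED;` still only says "Make sure the mitigation is enabled on all CPUs", which no longer describes what the case does. Please extend that comment to say the lock bit is now written by the kernel on every CPU, and why the explicit `fallthrough;` into GDS_MITIGATION_FULL is wanted, so a later reader does not take the lock for something only microcode or firmware sets.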
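
Review bot: at `mcu_ctrl |= gds_lock;` in the @@ -779 hunk, the value handed to wrmsrl() now carries a bit that, per the commit message, cannot be undone until the CPU is reset, and the posting says the patch is only compile tested. Please confirm on hardware that the write is accepted with the lock bit set and that any read-back check after the write (mcu_ctrl_after is declared at the top of the function) still matches on every CPU, and add a short comment at this line noting that the write is one-way.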
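
Review bot: the new check in gds_select_mitigation() (@@ -840) only upgrades `GDS_MITIGATION_FULL`, so a Keylocker-capable CPU that ends up in any other state, for example the GDS_MITIGATION_OFF case visible in update_gds_msr(), is left unlocked even though the added comment says "Keylocker can only be enabled when GDS mitigation is locked". Nothing in this hunk enforces that statement in the other direction; either state here that the Keylocker enabling code must refuse to set CR4.KL unless gds_mitigation is GDS_MITIGATION_FULL_LOCKED, or add that check. Also note that the condition tests `boot_cpu_has(X86_FEATURE_KEYLOCKER)`, which this patch does not define (the diffstat touches only bugs.c), so it has to be ordered after the patch in the series that introduces the feature flag and before the one that enables Keylocker.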