x86/speculation/mds: Add mitigation mode VMWERV

In virtualized environments it can happen that the host has the microcode update which utilizes the VERW instruction to clear CPU buffers, but the hypervisor is not yet updated to expose the X86_FEATURE_MD_CLEAR CPUID bit to guests. Introduce an internal mitigation mode VMWERV which enables the invocation of the CPU buffer clearing even if X86_FEATURE_MD_CLEAR is not set. If the system has no updated microcode this results in a pointless execution of the VERW instruction wasting a few CPU cycles. If the microcode is updated, but not exposed to a guest then the CPU buffers will be cleared. That said: Virtual Machines Will Eventually Receive Vaccine Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Borislav Petkov <bp@suse.de> Reviewed-by: Jon Masters <jcm@redhat.com> Tested-by: Jon Masters <jcm@redhat.com>
author: Thomas Gleixner <tglx@linutronix.de> 2019-02-20 03:40:40 -0500
committer: Thomas Gleixner <tglx@linutronix.de> 2019-03-06 15:52:15 -0500
commit: 22dd8365088b6403630b82423cf906491859b65e (patch)
tree: 117ad21ac265302596d4a11c35625312f2c25c0a /Documentation/x86
parent: 8a4b06d391b0a42a373808979b5028f5c84d9c6a (diff)
1 files changed, 27 insertions, 0 deletions
diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst
index 87ce8ac9f36e..3d6f943f1afb 100644
--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -93,11 +93,38 @@ The kernel provides a function to invoke the buffer clearing:
 The mitigation is invoked on kernel/userspace, hypervisor/guest and C-state
 (idle) transitions.
+As a special quirk to address virtualization scenarios where the host has
+the microcode updated, but the hypervisor does not (yet) expose the
+MD_CLEAR CPUID bit to guests, the kernel issues the VERW instruction in the
+hope that it might actually clear the buffers. The state is reflected
+accordingly.
 According to current knowledge additional mitigations inside the kernel
 itself are not required because the necessary gadgets to expose the leaked
 data cannot be controlled in a way which allows exploitation from malicious
 user space or VM guests.
+Kernel internal mitigation modes
+--------------------------------
+ ======= ============================================================
+ off      Mitigation is disabled. Either the CPU is not affected or
+          mds=off is supplied on the kernel command line
+ full     Mitigation is eanbled. CPU is affected and MD_CLEAR is
+          advertised in CPUID.
+ vmwerv   Mitigation is enabled. CPU is affected and MD_CLEAR is not
+          advertised in CPUID. That is mainly for virtualization
+          scenarios where the host has the updated microcode but the
+          hypervisor does not expose MD_CLEAR in CPUID. It's a best
+          effort approach without guarantee.
+ ======= ============================================================
+If the CPU is affected and mds=off is not supplied on the kernel command
+line then the kernel selects the appropriate mitigation mode depending on
+the availability of the MD_CLEAR CPUID bit.
 Mitigation points
 -----------------
author	Thomas Gleixner <tglx@linutronix.de>	2019-02-20 03:40:40 -0500
committer	Thomas Gleixner <tglx@linutronix.de>	2019-03-06 15:52:15 -0500
commit	22dd8365088b6403630b82423cf906491859b65e (patch)
tree	117ad21ac265302596d4a11c35625312f2c25c0a /Documentation/x86
parent	8a4b06d391b0a42a373808979b5028f5c84d9c6a (diff)

diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst index 87ce8ac9f36e..3d6f943f1afb 100644 --- a/Documentation/x86/mds.rst +++ b/Documentation/x86/mds.rst
@@ -93,11 +93,38 @@ The kernel provides a function to invoke the buffer clearing:
93	The mitigation is invoked on kernel/userspace, hypervisor/guest and C-state	93	The mitigation is invoked on kernel/userspace, hypervisor/guest and C-state
94	(idle) transitions.	94	(idle) transitions.
95		95
		96	As a special quirk to address virtualization scenarios where the host has
		97	the microcode updated, but the hypervisor does not (yet) expose the
		98	MD_CLEAR CPUID bit to guests, the kernel issues the VERW instruction in the
		99	hope that it might actually clear the buffers. The state is reflected
		100	accordingly.
		101
96	According to current knowledge additional mitigations inside the kernel	102	According to current knowledge additional mitigations inside the kernel
97	itself are not required because the necessary gadgets to expose the leaked	103	itself are not required because the necessary gadgets to expose the leaked
98	data cannot be controlled in a way which allows exploitation from malicious	104	data cannot be controlled in a way which allows exploitation from malicious
99	user space or VM guests.	105	user space or VM guests.
100		106
		107	Kernel internal mitigation modes
		108	--------------------------------
		109
		110	======= ============================================================
		111	off Mitigation is disabled. Either the CPU is not affected or
		112	mds=off is supplied on the kernel command line
		113
		114	full Mitigation is eanbled. CPU is affected and MD_CLEAR is
		115	advertised in CPUID.
		116
		117	vmwerv Mitigation is enabled. CPU is affected and MD_CLEAR is not
		118	advertised in CPUID. That is mainly for virtualization
		119	scenarios where the host has the updated microcode but the
		120	hypervisor does not expose MD_CLEAR in CPUID. It's a best
		121	effort approach without guarantee.
		122	======= ============================================================
		123
		124	If the CPU is affected and mds=off is not supplied on the kernel command
		125	line then the kernel selects the appropriate mitigation mode depending on
		126	the availability of the MD_CLEAR CPUID bit.
		127
101	Mitigation points	128	Mitigation points
102	-----------------	129	-----------------
103		130