diff options
| author | Andy Lutomirski <luto@kernel.org> | 2019-05-14 16:24:40 -0400 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2019-05-16 03:05:12 -0400 |
| commit | 9d8d0294e78a164d407133dea05caf4b84247d6a (patch) | |
| tree | 3c67d0f73e4df1ca917a06965cffab368194c0e3 | |
| parent | 88640e1dcd089879530a49a8d212d1814678dfe7 (diff) | |
x86/speculation/mds: Improve CPU buffer clear documentation
On x86_64, all returns to usermode go through
prepare_exit_to_usermode(), with the sole exception of do_nmi().
This even includes machine checks -- this was added several years
ago to support MCE recovery. Update the documentation.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
| -rw-r--r-- | Documentation/x86/mds.rst | 39 |
1 files changed, 7 insertions, 32 deletions
diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst index 0dc812bb9249..5d4330be200f 100644 --- a/Documentation/x86/mds.rst +++ b/Documentation/x86/mds.rst | |||
| @@ -142,38 +142,13 @@ Mitigation points | |||
| 142 | mds_user_clear. | 142 | mds_user_clear. |
| 143 | 143 | ||
| 144 | The mitigation is invoked in prepare_exit_to_usermode() which covers | 144 | The mitigation is invoked in prepare_exit_to_usermode() which covers |
| 145 | most of the kernel to user space transitions. There are a few exceptions | 145 | all but one of the kernel to user space transitions. The exception |
| 146 | which are not invoking prepare_exit_to_usermode() on return to user | 146 | is when we return from a Non Maskable Interrupt (NMI), which is |
| 147 | space. These exceptions use the paranoid exit code. | 147 | handled directly in do_nmi(). |
| 148 | 148 | ||
| 149 | - Non Maskable Interrupt (NMI): | 149 | (The reason that NMI is special is that prepare_exit_to_usermode() can |
| 150 | 150 | enable IRQs. In NMI context, NMIs are blocked, and we don't want to | |
| 151 | Access to sensible data like keys, credentials in the NMI context is | 151 | enable IRQs with NMIs blocked.) |
| 152 | mostly theoretical: The CPU can do prefetching or execute a | ||
| 153 | misspeculated code path and thereby fetching data which might end up | ||
| 154 | leaking through a buffer. | ||
| 155 | |||
| 156 | But for mounting other attacks the kernel stack address of the task is | ||
| 157 | already valuable information. So in full mitigation mode, the NMI is | ||
| 158 | mitigated on the return from do_nmi() to provide almost complete | ||
| 159 | coverage. | ||
| 160 | |||
| 161 | - Machine Check Exception (#MC): | ||
| 162 | |||
| 163 | Another corner case is a #MC which hits between the CPU buffer clear | ||
| 164 | invocation and the actual return to user. As this still is in kernel | ||
| 165 | space it takes the paranoid exit path which does not clear the CPU | ||
| 166 | buffers. So the #MC handler repopulates the buffers to some | ||
| 167 | extent. Machine checks are not reliably controllable and the window is | ||
| 168 | extremly small so mitigation would just tick a checkbox that this | ||
| 169 | theoretical corner case is covered. To keep the amount of special | ||
| 170 | cases small, ignore #MC. | ||
| 171 | |||
| 172 | - Debug Exception (#DB): | ||
| 173 | |||
| 174 | This takes the paranoid exit path only when the INT1 breakpoint is in | ||
| 175 | kernel space. #DB on a user space address takes the regular exit path, | ||
| 176 | so no extra mitigation required. | ||
| 177 | 152 | ||
| 178 | 153 | ||
| 179 | 2. C-State transition | 154 | 2. C-State transition |