diff options
| author | David Woodhouse <dwmw@amazon.co.uk> | 2018-02-19 05:50:54 -0500 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2018-02-20 03:38:33 -0500 |
| commit | dd84441a797150dcc49298ec95c459a8891d8bb1 (patch) | |
| tree | 4ee6744c6d1a764f80d4c6829c5f322ce05dece0 | |
| parent | d1c99108af3c5992640aa2afa7d2e88c3775c06e (diff) | |
x86/speculation: Use IBRS if available before calling into firmware
Retpoline means the kernel is safe because it has no indirect branches.
But firmware isn't, so use IBRS for firmware calls if it's available.
Block preemption while IBRS is set, although in practice the call sites
already had to be doing that.
Ignore hpwdt.c for now. It's taking spinlocks and calling into firmware
code, from an NMI handler. I don't want to touch that with a bargepole.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: arjan.van.de.ven@intel.com
Cc: bp@alien8.de
Cc: dave.hansen@intel.com
Cc: jmattson@google.com
Cc: karahmed@amazon.de
Cc: kvm@vger.kernel.org
Cc: pbonzini@redhat.com
Cc: rkrcmar@redhat.com
Link: http://lkml.kernel.org/r/1519037457-7643-2-git-send-email-dwmw@amazon.co.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
| -rw-r--r-- | arch/x86/include/asm/apm.h | 6 | ||||
| -rw-r--r-- | arch/x86/include/asm/cpufeatures.h | 1 | ||||
| -rw-r--r-- | arch/x86/include/asm/efi.h | 17 | ||||
| -rw-r--r-- | arch/x86/include/asm/nospec-branch.h | 39 | ||||
| -rw-r--r-- | arch/x86/kernel/cpu/bugs.c | 12 |
5 files changed, 63 insertions, 12 deletions
diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h index 4d4015ddcf26..c356098b6fb9 100644 --- a/arch/x86/include/asm/apm.h +++ b/arch/x86/include/asm/apm.h | |||
| @@ -7,6 +7,8 @@ | |||
| 7 | #ifndef _ASM_X86_MACH_DEFAULT_APM_H | 7 | #ifndef _ASM_X86_MACH_DEFAULT_APM_H |
| 8 | #define _ASM_X86_MACH_DEFAULT_APM_H | 8 | #define _ASM_X86_MACH_DEFAULT_APM_H |
| 9 | 9 | ||
| 10 | #include <asm/nospec-branch.h> | ||
| 11 | |||
| 10 | #ifdef APM_ZERO_SEGS | 12 | #ifdef APM_ZERO_SEGS |
| 11 | # define APM_DO_ZERO_SEGS \ | 13 | # define APM_DO_ZERO_SEGS \ |
| 12 | "pushl %%ds\n\t" \ | 14 | "pushl %%ds\n\t" \ |
| @@ -32,6 +34,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in, | |||
| 32 | * N.B. We do NOT need a cld after the BIOS call | 34 | * N.B. We do NOT need a cld after the BIOS call |
| 33 | * because we always save and restore the flags. | 35 | * because we always save and restore the flags. |
| 34 | */ | 36 | */ |
| 37 | firmware_restrict_branch_speculation_start(); | ||
| 35 | __asm__ __volatile__(APM_DO_ZERO_SEGS | 38 | __asm__ __volatile__(APM_DO_ZERO_SEGS |
| 36 | "pushl %%edi\n\t" | 39 | "pushl %%edi\n\t" |
| 37 | "pushl %%ebp\n\t" | 40 | "pushl %%ebp\n\t" |
| @@ -44,6 +47,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in, | |||
| 44 | "=S" (*esi) | 47 | "=S" (*esi) |
| 45 | : "a" (func), "b" (ebx_in), "c" (ecx_in) | 48 | : "a" (func), "b" (ebx_in), "c" (ecx_in) |
| 46 | : "memory", "cc"); | 49 | : "memory", "cc"); |
| 50 | firmware_restrict_branch_speculation_end(); | ||
| 47 | } | 51 | } |
| 48 | 52 | ||
| 49 | static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in, | 53 | static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in, |
| @@ -56,6 +60,7 @@ static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in, | |||
| 56 | * N.B. We do NOT need a cld after the BIOS call | 60 | * N.B. We do NOT need a cld after the BIOS call |
| 57 | * because we always save and restore the flags. | 61 | * because we always save and restore the flags. |
| 58 | */ | 62 | */ |
| 63 | firmware_restrict_branch_speculation_start(); | ||
| 59 | __asm__ __volatile__(APM_DO_ZERO_SEGS | 64 | __asm__ __volatile__(APM_DO_ZERO_SEGS |
| 60 | "pushl %%edi\n\t" | 65 | "pushl %%edi\n\t" |
| 61 | "pushl %%ebp\n\t" | 66 | "pushl %%ebp\n\t" |
| @@ -68,6 +73,7 @@ static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in, | |||
| 68 | "=S" (si) | 73 | "=S" (si) |
| 69 | : "a" (func), "b" (ebx_in), "c" (ecx_in) | 74 | : "a" (func), "b" (ebx_in), "c" (ecx_in) |
| 70 | : "memory", "cc"); | 75 | : "memory", "cc"); |
| 76 | firmware_restrict_branch_speculation_end(); | ||
| 71 | return error; | 77 | return error; |
| 72 | } | 78 | } |
| 73 | 79 | ||
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 0dfe4d3f74e2..f41079da38c5 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h | |||
| @@ -213,6 +213,7 @@ | |||
| 213 | #define X86_FEATURE_SEV ( 7*32+20) /* AMD Secure Encrypted Virtualization */ | 213 | #define X86_FEATURE_SEV ( 7*32+20) /* AMD Secure Encrypted Virtualization */ |
| 214 | 214 | ||
| 215 | #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ | 215 | #define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */ |
| 216 | #define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ | ||
| 216 | 217 | ||
| 217 | /* Virtualization flags: Linux defined, word 8 */ | 218 | /* Virtualization flags: Linux defined, word 8 */ |
| 218 | #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ | 219 | #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ |
diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h index 85f6ccb80b91..a399c1ebf6f0 100644 --- a/arch/x86/include/asm/efi.h +++ b/arch/x86/include/asm/efi.h | |||
| @@ -6,6 +6,7 @@ | |||
| 6 | #include <asm/pgtable.h> | 6 | #include <asm/pgtable.h> |
| 7 | #include <asm/processor-flags.h> | 7 | #include <asm/processor-flags.h> |
| 8 | #include <asm/tlb.h> | 8 | #include <asm/tlb.h> |
| 9 | #include <asm/nospec-branch.h> | ||
| 9 | 10 | ||
| 10 | /* | 11 | /* |
| 11 | * We map the EFI regions needed for runtime services non-contiguously, | 12 | * We map the EFI regions needed for runtime services non-contiguously, |
| @@ -36,8 +37,18 @@ | |||
| 36 | 37 | ||
| 37 | extern asmlinkage unsigned long efi_call_phys(void *, ...); | 38 | extern asmlinkage unsigned long efi_call_phys(void *, ...); |
| 38 | 39 | ||
| 39 | #define arch_efi_call_virt_setup() kernel_fpu_begin() | 40 | #define arch_efi_call_virt_setup() \ |
| 40 | #define arch_efi_call_virt_teardown() kernel_fpu_end() | 41 | ({ \ |
| 42 | kernel_fpu_begin(); \ | ||
| 43 | firmware_restrict_branch_speculation_start(); \ | ||
| 44 | }) | ||
| 45 | |||
| 46 | #define arch_efi_call_virt_teardown() \ | ||
| 47 | ({ \ | ||
| 48 | firmware_restrict_branch_speculation_end(); \ | ||
| 49 | kernel_fpu_end(); \ | ||
| 50 | }) | ||
| 51 | |||
| 41 | 52 | ||
| 42 | /* | 53 | /* |
| 43 | * Wrap all the virtual calls in a way that forces the parameters on the stack. | 54 | * Wrap all the virtual calls in a way that forces the parameters on the stack. |
| @@ -73,6 +84,7 @@ struct efi_scratch { | |||
| 73 | efi_sync_low_kernel_mappings(); \ | 84 | efi_sync_low_kernel_mappings(); \ |
| 74 | preempt_disable(); \ | 85 | preempt_disable(); \ |
| 75 | __kernel_fpu_begin(); \ | 86 | __kernel_fpu_begin(); \ |
| 87 | firmware_restrict_branch_speculation_start(); \ | ||
| 76 | \ | 88 | \ |
| 77 | if (efi_scratch.use_pgd) { \ | 89 | if (efi_scratch.use_pgd) { \ |
| 78 | efi_scratch.prev_cr3 = __read_cr3(); \ | 90 | efi_scratch.prev_cr3 = __read_cr3(); \ |
| @@ -91,6 +103,7 @@ struct efi_scratch { | |||
| 91 | __flush_tlb_all(); \ | 103 | __flush_tlb_all(); \ |
| 92 | } \ | 104 | } \ |
| 93 | \ | 105 | \ |
| 106 | firmware_restrict_branch_speculation_end(); \ | ||
| 94 | __kernel_fpu_end(); \ | 107 | __kernel_fpu_end(); \ |
| 95 | preempt_enable(); \ | 108 | preempt_enable(); \ |
| 96 | }) | 109 | }) |
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index af34b1e8069a..ec90c3228991 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h | |||
| @@ -219,17 +219,38 @@ static inline void vmexit_fill_RSB(void) | |||
| 219 | #endif | 219 | #endif |
| 220 | } | 220 | } |
| 221 | 221 | ||
| 222 | #define alternative_msr_write(_msr, _val, _feature) \ | ||
| 223 | asm volatile(ALTERNATIVE("", \ | ||
| 224 | "movl %[msr], %%ecx\n\t" \ | ||
| 225 | "movl %[val], %%eax\n\t" \ | ||
| 226 | "movl $0, %%edx\n\t" \ | ||
| 227 | "wrmsr", \ | ||
| 228 | _feature) \ | ||
| 229 | : : [msr] "i" (_msr), [val] "i" (_val) \ | ||
| 230 | : "eax", "ecx", "edx", "memory") | ||
| 231 | |||
| 222 | static inline void indirect_branch_prediction_barrier(void) | 232 | static inline void indirect_branch_prediction_barrier(void) |
| 223 | { | 233 | { |
| 224 | asm volatile(ALTERNATIVE("", | 234 | alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB, |
| 225 | "movl %[msr], %%ecx\n\t" | 235 | X86_FEATURE_USE_IBPB); |
| 226 | "movl %[val], %%eax\n\t" | 236 | } |
| 227 | "movl $0, %%edx\n\t" | 237 | |
| 228 | "wrmsr", | 238 | /* |
| 229 | X86_FEATURE_USE_IBPB) | 239 | * With retpoline, we must use IBRS to restrict branch prediction |
| 230 | : : [msr] "i" (MSR_IA32_PRED_CMD), | 240 | * before calling into firmware. |
| 231 | [val] "i" (PRED_CMD_IBPB) | 241 | */ |
| 232 | : "eax", "ecx", "edx", "memory"); | 242 | static inline void firmware_restrict_branch_speculation_start(void) |
| 243 | { | ||
| 244 | preempt_disable(); | ||
| 245 | alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, | ||
| 246 | X86_FEATURE_USE_IBRS_FW); | ||
| 247 | } | ||
| 248 | |||
| 249 | static inline void firmware_restrict_branch_speculation_end(void) | ||
| 250 | { | ||
| 251 | alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, | ||
| 252 | X86_FEATURE_USE_IBRS_FW); | ||
| 253 | preempt_enable(); | ||
| 233 | } | 254 | } |
| 234 | 255 | ||
| 235 | #endif /* __ASSEMBLY__ */ | 256 | #endif /* __ASSEMBLY__ */ |
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d71c8b54b696..bfca937bdcc3 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c | |||
| @@ -300,6 +300,15 @@ retpoline_auto: | |||
| 300 | setup_force_cpu_cap(X86_FEATURE_USE_IBPB); | 300 | setup_force_cpu_cap(X86_FEATURE_USE_IBPB); |
| 301 | pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n"); | 301 | pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n"); |
| 302 | } | 302 | } |
| 303 | |||
| 304 | /* | ||
| 305 | * Retpoline means the kernel is safe because it has no indirect | ||
| 306 | * branches. But firmware isn't, so use IBRS to protect that. | ||
| 307 | */ | ||
| 308 | if (boot_cpu_has(X86_FEATURE_IBRS)) { | ||
| 309 | setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); | ||
| 310 | pr_info("Enabling Restricted Speculation for firmware calls\n"); | ||
| 311 | } | ||
| 303 | } | 312 | } |
| 304 | 313 | ||
| 305 | #undef pr_fmt | 314 | #undef pr_fmt |
| @@ -326,8 +335,9 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c | |||
| 326 | if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) | 335 | if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) |
| 327 | return sprintf(buf, "Not affected\n"); | 336 | return sprintf(buf, "Not affected\n"); |
| 328 | 337 | ||
| 329 | return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], | 338 | return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], |
| 330 | boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "", | 339 | boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "", |
| 340 | boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", | ||
| 331 | spectre_v2_module_string()); | 341 | spectre_v2_module_string()); |
| 332 | } | 342 | } |
| 333 | #endif | 343 | #endif |