Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Thomas Gleixner:
 "Yet another pile of melted spectrum related changes:

   - sanitize the array_index_nospec protection mechanism: Remove the
     overengineered array_index_nospec_mask_check() magic and allow
     const-qualified types as index to avoid temporary storage in a
     non-const local variable.

   - make the microcode loader more robust by properly propagating error
     codes. Provide information about new feature bits after micro code
     was updated so administrators can act upon.

   - optimizations of the entry ASM code which reduce code footprint and
     make the code simpler and faster.

   - fix the {pmd,pud}_{set,clear}_flags() implementations to work
     properly on paravirt kernels by removing the address translation
     operations.

   - revert the harmful vmexit_fill_RSB() optimization

   - use IBRS around firmware calls

   - teach objtool about retpolines and add annotations for indirect
     jumps and calls.

   - explicitly disable jumplabel patching in __init code and handle
     patching failures properly instead of silently ignoring them.

   - remove indirect paravirt calls for writing the speculation control
     MSR as these calls are obviously proving the same attack vector
     which is tried to be mitigated.

   - a few small fixes which address build issues with recent compiler
     and assembler versions"

* 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (38 commits)
  KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
  KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
  objtool, retpolines: Integrate objtool with retpoline support more closely
  x86/entry/64: Simplify ENCODE_FRAME_POINTER
  extable: Make init_kernel_text() global
  jump_label: Warn on failed jump_label patching attempt
  jump_label: Explicitly disable jump labels in __init code
  x86/entry/64: Open-code switch_to_thread_stack()
  x86/entry/64: Move ASM_CLAC to interrupt_entry()
  x86/entry/64: Remove 'interrupt' macro
  x86/entry/64: Move the switch_to_thread_stack() call to interrupt_entry()
  x86/entry/64: Move ENTER_IRQ_STACK from interrupt macro to interrupt_entry
  x86/entry/64: Move PUSH_AND_CLEAR_REGS from interrupt macro to helper function
  x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
  objtool: Add module specific retpoline rules
  objtool: Add retpoline validation
  objtool: Use existing global variables for options
  x86/mm/sme, objtool: Annotate indirect call in sme_encrypt_execute()
  x86/boot, objtool: Annotate indirect jump in secondary_startup_64()
  x86/paravirt, objtool: Annotate indirect calls
  ...

5 files changed, 108 insertions, 12 deletions

diff --git a/tools/objtool/builtin-check.c b/tools/objtool/builtin-check.c
index 57254f5b2779..694abc628e9b 100644
--- a/tools/objtool/builtin-check.c
+++ b/tools/objtool/builtin-check.c
@@ -29,7 +29,7 @@
 #include "builtin.h"
 #include "check.h"
 
-bool no_fp, no_unreachable;
+bool no_fp, no_unreachable, retpoline, module;
 
 static const char * const check_usage[] = {
         "objtool check [<options>] file.o",
@@ -39,6 +39,8 @@ static const char * const check_usage[] = {
 const struct option check_options[] = {
         OPT_BOOLEAN('f', "no-fp", &no_fp, "Skip frame pointer validation"),
         OPT_BOOLEAN('u', "no-unreachable", &no_unreachable, "Skip 'unreachable instruction' warnings"),
+        OPT_BOOLEAN('r', "retpoline", &retpoline, "Validate retpoline assumptions"),
+        OPT_BOOLEAN('m', "module", &module, "Indicates the object will be part of a kernel module"),
         OPT_END(),
 };
 
@@ -53,5 +55,5 @@ int cmd_check(int argc, const char **argv)
 
         objname = argv[0];
 
-        return check(objname, no_fp, no_unreachable, false);
+        return check(objname, false);
 }
diff --git a/tools/objtool/builtin-orc.c b/tools/objtool/builtin-orc.c
index 91e8e19ff5e0..77ea2b97117d 100644
--- a/tools/objtool/builtin-orc.c
+++ b/tools/objtool/builtin-orc.c
@@ -25,7 +25,6 @@
  */
 
 #include <string.h>
-#include <subcmd/parse-options.h>
 #include "builtin.h"
 #include "check.h"
 
@@ -36,9 +35,6 @@ static const char *orc_usage[] = {
         NULL,
 };
 
-extern const struct option check_options[];
-extern bool no_fp, no_unreachable;
-
 int cmd_orc(int argc, const char **argv)
 {
         const char *objname;
@@ -54,7 +50,7 @@ int cmd_orc(int argc, const char **argv)
 
                 objname = argv[0];
 
-                return check(objname, no_fp, no_unreachable, true);
+                return check(objname, true);
         }
 
         if (!strcmp(argv[0], "dump")) {
diff --git a/tools/objtool/builtin.h b/tools/objtool/builtin.h
index dd526067fed5..28ff40e19a14 100644
--- a/tools/objtool/builtin.h
+++ b/tools/objtool/builtin.h
@@ -17,6 +17,11 @@
 #ifndef _BUILTIN_H
 #define _BUILTIN_H
 
+#include <subcmd/parse-options.h>
+
+extern const struct option check_options[];
+extern bool no_fp, no_unreachable, retpoline, module;
+
 extern int cmd_check(int argc, const char **argv);
 extern int cmd_orc(int argc, const char **argv);
 
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index a8cb69a26576..472e64e95891 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -18,6 +18,7 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "builtin.h"
 #include "check.h"
 #include "elf.h"
 #include "special.h"
@@ -33,7 +34,6 @@ struct alternative {
 };
 
 const char *objname;
-static bool no_fp;
 struct cfi_state initial_func_cfi;
 
 struct instruction *find_insn(struct objtool_file *file,
@@ -497,6 +497,7 @@ static int add_jump_destinations(struct objtool_file *file)
                          * disguise, so convert them accordingly.
                          */
                         insn->type = INSN_JUMP_DYNAMIC;
+                        insn->retpoline_safe = true;
                         continue;
                 } else {
                         /* sibling call */
@@ -548,7 +549,8 @@ static int add_call_destinations(struct objtool_file *file)
                         if (!insn->call_dest && !insn->ignore) {
                                 WARN_FUNC("unsupported intra-function call",
                                           insn->sec, insn->offset);
-                                WARN("If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE.");
+                                if (retpoline)
+                                        WARN("If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE.");
                                 return -1;
                         }
 
@@ -1108,6 +1110,54 @@ static int read_unwind_hints(struct objtool_file *file)
         return 0;
 }
 
+static int read_retpoline_hints(struct objtool_file *file)
+{
+        struct section *sec, *relasec;
+        struct instruction *insn;
+        struct rela *rela;
+        int i;
+
+        sec = find_section_by_name(file->elf, ".discard.retpoline_safe");
+        if (!sec)
+                return 0;
+
+        relasec = sec->rela;
+        if (!relasec) {
+                WARN("missing .rela.discard.retpoline_safe section");
+                return -1;
+        }
+
+        if (sec->len % sizeof(unsigned long)) {
+                WARN("retpoline_safe size mismatch: %d %ld", sec->len, sizeof(unsigned long));
+                return -1;
+        }
+
+        for (i = 0; i < sec->len / sizeof(unsigned long); i++) {
+                rela = find_rela_by_dest(sec, i * sizeof(unsigned long));
+                if (!rela) {
+                        WARN("can't find rela for retpoline_safe[%d]", i);
+                        return -1;
+                }
+
+                insn = find_insn(file, rela->sym->sec, rela->addend);
+                if (!insn) {
+                        WARN("can't find insn for retpoline_safe[%d]", i);
+                        return -1;
+                }
+
+                if (insn->type != INSN_JUMP_DYNAMIC &&
+                    insn->type != INSN_CALL_DYNAMIC) {
+                        WARN_FUNC("retpoline_safe hint not a indirect jump/call",
+                                  insn->sec, insn->offset);
+                        return -1;
+                }
+
+                insn->retpoline_safe = true;
+        }
+
+        return 0;
+}
+
 static int decode_sections(struct objtool_file *file)
 {
         int ret;
@@ -1146,6 +1196,10 @@ static int decode_sections(struct objtool_file *file)
         if (ret)
                 return ret;
 
+        ret = read_retpoline_hints(file);
+        if (ret)
+                return ret;
+
         return 0;
 }
 
@@ -1891,6 +1945,38 @@ static int validate_unwind_hints(struct objtool_file *file)
         return warnings;
 }
 
+static int validate_retpoline(struct objtool_file *file)
+{
+        struct instruction *insn;
+        int warnings = 0;
+
+        for_each_insn(file, insn) {
+                if (insn->type != INSN_JUMP_DYNAMIC &&
+                    insn->type != INSN_CALL_DYNAMIC)
+                        continue;
+
+                if (insn->retpoline_safe)
+                        continue;
+
+                /*
+                 * .init.text code is ran before userspace and thus doesn't
+                 * strictly need retpolines, except for modules which are
+                 * loaded late, they very much do need retpoline in their
+                 * .init.text
+                 */
+                if (!strcmp(insn->sec->name, ".init.text") && !module)
+                        continue;
+
+                WARN_FUNC("indirect %s found in RETPOLINE build",
+                          insn->sec, insn->offset,
+                          insn->type == INSN_JUMP_DYNAMIC ? "jump" : "call");
+
+                warnings++;
+        }
+
+        return warnings;
+}
+
 static bool is_kasan_insn(struct instruction *insn)
 {
         return (insn->type == INSN_CALL &&
@@ -2022,13 +2108,12 @@ static void cleanup(struct objtool_file *file)
         elf_close(file->elf);
 }
 
-int check(const char *_objname, bool _no_fp, bool no_unreachable, bool orc)
+int check(const char *_objname, bool orc)
 {
         struct objtool_file file;
         int ret, warnings = 0;
 
         objname = _objname;
-        no_fp = _no_fp;
 
         file.elf = elf_open(objname, orc ? O_RDWR : O_RDONLY);
         if (!file.elf)
@@ -2052,6 +2137,13 @@ int check(const char *_objname, bool _no_fp, bool no_unreachable, bool orc)
         if (list_empty(&file.insn_list))
                 goto out;
 
+        if (retpoline) {
+                ret = validate_retpoline(&file);
+                if (ret < 0)
+                        return ret;
+                warnings += ret;
+        }
+
         ret = validate_functions(&file);
         if (ret < 0)
                 goto out;
diff --git a/tools/objtool/check.h b/tools/objtool/check.h
index 23a1d065cae1..c6b68fcb926f 100644
--- a/tools/objtool/check.h
+++ b/tools/objtool/check.h
@@ -45,6 +45,7 @@ struct instruction {
         unsigned char type;
         unsigned long immediate;
         bool alt_group, visited, dead_end, ignore, hint, save, restore, ignore_alts;
+        bool retpoline_safe;
         struct symbol *call_dest;
         struct instruction *jump_dest;
         struct instruction *first_jump_src;
@@ -63,7 +64,7 @@ struct objtool_file {
         bool ignore_unreachables, c_file, hints;
 };
 
-int check(const char *objname, bool no_fp, bool no_unreachable, bool orc);
+int check(const char *objname, bool orc);
 
 struct instruction *find_insn(struct objtool_file *file,
                               struct section *sec, unsigned long offset);