diff options
| -rw-r--r-- | Documentation/x86/mds.rst | 39 |
1 files changed, 7 insertions, 32 deletions
diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst index 0dc812bb9249..5d4330be200f 100644 --- a/Documentation/x86/mds.rst +++ b/Documentation/x86/mds.rst | |||
| @@ -142,38 +142,13 @@ Mitigation points | |||
| 142 | mds_user_clear. | 142 | mds_user_clear. |
| 143 | 143 | ||
| 144 | The mitigation is invoked in prepare_exit_to_usermode() which covers | 144 | The mitigation is invoked in prepare_exit_to_usermode() which covers |
| 145 | most of the kernel to user space transitions. There are a few exceptions | 145 | all but one of the kernel to user space transitions. The exception |
| 146 | which are not invoking prepare_exit_to_usermode() on return to user | 146 | is when we return from a Non Maskable Interrupt (NMI), which is |
| 147 | space. These exceptions use the paranoid exit code. | 147 | handled directly in do_nmi(). |
| 148 | 148 | ||
| 149 | - Non Maskable Interrupt (NMI): | 149 | (The reason that NMI is special is that prepare_exit_to_usermode() can |
| 150 | 150 | enable IRQs. In NMI context, NMIs are blocked, and we don't want to | |
| 151 | Access to sensible data like keys, credentials in the NMI context is | 151 | enable IRQs with NMIs blocked.) |
| 152 | mostly theoretical: The CPU can do prefetching or execute a | ||
| 153 | misspeculated code path and thereby fetching data which might end up | ||
| 154 | leaking through a buffer. | ||
| 155 | |||
| 156 | But for mounting other attacks the kernel stack address of the task is | ||
| 157 | already valuable information. So in full mitigation mode, the NMI is | ||
| 158 | mitigated on the return from do_nmi() to provide almost complete | ||
| 159 | coverage. | ||
| 160 | |||
| 161 | - Machine Check Exception (#MC): | ||
| 162 | |||
| 163 | Another corner case is a #MC which hits between the CPU buffer clear | ||
| 164 | invocation and the actual return to user. As this still is in kernel | ||
| 165 | space it takes the paranoid exit path which does not clear the CPU | ||
| 166 | buffers. So the #MC handler repopulates the buffers to some | ||
| 167 | extent. Machine checks are not reliably controllable and the window is | ||
| 168 | extremly small so mitigation would just tick a checkbox that this | ||
| 169 | theoretical corner case is covered. To keep the amount of special | ||
| 170 | cases small, ignore #MC. | ||
| 171 | |||
| 172 | - Debug Exception (#DB): | ||
| 173 | |||
| 174 | This takes the paranoid exit path only when the INT1 breakpoint is in | ||
| 175 | kernel space. #DB on a user space address takes the regular exit path, | ||
| 176 | so no extra mitigation required. | ||
| 177 | 152 | ||
| 178 | 153 | ||
| 179 | 2. C-State transition | 154 | 2. C-State transition |