From patchwork Fri Oct 20 11:37:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: tip-bot2 for Thomas Gleixner X-Patchwork-Id: 156035 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:2010:b0:403:3b70:6f57 with SMTP id fe16csp991016vqb; Fri, 20 Oct 2023 04:39:11 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHF/Tm7NOkP32mgPD9ownIQPDjBbw43+4CHWVhaUMY0kXAvG1JOA097Sm9u6eBUVMZeYLFf X-Received: by 2002:a17:903:27ce:b0:1c1:f6d1:3118 with SMTP id km14-20020a17090327ce00b001c1f6d13118mr1456106plb.27.1697801950785; Fri, 20 Oct 2023 04:39:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697801950; cv=none; d=google.com; s=arc-20160816; b=wcW5NAjVCehn9/5YGf+2gssEQjcl2PyIhb9ao7NO0nS3VmjixlztphX2W2CoIasW5G AR+uJ5S7VXwxoffavqdYaFbxWMsnHRalTnbNyRhx0TjA+5FBezNE/RSXO15rR+d/CC18 KXKdoIDbTRyFt6KQMuN2QSwQmlccmYu9ACWbtdjxnm6sbQ8Ap9+JEFiIg/VGEBt2JUgJ nsN96SBAX/+nrRwW+Xw3AVgtsMYC7u32I9N54J2Dl2iMELfATR86M78o88Z/wuvyQL2J GNSqRC0Jb6QXiE7lvee4YdGdzx/dVEpAaYiISkVK+d4Evn1yWhyLGFfIyQ/KC73nxQTk zaNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:robot-unsubscribe :robot-id:message-id:mime-version:references:in-reply-to:cc:subject :to:reply-to:sender:from:dkim-signature:dkim-signature:date; bh=MCwRpGYVXklYoDrgqF6wdIUNJUA3aMgI1E4BknR7zLg=; fh=TJa98jjcJcAUyvo2yQiOqi+wukdLlQU80th5XskGe8U=; b=cVq2UewTo29LdSZlIdgaxBxKWXzXku5RrokOlru1pouOsV08uT2CDMWHw73Dab/Yqp vQUySPyG2a8xmBNJMVsW+RgLx0MHcYRPmqsiZYcrXTxNdCl0RcVkW/hf7PT7hWR10VnR xVwFIgamAYAQ7z/JSjRhvfjr8bflcDbUt95cHYxpNEEIb3NcHZAwe0QqobcPbwoqlWTD L4Sw7zt20YwsfzLFbHxW11PEqYYjURjdpBHdJPucq8Qv08MSLpA5Sfr9KLH56iNLXeQY tEZ8o08x9aPMAzlWQh/+kp2Gr2qxsYiMhiPrNDJ6x/B80Uddj2FYfro19Q5ELxcr1E+G lWaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b="W/Petjyh"; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1]) by mx.google.com with ESMTPS id jo23-20020a170903055700b001c9e75f87edsi1521317plb.152.2023.10.20.04.39.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Oct 2023 04:39:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b="W/Petjyh"; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 9B8A883F69BA; Fri, 20 Oct 2023 04:39:04 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377341AbjJTLiN (ORCPT + 25 others); Fri, 20 Oct 2023 07:38:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41132 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1377208AbjJTLh1 (ORCPT ); Fri, 20 Oct 2023 07:37:27 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C5D0FD61; Fri, 20 Oct 2023 04:37:23 -0700 (PDT) Date: Fri, 20 Oct 2023 11:37:21 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1697801842; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=MCwRpGYVXklYoDrgqF6wdIUNJUA3aMgI1E4BknR7zLg=; b=W/Petjyh6Fo3pTPRABAS5vMlFpaGrSVUfDiIxXH5NDj9acC4DyQuzhouo3ks3LVJhyGxuP DSSwzinjjpULVFUn8L8qMVsszKE8yCXVfIew1/Wg9N/FhjFPZea7BN8u/jHUyCSUAuw+6Y NoHsfiaWy01qVwD9RF8+FJUKHxtLQB9DHLxy9EKAp/V1Fa2hxu4YxBzti1T+zb1HWw/v6/ ZM/a+w50I8ZaxnGimc4oQZ2HXNziFlEvrQfH+LI90+4bjHDvpj/8q8JQVsQ3eS1HIEsBCw rHvfRd9aHyyFsbzjG8/iCB8T+Ykx9s6v5BCjr9FWJ8b//uR5ixlcI+PYy+uuMQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1697801842; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=MCwRpGYVXklYoDrgqF6wdIUNJUA3aMgI1E4BknR7zLg=; b=ahwFO0HKdKaH0EgU2XRJwW7vdY/PDazCYcaKtY4wU5y6L8F2P05X28yYsq4HbS1zc1RglQ bB9FdoNe975Y2bCA== From: "tip-bot2 for Josh Poimboeuf" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/bugs] x86/srso: Fix vulnerability reporting for missing microcode Cc: Josh Poimboeuf , Ingo Molnar , "Borislav Petkov (AMD)" , x86@kernel.org, linux-kernel@vger.kernel.org In-Reply-To: References: MIME-Version: 1.0 Message-ID: <169780184184.3135.1753974962314259626.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Fri, 20 Oct 2023 04:39:04 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1777497817300608200 X-GMAIL-MSGID: 1780274378309471280 The following commit has been merged into the x86/bugs branch of tip: Commit-ID: dc6306ad5b0dda040baf1fde3cfd458e6abfc4da Gitweb: https://git.kernel.org/tip/dc6306ad5b0dda040baf1fde3cfd458e6abfc4da Author: Josh Poimboeuf AuthorDate: Mon, 04 Sep 2023 22:04:52 -07:00 Committer: Borislav Petkov (AMD) CommitterDate: Fri, 20 Oct 2023 11:46:09 +02:00 x86/srso: Fix vulnerability reporting for missing microcode The SRSO default safe-ret mitigation is reported as "mitigated" even if microcode hasn't been updated. That's wrong because userspace may still be vulnerable to SRSO attacks due to IBPB not flushing branch type predictions. Report the safe-ret + !microcode case as vulnerable. Also report the microcode-only case as vulnerable as it leaves the kernel open to attacks. Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation") Signed-off-by: Josh Poimboeuf Signed-off-by: Ingo Molnar Signed-off-by: Borislav Petkov (AMD) Acked-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/a8a14f97d1b0e03ec255c81637afdf4cf0ae9c99.1693889988.git.jpoimboe@kernel.org --- Documentation/admin-guide/hw-vuln/srso.rst | 24 +++++++++----- arch/x86/kernel/cpu/bugs.c | 36 ++++++++++++--------- 2 files changed, 39 insertions(+), 21 deletions(-) diff --git a/Documentation/admin-guide/hw-vuln/srso.rst b/Documentation/admin-guide/hw-vuln/srso.rst index b6cfb51..e715bfc 100644 --- a/Documentation/admin-guide/hw-vuln/srso.rst +++ b/Documentation/admin-guide/hw-vuln/srso.rst @@ -46,12 +46,22 @@ The possible values in this file are: The processor is not vulnerable - * 'Vulnerable: no microcode': +* 'Vulnerable': + + The processor is vulnerable and no mitigations have been applied. + + * 'Vulnerable: No microcode': The processor is vulnerable, no microcode extending IBPB functionality to address the vulnerability has been applied. - * 'Mitigation: microcode': + * 'Vulnerable: Safe RET, no microcode': + + The "Safe RET" mitigation (see below) has been applied to protect the + kernel, but the IBPB-extending microcode has not been applied. User + space tasks may still be vulnerable. + + * 'Vulnerable: Microcode, no safe RET': Extended IBPB functionality microcode patch has been applied. It does not address User->Kernel and Guest->Host transitions protection but it @@ -72,11 +82,11 @@ The possible values in this file are: (spec_rstack_overflow=microcode) - * 'Mitigation: safe RET': + * 'Mitigation: Safe RET': - Software-only mitigation. It complements the extended IBPB microcode - patch functionality by addressing User->Kernel and Guest->Host - transitions protection. + Combined microcode/software mitigation. It complements the + extended IBPB microcode patch functionality by addressing + User->Kernel and Guest->Host transitions protection. Selected by default or by spec_rstack_overflow=safe-ret @@ -129,7 +139,7 @@ an indrect branch prediction barrier after having applied the required microcode patch for one's system. This mitigation comes also at a performance cost. -Mitigation: safe RET +Mitigation: Safe RET -------------------- The mitigation works by ensuring all RET instructions speculate to diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 6c47f37..e45dd69 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2353,6 +2353,8 @@ early_param("l1tf", l1tf_cmdline); enum srso_mitigation { SRSO_MITIGATION_NONE, + SRSO_MITIGATION_UCODE_NEEDED, + SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED, SRSO_MITIGATION_MICROCODE, SRSO_MITIGATION_SAFE_RET, SRSO_MITIGATION_IBPB, @@ -2368,11 +2370,13 @@ enum srso_mitigation_cmd { }; static const char * const srso_strings[] = { - [SRSO_MITIGATION_NONE] = "Vulnerable", - [SRSO_MITIGATION_MICROCODE] = "Mitigation: microcode", - [SRSO_MITIGATION_SAFE_RET] = "Mitigation: safe RET", - [SRSO_MITIGATION_IBPB] = "Mitigation: IBPB", - [SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only" + [SRSO_MITIGATION_NONE] = "Vulnerable", + [SRSO_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode", + [SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED] = "Vulnerable: Safe RET, no microcode", + [SRSO_MITIGATION_MICROCODE] = "Vulnerable: Microcode, no safe RET", + [SRSO_MITIGATION_SAFE_RET] = "Mitigation: Safe RET", + [SRSO_MITIGATION_IBPB] = "Mitigation: IBPB", + [SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only" }; static enum srso_mitigation srso_mitigation __ro_after_init = SRSO_MITIGATION_NONE; @@ -2409,10 +2413,7 @@ static void __init srso_select_mitigation(void) if (!boot_cpu_has_bug(X86_BUG_SRSO) || cpu_mitigations_off()) goto pred_cmd; - if (!has_microcode) { - pr_warn("IBPB-extending microcode not applied!\n"); - pr_warn(SRSO_NOTICE); - } else { + if (has_microcode) { /* * Zen1/2 with SMT off aren't vulnerable after the right * IBPB microcode has been applied. @@ -2428,6 +2429,12 @@ static void __init srso_select_mitigation(void) srso_mitigation = SRSO_MITIGATION_IBPB; goto out; } + } else { + pr_warn("IBPB-extending microcode not applied!\n"); + pr_warn(SRSO_NOTICE); + + /* may be overwritten by SRSO_CMD_SAFE_RET below */ + srso_mitigation = SRSO_MITIGATION_UCODE_NEEDED; } switch (srso_cmd) { @@ -2457,7 +2464,10 @@ static void __init srso_select_mitigation(void) setup_force_cpu_cap(X86_FEATURE_SRSO); x86_return_thunk = srso_return_thunk; } - srso_mitigation = SRSO_MITIGATION_SAFE_RET; + if (has_microcode) + srso_mitigation = SRSO_MITIGATION_SAFE_RET; + else + srso_mitigation = SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED; } else { pr_err("WARNING: kernel not compiled with CPU_SRSO.\n"); } @@ -2490,7 +2500,7 @@ static void __init srso_select_mitigation(void) } out: - pr_info("%s%s\n", srso_strings[srso_mitigation], has_microcode ? "" : ", no microcode"); + pr_info("%s\n", srso_strings[srso_mitigation]); pred_cmd: if ((!boot_cpu_has_bug(X86_BUG_SRSO) || srso_cmd == SRSO_CMD_OFF) && @@ -2701,9 +2711,7 @@ static ssize_t srso_show_state(char *buf) if (boot_cpu_has(X86_FEATURE_SRSO_NO)) return sysfs_emit(buf, "Mitigation: SMT disabled\n"); - return sysfs_emit(buf, "%s%s\n", - srso_strings[srso_mitigation], - boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ? "" : ", no microcode"); + return sysfs_emit(buf, "%s\n", srso_strings[srso_mitigation]); } static ssize_t gds_show_state(char *buf)