This is a note to let you know that I've just added the patch titled x86/bugs: Report Intel retbleed vulnerability to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: x86-bugs-report-intel-retbleed-vulnerability.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Mon Oct 31 07:55:50 AM CET 2022 From: Suraj Jitindar Singh <surajjs@xxxxxxxxxx> Date: Thu, 27 Oct 2022 13:55:02 -0700 Subject: x86/bugs: Report Intel retbleed vulnerability To: <stable@xxxxxxxxxxxxxxx> Cc: <surajjs@xxxxxxxxxx>, <sjitindarsingh@xxxxxxxxx>, <cascardo@xxxxxxxxxxxxx>, <kvm@xxxxxxxxxxxxxxx>, <pbonzini@xxxxxxxxxx>, <jpoimboe@xxxxxxxxxx>, <peterz@xxxxxxxxxxxxx>, <x86@xxxxxxxxxx> Message-ID: <20221027205502.17426-4-surajjs@xxxxxxxxxx> From: Peter Zijlstra <peterz@xxxxxxxxxxxxx> commit 6ad0ad2bf8a67e27d1f9d006a1dabb0e1c360cc3 upstream. Skylake suffers from RSB underflow speculation issues; report this vulnerability and it's mitigation (spectre_v2=ibrs). [jpoimboe: cleanups, eibrs] Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx> Signed-off-by: Borislav Petkov <bp@xxxxxxx> Reviewed-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx> Signed-off-by: Borislav Petkov <bp@xxxxxxx> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> [ bp: Adjust to different processor family names ] Signed-off-by: Suraj Jitindar Singh <surajjs@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- arch/x86/include/asm/msr-index.h | 1 arch/x86/kernel/cpu/bugs.c | 42 ++++++++++++++++++++++++++++++++------- arch/x86/kernel/cpu/common.c | 24 +++++++++++----------- 3 files changed, 48 insertions(+), 19 deletions(-) --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -73,6 +73,7 @@ #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a #define ARCH_CAP_RDCL_NO BIT(0) /* Not susceptible to Meltdown */ #define ARCH_CAP_IBRS_ALL BIT(1) /* Enhanced IBRS support */ +#define ARCH_CAP_RSBA BIT(2) /* RET may use alternative branch predictors */ #define ARCH_CAP_SKIP_VMENTRY_L1DFLUSH BIT(3) /* Skip L1D flush on vmentry */ #define ARCH_CAP_SSB_NO BIT(4) /* * Not susceptible to Speculative Store Bypass --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -743,11 +743,16 @@ static int __init nospectre_v1_cmdline(c } early_param("nospectre_v1", nospectre_v1_cmdline); +static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = + SPECTRE_V2_NONE; + #undef pr_fmt #define pr_fmt(fmt) "RETBleed: " fmt enum retbleed_mitigation { - RETBLEED_MITIGATION_NONE + RETBLEED_MITIGATION_NONE, + RETBLEED_MITIGATION_IBRS, + RETBLEED_MITIGATION_EIBRS, }; enum retbleed_mitigation_cmd { @@ -756,7 +761,9 @@ enum retbleed_mitigation_cmd { }; const char * const retbleed_strings[] = { - [RETBLEED_MITIGATION_NONE] = "Vulnerable" + [RETBLEED_MITIGATION_NONE] = "Vulnerable", + [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS", + [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS", }; static enum retbleed_mitigation retbleed_mitigation __ro_after_init = @@ -780,6 +787,8 @@ static int __init retbleed_parse_cmdline } early_param("retbleed", retbleed_parse_cmdline); +#define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n" + static void __init retbleed_select_mitigation(void) { if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off()) @@ -791,8 +800,11 @@ static void __init retbleed_select_mitig case RETBLEED_CMD_AUTO: default: - if (!boot_cpu_has_bug(X86_BUG_RETBLEED)) - break; + /* + * The Intel mitigation (IBRS) was already selected in + * spectre_v2_select_mitigation(). + */ + break; } @@ -801,15 +813,31 @@ static void __init retbleed_select_mitig break; } + /* + * Let IBRS trump all on Intel without affecting the effects of the + * retbleed= cmdline option. + */ + if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) { + switch (spectre_v2_enabled) { + case SPECTRE_V2_IBRS: + retbleed_mitigation = RETBLEED_MITIGATION_IBRS; + break; + case SPECTRE_V2_EIBRS: + case SPECTRE_V2_EIBRS_RETPOLINE: + case SPECTRE_V2_EIBRS_LFENCE: + retbleed_mitigation = RETBLEED_MITIGATION_EIBRS; + break; + default: + pr_err(RETBLEED_INTEL_MSG); + } + } + pr_info("%s\n", retbleed_strings[retbleed_mitigation]); } #undef pr_fmt #define pr_fmt(fmt) "Spectre V2 : " fmt -static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = - SPECTRE_V2_NONE; - static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init = SPECTRE_V2_USER_NONE; static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init = --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -999,24 +999,24 @@ static const struct x86_cpu_id cpu_vuln_ VULNBL_INTEL_STEPPINGS(BROADWELL_GT3E, X86_STEPPING_ANY, SRBDS), VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO), VULNBL_INTEL_STEPPINGS(BROADWELL_CORE, X86_STEPPING_ANY, SRBDS), - VULNBL_INTEL_STEPPINGS(SKYLAKE_MOBILE, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO), + VULNBL_INTEL_STEPPINGS(SKYLAKE_MOBILE, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO | RETBLEED), VULNBL_INTEL_STEPPINGS(SKYLAKE_MOBILE, X86_STEPPING_ANY, SRBDS), VULNBL_INTEL_STEPPINGS(SKYLAKE_X, BIT(3) | BIT(4) | BIT(6) | - BIT(7) | BIT(0xB), MMIO), - VULNBL_INTEL_STEPPINGS(SKYLAKE_DESKTOP, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO), + BIT(7) | BIT(0xB), MMIO | RETBLEED), + VULNBL_INTEL_STEPPINGS(SKYLAKE_DESKTOP, X86_STEPPINGS(0x3, 0x3), SRBDS | MMIO | RETBLEED), VULNBL_INTEL_STEPPINGS(SKYLAKE_DESKTOP, X86_STEPPING_ANY, SRBDS), - VULNBL_INTEL_STEPPINGS(KABYLAKE_MOBILE, X86_STEPPINGS(0x9, 0xC), SRBDS | MMIO), + VULNBL_INTEL_STEPPINGS(KABYLAKE_MOBILE, X86_STEPPINGS(0x9, 0xC), SRBDS | MMIO | RETBLEED), VULNBL_INTEL_STEPPINGS(KABYLAKE_MOBILE, X86_STEPPINGS(0x0, 0x8), SRBDS), - VULNBL_INTEL_STEPPINGS(KABYLAKE_DESKTOP,X86_STEPPINGS(0x9, 0xD), SRBDS | MMIO), + VULNBL_INTEL_STEPPINGS(KABYLAKE_DESKTOP,X86_STEPPINGS(0x9, 0xD), SRBDS | MMIO | RETBLEED), VULNBL_INTEL_STEPPINGS(KABYLAKE_DESKTOP,X86_STEPPINGS(0x0, 0x8), SRBDS), - VULNBL_INTEL_STEPPINGS(ICELAKE_MOBILE, X86_STEPPINGS(0x5, 0x5), MMIO | MMIO_SBDS), + VULNBL_INTEL_STEPPINGS(ICELAKE_MOBILE, X86_STEPPINGS(0x5, 0x5), MMIO | MMIO_SBDS | RETBLEED), VULNBL_INTEL_STEPPINGS(ICELAKE_XEON_D, X86_STEPPINGS(0x1, 0x1), MMIO), VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPINGS(0x4, 0x6), MMIO), - VULNBL_INTEL_STEPPINGS(COMETLAKE, BIT(2) | BIT(3) | BIT(5), MMIO | MMIO_SBDS), - VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPINGS(0x1, 0x1), MMIO | MMIO_SBDS), - VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPINGS(0x0, 0x0), MMIO), - VULNBL_INTEL_STEPPINGS(LAKEFIELD, X86_STEPPINGS(0x1, 0x1), MMIO | MMIO_SBDS), - VULNBL_INTEL_STEPPINGS(ROCKETLAKE, X86_STEPPINGS(0x1, 0x1), MMIO), + VULNBL_INTEL_STEPPINGS(COMETLAKE, BIT(2) | BIT(3) | BIT(5), MMIO | MMIO_SBDS | RETBLEED), + VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPINGS(0x1, 0x1), MMIO | MMIO_SBDS | RETBLEED), + VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPINGS(0x0, 0x0), MMIO | RETBLEED), + VULNBL_INTEL_STEPPINGS(LAKEFIELD, X86_STEPPINGS(0x1, 0x1), MMIO | MMIO_SBDS | RETBLEED), + VULNBL_INTEL_STEPPINGS(ROCKETLAKE, X86_STEPPINGS(0x1, 0x1), MMIO | RETBLEED), VULNBL_INTEL_STEPPINGS(ATOM_TREMONT, X86_STEPPINGS(0x1, 0x1), MMIO | MMIO_SBDS), VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_X, X86_STEPPING_ANY, MMIO), VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_L, X86_STEPPINGS(0x0, 0x0), MMIO | MMIO_SBDS), @@ -1129,7 +1129,7 @@ static void __init cpu_set_bug_bits(stru setup_force_cpu_bug(X86_BUG_MMIO_UNKNOWN); } - if (cpu_matches(cpu_vuln_blacklist, RETBLEED)) + if ((cpu_matches(cpu_vuln_blacklist, RETBLEED) || (ia32_cap & ARCH_CAP_RSBA))) setup_force_cpu_bug(X86_BUG_RETBLEED); if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN)) Patches currently in stable-queue which might be from surajjs@xxxxxxxxxx are queue-4.14/x86-speculation-disable-rrsba-behavior.patch queue-4.14/x86-bugs-report-intel-retbleed-vulnerability.patch queue-4.14/x86-entry-add-kernel-ibrs-implementation.patch queue-4.14/x86-bugs-warn-when-ibrs-mitigation-is-selected-on-enhanced-ibrs-parts.patch queue-4.14/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch queue-4.14/x86-speculation-fix-spec_ctrl-write-on-smt-state-change.patch queue-4.14/entel_idle-disable-ibrs-during-long-idle.patch queue-4.14/x86-speculation-use-cached-host-spec_ctrl-value-for-guest-entry-exit.patch queue-4.14/x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch queue-4.14/x86-speculation-add-lfence-to-rsb-fill-sequence.patch queue-4.14/x86-bugs-report-amd-retbleed-vulnerability.patch queue-4.14/x86-speculation-add-spectre_v2-ibrs-option-to-support-kernel-ibrs.patch queue-4.14/x86-bugs-keep-a-per-cpu-ia32_spec_ctrl-value.patch queue-4.14/x86-speculation-fill-rsb-on-vmexit-for-ibrs.patch queue-4.14/x86-speculation-fix-rsb-filling-with-config_retpoline-n.patch queue-4.14/x86-speculation-add-rsb-vm-exit-protections.patch queue-4.14/x86-bugs-optimize-spec_ctrl-msr-writes.patch queue-4.14/kvm-vmx-fix-ibrs-handling-after-vmexit.patch queue-4.14/kvm-vmx-prevent-guest-rsb-poisoning-attacks-with-eibrs.patch queue-4.14/x86-speculation-fix-firmware-entry-spec_ctrl-handling.patch queue-4.14/x86-bugs-add-amd-retbleed-boot-parameter.patch queue-4.14/x86-cpu-add-consistent-cpu-match-macros.patch queue-4.14/x86-speculation-remove-x86_spec_ctrl_mask.patch queue-4.14/x86-speculation-use-declare_per_cpu-for-x86_spec_ctrl_current.patch queue-4.14/x86-cpufeature-fix-various-quality-problems-in-the-asm-cpu_device_hd.h-header.patch queue-4.14/x86-entry-remove-skip_r11rcx.patch queue-4.14/revert-x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch queue-4.14/x86-common-stamp-out-the-stepping-madness.patch queue-4.14/x86-cpu-amd-enumerate-btc_no.patch queue-4.14/x86-bugs-add-cannon-lake-to-retbleed-affected-cpu-list.patch queue-4.14/x86-devicetable-move-x86-specific-macro-out-of-generic-code.patch queue-4.14/x86-bugs-split-spectre_v2_select_mitigation-and-spectre_v2_user_select_mitigation.patch queue-4.14/x86-cpufeatures-move-retpoline-flags-to-word-11.patch queue-4.14/x86-cpufeature-add-facility-to-check-for-min-microcode-revisions.patch