On Wed, Nov 07, 2018 at 10:06:42AM -0800, Sai Praneeth Prakhya wrote: > From: Sai Praneeth <sai.praneeth.prakhya@xxxxxxxxx> > > [ Upstream commit 706d51681d636a0c4a5ef53395ec3b803e45ed4d ] > > Future Intel processors will support "Enhanced IBRS" which is an "always > on" mode i.e. IBRS bit in SPEC_CTRL MSR is enabled once and never > disabled. > > >From the specification [1]: > > "With enhanced IBRS, the predicted targets of indirect branches > executed cannot be controlled by software that was executed in a less > privileged predictor mode or on another logical processor. As a > result, software operating on a processor with enhanced IBRS need not > use WRMSR to set IA32_SPEC_CTRL.IBRS after every transition to a more > privileged predictor mode. Software can isolate predictor modes > effectively simply by setting the bit once. Software need not disable > enhanced IBRS prior to entering a sleep state such as MWAIT or HLT." > > If Enhanced IBRS is supported by the processor then use it as the > preferred spectre v2 mitigation mechanism instead of Retpoline. Intel's > Retpoline white paper [2] states: > > "Retpoline is known to be an effective branch target injection (Spectre > variant 2) mitigation on Intel processors belonging to family 6 > (enumerated by the CPUID instruction) that do not have support for > enhanced IBRS. On processors that support enhanced IBRS, it should be > used for mitigation instead of retpoline." > > The reason why Enhanced IBRS is the recommended mitigation on processors > which support it is that these processors also support CET which > provides a defense against ROP attacks. Retpoline is very similar to ROP > techniques and might trigger false positives in the CET defense. > > If Enhanced IBRS is selected as the mitigation technique for spectre v2, > the IBRS bit in SPEC_CTRL MSR is set once at boot time and never > cleared. Kernel also has to make sure that IBRS bit remains set after > VMEXIT because the guest might have cleared the bit. This is already > covered by the existing x86_spec_ctrl_set_guest() and > x86_spec_ctrl_restore_host() speculation control functions. > > Enhanced IBRS still requires IBPB for full mitigation. > > [1] Speculative-Execution-Side-Channel-Mitigations.pdf > [2] Retpoline-A-Branch-Target-Injection-Mitigation.pdf > Both documents are available at: > https://bugzilla.kernel.org/show_bug.cgi?id=199511 > > Originally-by: David Woodhouse <dwmw@xxxxxxxxxxxx> > Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@xxxxxxxxx> > Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > Cc: Tim C Chen <tim.c.chen@xxxxxxxxx> > Cc: Dave Hansen <dave.hansen@xxxxxxxxx> > Cc: Ravi Shankar <ravi.v.shankar@xxxxxxxxx> > Cc: Andi Kleen <ak@xxxxxxxxxxxxxxx> > Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > Cc: <stable@xxxxxxxxxxxxxxx> > --- > arch/x86/include/asm/cpufeatures.h | 1 + > arch/x86/include/asm/nospec-branch.h | 1 + > arch/x86/kernel/cpu/bugs.c | 20 ++++++++++++++++++-- > arch/x86/kernel/cpu/common.c | 3 +++ > 4 files changed, 23 insertions(+), 2 deletions(-) > > Changes from upstream: > ---------------------- > 1. Use bit 30 of word 7 in cpufeatures for X86_FEATURE_IBRS_ENHANCED as bit 29 > is now used by L1TF. > 2. Fix some trivial line fuzzing. > > Note: Based on kernel version "Linux 4.18.17" and to be applied on both "Linux > 4.18.17" and "Linux 4.14.79". Please note that git am doesn't apply this patch > smoothly on 4.14.79 because of line fuzz, so please use "patch -p1". Didn't want > to spam the mailing list by sending a duplicate patch and hence sending single > patch for two stable releases. > Sending valid patches is never "spam", don't be afraid to do that. I've queued this up now, please verify I got it right. thanks, greg k-h
