On Mon, Jun 15, 2020 at 02:03:18PM -0400, Sasha Levin wrote:
> On Mon, Jun 15, 2020 at 03:33:25PM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> >
> > The patch below does not apply to the 4.19-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@xxxxxxxxxxxxxxx>.
> >
> > thanks,
> >
> > greg k-h
> >
> > ------------------ original commit in Linus's tree ------------------
> >
> > > From 21998a351512eba4ed5969006f0c55882d995ada Mon Sep 17 00:00:00 2001
> > From: Anthony Steinhauser <asteinhauser@xxxxxxxxxx>
> > Date: Tue, 19 May 2020 06:40:42 -0700
> > Subject: [PATCH] x86/speculation: Avoid force-disabling IBPB based on STIBP
> >  and enhanced IBRS.
> >
> > When STIBP is unavailable or enhanced IBRS is available, Linux
> > force-disables the IBPB mitigation of Spectre-BTB even when simultaneous
> > multithreading is disabled. While attempts to enable IBPB using
> > prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, ...) fail with
> > EPERM, the seccomp syscall (or its prctl(PR_SET_SECCOMP, ...) equivalent)
> > which are used e.g. by Chromium or OpenSSH succeed with no errors but the
> > application remains silently vulnerable to cross-process Spectre v2 attacks
> > (classical BTB poisoning). At the same time the SYSFS reporting
> > (/sys/devices/system/cpu/vulnerabilities/spectre_v2) displays that IBPB is
> > conditionally enabled when in fact it is unconditionally disabled.
> >
> > STIBP is useful only when SMT is enabled. When SMT is disabled and STIBP is
> > unavailable, it makes no sense to force-disable also IBPB, because IBPB
> > protects against cross-process Spectre-BTB attacks regardless of the SMT
> > state. At the same time since missing STIBP was only observed on AMD CPUs,
> > AMD does not recommend using STIBP, but recommends using IBPB, so disabling
> > IBPB because of missing STIBP goes directly against AMD's advice:
> > https://developer.amd.com/wp-content/resources/Architecture_Guidelines_Update_Indirect_Branch_Control.pdf
> >
> > Similarly, enhanced IBRS is designed to protect cross-core BTB poisoning
> > and BTB-poisoning attacks from user space against kernel (and
> > BTB-poisoning attacks from guest against hypervisor), it is not designed
> > to prevent cross-process (or cross-VM) BTB poisoning between processes (or
> > VMs) running on the same core. Therefore, even with enhanced IBRS it is
> > necessary to flush the BTB during context-switches, so there is no reason
> > to force disable IBPB when enhanced IBRS is available.
> >
> > Enable the prctl control of IBPB even when STIBP is unavailable or enhanced
> > IBRS is available.
> >
> > Fixes: 7cc765a67d8e ("x86/speculation: Enable prctl mode for spectre_v2_user")
> > Signed-off-by: Anthony Steinhauser <asteinhauser@xxxxxxxxxx>
> > Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx
>
> I took these two additional patches for 4.19-4.4:
>
> aa77bfb354c4 ("x86/speculation: Change misspelled STIPB to STIBP")
> 20c3a2c33e9f ("x86/speculation: Add support for STIBP always-on preferred mode")
>
> With tiny massaging on 4.9 and 4.4.

Thanks for doing this, and the other FAILED fixups.

greg k-h
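
An added example, not part of this thread or of the kernel patch: a small C self-check a process can run to confirm that the indirect-branch mitigation it asked for is really in effect, and to flag the sysfs/prctl disagreement the quoted commit message describes. The helper names `task_mitigated` and `reporting_mismatch` are hypothetical; the prctl constants and the sysfs path are the kernel's.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for older userspace headers; values are from linux/prctl.h. */
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

#define SYSFS_V2 "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

/* 1 if a PR_GET_SPECULATION_CTRL result says indirect-branch speculation
 * is restricted for this task (mitigation active), 0 otherwise. */
int task_mitigated(long state)
{
    return state > 0 && (state & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

/* 1 if the sysfs line advertises conditional IBPB while the prctl opt-in
 * was refused with EPERM: the inconsistent reporting the commit describes. */
int reporting_mismatch(const char *sysfs_line, int set_errno)
{
    return strstr(sysfs_line, "IBPB: conditional") != NULL && set_errno == EPERM;
}

int main(void)
{
    char line[256] = "";
    FILE *f = fopen(SYSFS_V2, "r");
    if (f) {
        if (!fgets(line, sizeof line, f))
            line[0] = '\0';
        fclose(f);
    }
    /* Opt this process in, then read the state back instead of trusting success. */
    int rc = prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
    int err = rc ? errno : 0;
    long state = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);

    printf("sysfs: %s", line[0] ? line : "(unreadable)\n");
    printf("set: %s, get: 0x%lx, mitigated: %d, mismatch: %d\n",
           err ? strerror(err) : "ok", state, task_mitigated(state),
           reporting_mismatch(line, err));
    return task_mitigated(state) ? 0 : 1;
}
```

The same read-back with PR_GET_SPECULATION_CTRL can be done after installing a seccomp filter, which is the path the commit message says succeeds without error while leaving the task unprotected.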