Re: [PATCH 6.7.y 1/6] x86/bugs: Add asm helpers for executing VERW

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 27. 02. 24, 9:27, Pawan Gupta wrote:
On Tue, Feb 27, 2024 at 08:40:26AM +0100, Jiri Slaby wrote:
...
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -315,6 +315,17 @@
   #endif
   .endm
+/*
+ * Macro to execute VERW instruction that mitigate transient data sampling
+ * attacks such as MDS. On affected systems a microcode update overloaded VERW
+ * instruction to also clear the CPU buffers. VERW clobbers CFLAGS.ZF.
+ *
+ * Note: Only the memory operand variant of VERW clears the CPU buffers.
+ */
+.macro CLEAR_CPU_BUFFERS
+	ALTERNATIVE "", __stringify(verw mds_verw_sel), X86_FEATURE_CLEAR_CPU_BUF

Why is not rip-relative preserved here?

Because Nikolay reported that it was creating a problem for backports on
kernels that don't support relocations in alternatives. More on this
here:

   https://lore.kernel.org/lkml/20558f89-299b-472e-9a96-171403a83bd6@xxxxxxxx/

Sure, I know about the issue.

Also, RIP-relative addressing was a requirement only for the initial
versions of the series, where the VERW operand was pointing within the
macro. For performance gains, later versions switched to the
implementation in which all VERW sites were pointing to single memory
location. With that, RIP-relative addressing could be droped in favor of
fixed addresses.

Will this work at all (it looks like verw would now touch random
memory)?

AFAIK, all memory operand variants of VERW have the CPU buffer clearing
behavior. I will confirm this with the CPU architects.

I might be too dumb to understand this, so sorry if the below does not make sense. Neither I cannot see "why it works" in the minor patch you sent (and incorporated here). You only explain it's easier for backports and "was needed in earlier versions".

But verw can #PF (and actually used to before Nik invented the jmp workaround in the SUSE backport). I assume it's the case when the store of the segment (mds_verw_sel) cannot be accessed/read. Now, with fixed addressing this works unless KASLR is employed. If it is, the fixed address of mds_verw_sel no longer points to the correct memory. Or what am I missing?

In any way, should you do any changes during the backport, you shall
document that.

Sorry, I missed to mention this change in 6.7.y backport. I did include
this info in the other backports I sent:

   https://lore.kernel.org/stable/20240226-delay-verw-backport-6-6-y-v1-0-aa17b2922725@xxxxxxxxxxxxxxx/T/
   https://lore.kernel.org/stable/20240226-delay-verw-backport-6-1-y-v1-0-b3a2c5b9b0cb@xxxxxxxxxxxxxxx/T/

I am sure you are aware you need NOT doing this very change in 6.6 and 6.7 ;). It somehow confused me too.

thanks,
--
js
suse labs





[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux