Initial retpoline patches for Spectre v2

2018-01-11 10:28:58 -06:00 · 2018-01-11 10:28:58 -06:00 · 78b277bd72
parent d496f759f1
commit 78b277bd72
13 changed files with 1856 additions and 0 deletions
--- a/0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
+++ b/0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
@ -0,0 +1,66 @@
+From e4d0e84e490790798691aaa0f2e598637f1867ec Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Mon, 8 Jan 2018 16:09:21 -0600
+Subject: [PATCH 1/2] x86/cpu/AMD: Make LFENCE a serializing instruction
+
+To aid in speculation control, make LFENCE a serializing instruction
+since it has less overhead than MFENCE.  This is done by setting bit 1
+of MSR 0xc0011029 (DE_CFG).  Some families that support LFENCE do not
+have this MSR.  For these families, the LFENCE instruction is already
+serializing.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Cc: Paul Turner <pjt@google.com>
+Link: https://lkml.kernel.org/r/20180108220921.12580.71694.stgit@tlendack-t1.amdoffice.net
+---
+ arch/x86/include/asm/msr-index.h |  2 ++
+ arch/x86/kernel/cpu/amd.c        | 10 ++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
+index ab022618a50a..1e7d710fef43 100644
+--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
+@@ -352,6 +352,8 @@
+ #define FAM10H_MMIO_CONF_BASE_MASK	0xfffffffULL
+ #define FAM10H_MMIO_CONF_BASE_SHIFT	20
+ #define MSR_FAM10H_NODE_ID		0xc001100c
+#define MSR_F10H_DECFG			0xc0011029
+#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT	1
+
+ /* K8 MSRs */
+ #define MSR_K8_TOP_MEM1			0xc001001a
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index bcb75dc97d44..5b438d81beb2 100644
+--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
+@@ -829,6 +829,16 @@ static void init_amd(struct cpuinfo_x86 *c)
+ 		set_cpu_cap(c, X86_FEATURE_K8);
+
+ 	if (cpu_has(c, X86_FEATURE_XMM2)) {
+		/*
+		 * A serializing LFENCE has less overhead than MFENCE, so
+		 * use it for execution serialization.  On families which
+		 * don't have that MSR, LFENCE is already serializing.
+		 * msr_set_bit() uses the safe accessors, too, even if the MSR
+		 * is not present.
+		 */
+		msr_set_bit(MSR_F10H_DECFG,
+			    MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
+
+ 		/* MFENCE stops RDTSC speculation */
+ 		set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
+ 	}
+-- 
+2.14.3
+
--- a/0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
+++ b/0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
@ -0,0 +1,58 @@
+From 99c6fa2511d8a683e61468be91b83f85452115fa Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Sat, 6 Jan 2018 11:49:23 +0000
+Subject: [PATCH 1/2] x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
+
+Add the bug bits for spectre v1/2 and force them unconditionally for all
+cpus.
+
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: gnomes@lxorguk.ukuu.org.uk
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Kees Cook <keescook@google.com>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
+Cc: Paul Turner <pjt@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1515239374-23361-2-git-send-email-dwmw@amazon.co.uk
+---
+ arch/x86/include/asm/cpufeatures.h | 2 ++
+ arch/x86/kernel/cpu/common.c       | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
+index 21ac898df2d8..1641c2f96363 100644
+--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
+@@ -342,5 +342,7 @@
+ #define X86_BUG_MONITOR			X86_BUG(12) /* IPI required to wake up remote CPU */
+ #define X86_BUG_AMD_E400		X86_BUG(13) /* CPU is among the affected by Erratum 400 */
+ #define X86_BUG_CPU_MELTDOWN		X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
+#define X86_BUG_SPECTRE_V1		X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
+#define X86_BUG_SPECTRE_V2		X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
+
+ #endif /* _ASM_X86_CPUFEATURES_H */
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 2d3bd2215e5b..372ba3fb400f 100644
+--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
+@@ -902,6 +902,9 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+ 	if (c->x86_vendor != X86_VENDOR_AMD)
+ 		setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
+
+	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
+
+ 	fpu__init_system(c);
+
+ #ifdef CONFIG_X86_32
+-- 
+2.14.3
+
--- a/0002-sysfs-cpu-Add-vulnerability-folder.patch
+++ b/0002-sysfs-cpu-Add-vulnerability-folder.patch
@ -0,0 +1,154 @@
+From 87590ce6e373d1a5401f6539f0c59ef92dd924a9 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sun, 7 Jan 2018 22:48:00 +0100
+Subject: [PATCH 2/2] sysfs/cpu: Add vulnerability folder
+
+As the meltdown/spectre problem affects several CPU architectures, it makes
+sense to have common way to express whether a system is affected by a
+particular vulnerability or not. If affected the way to express the
+mitigation should be common as well.
+
+Create /sys/devices/system/cpu/vulnerabilities folder and files for
+meltdown, spectre_v1 and spectre_v2.
+
+Allow architectures to override the show function.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Linus Torvalds <torvalds@linuxfoundation.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Link: https://lkml.kernel.org/r/20180107214913.096657732@linutronix.de
+---
+ Documentation/ABI/testing/sysfs-devices-system-cpu | 16 ++++++++
+ drivers/base/Kconfig                               |  3 ++
+ drivers/base/cpu.c                                 | 48 ++++++++++++++++++++++
+ include/linux/cpu.h                                |  7 ++++
+ 4 files changed, 74 insertions(+)
+
+diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
+index f3d5817c4ef0..bd3a88e16d8b 100644
+--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
+@@ -373,3 +373,19 @@ Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
+ Description:	information about CPUs heterogeneity.
+
+ 		cpu_capacity: capacity of cpu#.
+
+What:		/sys/devices/system/cpu/vulnerabilities
+		/sys/devices/system/cpu/vulnerabilities/meltdown
+		/sys/devices/system/cpu/vulnerabilities/spectre_v1
+		/sys/devices/system/cpu/vulnerabilities/spectre_v2
+Date:		Januar 2018
+Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
+Description:	Information about CPU vulnerabilities
+
+		The files are named after the code names of CPU
+		vulnerabilities. The output of those files reflects the
+		state of the CPUs in the system. Possible output values:
+
+		"Not affected"	  CPU is not affected by the vulnerability
+		"Vulnerable"	  CPU is affected and no mitigation in effect
+		"Mitigation: $M"  CPU is affetcted and mitigation $M is in effect
+diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
+index 2f6614c9a229..37a71fd9043f 100644
+--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
+@@ -235,6 +235,9 @@ config GENERIC_CPU_DEVICES
+ config GENERIC_CPU_AUTOPROBE
+ 	bool
+
+config GENERIC_CPU_VULNERABILITIES
+	bool
+
+ config SOC_BUS
+ 	bool
+ 	select GLOB
+diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
+index 321cd7b4d817..825964efda1d 100644
+--- a/drivers/base/cpu.c
+++ b/drivers/base/cpu.c
+@@ -501,10 +501,58 @@ static void __init cpu_dev_register_generic(void)
+ #endif
+ }
+
+#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES
+
+ssize_t __weak cpu_show_meltdown(struct device *dev,
+				 struct device_attribute *attr, char *buf)
+{
+	return sprintf(buf, "Not affected\n");
+}
+
+ssize_t __weak cpu_show_spectre_v1(struct device *dev,
+				   struct device_attribute *attr, char *buf)
+{
+	return sprintf(buf, "Not affected\n");
+}
+
+ssize_t __weak cpu_show_spectre_v2(struct device *dev,
+				   struct device_attribute *attr, char *buf)
+{
+	return sprintf(buf, "Not affected\n");
+}
+
+static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
+static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
+static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+
+static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+	&dev_attr_meltdown.attr,
+	&dev_attr_spectre_v1.attr,
+	&dev_attr_spectre_v2.attr,
+	NULL
+};
+
+static const struct attribute_group cpu_root_vulnerabilities_group = {
+	.name  = "vulnerabilities",
+	.attrs = cpu_root_vulnerabilities_attrs,
+};
+
+static void __init cpu_register_vulnerabilities(void)
+{
+	if (sysfs_create_group(&cpu_subsys.dev_root->kobj,
+			       &cpu_root_vulnerabilities_group))
+		pr_err("Unable to register CPU vulnerabilities\n");
+}
+
+#else
+static inline void cpu_register_vulnerabilities(void) { }
+#endif
+
+ void __init cpu_dev_init(void)
+ {
+ 	if (subsys_system_register(&cpu_subsys, cpu_root_attr_groups))
+ 		panic("Failed to register CPU subsystem");
+
+ 	cpu_dev_register_generic();
+	cpu_register_vulnerabilities();
+ }
+diff --git a/include/linux/cpu.h b/include/linux/cpu.h
+index 938ea8ae0ba4..c816e6f2730c 100644
+--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
+@@ -47,6 +47,13 @@ extern void cpu_remove_dev_attr(struct device_attribute *attr);
+ extern int cpu_add_dev_attr_group(struct attribute_group *attrs);
+ extern void cpu_remove_dev_attr_group(struct attribute_group *attrs);
+
+extern ssize_t cpu_show_meltdown(struct device *dev,
+				 struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_spectre_v1(struct device *dev,
+				   struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_spectre_v2(struct device *dev,
+				   struct device_attribute *attr, char *buf);
+
+ extern __printf(4, 5)
+ struct device *cpu_device_create(struct device *parent, void *drvdata,
+ 				 const struct attribute_group **groups,
+-- 
+2.14.3
+
--- a/0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
+++ b/0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
@ -0,0 +1,82 @@
+From 9c6a73c75864ad9fa49e5fa6513e4c4071c0e29f Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Mon, 8 Jan 2018 16:09:32 -0600
+Subject: [PATCH 2/2] x86/cpu/AMD: Use LFENCE_RDTSC in preference to
+ MFENCE_RDTSC
+
+With LFENCE now a serializing instruction, use LFENCE_RDTSC in preference
+to MFENCE_RDTSC.  However, since the kernel could be running under a
+hypervisor that does not support writing that MSR, read the MSR back and
+verify that the bit has been set successfully.  If the MSR can be read
+and the bit is set, then set the LFENCE_RDTSC feature, otherwise set the
+MFENCE_RDTSC feature.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Cc: Paul Turner <pjt@google.com>
+Link: https://lkml.kernel.org/r/20180108220932.12580.52458.stgit@tlendack-t1.amdoffice.net
+---
+ arch/x86/include/asm/msr-index.h |  1 +
+ arch/x86/kernel/cpu/amd.c        | 18 ++++++++++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
+index 1e7d710fef43..fa11fb1fa570 100644
+--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
+@@ -354,6 +354,7 @@
+ #define MSR_FAM10H_NODE_ID		0xc001100c
+ #define MSR_F10H_DECFG			0xc0011029
+ #define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT	1
+#define MSR_F10H_DECFG_LFENCE_SERIALIZE		BIT_ULL(MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT)
+
+ /* K8 MSRs */
+ #define MSR_K8_TOP_MEM1			0xc001001a
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 5b438d81beb2..ea831c858195 100644
+--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
+@@ -829,6 +829,9 @@ static void init_amd(struct cpuinfo_x86 *c)
+ 		set_cpu_cap(c, X86_FEATURE_K8);
+
+ 	if (cpu_has(c, X86_FEATURE_XMM2)) {
+		unsigned long long val;
+		int ret;
+
+ 		/*
+ 		 * A serializing LFENCE has less overhead than MFENCE, so
+ 		 * use it for execution serialization.  On families which
+@@ -839,8 +842,19 @@ static void init_amd(struct cpuinfo_x86 *c)
+ 		msr_set_bit(MSR_F10H_DECFG,
+ 			    MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
+
+-		/* MFENCE stops RDTSC speculation */
+-		set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
+		/*
+		 * Verify that the MSR write was successful (could be running
+		 * under a hypervisor) and only then assume that LFENCE is
+		 * serializing.
+		 */
+		ret = rdmsrl_safe(MSR_F10H_DECFG, &val);
+		if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) {
+			/* A serializing LFENCE stops RDTSC speculation */
+			set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);
+		} else {
+			/* MFENCE stops RDTSC speculation */
+			set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
+		}
+ 	}
+
+ 	/*
+-- 
+2.14.3
+
--- a/configs/fedora/generic/x86/CONFIG_RETPOLINE
+++ b/configs/fedora/generic/x86/CONFIG_RETPOLINE
@ -0,0 +1 @@
+CONFIG_RETPOLINE=y
--- a/kernel-i686-PAE.config
+++ b/kernel-i686-PAE.config
@ -4184,6 +4184,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
+CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-i686-PAEdebug.config
+++ b/kernel-i686-PAEdebug.config
@ -4205,6 +4205,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
+CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@ -4205,6 +4205,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
+CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-i686.config
+++ b/kernel-i686.config
@ -4184,6 +4184,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
+CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@ -4283,6 +4283,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
+CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@ -4262,6 +4262,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
+CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel.spec
+++ b/kernel.spec
@ -635,6 +635,12 @@ Patch641: 0001-Bluetooth-btusb-Disable-autosuspend-on-QCA-Rome-devi.patch

 # Speculative Execution patches
 Patch642: prevent-bounds-check-bypass-via-speculative-execution.patch
+Patch643: 0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
+Patch644: 0002-sysfs-cpu-Add-vulnerability-folder.patch
+Patch645: 0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
+Patch646: 0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
+Patch647: retpoline.patch
+

 # END OF PATCH DEFINITIONS

@ -1894,6 +1900,9 @@ fi
 #
 #
 %changelog
+* Thu Jan 11 2018 Justin M. Forbes <jforbes@fedoraproject.org>
+- Initial retpoline patches for Spectre v2
+
 * Wed Jan 10 2018 Laura Abbott <labbott@redhat.com> - 4.15.0-0.rc7.git2.1
 - Linux v4.15-rc7-102-gcf1fb158230e

--- a/retpoline.patch
+++ b/retpoline.patch