Initial retpoline patches for Spectre v2

2018-01-11 10:28:58 -06:00 · 2018-01-11 10:28:58 -06:00 · 78b277bd72
commit 78b277bd72
parent d496f759f1
13 changed files with 1856 additions and 0 deletions
--- a/0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
+++ b/0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
@ -0,0 +1,66 @@
 From e4d0e84e490790798691aaa0f2e598637f1867ec Mon Sep 17 00:00:00 2001
 From: Tom Lendacky <thomas.lendacky@amd.com>
 Date: Mon, 8 Jan 2018 16:09:21 -0600
 Subject: [PATCH 1/2] x86/cpu/AMD: Make LFENCE a serializing instruction
 To aid in speculation control, make LFENCE a serializing instruction
 since it has less overhead than MFENCE.  This is done by setting bit 1
 of MSR 0xc0011029 (DE_CFG).  Some families that support LFENCE do not
 have this MSR.  For these families, the LFENCE instruction is already
 serializing.
 Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 Reviewed-by: Reviewed-by: Borislav Petkov <bp@suse.de>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Cc: Tim Chen <tim.c.chen@linux.intel.com>
 Cc: Dave Hansen <dave.hansen@intel.com>
 Cc: Borislav Petkov <bp@alien8.de>
 Cc: Dan Williams <dan.j.williams@intel.com>
 Cc: Linus Torvalds <torvalds@linux-foundation.org>
 Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
 Cc: David Woodhouse <dwmw@amazon.co.uk>
 Cc: Paul Turner <pjt@google.com>
 Link: https://lkml.kernel.org/r/20180108220921.12580.71694.stgit@tlendack-t1.amdoffice.net
 ---
 arch/x86/include/asm/msr-index.h |  2 ++
 arch/x86/kernel/cpu/amd.c        | 10 ++++++++++
 2 files changed, 12 insertions(+)
 diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
 index ab022618a50a..1e7d710fef43 100644
 --- a/arch/x86/include/asm/msr-index.h
 +++ b/arch/x86/include/asm/msr-index.h
@@ -352,6 +352,8 @@
 #define FAM10H_MMIO_CONF_BASE_MASK	0xfffffffULL
 #define FAM10H_MMIO_CONF_BASE_SHIFT	20
 #define MSR_FAM10H_NODE_ID		0xc001100c
 +#define MSR_F10H_DECFG			0xc0011029
 +#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT	1
 /* K8 MSRs */
 #define MSR_K8_TOP_MEM1			0xc001001a
 diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
 index bcb75dc97d44..5b438d81beb2 100644
 --- a/arch/x86/kernel/cpu/amd.c
 +++ b/arch/x86/kernel/cpu/amd.c
@@ -829,6 +829,16 @@ static void init_amd(struct cpuinfo_x86 *c)
 		set_cpu_cap(c, X86_FEATURE_K8);
 	if (cpu_has(c, X86_FEATURE_XMM2)) {
 +		/*
 +		 * A serializing LFENCE has less overhead than MFENCE, so
 +		 * use it for execution serialization.  On families which
 +		 * don't have that MSR, LFENCE is already serializing.
 +		 * msr_set_bit() uses the safe accessors, too, even if the MSR
 +		 * is not present.
 +		 */
 +		msr_set_bit(MSR_F10H_DECFG,
 +			    MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
 +
 		/* MFENCE stops RDTSC speculation */
 		set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
 	}
 -- 
 2.14.3
--- a/0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
+++ b/0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
@ -0,0 +1,58 @@
 From 99c6fa2511d8a683e61468be91b83f85452115fa Mon Sep 17 00:00:00 2001
 From: David Woodhouse <dwmw@amazon.co.uk>
 Date: Sat, 6 Jan 2018 11:49:23 +0000
 Subject: [PATCH 1/2] x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
 Add the bug bits for spectre v1/2 and force them unconditionally for all
 cpus.
 Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 Cc: gnomes@lxorguk.ukuu.org.uk
 Cc: Rik van Riel <riel@redhat.com>
 Cc: Andi Kleen <ak@linux.intel.com>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Cc: Linus Torvalds <torvalds@linux-foundation.org>
 Cc: Jiri Kosina <jikos@kernel.org>
 Cc: Andy Lutomirski <luto@amacapital.net>
 Cc: Dave Hansen <dave.hansen@intel.com>
 Cc: Kees Cook <keescook@google.com>
 Cc: Tim Chen <tim.c.chen@linux.intel.com>
 Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
 Cc: Paul Turner <pjt@google.com>
 Cc: stable@vger.kernel.org
 Link: https://lkml.kernel.org/r/1515239374-23361-2-git-send-email-dwmw@amazon.co.uk
 ---
 arch/x86/include/asm/cpufeatures.h | 2 ++
 arch/x86/kernel/cpu/common.c       | 3 +++
 2 files changed, 5 insertions(+)
 diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
 index 21ac898df2d8..1641c2f96363 100644
 --- a/arch/x86/include/asm/cpufeatures.h
 +++ b/arch/x86/include/asm/cpufeatures.h
@@ -342,5 +342,7 @@
 #define X86_BUG_MONITOR			X86_BUG(12) /* IPI required to wake up remote CPU */
 #define X86_BUG_AMD_E400		X86_BUG(13) /* CPU is among the affected by Erratum 400 */
 #define X86_BUG_CPU_MELTDOWN		X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
 +#define X86_BUG_SPECTRE_V1		X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
 +#define X86_BUG_SPECTRE_V2		X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
 #endif /* _ASM_X86_CPUFEATURES_H */
 diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
 index 2d3bd2215e5b..372ba3fb400f 100644
 --- a/arch/x86/kernel/cpu/common.c
 +++ b/arch/x86/kernel/cpu/common.c
@@ -902,6 +902,9 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
 	if (c->x86_vendor != X86_VENDOR_AMD)
 		setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
 +	setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
 +	setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
 +
 	fpu__init_system(c);
 #ifdef CONFIG_X86_32
 -- 
 2.14.3
--- a/0002-sysfs-cpu-Add-vulnerability-folder.patch
+++ b/0002-sysfs-cpu-Add-vulnerability-folder.patch
@ -0,0 +1,154 @@
 From 87590ce6e373d1a5401f6539f0c59ef92dd924a9 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Sun, 7 Jan 2018 22:48:00 +0100
 Subject: [PATCH 2/2] sysfs/cpu: Add vulnerability folder
 As the meltdown/spectre problem affects several CPU architectures, it makes
 sense to have common way to express whether a system is affected by a
 particular vulnerability or not. If affected the way to express the
 mitigation should be common as well.
 Create /sys/devices/system/cpu/vulnerabilities folder and files for
 meltdown, spectre_v1 and spectre_v2.
 Allow architectures to override the show function.
 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Cc: Will Deacon <will.deacon@arm.com>
 Cc: Dave Hansen <dave.hansen@intel.com>
 Cc: Linus Torvalds <torvalds@linuxfoundation.org>
 Cc: Borislav Petkov <bp@alien8.de>
 Cc: David Woodhouse <dwmw@amazon.co.uk>
 Link: https://lkml.kernel.org/r/20180107214913.096657732@linutronix.de
 ---
 Documentation/ABI/testing/sysfs-devices-system-cpu | 16 ++++++++
 drivers/base/Kconfig                               |  3 ++
 drivers/base/cpu.c                                 | 48 ++++++++++++++++++++++
 include/linux/cpu.h                                |  7 ++++
 4 files changed, 74 insertions(+)
 diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
 index f3d5817c4ef0..bd3a88e16d8b 100644
 --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
 +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -373,3 +373,19 @@ Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
 Description:	information about CPUs heterogeneity.
 		cpu_capacity: capacity of cpu#.
 +
 +What:		/sys/devices/system/cpu/vulnerabilities
 +		/sys/devices/system/cpu/vulnerabilities/meltdown
 +		/sys/devices/system/cpu/vulnerabilities/spectre_v1
 +		/sys/devices/system/cpu/vulnerabilities/spectre_v2
 +Date:		Januar 2018
 +Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
 +Description:	Information about CPU vulnerabilities
 +
 +		The files are named after the code names of CPU
 +		vulnerabilities. The output of those files reflects the
 +		state of the CPUs in the system. Possible output values:
 +
 +		"Not affected"	  CPU is not affected by the vulnerability
 +		"Vulnerable"	  CPU is affected and no mitigation in effect
 +		"Mitigation: $M"  CPU is affetcted and mitigation $M is in effect
 diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
 index 2f6614c9a229..37a71fd9043f 100644
 --- a/drivers/base/Kconfig
 +++ b/drivers/base/Kconfig
@@ -235,6 +235,9 @@ config GENERIC_CPU_DEVICES
 config GENERIC_CPU_AUTOPROBE
 	bool
 +config GENERIC_CPU_VULNERABILITIES
 +	bool
 +
 config SOC_BUS
 	bool
 	select GLOB
 diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
 index 321cd7b4d817..825964efda1d 100644
 --- a/drivers/base/cpu.c
 +++ b/drivers/base/cpu.c
@@ -501,10 +501,58 @@ static void __init cpu_dev_register_generic(void)
 #endif
 }
 +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES
 +
 +ssize_t __weak cpu_show_meltdown(struct device *dev,
 +				 struct device_attribute *attr, char *buf)
 +{
 +	return sprintf(buf, "Not affected\n");
 +}
 +
 +ssize_t __weak cpu_show_spectre_v1(struct device *dev,
 +				   struct device_attribute *attr, char *buf)
 +{
 +	return sprintf(buf, "Not affected\n");
 +}
 +
 +ssize_t __weak cpu_show_spectre_v2(struct device *dev,
 +				   struct device_attribute *attr, char *buf)
 +{
 +	return sprintf(buf, "Not affected\n");
 +}
 +
 +static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
 +static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
 +static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
 +
 +static struct attribute *cpu_root_vulnerabilities_attrs[] = {
 +	&dev_attr_meltdown.attr,
 +	&dev_attr_spectre_v1.attr,
 +	&dev_attr_spectre_v2.attr,
 +	NULL
 +};
 +
 +static const struct attribute_group cpu_root_vulnerabilities_group = {
 +	.name  = "vulnerabilities",
 +	.attrs = cpu_root_vulnerabilities_attrs,
 +};
 +
 +static void __init cpu_register_vulnerabilities(void)
 +{
 +	if (sysfs_create_group(&cpu_subsys.dev_root->kobj,
 +			       &cpu_root_vulnerabilities_group))
 +		pr_err("Unable to register CPU vulnerabilities\n");
 +}
 +
 +#else
 +static inline void cpu_register_vulnerabilities(void) { }
 +#endif
 +
 void __init cpu_dev_init(void)
 {
 	if (subsys_system_register(&cpu_subsys, cpu_root_attr_groups))
 		panic("Failed to register CPU subsystem");
 	cpu_dev_register_generic();
 +	cpu_register_vulnerabilities();
 }
 diff --git a/include/linux/cpu.h b/include/linux/cpu.h
 index 938ea8ae0ba4..c816e6f2730c 100644
 --- a/include/linux/cpu.h
 +++ b/include/linux/cpu.h
@@ -47,6 +47,13 @@ extern void cpu_remove_dev_attr(struct device_attribute *attr);
 extern int cpu_add_dev_attr_group(struct attribute_group *attrs);
 extern void cpu_remove_dev_attr_group(struct attribute_group *attrs);
 +extern ssize_t cpu_show_meltdown(struct device *dev,
 +				 struct device_attribute *attr, char *buf);
 +extern ssize_t cpu_show_spectre_v1(struct device *dev,
 +				   struct device_attribute *attr, char *buf);
 +extern ssize_t cpu_show_spectre_v2(struct device *dev,
 +				   struct device_attribute *attr, char *buf);
 +
 extern __printf(4, 5)
 struct device *cpu_device_create(struct device *parent, void *drvdata,
 				 const struct attribute_group **groups,
 -- 
 2.14.3
--- a/0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
+++ b/0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
@ -0,0 +1,82 @@
 From 9c6a73c75864ad9fa49e5fa6513e4c4071c0e29f Mon Sep 17 00:00:00 2001
 From: Tom Lendacky <thomas.lendacky@amd.com>
 Date: Mon, 8 Jan 2018 16:09:32 -0600
 Subject: [PATCH 2/2] x86/cpu/AMD: Use LFENCE_RDTSC in preference to
 MFENCE_RDTSC
 With LFENCE now a serializing instruction, use LFENCE_RDTSC in preference
 to MFENCE_RDTSC.  However, since the kernel could be running under a
 hypervisor that does not support writing that MSR, read the MSR back and
 verify that the bit has been set successfully.  If the MSR can be read
 and the bit is set, then set the LFENCE_RDTSC feature, otherwise set the
 MFENCE_RDTSC feature.
 Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 Reviewed-by: Reviewed-by: Borislav Petkov <bp@suse.de>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Cc: Tim Chen <tim.c.chen@linux.intel.com>
 Cc: Dave Hansen <dave.hansen@intel.com>
 Cc: Borislav Petkov <bp@alien8.de>
 Cc: Dan Williams <dan.j.williams@intel.com>
 Cc: Linus Torvalds <torvalds@linux-foundation.org>
 Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
 Cc: David Woodhouse <dwmw@amazon.co.uk>
 Cc: Paul Turner <pjt@google.com>
 Link: https://lkml.kernel.org/r/20180108220932.12580.52458.stgit@tlendack-t1.amdoffice.net
 ---
 arch/x86/include/asm/msr-index.h |  1 +
 arch/x86/kernel/cpu/amd.c        | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
 diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
 index 1e7d710fef43..fa11fb1fa570 100644
 --- a/arch/x86/include/asm/msr-index.h
 +++ b/arch/x86/include/asm/msr-index.h
@@ -354,6 +354,7 @@
 #define MSR_FAM10H_NODE_ID		0xc001100c
 #define MSR_F10H_DECFG			0xc0011029
 #define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT	1
 +#define MSR_F10H_DECFG_LFENCE_SERIALIZE		BIT_ULL(MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT)
 /* K8 MSRs */
 #define MSR_K8_TOP_MEM1			0xc001001a
 diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
 index 5b438d81beb2..ea831c858195 100644
 --- a/arch/x86/kernel/cpu/amd.c
 +++ b/arch/x86/kernel/cpu/amd.c
@@ -829,6 +829,9 @@ static void init_amd(struct cpuinfo_x86 *c)
 		set_cpu_cap(c, X86_FEATURE_K8);
 	if (cpu_has(c, X86_FEATURE_XMM2)) {
 +		unsigned long long val;
 +		int ret;
 +
 		/*
 		 * A serializing LFENCE has less overhead than MFENCE, so
 		 * use it for execution serialization.  On families which
@@ -839,8 +842,19 @@ static void init_amd(struct cpuinfo_x86 *c)
 		msr_set_bit(MSR_F10H_DECFG,
 			    MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
 -		/* MFENCE stops RDTSC speculation */
 -		set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
 +		/*
 +		 * Verify that the MSR write was successful (could be running
 +		 * under a hypervisor) and only then assume that LFENCE is
 +		 * serializing.
 +		 */
 +		ret = rdmsrl_safe(MSR_F10H_DECFG, &val);
 +		if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) {
 +			/* A serializing LFENCE stops RDTSC speculation */
 +			set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);
 +		} else {
 +			/* MFENCE stops RDTSC speculation */
 +			set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
 +		}
 	}
 	/*
 -- 
 2.14.3
--- a/configs/fedora/generic/x86/CONFIG_RETPOLINE
+++ b/configs/fedora/generic/x86/CONFIG_RETPOLINE
@ -0,0 +1 @@
 CONFIG_RETPOLINE=y
--- a/kernel-i686-PAE.config
+++ b/kernel-i686-PAE.config
@ -4184,6 +4184,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-i686-PAEdebug.config
+++ b/kernel-i686-PAEdebug.config
@ -4205,6 +4205,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@ -4205,6 +4205,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-i686.config
+++ b/kernel-i686.config
@ -4184,6 +4184,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@ -4283,6 +4283,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@ -4262,6 +4262,7 @@ CONFIG_RENESAS_PHY=m
 # CONFIG_RESET_ATTACK_MITIGATION is not set
 # CONFIG_RESET_HSDK_V1 is not set
 # CONFIG_RESET_TI_SYSCON is not set
 CONFIG_RETPOLINE=y
 # CONFIG_RFD77402 is not set
 # CONFIG_RFD_FTL is not set
 CONFIG_RFKILL_GPIO=m
--- a/kernel.spec
+++ b/kernel.spec
@ -635,6 +635,12 @@ Patch641: 0001-Bluetooth-btusb-Disable-autosuspend-on-QCA-Rome-devi.patch
 # Speculative Execution patches
 Patch642: prevent-bounds-check-bypass-via-speculative-execution.patch
 Patch643: 0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
 Patch644: 0002-sysfs-cpu-Add-vulnerability-folder.patch
 Patch645: 0001-x86-cpu-AMD-Make-LFENCE-a-serializing-instruction.patch
 Patch646: 0002-x86-cpu-AMD-Use-LFENCE_RDTSC-in-preference-to-MFENCE.patch
 Patch647: retpoline.patch
 # END OF PATCH DEFINITIONS
@ -1894,6 +1900,9 @@ fi
 #
 #
 %changelog
 * Thu Jan 11 2018 Justin M. Forbes <jforbes@fedoraproject.org>
 - Initial retpoline patches for Spectre v2
 * Wed Jan 10 2018 Laura Abbott <labbott@redhat.com> - 4.15.0-0.rc7.git2.1
 - Linux v4.15-rc7-102-gcf1fb158230e
--- a/retpoline.patch
+++ b/retpoline.patch