• Anthony Steinhauser's avatar
    x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS. · 21998a35
    Anthony Steinhauser authored
    When STIBP is unavailable or enhanced IBRS is available, Linux
    force-disables the IBPB mitigation of Spectre-BTB even when simultaneous
    multithreading is disabled. While attempts to enable IBPB using
    prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, ...) fail with
    EPERM, the seccomp syscall (or its prctl(PR_SET_SECCOMP, ...) equivalent)
    which are used e.g. by Chromium or OpenSSH succeed with no errors but the
    application remains silently vulnerable to cross-process Spectre v2 attacks
    (classical BTB poisoning). At the same time the SYSFS reporting
    (/sys/devices/system/cpu/vulnerabilities/spectre_v2) displays that IBPB is
    conditionally enabled when in fact it is unconditionally disabled.
    
    STIBP is useful only when SMT is enabled. When SMT is disabled and STIBP is
    unavailable, it makes no sense to force-disable also IBPB, because IBPB
    protects against cross-process Spectre-BTB attacks regardless of the SMT
    state. At the same time since missing STIBP was only observed on AMD CPUs,
    AMD does not recommend using STIBP, but recommends using IBPB, so disabling
    IBPB because of missing STIBP goes directly against AMD's advice:
    https://developer.amd.com/wp-content/resources/Architecture_Guidelines_Update_Indirect_Branch_Control.pdf
    
    Similarly, enhanced IBRS is designed to protect cross-core BTB poisoning
    and BTB-poisoning attacks from user space against kernel (and
    BTB-poisoning attacks from guest against hypervisor), it is not designed
    to prevent cross-process (or cross-VM) BTB poisoning between processes (or
    VMs) running on the same core. Therefore, even with enhanced IBRS it is
    necessary to flush the BTB during context-switches, so there is no reason
    to force disable IBPB when enhanced IBRS is available.
    
    Enable the prctl control of IBPB even when STIBP is unavailable or enhanced
    IBRS is available.
    
    Fixes: 7cc765a6 ("x86/speculation: Enable prctl mode for spectre_v2_user")
    Signed-off-by: default avatarAnthony Steinhauser <asteinhauser@google.com>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    21998a35
bugs.c 46 KB