1. 17 May, 2018 14 commits
  2. 14 May, 2018 1 commit
  3. 12 May, 2018 1 commit
  4. 10 May, 2018 2 commits
  5. 09 May, 2018 3 commits
  6. 04 May, 2018 6 commits
  7. 03 May, 2018 13 commits
    • Kees Cook's avatar
      seccomp: Enable speculation flaw mitigations · 5c307089
      Kees Cook authored
      When speculation flaw mitigations are opt-in (via prctl), using seccomp
      will automatically opt-in to these protections, since using seccomp
      indicates at least some level of sandboxing is desired.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      5c307089
    • Kees Cook's avatar
      proc: Provide details on speculation flaw mitigations · fae1fa0f
      Kees Cook authored
      As done with seccomp and no_new_privs, also show speculation flaw
      mitigation state in /proc/$pid/status.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      fae1fa0f
    • Kees Cook's avatar
      nospec: Allow getting/setting on non-current task · 7bbf1373
      Kees Cook authored
      Adjust arch_prctl_get/set_spec_ctrl() to operate on tasks other than
      current.
      
      This is needed both for /proc/$pid/status queries and for seccomp (since
      thread-syncing can trigger seccomp in non-current threads).
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      7bbf1373
    • Thomas Gleixner's avatar
      x86/speculation: Add prctl for Speculative Store Bypass mitigation · a73ec77e
      Thomas Gleixner authored
      Add prctl based control for Speculative Store Bypass mitigation and make it
      the default mitigation for Intel and AMD.
      
      Andi Kleen provided the following rationale (slightly redacted):
      
       There are multiple levels of impact of Speculative Store Bypass:
      
       1) JITed sandbox.
          It cannot invoke system calls, but can do PRIME+PROBE and may have call
          interfaces to other code
      
       2) Native code process.
          No protection inside the process at this level.
      
       3) Kernel.
      
       4) Between processes. 
      
       The prctl tries to protect against case (1) doing attacks.
      
       If the untrusted code can do random system calls then control is already
       lost in a much worse way. So there needs to be system call protection in
       some way (using a JIT not allowing them or seccomp). Or rather if the
       process can subvert its environment somehow to do the prctl it can already
       execute arbitrary code, which is much worse than SSB.
      
       To put it differently, the point of the prctl is to not allow JITed code
       to read data it shouldn't read from its JITed sandbox. If it already has
       escaped its sandbox then it can already read everything it wants in its
       address space, and do much worse.
      
       The ability to control Speculative Store Bypass allows to enable the
       protection selectively without affecting overall system performance.
      
      Based on an initial patch from Tim Chen. Completely rewritten.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      a73ec77e
    • Thomas Gleixner's avatar
      x86/process: Allow runtime control of Speculative Store Bypass · 885f82bf
      Thomas Gleixner authored
      The Speculative Store Bypass vulnerability can be mitigated with the
      Reduced Data Speculation (RDS) feature. To allow finer grained control of
      this eventually expensive mitigation a per task mitigation control is
      required.
      
      Add a new TIF_RDS flag and put it into the group of TIF flags which are
      evaluated for mismatch in switch_to(). If these bits differ in the previous
      and the next task, then the slow path function __switch_to_xtra() is
      invoked. Implement the TIF_RDS dependent mitigation control in the slow
      path.
      
      If the prctl for controlling Speculative Store Bypass is disabled or no
      task uses the prctl then there is no overhead in the switch_to() fast
      path.
      
      Update the KVM related speculation control functions to take TID_RDS into
      account as well.
      
      Based on a patch from Tim Chen. Completely rewritten.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      885f82bf
    • Thomas Gleixner's avatar
      prctl: Add speculation control prctls · b617cfc8
      Thomas Gleixner authored
      Add two new prctls to control aspects of speculation related vulnerabilites
      and their mitigations to provide finer grained control over performance
      impacting mitigations.
      
      PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
      which is selected with arg2 of prctl(2). The return value uses bit 0-2 with
      the following meaning:
      
      Bit  Define           Description
      0    PR_SPEC_PRCTL    Mitigation can be controlled per task by
                            PR_SET_SPECULATION_CTRL
      1    PR_SPEC_ENABLE   The speculation feature is enabled, mitigation is
                            disabled
      2    PR_SPEC_DISABLE  The speculation feature is disabled, mitigation is
                            enabled
      
      If all bits are 0 the CPU is not affected by the speculation misfeature.
      
      If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
      available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
      misfeature will fail.
      
      PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
      is selected by arg2 of prctl(2) per task. arg3 is used to hand in the
      control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE.
      
      The common return values are:
      
      EINVAL  prctl is not implemented by the architecture or the unused prctl()
              arguments are not 0
      ENODEV  arg2 is selecting a not supported speculation misfeature
      
      PR_SET_SPECULATION_CTRL has these additional return values:
      
      ERANGE  arg3 is incorrect, i.e. it's not either PR_SPEC_ENABLE or PR_SPEC_DISABLE
      ENXIO   prctl control of the selected speculation misfeature is disabled
      
      The first supported controlable speculation misfeature is
      PR_SPEC_STORE_BYPASS. Add the define so this can be shared between
      architectures.
      
      Based on an initial patch from Tim Chen and mostly rewritten.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      b617cfc8
    • Thomas Gleixner's avatar
      x86/speculation: Create spec-ctrl.h to avoid include hell · 28a27752
      Thomas Gleixner authored
      Having everything in nospec-branch.h creates a hell of dependencies when
      adding the prctl based switching mechanism. Move everything which is not
      required in nospec-branch.h to spec-ctrl.h and fix up the includes in the
      relevant files.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      28a27752
    • Konrad Rzeszutek Wilk's avatar
      x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest · da39556f
      Konrad Rzeszutek Wilk authored
      Expose the CPUID.7.EDX[31] bit to the guest, and also guard against various
      combinations of SPEC_CTRL MSR values.
      
      The handling of the MSR (to take into account the host value of SPEC_CTRL
      Bit(2)) is taken care of in patch:
      
        KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      da39556f
    • Konrad Rzeszutek Wilk's avatar
      x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested · 764f3c21
      Konrad Rzeszutek Wilk authored
      AMD does not need the Speculative Store Bypass mitigation to be enabled.
      
      The parameters for this are already available and can be done via MSR
      C001_1020. Each family uses a different bit in that MSR for this.
      
      [ tglx: Expose the bit mask via a variable and move the actual MSR fiddling
        	into the bugs code as that's the right thing to do and also required
      	to prepare for dynamic enable/disable ]
      Suggested-by: default avatarBorislav Petkov <bp@suse.de>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      764f3c21
    • Konrad Rzeszutek Wilk's avatar
      x86/bugs: Whitelist allowed SPEC_CTRL MSR values · 1115a859
      Konrad Rzeszutek Wilk authored
      Intel and AMD SPEC_CTRL (0x48) MSR semantics may differ in the
      future (or in fact use different MSRs for the same functionality).
      
      As such a run-time mechanism is required to whitelist the appropriate MSR
      values.
      
      [ tglx: Made the variable __ro_after_init ]
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      1115a859
    • Konrad Rzeszutek Wilk's avatar
      x86/bugs/intel: Set proper CPU features and setup RDS · 77243971
      Konrad Rzeszutek Wilk authored
      Intel CPUs expose methods to:
      
       - Detect whether RDS capability is available via CPUID.7.0.EDX[31],
      
       - The SPEC_CTRL MSR(0x48), bit 2 set to enable RDS.
      
       - MSR_IA32_ARCH_CAPABILITIES, Bit(4) no need to enable RRS.
      
      With that in mind if spec_store_bypass_disable=[auto,on] is selected set at
      boot-time the SPEC_CTRL MSR to enable RDS if the platform requires it.
      
      Note that this does not fix the KVM case where the SPEC_CTRL is exposed to
      guests which can muck with it, see patch titled :
       KVM/SVM/VMX/x86/spectre_v2: Support the combination of guest and host IBRS.
      
      And for the firmware (IBRS to be set), see patch titled:
       x86/spectre_v2: Read SPEC_CTRL MSR during boot and re-use reserved bits
      
      [ tglx: Distangled it from the intel implementation and kept the call order ]
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      77243971
    • Konrad Rzeszutek Wilk's avatar
      x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation · 24f7fc83
      Konrad Rzeszutek Wilk authored
      Contemporary high performance processors use a common industry-wide
      optimization known as "Speculative Store Bypass" in which loads from
      addresses to which a recent store has occurred may (speculatively) see an
      older value. Intel refers to this feature as "Memory Disambiguation" which
      is part of their "Smart Memory Access" capability.
      
      Memory Disambiguation can expose a cache side-channel attack against such
      speculatively read values. An attacker can create exploit code that allows
      them to read memory outside of a sandbox environment (for example,
      malicious JavaScript in a web page), or to perform more complex attacks
      against code running within the same privilege level, e.g. via the stack.
      
      As a first step to mitigate against such attacks, provide two boot command
      line control knobs:
      
       nospec_store_bypass_disable
       spec_store_bypass_disable=[off,auto,on]
      
      By default affected x86 processors will power on with Speculative
      Store Bypass enabled. Hence the provided kernel parameters are written
      from the point of view of whether to enable a mitigation or not.
      The parameters are as follows:
      
       - auto - Kernel detects whether your CPU model contains an implementation
      	  of Speculative Store Bypass and picks the most appropriate
      	  mitigation.
      
       - on   - disable Speculative Store Bypass
       - off  - enable Speculative Store Bypass
      
      [ tglx: Reordered the checks so that the whole evaluation is not done
        	when the CPU does not support RDS ]
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarBorislav Petkov <bp@suse.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      24f7fc83
    • Konrad Rzeszutek Wilk's avatar
      x86/cpufeatures: Add X86_FEATURE_RDS · 0cc5fa00
      Konrad Rzeszutek Wilk authored
      Add the CPU feature bit CPUID.7.0.EDX[31] which indicates whether the CPU
      supports Reduced Data Speculation.
      
      [ tglx: Split it out from a later patch ]
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarIngo Molnar <mingo@kernel.org>
      0cc5fa00