diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2022-03-09 20:33:15 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-03-09 20:33:15 +0100 |
commit | f87733ce230377a24eaab11527d8f26067533073 (patch) | |
tree | c5f6e1d84f57de0cb0b6f3e5ee6b8bc1f4064944 /debian/patches | |
parent | a33974f22f7234540651695da72564a3828b9688 (diff) | |
parent | 8e2453c1acb7e245354628a38f6fae7bc4eaea69 (diff) | |
download | linux-debian-f87733ce230377a24eaab11527d8f26067533073.tar.gz |
Merge tag 'debian/5.16.12-1'
Release linux (5.16.12-1).
Replace Spectre v2-type Branch History Buffer patches with upstream
versions for mainline.
Diffstat (limited to 'debian/patches')
10 files changed, 1142 insertions, 0 deletions
diff --git a/debian/patches/bugfix/x86/bhb/0001-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch b/debian/patches/bugfix/x86/bhb/0001-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch new file mode 100644 index 000000000..171f08108 --- /dev/null +++ b/debian/patches/bugfix/x86/bhb/0001-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch @@ -0,0 +1,260 @@ +From d45476d9832409371537013ebdd8dc1a7781f97a Mon Sep 17 00:00:00 2001 +From: "Peter Zijlstra (Intel)" <peterz@infradead.org> +Date: Wed, 16 Feb 2022 20:57:00 +0100 +Subject: [PATCH 1/8] x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE + +The RETPOLINE_AMD name is unfortunate since it isn't necessarily +AMD only, in fact Hygon also uses it. Furthermore it will likely be +sufficient for some Intel processors. Therefore rename the thing to +RETPOLINE_LFENCE to better describe what it is. + +Add the spectre_v2=retpoline,lfence option as an alias to +spectre_v2=retpoline,amd to preserve existing setups. However, the output +of /sys/devices/system/cpu/vulnerabilities/spectre_v2 will be changed. + + [ bp: Fix typos, massage. ] + +Co-developed-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Signed-off-by: Borislav Petkov <bp@suse.de> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +--- + arch/x86/include/asm/cpufeatures.h | 2 +- + arch/x86/include/asm/nospec-branch.h | 12 +++++----- + arch/x86/kernel/alternative.c | 8 +++---- + arch/x86/kernel/cpu/bugs.c | 29 +++++++++++++++--------- + arch/x86/lib/retpoline.S | 2 +- + arch/x86/net/bpf_jit_comp.c | 2 +- + tools/arch/x86/include/asm/cpufeatures.h | 2 +- + 7 files changed, 32 insertions(+), 25 deletions(-) + +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index 6db4e2932b3d..65d147974f8d 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -204,7 +204,7 @@ + /* FREE! ( 7*32+10) */ + #define X86_FEATURE_PTI ( 7*32+11) /* Kernel Page Table Isolation enabled */ + #define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ +-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */ ++#define X86_FEATURE_RETPOLINE_LFENCE ( 7*32+13) /* "" Use LFENCE for Spectre variant 2 */ + #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */ + #define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */ + #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h +index cc74dc584836..c91d97bee237 100644 +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -84,7 +84,7 @@ + #ifdef CONFIG_RETPOLINE + ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), \ + __stringify(jmp __x86_indirect_thunk_\reg), X86_FEATURE_RETPOLINE, \ +- __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), X86_FEATURE_RETPOLINE_AMD ++ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), X86_FEATURE_RETPOLINE_LFENCE + #else + jmp *%\reg + #endif +@@ -94,7 +94,7 @@ + #ifdef CONFIG_RETPOLINE + ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; call *%\reg), \ + __stringify(call __x86_indirect_thunk_\reg), X86_FEATURE_RETPOLINE, \ +- __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; call *%\reg), X86_FEATURE_RETPOLINE_AMD ++ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; call *%\reg), X86_FEATURE_RETPOLINE_LFENCE + #else + call *%\reg + #endif +@@ -146,7 +146,7 @@ extern retpoline_thunk_t __x86_indirect_thunk_array[]; + "lfence;\n" \ + ANNOTATE_RETPOLINE_SAFE \ + "call *%[thunk_target]\n", \ +- X86_FEATURE_RETPOLINE_AMD) ++ X86_FEATURE_RETPOLINE_LFENCE) + + # define THUNK_TARGET(addr) [thunk_target] "r" (addr) + +@@ -176,7 +176,7 @@ extern retpoline_thunk_t __x86_indirect_thunk_array[]; + "lfence;\n" \ + ANNOTATE_RETPOLINE_SAFE \ + "call *%[thunk_target]\n", \ +- X86_FEATURE_RETPOLINE_AMD) ++ X86_FEATURE_RETPOLINE_LFENCE) + + # define THUNK_TARGET(addr) [thunk_target] "rm" (addr) + #endif +@@ -188,8 +188,8 @@ extern retpoline_thunk_t __x86_indirect_thunk_array[]; + /* The Spectre V2 mitigation variants */ + enum spectre_v2_mitigation { + SPECTRE_V2_NONE, +- SPECTRE_V2_RETPOLINE_GENERIC, +- SPECTRE_V2_RETPOLINE_AMD, ++ SPECTRE_V2_RETPOLINE, ++ SPECTRE_V2_LFENCE, + SPECTRE_V2_IBRS_ENHANCED, + }; + +diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c +index 5007c3ffe96f..b4470eabf151 100644 +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -389,7 +389,7 @@ static int emit_indirect(int op, int reg, u8 *bytes) + * + * CALL *%\reg + * +- * It also tries to inline spectre_v2=retpoline,amd when size permits. ++ * It also tries to inline spectre_v2=retpoline,lfence when size permits. + */ + static int patch_retpoline(void *addr, struct insn *insn, u8 *bytes) + { +@@ -407,7 +407,7 @@ static int patch_retpoline(void *addr, struct insn *insn, u8 *bytes) + BUG_ON(reg == 4); + + if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) && +- !cpu_feature_enabled(X86_FEATURE_RETPOLINE_AMD)) ++ !cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) + return -1; + + op = insn->opcode.bytes[0]; +@@ -438,9 +438,9 @@ static int patch_retpoline(void *addr, struct insn *insn, u8 *bytes) + } + + /* +- * For RETPOLINE_AMD: prepend the indirect CALL/JMP with an LFENCE. ++ * For RETPOLINE_LFENCE: prepend the indirect CALL/JMP with an LFENCE. + */ +- if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_AMD)) { ++ if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) { + bytes[i++] = 0x0f; + bytes[i++] = 0xae; + bytes[i++] = 0xe8; /* LFENCE */ +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 1c1f218a701d..e3bb8afc6768 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -664,7 +664,7 @@ enum spectre_v2_mitigation_cmd { + SPECTRE_V2_CMD_FORCE, + SPECTRE_V2_CMD_RETPOLINE, + SPECTRE_V2_CMD_RETPOLINE_GENERIC, +- SPECTRE_V2_CMD_RETPOLINE_AMD, ++ SPECTRE_V2_CMD_RETPOLINE_LFENCE, + }; + + enum spectre_v2_user_cmd { +@@ -824,8 +824,8 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) + + static const char * const spectre_v2_strings[] = { + [SPECTRE_V2_NONE] = "Vulnerable", +- [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline", +- [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline", ++ [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines", ++ [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE", + [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS", + }; + +@@ -837,7 +837,8 @@ static const struct { + { "off", SPECTRE_V2_CMD_NONE, false }, + { "on", SPECTRE_V2_CMD_FORCE, true }, + { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, +- { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false }, ++ { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, ++ { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, + { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, + { "auto", SPECTRE_V2_CMD_AUTO, false }, + }; +@@ -875,13 +876,19 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) + } + + if ((cmd == SPECTRE_V2_CMD_RETPOLINE || +- cmd == SPECTRE_V2_CMD_RETPOLINE_AMD || ++ cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE || + cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) && + !IS_ENABLED(CONFIG_RETPOLINE)) { + pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option); + return SPECTRE_V2_CMD_AUTO; + } + ++ if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE) && ++ !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { ++ pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n", mitigation_options[i].option); ++ return SPECTRE_V2_CMD_AUTO; ++ } ++ + spec_v2_print_cond(mitigation_options[i].option, + mitigation_options[i].secure); + return cmd; +@@ -916,9 +923,9 @@ static void __init spectre_v2_select_mitigation(void) + if (IS_ENABLED(CONFIG_RETPOLINE)) + goto retpoline_auto; + break; +- case SPECTRE_V2_CMD_RETPOLINE_AMD: ++ case SPECTRE_V2_CMD_RETPOLINE_LFENCE: + if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_amd; ++ goto retpoline_lfence; + break; + case SPECTRE_V2_CMD_RETPOLINE_GENERIC: + if (IS_ENABLED(CONFIG_RETPOLINE)) +@@ -935,17 +942,17 @@ static void __init spectre_v2_select_mitigation(void) + retpoline_auto: + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || + boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { +- retpoline_amd: ++ retpoline_lfence: + if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { + pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n"); + goto retpoline_generic; + } +- mode = SPECTRE_V2_RETPOLINE_AMD; +- setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD); ++ mode = SPECTRE_V2_LFENCE; ++ setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); + } else { + retpoline_generic: +- mode = SPECTRE_V2_RETPOLINE_GENERIC; ++ mode = SPECTRE_V2_RETPOLINE; + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); + } + +diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S +index 89b3fb244e15..afbdda539b80 100644 +--- a/arch/x86/lib/retpoline.S ++++ b/arch/x86/lib/retpoline.S +@@ -34,7 +34,7 @@ SYM_INNER_LABEL(__x86_indirect_thunk_\reg, SYM_L_GLOBAL) + + ALTERNATIVE_2 __stringify(ANNOTATE_RETPOLINE_SAFE; jmp *%\reg), \ + __stringify(RETPOLINE \reg), X86_FEATURE_RETPOLINE, \ +- __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *%\reg; int3), X86_FEATURE_RETPOLINE_AMD ++ __stringify(lfence; ANNOTATE_RETPOLINE_SAFE; jmp *%\reg; int3), X86_FEATURE_RETPOLINE_LFENCE + + .endm + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index 2b1e266ff95c..0ecb140864b2 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -394,7 +394,7 @@ static void emit_indirect_jump(u8 **pprog, int reg, u8 *ip) + u8 *prog = *pprog; + + #ifdef CONFIG_RETPOLINE +- if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_AMD)) { ++ if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_LFENCE)) { + EMIT_LFENCE(); + EMIT2(0xFF, 0xE0 + reg); + } else if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { +diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h +index 6db4e2932b3d..ab4e53715d8a 100644 +--- a/tools/arch/x86/include/asm/cpufeatures.h ++++ b/tools/arch/x86/include/asm/cpufeatures.h +@@ -204,7 +204,7 @@ + /* FREE! ( 7*32+10) */ + #define X86_FEATURE_PTI ( 7*32+11) /* Kernel Page Table Isolation enabled */ + #define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ +-#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */ ++#define X86_FEATURE_RETPOLINE_LFENCE ( 7*32+13) /* "" Use LFENCEs for Spectre variant 2 */ + #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */ + #define X86_FEATURE_CDP_L2 ( 7*32+15) /* Code and Data Prioritization L2 */ + #define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ +-- +2.35.1 + diff --git a/debian/patches/bugfix/x86/bhb/0002-x86-speculation-Add-eIBRS-Retpoline-options.patch b/debian/patches/bugfix/x86/bhb/0002-x86-speculation-Add-eIBRS-Retpoline-options.patch new file mode 100644 index 000000000..090aedd02 --- /dev/null +++ b/debian/patches/bugfix/x86/bhb/0002-x86-speculation-Add-eIBRS-Retpoline-options.patch @@ -0,0 +1,274 @@ +From 1e19da8522c81bf46b335f84137165741e0d82b7 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra <peterz@infradead.org> +Date: Wed, 16 Feb 2022 20:57:01 +0100 +Subject: [PATCH 2/8] x86/speculation: Add eIBRS + Retpoline options + +Thanks to the chaps at VUsec it is now clear that eIBRS is not +sufficient, therefore allow enabling of retpolines along with eIBRS. + +Add spectre_v2=eibrs, spectre_v2=eibrs,lfence and +spectre_v2=eibrs,retpoline options to explicitly pick your preferred +means of mitigation. + +Since there's new mitigations there's also user visible changes in +/sys/devices/system/cpu/vulnerabilities/spectre_v2 to reflect these +new mitigations. + + [ bp: Massage commit message, trim error messages, + do more precise eIBRS mode checking. ] + +Co-developed-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Signed-off-by: Borislav Petkov <bp@suse.de> +Reviewed-by: Patrick Colp <patrick.colp@oracle.com> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +--- + arch/x86/include/asm/nospec-branch.h | 4 +- + arch/x86/kernel/cpu/bugs.c | 133 +++++++++++++++++++-------- + 2 files changed, 99 insertions(+), 38 deletions(-) + +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h +index c91d97bee237..acbaeaf83b61 100644 +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -190,7 +190,9 @@ enum spectre_v2_mitigation { + SPECTRE_V2_NONE, + SPECTRE_V2_RETPOLINE, + SPECTRE_V2_LFENCE, +- SPECTRE_V2_IBRS_ENHANCED, ++ SPECTRE_V2_EIBRS, ++ SPECTRE_V2_EIBRS_RETPOLINE, ++ SPECTRE_V2_EIBRS_LFENCE, + }; + + /* The indirect branch speculation control variants */ +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index e3bb8afc6768..79c52dd6c597 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -665,6 +665,9 @@ enum spectre_v2_mitigation_cmd { + SPECTRE_V2_CMD_RETPOLINE, + SPECTRE_V2_CMD_RETPOLINE_GENERIC, + SPECTRE_V2_CMD_RETPOLINE_LFENCE, ++ SPECTRE_V2_CMD_EIBRS, ++ SPECTRE_V2_CMD_EIBRS_RETPOLINE, ++ SPECTRE_V2_CMD_EIBRS_LFENCE, + }; + + enum spectre_v2_user_cmd { +@@ -737,6 +740,13 @@ spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd) + return SPECTRE_V2_USER_CMD_AUTO; + } + ++static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode) ++{ ++ return (mode == SPECTRE_V2_EIBRS || ++ mode == SPECTRE_V2_EIBRS_RETPOLINE || ++ mode == SPECTRE_V2_EIBRS_LFENCE); ++} ++ + static void __init + spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) + { +@@ -804,7 +814,7 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) + */ + if (!boot_cpu_has(X86_FEATURE_STIBP) || + !smt_possible || +- spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) ++ spectre_v2_in_eibrs_mode(spectre_v2_enabled)) + return; + + /* +@@ -826,7 +836,9 @@ static const char * const spectre_v2_strings[] = { + [SPECTRE_V2_NONE] = "Vulnerable", + [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines", + [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE", +- [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS", ++ [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS", ++ [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE", ++ [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines", + }; + + static const struct { +@@ -840,6 +852,9 @@ static const struct { + { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, + { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, + { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, ++ { "eibrs", SPECTRE_V2_CMD_EIBRS, false }, ++ { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false }, ++ { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false }, + { "auto", SPECTRE_V2_CMD_AUTO, false }, + }; + +@@ -877,15 +892,29 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) + + if ((cmd == SPECTRE_V2_CMD_RETPOLINE || + cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE || +- cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) && ++ cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC || ++ cmd == SPECTRE_V2_CMD_EIBRS_LFENCE || ++ cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) && + !IS_ENABLED(CONFIG_RETPOLINE)) { +- pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option); ++ pr_err("%s selected but not compiled in. Switching to AUTO select\n", ++ mitigation_options[i].option); ++ return SPECTRE_V2_CMD_AUTO; ++ } ++ ++ if ((cmd == SPECTRE_V2_CMD_EIBRS || ++ cmd == SPECTRE_V2_CMD_EIBRS_LFENCE || ++ cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) && ++ !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { ++ pr_err("%s selected but CPU doesn't have eIBRS. Switching to AUTO select\n", ++ mitigation_options[i].option); + return SPECTRE_V2_CMD_AUTO; + } + +- if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE) && ++ if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE || ++ cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) && + !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { +- pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n", mitigation_options[i].option); ++ pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n", ++ mitigation_options[i].option); + return SPECTRE_V2_CMD_AUTO; + } + +@@ -894,6 +923,25 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) + return cmd; + } + ++static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void) ++{ ++ if (!IS_ENABLED(CONFIG_RETPOLINE)) { ++ pr_err("Kernel not compiled with retpoline; no mitigation available!"); ++ return SPECTRE_V2_NONE; ++ } ++ ++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || ++ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { ++ if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { ++ pr_err("LFENCE not serializing, switching to generic retpoline\n"); ++ return SPECTRE_V2_RETPOLINE; ++ } ++ return SPECTRE_V2_LFENCE; ++ } ++ ++ return SPECTRE_V2_RETPOLINE; ++} ++ + static void __init spectre_v2_select_mitigation(void) + { + enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); +@@ -914,49 +962,60 @@ static void __init spectre_v2_select_mitigation(void) + case SPECTRE_V2_CMD_FORCE: + case SPECTRE_V2_CMD_AUTO: + if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { +- mode = SPECTRE_V2_IBRS_ENHANCED; +- /* Force it so VMEXIT will restore correctly */ +- x86_spec_ctrl_base |= SPEC_CTRL_IBRS; +- wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); +- goto specv2_set_mode; ++ mode = SPECTRE_V2_EIBRS; ++ break; + } +- if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_auto; ++ ++ mode = spectre_v2_select_retpoline(); + break; ++ + case SPECTRE_V2_CMD_RETPOLINE_LFENCE: +- if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_lfence; ++ mode = SPECTRE_V2_LFENCE; + break; ++ + case SPECTRE_V2_CMD_RETPOLINE_GENERIC: +- if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_generic; ++ mode = SPECTRE_V2_RETPOLINE; + break; ++ + case SPECTRE_V2_CMD_RETPOLINE: +- if (IS_ENABLED(CONFIG_RETPOLINE)) +- goto retpoline_auto; ++ mode = spectre_v2_select_retpoline(); ++ break; ++ ++ case SPECTRE_V2_CMD_EIBRS: ++ mode = SPECTRE_V2_EIBRS; ++ break; ++ ++ case SPECTRE_V2_CMD_EIBRS_LFENCE: ++ mode = SPECTRE_V2_EIBRS_LFENCE; ++ break; ++ ++ case SPECTRE_V2_CMD_EIBRS_RETPOLINE: ++ mode = SPECTRE_V2_EIBRS_RETPOLINE; + break; + } +- pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!"); +- return; + +-retpoline_auto: +- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || +- boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { +- retpoline_lfence: +- if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { +- pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n"); +- goto retpoline_generic; +- } +- mode = SPECTRE_V2_LFENCE; ++ if (spectre_v2_in_eibrs_mode(mode)) { ++ /* Force it so VMEXIT will restore correctly */ ++ x86_spec_ctrl_base |= SPEC_CTRL_IBRS; ++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); ++ } ++ ++ switch (mode) { ++ case SPECTRE_V2_NONE: ++ case SPECTRE_V2_EIBRS: ++ break; ++ ++ case SPECTRE_V2_LFENCE: ++ case SPECTRE_V2_EIBRS_LFENCE: + setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); ++ fallthrough; ++ ++ case SPECTRE_V2_RETPOLINE: ++ case SPECTRE_V2_EIBRS_RETPOLINE: + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); +- } else { +- retpoline_generic: +- mode = SPECTRE_V2_RETPOLINE; +- setup_force_cpu_cap(X86_FEATURE_RETPOLINE); ++ break; + } + +-specv2_set_mode: + spectre_v2_enabled = mode; + pr_info("%s\n", spectre_v2_strings[mode]); + +@@ -982,7 +1041,7 @@ static void __init spectre_v2_select_mitigation(void) + * the CPU supports Enhanced IBRS, kernel might un-intentionally not + * enable IBRS around firmware calls. + */ +- if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) { ++ if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_eibrs_mode(mode)) { + setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); + pr_info("Enabling Restricted Speculation for firmware calls\n"); + } +@@ -1691,7 +1750,7 @@ static ssize_t tsx_async_abort_show_state(char *buf) + + static char *stibp_state(void) + { +- if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) ++ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled)) + return ""; + + switch (spectre_v2_user_stibp) { +-- +2.35.1 + diff --git a/debian/patches/bugfix/x86/bhb/0003-Documentation-hw-vuln-Update-spectre-doc.patch b/debian/patches/bugfix/x86/bhb/0003-Documentation-hw-vuln-Update-spectre-doc.patch new file mode 100644 index 000000000..6f8e06995 --- /dev/null +++ b/debian/patches/bugfix/x86/bhb/0003-Documentation-hw-vuln-Update-spectre-doc.patch @@ -0,0 +1,115 @@ +From 5ad3eb1132453b9795ce5fd4572b1c18b292cca9 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra <peterz@infradead.org> +Date: Wed, 16 Feb 2022 20:57:02 +0100 +Subject: [PATCH 3/8] Documentation/hw-vuln: Update spectre doc + +Update the doc with the new fun. + + [ bp: Massage commit message. ] + +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Signed-off-by: Borislav Petkov <bp@suse.de> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +--- + Documentation/admin-guide/hw-vuln/spectre.rst | 44 +++++++++++++------ + .../admin-guide/kernel-parameters.txt | 8 +++- + 2 files changed, 36 insertions(+), 16 deletions(-) + +diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst +index a2b22d5640ec..79051f4dac45 100644 +--- a/Documentation/admin-guide/hw-vuln/spectre.rst ++++ b/Documentation/admin-guide/hw-vuln/spectre.rst +@@ -131,6 +131,19 @@ steer its indirect branch speculations to gadget code, and measure the + speculative execution's side effects left in level 1 cache to infer the + victim's data. + ++Yet another variant 2 attack vector is for the attacker to poison the ++Branch History Buffer (BHB) to speculatively steer an indirect branch ++to a specific Branch Target Buffer (BTB) entry, even if the entry isn't ++associated with the source address of the indirect branch. Specifically, ++the BHB might be shared across privilege levels even in the presence of ++Enhanced IBRS. ++ ++Currently the only known real-world BHB attack vector is via ++unprivileged eBPF. Therefore, it's highly recommended to not enable ++unprivileged eBPF, especially when eIBRS is used (without retpolines). ++For a full mitigation against BHB attacks, it's recommended to use ++retpolines (or eIBRS combined with retpolines). ++ + Attack scenarios + ---------------- + +@@ -364,13 +377,15 @@ The possible values in this file are: + + - Kernel status: + +- ==================================== ================================= +- 'Not affected' The processor is not vulnerable +- 'Vulnerable' Vulnerable, no mitigation +- 'Mitigation: Full generic retpoline' Software-focused mitigation +- 'Mitigation: Full AMD retpoline' AMD-specific software mitigation +- 'Mitigation: Enhanced IBRS' Hardware-focused mitigation +- ==================================== ================================= ++ ======================================== ================================= ++ 'Not affected' The processor is not vulnerable ++ 'Mitigation: None' Vulnerable, no mitigation ++ 'Mitigation: Retpolines' Use Retpoline thunks ++ 'Mitigation: LFENCE' Use LFENCE instructions ++ 'Mitigation: Enhanced IBRS' Hardware-focused mitigation ++ 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines ++ 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE ++ ======================================== ================================= + + - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is + used to protect against Spectre variant 2 attacks when calling firmware (x86 only). +@@ -583,12 +598,13 @@ kernel command line. + + Specific mitigations can also be selected manually: + +- retpoline +- replace indirect branches +- retpoline,generic +- google's original retpoline +- retpoline,amd +- AMD-specific minimal thunk ++ retpoline auto pick between generic,lfence ++ retpoline,generic Retpolines ++ retpoline,lfence LFENCE; indirect branch ++ retpoline,amd alias for retpoline,lfence ++ eibrs enhanced IBRS ++ eibrs,retpoline enhanced IBRS + Retpolines ++ eibrs,lfence enhanced IBRS + LFENCE + + Not specifying this option is equivalent to + spectre_v2=auto. +@@ -599,7 +615,7 @@ kernel command line. + spectre_v2=off. Spectre variant 1 mitigations + cannot be disabled. + +-For spectre_v2_user see :doc:`/admin-guide/kernel-parameters`. ++For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt + + Mitigation selection guide + -------------------------- +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index f5a27f067db9..7123524a86b8 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -5361,8 +5361,12 @@ + Specific mitigations can also be selected manually: + + retpoline - replace indirect branches +- retpoline,generic - google's original retpoline +- retpoline,amd - AMD-specific minimal thunk ++ retpoline,generic - Retpolines ++ retpoline,lfence - LFENCE; indirect branch ++ retpoline,amd - alias for retpoline,lfence ++ eibrs - enhanced IBRS ++ eibrs,retpoline - enhanced IBRS + Retpolines ++ eibrs,lfence - enhanced IBRS + LFENCE + + Not specifying this option is equivalent to + spectre_v2=auto. +-- +2.35.1 + diff --git a/debian/patches/bugfix/x86/bhb/0004-x86-speculation-Include-unprivileged-eBPF-status-in-.patch b/debian/patches/bugfix/x86/bhb/0004-x86-speculation-Include-unprivileged-eBPF-status-in-.patch new file mode 100644 index 000000000..798109d6c --- /dev/null +++ b/debian/patches/bugfix/x86/bhb/0004-x86-speculation-Include-unprivileged-eBPF-status-in-.patch @@ -0,0 +1,152 @@ +From 44a3918c8245ab10c6c9719dd12e7a8d291980d8 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf <jpoimboe@redhat.com> +Date: Fri, 18 Feb 2022 11:49:08 -0800 +Subject: [PATCH 4/8] x86/speculation: Include unprivileged eBPF status in + Spectre v2 mitigation reporting + +With unprivileged eBPF enabled, eIBRS (without retpoline) is vulnerable +to Spectre v2 BHB-based attacks. + +When both are enabled, print a warning message and report it in the +'spectre_v2' sysfs vulnerabilities file. + +Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Borislav Petkov <bp@suse.de> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +--- + arch/x86/kernel/cpu/bugs.c | 35 +++++++++++++++++++++++++++++------ + include/linux/bpf.h | 11 +++++++++++ + kernel/sysctl.c | 7 +++++++ + 3 files changed, 47 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 79c52dd6c597..0a4267c63d3b 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -16,6 +16,7 @@ + #include <linux/prctl.h> + #include <linux/sched/smt.h> + #include <linux/pgtable.h> ++#include <linux/bpf.h> + + #include <asm/spec-ctrl.h> + #include <asm/cmdline.h> +@@ -650,6 +651,16 @@ static inline const char *spectre_v2_module_string(void) + static inline const char *spectre_v2_module_string(void) { return ""; } + #endif + ++#define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" ++ ++#ifdef CONFIG_BPF_SYSCALL ++void unpriv_ebpf_notify(int new_state) ++{ ++ if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state) ++ pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); ++} ++#endif ++ + static inline bool match_option(const char *arg, int arglen, const char *opt) + { + int len = strlen(opt); +@@ -994,6 +1005,9 @@ static void __init spectre_v2_select_mitigation(void) + break; + } + ++ if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) ++ pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); ++ + if (spectre_v2_in_eibrs_mode(mode)) { + /* Force it so VMEXIT will restore correctly */ + x86_spec_ctrl_base |= SPEC_CTRL_IBRS; +@@ -1780,6 +1794,20 @@ static char *ibpb_state(void) + return ""; + } + ++static ssize_t spectre_v2_show_state(char *buf) ++{ ++ if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) ++ return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n"); ++ ++ return sprintf(buf, "%s%s%s%s%s%s\n", ++ spectre_v2_strings[spectre_v2_enabled], ++ ibpb_state(), ++ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", ++ stibp_state(), ++ boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", ++ spectre_v2_module_string()); ++} ++ + static ssize_t srbds_show_state(char *buf) + { + return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]); +@@ -1805,12 +1833,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr + return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]); + + case X86_BUG_SPECTRE_V2: +- return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], +- ibpb_state(), +- boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", +- stibp_state(), +- boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", +- spectre_v2_module_string()); ++ return spectre_v2_show_state(buf); + + case X86_BUG_SPEC_STORE_BYPASS: + return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index fa517ae604ad..1f56806d8eb9 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -1793,6 +1793,11 @@ struct bpf_core_ctx { + int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo, + int relo_idx, void *insn); + ++static inline bool unprivileged_ebpf_enabled(void) ++{ ++ return !sysctl_unprivileged_bpf_disabled; ++} ++ + #else /* !CONFIG_BPF_SYSCALL */ + static inline struct bpf_prog *bpf_prog_get(u32 ufd) + { +@@ -2012,6 +2017,12 @@ bpf_jit_find_kfunc_model(const struct bpf_prog *prog, + { + return NULL; + } ++ ++static inline bool unprivileged_ebpf_enabled(void) ++{ ++ return false; ++} ++ + #endif /* CONFIG_BPF_SYSCALL */ + + void __bpf_free_used_btfs(struct bpf_prog_aux *aux, +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 5ae443b2882e..730ab56d9e92 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -180,6 +180,10 @@ static int bpf_stats_handler(struct ctl_table *table, int write, + return ret; + } + ++void __weak unpriv_ebpf_notify(int new_state) ++{ ++} ++ + static int bpf_unpriv_handler(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +@@ -197,6 +201,9 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write, + return -EPERM; + *(int *)table->data = unpriv_enable; + } ++ ++ unpriv_ebpf_notify(unpriv_enable); ++ + return ret; + } + #endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */ +-- +2.35.1 + diff --git a/debian/patches/bugfix/x86/bhb/0005-x86-speculation-Use-generic-retpoline-by-default-on-.patch b/debian/patches/bugfix/x86/bhb/0005-x86-speculation-Use-generic-retpoline-by-default-on-.patch new file mode 100644 index 000000000..3e8f82439 --- /dev/null +++ b/debian/patches/bugfix/x86/bhb/0005-x86-speculation-Use-generic-retpoline-by-default-on-.patch @@ -0,0 +1,42 @@ +From 244d00b5dd4755f8df892c86cab35fb2cfd4f14b Mon Sep 17 00:00:00 2001 +From: Kim Phillips <kim.phillips@amd.com> +Date: Mon, 28 Feb 2022 11:23:15 -0600 +Subject: [PATCH 5/8] x86/speculation: Use generic retpoline by default on AMD + +AMD retpoline may be susceptible to speculation. The speculation +execution window for an incorrect indirect branch prediction using +LFENCE/JMP sequence may potentially be large enough to allow +exploitation using Spectre V2. + +By default, don't use retpoline,lfence on AMD. Instead, use the +generic retpoline. + +Signed-off-by: Kim Phillips <kim.phillips@amd.com> +Signed-off-by: Borislav Petkov <bp@suse.de> +--- + arch/x86/kernel/cpu/bugs.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 0a4267c63d3b..a36bfe2c2480 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -941,15 +941,6 @@ static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void) + return SPECTRE_V2_NONE; + } + +- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || +- boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { +- if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { +- pr_err("LFENCE not serializing, switching to generic retpoline\n"); +- return SPECTRE_V2_RETPOLINE; +- } +- return SPECTRE_V2_LFENCE; +- } +- + return SPECTRE_V2_RETPOLINE; + } + +-- +2.35.1 + diff --git a/debian/patches/bugfix/x86/bhb/0006-x86-speculation-Update-link-to-AMD-speculation-white.patch b/debian/patches/bugfix/x86/bhb/0006-x86-speculation-Update-link-to-AMD-speculation-white.patch new file mode 100644 index 000000000..3a976a6e1 --- /dev/null +++ b/debian/patches/bugfix/x86/bhb/0006-x86-speculation-Update-link-to-AMD-speculation-white.patch @@ -0,0 +1,42 @@ +From e9b6013a7ce31535b04b02ba99babefe8a8599fa Mon Sep 17 00:00:00 2001 +From: Kim Phillips <kim.phillips@amd.com> +Date: Mon, 28 Feb 2022 11:23:16 -0600 +Subject: [PATCH 6/8] x86/speculation: Update link to AMD speculation + whitepaper + +Update the link to the "Software Techniques for Managing Speculation +on AMD Processors" whitepaper. + +Signed-off-by: Kim Phillips <kim.phillips@amd.com> +Signed-off-by: Borislav Petkov <bp@suse.de> +--- + Documentation/admin-guide/hw-vuln/spectre.rst | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst +index 79051f4dac45..9e9556826450 100644 +--- a/Documentation/admin-guide/hw-vuln/spectre.rst ++++ b/Documentation/admin-guide/hw-vuln/spectre.rst +@@ -60,8 +60,8 @@ privileged data touched during the speculative execution. + Spectre variant 1 attacks take advantage of speculative execution of + conditional branches, while Spectre variant 2 attacks use speculative + execution of indirect branches to leak privileged memory. +-See :ref:`[1] <spec_ref1>` :ref:`[5] <spec_ref5>` :ref:`[7] <spec_ref7>` +-:ref:`[10] <spec_ref10>` :ref:`[11] <spec_ref11>`. ++See :ref:`[1] <spec_ref1>` :ref:`[5] <spec_ref5>` :ref:`[6] <spec_ref6>` ++:ref:`[7] <spec_ref7>` :ref:`[10] <spec_ref10>` :ref:`[11] <spec_ref11>`. + + Spectre variant 1 (Bounds Check Bypass) + --------------------------------------- +@@ -697,7 +697,7 @@ AMD white papers: + + .. _spec_ref6: + +-[6] `Software techniques for managing speculation on AMD processors <https://developer.amd.com/wp-content/resources/90343-B_SoftwareTechniquesforManagingSpeculation_WP_7-18Update_FNL.pdf>`_. ++[6] `Software techniques for managing speculation on AMD processors <https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf>`_. + + ARM white papers: + +-- +2.35.1 + diff --git a/debian/patches/bugfix/x86/bhb/0007-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch b/debian/patches/bugfix/x86/bhb/0007-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch new file mode 100644 index 000000000..102086aae --- /dev/null +++ b/debian/patches/bugfix/x86/bhb/0007-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch @@ -0,0 +1,62 @@ +From eafd987d4a82c7bb5aa12f0e3b4f8f3dea93e678 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf <jpoimboe@redhat.com> +Date: Fri, 25 Feb 2022 14:31:49 -0800 +Subject: [PATCH 7/8] x86/speculation: Warn about Spectre v2 LFENCE mitigation + +With: + + f8a66d608a3e ("x86,bugs: Unconditionally allow spectre_v2=retpoline,amd") + +it became possible to enable the LFENCE "retpoline" on Intel. However, +Intel doesn't recommend it, as it has some weaknesses compared to +retpoline. + +Now AMD doesn't recommend it either. + +It can still be left available as a cmdline option. It's faster than +retpoline but is weaker in certain scenarios -- particularly SMT, but +even non-SMT may be vulnerable in some cases. + +So just unconditionally warn if the user requests it on the cmdline. + + [ bp: Massage commit message. ] + +Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Borislav Petkov <bp@suse.de> +--- + arch/x86/kernel/cpu/bugs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index a36bfe2c2480..cfd116423908 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -651,6 +651,7 @@ static inline const char *spectre_v2_module_string(void) + static inline const char *spectre_v2_module_string(void) { return ""; } + #endif + ++#define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n" + #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" + + #ifdef CONFIG_BPF_SYSCALL +@@ -972,6 +973,7 @@ static void __init spectre_v2_select_mitigation(void) + break; + + case SPECTRE_V2_CMD_RETPOLINE_LFENCE: ++ pr_err(SPECTRE_V2_LFENCE_MSG); + mode = SPECTRE_V2_LFENCE; + break; + +@@ -1787,6 +1789,9 @@ static char *ibpb_state(void) + + static ssize_t spectre_v2_show_state(char *buf) + { ++ if (spectre_v2_enabled == SPECTRE_V2_LFENCE) ++ return sprintf(buf, "Vulnerable: LFENCE\n"); ++ + if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) + return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n"); + +-- +2.35.1 + diff --git a/debian/patches/bugfix/x86/bhb/0008-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch b/debian/patches/bugfix/x86/bhb/0008-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch new file mode 100644 index 000000000..dfc17c0ee --- /dev/null +++ b/debian/patches/bugfix/x86/bhb/0008-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch @@ -0,0 +1,94 @@ +From 0de05d056afdb00eca8c7bbb0c79a3438daf700c Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf <jpoimboe@redhat.com> +Date: Fri, 25 Feb 2022 14:32:28 -0800 +Subject: [PATCH 8/8] x86/speculation: Warn about eIBRS + LFENCE + Unprivileged + eBPF + SMT + +The commit + + 44a3918c8245 ("x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting") + +added a warning for the "eIBRS + unprivileged eBPF" combination, which +has been shown to be vulnerable against Spectre v2 BHB-based attacks. + +However, there's no warning about the "eIBRS + LFENCE retpoline + +unprivileged eBPF" combo. The LFENCE adds more protection by shortening +the speculation window after a mispredicted branch. That makes an attack +significantly more difficult, even with unprivileged eBPF. So at least +for now the logic doesn't warn about that combination. + +But if you then add SMT into the mix, the SMT attack angle weakens the +effectiveness of the LFENCE considerably. + +So extend the "eIBRS + unprivileged eBPF" warning to also include the +"eIBRS + LFENCE + unprivileged eBPF + SMT" case. + + [ bp: Massage commit message. ] + +Suggested-by: Alyssa Milburn <alyssa.milburn@linux.intel.com> +Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> +Signed-off-by: Borislav Petkov <bp@suse.de> +--- + arch/x86/kernel/cpu/bugs.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index cfd116423908..6296e1ebed1d 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -653,12 +653,27 @@ static inline const char *spectre_v2_module_string(void) { return ""; } + + #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n" + #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" ++#define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n" + + #ifdef CONFIG_BPF_SYSCALL + void unpriv_ebpf_notify(int new_state) + { +- if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state) ++ if (new_state) ++ return; ++ ++ /* Unprivileged eBPF is enabled */ ++ ++ switch (spectre_v2_enabled) { ++ case SPECTRE_V2_EIBRS: + pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); ++ break; ++ case SPECTRE_V2_EIBRS_LFENCE: ++ if (sched_smt_active()) ++ pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); ++ break; ++ default: ++ break; ++ } + } + #endif + +@@ -1118,6 +1133,10 @@ void cpu_bugs_smt_update(void) + { + mutex_lock(&spec_ctrl_mutex); + ++ if (sched_smt_active() && unprivileged_ebpf_enabled() && ++ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) ++ pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); ++ + switch (spectre_v2_user_stibp) { + case SPECTRE_V2_USER_NONE: + break; +@@ -1793,7 +1812,11 @@ static ssize_t spectre_v2_show_state(char *buf) + return sprintf(buf, "Vulnerable: LFENCE\n"); + + if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) +- return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n"); ++ return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n"); ++ ++ if (sched_smt_active() && unprivileged_ebpf_enabled() && ++ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) ++ return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n"); + + return sprintf(buf, "%s%s%s%s%s%s\n", + spectre_v2_strings[spectre_v2_enabled], +-- +2.35.1 + diff --git a/debian/patches/debian/module-avoid-abi-changes-when-debug-info-is-disabled.patch b/debian/patches/debian/module-avoid-abi-changes-when-debug-info-is-disabled.patch new file mode 100644 index 000000000..4cd5eb648 --- /dev/null +++ b/debian/patches/debian/module-avoid-abi-changes-when-debug-info-is-disabled.patch @@ -0,0 +1,92 @@ +From: Ben Hutchings <benh@debian.org> +Date: Wed, 02 Mar 2022 21:22:28 +0100 +Subject: module: Avoid ABI changes when debug info is disabled +Forwarded: not-needed + +CI builds are done with debug info disabled, but this removes some +members from struct module and replaces some BTF-related exports with +static definitions. This causes builds to fail if there is an ABI +reference for the current ABI. + +- Add a new config symbol DEBUG_INFO_BTF_MODULES_NOOP which can be + enabled when DEBUG_INFO is not enabled +- When the symbol is enabled: + - Define the BTF-related members of struct module + - Export the no-op definitions of BTF-related functions + - Define and export the same BTF-related static lists + +--- +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -470,7 +470,7 @@ struct module { + unsigned int num_bpf_raw_events; + struct bpf_raw_event_map *bpf_raw_events; + #endif +-#ifdef CONFIG_DEBUG_INFO_BTF_MODULES ++#if defined(CONFIG_DEBUG_INFO_BTF_MODULES) || defined(CONFIG_DEBUG_INFO_BTF_MODULES_NOOP) + unsigned int btf_data_size; + void *btf_data; + #endif +--- a/include/linux/btf.h ++++ b/include/linux/btf.h +@@ -250,7 +250,7 @@ struct kfunc_btf_id_list { + struct mutex mutex; + }; + +-#ifdef CONFIG_DEBUG_INFO_BTF_MODULES ++#if defined(CONFIG_DEBUG_INFO_BTF_MODULES) || defined(CONFIG_DEBUG_INFO_BTF_MODULES_NOOP) + void register_kfunc_btf_id_set(struct kfunc_btf_id_list *l, + struct kfunc_btf_id_set *s); + void unregister_kfunc_btf_id_set(struct kfunc_btf_id_list *l, +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -6383,6 +6383,30 @@ bool bpf_check_mod_kfunc_call(struct kfu + return false; + } + ++#elif defined(CONFIG_DEBUG_INFO_BTF_MODULES_NOOP) ++ ++void register_kfunc_btf_id_set(struct kfunc_btf_id_list *l, ++ struct kfunc_btf_id_set *s) ++{ ++} ++EXPORT_SYMBOL_GPL(register_kfunc_btf_id_set); ++ ++void unregister_kfunc_btf_id_set(struct kfunc_btf_id_list *l, ++ struct kfunc_btf_id_set *s) ++{ ++} ++EXPORT_SYMBOL_GPL(unregister_kfunc_btf_id_set); ++ ++bool bpf_check_mod_kfunc_call(struct kfunc_btf_id_list *klist, u32 kfunc_id, ++ struct module *owner) ++{ ++ return false; ++} ++ ++#endif /* CONFIG_DEBUG_INFO_BTF_MODULES */ ++ ++#if defined(CONFIG_DEBUG_INFO_BTF_MODULES) || defined(CONFIG_DEBUG_INFO_BTF_MODULES_NOOP) ++ + #define DEFINE_KFUNC_BTF_ID_LIST(name) \ + struct kfunc_btf_id_list name = { LIST_HEAD_INIT(name.list), \ + __MUTEX_INITIALIZER(name.mutex) }; \ +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -343,6 +343,16 @@ config GDB_SCRIPTS + + endif # DEBUG_INFO + ++if !DEBUG_INFO ++ ++config DEBUG_INFO_BTF_MODULES_NOOP ++ bool "Provide no-op BTF ABI to modules" ++ help ++ Enable this option instead of DEBUG_INFO_BTF to avoid an ABI ++ change when debug info is disabled. ++ ++endif ++ + config FRAME_WARN + int "Warn for stack frames larger than" + range 0 8192 diff --git a/debian/patches/series b/debian/patches/series index 9f5dcf417..a4aa70302 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -26,6 +26,7 @@ debian/documentation-drop-sphinx-version-check.patch debian/perf-traceevent-support-asciidoctor-for-documentatio.patch debian/kbuild-look-for-module.lds-under-arch-directory-too.patch debian/kbuild-abort-build-if-subdirs-used.patch +debian/module-avoid-abi-changes-when-debug-info-is-disabled.patch # Fixes/improvements to firmware loading features/all/drivers-media-dvb-usb-af9005-request_firmware.patch @@ -96,6 +97,14 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch +bugfix/x86/bhb/0001-x86-speculation-Rename-RETPOLINE_AMD-to-RETPOLINE_LF.patch +bugfix/x86/bhb/0002-x86-speculation-Add-eIBRS-Retpoline-options.patch +bugfix/x86/bhb/0003-Documentation-hw-vuln-Update-spectre-doc.patch +bugfix/x86/bhb/0004-x86-speculation-Include-unprivileged-eBPF-status-in-.patch +bugfix/x86/bhb/0005-x86-speculation-Use-generic-retpoline-by-default-on-.patch +bugfix/x86/bhb/0006-x86-speculation-Update-link-to-AMD-speculation-white.patch +bugfix/x86/bhb/0007-x86-speculation-Warn-about-Spectre-v2-LFENCE-mitigat.patch +bugfix/x86/bhb/0008-x86-speculation-Warn-about-eIBRS-LFENCE-Unprivileged.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch |