- 15 Jan, 2018 7 commits
-
-
Kleber Sacilotto de Souza authored
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Andy Whitcroft authored
BugLink: http://bugs.launchpad.net/bugs/1743383Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
Jim Mattson authored
CVE-2017-5753 CVE-2017-5715 commit 0cb5b306 upstream. Guest GPR values are live in the hardware GPRs at VM-exit. Do not leave any guest values in hardware GPRs after the guest GPR values are saved to the vcpu_vmx structure. This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753. Specifically, it defeats the Project Zero PoC for CVE 2017-5715. Suggested-by: Eric Northup <digitaleric@google.com> Signed-off-by: Jim Mattson <jmattson@google.com> Reviewed-by: Eric Northup <digitaleric@google.com> Reviewed-by: Benjamin Serebrin <serebrin@google.com> Reviewed-by: Andrew Honig <ahonig@google.com> [Paolo: Add AMD bits, Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5753 CVE-2017-5715 This reverts commit a1c61c3a. Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Andy Whitcroft authored
UBUNTU: SAUCE: x86/microcode: Extend post microcode reload to support IBPB feature -- repair missmerge CVE-2017-5753 CVE-2017-5715 Fix missmerge leading to removal of late_initcall(). Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Seth Forshee authored
CVE-2017-5754 hwsync was added as a mnemonic for sync in binutils 2.25, prior to that there is no support for hwsync. Replace uses of hwsync with sync to maintain compatibility with older binutils. Fixes: ee71154e ("UBUNTU: SAUCE: rfi-flush: Add barriers to the fallback L1D flushing") Acked-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
-
Kleber Sacilotto de Souza authored
Ignore: yes Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
-
- 12 Jan, 2018 33 commits
-
-
Marcelo Henrique Cerri authored
Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5753 CVE-2017-5715 Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5753 CVE-2017-5715 Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Marcelo Henrique Cerri authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Spotted by Paul. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Spotted by Paul. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Nicholas Piggin authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Add a data dependency on loads for the fallback flush. This reduces or eliminates instances of incomplete flushing on P8 and P9. Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 We use the x86 'nopti' option because all the documenation on earth is going to refer to that, and we can guess what users mean when they specify that - they want to avoid any overhead due to Meltdown mitigations. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 To avoid a bug like the previous commit ever happening again, put the nops in a single place. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 We forgot to expand the number of nops in HRFI_TO_UNKNOWN when we expanded the number of nops. The result is we actually overwrite the rfid with a nop, which is not good. Luckily this is only used in denorm_done, which is not hit often. Spotted by Ram. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Since we now have three nops, we need to branch further to get over the nops to the branch to the fallback flush. Instead of putting the branch in slot 1 and branching by 8, put it in 0 and branch all the way to keep it simple. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Rather than assuming a successful return from the hcall will tell us a valid flush type, if the hcall doesn't select one of the known flush types use the fallback. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Assume we need to do the fallback flush, unless firmware tells us explicitly not to, by having the two needs-l1d-flush properties set to disabled. The previous logic assumed that the existence of a "fw-features" node with no further properties was sufficient to indicate the flush wasn't needed. This should make no difference in practice with current firmwares, because the "fw-features" node has only just been introduced, so there are no machines in the wild which have an empty "fw-features" node. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Balbir Singh authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Add a hwsync after DCBT_STOP_ALL_STREAM_IDS to order loads/ stores prior to stopping prefetch with loads and stores as a part of the flushing. A lwsync is needed to ensure that after we don't mix the flushing of one congruence class with another Signed-off-by: Balbir Singh <bsingharora@gmail.com> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Aneesh Kumar K.V authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Aneesh Kumar K.V authored
UBUNTU: SAUCE: Remove setup.h include file otherwise compilation complains about missing header file. CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 There's no reason to #error if we include ppc_asm.h in asm files, the ifdef already prevents any problems. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Nicholas Piggin authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 add an ori 31,31,0 speculation barrier ahead of the ori 30,30,0 flush type, which was found necessary to completely flush out all lines. Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 To enable migration between machines with different flush types enabled, allow the hypervisor to advertise more than one flush type, and if we see that we patch both in. On any given machine only one will be active (due to firmware configuration), but a kernel will be able to migrate between machines with different flush instructions enabled without modification. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 So we can select more than one. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Nicholas Piggin authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 This patch chnages the fallback flush to load all ways of a set, then move to the next set. This is the best way to flush the cache, accoring to HW people. Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 After discussions this needs to be in Qemu, to deal with migration and other complications. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Nicholas Piggin authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 This puts a nop before each rfid/hrfid and patches in an L1-D cache flush instruction where possible. It provides /sys/devices/system/cpu/rfi_flush which can report and can patch the rfi flushes at runtime. This has some debug checking in the rfi instructions to make sure we're returning to the context we think we are, so we can avoid some flushes. Includes support for querying the device tree, or hypervisor, to determine the platform's capabilities and requirements. Also includes an implementation of the hcall for KVM guests. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Michael Neuling <mikey@neuling.org> Signed-off-by: Oliver O'Halloran <oohall@gmail.com> Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Martin Schwidefsky authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742771Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Vasily Gorbik authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742771 Implement CPU alternatives, which allows to optionally patch newer instructions at runtime, based on CPU facilities availability. A new kernel boot parameter "noaltinstr" disables patching. Current implementation is derived from x86 alternatives. Although ideal instructions padding (when altinstr is longer then oldinstr) is added at compile time, and no oldinstr nops optimization has to be done at runtime. Also couple of compile time sanity checks are done: 1. oldinstr and altinstr must be <= 254 bytes long, 2. oldinstr and altinstr must not have an odd length. alternative(oldinstr, altinstr, facility); alternative_2(oldinstr, altinstr1, facility1, altinstr2, facility2); Both compile time and runtime padding consists of either 6/4/2 bytes nop or a jump (brcl) + 2 bytes nop filler if padding is longer then 6 bytes. .altinstructions and .altinstr_replacement sections are part of __init_begin : __init_end region and are freed after initialization. Signed-off-by: Vasily Gorbik <gor@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Andy Whitcroft <apw@canonical.com>
-