- 12 Jan, 2018 40 commits
-
-
Nicholas Piggin authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 add an ori 31,31,0 speculation barrier ahead of the ori 30,30,0 flush type, which was found necessary to completely flush out all lines. Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 To enable migration between machines with different flush types enabled, allow the hypervisor to advertise more than one flush type, and if we see that we patch both in. On any given machine only one will be active (due to firmware configuration), but a kernel will be able to migrate between machines with different flush instructions enabled without modification. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 So we can select more than one. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Nicholas Piggin authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 This patch changes the fallback flush to load all ways of a set, then move to the next set. This is the best way to flush the cache, according to HW people. Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 After discussions this needs to be in Qemu, to deal with migration and other complications. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Michael Ellerman authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Nicholas Piggin authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742772 This puts a nop before each rfid/hrfid and patches in an L1-D cache flush instruction where possible. It provides /sys/devices/system/cpu/rfi_flush which can report and can patch the rfi flushes at runtime. This has some debug checking in the rfi instructions to make sure we're returning to the context we think we are, so we can avoid some flushes. Includes support for querying the device tree, or hypervisor, to determine the platform's capabilities and requirements. Also includes an implementation of the hcall for KVM guests. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Michael Neuling <mikey@neuling.org> Signed-off-by: Oliver O'Halloran <oohall@gmail.com> Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-
Martin Schwidefsky authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742771 Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Vasily Gorbik authored
CVE-2017-5754 BugLink: http://bugs.launchpad.net/bugs/1742771 Implement CPU alternatives, which allows optionally patching newer instructions at runtime, based on CPU facilities availability. A new kernel boot parameter "noaltinstr" disables patching. Current implementation is derived from x86 alternatives. Although ideal instructions padding (when altinstr is longer than oldinstr) is added at compile time, and no oldinstr nops optimization has to be done at runtime. Also a couple of compile time sanity checks are done: 1. oldinstr and altinstr must be <= 254 bytes long, 2. oldinstr and altinstr must not have an odd length. alternative(oldinstr, altinstr, facility); alternative_2(oldinstr, altinstr1, facility1, altinstr2, facility2); Both compile time and runtime padding consists of either 6/4/2 bytes nop or a jump (brcl) + 2 bytes nop filler if padding is longer than 6 bytes. .altinstructions and .altinstr_replacement sections are part of __init_begin : __init_end region and are freed after initialization. Signed-off-by: Vasily Gorbik <gor@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
William Grant authored
CVE-2017-5753 CVE-2017-5715 Signed-off-by: William Grant <wgrant@ubuntu.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Martin Schwidefsky authored
CVE-2017-5753 CVE-2017-5715 Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Andy Whitcroft authored
CVE-2017-5753 CVE-2017-5715 Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 1d40e84780e12578489810065695f5e72c7d1b89) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 With the switch to using LFENCE_RDTSC on AMD platforms there is no longer a need for the MFENCE_RDTSC feature. Remove its usage and definition. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 1faf0ed25006beed56fd6465d53c61250ed22d39) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 In order to reduce the impact of using MFENCE, make the execution of the LFENCE instruction serialized. This is done by setting bit 1 of MSR 0xc0011029 (DE_CFG). Some families that support LFENCE do not have this MSR. For these families, the LFENCE instruction is already serialized. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit c8bd06975d1b15b5f81f684d9d3f926b60cd77a9) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Clear registers on VM exit to prevent speculative use of them. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit fa3bf5051d2cb8df4c2ff38750c895ea497cc1d4) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Add code to overwrite the local CPU RSB entries from the previous less privileged mode. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 3dc0cf238b89fb023fd5ee6cdf2dbff5ffd4046c) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Provide the guest with the speculative control CPUID related values. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit cbfe052b7e811a2854162b210f242d3e815cbc17) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Set IBPB (Indirect Branch Prediction Barrier) when the current CPU is going to run a VCPU different from what was previously run. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit bb6edde44a0529ec52618c97a281719d968aaeab) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Set/restore the guest's IBRS value on VM entry. On VM exit back to the kernel save the guest IBRS value and then set IBRS to 1. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit ae47b6df435ae255747a9aa1a5520bd9ef01005f) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Allow guest access to the speculative control MSRs without being intercepted. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 68c2587c0680813d57af0a4073fa22a95a15e980) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Add an IBPB feature check to the speculative control update check after a microcode reload. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 073bee2caa42ddde1134cb87c955b4cad7b7d38b) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Add speculative control support for AMD processors. For AMD, speculative control is indicated as follows: CPUID EAX=0x00000007, ECX=0x00 return EDX[26] indicates support for both IBRS and IBPB. CPUID EAX=0x80000008, ECX=0x00 return EBX[12] indicates support for just IBPB. On AMD family 0x10, 0x12 and 0x16 processors where either of the above features are not supported, IBPB can be achieved by disabling indirect branch predictor support in MSR 0xc0011021[14] at boot. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 38994a3e1a9288622cb170bc89d037ca8f2b0fb6) Signed-off-by: Andy Whitcroft <apw@canonical.com>
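The CPUID layout given in the commit message above, as an added example that is not part of the patch series or the kernel code it describes: a small C program that decodes the leaf 0x7 EDX[26] (IBRS+IBPB) and leaf 0x80000008 EBX[12] (IBPB only) bits, and reports whether a family 0x10/0x12/0x16 part without either bit would fall back to the MSR 0xc0011021[14] predictor-disable the message mentions. The register values fed to the decode functions in main() are constructed for the demo; query_host() reads the real leaves only when built on x86, and the helper names are assumptions of this example, not kernel identifiers.

```c
/* Added example, not kernel code: decode the AMD speculative-control CPUID
 * bits described in the commit message (leaf 0x7 EDX[26] = IBRS+IBPB,
 * leaf 0x80000008 EBX[12] = IBPB only). Function names are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/clang helper for the cpuid instruction */
#endif

struct spec_ctrl_caps {
    bool ibrs;   /* Indirect Branch Restricted Speculation available */
    bool ibpb;   /* Indirect Branch Prediction Barrier available */
};

/* CPUID EAX=0x00000007, ECX=0: EDX bit 26 advertises both IBRS and IBPB. */
bool leaf7_edx_ibrs_ibpb(uint32_t edx)
{
    return (edx >> 26) & 1u;
}

/* CPUID EAX=0x80000008, ECX=0: EBX bit 12 advertises IBPB alone. */
bool leaf80000008_ebx_ibpb(uint32_t ebx)
{
    return (ebx >> 12) & 1u;
}

/* Combine the two leaves into one capability set, as the message lays it out. */
struct spec_ctrl_caps decode_amd_spec_ctrl(uint32_t leaf7_edx, uint32_t leaf8_ebx)
{
    struct spec_ctrl_caps c = { false, false };
    if (leaf7_edx_ibrs_ibpb(leaf7_edx)) {
        c.ibrs = true;
        c.ibpb = true;
    }
    if (leaf80000008_ebx_ibpb(leaf8_ebx))
        c.ibpb = true;
    return c;
}

/* Families 0x10, 0x12 and 0x16 with neither bit set: the message says IBPB
 * can instead be achieved by clearing the indirect branch predictor via
 * MSR 0xc0011021 bit 14 at boot. Return true when that fallback applies. */
bool needs_ic_cfg_fallback(unsigned family, struct spec_ctrl_caps c)
{
    if (c.ibrs || c.ibpb)
        return false;
    return family == 0x10 || family == 0x12 || family == 0x16;
}

/* Read the live leaves on an x86 host; returns -1 elsewhere or if leaf 7 is absent. */
int query_host(struct spec_ctrl_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    uint32_t leaf7_edx, leaf8_ebx = 0;

    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return -1;
    leaf7_edx = d;
    /* __get_cpuid checks the maximum extended leaf before issuing cpuid */
    if (__get_cpuid(0x80000008, &a, &b, &c, &d))
        leaf8_ebx = b;
    *out = decode_amd_spec_ctrl(leaf7_edx, leaf8_ebx);
    return 0;
#else
    (void)out;
    return -1;
#endif
}

int main(void)
{
    /* Constructed register values, not read from hardware */
    struct spec_ctrl_caps full = decode_amd_spec_ctrl(1u << 26, 0);
    struct spec_ctrl_caps ibpb_only = decode_amd_spec_ctrl(0, 1u << 12);
    struct spec_ctrl_caps none = decode_amd_spec_ctrl(0, 0);
    struct spec_ctrl_caps host;

    printf("leaf7 EDX[26] set      : ibrs=%d ibpb=%d\n", full.ibrs, full.ibpb);
    printf("leaf80000008 EBX[12]   : ibrs=%d ibpb=%d\n", ibpb_only.ibrs, ibpb_only.ibpb);
    printf("family 0x16, no bits   : IC_CFG fallback=%d\n",
           needs_ic_cfg_fallback(0x16, none));
    if (query_host(&host) == 0)
        printf("this host              : ibrs=%d ibpb=%d\n", host.ibrs, host.ibpb);
    return 0;
}
```

The decode is kept separate from the cpuid read so the bit logic can be exercised with constructed values on any machine; leaf 0x7 EDX[26] is an architectural bit that Intel parts set as well, so on the host the result says only that the bits are advertised, not which vendor's mitigation path the kernel picked.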
-
Borislav Petkov authored
CVE-2017-5753 CVE-2017-5715 The kernel accesses IC_CFG MSR (0xc0011021) on AMD because it checks whether the way access filter is enabled on some F15h models, and, if so, disables it. kvm doesn't handle that MSR access and complains about it, which can get really noisy in dmesg when one starts kvm guests all the time for testing. And it is useless anyway - guest kernel shouldn't be doing such changes anyway so tell it that that filter is disabled. Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/1448273546-2567-4-git-send-email-bp@alien8.de Signed-off-by: Ingo Molnar <mingo@kernel.org> (cherry picked from commit ae8b7875) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 48ec0cfa6dac428470e30855e2d9751e00e2ba6c) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 To prevent the unused registers %r8-%r15 from being used speculatively, we clear them upon syscall entrance for code hygiene in 32 bit compatible mode. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 85910f3f9cd728acce9ef34a6df4f8bf8714d006) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 To prevent the unused registers %r12-%r15, %rbp and %rbx from being used speculatively, we clear them upon syscall entrance for code hygiene. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 20018a1207a68ee311e9e080f8589e23a0e14852) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 33e16ee8bd43aa4f065e17abbe9ed66457327b84) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 There are 2 ways to control IBPB and IBRS
1. At boot time
   noibrs kernel boot parameter will disable IBRS usage
   noibpb kernel boot parameter will disable IBPB usage
   Otherwise if the above parameters are not specified, the system will enable ibrs and ibpb usage if the cpu supports it.
2. At run time
   echo 0 > /proc/sys/kernel/ibrs_enabled will turn off IBRS
   echo 1 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in kernel
   echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both userspace and kernel
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 50169d8fada2532084c9f8ccde51c6c9211603d5) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Add code to pad the local CPU's RSB entries to protect from previous less privilege mode. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 65ced0bf5b4bb86d1fa08200b57a5f55617ad7ad) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Restore guest IBRS on VM entry and set it to 1 on VM exit back to kernel. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 08aeb17b6385ac5b82d73753ac43cc8c7cff5d5c) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Set IBPB (Indirect branch prediction barrier) when switching VM. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 472524f41206beb0a29c08f10689648a3dcd7707) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Wei Wang authored
CVE-2017-5753 CVE-2017-5715 Add field to access guest MSR_IA332_SPEC_CTRL and MSR_IA32_PRED_CMD state. Signed-off-by: Wei Wang <wei.w.wang@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit f93ba2a9b5ab2c275e9adc10876cc0425a33eec0) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Stuff RSB to prevent RSB underflow on non-SMEP platform. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 183ab2f8dfb26ad2c83602af3ee9a5f11d65128b) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 To reduce overhead of setting IBPB, we only do that when the new thread cannot ptrace the current one. If the new thread has ptrace capability on current thread, it is safe. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 294ed6288a44f78781cf33cc9de32c50630c1646) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-