[SRU artful] retpoline/IBPB combined mitigation

Andy Whitcroft apw at canonical.com
Fri Feb 9 17:08:21 UTC 2018

The previous retpoline update dropped IBPB support.  This would reduce our
protection for userspace/VMs.  This patch kit reinstates that protection
and uses it in combination with retpoline where each is available.  Note
that IBPB support is dependent on having microcode for your CPU which
supports it.

Proposing for SRU to artful.


The following changes since commit d878dfee54cf6cef17a3d8a661effd3c9731420d:

  UBUNTU: Ubuntu-4.13.0-33.36 (2018-02-06 13:22:54 -0500)

are available in the Git repository at:

  https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/artful-speculation-control-intel

for you to fetch changes up to 6a36999c9ce2f76b7db724f5132832ae46a5a36e:

  UBUNTU: SAUCE: turn off IBPB when full retpoline is present (2018-02-09 12:12:34 +0000)

  * CVE-2017-5715 (Spectre v2 Intel)
    - x86/feature: Enable the x86 feature to control Speculation
    - x86/feature: Report presence of IBPB and IBRS control
    - x86/enter: MACROS to set/clear IBRS and set IBPB
    - x86/enter: Use IBRS on syscall and interrupts
    - x86/idle: Disable IBRS entering idle and enable it on wakeup
    - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
    - x86/mm: Set IBPB upon context switch
    - x86/mm: Only set IBPB when the new thread cannot ptrace current thread
    - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
    - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
    - x86/kvm: Set IBPB when switching VM
    - x86/kvm: Toggle IBRS on VM entry and exit
    - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
    - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
    - x86/cpu/AMD: Add speculative control support for AMD
    - x86/microcode: Extend post microcode reload to support IBPB feature
    - KVM: SVM: Do not intercept new speculative control MSRs
    - x86/svm: Set IBRS value on VM entry and exit
    - x86/svm: Set IBPB when running a different VCPU
    - KVM: x86: Add speculative control CPUID support for guests
    - SAUCE: turn off IBPB when full retpoline is present

More information about the kernel-team mailing list