[SRU xenial] retpoline/IBPB combined mitigation

Andy Whitcroft apw at canonical.com
Fri Feb 9 17:08:35 UTC 2018


The previous retpoline update dropped IBPB support.  This would reduce our
protection for userspace/VMs.  This patch kit reinstates that protection
and uses it in combination with retpoline where each is available.  Note
that IBPB support is dependent on having microcode for your CPU which
supports it.

Proposing for SRU to xenial.

-apw

The following changes since commit 0d65082c299f05f6d3d9a5d37e033e162337b881:

  UBUNTU: Ubuntu-4.4.0-113.136 (2018-02-07 16:08:01 +0000)

are available in the Git repository at:

  https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/xenial-speculation-control-intel

for you to fetch changes up to a828947db96c16f224bf3e040f9e5e8b770dc497:

  UBUNTU: SAUCE: turn off IBPB when full retpoline is present (2018-02-09 14:36:13 +0000)

----------------------------------------------------------------
  * CVE-2017-5715 (Spectre v2 Intel)
    - SAUCE: drop lingering gmb() macro
    - x86/feature: Enable the x86 feature to control Speculation
    - x86/feature: Report presence of IBPB and IBRS control
    - x86/enter: MACROS to set/clear IBRS and set IBPB
    - x86/enter: Use IBRS on syscall and interrupts
    - x86/idle: Disable IBRS entering idle and enable it on wakeup
    - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
    - x86/mm: Set IBPB upon context switch
    - x86/mm: Only set IBPB when the new thread cannot ptrace current thread
    - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
    - x86/kvm: Set IBPB when switching VM
    - x86/kvm: Toggle IBRS on VM entry and exit
    - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
    - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
    - x86/cpu/amd, kvm: Satisfy guest kernel reads of IC_CFG MSR
    - x86/cpu/AMD: Add speculative control support for AMD
    - x86/microcode: Extend post microcode reload to support IBPB feature
    - KVM: SVM: Do not intercept new speculative control MSRs
    - x86/svm: Set IBRS value on VM entry and exit
    - x86/svm: Set IBPB when running a different VCPU
    - KVM: x86: Add speculative control CPUID support for guests
    - SAUCE: Fix spec_ctrl support in KVM
    - SAUCE: turn off IBPB when full retpoline is present
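As an added example (not part of this cover letter or the Ubuntu kernel tree), a shell check that reports which halves of the retpoline/IBPB combination described above a running xenial host exposes: the IBPB cpuinfo flag that only appears when the microcode supports it, the `/proc/sys/kernel/ibpb_enabled` knob from the sysctl patch, and the full-retpoline status in `/sys/devices/system/cpu/vulnerabilities/spectre_v2`. Those paths and flag spellings are assumptions about the backport's interfaces, so the script runs against constructed fixture files rather than the live host.

```shell
#!/bin/sh
# Added example, not from the SRU series: report which Spectre v2 mitigations
# a host exposes. Paths and flag names are assumptions about the xenial backport.

# 0 if the cpuinfo file advertises IBPB (enumerated via CPUID only when the
# microcode supports it; accept both flag spellings seen in backports).
has_ibpb_flag() {
    grep '^flags' "$1" | grep -qwE 'ibpb|ibpb_support'
}

# 0 if the spectre_v2 status file reports a full retpoline build.
has_full_retpoline() {
    grep -q 'Full' "$1"
}

# Print one of: retpoline+ibpb, retpoline-only, ibpb-only, neither.
# $1 cpuinfo file, $2 spectre_v2 status file, $3 ibpb_enabled knob.
classify() {
    ibpb=0; retp=0
    if has_ibpb_flag "$1" && [ "$(cat "$3")" != 0 ]; then ibpb=1; fi
    if has_full_retpoline "$2"; then retp=1; fi
    case "$ibpb$retp" in
        11) echo retpoline+ibpb ;;
        01) echo retpoline-only ;;   # typical when microcode lacks IBPB
        10) echo ibpb-only ;;
        *)  echo neither ;;
    esac
}

# Constructed fixtures standing in for /proc/cpuinfo,
# /sys/devices/system/cpu/vulnerabilities/spectre_v2 and
# /proc/sys/kernel/ibpb_enabled; left in $tmp for inspection.
tmp=$(mktemp -d)
printf 'flags\t\t: fpu vme sse ibpb ibrs\n' > "$tmp/cpu_new_ucode"
printf 'flags\t\t: fpu vme sse\n'           > "$tmp/cpu_old_ucode"
echo 'Mitigation: Full generic retpoline'    > "$tmp/spectre_full"
echo 'Vulnerable: Minimal generic ASM retpoline' > "$tmp/spectre_min"
echo 1 > "$tmp/ibpb_on"
echo 0 > "$tmp/ibpb_off"

classify "$tmp/cpu_new_ucode" "$tmp/spectre_full" "$tmp/ibpb_on"
classify "$tmp/cpu_old_ucode" "$tmp/spectre_full" "$tmp/ibpb_on"
classify "$tmp/cpu_new_ucode" "$tmp/spectre_min"  "$tmp/ibpb_on"
classify "$tmp/cpu_new_ucode" "$tmp/spectre_full" "$tmp/ibpb_off"
```

Point `classify` at the real `/proc/cpuinfo`, `spectre_v2` and `ibpb_enabled` paths to check a live host.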

More information about the kernel-team mailing list