ACK: [SRU xenial] retpoline/IBPB combined mitigation

Colin Ian King colin.king at canonical.com
Fri Feb 9 17:12:16 UTC 2018 

On 09/02/18 17:08, Andy Whitcroft wrote:
> The previous retpoline update dropped IBPB support.  This would reduce our
> protection for userspace/VMs.  This patch kit reinstates that protection
> and uses it in combination with retpoline where each is available.  Note
> that IBPB support is dependent on having microcode for your CPU which
> supports it.
> 
> Proposing for SRU to xenial.
> 
> -apw
> 
> The following changes since commit 0d65082c299f05f6d3d9a5d37e033e162337b881:
> 
>   UBUNTU: Ubuntu-4.4.0-113.136 (2018-02-07 16:08:01 +0000)
> 
> are available in the Git repository at:
> 
>   https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/xenial-speculation-control-intel
> 
> for you to fetch changes up to a828947db96c16f224bf3e040f9e5e8b770dc497:
> 
>   UBUNTU: SAUCE: turn off IBPB when full retpoline is present (2018-02-09 14:36:13 +0000)
> 
> ----------------------------------------------------------------
>   * CVE-2017-5715 (Spectre v2 Intel)
>     - SAUCE: drop lingering gmb() macro
>     - x86/feature: Enable the x86 feature to control Speculation
>     - x86/feature: Report presence of IBPB and IBRS control
>     - x86/enter: MACROS to set/clear IBRS and set IBPB
>     - x86/enter: Use IBRS on syscall and interrupts
>     - x86/idle: Disable IBRS entering idle and enable it on wakeup
>     - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
>     - x86/mm: Set IBPB upon context switch
>     - x86/mm: Only set IBPB when the new thread cannot ptrace current thread
>     - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
>     - x86/kvm: Set IBPB when switching VM
>     - x86/kvm: Toggle IBRS on VM entry and exit
>     - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
>     - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
>     - x86/cpu/amd, kvm: Satisfy guest kernel reads of IC_CFG MSR
>     - x86/cpu/AMD: Add speculative control support for AMD
>     - x86/microcode: Extend post microcode reload to support IBPB feature
>     - KVM: SVM: Do not intercept new speculative control MSRs
>     - x86/svm: Set IBRS value on VM entry and exit
>     - x86/svm: Set IBPB when running a different VCPU
>     - KVM: x86: Add speculative control CPUID support for guests
>     - SAUCE: Fix spec_ctrl support in KVM
>     - SAUCE: turn off IBPB when full retpoline is present
> 
I've tested these and didn't see any regressions.

Acked-by: Colin Ian King <colin.king at canonical.com>

More information about the kernel-team mailing list