ACK: [SRU artful] retpoline/IBPB combined mitigation
Colin Ian King
colin.king at canonical.com
Fri Feb 9 17:12:28 UTC 2018
On 09/02/18 17:08, Andy Whitcroft wrote:
> The previous retpoline update dropped IBPB support. This would reduce our
> protection for userspace/VMs. This patch kit reinstates that protection
> and uses it in combination with retpoline where each is available. Note
> that IBPB support is dependent on having microcode for your CPU which
> supports it.
>
> Proposing for SRU to artful.
>
> -apw
>
> The following changes since commit d878dfee54cf6cef17a3d8a661effd3c9731420d:
>
> UBUNTU: Ubuntu-4.13.0-33.36 (2018-02-06 13:22:54 -0500)
>
> are available in the Git repository at:
>
> https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/artful-speculation-control-intel
>
> for you to fetch changes up to 6a36999c9ce2f76b7db724f5132832ae46a5a36e:
>
> UBUNTU: SAUCE: turn off IBPB when full retpoline is present (2018-02-09 12:12:34 +0000)
>
> ----------------------------------------------------------------
> * CVE-2017-5715 (Spectre v2 Intel)
> - x86/feature: Enable the x86 feature to control Speculation
> - x86/feature: Report presence of IBPB and IBRS control
> - x86/enter: MACROS to set/clear IBRS and set IBPB
> - x86/enter: Use IBRS on syscall and interrupts
> - x86/idle: Disable IBRS entering idle and enable it on wakeup
> - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
> - x86/mm: Set IBPB upon context switch
> - x86/mm: Only set IBPB when the new thread cannot ptrace current thread
> - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
> - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
> - x86/kvm: Set IBPB when switching VM
> - x86/kvm: Toggle IBRS on VM entry and exit
> - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
> - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
> - x86/cpu/AMD: Add speculative control support for AMD
> - x86/microcode: Extend post microcode reload to support IBPB feature
> - KVM: SVM: Do not intercept new speculative control MSRs
> - x86/svm: Set IBRS value on VM entry and exit
> - x86/svm: Set IBPB when running a different VCPU
> - KVM: x86: Add speculative control CPUID support for guests
> - SAUCE: turn off IBPB when full retpoline is present
>
I've tested these and didn't see any regressions.
Acked-by: Colin Ian King <colin.king at canonical.com>
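As an added check that is not part of this thread or of the Ubuntu kernel tree: a small POSIX sh helper that reads what the kernel itself reports (the `flags` line of `/proc/cpuinfo` and `/sys/devices/system/cpu/vulnerabilities/spectre_v2`) and tells you whether retpoline and IBPB are active and whether the microcode prerequisite for IBPB the cover letter mentions is present. The CPU flag names (`ibpb`, `ibrs`, `spec_ctrl`) and the sysfs wording are assumptions about what a given kernel prints; the sample values are constructed.

```sh
#!/bin/sh
# Added example, not part of the thread: classify a host's Spectre v2 state
# from the kernel's own reporting. Tracks the two controls the cover letter
# discusses, retpoline and IBPB, and whether microcode support is visible.
#
# spectre_v2_status FLAGS SYSFS_LINE
#   FLAGS      the "flags" line of /proc/cpuinfo (values only)
#   SYSFS_LINE contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2
# Prints retpoline=/ibpb=/microcode= and exits 0 if retpoline or IBPB is active.
spectre_v2_status() {
    flags=" $1 "
    sysfs="$2"
    retpoline=no; ibpb=no; microcode=no

    # Microcode-backed controls show up as CPU flags; the names are assumed:
    # ibpb/ibrs for this backport, spec_ctrl for later upstream kernels.
    case "$flags" in *" ibpb "*|*" ibrs "*|*" spec_ctrl "*) microcode=yes ;; esac

    # Assumed sysfs wording, e.g. "Mitigation: Full generic retpoline, IBPB".
    case "$sysfs" in
        "Not affected"*) echo "not-affected"; return 0 ;;
        *"Full"*"retpoline"*) retpoline=yes ;;
    esac
    case "$sysfs" in *"IBPB"*) ibpb=yes ;; esac

    echo "retpoline=$retpoline ibpb=$ibpb microcode=$microcode"
    [ "$retpoline" = yes ] || [ "$ibpb" = yes ]
}

# Constructed samples (not captured from a real host).
SAMPLE_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat syscall nx lm ibpb ibrs"
SAMPLE_SYSFS="Mitigation: Full generic retpoline, IBPB"
spectre_v2_status "$SAMPLE_FLAGS" "$SAMPLE_SYSFS"

# Live check against the running kernel only when asked for explicitly.
if [ "${1:-}" = "--live" ]; then
    live_flags=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' /proc/cpuinfo | head -n1)
    live_sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null || echo unknown)
    spectre_v2_status "$live_flags" "$live_sysfs"
fi
```

A host that reports `retpoline=yes ibpb=no microcode=no` has the kernel side of the kit but not the microcode, which is the gap the cover letter warns about; the non-zero exit makes the function usable from a fleet-wide check.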