ACK: [SRU artful] retpoline/IBPB combined mitigation

Kamal Mostafa kamal at canonical.com
Fri Feb 9 17:13:50 UTC 2018


Acked-by: Kamal Mostafa <kamal at canonical.com>

On Fri, Feb 09, 2018 at 05:08:21PM +0000, Andy Whitcroft wrote:
> The previous retpoline update dropped IBPB support.  This would reduce our
> protection for userspace/VMs.  This patch kit reinstates that protection
> and uses it in combination with retpoline where each is available.  Note
> that IBPB support is dependent on having microcode for your CPU which
> supports it.
> 
> Proposing for SRU to artful.
> 
> -apw
> 
> The following changes since commit d878dfee54cf6cef17a3d8a661effd3c9731420d:
> 
>   UBUNTU: Ubuntu-4.13.0-33.36 (2018-02-06 13:22:54 -0500)
> 
> are available in the Git repository at:
> 
>   https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/artful-speculation-control-intel
> 
> for you to fetch changes up to 6a36999c9ce2f76b7db724f5132832ae46a5a36e:
> 
>   UBUNTU: SAUCE: turn off IBPB when full retpoline is present (2018-02-09 12:12:34 +0000)
> 
> ----------------------------------------------------------------
>   * CVE-2017-5715 (Spectre v2 Intel)
>     - x86/feature: Enable the x86 feature to control Speculation
>     - x86/feature: Report presence of IBPB and IBRS control
>     - x86/enter: MACROS to set/clear IBRS and set IBPB
>     - x86/enter: Use IBRS on syscall and interrupts
>     - x86/idle: Disable IBRS entering idle and enable it on wakeup
>     - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
>     - x86/mm: Set IBPB upon context switch
>     - x86/mm: Only set IBPB when the new thread cannot ptrace current thread
>     - x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
>     - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
>     - x86/kvm: Set IBPB when switching VM
>     - x86/kvm: Toggle IBRS on VM entry and exit
>     - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
>     - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
>     - x86/cpu/AMD: Add speculative control support for AMD
>     - x86/microcode: Extend post microcode reload to support IBPB feature
>     - KVM: SVM: Do not intercept new speculative control MSRs
>     - x86/svm: Set IBRS value on VM entry and exit
>     - x86/svm: Set IBPB when running a different VCPU
>     - KVM: x86: Add speculative control CPUID support for guests
>     - SAUCE: turn off IBPB when full retpoline is present
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
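Added example (not part of the mail above or of the Ubuntu kernel tree): a small POSIX sh check for the microcode dependency Andy points out. IBPB/IBRS only become available when the CPU's microcode exposes them, while retpoline is a property of the kernel build, so after installing a kernel from a series like this one a practitioner wants to see both. The cpuinfo flag names (spec_ctrl, ibpb, ibrs), the sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2 and the "Mitigation: ..." status strings are assumptions about what the running kernel reports, and the sample inputs below are constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example, not from the mail or the Ubuntu kernel tree: report what
# this machine exposes for Spectre v2 control. Flag names and the sysfs
# status format are assumptions about the running kernel; the sample
# strings below are constructed so the classifiers can be exercised
# without the real files.

# spec_features FLAGS
# Given the value of a /proc/cpuinfo "flags" line, print the
# speculation-control features it contains, in a fixed order.
# An empty result means the microcode (or the kernel) does not expose
# IBPB/IBRS, so the kernel can only rely on retpoline.
spec_features() {
    found=""
    for f in spec_ctrl ibpb ibrs; do
        case " $1 " in
            *" $f "*) found="$found $f" ;;
        esac
    done
    printf '%s\n' "${found# }"
}

# spectre_v2_mode STATUS
# Given the text of /sys/devices/system/cpu/vulnerabilities/spectre_v2
# (assumed format), print one word summarising the mitigation in force:
#   retpoline+ibpb  full retpoline plus IBPB from microcode
#   retpoline       retpoline only (no usable IBPB/IBRS microcode)
#   ibrs            IBRS-based mitigation without retpoline
#   none            "Vulnerable" or an unrecognised string
spectre_v2_mode() {
    case "$1" in
        Mitigation:*[Rr]etpoline*IBPB*) printf 'retpoline+ibpb\n' ;;
        Mitigation:*[Rr]etpoline*)       printf 'retpoline\n' ;;
        Mitigation:*IBRS*)               printf 'ibrs\n' ;;
        *)                               printf 'none\n' ;;
    esac
}

# Constructed samples (not captured from a real machine).
SAMPLE_FLAGS_NO_UCODE="fpu vme de pse tsc msr pae mce cx8 apic sep"
SAMPLE_FLAGS_UCODE="fpu vme de pse tsc msr pae mce cx8 apic sep spec_ctrl ibpb ibrs"
SAMPLE_STATUS_FULL="Mitigation: Full generic retpoline, IBPB"
SAMPLE_STATUS_VULN="Vulnerable: Minimal generic ASM retpoline"

# Live report against the running kernel, for the files that exist.
report_live() {
    if [ -r /proc/cpuinfo ]; then
        flags=$(awk -F': ' '/^flags/ { print $2; exit }' /proc/cpuinfo)
        printf 'cpu flags : %s\n' "$(spec_features "$flags")"
    fi
    status_file=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$status_file" ]; then
        status=$(cat "$status_file")
        printf 'spectre_v2: %s (%s)\n' "$status" "$(spectre_v2_mode "$status")"
    else
        printf 'spectre_v2: sysfs status file not present on this kernel\n'
    fi
}

report_live
```

If the flags line comes back without spec_ctrl/ibpb after the kernel update, the missing piece is the microcode package (or a firmware update), not the kernel: the kernel can only use IBPB when the CPU advertises it.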