[SRU trusty] retpoline/IBPB combined mitigation
Andy Whitcroft
apw at canonical.com
Sun Feb 25 14:31:11 UTC 2018
Add retpoline support to Trusty. This combines a backport of the upstream
retpoline patches from v4.4 to the existing IBRS/IBPB mitigation we
already have applied. It also updates the Intel mitigation to the
latest version.
This pull request appears more complex than you might otherwise hope, as
we are slowly replacing the non-upstream code with upstream code as each
part becomes available. To this end we are taking off our non-upstream
code, applying the new upstream code, and reapplying the non-upstream code
over the top. This means it is the patches we are looking to replace
that end up with any delta folded into them, not the upstream patches.
Proposing for SRU to trusty.
-apw
The following changes since commit fbfa1ca679dd9ede02e1e776e26021c21cae872e:
powerpc: Do not call ppc_md.panic in fadump panic notifier (2018-02-20 09:47:47 +0100)
are available in the Git repository at:
git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti pti/trusty-retpoline-intelv1
for you to fetch changes up to 901c1131a46ef96e376216d60267e73de5c16232:
UBUNTU: [Packaging] final-checks -- check for empty retpoline files (2018-02-22 12:09:21 +0000)
----------------------------------------------------------------
* retpoline abi files are empty on i386 (LP: #1751021)
- [Packaging] retpoline-extract -- instantiate retpoline files for i386
- [Packaging] final-checks -- sanity checking ABI contents
- [Packaging] final-checks -- check for empty retpoline files
* CVE-2017-5715 (Spectre v2 Intel)
- x86, microcode: Share native MSR accessing variants
- kvm: vmx: Scrub hardware GPRs at VM-exit
- SAUCE: x86/feature: Enable the x86 feature to control Speculation
- SAUCE: x86/feature: Report presence of IBPB and IBRS control
- SAUCE: x86/enter: MACROS to set/clear IBRS and set IBPB
- SAUCE: x86/enter: Use IBRS on syscall and interrupts
- SAUCE: x86/idle: Disable IBRS entering idle and enable it on wakeup
- SAUCE: x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
- SAUCE: x86/mm: Set IBPB upon context switch
- SAUCE: x86/mm: Only set IBPB when the new thread cannot ptrace current
thread
- SAUCE: x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
- SAUCE: x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
- SAUCE: x86/kvm: Set IBPB when switching VM
- SAUCE: x86/kvm: Toggle IBRS on VM entry and exit
- SAUCE: x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
- SAUCE: x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
- SAUCE: x86/cpu/AMD: Add speculative control support for AMD
- SAUCE: x86/microcode: Extend post microcode reload to support IBPB feature
- SAUCE: KVM: SVM: Do not intercept new speculative control MSRs
- SAUCE: x86/svm: Set IBRS value on VM entry and exit
- SAUCE: x86/svm: Set IBPB when running a different VCPU
- SAUCE: KVM: x86: Add speculative control CPUID support for guests
- SAUCE: x86/entry: Fixup 32bit compat call locations
- SAUCE: KVM: Fix spec_ctrl CPUID support for guests
- SAUCE: x86/cpuid: Fix ordering of scattered feature list
- SAUCE: turn off IBRS when full retpoline is present
* CVE-2017-5753 (Spectre v1 Intel)
- x86: Add another set of MSR accessor functions
- x86/cpu/AMD: Make the LFENCE instruction serialized
- SAUCE: x86/cpu/AMD: switch to lfence rather than mfence
- locking/barriers: introduce new observable speculation barrier
- bpf: prevent speculative execution in eBPF interpreter
- uvcvideo: prevent speculative execution
- carl9170: prevent speculative execution
- qla2xxx: prevent speculative execution
- fs: prevent speculative execution
- udf: prevent speculative execution
- userns: prevent speculative execution
- SAUCE: claim mitigation via observable speculation barrier
- powerpc: add osb barrier
- s390/spinlock: add osb memory barrier
- arm64: no osb() implementation yet
- arm: no osb() implementation yet
* CVE-2017-5715 (Spectre v2 retpoline)
- x86/alternatives: Fix ALTERNATIVE_2 padding generation properly
- x86/alternatives: Fix alt_max_short macro to really be a max()
- x86/alternatives: Guard NOPs optimization
- x86/alternatives: Switch AMD F15h and later to the P6 NOPs
- x86/alternatives: Make optimize_nops() interrupt safe and synced
- x86/alternatives: Fix optimize_nops() checking
- x86/cpuid: Provide get_scattered_cpuid_leaf()
- x86/cpu: Factor out application of forced CPU caps
- x86/cpufeatures: Make CPU bugs sticky
- x86/cpufeatures: Add X86_BUG_CPU_INSECURE
- x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
- x86/cpu, x86/pti: Do not enable PTI on AMD processors
- x86/cpu: Merge bugs.c and bugs_64.c
- sysfs/cpu: Add vulnerability folder
- x86/cpu: Implement CPU vulnerabilites sysfs functions
- x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
- x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier
- x86/asm: Use register variable to get stack pointer value
- x86/kbuild: enable modversions for symbols exported from asm
- x86/asm: Make asm/alternative.h safe from assembly
- EXPORT_SYMBOL() for asm
- kconfig.h: use __is_defined() to check if MODULE is defined
- x86/retpoline: Add initial retpoline support
- x86/spectre: Add boot time option to select Spectre v2 mitigation
- x86/retpoline/crypto: Convert crypto assembler indirect jumps
- x86/retpoline/entry: Convert entry assembler indirect jumps
- x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
- x86/retpoline/hyperv: Convert assembler indirect jumps
- x86/retpoline/xen: Convert Xen hypercall indirect jumps
- x86/retpoline/checksum32: Convert assembler indirect jumps
- x86/retpoline/irq32: Convert assembler indirect jumps
- x86/retpoline: Fill return stack buffer on vmexit
- x86/retpoline: Remove compile time warning
- x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
- module: Add retpoline tag to VERMAGIC
- x86/mce: Make machine check speculation protected
- retpoline: Introduce start/end markers of indirect thunk
- kprobes/x86: Disable optimizing on the function jumps to indirect thunk
- x86/retpoline: Optimize inline assembler for vmexit_fill_RSB
- [Config] CONFIG_RETPOLINE=y
- [Packaging] retpoline -- add call site validation
- [Packaging] retpoline files must be sorted
- [Config] disable retpoline for the first upload
* CVE-2017-5715 (revert embargoed) // CVE-2017-5753 (revert embargoed)
- Revert "UBUNTU: SAUCE: x86/cpuid: Fix ordering of scattered feature list"
- Revert "UBUNTU: SAUCE: KVM: Fix spec_ctrl CPUID support for guests"
- Revert "UBUNTU: SAUCE: x86/entry: Fixup 32bit compat call locations"
- Revert "UBUNTU: SAUCE: powerpc: no gmb() implementation yet"
- Revert "UBUNTU: SAUCE: arm: no gmb() implementation yet"
- Revert "UBUNTU: SAUCE: arm64: no gmb() implementation yet"
- Revert "UBUNTU: SAUCE: x86/kvm: Fix stuff_RSB() for 32-bit"
- Revert "UBUNTU: SAUCE: x86/cpu/AMD: Remove now unused definition of
MFENCE_RDTSC feature"
- Revert "UBUNTU: SAUCE: x86/cpu/AMD: Make the LFENCE instruction serialized"
- Revert "UBUNTU: SAUCE: x86/svm: Add code to clobber the RSB on VM exit"
- Revert "UBUNTU: SAUCE: KVM: x86: Add speculative control CPUID support for
guests"
- Revert "UBUNTU: SAUCE: x86/svm: Set IBPB when running a different VCPU"
- Revert "UBUNTU: SAUCE: x86/svm: Set IBRS value on VM entry and exit"
- Revert "UBUNTU: SAUCE: KVM: SVM: Do not intercept new speculative control
MSRs"
- Revert "UBUNTU: SAUCE: x86/microcode: Extend post microcode reload to
support IBPB feature"
- Revert "UBUNTU: SAUCE: x86/cpu/AMD: Add speculative control support for AMD"
- Revert "UBUNTU: SAUCE: x86/entry: Use retpoline for syscall's indirect
calls"
- Revert "UBUNTU: SAUCE: x86/spec_ctrl: Add lock to serialize changes to ibrs
and ibpb control"
- Revert "UBUNTU: SAUCE: x86/spec_ctrl: Add sysctl knobs to enable/disable
SPEC_CTRL feature"
- Revert "UBUNTU: SAUCE: x86/kvm: Pad RSB on VM transition"
- Revert "UBUNTU: SAUCE: x86/kvm: Toggle IBRS on VM entry and exit"
- Revert "UBUNTU: SAUCE: x86/kvm: Set IBPB when switching VM"
- Revert "UBUNTU: SAUCE: x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD
to kvm"
- Revert "UBUNTU: SAUCE: x86/entry: Stuff RSB for entry to kernel for non-SMEP
platform"
- Revert "UBUNTU: SAUCE: x86/mm: Only set IBPB when the new thread cannot
ptrace current thread"
- Revert "UBUNTU: SAUCE: x86/mm: Set IBPB upon context switch"
- Revert "UBUNTU: SAUCE: x86/idle: Disable IBRS when offlining cpu and re-
enable on wakeup"
- Revert "UBUNTU: SAUCE: x86/idle: Disable IBRS entering idle and enable it on
wakeup"
- Revert "UBUNTU: SAUCE: x86/enter: Use IBRS on syscall and interrupts"
- Revert "UBUNTU: SAUCE: x86/enter: MACROS to set/clear IBRS and set IBPB"
- Revert "UBUNTU: SAUCE: x86/feature: Report presence of IBPB and IBRS
control"
- Revert "UBUNTU: SAUCE: x86/feature: Enable the x86 feature to control
Speculation"
- Revert "UBUNTU: SAUCE: udf: prevent speculative execution"
- Revert "UBUNTU: SAUCE: fs: prevent speculative execution"
- Revert "UBUNTU: SAUCE: userns: prevent speculative execution"
- Revert "UBUNTU: SAUCE: cw1200: prevent speculative execution"
- Revert "UBUNTU: SAUCE: qla2xxx: prevent speculative execution"
- Revert "UBUNTU: SAUCE: p54: prevent speculative execution"
- Revert "UBUNTU: SAUCE: carl9170: prevent speculative execution"
- Revert "UBUNTU: SAUCE: uvcvideo: prevent speculative execution"
- Revert "UBUNTU: SAUCE: locking/barriers: introduce new memory barrier gmb()"
- Revert "kvm: vmx: Scrub hardware GPRs at VM-exit"
- Revert "x86/cpuid: Provide get_scattered_cpuid_leaf()"
- Revert "x86: Add another set of MSR accessor functions"
- Revert "x86, microcode: Share native MSR accessing variants"