NACK: [SRU][Trusty][Xenial][PATCH] Fix for LP:#1764956

Juerg Haefliger juerg.haefliger at canonical.com
Fri Nov 23 09:14:23 UTC 2018


Thanks for this Gavin!

I recognize the problem and as discussed yesterday, I need to
investigate some more. It seems we're missing a couple of patches to
make IBRS (and probably IBPB) passthrough work correctly. So rather than
patching this up I prefer to backport the relevant commits.

After taking a quick peek, it seems we're missing (or at least
partially) the following (from linux-stable):

fc00dde96099 KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
e5a83419c957 KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
755502f810c6 KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
7013129a4034 KVM/x86: Add IBPB support

And probably more plus whatever is needed for our runtime controls (from
your patch).

...Juerg


On Thu, 22 Nov 2018 22:09:31 +0800
Gavin Guo <gavin.guo at canonical.com> wrote:

> BugLink: https://launchpad.net/bugs/1764956
> 
> [Impact]
> The IBRS would be mistakenly enabled in the host when switching
> from an IBRS-enabled VM, and that causes the performance overhead in
> the host. The other condition could also mistakenly disable the IBRS
> in the VM when context-switching from the host. And this could be
> considered a CVE host.
> 
> [Fix]
> The patch fixes the logic inside x86_virt_spec_ctrl so that it checks
> ibrs_enabled and ORs the hostval with SPEC_CTRL_IBRS, as
> x86_spec_ctrl_base is zero by default. This is because the upstream
> implementation is not equal to Xenial's implementation: upstream
> doesn't use IBRS as the formal fix, so by default it's zero.
> 
> On the other hand, after the VM exit, the SPEC_CTRL register also
> needs to be saved manually by reading the SPEC_CTRL MSR as the MSR
> intercept is disabled by default in the hardware_setup(v4.4) and
> vmx_init(v3.13). The access to SPEC_CTRL MSR in VM is direct and
> doesn't trigger a trap. So, the vmx_set_msr() function isn't called.
> 
> The v3.13 kernel hasn't been tested. However, the patch can be viewed
> at:
> http://kernel.ubuntu.com/git/gavinguo/ubuntu-trusty-amd64.git/log/?h=sf00191076-sru
> 
> The v4.4 patch:
> http://kernel.ubuntu.com/git/gavinguo/ubuntu-xenial.git/log/?h=sf00191076-spectre-v2-regres-backport-juerg
> 
> [Test]
> 
> The patch has been tested on the 4.4.0-140.166 and works fine.
> 
> The reproducing environment:
> Guest kernel version: 4.4.0-138.164
> Host kernel version: 4.4.0-140.166
> 
> (host IBRS, guest IBRS)
> 
> - 1). (0, 1).
> The case can be reproduced by the following instructions:
> guest$ echo 1 | sudo tee /proc/sys/kernel/ibrs_enabled
> 1
> 
> <Several minutes later...>
> 
> host$ cat /proc/sys/kernel/ibrs_enabled
> 0
> host$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
> 11111111111111000000000000000000010010100000000000000000
> 
> Some of the IBRS bit inside the SPEC_CTRL MSR are mistakenly
> enabled.
> 
> host$ taskset -c 5 stress-ng -c 1 --cpu-ops 2500
> stress-ng: info:  [11264] defaulting to a 86400 second run per stressor
> stress-ng: info:  [11264] dispatching hogs: 1 cpu
> stress-ng: info:  [11264] cache allocate: default cache size: 35840K
> stress-ng: info:  [11264] successful run completed in 33.48s
> 
> The host kernel didn't notice that the IBRS bit is enabled. So the
> situation is the same as "echo 2 > /proc/sys/kernel/ibrs_enabled" in
> the host. And running stress-ng is a pure userspace CPU
> calculation, so the performance degrades to about 1/3. Without
> IBRS enabled, it needs about 10s.
> 
> - 2). (1, 1), disabling IBRS in the host -> (0, 1); actually it becomes (0,
> 0). The guest IBRS has been mistakenly disabled.
> 
> guest$ echo 2 | sudo tee /proc/sys/kernel/ibrs_enabled
> guest$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
> 11111111111111111111111111111111111111111111111111111111
> 
> host$ echo 2 | sudo tee /proc/sys/kernel/ibrs_enabled
> host$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
> 11111111111111111111111111111111111111111111111111111111
> host$ echo 0 | sudo tee /proc/sys/kernel/ibrs_enabled
> host$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
> 00000000000000000000000000000000000000000000000000000000
> 
> guest$ for i in {0..55}; do sudo rdmsr 0x48 -p $i; done
> 00000000000000000000000000000000000000000000000000000000
> 
> Gavin Guo (1):
>   UBUNTU: SAUCE: x86/speculation: Fix the IBRS synchronization
> 
>  arch/x86/kernel/cpu/bugs.c |  7 +++++++
>  arch/x86/kvm/vmx.c         | 37 +++++++++++++++++++++++++++++++++++++
>  2 files changed, 44 insertions(+)
> 
