ACK/Cmnt: [SRU][Cosmic][PULL+follow-up] Update speculation side-channel mitigations

Tyler Hicks tyhicks at canonical.com
Wed Mar 27 18:34:49 UTC 2019


On 2019-03-27 12:35:53, Stefan Bader wrote:
> On 25.03.19 05:57, Tyler Hicks wrote:
> > Update the speculation side-channel mitigations to match recent upstream
> > changes in order to get userspace to userspace protections for Spectre Variant
> > 2. In addition to modernizing our mitigations for Spectre Variant 2, this pull
> > request fixes a considerable performance regression in Cosmic introduced in
> > 4.18.0-14.15 due to pulling in the final linux-stable 4.18.y release. It contained
> > upstream commit 53c613fe6349 ("x86/speculation: Enable cross-hyperthread
> > spectre v2 STIBP mitigation") which unconditionally enabled Single Thread
> > Indirect Branch Predictors (STIBP) mode.
> > 
> > STIBP mode will be used conditionally. It will not be used on non-SMT systems.
> > It will be used on SMT systems to protect processes that have seccomp filters
> > loaded or processes that have used prctl() and the newly defined
> > PR_SPEC_INDIRECT_BRANCH argument to opt into STIBP protection.
> > 
> > Indirect Branch Prediction Barrier (IBPB) will also be used conditionally when
> > switching between different userspace tasks and one of the tasks has a
> > seccomp filter loaded or has used prctl() to opt into protection.
> > 
> > I've tested these patches on an SMT system that I've been using for several
> > days without any issues. I've also run the x86 selftests. Additionally, I
> > verified that loading a seccomp filter and/or opting into the mitigations via
> > prctl() correctly enables STIBP mode on the SMT system. Finally, I verified
> > that the dmesg and /sys/devices/system/cpu/vulnerabilities/* files report the
> > correct status when using the "nospectre_v2", "spectre_v2=off",
> > "spectre_v2_user=seccomp,ibpb", "spectre_v2_user=on", and
> > "spectre_v2_user=off" kernel command line options.
> > 
> > All but two of the patches were clean cherry-picks. The two that required
> > backporting were simple backports. These patches have all been applied to
> > various linux-stable trees.
> > 
> > The following changes since commit fc64292e63e0272f049bcaf2184d3b9a4c8c0dbd:
> > 
> >   UBUNTU: Ubuntu-4.18.0-17.18 (2019-03-13 12:52:13 +0100)
> > 
> > are available in the git repository at:
> > 
> >   https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/cosmic speculation
> > 
> > for you to fetch changes up to acae9df78c6acaf90b522a51a94d067c752d37df:
> > 
> >   x86/speculation: Provide IBPB always command line options (2019-03-15 12:00:52 +0000)
> > 
> > ----------------------------------------------------------------
> > Jiri Kosina (2):
> >       x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
> >       x86/speculation: Propagate information about RSB filling mitigation to sysfs
> > 
> > Peter Zijlstra (Intel) (1):
> >       sched/smt: Make sched_smt_present track topology
> > 
> > Thomas Gleixner (21):
> >       x86/speculation: Rename SSBD update functions
> >       x86/Kconfig: Select SCHED_SMT if SMP enabled
> >       sched/smt: Expose sched_smt_present static key
> >       x86/speculation: Rework SMT state change
> >       x86/l1tf: Show actual SMT state
> >       x86/speculation: Reorder the spec_v2 code
> >       x86/speculation: Mark string arrays const correctly
> >       x86/speculataion: Mark command line parser data __initdata
> >       x86/speculation: Unify conditional spectre v2 print functions
> >       x86/speculation: Add command line control for indirect branch speculation
> >       x86/process: Consolidate and simplify switch_to_xtra() code
> >       x86/speculation: Avoid __switch_to_xtra() calls
> >       x86/speculation: Prepare for conditional IBPB in switch_mm()
> >       ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS
> >       x86/speculation: Split out TIF update
> >       x86/speculation: Prevent stale SPEC_CTRL msr content
> >       x86/speculation: Prepare arch_smt_update() for PRCTL mode
> >       x86/speculation: Add prctl() control for indirect branch speculation
> >       x86/speculation: Enable prctl mode for spectre_v2_user
> >       x86/speculation: Add seccomp Spectre v2 user space protection mode
> >       x86/speculation: Provide IBPB always command line options
> > 
> > Tim Chen (7):
> >       x86/speculation: Update the TIF_SSBD comment
> >       x86/speculation: Clean up spectre_v2_parse_cmdline()
> >       x86/speculation: Remove unnecessary ret variable in cpu_show_common()
> >       x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common()
> >       x86/speculation: Disable STIBP when enhanced IBRS is in use
> >       x86/speculation: Reorganize speculation control MSRs update
> >       x86/speculation: Prepare for per task indirect branch speculation control
> > 
> > Zhenzhong Duan (3):
> >       x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC variant
> >       x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support
> >       x86/retpoline: Remove minimal retpoline support
> > 
> >  Documentation/admin-guide/kernel-parameters.txt |  56 ++-
> >  Documentation/userspace-api/spec_ctrl.rst       |   9 +
> >  arch/x86/Kconfig                                |  12 +-
> >  arch/x86/Makefile                               |   5 +-
> >  arch/x86/include/asm/msr-index.h                |   5 +-
> >  arch/x86/include/asm/nospec-branch.h            |  43 +-
> >  arch/x86/include/asm/spec-ctrl.h                |  20 +-
> >  arch/x86/include/asm/switch_to.h                |   3 -
> >  arch/x86/include/asm/thread_info.h              |  20 +-
> >  arch/x86/include/asm/tlbflush.h                 |   8 +-
> >  arch/x86/kernel/cpu/bugs.c                      | 526 ++++++++++++++++++------
> >  arch/x86/kernel/process.c                       | 101 ++++-
> >  arch/x86/kernel/process.h                       |  39 ++
> >  arch/x86/kernel/process_32.c                    |  10 +-
> >  arch/x86/kernel/process_64.c                    |  10 +-
> >  arch/x86/mm/tlb.c                               | 115 ++++--
> >  include/linux/ptrace.h                          |   4 +-
> >  include/linux/sched.h                           |   9 +
> >  include/linux/sched/smt.h                       |  20 +
> >  include/uapi/linux/prctl.h                      |   1 +
> >  kernel/cpu.c                                    |  15 +-
> >  kernel/sched/core.c                             |  19 +-
> >  kernel/sched/sched.h                            |   4 +-
> >  scripts/Makefile.build                          |   2 -
> >  tools/include/uapi/linux/prctl.h                |   1 +
> >  25 files changed, 801 insertions(+), 256 deletions(-)
> >  create mode 100644 arch/x86/kernel/process.h
> >  create mode 100644 include/linux/sched/smt.h
> > 
> > 
> All patches seem to fall into the expected range of things. Since it does
> change some config options, should there be a related updateconfigs change in
> the series?

There were no changes to the config options. There were changes to how
the in-code ifdef's referred to retpoline. Instead of using RETPOLINE,
they're now using CONFIG_RETPOLINE but the kernel config option itself
remained the same. Therefore, no updateconfigs changes are necessary.

> I can see this being wanted, unfortunately this will be hardly
> testable due to the dependencies to HW support and 32/64 bit
> specialties. But at least Cosmic (and I think there was a Bionic port)
> should be a bit more future proof. So
> 
> Acked-by: Stefan Bader <stefan.bader at canonical.com>
> [includes the 4 additional patches]

Thanks for the review!

Tyler
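
The prctl() opt-in described in the pull request above, as an added example that is not part of the original message or of the patch series: it queries the task's indirect branch speculation state, opts in when per-task control is offered, and reads the state back. The helper names task_is_protected(), task_can_opt_in() and get_ib_state() are this example's own; the PR_* constants are those of include/uapi/linux/prctl.h.

```c
#include <stdio.h>
#include <sys/prctl.h>

/* Values from include/uapi/linux/prctl.h, for hosts with older headers. */
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_NOT_AFFECTED 0
#define PR_SPEC_PRCTL (1UL << 0)
#define PR_SPEC_ENABLE (1UL << 1)
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

/* Hypothetical helper: decode a PR_GET_SPECULATION_CTRL result. 1 = speculation
 * restricted for the task, 0 = not restricted or CPU not affected, -1 = error. */
int task_is_protected(long ret)
{
    if (ret < 0)
        return -1;
    return (ret & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) ? 1 : 0;
}

/* Hypothetical helper: per-task control is usable only when PR_SPEC_PRCTL is
 * reported and the state is not locked with PR_SPEC_FORCE_DISABLE. */
int task_can_opt_in(long ret)
{
    return ret > 0 && (ret & PR_SPEC_PRCTL) && !(ret & PR_SPEC_FORCE_DISABLE);
}

long get_ib_state(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
}

int main(void)
{
    long st = get_ib_state();
    printf("before: %ld protected=%d\n", st, task_is_protected(st));
    /* PR_SPEC_DISABLE disables the speculation, i.e. turns the mitigation on. */
    if (task_can_opt_in(st) && prctl(PR_SET_SPECULATION_CTRL,
            PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0) < 0)
        perror("PR_SET_SPECULATION_CTRL");
    st = get_ib_state();
    printf("after:  %ld protected=%d\n", st, task_is_protected(st));
    return 0;
}
```

A result without PR_SPEC_PRCTL means the boot-time policy decides for every task, so the program leaves the state alone in that case.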


