ACK: [N/U][PATCH 00/11] Apply mitigations for the native BHI hardware vulnerability

Stefan Bader stefan.bader at canonical.com
Thu Apr 11 09:22:45 UTC 2024


On 11.04.24 08:24, Andrea Righi wrote:
> BugLink: https://bugs.launchpad.net/bugs/2060909
> 
> [Impact]
> 
> Branch History Injection (BHI) attacks may allow a malicious application
> to influence indirect branch prediction in kernel by poisoning the
> branch history. eIBRS isolates indirect branch targets in ring0.
> 
> The BHB can still influence the choice of indirect branch predictor
> entry, and although branch predictor entries are isolated between modes
> when eIBRS is enabled, the BHB itself is not isolated between modes.
> 
> Previously the only known real-world BHB attack vector was via
> unprivileged eBPF. Further research has found attacks that don't require
> unprivileged eBPF.
> 
> See also:
> https://www.phoronix.com/news/Linux-BHI-Branch-History-Inject
> 
> [Test case]
> 
> https://www.vusec.net/projects/native-bhi/
> 
> [Fix]
> 
> Backport from upstream the merge that introduces spectre_bhi= boot
> option to control BHI mitigation:
> 
>   2bb69f5fc721 ("Merge tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
>   ed2e8d49b54d ("KVM: x86: Add BHI_NO")
>   95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
>   ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
>   be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
>   0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
>   7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
>   1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
>   0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file")
> 
> Also set spectre_bhi=auto by default, that will rely on the BHI_DIS_S
> hardware control if it's available on the system CPUs, otherwise a
> proper software sequence will be executed at VMexit.
> 
> NOTE: we may get these changes via stable update in 6.8, when that
> happens we can drop this backport and apply the patch set like any other
> regular stable update.
> 
> [Regression potential]
> 
> We may experience performance regressions with this new mitigation
> enabled, especially in VMs and CPUs that don't have the BHI hardware
> support capability (due to the extra software sequence executed at
> VMexit).
> 
> ----------------------------------------------------------------
> Andrea Righi (1):
>        UBUNTU: [Config] enable spectre_bhi=auto by default
> 
> Daniel Sneddon (2):
>        x86/bhi: Define SPEC_CTRL_BHI_DIS_S
>        KVM: x86: Add BHI_NO
> 
> Josh Poimboeuf (1):
>        x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
> 
> Linus Torvalds (1):
>        x86/syscall: Don't force use of indirect calls for system calls
> 
> Pawan Gupta (4):
>        x86/bhi: Add support for clearing branch history at syscall entry
>        x86/bhi: Enumerate Branch History Injection (BHI) bug
>        x86/bhi: Add BHI mitigation knob
>        x86/bhi: Mitigate KVM by default
> 
> Sandipan Das (2):
>        x86/cpufeatures: Add new word for scattered features
>        perf/x86/amd/lbr: Use freeze based on availability
> 
>   Documentation/admin-guide/hw-vuln/spectre.rst   |  48 ++++++++++++++++++++++++++++----
>   Documentation/admin-guide/kernel-parameters.txt |  12 ++++++++
>   arch/x86/Kconfig                                |  25 +++++++++++++++++
>   arch/x86/entry/common.c                         |  10 +++----
>   arch/x86/entry/entry_64.S                       |  61 +++++++++++++++++++++++++++++++++++++++++
>   arch/x86/entry/entry_64_compat.S                |  16 +++++++++++
>   arch/x86/entry/syscall_32.c                     |  21 ++++++++++++--
>   arch/x86/entry/syscall_64.c                     |  19 +++++++++++--
>   arch/x86/entry/syscall_x32.c                    |  10 +++++--
>   arch/x86/events/amd/core.c                      |   4 +--
>   arch/x86/events/amd/lbr.c                       |  16 +++++++----
>   arch/x86/include/asm/cpufeature.h               |   6 ++--
>   arch/x86/include/asm/cpufeatures.h              |  15 +++++++++-
>   arch/x86/include/asm/disabled-features.h        |   3 +-
>   arch/x86/include/asm/msr-index.h                |   9 +++++-
>   arch/x86/include/asm/nospec-branch.h            |  17 ++++++++++++
>   arch/x86/include/asm/required-features.h        |   3 +-
>   arch/x86/include/asm/syscall.h                  |  11 ++++----
>   arch/x86/kernel/cpu/bugs.c                      | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------
>   arch/x86/kernel/cpu/common.c                    |  24 ++++++++++------
>   arch/x86/kernel/cpu/scattered.c                 |   2 ++
>   arch/x86/kvm/reverse_cpuid.h                    |   3 +-
>   arch/x86/kvm/vmx/vmenter.S                      |   2 ++
>   arch/x86/kvm/x86.c                              |   2 +-
>   debian.master/config/annotations                |   3 ++
>   25 files changed, 402 insertions(+), 61 deletions(-)


Acked-by: Stefan Bader <stefan.bader at canonical.com>
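The cover letter above refers to the spectre_bhi= boot option and to the 'spectre_v2' sysfs file whose fields the series changes to semicolon separators. The following is an added shell example for checking a running system, not code from this thread or from the kernel tree; it assumes the file holds ';'-separated fields, one of them "BHI: <state>", and the state spellings it classifies (BHI_DIS_S, SW loop, Vulnerable, Not affected) are assumptions; the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the patch series): read the BHI field of the
# spectre_v2 sysfs file and the spectre_bhi= boot parameter and classify
# the mitigation in effect. Assumed format: after the backported
# "commas to semicolons" change the file holds ';'-separated fields,
# one of them "BHI: <state>"; the state spellings below are assumptions.
SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2
CMDLINE_FILE=/proc/cmdline

# Print the value of the "BHI:" field of one status line, or "absent".
bhi_state() {
    state=$(printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^ *BHI: *//p' | head -n 1)
    if [ -n "$state" ]; then printf '%s\n' "$state"; else echo absent; fi
}

# Classify a BHI state: hardware (BHI_DIS_S control), software (clearing
# sequence at syscall entry / VMexit), vulnerable, not-affected, or unknown.
bhi_class() {
    case "$1" in
        BHI_DIS_S)      echo hardware ;;
        "SW loop"*)     echo software ;;
        Vulnerable*)    echo vulnerable ;;
        "Not affected") echo not-affected ;;
        *)              echo unknown ;;
    esac
}

# Print the value given to spectre_bhi= on a kernel command line, or "unset"
# (the series' config change makes the unset case default to auto).
bhi_cmdline() {
    for tok in $1; do
        case "$tok" in
            spectre_bhi=*) printf '%s\n' "${tok#spectre_bhi=}"; return 0 ;;
        esac
    done
    echo unset
}

# One-line report: "<cmdline value>|<BHI state>|<class>".
bhi_report() {
    state=$(bhi_state "$1")
    printf '%s|%s|%s\n' "$(bhi_cmdline "$2")" "$state" "$(bhi_class "$state")"
}

# Stand-alone use: report on the running kernel when both files are readable.
if [ -r "$SPECTRE_V2_FILE" ] && [ -r "$CMDLINE_FILE" ]; then
    bhi_report "$(cat "$SPECTRE_V2_FILE")" "$(cat "$CMDLINE_FILE")"
fi
```

A result of "vulnerable" or "unknown" on a CPU that reports the BHI bug is the signal to check whether the kernel carries this series and how spectre_bhi= is set.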