NACK: [N/U][PATCH 00/11] Apply mitigations for the native BHI hardware vulnerability
Andrea Righi
andrea.righi at canonical.com
Fri Apr 12 10:26:28 UTC 2024
We have applied the fixes directly from stable (cherry picked).
So, we can drop this one.
-Andrea
On Thu, Apr 11, 2024 at 11:22:45AM +0200, Stefan Bader wrote:
> On 11.04.24 08:24, Andrea Righi wrote:
> > BugLink: https://bugs.launchpad.net/bugs/2060909
> >
> > [Impact]
> >
> > Branch History Injection (BHI) attacks may allow a malicious application
> > to influence indirect branch prediction in kernel by poisoning the
> > branch history. eIBRS isolates indirect branch targets in ring0.
> >
> > The BHB can still influence the choice of indirect branch predictor
> > entry, and although branch predictor entries are isolated between modes
> > when eIBRS is enabled, the BHB itself is not isolated between modes.
> >
> > Previously the only known real-world BHB attack vector was via
> > unprivileged eBPF. Further research has found attacks that don't require
> > unprivileged eBPF.
> >
> > See also:
> > https://www.phoronix.com/news/Linux-BHI-Branch-History-Inject
> >
> > [Test case]
> >
> > https://www.vusec.net/projects/native-bhi/
> >
> > [Fix]
> >
> > Backport from upstream the merge that introduces spectre_bhi= boot
> > option to control BHI mitigation:
> >
> > 2bb69f5fc721 ("Merge tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
> > ed2e8d49b54d ("KVM: x86: Add BHI_NO")
> > 95a6ccbdc719 ("x86/bhi: Mitigate KVM by default")
> > ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
> > be482ff95009 ("x86/bhi: Enumerate Branch History Injection (BHI) bug")
> > 0f4a837615ff ("x86/bhi: Define SPEC_CTRL_BHI_DIS_S")
> > 7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
> > 1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
> > 0cd01ac5dcb1 ("x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file")
> >
> > Also set spectre_bhi=auto by default, that will rely on the BHI_DIS_S
> > hardware control if it's available on the system CPUs, otherwise a
> > proper software sequence will be executed at VMexit.
> >
> > NOTE: we may get these changes via stable update in 6.8, when that
> > happens we can drop this backport and apply the patch set like any other
> > regular stable update.
> >
> > [Regression potential]
> >
> > We may experience performance regressions with this new mitigation
> > enabled, especially in VMs and CPUs that don't have the BHI hardware
> > support capability (due to the extra software sequence executed at
> > VMexit).
> >
> > ----------------------------------------------------------------
> > Andrea Righi (1):
> > UBUNTU: [Config] enable spectre_bhi=auto by default
> >
> > Daniel Sneddon (2):
> > x86/bhi: Define SPEC_CTRL_BHI_DIS_S
> > KVM: x86: Add BHI_NO
> >
> > Josh Poimboeuf (1):
> > x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file
> >
> > Linus Torvalds (1):
> > x86/syscall: Don't force use of indirect calls for system calls
> >
> > Pawan Gupta (4):
> > x86/bhi: Add support for clearing branch history at syscall entry
> > x86/bhi: Enumerate Branch History Injection (BHI) bug
> > x86/bhi: Add BHI mitigation knob
> > x86/bhi: Mitigate KVM by default
> >
> > Sandipan Das (2):
> > x86/cpufeatures: Add new word for scattered features
> > perf/x86/amd/lbr: Use freeze based on availability
> >
> > Documentation/admin-guide/hw-vuln/spectre.rst | 48 ++++++++++++++++++++++++++++----
> > Documentation/admin-guide/kernel-parameters.txt | 12 ++++++++
> > arch/x86/Kconfig | 25 +++++++++++++++++
> > arch/x86/entry/common.c | 10 +++----
> > arch/x86/entry/entry_64.S | 61 +++++++++++++++++++++++++++++++++++++++++
> > arch/x86/entry/entry_64_compat.S | 16 +++++++++++
> > arch/x86/entry/syscall_32.c | 21 ++++++++++++--
> > arch/x86/entry/syscall_64.c | 19 +++++++++++--
> > arch/x86/entry/syscall_x32.c | 10 +++++--
> > arch/x86/events/amd/core.c | 4 +--
> > arch/x86/events/amd/lbr.c | 16 +++++++----
> > arch/x86/include/asm/cpufeature.h | 6 ++--
> > arch/x86/include/asm/cpufeatures.h | 15 +++++++++-
> > arch/x86/include/asm/disabled-features.h | 3 +-
> > arch/x86/include/asm/msr-index.h | 9 +++++-
> > arch/x86/include/asm/nospec-branch.h | 17 ++++++++++++
> > arch/x86/include/asm/required-features.h | 3 +-
> > arch/x86/include/asm/syscall.h | 11 ++++----
> > arch/x86/kernel/cpu/bugs.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------
> > arch/x86/kernel/cpu/common.c | 24 ++++++++++------
> > arch/x86/kernel/cpu/scattered.c | 2 ++
> > arch/x86/kvm/reverse_cpuid.h | 3 +-
> > arch/x86/kvm/vmx/vmenter.S | 2 ++
> > arch/x86/kvm/x86.c | 2 +-
> > debian.master/config/annotations | 3 ++
> > 25 files changed, 402 insertions(+), 61 deletions(-)
>
>
> Acked-by: Stefan Bader <stefan.bader at canonical.com>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
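The cover letter above describes the spectre_bhi= knob and the two mitigation paths (BHI_DIS_S in hardware, otherwise a software clearing sequence). The check below is an added example, not code from the thread or from the patch series: a POSIX sh helper that reads the spectre_v2 sysfs file and classifies the reported BHI state, which is how an administrator can verify which path the booted kernel actually took. It assumes the semicolon-separated layout introduced by "x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file" and the BHI field strings emitted by upstream arch/x86/kernel/cpu/bugs.c; the sample status lines embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the BHI mitigation state from the spectre_v2 sysfs
# line. Not part of the patch series; the field strings are assumed to match
# upstream bugs.c and the sample lines are constructed.

SYSFS_SPECTRE_V2=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Print the text after "BHI:" in a spectre_v2 status line, or "absent"
# when the kernel reports no BHI field at all (pre-BHI kernels).
bhi_field() {
    _l=$1
    # Fields are separated by ';' (post "commas to semicolons" change);
    # the BHI field itself may contain a comma ("SW loop, KVM: SW loop").
    _f=$(printf '%s\n' "$_l" | tr ';' '\n' \
         | sed -n 's/^[[:space:]]*BHI:[[:space:]]*//p' | head -n 1)
    if [ -z "$_f" ]; then
        echo absent
    else
        echo "$_f"
    fi
}

# Map the BHI field to a coarse class:
#   hardware     - BHI_DIS_S control in use
#   software     - clearing sequence at syscall entry / VMexit
#   retpoline    - retpoline with RRSBA disabled covers BHI
#   vulnerable   - affected but unmitigated (possibly only KVM covered)
#   not-affected - CPU not enumerated as affected
#   unknown      - kernel does not report BHI at all
bhi_class() {
    _f=$(bhi_field "$1")
    case "$_f" in
        absent)          echo unknown ;;
        BHI_DIS_S*)      echo hardware ;;
        "SW loop"*)      echo software ;;
        Retpoline*)      echo retpoline ;;
        Vulnerable*)     echo vulnerable ;;
        "Not affected"*) echo not-affected ;;
        *)               echo "other: $_f" ;;
    esac
}

# Use the live sysfs file when readable; otherwise fall back to a
# constructed sample so the script still demonstrates the parsing offline.
current_spectre_v2() {
    if [ -r "$SYSFS_SPECTRE_V2" ]; then
        cat "$SYSFS_SPECTRE_V2"
    else
        echo "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop"
    fi
}

status_line=$(current_spectre_v2)
echo "spectre_v2: $status_line"
echo "BHI mitigation class: $(bhi_class "$status_line")"
```

A "software" result on a machine whose CPU lacks BHI_DIS_S is the case the cover letter flags under [Regression potential]: the clearing sequence runs at syscall entry and at VMexit, so that is where to look if syscall-heavy or virtualised workloads slow down after the update. An "unknown" result means the running kernel predates these patches and cannot report BHI at all.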