current/SOURCES/x86-speculation-warn-about-eibrs-lfence-unprivileged-ebpf-smt.patch

From foo@baz Tue Mar  8 07:37:56 PM CET 2022
From: Josh Poimboeuf <jpoimboe@redhat.com>
Date: Fri, 25 Feb 2022 14:32:28 -0800
Subject: x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT

From: Josh Poimboeuf <jpoimboe@redhat.com>

commit 0de05d056afdb00eca8c7bbb0c79a3438daf700c upstream.

The commit

   44a3918c8245 ("x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting")

added a warning for the "eIBRS + unprivileged eBPF" combination, which
has been shown to be vulnerable against Spectre v2 BHB-based attacks.

However, there's no warning about the "eIBRS + LFENCE retpoline +
unprivileged eBPF" combo. The LFENCE adds more protection by shortening
the speculation window after a mispredicted branch. That makes an attack
significantly more difficult, even with unprivileged eBPF. So at least
for now the logic doesn't warn about that combination.

But if you then add SMT into the mix, the SMT attack angle weakens the
effectiveness of the LFENCE considerably.

So extend the "eIBRS + unprivileged eBPF" warning to also include the
"eIBRS + LFENCE + unprivileged eBPF + SMT" case.

  [ bp: Massage commit message. ]

Suggested-by: Alyssa Milburn <alyssa.milburn@linux.intel.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/bugs.c |   27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -653,12 +653,27 @@ static inline const char *spectre_v2_mod
 
 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
 #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
+#define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
 
 #ifdef CONFIG_BPF_SYSCALL
 void unpriv_ebpf_notify(int new_state)
 {
-       if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state)
+       if (new_state)
+               return;
+
+       /* Unprivileged eBPF is enabled */
+
+       switch (spectre_v2_enabled) {
+       case SPECTRE_V2_EIBRS:
                pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
+               break;
+       case SPECTRE_V2_EIBRS_LFENCE:
+               if (sched_smt_active())
+                       pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
+               break;
+       default:
+               break;
+       }
 }
 #endif
 
@@ -1118,6 +1133,10 @@ void cpu_bugs_smt_update(void)
 {
        mutex_lock(&spec_ctrl_mutex);
 
+       if (sched_smt_active() && unprivileged_ebpf_enabled() &&
+           spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
+               pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
+
        switch (spectre_v2_user_stibp) {
        case SPECTRE_V2_USER_NONE:
                break;
@@ -1793,7 +1812,11 @@ static ssize_t spectre_v2_show_state(cha
                return sprintf(buf, "Vulnerable: LFENCE\n");
 
        if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
-               return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
+               return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
+
+       if (sched_smt_active() && unprivileged_ebpf_enabled() &&
+           spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
+               return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
 
        return sprintf(buf, "%s%s%s%s%s%s\n",
                       spectre_v2_strings[spectre_v2_enabled],
1	From foo@baz Tue Mar 8 07:37:56 PM CET 2022
2	From: Josh Poimboeuf <jpoimboe@redhat.com>
3	Date: Fri, 25 Feb 2022 14:32:28 -0800
4	Subject: x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT
5
6	From: Josh Poimboeuf <jpoimboe@redhat.com>
7
8	commit 0de05d056afdb00eca8c7bbb0c79a3438daf700c upstream.
9
10	The commit
11
12	44a3918c8245 ("x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting")
13
14	added a warning for the "eIBRS + unprivileged eBPF" combination, which
15	has been shown to be vulnerable against Spectre v2 BHB-based attacks.
16
17	However, there's no warning about the "eIBRS + LFENCE retpoline +
18	unprivileged eBPF" combo. The LFENCE adds more protection by shortening
19	the speculation window after a mispredicted branch. That makes an attack
20	significantly more difficult, even with unprivileged eBPF. So at least
21	for now the logic doesn't warn about that combination.
22
23	But if you then add SMT into the mix, the SMT attack angle weakens the
24	effectiveness of the LFENCE considerably.
25
26	So extend the "eIBRS + unprivileged eBPF" warning to also include the
27	"eIBRS + LFENCE + unprivileged eBPF + SMT" case.
28
29	[ bp: Massage commit message. ]
30
31	Suggested-by: Alyssa Milburn <alyssa.milburn@linux.intel.com>
32	Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
33	Signed-off-by: Borislav Petkov <bp@suse.de>
34	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
35	---
36	arch/x86/kernel/cpu/bugs.c \| 27 +++++++++++++++++++++++++--
37	1 file changed, 25 insertions(+), 2 deletions(-)
38
39	--- a/arch/x86/kernel/cpu/bugs.c
40	+++ b/arch/x86/kernel/cpu/bugs.c
41	@@ -653,12 +653,27 @@ static inline const char *spectre_v2_mod
42
43	#define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
44	#define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
45	+#define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
46
47	#ifdef CONFIG_BPF_SYSCALL
48	void unpriv_ebpf_notify(int new_state)
49	{
50	- if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state)
51	+ if (new_state)
52	+ return;
53	+
54	+ /* Unprivileged eBPF is enabled */
55	+
56	+ switch (spectre_v2_enabled) {
57	+ case SPECTRE_V2_EIBRS:
58	pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
59	+ break;
60	+ case SPECTRE_V2_EIBRS_LFENCE:
61	+ if (sched_smt_active())
62	+ pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
63	+ break;
64	+ default:
65	+ break;
66	+ }
67	}
68	#endif
69
70	@@ -1118,6 +1133,10 @@ void cpu_bugs_smt_update(void)
71	{
72	mutex_lock(&spec_ctrl_mutex);
73
74	+ if (sched_smt_active() && unprivileged_ebpf_enabled() &&
75	+ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
76	+ pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
77	+
78	switch (spectre_v2_user_stibp) {
79	case SPECTRE_V2_USER_NONE:
80	break;
81	@@ -1793,7 +1812,11 @@ static ssize_t spectre_v2_show_state(cha
82	return sprintf(buf, "Vulnerable: LFENCE\n");
83
84	if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
85	- return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
86	+ return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
87	+
88	+ if (sched_smt_active() && unprivileged_ebpf_enabled() &&
89	+ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
90	+ return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
91
92	return sprintf(buf, "%s%s%s%s%s%s\n",
93	spectre_v2_strings[spectre_v2_enabled],