From foo@baz Tue Mar 8 07:37:56 PM CET 2022 |
From: Josh Poimboeuf <jpoimboe@redhat.com> |
Date: Fri, 25 Feb 2022 14:32:28 -0800 |
Subject: x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT |
|
From: Josh Poimboeuf <jpoimboe@redhat.com> |
|
commit 0de05d056afdb00eca8c7bbb0c79a3438daf700c upstream. |
|
The commit |
|
44a3918c8245 ("x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting") |
|
added a warning for the "eIBRS + unprivileged eBPF" combination, which |
has been shown to be vulnerable against Spectre v2 BHB-based attacks. |
|
However, there's no warning about the "eIBRS + LFENCE retpoline + |
unprivileged eBPF" combo. The LFENCE adds more protection by shortening |
the speculation window after a mispredicted branch. That makes an attack |
significantly more difficult, even with unprivileged eBPF. So at least |
for now the logic doesn't warn about that combination. |
|
But if you then add SMT into the mix, the SMT attack angle weakens the |
effectiveness of the LFENCE considerably. |
|
So extend the "eIBRS + unprivileged eBPF" warning to also include the |
"eIBRS + LFENCE + unprivileged eBPF + SMT" case. |
|
[ bp: Massage commit message. ] |
|
Suggested-by: Alyssa Milburn <alyssa.milburn@linux.intel.com> |
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> |
Signed-off-by: Borislav Petkov <bp@suse.de> |
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
--- |
arch/x86/kernel/cpu/bugs.c | 27 +++++++++++++++++++++++++-- |
1 file changed, 25 insertions(+), 2 deletions(-) |
|
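--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -653,12 +653,27 @@ static inline const char *spectre_v2_mod
 
 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
 #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
+#define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
 
 #ifdef CONFIG_BPF_SYSCALL
 void unpriv_ebpf_notify(int new_state)
 {
- if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state)
+ if (new_state)
+ return;
+
+ /* Unprivileged eBPF is enabled */
+
+ switch (spectre_v2_enabled) {
+ case SPECTRE_V2_EIBRS:
 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
+ break;
+ case SPECTRE_V2_EIBRS_LFENCE:
+ if (sched_smt_active())
+ pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
+ break;
+ default:
+ break;
+ }
 }
 #endif
 
@@ -1118,6 +1133,10 @@ void cpu_bugs_smt_update(void)
 {
 mutex_lock(&spec_ctrl_mutex);
 
+ if (sched_smt_active() && unprivileged_ebpf_enabled() &&
+ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
+ pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
+
 switch (spectre_v2_user_stibp) {
 case SPECTRE_V2_USER_NONE:
 break;
@@ -1793,7 +1812,11 @@ static ssize_t spectre_v2_show_state(cha
 return sprintf(buf, "Vulnerable: LFENCE\n");
 
 if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
- return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
+ return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
+
+ if (sched_smt_active() && unprivileged_ebpf_enabled() &&
+ spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
+ return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
 
 return sprintf(buf, "%s%s%s%s%s%s\n",
 spectre_v2_strings[spectre_v2_enabled],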
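Review bot: The same SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG is logged with `pr_err()` in unpriv_ebpf_notify() but with `pr_warn_once()` in the cpu_bugs_smt_update() hunk, so the severity an operator sees depends on which setting changed, and the SMT path stays silent if the vulnerable combination is re-entered after the first report. If the once-only behaviour is deliberate (presumably to avoid log noise on repeated SMT updates), a short comment above the `pr_warn_once()` call would record that, e.g. `/* Reported once; spectre_v2_show_state() always reflects the current state. */`. Monitoring should therefore rely on the string returned by spectre_v2_show_state() rather than on these kernel log lines. The last hunk also rewords the existing eIBRS line from "Vulnerable: Unprivileged eBPF enabled" to "Vulnerable: eIBRS with unprivileged eBPF", so any check that matches the old text exactly needs updating; matching on the "Vulnerable" prefix is more robust. The bodies of cpu_bugs_smt_update() and spectre_v2_show_state() continue outside the hunks shown.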