This is a mitigation for the 'variant 2' attack described in https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
Using GCC patches available from the hjl/indirect/gcc-7-branch/master branch of https://github.com/hjl-tools/gcc/commits/hjl and by manually patching assembler code, all vulnerable indirect branches (that occur after userspace first runs) are eliminated from the kernel. They are replaced with a 'retpoline' call sequence which deliberately prevents speculation. Fedora 27 packages of the updated compiler are available at https://koji.fedoraproject.org/koji/taskinfo?taskID=24065739 v1: Initial post. v2: Add CONFIG_RETPOLINE to build kernel without it. Change warning messages. Hide modpost warning message v3: Update to the latest CET-capable retpoline version Reinstate ALTERNATIVE support v4: Finish reconciling Andi's and my patch sets, bug fixes. Exclude objtool support for now Add 'noretpoline' boot option Add AMD retpoline alternative v5: Silence MODVERSIONS warnings Use pause;jmp loop instead of lfence;jmp Switch to X86_FEATURE_RETPOLINE positive feature logic Emit thunks inline from assembler macros Merge AMD support into initial patch v6: Update to latest GCC patches with no dots in symbols Fix MODVERSIONS properly(ish) Fix typo breaking 32-bit, introduced in V5 Never set X86_FEATURE_RETPOLINE_AMD yet, pending confirmation Andi Kleen (3): x86/retpoline/irq32: Convert assembler indirect jumps x86/retpoline: Add boot time option to disable retpoline x86/retpoline: Exclude objtool with retpoline David Woodhouse (7): x86/retpoline: Add initial retpoline support x86/retpoline/crypto: Convert crypto assembler indirect jumps x86/retpoline/entry: Convert entry assembler indirect jumps x86/retpoline/ftrace: Convert ftrace assembler indirect jumps x86/retpoline/hyperv: Convert assembler indirect jumps x86/retpoline/xen: Convert Xen hypercall indirect jumps x86/retpoline/checksum32: Convert assembler indirect jumps Documentation/admin-guide/kernel-parameters.txt | 3 + arch/x86/Kconfig | 17 ++++- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 +++ arch/x86/crypto/aesni-intel_asm.S | 5 +- arch/x86/crypto/camellia-aesni-avx-asm_64.S | 3 +- arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 3 +- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 3 +- arch/x86/entry/entry_32.S | 5 +- arch/x86/entry/entry_64.S | 12 +++- arch/x86/include/asm/asm-prototypes.h | 25 +++++++ arch/x86/include/asm/cpufeatures.h | 2 + arch/x86/include/asm/mshyperv.h | 18 ++--- arch/x86/include/asm/nospec-branch.h | 92 +++++++++++++++++++++++++ arch/x86/include/asm/xen/hypercall.h | 5 +- arch/x86/kernel/cpu/common.c | 3 + arch/x86/kernel/cpu/intel.c | 11 +++ arch/x86/kernel/ftrace_32.S | 6 +- arch/x86/kernel/ftrace_64.S | 8 +-- arch/x86/kernel/irq_32.c | 9 +-- arch/x86/lib/Makefile | 1 + arch/x86/lib/checksum_32.S | 7 +- arch/x86/lib/retpoline.S | 48 +++++++++++++ 23 files changed, 264 insertions(+), 38 deletions(-) create mode 100644 arch/x86/include/asm/nospec-branch.h create mode 100644 arch/x86/lib/retpoline.S -- 2.7.4
