[PATCH] x86/retpoline: Fill RSB on context switch for affected CPUs

2018-01-12 Thread David Woodhouse
lution for Skylake+ since there are many other conditions which may result in the RSB becoming empty. The full solution on Skylake+ is to use IBRS, which will prevent the problem even when the RSB becomes empty. With IBRS, the RSB-stuffing will not be required on context switch. Signed-off-by: Davi

[tip:x86/pti] x86/retpoline: Fill return stack buffer on vmexit

2018-01-12 Thread tip-bot for David Woodhouse
Commit-ID: 117cc7a908c83697b0b737d15ae1eb5943afe35b Gitweb: https://git.kernel.org/tip/117cc7a908c83697b0b737d15ae1eb5943afe35b Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Fri, 12 Jan 2018 11:11:27 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/retpoline: Fill return stack buffer on vmexit

2018-01-12 Thread tip-bot for David Woodhouse
Commit-ID: 117cc7a908c83697b0b737d15ae1eb5943afe35b Gitweb: https://git.kernel.org/tip/117cc7a908c83697b0b737d15ae1eb5943afe35b Author: David Woodhouse AuthorDate: Fri, 12 Jan 2018 11:11:27 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 12:33:37 +0100 x86/retpoline

[PATCH v8.1 12/12] x86/retpoline: Fill return stack buffer on vmexit

2018-01-12 Thread David Woodhouse
-off-by: David Woodhouse <d...@amazon.co.uk> Tested-by: Peter Zijlstra (Intel) <pet...@infradead.org> --- I love the smell of bikeshed paint in the morning. But to be fair, this one was actually an issue which might possibly have bitten in the future. Can we please stop arguing about as

[PATCH v8.1 12/12] x86/retpoline: Fill return stack buffer on vmexit

2018-01-12 Thread David Woodhouse
-off-by: David Woodhouse Tested-by: Peter Zijlstra (Intel) --- I love the smell of bikeshed paint in the morning. But to be fair, this one was actually an issue which might possibly have bitten in the future. Can we please stop arguing about asm labels now though? Let's get this stuff done

Re: [PATCH v8 03/12] x86/retpoline: Add initial retpoline support

2018-01-12 Thread David Woodhouse
On Thu, 2018-01-11 at 17:58 -0600, Tom Lendacky wrote: > > > + * These are the bare retpoline primitives for indirect jmp and call. > > + * Do not use these directly; they only exist to make the ALTERNATIVE > > + * invocation below less ugly. > > + */ > > +.macro RETPOLINE_JMP reg:req > > + 

Re: [PATCH 4/5] x86/svm: Direct access to MSR_IA32_SPEC_CTRL

2018-01-12 Thread David Woodhouse
On Fri, 2018-01-12 at 10:58 +0100, Peter Zijlstra wrote: > I disagree, and if you worry about that, we should write a testcase. But > we rely on GCC for correct code generation in lots of places, this isn't > different. It's different because it's not a *correctness* issue... unless we let you

Re: [PATCH 3/5] x86/ibrs: Add direct access support for MSR_IA32_SPEC_CTRL

2018-01-12 Thread David Woodhouse
On Fri, 2018-01-12 at 10:51 +0100, Peter Zijlstra wrote: > On Thu, Jan 11, 2018 at 05:58:11PM -0800, Dave Hansen wrote: > > On 01/11/2018 05:32 PM, Ashok Raj wrote: > > > +static void save_guest_spec_ctrl(struct vcpu_vmx *vmx) > > > +{ > > > +   if (boot_cpu_has(X86_FEATURE_SPEC_CTRL)) { > > > +   

Re: [PATCH 4/5] x86/svm: Direct access to MSR_IA32_SPEC_CTRL

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 17:32 -0800, Ashok Raj wrote: > > @@ -4910,6 +4935,14 @@ static void svm_vcpu_run(struct kvm_vcpu > *vcpu) >   > clgi(); >   > +   if (boot_cpu_has(X86_FEATURE_SPEC_CTRL)) { > +   /* > +    * FIXME: lockdep_assert_irqs_disabled(); > +  
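
Review bot: the FIXME comment inside the new boot_cpu_has(X86_FEATURE_SPEC_CTRL) block in svm_vcpu_run() names lockdep_assert_irqs_disabled() instead of calling it. If the code added after clgi() depends on interrupts being off, make the assertion a real call, or state in the comment why it cannot be used here, so the requirement is checked rather than left as a FIXME.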

[tip:x86/pti] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 85ec967c1dc04bde16d783ea04428bef3c00a171 Gitweb: https://git.kernel.org/tip/85ec967c1dc04bde16d783ea04428bef3c00a171 Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Thu, 11 Jan 2018 21:46:34 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/retpoline/xen: Convert Xen hypercall indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: ea08816d5b185ab3d09e95e393f265af54560350 Gitweb: https://git.kernel.org/tip/ea08816d5b185ab3d09e95e393f265af54560350 Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Thu, 11 Jan 2018 21:46:31 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 85ec967c1dc04bde16d783ea04428bef3c00a171 Gitweb: https://git.kernel.org/tip/85ec967c1dc04bde16d783ea04428bef3c00a171 Author: David Woodhouse AuthorDate: Thu, 11 Jan 2018 21:46:34 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 00:14:32 +0100 x86/retpoline

[tip:x86/pti] x86/retpoline/xen: Convert Xen hypercall indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: ea08816d5b185ab3d09e95e393f265af54560350 Gitweb: https://git.kernel.org/tip/ea08816d5b185ab3d09e95e393f265af54560350 Author: David Woodhouse AuthorDate: Thu, 11 Jan 2018 21:46:31 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 00:14:31 +0100 x86/retpoline/xen

[tip:x86/pti] x86/retpoline/checksum32: Convert assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 5096732f6f695001fa2d6f1335a2680b37912c69 Gitweb: https://git.kernel.org/tip/5096732f6f695001fa2d6f1335a2680b37912c69 Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Thu, 11 Jan 2018 21:46:32 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/retpoline/checksum32: Convert assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 5096732f6f695001fa2d6f1335a2680b37912c69 Gitweb: https://git.kernel.org/tip/5096732f6f695001fa2d6f1335a2680b37912c69 Author: David Woodhouse AuthorDate: Thu, 11 Jan 2018 21:46:32 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 00:14:31 +0100 x86/retpoline

[tip:x86/pti] x86/retpoline/hyperv: Convert assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: e70e5892b28c18f517f29ab6e83bd57705104b31 Gitweb: https://git.kernel.org/tip/e70e5892b28c18f517f29ab6e83bd57705104b31 Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Thu, 11 Jan 2018 21:46:30 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/retpoline/hyperv: Convert assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: e70e5892b28c18f517f29ab6e83bd57705104b31 Gitweb: https://git.kernel.org/tip/e70e5892b28c18f517f29ab6e83bd57705104b31 Author: David Woodhouse AuthorDate: Thu, 11 Jan 2018 21:46:30 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 00:14:30 +0100 x86/retpoline

[tip:x86/pti] x86/retpoline/ftrace: Convert ftrace assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 9351803bd803cdbeb9b5a7850b7b6f464806e3db Gitweb: https://git.kernel.org/tip/9351803bd803cdbeb9b5a7850b7b6f464806e3db Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Thu, 11 Jan 2018 21:46:29 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/retpoline/ftrace: Convert ftrace assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 9351803bd803cdbeb9b5a7850b7b6f464806e3db Gitweb: https://git.kernel.org/tip/9351803bd803cdbeb9b5a7850b7b6f464806e3db Author: David Woodhouse AuthorDate: Thu, 11 Jan 2018 21:46:29 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 00:14:30 +0100 x86/retpoline

[tip:x86/pti] x86/retpoline/crypto: Convert crypto assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 9697fa39efd3fc3692f2949d4045f393ec58450b Gitweb: https://git.kernel.org/tip/9697fa39efd3fc3692f2949d4045f393ec58450b Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Thu, 11 Jan 2018 21:46:27 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/retpoline/crypto: Convert crypto assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 9697fa39efd3fc3692f2949d4045f393ec58450b Gitweb: https://git.kernel.org/tip/9697fa39efd3fc3692f2949d4045f393ec58450b Author: David Woodhouse AuthorDate: Thu, 11 Jan 2018 21:46:27 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 00:14:29 +0100 x86/retpoline

[tip:x86/pti] x86/retpoline/entry: Convert entry assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 2641f08bb7fc63a636a2b18173221d7040a3512e Gitweb: https://git.kernel.org/tip/2641f08bb7fc63a636a2b18173221d7040a3512e Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Thu, 11 Jan 2018 21:46:28 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/retpoline/entry: Convert entry assembler indirect jumps

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 2641f08bb7fc63a636a2b18173221d7040a3512e Gitweb: https://git.kernel.org/tip/2641f08bb7fc63a636a2b18173221d7040a3512e Author: David Woodhouse AuthorDate: Thu, 11 Jan 2018 21:46:28 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 00:14:29 +0100 x86/retpoline

[tip:x86/pti] x86/retpoline: Add initial retpoline support

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 76b043848fd22dbf7f8bf3a1452f8c70d557b860 Gitweb: https://git.kernel.org/tip/76b043848fd22dbf7f8bf3a1452f8c70d557b860 Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Thu, 11 Jan 2018 21:46:25 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/retpoline: Add initial retpoline support

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: 76b043848fd22dbf7f8bf3a1452f8c70d557b860 Gitweb: https://git.kernel.org/tip/76b043848fd22dbf7f8bf3a1452f8c70d557b860 Author: David Woodhouse AuthorDate: Thu, 11 Jan 2018 21:46:25 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 00:14:28 +0100 x86/retpoline: Add

[tip:x86/pti] x86/spectre: Add boot time option to select Spectre v2 mitigation

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: da285121560e769cc31797bba6422eea71d473e0 Gitweb: https://git.kernel.org/tip/da285121560e769cc31797bba6422eea71d473e0 Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Thu, 11 Jan 2018 21:46:26 + Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:

[tip:x86/pti] x86/spectre: Add boot time option to select Spectre v2 mitigation

2018-01-11 Thread tip-bot for David Woodhouse
Commit-ID: da285121560e769cc31797bba6422eea71d473e0 Gitweb: https://git.kernel.org/tip/da285121560e769cc31797bba6422eea71d473e0 Author: David Woodhouse AuthorDate: Thu, 11 Jan 2018 21:46:26 + Committer: Thomas Gleixner CommitDate: Fri, 12 Jan 2018 00:14:29 +0100 x86/spectre: Add

[PATCH v8 04/12] x86/spectre: Add boot time option to select Spectre v2 mitigation

2018-01-11 Thread David Woodhouse
on a serializing LFENCE for speculation control. For AMD hardware, only set RETPOLINE_AMD if LFENCE is a serializing instruction, which is indicated by the LFENCE_RDTSC feature. [ tglx: Folded back the LFENCE/AMD fixes and reworked it so IBRS integration becomes simple ] Signed-off-by: David Woodhouse

[PATCH v8 04/12] x86/spectre: Add boot time option to select Spectre v2 mitigation

2018-01-11 Thread David Woodhouse
on a serializing LFENCE for speculation control. For AMD hardware, only set RETPOLINE_AMD if LFENCE is a serializing instruction, which is indicated by the LFENCE_RDTSC feature. [ tglx: Folded back the LFENCE/AMD fixes and reworked it so IBRS integration becomes simple ] Signed-off-by: David Woodhouse

[PATCH v8 02/12] objtool: Allow alternatives to be ignored

2018-01-11 Thread David Woodhouse
the control flow *around* the retpoline, even if it can't yet follow what's inside. This means the ORC unwinder will fail to unwind from inside a retpoline, but will work fine otherwise. Signed-off-by: Josh Poimboeuf <jpoim...@redhat.com> Signed-off-by: David Woodhouse <d...@ama

[PATCH v8 02/12] objtool: Allow alternatives to be ignored

2018-01-11 Thread David Woodhouse
the control flow *around* the retpoline, even if it can't yet follow what's inside. This means the ORC unwinder will fail to unwind from inside a retpoline, but will work fine otherwise. Signed-off-by: Josh Poimboeuf Signed-off-by: David Woodhouse --- tools/objtool/check.c | 62

[PATCH v8 05/12] x86/retpoline/crypto: Convert crypto assembler indirect jumps

2018-01-11 Thread David Woodhouse
Convert all indirect jumps in crypto assembler code to use non-speculative sequences when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse <d...@amazon.co.uk> Signed-off-by: Thomas Gleixner <t...@linutronix.de> Acked-by: Arjan van de Ven <ar...@linux.intel.com> Ack

[PATCH v8 05/12] x86/retpoline/crypto: Convert crypto assembler indirect jumps

2018-01-11 Thread David Woodhouse
Convert all indirect jumps in crypto assembler code to use non-speculative sequences when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Acked-by: Arjan van de Ven Acked-by: Ingo Molnar Cc: gno...@lxorguk.ukuu.org.uk Cc: Rik van Riel Cc: Andi Kleen

[PATCH v8 00/12] Retpoline: Avoid speculative indirect calls in kernel

2018-01-11 Thread David Woodhouse
exit I don't know... other bloody bikeshedding. Can I sleep now? Andi Kleen (1): x86/retpoline/irq32: Convert assembler indirect jumps David Woodhouse (10): objtool: Allow alternatives to be ignored x86/retpoline: Add initial retpoline support x86/spectre: Add boot time option to select

[PATCH v8 11/12] x86/retpoline/irq32: Convert assembler indirect jumps

2018-01-11 Thread David Woodhouse
From: Andi Kleen Convert all indirect jumps in 32bit irq inline asm code to use non speculative sequences. Signed-off-by: Andi Kleen Signed-off-by: Thomas Gleixner Acked-by: Arjan van de Ven Acked-by: Ingo

[PATCH v8 08/12] x86/retpoline/hyperv: Convert assembler indirect jumps

2018-01-11 Thread David Woodhouse
Convert all indirect jumps in hyperv inline asm code to use non-speculative sequences when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse <d...@amazon.co.uk> Signed-off-by: Thomas Gleixner <t...@linutronix.de> Acked-by: Arjan van de Ven <ar...@linux.intel.com> Ack

[PATCH v8 11/12] x86/retpoline/irq32: Convert assembler indirect jumps

2018-01-11 Thread David Woodhouse
From: Andi Kleen Convert all indirect jumps in 32bit irq inline asm code to use non speculative sequences. Signed-off-by: Andi Kleen Signed-off-by: Thomas Gleixner Acked-by: Arjan van de Ven Acked-by: Ingo Molnar Cc: gno...@lxorguk.ukuu.org.uk Cc: Rik van Riel Cc: Peter Zijlstra Cc: Linus

[PATCH v8 08/12] x86/retpoline/hyperv: Convert assembler indirect jumps

2018-01-11 Thread David Woodhouse
Convert all indirect jumps in hyperv inline asm code to use non-speculative sequences when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Acked-by: Arjan van de Ven Acked-by: Ingo Molnar Cc: gno...@lxorguk.ukuu.org.uk Cc: Rik van Riel Cc: Andi

[PATCH v8 07/12] x86/retpoline/ftrace: Convert ftrace assembler indirect jumps

2018-01-11 Thread David Woodhouse
Convert all indirect jumps in ftrace assembler code to use non-speculative sequences when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse <d...@amazon.co.uk> Signed-off-by: Thomas Gleixner <t...@linutronix.de> Acked-by: Arjan van de Ven <ar...@linux.intel.com> Ack

[PATCH v8 07/12] x86/retpoline/ftrace: Convert ftrace assembler indirect jumps

2018-01-11 Thread David Woodhouse
Convert all indirect jumps in ftrace assembler code to use non-speculative sequences when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Acked-by: Arjan van de Ven Acked-by: Ingo Molnar Cc: gno...@lxorguk.ukuu.org.uk Cc: Rik van Riel Cc: Andi Kleen

[PATCH v8 10/12] x86/retpoline/checksum32: Convert assembler indirect jumps

2018-01-11 Thread David Woodhouse
Convert all indirect jumps in 32bit checksum assembler code to use non-speculative sequences when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse <d...@amazon.co.uk> Signed-off-by: Thomas Gleixner <t...@linutronix.de> Acked-by: Arjan van de Ven <ar...@linux.intel.com>

[PATCH v8 10/12] x86/retpoline/checksum32: Convert assembler indirect jumps

2018-01-11 Thread David Woodhouse
Convert all indirect jumps in 32bit checksum assembler code to use non-speculative sequences when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Acked-by: Arjan van de Ven Acked-by: Ingo Molnar Cc: gno...@lxorguk.ukuu.org.uk Cc: Rik van Riel Cc

[PATCH v8 06/12] x86/retpoline/entry: Convert entry assembler indirect jumps

2018-01-11 Thread David Woodhouse
to be a bare jmp *%rax anyway. Signed-off-by: David Woodhouse <d...@amazon.co.uk> Signed-off-by: Thomas Gleixner <t...@linutronix.de> Acked-by: Ingo Molnar <mi...@kernel.org> Acked-by: Arjan van de Ven <ar...@linux.intel.com> Cc: gno...@lxorguk.ukuu.org.uk Cc: Rik van Riel

[PATCH v8 06/12] x86/retpoline/entry: Convert entry assembler indirect jumps

2018-01-11 Thread David Woodhouse
to be a bare jmp *%rax anyway. Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Acked-by: Ingo Molnar Acked-by: Arjan van de Ven Cc: gno...@lxorguk.ukuu.org.uk Cc: Rik van Riel Cc: Andi Kleen Cc: Peter Zijlstra Cc: Linus Torvalds Cc: Jiri Kosina Cc: Andy Lutomirski Cc: Dave

[PATCH v8 12/12] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
In accordance with the Intel and AMD documentation, we need to overwrite all entries in the RSB on exiting a guest, to prevent malicious branch target predictions from affecting the host kernel. This is needed both for retpoline and for IBRS. Signed-off-by: David Woodhouse <d...@amazon.co

[PATCH v8 09/12] x86/retpoline/xen: Convert Xen hypercall indirect jumps

2018-01-11 Thread David Woodhouse
Convert indirect call in Xen hypercall to use non-speculative sequence, when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse <d...@amazon.co.uk> Signed-off-by: Thomas Gleixner <t...@linutronix.de> Reviewed-by: Juergen Gross <jgr...@suse.com> Acked-by: Ar

[PATCH v8 12/12] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
In accordance with the Intel and AMD documentation, we need to overwrite all entries in the RSB on exiting a guest, to prevent malicious branch target predictions from affecting the host kernel. This is needed both for retpoline and for IBRS. Signed-off-by: David Woodhouse Tested-by: Peter

[PATCH v8 09/12] x86/retpoline/xen: Convert Xen hypercall indirect jumps

2018-01-11 Thread David Woodhouse
Convert indirect call in Xen hypercall to use non-speculative sequence, when CONFIG_RETPOLINE is enabled. Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Reviewed-by: Juergen Gross Acked-by: Arjan van de Ven Acked-by: Ingo Molnar Cc: gno...@lxorguk.ukuu.org.uk Cc: Rik van Riel

[PATCH v8 03/12] x86/retpoline: Add initial retpoline support

2018-01-11 Thread David Woodhouse
Andi Kleen: Rename the macros, add CONFIG_RETPOLINE option, export thunks] [ tglx: Put actual function CALL/JMP in front of the macros, convert to symbolic labels ] [ dwmw2: Convert back to numeric labels, merge objtool fixes ] Signed-off-by: David Woodhouse <d...@amazon.co.uk> Signe

[PATCH v8 03/12] x86/retpoline: Add initial retpoline support

2018-01-11 Thread David Woodhouse
Andi Kleen: Rename the macros, add CONFIG_RETPOLINE option, export thunks] [ tglx: Put actual function CALL/JMP in front of the macros, convert to symbolic labels ] [ dwmw2: Convert back to numeric labels, merge objtool fixes ] Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Acked

[PATCH v8 01/12] objtool: Detect jumps to retpoline thunks

2018-01-11 Thread David Woodhouse
uction with modified stack frame ... Signed-off-by: Josh Poimboeuf <jpoim...@redhat.com> Signed-off-by: David Woodhouse <d...@amazon.co.uk> --- tools/objtool/check.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/tools/objtool/check.c b/tools/objtool/check.c index 9b3415

[PATCH v8 01/12] objtool: Detect jumps to retpoline thunks

2018-01-11 Thread David Woodhouse
frame ... Signed-off-by: Josh Poimboeuf Signed-off-by: David Woodhouse --- tools/objtool/check.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/tools/objtool/check.c b/tools/objtool/check.c index 9b341584..de053fb 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -456,6

Re: [PATCH 2/3] objtool: Ignore retpoline alternatives

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 09:29 -0800, Linus Torvalds wrote: > > That, btw, is also why it's pointless to make the small numbers > "bigger". Using "1122" as a label is actively worse than just using > "1". Actually in macros I don't think that's entirely true (depending on the assembler/preprocessor

Re: [PATCH 2/3] objtool: Ignore retpoline alternatives

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 09:29 -0800, Linus Torvalds wrote: > On Thu, Jan 11, 2018 at 8:27 AM, David Woodhouse <dw...@infradead.org> wrote: > > > > > >   Ick, numbers. Use .Lfoo_%= instead. > > > > Actually, I think PeterZ is wrong on this one. > >

Re: [PATCH 2/3] objtool: Ignore retpoline alternatives

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 09:29 -0800, Linus Torvalds wrote: > On Thu, Jan 11, 2018 at 8:27 AM, David Woodhouse wrote: > > > > > >   Ick, numbers. Use .Lfoo_%= instead. > > > > Actually, I think PeterZ is wrong on this one. > > First off, we do *not*

Re: [PATCH 2/3] objtool: Ignore retpoline alternatives

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 18:05 +0100, Peter Zijlstra wrote: > On Thu, Jan 11, 2018 at 06:01:23PM +0100, Jiri Kosina wrote: > > On Thu, 11 Jan 2018, Josh Poimboeuf wrote: > >  > > > I think I heard that retpolines won't be ported to anything older than  > > > GCC 4.9, so maybe it's safe to use '%='. 

Re: [PATCH 2/3] objtool: Ignore retpoline alternatives

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 10:48 -0600, Josh Poimboeuf wrote: > > The above macro is protected by '#ifdef RETPOLINE', and I seriously > doubt 0-day is testing with an unreleased version of GCC.  So you > shouldn't see a 0-day warning. It's actually #ifdef CONFIG_RETPOLINE isn't it?  If you enable

Re: [PATCH 2/3] objtool: Ignore retpoline alternatives

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 10:33 -0600, Josh Poimboeuf wrote: > On Thu, Jan 11, 2018 at 04:27:38PM +0000, David Woodhouse wrote: > > > > On Wed, 2018-01-10 at 19:48 -0600, Josh Poimboeuf wrote: > > > > > > > > > +#define ANNOTATE_NOSPEC_ALTERNATIVE 

Re: [PATCH 2/3] objtool: Ignore retpoline alternatives

2018-01-11 Thread David Woodhouse
On Wed, 2018-01-10 at 19:48 -0600, Josh Poimboeuf wrote: > > +#define ANNOTATE_NOSPEC_ALTERNATIVE\ > +   "999:\n\t"  \ > +   ".pushsection .discard.nospec\n\t"  \ > +   ".long 999b - .\n\t" 

Re: [PATCH v2.1] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 09:04 -0600, Josh Poimboeuf wrote: > > > How about this one then (with ANNOTATE_NOSPEC_ALTERNATIVE): > >  > > -   asm volatile (ALTERNATIVE("", > > +   asm volatile (ALTERNATIVE("jmp " alt_end_marker "f", > >   

[PATCH v3] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
In accordance with the Intel and AMD documentation, we need to overwrite all entries in the RSB on exiting a guest, to prevent malicious branch target predictions from affecting the host kernel. This is needed both for retpoline and for IBRS. Signed-off-by: David Woodhouse <d...@amazon.co

[PATCH v3] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
In accordance with the Intel and AMD documentation, we need to overwrite all entries in the RSB on exiting a guest, to prevent malicious branch target predictions from affecting the host kernel. This is needed both for retpoline and for IBRS. Signed-off-by: David Woodhouse Tested-by: Peter

Re: [PATCH v2.1] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 10:22 -0500, Brian Gerst wrote: > On Thu, Jan 11, 2018 at 9:32 AM, Peter Zijlstra <pet...@infradead.org> wrote: > > On Thu, Jan 11, 2018 at 02:28:32PM +0000, David Woodhouse wrote: > >> On Thu, 2018-01-11 at 08:20 -0600, Josh Poimboeuf wrote: >

Re: [PATCH v2.1] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 10:22 -0500, Brian Gerst wrote: > On Thu, Jan 11, 2018 at 9:32 AM, Peter Zijlstra wrote: > > On Thu, Jan 11, 2018 at 02:28:32PM +0000, David Woodhouse wrote: > >> On Thu, 2018-01-11 at 08:20 -0600, Josh Poimboeuf wrote: > >> > > >>

Re: [PATCH v2.1] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 15:32 +0100, Peter Zijlstra wrote: > On Thu, Jan 11, 2018 at 02:28:32PM +0000, David Woodhouse wrote: > > > > On Thu, 2018-01-11 at 08:20 -0600, Josh Poimboeuf wrote: > > > > > > > > > This seems weird.  I liked v1 a lot bette

Re: [PATCH v2.1] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
On Thu, 2018-01-11 at 08:20 -0600, Josh Poimboeuf wrote: > > This seems weird.  I liked v1 a lot better.  What's the problem with > patching in the whole thing? > > Also, if you go back to v1, it should be an easy objtool fix, just add > ANNOTATE_NOSPEC_ALTERNATIVE in front of it. The objection

[PATCH v2.1] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
In accordance with the Intel and AMD documentation, we need to overwrite all entries in the RSB on exiting a guest, to prevent malicious branch target predictions from affecting the host kernel. This is needed both for retpoline and for IBRS. Signed-off-by: David Woodhouse <d...@amazon.co

[PATCH v2.1] x86/retpoline: Fill return stack buffer on vmexit

2018-01-11 Thread David Woodhouse
In accordance with the Intel and AMD documentation, we need to overwrite all entries in the RSB on exiting a guest, to prevent malicious branch target predictions from affecting the host kernel. This is needed both for retpoline and for IBRS. Signed-off-by: David Woodhouse --- v2: Reduce

Re: [PATCH 0/3] objtool: retpoline compatibility

2018-01-11 Thread David Woodhouse
On Wed, 2018-01-10 at 19:48 -0600, Josh Poimboeuf wrote: > Make objtool compatible with CONFIG_RETPOLINE and re-enable the > objtool-dependent features. > > Josh Poimboeuf (3): >   objtool: Detect jumps to retpoline thunks >   objtool: Ignore retpoline alternatives >   Revert "x86/retpoline:

Re: [PATCH] x86/retpoline: Fill return stack buffer on vmexit

2018-01-10 Thread David Woodhouse
On Thu, 2018-01-11 at 01:04 +, David Woodhouse wrote: > On Wed, 2018-01-10 at 18:14 -0600, Tom Lendacky wrote: > > On 1/10/2018 5:47 PM, David Woodhouse wrote: > > > Now smoke tested with Intel VT-x, but not yet on AMD. Tom, would you be > > > able to do tha

Re: [PATCH] x86/retpoline: Fill return stack buffer on vmexit

2018-01-10 Thread David Woodhouse
On Wed, 2018-01-10 at 18:14 -0600, Tom Lendacky wrote: > On 1/10/2018 5:47 PM, David Woodhouse wrote: > > On Wed, 2018-01-10 at 22:51 +0000, David Woodhouse wrote: > >> In accordance with the Intel and AMD documentation, we need to overwrite > >> all entries in

Re: [PATCH] x86/retpoline: Fill return stack buffer on vmexit

2018-01-10 Thread David Woodhouse
On Wed, 2018-01-10 at 22:51 +0000, David Woodhouse wrote: > In accordance with the Intel and AMD documentation, we need to overwrite > all entries in the RSB on exiting a guest, to prevent malicious branch > target predictions from affecting the host kernel. This is needed both > f

[PATCH] x86/retpoline: Fill return stack buffer on vmexit

2018-01-10 Thread David Woodhouse
In accordance with the Intel and AMD documentation, we need to overwrite all entries in the RSB on exiting a guest, to prevent malicious branch target predictions from affecting the host kernel. This is needed both for retpoline and for IBRS. Signed-off-by: David Woodhouse --- Untested

Re: [PATCH] x86/alternatives: Fix optimize_nops() checking

2018-01-10 Thread David Woodhouse
On Wed, 2018-01-10 at 13:05 -0800, Linus Torvalds wrote: > On Wed, Jan 10, 2018 at 12:55 PM, Borislav Petkov > wrote: > > > > Ok, so the problem was: how to fixup jumps which are not the first > > instruction which is being replaced but a following one in the > > instruction bytes with which we

Re: [PATCH] x86/alternatives: Fix optimize_nops() checking

2018-01-10 Thread David Woodhouse
On Wed, 2018-01-10 at 21:33 +0100, Peter Zijlstra wrote: > On Wed, Jan 10, 2018 at 12:26:25PM -0800, Linus Torvalds wrote: > > Imagine just how crazy that would be to debug. You'd be basically > > executing insane code, and looking at the sources - or even the > > binaries - it would _look_

Re: [PATCH] x86/alternatives: Fix optimize_nops() checking

2018-01-10 Thread David Woodhouse
On Wed, 2018-01-10 at 14:15 -0600, Josh Poimboeuf wrote: > On Wed, Jan 10, 2018 at 08:55:40PM +0100, Thomas Gleixner wrote: > > On Wed, 10 Jan 2018, Linus Torvalds wrote: > >  > > > On Wed, Jan 10, 2018 at 3:28 AM, Borislav Petkov wrote: > > > > > > > > Make sure we scan all bytes before we

[tip:x86/pti] x86/retpoline/checksum32: Convert assembler indirect jumps

2018-01-10 Thread tip-bot for David Woodhouse
Commit-ID: 96f71b3a482e918991d165eb7a6b42eb9a9ef735 Gitweb: https://git.kernel.org/tip/96f71b3a482e918991d165eb7a6b42eb9a9ef735 Author: David Woodhouse AuthorDate: Tue, 9 Jan 2018 14:43:15 +0000 Committer: Thomas Gleixner CommitDate: Wed, 10 Jan 2018 19:36:25 +0100 x86/retpoline

[tip:x86/pti] x86/retpoline/xen: Convert Xen hypercall indirect jumps

2018-01-10 Thread tip-bot for David Woodhouse
Commit-ID: b569cb1e72bda00e7e6245519fe7d0d0ab13898e Gitweb: https://git.kernel.org/tip/b569cb1e72bda00e7e6245519fe7d0d0ab13898e Author: David Woodhouse <d...@amazon.co.uk> AuthorDate: Tue, 9 Jan 2018 14:43:14 +0000 Committer: Thomas Gleixner <t...@linutronix.de> CommitDate:
