Commit-ID: d46717c610dcfa2cba5c87500c928993371ef1ad
Gitweb: https://git.kernel.org/tip/d46717c610dcfa2cba5c87500c928993371ef1ad
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:07 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 19:36:22 +0100
x86/retpoline: Add
Commit-ID: 689e1c6117fcba2fb4b1f30d164a7a80389c0b29
Gitweb: https://git.kernel.org/tip/689e1c6117fcba2fb4b1f30d164a7a80389c0b29
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:12 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 19:09:11 +0100
x86/retpoline
Commit-ID: 0672779c1f8e3ea1cc611bba50c53e224cbf4f31
Gitweb: https://git.kernel.org/tip/0672779c1f8e3ea1cc611bba50c53e224cbf4f31
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:15 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 19:09:12 +0100
x86/retpoline
Commit-ID: 9cc0128d93281e7f3be300b2b933d7c363b1ab26
Gitweb: https://git.kernel.org/tip/9cc0128d93281e7f3be300b2b933d7c363b1ab26
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:14 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 19:09:11 +0100
x86/retpoline/xen
Commit-ID: fe1678d070e36070c43005c71ce783df57852252
Gitweb: https://git.kernel.org/tip/fe1678d070e36070c43005c71ce783df57852252
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:09 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 19:09:09 +0100
x86/spectre: Add
Commit-ID: 713626ed94ad69d330fab550c94d7173cfcbf5ce
Gitweb: https://git.kernel.org/tip/713626ed94ad69d330fab550c94d7173cfcbf5ce
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:13 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 19:09:11 +0100
x86/retpoline
Commit-ID: 8e8284e74cf80e1addf71d83794cba23f7a59e3a
Gitweb: https://git.kernel.org/tip/8e8284e74cf80e1addf71d83794cba23f7a59e3a
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:11 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 19:09:10 +0100
x86/retpoline/entry
Commit-ID: b86d748af60a52fe5b2bfb28f4451f79e28d0b32
Gitweb: https://git.kernel.org/tip/b86d748af60a52fe5b2bfb28f4451f79e28d0b32
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:10 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 19:09:10 +0100
x86/retpoline
Commit-ID: 3c0c41a7bc03932d02d7796b4735f9077eb2b320
Gitweb: https://git.kernel.org/tip/3c0c41a7bc03932d02d7796b4735f9077eb2b320
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:07 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 19:09:09 +0100
x86/retpoline: Add
Commit-ID: 6a2b9eb3c189a848fbfc5b3a0b282bc03bc142af
Gitweb: https://git.kernel.org/tip/6a2b9eb3c189a848fbfc5b3a0b282bc03bc142af
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:15 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 18:28:24 +0100
x86/retpoline
Commit-ID: 5a6407e118225497fff1f503acbba96cd2abd21c
Gitweb: https://git.kernel.org/tip/5a6407e118225497fff1f503acbba96cd2abd21c
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:14 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 18:28:23 +0100
x86/retpoline/xen
Commit-ID: 6916b4cc0d2b1e2191acc82d75cce8a25b3dc9be
Gitweb: https://git.kernel.org/tip/6916b4cc0d2b1e2191acc82d75cce8a25b3dc9be
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:13 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 18:28:23 +0100
x86/retpoline
Commit-ID: cafa890653f4a4ba87e98b53d9c301260a4864b7
Gitweb: https://git.kernel.org/tip/cafa890653f4a4ba87e98b53d9c301260a4864b7
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:12 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 18:28:23 +0100
x86/retpoline
Commit-ID: d569ded27d11bcb1643b14c54403910d9b3328b1
Gitweb: https://git.kernel.org/tip/d569ded27d11bcb1643b14c54403910d9b3328b1
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:09 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 18:28:22 +0100
x86/spectre: Add
Commit-ID: ea89ba993dfa8d77b08ee50f25aa06a403611070
Gitweb: https://git.kernel.org/tip/ea89ba993dfa8d77b08ee50f25aa06a403611070
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:11 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 18:28:22 +0100
x86/retpoline/entry
Commit-ID: 73041fe6b4a410ddac9027d03c94c67d12dd3301
Gitweb: https://git.kernel.org/tip/73041fe6b4a410ddac9027d03c94c67d12dd3301
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:10 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 18:28:22 +0100
x86/retpoline
Commit-ID: 533ae606cfdbcded9878291761eb4dc0ab19cdb3
Gitweb: https://git.kernel.org/tip/533ae606cfdbcded9878291761eb4dc0ab19cdb3
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:07 +
Committer: Thomas Gleixner
CommitDate: Wed, 10 Jan 2018 18:28:21 +0100
x86/retpoline: Add
On Wed, 2018-01-10 at 08:51 -0800, Liran Alon wrote:
>
> Hmm... This is exactly how Google Project-Zero PoC leaks kvm-intel.ko,
> kvm.ko & vmlinux...
> See section "Locating the host kernel" here:
> https://googleprojectzero.blogspot.co.il/2018/01/reading-privileged-memory-with-side.html
>
>
On Wed, 2018-01-10 at 08:19 -0800, Liran Alon wrote:
>
> (1) On VMEntry, Intel recommends to just restore SPEC_CTRL to guest
> value (using WRMSR or MSR save/load list) and that's it. As I
> previously said to Jim, I am missing here a mechanism which should be
> responsible for hiding host's BHB &
On Wed, 2018-01-10 at 16:56 +0100, Paolo Bonzini wrote:
> On 10/01/2018 16:48, Woodhouse, David wrote:
> >>
> >> And what is the point of this "always set IBRS=1" then? Are there
> >> some other things lurking in the shadows?
> > Yes. *FUTURE* CPUs will have a mode where you can just set IBRS and
>
On Wed, 2018-01-10 at 16:47 +0100, Andrea Arcangeli wrote:
> On Wed, Jan 10, 2018 at 03:24:17PM +0000, David Woodhouse wrote:
> > Since it achieves nothing¹ but to make userspace run slower, there's no
> > need to write it again on returning to userspace. It will perform th
On Wed, 2018-01-10 at 16:13 +0100, Andrea Arcangeli wrote:
>
> Can you also tell if IBRS must be written as a barrier to SPEC_CTRL in
> return to userland (kernel exit) when ibrs_enabled 2? Generally we
> wouldn't run a barrier there with ibrs_enabled 2, but absolutely
> nothing is intuitive here
On Wed, 2018-01-10 at 14:46 +0100, Thomas Gleixner wrote:
>
> So here is the simple list of questions all to be answered with YES or
> NO. I don't want to see any of the 'but, though ...'. We all know by now
> that it's CPU dependent and slow and whatever and that IBRS_ATT will be in
> future CPUs
On Wed, 2018-01-10 at 13:57 +0100, Andrea Arcangeli wrote:
> On Wed, Jan 10, 2018 at 01:47:22PM +0100, Jiri Kosina wrote:
> >
> > On Wed, 10 Jan 2018, Andrea Arcangeli wrote:
> >
> > >
> > > Perhaps the confusion comes from "less privileged prediction mode" and
> > > you thought that meant "less
On Wed, 2018-01-10 at 13:47 +0100, Jiri Kosina wrote:
> On Wed, 10 Jan 2018, Andrea Arcangeli wrote:
>
> > Perhaps the confusion comes from "less privileged prediction mode" and
> > you thought that meant "less privileged ring mode". It says "prediction
> > mode" not ring 3.
>
> Well, prediction mo
On Wed, 2018-01-10 at 13:17 +0100, Andrea Arcangeli wrote:
> On Wed, Jan 10, 2018 at 12:09:34PM +0000, David Woodhouse wrote:
> > That is not consistent with the documentation I've seen, which Intel
> > have so far utterly failed to publish AFAICT.
> >
> > "a
On Wed, 2018-01-10 at 13:07 +0100, Andrea Arcangeli wrote:
> On Wed, Jan 10, 2018 at 01:01:58PM +0100, Andrea Arcangeli wrote:
> > On Wed, Jan 10, 2018 at 11:58:54AM +0000, David Woodhouse wrote:
> > > On Wed, 2018-01-10 at 12:54 +0100, Andrea Arcangeli wrote:
> > > >
On Wed, 2018-01-10 at 13:01 +0100, Andrea Arcangeli wrote:
>
> > On all current hardware, if you only set IBRS when you exit a guest,
> > then you are not protecting yourself from userspace at all. IBRS acts
> > as a *barrier* in all current hardware.
>
> Kernel memory is 100% protected if you se
spot that the first instruction of the alternative is a NOP and thus turn
*all* the rest of it into NOPs too. (A fix for which is already available,
but we just don't need to do it, so stop.)
Signed-off-by: David Woodhouse
---
arch/x86/include/asm/nospec-branch.h | 3 ---
1 file changed, 3
On Wed, 2018-01-10 at 12:57 +0100, Borislav Petkov wrote:
> On Wed, Jan 10, 2018 at 11:49:55AM +0000, David Woodhouse wrote:
> > Don't suppose you want to make the alignment actually *work*? :)
>
> I can try but only if it is really worth it. If we don't see it in
On Wed, 2018-01-10 at 12:54 +0100, Andrea Arcangeli wrote:
> On Wed, Jan 10, 2018 at 09:27:59AM +0000, David Woodhouse wrote:
> > I don't know why you're calling that 'IBRS=2'; are you getting confused
> > by Andrea's distro horridness?
>
> Eh, y
On Wed, 2018-01-10 at 12:45 +0100, Borislav Petkov wrote:
> On Wed, Jan 10, 2018 at 11:36:41AM +0000, David Woodhouse wrote:
> >
> > That fixed and understood, I shall remove the offending NOPs anyway,
> > because aligning instructions in the *altinstr* section is entirely
On Wed, 2018-01-10 at 12:28 +0100, Borislav Petkov wrote:
> From: Borislav Petkov
> Date: Wed, 10 Jan 2018 12:14:07 +0100
>
> We check only the first byte whether it is a NOP but if David Woodhouse
> wants to do some crazy experiments with slapping NOPs in front of the
> payl
On Wed, 2018-01-10 at 11:03 +0100, Peter Zijlstra wrote:
> On Wed, Jan 10, 2018 at 09:27:59AM +0000, David Woodhouse wrote:
> >
> > >
> > > The only question I have is if retpoline works at all on SKL (with ucode
> > > update); BDW needs the ucode update
On Wed, 2018-01-10 at 07:15 +, David Woodhouse wrote:
> I'd really like to know what went wrong though. Did we merge Borislav's
> attempt to peek at jumps inside alternatives, perchance? Will take a
> look...
Ah, it only happens if I run in KVM, not with Qemu's CPU; t
On Wed, 2018-01-10 at 10:22 +0100, Peter Zijlstra wrote:
> On Tue, Jan 09, 2018 at 06:02:53PM -0800, Dave Hansen wrote:
> >
> > On 01/09/2018 05:06 PM, Thomas Gleixner wrote:
> > >
> > > --- a/arch/x86/kernel/cpu/bugs.c
> > > +++ b/arch/x86/kernel/cpu/bugs.c
> > > @@ -79,6 +79,7 @@ enum spectre_v
On Tue, 2018-01-09 at 17:30 -0800, Andi Kleen wrote:
> I assume you don't need FILL_RETURN_BUFFER on AMD. If not let me know
> and we can add a X86_FEATURE_RETPOLINE_COMMON
FWIW the AMD doc I have here (Tom, is that public now?) does say we
should fill the RSB. That's a minor tweak s/GENERIC/COMMO
On Tue, 2018-01-09 at 16:39 -0800, Linus Torvalds wrote:
> On Tue, Jan 9, 2018 at 4:31 PM, Andi Kleen wrote:
> >
> >
> > The following patch fixes it for me. Something doesn't
> > seem to work with ALTERNATIVE_2. It adds only a few bytes
> > more code, so seems acceptable.
> Ugh. It's kind of
On Tue, 2018-01-09 at 16:05 +, David Woodhouse wrote:
>
>
> Razvan points out that the #ifdef there is redundant; in older kernels,
> bugs.c is only built on 32-bit anyway.
>
> We're working on backporting the other CPU_BUG_* and sysfs
> vulnerabilities bit
On Tue, 2018-01-09 at 09:55 -0800, Tim Chen wrote:
>
> Thomas,
>
> I'll be sending an updated patchset with boot option opt in for ibrs
> and leave the control variable out. I agree that we can worry about the
> control variable later.
Please base this on the spectre_v2= option that's already i
On Mon, 2018-01-01 at 15:24 +0100, Greg Kroah-Hartman wrote:
>
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -19,6 +19,14 @@
>
> void __init check_bugs(void)
> {
> +#ifdef CONFIG_X86_32
> + /*
> + * Regardless of whether PCID is enumerated, the SDM say
Commit-ID: 8081a6f40dc2f74d40424addf2f5a63c5b85107b
Gitweb: https://git.kernel.org/tip/8081a6f40dc2f74d40424addf2f5a63c5b85107b
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:14 +
Committer: Thomas Gleixner
CommitDate: Tue, 9 Jan 2018 16:17:54 +0100
x86/retpoline/xen
Commit-ID: 51ab1433794d9f89257fba187c4f4a8fdfccd96d
Gitweb: https://git.kernel.org/tip/51ab1433794d9f89257fba187c4f4a8fdfccd96d
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:15 +
Committer: Thomas Gleixner
CommitDate: Tue, 9 Jan 2018 16:17:54 +0100
x86/retpoline
Commit-ID: 9fc52018d18e2e72ce21767bb3b58e8c5da4d9e8
Gitweb: https://git.kernel.org/tip/9fc52018d18e2e72ce21767bb3b58e8c5da4d9e8
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:10 +
Committer: Thomas Gleixner
CommitDate: Tue, 9 Jan 2018 16:17:52 +0100
x86/retpoline/crypto
Commit-ID: 73a780dee079e6e5dd26d84f698ac64d033977e3
Gitweb: https://git.kernel.org/tip/73a780dee079e6e5dd26d84f698ac64d033977e3
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:12 +
Committer: Thomas Gleixner
CommitDate: Tue, 9 Jan 2018 16:17:53 +0100
x86/retpoline/ftrace
Commit-ID: d4c3db4aa32afef03ba09ba9f1e522828b886854
Gitweb: https://git.kernel.org/tip/d4c3db4aa32afef03ba09ba9f1e522828b886854
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:13 +
Committer: Thomas Gleixner
CommitDate: Tue, 9 Jan 2018 16:17:53 +0100
x86/retpoline/hyperv
Commit-ID: ce004e1cb670f0bc134be82b24b0d0db16bccc37
Gitweb: https://git.kernel.org/tip/ce004e1cb670f0bc134be82b24b0d0db16bccc37
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:07 +
Committer: Thomas Gleixner
CommitDate: Tue, 9 Jan 2018 16:17:51 +0100
x86/retpoline: Add
Commit-ID: f3433c1010c6af61c9897f0f0447f81b991feac1
Gitweb: https://git.kernel.org/tip/f3433c1010c6af61c9897f0f0447f81b991feac1
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:11 +
Committer: Thomas Gleixner
CommitDate: Tue, 9 Jan 2018 16:17:52 +0100
x86/retpoline/entry
Commit-ID: 54d5103245ffd811d99f6cabea5d62377aa941bd
Gitweb: https://git.kernel.org/tip/54d5103245ffd811d99f6cabea5d62377aa941bd
Author: David Woodhouse
AuthorDate: Tue, 9 Jan 2018 14:43:09 +
Committer: Thomas Gleixner
CommitDate: Tue, 9 Jan 2018 16:17:51 +0100
x86/spectre: Add
Convert all indirect jumps in ftrace assembler code to use non-speculative
sequences when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
Acked-by: Ingo Molnar
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Rik van Riel
Cc: Andi Kleen
Cc: Peter Zijlstra
Cc: Linus
Convert indirect call in Xen hypercall to use non-speculative sequence,
when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Reviewed-by: Juergen Gross
Acked-By: Arjan van de Ven
Acked-by: Ingo Molnar
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Rik van Riel
Cc: Andi Kleen
Cc: Peter
hunk.rax is going to be a bare
jmp *%rax anyway.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
Acked-by: Ingo Molnar
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Rik van Riel
Cc: Andi Kleen
Cc: Peter Zijlstra
Cc: Linus Torvalds
Cc: Jiri Kosina
Cc: Andy Lutomirski
Cc: Dave Hansen
Cc: Kee
From: Andi Kleen
Convert all indirect jumps in 32bit irq inline asm code to use non
speculative sequences.
Signed-off-by: Andi Kleen
Signed-off-by: Thomas Gleixner
Acked-By: Arjan van de Ven
Acked-by: Ingo Molnar
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Rik van Riel
Cc: Peter Zijlstra
Cc: Linus
about nop between calls, Move #ifdef CONFIG_RETPOLINE
to call sites not macro. Use Google's original RSB stuffing.]
[tglx: Massaged changelog ]
Signed-off-by: Andi Kleen
Signed-off-by: David Woodhouse
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Rik van Riel
Cc: Tim Chen
Cc: Peter Zijlstra
Convert all indirect jumps in 32bit checksum assembler code to use
non-speculative sequences when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
Acked-by: Ingo Molnar
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Rik van Riel
Cc: Andi Kleen
Cc: Peter Zijlstra
Cc
Add a spectre_v2= option to select the mitigation used for the indirect
branch speculation vulnerability.
Currently, the only option available is retpoline, in its various forms.
This will be expanded to cover the new IBRS/IBPB microcode features.
Signed-off-by: David Woodhouse
Cc: gno
Convert all indirect jumps in hyperv inline asm code to use non-speculative
sequences when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
Acked-by: Ingo Molnar
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Rik van Riel
Cc: Andi Kleen
Cc: Peter Zijlstra
Cc: Linus
Convert all indirect jumps in crypto assembler code to use non-speculative
sequences when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
Acked-by: Ingo Molnar
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Rik van Riel
Cc: Andi Kleen
Cc: Peter Zijlstra
Cc: Linus
inly means that the kernel has to fallback to use the frame pointer
unwinder and livepatch is not supported.
Josh is looking into resolving the issue.
Signed-off-by: Andi Kleen
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
Acked-by: Ingo Molnar
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Ri
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
Acked-by: Ingo Molnar
Cc: gno...@lxorguk.ukuu.org.uk
Cc: Rik van Riel
Cc: Andi Kleen
Cc: Peter Zijlstra
Cc: Linus Torvalds
Cc: Jiri Kosina
Cc: Andy Lutomirski
Cc: Dave Hansen
Cc: Kees Cook
Cc: Tim Chen
Cc: Greg Kroah-Hartman
Cc: P
irq32: Convert assembler indirect jumps
x86/retpoline: Avoid return buffer underflows on context switch
David Woodhouse (8):
x86/retpoline: Add initial retpoline support
x86/spectre: Add boot time option to select Spectre v2 mitigation
x86/retpoline/crypto: Convert crypto assembler indire
On Tue, 2018-01-09 at 10:37 +0100, Peter Zijlstra wrote:
> On Mon, Jan 08, 2018 at 03:51:26PM -0800, Andi Kleen wrote:
>
> >
> > @@ -107,8 +109,15 @@ static inline void mwait_idle_with_hints(unsigned long
> > eax, unsigned long ecx)
> > }
> >
> > __monitor((void *)&current_th
On Mon, 2018-01-08 at 19:27 -0800, Andy Lutomirski wrote:
> >
> > If SMEP is not active, speculation can go anywhere, including to a user
> > controlled gadget which can reload any registers it needs, including
> > with immediate constants.
>
> I thought that, even on pre-SMEP hardware, the CPU w
On Mon, 2018-01-08 at 18:48 -0800, Paul Turner wrote:
> On Mon, Jan 8, 2018 at 4:48 PM, David Woodhouse wrote:
> >
> > On Tue, 2018-01-09 at 00:44 +, Woodhouse, David wrote:
> > >
> > > On IRC, Arjan assures me that 'pause' here really is sufficien
On Mon, 2018-01-08 at 16:48 -0800, Linus Torvalds wrote:
> On Mon, Jan 8, 2018 at 4:42 PM, David Woodhouse wrote:
> >
> >
> > Hm... on a context switch you're reloading the registers that were in
> > the other saved context.
>
> Actually, iirc we used to
On Tue, 2018-01-09 at 00:44 +, Woodhouse, David wrote:
> On IRC, Arjan assures me that 'pause' here really is sufficient as a
> speculation trap. If we do end up returning back here as a
> misprediction, that 'pause' will stop the speculative execution on
> affected CPUs even though it isn't *a
On Mon, 2018-01-08 at 16:35 -0800, Linus Torvalds wrote:
> On Mon, Jan 8, 2018 at 3:58 PM, Woodhouse, David wrote:
> >>
> >> Is there really nothing more clever we can do?
> >
> > You get this part in the IBRS/microcode solution too. The IBRS MSR
> > doesn't catch everything; you still need to stu
On Mon, 2018-01-08 at 16:24 -0800, Andi Kleen wrote:
> > Probably doesn't matter right there but it's going to end up being used
> > elsewhere with IBRS/IBPB, and the compiler is going to think it needs
> > to save all the call-clobbered registers for that. Do we want to make
> > it use inline asm
On Mon, 2018-01-08 at 15:51 -0800, Andi Kleen wrote:
> From: Andi Kleen
>
> This is an extension of the earlier patch to fill the return buffer
> on context switch. It uses the assembler macros added earlier.
>
> When we go into deeper idle states the return buffer could be cleared
> in MWAIT, b
2: Fix comments about nop between calls,
Move #ifdef CONFIG_RETPOLINE to call sites not macro]
Signed-off-by: Andi Kleen
Signed-off-by: David Woodhouse
---
arch/x86/entry/entry_32.S| 17 +
arch/x86/entry/entry_64.S| 17 +
arch/x86/inc
On Sun, 2018-01-07 at 15:03 +0100, Borislav Petkov wrote:
>
> My fear is if some funky compiler changes the sizes of the insns in
> RETPOLINE_CALL/JMP and then the padding becomes wrong. But looking at the
> labels, they're all close so you have a 2-byte jmp already and the
>
> call 1112f
>
>
>
> That's pessimistic because we likely did more controlled kernel calls.
> So in principle we could do less. However it's hard to maintain such an
> invariant, and it may be broken with more aggressive compilers.
> So err on the side of safety and always fill 30.
>
On Mon, 2018-01-08 at 19:08 +0100, Paolo Bonzini wrote:
>
> + if (have_spec_ctrl && vmx->spec_ctrl != 0)
> + wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
> +
I think this one probably *is* safe even without an 'else lfence',
which means that the CPU can speculate around it, but
> Ok, I can add the read-back check before setting the feature flag(s).
>
> But... what about the case where the guest is a different family than
> hypervisor? If we're on, say, a Fam15h hypervisor but the guest is started
> as a Fam0fh guest where the MSR doesn't exist and LFENCE is supposed to b
> On Mon, Jan 08, 2018 at 02:46:32PM +0100, Thomas Gleixner wrote:
>> On Mon, 8 Jan 2018, Josh Poimboeuf wrote:
>> > On Sun, Jan 07, 2018 at 10:11:16PM +0000, David Woodhouse wrote:
>> > > diff --git a/arch/x86/Makefile b/arch/x86/Makefile
>> > > index
> On Mon, Jan 8, 2018 at 2:45 AM, David Woodhouse wrote:
>> On Mon, 2018-01-08 at 02:34 -0800, Paul Turner wrote:
>>> One detail that is missing is that we still need RSB refill in some
>>> cases.
>>> This is not because the retpoline sequence it
> On Mon, Jan 08, 2018 at 10:53:02AM +0000, David Woodhouse wrote:
>> On Mon, 2018-01-08 at 11:45 +0100, Peter Zijlstra wrote:
>> >
>> >
>> > Should this not use local name labels instead?
>> >
>> > .macro RETPOLINE_JMP reg:
On Mon, 2018-01-08 at 11:45 +0100, Peter Zijlstra wrote:
>
>
> Should this not use local name labels instead?
>
> .macro RETPOLINE_JMP reg:req
>	call	.Ldo_rop_\@
> .Lspec_trap_\@:
>	pause
>	jmp	.Lspec_trap_\@
> .Ldo_rop_\@:
>	mov	\reg, (%_ASM_SP)
>
On Mon, 2018-01-08 at 02:34 -0800, Paul Turner wrote:
> One detail that is missing is that we still need RSB refill in some
> cases.
> This is not because the retpoline sequence itself will underflow (it
> is actually guaranteed not to, since it consumes only RSB entries
> that it generates.
> Bu
On Sun, 2018-01-07 at 18:32 +, Lu, Hongjiu wrote:
>
> If I get positive feedbacks from kernel folks with my GCC 7 patches today, I
> will submit my patches for GCC 8 today. After they are checked in, I will
> backport them to GCC 7/6/5/4.9.
To confirm: These seem to work for me and I've res
his mainly means that we use the frame pointer unwinder and livepatch
is not supported.
Eventually objtool can be fixed to handle this.
Signed-off-by: Andi Kleen
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
---
arch/x86/Kconfig | 4 ++--
arch/x86/Kconfig.debug | 6 +++--
: David Woodhouse
Acked-By: Arjan van de Ven
---
Documentation/admin-guide/kernel-parameters.txt | 3 +++
arch/x86/kernel/cpu/intel.c | 11 +++
2 files changed, 14 insertions(+)
diff --git a/Documentation/admin-guide/kernel-parameters.txt
b/Documentation/admin-guide
Convert indirect call in Xen hypercall to use non-speculative sequence,
when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
---
arch/x86/include/asm/xen/hypercall.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include
From: Andi Kleen
Convert all indirect jumps in 32bit irq inline asm code to use
non speculative sequences.
Signed-off-by: Andi Kleen
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
---
arch/x86/kernel/irq_32.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff
Convert all indirect jumps in crypto assembler code to use non-speculative
sequences when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
---
arch/x86/crypto/aesni-intel_asm.S| 5 +++--
arch/x86/crypto/camellia-aesni-avx-asm_64.S | 3
Convert all indirect jumps in 32bit checksum assembler code to use
non-speculative sequences when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
---
arch/x86/lib/checksum_32.S | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a
hunk.rax is going to be a bare
jmp *%rax anyway.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
---
arch/x86/entry/entry_32.S | 5 +++--
arch/x86/entry/entry_64.S | 12 +---
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/arch/x86/entry/entry_32.S b/arch/x86/en
ing in all circumstances, can
enable this by setting the X86_FEATURE_RETPOLINE_AMD feature bit in addition
to X86_FEATURE_RETPOLINE.
[Andi Kleen: Rename the macros, add CONFIG_RETPOLINE option, export thunks]
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
---
arch/x86/Kconfig
Convert all indirect jumps in ftrace assembler code to use non-speculative
sequences when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
---
arch/x86/kernel/ftrace_32.S | 6 --
arch/x86/kernel/ftrace_64.S | 8
2 files changed, 8 insertions
(3):
x86/retpoline/irq32: Convert assembler indirect jumps
x86/retpoline: Add boot time option to disable retpoline
x86/retpoline: Exclude objtool with retpoline
David Woodhouse (7):
x86/retpoline: Add initial retpoline support
x86/retpoline/crypto: Convert crypto assembler indirect j
Convert all indirect jumps in hyperv inline asm code to use non-speculative
sequences when CONFIG_RETPOLINE is enabled.
Signed-off-by: David Woodhouse
Acked-By: Arjan van de Ven
---
arch/x86/include/asm/mshyperv.h | 18 ++
1 file changed, 10 insertions(+), 8 deletions(-)
diff
On Sun, 2018-01-07 at 18:32 +, Lu, Hongjiu wrote:
>
> > What's the plan for these vs. official GCC? Is that stuff going to part of
> > GCC
> > and if so, which versions of GCC will have that?
>
> If I get positive feedbacks from kernel folks with my GCC 7 patches today, I
> will submit my pa
On Sun, 2018-01-07 at 15:09 +, Lu, Hongjiu wrote:
> Sure, I can use __x86_indirect_thunk_rax.
Great, thanks.
I've made that change on top of your 20171219 patch set which is the
latest I've seen, and pushed it to my tree at
http://git.infradead.org/users/dwmw2/gcc-retpoline.git/shortlog/refs/
On Sun, 2018-01-07 at 12:46 +0100, Borislav Petkov wrote:
>
> >
> > The other fun one for alternatives is in entry_64.S, where we really
> > need the return address of the call instruction to be *precisely* the
> > .Lentry_SYSCALL_64_after_fastpath_call label, so we have to eschew the
> > normal
On Sat, 2018-01-06 at 18:02 +0100, Borislav Petkov wrote:
> On Sat, Jan 06, 2018 at 08:23:21AM +0000, David Woodhouse wrote:
> > Thanks. From code inspection, I couldn't see that it was smart enough
> > *not* to process a relative jump in the 'altinstr' section whi
On Sun, 2018-01-07 at 00:10 +, David Woodhouse wrote:
> Arjan pointed out that CONFIG_TRIM_UNUSED_SYMBOLS *really* doesn't like
> the dot in the symbols that GCC uses for the thunks.
>
> This seems to work, although my eyes are bleeding just a little bit.
>
> Give
Arjan pointed out that CONFIG_TRIM_UNUSED_SYMBOLS *really* doesn't like
the dot in the symbols that GCC uses for the thunks.
This seems to work, although my eyes are bleeding just a little bit.
Given this, and the hack we already needed for MODVERSIONS, I wonder if
a better approach might be to e
Commit-ID: 99c6fa2511d8a683e61468be91b83f85452115fa
Gitweb: https://git.kernel.org/tip/99c6fa2511d8a683e61468be91b83f85452115fa
Author: David Woodhouse
AuthorDate: Sat, 6 Jan 2018 11:49:23 +
Committer: Thomas Gleixner
CommitDate: Sat, 6 Jan 2018 21:57:19 +0100
x86/cpufeatures: Add
On Sat, 2018-01-06 at 10:35 -0800, Eric Biggers wrote:
> On Sat, Jan 06, 2018 at 11:49:24AM +0000, David Woodhouse wrote:
> >
> > +/*
> > + * NOSPEC_JMP and NOSPEC_CALL macros can be used instead of a simple
> > + * indirect jmp/call which may be susceptib
From b330ffe76cbe0574b4ae729b8399e2afbf4bc6eb Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Thu, 4 Jan 2018 13:58:29 +
Subject: [PATCH 02/12] x86/retpoline: Add initial retpoline support
Enable the use of -mindirect-branch=thunk-extern in newer GCC, and provide
the correspond