author     Takashi Iwai <tiwai@suse.de>  2019-11-04 18:49:03 +0100
committer  Takashi Iwai <tiwai@suse.de>  2019-11-04 18:49:03 +0100
commit     ca0f1e9b2c4640918a9ee0b6a6a117a663c8841f (patch)
tree       4d69a5b519f246f35d89a6b9f99295b6b087a721
parent     d34d06bb980f278e70eff35c554e39312cf86caa (diff)
parent     f6b5d238214b221984af0a30ac7a535e61b66516 (diff)
Merge branch 'users/bpetkov/SLE15/15-bsc1117665+bsc1139073' into SLE15
Pull x86 security fixes from Borislav Petkov
-rw-r--r--  config/ppc64le/default | 1
-rw-r--r--  config/x86_64/default | 3
-rw-r--r--  patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch | 15
-rw-r--r--  patches.kabi/kABI-Fix-for-IFU-patches.patch | 77
-rw-r--r--  patches.suse/0001-KVM-x86-use-Intel-speculation-bugs-and-features-as-d.patch | 68
-rw-r--r--  patches.suse/0001-x86-Add-ITLB_MULTIHIT-bug-infrastructure.patch | 256
-rw-r--r--  patches.suse/0002-x86-cpu-Add-Tremont-to-the-cpu-vulnerability.patch | 31
-rw-r--r--  patches.suse/0002-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch | 82
-rw-r--r--  patches.suse/0003-kvm-mmu-ITLB_MULTIHIT-mitigation.patch | 467
-rw-r--r--  patches.suse/0003-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch | 65
-rw-r--r--  patches.suse/0004-kvm-Add-helper-function-for-creating-VM-worker.patch | 130
-rw-r--r--  patches.suse/0004-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch | 250
-rw-r--r--  patches.suse/0005-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch | 358
-rw-r--r--  patches.suse/0005-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch | 310
-rw-r--r--  patches.suse/0006-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch | 118
-rw-r--r--  patches.suse/0007-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch | 63
-rw-r--r--  patches.suse/0008-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch | 64
-rw-r--r--  patches.suse/0009-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch | 513
-rw-r--r--  patches.suse/0010-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch | 134
-rw-r--r--  patches.suse/KVM-vmx-svm-always-run-with-EFER.NXE-1-when-shadow-p.patch | 68
-rw-r--r--  series.conf | 27
21 files changed, 3088 insertions, 12 deletions
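
Taken together, the patches in this merge add two new files under /sys/devices/system/cpu/vulnerabilities/ (itlb_multihit and tsx_async_abort) as well as the tsx= and kvm.nx_huge_pages= parameters. As a quick sanity check after booting a patched kernel, the new reporting can be read back from userspace; the small program below is only an illustration (it is not part of the merge), and the exact strings it prints depend on the CPU and the chosen mitigations:

    /* Illustrative check of the new sysfs vulnerability entries; not part of this merge. */
    #include <stdio.h>

    static void show(const char *path)
    {
        char buf[256];
        FILE *f = fopen(path, "r");

        if (!f) {
            printf("%s: not present (unpatched kernel?)\n", path);
            return;
        }
        if (fgets(buf, sizeof(buf), f))
            printf("%s: %s", path, buf);
        fclose(f);
    }

    int main(void)
    {
        show("/sys/devices/system/cpu/vulnerabilities/itlb_multihit");
        show("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort");
        return 0;
    }
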
diff --git a/config/ppc64le/default b/config/ppc64le/default
index 3084cdf9fa..69d1404b41 100644
--- a/config/ppc64le/default
+++ b/config/ppc64le/default
@@ -567,7 +567,6 @@ CONFIG_IOMMU_HELPER=y
CONFIG_HOTPLUG_CPU=y
CONFIG_ARCH_CPU_PROBE_RELEASE=y
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
-CONFIG_ARCH_HAS_WALK_MEMORY=y
CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
CONFIG_PPC64_SUPPORTS_MEMORY_FAILURE=y
CONFIG_KEXEC=y
diff --git a/config/x86_64/default b/config/x86_64/default
index 4da6d1140c..804ba7f1ba 100644
--- a/config/x86_64/default
+++ b/config/x86_64/default
@@ -652,6 +652,9 @@ CONFIG_ARCH_RANDOM=y
CONFIG_X86_SMAP=y
CONFIG_X86_INTEL_MPX=y
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+# CONFIG_X86_INTEL_TSX_MODE_OFF is not set
+CONFIG_X86_INTEL_TSX_MODE_ON=y
+# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFI_MIXED=y
diff --git a/patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch b/patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch
index 757153ec7c..55f8d03c0c 100644
--- a/patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch
+++ b/patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch
@@ -10,16 +10,14 @@ Signed-off-by: Joerg Roedel <jroedel@suse.de>
include/linux/kvm_host.h | 6 +++++-
2 files changed, 7 insertions(+), 3 deletions(-)
-diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index 442c7fcb1bf6..66f9b603a6d8 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
-@@ -276,18 +276,18 @@ struct kvm_rmap_head {
- struct kvm_mmu_page {
- struct list_head link;
+@@ -278,18 +278,17 @@ struct kvm_mmu_page {
struct hlist_node hash_link;
-- bool unsync;
+ struct list_head lpage_disallowed_link;
+- bool unsync;
+-
/*
* The following two entries are used to key the shadow page in the
* hash table.
@@ -35,8 +33,6 @@ index 442c7fcb1bf6..66f9b603a6d8 100644
int root_count; /* Currently serving as active root */
unsigned int unsync_children;
struct kvm_rmap_head parent_ptes; /* rmap pointers to parent sptes */
-diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index 9635792374a4..2499d43b1600 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1016,15 +1016,19 @@ enum kvm_stat_kind {
@@ -60,6 +56,3 @@ index 9635792374a4..2499d43b1600 100644
};
extern struct kvm_stats_debugfs_item debugfs_entries[];
extern struct dentry *kvm_debugfs_dir;
---
-2.16.3
-
diff --git a/patches.kabi/kABI-Fix-for-IFU-patches.patch b/patches.kabi/kABI-Fix-for-IFU-patches.patch
new file mode 100644
index 0000000000..a5e2b80b71
--- /dev/null
+++ b/patches.kabi/kABI-Fix-for-IFU-patches.patch
@@ -0,0 +1,77 @@
+From: Joerg Roedel <jroedel@suse.de>
+Date: Mon, 28 Oct 2019 10:54:25 +0100
+Subject: [PATCH] kABI Fix for IFU patches
+Patch-mainline: Never, kABI Fix only
+References: bsc#1117665, CVE-2018-12207
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/include/asm/kvm_host.h | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 245ffa94971a..821dcdaca123 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -276,7 +276,6 @@ struct kvm_rmap_head {
+ struct kvm_mmu_page {
+ struct list_head link;
+ struct hlist_node hash_link;
+- struct list_head lpage_disallowed_link;
+
+ /*
+ * The following two entries are used to key the shadow page in the
+@@ -295,7 +294,6 @@ struct kvm_mmu_page {
+
+ /* The page is obsolete if mmu_valid_gen != kvm->arch.mmu_valid_gen. */
+ unsigned long mmu_valid_gen;
+- bool lpage_disallowed; /* Can't be replaced by an equiv large page */
+
+ DECLARE_BITMAP(unsync_child_bitmap, 512);
+
+@@ -309,6 +307,11 @@ struct kvm_mmu_page {
+
+ /* Number of writes since the last time traversal visited this page. */
+ atomic_t write_flooding_count;
++
++#ifndef __GENKSYMS__
++ struct list_head lpage_disallowed_link;
++ bool lpage_disallowed; /* Can't be replaced by an equiv large page */
++#endif
+ };
+
+ struct kvm_pio_request {
+@@ -797,7 +800,6 @@ struct kvm_arch {
+ */
+ struct list_head active_mmu_pages;
+ struct list_head zapped_obsolete_pages;
+- struct list_head lpage_disallowed_mmu_pages;
+ struct kvm_page_track_notifier_node mmu_sp_tracker;
+ struct kvm_page_track_notifier_head track_notifier_head;
+
+@@ -876,7 +878,10 @@ struct kvm_arch {
+
+ struct kvm_sev_info sev_info;
+
++#ifndef __GENKSYMS__
++ struct list_head lpage_disallowed_mmu_pages;
+ struct task_struct *nx_lpage_recovery_thread;
++#endif
+ };
+
+ struct kvm_vm_stat {
+@@ -890,8 +895,10 @@ struct kvm_vm_stat {
+ ulong mmu_unsync;
+ ulong remote_tlb_flush;
+ ulong lpages;
+- ulong nx_lpage_splits;
+ ulong max_mmu_page_hash_collisions;
++#ifndef __GENKSYMS__
++ ulong nx_lpage_splits;
++#endif
+ };
+
+ struct kvm_vcpu_stat {
+--
+2.16.3
+
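
The kABI fix above relies on how genksyms computes symbol checksums: it only sees the structure layout present at CRC-generation time, so members wrapped in #ifndef __GENKSYMS__ are compiled into the kernel but left out of the checksum, keeping the exported kABI CRCs unchanged. A minimal, hypothetical sketch of the idiom (the struct and member names are illustrative, not taken from the patch):

    /* Hypothetical illustration of the __GENKSYMS__ kABI-preservation idiom. */
    #include <linux/list.h>
    #include <linux/types.h>

    struct example_state {
        unsigned long     flags;     /* original members: visible to genksyms, CRC unchanged */
        void             *private;

    #ifndef __GENKSYMS__
        /*
         * New members: hidden from genksyms so the symbol CRCs stay stable.
         * sizeof(struct example_state) still grows, so this is only safe when
         * the structure is allocated by code rebuilt with this header, as
         * kvm_mmu_page and kvm_arch are in the patch above.
         */
        struct list_head  new_link;
        bool              new_flag;
    #endif
    };
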
diff --git a/patches.suse/0001-KVM-x86-use-Intel-speculation-bugs-and-features-as-d.patch b/patches.suse/0001-KVM-x86-use-Intel-speculation-bugs-and-features-as-d.patch
new file mode 100644
index 0000000000..21cc836e3d
--- /dev/null
+++ b/patches.suse/0001-KVM-x86-use-Intel-speculation-bugs-and-features-as-d.patch
@@ -0,0 +1,68 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 19 Aug 2019 17:24:07 +0200
+Subject: [PATCH 01/10] KVM: x86: use Intel speculation bugs and features as
+ derived in generic x86 code
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit 0c54914d0c52a15db9954a76ce80fee32cf318f4 upstream
+
+Similar to AMD bits, set the Intel bits from the vendor-independent
+feature and bug flags, because KVM_GET_SUPPORTED_CPUID does not care
+about the vendor and they should be set on AMD processors as well.
+
+Suggested-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/cpuid.c | 17 ++++++++++++-----
+ arch/x86/kvm/x86.c | 8 ++++++++
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -482,11 +482,18 @@ static inline int __do_cpuid_ent(struct
+ /* PKU is not yet implemented for shadow paging. */
+ if (!tdp_enabled || !boot_cpu_has(X86_FEATURE_OSPKE))
+ entry->ecx &= ~F(PKU);
+- entry->edx &= kvm_cpuid_7_0_edx_x86_features;
+- cpuid_mask(&entry->edx, CPUID_7_EDX);
+- /*
+- * We emulate ARCH_CAPABILITIES in software even
+- * if the host doesn't support it.
++
++ entry->edx &= kvm_cpuid_7_0_edx_x86_features;
++ cpuid_mask(&entry->edx, CPUID_7_EDX);
++ if (boot_cpu_has(X86_FEATURE_IBPB) && boot_cpu_has(X86_FEATURE_IBRS))
++ entry->edx |= F(SPEC_CTRL);
++ if (boot_cpu_has(X86_FEATURE_STIBP))
++ entry->edx |= F(INTEL_STIBP);
++ if (boot_cpu_has(X86_FEATURE_SSBD))
++ entry->edx |= F(SPEC_CTRL_SSBD);
++ /*
++ * We emulate ARCH_CAPABILITIES in software even
++ * if the host doesn't support it.
+ */
+ entry->edx |= F(ARCH_CAPABILITIES);
+ } else {
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1075,8 +1075,16 @@ u64 kvm_get_arch_capabilities(void)
+ if (l1tf_vmx_mitigation != VMENTER_L1D_FLUSH_NEVER)
+ data |= ARCH_CAP_SKIP_VMENTRY_L1DFLUSH;
+
++ if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
++ data |= ARCH_CAP_RDCL_NO;
++ if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
++ data |= ARCH_CAP_SSB_NO;
++ if (!boot_cpu_has_bug(X86_BUG_MDS))
++ data |= ARCH_CAP_MDS_NO;
++
+ return data;
+ }
++
+ EXPORT_SYMBOL_GPL(kvm_get_arch_capabilities);
+
+ static int kvm_get_msr_feature(struct kvm_msr_entry *msr)
diff --git a/patches.suse/0001-x86-Add-ITLB_MULTIHIT-bug-infrastructure.patch b/patches.suse/0001-x86-Add-ITLB_MULTIHIT-bug-infrastructure.patch
new file mode 100644
index 0000000000..a2c4cf8191
--- /dev/null
+++ b/patches.suse/0001-x86-Add-ITLB_MULTIHIT-bug-infrastructure.patch
@@ -0,0 +1,256 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Mon, 28 Oct 2019 09:55:28 +0100
+Subject: [PATCH 1/5] x86: Add ITLB_MULTIHIT bug infrastructure
+Patch-mainline: No, still under discussion
+References: bsc#1117665, CVE-2018-12207
+
+Some processors may incur a machine check error possibly
+resulting in an unrecoverable cpu hang when an instruction fetch
+encounters a TLB multi-hit in the instruction TLB. This can occur
+when the page size is changed along with either the physical
+address or cache type [1].
+
+This issue affects both bare-metal x86 page tables and EPT.
+
+This can be mitigated by either eliminating the use of large
+pages or by using careful TLB invalidations when changing the
+page size in the page tables.
+
+Just like Spectre, Meltdown, L1TF and MDS, a new bit has been
+allocated in MSR_IA32_ARCH_CAPABILITIES (PSCHANGE_MC_NO) and will
+be set on CPUs which are mitigated against this issue.
+
+[1] For example please refer to erratum SKL002 in "6th Generation
+Intel Processor Family Specification Update"
+https://www.intel.com/content/www/us/en/products/docs/processors/core/desktop-6th-gen-core-family-spec-update.html
+https://www.google.com/search?q=site:intel.com+SKL002
+
+There are a lot of other affected processors outside of Skylake, and
+the erratum (referred to above) does not fully disclose the issue and
+the impact, both on Skylake and across all the affected CPUs.
+
+Signed-off-by: Vineela Tummalapalli <vineela.tummalapalli@intel.com>
+Co-developed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/ABI/testing/sysfs-devices-system-cpu | 1 +
+ arch/x86/include/asm/cpufeatures.h | 1 +
+ arch/x86/include/asm/msr-index.h | 7 +++
+ arch/x86/kernel/cpu/bugs.c | 13 ++++
+ arch/x86/kernel/cpu/common.c | 71 ++++++++++++----------
+ drivers/base/cpu.c | 8 +++
+ include/linux/cpu.h | 2 +
+ 7 files changed, 70 insertions(+), 33 deletions(-)
+
+--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
+@@ -382,6 +382,7 @@ What: /sys/devices/system/cpu/vulnerabi
+ /sys/devices/system/cpu/vulnerabilities/l1tf
+ /sys/devices/system/cpu/vulnerabilities/mds
+ /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
++ /sys/devices/system/cpu/vulnerabilities/itlb_multihit
+ Date: January 2018
+ Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
+ Description: Information about CPU vulnerabilities
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -392,5 +392,6 @@
+ #define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */
+ #define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
+ #define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
++#define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
+
+ #endif /* _ASM_X86_CPUFEATURES_H */
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -83,6 +83,13 @@
+ * Microarchitectural Data
+ * Sampling (MDS) vulnerabilities.
+ */
++#define ARCH_CAP_PSCHANGE_MC_NO BIT(6) /*
++ * The processor is not susceptible to a
++ * machine check error due to modifying the
++ * code page size along with either the
++ * physical address or cache type
++ * without TLB invalidation.
++ */
+ #define ARCH_CAP_TSX_CTRL_MSR BIT(7) /* MSR for TSX control is available. */
+ #define ARCH_CAP_TAA_NO BIT(8) /*
+ * Not susceptible to
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1399,6 +1399,11 @@ static ssize_t l1tf_show_state(char *buf
+ }
+ #endif
+
++static ssize_t itlb_multihit_show_state(char *buf)
++{
++ return sprintf(buf, "Processor vulnerable\n");
++}
++
+ static ssize_t mds_show_state(char *buf)
+ {
+ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
+@@ -1504,6 +1509,9 @@ static ssize_t cpu_show_common(struct de
+ case X86_BUG_TAA:
+ return tsx_async_abort_show_state(buf);
+
++ case X86_BUG_ITLB_MULTIHIT:
++ return itlb_multihit_show_state(buf);
++
+ default:
+ break;
+ }
+@@ -1545,4 +1553,9 @@ ssize_t cpu_show_tsx_async_abort(struct
+ {
+ return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
+ }
++
++ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf)
++{
++ return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
++}
+ #endif
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -902,13 +902,14 @@ static void identify_cpu_without_cpuid(s
+ #endif
+ }
+
+-#define NO_SPECULATION BIT(0)
+-#define NO_MELTDOWN BIT(1)
+-#define NO_SSB BIT(2)
+-#define NO_L1TF BIT(3)
+-#define NO_MDS BIT(4)
+-#define MSBDS_ONLY BIT(5)
+-#define NO_SWAPGS BIT(6)
++#define NO_SPECULATION BIT(0)
++#define NO_MELTDOWN BIT(1)
++#define NO_SSB BIT(2)
++#define NO_L1TF BIT(3)
++#define NO_MDS BIT(4)
++#define MSBDS_ONLY BIT(5)
++#define NO_SWAPGS BIT(6)
++#define NO_ITLB_MULTIHIT BIT(7)
+
+ #define VULNWL(_vendor, _family, _model, _whitelist) \
+ { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
+@@ -929,26 +930,26 @@ static const __initconst struct x86_cpu_
+ VULNWL(NSC, 5, X86_MODEL_ANY, NO_SPECULATION),
+
+ /* Intel Family 6 */
+- VULNWL_INTEL(ATOM_SALTWELL, NO_SPECULATION),
+- VULNWL_INTEL(ATOM_SALTWELL_TABLET, NO_SPECULATION),
+- VULNWL_INTEL(ATOM_SALTWELL_MID, NO_SPECULATION),
+- VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION),
+- VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION),
+-
+- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
+- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
++ VULNWL_INTEL(ATOM_SALTWELL, NO_SPECULATION | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_SALTWELL_TABLET, NO_SPECULATION | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_SALTWELL_MID, NO_SPECULATION | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION | NO_ITLB_MULTIHIT),
++
++ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
+
+ VULNWL_INTEL(CORE_YONAH, NO_SSB),
+
+- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
++ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT),
+
+- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS),
+- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS),
+- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS),
++ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
+
+ /*
+ * Technically, swapgs isn't serializing on AMD (despite it previously
+@@ -959,14 +960,14 @@ static const __initconst struct x86_cpu_
+ */
+
+ /* AMD Family 0xf - 0x12 */
+- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
+- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
+- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
+- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
++ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
+
+ /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
+- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS),
+- VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS),
++ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
++ VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
+ {}
+ };
+
+@@ -991,6 +992,10 @@ static void __init cpu_set_bug_bits(stru
+ {
+ u64 ia32_cap = x86_read_arch_cap_msr();
+
++ /* Set ITLB_MULTIHIT bug if cpu is not in the whitelist and not mitigated */
++ if (!cpu_matches(NO_ITLB_MULTIHIT) && !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO))
++ setup_force_cpu_bug(X86_BUG_ITLB_MULTIHIT);
++
+ if (cpu_matches(NO_SPECULATION))
+ return;
+
+--- a/drivers/base/cpu.c
++++ b/drivers/base/cpu.c
+@@ -546,6 +546,12 @@ ssize_t __weak cpu_show_tsx_async_abort(
+ return sprintf(buf, "Not affected\n");
+ }
+
++ssize_t __weak cpu_show_itlb_multihit(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ return sprintf(buf, "Not affected\n");
++}
++
+ static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
+ static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
+ static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+@@ -553,6 +559,7 @@ static DEVICE_ATTR(spec_store_bypass, 04
+ static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL);
+ static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL);
+ static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
++static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
+
+ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+ &dev_attr_meltdown.attr,
+@@ -562,6 +569,7 @@ static struct attribute *cpu_root_vulner
+ &dev_attr_l1tf.attr,
+ &dev_attr_mds.attr,
+ &dev_attr_tsx_async_abort.attr,
++ &dev_attr_itlb_multihit.attr,
+ NULL
+ };
+
+--- a/include/linux/cpu.h
++++ b/include/linux/cpu.h
+@@ -61,6 +61,8 @@ extern ssize_t cpu_show_mds(struct devic
+ extern ssize_t cpu_show_tsx_async_abort(struct device *dev,
+ struct device_attribute *attr,
+ char *buf);
++extern ssize_t cpu_show_itlb_multihit(struct device *dev,
++ struct device_attribute *attr, char *buf);
+
+ extern __printf(4, 5)
+ struct device *cpu_device_create(struct device *parent, void *drvdata,
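
The net effect of the cpu_set_bug_bits() hunk above is a single decision: flag X86_BUG_ITLB_MULTIHIT unless the CPU is on the NO_ITLB_MULTIHIT whitelist or its IA32_ARCH_CAPABILITIES MSR advertises PSCHANGE_MC_NO. A simplified, hedged restatement of that check (the real code uses cpu_matches() and setup_force_cpu_bug()):

    /* Simplified restatement of the new ITLB_MULTIHIT check; not the kernel code itself. */
    #include <stdbool.h>
    #include <stdint.h>

    #define ARCH_CAP_PSCHANGE_MC_NO (1ULL << 6)   /* bit 6, as defined in msr-index.h above */

    static bool itlb_multihit_affected(bool whitelisted, uint64_t ia32_cap)
    {
        /* Affected unless whitelisted or the CPU reports the hardware fix. */
        return !whitelisted && !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO);
    }
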
diff --git a/patches.suse/0002-x86-cpu-Add-Tremont-to-the-cpu-vulnerability.patch b/patches.suse/0002-x86-cpu-Add-Tremont-to-the-cpu-vulnerability.patch
new file mode 100644
index 0000000000..5c6821cdaa
--- /dev/null
+++ b/patches.suse/0002-x86-cpu-Add-Tremont-to-the-cpu-vulnerability.patch
@@ -0,0 +1,31 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Mon, 28 Oct 2019 09:55:28 +0100
+Subject: [PATCH 2/5] x86/cpu: Add Tremont to the cpu vulnerability
+Patch-mainline: No, still under discussion
+References: bsc#1117665, CVE-2018-12207
+
+ whitelist
+
+This patch adds the new cpu family ATOM_TREMONT_D to the cpu vulnerability
+whitelist. ATOM_TREMONT_D is not affected by X86_BUG_ITLB_MULTIHIT. There
+may be more bugs not affecting ATOM_TREMONT_D which are not known at
+this point and could be added later.
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kernel/cpu/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -959,6 +959,8 @@ static const __initconst struct x86_cpu_
+ * good enough for our purposes.
+ */
+
++ VULNWL_INTEL(ATOM_TREMONT_X, NO_ITLB_MULTIHIT),
++
+ /* AMD Family 0xf - 0x12 */
+ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
+ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
diff --git a/patches.suse/0002-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch b/patches.suse/0002-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch
new file mode 100644
index 0000000000..3d0e803298
--- /dev/null
+++ b/patches.suse/0002-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch
@@ -0,0 +1,82 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Wed, 23 Oct 2019 10:45:50 +0200
+Subject: [PATCH 02/10] x86/msr: Add the IA32_TSX_CTRL MSR
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit c2955f270a84762343000f103e0640d29c7a96f3 upstream
+
+Transactional Synchronization Extensions (TSX) may be used on certain
+processors as part of a speculative side channel attack. A microcode
+update for existing processors that are vulnerable to this attack will
+add a new MSR - IA32_TSX_CTRL to allow the system administrator the
+option to disable TSX as one of the possible mitigations.
+
+The CPUs which get this new MSR after a microcode upgrade are the ones
+which do not set MSR_IA32_ARCH_CAPABILITIES.MDS_NO (bit 5) because those
+CPUs have CPUID.MD_CLEAR, i.e., the VERW implementation which clears all
+CPU buffers takes care of the TAA case as well.
+
+ [ Note that future processors that are not vulnerable will also
+ support the IA32_TSX_CTRL MSR. ]
+
+Add defines for the new IA32_TSX_CTRL MSR and its bits.
+
+TSX has two sub-features:
+
+1. Restricted Transactional Memory (RTM) is an explicitly-used feature
+ where new instructions begin and end TSX transactions.
+2. Hardware Lock Elision (HLE) is implicitly used when certain kinds of
+ "old" style locks are used by software.
+
+Bit 7 of the IA32_ARCH_CAPABILITIES indicates the presence of the
+IA32_TSX_CTRL MSR.
+
+There are two control bits in IA32_TSX_CTRL MSR:
+
+ Bit 0: When set, it disables the Restricted Transactional Memory (RTM)
+ sub-feature of TSX (will force all transactions to abort on the
+ XBEGIN instruction).
+
+ Bit 1: When set, it disables the enumeration of the RTM and HLE feature
+ (i.e. it will make CPUID(EAX=7).EBX{bit4} and
+ CPUID(EAX=7).EBX{bit11} read as 0).
+
+The other TSX sub-feature, Hardware Lock Elision (HLE), is
+unconditionally disabled by the new microcode but still enumerated
+as present by CPUID(EAX=7).EBX{bit4}, unless disabled by
+IA32_TSX_CTRL_MSR[1] - TSX_CTRL_CPUID_CLEAR.
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
+Reviewed-by: Mark Gross <mgross@linux.intel.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/include/asm/msr-index.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -83,6 +83,7 @@
+ * Microarchitectural Data
+ * Sampling (MDS) vulnerabilities.
+ */
++#define ARCH_CAP_TSX_CTRL_MSR BIT(7) /* MSR for TSX control is available. */
+
+ #define MSR_IA32_FLUSH_CMD 0x0000010b
+ #define L1D_FLUSH BIT(0) /*
+@@ -93,6 +94,10 @@
+ #define MSR_IA32_BBL_CR_CTL 0x00000119
+ #define MSR_IA32_BBL_CR_CTL3 0x0000011e
+
++#define MSR_IA32_TSX_CTRL 0x00000122
++#define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */
++#define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */
++
+ #define MSR_IA32_SYSENTER_CS 0x00000174
+ #define MSR_IA32_SYSENTER_ESP 0x00000175
+ #define MSR_IA32_SYSENTER_EIP 0x00000176
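
As the message above explains, IA32_TSX_CTRL (MSR 0x122) only exists where IA32_ARCH_CAPABILITIES bit 7 (ARCH_CAP_TSX_CTRL_MSR) is set after the microcode update. A hedged userspace sketch of that availability check via the msr driver's /dev/cpu/*/msr interface (requires root and the msr module loaded; not part of this patch set):

    /* Reads IA32_ARCH_CAPABILITIES (0x10a) and reports whether IA32_TSX_CTRL (0x122)
     * is advertised.  The msr driver uses the file offset as the MSR number. */
    #include <fcntl.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        uint64_t cap = 0;
        int fd = open("/dev/cpu/0/msr", O_RDONLY);

        if (fd < 0) {
            perror("open /dev/cpu/0/msr (msr module loaded? running as root?)");
            return 1;
        }
        if (pread(fd, &cap, sizeof(cap), 0x10a) != sizeof(cap)) {
            perror("read IA32_ARCH_CAPABILITIES");
            close(fd);
            return 1;
        }
        close(fd);
        printf("IA32_TSX_CTRL is %savailable (ARCH_CAPABILITIES=0x%llx)\n",
               (cap & (1ULL << 7)) ? "" : "not ",
               (unsigned long long)cap);
        return 0;
    }
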
diff --git a/patches.suse/0003-kvm-mmu-ITLB_MULTIHIT-mitigation.patch b/patches.suse/0003-kvm-mmu-ITLB_MULTIHIT-mitigation.patch
new file mode 100644
index 0000000000..751714d970
--- /dev/null
+++ b/patches.suse/0003-kvm-mmu-ITLB_MULTIHIT-mitigation.patch
@@ -0,0 +1,467 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 28 Oct 2019 09:55:28 +0100
+Subject: [PATCH 3/5] kvm: mmu: ITLB_MULTIHIT mitigation
+Patch-mainline: No, still under discussion
+References: bsc#1117665, CVE-2018-12207
+
+With some Intel processors, putting the same virtual address in the TLB
+as both a 4 KiB and 2 MiB page can confuse the instruction fetch unit
+and cause the processor to issue a machine check. Unfortunately if EPT
+page tables use huge pages, it is possible for a malicious guest to cause
+this situation.
+
+This patch adds a knob to mark huge pages as non-executable. When the
+nx_huge_pages parameter is enabled (and we are using EPT), all huge pages
+are marked as NX. If the guest attempts to execute in one of those pages,
+the page is broken down into 4K pages, which are then marked executable.
+
+This is not an issue for shadow paging (except nested EPT), because then
+the host is in control of TLB flushes and the problematic situation cannot
+happen. With nested EPT, again the nested guest can cause problems so we
+treat shadow and direct EPT the same.
+
+Signed-off-by: Junaid Shahid <junaids@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 11 +
+ arch/x86/include/asm/kvm_host.h | 2
+ arch/x86/kernel/cpu/bugs.c | 13 ++
+ arch/x86/kvm/mmu.c | 135 ++++++++++++++++++++++--
+ arch/x86/kvm/paging_tmpl.h | 29 ++++-
+ arch/x86/kvm/x86.c | 10 +
+ 6 files changed, 187 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -294,6 +294,7 @@ struct kvm_mmu_page {
+
+ /* The page is obsolete if mmu_valid_gen != kvm->arch.mmu_valid_gen. */
+ unsigned long mmu_valid_gen;
++ bool lpage_disallowed; /* Can't be replaced by an equiv large page */
+
+ DECLARE_BITMAP(unsync_child_bitmap, 512);
+
+@@ -883,6 +884,7 @@ struct kvm_vm_stat {
+ ulong mmu_unsync;
+ ulong remote_tlb_flush;
+ ulong lpages;
++ ulong nx_lpage_splits;
+ ulong max_mmu_page_hash_collisions;
+ };
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1194,6 +1194,9 @@ static void ssb_select_mitigation(void)
+ pr_info("%s\n", ssb_strings[ssb_mode]);
+ }
+
++bool itlb_multihit_kvm_mitigation;
++EXPORT_SYMBOL_GPL(itlb_multihit_kvm_mitigation);
++
+ #undef pr_fmt
+ #define pr_fmt(fmt) "Speculation prctl: " fmt
+
+@@ -1394,17 +1397,25 @@ static ssize_t l1tf_show_state(char *buf
+ l1tf_vmx_states[l1tf_vmx_mitigation],
+ sched_smt_active() ? "vulnerable" : "disabled");
+ }
++
++static ssize_t itlb_multihit_show_state(char *buf)
++{
++ if (itlb_multihit_kvm_mitigation)
++ return sprintf(buf, "KVM: Mitigation: Split huge pages\n");
++ else
++ return sprintf(buf, "KVM: Vulnerable\n");
++}
+ #else
+ static ssize_t l1tf_show_state(char *buf)
+ {
+ return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
+ }
+-#endif
+
+ static ssize_t itlb_multihit_show_state(char *buf)
+ {
+ return sprintf(buf, "Processor vulnerable\n");
+ }
++#endif
+
+ static ssize_t mds_show_state(char *buf)
+ {
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -49,6 +49,20 @@
+ #include <asm/kvm_page_track.h>
+ #include "trace.h"
+
++extern bool itlb_multihit_kvm_mitigation;
++
++static int __read_mostly nx_huge_pages = -1;
++
++static int set_nx_huge_pages(const char *val, const struct kernel_param *kp);
++
++static struct kernel_param_ops nx_huge_pages_ops = {
++ .set = set_nx_huge_pages,
++ .get = param_get_bool,
++};
++
++module_param_cb(nx_huge_pages, &nx_huge_pages_ops, &nx_huge_pages, 0644);
++__MODULE_PARM_TYPE(nx_huge_pages, "bool");
++
+ /*
+ * When setting this variable to true it enables Two-Dimensional-Paging
+ * where the hardware walks 2 page tables:
+@@ -267,6 +281,11 @@ static inline bool spte_ad_enabled(u64 s
+ return !(spte & shadow_acc_track_value);
+ }
+
++static bool is_nx_huge_page_enabled(void)
++{
++ return READ_ONCE(nx_huge_pages);
++}
++
+ static inline u64 spte_shadow_accessed_mask(u64 spte)
+ {
+ MMU_WARN_ON((spte & shadow_mmio_mask) == shadow_mmio_value);
+@@ -1079,6 +1098,15 @@ static void account_shadowed(struct kvm
+ kvm_mmu_gfn_disallow_lpage(slot, gfn);
+ }
+
++static void account_huge_nx_page(struct kvm *kvm, struct kvm_mmu_page *sp)
++{
++ if (sp->lpage_disallowed)
++ return;
++
++ ++kvm->stat.nx_lpage_splits;
++ sp->lpage_disallowed = true;
++}
++
+ static void unaccount_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
+ {
+ struct kvm_memslots *slots;
+@@ -1096,6 +1124,12 @@ static void unaccount_shadowed(struct kv
+ kvm_mmu_gfn_allow_lpage(slot, gfn);
+ }
+
++static void unaccount_huge_nx_page(struct kvm *kvm, struct kvm_mmu_page *sp)
++{
++ --kvm->stat.nx_lpage_splits;
++ sp->lpage_disallowed = false;
++}
++
+ static bool __mmu_gfn_lpage_is_disallowed(gfn_t gfn, int level,
+ struct kvm_memory_slot *slot)
+ {
+@@ -2643,6 +2677,9 @@ static int kvm_mmu_prepare_zap_page(stru
+ kvm_reload_remote_mmus(kvm);
+ }
+
++ if (sp->lpage_disallowed)
++ unaccount_huge_nx_page(kvm, sp);
++
+ sp->role.invalid = 1;
+ return ret;
+ }
+@@ -2808,6 +2845,11 @@ static int set_spte(struct kvm_vcpu *vcp
+ if (!speculative)
+ spte |= spte_shadow_accessed_mask(spte);
+
++ if (level > PT_PAGE_TABLE_LEVEL && (pte_access & ACC_EXEC_MASK) &&
++ is_nx_huge_page_enabled()) {
++ pte_access &= ~ACC_EXEC_MASK;
++ }
++
+ if (pte_access & ACC_EXEC_MASK)
+ spte |= shadow_x_mask;
+ else
+@@ -3021,9 +3063,32 @@ static void direct_pte_prefetch(struct k
+ __direct_pte_prefetch(vcpu, sp, sptep);
+ }
+
++static void disallowed_hugepage_adjust(struct kvm_shadow_walk_iterator it,
++ gfn_t gfn, kvm_pfn_t *pfnp, int *levelp)
++{
++ int level = *levelp;
++ u64 spte = *it.sptep;
++
++ if (it.level == level && level > PT_PAGE_TABLE_LEVEL &&
++ is_nx_huge_page_enabled() &&
++ is_shadow_present_pte(spte) &&
++ !is_large_pte(spte)) {
++ /*
++ * A small SPTE exists for this pfn, but FNAME(fetch)
++ * and __direct_map would like to create a large PTE
++ * instead: just force them to go down another level,
++ * patching back for them into pfn the next 9 bits of
++ * the address.
++ */
++ u64 page_mask = KVM_PAGES_PER_HPAGE(level) - KVM_PAGES_PER_HPAGE(level - 1);
++ *pfnp |= gfn & page_mask;
++ (*levelp)--;
++ }
++}
++
+ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t gpa, int write,
+ int map_writable, int level, kvm_pfn_t pfn,
+- bool prefault)
++ bool prefault, bool lpage_disallowed)
+ {
+ struct kvm_shadow_walk_iterator it;
+ struct kvm_mmu_page *sp;
+@@ -3036,6 +3101,12 @@ static int __direct_map(struct kvm_vcpu
+
+ trace_kvm_mmu_spte_requested(gpa, level, pfn);
+ for_each_shadow_entry(vcpu, gpa, it) {
++ /*
++ * We cannot overwrite existing page tables with an NX
++ * large page, as the leaf could be executable.
++ */
++ disallowed_hugepage_adjust(it, gfn, &pfn, &level);
++
+ base_gfn = gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
+ if (it.level == level)
+ break;
+@@ -3046,6 +3117,8 @@ static int __direct_map(struct kvm_vcpu
+ it.level - 1, true, ACC_ALL);
+
+ link_shadow_page(vcpu, it.sptep, sp);
++ if (lpage_disallowed)
++ account_huge_nx_page(vcpu->kvm, sp);
+ }
+ }
+
+@@ -3345,11 +3418,14 @@ static int nonpaging_map(struct kvm_vcpu
+ {
+ int r;
+ int level;
+- bool force_pt_level = false;
++ bool force_pt_level;
+ kvm_pfn_t pfn;
+ unsigned long mmu_seq;
+ bool map_writable, write = error_code & PFERR_WRITE_MASK;
++ bool lpage_disallowed = (error_code & PFERR_FETCH_MASK) &&
++ is_nx_huge_page_enabled();
+
++ force_pt_level = lpage_disallowed;
+ level = mapping_level(vcpu, gfn, &force_pt_level);
+ if (likely(!force_pt_level)) {
+ /*
+@@ -3383,7 +3459,8 @@ static int nonpaging_map(struct kvm_vcpu
+ goto out_unlock;
+ if (likely(!force_pt_level))
+ transparent_hugepage_adjust(vcpu, gfn, &pfn, &level);
+- r = __direct_map(vcpu, v, write, map_writable, level, pfn, prefault);
++ r = __direct_map(vcpu, v, write, map_writable, level, pfn,
++ prefault, false);
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+ kvm_release_pfn_clean(pfn);
+@@ -3932,6 +4009,8 @@ static int tdp_page_fault(struct kvm_vcp
+ unsigned long mmu_seq;
+ int write = error_code & PFERR_WRITE_MASK;
+ bool map_writable;
++ bool lpage_disallowed = (error_code & PFERR_FETCH_MASK) &&
++ is_nx_huge_page_enabled();
+
+ MMU_WARN_ON(!VALID_PAGE(vcpu->arch.mmu.root_hpa));
+
+@@ -3942,8 +4021,9 @@ static int tdp_page_fault(struct kvm_vcp
+ if (r)
+ return r;
+
+- force_pt_level = !check_hugepage_cache_consistency(vcpu, gfn,
+- PT_DIRECTORY_LEVEL);
++ force_pt_level =
++ lpage_disallowed ||
++ !check_hugepage_cache_consistency(vcpu, gfn, PT_DIRECTORY_LEVEL);
+ level = mapping_level(vcpu, gfn, &force_pt_level);
+ if (likely(!force_pt_level)) {
+ if (level > PT_DIRECTORY_LEVEL &&
+@@ -3972,7 +4052,8 @@ static int tdp_page_fault(struct kvm_vcp
+ goto out_unlock;
+ if (likely(!force_pt_level))
+ transparent_hugepage_adjust(vcpu, gfn, &pfn, &level);
+- r = __direct_map(vcpu, gpa, write, map_writable, level, pfn, prefault);
++ r = __direct_map(vcpu, gpa, write, map_writable, level, pfn,
++ prefault, lpage_disallowed);
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+ kvm_release_pfn_clean(pfn);
+@@ -5553,10 +5634,52 @@ static void mmu_destroy_caches(void)
+ kmem_cache_destroy(mmu_page_header_cache);
+ }
+
++static void __set_nx_huge_pages(bool val)
++{
++ nx_huge_pages = itlb_multihit_kvm_mitigation = val;
++}
++
++static int set_nx_huge_pages(const char *val, const struct kernel_param *kp)
++{
++ bool old_val = nx_huge_pages;
++ bool new_val;
++
++ /* In "auto" mode deploy workaround only if CPU has the bug. */
++ if (sysfs_streq(val, "off"))
++ new_val = 0;
++ else if (sysfs_streq(val, "force"))
++ new_val = 1;
++ else if (sysfs_streq(val, "auto"))
++ new_val = boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT);
++ else if (strtobool(val, &new_val) < 0)
++ return -EINVAL;
++
++ __set_nx_huge_pages(new_val);
++
++ if (new_val != old_val) {
++ struct kvm *kvm;
++ int idx;
++
++ mutex_lock(&kvm_lock);
++
++ list_for_each_entry(kvm, &vm_list, vm_list) {
++ idx = srcu_read_lock(&kvm->srcu);
++ kvm_mmu_invalidate_zap_all_pages(kvm);
++ srcu_read_unlock(&kvm->srcu, idx);
++ }
++ mutex_unlock(&kvm_lock);
++ }
++
++ return 0;
++}
++
+ int kvm_mmu_module_init(void)
+ {
+ int ret = -ENOMEM;
+
++ if (nx_huge_pages == -1)
++ __set_nx_huge_pages(boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT));
++
+ kvm_mmu_reset_all_pte_masks();
+
+ pte_list_desc_cache = kmem_cache_create("pte_list_desc",
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -589,13 +589,14 @@ static void FNAME(pte_prefetch)(struct k
+ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
+ struct guest_walker *gw,
+ int write_fault, int hlevel,
+- kvm_pfn_t pfn, bool map_writable, bool prefault)
++ kvm_pfn_t pfn, bool map_writable, bool prefault,
++ bool lpage_disallowed)
+ {
+ struct kvm_mmu_page *sp = NULL;
+ struct kvm_shadow_walk_iterator it;
+ unsigned direct_access, access = gw->pt_access;
+ int top_level, ret;
+- gfn_t base_gfn;
++ gfn_t gfn, base_gfn;
+
+ direct_access = gw->pte_access;
+
+@@ -640,13 +641,25 @@ static int FNAME(fetch)(struct kvm_vcpu
+ link_shadow_page(vcpu, it.sptep, sp);
+ }
+
+- base_gfn = gw->gfn;
++ /*
++ * FNAME(page_fault) might have clobbered the bottom bits of
++ * gw->gfn, restore them from the virtual address.
++ */
++ gfn = gw->gfn | ((addr & PT_LVL_OFFSET_MASK(gw->level)) >> PAGE_SHIFT);
++ base_gfn = gfn;
+
+ trace_kvm_mmu_spte_requested(addr, gw->level, pfn);
+
+ for (; shadow_walk_okay(&it); shadow_walk_next(&it)) {
+ clear_sp_write_flooding_count(it.sptep);
+- base_gfn = gw->gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
++
++ /*
++ * We cannot overwrite existing page tables with an NX
++ * large page, as the leaf could be executable.
++ */
++ disallowed_hugepage_adjust(it, gfn, &pfn, &hlevel);
++
++ base_gfn = gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
+ if (it.level == hlevel)
+ break;
+
+@@ -658,6 +671,8 @@ static int FNAME(fetch)(struct kvm_vcpu
+ sp = kvm_mmu_get_page(vcpu, base_gfn, addr,
+ it.level - 1, true, direct_access);
+ link_shadow_page(vcpu, it.sptep, sp);
++ if (lpage_disallowed)
++ account_huge_nx_page(vcpu->kvm, sp);
+ }
+ }
+
+@@ -734,9 +749,11 @@ static int FNAME(page_fault)(struct kvm_
+ int r;
+ kvm_pfn_t pfn;
+ int level = PT_PAGE_TABLE_LEVEL;
+- bool force_pt_level = false;
+ unsigned long mmu_seq;
+ bool map_writable, is_self_change_mapping;
++ bool lpage_disallowed = (error_code & PFERR_FETCH_MASK) &&
++ is_nx_huge_page_enabled();
++ bool force_pt_level = lpage_disallowed;
+
+ pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
+
+@@ -826,7 +843,7 @@ static int FNAME(page_fault)(struct kvm_
+ if (!force_pt_level)
+ transparent_hugepage_adjust(vcpu, walker.gfn, &pfn, &level);
+ r = FNAME(fetch)(vcpu, addr, &walker, write_fault,
+- level, pfn, map_writable, prefault);
++ level, pfn, map_writable, prefault, lpage_disallowed);
+ kvm_mmu_audit(vcpu, AUDIT_POST_PAGE_FAULT);
+
+ out_unlock:
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -195,6 +195,7 @@ struct kvm_stats_debugfs_item debugfs_en
+ { "mmu_unsync", VM_STAT(mmu_unsync) },
+ { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
+ { "largepages", VM_STAT(lpages, .mode = 0444) },
++ { "nx_largepages_splitted", VM_STAT(nx_lpage_splits, .mode = 0444) },
+ { "max_mmu_page_hash_collisions",
+ VM_STAT(max_mmu_page_hash_collisions) },
+ { NULL }
+@@ -1101,6 +1102,15 @@ u64 kvm_get_arch_capabilities(void)
+ (data & ARCH_CAP_TSX_CTRL_MSR))
+ data &= ~ARCH_CAP_MDS_NO;
+
++
++ /*
++ * If nx_huge_pages is enabled, KVM's shadow paging will ensure that
++ * the nested hypervisor runs with NX huge pages. If it is not,
++ * L1 is anyway vulnerable to ITLB_MULTIHIT exploits from other
++ * L1 guests, so it need not worry about its own (L2) guests.
++ */
++ data |= ARCH_CAP_PSCHANGE_MC_NO;
++
+ return data;
+ }
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -1839,6 +1839,17 @@
+ KVM MMU at runtime.
+ Default is 0 (off)
+
++ kvm.nx_huge_pages=
++ [KVM] Controls the sw workaround for bug
++ X86_BUG_ITLB_MULTIHIT.
++ force : Always deploy workaround.
++ off : Never deploy workaround.
++ auto : Default. Deploy workaround based on presence of
++ X86_BUG_ITLB_MULTIHIT.
++
++ If the sw workaround is enabled for the host, guests
++ need not enable it for nested guests.
++
+ kvm-amd.nested= [KVM,AMD] Allow nested virtualization in KVM/SVM.
+ Default is 1 (enabled)
+
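
The least obvious piece of the MMU patch above is disallowed_hugepage_adjust(): when a small SPTE already exists where a large mapping would otherwise go, the mapping level is dropped by one and the pfn has to regain the address bits that the larger page size had masked off. A hedged worked example of that arithmetic for a 2 MiB mapping (level 2) forced down to 4 KiB (level 1):

    /* Worked example of the pfn adjustment in disallowed_hugepage_adjust().
     * KVM_PAGES_PER_HPAGE(level) is the number of 4 KiB pages a mapping at
     * that level covers: 1 at level 1, 512 at level 2, 512*512 at level 3. */
    #include <stdint.h>
    #include <stdio.h>

    #define KVM_PAGES_PER_HPAGE(level) (1ULL << (((level) - 1) * 9))

    int main(void)
    {
        int level = 2;                    /* 2 MiB mapping about to be installed */
        uint64_t gfn = 0x12345;           /* guest frame number of the fault */
        uint64_t pfn = 0x98000;           /* host pfn, 2 MiB aligned (low 9 bits clear) */

        /* Bits covered by level 2 but not by level 1: the low 9 bits (mask 0x1ff). */
        uint64_t page_mask = KVM_PAGES_PER_HPAGE(level) - KVM_PAGES_PER_HPAGE(level - 1);

        pfn |= gfn & page_mask;           /* restore the next 9 address bits from the gfn */
        level--;                          /* map at 4 KiB instead */

        printf("page_mask=0x%llx pfn=0x%llx level=%d\n",   /* prints 0x1ff, 0x98145, 1 */
               (unsigned long long)page_mask, (unsigned long long)pfn, level);
        return 0;
    }
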
diff --git a/patches.suse/0003-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch b/patches.suse/0003-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch
new file mode 100644
index 0000000000..b897aeff7f
--- /dev/null
+++ b/patches.suse/0003-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch
@@ -0,0 +1,65 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Wed, 23 Oct 2019 10:52:35 +0200
+Subject: [PATCH 03/10] x86/cpu: Add a helper function x86_read_arch_cap_msr()
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit 286836a70433fb64131d2590f4bf512097c255e1 upstream
+
+Add a helper function to read the IA32_ARCH_CAPABILITIES MSR.
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
+Reviewed-by: Mark Gross <mgross@linux.intel.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kernel/cpu/common.c | 15 +++++++++++----
+ arch/x86/kernel/cpu/cpu.h | 2 ++
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -977,19 +977,26 @@ static bool __init cpu_matches(unsigned
+ return m && !!(m->driver_data & which);
+ }
+
+-static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
++u64 x86_read_arch_cap_msr(void)
+ {
+ u64 ia32_cap = 0;
+
++ if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES))
++ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
++
++ return ia32_cap;
++}
++
++static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
++{
++ u64 ia32_cap = x86_read_arch_cap_msr();
++
+ if (cpu_matches(NO_SPECULATION))
+ return;
+
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+ setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
+
+- if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
+- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
+-
+ if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) &&
+ !cpu_has(c, X86_FEATURE_AMD_SSB_NO))
+ setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
+--- a/arch/x86/kernel/cpu/cpu.h
++++ b/arch/x86/kernel/cpu/cpu.h
+@@ -53,4 +53,6 @@ extern int detect_ht_early(struct cpuinf
+ extern void init_hygon_cacheinfo(struct cpuinfo_x86 *c);
+ void cacheinfo_hygon_init_llc_id(struct cpuinfo_x86 *c, int cpu, u8 node_id);
+
++extern u64 x86_read_arch_cap_msr(void);
++
+ #endif /* ARCH_X86_CPU_H */
diff --git a/patches.suse/0004-kvm-Add-helper-function-for-creating-VM-worker.patch b/patches.suse/0004-kvm-Add-helper-function-for-creating-VM-worker.patch
new file mode 100644
index 0000000000..78dff18967
--- /dev/null
+++ b/patches.suse/0004-kvm-Add-helper-function-for-creating-VM-worker.patch
@@ -0,0 +1,130 @@
+From: Junaid Shahid <junaids@google.com>
+Date: Mon, 28 Oct 2019 09:55:28 +0100
+Subject: [PATCH 4/5] kvm: Add helper function for creating VM worker
+Patch-mainline: No, still under discussion
+References: bsc#1117665, CVE-2018-12207
+
+ threads
+
+This adds a function to create a kernel thread associated with a given
+VM. In particular, it ensures that the worker thread inherits the
+priority and cgroups of the calling thread.
+
+Signed-off-by: Junaid Shahid <junaids@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ include/linux/kvm_host.h | 6 ++++
+ virt/kvm/kvm_main.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 90 insertions(+)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1278,4 +1278,10 @@ static inline bool kvm_arch_no_poll(stru
+ }
+ #endif /* CONFIG_HAVE_KVM_NO_POLL */
+
++typedef int (*kvm_vm_thread_fn_t)(struct kvm *kvm, uintptr_t data);
++
++int kvm_vm_create_worker_thread(struct kvm *kvm, kvm_vm_thread_fn_t thread_fn,
++ uintptr_t data, const char *name,
++ struct task_struct **thread_ptr);
++
+ #endif
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -51,6 +51,7 @@
+ #include <linux/slab.h>
+ #include <linux/sort.h>
+ #include <linux/bsearch.h>
++#include <linux/kthread.h>
+
+ #include <asm/processor.h>
+ #include <asm/io.h>
+@@ -4193,3 +4194,86 @@ void kvm_exit(void)
+ kvm_vfio_ops_exit();
+ }
+ EXPORT_SYMBOL_GPL(kvm_exit);
++
++struct kvm_vm_worker_thread_context {
++ struct kvm *kvm;
++ struct task_struct *parent;
++ struct completion init_done;
++ kvm_vm_thread_fn_t thread_fn;
++ uintptr_t data;
++ int err;
++};
++
++static int kvm_vm_worker_thread(void *context)
++{
++ /*
++ * The init_context is allocated on the stack of the parent thread, so
++ * we have to locally copy anything that is needed beyond initialization
++ */
++ struct kvm_vm_worker_thread_context *init_context = context;
++ struct kvm *kvm = init_context->kvm;
++ kvm_vm_thread_fn_t thread_fn = init_context->thread_fn;
++ uintptr_t data = init_context->data;
++ int err;
++
++ err = kthread_park(current);
++ /* kthread_park(current) is never supposed to return an error */
++ WARN_ON(err != 0);
++ if (err)
++ goto init_complete;
++
++ err = cgroup_attach_task_all(init_context->parent, current);
++ if (err) {
++ kvm_err("%s: cgroup_attach_task_all failed with err %d\n",
++ __func__, err);
++ goto init_complete;
++ }
++
++ set_user_nice(current, task_nice(init_context->parent));
++
++init_complete:
++ init_context->err = err;
++ complete(&init_context->init_done);
++ init_context = NULL;
++
++ if (err)
++ return err;
++
++ /* Wait to be woken up by the spawner before proceeding. */
++ kthread_parkme();
++
++ if (!kthread_should_stop())
++ err = thread_fn(kvm, data);
++
++ return err;
++}
++
++int kvm_vm_create_worker_thread(struct kvm *kvm, kvm_vm_thread_fn_t thread_fn,
++ uintptr_t data, const char *name,
++ struct task_struct **thread_ptr)
++{
++ struct kvm_vm_worker_thread_context init_context = {};
++ struct task_struct *thread;
++
++ *thread_ptr = NULL;
++ init_context.kvm = kvm;
++ init_context.parent = current;
++ init_context.thread_fn = thread_fn;
++ init_context.data = data;
++ init_completion(&init_context.init_done);
++
++ thread = kthread_run(kvm_vm_worker_thread, &init_context,
++ "%s-%d", name, task_pid_nr(current));
++ if (IS_ERR(thread))
++ return PTR_ERR(thread);
++
++ /* kthread_run is never supposed to return NULL */
++ WARN_ON(thread == NULL);
++
++ wait_for_completion(&init_context.init_done);
++
++ if (!init_context.err)
++ *thread_ptr = thread;
++
++ return init_context.err;
++}
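
The new helper is consumed by the NX large-page recovery patch that follows. A hedged sketch of how a caller is expected to use it; the worker body and names below are illustrative, only the parked-then-unpark sequence is dictated by the helper:

    /* Hypothetical caller of kvm_vm_create_worker_thread(); assumes <linux/kthread.h>
     * and kvm_host.h.  The real user in this series is the NX recovery thread. */
    static int example_worker(struct kvm *kvm, uintptr_t data)
    {
        while (!kthread_should_stop()) {
            /* ... periodic per-VM work ... */
            schedule_timeout_interruptible(60 * HZ);
        }
        return 0;
    }

    static int example_start_worker(struct kvm *kvm, struct task_struct **thread)
    {
        int err = kvm_vm_create_worker_thread(kvm, example_worker, 0,
                                              "kvm-example-worker", thread);
        if (err)
            return err;

        /* The helper leaves the thread parked; unpark it once the VM is ready. */
        kthread_unpark(*thread);
        return 0;
    }
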
diff --git a/patches.suse/0004-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch b/patches.suse/0004-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch
new file mode 100644
index 0000000000..94f82af23d
--- /dev/null
+++ b/patches.suse/0004-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch
@@ -0,0 +1,250 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Wed, 23 Oct 2019 11:01:53 +0200
+Subject: [PATCH 04/10] x86/cpu: Add a "tsx=" cmdline option with TSX disabled
+ by default
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit 95c5824f75f3ba4c9e8e5a4b1a623c95390ac266 upstream
+
+Add a kernel cmdline parameter "tsx" to control the Transactional
+Synchronization Extensions (TSX) feature. On CPUs that support TSX
+control, use "tsx=on|off" to enable or disable TSX. Not specifying this
+option is equivalent to "tsx=off". This is because on certain processors
+TSX may be used as a part of a speculative side channel attack.
+
+Carve out the TSX controlling functionality into a separate compilation
+unit because TSX is a CPU feature while the TSX async abort control
+machinery will go to cpu/bugs.c.
+
+ [ bp: - Massage, shorten and clear the arg buffer.
+ - Clarifications of the tsx= possible options - Josh.
+ - Expand on TSX_CTRL availability - Pawan. ]
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 26 +++++
+ arch/x86/kernel/cpu/Makefile | 2 +-
+ arch/x86/kernel/cpu/cpu.h | 16 +++
+ arch/x86/kernel/cpu/intel.c | 5 +
+ arch/x86/kernel/cpu/tsx.c | 125 ++++++++++++++++++++++++
+ 5 files changed, 173 insertions(+), 1 deletion(-)
+ create mode 100644 arch/x86/kernel/cpu/tsx.c
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -4475,6 +4475,32 @@
+ platforms where RDTSC is slow and this accounting
+ can add overhead.
+
++ tsx= [X86] Control Transactional Synchronization
++ Extensions (TSX) feature in Intel processors that
++ support TSX control.
++
++ This parameter controls the TSX feature. The options are:
++
++ on - Enable TSX on the system. Although there are
++ mitigations for all known security vulnerabilities,
++ TSX has been known to be an accelerator for
++ several previous speculation-related CVEs, and
++ so there may be unknown security risks associated
++ with leaving it enabled.
++
++ off - Disable TSX on the system. (Note that this
++ option takes effect only on newer CPUs which are
++ not vulnerable to MDS, i.e., have
++ MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 and which get
++ the new IA32_TSX_CTRL MSR through a microcode
++ update. This new MSR allows for the reliable
++ deactivation of the TSX functionality.)
++
++ Not specifying this option is equivalent to tsx=off.
++
++ See Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
++ for more details.
++
+ turbografx.map[2|3]= [HW,JOY]
+ TurboGraFX parallel port interface
+ Format:
+--- a/arch/x86/kernel/cpu/Makefile
++++ b/arch/x86/kernel/cpu/Makefile
+@@ -27,7 +27,7 @@ obj-y += cpuid-deps.o
+ obj-$(CONFIG_PROC_FS) += proc.o
+ obj-$(CONFIG_X86_FEATURE_NAMES) += capflags.o powerflags.o
+
+-obj-$(CONFIG_CPU_SUP_INTEL) += intel.o
++obj-$(CONFIG_CPU_SUP_INTEL) += intel.o tsx.o
+ obj-$(CONFIG_CPU_SUP_AMD) += amd.o
+ obj-$(CONFIG_CPU_SUP_HYGON) += hygon.o
+ obj-$(CONFIG_CPU_SUP_CYRIX_32) += cyrix.o
+--- a/arch/x86/kernel/cpu/cpu.h
++++ b/arch/x86/kernel/cpu/cpu.h
+@@ -44,6 +44,22 @@ struct _tlb_table {
+ extern const struct cpu_dev *const __x86_cpu_dev_start[],
+ *const __x86_cpu_dev_end[];
+
++#ifdef CONFIG_CPU_SUP_INTEL
++enum tsx_ctrl_states {
++ TSX_CTRL_ENABLE,
++ TSX_CTRL_DISABLE,
++ TSX_CTRL_NOT_SUPPORTED,
++};
++
++extern __ro_after_init enum tsx_ctrl_states tsx_ctrl_state;
++
++extern void __init tsx_init(void);
++extern void tsx_enable(void);
++extern void tsx_disable(void);
++#else
++static inline void tsx_init(void) { }
++#endif /* CONFIG_CPU_SUP_INTEL */
++
+ extern void get_cpu_cap(struct cpuinfo_x86 *c);
+ extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c);
+ extern void x86_spec_ctrl_setup_ap(void);
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -709,6 +709,11 @@ static void init_intel(struct cpuinfo_x8
+ init_intel_energy_perf(c);
+
+ init_intel_misc_features(c);
++
++ if (tsx_ctrl_state == TSX_CTRL_ENABLE)
++ tsx_enable();
++ if (tsx_ctrl_state == TSX_CTRL_DISABLE)
++ tsx_disable();
+ }
+
+ #ifdef CONFIG_X86_32
+--- /dev/null
++++ b/arch/x86/kernel/cpu/tsx.c
+@@ -0,0 +1,125 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Intel Transactional Synchronization Extensions (TSX) control.
++ *
++ * Copyright (C) 2019 Intel Corporation
++ *
++ * Author:
++ * Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
++ */
++
++#include <linux/cpufeature.h>
++
++#include <asm/cmdline.h>
++
++#include "cpu.h"
++
++enum tsx_ctrl_states tsx_ctrl_state __ro_after_init = TSX_CTRL_NOT_SUPPORTED;
++
++void tsx_disable(void)
++{
++ u64 tsx;
++
++ rdmsrl(MSR_IA32_TSX_CTRL, tsx);
++
++ /* Force all transactions to immediately abort */
++ tsx |= TSX_CTRL_RTM_DISABLE;
++
++ /*
++ * Ensure TSX support is not enumerated in CPUID.
++ * This is visible to userspace and will ensure they
++ * do not waste resources trying TSX transactions that
++ * will always abort.
++ */
++ tsx |= TSX_CTRL_CPUID_CLEAR;
++
++ wrmsrl(MSR_IA32_TSX_CTRL, tsx);
++}
++
++void tsx_enable(void)
++{
++ u64 tsx;
++
++ rdmsrl(MSR_IA32_TSX_CTRL, tsx);
++
++ /* Enable the RTM feature in the cpu */
++ tsx &= ~TSX_CTRL_RTM_DISABLE;
++
++ /*
++ * Ensure TSX support is enumerated in CPUID.
++ * This is visible to userspace and will ensure they
++ * can enumerate and use the TSX feature.
++ */
++ tsx &= ~TSX_CTRL_CPUID_CLEAR;
++
++ wrmsrl(MSR_IA32_TSX_CTRL, tsx);
++}
++
++static bool __init tsx_ctrl_is_supported(void)
++{
++ u64 ia32_cap = x86_read_arch_cap_msr();
++
++ /*
++ * TSX is controlled via MSR_IA32_TSX_CTRL. However, support for this
++ * MSR is enumerated by ARCH_CAP_TSX_MSR bit in MSR_IA32_ARCH_CAPABILITIES.
++ *
++ * TSX control (aka MSR_IA32_TSX_CTRL) is only available after a
++ * microcode update on CPUs that have their MSR_IA32_ARCH_CAPABILITIES
++ * bit MDS_NO=1. CPUs with MDS_NO=0 are not planned to get
++ * MSR_IA32_TSX_CTRL support even after a microcode update. Thus,
++ * tsx= cmdline requests will do nothing on CPUs without
++ * MSR_IA32_TSX_CTRL support.
++ */
++ return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR);
++}
++
++void __init tsx_init(void)
++{
++ char arg[4] = {};
++ int ret;
++
++ if (!tsx_ctrl_is_supported())
++ return;
++
++ ret = cmdline_find_option(boot_command_line, "tsx", arg, sizeof(arg));
++ if (ret >= 0) {
++ if (!strcmp(arg, "on")) {
++ tsx_ctrl_state = TSX_CTRL_ENABLE;
++ } else if (!strcmp(arg, "off")) {
++ tsx_ctrl_state = TSX_CTRL_DISABLE;
++ } else {
++ tsx_ctrl_state = TSX_CTRL_DISABLE;
++ pr_err("tsx: invalid option, defaulting to off\n");
++ }
++ } else {
++ /* tsx= not provided, defaulting to off */
++ tsx_ctrl_state = TSX_CTRL_DISABLE;
++ }
++
++ if (tsx_ctrl_state == TSX_CTRL_DISABLE) {
++ tsx_disable();
++
++ /*
++ * tsx_disable() will change the state of the
++ * RTM CPUID bit. Clear it here since it is now
++ * expected to be not set.
++ */
++ setup_clear_cpu_cap(X86_FEATURE_RTM);
++ } else if (tsx_ctrl_state == TSX_CTRL_ENABLE) {
++
++ /*
++ * HW defaults TSX to be enabled at bootup.
++ * We may still need the TSX enable support
++ * during init for special cases like
++ * kexec after TSX is disabled.
++ */
++ tsx_enable();
++
++ /*
++ * tsx_enable() will change the state of the
++ * RTM CPUID bit. Force it here since it is now
++ * expected to be set.
++ */
++ setup_force_cpu_cap(X86_FEATURE_RTM);
++ }
++}
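
When tsx=off is in effect, the microcode clears the RTM and HLE enumeration, so the parameter's effect is directly visible to userspace. A hedged check of CPUID leaf 7 (EBX bit 4 = HLE, bit 11 = RTM, as described in the commit message), independent of this patch set:

    /* Reports whether HLE/RTM are still enumerated, e.g. after booting with tsx=off. */
    #include <cpuid.h>
    #include <stdio.h>

    int main(void)
    {
        unsigned int eax, ebx, ecx, edx;

        __cpuid_count(7, 0, eax, ebx, ecx, edx);
        printf("HLE %s, RTM %s\n",
               (ebx & (1u << 4))  ? "enumerated" : "hidden",
               (ebx & (1u << 11)) ? "enumerated" : "hidden");
        return 0;
    }
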
diff --git a/patches.suse/0005-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch b/patches.suse/0005-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch
new file mode 100644
index 0000000000..73d4af2187
--- /dev/null
+++ b/patches.suse/0005-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch
@@ -0,0 +1,358 @@
+From: Junaid Shahid <junaids@google.com>
+Date: Mon, 28 Oct 2019 09:55:28 +0100
+Subject: [PATCH 5/5] kvm: x86: mmu: Recovery of shattered NX large pages
+Patch-mainline: No, still under discussion
+References: bsc#1117665, CVE-2018-12207
+
+The page table pages corresponding to broken down large pages are
+zapped in FIFO order, so that the large page can potentially
+be recovered, if it is no longer being used for execution. This removes
+the performance penalty for walking deeper EPT page tables.
+
+By default, one large page will last about one hour once the guest
+reaches a steady state.
+
+Signed-off-by: Junaid Shahid <junaids@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 6 ++
+ arch/x86/include/asm/kvm_host.h | 4 +
+ arch/x86/kvm/mmu.c | 129 ++++++++++++++++++++++++
+ arch/x86/kvm/mmu.h | 4 +
+ arch/x86/kvm/x86.c | 11 ++
+ virt/kvm/kvm_main.c | 30 +++++-
+ 6 files changed, 183 insertions(+), 1 deletion(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -1850,6 +1850,12 @@
+ If the sw workaround is enabled for the host, guests
+ need not enable it for nested guests.
+
++ kvm.nx_huge_pages_recovery_ratio=
++ [KVM] Controls how many 4KiB pages are periodically zapped
++ back to huge pages. 0 disables the recovery, otherwise if
++ the value is N KVM will zap 1/Nth of the 4KiB pages every
++ minute. The default is 60.
++
+ kvm-amd.nested= [KVM,AMD] Allow nested virtualization in KVM/SVM.
+ Default is 1 (enabled)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -276,6 +276,8 @@ struct kvm_rmap_head {
+ struct kvm_mmu_page {
+ struct list_head link;
+ struct hlist_node hash_link;
++ struct list_head lpage_disallowed_link;
++
+ bool unsync;
+
+ /*
+@@ -794,6 +796,7 @@ struct kvm_arch {
+ */
+ struct list_head active_mmu_pages;
+ struct list_head zapped_obsolete_pages;
++ struct list_head lpage_disallowed_mmu_pages;
+ struct kvm_page_track_notifier_node mmu_sp_tracker;
+ struct kvm_page_track_notifier_head track_notifier_head;
+
+@@ -871,6 +874,8 @@ struct kvm_arch {
+ bool x2apic_broadcast_quirk_disabled;
+
+ struct kvm_sev_info sev_info;
++
++ struct task_struct *nx_lpage_recovery_thread;
+ };
+
+ struct kvm_vm_stat {
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -40,6 +40,7 @@
+ #include <linux/uaccess.h>
+ #include <linux/hash.h>
+ #include <linux/kern_levels.h>
++#include <linux/kthread.h>
+
+ #include <asm/page.h>
+ #include <asm/pat.h>
+@@ -52,16 +53,26 @@
+ extern bool itlb_multihit_kvm_mitigation;
+
+ static int __read_mostly nx_huge_pages = -1;
++static uint __read_mostly nx_huge_pages_recovery_ratio = 60;
+
+ static int set_nx_huge_pages(const char *val, const struct kernel_param *kp);
++static int set_nx_huge_pages_recovery_ratio(const char *val, const struct kernel_param *kp);
+
+ static struct kernel_param_ops nx_huge_pages_ops = {
+ .set = set_nx_huge_pages,
+ .get = param_get_bool,
+ };
+
++static struct kernel_param_ops nx_huge_pages_recovery_ratio_ops = {
++ .set = set_nx_huge_pages_recovery_ratio,
++ .get = param_get_uint,
++};
++
+ module_param_cb(nx_huge_pages, &nx_huge_pages_ops, &nx_huge_pages, 0644);
+ __MODULE_PARM_TYPE(nx_huge_pages, "bool");
++module_param_cb(nx_huge_pages_recovery_ratio, &nx_huge_pages_recovery_ratio_ops,
++ &nx_huge_pages_recovery_ratio, 0644);
++__MODULE_PARM_TYPE(nx_huge_pages_recovery_ratio, "uint");
+
+ /*
+ * When setting this variable to true it enables Two-Dimensional-Paging
+@@ -1104,6 +1115,8 @@ static void account_huge_nx_page(struct
+ return;
+
+ ++kvm->stat.nx_lpage_splits;
++ list_add_tail(&sp->lpage_disallowed_link,
++ &kvm->arch.lpage_disallowed_mmu_pages);
+ sp->lpage_disallowed = true;
+ }
+
+@@ -1128,6 +1141,7 @@ static void unaccount_huge_nx_page(struc
+ {
+ --kvm->stat.nx_lpage_splits;
+ sp->lpage_disallowed = false;
++ list_del(&sp->lpage_disallowed_link);
+ }
+
+ static bool __mmu_gfn_lpage_is_disallowed(gfn_t gfn, int level,
+@@ -5666,6 +5680,8 @@ static int set_nx_huge_pages(const char
+ idx = srcu_read_lock(&kvm->srcu);
+ kvm_mmu_invalidate_zap_all_pages(kvm);
+ srcu_read_unlock(&kvm->srcu, idx);
++
++ wake_up_process(kvm->arch.nx_lpage_recovery_thread);
+ }
+ mutex_unlock(&kvm_lock);
+ }
+@@ -5746,3 +5762,116 @@ void kvm_mmu_module_exit(void)
+ unregister_shrinker(&mmu_shrinker);
+ mmu_audit_disable();
+ }
++
++static int set_nx_huge_pages_recovery_ratio(const char *val, const struct kernel_param *kp)
++{
++ unsigned int old_val;
++ int err;
++
++ old_val = nx_huge_pages_recovery_ratio;
++ err = param_set_uint(val, kp);
++ if (err)
++ return err;
++
++ if (READ_ONCE(nx_huge_pages) &&
++ !old_val && nx_huge_pages_recovery_ratio) {
++ struct kvm *kvm;
++
++ mutex_lock(&kvm_lock);
++
++ list_for_each_entry(kvm, &vm_list, vm_list)
++ wake_up_process(kvm->arch.nx_lpage_recovery_thread);
++
++ mutex_unlock(&kvm_lock);
++ }
++
++ return err;
++}
++
++static void kvm_recover_nx_lpages(struct kvm *kvm)
++{
++ int rcu_idx;
++ struct kvm_mmu_page *sp;
++ unsigned int ratio;
++ LIST_HEAD(invalid_list);
++ ulong to_zap;
++
++ rcu_idx = srcu_read_lock(&kvm->srcu);
++ spin_lock(&kvm->mmu_lock);
++
++ ratio = READ_ONCE(nx_huge_pages_recovery_ratio);
++ to_zap = ratio ? DIV_ROUND_UP(kvm->stat.nx_lpage_splits, ratio) : 0;
++ while (to_zap && !list_empty(&kvm->arch.lpage_disallowed_mmu_pages)) {
++ /*
++ * We use a separate list instead of just using active_mmu_pages
++ * because the number of lpage_disallowed pages is expected to
++ * be relatively small compared to the total.
++ */
++ sp = list_first_entry(&kvm->arch.lpage_disallowed_mmu_pages,
++ struct kvm_mmu_page,
++ lpage_disallowed_link);
++ WARN_ON_ONCE(!sp->lpage_disallowed);
++ kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
++ WARN_ON_ONCE(sp->lpage_disallowed);
++
++ if (!--to_zap || need_resched() || spin_needbreak(&kvm->mmu_lock)) {
++ kvm_mmu_commit_zap_page(kvm, &invalid_list);
++ if (to_zap)
++ cond_resched_lock(&kvm->mmu_lock);
++ }
++ }
++
++ spin_unlock(&kvm->mmu_lock);
++ srcu_read_unlock(&kvm->srcu, rcu_idx);
++}
++
++static long get_nx_lpage_recovery_timeout(u64 start_time)
++{
++ return READ_ONCE(nx_huge_pages) && READ_ONCE(nx_huge_pages_recovery_ratio)
++ ? start_time + 60 * HZ - get_jiffies_64()
++ : MAX_SCHEDULE_TIMEOUT;
++}
++
++static int kvm_nx_lpage_recovery_worker(struct kvm *kvm, uintptr_t data)
++{
++ u64 start_time;
++ long remaining_time;
++
++ while (true) {
++ start_time = get_jiffies_64();
++ remaining_time = get_nx_lpage_recovery_timeout(start_time);
++
++ set_current_state(TASK_INTERRUPTIBLE);
++ while (!kthread_should_stop() && remaining_time > 0) {
++ schedule_timeout(remaining_time);
++ remaining_time = get_nx_lpage_recovery_timeout(start_time);
++ set_current_state(TASK_INTERRUPTIBLE);
++ }
++
++ set_current_state(TASK_RUNNING);
++
++ if (kthread_should_stop())
++ return 0;
++
++ kvm_recover_nx_lpages(kvm);
++ }
++}
++
++int kvm_mmu_post_init_vm(struct kvm *kvm)
++{
++ int err;
++
++ err = kvm_vm_create_worker_thread(kvm, kvm_nx_lpage_recovery_worker, 0,
++ "kvm-nx-lpage-recovery",
++ &kvm->arch.nx_lpage_recovery_thread);
++ if (!err)
++ kthread_unpark(kvm->arch.nx_lpage_recovery_thread);
++
++ return err;
++}
++
++void kvm_mmu_pre_destroy_vm(struct kvm *kvm)
++{
++ if (kvm->arch.nx_lpage_recovery_thread)
++ kthread_stop(kvm->arch.nx_lpage_recovery_thread);
++}
+--- a/arch/x86/kvm/mmu.h
++++ b/arch/x86/kvm/mmu.h
+@@ -193,4 +193,8 @@ void kvm_mmu_gfn_allow_lpage(struct kvm_
+ bool kvm_mmu_slot_gfn_write_protect(struct kvm *kvm,
+ struct kvm_memory_slot *slot, u64 gfn);
+ int kvm_arch_write_log_dirty(struct kvm_vcpu *vcpu);
++
++int kvm_mmu_post_init_vm(struct kvm *kvm);
++void kvm_mmu_pre_destroy_vm(struct kvm *kvm);
++
+ #endif
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8435,6 +8435,7 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+ INIT_HLIST_HEAD(&kvm->arch.mask_notifier_list);
+ INIT_LIST_HEAD(&kvm->arch.active_mmu_pages);
+ INIT_LIST_HEAD(&kvm->arch.zapped_obsolete_pages);
++ INIT_LIST_HEAD(&kvm->arch.lpage_disallowed_mmu_pages);
+ INIT_LIST_HEAD(&kvm->arch.assigned_dev_head);
+ atomic_set(&kvm->arch.noncoherent_dma_count, 0);
+
+@@ -8464,6 +8465,11 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+ return 0;
+ }
+
++int kvm_arch_post_init_vm(struct kvm *kvm)
++{
++ return kvm_mmu_post_init_vm(kvm);
++}
++
+ static void kvm_unload_vcpu_mmu(struct kvm_vcpu *vcpu)
+ {
+ int r;
+@@ -8567,6 +8573,11 @@ int x86_set_memory_region(struct kvm *kv
+ }
+ EXPORT_SYMBOL_GPL(x86_set_memory_region);
+
++void kvm_arch_pre_destroy_vm(struct kvm *kvm)
++{
++ kvm_mmu_pre_destroy_vm(kvm);
++}
++
+ void kvm_arch_destroy_vm(struct kvm *kvm)
+ {
+ if (current->mm == kvm->mm) {
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -654,6 +654,23 @@ static int kvm_create_vm_debugfs(struct
+ return 0;
+ }
+
++/*
++ * Called after the VM is otherwise initialized, but just before adding it to
++ * the vm_list.
++ */
++int __weak kvm_arch_post_init_vm(struct kvm *kvm)
++{
++ return 0;
++}
++
++/*
++ * Called just after removing the VM from the vm_list, but before doing any
++ * other destruction.
++ */
++void __weak kvm_arch_pre_destroy_vm(struct kvm *kvm)
++{
++}
++
+ static struct kvm *kvm_create_vm(unsigned long type)
+ {
+ int r, i;
+@@ -708,11 +725,15 @@ static struct kvm *kvm_create_vm(unsigne
+ rcu_assign_pointer(kvm->buses[i],
+ kzalloc(sizeof(struct kvm_io_bus), GFP_KERNEL));
+ if (!kvm->buses[i])
+- goto out_err;
++ goto out_err_no_mmu_notifier;
+ }
+
+ r = kvm_init_mmu_notifier(kvm);
+ if (r)
++ goto out_err_no_mmu_notifier;
++
++ r = kvm_arch_post_init_vm(kvm);
++ if (r)
+ goto out_err;
+
+ mutex_lock(&kvm_lock);
+@@ -724,6 +745,11 @@ static struct kvm *kvm_create_vm(unsigne
+ return kvm;
+
+ out_err:
++#if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER)
++ if (kvm->mmu_notifier.ops)
++ mmu_notifier_unregister(&kvm->mmu_notifier, current->mm);
++#endif
++out_err_no_mmu_notifier:
+ cleanup_srcu_struct(&kvm->irq_srcu);
+ out_err_no_irq_srcu:
+ cleanup_srcu_struct(&kvm->srcu);
+@@ -766,6 +792,8 @@ static void kvm_destroy_vm(struct kvm *k
+ mutex_lock(&kvm_lock);
+ list_del(&kvm->vm_list);
+ mutex_unlock(&kvm_lock);
++ kvm_arch_pre_destroy_vm(kvm);
++
+ kvm_free_irq_routing(kvm);
+ for (i = 0; i < KVM_NR_BUSES; i++) {
+ struct kvm_io_bus *bus = kvm_get_bus(kvm, i);
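
A rough, standalone illustration (not part of the patch) of the zap-budget arithmetic in kvm_recover_nx_lpages() above: with the default nx_huge_pages_recovery_ratio of 60 and the worker waking roughly once per minute, 1/60th of the currently split pages is reclaimed per pass, which is where the "about one hour" figure in the changelog comes from. The page count below is a made-up example:

    #include <stdio.h>

    #define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

    int main(void)
    {
        unsigned long nx_lpage_splits = 1200;  /* hypothetical current count */
        unsigned int ratio = 60;               /* default recovery ratio */
        unsigned long to_zap = ratio ? DIV_ROUND_UP(nx_lpage_splits, ratio) : 0;

        /* 1200 / 60 = 20 shadow pages zapped on this one-minute pass. */
        printf("zap budget this pass: %lu\n", to_zap);
        return 0;
    }
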
diff --git a/patches.suse/0005-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch b/patches.suse/0005-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch
new file mode 100644
index 0000000000..304ab6575b
--- /dev/null
+++ b/patches.suse/0005-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch
@@ -0,0 +1,310 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Wed, 23 Oct 2019 11:30:45 +0200
+Subject: [PATCH 05/10] x86/speculation/taa: Add mitigation for TSX Async Abort
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit 1b42f017415b46c317e71d41c34ec088417a1883 upstream
+
+TSX Async Abort (TAA) is a side channel vulnerability to the internal
+buffers in some Intel processors similar to Microachitectural Data
+Sampling (MDS). In this case, certain loads may speculatively pass
+invalid data to dependent operations when an asynchronous abort
+condition is pending in a TSX transaction.
+
+This includes loads with no fault or assist condition. Such loads may
+speculatively expose stale data from the uarch data structures as in
+MDS. Scope of exposure is within the same-thread and cross-thread. This
+issue affects all current processors that support TSX, but do not have
+ARCH_CAP_TAA_NO (bit 8) set in MSR_IA32_ARCH_CAPABILITIES.
+
+On CPUs which have their IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0,
+CPUID.MD_CLEAR=1 and the MDS mitigation is clearing the CPU buffers
+using VERW or L1D_FLUSH, there is no additional mitigation needed for
+TAA. On affected CPUs with MDS_NO=1 this issue can be mitigated by
+disabling the Transactional Synchronization Extensions (TSX) feature.
+
+A new MSR IA32_TSX_CTRL in future and current processors after a
+microcode update can be used to control the TSX feature. There are two
+bits in that MSR:
+
+* TSX_CTRL_RTM_DISABLE disables the TSX sub-feature Restricted
+Transactional Memory (RTM).
+
+* TSX_CTRL_CPUID_CLEAR clears the RTM enumeration in CPUID. The other
+TSX sub-feature, Hardware Lock Elision (HLE), is unconditionally
+disabled with updated microcode but still enumerated as present by
+CPUID(EAX=7).EBX{bit4}.
+
+The second mitigation approach is similar to MDS which is clearing the
+affected CPU buffers on return to user space and when entering a guest.
+Relevant microcode update is required for the mitigation to work. More
+details on this approach can be found here:
+
+ https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+
+The TSX feature can be controlled by the "tsx" command line parameter.
+If it is force-enabled then "Clear CPU buffers" (MDS mitigation) is
+deployed. The effective mitigation state can be read from sysfs.
+
+ [ bp:
+ - massage + comments cleanup
+ - s/TAA_MITIGATION_TSX_DISABLE/TAA_MITIGATION_TSX_DISABLED/g - Josh.
+ - remove partial TAA mitigation in update_mds_branch_idle() - Josh.
+ - s/tsx_async_abort_cmdline/tsx_async_abort_parse_cmdline/g
+ ]
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/include/asm/cpufeatures.h | 1 +
+ arch/x86/include/asm/msr-index.h | 4 ++
+ arch/x86/include/asm/nospec-branch.h | 4 +-
+ arch/x86/include/asm/processor.h | 7 +++
+ arch/x86/kernel/cpu/bugs.c | 108 +++++++++++++++++++++++++++++++++++
+ arch/x86/kernel/cpu/common.c | 15 +++++
+ 6 files changed, 137 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -391,4 +391,6 @@
+ #define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */
+ #define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */
+ #define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
++#define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
++
+ #endif /* _ASM_X86_CPUFEATURES_H */
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -84,6 +84,10 @@
+ * Sampling (MDS) vulnerabilities.
+ */
+ #define ARCH_CAP_TSX_CTRL_MSR BIT(7) /* MSR for TSX control is available. */
++#define ARCH_CAP_TAA_NO BIT(8) /*
++ * Not susceptible to
++ * TSX Async Abort (TAA) vulnerabilities.
++ */
+
+ #define MSR_IA32_FLUSH_CMD 0x0000010b
+ #define L1D_FLUSH BIT(0) /*
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -358,7 +358,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear)
+ #include <asm/segment.h>
+
+ /**
+- * mds_clear_cpu_buffers - Mitigation for MDS vulnerability
++ * mds_clear_cpu_buffers - Mitigation for MDS and TAA vulnerability
+ *
+ * This uses the otherwise unused and obsolete VERW instruction in
+ * combination with microcode which triggers a CPU buffer flush when the
+@@ -381,7 +381,7 @@ static inline void mds_clear_cpu_buffers
+ }
+
+ /**
+- * mds_user_clear_cpu_buffers - Mitigation for MDS vulnerability
++ * mds_user_clear_cpu_buffers - Mitigation for MDS and TAA vulnerability
+ *
+ * Clear CPU buffers if the corresponding static key is enabled
+ */
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -991,4 +991,11 @@ enum mds_mitigations {
+ MDS_MITIGATION_VMWERV,
+ };
+
++enum taa_mitigations {
++ TAA_MITIGATION_OFF,
++ TAA_MITIGATION_UCODE_NEEDED,
++ TAA_MITIGATION_VERW,
++ TAA_MITIGATION_TSX_DISABLED,
++};
++
+ #endif /* _ASM_X86_PROCESSOR_H */
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -31,11 +31,14 @@
+ #include <asm/hypervisor.h>
+ #include <asm/e820/api.h>
+
++#include "cpu.h"
++
+ static void __init spectre_v1_select_mitigation(void);
+ static void __init spectre_v2_select_mitigation(void);
+ static void __init ssb_select_mitigation(void);
+ static void __init l1tf_select_mitigation(void);
+ static void __init mds_select_mitigation(void);
++static void __init taa_select_mitigation(void);
+
+ /* The base value of the SPEC_CTRL MSR that always has to be preserved. */
+ u64 x86_spec_ctrl_base;
+@@ -102,6 +105,7 @@ void __init check_bugs(void)
+ ssb_select_mitigation();
+ l1tf_select_mitigation();
+ mds_select_mitigation();
++ taa_select_mitigation();
+
+ arch_smt_update();
+
+@@ -390,6 +394,100 @@ static int __init mds_cmdline(char *str)
+ early_param("mds", mds_cmdline);
+
+ #undef pr_fmt
++#define pr_fmt(fmt) "TAA: " fmt
++
++/* Default mitigation for TAA-affected CPUs */
++static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW;
++static bool taa_nosmt __ro_after_init;
++
++static const char * const taa_strings[] = {
++ [TAA_MITIGATION_OFF] = "Vulnerable",
++ [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
++ [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
++ [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled",
++};
++
++static void __init taa_select_mitigation(void)
++{
++ u64 ia32_cap;
++
++ if (!boot_cpu_has_bug(X86_BUG_TAA)) {
++ taa_mitigation = TAA_MITIGATION_OFF;
++ return;
++ }
++
++ /* TSX previously disabled by tsx=off */
++ if (!boot_cpu_has(X86_FEATURE_RTM)) {
++ taa_mitigation = TAA_MITIGATION_TSX_DISABLED;
++ goto out;
++ }
++
++ if (cpu_mitigations_off()) {
++ taa_mitigation = TAA_MITIGATION_OFF;
++ return;
++ }
++
++ /* TAA mitigation is turned off on the cmdline (tsx_async_abort=off) */
++ if (taa_mitigation == TAA_MITIGATION_OFF)
++ goto out;
++
++ if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
++ taa_mitigation = TAA_MITIGATION_VERW;
++ else
++ taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
++
++ /*
++ * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
++ * A microcode update fixes this behavior to clear CPU buffers. It also
++ * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
++ * ARCH_CAP_TSX_CTRL_MSR bit.
++ *
++ * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
++ * update is required.
++ */
++ ia32_cap = x86_read_arch_cap_msr();
++ if ( (ia32_cap & ARCH_CAP_MDS_NO) &&
++ !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR))
++ taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
++
++ /*
++ * TSX is enabled, select alternate mitigation for TAA which is
++ * the same as MDS. Enable MDS static branch to clear CPU buffers.
++ *
++ * For guests that can't determine whether the correct microcode is
++ * present on host, enable the mitigation for UCODE_NEEDED as well.
++ */
++ static_branch_enable(&mds_user_clear);
++
++ if (taa_nosmt || cpu_mitigations_auto_nosmt())
++ cpu_smt_disable(false);
++
++out:
++ pr_info("%s\n", taa_strings[taa_mitigation]);
++}
++
++static int __init tsx_async_abort_parse_cmdline(char *str)
++{
++ if (!boot_cpu_has_bug(X86_BUG_TAA))
++ return 0;
++
++ if (!str)
++ return -EINVAL;
++
++ if (!strcmp(str, "off")) {
++ taa_mitigation = TAA_MITIGATION_OFF;
++ } else if (!strcmp(str, "full")) {
++ taa_mitigation = TAA_MITIGATION_VERW;
++ } else if (!strcmp(str, "full,nosmt")) {
++ taa_mitigation = TAA_MITIGATION_VERW;
++ taa_nosmt = true;
++ }
++
++ return 0;
++}
++early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
++
++#undef pr_fmt
+ #define pr_fmt(fmt) "Spectre V1 : " fmt
+
+ enum spectre_v1_mitigation {
+@@ -907,6 +1005,7 @@ static void update_mds_branch_idle(void)
+ }
+
+ #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
++#define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n"
+
+ void arch_smt_update(void)
+ {
+@@ -939,6 +1038,17 @@ void arch_smt_update(void)
+ break;
+ }
+
++ switch (taa_mitigation) {
++ case TAA_MITIGATION_VERW:
++ case TAA_MITIGATION_UCODE_NEEDED:
++ if (sched_smt_active())
++ pr_warn_once(TAA_MSG_SMT);
++ break;
++ case TAA_MITIGATION_TSX_DISABLED:
++ case TAA_MITIGATION_OFF:
++ break;
++ }
++
+ mutex_unlock(&spec_ctrl_mutex);
+ }
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1013,6 +1013,21 @@ static void __init cpu_set_bug_bits(stru
+ if (!cpu_matches(NO_SWAPGS))
+ setup_force_cpu_bug(X86_BUG_SWAPGS);
+
++ /*
++ * When the CPU is not mitigated for TAA (TAA_NO=0) set TAA bug when:
++ * - TSX is supported or
++ * - TSX_CTRL is present
++ *
++ * TSX_CTRL check is needed for cases when TSX could be disabled before
++ * the kernel boot e.g. kexec.
++ * TSX_CTRL check alone is not sufficient for cases when the microcode
++ * update is not present or when running as a guest that doesn't get TSX_CTRL.
++ */
++ if (!(ia32_cap & ARCH_CAP_TAA_NO) &&
++ (cpu_has(c, X86_FEATURE_RTM) ||
++ (ia32_cap & ARCH_CAP_TSX_CTRL_MSR)))
++ setup_force_cpu_bug(X86_BUG_TAA);
++
+ if (cpu_matches(NO_MELTDOWN))
+ return;
+
+@@ -1416,6 +1431,7 @@ void __init identify_boot_cpu(void)
+ enable_sep_cpu();
+ #endif
+ cpu_detect_tlb(&boot_cpu_data);
++ tsx_init();
+ }
+
+ void identify_secondary_cpu(struct cpuinfo_x86 *c)
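
To see how the ARCH_CAPABILITIES bits used above look on a live system, here is a small userspace sketch (not part of the patch). It assumes the msr driver is loaded and readable by root, and that IA32_ARCH_CAPABILITIES is MSR 0x10a; the bit positions follow the ARCH_CAP_TSX_CTRL_MSR (bit 7) and ARCH_CAP_TAA_NO (bit 8) definitions added in this patch:

    #include <fcntl.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        uint64_t cap = 0;
        int fd = open("/dev/cpu/0/msr", O_RDONLY);

        if (fd < 0 || pread(fd, &cap, sizeof(cap), 0x10a) != sizeof(cap)) {
            perror("IA32_ARCH_CAPABILITIES");
            return 1;
        }
        close(fd);

        printf("TSX_CTRL MSR present: %s\n", (cap >> 7) & 1 ? "yes" : "no");
        printf("TAA_NO:               %s\n", (cap >> 8) & 1 ? "yes" : "no");
        return 0;
    }
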
diff --git a/patches.suse/0006-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch b/patches.suse/0006-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch
new file mode 100644
index 0000000000..b8e3c34b3e
--- /dev/null
+++ b/patches.suse/0006-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch
@@ -0,0 +1,118 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Wed, 23 Oct 2019 12:19:51 +0200
+Subject: [PATCH 06/10] x86/speculation/taa: Add sysfs reporting for TSX Async
+ Abort
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit 6608b45ac5ecb56f9e171252229c39580cc85f0f upstream
+
+Add the sysfs reporting file for TSX Async Abort. It exposes the
+vulnerability and the mitigation state similar to the existing files for
+the other hardware vulnerabilities.
+
+Sysfs file path is:
+/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
+Reviewed-by: Mark Gross <mgross@linux.intel.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kernel/cpu/bugs.c | 23 +++++++++++++++++++++++
+ drivers/base/cpu.c | 9 +++++++++
+ include/linux/cpu.h | 3 +++
+ 3 files changed, 35 insertions(+)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1416,6 +1416,21 @@ static ssize_t mds_show_state(char *buf)
+ sched_smt_active() ? "vulnerable" : "disabled");
+ }
+
++static ssize_t tsx_async_abort_show_state(char *buf)
++{
++ if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
++ (taa_mitigation == TAA_MITIGATION_OFF))
++ return sprintf(buf, "%s\n", taa_strings[taa_mitigation]);
++
++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
++ return sprintf(buf, "%s; SMT Host state unknown\n",
++ taa_strings[taa_mitigation]);
++ }
++
++ return sprintf(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
++ sched_smt_active() ? "vulnerable" : "disabled");
++}
++
+ static char *stibp_state(void)
+ {
+ if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
+@@ -1486,6 +1501,9 @@ static ssize_t cpu_show_common(struct de
+ case X86_BUG_MDS:
+ return mds_show_state(buf);
+
++ case X86_BUG_TAA:
++ return tsx_async_abort_show_state(buf);
++
+ default:
+ break;
+ }
+@@ -1522,4 +1540,9 @@ ssize_t cpu_show_mds(struct device *dev,
+ {
+ return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
+ }
++
++ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)
++{
++ return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
++}
+ #endif
+--- a/drivers/base/cpu.c
++++ b/drivers/base/cpu.c
+@@ -539,12 +539,20 @@ ssize_t __weak cpu_show_mds(struct devic
+ return sprintf(buf, "Not affected\n");
+ }
+
++ssize_t __weak cpu_show_tsx_async_abort(struct device *dev,
++ struct device_attribute *attr,
++ char *buf)
++{
++ return sprintf(buf, "Not affected\n");
++}
++
+ static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
+ static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
+ static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+ static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL);
+ static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL);
+ static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL);
++static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
+
+ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+ &dev_attr_meltdown.attr,
+@@ -553,6 +561,7 @@ static struct attribute *cpu_root_vulner
+ &dev_attr_spec_store_bypass.attr,
+ &dev_attr_l1tf.attr,
+ &dev_attr_mds.attr,
++ &dev_attr_tsx_async_abort.attr,
+ NULL
+ };
+
+--- a/include/linux/cpu.h
++++ b/include/linux/cpu.h
+@@ -58,6 +58,9 @@ extern ssize_t cpu_show_l1tf(struct devi
+ struct device_attribute *attr, char *buf);
+ extern ssize_t cpu_show_mds(struct device *dev,
+ struct device_attribute *attr, char *buf);
++extern ssize_t cpu_show_tsx_async_abort(struct device *dev,
++ struct device_attribute *attr,
++ char *buf);
+
+ extern __printf(4, 5)
+ struct device *cpu_device_create(struct device *parent, void *drvdata,
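
A complementary userspace sketch (not part of the patch) that reads the new sysfs file; the path comes from the changelog above, everything else is illustrative:

    #include <stdio.h>

    int main(void)
    {
        char state[128];
        FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort", "r");

        if (!f) {
            /* Kernels without the TAA patches simply do not have the file. */
            puts("tsx_async_abort: file not present");
            return 1;
        }
        if (fgets(state, sizeof(state), f))
            printf("tsx_async_abort: %s", state);
        fclose(f);
        return 0;
    }
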
diff --git a/patches.suse/0007-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch b/patches.suse/0007-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch
new file mode 100644
index 0000000000..470f9fab83
--- /dev/null
+++ b/patches.suse/0007-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch
@@ -0,0 +1,63 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Wed, 23 Oct 2019 12:23:33 +0200
+Subject: [PATCH 07/10] kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit e1d38b63acd843cfdd4222bf19a26700fd5c699e upstream
+
+Export the IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX
+Async Abort(TAA) affected hosts that have TSX enabled and updated
+microcode. This is required so that the guests don't complain,
+
+ "Vulnerable: Clear CPU buffers attempted, no microcode"
+
+when the host has the updated microcode to clear CPU buffers.
+
+Microcode update also adds support for MSR_IA32_TSX_CTRL which is
+enumerated by the ARCH_CAP_TSX_CTRL bit in IA32_ARCH_CAPABILITIES MSR.
+Guests can't do this check themselves when the ARCH_CAP_TSX_CTRL bit is
+not exported to the guests.
+
+In this case export MDS_NO=0 to the guests. When guests have
+CPUID.MD_CLEAR=1, they deploy MDS mitigation which also mitigates TAA.
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/x86.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1082,6 +1082,25 @@ u64 kvm_get_arch_capabilities(void)
+ if (!boot_cpu_has_bug(X86_BUG_MDS))
+ data |= ARCH_CAP_MDS_NO;
+
++ /*
++ * On TAA affected systems, export MDS_NO=0 when:
++ * - TSX is enabled on the host, i.e. X86_FEATURE_RTM=1.
++ * - Updated microcode is present. This is detected by
++ * the presence of ARCH_CAP_TSX_CTRL_MSR and ensures
++ * that VERW clears CPU buffers.
++ *
++ * When MDS_NO=0 is exported, guests deploy clear CPU buffer
++ * mitigation and don't complain:
++ *
++ * "Vulnerable: Clear CPU buffers attempted, no microcode"
++ *
++ * If TSX is disabled on the system, guests are also mitigated against
++ * TAA and clear CPU buffer mitigation is not required for guests.
++ */
++ if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
++ (data & ARCH_CAP_TSX_CTRL_MSR))
++ data &= ~ARCH_CAP_MDS_NO;
++
+ return data;
+ }
+
diff --git a/patches.suse/0008-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch b/patches.suse/0008-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch
new file mode 100644
index 0000000000..870cc8b566
--- /dev/null
+++ b/patches.suse/0008-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch
@@ -0,0 +1,64 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Wed, 23 Oct 2019 12:28:57 +0200
+Subject: [PATCH 08/10] x86/tsx: Add "auto" option to the tsx= cmdline
+ parameter
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit 7531a3596e3272d1f6841e0d601a614555dc6b65 upstream
+
+Platforms which are not affected by X86_BUG_TAA may want the TSX feature
+enabled. Add "auto" option to the TSX cmdline parameter. When tsx=auto
+disable TSX when X86_BUG_TAA is present, otherwise enable TSX.
+
+More details on X86_BUG_TAA can be found here:
+https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+
+ [ bp: Extend the arg buffer to accommodate "auto\0". ]
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 3 +++
+ arch/x86/kernel/cpu/tsx.c | 7 ++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -4496,6 +4496,9 @@
+ update. This new MSR allows for the reliable
+ deactivation of the TSX functionality.)
+
++ auto - Disable TSX if X86_BUG_TAA is present,
++ otherwise enable TSX on the system.
++
+ Not specifying this option is equivalent to tsx=off.
+
+ See Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+--- a/arch/x86/kernel/cpu/tsx.c
++++ b/arch/x86/kernel/cpu/tsx.c
+@@ -75,7 +75,7 @@ static bool __init tsx_ctrl_is_supported
+
+ void __init tsx_init(void)
+ {
+- char arg[4] = {};
++ char arg[5] = {};
+ int ret;
+
+ if (!tsx_ctrl_is_supported())
+@@ -87,6 +87,11 @@ void __init tsx_init(void)
+ tsx_ctrl_state = TSX_CTRL_ENABLE;
+ } else if (!strcmp(arg, "off")) {
+ tsx_ctrl_state = TSX_CTRL_DISABLE;
++ } else if (!strcmp(arg, "auto")) {
++ if (boot_cpu_has_bug(X86_BUG_TAA))
++ tsx_ctrl_state = TSX_CTRL_DISABLE;
++ else
++ tsx_ctrl_state = TSX_CTRL_ENABLE;
+ } else {
+ tsx_ctrl_state = TSX_CTRL_DISABLE;
+ pr_err("tsx: invalid option, defaulting to off\n");
diff --git a/patches.suse/0009-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch b/patches.suse/0009-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch
new file mode 100644
index 0000000000..67466d54a7
--- /dev/null
+++ b/patches.suse/0009-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch
@@ -0,0 +1,513 @@
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Wed, 23 Oct 2019 12:32:55 +0200
+Subject: [PATCH 09/10] x86/speculation/taa: Add documentation for TSX Async
+ Abort
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit a7a248c593e4fd7a67c50b5f5318fe42a0db335e upstream
+
+Add the documentation for TSX Async Abort. Include the description of
+the issue, how to check the mitigation state, how to control the
+mitigation, and guidance for system administrators.
+
+ [ bp: Add proper SPDX tags, touch ups by Josh and me. ]
+
+Co-developed-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Mark Gross <mgross@linux.intel.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/ABI/testing/sysfs-devices-system-cpu | 1 +
+ Documentation/admin-guide/hw-vuln/index.rst | 1 +
+ .../admin-guide/hw-vuln/tsx_async_abort.rst | 276 +++++++++++++++++++++
+ Documentation/admin-guide/kernel-parameters.txt | 38 +++
+ Documentation/x86/index.rst | 1 +
+ Documentation/x86/tsx_async_abort.rst | 117 +++++++++
+ 6 files changed, 434 insertions(+)
+ create mode 100644 Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+ create mode 100644 Documentation/x86/tsx_async_abort.rst
+
+--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
+@@ -381,6 +381,7 @@ What: /sys/devices/system/cpu/vulnerabi
+ /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
+ /sys/devices/system/cpu/vulnerabilities/l1tf
+ /sys/devices/system/cpu/vulnerabilities/mds
++ /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
+ Date: January 2018
+ Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
+ Description: Information about CPU vulnerabilities
+--- /dev/null
++++ b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+@@ -0,0 +1,276 @@
++.. SPDX-License-Identifier: GPL-2.0
++
++TAA - TSX Asynchronous Abort
++======================================
++
++TAA is a hardware vulnerability that allows unprivileged speculative access to
++data which is available in various CPU internal buffers by using asynchronous
++aborts within an Intel TSX transactional region.
++
++Affected processors
++-------------------
++
++This vulnerability only affects Intel processors that support Intel
++Transactional Synchronization Extensions (TSX) when the TAA_NO bit (bit 8)
++is 0 in the IA32_ARCH_CAPABILITIES MSR. On processors where the MDS_NO bit
++(bit 5) is 0 in the IA32_ARCH_CAPABILITIES MSR, the existing MDS mitigations
++also mitigate against TAA.
++
++Whether a processor is affected or not can be read out from the TAA
++vulnerability file in sysfs. See :ref:`tsx_async_abort_sys_info`.
++
++Related CVEs
++------------
++
++The following CVE entry is related to this TAA issue:
++
++ ============== ===== ===================================================
++ CVE-2019-11135 TAA TSX Asynchronous Abort (TAA) condition on some
++ microprocessors utilizing speculative execution may
++ allow an authenticated user to potentially enable
++ information disclosure via a side channel with
++ local access.
++ ============== ===== ===================================================
++
++Problem
++-------
++
++When performing store, load or L1 refill operations, processors write
++data into temporary microarchitectural structures (buffers). The data in
++those buffers can be forwarded to load operations as an optimization.
++
++Intel TSX is an extension to the x86 instruction set architecture that adds
++hardware transactional memory support to improve performance of multi-threaded
++software. TSX lets the processor expose and exploit concurrency hidden in an
++application by dynamically avoiding unnecessary synchronization.
++
++TSX supports atomic memory transactions that are either committed (success) or
++aborted. During an abort, operations that happened within the transactional region
++are rolled back. An asynchronous abort takes place, among other options, when a
++different thread accesses a cache line that is also used within the transactional
++region when that access might lead to a data race.
++
++Immediately after an uncompleted asynchronous abort, certain speculatively
++executed loads may read data from those internal buffers and pass it to dependent
++operations. This can be then used to infer the value via a cache side channel
++attack.
++
++Because the buffers are potentially shared between Hyper-Threads, cross
++Hyper-Thread attacks are possible.
++
++The victim of a malicious actor does not need to make use of TSX. Only the
++attacker needs to begin a TSX transaction and raise an asynchronous abort
++which in turn potentially leaks data stored in the buffers.
++
++More detailed technical information is available in the TAA specific x86
++architecture section: :ref:`Documentation/x86/tsx_async_abort.rst <tsx_async_abort>`.
++
++
++Attack scenarios
++----------------
++
++Attacks against the TAA vulnerability can be implemented from unprivileged
++applications running on hosts or guests.
++
++As for MDS, the attacker has no control over the memory addresses that can
++be leaked. Only the victim is responsible for bringing data to the CPU. As
++a result, the malicious actor has to sample as much data as possible and
++then postprocess it to try to infer any useful information from it.
++
++A potential attacker only has read access to the data. Also, there is no direct
++privilege escalation by using this technique.
++
++
++.. _tsx_async_abort_sys_info:
++
++TAA system information
++-----------------------
++
++The Linux kernel provides a sysfs interface to enumerate the current TAA status
++of mitigated systems. The relevant sysfs file is:
++
++/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
++
++The possible values in this file are:
++
++.. list-table::
++
++ * - 'Vulnerable'
++ - The CPU is affected by this vulnerability and the microcode and kernel mitigation are not applied.
++ * - 'Vulnerable: Clear CPU buffers attempted, no microcode'
++ - The system tries to clear the buffers but the microcode might not support the operation.
++ * - 'Mitigation: Clear CPU buffers'
++ - The microcode has been updated to clear the buffers. TSX is still enabled.
++ * - 'Mitigation: TSX disabled'
++ - TSX is disabled.
++ * - 'Not affected'
++ - The CPU is not affected by this issue.
++
++.. _ucode_needed:
++
++Best effort mitigation mode
++^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++If the processor is vulnerable, but the availability of the microcode-based
++mitigation mechanism is not advertised via CPUID, the kernel selects a best
++effort mitigation mode. This mode invokes the mitigation instructions
++without a guarantee that they clear the CPU buffers.
++
++This is done to address virtualization scenarios where the host has the
++microcode update applied, but the hypervisor is not yet updated to expose the
++CPUID to the guest. If the host has updated microcode the protection takes
++effect; otherwise a few CPU cycles are wasted pointlessly.
++
++The state in the tsx_async_abort sysfs file reflects this situation
++accordingly.
++
++
++Mitigation mechanism
++--------------------
++
++The kernel detects the affected CPUs and the presence of the microcode which is
++required. If a CPU is affected and the microcode is available, then the kernel
++enables the mitigation by default.
++
++
++The mitigation can be controlled at boot time via a kernel command line option.
++See :ref:`taa_mitigation_control_command_line`.
++
++.. _virt_mechanism:
++
++Virtualization mitigation
++^^^^^^^^^^^^^^^^^^^^^^^^^
++
++Affected systems where the host has TAA microcode and TAA is mitigated by
++having disabled TSX previously, are not vulnerable regardless of the status
++of the VMs.
++
++In all other cases, if the host either does not have the TAA microcode or
++the kernel is not mitigated, the system might be vulnerable.
++
++
++.. _taa_mitigation_control_command_line:
++
++Mitigation control on the kernel command line
++---------------------------------------------
++
++The kernel command line allows to control the TAA mitigations at boot time with
++the option "tsx_async_abort=". The valid arguments for this option are:
++
++ ============ =============================================================
++ off This option disables the TAA mitigation on affected platforms.
++ If the system has TSX enabled (see next parameter) and the CPU
++ is affected, the system is vulnerable.
++
++ full TAA mitigation is enabled. If TSX is enabled, on an affected
++ system it will clear CPU buffers on ring transitions. On
++ systems which are MDS-affected and deploy MDS mitigation,
++ TAA is also mitigated. Specifying this option on those
++ systems will have no effect.
++
++ full,nosmt The same as tsx_async_abort=full, with SMT disabled on
++ vulnerable CPUs that have TSX enabled. This is the complete
++ mitigation. When TSX is disabled, SMT is not disabled because
++ CPU is not vulnerable to cross-thread TAA attacks.
++ ============ =============================================================
++
++Not specifying this option is equivalent to "tsx_async_abort=full".
++
++The kernel command line also allows to control the TSX feature using the
++parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used
++to control the TSX feature and the enumeration of the TSX feature bits (RTM
++and HLE) in CPUID.
++
++The valid options are:
++
++ ============ =============================================================
++ off Disables TSX on the system.
++
++ Note that this option takes effect only on newer CPUs which are
++ not vulnerable to MDS, i.e., have MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1
++ and which get the new IA32_TSX_CTRL MSR through a microcode
++ update. This new MSR allows for the reliable deactivation of
++ the TSX functionality.
++
++ on Enables TSX.
++
++ Although there are mitigations for all known security
++ vulnerabilities, TSX has been known to be an accelerator for
++ several previous speculation-related CVEs, and so there may be
++ unknown security risks associated with leaving it enabled.
++
++ auto Disables TSX if X86_BUG_TAA is present, otherwise enables TSX
++ on the system.
++ ============ =============================================================
++
++Not specifying this option is equivalent to "tsx=off".
++
++The following combinations of the "tsx_async_abort" and "tsx" parameters are
++possible. For affected platforms tsx=auto is equivalent to tsx=off and the result will be:
++
++ ========= ========================== =========================================
++ tsx=on tsx_async_abort=full The system will use VERW to clear CPU
++ buffers. Cross-thread attacks are still
++ possible on SMT machines.
++ tsx=on tsx_async_abort=full,nosmt As above, cross-thread attacks on SMT
++ mitigated.
++ tsx=on tsx_async_abort=off The system is vulnerable.
++ tsx=off tsx_async_abort=full TSX might be disabled if microcode
++ provides a TSX control MSR. If so,
++ system is not vulnerable.
++ tsx=off tsx_async_abort=full,nosmt Ditto
++ tsx=off tsx_async_abort=off ditto
++ ========= ========================== =========================================
++
++
++For unaffected platforms "tsx=on" and "tsx_async_abort=full" do not clear CPU
++buffers. For platforms without TSX control (MSR_IA32_ARCH_CAPABILITIES.MDS_NO=0)
++the "tsx" command line argument has no effect.
++
++For the affected platforms, the table below indicates the mitigation status for the
++combinations of CPUID bit MD_CLEAR and IA32_ARCH_CAPABILITIES MSR bits MDS_NO
++and TSX_CTRL_MSR.
++
++ ======= ========= ============= ========================================
++ MDS_NO MD_CLEAR TSX_CTRL_MSR Status
++ ======= ========= ============= ========================================
++ 0 0 0 Vulnerable (needs microcode)
++ 0 1 0 MDS and TAA mitigated via VERW
++ 1 1 0 MDS fixed, TAA vulnerable if TSX enabled
++ because MD_CLEAR has no meaning and
++ VERW is not guaranteed to clear buffers
++ 1 X 1 MDS fixed, TAA can be mitigated by
++ VERW or TSX_CTRL_MSR
++ ======= ========= ============= ========================================
++
++Mitigation selection guide
++--------------------------
++
++1. Trusted userspace and guests
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++If all user space applications are from a trusted source and do not execute
++untrusted code which is supplied externally, then the mitigation can be
++disabled. The same applies to virtualized environments with trusted guests.
++
++
++2. Untrusted userspace and guests
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++If there are untrusted applications or guests on the system, enabling TSX
++might allow a malicious actor to leak data from the host or from other
++processes running on the same physical core.
++
++If the microcode is available and the TSX is disabled on the host, attacks
++are prevented in a virtualized environment as well, even if the VMs do not
++explicitly enable the mitigation.
++
++
++.. _taa_default_mitigations:
++
++Default mitigations
++-------------------
++
++The kernel's default action for vulnerable processors is:
++
++ - Deploy TSX disable mitigation (tsx_async_abort=full tsx=off).
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2398,6 +2398,7 @@
+ spec_store_bypass_disable=off [X86,PPC]
+ l1tf=off [X86]
+ mds=off [X86]
++ tsx_async_abort=off [X86]
+
+ auto (default)
+ Mitigate all CPU vulnerabilities, but leave SMT
+@@ -2413,6 +2414,7 @@
+ be fully mitigated, even if it means losing SMT.
+ Equivalent to: l1tf=flush,nosmt [X86]
+ mds=full,nosmt [X86]
++ tsx_async_abort=full,nosmt [X86]
+
+ mminit_loglevel=
+ [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
+@@ -4504,6 +4506,42 @@
+ See Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+ for more details.
+
++ tsx_async_abort= [X86,INTEL] Control mitigation for the TSX Async
++ Abort (TAA) vulnerability.
++
++ Similar to Micro-architectural Data Sampling (MDS)
++ certain CPUs that support Transactional
++ Synchronization Extensions (TSX) are vulnerable to an
++ exploit against CPU internal buffers which can forward
++ information to a disclosure gadget under certain
++ conditions.
++
++ In vulnerable processors, the speculatively forwarded
++ data can be used in a cache side channel attack, to
++ access data to which the attacker does not have direct
++ access.
++
++ This parameter controls the TAA mitigation. The
++ options are:
++
++ full - Enable TAA mitigation on vulnerable CPUs
++ if TSX is enabled.
++
++ full,nosmt - Enable TAA mitigation and disable SMT on
++ vulnerable CPUs. If TSX is disabled, SMT
++ is not disabled because CPU is not
++ vulnerable to cross-thread TAA attacks.
++ off - Unconditionally disable TAA mitigation
++
++ Not specifying this option is equivalent to
++ tsx_async_abort=full. On CPUs which are MDS affected
++ and deploy MDS mitigation, TAA mitigation is not
++ required and doesn't provide any additional
++ mitigation.
++
++ For details see:
++ Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
++
+ turbografx.map[2|3]= [HW,JOY]
+ TurboGraFX parallel port interface
+ Format:
+--- a/Documentation/x86/index.rst
++++ b/Documentation/x86/index.rst
+@@ -6,3 +6,4 @@ x86 architecture specifics
+ :maxdepth: 1
+
+ mds
++ tsx_async_abort
+--- /dev/null
++++ b/Documentation/x86/tsx_async_abort.rst
+@@ -0,0 +1,117 @@
++.. SPDX-License-Identifier: GPL-2.0
++
++TSX Async Abort (TAA) mitigation
++================================
++
++.. _tsx_async_abort:
++
++Overview
++--------
++
++TSX Async Abort (TAA) is a side channel attack on internal buffers in some
++Intel processors similar to Microarchitectural Data Sampling (MDS). In this
++case certain loads may speculatively pass invalid data to dependent operations
++when an asynchronous abort condition is pending in a Transactional
++Synchronization Extensions (TSX) transaction. This includes loads with no
++fault or assist condition. Such loads may speculatively expose stale data from
++the same uarch data structures as in MDS, with same scope of exposure i.e.
++same-thread and cross-thread. This issue affects all current processors that
++support TSX.
++
++Mitigation strategy
++-------------------
++
++a) TSX disable - one of the mitigations is to disable TSX. A new MSR
++IA32_TSX_CTRL will be available in future and current processors after
++microcode update which can be used to disable TSX. In addition, it
++controls the enumeration of the TSX feature bits (RTM and HLE) in CPUID.
++
++b) Clear CPU buffers - similar to MDS, clearing the CPU buffers mitigates this
++vulnerability. More details on this approach can be found in
++:ref:`Documentation/admin-guide/hw-vuln/mds.rst <mds>`.
++
++Kernel internal mitigation modes
++--------------------------------
++
++ ============= ============================================================
++ off Mitigation is disabled. Either the CPU is not affected or
++ tsx_async_abort=off is supplied on the kernel command line.
++
++ tsx disabled Mitigation is enabled. TSX feature is disabled by default at
++ bootup on processors that support TSX control.
++
++ verw Mitigation is enabled. CPU is affected and MD_CLEAR is
++ advertised in CPUID.
++
++ ucode needed Mitigation is enabled. CPU is affected and MD_CLEAR is not
++ advertised in CPUID. That is mainly for virtualization
++ scenarios where the host has the updated microcode but the
++ hypervisor does not expose MD_CLEAR in CPUID. It's a best
++ effort approach without guarantee.
++ ============= ============================================================
++
++If the CPU is affected and the "tsx_async_abort" kernel command line parameter is
++not provided then the kernel selects an appropriate mitigation depending on the
++status of RTM and MD_CLEAR CPUID bits.
++
++The tables below indicate the impact of tsx=on|off|auto cmdline options on the state of
++TAA mitigation, VERW behavior and TSX feature for various combinations of
++MSR_IA32_ARCH_CAPABILITIES bits.
++
++1. "tsx=off"
++
++========= ========= ============ ============ ============== =================== ======================
++MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=off
++---------------------------------- -------------------------------------------------------------------------
++TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation
++ after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full
++========= ========= ============ ============ ============== =================== ======================
++ 0 0 0 HW default Yes Same as MDS Same as MDS
++ 0 0 1 Invalid case Invalid case Invalid case Invalid case
++ 0 1 0 HW default No Need ucode update Need ucode update
++ 0 1 1 Disabled Yes TSX disabled TSX disabled
++ 1 X 1 Disabled X None needed None needed
++========= ========= ============ ============ ============== =================== ======================
++
++2. "tsx=on"
++
++========= ========= ============ ============ ============== =================== ======================
++MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=on
++---------------------------------- -------------------------------------------------------------------------
++TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation
++ after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full
++========= ========= ============ ============ ============== =================== ======================
++ 0 0 0 HW default Yes Same as MDS Same as MDS
++ 0 0 1 Invalid case Invalid case Invalid case Invalid case
++ 0 1 0 HW default No Need ucode update Need ucode update
++ 0 1 1 Enabled Yes None Same as MDS
++ 1 X 1 Enabled X None needed None needed
++========= ========= ============ ============ ============== =================== ======================
++
++3. "tsx=auto"
++
++========= ========= ============ ============ ============== =================== ======================
++MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=auto
++---------------------------------- -------------------------------------------------------------------------
++TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation
++ after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full
++========= ========= ============ ============ ============== =================== ======================
++ 0 0 0 HW default Yes Same as MDS Same as MDS
++ 0 0 1 Invalid case Invalid case Invalid case Invalid case
++ 0 1 0 HW default No Need ucode update Need ucode update
++ 0 1 1 Disabled Yes TSX disabled TSX disabled
++ 1 X 1 Enabled X None needed None needed
++========= ========= ============ ============ ============== =================== ======================
++
++In the tables, TSX_CTRL_MSR is a new bit in MSR_IA32_ARCH_CAPABILITIES that
++indicates whether MSR_IA32_TSX_CTRL is supported.
++
++There are two control bits in IA32_TSX_CTRL MSR:
++
++ Bit 0: When set it disables the Restricted Transactional Memory (RTM)
++ sub-feature of TSX (will force all transactions to abort on the
++ XBEGIN instruction).
++
++ Bit 1: When set it disables the enumeration of the RTM and HLE feature
++ (i.e. it will make CPUID(EAX=7).EBX{bit4} and
++ CPUID(EAX=7).EBX{bit11} read as 0).
diff --git a/patches.suse/0010-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch b/patches.suse/0010-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch
new file mode 100644
index 0000000000..15a995572a
--- /dev/null
+++ b/patches.suse/0010-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch
@@ -0,0 +1,134 @@
+From: Michal Hocko <mhocko@suse.com>
+Date: Wed, 23 Oct 2019 12:35:50 +0200
+Subject: [PATCH 10/10] x86/tsx: Add config options to set tsx=on|off|auto
+Patch-mainline: No, still under EMBARGO
+References: bsc#1139073, CVE-2019-11135
+
+commit db616173d787395787ecc93eef075fa975227b10 upstream
+
+There is a general consensus that TSX usage is not widespread, while
+history shows there is non-trivial room for side channel attacks.
+Therefore TSX is disabled by default even on platforms that might have
+a safe implementation of TSX according to current knowledge. This is a
+fair trade-off to make.
+
+There are, however, workloads that really do benefit from using TSX and
+updating to a newer kernel with TSX disabled might introduce noticeable
+regressions. This would especially be a problem for Linux
+distributions which will provide TAA mitigations.
+
+Introduce config options X86_INTEL_TSX_MODE_OFF, X86_INTEL_TSX_MODE_ON
+and X86_INTEL_TSX_MODE_AUTO to control the TSX feature. The config
+setting can be overridden by the tsx cmdline options.
+
+ [ bp: Text cleanups from Josh. ]
+
+Suggested-by: Borislav Petkov <bpetkov@suse.de>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/Kconfig | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ arch/x86/kernel/cpu/tsx.c | 22 ++++++++++++++++------
+ 2 files changed, 61 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1833,6 +1833,51 @@ config X86_INTEL_MEMORY_PROTECTION_KEYS
+
+ If unsure, say y.
+
++choice
++ prompt "TSX enable mode"
++ depends on CPU_SUP_INTEL
++ default X86_INTEL_TSX_MODE_OFF
++ help
++ Intel's TSX (Transactional Synchronization Extensions) feature
++ allows to optimize locking protocols through lock elision which
++ can lead to a noticeable performance boost.
++
++ On the other hand it has been shown that TSX can be exploited
++ to form side channel attacks (e.g. TAA) and chances are there
++ will be more of those attacks discovered in the future.
++
++ Therefore TSX is not enabled by default (aka tsx=off). An admin
++ might override this decision by tsx=on the command line parameter.
++ Even with TSX enabled, the kernel will attempt to enable the best
++ possible TAA mitigation setting depending on the microcode available
++ for the particular machine.
++
++ This option allows to set the default tsx mode between tsx=on, =off
++ and =auto. See Documentation/admin-guide/kernel-parameters.txt for more
++ details.
++
++ Say off if not sure, auto if TSX is in use but it should be used on safe
++ platforms or on if TSX is in use and the security aspect of tsx is not
++ relevant.
++
++config X86_INTEL_TSX_MODE_OFF
++ bool "off"
++ help
++ TSX is disabled if possible - equals to tsx=off command line parameter.
++
++config X86_INTEL_TSX_MODE_ON
++ bool "on"
++ help
++ TSX is always enabled on TSX capable HW - equals the tsx=on command
++ line parameter.
++
++config X86_INTEL_TSX_MODE_AUTO
++ bool "auto"
++ help
++ TSX is enabled on TSX capable HW that is believed to be safe against
++ side channel attacks- equals the tsx=auto command line parameter.
++endchoice
++
+ config EFI
+ bool "EFI runtime service support"
+ depends on ACPI
+--- a/arch/x86/kernel/cpu/tsx.c
++++ b/arch/x86/kernel/cpu/tsx.c
+@@ -73,6 +73,14 @@ static bool __init tsx_ctrl_is_supported
+ return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR);
+ }
+
++static enum tsx_ctrl_states x86_get_tsx_auto_mode(void)
++{
++ if (boot_cpu_has_bug(X86_BUG_TAA))
++ return TSX_CTRL_DISABLE;
++
++ return TSX_CTRL_ENABLE;
++}
++
+ void __init tsx_init(void)
+ {
+ char arg[5] = {};
+@@ -88,17 +96,19 @@ void __init tsx_init(void)
+ } else if (!strcmp(arg, "off")) {
+ tsx_ctrl_state = TSX_CTRL_DISABLE;
+ } else if (!strcmp(arg, "auto")) {
+- if (boot_cpu_has_bug(X86_BUG_TAA))
+- tsx_ctrl_state = TSX_CTRL_DISABLE;
+- else
+- tsx_ctrl_state = TSX_CTRL_ENABLE;
++ tsx_ctrl_state = x86_get_tsx_auto_mode();
+ } else {
+ tsx_ctrl_state = TSX_CTRL_DISABLE;
+ pr_err("tsx: invalid option, defaulting to off\n");
+ }
+ } else {
+- /* tsx= not provided, defaulting to off */
+- tsx_ctrl_state = TSX_CTRL_DISABLE;
++ /* tsx= not provided */
++ if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_AUTO))
++ tsx_ctrl_state = x86_get_tsx_auto_mode();
++ else if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_OFF))
++ tsx_ctrl_state = TSX_CTRL_DISABLE;
++ else
++ tsx_ctrl_state = TSX_CTRL_ENABLE;
+ }
+
+ if (tsx_ctrl_state == TSX_CTRL_DISABLE) {
diff --git a/patches.suse/KVM-vmx-svm-always-run-with-EFER.NXE-1-when-shadow-p.patch b/patches.suse/KVM-vmx-svm-always-run-with-EFER.NXE-1-when-shadow-p.patch
new file mode 100644
index 0000000000..ea2522bdad
--- /dev/null
+++ b/patches.suse/KVM-vmx-svm-always-run-with-EFER.NXE-1-when-shadow-p.patch
@@ -0,0 +1,68 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sun, 27 Oct 2019 16:23:23 +0100
+Subject: [PATCH] KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging
+ is active
+Patch-mainline: No, still under discussion
+References: bsc#1117665
+
+VMX already does so if the host has SMEP, in order to support the combination of
+CR0.WP=1 and CR4.SMEP=1. However, it is perfectly safe to always do so, and in
+fact VMX already ends up running with EFER.NXE=1 on old processors that lack the
+"load EFER" controls, because it may help avoid a slow MSR write. Removing
+all the conditionals simplifies the code.
+
+SVM does not have similar code, but it should, since recent AMD processors do
+support SMEP. So this patch also makes the code for the two vendors more similar
+while fixing the NPT=0, CR0.WP=1, CR4.SMEP=1 case on AMD processors.
+
+Cc: stable@vger.kernel.org
+Cc: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/svm.c | 10 ++++++++--
+ arch/x86/kvm/vmx/vmx.c | 14 +++-----------
+ 2 files changed, 11 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -705,8 +705,14 @@ static int get_npt_level(struct kvm_vcpu
+ static void svm_set_efer(struct kvm_vcpu *vcpu, u64 efer)
+ {
+ vcpu->arch.efer = efer;
+- if (!npt_enabled && !(efer & EFER_LMA))
+- efer &= ~EFER_LME;
++
++ if (!npt_enabled) {
++ /* Shadow paging assumes NX to be available. */
++ efer |= EFER_NX;
++
++ if (!(efer & EFER_LMA))
++ efer &= ~EFER_LME;
++ }
+
+ to_svm(vcpu)->vmcb->save.efer = efer | EFER_SVME;
+ mark_dirty(to_svm(vcpu)->vmcb, VMCB_CR);
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2249,17 +2249,9 @@ static bool update_transition_efer(struc
+ u64 guest_efer = vmx->vcpu.arch.efer;
+ u64 ignore_bits = 0;
+
+- if (!enable_ept) {
+- /*
+- * NX is needed to handle CR0.WP=1, CR4.SMEP=1. Testing
+- * host CPUID is more efficient than testing guest CPUID
+- * or CR4. Host SMEP is anyway a requirement for guest SMEP.
+- */
+- if (boot_cpu_has(X86_FEATURE_SMEP))
+- guest_efer |= EFER_NX;
+- else if (!(guest_efer & EFER_NX))
+- ignore_bits |= EFER_NX;
+- }
++ /* Shadow paging assumes NX to be available. */
++ if (!enable_ept)
++ guest_efer |= EFER_NX;
+
+ /*
+ * LMA and LME handled by hardware; SCE meaningless outside long mode.
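
Note (not part of the patch): both the SVM and VMX hunks enforce the same invariant - with shadow paging (EPT/NPT disabled) the guest runs with EFER.NX set. A minimal sketch in plain user-space C, assuming only the architectural EFER bit layout; everything else is illustrative and not taken from kernel headers.

/*
 * Sketch of the rule implemented above: force EFER.NX when shadow
 * paging is in use.  EFER_* bit positions match the architecture.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EFER_LME (1ULL << 8)
#define EFER_LMA (1ULL << 10)
#define EFER_NX  (1ULL << 11)

static uint64_t effective_guest_efer(uint64_t efer, bool nested_paging)
{
	if (!nested_paging) {
		/* Shadow paging assumes NX to be available. */
		efer |= EFER_NX;

		/* The SVM path additionally drops LME while LMA is clear. */
		if (!(efer & EFER_LMA))
			efer &= ~EFER_LME;
	}
	return efer;
}

int main(void)
{
	uint64_t guest_efer = 0;	/* guest left EFER.NX clear */

	printf("shadow paging: NX forced -> %s\n",
	       (effective_guest_efer(guest_efer, false) & EFER_NX) ? "yes" : "no");
	printf("nested paging: NX forced -> %s\n",
	       (effective_guest_efer(guest_efer, true) & EFER_NX) ? "yes" : "no");
	return 0;
}

The VMX hunk reaches the same result by unconditionally OR-ing EFER_NX into guest_efer when enable_ept is false, instead of gating it on host SMEP.
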
diff --git a/series.conf b/series.conf
index 738b3c5e2d..74aea24f65 100644
--- a/series.conf
+++ b/series.conf
@@ -25789,6 +25789,30 @@
patches.suse/0002-x86-xen-dont-add-memory-above-max-allowed-allocation.patch
########################################################
+ # TAA patches
+ ########################################################
+ patches.suse/0001-KVM-x86-use-Intel-speculation-bugs-and-features-as-d.patch
+ patches.suse/0002-x86-msr-Add-the-IA32_TSX_CTRL-MSR.patch
+ patches.suse/0003-x86-cpu-Add-a-helper-function-x86_read_arch_cap_msr.patch
+ patches.suse/0004-x86-cpu-Add-a-tsx-cmdline-option-with-TSX-disabled-b.patch
+ patches.suse/0005-x86-speculation-taa-Add-mitigation-for-TSX-Async-Abo.patch
+ patches.suse/0006-x86-speculation-taa-Add-sysfs-reporting-for-TSX-Asyn.patch
+ patches.suse/0007-kvm-x86-Export-MDS_NO-0-to-guests-when-TSX-is-enable.patch
+ patches.suse/0008-x86-tsx-Add-auto-option-to-the-tsx-cmdline-parameter.patch
+ patches.suse/0009-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch
+ patches.suse/0010-x86-tsx-Add-config-options-to-set-tsx-on-off-auto.patch
+
+ ########################################################
+ # IFU patches
+ ########################################################
+ patches.suse/KVM-vmx-svm-always-run-with-EFER.NXE-1-when-shadow-p.patch
+ patches.suse/0001-x86-Add-ITLB_MULTIHIT-bug-infrastructure.patch
+ patches.suse/0002-x86-cpu-Add-Tremont-to-the-cpu-vulnerability.patch
+ patches.suse/0003-kvm-mmu-ITLB_MULTIHIT-mitigation.patch
+ patches.suse/0004-kvm-Add-helper-function-for-creating-VM-worker.patch
+ patches.suse/0005-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch
+
+ ########################################################
# kABI consistency patches
########################################################
@@ -25959,6 +25983,9 @@
patches.kabi/crypto-af_alg-kABI-workaround.patch
+ # IFU kABI Fix
+ patches.kabi/kABI-Fix-for-IFU-patches.patch
+
########################################################
# You'd better have a good reason for adding a patch
# below here.