Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBorislav Petkov <bp@suse.de>2019-08-16 11:20:20 +0200
committerBorislav Petkov <bp@suse.de>2019-08-16 11:20:20 +0200
commit66db1d68a503531736cf09f70b760d7882a03a72 (patch)
tree9a5963f1e42e05ea64b7830c6bc3e4c3d782b56b
parent6ffe96cbb7ae2a351631485f3302bdb66df41f79 (diff)
x86/speculation: Allow guests to use SSBD even if host does not
(bsc#1114279).
-rw-r--r--patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch71
-rw-r--r--series.conf1
2 files changed, 72 insertions, 0 deletions
diff --git a/patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch b/patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch
new file mode 100644
index 0000000000..eba44ed109
--- /dev/null
+++ b/patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch
@@ -0,0 +1,71 @@
+From: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
+Date: Mon, 10 Jun 2019 13:20:10 -0400
+Subject: x86/speculation: Allow guests to use SSBD even if host does not
+Git-commit: c1f7fec1eb6a2c86d01bc22afce772c743451d88
+Patch-mainline: v5.2-rc7
+References: bsc#1114279
+
+The bits set in x86_spec_ctrl_mask are used to calculate the guest's value
+of SPEC_CTRL that is written to the MSR before VMENTRY, and control which
+mitigations the guest can enable. In the case of SSBD, unless the host has
+enabled SSBD always on mode (by passing "spec_store_bypass_disable=on" in
+the kernel parameters), the SSBD bit is not set in the mask and the guest
+can not properly enable the SSBD always on mitigation mode.
+
+This has been confirmed by running the SSBD PoC on a guest using the SSBD
+always on mitigation mode (booted with kernel parameter
+"spec_store_bypass_disable=on"), and verifying that the guest is vulnerable
+unless the host is also using SSBD always on mode. In addition, the guest
+OS incorrectly reports the SSB vulnerability as mitigated.
+
+Always set the SSBD bit in x86_spec_ctrl_mask when the host CPU supports
+it, allowing the guest to use SSBD whether or not the host has chosen to
+enable the mitigation in any of its modes.
+
+Fixes: be6fcb5478e9 ("x86/bugs: Rework spec_ctrl base and mask logic")
+Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: bp@alien8.de
+Cc: rkrcmar@redhat.com
+Cc: kvm@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1560187210-11054-1-git-send-email-alejandro.j.jimenez@oracle.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/bugs.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 03b4cc0ec3a7..66ca906aa790 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -835,6 +835,16 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
+ break;
+ }
+
++ /*
++ * If SSBD is controlled by the SPEC_CTRL MSR, then set the proper
++ * bit in the mask to allow guests to use the mitigation even in the
++ * case where the host does not enable it.
++ */
++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
++ static_cpu_has(X86_FEATURE_AMD_SSBD)) {
++ x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
++ }
++
+ /*
+ * We have three CPU feature flags that are in play here:
+ * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
+@@ -852,7 +862,6 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
+ x86_amd_ssb_disable();
+ } else {
+ x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
+- x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+ }
+ }
+
diff --git a/series.conf b/series.conf
index eb74b11f8d..4000e45b50 100644
--- a/series.conf
+++ b/series.conf
@@ -22998,6 +22998,7 @@
patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch
patches.fixes/efi-bgrt-Drop-BGRT-status-field-reserved-bits-check.patch
patches.arch/x86-microcode-fix-the-microcode-load-on-cpu-hotplug-for-real.patch
+ patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch
patches.fixes/Bluetooth-Fix-faulty-expression-for-minimum-encrypti.patch
patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch