| From: Alejandro Jimenez <alejandro.j.jimenez@oracle.com> |
| Date: Mon, 10 Jun 2019 13:20:10 -0400 |
| Subject: x86/speculation: Allow guests to use SSBD even if host does not |
| |
| commit c1f7fec1eb6a2c86d01bc22afce772c743451d88 upstream. |
| |
| The bits set in x86_spec_ctrl_mask are used to calculate the guest's value |
| of SPEC_CTRL that is written to the MSR before VMENTRY, and control which |
| mitigations the guest can enable. In the case of SSBD, unless the host has |
| enabled SSBD always on mode (by passing "spec_store_bypass_disable=on" in |
| the kernel parameters), the SSBD bit is not set in the mask and the guest |
| can not properly enable the SSBD always on mitigation mode. |
| |
| This has been confirmed by running the SSBD PoC on a guest using the SSBD |
| always on mitigation mode (booted with kernel parameter |
| "spec_store_bypass_disable=on"), and verifying that the guest is vulnerable |
| unless the host is also using SSBD always on mode. In addition, the guest |
| OS incorrectly reports the SSB vulnerability as mitigated. |
| |
| Always set the SSBD bit in x86_spec_ctrl_mask when the host CPU supports |
| it, allowing the guest to use SSBD whether or not the host has chosen to |
| enable the mitigation in any of its modes. |
| |
| Fixes: be6fcb5478e9 ("x86/bugs: Rework spec_ctrl base and mask logic") |
| Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com> |
| Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
| Reviewed-by: Liam Merwick <liam.merwick@oracle.com> |
| Reviewed-by: Mark Kanda <mark.kanda@oracle.com> |
| Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> |
| Cc: bp@alien8.de |
| Cc: rkrcmar@redhat.com |
| Cc: kvm@vger.kernel.org |
| Link: https://lkml.kernel.org/r/1560187210-11054-1-git-send-email-alejandro.j.jimenez@oracle.com |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| arch/x86/kernel/cpu/bugs.c | 11 ++++++++++- |
| 1 file changed, 10 insertions(+), 1 deletion(-) |
| |
| --- a/arch/x86/kernel/cpu/bugs.c |
| +++ b/arch/x86/kernel/cpu/bugs.c |
| @@ -960,6 +960,16 @@ static enum ssb_mitigation __init __ssb_ |
| } |
| |
| /* |
| + * If SSBD is controlled by the SPEC_CTRL MSR, then set the proper |
| + * bit in the mask to allow guests to use the mitigation even in the |
| + * case where the host does not enable it. |
| + */ |
| + if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) || |
| + static_cpu_has(X86_FEATURE_AMD_SSBD)) { |
| + x86_spec_ctrl_mask |= SPEC_CTRL_SSBD; |
| + } |
| + |
| + /* |
| * We have three CPU feature flags that are in play here: |
| * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. |
| * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass |
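Review bot: the new block is placed ahead of the mode selection and assumes there is no early return between the end of the cmdline parsing (the `}` at the top of the hunk) and this point in `__ssb_select_mitigation()`; since the second hunk drops the `x86_spec_ctrl_mask |= SPEC_CTRL_SSBD` from the "on" path, any such return would leave the mask bit unset on exactly the path that used to set it, so please confirm the control flow in the surrounding function. The comment could also state why the mask matters for KVM (the guest's requested SPEC_CTRL value is ANDed with `x86_spec_ctrl_mask` before being written on VMENTRY), e.g. "... so that a guest-written SSBD bit is not masked off before VMENTRY"; without that, a reader may not see why a mask bit is set when the host mitigation is off.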
| @@ -976,7 +986,6 @@ static enum ssb_mitigation __init __ssb_ |
| x86_amd_ssb_disable(); |
| } else { |
| x86_spec_ctrl_base |= SPEC_CTRL_SSBD; |
| - x86_spec_ctrl_mask |= SPEC_CTRL_SSBD; |
| wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
| } |
| } |
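Review bot: removing `x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;` from this else branch is only behaviour-preserving if the branch's guard is the same feature test as the new block in the first hunk (`X86_FEATURE_SPEC_CTRL_SSBD || X86_FEATURE_AMD_SSBD`); the guard is not in the visible context, so please check that no CPU reaches this `x86_spec_ctrl_base |= SPEC_CTRL_SSBD` / `wrmsrl(MSR_IA32_SPEC_CTRL, ...)` path without also having had the mask bit set earlier, otherwise the host would enable SSBD for itself while still masking it off for guests, which is the inverse of the bug being fixed.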