From 9d8d0294e78a164d407133dea05caf4b84247d6a Mon Sep 17 00:00:00 2001
From: Andy Lutomirski <luto@kernel.org>
Date: Tue, 14 May 2019 13:24:40 -0700
Subject: x86/speculation/mds: Improve CPU buffer clear documentation

From: Andy Lutomirski <luto@kernel.org>

commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.

On x86_64, all returns to usermode go through
prepare_exit_to_usermode(), with the sole exception of do_nmi().
This even includes machine checks -- this was added several years
ago to support MCE recovery. Update the documentation.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
Documentation/x86/mds.rst | 39 +++++++--------------------------------
1 file changed, 7 insertions(+), 32 deletions(-)

--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
| @@ -142,38 +142,13 @@ Mitigation points |
| mds_user_clear. |
| |
| The mitigation is invoked in prepare_exit_to_usermode() which covers |
| - most of the kernel to user space transitions. There are a few exceptions |
| - which are not invoking prepare_exit_to_usermode() on return to user |
| - space. These exceptions use the paranoid exit code. |
| - |
| - - Non Maskable Interrupt (NMI): |
| - |
| - Access to sensible data like keys, credentials in the NMI context is |
| - mostly theoretical: The CPU can do prefetching or execute a |
| - misspeculated code path and thereby fetching data which might end up |
| - leaking through a buffer. |
| - |
| - But for mounting other attacks the kernel stack address of the task is |
| - already valuable information. So in full mitigation mode, the NMI is |
| - mitigated on the return from do_nmi() to provide almost complete |
| - coverage. |
| - |
| - - Machine Check Exception (#MC): |
| - |
| - Another corner case is a #MC which hits between the CPU buffer clear |
| - invocation and the actual return to user. As this still is in kernel |
| - space it takes the paranoid exit path which does not clear the CPU |
| - buffers. So the #MC handler repopulates the buffers to some |
| - extent. Machine checks are not reliably controllable and the window is |
| - extremly small so mitigation would just tick a checkbox that this |
| - theoretical corner case is covered. To keep the amount of special |
| - cases small, ignore #MC. |
| - |
| - - Debug Exception (#DB): |
| - |
| - This takes the paranoid exit path only when the INT1 breakpoint is in |
| - kernel space. #DB on a user space address takes the regular exit path, |
| - so no extra mitigation required. |
| + all but one of the kernel to user space transitions. The exception |
| + is when we return from a Non Maskable Interrupt (NMI), which is |
| + handled directly in do_nmi(). |
| + |
| + (The reason that NMI is special is that prepare_exit_to_usermode() can |
| + enable IRQs. In NMI context, NMIs are blocked, and we don't want to |
| + enable IRQs with NMIs blocked.) |
| |
| |
| 2. C-State transition |
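Review bot: the replacement paragraph drops the statement that the NMI return path is itself mitigated, so a reader of the new text cannot tell whether the one transition that bypasses prepare_exit_to_usermode() is still covered or is now an unmitigated window. The removed text said that in full mitigation mode the buffers are cleared on the return from do_nmi(); if that is still true, keep one sentence saying so next to the new explanation of why NMI cannot use prepare_exit_to_usermode(), e.g. "do_nmi() performs the CPU buffer clear itself before returning to user space." The commit message's point that machine checks now go through prepare_exit_to_usermode() is what justifies deleting the #MC paragraph, and stating that in the document would be clearer than leaving it to be inferred from "all but one". Minor: "Non Maskable" is normally hyphenated as "Non-Maskable".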