| From foo@baz Wed Mar 9 04:10:24 PM CET 2022 |
| From: Peter Zijlstra <peterz@infradead.org> |
| Date: Wed, 16 Feb 2022 20:57:02 +0100 |
| Subject: Documentation/hw-vuln: Update spectre doc |
| |
| From: Peter Zijlstra <peterz@infradead.org> |
| |
| commit 5ad3eb1132453b9795ce5fd4572b1c18b292cca9 upstream. |
| |
| Update the doc with the new fun. |
| |
| [ bp: Massage commit message. ] |
| |
| Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> |
| Signed-off-by: Borislav Petkov <bp@suse.de> |
| Reviewed-by: Thomas Gleixner <tglx@linutronix.de> |
| [fllinden@amazon.com: backported to 4.19] |
| Signed-off-by: Frank van der Linden <fllinden@amazon.com> |
| [bwh: Backported to 4.9: adjust filenames] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| Documentation/hw-vuln/spectre.rst | 42 ++++++++++++++++++++++++------------ |
| Documentation/kernel-parameters.txt | 8 +++++- |
| 2 files changed, 35 insertions(+), 15 deletions(-) |
| |
| --- a/Documentation/hw-vuln/spectre.rst |
| +++ b/Documentation/hw-vuln/spectre.rst |
| @@ -131,6 +131,19 @@ steer its indirect branch speculations t |
| speculative execution's side effects left in level 1 cache to infer the |
| victim's data. |
| |
| +Yet another variant 2 attack vector is for the attacker to poison the |
| +Branch History Buffer (BHB) to speculatively steer an indirect branch |
| +to a specific Branch Target Buffer (BTB) entry, even if the entry isn't |
| +associated with the source address of the indirect branch. Specifically, |
| +the BHB might be shared across privilege levels even in the presence of |
| +Enhanced IBRS. |
| + |
| +Currently the only known real-world BHB attack vector is via |
| +unprivileged eBPF. Therefore, it's highly recommended to not enable |
| +unprivileged eBPF, especially when eIBRS is used (without retpolines). |
| +For a full mitigation against BHB attacks, it's recommended to use |
| +retpolines (or eIBRS combined with retpolines). |
| + |
| Attack scenarios |
| ---------------- |
| |
| @@ -364,13 +377,15 @@ The possible values in this file are: |
| |
| - Kernel status: |
| |
| - ==================================== ================================= |
| - 'Not affected' The processor is not vulnerable |
| - 'Vulnerable' Vulnerable, no mitigation |
| - 'Mitigation: Full generic retpoline' Software-focused mitigation |
| - 'Mitigation: Full AMD retpoline' AMD-specific software mitigation |
| - 'Mitigation: Enhanced IBRS' Hardware-focused mitigation |
| - ==================================== ================================= |
| + ======================================== ================================= |
| + 'Not affected' The processor is not vulnerable |
| + 'Mitigation: None' Vulnerable, no mitigation |
| + 'Mitigation: Retpolines' Use Retpoline thunks |
| + 'Mitigation: LFENCE' Use LFENCE instructions |
| + 'Mitigation: Enhanced IBRS' Hardware-focused mitigation |
| + 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines |
| + 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE |
| + ======================================== ================================= |
| |
| - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is |
| used to protect against Spectre variant 2 attacks when calling firmware (x86 only). |
| @@ -584,12 +599,13 @@ kernel command line. |
| |
| Specific mitigations can also be selected manually: |
| |
| - retpoline |
| - replace indirect branches |
| - retpoline,generic |
| - google's original retpoline |
| - retpoline,amd |
| - AMD-specific minimal thunk |
| + retpoline auto pick between generic,lfence |
| + retpoline,generic Retpolines |
| + retpoline,lfence LFENCE; indirect branch |
| + retpoline,amd alias for retpoline,lfence |
| + eibrs enhanced IBRS |
| + eibrs,retpoline enhanced IBRS + Retpolines |
| + eibrs,lfence enhanced IBRS + LFENCE |
| |
| Not specifying this option is equivalent to |
| spectre_v2=auto. |
| --- a/Documentation/kernel-parameters.txt |
| +++ b/Documentation/kernel-parameters.txt |
| @@ -4174,8 +4174,12 @@ bytes respectively. Such letter suffixes |
| Specific mitigations can also be selected manually: |
| |
| retpoline - replace indirect branches |
| - retpoline,generic - google's original retpoline |
| - retpoline,amd - AMD-specific minimal thunk |
| + retpoline,generic - Retpolines |
| + retpoline,lfence - LFENCE; indirect branch |
| + retpoline,amd - alias for retpoline,lfence |
| + eibrs - enhanced IBRS |
| + eibrs,retpoline - enhanced IBRS + Retpolines |
| + eibrs,lfence - enhanced IBRS + LFENCE |
| |
| Not specifying this option is equivalent to |
| spectre_v2=auto. |