| From foo@baz Wed Mar 9 04:10:24 PM CET 2022 |
| From: Josh Poimboeuf <jpoimboe@redhat.com> |
| Date: Fri, 25 Feb 2022 14:32:28 -0800 |
| Subject: x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT |
| |
| From: Josh Poimboeuf <jpoimboe@redhat.com> |
| |
| commit 0de05d056afdb00eca8c7bbb0c79a3438daf700c upstream. |
| |
| The commit |
| |
| 44a3918c8245 ("x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting") |
| |
| added a warning for the "eIBRS + unprivileged eBPF" combination, which |
| has been shown to be vulnerable to Spectre v2 BHB-based attacks. |
| |
| However, there's no warning about the "eIBRS + LFENCE retpoline + |
| unprivileged eBPF" combo. The LFENCE adds more protection by shortening |
| the speculation window after a mispredicted branch. That makes an attack |
| significantly more difficult, even with unprivileged eBPF. So at least |
| for now the logic doesn't warn about that combination. |
| |
| But if you then add SMT into the mix, the SMT attack angle weakens the |
| effectiveness of the LFENCE considerably. |
| |
| So extend the "eIBRS + unprivileged eBPF" warning to also include the |
| "eIBRS + LFENCE + unprivileged eBPF + SMT" case. |
| |
| [ bp: Massage commit message. ] |
| |
| Suggested-by: Alyssa Milburn <alyssa.milburn@linux.intel.com> |
| Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> |
| Signed-off-by: Borislav Petkov <bp@suse.de> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/x86/kernel/cpu/bugs.c | 27 +++++++++++++++++++++++++-- |
| 1 file changed, 25 insertions(+), 2 deletions(-) |
| |
| --- a/arch/x86/kernel/cpu/bugs.c |
| +++ b/arch/x86/kernel/cpu/bugs.c |
| @@ -609,12 +609,27 @@ static inline const char *spectre_v2_mod |
| |
| #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n" |
| #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" |
| +#define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n" |
| |
| #ifdef CONFIG_BPF_SYSCALL |
| void unpriv_ebpf_notify(int new_state) |
| { |
| - if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state) |
| + if (new_state) |
| + return; |
| + |
| + /* Unprivileged eBPF is enabled */ |
| + |
| + switch (spectre_v2_enabled) { |
| + case SPECTRE_V2_EIBRS: |
| pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); |
| + break; |
| + case SPECTRE_V2_EIBRS_LFENCE: |
| + if (sched_smt_active()) |
| + pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); |
| + break; |
| + default: |
| + break; |
| + } |
| } |
| #endif |
| |
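Review bot: The new SPECTRE_V2_EIBRS_LFENCE branch in unpriv_ebpf_notify() logs with pr_err() on every sysctl flip, while the identical message is logged with pr_warn_once() in arch_smt_update(), so the dmesg severity of one condition depends on which knob the admin touched last; using one level at both sites (e.g. `pr_warn(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);` here, matching the "WARNING:" text of the message) keeps log filtering predictable. sched_smt_active() is read here without spec_ctrl_mutex, which arch_smt_update() holds, so a concurrent SMT toggle can race this check — harmless for a diagnostic, but worth recording with `/* racy vs. arch_smt_update(); only affects whether we warn */`. The meaning of new_state is only implied by the existing comment; `/* new_state != 0: unprivileged eBPF is being disabled, nothing to warn about */` above the early return would make it explicit.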
| @@ -1074,6 +1089,10 @@ void arch_smt_update(void) |
| { |
| mutex_lock(&spec_ctrl_mutex); |
| |
| + if (sched_smt_active() && unprivileged_ebpf_enabled() && |
| + spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) |
| + pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); |
| + |
| switch (spectre_v2_user_stibp) { |
| case SPECTRE_V2_USER_NONE: |
| break; |
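Review bot: The pr_warn_once() at the top of arch_smt_update() fires only for the first SMT-enable seen with unprivileged eBPF on; if SMT is later disabled and re-enabled with eBPF still enabled, the condition returns but nothing is logged from this path, and the sysfs "Vulnerable:" string becomes the only signal. That is defensible for a once-per-boot warning, but it is asymmetric with unpriv_ebpf_notify(), which re-logs on every eBPF flip, so a short comment `/* once per boot; unpriv_ebpf_notify() covers later eBPF toggles */` would record that the asymmetry is intentional. unprivileged_ebpf_enabled() is read under spec_ctrl_mutex, which the BPF sysctl path presumably does not hold, so the two warning sites can disagree transiently; acceptable for a diagnostic, not for anything that gates behaviour. arch_smt_update()'s body continues past this hunk.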
| @@ -1700,7 +1719,11 @@ static ssize_t spectre_v2_show_state(cha |
| return sprintf(buf, "Vulnerable: LFENCE\n"); |
| |
| if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) |
| - return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n"); |
| + return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n"); |
| + |
| + if (sched_smt_active() && unprivileged_ebpf_enabled() && |
| + spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) |
| + return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n"); |
| |
| return sprintf(buf, "%s%s%s%s%s%s\n", |
| spectre_v2_strings[spectre_v2_enabled], |
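Review bot: The rewording at the first changed return — "Vulnerable: Unprivileged eBPF enabled" becoming "Vulnerable: eIBRS with unprivileged eBPF" — changes a value that spectre_v2_show_state() presumably exposes through the spectre_v2 vulnerabilities sysfs file, so any monitoring or compliance tooling that matched the old text silently stops matching; the commit message does not call this out, and a sentence such as `Note: the sysfs string for the eIBRS + unprivileged eBPF case is reworded.` would warn backporters and tool authors. The new SMT check reads sched_smt_active() without spec_ctrl_mutex, so a read concurrent with an SMT toggle can briefly report the pre-toggle state; that is fine for a status file, but a one-line comment saying so avoids a later "fix". spectre_v2_show_state() starts before this hunk.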