author     Konstantin Belousov <kib@FreeBSD.org>    2020-05-28 16:34:53 +0000
committer  Konstantin Belousov <kib@FreeBSD.org>    2020-05-28 16:34:53 +0000
commit     d7f80c63beaa6af3efd1e8c3d13493d972ad2b7a (patch)
tree       7b235521465ed05a334364389584e53b1fb4a0c6
parent     064f6f33e7eacb07dfdb3f65be459e7612f7e8c8 (diff)
MFC r361299, r361302:
MFstable/11 r361558, r361302:

Do not consider CAP_RDCL_NO as an indicator for all MDS vulnerabilities
handled by hardware.

amd64: Add a knob to flush RSB on context switches if machine has SMEP.

Approved by:	re (gjb)
Notes:
    svn path=/releng/11.4/; revision=361588
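For context, the change exposes the knob both as a boot-time tunable (fetched
manually in initcpu.c, since the sysctl is declared CTLFLAG_NOFETCH) and as a
read-write sysctl declared in cpu_machdep.c. The sketch below is not part of
the commit; it only illustrates how a userland program might query and enable
the sysctl through sysctlbyname(3), using the MIB name
"machdep.mitigations.flush_rsb_ctxsw" taken from the SYSCTL_INT() declaration
in the diff.

/*
 * Illustrative sketch (not from the commit): read and then enable the
 * RSB-flush-on-context-switch mitigation knob via sysctl(3).
 */
#include <sys/types.h>
#include <sys/sysctl.h>

#include <err.h>
#include <stdio.h>

int
main(void)
{
	int cur, on = 1;
	size_t len = sizeof(cur);

	/* Read the current state of the knob. */
	if (sysctlbyname("machdep.mitigations.flush_rsb_ctxsw",
	    &cur, &len, NULL, 0) != 0)
		err(1, "sysctlbyname(read)");
	printf("flush_rsb_ctxsw is currently %d\n", cur);

	/* Turn it on; needs root, and the sysctl is CTLFLAG_RW. */
	if (sysctlbyname("machdep.mitigations.flush_rsb_ctxsw",
	    NULL, NULL, &on, sizeof(on)) != 0)
		err(1, "sysctlbyname(write)");
	return (0);
}

The same toggle can be made from the command line with sysctl(8), or set at
boot via the tunable name fetched in initcpu.c below; as the initcpu.c hunk
shows, the kernel also turns the knob on automatically when SMEP is present,
IBRS is disabled, and the tunable was not set explicitly.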
-rw-r--r--  sys/amd64/amd64/cpu_switch.S |  2
-rw-r--r--  sys/amd64/amd64/initcpu.c    | 18
-rw-r--r--  sys/amd64/amd64/support.S    | 21
-rw-r--r--  sys/i386/i386/support.s      | 24
-rw-r--r--  sys/x86/include/x86_var.h    |  1
-rw-r--r--  sys/x86/x86/cpu_machdep.c    | 10
6 files changed, 61 insertions(+), 15 deletions(-)
diff --git a/sys/amd64/amd64/cpu_switch.S b/sys/amd64/amd64/cpu_switch.S
index 2c78c3bcac4b..fa9d0fc34ee6 100644
--- a/sys/amd64/amd64/cpu_switch.S
+++ b/sys/amd64/amd64/cpu_switch.S
@@ -235,6 +235,8 @@ done_load_dr:
movq %rax,(%rsp)
movq PCPU(CURTHREAD),%rdi
call fpu_activate_sw
+ cmpb $0,cpu_flush_rsb_ctxsw(%rip)
+ jne rsb_flush
ret
/*
diff --git a/sys/amd64/amd64/initcpu.c b/sys/amd64/amd64/initcpu.c
index ded5ecb78cd0..3c104b3f82e4 100644
--- a/sys/amd64/amd64/initcpu.c
+++ b/sys/amd64/amd64/initcpu.c
@@ -232,13 +232,27 @@ initializecpu(void)
cr4 |= CR4_FSGSBASE;
/*
+ * If SMEP is present, we only need to flush RSB (by default)
+ * on context switches, to prevent cross-process ret2spec
+ * attacks. Do it automatically if ibrs_disable is set, to
+ * complete the mitigation.
+ *
* Postpone enabling the SMEP on the boot CPU until the page
* tables are switched from the boot loader identity mapping
* to the kernel tables. The boot loader enables the U bit in
* its tables.
*/
- if (!IS_BSP() && (cpu_stdext_feature & CPUID_STDEXT_SMEP))
- cr4 |= CR4_SMEP;
+ if (IS_BSP()) {
+ if (cpu_stdext_feature & CPUID_STDEXT_SMEP &&
+ !TUNABLE_INT_FETCH(
+ "machdep.mitigations.cpu_flush_rsb_ctxsw",
+ &cpu_flush_rsb_ctxsw) &&
+ hw_ibrs_disable)
+ cpu_flush_rsb_ctxsw = 1;
+ } else {
+ if (cpu_stdext_feature & CPUID_STDEXT_SMEP)
+ cr4 |= CR4_SMEP;
+ }
load_cr4(cr4);
if ((amd_feature & AMDID_NX) != 0) {
msr = rdmsr(MSR_EFER) | EFER_NXE;
diff --git a/sys/amd64/amd64/support.S b/sys/amd64/amd64/support.S
index d8c7e6e2fe9b..ed2baeacf4bc 100644
--- a/sys/amd64/amd64/support.S
+++ b/sys/amd64/amd64/support.S
@@ -832,23 +832,27 @@ ENTRY(pmap_pti_pcid_invlrng)
retq
.altmacro
- .macro ibrs_seq_label l
-handle_ibrs_\l:
+ .macro rsb_seq_label l
+rsb_seq_\l:
.endm
- .macro ibrs_call_label l
- call handle_ibrs_\l
+ .macro rsb_call_label l
+ call rsb_seq_\l
.endm
- .macro ibrs_seq count
+ .macro rsb_seq count
ll=1
.rept \count
- ibrs_call_label %(ll)
+ rsb_call_label %(ll)
nop
- ibrs_seq_label %(ll)
+ rsb_seq_label %(ll)
addq $8,%rsp
ll=ll+1
.endr
.endm
+ENTRY(rsb_flush)
+ rsb_seq 32
+ ret
+
/* all callers already saved %rax, %rdx, and %rcx */
ENTRY(handle_ibrs_entry)
cmpb $0,hw_ibrs_ibpb_active(%rip)
@@ -860,8 +864,7 @@ ENTRY(handle_ibrs_entry)
wrmsr
movb $1,PCPU(IBPB_SET)
testl $CPUID_STDEXT_SMEP,cpu_stdext_feature(%rip)
- jne 1f
- ibrs_seq 32
+ je rsb_flush
1: ret
END(handle_ibrs_entry)
diff --git a/sys/i386/i386/support.s b/sys/i386/i386/support.s
index 8fbb2aa3951f..848539f0a3b8 100644
--- a/sys/i386/i386/support.s
+++ b/sys/i386/i386/support.s
@@ -819,8 +819,30 @@ msr_onfault:
movl $EFAULT,%eax
ret
-ENTRY(handle_ibrs_entry)
+ .altmacro
+ .macro rsb_seq_label l
+rsb_seq_\l:
+ .endm
+ .macro rsb_call_label l
+ call rsb_seq_\l
+ .endm
+ .macro rsb_seq count
+ ll=1
+ .rept \count
+ rsb_call_label %(ll)
+ nop
+ rsb_seq_label %(ll)
+ addl $4,%esp
+ ll=ll+1
+ .endr
+ .endm
+
+ENTRY(rsb_flush)
+ rsb_seq 32
ret
+
+ENTRY(handle_ibrs_entry)
+ jmp rsb_flush
END(handle_ibrs_entry)
ENTRY(handle_ibrs_exit)
diff --git a/sys/x86/include/x86_var.h b/sys/x86/include/x86_var.h
index 9fc1e886b54e..81adba1c0de9 100644
--- a/sys/x86/include/x86_var.h
+++ b/sys/x86/include/x86_var.h
@@ -86,6 +86,7 @@ extern int hw_ibrs_ibpb_active;
extern int hw_mds_disable;
extern int hw_ssb_active;
extern int x86_taa_enable;
+extern int cpu_flush_rsb_ctxsw;
struct pcb;
struct thread;
diff --git a/sys/x86/x86/cpu_machdep.c b/sys/x86/x86/cpu_machdep.c
index 50211bca9757..23586eae9fe6 100644
--- a/sys/x86/x86/cpu_machdep.c
+++ b/sys/x86/x86/cpu_machdep.c
@@ -1049,11 +1049,11 @@ hw_mds_recalculate(void)
* reported. For instance, hypervisor might unknowingly
* filter the cap out.
* For the similar reasons, and for testing, allow to enable
- * mitigation even for RDCL_NO or MDS_NO caps.
+ * mitigation even when MDS_NO cap is set.
*/
if (cpu_vendor_id != CPU_VENDOR_INTEL || hw_mds_disable == 0 ||
- ((cpu_ia32_arch_caps & (IA32_ARCH_CAP_RDCL_NO |
- IA32_ARCH_CAP_MDS_NO)) != 0 && hw_mds_disable == 3)) {
+ ((cpu_ia32_arch_caps & IA32_ARCH_CAP_MDS_NO) != 0 &&
+ hw_mds_disable == 3)) {
mds_handler = mds_handler_void;
} else if (((cpu_stdext_feature3 & CPUID_STDEXT3_MD_CLEAR) != 0 &&
hw_mds_disable == 3) || hw_mds_disable == 1) {
@@ -1360,3 +1360,7 @@ SYSCTL_PROC(_machdep_mitigations_taa, OID_AUTO, state,
sysctl_taa_state_handler, "A",
"TAA Mitigation state");
+int __read_frequently cpu_flush_rsb_ctxsw;
+SYSCTL_INT(_machdep_mitigations, OID_AUTO, flush_rsb_ctxsw,
+ CTLFLAG_RW | CTLFLAG_NOFETCH, &cpu_flush_rsb_ctxsw, 0,
+ "Flush Return Stack Buffer on context switch");