git.baikalelectronics.ru Git - kernel.git/commit

author	Peter Zijlstra <peterz@infradead.org>
	Tue, 14 Jun 2022 21:16:02 +0000 (23:16 +0200)
committer	Borislav Petkov <bp@suse.de>
	Mon, 27 Jun 2022 08:34:00 +0000 (10:34 +0200)
commit	6bbb56b56b4e3b68695f091e006126e52f32affb
tree	1e91294a6b76f0d2fe842e035bbd588fd63d75cd	tree \| snapshot
parent	589628e00cd231e265f00027ace09379bb3b9524	commit \| diff

x86/bugs: Add retbleed=ibpb

jmp2ret mitigates the easy-to-attack case at relatively low overhead.
It mitigates the long speculation windows after a mispredicted RET, but
it does not mitigate the short speculation window from arbitrary
instruction boundaries.

On Zen2, there is a chicken bit which needs setting, which mitigates
"arbitrary instruction boundaries" down to just "basic block boundaries".

But there is no fix for the short speculation window on basic block
boundaries, other than to flush the entire BTB to evict all attacker
predictions.

On the spectrum of "fast & blurry" -> "safe", there is (on top of STIBP
or no-SMT):

  1) Nothing System wide open
  2) jmp2ret May stop a script kiddy
  3) jmp2ret+chickenbit  Raises the bar rather further
  4) IBPB Only thing which can count as "safe".

Tentative numbers put IBPB-on-entry at a 2.5x hit on Zen2, and a 10x hit
on Zen1 according to lmbench.

  [ bp: Fixup feature bit comments, document option, 32-bit build fix. ]

Suggested-by: Andrew Cooper <Andrew.Cooper3@citrix.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Borislav Petkov <bp@suse.de>

Documentation/admin-guide/kernel-parameters.txt		diff \| blob \| history
arch/x86/entry/Makefile		diff \| blob \| history
arch/x86/entry/entry.S	[new file with mode: 0644]	blob
arch/x86/include/asm/cpufeatures.h		diff \| blob \| history
arch/x86/include/asm/nospec-branch.h		diff \| blob \| history
arch/x86/kernel/cpu/bugs.c		diff \| blob \| history