add fixes for downfall
1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
3 Date: Wed, 12 Jul 2023 19:43:11 -0700
4 Subject: [PATCH] x86/speculation: Add Gather Data Sampling mitigation
5
6 Gather Data Sampling (GDS) is a hardware vulnerability which allows
7 unprivileged speculative access to data which was previously stored in
8 vector registers.
9
10 Intel processors that support AVX2 and AVX512 have gather instructions
11 that fetch non-contiguous data elements from memory. On vulnerable
12 hardware, when a gather instruction is transiently executed and
13 encounters a fault, stale data from architectural or internal vector
14 registers may get transiently stored to the destination vector
15 register allowing an attacker to infer the stale data using typical
16 side channel techniques like cache timing attacks.
17
18 This mitigation is different from many earlier ones for two reasons.
19 First, it is enabled by default and a bit must be set to *DISABLE* it.
20 This is the opposite of normal mitigation polarity. This means GDS can
21 be mitigated simply by updating microcode and leaving the new control
22 bit alone.
23
24 Second, GDS has a "lock" bit. This lock bit is there because the
25 mitigation affects the hardware security features KeyLocker and SGX.
26 It needs to be enabled and *STAY* enabled for these features to be
27 mitigated against GDS.
28
29 The mitigation is enabled in the microcode by default. Disable it by
30 setting gather_data_sampling=off or by disabling all mitigations with
31 mitigations=off. The mitigation status can be checked by reading:
32
33 /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
34
35 Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
36 Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
37 Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
38
39 (cherry picked from commit 8974eb588283b7d44a7c91fa09fcbaf380339f3a)
40 CVE-2022-40982
41 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
42 Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
43 Acked-by: Stefan Bader <stefan.bader@canonical.com>
44 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
45 (cherry picked from commit a82fd9ff16b574fc42677c7b5f9e05b2f965d709)
46 Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
47 ---
48 .../ABI/testing/sysfs-devices-system-cpu | 13 +-
49 .../hw-vuln/gather_data_sampling.rst | 99 ++++++++++++++
50 Documentation/admin-guide/hw-vuln/index.rst | 1 +
51 .../admin-guide/kernel-parameters.txt | 41 ++++--
52 arch/x86/include/asm/cpufeatures.h | 1 +
53 arch/x86/include/asm/msr-index.h | 11 ++
54 arch/x86/kernel/cpu/bugs.c | 129 ++++++++++++++++++
55 arch/x86/kernel/cpu/common.c | 34 +++--
56 arch/x86/kernel/cpu/cpu.h | 1 +
57 drivers/base/cpu.c | 8 ++
58 10 files changed, 310 insertions(+), 28 deletions(-)
59 create mode 100644 Documentation/admin-guide/hw-vuln/gather_data_sampling.rst
60
61 diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
62 index f54867cadb0f..13c01b641dc7 100644
63 --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
64 +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
65 @@ -513,17 +513,18 @@ Description: information about CPUs heterogeneity.
66 cpu_capacity: capacity of cpuX.
67
68 What: /sys/devices/system/cpu/vulnerabilities
69 + /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
70 + /sys/devices/system/cpu/vulnerabilities/itlb_multihit
71 + /sys/devices/system/cpu/vulnerabilities/l1tf
72 + /sys/devices/system/cpu/vulnerabilities/mds
73 /sys/devices/system/cpu/vulnerabilities/meltdown
74 + /sys/devices/system/cpu/vulnerabilities/mmio_stale_data
75 + /sys/devices/system/cpu/vulnerabilities/retbleed
76 + /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
77 /sys/devices/system/cpu/vulnerabilities/spectre_v1
78 /sys/devices/system/cpu/vulnerabilities/spectre_v2
79 - /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
80 - /sys/devices/system/cpu/vulnerabilities/l1tf
81 - /sys/devices/system/cpu/vulnerabilities/mds
82 /sys/devices/system/cpu/vulnerabilities/srbds
83 /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
84 - /sys/devices/system/cpu/vulnerabilities/itlb_multihit
85 - /sys/devices/system/cpu/vulnerabilities/mmio_stale_data
86 - /sys/devices/system/cpu/vulnerabilities/retbleed
87 Date: January 2018
88 Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
89 Description: Information about CPU vulnerabilities
90 diff --git a/Documentation/admin-guide/hw-vuln/gather_data_sampling.rst b/Documentation/admin-guide/hw-vuln/gather_data_sampling.rst
91 new file mode 100644
92 index 000000000000..74dab6af7fe1
93 --- /dev/null
94 +++ b/Documentation/admin-guide/hw-vuln/gather_data_sampling.rst
95 @@ -0,0 +1,99 @@
96 +.. SPDX-License-Identifier: GPL-2.0
97 +
98 +GDS - Gather Data Sampling
99 +==========================
100 +
101 +Gather Data Sampling is a hardware vulnerability which allows unprivileged
102 +speculative access to data which was previously stored in vector registers.
103 +
104 +Problem
105 +-------
106 +When a gather instruction performs loads from memory, different data elements
107 +are merged into the destination vector register. However, when a gather
108 +instruction that is transiently executed encounters a fault, stale data from
109 +architectural or internal vector registers may get transiently forwarded to the
110 +destination vector register instead. This will allow a malicious attacker to
111 +infer stale data using typical side channel techniques like cache timing
112 +attacks. GDS is a purely sampling-based attack.
113 +
114 +The attacker uses gather instructions to infer the stale vector register data.
115 +The victim does not need to do anything special other than use the vector
116 +registers. The victim does not need to use gather instructions to be
117 +vulnerable.
118 +
119 +Because the buffers are shared between Hyper-Threads cross Hyper-Thread attacks
120 +are possible.
121 +
122 +Attack scenarios
123 +----------------
124 +Without mitigation, GDS can infer stale data across virtually all
125 +permission boundaries:
126 +
127 + Non-enclaves can infer SGX enclave data
128 + Userspace can infer kernel data
129 + Guests can infer data from hosts
130 + Guest can infer guest from other guests
131 + Users can infer data from other users
132 +
133 +Because of this, it is important to ensure that the mitigation stays enabled in
134 +lower-privilege contexts like guests and when running outside SGX enclaves.
135 +
136 +The hardware enforces the mitigation for SGX. Likewise, VMMs should ensure
137 +that guests are not allowed to disable the GDS mitigation. If a host erred and
138 +allowed this, a guest could theoretically disable GDS mitigation, mount an
139 +attack, and re-enable it.
140 +
141 +Mitigation mechanism
142 +--------------------
143 +This issue is mitigated in microcode. The microcode defines the following new
144 +bits:
145 +
146 + ================================ === ============================
147 + IA32_ARCH_CAPABILITIES[GDS_CTRL] R/O Enumerates GDS vulnerability
148 + and mitigation support.
149 + IA32_ARCH_CAPABILITIES[GDS_NO] R/O Processor is not vulnerable.
150 + IA32_MCU_OPT_CTRL[GDS_MITG_DIS] R/W Disables the mitigation
151 + 0 by default.
152 + IA32_MCU_OPT_CTRL[GDS_MITG_LOCK] R/W Locks GDS_MITG_DIS=0. Writes
153 + to GDS_MITG_DIS are ignored
154 + Can't be cleared once set.
155 + ================================ === ============================
156 +
157 +GDS can also be mitigated on systems that don't have updated microcode by
158 +disabling AVX. This can be done by setting "clearcpuid=avx" on the kernel
159 +command-line.
160 +
161 +Mitigation control on the kernel command line
162 +---------------------------------------------
163 +The mitigation can be disabled by setting "gather_data_sampling=off" or
164 +"mitigations=off" on the kernel command line. Not specifying either will
165 +default to the mitigation being enabled.
166 +
167 +GDS System Information
168 +------------------------
169 +The kernel provides vulnerability status information through sysfs. For
170 +GDS this can be accessed by the following sysfs file:
171 +
172 +/sys/devices/system/cpu/vulnerabilities/gather_data_sampling
173 +
174 +The possible values contained in this file are:
175 +
176 + ============================== =============================================
177 + Not affected Processor not vulnerable.
178 + Vulnerable Processor vulnerable and mitigation disabled.
179 + Vulnerable: No microcode Processor vulnerable and microcode is missing
180 + mitigation.
181 + Mitigation: Microcode Processor is vulnerable and mitigation is in
182 + effect.
183 + Mitigation: Microcode (locked) Processor is vulnerable and mitigation is in
184 + effect and cannot be disabled.
185 + Unknown: Dependent on
186 + hypervisor status Running on a virtual guest processor that is
187 + affected but with no way to know if host
188 + processor is mitigated or vulnerable.
189 + ============================== =============================================
190 +
191 +GDS Default mitigation
192 +----------------------
193 +The updated microcode will enable the mitigation by default. The kernel's
194 +default action is to leave the mitigation enabled.
195 diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst
196 index e0614760a99e..436fac0bd9c3 100644
197 --- a/Documentation/admin-guide/hw-vuln/index.rst
198 +++ b/Documentation/admin-guide/hw-vuln/index.rst
199 @@ -19,3 +19,4 @@ are configurable at compile, boot or run time.
200 l1d_flush.rst
201 processor_mmio_stale_data.rst
202 cross-thread-rsb.rst
203 + gather_data_sampling.rst
204 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
205 index c0d8867359bc..380e1e46ffa1 100644
206 --- a/Documentation/admin-guide/kernel-parameters.txt
207 +++ b/Documentation/admin-guide/kernel-parameters.txt
208 @@ -1610,6 +1610,20 @@
209 Format: off | on
210 default: on
211
212 + gather_data_sampling=
213 + [X86,INTEL] Control the Gather Data Sampling (GDS)
214 + mitigation.
215 +
216 + Gather Data Sampling is a hardware vulnerability which
217 + allows unprivileged speculative access to data which was
218 + previously stored in vector registers.
219 +
220 + This issue is mitigated by default in updated microcode.
221 + The mitigation may have a performance impact but can be
222 + disabled.
223 +
224 + off: Disable GDS mitigation.
225 +
226 gcov_persist= [GCOV] When non-zero (default), profiling data for
227 kernel modules is saved and remains accessible via
228 debugfs, even when the module is unloaded/reloaded.
229 @@ -3245,24 +3259,25 @@
230 Disable all optional CPU mitigations. This
231 improves system performance, but it may also
232 expose users to several CPU vulnerabilities.
233 - Equivalent to: nopti [X86,PPC]
234 - if nokaslr then kpti=0 [ARM64]
235 - nospectre_v1 [X86,PPC]
236 - nobp=0 [S390]
237 - nospectre_v2 [X86,PPC,S390,ARM64]
238 - spectre_v2_user=off [X86]
239 - spec_store_bypass_disable=off [X86,PPC]
240 - ssbd=force-off [ARM64]
241 - nospectre_bhb [ARM64]
242 + Equivalent to: if nokaslr then kpti=0 [ARM64]
243 + gather_data_sampling=off [X86]
244 + kvm.nx_huge_pages=off [X86]
245 l1tf=off [X86]
246 mds=off [X86]
247 - tsx_async_abort=off [X86]
248 - kvm.nx_huge_pages=off [X86]
249 - srbds=off [X86,INTEL]
250 + mmio_stale_data=off [X86]
251 no_entry_flush [PPC]
252 no_uaccess_flush [PPC]
253 - mmio_stale_data=off [X86]
254 + nobp=0 [S390]
255 + nopti [X86,PPC]
256 + nospectre_bhb [ARM64]
257 + nospectre_v1 [X86,PPC]
258 + nospectre_v2 [X86,PPC,S390,ARM64]
259 retbleed=off [X86]
260 + spec_store_bypass_disable=off [X86,PPC]
261 + spectre_v2_user=off [X86]
262 + srbds=off [X86,INTEL]
263 + ssbd=force-off [ARM64]
264 + tsx_async_abort=off [X86]
265
266 Exceptions:
267 This does not have any effect on
268 diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
269 index 8f39c46197b8..93f232eb9786 100644
270 --- a/arch/x86/include/asm/cpufeatures.h
271 +++ b/arch/x86/include/asm/cpufeatures.h
272 @@ -467,5 +467,6 @@
273 #define X86_BUG_RETBLEED X86_BUG(27) /* CPU is affected by RETBleed */
274 #define X86_BUG_EIBRS_PBRSB X86_BUG(28) /* EIBRS is vulnerable to Post Barrier RSB Predictions */
275 #define X86_BUG_SMT_RSB X86_BUG(29) /* CPU is vulnerable to Cross-Thread Return Address Predictions */
276 +#define X86_BUG_GDS X86_BUG(30) /* CPU is affected by Gather Data Sampling */
277
278 #endif /* _ASM_X86_CPUFEATURES_H */
279 diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
280 index 52a09dbc2c26..b030a03ca8d6 100644
281 --- a/arch/x86/include/asm/msr-index.h
282 +++ b/arch/x86/include/asm/msr-index.h
283 @@ -153,6 +153,15 @@
284 * Not susceptible to Post-Barrier
285 * Return Stack Buffer Predictions.
286 */
287 +#define ARCH_CAP_GDS_CTRL BIT(25) /*
288 + * CPU is vulnerable to Gather
289 + * Data Sampling (GDS) and
290 + * has controls for mitigation.
291 + */
292 +#define ARCH_CAP_GDS_NO BIT(26) /*
293 + * CPU is not vulnerable to Gather
294 + * Data Sampling (GDS).
295 + */
296
297 #define ARCH_CAP_XAPIC_DISABLE BIT(21) /*
298 * IA32_XAPIC_DISABLE_STATUS MSR
299 @@ -176,6 +185,8 @@
300 #define RNGDS_MITG_DIS BIT(0) /* SRBDS support */
301 #define RTM_ALLOW BIT(1) /* TSX development mode */
302 #define FB_CLEAR_DIS BIT(3) /* CPU Fill buffer clear disable */
303 +#define GDS_MITG_DIS BIT(4) /* Disable GDS mitigation */
304 +#define GDS_MITG_LOCKED BIT(5) /* GDS mitigation locked */
305
306 #define MSR_IA32_SYSENTER_CS 0x00000174
307 #define MSR_IA32_SYSENTER_ESP 0x00000175
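Review bot: The lock bit is defined here as `GDS_MITG_LOCKED`, but the table added by this same patch in gather_data_sampling.rst names it `IA32_MCU_OPT_CTRL[GDS_MITG_LOCK]`. Someone searching the tree for the documented bit name will not find the define. Either align the two names or make the link explicit in the comment, e.g. `/* GDS mitigation locked (GDS_MITG_LOCK in the hw-vuln doc) */`.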
308 diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
309 index edb670b77294..a1c1c8e4995c 100644
310 --- a/arch/x86/kernel/cpu/bugs.c
311 +++ b/arch/x86/kernel/cpu/bugs.c
312 @@ -46,6 +46,7 @@ static void __init taa_select_mitigation(void);
313 static void __init mmio_select_mitigation(void);
314 static void __init srbds_select_mitigation(void);
315 static void __init l1d_flush_select_mitigation(void);
316 +static void __init gds_select_mitigation(void);
317
318 /* The base value of the SPEC_CTRL MSR without task-specific bits set */
319 u64 x86_spec_ctrl_base;
320 @@ -159,6 +160,7 @@ void __init cpu_select_mitigations(void)
321 md_clear_select_mitigation();
322 srbds_select_mitigation();
323 l1d_flush_select_mitigation();
324 + gds_select_mitigation();
325 }
326
327 /*
328 @@ -644,6 +646,120 @@ static int __init l1d_flush_parse_cmdline(char *str)
329 }
330 early_param("l1d_flush", l1d_flush_parse_cmdline);
331
332 +#undef pr_fmt
333 +#define pr_fmt(fmt) "GDS: " fmt
334 +
335 +enum gds_mitigations {
336 + GDS_MITIGATION_OFF,
337 + GDS_MITIGATION_UCODE_NEEDED,
338 + GDS_MITIGATION_FULL,
339 + GDS_MITIGATION_FULL_LOCKED,
340 + GDS_MITIGATION_HYPERVISOR,
341 +};
342 +
343 +static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
344 +
345 +static const char * const gds_strings[] = {
346 + [GDS_MITIGATION_OFF] = "Vulnerable",
347 + [GDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
348 + [GDS_MITIGATION_FULL] = "Mitigation: Microcode",
349 + [GDS_MITIGATION_FULL_LOCKED] = "Mitigation: Microcode (locked)",
350 + [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
351 +};
352 +
353 +void update_gds_msr(void)
354 +{
355 + u64 mcu_ctrl_after;
356 + u64 mcu_ctrl;
357 +
358 + switch (gds_mitigation) {
359 + case GDS_MITIGATION_OFF:
360 + rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
361 + mcu_ctrl |= GDS_MITG_DIS;
362 + break;
363 + case GDS_MITIGATION_FULL_LOCKED:
364 + /*
365 + * The LOCKED state comes from the boot CPU. APs might not have
366 + * the same state. Make sure the mitigation is enabled on all
367 + * CPUs.
368 + */
369 + case GDS_MITIGATION_FULL:
370 + rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
371 + mcu_ctrl &= ~GDS_MITG_DIS;
372 + break;
373 + case GDS_MITIGATION_UCODE_NEEDED:
374 + case GDS_MITIGATION_HYPERVISOR:
375 + return;
376 + };
377 +
378 + wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
379 +
380 + /*
381 + * Check to make sure that the WRMSR value was not ignored. Writes to
382 + * GDS_MITG_DIS will be ignored if this processor is locked but the boot
383 + * processor was not.
384 + */
385 + rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl_after);
386 + WARN_ON_ONCE(mcu_ctrl != mcu_ctrl_after);
387 +}
388 +
389 +static void __init gds_select_mitigation(void)
390 +{
391 + u64 mcu_ctrl;
392 +
393 + if (!boot_cpu_has_bug(X86_BUG_GDS))
394 + return;
395 +
396 + if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
397 + gds_mitigation = GDS_MITIGATION_HYPERVISOR;
398 + goto out;
399 + }
400 +
401 + if (cpu_mitigations_off())
402 + gds_mitigation = GDS_MITIGATION_OFF;
403 + /* Will verify below that mitigation _can_ be disabled */
404 +
405 + /* No microcode */
406 + if (!(x86_read_arch_cap_msr() & ARCH_CAP_GDS_CTRL)) {
407 + gds_mitigation = GDS_MITIGATION_UCODE_NEEDED;
408 + goto out;
409 + }
410 +
411 + rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
412 + if (mcu_ctrl & GDS_MITG_LOCKED) {
413 + if (gds_mitigation == GDS_MITIGATION_OFF)
414 + pr_warn("Mitigation locked. Disable failed.\n");
415 +
416 + /*
417 + * The mitigation is selected from the boot CPU. All other CPUs
418 + * _should_ have the same state. If the boot CPU isn't locked
419 + * but others are then update_gds_msr() will WARN() of the state
420 + * mismatch. If the boot CPU is locked update_gds_msr() will
421 + * ensure the other CPUs have the mitigation enabled.
422 + */
423 + gds_mitigation = GDS_MITIGATION_FULL_LOCKED;
424 + }
425 +
426 + update_gds_msr();
427 +out:
428 + pr_info("%s\n", gds_strings[gds_mitigation]);
429 +}
430 +
431 +static int __init gds_parse_cmdline(char *str)
432 +{
433 + if (!str)
434 + return -EINVAL;
435 +
436 + if (!boot_cpu_has_bug(X86_BUG_GDS))
437 + return 0;
438 +
439 + if (!strcmp(str, "off"))
440 + gds_mitigation = GDS_MITIGATION_OFF;
441 +
442 + return 0;
443 +}
444 +early_param("gather_data_sampling", gds_parse_cmdline);
445 +
446 #undef pr_fmt
447 #define pr_fmt(fmt) "Spectre V1 : " fmt
448
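Review bot: The readback check at the end of `update_gds_msr()` uses `WARN_ON_ONCE`, so only the first CPU whose write to MSR_IA32_MCU_OPT_CTRL was ignored is reported, and the warning does not identify that CPU. The sysfs file meanwhile keeps printing the boot CPU's selection from `gds_strings[gds_mitigation]`. Per the comment in the hunk, the mismatch is in the safe direction (a locked AP stays mitigated), but an operator reading "Vulnerable" has no hint that some CPUs differ. A comment above the check would help, e.g. `/* sysfs reports the boot CPU's selection; an AP mismatch is only visible through this one-time warning */`. Separately, the switch in `update_gds_msr()` closes with `};`, and the stray semicolon should be dropped.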
449 @@ -2385,6 +2501,11 @@ static ssize_t retbleed_show_state(char *buf)
450 return sysfs_emit(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
451 }
452
453 +static ssize_t gds_show_state(char *buf)
454 +{
455 + return sysfs_emit(buf, "%s\n", gds_strings[gds_mitigation]);
456 +}
457 +
458 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
459 char *buf, unsigned int bug)
460 {
461 @@ -2434,6 +2555,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
462 case X86_BUG_RETBLEED:
463 return retbleed_show_state(buf);
464
465 + case X86_BUG_GDS:
466 + return gds_show_state(buf);
467 +
468 default:
469 break;
470 }
471 @@ -2498,4 +2622,9 @@ ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, cha
472 {
473 return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
474 }
475 +
476 +ssize_t cpu_show_gds(struct device *dev, struct device_attribute *attr, char *buf)
477 +{
478 + return cpu_show_common(dev, attr, buf, X86_BUG_GDS);
479 +}
480 #endif
481 diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
482 index 9b53d1cb424d..d950fb5ac0b4 100644
483 --- a/arch/x86/kernel/cpu/common.c
484 +++ b/arch/x86/kernel/cpu/common.c
485 @@ -1262,6 +1262,8 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
486 #define RETBLEED BIT(3)
487 /* CPU is affected by SMT (cross-thread) return predictions */
488 #define SMT_RSB BIT(4)
489 +/* CPU is affected by GDS */
490 +#define GDS BIT(5)
491
492 static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
493 VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS),
494 @@ -1274,19 +1276,21 @@ static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
495 VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO),
496 VULNBL_INTEL_STEPPINGS(BROADWELL, X86_STEPPING_ANY, SRBDS),
497 VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
498 - VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED),
499 + VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED | GDS),
500 VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
501 - VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
502 - VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),
503 + VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED | GDS),
504 + VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED | GDS),
505 VULNBL_INTEL_STEPPINGS(CANNONLAKE_L, X86_STEPPING_ANY, RETBLEED),
506 - VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),
507 - VULNBL_INTEL_STEPPINGS(ICELAKE_D, X86_STEPPING_ANY, MMIO),
508 - VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPING_ANY, MMIO),
509 - VULNBL_INTEL_STEPPINGS(COMETLAKE, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),
510 + VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED | GDS),
511 + VULNBL_INTEL_STEPPINGS(ICELAKE_D, X86_STEPPING_ANY, MMIO | GDS),
512 + VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPING_ANY, MMIO | GDS),
513 + VULNBL_INTEL_STEPPINGS(COMETLAKE, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED | GDS),
514 VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPINGS(0x0, 0x0), MMIO | RETBLEED),
515 - VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),
516 + VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED | GDS),
517 + VULNBL_INTEL_STEPPINGS(TIGERLAKE_L, X86_STEPPING_ANY, GDS),
518 + VULNBL_INTEL_STEPPINGS(TIGERLAKE, X86_STEPPING_ANY, GDS),
519 VULNBL_INTEL_STEPPINGS(LAKEFIELD, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),
520 - VULNBL_INTEL_STEPPINGS(ROCKETLAKE, X86_STEPPING_ANY, MMIO | RETBLEED),
521 + VULNBL_INTEL_STEPPINGS(ROCKETLAKE, X86_STEPPING_ANY, MMIO | RETBLEED | GDS),
522 VULNBL_INTEL_STEPPINGS(ATOM_TREMONT, X86_STEPPING_ANY, MMIO | MMIO_SBDS),
523 VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO),
524 VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS),
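Review bot: The stepping-specific COMETLAKE_L row (`X86_STEPPINGS(0x0, 0x0)`) keeps `MMIO | RETBLEED` without `GDS`, while the `X86_STEPPING_ANY` row for the same model directly below it gains `GDS`. If the table lookup returns the first matching row, which is how the existing stepping override appears to work, stepping 0x0 parts never get X86_BUG_GDS set and `gds_select_mitigation()` returns early for them. Confirm against Intel's affected-processor list that this stepping is really exempt. If it is not, the row should read `VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPINGS(0x0, 0x0), MMIO | RETBLEED | GDS),`. The start of the array and the lookup helper are outside this hunk.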
525 @@ -1415,6 +1419,16 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
526 if (cpu_matches(cpu_vuln_blacklist, SMT_RSB))
527 setup_force_cpu_bug(X86_BUG_SMT_RSB);
528
529 + /*
530 + * Check if CPU is vulnerable to GDS. If running in a virtual machine on
531 + * an affected processor, the VMM may have disabled the use of GATHER by
532 + * disabling AVX2. The only way to do this in HW is to clear XCR0[2],
533 + * which means that AVX will be disabled.
534 + */
535 + if (cpu_matches(cpu_vuln_blacklist, GDS) && !(ia32_cap & ARCH_CAP_GDS_NO) &&
536 + boot_cpu_has(X86_FEATURE_AVX))
537 + setup_force_cpu_bug(X86_BUG_GDS);
538 +
539 if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
540 return;
541
542 @@ -1977,6 +1991,8 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c)
543 validate_apic_and_package_id(c);
544 x86_spec_ctrl_setup_ap();
545 update_srbds_msr();
546 + if (boot_cpu_has_bug(X86_BUG_GDS))
547 + update_gds_msr();
548
549 tsx_ap_init();
550 }
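Review bot: `update_gds_msr()` is guarded by `boot_cpu_has_bug(X86_BUG_GDS)` only at this call site, while the neighbouring `update_srbds_msr()` is called unconditionally. Because `gds_mitigation` is initialised to `GDS_MITIGATION_FULL` in bugs.c, an unguarded call on an unaffected CPU would fall into the rdmsrl/wrmsrl of MSR_IA32_MCU_OPT_CTRL. The non-static helper is therefore only safe if every future caller repeats this check. Moving the test into the function as its first statement, `if (!boot_cpu_has_bug(X86_BUG_GDS)) return;`, would make it self-contained. identify_secondary_cpu() begins above this hunk.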
551 diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
552 index 61dbb9b216e6..d9aeb335002d 100644
553 --- a/arch/x86/kernel/cpu/cpu.h
554 +++ b/arch/x86/kernel/cpu/cpu.h
555 @@ -83,6 +83,7 @@ void cpu_select_mitigations(void);
556
557 extern void x86_spec_ctrl_setup_ap(void);
558 extern void update_srbds_msr(void);
559 +extern void update_gds_msr(void);
560
561 extern u64 x86_read_arch_cap_msr(void);
562
563 diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
564 index 7af8e33735a3..cc6cf06ce88e 100644
565 --- a/drivers/base/cpu.c
566 +++ b/drivers/base/cpu.c
567 @@ -577,6 +577,12 @@ ssize_t __weak cpu_show_retbleed(struct device *dev,
568 return sysfs_emit(buf, "Not affected\n");
569 }
570
571 +ssize_t __weak cpu_show_gds(struct device *dev,
572 + struct device_attribute *attr, char *buf)
573 +{
574 + return sysfs_emit(buf, "Not affected\n");
575 +}
576 +
577 static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
578 static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
579 static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
580 @@ -588,6 +594,7 @@ static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
581 static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
582 static DEVICE_ATTR(mmio_stale_data, 0444, cpu_show_mmio_stale_data, NULL);
583 static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
584 +static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL);
585
586 static struct attribute *cpu_root_vulnerabilities_attrs[] = {
587 &dev_attr_meltdown.attr,
588 @@ -601,6 +608,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
589 &dev_attr_srbds.attr,
590 &dev_attr_mmio_stale_data.attr,
591 &dev_attr_retbleed.attr,
592 + &dev_attr_gather_data_sampling.attr,
593 NULL
594 };
595