add fixes for downfall
1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
3 Date: Wed, 12 Jul 2023 19:43:13 -0700
4 Subject: [PATCH] x86/speculation: Add Kconfig option for GDS
5
6 Gather Data Sampling (GDS) is mitigated in microcode. However, on
7 systems that haven't received the updated microcode, disabling AVX
8 can act as a mitigation. Add a Kconfig option that uses the microcode
9 mitigation if available and disables AVX otherwise. Setting this
10 option has no effect on systems not affected by GDS. This is the
11 equivalent of setting gather_data_sampling=force.
12
13 Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
14 Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
15 Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
16
17 (cherry picked from commit 53cf5797f114ba2bd86d23a862302119848eff19)
18 CVE-2022-40982
19 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
20 Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
21 Acked-by: Stefan Bader <stefan.bader@canonical.com>
22 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
23 (cherry picked from commit 92bd969bbe475c5bca376d007ed6558085b237ba)
24 Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
25 ---
26 arch/x86/Kconfig | 19 +++++++++++++++++++
27 arch/x86/kernel/cpu/bugs.c | 4 ++++
28 2 files changed, 23 insertions(+)
29
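--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2640,6 +2640,25 @@ config SLS
 	  against straight line speculation. The kernel image might be slightly
 	  larger.
 
+config GDS_FORCE_MITIGATION
+	bool "Force GDS Mitigation"
+	depends on CPU_SUP_INTEL
+	default n
+	help
+	  Gather Data Sampling (GDS) is a hardware vulnerability which allows
+	  unprivileged speculative access to data which was previously stored in
+	  vector registers.
+
+	  This option is equivalent to setting gather_data_sampling=force on the
+	  command line. The microcode mitigation is used if present, otherwise
+	  AVX is disabled as a mitigation. On affected systems that are missing
+	  the microcode any userspace code that unconditionally uses AVX will
+	  break with this option set.
+
+	  Setting this option on systems not vulnerable to GDS has no effect.
+
+	  If in doubt, say N.
+
 endif
 
 config ARCH_HAS_ADD_PAGES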
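Review bot: `default n` on the new GDS_FORCE_MITIGATION option is redundant, since a Kconfig bool with no default already defaults to n, and it can be dropped so the entry reads `bool "Force GDS Mitigation"`, `depends on CPU_SUP_INTEL`, `help`. The help text also leaves open whether the build-time choice can still be changed at boot: the commit message calls the option "the equivalent of setting gather_data_sampling=force", which suggests (verify against the command-line parsing in bugs.c) that an explicit `gather_data_sampling=` parameter still overrides it. If so, a sentence such as `The gather_data_sampling= kernel parameter still takes precedence over this option.` would tell administrators how to recover a system where disabling AVX turned out to break userspace, without rebuilding the kernel.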
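--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -658,7 +658,11 @@ enum gds_mitigations {
 	GDS_MITIGATION_HYPERVISOR,
 };
 
+#if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)
+static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE;
+#else
 static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
+#endif
 
 static const char * const gds_strings[] = {
 	[GDS_MITIGATION_OFF] = "Vulnerable",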
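Review bot: The `#if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)` / `#else` pair repeats the whole `gds_mitigation` definition only to vary its initializer, so the two copies can drift apart; a single definition with a constant conditional says the same thing once: `static enum gds_mitigations gds_mitigation __ro_after_init =` / `	IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION) ? GDS_MITIGATION_FORCE : GDS_MITIGATION_FULL;`. IS_ENABLED() expands to a 0/1 integer constant, so the conditional remains a valid static initializer. A one-line comment on why the default differs would also help readers who do not have the Kconfig help text at hand, e.g. `/* CONFIG_GDS_FORCE_MITIGATION builds in the gather_data_sampling=force default. */`. The `enum gds_mitigations` definition that the hunk header names begins before the hunk.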