x86/bugs, KVM: Support the combination of guest and host IBRS

A guest may modify the SPEC_CTRL MSR from the value used by the
kernel. Since the kernel doesn't use IBRS, this means a value of zero is
what is needed in the host.

But the 336996-Speculative-Execution-Side-Channel-Mitigations.pdf refers to
the other bits as reserved so the kernel should respect the boot time
SPEC_CTRL value and use that.

This allows to deal with future extensions to the SPEC_CTRL interface if
any at all.

Note: This uses wrmsrl() instead of native_wrmsl(). I does not make any
difference as paravirt will over-write the callq *0xfff.. with the wrmsrl
assembler code.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
[tyhicks: Minor backport for context]

CVE-2018-3639 (x86)

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[backport to review smv.c/vmx.c]
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 689dea581f85e62f5c30a9eca79a87c8a2508b31..67a5cbf150bdc2e4bf8e52a3ef8585cb9c435d51 100644 (file)
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -176,6 +176,16 @@ enum spectre_v2_mitigation {
 extern void x86_spec_ctrl_set(u64);
 extern u64 x86_spec_ctrl_get_default(void);
 
+/*
+ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
+ * the guest has, while on VMEXIT we restore the host view. This
+ * would be easier if SPEC_CTRL were architecturally maskable or
+ * shadowable for guests but this is not (currently) the case.
+ * Takes the guest view of SPEC_CTRL MSR as a parameter.
+ */
+extern void x86_spec_ctrl_set_guest(u64);
+extern void x86_spec_ctrl_restore_host(u64);
+
 /*
  * On VMEXIT we must ensure that no RSB predictions learned in the guest
  * can be followed in the host, by overwriting the RSB completely. Both

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 384a1e5df1d6f733102a13060e9d6868763e8c0c..934ed77137a02725dd062f51910a4d0481f60df2 100644 (file)
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -122,6 +122,24 @@ u64 x86_spec_ctrl_get_default(void)
 }
 EXPORT_SYMBOL_GPL(x86_spec_ctrl_get_default);
 
+void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl)
+{
+       if (!ibrs_inuse)
+               return;
+       if (x86_spec_ctrl_base != guest_spec_ctrl)
+               wrmsrl(MSR_IA32_SPEC_CTRL, guest_spec_ctrl);
+}
+EXPORT_SYMBOL_GPL(x86_spec_ctrl_set_guest);
+
+void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl)
+{
+       if (!ibrs_inuse)
+               return;
+       if (x86_spec_ctrl_base != guest_spec_ctrl)
+               wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+}
+EXPORT_SYMBOL_GPL(x86_spec_ctrl_restore_host);
+
 static void __init spec2_print_if_insecure(const char *reason)
 {
        if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index a8c911fcd73fcb3948642e43ba044b52f736293c..f9e7ddd56ea6e480fe41bd290884fd401c6bd93b 100644 (file)
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4901,8 +4901,8 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
 
        local_irq_enable();
 
-       if (ibrs_inuse && (svm->spec_ctrl != FEATURE_ENABLE_IBRS))
-               wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
+       /* SMB: Don't care about ibrs_inuse but rely on guest value */
+       x86_spec_ctrl_set_guest(svm->spec_ctrl);
 
        asm volatile (
                "push %%" _ASM_BP "; \n\t"
@@ -4999,11 +4999,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
        /* Eliminate branch target predictions from guest mode */
        vmexit_fill_RSB();
 
-       if (ibrs_inuse) {
-               rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
-               if (svm->spec_ctrl != FEATURE_ENABLE_IBRS)
-                       wrmsrl(MSR_IA32_SPEC_CTRL, FEATURE_ENABLE_IBRS);
-       }
+       x86_spec_ctrl_restore_host(svm->spec_ctrl);
 
 #ifdef CONFIG_X86_64
        wrmsrl(MSR_GS_BASE, svm->host.gs_base);

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 8c638ef4f40917560008ac407becc87c52a2c617..7a7bd88b2e14e01c4fd127d09dfa78d329d61e37 100644 (file)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9104,9 +9104,8 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 
        atomic_switch_perf_msrs(vmx);
 
-       if (ibrs_inuse)
-               add_atomic_switch_msr(vmx, MSR_IA32_SPEC_CTRL,
-                       vcpu->arch.spec_ctrl, FEATURE_ENABLE_IBRS);
+       /* SMB: Ignore ibrs_inuse but rely on vcpu value */
+       x86_spec_ctrl_set_guest(vcpu->arch.spec_ctrl);
 
        debugctlmsr = get_debugctlmsr();
 
@@ -9230,6 +9229,8 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 #endif
              );
 
+       x86_spec_ctrl_restore_host(vcpu->arch.spec_ctrl);
+
        /* Eliminate branch target predictions from guest mode */
        vmexit_fill_RSB();