x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug

author Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

Fri, 20 May 2022 03:27:08 +0000 (20:27 -0700)

committer Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

Thu, 9 Jun 2022 14:20:20 +0000 (11:20 -0300)
author Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Fri, 20 May 2022 03:27:08 +0000 (20:27 -0700)
committer Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Thu, 9 Jun 2022 14:20:20 +0000 (11:20 -0300)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h

index f7436fccc07645ac20cc3a58b36fc2c55286b8cd..51d6da6552904548cebf4b3f7ec24ae9443f7a52 100644 (file)
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -441,5 +441,6 @@
  #define X86_BUG_TAA                    X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
  #define X86_BUG_ITLB_MULTIHIT          X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
  #define X86_BUG_SRBDS                  X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
+#define X86_BUG_MMIO_STALE_DATA                X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
  
  #endif /* _ASM_X86_CPUFEATURES_H */
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h

index 8cf53b0344a25c5a1de65fc921ec932307135bef..2c83d062b14943777802d2e377d919a57695733e 100644 (file)
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -114,6 +114,25 @@
                                                  * Not susceptible to
                                                  * TSX Async Abort (TAA) vulnerabilities.
                                                  */
+#define ARCH_CAP_SBDR_SSDP_NO          BIT(13) /*
+                                                * Not susceptible to SBDR and SSDP
+                                                * variants of Processor MMIO stale data
+                                                * vulnerabilities.
+                                                */
+#define ARCH_CAP_FBSDP_NO              BIT(14) /*
+                                                * Not susceptible to FBSDP variant of
+                                                * Processor MMIO stale data
+                                                * vulnerabilities.
+                                                */
+#define ARCH_CAP_PSDP_NO               BIT(15) /*
+                                                * Not susceptible to PSDP variant of
+                                                * Processor MMIO stale data
+                                                * vulnerabilities.
+                                                */
+#define ARCH_CAP_FB_CLEAR              BIT(17) /*
+                                                * VERW clears CPU fill buffer
+                                                * even on MDS_NO CPUs.
+                                                */
  
  #define MSR_IA32_FLUSH_CMD             0x0000010b
  #define L1D_FLUSH                      BIT(0)  /*
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c

index fdae041dccbff97e78566fda442b82b1f2633443..698585aea20f0cf24f628da738ee3c0b5a73689d 100644 (file)
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1101,18 +1101,39 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
                                             X86_FEATURE_ANY, issues)
  
  #define SRBDS          BIT(0)
+/* CPU is affected by X86_BUG_MMIO_STALE_DATA */
+#define MMIO           BIT(1)
  
  static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
         VULNBL_INTEL_STEPPINGS(IVYBRIDGE,       X86_STEPPING_ANY,               SRBDS),
         VULNBL_INTEL_STEPPINGS(HASWELL,         X86_STEPPING_ANY,               SRBDS),
         VULNBL_INTEL_STEPPINGS(HASWELL_L,       X86_STEPPING_ANY,               SRBDS),
         VULNBL_INTEL_STEPPINGS(HASWELL_G,       X86_STEPPING_ANY,               SRBDS),
+       VULNBL_INTEL_STEPPINGS(HASWELL_X,       BIT(2) | BIT(4),                MMIO),
+       VULNBL_INTEL_STEPPINGS(BROADWELL_D,     X86_STEPPINGS(0x3, 0x5),        MMIO),
         VULNBL_INTEL_STEPPINGS(BROADWELL_G,     X86_STEPPING_ANY,               SRBDS),
+       VULNBL_INTEL_STEPPINGS(BROADWELL_X,     X86_STEPPING_ANY,               MMIO),
         VULNBL_INTEL_STEPPINGS(BROADWELL,       X86_STEPPING_ANY,               SRBDS),
+       VULNBL_INTEL_STEPPINGS(SKYLAKE_L,       X86_STEPPINGS(0x3, 0x3),        SRBDS | MMIO),
         VULNBL_INTEL_STEPPINGS(SKYLAKE_L,       X86_STEPPING_ANY,               SRBDS),
+       VULNBL_INTEL_STEPPINGS(SKYLAKE_X,       BIT(3) | BIT(4) | BIT(6) |
+                                               BIT(7) | BIT(0xB),              MMIO),
+       VULNBL_INTEL_STEPPINGS(SKYLAKE,         X86_STEPPINGS(0x3, 0x3),        SRBDS | MMIO),
         VULNBL_INTEL_STEPPINGS(SKYLAKE,         X86_STEPPING_ANY,               SRBDS),
-       VULNBL_INTEL_STEPPINGS(KABYLAKE_L,      X86_STEPPINGS(0x0, 0xC),        SRBDS),
-       VULNBL_INTEL_STEPPINGS(KABYLAKE,        X86_STEPPINGS(0x0, 0xD),        SRBDS),
+       VULNBL_INTEL_STEPPINGS(KABYLAKE_L,      X86_STEPPINGS(0x9, 0xC),        SRBDS | MMIO),
+       VULNBL_INTEL_STEPPINGS(KABYLAKE_L,      X86_STEPPINGS(0x0, 0x8),        SRBDS),
+       VULNBL_INTEL_STEPPINGS(KABYLAKE,        X86_STEPPINGS(0x9, 0xD),        SRBDS | MMIO),
+       VULNBL_INTEL_STEPPINGS(KABYLAKE,        X86_STEPPINGS(0x0, 0x8),        SRBDS),
+       VULNBL_INTEL_STEPPINGS(ICELAKE_L,       X86_STEPPINGS(0x5, 0x5),        MMIO),
+       VULNBL_INTEL_STEPPINGS(ICELAKE_D,       X86_STEPPINGS(0x1, 0x1),        MMIO),
+       VULNBL_INTEL_STEPPINGS(ICELAKE_X,       X86_STEPPINGS(0x4, 0x6),        MMIO),
+       VULNBL_INTEL_STEPPINGS(COMETLAKE,       BIT(2) | BIT(3) | BIT(5),       MMIO),
+       VULNBL_INTEL_STEPPINGS(COMETLAKE_L,     X86_STEPPINGS(0x0, 0x1),        MMIO),
+       VULNBL_INTEL_STEPPINGS(LAKEFIELD,       X86_STEPPINGS(0x1, 0x1),        MMIO),
+       VULNBL_INTEL_STEPPINGS(ROCKETLAKE,      X86_STEPPINGS(0x1, 0x1),        MMIO),
+       VULNBL_INTEL_STEPPINGS(ATOM_TREMONT,    X86_STEPPINGS(0x1, 0x1),        MMIO),
+       VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D,  X86_STEPPING_ANY,               MMIO),
+       VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_L,  X86_STEPPINGS(0x0, 0x0),        MMIO),
         {}
  };
  
@@ -1133,6 +1154,13 @@ u64 x86_read_arch_cap_msr(void)
         return ia32_cap;
  }
  
+static bool arch_cap_mmio_immune(u64 ia32_cap)
+{
+       return (ia32_cap & ARCH_CAP_FBSDP_NO &&
+               ia32_cap & ARCH_CAP_PSDP_NO &&
+               ia32_cap & ARCH_CAP_SBDR_SSDP_NO);
+}
+
  static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
  {
         u64 ia32_cap = x86_read_arch_cap_msr();
@@ -1192,6 +1220,17 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
             cpu_matches(cpu_vuln_blacklist, SRBDS))
                     setup_force_cpu_bug(X86_BUG_SRBDS);
  
+       /*
+        * Processor MMIO Stale Data bug enumeration
+        *
+        * Affected CPU list is generally enough to enumerate the vulnerability,
+        * but for virtualization case check for ARCH_CAP MSR bits also, VMM may
+        * not want the guest to enumerate the bug.
+        */
+       if (cpu_matches(cpu_vuln_blacklist, MMIO) &&
+           !arch_cap_mmio_immune(ia32_cap))
+               setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
+
         if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
                 return;
  
diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h

index 63d30dde20f942f2170a229a0f6db28e86e8390b..96eefc05387a4aa90ecefd98341fd8faed782a36 100644 (file)
--- a/tools/arch/x86/include/asm/cpufeatures.h
+++ b/tools/arch/x86/include/asm/cpufeatures.h
@@ -436,5 +436,6 @@
  #define X86_BUG_TAA                    X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */
  #define X86_BUG_ITLB_MULTIHIT          X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
  #define X86_BUG_SRBDS                  X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
+#define X86_BUG_MMIO_STALE_DATA                X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
  
  #endif /* _ASM_X86_CPUFEATURES_H */
diff --git a/tools/arch/x86/include/asm/msr-index.h b/tools/arch/x86/include/asm/msr-index.h

index 66ae309840fefeb8e6baba5dfae51488228ce547..0e64872fd070db28958a5dd34746af469a46348c 100644 (file)
--- a/tools/arch/x86/include/asm/msr-index.h
+++ b/tools/arch/x86/include/asm/msr-index.h
@@ -114,6 +114,25 @@
                                                  * Not susceptible to
                                                  * TSX Async Abort (TAA) vulnerabilities.
                                                  */
+#define ARCH_CAP_SBDR_SSDP_NO          BIT(13) /*
+                                                * Not susceptible to SBDR and SSDP
+                                                * variants of Processor MMIO stale data
+                                                * vulnerabilities.
+                                                */
+#define ARCH_CAP_FBSDP_NO              BIT(14) /*
+                                                * Not susceptible to FBSDP variant of
+                                                * Processor MMIO stale data
+                                                * vulnerabilities.
+                                                */
+#define ARCH_CAP_PSDP_NO               BIT(15) /*
+                                                * Not susceptible to PSDP variant of
+                                                * Processor MMIO stale data
+                                                * vulnerabilities.
+                                                */
+#define ARCH_CAP_FB_CLEAR              BIT(17) /*
+                                                * VERW clears CPU fill buffer
+                                                * even on MDS_NO CPUs.
+                                                */
  
  #define MSR_IA32_FLUSH_CMD             0x0000010b
  #define L1D_FLUSH                      BIT(0)  /*
author	Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
	Fri, 20 May 2022 03:27:08 +0000 (20:27 -0700)
committer	Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
	Thu, 9 Jun 2022 14:20:20 +0000 (11:20 -0300)
arch/x86/include/asm/cpufeatures.h		patch \| blob \| blame \| history
arch/x86/include/asm/msr-index.h		patch \| blob \| blame \| history
arch/x86/kernel/cpu/common.c		patch \| blob \| blame \| history
tools/arch/x86/include/asm/cpufeatures.h		patch \| blob \| blame \| history
tools/arch/x86/include/asm/msr-index.h		patch \| blob \| blame \| history