[for-5.15,0/3] Cross-Thread Return Address Predictions vulnerability

Message ID 20230214170956.1297309-1-pbonzini@redhat.com (mailing list archive)

Message

Paolo Bonzini Feb. 14, 2023, 5:09 p.m. UTC
Certain AMD processors are vulnerable to a cross-thread return address
predictions bug. When running in SMT mode and one of the sibling threads
transitions out of C0 state, the other thread gets access to twice as many
entries in the RSB, but unfortunately the predictions of the now-halted
logical processor are not purged.  Therefore, the executing processor
could speculatively execute from locations that the now-halted processor
had trained the RSB on.

The Spectre v2 mitigations cover the Linux kernel, as it fills the RSB
when context switching to the idle thread. However, KVM allows a VMM to
prevent exiting guest mode when transitioning out of C0; the
KVM_CAP_X86_DISABLE_EXITS capability can be used by a VMM to change this
behavior. To mitigate the cross-thread return address predictions bug,
a VMM must not be allowed to override the default behavior to intercept
C0 transitions.

These patches introduce a KVM module parameter that, if set, will prevent
the user from disabling the HLT, MWAIT and CSTATE exits.

The patches apply to the 5.15 stable tree, and Greg has already received
them through a git bundle.  The difference is only in context, but it is
too much for "git cherry-pick" so here they are.

Thanks,

Paolo

Tom Lendacky (3):
  x86/speculation: Identify processors vulnerable to SMT RSB predictions
  KVM: x86: Mitigate the cross-thread return address predictions bug
  Documentation/hw-vuln: Add documentation for Cross-Thread Return
    Predictions

 .../admin-guide/hw-vuln/cross-thread-rsb.rst  | 92 +++++++++++++++++++
 Documentation/admin-guide/hw-vuln/index.rst   |  1 +
 arch/x86/include/asm/cpufeatures.h            |  1 +
 arch/x86/kernel/cpu/common.c                  |  9 +-
 arch/x86/kvm/x86.c                            | 43 ++++++---
 5 files changed, 133 insertions(+), 13 deletions(-)
 create mode 100644 Documentation/admin-guide/hw-vuln/cross-thread-rsb.rst
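
The policy the cover letter describes, as an added user-space model that is not code from this series or from the KVM tree: it takes a KVM_CAP_X86_DISABLE_EXITS request mask and computes which exits a guest actually keeps, depending on whether the administrator set the new module parameter. Assumptions not stated on the page: the parameter is named mitigate_smt_rsb here (the cover letter only says "a KVM module parameter"); disallowed HLT/MWAIT/CSTATE bits are dropped rather than rejected, while PAUSE is still honored because the cover letter lists only the other three; the return value 1 is this model's own way of flagging a sensitive request on an affected SMT host, not a claim about what the kernel reports; the real kernel additionally gates MWAIT on kvm_can_mwait_in_guest(), which is omitted. The bit values match the uapi linux/kvm.h definitions but are redefined locally so the file builds without kernel headers.

```c
/* Added example (not the series' or KVM's own code): model of how a
 * KVM_CAP_X86_DISABLE_EXITS request is applied with and without the
 * cross-thread RSB mitigation parameter. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same values as uapi linux/kvm.h; redefined so this builds stand-alone. */
#define KVM_X86_DISABLE_EXITS_MWAIT  (1u << 0)
#define KVM_X86_DISABLE_EXITS_HLT    (1u << 1)
#define KVM_X86_DISABLE_EXITS_PAUSE  (1u << 2)
#define KVM_X86_DISABLE_EXITS_CSTATE (1u << 3)
#define KVM_X86_DISABLE_VALID_EXITS  (KVM_X86_DISABLE_EXITS_MWAIT |  \
                                      KVM_X86_DISABLE_EXITS_HLT |    \
                                      KVM_X86_DISABLE_EXITS_PAUSE |  \
                                      KVM_X86_DISABLE_EXITS_CSTATE)

/* Exits whose disabling leaves a halted sibling's RSB training in place:
 * the three the cover letter says must stay intercepted. */
#define SMT_RSB_SENSITIVE_EXITS (KVM_X86_DISABLE_EXITS_MWAIT | \
                                 KVM_X86_DISABLE_EXITS_HLT |   \
                                 KVM_X86_DISABLE_EXITS_CSTATE)

struct host {
	bool smt_rsb_bug;      /* CPU is affected (the new cpufeature bug bit) */
	bool smt_possible;     /* sibling threads may be online */
	bool mitigate_smt_rsb; /* assumed name of the new module parameter */
};

/* Per-VM result, mirroring the kernel's *_in_guest flags. */
struct vm_exits {
	bool mwait_in_guest, hlt_in_guest, pause_in_guest, cstate_in_guest;
};

/* Returns -1 for a mask with unknown bits (kernel: -EINVAL), 1 when
 * sensitive exits were requested on an affected SMT host with the
 * parameter unset (this model's flag, not kernel behaviour), 0 otherwise.
 * *out receives the effective state; with the parameter set the sensitive
 * bits are dropped (assumption) and only PAUSE is applied. */
int apply_disable_exits(const struct host *h, uint32_t req, struct vm_exits *out)
{
	struct vm_exits e = {0};
	int flagged = 0;

	if (req & ~KVM_X86_DISABLE_VALID_EXITS)
		return -1;

	e.pause_in_guest = !!(req & KVM_X86_DISABLE_EXITS_PAUSE);

	if (!h->mitigate_smt_rsb) {
		if (h->smt_rsb_bug && h->smt_possible &&
		    (req & SMT_RSB_SENSITIVE_EXITS))
			flagged = 1;
		e.mwait_in_guest  = !!(req & KVM_X86_DISABLE_EXITS_MWAIT);
		e.hlt_in_guest    = !!(req & KVM_X86_DISABLE_EXITS_HLT);
		e.cstate_in_guest = !!(req & KVM_X86_DISABLE_EXITS_CSTATE);
	}
	*out = e;
	return flagged;
}

/* Safety predicate for a resulting configuration: on an affected host with
 * SMT possible, no C0-transition instruction may execute without a VM exit. */
bool vm_exits_safe(const struct host *h, const struct vm_exits *e)
{
	if (!h->smt_rsb_bug || !h->smt_possible)
		return true;
	return !(e->mwait_in_guest || e->hlt_in_guest || e->cstate_in_guest);
}

int main(void)
{
	/* Constructed host: affected CPU, SMT possible, parameter unset. */
	struct host h = { .smt_rsb_bug = true, .smt_possible = true,
			  .mitigate_smt_rsb = false };
	uint32_t req = KVM_X86_DISABLE_EXITS_HLT | KVM_X86_DISABLE_EXITS_PAUSE;
	struct vm_exits e;
	int r;

	r = apply_disable_exits(&h, req, &e);
	printf("param unset: rc=%d hlt_in_guest=%d safe=%d\n",
	       r, e.hlt_in_guest, vm_exits_safe(&h, &e));

	h.mitigate_smt_rsb = true;
	r = apply_disable_exits(&h, req, &e);
	printf("param set:   rc=%d hlt_in_guest=%d pause_in_guest=%d safe=%d\n",
	       r, e.hlt_in_guest, e.pause_in_guest, vm_exits_safe(&h, &e));
	return 0;
}
```

The practitioner-relevant point the model makes visible: a VMM cannot rely on KVM_CAP_X86_DISABLE_EXITS having taken effect on an affected host, so a VMM that polls HLT in guest for latency reasons should check the host's kernel configuration rather than assume its request was honored.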

Comments

Greg KH Feb. 14, 2023, 6:06 p.m. UTC | #1
On Tue, Feb 14, 2023 at 12:09:53PM -0500, Paolo Bonzini wrote:
> Certain AMD processors are vulnerable to a cross-thread return address
> predictions bug. When running in SMT mode and one of the sibling threads
> transitions out of C0 state, the other thread gets access to twice as many
> entries in the RSB, but unfortunately the predictions of the now-halted
> logical processor are not purged.  Therefore, the executing processor
> could speculatively execute from locations that the now-halted processor
> had trained the RSB on.
> 
> The Spectre v2 mitigations cover the Linux kernel, as it fills the RSB
> when context switching to the idle thread. However, KVM allows a VMM to
> prevent exiting guest mode when transitioning out of C0; the
> KVM_CAP_X86_DISABLE_EXITS capability can be used by a VMM to change this
> behavior. To mitigate the cross-thread return address predictions bug,
> a VMM must not be allowed to override the default behavior to intercept
> C0 transitions.
> 
> These patches introduce a KVM module parameter that, if set, will prevent
> the user from disabling the HLT, MWAIT and CSTATE exits.
> 
> The patches apply to the 5.15 stable tree, and Greg has already received
> them through a git bundle.  The difference is only in context, but it is
> too much for "git cherry-pick" so here they are.

Thanks for these, all now queued up.

greg k-h