[PATCH v4 0/2] Harden spectrev2 userspace-userspace protection

From: Jiri Kosina
Date: Thu Sep 06 2018 - 04:17:31 EST


Currently, linux kernel is basically not preventing userspace-userspace
spectrev2 attack, because:

- IBPB is basically unused (issued only for tasks that marked themselves
explicitly non-dumpable, which is absolutely negligible minority of all
software out there), therefore cross-process branch buffer posioning
using spectrev2 is possible

- STIBP is completely unused, therefore cross-process branch buffer
poisoning using spectrev2 between processess running on two HT siblings
thread s is possible

This patchset changes IBPB semantics, so that it's now applied whenever
context-switching between processess that can't use ptrace() to achieve
the same. This admittedly comes with extra overhad on a context switch;
systems that don't care about could disable the mitigation using
nospectre_v2 boot option.
The IBPB implementaion is heavily based on original patches by Tim Chen.

In addition to that, we unconditionally turn STIBP on so that HT siblings
always have separate branch buffers.

We've been carrying IBPB implementation with the same semantics in our
(SUSE) trees since january disclosure; STIBP was more or less ignored up
to today.

v1->v2:
include IBPB changes
v2->v3:
fix IBPB 'who can trace who' semantics
wire up STIBP flipping to SMT hotplug
v3->v4:
dropped ___ptrace_may_access(), as it's not needed
fixed deadlock with LSM/audit/selinux (Andrea Arcangeli)
statically patch out the ptrace check if !IBPB

Jiri Kosina (2):
x86/speculation: apply IBPB more strictly to avoid cross-process data leak
x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation

arch/x86/kernel/cpu/bugs.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
arch/x86/mm/tlb.c | 31 ++++++++++++++++++++-----------
include/linux/ptrace.h | 4 ++++
kernel/cpu.c | 13 ++++++++++++-
kernel/ptrace.c | 12 ++++++++----
5 files changed, 107 insertions(+), 16 deletions(-)

--
Jiri Kosina
SUSE Labs