[Patch v6 11/16] x86/speculation: Enable IBPB for tasks with TIF_SPEC_BRANCH_SPECULATION

From: Tim Chen
Date: Tue Nov 20 2018 - 19:34:06 EST

Next message: Tim Chen: "[Patch v6 09/16] x86/speculation: Add Spectre v2 app to app protection modes"
Previous message: Tim Chen: "[Patch v6 12/16] x86/speculation: Add 'seccomp' Spectre v2 app to app protection mode"
In reply to: Tim Chen: "Re: [Patch v6 12/16] x86/speculation: Add 'seccomp' Spectre v2 app to app protection mode"
Next in thread: Tim Chen: "[Patch v6 09/16] x86/speculation: Add Spectre v2 app to app protection modes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

IBPB currently is applied to all tasks. However,
when spectre_v2_app2app_enabled is set to default
value SPECTRE_V2_APP2APP_PRCTL, only tasks marked with
TIF_SPEC_BRANCH_SPECULATION via prctl are protected against Spectre V2
sibling thread attack to minimize performance impact.

Extend this option to IBPB to protect only
tasks marked with TIF_SPEC_BRANCH_SPECULATION needing
mitigation to minimize performance impact.

Make IBPB usage follow the spectre_v2_app2app_enabled option:
spectre_v2_app2app =
SPECTRE_V2_APP2APP_PRCTL : Use IBPB only on tasks with TIF_SPEC_BRANCH_SPECULATION
SPECTRE_V2_APP2APP_STRICT : Use IBPB on all tasks
SPECTRE_V2_APP2APP_NONE : Don't use IBPB

Signed-off-by: Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>
---
arch/x86/kernel/cpu/bugs.c | 29 ++++++++++++++++++-----------
arch/x86/mm/tlb.c | 23 ++++++++++++++++++-----
2 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 26e1a87..44f7127 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -534,12 +534,6 @@ static void __init spectre_v2_select_mitigation(void)
setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");

- /* Initialize Indirect Branch Prediction Barrier if supported */
- if (boot_cpu_has(X86_FEATURE_IBPB)) {
- setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
- pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
- }
-
/*
* Retpoline means the kernel is safe because it has no indirect
* branches. Enhanced IBRS protects firmware too, so, enable restricted
@@ -558,8 +552,9 @@ static void __init spectre_v2_select_mitigation(void)

app2app_mode = SPECTRE_V2_APP2APP_NONE;

- /* No mitigation if mitigation feature is unavailable */
- if (!boot_cpu_has(X86_FEATURE_STIBP))
+ /* No mitigation if all mitigation features are unavailable */
+ if (!boot_cpu_has(X86_FEATURE_IBPB) &&
+ !boot_cpu_has(X86_FEATURE_STIBP))
goto set_app2app_mode;

app2app_cmd = spectre_v2_parse_app2app_cmdline(cmd);
@@ -587,6 +582,16 @@ static void __init spectre_v2_select_mitigation(void)
break;
}

+ /*
+ * Initialize Indirect Branch Prediction Barrier if supported
+ * and not disabled explicitly
+ */
+ if (boot_cpu_has(X86_FEATURE_IBPB) &&
+ app2app_mode != SPECTRE_V2_APP2APP_NONE) {
+ setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
+ pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
+ }
+
set_app2app_mode:
spectre_v2_app2app_enabled = app2app_mode;
pr_info("%s\n", spectre_v2_app2app_strings[app2app_mode]);
@@ -1076,10 +1081,12 @@ static char *stibp_state(void)

static char *ibpb_state(void)
{
- if (boot_cpu_has(X86_FEATURE_USE_IBPB))
- return ", IBPB";
- else
+ if (spectre_v2_app2app_enabled == SPECTRE_V2_APP2APP_NONE)
return "";
+ else if (spectre_v2_app2app_enabled == SPECTRE_V2_APP2APP_PRCTL)
+ return ", IBPB-prctl";
+ else
+ return ", IBPB-all";
}

static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
index bddd6b3..616694c 100644
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -184,14 +184,27 @@ static void sync_current_stack_to_mm(struct mm_struct *mm)
static bool ibpb_needed(struct task_struct *tsk, u64 last_ctx_id)
{
/*
- * Check if the current (previous) task has access to the memory
- * of the @tsk (next) task. If access is denied, make sure to
- * issue a IBPB to stop user->user Spectre-v2 attacks.
+ * Don't issue IBPB when switching to kernel threads or staying in the
+ * same mm context.
+ */
+ if (!tsk || !tsk->mm || tsk->mm->context.ctx_id == last_ctx_id)
+ return false;
+
+ /*
+ * If lite protection mode is enabled, check the STIBP thread flag.
+ *
+ * Otherwise check if the current (previous) task has access to the
+ * the memory of the @tsk (next) task for strict app to app protection.
+ * If access is denied, make sure to issue a IBPB to stop user->user
+ * Spectre-v2 attacks.
*
* Note: __ptrace_may_access() returns 0 or -ERRNO.
*/
- return (tsk && tsk->mm && tsk->mm->context.ctx_id != last_ctx_id &&
- ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB));
+
+ if (static_branch_unlikely(&spectre_v2_app_lite))
+ return test_tsk_thread_flag(tsk, TIF_SPEC_INDIR_BRANCH);
+ else
+ return ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB);
}

void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
--
2.9.4

Next message: Tim Chen: "[Patch v6 09/16] x86/speculation: Add Spectre v2 app to app protection modes"
Previous message: Tim Chen: "[Patch v6 12/16] x86/speculation: Add 'seccomp' Spectre v2 app to app protection mode"
In reply to: Tim Chen: "Re: [Patch v6 12/16] x86/speculation: Add 'seccomp' Spectre v2 app to app protection mode"
Next in thread: Tim Chen: "[Patch v6 09/16] x86/speculation: Add Spectre v2 app to app protection modes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]