x86/speculation/mds: Add mitigation mode VMWERV

commit 22dd8365088b6403630b82423cf906491859b65e upstream

In virtualized environments it can happen that the host has the microcode
update which utilizes the VERW instruction to clear CPU buffers, but the
hypervisor is not yet updated to expose the X86_FEATURE_MD_CLEAR CPUID bit
to guests.

Introduce an internal mitigation mode VWWERV which enables the invocation
of the CPU buffer clearing even if X86_FEATURE_MD_CLEAR is not set. If the
system has no updated microcode this results in a pointless execution of
the VERW instruction wasting a few CPU cycles. If the microcode is updated,
but not exposed to a guest then the CPU buffers will be cleared.

That said: Virtual Machines Will Eventually Receive Vaccine

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Jon Masters <jcm@redhat.com>
Tested-by: Jon Masters <jcm@redhat.com>
(cherry picked from commit a2227b3f734fad5ace7c99103d6a7bc020c193fd)

Orabug: 29526900
CVE: CVE-2018-12126
CVE: CVE-2018-12130
CVE: CVE-2018-12127

Signed-off-by: Kanth Ghatraju <kanth.ghatraju@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Conflicts:
	The changes to arch/x86/kernel/cpu/bugs.c instead need to be made to
	arch/x86/kernel/cpu/bugs_64.c.

diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst
index 87ce8ac9f36edff3885287046c2915360721a0ff..3d6f943f1afb5b119461bba7b625b6abafa3fd0a 100644 (file)
--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -93,11 +93,38 @@ The kernel provides a function to invoke the buffer clearing:
 The mitigation is invoked on kernel/userspace, hypervisor/guest and C-state
 (idle) transitions.
 
+As a special quirk to address virtualization scenarios where the host has
+the microcode updated, but the hypervisor does not (yet) expose the
+MD_CLEAR CPUID bit to guests, the kernel issues the VERW instruction in the
+hope that it might actually clear the buffers. The state is reflected
+accordingly.
+
 According to current knowledge additional mitigations inside the kernel
 itself are not required because the necessary gadgets to expose the leaked
 data cannot be controlled in a way which allows exploitation from malicious
 user space or VM guests.
 
+Kernel internal mitigation modes
+--------------------------------
+
+ ======= ============================================================
+ off      Mitigation is disabled. Either the CPU is not affected or
+          mds=off is supplied on the kernel command line
+
+ full     Mitigation is eanbled. CPU is affected and MD_CLEAR is
+          advertised in CPUID.
+
+ vmwerv          Mitigation is enabled. CPU is affected and MD_CLEAR is not
+         advertised in CPUID. That is mainly for virtualization
+         scenarios where the host has the updated microcode but the
+         hypervisor does not expose MD_CLEAR in CPUID. It's a best
+         effort approach without guarantee.
+ ======= ============================================================
+
+If the CPU is affected and mds=off is not supplied on the kernel command
+line then the kernel selects the appropriate mitigation mode depending on
+the availability of the MD_CLEAR CPUID bit.
+
 Mitigation points
 -----------------
 

diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 0c86d0aa513a58f8aba6e8e7168b19fdb8f2f0bc..b09573e473d6fec9fd7d84c2ff131a5df7586a31 100644 (file)
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -1031,6 +1031,7 @@ extern bool mds_idle_clear_enabled(void);
 enum mds_mitigations {
        MDS_MITIGATION_OFF,
        MDS_MITIGATION_FULL,
+       MDS_MITIGATION_VMWERV,
 };
 
 #endif /* _ASM_X86_PROCESSOR_H */

diff --git a/arch/x86/kernel/cpu/bugs_64.c b/arch/x86/kernel/cpu/bugs_64.c
index 82c1506caf96a48f0405cf3a17d8755c6cd8356b..3237a76441a78184b425ee0320b08226fd845794 100644 (file)
--- a/arch/x86/kernel/cpu/bugs_64.c
+++ b/arch/x86/kernel/cpu/bugs_64.c
@@ -1322,7 +1322,8 @@ static enum mds_mitigations mds_mitigation __read_mostly = MDS_MITIGATION_FULL;
 
 static const char * const mds_strings[] = {
        [MDS_MITIGATION_OFF]    = "Vulnerable",
-       [MDS_MITIGATION_FULL]   = "Mitigation: Clear CPU buffers"
+       [MDS_MITIGATION_FULL]   = "Mitigation: Clear CPU buffers",
+       [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
 };
 
 static void update_mds_branch_idle(void)
@@ -1362,12 +1363,10 @@ static void mds_select_mitigation(void)
        }
 
        if (mds_mitigation == MDS_MITIGATION_FULL) {
-               if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) {
-                       static_branch_enable(&mds_user_clear);
-                       update_mds_branch_idle();
-               } else {
-                       mds_mitigation = MDS_MITIGATION_OFF;
-               }
+               if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
+                       mds_mitigation = MDS_MITIGATION_VMWERV;
+               static_branch_enable(&mds_user_clear);
+               update_mds_branch_idle();
        }
        pr_info("%s\n", mds_strings[mds_mitigation]);
 }