x86/speculation/mmio: Fix Processor MMIO Stale Data Vulnerabilities
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2090254
MR: !1065 (merged)
CVE: CVE-2022-21123
CVE: CVE-2022-21125
CVE: CVE-2022-21166
Omitted-fix: 2c3ef25c4a60 ("tools headers UAPI: Sync linux/prctl.h with the kernel sources")
This commit also adds symbols from 433c38f40f6a81cf ("arm64: mte:
change ASYNC and SYNC TCF settings into bit fields") which isn't in
RHEL9 yet and tools headers won't affect kernel build.
Processor MMIO Stale Data Vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities that can expose data. When a processor core reads or writes MMIO, the transaction is normally done with uncacheable or write-combining memory types and is routed through the uncore, which is a section of logic in the CPU that is shared by physical processor cores and provides several common services. Malicious actors may use uncore buffers and mapped registers to leak information from different hardware threads within the same physical core or across cores.
More details about these vulnerabilities can be found in the documentation patch as well as in [1].
The first 8 patches are additional upstream commits that reduce merge conflicts. That includes the support for the paranoid L1D flush functionality that may be useful for those that are really paranoid. The remaining 11 patches are the upstream kernel commits for fixing these MMIO vulnerabilities.
Signed-off-by: Waiman Long <longman@redhat.com>
Waiman Long (19):
x86/mm: Refactor cond_ibpb() to support other use cases
sched: Add task_work callback for paranoid L1D flush
x86/process: Make room for TIF_SPEC_L1D_FLUSH
x86/mm: Prepare for opt-in based L1D flush in switch_mm()
x86, prctl: Hook L1D flushing in via prctl
Documentation: Add L1D flushing Documentation
x86/tsx: Use MSR_TSX_CTRL to clear CPUID bits
x86/tsx: Disable TSX development mode at boot
Documentation: Add documentation for Processor MMIO Stale Data
x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug
x86/speculation: Add a common function for MD_CLEAR mitigation update
x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data
x86/bugs: Group MDS, TAA & Processor MMIO Stale Data mitigations
x86/speculation/mmio: Enable CPU Fill buffer clearing on idle
x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data
x86/speculation/srbds: Update SRBDS mitigation selection
x86/speculation/mmio: Reuse SRBDS mitigation for SBDS
KVM: x86/speculation: Disable Fill buffer clear within guests
x86/speculation/mmio: Print SMT warning
.../ABI/testing/sysfs-devices-system-cpu | 1 +
Documentation/admin-guide/hw-vuln/index.rst | 2 +
.../admin-guide/hw-vuln/l1d_flush.rst | 69 ++++
.../hw-vuln/processor_mmio_stale_data.rst | 246 ++++++++++++++
.../admin-guide/kernel-parameters.txt | 53 +++
Documentation/userspace-api/spec_ctrl.rst | 8 +
arch/Kconfig | 3 +
arch/x86/Kconfig | 1 +
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/msr-index.h | 29 +-
arch/x86/include/asm/nospec-branch.h | 4 +
arch/x86/include/asm/thread_info.h | 6 +-
arch/x86/include/asm/tlbflush.h | 2 +-
arch/x86/kernel/cpu/bugs.c | 305 +++++++++++++++---
arch/x86/kernel/cpu/common.c | 54 +++-
arch/x86/kernel/cpu/cpu.h | 5 +-
arch/x86/kernel/cpu/intel.c | 7 -
arch/x86/kernel/cpu/tsx.c | 104 +++++-
arch/x86/kvm/vmx/vmx.c | 72 +++++
arch/x86/kvm/vmx/vmx.h | 2 +
arch/x86/kvm/x86.c | 3 +
arch/x86/mm/tlb.c | 107 ++++--
drivers/base/cpu.c | 8 +
include/linux/cpu.h | 3 +
include/linux/sched.h | 10 +
include/uapi/linux/prctl.h | 1 +
tools/arch/x86/include/asm/cpufeatures.h | 1 +
tools/arch/x86/include/asm/msr-index.h | 29 +-
28 files changed, 1046 insertions(+), 90 deletions(-)
create mode 100644 Documentation/admin-guide/hw-vuln/l1d_flush.rst
create mode 100644 Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
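
The sysfs reporting added by this series gives a host-side check for whether the mitigation is active. The script below is an added example, not part of the merge request; the sysfs path and status strings are those of the upstream kernel (assumed unchanged in the backport), and `MMIO_SYSFS`, `classify_mmio_status` and `check_mmio_host` are names made up for the example.

```shell
#!/bin/sh
# Added example: interpret the kernel's Processor MMIO Stale Data status line.
# MMIO_SYSFS and both function names are invented for this example; the
# default path and status strings are the upstream kernel's (assumption:
# the RHEL backport reports the same strings).
MMIO_SYSFS="${MMIO_SYSFS:-/sys/devices/system/cpu/vulnerabilities/mmio_stale_data}"

# classify_mmio_status "<status line>" -> prints "<mitigation> <smt>"
classify_mmio_status() {
    status=$1
    case "$status" in
        "Not affected"*) base=not_affected ;;
        "Mitigation: Clear CPU buffers"*) base=mitigated ;;
        # Best effort only: the kernel attempts the buffer clear, but the
        # microcode update it depends on is absent.
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) base=needs_microcode ;;
        "Vulnerable"*) base=vulnerable ;;
        *) base=unknown ;;
    esac
    case "$status" in
        *"; SMT vulnerable"*) smt=smt_on ;;
        *"; SMT disabled"*) smt=smt_off ;;
        *"; SMT Host state unknown"*) smt=smt_unknown ;;  # running as a guest
        *) smt=smt_na ;;
    esac
    printf '%s %s\n' "$base" "$smt"
}

# check_mmio_host: 0 = not affected or mitigated, 1 = exposed or unrecognised,
# 2 = sysfs entry missing (kernel without the sysfs reporting patch).
check_mmio_host() {
    [ -r "$MMIO_SYSFS" ] || { echo "missing: $MMIO_SYSFS"; return 2; }
    IFS= read -r line < "$MMIO_SYSFS" || true
    verdict=$(classify_mmio_status "$line")
    echo "$line -> $verdict"
    case "$verdict" in
        "not_affected "*|"mitigated "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed status lines (not captured from a real host).
for s in "Mitigation: Clear CPU buffers; SMT vulnerable" \
         "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled" \
         "Not affected"; do
    printf '%s => %s\n' "$s" "$(classify_mmio_status "$s")"
done
```

On a real host, call `check_mmio_host` and treat a `mitigated smt_on` verdict as mitigated on the local thread with the SMT sibling still flagged by the kernel.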