
x86/bhi: Additional mitigation for BHI vulnerability (CVE-2024-2201)

Waiman Long requested to merge llong1/centos-stream-9:rhel-28203_bhi into main

JIRA: https://issues.redhat.com/browse/RHEL-28203
JIRA: https://issues.redhat.com/browse/RHEL-28209
CVE: CVE-2024-2201
MR: !4014
Depends: !3961

Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in the kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes.

Alder Lake and newer processors support a hardware control, BHI_DIS_S, to mitigate BHI. For older processors that don't support BHI_DIS_S, Intel has released a software sequence to clear the branch history. Add support to execute the software sequence at syscall entry and VMexit to overwrite the branch history.

This MR extends the existing spectre_v2 mitigation to enable either software or hardware BHI mitigation for vulnerable Intel processors, if enabled. The spectre_v2 vulnerability sysfs file will now show the status of the BHI mitigation like

...; SW sequence; BHI: SW loop, KVM: SW loop

As Linus has changed the default upstream to CONFIG_SPECTRE_BHI_ON, the syscall hardening commit 1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls") is skipped for now. It may be backported in the future, if necessary.

Signed-off-by: Waiman Long longman@redhat.com
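To verify which BHI mitigation a running kernel reports, the following added example (not part of the MR or the kernel tree) parses the spectre_v2 sysfs string described above. The "BHI: SW loop, KVM: SW loop" form comes from this MR; the other BHI status strings are assumed from the upstream kernel, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not kernel code: classify the BHI mitigation reported in
# /sys/devices/system/cpu/vulnerabilities/spectre_v2.

# Extract the "BHI: ..." field from a spectre_v2 status string.
# Fields in that file are separated by "; ".
bhi_field() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^ *\(BHI: .*\)$/\1/p'
}

# Classify the BHI field as one of: hw, sw, none, vuln, unknown.
bhi_class() {
    field=$(bhi_field "$1")
    case "$field" in
        "")                   echo "unknown" ;;  # kernel predates BHI reporting
        "BHI: Not affected")  echo "none" ;;     # assumed upstream string
        "BHI: BHI_DIS_S")     echo "hw" ;;       # assumed upstream string
        "BHI: SW loop"*)      echo "sw" ;;       # string shown in this MR
        "BHI: Vulnerable"*)   echo "vuln" ;;     # assumed upstream string
        *)                    echo "unknown" ;;
    esac
}

# When run directly, read the live sysfs file (path overridable for testing).
spectre_v2_file=${SPECTRE_V2_FILE:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}
if [ -r "$spectre_v2_file" ]; then
    line=$(cat "$spectre_v2_file")
    printf 'spectre_v2: %s\nBHI class: %s\n' "$line" "$(bhi_class "$line")"
fi
```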

Edited by Waiman Long
