2018-04-29 07:20:11 -06:00
|
|
|
===================
|
|
|
|
|
Speculation Control
|
|
|
|
|
===================
|
|
|
|
|
|
2018-05-08 07:43:45 -06:00
|
|
|
Quite some CPUs have speculation-related misfeatures which are in
|
|
|
|
|
fact vulnerabilities causing data leaks in various forms even across
|
|
|
|
|
privilege domains.
|
2018-04-29 07:20:11 -06:00
|
|
|
|
|
|
|
|
The kernel provides mitigation for such vulnerabilities in various
|
2018-05-08 07:43:45 -06:00
|
|
|
forms. Some of these mitigations are compile-time configurable and some
|
|
|
|
|
can be supplied on the kernel command line.
|
2018-04-29 07:20:11 -06:00
|
|
|
|
|
|
|
|
There is also a class of mitigations which are very expensive, but they can
|
|
|
|
|
be restricted to a certain set of processes or tasks in controlled
|
|
|
|
|
environments. The mechanism to control these mitigations is via
|
|
|
|
|
:manpage:`prctl(2)`.
|
|
|
|
|
|
|
|
|
|
There are two prctl options which are related to this:
|
|
|
|
|
|
|
|
|
|
* PR_GET_SPECULATION_CTRL
|
|
|
|
|
|
|
|
|
|
* PR_SET_SPECULATION_CTRL
|
|
|
|
|
|
|
|
|
|
PR_GET_SPECULATION_CTRL
|
|
|
|
|
-----------------------
|
|
|
|
|
|
|
|
|
|
PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
|
2018-05-03 14:09:15 -06:00
|
|
|
which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
|
2018-04-29 07:20:11 -06:00
|
|
|
the following meaning:
|
|
|
|
|
|
2018-05-03 14:09:15 -06:00
|
|
|
==== ===================== ===================================================
|
|
|
|
|
Bit Define Description
|
|
|
|
|
==== ===================== ===================================================
|
|
|
|
|
0 PR_SPEC_PRCTL Mitigation can be controlled per task by
|
2018-05-08 07:43:45 -06:00
|
|
|
PR_SET_SPECULATION_CTRL.
|
2018-05-03 14:09:15 -06:00
|
|
|
1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is
|
2018-05-08 07:43:45 -06:00
|
|
|
disabled.
|
2018-05-03 14:09:15 -06:00
|
|
|
2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is
|
2018-05-08 07:43:45 -06:00
|
|
|
enabled.
|
2018-05-03 14:09:15 -06:00
|
|
|
3 PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
|
|
|
|
|
subsequent prctl(..., PR_SPEC_ENABLE) will fail.
|
|
|
|
|
==== ===================== ===================================================
|
2018-04-29 07:20:11 -06:00
|
|
|
|
|
|
|
|
If all bits are 0 the CPU is not affected by the speculation misfeature.
|
|
|
|
|
|
2018-05-08 07:43:45 -06:00
|
|
|
If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
|
2018-04-29 07:20:11 -06:00
|
|
|
available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
|
|
|
|
|
misfeature will fail.
|
|
|
|
|
|
|
|
|
|
PR_SET_SPECULATION_CTRL
|
|
|
|
|
-----------------------
|
2018-05-03 14:09:15 -06:00
|
|
|
|
2018-04-29 07:20:11 -06:00
|
|
|
PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
|
|
|
|
|
is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
|
2018-05-03 14:09:15 -06:00
|
|
|
in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
|
|
|
|
|
PR_SPEC_FORCE_DISABLE.
|
2018-04-29 07:20:11 -06:00
|
|
|
|
|
|
|
|
Common error codes
|
|
|
|
|
------------------
|
|
|
|
|
======= =================================================================
|
|
|
|
|
Value Meaning
|
|
|
|
|
======= =================================================================
|
|
|
|
|
EINVAL The prctl is not implemented by the architecture or unused
|
2018-05-08 07:43:45 -06:00
|
|
|
prctl(2) arguments are not 0.
|
2018-04-29 07:20:11 -06:00
|
|
|
|
2018-05-08 07:43:45 -06:00
|
|
|
ENODEV arg2 is selecting a not supported speculation misfeature.
|
2018-04-29 07:20:11 -06:00
|
|
|
======= =================================================================
|
|
|
|
|
|
|
|
|
|
PR_SET_SPECULATION_CTRL error codes
|
|
|
|
|
-----------------------------------
|
|
|
|
|
======= =================================================================
|
|
|
|
|
Value Meaning
|
|
|
|
|
======= =================================================================
|
|
|
|
|
0 Success
|
|
|
|
|
|
|
|
|
|
ERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
|
2018-05-08 07:43:45 -06:00
|
|
|
PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.
|
2018-04-29 07:20:11 -06:00
|
|
|
|
|
|
|
|
ENXIO Control of the selected speculation misfeature is not possible.
|
|
|
|
|
See PR_GET_SPECULATION_CTRL.
|
2018-05-03 14:09:15 -06:00
|
|
|
|
|
|
|
|
EPERM Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
|
|
|
|
|
tried to enable it again.
|
2018-04-29 07:20:11 -06:00
|
|
|
======= =================================================================
|
|
|
|
|
|
|
|
|
|
Speculation misfeature controls
|
|
|
|
|
-------------------------------
|
|
|
|
|
- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
|
|
|
|
|
|
|
|
|
|
Invocations:
|
|
|
|
|
* prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
|
|
|
|
|
* prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
|
|
|
|
|
* prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
|
2018-05-03 14:09:15 -06:00
|
|
|
* prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
|
x86/speculation: Add prctl() control for indirect branch speculation
Add the PR_SPEC_INDIRECT_BRANCH option for the PR_GET_SPECULATION_CTRL and
PR_SET_SPECULATION_CTRL prctls to allow fine grained per task control of
indirect branch speculation via STIBP and IBPB.
Invocations:
Check indirect branch speculation status with
- prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
Enable indirect branch speculation with
- prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
Disable indirect branch speculation with
- prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
Force disable indirect branch speculation with
- prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
See Documentation/userspace-api/spec_ctrl.rst.
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Casey Schaufler <casey.schaufler@intel.com>
Cc: Asit Mallick <asit.k.mallick@intel.com>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Waiman Long <longman9394@gmail.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Dave Stewart <david.c.stewart@intel.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20181125185005.866780996@linutronix.de
2018-11-25 11:33:53 -07:00
|
|
|
|
|
|
|
|
- PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes
|
|
|
|
|
(Mitigate Spectre V2 style attacks against user processes)
|
|
|
|
|
|
|
|
|
|
Invocations:
|
|
|
|
|
* prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
|
|
|
|
|
* prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
|
|
|
|
|
* prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
|
|
|
|
|
* prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
|