2bb69f5fc7
Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Add mitigations against it either with the help of microcode or with software sequences for the affected CPUs. -----BEGIN PGP SIGNATURE----- iQJHBAABCgAxFiEEQp8+kY+LLUocC4bMphj1TA10mKEFAmYUKPMTHHRnbHhAbGlu dXRyb25peC5kZQAKCRCmGPVMDXSYofT8EACJJix+GzGUcJjOvfWFZcxwziY152hO 5XSzHOZZL6oz5Yk/Rye/S9RVTN7aDjn1CEvI0cD/ULxaTP869sS9dDdUcHhEJ//5 6hjqWsWiKc1QmLjBy3Pcb97GZHQXM5a9D1f6jXnJD+0FMLbQHpzSEBit0H4tv/TC 75myGgYihvUbhN9/bL10M5fz+UADU42nChvPWDMr9ukljjCqa46tPTmKUIAW5TWj /xsyf+Nk+4kZpdaidKGhpof6KCV2rNeevvzUGN8Pv5y13iAmvlyplqTcQ6dlubnZ CuDX5Ji9spNF9WmhKpLgy5N+Ocb64oVHov98N2zw1sT1N8XOYcSM0fBj7SQIFURs L7T4jBZS+1c3ZGJPPFWIaGjV8w1ZMhelglwJxjY7ZgRD6fK3mwRx/ks54J8H4HjE FbirXaZLeKlscDIOKtnxxKoIGwpdGwLKQYi/wEw7F9NhCLSj9wMia+j3uYIUEEHr 6xEiYEtyjcV3ocxagH7eiHyrasOKG64vjx2h1XodusBA2Wrvgm/jXlchUu+wb6B4 LiiZJt+DmOdQ1h5j3r2rt3hw7+nWa7kyq34qfN6NSUCHiedp6q7BClueSaKiOCGk RoNibNiS+CqaxwGxj/RGuvajEJeEMCsLuCxzT3aeaDBsqscW6Ka/HkGA76Tpb5nJ E3JyjYE7AlG4rw== =W0W3 -----END PGP SIGNATURE----- Merge tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 mitigations from Thomas Gleixner: "Mitigations for the native BHI hardware vulnerabilty: Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Add mitigations against it either with the help of microcode or with software sequences for the affected CPUs" [ This also ends up enabling the full mitigation by default despite the system call hardening, because apparently there are other indirect calls that are still sufficiently reachable, and the 'auto' case just isn't hardened enough. We'll have some more inevitable tweaking in the future - Linus ] * tag 'nativebhi' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: KVM: x86: Add BHI_NO x86/bhi: Mitigate KVM by default x86/bhi: Add BHI mitigation knob x86/bhi: Enumerate Branch History Injection (BHI) bug x86/bhi: Define SPEC_CTRL_BHI_DIS_S x86/bhi: Add support for clearing branch history at syscall entry x86/syscall: Don't force use of indirect calls for system calls x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file |
||
|---|---|---|
| .. | ||
| acpi | ||
| apic | ||
| cpu | ||
| fpu | ||
| kprobes | ||
| .gitignore | ||
| alternative.c | ||
| amd_gart_64.c | ||
| amd_nb.c | ||
| aperture_64.c | ||
| apm_32.c | ||
| asm-offsets_32.c | ||
| asm-offsets_64.c | ||
| asm-offsets.c | ||
| audit_64.c | ||
| bootflag.c | ||
| callthunks.c | ||
| cet.c | ||
| cfi.c | ||
| check.c | ||
| cpuid.c | ||
| crash_dump_32.c | ||
| crash_dump_64.c | ||
| crash.c | ||
| devicetree.c | ||
| doublefault_32.c | ||
| dumpstack_32.c | ||
| dumpstack_64.c | ||
| dumpstack.c | ||
| e820.c | ||
| early_printk.c | ||
| early-quirks.c | ||
| ebda.c | ||
| eisa.c | ||
| espfix_64.c | ||
| fred.c | ||
| ftrace_32.S | ||
| ftrace_64.S | ||
| ftrace.c | ||
| head32.c | ||
| head64.c | ||
| head_32.S | ||
| head_64.S | ||
| hpet.c | ||
| hw_breakpoint.c | ||
| i8237.c | ||
| i8253.c | ||
| i8259.c | ||
| ibt_selftest.S | ||
| idt.c | ||
| io_delay.c | ||
| ioport.c | ||
| irq_32.c | ||
| irq_64.c | ||
| irq_work.c | ||
| irq.c | ||
| irqflags.S | ||
| irqinit.c | ||
| itmt.c | ||
| jailhouse.c | ||
| jump_label.c | ||
| kdebugfs.c | ||
| kexec-bzimage64.c | ||
| kgdb.c | ||
| ksysfs.c | ||
| kvm.c | ||
| kvmclock.c | ||
| ldt.c | ||
| machine_kexec_32.c | ||
| machine_kexec_64.c | ||
| Makefile | ||
| mmconf-fam10h_64.c | ||
| module.c | ||
| mpparse.c | ||
| msr.c | ||
| nmi_selftest.c | ||
| nmi.c | ||
| paravirt-spinlocks.c | ||
| paravirt.c | ||
| pci-dma.c | ||
| pcspeaker.c | ||
| perf_regs.c | ||
| platform-quirks.c | ||
| pmem.c | ||
| probe_roms.c | ||
| process_32.c | ||
| process_64.c | ||
| process.c | ||
| process.h | ||
| ptrace.c | ||
| pvclock.c | ||
| quirks.c | ||
| reboot_fixups_32.c | ||
| reboot.c | ||
| relocate_kernel_32.S | ||
| relocate_kernel_64.S | ||
| resource.c | ||
| rethook.c | ||
| rtc.c | ||
| setup_percpu.c | ||
| setup.c | ||
| sev_verify_cbit.S | ||
| sev-shared.c | ||
| sev.c | ||
| shstk.c | ||
| signal_32.c | ||
| signal_64.c | ||
| signal.c | ||
| smp.c | ||
| smpboot.c | ||
| stacktrace.c | ||
| static_call.c | ||
| step.c | ||
| sys_ia32.c | ||
| sys_x86_64.c | ||
| tboot.c | ||
| time.c | ||
| tls.c | ||
| tls.h | ||
| topology.c | ||
| trace_clock.c | ||
| trace.c | ||
| tracepoint.c | ||
| traps.c | ||
| tsc_msr.c | ||
| tsc_sync.c | ||
| tsc.c | ||
| umip.c | ||
| unwind_frame.c | ||
| unwind_guess.c | ||
| unwind_orc.c | ||
| uprobes.c | ||
| verify_cpu.S | ||
| vm86_32.c | ||
| vmcore_info_32.c | ||
| vmcore_info_64.c | ||
| vmlinux.lds.S | ||
| vsmp_64.c | ||
| x86_init.c | ||