[PATCH 1/7] x86/feature: Detect the x86 feature to control Speculation

From: Tim Chen
Date: Thu Jan 04 2018 - 13:19:34 EST

Next message: Florian Fainelli: "Re: [PATCH v3 00/20] arm64: Unmap the kernel whilst running in userspace (KPTI)"
Previous message: Tim Chen: "[PATCH 0/7] IBRS patch series"
In reply to: Thomas Gleixner: "Re: [PATCH 3/7] x86/enter: Use IBRS on syscall and interrupts"
Next in thread: Greg KH: "Re: [PATCH 1/7] x86/feature: Detect the x86 feature to control Speculation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

cpuid ax=0x7, return rdx bit 26 to indicate presence of this feature
IA32_SPEC_CTRL (0x48) and IA32_PRED_CMD (0x49)
IA32_SPEC_CTRL, bit0 â Indirect Branch Restricted Speculation (IBRS)
IA32_PRED_CMD, bit0 â Indirect Branch Prediction Barrier (IBPB)

If IBRS is set, near returns and near indirect jumps/calls will not
allow their predicted target address to be controlled by code that
executed in a less privileged prediction mode before the IBRS mode was
last written with a value of 1 or on another logical processor so long
as all RSB entries from the previous less privileged prediction mode
are overwritten.

Setting of IBPB ensures that earlier code's behavior does not control later
indirect branch predictions. It is used when context switching to new
untrusted address space. Unlike IBRS, it is a command MSR and does not retain
its state.

* Thus a near indirect jump/call/return may be affected by code in a
less privileged prediction mode that executed AFTER IBRS mode was last
written with a value of 1

* There is no need to clear IBRS before writing it with a value of
1. Unconditionally writing it with a value of 1 after the prediction
mode change is sufficient

* Note: IBRS is not required in order to isolate branch predictions for
SMM or SGX enclaves

* Code executed by a sibling logical processor cannot control indirect
jump/call/return predicted target when IBRS is set

* SMEP will prevent supervisor mode using RSB entries filled by user code;
this can reduce the need for software to overwrite RSB entries

* IBRS is not guaranteed to differentiate two applications that use
the same CR3 due to recycling. Software can use an IBPB command when
recycling a page table base address.

* VMM software can similarly use an IBPB when recycling a controlling
VMCS pointer address

CPU performance could be reduced when running with IBRS set.

Signed-off-by: Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>
---
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/msr-index.h | 7 +++++++
arch/x86/kernel/cpu/scattered.c | 1 +
3 files changed, 9 insertions(+)

diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 86c68cb..431f393 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -209,6 +209,7 @@
#define X86_FEATURE_AVX512_4FMAPS ( 7*32+17) /* AVX-512 Multiply Accumulation Single precision */

#define X86_FEATURE_MBA ( 7*32+18) /* Memory Bandwidth Allocation */
+#define X86_FEATURE_SPEC_CTRL ( 7*32+19) /* Control Speculation Control */

/* Virtualization flags: Linux defined, word 8 */
#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index 1e7d710..f51e516 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -42,6 +42,12 @@
#define MSR_PPIN_CTL 0x0000004e
#define MSR_PPIN 0x0000004f

+#define MSR_IA32_SPEC_CTRL 0x00000048
+#define SPEC_CTRL_FEATURE_DISABLE_IBRS (0 << 0)
+#define SPEC_CTRL_FEATURE_ENABLE_IBRS (1 << 0)
+
+#define MSR_IA32_PRED_CMD 0x00000049
+
#define MSR_IA32_PERFCTR0 0x000000c1
#define MSR_IA32_PERFCTR1 0x000000c2
#define MSR_FSB_FREQ 0x000000cd
@@ -439,6 +445,7 @@
#define FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX (1<<1)
#define FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX (1<<2)
#define FEATURE_CONTROL_LMCE (1<<20)
+#define FEATURE_SET_IBPB (1<<0)

#define MSR_IA32_APICBASE 0x0000001b
#define MSR_IA32_APICBASE_BSP (1<<8)
diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c
index 05459ad..bc50c40 100644
--- a/arch/x86/kernel/cpu/scattered.c
+++ b/arch/x86/kernel/cpu/scattered.c
@@ -24,6 +24,7 @@ static const struct cpuid_bit cpuid_bits[] = {
{ X86_FEATURE_INTEL_PT, CPUID_EBX, 25, 0x00000007, 0 },
{ X86_FEATURE_AVX512_4VNNIW, CPUID_EDX, 2, 0x00000007, 0 },
{ X86_FEATURE_AVX512_4FMAPS, CPUID_EDX, 3, 0x00000007, 0 },
+ { X86_FEATURE_SPEC_CTRL, CPUID_EDX, 26, 0x00000007, 0 },
{ X86_FEATURE_CAT_L3, CPUID_EBX, 1, 0x00000010, 0 },
{ X86_FEATURE_CAT_L2, CPUID_EBX, 2, 0x00000010, 0 },
{ X86_FEATURE_CDP_L3, CPUID_ECX, 2, 0x00000010, 1 },
--
2.9.4

Next message: Florian Fainelli: "Re: [PATCH v3 00/20] arm64: Unmap the kernel whilst running in userspace (KPTI)"
Previous message: Tim Chen: "[PATCH 0/7] IBRS patch series"
In reply to: Thomas Gleixner: "Re: [PATCH 3/7] x86/enter: Use IBRS on syscall and interrupts"
Next in thread: Greg KH: "Re: [PATCH 1/7] x86/feature: Detect the x86 feature to control Speculation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]