[PATCH 0/6] s390: improve speculative execution handling v3

From: Martin Schwidefsky
Date: Wed Feb 07 2018 - 02:00:33 EST


Version 3 of the speculative execution improvements for s390.

Changes to v2:

* Dropped the prctl to introduce the PR_ISOLATE_BP control and simply
added two exported functions s390_isolate_bp and s390_isolate_bp_guest.
There is currently no caller for these functions, for now an out-of-tree
module can be used until an acceptable upstream solution for the user
space interface is found.

* Added an optimized version for the array_index_mask_nospec
function based on subtract with borrow for the spectre v1 defense.

* Introduce "expoline", the s390 version of a retpoline. As s390 does
not have a return instruction and the associated return stack we use
an execute-type instruction on an indirect branch to get unpredictable
branches. This requires gcc support for -mindirect-branch=thunk /
-mfunction-return=thunk. To be able to disable expolines there is
another gcc option -mindirect-branch-table to keep a list of PC relative
locations of calls to the execute thunks. With spectre_v2=off the call
will be replaced with the original indirect branch and a nop.

Martin Schwidefsky (6):
s390: scrub registers on kernel entry and KVM exit
s390: add optimized array_index_mask_nospec
s390/alternative: use a copy of the facility bit mask
s390: add options to change branch prediction behaviour for the kernel
s390: run user space and KVM guests with modified branch prediction
s390: introduce execute-trampolines for branches

arch/s390/Kconfig | 45 ++++++
arch/s390/Makefile | 12 ++
arch/s390/include/asm/barrier.h | 24 ++++
arch/s390/include/asm/facility.h | 18 +++
arch/s390/include/asm/lowcore.h | 9 +-
arch/s390/include/asm/nospec-branch.h | 18 +++
arch/s390/include/asm/processor.h | 4 +
arch/s390/include/asm/thread_info.h | 4 +
arch/s390/kernel/Makefile | 4 +
arch/s390/kernel/alternative.c | 26 +++-
arch/s390/kernel/early.c | 5 +
arch/s390/kernel/entry.S | 249 ++++++++++++++++++++++++++++++----
arch/s390/kernel/ipl.c | 1 +
arch/s390/kernel/module.c | 62 +++++++--
arch/s390/kernel/nospec-branch.c | 100 ++++++++++++++
arch/s390/kernel/processor.c | 18 +++
arch/s390/kernel/setup.c | 8 +-
arch/s390/kernel/smp.c | 7 +-
arch/s390/kernel/vmlinux.lds.S | 14 ++
drivers/s390/char/Makefile | 2 +
20 files changed, 591 insertions(+), 39 deletions(-)
create mode 100644 arch/s390/include/asm/nospec-branch.h
create mode 100644 arch/s390/kernel/nospec-branch.c

--
2.7.4
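
The subtract-with-borrow idea behind the array_index_mask_nospec item in the changelog above, as an added example in portable C; it is not part of the original mail and is not the patch's s390 implementation, which this page does not show. The names borrow_out, index_mask_nospec, load_checked and sample_table are hypothetical, and the table contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Borrow-out of the 64-bit subtraction a - b, derived from bit logic
 * instead of a comparison: 1 when a < b (unsigned), otherwise 0. */
static uint64_t borrow_out(uint64_t a, uint64_t b)
{
	return ((~a & b) | ((~a | b) & (a - b))) >> 63;
}

/* All ones when index < size, zero otherwise. Same contract as the
 * kernel's array_index_mask_nospec(); the body here is illustrative.
 * C does not guarantee the compiler keeps this branch-free, so the
 * generated code has to be inspected on the target. */
static uint64_t index_mask_nospec(uint64_t index, uint64_t size)
{
	return (uint64_t)0 - borrow_out(index, size);
}

/* Hypothetical caller: the architectural bounds check stays, and the
 * mask forces the index to 0 if the check was speculatively bypassed,
 * so no out-of-bounds address is formed (Spectre v1 defense). */
static int load_checked(const uint8_t *table, uint64_t size, uint64_t idx)
{
	if (idx >= size)
		return -1;
	idx &= index_mask_nospec(idx, size);
	return table[idx];
}

/* Constructed sample data. */
static const uint8_t sample_table[4] = { 10, 20, 30, 40 };

int main(void)
{
	/* In-bounds read succeeds, out-of-bounds read is rejected. */
	if (load_checked(sample_table, 4, 2) != 30)
		return 1;
	if (load_checked(sample_table, 4, 4) != -1)
		return 1;
	return 0;
}
```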