Re: [tip: x86/urgent] x86/bugs: Add asm helpers for executing VERW

From: Nikolay Borisov
Date: Mon Feb 26 2024 - 17:20:16 EST




On 27.02.24 at 0:10, Pawan Gupta wrote:
On Mon, Feb 26, 2024 at 09:17:30AM +0200, Nikolay Borisov wrote:
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 262e655..077083e 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -315,6 +315,17 @@
#endif
.endm
+/*
+ * Macro to execute VERW instruction that mitigate transient data sampling
+ * attacks such as MDS. On affected systems a microcode update overloaded VERW
+ * instruction to also clear the CPU buffers. VERW clobbers CFLAGS.ZF.
+ *
+ * Note: Only the memory operand variant of VERW clears the CPU buffers.
+ */
+.macro CLEAR_CPU_BUFFERS
+ ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF
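Review bot: the comment above .macro CLEAR_CPU_BUFFERS should say that the ALTERNATIVE replacement uses a RIP-relative operand (verw _ASM_RIP(mds_verw_sel)) and therefore depends on the alternatives framework relocating the disp32 when the replacement bytes are copied into each patch site; a kernel whose alternatives code lacks that relocation support will silently compute the wrong address, so a line such as " * The RIP-relative operand relies on relocation support in alternatives." would warn anyone backporting. Minor wording in the same comment: "that mitigate transient data sampling" should be "that mitigates", and "a microcode update overloaded VERW instruction" should be "overloaded the VERW instruction".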

Any particular reason why this uses RIP-relative vs an absolute address
mode?

Early versions of the series had the VERW arg pointing to the macro
itself, that is why relative addressing was used. That got changed in a
later version with all VERW sites pointing to a single memory location.

I know in our private exchange you said there is no significance, but,
for example, older kernels are missing relocation support in alternatives.
This of course can be worked around by slightly changing the logic of the
macro which means different kernels will have slightly different macros.

Do you anticipate a problem with that? If yes, I can send a patch to use
fixed addressing in upstream as well.

I experienced crashes on older kernels before realizing that the relocation wasn't resolved correctly by the alternative framework. Instead I simply changed the macro to jmp 1f, where the next instruction is the verw (I did send a backport for 5.4), and it works. Recently there's been a push to make as much of the kernel assembly as possible PIC, so having rip-relative addressing helps. Whether that makes any material difference - I cannot say.

Here's my backport version for reference:

https://lore.kernel.org/stable/20240226122237.198921-3-nik.borisov@xxxxxxxx/
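As an added illustration of the relocation problem discussed above (this is not code from the thread or from the kernel), the disp32 fixup that a RIP-relative replacement instruction needs when it is copied from where it was assembled to the patch site; the instruction bytes and addresses are constructed, and the function names are my own:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: verw m16 is 0F 00 /5; with ModRM 0x2D the operand is
 * [rip + disp32], so the whole instruction is 7 bytes, disp32 at offset 3. */
#define VERW_RIPREL_LEN 7
#define VERW_DISP_OFF   3

/* Address the CPU uses for a RIP-relative operand: the address of the *next*
 * instruction plus the signed 32-bit displacement. */
static uint64_t riprel_target(const uint8_t *insn, size_t len, size_t disp_off,
                              uint64_t insn_addr)
{
    int32_t disp;
    memcpy(&disp, insn + disp_off, sizeof(disp));
    return insn_addr + len + (int64_t)disp;
}

/* Copy replacement bytes assembled at src_addr into the patch site at dst_addr
 * and re-aim the disp32 at the original target. Returns -1 if the adjusted
 * displacement no longer fits in rel32. Skipping this step is exactly what a
 * framework without relocation support does, and the operand then points
 * (dst_addr - src_addr) bytes away from mds_verw_sel. */
static int relocate_riprel(uint8_t *dst, const uint8_t *src, size_t len,
                           size_t disp_off, uint64_t src_addr, uint64_t dst_addr)
{
    int32_t disp;
    int64_t delta;
    memcpy(dst, src, len);
    memcpy(&disp, src + disp_off, sizeof(disp));
    delta = (int64_t)disp + (int64_t)(src_addr - dst_addr);
    if (delta > INT32_MAX || delta < INT32_MIN)
        return -1;
    disp = (int32_t)delta;
    memcpy(dst + disp_off, &disp, sizeof(disp));
    return 0;
}

/* Constructed scenario: replacement assembled at 0xffff0000 with disp32 0x1000
 * (target 0xffff1007), then patched into a site at 0xffff8000. Returns 1 when
 * the fixed-up copy still reaches the target and the naive byte copy does not. */
static int demo_fixup_preserves_target(void)
{
    const uint64_t src_addr = 0xffff0000ULL, dst_addr = 0xffff8000ULL;
    const uint8_t src[VERW_RIPREL_LEN] = { 0x0f, 0x00, 0x2d, 0x00, 0x10, 0x00, 0x00 };
    uint8_t naive[VERW_RIPREL_LEN], fixed[VERW_RIPREL_LEN];
    uint64_t target = riprel_target(src, VERW_RIPREL_LEN, VERW_DISP_OFF, src_addr);

    memcpy(naive, src, VERW_RIPREL_LEN);
    if (relocate_riprel(fixed, src, VERW_RIPREL_LEN, VERW_DISP_OFF, src_addr, dst_addr))
        return 0;
    return riprel_target(fixed, VERW_RIPREL_LEN, VERW_DISP_OFF, dst_addr) == target &&
           riprel_target(naive, VERW_RIPREL_LEN, VERW_DISP_OFF, dst_addr) != target;
}
```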