On Mon, Feb 20, 2023 at 11:52:27AM +0100, Greg KH wrote:
On Mon, Feb 20, 2023 at 11:39:30AM +0100, KP Singh wrote:
With the introduction of KERNEL_IBRS, STIBP is no longer needed to prevent cross thread training in the kernel space. When KERNEL_IBRS was added, it also disabled the user-mode protections for spectre_v2. KERNEL_IBRS does not mitigate cross thread training in the userspace.
In order to demonstrate the issue, one needs to avoid syscalls in the victim as syscalls can shorten the window size due to a user -> kernel -> user transition which sets the IBRS bit when entering kernel space and clearing any training the attacker may have done.
Allow users to select a spectre_v2_user mitigation (STIBP always on, opt-in via prctl) when KERNEL_IBRS is enabled.
Reported-by: José Oliveira joseloliveira11@gmail.com Reported-by: Rodrigo Branco rodrigo@kernelhacking.com Reviewed-by: Alexandra Sandulescu aesa@google.com Reviewed-by: Jim Mattson jmattson@google.com Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS") Cc: stable@vger.kernel.org Signed-off-by: KP Singh kpsingh@kernel.org
arch/x86/kernel/cpu/bugs.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-)
As this is posted publicly, there's no need to send it to security@kernel.org, it doesn't need to be involved.
Also, since this seems intended to be public, please add lkml to Cc on the next revision.