projects / linux-2.6-microblaze.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8aacd1e) | patch
x86/mm: Prepare for opt-in based L1D flush in switch_mm()
authorBalbir Singh <sblbir@amazon.com>
Mon, 26 Apr 2021 19:42:30 +0000 (21:42 +0200)
committerThomas Gleixner <tglx@linutronix.de>
Wed, 28 Jul 2021 09:42:24 +0000 (11:42 +0200)
commitb5f06f64e269f9820cd5ad9e9a98afa6c8914b7a
tree63d847b668f00700b31c9a876ff899a54c18d6cbtree | snapshot
parent8aacd1eab53ec853c2d29cdc9b64e9dc87d2a519commit | diff
x86/mm: Prepare for opt-in based L1D flush in switch_mm()

The goal of this is to allow tasks that want to protect sensitive
information, against e.g. the recently found snoop assisted data sampling
vulnerabilites, to flush their L1D on being switched out.  This protects
their data from being snooped or leaked via side channels after the task
has context switched out.

This could also be used to wipe L1D when an untrusted task is switched in,
but that's not a really well defined scenario while the opt-in variant is
clearly defined.

The mechanism is default disabled and can be enabled on the kernel command
line.

Prepare for the actual prctl based opt-in:

  1) Provide the necessary setup functionality similar to the other
     mitigations and enable the static branch when the command line option
     is set and the CPU provides support for hardware assisted L1D
     flushing. Software based L1D flush is not supported because it's CPU
     model specific and not really well defined.

     This does not come with a sysfs file like the other mitigations
     because it is not bound to any specific vulnerability.

     Support has to be queried via the prctl(2) interface.

  2) Add TIF_SPEC_L1D_FLUSH next to L1D_SPEC_IB so the two bits can be
     mangled into the mm pointer in one go which allows to reuse the
     existing mechanism in switch_mm() for the conditional IBPB speculation
     barrier efficiently.

  3) Add the L1D flush specific functionality which flushes L1D when the
     outgoing task opted in.

     Also check whether the incoming task has requested L1D flush and if so
     validate that it is not accidentaly running on an SMT sibling as this
     makes the whole excercise moot because SMT siblings share L1D which
     opens tons of other attack vectors. If that happens schedule task work
     which signals the incoming task on return to user/guest with SIGBUS as
     this is part of the paranoid L1D flush contract.

Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Balbir Singh <sblbir@amazon.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20210108121056.21940-1-sblbir@amazon.com
arch/x86/Kconfig diff | blob | history
arch/x86/include/asm/nospec-branch.h diff | blob | history
arch/x86/include/asm/thread_info.h diff | blob | history
arch/x86/kernel/cpu/bugs.c diff | blob | history
arch/x86/mm/tlb.c diff | blob | history
MicroBlaze GIT Repository