forked from ~ljy/RK356X_SDK_RELEASE

blame | history | patch | commit | commitdiff
hc
2024-05-14 bedbef8ad3e75a304af6361af235302bcc61d06b 
 kernel/Documentation/admin-guide/hw-vuln/spectre.rst
....@@ -60,8 +60,8 @@
6060 Spectre variant 1 attacks take advantage of speculative execution of
6161 conditional branches, while Spectre variant 2 attacks use speculative
6262 execution of indirect branches to leak privileged memory.
63
-See :ref:`[1] <spec_ref1>` :ref:`[5] <spec_ref5>` :ref:`[7] <spec_ref7>`
64
-:ref:`[10] <spec_ref10>` :ref:`[11] <spec_ref11>`.
63
+See :ref:`[1] <spec_ref1>` :ref:`[5] <spec_ref5>` :ref:`[6] <spec_ref6>`
64
+:ref:`[7] <spec_ref7>` :ref:`[10] <spec_ref10>` :ref:`[11] <spec_ref11>`.
6565 
6666 Spectre variant 1 (Bounds Check Bypass)
6767 ---------------------------------------
....@@ -130,6 +130,19 @@
130130 steer its indirect branch speculations to gadget code, and measure the
131131 speculative execution's side effects left in level 1 cache to infer the
132132 victim's data.
133
+
134
+Yet another variant 2 attack vector is for the attacker to poison the
135
+Branch History Buffer (BHB) to speculatively steer an indirect branch
136
+to a specific Branch Target Buffer (BTB) entry, even if the entry isn't
137
+associated with the source address of the indirect branch. Specifically,
138
+the BHB might be shared across privilege levels even in the presence of
139
+Enhanced IBRS.
140
+
141
+Currently the only known real-world BHB attack vector is via
142
+unprivileged eBPF. Therefore, it's highly recommended to not enable
143
+unprivileged eBPF, especially when eIBRS is used (without retpolines).
144
+For a full mitigation against BHB attacks, it's recommended to use
145
+retpolines (or eIBRS combined with retpolines).
133146 
134147 Attack scenarios
135148 ----------------
....@@ -364,13 +377,15 @@
364377 
365378   - Kernel status:
366379 
367
-  ====================================  =================================
368
-  'Not affected'                        The processor is not vulnerable
369
-  'Vulnerable'                          Vulnerable, no mitigation
370
-  'Mitigation: Full generic retpoline'  Software-focused mitigation
371
-  'Mitigation: Full AMD retpoline'      AMD-specific software mitigation
372
-  'Mitigation: Enhanced IBRS'           Hardware-focused mitigation
373
-  ====================================  =================================
380
+  ========================================  =================================
381
+  'Not affected'                            The processor is not vulnerable
382
+  'Mitigation: None'                        Vulnerable, no mitigation
383
+  'Mitigation: Retpolines'                  Use Retpoline thunks
384
+  'Mitigation: LFENCE'                      Use LFENCE instructions
385
+  'Mitigation: Enhanced IBRS'               Hardware-focused mitigation
386
+  'Mitigation: Enhanced IBRS + Retpolines'  Hardware-focused + Retpolines
387
+  'Mitigation: Enhanced IBRS + LFENCE'      Hardware-focused + LFENCE
388
+  ========================================  =================================
374389 
375390   - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
376391     used to protect against Spectre variant 2 attacks when calling firmware (x86 only).
....@@ -406,6 +421,14 @@
406421   =============   ===========================================
407422   'RSB filling'   Protection of RSB on context switch enabled
408423   =============   ===========================================
424
+
425
+  - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
426
+
427
+  ===========================  =======================================================
428
+  'PBRSB-eIBRS: SW sequence'   CPU is affected and protection of RSB on VMEXIT enabled
429
+  'PBRSB-eIBRS: Vulnerable'    CPU is vulnerable
430
+  'PBRSB-eIBRS: Not affected'  CPU is not affected by PBRSB
431
+  ===========================  =======================================================
409432 
410433 Full mitigation might require a microcode update from the CPU
411434 vendor. When the necessary microcode is not available, the kernel will
....@@ -456,8 +479,16 @@
456479    On Intel Skylake-era systems the mitigation covers most, but not all,
457480    cases. See :ref:`[3] <spec_ref3>` for more details.
458481 
459
-   On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced
460
-   IBRS on x86), retpoline is automatically disabled at run time.
482
+   On CPUs with hardware mitigation for Spectre variant 2 (e.g. IBRS
483
+   or enhanced IBRS on x86), retpoline is automatically disabled at run time.
484
+
485
+   Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at
486
+   boot, by setting the IBRS bit, and they're automatically protected against
487
+   Spectre v2 variant attacks, including cross-thread branch target injections
488
+   on SMT systems (STIBP). In other words, eIBRS enables STIBP too.
489
+
490
+   Legacy IBRS systems clear the IBRS bit on exit to userspace and
491
+   therefore explicitly enable STIBP for that
461492 
462493    The retpoline mitigation is turned on by default on vulnerable
463494    CPUs. It can be forced on or off by the administrator
....@@ -481,9 +512,12 @@
481512    For Spectre variant 2 mitigation, individual user programs
482513    can be compiled with return trampolines for indirect branches.
483514    This protects them from consuming poisoned entries in the branch
484
-   target buffer left by malicious software.  Alternatively, the
485
-   programs can disable their indirect branch speculation via prctl()
486
-   (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
515
+   target buffer left by malicious software.
516
+
517
+   On legacy IBRS systems, at return to userspace, implicit STIBP is disabled
518
+   because the kernel clears the IBRS bit. In this case, the userspace programs
519
+   can disable indirect branch speculation via prctl() (See
520
+   :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
487521    On x86, this will turn on STIBP to guard against attacks from the
488522    sibling thread when the user program is running, and use IBPB to
489523    flush the branch target buffer when switching to/from the program.
....@@ -584,12 +618,13 @@
584618 
585619 		Specific mitigations can also be selected manually:
586620 
587
-		retpoline
588
-					replace indirect branches
589
-		retpoline,generic
590
-					google's original retpoline
591
-		retpoline,amd
592
-					AMD-specific minimal thunk
621
+                retpoline               auto pick between generic,lfence
622
+                retpoline,generic       Retpolines
623
+                retpoline,lfence        LFENCE; indirect branch
624
+                retpoline,amd           alias for retpoline,lfence
625
+                eibrs                   enhanced IBRS
626
+                eibrs,retpoline         enhanced IBRS + Retpolines
627
+                eibrs,lfence            enhanced IBRS + LFENCE
593628 
594629 		Not specifying this option is equivalent to
595630 		spectre_v2=auto.
....@@ -730,7 +765,7 @@
730765 
731766 .. _spec_ref6:
732767 
733
-[6] `Software techniques for managing speculation on AMD processors <https://developer.amd.com/wp-content/resources/90343-B_SoftwareTechniquesforManagingSpeculation_WP_7-18Update_FNL.pdf>`_.
768
+[6] `Software techniques for managing speculation on AMD processors <https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf>`_.
734769 
735770 ARM white papers:
736771