forked from ~ljy/RK356X_SDK_RELEASE

blame | history | patch | commit | commitdiff
hc
2023-12-11 d2ccde1c8e90d38cee87a1b0309ad2827f3fd30d 
 kernel/Documentation/admin-guide/hw-vuln/spectre.rst
....@@ -60,8 +60,8 @@
6060 Spectre variant 1 attacks take advantage of speculative execution of
6161 conditional branches, while Spectre variant 2 attacks use speculative
6262 execution of indirect branches to leak privileged memory.
63
-See :ref:`[1] <spec_ref1>` :ref:`[5] <spec_ref5>` :ref:`[7] <spec_ref7>`
64
-:ref:`[10] <spec_ref10>` :ref:`[11] <spec_ref11>`.
63
+See :ref:`[1] <spec_ref1>` :ref:`[5] <spec_ref5>` :ref:`[6] <spec_ref6>`
64
+:ref:`[7] <spec_ref7>` :ref:`[10] <spec_ref10>` :ref:`[11] <spec_ref11>`.
6565 
6666 Spectre variant 1 (Bounds Check Bypass)
6767 ---------------------------------------
....@@ -130,6 +130,19 @@
130130 steer its indirect branch speculations to gadget code, and measure the
131131 speculative execution's side effects left in level 1 cache to infer the
132132 victim's data.
133
+
134
+Yet another variant 2 attack vector is for the attacker to poison the
135
+Branch History Buffer (BHB) to speculatively steer an indirect branch
136
+to a specific Branch Target Buffer (BTB) entry, even if the entry isn't
137
+associated with the source address of the indirect branch. Specifically,
138
+the BHB might be shared across privilege levels even in the presence of
139
+Enhanced IBRS.
140
+
141
+Currently the only known real-world BHB attack vector is via
142
+unprivileged eBPF. Therefore, it's highly recommended to not enable
143
+unprivileged eBPF, especially when eIBRS is used (without retpolines).
144
+For a full mitigation against BHB attacks, it's recommended to use
145
+retpolines (or eIBRS combined with retpolines).
133146 
134147 Attack scenarios
135148 ----------------
....@@ -364,13 +377,15 @@
364377 
365378   - Kernel status:
366379 
367
-  ====================================  =================================
368
-  'Not affected'                        The processor is not vulnerable
369
-  'Vulnerable'                          Vulnerable, no mitigation
370
-  'Mitigation: Full generic retpoline'  Software-focused mitigation
371
-  'Mitigation: Full AMD retpoline'      AMD-specific software mitigation
372
-  'Mitigation: Enhanced IBRS'           Hardware-focused mitigation
373
-  ====================================  =================================
380
+  ========================================  =================================
381
+  'Not affected'                            The processor is not vulnerable
382
+  'Mitigation: None'                        Vulnerable, no mitigation
383
+  'Mitigation: Retpolines'                  Use Retpoline thunks
384
+  'Mitigation: LFENCE'                      Use LFENCE instructions
385
+  'Mitigation: Enhanced IBRS'               Hardware-focused mitigation
386
+  'Mitigation: Enhanced IBRS + Retpolines'  Hardware-focused + Retpolines
387
+  'Mitigation: Enhanced IBRS + LFENCE'      Hardware-focused + LFENCE
388
+  ========================================  =================================
374389 
375390   - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
376391     used to protect against Spectre variant 2 attacks when calling firmware (x86 only).
....@@ -406,6 +421,14 @@
406421   =============   ===========================================
407422   'RSB filling'   Protection of RSB on context switch enabled
408423   =============   ===========================================
424
+
425
+  - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
426
+
427
+  ===========================  =======================================================
428
+  'PBRSB-eIBRS: SW sequence'   CPU is affected and protection of RSB on VMEXIT enabled
429
+  'PBRSB-eIBRS: Vulnerable'    CPU is vulnerable
430
+  'PBRSB-eIBRS: Not affected'  CPU is not affected by PBRSB
431
+  ===========================  =======================================================
409432 
410433 Full mitigation might require a microcode update from the CPU
411434 vendor. When the necessary microcode is not available, the kernel will
....@@ -584,12 +607,13 @@
584607 
585608 		Specific mitigations can also be selected manually:
586609 
587
-		retpoline
588
-					replace indirect branches
589
-		retpoline,generic
590
-					google's original retpoline
591
-		retpoline,amd
592
-					AMD-specific minimal thunk
610
+                retpoline               auto pick between generic,lfence
611
+                retpoline,generic       Retpolines
612
+                retpoline,lfence        LFENCE; indirect branch
613
+                retpoline,amd           alias for retpoline,lfence
614
+                eibrs                   enhanced IBRS
615
+                eibrs,retpoline         enhanced IBRS + Retpolines
616
+                eibrs,lfence            enhanced IBRS + LFENCE
593617 
594618 		Not specifying this option is equivalent to
595619 		spectre_v2=auto.
....@@ -730,7 +754,7 @@
730754 
731755 .. _spec_ref6:
732756 
733
-[6] `Software techniques for managing speculation on AMD processors <https://developer.amd.com/wp-content/resources/90343-B_SoftwareTechniquesforManagingSpeculation_WP_7-18Update_FNL.pdf>`_.
757
+[6] `Software techniques for managing speculation on AMD processors <https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf>`_.
734758 
735759 ARM white papers:
736760