[PATCH v4 00/13] Retpoline: Avoid speculative indirect calls in kernel

From: David Woodhouse
Date: Thu Jan 04 2018 - 21:01:45 EST

Next message: David Woodhouse: "[PATCH v4 04/13] x86/retpoline/ftrace: Convert ftrace assembler indirect jumps"
Previous message: David Woodhouse: "[PATCH v4 01/13] x86/retpoline: Add initial retpoline support"
Next in thread: David Woodhouse: "[PATCH v4 01/13] x86/retpoline: Add initial retpoline support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is a fix for the 'variant 2' attack described in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Using GCC patches available from the gcc-7_2_0-retpoline branch of
http://git.infradead.org/users/dwmw2/gcc-retpoline.git and by manually
patching assembler code, all indirect branches (that occur after userspace
first runs) are eliminated from the kernel.

They are replaced with a 'retpoline' call sequence which deliberately
prevents speculation.

Now that the thunks are exported, we need to fix MODVERSIONS support,
because genksyms can't generate the crc for the symbols. Still working
on that...

v1: Initial post.
v2: Add CONFIG_RETPOLINE to build kernel without it.
Change warning messages.
Hide modpost warning message
v3: Update to the latest CET-capable retpoline version
Reinstate ALTERNATIVE support
v4: Finish reconciling Andi's and my patch sets, bug fixes.
Exclude objtool support for now
Add 'noretpoline' boot option
Add AMD retpoline alternative

Andi Kleen (4):
x86/retpoline/irq32: Convert assembler indirect jumps
retpoline/taint: Taint kernel for missing retpoline in compiler
x86/retpoline: Add boot time option to disable retpoline
x86/retpoline: Exclude objtool with retpoline

David Woodhouse (9):
x86/retpoline: Add initial retpoline support
x86/retpoline/crypto: Convert crypto assembler indirect jumps
x86/retpoline/entry: Convert entry assembler indirect jumps
x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
x86/retpoline/hyperv: Convert assembler indirect jumps
x86/retpoline/xen: Convert Xen hypercall indirect jumps
x86/retpoline/checksum32: Convert assembler indirect jumps
x86/alternatives: Add missing \n at end of ALTERNATIVE inline asm
x86/retpoline: Simplify AMD variant of retpoline thunk

Documentation/admin-guide/kernel-parameters.txt | 3 ++
Documentation/admin-guide/tainted-kernels.rst | 3 ++
arch/x86/Kconfig | 17 +++++++-
arch/x86/Kconfig.debug | 6 +--
arch/x86/Makefile | 10 +++++
arch/x86/crypto/aesni-intel_asm.S | 5 ++-
arch/x86/crypto/camellia-aesni-avx-asm_64.S | 3 +-
arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 3 +-
arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 4 +-
arch/x86/entry/entry_32.S | 5 ++-
arch/x86/entry/entry_64.S | 22 ++++++++--
arch/x86/include/asm/alternative.h | 4 +-
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/mshyperv.h | 18 ++++----
arch/x86/include/asm/nospec-branch.h | 58 +++++++++++++++++++++++++
arch/x86/include/asm/xen/hypercall.h | 5 ++-
arch/x86/kernel/cpu/intel.c | 10 +++++
arch/x86/kernel/ftrace_32.S | 6 ++-
arch/x86/kernel/ftrace_64.S | 8 ++--
arch/x86/kernel/irq_32.c | 9 ++--
arch/x86/kernel/setup.c | 6 +++
arch/x86/lib/Makefile | 1 +
arch/x86/lib/checksum_32.S | 7 +--
arch/x86/lib/retpoline.S | 53 ++++++++++++++++++++++
include/linux/kernel.h | 4 +-
kernel/module.c | 11 ++++-
kernel/panic.c | 1 +
scripts/mod/modpost.c | 9 ++++
28 files changed, 250 insertions(+), 42 deletions(-)
create mode 100644 arch/x86/include/asm/nospec-branch.h
create mode 100644 arch/x86/lib/retpoline.S

--
2.7.4

Next message: David Woodhouse: "[PATCH v4 04/13] x86/retpoline/ftrace: Convert ftrace assembler indirect jumps"
Previous message: David Woodhouse: "[PATCH v4 01/13] x86/retpoline: Add initial retpoline support"
Next in thread: David Woodhouse: "[PATCH v4 01/13] x86/retpoline: Add initial retpoline support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]