linux/arch/x86
Andi Kleen 6b28baca9b x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation
When PTEs are set to PROT_NONE the kernel just clears the Present bit and
preserves the PFN, which creates attack surface for L1TF speculation
attacks.

This is important inside guests, because L1TF speculation bypasses physical
page remapping. While the host has its own mitigations preventing leaking
data from other VMs into the guest, this would still risk leaking the wrong
page inside the current guest.

This uses the same technique as Linus' swap entry patch: while an entry
is in PROTNONE state, invert the complete PFN part of it. This ensures
that the highest bit will point to non-existing memory.

The invert is done by pte/pmd_modify and pfn/pmd/pud_pte for PROTNONE and
pte/pmd/pud_pfn undo it.

This assumes that no code path touches the PFN part of a PTE directly
without using these primitives.

This doesn't handle the case that MMIO is on the top of the CPU physical
memory. If such an MMIO region was exposed by an unprivileged driver for
mmap it would be possible to attack some real memory.  However this
situation is all rather unlikely.

For 32bit non PAE the inversion is not done because there are really not
enough bits to protect anything.

Q: Why does the guest need to be protected when the hypervisor already has
   L1TF mitigations?

A: Here's an example:

   Physical pages 1 2 get mapped into a guest as
   GPA 1 -> PA 2
   GPA 2 -> PA 1
   through EPT.

   The L1TF speculation ignores the EPT remapping.

   Now the guest kernel maps GPA 1 to process A and GPA 2 to process B, and
   they belong to different users and should be isolated.

   A sets the GPA 1 PA 2 PTE to PROT_NONE to bypass the EPT remapping and
   gets read access to the underlying physical page. Which in this case
   points to PA 2, so it can read process B's data, if it happened to be in
   L1, so isolation inside the guest is broken.

   There's nothing the hypervisor can do about this. This mitigation has to
   be done in the guest itself.

[ tglx: Massaged changelog ]

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Dave Hansen <dave.hansen@intel.com>
2018-06-20 19:10:00 +02:00
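
A user-space model of the PFN inversion the commit message describes, added here as an illustration; it is not the kernel code from this commit. The bit positions (Present = bit 0, PROT_NONE software bit = bit 8, PFN in bits 12..51), the sample PFN and all function names are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Model constants (assumed x86-64 4-level layout, not taken from the page). */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_PROTNONE (1ULL << 8)            /* software bit, meaningful only when !Present */
#define PAGE_SHIFT   12
#define PFN_MASK     0x000ffffffffff000ULL  /* address bits 12..51 */

/* A non-empty entry without Present stores its PFN inverted. */
static int needs_invert(uint64_t pte) { return pte != 0 && !(pte & PTE_PRESENT); }

/* Build an entry; invert the PFN field when the flags leave it non-present. */
uint64_t mk_pte(uint64_t pfn, uint64_t flags)
{
    uint64_t addr = (pfn << PAGE_SHIFT) & PFN_MASK;
    if (!(flags & PTE_PRESENT))
        addr = ~addr & PFN_MASK;
    return addr | (flags & ~PFN_MASK);
}

/* Accessor: undo the inversion so callers always see the real PFN. */
uint64_t pte_pfn(uint64_t pte)
{
    uint64_t addr = pte & PFN_MASK;
    if (needs_invert(pte))
        addr = ~addr & PFN_MASK;
    return addr >> PAGE_SHIFT;
}

/* Change protection bits through the accessor so the PFN is re-encoded. */
uint64_t pte_modify(uint64_t pte, uint64_t newflags)
{
    return mk_pte(pte_pfn(pte), newflags);
}

/* Address bits exactly as stored: what speculation on a non-present entry would use. */
uint64_t stored_pfn_bits(uint64_t pte) { return (pte & PFN_MASK) >> PAGE_SHIFT; }

int main(void)
{
    uint64_t pte  = mk_pte(0x12345, PTE_PRESENT);    /* constructed sample PFN */
    uint64_t none = pte_modify(pte, PTE_PROTNONE);   /* PROT_NONE transition in the model */
    printf("present : stored=%#llx real=%#llx\n",
           (unsigned long long)stored_pfn_bits(pte), (unsigned long long)pte_pfn(pte));
    printf("protnone: stored=%#llx real=%#llx\n",
           (unsigned long long)stored_pfn_bits(none), (unsigned long long)pte_pfn(none));
    return 0;
}
```

In the PROT_NONE state the stored bits have the top PFN bit set, while the accessor still returns the original PFN; any code that reads the PFN field without the accessor would see the inverted value, which is the assumption the commit message calls out.
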
..
boot Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-06-10 09:44:53 -07:00
configs
crypto crypto: x86/salsa20 - remove x86 salsa20 implementations 2018-05-31 00:13:57 +08:00
entry docs: Fix some broken references 2018-06-15 18:10:01 -03:00
events treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
hyperv x86/hyper-v: move struct hv_flush_pcpu{,ex} definitions to common header 2018-05-26 14:14:33 +02:00
ia32 syscalls/x86: auto-create compat_sys_*() prototypes 2018-04-02 20:16:18 +02:00
include x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation 2018-06-20 19:10:00 +02:00
kernel Kbuild: rename CC_STACKPROTECTOR[_STRONG] config variables 2018-06-14 12:21:18 +09:00
kvm KVM: x86: VMX: redo fix for link error without CONFIG_HYPERV 2018-06-14 18:53:14 +02:00
lib libnvdimm for 4.18 2018-06-08 17:21:52 -07:00
math-emu
mm treewide: use PHYS_ADDR_MAX to avoid type casting ULLONG_MAX 2018-06-15 07:55:25 +09:00
net treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
oprofile x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() 2018-02-21 09:54:17 +01:00
pci treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
platform treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
power x86/mm: Stop pretending pgtable_l5_enabled is a variable 2018-05-19 11:56:57 +02:00
purgatory kernel/kexec_file.c: move purgatories sha256 to common code 2018-04-13 17:10:28 -07:00
ras
realmode x86-64/realmode: Add instruction suffix 2018-02-20 09:33:41 +01:00
tools x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 2018-02-22 09:01:10 -08:00
um Kconfig updates for v4.18 2018-06-06 11:31:45 -07:00
video
xen xen: fixes and features for v4-18-rc1 2018-06-08 09:24:54 -07:00
.gitignore x86/build: Add arch/x86/tools/insn_decoder_test to .gitignore 2018-02-13 14:10:29 +01:00
Kbuild
Kconfig Kbuild: rename HAVE_CC_STACKPROTECTOR config variable 2018-06-15 07:15:28 +09:00
Kconfig.cpu Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-03-25 07:36:02 -10:00
Kconfig.debug x86, nfit_test: Add unit test for memcpy_mcsafe() 2018-05-22 23:18:31 -07:00
Makefile kbuild: add machine size to CHECKFLAGS 2018-06-01 11:36:58 +09:00
Makefile_32.cpu
Makefile.um