From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Date: Wed, 12 Jul 2023 19:43:13 -0700
Subject: [PATCH] x86/speculation: Add Kconfig option for GDS
Gather Data Sampling (GDS) is mitigated in microcode. However, on
systems that haven't received the updated microcode, disabling AVX
can act as a mitigation. Add a Kconfig option that uses the microcode
mitigation if available and disables AVX otherwise. Setting this
option has no effect on systems not affected by GDS. This is the
equivalent of setting gather_data_sampling=force.
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
(cherry picked from commit 53cf5797f114ba2bd86d23a862302119848eff19)
CVE-2022-40982
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
(cherry picked from commit 92bd969bbe475c5bca376d007ed6558085b237ba)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
arch/x86/Kconfig | 19 +++++++++++++++++++
arch/x86/kernel/cpu/bugs.c | 4 ++++
2 files changed, 23 insertions(+)
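--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2640,6 +2640,25 @@ config SLS
 against straight line speculation. The kernel image might be slightly
 larger.
 
+config GDS_FORCE_MITIGATION
+ bool "Force GDS Mitigation"
+ depends on CPU_SUP_INTEL
+ default n
+ help
+ Gather Data Sampling (GDS) is a hardware vulnerability which allows
+ unprivileged speculative access to data which was previously stored in
+ vector registers.
+
+ This option is equivalent to setting gather_data_sampling=force on the
+ command line. The microcode mitigation is used if present, otherwise
+ AVX is disabled as a mitigation. On affected systems that are missing
+ the microcode any userspace code that unconditionally uses AVX will
+ break with this option set.
+
+ Setting this option on systems not vulnerable to GDS has no effect.
+
+ If in doubt, say N.
+
 endif
 
 config ARCH_HAS_ADD_PAGES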
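Review bot: The `default n` line under `config GDS_FORCE_MITIGATION` is redundant, because a Kconfig bool with no default already defaults to n, and dropping it keeps the entry consistent with the neighbouring options in this file. The help text explains the user-visible cost well (AVX disabled on affected hardware without the microcode update), which is the right information for someone enabling a forced mitigation. Since the option is described as equivalent to a command-line value, it would also help to state how it interacts with an explicit gather_data_sampling= argument; whether the command line overrides this build-time default is not visible in this hunk and should be confirmed against the parser in bugs.c before such a sentence is added.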
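--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -658,7 +658,11 @@ enum gds_mitigations {
 GDS_MITIGATION_HYPERVISOR,
 };
 
+#if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)
+static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE;
+#else
 static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
+#endif
 
 static const char * const gds_strings[] = {
 [GDS_MITIGATION_OFF] = "Vulnerable",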
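Review bot: Repeating the entire `gds_mitigation` declaration in both arms of the `#if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)` block means any later change to its type or `__ro_after_init` attribute has to be made twice; since the condition is already an `IS_ENABLED()` expression, a single declaration with a conditional initializer is the usual form here: `static enum gds_mitigations gds_mitigation __ro_after_init =` / `	IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION) ? GDS_MITIGATION_FORCE : GDS_MITIGATION_FULL;`. A one-line comment above it would also save the next reader a trip to Kconfig, e.g. `/* Build-time default; the gather_data_sampling= command-line option is expected to take precedence */`, with the precedence claim confirmed against the parser, which is outside this hunk. `GDS_MITIGATION_FORCE` is not shown in the hunk and is assumed to be one of the enumerators declared above `GDS_MITIGATION_HYPERVISOR`.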