a0f7ab8a6a
cherry-pick from upstream 4.14
55 lines
2.0 KiB
Diff
55 lines
2.0 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Tom Lendacky <thomas.lendacky@amd.com>
|
|
Date: Tue, 26 Dec 2017 23:43:54 -0600
|
|
Subject: [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
CVE-2017-5754
|
|
|
|
AMD processors are not subject to the types of attacks that the kernel
|
|
page table isolation feature protects against. The AMD microarchitecture
|
|
does not allow memory references, including speculative references, that
|
|
access higher privileged data when running in a lesser privileged mode
|
|
when that access would result in a page fault.
|
|
|
|
Disable page table isolation by default on AMD processors by not setting
|
|
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
|
|
is set.
|
|
|
|
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
|
|
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
Reviewed-by: Borislav Petkov <bp@suse.de>
|
|
Cc: Dave Hansen <dave.hansen@linux.intel.com>
|
|
Cc: Andy Lutomirski <luto@kernel.org>
|
|
Cc: stable@vger.kernel.org
|
|
Link: https://lkml.kernel.org/r/20171227054354.20369.94587.stgit@tlendack-t1.amdoffice.net
|
|
|
|
(cherry picked from commit 694d99d40972f12e59a3696effee8a376b79d7c8)
|
|
Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
|
|
(cherry picked from commit 9d334f48f017b9c6457c6ba321e5a53a1cc6a5c7)
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
---
|
|
arch/x86/kernel/cpu/common.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
|
|
index 99f37d1636ff..1854dd8071a6 100644
|
|
--- a/arch/x86/kernel/cpu/common.c
|
|
+++ b/arch/x86/kernel/cpu/common.c
|
|
@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
|
|
|
|
setup_force_cpu_cap(X86_FEATURE_ALWAYS);
|
|
|
|
- /* Assume for now that ALL x86 CPUs are insecure */
|
|
- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
|
|
+ if (c->x86_vendor != X86_VENDOR_AMD)
|
|
+ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
|
|
|
|
fpu__init_system(c);
|
|
}
|
|
--
|
|
2.14.2
|
|
|