    x86/cpu: Clean up SRSO return thunk mess · d43490d0
    Peter Zijlstra authored
    Use the existing configurable return thunk. There is absolutely no
    justification for having created this __x86_return_thunk alternative.
    
    To clarify, the whole thing looks like:
    
    Zen3/4 does:
    
      srso_alias_untrain_ret:
    	  nop2
    	  lfence
    	  jmp srso_alias_return_thunk
    	  int3
    
      srso_alias_safe_ret: // aliases srso_alias_untrain_ret just so
    	  add $8, %rsp
    	  ret
    	  int3
    
      srso_alias_return_thunk:
    	  call srso_alias_safe_ret
    	  ud2
    
    While Zen1/2 does:
    
      srso_untrain_ret:
    	  movabs $foo, %rax
    	  lfence
    	  call srso_safe_ret           (jmp srso_return_thunk ?)
    	  int3
    
      srso_safe_ret: // embedded in movabs instruction
    	  add $8,%rsp
    	  ret
    	  int3
    
      srso_return_thunk:
    	  call srso_safe_ret
    	  ud2
    
    While retbleed does:
    
      zen_untrain_ret:
    	  test $0xcc, %bl
    	  lfence
    	  jmp zen_return_thunk
    	  int3
    
      zen_return_thunk: // embedded in the test instruction
    	  ret
    	  int3
    
    Where Zen1/2 flush the BTB entry using the instruction decoder trick
    (test, movabs), Zen3/4 use BTB aliasing. SRSO adds a return sequence
    (srso_safe_ret()) which forces the function return instruction to
    speculate into a trap (UD2).  This RET will then mispredict and
    execution will continue at the return site read from the top of the
    stack.
    
    Pick one of three options at boot (every function can only ever return
    once).
    
      [ bp: Fixup commit message uarch details and add them in a comment in
        the code too. Add a comment about the srso_select_mitigation()
        dependency on retbleed_select_mitigation(). Add moar ifdeffery for
        32-bit builds. Add a dummy srso_untrain_ret_alias() definition for
        32-bit alternatives needing the symbol. ]
    
    Fixes: fb3bd914 ("x86/srso: Add a Speculative RAS Overflow mitigation")
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Link: https://lore.kernel.org/r/20230814121148.842775684@infradead.org