• Sai Praneeth's avatar
    x86/speculation: Support Enhanced IBRS on future CPUs · 706d5168
    Sai Praneeth authored
    Future Intel processors will support "Enhanced IBRS" which is an "always
    on" mode i.e. IBRS bit in SPEC_CTRL MSR is enabled once and never
    disabled.
    
    From the specification [1]:
    
     "With enhanced IBRS, the predicted targets of indirect branches
      executed cannot be controlled by software that was executed in a less
      privileged predictor mode or on another logical processor. As a
      result, software operating on a processor with enhanced IBRS need not
      use WRMSR to set IA32_SPEC_CTRL.IBRS after every transition to a more
      privileged predictor mode. Software can isolate predictor modes
      effectively simply by setting the bit once. Software need not disable
      enhanced IBRS prior to entering a sleep state such as MWAIT or HLT."
    
    If Enhanced IBRS is supported by the processor then use it as the
    preferred spectre v2 mitigation mechanism instead of Retpoline. Intel's
    Retpoline white paper [2] states:
    
     "Retpoline is known to be an effective branch target injection (Spectre
      variant 2) mitigation on Intel processors belonging to family 6
      (enumerated by the CPUID instruction) that do not have support for
      enhanced IBRS. On processors that support enhanced IBRS, it should be
      used for mitigation instead of retpoline."
    
    The reason why Enhanced IBRS is the recommended mitigation on processors
    which support it is that these processors also support CET which
    provides a defense against ROP attacks. Retpoline is very similar to ROP
    techniques and might trigger false positives in the CET defense.
    
    If Enhanced IBRS is selected as the mitigation technique for spectre v2,
    the IBRS bit in SPEC_CTRL MSR is set once at boot time and never
    cleared. Kernel also has to make sure that IBRS bit remains set after
    VMEXIT because the guest might have cleared the bit. This is already
    covered by the existing x86_spec_ctrl_set_guest() and
    x86_spec_ctrl_restore_host() speculation control functions.
    
    Enhanced IBRS still requires IBPB for full mitigation.
    
    [1] Speculative-Execution-Side-Channel-Mitigations.pdf
    [2] Retpoline-A-Branch-Target-Injection-Mitigation.pdf
    Both documents are available at:
    https://bugzilla.kernel.org/show_bug.cgi?id=199511Originally-by: default avatarDavid Woodhouse <dwmw@amazon.co.uk>
    Signed-off-by: default avatarSai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Cc: Tim C Chen <tim.c.chen@intel.com>
    Cc: Dave Hansen <dave.hansen@intel.com>
    Cc: Ravi Shankar <ravi.v.shankar@intel.com>
    Link: https://lkml.kernel.org/r/1533148945-24095-1-git-send-email-sai.praneeth.prakhya@intel.com
    706d5168
bugs.c 19.8 KB