x86/retpoline: Add initial retpoline support
Enable the use of -mindirect-branch=thunk-extern in newer GCC, and provide
the corresponding thunks. Provide assembler macros for invoking the thunks
in the same way that GCC does, from native and inline assembler.
This adds X86_FEATURE_RETPOLINE and sets it by default on all CPUs. In
some circumstances, IBRS microcode features may be used instead, and the
retpoline can be disabled.
On AMD CPUs if lfence is serialising, the retpoline can be dramatically
simplified to a simple "lfence; jmp *\reg". A future patch, after it has
been verified that lfence really is serialising in all circumstances, can
enable this by setting the X86_FEATURE_RETPOLINE_AMD feature bit in addition
to X86_FEATURE_RETPOLINE.
Do not align the retpoline in the altinstr section, because there is no
guarantee that it stays aligned when it's copied over the oldinstr during
alternative patching.
[ Andi Kleen: Rename the macros, add CONFIG_RETPOLINE option, export thunks]
[ tglx: Put actual function CALL/JMP in front of the macros, convert to
symbolic labels ]
[ dwmw2: Convert back to numeric labels, merge objtool fixes ]
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: Rik van Riel <riel@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: thomas.lendacky@amd.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Kees Cook <keescook@google.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
Cc: Paul Turner <pjt@google.com>
Link: https://lkml.kernel.org/r/1515707194-20531-4-git-send-email-dwmw@amazon.co.uk
2018-01-12 05:46:25 +08:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
|
|
|
|
|
|
|
#include <linux/stringify.h>
|
|
|
|
#include <linux/linkage.h>
|
|
|
|
#include <asm/dwarf2.h>
|
|
|
|
#include <asm/cpufeatures.h>
|
|
|
|
#include <asm/alternative-asm.h>
|
|
|
|
#include <asm/export.h>
|
|
|
|
#include <asm/nospec-branch.h>
|
2018-01-28 00:24:33 +08:00
|
|
|
#include <asm/bitsperlong.h>
|
x86/retpoline: Add initial retpoline support
Enable the use of -mindirect-branch=thunk-extern in newer GCC, and provide
the corresponding thunks. Provide assembler macros for invoking the thunks
in the same way that GCC does, from native and inline assembler.
This adds X86_FEATURE_RETPOLINE and sets it by default on all CPUs. In
some circumstances, IBRS microcode features may be used instead, and the
retpoline can be disabled.
On AMD CPUs if lfence is serialising, the retpoline can be dramatically
simplified to a simple "lfence; jmp *\reg". A future patch, after it has
been verified that lfence really is serialising in all circumstances, can
enable this by setting the X86_FEATURE_RETPOLINE_AMD feature bit in addition
to X86_FEATURE_RETPOLINE.
Do not align the retpoline in the altinstr section, because there is no
guarantee that it stays aligned when it's copied over the oldinstr during
alternative patching.
[ Andi Kleen: Rename the macros, add CONFIG_RETPOLINE option, export thunks]
[ tglx: Put actual function CALL/JMP in front of the macros, convert to
symbolic labels ]
[ dwmw2: Convert back to numeric labels, merge objtool fixes ]
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: Rik van Riel <riel@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: thomas.lendacky@amd.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Kees Cook <keescook@google.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
Cc: Paul Turner <pjt@google.com>
Link: https://lkml.kernel.org/r/1515707194-20531-4-git-send-email-dwmw@amazon.co.uk
2018-01-12 05:46:25 +08:00
|
|
|
|
|
|
|
.macro THUNK reg
|
2018-01-19 00:14:21 +08:00
|
|
|
.section .text.__x86.indirect_thunk
|
x86/retpoline: Add initial retpoline support
Enable the use of -mindirect-branch=thunk-extern in newer GCC, and provide
the corresponding thunks. Provide assembler macros for invoking the thunks
in the same way that GCC does, from native and inline assembler.
This adds X86_FEATURE_RETPOLINE and sets it by default on all CPUs. In
some circumstances, IBRS microcode features may be used instead, and the
retpoline can be disabled.
On AMD CPUs if lfence is serialising, the retpoline can be dramatically
simplified to a simple "lfence; jmp *\reg". A future patch, after it has
been verified that lfence really is serialising in all circumstances, can
enable this by setting the X86_FEATURE_RETPOLINE_AMD feature bit in addition
to X86_FEATURE_RETPOLINE.
Do not align the retpoline in the altinstr section, because there is no
guarantee that it stays aligned when it's copied over the oldinstr during
alternative patching.
[ Andi Kleen: Rename the macros, add CONFIG_RETPOLINE option, export thunks]
[ tglx: Put actual function CALL/JMP in front of the macros, convert to
symbolic labels ]
[ dwmw2: Convert back to numeric labels, merge objtool fixes ]
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: Rik van Riel <riel@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: thomas.lendacky@amd.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Kees Cook <keescook@google.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
Cc: Paul Turner <pjt@google.com>
Link: https://lkml.kernel.org/r/1515707194-20531-4-git-send-email-dwmw@amazon.co.uk
2018-01-12 05:46:25 +08:00
|
|
|
|
|
|
|
ENTRY(__x86_indirect_thunk_\reg)
|
|
|
|
CFI_STARTPROC
|
|
|
|
JMP_NOSPEC %\reg
|
|
|
|
CFI_ENDPROC
|
|
|
|
ENDPROC(__x86_indirect_thunk_\reg)
|
|
|
|
.endm
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Despite being an assembler file we can't just use .irp here
|
|
|
|
* because __KSYM_DEPS__ only uses the C preprocessor and would
|
|
|
|
* only see one instance of "__x86_indirect_thunk_\reg" rather
|
|
|
|
* than one per register with the correct names. So we do it
|
|
|
|
* the simple and nasty way...
|
|
|
|
*/
|
2018-01-19 00:14:51 +08:00
|
|
|
#define __EXPORT_THUNK(sym) _ASM_NOKPROBE(sym); EXPORT_SYMBOL(sym)
|
|
|
|
#define EXPORT_THUNK(reg) __EXPORT_THUNK(__x86_indirect_thunk_ ## reg)
|
x86/retpoline: Add initial retpoline support
Enable the use of -mindirect-branch=thunk-extern in newer GCC, and provide
the corresponding thunks. Provide assembler macros for invoking the thunks
in the same way that GCC does, from native and inline assembler.
This adds X86_FEATURE_RETPOLINE and sets it by default on all CPUs. In
some circumstances, IBRS microcode features may be used instead, and the
retpoline can be disabled.
On AMD CPUs if lfence is serialising, the retpoline can be dramatically
simplified to a simple "lfence; jmp *\reg". A future patch, after it has
been verified that lfence really is serialising in all circumstances, can
enable this by setting the X86_FEATURE_RETPOLINE_AMD feature bit in addition
to X86_FEATURE_RETPOLINE.
Do not align the retpoline in the altinstr section, because there is no
guarantee that it stays aligned when it's copied over the oldinstr during
alternative patching.
[ Andi Kleen: Rename the macros, add CONFIG_RETPOLINE option, export thunks]
[ tglx: Put actual function CALL/JMP in front of the macros, convert to
symbolic labels ]
[ dwmw2: Convert back to numeric labels, merge objtool fixes ]
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: Rik van Riel <riel@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: thomas.lendacky@amd.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Kees Cook <keescook@google.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
Cc: Paul Turner <pjt@google.com>
Link: https://lkml.kernel.org/r/1515707194-20531-4-git-send-email-dwmw@amazon.co.uk
2018-01-12 05:46:25 +08:00
|
|
|
#define GENERATE_THUNK(reg) THUNK reg ; EXPORT_THUNK(reg)
|
|
|
|
|
|
|
|
GENERATE_THUNK(_ASM_AX)
|
|
|
|
GENERATE_THUNK(_ASM_BX)
|
|
|
|
GENERATE_THUNK(_ASM_CX)
|
|
|
|
GENERATE_THUNK(_ASM_DX)
|
|
|
|
GENERATE_THUNK(_ASM_SI)
|
|
|
|
GENERATE_THUNK(_ASM_DI)
|
|
|
|
GENERATE_THUNK(_ASM_BP)
|
|
|
|
#ifdef CONFIG_64BIT
|
|
|
|
GENERATE_THUNK(r8)
|
|
|
|
GENERATE_THUNK(r9)
|
|
|
|
GENERATE_THUNK(r10)
|
|
|
|
GENERATE_THUNK(r11)
|
|
|
|
GENERATE_THUNK(r12)
|
|
|
|
GENERATE_THUNK(r13)
|
|
|
|
GENERATE_THUNK(r14)
|
|
|
|
GENERATE_THUNK(r15)
|
|
|
|
#endif
|
2018-01-28 00:24:33 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Fill the CPU return stack buffer.
|
|
|
|
*
|
|
|
|
* Each entry in the RSB, if used for a speculative 'ret', contains an
|
|
|
|
* infinite 'pause; lfence; jmp' loop to capture speculative execution.
|
|
|
|
*
|
|
|
|
* This is required in various cases for retpoline and IBRS-based
|
|
|
|
* mitigations for the Spectre variant 2 vulnerability. Sometimes to
|
|
|
|
* eliminate potentially bogus entries from the RSB, and sometimes
|
|
|
|
* purely to ensure that it doesn't get empty, which on some CPUs would
|
|
|
|
* allow predictions from other (unwanted!) sources to be used.
|
|
|
|
*
|
|
|
|
* Google experimented with loop-unrolling and this turned out to be
|
|
|
|
* the optimal version - two calls, each with their own speculation
|
|
|
|
* trap should their return address end up getting used, in a loop.
|
|
|
|
*/
|
|
|
|
.macro STUFF_RSB nr:req sp:req
|
|
|
|
mov $(\nr / 2), %_ASM_BX
|
|
|
|
.align 16
|
|
|
|
771:
|
|
|
|
call 772f
|
|
|
|
773: /* speculation trap */
|
|
|
|
pause
|
|
|
|
lfence
|
|
|
|
jmp 773b
|
|
|
|
.align 16
|
|
|
|
772:
|
|
|
|
call 774f
|
|
|
|
775: /* speculation trap */
|
|
|
|
pause
|
|
|
|
lfence
|
|
|
|
jmp 775b
|
|
|
|
.align 16
|
|
|
|
774:
|
|
|
|
dec %_ASM_BX
|
|
|
|
jnz 771b
|
|
|
|
add $((BITS_PER_LONG/8) * \nr), \sp
|
|
|
|
.endm
|
|
|
|
|
|
|
|
#define RSB_FILL_LOOPS 16 /* To avoid underflow */
|
|
|
|
|
|
|
|
ENTRY(__fill_rsb)
|
|
|
|
STUFF_RSB RSB_FILL_LOOPS, %_ASM_SP
|
|
|
|
ret
|
|
|
|
END(__fill_rsb)
|
|
|
|
EXPORT_SYMBOL_GPL(__fill_rsb)
|
|
|
|
|
|
|
|
#define RSB_CLEAR_LOOPS 32 /* To forcibly overwrite all entries */
|
|
|
|
|
|
|
|
ENTRY(__clear_rsb)
|
|
|
|
STUFF_RSB RSB_CLEAR_LOOPS, %_ASM_SP
|
|
|
|
ret
|
|
|
|
END(__clear_rsb)
|
|
|
|
EXPORT_SYMBOL_GPL(__clear_rsb)
|