Commit 0e33cf95 authored by Linus Torvalds

Merge tag 'rfds-for-linus-2024-03-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 RFDS mitigation from Dave Hansen:
 "RFDS is a CPU vulnerability that may allow a malicious userspace to
  infer stale register values from kernel space. Kernel registers can
  have all kinds of secrets in them so the mitigation is basically to
  wait until the kernel is about to return to userspace and has user
  values in the registers. At that point there is little chance of
  kernel secrets ending up in the registers and the microarchitectural
  state can be cleared.

  This leverages some recent robustness fixes for the existing MDS
  vulnerability. Both MDS and RFDS use the VERW instruction for
  mitigation"

* tag 'rfds-for-linus-2024-03-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests
  x86/rfds: Mitigate Register File Data Sampling (RFDS)
  Documentation/hw-vuln: Add documentation for RFDS
  x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set
parents 855684c7 2a018012
+1 −0
@@ -516,6 +516,7 @@ What: /sys/devices/system/cpu/vulnerabilities
		/sys/devices/system/cpu/vulnerabilities/mds
		/sys/devices/system/cpu/vulnerabilities/meltdown
		/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
		/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling
		/sys/devices/system/cpu/vulnerabilities/retbleed
		/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
		/sys/devices/system/cpu/vulnerabilities/spectre_v1
+1 −0
@@ -21,3 +21,4 @@ are configurable at compile, boot or run time.
   cross-thread-rsb
   srso
   gather_data_sampling
   reg-file-data-sampling
+104 −0
==================================
Register File Data Sampling (RFDS)
==================================

Register File Data Sampling (RFDS) is a microarchitectural vulnerability that
only affects Intel Atom parts(also branded as E-cores). RFDS may allow
a malicious actor to infer data values previously used in floating point
registers, vector registers, or integer registers. RFDS does not provide the
ability to choose which data is inferred. CVE-2023-28746 is assigned to RFDS.

Affected Processors
===================
Below is the list of affected Intel processors [#f1]_:

   ===================  ============
   Common name          Family_Model
   ===================  ============
   ATOM_GOLDMONT           06_5CH
   ATOM_GOLDMONT_D         06_5FH
   ATOM_GOLDMONT_PLUS      06_7AH
   ATOM_TREMONT_D          06_86H
   ATOM_TREMONT            06_96H
   ALDERLAKE               06_97H
   ALDERLAKE_L             06_9AH
   ATOM_TREMONT_L          06_9CH
   RAPTORLAKE              06_B7H
   RAPTORLAKE_P            06_BAH
   ATOM_GRACEMONT          06_BEH
   RAPTORLAKE_S            06_BFH
   ===================  ============

As an exception to this table, Intel Xeon E family parts ALDERLAKE(06_97H) and
RAPTORLAKE(06_B7H) codenamed Catlow are not affected. They are reported as
vulnerable in Linux because they share the same family/model with an affected
part. Unlike their affected counterparts, they do not enumerate RFDS_CLEAR or
CPUID.HYBRID. This information could be used to distinguish between the
affected and unaffected parts, but it is deemed not worth adding complexity as
the reporting is fixed automatically when these parts enumerate RFDS_NO.

Mitigation
==========
Intel released a microcode update that enables software to clear sensitive
information using the VERW instruction. Like MDS, RFDS deploys the same
mitigation strategy to force the CPU to clear the affected buffers before an
attacker can extract the secrets. This is achieved by using the otherwise
unused and obsolete VERW instruction in combination with a microcode update.
The microcode clears the affected CPU buffers when the VERW instruction is
executed.

Mitigation points
-----------------
VERW is executed by the kernel before returning to user space, and by KVM
before VMentry. None of the affected cores support SMT, so VERW is not required
at C-state transitions.

New bits in IA32_ARCH_CAPABILITIES
----------------------------------
Newer processors and microcode update on existing affected processors added new
bits to IA32_ARCH_CAPABILITIES MSR. These bits can be used to enumerate
vulnerability and mitigation capability:

- Bit 27 - RFDS_NO - When set, processor is not affected by RFDS.
- Bit 28 - RFDS_CLEAR - When set, processor is affected by RFDS, and has the
  microcode that clears the affected buffers on VERW execution.

Mitigation control on the kernel command line
---------------------------------------------
The kernel command line allows to control RFDS mitigation at boot time with the
parameter "reg_file_data_sampling=". The valid arguments are:

  ==========  =================================================================
  on          If the CPU is vulnerable, enable mitigation; CPU buffer clearing
              on exit to userspace and before entering a VM.
  off         Disables mitigation.
  ==========  =================================================================

Mitigation default is selected by CONFIG_MITIGATION_RFDS.

Mitigation status information
-----------------------------
The Linux kernel provides a sysfs interface to enumerate the current
vulnerability status of the system: whether the system is vulnerable, and
which mitigations are active. The relevant sysfs file is:

	/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling

The possible values in this file are:

  .. list-table::

     * - 'Not affected'
       - The processor is not vulnerable
     * - 'Vulnerable'
       - The processor is vulnerable, but no mitigation enabled
     * - 'Vulnerable: No microcode'
       - The processor is vulnerable but microcode is not updated.
     * - 'Mitigation: Clear Register File'
       - The processor is vulnerable and the CPU buffer clearing mitigation is
	 enabled.

References
----------
.. [#f1] Affected Processors
   https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
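Review bot: The "Mitigation control on the kernel command line" section lists only "on" and "off" and omits the constraint that the kernel-parameters.txt entry in this same series states: the RFDS mitigation cannot be disabled while other VERW based mitigations (like MDS) are enabled. An administrator who passes reg_file_data_sampling=off on a system that still has MDS mitigation enabled would not learn from this document why CPU buffer clearing is still performed. Suggest adding a sentence to that section saying that all VERW based mitigations must be disabled for "off" to take effect, and that mitigations=off implies reg_file_data_sampling=off. Nits: "Atom parts(also branded as E-cores)", "ALDERLAKE(06_97H)" and "RAPTORLAKE(06_B7H)" are missing a space before the parenthesis, and the continuation line " enabled." in the list-table is indented with a tab plus a space while the rest of the table uses spaces.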
+21 −0
@@ -1136,6 +1136,26 @@
			The filter can be disabled or changed to another
			driver later using sysfs.

	reg_file_data_sampling=
			[X86] Controls mitigation for Register File Data
			Sampling (RFDS) vulnerability. RFDS is a CPU
			vulnerability which may allow userspace to infer
			kernel data values previously stored in floating point
			registers, vector registers, or integer registers.
			RFDS only affects Intel Atom processors.

			on:	Turns ON the mitigation.
			off:	Turns OFF the mitigation.

			This parameter overrides the compile time default set
			by CONFIG_MITIGATION_RFDS. Mitigation cannot be
			disabled when other VERW based mitigations (like MDS)
			are enabled. In order to disable RFDS mitigation all
			VERW based mitigations need to be disabled.

			For details see:
			Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst

	driver_async_probe=  [KNL]
			List of driver names to be probed asynchronously. *
			matches with all driver names. If * is specified, the
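Review bot: The new reg_file_data_sampling= entry is inserted directly before driver_async_probe=, which places an "r" parameter among the "d" entries; this file is kept in alphabetical order, so the entry belongs with the other "r" parameters. Also, "on: Turns ON the mitigation." is looser than the wording in the new .rst ("If the CPU is vulnerable, enable mitigation; CPU buffer clearing on exit to userspace and before entering a VM."); reusing that wording here would tell the reader that "on" has no effect on unaffected CPUs and what the mitigation actually does.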
@@ -3394,6 +3414,7 @@
					       nospectre_bhb [ARM64]
					       nospectre_v1 [X86,PPC]
					       nospectre_v2 [X86,PPC,S390,ARM64]
					       reg_file_data_sampling=off [X86]
					       retbleed=off [X86]
					       spec_rstack_overflow=off [X86]
					       spec_store_bypass_disable=off [X86,PPC]
+11 −0
@@ -2623,6 +2623,17 @@ config MITIGATION_GDS_FORCE

	  If in doubt, say N.

config MITIGATION_RFDS
	bool "RFDS Mitigation"
	depends on CPU_SUP_INTEL
	default y
	help
	  Enable mitigation for Register File Data Sampling (RFDS) by default.
	  RFDS is a hardware vulnerability which affects Intel Atom CPUs. It
	  allows unprivileged speculative access to stale data previously
	  stored in floating point, vector and integer registers.
	  See also <file:Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst>

endif

config ARCH_HAS_ADD_PAGES
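Review bot: The help text says only "affects Intel Atom CPUs", while the affected-processor table in the documentation added by this series also lists ALDERLAKE and RAPTORLAKE family/models, where the Atom parts are the E-cores. Someone configuring a kernel for one of those hybrid parts could read the help as not applicable and say N. Suggest matching the .rst wording, for example "Intel Atom CPUs (also branded as E-cores)", and noting that the reg_file_data_sampling= boot parameter overrides this compile-time default. Nit: the "See also <file:...>" line has no terminating period.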