KPTI: disable on AMD
and allow loading of microcode on recent AMD systems in preparation of further Spectre fixes
parent
e4cdf2a53e
commit
04f3b8beca
2 changed files with 106 additions and 0 deletions
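--- /dev/null
+++ b/<path of added patch file 1 not shown on page>
@@ -0,0 +1,54 @@
+From 5462db3d070845ecc34929b6f25a87efda023aae Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Tue, 26 Dec 2017 23:43:54 -0600
+Subject: [PATCH 240/241] x86/cpu, x86/pti: Do not enable PTI on AMD processors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2017-5754
+
+AMD processors are not subject to the types of attacks that the kernel
+page table isolation feature protects against. The AMD microarchitecture
+does not allow memory references, including speculative references, that
+access higher privileged data when running in a lesser privileged mode
+when that access would result in a page fault.
+
+Disable page table isolation by default on AMD processors by not setting
+the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
+is set.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20171227054354.20369.94587.stgit@tlendack-t1.amdoffice.net
+
+(cherry picked from commit 694d99d40972f12e59a3696effee8a376b79d7c8)
+Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+(cherry picked from commit 9d334f48f017b9c6457c6ba321e5a53a1cc6a5c7)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+arch/x86/kernel/cpu/common.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 99f37d1636ff..1854dd8071a6 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+
+setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+
+- /* Assume for now that ALL x86 CPUs are insecure */
+- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++ if (c->x86_vendor != X86_VENDOR_AMD)
++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+
+fpu__init_system(c);
+}
+--
+2.14.2
+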
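Review bot: The vendor test `if (c->x86_vendor != X86_VENDOR_AMD)` exempts AMD from X86_BUG_CPU_INSECURE on the strength of a Meltdown-only argument (the patch header names CVE-2017-5754), while the top-level commit says further Spectre fixes are still to come; because the flag name is generic, a comment above the test such as `/* AMD is not affected by Meltdown (CVE-2017-5754), so PTI is not needed there */` would keep the exemption from being read as a blanket statement about speculative-execution issues. The fail-safe direction is right: every vendor other than AMD is still marked insecure, and nothing in the hunk lets a later step clear the bug bit. The body of early_identify_cpu begins before the hunk.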
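--- /dev/null
+++ b/<path of added patch file 2 not shown on page>
@@ -0,0 +1,52 @@
+From 8329d47141a78a64e8ae6f4a735aceaafe93e098 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Thu, 30 Nov 2017 16:46:40 -0600
+Subject: [PATCH 241/241] x86/microcode/AMD: Add support for fam17h microcode
+loading
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf upstream.
+
+The size for the Microcode Patch Block (MPB) for an AMD family 17h
+processor is 3200 bytes. Add a #define for fam17h so that it does
+not default to 2048 bytes and fail a microcode load/update.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Borislav Petkov <bp@alien8.de>
+Link: https://lkml.kernel.org/r/20171130224640.15391.40247.stgit@tlendack-t1.amdoffice.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Alice Ferrazzi <alicef@gentoo.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+arch/x86/kernel/cpu/microcode/amd.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
+index 21b185793c80..248cad00fee6 100644
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -467,6 +467,7 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size,
+#define F14H_MPB_MAX_SIZE 1824
+#define F15H_MPB_MAX_SIZE 4096
+#define F16H_MPB_MAX_SIZE 3458
++#define F17H_MPB_MAX_SIZE 3200
+
+switch (family) {
+case 0x14:
+@@ -478,6 +479,9 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size,
+case 0x16:
+max_size = F16H_MPB_MAX_SIZE;
+break;
++ case 0x17:
++ max_size = F17H_MPB_MAX_SIZE;
++ break;
+default:
+max_size = F1XH_MPB_MAX_SIZE;
+break;
+--
+2.14.2
+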
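Review bot: The new `case 0x17:` arm only widens the size table; the comparison of patch_size against max_size and the surrounding family handling in verify_patch_size lie outside both hunks, so it is worth confirming that an oversize family-17h microcode patch is still rejected by that existing check rather than accepted now that the family has its own entry. The constant itself is justified only in the commit message, and the neighbouring defines give no source either, so a short comment such as `#define F17H_MPB_MAX_SIZE 3200 /* fam17h MPB size, see commit message */` would keep that rationale next to the value. verify_patch_size starts before the first hunk and continues after the second.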