OpenBSD Journal

More mitigations against speculative execution vulnerabilities

Contributed by rueda on from the gift-that-keeps-on-giving dept.

Philip Guenther (guenther@) and Bryan Steele (brynet@) have added more mitigations against speculative execution CPU vulnerabilities to the amd64 kernel: return stack buffer (RSB) refilling on the kernel entry, return-to-userspace, context switch and vmexit paths, and AMD's "Mitigation G-2", which makes LFENCE a dispatch-serializing instruction.

For "SpectreRSB" and earlier Spectre variants:

CVSROOT:	/cvs
Module name:	src
Changes by:	guenther@cvs.openbsd.org	2018/07/23 11:54:04

Modified files:
	sys/arch/amd64/amd64: locore.S 
	sys/arch/amd64/include: asm.h cpufunc.h frameasm.h 

Log message:
Do "Return stack refilling", based on the "Return stack underflow" discussion
and its associated appendix at https://support.google.com/faqs/answer/7625886
This should address at least some cases of "SpectreRSB" and earlier
Spectre variants; more commits to follow.

The refilling is done in the enter-kernel-from-userspace and
return-to-userspace-from-kernel paths, making sure to do it before
unblocking interrupts so that a successive interrupt can't get the
CPU to C code without doing this refill.  Per the link above, it
also does it immediately after mwait, apparently in case the low-power
CPU states of idle-via-mwait flush the RSB.

ok mlarkin@ deraadt@

and:

CVSROOT:	/cvs
Module name:	src
Changes by:	guenther@cvs.openbsd.org	2018/07/23 20:42:25

Modified files:
	sys/arch/amd64/amd64: locore.S vector.S vmm_support.S 
	sys/arch/amd64/include: asm.h cpufunc.h 

Log message:
Also do RSB refilling when context switching, after vmexits, and
when vmlaunch or vmresume fails.

Follow the lead of clang and the intel recommendation and do an lfence
after the pause in the speculation-stop path for retpoline, RSB refill,
and meltover ASM bits.

ok kettenis@ deraadt@
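The two commits above describe the refill sequence only in prose. What follows is an added example, written for this article and not taken from OpenBSD's locore.S or asm.h: a user-space rendition of the 32-entry "return stack refilling" loop in GCC/Clang inline assembly, using the speculation trap (pause; lfence; jmp back to itself) that the second commit standardises for the retpoline, RSB refill and Meltdown paths. The names rsb_refill, rsb_refill_check and SPEC_TRAP are this example's own. The 128-byte red zone step is needed only in user space; the kernel is built without a red zone, so the real locore.S sequence does not have it.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example: RSB refill ("return stack stuffing") as described in
 * the commit messages, not OpenBSD's own asm.h macro.  Each CALL pushes a
 * return address that points at a speculation trap, so a later RET that the
 * CPU predicts from a stale or underflowed RSB entry lands on pause/lfence/jmp
 * and makes no forward progress until the misprediction is resolved.
 */

/* Speculation trap shared by retpoline and the refill: pause, then lfence
 * (added in the second commit), then spin on ourselves forever. */
#define SPEC_TRAP(n)            \
    #n ":\n\t"                  \
    "pause\n\t"                 \
    "lfence\n\t"                \
    "jmp " #n "b\n\t"

#define RSB_ENTRIES 32          /* 16 iterations, two CALLs per iteration */

#if defined(__x86_64__)
static inline void rsb_refill(void)
{
    __asm__ __volatile__(
        /* user space only: step over the 128-byte SysV red zone, because the
         * CALLs below write beneath %rsp and a leaf caller may keep live
         * locals there.  The kernel has no red zone and skips this. */
        "lea -128(%%rsp), %%rsp\n\t"
        "mov $16, %%ecx\n\t"
        "1:\n\t"
        "call 2f\n\t"           /* pushes the address of trap 3 */
        SPEC_TRAP(3)
        "2:\n\t"
        "call 4f\n\t"           /* pushes the address of trap 5 */
        SPEC_TRAP(5)
        "4:\n\t"
        "dec %%ecx\n\t"
        "jnz 1b\n\t"
        /* drop the 32 pushed return addresses (8 bytes each) and undo the
         * red-zone step; the architectural stack is now exactly as before,
         * while the RSB holds 32 entries that all point at traps. */
        "add $(128 + 8 * 32), %%rsp\n\t"
        ::: "rcx", "memory", "cc");
}
#else
/* Assumption for non-x86 builds: nothing to stuff, the check passes trivially. */
static inline void rsb_refill(void) { }
#endif

/*
 * Run the refill with live data on the stack and report whether the stack
 * pointer and locals survived: a wrong displacement in the final add would
 * corrupt the canary or crash on return.  Returns 0xaa when intact.
 */
uint64_t rsb_refill_check(void)
{
    volatile uint64_t canary[4] = { 0x11, 0x22, 0x33, 0x44 };
    rsb_refill();
    return canary[0] + canary[1] + canary[2] + canary[3];
}

int main(void)
{
    unsigned long long sum = (unsigned long long)rsb_refill_check();
    printf("RSB refill of %d entries done, canary sum 0x%llx (expect 0xaa)\n",
           RSB_ENTRIES, sum);
    return sum == 0xaa ? 0 : 1;
}
```

Two things a practitioner should keep in mind when adapting this: the sequence deliberately never RETs through the pushed addresses, so on a CPU and OS enforcing CET shadow stacks in user space the 32 unmatched CALLs would leave the shadow stack out of sync and the next real RET would fault; and the commit's point about doing the refill before interrupts are unblocked is about ordering, which no user-space test can reproduce, so this example only checks that the stack discipline of the loop is right.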

"Mitigation G-2" for AMD processors:

CVSROOT:	/cvs
Module name:	src
Changes by:	brynet@cvs.openbsd.org	2018/07/23 17:25:03

Modified files:
	sys/arch/amd64/amd64: identcpu.c 
	sys/arch/amd64/include: specialreg.h 

Log message:
Add "Mitigation G-2" per AMD's Whitepaper "Software Techniques for
Managing Speculation on AMD Processors"

By setting MSR C001_1029[1]=1, LFENCE becomes a dispatch serializing
instruction.

Tested on AMD FX-4100 "Bulldozer", and Linux guest in SVM vmd(8)

ok deraadt@ mlarkin@



Comments
  1. By Amit Kulkarni (amitkulz) on

    As noted by brynet@, the "Mitigation G-2" for AMD processors diff was also ok'd by guenther@:

    https://marc.info/?l=openbsd-cvs&m=153239639930847&w=2


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]