From: Yian Chen
To: linux-kernel@vger.kernel.org, x86@kernel.org, Andy Lutomirski, Dave Hansen, Ravi Shankar, Tony Luck, Sohil Mehta, Paul Lai, Yian Chen
Subject: [PATCH 1/7] x86/cpu: Enumerate LASS CPUID and CR4 bits
Date: Mon, 9 Jan 2023 21:51:58 -0800
Message-Id: <20230110055204.3227669-2-yian.chen@intel.com>
In-Reply-To: <20230110055204.3227669-1-yian.chen@intel.com>
References: <20230110055204.3227669-1-yian.chen@intel.com>

LASS (Linear Address Space Separation) is a CPU feature to prevent speculative address access in user/kernel mode.

LASS partitions 64-bit virtual address space into two halves, lower address (LA[63]=0) and upper address (LA[63]=1). It stops any data access or code execution
    1. from upper half address space to any lower half address
    2. from lower half address space to any upper half address
and generates #GP fault for a violation.

In Linux, this means LASS does not allow both kernel code to access any user space address and user code to access any kernel space address.

Signed-off-by: Yian Chen
Reviewed-by: Tony Luck
--- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/uapi/asm/processor-flags.h | 2 ++ tools/arch/x86/include/asm/cpufeatures.h | 1 + 3 files changed, 4 insertions(+) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 61012476d66e..03b375db026b 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h
@@ -311,6 +311,7 @@ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instruction= s */ +#define X86_FEATURE_LASS (12*32+ 6) /* Linear address space separation */ #define X86_FEATURE_CMPCCXADD (12*32+ 7) /* "" CMPccXADD instruc= tions */ #define X86_FEATURE_AMX_FP16 (12*32+21) /* "" AMX fp16 Support */ #define X86_FEATURE_AVX_IFMA (12*32+23) /* "" Support for VPMAD= D52[H,L]UQ */ diff --git a/arch/x86/include/uapi/asm/processor-flags.h b/arch/x86/include= /uapi/asm/processor-flags.h index c47cc7f2feeb..fd84ea8240fc 100644 --- a/arch/x86/include/uapi/asm/processor-flags.h +++ b/arch/x86/include/uapi/asm/processor-flags.h @@ -132,6 +132,8 @@ #define X86_CR4_PKE _BITUL(X86_CR4_PKE_BIT) #define X86_CR4_CET_BIT 23 /* enable Control-flow Enforcement Technology = */ #define X86_CR4_CET _BITUL(X86_CR4_CET_BIT) +#define X86_CR4_LASS_BIT 27 /* enable LASS support */ +#define X86_CR4_LASS _BITUL(X86_CR4_LASS_BIT) =20 /* * x86-64 Task Priority Register, CR8 diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/incl= ude/asm/cpufeatures.h index 61012476d66e..03b375db026b 100644 --- a/tools/arch/x86/include/asm/cpufeatures.h +++ b/tools/arch/x86/include/asm/cpufeatures.h 
@@ -311,6 +311,7 @@ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */ #define X86_FEATURE_AVX512_BF16 (12*32+ 5) /* AVX512 BFLOAT16 instruction= s */ +#define X86_FEATURE_LASS (12*32+ 6) /* Linear address space separation */ #define X86_FEATURE_CMPCCXADD (12*32+ 7) /* "" CMPccXADD instruc= tions */ #define X86_FEATURE_AMX_FP16 (12*32+21) /* "" AMX fp16 Support */ #define X86_FEATURE_AVX_IFMA (12*32+23) /* "" Support for VPMAD= D52[H,L]UQ */ --=20 2.34.1

From: Yian Chen
To: linux-kernel@vger.kernel.org, x86@kernel.org, Andy Lutomirski, Dave Hansen, Ravi Shankar, Tony Luck, Sohil Mehta, Paul Lai, Yian Chen
Subject: [PATCH 2/7] x86: Add CONFIG option X86_LASS
Date: Mon, 9 Jan 2023 21:51:59 -0800
Message-Id: <20230110055204.3227669-3-yian.chen@intel.com>
In-Reply-To: <20230110055204.3227669-1-yian.chen@intel.com>
References: <20230110055204.3227669-1-yian.chen@intel.com>

LASS is an Intel x86-64 only feature. Add CONFIG option X86_LASS and flag DISABLE_LASS to choose opt-in/out the feature from kernel binary.

CONFIG_X86_LASS is enabled by default because it is a security feature which should have little to no overhead or side effects. If any issues are found with specific use cases, the CONFIG option makes it easy to disable.

Signed-off-by: Yian Chen
Reviewed-by: Tony Luck
--- arch/x86/Kconfig | 10 ++++++++++ arch/x86/include/asm/disabled-features.h | 8 +++++++- tools/arch/x86/include/asm/disabled-features.h | 8 +++++++- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 3604074a878b..38b1497afd75 100644 --- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig @@ -1826,6 +1826,16 @@ config ARCH_USES_PG_UNCACHED def_bool y depends on X86_PAT =20 +config X86_LASS + def_bool y + prompt "Linear Address Space Separation" + depends on X86_64 && CPU_SUP_INTEL + help + Linear Address Space Separation (LASS) is a processor + feature that mitigates address space layout probes. + + if unsure, say Y. + config X86_UMIP def_bool y prompt "User Mode Instruction Prevention" if EXPERT diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/as= m/disabled-features.h index c44b56f7ffba..0cad37d59e0f 100644 --- a/arch/x86/include/asm/disabled-features.h +++ b/arch/x86/include/asm/disabled-features.h @@ -16,6 +16,12 @@ # define DISABLE_UMIP (1<<(X86_FEATURE_UMIP & 31)) #endif =20 +#ifdef CONFIG_X86_LASS +# define DISABLE_LASS 0 +#else +# define DISABLE_LASS (1<<(X86_FEATURE_LASS & 31)) +#endif + #ifdef CONFIG_X86_64 # define DISABLE_VME (1<<(X86_FEATURE_VME & 31)) # define DISABLE_K6_MTRR (1<<(X86_FEATURE_K6_MTRR & 31)) @@ -115,7 +121,7 @@ #define DISABLED_MASK10 0 #define DISABLED_MASK11 (DISABLE_RETPOLINE|DISABLE_RETHUNK|DISABLE_UNRET| \ DISABLE_CALL_DEPTH_TRACKING) -#define DISABLED_MASK12 0 +#define DISABLED_MASK12 (DISABLE_LASS) #define DISABLED_MASK13 0 #define DISABLED_MASK14 0 #define DISABLED_MASK15 0 diff --git a/tools/arch/x86/include/asm/disabled-features.h b/tools/arch/x8= 6/include/asm/disabled-features.h index c44b56f7ffba..0cad37d59e0f 100644 --- a/tools/arch/x86/include/asm/disabled-features.h +++ b/tools/arch/x86/include/asm/disabled-features.h @@ -16,6 +16,12 @@ # define DISABLE_UMIP (1<<(X86_FEATURE_UMIP & 31)) #endif =20 +#ifdef CONFIG_X86_LASS +# define DISABLE_LASS 0 +#else +# define DISABLE_LASS (1<<(X86_FEATURE_LASS & 31)) +#endif + #ifdef CONFIG_X86_64 # define DISABLE_VME (1<<(X86_FEATURE_VME & 31)) # define DISABLE_K6_MTRR (1<<(X86_FEATURE_K6_MTRR & 31)) 
@@ -115,7 +121,7 @@ #define DISABLED_MASK10 0 #define DISABLED_MASK11 (DISABLE_RETPOLINE|DISABLE_RETHUNK|DISABLE_UNRET| \ DISABLE_CALL_DEPTH_TRACKING) -#define DISABLED_MASK12 0 +#define DISABLED_MASK12 (DISABLE_LASS) #define DISABLED_MASK13 0 #define DISABLED_MASK14 0 #define DISABLED_MASK15 0 --=20 2.34.1

From: Yian Chen
To: linux-kernel@vger.kernel.org, x86@kernel.org, Andy Lutomirski, Dave Hansen, Ravi Shankar, Tony Luck, Sohil Mehta, Paul Lai, Yian Chen
Subject: [PATCH 3/7] x86/cpu: Disable kernel LASS when patching kernel alternatives
Date: Mon, 9 Jan 2023 21:52:00 -0800
Message-Id: <20230110055204.3227669-4-yian.chen@intel.com>
In-Reply-To: <20230110055204.3227669-1-yian.chen@intel.com>
References: <20230110055204.3227669-1-yian.chen@intel.com>

Most of the kernel is mapped at virtual addresses in the upper half of the address range. But kernel deliberately initialized a temporary mm area within the lower half of the address range for text poking, see commit 4fc19708b165 ("x86/alternatives: Initialize temporary mm for patching").

LASS stops access to a lower half address in kernel, and this can be deactivated if AC bit in EFLAGS register is set. Hence use stac and clac instructions around access to the address to avoid triggering a LASS #GP fault.

Kernel objtool validation warns if the binary calls to a non-whitelisted function that exists outside of the stac/clac guard, or references any function with a dynamic function pointer inside the guard; see section 9 in the document tools/objtool/Documentation/objtool.txt.

For these reasons, also considering text poking size is usually small, simple modifications have been done in function text_poke_memcpy() and text_poke_memset() to avoid non-whitelisted function calls inside the stac/clac guard.

Gcc may detect and replace the target with its built-in functions. However, the replacement would break the objtool validation criteria. Hence, add compiler option -fno-builtin for the file.

Co-developed-by: Tony Luck
Signed-off-by: Tony Luck
Signed-off-by: Yian Chen --- arch/x86/include/asm/smap.h | 13 +++++++++++++ arch/x86/kernel/Makefile | 2 ++ arch/x86/kernel/alternative.c | 21 +++++++++++++++++++-- tools/objtool/arch/x86/special.c | 2 ++ 4 files changed, 36 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h index bab490379c65..6f7ac0839b10 100644 --- a/arch/x86/include/asm/smap.h +++ b/arch/x86/include/asm/smap.h @@ -39,6 +39,19 @@ static __always_inline void stac(void) alternative("", __ASM_STAC, X86_FEATURE_SMAP); } =20 +/* Deactivate/activate LASS via AC bit in EFLAGS register */ +static __always_inline void low_addr_access_begin(void) +{ + /* Note: a barrier is implicit in alternative() */ + alternative("", __ASM_STAC, X86_FEATURE_LASS); +} + +static __always_inline void low_addr_access_end(void) +{ + /* Note: a barrier is implicit in alternative() */ + alternative("", __ASM_CLAC, X86_FEATURE_LASS); +} + static __always_inline unsigned long smap_save(void) { unsigned long flags; diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index 96d51bbc2bd4..f8a455fc56a2 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -7,6 +7,8 @@ extra-y +=3D vmlinux.lds =20 CPPFLAGS_vmlinux.lds +=3D -U$(UTS_MACHINE) =20 +CFLAGS_alternative.o +=3D -fno-builtin + ifdef CONFIG_FUNCTION_TRACER # Do not profile debug and lowlevel utilities CFLAGS_REMOVE_tsc.o =3D -pg diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index 7d8c3cbde368..4de8b54fb5f2 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c 
@@ -1530,14 +1530,31 @@ __ro_after_init unsigned long poking_addr; =20 static void text_poke_memcpy(void *dst, const void *src, size_t len) { - memcpy(dst, src, len); + const char *s =3D src; + char *d =3D dst; + + /* The parameter dst ends up referencing to the global variable + * poking_addr, which is mapped to the low half address space. + * In kernel, accessing the low half address range is prevented + * by LASS. So relax LASS prevention while accessing the memory + * range. + */ + low_addr_access_begin(); + while (len-- > 0) + *d++ =3D *s++; + low_addr_access_end(); } =20 static void text_poke_memset(void *dst, const void *src, size_t len) { int c =3D *(const int *)src; + char *d =3D dst; =20 - memset(dst, c, len); + /* The same comment as it is in function text_poke_memcpy */ + low_addr_access_begin(); + while (len-- > 0) + *d++ =3D c; + low_addr_access_end(); } =20 typedef void text_poke_f(void *dst, const void *src, size_t len); diff --git a/tools/objtool/arch/x86/special.c b/tools/objtool/arch/x86/spec= ial.c index 7c97b7391279..3a34ebe3966a 100644 --- a/tools/objtool/arch/x86/special.c +++ b/tools/objtool/arch/x86/special.c 
@@ -6,11 +6,13 @@ =20 #define X86_FEATURE_POPCNT (4 * 32 + 23) #define X86_FEATURE_SMAP (9 * 32 + 20) +#define X86_FEATURE_LASS (12 * 32 + 6) =20 void arch_handle_alternative(unsigned short feature, struct special_alt *a= lt) { switch (feature) { case X86_FEATURE_SMAP: + case X86_FEATURE_LASS: /* * If UACCESS validation is enabled; force that alternative; * otherwise force it the other way. --=20 2.34.1

From: Yian Chen
To: linux-kernel@vger.kernel.org, x86@kernel.org, Andy Lutomirski, Dave Hansen, Ravi Shankar, Tony Luck, Sohil Mehta, Paul Lai, Yian Chen
Subject: [PATCH 4/7] x86/vsyscall: Setup vsyscall to compromise LASS protection
Date: Mon, 9 Jan 2023 21:52:01 -0800
Message-Id: <20230110055204.3227669-5-yian.chen@intel.com>
In-Reply-To: <20230110055204.3227669-1-yian.chen@intel.com>
References: <20230110055204.3227669-1-yian.chen@intel.com>

Kernel enables LASS automatically at starting time in LASS capable platforms. Any access to kernel addresses or upper half addresses from user space triggers a #GP fault.

Legacy vsyscall does not comply with LASS, because the vsyscall functions are mapped in the range 0xffffffffff600000-0xffffffffff601000.

In theory, it would be possible to write a #GP fault handler to emulate the old vsyscall behavior, but vsyscall has been deprecated for some time, so this has not been done.

Therefore, when kernel enforces LASS, vsyscall does not work and should be disabled. On the other hand, the user can relax the enforcement by clearing lass cpu id (clearcpuid=lass/390) or enabling vsyscall (vsyscall=xxx) from kernel command line. The user can also opt-out LASS in config file to build kernel binary.

Signed-off-by: Yian Chen Reviewed-by: Tony Luck --- Documentation/admin-guide/kernel-parameters.txt | 12 ++++++++---- arch/x86/entry/vsyscall/vsyscall_64.c | 14 ++++++++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index 6cfa6e3996cf..3988e0c8c175 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -6755,10 +6755,14 @@ versions of glibc use these calls. Because these functions are at fixed addresses, they make nice targets for exploits that can control RIP. - - emulate [default] Vsyscalls turn into traps and are - emulated reasonably safely. The vsyscall - page is readable. + In newer versions of Intel platforms that come with + LASS(Linear Address Space separation) protection, + vsyscall is disabled by default. Enabling vsyscall + via the parameter overrides LASS protection. + + emulate [default if not LASS capable] Vsyscalls + turn into traps and are emulated reasonably + safely. The vsyscall page is readable. =20 xonly Vsyscalls turn into traps and are emulated reasonably safely. The vsyscall diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscal= l/vsyscall_64.c index 4af81df133ee..2691f26835d1 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -63,6 +63,12 @@ static int __init vsyscall_setup(char *str) else return -EINVAL; =20 + if (cpu_feature_enabled(X86_FEATURE_LASS) && + vsyscall_mode !=3D NONE) { + setup_clear_cpu_cap(X86_FEATURE_LASS); + pr_warn("LASS disabled by command line enabling vsyscall\n"); + } + return 0; } =20 
@@ -379,6 +385,14 @@ void __init map_vsyscall(void) extern char __vsyscall_page; unsigned long physaddr_vsyscall =3D __pa_symbol(&__vsyscall_page); =20 + /* + * When LASS is on, vsyscall triggers a #GP fault, + * so that force vsyscall_mode to NONE. + */ + if (cpu_feature_enabled(X86_FEATURE_LASS)) { + vsyscall_mode =3D NONE; + return; + } /* * For full emulation, the page needs to exist for real. In * execute-only mode, there is no PTE at all backing the vsyscall --=20 2.34.1

From: Yian Chen
To: linux-kernel@vger.kernel.org, x86@kernel.org, Andy Lutomirski, Dave Hansen, Ravi Shankar, Tony Luck, Sohil Mehta, Paul Lai, Yian Chen
Subject: [PATCH 5/7] x86/cpu: Enable LASS (Linear Address Space Separation)
Date: Mon, 9 Jan 2023 21:52:02 -0800
Message-Id: <20230110055204.3227669-6-yian.chen@intel.com>
In-Reply-To: <20230110055204.3227669-1-yian.chen@intel.com>
References: <20230110055204.3227669-1-yian.chen@intel.com>

LASS is enabled via setting a CR4 bit if the platform supports the feature. LASS may be disabled in early boot time, for example, by command line parameter clearcpuid=lass/390 or vsyscall flag. In such cases, the CPU feature and CR4 bits will be cleared.

Signed-off-by: Yian Chen
Reviewed-by: Tony Luck
--- arch/x86/kernel/cpu/common.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 9cfca3d7d0e2..efc7c7623968 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c
@@ -412,6 +412,23 @@ static __always_inline void setup_umip(struct cpuinfo_= x86 *c) cr4_clear_bits(X86_CR4_UMIP); } =20 +static __always_inline void setup_lass(struct cpuinfo_x86 *c) +{ + if (cpu_feature_enabled(X86_FEATURE_LASS)) { + cr4_set_bits(X86_CR4_LASS); + } else { + /* + * only clear the feature and cr4 bits when hardware + * supports LASS, in case it was enabled in a previous + * boot (e.g., via kexec) + */ + if (cpu_has(c, X86_FEATURE_LASS)) { + cr4_clear_bits(X86_CR4_LASS); + clear_cpu_cap(c, X86_FEATURE_LASS); + } + } +} + /* These bits should not change their value after CPU init is finished. */ static const unsigned long cr4_pinned_mask =3D X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP | 
@@ -1848,6 +1865,7 @@ static void identify_cpu(struct cpuinfo_x86 *c) setup_smep(c); setup_smap(c); setup_umip(c); + setup_lass(c); =20 /* Enable FSGSBASE instructions if available. */ if (cpu_has(c, X86_FEATURE_FSGSBASE)) { --=20 2.34.1

From: Yian Chen
To: linux-kernel@vger.kernel.org, x86@kernel.org, Andy Lutomirski, Dave Hansen, Ravi Shankar, Tony Luck, Sohil Mehta, Paul Lai, Yian Chen
Subject: [PATCH 6/7] x86/cpu: Set LASS as pinning sensitive CR4 bit
Date: Mon, 9 Jan 2023 21:52:03 -0800
Message-Id: <20230110055204.3227669-7-yian.chen@intel.com>
In-Reply-To: <20230110055204.3227669-1-yian.chen@intel.com>
References: <20230110055204.3227669-1-yian.chen@intel.com>

Security protection features are pinning sensitive. LASS comes with an effort for security concerns. Therefore, add it to the set of pinning sensitive bits

Signed-off-by: Yian Chen
Reviewed-by: Tony Luck
--- arch/x86/kernel/cpu/common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index efc7c7623968..e224cbaf7866 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c
@@ -432,7 +432,7 @@ static __always_inline void setup_lass(struct cpuinfo_x= 86 *c) /* These bits should not change their value after CPU init is finished. */ static const unsigned long cr4_pinned_mask =3D X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP | - X86_CR4_FSGSBASE | X86_CR4_CET; + X86_CR4_FSGSBASE | X86_CR4_CET | X86_CR4_LASS; static DEFINE_STATIC_KEY_FALSE_RO(cr_pinning); static unsigned long cr4_pinned_bits __ro_after_init; =20 --=20 2.34.1

From: Yian Chen
To: linux-kernel@vger.kernel.org, x86@kernel.org, Andy Lutomirski, Dave Hansen, Ravi Shankar, Tony Luck, Sohil Mehta, Paul Lai, Yian Chen
Subject: [PATCH 7/7] x86/kvm: Expose LASS feature to VM guest
Date: Mon, 9 Jan 2023 21:52:04 -0800
Message-Id: <20230110055204.3227669-8-yian.chen@intel.com>
In-Reply-To: <20230110055204.3227669-1-yian.chen@intel.com>
References: <20230110055204.3227669-1-yian.chen@intel.com>

From: Paul Lai

Expose LASS feature which is defined in the CPUID.7.1.EAX bit and enabled via the CR4 bit for VM guest.

Signed-off-by: Paul Lai
Signed-off-by: Yian Chen
Reviewed-by: Tony Luck
--- arch/x86/include/asm/kvm_host.h | 3 ++- arch/x86/kvm/cpuid.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_hos= t.h index f35f1ff4427b..bd39f45e9b5a 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h
@@ -125,7 +125,8 @@ | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_PCIDE \ | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_FSGSBASE \ | X86_CR4_OSXMMEXCPT | X86_CR4_LA57 | X86_CR4_VMXE \ - | X86_CR4_SMAP | X86_CR4_PKE | X86_CR4_UMIP)) + | X86_CR4_SMAP | X86_CR4_PKE | X86_CR4_UMIP \ + | X86_CR4_LASS)) =20 #define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR) =20 diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index b14653b61470..e0f53f85f5ae 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -664,7 +664,7 @@ void kvm_set_cpu_caps(void) =20 kvm_cpu_cap_mask(CPUID_7_1_EAX, F(AVX_VNNI) | F(AVX512_BF16) | F(CMPCCXADD) | F(AMX_FP16) | - F(AVX_IFMA) + F(AVX_IFMA) | F(LASS) ); =20 kvm_cpu_cap_init_kvm_defined(CPUID_7_1_EDX, --=20 2.34.1
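
Review bot: in [PATCH 1/7], the processor-flags.h hunk documents the new bit only as "enable LASS support", while the X86_CR4_CET_BIT context line directly above spells its feature name out. Please expand the comment on X86_CR4_LASS_BIT to "enable Linear Address Space Separation" so the header can be read without the commit message, and align the description with the Kconfig help in 2/7, which describes the feature as mitigating address space layout probes rather than speculative access.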
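
Review bot: in [PATCH 2/7], the Kconfig hunk gives X86_LASS an unconditional prompt, whereas the X86_UMIP entry visible just below it uses "if EXPERT"; please say why a def_bool y security option should be offered to every user, or gate it the same way. The help text should also mention that building with LASS on disables legacy vsyscall by default (4/7), since that is the one user-visible side effect, and "if unsure, say Y." should start with a capital letter.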
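
Review bot: in [PATCH 3/7], the arch/x86/kernel/Makefile hunk adds -fno-builtin to CFLAGS_alternative.o, which changes code generation for every function in alternative.c although only the two byte loops in text_poke_memcpy() and text_poke_memset() need protecting. Please confine the restriction to those two helpers, or explain in the commit message why a file-wide flag is acceptable.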
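
Review bot: in [PATCH 3/7], the arch/x86/kernel/alternative.c hunk leaves text_poke_memset() with the comment "The same comment as it is in function text_poke_memcpy", which tells the reader nothing at the point of use; either state the reason there (dst is the poking_addr mapping in the lower half) or move the explanation onto low_addr_access_begin() in smap.h and drop both copies. The block comment in text_poke_memcpy() also starts its text on the opening "/*" line, unlike the multi-line comments added in 4/7 and 5/7. It is worth noting in the smap.h helper comment that setting AC is the same mechanism that suspends SMAP, so the guarded region should stay as small as these loops are.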
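
Review bot: in [PATCH 4/7], the vsyscall_setup() hunk lets any vsyscall= value other than none call setup_clear_cpu_cap(X86_FEATURE_LASS), so a legacy compatibility option turns off a system-wide protection with only a pr_warn(). The kernel-parameters.txt hunk should state that consequence next to each affected mode (the xonly entry in the context is left unchanged) and say what the default is on LASS-capable hardware, not only that emulate is the "default if not LASS capable". "LASS(Linear Address Space separation)" needs a space before the parenthesis and a capital S.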
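
Review bot: in [PATCH 4/7], the map_vsyscall() hunk forces vsyscall_mode to NONE and returns without logging anything, while the command-line path in vsyscall_setup() warns when it makes the opposite trade. Please emit a message here as well so an administrator can tell from the boot log why vsyscall is unavailable. The comment wording "so that force vsyscall_mode to NONE" should read "so force vsyscall_mode to NONE", and a blank line is missing between the new block and the existing "For full emulation" comment.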
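
Review bot: in [PATCH 5/7], the else branch of setup_lass() clears CR4.LASS only when cpu_has(c, X86_FEATURE_LASS) is still true. Please confirm that this holds after vsyscall_setup() in 4/7 has called setup_clear_cpu_cap(X86_FEATURE_LASS); if the forced clear is already reflected in c by the time identify_cpu() reaches setup_lass(), cr4_clear_bits(X86_CR4_LASS) is skipped and a bit inherited across kexec stays set, which is the case the comment describes. The nested if can become an "else if", and the comment should start with a capital letter.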
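
Review bot: in [PATCH 6/7], adding X86_CR4_LASS to cr4_pinned_mask is a one-line change that depends entirely on setup_lass() from 5/7, and keeping it separate leaves a bisection point where LASS is enabled but not pinned. Please fold this hunk into 5/7, and replace "LASS comes with an effort for security concerns" in the commit message with a statement of what pinning protects, namely that the bit must not change after CPU init as the context comment says.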
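
Review bot: in [PATCH 7/7], the kvm_host.h hunk removes X86_CR4_LASS from CR4_RESERVED_BITS and the cpuid.c hunk adds F(LASS), but neither hunk ties a guest write of CR4.LASS to LASS being present in that guest's CPUID. Please add that check, or point to where it already happens, so a guest configured without the feature cannot set the bit. The commit message should also say whether any KVM code that accesses guest linear addresses on the guest's behalf needs to apply the LASS check, since nothing in these two hunks addresses it.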
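
The command-line behaviour described in the commit messages of 4/7 and 5/7 can be audited offline. The following is an added example, not code from the series: it models the series as posted and reports whether a given kernel command line would leave LASS cleared. The function names, the space-separated token handling, the comma-separated clearcpuid list and the "none" spelling of the vsyscall mode are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Feature number from patch 1/7: CPUID word 12, bit 6. 12*32+6 == 390,
 * which is why the series writes the parameter as clearcpuid=lass/390. */
#define X86_FEATURE_LASS (12 * 32 + 6)

enum lass_override {
	LASS_KEPT = 0,        /* nothing on the command line relaxes LASS */
	LASS_OFF_CLEARCPUID,  /* clearcpuid names "lass" or 390 */
	LASS_OFF_VSYSCALL     /* vsyscall= selects a mode other than none */
};

/* Does a clearcpuid= value name LASS? Comma-separated lists are handled
 * as an assumption; the page itself only shows the single-value form. */
static int clearcpuid_hits_lass(const char *list, size_t len)
{
	while (len > 0) {
		const char *comma = memchr(list, ',', len);
		size_t n = comma ? (size_t)(comma - list) : len;
		char item[32];

		if (n > 0 && n < sizeof(item)) {
			char *end;
			long v;

			memcpy(item, list, n);
			item[n] = '\0';
			if (strcmp(item, "lass") == 0)
				return 1;
			v = strtol(item, &end, 10);
			if (end != item && *end == '\0' && v == X86_FEATURE_LASS)
				return 1;
		}
		if (!comma)
			break;
		len -= n + 1;
		list = comma + 1;
	}
	return 0;
}

/* Compare a length-delimited token against a NUL-terminated word. */
static int token_is(const char *v, size_t len, const char *word)
{
	return len == strlen(word) && strncmp(v, word, len) == 0;
}

/* Hypothetical audit helper: scan every parameter, because once either
 * option clears the capability a later parameter does not restore it. */
enum lass_override lass_cmdline_override(const char *cmdline)
{
	int by_clearcpuid = 0, by_vsyscall = 0;
	const char *p = cmdline;

	while (*p) {
		const char *tok;
		size_t len;

		while (*p && isspace((unsigned char)*p))
			p++;
		tok = p;
		while (*p && !isspace((unsigned char)*p))
			p++;
		len = (size_t)(p - tok);

		if (len > 11 && strncmp(tok, "clearcpuid=", 11) == 0) {
			by_clearcpuid |= clearcpuid_hits_lass(tok + 11, len - 11);
		} else if (len > 9 && strncmp(tok, "vsyscall=", 9) == 0) {
			/* vsyscall_setup() in 4/7 returns -EINVAL for unknown
			 * values before its LASS check, and NONE keeps LASS. */
			if (token_is(tok + 9, len - 9, "emulate") ||
			    token_is(tok + 9, len - 9, "xonly"))
				by_vsyscall = 1;
		}
	}
	if (by_clearcpuid)
		return LASS_OFF_CLEARCPUID;
	return by_vsyscall ? LASS_OFF_VSYSCALL : LASS_KEPT;
}

int main(void)
{
	/* Constructed command lines, not taken from a real system. */
	static const char *samples[] = {
		"BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet",
		"root=/dev/sda1 ro vsyscall=emulate",
		"root=/dev/sda1 ro vsyscall=none",
		"root=/dev/sda1 ro clearcpuid=390",
	};
	static const char *verdict[] = {
		"LASS kept", "LASS cleared by clearcpuid", "LASS cleared by vsyscall"
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-45s -> %s\n", samples[i],
		       verdict[lass_cmdline_override(samples[i])]);
	return 0;
}
```

On a running system the input would be the contents of /proc/cmdline; the result only says what the command line requests, not whether the CPU supports LASS.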