Documentation/hw-vuln: Update spectre doc

stable inclusion from stable-v5.10.105 commit 071e8b69d7808d96f388d7c5ed606e75fd3d518d category: bugfix bugzilla: 186453 https://gitee.com/src-openeuler/kernel/issues/I50WBM CVE: CVE-2022-0001 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=071e8b69d780 -------------------------------- commit 5ad3eb11 upstream. Update the doc with the new fun. [ bp: Massage commit message. ] Signed-off-by: N Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: N Borislav Petkov <bp@suse.de> Reviewed-by: N Thomas Gleixner <tglx@linutronix.de> [fllinden@amazon.com: backported to 5.10] Signed-off-by: N Frank van der Linden <fllinden@amazon.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jiahao <chenjiahao16@huawei.com> Reviewed-by: N Liao Chang <liaochang1@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

Documentation/hw-vuln: Update spectre doc
stable inclusion from stable-v5.10.105 commit 071e8b69d7808d96f388d7c5ed606e75fd3d518d category: bugfix bugzilla: 186453 https://gitee.com/src-openeuler/kernel/issues/I50WBM CVE: CVE-2022-0001 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=071e8b69d780 -------------------------------- commit 5ad3eb11 upstream. Update the doc with the new fun. [ bp: Massage commit message. ] Signed-off-by: N Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: N Borislav Petkov <bp@suse.de> Reviewed-by: N Thomas Gleixner <tglx@linutronix.de> [fllinden@amazon.com: backported to 5.10] Signed-off-by: N Frank van der Linden <fllinden@amazon.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jiahao <chenjiahao16@huawei.com> Reviewed-by: N Liao Chang <liaochang1@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
6e857e41 · Peter Zijlstra · Zheng Zengkai · 5db42e7e · 6e857e41 · 6e857e41
Showing with 35 addition and 15 deletion

Documentation/admin-guide/hw-vuln/spectre.rst Documentation/admin-guide/hw-vuln/spectre.rst +29 -13

Documentation/admin-guide/kernel-parameters.txt Documentation/admin-guide/kernel-parameters.txt +6 -2

未找到文件。
--- a/Documentation/admin-guide/hw-vuln/spectre.rst
+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
@@ -131,6 +131,19 @@ steer its indirect branch speculations to gadget code, and measure the
 speculative execution's side effects left in level 1 cache to infer the
 victim's data.

+Yet another variant 2 attack vector is for the attacker to poison the
+Branch History Buffer (BHB) to speculatively steer an indirect branch
+to a specific Branch Target Buffer (BTB) entry, even if the entry isn't
+associated with the source address of the indirect branch. Specifically,
+the BHB might be shared across privilege levels even in the presence of
+Enhanced IBRS.
+
+Currently the only known real-world BHB attack vector is via
+unprivileged eBPF. Therefore, it's highly recommended to not enable
+unprivileged eBPF, especially when eIBRS is used (without retpolines).
+For a full mitigation against BHB attacks, it's recommended to use
+retpolines (or eIBRS combined with retpolines).
+
 Attack scenarios
 ----------------

@@ -364,13 +377,15 @@ The possible values in this file are:

  - Kernel status:

-  ====================================  =================================
-  'Not affected'                        The processor is not vulnerable
-  'Vulnerable'                          Vulnerable, no mitigation
-  'Mitigation: Full generic retpoline'  Software-focused mitigation
-  'Mitigation: Full AMD retpoline'      AMD-specific software mitigation
-  'Mitigation: Enhanced IBRS'           Hardware-focused mitigation
-  ====================================  =================================
+  ========================================  =================================
+  'Not affected'                            The processor is not vulnerable
+  'Mitigation: None'                        Vulnerable, no mitigation
+  'Mitigation: Retpolines'                  Use Retpoline thunks
+  'Mitigation: LFENCE'                      Use LFENCE instructions
+  'Mitigation: Enhanced IBRS'               Hardware-focused mitigation
+  'Mitigation: Enhanced IBRS + Retpolines'  Hardware-focused + Retpolines
+  'Mitigation: Enhanced IBRS + LFENCE'      Hardware-focused + LFENCE
+  ========================================  =================================

  - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
    used to protect against Spectre variant 2 attacks when calling firmware (x86 only).
@@ -584,12 +599,13 @@ kernel command line.

 		Specific mitigations can also be selected manually:

-		retpoline
-					replace indirect branches
-		retpoline,generic
-					google's original retpoline
-		retpoline,amd
-					AMD-specific minimal thunk
+                retpoline               auto pick between generic,lfence
+                retpoline,generic       Retpolines
+                retpoline,lfence        LFENCE; indirect branch
+                retpoline,amd           alias for retpoline,lfence
+                eibrs                   enhanced IBRS
+                eibrs,retpoline         enhanced IBRS + Retpolines
+                eibrs,lfence            enhanced IBRS + LFENCE

 		Not specifying this option is equivalent to
 		spectre_v2=auto.

--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -5116,8 +5116,12 @@
 			Specific mitigations can also be selected manually:

 			retpoline	  - replace indirect branches
-			retpoline,generic - google's original retpoline
-			retpoline,amd     - AMD-specific minimal thunk
+			retpoline,generic - Retpolines
+			retpoline,lfence  - LFENCE; indirect branch
+			retpoline,amd     - alias for retpoline,lfence
+			eibrs		  - enhanced IBRS
+			eibrs,retpoline   - enhanced IBRS + Retpolines
+			eibrs,lfence      - enhanced IBRS + LFENCE

 			Not specifying this option is equivalent to
 			spectre_v2=auto.