zephyr/arch/x86/core/spec_ctrl.c

/*
 * Copyright (c) 2018 Intel Corporation
 *
 * SPDX-License-Identifier: Apache-2.0
 */

#include <zephyr/init.h>
#include <zephyr/kernel.h>
#include <kernel_arch_data.h>
#include <kernel_arch_func.h>
#include <zephyr/arch/x86/msr.h>
#include <zephyr/arch/x86/cpuid.h>

/*
 * See:
 * https://software.intel.com/security-software-guidance/api-app/sites/default/files/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
 */

#if defined(CONFIG_X86_DISABLE_SSBD) || defined(CONFIG_X86_ENABLE_EXTENDED_IBRS)
static int spec_ctrl_init(void)
{

	uint32_t enable_bits = 0U;
	uint32_t cpuid7 = z_x86_cpuid_extended_features();

#ifdef CONFIG_X86_DISABLE_SSBD
	if ((cpuid7 & CPUID_SPEC_CTRL_SSBD) != 0U) {
		enable_bits |= X86_SPEC_CTRL_MSR_SSBD;
	}
#endif
#ifdef CONFIG_X86_ENABLE_EXTENDED_IBRS
	if ((cpuid7 & CPUID_SPEC_CTRL_IBRS) != 0U) {
		enable_bits |= X86_SPEC_CTRL_MSR_IBRS;
	}
#endif
	if (enable_bits != 0U) {
		uint64_t cur = z_x86_msr_read(X86_SPEC_CTRL_MSR);

		z_x86_msr_write(X86_SPEC_CTRL_MSR,
			       cur | enable_bits);
	}

	return 0;
}

SYS_INIT(spec_ctrl_init, PRE_KERNEL_1, 0);
#endif /* CONFIG_X86_DISABLE_SSBD || CONFIG_X86_ENABLE_EXTENDED_IBRS */
arch: x86: Allow disabling speculative store bypass In order to mitigate against Spectre V4, add an option that will, at boot time, verify if the CPU supports the SPEC_CTRL MSR; if so, it'll attempt to disable the feature. More information can be found in chapter 4 (Speculative Store Bypass Mitigation) of the "Speculative Execution Side Channel Mitigations" document, version 2, published by Intel: https://goo.gl/nocTcj Signed-off-by: Leandro Pereira <leandro.pereira@intel.com> 2018-05-22 02:47:47 +02:00			`/*`
			`* Copyright (c) 2018 Intel Corporation`
			`*`
			`* SPDX-License-Identifier: Apache-2.0`
			`*/`

arch: migrate includes to <zephyr/...> In order to bring consistency in-tree, migrate all arch code to the new prefix <zephyr/...>. Note that the conversion has been scripted, refer to zephyrproject-rtos#45388 for more details. Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no> 2022-05-06 10:49:15 +02:00			`#include <zephyr/init.h>`
arch: x86: core: include kernel.h first There seems to be an unresolved dependency chain in some x86 arch headers, this file needs kernel.h to be included before arch_data/func. This patch is a workaround, but problem should be fixed properly at some point. Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no> 2022-10-05 16:09:51 +02:00			`#include <zephyr/kernel.h>`
arch: x86: Allow disabling speculative store bypass In order to mitigate against Spectre V4, add an option that will, at boot time, verify if the CPU supports the SPEC_CTRL MSR; if so, it'll attempt to disable the feature. More information can be found in chapter 4 (Speculative Store Bypass Mitigation) of the "Speculative Execution Side Channel Mitigations" document, version 2, published by Intel: https://goo.gl/nocTcj Signed-off-by: Leandro Pereira <leandro.pereira@intel.com> 2018-05-22 02:47:47 +02:00			`#include <kernel_arch_data.h>`
			`#include <kernel_arch_func.h>`
arch: migrate includes to <zephyr/...> In order to bring consistency in-tree, migrate all arch code to the new prefix <zephyr/...>. Note that the conversion has been scripted, refer to zephyrproject-rtos#45388 for more details. Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no> 2022-05-06 10:49:15 +02:00			`#include <zephyr/arch/x86/msr.h>`
			`#include <zephyr/arch/x86/cpuid.h>`
arch: x86: Allow disabling speculative store bypass In order to mitigate against Spectre V4, add an option that will, at boot time, verify if the CPU supports the SPEC_CTRL MSR; if so, it'll attempt to disable the feature. More information can be found in chapter 4 (Speculative Store Bypass Mitigation) of the "Speculative Execution Side Channel Mitigations" document, version 2, published by Intel: https://goo.gl/nocTcj Signed-off-by: Leandro Pereira <leandro.pereira@intel.com> 2018-05-22 02:47:47 +02:00
x86: enable Extended IBRS This is a CPU mitigation feature for Spectre V2 attacks Signed-off-by: Andrew Boie <andrew.p.boie@intel.com> 2019-03-01 00:51:56 +01:00			`/*`
			`* See:`
			`* https://software.intel.com/security-software-guidance/api-app/sites/default/files/336996-Speculative-Execution-Side-Channel-Mitigations.pdf`
			`*/`

x86: prefix x86 SSBD and IBRS related kconfigs with X86 There are two kconfigs that are security related and are x86 specific. Prefix them with X86 to put them under the x86 namespace. Signed-off-by: Daniel Leung <daniel.leung@intel.com> 2024-03-01 19:43:41 +01:00			`#if defined(CONFIG_X86_DISABLE_SSBD) \|\| defined(CONFIG_X86_ENABLE_EXTENDED_IBRS)`
init: remove the need for a dummy device pointer in SYS_INIT functions The init infrastructure, found in `init.h`, is currently used by: - `SYS_INIT`: to call functions before `main` - `DEVICE_`: to initialize devices They are all sorted according to an initialization level + a priority. `SYS_INIT` calls are really orthogonal to devices, however, the required function signature requires a `const struct device dev` as a first argument. The only reason for that is because the same init machinery is used by devices, so we have something like: ```c struct init_entry { int (init)(const struct device dev); /* only set by DEVICE_, otherwise NULL / const struct device dev; } ``` As a result, we end up with such weird/ugly pattern: ```c static int my_init(const struct device dev) { /* always NULL! add ARG_UNUSED to avoid compiler warning / ARG_UNUSED(dev); ... } ``` This is really a result of poor internals isolation. This patch proposes a to make init entries more flexible so that they can accept sytem initialization calls like this: ```c static int my_init(void) { ... } ``` This is achieved using a union: ```c union init_function { / for SYS_INIT, used when init_entry.dev == NULL / int (sys)(void); /* for DEVICE, used when init_entry.dev != NULL / int (dev)(const struct device dev); }; struct init_entry { /* stores init function (either for SYS_INIT or DEVICE) union init_function init_fn; / stores device pointer for DEVICE, NULL for SYS_INIT. Allows to know which union entry to call. / const struct device dev; } ``` This solution does not increase ROM usage, and allows to offer clean public APIs for both SYS_INIT and DEVICE. Note that however, init machinery keeps a coupling with devices. NOTE: This is a breaking change! All `SYS_INIT` functions will need to be converted to the new signature. See the script offered in the following commit. Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no> init: convert SYS_INIT functions to the new signature Conversion scripted using scripts/utils/migrate_sys_init.py. Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no> manifest: update projects for SYS_INIT changes Update modules with updated SYS_INIT calls: - hal_ti - lvgl - sof - TraceRecorderSource Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no> tests: devicetree: devices: adjust test Adjust test according to the recently introduced SYS_INIT infrastructure. Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no> tests: kernel: threads: adjust SYS_INIT call Adjust to the new signature: int (init_fn)(void); Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no> 2022-10-19 09:33:44 +02:00			`static int spec_ctrl_init(void)`
arch: x86: Allow disabling speculative store bypass In order to mitigate against Spectre V4, add an option that will, at boot time, verify if the CPU supports the SPEC_CTRL MSR; if so, it'll attempt to disable the feature. More information can be found in chapter 4 (Speculative Store Bypass Mitigation) of the "Speculative Execution Side Channel Mitigations" document, version 2, published by Intel: https://goo.gl/nocTcj Signed-off-by: Leandro Pereira <leandro.pereira@intel.com> 2018-05-22 02:47:47 +02:00			`{`
x86: enable Extended IBRS This is a CPU mitigation feature for Spectre V2 attacks Signed-off-by: Andrew Boie <andrew.p.boie@intel.com> 2019-03-01 00:51:56 +01:00
zephyr: replace zephyr integer types with C99 types git grep -l 'u\(8\\|16\\|32\\|64\)_t' \| \ xargs sed -i "s/u\(8\\|16\\|32\\|64\)_t/uint\1_t/g" git grep -l 's\(8\\|16\\|32\\|64\)_t' \| \ xargs sed -i "s/s\(8\\|16\\|32\\|64\)_t/int\1_t/g" Signed-off-by: Kumar Gala <kumar.gala@linaro.org> 2020-05-27 18:26:57 +02:00			`uint32_t enable_bits = 0U;`
arch/x86: Have a dedicated place for CPUID related functions This will centralize CPUID related accessors. There was no need for it so far, but this is going to change. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> 2022-02-04 09:55:47 +01:00			`uint32_t cpuid7 = z_x86_cpuid_extended_features();`
x86: enable Extended IBRS This is a CPU mitigation feature for Spectre V2 attacks Signed-off-by: Andrew Boie <andrew.p.boie@intel.com> 2019-03-01 00:51:56 +01:00
x86: prefix x86 SSBD and IBRS related kconfigs with X86 There are two kconfigs that are security related and are x86 specific. Prefix them with X86 to put them under the x86 namespace. Signed-off-by: Daniel Leung <daniel.leung@intel.com> 2024-03-01 19:43:41 +01:00			`#ifdef CONFIG_X86_DISABLE_SSBD`
all: Add 'U' suffix when using unsigned variables Add a 'U' suffix to values when computing and comparing against unsigned variables. Signed-off-by: Patrik Flykt <patrik.flykt@intel.com> 2019-03-27 02:57:45 +01:00			`if ((cpuid7 & CPUID_SPEC_CTRL_SSBD) != 0U) {`
arch/x86: clean up model-specific register definitions in msr.h Eliminate definitions for MSRs that we don't use. Centralize the definitions for the MSRs that we do use, including their fields. Signed-off-by: Charles E. Youse <charles.youse@intel.com> 2019-06-27 19:41:58 +02:00			`enable_bits \|= X86_SPEC_CTRL_MSR_SSBD;`
x86: enable Extended IBRS This is a CPU mitigation feature for Spectre V2 attacks Signed-off-by: Andrew Boie <andrew.p.boie@intel.com> 2019-03-01 00:51:56 +01:00			`}`
			`#endif`
x86: prefix x86 SSBD and IBRS related kconfigs with X86 There are two kconfigs that are security related and are x86 specific. Prefix them with X86 to put them under the x86 namespace. Signed-off-by: Daniel Leung <daniel.leung@intel.com> 2024-03-01 19:43:41 +01:00			`#ifdef CONFIG_X86_ENABLE_EXTENDED_IBRS`
all: Add 'U' suffix when using unsigned variables Add a 'U' suffix to values when computing and comparing against unsigned variables. Signed-off-by: Patrik Flykt <patrik.flykt@intel.com> 2019-03-27 02:57:45 +01:00			`if ((cpuid7 & CPUID_SPEC_CTRL_IBRS) != 0U) {`
arch/x86: clean up model-specific register definitions in msr.h Eliminate definitions for MSRs that we don't use. Centralize the definitions for the MSRs that we do use, including their fields. Signed-off-by: Charles E. Youse <charles.youse@intel.com> 2019-06-27 19:41:58 +02:00			`enable_bits \|= X86_SPEC_CTRL_MSR_IBRS;`
x86: enable Extended IBRS This is a CPU mitigation feature for Spectre V2 attacks Signed-off-by: Andrew Boie <andrew.p.boie@intel.com> 2019-03-01 00:51:56 +01:00			`}`
			`#endif`
all: Add 'U' suffix when using unsigned variables Add a 'U' suffix to values when computing and comparing against unsigned variables. Signed-off-by: Patrik Flykt <patrik.flykt@intel.com> 2019-03-27 02:57:45 +01:00			`if (enable_bits != 0U) {`
zephyr: replace zephyr integer types with C99 types git grep -l 'u\(8\\|16\\|32\\|64\)_t' \| \ xargs sed -i "s/u\(8\\|16\\|32\\|64\)_t/uint\1_t/g" git grep -l 's\(8\\|16\\|32\\|64\)_t' \| \ xargs sed -i "s/s\(8\\|16\\|32\\|64\)_t/int\1_t/g" Signed-off-by: Kumar Gala <kumar.gala@linaro.org> 2020-05-27 18:26:57 +02:00			`uint64_t cur = z_x86_msr_read(X86_SPEC_CTRL_MSR);`
arch: x86: Allow disabling speculative store bypass In order to mitigate against Spectre V4, add an option that will, at boot time, verify if the CPU supports the SPEC_CTRL MSR; if so, it'll attempt to disable the feature. More information can be found in chapter 4 (Speculative Store Bypass Mitigation) of the "Speculative Execution Side Channel Mitigations" document, version 2, published by Intel: https://goo.gl/nocTcj Signed-off-by: Leandro Pereira <leandro.pereira@intel.com> 2018-05-22 02:47:47 +02:00
arch/x86: move MSR definitions to include/arch/x86/msr.h Light reorganization. All MSR definitions and manipulation functions are consolidated into one header. The names are changed to use an X86_* prefix instead of IA32_* which is misleading/incorrect. Signed-off-by: Charles E. Youse <charles.youse@intel.com> 2019-06-04 21:42:01 +02:00			`z_x86_msr_write(X86_SPEC_CTRL_MSR,`
x86: enable Extended IBRS This is a CPU mitigation feature for Spectre V2 attacks Signed-off-by: Andrew Boie <andrew.p.boie@intel.com> 2019-03-01 00:51:56 +01:00			`cur \| enable_bits);`
arch: x86: Allow disabling speculative store bypass In order to mitigate against Spectre V4, add an option that will, at boot time, verify if the CPU supports the SPEC_CTRL MSR; if so, it'll attempt to disable the feature. More information can be found in chapter 4 (Speculative Store Bypass Mitigation) of the "Speculative Execution Side Channel Mitigations" document, version 2, published by Intel: https://goo.gl/nocTcj Signed-off-by: Leandro Pereira <leandro.pereira@intel.com> 2018-05-22 02:47:47 +02:00			`}`

			`return 0;`
			`}`

x86: enable Extended IBRS This is a CPU mitigation feature for Spectre V2 attacks Signed-off-by: Andrew Boie <andrew.p.boie@intel.com> 2019-03-01 00:51:56 +01:00			`SYS_INIT(spec_ctrl_init, PRE_KERNEL_1, 0);`
x86: prefix x86 SSBD and IBRS related kconfigs with X86 There are two kconfigs that are security related and are x86 specific. Prefix them with X86 to put them under the x86 namespace. Signed-off-by: Daniel Leung <daniel.leung@intel.com> 2024-03-01 19:43:41 +01:00			`#endif /* CONFIG_X86_DISABLE_SSBD \|\| CONFIG_X86_ENABLE_EXTENDED_IBRS */`