michaelh/zephyr
1
0
Fork 0
Code Releases Activity

x86: up-level speculative attack mitigations

Browse source 
These are now part of the common Kconfig and we
build spec_ctrl.c for all.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit is contained in:
Andrew Boie 2019-11-19 23:28:17 -08:00 committed by Anas Nashif
commit edc14e50ad
5 changed files with 52 additions and 52 deletions
Download patch file Download diff file Expand all files Collapse all files

50
arch/x86/Kconfig
View file

@ -225,6 +225,56 @@ config X86_NO_SPECULATIVE_VULNERABILITIES
or is a newer chip which is immune to the class of vulnerabilities or is a newer chip which is immune to the class of vulnerabilities
which exploit speculative execution side channel attacks. which exploit speculative execution side channel attacks.
config DISABLE_SSBD
bool "Disable Speculative Store Bypass"
depends on USERSPACE
default y if !X86_NO_SPECTRE_V4
help
This option will disable Speculative Store Bypass in order to
mitigate against certain kinds of side channel attacks. Quoting
the "Speculative Execution Side Channels" document, version 2.0:
When SSBD is set, loads will not execute speculatively
until the addresses of all older stores are known. This
ensure s that a load does not speculatively consume stale
data values due to bypassing an older store on the same
logical processor.
If enabled, this applies to all threads in the system.
Even if enabled, will have no effect on CPUs that do not
require this feature.
config ENABLE_EXTENDED_IBRS
bool "Enable Extended IBRS"
depends on USERSPACE
default y if !X86_NO_SPECTRE_V2
help
This option will enable the Extended Indirect Branch Restricted
Speculation 'always on' feature. This mitigates Indirect Branch
Control vulnerabilities (aka Spectre V2).
config X86_BOUNDS_CHECK_BYPASS_MITIGATION
bool
depends on USERSPACE
default y if !X86_NO_SPECTRE_V1
select BOUNDS_CHECK_BYPASS_MITIGATION
help
Hidden config to select arch-independent option to enable
Spectre V1 mitigations by default if the CPU is not known
to be immune to it.
config X86_KPTI
bool "Enable kernel page table isolation"
default y
depends on USERSPACE
depends on !X86_NO_MELTDOWN
help
Implements kernel page table isolation to mitigate Meltdown exploits
to read Kernel RAM. Incurs a significant performance cost for
user thread interrupts and system calls, and significant footprint
increase for additional page tables and trampoline stacks.
source "arch/x86/core/Kconfig.ia32" source "arch/x86/core/Kconfig.ia32"
source "arch/x86/core/Kconfig.intel64" source "arch/x86/core/Kconfig.intel64"

1
arch/x86/core/CMakeLists.txt
View file

@ -11,6 +11,7 @@ zephyr_library_sources(cpuhalt.c)
zephyr_library_sources(memmap.c) zephyr_library_sources(memmap.c)
zephyr_library_sources(prep_c.c) zephyr_library_sources(prep_c.c)
zephyr_library_sources(fatal.c) zephyr_library_sources(fatal.c)
zephyr_library_sources(spec_ctrl.c)
zephyr_library_sources_if_kconfig(pcie.c) zephyr_library_sources_if_kconfig(pcie.c)
zephyr_library_sources_if_kconfig(reboot_rst_cnt.c) zephyr_library_sources_if_kconfig(reboot_rst_cnt.c)

52
arch/x86/core/Kconfig.ia32
View file

@ -41,34 +41,7 @@ config GDT_DYNAMIC
endmenu endmenu
config DISABLE_SSBD menu "Processor Capabilities"
bool "Disable Speculative Store Bypass"
depends on USERSPACE
default y if !X86_NO_SPECTRE_V4
help
This option will disable Speculative Store Bypass in order to
mitigate against certain kinds of side channel attacks. Quoting
the "Speculative Execution Side Channels" document, version 2.0:
When SSBD is set, loads will not execute speculatively
until the addresses of all older stores are known. This
ensure s that a load does not speculatively consume stale
data values due to bypassing an older store on the same
logical processor.
If enabled, this applies to all threads in the system.
Even if enabled, will have no effect on CPUs that do not
require this feature.
config ENABLE_EXTENDED_IBRS
bool "Enable Extended IBRS"
depends on USERSPACE
default y if !X86_NO_SPECTRE_V2
help
This option will enable the Extended Indirect Branch Restricted
Speculation 'always on' feature. This mitigates Indirect Branch
Control vulnerabilities (aka Spectre V2).
config X86_RETPOLINE config X86_RETPOLINE
bool "Build with retpolines enabled in x86 assembly code" bool "Build with retpolines enabled in x86 assembly code"
@ -80,18 +53,6 @@ config X86_RETPOLINE
[1] https://support.google.com/faqs/answer/7625886 [1] https://support.google.com/faqs/answer/7625886
config X86_BOUNDS_CHECK_BYPASS_MITIGATION
bool
depends on USERSPACE
default y if !X86_NO_SPECTRE_V1
select BOUNDS_CHECK_BYPASS_MITIGATION
help
Hidden config to select arch-independent option to enable
Spectre V1 mitigations by default if the CPU is not known
to be immune to it.
menu "Processor Capabilities"
config X86_ENABLE_TSS config X86_ENABLE_TSS
bool bool
help help
@ -124,17 +85,6 @@ config X86_USERSPACE
supporting user-level threads that are protected from each other and supporting user-level threads that are protected from each other and
from crashing the kernel. from crashing the kernel.
config X86_KPTI
bool "Enable kernel page table isolation"
default y
depends on USERSPACE
depends on !X86_NO_MELTDOWN
help
Implements kernel page table isolation to mitigate Meltdown exploits
to read Kernel RAM. Incurs a significant performance cost for
user thread interrupts and system calls, and significant footprint
increase for additional page tables and trampoline stacks.
menu "Architecture Floating Point Options" menu "Architecture Floating Point Options"
depends on CPU_HAS_FPU depends on CPU_HAS_FPU

1
arch/x86/core/ia32.cmake
View file

@ -17,7 +17,6 @@ zephyr_library_sources(
ia32/irq_manage.c ia32/irq_manage.c
ia32/swap.S ia32/swap.S
ia32/thread.c ia32/thread.c
ia32/spec_ctrl.c
) )
zephyr_library_sources_ifdef(CONFIG_IRQ_OFFLOAD ia32/irq_offload.c) zephyr_library_sources_ifdef(CONFIG_IRQ_OFFLOAD ia32/irq_offload.c)

0
arch/x86/core/ia32/spec_ctrl.c → arch/x86/core/spec_ctrl.c
View file