From nobody Thu Dec 21 13:43:21 2023 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Sws896N7Sz54pfT; Thu, 21 Dec 2023 13:43:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Sws895nXhz4NFF; Thu, 21 Dec 2023 13:43:21 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1703166201; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Xw1PYDei69F4QvfYVJuLjMLr7Md4CdU5J3KKt2m/syk=; b=Lc8mkcFSWptHHfn22jZrT18oypanCkrh+bhLQjPUH+DM4WMP1Jvn/oGXgV4hRCjkHDUqpr PFZKMU7aemsI+PgXdgL8yO8rYJSCwlOBAR56h2RVURotEUJ5s+UTz9T6yKRPpVTOFjg39S 6+gvKAziEXLxVfmQhb2316MbDyGmlrK+LaGmcOePWqysKkHuK64KgsRZrPKXFPjHLWAX17 CgJNScvVyP08KEYYR/T4dJxjdZXcgu12ZVGH5PSpgK+xPolZrLvp6bdcck0btOqSwhmlrG va1lZsdD1+mRDZqo0OVMJoaJRiUxg2bNnGF4e2n/WeyoO2VY3wJBGSobCNn0Ag== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1703166201; a=rsa-sha256; cv=none; b=d2tusZNxchnBDg5qS3Bl8OLJX5db3X7MUkt5YMtLoNcj5Io1LGQiuXdvoeLluWgUNJmiVb 8djBJiM/kqtCZBZVRiiau0ZeMQPxOBNKLFMwDUNbYKgTCQgh1Ofdd97lV1L64PciEjS70f I0SzEjXCM5Dd+zHcDIfL+2PB+hqVZfXrZbKXQHxEafjj+pfg1DkSJtXJDntOkWeK+qb4VZ KRuBf9IGNgfNWCF2EqnzTpqvZWv/bWG8+r/F+LfHK75QWUfYMdJ6a6WbmNUKxGcXOXQF0Q RbIMKIKjsY/nyyjDGZY/K+dt/AiEp75KwgMA31FU/buXdeEbnCUYg+Amn+j77A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1703166201; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Xw1PYDei69F4QvfYVJuLjMLr7Md4CdU5J3KKt2m/syk=; b=ZcIXV9qTllFpWx4AC542TfWb6WEBBb9sfdVzLgORq8kxN5tc8cqpdklPYx0BkaAoTa1sGk XRJWv1EcL6sLmG5pbSWPuaNqrQbzwrwSUGTe6CWD8FPBc6ziVdTG4+ry9oKRJcDg4D3or+ 8oysG1/GP2wVT5qF4Zb2Gxeg4OVK9b43kwV+yEXho94mAiet2KUoLRquWFLvfR5wgqM3iH q+rkJtnbtdOVWa6L0VKpCuSXNPcD4rMC5XKhgIEfDQn12/yiycc6DsBv/ccTHo+JHsWN6g GtSdSiM4+T+BAYrKuWAuSaROA76p4GtckVKXiYRsoaEYt00YjdEJe+Y2dZC2Pg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Sws894rfVzZmG; Thu, 21 Dec 2023 13:43:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 3BLDhLQA078530; Thu, 21 Dec 2023 13:43:21 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 3BLDhLH8078527; Thu, 21 Dec 2023 13:43:21 GMT (envelope-from git) Date: Thu, 21 Dec 2023 13:43:21 GMT Message-Id: <202312211343.3BLDhLH8078527@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Olivier Certner Subject: git: 7552dce04702 - stable/13 - x86: AMD Zen2: Zenbleed chicken bit mitigation List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: olce X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 7552dce0470201fc150b0fc7a2c1b5c452dc35ca Auto-Submitted: auto-generated The branch stable/13 has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=7552dce0470201fc150b0fc7a2c1b5c452dc35ca commit 7552dce0470201fc150b0fc7a2c1b5c452dc35ca Author: Olivier Certner AuthorDate: 2023-09-11 14:18:30 +0000 Commit: Olivier Certner CommitDate: 2023-12-21 13:35:48 +0000 x86: AMD Zen2: Zenbleed chicken bit mitigation Applies only to bare-metal Zen2 processors. The system currently automatically applies it to all of them. Tunable/sysctl 'machdep.mitigations.zenbleed.enable' can be used to forcibly enable or disable the mitigation at boot or run-time. Possible values are: 0: Mitigation disabled 1: Mitigation enabled 2: Run the automatic determination. Currently, value 2 is the default and has identical effect as value 1. This might change in the future if we choose to take into account microcode revisions in the automatic determination process. The tunable/sysctl value is simply ignored on non-applicable CPU models, which is useful to apply the same configuration on a set of machines that do not all have Zen2 processors. Trying to set it to any integer value not listed above is silently equivalent to setting it to value 2 (automatic determination). The current mitigation state can be queried through sysctl 'machdep.mitigations.zenbleed.state', which returns "Not applicable", "Mitigation enabled" or "Mitigation disabled". Note that this state is not guaranteed to be accurate in case of intervening modifications of the corresponding chicken bit directly via cpuctl(4) (this includes the cpucontrol(8) utility). Resetting the desired policy through 'machdep.mitigations.zenbleed.enable' (possibly to its current value) will reset the hardware state and ensure that the reported state is again coherent with it. Reviewed by: kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41817 (cherry picked from commit ebaea1bcd2eb0aa90937637ed305184b6fedc69b) Approved by: markj (mentor) --- sys/amd64/acpica/acpi_wakeup.c | 1 + sys/amd64/amd64/initcpu.c | 3 + sys/amd64/amd64/machdep.c | 4 ++ sys/dev/cpuctl/cpuctl.c | 1 + sys/x86/include/specialreg.h | 1 + sys/x86/include/x86_var.h | 3 + sys/x86/x86/cpu_machdep.c | 123 +++++++++++++++++++++++++++++++++++++++++ 7 files changed, 136 insertions(+) diff --git a/sys/amd64/acpica/acpi_wakeup.c b/sys/amd64/acpica/acpi_wakeup.c index 3b21935255cb..0f9f987b6590 100644 --- a/sys/amd64/acpica/acpi_wakeup.c +++ b/sys/amd64/acpica/acpi_wakeup.c @@ -306,6 +306,7 @@ acpi_wakeup_machdep(struct acpi_softc *sc, int state, int sleep_result, amd64_syscall_ret_flush_l1d_recalc(); hw_ssb_recalculate(true); x86_rngds_mitg_recalculate(true); + zenbleed_check_and_apply(true); AcpiSetFirmwareWakingVector(0, 0); } else { diff --git a/sys/amd64/amd64/initcpu.c b/sys/amd64/amd64/initcpu.c index eb699a4f90fc..20ac7f7c6be1 100644 --- a/sys/amd64/amd64/initcpu.c +++ b/sys/amd64/amd64/initcpu.c @@ -193,6 +193,9 @@ init_amd(void) hw_lower_amd64_sharedpage = 1; } } + + /* Zenbleed. See the comments in 'cpu_machdep.c'. */ + zenbleed_check_and_apply(false); } /* diff --git a/sys/amd64/amd64/machdep.c b/sys/amd64/amd64/machdep.c index d4de3c0fd679..eef11f0bdddd 100644 --- a/sys/amd64/amd64/machdep.c +++ b/sys/amd64/amd64/machdep.c @@ -1493,6 +1493,10 @@ hammer_time(u_int64_t modulep, u_int64_t physfree) TUNABLE_INT_FETCH("machdep.mitigations.rngds.enable", &x86_rngds_mitg_enable); + TUNABLE_INT_FETCH("machdep.mitigations.zenbleed.enable", + &zenbleed_enable); + zenbleed_sanitize_enable(); + finishidentcpu(); /* Final stage of CPU initialization */ /* diff --git a/sys/dev/cpuctl/cpuctl.c b/sys/dev/cpuctl/cpuctl.c index 9c56db1ad19a..1fa655342121 100644 --- a/sys/dev/cpuctl/cpuctl.c +++ b/sys/dev/cpuctl/cpuctl.c @@ -546,6 +546,7 @@ cpuctl_do_eval_cpu_features(int cpu, struct thread *td) hw_mds_recalculate(); x86_taa_recalculate(); x86_rngds_mitg_recalculate(true); + zenbleed_check_and_apply(true); printcpuinfo(); return (0); } diff --git a/sys/x86/include/specialreg.h b/sys/x86/include/specialreg.h index f45990a056c8..4886430c84b6 100644 --- a/sys/x86/include/specialreg.h +++ b/sys/x86/include/specialreg.h @@ -1172,6 +1172,7 @@ /* MSR_DE_CFG */ #define DE_CFG_10H_12H_STACK_POINTER_JUMP_FIX_BIT 0x1 #define DE_CFG_ZEN_LOAD_STALE_DATA_FIX_BIT 0x2000 +#define DE_CFG_ZEN2_FP_BACKUP_FIX_BIT 0x200 /* VIA ACE crypto featureset: for via_feature_rng */ #define VIA_HAS_RNG 1 /* cpu has RNG */ diff --git a/sys/x86/include/x86_var.h b/sys/x86/include/x86_var.h index 5998998f0a5f..c938d96372d8 100644 --- a/sys/x86/include/x86_var.h +++ b/sys/x86/include/x86_var.h @@ -90,6 +90,7 @@ extern int hw_ssb_active; extern int x86_taa_enable; extern int cpu_flush_rsb_ctxsw; extern int x86_rngds_mitg_enable; +extern int zenbleed_enable; extern int cpu_amdc1e_bug; struct pcb; @@ -139,6 +140,8 @@ void hw_mds_recalculate(void); void hw_ssb_recalculate(bool all_cpus); void x86_taa_recalculate(void); void x86_rngds_mitg_recalculate(bool all_cpus); +void zenbleed_sanitize_enable(void); +void zenbleed_check_and_apply(bool all_cpus); void nmi_call_kdb(u_int cpu, u_int type, struct trapframe *frame); void nmi_call_kdb_smp(u_int type, struct trapframe *frame); void nmi_handle_intr(u_int type, struct trapframe *frame); diff --git a/sys/x86/x86/cpu_machdep.c b/sys/x86/x86/cpu_machdep.c index 51928805a653..5b8ff03d721b 100644 --- a/sys/x86/x86/cpu_machdep.c +++ b/sys/x86/x86/cpu_machdep.c @@ -1482,6 +1482,129 @@ SYSCTL_PROC(_machdep_mitigations_rngds, OID_AUTO, state, sysctl_rngds_state_handler, "A", "MCU Optimization state"); + +/* + * Zenbleed. + * + * No corresponding errata is publicly listed. AMD has issued a security + * bulletin (AMD-SB-7008), entitled "Cross-Process Information Leak". This + * document lists (as of August 2023) platform firmware's availability target + * dates, with most being November/December 2023. It will then be up to + * motherboard manufacturers to produce corresponding BIOS updates, which will + * happen with an inevitable lag. Additionally, for a variety of reasons, + * operators might not be able to apply them everywhere due. On the side of + * standalone CPU microcodes, no plans for availability have been published so + * far. However, a developer appearing to be an AMD employee has hardcoded in + * Linux revision numbers of future microcodes that are presumed to fix the + * vulnerability. + * + * Given the stability issues encountered with early microcode releases for Rome + * (the only microcode publicly released so far) and the absence of official + * communication on standalone CPU microcodes, we have opted instead for + * matching by default all AMD Zen2 processors which, according to the + * vulnerability's discoverer, are all affected (see + * https://lock.cmpxchg8b.com/zenbleed.html). This policy, also adopted by + * OpenBSD, may be overriden using the tunable/sysctl + * 'machdep.mitigations.zenbleed.enable'. We might revise it later depending on + * official statements, microcode updates' public availability and community + * assessment that they actually fix the vulnerability without any instability + * side effects. + */ + +SYSCTL_NODE(_machdep_mitigations, OID_AUTO, zenbleed, + CTLFLAG_RW | CTLFLAG_MPSAFE, 0, + "Zenbleed OS-triggered prevention (via chicken bit)"); + +/* 2 is auto, see below. */ +int zenbleed_enable = 2; + +void +zenbleed_sanitize_enable(void) +{ + /* Default to auto (2). */ + if (zenbleed_enable < 0 || zenbleed_enable > 2) + zenbleed_enable = 2; +} + +static bool +zenbleed_chicken_bit_applicable(void) +{ + /* Concerns only bare-metal AMD Zen2 processors. */ + return (cpu_vendor_id == CPU_VENDOR_AMD && + CPUID_TO_FAMILY(cpu_id) == 0x17 && + CPUID_TO_MODEL(cpu_id) >= 0x30 && + vm_guest == VM_GUEST_NO); +} + +static bool +zenbleed_chicken_bit_should_enable(void) +{ + /* + * Obey tunable/sysctl. + * + * As explained above, currently, the automatic setting (2) and the "on" + * one (1) have the same effect. In the future, we might additionally + * check for specific microcode revisions as part of the automatic + * determination. + */ + return (zenbleed_enable != 0); +} + +void +zenbleed_check_and_apply(bool all_cpus) +{ + bool set; + + if (!zenbleed_chicken_bit_applicable()) + return; + + set = zenbleed_chicken_bit_should_enable(); + + x86_msr_op(MSR_DE_CFG, + (set ? MSR_OP_OR : MSR_OP_ANDNOT) | + (all_cpus ? MSR_OP_RENDEZVOUS_ALL : MSR_OP_LOCAL), + DE_CFG_ZEN2_FP_BACKUP_FIX_BIT, NULL); +} + +static int +sysctl_zenbleed_enable_handler(SYSCTL_HANDLER_ARGS) +{ + int error, val; + + val = zenbleed_enable; + error = sysctl_handle_int(oidp, &val, 0, req); + if (error != 0 || req->newptr == NULL) + return (error); + zenbleed_enable = val; + zenbleed_sanitize_enable(); + zenbleed_check_and_apply(true); + return (0); +} +SYSCTL_PROC(_machdep_mitigations_zenbleed, OID_AUTO, enable, CTLTYPE_INT | + CTLFLAG_RWTUN | CTLFLAG_NOFETCH | CTLFLAG_MPSAFE, NULL, 0, + sysctl_zenbleed_enable_handler, "I", + "Enable Zenbleed OS-triggered mitigation (chicken bit) " + "(0: Force disable, 1: Force enable, 2: Automatic determination)"); + +static int +sysctl_zenbleed_state_handler(SYSCTL_HANDLER_ARGS) +{ + const char *state; + + if (!zenbleed_chicken_bit_applicable()) + state = "Not applicable"; + else if (zenbleed_chicken_bit_should_enable()) + state = "Mitigation enabled"; + else + state = "Mitigation disabled"; + return (SYSCTL_OUT(req, state, strlen(state))); +} +SYSCTL_PROC(_machdep_mitigations_zenbleed, OID_AUTO, state, + CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, + sysctl_zenbleed_state_handler, "A", + "Zenbleed OS-triggered mitigation (chicken bit) state"); + + /* * Enable and restore kernel text write permissions. * Callers must ensure that disable_wp()/restore_wp() are executed