Documentation/hw-vuln: Add VMSCAPE documentation
VMSCAPE is a vulnerability that may allow a guest to influence the branch prediction in host userspace, particularly affecting hypervisors like QEMU. Add the documentation. Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>pull/824/head
Pawan Gupta
Dave Hansen
parent
8f5ae30d69
commit
9969779d08
|
|
@ -26,3 +26,4 @@ are configurable at compile, boot or run time.
|
||||||
rsb
|
rsb
|
||||||
old_microcode
|
old_microcode
|
||||||
indirect-target-selection
|
indirect-target-selection
|
||||||
|
vmscape
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,110 @@
|
||||||
|
.. SPDX-License-Identifier: GPL-2.0
|
||||||
|
|
||||||
|
VMSCAPE
|
||||||
|
=======
|
||||||
|
|
||||||
|
VMSCAPE is a vulnerability that may allow a guest to influence the branch
|
||||||
|
prediction in host userspace. It particularly affects hypervisors like QEMU.
|
||||||
|
|
||||||
|
Even if a hypervisor may not have any sensitive data like disk encryption keys,
|
||||||
|
guest-userspace may be able to attack the guest-kernel using the hypervisor as
|
||||||
|
a confused deputy.
|
||||||
|
|
||||||
|
Affected processors
|
||||||
|
-------------------
|
||||||
|
|
||||||
|
The following CPU families are affected by VMSCAPE:
|
||||||
|
|
||||||
|
**Intel processors:**
|
||||||
|
- Skylake generation (Parts without Enhanced-IBRS)
|
||||||
|
- Cascade Lake generation - (Parts affected by ITS guest/host separation)
|
||||||
|
- Alder Lake and newer (Parts affected by BHI)
|
||||||
|
|
||||||
|
Note that, BHI affected parts that use BHB clearing software mitigation e.g.
|
||||||
|
Icelake are not vulnerable to VMSCAPE.
|
||||||
|
|
||||||
|
**AMD processors:**
|
||||||
|
- Zen series (families 0x17, 0x19, 0x1a)
|
||||||
|
|
||||||
|
** Hygon processors:**
|
||||||
|
- Family 0x18
|
||||||
|
|
||||||
|
Mitigation
|
||||||
|
----------
|
||||||
|
|
||||||
|
Conditional IBPB
|
||||||
|
----------------
|
||||||
|
|
||||||
|
Kernel tracks when a CPU has run a potentially malicious guest and issues an
|
||||||
|
IBPB before the first exit to userspace after VM-exit. If userspace did not run
|
||||||
|
between VM-exit and the next VM-entry, no IBPB is issued.
|
||||||
|
|
||||||
|
Note that the existing userspace mitigation against Spectre-v2 is effective in
|
||||||
|
protecting the userspace. They are insufficient to protect the userspace VMMs
|
||||||
|
from a malicious guest. This is because Spectre-v2 mitigations are applied at
|
||||||
|
context switch time, while the userspace VMM can run after a VM-exit without a
|
||||||
|
context switch.
|
||||||
|
|
||||||
|
Vulnerability enumeration and mitigation is not applied inside a guest. This is
|
||||||
|
because nested hypervisors should already be deploying IBPB to isolate
|
||||||
|
themselves from nested guests.
|
||||||
|
|
||||||
|
SMT considerations
|
||||||
|
------------------
|
||||||
|
|
||||||
|
When Simultaneous Multi-Threading (SMT) is enabled, hypervisors can be
|
||||||
|
vulnerable to cross-thread attacks. For complete protection against VMSCAPE
|
||||||
|
attacks in SMT environments, STIBP should be enabled.
|
||||||
|
|
||||||
|
The kernel will issue a warning if SMT is enabled without adequate STIBP
|
||||||
|
protection. Warning is not issued when:
|
||||||
|
|
||||||
|
- SMT is disabled
|
||||||
|
- STIBP is enabled system-wide
|
||||||
|
- Intel eIBRS is enabled (which implies STIBP protection)
|
||||||
|
|
||||||
|
System information and options
|
||||||
|
------------------------------
|
||||||
|
|
||||||
|
The sysfs file showing VMSCAPE mitigation status is:
|
||||||
|
|
||||||
|
/sys/devices/system/cpu/vulnerabilities/vmscape
|
||||||
|
|
||||||
|
The possible values in this file are:
|
||||||
|
|
||||||
|
* 'Not affected':
|
||||||
|
|
||||||
|
The processor is not vulnerable to VMSCAPE attacks.
|
||||||
|
|
||||||
|
* 'Vulnerable':
|
||||||
|
|
||||||
|
The processor is vulnerable and no mitigation has been applied.
|
||||||
|
|
||||||
|
* 'Mitigation: IBPB before exit to userspace':
|
||||||
|
|
||||||
|
Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has
|
||||||
|
run a potentially malicious guest and issues an IBPB before the first
|
||||||
|
exit to userspace after VM-exit.
|
||||||
|
|
||||||
|
* 'Mitigation: IBPB on VMEXIT':
|
||||||
|
|
||||||
|
IBPB is issued on every VM-exit. This occurs when other mitigations like
|
||||||
|
RETBLEED or SRSO are already issuing IBPB on VM-exit.
|
||||||
|
|
||||||
|
Mitigation control on the kernel command line
|
||||||
|
----------------------------------------------
|
||||||
|
|
||||||
|
The mitigation can be controlled via the ``vmscape=`` command line parameter:
|
||||||
|
|
||||||
|
* ``vmscape=off``:
|
||||||
|
|
||||||
|
Disable the VMSCAPE mitigation.
|
||||||
|
|
||||||
|
* ``vmscape=ibpb``:
|
||||||
|
|
||||||
|
Enable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).
|
||||||
|
|
||||||
|
* ``vmscape=force``:
|
||||||
|
|
||||||
|
Force vulnerability detection and mitigation even on processors that are
|
||||||
|
not known to be affected.
|
||||||
Loading…
Reference in New Issue