diff -u linux-6.5.0/Documentation/admin-guide/kernel-parameters.txt linux-6.5.0/Documentation/admin-guide/kernel-parameters.txt --- linux-6.5.0/Documentation/admin-guide/kernel-parameters.txt +++ linux-6.5.0/Documentation/admin-guide/kernel-parameters.txt @@ -5838,6 +5838,18 @@ sonypi.*= [HW] Sony Programmable I/O Control Device driver See Documentation/admin-guide/laptops/sonypi.rst + spectre_bhi= [X86] Control mitigation of Branch History Injection + (BHI) vulnerability. Syscalls are hardened against BHI + reglardless of this setting. This setting affects the + deployment of the HW BHI control and the SW BHB + clearing sequence. + + on - unconditionally enable. + off - unconditionally disable. + auto - (default) enable hardware mitigation + (BHI_DIS_S) if available, otherwise enable + alternate mitigation in KVM. + spectre_v2= [X86] Control mitigation of Spectre variant 2 (indirect branch speculation) vulnerability. The default operation protects the kernel from diff -u linux-6.5.0/arch/x86/Kconfig linux-6.5.0/arch/x86/Kconfig --- linux-6.5.0/arch/x86/Kconfig +++ linux-6.5.0/arch/x86/Kconfig @@ -2629,6 +2629,31 @@ If in doubt, say N. +choice + prompt "Clear branch history" + depends on CPU_SUP_INTEL + default SPECTRE_BHI_AUTO + help + Enable BHI mitigations. BHI attacks are a form of Spectre V2 attacks + where the branch history buffer is poisoned to speculatively steer + indirect branches. + See + +config SPECTRE_BHI_ON + bool "on" + help + Equivalent to setting spectre_bhi=on command line parameter. +config SPECTRE_BHI_OFF + bool "off" + help + Equivalent to setting spectre_bhi=off command line parameter. +config SPECTRE_BHI_AUTO + bool "auto" + help + Equivalent to setting spectre_bhi=auto command line parameter. + +endchoice + endif config ARCH_HAS_ADD_PAGES diff -u linux-6.5.0/arch/x86/entry/common.c linux-6.5.0/arch/x86/entry/common.c --- linux-6.5.0/arch/x86/entry/common.c +++ linux-6.5.0/arch/x86/entry/common.c 
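Review bot: The help text of the three new entries only says "Equivalent to setting spectre_bhi=<x> command line parameter", so someone configuring the kernel is never told what `on`, `off` and `auto` actually do, nor that syscalls are hardened regardless of the choice; the kernel-parameters.txt hunk above already carries that wording and the Kconfig help should mirror it (auto: BHI_DIS_S when available, otherwise the SW clearing sequence on VM exit only; on: additionally at syscall entry; off: neither). The choice-level help ends in a bare `See` with no target as rendered here — confirm the reference is really present in the file rather than lost in rendering. The `depends on CPU_SUP_INTEL` also means that with CPU_SUP_INTEL=n the choice disappears and `bhi_mitigation` silently falls back to AUTO in bugs.c, which is fine but worth one line in the help since X86_BUG_BHI is also forced for hypervisor guests of any vendor.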
@@ -48,7 +48,7 @@ if (likely(unr < NR_syscalls)) { unr = array_index_nospec(unr, NR_syscalls); - regs->ax = sys_call_table[unr](regs); + regs->ax = x64_sys_call(regs, unr); return true; } return false; @@ -65,7 +65,7 @@ if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) { xnr = array_index_nospec(xnr, X32_NR_syscalls); - regs->ax = x32_sys_call_table[xnr](regs); + regs->ax = x32_sys_call(regs, xnr); return true; } return false; @@ -114,7 +114,7 @@ if (likely(unr < IA32_NR_syscalls)) { unr = array_index_nospec(unr, IA32_NR_syscalls); - regs->ax = ia32_sys_call_table[unr](regs); + regs->ax = ia32_sys_call(regs, unr); } else if (nr != -1) { regs->ax = __ia32_sys_ni_syscall(regs); } @@ -141,7 +141,7 @@ } /** - * int80_emulation - 32-bit legacy syscall entry + * do_int80_emulation - 32-bit legacy syscall C entry from asm * * This entry point can be used by 32-bit and 64-bit programs to perform * 32-bit system calls. Instances of INT $0x80 can be found inline in @@ -159,7 +159,7 @@ * eax: system call number * ebx, ecx, edx, esi, edi, ebp: arg1 - arg 6 */ -DEFINE_IDTENTRY_RAW(int80_emulation) +__visible noinstr void do_int80_emulation(struct pt_regs *regs) { int nr; diff -u linux-6.5.0/arch/x86/entry/entry_64_compat.S linux-6.5.0/arch/x86/entry/entry_64_compat.S --- linux-6.5.0/arch/x86/entry/entry_64_compat.S +++ linux-6.5.0/arch/x86/entry/entry_64_compat.S @@ -92,6 +92,7 @@ IBRS_ENTER UNTRAIN_RET + CLEAR_BRANCH_HISTORY /* * SYSENTER doesn't filter flags, so we need to clear NT and AC @@ -209,6 +210,7 @@ IBRS_ENTER UNTRAIN_RET + CLEAR_BRANCH_HISTORY movq %rsp, %rdi call do_fast_syscall_32 
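Review bot: `x64_sys_call()`, `x32_sys_call()` and `ia32_sys_call()` replace the table lookups in the three common.c hunks, but no hunk in this diff declares or defines them; the same is true of `clear_bhb_loop` (only an extern in nospec-branch.h), `X86_FEATURE_CLEAR_BHB_LOOP`, `X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT`, `X86_FEATURE_CLEAR_BHB_HW`, `X86_FEATURE_BHI_CTRL` and `X86_BUG_BHI` used in bugs.c and cpu/common.c. If the diff is complete as shown it does not build, so presumably the syscall-table, cpufeatures.h and 64-bit entry parts were filtered out of this page and need to be reviewed together with it. For the same reason the native 64-bit SYSCALL entry is not visible here, so whether it receives `CLEAR_BRANCH_HISTORY` like the two compat entries in entry_64_compat.S cannot be confirmed from this page. The enclosing functions of the three common.c hunks start outside the hunks.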
@@ -278,0 +281,14 @@
+
+/*
+ * int 0x80 is used by 32 bit mode as a system call entry. Normally idt entries
+ * point to C routines, however since this is a system call interface the branch
+ * history needs to be scrubbed to protect against BHI attacks, and that
+ * scrubbing needs to take place in assembly code prior to entering any C
+ * routines.
+ */
+SYM_CODE_START(int80_emulation)
+ ANNOTATE_NOENDBR
+ UNWIND_HINT_FUNC
+ CLEAR_BRANCH_HISTORY
+ jmp do_int80_emulation
+SYM_CODE_END(int80_emulation)
diff -u linux-6.5.0/arch/x86/include/asm/msr-index.h linux-6.5.0/arch/x86/include/asm/msr-index.h
--- linux-6.5.0/arch/x86/include/asm/msr-index.h
+++ linux-6.5.0/arch/x86/include/asm/msr-index.h
@@ -50,10 +50,13 @@
 #define SPEC_CTRL_SSBD BIT(SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */
 #define SPEC_CTRL_RRSBA_DIS_S_SHIFT 6 /* Disable RRSBA behavior */
 #define SPEC_CTRL_RRSBA_DIS_S BIT(SPEC_CTRL_RRSBA_DIS_S_SHIFT)
+#define SPEC_CTRL_BHI_DIS_S_SHIFT 10 /* Disable Branch History Injection behavior */
+#define SPEC_CTRL_BHI_DIS_S BIT(SPEC_CTRL_BHI_DIS_S_SHIFT)
 
 /* A mask for bits which the kernel toggles when controlling mitigations */
 #define SPEC_CTRL_MITIGATIONS_MASK (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD \
- | SPEC_CTRL_RRSBA_DIS_S)
+ | SPEC_CTRL_RRSBA_DIS_S \
+ | SPEC_CTRL_BHI_DIS_S)
 
 #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */
 #define PRED_CMD_IBPB BIT(0) /* Indirect Branch Prediction Barrier */
@@ -152,6 +155,10 @@
 * are restricted to targets in
 * kernel.
 */
+#define ARCH_CAP_BHI_NO BIT(20) /*
+ * CPU is not affected by Branch
+ * History Injection.
+ */
 #define ARCH_CAP_PBRSB_NO BIT(24) /*
 * Not susceptible to Post-Barrier
 * Return Stack Buffer Predictions.
diff -u linux-6.5.0/arch/x86/include/asm/nospec-branch.h linux-6.5.0/arch/x86/include/asm/nospec-branch.h
--- linux-6.5.0/arch/x86/include/asm/nospec-branch.h
+++ linux-6.5.0/arch/x86/include/asm/nospec-branch.h
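Review bot: The new `int80_emulation` stub carries `ANNOTATE_NOENDBR`, but the comment above it only explains why the BHB clearing has to happen in assembly; a reader who knows this symbol is an IDT handler name will expect an ENDBR here, so the comment should say how the stub is actually reached — presumably by a direct call from the generated idtentry trampoline rather than from the IDT itself, which is what makes the annotation correct (confirm against the `DECLARE_IDTENTRY_RAW` declaration, which is outside this diff). Proposed addition to the block comment: ` * This symbol is entered by a direct call from the idtentry trampoline, not from the IDT, hence ANNOTATE_NOENDBR.` The `UNWIND_HINT_FUNC` is needed because `CLEAR_BRANCH_HISTORY` expands to a call; that is worth one more line in the same comment.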
@@ -329,6 +329,19 @@
 #endif
 .endm
 
+#ifdef CONFIG_X86_64
+.macro CLEAR_BRANCH_HISTORY
+ ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP
+.endm
+
+.macro CLEAR_BRANCH_HISTORY_VMEXIT
+ ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT
+.endm
+#else
+#define CLEAR_BRANCH_HISTORY
+#define CLEAR_BRANCH_HISTORY_VMEXIT
+#endif
+
 #else /* __ASSEMBLY__ */
 
 #define ANNOTATE_RETPOLINE_SAFE \
@@ -359,6 +372,10 @@
 extern void entry_untrain_ret(void);
 extern void entry_ibpb(void);
 
+#ifdef CONFIG_X86_64
+extern void clear_bhb_loop(void);
+#endif
+
 extern void (*x86_return_thunk)(void);
 
 #ifdef CONFIG_CALL_DEPTH_TRACKING
diff -u linux-6.5.0/arch/x86/kernel/cpu/bugs.c linux-6.5.0/arch/x86/kernel/cpu/bugs.c
--- linux-6.5.0/arch/x86/kernel/cpu/bugs.c
+++ linux-6.5.0/arch/x86/kernel/cpu/bugs.c
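Review bot: The `#else` branch makes `CLEAR_BRANCH_HISTORY` and `CLEAR_BRANCH_HISTORY_VMEXIT` expand to nothing on 32-bit, while `X86_BUG_BHI` is still forced there by the cpu/common.c hunk, so a 32-bit kernel on an affected part without BHI_CTRL gets no software clearing at all and only the sysfs "Vulnerable" line; that matches the `!IS_ENABLED(CONFIG_X86_64)` early return in bhi_select_mitigation() but nothing in this header says so. Suggest a comment on the `#else`: `/* The SW BHB clearing sequence exists only for 64-bit; 32-bit relies on BHI_DIS_S or retpoline, see bhi_select_mitigation() */`. The `extern void clear_bhb_loop(void);` has no definition anywhere in this diff, which is presumably a filtered-out file rather than a real omission.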
@@ -1541,6 +1541,79 @@
 dump_stack();
 }
 
+/*
+ * Set BHI_DIS_S to prevent indirect branches in kernel to be influenced by
+ * branch history in userspace. Not needed if BHI_NO is set.
+ */
+static bool __init spec_ctrl_bhi_dis(void)
+{
+ if (!boot_cpu_has(X86_FEATURE_BHI_CTRL))
+ return false;
+
+ x86_spec_ctrl_base |= SPEC_CTRL_BHI_DIS_S;
+ update_spec_ctrl(x86_spec_ctrl_base);
+ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_HW);
+
+ return true;
+}
+
+enum bhi_mitigations {
+ BHI_MITIGATION_OFF,
+ BHI_MITIGATION_ON,
+ BHI_MITIGATION_AUTO,
+};
+
+static enum bhi_mitigations bhi_mitigation __ro_after_init =
+ IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON :
+ IS_ENABLED(CONFIG_SPECTRE_BHI_OFF) ? BHI_MITIGATION_OFF :
+ BHI_MITIGATION_AUTO;
+
+static int __init spectre_bhi_parse_cmdline(char *str)
+{
+ if (!str)
+ return -EINVAL;
+
+ if (!strcmp(str, "off"))
+ bhi_mitigation = BHI_MITIGATION_OFF;
+ else if (!strcmp(str, "on"))
+ bhi_mitigation = BHI_MITIGATION_ON;
+ else if (!strcmp(str, "auto"))
+ bhi_mitigation = BHI_MITIGATION_AUTO;
+ else
+ pr_err("Ignoring unknown spectre_bhi option (%s)", str);
+
+ return 0;
+}
+early_param("spectre_bhi", spectre_bhi_parse_cmdline);
+
+static void __init bhi_select_mitigation(void)
+{
+ if (bhi_mitigation == BHI_MITIGATION_OFF)
+ return;
+
+ /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */
+ if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) &&
+ !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA))
+ return;
+
+ if (spec_ctrl_bhi_dis())
+ return;
+
+ if (!IS_ENABLED(CONFIG_X86_64))
+ return;
+
+ /* Mitigate KVM by default */
+ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
+ pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
+
+ if (bhi_mitigation == BHI_MITIGATION_AUTO)
+ return;
+
+ /* Mitigate syscalls when the mitigation is forced =on */
+ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
+ pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
+}
+
 static void __init spectre_v2_select_mitigation(void)
 {
 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
@@ -1652,6 +1725,9 @@
 mode == SPECTRE_V2_RETPOLINE)
 spec_ctrl_disable_kernel_rrsba();
 
+ if (boot_cpu_has(X86_BUG_BHI))
+ bhi_select_mitigation();
+
 spectre_v2_enabled = mode;
 pr_info("%s\n", spectre_v2_strings[mode]);
 
@@ -2626,15 +2702,15 @@
 
 switch (spectre_v2_user_stibp) {
 case SPECTRE_V2_USER_NONE:
- return ", STIBP: disabled";
+ return "; STIBP: disabled";
 case SPECTRE_V2_USER_STRICT:
- return ", STIBP: forced";
+ return "; STIBP: forced";
 case SPECTRE_V2_USER_STRICT_PREFERRED:
- return ", STIBP: always-on";
+ return "; STIBP: always-on";
 case SPECTRE_V2_USER_PRCTL:
 case SPECTRE_V2_USER_SECCOMP:
 if (static_key_enabled(&switch_to_cond_stibp))
- return ", STIBP: conditional";
+ return "; STIBP: conditional";
 }
 return "";
 }
@@ -2643,10 +2719,10 @@
 {
 if (boot_cpu_has(X86_FEATURE_IBPB)) {
 if (static_key_enabled(&switch_mm_always_ibpb))
- return ", IBPB: always-on";
+ return "; IBPB: always-on";
 if (static_key_enabled(&switch_mm_cond_ibpb))
- return ", IBPB: conditional";
- return ", IBPB: disabled";
+ return "; IBPB: conditional";
+ return "; IBPB: disabled";
 }
 return "";
 }
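Review bot: The retpoline early-return in bhi_select_mitigation() tests `cpu_feature_enabled(X86_FEATURE_RETPOLINE)`, and as far as I recall that capability is also forced when the LFENCE flavour is selected (SPECTRE_V2_LFENCE falls through to it in spectre_v2_select_mitigation(), outside this hunk), which is not a retpoline in the BHI sense; the identical test in spectre_bhi_state() in the later hunk would then report "Retpoline" protection that does not exist. Checking the selected mode instead is awkward here because the call site in the next hunk runs before `spectre_v2_enabled = mode` is assigned, so either pass `mode` in or move the call after the assignment. Separately, `ARCH_CAP_RRSBA` is an enumeration bit that presumably stays set after `spec_ctrl_disable_kernel_rrsba()` (called just before the new call site) has set RRSBA_DIS_S, so retpoline kernels on RRSBA parts still fall through to the SW loop — safe, but a comment should say it is intended. Minor: `pr_err("Ignoring unknown spectre_bhi option (%s)", str)` lacks the trailing `\n` that the two pr_info() messages in the same hunk have.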
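Review bot: `bhi_select_mitigation()` is only reachable from inside spectre_v2_select_mitigation(), after the RRSBA block, so if that function returns early when Spectre v2 mitigation is disabled on the command line (as the upstream `none` handling does; that early return is outside this hunk), `spectre_bhi=on` silently does nothing and no "Spectre BHI mitigation:"" line is printed, which neither the kernel-parameters text in the first hunk nor the code says. Suggest a comment above the call: `/* Only reached when a Spectre v2 mitigation is selected; spectre_v2=off also disables BHI handling. */`, or hoisting the call into cpu_select_mitigations() if the two knobs are meant to be independent.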
@@ -2656,14 +2732,31 @@
 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
 if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
 boot_cpu_has(X86_FEATURE_RSB_VMEXIT))
- return ", PBRSB-eIBRS: SW sequence";
+ return "; PBRSB-eIBRS: SW sequence";
 else
- return ", PBRSB-eIBRS: Vulnerable";
+ return "; PBRSB-eIBRS: Vulnerable";
 } else {
- return ", PBRSB-eIBRS: Not affected";
+ return "; PBRSB-eIBRS: Not affected";
 }
 }
 
+static const char * const spectre_bhi_state(void)
+{
+ if (!boot_cpu_has_bug(X86_BUG_BHI))
+ return "; BHI: Not affected";
+ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW))
+ return "; BHI: BHI_DIS_S";
+ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP))
+ return "; BHI: SW loop, KVM: SW loop";
+ else if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
+ !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA))
+ return "; BHI: Retpoline";
+ else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))
+ return "; BHI: Syscall hardening, KVM: SW loop";
+
+ return "; BHI: Vulnerable (Syscall hardening enabled)";
+}
+
 static ssize_t spectre_v2_show_state(char *buf)
 {
 if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
@@ -2676,13 +2769,15 @@
 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
 return sysfs_emit(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
 
- return sysfs_emit(buf, "%s%s%s%s%s%s%s\n",
+ return sysfs_emit(buf, "%s%s%s%s%s%s%s%s\n",
 spectre_v2_strings[spectre_v2_enabled],
 ibpb_state(),
- boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? "; IBRS_FW" : "",
 stibp_state(),
- boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
+ boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? "; RSB filling" : "",
 pbrsb_eibrs_state(),
+ spectre_bhi_state(),
+ /* this should always be at the end */
 spectre_v2_module_string());
 }
 
diff -u linux-6.5.0/arch/x86/kernel/cpu/common.c linux-6.5.0/arch/x86/kernel/cpu/common.c
--- linux-6.5.0/arch/x86/kernel/cpu/common.c
+++ linux-6.5.0/arch/x86/kernel/cpu/common.c
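Review bot: `static const char * const spectre_bhi_state(void)` qualifies the returned pointer itself, which is meaningless for a by-value return and makes `-Wignored-qualifiers` complain ("type qualifiers ignored on function return type"); the signature should be `static const char *spectre_bhi_state(void)`. The final `"; BHI: Vulnerable (Syscall hardening enabled)"` is, as far as these hunks show, reached only with `spectre_bhi=off` or on a 32-bit kernel without BHI_DIS_S or a usable retpoline, and it is the one place where the direct-call syscall dispatch is presented as protection; a comment above that return, e.g. `/* spectre_bhi=off, or 32-bit without BHI_DIS_S/retpoline: only the direct-call syscall dispatch remains */`, would save the next reader from re-deriving the fall-through. The `"%s%s%s%s%s%s%s%s\n"` format now has eight conversions for eight arguments, so the ordering comment "this should always be at the end" is the only guard against a future mismatch — fine, but worth keeping adjacent to spectre_v2_module_string() as done here.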
@@ -1150,6 +1150,7 @@
 #define NO_SPECTRE_V2 BIT(8)
 #define NO_MMIO BIT(9)
 #define NO_EIBRS_PBRSB BIT(10)
+#define NO_BHI BIT(11)
 
 #define VULNWL(vendor, family, model, whitelist) \
 X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, whitelist)
@@ -1212,18 +1213,18 @@
 VULNWL_INTEL(ATOM_TREMONT_D, NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
 
 /* AMD Family 0xf - 0x12 */
- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO),
+ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI),
+ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI),
+ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI),
+ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_BHI),
 
 /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB),
- VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB),
+ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB | NO_BHI),
+ VULNWL_HYGON(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_MMIO | NO_EIBRS_PBRSB | NO_BHI),
 
 /* Zhaoxin Family 7 */
- VULNWL(CENTAUR, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO),
- VULNWL(ZHAOXIN, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO),
+ VULNWL(CENTAUR, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO | NO_BHI),
+ VULNWL(ZHAOXIN, 7, X86_MODEL_ANY, NO_SPECTRE_V2 | NO_SWAPGS | NO_MMIO | NO_BHI),
 
 {}
 };
@@ -1428,6 +1429,13 @@
 boot_cpu_has(X86_FEATURE_AVX))
 setup_force_cpu_bug(X86_BUG_GDS);
 
+ /* When virtualized, eIBRS could be hidden, assume vulnerable */
+ if (!(ia32_cap & ARCH_CAP_BHI_NO) &&
+ !cpu_matches(cpu_vuln_whitelist, NO_BHI) &&
+ (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) ||
+ boot_cpu_has(X86_FEATURE_HYPERVISOR)))
+ setup_force_cpu_bug(X86_BUG_BHI);
+
 if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
 return;
 
diff -u linux-6.5.0/arch/x86/kvm/x86.c linux-6.5.0/arch/x86/kvm/x86.c
--- linux-6.5.0/arch/x86/kvm/x86.c
+++ linux-6.5.0/arch/x86/kvm/x86.c
@@ -1616,7 +1616,8 @@
 ARCH_CAP_SKIP_VMENTRY_L1DFLUSH | ARCH_CAP_SSB_NO | ARCH_CAP_MDS_NO | \
 ARCH_CAP_PSCHANGE_MC_NO | ARCH_CAP_TSX_CTRL_MSR | ARCH_CAP_TAA_NO | \
 ARCH_CAP_SBDR_SSDP_NO | ARCH_CAP_FBSDP_NO | ARCH_CAP_PSDP_NO | \
- ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO | ARCH_CAP_GDS_NO)
+ ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO | ARCH_CAP_GDS_NO | \
+ ARCH_CAP_BHI_NO)
 
 static u64 kvm_get_arch_capabilities(void)
 {
diff -u linux-6.5.0/debian.master/changelog linux-6.5.0/debian.master/changelog
--- linux-6.5.0/debian.master/changelog
+++ linux-6.5.0/debian.master/changelog
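Review bot: The condition that forces `X86_BUG_BHI` fires only when eIBRS is enumerated or the kernel runs under a hypervisor, yet the comment explains just the hypervisor half; parts with neither (pre-eIBRS CPUs that run retpoline) are deliberately left unflagged, presumably because retpoline already covers them, but that reasoning is not written down and the retpoline check in bhi_select_mitigation() then never sees those CPUs. Suggest widening the comment to `/* BHI only matters once eIBRS is in use (older parts are covered by retpoline); when virtualized, eIBRS could be hidden, so assume vulnerable. */`. In the KVM hunk, adding `ARCH_CAP_BHI_NO` to the supported mask only passes the host's bit through; whether a guest is also offered BHI_CTRL so that it can set BHI_DIS_S for itself is not visible in this diff and should be checked alongside it. The enclosing function of the first hunk starts and ends outside the hunk.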
@@ -1,3 +1,20 @@ +linux (6.5.0-34.34) mantic; urgency=medium + + * mantic/linux: 6.5.0-34.34 -proposed tracker (LP: #2061443) + + * CVE-2024-2201 + - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file + - x86/syscall: Don't force use of indirect calls for system calls + - x86/bhi: Add support for clearing branch history at syscall entry + - x86/bhi: Define SPEC_CTRL_BHI_DIS_S + - x86/bhi: Enumerate Branch History Injection (BHI) bug + - x86/bhi: Add BHI mitigation knob + - x86/bhi: Mitigate KVM by default + - KVM: x86: Add BHI_NO + - [Config] Set CONFIG_BHI to enabled (auto) + + -- Stefan Bader Mon, 15 Apr 2024 15:09:54 +0200 + linux (6.5.0-33.33) mantic; urgency=medium * mantic/linux: 6.5.0-33.33 -proposed tracker (LP: #2060448) diff -u linux-6.5.0/debian.master/config/annotations linux-6.5.0/debian.master/config/annotations --- linux-6.5.0/debian.master/config/annotations +++ linux-6.5.0/debian.master/config/annotations @@ -12918,6 +12918,9 @@ CONFIG_SPEAKUP_SYNTH_SOFT policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}> CONFIG_SPEAKUP_SYNTH_SPKOUT policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}> CONFIG_SPEAKUP_SYNTH_TXPRT policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm'}> +CONFIG_SPECTRE_BHI_AUTO policy<{'amd64': 'y'}> +CONFIG_SPECTRE_BHI_OFF policy<{'amd64': 'n'}> +CONFIG_SPECTRE_BHI_ON policy<{'amd64': 'n'}> CONFIG_SPECULATION_MITIGATIONS policy<{'amd64': 'y'}> CONFIG_SPI policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y', 's390x': 'n'}> CONFIG_SPI_ALTERA policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'ppc64el': 'm', 'riscv64': 'm', 's390x': '-'}> diff -u linux-6.5.0/debian.master/tracking-bug linux-6.5.0/debian.master/tracking-bug --- linux-6.5.0/debian.master/tracking-bug +++ linux-6.5.0/debian.master/tracking-bug 
@@ -1 +1 @@ -2060448 2024.04.01-2 +2061443 2024.04.01-3 diff -u linux-6.5.0/debian/changelog linux-6.5.0/debian/changelog --- linux-6.5.0/debian/changelog +++ linux-6.5.0/debian/changelog @@ -1,3 +1,20 @@ +linux (6.5.0-34.34) mantic; urgency=medium + + * mantic/linux: 6.5.0-34.34 -proposed tracker (LP: #2061443) + + * CVE-2024-2201 + - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file + - x86/syscall: Don't force use of indirect calls for system calls + - x86/bhi: Add support for clearing branch history at syscall entry + - x86/bhi: Define SPEC_CTRL_BHI_DIS_S + - x86/bhi: Enumerate Branch History Injection (BHI) bug + - x86/bhi: Add BHI mitigation knob + - x86/bhi: Mitigate KVM by default + - KVM: x86: Add BHI_NO + - [Config] Set CONFIG_BHI to enabled (auto) + + -- Stefan Bader Mon, 15 Apr 2024 15:09:54 +0200 + linux (6.5.0-33.33) mantic; urgency=medium * mantic/linux: 6.5.0-33.33 -proposed tracker (LP: #2060448) diff -u linux-6.5.0/debian/control linux-6.5.0/debian/control --- linux-6.5.0/debian/control +++ linux-6.5.0/debian/control @@ -94,7 +94,7 @@ you do not want this package. Install the appropriate linux-headers package instead. -Package: linux-headers-6.5.0-33 +Package: linux-headers-6.5.0-34 Build-Profiles: Architecture: all Multi-Arch: foreign @@ -104,7 +104,7 @@ Description: Header files related to Linux kernel version 6.5.0 This package provides kernel header files for version 6.5.0, for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-headers-6.5.0-33/debian.README.gz for details + /usr/share/doc/linux-headers-6.5.0-34/debian.README.gz for details Package: linux-tools-common Build-Profiles: 
@@ -119,18 +119,18 @@ version locked tools (such as perf and x86_energy_perf_policy) for version 6.5.0. -Package: linux-tools-6.5.0-33 +Package: linux-tools-6.5.0-34 Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: devel Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, linux-tools-common -Description: Linux kernel version specific tools for version 6.5.0-33 +Description: Linux kernel version specific tools for version 6.5.0-34 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 6.5.0-33 on + version 6.5.0-34 on 64 bit x86. - You probably want to install linux-tools-6.5.0-33-. + You probably want to install linux-tools-6.5.0-34-. Package: linux-cloud-tools-common Build-Profiles: @@ -143,17 +143,17 @@ This package provides the architecture independent parts for kernel version locked tools for cloud tools for version 6.5.0. -Package: linux-cloud-tools-6.5.0-33 +Package: linux-cloud-tools-6.5.0-34 Build-Profiles: Architecture: amd64 armhf Section: devel Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, linux-cloud-tools-common -Description: Linux kernel version specific cloud tools for version 6.5.0-33 +Description: Linux kernel version specific cloud tools for version 6.5.0-34 This package provides the architecture dependant parts for kernel - version locked tools for cloud tools for version 6.5.0-33 on + version locked tools for cloud tools for version 6.5.0-34 on 64 bit x86. - You probably want to install linux-cloud-tools-6.5.0-33-. + You probably want to install linux-cloud-tools-6.5.0-34-. Package: linux-tools-host Build-Profiles: 
@@ -193,17 +193,17 @@ contained in each file. -Package: linux-image-unsigned-6.5.0-33-generic +Package: linux-image-unsigned-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: kernel Priority: optional Provides: linux-image, fuse-module, kvm-api-4, redhat-cluster-modules, ivtv-modules, virtualbox-guest-modules [amd64], ${linux:rprovides} -Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.5.0-33-generic +Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.5.0-34-generic Recommends: grub-pc [amd64] | grub-efi-amd64 [amd64] | grub-efi-ia32 [amd64] | grub [amd64] | lilo [amd64] | flash-kernel [armhf arm64] | grub-efi-arm64 [arm64] | grub-efi-arm [armhf] | grub-ieee1275 [ppc64el], initramfs-tools | linux-initramfs-tool Breaks: flash-kernel (<< 3.90ubuntu2) [arm64 armhf], s390-tools (<< 2.3.0-0ubuntu3) [s390x] -Conflicts: linux-image-6.5.0-33-generic -Suggests: fdutils, linux-doc | linux-source-6.5.0, linux-tools, linux-headers-6.5.0-33-generic, linux-modules-extra-6.5.0-33-generic +Conflicts: linux-image-6.5.0-34-generic +Suggests: fdutils, linux-doc | linux-source-6.5.0, linux-tools, linux-headers-6.5.0-34-generic, linux-modules-extra-6.5.0-34-generic Description: Linux kernel image for version 6.5.0 on 64 bit x86 SMP This package contains the unsigned Linux kernel image for version 6.5.0 on 64 bit x86 SMP. @@ -216,7 +216,7 @@ the linux-generic meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-6.5.0-33-generic +Package: linux-modules-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: kernel 
@@ -236,12 +236,12 @@ the linux-generic meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-extra-6.5.0-33-generic +Package: linux-modules-extra-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: kernel Priority: optional -Depends: ${misc:Depends}, ${shlibs:Depends}, linux-modules-6.5.0-33-generic, wireless-regdb +Depends: ${misc:Depends}, ${shlibs:Depends}, linux-modules-6.5.0-34-generic, wireless-regdb Description: Linux kernel extra modules for version 6.5.0 on 64 bit x86 SMP This package contains the Linux kernel extra modules for version 6.5.0 on 64 bit x86 SMP. @@ -258,21 +258,21 @@ the linux-generic meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-headers-6.5.0-33-generic +Package: linux-headers-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: devel Priority: optional -Depends: ${misc:Depends}, linux-headers-6.5.0-33, ${shlibs:Depends} +Depends: ${misc:Depends}, linux-headers-6.5.0-34, ${shlibs:Depends} Provides: linux-headers, linux-headers-3.0 Description: Linux kernel headers for version 6.5.0 on 64 bit x86 SMP This package provides kernel header files for version 6.5.0 on 64 bit x86 SMP. . This is for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-headers-6.5.0-33/debian.README.gz for details. + /usr/share/doc/linux-headers-6.5.0-34/debian.README.gz for details. -Package: linux-lib-rust-6.5.0-33-generic +Package: linux-lib-rust-6.5.0-34-generic Build-Profiles: Architecture: amd64 Multi-Arch: foreign 
@@ -283,7 +283,7 @@ This package provides kernel library files for version 6.5.0, that allow to compile out-of-tree kernel modules written in Rust. -Package: linux-image-unsigned-6.5.0-33-generic-dbgsym +Package: linux-image-unsigned-6.5.0-34-generic-dbgsym Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: devel @@ -300,31 +300,31 @@ is uncompressed, and unstripped. This package also includes the unstripped modules. -Package: linux-tools-6.5.0-33-generic +Package: linux-tools-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: devel Priority: optional -Depends: ${misc:Depends}, linux-tools-6.5.0-33 -Description: Linux kernel version specific tools for version 6.5.0-33 +Depends: ${misc:Depends}, linux-tools-6.5.0-34 +Description: Linux kernel version specific tools for version 6.5.0-34 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 6.5.0-33 on + version 6.5.0-34 on 64 bit x86. -Package: linux-cloud-tools-6.5.0-33-generic +Package: linux-cloud-tools-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: devel Priority: optional -Depends: ${misc:Depends}, linux-cloud-tools-6.5.0-33 -Description: Linux kernel version specific cloud tools for version 6.5.0-33 +Depends: ${misc:Depends}, linux-cloud-tools-6.5.0-34 +Description: Linux kernel version specific cloud tools for version 6.5.0-34 This package provides the architecture dependant parts for kernel - version locked tools for cloud for version 6.5.0-33 on + version locked tools for cloud for version 6.5.0-34 on 64 bit x86. -Package: linux-buildinfo-6.5.0-33-generic +Package: linux-buildinfo-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: kernel 
@@ -338,18 +338,18 @@ You likely do not want to install this package. -Package: linux-modules-ipu6-6.5.0-33-generic +Package: linux-modules-ipu6-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-33-generic | linux-image-unsigned-6.5.0-33-generic, + linux-image-6.5.0-34-generic | linux-image-unsigned-6.5.0-34-generic, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel ipu6 modules for version 6.5.0-33 +Description: Linux kernel ipu6 modules for version 6.5.0-34 This package provides the Linux kernel ipu6 modules for version - 6.5.0-33. + 6.5.0-34. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-ipu6-generic* meta-packages, @@ -357,18 +357,18 @@ also installed. -Package: linux-modules-ivsc-6.5.0-33-generic +Package: linux-modules-ivsc-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-33-generic | linux-image-unsigned-6.5.0-33-generic, + linux-image-6.5.0-34-generic | linux-image-unsigned-6.5.0-34-generic, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel ivsc modules for version 6.5.0-33 +Description: Linux kernel ivsc modules for version 6.5.0-34 This package provides the Linux kernel ivsc modules for version - 6.5.0-33. + 6.5.0-34. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-ivsc-generic* meta-packages, 
@@ -376,18 +376,18 @@ also installed. -Package: linux-modules-iwlwifi-6.5.0-33-generic +Package: linux-modules-iwlwifi-6.5.0-34-generic Build-Profiles: Architecture: amd64 armhf arm64 ppc64el s390x Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-33-generic | linux-image-unsigned-6.5.0-33-generic, + linux-image-6.5.0-34-generic | linux-image-unsigned-6.5.0-34-generic, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel iwlwifi modules for version 6.5.0-33 +Description: Linux kernel iwlwifi modules for version 6.5.0-34 This package provides the Linux kernel iwlwifi modules for version - 6.5.0-33. + 6.5.0-34. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-iwlwifi-generic* meta-packages, 
@@ -395,17 +395,17 @@ also installed. -Package: linux-image-unsigned-6.5.0-33-generic-64k +Package: linux-image-unsigned-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: kernel Priority: optional Provides: linux-image, fuse-module, kvm-api-4, redhat-cluster-modules, ivtv-modules, ${linux:rprovides} -Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.5.0-33-generic-64k +Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.5.0-34-generic-64k Recommends: grub-efi-arm64 [arm64] | flash-kernel [arm64], initramfs-tools | linux-initramfs-tool Breaks: flash-kernel (<< 3.90ubuntu2) [arm64 armhf], s390-tools (<< 2.3.0-0ubuntu3) [s390x] -Conflicts: linux-image-6.5.0-33-generic-64k -Suggests: fdutils, linux-doc | linux-source-6.5.0, linux-tools, linux-headers-6.5.0-33-generic-64k, linux-modules-extra-6.5.0-33-generic-64k +Conflicts: linux-image-6.5.0-34-generic-64k +Suggests: fdutils, linux-doc | linux-source-6.5.0, linux-tools, linux-headers-6.5.0-34-generic-64k, linux-modules-extra-6.5.0-34-generic-64k Description: Linux kernel image for version 6.5.0 on 64 bit x86 SMP This package contains the unsigned Linux kernel image for version 6.5.0 on 64 bit x86 SMP. @@ -418,7 +418,7 @@ the linux-generic-64k meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-6.5.0-33-generic-64k +Package: linux-modules-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: kernel 
@@ -438,12 +438,12 @@ the linux-generic-64k meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-extra-6.5.0-33-generic-64k +Package: linux-modules-extra-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: kernel Priority: optional -Depends: ${misc:Depends}, ${shlibs:Depends}, linux-modules-6.5.0-33-generic-64k, wireless-regdb +Depends: ${misc:Depends}, ${shlibs:Depends}, linux-modules-6.5.0-34-generic-64k, wireless-regdb Description: Linux kernel extra modules for version 6.5.0 on 64 bit x86 SMP This package contains the Linux kernel extra modules for version 6.5.0 on 64 bit x86 SMP. @@ -460,21 +460,21 @@ the linux-generic-64k meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-headers-6.5.0-33-generic-64k +Package: linux-headers-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-headers-6.5.0-33, ${shlibs:Depends} +Depends: ${misc:Depends}, linux-headers-6.5.0-34, ${shlibs:Depends} Provides: linux-headers, linux-headers-3.0 Description: Linux kernel headers for version 6.5.0 on 64 bit x86 SMP This package provides kernel header files for version 6.5.0 on 64 bit x86 SMP. . This is for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-headers-6.5.0-33/debian.README.gz for details. + /usr/share/doc/linux-headers-6.5.0-34/debian.README.gz for details. -Package: linux-lib-rust-6.5.0-33-generic-64k +Package: linux-lib-rust-6.5.0-34-generic-64k Build-Profiles: Architecture: amd64 Multi-Arch: foreign 
@@ -485,7 +485,7 @@ This package provides kernel library files for version 6.5.0, that allow to compile out-of-tree kernel modules written in Rust. -Package: linux-image-unsigned-6.5.0-33-generic-64k-dbgsym +Package: linux-image-unsigned-6.5.0-34-generic-64k-dbgsym Build-Profiles: Architecture: arm64 Section: devel @@ -502,31 +502,31 @@ is uncompressed, and unstripped. This package also includes the unstripped modules. -Package: linux-tools-6.5.0-33-generic-64k +Package: linux-tools-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-tools-6.5.0-33 -Description: Linux kernel version specific tools for version 6.5.0-33 +Depends: ${misc:Depends}, linux-tools-6.5.0-34 +Description: Linux kernel version specific tools for version 6.5.0-34 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 6.5.0-33 on + version 6.5.0-34 on 64 bit x86. -Package: linux-cloud-tools-6.5.0-33-generic-64k +Package: linux-cloud-tools-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-cloud-tools-6.5.0-33 -Description: Linux kernel version specific cloud tools for version 6.5.0-33 +Depends: ${misc:Depends}, linux-cloud-tools-6.5.0-34 +Description: Linux kernel version specific cloud tools for version 6.5.0-34 This package provides the architecture dependant parts for kernel - version locked tools for cloud for version 6.5.0-33 on + version locked tools for cloud for version 6.5.0-34 on 64 bit x86. -Package: linux-buildinfo-6.5.0-33-generic-64k +Package: linux-buildinfo-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: kernel 
@@ -540,18 +540,18 @@ You likely do not want to install this package. -Package: linux-modules-ipu6-6.5.0-33-generic-64k +Package: linux-modules-ipu6-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-33-generic-64k | linux-image-unsigned-6.5.0-33-generic-64k, + linux-image-6.5.0-34-generic-64k | linux-image-unsigned-6.5.0-34-generic-64k, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel ipu6 modules for version 6.5.0-33 +Description: Linux kernel ipu6 modules for version 6.5.0-34 This package provides the Linux kernel ipu6 modules for version - 6.5.0-33. + 6.5.0-34. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-ipu6-generic-64k* meta-packages, @@ -559,18 +559,18 @@ also installed. -Package: linux-modules-ivsc-6.5.0-33-generic-64k +Package: linux-modules-ivsc-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-33-generic-64k | linux-image-unsigned-6.5.0-33-generic-64k, + linux-image-6.5.0-34-generic-64k | linux-image-unsigned-6.5.0-34-generic-64k, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel ivsc modules for version 6.5.0-33 +Description: Linux kernel ivsc modules for version 6.5.0-34 This package provides the Linux kernel ivsc modules for version - 6.5.0-33. + 6.5.0-34. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-ivsc-generic-64k* meta-packages, 
@@ -578,18 +578,18 @@ also installed. -Package: linux-modules-iwlwifi-6.5.0-33-generic-64k +Package: linux-modules-iwlwifi-6.5.0-34-generic-64k Build-Profiles: Architecture: arm64 Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-33-generic-64k | linux-image-unsigned-6.5.0-33-generic-64k, + linux-image-6.5.0-34-generic-64k | linux-image-unsigned-6.5.0-34-generic-64k, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel iwlwifi modules for version 6.5.0-33 +Description: Linux kernel iwlwifi modules for version 6.5.0-34 This package provides the Linux kernel iwlwifi modules for version - 6.5.0-33. + 6.5.0-34. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-iwlwifi-generic-64k* meta-packages, 
@@ -597,17 +597,17 @@ also installed. -Package: linux-image-unsigned-6.5.0-33-generic-lpae +Package: linux-image-unsigned-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: kernel Priority: optional Provides: linux-image, fuse-module, kvm-api-4, redhat-cluster-modules, ivtv-modules, ${linux:rprovides} -Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.5.0-33-generic-lpae +Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.5.0-34-generic-lpae Recommends: flash-kernel [armhf] | grub-efi-arm [armhf], initramfs-tools | linux-initramfs-tool Breaks: flash-kernel (<< 3.90ubuntu2) [arm64 armhf], s390-tools (<< 2.3.0-0ubuntu3) [s390x] -Conflicts: linux-image-6.5.0-33-generic-lpae -Suggests: fdutils, linux-doc | linux-source-6.5.0, linux-tools, linux-headers-6.5.0-33-generic-lpae, linux-modules-extra-6.5.0-33-generic-lpae +Conflicts: linux-image-6.5.0-34-generic-lpae +Suggests: fdutils, linux-doc | linux-source-6.5.0, linux-tools, linux-headers-6.5.0-34-generic-lpae, linux-modules-extra-6.5.0-34-generic-lpae Description: Linux kernel image for version 6.5.0 on 64 bit x86 SMP This package contains the unsigned Linux kernel image for version 6.5.0 on 64 bit x86 SMP. @@ -620,7 +620,7 @@ the linux-generic-lpae meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-6.5.0-33-generic-lpae +Package: linux-modules-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: kernel 
@@ -640,12 +640,12 @@ the linux-generic-lpae meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-extra-6.5.0-33-generic-lpae +Package: linux-modules-extra-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: kernel Priority: optional -Depends: ${misc:Depends}, ${shlibs:Depends}, linux-modules-6.5.0-33-generic-lpae, wireless-regdb +Depends: ${misc:Depends}, ${shlibs:Depends}, linux-modules-6.5.0-34-generic-lpae, wireless-regdb Description: Linux kernel extra modules for version 6.5.0 on 64 bit x86 SMP This package contains the Linux kernel extra modules for version 6.5.0 on 64 bit x86 SMP. @@ -662,21 +662,21 @@ the linux-generic-lpae meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-headers-6.5.0-33-generic-lpae +Package: linux-headers-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: devel Priority: optional -Depends: ${misc:Depends}, linux-headers-6.5.0-33, ${shlibs:Depends} +Depends: ${misc:Depends}, linux-headers-6.5.0-34, ${shlibs:Depends} Provides: linux-headers, linux-headers-3.0 Description: Linux kernel headers for version 6.5.0 on 64 bit x86 SMP This package provides kernel header files for version 6.5.0 on 64 bit x86 SMP. . This is for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-headers-6.5.0-33/debian.README.gz for details. + /usr/share/doc/linux-headers-6.5.0-34/debian.README.gz for details. -Package: linux-lib-rust-6.5.0-33-generic-lpae +Package: linux-lib-rust-6.5.0-34-generic-lpae Build-Profiles: Architecture: amd64 Multi-Arch: foreign 
@@ -687,7 +687,7 @@ This package provides kernel library files for version 6.5.0, that allow to compile out-of-tree kernel modules written in Rust. -Package: linux-image-unsigned-6.5.0-33-generic-lpae-dbgsym +Package: linux-image-unsigned-6.5.0-34-generic-lpae-dbgsym Build-Profiles: Architecture: armhf Section: devel @@ -704,31 +704,31 @@ is uncompressed, and unstripped. This package also includes the unstripped modules. -Package: linux-tools-6.5.0-33-generic-lpae +Package: linux-tools-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: devel Priority: optional -Depends: ${misc:Depends}, linux-tools-6.5.0-33 -Description: Linux kernel version specific tools for version 6.5.0-33 +Depends: ${misc:Depends}, linux-tools-6.5.0-34 +Description: Linux kernel version specific tools for version 6.5.0-34 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 6.5.0-33 on + version 6.5.0-34 on 64 bit x86. -Package: linux-cloud-tools-6.5.0-33-generic-lpae +Package: linux-cloud-tools-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: devel Priority: optional -Depends: ${misc:Depends}, linux-cloud-tools-6.5.0-33 -Description: Linux kernel version specific cloud tools for version 6.5.0-33 +Depends: ${misc:Depends}, linux-cloud-tools-6.5.0-34 +Description: Linux kernel version specific cloud tools for version 6.5.0-34 This package provides the architecture dependant parts for kernel - version locked tools for cloud for version 6.5.0-33 on + version locked tools for cloud for version 6.5.0-34 on 64 bit x86. -Package: linux-buildinfo-6.5.0-33-generic-lpae +Package: linux-buildinfo-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: kernel 
@@ -742,18 +742,18 @@ You likely do not want to install this package. -Package: linux-modules-ipu6-6.5.0-33-generic-lpae +Package: linux-modules-ipu6-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-33-generic-lpae | linux-image-unsigned-6.5.0-33-generic-lpae, + linux-image-6.5.0-34-generic-lpae | linux-image-unsigned-6.5.0-34-generic-lpae, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel ipu6 modules for version 6.5.0-33 +Description: Linux kernel ipu6 modules for version 6.5.0-34 This package provides the Linux kernel ipu6 modules for version - 6.5.0-33. + 6.5.0-34. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-ipu6-generic-lpae* meta-packages, @@ -761,18 +761,18 @@ also installed. -Package: linux-modules-ivsc-6.5.0-33-generic-lpae +Package: linux-modules-ivsc-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-33-generic-lpae | linux-image-unsigned-6.5.0-33-generic-lpae, + linux-image-6.5.0-34-generic-lpae | linux-image-unsigned-6.5.0-34-generic-lpae, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel ivsc modules for version 6.5.0-33 +Description: Linux kernel ivsc modules for version 6.5.0-34 This package provides the Linux kernel ivsc modules for version - 6.5.0-33. + 6.5.0-34. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-ivsc-generic-lpae* meta-packages, 
@@ -780,18 +780,18 @@ also installed. -Package: linux-modules-iwlwifi-6.5.0-33-generic-lpae +Package: linux-modules-iwlwifi-6.5.0-34-generic-lpae Build-Profiles: Architecture: armhf Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.5.0-33-generic-lpae | linux-image-unsigned-6.5.0-33-generic-lpae, + linux-image-6.5.0-34-generic-lpae | linux-image-unsigned-6.5.0-34-generic-lpae, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel iwlwifi modules for version 6.5.0-33 +Description: Linux kernel iwlwifi modules for version 6.5.0-34 This package provides the Linux kernel iwlwifi modules for version - 6.5.0-33. + 6.5.0-34. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-iwlwifi-generic-lpae* meta-packages, only in patch2: unchanged: --- linux-6.5.0.orig/Documentation/admin-guide/hw-vuln/spectre.rst +++ linux-6.5.0/Documentation/admin-guide/hw-vuln/spectre.rst @@ -138,11 +138,10 @@ the BHB might be shared across privilege levels even in the presence of Enhanced IBRS. -Currently the only known real-world BHB attack vector is via -unprivileged eBPF. Therefore, it's highly recommended to not enable -unprivileged eBPF, especially when eIBRS is used (without retpolines). -For a full mitigation against BHB attacks, it's recommended to use -retpolines (or eIBRS combined with retpolines). +Previously the only known real-world BHB attack vector was via unprivileged +eBPF. Further research has found attacks that don't require unprivileged eBPF. +For a full mitigation against BHB attacks it is recommended to set BHI_DIS_S or +use the BHB clearing sequence. Attack scenarios ---------------- 
@@ -430,6 +429,23 @@ 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB =========================== ======================================================= + - Branch History Injection (BHI) protection status: + +.. list-table:: + + * - BHI: Not affected + - System is not affected + * - BHI: Retpoline + - System is protected by retpoline + * - BHI: BHI_DIS_S + - System is protected by BHI_DIS_S + * - BHI: SW loop; KVM SW loop + - System is protected by software clearing sequence + * - BHI: Syscall hardening + - Syscalls are hardened against BHI + * - BHI: Syscall hardening; KVM: SW loop + - System is protected from userspace attacks by syscall hardening; KVM is protected by software clearing sequence + Full mitigation might require a microcode update from the CPU vendor. When the necessary microcode is not available, the kernel will report vulnerability. @@ -484,7 +500,11 @@ Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at boot, by setting the IBRS bit, and they're automatically protected against - Spectre v2 variant attacks. + some Spectre v2 variant attacks. The BHB can still influence the choice of + indirect branch predictor entry, and although branch predictor entries are + isolated between modes when eIBRS is enabled, the BHB itself is not isolated + between modes. Systems which support BHI_DIS_S will set it to protect against + BHI attacks. On Intel's enhanced IBRS systems, this includes cross-thread branch target injections on SMT systems (STIBP). In other words, Intel eIBRS enables 
@@ -638,6 +658,22 @@ spectre_v2=off. Spectre variant 1 mitigations cannot be disabled. + spectre_bhi= + + [X86] Control mitigation of Branch History Injection + (BHI) vulnerability. Syscalls are hardened against BHI + regardless of this setting. This setting affects the deployment + of the HW BHI control and the SW BHB clearing sequence. + + on + unconditionally enable. + off + unconditionally disable. + auto + enable if hardware mitigation + control(BHI_DIS_S) is available, otherwise + enable alternate mitigation in KVM. + For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt Mitigation selection guide only in patch2: unchanged: --- linux-6.5.0.orig/arch/x86/entry/entry_64.S +++ linux-6.5.0/arch/x86/entry/entry_64.S @@ -116,6 +116,7 @@ /* clobbers %rax, make sure it is after saving the syscall nr */ IBRS_ENTER UNTRAIN_RET + CLEAR_BRANCH_HISTORY call do_syscall_64 /* returns with IRQs disabled */ 
@@ -1538,3 +1539,63 @@
 call make_task_dead
 SYM_CODE_END(rewind_stack_and_make_dead)
 .popsection
+
+/*
+ * This sequence executes branches in order to remove user branch information
+ * from the branch history tracker in the Branch Predictor, therefore removing
+ * user influence on subsequent BTB lookups.
+ *
+ * It should be used on parts prior to Alder Lake. Newer parts should use the
+ * BHI_DIS_S hardware control instead. If a pre-Alder Lake part is being
+ * virtualized on newer hardware the VMM should protect against BHI attacks by
+ * setting BHI_DIS_S for the guests.
+ *
+ * CALLs/RETs are necessary to prevent Loop Stream Detector(LSD) from engaging
+ * and not clearing the branch history. The call tree looks like:
+ *
+ * call 1
+ * call 2
+ * call 2
+ * call 2
+ * call 2
+ * call 2
+ * ret
+ * ret
+ * ret
+ * ret
+ * ret
+ * ret
+ *
+ * This means that the stack is non-constant and ORC can't unwind it with %rsp
+ * alone. Therefore we unconditionally set up the frame pointer, which allows
+ * ORC to unwind properly.
+ *
+ * The alignment is for performance and not for safety, and may be safely
+ * refactored in the future if needed.
+ */
+SYM_FUNC_START(clear_bhb_loop)
+ push %rbp
+ mov %rsp, %rbp
+ movl $5, %ecx
+ ANNOTATE_INTRA_FUNCTION_CALL
+ call 1f
+ jmp 5f
+ .align 64, 0xcc
+ ANNOTATE_INTRA_FUNCTION_CALL
+1: call 2f
+ RET
+ .align 64, 0xcc
+2: movl $5, %eax
+3: jmp 4f
+ nop
+4: sub $1, %eax
+ jnz 3b
+ sub $1, %ecx
+ jnz 1b
+ RET
+5: lfence
+ pop %rbp
+ RET
+SYM_FUNC_END(clear_bhb_loop)
+EXPORT_SYMBOL_GPL(clear_bhb_loop)
+STACK_FRAME_NON_STANDARD(clear_bhb_loop)
only in patch2: unchanged:
--- linux-6.5.0.orig/arch/x86/entry/syscall_32.c
+++ linux-6.5.0/arch/x86/entry/syscall_32.c
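Review bot: The header comment above SYM_FUNC_START(clear_bhb_loop) never states the register contract, yet the body clobbers %rax, %rcx and the flags (`movl $5, %ecx`, `movl $5, %eax`, the `sub`/`jnz` pairs) and its callers are entry paths that must place it after the syscall number and arguments are saved — the same file's context line 'clobbers %rax, make sure it is after saving the syscall nr' shows that convention for IBRS_ENTER. I would add `* Clobbers: %rax, %rcx, eflags. %rbp is saved and restored; no other GPR is touched.` to the comment. The two loop counts (5 outer calls, 5 inner rounds) read as magic numbers; they presumably come from the vendor-specified clearing sequence, so a line such as `* The 5 x 5 iteration counts are part of the specified sequence, not tunables.` would keep a later cleanup from "optimizing" them.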
@@ -18,8 +18,25 @@
 #include
 #undef __SYSCALL
 
+/*
+ * The sys_call_table[] is no longer used for system calls, but
+ * kernel/trace/trace_syscalls.c still wants to know the system
+ * call address.
+ */
+#ifdef CONFIG_X86_32
 #define __SYSCALL(nr, sym) __ia32_##sym,
-
-__visible const sys_call_ptr_t ia32_sys_call_table[] = {
+const sys_call_ptr_t sys_call_table[] = {
 #include
 };
+#undef __SYSCALL
+#endif
+
+#define __SYSCALL(nr, sym) case nr: return __ia32_##sym(regs);
+
+long ia32_sys_call(const struct pt_regs *regs, unsigned int nr)
+{
+ switch (nr) {
+ #include
+ default: return __ia32_sys_ni_syscall(regs);
+ }
+};
only in patch2: unchanged:
--- linux-6.5.0.orig/arch/x86/entry/syscall_64.c
+++ linux-6.5.0/arch/x86/entry/syscall_64.c
@@ -11,8 +11,23 @@
 #include
 #undef __SYSCALL
 
+/*
+ * The sys_call_table[] is no longer used for system calls, but
+ * kernel/trace/trace_syscalls.c still wants to know the system
+ * call address.
+ */
 #define __SYSCALL(nr, sym) __x64_##sym,
-
-asmlinkage const sys_call_ptr_t sys_call_table[] = {
+const sys_call_ptr_t sys_call_table[] = {
 #include
 };
+#undef __SYSCALL
+
+#define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs);
+
+long x64_sys_call(const struct pt_regs *regs, unsigned int nr)
+{
+ switch (nr) {
+ #include
+ default: return __x64_sys_ni_syscall(regs);
+ }
+};
only in patch2: unchanged:
--- linux-6.5.0.orig/arch/x86/entry/syscall_x32.c
+++ linux-6.5.0/arch/x86/entry/syscall_x32.c
@@ -11,8 +11,12 @@
 #include
 #undef __SYSCALL
 
-#define __SYSCALL(nr, sym) __x64_##sym,
+#define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs);
 
-asmlinkage const sys_call_ptr_t x32_sys_call_table[] = {
-#include
+long x32_sys_call(const struct pt_regs *regs, unsigned int nr)
+{
+ switch (nr) {
+ #include
+ default: return __x64_sys_ni_syscall(regs);
+ }
 };
only in patch2: unchanged:
--- linux-6.5.0.orig/arch/x86/include/asm/cpufeatures.h
+++ linux-6.5.0/arch/x86/include/asm/cpufeatures.h
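Review bot: The new dispatcher ia32_sys_call closes with `+};` — the `;` after a function body's `}` is a stray empty declaration at file scope that -Wpedantic flags and that the surrounding code does not use; the same trailing `};` appears on x64_sys_call in syscall_64.c and x32_sys_call in syscall_x32.c in this chunk. Drop it so each definition ends with a bare `}`. Separately, the protection this switch buys depends on the compiler emitting compare-and-branch code rather than a table-driven indirect jump; presumably the retpoline build flags (`-fno-jump-tables` for GCC, clang's retpoline mode) guarantee that, but nothing here records it, so a comment above each switch such as `/* Must not become a jump table: the goal is to avoid an indirect branch on the syscall path. */` would preserve the rationale for whoever next touches the build flags.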
@@ -451,6 +451,17 @@
 #define X86_FEATURE_SRSO_NO (20*32+29) /* "" CPU is not affected by SRSO */
 
 /*
+ * Extended auxiliary flags: Linux defined - for features scattered in various
+ * CPUID levels like 0x80000022, etc and Linux defined features.
+ *
+ * Reuse free bits when adding new feature flags!
+ */
+#define X86_FEATURE_CLEAR_BHB_LOOP (21*32+ 1) /* "" Clear branch history at syscall entry using SW loop */
+#define X86_FEATURE_BHI_CTRL (21*32+ 2) /* "" BHI_DIS_S HW control available */
+#define X86_FEATURE_CLEAR_BHB_HW (21*32+ 3) /* "" BHI_DIS_S HW control enabled */
+#define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch history at vmexit using SW loop */
+
+/*
  * BUG word(s)
  */
 #define X86_BUG(x) (NCAPINTS*32 + (x))
@@ -496,4 +507,5 @@
 /* BUG word 2 */
 #define X86_BUG_SRSO X86_BUG(1*32 + 0) /* AMD SRSO bug */
 #define X86_BUG_DIV0 X86_BUG(1*32 + 1) /* AMD DIV0 speculation bug */
+#define X86_BUG_BHI X86_BUG(1*32 + 3) /* CPU is affected by Branch History Injection */
 #endif /* _ASM_X86_CPUFEATURES_H */
only in patch2: unchanged:
--- linux-6.5.0.orig/arch/x86/include/asm/syscall.h
+++ linux-6.5.0/arch/x86/include/asm/syscall.h
@@ -16,19 +16,17 @@
 #include /* for TS_COMPAT */
 #include
 
+/* This is used purely for kernel/trace/trace_syscalls.c */
 typedef long (*sys_call_ptr_t)(const struct pt_regs *);
 extern const sys_call_ptr_t sys_call_table[];
 
-#if defined(CONFIG_X86_32)
-#define ia32_sys_call_table sys_call_table
-#else
 /*
  * These may not exist, but still put the prototypes in so we
  * can use IS_ENABLED().
  */
-extern const sys_call_ptr_t ia32_sys_call_table[];
-extern const sys_call_ptr_t x32_sys_call_table[];
-#endif
+extern long ia32_sys_call(const struct pt_regs *, unsigned int nr);
+extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
+extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
 
 /*
  * Only the low 32 bits of orig_ax are meaningful, so we return int.
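Review bot: The new capability word starts at bit 1 (`21*32+ 1`) and X86_BUG_BHI lands at bit 3 of BUG word 2 right after DIV0 at bit 1, so bits 0 and 2 are skipped without explanation; if they are held for flags that exist upstream but not in this tree, a comment such as `/* bit 0 reserved: keeps numbering aligned with upstream */` at each gap would stop a later backport from reusing them and colliding. The hunk also introduces word 21, but this chunk does not show NCAPINTS (used by `X86_BUG(x)` a few lines below) being raised to cover it, nor the per-word DISABLED_MASK/REQUIRED_MASK entries in disabled-features.h and required-features.h that the build checks for every capability word; worth confirming those changes are elsewhere in the series.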
@@ -127,6 +125,7 @@
 }
 
 void do_syscall_64(struct pt_regs *regs, int nr);
+void do_int80_emulation(struct pt_regs *regs);
 
 #endif /* CONFIG_X86_32 */
 
only in patch2: unchanged:
--- linux-6.5.0.orig/arch/x86/kernel/cpu/scattered.c
+++ linux-6.5.0/arch/x86/kernel/cpu/scattered.c
@@ -28,6 +28,7 @@
 { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 },
 { X86_FEATURE_INTEL_PPIN, CPUID_EBX, 0, 0x00000007, 1 },
 { X86_FEATURE_RRSBA_CTRL, CPUID_EDX, 2, 0x00000007, 2 },
+{ X86_FEATURE_BHI_CTRL, CPUID_EDX, 4, 0x00000007, 2 },
 { X86_FEATURE_CQM_LLC, CPUID_EDX, 1, 0x0000000f, 0 },
 { X86_FEATURE_CQM_OCCUP_LLC, CPUID_EDX, 0, 0x0000000f, 1 },
 { X86_FEATURE_CQM_MBM_TOTAL, CPUID_EDX, 1, 0x0000000f, 1 },
only in patch2: unchanged:
--- linux-6.5.0.orig/arch/x86/kvm/reverse_cpuid.h
+++ linux-6.5.0/arch/x86/kvm/reverse_cpuid.h
@@ -45,6 +45,9 @@
 #define X86_FEATURE_AVX_NE_CONVERT KVM_X86_FEATURE(CPUID_7_1_EDX, 5)
 #define X86_FEATURE_PREFETCHITI KVM_X86_FEATURE(CPUID_7_1_EDX, 14)
 
+/* Intel-defined sub-features, CPUID level 0x00000007:2 (EDX) */
+#define KVM_X86_FEATURE_BHI_CTRL KVM_X86_FEATURE(CPUID_7_2_EDX, 4)
+
 /* CPUID level 0x80000007 (EDX). */
 #define KVM_X86_FEATURE_CONSTANT_TSC KVM_X86_FEATURE(CPUID_8000_0007_EDX, 8)
 
@@ -115,6 +118,8 @@
 return KVM_X86_FEATURE_CONSTANT_TSC;
 else if (x86_feature == X86_FEATURE_PERFMON_V2)
 return KVM_X86_FEATURE_PERFMON_V2;
+ else if (x86_feature == X86_FEATURE_BHI_CTRL)
+ return X86_FEATURE_BHI_CTRL;
 
 return x86_feature;
 }
only in patch2: unchanged:
--- linux-6.5.0.orig/arch/x86/kvm/vmx/vmenter.S
+++ linux-6.5.0/arch/x86/kvm/vmx/vmenter.S
@@ -272,6 +272,8 @@
 call vmx_spec_ctrl_restore_host
 
+ CLEAR_BRANCH_HISTORY_VMEXIT
+
 /* Put return value in AX */
 mov %_ASM_BX, %_ASM_AX
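Review bot: `return X86_FEATURE_BHI_CTRL;` in the new `else if` branch of the reverse_cpuid.h hunk hands back its own input, so the translation is a no-op and the `KVM_X86_FEATURE_BHI_CTRL` defined in the previous hunk is never referenced; every neighbouring branch maps an X86_FEATURE_* to its KVM_X86_FEATURE_* counterpart (CONSTANT_TSC and PERFMON_V2 are visible just above). It should read `return KVM_X86_FEATURE_BHI_CTRL;`. As written, KVM would presumably look the scattered Linux word-21 bit up as if it were a real CPUID leaf instead of CPUID.(7,2):EDX[4], so guest CPUID reporting of BHI_CTRL cannot work as intended; the enclosing function starts outside the hunk.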