sf00191076: Fix IBRS synchronization

PPA description

    UBUNTU: SAUCE: x86/speculation: Fix the IBRS synchronization

    The Ubuntu v4.4 kernel uses in-house patches for IBRS. The backports
    still have some problems that cause the IBRS status to be wrong when
    context-switching between the VM and host. For example, IBRS would be
    mistakenly enabled in the host when switching from an IBRS-enabled
    VM, and that causes performance overhead in the host. The other
    condition could also mistakenly disable IBRS in the host when
    context-switching from the guest. And this could be considered a CVE.

    Detailed analysis of the different situations:

    (host IBRS, guest IBRS)

    1). (1, 0)

    - Enter the VM with ibrs_enabled = 0, the host and guest value
      comparison will be wrong and the ibrs bit would not be
      _DISABLED_ (the hostval and guestval are all zero when enhanced IBRS
      doesn't exist). Then, the _VM_ IBRS register will be mistakenly
      enabled.

    - Exit the VM with ibrs_enabled = 0, the host and guest value
      comparison will be wrong and the ibrs bit would not be
      _RE-ENABLED_ (the hostval and guestval are all zero when enhanced IBRS
      doesn't exist). Then, the _host_ IBRS register will be mistakenly
      disabled.

    2). (0, 0)
    - Works correctly.

    3). (0, 1)

    - Enter the VM with ibrs_enabled = 1, the hostval != guestval, so
      the guestval can be restored and it works correctly.

    - Exit the VM with ibrs_enabled = 1, the hostval != guestval, so
      the hostval can be restored and it works correctly.

    4). (1, 1)

    - Enter the VM with ibrs_enabled = 1, however, the hostval !=
      guestval, then the guestval will be evaluated again and set to the
      MSR. This is redundant work to set up the SPEC_CTRL MSR. But the
      result is still correct.

    - Exit the VM with ibrs_enabled = 1, however, the hostval !=
      guestval, then the hostval will be restored with the value
      0 (x86_spec_ctrl_base == 0 without the enhanced IBRS feature), the IBRS
      bit is mistakenly disabled, and this causes the host kernel vulnerability.

    Fixes: 4d8d3dbed275 ("UBUNTU: SAUCE: x86/bugs, KVM: Support the combination ...")
    Fixes: f676aa34b402 ("x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD ...")
    Signed-off-by: Gavin Guo <email address hidden>

Adding this PPA to your system

You can update your system with unsupported packages from this untrusted PPA by adding ppa:mimi0213kimo/sf00191076-fix-ibrs-synchronization to your system's Software Sources.

sudo add-apt-repository ppa:mimi0213kimo/sf00191076-fix-ibrs-synchronization
sudo apt update
        
Technical details about this PPA

This PPA can be added to your system manually by copying the lines below and adding them to your system's software sources.

deb https://ppa.launchpadcontent.net/mimi0213kimo/sf00191076-fix-ibrs-synchronization/ubuntu xenial main 
deb-src https://ppa.launchpadcontent.net/mimi0213kimo/sf00191076-fix-ibrs-synchronization/ubuntu xenial main 
Signing key:
1024R/507FCC449C3DF235AF6799B2B68469EAC3EDBBD2
Fingerprint:
507FCC449C3DF235AF6799B2B68469EAC3EDBBD2

For questions and bugs with software in this PPA please contact Gavin Guo.

PPA statistics

Activity
0 updates added during the past month.

Overview of published packages

Package: linux
Version: 4.4.0-138.164+hf191076v20181120b1h3acb33fb32a5 (Newer version available)
Uploaded by: Gavin Guo

Latest updates

  • linux 279 weeks ago
    Successfully built