Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch140
-rw-r--r--debian/patches/bugfix/x86/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch48
-rw-r--r--debian/patches/bugfix/x86/platform-x86-p2sb-On-Goldmont-only-cache-P2SB-and-SP.patch77
-rw-r--r--debian/patches/bugfix/x86/x86-mmio-Disable-KVM-mitigation-when-X86_FEATURE_CLE.patch58
-rw-r--r--debian/patches/bugfix/x86/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch384
-rw-r--r--debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch10
-rw-r--r--debian/patches/series5
7 files changed, 5 insertions, 717 deletions
diff --git a/debian/patches/bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch b/debian/patches/bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch
deleted file mode 100644
index 781be97097..0000000000
--- a/debian/patches/bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Date: Mon, 11 Mar 2024 12:29:43 -0700
-Subject: Documentation/hw-vuln: Add documentation for RFDS
-Origin: https://git.kernel.org/linus/4e42765d1be01111df0c0275bbaf1db1acef346e
-
-Add the documentation for transient execution vulnerability Register
-File Data Sampling (RFDS) that affects Intel Atom CPUs.
-
-Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
----
- Documentation/admin-guide/hw-vuln/index.rst | 1 +
- .../hw-vuln/reg-file-data-sampling.rst | 104 ++++++++++++++++++
- 2 files changed, 105 insertions(+)
- create mode 100644 Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
-
-diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst
-index de99caabf65a..ff0b440ef2dc 100644
---- a/Documentation/admin-guide/hw-vuln/index.rst
-+++ b/Documentation/admin-guide/hw-vuln/index.rst
-@@ -21,3 +21,4 @@ are configurable at compile, boot or run time.
- cross-thread-rsb
- srso
- gather_data_sampling
-+ reg-file-data-sampling
-diff --git a/Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst b/Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
-new file mode 100644
-index 000000000000..0585d02b9a6c
---- /dev/null
-+++ b/Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
-@@ -0,0 +1,104 @@
-+==================================
-+Register File Data Sampling (RFDS)
-+==================================
-+
-+Register File Data Sampling (RFDS) is a microarchitectural vulnerability that
-+only affects Intel Atom parts(also branded as E-cores). RFDS may allow
-+a malicious actor to infer data values previously used in floating point
-+registers, vector registers, or integer registers. RFDS does not provide the
-+ability to choose which data is inferred. CVE-2023-28746 is assigned to RFDS.
-+
-+Affected Processors
-+===================
-+Below is the list of affected Intel processors [#f1]_:
-+
-+ =================== ============
-+ Common name Family_Model
-+ =================== ============
-+ ATOM_GOLDMONT 06_5CH
-+ ATOM_GOLDMONT_D 06_5FH
-+ ATOM_GOLDMONT_PLUS 06_7AH
-+ ATOM_TREMONT_D 06_86H
-+ ATOM_TREMONT 06_96H
-+ ALDERLAKE 06_97H
-+ ALDERLAKE_L 06_9AH
-+ ATOM_TREMONT_L 06_9CH
-+ RAPTORLAKE 06_B7H
-+ RAPTORLAKE_P 06_BAH
-+ ATOM_GRACEMONT 06_BEH
-+ RAPTORLAKE_S 06_BFH
-+ =================== ============
-+
-+As an exception to this table, Intel Xeon E family parts ALDERLAKE(06_97H) and
-+RAPTORLAKE(06_B7H) codenamed Catlow are not affected. They are reported as
-+vulnerable in Linux because they share the same family/model with an affected
-+part. Unlike their affected counterparts, they do not enumerate RFDS_CLEAR or
-+CPUID.HYBRID. This information could be used to distinguish between the
-+affected and unaffected parts, but it is deemed not worth adding complexity as
-+the reporting is fixed automatically when these parts enumerate RFDS_NO.
-+
-+Mitigation
-+==========
-+Intel released a microcode update that enables software to clear sensitive
-+information using the VERW instruction. Like MDS, RFDS deploys the same
-+mitigation strategy to force the CPU to clear the affected buffers before an
-+attacker can extract the secrets. This is achieved by using the otherwise
-+unused and obsolete VERW instruction in combination with a microcode update.
-+The microcode clears the affected CPU buffers when the VERW instruction is
-+executed.
-+
-+Mitigation points
-+-----------------
-+VERW is executed by the kernel before returning to user space, and by KVM
-+before VMentry. None of the affected cores support SMT, so VERW is not required
-+at C-state transitions.
-+
-+New bits in IA32_ARCH_CAPABILITIES
-+----------------------------------
-+Newer processors and microcode update on existing affected processors added new
-+bits to IA32_ARCH_CAPABILITIES MSR. These bits can be used to enumerate
-+vulnerability and mitigation capability:
-+
-+- Bit 27 - RFDS_NO - When set, processor is not affected by RFDS.
-+- Bit 28 - RFDS_CLEAR - When set, processor is affected by RFDS, and has the
-+ microcode that clears the affected buffers on VERW execution.
-+
-+Mitigation control on the kernel command line
-+---------------------------------------------
-+The kernel command line allows to control RFDS mitigation at boot time with the
-+parameter "reg_file_data_sampling=". The valid arguments are:
-+
-+ ========== =================================================================
-+ on If the CPU is vulnerable, enable mitigation; CPU buffer clearing
-+ on exit to userspace and before entering a VM.
-+ off Disables mitigation.
-+ ========== =================================================================
-+
-+Mitigation default is selected by CONFIG_MITIGATION_RFDS.
-+
-+Mitigation status information
-+-----------------------------
-+The Linux kernel provides a sysfs interface to enumerate the current
-+vulnerability status of the system: whether the system is vulnerable, and
-+which mitigations are active. The relevant sysfs file is:
-+
-+ /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling
-+
-+The possible values in this file are:
-+
-+ .. list-table::
-+
-+ * - 'Not affected'
-+ - The processor is not vulnerable
-+ * - 'Vulnerable'
-+ - The processor is vulnerable, but no mitigation enabled
-+ * - 'Vulnerable: No microcode'
-+ - The processor is vulnerable but microcode is not updated.
-+ * - 'Mitigation: Clear Register File'
-+ - The processor is vulnerable and the CPU buffer clearing mitigation is
-+ enabled.
-+
-+References
-+----------
-+.. [#f1] Affected Processors
-+ https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
---
-2.43.0
-
diff --git a/debian/patches/bugfix/x86/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch b/debian/patches/bugfix/x86/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch
deleted file mode 100644
index 13a5c96a49..0000000000
--- a/debian/patches/bugfix/x86/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Date: Mon, 11 Mar 2024 12:29:43 -0700
-Subject: KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests
-Origin: https://git.kernel.org/linus/2a0180129d726a4b953232175857d442651b55a0
-
-Mitigation for RFDS requires RFDS_CLEAR capability which is enumerated
-by MSR_IA32_ARCH_CAPABILITIES bit 27. If the host has it set, export it
-to guests so that they can deploy the mitigation.
-
-RFDS_NO indicates that the system is not vulnerable to RFDS, export it
-to guests so that they don't deploy the mitigation unnecessarily. When
-the host is not affected by X86_BUG_RFDS, but has RFDS_NO=0, synthesize
-RFDS_NO to the guest.
-
-Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
----
- arch/x86/kvm/x86.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 48a61d283406..68fdf3ba031a 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -1623,7 +1623,8 @@ static bool kvm_is_immutable_feature_msr(u32 msr)
- ARCH_CAP_SKIP_VMENTRY_L1DFLUSH | ARCH_CAP_SSB_NO | ARCH_CAP_MDS_NO | \
- ARCH_CAP_PSCHANGE_MC_NO | ARCH_CAP_TSX_CTRL_MSR | ARCH_CAP_TAA_NO | \
- ARCH_CAP_SBDR_SSDP_NO | ARCH_CAP_FBSDP_NO | ARCH_CAP_PSDP_NO | \
-- ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO | ARCH_CAP_GDS_NO)
-+ ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO | ARCH_CAP_GDS_NO | \
-+ ARCH_CAP_RFDS_NO | ARCH_CAP_RFDS_CLEAR)
-
- static u64 kvm_get_arch_capabilities(void)
- {
-@@ -1655,6 +1656,8 @@ static u64 kvm_get_arch_capabilities(void)
- data |= ARCH_CAP_SSB_NO;
- if (!boot_cpu_has_bug(X86_BUG_MDS))
- data |= ARCH_CAP_MDS_NO;
-+ if (!boot_cpu_has_bug(X86_BUG_RFDS))
-+ data |= ARCH_CAP_RFDS_NO;
-
- if (!boot_cpu_has(X86_FEATURE_RTM)) {
- /*
---
-2.43.0
-
diff --git a/debian/patches/bugfix/x86/platform-x86-p2sb-On-Goldmont-only-cache-P2SB-and-SP.patch b/debian/patches/bugfix/x86/platform-x86-p2sb-On-Goldmont-only-cache-P2SB-and-SP.patch
deleted file mode 100644
index 50e5f8dc5d..0000000000
--- a/debian/patches/bugfix/x86/platform-x86-p2sb-On-Goldmont-only-cache-P2SB-and-SP.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Mon, 4 Mar 2024 14:43:55 +0100
-Subject: platform/x86: p2sb: On Goldmont only cache P2SB and SPI devfn BAR
-Origin: https://git.kernel.org/linus/aec7d25b497ce4a8d044e9496de0aa433f7f8f06
-Bug-Debian: https://bugs.debian.org/1065320
-
-On Goldmont p2sb_bar() only ever gets called for 2 devices, the actual P2SB
-devfn 13,0 and the SPI controller which is part of the P2SB, devfn 13,2.
-
-But the current p2sb code tries to cache BAR0 info for all of
-devfn 13,0 to 13,7 . This involves calling pci_scan_single_device()
-for device 13 functions 0-7 and the hw does not seem to like
-pci_scan_single_device() getting called for some of the other hidden
-devices. E.g. on an ASUS VivoBook D540NV-GQ065T this leads to continuous
-ACPI errors leading to high CPU usage.
-
-Fix this by only caching BAR0 info and thus only calling
-pci_scan_single_device() for the P2SB and the SPI controller.
-
-Fixes: 5913320eb0b3 ("platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe")
-Reported-by: Danil Rybakov <danilrybakov249@gmail.com>
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218531
-Tested-by: Danil Rybakov <danilrybakov249@gmail.com>
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
-Link: https://lore.kernel.org/r/20240304134356.305375-2-hdegoede@redhat.com
----
- drivers/platform/x86/p2sb.c | 25 +++++++++----------------
- 1 file changed, 9 insertions(+), 16 deletions(-)
-
-diff --git a/drivers/platform/x86/p2sb.c b/drivers/platform/x86/p2sb.c
-index 6bd14d0132db..3d66e1d4eb1f 100644
---- a/drivers/platform/x86/p2sb.c
-+++ b/drivers/platform/x86/p2sb.c
-@@ -20,9 +20,11 @@
- #define P2SBC_HIDE BIT(8)
-
- #define P2SB_DEVFN_DEFAULT PCI_DEVFN(31, 1)
-+#define P2SB_DEVFN_GOLDMONT PCI_DEVFN(13, 0)
-+#define SPI_DEVFN_GOLDMONT PCI_DEVFN(13, 2)
-
- static const struct x86_cpu_id p2sb_cpu_ids[] = {
-- X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, PCI_DEVFN(13, 0)),
-+ X86_MATCH_INTEL_FAM6_MODEL(ATOM_GOLDMONT, P2SB_DEVFN_GOLDMONT),
- {}
- };
-
-@@ -98,21 +100,12 @@ static void p2sb_scan_and_cache_devfn(struct pci_bus *bus, unsigned int devfn)
-
- static int p2sb_scan_and_cache(struct pci_bus *bus, unsigned int devfn)
- {
-- unsigned int slot, fn;
--
-- if (PCI_FUNC(devfn) == 0) {
-- /*
-- * When function number of the P2SB device is zero, scan it and
-- * other function numbers, and if devices are available, cache
-- * their BAR0s.
-- */
-- slot = PCI_SLOT(devfn);
-- for (fn = 0; fn < NR_P2SB_RES_CACHE; fn++)
-- p2sb_scan_and_cache_devfn(bus, PCI_DEVFN(slot, fn));
-- } else {
-- /* Scan the P2SB device and cache its BAR0 */
-- p2sb_scan_and_cache_devfn(bus, devfn);
-- }
-+ /* Scan the P2SB device and cache its BAR0 */
-+ p2sb_scan_and_cache_devfn(bus, devfn);
-+
-+ /* On Goldmont p2sb_bar() also gets called for the SPI controller */
-+ if (devfn == P2SB_DEVFN_GOLDMONT)
-+ p2sb_scan_and_cache_devfn(bus, SPI_DEVFN_GOLDMONT);
-
- if (!p2sb_valid_resource(&p2sb_resources[PCI_FUNC(devfn)].res))
- return -ENOENT;
---
-2.43.0
-
diff --git a/debian/patches/bugfix/x86/x86-mmio-Disable-KVM-mitigation-when-X86_FEATURE_CLE.patch b/debian/patches/bugfix/x86/x86-mmio-Disable-KVM-mitigation-when-X86_FEATURE_CLE.patch
deleted file mode 100644
index 313064d2bc..0000000000
--- a/debian/patches/bugfix/x86/x86-mmio-Disable-KVM-mitigation-when-X86_FEATURE_CLE.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Date: Mon, 11 Mar 2024 12:29:43 -0700
-Subject: x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is
- set
-Origin: https://git.kernel.org/linus/e95df4ec0c0c9791941f112db699fae794b9862a
-
-Currently MMIO Stale Data mitigation for CPUs not affected by MDS/TAA is
-to only deploy VERW at VMentry by enabling mmio_stale_data_clear static
-branch. No mitigation is needed for kernel->user transitions. If such
-CPUs are also affected by RFDS, its mitigation may set
-X86_FEATURE_CLEAR_CPU_BUF to deploy VERW at kernel->user and VMentry.
-This could result in duplicate VERW at VMentry.
-
-Fix this by disabling mmio_stale_data_clear static branch when
-X86_FEATURE_CLEAR_CPU_BUF is enabled.
-
-Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
----
- arch/x86/kernel/cpu/bugs.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 48d049cd74e7..cd6ac89c1a0d 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -422,6 +422,13 @@ static void __init mmio_select_mitigation(void)
- if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) &&
- boot_cpu_has(X86_FEATURE_RTM)))
- setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
-+
-+ /*
-+ * X86_FEATURE_CLEAR_CPU_BUF could be enabled by other VERW based
-+ * mitigations, disable KVM-only mitigation in that case.
-+ */
-+ if (boot_cpu_has(X86_FEATURE_CLEAR_CPU_BUF))
-+ static_branch_disable(&mmio_stale_data_clear);
- else
- static_branch_enable(&mmio_stale_data_clear);
-
-@@ -498,8 +505,11 @@ static void __init md_clear_update_mitigation(void)
- taa_mitigation = TAA_MITIGATION_VERW;
- taa_select_mitigation();
- }
-- if (mmio_mitigation == MMIO_MITIGATION_OFF &&
-- boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
-+ /*
-+ * MMIO_MITIGATION_OFF is not checked here so that mmio_stale_data_clear
-+ * gets updated correctly as per X86_FEATURE_CLEAR_CPU_BUF state.
-+ */
-+ if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
- mmio_mitigation = MMIO_MITIGATION_VERW;
- mmio_select_mitigation();
- }
---
-2.43.0
-
diff --git a/debian/patches/bugfix/x86/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch b/debian/patches/bugfix/x86/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch
deleted file mode 100644
index 21603126c5..0000000000
--- a/debian/patches/bugfix/x86/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch
+++ /dev/null
@@ -1,384 +0,0 @@
-From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Date: Mon, 11 Mar 2024 12:29:43 -0700
-Subject: x86/rfds: Mitigate Register File Data Sampling (RFDS)
-Origin: https://git.kernel.org/linus/8076fcde016c9c0e0660543e67bff86cb48a7c9c
-
-RFDS is a CPU vulnerability that may allow userspace to infer kernel
-stale data previously used in floating point registers, vector registers
-and integer registers. RFDS only affects certain Intel Atom processors.
-
-Intel released a microcode update that uses VERW instruction to clear
-the affected CPU buffers. Unlike MDS, none of the affected cores support
-SMT.
-
-Add RFDS bug infrastructure and enable the VERW based mitigation by
-default, that clears the affected buffers just before exiting to
-userspace. Also add sysfs reporting and cmdline parameter
-"reg_file_data_sampling" to control the mitigation.
-
-For details see:
-Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
-
-Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
----
- .../ABI/testing/sysfs-devices-system-cpu | 1 +
- .../admin-guide/kernel-parameters.txt | 21 +++++
- arch/x86/Kconfig | 11 +++
- arch/x86/include/asm/cpufeatures.h | 1 +
- arch/x86/include/asm/msr-index.h | 8 ++
- arch/x86/kernel/cpu/bugs.c | 78 ++++++++++++++++++-
- arch/x86/kernel/cpu/common.c | 38 ++++++++-
- drivers/base/cpu.c | 3 +
- include/linux/cpu.h | 2 +
- 9 files changed, 157 insertions(+), 6 deletions(-)
-
-diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
-index a1db6db47505..710d47be11e0 100644
---- a/Documentation/ABI/testing/sysfs-devices-system-cpu
-+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
-@@ -516,6 +516,7 @@ What: /sys/devices/system/cpu/vulnerabilities
- /sys/devices/system/cpu/vulnerabilities/mds
- /sys/devices/system/cpu/vulnerabilities/meltdown
- /sys/devices/system/cpu/vulnerabilities/mmio_stale_data
-+ /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling
- /sys/devices/system/cpu/vulnerabilities/retbleed
- /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
- /sys/devices/system/cpu/vulnerabilities/spectre_v1
-diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 31b3a25680d0..73062d47a462 100644
---- a/Documentation/admin-guide/kernel-parameters.txt
-+++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -1150,6 +1150,26 @@
- The filter can be disabled or changed to another
- driver later using sysfs.
-
-+ reg_file_data_sampling=
-+ [X86] Controls mitigation for Register File Data
-+ Sampling (RFDS) vulnerability. RFDS is a CPU
-+ vulnerability which may allow userspace to infer
-+ kernel data values previously stored in floating point
-+ registers, vector registers, or integer registers.
-+ RFDS only affects Intel Atom processors.
-+
-+ on: Turns ON the mitigation.
-+ off: Turns OFF the mitigation.
-+
-+ This parameter overrides the compile time default set
-+ by CONFIG_MITIGATION_RFDS. Mitigation cannot be
-+ disabled when other VERW based mitigations (like MDS)
-+ are enabled. In order to disable RFDS mitigation all
-+ VERW based mitigations need to be disabled.
-+
-+ For details see:
-+ Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
-+
- driver_async_probe= [KNL]
- List of driver names to be probed asynchronously. *
- matches with all driver names. If * is specified, the
-@@ -3398,6 +3418,7 @@
- nospectre_bhb [ARM64]
- nospectre_v1 [X86,PPC]
- nospectre_v2 [X86,PPC,S390,ARM64]
-+ reg_file_data_sampling=off [X86]
- retbleed=off [X86]
- spec_store_bypass_disable=off [X86,PPC]
- spectre_v2_user=off [X86]
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 5edec175b9bf..637e337c332e 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -2614,6 +2614,17 @@ config GDS_FORCE_MITIGATION
-
- If in doubt, say N.
-
-+config MITIGATION_RFDS
-+ bool "RFDS Mitigation"
-+ depends on CPU_SUP_INTEL
-+ default y
-+ help
-+ Enable mitigation for Register File Data Sampling (RFDS) by default.
-+ RFDS is a hardware vulnerability which affects Intel Atom CPUs. It
-+ allows unprivileged speculative access to stale data previously
-+ stored in floating point, vector and integer registers.
-+ See also <file:Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst>
-+
- endif
-
- config ARCH_HAS_ADD_PAGES
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 2b62cdd8dd12..8511aad59581 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -503,4 +503,5 @@
- /* BUG word 2 */
- #define X86_BUG_SRSO X86_BUG(1*32 + 0) /* AMD SRSO bug */
- #define X86_BUG_DIV0 X86_BUG(1*32 + 1) /* AMD DIV0 speculation bug */
-+#define X86_BUG_RFDS X86_BUG(1*32 + 2) /* CPU is vulnerable to Register File Data Sampling */
- #endif /* _ASM_X86_CPUFEATURES_H */
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index f1bd7b91b3c6..d1b5edaf6c34 100644
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -165,6 +165,14 @@
- * CPU is not vulnerable to Gather
- * Data Sampling (GDS).
- */
-+#define ARCH_CAP_RFDS_NO BIT(27) /*
-+ * Not susceptible to Register
-+ * File Data Sampling.
-+ */
-+#define ARCH_CAP_RFDS_CLEAR BIT(28) /*
-+ * VERW clears CPU Register
-+ * File.
-+ */
-
- #define ARCH_CAP_XAPIC_DISABLE BIT(21) /*
- * IA32_XAPIC_DISABLE_STATUS MSR
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index cd6ac89c1a0d..01ac18f56147 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -480,6 +480,57 @@ static int __init mmio_stale_data_parse_cmdline(char *str)
- }
- early_param("mmio_stale_data", mmio_stale_data_parse_cmdline);
-
-+#undef pr_fmt
-+#define pr_fmt(fmt) "Register File Data Sampling: " fmt
-+
-+enum rfds_mitigations {
-+ RFDS_MITIGATION_OFF,
-+ RFDS_MITIGATION_VERW,
-+ RFDS_MITIGATION_UCODE_NEEDED,
-+};
-+
-+/* Default mitigation for Register File Data Sampling */
-+static enum rfds_mitigations rfds_mitigation __ro_after_init =
-+ IS_ENABLED(CONFIG_MITIGATION_RFDS) ? RFDS_MITIGATION_VERW : RFDS_MITIGATION_OFF;
-+
-+static const char * const rfds_strings[] = {
-+ [RFDS_MITIGATION_OFF] = "Vulnerable",
-+ [RFDS_MITIGATION_VERW] = "Mitigation: Clear Register File",
-+ [RFDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
-+};
-+
-+static void __init rfds_select_mitigation(void)
-+{
-+ if (!boot_cpu_has_bug(X86_BUG_RFDS) || cpu_mitigations_off()) {
-+ rfds_mitigation = RFDS_MITIGATION_OFF;
-+ return;
-+ }
-+ if (rfds_mitigation == RFDS_MITIGATION_OFF)
-+ return;
-+
-+ if (x86_read_arch_cap_msr() & ARCH_CAP_RFDS_CLEAR)
-+ setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
-+ else
-+ rfds_mitigation = RFDS_MITIGATION_UCODE_NEEDED;
-+}
-+
-+static __init int rfds_parse_cmdline(char *str)
-+{
-+ if (!str)
-+ return -EINVAL;
-+
-+ if (!boot_cpu_has_bug(X86_BUG_RFDS))
-+ return 0;
-+
-+ if (!strcmp(str, "off"))
-+ rfds_mitigation = RFDS_MITIGATION_OFF;
-+ else if (!strcmp(str, "on"))
-+ rfds_mitigation = RFDS_MITIGATION_VERW;
-+
-+ return 0;
-+}
-+early_param("reg_file_data_sampling", rfds_parse_cmdline);
-+
- #undef pr_fmt
- #define pr_fmt(fmt) "" fmt
-
-@@ -513,6 +564,11 @@ static void __init md_clear_update_mitigation(void)
- mmio_mitigation = MMIO_MITIGATION_VERW;
- mmio_select_mitigation();
- }
-+ if (rfds_mitigation == RFDS_MITIGATION_OFF &&
-+ boot_cpu_has_bug(X86_BUG_RFDS)) {
-+ rfds_mitigation = RFDS_MITIGATION_VERW;
-+ rfds_select_mitigation();
-+ }
- out:
- if (boot_cpu_has_bug(X86_BUG_MDS))
- pr_info("MDS: %s\n", mds_strings[mds_mitigation]);
-@@ -522,6 +578,8 @@ static void __init md_clear_update_mitigation(void)
- pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
- else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
- pr_info("MMIO Stale Data: Unknown: No mitigations\n");
-+ if (boot_cpu_has_bug(X86_BUG_RFDS))
-+ pr_info("Register File Data Sampling: %s\n", rfds_strings[rfds_mitigation]);
- }
-
- static void __init md_clear_select_mitigation(void)
-@@ -529,11 +587,12 @@ static void __init md_clear_select_mitigation(void)
- mds_select_mitigation();
- taa_select_mitigation();
- mmio_select_mitigation();
-+ rfds_select_mitigation();
-
- /*
-- * As MDS, TAA and MMIO Stale Data mitigations are inter-related, update
-- * and print their mitigation after MDS, TAA and MMIO Stale Data
-- * mitigation selection is done.
-+ * As these mitigations are inter-related and rely on VERW instruction
-+ * to clear the microarchitural buffers, update and print their status
-+ * after mitigation selection is done for each of these vulnerabilities.
- */
- md_clear_update_mitigation();
- }
-@@ -2622,6 +2681,11 @@ static ssize_t mmio_stale_data_show_state(char *buf)
- sched_smt_active() ? "vulnerable" : "disabled");
- }
-
-+static ssize_t rfds_show_state(char *buf)
-+{
-+ return sysfs_emit(buf, "%s\n", rfds_strings[rfds_mitigation]);
-+}
-+
- static char *stibp_state(void)
- {
- if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
-@@ -2781,6 +2845,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
- case X86_BUG_GDS:
- return gds_show_state(buf);
-
-+ case X86_BUG_RFDS:
-+ return rfds_show_state(buf);
-+
- default:
- break;
- }
-@@ -2855,4 +2922,9 @@ ssize_t cpu_show_gds(struct device *dev, struct device_attribute *attr, char *bu
- {
- return cpu_show_common(dev, attr, buf, X86_BUG_GDS);
- }
-+
-+ssize_t cpu_show_reg_file_data_sampling(struct device *dev, struct device_attribute *attr, char *buf)
-+{
-+ return cpu_show_common(dev, attr, buf, X86_BUG_RFDS);
-+}
- #endif
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index fbc4e60d027c..40d8c110bb32 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1267,6 +1267,8 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
- #define SRSO BIT(5)
- /* CPU is affected by GDS */
- #define GDS BIT(6)
-+/* CPU is affected by Register File Data Sampling */
-+#define RFDS BIT(7)
-
- static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
- VULNBL_INTEL_STEPPINGS(IVYBRIDGE, X86_STEPPING_ANY, SRBDS),
-@@ -1294,9 +1296,18 @@ static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
- VULNBL_INTEL_STEPPINGS(TIGERLAKE, X86_STEPPING_ANY, GDS),
- VULNBL_INTEL_STEPPINGS(LAKEFIELD, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),
- VULNBL_INTEL_STEPPINGS(ROCKETLAKE, X86_STEPPING_ANY, MMIO | RETBLEED | GDS),
-- VULNBL_INTEL_STEPPINGS(ATOM_TREMONT, X86_STEPPING_ANY, MMIO | MMIO_SBDS),
-- VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO),
-- VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS),
-+ VULNBL_INTEL_STEPPINGS(ALDERLAKE, X86_STEPPING_ANY, RFDS),
-+ VULNBL_INTEL_STEPPINGS(ALDERLAKE_L, X86_STEPPING_ANY, RFDS),
-+ VULNBL_INTEL_STEPPINGS(RAPTORLAKE, X86_STEPPING_ANY, RFDS),
-+ VULNBL_INTEL_STEPPINGS(RAPTORLAKE_P, X86_STEPPING_ANY, RFDS),
-+ VULNBL_INTEL_STEPPINGS(RAPTORLAKE_S, X86_STEPPING_ANY, RFDS),
-+ VULNBL_INTEL_STEPPINGS(ATOM_GRACEMONT, X86_STEPPING_ANY, RFDS),
-+ VULNBL_INTEL_STEPPINGS(ATOM_TREMONT, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RFDS),
-+ VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO | RFDS),
-+ VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RFDS),
-+ VULNBL_INTEL_STEPPINGS(ATOM_GOLDMONT, X86_STEPPING_ANY, RFDS),
-+ VULNBL_INTEL_STEPPINGS(ATOM_GOLDMONT_D, X86_STEPPING_ANY, RFDS),
-+ VULNBL_INTEL_STEPPINGS(ATOM_GOLDMONT_PLUS, X86_STEPPING_ANY, RFDS),
-
- VULNBL_AMD(0x15, RETBLEED),
- VULNBL_AMD(0x16, RETBLEED),
-@@ -1330,6 +1341,24 @@ static bool arch_cap_mmio_immune(u64 ia32_cap)
- ia32_cap & ARCH_CAP_SBDR_SSDP_NO);
- }
-
-+static bool __init vulnerable_to_rfds(u64 ia32_cap)
-+{
-+ /* The "immunity" bit trumps everything else: */
-+ if (ia32_cap & ARCH_CAP_RFDS_NO)
-+ return false;
-+
-+ /*
-+ * VMMs set ARCH_CAP_RFDS_CLEAR for processors not in the blacklist to
-+ * indicate that mitigation is needed because guest is running on a
-+ * vulnerable hardware or may migrate to such hardware:
-+ */
-+ if (ia32_cap & ARCH_CAP_RFDS_CLEAR)
-+ return true;
-+
-+ /* Only consult the blacklist when there is no enumeration: */
-+ return cpu_matches(cpu_vuln_blacklist, RFDS);
-+}
-+
- static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
- {
- u64 ia32_cap = x86_read_arch_cap_msr();
-@@ -1441,6 +1470,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
- boot_cpu_has(X86_FEATURE_AVX))
- setup_force_cpu_bug(X86_BUG_GDS);
-
-+ if (vulnerable_to_rfds(ia32_cap))
-+ setup_force_cpu_bug(X86_BUG_RFDS);
-+
- if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
- return;
-
-diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
-index 47de0f140ba6..0b33e81f9c9b 100644
---- a/drivers/base/cpu.c
-+++ b/drivers/base/cpu.c
-@@ -588,6 +588,7 @@ CPU_SHOW_VULN_FALLBACK(mmio_stale_data);
- CPU_SHOW_VULN_FALLBACK(retbleed);
- CPU_SHOW_VULN_FALLBACK(spec_rstack_overflow);
- CPU_SHOW_VULN_FALLBACK(gds);
-+CPU_SHOW_VULN_FALLBACK(reg_file_data_sampling);
-
- static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
- static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
-@@ -602,6 +603,7 @@ static DEVICE_ATTR(mmio_stale_data, 0444, cpu_show_mmio_stale_data, NULL);
- static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
- static DEVICE_ATTR(spec_rstack_overflow, 0444, cpu_show_spec_rstack_overflow, NULL);
- static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL);
-+static DEVICE_ATTR(reg_file_data_sampling, 0444, cpu_show_reg_file_data_sampling, NULL);
-
- static struct attribute *cpu_root_vulnerabilities_attrs[] = {
- &dev_attr_meltdown.attr,
-@@ -617,6 +619,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
- &dev_attr_retbleed.attr,
- &dev_attr_spec_rstack_overflow.attr,
- &dev_attr_gather_data_sampling.attr,
-+ &dev_attr_reg_file_data_sampling.attr,
- NULL
- };
-
-diff --git a/include/linux/cpu.h b/include/linux/cpu.h
-index dcb89c987164..8654714421a0 100644
---- a/include/linux/cpu.h
-+++ b/include/linux/cpu.h
-@@ -75,6 +75,8 @@ extern ssize_t cpu_show_spec_rstack_overflow(struct device *dev,
- struct device_attribute *attr, char *buf);
- extern ssize_t cpu_show_gds(struct device *dev,
- struct device_attribute *attr, char *buf);
-+extern ssize_t cpu_show_reg_file_data_sampling(struct device *dev,
-+ struct device_attribute *attr, char *buf);
-
- extern __printf(4, 5)
- struct device *cpu_device_create(struct device *parent, void *drvdata,
---
-2.43.0
-
diff --git a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
index 3d8bdf0664..3a10822b3b 100644
--- a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -26,16 +26,16 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
-@@ -1031,6 +1031,8 @@ void __init setup_arch(char **cmdline_p)
+@@ -902,6 +902,8 @@ void __init setup_arch(char **cmdline_p)
if (efi_enabled(EFI_BOOT))
efi_init();
+ efi_set_secure_boot(boot_params.secure_boot);
+
reserve_ibft_region();
- dmi_setup();
+ x86_init.resources.dmi_setup();
-@@ -1192,8 +1194,6 @@ void __init setup_arch(char **cmdline_p)
+@@ -1063,8 +1065,6 @@ void __init setup_arch(char **cmdline_p)
/* Allocate bigger log buffer */
setup_log_buf(1);
@@ -67,7 +67,7 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
default:
--- a/include/linux/security.h
+++ b/include/linux/security.h
-@@ -482,6 +482,7 @@ int security_inode_notifysecctx(struct i
+@@ -486,6 +486,7 @@ int security_inode_notifysecctx(struct i
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
@@ -75,7 +75,7 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1388,6 +1389,11 @@ static inline int security_locked_down(e
+@@ -1404,6 +1405,11 @@ static inline int security_locked_down(e
{
return 0;
}
diff --git a/debian/patches/series b/debian/patches/series
index 361758bb88..8c1ff52363 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -68,7 +68,6 @@ bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
bugfix/alpha/alpha-fix-missing-symbol-versions-for-str-n-cat-cpy.patch
-bugfix/x86/platform-x86-p2sb-On-Goldmont-only-cache-P2SB-and-SP.patch
# Arch features
features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
@@ -95,10 +94,6 @@ features/all/db-mok-keyring/trust-machine-keyring-by-default.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/ntfs-mark-it-as-broken.patch
-bugfix/x86/x86-mmio-Disable-KVM-mitigation-when-X86_FEATURE_CLE.patch
-bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch
-bugfix/x86/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch
-bugfix/x86/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch