1fb3bd914SBorislav Petkov (AMD).. SPDX-License-Identifier: GPL-2.0 2fb3bd914SBorislav Petkov (AMD) 3fb3bd914SBorislav Petkov (AMD)Speculative Return Stack Overflow (SRSO) 4fb3bd914SBorislav Petkov (AMD)======================================== 5fb3bd914SBorislav Petkov (AMD) 6fb3bd914SBorislav Petkov (AMD)This is a mitigation for the speculative return stack overflow (SRSO) 7fb3bd914SBorislav Petkov (AMD)vulnerability found on AMD processors. The mechanism is by now the well 8fb3bd914SBorislav Petkov (AMD)known scenario of poisoning CPU functional units - the Branch Target 9fb3bd914SBorislav Petkov (AMD)Buffer (BTB) and Return Address Predictor (RAP) in this case - and then 10fb3bd914SBorislav Petkov (AMD)tricking the elevated privilege domain (the kernel) into leaking 11fb3bd914SBorislav Petkov (AMD)sensitive data. 12fb3bd914SBorislav Petkov (AMD) 13fb3bd914SBorislav Petkov (AMD)AMD CPUs predict RET instructions using a Return Address Predictor (aka 14fb3bd914SBorislav Petkov (AMD)Return Address Stack/Return Stack Buffer). In some cases, a non-architectural 15fb3bd914SBorislav Petkov (AMD)CALL instruction (i.e., an instruction predicted to be a CALL but is 16fb3bd914SBorislav Petkov (AMD)not actually a CALL) can create an entry in the RAP which may be used 17fb3bd914SBorislav Petkov (AMD)to predict the target of a subsequent RET instruction. 18fb3bd914SBorislav Petkov (AMD) 19fb3bd914SBorislav Petkov (AMD)The specific circumstances that lead to this varies by microarchitecture 20fb3bd914SBorislav Petkov (AMD)but the concern is that an attacker can mis-train the CPU BTB to predict 21fb3bd914SBorislav Petkov (AMD)non-architectural CALL instructions in kernel space and use this to 22fb3bd914SBorislav Petkov (AMD)control the speculative target of a subsequent kernel RET, potentially 23fb3bd914SBorislav Petkov (AMD)leading to information disclosure via a speculative side-channel. 24fb3bd914SBorislav Petkov (AMD) 25fb3bd914SBorislav Petkov (AMD)The issue is tracked under CVE-2023-20569. 26fb3bd914SBorislav Petkov (AMD) 27fb3bd914SBorislav Petkov (AMD)Affected processors 28fb3bd914SBorislav Petkov (AMD)------------------- 29fb3bd914SBorislav Petkov (AMD) 30fb3bd914SBorislav Petkov (AMD)AMD Zen, generations 1-4. That is, all families 0x17 and 0x19. Older 31fb3bd914SBorislav Petkov (AMD)processors have not been investigated. 32fb3bd914SBorislav Petkov (AMD) 33fb3bd914SBorislav Petkov (AMD)System information and options 34fb3bd914SBorislav Petkov (AMD)------------------------------ 35fb3bd914SBorislav Petkov (AMD) 36fb3bd914SBorislav Petkov (AMD)First of all, it is required that the latest microcode be loaded for 37fb3bd914SBorislav Petkov (AMD)mitigations to be effective. 38fb3bd914SBorislav Petkov (AMD) 39fb3bd914SBorislav Petkov (AMD)The sysfs file showing SRSO mitigation status is: 40fb3bd914SBorislav Petkov (AMD) 41fb3bd914SBorislav Petkov (AMD) /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow 42fb3bd914SBorislav Petkov (AMD) 43fb3bd914SBorislav Petkov (AMD)The possible values in this file are: 44fb3bd914SBorislav Petkov (AMD) 4509f9f37cSBorislav Petkov (AMD) * 'Not affected': 46fb3bd914SBorislav Petkov (AMD) 4709f9f37cSBorislav Petkov (AMD) The processor is not vulnerable 48fb3bd914SBorislav Petkov (AMD) 49dc6306adSJosh Poimboeuf* 'Vulnerable': 50dc6306adSJosh Poimboeuf 51dc6306adSJosh Poimboeuf The processor is vulnerable and no mitigations have been applied. 52dc6306adSJosh Poimboeuf 53dc6306adSJosh Poimboeuf * 'Vulnerable: No microcode': 5409f9f37cSBorislav Petkov (AMD) 5509f9f37cSBorislav Petkov (AMD) The processor is vulnerable, no microcode extending IBPB 5609f9f37cSBorislav Petkov (AMD) functionality to address the vulnerability has been applied. 5709f9f37cSBorislav Petkov (AMD) 58dc6306adSJosh Poimboeuf * 'Vulnerable: Safe RET, no microcode': 59dc6306adSJosh Poimboeuf 60dc6306adSJosh Poimboeuf The "Safe RET" mitigation (see below) has been applied to protect the 61dc6306adSJosh Poimboeuf kernel, but the IBPB-extending microcode has not been applied. User 62dc6306adSJosh Poimboeuf space tasks may still be vulnerable. 63dc6306adSJosh Poimboeuf 64dc6306adSJosh Poimboeuf * 'Vulnerable: Microcode, no safe RET': 6509f9f37cSBorislav Petkov (AMD) 6609f9f37cSBorislav Petkov (AMD) Extended IBPB functionality microcode patch has been applied. It does 6709f9f37cSBorislav Petkov (AMD) not address User->Kernel and Guest->Host transitions protection but it 6809f9f37cSBorislav Petkov (AMD) does address User->User and VM->VM attack vectors. 6909f9f37cSBorislav Petkov (AMD) 7009f9f37cSBorislav Petkov (AMD) Note that User->User mitigation is controlled by how the IBPB aspect in 7109f9f37cSBorislav Petkov (AMD) the Spectre v2 mitigation is selected: 7209f9f37cSBorislav Petkov (AMD) 7309f9f37cSBorislav Petkov (AMD) * conditional IBPB: 7409f9f37cSBorislav Petkov (AMD) 7509f9f37cSBorislav Petkov (AMD) where each process can select whether it needs an IBPB issued 7609f9f37cSBorislav Petkov (AMD) around it PR_SPEC_DISABLE/_ENABLE etc, see :doc:`spectre` 7709f9f37cSBorislav Petkov (AMD) 7809f9f37cSBorislav Petkov (AMD) * strict: 7909f9f37cSBorislav Petkov (AMD) 8009f9f37cSBorislav Petkov (AMD) i.e., always on - by supplying spectre_v2_user=on on the kernel 8109f9f37cSBorislav Petkov (AMD) command line 82fb3bd914SBorislav Petkov (AMD) 83fb3bd914SBorislav Petkov (AMD) (spec_rstack_overflow=microcode) 84fb3bd914SBorislav Petkov (AMD) 85dc6306adSJosh Poimboeuf * 'Mitigation: Safe RET': 86fb3bd914SBorislav Petkov (AMD) 87dc6306adSJosh Poimboeuf Combined microcode/software mitigation. It complements the 88dc6306adSJosh Poimboeuf extended IBPB microcode patch functionality by addressing 89dc6306adSJosh Poimboeuf User->Kernel and Guest->Host transitions protection. 90fb3bd914SBorislav Petkov (AMD) 9109f9f37cSBorislav Petkov (AMD) Selected by default or by spec_rstack_overflow=safe-ret 9209f9f37cSBorislav Petkov (AMD) 9309f9f37cSBorislav Petkov (AMD) * 'Mitigation: IBPB': 9409f9f37cSBorislav Petkov (AMD) 9509f9f37cSBorislav Petkov (AMD) Similar protection as "safe RET" above but employs an IBPB barrier on 9609f9f37cSBorislav Petkov (AMD) privilege domain crossings (User->Kernel, Guest->Host). 97fb3bd914SBorislav Petkov (AMD) 98fb3bd914SBorislav Petkov (AMD) (spec_rstack_overflow=ibpb) 99fb3bd914SBorislav Petkov (AMD) 10009f9f37cSBorislav Petkov (AMD) * 'Mitigation: IBPB on VMEXIT': 10109f9f37cSBorislav Petkov (AMD) 10209f9f37cSBorislav Petkov (AMD) Mitigation addressing the cloud provider scenario - the Guest->Host 10309f9f37cSBorislav Petkov (AMD) transitions only. 104fb3bd914SBorislav Petkov (AMD) 105fb3bd914SBorislav Petkov (AMD) (spec_rstack_overflow=ibpb-vmexit) 106fb3bd914SBorislav Petkov (AMD) 107*8442df2bSBorislav Petkov * 'Mitigation: Reduced Speculation': 10809f9f37cSBorislav Petkov (AMD) 109*8442df2bSBorislav Petkov This mitigation gets automatically enabled when the above one "IBPB on 110*8442df2bSBorislav Petkov VMEXIT" has been selected and the CPU supports the BpSpecReduce bit. 111*8442df2bSBorislav Petkov 112*8442df2bSBorislav Petkov It gets automatically enabled on machines which have the 113*8442df2bSBorislav Petkov SRSO_USER_KERNEL_NO=1 CPUID bit. In that case, the code logic is to switch 114*8442df2bSBorislav Petkov to the above =ibpb-vmexit mitigation because the user/kernel boundary is 115*8442df2bSBorislav Petkov not affected anymore and thus "safe RET" is not needed. 116*8442df2bSBorislav Petkov 117*8442df2bSBorislav Petkov After enabling the IBPB on VMEXIT mitigation option, the BpSpecReduce bit 118*8442df2bSBorislav Petkov is detected (functionality present on all such machines) and that 119*8442df2bSBorislav Petkov practically overrides IBPB on VMEXIT as it has a lot less performance 120*8442df2bSBorislav Petkov impact and takes care of the guest->host attack vector too. 12109f9f37cSBorislav Petkov (AMD) 122fb3bd914SBorislav Petkov (AMD)In order to exploit vulnerability, an attacker needs to: 123fb3bd914SBorislav Petkov (AMD) 124fb3bd914SBorislav Petkov (AMD) - gain local access on the machine 125fb3bd914SBorislav Petkov (AMD) 126fb3bd914SBorislav Petkov (AMD) - break kASLR 127fb3bd914SBorislav Petkov (AMD) 128fb3bd914SBorislav Petkov (AMD) - find gadgets in the running kernel in order to use them in the exploit 129fb3bd914SBorislav Petkov (AMD) 130fb3bd914SBorislav Petkov (AMD) - potentially create and pin an additional workload on the sibling 131fb3bd914SBorislav Petkov (AMD) thread, depending on the microarchitecture (not necessary on fam 0x19) 132fb3bd914SBorislav Petkov (AMD) 133fb3bd914SBorislav Petkov (AMD) - run the exploit 134fb3bd914SBorislav Petkov (AMD) 135fb3bd914SBorislav Petkov (AMD)Considering the performance implications of each mitigation type, the 136fb3bd914SBorislav Petkov (AMD)default one is 'Mitigation: safe RET' which should take care of most 137fb3bd914SBorislav Petkov (AMD)attack vectors, including the local User->Kernel one. 138fb3bd914SBorislav Petkov (AMD) 139fb3bd914SBorislav Petkov (AMD)As always, the user is advised to keep her/his system up-to-date by 140fb3bd914SBorislav Petkov (AMD)applying software updates regularly. 141fb3bd914SBorislav Petkov (AMD) 142fb3bd914SBorislav Petkov (AMD)The default setting will be reevaluated when needed and especially when 143fb3bd914SBorislav Petkov (AMD)new attack vectors appear. 144fb3bd914SBorislav Petkov (AMD) 145fb3bd914SBorislav Petkov (AMD)As one can surmise, 'Mitigation: safe RET' does come at the cost of some 146fb3bd914SBorislav Petkov (AMD)performance depending on the workload. If one trusts her/his userspace 147fb3bd914SBorislav Petkov (AMD)and does not want to suffer the performance impact, one can always 148fb3bd914SBorislav Petkov (AMD)disable the mitigation with spec_rstack_overflow=off. 149fb3bd914SBorislav Petkov (AMD) 150fb3bd914SBorislav Petkov (AMD)Similarly, 'Mitigation: IBPB' is another full mitigation type employing 151da51bbcdSRemington Brasgaan indirect branch prediction barrier after having applied the required 152fb3bd914SBorislav Petkov (AMD)microcode patch for one's system. This mitigation comes also at 153fb3bd914SBorislav Petkov (AMD)a performance cost. 154fb3bd914SBorislav Petkov (AMD) 155dc6306adSJosh PoimboeufMitigation: Safe RET 156fb3bd914SBorislav Petkov (AMD)-------------------- 157fb3bd914SBorislav Petkov (AMD) 158fb3bd914SBorislav Petkov (AMD)The mitigation works by ensuring all RET instructions speculate to 159fb3bd914SBorislav Petkov (AMD)a controlled location, similar to how speculation is controlled in the 160fb3bd914SBorislav Petkov (AMD)retpoline sequence. To accomplish this, the __x86_return_thunk forces 161fb3bd914SBorislav Petkov (AMD)the CPU to mispredict every function return using a 'safe return' 162fb3bd914SBorislav Petkov (AMD)sequence. 163fb3bd914SBorislav Petkov (AMD) 164fb3bd914SBorislav Petkov (AMD)To ensure the safety of this mitigation, the kernel must ensure that the 165fb3bd914SBorislav Petkov (AMD)safe return sequence is itself free from attacker interference. In Zen3 166fb3bd914SBorislav Petkov (AMD)and Zen4, this is accomplished by creating a BTB alias between the 16742be649dSPeter Zijlstrauntraining function srso_alias_untrain_ret() and the safe return 16842be649dSPeter Zijlstrafunction srso_alias_safe_ret() which results in evicting a potentially 169fb3bd914SBorislav Petkov (AMD)poisoned BTB entry and using that safe one for all function returns. 170fb3bd914SBorislav Petkov (AMD) 171fb3bd914SBorislav Petkov (AMD)In older Zen1 and Zen2, this is accomplished using a reinterpretation 172fb3bd914SBorislav Petkov (AMD)technique similar to Retbleed one: srso_untrain_ret() and 173fb3bd914SBorislav Petkov (AMD)srso_safe_ret(). 17440153505SBorislav Petkov (AMD) 17540153505SBorislav Petkov (AMD)Checking the safe RET mitigation actually works 17640153505SBorislav Petkov (AMD)----------------------------------------------- 17740153505SBorislav Petkov (AMD) 17840153505SBorislav Petkov (AMD)In case one wants to validate whether the SRSO safe RET mitigation works 17940153505SBorislav Petkov (AMD)on a kernel, one could use two performance counters 18040153505SBorislav Petkov (AMD) 18140153505SBorislav Petkov (AMD)* PMC_0xc8 - Count of RET/RET lw retired 18240153505SBorislav Petkov (AMD)* PMC_0xc9 - Count of RET/RET lw retired mispredicted 18340153505SBorislav Petkov (AMD) 18440153505SBorislav Petkov (AMD)and compare the number of RETs retired properly vs those retired 18540153505SBorislav Petkov (AMD)mispredicted, in kernel mode. Another way of specifying those events 18640153505SBorislav Petkov (AMD)is:: 18740153505SBorislav Petkov (AMD) 18840153505SBorislav Petkov (AMD) # perf list ex_ret_near_ret 18940153505SBorislav Petkov (AMD) 19040153505SBorislav Petkov (AMD) List of pre-defined events (to be used in -e or -M): 19140153505SBorislav Petkov (AMD) 19240153505SBorislav Petkov (AMD) core: 19340153505SBorislav Petkov (AMD) ex_ret_near_ret 19440153505SBorislav Petkov (AMD) [Retired Near Returns] 19540153505SBorislav Petkov (AMD) ex_ret_near_ret_mispred 19640153505SBorislav Petkov (AMD) [Retired Near Returns Mispredicted] 19740153505SBorislav Petkov (AMD) 19840153505SBorislav Petkov (AMD)Either the command using the event mnemonics:: 19940153505SBorislav Petkov (AMD) 20040153505SBorislav Petkov (AMD) # perf stat -e ex_ret_near_ret:k -e ex_ret_near_ret_mispred:k sleep 10s 20140153505SBorislav Petkov (AMD) 20240153505SBorislav Petkov (AMD)or using the raw PMC numbers:: 20340153505SBorislav Petkov (AMD) 20440153505SBorislav Petkov (AMD) # perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,umask=0/k sleep 10s 20540153505SBorislav Petkov (AMD) 20640153505SBorislav Petkov (AMD)should give the same amount. I.e., every RET retired should be 20740153505SBorislav Petkov (AMD)mispredicted:: 20840153505SBorislav Petkov (AMD) 20940153505SBorislav Petkov (AMD) [root@brent: ~/kernel/linux/tools/perf> ./perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,umask=0/k sleep 10s 21040153505SBorislav Petkov (AMD) 21140153505SBorislav Petkov (AMD) Performance counter stats for 'sleep 10s': 21240153505SBorislav Petkov (AMD) 21340153505SBorislav Petkov (AMD) 137,167 cpu/event=0xc8,umask=0/k 21440153505SBorislav Petkov (AMD) 137,173 cpu/event=0xc9,umask=0/k 21540153505SBorislav Petkov (AMD) 21640153505SBorislav Petkov (AMD) 10.004110303 seconds time elapsed 21740153505SBorislav Petkov (AMD) 21840153505SBorislav Petkov (AMD) 0.000000000 seconds user 21940153505SBorislav Petkov (AMD) 0.004462000 seconds sys 22040153505SBorislav Petkov (AMD) 22140153505SBorislav Petkov (AMD)vs the case when the mitigation is disabled (spec_rstack_overflow=off) 22240153505SBorislav Petkov (AMD)or not functioning properly, showing usually a lot smaller number of 22340153505SBorislav Petkov (AMD)mispredicted retired RETs vs the overall count of retired RETs during 22440153505SBorislav Petkov (AMD)a workload:: 22540153505SBorislav Petkov (AMD) 22640153505SBorislav Petkov (AMD) [root@brent: ~/kernel/linux/tools/perf> ./perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,umask=0/k sleep 10s 22740153505SBorislav Petkov (AMD) 22840153505SBorislav Petkov (AMD) Performance counter stats for 'sleep 10s': 22940153505SBorislav Petkov (AMD) 23040153505SBorislav Petkov (AMD) 201,627 cpu/event=0xc8,umask=0/k 23140153505SBorislav Petkov (AMD) 4,074 cpu/event=0xc9,umask=0/k 23240153505SBorislav Petkov (AMD) 23340153505SBorislav Petkov (AMD) 10.003267252 seconds time elapsed 23440153505SBorislav Petkov (AMD) 23540153505SBorislav Petkov (AMD) 0.002729000 seconds user 23640153505SBorislav Petkov (AMD) 0.000000000 seconds sys 23740153505SBorislav Petkov (AMD) 23840153505SBorislav Petkov (AMD)Also, there is a selftest which performs the above, go to 23940153505SBorislav Petkov (AMD)tools/testing/selftests/x86/ and do:: 24040153505SBorislav Petkov (AMD) 24140153505SBorislav Petkov (AMD) make srso 24240153505SBorislav Petkov (AMD) ./srso 243