linux-azure: Enable FSGSBASE instructions to support SGX

Bug #1877425 reported by Marcelo Cerri
This bug affects 1 person
Affects                   | Status       | Importance | Assigned to   | Milestone
linux-azure (Ubuntu)      | Fix Released | Undecided  | Marcelo Cerri |
  Bionic                  | Invalid      | Undecided  | Unassigned    |
  Eoan                    | Fix Released | Undecided  | Unassigned    |
  Focal                   | Fix Released | Undecided  | Unassigned    |
  Groovy                  | Fix Released | Undecided  | Marcelo Cerri |
linux-azure-4.15 (Ubuntu) | Invalid      | Undecided  | Unassigned    |
  Bionic                  | Fix Released | Undecided  | Unassigned    |
  Eoan                    | Invalid      | Undecided  | Unassigned    |
  Focal                   | Invalid      | Undecided  | Unassigned    |
  Groovy                  | Invalid      | Undecided  | Unassigned    |

Bug Description

X86 has instructions (RDFSBASE, RDGSBASE, WRFSBASE, and WRGSBASE) to support read/write of the FS/GS bases. Linux doesn't allow user mode code to execute these instructions by default. These instructions can be enabled for user mode by setting the 16th control bit of the CR4 register. Since only protected mode can modify the control registers, application programs and operating-system procedures (running at privilege levels 1, 2, or 3) are prevented from reading or loading the control registers. The kernel patch sets this CR4 register and handles the context switching to account for the fact that user mode can now modify the FS/GS base.

A recent news article that talks about the performance benefits: https://phoronix.com/scan.php?page=news_item&px=Intel-FSGSBASE-Linux-2020. Another news article covers the performance information in a lot more detail by running a number of performance tests: https://www.phoronix.com/scan.php?page=article&item=linux-wip-fsgsbase&num=1

Patch set: https://lkml.org/lkml/2019/10/4/725
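
An added example, not part of the bug report or the kernel patch set: a C check that separates CPU support (CPUID) from kernel enablement (the AT_HWCAP2 bit introduced by the "Enumerate kernel FSGSBASE capability in AT_HWCAP2" patch in the changelogs below) before executing RDFSBASE. The function names are illustrative, and the fallback value of HWCAP2_FSGSBASE (bit 1) is the one in the upstream kernel's uapi header.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/auxv.h>        /* getauxval(), AT_HWCAP2 */
#if defined(__x86_64__)
#include <cpuid.h>           /* __get_cpuid_count() */
#include <unistd.h>          /* syscall() */
#include <sys/syscall.h>     /* SYS_arch_prctl */
#include <asm/prctl.h>       /* ARCH_GET_FS */
#endif
/* AT_HWCAP2 bit the kernel sets once CR4.FSGSBASE is on (uapi asm/hwcap2.h). */
#ifndef HWCAP2_FSGSBASE
#define HWCAP2_FSGSBASE (1UL << 1)
#endif

/* Pure helper: does an AT_HWCAP2 word advertise user-mode FSGSBASE? */
int hwcap2_has_fsgsbase(unsigned long hwcap2)
{
    return (hwcap2 & HWCAP2_FSGSBASE) != 0;
}

/* CPUID.(EAX=7,ECX=0):EBX bit 0: the CPU implements the instructions. */
int cpu_has_fsgsbase(void)
{
#if defined(__x86_64__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return (int)(ebx & 1u);
#endif
    return 0;
}

/* What the running kernel permits in user mode, not what the CPU could do.
 * The CPU test comes first so the bit is never misread on non-x86 builds. */
int kernel_enabled_fsgsbase(void)
{
    return cpu_has_fsgsbase() && hwcap2_has_fsgsbase(getauxval(AT_HWCAP2));
}

/* 1: RDFSBASE matches arch_prctl(ARCH_GET_FS); 0: mismatch; -1: not checked.
 * RDFSBASE is only executed when the kernel advertises it, because with
 * CR4.FSGSBASE clear it raises #UD and the process dies with SIGILL. */
int fsbase_check(void)
{
#if defined(__x86_64__)
    unsigned long from_insn = 0, from_syscall = 0;
    if (!kernel_enabled_fsgsbase() ||
        syscall(SYS_arch_prctl, ARCH_GET_FS, &from_syscall) != 0)
        return -1;
    __asm__ volatile("rdfsbase %0" : "=r"(from_insn));
    return from_insn == from_syscall;
#else
    return -1;
#endif
}

int main(void)
{
    printf("cpu=%d kernel=%d rdfsbase_check=%d\n", cpu_has_fsgsbase(),
           kernel_enabled_fsgsbase(), fsbase_check());
    return 0;
}
```

A result of `cpu=1 kernel=0` is the state this bug describes: the hardware has the instructions, but the kernel has not set CR4.FSGSBASE, so user-mode code such as an SGX runtime cannot use them.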


Marcelo Cerri (mhcerri)
Changed in linux-azure (Ubuntu Bionic):
status: New → Invalid
Changed in linux-azure-4.15 (Ubuntu Eoan):
status: New → Invalid
Changed in linux-azure-4.15 (Ubuntu Focal):
status: New → Invalid
Changed in linux-azure (Ubuntu Eoan):
status: New → In Progress
Changed in linux-azure (Ubuntu Focal):
status: New → In Progress
Changed in linux-azure-4.15 (Ubuntu):
status: New → In Progress
Changed in linux-azure-4.15 (Ubuntu Bionic):
status: New → In Progress
Changed in linux-azure (Ubuntu Eoan):
status: In Progress → Fix Committed
Marcelo Cerri (mhcerri)
Changed in linux-azure (Ubuntu Focal):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 5.4.0-1016.16

---------------
linux-azure (5.4.0-1016.16) focal; urgency=medium

  [ Ubuntu: 5.4.0-37.41 ]

  * CVE-2020-0543
    - SAUCE: x86/speculation/spectre_v2: Exclude Zhaoxin CPUs from SPECTRE_V2
    - SAUCE: x86/cpu: Add a steppings field to struct x86_cpu_id
    - SAUCE: x86/cpu: Add 'table' argument to cpu_matches()
    - SAUCE: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
      mitigation
    - SAUCE: x86/speculation: Add SRBDS vulnerability and mitigation documentation
    - SAUCE: x86/speculation: Add Ivy Bridge to affected list

linux-azure (5.4.0-1013.13) focal; urgency=medium

  * focal/linux-azure: 5.4.0-1013.13 -proposed tracker (LP: #1878793)

  * Add support for Ambiq micro AM1805 RTC chip (LP: #1876667)
    - SAUCE: rtc: add am-1805 RTC driver

  * linux-azure: Enable FSGSBASE instructions to support SGX (LP: #1877425)
    - SAUCE: x86/ptrace: Prevent ptrace from clearing the FS/GS selector
    - SAUCE: selftests/x86/fsgsbase: Test GS selector on ptracer-induced GS base
      write
    - SAUCE: x86/cpu: Add 'unsafe_fsgsbase' to enable CR4.FSGSBASE
    - SAUCE: x86/entry/64: Clean up paranoid exit
    - SAUCE: x86/entry/64: Switch CR3 before SWAPGS in paranoid entry
    - SAUCE: x86/entry/64: Introduce the FIND_PERCPU_BASE macro
    - SAUCE: x86/entry/64: Handle FSGSBASE enabled paranoid entry/exit
    - SAUCE: x86/entry/64: Document GSBASE handling in the paranoid path
    - SAUCE: x86/fsgsbase/64: Add intrinsics for FSGSBASE instructions
    - SAUCE: x86/fsgsbase/64: Enable FSGSBASE instructions in helper functions
    - SAUCE: x86/fsgsbase/64: Use FSGSBASE in switch_to() if available
    - SAUCE: x86/fsgsbase/64: Use FSGSBASE instructions on thread copy and ptrace
    - SAUCE: x86/speculation/swapgs: Check FSGSBASE in enabling SWAPGS mitigation
    - SAUCE: selftests/x86/fsgsbase: Test ptracer-induced GS base write with
      FSGSBASE
    - SAUCE: x86/fsgsbase/64: Enable FSGSBASE on 64bit by default and add a
      chicken bit
    - SAUCE: x86/elf: Enumerate kernel FSGSBASE capability in AT_HWCAP2
    - SAUCE: Documentation/x86/64: Add documentation for GS/FS addressing mode

  * rtkit-daemon[*]: Failed to make ourselves RT: Operation not permitted after
    upgrade to 20.04 (LP: #1875665)
    - [Config] Turn off CONFIG_RT_GROUP_SCHED

  [ Ubuntu: 5.4.0-34.38 ]

  * focal/linux: 5.4.0-34.38 -proposed tracker (LP: #1880118)
  * debian/scripts/file-downloader does not handle positive failures correctly
    (LP: #1878897)
    - [Packaging] file-downloader not handling positive failures correctly
  * Focal update: v5.4.41 upstream stable release (LP: #1878649)
    - USB: serial: qcserial: Add DW5816e support
    - nvme: refactor nvme_identify_ns_descs error handling
    - nvme: fix possible hang when ns scanning fails during error recovery
    - tracing/kprobes: Fix a double initialization typo
    - net: macb: Fix runtime PM refcounting
    - drm/amdgpu: move kfd suspend after ip_suspend_phase1
    - drm/amdgpu: drop redundant cg/pg ungate on runpm enter
    - vt: fix unicode console freeing with a common interface
    - tty: xilinx_uartps: Fix missing...

Changed in linux-azure (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 5.3.0-1028.29

---------------
linux-azure (5.3.0-1028.29) eoan; urgency=medium

  [ Ubuntu: 5.3.0-59.53 ]

  * CVE-2020-0543
    - SAUCE: x86/speculation/spectre_v2: Exclude Zhaoxin CPUs from SPECTRE_V2
    - SAUCE: x86/cpu: Add a steppings field to struct x86_cpu_id
    - SAUCE: x86/cpu: Add 'table' argument to cpu_matches()
    - SAUCE: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
      mitigation
    - SAUCE: x86/speculation: Add SRBDS vulnerability and mitigation documentation
    - SAUCE: x86/speculation: Add Ivy Bridge to affected list

linux-azure (5.3.0-1023.24) eoan; urgency=medium

  * eoan/linux-azure: 5.3.0-1023.24 -proposed tracker (LP: #1878809)

  * Build and ship a signed wireguard.ko (LP: #1861284)
    - [Config] azure: wireguard -- enable on all architectures

  * linux-azure: Enable FSGSBASE instructions to support SGX (LP: #1877425)
    - SAUCE: x86/ptrace: Prevent ptrace from clearing the FS/GS selector
    - SAUCE: selftests/x86/fsgsbase: Test GS selector on ptracer-induced GS base
      write
    - SAUCE: x86/cpu: Add 'unsafe_fsgsbase' to enable CR4.FSGSBASE
    - SAUCE: x86/entry/64: Clean up paranoid exit
    - SAUCE: x86/entry/64: Switch CR3 before SWAPGS in paranoid entry
    - SAUCE: x86/entry/64: Introduce the FIND_PERCPU_BASE macro
    - SAUCE: x86/entry/64: Handle FSGSBASE enabled paranoid entry/exit
    - SAUCE: x86/entry/64: Document GSBASE handling in the paranoid path
    - SAUCE: x86/fsgsbase/64: Add intrinsics for FSGSBASE instructions
    - SAUCE: x86/fsgsbase/64: Enable FSGSBASE instructions in helper functions
    - SAUCE: x86/fsgsbase/64: Use FSGSBASE in switch_to() if available
    - SAUCE: x86/fsgsbase/64: Use FSGSBASE instructions on thread copy and ptrace
    - SAUCE: x86/speculation/swapgs: Check FSGSBASE in enabling SWAPGS mitigation
    - SAUCE: selftests/x86/fsgsbase: Test ptracer-induced GS base write with
      FSGSBASE
    - SAUCE: x86/fsgsbase/64: Enable FSGSBASE on 64bit by default and add a
      chicken bit
    - SAUCE: x86/elf: Enumerate kernel FSGSBASE capability in AT_HWCAP2
    - SAUCE: Documentation/x86/64: Add documentation for GS/FS addressing mode

  [ Ubuntu: 5.3.0-56.50 ]

  * eoan/linux: 5.3.0-56.50 -proposed tracker (LP: #1880111)
  * Build and ship a signed wireguard.ko (LP: #1861284)
    - [Packaging] wireguard -- add support for building signed .ko
    - [Config] wireguard -- enable on all architectures
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * debian/scripts/file-downloader does not handle positive failures correctly
    (LP: #1878897)
    - [Packaging] file-downloader not handling positive failures correctly
  * Killer(R) Wi-Fi 6 AX1650i 160MHz Wireless Network Adapter (201NGW),
    REV=0x354 [8086:a0f0] subsystem id [1a56:1651] wireless adapter not found
    due to firmware crash (LP: #1874685)
    - iwlwifi: pcie: handle QuZ configs with killer NICs as well
  * CVE-2020-12114
    - propagate_one(): mnt_set_mountpoint() needs mount_lock
  * Eoan update: upstream stable patchset 2020-05-11 (LP: #1878073)
    - ext4: fix extent_status fragmentation for plain files
    -...

Changed in linux-azure (Ubuntu Eoan):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure-4.15 - 4.15.0-1089.99

---------------
linux-azure-4.15 (4.15.0-1089.99) bionic; urgency=medium

  [ Ubuntu: 4.15.0-106.107 ]

  * CVE-2020-0543
    - SAUCE: x86/cpu: Add a steppings field to struct x86_cpu_id
    - SAUCE: x86/cpu: Add 'table' argument to cpu_matches()
    - SAUCE: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
      mitigation
    - SAUCE: x86/speculation: Add SRBDS vulnerability and mitigation documentation
    - SAUCE: x86/speculation: Add Ivy Bridge to affected list

  [ Ubuntu: 4.15.0-103.104 ]

  * bionic/linux: 4.15.0-103.104 -proposed tracker (LP: #1881272)
  * "BUG: unable to handle kernel paging request" when testing
    ubuntu_kvm_smoke_test.kvm_smoke_test with B-KVM in proposed (LP: #1881072)
    - KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs
    - KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()'s asm blob

linux-azure-4.15 (4.15.0-1084.94) bionic; urgency=medium

  * bionic/linux-azure-4.15: 4.15.0-1084.94 -proposed tracker (LP: #1878842)

  * Add support for Ambiq micro AM1805 RTC chip (LP: #1876667)
    - SAUCE: rtc: add am-1805 RTC driver

  * linux-azure: Enable FSGSBASE instructions to support SGX (LP: #1877425)
    - x86/entry: Add some paranoid entry/exit CR3 handling comments
    - x86/entry/64: Further improve paranoid_entry comments
    - x86/fsgsbase/64: Introduce FS/GS base helper functions
    - x86/fsgsbase/64: Make ptrace use the new FS/GS base helpers
    - x86/fsgsbase/64: Factor out FS/GS segment loading from __switch_to()
    - x86/segments/64: Rename the GDT PER_CPU entry to CPU_NUMBER
    - x86/vdso: Introduce helper functions for CPU and node number
    - x86/vdso: Initialize the CPU/node NR segment descriptor earlier
    - x86/segments: Introduce the 'CPUNODE' naming to better document the segment
      limit CPU/node NR trick
    - x86/fsgsbase/64: Clean up various details
    - x86/fsgsbase/64: Fix the base write helper functions
    - selftests/x86/fsgsbase: Test ptracer-induced GSBASE write
    - selftests/x86/fsgsbase: Test RD/WRGSBASE
    - selftests/x86/fsgsbase: Test ptracer-induced GSBASE write with FSGSBASE
    - selftests/x86/fsgsbase: Fix some test case bugs
    - Revert "x86/ptrace: Prevent ptrace from clearing the FS/GS selector" and fix
      the test
    - SAUCE: x86/ptrace: Prevent ptrace from clearing the FS/GS selector
    - SAUCE: selftests/x86/fsgsbase: Test GS selector on ptracer-induced GS base
      write
    - SAUCE: x86/cpu: Add 'unsafe_fsgsbase' to enable CR4.FSGSBASE
    - SAUCE: x86/entry/64: Clean up paranoid exit
    - SAUCE: x86/entry/64: Switch CR3 before SWAPGS in paranoid entry
    - SAUCE: x86/entry/64: Introduce the FIND_PERCPU_BASE macro
    - SAUCE: x86/entry/64: Handle FSGSBASE enabled paranoid entry/exit
    - SAUCE: x86/fsgsbase/64: Add intrinsics for FSGSBASE instructions
    - SAUCE: x86/fsgsbase/64: Enable FSGSBASE instructions in helper functions
    - SAUCE: x86/fsgsbase/64: Use FSGSBASE in switch_to() if available
    - SAUCE: x86/fsgsbase/64: Use FSGSBASE instructions on thread copy and ptrace
    - SAUCE: x86/speculation/swapgs: Check ...

Changed in linux-azure-4.15 (Ubuntu Bionic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 4.15.0-1089.99~16.04.1

---------------
linux-azure (4.15.0-1089.99~16.04.1) xenial; urgency=medium

  [ Ubuntu: 4.15.0-1089.99 ]

  * CVE-2020-0543
    - SAUCE: x86/cpu: Add a steppings field to struct x86_cpu_id
    - SAUCE: x86/cpu: Add 'table' argument to cpu_matches()
    - SAUCE: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
      mitigation
    - SAUCE: x86/speculation: Add SRBDS vulnerability and mitigation documentation
    - SAUCE: x86/speculation: Add Ivy Bridge to affected list
  * bionic/linux: 4.15.0-103.104 -proposed tracker (LP: #1881272)
  * "BUG: unable to handle kernel paging request" when testing
    ubuntu_kvm_smoke_test.kvm_smoke_test with B-KVM in proposed (LP: #1881072)
    - KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs
    - KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()'s asm blob

linux-azure (4.15.0-1084.94~16.04.1) xenial; urgency=medium

  * xenial/linux-azure: 4.15.0-1084.94~16.04.1 -proposed tracker (LP: #1878840)

  [ Ubuntu: 4.15.0-1084.94 ]

  * bionic/linux-azure-4.15: 4.15.0-1084.94 -proposed tracker (LP: #1878842)
  * Add support for Ambiq micro AM1805 RTC chip (LP: #1876667)
    - SAUCE: rtc: add am-1805 RTC driver
  * linux-azure: Enable FSGSBASE instructions to support SGX (LP: #1877425)
    - x86/entry: Add some paranoid entry/exit CR3 handling comments
    - x86/entry/64: Further improve paranoid_entry comments
    - x86/fsgsbase/64: Introduce FS/GS base helper functions
    - x86/fsgsbase/64: Make ptrace use the new FS/GS base helpers
    - x86/fsgsbase/64: Factor out FS/GS segment loading from __switch_to()
    - x86/segments/64: Rename the GDT PER_CPU entry to CPU_NUMBER
    - x86/vdso: Introduce helper functions for CPU and node number
    - x86/vdso: Initialize the CPU/node NR segment descriptor earlier
    - x86/segments: Introduce the 'CPUNODE' naming to better document the segment
      limit CPU/node NR trick
    - x86/fsgsbase/64: Clean up various details
    - x86/fsgsbase/64: Fix the base write helper functions
    - selftests/x86/fsgsbase: Test ptracer-induced GSBASE write
    - selftests/x86/fsgsbase: Test RD/WRGSBASE
    - selftests/x86/fsgsbase: Test ptracer-induced GSBASE write with FSGSBASE
    - selftests/x86/fsgsbase: Fix some test case bugs
    - Revert "x86/ptrace: Prevent ptrace from clearing the FS/GS selector" and fix
      the test
    - SAUCE: x86/ptrace: Prevent ptrace from clearing the FS/GS selector
    - SAUCE: selftests/x86/fsgsbase: Test GS selector on ptracer-induced GS base
      write
    - SAUCE: x86/cpu: Add 'unsafe_fsgsbase' to enable CR4.FSGSBASE
    - SAUCE: x86/entry/64: Clean up paranoid exit
    - SAUCE: x86/entry/64: Switch CR3 before SWAPGS in paranoid entry
    - SAUCE: x86/entry/64: Introduce the FIND_PERCPU_BASE macro
    - SAUCE: x86/entry/64: Handle FSGSBASE enabled paranoid entry/exit
    - SAUCE: x86/fsgsbase/64: Add intrinsics for FSGSBASE instructions
    - SAUCE: x86/fsgsbase/64: Enable FSGSBASE instructions in helper functions
    - SAUCE: x86/fsgsbase/64: Use FSGSBASE in switch_to() if available
    - SAUCE: x86/fsgsbase/64: Use FSGS...

Changed in linux-azure (Ubuntu):
status: In Progress → Fix Released
Marcelo Cerri (mhcerri)
Changed in linux-azure-4.15 (Ubuntu Groovy):
status: In Progress → Invalid
Changed in linux-azure (Ubuntu Groovy):
status: Fix Released → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 5.8.0-1007.7

---------------
linux-azure (5.8.0-1007.7) groovy; urgency=medium

  * groovy/linux-azure: 5.8.0-1007.7 -proposed tracker (LP: #1898144)

  * linux-azure: Enable FSGSBASE instructions to support SGX (LP: #1877425)
    - x86/ptrace: Prevent ptrace from clearing the FS/GS selector
    - x86/cpu: Add 'unsafe_fsgsbase' to enable CR4.FSGSBASE
    - x86/fsgsbase/64: Add intrinsics for FSGSBASE instructions
    - x86/fsgsbase/64: Enable FSGSBASE instructions in helper functions
    - x86/process/64: Make save_fsgs_for_kvm() ready for FSGSBASE
    - x86/process/64: Use FSBSBASE in switch_to() if available
    - x86/process/64: Use FSGSBASE instructions on thread copy and ptrace
    - x86/speculation/swapgs: Check FSGSBASE in enabling SWAPGS mitigation
    - x86/entry/64: Switch CR3 before SWAPGS in paranoid entry
    - x86/entry/64: Introduce the FIND_PERCPU_BASE macro
    - x86/entry/64: Handle FSGSBASE enabled paranoid entry/exit
    - x86/cpu: Enable FSGSBASE on 64bit by default and add a chicken bit
    - x86/elf: Enumerate kernel FSGSBASE capability in AT_HWCAP2
    - Documentation/x86/64: Add documentation for GS/FS addressing mode
    - selftests/x86/fsgsbase: Test GS selector on ptracer-induced GS base write
    - selftests/x86/fsgsbase: Test ptracer-induced GS base write with FSGSBASE
    - x86/ptrace: Fix 32-bit PTRACE_SETREGS vs fsbase and gsbase
    - x86/fsgsbase: Fix Xen PV support

  * Miscellaneous Ubuntu changes
    - [Config] GCC version update

  [ Ubuntu: 5.8.0-21.22 ]

  * groovy/linux: 5.8.0-21.22 -proposed tracker (LP: #1898150)
  * Packaging resync (LP: #1786013)
    - update dkms package versions
  * Fix broken e1000e device after S3 (LP: #1897755)
    - SAUCE: e1000e: Increase polling timeout on MDIC ready bit
  * EFA: add support for 0xefa1 devices (LP: #1896791)
    - RDMA/efa: Expose maximum TX doorbell batch
    - RDMA/efa: Expose minimum SQ size
    - RDMA/efa: User/kernel compatibility handshake mechanism
    - RDMA/efa: Add EFA 0xefa1 PCI ID
  * Groovy update: v5.8.13 upstream stable release (LP: #1898076)
    - device_cgroup: Fix RCU list debugging warning
    - ASoC: pcm3168a: ignore 0 Hz settings
    - ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811
    - ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions
    - ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1
    - clk: versatile: Add of_node_put() before return statement
    - RISC-V: Take text_mutex in ftrace_init_nop()
    - i2c: aspeed: Mask IRQ status to relevant bits
    - s390/init: add missing __init annotations
    - lockdep: fix order in trace_hardirqs_off_caller()
    - EDAC/ghes: Check whether the driver is on the safe list correctly
    - drm/amdkfd: fix a memory leak issue
    - drm/amd/display: Don't use DRM_ERROR() for DTM add topology
    - drm/amd/display: update nv1x stutter latencies
    - drm/amdgpu/dc: Require primary plane to be enabled whenever the CRTC is
    - drm/amd/display: Don't log hdcp module warnings in dmesg
    - objtool: Fix noreturn detection for ignored functions
    - i2c: mediatek: Send i2c master code at ...

Changed in linux-azure (Ubuntu Groovy):
status: In Progress → Fix Released