8 years ago · 04f3b8beca
--- a/patches/kernel/0240-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
+++ b/patches/kernel/0240-x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
@@ -0,0 +1,54 @@
 
				+From 5462db3d070845ecc34929b6f25a87efda023aae Mon Sep 17 00:00:00 2001
			
 
				+From: Tom Lendacky <[email protected]>
			
 
				+Date: Tue, 26 Dec 2017 23:43:54 -0600
			
 
				+Subject: [PATCH 240/241] x86/cpu, x86/pti: Do not enable PTI on AMD processors
			
 
				+MIME-Version: 1.0
			
 
				+Content-Type: text/plain; charset=UTF-8
			
 
				+Content-Transfer-Encoding: 8bit
			
 
				+
			
 
				+CVE-2017-5754
			
 
				+
			
 
				+AMD processors are not subject to the types of attacks that the kernel
			
 
				+page table isolation feature protects against.  The AMD microarchitecture
			
 
				+does not allow memory references, including speculative references, that
			
 
				+access higher privileged data when running in a lesser privileged mode
			
 
				+when that access would result in a page fault.
			
 
				+
			
 
				+Disable page table isolation by default on AMD processors by not setting
			
 
				+the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
			
 
				+is set.
			
 
				+
			
 
				+Signed-off-by: Tom Lendacky <[email protected]>
			
 
				+Signed-off-by: Thomas Gleixner <[email protected]>
			
 
				+Reviewed-by: Borislav Petkov <[email protected]>
			
 
				+Cc: Dave Hansen <[email protected]>
			
 
				+Cc: Andy Lutomirski <[email protected]>
			
 
				+Cc: [email protected]
			
 
				+Link: https://lkml.kernel.org/r/[email protected]
			
 
				+
			
 
				+(cherry picked from commit 694d99d40972f12e59a3696effee8a376b79d7c8)
			
 
				+Signed-off-by: Marcelo Henrique Cerri <[email protected]>
			
 
				+(cherry picked from commit 9d334f48f017b9c6457c6ba321e5a53a1cc6a5c7)
			
 
				+Signed-off-by: Fabian Grünbichler <[email protected]>
			
 
				+---
			
 
				+ arch/x86/kernel/cpu/common.c | 4 ++--
			
 
				+ 1 file changed, 2 insertions(+), 2 deletions(-)
			
 
				+
			
 
				+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
			
 
				+index 99f37d1636ff..1854dd8071a6 100644
			
 
				+--- a/arch/x86/kernel/cpu/common.c
			
 
				++++ b/arch/x86/kernel/cpu/common.c
			
 
				+@@ -899,8 +899,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
			
 
				+ 
			
 
				+ 	setup_force_cpu_cap(X86_FEATURE_ALWAYS);
			
 
				+ 
			
 
				+-	/* Assume for now that ALL x86 CPUs are insecure */
			
 
				+-	setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
			
 
				++	if (c->x86_vendor != X86_VENDOR_AMD)
			
 
				++		setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
			
 
				+ 
			
 
				+ 	fpu__init_system(c);
			
 
				+ }
			
 
				+-- 
			
 
				+2.14.2
			
 
				+
			
--- a/patches/kernel/0241-x86-microcode-AMD-Add-support-for-fam17h-microcode-l.patch
+++ b/patches/kernel/0241-x86-microcode-AMD-Add-support-for-fam17h-microcode-l.patch
@@ -0,0 +1,52 @@
 
				+From 8329d47141a78a64e8ae6f4a735aceaafe93e098 Mon Sep 17 00:00:00 2001
			
 
				+From: Tom Lendacky <[email protected]>
			
 
				+Date: Thu, 30 Nov 2017 16:46:40 -0600
			
 
				+Subject: [PATCH 241/241] x86/microcode/AMD: Add support for fam17h microcode
			
 
				+ loading
			
 
				+MIME-Version: 1.0
			
 
				+Content-Type: text/plain; charset=UTF-8
			
 
				+Content-Transfer-Encoding: 8bit
			
 
				+
			
 
				+commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf upstream.
			
 
				+
			
 
				+The size for the Microcode Patch Block (MPB) for an AMD family 17h
			
 
				+processor is 3200 bytes.  Add a #define for fam17h so that it does
			
 
				+not default to 2048 bytes and fail a microcode load/update.
			
 
				+
			
 
				+Signed-off-by: Tom Lendacky <[email protected]>
			
 
				+Signed-off-by: Thomas Gleixner <[email protected]>
			
 
				+Reviewed-by: Borislav Petkov <[email protected]>
			
 
				+Link: https://lkml.kernel.org/r/[email protected]
			
 
				+Signed-off-by: Ingo Molnar <[email protected]>
			
 
				+Cc: Alice Ferrazzi <[email protected]>
			
 
				+Signed-off-by: Greg Kroah-Hartman <[email protected]>
			
 
				+Signed-off-by: Fabian Grünbichler <[email protected]>
			
 
				+---
			
 
				+ arch/x86/kernel/cpu/microcode/amd.c | 4 ++++
			
 
				+ 1 file changed, 4 insertions(+)
			
 
				+
			
 
				+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
			
 
				+index 21b185793c80..248cad00fee6 100644
			
 
				+--- a/arch/x86/kernel/cpu/microcode/amd.c
			
 
				++++ b/arch/x86/kernel/cpu/microcode/amd.c
			
 
				+@@ -467,6 +467,7 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size,
			
 
				+ #define F14H_MPB_MAX_SIZE 1824
			
 
				+ #define F15H_MPB_MAX_SIZE 4096
			
 
				+ #define F16H_MPB_MAX_SIZE 3458
			
 
				++#define F17H_MPB_MAX_SIZE 3200
			
 
				+ 
			
 
				+ 	switch (family) {
			
 
				+ 	case 0x14:
			
 
				+@@ -478,6 +479,9 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size,
			
 
				+ 	case 0x16:
			
 
				+ 		max_size = F16H_MPB_MAX_SIZE;
			
 
				+ 		break;
			
 
				++	case 0x17:
			
 
				++		max_size = F17H_MPB_MAX_SIZE;
			
 
				++		break;
			
 
				+ 	default:
			
 
				+ 		max_size = F1XH_MPB_MAX_SIZE;
			
 
				+ 		break;
			
 
				+-- 
			
 
				+2.14.2
			
 
				+