authorRobert Mustacchi <rm@fingolfin.org>2022-03-19 16:58:51 +0000
committerRobert Mustacchi <rm@fingolfin.org>2022-05-06 02:46:52 +0000
commit9514ab446512446bdb11f38ddcd2b71404b155a1 (patch)
treeb624f034d34778fa53673584716a34a6c94fe7f4
parente4f7ccbe1e17940fdbde623116bcc8cd761d9ffc (diff)
14575 AMD-specific retpolines shouldn't be used for spectre v2
Reviewed by: Rich Lowe <richlowe@richlowe.net> Reviewed by: Toomas Soome <tsoome@me.com> Approved by: Dan McDonald <danmcd@mnx.io>
-rw-r--r--usr/src/uts/i86pc/os/cpuid.c43
-rw-r--r--usr/src/uts/intel/ml/retpoline.s27
2 files changed, 12 insertions, 58 deletions
diff --git a/usr/src/uts/i86pc/os/cpuid.c b/usr/src/uts/i86pc/os/cpuid.c
index 364881ebf3..00a1c0004f 100644
--- a/usr/src/uts/i86pc/os/cpuid.c
+++ b/usr/src/uts/i86pc/os/cpuid.c
@@ -24,7 +24,7 @@
* Copyright 2013 Nexenta Systems, Inc. All rights reserved.
* Copyright 2014 Josef "Jeff" Sipek <jeffpc@josefsipek.net>
* Copyright 2020 Joyent, Inc.
- * Copyright 2021 Oxide Computer Company
+ * Copyright 2022 Oxide Computer Company
*/
/*
* Copyright (c) 2010, Intel Corporation.
@@ -1076,18 +1076,17 @@
*
* We have to use a common external location of the thunk and not inline it into
* the callsite so that way we can have a single place to patch these functions.
- * As it turns out, we actually have three different forms of retpolines that
+ * As it turns out, we currently have two different forms of retpolines that
* exist in the system:
*
* 1. A full retpoline
- * 2. An AMD-specific optimized retpoline
- * 3. A no-op version
+ * 2. A no-op version
*
- * The first one is used in the general case. The second one is used if we can
- * determine that we're on an AMD system and we can successfully toggle the
- * lfence serializing MSR that exists on the platform. Basically with this
- * present, an lfence is sufficient and we don't need to do anywhere near as
- * complicated a dance to successfully use retpolines.
+ * The first one is used in the general case. Historically, there was an
+ * AMD-specific optimized retopoline variant that was based around using a
+ * serializing lfence instruction; however, in March 2022 it was announced that
+ * this was actually still vulnerable to Spectre v2 and therefore we no longer
+ * use it and it is no longer available in the system.
*
* The third form described above is the most curious. It turns out that the way
* that retpolines are implemented is that they rely on how speculation is
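Review bot: The rewritten list in this comment now names only two retpoline forms, but the unchanged sentence just below it still begins `The third form described above is the most curious`, which no longer refers to anything. It should read `The second form described above is the most curious`, since the no-op version is now item 2. The new paragraph also misspells the term as `retopoline`. The comment block continues beyond this hunk, so later text there should be checked for other references to three forms or to the AMD variant.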
@@ -1428,7 +1427,6 @@ int x86_use_invpcid = -1;
typedef enum {
X86_SPECTREV2_RETPOLINE,
- X86_SPECTREV2_RETPOLINE_AMD,
X86_SPECTREV2_ENHANCED_IBRS,
X86_SPECTREV2_DISABLED
} x86_spectrev2_mitigation_t;
@@ -2817,9 +2815,6 @@ cpuid_patch_retpolines(x86_spectrev2_mitigation_t mit)
case X86_SPECTREV2_RETPOLINE:
type = "gen";
break;
- case X86_SPECTREV2_RETPOLINE_AMD:
- type = "amd";
- break;
case X86_SPECTREV2_ENHANCED_IBRS:
case X86_SPECTREV2_DISABLED:
type = "jmp";
@@ -2858,21 +2853,6 @@ cpuid_enable_enhanced_ibrs(void)
}
/*
- * Determine whether or not we can use the AMD optimized retpoline
- * functionality. We use this when we know we're on an AMD system and we can
- * successfully verify that lfence is dispatch serializing.
- */
-static boolean_t
-cpuid_use_amd_retpoline(struct cpuid_info *cpi)
-{
- if (cpi->cpi_vendor != X86_VENDOR_AMD &&
- cpi->cpi_vendor != X86_VENDOR_HYGON)
- return (B_FALSE);
-
- return (is_x86_feature(x86_featureset, X86FSET_LFENCE_SER));
-}
-
-/*
* Determine how we should mitigate TAA or if we need to. Regardless of TAA, if
* we can disable TSX, we do so.
*
@@ -3102,15 +3082,16 @@ cpuid_scan_security(cpu_t *cpu, uchar_t *featureset)
/*
* By default we've come in with retpolines enabled. Check whether we
* should disable them or enable enhanced IBRS. RSB stuffing is enabled
- * by default, but disabled if we are using enhanced IBRS.
+ * by default, but disabled if we are using enhanced IBRS. Note, we do
+ * not allow the use of AMD optimized retpolines as it was disclosed by
+ * AMD in March 2022 that they were still vulnerable. Prior to that
+ * point, we used them.
*/
if (x86_disable_spectrev2 != 0) {
v2mit = X86_SPECTREV2_DISABLED;
} else if (is_x86_feature(featureset, X86FSET_IBRS_ALL)) {
cpuid_enable_enhanced_ibrs();
v2mit = X86_SPECTREV2_ENHANCED_IBRS;
- } else if (cpuid_use_amd_retpoline(cpi)) {
- v2mit = X86_SPECTREV2_RETPOLINE_AMD;
} else {
v2mit = X86_SPECTREV2_RETPOLINE;
}
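Review bot: The added comment says the AMD optimized retpolines `were still vulnerable` without saying to what, and it ends with history (`Prior to that point, we used them`) that belongs in the commit log rather than in the code. A reader auditing the mitigation choice here is better served by the reason and a pointer, for example `Note, we do not use the AMD optimized (lfence-based) retpolines: AMD disclosed in March 2022 that they remain vulnerable to Spectre v2 (see illumos 14575).` cpuid_scan_security starts and ends outside this hunk.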
diff --git a/usr/src/uts/intel/ml/retpoline.s b/usr/src/uts/intel/ml/retpoline.s
index a68d9504c1..ac09d841b3 100644
--- a/usr/src/uts/intel/ml/retpoline.s
+++ b/usr/src/uts/intel/ml/retpoline.s
@@ -61,17 +61,6 @@
SET_SIZE(__x86_indirect_thunk_gen_/**/reg)
/*
- * This macro generates the AMD optimized form of a retpoline which will be used
- * on systems where the lfence dispatch serializing behavior has been changed.
- */
-#define RETPOLINE_MKLFENCE(reg) \
- ENTRY(__x86_indirect_thunk_amd_/**/reg) \
- lfence; \
- jmp *%/**/reg; \
- SET_SIZE(__x86_indirect_thunk_amd_/**/reg)
-
-
-/*
* This macro generates the no-op form of the retpoline which will be used if we
* either need to disable retpolines because we have enhanced IBRS or because we
* have been asked to disable mitigations.
@@ -113,22 +102,6 @@
RETPOLINE_MKGENERIC(r14)
RETPOLINE_MKGENERIC(r15)
- RETPOLINE_MKLFENCE(rax)
- RETPOLINE_MKLFENCE(rbx)
- RETPOLINE_MKLFENCE(rcx)
- RETPOLINE_MKLFENCE(rdx)
- RETPOLINE_MKLFENCE(rdi)
- RETPOLINE_MKLFENCE(rsi)
- RETPOLINE_MKLFENCE(rbp)
- RETPOLINE_MKLFENCE(r8)
- RETPOLINE_MKLFENCE(r9)
- RETPOLINE_MKLFENCE(r10)
- RETPOLINE_MKLFENCE(r11)
- RETPOLINE_MKLFENCE(r12)
- RETPOLINE_MKLFENCE(r13)
- RETPOLINE_MKLFENCE(r14)
- RETPOLINE_MKLFENCE(r15)
-
RETPOLINE_MKJUMP(rax)
RETPOLINE_MKJUMP(rbx)
RETPOLINE_MKJUMP(rcx)