cyring commented 5 years ago

https://github.com/cyring/CoreFreq/blob/8c65cc252d59938328a46a5bc763570b7ef5cd14/corefreqk.c#L2124

Registers MSR_IA32_PRED_CMD and MSR_IA32_FLUSH_CMD are write-only.

Here's one fix:

void Intel_Mitigation_Mechanisms(void)
{
if (Proc->Registration.Experimental)
{
SPEC_CTRL Spec_Ctrl = {.value = 0};
PRED_CMD  Pred_Cmd  = {.value = 0};
FLUSH_CMD Flush_Cmd = {.value = 0};

if (Proc->Features.ExtFeature.EDX.IBRS_IBPB_Cap)
{
RDMSR(Spec_Ctrl, MSR_IA32_SPEC_CTRL);
if ((Proc->Features.Mechanisms.IBRS = Spec_Ctrl.IBRS) == 1)
{
    Pred_Cmd.IBPB = Spec_Ctrl.IBRS;
    WRMSR(Pred_Cmd, MSR_IA32_PRED_CMD);
    Proc->Features.Mechanisms.IBPB = Spec_Ctrl.IBRS;
}
}
if (Proc->Features.ExtFeature.EDX.STIBP_Cap)
{
RDMSR(Spec_Ctrl, MSR_IA32_SPEC_CTRL);
Proc->Features.Mechanisms.STIBP = Spec_Ctrl.STIBP;
}
if (Proc->Features.ExtFeature.EDX.SSBD_Cap)
{
RDMSR(Spec_Ctrl, MSR_IA32_SPEC_CTRL);
Proc->Features.Mechanisms.SSBD = Spec_Ctrl.SSBD;
}
if (Proc->Features.ExtFeature.EDX.L1D_FLUSH_Cap)
{
Flush_Cmd.L1D_FLUSH_CMD = Proc->Features.ExtFeature.EDX.L1D_FLUSH_Cap;
WRMSR(Flush_Cmd, MSR_IA32_FLUSH_CMD);
Proc->Features.Mechanisms.L1D_FLUSH_CMD = Flush_Cmd.L1D_FLUSH_CMD;
}
if (Proc->Features.ExtFeature.EDX.IA32_ARCH_CAP)
{
ARCH_CAPABILITIES Arch_Cap = {.value = 0};

RDMSR(Arch_Cap, MSR_IA32_ARCH_CAPABILITIES);
Proc->Features.Mechanisms.RDCL_NO   = Arch_Cap.RDCL_NO;
Proc->Features.Mechanisms.IBRS_ALL  = Arch_Cap.IBRS_ALL;
Proc->Features.Mechanisms.RSBA      = Arch_Cap.RSBA;
Proc->Features.Mechanisms.L1DFL_VMENTRY_NO = Arch_Cap.L1DFL_VMENTRY_NO;
Proc->Features.Mechanisms.SSB_NO    = Arch_Cap.SSB_NO;
Proc->Features.Mechanisms.MDS_NO    = Arch_Cap.MDS_NO;
}
}
}

2019-11-04-165152_724x436_scrot

cyring commented 5 years ago

Results of version 1.68.3

2019-11-05-100723_644x316_scrot

Remarks

Driver arguments

# insmod corefreqk.ko Register_CPU_Idle=1 Register_CPU_Freq=1 RDPMC_Enable=1 Experimental=1 Mech_IBRS=1 Mech_STIBP=1 Mech_SSBD=1

Boot command line

# cat /proc/cmdline 
mitigations=off nmi_watchdog=0 module_blacklist=pcspkr,nouveau,iTCO_wdt,iTCO_vendor_support,coretemp,acpi_cpufreq,pcc_cpufreq,intel_cstate,intel_rapl_msr,intel_rapl_common,intel_rapl_perf,intel_uncore,intel_pch_thermal,intel_powerclamp consoleblank=0 vt.color=0x03 cpu0_hotplug audit=0 idle=halt intel_pstate=disable

cyring commented 5 years ago

Rolling back the IBPB and L1D-FLUSH capabilities

Change with the code bellow: https://github.com/cyring/CoreFreq/blob/962bf3c264948c4319783338ac25c17e1d84bfec/corefreq-cli.c#L1377

bix = Shm->Proc.Features.ExtFeature.EDX.IBRS_IBPB_Cap == 1;
PUT(SCANKEY_NULL, attrib[bix], width, 2,
    "%s%.*sIBPB   [%7s]", RSC(MECH_IBPB).CODE(),
    width - 19 - RSZ(MECH_IBPB), hSpace, MECH[bix]);

bix = Shm->Proc.Features.ExtFeature.EDX.L1D_FLUSH_Cap == 1;
PUT(SCANKEY_NULL, attrib[bix], width, 2,
    "%s%.*sL1D-FLUSH   [%7s]", RSC(MECH_L1D_FLUSH).CODE(),
    width - 24 - RSZ(MECH_L1D_FLUSH), hSpace, MECH[bix]);

Un-comment all TODO(Clean-Up) concerning the resource strings RSC_MECH_IBPB, RSC_MECH_SSBD in source files: corefreq-cli-rsc.h , corefreq-cli-rsc.c , corefreq-cli-rsc-fr.h, corefreq-cli-rsc-en.h
Rebuild and Test

cyring commented 5 years ago

[DONE] SMEP (Intel OS Guard), IBPB and L1D-FLUSH capabilities.
- Test cases
[TODO]
- Move MPX (Memory Protection Extensions) from ISA to Features window
- Add the CET (Control flow Enforcement Technology) capability

cyring commented 5 years ago

MPX (Memory Protection Extensions)

MPX State

Intel SDM

BNDREGS state CPUID.(EAX=0DH,ECX=3):EBX enumerates the offset (in bytes, from the base of the XSAVE area) of the section of the extended region of the XSAVE area used for BNDREGS state (when the standard format of the extended region is used). CPUID.(EAX=0DH,ECX=3):EAX enumerates the size (in bytes) required for BNDREGS state. The BNDREGS section is used for the 4 128-bit bound registers BND0–BND3, with bytes 16i+15:16i being used for BNDi.

BNDCSR state CPUID.(EAX=0DH,ECX=4):EBX enumerates the offset of the section of the extended region of the XSAVE area used for BNDCSR state (when the standard format of the extended region is used). CPUID.(EAX=0DH,ECX=4):EAX enumerates the size (in bytes) required for BNDCSR state. In the BNDSCR section, bytes 7:0 are used for BNDCFGU and bytes 15:8 are used for BNDSTATUS.

Both components of MPX state are XSAVE-managed and the MPX feature is XSAVE-enabled. The XSAVE feature set can operate on MPX state only if the feature set is enabled (CR4.OSXSAVE = 1) and has been configured to manage MPX state (XCR0[4:3] = 11b). MPX instructions cannot be used unless the XSAVE feature set is enabled and has been configured to manage MPX state.

CoreFreq impacts [DONE]

https://github.com/cyring/CoreFreq/blob/e746dff67bfa0b49f6cab9e799ad07339391eb62/coretypes.h#L506

#define CPUID_MAX_FUNC  62

https://github.com/cyring/CoreFreq/blob/e746dff67bfa0b49f6cab9e799ad07339391eb62/corefreqk.h#L549

static const CPUID_STRUCT CpuIDforVendor[CPUID_MAX_FUNC]={
/* x86 */
    {.func=0x00000001, .sub=0x00000000},    /* Instruction set  */
/* Intel */
    {.func=0x00000002, .sub=0x00000000},    /* Cache & TLB      */
    {.func=0x00000003, .sub=0x00000000},    /* Proc. Serial Number  */
    {.func=0x00000004, .sub=0x00000000},    /* Cache L1I        */
    {.func=0x00000004, .sub=0x00000001},    /* Cache L1D        */
    {.func=0x00000004, .sub=0x00000002},    /* Cache L2     */
    {.func=0x00000004, .sub=0x00000003},    /* Cache L3     */
/* x86 */
    {.func=0x00000005, .sub=0x00000000},    /* MONITOR/MWAIT    */
    {.func=0x00000006, .sub=0x00000000},    /* Power & Thermal Mgmt */
    {.func=0x00000007, .sub=0x00000000},    /* Extended Features    */
/* Intel */
    {.func=0x00000009, .sub=0x00000000},    /* Direct Cache Access  */
    {.func=0x0000000a, .sub=0x00000000},    /* Perf. Monitoring */
/* x86 */
    {.func=0x0000000b, .sub=0x00000000},    /* Ext. Topology    */
    {.func=0x0000000d, .sub=0x00000000},    /* Ext. State Main leaf */
    {.func=0x0000000d, .sub=0x00000001},    /* Ext. State Sub-leaf  */
/* AMD */
    {.func=0x0000000d, .sub=0x00000002},    /* Ext. State Sub-leaf  */
    {.func=0x0000000d, .sub=0x00000003},    /* BNDREGS state    */
    {.func=0x0000000d, .sub=0x00000004},    /* BNDCSR state     */
/* AMD Family 15h */
    {.func=0x0000000d, .sub=0x0000003e},    /* Ext. State Sub-leaf  */
/* Intel */
    {.func=0x0000000f, .sub=0x00000000},    /* QoS Monitoring cap.  */
    {.func=0x0000000f, .sub=0x00000001},    /* L3 QoS Monitoring    */
    {.func=0x00000010, .sub=0x00000000},    /* QoS Enforcement cap. */
    {.func=0x00000010, .sub=0x00000001},    /* L3 Alloc Enumeration */
    {.func=0x00000010, .sub=0x00000002},    /* L2 Alloc Enumeration */
    {.func=0x00000010, .sub=0x00000003},    /* RAM Bandwidth Enum.  */
    {.func=0x00000012, .sub=0x00000000},    /* SGX Capability   */
    {.func=0x00000012, .sub=0x00000001},    /* SGX Attributes   */
    {.func=0x00000012, .sub=0x00000002},    /* SGX EnclavePageCache */
    {.func=0x00000014, .sub=0x00000000},    /* Processor Trace  */
    {.func=0x00000014, .sub=0x00000001},    /* Proc. Trace Sub-leaf */
    {.func=0x00000015, .sub=0x00000000},    /* Time Stamp Counter   */
    {.func=0x00000016, .sub=0x00000000},    /* Processor Frequency  */
    {.func=0x00000017, .sub=0x00000000},    /* System-On-Chip   */
    {.func=0x00000017, .sub=0x00000001},    /* SOC Attrib. Sub-leaf */
    {.func=0x00000017, .sub=0x00000002},    /* SOC Attrib. Sub-leaf */
    {.func=0x00000017, .sub=0x00000003},    /* SOC Attrib. Sub-leaf */
/* x86 */
    {.func=0x80000001, .sub=0x00000000},    /* Extended Features    */
    {.func=0x80000002, .sub=0x00000000},    /* Processor Name Id.   */
    {.func=0x80000003, .sub=0x00000000},    /* Processor Name Id.   */
    {.func=0x80000004, .sub=0x00000000},    /* Processor Name Id.   */
/* AMD */
    {.func=0x80000005, .sub=0x00000000},    /* Caches L1D L1I TLB   */
/* x86 */
    {.func=0x80000006, .sub=0x00000000},    /* Cache L2 Size & Way  */
    {.func=0x80000007, .sub=0x00000000},    /* Advanced Power Mgmt  */
    {.func=0x80000008, .sub=0x00000000},    /* LM Address Size  */
/* AMD */
    {.func=0x8000000a, .sub=0x00000000},    /* SVM Revision     */
    {.func=0x80000019, .sub=0x00000000},    /* Caches & TLB 1G  */
    {.func=0x8000001a, .sub=0x00000000},    /* Perf. Optimization   */
    {.func=0x8000001b, .sub=0x00000000},    /* Inst. Based Sampling */
    {.func=0x8000001c, .sub=0x00000000},    /* Lightweight Profiling*/
    {.func=0x8000001d, .sub=0x00000000},    /* Cache L1D Properties */
    {.func=0x8000001d, .sub=0x00000001},    /* Cache L1I Properties */
    {.func=0x8000001d, .sub=0x00000002},    /* Cache L2 Properties  */
    {.func=0x8000001d, .sub=0x00000003},    /* Cache Properties End */
    {.func=0x8000001e, .sub=0x00000000},    /* Extended Identifiers */
/* x86 */
    {.func=0x40000000, .sub=0x00000000},    /* Hypervisor vendor    */
    {.func=0x40000001, .sub=0x00000000},    /* Hypervisor interface */
    {.func=0x40000002, .sub=0x00000000},    /* Hypervisor version   */
    {.func=0x40000003, .sub=0x00000000},    /* Hypervisor features  */
    {.func=0x40000004, .sub=0x00000000},    /* Hyperv. requirements */
    {.func=0x40000005, .sub=0x00000000},    /* Hypervisor limits    */
    {.func=0x40000006, .sub=0x00000000},    /* Hypervisor exploits  */
    {.func=0x00000000, .sub=0x00000000},
};

2019-11-07-110327_644x316_scrot

cyring commented 5 years ago

TSX Asynchronous Abort (TAA)

Source: Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort

Code impacts

https://github.com/cyring/CoreFreq/blob/8e57143bc2ed910e85ce91b8fbb96e5f608dc4a8/intelmsr.h#L346

typedef union
{   /* R/O && CPUID.(EAX=07H,ECX=0):EDX[29] == 1            */
    unsigned long long  value;
    struct
    {
        unsigned long long
        RDCL_NO     :  1-0,
        IBRS_ALL    :  2-1,
        RSBA        :  3-2,
        L1DFL_VMENTRY_NO:  4-3,
        SSB_NO      :  5-4,
        MDS_NO      :  6-5,
        PSCHANGE_MC_NO  :  7-6,
        TSX_CTRL    :  8-7,
        TAA_NO      :  9-8,
        ReservedBits    : 64-9;
    };
} ARCH_CAPABILITIES;

CPUID dump w/ micro-code of 20190918

intel-ucode 20190918-1

$ corefreq-cli -s
Processor                              [Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz]
|- Architecture                                                      [Skylake/S]
|- Vendor ID                                                      [GenuineIntel]
|- Microcode                                                        [       204]
|- Signature                                                           [  06_5E]
|- Stepping                                                            [      3]
...
Features                                                                        
|- Hardware Lock Elision                                         HLE   [Capable]
|- Restricted Transactional Memory                               RTM   [Capable]
Mitigation mechanisms                                                           
|- Indirect Branch Restricted Speculation                       IBRS   [Capable]
|- Indirect Branch Prediction Barrier                           IBPB   [Capable]
|- Single Thread Indirect Branch Predictor                     STIBP   [Capable]
|- Speculative Store Bypass Disable                             SSBD   [Capable]
|- Writeback & invalidate the L1 data cache                L1D-FLUSH   [Capable]
|- Hypervisor - No flush L1D on VM entry            L1DFL_VMENTRY_NO   [Missing]
|- Architectural - Buffer Overwriting                       MD-CLEAR   [Capable]
|- Architectural - Rogue Data Cache Load                     RDCL_NO   [Missing]
|- Architectural - Enhanced IBRS                            IBRS_ALL   [Missing]
|- Architectural - Return Stack Buffer Alternate                RSBA   [Missing]
|- Architectural - Speculative Store Bypass                   SSB_NO   [Missing]
|- Architectural - Microarchitectural Data Sampling           MDS_NO   [Missing]

$ corefreq-cli -k
Linux:                                                                          
|- Release                                                       [5.3.8-arch1-1]
|- Version                                          [#1 SMP PREEMPT @1572357769]
|- Machine                                                              [x86_64]

$ corefreq-cli -u
CPU #0   function         EAX          EBX          ECX          EDX            
|- 00000000:00000000    00000016     756e6547     6c65746e     49656e69         
   |- Largest Standard Function=00000016                                        
|- 80000000:00000000    80000008     00000000     00000000     00000000         
   |- Largest Extended Function=80000008                                        
|- 00000001:00000000    000506e3     00100800     7ffafbff     bfebfbff         
|- 00000002:00000000    76036301     00f0b5ff     00000000     00c30000         
|- 00000003:00000000    00000000     00000000     00000000     00000000         
|- 00000004:00000000    1c004121     01c0003f     0000003f     00000000         
|- 00000004:00000001    1c004122     01c0003f     0000003f     00000000         
|- 00000004:00000002    1c004143     00c0003f     000003ff     00000000         
|- 00000004:00000003    1c03c163     03c0003f     00001fff     00000006         
|- 00000005:00000000    00000040     00000040     00000003     00142120         
|- 00000006:00000000    000027f7     00000002     00000009     00000000         
|- 00000007:00000000    00000000     029c6fbf     00000000     9c002400         
|- 00000009:00000000    00000000     00000000     00000000     00000000         
|- 0000000a:00000000    07300404     00000000     00000000     00000603         
|- 0000000b:00000000    00000001     00000002     00000100     00000000         
|- 0000000d:00000000    0000001f     00000440     00000440     00000000         
|- 0000000d:00000001    0000000f     000003c0     00000100     00000000         
|- 0000000d:00000002    00000100     00000240     00000000     00000000         
|- 0000000d:00000003    00000040     000003c0     00000000     00000000         
|- 0000000d:00000004    00000040     00000400     00000000     00000000         
|- 0000000d:0000003e    00000000     00000000     00000000     00000000         
|- 0000000f:00000000    00000000     00000000     00000000     00000000         
|- 0000000f:00000001    00000000     00000000     00000000     00000000         
|- 00000010:00000000    00000000     00000000     00000000     00000000         
|- 00000010:00000001    00000000     00000000     00000000     00000000         
|- 00000010:00000002    00000000     00000000     00000000     00000000         
|- 00000010:00000003    00000000     00000000     00000000     00000000         
|- 00000012:00000000    00000000     00000000     00000000     00000000         
|- 00000012:00000001    00000000     00000000     00000000     00000000         
|- 00000012:00000002    00000000     00000000     00000000     00000000         
|- 00000014:00000000    00000001     0000000f     00000007     00000000         
|- 00000014:00000001    02490002     003f3fff     00000000     00000000         
|- 00000015:00000000    00000002     0000011c     00000000     00000000         
|- 00000016:00000000    00000d48     00000fa0     00000064     00000000         
|- 00000017:00000000    00000d48     00000fa0     00000064     00000000         
|- 00000017:00000001    00000d48     00000fa0     00000064     00000000         
|- 00000017:00000002    00000d48     00000fa0     00000064     00000000         
|- 00000017:00000003    00000d48     00000fa0     00000064     00000000         
|- 80000001:00000000    00000000     00000000     00000121     2c100800         
|- 80000002:00000000    65746e49     2952286c     726f4320     4d542865         
|- 80000003:00000000    37692029     3037362d     50432030     20402055         
|- 80000004:00000000    30342e33     007a4847     00000000     00000000         
|- 80000005:00000000    00000000     00000000     00000000     00000000         
|- 80000006:00000000    00000000     00000000     01006040     00000000         
|- 80000007:00000000    00000000     00000000     00000000     00000100         
|- 80000008:00000000    00003027     00000000     00000000     00000000         
|- 8000000a:00000000    00000d48     00000fa0     00000064     00000000         
|- 80000019:00000000    00000d48     00000fa0     00000064     00000000         
|- 8000001a:00000000    00000d48     00000fa0     00000064     00000000         
|- 8000001b:00000000    00000d48     00000fa0     00000064     00000000         
|- 8000001c:00000000    00000d48     00000fa0     00000064     00000000         
|- 8000001d:00000000    00000d48     00000fa0     00000064     00000000         
|- 8000001d:00000001    00000d48     00000fa0     00000064     00000000         
|- 8000001d:00000002    00000d48     00000fa0     00000064     00000000         
|- 8000001d:00000003    00000d48     00000fa0     00000064     00000000         
|- 8000001e:00000000    00000d48     00000fa0     00000064     00000000         
|- 40000000:00000000    00000d48     00000fa0     00000064     00000000         
|- 40000001:00000000    00000d48     00000fa0     00000064     00000000         
|- 40000002:00000000    00000d48     00000fa0     00000064     00000000         
|- 40000003:00000000    00000d48     00000fa0     00000064     00000000         
|- 40000004:00000000    00000d48     00000fa0     00000064     00000000         
|- 40000005:00000000    00000d48     00000fa0     00000064     00000000         
|- 40000006:00000000    00000d48     00000fa0     00000064     00000000

# rdmsr -ax 0x122
rdmsr: CPU 0 cannot read MSR 0x00000122
# rdmsr -ax 0x10a
rdmsr: CPU 0 cannot read MSR 0x0000010a

cyring commented 4 years ago

This subject appears completed.

cyring / CoreFreq

Intel Mitigation Mechanisms #151

Results of version 1.68.3

Rolling back the IBPB and L1D-FLUSH capabilities

MPX (Memory Protection Extensions)

MPX State

Intel SDM

CoreFreq impacts [DONE]

TSX Asynchronous Abort (TAA)

Code impacts

CPUID dump w/ micro-code of 20190918