Diffstat (limited to 'x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch')
-rw-r--r-- x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch | 46
1 files changed, 46 insertions, 0 deletions
diff --git a/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch b/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
new file mode 100644
index 000000000..a7e0accb6
--- /dev/null
+++ b/x86-cpu-x86-pti-Do-not-enable-PTI-on-AMD-processors.patch
@@ -0,0 +1,46 @@
+From patchwork Wed Dec 27 05:43:54 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: x86/cpu, x86/pti: Do not enable PTI on AMD processors
+From: Tom Lendacky <thomas.lendacky@amd.com>
+X-Patchwork-Id: 10133447
+Message-Id: <20171227054354.20369.94587.stgit@tlendack-t1.amdoffice.net>
+To: x86@kernel.org
+Cc: Dave Hansen <dave.hansen@linux.intel.com>,
+ linux-kernel@vger.kernel.org, Ingo Molnar <mingo@redhat.com>,
+ Andy Lutomirski <luto@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
+ Thomas Gleixner <tglx@linutronix.de>, Borislav Petkov <bp@suse.de>
+Date: Tue, 26 Dec 2017 23:43:54 -0600
+
+AMD processors are not subject to the types of attacks that the kernel
+page table isolation feature protects against. The AMD microarchitecture
+does not allow memory references, including speculative references, that
+access higher privileged data when running in a lesser privileged mode
+when that access would result in a page fault.
+
+Disable page table isolation by default on AMD processors by not setting
+the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
+is set.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index c47de4e..7d9e3b0 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
+
+ setup_force_cpu_cap(X86_FEATURE_ALWAYS);
+
+- /* Assume for now that ALL x86 CPUs are insecure */
+- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
++ if (c->x86_vendor != X86_VENDOR_AMD)
++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+
+ fpu__init_system(c);
+
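Review bot: In the embedded early_identify_cpu() change, the comment "Assume for now that ALL x86 CPUs are insecure" is removed and the new `if (c->x86_vendor != X86_VENDOR_AMD)` test carries no comment, so the reason for the exemption is recorded only in the commit message. A short comment above the test should say that AMD is skipped because its microarchitecture does not allow references, including speculative ones, to higher-privileged data when the access would page-fault. The test is also keyed on vendor alone: every AMD part skips X86_BUG_CPU_INSECURE regardless of family or model, and every non-AMD vendor still gets it. It is worth confirming that the commit message's claim holds for all AMD processors this code path can see. If it does not, the condition should be narrowed rather than left vendor-wide.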