Commit 223ba8ee authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'vmscape-for-linus-20250904' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull vmscape mitigation fixes from Dave Hansen:
 "Mitigate vmscape issue with indirect branch predictor flushes.

  vmscape is a vulnerability that essentially takes Spectre-v2 and
  attacks host userspace from a guest. It particularly affects
  hypervisors like QEMU.

  Even if a hypervisor may not have any sensitive data like disk
  encryption keys, guest-userspace may be able to attack the
  guest-kernel using the hypervisor as a confused deputy.

  There are many ways to mitigate vmscape using the existing Spectre-v2
  defenses like IBRS variants or the IBPB flushes. This series focuses
  solely on IBPB because it works universally across vendors and all
  vulnerable processors. Further work doing vendor and model-specific
  optimizations can build on top of this if needed / wanted.

  Do the normal issue mitigation dance:

   - Add the CPU bug boilerplate

   - Add a list of vulnerable CPUs

   - Use IBPB to flush the branch predictors after running guests"

* tag 'vmscape-for-linus-20250904' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/vmscape: Add old Intel CPUs to affected list
  x86/vmscape: Warn when STIBP is disabled with SMT
  x86/bugs: Move cpu_bugs_smt_update() down
  x86/vmscape: Enable the mitigation
  x86/vmscape: Add conditional IBPB mitigation
  x86/vmscape: Enumerate VMSCAPE bug
  Documentation/hw-vuln: Add VMSCAPE documentation
parents 7aac7190 8a68d64b
+1 −0
@@ -586,6 +586,7 @@ What: /sys/devices/system/cpu/vulnerabilities
		/sys/devices/system/cpu/vulnerabilities/srbds
		/sys/devices/system/cpu/vulnerabilities/tsa
		/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
		/sys/devices/system/cpu/vulnerabilities/vmscape
Date:		January 2018
Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
Description:	Information about CPU vulnerabilities
+1 −0
@@ -26,3 +26,4 @@ are configurable at compile, boot or run time.
   rsb
   old_microcode
   indirect-target-selection
   vmscape
+110 −0
.. SPDX-License-Identifier: GPL-2.0

VMSCAPE
=======

VMSCAPE is a vulnerability that may allow a guest to influence the branch
prediction in host userspace. It particularly affects hypervisors like QEMU.

Even if a hypervisor may not have any sensitive data like disk encryption keys,
guest-userspace may be able to attack the guest-kernel using the hypervisor as
a confused deputy.

Affected processors
-------------------

The following CPU families are affected by VMSCAPE:

**Intel processors:**
  - Skylake generation (Parts without Enhanced-IBRS)
  - Cascade Lake generation - (Parts affected by ITS guest/host separation)
  - Alder Lake and newer (Parts affected by BHI)

Note that, BHI affected parts that use BHB clearing software mitigation e.g.
Icelake are not vulnerable to VMSCAPE.

**AMD processors:**
  - Zen series (families 0x17, 0x19, 0x1a)

** Hygon processors:**
 - Family 0x18

Mitigation
----------

Conditional IBPB
----------------

Kernel tracks when a CPU has run a potentially malicious guest and issues an
IBPB before the first exit to userspace after VM-exit. If userspace did not run
between VM-exit and the next VM-entry, no IBPB is issued.

Note that the existing userspace mitigation against Spectre-v2 is effective in
protecting the userspace. They are insufficient to protect the userspace VMMs
from a malicious guest. This is because Spectre-v2 mitigations are applied at
context switch time, while the userspace VMM can run after a VM-exit without a
context switch.

Vulnerability enumeration and mitigation is not applied inside a guest. This is
because nested hypervisors should already be deploying IBPB to isolate
themselves from nested guests.

SMT considerations
------------------

When Simultaneous Multi-Threading (SMT) is enabled, hypervisors can be
vulnerable to cross-thread attacks. For complete protection against VMSCAPE
attacks in SMT environments, STIBP should be enabled.

The kernel will issue a warning if SMT is enabled without adequate STIBP
protection. Warning is not issued when:

- SMT is disabled
- STIBP is enabled system-wide
- Intel eIBRS is enabled (which implies STIBP protection)

System information and options
------------------------------

The sysfs file showing VMSCAPE mitigation status is:

  /sys/devices/system/cpu/vulnerabilities/vmscape

The possible values in this file are:

 * 'Not affected':

   The processor is not vulnerable to VMSCAPE attacks.

 * 'Vulnerable':

   The processor is vulnerable and no mitigation has been applied.

 * 'Mitigation: IBPB before exit to userspace':

   Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has
   run a potentially malicious guest and issues an IBPB before the first
   exit to userspace after VM-exit.

 * 'Mitigation: IBPB on VMEXIT':

   IBPB is issued on every VM-exit. This occurs when other mitigations like
   RETBLEED or SRSO are already issuing IBPB on VM-exit.

Mitigation control on the kernel command line
----------------------------------------------

The mitigation can be controlled via the ``vmscape=`` command line parameter:

 * ``vmscape=off``:

   Disable the VMSCAPE mitigation.

 * ``vmscape=ibpb``:

   Enable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).

 * ``vmscape=force``:

   Force vulnerability detection and mitigation even on processors that are
   not known to be affected.
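Review bot: `** Hygon processors:**` will not render as strong emphasis in reStructuredText because of the space after the opening `**`, and its list item is indented one space where the Intel and AMD lists use two; suggest `**Hygon processors:**` with the `- Family 0x18` item aligned to the other two lists. In the same file, `Mitigation`, `Conditional IBPB` and `SMT considerations` all use `-` underlines, so `Conditional IBPB` renders as a sibling section of `Mitigation` rather than a subsection; a different underline character (for example `~`) for the two subsections would give the intended nesting. Two wording points: "Note that, BHI affected parts" has a stray comma, and "the existing userspace mitigation against Spectre-v2 is effective ... They are insufficient" switches from singular to plural mid-thought. Finally, this page is titled VMSCAPE while the `vmscape=` entry in kernel-parameters.txt in the same series spells it VMscape; one spelling should be used throughout.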
+11 −0
@@ -3829,6 +3829,7 @@
					       srbds=off [X86,INTEL]
					       ssbd=force-off [ARM64]
					       tsx_async_abort=off [X86]
					       vmscape=off [X86]

				Exceptions:
					       This does not have any effect on
@@ -8041,6 +8042,16 @@
	vmpoff=		[KNL,S390] Perform z/VM CP command after power off.
			Format: <command>

	vmscape=	[X86] Controls mitigation for VMscape attacks.
			VMscape attacks can leak information from a userspace
			hypervisor to a guest via speculative side-channels.

			off		- disable the mitigation
			ibpb		- use Indirect Branch Prediction Barrier
					  (IBPB) mitigation (default)
			force		- force vulnerability detection even on
					  unaffected processors

	vsyscall=	[X86-64,EARLY]
			Controls the behavior of vsyscalls (i.e. calls to
			fixed addresses of 0xffffffffff600x00 from legacy
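Review bot: the `ibpb` entry is marked `(default)` unconditionally, whereas vmscape.rst in this series qualifies it as the default only when CONFIG_MITIGATION_VMSCAPE=y (and that Kconfig symbol depends on KVM); suggest `(default when CONFIG_MITIGATION_VMSCAPE=y)` here as well so the two documents agree. The description also spells the name `VMscape`, while the sysfs entry, the Kconfig symbol and the new hw-vuln page use `VMSCAPE`. The `force` text, "force vulnerability detection even on unaffected processors", is slightly misleading since forcing is meant for processors not known to be affected; reusing the wording from vmscape.rst ("processors that are not known to be affected") would be more accurate.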
+9 −0
@@ -2701,6 +2701,15 @@ config MITIGATION_TSA
	  security vulnerability on AMD CPUs which can lead to forwarding of
	  invalid info to subsequent instructions and thus can affect their
	  timing and thereby cause a leakage.

config MITIGATION_VMSCAPE
	bool "Mitigate VMSCAPE"
	depends on KVM
	default y
	help
	  Enable mitigation for VMSCAPE attacks. VMSCAPE is a hardware security
	  vulnerability on Intel and AMD CPUs that may allow a guest to do
	  Spectre v2 style attacks on userspace hypervisor.
endif

config ARCH_HAS_ADD_PAGES
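Review bot: the help text reads "Spectre v2 style attacks on userspace hypervisor", which is missing an article ("on a userspace hypervisor"); it also does not point readers to the new Documentation/admin-guide/hw-vuln/vmscape.rst page, which documents the `vmscape=` options and sysfs state strings that this symbol governs. Since the option `depends on KVM`, a sentence in the help text saying the mitigation is only relevant on hosts that run guests would make the dependency self-explanatory.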