Commit 90617477 authored by Linus Torvalds

Merge tag 'x86_bugs_for_v6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 speculation mitigation updates from Borislav Petkov:

 - Some preparatory work to convert the mitigations machinery to
   mitigating attack vectors instead of single vulnerabilities

 - Untangle and remove a now unneeded X86_FEATURE_USE_IBPB flag

 - Add support for a Zen5-specific SRSO mitigation

 - Cleanups and minor improvements

* tag 'x86_bugs_for_v6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2
  x86/bugs: Use the cpu_smt_possible() helper instead of open-coded code
  x86/bugs: Add AUTO mitigations for mds/taa/mmio/rfds
  x86/bugs: Relocate mds/taa/mmio/rfds defines
  x86/bugs: Add X86_BUG_SPECTRE_V2_USER
  x86/bugs: Remove X86_FEATURE_USE_IBPB
  KVM: nVMX: Always use IBPB to properly virtualize IBRS
  x86/bugs: Use a static branch to guard IBPB on vCPU switch
  x86/bugs: Remove the X86_FEATURE_USE_IBPB check in ib_prctl_set()
  x86/mm: Remove X86_FEATURE_USE_IBPB checks in cond_mitigation()
  x86/bugs: Move the X86_FEATURE_USE_IBPB check into callers
  x86/bugs: KVM: Add support for SRSO_MSR_FIX
parents 2d09a944 98fdaeb2
+13 −0
@@ -104,7 +104,20 @@ The possible values in this file are:

   (spec_rstack_overflow=ibpb-vmexit)

 * 'Mitigation: Reduced Speculation':

   This mitigation gets automatically enabled when the above one "IBPB on
   VMEXIT" has been selected and the CPU supports the BpSpecReduce bit.

   It gets automatically enabled on machines which have the
   SRSO_USER_KERNEL_NO=1 CPUID bit. In that case, the code logic is to switch
   to the above =ibpb-vmexit mitigation because the user/kernel boundary is
   not affected anymore and thus "safe RET" is not needed.

   After enabling the IBPB on VMEXIT mitigation option, the BpSpecReduce bit
   is detected (functionality present on all such machines) and that
   practically overrides IBPB on VMEXIT as it has a lot less performance
   impact and takes care of the guest->host attack vector too.

In order to exploit vulnerability, an attacker needs to:

+2 −0
@@ -6585,6 +6585,8 @@

			Selecting 'on' will also enable the mitigation
			against user space to user space task attacks.
			Selecting specific mitigation does not force enable
			user mitigations.

			Selecting 'off' will disable both the kernel and
			the user space protections.
+5 −1
@@ -202,7 +202,6 @@
#define X86_FEATURE_MBA			( 7*32+18) /* "mba" Memory Bandwidth Allocation */
#define X86_FEATURE_RSB_CTXSW		( 7*32+19) /* Fill RSB on context switches */
#define X86_FEATURE_PERFMON_V2		( 7*32+20) /* "perfmon_v2" AMD Performance Monitoring Version 2 */
#define X86_FEATURE_USE_IBPB		( 7*32+21) /* Indirect Branch Prediction Barrier enabled */
#define X86_FEATURE_USE_IBRS_FW		( 7*32+22) /* Use IBRS during runtime firmware calls */
#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE	( 7*32+23) /* Disable Speculative Store Bypass. */
#define X86_FEATURE_LS_CFG_SSBD		( 7*32+24)  /* AMD SSBD implementation via LS_CFG MSR */
@@ -461,6 +460,10 @@
#define X86_FEATURE_IBPB_BRTYPE		(20*32+28) /* MSR_PRED_CMD[IBPB] flushes all branch type predictions */
#define X86_FEATURE_SRSO_NO		(20*32+29) /* CPU is not affected by SRSO */
#define X86_FEATURE_SRSO_USER_KERNEL_NO	(20*32+30) /* CPU is not affected by SRSO across user/kernel boundaries */
#define X86_FEATURE_SRSO_BP_SPEC_REDUCE	(20*32+31) /*
						    * BP_CFG[BpSpecReduce] can be used to mitigate SRSO for VMs.
						    * (SRSO_MSR_FIX in the official doc).
						    */

/*
 * Extended auxiliary flags: Linux defined - for features scattered in various
@@ -527,4 +530,5 @@
#define X86_BUG_RFDS			X86_BUG(1*32 + 2) /* "rfds" CPU is vulnerable to Register File Data Sampling */
#define X86_BUG_BHI			X86_BUG(1*32 + 3) /* "bhi" CPU is affected by Branch History Injection */
#define X86_BUG_IBPB_NO_RET	   	X86_BUG(1*32 + 4) /* "ibpb_no_ret" IBPB omits return target predictions */
#define X86_BUG_SPECTRE_V2_USER		X86_BUG(1*32 + 5) /* "spectre_v2_user" CPU is affected by Spectre variant 2 attack between user processes */
#endif /* _ASM_X86_CPUFEATURES_H */
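Review bot: The comment on `X86_FEATURE_SRSO_BP_SPEC_REDUCE` says the bit mitigates SRSO "for VMs", which does not say which direction is covered. The srso.rst text in this same merge describes it as handling the guest->host vector, so I would word it `/* BP_CFG[BpSpecReduce] mitigates SRSO guest->host (SRSO_MSR_FIX in the official doc) */`, which also fits on one line like the neighbouring defines. The comment also carries no quoted flag name, unlike "mba" or "perfmon_v2" above; if that is deliberate, presumably the flag is meant to stay out of /proc/cpuinfo, and that is worth confirming since operators would then rely on the sysfs vulnerabilities file to see the mitigation state.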
+1 −0
@@ -723,6 +723,7 @@

/* Zen4 */
#define MSR_ZEN4_BP_CFG                 0xc001102e
#define MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT 4
#define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5

/* Fam 19h MSRs */
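Review bot: `MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT` is added under the `/* Zen4 */` heading with no comment, while the merge description calls this a Zen5-specific SRSO mitigation. A reader could take the Zen4 prefix to mean the bit is usable on every part that has this MSR; I would add `/* BpSpecReduce: set only when X86_FEATURE_SRSO_BP_SPEC_REDUCE is enumerated */` on the define. The code that sets the bit is not on this page, so whether it already gates on the feature flag cannot be checked from here.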
+3 −1
@@ -522,7 +522,7 @@ extern u64 x86_pred_cmd;

static inline void indirect_branch_prediction_barrier(void)
{
	alternative_msr_write(MSR_IA32_PRED_CMD, x86_pred_cmd, X86_FEATURE_USE_IBPB);
	alternative_msr_write(MSR_IA32_PRED_CMD, x86_pred_cmd, X86_FEATURE_IBPB);
}

/* The Intel SPEC CTRL MSR base value cache */
@@ -559,6 +559,8 @@ DECLARE_STATIC_KEY_FALSE(switch_to_cond_stibp);
DECLARE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
DECLARE_STATIC_KEY_FALSE(switch_mm_always_ibpb);

DECLARE_STATIC_KEY_FALSE(switch_vcpu_ibpb);

DECLARE_STATIC_KEY_FALSE(mds_idle_clear);

DECLARE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush);
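Review bot: `indirect_branch_prediction_barrier()` is now patched in on `X86_FEATURE_IBPB`, so it issues the barrier on any CPU that has IBPB regardless of which mitigation was selected, and nothing at the helper says that the policy decision has moved to its callers. I would add a comment above it, e.g. `/* Issues IBPB whenever the CPU supports it; callers must check the relevant switch_*_ibpb key or mode first. */`. The new `switch_vcpu_ibpb` key in the second hunk is likewise declared without a comment; `/* Control IBPB on vCPU load */` would match its name, though its users are outside this page.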