Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

		/sys/devices/system/cpu/vulnerabilities/srbds

		/sys/devices/system/cpu/vulnerabilities/tsa

		/sys/devices/system/cpu/vulnerabilities/tsx_async_abort

		/sys/devices/system/cpu/vulnerabilities/vmscape

Date:		January 2018

Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>

Description:	Information about CPU vulnerabilities

   rsb

   old_microcode

   indirect-target-selection

   vmscape

.. SPDX-License-Identifier: GPL-2.0

VMSCAPE

=======

VMSCAPE is a vulnerability that may allow a guest to influence the branch

prediction in host userspace. It particularly affects hypervisors like QEMU.

Even if a hypervisor may not have any sensitive data like disk encryption keys,

guest-userspace may be able to attack the guest-kernel using the hypervisor as

a confused deputy.

Affected processors

-------------------

The following CPU families are affected by VMSCAPE:

**Intel processors:**

  - Skylake generation (Parts without Enhanced-IBRS)

  - Cascade Lake generation - (Parts affected by ITS guest/host separation)

  - Alder Lake and newer (Parts affected by BHI)

Note that, BHI affected parts that use BHB clearing software mitigation e.g.

Icelake are not vulnerable to VMSCAPE.

**AMD processors:**

  - Zen series (families 0x17, 0x19, 0x1a)

** Hygon processors:**

 - Family 0x18

Mitigation

----------

Conditional IBPB

----------------

Kernel tracks when a CPU has run a potentially malicious guest and issues an

IBPB before the first exit to userspace after VM-exit. If userspace did not run

between VM-exit and the next VM-entry, no IBPB is issued.

Note that the existing userspace mitigation against Spectre-v2 is effective in

protecting the userspace. They are insufficient to protect the userspace VMMs

from a malicious guest. This is because Spectre-v2 mitigations are applied at

context switch time, while the userspace VMM can run after a VM-exit without a

context switch.

Vulnerability enumeration and mitigation is not applied inside a guest. This is

because nested hypervisors should already be deploying IBPB to isolate

themselves from nested guests.

SMT considerations

------------------

When Simultaneous Multi-Threading (SMT) is enabled, hypervisors can be

vulnerable to cross-thread attacks. For complete protection against VMSCAPE

attacks in SMT environments, STIBP should be enabled.

The kernel will issue a warning if SMT is enabled without adequate STIBP

protection. Warning is not issued when:

- SMT is disabled

- STIBP is enabled system-wide

- Intel eIBRS is enabled (which implies STIBP protection)

System information and options

------------------------------

The sysfs file showing VMSCAPE mitigation status is:

  /sys/devices/system/cpu/vulnerabilities/vmscape

The possible values in this file are:

 * 'Not affected':

   The processor is not vulnerable to VMSCAPE attacks.

 * 'Vulnerable':

   The processor is vulnerable and no mitigation has been applied.

 * 'Mitigation: IBPB before exit to userspace':

   Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has

   run a potentially malicious guest and issues an IBPB before the first

   exit to userspace after VM-exit.

 * 'Mitigation: IBPB on VMEXIT':

   IBPB is issued on every VM-exit. This occurs when other mitigations like

   RETBLEED or SRSO are already issuing IBPB on VM-exit.

Mitigation control on the kernel command line

----------------------------------------------

The mitigation can be controlled via the ``vmscape=`` command line parameter:

 * ``vmscape=off``:

   Disable the VMSCAPE mitigation.

 * ``vmscape=ibpb``:

   Enable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).

 * ``vmscape=force``:

   Force vulnerability detection and mitigation even on processors that are

   not known to be affected.

					       srbds=off [X86,INTEL]

					       ssbd=force-off [ARM64]

					       tsx_async_abort=off [X86]

					       vmscape=off [X86]

				Exceptions:

					       This does not have any effect on

	vmpoff=		[KNL,S390] Perform z/VM CP command after power off.

			Format: <command>

	vmscape=	[X86] Controls mitigation for VMscape attacks.

			VMscape attacks can leak information from a userspace

			hypervisor to a guest via speculative side-channels.

			off		- disable the mitigation

			ibpb		- use Indirect Branch Prediction Barrier

					  (IBPB) mitigation (default)

			force		- force vulnerability detection even on

					  unaffected processors

	vsyscall=	[X86-64,EARLY]

			Controls the behavior of vsyscalls (i.e. calls to

			fixed addresses of 0xffffffffff600x00 from legacy

      - enum:

          - fsl,imx7ulp-spi

          - fsl,imx8qxp-spi

          - nxp,s32g2-lpspi

      - items:

          - enum:

              - fsl,imx8ulp-spi

              - fsl,imx94-spi

              - fsl,imx95-spi

          - const: fsl,imx7ulp-spi

      - items:

          - const: nxp,s32g3-lpspi

          - const: nxp,s32g2-lpspi

  reg:

    maxItems: 1