1 // SPDX-License-Identifier: GPL-2.0
3 * Copyright (C) 1994 Linus Torvalds
5 * Cyrix stuff, June 1998 by:
6 * - Rafael R. Reilova (moved everything from head.S),
8 * - Channing Corn (tests & fixes),
9 * - Andrew D. Balsa (code cleanup).
11 #include <linux/init.h>
12 #include <linux/cpu.h>
13 #include <linux/module.h>
14 #include <linux/nospec.h>
15 #include <linux/prctl.h>
16 #include <linux/sched/smt.h>
17 #include <linux/pgtable.h>
18 #include <linux/bpf.h>
20 #include <asm/spec-ctrl.h>
21 #include <asm/cmdline.h>
23 #include <asm/processor.h>
24 #include <asm/processor-flags.h>
25 #include <asm/fpu/api.h>
28 #include <asm/paravirt.h>
29 #include <asm/cpu_device_id.h>
30 #include <asm/e820/api.h>
31 #include <asm/hypervisor.h>
32 #include <asm/tlbflush.h>
37 static void __init spectre_v1_select_mitigation(void);
38 static void __init spectre_v2_select_mitigation(void);
39 static void __init retbleed_select_mitigation(void);
40 static void __init spectre_v2_user_select_mitigation(void);
41 static void __init ssb_select_mitigation(void);
42 static void __init l1tf_select_mitigation(void);
43 static void __init mds_select_mitigation(void);
44 static void __init md_clear_update_mitigation(void);
45 static void __init md_clear_select_mitigation(void);
46 static void __init taa_select_mitigation(void);
47 static void __init mmio_select_mitigation(void);
48 static void __init srbds_select_mitigation(void);
49 static void __init l1d_flush_select_mitigation(void);
50 static void __init srso_select_mitigation(void);
51 static void __init gds_select_mitigation(void);
53 /* The base value of the SPEC_CTRL MSR without task-specific bits set */
54 u64 x86_spec_ctrl_base;
55 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
57 /* The current value of the SPEC_CTRL MSR with task-specific bits set */
58 DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
59 EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current);
61 u64 x86_pred_cmd __ro_after_init = PRED_CMD_IBPB;
62 EXPORT_SYMBOL_GPL(x86_pred_cmd);
64 static u64 __ro_after_init x86_arch_cap_msr;
66 static DEFINE_MUTEX(spec_ctrl_mutex);
68 void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
70 /* Update SPEC_CTRL MSR and its cached copy unconditionally */
71 static void update_spec_ctrl(u64 val)
73 this_cpu_write(x86_spec_ctrl_current, val);
74 wrmsrl(MSR_IA32_SPEC_CTRL, val);
78 * Keep track of the SPEC_CTRL MSR value for the current task, which may differ
79 * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update().
81 void update_spec_ctrl_cond(u64 val)
83 if (this_cpu_read(x86_spec_ctrl_current) == val)
86 this_cpu_write(x86_spec_ctrl_current, val);
89 * When KERNEL_IBRS this MSR is written on return-to-user, unless
90 * forced the update can be delayed until that time.
92 if (!cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS))
93 wrmsrl(MSR_IA32_SPEC_CTRL, val);
96 noinstr u64 spec_ctrl_current(void)
98 return this_cpu_read(x86_spec_ctrl_current);
100 EXPORT_SYMBOL_GPL(spec_ctrl_current);
103 * AMD specific MSR info for Speculative Store Bypass control.
104 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
106 u64 __ro_after_init x86_amd_ls_cfg_base;
107 u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
109 /* Control conditional STIBP in switch_to() */
110 DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
111 /* Control conditional IBPB in switch_mm() */
112 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
113 /* Control unconditional IBPB in switch_mm() */
114 DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);
116 /* Control MDS CPU buffer clear before idling (halt, mwait) */
117 DEFINE_STATIC_KEY_FALSE(mds_idle_clear);
118 EXPORT_SYMBOL_GPL(mds_idle_clear);
121 * Controls whether l1d flush based mitigations are enabled,
122 * based on hw features and admin setting via boot parameter
125 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush);
127 /* Controls CPU Fill buffer clear before KVM guest MMIO accesses */
128 DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear);
129 EXPORT_SYMBOL_GPL(mmio_stale_data_clear);
131 void __init cpu_select_mitigations(void)
134 * Read the SPEC_CTRL MSR to account for reserved bits which may
135 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
136 * init code as it is not enumerated and depends on the family.
138 if (cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) {
139 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
142 * Previously running kernel (kexec), may have some controls
143 * turned ON. Clear them and let the mitigations setup below
144 * rediscover them based on configuration.
146 x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK;
149 x86_arch_cap_msr = x86_read_arch_cap_msr();
151 /* Select the proper CPU mitigations before patching alternatives: */
152 spectre_v1_select_mitigation();
153 spectre_v2_select_mitigation();
155 * retbleed_select_mitigation() relies on the state set by
156 * spectre_v2_select_mitigation(); specifically it wants to know about
159 retbleed_select_mitigation();
161 * spectre_v2_user_select_mitigation() relies on the state set by
162 * retbleed_select_mitigation(); specifically the STIBP selection is
163 * forced for UNRET or IBPB.
165 spectre_v2_user_select_mitigation();
166 ssb_select_mitigation();
167 l1tf_select_mitigation();
168 md_clear_select_mitigation();
169 srbds_select_mitigation();
170 l1d_flush_select_mitigation();
173 * srso_select_mitigation() depends and must run after
174 * retbleed_select_mitigation().
176 srso_select_mitigation();
177 gds_select_mitigation();
181 * NOTE: This function is *only* called for SVM, since Intel uses
182 * MSR_IA32_SPEC_CTRL for SSBD.
185 x86_virt_spec_ctrl(u64 guest_virt_spec_ctrl, bool setguest)
187 u64 guestval, hostval;
188 struct thread_info *ti = current_thread_info();
191 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
192 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
194 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
195 !static_cpu_has(X86_FEATURE_VIRT_SSBD))
199 * If the host has SSBD mitigation enabled, force it in the host's
200 * virtual MSR value. If its not permanently enabled, evaluate
201 * current's TIF_SSBD thread flag.
203 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
204 hostval = SPEC_CTRL_SSBD;
206 hostval = ssbd_tif_to_spec_ctrl(ti->flags);
208 /* Sanitize the guest value */
209 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
211 if (hostval != guestval) {
214 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
215 ssbd_spec_ctrl_to_tif(hostval);
217 speculation_ctrl_update(tif);
220 EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
222 static void x86_amd_ssb_disable(void)
224 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
226 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
227 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
228 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
229 wrmsrl(MSR_AMD64_LS_CFG, msrval);
233 #define pr_fmt(fmt) "MDS: " fmt
235 /* Default mitigation for MDS-affected CPUs */
236 static enum mds_mitigations mds_mitigation __ro_after_init =
237 IS_ENABLED(CONFIG_MITIGATION_MDS) ? MDS_MITIGATION_FULL : MDS_MITIGATION_OFF;
238 static bool mds_nosmt __ro_after_init = false;
240 static const char * const mds_strings[] = {
241 [MDS_MITIGATION_OFF] = "Vulnerable",
242 [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
243 [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
246 static void __init mds_select_mitigation(void)
248 if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) {
249 mds_mitigation = MDS_MITIGATION_OFF;
253 if (mds_mitigation == MDS_MITIGATION_FULL) {
254 if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
255 mds_mitigation = MDS_MITIGATION_VMWERV;
257 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
259 if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&
260 (mds_nosmt || cpu_mitigations_auto_nosmt()))
261 cpu_smt_disable(false);
265 static int __init mds_cmdline(char *str)
267 if (!boot_cpu_has_bug(X86_BUG_MDS))
273 if (!strcmp(str, "off"))
274 mds_mitigation = MDS_MITIGATION_OFF;
275 else if (!strcmp(str, "full"))
276 mds_mitigation = MDS_MITIGATION_FULL;
277 else if (!strcmp(str, "full,nosmt")) {
278 mds_mitigation = MDS_MITIGATION_FULL;
284 early_param("mds", mds_cmdline);
287 #define pr_fmt(fmt) "TAA: " fmt
289 enum taa_mitigations {
291 TAA_MITIGATION_UCODE_NEEDED,
293 TAA_MITIGATION_TSX_DISABLED,
296 /* Default mitigation for TAA-affected CPUs */
297 static enum taa_mitigations taa_mitigation __ro_after_init =
298 IS_ENABLED(CONFIG_MITIGATION_TAA) ? TAA_MITIGATION_VERW : TAA_MITIGATION_OFF;
299 static bool taa_nosmt __ro_after_init;
301 static const char * const taa_strings[] = {
302 [TAA_MITIGATION_OFF] = "Vulnerable",
303 [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
304 [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
305 [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled",
308 static void __init taa_select_mitigation(void)
310 if (!boot_cpu_has_bug(X86_BUG_TAA)) {
311 taa_mitigation = TAA_MITIGATION_OFF;
315 /* TSX previously disabled by tsx=off */
316 if (!boot_cpu_has(X86_FEATURE_RTM)) {
317 taa_mitigation = TAA_MITIGATION_TSX_DISABLED;
321 if (cpu_mitigations_off()) {
322 taa_mitigation = TAA_MITIGATION_OFF;
327 * TAA mitigation via VERW is turned off if both
328 * tsx_async_abort=off and mds=off are specified.
330 if (taa_mitigation == TAA_MITIGATION_OFF &&
331 mds_mitigation == MDS_MITIGATION_OFF)
334 if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
335 taa_mitigation = TAA_MITIGATION_VERW;
337 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
340 * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
341 * A microcode update fixes this behavior to clear CPU buffers. It also
342 * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
343 * ARCH_CAP_TSX_CTRL_MSR bit.
345 * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
346 * update is required.
348 if ( (x86_arch_cap_msr & ARCH_CAP_MDS_NO) &&
349 !(x86_arch_cap_msr & ARCH_CAP_TSX_CTRL_MSR))
350 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
353 * TSX is enabled, select alternate mitigation for TAA which is
354 * the same as MDS. Enable MDS static branch to clear CPU buffers.
356 * For guests that can't determine whether the correct microcode is
357 * present on host, enable the mitigation for UCODE_NEEDED as well.
359 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
361 if (taa_nosmt || cpu_mitigations_auto_nosmt())
362 cpu_smt_disable(false);
365 static int __init tsx_async_abort_parse_cmdline(char *str)
367 if (!boot_cpu_has_bug(X86_BUG_TAA))
373 if (!strcmp(str, "off")) {
374 taa_mitigation = TAA_MITIGATION_OFF;
375 } else if (!strcmp(str, "full")) {
376 taa_mitigation = TAA_MITIGATION_VERW;
377 } else if (!strcmp(str, "full,nosmt")) {
378 taa_mitigation = TAA_MITIGATION_VERW;
384 early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
387 #define pr_fmt(fmt) "MMIO Stale Data: " fmt
389 enum mmio_mitigations {
391 MMIO_MITIGATION_UCODE_NEEDED,
392 MMIO_MITIGATION_VERW,
395 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */
396 static enum mmio_mitigations mmio_mitigation __ro_after_init =
397 IS_ENABLED(CONFIG_MITIGATION_MMIO_STALE_DATA) ? MMIO_MITIGATION_VERW : MMIO_MITIGATION_OFF;
398 static bool mmio_nosmt __ro_after_init = false;
400 static const char * const mmio_strings[] = {
401 [MMIO_MITIGATION_OFF] = "Vulnerable",
402 [MMIO_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
403 [MMIO_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
406 static void __init mmio_select_mitigation(void)
408 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
409 boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) ||
410 cpu_mitigations_off()) {
411 mmio_mitigation = MMIO_MITIGATION_OFF;
415 if (mmio_mitigation == MMIO_MITIGATION_OFF)
419 * Enable CPU buffer clear mitigation for host and VMM, if also affected
420 * by MDS or TAA. Otherwise, enable mitigation for VMM only.
422 if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) &&
423 boot_cpu_has(X86_FEATURE_RTM)))
424 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
427 * X86_FEATURE_CLEAR_CPU_BUF could be enabled by other VERW based
428 * mitigations, disable KVM-only mitigation in that case.
430 if (boot_cpu_has(X86_FEATURE_CLEAR_CPU_BUF))
431 static_branch_disable(&mmio_stale_data_clear);
433 static_branch_enable(&mmio_stale_data_clear);
436 * If Processor-MMIO-Stale-Data bug is present and Fill Buffer data can
437 * be propagated to uncore buffers, clearing the Fill buffers on idle
438 * is required irrespective of SMT state.
440 if (!(x86_arch_cap_msr & ARCH_CAP_FBSDP_NO))
441 static_branch_enable(&mds_idle_clear);
444 * Check if the system has the right microcode.
446 * CPU Fill buffer clear mitigation is enumerated by either an explicit
447 * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS
450 if ((x86_arch_cap_msr & ARCH_CAP_FB_CLEAR) ||
451 (boot_cpu_has(X86_FEATURE_MD_CLEAR) &&
452 boot_cpu_has(X86_FEATURE_FLUSH_L1D) &&
453 !(x86_arch_cap_msr & ARCH_CAP_MDS_NO)))
454 mmio_mitigation = MMIO_MITIGATION_VERW;
456 mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED;
458 if (mmio_nosmt || cpu_mitigations_auto_nosmt())
459 cpu_smt_disable(false);
462 static int __init mmio_stale_data_parse_cmdline(char *str)
464 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
470 if (!strcmp(str, "off")) {
471 mmio_mitigation = MMIO_MITIGATION_OFF;
472 } else if (!strcmp(str, "full")) {
473 mmio_mitigation = MMIO_MITIGATION_VERW;
474 } else if (!strcmp(str, "full,nosmt")) {
475 mmio_mitigation = MMIO_MITIGATION_VERW;
481 early_param("mmio_stale_data", mmio_stale_data_parse_cmdline);
484 #define pr_fmt(fmt) "Register File Data Sampling: " fmt
486 enum rfds_mitigations {
488 RFDS_MITIGATION_VERW,
489 RFDS_MITIGATION_UCODE_NEEDED,
492 /* Default mitigation for Register File Data Sampling */
493 static enum rfds_mitigations rfds_mitigation __ro_after_init =
494 IS_ENABLED(CONFIG_MITIGATION_RFDS) ? RFDS_MITIGATION_VERW : RFDS_MITIGATION_OFF;
496 static const char * const rfds_strings[] = {
497 [RFDS_MITIGATION_OFF] = "Vulnerable",
498 [RFDS_MITIGATION_VERW] = "Mitigation: Clear Register File",
499 [RFDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
502 static void __init rfds_select_mitigation(void)
504 if (!boot_cpu_has_bug(X86_BUG_RFDS) || cpu_mitigations_off()) {
505 rfds_mitigation = RFDS_MITIGATION_OFF;
508 if (rfds_mitigation == RFDS_MITIGATION_OFF)
511 if (x86_arch_cap_msr & ARCH_CAP_RFDS_CLEAR)
512 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
514 rfds_mitigation = RFDS_MITIGATION_UCODE_NEEDED;
517 static __init int rfds_parse_cmdline(char *str)
522 if (!boot_cpu_has_bug(X86_BUG_RFDS))
525 if (!strcmp(str, "off"))
526 rfds_mitigation = RFDS_MITIGATION_OFF;
527 else if (!strcmp(str, "on"))
528 rfds_mitigation = RFDS_MITIGATION_VERW;
532 early_param("reg_file_data_sampling", rfds_parse_cmdline);
535 #define pr_fmt(fmt) "" fmt
537 static void __init md_clear_update_mitigation(void)
539 if (cpu_mitigations_off())
542 if (!boot_cpu_has(X86_FEATURE_CLEAR_CPU_BUF))
546 * X86_FEATURE_CLEAR_CPU_BUF is now enabled. Update MDS, TAA and MMIO
547 * Stale Data mitigation, if necessary.
549 if (mds_mitigation == MDS_MITIGATION_OFF &&
550 boot_cpu_has_bug(X86_BUG_MDS)) {
551 mds_mitigation = MDS_MITIGATION_FULL;
552 mds_select_mitigation();
554 if (taa_mitigation == TAA_MITIGATION_OFF &&
555 boot_cpu_has_bug(X86_BUG_TAA)) {
556 taa_mitigation = TAA_MITIGATION_VERW;
557 taa_select_mitigation();
560 * MMIO_MITIGATION_OFF is not checked here so that mmio_stale_data_clear
561 * gets updated correctly as per X86_FEATURE_CLEAR_CPU_BUF state.
563 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
564 mmio_mitigation = MMIO_MITIGATION_VERW;
565 mmio_select_mitigation();
567 if (rfds_mitigation == RFDS_MITIGATION_OFF &&
568 boot_cpu_has_bug(X86_BUG_RFDS)) {
569 rfds_mitigation = RFDS_MITIGATION_VERW;
570 rfds_select_mitigation();
573 if (boot_cpu_has_bug(X86_BUG_MDS))
574 pr_info("MDS: %s\n", mds_strings[mds_mitigation]);
575 if (boot_cpu_has_bug(X86_BUG_TAA))
576 pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
577 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
578 pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
579 else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
580 pr_info("MMIO Stale Data: Unknown: No mitigations\n");
581 if (boot_cpu_has_bug(X86_BUG_RFDS))
582 pr_info("Register File Data Sampling: %s\n", rfds_strings[rfds_mitigation]);
585 static void __init md_clear_select_mitigation(void)
587 mds_select_mitigation();
588 taa_select_mitigation();
589 mmio_select_mitigation();
590 rfds_select_mitigation();
593 * As these mitigations are inter-related and rely on VERW instruction
594 * to clear the microarchitural buffers, update and print their status
595 * after mitigation selection is done for each of these vulnerabilities.
597 md_clear_update_mitigation();
601 #define pr_fmt(fmt) "SRBDS: " fmt
603 enum srbds_mitigations {
604 SRBDS_MITIGATION_OFF,
605 SRBDS_MITIGATION_UCODE_NEEDED,
606 SRBDS_MITIGATION_FULL,
607 SRBDS_MITIGATION_TSX_OFF,
608 SRBDS_MITIGATION_HYPERVISOR,
611 static enum srbds_mitigations srbds_mitigation __ro_after_init =
612 IS_ENABLED(CONFIG_MITIGATION_SRBDS) ? SRBDS_MITIGATION_FULL : SRBDS_MITIGATION_OFF;
614 static const char * const srbds_strings[] = {
615 [SRBDS_MITIGATION_OFF] = "Vulnerable",
616 [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
617 [SRBDS_MITIGATION_FULL] = "Mitigation: Microcode",
618 [SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled",
619 [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
622 static bool srbds_off;
624 void update_srbds_msr(void)
628 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
631 if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
634 if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED)
638 * A MDS_NO CPU for which SRBDS mitigation is not needed due to TSX
639 * being disabled and it hasn't received the SRBDS MSR microcode.
641 if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
644 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
646 switch (srbds_mitigation) {
647 case SRBDS_MITIGATION_OFF:
648 case SRBDS_MITIGATION_TSX_OFF:
649 mcu_ctrl |= RNGDS_MITG_DIS;
651 case SRBDS_MITIGATION_FULL:
652 mcu_ctrl &= ~RNGDS_MITG_DIS;
658 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
661 static void __init srbds_select_mitigation(void)
663 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
667 * Check to see if this is one of the MDS_NO systems supporting TSX that
668 * are only exposed to SRBDS when TSX is enabled or when CPU is affected
669 * by Processor MMIO Stale Data vulnerability.
671 if ((x86_arch_cap_msr & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) &&
672 !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
673 srbds_mitigation = SRBDS_MITIGATION_TSX_OFF;
674 else if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
675 srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR;
676 else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
677 srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED;
678 else if (cpu_mitigations_off() || srbds_off)
679 srbds_mitigation = SRBDS_MITIGATION_OFF;
682 pr_info("%s\n", srbds_strings[srbds_mitigation]);
685 static int __init srbds_parse_cmdline(char *str)
690 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
693 srbds_off = !strcmp(str, "off");
696 early_param("srbds", srbds_parse_cmdline);
699 #define pr_fmt(fmt) "L1D Flush : " fmt
701 enum l1d_flush_mitigations {
706 static enum l1d_flush_mitigations l1d_flush_mitigation __initdata = L1D_FLUSH_OFF;
708 static void __init l1d_flush_select_mitigation(void)
710 if (!l1d_flush_mitigation || !boot_cpu_has(X86_FEATURE_FLUSH_L1D))
713 static_branch_enable(&switch_mm_cond_l1d_flush);
714 pr_info("Conditional flush on switch_mm() enabled\n");
717 static int __init l1d_flush_parse_cmdline(char *str)
719 if (!strcmp(str, "on"))
720 l1d_flush_mitigation = L1D_FLUSH_ON;
724 early_param("l1d_flush", l1d_flush_parse_cmdline);
727 #define pr_fmt(fmt) "GDS: " fmt
729 enum gds_mitigations {
731 GDS_MITIGATION_UCODE_NEEDED,
732 GDS_MITIGATION_FORCE,
734 GDS_MITIGATION_FULL_LOCKED,
735 GDS_MITIGATION_HYPERVISOR,
738 static enum gds_mitigations gds_mitigation __ro_after_init =
739 IS_ENABLED(CONFIG_MITIGATION_GDS) ? GDS_MITIGATION_FULL : GDS_MITIGATION_OFF;
741 static const char * const gds_strings[] = {
742 [GDS_MITIGATION_OFF] = "Vulnerable",
743 [GDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
744 [GDS_MITIGATION_FORCE] = "Mitigation: AVX disabled, no microcode",
745 [GDS_MITIGATION_FULL] = "Mitigation: Microcode",
746 [GDS_MITIGATION_FULL_LOCKED] = "Mitigation: Microcode (locked)",
747 [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
750 bool gds_ucode_mitigated(void)
752 return (gds_mitigation == GDS_MITIGATION_FULL ||
753 gds_mitigation == GDS_MITIGATION_FULL_LOCKED);
755 EXPORT_SYMBOL_GPL(gds_ucode_mitigated);
757 void update_gds_msr(void)
762 switch (gds_mitigation) {
763 case GDS_MITIGATION_OFF:
764 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
765 mcu_ctrl |= GDS_MITG_DIS;
767 case GDS_MITIGATION_FULL_LOCKED:
769 * The LOCKED state comes from the boot CPU. APs might not have
770 * the same state. Make sure the mitigation is enabled on all
773 case GDS_MITIGATION_FULL:
774 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
775 mcu_ctrl &= ~GDS_MITG_DIS;
777 case GDS_MITIGATION_FORCE:
778 case GDS_MITIGATION_UCODE_NEEDED:
779 case GDS_MITIGATION_HYPERVISOR:
783 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
786 * Check to make sure that the WRMSR value was not ignored. Writes to
787 * GDS_MITG_DIS will be ignored if this processor is locked but the boot
790 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl_after);
791 WARN_ON_ONCE(mcu_ctrl != mcu_ctrl_after);
794 static void __init gds_select_mitigation(void)
798 if (!boot_cpu_has_bug(X86_BUG_GDS))
801 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
802 gds_mitigation = GDS_MITIGATION_HYPERVISOR;
806 if (cpu_mitigations_off())
807 gds_mitigation = GDS_MITIGATION_OFF;
808 /* Will verify below that mitigation _can_ be disabled */
811 if (!(x86_arch_cap_msr & ARCH_CAP_GDS_CTRL)) {
812 if (gds_mitigation == GDS_MITIGATION_FORCE) {
814 * This only needs to be done on the boot CPU so do it
815 * here rather than in update_gds_msr()
817 setup_clear_cpu_cap(X86_FEATURE_AVX);
818 pr_warn("Microcode update needed! Disabling AVX as mitigation.\n");
820 gds_mitigation = GDS_MITIGATION_UCODE_NEEDED;
825 /* Microcode has mitigation, use it */
826 if (gds_mitigation == GDS_MITIGATION_FORCE)
827 gds_mitigation = GDS_MITIGATION_FULL;
829 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
830 if (mcu_ctrl & GDS_MITG_LOCKED) {
831 if (gds_mitigation == GDS_MITIGATION_OFF)
832 pr_warn("Mitigation locked. Disable failed.\n");
835 * The mitigation is selected from the boot CPU. All other CPUs
836 * _should_ have the same state. If the boot CPU isn't locked
837 * but others are then update_gds_msr() will WARN() of the state
838 * mismatch. If the boot CPU is locked update_gds_msr() will
839 * ensure the other CPUs have the mitigation enabled.
841 gds_mitigation = GDS_MITIGATION_FULL_LOCKED;
846 pr_info("%s\n", gds_strings[gds_mitigation]);
849 static int __init gds_parse_cmdline(char *str)
854 if (!boot_cpu_has_bug(X86_BUG_GDS))
857 if (!strcmp(str, "off"))
858 gds_mitigation = GDS_MITIGATION_OFF;
859 else if (!strcmp(str, "force"))
860 gds_mitigation = GDS_MITIGATION_FORCE;
864 early_param("gather_data_sampling", gds_parse_cmdline);
867 #define pr_fmt(fmt) "Spectre V1 : " fmt
869 enum spectre_v1_mitigation {
870 SPECTRE_V1_MITIGATION_NONE,
871 SPECTRE_V1_MITIGATION_AUTO,
874 static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
875 IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V1) ?
876 SPECTRE_V1_MITIGATION_AUTO : SPECTRE_V1_MITIGATION_NONE;
878 static const char * const spectre_v1_strings[] = {
879 [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
880 [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
884 * Does SMAP provide full mitigation against speculative kernel access to
887 static bool smap_works_speculatively(void)
889 if (!boot_cpu_has(X86_FEATURE_SMAP))
893 * On CPUs which are vulnerable to Meltdown, SMAP does not
894 * prevent speculative access to user data in the L1 cache.
895 * Consider SMAP to be non-functional as a mitigation on these
898 if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
904 static void __init spectre_v1_select_mitigation(void)
906 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
907 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
911 if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
913 * With Spectre v1, a user can speculatively control either
914 * path of a conditional swapgs with a user-controlled GS
915 * value. The mitigation is to add lfences to both code paths.
917 * If FSGSBASE is enabled, the user can put a kernel address in
918 * GS, in which case SMAP provides no protection.
920 * If FSGSBASE is disabled, the user can only put a user space
921 * address in GS. That makes an attack harder, but still
922 * possible if there's no SMAP protection.
924 if (boot_cpu_has(X86_FEATURE_FSGSBASE) ||
925 !smap_works_speculatively()) {
927 * Mitigation can be provided from SWAPGS itself or
928 * PTI as the CR3 write in the Meltdown mitigation
931 * If neither is there, mitigate with an LFENCE to
932 * stop speculation through swapgs.
934 if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
935 !boot_cpu_has(X86_FEATURE_PTI))
936 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
939 * Enable lfences in the kernel entry (non-swapgs)
940 * paths, to prevent user entry from speculatively
943 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
947 pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
950 static int __init nospectre_v1_cmdline(char *str)
952 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
955 early_param("nospectre_v1", nospectre_v1_cmdline);
957 enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = SPECTRE_V2_NONE;
960 #define pr_fmt(fmt) "RETBleed: " fmt
962 enum retbleed_mitigation {
963 RETBLEED_MITIGATION_NONE,
964 RETBLEED_MITIGATION_UNRET,
965 RETBLEED_MITIGATION_IBPB,
966 RETBLEED_MITIGATION_IBRS,
967 RETBLEED_MITIGATION_EIBRS,
968 RETBLEED_MITIGATION_STUFF,
971 enum retbleed_mitigation_cmd {
979 static const char * const retbleed_strings[] = {
980 [RETBLEED_MITIGATION_NONE] = "Vulnerable",
981 [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk",
982 [RETBLEED_MITIGATION_IBPB] = "Mitigation: IBPB",
983 [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS",
984 [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS",
985 [RETBLEED_MITIGATION_STUFF] = "Mitigation: Stuffing",
988 static enum retbleed_mitigation retbleed_mitigation __ro_after_init =
989 RETBLEED_MITIGATION_NONE;
990 static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =
991 IS_ENABLED(CONFIG_MITIGATION_RETBLEED) ? RETBLEED_CMD_AUTO : RETBLEED_CMD_OFF;
993 static int __ro_after_init retbleed_nosmt = false;
995 static int __init retbleed_parse_cmdline(char *str)
1001 char *next = strchr(str, ',');
1007 if (!strcmp(str, "off")) {
1008 retbleed_cmd = RETBLEED_CMD_OFF;
1009 } else if (!strcmp(str, "auto")) {
1010 retbleed_cmd = RETBLEED_CMD_AUTO;
1011 } else if (!strcmp(str, "unret")) {
1012 retbleed_cmd = RETBLEED_CMD_UNRET;
1013 } else if (!strcmp(str, "ibpb")) {
1014 retbleed_cmd = RETBLEED_CMD_IBPB;
1015 } else if (!strcmp(str, "stuff")) {
1016 retbleed_cmd = RETBLEED_CMD_STUFF;
1017 } else if (!strcmp(str, "nosmt")) {
1018 retbleed_nosmt = true;
1019 } else if (!strcmp(str, "force")) {
1020 setup_force_cpu_bug(X86_BUG_RETBLEED);
1022 pr_err("Ignoring unknown retbleed option (%s).", str);
1030 early_param("retbleed", retbleed_parse_cmdline);
1032 #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n"
1033 #define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n"
1035 static void __init retbleed_select_mitigation(void)
1037 bool mitigate_smt = false;
1039 if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
1042 switch (retbleed_cmd) {
1043 case RETBLEED_CMD_OFF:
1046 case RETBLEED_CMD_UNRET:
1047 if (IS_ENABLED(CONFIG_MITIGATION_UNRET_ENTRY)) {
1048 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
1050 pr_err("WARNING: kernel not compiled with MITIGATION_UNRET_ENTRY.\n");
1055 case RETBLEED_CMD_IBPB:
1056 if (!boot_cpu_has(X86_FEATURE_IBPB)) {
1057 pr_err("WARNING: CPU does not support IBPB.\n");
1059 } else if (IS_ENABLED(CONFIG_MITIGATION_IBPB_ENTRY)) {
1060 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
1062 pr_err("WARNING: kernel not compiled with MITIGATION_IBPB_ENTRY.\n");
1067 case RETBLEED_CMD_STUFF:
1068 if (IS_ENABLED(CONFIG_MITIGATION_CALL_DEPTH_TRACKING) &&
1069 spectre_v2_enabled == SPECTRE_V2_RETPOLINE) {
1070 retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
1073 if (IS_ENABLED(CONFIG_MITIGATION_CALL_DEPTH_TRACKING))
1074 pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
1076 pr_err("WARNING: kernel not compiled with MITIGATION_CALL_DEPTH_TRACKING.\n");
1083 case RETBLEED_CMD_AUTO:
1084 if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
1085 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) {
1086 if (IS_ENABLED(CONFIG_MITIGATION_UNRET_ENTRY))
1087 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
1088 else if (IS_ENABLED(CONFIG_MITIGATION_IBPB_ENTRY) &&
1089 boot_cpu_has(X86_FEATURE_IBPB))
1090 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
1094 * The Intel mitigation (IBRS or eIBRS) was already selected in
1095 * spectre_v2_select_mitigation(). 'retbleed_mitigation' will
1096 * be set accordingly below.
1102 switch (retbleed_mitigation) {
1103 case RETBLEED_MITIGATION_UNRET:
1104 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
1105 setup_force_cpu_cap(X86_FEATURE_UNRET);
1107 x86_return_thunk = retbleed_return_thunk;
1109 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
1110 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
1111 pr_err(RETBLEED_UNTRAIN_MSG);
1113 mitigate_smt = true;
1116 case RETBLEED_MITIGATION_IBPB:
1117 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
1118 setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
1119 mitigate_smt = true;
1122 * IBPB on entry already obviates the need for
1123 * software-based untraining so clear those in case some
1124 * other mitigation like SRSO has selected them.
1126 setup_clear_cpu_cap(X86_FEATURE_UNRET);
1127 setup_clear_cpu_cap(X86_FEATURE_RETHUNK);
1130 * There is no need for RSB filling: entry_ibpb() ensures
1131 * all predictions, including the RSB, are invalidated,
1132 * regardless of IBPB implementation.
1134 setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT);
1138 case RETBLEED_MITIGATION_STUFF:
1139 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
1140 setup_force_cpu_cap(X86_FEATURE_CALL_DEPTH);
1142 x86_return_thunk = call_depth_return_thunk;
1149 if (mitigate_smt && !boot_cpu_has(X86_FEATURE_STIBP) &&
1150 (retbleed_nosmt || cpu_mitigations_auto_nosmt()))
1151 cpu_smt_disable(false);
1154 * Let IBRS trump all on Intel without affecting the effects of the
1155 * retbleed= cmdline option except for call depth based stuffing
1157 if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
1158 switch (spectre_v2_enabled) {
1159 case SPECTRE_V2_IBRS:
1160 retbleed_mitigation = RETBLEED_MITIGATION_IBRS;
1162 case SPECTRE_V2_EIBRS:
1163 case SPECTRE_V2_EIBRS_RETPOLINE:
1164 case SPECTRE_V2_EIBRS_LFENCE:
1165 retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;
1168 if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
1169 pr_err(RETBLEED_INTEL_MSG);
1173 pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
1177 #define pr_fmt(fmt) "Spectre V2 : " fmt
1179 static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init =
1180 SPECTRE_V2_USER_NONE;
1181 static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init =
1182 SPECTRE_V2_USER_NONE;
1184 #ifdef CONFIG_MITIGATION_RETPOLINE
1185 static bool spectre_v2_bad_module;
1187 bool retpoline_module_ok(bool has_retpoline)
1189 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
1192 pr_err("System may be vulnerable to spectre v2\n");
1193 spectre_v2_bad_module = true;
1197 static inline const char *spectre_v2_module_string(void)
1199 return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
1202 static inline const char *spectre_v2_module_string(void) { return ""; }
1205 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
1206 #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
1207 #define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
1208 #define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enhanced IBRS CPU, this may cause unnecessary performance loss\n"
1210 #ifdef CONFIG_BPF_SYSCALL
1211 void unpriv_ebpf_notify(int new_state)
1216 /* Unprivileged eBPF is enabled */
1218 switch (spectre_v2_enabled) {
1219 case SPECTRE_V2_EIBRS:
1220 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
1222 case SPECTRE_V2_EIBRS_LFENCE:
1223 if (sched_smt_active())
1224 pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
1232 static inline bool match_option(const char *arg, int arglen, const char *opt)
1234 int len = strlen(opt);
1236 return len == arglen && !strncmp(arg, opt, len);
1239 /* The kernel command line selection for spectre v2 */
1240 enum spectre_v2_mitigation_cmd {
1241 SPECTRE_V2_CMD_NONE,
1242 SPECTRE_V2_CMD_AUTO,
1243 SPECTRE_V2_CMD_FORCE,
1244 SPECTRE_V2_CMD_RETPOLINE,
1245 SPECTRE_V2_CMD_RETPOLINE_GENERIC,
1246 SPECTRE_V2_CMD_RETPOLINE_LFENCE,
1247 SPECTRE_V2_CMD_EIBRS,
1248 SPECTRE_V2_CMD_EIBRS_RETPOLINE,
1249 SPECTRE_V2_CMD_EIBRS_LFENCE,
1250 SPECTRE_V2_CMD_IBRS,
1253 enum spectre_v2_user_cmd {
1254 SPECTRE_V2_USER_CMD_NONE,
1255 SPECTRE_V2_USER_CMD_AUTO,
1256 SPECTRE_V2_USER_CMD_FORCE,
1257 SPECTRE_V2_USER_CMD_PRCTL,
1258 SPECTRE_V2_USER_CMD_PRCTL_IBPB,
1259 SPECTRE_V2_USER_CMD_SECCOMP,
1260 SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
1263 static const char * const spectre_v2_user_strings[] = {
1264 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable",
1265 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection",
1266 [SPECTRE_V2_USER_STRICT_PREFERRED] = "User space: Mitigation: STIBP always-on protection",
1267 [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl",
1268 [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl",
1271 static const struct {
1273 enum spectre_v2_user_cmd cmd;
1275 } v2_user_options[] __initconst = {
1276 { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
1277 { "off", SPECTRE_V2_USER_CMD_NONE, false },
1278 { "on", SPECTRE_V2_USER_CMD_FORCE, true },
1279 { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
1280 { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false },
1281 { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
1282 { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false },
1285 static void __init spec_v2_user_print_cond(const char *reason, bool secure)
1287 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1288 pr_info("spectre_v2_user=%s forced on command line.\n", reason);
1291 static __ro_after_init enum spectre_v2_mitigation_cmd spectre_v2_cmd;
1293 static enum spectre_v2_user_cmd __init
1294 spectre_v2_parse_user_cmdline(void)
1299 switch (spectre_v2_cmd) {
1300 case SPECTRE_V2_CMD_NONE:
1301 return SPECTRE_V2_USER_CMD_NONE;
1302 case SPECTRE_V2_CMD_FORCE:
1303 return SPECTRE_V2_USER_CMD_FORCE;
1308 ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
1311 return SPECTRE_V2_USER_CMD_AUTO;
1313 for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
1314 if (match_option(arg, ret, v2_user_options[i].option)) {
1315 spec_v2_user_print_cond(v2_user_options[i].option,
1316 v2_user_options[i].secure);
1317 return v2_user_options[i].cmd;
1321 pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
1322 return SPECTRE_V2_USER_CMD_AUTO;
1325 static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
1327 return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
1331 spectre_v2_user_select_mitigation(void)
1333 enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
1334 bool smt_possible = IS_ENABLED(CONFIG_SMP);
1335 enum spectre_v2_user_cmd cmd;
1337 if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
1340 if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
1341 cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
1342 smt_possible = false;
1344 cmd = spectre_v2_parse_user_cmdline();
1346 case SPECTRE_V2_USER_CMD_NONE:
1348 case SPECTRE_V2_USER_CMD_FORCE:
1349 mode = SPECTRE_V2_USER_STRICT;
1351 case SPECTRE_V2_USER_CMD_AUTO:
1352 case SPECTRE_V2_USER_CMD_PRCTL:
1353 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1354 mode = SPECTRE_V2_USER_PRCTL;
1356 case SPECTRE_V2_USER_CMD_SECCOMP:
1357 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1358 if (IS_ENABLED(CONFIG_SECCOMP))
1359 mode = SPECTRE_V2_USER_SECCOMP;
1361 mode = SPECTRE_V2_USER_PRCTL;
1365 /* Initialize Indirect Branch Prediction Barrier */
1366 if (boot_cpu_has(X86_FEATURE_IBPB)) {
1367 setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
1369 spectre_v2_user_ibpb = mode;
1371 case SPECTRE_V2_USER_CMD_NONE:
1373 case SPECTRE_V2_USER_CMD_FORCE:
1374 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1375 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1376 static_branch_enable(&switch_mm_always_ibpb);
1377 spectre_v2_user_ibpb = SPECTRE_V2_USER_STRICT;
1379 case SPECTRE_V2_USER_CMD_PRCTL:
1380 case SPECTRE_V2_USER_CMD_AUTO:
1381 case SPECTRE_V2_USER_CMD_SECCOMP:
1382 static_branch_enable(&switch_mm_cond_ibpb);
1386 pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
1387 static_key_enabled(&switch_mm_always_ibpb) ?
1388 "always-on" : "conditional");
1392 * If no STIBP, Intel enhanced IBRS is enabled, or SMT impossible, STIBP
1395 * Intel's Enhanced IBRS also protects against cross-thread branch target
1396 * injection in user-mode as the IBRS bit remains always set which
1397 * implicitly enables cross-thread protections. However, in legacy IBRS
1398 * mode, the IBRS bit is set only on kernel entry and cleared on return
1399 * to userspace. AMD Automatic IBRS also does not protect userspace.
1400 * These modes therefore disable the implicit cross-thread protection,
1401 * so allow for STIBP to be selected in those cases.
1403 if (!boot_cpu_has(X86_FEATURE_STIBP) ||
1405 (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
1406 !boot_cpu_has(X86_FEATURE_AUTOIBRS)))
1410 * At this point, an STIBP mode other than "off" has been set.
1411 * If STIBP support is not being forced, check if STIBP always-on
1414 if (mode != SPECTRE_V2_USER_STRICT &&
1415 boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
1416 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1418 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
1419 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
1420 if (mode != SPECTRE_V2_USER_STRICT &&
1421 mode != SPECTRE_V2_USER_STRICT_PREFERRED)
1422 pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");
1423 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1426 spectre_v2_user_stibp = mode;
1429 pr_info("%s\n", spectre_v2_user_strings[mode]);
1432 static const char * const spectre_v2_strings[] = {
1433 [SPECTRE_V2_NONE] = "Vulnerable",
1434 [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines",
1435 [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE",
1436 [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced / Automatic IBRS",
1437 [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced / Automatic IBRS + LFENCE",
1438 [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced / Automatic IBRS + Retpolines",
1439 [SPECTRE_V2_IBRS] = "Mitigation: IBRS",
1442 static const struct {
1444 enum spectre_v2_mitigation_cmd cmd;
1446 } mitigation_options[] __initconst = {
1447 { "off", SPECTRE_V2_CMD_NONE, false },
1448 { "on", SPECTRE_V2_CMD_FORCE, true },
1449 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
1450 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1451 { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1452 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
1453 { "eibrs", SPECTRE_V2_CMD_EIBRS, false },
1454 { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false },
1455 { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false },
1456 { "auto", SPECTRE_V2_CMD_AUTO, false },
1457 { "ibrs", SPECTRE_V2_CMD_IBRS, false },
1460 static void __init spec_v2_print_cond(const char *reason, bool secure)
1462 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1463 pr_info("%s selected on command line.\n", reason);
1466 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
1468 enum spectre_v2_mitigation_cmd cmd;
1472 cmd = IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2) ? SPECTRE_V2_CMD_AUTO : SPECTRE_V2_CMD_NONE;
1473 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
1474 cpu_mitigations_off())
1475 return SPECTRE_V2_CMD_NONE;
1477 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
1481 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
1482 if (!match_option(arg, ret, mitigation_options[i].option))
1484 cmd = mitigation_options[i].cmd;
1488 if (i >= ARRAY_SIZE(mitigation_options)) {
1489 pr_err("unknown option (%s). Switching to default mode\n", arg);
1493 if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
1494 cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1495 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
1496 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1497 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1498 !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE)) {
1499 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1500 mitigation_options[i].option);
1501 return SPECTRE_V2_CMD_AUTO;
1504 if ((cmd == SPECTRE_V2_CMD_EIBRS ||
1505 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1506 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1507 !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1508 pr_err("%s selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n",
1509 mitigation_options[i].option);
1510 return SPECTRE_V2_CMD_AUTO;
1513 if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1514 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
1515 !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
1516 pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n",
1517 mitigation_options[i].option);
1518 return SPECTRE_V2_CMD_AUTO;
1521 if (cmd == SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_MITIGATION_IBRS_ENTRY)) {
1522 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1523 mitigation_options[i].option);
1524 return SPECTRE_V2_CMD_AUTO;
1527 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {
1528 pr_err("%s selected but not Intel CPU. Switching to AUTO select\n",
1529 mitigation_options[i].option);
1530 return SPECTRE_V2_CMD_AUTO;
1533 if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {
1534 pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n",
1535 mitigation_options[i].option);
1536 return SPECTRE_V2_CMD_AUTO;
1539 if (cmd == SPECTRE_V2_CMD_IBRS && cpu_feature_enabled(X86_FEATURE_XENPV)) {
1540 pr_err("%s selected but running as XenPV guest. Switching to AUTO select\n",
1541 mitigation_options[i].option);
1542 return SPECTRE_V2_CMD_AUTO;
1545 spec_v2_print_cond(mitigation_options[i].option,
1546 mitigation_options[i].secure);
1550 static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void)
1552 if (!IS_ENABLED(CONFIG_MITIGATION_RETPOLINE)) {
1553 pr_err("Kernel not compiled with retpoline; no mitigation available!");
1554 return SPECTRE_V2_NONE;
1557 return SPECTRE_V2_RETPOLINE;
1560 static bool __ro_after_init rrsba_disabled;
1562 /* Disable in-kernel use of non-RSB RET predictors */
1563 static void __init spec_ctrl_disable_kernel_rrsba(void)
1568 if (!(x86_arch_cap_msr & ARCH_CAP_RRSBA)) {
1569 rrsba_disabled = true;
1573 if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL))
1576 x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S;
1577 update_spec_ctrl(x86_spec_ctrl_base);
1578 rrsba_disabled = true;
1581 static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)
1584 * Similar to context switches, there are two types of RSB attacks
1589 * 2) Poisoned RSB entry
1591 * When retpoline is enabled, both are mitigated by filling/clearing
1594 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
1595 * prediction isolation protections, RSB still needs to be cleared
1596 * because of #2. Note that SMEP provides no protection here, unlike
1597 * user-space-poisoned RSB entries.
1599 * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB
1600 * bug is present then a LITE version of RSB protection is required,
1601 * just a single call needs to retire before a RET is executed.
1604 case SPECTRE_V2_NONE:
1607 case SPECTRE_V2_EIBRS_LFENCE:
1608 case SPECTRE_V2_EIBRS:
1609 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
1610 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
1611 pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
1615 case SPECTRE_V2_EIBRS_RETPOLINE:
1616 case SPECTRE_V2_RETPOLINE:
1617 case SPECTRE_V2_LFENCE:
1618 case SPECTRE_V2_IBRS:
1619 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
1620 pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
1624 pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");
1629 * Set BHI_DIS_S to prevent indirect branches in kernel to be influenced by
1630 * branch history in userspace. Not needed if BHI_NO is set.
1632 static bool __init spec_ctrl_bhi_dis(void)
1634 if (!boot_cpu_has(X86_FEATURE_BHI_CTRL))
1637 x86_spec_ctrl_base |= SPEC_CTRL_BHI_DIS_S;
1638 update_spec_ctrl(x86_spec_ctrl_base);
1639 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_HW);
1644 enum bhi_mitigations {
1647 BHI_MITIGATION_VMEXIT_ONLY,
1650 static enum bhi_mitigations bhi_mitigation __ro_after_init =
1651 IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI) ? BHI_MITIGATION_ON : BHI_MITIGATION_OFF;
1653 static int __init spectre_bhi_parse_cmdline(char *str)
1658 if (!strcmp(str, "off"))
1659 bhi_mitigation = BHI_MITIGATION_OFF;
1660 else if (!strcmp(str, "on"))
1661 bhi_mitigation = BHI_MITIGATION_ON;
1662 else if (!strcmp(str, "vmexit"))
1663 bhi_mitigation = BHI_MITIGATION_VMEXIT_ONLY;
1665 pr_err("Ignoring unknown spectre_bhi option (%s)", str);
1669 early_param("spectre_bhi", spectre_bhi_parse_cmdline);
1671 static void __init bhi_select_mitigation(void)
1673 if (bhi_mitigation == BHI_MITIGATION_OFF)
1676 /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */
1677 if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
1678 !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE)) {
1679 spec_ctrl_disable_kernel_rrsba();
1684 /* Mitigate in hardware if supported */
1685 if (spec_ctrl_bhi_dis())
1688 if (!IS_ENABLED(CONFIG_X86_64))
1691 if (bhi_mitigation == BHI_MITIGATION_VMEXIT_ONLY) {
1692 pr_info("Spectre BHI mitigation: SW BHB clearing on VM exit only\n");
1693 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
1697 pr_info("Spectre BHI mitigation: SW BHB clearing on syscall and VM exit\n");
1698 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
1699 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
1702 static void __init spectre_v2_select_mitigation(void)
1704 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
1705 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
1708 * If the CPU is not affected and the command line mode is NONE or AUTO
1709 * then nothing to do.
1711 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
1712 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
1716 case SPECTRE_V2_CMD_NONE:
1719 case SPECTRE_V2_CMD_FORCE:
1720 case SPECTRE_V2_CMD_AUTO:
1721 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1722 mode = SPECTRE_V2_EIBRS;
1726 if (IS_ENABLED(CONFIG_MITIGATION_IBRS_ENTRY) &&
1727 boot_cpu_has_bug(X86_BUG_RETBLEED) &&
1728 retbleed_cmd != RETBLEED_CMD_OFF &&
1729 retbleed_cmd != RETBLEED_CMD_STUFF &&
1730 boot_cpu_has(X86_FEATURE_IBRS) &&
1731 boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
1732 mode = SPECTRE_V2_IBRS;
1736 mode = spectre_v2_select_retpoline();
1739 case SPECTRE_V2_CMD_RETPOLINE_LFENCE:
1740 pr_err(SPECTRE_V2_LFENCE_MSG);
1741 mode = SPECTRE_V2_LFENCE;
1744 case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
1745 mode = SPECTRE_V2_RETPOLINE;
1748 case SPECTRE_V2_CMD_RETPOLINE:
1749 mode = spectre_v2_select_retpoline();
1752 case SPECTRE_V2_CMD_IBRS:
1753 mode = SPECTRE_V2_IBRS;
1756 case SPECTRE_V2_CMD_EIBRS:
1757 mode = SPECTRE_V2_EIBRS;
1760 case SPECTRE_V2_CMD_EIBRS_LFENCE:
1761 mode = SPECTRE_V2_EIBRS_LFENCE;
1764 case SPECTRE_V2_CMD_EIBRS_RETPOLINE:
1765 mode = SPECTRE_V2_EIBRS_RETPOLINE;
1769 if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
1770 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
1772 if (spectre_v2_in_ibrs_mode(mode)) {
1773 if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
1774 msr_set_bit(MSR_EFER, _EFER_AUTOIBRS);
1776 x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
1777 update_spec_ctrl(x86_spec_ctrl_base);
1782 case SPECTRE_V2_NONE:
1783 case SPECTRE_V2_EIBRS:
1786 case SPECTRE_V2_IBRS:
1787 setup_force_cpu_cap(X86_FEATURE_KERNEL_IBRS);
1788 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED))
1789 pr_warn(SPECTRE_V2_IBRS_PERF_MSG);
1792 case SPECTRE_V2_LFENCE:
1793 case SPECTRE_V2_EIBRS_LFENCE:
1794 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE);
1797 case SPECTRE_V2_RETPOLINE:
1798 case SPECTRE_V2_EIBRS_RETPOLINE:
1799 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
1804 * Disable alternate RSB predictions in kernel when indirect CALLs and
1805 * JMPs gets protection against BHI and Intramode-BTI, but RET
1806 * prediction from a non-RSB predictor is still a risk.
1808 if (mode == SPECTRE_V2_EIBRS_LFENCE ||
1809 mode == SPECTRE_V2_EIBRS_RETPOLINE ||
1810 mode == SPECTRE_V2_RETPOLINE)
1811 spec_ctrl_disable_kernel_rrsba();
1813 if (boot_cpu_has(X86_BUG_BHI))
1814 bhi_select_mitigation();
1816 spectre_v2_enabled = mode;
1817 pr_info("%s\n", spectre_v2_strings[mode]);
1820 * If Spectre v2 protection has been enabled, fill the RSB during a
1821 * context switch. In general there are two types of RSB attacks
1822 * across context switches, for which the CALLs/RETs may be unbalanced.
1826 * Some Intel parts have "bottomless RSB". When the RSB is empty,
1827 * speculated return targets may come from the branch predictor,
1828 * which could have a user-poisoned BTB or BHB entry.
1830 * AMD has it even worse: *all* returns are speculated from the BTB,
1831 * regardless of the state of the RSB.
1833 * When IBRS or eIBRS is enabled, the "user -> kernel" attack
1834 * scenario is mitigated by the IBRS branch prediction isolation
1835 * properties, so the RSB buffer filling wouldn't be necessary to
1836 * protect against this type of attack.
1838 * The "user -> user" attack scenario is mitigated by RSB filling.
1840 * 2) Poisoned RSB entry
1842 * If the 'next' in-kernel return stack is shorter than 'prev',
1843 * 'next' could be tricked into speculating with a user-poisoned RSB
1846 * The "user -> kernel" attack scenario is mitigated by SMEP and
1849 * The "user -> user" scenario, also known as SpectreBHB, requires
1852 * So to mitigate all cases, unconditionally fill RSB on context
1855 * FIXME: Is this pointless for retbleed-affected AMD?
1857 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
1858 pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
1860 spectre_v2_determine_rsb_fill_type_at_vmexit(mode);
1863 * Retpoline protects the kernel, but doesn't protect firmware. IBRS
1864 * and Enhanced IBRS protect firmware too, so enable IBRS around
1865 * firmware calls only when IBRS / Enhanced / Automatic IBRS aren't
1866 * otherwise enabled.
1868 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
1869 * the user might select retpoline on the kernel command line and if
1870 * the CPU supports Enhanced IBRS, kernel might un-intentionally not
1871 * enable IBRS around firmware calls.
1873 if (boot_cpu_has_bug(X86_BUG_RETBLEED) &&
1874 boot_cpu_has(X86_FEATURE_IBPB) &&
1875 (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
1876 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)) {
1878 if (retbleed_cmd != RETBLEED_CMD_IBPB) {
1879 setup_force_cpu_cap(X86_FEATURE_USE_IBPB_FW);
1880 pr_info("Enabling Speculation Barrier for firmware calls\n");
1883 } else if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_ibrs_mode(mode)) {
1884 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
1885 pr_info("Enabling Restricted Speculation for firmware calls\n");
1888 /* Set up IBPB and STIBP depending on the general spectre V2 command */
1889 spectre_v2_cmd = cmd;
1892 static void update_stibp_msr(void * __unused)
1894 u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP);
1895 update_spec_ctrl(val);
1898 /* Update x86_spec_ctrl_base in case SMT state changed. */
1899 static void update_stibp_strict(void)
1901 u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP;
1903 if (sched_smt_active())
1904 mask |= SPEC_CTRL_STIBP;
1906 if (mask == x86_spec_ctrl_base)
1909 pr_info("Update user space SMT mitigation: STIBP %s\n",
1910 mask & SPEC_CTRL_STIBP ? "always-on" : "off");
1911 x86_spec_ctrl_base = mask;
1912 on_each_cpu(update_stibp_msr, NULL, 1);
1915 /* Update the static key controlling the evaluation of TIF_SPEC_IB */
1916 static void update_indir_branch_cond(void)
1918 if (sched_smt_active())
1919 static_branch_enable(&switch_to_cond_stibp);
1921 static_branch_disable(&switch_to_cond_stibp);
1925 #define pr_fmt(fmt) fmt
1927 /* Update the static key controlling the MDS CPU buffer clear in idle */
1928 static void update_mds_branch_idle(void)
1931 * Enable the idle clearing if SMT is active on CPUs which are
1932 * affected only by MSBDS and not any other MDS variant.
1934 * The other variants cannot be mitigated when SMT is enabled, so
1935 * clearing the buffers on idle just to prevent the Store Buffer
1936 * repartitioning leak would be a window dressing exercise.
1938 if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY))
1941 if (sched_smt_active()) {
1942 static_branch_enable(&mds_idle_clear);
1943 } else if (mmio_mitigation == MMIO_MITIGATION_OFF ||
1944 (x86_arch_cap_msr & ARCH_CAP_FBSDP_NO)) {
1945 static_branch_disable(&mds_idle_clear);
1949 #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
1950 #define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n"
1951 #define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.\n"
1953 void cpu_bugs_smt_update(void)
1955 mutex_lock(&spec_ctrl_mutex);
1957 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
1958 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
1959 pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
1961 switch (spectre_v2_user_stibp) {
1962 case SPECTRE_V2_USER_NONE:
1964 case SPECTRE_V2_USER_STRICT:
1965 case SPECTRE_V2_USER_STRICT_PREFERRED:
1966 update_stibp_strict();
1968 case SPECTRE_V2_USER_PRCTL:
1969 case SPECTRE_V2_USER_SECCOMP:
1970 update_indir_branch_cond();
1974 switch (mds_mitigation) {
1975 case MDS_MITIGATION_FULL:
1976 case MDS_MITIGATION_VMWERV:
1977 if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
1978 pr_warn_once(MDS_MSG_SMT);
1979 update_mds_branch_idle();
1981 case MDS_MITIGATION_OFF:
1985 switch (taa_mitigation) {
1986 case TAA_MITIGATION_VERW:
1987 case TAA_MITIGATION_UCODE_NEEDED:
1988 if (sched_smt_active())
1989 pr_warn_once(TAA_MSG_SMT);
1991 case TAA_MITIGATION_TSX_DISABLED:
1992 case TAA_MITIGATION_OFF:
1996 switch (mmio_mitigation) {
1997 case MMIO_MITIGATION_VERW:
1998 case MMIO_MITIGATION_UCODE_NEEDED:
1999 if (sched_smt_active())
2000 pr_warn_once(MMIO_MSG_SMT);
2002 case MMIO_MITIGATION_OFF:
2006 mutex_unlock(&spec_ctrl_mutex);
2010 #define pr_fmt(fmt) "Speculative Store Bypass: " fmt
2012 static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
2014 /* The kernel command line selection */
2015 enum ssb_mitigation_cmd {
2016 SPEC_STORE_BYPASS_CMD_NONE,
2017 SPEC_STORE_BYPASS_CMD_AUTO,
2018 SPEC_STORE_BYPASS_CMD_ON,
2019 SPEC_STORE_BYPASS_CMD_PRCTL,
2020 SPEC_STORE_BYPASS_CMD_SECCOMP,
2023 static const char * const ssb_strings[] = {
2024 [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
2025 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
2026 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
2027 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
2030 static const struct {
2032 enum ssb_mitigation_cmd cmd;
2033 } ssb_mitigation_options[] __initconst = {
2034 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
2035 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
2036 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
2037 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
2038 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
2041 static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
2043 enum ssb_mitigation_cmd cmd;
2047 cmd = IS_ENABLED(CONFIG_MITIGATION_SSB) ?
2048 SPEC_STORE_BYPASS_CMD_AUTO : SPEC_STORE_BYPASS_CMD_NONE;
2049 if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
2050 cpu_mitigations_off()) {
2051 return SPEC_STORE_BYPASS_CMD_NONE;
2053 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
2058 for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
2059 if (!match_option(arg, ret, ssb_mitigation_options[i].option))
2062 cmd = ssb_mitigation_options[i].cmd;
2066 if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
2067 pr_err("unknown option (%s). Switching to default mode\n", arg);
2075 static enum ssb_mitigation __init __ssb_select_mitigation(void)
2077 enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
2078 enum ssb_mitigation_cmd cmd;
2080 if (!boot_cpu_has(X86_FEATURE_SSBD))
2083 cmd = ssb_parse_cmdline();
2084 if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
2085 (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
2086 cmd == SPEC_STORE_BYPASS_CMD_AUTO))
2090 case SPEC_STORE_BYPASS_CMD_SECCOMP:
2092 * Choose prctl+seccomp as the default mode if seccomp is
2095 if (IS_ENABLED(CONFIG_SECCOMP))
2096 mode = SPEC_STORE_BYPASS_SECCOMP;
2098 mode = SPEC_STORE_BYPASS_PRCTL;
2100 case SPEC_STORE_BYPASS_CMD_ON:
2101 mode = SPEC_STORE_BYPASS_DISABLE;
2103 case SPEC_STORE_BYPASS_CMD_AUTO:
2104 case SPEC_STORE_BYPASS_CMD_PRCTL:
2105 mode = SPEC_STORE_BYPASS_PRCTL;
2107 case SPEC_STORE_BYPASS_CMD_NONE:
2112 * We have three CPU feature flags that are in play here:
2113 * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
2114 * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
2115 * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
2117 if (mode == SPEC_STORE_BYPASS_DISABLE) {
2118 setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
2120 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
2121 * use a completely different MSR and bit dependent on family.
2123 if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
2124 !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
2125 x86_amd_ssb_disable();
2127 x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
2128 update_spec_ctrl(x86_spec_ctrl_base);
2135 static void ssb_select_mitigation(void)
2137 ssb_mode = __ssb_select_mitigation();
2139 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
2140 pr_info("%s\n", ssb_strings[ssb_mode]);
2144 #define pr_fmt(fmt) "Speculation prctl: " fmt
2146 static void task_update_spec_tif(struct task_struct *tsk)
2148 /* Force the update of the real TIF bits */
2149 set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE);
2152 * Immediately update the speculation control MSRs for the current
2153 * task, but for a non-current task delay setting the CPU
2154 * mitigation until it is scheduled next.
2156 * This can only happen for SECCOMP mitigation. For PRCTL it's
2157 * always the current task.
2160 speculation_ctrl_update_current();
2163 static int l1d_flush_prctl_set(struct task_struct *task, unsigned long ctrl)
2166 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
2170 case PR_SPEC_ENABLE:
2171 set_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
2173 case PR_SPEC_DISABLE:
2174 clear_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
2181 static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
2183 if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
2184 ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
2188 case PR_SPEC_ENABLE:
2189 /* If speculation is force disabled, enable is not allowed */
2190 if (task_spec_ssb_force_disable(task))
2192 task_clear_spec_ssb_disable(task);
2193 task_clear_spec_ssb_noexec(task);
2194 task_update_spec_tif(task);
2196 case PR_SPEC_DISABLE:
2197 task_set_spec_ssb_disable(task);
2198 task_clear_spec_ssb_noexec(task);
2199 task_update_spec_tif(task);
2201 case PR_SPEC_FORCE_DISABLE:
2202 task_set_spec_ssb_disable(task);
2203 task_set_spec_ssb_force_disable(task);
2204 task_clear_spec_ssb_noexec(task);
2205 task_update_spec_tif(task);
2207 case PR_SPEC_DISABLE_NOEXEC:
2208 if (task_spec_ssb_force_disable(task))
2210 task_set_spec_ssb_disable(task);
2211 task_set_spec_ssb_noexec(task);
2212 task_update_spec_tif(task);
2220 static bool is_spec_ib_user_controlled(void)
2222 return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL ||
2223 spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
2224 spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL ||
2225 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP;
2228 static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
2231 case PR_SPEC_ENABLE:
2232 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
2233 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
2237 * With strict mode for both IBPB and STIBP, the instruction
2238 * code paths avoid checking this task flag and instead,
2239 * unconditionally run the instruction. However, STIBP and IBPB
2240 * are independent and either can be set to conditionally
2241 * enabled regardless of the mode of the other.
2243 * If either is set to conditional, allow the task flag to be
2244 * updated, unless it was force-disabled by a previous prctl
2245 * call. Currently, this is possible on an AMD CPU which has the
2246 * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the
2247 * kernel is booted with 'spectre_v2_user=seccomp', then
2248 * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and
2249 * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED.
2251 if (!is_spec_ib_user_controlled() ||
2252 task_spec_ib_force_disable(task))
2255 task_clear_spec_ib_disable(task);
2256 task_update_spec_tif(task);
2258 case PR_SPEC_DISABLE:
2259 case PR_SPEC_FORCE_DISABLE:
2261 * Indirect branch speculation is always allowed when
2262 * mitigation is force disabled.
2264 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
2265 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
2268 if (!is_spec_ib_user_controlled())
2271 task_set_spec_ib_disable(task);
2272 if (ctrl == PR_SPEC_FORCE_DISABLE)
2273 task_set_spec_ib_force_disable(task);
2274 task_update_spec_tif(task);
2275 if (task == current)
2276 indirect_branch_prediction_barrier();
2284 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
2288 case PR_SPEC_STORE_BYPASS:
2289 return ssb_prctl_set(task, ctrl);
2290 case PR_SPEC_INDIRECT_BRANCH:
2291 return ib_prctl_set(task, ctrl);
2292 case PR_SPEC_L1D_FLUSH:
2293 return l1d_flush_prctl_set(task, ctrl);
2299 #ifdef CONFIG_SECCOMP
2300 void arch_seccomp_spec_mitigate(struct task_struct *task)
2302 if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
2303 ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
2304 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
2305 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP)
2306 ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
2310 static int l1d_flush_prctl_get(struct task_struct *task)
2312 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
2313 return PR_SPEC_FORCE_DISABLE;
2315 if (test_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH))
2316 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2318 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2321 static int ssb_prctl_get(struct task_struct *task)
2324 case SPEC_STORE_BYPASS_NONE:
2325 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
2326 return PR_SPEC_ENABLE;
2327 return PR_SPEC_NOT_AFFECTED;
2328 case SPEC_STORE_BYPASS_DISABLE:
2329 return PR_SPEC_DISABLE;
2330 case SPEC_STORE_BYPASS_SECCOMP:
2331 case SPEC_STORE_BYPASS_PRCTL:
2332 if (task_spec_ssb_force_disable(task))
2333 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
2334 if (task_spec_ssb_noexec(task))
2335 return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
2336 if (task_spec_ssb_disable(task))
2337 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2338 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2343 static int ib_prctl_get(struct task_struct *task)
2345 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
2346 return PR_SPEC_NOT_AFFECTED;
2348 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
2349 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
2350 return PR_SPEC_ENABLE;
2351 else if (is_spec_ib_user_controlled()) {
2352 if (task_spec_ib_force_disable(task))
2353 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
2354 if (task_spec_ib_disable(task))
2355 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2356 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2357 } else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
2358 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
2359 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED)
2360 return PR_SPEC_DISABLE;
2362 return PR_SPEC_NOT_AFFECTED;
2365 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
2368 case PR_SPEC_STORE_BYPASS:
2369 return ssb_prctl_get(task);
2370 case PR_SPEC_INDIRECT_BRANCH:
2371 return ib_prctl_get(task);
2372 case PR_SPEC_L1D_FLUSH:
2373 return l1d_flush_prctl_get(task);
2379 void x86_spec_ctrl_setup_ap(void)
2381 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
2382 update_spec_ctrl(x86_spec_ctrl_base);
2384 if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
2385 x86_amd_ssb_disable();
2388 bool itlb_multihit_kvm_mitigation;
2389 EXPORT_SYMBOL_GPL(itlb_multihit_kvm_mitigation);
2392 #define pr_fmt(fmt) "L1TF: " fmt
2394 /* Default mitigation for L1TF-affected CPUs */
2395 enum l1tf_mitigations l1tf_mitigation __ro_after_init =
2396 IS_ENABLED(CONFIG_MITIGATION_L1TF) ? L1TF_MITIGATION_FLUSH : L1TF_MITIGATION_OFF;
2397 #if IS_ENABLED(CONFIG_KVM_INTEL)
2398 EXPORT_SYMBOL_GPL(l1tf_mitigation);
2400 enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
2401 EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
2404 * These CPUs all support 44bits physical address space internally in the
2405 * cache but CPUID can report a smaller number of physical address bits.
2407 * The L1TF mitigation uses the top most address bit for the inversion of
2408 * non present PTEs. When the installed memory reaches into the top most
2409 * address bit due to memory holes, which has been observed on machines
2410 * which report 36bits physical address bits and have 32G RAM installed,
2411 * then the mitigation range check in l1tf_select_mitigation() triggers.
2412 * This is a false positive because the mitigation is still possible due to
2413 * the fact that the cache uses 44bit internally. Use the cache bits
2414 * instead of the reported physical bits and adjust them on the affected
2415 * machines to 44bit if the reported bits are less than 44.
2417 static void override_cache_bits(struct cpuinfo_x86 *c)
2422 switch (c->x86_vfm) {
2424 case INTEL_WESTMERE:
2425 case INTEL_SANDYBRIDGE:
2426 case INTEL_IVYBRIDGE:
2428 case INTEL_HASWELL_L:
2429 case INTEL_HASWELL_G:
2430 case INTEL_BROADWELL:
2431 case INTEL_BROADWELL_G:
2432 case INTEL_SKYLAKE_L:
2434 case INTEL_KABYLAKE_L:
2435 case INTEL_KABYLAKE:
2436 if (c->x86_cache_bits < 44)
2437 c->x86_cache_bits = 44;
2442 static void __init l1tf_select_mitigation(void)
2446 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2449 if (cpu_mitigations_off())
2450 l1tf_mitigation = L1TF_MITIGATION_OFF;
2451 else if (cpu_mitigations_auto_nosmt())
2452 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2454 override_cache_bits(&boot_cpu_data);
2456 switch (l1tf_mitigation) {
2457 case L1TF_MITIGATION_OFF:
2458 case L1TF_MITIGATION_FLUSH_NOWARN:
2459 case L1TF_MITIGATION_FLUSH:
2461 case L1TF_MITIGATION_FLUSH_NOSMT:
2462 case L1TF_MITIGATION_FULL:
2463 cpu_smt_disable(false);
2465 case L1TF_MITIGATION_FULL_FORCE:
2466 cpu_smt_disable(true);
2470 #if CONFIG_PGTABLE_LEVELS == 2
2471 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
2475 half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
2476 if (l1tf_mitigation != L1TF_MITIGATION_OFF &&
2477 e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
2478 pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
2479 pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
2481 pr_info("However, doing so will make a part of your RAM unusable.\n");
2482 pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n");
2486 setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
2489 static int __init l1tf_cmdline(char *str)
2491 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2497 if (!strcmp(str, "off"))
2498 l1tf_mitigation = L1TF_MITIGATION_OFF;
2499 else if (!strcmp(str, "flush,nowarn"))
2500 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN;
2501 else if (!strcmp(str, "flush"))
2502 l1tf_mitigation = L1TF_MITIGATION_FLUSH;
2503 else if (!strcmp(str, "flush,nosmt"))
2504 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2505 else if (!strcmp(str, "full"))
2506 l1tf_mitigation = L1TF_MITIGATION_FULL;
2507 else if (!strcmp(str, "full,force"))
2508 l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;
2512 early_param("l1tf", l1tf_cmdline);
2515 #define pr_fmt(fmt) "Speculative Return Stack Overflow: " fmt
2517 enum srso_mitigation {
2518 SRSO_MITIGATION_NONE,
2519 SRSO_MITIGATION_UCODE_NEEDED,
2520 SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED,
2521 SRSO_MITIGATION_MICROCODE,
2522 SRSO_MITIGATION_SAFE_RET,
2523 SRSO_MITIGATION_IBPB,
2524 SRSO_MITIGATION_IBPB_ON_VMEXIT,
2527 enum srso_mitigation_cmd {
2532 SRSO_CMD_IBPB_ON_VMEXIT,
2535 static const char * const srso_strings[] = {
2536 [SRSO_MITIGATION_NONE] = "Vulnerable",
2537 [SRSO_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
2538 [SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED] = "Vulnerable: Safe RET, no microcode",
2539 [SRSO_MITIGATION_MICROCODE] = "Vulnerable: Microcode, no safe RET",
2540 [SRSO_MITIGATION_SAFE_RET] = "Mitigation: Safe RET",
2541 [SRSO_MITIGATION_IBPB] = "Mitigation: IBPB",
2542 [SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only"
2545 static enum srso_mitigation srso_mitigation __ro_after_init = SRSO_MITIGATION_NONE;
2546 static enum srso_mitigation_cmd srso_cmd __ro_after_init = SRSO_CMD_SAFE_RET;
2548 static int __init srso_parse_cmdline(char *str)
2553 if (!strcmp(str, "off"))
2554 srso_cmd = SRSO_CMD_OFF;
2555 else if (!strcmp(str, "microcode"))
2556 srso_cmd = SRSO_CMD_MICROCODE;
2557 else if (!strcmp(str, "safe-ret"))
2558 srso_cmd = SRSO_CMD_SAFE_RET;
2559 else if (!strcmp(str, "ibpb"))
2560 srso_cmd = SRSO_CMD_IBPB;
2561 else if (!strcmp(str, "ibpb-vmexit"))
2562 srso_cmd = SRSO_CMD_IBPB_ON_VMEXIT;
2564 pr_err("Ignoring unknown SRSO option (%s).", str);
2568 early_param("spec_rstack_overflow", srso_parse_cmdline);
2570 #define SRSO_NOTICE "WARNING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options."
2572 static void __init srso_select_mitigation(void)
2574 bool has_microcode = boot_cpu_has(X86_FEATURE_IBPB_BRTYPE);
2576 if (!boot_cpu_has_bug(X86_BUG_SRSO) ||
2577 cpu_mitigations_off() ||
2578 srso_cmd == SRSO_CMD_OFF) {
2579 if (boot_cpu_has(X86_FEATURE_SBPB))
2580 x86_pred_cmd = PRED_CMD_SBPB;
2584 if (has_microcode) {
2586 * Zen1/2 with SMT off aren't vulnerable after the right
2587 * IBPB microcode has been applied.
2589 * Zen1/2 don't have SBPB, no need to try to enable it here.
2591 if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
2592 setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
2596 if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
2597 srso_mitigation = SRSO_MITIGATION_IBPB;
2601 pr_warn("IBPB-extending microcode not applied!\n");
2602 pr_warn(SRSO_NOTICE);
2604 /* may be overwritten by SRSO_CMD_SAFE_RET below */
2605 srso_mitigation = SRSO_MITIGATION_UCODE_NEEDED;
2609 case SRSO_CMD_MICROCODE:
2610 if (has_microcode) {
2611 srso_mitigation = SRSO_MITIGATION_MICROCODE;
2612 pr_warn(SRSO_NOTICE);
2616 case SRSO_CMD_SAFE_RET:
2617 if (boot_cpu_has(X86_FEATURE_SRSO_USER_KERNEL_NO))
2618 goto ibpb_on_vmexit;
2620 if (IS_ENABLED(CONFIG_MITIGATION_SRSO)) {
2622 * Enable the return thunk for generated code
2623 * like ftrace, static_call, etc.
2625 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
2626 setup_force_cpu_cap(X86_FEATURE_UNRET);
2628 if (boot_cpu_data.x86 == 0x19) {
2629 setup_force_cpu_cap(X86_FEATURE_SRSO_ALIAS);
2630 x86_return_thunk = srso_alias_return_thunk;
2632 setup_force_cpu_cap(X86_FEATURE_SRSO);
2633 x86_return_thunk = srso_return_thunk;
2636 srso_mitigation = SRSO_MITIGATION_SAFE_RET;
2638 srso_mitigation = SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED;
2640 pr_err("WARNING: kernel not compiled with MITIGATION_SRSO.\n");
2645 if (IS_ENABLED(CONFIG_MITIGATION_IBPB_ENTRY)) {
2646 if (has_microcode) {
2647 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
2648 setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
2649 srso_mitigation = SRSO_MITIGATION_IBPB;
2652 * IBPB on entry already obviates the need for
2653 * software-based untraining so clear those in case some
2654 * other mitigation like Retbleed has selected them.
2656 setup_clear_cpu_cap(X86_FEATURE_UNRET);
2657 setup_clear_cpu_cap(X86_FEATURE_RETHUNK);
2660 * There is no need for RSB filling: entry_ibpb() ensures
2661 * all predictions, including the RSB, are invalidated,
2662 * regardless of IBPB implementation.
2664 setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT);
2667 pr_err("WARNING: kernel not compiled with MITIGATION_IBPB_ENTRY.\n");
2672 case SRSO_CMD_IBPB_ON_VMEXIT:
2673 if (IS_ENABLED(CONFIG_MITIGATION_IBPB_ENTRY)) {
2674 if (has_microcode) {
2675 setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
2676 srso_mitigation = SRSO_MITIGATION_IBPB_ON_VMEXIT;
2679 * There is no need for RSB filling: entry_ibpb() ensures
2680 * all predictions, including the RSB, are invalidated,
2681 * regardless of IBPB implementation.
2683 setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT);
2686 pr_err("WARNING: kernel not compiled with MITIGATION_IBPB_ENTRY.\n");
2694 pr_info("%s\n", srso_strings[srso_mitigation]);
2698 #define pr_fmt(fmt) fmt
2702 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
2704 #if IS_ENABLED(CONFIG_KVM_INTEL)
2705 static const char * const l1tf_vmx_states[] = {
2706 [VMENTER_L1D_FLUSH_AUTO] = "auto",
2707 [VMENTER_L1D_FLUSH_NEVER] = "vulnerable",
2708 [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes",
2709 [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes",
2710 [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled",
2711 [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary"
2714 static ssize_t l1tf_show_state(char *buf)
2716 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
2717 return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);
2719 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
2720 (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
2721 sched_smt_active())) {
2722 return sysfs_emit(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
2723 l1tf_vmx_states[l1tf_vmx_mitigation]);
2726 return sysfs_emit(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
2727 l1tf_vmx_states[l1tf_vmx_mitigation],
2728 sched_smt_active() ? "vulnerable" : "disabled");
2731 static ssize_t itlb_multihit_show_state(char *buf)
2733 if (!boot_cpu_has(X86_FEATURE_MSR_IA32_FEAT_CTL) ||
2734 !boot_cpu_has(X86_FEATURE_VMX))
2735 return sysfs_emit(buf, "KVM: Mitigation: VMX unsupported\n");
2736 else if (!(cr4_read_shadow() & X86_CR4_VMXE))
2737 return sysfs_emit(buf, "KVM: Mitigation: VMX disabled\n");
2738 else if (itlb_multihit_kvm_mitigation)
2739 return sysfs_emit(buf, "KVM: Mitigation: Split huge pages\n");
2741 return sysfs_emit(buf, "KVM: Vulnerable\n");
2744 static ssize_t l1tf_show_state(char *buf)
2746 return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);
2749 static ssize_t itlb_multihit_show_state(char *buf)
2751 return sysfs_emit(buf, "Processor vulnerable\n");
2755 static ssize_t mds_show_state(char *buf)
2757 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2758 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
2759 mds_strings[mds_mitigation]);
2762 if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
2763 return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
2764 (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
2765 sched_smt_active() ? "mitigated" : "disabled"));
2768 return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
2769 sched_smt_active() ? "vulnerable" : "disabled");
2772 static ssize_t tsx_async_abort_show_state(char *buf)
2774 if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
2775 (taa_mitigation == TAA_MITIGATION_OFF))
2776 return sysfs_emit(buf, "%s\n", taa_strings[taa_mitigation]);
2778 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2779 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
2780 taa_strings[taa_mitigation]);
2783 return sysfs_emit(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
2784 sched_smt_active() ? "vulnerable" : "disabled");
2787 static ssize_t mmio_stale_data_show_state(char *buf)
2789 if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
2790 return sysfs_emit(buf, "Unknown: No mitigations\n");
2792 if (mmio_mitigation == MMIO_MITIGATION_OFF)
2793 return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);
2795 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2796 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
2797 mmio_strings[mmio_mitigation]);
2800 return sysfs_emit(buf, "%s; SMT %s\n", mmio_strings[mmio_mitigation],
2801 sched_smt_active() ? "vulnerable" : "disabled");
2804 static ssize_t rfds_show_state(char *buf)
2806 return sysfs_emit(buf, "%s\n", rfds_strings[rfds_mitigation]);
2809 static char *stibp_state(void)
2811 if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
2812 !boot_cpu_has(X86_FEATURE_AUTOIBRS))
2815 switch (spectre_v2_user_stibp) {
2816 case SPECTRE_V2_USER_NONE:
2817 return "; STIBP: disabled";
2818 case SPECTRE_V2_USER_STRICT:
2819 return "; STIBP: forced";
2820 case SPECTRE_V2_USER_STRICT_PREFERRED:
2821 return "; STIBP: always-on";
2822 case SPECTRE_V2_USER_PRCTL:
2823 case SPECTRE_V2_USER_SECCOMP:
2824 if (static_key_enabled(&switch_to_cond_stibp))
2825 return "; STIBP: conditional";
2830 static char *ibpb_state(void)
2832 if (boot_cpu_has(X86_FEATURE_IBPB)) {
2833 if (static_key_enabled(&switch_mm_always_ibpb))
2834 return "; IBPB: always-on";
2835 if (static_key_enabled(&switch_mm_cond_ibpb))
2836 return "; IBPB: conditional";
2837 return "; IBPB: disabled";
2842 static char *pbrsb_eibrs_state(void)
2844 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
2845 if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
2846 boot_cpu_has(X86_FEATURE_RSB_VMEXIT))
2847 return "; PBRSB-eIBRS: SW sequence";
2849 return "; PBRSB-eIBRS: Vulnerable";
2851 return "; PBRSB-eIBRS: Not affected";
2855 static const char *spectre_bhi_state(void)
2857 if (!boot_cpu_has_bug(X86_BUG_BHI))
2858 return "; BHI: Not affected";
2859 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW))
2860 return "; BHI: BHI_DIS_S";
2861 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP))
2862 return "; BHI: SW loop, KVM: SW loop";
2863 else if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
2864 !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE) &&
2866 return "; BHI: Retpoline";
2867 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))
2868 return "; BHI: Vulnerable, KVM: SW loop";
2870 return "; BHI: Vulnerable";
2873 static ssize_t spectre_v2_show_state(char *buf)
2875 if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
2876 return sysfs_emit(buf, "Vulnerable: LFENCE\n");
2878 if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
2879 return sysfs_emit(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
2881 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
2882 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
2883 return sysfs_emit(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
2885 return sysfs_emit(buf, "%s%s%s%s%s%s%s%s\n",
2886 spectre_v2_strings[spectre_v2_enabled],
2888 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? "; IBRS_FW" : "",
2890 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? "; RSB filling" : "",
2891 pbrsb_eibrs_state(),
2892 spectre_bhi_state(),
2893 /* this should always be at the end */
2894 spectre_v2_module_string());
2897 static ssize_t srbds_show_state(char *buf)
2899 return sysfs_emit(buf, "%s\n", srbds_strings[srbds_mitigation]);
2902 static ssize_t retbleed_show_state(char *buf)
2904 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
2905 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
2906 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
2907 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
2908 return sysfs_emit(buf, "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch\n");
2910 return sysfs_emit(buf, "%s; SMT %s\n", retbleed_strings[retbleed_mitigation],
2911 !sched_smt_active() ? "disabled" :
2912 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
2913 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ?
2914 "enabled with STIBP protection" : "vulnerable");
2917 return sysfs_emit(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
2920 static ssize_t srso_show_state(char *buf)
2922 if (boot_cpu_has(X86_FEATURE_SRSO_NO))
2923 return sysfs_emit(buf, "Mitigation: SMT disabled\n");
2925 return sysfs_emit(buf, "%s\n", srso_strings[srso_mitigation]);
2928 static ssize_t gds_show_state(char *buf)
2930 return sysfs_emit(buf, "%s\n", gds_strings[gds_mitigation]);
2933 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
2934 char *buf, unsigned int bug)
2936 if (!boot_cpu_has_bug(bug))
2937 return sysfs_emit(buf, "Not affected\n");
2940 case X86_BUG_CPU_MELTDOWN:
2941 if (boot_cpu_has(X86_FEATURE_PTI))
2942 return sysfs_emit(buf, "Mitigation: PTI\n");
2944 if (hypervisor_is_type(X86_HYPER_XEN_PV))
2945 return sysfs_emit(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");
2949 case X86_BUG_SPECTRE_V1:
2950 return sysfs_emit(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
2952 case X86_BUG_SPECTRE_V2:
2953 return spectre_v2_show_state(buf);
2955 case X86_BUG_SPEC_STORE_BYPASS:
2956 return sysfs_emit(buf, "%s\n", ssb_strings[ssb_mode]);
2959 if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
2960 return l1tf_show_state(buf);
2964 return mds_show_state(buf);
2967 return tsx_async_abort_show_state(buf);
2969 case X86_BUG_ITLB_MULTIHIT:
2970 return itlb_multihit_show_state(buf);
2973 return srbds_show_state(buf);
2975 case X86_BUG_MMIO_STALE_DATA:
2976 case X86_BUG_MMIO_UNKNOWN:
2977 return mmio_stale_data_show_state(buf);
2979 case X86_BUG_RETBLEED:
2980 return retbleed_show_state(buf);
2983 return srso_show_state(buf);
2986 return gds_show_state(buf);
2989 return rfds_show_state(buf);
2995 return sysfs_emit(buf, "Vulnerable\n");
2998 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
3000 return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
3003 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
3005 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
3008 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
3010 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
3013 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
3015 return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
3018 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
3020 return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
3023 ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *buf)
3025 return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
3028 ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)
3030 return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
3033 ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf)
3035 return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
3038 ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf)
3040 return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS);
3043 ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)
3045 if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
3046 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_UNKNOWN);
3048 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
3051 ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)
3053 return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
3056 ssize_t cpu_show_spec_rstack_overflow(struct device *dev, struct device_attribute *attr, char *buf)
3058 return cpu_show_common(dev, attr, buf, X86_BUG_SRSO);
3061 ssize_t cpu_show_gds(struct device *dev, struct device_attribute *attr, char *buf)
3063 return cpu_show_common(dev, attr, buf, X86_BUG_GDS);
3066 ssize_t cpu_show_reg_file_data_sampling(struct device *dev, struct device_attribute *attr, char *buf)
3068 return cpu_show_common(dev, attr, buf, X86_BUG_RFDS);
3072 void __warn_thunk(void)
3074 WARN_ONCE(1, "Unpatched return thunk in use. This should not happen!\n");
projects / linux.git / blob