]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - arch/x86/kernel/cpu/bugs.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
KVM: VMX: Prevent RSB underflow before vmenter
[mirror_ubuntu-jammy-kernel.git] / arch / x86 / kernel / cpu / bugs.c
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (C) 1994 Linus Torvalds
4 *
5 * Cyrix stuff, June 1998 by:
6 * - Rafael R. Reilova (moved everything from head.S),
7 * <rreilova@ececs.uc.edu>
8 * - Channing Corn (tests & fixes),
9 * - Andrew D. Balsa (code cleanup).
10 */
11 #include <linux/init.h>
12 #include <linux/utsname.h>
13 #include <linux/cpu.h>
14 #include <linux/module.h>
15 #include <linux/nospec.h>
16 #include <linux/prctl.h>
17 #include <linux/sched/smt.h>
18 #include <linux/pgtable.h>
19 #include <linux/bpf.h>
20
21 #include <asm/spec-ctrl.h>
22 #include <asm/cmdline.h>
23 #include <asm/bugs.h>
24 #include <asm/processor.h>
25 #include <asm/processor-flags.h>
26 #include <asm/fpu/api.h>
27 #include <asm/msr.h>
28 #include <asm/vmx.h>
29 #include <asm/paravirt.h>
30 #include <asm/alternative.h>
31 #include <asm/set_memory.h>
32 #include <asm/intel-family.h>
33 #include <asm/e820/api.h>
34 #include <asm/hypervisor.h>
35 #include <asm/tlbflush.h>
36
37 #include "cpu.h"
38
39 static void __init spectre_v1_select_mitigation(void);
40 static void __init spectre_v2_select_mitigation(void);
41 static void __init retbleed_select_mitigation(void);
42 static void __init spectre_v2_user_select_mitigation(void);
43 static void __init ssb_select_mitigation(void);
44 static void __init l1tf_select_mitigation(void);
45 static void __init mds_select_mitigation(void);
46 static void __init md_clear_update_mitigation(void);
47 static void __init md_clear_select_mitigation(void);
48 static void __init taa_select_mitigation(void);
49 static void __init mmio_select_mitigation(void);
50 static void __init srbds_select_mitigation(void);
51 static void __init l1d_flush_select_mitigation(void);
52
53 /* The base value of the SPEC_CTRL MSR without task-specific bits set */
54 u64 x86_spec_ctrl_base;
55 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
56
57 /* The current value of the SPEC_CTRL MSR with task-specific bits set */
58 DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
59 EXPORT_SYMBOL_GPL(x86_spec_ctrl_current);
60
61 static DEFINE_MUTEX(spec_ctrl_mutex);
62
63 /*
64 * Keep track of the SPEC_CTRL MSR value for the current task, which may differ
65 * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update().
66 */
67 void write_spec_ctrl_current(u64 val, bool force)
68 {
69 if (this_cpu_read(x86_spec_ctrl_current) == val)
70 return;
71
72 this_cpu_write(x86_spec_ctrl_current, val);
73
74 /*
75 * When KERNEL_IBRS this MSR is written on return-to-user, unless
76 * forced the update can be delayed until that time.
77 */
78 if (force || !cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS))
79 wrmsrl(MSR_IA32_SPEC_CTRL, val);
80 }
81
82 u64 spec_ctrl_current(void)
83 {
84 return this_cpu_read(x86_spec_ctrl_current);
85 }
86 EXPORT_SYMBOL_GPL(spec_ctrl_current);
87
88 /*
89 * AMD specific MSR info for Speculative Store Bypass control.
90 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
91 */
92 u64 __ro_after_init x86_amd_ls_cfg_base;
93 u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
94
95 /* Control conditional STIBP in switch_to() */
96 DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
97 /* Control conditional IBPB in switch_mm() */
98 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
99 /* Control unconditional IBPB in switch_mm() */
100 DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);
101
102 /* Control MDS CPU buffer clear before returning to user space */
103 DEFINE_STATIC_KEY_FALSE(mds_user_clear);
104 EXPORT_SYMBOL_GPL(mds_user_clear);
105 /* Control MDS CPU buffer clear before idling (halt, mwait) */
106 DEFINE_STATIC_KEY_FALSE(mds_idle_clear);
107 EXPORT_SYMBOL_GPL(mds_idle_clear);
108
109 /*
110 * Controls whether l1d flush based mitigations are enabled,
111 * based on hw features and admin setting via boot parameter
112 * defaults to false
113 */
114 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush);
115
116 /* Controls CPU Fill buffer clear before KVM guest MMIO accesses */
117 DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear);
118 EXPORT_SYMBOL_GPL(mmio_stale_data_clear);
119
120 void __init check_bugs(void)
121 {
122 identify_boot_cpu();
123
124 /*
125 * identify_boot_cpu() initialized SMT support information, let the
126 * core code know.
127 */
128 cpu_smt_check_topology();
129
130 if (!IS_ENABLED(CONFIG_SMP)) {
131 pr_info("CPU: ");
132 print_cpu_info(&boot_cpu_data);
133 }
134
135 /*
136 * Read the SPEC_CTRL MSR to account for reserved bits which may
137 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
138 * init code as it is not enumerated and depends on the family.
139 */
140 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
141 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
142
143 /* Select the proper CPU mitigations before patching alternatives: */
144 spectre_v1_select_mitigation();
145 spectre_v2_select_mitigation();
146 /*
147 * retbleed_select_mitigation() relies on the state set by
148 * spectre_v2_select_mitigation(); specifically it wants to know about
149 * spectre_v2=ibrs.
150 */
151 retbleed_select_mitigation();
152 /*
153 * spectre_v2_user_select_mitigation() relies on the state set by
154 * retbleed_select_mitigation(); specifically the STIBP selection is
155 * forced for UNRET.
156 */
157 spectre_v2_user_select_mitigation();
158 ssb_select_mitigation();
159 l1tf_select_mitigation();
160 md_clear_select_mitigation();
161 srbds_select_mitigation();
162 l1d_flush_select_mitigation();
163
164 arch_smt_update();
165
166 #ifdef CONFIG_X86_32
167 /*
168 * Check whether we are able to run this kernel safely on SMP.
169 *
170 * - i386 is no longer supported.
171 * - In order to run on anything without a TSC, we need to be
172 * compiled for a i486.
173 */
174 if (boot_cpu_data.x86 < 4)
175 panic("Kernel requires i486+ for 'invlpg' and other features");
176
177 init_utsname()->machine[1] =
178 '0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86);
179 alternative_instructions();
180
181 fpu__init_check_bugs();
182 #else /* CONFIG_X86_64 */
183 alternative_instructions();
184
185 /*
186 * Make sure the first 2MB area is not mapped by huge pages
187 * There are typically fixed size MTRRs in there and overlapping
188 * MTRRs into large pages causes slow downs.
189 *
190 * Right now we don't do that with gbpages because there seems
191 * very little benefit for that case.
192 */
193 if (!direct_gbpages)
194 set_memory_4k((unsigned long)__va(0), 1);
195 #endif
196 }
197
198 /*
199 * NOTE: This function is *only* called for SVM. VMX spec_ctrl handling is
200 * done in vmenter.S.
201 */
202 void
203 x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
204 {
205 u64 msrval, guestval = guest_spec_ctrl, hostval = spec_ctrl_current();
206 struct thread_info *ti = current_thread_info();
207
208 if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
209 if (hostval != guestval) {
210 msrval = setguest ? guestval : hostval;
211 wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
212 }
213 }
214
215 /*
216 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
217 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
218 */
219 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
220 !static_cpu_has(X86_FEATURE_VIRT_SSBD))
221 return;
222
223 /*
224 * If the host has SSBD mitigation enabled, force it in the host's
225 * virtual MSR value. If its not permanently enabled, evaluate
226 * current's TIF_SSBD thread flag.
227 */
228 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
229 hostval = SPEC_CTRL_SSBD;
230 else
231 hostval = ssbd_tif_to_spec_ctrl(ti->flags);
232
233 /* Sanitize the guest value */
234 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
235
236 if (hostval != guestval) {
237 unsigned long tif;
238
239 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
240 ssbd_spec_ctrl_to_tif(hostval);
241
242 speculation_ctrl_update(tif);
243 }
244 }
245 EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
246
247 static void x86_amd_ssb_disable(void)
248 {
249 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
250
251 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
252 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
253 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
254 wrmsrl(MSR_AMD64_LS_CFG, msrval);
255 }
256
257 #undef pr_fmt
258 #define pr_fmt(fmt) "MDS: " fmt
259
260 /* Default mitigation for MDS-affected CPUs */
261 static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL;
262 static bool mds_nosmt __ro_after_init = false;
263
264 static const char * const mds_strings[] = {
265 [MDS_MITIGATION_OFF] = "Vulnerable",
266 [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
267 [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
268 };
269
270 static void __init mds_select_mitigation(void)
271 {
272 if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) {
273 mds_mitigation = MDS_MITIGATION_OFF;
274 return;
275 }
276
277 if (mds_mitigation == MDS_MITIGATION_FULL) {
278 if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
279 mds_mitigation = MDS_MITIGATION_VMWERV;
280
281 static_branch_enable(&mds_user_clear);
282
283 if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&
284 (mds_nosmt || cpu_mitigations_auto_nosmt()))
285 cpu_smt_disable(false);
286 }
287 }
288
289 static int __init mds_cmdline(char *str)
290 {
291 if (!boot_cpu_has_bug(X86_BUG_MDS))
292 return 0;
293
294 if (!str)
295 return -EINVAL;
296
297 if (!strcmp(str, "off"))
298 mds_mitigation = MDS_MITIGATION_OFF;
299 else if (!strcmp(str, "full"))
300 mds_mitigation = MDS_MITIGATION_FULL;
301 else if (!strcmp(str, "full,nosmt")) {
302 mds_mitigation = MDS_MITIGATION_FULL;
303 mds_nosmt = true;
304 }
305
306 return 0;
307 }
308 early_param("mds", mds_cmdline);
309
310 #undef pr_fmt
311 #define pr_fmt(fmt) "TAA: " fmt
312
313 enum taa_mitigations {
314 TAA_MITIGATION_OFF,
315 TAA_MITIGATION_UCODE_NEEDED,
316 TAA_MITIGATION_VERW,
317 TAA_MITIGATION_TSX_DISABLED,
318 };
319
320 /* Default mitigation for TAA-affected CPUs */
321 static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW;
322 static bool taa_nosmt __ro_after_init;
323
324 static const char * const taa_strings[] = {
325 [TAA_MITIGATION_OFF] = "Vulnerable",
326 [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
327 [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
328 [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled",
329 };
330
331 static void __init taa_select_mitigation(void)
332 {
333 u64 ia32_cap;
334
335 if (!boot_cpu_has_bug(X86_BUG_TAA)) {
336 taa_mitigation = TAA_MITIGATION_OFF;
337 return;
338 }
339
340 /* TSX previously disabled by tsx=off */
341 if (!boot_cpu_has(X86_FEATURE_RTM)) {
342 taa_mitigation = TAA_MITIGATION_TSX_DISABLED;
343 return;
344 }
345
346 if (cpu_mitigations_off()) {
347 taa_mitigation = TAA_MITIGATION_OFF;
348 return;
349 }
350
351 /*
352 * TAA mitigation via VERW is turned off if both
353 * tsx_async_abort=off and mds=off are specified.
354 */
355 if (taa_mitigation == TAA_MITIGATION_OFF &&
356 mds_mitigation == MDS_MITIGATION_OFF)
357 return;
358
359 if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
360 taa_mitigation = TAA_MITIGATION_VERW;
361 else
362 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
363
364 /*
365 * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
366 * A microcode update fixes this behavior to clear CPU buffers. It also
367 * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
368 * ARCH_CAP_TSX_CTRL_MSR bit.
369 *
370 * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
371 * update is required.
372 */
373 ia32_cap = x86_read_arch_cap_msr();
374 if ( (ia32_cap & ARCH_CAP_MDS_NO) &&
375 !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR))
376 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
377
378 /*
379 * TSX is enabled, select alternate mitigation for TAA which is
380 * the same as MDS. Enable MDS static branch to clear CPU buffers.
381 *
382 * For guests that can't determine whether the correct microcode is
383 * present on host, enable the mitigation for UCODE_NEEDED as well.
384 */
385 static_branch_enable(&mds_user_clear);
386
387 if (taa_nosmt || cpu_mitigations_auto_nosmt())
388 cpu_smt_disable(false);
389 }
390
391 static int __init tsx_async_abort_parse_cmdline(char *str)
392 {
393 if (!boot_cpu_has_bug(X86_BUG_TAA))
394 return 0;
395
396 if (!str)
397 return -EINVAL;
398
399 if (!strcmp(str, "off")) {
400 taa_mitigation = TAA_MITIGATION_OFF;
401 } else if (!strcmp(str, "full")) {
402 taa_mitigation = TAA_MITIGATION_VERW;
403 } else if (!strcmp(str, "full,nosmt")) {
404 taa_mitigation = TAA_MITIGATION_VERW;
405 taa_nosmt = true;
406 }
407
408 return 0;
409 }
410 early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
411
412 #undef pr_fmt
413 #define pr_fmt(fmt) "MMIO Stale Data: " fmt
414
415 enum mmio_mitigations {
416 MMIO_MITIGATION_OFF,
417 MMIO_MITIGATION_UCODE_NEEDED,
418 MMIO_MITIGATION_VERW,
419 };
420
421 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */
422 static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_VERW;
423 static bool mmio_nosmt __ro_after_init = false;
424
425 static const char * const mmio_strings[] = {
426 [MMIO_MITIGATION_OFF] = "Vulnerable",
427 [MMIO_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
428 [MMIO_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
429 };
430
431 static void __init mmio_select_mitigation(void)
432 {
433 u64 ia32_cap;
434
435 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
436 cpu_mitigations_off()) {
437 mmio_mitigation = MMIO_MITIGATION_OFF;
438 return;
439 }
440
441 if (mmio_mitigation == MMIO_MITIGATION_OFF)
442 return;
443
444 ia32_cap = x86_read_arch_cap_msr();
445
446 /*
447 * Enable CPU buffer clear mitigation for host and VMM, if also affected
448 * by MDS or TAA. Otherwise, enable mitigation for VMM only.
449 */
450 if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) &&
451 boot_cpu_has(X86_FEATURE_RTM)))
452 static_branch_enable(&mds_user_clear);
453 else
454 static_branch_enable(&mmio_stale_data_clear);
455
456 /*
457 * If Processor-MMIO-Stale-Data bug is present and Fill Buffer data can
458 * be propagated to uncore buffers, clearing the Fill buffers on idle
459 * is required irrespective of SMT state.
460 */
461 if (!(ia32_cap & ARCH_CAP_FBSDP_NO))
462 static_branch_enable(&mds_idle_clear);
463
464 /*
465 * Check if the system has the right microcode.
466 *
467 * CPU Fill buffer clear mitigation is enumerated by either an explicit
468 * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS
469 * affected systems.
470 */
471 if ((ia32_cap & ARCH_CAP_FB_CLEAR) ||
472 (boot_cpu_has(X86_FEATURE_MD_CLEAR) &&
473 boot_cpu_has(X86_FEATURE_FLUSH_L1D) &&
474 !(ia32_cap & ARCH_CAP_MDS_NO)))
475 mmio_mitigation = MMIO_MITIGATION_VERW;
476 else
477 mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED;
478
479 if (mmio_nosmt || cpu_mitigations_auto_nosmt())
480 cpu_smt_disable(false);
481 }
482
483 static int __init mmio_stale_data_parse_cmdline(char *str)
484 {
485 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
486 return 0;
487
488 if (!str)
489 return -EINVAL;
490
491 if (!strcmp(str, "off")) {
492 mmio_mitigation = MMIO_MITIGATION_OFF;
493 } else if (!strcmp(str, "full")) {
494 mmio_mitigation = MMIO_MITIGATION_VERW;
495 } else if (!strcmp(str, "full,nosmt")) {
496 mmio_mitigation = MMIO_MITIGATION_VERW;
497 mmio_nosmt = true;
498 }
499
500 return 0;
501 }
502 early_param("mmio_stale_data", mmio_stale_data_parse_cmdline);
503
504 #undef pr_fmt
505 #define pr_fmt(fmt) "" fmt
506
507 static void __init md_clear_update_mitigation(void)
508 {
509 if (cpu_mitigations_off())
510 return;
511
512 if (!static_key_enabled(&mds_user_clear))
513 goto out;
514
515 /*
516 * mds_user_clear is now enabled. Update MDS, TAA and MMIO Stale Data
517 * mitigation, if necessary.
518 */
519 if (mds_mitigation == MDS_MITIGATION_OFF &&
520 boot_cpu_has_bug(X86_BUG_MDS)) {
521 mds_mitigation = MDS_MITIGATION_FULL;
522 mds_select_mitigation();
523 }
524 if (taa_mitigation == TAA_MITIGATION_OFF &&
525 boot_cpu_has_bug(X86_BUG_TAA)) {
526 taa_mitigation = TAA_MITIGATION_VERW;
527 taa_select_mitigation();
528 }
529 if (mmio_mitigation == MMIO_MITIGATION_OFF &&
530 boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
531 mmio_mitigation = MMIO_MITIGATION_VERW;
532 mmio_select_mitigation();
533 }
534 out:
535 if (boot_cpu_has_bug(X86_BUG_MDS))
536 pr_info("MDS: %s\n", mds_strings[mds_mitigation]);
537 if (boot_cpu_has_bug(X86_BUG_TAA))
538 pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
539 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
540 pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
541 }
542
543 static void __init md_clear_select_mitigation(void)
544 {
545 mds_select_mitigation();
546 taa_select_mitigation();
547 mmio_select_mitigation();
548
549 /*
550 * As MDS, TAA and MMIO Stale Data mitigations are inter-related, update
551 * and print their mitigation after MDS, TAA and MMIO Stale Data
552 * mitigation selection is done.
553 */
554 md_clear_update_mitigation();
555 }
556
557 #undef pr_fmt
558 #define pr_fmt(fmt) "SRBDS: " fmt
559
560 enum srbds_mitigations {
561 SRBDS_MITIGATION_OFF,
562 SRBDS_MITIGATION_UCODE_NEEDED,
563 SRBDS_MITIGATION_FULL,
564 SRBDS_MITIGATION_TSX_OFF,
565 SRBDS_MITIGATION_HYPERVISOR,
566 };
567
568 static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL;
569
570 static const char * const srbds_strings[] = {
571 [SRBDS_MITIGATION_OFF] = "Vulnerable",
572 [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
573 [SRBDS_MITIGATION_FULL] = "Mitigation: Microcode",
574 [SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled",
575 [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
576 };
577
578 static bool srbds_off;
579
580 void update_srbds_msr(void)
581 {
582 u64 mcu_ctrl;
583
584 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
585 return;
586
587 if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
588 return;
589
590 if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED)
591 return;
592
593 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
594
595 switch (srbds_mitigation) {
596 case SRBDS_MITIGATION_OFF:
597 case SRBDS_MITIGATION_TSX_OFF:
598 mcu_ctrl |= RNGDS_MITG_DIS;
599 break;
600 case SRBDS_MITIGATION_FULL:
601 mcu_ctrl &= ~RNGDS_MITG_DIS;
602 break;
603 default:
604 break;
605 }
606
607 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
608 }
609
610 static void __init srbds_select_mitigation(void)
611 {
612 u64 ia32_cap;
613
614 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
615 return;
616
617 /*
618 * Check to see if this is one of the MDS_NO systems supporting TSX that
619 * are only exposed to SRBDS when TSX is enabled or when CPU is affected
620 * by Processor MMIO Stale Data vulnerability.
621 */
622 ia32_cap = x86_read_arch_cap_msr();
623 if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) &&
624 !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
625 srbds_mitigation = SRBDS_MITIGATION_TSX_OFF;
626 else if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
627 srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR;
628 else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
629 srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED;
630 else if (cpu_mitigations_off() || srbds_off)
631 srbds_mitigation = SRBDS_MITIGATION_OFF;
632
633 update_srbds_msr();
634 pr_info("%s\n", srbds_strings[srbds_mitigation]);
635 }
636
637 static int __init srbds_parse_cmdline(char *str)
638 {
639 if (!str)
640 return -EINVAL;
641
642 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
643 return 0;
644
645 srbds_off = !strcmp(str, "off");
646 return 0;
647 }
648 early_param("srbds", srbds_parse_cmdline);
649
650 #undef pr_fmt
651 #define pr_fmt(fmt) "L1D Flush : " fmt
652
653 enum l1d_flush_mitigations {
654 L1D_FLUSH_OFF = 0,
655 L1D_FLUSH_ON,
656 };
657
658 static enum l1d_flush_mitigations l1d_flush_mitigation __initdata = L1D_FLUSH_OFF;
659
660 static void __init l1d_flush_select_mitigation(void)
661 {
662 if (!l1d_flush_mitigation || !boot_cpu_has(X86_FEATURE_FLUSH_L1D))
663 return;
664
665 static_branch_enable(&switch_mm_cond_l1d_flush);
666 pr_info("Conditional flush on switch_mm() enabled\n");
667 }
668
669 static int __init l1d_flush_parse_cmdline(char *str)
670 {
671 if (!strcmp(str, "on"))
672 l1d_flush_mitigation = L1D_FLUSH_ON;
673
674 return 0;
675 }
676 early_param("l1d_flush", l1d_flush_parse_cmdline);
677
678 #undef pr_fmt
679 #define pr_fmt(fmt) "Spectre V1 : " fmt
680
681 enum spectre_v1_mitigation {
682 SPECTRE_V1_MITIGATION_NONE,
683 SPECTRE_V1_MITIGATION_AUTO,
684 };
685
686 static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
687 SPECTRE_V1_MITIGATION_AUTO;
688
689 static const char * const spectre_v1_strings[] = {
690 [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
691 [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
692 };
693
694 /*
695 * Does SMAP provide full mitigation against speculative kernel access to
696 * userspace?
697 */
698 static bool smap_works_speculatively(void)
699 {
700 if (!boot_cpu_has(X86_FEATURE_SMAP))
701 return false;
702
703 /*
704 * On CPUs which are vulnerable to Meltdown, SMAP does not
705 * prevent speculative access to user data in the L1 cache.
706 * Consider SMAP to be non-functional as a mitigation on these
707 * CPUs.
708 */
709 if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
710 return false;
711
712 return true;
713 }
714
715 static void __init spectre_v1_select_mitigation(void)
716 {
717 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
718 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
719 return;
720 }
721
722 if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
723 /*
724 * With Spectre v1, a user can speculatively control either
725 * path of a conditional swapgs with a user-controlled GS
726 * value. The mitigation is to add lfences to both code paths.
727 *
728 * If FSGSBASE is enabled, the user can put a kernel address in
729 * GS, in which case SMAP provides no protection.
730 *
731 * If FSGSBASE is disabled, the user can only put a user space
732 * address in GS. That makes an attack harder, but still
733 * possible if there's no SMAP protection.
734 */
735 if (boot_cpu_has(X86_FEATURE_FSGSBASE) ||
736 !smap_works_speculatively()) {
737 /*
738 * Mitigation can be provided from SWAPGS itself or
739 * PTI as the CR3 write in the Meltdown mitigation
740 * is serializing.
741 *
742 * If neither is there, mitigate with an LFENCE to
743 * stop speculation through swapgs.
744 */
745 if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
746 !boot_cpu_has(X86_FEATURE_PTI))
747 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
748
749 /*
750 * Enable lfences in the kernel entry (non-swapgs)
751 * paths, to prevent user entry from speculatively
752 * skipping swapgs.
753 */
754 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
755 }
756 }
757
758 pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
759 }
760
761 static int __init nospectre_v1_cmdline(char *str)
762 {
763 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
764 return 0;
765 }
766 early_param("nospectre_v1", nospectre_v1_cmdline);
767
768 static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
769 SPECTRE_V2_NONE;
770
771 #undef pr_fmt
772 #define pr_fmt(fmt) "RETBleed: " fmt
773
774 enum retbleed_mitigation {
775 RETBLEED_MITIGATION_NONE,
776 RETBLEED_MITIGATION_UNRET,
777 RETBLEED_MITIGATION_IBPB,
778 RETBLEED_MITIGATION_IBRS,
779 RETBLEED_MITIGATION_EIBRS,
780 };
781
782 enum retbleed_mitigation_cmd {
783 RETBLEED_CMD_OFF,
784 RETBLEED_CMD_AUTO,
785 RETBLEED_CMD_UNRET,
786 RETBLEED_CMD_IBPB,
787 };
788
789 const char * const retbleed_strings[] = {
790 [RETBLEED_MITIGATION_NONE] = "Vulnerable",
791 [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk",
792 [RETBLEED_MITIGATION_IBPB] = "Mitigation: IBPB",
793 [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS",
794 [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS",
795 };
796
797 static enum retbleed_mitigation retbleed_mitigation __ro_after_init =
798 RETBLEED_MITIGATION_NONE;
799 static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =
800 RETBLEED_CMD_AUTO;
801
802 static int __ro_after_init retbleed_nosmt = false;
803
804 static int __init retbleed_parse_cmdline(char *str)
805 {
806 if (!str)
807 return -EINVAL;
808
809 while (str) {
810 char *next = strchr(str, ',');
811 if (next) {
812 *next = 0;
813 next++;
814 }
815
816 if (!strcmp(str, "off")) {
817 retbleed_cmd = RETBLEED_CMD_OFF;
818 } else if (!strcmp(str, "auto")) {
819 retbleed_cmd = RETBLEED_CMD_AUTO;
820 } else if (!strcmp(str, "unret")) {
821 retbleed_cmd = RETBLEED_CMD_UNRET;
822 } else if (!strcmp(str, "ibpb")) {
823 retbleed_cmd = RETBLEED_CMD_IBPB;
824 } else if (!strcmp(str, "nosmt")) {
825 retbleed_nosmt = true;
826 } else {
827 pr_err("Ignoring unknown retbleed option (%s).", str);
828 }
829
830 str = next;
831 }
832
833 return 0;
834 }
835 early_param("retbleed", retbleed_parse_cmdline);
836
837 #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n"
838 #define RETBLEED_COMPILER_MSG "WARNING: kernel not compiled with RETPOLINE or -mfunction-return capable compiler; falling back to IBPB!\n"
839 #define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n"
840
841 static void __init retbleed_select_mitigation(void)
842 {
843 bool mitigate_smt = false;
844
845 if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
846 return;
847
848 switch (retbleed_cmd) {
849 case RETBLEED_CMD_OFF:
850 return;
851
852 case RETBLEED_CMD_UNRET:
853 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
854 break;
855
856 case RETBLEED_CMD_IBPB:
857 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
858 break;
859
860 case RETBLEED_CMD_AUTO:
861 default:
862 if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
863 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)
864 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
865
866 /*
867 * The Intel mitigation (IBRS or eIBRS) was already selected in
868 * spectre_v2_select_mitigation(). 'retbleed_mitigation' will
869 * be set accordingly below.
870 */
871
872 break;
873 }
874
875 switch (retbleed_mitigation) {
876 case RETBLEED_MITIGATION_UNRET:
877
878 if (!IS_ENABLED(CONFIG_RETPOLINE) ||
879 !IS_ENABLED(CONFIG_CC_HAS_RETURN_THUNK)) {
880 pr_err(RETBLEED_COMPILER_MSG);
881 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
882 goto retbleed_force_ibpb;
883 }
884
885 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
886 setup_force_cpu_cap(X86_FEATURE_UNRET);
887
888 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
889 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
890 pr_err(RETBLEED_UNTRAIN_MSG);
891
892 mitigate_smt = true;
893 break;
894
895 case RETBLEED_MITIGATION_IBPB:
896 retbleed_force_ibpb:
897 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
898 mitigate_smt = true;
899 break;
900
901 default:
902 break;
903 }
904
905 if (mitigate_smt && !boot_cpu_has(X86_FEATURE_STIBP) &&
906 (retbleed_nosmt || cpu_mitigations_auto_nosmt()))
907 cpu_smt_disable(false);
908
909 /*
910 * Let IBRS trump all on Intel without affecting the effects of the
911 * retbleed= cmdline option.
912 */
913 if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
914 switch (spectre_v2_enabled) {
915 case SPECTRE_V2_IBRS:
916 retbleed_mitigation = RETBLEED_MITIGATION_IBRS;
917 break;
918 case SPECTRE_V2_EIBRS:
919 case SPECTRE_V2_EIBRS_RETPOLINE:
920 case SPECTRE_V2_EIBRS_LFENCE:
921 retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;
922 break;
923 default:
924 pr_err(RETBLEED_INTEL_MSG);
925 }
926 }
927
928 pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
929 }
930
931 #undef pr_fmt
932 #define pr_fmt(fmt) "Spectre V2 : " fmt
933
934 static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init =
935 SPECTRE_V2_USER_NONE;
936 static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init =
937 SPECTRE_V2_USER_NONE;
938
939 #ifdef CONFIG_RETPOLINE
940 static bool spectre_v2_bad_module;
941
942 bool retpoline_module_ok(bool has_retpoline)
943 {
944 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
945 return true;
946
947 pr_err("System may be vulnerable to spectre v2\n");
948 spectre_v2_bad_module = true;
949 return false;
950 }
951
952 static inline const char *spectre_v2_module_string(void)
953 {
954 return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
955 }
956 #else
957 static inline const char *spectre_v2_module_string(void) { return ""; }
958 #endif
959
960 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
961 #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
962 #define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
963
964 #ifdef CONFIG_BPF_SYSCALL
965 void unpriv_ebpf_notify(int new_state)
966 {
967 if (new_state)
968 return;
969
970 /* Unprivileged eBPF is enabled */
971
972 switch (spectre_v2_enabled) {
973 case SPECTRE_V2_EIBRS:
974 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
975 break;
976 case SPECTRE_V2_EIBRS_LFENCE:
977 if (sched_smt_active())
978 pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
979 break;
980 default:
981 break;
982 }
983 }
984 #endif
985
986 static inline bool match_option(const char *arg, int arglen, const char *opt)
987 {
988 int len = strlen(opt);
989
990 return len == arglen && !strncmp(arg, opt, len);
991 }
992
993 /* The kernel command line selection for spectre v2 */
994 enum spectre_v2_mitigation_cmd {
995 SPECTRE_V2_CMD_NONE,
996 SPECTRE_V2_CMD_AUTO,
997 SPECTRE_V2_CMD_FORCE,
998 SPECTRE_V2_CMD_RETPOLINE,
999 SPECTRE_V2_CMD_RETPOLINE_GENERIC,
1000 SPECTRE_V2_CMD_RETPOLINE_LFENCE,
1001 SPECTRE_V2_CMD_EIBRS,
1002 SPECTRE_V2_CMD_EIBRS_RETPOLINE,
1003 SPECTRE_V2_CMD_EIBRS_LFENCE,
1004 SPECTRE_V2_CMD_IBRS,
1005 };
1006
1007 enum spectre_v2_user_cmd {
1008 SPECTRE_V2_USER_CMD_NONE,
1009 SPECTRE_V2_USER_CMD_AUTO,
1010 SPECTRE_V2_USER_CMD_FORCE,
1011 SPECTRE_V2_USER_CMD_PRCTL,
1012 SPECTRE_V2_USER_CMD_PRCTL_IBPB,
1013 SPECTRE_V2_USER_CMD_SECCOMP,
1014 SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
1015 };
1016
1017 static const char * const spectre_v2_user_strings[] = {
1018 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable",
1019 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection",
1020 [SPECTRE_V2_USER_STRICT_PREFERRED] = "User space: Mitigation: STIBP always-on protection",
1021 [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl",
1022 [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl",
1023 };
1024
1025 static const struct {
1026 const char *option;
1027 enum spectre_v2_user_cmd cmd;
1028 bool secure;
1029 } v2_user_options[] __initconst = {
1030 { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
1031 { "off", SPECTRE_V2_USER_CMD_NONE, false },
1032 { "on", SPECTRE_V2_USER_CMD_FORCE, true },
1033 { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
1034 { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false },
1035 { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
1036 { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false },
1037 };
1038
1039 static void __init spec_v2_user_print_cond(const char *reason, bool secure)
1040 {
1041 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1042 pr_info("spectre_v2_user=%s forced on command line.\n", reason);
1043 }
1044
1045 static __ro_after_init enum spectre_v2_mitigation_cmd spectre_v2_cmd;
1046
1047 static enum spectre_v2_user_cmd __init
1048 spectre_v2_parse_user_cmdline(void)
1049 {
1050 char arg[20];
1051 int ret, i;
1052
1053 switch (spectre_v2_cmd) {
1054 case SPECTRE_V2_CMD_NONE:
1055 return SPECTRE_V2_USER_CMD_NONE;
1056 case SPECTRE_V2_CMD_FORCE:
1057 return SPECTRE_V2_USER_CMD_FORCE;
1058 default:
1059 break;
1060 }
1061
1062 ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
1063 arg, sizeof(arg));
1064 if (ret < 0)
1065 return SPECTRE_V2_USER_CMD_AUTO;
1066
1067 for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
1068 if (match_option(arg, ret, v2_user_options[i].option)) {
1069 spec_v2_user_print_cond(v2_user_options[i].option,
1070 v2_user_options[i].secure);
1071 return v2_user_options[i].cmd;
1072 }
1073 }
1074
1075 pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
1076 return SPECTRE_V2_USER_CMD_AUTO;
1077 }
1078
1079 static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
1080 {
1081 return mode == SPECTRE_V2_IBRS ||
1082 mode == SPECTRE_V2_EIBRS ||
1083 mode == SPECTRE_V2_EIBRS_RETPOLINE ||
1084 mode == SPECTRE_V2_EIBRS_LFENCE;
1085 }
1086
1087 static void __init
1088 spectre_v2_user_select_mitigation(void)
1089 {
1090 enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
1091 bool smt_possible = IS_ENABLED(CONFIG_SMP);
1092 enum spectre_v2_user_cmd cmd;
1093
1094 if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
1095 return;
1096
1097 if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
1098 cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
1099 smt_possible = false;
1100
1101 cmd = spectre_v2_parse_user_cmdline();
1102 switch (cmd) {
1103 case SPECTRE_V2_USER_CMD_NONE:
1104 goto set_mode;
1105 case SPECTRE_V2_USER_CMD_FORCE:
1106 mode = SPECTRE_V2_USER_STRICT;
1107 break;
1108 case SPECTRE_V2_USER_CMD_PRCTL:
1109 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1110 mode = SPECTRE_V2_USER_PRCTL;
1111 break;
1112 case SPECTRE_V2_USER_CMD_AUTO:
1113 case SPECTRE_V2_USER_CMD_SECCOMP:
1114 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1115 if (IS_ENABLED(CONFIG_SECCOMP))
1116 mode = SPECTRE_V2_USER_SECCOMP;
1117 else
1118 mode = SPECTRE_V2_USER_PRCTL;
1119 break;
1120 }
1121
1122 /* Initialize Indirect Branch Prediction Barrier */
1123 if (boot_cpu_has(X86_FEATURE_IBPB)) {
1124 setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
1125
1126 spectre_v2_user_ibpb = mode;
1127 switch (cmd) {
1128 case SPECTRE_V2_USER_CMD_FORCE:
1129 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1130 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1131 static_branch_enable(&switch_mm_always_ibpb);
1132 spectre_v2_user_ibpb = SPECTRE_V2_USER_STRICT;
1133 break;
1134 case SPECTRE_V2_USER_CMD_PRCTL:
1135 case SPECTRE_V2_USER_CMD_AUTO:
1136 case SPECTRE_V2_USER_CMD_SECCOMP:
1137 static_branch_enable(&switch_mm_cond_ibpb);
1138 break;
1139 default:
1140 break;
1141 }
1142
1143 pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
1144 static_key_enabled(&switch_mm_always_ibpb) ?
1145 "always-on" : "conditional");
1146 }
1147
1148 /*
1149 * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
1150 * STIBP is not required.
1151 */
1152 if (!boot_cpu_has(X86_FEATURE_STIBP) ||
1153 !smt_possible ||
1154 spectre_v2_in_ibrs_mode(spectre_v2_enabled))
1155 return;
1156
1157 /*
1158 * At this point, an STIBP mode other than "off" has been set.
1159 * If STIBP support is not being forced, check if STIBP always-on
1160 * is preferred.
1161 */
1162 if (mode != SPECTRE_V2_USER_STRICT &&
1163 boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
1164 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1165
1166 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) {
1167 if (mode != SPECTRE_V2_USER_STRICT &&
1168 mode != SPECTRE_V2_USER_STRICT_PREFERRED)
1169 pr_info("Selecting STIBP always-on mode to complement retbleed mitigation'\n");
1170 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1171 }
1172
1173 spectre_v2_user_stibp = mode;
1174
1175 set_mode:
1176 pr_info("%s\n", spectre_v2_user_strings[mode]);
1177 }
1178
1179 static const char * const spectre_v2_strings[] = {
1180 [SPECTRE_V2_NONE] = "Vulnerable",
1181 [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines",
1182 [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE",
1183 [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS",
1184 [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE",
1185 [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines",
1186 [SPECTRE_V2_IBRS] = "Mitigation: IBRS",
1187 };
1188
1189 static const struct {
1190 const char *option;
1191 enum spectre_v2_mitigation_cmd cmd;
1192 bool secure;
1193 } mitigation_options[] __initconst = {
1194 { "off", SPECTRE_V2_CMD_NONE, false },
1195 { "on", SPECTRE_V2_CMD_FORCE, true },
1196 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
1197 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1198 { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1199 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
1200 { "eibrs", SPECTRE_V2_CMD_EIBRS, false },
1201 { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false },
1202 { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false },
1203 { "auto", SPECTRE_V2_CMD_AUTO, false },
1204 { "ibrs", SPECTRE_V2_CMD_IBRS, false },
1205 };
1206
1207 static void __init spec_v2_print_cond(const char *reason, bool secure)
1208 {
1209 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1210 pr_info("%s selected on command line.\n", reason);
1211 }
1212
1213 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
1214 {
1215 enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
1216 char arg[20];
1217 int ret, i;
1218
1219 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
1220 cpu_mitigations_off())
1221 return SPECTRE_V2_CMD_NONE;
1222
1223 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
1224 if (ret < 0)
1225 return SPECTRE_V2_CMD_AUTO;
1226
1227 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
1228 if (!match_option(arg, ret, mitigation_options[i].option))
1229 continue;
1230 cmd = mitigation_options[i].cmd;
1231 break;
1232 }
1233
1234 if (i >= ARRAY_SIZE(mitigation_options)) {
1235 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1236 return SPECTRE_V2_CMD_AUTO;
1237 }
1238
1239 if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
1240 cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1241 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
1242 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1243 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1244 !IS_ENABLED(CONFIG_RETPOLINE)) {
1245 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1246 mitigation_options[i].option);
1247 return SPECTRE_V2_CMD_AUTO;
1248 }
1249
1250 if ((cmd == SPECTRE_V2_CMD_EIBRS ||
1251 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1252 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1253 !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1254 pr_err("%s selected but CPU doesn't have eIBRS. Switching to AUTO select\n",
1255 mitigation_options[i].option);
1256 return SPECTRE_V2_CMD_AUTO;
1257 }
1258
1259 if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1260 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
1261 !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
1262 pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n",
1263 mitigation_options[i].option);
1264 return SPECTRE_V2_CMD_AUTO;
1265 }
1266
1267 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {
1268 pr_err("%s selected but not Intel CPU. Switching to AUTO select\n",
1269 mitigation_options[i].option);
1270 return SPECTRE_V2_CMD_AUTO;
1271 }
1272
1273 if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {
1274 pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n",
1275 mitigation_options[i].option);
1276 return SPECTRE_V2_CMD_AUTO;
1277 }
1278
1279 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_has(X86_FEATURE_XENPV)) {
1280 pr_err("%s selected but running as XenPV guest. Switching to AUTO select\n",
1281 mitigation_options[i].option);
1282 return SPECTRE_V2_CMD_AUTO;
1283 }
1284
1285 spec_v2_print_cond(mitigation_options[i].option,
1286 mitigation_options[i].secure);
1287 return cmd;
1288 }
1289
1290 static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void)
1291 {
1292 if (!IS_ENABLED(CONFIG_RETPOLINE)) {
1293 pr_err("Kernel not compiled with retpoline; no mitigation available!");
1294 return SPECTRE_V2_NONE;
1295 }
1296
1297 return SPECTRE_V2_RETPOLINE;
1298 }
1299
1300 static void __init spectre_v2_select_mitigation(void)
1301 {
1302 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
1303 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
1304
1305 /*
1306 * If the CPU is not affected and the command line mode is NONE or AUTO
1307 * then nothing to do.
1308 */
1309 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
1310 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
1311 return;
1312
1313 switch (cmd) {
1314 case SPECTRE_V2_CMD_NONE:
1315 return;
1316
1317 case SPECTRE_V2_CMD_FORCE:
1318 case SPECTRE_V2_CMD_AUTO:
1319 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1320 mode = SPECTRE_V2_EIBRS;
1321 break;
1322 }
1323
1324 if (boot_cpu_has_bug(X86_BUG_RETBLEED) &&
1325 retbleed_cmd != RETBLEED_CMD_OFF &&
1326 boot_cpu_has(X86_FEATURE_IBRS) &&
1327 boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
1328 mode = SPECTRE_V2_IBRS;
1329 break;
1330 }
1331
1332 mode = spectre_v2_select_retpoline();
1333 break;
1334
1335 case SPECTRE_V2_CMD_RETPOLINE_LFENCE:
1336 pr_err(SPECTRE_V2_LFENCE_MSG);
1337 mode = SPECTRE_V2_LFENCE;
1338 break;
1339
1340 case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
1341 mode = SPECTRE_V2_RETPOLINE;
1342 break;
1343
1344 case SPECTRE_V2_CMD_RETPOLINE:
1345 mode = spectre_v2_select_retpoline();
1346 break;
1347
1348 case SPECTRE_V2_CMD_IBRS:
1349 mode = SPECTRE_V2_IBRS;
1350 break;
1351
1352 case SPECTRE_V2_CMD_EIBRS:
1353 mode = SPECTRE_V2_EIBRS;
1354 break;
1355
1356 case SPECTRE_V2_CMD_EIBRS_LFENCE:
1357 mode = SPECTRE_V2_EIBRS_LFENCE;
1358 break;
1359
1360 case SPECTRE_V2_CMD_EIBRS_RETPOLINE:
1361 mode = SPECTRE_V2_EIBRS_RETPOLINE;
1362 break;
1363 }
1364
1365 if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
1366 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
1367
1368 if (spectre_v2_in_ibrs_mode(mode)) {
1369 x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
1370 write_spec_ctrl_current(x86_spec_ctrl_base, true);
1371 }
1372
1373 switch (mode) {
1374 case SPECTRE_V2_NONE:
1375 case SPECTRE_V2_EIBRS:
1376 break;
1377
1378 case SPECTRE_V2_IBRS:
1379 setup_force_cpu_cap(X86_FEATURE_KERNEL_IBRS);
1380 break;
1381
1382 case SPECTRE_V2_LFENCE:
1383 case SPECTRE_V2_EIBRS_LFENCE:
1384 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE);
1385 fallthrough;
1386
1387 case SPECTRE_V2_RETPOLINE:
1388 case SPECTRE_V2_EIBRS_RETPOLINE:
1389 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
1390 break;
1391 }
1392
1393 spectre_v2_enabled = mode;
1394 pr_info("%s\n", spectre_v2_strings[mode]);
1395
1396 /*
1397 * If Spectre v2 protection has been enabled, fill the RSB during a
1398 * context switch. In general there are two types of RSB attacks
1399 * across context switches, for which the CALLs/RETs may be unbalanced.
1400 *
1401 * 1) RSB underflow
1402 *
1403 * Some Intel parts have "bottomless RSB". When the RSB is empty,
1404 * speculated return targets may come from the branch predictor,
1405 * which could have a user-poisoned BTB or BHB entry.
1406 *
1407 * AMD has it even worse: *all* returns are speculated from the BTB,
1408 * regardless of the state of the RSB.
1409 *
1410 * When IBRS or eIBRS is enabled, the "user -> kernel" attack
1411 * scenario is mitigated by the IBRS branch prediction isolation
1412 * properties, so the RSB buffer filling wouldn't be necessary to
1413 * protect against this type of attack.
1414 *
1415 * The "user -> user" attack scenario is mitigated by RSB filling.
1416 *
1417 * 2) Poisoned RSB entry
1418 *
1419 * If the 'next' in-kernel return stack is shorter than 'prev',
1420 * 'next' could be tricked into speculating with a user-poisoned RSB
1421 * entry.
1422 *
1423 * The "user -> kernel" attack scenario is mitigated by SMEP and
1424 * eIBRS.
1425 *
1426 * The "user -> user" scenario, also known as SpectreBHB, requires
1427 * RSB clearing.
1428 *
1429 * So to mitigate all cases, unconditionally fill RSB on context
1430 * switches.
1431 *
1432 * FIXME: Is this pointless for retbleed-affected AMD?
1433 */
1434 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
1435 pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
1436
1437 /*
1438 * Similar to context switches, there are two types of RSB attacks
1439 * after vmexit:
1440 *
1441 * 1) RSB underflow
1442 *
1443 * 2) Poisoned RSB entry
1444 *
1445 * When retpoline is enabled, both are mitigated by filling/clearing
1446 * the RSB.
1447 *
1448 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
1449 * prediction isolation protections, RSB still needs to be cleared
1450 * because of #2. Note that SMEP provides no protection here, unlike
1451 * user-space-poisoned RSB entries.
1452 *
1453 * eIBRS, on the other hand, has RSB-poisoning protections, so it
1454 * doesn't need RSB clearing after vmexit.
1455 */
1456 if (boot_cpu_has(X86_FEATURE_RETPOLINE) ||
1457 boot_cpu_has(X86_FEATURE_KERNEL_IBRS))
1458 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
1459
1460 /*
1461 * Retpoline protects the kernel, but doesn't protect firmware. IBRS
1462 * and Enhanced IBRS protect firmware too, so enable IBRS around
1463 * firmware calls only when IBRS / Enhanced IBRS aren't otherwise
1464 * enabled.
1465 *
1466 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
1467 * the user might select retpoline on the kernel command line and if
1468 * the CPU supports Enhanced IBRS, kernel might un-intentionally not
1469 * enable IBRS around firmware calls.
1470 */
1471 if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_ibrs_mode(mode)) {
1472 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
1473 pr_info("Enabling Restricted Speculation for firmware calls\n");
1474 }
1475
1476 /* Set up IBPB and STIBP depending on the general spectre V2 command */
1477 spectre_v2_cmd = cmd;
1478 }
1479
1480 static void update_stibp_msr(void * __unused)
1481 {
1482 u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP);
1483 write_spec_ctrl_current(val, true);
1484 }
1485
1486 /* Update x86_spec_ctrl_base in case SMT state changed. */
1487 static void update_stibp_strict(void)
1488 {
1489 u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP;
1490
1491 if (sched_smt_active())
1492 mask |= SPEC_CTRL_STIBP;
1493
1494 if (mask == x86_spec_ctrl_base)
1495 return;
1496
1497 pr_info("Update user space SMT mitigation: STIBP %s\n",
1498 mask & SPEC_CTRL_STIBP ? "always-on" : "off");
1499 x86_spec_ctrl_base = mask;
1500 on_each_cpu(update_stibp_msr, NULL, 1);
1501 }
1502
1503 /* Update the static key controlling the evaluation of TIF_SPEC_IB */
1504 static void update_indir_branch_cond(void)
1505 {
1506 if (sched_smt_active())
1507 static_branch_enable(&switch_to_cond_stibp);
1508 else
1509 static_branch_disable(&switch_to_cond_stibp);
1510 }
1511
1512 #undef pr_fmt
1513 #define pr_fmt(fmt) fmt
1514
1515 /* Update the static key controlling the MDS CPU buffer clear in idle */
1516 static void update_mds_branch_idle(void)
1517 {
1518 u64 ia32_cap = x86_read_arch_cap_msr();
1519
1520 /*
1521 * Enable the idle clearing if SMT is active on CPUs which are
1522 * affected only by MSBDS and not any other MDS variant.
1523 *
1524 * The other variants cannot be mitigated when SMT is enabled, so
1525 * clearing the buffers on idle just to prevent the Store Buffer
1526 * repartitioning leak would be a window dressing exercise.
1527 */
1528 if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY))
1529 return;
1530
1531 if (sched_smt_active()) {
1532 static_branch_enable(&mds_idle_clear);
1533 } else if (mmio_mitigation == MMIO_MITIGATION_OFF ||
1534 (ia32_cap & ARCH_CAP_FBSDP_NO)) {
1535 static_branch_disable(&mds_idle_clear);
1536 }
1537 }
1538
1539 #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
1540 #define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n"
1541 #define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.\n"
1542
1543 void cpu_bugs_smt_update(void)
1544 {
1545 mutex_lock(&spec_ctrl_mutex);
1546
1547 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
1548 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
1549 pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
1550
1551 switch (spectre_v2_user_stibp) {
1552 case SPECTRE_V2_USER_NONE:
1553 break;
1554 case SPECTRE_V2_USER_STRICT:
1555 case SPECTRE_V2_USER_STRICT_PREFERRED:
1556 update_stibp_strict();
1557 break;
1558 case SPECTRE_V2_USER_PRCTL:
1559 case SPECTRE_V2_USER_SECCOMP:
1560 update_indir_branch_cond();
1561 break;
1562 }
1563
1564 switch (mds_mitigation) {
1565 case MDS_MITIGATION_FULL:
1566 case MDS_MITIGATION_VMWERV:
1567 if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
1568 pr_warn_once(MDS_MSG_SMT);
1569 update_mds_branch_idle();
1570 break;
1571 case MDS_MITIGATION_OFF:
1572 break;
1573 }
1574
1575 switch (taa_mitigation) {
1576 case TAA_MITIGATION_VERW:
1577 case TAA_MITIGATION_UCODE_NEEDED:
1578 if (sched_smt_active())
1579 pr_warn_once(TAA_MSG_SMT);
1580 break;
1581 case TAA_MITIGATION_TSX_DISABLED:
1582 case TAA_MITIGATION_OFF:
1583 break;
1584 }
1585
1586 switch (mmio_mitigation) {
1587 case MMIO_MITIGATION_VERW:
1588 case MMIO_MITIGATION_UCODE_NEEDED:
1589 if (sched_smt_active())
1590 pr_warn_once(MMIO_MSG_SMT);
1591 break;
1592 case MMIO_MITIGATION_OFF:
1593 break;
1594 }
1595
1596 mutex_unlock(&spec_ctrl_mutex);
1597 }
1598
1599 #undef pr_fmt
1600 #define pr_fmt(fmt) "Speculative Store Bypass: " fmt
1601
1602 static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
1603
1604 /* The kernel command line selection */
1605 enum ssb_mitigation_cmd {
1606 SPEC_STORE_BYPASS_CMD_NONE,
1607 SPEC_STORE_BYPASS_CMD_AUTO,
1608 SPEC_STORE_BYPASS_CMD_ON,
1609 SPEC_STORE_BYPASS_CMD_PRCTL,
1610 SPEC_STORE_BYPASS_CMD_SECCOMP,
1611 };
1612
1613 static const char * const ssb_strings[] = {
1614 [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
1615 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
1616 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
1617 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
1618 };
1619
1620 static const struct {
1621 const char *option;
1622 enum ssb_mitigation_cmd cmd;
1623 } ssb_mitigation_options[] __initconst = {
1624 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
1625 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
1626 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
1627 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
1628 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
1629 };
1630
1631 static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
1632 {
1633 enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
1634 char arg[20];
1635 int ret, i;
1636
1637 if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
1638 cpu_mitigations_off()) {
1639 return SPEC_STORE_BYPASS_CMD_NONE;
1640 } else {
1641 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
1642 arg, sizeof(arg));
1643 if (ret < 0)
1644 return SPEC_STORE_BYPASS_CMD_AUTO;
1645
1646 for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
1647 if (!match_option(arg, ret, ssb_mitigation_options[i].option))
1648 continue;
1649
1650 cmd = ssb_mitigation_options[i].cmd;
1651 break;
1652 }
1653
1654 if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
1655 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1656 return SPEC_STORE_BYPASS_CMD_AUTO;
1657 }
1658 }
1659
1660 return cmd;
1661 }
1662
1663 static enum ssb_mitigation __init __ssb_select_mitigation(void)
1664 {
1665 enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
1666 enum ssb_mitigation_cmd cmd;
1667
1668 if (!boot_cpu_has(X86_FEATURE_SSBD))
1669 return mode;
1670
1671 cmd = ssb_parse_cmdline();
1672 if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
1673 (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
1674 cmd == SPEC_STORE_BYPASS_CMD_AUTO))
1675 return mode;
1676
1677 switch (cmd) {
1678 case SPEC_STORE_BYPASS_CMD_AUTO:
1679 case SPEC_STORE_BYPASS_CMD_SECCOMP:
1680 /*
1681 * Choose prctl+seccomp as the default mode if seccomp is
1682 * enabled.
1683 */
1684 if (IS_ENABLED(CONFIG_SECCOMP))
1685 mode = SPEC_STORE_BYPASS_SECCOMP;
1686 else
1687 mode = SPEC_STORE_BYPASS_PRCTL;
1688 break;
1689 case SPEC_STORE_BYPASS_CMD_ON:
1690 mode = SPEC_STORE_BYPASS_DISABLE;
1691 break;
1692 case SPEC_STORE_BYPASS_CMD_PRCTL:
1693 mode = SPEC_STORE_BYPASS_PRCTL;
1694 break;
1695 case SPEC_STORE_BYPASS_CMD_NONE:
1696 break;
1697 }
1698
1699 /*
1700 * We have three CPU feature flags that are in play here:
1701 * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
1702 * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
1703 * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
1704 */
1705 if (mode == SPEC_STORE_BYPASS_DISABLE) {
1706 setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
1707 /*
1708 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
1709 * use a completely different MSR and bit dependent on family.
1710 */
1711 if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
1712 !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
1713 x86_amd_ssb_disable();
1714 } else {
1715 x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
1716 write_spec_ctrl_current(x86_spec_ctrl_base, true);
1717 }
1718 }
1719
1720 return mode;
1721 }
1722
1723 static void ssb_select_mitigation(void)
1724 {
1725 ssb_mode = __ssb_select_mitigation();
1726
1727 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
1728 pr_info("%s\n", ssb_strings[ssb_mode]);
1729 }
1730
1731 #undef pr_fmt
1732 #define pr_fmt(fmt) "Speculation prctl: " fmt
1733
1734 static void task_update_spec_tif(struct task_struct *tsk)
1735 {
1736 /* Force the update of the real TIF bits */
1737 set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE);
1738
1739 /*
1740 * Immediately update the speculation control MSRs for the current
1741 * task, but for a non-current task delay setting the CPU
1742 * mitigation until it is scheduled next.
1743 *
1744 * This can only happen for SECCOMP mitigation. For PRCTL it's
1745 * always the current task.
1746 */
1747 if (tsk == current)
1748 speculation_ctrl_update_current();
1749 }
1750
1751 static int l1d_flush_prctl_set(struct task_struct *task, unsigned long ctrl)
1752 {
1753
1754 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
1755 return -EPERM;
1756
1757 switch (ctrl) {
1758 case PR_SPEC_ENABLE:
1759 set_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
1760 return 0;
1761 case PR_SPEC_DISABLE:
1762 clear_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
1763 return 0;
1764 default:
1765 return -ERANGE;
1766 }
1767 }
1768
1769 static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
1770 {
1771 if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
1772 ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
1773 return -ENXIO;
1774
1775 switch (ctrl) {
1776 case PR_SPEC_ENABLE:
1777 /* If speculation is force disabled, enable is not allowed */
1778 if (task_spec_ssb_force_disable(task))
1779 return -EPERM;
1780 task_clear_spec_ssb_disable(task);
1781 task_clear_spec_ssb_noexec(task);
1782 task_update_spec_tif(task);
1783 break;
1784 case PR_SPEC_DISABLE:
1785 task_set_spec_ssb_disable(task);
1786 task_clear_spec_ssb_noexec(task);
1787 task_update_spec_tif(task);
1788 break;
1789 case PR_SPEC_FORCE_DISABLE:
1790 task_set_spec_ssb_disable(task);
1791 task_set_spec_ssb_force_disable(task);
1792 task_clear_spec_ssb_noexec(task);
1793 task_update_spec_tif(task);
1794 break;
1795 case PR_SPEC_DISABLE_NOEXEC:
1796 if (task_spec_ssb_force_disable(task))
1797 return -EPERM;
1798 task_set_spec_ssb_disable(task);
1799 task_set_spec_ssb_noexec(task);
1800 task_update_spec_tif(task);
1801 break;
1802 default:
1803 return -ERANGE;
1804 }
1805 return 0;
1806 }
1807
1808 static bool is_spec_ib_user_controlled(void)
1809 {
1810 return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL ||
1811 spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
1812 spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL ||
1813 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP;
1814 }
1815
1816 static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
1817 {
1818 switch (ctrl) {
1819 case PR_SPEC_ENABLE:
1820 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
1821 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
1822 return 0;
1823
1824 /*
1825 * With strict mode for both IBPB and STIBP, the instruction
1826 * code paths avoid checking this task flag and instead,
1827 * unconditionally run the instruction. However, STIBP and IBPB
1828 * are independent and either can be set to conditionally
1829 * enabled regardless of the mode of the other.
1830 *
1831 * If either is set to conditional, allow the task flag to be
1832 * updated, unless it was force-disabled by a previous prctl
1833 * call. Currently, this is possible on an AMD CPU which has the
1834 * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the
1835 * kernel is booted with 'spectre_v2_user=seccomp', then
1836 * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and
1837 * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED.
1838 */
1839 if (!is_spec_ib_user_controlled() ||
1840 task_spec_ib_force_disable(task))
1841 return -EPERM;
1842
1843 task_clear_spec_ib_disable(task);
1844 task_update_spec_tif(task);
1845 break;
1846 case PR_SPEC_DISABLE:
1847 case PR_SPEC_FORCE_DISABLE:
1848 /*
1849 * Indirect branch speculation is always allowed when
1850 * mitigation is force disabled.
1851 */
1852 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
1853 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
1854 return -EPERM;
1855
1856 if (!is_spec_ib_user_controlled())
1857 return 0;
1858
1859 task_set_spec_ib_disable(task);
1860 if (ctrl == PR_SPEC_FORCE_DISABLE)
1861 task_set_spec_ib_force_disable(task);
1862 task_update_spec_tif(task);
1863 break;
1864 default:
1865 return -ERANGE;
1866 }
1867 return 0;
1868 }
1869
1870 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
1871 unsigned long ctrl)
1872 {
1873 switch (which) {
1874 case PR_SPEC_STORE_BYPASS:
1875 return ssb_prctl_set(task, ctrl);
1876 case PR_SPEC_INDIRECT_BRANCH:
1877 return ib_prctl_set(task, ctrl);
1878 case PR_SPEC_L1D_FLUSH:
1879 return l1d_flush_prctl_set(task, ctrl);
1880 default:
1881 return -ENODEV;
1882 }
1883 }
1884
1885 #ifdef CONFIG_SECCOMP
1886 void arch_seccomp_spec_mitigate(struct task_struct *task)
1887 {
1888 if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
1889 ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1890 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
1891 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP)
1892 ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1893 }
1894 #endif
1895
1896 static int l1d_flush_prctl_get(struct task_struct *task)
1897 {
1898 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
1899 return PR_SPEC_FORCE_DISABLE;
1900
1901 if (test_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH))
1902 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
1903 else
1904 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
1905 }
1906
1907 static int ssb_prctl_get(struct task_struct *task)
1908 {
1909 switch (ssb_mode) {
1910 case SPEC_STORE_BYPASS_DISABLE:
1911 return PR_SPEC_DISABLE;
1912 case SPEC_STORE_BYPASS_SECCOMP:
1913 case SPEC_STORE_BYPASS_PRCTL:
1914 if (task_spec_ssb_force_disable(task))
1915 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
1916 if (task_spec_ssb_noexec(task))
1917 return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
1918 if (task_spec_ssb_disable(task))
1919 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
1920 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
1921 default:
1922 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
1923 return PR_SPEC_ENABLE;
1924 return PR_SPEC_NOT_AFFECTED;
1925 }
1926 }
1927
1928 static int ib_prctl_get(struct task_struct *task)
1929 {
1930 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
1931 return PR_SPEC_NOT_AFFECTED;
1932
1933 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
1934 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
1935 return PR_SPEC_ENABLE;
1936 else if (is_spec_ib_user_controlled()) {
1937 if (task_spec_ib_force_disable(task))
1938 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
1939 if (task_spec_ib_disable(task))
1940 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
1941 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
1942 } else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
1943 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
1944 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED)
1945 return PR_SPEC_DISABLE;
1946 else
1947 return PR_SPEC_NOT_AFFECTED;
1948 }
1949
1950 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
1951 {
1952 switch (which) {
1953 case PR_SPEC_STORE_BYPASS:
1954 return ssb_prctl_get(task);
1955 case PR_SPEC_INDIRECT_BRANCH:
1956 return ib_prctl_get(task);
1957 case PR_SPEC_L1D_FLUSH:
1958 return l1d_flush_prctl_get(task);
1959 default:
1960 return -ENODEV;
1961 }
1962 }
1963
1964 void x86_spec_ctrl_setup_ap(void)
1965 {
1966 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
1967 write_spec_ctrl_current(x86_spec_ctrl_base, true);
1968
1969 if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
1970 x86_amd_ssb_disable();
1971 }
1972
1973 bool itlb_multihit_kvm_mitigation;
1974 EXPORT_SYMBOL_GPL(itlb_multihit_kvm_mitigation);
1975
1976 #undef pr_fmt
1977 #define pr_fmt(fmt) "L1TF: " fmt
1978
1979 /* Default mitigation for L1TF-affected CPUs */
1980 enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
1981 #if IS_ENABLED(CONFIG_KVM_INTEL)
1982 EXPORT_SYMBOL_GPL(l1tf_mitigation);
1983 #endif
1984 enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
1985 EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
1986
1987 /*
1988 * These CPUs all support 44bits physical address space internally in the
1989 * cache but CPUID can report a smaller number of physical address bits.
1990 *
1991 * The L1TF mitigation uses the top most address bit for the inversion of
1992 * non present PTEs. When the installed memory reaches into the top most
1993 * address bit due to memory holes, which has been observed on machines
1994 * which report 36bits physical address bits and have 32G RAM installed,
1995 * then the mitigation range check in l1tf_select_mitigation() triggers.
1996 * This is a false positive because the mitigation is still possible due to
1997 * the fact that the cache uses 44bit internally. Use the cache bits
1998 * instead of the reported physical bits and adjust them on the affected
1999 * machines to 44bit if the reported bits are less than 44.
2000 */
2001 static void override_cache_bits(struct cpuinfo_x86 *c)
2002 {
2003 if (c->x86 != 6)
2004 return;
2005
2006 switch (c->x86_model) {
2007 case INTEL_FAM6_NEHALEM:
2008 case INTEL_FAM6_WESTMERE:
2009 case INTEL_FAM6_SANDYBRIDGE:
2010 case INTEL_FAM6_IVYBRIDGE:
2011 case INTEL_FAM6_HASWELL:
2012 case INTEL_FAM6_HASWELL_L:
2013 case INTEL_FAM6_HASWELL_G:
2014 case INTEL_FAM6_BROADWELL:
2015 case INTEL_FAM6_BROADWELL_G:
2016 case INTEL_FAM6_SKYLAKE_L:
2017 case INTEL_FAM6_SKYLAKE:
2018 case INTEL_FAM6_KABYLAKE_L:
2019 case INTEL_FAM6_KABYLAKE:
2020 if (c->x86_cache_bits < 44)
2021 c->x86_cache_bits = 44;
2022 break;
2023 }
2024 }
2025
2026 static void __init l1tf_select_mitigation(void)
2027 {
2028 u64 half_pa;
2029
2030 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2031 return;
2032
2033 if (cpu_mitigations_off())
2034 l1tf_mitigation = L1TF_MITIGATION_OFF;
2035 else if (cpu_mitigations_auto_nosmt())
2036 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2037
2038 override_cache_bits(&boot_cpu_data);
2039
2040 switch (l1tf_mitigation) {
2041 case L1TF_MITIGATION_OFF:
2042 case L1TF_MITIGATION_FLUSH_NOWARN:
2043 case L1TF_MITIGATION_FLUSH:
2044 break;
2045 case L1TF_MITIGATION_FLUSH_NOSMT:
2046 case L1TF_MITIGATION_FULL:
2047 cpu_smt_disable(false);
2048 break;
2049 case L1TF_MITIGATION_FULL_FORCE:
2050 cpu_smt_disable(true);
2051 break;
2052 }
2053
2054 #if CONFIG_PGTABLE_LEVELS == 2
2055 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
2056 return;
2057 #endif
2058
2059 half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
2060 if (l1tf_mitigation != L1TF_MITIGATION_OFF &&
2061 e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
2062 pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
2063 pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
2064 half_pa);
2065 pr_info("However, doing so will make a part of your RAM unusable.\n");
2066 pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n");
2067 return;
2068 }
2069
2070 setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
2071 }
2072
2073 static int __init l1tf_cmdline(char *str)
2074 {
2075 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2076 return 0;
2077
2078 if (!str)
2079 return -EINVAL;
2080
2081 if (!strcmp(str, "off"))
2082 l1tf_mitigation = L1TF_MITIGATION_OFF;
2083 else if (!strcmp(str, "flush,nowarn"))
2084 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN;
2085 else if (!strcmp(str, "flush"))
2086 l1tf_mitigation = L1TF_MITIGATION_FLUSH;
2087 else if (!strcmp(str, "flush,nosmt"))
2088 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2089 else if (!strcmp(str, "full"))
2090 l1tf_mitigation = L1TF_MITIGATION_FULL;
2091 else if (!strcmp(str, "full,force"))
2092 l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;
2093
2094 return 0;
2095 }
2096 early_param("l1tf", l1tf_cmdline);
2097
2098 #undef pr_fmt
2099 #define pr_fmt(fmt) fmt
2100
2101 #ifdef CONFIG_SYSFS
2102
2103 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
2104
2105 #if IS_ENABLED(CONFIG_KVM_INTEL)
2106 static const char * const l1tf_vmx_states[] = {
2107 [VMENTER_L1D_FLUSH_AUTO] = "auto",
2108 [VMENTER_L1D_FLUSH_NEVER] = "vulnerable",
2109 [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes",
2110 [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes",
2111 [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled",
2112 [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary"
2113 };
2114
2115 static ssize_t l1tf_show_state(char *buf)
2116 {
2117 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
2118 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
2119
2120 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
2121 (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
2122 sched_smt_active())) {
2123 return sprintf(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
2124 l1tf_vmx_states[l1tf_vmx_mitigation]);
2125 }
2126
2127 return sprintf(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
2128 l1tf_vmx_states[l1tf_vmx_mitigation],
2129 sched_smt_active() ? "vulnerable" : "disabled");
2130 }
2131
2132 static ssize_t itlb_multihit_show_state(char *buf)
2133 {
2134 if (!boot_cpu_has(X86_FEATURE_MSR_IA32_FEAT_CTL) ||
2135 !boot_cpu_has(X86_FEATURE_VMX))
2136 return sprintf(buf, "KVM: Mitigation: VMX unsupported\n");
2137 else if (!(cr4_read_shadow() & X86_CR4_VMXE))
2138 return sprintf(buf, "KVM: Mitigation: VMX disabled\n");
2139 else if (itlb_multihit_kvm_mitigation)
2140 return sprintf(buf, "KVM: Mitigation: Split huge pages\n");
2141 else
2142 return sprintf(buf, "KVM: Vulnerable\n");
2143 }
2144 #else
2145 static ssize_t l1tf_show_state(char *buf)
2146 {
2147 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
2148 }
2149
2150 static ssize_t itlb_multihit_show_state(char *buf)
2151 {
2152 return sprintf(buf, "Processor vulnerable\n");
2153 }
2154 #endif
2155
2156 static ssize_t mds_show_state(char *buf)
2157 {
2158 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2159 return sprintf(buf, "%s; SMT Host state unknown\n",
2160 mds_strings[mds_mitigation]);
2161 }
2162
2163 if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
2164 return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
2165 (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
2166 sched_smt_active() ? "mitigated" : "disabled"));
2167 }
2168
2169 return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
2170 sched_smt_active() ? "vulnerable" : "disabled");
2171 }
2172
2173 static ssize_t tsx_async_abort_show_state(char *buf)
2174 {
2175 if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
2176 (taa_mitigation == TAA_MITIGATION_OFF))
2177 return sprintf(buf, "%s\n", taa_strings[taa_mitigation]);
2178
2179 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2180 return sprintf(buf, "%s; SMT Host state unknown\n",
2181 taa_strings[taa_mitigation]);
2182 }
2183
2184 return sprintf(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
2185 sched_smt_active() ? "vulnerable" : "disabled");
2186 }
2187
2188 static ssize_t mmio_stale_data_show_state(char *buf)
2189 {
2190 if (mmio_mitigation == MMIO_MITIGATION_OFF)
2191 return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);
2192
2193 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2194 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
2195 mmio_strings[mmio_mitigation]);
2196 }
2197
2198 return sysfs_emit(buf, "%s; SMT %s\n", mmio_strings[mmio_mitigation],
2199 sched_smt_active() ? "vulnerable" : "disabled");
2200 }
2201
2202 static char *stibp_state(void)
2203 {
2204 if (spectre_v2_in_ibrs_mode(spectre_v2_enabled))
2205 return "";
2206
2207 switch (spectre_v2_user_stibp) {
2208 case SPECTRE_V2_USER_NONE:
2209 return ", STIBP: disabled";
2210 case SPECTRE_V2_USER_STRICT:
2211 return ", STIBP: forced";
2212 case SPECTRE_V2_USER_STRICT_PREFERRED:
2213 return ", STIBP: always-on";
2214 case SPECTRE_V2_USER_PRCTL:
2215 case SPECTRE_V2_USER_SECCOMP:
2216 if (static_key_enabled(&switch_to_cond_stibp))
2217 return ", STIBP: conditional";
2218 }
2219 return "";
2220 }
2221
2222 static char *ibpb_state(void)
2223 {
2224 if (boot_cpu_has(X86_FEATURE_IBPB)) {
2225 if (static_key_enabled(&switch_mm_always_ibpb))
2226 return ", IBPB: always-on";
2227 if (static_key_enabled(&switch_mm_cond_ibpb))
2228 return ", IBPB: conditional";
2229 return ", IBPB: disabled";
2230 }
2231 return "";
2232 }
2233
2234 static ssize_t spectre_v2_show_state(char *buf)
2235 {
2236 if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
2237 return sprintf(buf, "Vulnerable: LFENCE\n");
2238
2239 if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
2240 return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
2241
2242 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
2243 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
2244 return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
2245
2246 return sprintf(buf, "%s%s%s%s%s%s\n",
2247 spectre_v2_strings[spectre_v2_enabled],
2248 ibpb_state(),
2249 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
2250 stibp_state(),
2251 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
2252 spectre_v2_module_string());
2253 }
2254
2255 static ssize_t srbds_show_state(char *buf)
2256 {
2257 return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
2258 }
2259
2260 static ssize_t retbleed_show_state(char *buf)
2261 {
2262 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) {
2263 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
2264 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
2265 return sprintf(buf, "Vulnerable: untrained return thunk on non-Zen uarch\n");
2266
2267 return sprintf(buf, "%s; SMT %s\n",
2268 retbleed_strings[retbleed_mitigation],
2269 !sched_smt_active() ? "disabled" :
2270 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
2271 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ?
2272 "enabled with STIBP protection" : "vulnerable");
2273 }
2274
2275 return sprintf(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
2276 }
2277
2278 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
2279 char *buf, unsigned int bug)
2280 {
2281 if (!boot_cpu_has_bug(bug))
2282 return sprintf(buf, "Not affected\n");
2283
2284 switch (bug) {
2285 case X86_BUG_CPU_MELTDOWN:
2286 if (boot_cpu_has(X86_FEATURE_PTI))
2287 return sprintf(buf, "Mitigation: PTI\n");
2288
2289 if (hypervisor_is_type(X86_HYPER_XEN_PV))
2290 return sprintf(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");
2291
2292 break;
2293
2294 case X86_BUG_SPECTRE_V1:
2295 return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
2296
2297 case X86_BUG_SPECTRE_V2:
2298 return spectre_v2_show_state(buf);
2299
2300 case X86_BUG_SPEC_STORE_BYPASS:
2301 return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
2302
2303 case X86_BUG_L1TF:
2304 if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
2305 return l1tf_show_state(buf);
2306 break;
2307
2308 case X86_BUG_MDS:
2309 return mds_show_state(buf);
2310
2311 case X86_BUG_TAA:
2312 return tsx_async_abort_show_state(buf);
2313
2314 case X86_BUG_ITLB_MULTIHIT:
2315 return itlb_multihit_show_state(buf);
2316
2317 case X86_BUG_SRBDS:
2318 return srbds_show_state(buf);
2319
2320 case X86_BUG_MMIO_STALE_DATA:
2321 return mmio_stale_data_show_state(buf);
2322
2323 case X86_BUG_RETBLEED:
2324 return retbleed_show_state(buf);
2325
2326 default:
2327 break;
2328 }
2329
2330 return sprintf(buf, "Vulnerable\n");
2331 }
2332
2333 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
2334 {
2335 return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
2336 }
2337
2338 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
2339 {
2340 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
2341 }
2342
2343 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
2344 {
2345 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
2346 }
2347
2348 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
2349 {
2350 return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
2351 }
2352
2353 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
2354 {
2355 return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
2356 }
2357
2358 ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *buf)
2359 {
2360 return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
2361 }
2362
2363 ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)
2364 {
2365 return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
2366 }
2367
2368 ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf)
2369 {
2370 return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
2371 }
2372
2373 ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf)
2374 {
2375 return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS);
2376 }
2377
2378 ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)
2379 {
2380 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
2381 }
2382
2383 ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)
2384 {
2385 return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
2386 }
2387 #endif
Ubuntu Jammy Linux kernel mirror