From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Date: Wed, 12 Jul 2023 19:43:13 -0700
Subject: [PATCH] x86/speculation: Add Kconfig option for GDS

Gather Data Sampling (GDS) is mitigated in microcode. However, on
systems that haven't received the updated microcode, disabling AVX
can act as a mitigation. Add a Kconfig option that uses the microcode
mitigation if available and disables AVX otherwise. Setting this
option has no effect on systems not affected by GDS. This is the
equivalent of setting gather_data_sampling=force.

Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>

(cherry picked from commit 53cf5797f114ba2bd86d23a862302119848eff19)

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
(cherry picked from commit 92bd969bbe475c5bca376d007ed6558085b237ba)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

 arch/x86/Kconfig           | 19 +++++++++++++++++++
 arch/x86/kernel/cpu/bugs.c |  4 ++++
 2 files changed, 23 insertions(+)
30 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
31 index 598a303819da..8451e0f36c66 100644
32 --- a/arch/x86/Kconfig
33 +++ b/arch/x86/Kconfig
34 @@ -2640,6 +2640,25 @@ config SLS
35 against straight line speculation. The kernel image might be slightly
38 +config GDS_FORCE_MITIGATION
39 + bool "Force GDS Mitigation"
40 + depends on CPU_SUP_INTEL
43 + Gather Data Sampling (GDS) is a hardware vulnerability which allows
44 + unprivileged speculative access to data which was previously stored in
47 + This option is equivalent to setting gather_data_sampling=force on the
48 + command line. The microcode mitigation is used if present, otherwise
49 + AVX is disabled as a mitigation. On affected systems that are missing
50 + the microcode any userspace code that unconditionally uses AVX will
51 + break with this option set.
53 + Setting this option on systems not vulnerable to GDS has no effect.
59 config ARCH_HAS_ADD_PAGES
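Review bot: the GDS_FORCE_MITIGATION help text says the option is equivalent to gather_data_sampling=force but does not state which setting wins when both are present; since the bugs.c part of this patch only changes the compiled-in initial value of gds_mitigation, a gather_data_sampling= command-line parameter would be expected to still override it, and the help text should say so explicitly, for example by adding `The gather_data_sampling= command line parameter still overrides this default.` after `Setting this option on systems not vulnerable to GDS has no effect.`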
60 diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
61 index 0cc3c4f09dd7..819a8aa0c706 100644
62 --- a/arch/x86/kernel/cpu/bugs.c
63 +++ b/arch/x86/kernel/cpu/bugs.c
64 @@ -658,7 +658,11 @@ enum gds_mitigations {
65 GDS_MITIGATION_HYPERVISOR,
68 +#if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)
69 +static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE;
71 static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
74 static const char * const gds_strings[] = {
75 [GDS_MITIGATION_OFF] = "Vulnerable",
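Review bot: the `#if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)` block in bugs.c duplicates the entire `static enum gds_mitigations gds_mitigation __ro_after_init` declaration only to choose an initializer; a single declaration initialized with `IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION) ? GDS_MITIGATION_FORCE : GDS_MITIGATION_FULL` keeps one definition and one `__ro_after_init` attribute (IS_ENABLED() expands to a constant 0 or 1, so it is valid in a static initializer) and follows the kernel's usual preference for IS_ENABLED() over preprocessor conditionals.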