From nobody Tue Dec 16 23:57:28 2025
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 8970CEE49A5
	for <linux-kernel@archiver.kernel.org>; Fri, 25 Aug 2023 10:21:32 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244394AbjHYKVM (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Fri, 25 Aug 2023 06:21:12 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35134 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S244413AbjHYKUK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 25 Aug 2023 06:20:10 -0400
Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C6D43210D;
        Fri, 25 Aug 2023 03:19:52 -0700 (PDT)
Date: Fri, 25 Aug 2023 10:19:32 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de;
        s=2020; t=1692958773;
        h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
         message-id:message-id:to:to:cc:cc:mime-version:mime-version:
         content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=mbFOQJFm8m7pDEmKdOJjAglgD6A9TM/706GUCcigTWQ=;
        b=LO4AyqgQkJVt9iqY5EpDgfbCtwqaKB8nnL1kCGoNuSvOCEW2fQZuRx1lfV7ofKDy9FO5h5
        1x9lN+iWIf1YH29kLt8Sg2wUNwa0vpMYrfo5BnnbEghbDLDRqPvCTjSB3xEmXHso65kFWe
        agpY6lCrEsoCA42vv1C5pa3/+0KUjObG7eARuGdYPaiU9hgHl5q6LvzoutLCAjVomFEcpO
        sMTtjT2407Jvo6N9R3sl2ra0eNO8WD+v6AHhoRBITOi6VZb3HzdqC61U9f9pt+KwqFkAvr
        sHpQgqKvzeG5PO+Bf+yXXJ+C1Ga/qau9aLQ+i3HM0YCpUWk8cbnoXXwXy3UUiQ==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de;
        s=2020e; t=1692958773;
        h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
         message-id:message-id:to:to:cc:cc:mime-version:mime-version:
         content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=mbFOQJFm8m7pDEmKdOJjAglgD6A9TM/706GUCcigTWQ=;
        b=LyYbLpEb+F/Lna0I+vEUTkkmwsSExf01+wNwXlcewjH9YMB2jlozu4d81uO1WhBH7Z1a0G
        alLyUiXdZKHjXKDg==
From: "tip-bot2 for Josh Poimboeuf" <tip-bot2@linutronix.de>
Sender: tip-bot2@linutronix.de
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: x86/bugs] x86/srso: Fix vulnerability reporting for missing
 microcode
Cc: Josh Poimboeuf <jpoimboe@kernel.org>,
        Ingo Molnar <mingo@kernel.org>, x86@kernel.org,
        linux-kernel@vger.kernel.org
In-Reply-To: 
 <65556eeb1bf7cb9bd7db8662ef115dd73191db84.1692919072.git.jpoimboe@kernel.org>
References: 
 <65556eeb1bf7cb9bd7db8662ef115dd73191db84.1692919072.git.jpoimboe@kernel.org>
MIME-Version: 1.0
Message-ID: <169295877252.27769.17888941552572030723.tip-bot2@tip-bot2>
Robot-ID: <tip-bot2@linutronix.de>
Robot-Unsubscribe: Contact <mailto:tglx@linutronix.de> to get blacklisted from
 these emails
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The following commit has been merged into the x86/bugs branch of tip:

Commit-ID:     b3be1397be0340b2c30b2dcd7339dbfaa5563e2b
Gitweb:        https://git.kernel.org/tip/b3be1397be0340b2c30b2dcd7339dbfaa=
5563e2b
Author:        Josh Poimboeuf <jpoimboe@kernel.org>
AuthorDate:    Fri, 25 Aug 2023 00:01:41 -07:00
Committer:     Ingo Molnar <mingo@kernel.org>
CommitterDate: Fri, 25 Aug 2023 11:21:59 +02:00

x86/srso: Fix vulnerability reporting for missing microcode

The SRSO default safe-ret mitigation is reported as "mitigated" even if
microcode hasn't been updated.  That's wrong because userspace may still
be vulnerable to SRSO attacks due to IBPB not flushing branch type
predictions.

Report the safe-ret + !microcode case as vulnerable.

Also report the microcode-only case as vulnerable as it leaves the
kernel open to attacks.

Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation")
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/65556eeb1bf7cb9bd7db8662ef115dd73191db84.16=
92919072.git.jpoimboe@kernel.org
---
 Documentation/admin-guide/hw-vuln/srso.rst | 22 ++++++++++----
 arch/x86/kernel/cpu/bugs.c                 | 34 ++++++++++++---------
 2 files changed, 37 insertions(+), 19 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/srso.rst b/Documentation/adm=
in-guide/hw-vuln/srso.rst
index b6cfb51..4516719 100644
--- a/Documentation/admin-guide/hw-vuln/srso.rst
+++ b/Documentation/admin-guide/hw-vuln/srso.rst
@@ -46,12 +46,22 @@ The possible values in this file are:
=20
    The processor is not vulnerable
=20
- * 'Vulnerable: no microcode':
+* 'Vulnerable':
+
+   The processor is vulnerable and no mitigations have been applied.
+
+ * 'Vulnerable: No microcode':
=20
    The processor is vulnerable, no microcode extending IBPB
    functionality to address the vulnerability has been applied.
=20
- * 'Mitigation: microcode':
+ * 'Vulnerable: Safe RET, no microcode':
+
+   The "Safe Ret" mitigation (see below) has been applied to protect the
+   kernel, but the IBPB-extending microcode has not been applied.  User
+   space tasks may still be vulnerable.
+
+ * 'Vulnerable: Microcode, no safe RET':
=20
    Extended IBPB functionality microcode patch has been applied. It does
    not address User->Kernel and Guest->Host transitions protection but it
@@ -72,11 +82,11 @@ The possible values in this file are:
=20
    (spec_rstack_overflow=3Dmicrocode)
=20
- * 'Mitigation: safe RET':
+ * 'Mitigation: Safe RET':
=20
-   Software-only mitigation. It complements the extended IBPB microcode
-   patch functionality by addressing User->Kernel and Guest->Host
-   transitions protection.
+   Combined microcode/software mitigation. It complements the
+   extended IBPB microcode patch functionality by addressing
+   User->Kernel and Guest->Host transitions protection.
=20
    Selected by default or by spec_rstack_overflow=3Dsafe-ret
=20
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 6c47f37..d883d1c 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2353,6 +2353,8 @@ early_param("l1tf", l1tf_cmdline);
=20
 enum srso_mitigation {
 	SRSO_MITIGATION_NONE,
+	SRSO_MITIGATION_UCODE_NEEDED,
+	SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED,
 	SRSO_MITIGATION_MICROCODE,
 	SRSO_MITIGATION_SAFE_RET,
 	SRSO_MITIGATION_IBPB,
@@ -2368,11 +2370,13 @@ enum srso_mitigation_cmd {
 };
=20
 static const char * const srso_strings[] =3D {
-	[SRSO_MITIGATION_NONE]           =3D "Vulnerable",
-	[SRSO_MITIGATION_MICROCODE]      =3D "Mitigation: microcode",
-	[SRSO_MITIGATION_SAFE_RET]	 =3D "Mitigation: safe RET",
-	[SRSO_MITIGATION_IBPB]		 =3D "Mitigation: IBPB",
-	[SRSO_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT only"
+	[SRSO_MITIGATION_NONE]			=3D "Vulnerable",
+	[SRSO_MITIGATION_UCODE_NEEDED]		=3D "Vulnerable: No microcode",
+	[SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED]	=3D "Vulnerable: Safe RET, no mic=
rocode",
+	[SRSO_MITIGATION_MICROCODE]		=3D "Vulnerable: Microcode, no safe RET",
+	[SRSO_MITIGATION_SAFE_RET]		=3D "Mitigation: Safe RET",
+	[SRSO_MITIGATION_IBPB]			=3D "Mitigation: IBPB",
+	[SRSO_MITIGATION_IBPB_ON_VMEXIT]	=3D "Mitigation: IBPB on VMEXIT only"
 };
=20
 static enum srso_mitigation srso_mitigation __ro_after_init =3D SRSO_MITIG=
ATION_NONE;
@@ -2409,10 +2413,7 @@ static void __init srso_select_mitigation(void)
 	if (!boot_cpu_has_bug(X86_BUG_SRSO) || cpu_mitigations_off())
 		goto pred_cmd;
=20
-	if (!has_microcode) {
-		pr_warn("IBPB-extending microcode not applied!\n");
-		pr_warn(SRSO_NOTICE);
-	} else {
+	if (has_microcode) {
 		/*
 		 * Zen1/2 with SMT off aren't vulnerable after the right
 		 * IBPB microcode has been applied.
@@ -2428,6 +2429,12 @@ static void __init srso_select_mitigation(void)
 			srso_mitigation =3D SRSO_MITIGATION_IBPB;
 			goto out;
 		}
+	} else {
+		pr_warn("IBPB-extending microcode not applied!\n");
+		pr_warn(SRSO_NOTICE);
+
+		/* may be overwritten by SRSO_CMD_SAFE_RET below */
+		srso_mitigation =3D SRSO_MITIGATION_UCODE_NEEDED;
 	}
=20
 	switch (srso_cmd) {
@@ -2457,7 +2464,10 @@ static void __init srso_select_mitigation(void)
 				setup_force_cpu_cap(X86_FEATURE_SRSO);
 				x86_return_thunk =3D srso_return_thunk;
 			}
-			srso_mitigation =3D SRSO_MITIGATION_SAFE_RET;
+			if (has_microcode)
+				srso_mitigation =3D SRSO_MITIGATION_SAFE_RET;
+			else
+				srso_mitigation =3D SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED;
 		} else {
 			pr_err("WARNING: kernel not compiled with CPU_SRSO.\n");
 		}
@@ -2701,9 +2711,7 @@ static ssize_t srso_show_state(char *buf)
 	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
 		return sysfs_emit(buf, "Mitigation: SMT disabled\n");
=20
-	return sysfs_emit(buf, "%s%s\n",
-			  srso_strings[srso_mitigation],
-			  boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ? "" : ", no microcode");
+	return sysfs_emit(buf, "%s\n", srso_strings[srso_mitigation]);
 }
=20
 static ssize_t gds_show_state(char *buf)