From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
Date: Mon, 22 Apr 2024 09:58:15 -0700
Message-ID: <20240422165830.2142904-2-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently there is no way to disable the GDS mitigation at build time.
Disabling the current config option (GDS_MITIGATION_FORCE) does not
disable the mitigation, but sets it to GDS_MITIGATION_FULL, which does
not disable it.

Create a new kernel config that allows GDS to be completely disabled,
similarly to the "gather_data_sampling=off" or "mitigations=off" kernel
command-line. Move GDS_MITIGATION_FORCE under this new mitigation.

Now, there are three options for GDS mitigation:

 * CONFIG_MITIGATION_GDS=n -> Mitigation disabled (New)
 * CONFIG_MITIGATION_GDS=y -> Mitigation enabled (GDS_MITIGATION_FULL)
 * CONFIG_GDS_MITIGATION_FORCE=y -> Forceful mitigation (disable AVX)

Suggested-by: Josh Poimboeuf
Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 16 +++++++++++-----
 arch/x86/kernel/cpu/bugs.c |  7 ++++---
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index a902680b6537..d99b758c8d35 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2607,15 +2607,21 @@ config MITIGATION_SLS against straight line speculation. The kernel image might be slightly larger. =20 +config MITIGATION_GDS + bool "Mitigate Gather Data Sampling" + depends on CPU_SUP_INTEL + default y + help + Enable mitigation for Gather Data Sampling (GDS). GDS is a hardware + vulnerability which allows unprivileged speculative access to data + which was previously stored in vector registers. The attacker uses gath= er + instructions to infer the stale vector register data. + config MITIGATION_GDS_FORCE bool "Force GDS Mitigation" - depends on CPU_SUP_INTEL + depends on MITIGATION_GDS default n help - Gather Data Sampling (GDS) is a hardware vulnerability which allows - unprivileged speculative access to data which was previously stored in - vector registers. - This option is equivalent to setting gather_data_sampling=3Dforce on the command line. The microcode mitigation is used if present, otherwise AVX is disabled as a mitigation. On affected systems that are missing diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 9a9685c9244b..f2bdfb359f6b 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -731,10 +731,11 @@ enum gds_mitigations { GDS_MITIGATION_HYPERVISOR, }; =20 -#if IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE) -static enum gds_mitigations gds_mitigation __ro_after_init =3D GDS_MITIGAT= ION_FORCE; +#if IS_ENABLED(CONFIG_MITIGATION_GDS) +static enum gds_mitigations gds_mitigation __ro_after_init =3D + IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE) ? GDS_MITIGATION_FORCE : GDS_MITI= GATION_FULL; #else -static enum gds_mitigations gds_mitigation __ro_after_init =3D GDS_MITIGAT= ION_FULL; +static enum gds_mitigations gds_mitigation __ro_after_init =3D GDS_MITIGAT= ION_OFF; #endif =20 static const char * const gds_strings[] =3D { --=20 2.43.0
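Review bot: the new MITIGATION_GDS help text describes the bug but never says what =n means operationally, while the MITIGATION_GDS_FORCE entry directly below it keeps its "equivalent to setting gather_data_sampling=force on the command line" sentence; add the matching sentence for this option (=n is equivalent to gather_data_sampling=off) and state whether a gather_data_sampling= boot parameter still overrides the compiled-in default, since that is what anyone turning the knob off in a distribution config needs to know. Separately, the commit message calls the existing option GDS_MITIGATION_FORCE and CONFIG_GDS_MITIGATION_FORCE, but the symbol being moved in this hunk is MITIGATION_GDS_FORCE; the commit message should use the real name.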
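Review bot: the #if IS_ENABLED(CONFIG_MITIGATION_GDS) / #else / #endif around the initializer can go; IS_ENABLED() is a constant 0 or 1, so a single initializer such as `IS_ENABLED(CONFIG_MITIGATION_GDS) ? (IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE) ? GDS_MITIGATION_FORCE : GDS_MITIGATION_FULL) : GDS_MITIGATION_OFF;` expresses the same three states in one definition and matches the form the MDS, TAA and MMIO Stale Data patches later in this series use. Whichever form stays, a one-line comment above it should note that the new `depends on MITIGATION_GDS` in Kconfig is what keeps CONFIG_MITIGATION_GDS_FORCE=y from being silently ignored when CONFIG_MITIGATION_GDS=n, because the initializer itself does not check for that combination.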
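An added example, not code from the patch series or from the kernel tree as a whole, to show why the initializers in 01/10 can apply IS_ENABLED() directly to a CONFIG_ symbol that may be undefined, and what the three GDS states described in that commit message come out to. The IS_ENABLED() macro block is reproduced from include/linux/kconfig.h; the reduced enum, the GDS_DEFAULT_BEFORE()/GDS_DEFAULT_AFTER() macros, the gds_default() helper and the CONFIG_DEMO_* symbols are this example's own inventions and do not exist in the kernel. GDS_DEFAULT_BEFORE() mirrors the pre-patch initializer and GDS_DEFAULT_AFTER() the post-patch one, so the table the program prints is the commit message's three-row list plus the row that motivated the change: CONFIG_MITIGATION_GDS=n used to give GDS_MITIGATION_FULL and now gives GDS_MITIGATION_OFF.

```c
#include <stdio.h>

/*
 * IS_ENABLED() reproduced from include/linux/kconfig.h. A CONFIG_FOO
 * defined as 1, or a defined CONFIG_FOO_MODULE, yields the literal 1;
 * an undefined symbol yields the literal 0 instead of a compile error.
 * Because the result is a plain integer literal it works both in #if
 * and in a static initializer, which is what the patch relies on.
 */
#define __ARG_PLACEHOLDER_1 0,
#define __take_second_arg(__ignored, val, ...) val
#define __is_defined(x)			___is_defined(x)
#define ___is_defined(val)		____is_defined(__ARG_PLACEHOLDER_##val)
#define ____is_defined(arg1_or_junk)	__take_second_arg(arg1_or_junk 1, 0)
#define __or(x, y)			___or(x, y)
#define ___or(x, y)			____or(__ARG_PLACEHOLDER_##x, y)
#define ____or(arg1_or_junk, y)		__take_second_arg(arg1_or_junk 1, y)
#define IS_BUILTIN(option)		__is_defined(option)
#define IS_MODULE(option)		__is_defined(option##_MODULE)
#define IS_ENABLED(option)		__or(IS_BUILTIN(option), IS_MODULE(option))

/* Sanity checks on the macro itself; CONFIG_DEMO_* are made-up symbols. */
#define CONFIG_DEMO_Y 1
#define CONFIG_DEMO_M_MODULE 1
int demo_is_enabled_y(void) { return IS_ENABLED(CONFIG_DEMO_Y); } /* 1 */
int demo_is_enabled_m(void) { return IS_ENABLED(CONFIG_DEMO_M); } /* 1 */
int demo_is_builtin_m(void) { return IS_BUILTIN(CONFIG_DEMO_M); } /* 0 */
int demo_is_enabled_n(void) { return IS_ENABLED(CONFIG_DEMO_N); } /* 0 */

/* Subset of the kernel's enum gds_mitigations, using the patch's names. */
enum gds_mitigations {
	GDS_MITIGATION_OFF,
	GDS_MITIGATION_FORCE,
	GDS_MITIGATION_FULL,
};

/* Default before the series: only FORCE is build-time selectable, so the
 * compiled-in default can never be OFF (the commit message's complaint). */
#define GDS_DEFAULT_BEFORE() \
	(IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE) ? GDS_MITIGATION_FORCE : GDS_MITIGATION_FULL)

/* Default after the series, as one constant expression. */
#define GDS_DEFAULT_AFTER() \
	(IS_ENABLED(CONFIG_MITIGATION_GDS) ? \
		(IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE) ? GDS_MITIGATION_FORCE \
							  : GDS_MITIGATION_FULL) \
		: GDS_MITIGATION_OFF)

/* Evaluate both initializers under each build configuration. Each one is a
 * static initializer, exactly like gds_mitigation __ro_after_init in bugs.c. */

/* (a) CONFIG_MITIGATION_GDS=n; FORCE cannot be set, it depends on GDS. */
static const enum gds_mitigations before_n  = GDS_DEFAULT_BEFORE();
static const enum gds_mitigations after_n   = GDS_DEFAULT_AFTER();

/* (b) CONFIG_MITIGATION_GDS=y, CONFIG_MITIGATION_GDS_FORCE=n */
#define CONFIG_MITIGATION_GDS 1
static const enum gds_mitigations before_y  = GDS_DEFAULT_BEFORE();
static const enum gds_mitigations after_y   = GDS_DEFAULT_AFTER();

/* (c) CONFIG_MITIGATION_GDS=y, CONFIG_MITIGATION_GDS_FORCE=y */
#define CONFIG_MITIGATION_GDS_FORCE 1
static const enum gds_mitigations before_yf = GDS_DEFAULT_BEFORE();
static const enum gds_mitigations after_yf  = GDS_DEFAULT_AFTER();
#undef CONFIG_MITIGATION_GDS_FORCE
#undef CONFIG_MITIGATION_GDS

/* Hypothetical lookup helper: the compiled-in default for a build config,
 * before (patched == 0) or after (patched == 1) the series. */
enum gds_mitigations gds_default(int patched, int cfg_gds, int cfg_force)
{
	if (cfg_gds && cfg_force)
		return patched ? after_yf : before_yf;
	if (cfg_gds)
		return patched ? after_y : before_y;
	return patched ? after_n : before_n;
}

static const char *const names[] = { "OFF", "FORCE", "FULL" };

int main(void)
{
	static const int cfgs[][2] = { {0, 0}, {1, 0}, {1, 1} };

	for (unsigned i = 0; i < 3; i++)
		printf("GDS=%d FORCE=%d: before=%-5s after=%s\n",
		       cfgs[i][0], cfgs[i][1],
		       names[gds_default(0, cfgs[i][0], cfgs[i][1])],
		       names[gds_default(1, cfgs[i][0], cfgs[i][1])]);
	return 0;
}
```

Build and run with `cc -Wall -o gds_default gds_default.c && ./gds_default`. The define/undef sequence works because IS_ENABLED() is resolved at each point of use, so the same macro text is evaluated three times against three different "configs" in one translation unit; in a real build the CONFIG_ symbols come from the generated autoconf.h and each is evaluated once.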
From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 02/10] x86/bugs: Add a separate config for MDS
Date: Mon, 22 Apr 2024 09:58:16 -0700
Message-ID: <20240422165830.2142904-3-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated, where
some mitigations have entries in Kconfig, and they could be modified,
while other mitigations do not have Kconfig entries, and could not be
controlled at build time.

Create an entry for the MDS CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable it
at compilation time.

Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 9 +++++++++
 arch/x86/kernel/cpu/bugs.c | 3 ++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index d99b758c8d35..5d0227b50faa 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2653,6 +2653,15 @@ config MITIGATION_SPECTRE_BHI indirect branches. See =20 +config MITIGATION_MDS + bool "Mitigate Microarchitectural Data Sampling (MDS) hardware bug" + depends on CPU_SUP_INTEL + default y + help + Enable mitigation for Microarchitectural Data Sampling (MDS). MDS is + a hardware vulnerability which allows unprivileged speculative access + to data which is available in various CPU internal buffers. + See also endif =20 config ARCH_HAS_ADD_PAGES diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index f2bdfb359f6b..fb6515b1b33e 100644
--- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -233,7 +233,8 @@ static void x86_amd_ssb_disable(void) #define pr_fmt(fmt) "MDS: " fmt =20 /* Default mitigation for MDS-affected CPUs */ -static enum mds_mitigations mds_mitigation __ro_after_init =3D MDS_MITIGAT= ION_FULL; +static enum mds_mitigations mds_mitigation __ro_after_init =3D + IS_ENABLED(CONFIG_MITIGATION_MDS) ? MDS_MITIGATION_FULL : MDS_MITIGATION_= OFF; static bool mds_nosmt __ro_after_init =3D false; =20 static const char * const mds_strings[] =3D { --=20 2.43.0
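Review bot: the MITIGATION_MDS help text describes the bug but not the knob; add a sentence saying that =n corresponds to mds=off on the command line and that =y selects the full mitigation with SMT left enabled, so readers do not assume the option also covers the mds=full,nosmt variant. The later entries in this series have the same gap, so one sentence pattern reused across them would be the cheapest fix.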
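Review bot: the initializer only switches between MDS_MITIGATION_FULL and MDS_MITIGATION_OFF, and mds_nosmt two lines below stays false in both cases, which is a reasonable scope, but the commit message's "enable or disable it at compilation time" says nothing about the other VERW-based mitigations: TAA and MMIO Stale Data in 03/10 and 04/10 default to TAA_MITIGATION_VERW and MMIO_MITIGATION_VERW, which clear the same CPU buffers, so a kernel built with CONFIG_MITIGATION_MDS=n but those two left at =y should be expected to keep executing VERW on affected hardware. Please say in the help text or commit message whether that is the case, since otherwise the three options are effectively one knob and someone flipping only this one will not get the savings they expect.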
From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 03/10] x86/bugs: Add a separate config for TAA
Date: Mon, 22 Apr 2024 09:58:17 -0700
Message-ID: <20240422165830.2142904-4-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated, where
some mitigations have entries in Kconfig, and they could be modified,
while other mitigations do not have Kconfig entries, and could not be
controlled at build time.

Create an entry for the TAA CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable it
at compilation time.

Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 11 +++++++++++
 arch/x86/kernel/cpu/bugs.c |  3 ++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 5d0227b50faa..c7ce800fcdb2 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2662,6 +2662,17 @@ config MITIGATION_MDS a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. See also + +config MITIGATION_TAA + bool "Mitigate TSX Asynchronous Abort (TAA) hardware bug" + depends on CPU_SUP_INTEL + default y + help + Enable mitigation for TSX Asynchronous Abort (TAA). TAA is a hardware + vulnerability that allows unprivileged speculative access to data + which is available in various CPU internal buffers by using + asynchronous aborts within an Intel TSX transactional region. + See also endif =20 config ARCH_HAS_ADD_PAGES diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index fb6515b1b33e..87f3cc6c438d 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -294,7 +294,8 @@ enum taa_mitigations { }; =20 /* Default mitigation for TAA-affected CPUs */ -static enum taa_mitigations taa_mitigation __ro_after_init =3D TAA_MITIGAT= ION_VERW; +static enum taa_mitigations taa_mitigation __ro_after_init =3D + IS_ENABLED(CONFIG_MITIGATION_TAA) ? TAA_MITIGATION_VERW : TAA_MITIGATION_= OFF; static bool taa_nosmt __ro_after_init; =20 static const char * const taa_strings[] =3D { --=20 2.43.0
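Review bot: the MITIGATION_TAA help text explains the bug but not what the two Kconfig states map to; say that =n is equivalent to tsx_async_abort=off and =y to tsx_async_abort=full (taa_nosmt keeps its zero-initialized value in the bugs.c hunk, so the nosmt variant stays command-line only). Since the help text itself says the attack needs "an Intel TSX transactional region", one more sentence noting that the option is a no-op on systems where TSX is disabled by microcode or by tsx=off would stop people from turning it off there in the belief that it costs something.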
From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 04/10] x86/bugs: Add a separate config for MMIO Stale Data
Date: Mon, 22 Apr 2024 09:58:18 -0700
Message-ID: <20240422165830.2142904-5-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated, where
some mitigations have entries in Kconfig, and they could be modified,
while other mitigations do not have Kconfig entries, and could not be
controlled at build time.

Create an entry for the MMIO Stale Data CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable it
at compilation time.

Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 12 ++++++++++++
 arch/x86/kernel/cpu/bugs.c |  3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index c7ce800fcdb2..bba5b65034dc 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2673,6 +2673,18 @@ config MITIGATION_TAA which is available in various CPU internal buffers by using asynchronous aborts within an Intel TSX transactional region. See also + +config MITIGATION_MMIO_STALE_DATA + bool "Mitigate MMIO Stale Data hardware bug" + depends on CPU_SUP_INTEL + default y + help + Enable mitigation for MMIO Stale Data hardware bugs. Processor MMIO + Stale Data Vulnerabilities are a class of memory-mapped I/O (MMIO) + vulnerabilities that can expose data. The vulnerabilities require the + attacker to have access to MMIO. + See also + endif =20 config ARCH_HAS_ADD_PAGES diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 87f3cc6c438d..21daaf202b7f 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -393,7 +393,8 @@ enum mmio_mitigations { }; =20 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */ -static enum mmio_mitigations mmio_mitigation __ro_after_init =3D MMIO_MITI= GATION_VERW; +static enum mmio_mitigations mmio_mitigation __ro_after_init =3D + IS_ENABLED(CONFIG_MITIGATION_MMIO_STALE_DATA) ? MMIO_MITIGATION_VERW : MM= IO_MITIGATION_OFF; static bool mmio_nosmt __ro_after_init =3D false; =20 static const char * const mmio_strings[] =3D { --=20 2.43.0
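Review bot: the new initializer line `IS_ENABLED(CONFIG_MITIGATION_MMIO_STALE_DATA) ? MMIO_MITIGATION_VERW : MMIO_MITIGATION_OFF;` is about 100 columns wide counting its leading tab, right at the checkpatch limit; put the false branch on its own line so it reads like the shorter MDS and TAA initializers. On the Kconfig side, the sentence "The vulnerabilities require the attacker to have access to MMIO" is the threat-model fact that justifies =n on machines where untrusted code never gets MMIO access (no device passthrough to guests, no unprivileged VFIO users); the help text should state that as the intended use of =n rather than leaving the reader to infer it from a description of the bug.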
From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 05/10] x86/bugs: Add a separate config for L1TF
Date: Mon, 22 Apr 2024 09:58:19 -0700
Message-ID: <20240422165830.2142904-6-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated, where
some mitigations have entries in Kconfig, and they could be modified,
while other mitigations do not have Kconfig entries, and could not be
controlled at build time.

Create an entry for the L1TF CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable it
at compilation time.

Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 10 ++++++++++
 arch/x86/kernel/cpu/bugs.c |  3 ++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index bba5b65034dc..192d20348b41 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2685,6 +2685,16 @@ config MITIGATION_MMIO_STALE_DATA attacker to have access to MMIO. See also + +config MITIGATION_L1TF + bool "Mitigate L1 Terminal Fault (L1TF) hardware bug" + depends on CPU_SUP_INTEL + default y + help + Mitigate L1 Terminal Fault (L1TF) hardware bug. L1 Terminal Fault is a + hardware vulnerability which allows unprivileged speculative access to = data + available in the Level 1 Data Cache. + See
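Review bot: the help text opens with "Mitigate L1 Terminal Fault (L1TF) hardware bug.", which only repeats the prompt string, whereas the GDS, MDS, TAA and MMIO Stale Data entries open with "Enable mitigation for ..."; use the same wording. More importantly, L1TF is the one option in this series whose runtime counterpart, l1tf=, governs the hypervisor-facing mitigation (L1D flush on VM entry and SMT handling) and not the PTE inversion that protects the host's own page tables, which is always applied; the help text should say which of those CONFIG_MITIGATION_L1TF=n removes, because the generic "unprivileged speculative access to data available in the Level 1 Data Cache" wording invites the reading that =n exposes host memory to ordinary user processes. The bugs.c half of this patch (3 lines per the diffstat) is not present in this copy of the message, so the default-selection change itself could not be checked here.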
From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 06/10] x86/bugs: Add a separate config for RETBLEED
Date: Mon, 22 Apr 2024 09:58:20 -0700
Message-ID: <20240422165830.2142904-7-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated, where
some mitigations have entries in Kconfig, and they could be modified,
while other mitigations do not have Kconfig entries, and could not be
controlled at build time.

Create an entry for the RETBLEED CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable it
at compilation time.

Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 13 +++++++++++++
 arch/x86/kernel/cpu/bugs.c |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 192d20348b41..f5c941a0a837 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2695,6 +2695,19 @@ config MITIGATION_L1TF hardware vulnerability which allows unprivileged speculative access to = data available in the Level 1 Data Cache. See
From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 07/10] x86/bugs: Add a separate config for Spectre v1
Date: Mon, 22 Apr 2024 09:58:21 -0700
Message-ID: <20240422165830.2142904-8-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated, where
some mitigations have entries in Kconfig, and they could be modified, while
other mitigations do not have Kconfig entries, and could not be controlled
at build time.

Create an entry for the Spectre v1 CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable it
at compilation time.

Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 10 ++++++++++
 arch/x86/kernel/cpu/bugs.c |  3 ++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index f5c941a0a837..43dd45720fb1 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2708,6 +2708,16 @@ config MITIGATION_RETBLEED unprivileged attacker can use these flaws to bypass conventional memory security restrictions to gain read access to privileged memory that would otherwise be inaccessible. + +config MITIGATION_SPECTRE_V1 + bool "Mitigate SPECTRE V1 hardware bug" + default y + help + Enable mitigation for Spectre V1 (Bounds Check Bypass). Spectre V1 is a + class of side channel attacks that takes advantage of speculative + execution that bypasses conditional branch instructions used for + memory access bounds check. + See also endif =20 config ARCH_HAS_ADD_PAGES diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index c6c404b1c6ac..00c3438519be 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -875,7 +875,8 @@ enum spectre_v1_mitigation { }; =20 static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init = =3D - SPECTRE_V1_MITIGATION_AUTO; + IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V1) ? + SPECTRE_V1_MITIGATION_AUTO : SPECTRE_V1_MITIGATION_NONE; =20 static const char * const spectre_v1_strings[] =3D { [SPECTRE_V1_MITIGATION_NONE] =3D "Vulnerable: __user pointer sanitization= and usercopy barriers only; no swapgs barriers", --=20 2.43.0
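Review bot: In the bugs.c hunk, a kernel built with CONFIG_MITIGATION_SPECTRE_V1=n starts in SPECTRE_V1_MITIGATION_NONE, whose status string in the context below reads "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers": the new config switch drops only the swapgs barriers, while the __user pointer sanitization stays compiled in. The Kconfig help text ("Enable mitigation for Spectre V1") should say exactly that, so whoever turns the option off knows what is and is not given up. Unlike the Spectre v2 and SSB patches in this series, there is also no boot parameter parsed here that could turn the mitigation back on once it is built out; a sentence on that in the help text or the commit message would help.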
From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 08/10] x86/bugs: Add a separate config for SRBDS
Date: Mon, 22 Apr 2024 09:58:22 -0700
Message-ID: <20240422165830.2142904-9-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated, where
some mitigations have entries in Kconfig, and they could be modified, while
other mitigations do not have Kconfig entries, and could not be controlled
at build time.

Create an entry for the SRBDS CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable it
at compilation time.

Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 14 ++++++++++++++
 arch/x86/kernel/cpu/bugs.c |  3 ++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 43dd45720fb1..fdf1c894fcb8 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2718,6 +2718,20 @@ config MITIGATION_SPECTRE_V1 execution that bypasses conditional branch instructions used for memory access bounds check. See also + +config MITIGATION_SRBDS + bool "Mitigate Special Register Buffer Data Sampling (SRBDS) hardware bug" + depends on CPU_SUP_INTEL + default y + help + Enable mitigation for Special Register Buffer Data Sampling (SRBDS). + SRBDS is a hardware vulnerability that allows Microarchitectural Data + Sampling (MDS) techniques to infer values returned from special + register accesses. An unprivileged user can extract values returned + from RDRAND and RDSEED executed on another core or sibling thread + using MDS techniques. + See also + endif =20 config ARCH_HAS_ADD_PAGES diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 00c3438519be..49b60c0e2eb4 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -608,7 +608,8 @@ enum srbds_mitigations { SRBDS_MITIGATION_HYPERVISOR, }; =20 -static enum srbds_mitigations srbds_mitigation __ro_after_init =3D SRBDS_M= ITIGATION_FULL; +static enum srbds_mitigations srbds_mitigation __ro_after_init =3D + IS_ENABLED(CONFIG_MITIGATION_SRBDS) ? SRBDS_MITIGATION_FULL : SRBDS_MITIG= ATION_OFF; =20 static const char * const srbds_strings[] =3D { [SRBDS_MITIGATION_OFF] =3D "Vulnerable", --=20 2.43.0
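Review bot: The hunk only swaps the initial value from SRBDS_MITIGATION_FULL to SRBDS_MITIGATION_OFF; the enum context above still carries states such as SRBDS_MITIGATION_HYPERVISOR that no user selects and that get assigned later from CPU and hypervisor capability checks. Please confirm that the code doing those assignments checks for SRBDS_MITIGATION_OFF before overwriting it; otherwise a CONFIG_MITIGATION_SRBDS=n kernel running under a hypervisor would not end up reporting the "Vulnerable" string that the OFF value promises, and the build-time choice would be silently lost. An early return when the value is already OFF, or a comment stating why the override is intended, would settle it.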
From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 09/10] x86/bugs: Add a separate config for Spectre V2
Date: Mon, 22 Apr 2024 09:58:23 -0700
Message-ID: <20240422165830.2142904-10-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated, where
some mitigations have entries in Kconfig, and they could be modified, while
other mitigations do not have Kconfig entries, and could not be controlled
at build time.

Create an entry for the Spectre V2 CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable it
at compilation time.

Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 12 ++++++++++++
 arch/x86/kernel/cpu/bugs.c |  9 +++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index fdf1c894fcb8..4f69a7f5f675 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2719,6 +2719,18 @@ config MITIGATION_SPECTRE_V1 memory access bounds check. See also =20 +config MITIGATION_SPECTRE_V2 + bool "Mitigate SPECTRE V2 hardware bug" + default y + help + Enable mitigation for Spectre V2 (Branch Target Injection). Spectre + V2 is a class of side channel attacks that takes advantage of + indirect branch predictors inside the processor. In Spectre variant 2 + attacks, the attacker can steer speculative indirect branches in the + victim to gadget code by poisoning the branch target buffer of a CPU + used for predicting indirect branch addresses. + See also + config MITIGATION_SRBDS bool "Mitigate Special Register Buffer Data Sampling (SRBDS) hardware bug" depends on CPU_SUP_INTEL diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 49b60c0e2eb4..5628a77281fe 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -1457,17 +1457,18 @@ static void __init spec_v2_print_cond(const char *r= eason, bool secure) =20 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) { - enum spectre_v2_mitigation_cmd cmd =3D SPECTRE_V2_CMD_AUTO; + enum spectre_v2_mitigation_cmd cmd; char arg[20]; int ret, i; =20 + cmd =3D IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2) ? SPECTRE_V2_CMD_AUTO := SPECTRE_V2_CMD_NONE; if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") || cpu_mitigations_off()) return SPECTRE_V2_CMD_NONE; =20 ret =3D cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(= arg)); if (ret < 0) - return SPECTRE_V2_CMD_AUTO; + return cmd; =20 for (i =3D 0; i < ARRAY_SIZE(mitigation_options); i++) { if (!match_option(arg, ret, mitigation_options[i].option)) 
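Review bot: In the spectre_v2_parse_cmdline() hunk, the new `cmd = IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2) ? SPECTRE_V2_CMD_AUTO : SPECTRE_V2_CMD_NONE;` is a single line well past 80 columns and is detached from the declaration whose initializer it replaces. Initialising at the declaration with the ternary wrapped onto a second line, the way the Spectre v1 and SRBDS hunks in this series do, keeps the function's original shape and the checkpatch line length.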
@@ -1477,8 +1478,8 @@ static enum spectre_v2_mitigation_cmd __init spectre_= v2_parse_cmdline(void) } =20 if (i >=3D ARRAY_SIZE(mitigation_options)) { - pr_err("unknown option (%s). Switching to AUTO select\n", arg); - return SPECTRE_V2_CMD_AUTO; + pr_err("unknown option (%s). Switching to default mode\n", arg); + return cmd; } =20 if ((cmd =3D=3D SPECTRE_V2_CMD_RETPOLINE || --=20 2.43.0
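Review bot: The new message "unknown option (%s). Switching to default mode" no longer tells the user which mode that is; on a CONFIG_MITIGATION_SPECTRE_V2=n build a typo in spectre_v2= now silently yields no Spectre v2 mitigation at all, where the old text at least named AUTO select. Print the resolved mode instead, for example `pr_err("unknown option (%s). Switching to %s\n", arg, cmd == SPECTRE_V2_CMD_AUTO ? "AUTO select" : "no mitigation");`.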
From: Breno Leitao
To: jpoimboe@kernel.org, mingo@redhat.com, Thomas Gleixner, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH v3 10/10] x86/bugs: Add a separate config for SSB
Date: Mon, 22 Apr 2024 09:58:24 -0700
Message-ID: <20240422165830.2142904-11-leitao@debian.org>
In-Reply-To: <20240422165830.2142904-1-leitao@debian.org>
References: <20240422165830.2142904-1-leitao@debian.org>

Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated, where
some mitigations have entries in Kconfig, and they could be modified, while
other mitigations do not have Kconfig entries, and could not be controlled
at build time.

Create an entry for the SSB CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable it
at compilation time.

Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig           | 10 ++++++++++
 arch/x86/kernel/cpu/bugs.c | 10 ++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 4f69a7f5f675..8a5fcb1468f0 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2744,6 +2744,16 @@ config MITIGATION_SRBDS using MDS techniques. See also + +config MITIGATION_SSB + bool "Mitigate Speculative Store Bypass (SSB) hardware bug" + default y + help + Enable mitigation for Speculative Store Bypass (SSB). SSB is a + hardware security vulnerability and its exploitation takes advantage + of speculative execution in a similar way to the Meltdown and Spectre + security vulnerabilities. + endif =20 config ARCH_HAS_ADD_PAGES
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 5628a77281fe..2e8b24e36d01 100644
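Review bot: The MITIGATION_SSB help text is the only one in this series that neither says what the bug does nor ends with a "See also" line like the MITIGATION_SPECTRE_V1, MITIGATION_SPECTRE_V2 and MITIGATION_SRBDS entries above; "takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities" does not tell a user what they are switching off. Suggest stating that SSB (Spectre variant 4) lets a load speculatively consume stale memory contents before an older store to the same address has completed, and adding a documentation pointer in the same "See also" form the neighbouring entries use.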
--- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2026,10 +2026,12 @@ static const struct { =20 static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) { - enum ssb_mitigation_cmd cmd =3D SPEC_STORE_BYPASS_CMD_AUTO; + enum ssb_mitigation_cmd cmd; char arg[20]; int ret, i; =20 + cmd =3D IS_ENABLED(CONFIG_MITIGATION_SSB) ? + SPEC_STORE_BYPASS_CMD_AUTO : SPEC_STORE_BYPASS_CMD_NONE; if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disa= ble") || cpu_mitigations_off()) { return SPEC_STORE_BYPASS_CMD_NONE; @@ -2037,7 +2039,7 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdli= ne(void) ret =3D cmdline_find_option(boot_command_line, "spec_store_bypass_disabl= e", arg, sizeof(arg)); if (ret < 0) - return SPEC_STORE_BYPASS_CMD_AUTO; + return cmd; =20 for (i =3D 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) { if (!match_option(arg, ret, ssb_mitigation_options[i].option)) @@ -2048,8 +2050,8 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdli= ne(void) } =20 if (i >=3D ARRAY_SIZE(ssb_mitigation_options)) { - pr_err("unknown option (%s). Switching to AUTO select\n", arg); - return SPEC_STORE_BYPASS_CMD_AUTO; + pr_err("unknown option (%s). Switching to default mode\n", arg); + return cmd; } } =20 --=20 2.43.0
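Review bot: Same concern as for the Spectre v2 hunk: "unknown option (%s). Switching to default mode" hides that, on a CONFIG_MITIGATION_SSB=n build, a mistyped spec_store_bypass_disable= value leaves the kernel with SPEC_STORE_BYPASS_CMD_NONE; print the resolved command rather than "default mode" so the boot log shows what was actually selected. Minor: the `cmd = IS_ENABLED(CONFIG_MITIGATION_SSB) ? ...` assignment is placed after the blank line that closes the declarations and right before the nospec_store_bypass_disable check; initialising cmd in its declaration keeps the function's original shape.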
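The series above gives each mitigation a build-time switch next to the existing boot parameters, which means a kernel's .config and its runtime report can now disagree in two directions: an option built out that still shows as active, or an option built in that shows as Vulnerable. The following is an added example, not code from the patch series or from the kernel tree: a POSIX shell check that reads the CONFIG_MITIGATION_* symbols from a kernel .config and compares them with the per-vulnerability files under /sys/devices/system/cpu/vulnerabilities/. The Kconfig symbol names are the ones this series adds (MITIGATION_RETBLEED, _SPECTRE_V1, _SPECTRE_V2, _SRBDS, _SSB); the sysfs file names (retbleed, spectre_v1, spectre_v2, srbds, spec_store_bypass) are the existing ones. The .config lines and sysfs strings in demo() are constructed for the example, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not part of the patch series or the kernel tree): compare the
# build-time CONFIG_MITIGATION_* choices in a kernel .config with what the
# running kernel reports in /sys/devices/system/cpu/vulnerabilities/.

# Kconfig symbol -> sysfs file. The symbols are the ones this series adds;
# the sysfs names are the existing per-vulnerability files.
MITIGATION_MAP="
MITIGATION_RETBLEED:retbleed
MITIGATION_SPECTRE_V1:spectre_v1
MITIGATION_SPECTRE_V2:spectre_v2
MITIGATION_SRBDS:srbds
MITIGATION_SSB:spec_store_bypass
"

# config_state CONFIG_FILE SYMBOL: prints y, n or unset (symbol not in the
# file, e.g. a kernel that predates this series).
config_state() {
    if grep -q "^CONFIG_$2=y\$" "$1"; then
        echo y
    elif grep -q "^# CONFIG_$2 is not set\$" "$1"; then
        echo n
    else
        echo unset
    fi
}

# check_mitigations CONFIG_FILE VULN_DIR: one report per mitigation; the
# return value is the number of mismatches found:
#   - symbol =n but sysfs says "Mitigation: ..." (build switch had no effect)
#   - symbol =y but sysfs says "Vulnerable..."  (mitigation did not engage)
# "Not affected", "Unknown: ..." and a =n kernel reporting Vulnerable are
# consistent states and are not counted.
check_mitigations() {
    cfg=$1
    dir=$2
    mismatches=0
    for entry in $MITIGATION_MAP; do
        sym=${entry%%:*}
        file=${entry##*:}
        state=$(config_state "$cfg" "$sym")
        if [ -r "$dir/$file" ]; then
            status=$(cat "$dir/$file")
        else
            status="(no sysfs entry)"
        fi
        verdict=ok
        case "$state:$status" in
            n:Mitigation:*) verdict="MISMATCH: built with the mitigation off, kernel reports it active" ;;
            y:Vulnerable*)  verdict="MISMATCH: built with the mitigation on, kernel reports Vulnerable" ;;
            unset:*)        verdict="note: symbol absent from .config" ;;
        esac
        case "$verdict" in
            MISMATCH*) mismatches=$((mismatches + 1)) ;;
        esac
        printf '%-28s config=%-5s sysfs=%s\n    %s\n' "CONFIG_$sym" "$state" "$status" "$verdict"
    done
    return "$mismatches"
}

# demo: constructed .config and sysfs contents (not captured from a real
# machine) with two deliberate mismatches: spectre_v2 is built out but still
# reported as mitigated, and srbds is built in but reported Vulnerable.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/config" <<'EOF'
CONFIG_MITIGATION_RETBLEED=y
CONFIG_MITIGATION_SPECTRE_V1=y
# CONFIG_MITIGATION_SPECTRE_V2 is not set
CONFIG_MITIGATION_SRBDS=y
# CONFIG_MITIGATION_SSB is not set
EOF
    mkdir -p "$tmp/vuln"
    echo 'Mitigation: Enhanced / Automatic IBRS' > "$tmp/vuln/retbleed"
    echo 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$tmp/vuln/spectre_v1"
    echo 'Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling' > "$tmp/vuln/spectre_v2"
    echo 'Vulnerable' > "$tmp/vuln/srbds"
    echo 'Vulnerable' > "$tmp/vuln/spec_store_bypass"
    rc=0
    check_mitigations "$tmp/config" "$tmp/vuln" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Against the live system: sh check_mitigations.sh --live
if [ "${1:-}" = "--live" ]; then
    check_mitigations "/boot/config-$(uname -r)" /sys/devices/system/cpu/vulnerabilities
fi
```

A =n kernel that reports "Vulnerable" is deliberately treated as consistent: that is exactly what the Spectre v1 hunk above produces (its NONE string starts with "Vulnerable:"), and what an operator who turned the option off asked for. Only the two directions where the build choice and the runtime report contradict each other are counted, so the exit status of check_mitigations can gate a kernel rollout in CI.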