From nobody Sat Feb 7 11:55:48 2026
From: Borislav Petkov
To: Sean Christopherson, X86 ML
Cc: Paolo Bonzini, Josh Poimboeuf, Pawan Gupta, KVM, LKML, "Borislav Petkov (AMD)"
Subject: [PATCH v2 1/4] x86/bugs: Add SRSO_USER_KERNEL_NO support
Date: Mon, 2 Dec 2024 13:04:13 +0100
Message-ID: <20241202120416.6054-2-bp@kernel.org>
In-Reply-To: <20241202120416.6054-1-bp@kernel.org>
References: <20241202120416.6054-1-bp@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: "Borislav Petkov (AMD)"

If the machine has:

  CPUID Fn8000_0021_EAX[30] (SRSO_USER_KERNEL_NO) -- If this bit is 1,
  it indicates the CPU is not subject to the SRSO vulnerability across
  user/kernel boundaries.

have it fall back to IBPB on VMEXIT only, in the case it is going to run
VMs:

  Speculative Return Stack Overflow: CPU user/kernel transitions protected, falling back to IBPB-on-VMEXIT
  Speculative Return Stack Overflow: Mitigation: IBPB on VMEXIT only

Signed-off-by: Borislav Petkov (AMD)
Reviewed-by: Nikolay Borisov
---
 arch/x86/include/asm/cpufeatures.h | 1 +
 arch/x86/kernel/cpu/bugs.c | 6 ++++++
 arch/x86/kernel/cpu/common.c | 1 +
 3 files changed, 8 insertions(+)

diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 17b6590748c0..2787227a8b42 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h 
@@ -464,6 +464,7 @@ #define X86_FEATURE_SBPB (20*32+27) /* Selective Branch Prediction Barrie= r */ #define X86_FEATURE_IBPB_BRTYPE (20*32+28) /* MSR_PRED_CMD[IBPB] flushes = all branch type predictions */ #define X86_FEATURE_SRSO_NO (20*32+29) /* CPU is not affected by SRSO */ +#define X86_FEATURE_SRSO_USER_KERNEL_NO (20*32+30) /* CPU is not affected = by SRSO across user/kernel boundaries */ =20 /* * Extended auxiliary flags: Linux defined - for features scattered in var= ious diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 47a01d4028f6..8854d9bce2a5 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2615,6 +2615,11 @@ static void __init srso_select_mitigation(void) break; =20 case SRSO_CMD_SAFE_RET: + if (boot_cpu_has(X86_FEATURE_SRSO_USER_KERNEL_NO)) { + pr_notice("CPU user/kernel transitions protected, falling back to IBPB-= on-VMEXIT\n"); + goto ibpb_on_vmexit; + } + if (IS_ENABLED(CONFIG_MITIGATION_SRSO)) { /* * Enable the return thunk for generated code @@ -2658,6 +2663,7 @@ static void __init srso_select_mitigation(void) } break; =20 +ibpb_on_vmexit: case SRSO_CMD_IBPB_ON_VMEXIT: if (IS_ENABLED(CONFIG_MITIGATION_SRSO)) { if (!boot_cpu_has(X86_FEATURE_ENTRY_IBPB) && has_microcode) { diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index a5c28975c608..954f9c727f11 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c 
@@ -1270,6 +1270,7 @@ static const struct x86_cpu_id cpu_vuln_blacklist[] _= _initconst =3D { VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO), VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO), VULNBL_AMD(0x19, SRSO), + VULNBL_AMD(0x1a, SRSO), {} }; =20 --=20 2.43.0
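Review bot: in the bugs.c hunk of 1/4, the new branch under case SRSO_CMD_SAFE_RET tests only boot_cpu_has(X86_FEATURE_SRSO_USER_KERNEL_NO), while the changelog says the fallback applies "in the case it is going to run VMs". Nothing in the added lines checks whether the host will run guests, so every machine with this bit takes the ibpb_on_vmexit path. Either reword the changelog or explain in a comment above the goto why the unconditional fallback is fine. A one-line comment at the ibpb_on_vmexit: label saying it is entered from the SAFE_RET case would also help, because a label sitting directly in front of another case label is easy to misread as fallthrough.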
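Review bot: the common.c hunk of 1/4 adds VULNBL_AMD(0x1a, SRSO) to cpu_vuln_blacklist[], which marks a whole CPU family as affected, yet neither the subject nor the changelog mentions it. Say in the commit message that family 0x1a is being added and why the new feature bit needs it, or move the table entry into its own patch so the change shows up in the log.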
From: Borislav Petkov
To: Sean Christopherson, X86 ML
Cc: Paolo Bonzini, Josh Poimboeuf, Pawan Gupta, KVM, LKML, "Borislav Petkov (AMD)"
Subject: [PATCH v2 2/4] KVM: x86: Advertise SRSO_USER_KERNEL_NO to userspace
Date: Mon, 2 Dec 2024 13:04:14 +0100
Message-ID: <20241202120416.6054-3-bp@kernel.org>
In-Reply-To: <20241202120416.6054-1-bp@kernel.org>
References: <20241202120416.6054-1-bp@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: "Borislav Petkov (AMD)"

SRSO_USER_KERNEL_NO denotes whether the CPU is affected by SRSO across
user/kernel boundaries. Advertise it to guest userspace.

Signed-off-by: Borislav Petkov (AMD)
Reviewed-by: Nikolay Borisov
---
 arch/x86/kvm/cpuid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 097bdc022d0f..7cf5fa77e399 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c 
@@ -800,7 +800,7 @@ void kvm_set_cpu_caps(void) kvm_cpu_cap_mask(CPUID_8000_0021_EAX, F(NO_NESTED_DATA_BP) | F(LFENCE_RDTSC) | 0 /* SmmPgCfgLock */ | F(NULL_SEL_CLR_BASE) | F(AUTOIBRS) | 0 /* PrefetchCtlMsr */ | - F(WRMSR_XX_BASE_NS) + F(WRMSR_XX_BASE_NS) | F(SRSO_USER_KERNEL_NO) ); =20 kvm_cpu_cap_check_and_set(X86_FEATURE_SBPB); --=20 2.43.0
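Review bot: the changelog of 2/4 should say what the bit is used for once it is exposed. The hunk adds F(SRSO_USER_KERNEL_NO) to the CPUID_8000_0021_EAX mask in kvm_set_cpu_caps(), and a guest kernel carrying 1/4 that sees bit 30 would take the X86_FEATURE_SRSO_USER_KERNEL_NO branch in srso_select_mitigation(); "Advertise it to guest userspace" does not convey that. The wording "denotes whether the CPU is affected" also leaves the polarity open, whereas the cpufeatures.h comment in 1/4 states that a set bit means not affected.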
From: Borislav Petkov
To: Sean Christopherson, X86 ML
Cc: Paolo Bonzini, Josh Poimboeuf, Pawan Gupta, KVM, LKML, "Borislav Petkov (AMD)"
Subject: [PATCH v2 3/4] x86/bugs: KVM: Add support for SRSO_MSR_FIX
Date: Mon, 2 Dec 2024 13:04:15 +0100
Message-ID: <20241202120416.6054-4-bp@kernel.org>
In-Reply-To: <20241202120416.6054-1-bp@kernel.org>
References: <20241202120416.6054-1-bp@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: "Borislav Petkov (AMD)"

Add support for

  CPUID Fn8000_0021_EAX[31] (SRSO_MSR_FIX). If this bit is 1, it
  indicates that software may use MSR BP_CFG[BpSpecReduce] to mitigate
  SRSO.

Enable this BpSpecReduce bit to mitigate SRSO across guest/host
boundaries.

Signed-off-by: Borislav Petkov (AMD)
Reviewed-by: Nikolay Borisov
---
v2: Add some doc blurb about the modalities of the mitigation.

 Documentation/admin-guide/hw-vuln/srso.rst | 10 ++++++++++
 arch/x86/include/asm/cpufeatures.h | 1 +
 arch/x86/include/asm/msr-index.h | 1 +
 arch/x86/kernel/cpu/bugs.c | 10 +++++++++-
 arch/x86/kvm/svm/svm.c | 6 ++++++
 arch/x86/lib/msr.c | 2 ++
 6 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/hw-vuln/srso.rst b/Documentation/adm= in-guide/hw-vuln/srso.rst index 2ad1c05b8c88..79a8f7dea06d 100644 --- a/Documentation/admin-guide/hw-vuln/srso.rst 
+++ b/Documentation/admin-guide/hw-vuln/srso.rst @@ -104,7 +104,17 @@ The possible values in this file are: =20 (spec_rstack_overflow=3Dibpb-vmexit) =20 + * 'Mitigation: Reduced Speculation': =20 + This mitigation gets automatically enabled when the above one "IBPB on + VMEXIT" has been selected and the CPU supports the BpSpecReduce bit. + + Currently, the mitigation is automatically enabled when KVM enables + virtualization and can incur some cost. If no VMs will run on the syste= m, + you can either disable virtualization or set kvm.enable_virt_at_load=3D= 0 to + enable it only when a VM gets started and thus when really needed. See = the + text in Documentation/admin-guide/kernel-parameters.txt on this paramet= er + for more details. =20 In order to exploit vulnerability, an attacker needs to: =20 diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 2787227a8b42..94582c0ed9f2 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -465,6 +465,7 @@ #define X86_FEATURE_IBPB_BRTYPE (20*32+28) /* MSR_PRED_CMD[IBPB] flushes = all branch type predictions */ #define X86_FEATURE_SRSO_NO (20*32+29) /* CPU is not affected by SRSO */ #define X86_FEATURE_SRSO_USER_KERNEL_NO (20*32+30) /* CPU is not affected = by SRSO across user/kernel boundaries */ +#define X86_FEATURE_SRSO_MSR_FIX (20*32+31) /* MSR BP_CFG[BpSpecReduce] ca= n be used to mitigate SRSO for VMs */ =20 /* * Extended auxiliary flags: Linux defined - for features scattered in var= ious diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-in= dex.h index 3ae84c3b8e6d..1372a569fb58 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -717,6 +717,7 @@ =20 /* Zen4 */ #define MSR_ZEN4_BP_CFG 0xc001102e +#define MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT 4 #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 =20 /* Fam 19h MSRs */ 
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 8854d9bce2a5..a2eb7c0700da 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2523,6 +2523,7 @@ enum srso_mitigation { SRSO_MITIGATION_SAFE_RET, SRSO_MITIGATION_IBPB, SRSO_MITIGATION_IBPB_ON_VMEXIT, + SRSO_MITIGATION_BP_SPEC_REDUCE, }; =20 enum srso_mitigation_cmd { @@ -2540,7 +2541,8 @@ static const char * const srso_strings[] =3D { [SRSO_MITIGATION_MICROCODE] =3D "Vulnerable: Microcode, no safe RET", [SRSO_MITIGATION_SAFE_RET] =3D "Mitigation: Safe RET", [SRSO_MITIGATION_IBPB] =3D "Mitigation: IBPB", - [SRSO_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT only" + [SRSO_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT only", + [SRSO_MITIGATION_BP_SPEC_REDUCE] =3D "Mitigation: Reduced Speculation" }; =20 static enum srso_mitigation srso_mitigation __ro_after_init =3D SRSO_MITIG= ATION_NONE; @@ -2665,6 +2667,12 @@ static void __init srso_select_mitigation(void) =20 ibpb_on_vmexit: case SRSO_CMD_IBPB_ON_VMEXIT: + if (boot_cpu_has(X86_FEATURE_SRSO_MSR_FIX)) { + pr_notice("Reducing speculation to address VM/HV SRSO attack vector.\n"= ); + srso_mitigation =3D SRSO_MITIGATION_BP_SPEC_REDUCE; + break; + } + if (IS_ENABLED(CONFIG_MITIGATION_SRSO)) { if (!boot_cpu_has(X86_FEATURE_ENTRY_IBPB) && has_microcode) { setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index dd15cc635655..e4fad330cd25 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -608,6 +608,9 @@ static void svm_disable_virtualization_cpu(void) kvm_cpu_svm_disable(); =20 amd_pmu_disable_virt(); + + if (cpu_feature_enabled(X86_FEATURE_SRSO_MSR_FIX)) + msr_clear_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT); } =20 static int svm_enable_virtualization_cpu(void) 
@@ -685,6 +688,9 @@ static int svm_enable_virtualization_cpu(void) rdmsr(MSR_TSC_AUX, sev_es_host_save_area(sd)->tsc_aux, msr_hi); } =20 + if (cpu_feature_enabled(X86_FEATURE_SRSO_MSR_FIX)) + msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT); + return 0; } =20 diff --git a/arch/x86/lib/msr.c b/arch/x86/lib/msr.c index 4bf4fad5b148..5a18ecc04a6c 100644 --- a/arch/x86/lib/msr.c +++ b/arch/x86/lib/msr.c @@ -103,6 +103,7 @@ int msr_set_bit(u32 msr, u8 bit) { return __flip_bit(msr, bit, true); } +EXPORT_SYMBOL_GPL(msr_set_bit); =20 /** * msr_clear_bit - Clear @bit in a MSR @msr. 
@@ -118,6 +119,7 @@ int msr_clear_bit(u32 msr, u8 bit) { return __flip_bit(msr, bit, false); } +EXPORT_SYMBOL_GPL(msr_clear_bit); =20 #ifdef CONFIG_TRACEPOINTS void do_trace_write_msr(unsigned int msr, u64 val, int failed) --=20 2.43.0
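Review bot: the svm.c hunks of 3/4 set and clear BpSpecReduce whenever cpu_feature_enabled(X86_FEATURE_SRSO_MSR_FIX) is true, but the bugs.c hunk selects SRSO_MITIGATION_BP_SPEC_REDUCE only on the ibpb_on_vmexit path. When srso_select_mitigation() ends on a different mitigation the CPUID-derived flag is still set, so KVM reduces speculation although spec_rstack_overflow reports something else. Key the MSR write on the selected mitigation, or clear X86_FEATURE_SRSO_MSR_FIX at the end of srso_select_mitigation() when SRSO_MITIGATION_BP_SPEC_REDUCE was not chosen.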
From: Borislav Petkov
To: Sean Christopherson, X86 ML
Cc: Paolo Bonzini, Josh Poimboeuf, Pawan Gupta, KVM, LKML, "Borislav Petkov (AMD)"
Subject: [PATCH v2 4/4] Documentation/kernel-parameters: Fix a typo in kvm.enable_virt_at_load text
Date: Mon, 2 Dec 2024 13:04:16 +0100
Message-ID: <20241202120416.6054-5-bp@kernel.org>
In-Reply-To: <20241202120416.6054-1-bp@kernel.org>
References: <20241202120416.6054-1-bp@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: "Borislav Petkov (AMD)"

s/lode/load/

Signed-off-by: Borislav Petkov (AMD)
Reviewed-by: Nikolay Borisov
---
 Documentation/admin-guide/kernel-parameters.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index dc663c0ca670..e623e2b53be2 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -2695,7 +2695,7 @@ VMs, i.e. on the 0=3D>1 and 1=3D>0 transitions of the number of VMs. =20 - Enabling virtualization at module lode avoids potential + Enabling virtualization at module load avoids potential latency for creation of the 0=3D>1 VM, as KVM serializes virtualization enabling across all online CPUs. The "cost" of enabling virtualization when KVM is loaded, --=20 2.43.0
Date: Wed, 26 Feb 2025 14:32:16 -0000
From: "tip-bot2 for Borislav Petkov"
Sender: tip-bot2@linutronix.de
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: x86/bugs] x86/bugs: KVM: Add support for SRSO_MSR_FIX
Cc: Sean Christopherson, "Borislav Petkov (AMD)", x86@kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20241202120416.6054-1-bp@kernel.org>
References: <20241202120416.6054-1-bp@kernel.org>
Message-ID: <174058033705.10177.12083332218583279567.tip-bot2@tip-bot2>
X-Mailing-List: linux-kernel@vger.kernel.org

The following commit has been merged into the x86/bugs branch of tip:

Commit-ID: 8442df2b49ed9bcd67833ad4f091d15ac91efd00
Gitweb: https://git.kernel.org/tip/8442df2b49ed9bcd67833ad4f091d15ac91efd00
Author: Borislav Petkov
AuthorDate: Tue, 18 Feb 2025 12:13:33 +01:00
Committer: Borislav Petkov (AMD)
CommitterDate: Wed, 26 Feb 2025 15:13:06 +01:00

x86/bugs: KVM: Add support for SRSO_MSR_FIX

Add support for

  CPUID Fn8000_0021_EAX[31] (SRSO_MSR_FIX). If this bit is 1, it
  indicates that software may use MSR BP_CFG[BpSpecReduce] to mitigate
  SRSO.

Enable BpSpecReduce to mitigate SRSO across guest/host boundaries.

Switch back to enabling the bit when virtualization is enabled and to
clear the bit when virtualization is disabled because using a MSR slot
would clear the bit when the guest is exited and any training the guest
has done, would potentially influence the host kernel when execution
enters the kernel and hasn't VMRUN the guest yet.

More detail on the public thread in Link below.

Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson
Signed-off-by: Borislav Petkov (AMD)
Link: https://lore.kernel.org/r/20241202120416.6054-1-bp@kernel.org
Reviewed-by: Nikolay Borisov
---
 Documentation/admin-guide/hw-vuln/srso.rst | 13 +++++++++++-
 arch/x86/include/asm/cpufeatures.h | 4 ++++-
 arch/x86/include/asm/msr-index.h | 1 +-
 arch/x86/kernel/cpu/bugs.c | 24 +++++++++++++++++----
 arch/x86/kvm/svm/svm.c | 6 +++++-
 arch/x86/lib/msr.c | 2 ++-
 6 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/srso.rst b/Documentation/adm= in-guide/hw-vuln/srso.rst index 2ad1c05..66af952 100644 --- a/Documentation/admin-guide/hw-vuln/srso.rst +++ b/Documentation/admin-guide/hw-vuln/srso.rst @@ -104,7 +104,20 @@ The possible values in this file are: =20 (spec_rstack_overflow=3Dibpb-vmexit) =20 + * 'Mitigation: Reduced Speculation': =20 + This mitigation gets automatically enabled when the above one "IBPB on + VMEXIT" has been selected and the CPU supports the BpSpecReduce bit. + + It gets automatically enabled on machines which have the + SRSO_USER_KERNEL_NO=3D1 CPUID bit. In that case, the code logic is to s= witch + to the above =3Dibpb-vmexit mitigation because the user/kernel boundary= is + not affected anymore and thus "safe RET" is not needed. + + After enabling the IBPB on VMEXIT mitigation option, the BpSpecReduce b= it + is detected (functionality present on all such machines) and that + practically overrides IBPB on VMEXIT as it has a lot less performance + impact and takes care of the guest->host attack vector too. =20 In order to exploit vulnerability, an attacker needs to: =20 diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 508c0da..43653f2 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h 
@@ -468,6 +468,10 @@ #define X86_FEATURE_IBPB_BRTYPE (20*32+28) /* MSR_PRED_CMD[IBPB] flushes = all branch type predictions */ #define X86_FEATURE_SRSO_NO (20*32+29) /* CPU is not affected by SRSO */ #define X86_FEATURE_SRSO_USER_KERNEL_NO (20*32+30) /* CPU is not affected = by SRSO across user/kernel boundaries */ +#define X86_FEATURE_SRSO_BP_SPEC_REDUCE (20*32+31) /* + * BP_CFG[BpSpecReduce] can be used to mitigate SRSO for VMs. + * (SRSO_MSR_FIX in the official doc). + */ =20 /* * Extended auxiliary flags: Linux defined - for features scattered in var= ious diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-in= dex.h index 72765b2..d35519b 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -721,6 +721,7 @@ =20 /* Zen4 */ #define MSR_ZEN4_BP_CFG 0xc001102e +#define MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT 4 #define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5 =20 /* Fam 19h MSRs */ diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index a5d0998..1d7afc4 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2522,6 +2522,7 @@ enum srso_mitigation { SRSO_MITIGATION_SAFE_RET, SRSO_MITIGATION_IBPB, SRSO_MITIGATION_IBPB_ON_VMEXIT, + SRSO_MITIGATION_BP_SPEC_REDUCE, }; =20 enum srso_mitigation_cmd { @@ -2539,7 +2540,8 @@ static const char * const srso_strings[] =3D { [SRSO_MITIGATION_MICROCODE] =3D "Vulnerable: Microcode, no safe RET", [SRSO_MITIGATION_SAFE_RET] =3D "Mitigation: Safe RET", [SRSO_MITIGATION_IBPB] =3D "Mitigation: IBPB", - [SRSO_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT only" + [SRSO_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT only", + [SRSO_MITIGATION_BP_SPEC_REDUCE] =3D "Mitigation: Reduced Speculation" }; =20 static enum srso_mitigation srso_mitigation __ro_after_init =3D SRSO_MITIG= ATION_NONE; 
@@ -2578,7 +2580,7 @@ static void __init srso_select_mitigation(void) srso_cmd =3D=3D SRSO_CMD_OFF) { if (boot_cpu_has(X86_FEATURE_SBPB)) x86_pred_cmd =3D PRED_CMD_SBPB; - return; + goto out; } =20 if (has_microcode) { @@ -2590,7 +2592,7 @@ static void __init srso_select_mitigation(void) */ if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) { setup_force_cpu_cap(X86_FEATURE_SRSO_NO); - return; + goto out; } =20 if (retbleed_mitigation =3D=3D RETBLEED_MITIGATION_IBPB) { @@ -2670,6 +2672,12 @@ static void __init srso_select_mitigation(void) =20 ibpb_on_vmexit: case SRSO_CMD_IBPB_ON_VMEXIT: + if (boot_cpu_has(X86_FEATURE_SRSO_BP_SPEC_REDUCE)) { + pr_notice("Reducing speculation to address VM/HV SRSO attack vector.\n"= ); + srso_mitigation =3D SRSO_MITIGATION_BP_SPEC_REDUCE; + break; + } + if (IS_ENABLED(CONFIG_MITIGATION_IBPB_ENTRY)) { if (has_microcode) { setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT); @@ -2691,7 +2699,15 @@ ibpb_on_vmexit: } =20 out: - pr_info("%s\n", srso_strings[srso_mitigation]); + /* + * Clear the feature flag if this mitigation is not selected as that + * feature flag controls the BpSpecReduce MSR bit toggling in KVM. + */ + if (srso_mitigation !=3D SRSO_MITIGATION_BP_SPEC_REDUCE) + setup_clear_cpu_cap(X86_FEATURE_SRSO_BP_SPEC_REDUCE); + + if (srso_mitigation !=3D SRSO_MITIGATION_NONE) + pr_info("%s\n", srso_strings[srso_mitigation]); } =20 #undef pr_fmt diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index a713c80..77ab66c 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -607,6 +607,9 @@ static void svm_disable_virtualization_cpu(void) kvm_cpu_svm_disable(); =20 amd_pmu_disable_virt(); + + if (cpu_feature_enabled(X86_FEATURE_SRSO_BP_SPEC_REDUCE)) + msr_clear_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT); } =20 static int svm_enable_virtualization_cpu(void) 
@@ -684,6 +687,9 @@ static int svm_enable_virtualization_cpu(void) rdmsr(MSR_TSC_AUX, sev_es_host_save_area(sd)->tsc_aux, msr_hi); } =20 + if (cpu_feature_enabled(X86_FEATURE_SRSO_BP_SPEC_REDUCE)) + msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_BP_SPEC_REDUCE_BIT); + return 0; } =20 diff --git a/arch/x86/lib/msr.c b/arch/x86/lib/msr.c index 4bf4fad..5a18ecc 100644 --- a/arch/x86/lib/msr.c +++ b/arch/x86/lib/msr.c @@ -103,6 +103,7 @@ int msr_set_bit(u32 msr, u8 bit) { return __flip_bit(msr, bit, true); } +EXPORT_SYMBOL_GPL(msr_set_bit); =20 /** * msr_clear_bit - Clear @bit in a MSR @msr. @@ -118,6 +119,7 @@ int msr_clear_bit(u32 msr, u8 bit) { return __flip_bit(msr, bit, false); } +EXPORT_SYMBOL_GPL(msr_clear_bit); =20 #ifdef CONFIG_TRACEPOINTS void do_trace_write_msr(unsigned int msr, u64 val, int failed)
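Review bot: in the svm_enable_virtualization_cpu() hunk of the merged commit, the result of msr_set_bit() is dropped and the function goes straight to "return 0;", although the msr.c context shows msr_set_bit() returning int. If the write to MSR_ZEN4_BP_CFG fails on a CPU, the host still reports "Mitigation: Reduced Speculation" while the bit is not set there. Check the return value and at least warn once on failure; the same applies to msr_clear_bit() in svm_disable_virtualization_cpu().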
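The selection logic described in the commit messages above, modelled in user space as an added example; it is not code from the patches or from the kernel. It covers only the two branches the series adds and assumes microcode and the CONFIG_MITIGATION_* options are present; the enum, struct and function names are made up here, while the bit numbers and strings are taken from the hunks.

```c
/* Added example (not kernel code): model the SRSO selection changes in this
 * thread from the CPUID Fn8000_0021_EAX bits the patches name. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Bit positions from the cpufeatures.h hunks (word 20 = Fn8000_0021_EAX). */
#define BIT_SRSO_NO             29
#define BIT_SRSO_USER_KERNEL_NO 30
#define BIT_SRSO_MSR_FIX        31 /* BP_CFG[BpSpecReduce] is usable */

enum cmd { CMD_SAFE_RET, CMD_IBPB, CMD_IBPB_ON_VMEXIT };  /* hypothetical subset */
enum mit { MIT_SAFE_RET, MIT_IBPB, MIT_IBPB_ON_VMEXIT, MIT_BP_SPEC_REDUCE };

/* Strings copied from srso_strings[] in the bugs.c hunks. */
static const char *const mit_str[] = {
	[MIT_SAFE_RET]       = "Mitigation: Safe RET",
	[MIT_IBPB]           = "Mitigation: IBPB",
	[MIT_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only",
	[MIT_BP_SPEC_REDUCE] = "Mitigation: Reduced Speculation",
};

struct srso_bits { int srso_no, user_kernel_no, msr_fix; };

struct srso_bits decode_eax(uint32_t eax)
{
	struct srso_bits b = {
		.srso_no        = (eax >> BIT_SRSO_NO) & 1,
		.user_kernel_no = (eax >> BIT_SRSO_USER_KERNEL_NO) & 1,
		.msr_fix        = (eax >> BIT_SRSO_MSR_FIX) & 1,
	};
	return b;
}

/* Assumption: microcode and config checks pass, so only the two branches
 * added by the patches decide the outcome. */
enum mit select_mitigation(struct srso_bits b, enum cmd cmd)
{
	if (cmd == CMD_SAFE_RET && b.user_kernel_no)
		cmd = CMD_IBPB_ON_VMEXIT;	/* 1/4: goto ibpb_on_vmexit */
	if (cmd == CMD_IBPB_ON_VMEXIT)		/* 3/4: BpSpecReduce wins */
		return b.msr_fix ? MIT_BP_SPEC_REDUCE : MIT_IBPB_ON_VMEXIT;
	return cmd == CMD_IBPB ? MIT_IBPB : MIT_SAFE_RET;
}

/* v2 3/4: svm.c keys the MSR write on the CPUID feature bit alone. */
int kvm_sets_bpspecreduce_v2(struct srso_bits b)
{
	return b.msr_fix;
}

/* Merged commit: the flag is cleared unless BP_SPEC_REDUCE was selected. */
int kvm_sets_bpspecreduce_merged(struct srso_bits b, enum cmd cmd)
{
	return select_mitigation(b, cmd) == MIT_BP_SPEC_REDUCE;
}

const char *expected_sysfs(struct srso_bits b, enum cmd cmd)
{
	return mit_str[select_mitigation(b, cmd)];
}

int main(void)
{
	uint32_t eax = 0;
#if defined(__x86_64__) || defined(__i386__)
	unsigned int a, bx, c, d;
	if (__get_cpuid(0x80000021, &a, &bx, &c, &d))
		eax = a;
#endif
	struct srso_bits b = decode_eax(eax);
	char line[128] = "";
	FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow", "r");

	if (f) {
		if (!fgets(line, sizeof(line), f))
			line[0] = '\0';
		fclose(f);
	}
	line[strcspn(line, "\n")] = '\0';
	printf("SRSO_NO=%d SRSO_USER_KERNEL_NO=%d SRSO_MSR_FIX=%d\n",
	       b.srso_no, b.user_kernel_no, b.msr_fix);
	printf("kernel reports    : %s\n", line[0] ? line : "(file not present)");
	if (!b.srso_no)
		printf("model for safe-ret: %s\n", expected_sysfs(b, CMD_SAFE_RET));
	return 0;
}
```

A mismatch between the two printed lines is not an error by itself: a different spec_rstack_overflow= setting, missing microcode or a kernel without this series all change what the kernel reports.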