Date: Wed, 26 Nov 2025 14:14:54 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v5 1/9] x86/bhi: x86/vmscape: Move LFENCE out of clear_bhb_loop()
Message-ID: <20251126-vmscape-bhb-v5-1-02d66e423b00@linux.intel.com>
In-Reply-To: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>

Currently, BHB clearing sequence is followed by an LFENCE to prevent transient execution of subsequent indirect branches prematurely. However, LFENCE barrier could be unnecessary in certain cases. For example, when kernel is using BHI_DIS_S mitigation, and BHB clearing is only needed for userspace. In such cases, LFENCE is redundant because ring transitions would provide the necessary serialization.

Below is a quick recap of BHI mitigation options:

On Alder Lake and newer

- BHI_DIS_S: Hardware control to mitigate BHI in ring0. This has low performance overhead.
- Long loop: Alternatively, longer version of BHB clearing sequence can be used to mitigate BHI. It can also be used to mitigate BHI variant of VMSCAPE. This is not yet implemented in Linux.

On older CPUs

- Short loop: Clears BHB at kernel entry and VMexit. The "Long loop" is effective on older CPUs as well, but should be avoided because of unnecessary overhead.

On Alder Lake and newer CPUs, eIBRS isolates the indirect targets between guest and host. But when affected by the BHI variant of VMSCAPE, a guest's branch history may still influence indirect branches in userspace.
This also means the big hammer IBPB could be replaced with a cheaper option that clears the BHB at exit-to-userspace after a VMexit.

In preparation for adding the support for BHB sequence (without LFENCE) on newer CPUs, move the LFENCE to the caller side after clear_bhb_loop() is executed. This allows callers to decide whether they need the LFENCE or not. This does add a few extra bytes to the call sites, but it obviates the need for multiple variants of clear_bhb_loop().

Suggested-by: Dave Hansen
Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
--- arch/x86/entry/entry_64.S | 5 ++++- arch/x86/include/asm/nospec-branch.h | 4 ++-- arch/x86/net/bpf_jit_comp.c | 2 ++ 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index ed04a968cc7d0095ab0185b2e3b5beffb7680afd..886f86790b4467347031bc27d3d= 761d5cc286da1 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -1528,6 +1528,9 @@ SYM_CODE_END(rewind_stack_and_make_dead) * refactored in the future if needed. The .skips are for safety, to ensure * that all RETs are in the second half of a cacheline to mitigate Indirect * Target Selection, rather than taking the slowpath via its_return_thunk. + * + * Note, callers should use a speculation barrier like LFENCE immediately = after + * a call to this function to ensure BHB is cleared before indirect branch= es. */ SYM_FUNC_START(clear_bhb_loop) ANNOTATE_NOENDBR @@ -1562,7 +1565,7 @@ SYM_FUNC_START(clear_bhb_loop) sub $1, %ecx jnz 1b .Lret2: RET -5: lfence +5: pop %rbp RET SYM_FUNC_END(clear_bhb_loop) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 08ed5a2e46a5fd790bcb1b73feb6469518809c06..ec5ebf96dbb9e240f402f39efc6= 929ae45ec8f0b 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h
@@ -329,11 +329,11 @@ =20 #ifdef CONFIG_X86_64 .macro CLEAR_BRANCH_HISTORY - ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP + ALTERNATIVE "", "call clear_bhb_loop; lfence", X86_FEATURE_CLEAR_BHB_LOOP .endm =20 .macro CLEAR_BRANCH_HISTORY_VMEXIT - ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_VMEXIT + ALTERNATIVE "", "call clear_bhb_loop; lfence", X86_FEATURE_CLEAR_BHB_VMEX= IT .endm #else #define CLEAR_BRANCH_HISTORY diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index de5083cb1d3747bba00effca3703a4f6eea80d8d..c1ec14c559119b120edfac079ae= b07948e9844b8 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c 
@@ -1603,6 +1603,8 @@ static int emit_spectre_bhb_barrier(u8 **pprog, u8 *i= p, =20 if (emit_call(&prog, func, ip)) return -EINVAL; + /* Don't speculate past this until BHB is cleared */ + EMIT_LFENCE(); EMIT1(0x59); /* pop rcx */ EMIT1(0x58); /* pop rax */ } --=20 2.34.1
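Review bot: The new comment above clear_bhb_loop() in entry_64.S tells every caller to follow the call with a speculation barrier, but the commit message says the reason for the move is that some callers can skip it because a ring transition already serializes. The comment should state that exception as well, for example that a caller may omit the LFENCE only when no indirect branch can execute before the next ring transition, so a later caller neither adds a redundant barrier nor drops a required one. All three call sites visible in this patch (CLEAR_BRANCH_HISTORY, CLEAR_BRANCH_HISTORY_VMEXIT and emit_spectre_bhb_barrier()) add the LFENCE, so every existing caller keeps a barrier.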
Date: Wed, 26 Nov 2025 14:15:10 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v5 2/9] x86/bhi: Make clear_bhb_loop() effective on newer CPUs
Message-ID: <20251126-vmscape-bhb-v5-2-02d66e423b00@linux.intel.com>
In-Reply-To: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>

As a mitigation for BHI, clear_bhb_loop() executes branches that overwrite the Branch History Buffer (BHB). On Alder Lake and newer parts this sequence is not sufficient because it doesn't clear enough entries. This was not an issue because these CPUs have a hardware control (BHI_DIS_S) that mitigates BHI in kernel.

BHI variant of VMSCAPE requires isolating branch history between guests and userspace. Note that there is no equivalent hardware control for userspace. To effectively isolate branch history on newer CPUs, clear_bhb_loop() should execute sufficient number of branches to clear a larger BHB.

Dynamically set the loop count of clear_bhb_loop() such that it is effective on newer CPUs too. Use the hardware control enumeration X86_FEATURE_BHI_CTRL to select the appropriate loop count.

Suggested-by: Dave Hansen
Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
--- arch/x86/entry/entry_64.S | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 886f86790b4467347031bc27d3d761d5cc286da1..e4863d6d32178f628d994edc06e= d6d591916b390 100644 --- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S @@ -1536,7 +1536,11 @@ SYM_FUNC_START(clear_bhb_loop) ANNOTATE_NOENDBR push %rbp mov %rsp, %rbp - movl $5, %ecx + + /* loop count differs based on BHI_CTRL, see Intel's BHI guidance */ + ALTERNATIVE "movl $5, %ecx; movl $5, %edx;", \ + "movl $12, %ecx; movl $7, %edx;", X86_FEATURE_BHI_CTRL + ANNOTATE_INTRA_FUNCTION_CALL call 1f jmp 5f 
@@ -1557,7 +1561,7 @@ SYM_FUNC_START(clear_bhb_loop) * but some Clang versions (e.g. 18) don't like this. */ .skip 32 - 18, 0xcc -2: movl $5, %eax +2: movl %edx, %eax 3: jmp 4f nop 4: sub $1, %eax --=20 2.34.1
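Review bot: The first hunk makes clear_bhb_loop() write %edx, where the lines shown previously used only %ecx and %eax, and nothing documents the new clobber. The emit_spectre_bhb_barrier() context in patch 1/9 restores only rcx and rax after the call, so either confirm rdx is dead at that call site or save and restore it there too, and list the clobbered registers in the function's header comment. The constants 5/5 and 12/7 would also be easier to audit with a short comment naming which is the outer and which the inner loop count, instead of only pointing at "Intel's BHI guidance".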
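Review bot: In the second hunk, replacing "movl $5, %eax" with "movl %edx, %eax" at label 2 shortens that instruction from 5 bytes to 2, and the ALTERNATIVE in the first hunk lengthens the prologue from one immediate move to two. The function's comment says the .skip padding exists so that all RETs land in the second half of a cacheline, and ".skip 32 - 18, 0xcc" sits right above the changed instruction, so please confirm the RET placement still holds after both length changes, or adjust the .skip values in this patch.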
Date: Wed, 26 Nov 2025 14:15:25 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v5 3/9] x86/vmscape: Rename x86_ibpb_exit_to_user to x86_predictor_flush_exit_to_user
Message-ID: <20251126-vmscape-bhb-v5-3-02d66e423b00@linux.intel.com>
In-Reply-To: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>

With the upcoming changes x86_ibpb_exit_to_user will also be used when BHB clearing sequence is used. Rename it to cover both the cases.

No functional change.

Signed-off-by: Pawan Gupta
--- arch/x86/include/asm/entry-common.h | 6 +++--- arch/x86/include/asm/nospec-branch.h | 2 +- arch/x86/kernel/cpu/bugs.c | 4 ++-- arch/x86/kvm/x86.c | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index ce3eb6d5fdf9f2dba59b7bad24afbfafc8c36918..c45858db16c92fc1364fb818185= fba7657840991 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h
@@ -94,11 +94,11 @@ static inline void arch_exit_to_user_mode_prepare(struc= t pt_regs *regs, */ choose_random_kstack_offset(rdtsc()); =20 - /* Avoid unnecessary reads of 'x86_ibpb_exit_to_user' */ + /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */ if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) && - this_cpu_read(x86_ibpb_exit_to_user)) { + this_cpu_read(x86_predictor_flush_exit_to_user)) { indirect_branch_prediction_barrier(); - this_cpu_write(x86_ibpb_exit_to_user, false); + this_cpu_write(x86_predictor_flush_exit_to_user, false); } } #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index ec5ebf96dbb9e240f402f39efc6929ae45ec8f0b..df60f9cf51b84e5b75e5db70713= 188d2e6ad0f5d 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -531,7 +531,7 @@ void alternative_msr_write(unsigned int msr, u64 val, u= nsigned int feature) : "memory"); } =20 -DECLARE_PER_CPU(bool, x86_ibpb_exit_to_user); +DECLARE_PER_CPU(bool, x86_predictor_flush_exit_to_user); =20 static inline void indirect_branch_prediction_barrier(void) { diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d7fa03bf51b4517c12cc68e7c441f7589a4983d1..1e9b11198db0fe2483bd17b1327= bcfd44a2c1dbf 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -113,8 +113,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current); * be needed to before running userspace. That IBPB will flush the branch * predictor content. */ -DEFINE_PER_CPU(bool, x86_ibpb_exit_to_user); -EXPORT_PER_CPU_SYMBOL_GPL(x86_ibpb_exit_to_user); +DEFINE_PER_CPU(bool, x86_predictor_flush_exit_to_user); +EXPORT_PER_CPU_SYMBOL_GPL(x86_predictor_flush_exit_to_user); =20 u64 x86_pred_cmd __ro_after_init =3D PRED_CMD_IBPB; =20 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index c9c2aa6f4705e1ae257bf94572967a5724a940a7..60123568fba85c8a445f9220d3f= 4a1d11fd0eb77 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -11397,7 +11397,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) * may migrate to. */ if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER)) - this_cpu_write(x86_ibpb_exit_to_user, true); + this_cpu_write(x86_predictor_flush_exit_to_user, true); =20 /* * Consume any pending interrupts, including the possible source of --=20 2.34.1
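Review bot: The comment kept as context above DEFINE_PER_CPU() in the bugs.c hunk still reads "That IBPB will flush the branch predictor content", which no longer matches the renamed x86_predictor_flush_exit_to_user. Since the stated reason for the rename is that the flag will also cover the BHB clearing sequence, reword that comment to speak of a predictor flush in this patch. The same mismatch remains in entry-common.h, where the renamed flag is still gated by X86_FEATURE_IBPB_EXIT_TO_USER and followed by indirect_branch_prediction_barrier(); if later patches in the series resolve that, say so in the commit message.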
Date: Wed, 26 Nov 2025 14:15:40 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v5 4/9] x86/vmscape: Move mitigation selection to a switch()
Message-ID: <20251126-vmscape-bhb-v5-4-02d66e423b00@linux.intel.com>
In-Reply-To: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>

This ensures that all mitigation modes are explicitly handled, while keeping the mitigation selection for each mode together. This also prepares for adding BHB-clearing mitigation mode for VMSCAPE.

Signed-off-by: Pawan Gupta
--- arch/x86/kernel/cpu/bugs.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 1e9b11198db0fe2483bd17b1327bcfd44a2c1dbf..ecefea3c018117031ea1d1ef8f4= fca6e425a936c 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c
@@ -3231,17 +3231,32 @@ early_param("vmscape", vmscape_parse_cmdline); =20 static void __init vmscape_select_mitigation(void) { - if (!boot_cpu_has_bug(X86_BUG_VMSCAPE) || - !boot_cpu_has(X86_FEATURE_IBPB)) { + if (!boot_cpu_has_bug(X86_BUG_VMSCAPE)) { vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; return; } =20 - if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_AUTO) { - if (should_mitigate_vuln(X86_BUG_VMSCAPE)) + if ((vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_AUTO) && + !should_mitigate_vuln(X86_BUG_VMSCAPE)) + vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; + + switch (vmscape_mitigation) { + case VMSCAPE_MITIGATION_NONE: + break; + + case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER: + if (!boot_cpu_has(X86_FEATURE_IBPB)) + vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; + break; + + case VMSCAPE_MITIGATION_AUTO: + if (boot_cpu_has(X86_FEATURE_IBPB)) vmscape_mitigation =3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER; else vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; + break; + + default: } } =20 --=20 2.34.1
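Review bot: The switch ends with "default:" directly before the closing brace, which is a label with no statement after it; that is only valid from C23 on and older compilers reject it, so make it "default: break;". Separately, the removed early return applied the !boot_cpu_has(X86_FEATURE_IBPB) check to every mode, while now only the IBPB_EXIT_TO_USER and AUTO cases check it, so any other value of vmscape_mitigation reaches the empty default unchecked. If that is intended, say so in the commit message, which currently states that all modes are explicitly handled; otherwise add the missing cases.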
Date: Wed, 26 Nov 2025 14:15:55 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v5 5/9] x86/vmscape: Use write_ibpb() instead of indirect_branch_prediction_barrier()
Message-ID: <20251126-vmscape-bhb-v5-5-02d66e423b00@linux.intel.com>
In-Reply-To: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>

indirect_branch_prediction_barrier() is a wrapper to write_ibpb(), which also checks if the CPU supports IBPB. For VMSCAPE, call to indirect_branch_prediction_barrier() is only possible when CPU supports IBPB.

Simply call write_ibpb() directly to avoid unnecessary alternative patching.

Suggested-by: Dave Hansen
Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
--- arch/x86/include/asm/entry-common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index c45858db16c92fc1364fb818185fba7657840991..78b143673ca72642149eb2dbf3e= 3e31370fe6b28 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h
@@ -97,7 +97,7 @@ static inline void arch_exit_to_user_mode_prepare(struct = pt_regs *regs, /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */ if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) && this_cpu_read(x86_predictor_flush_exit_to_user)) { - indirect_branch_prediction_barrier(); + write_ibpb(); this_cpu_write(x86_predictor_flush_exit_to_user, false); } } --=20 2.34.1
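Review bot: Calling write_ibpb() here drops the IBPB-support check that, per the commit message, indirect_branch_prediction_barrier() performed, so the call is safe only while X86_FEATURE_IBPB_EXIT_TO_USER is never enabled on a CPU without IBPB. That guarantee is not visible in this file; the only related check shown in the series is the boot_cpu_has(X86_FEATURE_IBPB) test in vmscape_select_mitigation() (patch 4/9). Add a one-line comment at the call site naming that invariant, so a later change to the gating condition does not silently issue the write on hardware that lacks IBPB.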
Date: Wed, 26 Nov 2025 14:16:10 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v5 6/9] x86/vmscape: Use static_call() for predictor flush
Message-ID: <20251126-vmscape-bhb-v5-6-02d66e423b00@linux.intel.com>
References: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>
In-Reply-To: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>

Adding more mitigation options at exit-to-userspace for VMSCAPE would usually require a series of checks to decide which mitigation to use. In this case, the mitigation is done by calling a function, which is decided at boot. So, adding more feature flags and multiple checks can be avoided by using static_call() to the mitigating function.

Replace the flag-based mitigation selector with a static_call(). This also frees the existing X86_FEATURE_IBPB_EXIT_TO_USER.

Suggested-by: Dave Hansen
Signed-off-by: Pawan Gupta
---
 arch/x86/Kconfig | 1 +
 arch/x86/include/asm/cpufeatures.h | 2 +-
 arch/x86/include/asm/entry-common.h | 7 +++----
 arch/x86/include/asm/nospec-branch.h | 3 +++
 arch/x86/kernel/cpu/bugs.c | 5 ++++-
 arch/x86/kvm/x86.c | 2 +-
 6 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index fa3b616af03a2d50eaf5f922bc8cd4e08a284045..066f62f15e67e85fda0f3fd66ac= abad9a9794ff8 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -2706,6 +2706,7 @@ config MITIGATION_TSA config MITIGATION_VMSCAPE bool "Mitigate VMSCAPE" depends on KVM + select HAVE_STATIC_CALL default y help Enable mitigation for VMSCAPE attacks. VMSCAPE is a hardware security diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 4091a776e37aaed67ca93b0a0cd23cc25dbc33d4..02871318c999f94ec8557e5fb0b= 8fb299960d454 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -496,7 +496,7 @@ #define X86_FEATURE_TSA_SQ_NO (21*32+11) /* AMD CPU not vulnerable to TSA= -SQ */ #define X86_FEATURE_TSA_L1_NO (21*32+12) /* AMD CPU not vulnerable to TSA= -L1 */ #define X86_FEATURE_CLEAR_CPU_BUF_VM (21*32+13) /* Clear CPU buffers using= VERW before VMRUN */ -#define X86_FEATURE_IBPB_EXIT_TO_USER (21*32+14) /* Use IBPB on exit-to-us= erspace, see VMSCAPE bug */ +/* Free */ #define X86_FEATURE_ABMC (21*32+15) /* Assignable Bandwidth Monitoring Co= unters */ #define X86_FEATURE_MSR_IMM (21*32+16) /* MSR immediate form instructions= */ =20 diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index 78b143673ca72642149eb2dbf3e3e31370fe6b28..783e7cb50caeb6c6fc68e0a5c75= ab43e75e37116 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h @@ -4,6 +4,7 @@ =20 #include #include +#include =20 #include #include @@ -94,10 +95,8 @@ static inline void arch_exit_to_user_mode_prepare(struct= pt_regs *regs, */ choose_random_kstack_offset(rdtsc()); =20 - /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */ - if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) && - this_cpu_read(x86_predictor_flush_exit_to_user)) { - write_ibpb(); + if (unlikely(this_cpu_read(x86_predictor_flush_exit_to_user))) { + static_call_cond(vmscape_predictor_flush)(); this_cpu_write(x86_predictor_flush_exit_to_user, false); } } 
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index df60f9cf51b84e5b75e5db70713188d2e6ad0f5d..15a2fa8f2f48a066e102263513e= ff9537ac1d25f 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -540,6 +540,9 @@ static inline void indirect_branch_prediction_barrier(v= oid) :: "rax", "rcx", "rdx", "memory"); } =20 +#include +DECLARE_STATIC_CALL(vmscape_predictor_flush, write_ibpb); + /* The Intel SPEC CTRL MSR base value cache */ extern u64 x86_spec_ctrl_base; DECLARE_PER_CPU(u64, x86_spec_ctrl_current); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index ecefea3c018117031ea1d1ef8f4fca6e425a936c..aeda00d2539669f21053ac1bbe4= cd69861b762b7 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -200,6 +200,9 @@ DEFINE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush); DEFINE_STATIC_KEY_FALSE(cpu_buf_vm_clear); EXPORT_SYMBOL_GPL(cpu_buf_vm_clear); =20 +DEFINE_STATIC_CALL_NULL(vmscape_predictor_flush, write_ibpb); +EXPORT_STATIC_CALL_GPL(vmscape_predictor_flush); + #undef pr_fmt #define pr_fmt(fmt) "mitigations: " fmt =20 @@ -3275,7 +3278,7 @@ static void __init vmscape_update_mitigation(void) static void __init vmscape_apply_mitigation(void) { if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER) - setup_force_cpu_cap(X86_FEATURE_IBPB_EXIT_TO_USER); + static_call_update(vmscape_predictor_flush, write_ibpb); } =20 #undef pr_fmt diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 60123568fba85c8a445f9220d3f4a1d11fd0eb77..7e55ef3b3203a26be1a138c8fa8= 38a8c5aae0125 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -11396,7 +11396,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) * set for the CPU that actually ran the guest, and not the CPU that it * may migrate to. */ - if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER)) + if (static_call_query(vmscape_predictor_flush)) this_cpu_write(x86_predictor_flush_exit_to_user, true); =20 /* --=20 2.34.1
From nobody Mon Dec 1 23:03:59 2025
Date: Wed, 26 Nov 2025 14:16:26 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v5 7/9] x86/vmscape: Deploy BHB clearing mitigation
Message-ID: <20251126-vmscape-bhb-v5-7-02d66e423b00@linux.intel.com>
References: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>
In-Reply-To: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>

IBPB mitigation for VMSCAPE is overkill on CPUs that are only affected by the BHI variant of VMSCAPE. On such CPUs, eIBRS already provides indirect branch isolation between guest and host userspace. However, branch history from the guest may also influence the indirect branches in host userspace.

To mitigate the BHI aspect, use clear_bhb_loop().

Signed-off-by: Pawan Gupta
---
 Documentation/admin-guide/hw-vuln/vmscape.rst | 4 ++++
 arch/x86/include/asm/nospec-branch.h | 2 ++
 arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++-------
 3 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst b/Documentation/= admin-guide/hw-vuln/vmscape.rst index d9b9a2b6c114c05a7325e5f3c9d42129339b870b..dc63a0bac03d43d1e295de0791d= d6497d101f986 100644 --- a/Documentation/admin-guide/hw-vuln/vmscape.rst +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst
@@ -86,6 +86,10 @@ The possible values in this file are: run a potentially malicious guest and issues an IBPB before the first exit to userspace after VM-exit. =20 + * 'Mitigation: Clear BHB before exit to userspace': + + As above, conditional BHB clearing mitigation is enabled. + * 'Mitigation: IBPB on VMEXIT': =20 IBPB is issued on every VM-exit. This occurs when other mitigations like diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 15a2fa8f2f48a066e102263513eff9537ac1d25f..1e8c26c37dbed4256b35101fb41= c0e1eb6ef9272 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -388,6 +388,8 @@ extern void write_ibpb(void); =20 #ifdef CONFIG_X86_64 extern void clear_bhb_loop(void); +#else +static inline void clear_bhb_loop(void) {} #endif =20 extern void (*x86_return_thunk)(void); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index aeda00d2539669f21053ac1bbe4cd69861b762b7..16e54e18cb4e7e9e28c5bee9048= 886ab685ae5a6 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -109,9 +109,8 @@ DEFINE_PER_CPU(u64, x86_spec_ctrl_current); EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current); =20 /* - * Set when the CPU has run a potentially malicious guest. An IBPB will - * be needed to before running userspace. That IBPB will flush the branch - * predictor content. + * Set when the CPU has run a potentially malicious guest. Indicates that a + * branch predictor flush is needed before running userspace. */ DEFINE_PER_CPU(bool, x86_predictor_flush_exit_to_user); EXPORT_PER_CPU_SYMBOL_GPL(x86_predictor_flush_exit_to_user); 
@@ -3200,13 +3199,15 @@ enum vmscape_mitigations { VMSCAPE_MITIGATION_AUTO, VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER, VMSCAPE_MITIGATION_IBPB_ON_VMEXIT, + VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER, }; =20 static const char * const vmscape_strings[] =3D { - [VMSCAPE_MITIGATION_NONE] =3D "Vulnerable", + [VMSCAPE_MITIGATION_NONE] =3D "Vulnerable", /* [VMSCAPE_MITIGATION_AUTO] */ - [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] =3D "Mitigation: IBPB before exit = to userspace", - [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT", + [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] =3D "Mitigation: IBPB before exit= to userspace", + [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT", + [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] =3D "Mitigation: Clear BHB be= fore exit to userspace", }; =20 static enum vmscape_mitigations vmscape_mitigation __ro_after_init =3D @@ -3253,7 +3254,15 @@ static void __init vmscape_select_mitigation(void) break; =20 case VMSCAPE_MITIGATION_AUTO: - if (boot_cpu_has(X86_FEATURE_IBPB)) + /* + * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use BHB + * clear sequence. These CPUs are only vulnerable to the BHI variant + * of the VMSCAPE attack and does not require an IBPB flush. In + * 32-bit mode BHB clear sequence is not supported. + */ + if (boot_cpu_has(X86_FEATURE_BHI_CTRL) && IS_ENABLED(CONFIG_X86_64)) + vmscape_mitigation =3D VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER; + else if (boot_cpu_has(X86_FEATURE_IBPB)) vmscape_mitigation =3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER; else vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; @@ -3279,6 +3288,8 @@ static void __init vmscape_apply_mitigation(void) { if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER) static_call_update(vmscape_predictor_flush, write_ibpb); + else if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_U= SER) + static_call_update(vmscape_predictor_flush, clear_bhb_loop); } =20 #undef pr_fmt 
@@ -3370,6 +3381,7 @@ void cpu_bugs_smt_update(void) break; case VMSCAPE_MITIGATION_IBPB_ON_VMEXIT: case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER: + case VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER: /* * Hypervisors can be attacked across-threads, warn for SMT when * STIBP is not already enabled system-wide. --=20 2.34.1
From nobody Mon Dec 1 23:03:59 2025
Date: Wed, 26 Nov 2025 14:16:41 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v5 8/9] x86/vmscape: Fix conflicting attack-vector controls with =force
Message-ID: <20251126-vmscape-bhb-v5-8-02d66e423b00@linux.intel.com>
References: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>
In-Reply-To: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>

vmscape=force option currently defaults to AUTO mitigation. This is not correct because attack-vector controls override a mitigation in AUTO mode. This prevents a user from being able to force VMSCAPE mitigation when it conflicts with attack-vector controls.

Kernel should deploy a forced mitigation irrespective of attack vectors. Instead of AUTO, use VMSCAPE_MITIGATION_ON that wins over attack-vector controls.

Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
---
 arch/x86/kernel/cpu/bugs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 16e54e18cb4e7e9e28c5bee9048886ab685ae5a6..3b9b1f27cc19d3de061814067a5= d8797dfa3858b 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -3197,6 +3197,7 @@ static void __init srso_apply_mitigation(void) enum vmscape_mitigations { VMSCAPE_MITIGATION_NONE, VMSCAPE_MITIGATION_AUTO, + VMSCAPE_MITIGATION_ON, VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER, VMSCAPE_MITIGATION_IBPB_ON_VMEXIT, VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER,
@@ -3205,6 +3206,7 @@ enum vmscape_mitigations { static const char * const vmscape_strings[] =3D { [VMSCAPE_MITIGATION_NONE] =3D "Vulnerable", /* [VMSCAPE_MITIGATION_AUTO] */ + /* [VMSCAPE_MITIGATION_ON] */ [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] =3D "Mitigation: IBPB before exit= to userspace", [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT", [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] =3D "Mitigation: Clear BHB be= fore exit to userspace", @@ -3224,7 +3226,7 @@ static int __init vmscape_parse_cmdline(char *str) vmscape_mitigation =3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER; } else if (!strcmp(str, "force")) { setup_force_cpu_bug(X86_BUG_VMSCAPE); - vmscape_mitigation =3D VMSCAPE_MITIGATION_AUTO; + vmscape_mitigation =3D VMSCAPE_MITIGATION_ON; } else { pr_err("Ignoring unknown vmscape=3D%s option.\n", str); } @@ -3254,6 +3256,7 @@ static void __init vmscape_select_mitigation(void) break; =20 case VMSCAPE_MITIGATION_AUTO: + case VMSCAPE_MITIGATION_ON: /* * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use BHB * clear sequence. These CPUs are only vulnerable to the BHI variant 
@@ -3378,6 +3381,7 @@ void cpu_bugs_smt_update(void) switch (vmscape_mitigation) { case VMSCAPE_MITIGATION_NONE: case VMSCAPE_MITIGATION_AUTO: + case VMSCAPE_MITIGATION_ON: break; case VMSCAPE_MITIGATION_IBPB_ON_VMEXIT: case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER: --=20 2.34.1
From nobody Mon Dec 1 23:03:59 2025
Date: Wed, 26 Nov 2025 14:16:57 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v5 9/9] x86/vmscape: Add cmdline vmscape=on to override attack vector controls
Message-ID: <20251126-vmscape-bhb-v5-9-02d66e423b00@linux.intel.com>
References: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>
In-Reply-To: <20251126-vmscape-bhb-v5-0-02d66e423b00@linux.intel.com>

In general, individual mitigation controls can be used to override the attack vector controls. But, nothing exists to select BHB clearing mitigation for VMSCAPE. The =force option comes close, but with a side-effect of also forcibly setting the bug, hence deploying the mitigation on unaffected parts too.

Add a new cmdline option vmscape=on to enable the mitigation based on the VMSCAPE variant the CPU is affected by.

Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
---
 Documentation/admin-guide/hw-vuln/vmscape.rst | 4 ++++
 Documentation/admin-guide/kernel-parameters.txt | 4 +++-
 arch/x86/kernel/cpu/bugs.c | 2 ++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst b/Documentation/= admin-guide/hw-vuln/vmscape.rst index dc63a0bac03d43d1e295de0791dd6497d101f986..580f288ae8bfc601ff000d6d95d= 711bb9084459e 100644 --- a/Documentation/admin-guide/hw-vuln/vmscape.rst +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst
@@ -112,3 +112,7 @@ The mitigation can be controlled via the ``vmscape=3D``= command line parameter: =20 Force vulnerability detection and mitigation even on processors that are not known to be affected. + + * ``vmscape=3Don``: + + Choose the mitigation based on the VMSCAPE variant the CPU is affected = by. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index 6c42061ca20e581b5192b66c6f25aba38d4f8ff8..d2ccec6e10f3ea094c01083d4c1= 33b837c7fc7d7 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -8104,9 +8104,11 @@ =20 off - disable the mitigation ibpb - use Indirect Branch Prediction Barrier - (IBPB) mitigation (default) + (IBPB) mitigation force - force vulnerability detection even on unaffected processors + on - (default) selects IBPB or BHB clear + mitigation based on CPU =20 vsyscall=3D [X86-64,EARLY] Controls the behavior of vsyscalls (i.e. calls to diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 3b9b1f27cc19d3de061814067a5d8797dfa3858b..bda6048085fbad5605534caceda= 32eb1df8c29ec 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -3227,6 +3227,8 @@ static int __init vmscape_parse_cmdline(char *str) } else if (!strcmp(str, "force")) { setup_force_cpu_bug(X86_BUG_VMSCAPE); vmscape_mitigation =3D VMSCAPE_MITIGATION_ON; + } else if (!strcmp(str, "on")) { + vmscape_mitigation =3D VMSCAPE_MITIGATION_ON; } else { pr_err("Ignoring unknown vmscape=3D%s option.\n", str); } --=20 2.34.1
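
Review bot: In [PATCH v5 5/9], arch_exit_to_user_mode_prepare() in arch/x86/include/asm/entry-common.h now calls write_ibpb() with no capability check of its own, so IBPB support is guaranteed only by whatever sets X86_FEATURE_IBPB_EXIT_TO_USER, and that code is outside this hunk. A one-line comment at the call site stating that the feature bit is set only when the CPU has IBPB would keep the invariant visible to anyone who later adds another way to set the bit.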
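
Review bot: In [PATCH v5 6/9], the `select HAVE_STATIC_CALL` added under config MITIGATION_VMSCAPE in arch/x86/Kconfig ties an architecture capability symbol to a mitigation option, while the entry-common.h hunk of the same patch calls static_call_cond(vmscape_predictor_flush)() with no CONFIG_MITIGATION_VMSCAPE guard. If the architecture already provides HAVE_STATIC_CALL the select is redundant, and if it does not, the unguarded call site needs it regardless of this option; the commit message should say which case motivated the line, or the line should be dropped.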
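
Review bot: In [PATCH v5 6/9], the arch_exit_to_user_mode_prepare() hunk drops the cpu_feature_enabled() test together with the comment "Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user'", so this_cpu_read() now runs on every exit to user mode, including when no VMSCAPE mitigation is selected. The commit message should say why the extra per-CPU read on this hot path is acceptable, and the removed comment deserves a successor noting that vcpu_enter_guest() sets the flag only when static_call_query(vmscape_predictor_flush) is non-NULL.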
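
Review bot: In [PATCH v5 7/9], the new 'Mitigation: Clear BHB before exit to userspace' entry in Documentation/admin-guide/hw-vuln/vmscape.rst says only "As above, conditional BHB clearing mitigation is enabled", which does not tell an administrator when this state is chosen. State the condition that vmscape_select_mitigation() uses in the same patch (X86_FEATURE_BHI_CTRL present and a 64-bit kernel) and spell out what "conditional" means here, in parallel with the IBPB entry above it.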
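
Review bot: In [PATCH v5 7/9], the comment added to the VMSCAPE_MITIGATION_AUTO case of vmscape_select_mitigation() in arch/x86/kernel/cpu/bugs.c has a missing space in "BHI_CTRL(ADL and newer)" and a number mismatch in "These CPUs are only vulnerable ... and does not require an IBPB flush". Suggest "BHI_CTRL (ADL and newer)" and "do not require", since this comment is the only place the selection rationale is recorded.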
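
Review bot: In [PATCH v5 8/9], the vmscape_select_mitigation() hunk only adds "case VMSCAPE_MITIGATION_ON:" above the body it shares with AUTO, so nothing in the visible lines shows where ON and AUTO diverge with respect to attack-vector controls, which is the stated purpose of the patch. A short comment at the new label saying that ON takes the same selection as AUTO but is not subject to the attack-vector check would make the difference reviewable at this spot.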
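
Review bot: In [PATCH v5 9/9], the Documentation/admin-guide/kernel-parameters.txt hunk moves "(default)" from the ibpb entry to the new "on" entry, but this patch only adds a cmdline branch in bugs.c and does not change the initial value of vmscape_mitigation, and the 8/9 commit message describes ON as winning over attack-vector controls while AUTO does not. If the boot default is still AUTO, labelling "on" as the default misdescribes it; describe the default behaviour separately from the "on" option.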
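
Review bot: In [PATCH v5 9/9], the ``vmscape=on`` entry added to Documentation/admin-guide/hw-vuln/vmscape.rst says only that the mitigation is chosen based on the VMSCAPE variant, and omits the two properties the commit message gives as the reason for the option: it overrides attack-vector controls, and unlike ``force`` it does not set the bug on unaffected parts. Add both points to the entry so the difference between ``on`` and ``force`` is documented where administrators will look for it.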