Date: Mon, 1 Dec 2025 22:18:59 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v6 1/9] x86/bhi: x86/vmscape: Move LFENCE out of clear_bhb_loop()
Message-ID: <20251201-vmscape-bhb-v6-1-d610dd515714@linux.intel.com>
References: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>

Currently, BHB clearing sequence is followed by an LFENCE to prevent transient execution of subsequent indirect branches prematurely. However, LFENCE barrier could be unnecessary in certain cases. For example, when kernel is using BHI_DIS_S mitigation, and BHB clearing is only needed for userspace. In such cases, LFENCE is redundant because ring transitions would provide the necessary serialization.

Below is a quick recap of BHI mitigation options:

On Alder Lake and newer

- BHI_DIS_S: Hardware control to mitigate BHI in ring0. This has low performance overhead.
- Long loop: Alternatively, longer version of BHB clearing sequence can be used to mitigate BHI. It can also be used to mitigate BHI variant of VMSCAPE. This is not yet implemented in Linux.

On older CPUs

- Short loop: Clears BHB at kernel entry and VMexit. The "Long loop" is effective on older CPUs as well, but should be avoided because of unnecessary overhead.

On Alder Lake and newer CPUs, eIBRS isolates the indirect targets between guest and host. But when affected by the BHI variant of VMSCAPE, a guest's branch history may still influence indirect branches in userspace.
This also means the big hammer IBPB could be replaced with a cheaper option that clears the BHB at exit-to-userspace after a VMexit.

In preparation for adding the support for BHB sequence (without LFENCE) on newer CPUs, move the LFENCE to the caller side after clear_bhb_loop() is executed. This allows callers to decide whether they need the LFENCE or not. This does add a few extra bytes to the call sites, but it obviates the need for multiple variants of clear_bhb_loop().

Suggested-by: Dave Hansen
Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
---
 arch/x86/entry/entry_64.S | 5 ++++-
 arch/x86/include/asm/nospec-branch.h | 4 ++--
 arch/x86/net/bpf_jit_comp.c | 2 ++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index ed04a968cc7d0095ab0185b2e3b5beffb7680afd..886f86790b4467347031bc27d3d= 761d5cc286da1 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -1528,6 +1528,9 @@ SYM_CODE_END(rewind_stack_and_make_dead) * refactored in the future if needed. The .skips are for safety, to ensure * that all RETs are in the second half of a cacheline to mitigate Indirect * Target Selection, rather than taking the slowpath via its_return_thunk. + * + * Note, callers should use a speculation barrier like LFENCE immediately = after + * a call to this function to ensure BHB is cleared before indirect branch= es. */ SYM_FUNC_START(clear_bhb_loop) ANNOTATE_NOENDBR @@ -1562,7 +1565,7 @@ SYM_FUNC_START(clear_bhb_loop) sub $1, %ecx jnz 1b .Lret2: RET -5: lfence +5: pop %rbp RET SYM_FUNC_END(clear_bhb_loop) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 08ed5a2e46a5fd790bcb1b73feb6469518809c06..ec5ebf96dbb9e240f402f39efc6= 929ae45ec8f0b 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h
@@ -329,11 +329,11 @@ =20 #ifdef CONFIG_X86_64 .macro CLEAR_BRANCH_HISTORY - ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP + ALTERNATIVE "", "call clear_bhb_loop; lfence", X86_FEATURE_CLEAR_BHB_LOOP .endm =20 .macro CLEAR_BRANCH_HISTORY_VMEXIT - ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_VMEXIT + ALTERNATIVE "", "call clear_bhb_loop; lfence", X86_FEATURE_CLEAR_BHB_VMEX= IT .endm #else #define CLEAR_BRANCH_HISTORY diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index de5083cb1d3747bba00effca3703a4f6eea80d8d..c1ec14c559119b120edfac079ae= b07948e9844b8 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c 
@@ -1603,6 +1603,8 @@ static int emit_spectre_bhb_barrier(u8 **pprog, u8 *i= p, =20 if (emit_call(&prog, func, ip)) return -EINVAL; + /* Don't speculate past this until BHB is cleared */ + EMIT_LFENCE(); EMIT1(0x59); /* pop rcx */ EMIT1(0x58); /* pop rax */ } --=20 2.34.1
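Review bot: The comment added above clear_bhb_loop() in entry_64.S says callers "should" use a speculation barrier, but with "lfence" removed at label 5 nothing in the function enforces it, so a call site added later without a barrier would lose the ordering silently. Consider wording it as a requirement and naming the exception the commit message relies on (a ring transition that already serializes), so that any caller omitting the LFENCE documents why that is safe. At the call sites visible in this patch, both CLEAR_BRANCH_HISTORY macros and emit_spectre_bhb_barrier() place the LFENCE directly after the call, so their behaviour is unchanged.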
Date: Mon, 1 Dec 2025 22:19:14 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v6 2/9] x86/bhi: Make clear_bhb_loop() effective on newer CPUs
Message-ID: <20251201-vmscape-bhb-v6-2-d610dd515714@linux.intel.com>
References: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>

As a mitigation for BHI, clear_bhb_loop() executes branches that overwrite the Branch History Buffer (BHB). On Alder Lake and newer parts this sequence is not sufficient because it doesn't clear enough entries. This was not an issue because these CPUs have a hardware control (BHI_DIS_S) that mitigates BHI in kernel.

BHI variant of VMSCAPE requires isolating branch history between guests and userspace. Note that there is no equivalent hardware control for userspace. To effectively isolate branch history on newer CPUs, clear_bhb_loop() should execute a sufficient number of branches to clear a larger BHB.

Dynamically set the loop count of clear_bhb_loop() such that it is effective on newer CPUs too. Use the hardware control enumeration X86_FEATURE_BHI_CTRL to select the appropriate loop count.

Suggested-by: Dave Hansen
Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
---
 arch/x86/entry/entry_64.S | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 886f86790b4467347031bc27d3d761d5cc286da1..9f6f4a7c5baf1fe4e3ab18b11e2= 5e2fbcc77489d 100644 --- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S @@ -1536,7 +1536,11 @@ SYM_FUNC_START(clear_bhb_loop) ANNOTATE_NOENDBR push %rbp mov %rsp, %rbp - movl $5, %ecx + + /* loop count differs based on BHI_CTRL, see Intel's BHI guidance */ + ALTERNATIVE "movl $5, %ecx; movl $5, %edx", \ + "movl $12, %ecx; movl $7, %edx", X86_FEATURE_BHI_CTRL + ANNOTATE_INTRA_FUNCTION_CALL call 1f jmp 5f 
@@ -1557,7 +1561,7 @@ SYM_FUNC_START(clear_bhb_loop) * but some Clang versions (e.g. 18) don't like this. */ .skip 32 - 18, 0xcc -2: movl $5, %eax +2: movl %edx, %eax 3: jmp 4f nop 4: sub $1, %eax --=20 2.34.1
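Review bot: clear_bhb_loop() now writes %edx (the ALTERNATIVE loads it and "2: movl %edx, %eax" reads it), but the visible prologue still saves only %rbp. The JIT call site shown in patch 1/9, emit_spectre_bhb_barrier(), restores only rcx and rax after the call, so please confirm that every caller treats %edx as clobbered, or save and restore it inside the function, and list the clobbered registers in the function's comment. The counts 12 and 7 would also be easier to audit if the comment said which is the outer and which the inner loop count instead of only pointing at Intel's BHI guidance.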
Date: Mon, 1 Dec 2025 22:19:29 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v6 3/9] x86/vmscape: Rename x86_ibpb_exit_to_user to x86_predictor_flush_exit_to_user
Message-ID: <20251201-vmscape-bhb-v6-3-d610dd515714@linux.intel.com>
References: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>

With the upcoming changes x86_ibpb_exit_to_user will also be used when BHB clearing sequence is used. Rename it to cover both the cases.

No functional change.

Signed-off-by: Pawan Gupta
---
 arch/x86/include/asm/entry-common.h | 6 +++---
 arch/x86/include/asm/nospec-branch.h | 2 +-
 arch/x86/kernel/cpu/bugs.c | 4 ++--
 arch/x86/kvm/x86.c | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index ce3eb6d5fdf9f2dba59b7bad24afbfafc8c36918..c45858db16c92fc1364fb818185= fba7657840991 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h
@@ -94,11 +94,11 @@ static inline void arch_exit_to_user_mode_prepare(struc= t pt_regs *regs, */ choose_random_kstack_offset(rdtsc()); =20 - /* Avoid unnecessary reads of 'x86_ibpb_exit_to_user' */ + /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */ if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) && - this_cpu_read(x86_ibpb_exit_to_user)) { + this_cpu_read(x86_predictor_flush_exit_to_user)) { indirect_branch_prediction_barrier(); - this_cpu_write(x86_ibpb_exit_to_user, false); + this_cpu_write(x86_predictor_flush_exit_to_user, false); } } #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index ec5ebf96dbb9e240f402f39efc6929ae45ec8f0b..df60f9cf51b84e5b75e5db70713= 188d2e6ad0f5d 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -531,7 +531,7 @@ void alternative_msr_write(unsigned int msr, u64 val, u= nsigned int feature) : "memory"); } =20 -DECLARE_PER_CPU(bool, x86_ibpb_exit_to_user); +DECLARE_PER_CPU(bool, x86_predictor_flush_exit_to_user); =20 static inline void indirect_branch_prediction_barrier(void) { diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d7fa03bf51b4517c12cc68e7c441f7589a4983d1..1e9b11198db0fe2483bd17b1327= bcfd44a2c1dbf 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -113,8 +113,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current); * be needed to before running userspace. That IBPB will flush the branch * predictor content. */ -DEFINE_PER_CPU(bool, x86_ibpb_exit_to_user); -EXPORT_PER_CPU_SYMBOL_GPL(x86_ibpb_exit_to_user); +DEFINE_PER_CPU(bool, x86_predictor_flush_exit_to_user); +EXPORT_PER_CPU_SYMBOL_GPL(x86_predictor_flush_exit_to_user); =20 u64 x86_pred_cmd __ro_after_init =3D PRED_CMD_IBPB; =20 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index c9c2aa6f4705e1ae257bf94572967a5724a940a7..60123568fba85c8a445f9220d3f= 4a1d11fd0eb77 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -11397,7 +11397,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) * may migrate to. */ if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER)) - this_cpu_write(x86_ibpb_exit_to_user, true); + this_cpu_write(x86_predictor_flush_exit_to_user, true); =20 /* * Consume any pending interrupts, including the possible source of --=20 2.34.1
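Review bot: In the bugs.c hunk the per-CPU variable becomes x86_predictor_flush_exit_to_user, but the comment directly above it still ends with "That IBPB will flush the branch predictor content", and the guards in entry-common.h and x86.c still test X86_FEATURE_IBPB_EXIT_TO_USER. Since the rename exists to cover the BHB-clearing case as well, update that comment to describe a predictor flush in general, or state in the commit message that the remaining IBPB naming is dealt with later in the series.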
Date: Mon, 1 Dec 2025 22:19:44 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v6 4/9] x86/vmscape: Move mitigation selection to a switch()
Message-ID: <20251201-vmscape-bhb-v6-4-d610dd515714@linux.intel.com>
References: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>

This ensures that all mitigation modes are explicitly handled, while keeping the mitigation selection for each mode together. This also prepares for adding BHB-clearing mitigation mode for VMSCAPE.

Signed-off-by: Pawan Gupta
Reviewed-by: Nikolay Borisov
---
 arch/x86/kernel/cpu/bugs.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 1e9b11198db0fe2483bd17b1327bcfd44a2c1dbf..71865b9d2c5c18cd0cf3cb8bbf0= 7d1576cd20498 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c
@@ -3231,17 +3231,33 @@ early_param("vmscape", vmscape_parse_cmdline); =20 static void __init vmscape_select_mitigation(void) { - if (!boot_cpu_has_bug(X86_BUG_VMSCAPE) || - !boot_cpu_has(X86_FEATURE_IBPB)) { + if (!boot_cpu_has_bug(X86_BUG_VMSCAPE)) { vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; return; } =20 - if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_AUTO) { - if (should_mitigate_vuln(X86_BUG_VMSCAPE)) + if ((vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_AUTO) && + !should_mitigate_vuln(X86_BUG_VMSCAPE)) + vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; + + switch (vmscape_mitigation) { + case VMSCAPE_MITIGATION_NONE: + break; + + case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER: + if (!boot_cpu_has(X86_FEATURE_IBPB)) + vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; + break; + + case VMSCAPE_MITIGATION_AUTO: + if (boot_cpu_has(X86_FEATURE_IBPB)) vmscape_mitigation =3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER; else vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; + break; + + default: + break; } } =20 --=20 2.34.1
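Review bot: The "default: break;" arm changes behaviour for any mode not listed in the switch: the removed code forced VMSCAPE_MITIGATION_NONE whenever X86_FEATURE_IBPB was missing, whatever the mode, while the new code applies that check only under VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER and VMSCAPE_MITIGATION_AUTO. Assuming vmscape_mitigation has an enum type, a default arm also keeps the compiler from warning when a new enumerator is left unhandled, which works against the stated goal that all modes are explicitly handled. Suggest adding a case for each remaining mode with its own IBPB check and dropping "default:".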
Date: Mon, 1 Dec 2025 22:19:59 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v6 5/9] x86/vmscape: Use write_ibpb() instead of indirect_branch_prediction_barrier()
Message-ID: <20251201-vmscape-bhb-v6-5-d610dd515714@linux.intel.com>
References: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>

indirect_branch_prediction_barrier() is a wrapper to write_ibpb(), which also checks if the CPU supports IBPB. For VMSCAPE, call to indirect_branch_prediction_barrier() is only possible when CPU supports IBPB.

Simply call write_ibpb() directly to avoid unnecessary alternative patching.

Suggested-by: Dave Hansen
Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
---
 arch/x86/include/asm/entry-common.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index c45858db16c92fc1364fb818185fba7657840991..78b143673ca72642149eb2dbf3e= 3e31370fe6b28 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h
@@ -97,7 +97,7 @@ static inline void arch_exit_to_user_mode_prepare(struct = pt_regs *regs, /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */ if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) && this_cpu_read(x86_predictor_flush_exit_to_user)) { - indirect_branch_prediction_barrier(); + write_ibpb(); this_cpu_write(x86_predictor_flush_exit_to_user, false); } } --=20 2.34.1
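Review bot: The bare "write_ibpb();" call is correct only as long as X86_FEATURE_IBPB_EXIT_TO_USER is never set on a CPU without IBPB; the commit message says so, but nothing at the call site does, and the wrapper that checked for IBPB support is what this hunk removes. A one-line comment above the call naming that invariant would help, since the only visible enforcement is the selection in patch 4/9 dropping the IBPB mode to VMSCAPE_MITIGATION_NONE when X86_FEATURE_IBPB is absent, and a later change there could otherwise issue the barrier on hardware that lacks it.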
Date: Mon, 1 Dec 2025 22:20:14 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v6 6/9] x86/vmscape: Use static_call() for predictor flush
Message-ID: <20251201-vmscape-bhb-v6-6-d610dd515714@linux.intel.com>
References: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>
In-Reply-To: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>

Adding more mitigation options at exit-to-userspace for VMSCAPE would usually require a series of checks to decide which mitigation to use. In this case, the mitigation is done by calling a function, which is decided at boot. So, adding more feature flags and multiple checks can be avoided by using static_call() to the mitigating function.

Replace the flag-based mitigation selector with a static_call(). This also frees the existing X86_FEATURE_IBPB_EXIT_TO_USER.

Suggested-by: Dave Hansen
Signed-off-by: Pawan Gupta
Reviewed-by: Nikolay Borisov
---
 arch/x86/Kconfig | 1 +
 arch/x86/include/asm/cpufeatures.h | 2 +-
 arch/x86/include/asm/entry-common.h | 7 +++----
 arch/x86/include/asm/nospec-branch.h | 3 +++
 arch/x86/kernel/cpu/bugs.c | 5 ++++-
 arch/x86/kvm/x86.c | 2 +-
 6 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index fa3b616af03a2d50eaf5f922bc8cd4e08a284045..066f62f15e67e85fda0f3fd66ac= abad9a9794ff8 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -2706,6 +2706,7 @@ config MITIGATION_TSA config MITIGATION_VMSCAPE bool "Mitigate VMSCAPE" depends on KVM + select HAVE_STATIC_CALL default y help Enable mitigation for VMSCAPE attacks. VMSCAPE is a hardware security diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 4091a776e37aaed67ca93b0a0cd23cc25dbc33d4..02871318c999f94ec8557e5fb0b= 8fb299960d454 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -496,7 +496,7 @@ #define X86_FEATURE_TSA_SQ_NO (21*32+11) /* AMD CPU not vulnerable to TSA= -SQ */ #define X86_FEATURE_TSA_L1_NO (21*32+12) /* AMD CPU not vulnerable to TSA= -L1 */ #define X86_FEATURE_CLEAR_CPU_BUF_VM (21*32+13) /* Clear CPU buffers using= VERW before VMRUN */ -#define X86_FEATURE_IBPB_EXIT_TO_USER (21*32+14) /* Use IBPB on exit-to-us= erspace, see VMSCAPE bug */ +/* Free */ #define X86_FEATURE_ABMC (21*32+15) /* Assignable Bandwidth Monitoring Co= unters */ #define X86_FEATURE_MSR_IMM (21*32+16) /* MSR immediate form instructions= */ =20 diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index 78b143673ca72642149eb2dbf3e3e31370fe6b28..783e7cb50caeb6c6fc68e0a5c75= ab43e75e37116 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h @@ -4,6 +4,7 @@ =20 #include #include +#include =20 #include #include @@ -94,10 +95,8 @@ static inline void arch_exit_to_user_mode_prepare(struct= pt_regs *regs, */ choose_random_kstack_offset(rdtsc()); =20 - /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */ - if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) && - this_cpu_read(x86_predictor_flush_exit_to_user)) { - write_ibpb(); + if (unlikely(this_cpu_read(x86_predictor_flush_exit_to_user))) { + static_call_cond(vmscape_predictor_flush)(); this_cpu_write(x86_predictor_flush_exit_to_user, false); } } 
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index df60f9cf51b84e5b75e5db70713188d2e6ad0f5d..15a2fa8f2f48a066e102263513e= ff9537ac1d25f 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -540,6 +540,9 @@ static inline void indirect_branch_prediction_barrier(v= oid) :: "rax", "rcx", "rdx", "memory"); } =20 +#include +DECLARE_STATIC_CALL(vmscape_predictor_flush, write_ibpb); + /* The Intel SPEC CTRL MSR base value cache */ extern u64 x86_spec_ctrl_base; DECLARE_PER_CPU(u64, x86_spec_ctrl_current); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 71865b9d2c5c18cd0cf3cb8bbf07d1576cd20498..71a35a153c1eb852438d533fc8a= d76eefaca3219 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -200,6 +200,9 @@ DEFINE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush); DEFINE_STATIC_KEY_FALSE(cpu_buf_vm_clear); EXPORT_SYMBOL_GPL(cpu_buf_vm_clear); =20 +DEFINE_STATIC_CALL_NULL(vmscape_predictor_flush, write_ibpb); +EXPORT_STATIC_CALL_GPL(vmscape_predictor_flush); + #undef pr_fmt #define pr_fmt(fmt) "mitigations: " fmt =20 @@ -3276,7 +3279,7 @@ static void __init vmscape_update_mitigation(void) static void __init vmscape_apply_mitigation(void) { if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER) - setup_force_cpu_cap(X86_FEATURE_IBPB_EXIT_TO_USER); + static_call_update(vmscape_predictor_flush, write_ibpb); } =20 #undef pr_fmt diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 60123568fba85c8a445f9220d3f4a1d11fd0eb77..7e55ef3b3203a26be1a138c8fa8= 38a8c5aae0125 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -11396,7 +11396,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) * set for the CPU that actually ran the guest, and not the CPU that it * may migrate to. */ - if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER)) + if (static_call_query(vmscape_predictor_flush)) this_cpu_write(x86_predictor_flush_exit_to_user, true); =20 /* --=20 2.34.1
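Review bot: "select HAVE_STATIC_CALL" under MITIGATION_VMSCAPE in arch/x86/Kconfig selects an architecture capability symbol from a user-selectable mitigation option. HAVE_* symbols normally state what the architecture implements rather than what a feature wants: if x86 already provides static calls this line is redundant, and if some configuration does not, selecting the symbol will not make the implementation appear. Either drop the select or say in the commit message which configuration needs it.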
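Review bot: in the entry-common.h hunk, the per-CPU read of x86_predictor_flush_exit_to_user in arch_exit_to_user_mode_prepare() is now unconditional on every exit to user mode. The removed lines gated it behind cpu_feature_enabled() under the comment "Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user'", so systems with the mitigation off now pay for the read the old code was written to avoid. The commit message should state that this cost is accepted (the unlikely() hint suggests it is), or the read could stay behind a boot-time patched check.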
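Review bot: EXPORT_STATIC_CALL_GPL(vmscape_predictor_flush) in bugs.c exports the static call key as well as the trampoline, which allows any GPL module to call static_call_update() on the mitigation hook. The only module-side use in this patch is the static_call_query() in vcpu_enter_guest(), which is a read. Exposing a small helper that reports whether a flush is configured, and leaving the key unexported, would keep retargeting of the predictor flush inside bugs.c.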
Date: Mon, 1 Dec 2025 22:20:31 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v6 7/9] x86/vmscape: Deploy BHB clearing mitigation
Message-ID: <20251201-vmscape-bhb-v6-7-d610dd515714@linux.intel.com>
References: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>
In-Reply-To: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>

IBPB mitigation for VMSCAPE is overkill on CPUs that are only affected by the BHI variant of VMSCAPE. On such CPUs, eIBRS already provides indirect branch isolation between guest and host userspace. However, branch history from the guest may also influence the indirect branches in host userspace.

To mitigate the BHI aspect, use clear_bhb_loop().

Signed-off-by: Pawan Gupta
Reviewed-by: Nikolay Borisov
---
 Documentation/admin-guide/hw-vuln/vmscape.rst | 4 ++++
 arch/x86/include/asm/nospec-branch.h | 2 ++
 arch/x86/kernel/cpu/bugs.c | 26 +++++++++++++++++++-------
 3 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst b/Documentation/= admin-guide/hw-vuln/vmscape.rst index d9b9a2b6c114c05a7325e5f3c9d42129339b870b..dc63a0bac03d43d1e295de0791d= d6497d101f986 100644 --- a/Documentation/admin-guide/hw-vuln/vmscape.rst +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst
@@ -86,6 +86,10 @@ The possible values in this file are: run a potentially malicious guest and issues an IBPB before the first exit to userspace after VM-exit. =20 + * 'Mitigation: Clear BHB before exit to userspace': + + As above, conditional BHB clearing mitigation is enabled. + * 'Mitigation: IBPB on VMEXIT': =20 IBPB is issued on every VM-exit. This occurs when other mitigations like diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 15a2fa8f2f48a066e102263513eff9537ac1d25f..1e8c26c37dbed4256b35101fb41= c0e1eb6ef9272 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -388,6 +388,8 @@ extern void write_ibpb(void); =20 #ifdef CONFIG_X86_64 extern void clear_bhb_loop(void); +#else +static inline void clear_bhb_loop(void) {} #endif =20 extern void (*x86_return_thunk)(void); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 71a35a153c1eb852438d533fc8ad76eefaca3219..61c3b4ae131f39fd716a54ba46d= 255844b1bb609 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -109,9 +109,8 @@ DEFINE_PER_CPU(u64, x86_spec_ctrl_current); EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current); =20 /* - * Set when the CPU has run a potentially malicious guest. An IBPB will - * be needed to before running userspace. That IBPB will flush the branch - * predictor content. + * Set when the CPU has run a potentially malicious guest. Indicates that a + * branch predictor flush is needed before running userspace. */ DEFINE_PER_CPU(bool, x86_predictor_flush_exit_to_user); EXPORT_PER_CPU_SYMBOL_GPL(x86_predictor_flush_exit_to_user); 
@@ -3200,13 +3199,15 @@ enum vmscape_mitigations { VMSCAPE_MITIGATION_AUTO, VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER, VMSCAPE_MITIGATION_IBPB_ON_VMEXIT, + VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER, }; =20 static const char * const vmscape_strings[] =3D { - [VMSCAPE_MITIGATION_NONE] =3D "Vulnerable", + [VMSCAPE_MITIGATION_NONE] =3D "Vulnerable", /* [VMSCAPE_MITIGATION_AUTO] */ - [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] =3D "Mitigation: IBPB before exit = to userspace", - [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT", + [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] =3D "Mitigation: IBPB before exit= to userspace", + [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT", + [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] =3D "Mitigation: Clear BHB be= fore exit to userspace", }; =20 static enum vmscape_mitigations vmscape_mitigation __ro_after_init =3D @@ -3253,7 +3254,15 @@ static void __init vmscape_select_mitigation(void) break; =20 case VMSCAPE_MITIGATION_AUTO: - if (boot_cpu_has(X86_FEATURE_IBPB)) + /* + * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use BHB + * clear sequence. These CPUs are only vulnerable to the BHI variant + * of the VMSCAPE attack and does not require an IBPB flush. In + * 32-bit mode BHB clear sequence is not supported. + */ + if (boot_cpu_has(X86_FEATURE_BHI_CTRL) && IS_ENABLED(CONFIG_X86_64)) + vmscape_mitigation =3D VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER; + else if (boot_cpu_has(X86_FEATURE_IBPB)) vmscape_mitigation =3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER; else vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; @@ -3280,6 +3289,8 @@ static void __init vmscape_apply_mitigation(void) { if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER) static_call_update(vmscape_predictor_flush, write_ibpb); + else if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_U= SER) + static_call_update(vmscape_predictor_flush, clear_bhb_loop); } =20 #undef pr_fmt 
@@ -3371,6 +3382,7 @@ void cpu_bugs_smt_update(void) break; case VMSCAPE_MITIGATION_IBPB_ON_VMEXIT: case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER: + case VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER: /* * Hypervisors can be attacked across-threads, warn for SMT when * STIBP is not already enabled system-wide. --=20 2.34.1
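Review bot: the new vmscape.rst entry 'Mitigation: Clear BHB before exit to userspace' is documented only as "As above, conditional BHB clearing mitigation is enabled", which leaves the reader to infer the behaviour from the IBPB entry before it. Suggest spelling out that the kernel tracks when a CPU has run a potentially malicious guest and clears the branch history before the first exit to userspace after VM-exit, and noting that this mode is chosen on CPUs with BHI_CTRL running a 64-bit kernel.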
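Review bot: the 32-bit stub "static inline void clear_bhb_loop(void) {}" added to nospec-branch.h turns the mitigation into a silent no-op. vmscape_select_mitigation() avoids it today through the IS_ENABLED(CONFIG_X86_64) test, but vmscape_apply_mitigation() installs clear_bhb_loop for VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER with no such check, so any later path that selects this mode on 32-bit would report "Mitigation: Clear BHB before exit to userspace" while clearing nothing. Consider guarding the static_call_update() with IS_ENABLED(CONFIG_X86_64), or warning there, instead of relying on the empty stub.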
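Review bot: the comment added under "case VMSCAPE_MITIGATION_AUTO:" in vmscape_select_mitigation() has a grammar slip and a missing space. "These CPUs are only vulnerable to the BHI variant ... and does not require an IBPB flush" should read "do not require", and "BHI_CTRL(ADL and newer)" wants a space before the parenthesis. It would also help to state there that a 32-bit kernel on such a CPU falls through to the IBPB branch, since that is what the else-if does.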
Date: Mon, 1 Dec 2025 22:20:46 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v6 8/9] x86/vmscape: Fix conflicting attack-vector controls with =force
Message-ID: <20251201-vmscape-bhb-v6-8-d610dd515714@linux.intel.com>
References: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>
In-Reply-To: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>

The vmscape=force option currently defaults to AUTO mitigation. This is not correct because attack-vector controls override a mitigation in AUTO mode. This prevents a user from being able to force VMSCAPE mitigation when it conflicts with attack-vector controls.

The kernel should deploy a forced mitigation irrespective of attack vectors. Instead of AUTO, use VMSCAPE_MITIGATION_ON that wins over attack-vector controls.

Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
---
 arch/x86/kernel/cpu/bugs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 61c3b4ae131f39fd716a54ba46d255844b1bb609..58cd26e4f4c385a10230912666c= 02dbb05e71cba 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -3197,6 +3197,7 @@ static void __init srso_apply_mitigation(void) enum vmscape_mitigations { VMSCAPE_MITIGATION_NONE, VMSCAPE_MITIGATION_AUTO, + VMSCAPE_MITIGATION_ON, VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER, VMSCAPE_MITIGATION_IBPB_ON_VMEXIT, VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER,
@@ -3205,6 +3206,7 @@ enum vmscape_mitigations { static const char * const vmscape_strings[] =3D { [VMSCAPE_MITIGATION_NONE] =3D "Vulnerable", /* [VMSCAPE_MITIGATION_AUTO] */ + /* [VMSCAPE_MITIGATION_ON] */ [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] =3D "Mitigation: IBPB before exit= to userspace", [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT", [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] =3D "Mitigation: Clear BHB be= fore exit to userspace", @@ -3224,7 +3226,7 @@ static int __init vmscape_parse_cmdline(char *str) vmscape_mitigation =3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER; } else if (!strcmp(str, "force")) { setup_force_cpu_bug(X86_BUG_VMSCAPE); - vmscape_mitigation =3D VMSCAPE_MITIGATION_AUTO; + vmscape_mitigation =3D VMSCAPE_MITIGATION_ON; } else { pr_err("Ignoring unknown vmscape=3D%s option.\n", str); } @@ -3254,6 +3256,7 @@ static void __init vmscape_select_mitigation(void) break; =20 case VMSCAPE_MITIGATION_AUTO: + case VMSCAPE_MITIGATION_ON: /* * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use BHB * clear sequence. These CPUs are only vulnerable to the BHI variant 
@@ -3379,6 +3382,7 @@ void cpu_bugs_smt_update(void) switch (vmscape_mitigation) { case VMSCAPE_MITIGATION_NONE: case VMSCAPE_MITIGATION_AUTO: + case VMSCAPE_MITIGATION_ON: break; case VMSCAPE_MITIGATION_IBPB_ON_VMEXIT: case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER: --=20 2.34.1
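Review bot: VMSCAPE_MITIGATION_ON is added to enum vmscape_mitigations without a comment, and in the hunks shown it is handled exactly like VMSCAPE_MITIGATION_AUTO: the same case in vmscape_select_mitigation(), the same break in cpu_bugs_smt_update(), and the same commented-out slot in vmscape_strings[]. The commit message says ON wins over attack-vector controls, but the code that makes the two values differ lies outside the visible context. A one-line comment on the enum value, for example "like AUTO, but not overridden by attack-vector controls", would make the distinction clear where it is defined.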
Date: Mon, 1 Dec 2025 22:21:02 -0800
From: Pawan Gupta
To: x86@kernel.org, David Kaplan, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang
Subject: [PATCH v6 9/9] x86/vmscape: Add cmdline vmscape=on to override attack vector controls
Message-ID: <20251201-vmscape-bhb-v6-9-d610dd515714@linux.intel.com>
References: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>
In-Reply-To: <20251201-vmscape-bhb-v6-0-d610dd515714@linux.intel.com>

In general, individual mitigation controls can be used to override the attack vector controls. But nothing exists to select the BHB clearing mitigation for VMSCAPE. The =force option comes close, but with a side-effect of also forcibly setting the bug, hence deploying the mitigation on unaffected parts too.

Add a new cmdline option vmscape=on to enable the mitigation based on the VMSCAPE variant the CPU is affected by.

Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
---
 Documentation/admin-guide/hw-vuln/vmscape.rst | 4 ++++
 Documentation/admin-guide/kernel-parameters.txt | 4 +++-
 arch/x86/kernel/cpu/bugs.c | 2 ++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst b/Documentation/= admin-guide/hw-vuln/vmscape.rst index dc63a0bac03d43d1e295de0791dd6497d101f986..580f288ae8bfc601ff000d6d95d= 711bb9084459e 100644 --- a/Documentation/admin-guide/hw-vuln/vmscape.rst +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst
@@ -112,3 +112,7 @@ The mitigation can be controlled via the ``vmscape=3D``= command line parameter: =20 Force vulnerability detection and mitigation even on processors that are not known to be affected. + + * ``vmscape=3Don``: + + Choose the mitigation based on the VMSCAPE variant the CPU is affected = by. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index 6c42061ca20e581b5192b66c6f25aba38d4f8ff8..d2ccec6e10f3ea094c01083d4c1= 33b837c7fc7d7 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -8104,9 +8104,11 @@ =20 off - disable the mitigation ibpb - use Indirect Branch Prediction Barrier - (IBPB) mitigation (default) + (IBPB) mitigation force - force vulnerability detection even on unaffected processors + on - (default) selects IBPB or BHB clear + mitigation based on CPU =20 vsyscall=3D [X86-64,EARLY] Controls the behavior of vsyscalls (i.e. calls to diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 58cd26e4f4c385a10230912666c02dbb05e71cba..5870bb67baf3bb54be80a7c193c= 26b6f6eb246d5 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -3227,6 +3227,8 @@ static int __init vmscape_parse_cmdline(char *str) } else if (!strcmp(str, "force")) { setup_force_cpu_bug(X86_BUG_VMSCAPE); vmscape_mitigation =3D VMSCAPE_MITIGATION_ON; + } else if (!strcmp(str, "on")) { + vmscape_mitigation =3D VMSCAPE_MITIGATION_ON; } else { pr_err("Ignoring unknown vmscape=3D%s option.\n", str); } --=20 2.34.1
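Review bot: the ``vmscape=on`` entry added to vmscape.rst says only that the mitigation is chosen by the VMSCAPE variant the CPU is affected by, and omits the reason the option exists. Per the subject and commit message, "on" enables the mitigation even when attack-vector controls would turn it off, without forcing the bug on unaffected parts the way "force" does. The documentation should say both, so an administrator can tell "on" from the default and from "force".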
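Review bot: the kernel-parameters.txt hunk moves "(default)" from the ibpb entry to the new "on" entry, but vmscape_parse_cmdline() sets VMSCAPE_MITIGATION_ON only when "on" or "force" is passed, and the series describes ON as overriding attack-vector controls. If booting without the parameter still leaves the mitigation in AUTO, which attack-vector controls can override, then "on" is not the default and the text should describe the default behaviour separately. The entry is also appended after "force"; placing it next to "off" would read more naturally.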