Date: Wed, 22 Apr 2026 23:14:59 -0700
From: Pawan Gupta
To: x86@kernel.org, Jon Kohler, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, David Kaplan, Sean Christopherson, Borislav Petkov, Dave Hansen, Peter Zijlstra, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, KP Singh, Jiri Olsa, "David S. Miller", David Laight, Andy Lutomirski, Thomas Gleixner, Ingo Molnar, David Ahern, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, Stanislav Fomichev, Hao Luo, Paolo Bonzini, Jonathan Corbet, Jason Baron, Alice Ryhl, Steven Rostedt, Ard Biesheuvel, Shuah Khan
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [PATCH v11 01/12] x86/bhi: x86/vmscape: Move LFENCE out of clear_bhb_loop()
Message-ID: <20260422-vmscape-bhb-v11-1-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

Currently, the BHB clearing sequence is followed by an LFENCE to prevent
transient execution of subsequent indirect branches prematurely. However,
the LFENCE barrier could be unnecessary in certain cases. For example, when
the kernel is using the BHI_DIS_S mitigation, and BHB clearing is only
needed for userspace. In such cases, the LFENCE is redundant because ring
transitions would provide the necessary serialization.

Below is a quick recap of BHI mitigation options:

  On Alder Lake and newer

  BHI_DIS_S: Hardware control to mitigate BHI in ring0. This has low
             performance overhead.
  Long loop: Alternatively, a longer version of the BHB clearing sequence
             can be used to mitigate BHI. It can also be used to mitigate
             the BHI variant of VMSCAPE. This is not yet implemented in
             Linux.

  On older CPUs

  Short loop: Clears BHB at kernel entry and VMexit. The "Long loop" is
              effective on older CPUs as well, but should be avoided
              because of unnecessary overhead.

On Alder Lake and newer CPUs, eIBRS isolates the indirect targets between
guest and host. But when affected by the BHI variant of VMSCAPE, a guest's
branch history may still influence indirect branches in userspace. This
also means the big hammer IBPB could be replaced with a cheaper option that
clears the BHB at exit-to-userspace after a VMexit.

In preparation for adding the support for the BHB sequence (without LFENCE)
on newer CPUs, move the LFENCE to the caller side after clear_bhb_loop() is
executed. Allow callers to decide whether they need the LFENCE or not. This
adds a few extra bytes to the call sites, but it obviates the need for
multiple variants of clear_bhb_loop().

Suggested-by: Dave Hansen
Tested-by: Jon Kohler
Reviewed-by: Nikolay Borisov
Acked-by: Borislav Petkov (AMD)
Signed-off-by: Pawan Gupta
---
 arch/x86/entry/entry_64.S | 5 ++++-
 arch/x86/include/asm/nospec-branch.h | 4 ++--
 arch/x86/net/bpf_jit_comp.c | 2 ++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 42447b1e1dff..3a180a36ca0e 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -1528,6 +1528,9 @@ SYM_CODE_END(rewind_stack_and_make_dead) * refactored in the future if needed. The .skips are for safety, to ensure * that all RETs are in the second half of a cacheline to mitigate Indirect * Target Selection, rather than taking the slowpath via its_return_thunk. + * + * Note, callers should use a speculation barrier like LFENCE immediately = after + * a call to this function to ensure BHB is cleared before indirect branch= es. */ SYM_FUNC_START(clear_bhb_loop) ANNOTATE_NOENDBR
@@ -1562,7 +1565,7 @@ SYM_FUNC_START(clear_bhb_loop) sub $1, %ecx jnz 1b .Lret2: RET -5: lfence +5: pop %rbp RET SYM_FUNC_END(clear_bhb_loop) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 4f4b5e8a1574..70b377fcbc1c 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -331,11 +331,11 @@ =20 #ifdef CONFIG_X86_64 .macro CLEAR_BRANCH_HISTORY - ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_LOOP + ALTERNATIVE "", "call clear_bhb_loop; lfence", X86_FEATURE_CLEAR_BHB_LOOP .endm =20 .macro CLEAR_BRANCH_HISTORY_VMEXIT - ALTERNATIVE "", "call clear_bhb_loop", X86_FEATURE_CLEAR_BHB_VMEXIT + ALTERNATIVE "", "call clear_bhb_loop; lfence", X86_FEATURE_CLEAR_BHB_VMEX= IT .endm #else #define CLEAR_BRANCH_HISTORY diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index e9b78040d703..63d6c9fa5e80 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c 
@@ -1624,6 +1624,8 @@ static int emit_spectre_bhb_barrier(u8 **pprog, u8 *i= p, =20 if (emit_call(&prog, func, ip)) return -EINVAL; + /* Don't speculate past this until BHB is cleared */ + EMIT_LFENCE(); EMIT1(0x59); /* pop rcx */ EMIT1(0x58); /* pop rax */ } --=20 2.34.1
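Review bot: The new comment above clear_bhb_loop() in entry_64.S says callers "should use a speculation barrier like LFENCE immediately after a call to this function", but the changelog's reason for moving the fence is that some callers will not need one because a ring transition provides the serialization. State that exception in the comment as well, so the rule a future caller reads at the function is "LFENCE, unless the next indirect branch is only reached after a serializing ring transition" rather than an open-ended "should". As posted, both macros in nospec-branch.h and the BPF JIT add the fence, so this comment is the only place the new contract is recorded.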

Date: Wed, 22 Apr 2026 23:15:15 -0700
From: Pawan Gupta
Subject: [PATCH v11 02/12] x86/bhi: Make clear_bhb_loop() effective on newer CPUs
Message-ID: <20260422-vmscape-bhb-v11-2-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

As a mitigation for BHI, clear_bhb_loop() executes branches that overwrite
the Branch History Buffer (BHB). On Alder Lake and newer parts this
sequence is not sufficient because it doesn't clear enough entries. This
was not an issue because these CPUs use the BHI_DIS_S hardware mitigation
in the kernel.

Now with VMSCAPE (BHI variant) it is also required to isolate branch
history between guests and userspace. Since BHI_DIS_S only protects the
kernel, the newer CPUs also use IBPB.

A cheaper alternative to the current IBPB mitigation is clear_bhb_loop().
But it currently does not clear enough BHB entries to be effective on newer
CPUs with larger BHB. At boot, dynamically set the loop count of
clear_bhb_loop() such that it is effective on newer CPUs too. Introduce
global loop counts, initializing them with appropriate value based on the
hardware feature X86_FEATURE_BHI_CTRL.

Suggested-by: Dave Hansen
Signed-off-by: Pawan Gupta
Acked-by: Borislav Petkov (AMD)
---
 arch/x86/entry/entry_64.S | 8 +++++---
 arch/x86/include/asm/nospec-branch.h | 2 ++
 arch/x86/kernel/cpu/bugs.c | 13 +++++++++++++
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 3a180a36ca0e..bbd4b1c7ec04 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -1536,7 +1536,9 @@ SYM_FUNC_START(clear_bhb_loop) ANNOTATE_NOENDBR push %rbp mov %rsp, %rbp - movl $5, %ecx + + movzbl bhb_seq_outer_loop(%rip), %ecx + ANNOTATE_INTRA_FUNCTION_CALL call 1f jmp 5f @@ -1556,8 +1558,8 @@ SYM_FUNC_START(clear_bhb_loop) * This should be ideally be: .skip 32 - (.Lret2 - 2f), 0xcc * but some Clang versions (e.g. 18) don't like this. */ - .skip 32 - 18, 0xcc -2: movl $5, %eax + .skip 32 - 20, 0xcc +2: movzbl bhb_seq_inner_loop(%rip), %eax 3: jmp 4f nop 4: sub $1, %eax diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 70b377fcbc1c..87b83ae7c97f 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -548,6 +548,8 @@ DECLARE_PER_CPU(u64, x86_spec_ctrl_current); extern void update_spec_ctrl_cond(u64 val); extern u64 spec_ctrl_current(void); =20 +extern u8 bhb_seq_inner_loop, bhb_seq_outer_loop; + /* * With retpoline, we must use IBRS to restrict branch prediction * before calling into firmware. diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 83f51cab0b1e..2cb4a96247d8 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c
@@ -2047,6 +2047,10 @@ enum bhi_mitigations { static enum bhi_mitigations bhi_mitigation __ro_after_init =3D IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI) ? BHI_MITIGATION_AUTO : BHI_MIT= IGATION_OFF; =20 +/* Default to short BHB sequence values */ +u8 bhb_seq_outer_loop __ro_after_init =3D 5; +u8 bhb_seq_inner_loop __ro_after_init =3D 5; + static int __init spectre_bhi_parse_cmdline(char *str) { if (!str) 
@@ -3242,6 +3246,15 @@ void __init cpu_select_mitigations(void) x86_spec_ctrl_base &=3D ~SPEC_CTRL_MITIGATIONS_MASK; } =20 + /* + * Switch to long BHB clear sequence on newer CPUs (with BHI_CTRL + * support), see Intel's BHI guidance. + */ + if (cpu_feature_enabled(X86_FEATURE_BHI_CTRL)) { + bhb_seq_outer_loop =3D 12; + bhb_seq_inner_loop =3D 7; + } + x86_arch_cap_msr =3D x86_read_arch_cap_msr(); =20 cpu_print_attack_vectors(); --=20 2.34.1
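Review bot: The padding in the second entry_64.S hunk is adjusted by hand from ".skip 32 - 18, 0xcc" to ".skip 32 - 20, 0xcc" to track the longer "movzbl bhb_seq_inner_loop(%rip), %eax". The comment right above it already says the value should be "32 - (.Lret2 - 2f)"; now that the constant depends on the encoded length of a RIP-relative load, add a build-time check, or at least a comment naming the instruction the 20 accounts for, so a later edit to the loop body cannot silently move .Lret2 out of the second half of the cacheline that the function's header comment requires.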
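Review bot: The cpu_select_mitigations() hunk in bugs.c hard-codes "bhb_seq_outer_loop = 12" and "bhb_seq_inner_loop = 7" with only "see Intel's BHI guidance" as justification. Give the 5/5 and 12/7 pairs named constants and say in the comment what the counts are sized for. Also spell out what is intended when X86_FEATURE_BHI_CTRL is not set on a CPU with the larger BHB: the defaults then stay at the short 5/5 sequence, which the changelog says does not clear enough entries on those parts.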

Date: Wed, 22 Apr 2026 23:15:32 -0700
From: Pawan Gupta
Subject: [PATCH v11 03/12] x86/bhi: Rename clear_bhb_loop() to clear_bhb_loop_nofence()
Message-ID: <20260422-vmscape-bhb-v11-3-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

To reflect the recent change that moved LFENCE to the caller side.

Suggested-by: Borislav Petkov
Reviewed-by: Nikolay Borisov
Tested-by: Jon Kohler
Signed-off-by: Pawan Gupta
---
 arch/x86/entry/entry_64.S | 8 ++++----
 arch/x86/include/asm/nospec-branch.h | 6 +++---
 arch/x86/net/bpf_jit_comp.c | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index bbd4b1c7ec04..1f56d086d312 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S
@@ -1532,7 +1532,7 @@ SYM_CODE_END(rewind_stack_and_make_dead) * Note, callers should use a speculation barrier like LFENCE immediately = after * a call to this function to ensure BHB is cleared before indirect branch= es. */ -SYM_FUNC_START(clear_bhb_loop) +SYM_FUNC_START(clear_bhb_loop_nofence) ANNOTATE_NOENDBR push %rbp mov %rsp, %rbp @@ -1570,6 +1570,6 @@ SYM_FUNC_START(clear_bhb_loop) 5: pop %rbp RET -SYM_FUNC_END(clear_bhb_loop) -EXPORT_SYMBOL_FOR_KVM(clear_bhb_loop) -STACK_FRAME_NON_STANDARD(clear_bhb_loop) +SYM_FUNC_END(clear_bhb_loop_nofence) +EXPORT_SYMBOL_FOR_KVM(clear_bhb_loop_nofence) +STACK_FRAME_NON_STANDARD(clear_bhb_loop_nofence) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 87b83ae7c97f..157eb69c7f0f 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -331,11 +331,11 @@ =20 #ifdef CONFIG_X86_64 .macro CLEAR_BRANCH_HISTORY - ALTERNATIVE "", "call clear_bhb_loop; lfence", X86_FEATURE_CLEAR_BHB_LOOP + ALTERNATIVE "", "call clear_bhb_loop_nofence; lfence", X86_FEATURE_CLEAR_= BHB_LOOP .endm =20 .macro CLEAR_BRANCH_HISTORY_VMEXIT - ALTERNATIVE "", "call clear_bhb_loop; lfence", X86_FEATURE_CLEAR_BHB_VMEX= IT + ALTERNATIVE "", "call clear_bhb_loop_nofence; lfence", X86_FEATURE_CLEAR_= BHB_VMEXIT .endm #else #define CLEAR_BRANCH_HISTORY @@ -389,7 +389,7 @@ extern void entry_untrain_ret(void); extern void write_ibpb(void); =20 #ifdef CONFIG_X86_64 -extern void clear_bhb_loop(void); +extern void clear_bhb_loop_nofence(void); #endif =20 extern void (*x86_return_thunk)(void); diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index 63d6c9fa5e80..f40e88f87273 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c 
@@ -1619,7 +1619,7 @@ static int emit_spectre_bhb_barrier(u8 **pprog, u8 *i= p, EMIT1(0x51); /* push rcx */ ip +=3D 2; =20 - func =3D (u8 *)clear_bhb_loop; + func =3D (u8 *)clear_bhb_loop_nofence; ip +=3D x86_call_depth_emit_accounting(&prog, func, ip); =20 if (emit_call(&prog, func, ip)) --=20 2.34.1
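Review bot: The declaration "extern void clear_bhb_loop_nofence(void);" in the nospec-branch.h hunk is what C callers see, yet the fence requirement is stated only in the comment in entry_64.S. Add a one-line comment at the declaration saying the caller must follow the call with a speculation barrier, as the BPF JIT call site does. The changelog body also reads only together with the subject ("To reflect the recent change ..."); a full sentence naming the rename would stand on its own in git log.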

Date: Wed, 22 Apr 2026 23:15:47 -0700
From: Pawan Gupta
Subject: [PATCH v11 04/12] x86/vmscape: Rename x86_ibpb_exit_to_user to x86_predictor_flush_exit_to_user
Message-ID: <20260422-vmscape-bhb-v11-4-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

With the upcoming changes x86_ibpb_exit_to_user will also be used when BHB
clearing sequence is used. Rename it to cover both the cases.

No functional change.

Suggested-by: Sean Christopherson
Tested-by: Jon Kohler
Acked-by: Sean Christopherson
Signed-off-by: Pawan Gupta
---
 arch/x86/include/asm/entry-common.h | 6 +++---
 arch/x86/include/asm/nospec-branch.h | 2 +-
 arch/x86/kernel/cpu/bugs.c | 4 ++--
 arch/x86/kvm/x86.c | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index ce3eb6d5fdf9..c45858db16c9 100644 --- a/arch/x86/include/asm/entry-common.h
+++ b/arch/x86/include/asm/entry-common.h @@ -94,11 +94,11 @@ static inline void arch_exit_to_user_mode_prepare(struc= t pt_regs *regs, */ choose_random_kstack_offset(rdtsc()); =20 - /* Avoid unnecessary reads of 'x86_ibpb_exit_to_user' */ + /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */ if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) && - this_cpu_read(x86_ibpb_exit_to_user)) { + this_cpu_read(x86_predictor_flush_exit_to_user)) { indirect_branch_prediction_barrier(); - this_cpu_write(x86_ibpb_exit_to_user, false); + this_cpu_write(x86_predictor_flush_exit_to_user, false); } } #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 157eb69c7f0f..0381db59c39d 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -533,7 +533,7 @@ void alternative_msr_write(unsigned int msr, u64 val, u= nsigned int feature) : "memory"); } =20 -DECLARE_PER_CPU(bool, x86_ibpb_exit_to_user); +DECLARE_PER_CPU(bool, x86_predictor_flush_exit_to_user); =20 static inline void indirect_branch_prediction_barrier(void) { diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 2cb4a96247d8..002bf4adccc3 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -65,8 +65,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current); * be needed to before running userspace. That IBPB will flush the branch * predictor content. */ -DEFINE_PER_CPU(bool, x86_ibpb_exit_to_user); -EXPORT_PER_CPU_SYMBOL_GPL(x86_ibpb_exit_to_user); +DEFINE_PER_CPU(bool, x86_predictor_flush_exit_to_user); +EXPORT_PER_CPU_SYMBOL_GPL(x86_predictor_flush_exit_to_user); =20 u64 x86_pred_cmd __ro_after_init =3D PRED_CMD_IBPB; =20 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index fd1c4a36b593..45d7cfedc507 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -11464,7 +11464,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) * may migrate to. */ if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER)) - this_cpu_write(x86_ibpb_exit_to_user, true); + this_cpu_write(x86_predictor_flush_exit_to_user, true); =20 /* * Consume any pending interrupts, including the possible source of --=20 2.34.1
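Review bot: The context comment above the renamed variable in the bugs.c hunk still ends with "That IBPB will flush the branch predictor content", which describes only one of the two flush methods the new name is meant to cover. Reword that comment in the same patch so the documentation of the per-CPU flag matches x86_predictor_flush_exit_to_user.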
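Review bot: In the entry-common.h hunk the flag now carries a generic predictor-flush name, but the code it guards is still keyed on X86_FEATURE_IBPB_EXIT_TO_USER and still calls indirect_branch_prediction_barrier(). That is correct for a rename with no functional change; say in the changelog whether the feature bit and the flush call are expected to change in the follow-up patches, so a reader who bisects to this commit is not left with a name that promises more than the code does.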
Date: Wed, 22 Apr 2026 23:16:02 -0700
From: Pawan Gupta
To: x86@kernel.org, Jon Kohler, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, David Kaplan, Sean Christopherson, Borislav Petkov, Dave Hansen, Peter Zijlstra, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, KP Singh, Jiri Olsa, "David S. Miller", David Laight, Andy Lutomirski, Thomas Gleixner, Ingo Molnar, David Ahern, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, Stanislav Fomichev, Hao Luo, Paolo Bonzini, Jonathan Corbet, Jason Baron, Alice Ryhl, Steven Rostedt, Ard Biesheuvel, Shuah Khan
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [PATCH v11 05/12] x86/vmscape: Move mitigation selection to a switch()
Message-ID: <20260422-vmscape-bhb-v11-5-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

This ensures that all mitigation modes are explicitly handled, while
keeping the mitigation selection for each mode together. This also prepares
for adding BHB-clearing mitigation mode for VMSCAPE.

Tested-by: Jon Kohler
Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
---
 arch/x86/kernel/cpu/bugs.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 002bf4adccc3..636280c612f0 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c
@@ -3088,17 +3088,33 @@ early_param("vmscape", vmscape_parse_cmdline); =20 static void __init vmscape_select_mitigation(void) { - if (!boot_cpu_has_bug(X86_BUG_VMSCAPE) || - !boot_cpu_has(X86_FEATURE_IBPB)) { + if (!boot_cpu_has_bug(X86_BUG_VMSCAPE)) { vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; return; } =20 - if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_AUTO) { - if (should_mitigate_vuln(X86_BUG_VMSCAPE)) + if ((vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_AUTO) && + !should_mitigate_vuln(X86_BUG_VMSCAPE)) + vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; + + switch (vmscape_mitigation) { + case VMSCAPE_MITIGATION_NONE: + break; + + case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER: + if (!boot_cpu_has(X86_FEATURE_IBPB)) + vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; + break; + + case VMSCAPE_MITIGATION_AUTO: + if (boot_cpu_has(X86_FEATURE_IBPB)) vmscape_mitigation =3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER; else vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; + break; + + default: + break; } } =20 --=20 2.34.1
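Review bot: The "default: break;" at the end of the new switch in vmscape_select_mitigation() works against the stated goal of handling every mode explicitly: a mode added later lands in it silently and keeps whatever value the command line set, with no capability check. If vmscape_mitigation has an enum type, drop the default label so the compiler's -Wswitch reports a missing case. The VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER case also downgrades to NONE without a message when the CPU lacks IBPB; a user who asked for that mode explicitly would benefit from a pr_warn there.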
Date: Wed, 22 Apr 2026 23:16:18 -0700
From: Pawan Gupta
Subject: [PATCH v11 06/12] x86/vmscape: Use write_ibpb() instead of indirect_branch_prediction_barrier()
Message-ID: <20260422-vmscape-bhb-v11-6-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

indirect_branch_prediction_barrier() is a wrapper to write_ibpb(), which
also checks if the CPU supports IBPB. For VMSCAPE, call to
indirect_branch_prediction_barrier() is only possible when CPU supports
IBPB.

Simply call write_ibpb() directly to avoid unnecessary alternative
patching.

Suggested-by: Dave Hansen
Tested-by: Jon Kohler
Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
---
 arch/x86/include/asm/entry-common.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index c45858db16c9..78b143673ca7 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h 
@@ -97,7 +97,7 @@ static inline void arch_exit_to_user_mode_prepare(struct = pt_regs *regs, /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */ if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) && this_cpu_read(x86_predictor_flush_exit_to_user)) { - indirect_branch_prediction_barrier(); + write_ibpb(); this_cpu_write(x86_predictor_flush_exit_to_user, false); } } --=20 2.34.1
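Review bot: With indirect_branch_prediction_barrier() replaced by write_ibpb() in arch_exit_to_user_mode_prepare(), nothing at the call site checks for IBPB support any more; the call is only safe because X86_FEATURE_IBPB_EXIT_TO_USER is forced on solely after vmscape_select_mitigation() has confirmed X86_FEATURE_IBPB. That invariant lives in arch/x86/kernel/cpu/bugs.c, so add a short comment next to the write_ibpb() call naming it, otherwise a later change to the selection logic can break it without anyone looking at this file.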
Date: Wed, 22 Apr 2026 23:16:34 -0700
From: Pawan Gupta
Subject: [PATCH v11 07/12] static_call: Define EXPORT_STATIC_CALL_FOR_MODULES()
Message-ID: <20260422-vmscape-bhb-v11-7-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

There is EXPORT_STATIC_CALL_TRAMP() that hides the static key from all
modules. But there is no equivalent of EXPORT_SYMBOL_FOR_MODULES() to
restrict symbol visibility to only certain modules.

Add EXPORT_STATIC_CALL_FOR_MODULES(name, mods) that wraps both the key and
the trampoline with EXPORT_SYMBOL_FOR_MODULES(), allowing only a limited
set of modules to see and update the static key.

The immediate user is KVM, in the following commit.

checkpatch reported below warnings with this change that I believe don't
apply in this case:

  include/linux/static_call.h:219: WARNING: Non-declarative macros with multiple statements should be enclosed in a do - while loop
  include/linux/static_call.h:220: WARNING: EXPORT_SYMBOL(foo); should immediately follow its function/variable

Suggested-by: Peter Zijlstra
Signed-off-by: Pawan Gupta
---
 include/linux/static_call.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/include/linux/static_call.h b/include/linux/static_call.h index 78a77a4ae0ea..b610afd1ed55 100644 --- a/include/linux/static_call.h +++ b/include/linux/static_call.h @@ -216,6 +216,9 @@ extern long __static_call_return0(void); #define EXPORT_STATIC_CALL_GPL(name) \ EXPORT_SYMBOL_GPL(STATIC_CALL_KEY(name)); \ EXPORT_SYMBOL_GPL(STATIC_CALL_TRAMP(name)) +#define EXPORT_STATIC_CALL_FOR_MODULES(name, mods) \ + EXPORT_SYMBOL_FOR_MODULES(STATIC_CALL_KEY(name), mods); \ + EXPORT_SYMBOL_FOR_MODULES(STATIC_CALL_TRAMP(name), mods) =20 /* Leave the key unexported, so modules can't change static call targets: = */ #define EXPORT_STATIC_CALL_TRAMP(name) \ @@ -276,6 +279,9 @@ extern long __static_call_return0(void); #define EXPORT_STATIC_CALL_GPL(name) \ EXPORT_SYMBOL_GPL(STATIC_CALL_KEY(name)); \ EXPORT_SYMBOL_GPL(STATIC_CALL_TRAMP(name)) +#define EXPORT_STATIC_CALL_FOR_MODULES(name, mods) \ + EXPORT_SYMBOL_FOR_MODULES(STATIC_CALL_KEY(name), mods); \ + EXPORT_SYMBOL_FOR_MODULES(STATIC_CALL_TRAMP(name), mods) =20 /* Leave the key unexported, so modules can't change static call targets: = */ #define EXPORT_STATIC_CALL_TRAMP(name) \
@@ -346,6 +352,8 @@ static inline int static_call_text_reserved(void *start= , void *end) =20 #define EXPORT_STATIC_CALL(name) EXPORT_SYMBOL(STATIC_CALL_KEY(name)) #define EXPORT_STATIC_CALL_GPL(name) EXPORT_SYMBOL_GPL(STATIC_CALL_KEY(nam= e)) +#define EXPORT_STATIC_CALL_FOR_MODULES(name, mods) \ + EXPORT_SYMBOL_FOR_MODULES(STATIC_CALL_KEY(name), mods) =20 #endif /* CONFIG_HAVE_STATIC_CALL */ =20 --=20 2.34.1
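Review bot: EXPORT_STATIC_CALL_FOR_MODULES() is added to all three configuration variants of include/linux/static_call.h without a comment, and the variants differ: the first two export both STATIC_CALL_KEY(name) and STATIC_CALL_TRAMP(name), the last one only the key. The neighbouring EXPORT_STATIC_CALL_TRAMP() carries a one-line comment on what it exposes ("Leave the key unexported, so modules can't change static call targets"); the new macro deserves the same, saying that the listed modules receive the key and can therefore retarget the call, and what format the "mods" argument takes.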
Date: Wed, 22 Apr 2026 23:16:50 -0700
From: Pawan Gupta
Subject: [PATCH v11 08/12] kvm: Define EXPORT_STATIC_CALL_FOR_KVM()
Message-ID: <20260422-vmscape-bhb-v11-8-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

EXPORT_SYMBOL_FOR_KVM() exists to export symbols to KVM modules. Static
calls need the same treatment when the core kernel defines a static_call
that KVM needs access to (e.g. from a VM-exit path).

Define EXPORT_STATIC_CALL_FOR_KVM() as the static_call analogue of
EXPORT_SYMBOL_FOR_KVM(). The same three-way logic applies:

  - KVM_SUB_MODULES defined: export to "kvm," plus all sub-modules
  - KVM=m, no sub-modules: export to "kvm" only
  - KVM built-in: no export needed (noop)

As with EXPORT_SYMBOL_FOR_KVM(), allow architectures to override both
macros (e.g. to suppress the export when kvm.ko itself will not be built
despite CONFIG_KVM=m).
Add the x86 no-op overrides in arch/x86/include/asm/kvm_types.h for that
case.

To keep the pair in sync, EXPORT_STATIC_CALL_FOR_KVM() is defined inside
the EXPORT_SYMBOL_FOR_KVM #ifndef block; an arch that defines
EXPORT_SYMBOL_FOR_KVM must also define EXPORT_STATIC_CALL_FOR_KVM or the
build will fail with a compile-time error.

As with EXPORT_SYMBOL_FOR_KVM(), allow architectures to override
EXPORT_STATIC_CALL_FOR_KVM definition (e.g. to suppress the export when
kvm.ko itself will not be built despite CONFIG_KVM=m). Add the x86 no-op
override in arch/x86/include/asm/kvm_types.h for that case. Architectures
must also define EXPORT_STATIC_CALL_FOR_KVM when they define
EXPORT_SYMBOL_FOR_KVM.

Suggested-by: Sean Christopherson
Signed-off-by: Pawan Gupta
Acked-by: Sean Christopherson
---
 arch/x86/include/asm/kvm_types.h | 1 +
 include/linux/kvm_types.h | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/kvm_types.h b/arch/x86/include/asm/kvm_ty= pes.h index d7c704ed1be9..bceeaed2940e 100644 --- a/arch/x86/include/asm/kvm_types.h +++ b/arch/x86/include/asm/kvm_types.h @@ -15,6 +15,7 @@ * at least one vendor module is enabled. */ #define EXPORT_SYMBOL_FOR_KVM(symbol) +#define EXPORT_STATIC_CALL_FOR_KVM(symbol) #endif =20 #define KVM_ARCH_NR_OBJS_PER_MEMORY_CACHE 40 diff --git a/include/linux/kvm_types.h b/include/linux/kvm_types.h index a568d8e6f4e8..be602d3f287e 100644 --- a/include/linux/kvm_types.h +++ b/include/linux/kvm_types.h @@ -13,6 +13,8 @@ EXPORT_SYMBOL_FOR_MODULES(symbol, __stringify(KVM_SUB_MODULES)) #define EXPORT_SYMBOL_FOR_KVM(symbol) \ EXPORT_SYMBOL_FOR_MODULES(symbol, "kvm," __stringify(KVM_SUB_MODULES)) +#define EXPORT_STATIC_CALL_FOR_KVM(symbol) \ + EXPORT_STATIC_CALL_FOR_MODULES(symbol, "kvm," __stringify(KVM_SUB_MODULES= )) #else #define EXPORT_SYMBOL_FOR_KVM_INTERNAL(symbol) /*
@@ -23,11 +25,17 @@ #ifndef EXPORT_SYMBOL_FOR_KVM #if IS_MODULE(CONFIG_KVM) #define EXPORT_SYMBOL_FOR_KVM(symbol) EXPORT_SYMBOL_FOR_MODULES(symbol, "k= vm") +#define EXPORT_STATIC_CALL_FOR_KVM(symbol) EXPORT_STATIC_CALL_FOR_MODULES(= symbol, "kvm") #else #define EXPORT_SYMBOL_FOR_KVM(symbol) +#define EXPORT_STATIC_CALL_FOR_KVM(symbol) #endif /* IS_MODULE(CONFIG_KVM) */ -#endif /* EXPORT_SYMBOL_FOR_KVM */ +#else +#ifndef EXPORT_STATIC_CALL_FOR_KVM +#error Must #define EXPORT_STATIC_CALL_FOR_KVM if #defining EXPORT_SYMBOL_= FOR_KVM #endif +#endif /* EXPORT_SYMBOL_FOR_KVM */ +#endif /* KVM_SUB_MODULES */ =20 #ifndef __ASSEMBLER__ =20 --=20 2.34.1
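Review bot: In the last include/linux/kvm_types.h hunk, the unchanged bare "#endif" context line now closes the new "#ifndef EXPORT_STATIC_CALL_FOR_KVM", and it is the only one of the four nested #endif lines there without a trailing comment. Label it /* EXPORT_STATIC_CALL_FOR_KVM */ so the scope of the #error guard can be read without counting levels. The new macros also name their parameter "symbol" while EXPORT_STATIC_CALL_FOR_MODULES() takes "name"; since the argument is a static call name and not a symbol, "name" would be the less misleading choice.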
Date: Wed, 22 Apr 2026 23:17:06 -0700
From: Pawan Gupta
Subject: [PATCH v11 09/12] x86/vmscape: Use static_call() for predictor flush
Message-ID: <20260422-vmscape-bhb-v11-9-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

Adding more mitigation options at exit-to-userspace for VMSCAPE would
usually require a series of checks to decide which mitigation to use. In
this case, the mitigation is done by calling a function, which is decided
at boot. So, adding more feature flags and multiple checks can be avoided
by using static_call() to the mitigating function.

Replace the flag-based mitigation selector with a static_call(). This also
frees the existing X86_FEATURE_IBPB_EXIT_TO_USER.

Suggested-by: Dave Hansen
Tested-by: Jon Kohler
Acked-by: Sean Christopherson
Signed-off-by: Pawan Gupta
---
 arch/x86/Kconfig | 1 +
 arch/x86/include/asm/cpufeatures.h | 2 +-
 arch/x86/include/asm/entry-common.h | 7 +++----
 arch/x86/include/asm/nospec-branch.h | 3 +++
 arch/x86/kernel/cpu/bugs.c | 9 ++++++++-
 arch/x86/kvm/x86.c | 2 +-
 6 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index e2df1b147184..5b8def9ddb98 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2720,6 +2720,7 @@ config MITIGATION_TSA config MITIGATION_VMSCAPE bool "Mitigate VMSCAPE" depends on KVM + depends on HAVE_STATIC_CALL default y help Enable mitigation for VMSCAPE attacks. VMSCAPE is a hardware security diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index dbe104df339b..b4d529dd6d30 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -503,7 +503,7 @@ #define X86_FEATURE_TSA_SQ_NO (21*32+11) /* AMD CPU not vulnerable to TSA= -SQ */ #define X86_FEATURE_TSA_L1_NO (21*32+12) /* AMD CPU not vulnerable to TSA= -L1 */ #define X86_FEATURE_CLEAR_CPU_BUF_VM (21*32+13) /* Clear CPU buffers using= VERW before VMRUN */ -#define X86_FEATURE_IBPB_EXIT_TO_USER (21*32+14) /* Use IBPB on exit-to-us= erspace, see VMSCAPE bug */ +/* Free */ #define X86_FEATURE_ABMC (21*32+15) /* Assignable Bandwidth Monitoring Co= unters */ #define X86_FEATURE_MSR_IMM (21*32+16) /* MSR immediate form instructions= */ #define X86_FEATURE_SGX_EUPDATESVN (21*32+17) /* Support for ENCLS[EUPDATE= SVN] instruction */ diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index 78b143673ca7..783e7cb50cae 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h @@ -4,6 +4,7 @@ =20 #include #include +#include =20 #include #include
@@ -94,10 +95,8 @@ static inline void arch_exit_to_user_mode_prepare(struct= pt_regs *regs, */ choose_random_kstack_offset(rdtsc()); =20 - /* Avoid unnecessary reads of 'x86_predictor_flush_exit_to_user' */ - if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER) && - this_cpu_read(x86_predictor_flush_exit_to_user)) { - write_ibpb(); + if (unlikely(this_cpu_read(x86_predictor_flush_exit_to_user))) { + static_call_cond(vmscape_predictor_flush)(); this_cpu_write(x86_predictor_flush_exit_to_user, false); } } diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 0381db59c39d..066fd8095200 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -542,6 +542,9 @@ static inline void indirect_branch_prediction_barrier(v= oid) :: "rax", "rcx", "rdx", "memory"); } =20 +#include +DECLARE_STATIC_CALL(vmscape_predictor_flush, write_ibpb); + /* The Intel SPEC CTRL MSR base value cache */ extern u64 x86_spec_ctrl_base; DECLARE_PER_CPU(u64, x86_spec_ctrl_current); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 636280c612f0..bfc0e41697f6 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -144,6 +144,13 @@ EXPORT_SYMBOL_GPL(cpu_buf_idle_clear); */ DEFINE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush); =20 +/* + * Controls how vmscape is mitigated e.g. via IBPB or BHB-clear + * sequence. This defaults to no mitigation. + */ +DEFINE_STATIC_CALL_NULL(vmscape_predictor_flush, write_ibpb); +EXPORT_STATIC_CALL_FOR_KVM(vmscape_predictor_flush); + #undef pr_fmt #define pr_fmt(fmt) "mitigations: " fmt =20 @@ -3133,7 +3140,7 @@ static void __init vmscape_update_mitigation(void) static void __init vmscape_apply_mitigation(void) { if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER) - setup_force_cpu_cap(X86_FEATURE_IBPB_EXIT_TO_USER); + static_call_update(vmscape_predictor_flush, write_ibpb); } =20 #undef pr_fmt 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 45d7cfedc507..5582056b2fa1 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -11463,7 +11463,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) * set for the CPU that actually ran the guest, and not the CPU that it * may migrate to. */ - if (cpu_feature_enabled(X86_FEATURE_IBPB_EXIT_TO_USER)) + if (static_call_query(vmscape_predictor_flush)) this_cpu_write(x86_predictor_flush_exit_to_user, true); =20 /* --=20 2.34.1
From nobody Fri Jun 12 03:08:05 2026
Date: Wed, 22 Apr 2026 23:17:21 -0700
From: Pawan Gupta
To: x86@kernel.org, Jon Kohler, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, David Kaplan, Sean Christopherson, Borislav Petkov, Dave Hansen, Peter Zijlstra, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, KP Singh, Jiri Olsa, "David S. Miller", David Laight, Andy Lutomirski, Thomas Gleixner, Ingo Molnar, David Ahern, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, Stanislav Fomichev, Hao Luo, Paolo Bonzini, Jonathan Corbet, Jason Baron, Alice Ryhl, Steven Rostedt, Ard Biesheuvel, Shuah Khan
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [PATCH v11 10/12] x86/vmscape: Deploy BHB clearing mitigation
Message-ID: <20260422-vmscape-bhb-v11-10-b18e0cf32af4@linux.intel.com>
References: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

IBPB mitigation for VMSCAPE is overkill on CPUs that are only affected by the BHI variant of VMSCAPE. On such CPUs, eIBRS already provides indirect branch isolation between guest and host userspace. However, branch history from guest may also influence the indirect branches in host userspace.

To mitigate the BHI aspect, use the BHB clearing sequence. Since IBPB is now not the only mitigation for VMSCAPE, update the documentation to reflect that =auto could select either IBPB or BHB clear mitigation based on the CPU.

Reviewed-by: Nikolay Borisov
Tested-by: Jon Kohler
Signed-off-by: Pawan Gupta --- Documentation/admin-guide/hw-vuln/vmscape.rst | 11 ++++++++- Documentation/admin-guide/kernel-parameters.txt | 4 +++- arch/x86/include/asm/entry-common.h | 4 ++++ arch/x86/include/asm/nospec-branch.h | 2 ++ arch/x86/kernel/cpu/bugs.c | 30 +++++++++++++++++++--= ---- 5 files changed, 42 insertions(+), 9 deletions(-) diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst b/Documentation/= admin-guide/hw-vuln/vmscape.rst index d9b9a2b6c114..7c40cf70ad7a 100644 --- a/Documentation/admin-guide/hw-vuln/vmscape.rst +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst @@ -86,6 +86,10 @@ The possible values in this file are: run a potentially malicious guest and issues an IBPB before the first exit to userspace after VM-exit. =20 + * 'Mitigation: Clear BHB before exit to userspace': + + As above, conditional BHB clearing mitigation is enabled. + * 'Mitigation: IBPB on VMEXIT': =20 IBPB is issued on every VM-exit. This occurs when other mitigations like @@ -102,9 +106,14 @@ The mitigation can be controlled via the ``vmscape=3D`= ` command line parameter: =20 * ``vmscape=3Dibpb``: =20 - Enable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSC= APE=3Dy). + Enable conditional IBPB mitigation. =20 * ``vmscape=3Dforce``: =20 Force vulnerability detection and mitigation even on processors that are not known to be affected. + + * ``vmscape=3Dauto``: + + Choose the mitigation based on the VMSCAPE variant the CPU is affected = by. + (default when CONFIG_MITIGATION_VMSCAPE=3Dy) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index 03a550630644..3853c7109419 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -8378,9 +8378,11 @@ Kernel parameters =20 off - disable the mitigation ibpb - use Indirect Branch Prediction Barrier - (IBPB) mitigation (default) + (IBPB) mitigation force - force vulnerability detection even on unaffected processors + auto - (default) use IBPB or BHB clear + mitigation based on CPU =20 vsyscall=3D [X86-64,EARLY] Controls the behavior of vsyscalls (i.e. calls to diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/ent= ry-common.h index 783e7cb50cae..13db31472f3a 100644 --- a/arch/x86/include/asm/entry-common.h +++ b/arch/x86/include/asm/entry-common.h @@ -96,6 +96,10 @@ static inline void arch_exit_to_user_mode_prepare(struct= pt_regs *regs, choose_random_kstack_offset(rdtsc()); =20 if (unlikely(this_cpu_read(x86_predictor_flush_exit_to_user))) { + /* + * Since the mitigation is for userspace, an explicit + * speculation barrier is not required after flush. + */ static_call_cond(vmscape_predictor_flush)(); this_cpu_write(x86_predictor_flush_exit_to_user, false); } diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/no= spec-branch.h index 066fd8095200..38478383139b 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -390,6 +390,8 @@ extern void write_ibpb(void); =20 #ifdef CONFIG_X86_64 extern void clear_bhb_loop_nofence(void); +#else +static inline void clear_bhb_loop_nofence(void) {} #endif =20 extern void (*x86_return_thunk)(void); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index bfc0e41697f6..1082ed1fb2e6 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -61,9 +61,8 @@ DEFINE_PER_CPU(u64, x86_spec_ctrl_current); EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current); =20 /* - * Set when the CPU has run a potentially malicious guest. An IBPB will - * be needed to before running userspace. That IBPB will flush the branch - * predictor content. + * Set when the CPU has run a potentially malicious guest. Indicates that a + * branch predictor flush is needed before running userspace. */ DEFINE_PER_CPU(bool, x86_predictor_flush_exit_to_user); EXPORT_PER_CPU_SYMBOL_GPL(x86_predictor_flush_exit_to_user); @@ -3061,13 +3060,15 @@ enum vmscape_mitigations { VMSCAPE_MITIGATION_AUTO, VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER, VMSCAPE_MITIGATION_IBPB_ON_VMEXIT, + VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER, }; =20 static const char * const vmscape_strings[] =3D { - [VMSCAPE_MITIGATION_NONE] =3D "Vulnerable", + [VMSCAPE_MITIGATION_NONE] =3D "Vulnerable", /* [VMSCAPE_MITIGATION_AUTO] */ - [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] =3D "Mitigation: IBPB before exit = to userspace", - [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT", + [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] =3D "Mitigation: IBPB before exit= to userspace", + [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT", + [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] =3D "Mitigation: Clear BHB be= fore exit to userspace", }; =20 static enum vmscape_mitigations vmscape_mitigation __ro_after_init =3D @@ -3085,6 +3086,8 @@ static int __init vmscape_parse_cmdline(char *str) } else if (!strcmp(str, "force")) { setup_force_cpu_bug(X86_BUG_VMSCAPE); vmscape_mitigation =3D VMSCAPE_MITIGATION_AUTO; + } else if (!strcmp(str, "auto")) { + vmscape_mitigation =3D VMSCAPE_MITIGATION_AUTO; } else { pr_err("Ignoring unknown vmscape=3D%s option.\n", str); } 
@@ -3114,7 +3117,17 @@ static void __init vmscape_select_mitigation(void) break; =20 case VMSCAPE_MITIGATION_AUTO: - if (boot_cpu_has(X86_FEATURE_IBPB)) + /* + * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use + * BHB clear sequence. These CPUs are only vulnerable to the BHI + * variant of the VMSCAPE attack, and thus they do not require a + * full predictor flush. + * + * Note, in 32-bit mode BHB clear sequence is not supported. + */ + if (boot_cpu_has(X86_FEATURE_BHI_CTRL) && IS_ENABLED(CONFIG_X86_64)) + vmscape_mitigation =3D VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER; + else if (boot_cpu_has(X86_FEATURE_IBPB)) vmscape_mitigation =3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER; else vmscape_mitigation =3D VMSCAPE_MITIGATION_NONE; @@ -3141,6 +3154,8 @@ static void __init vmscape_apply_mitigation(void) { if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER) static_call_update(vmscape_predictor_flush, write_ibpb); + else if (vmscape_mitigation =3D=3D VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_U= SER) + static_call_update(vmscape_predictor_flush, clear_bhb_loop_nofence); } =20 #undef pr_fmt 
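Review bot: In vmscape_apply_mitigation(), static_call_update(vmscape_predictor_flush, clear_bhb_loop_nofence) installs a real flush only on CONFIG_X86_64; the nospec-branch.h hunk makes clear_bhb_loop_nofence() an empty inline otherwise, so correctness on 32-bit rests entirely on the IS_ENABLED(CONFIG_X86_64) test in the VMSCAPE_MITIGATION_AUTO case. If a later path ever sets VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER without that test, the no-op would be installed while vmscape_strings still reports "Mitigation: Clear BHB before exit to userspace". Suggest a comment on the stub saying it must never be selected, or repeating the IS_ENABLED() check where the static call is updated. Minor: the new comment reads "BHI_CTRL(ADL and newer)" without a space before the parenthesis.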
@@ -3232,6 +3247,7 @@ void cpu_bugs_smt_update(void) break; case VMSCAPE_MITIGATION_IBPB_ON_VMEXIT: case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER: + case VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER: /* * Hypervisors can be attacked across-threads, warn for SMT when * STIBP is not already enabled system-wide. --=20 2.34.1
From nobody Fri Jun 12 03:08:05 2026
Date: Wed, 22 Apr 2026 23:17:37 -0700
From: Pawan Gupta
To: x86@kernel.org, Jon Kohler, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, David Kaplan, Sean Christopherson, Borislav Petkov, Dave Hansen, Peter Zijlstra, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, KP Singh, Jiri Olsa, "David S. Miller", David Laight, Andy Lutomirski, Thomas Gleixner, Ingo Molnar, David Ahern, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, Stanislav Fomichev, Hao Luo, Paolo Bonzini, Jonathan Corbet, Jason Baron, Alice Ryhl, Steven Rostedt, Ard Biesheuvel, Shuah Khan
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [PATCH v11 11/12] x86/vmscape: Resolve conflict between attack-vectors and vmscape=force
Message-ID: <20260422-vmscape-bhb-v11-11-b18e0cf32af4@linux.intel.com>
References: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

The vmscape=force option currently defaults to AUTO mitigation. This lets attack-vector controls override the vmscape mitigation, preventing the user from being able to force VMSCAPE mitigation.

When vmscape mitigation is forced, allow it to be deployed irrespective of attack vectors. Introduce VMSCAPE_MITIGATION_ON that wins over attack-vector controls.

Tested-by: Jon Kohler
Reviewed-by: Nikolay Borisov
Signed-off-by: Pawan Gupta
--- arch/x86/kernel/cpu/bugs.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 1082ed1fb2e6..fbdb137720c4 100644 --- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c @@ -3058,6 +3058,7 @@ static void __init srso_apply_mitigation(void) enum vmscape_mitigations { VMSCAPE_MITIGATION_NONE, VMSCAPE_MITIGATION_AUTO, + VMSCAPE_MITIGATION_ON, VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER, VMSCAPE_MITIGATION_IBPB_ON_VMEXIT, VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER, @@ -3066,6 +3067,7 @@ enum vmscape_mitigations { static const char * const vmscape_strings[] =3D { [VMSCAPE_MITIGATION_NONE] =3D "Vulnerable", /* [VMSCAPE_MITIGATION_AUTO] */ + /* [VMSCAPE_MITIGATION_ON] */ [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] =3D "Mitigation: IBPB before exit= to userspace", [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] =3D "Mitigation: IBPB on VMEXIT", [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] =3D "Mitigation: Clear BHB be= fore exit to userspace", @@ -3085,7 +3087,7 @@ static int __init vmscape_parse_cmdline(char *str) vmscape_mitigation =3D VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER; } else if (!strcmp(str, "force")) { setup_force_cpu_bug(X86_BUG_VMSCAPE); - vmscape_mitigation =3D VMSCAPE_MITIGATION_AUTO; + vmscape_mitigation =3D VMSCAPE_MITIGATION_ON; } else if (!strcmp(str, "auto")) { vmscape_mitigation =3D VMSCAPE_MITIGATION_AUTO; } else { @@ -3117,6 +3119,7 @@ static void __init vmscape_select_mitigation(void) break; =20 case VMSCAPE_MITIGATION_AUTO: + case VMSCAPE_MITIGATION_ON: /* * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use * BHB clear sequence. These CPUs are only vulnerable to the BHI 
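Review bot: The behaviour change to "force" in the vmscape_parse_cmdline() hunk has no documentation: the diffstat touches only bugs.c, so the vmscape=force entries in vmscape.rst and kernel-parameters.txt still describe forced vulnerability detection and say nothing about overriding attack-vector controls. Suggest adding that sentence in this patch. The /* [VMSCAPE_MITIGATION_ON] */ placeholder in vmscape_strings is safe only while vmscape_select_mitigation() always resolves ON to a concrete value, which the shared AUTO/ON case shown here does; the placeholder comment could say so.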
@@ -3244,6 +3247,7 @@ void cpu_bugs_smt_update(void) switch (vmscape_mitigation) { case VMSCAPE_MITIGATION_NONE: case VMSCAPE_MITIGATION_AUTO: + case VMSCAPE_MITIGATION_ON: break; case VMSCAPE_MITIGATION_IBPB_ON_VMEXIT: case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER: --=20 2.34.1
From nobody Fri Jun 12 03:08:05 2026
Date: Wed, 22 Apr 2026 23:17:52 -0700
From: Pawan Gupta
To: x86@kernel.org, Jon Kohler, Nikolay Borisov, "H. Peter Anvin", Josh Poimboeuf, David Kaplan, Sean Christopherson, Borislav Petkov, Dave Hansen, Peter Zijlstra, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, KP Singh, Jiri Olsa, "David S. Miller", David Laight, Andy Lutomirski, Thomas Gleixner, Ingo Molnar, David Ahern, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, Stanislav Fomichev, Hao Luo, Paolo Bonzini, Jonathan Corbet, Jason Baron, Alice Ryhl, Steven Rostedt, Ard Biesheuvel, Shuah Khan
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Asit Mallick, Tao Zhang, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-doc@vger.kernel.org
Subject: [PATCH v11 12/12] x86/vmscape: Add cmdline vmscape=on to override attack vector controls
Message-ID: <20260422-vmscape-bhb-v11-12-b18e0cf32af4@linux.intel.com>
References: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>
In-Reply-To: <20260422-vmscape-bhb-v11-0-b18e0cf32af4@linux.intel.com>

In general, individual mitigation knobs override the attack vector controls. For VMSCAPE, =ibpb exists but there is nothing to select BHB clearing mitigation. The =force option would select BHB clearing when supported, but with a side-effect of also forcing the bug, hence deploying the mitigation on unaffected parts too.

Add a new cmdline option vmscape=on to enable the mitigation based on the VMSCAPE variant the CPU is affected by.

Reviewed-by: Nikolay Borisov
Tested-by: Jon Kohler
Signed-off-by: Pawan Gupta --- Documentation/admin-guide/hw-vuln/vmscape.rst | 4 ++++ Documentation/admin-guide/kernel-parameters.txt | 2 ++ arch/x86/kernel/cpu/bugs.c | 2 ++ 3 files changed, 8 insertions(+) diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst b/Documentation/= admin-guide/hw-vuln/vmscape.rst index 7c40cf70ad7a..2558a5c3d956 100644 --- a/Documentation/admin-guide/hw-vuln/vmscape.rst +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst @@ -117,3 +117,7 @@ The mitigation can be controlled via the ``vmscape=3D``= command line parameter: =20 Choose the mitigation based on the VMSCAPE variant the CPU is affected = by. (default when CONFIG_MITIGATION_VMSCAPE=3Dy) + + * ``vmscape=3Don``: + + Same as ``auto``, except that it overrides attack vector controls. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index 3853c7109419..98204d464477 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -8383,6 +8383,8 @@ Kernel parameters unaffected processors auto - (default) use IBPB or BHB clear mitigation based on CPU + on - same as "auto", but override attack + vector control =20 vsyscall=3D [X86-64,EARLY] Controls the behavior of vsyscalls (i.e. calls to diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index fbdb137720c4..4e0b77fb21dd 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -3088,6 +3088,8 @@ static int __init vmscape_parse_cmdline(char *str) } else if (!strcmp(str, "force")) { setup_force_cpu_bug(X86_BUG_VMSCAPE); vmscape_mitigation =3D VMSCAPE_MITIGATION_ON; + } else if (!strcmp(str, "on")) { + vmscape_mitigation =3D VMSCAPE_MITIGATION_ON; } else if (!strcmp(str, "auto")) { vmscape_mitigation =3D VMSCAPE_MITIGATION_AUTO; } else { --=20 2.34.1
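Review bot: Both documentation hunks describe "on" only relative to "auto", while the vmscape_parse_cmdline() hunk shows "force" and "on" assigning the same VMSCAPE_MITIGATION_ON and differing only in setup_force_cpu_bug(X86_BUG_VMSCAPE). Suggest stating that relationship in the "force" entries (for example, that "force" is "on" plus forced vulnerability detection) so an administrator can see which values bypass attack vector controls. The wording should also match between the files: kernel-parameters.txt says "override attack vector control" where vmscape.rst says "overrides attack vector controls".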