From nobody Fri Feb 13 01:11:20 2026
From: Josh Poimboeuf
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, Linus Torvalds, Daniel Sneddon, Pawan Gupta, Thomas Gleixner, Alexandre Chartre, Konrad Rzeszutek Wilk, Peter Zijlstra, Greg Kroah-Hartman, Sean Christopherson, Andrew Cooper, Dave Hansen, Nikolay Borisov, KP Singh, Waiman Long, Borislav Petkov
Subject: [PATCH 1/7] x86/bugs: BHI documentation fixes
Date: Wed, 10 Apr 2024 22:40:45 -0700
Message-ID: <8c84f7451bfe0dd08543c6082a383f390d4aa7e2.1712813475.git.jpoimboe@kernel.org>

Fix up some inaccuracies in the BHI documentation.

Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
Signed-off-by: Josh Poimboeuf
Reviewed-by: Nikolay Borisov
---
 Documentation/admin-guide/hw-vuln/spectre.rst | 15 ++++++++-------
 Documentation/admin-guide/kernel-parameters.txt | 12 +++++++-----
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/= admin-guide/hw-vuln/spectre.rst index b70b1d8bd8e6..3cf18e4a1d9a 100644 --- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst 
@@ -439,11 +439,11 @@ The possible values in this file are: - System is protected by retpoline * - BHI: BHI_DIS_S - System is protected by BHI_DIS_S - * - BHI: SW loop; KVM SW loop + * - BHI: SW loop, KVM SW loop - System is protected by software clearing sequence * - BHI: Syscall hardening - Syscalls are hardened against BHI - * - BHI: Syscall hardening; KVM: SW loop + * - BHI: Syscall hardening, KVM: SW loop - System is protected from userspace attacks by syscall hardening; KVM = is protected by software clearing sequence =20 Full mitigation might require a microcode update from the CPU @@ -666,13 +666,14 @@ kernel command line. of the HW BHI control and the SW BHB clearing sequence. =20 on - unconditionally enable. + (default) Enable the HW or SW mitigation as + needed. off - unconditionally disable. + Disable the mitigation. auto - enable if hardware mitigation - control(BHI_DIS_S) is available, otherwise - enable alternate mitigation in KVM. + Enable the HW mitigation if needed, but + *don't* enable the SW mitigation except for KVM. + The system may be vulnerable. =20 For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt =20 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index 70046a019d42..a029ad6c4963 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -3444,6 +3444,7 @@ retbleed=3Doff [X86] spec_rstack_overflow=3Doff [X86] spec_store_bypass_disable=3Doff [X86,PPC] + spectre_bhi=3Doff [X86] spectre_v2_user=3Doff [X86] srbds=3Doff [X86,INTEL] ssbd=3Dforce-off [ARM64] 
@@ -6069,11 +6070,12 @@ deployment of the HW BHI control and the SW BHB clearing sequence. =20 - on - unconditionally enable. - off - unconditionally disable. - auto - (default) enable hardware mitigation - (BHI_DIS_S) if available, otherwise enable - alternate mitigation in KVM. + on - (default) Enable the HW or SW mitigation + as needed. + off - Disable the mitigation. + auto - Enable the HW mitigation if needed, but + *don't* enable the SW mitigation except + for KVM. The system may be vulnerable. =20 spectre_v2=3D [X86,EARLY] Control mitigation of Spectre variant 2 (indirect branch speculation) vulnerability. --=20 2.44.0
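Review bot: In the spectre.rst sysfs table hunk of patch 1/7, the corrected entry `BHI: SW loop, KVM SW loop` still does not match what the kernel prints: the spectre_bhi_state() context lines elsewhere in this series show "; BHI: SW loop, KVM: SW loop", with a colon after KVM. Suggest `* - BHI: SW loop, KVM: SW loop`, matching the `KVM: SW loop` spelling the same hunk already uses for the syscall-hardening row, so that a string copied from the sysfs file can be found verbatim in the table. The two `spectre_bhi=` descriptions (spectre.rst and kernel-parameters.txt) now agree with each other on `on` being the default, which is good; it would help to say in the commit message which code change made `on` the default, since this patch only touches documentation.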
From: Josh Poimboeuf
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, Linus Torvalds, Daniel Sneddon, Pawan Gupta, Thomas Gleixner, Alexandre Chartre, Konrad Rzeszutek Wilk, Peter Zijlstra, Greg Kroah-Hartman, Sean Christopherson, Andrew Cooper, Dave Hansen, Nikolay Borisov, KP Singh, Waiman Long, Borislav Petkov
Subject: [PATCH 2/7] x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES
Date: Wed, 10 Apr 2024 22:40:46 -0700
Message-ID: <9592a18a814368e75f8f4b9d74d3883aa4fd1eaf.1712813475.git.jpoimboe@kernel.org>

There's no need to keep reading MSR_IA32_ARCH_CAPABILITIES over and over. It's even read in the BHI sysfs function which is a big no-no. Just read it once and cache it.

Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
Signed-off-by: Josh Poimboeuf
Reviewed-by: Nikolay Borisov
---
 arch/x86/kernel/cpu/bugs.c | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 295463707e68..27d6d64eeec3 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -61,6 +61,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current); u64 x86_pred_cmd __ro_after_init =3D PRED_CMD_IBPB; EXPORT_SYMBOL_GPL(x86_pred_cmd); =20 +static u64 __ro_after_init ia32_cap; + static DEFINE_MUTEX(spec_ctrl_mutex); =20 void (*x86_return_thunk)(void) __ro_after_init =3D __x86_return_thunk; @@ -144,6 +146,8 @@ void __init cpu_select_mitigations(void) x86_spec_ctrl_base &=3D ~SPEC_CTRL_MITIGATIONS_MASK; } =20 + ia32_cap =3D x86_read_arch_cap_msr(); + /* Select the proper CPU mitigations before patching alternatives: */ spectre_v1_select_mitigation(); spectre_v2_select_mitigation(); @@ -301,8 +305,6 @@ static const char * const taa_strings[] =3D { =20 static void __init taa_select_mitigation(void) { - u64 ia32_cap; - if (!boot_cpu_has_bug(X86_BUG_TAA)) { taa_mitigation =3D TAA_MITIGATION_OFF; return; @@ -341,7 +343,6 @@ static void __init taa_select_mitigation(void) * On MDS_NO=3D1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode * update is required. */ - ia32_cap =3D x86_read_arch_cap_msr(); if ( (ia32_cap & ARCH_CAP_MDS_NO) && !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR)) taa_mitigation =3D TAA_MITIGATION_UCODE_NEEDED; @@ -401,8 +402,6 @@ static const char * const mmio_strings[] =3D { =20 static void __init mmio_select_mitigation(void) { - u64 ia32_cap; - if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) || boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) || cpu_mitigations_off()) { @@ -413,8 +412,6 @@ static void __init mmio_select_mitigation(void) if (mmio_mitigation =3D=3D MMIO_MITIGATION_OFF) return; =20 - ia32_cap =3D x86_read_arch_cap_msr(); - /* * Enable CPU buffer clear mitigation for host and VMM, if also affected * by MDS or TAA. Otherwise, enable mitigation for VMM only. 
@@ -508,7 +505,7 @@ static void __init rfds_select_mitigation(void) if (rfds_mitigation =3D=3D RFDS_MITIGATION_OFF) return; =20 - if (x86_read_arch_cap_msr() & ARCH_CAP_RFDS_CLEAR) + if (ia32_cap & ARCH_CAP_RFDS_CLEAR) setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF); else rfds_mitigation =3D RFDS_MITIGATION_UCODE_NEEDED; @@ -659,8 +656,6 @@ void update_srbds_msr(void) =20 static void __init srbds_select_mitigation(void) { - u64 ia32_cap; - if (!boot_cpu_has_bug(X86_BUG_SRBDS)) return; =20 @@ -669,7 +664,6 @@ static void __init srbds_select_mitigation(void) * are only exposed to SRBDS when TSX is enabled or when CPU is affected * by Processor MMIO Stale Data vulnerability. */ - ia32_cap =3D x86_read_arch_cap_msr(); if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) && !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) srbds_mitigation =3D SRBDS_MITIGATION_TSX_OFF; @@ -813,7 +807,7 @@ static void __init gds_select_mitigation(void) /* Will verify below that mitigation _can_ be disabled */ =20 /* No microcode */ - if (!(x86_read_arch_cap_msr() & ARCH_CAP_GDS_CTRL)) { + if (!(ia32_cap & ARCH_CAP_GDS_CTRL)) { if (gds_mitigation =3D=3D GDS_MITIGATION_FORCE) { /* * This only needs to be done on the boot CPU so do it @@ -1908,8 +1902,6 @@ static void update_indir_branch_cond(void) /* Update the static key controlling the MDS CPU buffer clear in idle */ static void update_mds_branch_idle(void) { - u64 ia32_cap =3D x86_read_arch_cap_msr(); - /* * Enable the idle clearing if SMT is active on CPUs which are * affected only by MSBDS and not any other MDS variant. 
@@ -2818,7 +2810,7 @@ static const char * const spectre_bhi_state(void) else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) return "; BHI: SW loop, KVM: SW loop"; else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && - !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) + !(ia32_cap & ARCH_CAP_RRSBA)) return "; BHI: Retpoline"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) return "; BHI: Syscall hardening, KVM: SW loop"; --=20 2.44.0
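Review bot: The conversion in patch 2/7 is incomplete: spec_ctrl_disable_kernel_rrsba() keeps its own local `u64 ia32_cap;` and its own `ia32_cap = x86_read_arch_cap_msr();` after this patch (both are only removed by 3/7), so that local shadows the new file-scope variable and the MSR is still read more than once. Either convert that function here as well or note in the commit message that the follow-up handles it, so each patch matches its own description when bisecting. The definition `static u64 __ro_after_init ia32_cap;` also deserves a one-line comment saying it is assigned in cpu_select_mitigations() and reads as 0 before that point, because update_mds_branch_idle() and spectre_bhi_state() are not __init and now rely on the cached value instead of reading the MSR themselves.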
From: Josh Poimboeuf
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, Linus Torvalds, Daniel Sneddon, Pawan Gupta, Thomas Gleixner, Alexandre Chartre, Konrad Rzeszutek Wilk, Peter Zijlstra, Greg Kroah-Hartman, Sean Christopherson, Andrew Cooper, Dave Hansen, Nikolay Borisov, KP Singh, Waiman Long, Borislav Petkov
Subject: [PATCH 3/7] x86/bugs: Fix BHI handling of RRSBA
Date: Wed, 10 Apr 2024 22:40:47 -0700
Message-ID: <6f56f13da34a0834b69163467449be7f58f253dc.1712813475.git.jpoimboe@kernel.org>

The ARCH_CAP_RRSBA check isn't correct: RRSBA may have already been disabled by the Spectre v2 mitigation (or can otherwise be disabled by the BHI mitigation itself if needed). In that case retpolines are fine.

Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
Signed-off-by: Josh Poimboeuf
---
 arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 27d6d64eeec3..0755600d5d18 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -1538,20 +1538,25 @@ static enum spectre_v2_mitigation __init spectre_v2= _select_retpoline(void) return SPECTRE_V2_RETPOLINE; } =20 +static bool __ro_after_init rrsba_disabled; + /* Disable in-kernel use of non-RSB RET predictors */ static void __init spec_ctrl_disable_kernel_rrsba(void) { - u64 ia32_cap; + if (rrsba_disabled) + return; + + if (!(ia32_cap & ARCH_CAP_RRSBA)) { + rrsba_disabled =3D true; + return; + } =20 if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL)) return; =20 - ia32_cap =3D x86_read_arch_cap_msr(); - - if (ia32_cap & ARCH_CAP_RRSBA) { - x86_spec_ctrl_base |=3D SPEC_CTRL_RRSBA_DIS_S; - update_spec_ctrl(x86_spec_ctrl_base); - } + x86_spec_ctrl_base |=3D SPEC_CTRL_RRSBA_DIS_S; + update_spec_ctrl(x86_spec_ctrl_base); + rrsba_disabled =3D true; } =20 static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spect= re_v2_mitigation mode) @@ -1652,9 +1657,11 @@ static void __init bhi_select_mitigation(void) return; =20 /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ - if (cpu_feature_enabled(X86_FEATURE_RETPOLINE) && - !(x86_read_arch_cap_msr() & ARCH_CAP_RRSBA)) - return; + if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { + spec_ctrl_disable_kernel_rrsba(); + if (rrsba_disabled) + return; + } =20 if (spec_ctrl_bhi_dis()) return; 
@@ -2809,8 +2816,7 @@ static const char * const spectre_bhi_state(void) return "; BHI: BHI_DIS_S"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) return "; BHI: SW loop, KVM: SW loop"; - else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && - !(ia32_cap & ARCH_CAP_RRSBA)) + else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled) return "; BHI: Retpoline"; else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) return "; BHI: Syscall hardening, KVM: SW loop"; --=20 2.44.0
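Review bot: In patch 3/7, rrsba_disabled only becomes true inside spec_ctrl_disable_kernel_rrsba(), yet spectre_bhi_state() now tests it in place of `!(ia32_cap & ARCH_CAP_RRSBA)`. If bhi_select_mitigation() takes the early `return;` visible at the top of its hunk and no other caller has run the helper, a retpoline system whose CPU does not enumerate ARCH_CAP_RRSBA would stop reporting "BHI: Retpoline" in sysfs even though nothing about its protection changed. Worth confirming that every path reaches the helper, or seeding rrsba_disabled from ia32_cap at the point where the MSR value is cached. In the bhi_select_mitigation() hunk, the retained comment "Retpoline mitigates against BHI unless the CPU has RRSBA behavior" also no longer describes the code, which now calls spec_ctrl_disable_kernel_rrsba() and can set SPEC_CTRL_RRSBA_DIS_S as a side effect; please update it to say that RRSBA is disabled here when the control exists.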
From: Josh Poimboeuf
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, Linus Torvalds, Daniel Sneddon, Pawan Gupta, Thomas Gleixner, Alexandre Chartre, Konrad Rzeszutek Wilk, Peter Zijlstra, Greg Kroah-Hartman, Sean Christopherson, Andrew Cooper, Dave Hansen, Nikolay Borisov, KP Singh, Waiman Long, Borislav Petkov
Subject: [PATCH 4/7] x86/bugs: Clarify that syscall hardening isn't a BHI mitigation
Date: Wed, 10 Apr 2024 22:40:48 -0700

While syscall hardening helps prevent some BHI attacks, there's still other low-hanging fruit remaining. Don't classify it as a mitigation and make it clear that the system may still be vulnerable if it doesn't have a HW or SW mitigation enabled.

Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
Signed-off-by: Josh Poimboeuf
---
 Documentation/admin-guide/hw-vuln/spectre.rst | 11 +++++------
 Documentation/admin-guide/kernel-parameters.txt | 3 +--
 arch/x86/kernel/cpu/bugs.c | 6 +++---
 3 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/= admin-guide/hw-vuln/spectre.rst index 3cf18e4a1d9a..5a39acf82483 100644 --- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst @@ -441,10 +441,10 @@ The possible values in this file are: - System is protected by BHI_DIS_S * - BHI: SW loop, KVM SW loop - System is protected by software clearing sequence - * - BHI: Syscall hardening - - Syscalls are hardened against BHI - * - BHI: Syscall hardening, KVM: SW loop - - System is protected from userspace attacks by syscall hardening; KVM = is protected by software clearing sequence + * - BHI: Vulnerable + - System is vulnerable to BHI + * - BHI: Vulnerable, KVM: SW loop + - System is vulnerable; KVM is protected by software clearing sequence =20 Full mitigation might require a microcode update from the CPU vendor. When the necessary microcode is not available, the kernel will @@ -661,8 +661,7 @@ kernel command line. spectre_bhi=3D =20 [X86] Control mitigation of Branch History Injection - (BHI) vulnerability. Syscalls are hardened against BHI - regardless of this setting. This setting affects the deployment + (BHI) vulnerability. This setting affects the deployment of the HW BHI control and the SW BHB clearing sequence. =20 on diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index a029ad6c4963..a3874cc97892 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -6065,8 +6065,7 @@ See Documentation/admin-guide/laptops/sonypi.rst =20 spectre_bhi=3D [X86] Control mitigation of Branch History Injection - (BHI) vulnerability. Syscalls are hardened against BHI - reglardless of this setting. This setting affects the + (BHI) vulnerability. This setting affects the deployment of the HW BHI control and the SW BHB clearing sequence. =20 
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 0755600d5d18..a65c70709bb5 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -2818,10 +2818,10 @@ static const char * const spectre_bhi_state(void) return "; BHI: SW loop, KVM: SW loop"; else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && rrsba_disabled) return "; BHI: Retpoline"; - else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) - return "; BHI: Syscall hardening, KVM: SW loop"; + else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) + return "; BHI: Vulnerable, KVM: SW loop"; =20 - return "; BHI: Vulnerable (Syscall hardening enabled)"; + return "; BHI: Vulnerable"; } =20 static ssize_t spectre_v2_show_state(char *buf) --=20 2.44.0
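Review bot: In the spectre_bhi_state() hunk of patch 4/7, the line `else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))` is removed and re-added with identical text, which looks like a whitespace-only change; dropping it would leave this Fixes:-tagged patch with just the two string changes and make a stable backport easier to check. The commit message should also say outright that the sysfs strings change from "BHI: Syscall hardening, KVM: SW loop" and "BHI: Vulnerable (Syscall hardening enabled)" to the "Vulnerable" forms, since compliance scripts and monitoring that match on the old text will start seeing a different state after the update without any change in the actual mitigation.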
From: Josh Poimboeuf
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, Linus Torvalds, Daniel Sneddon, Pawan Gupta, Thomas Gleixner, Alexandre Chartre, Konrad Rzeszutek Wilk, Peter Zijlstra, Greg Kroah-Hartman, Sean Christopherson, Andrew Cooper, Dave Hansen, Nikolay Borisov, KP Singh, Waiman Long, Borislav Petkov
Subject: [PATCH 5/7] x86/bugs: Only harden syscalls when needed
Date: Wed, 10 Apr 2024 22:40:49 -0700
Message-ID: <97befd7c1e008797734dee05181c49056ff6de57.1712813475.git.jpoimboe@kernel.org>

Syscall hardening (i.e., converting the syscall indirect branch to a series of direct branches) may cause performance regressions in certain scenarios. Only use the syscall hardening when indirect branches are considered unsafe.

Fixes: 1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
Signed-off-by: Josh Poimboeuf --- arch/x86/entry/common.c | 30 +++++++++++++++++++++++++--- arch/x86/entry/syscall_32.c | 11 +--------- arch/x86/entry/syscall_64.c | 8 +------- arch/x86/entry/syscall_x32.c | 7 ++++++- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/syscall.h | 8 +++++++- arch/x86/kernel/cpu/bugs.c | 32 +++++++++++++++++++++++++++++- 7 files changed, 74 insertions(+), 23 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 6de50b80702e..80d432d2fe44 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -39,6 +39,28 @@ =20 #ifdef CONFIG_X86_64 =20 +/* + * Do either a direct or an indirect call, depending on whether indirect c= alls + * are considered safe. + */ +#define __do_syscall(table, func_direct, nr, regs) \ +({ \ + unsigned long __rax, __rdi, __rsi; \ + \ + asm_inline volatile( \ + ALTERNATIVE("call " __stringify(func_direct) "\n\t", \ + ANNOTATE_RETPOLINE_SAFE \ + "call *%[func_ptr]\n\t", \ + X86_FEATURE_INDIRECT_SAFE) \ + : "=3DD" (__rdi), "=3DS" (__rsi), "=3Da" (__rax), \ + ASM_CALL_CONSTRAINT \ + : "0" (regs), "1" (nr), [func_ptr] "r" (table[nr]) \ + : "rdx", "rcx", "r8", "r9", "r10", "r11", \ + "cc", "memory"); \ + \ + __rax; \ +}) + static __always_inline bool do_syscall_x64(struct pt_regs *regs, int nr) { /* @@ -49,7 +71,7 @@ static __always_inline bool do_syscall_x64(struct pt_regs= *regs, int nr) =20 if (likely(unr < NR_syscalls)) { unr =3D array_index_nospec(unr, NR_syscalls); - regs->ax =3D x64_sys_call(regs, unr); + regs->ax =3D __do_syscall(sys_call_table, x64_sys_call, unr, regs); return true; } return false; @@ -66,7 +88,7 @@ static __always_inline bool do_syscall_x32(struct pt_regs= *regs, int nr) =20 if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) { xnr =3D array_index_nospec(xnr, X32_NR_syscalls); - regs->ax =3D x32_sys_call(regs, xnr); + regs->ax =3D __do_syscall(x32_sys_call_table, x32_sys_call, xnr, regs); return true; } return false; 
@@ -147,6 +169,8 @@ static int ia32_emulation_override_cmdline(char *arg) return kstrtobool(arg, &__ia32_enabled); } early_param("ia32_emulation", ia32_emulation_override_cmdline); +#else +#define __do_syscall(table, func_direct, nr, regs) table[nr](regs) #endif =20 /* @@ -162,7 +186,7 @@ static __always_inline void do_syscall_32_irqs_on(struc= t pt_regs *regs, int nr) =20 if (likely(unr < IA32_NR_syscalls)) { unr =3D array_index_nospec(unr, IA32_NR_syscalls); - regs->ax =3D ia32_sys_call(regs, unr); + regs->ax =3D __do_syscall(ia32_sys_call_table, ia32_sys_call, unr, regs); } else if (nr !=3D -1) { regs->ax =3D __ia32_sys_ni_syscall(regs); } diff --git a/arch/x86/entry/syscall_32.c b/arch/x86/entry/syscall_32.c index c2235bae17ef..9185870a3ab3 100644 --- a/arch/x86/entry/syscall_32.c +++ b/arch/x86/entry/syscall_32.c @@ -14,25 +14,16 @@ #endif =20 #define __SYSCALL(nr, sym) extern long __ia32_##sym(const struct pt_regs *= ); - #include #undef __SYSCALL =20 -/* - * The sys_call_table[] is no longer used for system calls, but - * kernel/trace/trace_syscalls.c still wants to know the system - * call address. - */ -#ifdef CONFIG_X86_32 #define __SYSCALL(nr, sym) __ia32_##sym, -const sys_call_ptr_t sys_call_table[] =3D { +__visible const sys_call_ptr_t ia32_sys_call_table[] =3D { #include }; #undef __SYSCALL -#endif =20 #define __SYSCALL(nr, sym) case nr: return __ia32_##sym(regs); - long ia32_sys_call(const struct pt_regs *regs, unsigned int nr) { switch (nr) { diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c index 33b3f09e6f15..c368048efa41 100644 --- a/arch/x86/entry/syscall_64.c +++ b/arch/x86/entry/syscall_64.c 
@@ -11,19 +11,13 @@ #include #undef __SYSCALL =20 -/* - * The sys_call_table[] is no longer used for system calls, but - * kernel/trace/trace_syscalls.c still wants to know the system - * call address. - */ #define __SYSCALL(nr, sym) __x64_##sym, -const sys_call_ptr_t sys_call_table[] =3D { +asmlinkage const sys_call_ptr_t sys_call_table[] =3D { #include }; #undef __SYSCALL =20 #define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs); - long x64_sys_call(const struct pt_regs *regs, unsigned int nr) { switch (nr) { diff --git a/arch/x86/entry/syscall_x32.c b/arch/x86/entry/syscall_x32.c index 03de4a932131..89a717267fab 100644 --- a/arch/x86/entry/syscall_x32.c +++ b/arch/x86/entry/syscall_x32.c @@ -11,8 +11,13 @@ #include #undef __SYSCALL =20 -#define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs); +#define __SYSCALL(nr, sym) __x64_##sym, +asmlinkage const sys_call_ptr_t x32_sys_call_table[] =3D { +#include +}; +#undef __SYSCALL =20 +#define __SYSCALL(nr, sym) case nr: return __x64_##sym(regs); long x32_sys_call(const struct pt_regs *regs, unsigned int nr) { switch (nr) { diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpuf= eatures.h index 3c7434329661..7c87fe80c696 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -470,6 +470,7 @@ #define X86_FEATURE_BHI_CTRL (21*32+ 2) /* "" BHI_DIS_S HW control availa= ble */ #define X86_FEATURE_CLEAR_BHB_HW (21*32+ 3) /* "" BHI_DIS_S HW control ena= bled */ #define X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT (21*32+ 4) /* "" Clear branch= history at vmexit using SW loop */ +#define X86_FEATURE_INDIRECT_SAFE (21*32+ 4) /* "" Indirect branches aren'= t vulnerable to Spectre v2 */ =20 /* * BUG word(s) diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h index 2fc7bc3863ff..dfb59521244c 100644 --- a/arch/x86/include/asm/syscall.h +++ b/arch/x86/include/asm/syscall.h 
@@ -16,14 +16,20 @@ #include /* for TS_COMPAT */ #include =20 -/* This is used purely for kernel/trace/trace_syscalls.c */ typedef long (*sys_call_ptr_t)(const struct pt_regs *); extern const sys_call_ptr_t sys_call_table[]; =20 +#if defined(CONFIG_X86_32) +#define ia32_sys_call_table sys_call_table +#else /* * These may not exist, but still put the prototypes in so we * can use IS_ENABLED(). */ +extern const sys_call_ptr_t ia32_sys_call_table[]; +extern const sys_call_ptr_t x32_sys_call_table[]; +#endif + extern long ia32_sys_call(const struct pt_regs *, unsigned int nr); extern long x32_sys_call(const struct pt_regs *, unsigned int nr); extern long x64_sys_call(const struct pt_regs *, unsigned int nr); diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index a65c70709bb5..efffd87381b1 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -1669,6 +1669,15 @@ static void __init bhi_select_mitigation(void) if (!IS_ENABLED(CONFIG_X86_64)) return; =20 + /* + * There's no hardware mitigation in place, so mark indirect branches + * as unsafe. + * + * One could argue the SW loop makes indirect branches safe again, but + * Linus prefers it this way. + */ + setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE); + /* Mitigate KVM by default */ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT); pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n"); 
@@ -1686,6 +1695,21 @@ static void __init spectre_v2_select_mitigation(void) enum spectre_v2_mitigation_cmd cmd =3D spectre_v2_parse_cmdline(); enum spectre_v2_mitigation mode =3D SPECTRE_V2_NONE; =20 + /* + * X86_FEATURE_INDIRECT_SAFE indicates whether indirect calls can be + * considered safe. That means either: + * + * - the CPU isn't vulnerable to Spectre v2 or its variants; + * + * - a hardware mitigation is in place (e.g., IBRS, BHI_DIS_S); or + * + * - the user turned off mitigations altogether. + * + * Assume innocence until proven guilty: set the cap bit now, then + * clear it later if/when needed. + */ + setup_force_cpu_cap(X86_FEATURE_INDIRECT_SAFE); + /* * If the CPU is not affected and the command line mode is NONE or AUTO * then nothing to do. @@ -1720,6 +1744,7 @@ static void __init spectre_v2_select_mitigation(void) =20 case SPECTRE_V2_CMD_RETPOLINE_LFENCE: pr_err(SPECTRE_V2_LFENCE_MSG); + setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE); mode =3D SPECTRE_V2_LFENCE; break; =20 
@@ -1772,11 +1797,16 @@ static void __init spectre_v2_select_mitigation(voi= d) break; =20 case SPECTRE_V2_LFENCE: + setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE); + fallthrough; case SPECTRE_V2_EIBRS_LFENCE: setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); - fallthrough; + setup_force_cpu_cap(X86_FEATURE_RETPOLINE); + break; =20 case SPECTRE_V2_RETPOLINE: + setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE); + fallthrough; case SPECTRE_V2_EIBRS_RETPOLINE: setup_force_cpu_cap(X86_FEATURE_RETPOLINE); break; --=20 2.44.0

From: Josh Poimboeuf
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, Linus Torvalds, Daniel Sneddon, Pawan Gupta, Thomas Gleixner, Alexandre Chartre, Konrad Rzeszutek Wilk, Peter Zijlstra, Greg Kroah-Hartman, Sean Christopherson, Andrew Cooper, Dave Hansen, Nikolay Borisov, KP Singh, Waiman Long, Borislav Petkov
Subject: [PATCH 6/7] x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto
Date: Wed, 10 Apr 2024 22:40:50 -0700
Message-ID: <412e9dc87971b622bbbaf64740ebc1f140bff343.1712813475.git.jpoimboe@kernel.org>

Unlike most other mitigations' "auto" options, spectre_bhi=auto only mitigates newer systems, which is confusing and not particularly useful. Remove it.

Signed-off-by: Josh Poimboeuf
Reviewed-by: Nikolay Borisov
---
 Documentation/admin-guide/hw-vuln/spectre.rst | 4 ----
 Documentation/admin-guide/kernel-parameters.txt | 3 ---
 arch/x86/Kconfig | 5 -----
 arch/x86/kernel/cpu/bugs.c | 10 +---------
 4 files changed, 1 insertion(+), 21 deletions(-)
diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/= admin-guide/hw-vuln/spectre.rst index 5a39acf82483..25a04cda4c2c 100644 --- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst @@ -669,10 +669,6 @@ kernel command line. needed. off Disable the mitigation. - auto - Enable the HW mitigation if needed, but - *don't* enable the SW mitigation except for KVM. - The system may be vulnerable. =20 For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt =20 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index a3874cc97892..902ecd92a29f 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -6072,9 +6072,6 @@ on - (default) Enable the HW or SW mitigation as needed. off - Disable the mitigation. - auto - Enable the HW mitigation if needed, but - *don't* enable the SW mitigation except - for KVM. The system may be vulnerable. =20 spectre_v2=3D [X86,EARLY] Control mitigation of Spectre variant 2 (indirect branch speculation) vulnerability. diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 10a6251f58f3..b63b6767a63d 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2651,11 +2651,6 @@ config SPECTRE_BHI_OFF bool "off" help Equivalent to setting spectre_bhi=3Doff command line parameter. -config SPECTRE_BHI_AUTO - bool "auto" - depends on BROKEN - help - Equivalent to setting spectre_bhi=3Dauto command line parameter. =20 endchoice =20 diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index efffd87381b1..74ade6d7caa3 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -1625,13 +1625,10 @@ static bool __init spec_ctrl_bhi_dis(void) enum bhi_mitigations { BHI_MITIGATION_OFF, BHI_MITIGATION_ON, - BHI_MITIGATION_AUTO, }; =20 static enum bhi_mitigations bhi_mitigation __ro_after_init =3D - IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : - IS_ENABLED(CONFIG_SPECTRE_BHI_OFF) ? BHI_MITIGATION_OFF : - BHI_MITIGATION_AUTO; + IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : BHI_MITIGATION_OF= F; =20 static int __init spectre_bhi_parse_cmdline(char *str) { @@ -1642,8 +1639,6 @@ static int __init spectre_bhi_parse_cmdline(char *str) bhi_mitigation =3D BHI_MITIGATION_OFF; else if (!strcmp(str, "on")) bhi_mitigation =3D BHI_MITIGATION_ON; - else if (!strcmp(str, "auto")) - bhi_mitigation =3D BHI_MITIGATION_AUTO; else pr_err("Ignoring unknown spectre_bhi option (%s)", str); =20 
@@ -1682,9 +1677,6 @@ static void __init bhi_select_mitigation(void) setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT); pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n"); =20 - if (bhi_mitigation =3D=3D BHI_MITIGATION_AUTO) - return; - /* Mitigate syscalls when the mitigation is forced =3Don */ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP); pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n"); --=20 2.44.0

From: Josh Poimboeuf
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, Linus Torvalds, Daniel Sneddon, Pawan Gupta, Thomas Gleixner, Alexandre Chartre, Konrad Rzeszutek Wilk, Peter Zijlstra, Greg Kroah-Hartman, Sean Christopherson, Andrew Cooper, Dave Hansen, Nikolay Borisov, KP Singh, Waiman Long, Borislav Petkov
Subject: [PATCH 7/7] x86/bugs: Replace CONFIG_SPECTRE_BHI_{ON,OFF} with CONFIG_MITIGATION_SPECTRE_BHI
Date: Wed, 10 Apr 2024 22:40:51 -0700
Message-ID: <3833812ea63e7fdbe36bf8b932e63f70d18e2a2a.1712813475.git.jpoimboe@kernel.org>

For consistency with the other CONFIG_MITIGATION_* options, replace the CONFIG_SPECTRE_BHI_{ON,OFF} options with a single CONFIG_MITIGATION_SPECTRE_BHI option.

Signed-off-by: Josh Poimboeuf
---
 arch/x86/Kconfig | 17 +++--------------
 arch/x86/kernel/cpu/bugs.c | 2 +-
 2 files changed, 4 insertions(+), 15 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index b63b6767a63d..4474bf32d0a4 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -2633,27 +2633,16 @@ config MITIGATION_RFDS stored in floating point, vector and integer registers. See also =20 -choice - prompt "Clear branch history" +config MITIGATION_SPECTRE_BHI + bool "Mitigate Spectre-BHB (Branch History Injection)" depends on CPU_SUP_INTEL - default SPECTRE_BHI_ON + default y help Enable BHI mitigations. BHI attacks are a form of Spectre V2 attacks where the branch history buffer is poisoned to speculatively steer indirect branches. See =20 -config SPECTRE_BHI_ON - bool "on" - help - Equivalent to setting spectre_bhi=3Don command line parameter. -config SPECTRE_BHI_OFF - bool "off" - help - Equivalent to setting spectre_bhi=3Doff command line parameter. - -endchoice - endif =20 config ARCH_HAS_ADD_PAGES diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 74ade6d7caa3..4c46fa2d08c2 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -1628,7 +1628,7 @@ enum bhi_mitigations { }; =20 static enum bhi_mitigations bhi_mitigation __ro_after_init =3D - IS_ENABLED(CONFIG_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : BHI_MITIGATION_OF= F; + IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI_ON) ? BHI_MITIGATION_ON : BHI_MI= TIGATION_OFF; =20 static int __init spectre_bhi_parse_cmdline(char *str) { --=20 2.44.0
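Review bot: X86_FEATURE_INDIRECT_SAFE is defined as (21*32+ 4) in the arch/x86/include/asm/cpufeatures.h hunk, the same bit as X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT on the context line directly above it. The two names alias one capability bit, so in bhi_select_mitigation() the added setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE) and the existing setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT) a few lines below it operate on the same bit, and neither the vmexit clearing nor the direct-versus-table syscall choice can be trusted afterwards. Give the new flag an unused bit in word 21.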
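Review bot: the fallback __do_syscall() added under #else in the entry code (hunk @@ -147,6 +169,8) expands to table[nr](regs) with unparenthesized macro arguments and silently drops func_direct. Write it as (table)[(nr)](regs), or better as a static inline so the arguments are type-checked, and add a one-line comment saying that this variant always uses the table and relies on the caller having applied array_index_nospec() to nr, as do_syscall_32_irqs_on() does in the next hunk.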
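Review bot: ia32_sys_call_table is declared __visible in the arch/x86/entry/syscall_32.c hunk, while sys_call_table in syscall_64.c and x32_sys_call_table in syscall_x32.c are declared asmlinkage. The three tables play the same role, so use one annotation for all of them and say in the commit message why it is needed. The hunk also deletes the comment stating that sys_call_table[] is no longer used for system calls without replacing it; since the tables are now an indirect-call dispatch path again, a comment saying when the table is used instead of the switch-based ia32_sys_call() would help the next reader.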
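Review bot: in the arch/x86/include/asm/syscall.h hunk the existing comment "These may not exist, but still put the prototypes in so we can use IS_ENABLED()" ends up inside the new #else branch, directly above the ia32_sys_call_table and x32_sys_call_table externs, while the ia32_sys_call()/x32_sys_call()/x64_sys_call() prototypes it was written for now sit after the #endif with no comment. Move the #if/#else/#endif block above the comment, or give the table externs their own comment, so each explanation stays next to the declarations it describes on both 32-bit and 64-bit builds.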
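Review bot: the comment added above setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE) in bhi_select_mitigation() (bugs.c hunk @@ -1669,6 +1669,15) gives "Linus prefers it this way" as the reason the SW loop does not count as making indirect branches safe. That records who decided, not why, and it will not help someone auditing the mitigation logic later. Put the technical rationale in the comment and move the attribution to the commit message if it is wanted at all.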
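Review bot: the setup_clear_cpu_cap(X86_FEATURE_INDIRECT_SAFE) added under case SPECTRE_V2_CMD_RETPOLINE_LFENCE (bugs.c hunk @@ -1720,6 +1744,7) duplicates work done later: that case sets mode to SPECTRE_V2_LFENCE, and the @@ -1772,11 +1797,16 hunk clears the same cap under case SPECTRE_V2_LFENCE. Clearing it only in the mode switch keeps the cap tied to the mode that was finally selected and avoids two places to update when the selection logic changes.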
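Review bot: with the "auto" branch removed from spectre_bhi_parse_cmdline() (patch 6/7, bugs.c hunk @@ -1642,8 +1639,6), a boot command line that still carries spectre_bhi=auto falls into the final else, logs "Ignoring unknown spectre_bhi option" and keeps the build-time default, which the preceding hunk makes either BHI_MITIGATION_ON or BHI_MITIGATION_OFF. That is a behaviour change for existing deployments and deserves a sentence in the commit message and in kernel-parameters.txt. While touching this function, the pr_err() format string on the context line has no trailing "\n".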
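Review bot: the context comment "Mitigate syscalls when the mitigation is forced =on" in bhi_select_mitigation() (patch 6/7, bugs.c hunk @@ -1682,9 +1677,6) is stale once the BHI_MITIGATION_AUTO early return above it is deleted. "on" is now the documented default rather than something forced, and the syscall clearing is reached on every path that gets this far, so reword the comment to say that.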
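Review bot: the bugs.c hunk of patch 7/7 tests IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI_ON), but the Kconfig hunk in the same patch defines the symbol as MITIGATION_SPECTRE_BHI with no _ON suffix. IS_ENABLED() on an undefined symbol evaluates to 0 without any build warning, so bhi_mitigation would default to BHI_MITIGATION_OFF on every build even though the option is "default y", silently disabling the mitigation unless spectre_bhi=on is passed. The test should be IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI).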