In cloud environments it can be useful to *only* enable the vmexit
mitigation and leave syscalls vulnerable. Add that as an option.
This is similar to the old spectre_bhi=auto option which was removed
with the following commit:
36d4fe147c87 ("x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto")
with the main difference being that this has a more descriptive name and
is disabled by default.
Requested-by: Maksim Davydov <davydov-max@yandex-team.ru>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
Documentation/admin-guide/kernel-parameters.txt | 12 +++++++++---
arch/x86/kernel/cpu/bugs.c | 16 +++++++++++-----
2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 213d0719e2b7..9c1f63f04502 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -6072,9 +6072,15 @@
deployment of the HW BHI control and the SW BHB
clearing sequence.
- on - (default) Enable the HW or SW mitigation
- as needed.
- off - Disable the mitigation.
+ on - (default) Enable the HW or SW mitigation as
+ needed. This protects the kernel from
+ both syscalls and VMs.
+ vmexit - On systems which don't have the HW mitigation
+ available, enable the SW mitigation on vmexit
+ ONLY. On such systems, the host kernel is
+ protected from VM-originated BHI attacks, but
+ may still be vulnerable to syscall attacks.
+ off - Disable the mitigation.
spectre_v2= [X86,EARLY] Control mitigation of Spectre variant 2
(indirect branch speculation) vulnerability.
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index ab18185894df..6974c8c9792d 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1625,6 +1625,7 @@ static bool __init spec_ctrl_bhi_dis(void)
enum bhi_mitigations {
BHI_MITIGATION_OFF,
BHI_MITIGATION_ON,
+ BHI_MITIGATION_VMEXIT_ONLY,
};
static enum bhi_mitigations bhi_mitigation __ro_after_init =
@@ -1639,6 +1640,8 @@ static int __init spectre_bhi_parse_cmdline(char *str)
bhi_mitigation = BHI_MITIGATION_OFF;
else if (!strcmp(str, "on"))
bhi_mitigation = BHI_MITIGATION_ON;
+ else if (!strcmp(str, "vmexit"))
+ bhi_mitigation = BHI_MITIGATION_VMEXIT_ONLY;
else
pr_err("Ignoring unknown spectre_bhi option (%s)", str);
@@ -1659,19 +1662,22 @@ static void __init bhi_select_mitigation(void)
return;
}
+ /* Mitigate in hardware if supported */
if (spec_ctrl_bhi_dis())
return;
if (!IS_ENABLED(CONFIG_X86_64))
return;
- /* Mitigate KVM by default */
- setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
- pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
+ if (bhi_mitigation == BHI_MITIGATION_VMEXIT_ONLY) {
+ pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit only\n");
+ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
+ return;
+ }
- /* Mitigate syscalls when the mitigation is forced =on */
+ pr_info("Spectre BHI mitigation: SW BHB clearing on syscall and vm exit\n");
setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
- pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
+ setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
}
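Review bot: The new `BHI_MITIGATION_VMEXIT_ONLY` branch deliberately leaves X86_FEATURE_CLEAR_BHB_LOOP unset, so a host running with `spectre_bhi=vmexit` is knowingly exposed on the syscall path; the only visible signal of that is the boot-time pr_info at the top of the branch. Whether the sysfs `spectre_v2` vulnerability string also reflects "syscalls unprotected, vmexit protected" depends on `spectre_bhi_state()`, which is not in this hunk — if it derives its text from the two feature bits it will be correct, but that is worth confirming and stating in the commit message, since operators auditing cloud hosts will read sysfs rather than dmesg. A short comment above the branch would also help the next reader, e.g. `/* vmexit-only: guests are mitigated, syscalls intentionally are not */`. bhi_select_mitigation() starts outside the hunk, so the early `return` paths before the hardware check are not visible here.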
static void __init spectre_v2_select_mitigation(void)
--
2.44.0
Hi!
What is the current status of the series?
On 5/7/24 08:30, Josh Poimboeuf wrote:
> In cloud environments it can be useful to *only* enable the vmexit
> mitigation and leave syscalls vulnerable. Add that as an option.
>
> This is similar to the old spectre_bhi=auto option which was removed
> with the following commit:
>
> 36d4fe147c87 ("x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto")
>
> with the main difference being that this has a more descriptive name and
> is disabled by default.
>
> Requested-by: Maksim Davydov <davydov-max@yandex-team.ru>
> Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 12 +++++++++---
> arch/x86/kernel/cpu/bugs.c | 16 +++++++++++-----
> 2 files changed, 20 insertions(+), 8 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 213d0719e2b7..9c1f63f04502 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -6072,9 +6072,15 @@
> deployment of the HW BHI control and the SW BHB
> clearing sequence.
>
> - on - (default) Enable the HW or SW mitigation
> - as needed.
> - off - Disable the mitigation.
> + on - (default) Enable the HW or SW mitigation as
> + needed. This protects the kernel from
> + both syscalls and VMs.
> + vmexit - On systems which don't have the HW mitigation
> + available, enable the SW mitigation on vmexit
> + ONLY. On such systems, the host kernel is
> + protected from VM-originated BHI attacks, but
> + may still be vulnerable to syscall attacks.
> + off - Disable the mitigation.
>
> spectre_v2= [X86,EARLY] Control mitigation of Spectre variant 2
> (indirect branch speculation) vulnerability.
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index ab18185894df..6974c8c9792d 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -1625,6 +1625,7 @@ static bool __init spec_ctrl_bhi_dis(void)
> enum bhi_mitigations {
> BHI_MITIGATION_OFF,
> BHI_MITIGATION_ON,
> + BHI_MITIGATION_VMEXIT_ONLY,
> };
>
> static enum bhi_mitigations bhi_mitigation __ro_after_init =
> @@ -1639,6 +1640,8 @@ static int __init spectre_bhi_parse_cmdline(char *str)
> bhi_mitigation = BHI_MITIGATION_OFF;
> else if (!strcmp(str, "on"))
> bhi_mitigation = BHI_MITIGATION_ON;
> + else if (!strcmp(str, "vmexit"))
> + bhi_mitigation = BHI_MITIGATION_VMEXIT_ONLY;
> else
> pr_err("Ignoring unknown spectre_bhi option (%s)", str);
>
> @@ -1659,19 +1662,22 @@ static void __init bhi_select_mitigation(void)
> return;
> }
>
> + /* Mitigate in hardware if supported */
> if (spec_ctrl_bhi_dis())
> return;
>
> if (!IS_ENABLED(CONFIG_X86_64))
> return;
>
> - /* Mitigate KVM by default */
> - setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> - pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
> + if (bhi_mitigation == BHI_MITIGATION_VMEXIT_ONLY) {
> + pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit only\n");
> + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> + return;
> + }
>
> - /* Mitigate syscalls when the mitigation is forced =on */
> + pr_info("Spectre BHI mitigation: SW BHB clearing on syscall and vm exit\n");
> setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
> - pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
> + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> }
>
> static void __init spectre_v2_select_mitigation(void)
--
Best regards,
Maksim Davydov
On Mon, May 20, 2024 at 04:12:58PM +0300, Maksim Davydov wrote: > Hi! > What is the current status of the series? Looks like it didn't make the merge window. I can post a new version of the series next week (with the minor documentation fix in patch 2). -- Josh
On 7.05.24 г. 8:30 ч., Josh Poimboeuf wrote:
> In cloud environments it can be useful to *only* enable the vmexit
> mitigation and leave syscalls vulnerable. Add that as an option.
>
> This is similar to the old spectre_bhi=auto option which was removed
> with the following commit:
>
> 36d4fe147c87 ("x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto")
>
> with the main difference being that this has a more descriptive name and
> is disabled by default.
>
> Requested-by: Maksim Davydov <davydov-max@yandex-team.ru>
> Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 12 +++++++++---
> arch/x86/kernel/cpu/bugs.c | 16 +++++++++++-----
> 2 files changed, 20 insertions(+), 8 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 213d0719e2b7..9c1f63f04502 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -6072,9 +6072,15 @@
> deployment of the HW BHI control and the SW BHB
> clearing sequence.
>
> - on - (default) Enable the HW or SW mitigation
> - as needed.
> - off - Disable the mitigation.
> + on - (default) Enable the HW or SW mitigation as
> + needed. This protects the kernel from
> + both syscalls and VMs.
> + vmexit - On systems which don't have the HW mitigation
> + available, enable the SW mitigation on vmexit
> + ONLY. On such systems, the host kernel is
> + protected from VM-originated BHI attacks, but
> + may still be vulnerable to syscall attacks.
> + off - Disable the mitigation.
>
> spectre_v2= [X86,EARLY] Control mitigation of Spectre variant 2
> (indirect branch speculation) vulnerability.
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index ab18185894df..6974c8c9792d 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -1625,6 +1625,7 @@ static bool __init spec_ctrl_bhi_dis(void)
> enum bhi_mitigations {
> BHI_MITIGATION_OFF,
> BHI_MITIGATION_ON,
> + BHI_MITIGATION_VMEXIT_ONLY,
> };
>
> static enum bhi_mitigations bhi_mitigation __ro_after_init =
> @@ -1639,6 +1640,8 @@ static int __init spectre_bhi_parse_cmdline(char *str)
> bhi_mitigation = BHI_MITIGATION_OFF;
> else if (!strcmp(str, "on"))
> bhi_mitigation = BHI_MITIGATION_ON;
> + else if (!strcmp(str, "vmexit"))
> + bhi_mitigation = BHI_MITIGATION_VMEXIT_ONLY;
> else
> pr_err("Ignoring unknown spectre_bhi option (%s)", str);
>
> @@ -1659,19 +1662,22 @@ static void __init bhi_select_mitigation(void)
> return;
> }
>
> + /* Mitigate in hardware if supported */
> if (spec_ctrl_bhi_dis())
> return;
>
> if (!IS_ENABLED(CONFIG_X86_64))
> return;
>
> - /* Mitigate KVM by default */
> - setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> - pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
> + if (bhi_mitigation == BHI_MITIGATION_VMEXIT_ONLY) {
> + pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit only\n");
> + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> + return;
> + }
nit: How about setting CLEAR_BHB_LOOP_ON_VMEXIT unconditionally, then
afterwards checking if MITIGATION_VMEXIT_ONLY is set and if yes simply
return, that way you don't duplicate the setup of the VMEXIT code
>
> - /* Mitigate syscalls when the mitigation is forced =on */
> + pr_info("Spectre BHI mitigation: SW BHB clearing on syscall and vm exit\n");
> setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
> - pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
> + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> }
>
> static void __init spectre_v2_select_mitigation(void)
On Wed, May 08, 2024 at 06:10:21PM +0300, Nikolay Borisov wrote:
> > @@ -1659,19 +1662,22 @@ static void __init bhi_select_mitigation(void)
> > return;
> > }
> > + /* Mitigate in hardware if supported */
> > if (spec_ctrl_bhi_dis())
> > return;
> > if (!IS_ENABLED(CONFIG_X86_64))
> > return;
> > - /* Mitigate KVM by default */
> > - setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> > - pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
> > + if (bhi_mitigation == BHI_MITIGATION_VMEXIT_ONLY) {
> > + pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit only\n");
> > + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> > + return;
> > + }
>
> nit: How about setting CLEAR_BHB_LOOP_ON_VMEXIT unconditionally, then
> afterwards checking if MITIGATION_VMEXIT_ONLY is set and if yes simply
> return, that way you don't duplicate the setup of the VMEXIT code
I think the duplication actually makes it more readable. In both cases
it puts the setting of the features together along with the
corresponding pr_info().
--
Josh
On 9.05.24 г. 8:24 ч., Josh Poimboeuf wrote:
> On Wed, May 08, 2024 at 06:10:21PM +0300, Nikolay Borisov wrote:
>>> @@ -1659,19 +1662,22 @@ static void __init bhi_select_mitigation(void)
>>> return;
>>> }
>>> + /* Mitigate in hardware if supported */
>>> if (spec_ctrl_bhi_dis())
>>> return;
>>> if (!IS_ENABLED(CONFIG_X86_64))
>>> return;
>>> - /* Mitigate KVM by default */
>>> - setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
>>> - pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
>>> + if (bhi_mitigation == BHI_MITIGATION_VMEXIT_ONLY) {
>>> + pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit only\n");
>>> + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
>>> + return;
>>> + }
>>
>> nit: How about setting CLEAR_BHB_LOOP_ON_VMEXIT unconditionally, then
>> afterwards checking if MITIGATION_VMEXIT_ONLY is set and if yes simply
>> return, that way you don't duplicate the setup of the VMEXIT code
>
> I think the duplication actually makes it more readable. In both cases
> it puts the setting of the features together along with the
> corresponding pr_info().
Right, my suggestion also meant that setting + pr info will be together,
unconditional and if MITIGATION_VMEXIT_ONLY is set we return early,
without setting X86_FEATURE_CLEAR_BHB_LOOP. In any case it's a minor
remark, feel free to ignore.
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
>
On 5/6/24 22:30, Josh Poimboeuf wrote:
> In cloud environments it can be useful to *only* enable the vmexit
> mitigation and leave syscalls vulnerable. Add that as an option.
>
> This is similar to the old spectre_bhi=auto option which was removed
> with the following commit:
>
> 36d4fe147c87 ("x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto")
>
> with the main difference being that this has a more descriptive name and
> is disabled by default.
>
> Requested-by: Maksim Davydov <davydov-max@yandex-team.ru>
> Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
> ---
Does the KConfig option need to be updated to support this as well? Other than
that,
Reviewed-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
> Documentation/admin-guide/kernel-parameters.txt | 12 +++++++++---
> arch/x86/kernel/cpu/bugs.c | 16 +++++++++++-----
> 2 files changed, 20 insertions(+), 8 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 213d0719e2b7..9c1f63f04502 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -6072,9 +6072,15 @@
> deployment of the HW BHI control and the SW BHB
> clearing sequence.
>
> - on - (default) Enable the HW or SW mitigation
> - as needed.
> - off - Disable the mitigation.
> + on - (default) Enable the HW or SW mitigation as
> + needed. This protects the kernel from
> + both syscalls and VMs.
> + vmexit - On systems which don't have the HW mitigation
> + available, enable the SW mitigation on vmexit
> + ONLY. On such systems, the host kernel is
> + protected from VM-originated BHI attacks, but
> + may still be vulnerable to syscall attacks.
> + off - Disable the mitigation.
>
> spectre_v2= [X86,EARLY] Control mitigation of Spectre variant 2
> (indirect branch speculation) vulnerability.
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index ab18185894df..6974c8c9792d 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -1625,6 +1625,7 @@ static bool __init spec_ctrl_bhi_dis(void)
> enum bhi_mitigations {
> BHI_MITIGATION_OFF,
> BHI_MITIGATION_ON,
> + BHI_MITIGATION_VMEXIT_ONLY,
> };
>
> static enum bhi_mitigations bhi_mitigation __ro_after_init =
> @@ -1639,6 +1640,8 @@ static int __init spectre_bhi_parse_cmdline(char *str)
> bhi_mitigation = BHI_MITIGATION_OFF;
> else if (!strcmp(str, "on"))
> bhi_mitigation = BHI_MITIGATION_ON;
> + else if (!strcmp(str, "vmexit"))
> + bhi_mitigation = BHI_MITIGATION_VMEXIT_ONLY;
> else
> pr_err("Ignoring unknown spectre_bhi option (%s)", str);
>
> @@ -1659,19 +1662,22 @@ static void __init bhi_select_mitigation(void)
> return;
> }
>
> + /* Mitigate in hardware if supported */
> if (spec_ctrl_bhi_dis())
> return;
>
> if (!IS_ENABLED(CONFIG_X86_64))
> return;
>
> - /* Mitigate KVM by default */
> - setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> - pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
> + if (bhi_mitigation == BHI_MITIGATION_VMEXIT_ONLY) {
> + pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit only\n");
> + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> + return;
> + }
>
> - /* Mitigate syscalls when the mitigation is forced =on */
> + pr_info("Spectre BHI mitigation: SW BHB clearing on syscall and vm exit\n");
> setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
> - pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
> + setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
> }
>
> static void __init spectre_v2_select_mitigation(void)
On Tue, May 07, 2024 at 07:58:07AM -0700, Daniel Sneddon wrote:
> On 5/6/24 22:30, Josh Poimboeuf wrote:
> > In cloud environments it can be useful to *only* enable the vmexit
> > mitigation and leave syscalls vulnerable. Add that as an option.
> >
> > This is similar to the old spectre_bhi=auto option which was removed
> > with the following commit:
> >
> > 36d4fe147c87 ("x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto")
> >
> > with the main difference being that this has a more descriptive name and
> > is disabled by default.
> >
> > Requested-by: Maksim Davydov <davydov-max@yandex-team.ru>
> > Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
> > ---
>
> Does the KConfig option need to be updated to support this as well?
In general we don't provide a config option for every possible
mitigation cmdline option. If someone requests it we could add it
later.
> Reviewed-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Thanks!
--
Josh
On 5/8/24 08:19, Josh Poimboeuf wrote:
> On Tue, May 07, 2024 at 07:58:07AM -0700, Daniel Sneddon wrote:
>> On 5/6/24 22:30, Josh Poimboeuf wrote:
>>> In cloud environments it can be useful to *only* enable the vmexit
>>> mitigation and leave syscalls vulnerable. Add that as an option.
>>>
>>> This is similar to the old spectre_bhi=auto option which was removed
>>> with the following commit:
>>>
>>> 36d4fe147c87 ("x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto")
>>>
>>> with the main difference being that this has a more descriptive name and
>>> is disabled by default.
>>>
>>> Requested-by: Maksim Davydov <davydov-max@yandex-team.ru>
>>> Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
>>> ---
>>
>> Does the KConfig option need to be updated to support this as well?
>
> In general we don't provide a config option for every possible
> mitigation cmdline option. If someone requests it we could add it
> later.
>
>> Reviewed-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
>
> Thanks!
>
I think it will be useful for us to have appropriate Kconfig option.
Could you please add it to the next version?
--
Best regards,
Maksim Davydov
On Mon, May 27, 2024 at 01:45:59PM +0300, Maksim Davydov wrote:
> I think it will be useful for us to have appropriate Kconfig option. Could
> you please add it to the next version?
That should probably be a separate patch, something like the below?
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 1d7122a1883e..ab1ea701bc42 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2642,17 +2642,46 @@ config MITIGATION_RFDS
stored in floating point, vector and integer registers.
See also <file:Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst>
-config MITIGATION_SPECTRE_BHI
- bool "Mitigate Spectre-BHB (Branch History Injection)"
+choice
+ prompt "Mitigate Spectre-BHB (Branch History Injection)"
depends on CPU_SUP_INTEL
- default y
+ default MITIGATION_SPECTRE_BHI_ON
help
Enable BHI mitigations. BHI attacks are a form of Spectre V2 attacks
where the branch history buffer is poisoned to speculatively steer
indirect branches.
+
+ The compile-time default can be set to on, vmexit, or off,
+ corresponding to the "spectre_bhi=" cmdline defaults described in
+ Documentation/admin-guide/kernel-parameters.rst. The cmdline
+ options can be used to override this compile-time default.
+
See <file:Documentation/admin-guide/hw-vuln/spectre.rst>
-endif
+config MITIGATION_SPECTRE_BHI_ON
+ bool "on"
+ help
+ Enable the HW or SW mitigation as needed. This protects the kernel
+ from both syscalls and VMs. Equivalent to the spectre_bhi=on cmdline
+ option.
+
+config MITIGATION_SPECTRE_BHI_VMEXIT
+ bool "vmexit"
+ help
+ On systems which don't have the HW mitigation available, enable the
+ SW mitigation on vmexit ONLY. On such systems, the host kernel is
+ protected from VM-originated BHI attacks, but may still be vulnerable
+ to syscall attacks. Equivalent to the spectre_bhi=vmexit cmdline
+ option.
+
+config MITIGATION_SPECTRE_BHI_OFF
+ bool "off"
+ help
+ Disable the mitigation. Equivalent to the spectre_bhi=off cmdline
+ option.
+endchoice
+
+endif # CPU_MITIGATIONS
config ARCH_HAS_ADD_PAGES
def_bool y
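Review bot: The help text for the new choice points at `Documentation/admin-guide/kernel-parameters.rst`, but the file the first patch edits is `Documentation/admin-guide/kernel-parameters.txt`; the reference should read `Documentation/admin-guide/kernel-parameters.txt`. Converting `MITIGATION_SPECTRE_BHI` from a bool into a choice also removes that symbol, so any remaining `CONFIG_MITIGATION_SPECTRE_BHI` user outside the bugs.c hunk below (none are visible here) would silently evaluate as disabled rather than failing the build — a grep for the old symbol, or a compatibility `config MITIGATION_SPECTRE_BHI` defaulting from the choice, would close that gap. The `endif # CPU_MITIGATIONS` comment suggests the choice sits under an `if CPU_MITIGATIONS` block whose opening is outside the hunk.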
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 94bcf29df465..d415f24b7169 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1628,8 +1628,13 @@ enum bhi_mitigations {
BHI_MITIGATION_VMEXIT_ONLY,
};
-static enum bhi_mitigations bhi_mitigation __ro_after_init =
- IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI) ? BHI_MITIGATION_ON : BHI_MITIGATION_OFF;
+#ifdef CONFIG_MITIGATION_SPECTRE_BHI_ON
+static enum bhi_mitigations bhi_mitigation __ro_after_init = BHI_MITIGATION_ON;
+#elif CONFIG_MITIGATION_SPECTRE_BHI_VMEXIT
+static enum bhi_mitigations bhi_mitigation __ro_after_init = BHI_MITIGATION_VMEXIT;
+#else
+static enum bhi_mitigations bhi_mitigation __ro_after_init = BHI_MITIGATION_OFF;
+#endif
static int __init spectre_bhi_parse_cmdline(char *str)
{
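Review bot: The vmexit branch of the new `#ifdef`/`#elif` chain assigns `BHI_MITIGATION_VMEXIT`, but the enumerator declared just above is `BHI_MITIGATION_VMEXIT_ONLY`, so a kernel built with `CONFIG_MITIGATION_SPECTRE_BHI_VMEXIT=y` will fail to compile; the line should be `static enum bhi_mitigations bhi_mitigation __ro_after_init = BHI_MITIGATION_VMEXIT_ONLY;`. The middle test is also written as `#elif CONFIG_MITIGATION_SPECTRE_BHI_VMEXIT` while the first is `#ifdef`; the bare form relies on an undefined macro evaluating to 0 and trips `-Wundef`, so use `#elif defined(CONFIG_MITIGATION_SPECTRE_BHI_VMEXIT)` (or an `IS_ENABLED()` ternary chain, which also matches the style of the line being removed). spectre_bhi_parse_cmdline() opens at the end of the hunk and its body continues outside it.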