1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (C) 1994 Linus Torvalds
4 *
5 * Cyrix stuff, June 1998 by:
6 * - Rafael R. Reilova (moved everything from head.S),
7 * <rreilova@ececs.uc.edu>
8 * - Channing Corn (tests & fixes),
9 * - Andrew D. Balsa (code cleanup).
10 */
11 #include <linux/init.h>
12 #include <linux/cpu.h>
13 #include <linux/module.h>
14 #include <linux/nospec.h>
15 #include <linux/prctl.h>
16 #include <linux/sched/smt.h>
17 #include <linux/pgtable.h>
18 #include <linux/bpf.h>
19
20 #include <asm/spec-ctrl.h>
21 #include <asm/cmdline.h>
22 #include <asm/bugs.h>
23 #include <asm/processor.h>
24 #include <asm/processor-flags.h>
25 #include <asm/fpu/api.h>
26 #include <asm/msr.h>
27 #include <asm/vmx.h>
28 #include <asm/paravirt.h>
29 #include <asm/intel-family.h>
30 #include <asm/e820/api.h>
31 #include <asm/hypervisor.h>
32 #include <asm/tlbflush.h>
33 #include <asm/cpu.h>
34
35 #include "cpu.h"
36
37 static void __init spectre_v1_select_mitigation(void);
38 static void __init spectre_v2_select_mitigation(void);
39 static void __init retbleed_select_mitigation(void);
40 static void __init spectre_v2_user_select_mitigation(void);
41 static void __init ssb_select_mitigation(void);
42 static void __init l1tf_select_mitigation(void);
43 static void __init mds_select_mitigation(void);
44 static void __init md_clear_update_mitigation(void);
45 static void __init md_clear_select_mitigation(void);
46 static void __init taa_select_mitigation(void);
47 static void __init mmio_select_mitigation(void);
48 static void __init srbds_select_mitigation(void);
49 static void __init l1d_flush_select_mitigation(void);
50 static void __init srso_select_mitigation(void);
51 static void __init gds_select_mitigation(void);
52 static void __init its_select_mitigation(void);
53 static void __init tsa_select_mitigation(void);
54
55 /* The base value of the SPEC_CTRL MSR without task-specific bits set */
56 u64 x86_spec_ctrl_base;
57 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
58
59 /* The current value of the SPEC_CTRL MSR with task-specific bits set */
60 DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
61 EXPORT_SYMBOL_GPL(x86_spec_ctrl_current);
62
63 u64 x86_pred_cmd __ro_after_init = PRED_CMD_IBPB;
64 EXPORT_SYMBOL_GPL(x86_pred_cmd);
65
66 static u64 __ro_after_init x86_arch_cap_msr;
67
68 static DEFINE_MUTEX(spec_ctrl_mutex);
69
70 void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
71
set_return_thunk(void * thunk)72 static void __init set_return_thunk(void *thunk)
73 {
74 if (x86_return_thunk != __x86_return_thunk)
75 pr_warn("x86/bugs: return thunk changed\n");
76
77 x86_return_thunk = thunk;
78 }
79
80 /* Update SPEC_CTRL MSR and its cached copy unconditionally */
update_spec_ctrl(u64 val)81 static void update_spec_ctrl(u64 val)
82 {
83 this_cpu_write(x86_spec_ctrl_current, val);
84 wrmsrl(MSR_IA32_SPEC_CTRL, val);
85 }
86
87 /*
88 * Keep track of the SPEC_CTRL MSR value for the current task, which may differ
89 * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update().
90 */
update_spec_ctrl_cond(u64 val)91 void update_spec_ctrl_cond(u64 val)
92 {
93 if (this_cpu_read(x86_spec_ctrl_current) == val)
94 return;
95
96 this_cpu_write(x86_spec_ctrl_current, val);
97
98 /*
99 * When KERNEL_IBRS this MSR is written on return-to-user, unless
100 * forced the update can be delayed until that time.
101 */
102 if (!cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS))
103 wrmsrl(MSR_IA32_SPEC_CTRL, val);
104 }
105
spec_ctrl_current(void)106 noinstr u64 spec_ctrl_current(void)
107 {
108 return this_cpu_read(x86_spec_ctrl_current);
109 }
110 EXPORT_SYMBOL_GPL(spec_ctrl_current);
111
112 /*
113 * AMD specific MSR info for Speculative Store Bypass control.
114 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
115 */
116 u64 __ro_after_init x86_amd_ls_cfg_base;
117 u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
118
119 /* Control conditional STIBP in switch_to() */
120 DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
121 /* Control conditional IBPB in switch_mm() */
122 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
123 /* Control unconditional IBPB in switch_mm() */
124 DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);
125
126 /* Control CPU buffer clear before idling (halt, mwait) */
127 DEFINE_STATIC_KEY_FALSE(cpu_buf_idle_clear);
128 EXPORT_SYMBOL_GPL(cpu_buf_idle_clear);
129
130 /*
131 * Controls whether l1d flush based mitigations are enabled,
132 * based on hw features and admin setting via boot parameter
133 * defaults to false
134 */
135 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush);
136
137 /* Controls CPU Fill buffer clear before KVM guest MMIO accesses */
138 DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear);
139 EXPORT_SYMBOL_GPL(mmio_stale_data_clear);
140
cpu_select_mitigations(void)141 void __init cpu_select_mitigations(void)
142 {
143 /*
144 * Read the SPEC_CTRL MSR to account for reserved bits which may
145 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
146 * init code as it is not enumerated and depends on the family.
147 */
148 if (cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) {
149 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
150
151 /*
152 * Previously running kernel (kexec), may have some controls
153 * turned ON. Clear them and let the mitigations setup below
154 * rediscover them based on configuration.
155 */
156 x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK;
157 }
158
159 x86_arch_cap_msr = x86_read_arch_cap_msr();
160
161 /* Select the proper CPU mitigations before patching alternatives: */
162 spectre_v1_select_mitigation();
163 spectre_v2_select_mitigation();
164 /*
165 * retbleed_select_mitigation() relies on the state set by
166 * spectre_v2_select_mitigation(); specifically it wants to know about
167 * spectre_v2=ibrs.
168 */
169 retbleed_select_mitigation();
170 /*
171 * spectre_v2_user_select_mitigation() relies on the state set by
172 * retbleed_select_mitigation(); specifically the STIBP selection is
173 * forced for UNRET or IBPB.
174 */
175 spectre_v2_user_select_mitigation();
176 ssb_select_mitigation();
177 l1tf_select_mitigation();
178 md_clear_select_mitigation();
179 srbds_select_mitigation();
180 l1d_flush_select_mitigation();
181
182 /*
183 * srso_select_mitigation() depends and must run after
184 * retbleed_select_mitigation().
185 */
186 srso_select_mitigation();
187 gds_select_mitigation();
188 its_select_mitigation();
189 tsa_select_mitigation();
190 }
191
192 /*
193 * NOTE: This function is *only* called for SVM, since Intel uses
194 * MSR_IA32_SPEC_CTRL for SSBD.
195 */
196 void
x86_virt_spec_ctrl(u64 guest_virt_spec_ctrl,bool setguest)197 x86_virt_spec_ctrl(u64 guest_virt_spec_ctrl, bool setguest)
198 {
199 u64 guestval, hostval;
200 struct thread_info *ti = current_thread_info();
201
202 /*
203 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
204 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
205 */
206 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
207 !static_cpu_has(X86_FEATURE_VIRT_SSBD))
208 return;
209
210 /*
211 * If the host has SSBD mitigation enabled, force it in the host's
212 * virtual MSR value. If its not permanently enabled, evaluate
213 * current's TIF_SSBD thread flag.
214 */
215 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
216 hostval = SPEC_CTRL_SSBD;
217 else
218 hostval = ssbd_tif_to_spec_ctrl(ti->flags);
219
220 /* Sanitize the guest value */
221 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
222
223 if (hostval != guestval) {
224 unsigned long tif;
225
226 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
227 ssbd_spec_ctrl_to_tif(hostval);
228
229 speculation_ctrl_update(tif);
230 }
231 }
232 EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
233
x86_amd_ssb_disable(void)234 static void x86_amd_ssb_disable(void)
235 {
236 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
237
238 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
239 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
240 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
241 wrmsrl(MSR_AMD64_LS_CFG, msrval);
242 }
243
244 #undef pr_fmt
245 #define pr_fmt(fmt) "MDS: " fmt
246
247 /* Default mitigation for MDS-affected CPUs */
248 static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL;
249 static bool mds_nosmt __ro_after_init = false;
250
251 static const char * const mds_strings[] = {
252 [MDS_MITIGATION_OFF] = "Vulnerable",
253 [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
254 [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
255 };
256
mds_select_mitigation(void)257 static void __init mds_select_mitigation(void)
258 {
259 if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) {
260 mds_mitigation = MDS_MITIGATION_OFF;
261 return;
262 }
263
264 if (mds_mitigation == MDS_MITIGATION_FULL) {
265 if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
266 mds_mitigation = MDS_MITIGATION_VMWERV;
267
268 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
269
270 if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&
271 (mds_nosmt || cpu_mitigations_auto_nosmt()))
272 cpu_smt_disable(false);
273 }
274 }
275
mds_cmdline(char * str)276 static int __init mds_cmdline(char *str)
277 {
278 if (!boot_cpu_has_bug(X86_BUG_MDS))
279 return 0;
280
281 if (!str)
282 return -EINVAL;
283
284 if (!strcmp(str, "off"))
285 mds_mitigation = MDS_MITIGATION_OFF;
286 else if (!strcmp(str, "full"))
287 mds_mitigation = MDS_MITIGATION_FULL;
288 else if (!strcmp(str, "full,nosmt")) {
289 mds_mitigation = MDS_MITIGATION_FULL;
290 mds_nosmt = true;
291 }
292
293 return 0;
294 }
295 early_param("mds", mds_cmdline);
296
297 #undef pr_fmt
298 #define pr_fmt(fmt) "TAA: " fmt
299
300 enum taa_mitigations {
301 TAA_MITIGATION_OFF,
302 TAA_MITIGATION_UCODE_NEEDED,
303 TAA_MITIGATION_VERW,
304 TAA_MITIGATION_TSX_DISABLED,
305 };
306
307 /* Default mitigation for TAA-affected CPUs */
308 static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW;
309 static bool taa_nosmt __ro_after_init;
310
311 static const char * const taa_strings[] = {
312 [TAA_MITIGATION_OFF] = "Vulnerable",
313 [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
314 [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
315 [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled",
316 };
317
taa_select_mitigation(void)318 static void __init taa_select_mitigation(void)
319 {
320 if (!boot_cpu_has_bug(X86_BUG_TAA)) {
321 taa_mitigation = TAA_MITIGATION_OFF;
322 return;
323 }
324
325 /* TSX previously disabled by tsx=off */
326 if (!boot_cpu_has(X86_FEATURE_RTM)) {
327 taa_mitigation = TAA_MITIGATION_TSX_DISABLED;
328 return;
329 }
330
331 if (cpu_mitigations_off()) {
332 taa_mitigation = TAA_MITIGATION_OFF;
333 return;
334 }
335
336 /*
337 * TAA mitigation via VERW is turned off if both
338 * tsx_async_abort=off and mds=off are specified.
339 */
340 if (taa_mitigation == TAA_MITIGATION_OFF &&
341 mds_mitigation == MDS_MITIGATION_OFF)
342 return;
343
344 if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
345 taa_mitigation = TAA_MITIGATION_VERW;
346 else
347 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
348
349 /*
350 * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
351 * A microcode update fixes this behavior to clear CPU buffers. It also
352 * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
353 * ARCH_CAP_TSX_CTRL_MSR bit.
354 *
355 * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
356 * update is required.
357 */
358 if ( (x86_arch_cap_msr & ARCH_CAP_MDS_NO) &&
359 !(x86_arch_cap_msr & ARCH_CAP_TSX_CTRL_MSR))
360 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
361
362 /*
363 * TSX is enabled, select alternate mitigation for TAA which is
364 * the same as MDS. Enable MDS static branch to clear CPU buffers.
365 *
366 * For guests that can't determine whether the correct microcode is
367 * present on host, enable the mitigation for UCODE_NEEDED as well.
368 */
369 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
370
371 if (taa_nosmt || cpu_mitigations_auto_nosmt())
372 cpu_smt_disable(false);
373 }
374
tsx_async_abort_parse_cmdline(char * str)375 static int __init tsx_async_abort_parse_cmdline(char *str)
376 {
377 if (!boot_cpu_has_bug(X86_BUG_TAA))
378 return 0;
379
380 if (!str)
381 return -EINVAL;
382
383 if (!strcmp(str, "off")) {
384 taa_mitigation = TAA_MITIGATION_OFF;
385 } else if (!strcmp(str, "full")) {
386 taa_mitigation = TAA_MITIGATION_VERW;
387 } else if (!strcmp(str, "full,nosmt")) {
388 taa_mitigation = TAA_MITIGATION_VERW;
389 taa_nosmt = true;
390 }
391
392 return 0;
393 }
394 early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
395
396 #undef pr_fmt
397 #define pr_fmt(fmt) "MMIO Stale Data: " fmt
398
399 enum mmio_mitigations {
400 MMIO_MITIGATION_OFF,
401 MMIO_MITIGATION_UCODE_NEEDED,
402 MMIO_MITIGATION_VERW,
403 };
404
405 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */
406 static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_VERW;
407 static bool mmio_nosmt __ro_after_init = false;
408
409 static const char * const mmio_strings[] = {
410 [MMIO_MITIGATION_OFF] = "Vulnerable",
411 [MMIO_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
412 [MMIO_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
413 };
414
mmio_select_mitigation(void)415 static void __init mmio_select_mitigation(void)
416 {
417 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
418 boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) ||
419 cpu_mitigations_off()) {
420 mmio_mitigation = MMIO_MITIGATION_OFF;
421 return;
422 }
423
424 if (mmio_mitigation == MMIO_MITIGATION_OFF)
425 return;
426
427 /*
428 * Enable CPU buffer clear mitigation for host and VMM, if also affected
429 * by MDS or TAA. Otherwise, enable mitigation for VMM only.
430 */
431 if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) &&
432 boot_cpu_has(X86_FEATURE_RTM)))
433 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
434
435 /*
436 * X86_FEATURE_CLEAR_CPU_BUF could be enabled by other VERW based
437 * mitigations, disable KVM-only mitigation in that case.
438 */
439 if (boot_cpu_has(X86_FEATURE_CLEAR_CPU_BUF))
440 static_branch_disable(&mmio_stale_data_clear);
441 else
442 static_branch_enable(&mmio_stale_data_clear);
443
444 /*
445 * If Processor-MMIO-Stale-Data bug is present and Fill Buffer data can
446 * be propagated to uncore buffers, clearing the Fill buffers on idle
447 * is required irrespective of SMT state.
448 */
449 if (!(x86_arch_cap_msr & ARCH_CAP_FBSDP_NO))
450 static_branch_enable(&cpu_buf_idle_clear);
451
452 /*
453 * Check if the system has the right microcode.
454 *
455 * CPU Fill buffer clear mitigation is enumerated by either an explicit
456 * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS
457 * affected systems.
458 */
459 if ((x86_arch_cap_msr & ARCH_CAP_FB_CLEAR) ||
460 (boot_cpu_has(X86_FEATURE_MD_CLEAR) &&
461 boot_cpu_has(X86_FEATURE_FLUSH_L1D) &&
462 !(x86_arch_cap_msr & ARCH_CAP_MDS_NO)))
463 mmio_mitigation = MMIO_MITIGATION_VERW;
464 else
465 mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED;
466
467 if (mmio_nosmt || cpu_mitigations_auto_nosmt())
468 cpu_smt_disable(false);
469 }
470
mmio_stale_data_parse_cmdline(char * str)471 static int __init mmio_stale_data_parse_cmdline(char *str)
472 {
473 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
474 return 0;
475
476 if (!str)
477 return -EINVAL;
478
479 if (!strcmp(str, "off")) {
480 mmio_mitigation = MMIO_MITIGATION_OFF;
481 } else if (!strcmp(str, "full")) {
482 mmio_mitigation = MMIO_MITIGATION_VERW;
483 } else if (!strcmp(str, "full,nosmt")) {
484 mmio_mitigation = MMIO_MITIGATION_VERW;
485 mmio_nosmt = true;
486 }
487
488 return 0;
489 }
490 early_param("mmio_stale_data", mmio_stale_data_parse_cmdline);
491
492 #undef pr_fmt
493 #define pr_fmt(fmt) "Register File Data Sampling: " fmt
494
495 enum rfds_mitigations {
496 RFDS_MITIGATION_OFF,
497 RFDS_MITIGATION_VERW,
498 RFDS_MITIGATION_UCODE_NEEDED,
499 };
500
501 /* Default mitigation for Register File Data Sampling */
502 static enum rfds_mitigations rfds_mitigation __ro_after_init =
503 IS_ENABLED(CONFIG_MITIGATION_RFDS) ? RFDS_MITIGATION_VERW : RFDS_MITIGATION_OFF;
504
505 static const char * const rfds_strings[] = {
506 [RFDS_MITIGATION_OFF] = "Vulnerable",
507 [RFDS_MITIGATION_VERW] = "Mitigation: Clear Register File",
508 [RFDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
509 };
510
rfds_select_mitigation(void)511 static void __init rfds_select_mitigation(void)
512 {
513 if (!boot_cpu_has_bug(X86_BUG_RFDS) || cpu_mitigations_off()) {
514 rfds_mitigation = RFDS_MITIGATION_OFF;
515 return;
516 }
517 if (rfds_mitigation == RFDS_MITIGATION_OFF)
518 return;
519
520 if (x86_arch_cap_msr & ARCH_CAP_RFDS_CLEAR)
521 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
522 else
523 rfds_mitigation = RFDS_MITIGATION_UCODE_NEEDED;
524 }
525
rfds_parse_cmdline(char * str)526 static __init int rfds_parse_cmdline(char *str)
527 {
528 if (!str)
529 return -EINVAL;
530
531 if (!boot_cpu_has_bug(X86_BUG_RFDS))
532 return 0;
533
534 if (!strcmp(str, "off"))
535 rfds_mitigation = RFDS_MITIGATION_OFF;
536 else if (!strcmp(str, "on"))
537 rfds_mitigation = RFDS_MITIGATION_VERW;
538
539 return 0;
540 }
541 early_param("reg_file_data_sampling", rfds_parse_cmdline);
542
543 #undef pr_fmt
544 #define pr_fmt(fmt) "" fmt
545
md_clear_update_mitigation(void)546 static void __init md_clear_update_mitigation(void)
547 {
548 if (cpu_mitigations_off())
549 return;
550
551 if (!boot_cpu_has(X86_FEATURE_CLEAR_CPU_BUF))
552 goto out;
553
554 /*
555 * X86_FEATURE_CLEAR_CPU_BUF is now enabled. Update MDS, TAA and MMIO
556 * Stale Data mitigation, if necessary.
557 */
558 if (mds_mitigation == MDS_MITIGATION_OFF &&
559 boot_cpu_has_bug(X86_BUG_MDS)) {
560 mds_mitigation = MDS_MITIGATION_FULL;
561 mds_select_mitigation();
562 }
563 if (taa_mitigation == TAA_MITIGATION_OFF &&
564 boot_cpu_has_bug(X86_BUG_TAA)) {
565 taa_mitigation = TAA_MITIGATION_VERW;
566 taa_select_mitigation();
567 }
568 /*
569 * MMIO_MITIGATION_OFF is not checked here so that mmio_stale_data_clear
570 * gets updated correctly as per X86_FEATURE_CLEAR_CPU_BUF state.
571 */
572 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
573 mmio_mitigation = MMIO_MITIGATION_VERW;
574 mmio_select_mitigation();
575 }
576 if (rfds_mitigation == RFDS_MITIGATION_OFF &&
577 boot_cpu_has_bug(X86_BUG_RFDS)) {
578 rfds_mitigation = RFDS_MITIGATION_VERW;
579 rfds_select_mitigation();
580 }
581 out:
582 if (boot_cpu_has_bug(X86_BUG_MDS))
583 pr_info("MDS: %s\n", mds_strings[mds_mitigation]);
584 if (boot_cpu_has_bug(X86_BUG_TAA))
585 pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
586 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
587 pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
588 else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
589 pr_info("MMIO Stale Data: Unknown: No mitigations\n");
590 if (boot_cpu_has_bug(X86_BUG_RFDS))
591 pr_info("Register File Data Sampling: %s\n", rfds_strings[rfds_mitigation]);
592 }
593
md_clear_select_mitigation(void)594 static void __init md_clear_select_mitigation(void)
595 {
596 mds_select_mitigation();
597 taa_select_mitigation();
598 mmio_select_mitigation();
599 rfds_select_mitigation();
600
601 /*
602 * As these mitigations are inter-related and rely on VERW instruction
603 * to clear the microarchitural buffers, update and print their status
604 * after mitigation selection is done for each of these vulnerabilities.
605 */
606 md_clear_update_mitigation();
607 }
608
609 #undef pr_fmt
610 #define pr_fmt(fmt) "SRBDS: " fmt
611
612 enum srbds_mitigations {
613 SRBDS_MITIGATION_OFF,
614 SRBDS_MITIGATION_UCODE_NEEDED,
615 SRBDS_MITIGATION_FULL,
616 SRBDS_MITIGATION_TSX_OFF,
617 SRBDS_MITIGATION_HYPERVISOR,
618 };
619
620 static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL;
621
622 static const char * const srbds_strings[] = {
623 [SRBDS_MITIGATION_OFF] = "Vulnerable",
624 [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
625 [SRBDS_MITIGATION_FULL] = "Mitigation: Microcode",
626 [SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled",
627 [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
628 };
629
630 static bool srbds_off;
631
update_srbds_msr(void)632 void update_srbds_msr(void)
633 {
634 u64 mcu_ctrl;
635
636 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
637 return;
638
639 if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
640 return;
641
642 if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED)
643 return;
644
645 /*
646 * A MDS_NO CPU for which SRBDS mitigation is not needed due to TSX
647 * being disabled and it hasn't received the SRBDS MSR microcode.
648 */
649 if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
650 return;
651
652 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
653
654 switch (srbds_mitigation) {
655 case SRBDS_MITIGATION_OFF:
656 case SRBDS_MITIGATION_TSX_OFF:
657 mcu_ctrl |= RNGDS_MITG_DIS;
658 break;
659 case SRBDS_MITIGATION_FULL:
660 mcu_ctrl &= ~RNGDS_MITG_DIS;
661 break;
662 default:
663 break;
664 }
665
666 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
667 }
668
srbds_select_mitigation(void)669 static void __init srbds_select_mitigation(void)
670 {
671 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
672 return;
673
674 /*
675 * Check to see if this is one of the MDS_NO systems supporting TSX that
676 * are only exposed to SRBDS when TSX is enabled or when CPU is affected
677 * by Processor MMIO Stale Data vulnerability.
678 */
679 if ((x86_arch_cap_msr & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) &&
680 !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
681 srbds_mitigation = SRBDS_MITIGATION_TSX_OFF;
682 else if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
683 srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR;
684 else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
685 srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED;
686 else if (cpu_mitigations_off() || srbds_off)
687 srbds_mitigation = SRBDS_MITIGATION_OFF;
688
689 update_srbds_msr();
690 pr_info("%s\n", srbds_strings[srbds_mitigation]);
691 }
692
srbds_parse_cmdline(char * str)693 static int __init srbds_parse_cmdline(char *str)
694 {
695 if (!str)
696 return -EINVAL;
697
698 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
699 return 0;
700
701 srbds_off = !strcmp(str, "off");
702 return 0;
703 }
704 early_param("srbds", srbds_parse_cmdline);
705
706 #undef pr_fmt
707 #define pr_fmt(fmt) "L1D Flush : " fmt
708
709 enum l1d_flush_mitigations {
710 L1D_FLUSH_OFF = 0,
711 L1D_FLUSH_ON,
712 };
713
714 static enum l1d_flush_mitigations l1d_flush_mitigation __initdata = L1D_FLUSH_OFF;
715
l1d_flush_select_mitigation(void)716 static void __init l1d_flush_select_mitigation(void)
717 {
718 if (!l1d_flush_mitigation || !boot_cpu_has(X86_FEATURE_FLUSH_L1D))
719 return;
720
721 static_branch_enable(&switch_mm_cond_l1d_flush);
722 pr_info("Conditional flush on switch_mm() enabled\n");
723 }
724
l1d_flush_parse_cmdline(char * str)725 static int __init l1d_flush_parse_cmdline(char *str)
726 {
727 if (!strcmp(str, "on"))
728 l1d_flush_mitigation = L1D_FLUSH_ON;
729
730 return 0;
731 }
732 early_param("l1d_flush", l1d_flush_parse_cmdline);
733
734 #undef pr_fmt
735 #define pr_fmt(fmt) "GDS: " fmt
736
737 enum gds_mitigations {
738 GDS_MITIGATION_OFF,
739 GDS_MITIGATION_UCODE_NEEDED,
740 GDS_MITIGATION_FORCE,
741 GDS_MITIGATION_FULL,
742 GDS_MITIGATION_FULL_LOCKED,
743 GDS_MITIGATION_HYPERVISOR,
744 };
745
746 #if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)
747 static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE;
748 #else
749 static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
750 #endif
751
752 static const char * const gds_strings[] = {
753 [GDS_MITIGATION_OFF] = "Vulnerable",
754 [GDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
755 [GDS_MITIGATION_FORCE] = "Mitigation: AVX disabled, no microcode",
756 [GDS_MITIGATION_FULL] = "Mitigation: Microcode",
757 [GDS_MITIGATION_FULL_LOCKED] = "Mitigation: Microcode (locked)",
758 [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
759 };
760
gds_ucode_mitigated(void)761 bool gds_ucode_mitigated(void)
762 {
763 return (gds_mitigation == GDS_MITIGATION_FULL ||
764 gds_mitigation == GDS_MITIGATION_FULL_LOCKED);
765 }
766 EXPORT_SYMBOL_GPL(gds_ucode_mitigated);
767
update_gds_msr(void)768 void update_gds_msr(void)
769 {
770 u64 mcu_ctrl_after;
771 u64 mcu_ctrl;
772
773 switch (gds_mitigation) {
774 case GDS_MITIGATION_OFF:
775 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
776 mcu_ctrl |= GDS_MITG_DIS;
777 break;
778 case GDS_MITIGATION_FULL_LOCKED:
779 /*
780 * The LOCKED state comes from the boot CPU. APs might not have
781 * the same state. Make sure the mitigation is enabled on all
782 * CPUs.
783 */
784 case GDS_MITIGATION_FULL:
785 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
786 mcu_ctrl &= ~GDS_MITG_DIS;
787 break;
788 case GDS_MITIGATION_FORCE:
789 case GDS_MITIGATION_UCODE_NEEDED:
790 case GDS_MITIGATION_HYPERVISOR:
791 return;
792 };
793
794 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
795
796 /*
797 * Check to make sure that the WRMSR value was not ignored. Writes to
798 * GDS_MITG_DIS will be ignored if this processor is locked but the boot
799 * processor was not.
800 */
801 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl_after);
802 WARN_ON_ONCE(mcu_ctrl != mcu_ctrl_after);
803 }
804
gds_select_mitigation(void)805 static void __init gds_select_mitigation(void)
806 {
807 u64 mcu_ctrl;
808
809 if (!boot_cpu_has_bug(X86_BUG_GDS))
810 return;
811
812 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
813 gds_mitigation = GDS_MITIGATION_HYPERVISOR;
814 goto out;
815 }
816
817 if (cpu_mitigations_off())
818 gds_mitigation = GDS_MITIGATION_OFF;
819 /* Will verify below that mitigation _can_ be disabled */
820
821 /* No microcode */
822 if (!(x86_arch_cap_msr & ARCH_CAP_GDS_CTRL)) {
823 if (gds_mitigation == GDS_MITIGATION_FORCE) {
824 /*
825 * This only needs to be done on the boot CPU so do it
826 * here rather than in update_gds_msr()
827 */
828 setup_clear_cpu_cap(X86_FEATURE_AVX);
829 pr_warn("Microcode update needed! Disabling AVX as mitigation.\n");
830 } else {
831 gds_mitigation = GDS_MITIGATION_UCODE_NEEDED;
832 }
833 goto out;
834 }
835
836 /* Microcode has mitigation, use it */
837 if (gds_mitigation == GDS_MITIGATION_FORCE)
838 gds_mitigation = GDS_MITIGATION_FULL;
839
840 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
841 if (mcu_ctrl & GDS_MITG_LOCKED) {
842 if (gds_mitigation == GDS_MITIGATION_OFF)
843 pr_warn("Mitigation locked. Disable failed.\n");
844
845 /*
846 * The mitigation is selected from the boot CPU. All other CPUs
847 * _should_ have the same state. If the boot CPU isn't locked
848 * but others are then update_gds_msr() will WARN() of the state
849 * mismatch. If the boot CPU is locked update_gds_msr() will
850 * ensure the other CPUs have the mitigation enabled.
851 */
852 gds_mitigation = GDS_MITIGATION_FULL_LOCKED;
853 }
854
855 update_gds_msr();
856 out:
857 pr_info("%s\n", gds_strings[gds_mitigation]);
858 }
859
gds_parse_cmdline(char * str)860 static int __init gds_parse_cmdline(char *str)
861 {
862 if (!str)
863 return -EINVAL;
864
865 if (!boot_cpu_has_bug(X86_BUG_GDS))
866 return 0;
867
868 if (!strcmp(str, "off"))
869 gds_mitigation = GDS_MITIGATION_OFF;
870 else if (!strcmp(str, "force"))
871 gds_mitigation = GDS_MITIGATION_FORCE;
872
873 return 0;
874 }
875 early_param("gather_data_sampling", gds_parse_cmdline);
876
877 #undef pr_fmt
878 #define pr_fmt(fmt) "Spectre V1 : " fmt
879
880 enum spectre_v1_mitigation {
881 SPECTRE_V1_MITIGATION_NONE,
882 SPECTRE_V1_MITIGATION_AUTO,
883 };
884
885 static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
886 SPECTRE_V1_MITIGATION_AUTO;
887
888 static const char * const spectre_v1_strings[] = {
889 [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
890 [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
891 };
892
893 /*
894 * Does SMAP provide full mitigation against speculative kernel access to
895 * userspace?
896 */
smap_works_speculatively(void)897 static bool smap_works_speculatively(void)
898 {
899 if (!boot_cpu_has(X86_FEATURE_SMAP))
900 return false;
901
902 /*
903 * On CPUs which are vulnerable to Meltdown, SMAP does not
904 * prevent speculative access to user data in the L1 cache.
905 * Consider SMAP to be non-functional as a mitigation on these
906 * CPUs.
907 */
908 if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
909 return false;
910
911 return true;
912 }
913
spectre_v1_select_mitigation(void)914 static void __init spectre_v1_select_mitigation(void)
915 {
916 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
917 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
918 return;
919 }
920
921 if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
922 /*
923 * With Spectre v1, a user can speculatively control either
924 * path of a conditional swapgs with a user-controlled GS
925 * value. The mitigation is to add lfences to both code paths.
926 *
927 * If FSGSBASE is enabled, the user can put a kernel address in
928 * GS, in which case SMAP provides no protection.
929 *
930 * If FSGSBASE is disabled, the user can only put a user space
931 * address in GS. That makes an attack harder, but still
932 * possible if there's no SMAP protection.
933 */
934 if (boot_cpu_has(X86_FEATURE_FSGSBASE) ||
935 !smap_works_speculatively()) {
936 /*
937 * Mitigation can be provided from SWAPGS itself or
938 * PTI as the CR3 write in the Meltdown mitigation
939 * is serializing.
940 *
941 * If neither is there, mitigate with an LFENCE to
942 * stop speculation through swapgs.
943 */
944 if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
945 !boot_cpu_has(X86_FEATURE_PTI))
946 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
947
948 /*
949 * Enable lfences in the kernel entry (non-swapgs)
950 * paths, to prevent user entry from speculatively
951 * skipping swapgs.
952 */
953 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
954 }
955 }
956
957 pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
958 }
959
nospectre_v1_cmdline(char * str)960 static int __init nospectre_v1_cmdline(char *str)
961 {
962 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
963 return 0;
964 }
965 early_param("nospectre_v1", nospectre_v1_cmdline);
966
967 enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = SPECTRE_V2_NONE;
968
969 #undef pr_fmt
970 #define pr_fmt(fmt) "RETBleed: " fmt
971
972 enum retbleed_mitigation {
973 RETBLEED_MITIGATION_NONE,
974 RETBLEED_MITIGATION_UNRET,
975 RETBLEED_MITIGATION_IBPB,
976 RETBLEED_MITIGATION_IBRS,
977 RETBLEED_MITIGATION_EIBRS,
978 RETBLEED_MITIGATION_STUFF,
979 };
980
981 enum retbleed_mitigation_cmd {
982 RETBLEED_CMD_OFF,
983 RETBLEED_CMD_AUTO,
984 RETBLEED_CMD_UNRET,
985 RETBLEED_CMD_IBPB,
986 RETBLEED_CMD_STUFF,
987 };
988
989 static const char * const retbleed_strings[] = {
990 [RETBLEED_MITIGATION_NONE] = "Vulnerable",
991 [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk",
992 [RETBLEED_MITIGATION_IBPB] = "Mitigation: IBPB",
993 [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS",
994 [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS",
995 [RETBLEED_MITIGATION_STUFF] = "Mitigation: Stuffing",
996 };
997
998 static enum retbleed_mitigation retbleed_mitigation __ro_after_init =
999 RETBLEED_MITIGATION_NONE;
1000 static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =
1001 RETBLEED_CMD_AUTO;
1002
1003 static int __ro_after_init retbleed_nosmt = false;
1004
retbleed_parse_cmdline(char * str)1005 static int __init retbleed_parse_cmdline(char *str)
1006 {
1007 if (!str)
1008 return -EINVAL;
1009
1010 while (str) {
1011 char *next = strchr(str, ',');
1012 if (next) {
1013 *next = 0;
1014 next++;
1015 }
1016
1017 if (!strcmp(str, "off")) {
1018 retbleed_cmd = RETBLEED_CMD_OFF;
1019 } else if (!strcmp(str, "auto")) {
1020 retbleed_cmd = RETBLEED_CMD_AUTO;
1021 } else if (!strcmp(str, "unret")) {
1022 retbleed_cmd = RETBLEED_CMD_UNRET;
1023 } else if (!strcmp(str, "ibpb")) {
1024 retbleed_cmd = RETBLEED_CMD_IBPB;
1025 } else if (!strcmp(str, "stuff")) {
1026 retbleed_cmd = RETBLEED_CMD_STUFF;
1027 } else if (!strcmp(str, "nosmt")) {
1028 retbleed_nosmt = true;
1029 } else if (!strcmp(str, "force")) {
1030 setup_force_cpu_bug(X86_BUG_RETBLEED);
1031 } else {
1032 pr_err("Ignoring unknown retbleed option (%s).", str);
1033 }
1034
1035 str = next;
1036 }
1037
1038 return 0;
1039 }
1040 early_param("retbleed", retbleed_parse_cmdline);
1041
1042 #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n"
1043 #define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n"
1044
retbleed_select_mitigation(void)1045 static void __init retbleed_select_mitigation(void)
1046 {
1047 bool mitigate_smt = false;
1048
1049 if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
1050 return;
1051
1052 switch (retbleed_cmd) {
1053 case RETBLEED_CMD_OFF:
1054 return;
1055
1056 case RETBLEED_CMD_UNRET:
1057 if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY)) {
1058 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
1059 } else {
1060 pr_err("WARNING: kernel not compiled with CPU_UNRET_ENTRY.\n");
1061 goto do_cmd_auto;
1062 }
1063 break;
1064
1065 case RETBLEED_CMD_IBPB:
1066 if (!boot_cpu_has(X86_FEATURE_IBPB)) {
1067 pr_err("WARNING: CPU does not support IBPB.\n");
1068 goto do_cmd_auto;
1069 } else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) {
1070 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
1071 } else {
1072 pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n");
1073 goto do_cmd_auto;
1074 }
1075 break;
1076
1077 case RETBLEED_CMD_STUFF:
1078 if (IS_ENABLED(CONFIG_CALL_DEPTH_TRACKING) &&
1079 spectre_v2_enabled == SPECTRE_V2_RETPOLINE) {
1080 retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
1081
1082 } else {
1083 if (IS_ENABLED(CONFIG_CALL_DEPTH_TRACKING))
1084 pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
1085 else
1086 pr_err("WARNING: kernel not compiled with CALL_DEPTH_TRACKING.\n");
1087
1088 goto do_cmd_auto;
1089 }
1090 break;
1091
1092 do_cmd_auto:
1093 case RETBLEED_CMD_AUTO:
1094 default:
1095 if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
1096 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) {
1097 if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY))
1098 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
1099 else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY) && boot_cpu_has(X86_FEATURE_IBPB))
1100 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
1101 }
1102
1103 /*
1104 * The Intel mitigation (IBRS or eIBRS) was already selected in
1105 * spectre_v2_select_mitigation(). 'retbleed_mitigation' will
1106 * be set accordingly below.
1107 */
1108
1109 break;
1110 }
1111
1112 switch (retbleed_mitigation) {
1113 case RETBLEED_MITIGATION_UNRET:
1114 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
1115 setup_force_cpu_cap(X86_FEATURE_UNRET);
1116
1117 set_return_thunk(retbleed_return_thunk);
1118
1119 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
1120 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
1121 pr_err(RETBLEED_UNTRAIN_MSG);
1122
1123 mitigate_smt = true;
1124 break;
1125
1126 case RETBLEED_MITIGATION_IBPB:
1127 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
1128 setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
1129 mitigate_smt = true;
1130
1131 /*
1132 * IBPB on entry already obviates the need for
1133 * software-based untraining so clear those in case some
1134 * other mitigation like SRSO has selected them.
1135 */
1136 setup_clear_cpu_cap(X86_FEATURE_UNRET);
1137 setup_clear_cpu_cap(X86_FEATURE_RETHUNK);
1138
1139 /*
1140 * There is no need for RSB filling: entry_ibpb() ensures
1141 * all predictions, including the RSB, are invalidated,
1142 * regardless of IBPB implementation.
1143 */
1144 setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT);
1145
1146 break;
1147
1148 case RETBLEED_MITIGATION_STUFF:
1149 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
1150 setup_force_cpu_cap(X86_FEATURE_CALL_DEPTH);
1151 #ifdef CONFIG_CALL_DEPTH_TRACKING
1152 set_return_thunk(&__x86_return_skl);
1153 #endif
1154 break;
1155
1156 default:
1157 break;
1158 }
1159
1160 if (mitigate_smt && !boot_cpu_has(X86_FEATURE_STIBP) &&
1161 (retbleed_nosmt || cpu_mitigations_auto_nosmt()))
1162 cpu_smt_disable(false);
1163
1164 /*
1165 * Let IBRS trump all on Intel without affecting the effects of the
1166 * retbleed= cmdline option except for call depth based stuffing
1167 */
1168 if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
1169 switch (spectre_v2_enabled) {
1170 case SPECTRE_V2_IBRS:
1171 retbleed_mitigation = RETBLEED_MITIGATION_IBRS;
1172 break;
1173 case SPECTRE_V2_EIBRS:
1174 case SPECTRE_V2_EIBRS_RETPOLINE:
1175 case SPECTRE_V2_EIBRS_LFENCE:
1176 retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;
1177 break;
1178 default:
1179 if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
1180 pr_err(RETBLEED_INTEL_MSG);
1181 }
1182 }
1183
1184 pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
1185 }
1186
1187 #undef pr_fmt
1188 #define pr_fmt(fmt) "ITS: " fmt
1189
1190 enum its_mitigation_cmd {
1191 ITS_CMD_OFF,
1192 ITS_CMD_ON,
1193 ITS_CMD_VMEXIT,
1194 ITS_CMD_RSB_STUFF,
1195 };
1196
1197 enum its_mitigation {
1198 ITS_MITIGATION_OFF,
1199 ITS_MITIGATION_VMEXIT_ONLY,
1200 ITS_MITIGATION_ALIGNED_THUNKS,
1201 ITS_MITIGATION_RETPOLINE_STUFF,
1202 };
1203
1204 static const char * const its_strings[] = {
1205 [ITS_MITIGATION_OFF] = "Vulnerable",
1206 [ITS_MITIGATION_VMEXIT_ONLY] = "Mitigation: Vulnerable, KVM: Not affected",
1207 [ITS_MITIGATION_ALIGNED_THUNKS] = "Mitigation: Aligned branch/return thunks",
1208 [ITS_MITIGATION_RETPOLINE_STUFF] = "Mitigation: Retpolines, Stuffing RSB",
1209 };
1210
1211 static enum its_mitigation its_mitigation __ro_after_init = ITS_MITIGATION_ALIGNED_THUNKS;
1212
1213 static enum its_mitigation_cmd its_cmd __ro_after_init =
1214 IS_ENABLED(CONFIG_MITIGATION_ITS) ? ITS_CMD_ON : ITS_CMD_OFF;
1215
its_parse_cmdline(char * str)1216 static int __init its_parse_cmdline(char *str)
1217 {
1218 if (!str)
1219 return -EINVAL;
1220
1221 if (!IS_ENABLED(CONFIG_MITIGATION_ITS)) {
1222 pr_err("Mitigation disabled at compile time, ignoring option (%s)", str);
1223 return 0;
1224 }
1225
1226 if (!strcmp(str, "off")) {
1227 its_cmd = ITS_CMD_OFF;
1228 } else if (!strcmp(str, "on")) {
1229 its_cmd = ITS_CMD_ON;
1230 } else if (!strcmp(str, "force")) {
1231 its_cmd = ITS_CMD_ON;
1232 setup_force_cpu_bug(X86_BUG_ITS);
1233 } else if (!strcmp(str, "vmexit")) {
1234 its_cmd = ITS_CMD_VMEXIT;
1235 } else if (!strcmp(str, "stuff")) {
1236 its_cmd = ITS_CMD_RSB_STUFF;
1237 } else {
1238 pr_err("Ignoring unknown indirect_target_selection option (%s).", str);
1239 }
1240
1241 return 0;
1242 }
1243 early_param("indirect_target_selection", its_parse_cmdline);
1244
its_select_mitigation(void)1245 static void __init its_select_mitigation(void)
1246 {
1247 enum its_mitigation_cmd cmd = its_cmd;
1248
1249 if (!boot_cpu_has_bug(X86_BUG_ITS) || cpu_mitigations_off()) {
1250 its_mitigation = ITS_MITIGATION_OFF;
1251 return;
1252 }
1253
1254 /* Retpoline+CDT mitigates ITS, bail out */
1255 if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
1256 boot_cpu_has(X86_FEATURE_CALL_DEPTH)) {
1257 its_mitigation = ITS_MITIGATION_RETPOLINE_STUFF;
1258 goto out;
1259 }
1260
1261 /* Exit early to avoid irrelevant warnings */
1262 if (cmd == ITS_CMD_OFF) {
1263 its_mitigation = ITS_MITIGATION_OFF;
1264 goto out;
1265 }
1266 if (spectre_v2_enabled == SPECTRE_V2_NONE) {
1267 pr_err("WARNING: Spectre-v2 mitigation is off, disabling ITS\n");
1268 its_mitigation = ITS_MITIGATION_OFF;
1269 goto out;
1270 }
1271 if (!IS_ENABLED(CONFIG_RETPOLINE) || !IS_ENABLED(CONFIG_RETHUNK)) {
1272 pr_err("WARNING: ITS mitigation depends on retpoline and rethunk support\n");
1273 its_mitigation = ITS_MITIGATION_OFF;
1274 goto out;
1275 }
1276 if (IS_ENABLED(CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B)) {
1277 pr_err("WARNING: ITS mitigation is not compatible with CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B\n");
1278 its_mitigation = ITS_MITIGATION_OFF;
1279 goto out;
1280 }
1281 if (boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE)) {
1282 pr_err("WARNING: ITS mitigation is not compatible with lfence mitigation\n");
1283 its_mitigation = ITS_MITIGATION_OFF;
1284 goto out;
1285 }
1286
1287 if (cmd == ITS_CMD_RSB_STUFF &&
1288 (!boot_cpu_has(X86_FEATURE_RETPOLINE) || !IS_ENABLED(CONFIG_CALL_DEPTH_TRACKING))) {
1289 pr_err("RSB stuff mitigation not supported, using default\n");
1290 cmd = ITS_CMD_ON;
1291 }
1292
1293 switch (cmd) {
1294 case ITS_CMD_OFF:
1295 its_mitigation = ITS_MITIGATION_OFF;
1296 break;
1297 case ITS_CMD_VMEXIT:
1298 if (boot_cpu_has_bug(X86_BUG_ITS_NATIVE_ONLY)) {
1299 its_mitigation = ITS_MITIGATION_VMEXIT_ONLY;
1300 goto out;
1301 }
1302 fallthrough;
1303 case ITS_CMD_ON:
1304 its_mitigation = ITS_MITIGATION_ALIGNED_THUNKS;
1305 if (!boot_cpu_has(X86_FEATURE_RETPOLINE))
1306 setup_force_cpu_cap(X86_FEATURE_INDIRECT_THUNK_ITS);
1307 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
1308 set_return_thunk(its_return_thunk);
1309 break;
1310 case ITS_CMD_RSB_STUFF:
1311 its_mitigation = ITS_MITIGATION_RETPOLINE_STUFF;
1312 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
1313 setup_force_cpu_cap(X86_FEATURE_CALL_DEPTH);
1314 #ifdef CONFIG_CALL_DEPTH_TRACKING
1315 set_return_thunk(&__x86_return_skl);
1316 #endif
1317 if (retbleed_mitigation == RETBLEED_MITIGATION_NONE) {
1318 retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
1319 pr_info("Retbleed mitigation updated to stuffing\n");
1320 }
1321 break;
1322 }
1323 out:
1324 pr_info("%s\n", its_strings[its_mitigation]);
1325 }
1326
1327 #undef pr_fmt
1328 #define pr_fmt(fmt) "Spectre V2 : " fmt
1329
1330 static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init =
1331 SPECTRE_V2_USER_NONE;
1332 static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init =
1333 SPECTRE_V2_USER_NONE;
1334
1335 #ifdef CONFIG_RETPOLINE
1336 static bool spectre_v2_bad_module;
1337
retpoline_module_ok(bool has_retpoline)1338 bool retpoline_module_ok(bool has_retpoline)
1339 {
1340 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
1341 return true;
1342
1343 pr_err("System may be vulnerable to spectre v2\n");
1344 spectre_v2_bad_module = true;
1345 return false;
1346 }
1347
spectre_v2_module_string(void)1348 static inline const char *spectre_v2_module_string(void)
1349 {
1350 return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
1351 }
1352 #else
spectre_v2_module_string(void)1353 static inline const char *spectre_v2_module_string(void) { return ""; }
1354 #endif
1355
1356 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
1357 #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
1358 #define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
1359 #define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enhanced IBRS CPU, this may cause unnecessary performance loss\n"
1360
1361 #ifdef CONFIG_BPF_SYSCALL
unpriv_ebpf_notify(int new_state)1362 void unpriv_ebpf_notify(int new_state)
1363 {
1364 if (new_state)
1365 return;
1366
1367 /* Unprivileged eBPF is enabled */
1368
1369 switch (spectre_v2_enabled) {
1370 case SPECTRE_V2_EIBRS:
1371 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
1372 break;
1373 case SPECTRE_V2_EIBRS_LFENCE:
1374 if (sched_smt_active())
1375 pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
1376 break;
1377 default:
1378 break;
1379 }
1380 }
1381 #endif
1382
match_option(const char * arg,int arglen,const char * opt)1383 static inline bool match_option(const char *arg, int arglen, const char *opt)
1384 {
1385 int len = strlen(opt);
1386
1387 return len == arglen && !strncmp(arg, opt, len);
1388 }
1389
1390 /* The kernel command line selection for spectre v2 */
1391 enum spectre_v2_mitigation_cmd {
1392 SPECTRE_V2_CMD_NONE,
1393 SPECTRE_V2_CMD_AUTO,
1394 SPECTRE_V2_CMD_FORCE,
1395 SPECTRE_V2_CMD_RETPOLINE,
1396 SPECTRE_V2_CMD_RETPOLINE_GENERIC,
1397 SPECTRE_V2_CMD_RETPOLINE_LFENCE,
1398 SPECTRE_V2_CMD_EIBRS,
1399 SPECTRE_V2_CMD_EIBRS_RETPOLINE,
1400 SPECTRE_V2_CMD_EIBRS_LFENCE,
1401 SPECTRE_V2_CMD_IBRS,
1402 };
1403
1404 enum spectre_v2_user_cmd {
1405 SPECTRE_V2_USER_CMD_NONE,
1406 SPECTRE_V2_USER_CMD_AUTO,
1407 SPECTRE_V2_USER_CMD_FORCE,
1408 SPECTRE_V2_USER_CMD_PRCTL,
1409 SPECTRE_V2_USER_CMD_PRCTL_IBPB,
1410 SPECTRE_V2_USER_CMD_SECCOMP,
1411 SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
1412 };
1413
1414 static const char * const spectre_v2_user_strings[] = {
1415 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable",
1416 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection",
1417 [SPECTRE_V2_USER_STRICT_PREFERRED] = "User space: Mitigation: STIBP always-on protection",
1418 [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl",
1419 [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl",
1420 };
1421
1422 static const struct {
1423 const char *option;
1424 enum spectre_v2_user_cmd cmd;
1425 bool secure;
1426 } v2_user_options[] __initconst = {
1427 { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
1428 { "off", SPECTRE_V2_USER_CMD_NONE, false },
1429 { "on", SPECTRE_V2_USER_CMD_FORCE, true },
1430 { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
1431 { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false },
1432 { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
1433 { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false },
1434 };
1435
spec_v2_user_print_cond(const char * reason,bool secure)1436 static void __init spec_v2_user_print_cond(const char *reason, bool secure)
1437 {
1438 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1439 pr_info("spectre_v2_user=%s forced on command line.\n", reason);
1440 }
1441
1442 static __ro_after_init enum spectre_v2_mitigation_cmd spectre_v2_cmd;
1443
1444 static enum spectre_v2_user_cmd __init
spectre_v2_parse_user_cmdline(void)1445 spectre_v2_parse_user_cmdline(void)
1446 {
1447 char arg[20];
1448 int ret, i;
1449
1450 switch (spectre_v2_cmd) {
1451 case SPECTRE_V2_CMD_NONE:
1452 return SPECTRE_V2_USER_CMD_NONE;
1453 case SPECTRE_V2_CMD_FORCE:
1454 return SPECTRE_V2_USER_CMD_FORCE;
1455 default:
1456 break;
1457 }
1458
1459 ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
1460 arg, sizeof(arg));
1461 if (ret < 0)
1462 return SPECTRE_V2_USER_CMD_AUTO;
1463
1464 for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
1465 if (match_option(arg, ret, v2_user_options[i].option)) {
1466 spec_v2_user_print_cond(v2_user_options[i].option,
1467 v2_user_options[i].secure);
1468 return v2_user_options[i].cmd;
1469 }
1470 }
1471
1472 pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
1473 return SPECTRE_V2_USER_CMD_AUTO;
1474 }
1475
spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)1476 static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
1477 {
1478 return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
1479 }
1480
1481 static void __init
spectre_v2_user_select_mitigation(void)1482 spectre_v2_user_select_mitigation(void)
1483 {
1484 enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
1485 bool smt_possible = IS_ENABLED(CONFIG_SMP);
1486 enum spectre_v2_user_cmd cmd;
1487
1488 if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
1489 return;
1490
1491 if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
1492 cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
1493 smt_possible = false;
1494
1495 cmd = spectre_v2_parse_user_cmdline();
1496 switch (cmd) {
1497 case SPECTRE_V2_USER_CMD_NONE:
1498 goto set_mode;
1499 case SPECTRE_V2_USER_CMD_FORCE:
1500 mode = SPECTRE_V2_USER_STRICT;
1501 break;
1502 case SPECTRE_V2_USER_CMD_AUTO:
1503 case SPECTRE_V2_USER_CMD_PRCTL:
1504 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1505 mode = SPECTRE_V2_USER_PRCTL;
1506 break;
1507 case SPECTRE_V2_USER_CMD_SECCOMP:
1508 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1509 if (IS_ENABLED(CONFIG_SECCOMP))
1510 mode = SPECTRE_V2_USER_SECCOMP;
1511 else
1512 mode = SPECTRE_V2_USER_PRCTL;
1513 break;
1514 }
1515
1516 /* Initialize Indirect Branch Prediction Barrier */
1517 if (boot_cpu_has(X86_FEATURE_IBPB)) {
1518 setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
1519
1520 spectre_v2_user_ibpb = mode;
1521 switch (cmd) {
1522 case SPECTRE_V2_USER_CMD_FORCE:
1523 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1524 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1525 static_branch_enable(&switch_mm_always_ibpb);
1526 spectre_v2_user_ibpb = SPECTRE_V2_USER_STRICT;
1527 break;
1528 case SPECTRE_V2_USER_CMD_PRCTL:
1529 case SPECTRE_V2_USER_CMD_AUTO:
1530 case SPECTRE_V2_USER_CMD_SECCOMP:
1531 static_branch_enable(&switch_mm_cond_ibpb);
1532 break;
1533 default:
1534 break;
1535 }
1536
1537 pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
1538 static_key_enabled(&switch_mm_always_ibpb) ?
1539 "always-on" : "conditional");
1540 }
1541
1542 /*
1543 * If no STIBP, Intel enhanced IBRS is enabled, or SMT impossible, STIBP
1544 * is not required.
1545 *
1546 * Intel's Enhanced IBRS also protects against cross-thread branch target
1547 * injection in user-mode as the IBRS bit remains always set which
1548 * implicitly enables cross-thread protections. However, in legacy IBRS
1549 * mode, the IBRS bit is set only on kernel entry and cleared on return
1550 * to userspace. AMD Automatic IBRS also does not protect userspace.
1551 * These modes therefore disable the implicit cross-thread protection,
1552 * so allow for STIBP to be selected in those cases.
1553 */
1554 if (!boot_cpu_has(X86_FEATURE_STIBP) ||
1555 !smt_possible ||
1556 (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
1557 !boot_cpu_has(X86_FEATURE_AUTOIBRS)))
1558 return;
1559
1560 /*
1561 * At this point, an STIBP mode other than "off" has been set.
1562 * If STIBP support is not being forced, check if STIBP always-on
1563 * is preferred.
1564 */
1565 if (mode != SPECTRE_V2_USER_STRICT &&
1566 boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
1567 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1568
1569 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
1570 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
1571 if (mode != SPECTRE_V2_USER_STRICT &&
1572 mode != SPECTRE_V2_USER_STRICT_PREFERRED)
1573 pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");
1574 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1575 }
1576
1577 spectre_v2_user_stibp = mode;
1578
1579 set_mode:
1580 pr_info("%s\n", spectre_v2_user_strings[mode]);
1581 }
1582
1583 static const char * const spectre_v2_strings[] = {
1584 [SPECTRE_V2_NONE] = "Vulnerable",
1585 [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines",
1586 [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE",
1587 [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced / Automatic IBRS",
1588 [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced / Automatic IBRS + LFENCE",
1589 [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced / Automatic IBRS + Retpolines",
1590 [SPECTRE_V2_IBRS] = "Mitigation: IBRS",
1591 };
1592
1593 static const struct {
1594 const char *option;
1595 enum spectre_v2_mitigation_cmd cmd;
1596 bool secure;
1597 } mitigation_options[] __initconst = {
1598 { "off", SPECTRE_V2_CMD_NONE, false },
1599 { "on", SPECTRE_V2_CMD_FORCE, true },
1600 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
1601 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1602 { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1603 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
1604 { "eibrs", SPECTRE_V2_CMD_EIBRS, false },
1605 { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false },
1606 { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false },
1607 { "auto", SPECTRE_V2_CMD_AUTO, false },
1608 { "ibrs", SPECTRE_V2_CMD_IBRS, false },
1609 };
1610
spec_v2_print_cond(const char * reason,bool secure)1611 static void __init spec_v2_print_cond(const char *reason, bool secure)
1612 {
1613 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1614 pr_info("%s selected on command line.\n", reason);
1615 }
1616
spectre_v2_parse_cmdline(void)1617 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
1618 {
1619 enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
1620 char arg[20];
1621 int ret, i;
1622
1623 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
1624 cpu_mitigations_off())
1625 return SPECTRE_V2_CMD_NONE;
1626
1627 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
1628 if (ret < 0)
1629 return SPECTRE_V2_CMD_AUTO;
1630
1631 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
1632 if (!match_option(arg, ret, mitigation_options[i].option))
1633 continue;
1634 cmd = mitigation_options[i].cmd;
1635 break;
1636 }
1637
1638 if (i >= ARRAY_SIZE(mitigation_options)) {
1639 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1640 return SPECTRE_V2_CMD_AUTO;
1641 }
1642
1643 if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
1644 cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1645 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
1646 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1647 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1648 !IS_ENABLED(CONFIG_RETPOLINE)) {
1649 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1650 mitigation_options[i].option);
1651 return SPECTRE_V2_CMD_AUTO;
1652 }
1653
1654 if ((cmd == SPECTRE_V2_CMD_EIBRS ||
1655 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1656 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1657 !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1658 pr_err("%s selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n",
1659 mitigation_options[i].option);
1660 return SPECTRE_V2_CMD_AUTO;
1661 }
1662
1663 if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1664 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
1665 !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
1666 pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n",
1667 mitigation_options[i].option);
1668 return SPECTRE_V2_CMD_AUTO;
1669 }
1670
1671 if (cmd == SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_CPU_IBRS_ENTRY)) {
1672 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1673 mitigation_options[i].option);
1674 return SPECTRE_V2_CMD_AUTO;
1675 }
1676
1677 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {
1678 pr_err("%s selected but not Intel CPU. Switching to AUTO select\n",
1679 mitigation_options[i].option);
1680 return SPECTRE_V2_CMD_AUTO;
1681 }
1682
1683 if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {
1684 pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n",
1685 mitigation_options[i].option);
1686 return SPECTRE_V2_CMD_AUTO;
1687 }
1688
1689 if (cmd == SPECTRE_V2_CMD_IBRS && cpu_feature_enabled(X86_FEATURE_XENPV)) {
1690 pr_err("%s selected but running as XenPV guest. Switching to AUTO select\n",
1691 mitigation_options[i].option);
1692 return SPECTRE_V2_CMD_AUTO;
1693 }
1694
1695 spec_v2_print_cond(mitigation_options[i].option,
1696 mitigation_options[i].secure);
1697 return cmd;
1698 }
1699
spectre_v2_select_retpoline(void)1700 static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void)
1701 {
1702 if (!IS_ENABLED(CONFIG_RETPOLINE)) {
1703 pr_err("Kernel not compiled with retpoline; no mitigation available!");
1704 return SPECTRE_V2_NONE;
1705 }
1706
1707 return SPECTRE_V2_RETPOLINE;
1708 }
1709
1710 static bool __ro_after_init rrsba_disabled;
1711
1712 /* Disable in-kernel use of non-RSB RET predictors */
spec_ctrl_disable_kernel_rrsba(void)1713 static void __init spec_ctrl_disable_kernel_rrsba(void)
1714 {
1715 if (rrsba_disabled)
1716 return;
1717
1718 if (!(x86_arch_cap_msr & ARCH_CAP_RRSBA)) {
1719 rrsba_disabled = true;
1720 return;
1721 }
1722
1723 if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL))
1724 return;
1725
1726 x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S;
1727 update_spec_ctrl(x86_spec_ctrl_base);
1728 rrsba_disabled = true;
1729 }
1730
spectre_v2_select_rsb_mitigation(enum spectre_v2_mitigation mode)1731 static void __init spectre_v2_select_rsb_mitigation(enum spectre_v2_mitigation mode)
1732 {
1733 /*
1734 * Similar to context switches, there are two types of RSB attacks
1735 * after VM exit:
1736 *
1737 * 1) RSB underflow
1738 *
1739 * 2) Poisoned RSB entry
1740 *
1741 * When retpoline is enabled, both are mitigated by filling/clearing
1742 * the RSB.
1743 *
1744 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
1745 * prediction isolation protections, RSB still needs to be cleared
1746 * because of #2. Note that SMEP provides no protection here, unlike
1747 * user-space-poisoned RSB entries.
1748 *
1749 * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB
1750 * bug is present then a LITE version of RSB protection is required,
1751 * just a single call needs to retire before a RET is executed.
1752 */
1753 switch (mode) {
1754 case SPECTRE_V2_NONE:
1755 break;
1756
1757 case SPECTRE_V2_EIBRS:
1758 case SPECTRE_V2_EIBRS_LFENCE:
1759 case SPECTRE_V2_EIBRS_RETPOLINE:
1760 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
1761 pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
1762 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
1763 }
1764 break;
1765
1766 case SPECTRE_V2_RETPOLINE:
1767 case SPECTRE_V2_LFENCE:
1768 case SPECTRE_V2_IBRS:
1769 pr_info("Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT\n");
1770 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
1771 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
1772 break;
1773
1774 default:
1775 pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation\n");
1776 dump_stack();
1777 break;
1778 }
1779 }
1780
1781 /*
1782 * Set BHI_DIS_S to prevent indirect branches in kernel to be influenced by
1783 * branch history in userspace. Not needed if BHI_NO is set.
1784 */
spec_ctrl_bhi_dis(void)1785 static bool __init spec_ctrl_bhi_dis(void)
1786 {
1787 if (!boot_cpu_has(X86_FEATURE_BHI_CTRL))
1788 return false;
1789
1790 x86_spec_ctrl_base |= SPEC_CTRL_BHI_DIS_S;
1791 update_spec_ctrl(x86_spec_ctrl_base);
1792 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_HW);
1793
1794 return true;
1795 }
1796
1797 enum bhi_mitigations {
1798 BHI_MITIGATION_OFF,
1799 BHI_MITIGATION_ON,
1800 };
1801
1802 static enum bhi_mitigations bhi_mitigation __ro_after_init =
1803 IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI) ? BHI_MITIGATION_ON : BHI_MITIGATION_OFF;
1804
spectre_bhi_parse_cmdline(char * str)1805 static int __init spectre_bhi_parse_cmdline(char *str)
1806 {
1807 if (!str)
1808 return -EINVAL;
1809
1810 if (!strcmp(str, "off"))
1811 bhi_mitigation = BHI_MITIGATION_OFF;
1812 else if (!strcmp(str, "on"))
1813 bhi_mitigation = BHI_MITIGATION_ON;
1814 else
1815 pr_err("Ignoring unknown spectre_bhi option (%s)", str);
1816
1817 return 0;
1818 }
1819 early_param("spectre_bhi", spectre_bhi_parse_cmdline);
1820
bhi_select_mitigation(void)1821 static void __init bhi_select_mitigation(void)
1822 {
1823 if (bhi_mitigation == BHI_MITIGATION_OFF)
1824 return;
1825
1826 /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */
1827 if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
1828 !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE)) {
1829 spec_ctrl_disable_kernel_rrsba();
1830 if (rrsba_disabled)
1831 return;
1832 }
1833
1834 if (!IS_ENABLED(CONFIG_X86_64))
1835 return;
1836
1837 /* Mitigate in hardware if supported */
1838 if (spec_ctrl_bhi_dis())
1839 return;
1840
1841 /* Mitigate KVM by default */
1842 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT);
1843 pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n");
1844
1845 /* Mitigate syscalls when the mitigation is forced =on */
1846 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP);
1847 pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n");
1848 }
1849
spectre_v2_select_mitigation(void)1850 static void __init spectre_v2_select_mitigation(void)
1851 {
1852 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
1853 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
1854
1855 /*
1856 * If the CPU is not affected and the command line mode is NONE or AUTO
1857 * then nothing to do.
1858 */
1859 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
1860 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
1861 return;
1862
1863 switch (cmd) {
1864 case SPECTRE_V2_CMD_NONE:
1865 return;
1866
1867 case SPECTRE_V2_CMD_FORCE:
1868 case SPECTRE_V2_CMD_AUTO:
1869 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1870 mode = SPECTRE_V2_EIBRS;
1871 break;
1872 }
1873
1874 if (IS_ENABLED(CONFIG_CPU_IBRS_ENTRY) &&
1875 boot_cpu_has_bug(X86_BUG_RETBLEED) &&
1876 retbleed_cmd != RETBLEED_CMD_OFF &&
1877 retbleed_cmd != RETBLEED_CMD_STUFF &&
1878 boot_cpu_has(X86_FEATURE_IBRS) &&
1879 boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
1880 mode = SPECTRE_V2_IBRS;
1881 break;
1882 }
1883
1884 mode = spectre_v2_select_retpoline();
1885 break;
1886
1887 case SPECTRE_V2_CMD_RETPOLINE_LFENCE:
1888 pr_err(SPECTRE_V2_LFENCE_MSG);
1889 mode = SPECTRE_V2_LFENCE;
1890 break;
1891
1892 case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
1893 mode = SPECTRE_V2_RETPOLINE;
1894 break;
1895
1896 case SPECTRE_V2_CMD_RETPOLINE:
1897 mode = spectre_v2_select_retpoline();
1898 break;
1899
1900 case SPECTRE_V2_CMD_IBRS:
1901 mode = SPECTRE_V2_IBRS;
1902 break;
1903
1904 case SPECTRE_V2_CMD_EIBRS:
1905 mode = SPECTRE_V2_EIBRS;
1906 break;
1907
1908 case SPECTRE_V2_CMD_EIBRS_LFENCE:
1909 mode = SPECTRE_V2_EIBRS_LFENCE;
1910 break;
1911
1912 case SPECTRE_V2_CMD_EIBRS_RETPOLINE:
1913 mode = SPECTRE_V2_EIBRS_RETPOLINE;
1914 break;
1915 }
1916
1917 if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
1918 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
1919
1920 if (spectre_v2_in_ibrs_mode(mode)) {
1921 if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
1922 msr_set_bit(MSR_EFER, _EFER_AUTOIBRS);
1923 } else {
1924 x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
1925 update_spec_ctrl(x86_spec_ctrl_base);
1926 }
1927 }
1928
1929 switch (mode) {
1930 case SPECTRE_V2_NONE:
1931 case SPECTRE_V2_EIBRS:
1932 break;
1933
1934 case SPECTRE_V2_IBRS:
1935 setup_force_cpu_cap(X86_FEATURE_KERNEL_IBRS);
1936 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED))
1937 pr_warn(SPECTRE_V2_IBRS_PERF_MSG);
1938 break;
1939
1940 case SPECTRE_V2_LFENCE:
1941 case SPECTRE_V2_EIBRS_LFENCE:
1942 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE);
1943 fallthrough;
1944
1945 case SPECTRE_V2_RETPOLINE:
1946 case SPECTRE_V2_EIBRS_RETPOLINE:
1947 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
1948 break;
1949 }
1950
1951 /*
1952 * Disable alternate RSB predictions in kernel when indirect CALLs and
1953 * JMPs gets protection against BHI and Intramode-BTI, but RET
1954 * prediction from a non-RSB predictor is still a risk.
1955 */
1956 if (mode == SPECTRE_V2_EIBRS_LFENCE ||
1957 mode == SPECTRE_V2_EIBRS_RETPOLINE ||
1958 mode == SPECTRE_V2_RETPOLINE)
1959 spec_ctrl_disable_kernel_rrsba();
1960
1961 if (boot_cpu_has(X86_BUG_BHI))
1962 bhi_select_mitigation();
1963
1964 spectre_v2_enabled = mode;
1965 pr_info("%s\n", spectre_v2_strings[mode]);
1966
1967 /*
1968 * If Spectre v2 protection has been enabled, fill the RSB during a
1969 * context switch. In general there are two types of RSB attacks
1970 * across context switches, for which the CALLs/RETs may be unbalanced.
1971 *
1972 * 1) RSB underflow
1973 *
1974 * Some Intel parts have "bottomless RSB". When the RSB is empty,
1975 * speculated return targets may come from the branch predictor,
1976 * which could have a user-poisoned BTB or BHB entry.
1977 *
1978 * AMD has it even worse: *all* returns are speculated from the BTB,
1979 * regardless of the state of the RSB.
1980 *
1981 * When IBRS or eIBRS is enabled, the "user -> kernel" attack
1982 * scenario is mitigated by the IBRS branch prediction isolation
1983 * properties, so the RSB buffer filling wouldn't be necessary to
1984 * protect against this type of attack.
1985 *
1986 * The "user -> user" attack scenario is mitigated by RSB filling.
1987 *
1988 * 2) Poisoned RSB entry
1989 *
1990 * If the 'next' in-kernel return stack is shorter than 'prev',
1991 * 'next' could be tricked into speculating with a user-poisoned RSB
1992 * entry.
1993 *
1994 * The "user -> kernel" attack scenario is mitigated by SMEP and
1995 * eIBRS.
1996 *
1997 * The "user -> user" scenario, also known as SpectreBHB, requires
1998 * RSB clearing.
1999 *
2000 * So to mitigate all cases, unconditionally fill RSB on context
2001 * switches.
2002 *
2003 * FIXME: Is this pointless for retbleed-affected AMD?
2004 */
2005 spectre_v2_select_rsb_mitigation(mode);
2006
2007 /*
2008 * Retpoline protects the kernel, but doesn't protect firmware. IBRS
2009 * and Enhanced IBRS protect firmware too, so enable IBRS around
2010 * firmware calls only when IBRS / Enhanced / Automatic IBRS aren't
2011 * otherwise enabled.
2012 *
2013 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
2014 * the user might select retpoline on the kernel command line and if
2015 * the CPU supports Enhanced IBRS, kernel might un-intentionally not
2016 * enable IBRS around firmware calls.
2017 */
2018 if (boot_cpu_has_bug(X86_BUG_RETBLEED) &&
2019 boot_cpu_has(X86_FEATURE_IBPB) &&
2020 (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
2021 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)) {
2022
2023 if (retbleed_cmd != RETBLEED_CMD_IBPB) {
2024 setup_force_cpu_cap(X86_FEATURE_USE_IBPB_FW);
2025 pr_info("Enabling Speculation Barrier for firmware calls\n");
2026 }
2027
2028 } else if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_ibrs_mode(mode)) {
2029 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
2030 pr_info("Enabling Restricted Speculation for firmware calls\n");
2031 }
2032
2033 /* Set up IBPB and STIBP depending on the general spectre V2 command */
2034 spectre_v2_cmd = cmd;
2035 }
2036
update_stibp_msr(void * __unused)2037 static void update_stibp_msr(void * __unused)
2038 {
2039 u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP);
2040 update_spec_ctrl(val);
2041 }
2042
2043 /* Update x86_spec_ctrl_base in case SMT state changed. */
update_stibp_strict(void)2044 static void update_stibp_strict(void)
2045 {
2046 u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP;
2047
2048 if (sched_smt_active())
2049 mask |= SPEC_CTRL_STIBP;
2050
2051 if (mask == x86_spec_ctrl_base)
2052 return;
2053
2054 pr_info("Update user space SMT mitigation: STIBP %s\n",
2055 mask & SPEC_CTRL_STIBP ? "always-on" : "off");
2056 x86_spec_ctrl_base = mask;
2057 on_each_cpu(update_stibp_msr, NULL, 1);
2058 }
2059
2060 /* Update the static key controlling the evaluation of TIF_SPEC_IB */
update_indir_branch_cond(void)2061 static void update_indir_branch_cond(void)
2062 {
2063 if (sched_smt_active())
2064 static_branch_enable(&switch_to_cond_stibp);
2065 else
2066 static_branch_disable(&switch_to_cond_stibp);
2067 }
2068
2069 #undef pr_fmt
2070 #define pr_fmt(fmt) fmt
2071
2072 /* Update the static key controlling the MDS CPU buffer clear in idle */
update_mds_branch_idle(void)2073 static void update_mds_branch_idle(void)
2074 {
2075 /*
2076 * Enable the idle clearing if SMT is active on CPUs which are
2077 * affected only by MSBDS and not any other MDS variant.
2078 *
2079 * The other variants cannot be mitigated when SMT is enabled, so
2080 * clearing the buffers on idle just to prevent the Store Buffer
2081 * repartitioning leak would be a window dressing exercise.
2082 */
2083 if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY))
2084 return;
2085
2086 if (sched_smt_active()) {
2087 static_branch_enable(&cpu_buf_idle_clear);
2088 } else if (mmio_mitigation == MMIO_MITIGATION_OFF ||
2089 (x86_arch_cap_msr & ARCH_CAP_FBSDP_NO)) {
2090 static_branch_disable(&cpu_buf_idle_clear);
2091 }
2092 }
2093
2094 #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
2095 #define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n"
2096 #define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.\n"
2097
2098 #undef pr_fmt
2099 #define pr_fmt(fmt) "Transient Scheduler Attacks: " fmt
2100
2101 enum tsa_mitigations {
2102 TSA_MITIGATION_NONE,
2103 TSA_MITIGATION_UCODE_NEEDED,
2104 TSA_MITIGATION_USER_KERNEL,
2105 TSA_MITIGATION_VM,
2106 TSA_MITIGATION_FULL,
2107 };
2108
2109 static const char * const tsa_strings[] = {
2110 [TSA_MITIGATION_NONE] = "Vulnerable",
2111 [TSA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
2112 [TSA_MITIGATION_USER_KERNEL] = "Mitigation: Clear CPU buffers: user/kernel boundary",
2113 [TSA_MITIGATION_VM] = "Mitigation: Clear CPU buffers: VM",
2114 [TSA_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
2115 };
2116
2117 static enum tsa_mitigations tsa_mitigation __ro_after_init =
2118 IS_ENABLED(CONFIG_MITIGATION_TSA) ? TSA_MITIGATION_FULL : TSA_MITIGATION_NONE;
2119
tsa_parse_cmdline(char * str)2120 static int __init tsa_parse_cmdline(char *str)
2121 {
2122 if (!str)
2123 return -EINVAL;
2124
2125 if (!strcmp(str, "off"))
2126 tsa_mitigation = TSA_MITIGATION_NONE;
2127 else if (!strcmp(str, "on"))
2128 tsa_mitigation = TSA_MITIGATION_FULL;
2129 else if (!strcmp(str, "user"))
2130 tsa_mitigation = TSA_MITIGATION_USER_KERNEL;
2131 else if (!strcmp(str, "vm"))
2132 tsa_mitigation = TSA_MITIGATION_VM;
2133 else
2134 pr_err("Ignoring unknown tsa=%s option.\n", str);
2135
2136 return 0;
2137 }
2138 early_param("tsa", tsa_parse_cmdline);
2139
tsa_select_mitigation(void)2140 static void __init tsa_select_mitigation(void)
2141 {
2142 if (tsa_mitigation == TSA_MITIGATION_NONE)
2143 return;
2144
2145 if (cpu_mitigations_off() || !boot_cpu_has_bug(X86_BUG_TSA)) {
2146 tsa_mitigation = TSA_MITIGATION_NONE;
2147 return;
2148 }
2149
2150 if (!boot_cpu_has(X86_FEATURE_VERW_CLEAR))
2151 tsa_mitigation = TSA_MITIGATION_UCODE_NEEDED;
2152
2153 switch (tsa_mitigation) {
2154 case TSA_MITIGATION_USER_KERNEL:
2155 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
2156 break;
2157
2158 case TSA_MITIGATION_VM:
2159 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF_VM);
2160 break;
2161
2162 case TSA_MITIGATION_UCODE_NEEDED:
2163 if (!boot_cpu_has(X86_FEATURE_HYPERVISOR))
2164 goto out;
2165
2166 pr_notice("Forcing mitigation on in a VM\n");
2167
2168 /*
2169 * On the off-chance that microcode has been updated
2170 * on the host, enable the mitigation in the guest just
2171 * in case.
2172 */
2173 fallthrough;
2174 case TSA_MITIGATION_FULL:
2175 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
2176 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF_VM);
2177 break;
2178 default:
2179 break;
2180 }
2181
2182 out:
2183 pr_info("%s\n", tsa_strings[tsa_mitigation]);
2184 }
2185
cpu_bugs_smt_update(void)2186 void cpu_bugs_smt_update(void)
2187 {
2188 mutex_lock(&spec_ctrl_mutex);
2189
2190 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
2191 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
2192 pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
2193
2194 switch (spectre_v2_user_stibp) {
2195 case SPECTRE_V2_USER_NONE:
2196 break;
2197 case SPECTRE_V2_USER_STRICT:
2198 case SPECTRE_V2_USER_STRICT_PREFERRED:
2199 update_stibp_strict();
2200 break;
2201 case SPECTRE_V2_USER_PRCTL:
2202 case SPECTRE_V2_USER_SECCOMP:
2203 update_indir_branch_cond();
2204 break;
2205 }
2206
2207 switch (mds_mitigation) {
2208 case MDS_MITIGATION_FULL:
2209 case MDS_MITIGATION_VMWERV:
2210 if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
2211 pr_warn_once(MDS_MSG_SMT);
2212 update_mds_branch_idle();
2213 break;
2214 case MDS_MITIGATION_OFF:
2215 break;
2216 }
2217
2218 switch (taa_mitigation) {
2219 case TAA_MITIGATION_VERW:
2220 case TAA_MITIGATION_UCODE_NEEDED:
2221 if (sched_smt_active())
2222 pr_warn_once(TAA_MSG_SMT);
2223 break;
2224 case TAA_MITIGATION_TSX_DISABLED:
2225 case TAA_MITIGATION_OFF:
2226 break;
2227 }
2228
2229 switch (mmio_mitigation) {
2230 case MMIO_MITIGATION_VERW:
2231 case MMIO_MITIGATION_UCODE_NEEDED:
2232 if (sched_smt_active())
2233 pr_warn_once(MMIO_MSG_SMT);
2234 break;
2235 case MMIO_MITIGATION_OFF:
2236 break;
2237 }
2238
2239 switch (tsa_mitigation) {
2240 case TSA_MITIGATION_USER_KERNEL:
2241 case TSA_MITIGATION_VM:
2242 case TSA_MITIGATION_FULL:
2243 case TSA_MITIGATION_UCODE_NEEDED:
2244 /*
2245 * TSA-SQ can potentially lead to info leakage between
2246 * SMT threads.
2247 */
2248 if (sched_smt_active())
2249 static_branch_enable(&cpu_buf_idle_clear);
2250 else
2251 static_branch_disable(&cpu_buf_idle_clear);
2252 break;
2253 case TSA_MITIGATION_NONE:
2254 break;
2255 }
2256
2257 mutex_unlock(&spec_ctrl_mutex);
2258 }
2259
2260 #undef pr_fmt
2261 #define pr_fmt(fmt) "Speculative Store Bypass: " fmt
2262
2263 static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
2264
2265 /* The kernel command line selection */
2266 enum ssb_mitigation_cmd {
2267 SPEC_STORE_BYPASS_CMD_NONE,
2268 SPEC_STORE_BYPASS_CMD_AUTO,
2269 SPEC_STORE_BYPASS_CMD_ON,
2270 SPEC_STORE_BYPASS_CMD_PRCTL,
2271 SPEC_STORE_BYPASS_CMD_SECCOMP,
2272 };
2273
2274 static const char * const ssb_strings[] = {
2275 [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
2276 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
2277 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
2278 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
2279 };
2280
2281 static const struct {
2282 const char *option;
2283 enum ssb_mitigation_cmd cmd;
2284 } ssb_mitigation_options[] __initconst = {
2285 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
2286 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
2287 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
2288 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
2289 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
2290 };
2291
ssb_parse_cmdline(void)2292 static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
2293 {
2294 enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
2295 char arg[20];
2296 int ret, i;
2297
2298 if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
2299 cpu_mitigations_off()) {
2300 return SPEC_STORE_BYPASS_CMD_NONE;
2301 } else {
2302 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
2303 arg, sizeof(arg));
2304 if (ret < 0)
2305 return SPEC_STORE_BYPASS_CMD_AUTO;
2306
2307 for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
2308 if (!match_option(arg, ret, ssb_mitigation_options[i].option))
2309 continue;
2310
2311 cmd = ssb_mitigation_options[i].cmd;
2312 break;
2313 }
2314
2315 if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
2316 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
2317 return SPEC_STORE_BYPASS_CMD_AUTO;
2318 }
2319 }
2320
2321 return cmd;
2322 }
2323
__ssb_select_mitigation(void)2324 static enum ssb_mitigation __init __ssb_select_mitigation(void)
2325 {
2326 enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
2327 enum ssb_mitigation_cmd cmd;
2328
2329 if (!boot_cpu_has(X86_FEATURE_SSBD))
2330 return mode;
2331
2332 cmd = ssb_parse_cmdline();
2333 if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
2334 (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
2335 cmd == SPEC_STORE_BYPASS_CMD_AUTO))
2336 return mode;
2337
2338 switch (cmd) {
2339 case SPEC_STORE_BYPASS_CMD_SECCOMP:
2340 /*
2341 * Choose prctl+seccomp as the default mode if seccomp is
2342 * enabled.
2343 */
2344 if (IS_ENABLED(CONFIG_SECCOMP))
2345 mode = SPEC_STORE_BYPASS_SECCOMP;
2346 else
2347 mode = SPEC_STORE_BYPASS_PRCTL;
2348 break;
2349 case SPEC_STORE_BYPASS_CMD_ON:
2350 mode = SPEC_STORE_BYPASS_DISABLE;
2351 break;
2352 case SPEC_STORE_BYPASS_CMD_AUTO:
2353 case SPEC_STORE_BYPASS_CMD_PRCTL:
2354 mode = SPEC_STORE_BYPASS_PRCTL;
2355 break;
2356 case SPEC_STORE_BYPASS_CMD_NONE:
2357 break;
2358 }
2359
2360 /*
2361 * We have three CPU feature flags that are in play here:
2362 * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
2363 * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
2364 * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
2365 */
2366 if (mode == SPEC_STORE_BYPASS_DISABLE) {
2367 setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
2368 /*
2369 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
2370 * use a completely different MSR and bit dependent on family.
2371 */
2372 if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
2373 !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
2374 x86_amd_ssb_disable();
2375 } else {
2376 x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
2377 update_spec_ctrl(x86_spec_ctrl_base);
2378 }
2379 }
2380
2381 return mode;
2382 }
2383
ssb_select_mitigation(void)2384 static void ssb_select_mitigation(void)
2385 {
2386 ssb_mode = __ssb_select_mitigation();
2387
2388 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
2389 pr_info("%s\n", ssb_strings[ssb_mode]);
2390 }
2391
2392 #undef pr_fmt
2393 #define pr_fmt(fmt) "Speculation prctl: " fmt
2394
task_update_spec_tif(struct task_struct * tsk)2395 static void task_update_spec_tif(struct task_struct *tsk)
2396 {
2397 /* Force the update of the real TIF bits */
2398 set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE);
2399
2400 /*
2401 * Immediately update the speculation control MSRs for the current
2402 * task, but for a non-current task delay setting the CPU
2403 * mitigation until it is scheduled next.
2404 *
2405 * This can only happen for SECCOMP mitigation. For PRCTL it's
2406 * always the current task.
2407 */
2408 if (tsk == current)
2409 speculation_ctrl_update_current();
2410 }
2411
l1d_flush_prctl_set(struct task_struct * task,unsigned long ctrl)2412 static int l1d_flush_prctl_set(struct task_struct *task, unsigned long ctrl)
2413 {
2414
2415 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
2416 return -EPERM;
2417
2418 switch (ctrl) {
2419 case PR_SPEC_ENABLE:
2420 set_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
2421 return 0;
2422 case PR_SPEC_DISABLE:
2423 clear_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
2424 return 0;
2425 default:
2426 return -ERANGE;
2427 }
2428 }
2429
ssb_prctl_set(struct task_struct * task,unsigned long ctrl)2430 static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
2431 {
2432 if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
2433 ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
2434 return -ENXIO;
2435
2436 switch (ctrl) {
2437 case PR_SPEC_ENABLE:
2438 /* If speculation is force disabled, enable is not allowed */
2439 if (task_spec_ssb_force_disable(task))
2440 return -EPERM;
2441 task_clear_spec_ssb_disable(task);
2442 task_clear_spec_ssb_noexec(task);
2443 task_update_spec_tif(task);
2444 break;
2445 case PR_SPEC_DISABLE:
2446 task_set_spec_ssb_disable(task);
2447 task_clear_spec_ssb_noexec(task);
2448 task_update_spec_tif(task);
2449 break;
2450 case PR_SPEC_FORCE_DISABLE:
2451 task_set_spec_ssb_disable(task);
2452 task_set_spec_ssb_force_disable(task);
2453 task_clear_spec_ssb_noexec(task);
2454 task_update_spec_tif(task);
2455 break;
2456 case PR_SPEC_DISABLE_NOEXEC:
2457 if (task_spec_ssb_force_disable(task))
2458 return -EPERM;
2459 task_set_spec_ssb_disable(task);
2460 task_set_spec_ssb_noexec(task);
2461 task_update_spec_tif(task);
2462 break;
2463 default:
2464 return -ERANGE;
2465 }
2466 return 0;
2467 }
2468
is_spec_ib_user_controlled(void)2469 static bool is_spec_ib_user_controlled(void)
2470 {
2471 return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL ||
2472 spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
2473 spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL ||
2474 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP;
2475 }
2476
ib_prctl_set(struct task_struct * task,unsigned long ctrl)2477 static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
2478 {
2479 switch (ctrl) {
2480 case PR_SPEC_ENABLE:
2481 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
2482 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
2483 return 0;
2484
2485 /*
2486 * With strict mode for both IBPB and STIBP, the instruction
2487 * code paths avoid checking this task flag and instead,
2488 * unconditionally run the instruction. However, STIBP and IBPB
2489 * are independent and either can be set to conditionally
2490 * enabled regardless of the mode of the other.
2491 *
2492 * If either is set to conditional, allow the task flag to be
2493 * updated, unless it was force-disabled by a previous prctl
2494 * call. Currently, this is possible on an AMD CPU which has the
2495 * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the
2496 * kernel is booted with 'spectre_v2_user=seccomp', then
2497 * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and
2498 * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED.
2499 */
2500 if (!is_spec_ib_user_controlled() ||
2501 task_spec_ib_force_disable(task))
2502 return -EPERM;
2503
2504 task_clear_spec_ib_disable(task);
2505 task_update_spec_tif(task);
2506 break;
2507 case PR_SPEC_DISABLE:
2508 case PR_SPEC_FORCE_DISABLE:
2509 /*
2510 * Indirect branch speculation is always allowed when
2511 * mitigation is force disabled.
2512 */
2513 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
2514 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
2515 return -EPERM;
2516
2517 if (!is_spec_ib_user_controlled())
2518 return 0;
2519
2520 task_set_spec_ib_disable(task);
2521 if (ctrl == PR_SPEC_FORCE_DISABLE)
2522 task_set_spec_ib_force_disable(task);
2523 task_update_spec_tif(task);
2524 if (task == current)
2525 indirect_branch_prediction_barrier();
2526 break;
2527 default:
2528 return -ERANGE;
2529 }
2530 return 0;
2531 }
2532
arch_prctl_spec_ctrl_set(struct task_struct * task,unsigned long which,unsigned long ctrl)2533 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
2534 unsigned long ctrl)
2535 {
2536 switch (which) {
2537 case PR_SPEC_STORE_BYPASS:
2538 return ssb_prctl_set(task, ctrl);
2539 case PR_SPEC_INDIRECT_BRANCH:
2540 return ib_prctl_set(task, ctrl);
2541 case PR_SPEC_L1D_FLUSH:
2542 return l1d_flush_prctl_set(task, ctrl);
2543 default:
2544 return -ENODEV;
2545 }
2546 }
2547
2548 #ifdef CONFIG_SECCOMP
arch_seccomp_spec_mitigate(struct task_struct * task)2549 void arch_seccomp_spec_mitigate(struct task_struct *task)
2550 {
2551 if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
2552 ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
2553 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
2554 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP)
2555 ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
2556 }
2557 #endif
2558
l1d_flush_prctl_get(struct task_struct * task)2559 static int l1d_flush_prctl_get(struct task_struct *task)
2560 {
2561 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
2562 return PR_SPEC_FORCE_DISABLE;
2563
2564 if (test_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH))
2565 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2566 else
2567 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2568 }
2569
ssb_prctl_get(struct task_struct * task)2570 static int ssb_prctl_get(struct task_struct *task)
2571 {
2572 switch (ssb_mode) {
2573 case SPEC_STORE_BYPASS_DISABLE:
2574 return PR_SPEC_DISABLE;
2575 case SPEC_STORE_BYPASS_SECCOMP:
2576 case SPEC_STORE_BYPASS_PRCTL:
2577 if (task_spec_ssb_force_disable(task))
2578 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
2579 if (task_spec_ssb_noexec(task))
2580 return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
2581 if (task_spec_ssb_disable(task))
2582 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2583 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2584 default:
2585 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
2586 return PR_SPEC_ENABLE;
2587 return PR_SPEC_NOT_AFFECTED;
2588 }
2589 }
2590
ib_prctl_get(struct task_struct * task)2591 static int ib_prctl_get(struct task_struct *task)
2592 {
2593 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
2594 return PR_SPEC_NOT_AFFECTED;
2595
2596 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
2597 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
2598 return PR_SPEC_ENABLE;
2599 else if (is_spec_ib_user_controlled()) {
2600 if (task_spec_ib_force_disable(task))
2601 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
2602 if (task_spec_ib_disable(task))
2603 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2604 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2605 } else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
2606 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
2607 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED)
2608 return PR_SPEC_DISABLE;
2609 else
2610 return PR_SPEC_NOT_AFFECTED;
2611 }
2612
arch_prctl_spec_ctrl_get(struct task_struct * task,unsigned long which)2613 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
2614 {
2615 switch (which) {
2616 case PR_SPEC_STORE_BYPASS:
2617 return ssb_prctl_get(task);
2618 case PR_SPEC_INDIRECT_BRANCH:
2619 return ib_prctl_get(task);
2620 case PR_SPEC_L1D_FLUSH:
2621 return l1d_flush_prctl_get(task);
2622 default:
2623 return -ENODEV;
2624 }
2625 }
2626
x86_spec_ctrl_setup_ap(void)2627 void x86_spec_ctrl_setup_ap(void)
2628 {
2629 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
2630 update_spec_ctrl(x86_spec_ctrl_base);
2631
2632 if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
2633 x86_amd_ssb_disable();
2634 }
2635
2636 bool itlb_multihit_kvm_mitigation;
2637 EXPORT_SYMBOL_GPL(itlb_multihit_kvm_mitigation);
2638
2639 #undef pr_fmt
2640 #define pr_fmt(fmt) "L1TF: " fmt
2641
2642 /* Default mitigation for L1TF-affected CPUs */
2643 enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
2644 #if IS_ENABLED(CONFIG_KVM_INTEL)
2645 EXPORT_SYMBOL_GPL(l1tf_mitigation);
2646 #endif
2647 enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
2648 EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
2649
2650 /*
2651 * These CPUs all support 44bits physical address space internally in the
2652 * cache but CPUID can report a smaller number of physical address bits.
2653 *
2654 * The L1TF mitigation uses the top most address bit for the inversion of
2655 * non present PTEs. When the installed memory reaches into the top most
2656 * address bit due to memory holes, which has been observed on machines
2657 * which report 36bits physical address bits and have 32G RAM installed,
2658 * then the mitigation range check in l1tf_select_mitigation() triggers.
2659 * This is a false positive because the mitigation is still possible due to
2660 * the fact that the cache uses 44bit internally. Use the cache bits
2661 * instead of the reported physical bits and adjust them on the affected
2662 * machines to 44bit if the reported bits are less than 44.
2663 */
override_cache_bits(struct cpuinfo_x86 * c)2664 static void override_cache_bits(struct cpuinfo_x86 *c)
2665 {
2666 if (c->x86 != 6)
2667 return;
2668
2669 switch (c->x86_model) {
2670 case INTEL_FAM6_NEHALEM:
2671 case INTEL_FAM6_WESTMERE:
2672 case INTEL_FAM6_SANDYBRIDGE:
2673 case INTEL_FAM6_IVYBRIDGE:
2674 case INTEL_FAM6_HASWELL:
2675 case INTEL_FAM6_HASWELL_L:
2676 case INTEL_FAM6_HASWELL_G:
2677 case INTEL_FAM6_BROADWELL:
2678 case INTEL_FAM6_BROADWELL_G:
2679 case INTEL_FAM6_SKYLAKE_L:
2680 case INTEL_FAM6_SKYLAKE:
2681 case INTEL_FAM6_KABYLAKE_L:
2682 case INTEL_FAM6_KABYLAKE:
2683 if (c->x86_cache_bits < 44)
2684 c->x86_cache_bits = 44;
2685 break;
2686 }
2687 }
2688
l1tf_select_mitigation(void)2689 static void __init l1tf_select_mitigation(void)
2690 {
2691 u64 half_pa;
2692
2693 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2694 return;
2695
2696 if (cpu_mitigations_off())
2697 l1tf_mitigation = L1TF_MITIGATION_OFF;
2698 else if (cpu_mitigations_auto_nosmt())
2699 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2700
2701 override_cache_bits(&boot_cpu_data);
2702
2703 switch (l1tf_mitigation) {
2704 case L1TF_MITIGATION_OFF:
2705 case L1TF_MITIGATION_FLUSH_NOWARN:
2706 case L1TF_MITIGATION_FLUSH:
2707 break;
2708 case L1TF_MITIGATION_FLUSH_NOSMT:
2709 case L1TF_MITIGATION_FULL:
2710 cpu_smt_disable(false);
2711 break;
2712 case L1TF_MITIGATION_FULL_FORCE:
2713 cpu_smt_disable(true);
2714 break;
2715 }
2716
2717 #if CONFIG_PGTABLE_LEVELS == 2
2718 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
2719 return;
2720 #endif
2721
2722 half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
2723 if (l1tf_mitigation != L1TF_MITIGATION_OFF &&
2724 e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
2725 pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
2726 pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
2727 half_pa);
2728 pr_info("However, doing so will make a part of your RAM unusable.\n");
2729 pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n");
2730 return;
2731 }
2732
2733 setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
2734 }
2735
l1tf_cmdline(char * str)2736 static int __init l1tf_cmdline(char *str)
2737 {
2738 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2739 return 0;
2740
2741 if (!str)
2742 return -EINVAL;
2743
2744 if (!strcmp(str, "off"))
2745 l1tf_mitigation = L1TF_MITIGATION_OFF;
2746 else if (!strcmp(str, "flush,nowarn"))
2747 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN;
2748 else if (!strcmp(str, "flush"))
2749 l1tf_mitigation = L1TF_MITIGATION_FLUSH;
2750 else if (!strcmp(str, "flush,nosmt"))
2751 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2752 else if (!strcmp(str, "full"))
2753 l1tf_mitigation = L1TF_MITIGATION_FULL;
2754 else if (!strcmp(str, "full,force"))
2755 l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;
2756
2757 return 0;
2758 }
2759 early_param("l1tf", l1tf_cmdline);
2760
2761 #undef pr_fmt
2762 #define pr_fmt(fmt) "Speculative Return Stack Overflow: " fmt
2763
2764 enum srso_mitigation {
2765 SRSO_MITIGATION_NONE,
2766 SRSO_MITIGATION_UCODE_NEEDED,
2767 SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED,
2768 SRSO_MITIGATION_MICROCODE,
2769 SRSO_MITIGATION_SAFE_RET,
2770 SRSO_MITIGATION_IBPB,
2771 SRSO_MITIGATION_IBPB_ON_VMEXIT,
2772 };
2773
2774 enum srso_mitigation_cmd {
2775 SRSO_CMD_OFF,
2776 SRSO_CMD_MICROCODE,
2777 SRSO_CMD_SAFE_RET,
2778 SRSO_CMD_IBPB,
2779 SRSO_CMD_IBPB_ON_VMEXIT,
2780 };
2781
2782 static const char * const srso_strings[] = {
2783 [SRSO_MITIGATION_NONE] = "Vulnerable",
2784 [SRSO_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
2785 [SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED] = "Vulnerable: Safe RET, no microcode",
2786 [SRSO_MITIGATION_MICROCODE] = "Vulnerable: Microcode, no safe RET",
2787 [SRSO_MITIGATION_SAFE_RET] = "Mitigation: Safe RET",
2788 [SRSO_MITIGATION_IBPB] = "Mitigation: IBPB",
2789 [SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only"
2790 };
2791
2792 static enum srso_mitigation srso_mitigation __ro_after_init = SRSO_MITIGATION_NONE;
2793 static enum srso_mitigation_cmd srso_cmd __ro_after_init = SRSO_CMD_SAFE_RET;
2794
srso_parse_cmdline(char * str)2795 static int __init srso_parse_cmdline(char *str)
2796 {
2797 if (!str)
2798 return -EINVAL;
2799
2800 if (!strcmp(str, "off"))
2801 srso_cmd = SRSO_CMD_OFF;
2802 else if (!strcmp(str, "microcode"))
2803 srso_cmd = SRSO_CMD_MICROCODE;
2804 else if (!strcmp(str, "safe-ret"))
2805 srso_cmd = SRSO_CMD_SAFE_RET;
2806 else if (!strcmp(str, "ibpb"))
2807 srso_cmd = SRSO_CMD_IBPB;
2808 else if (!strcmp(str, "ibpb-vmexit"))
2809 srso_cmd = SRSO_CMD_IBPB_ON_VMEXIT;
2810 else
2811 pr_err("Ignoring unknown SRSO option (%s).", str);
2812
2813 return 0;
2814 }
2815 early_param("spec_rstack_overflow", srso_parse_cmdline);
2816
2817 #define SRSO_NOTICE "WARNING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options."
2818
srso_select_mitigation(void)2819 static void __init srso_select_mitigation(void)
2820 {
2821 bool has_microcode = boot_cpu_has(X86_FEATURE_IBPB_BRTYPE);
2822
2823 if (!boot_cpu_has_bug(X86_BUG_SRSO) || cpu_mitigations_off())
2824 goto pred_cmd;
2825
2826 if (has_microcode) {
2827 /*
2828 * Zen1/2 with SMT off aren't vulnerable after the right
2829 * IBPB microcode has been applied.
2830 */
2831 if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
2832 setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
2833 return;
2834 }
2835
2836 if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
2837 srso_mitigation = SRSO_MITIGATION_IBPB;
2838 goto out;
2839 }
2840 } else {
2841 pr_warn("IBPB-extending microcode not applied!\n");
2842 pr_warn(SRSO_NOTICE);
2843
2844 /* may be overwritten by SRSO_CMD_SAFE_RET below */
2845 srso_mitigation = SRSO_MITIGATION_UCODE_NEEDED;
2846 }
2847
2848 switch (srso_cmd) {
2849 case SRSO_CMD_OFF:
2850 goto pred_cmd;
2851
2852 case SRSO_CMD_MICROCODE:
2853 if (has_microcode) {
2854 srso_mitigation = SRSO_MITIGATION_MICROCODE;
2855 pr_warn(SRSO_NOTICE);
2856 }
2857 break;
2858
2859 case SRSO_CMD_SAFE_RET:
2860 if (IS_ENABLED(CONFIG_CPU_SRSO)) {
2861 /*
2862 * Enable the return thunk for generated code
2863 * like ftrace, static_call, etc.
2864 */
2865 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
2866 setup_force_cpu_cap(X86_FEATURE_UNRET);
2867
2868 if (boot_cpu_data.x86 == 0x19) {
2869 setup_force_cpu_cap(X86_FEATURE_SRSO_ALIAS);
2870 set_return_thunk(srso_alias_return_thunk);
2871 } else {
2872 setup_force_cpu_cap(X86_FEATURE_SRSO);
2873 set_return_thunk(srso_return_thunk);
2874 }
2875 if (has_microcode)
2876 srso_mitigation = SRSO_MITIGATION_SAFE_RET;
2877 else
2878 srso_mitigation = SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED;
2879 } else {
2880 pr_err("WARNING: kernel not compiled with CPU_SRSO.\n");
2881 goto pred_cmd;
2882 }
2883 break;
2884
2885 case SRSO_CMD_IBPB:
2886 if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) {
2887 if (has_microcode) {
2888 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
2889 setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
2890 srso_mitigation = SRSO_MITIGATION_IBPB;
2891
2892 /*
2893 * IBPB on entry already obviates the need for
2894 * software-based untraining so clear those in case some
2895 * other mitigation like Retbleed has selected them.
2896 */
2897 setup_clear_cpu_cap(X86_FEATURE_UNRET);
2898 setup_clear_cpu_cap(X86_FEATURE_RETHUNK);
2899
2900 /*
2901 * There is no need for RSB filling: entry_ibpb() ensures
2902 * all predictions, including the RSB, are invalidated,
2903 * regardless of IBPB implementation.
2904 */
2905 setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT);
2906 }
2907 } else {
2908 pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n");
2909 goto pred_cmd;
2910 }
2911 break;
2912
2913 case SRSO_CMD_IBPB_ON_VMEXIT:
2914 if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) {
2915 if (has_microcode) {
2916 setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
2917 srso_mitigation = SRSO_MITIGATION_IBPB_ON_VMEXIT;
2918
2919 /*
2920 * There is no need for RSB filling: entry_ibpb() ensures
2921 * all predictions, including the RSB, are invalidated,
2922 * regardless of IBPB implementation.
2923 */
2924 setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT);
2925 }
2926 } else {
2927 pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n");
2928 goto pred_cmd;
2929 }
2930 break;
2931
2932 default:
2933 break;
2934 }
2935
2936 out:
2937 pr_info("%s\n", srso_strings[srso_mitigation]);
2938
2939 pred_cmd:
2940 if ((!boot_cpu_has_bug(X86_BUG_SRSO) || srso_cmd == SRSO_CMD_OFF) &&
2941 boot_cpu_has(X86_FEATURE_SBPB))
2942 x86_pred_cmd = PRED_CMD_SBPB;
2943 }
2944
2945 #undef pr_fmt
2946 #define pr_fmt(fmt) fmt
2947
2948 #ifdef CONFIG_SYSFS
2949
2950 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
2951
2952 #if IS_ENABLED(CONFIG_KVM_INTEL)
2953 static const char * const l1tf_vmx_states[] = {
2954 [VMENTER_L1D_FLUSH_AUTO] = "auto",
2955 [VMENTER_L1D_FLUSH_NEVER] = "vulnerable",
2956 [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes",
2957 [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes",
2958 [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled",
2959 [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary"
2960 };
2961
l1tf_show_state(char * buf)2962 static ssize_t l1tf_show_state(char *buf)
2963 {
2964 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
2965 return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);
2966
2967 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
2968 (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
2969 sched_smt_active())) {
2970 return sysfs_emit(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
2971 l1tf_vmx_states[l1tf_vmx_mitigation]);
2972 }
2973
2974 return sysfs_emit(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
2975 l1tf_vmx_states[l1tf_vmx_mitigation],
2976 sched_smt_active() ? "vulnerable" : "disabled");
2977 }
2978
itlb_multihit_show_state(char * buf)2979 static ssize_t itlb_multihit_show_state(char *buf)
2980 {
2981 if (!boot_cpu_has(X86_FEATURE_MSR_IA32_FEAT_CTL) ||
2982 !boot_cpu_has(X86_FEATURE_VMX))
2983 return sysfs_emit(buf, "KVM: Mitigation: VMX unsupported\n");
2984 else if (!(cr4_read_shadow() & X86_CR4_VMXE))
2985 return sysfs_emit(buf, "KVM: Mitigation: VMX disabled\n");
2986 else if (itlb_multihit_kvm_mitigation)
2987 return sysfs_emit(buf, "KVM: Mitigation: Split huge pages\n");
2988 else
2989 return sysfs_emit(buf, "KVM: Vulnerable\n");
2990 }
2991 #else
l1tf_show_state(char * buf)2992 static ssize_t l1tf_show_state(char *buf)
2993 {
2994 return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);
2995 }
2996
itlb_multihit_show_state(char * buf)2997 static ssize_t itlb_multihit_show_state(char *buf)
2998 {
2999 return sysfs_emit(buf, "Processor vulnerable\n");
3000 }
3001 #endif
3002
mds_show_state(char * buf)3003 static ssize_t mds_show_state(char *buf)
3004 {
3005 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
3006 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
3007 mds_strings[mds_mitigation]);
3008 }
3009
3010 if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
3011 return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
3012 (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
3013 sched_smt_active() ? "mitigated" : "disabled"));
3014 }
3015
3016 return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
3017 sched_smt_active() ? "vulnerable" : "disabled");
3018 }
3019
tsx_async_abort_show_state(char * buf)3020 static ssize_t tsx_async_abort_show_state(char *buf)
3021 {
3022 if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
3023 (taa_mitigation == TAA_MITIGATION_OFF))
3024 return sysfs_emit(buf, "%s\n", taa_strings[taa_mitigation]);
3025
3026 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
3027 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
3028 taa_strings[taa_mitigation]);
3029 }
3030
3031 return sysfs_emit(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
3032 sched_smt_active() ? "vulnerable" : "disabled");
3033 }
3034
mmio_stale_data_show_state(char * buf)3035 static ssize_t mmio_stale_data_show_state(char *buf)
3036 {
3037 if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
3038 return sysfs_emit(buf, "Unknown: No mitigations\n");
3039
3040 if (mmio_mitigation == MMIO_MITIGATION_OFF)
3041 return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);
3042
3043 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
3044 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
3045 mmio_strings[mmio_mitigation]);
3046 }
3047
3048 return sysfs_emit(buf, "%s; SMT %s\n", mmio_strings[mmio_mitigation],
3049 sched_smt_active() ? "vulnerable" : "disabled");
3050 }
3051
rfds_show_state(char * buf)3052 static ssize_t rfds_show_state(char *buf)
3053 {
3054 return sysfs_emit(buf, "%s\n", rfds_strings[rfds_mitigation]);
3055 }
3056
its_show_state(char * buf)3057 static ssize_t its_show_state(char *buf)
3058 {
3059 return sysfs_emit(buf, "%s\n", its_strings[its_mitigation]);
3060 }
3061
stibp_state(void)3062 static char *stibp_state(void)
3063 {
3064 if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
3065 !boot_cpu_has(X86_FEATURE_AUTOIBRS))
3066 return "";
3067
3068 switch (spectre_v2_user_stibp) {
3069 case SPECTRE_V2_USER_NONE:
3070 return "; STIBP: disabled";
3071 case SPECTRE_V2_USER_STRICT:
3072 return "; STIBP: forced";
3073 case SPECTRE_V2_USER_STRICT_PREFERRED:
3074 return "; STIBP: always-on";
3075 case SPECTRE_V2_USER_PRCTL:
3076 case SPECTRE_V2_USER_SECCOMP:
3077 if (static_key_enabled(&switch_to_cond_stibp))
3078 return "; STIBP: conditional";
3079 }
3080 return "";
3081 }
3082
ibpb_state(void)3083 static char *ibpb_state(void)
3084 {
3085 if (boot_cpu_has(X86_FEATURE_IBPB)) {
3086 if (static_key_enabled(&switch_mm_always_ibpb))
3087 return "; IBPB: always-on";
3088 if (static_key_enabled(&switch_mm_cond_ibpb))
3089 return "; IBPB: conditional";
3090 return "; IBPB: disabled";
3091 }
3092 return "";
3093 }
3094
pbrsb_eibrs_state(void)3095 static char *pbrsb_eibrs_state(void)
3096 {
3097 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
3098 if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
3099 boot_cpu_has(X86_FEATURE_RSB_VMEXIT))
3100 return "; PBRSB-eIBRS: SW sequence";
3101 else
3102 return "; PBRSB-eIBRS: Vulnerable";
3103 } else {
3104 return "; PBRSB-eIBRS: Not affected";
3105 }
3106 }
3107
spectre_bhi_state(void)3108 static const char *spectre_bhi_state(void)
3109 {
3110 if (!boot_cpu_has_bug(X86_BUG_BHI))
3111 return "; BHI: Not affected";
3112 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW))
3113 return "; BHI: BHI_DIS_S";
3114 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP))
3115 return "; BHI: SW loop, KVM: SW loop";
3116 else if (boot_cpu_has(X86_FEATURE_RETPOLINE) &&
3117 !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE) &&
3118 rrsba_disabled)
3119 return "; BHI: Retpoline";
3120 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT))
3121 return "; BHI: Vulnerable, KVM: SW loop";
3122
3123 return "; BHI: Vulnerable";
3124 }
3125
spectre_v2_show_state(char * buf)3126 static ssize_t spectre_v2_show_state(char *buf)
3127 {
3128 if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
3129 return sysfs_emit(buf, "Vulnerable: LFENCE\n");
3130
3131 if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
3132 return sysfs_emit(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
3133
3134 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
3135 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
3136 return sysfs_emit(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
3137
3138 return sysfs_emit(buf, "%s%s%s%s%s%s%s%s\n",
3139 spectre_v2_strings[spectre_v2_enabled],
3140 ibpb_state(),
3141 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? "; IBRS_FW" : "",
3142 stibp_state(),
3143 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? "; RSB filling" : "",
3144 pbrsb_eibrs_state(),
3145 spectre_bhi_state(),
3146 /* this should always be at the end */
3147 spectre_v2_module_string());
3148 }
3149
srbds_show_state(char * buf)3150 static ssize_t srbds_show_state(char *buf)
3151 {
3152 return sysfs_emit(buf, "%s\n", srbds_strings[srbds_mitigation]);
3153 }
3154
retbleed_show_state(char * buf)3155 static ssize_t retbleed_show_state(char *buf)
3156 {
3157 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
3158 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
3159 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
3160 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
3161 return sysfs_emit(buf, "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch\n");
3162
3163 return sysfs_emit(buf, "%s; SMT %s\n", retbleed_strings[retbleed_mitigation],
3164 !sched_smt_active() ? "disabled" :
3165 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
3166 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ?
3167 "enabled with STIBP protection" : "vulnerable");
3168 }
3169
3170 return sysfs_emit(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
3171 }
3172
srso_show_state(char * buf)3173 static ssize_t srso_show_state(char *buf)
3174 {
3175 if (boot_cpu_has(X86_FEATURE_SRSO_NO))
3176 return sysfs_emit(buf, "Mitigation: SMT disabled\n");
3177
3178 return sysfs_emit(buf, "%s\n", srso_strings[srso_mitigation]);
3179 }
3180
gds_show_state(char * buf)3181 static ssize_t gds_show_state(char *buf)
3182 {
3183 return sysfs_emit(buf, "%s\n", gds_strings[gds_mitigation]);
3184 }
3185
tsa_show_state(char * buf)3186 static ssize_t tsa_show_state(char *buf)
3187 {
3188 return sysfs_emit(buf, "%s\n", tsa_strings[tsa_mitigation]);
3189 }
3190
cpu_show_common(struct device * dev,struct device_attribute * attr,char * buf,unsigned int bug)3191 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
3192 char *buf, unsigned int bug)
3193 {
3194 if (!boot_cpu_has_bug(bug))
3195 return sysfs_emit(buf, "Not affected\n");
3196
3197 switch (bug) {
3198 case X86_BUG_CPU_MELTDOWN:
3199 if (boot_cpu_has(X86_FEATURE_PTI))
3200 return sysfs_emit(buf, "Mitigation: PTI\n");
3201
3202 if (hypervisor_is_type(X86_HYPER_XEN_PV))
3203 return sysfs_emit(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");
3204
3205 break;
3206
3207 case X86_BUG_SPECTRE_V1:
3208 return sysfs_emit(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
3209
3210 case X86_BUG_SPECTRE_V2:
3211 return spectre_v2_show_state(buf);
3212
3213 case X86_BUG_SPEC_STORE_BYPASS:
3214 return sysfs_emit(buf, "%s\n", ssb_strings[ssb_mode]);
3215
3216 case X86_BUG_L1TF:
3217 if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
3218 return l1tf_show_state(buf);
3219 break;
3220
3221 case X86_BUG_MDS:
3222 return mds_show_state(buf);
3223
3224 case X86_BUG_TAA:
3225 return tsx_async_abort_show_state(buf);
3226
3227 case X86_BUG_ITLB_MULTIHIT:
3228 return itlb_multihit_show_state(buf);
3229
3230 case X86_BUG_SRBDS:
3231 return srbds_show_state(buf);
3232
3233 case X86_BUG_MMIO_STALE_DATA:
3234 case X86_BUG_MMIO_UNKNOWN:
3235 return mmio_stale_data_show_state(buf);
3236
3237 case X86_BUG_RETBLEED:
3238 return retbleed_show_state(buf);
3239
3240 case X86_BUG_SRSO:
3241 return srso_show_state(buf);
3242
3243 case X86_BUG_GDS:
3244 return gds_show_state(buf);
3245
3246 case X86_BUG_RFDS:
3247 return rfds_show_state(buf);
3248
3249 case X86_BUG_ITS:
3250 return its_show_state(buf);
3251
3252 case X86_BUG_TSA:
3253 return tsa_show_state(buf);
3254
3255 default:
3256 break;
3257 }
3258
3259 return sysfs_emit(buf, "Vulnerable\n");
3260 }
3261
cpu_show_meltdown(struct device * dev,struct device_attribute * attr,char * buf)3262 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
3263 {
3264 return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
3265 }
3266
cpu_show_spectre_v1(struct device * dev,struct device_attribute * attr,char * buf)3267 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
3268 {
3269 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
3270 }
3271
cpu_show_spectre_v2(struct device * dev,struct device_attribute * attr,char * buf)3272 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
3273 {
3274 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
3275 }
3276
cpu_show_spec_store_bypass(struct device * dev,struct device_attribute * attr,char * buf)3277 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
3278 {
3279 return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
3280 }
3281
cpu_show_l1tf(struct device * dev,struct device_attribute * attr,char * buf)3282 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
3283 {
3284 return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
3285 }
3286
cpu_show_mds(struct device * dev,struct device_attribute * attr,char * buf)3287 ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *buf)
3288 {
3289 return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
3290 }
3291
cpu_show_tsx_async_abort(struct device * dev,struct device_attribute * attr,char * buf)3292 ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)
3293 {
3294 return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
3295 }
3296
cpu_show_itlb_multihit(struct device * dev,struct device_attribute * attr,char * buf)3297 ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf)
3298 {
3299 return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
3300 }
3301
cpu_show_srbds(struct device * dev,struct device_attribute * attr,char * buf)3302 ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf)
3303 {
3304 return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS);
3305 }
3306
cpu_show_mmio_stale_data(struct device * dev,struct device_attribute * attr,char * buf)3307 ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)
3308 {
3309 if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
3310 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_UNKNOWN);
3311 else
3312 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
3313 }
3314
cpu_show_retbleed(struct device * dev,struct device_attribute * attr,char * buf)3315 ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)
3316 {
3317 return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
3318 }
3319
cpu_show_spec_rstack_overflow(struct device * dev,struct device_attribute * attr,char * buf)3320 ssize_t cpu_show_spec_rstack_overflow(struct device *dev, struct device_attribute *attr, char *buf)
3321 {
3322 return cpu_show_common(dev, attr, buf, X86_BUG_SRSO);
3323 }
3324
cpu_show_gds(struct device * dev,struct device_attribute * attr,char * buf)3325 ssize_t cpu_show_gds(struct device *dev, struct device_attribute *attr, char *buf)
3326 {
3327 return cpu_show_common(dev, attr, buf, X86_BUG_GDS);
3328 }
3329
cpu_show_reg_file_data_sampling(struct device * dev,struct device_attribute * attr,char * buf)3330 ssize_t cpu_show_reg_file_data_sampling(struct device *dev, struct device_attribute *attr, char *buf)
3331 {
3332 return cpu_show_common(dev, attr, buf, X86_BUG_RFDS);
3333 }
3334
cpu_show_indirect_target_selection(struct device * dev,struct device_attribute * attr,char * buf)3335 ssize_t cpu_show_indirect_target_selection(struct device *dev, struct device_attribute *attr, char *buf)
3336 {
3337 return cpu_show_common(dev, attr, buf, X86_BUG_ITS);
3338 }
3339
cpu_show_tsa(struct device * dev,struct device_attribute * attr,char * buf)3340 ssize_t cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf)
3341 {
3342 return cpu_show_common(dev, attr, buf, X86_BUG_TSA);
3343 }
3344 #endif
3345