1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (C) 1994 Linus Torvalds 4 * 5 * Cyrix stuff, June 1998 by: 6 * - Rafael R. Reilova (moved everything from head.S), 7 * <rreilova@ececs.uc.edu> 8 * - Channing Corn (tests & fixes), 9 * - Andrew D. Balsa (code cleanup). 10 */ 11 #include <linux/init.h> 12 #include <linux/cpu.h> 13 #include <linux/module.h> 14 #include <linux/nospec.h> 15 #include <linux/prctl.h> 16 #include <linux/sched/smt.h> 17 #include <linux/pgtable.h> 18 #include <linux/bpf.h> 19 20 #include <asm/spec-ctrl.h> 21 #include <asm/cmdline.h> 22 #include <asm/bugs.h> 23 #include <asm/processor.h> 24 #include <asm/processor-flags.h> 25 #include <asm/fpu/api.h> 26 #include <asm/msr.h> 27 #include <asm/vmx.h> 28 #include <asm/paravirt.h> 29 #include <asm/intel-family.h> 30 #include <asm/e820/api.h> 31 #include <asm/hypervisor.h> 32 #include <asm/tlbflush.h> 33 #include <asm/cpu.h> 34 35 #include "cpu.h" 36 37 static void __init spectre_v1_select_mitigation(void); 38 static void __init spectre_v2_select_mitigation(void); 39 static void __init retbleed_select_mitigation(void); 40 static void __init spectre_v2_user_select_mitigation(void); 41 static void __init ssb_select_mitigation(void); 42 static void __init l1tf_select_mitigation(void); 43 static void __init mds_select_mitigation(void); 44 static void __init md_clear_update_mitigation(void); 45 static void __init md_clear_select_mitigation(void); 46 static void __init taa_select_mitigation(void); 47 static void __init mmio_select_mitigation(void); 48 static void __init srbds_select_mitigation(void); 49 static void __init l1d_flush_select_mitigation(void); 50 static void __init srso_select_mitigation(void); 51 static void __init gds_select_mitigation(void); 52 53 /* The base value of the SPEC_CTRL MSR without task-specific bits set */ 54 u64 x86_spec_ctrl_base; 55 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); 56 57 /* The current value of the SPEC_CTRL MSR with task-specific bits set */ 58 DEFINE_PER_CPU(u64, x86_spec_ctrl_current); 59 EXPORT_SYMBOL_GPL(x86_spec_ctrl_current); 60 61 u64 x86_pred_cmd __ro_after_init = PRED_CMD_IBPB; 62 EXPORT_SYMBOL_GPL(x86_pred_cmd); 63 64 static u64 __ro_after_init x86_arch_cap_msr; 65 66 static DEFINE_MUTEX(spec_ctrl_mutex); 67 68 void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk; 69 70 /* Update SPEC_CTRL MSR and its cached copy unconditionally */ 71 static void update_spec_ctrl(u64 val) 72 { 73 this_cpu_write(x86_spec_ctrl_current, val); 74 wrmsrl(MSR_IA32_SPEC_CTRL, val); 75 } 76 77 /* 78 * Keep track of the SPEC_CTRL MSR value for the current task, which may differ 79 * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update(). 80 */ 81 void update_spec_ctrl_cond(u64 val) 82 { 83 if (this_cpu_read(x86_spec_ctrl_current) == val) 84 return; 85 86 this_cpu_write(x86_spec_ctrl_current, val); 87 88 /* 89 * When KERNEL_IBRS this MSR is written on return-to-user, unless 90 * forced the update can be delayed until that time. 91 */ 92 if (!cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS)) 93 wrmsrl(MSR_IA32_SPEC_CTRL, val); 94 } 95 96 noinstr u64 spec_ctrl_current(void) 97 { 98 return this_cpu_read(x86_spec_ctrl_current); 99 } 100 EXPORT_SYMBOL_GPL(spec_ctrl_current); 101 102 /* 103 * AMD specific MSR info for Speculative Store Bypass control. 104 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu(). 105 */ 106 u64 __ro_after_init x86_amd_ls_cfg_base; 107 u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask; 108 109 /* Control conditional STIBP in switch_to() */ 110 DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp); 111 /* Control conditional IBPB in switch_mm() */ 112 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb); 113 /* Control unconditional IBPB in switch_mm() */ 114 DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb); 115 116 /* Control MDS CPU buffer clear before idling (halt, mwait) */ 117 DEFINE_STATIC_KEY_FALSE(mds_idle_clear); 118 EXPORT_SYMBOL_GPL(mds_idle_clear); 119 120 /* 121 * Controls whether l1d flush based mitigations are enabled, 122 * based on hw features and admin setting via boot parameter 123 * defaults to false 124 */ 125 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush); 126 127 /* Controls CPU Fill buffer clear before KVM guest MMIO accesses */ 128 DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear); 129 EXPORT_SYMBOL_GPL(mmio_stale_data_clear); 130 131 void __init cpu_select_mitigations(void) 132 { 133 /* 134 * Read the SPEC_CTRL MSR to account for reserved bits which may 135 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD 136 * init code as it is not enumerated and depends on the family. 137 */ 138 if (cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) { 139 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); 140 141 /* 142 * Previously running kernel (kexec), may have some controls 143 * turned ON. Clear them and let the mitigations setup below 144 * rediscover them based on configuration. 145 */ 146 x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK; 147 } 148 149 x86_arch_cap_msr = x86_read_arch_cap_msr(); 150 151 /* Select the proper CPU mitigations before patching alternatives: */ 152 spectre_v1_select_mitigation(); 153 spectre_v2_select_mitigation(); 154 /* 155 * retbleed_select_mitigation() relies on the state set by 156 * spectre_v2_select_mitigation(); specifically it wants to know about 157 * spectre_v2=ibrs. 158 */ 159 retbleed_select_mitigation(); 160 /* 161 * spectre_v2_user_select_mitigation() relies on the state set by 162 * retbleed_select_mitigation(); specifically the STIBP selection is 163 * forced for UNRET or IBPB. 164 */ 165 spectre_v2_user_select_mitigation(); 166 ssb_select_mitigation(); 167 l1tf_select_mitigation(); 168 md_clear_select_mitigation(); 169 srbds_select_mitigation(); 170 l1d_flush_select_mitigation(); 171 172 /* 173 * srso_select_mitigation() depends and must run after 174 * retbleed_select_mitigation(). 175 */ 176 srso_select_mitigation(); 177 gds_select_mitigation(); 178 } 179 180 /* 181 * NOTE: This function is *only* called for SVM, since Intel uses 182 * MSR_IA32_SPEC_CTRL for SSBD. 183 */ 184 void 185 x86_virt_spec_ctrl(u64 guest_virt_spec_ctrl, bool setguest) 186 { 187 u64 guestval, hostval; 188 struct thread_info *ti = current_thread_info(); 189 190 /* 191 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update 192 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported. 193 */ 194 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) && 195 !static_cpu_has(X86_FEATURE_VIRT_SSBD)) 196 return; 197 198 /* 199 * If the host has SSBD mitigation enabled, force it in the host's 200 * virtual MSR value. If its not permanently enabled, evaluate 201 * current's TIF_SSBD thread flag. 202 */ 203 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE)) 204 hostval = SPEC_CTRL_SSBD; 205 else 206 hostval = ssbd_tif_to_spec_ctrl(ti->flags); 207 208 /* Sanitize the guest value */ 209 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD; 210 211 if (hostval != guestval) { 212 unsigned long tif; 213 214 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) : 215 ssbd_spec_ctrl_to_tif(hostval); 216 217 speculation_ctrl_update(tif); 218 } 219 } 220 EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl); 221 222 static void x86_amd_ssb_disable(void) 223 { 224 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask; 225 226 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD)) 227 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD); 228 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) 229 wrmsrl(MSR_AMD64_LS_CFG, msrval); 230 } 231 232 #undef pr_fmt 233 #define pr_fmt(fmt) "MDS: " fmt 234 235 /* Default mitigation for MDS-affected CPUs */ 236 static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL; 237 static bool mds_nosmt __ro_after_init = false; 238 239 static const char * const mds_strings[] = { 240 [MDS_MITIGATION_OFF] = "Vulnerable", 241 [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers", 242 [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode", 243 }; 244 245 static void __init mds_select_mitigation(void) 246 { 247 if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) { 248 mds_mitigation = MDS_MITIGATION_OFF; 249 return; 250 } 251 252 if (mds_mitigation == MDS_MITIGATION_FULL) { 253 if (!boot_cpu_has(X86_FEATURE_MD_CLEAR)) 254 mds_mitigation = MDS_MITIGATION_VMWERV; 255 256 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF); 257 258 if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) && 259 (mds_nosmt || cpu_mitigations_auto_nosmt())) 260 cpu_smt_disable(false); 261 } 262 } 263 264 static int __init mds_cmdline(char *str) 265 { 266 if (!boot_cpu_has_bug(X86_BUG_MDS)) 267 return 0; 268 269 if (!str) 270 return -EINVAL; 271 272 if (!strcmp(str, "off")) 273 mds_mitigation = MDS_MITIGATION_OFF; 274 else if (!strcmp(str, "full")) 275 mds_mitigation = MDS_MITIGATION_FULL; 276 else if (!strcmp(str, "full,nosmt")) { 277 mds_mitigation = MDS_MITIGATION_FULL; 278 mds_nosmt = true; 279 } 280 281 return 0; 282 } 283 early_param("mds", mds_cmdline); 284 285 #undef pr_fmt 286 #define pr_fmt(fmt) "TAA: " fmt 287 288 enum taa_mitigations { 289 TAA_MITIGATION_OFF, 290 TAA_MITIGATION_UCODE_NEEDED, 291 TAA_MITIGATION_VERW, 292 TAA_MITIGATION_TSX_DISABLED, 293 }; 294 295 /* Default mitigation for TAA-affected CPUs */ 296 static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW; 297 static bool taa_nosmt __ro_after_init; 298 299 static const char * const taa_strings[] = { 300 [TAA_MITIGATION_OFF] = "Vulnerable", 301 [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode", 302 [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers", 303 [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled", 304 }; 305 306 static void __init taa_select_mitigation(void) 307 { 308 if (!boot_cpu_has_bug(X86_BUG_TAA)) { 309 taa_mitigation = TAA_MITIGATION_OFF; 310 return; 311 } 312 313 /* TSX previously disabled by tsx=off */ 314 if (!boot_cpu_has(X86_FEATURE_RTM)) { 315 taa_mitigation = TAA_MITIGATION_TSX_DISABLED; 316 return; 317 } 318 319 if (cpu_mitigations_off()) { 320 taa_mitigation = TAA_MITIGATION_OFF; 321 return; 322 } 323 324 /* 325 * TAA mitigation via VERW is turned off if both 326 * tsx_async_abort=off and mds=off are specified. 327 */ 328 if (taa_mitigation == TAA_MITIGATION_OFF && 329 mds_mitigation == MDS_MITIGATION_OFF) 330 return; 331 332 if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) 333 taa_mitigation = TAA_MITIGATION_VERW; 334 else 335 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED; 336 337 /* 338 * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1. 339 * A microcode update fixes this behavior to clear CPU buffers. It also 340 * adds support for MSR_IA32_TSX_CTRL which is enumerated by the 341 * ARCH_CAP_TSX_CTRL_MSR bit. 342 * 343 * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode 344 * update is required. 345 */ 346 if ( (x86_arch_cap_msr & ARCH_CAP_MDS_NO) && 347 !(x86_arch_cap_msr & ARCH_CAP_TSX_CTRL_MSR)) 348 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED; 349 350 /* 351 * TSX is enabled, select alternate mitigation for TAA which is 352 * the same as MDS. Enable MDS static branch to clear CPU buffers. 353 * 354 * For guests that can't determine whether the correct microcode is 355 * present on host, enable the mitigation for UCODE_NEEDED as well. 356 */ 357 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF); 358 359 if (taa_nosmt || cpu_mitigations_auto_nosmt()) 360 cpu_smt_disable(false); 361 } 362 363 static int __init tsx_async_abort_parse_cmdline(char *str) 364 { 365 if (!boot_cpu_has_bug(X86_BUG_TAA)) 366 return 0; 367 368 if (!str) 369 return -EINVAL; 370 371 if (!strcmp(str, "off")) { 372 taa_mitigation = TAA_MITIGATION_OFF; 373 } else if (!strcmp(str, "full")) { 374 taa_mitigation = TAA_MITIGATION_VERW; 375 } else if (!strcmp(str, "full,nosmt")) { 376 taa_mitigation = TAA_MITIGATION_VERW; 377 taa_nosmt = true; 378 } 379 380 return 0; 381 } 382 early_param("tsx_async_abort", tsx_async_abort_parse_cmdline); 383 384 #undef pr_fmt 385 #define pr_fmt(fmt) "MMIO Stale Data: " fmt 386 387 enum mmio_mitigations { 388 MMIO_MITIGATION_OFF, 389 MMIO_MITIGATION_UCODE_NEEDED, 390 MMIO_MITIGATION_VERW, 391 }; 392 393 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */ 394 static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_VERW; 395 static bool mmio_nosmt __ro_after_init = false; 396 397 static const char * const mmio_strings[] = { 398 [MMIO_MITIGATION_OFF] = "Vulnerable", 399 [MMIO_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode", 400 [MMIO_MITIGATION_VERW] = "Mitigation: Clear CPU buffers", 401 }; 402 403 static void __init mmio_select_mitigation(void) 404 { 405 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) || 406 boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) || 407 cpu_mitigations_off()) { 408 mmio_mitigation = MMIO_MITIGATION_OFF; 409 return; 410 } 411 412 if (mmio_mitigation == MMIO_MITIGATION_OFF) 413 return; 414 415 /* 416 * Enable CPU buffer clear mitigation for host and VMM, if also affected 417 * by MDS or TAA. Otherwise, enable mitigation for VMM only. 418 */ 419 if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) && 420 boot_cpu_has(X86_FEATURE_RTM))) 421 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF); 422 423 /* 424 * X86_FEATURE_CLEAR_CPU_BUF could be enabled by other VERW based 425 * mitigations, disable KVM-only mitigation in that case. 426 */ 427 if (boot_cpu_has(X86_FEATURE_CLEAR_CPU_BUF)) 428 static_branch_disable(&mmio_stale_data_clear); 429 else 430 static_branch_enable(&mmio_stale_data_clear); 431 432 /* 433 * If Processor-MMIO-Stale-Data bug is present and Fill Buffer data can 434 * be propagated to uncore buffers, clearing the Fill buffers on idle 435 * is required irrespective of SMT state. 436 */ 437 if (!(x86_arch_cap_msr & ARCH_CAP_FBSDP_NO)) 438 static_branch_enable(&mds_idle_clear); 439 440 /* 441 * Check if the system has the right microcode. 442 * 443 * CPU Fill buffer clear mitigation is enumerated by either an explicit 444 * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS 445 * affected systems. 446 */ 447 if ((x86_arch_cap_msr & ARCH_CAP_FB_CLEAR) || 448 (boot_cpu_has(X86_FEATURE_MD_CLEAR) && 449 boot_cpu_has(X86_FEATURE_FLUSH_L1D) && 450 !(x86_arch_cap_msr & ARCH_CAP_MDS_NO))) 451 mmio_mitigation = MMIO_MITIGATION_VERW; 452 else 453 mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED; 454 455 if (mmio_nosmt || cpu_mitigations_auto_nosmt()) 456 cpu_smt_disable(false); 457 } 458 459 static int __init mmio_stale_data_parse_cmdline(char *str) 460 { 461 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) 462 return 0; 463 464 if (!str) 465 return -EINVAL; 466 467 if (!strcmp(str, "off")) { 468 mmio_mitigation = MMIO_MITIGATION_OFF; 469 } else if (!strcmp(str, "full")) { 470 mmio_mitigation = MMIO_MITIGATION_VERW; 471 } else if (!strcmp(str, "full,nosmt")) { 472 mmio_mitigation = MMIO_MITIGATION_VERW; 473 mmio_nosmt = true; 474 } 475 476 return 0; 477 } 478 early_param("mmio_stale_data", mmio_stale_data_parse_cmdline); 479 480 #undef pr_fmt 481 #define pr_fmt(fmt) "Register File Data Sampling: " fmt 482 483 enum rfds_mitigations { 484 RFDS_MITIGATION_OFF, 485 RFDS_MITIGATION_VERW, 486 RFDS_MITIGATION_UCODE_NEEDED, 487 }; 488 489 /* Default mitigation for Register File Data Sampling */ 490 static enum rfds_mitigations rfds_mitigation __ro_after_init = 491 IS_ENABLED(CONFIG_MITIGATION_RFDS) ? RFDS_MITIGATION_VERW : RFDS_MITIGATION_OFF; 492 493 static const char * const rfds_strings[] = { 494 [RFDS_MITIGATION_OFF] = "Vulnerable", 495 [RFDS_MITIGATION_VERW] = "Mitigation: Clear Register File", 496 [RFDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode", 497 }; 498 499 static void __init rfds_select_mitigation(void) 500 { 501 if (!boot_cpu_has_bug(X86_BUG_RFDS) || cpu_mitigations_off()) { 502 rfds_mitigation = RFDS_MITIGATION_OFF; 503 return; 504 } 505 if (rfds_mitigation == RFDS_MITIGATION_OFF) 506 return; 507 508 if (x86_arch_cap_msr & ARCH_CAP_RFDS_CLEAR) 509 setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF); 510 else 511 rfds_mitigation = RFDS_MITIGATION_UCODE_NEEDED; 512 } 513 514 static __init int rfds_parse_cmdline(char *str) 515 { 516 if (!str) 517 return -EINVAL; 518 519 if (!boot_cpu_has_bug(X86_BUG_RFDS)) 520 return 0; 521 522 if (!strcmp(str, "off")) 523 rfds_mitigation = RFDS_MITIGATION_OFF; 524 else if (!strcmp(str, "on")) 525 rfds_mitigation = RFDS_MITIGATION_VERW; 526 527 return 0; 528 } 529 early_param("reg_file_data_sampling", rfds_parse_cmdline); 530 531 #undef pr_fmt 532 #define pr_fmt(fmt) "" fmt 533 534 static void __init md_clear_update_mitigation(void) 535 { 536 if (cpu_mitigations_off()) 537 return; 538 539 if (!boot_cpu_has(X86_FEATURE_CLEAR_CPU_BUF)) 540 goto out; 541 542 /* 543 * X86_FEATURE_CLEAR_CPU_BUF is now enabled. Update MDS, TAA and MMIO 544 * Stale Data mitigation, if necessary. 545 */ 546 if (mds_mitigation == MDS_MITIGATION_OFF && 547 boot_cpu_has_bug(X86_BUG_MDS)) { 548 mds_mitigation = MDS_MITIGATION_FULL; 549 mds_select_mitigation(); 550 } 551 if (taa_mitigation == TAA_MITIGATION_OFF && 552 boot_cpu_has_bug(X86_BUG_TAA)) { 553 taa_mitigation = TAA_MITIGATION_VERW; 554 taa_select_mitigation(); 555 } 556 /* 557 * MMIO_MITIGATION_OFF is not checked here so that mmio_stale_data_clear 558 * gets updated correctly as per X86_FEATURE_CLEAR_CPU_BUF state. 559 */ 560 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) { 561 mmio_mitigation = MMIO_MITIGATION_VERW; 562 mmio_select_mitigation(); 563 } 564 if (rfds_mitigation == RFDS_MITIGATION_OFF && 565 boot_cpu_has_bug(X86_BUG_RFDS)) { 566 rfds_mitigation = RFDS_MITIGATION_VERW; 567 rfds_select_mitigation(); 568 } 569 out: 570 if (boot_cpu_has_bug(X86_BUG_MDS)) 571 pr_info("MDS: %s\n", mds_strings[mds_mitigation]); 572 if (boot_cpu_has_bug(X86_BUG_TAA)) 573 pr_info("TAA: %s\n", taa_strings[taa_mitigation]); 574 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) 575 pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]); 576 else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN)) 577 pr_info("MMIO Stale Data: Unknown: No mitigations\n"); 578 if (boot_cpu_has_bug(X86_BUG_RFDS)) 579 pr_info("Register File Data Sampling: %s\n", rfds_strings[rfds_mitigation]); 580 } 581 582 static void __init md_clear_select_mitigation(void) 583 { 584 mds_select_mitigation(); 585 taa_select_mitigation(); 586 mmio_select_mitigation(); 587 rfds_select_mitigation(); 588 589 /* 590 * As these mitigations are inter-related and rely on VERW instruction 591 * to clear the microarchitural buffers, update and print their status 592 * after mitigation selection is done for each of these vulnerabilities. 593 */ 594 md_clear_update_mitigation(); 595 } 596 597 #undef pr_fmt 598 #define pr_fmt(fmt) "SRBDS: " fmt 599 600 enum srbds_mitigations { 601 SRBDS_MITIGATION_OFF, 602 SRBDS_MITIGATION_UCODE_NEEDED, 603 SRBDS_MITIGATION_FULL, 604 SRBDS_MITIGATION_TSX_OFF, 605 SRBDS_MITIGATION_HYPERVISOR, 606 }; 607 608 static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL; 609 610 static const char * const srbds_strings[] = { 611 [SRBDS_MITIGATION_OFF] = "Vulnerable", 612 [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode", 613 [SRBDS_MITIGATION_FULL] = "Mitigation: Microcode", 614 [SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled", 615 [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status", 616 }; 617 618 static bool srbds_off; 619 620 void update_srbds_msr(void) 621 { 622 u64 mcu_ctrl; 623 624 if (!boot_cpu_has_bug(X86_BUG_SRBDS)) 625 return; 626 627 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) 628 return; 629 630 if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED) 631 return; 632 633 /* 634 * A MDS_NO CPU for which SRBDS mitigation is not needed due to TSX 635 * being disabled and it hasn't received the SRBDS MSR microcode. 636 */ 637 if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL)) 638 return; 639 640 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); 641 642 switch (srbds_mitigation) { 643 case SRBDS_MITIGATION_OFF: 644 case SRBDS_MITIGATION_TSX_OFF: 645 mcu_ctrl |= RNGDS_MITG_DIS; 646 break; 647 case SRBDS_MITIGATION_FULL: 648 mcu_ctrl &= ~RNGDS_MITG_DIS; 649 break; 650 default: 651 break; 652 } 653 654 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); 655 } 656 657 static void __init srbds_select_mitigation(void) 658 { 659 if (!boot_cpu_has_bug(X86_BUG_SRBDS)) 660 return; 661 662 /* 663 * Check to see if this is one of the MDS_NO systems supporting TSX that 664 * are only exposed to SRBDS when TSX is enabled or when CPU is affected 665 * by Processor MMIO Stale Data vulnerability. 666 */ 667 if ((x86_arch_cap_msr & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) && 668 !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) 669 srbds_mitigation = SRBDS_MITIGATION_TSX_OFF; 670 else if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) 671 srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR; 672 else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL)) 673 srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED; 674 else if (cpu_mitigations_off() || srbds_off) 675 srbds_mitigation = SRBDS_MITIGATION_OFF; 676 677 update_srbds_msr(); 678 pr_info("%s\n", srbds_strings[srbds_mitigation]); 679 } 680 681 static int __init srbds_parse_cmdline(char *str) 682 { 683 if (!str) 684 return -EINVAL; 685 686 if (!boot_cpu_has_bug(X86_BUG_SRBDS)) 687 return 0; 688 689 srbds_off = !strcmp(str, "off"); 690 return 0; 691 } 692 early_param("srbds", srbds_parse_cmdline); 693 694 #undef pr_fmt 695 #define pr_fmt(fmt) "L1D Flush : " fmt 696 697 enum l1d_flush_mitigations { 698 L1D_FLUSH_OFF = 0, 699 L1D_FLUSH_ON, 700 }; 701 702 static enum l1d_flush_mitigations l1d_flush_mitigation __initdata = L1D_FLUSH_OFF; 703 704 static void __init l1d_flush_select_mitigation(void) 705 { 706 if (!l1d_flush_mitigation || !boot_cpu_has(X86_FEATURE_FLUSH_L1D)) 707 return; 708 709 static_branch_enable(&switch_mm_cond_l1d_flush); 710 pr_info("Conditional flush on switch_mm() enabled\n"); 711 } 712 713 static int __init l1d_flush_parse_cmdline(char *str) 714 { 715 if (!strcmp(str, "on")) 716 l1d_flush_mitigation = L1D_FLUSH_ON; 717 718 return 0; 719 } 720 early_param("l1d_flush", l1d_flush_parse_cmdline); 721 722 #undef pr_fmt 723 #define pr_fmt(fmt) "GDS: " fmt 724 725 enum gds_mitigations { 726 GDS_MITIGATION_OFF, 727 GDS_MITIGATION_UCODE_NEEDED, 728 GDS_MITIGATION_FORCE, 729 GDS_MITIGATION_FULL, 730 GDS_MITIGATION_FULL_LOCKED, 731 GDS_MITIGATION_HYPERVISOR, 732 }; 733 734 #if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION) 735 static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE; 736 #else 737 static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL; 738 #endif 739 740 static const char * const gds_strings[] = { 741 [GDS_MITIGATION_OFF] = "Vulnerable", 742 [GDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode", 743 [GDS_MITIGATION_FORCE] = "Mitigation: AVX disabled, no microcode", 744 [GDS_MITIGATION_FULL] = "Mitigation: Microcode", 745 [GDS_MITIGATION_FULL_LOCKED] = "Mitigation: Microcode (locked)", 746 [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status", 747 }; 748 749 bool gds_ucode_mitigated(void) 750 { 751 return (gds_mitigation == GDS_MITIGATION_FULL || 752 gds_mitigation == GDS_MITIGATION_FULL_LOCKED); 753 } 754 EXPORT_SYMBOL_GPL(gds_ucode_mitigated); 755 756 void update_gds_msr(void) 757 { 758 u64 mcu_ctrl_after; 759 u64 mcu_ctrl; 760 761 switch (gds_mitigation) { 762 case GDS_MITIGATION_OFF: 763 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); 764 mcu_ctrl |= GDS_MITG_DIS; 765 break; 766 case GDS_MITIGATION_FULL_LOCKED: 767 /* 768 * The LOCKED state comes from the boot CPU. APs might not have 769 * the same state. Make sure the mitigation is enabled on all 770 * CPUs. 771 */ 772 case GDS_MITIGATION_FULL: 773 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); 774 mcu_ctrl &= ~GDS_MITG_DIS; 775 break; 776 case GDS_MITIGATION_FORCE: 777 case GDS_MITIGATION_UCODE_NEEDED: 778 case GDS_MITIGATION_HYPERVISOR: 779 return; 780 }; 781 782 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); 783 784 /* 785 * Check to make sure that the WRMSR value was not ignored. Writes to 786 * GDS_MITG_DIS will be ignored if this processor is locked but the boot 787 * processor was not. 788 */ 789 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl_after); 790 WARN_ON_ONCE(mcu_ctrl != mcu_ctrl_after); 791 } 792 793 static void __init gds_select_mitigation(void) 794 { 795 u64 mcu_ctrl; 796 797 if (!boot_cpu_has_bug(X86_BUG_GDS)) 798 return; 799 800 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) { 801 gds_mitigation = GDS_MITIGATION_HYPERVISOR; 802 goto out; 803 } 804 805 if (cpu_mitigations_off()) 806 gds_mitigation = GDS_MITIGATION_OFF; 807 /* Will verify below that mitigation _can_ be disabled */ 808 809 /* No microcode */ 810 if (!(x86_arch_cap_msr & ARCH_CAP_GDS_CTRL)) { 811 if (gds_mitigation == GDS_MITIGATION_FORCE) { 812 /* 813 * This only needs to be done on the boot CPU so do it 814 * here rather than in update_gds_msr() 815 */ 816 setup_clear_cpu_cap(X86_FEATURE_AVX); 817 pr_warn("Microcode update needed! Disabling AVX as mitigation.\n"); 818 } else { 819 gds_mitigation = GDS_MITIGATION_UCODE_NEEDED; 820 } 821 goto out; 822 } 823 824 /* Microcode has mitigation, use it */ 825 if (gds_mitigation == GDS_MITIGATION_FORCE) 826 gds_mitigation = GDS_MITIGATION_FULL; 827 828 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl); 829 if (mcu_ctrl & GDS_MITG_LOCKED) { 830 if (gds_mitigation == GDS_MITIGATION_OFF) 831 pr_warn("Mitigation locked. Disable failed.\n"); 832 833 /* 834 * The mitigation is selected from the boot CPU. All other CPUs 835 * _should_ have the same state. If the boot CPU isn't locked 836 * but others are then update_gds_msr() will WARN() of the state 837 * mismatch. If the boot CPU is locked update_gds_msr() will 838 * ensure the other CPUs have the mitigation enabled. 839 */ 840 gds_mitigation = GDS_MITIGATION_FULL_LOCKED; 841 } 842 843 update_gds_msr(); 844 out: 845 pr_info("%s\n", gds_strings[gds_mitigation]); 846 } 847 848 static int __init gds_parse_cmdline(char *str) 849 { 850 if (!str) 851 return -EINVAL; 852 853 if (!boot_cpu_has_bug(X86_BUG_GDS)) 854 return 0; 855 856 if (!strcmp(str, "off")) 857 gds_mitigation = GDS_MITIGATION_OFF; 858 else if (!strcmp(str, "force")) 859 gds_mitigation = GDS_MITIGATION_FORCE; 860 861 return 0; 862 } 863 early_param("gather_data_sampling", gds_parse_cmdline); 864 865 #undef pr_fmt 866 #define pr_fmt(fmt) "Spectre V1 : " fmt 867 868 enum spectre_v1_mitigation { 869 SPECTRE_V1_MITIGATION_NONE, 870 SPECTRE_V1_MITIGATION_AUTO, 871 }; 872 873 static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init = 874 SPECTRE_V1_MITIGATION_AUTO; 875 876 static const char * const spectre_v1_strings[] = { 877 [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers", 878 [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization", 879 }; 880 881 /* 882 * Does SMAP provide full mitigation against speculative kernel access to 883 * userspace? 884 */ 885 static bool smap_works_speculatively(void) 886 { 887 if (!boot_cpu_has(X86_FEATURE_SMAP)) 888 return false; 889 890 /* 891 * On CPUs which are vulnerable to Meltdown, SMAP does not 892 * prevent speculative access to user data in the L1 cache. 893 * Consider SMAP to be non-functional as a mitigation on these 894 * CPUs. 895 */ 896 if (boot_cpu_has(X86_BUG_CPU_MELTDOWN)) 897 return false; 898 899 return true; 900 } 901 902 static void __init spectre_v1_select_mitigation(void) 903 { 904 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) { 905 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE; 906 return; 907 } 908 909 if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) { 910 /* 911 * With Spectre v1, a user can speculatively control either 912 * path of a conditional swapgs with a user-controlled GS 913 * value. The mitigation is to add lfences to both code paths. 914 * 915 * If FSGSBASE is enabled, the user can put a kernel address in 916 * GS, in which case SMAP provides no protection. 917 * 918 * If FSGSBASE is disabled, the user can only put a user space 919 * address in GS. That makes an attack harder, but still 920 * possible if there's no SMAP protection. 921 */ 922 if (boot_cpu_has(X86_FEATURE_FSGSBASE) || 923 !smap_works_speculatively()) { 924 /* 925 * Mitigation can be provided from SWAPGS itself or 926 * PTI as the CR3 write in the Meltdown mitigation 927 * is serializing. 928 * 929 * If neither is there, mitigate with an LFENCE to 930 * stop speculation through swapgs. 931 */ 932 if (boot_cpu_has_bug(X86_BUG_SWAPGS) && 933 !boot_cpu_has(X86_FEATURE_PTI)) 934 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER); 935 936 /* 937 * Enable lfences in the kernel entry (non-swapgs) 938 * paths, to prevent user entry from speculatively 939 * skipping swapgs. 940 */ 941 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL); 942 } 943 } 944 945 pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]); 946 } 947 948 static int __init nospectre_v1_cmdline(char *str) 949 { 950 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE; 951 return 0; 952 } 953 early_param("nospectre_v1", nospectre_v1_cmdline); 954 955 enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = SPECTRE_V2_NONE; 956 957 #undef pr_fmt 958 #define pr_fmt(fmt) "RETBleed: " fmt 959 960 enum retbleed_mitigation { 961 RETBLEED_MITIGATION_NONE, 962 RETBLEED_MITIGATION_UNRET, 963 RETBLEED_MITIGATION_IBPB, 964 RETBLEED_MITIGATION_IBRS, 965 RETBLEED_MITIGATION_EIBRS, 966 RETBLEED_MITIGATION_STUFF, 967 }; 968 969 enum retbleed_mitigation_cmd { 970 RETBLEED_CMD_OFF, 971 RETBLEED_CMD_AUTO, 972 RETBLEED_CMD_UNRET, 973 RETBLEED_CMD_IBPB, 974 RETBLEED_CMD_STUFF, 975 }; 976 977 static const char * const retbleed_strings[] = { 978 [RETBLEED_MITIGATION_NONE] = "Vulnerable", 979 [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk", 980 [RETBLEED_MITIGATION_IBPB] = "Mitigation: IBPB", 981 [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS", 982 [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS", 983 [RETBLEED_MITIGATION_STUFF] = "Mitigation: Stuffing", 984 }; 985 986 static enum retbleed_mitigation retbleed_mitigation __ro_after_init = 987 RETBLEED_MITIGATION_NONE; 988 static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init = 989 RETBLEED_CMD_AUTO; 990 991 static int __ro_after_init retbleed_nosmt = false; 992 993 static int __init retbleed_parse_cmdline(char *str) 994 { 995 if (!str) 996 return -EINVAL; 997 998 while (str) { 999 char *next = strchr(str, ','); 1000 if (next) { 1001 *next = 0; 1002 next++; 1003 } 1004 1005 if (!strcmp(str, "off")) { 1006 retbleed_cmd = RETBLEED_CMD_OFF; 1007 } else if (!strcmp(str, "auto")) { 1008 retbleed_cmd = RETBLEED_CMD_AUTO; 1009 } else if (!strcmp(str, "unret")) { 1010 retbleed_cmd = RETBLEED_CMD_UNRET; 1011 } else if (!strcmp(str, "ibpb")) { 1012 retbleed_cmd = RETBLEED_CMD_IBPB; 1013 } else if (!strcmp(str, "stuff")) { 1014 retbleed_cmd = RETBLEED_CMD_STUFF; 1015 } else if (!strcmp(str, "nosmt")) { 1016 retbleed_nosmt = true; 1017 } else if (!strcmp(str, "force")) { 1018 setup_force_cpu_bug(X86_BUG_RETBLEED); 1019 } else { 1020 pr_err("Ignoring unknown retbleed option (%s).", str); 1021 } 1022 1023 str = next; 1024 } 1025 1026 return 0; 1027 } 1028 early_param("retbleed", retbleed_parse_cmdline); 1029 1030 #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n" 1031 #define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n" 1032 1033 static void __init retbleed_select_mitigation(void) 1034 { 1035 bool mitigate_smt = false; 1036 1037 if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off()) 1038 return; 1039 1040 switch (retbleed_cmd) { 1041 case RETBLEED_CMD_OFF: 1042 return; 1043 1044 case RETBLEED_CMD_UNRET: 1045 if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY)) { 1046 retbleed_mitigation = RETBLEED_MITIGATION_UNRET; 1047 } else { 1048 pr_err("WARNING: kernel not compiled with CPU_UNRET_ENTRY.\n"); 1049 goto do_cmd_auto; 1050 } 1051 break; 1052 1053 case RETBLEED_CMD_IBPB: 1054 if (!boot_cpu_has(X86_FEATURE_IBPB)) { 1055 pr_err("WARNING: CPU does not support IBPB.\n"); 1056 goto do_cmd_auto; 1057 } else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) { 1058 retbleed_mitigation = RETBLEED_MITIGATION_IBPB; 1059 } else { 1060 pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n"); 1061 goto do_cmd_auto; 1062 } 1063 break; 1064 1065 case RETBLEED_CMD_STUFF: 1066 if (IS_ENABLED(CONFIG_CALL_DEPTH_TRACKING) && 1067 spectre_v2_enabled == SPECTRE_V2_RETPOLINE) { 1068 retbleed_mitigation = RETBLEED_MITIGATION_STUFF; 1069 1070 } else { 1071 if (IS_ENABLED(CONFIG_CALL_DEPTH_TRACKING)) 1072 pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n"); 1073 else 1074 pr_err("WARNING: kernel not compiled with CALL_DEPTH_TRACKING.\n"); 1075 1076 goto do_cmd_auto; 1077 } 1078 break; 1079 1080 do_cmd_auto: 1081 case RETBLEED_CMD_AUTO: 1082 default: 1083 if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || 1084 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { 1085 if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY)) 1086 retbleed_mitigation = RETBLEED_MITIGATION_UNRET; 1087 else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY) && boot_cpu_has(X86_FEATURE_IBPB)) 1088 retbleed_mitigation = RETBLEED_MITIGATION_IBPB; 1089 } 1090 1091 /* 1092 * The Intel mitigation (IBRS or eIBRS) was already selected in 1093 * spectre_v2_select_mitigation(). 'retbleed_mitigation' will 1094 * be set accordingly below. 1095 */ 1096 1097 break; 1098 } 1099 1100 switch (retbleed_mitigation) { 1101 case RETBLEED_MITIGATION_UNRET: 1102 setup_force_cpu_cap(X86_FEATURE_RETHUNK); 1103 setup_force_cpu_cap(X86_FEATURE_UNRET); 1104 1105 x86_return_thunk = retbleed_return_thunk; 1106 1107 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && 1108 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) 1109 pr_err(RETBLEED_UNTRAIN_MSG); 1110 1111 mitigate_smt = true; 1112 break; 1113 1114 case RETBLEED_MITIGATION_IBPB: 1115 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB); 1116 1117 /* 1118 * IBPB on entry already obviates the need for 1119 * software-based untraining so clear those in case some 1120 * other mitigation like SRSO has selected them. 1121 */ 1122 setup_clear_cpu_cap(X86_FEATURE_UNRET); 1123 setup_clear_cpu_cap(X86_FEATURE_RETHUNK); 1124 1125 setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT); 1126 mitigate_smt = true; 1127 1128 /* 1129 * There is no need for RSB filling: entry_ibpb() ensures 1130 * all predictions, including the RSB, are invalidated, 1131 * regardless of IBPB implementation. 1132 */ 1133 setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT); 1134 1135 break; 1136 1137 case RETBLEED_MITIGATION_STUFF: 1138 setup_force_cpu_cap(X86_FEATURE_RETHUNK); 1139 setup_force_cpu_cap(X86_FEATURE_CALL_DEPTH); 1140 x86_set_skl_return_thunk(); 1141 break; 1142 1143 default: 1144 break; 1145 } 1146 1147 if (mitigate_smt && !boot_cpu_has(X86_FEATURE_STIBP) && 1148 (retbleed_nosmt || cpu_mitigations_auto_nosmt())) 1149 cpu_smt_disable(false); 1150 1151 /* 1152 * Let IBRS trump all on Intel without affecting the effects of the 1153 * retbleed= cmdline option except for call depth based stuffing 1154 */ 1155 if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) { 1156 switch (spectre_v2_enabled) { 1157 case SPECTRE_V2_IBRS: 1158 retbleed_mitigation = RETBLEED_MITIGATION_IBRS; 1159 break; 1160 case SPECTRE_V2_EIBRS: 1161 case SPECTRE_V2_EIBRS_RETPOLINE: 1162 case SPECTRE_V2_EIBRS_LFENCE: 1163 retbleed_mitigation = RETBLEED_MITIGATION_EIBRS; 1164 break; 1165 default: 1166 if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF) 1167 pr_err(RETBLEED_INTEL_MSG); 1168 } 1169 } 1170 1171 pr_info("%s\n", retbleed_strings[retbleed_mitigation]); 1172 } 1173 1174 #undef pr_fmt 1175 #define pr_fmt(fmt) "Spectre V2 : " fmt 1176 1177 static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init = 1178 SPECTRE_V2_USER_NONE; 1179 static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init = 1180 SPECTRE_V2_USER_NONE; 1181 1182 #ifdef CONFIG_RETPOLINE 1183 static bool spectre_v2_bad_module; 1184 1185 bool retpoline_module_ok(bool has_retpoline) 1186 { 1187 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline) 1188 return true; 1189 1190 pr_err("System may be vulnerable to spectre v2\n"); 1191 spectre_v2_bad_module = true; 1192 return false; 1193 } 1194 1195 static inline const char *spectre_v2_module_string(void) 1196 { 1197 return spectre_v2_bad_module ? " - vulnerable module loaded" : ""; 1198 } 1199 #else 1200 static inline const char *spectre_v2_module_string(void) { return ""; } 1201 #endif 1202 1203 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n" 1204 #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" 1205 #define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n" 1206 #define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enhanced IBRS CPU, this may cause unnecessary performance loss\n" 1207 1208 #ifdef CONFIG_BPF_SYSCALL 1209 void unpriv_ebpf_notify(int new_state) 1210 { 1211 if (new_state) 1212 return; 1213 1214 /* Unprivileged eBPF is enabled */ 1215 1216 switch (spectre_v2_enabled) { 1217 case SPECTRE_V2_EIBRS: 1218 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); 1219 break; 1220 case SPECTRE_V2_EIBRS_LFENCE: 1221 if (sched_smt_active()) 1222 pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); 1223 break; 1224 default: 1225 break; 1226 } 1227 } 1228 #endif 1229 1230 static inline bool match_option(const char *arg, int arglen, const char *opt) 1231 { 1232 int len = strlen(opt); 1233 1234 return len == arglen && !strncmp(arg, opt, len); 1235 } 1236 1237 /* The kernel command line selection for spectre v2 */ 1238 enum spectre_v2_mitigation_cmd { 1239 SPECTRE_V2_CMD_NONE, 1240 SPECTRE_V2_CMD_AUTO, 1241 SPECTRE_V2_CMD_FORCE, 1242 SPECTRE_V2_CMD_RETPOLINE, 1243 SPECTRE_V2_CMD_RETPOLINE_GENERIC, 1244 SPECTRE_V2_CMD_RETPOLINE_LFENCE, 1245 SPECTRE_V2_CMD_EIBRS, 1246 SPECTRE_V2_CMD_EIBRS_RETPOLINE, 1247 SPECTRE_V2_CMD_EIBRS_LFENCE, 1248 SPECTRE_V2_CMD_IBRS, 1249 }; 1250 1251 enum spectre_v2_user_cmd { 1252 SPECTRE_V2_USER_CMD_NONE, 1253 SPECTRE_V2_USER_CMD_AUTO, 1254 SPECTRE_V2_USER_CMD_FORCE, 1255 SPECTRE_V2_USER_CMD_PRCTL, 1256 SPECTRE_V2_USER_CMD_PRCTL_IBPB, 1257 SPECTRE_V2_USER_CMD_SECCOMP, 1258 SPECTRE_V2_USER_CMD_SECCOMP_IBPB, 1259 }; 1260 1261 static const char * const spectre_v2_user_strings[] = { 1262 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable", 1263 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection", 1264 [SPECTRE_V2_USER_STRICT_PREFERRED] = "User space: Mitigation: STIBP always-on protection", 1265 [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl", 1266 [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl", 1267 }; 1268 1269 static const struct { 1270 const char *option; 1271 enum spectre_v2_user_cmd cmd; 1272 bool secure; 1273 } v2_user_options[] __initconst = { 1274 { "auto", SPECTRE_V2_USER_CMD_AUTO, false }, 1275 { "off", SPECTRE_V2_USER_CMD_NONE, false }, 1276 { "on", SPECTRE_V2_USER_CMD_FORCE, true }, 1277 { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false }, 1278 { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false }, 1279 { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false }, 1280 { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false }, 1281 }; 1282 1283 static void __init spec_v2_user_print_cond(const char *reason, bool secure) 1284 { 1285 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure) 1286 pr_info("spectre_v2_user=%s forced on command line.\n", reason); 1287 } 1288 1289 static __ro_after_init enum spectre_v2_mitigation_cmd spectre_v2_cmd; 1290 1291 static enum spectre_v2_user_cmd __init 1292 spectre_v2_parse_user_cmdline(void) 1293 { 1294 char arg[20]; 1295 int ret, i; 1296 1297 switch (spectre_v2_cmd) { 1298 case SPECTRE_V2_CMD_NONE: 1299 return SPECTRE_V2_USER_CMD_NONE; 1300 case SPECTRE_V2_CMD_FORCE: 1301 return SPECTRE_V2_USER_CMD_FORCE; 1302 default: 1303 break; 1304 } 1305 1306 ret = cmdline_find_option(boot_command_line, "spectre_v2_user", 1307 arg, sizeof(arg)); 1308 if (ret < 0) 1309 return SPECTRE_V2_USER_CMD_AUTO; 1310 1311 for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) { 1312 if (match_option(arg, ret, v2_user_options[i].option)) { 1313 spec_v2_user_print_cond(v2_user_options[i].option, 1314 v2_user_options[i].secure); 1315 return v2_user_options[i].cmd; 1316 } 1317 } 1318 1319 pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg); 1320 return SPECTRE_V2_USER_CMD_AUTO; 1321 } 1322 1323 static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) 1324 { 1325 return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS; 1326 } 1327 1328 static void __init 1329 spectre_v2_user_select_mitigation(void) 1330 { 1331 enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE; 1332 bool smt_possible = IS_ENABLED(CONFIG_SMP); 1333 enum spectre_v2_user_cmd cmd; 1334 1335 if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP)) 1336 return; 1337 1338 if (cpu_smt_control == CPU_SMT_FORCE_DISABLED || 1339 cpu_smt_control == CPU_SMT_NOT_SUPPORTED) 1340 smt_possible = false; 1341 1342 cmd = spectre_v2_parse_user_cmdline(); 1343 switch (cmd) { 1344 case SPECTRE_V2_USER_CMD_NONE: 1345 goto set_mode; 1346 case SPECTRE_V2_USER_CMD_FORCE: 1347 mode = SPECTRE_V2_USER_STRICT; 1348 break; 1349 case SPECTRE_V2_USER_CMD_AUTO: 1350 case SPECTRE_V2_USER_CMD_PRCTL: 1351 case SPECTRE_V2_USER_CMD_PRCTL_IBPB: 1352 mode = SPECTRE_V2_USER_PRCTL; 1353 break; 1354 case SPECTRE_V2_USER_CMD_SECCOMP: 1355 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB: 1356 if (IS_ENABLED(CONFIG_SECCOMP)) 1357 mode = SPECTRE_V2_USER_SECCOMP; 1358 else 1359 mode = SPECTRE_V2_USER_PRCTL; 1360 break; 1361 } 1362 1363 /* Initialize Indirect Branch Prediction Barrier */ 1364 if (boot_cpu_has(X86_FEATURE_IBPB)) { 1365 setup_force_cpu_cap(X86_FEATURE_USE_IBPB); 1366 1367 spectre_v2_user_ibpb = mode; 1368 switch (cmd) { 1369 case SPECTRE_V2_USER_CMD_FORCE: 1370 case SPECTRE_V2_USER_CMD_PRCTL_IBPB: 1371 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB: 1372 static_branch_enable(&switch_mm_always_ibpb); 1373 spectre_v2_user_ibpb = SPECTRE_V2_USER_STRICT; 1374 break; 1375 case SPECTRE_V2_USER_CMD_PRCTL: 1376 case SPECTRE_V2_USER_CMD_AUTO: 1377 case SPECTRE_V2_USER_CMD_SECCOMP: 1378 static_branch_enable(&switch_mm_cond_ibpb); 1379 break; 1380 default: 1381 break; 1382 } 1383 1384 pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n", 1385 static_key_enabled(&switch_mm_always_ibpb) ? 1386 "always-on" : "conditional"); 1387 } 1388 1389 /* 1390 * If no STIBP, Intel enhanced IBRS is enabled, or SMT impossible, STIBP 1391 * is not required. 1392 * 1393 * Intel's Enhanced IBRS also protects against cross-thread branch target 1394 * injection in user-mode as the IBRS bit remains always set which 1395 * implicitly enables cross-thread protections. However, in legacy IBRS 1396 * mode, the IBRS bit is set only on kernel entry and cleared on return 1397 * to userspace. AMD Automatic IBRS also does not protect userspace. 1398 * These modes therefore disable the implicit cross-thread protection, 1399 * so allow for STIBP to be selected in those cases. 1400 */ 1401 if (!boot_cpu_has(X86_FEATURE_STIBP) || 1402 !smt_possible || 1403 (spectre_v2_in_eibrs_mode(spectre_v2_enabled) && 1404 !boot_cpu_has(X86_FEATURE_AUTOIBRS))) 1405 return; 1406 1407 /* 1408 * At this point, an STIBP mode other than "off" has been set. 1409 * If STIBP support is not being forced, check if STIBP always-on 1410 * is preferred. 1411 */ 1412 if (mode != SPECTRE_V2_USER_STRICT && 1413 boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON)) 1414 mode = SPECTRE_V2_USER_STRICT_PREFERRED; 1415 1416 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET || 1417 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) { 1418 if (mode != SPECTRE_V2_USER_STRICT && 1419 mode != SPECTRE_V2_USER_STRICT_PREFERRED) 1420 pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n"); 1421 mode = SPECTRE_V2_USER_STRICT_PREFERRED; 1422 } 1423 1424 spectre_v2_user_stibp = mode; 1425 1426 set_mode: 1427 pr_info("%s\n", spectre_v2_user_strings[mode]); 1428 } 1429 1430 static const char * const spectre_v2_strings[] = { 1431 [SPECTRE_V2_NONE] = "Vulnerable", 1432 [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines", 1433 [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE", 1434 [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced / Automatic IBRS", 1435 [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced / Automatic IBRS + LFENCE", 1436 [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced / Automatic IBRS + Retpolines", 1437 [SPECTRE_V2_IBRS] = "Mitigation: IBRS", 1438 }; 1439 1440 static const struct { 1441 const char *option; 1442 enum spectre_v2_mitigation_cmd cmd; 1443 bool secure; 1444 } mitigation_options[] __initconst = { 1445 { "off", SPECTRE_V2_CMD_NONE, false }, 1446 { "on", SPECTRE_V2_CMD_FORCE, true }, 1447 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, 1448 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, 1449 { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false }, 1450 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, 1451 { "eibrs", SPECTRE_V2_CMD_EIBRS, false }, 1452 { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false }, 1453 { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false }, 1454 { "auto", SPECTRE_V2_CMD_AUTO, false }, 1455 { "ibrs", SPECTRE_V2_CMD_IBRS, false }, 1456 }; 1457 1458 static void __init spec_v2_print_cond(const char *reason, bool secure) 1459 { 1460 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure) 1461 pr_info("%s selected on command line.\n", reason); 1462 } 1463 1464 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) 1465 { 1466 enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO; 1467 char arg[20]; 1468 int ret, i; 1469 1470 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") || 1471 cpu_mitigations_off()) 1472 return SPECTRE_V2_CMD_NONE; 1473 1474 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg)); 1475 if (ret < 0) 1476 return SPECTRE_V2_CMD_AUTO; 1477 1478 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) { 1479 if (!match_option(arg, ret, mitigation_options[i].option)) 1480 continue; 1481 cmd = mitigation_options[i].cmd; 1482 break; 1483 } 1484 1485 if (i >= ARRAY_SIZE(mitigation_options)) { 1486 pr_err("unknown option (%s). Switching to AUTO select\n", arg); 1487 return SPECTRE_V2_CMD_AUTO; 1488 } 1489 1490 if ((cmd == SPECTRE_V2_CMD_RETPOLINE || 1491 cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE || 1492 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC || 1493 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE || 1494 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) && 1495 !IS_ENABLED(CONFIG_RETPOLINE)) { 1496 pr_err("%s selected but not compiled in. Switching to AUTO select\n", 1497 mitigation_options[i].option); 1498 return SPECTRE_V2_CMD_AUTO; 1499 } 1500 1501 if ((cmd == SPECTRE_V2_CMD_EIBRS || 1502 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE || 1503 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) && 1504 !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { 1505 pr_err("%s selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n", 1506 mitigation_options[i].option); 1507 return SPECTRE_V2_CMD_AUTO; 1508 } 1509 1510 if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE || 1511 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) && 1512 !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { 1513 pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n", 1514 mitigation_options[i].option); 1515 return SPECTRE_V2_CMD_AUTO; 1516 } 1517 1518 if (cmd == SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_CPU_IBRS_ENTRY)) { 1519 pr_err("%s selected but not compiled in. Switching to AUTO select\n", 1520 mitigation_options[i].option); 1521 return SPECTRE_V2_CMD_AUTO; 1522 } 1523 1524 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) { 1525 pr_err("%s selected but not Intel CPU. Switching to AUTO select\n", 1526 mitigation_options[i].option); 1527 return SPECTRE_V2_CMD_AUTO; 1528 } 1529 1530 if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) { 1531 pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n", 1532 mitigation_options[i].option); 1533 return SPECTRE_V2_CMD_AUTO; 1534 } 1535 1536 if (cmd == SPECTRE_V2_CMD_IBRS && cpu_feature_enabled(X86_FEATURE_XENPV)) { 1537 pr_err("%s selected but running as XenPV guest. Switching to AUTO select\n", 1538 mitigation_options[i].option); 1539 return SPECTRE_V2_CMD_AUTO; 1540 } 1541 1542 spec_v2_print_cond(mitigation_options[i].option, 1543 mitigation_options[i].secure); 1544 return cmd; 1545 } 1546 1547 static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void) 1548 { 1549 if (!IS_ENABLED(CONFIG_RETPOLINE)) { 1550 pr_err("Kernel not compiled with retpoline; no mitigation available!"); 1551 return SPECTRE_V2_NONE; 1552 } 1553 1554 return SPECTRE_V2_RETPOLINE; 1555 } 1556 1557 static bool __ro_after_init rrsba_disabled; 1558 1559 /* Disable in-kernel use of non-RSB RET predictors */ 1560 static void __init spec_ctrl_disable_kernel_rrsba(void) 1561 { 1562 if (rrsba_disabled) 1563 return; 1564 1565 if (!(x86_arch_cap_msr & ARCH_CAP_RRSBA)) { 1566 rrsba_disabled = true; 1567 return; 1568 } 1569 1570 if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL)) 1571 return; 1572 1573 x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S; 1574 update_spec_ctrl(x86_spec_ctrl_base); 1575 rrsba_disabled = true; 1576 } 1577 1578 static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode) 1579 { 1580 /* 1581 * Similar to context switches, there are two types of RSB attacks 1582 * after VM exit: 1583 * 1584 * 1) RSB underflow 1585 * 1586 * 2) Poisoned RSB entry 1587 * 1588 * When retpoline is enabled, both are mitigated by filling/clearing 1589 * the RSB. 1590 * 1591 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch 1592 * prediction isolation protections, RSB still needs to be cleared 1593 * because of #2. Note that SMEP provides no protection here, unlike 1594 * user-space-poisoned RSB entries. 1595 * 1596 * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB 1597 * bug is present then a LITE version of RSB protection is required, 1598 * just a single call needs to retire before a RET is executed. 1599 */ 1600 switch (mode) { 1601 case SPECTRE_V2_NONE: 1602 return; 1603 1604 case SPECTRE_V2_EIBRS_LFENCE: 1605 case SPECTRE_V2_EIBRS: 1606 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { 1607 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); 1608 pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n"); 1609 } 1610 return; 1611 1612 case SPECTRE_V2_EIBRS_RETPOLINE: 1613 case SPECTRE_V2_RETPOLINE: 1614 case SPECTRE_V2_LFENCE: 1615 case SPECTRE_V2_IBRS: 1616 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); 1617 pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n"); 1618 return; 1619 } 1620 1621 pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit"); 1622 dump_stack(); 1623 } 1624 1625 /* 1626 * Set BHI_DIS_S to prevent indirect branches in kernel to be influenced by 1627 * branch history in userspace. Not needed if BHI_NO is set. 1628 */ 1629 static bool __init spec_ctrl_bhi_dis(void) 1630 { 1631 if (!boot_cpu_has(X86_FEATURE_BHI_CTRL)) 1632 return false; 1633 1634 x86_spec_ctrl_base |= SPEC_CTRL_BHI_DIS_S; 1635 update_spec_ctrl(x86_spec_ctrl_base); 1636 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_HW); 1637 1638 return true; 1639 } 1640 1641 enum bhi_mitigations { 1642 BHI_MITIGATION_OFF, 1643 BHI_MITIGATION_ON, 1644 }; 1645 1646 static enum bhi_mitigations bhi_mitigation __ro_after_init = 1647 IS_ENABLED(CONFIG_MITIGATION_SPECTRE_BHI) ? BHI_MITIGATION_ON : BHI_MITIGATION_OFF; 1648 1649 static int __init spectre_bhi_parse_cmdline(char *str) 1650 { 1651 if (!str) 1652 return -EINVAL; 1653 1654 if (!strcmp(str, "off")) 1655 bhi_mitigation = BHI_MITIGATION_OFF; 1656 else if (!strcmp(str, "on")) 1657 bhi_mitigation = BHI_MITIGATION_ON; 1658 else 1659 pr_err("Ignoring unknown spectre_bhi option (%s)", str); 1660 1661 return 0; 1662 } 1663 early_param("spectre_bhi", spectre_bhi_parse_cmdline); 1664 1665 static void __init bhi_select_mitigation(void) 1666 { 1667 if (bhi_mitigation == BHI_MITIGATION_OFF) 1668 return; 1669 1670 /* Retpoline mitigates against BHI unless the CPU has RRSBA behavior */ 1671 if (boot_cpu_has(X86_FEATURE_RETPOLINE) && 1672 !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE)) { 1673 spec_ctrl_disable_kernel_rrsba(); 1674 if (rrsba_disabled) 1675 return; 1676 } 1677 1678 if (spec_ctrl_bhi_dis()) 1679 return; 1680 1681 if (!IS_ENABLED(CONFIG_X86_64)) 1682 return; 1683 1684 /* Mitigate KVM by default */ 1685 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT); 1686 pr_info("Spectre BHI mitigation: SW BHB clearing on vm exit\n"); 1687 1688 /* Mitigate syscalls when the mitigation is forced =on */ 1689 setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_LOOP); 1690 pr_info("Spectre BHI mitigation: SW BHB clearing on syscall\n"); 1691 } 1692 1693 static void __init spectre_v2_select_mitigation(void) 1694 { 1695 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); 1696 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE; 1697 1698 /* 1699 * If the CPU is not affected and the command line mode is NONE or AUTO 1700 * then nothing to do. 1701 */ 1702 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) && 1703 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO)) 1704 return; 1705 1706 switch (cmd) { 1707 case SPECTRE_V2_CMD_NONE: 1708 return; 1709 1710 case SPECTRE_V2_CMD_FORCE: 1711 case SPECTRE_V2_CMD_AUTO: 1712 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { 1713 mode = SPECTRE_V2_EIBRS; 1714 break; 1715 } 1716 1717 if (IS_ENABLED(CONFIG_CPU_IBRS_ENTRY) && 1718 boot_cpu_has_bug(X86_BUG_RETBLEED) && 1719 retbleed_cmd != RETBLEED_CMD_OFF && 1720 retbleed_cmd != RETBLEED_CMD_STUFF && 1721 boot_cpu_has(X86_FEATURE_IBRS) && 1722 boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) { 1723 mode = SPECTRE_V2_IBRS; 1724 break; 1725 } 1726 1727 mode = spectre_v2_select_retpoline(); 1728 break; 1729 1730 case SPECTRE_V2_CMD_RETPOLINE_LFENCE: 1731 pr_err(SPECTRE_V2_LFENCE_MSG); 1732 mode = SPECTRE_V2_LFENCE; 1733 break; 1734 1735 case SPECTRE_V2_CMD_RETPOLINE_GENERIC: 1736 mode = SPECTRE_V2_RETPOLINE; 1737 break; 1738 1739 case SPECTRE_V2_CMD_RETPOLINE: 1740 mode = spectre_v2_select_retpoline(); 1741 break; 1742 1743 case SPECTRE_V2_CMD_IBRS: 1744 mode = SPECTRE_V2_IBRS; 1745 break; 1746 1747 case SPECTRE_V2_CMD_EIBRS: 1748 mode = SPECTRE_V2_EIBRS; 1749 break; 1750 1751 case SPECTRE_V2_CMD_EIBRS_LFENCE: 1752 mode = SPECTRE_V2_EIBRS_LFENCE; 1753 break; 1754 1755 case SPECTRE_V2_CMD_EIBRS_RETPOLINE: 1756 mode = SPECTRE_V2_EIBRS_RETPOLINE; 1757 break; 1758 } 1759 1760 if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) 1761 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); 1762 1763 if (spectre_v2_in_ibrs_mode(mode)) { 1764 if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) { 1765 msr_set_bit(MSR_EFER, _EFER_AUTOIBRS); 1766 } else { 1767 x86_spec_ctrl_base |= SPEC_CTRL_IBRS; 1768 update_spec_ctrl(x86_spec_ctrl_base); 1769 } 1770 } 1771 1772 switch (mode) { 1773 case SPECTRE_V2_NONE: 1774 case SPECTRE_V2_EIBRS: 1775 break; 1776 1777 case SPECTRE_V2_IBRS: 1778 setup_force_cpu_cap(X86_FEATURE_KERNEL_IBRS); 1779 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) 1780 pr_warn(SPECTRE_V2_IBRS_PERF_MSG); 1781 break; 1782 1783 case SPECTRE_V2_LFENCE: 1784 case SPECTRE_V2_EIBRS_LFENCE: 1785 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE); 1786 fallthrough; 1787 1788 case SPECTRE_V2_RETPOLINE: 1789 case SPECTRE_V2_EIBRS_RETPOLINE: 1790 setup_force_cpu_cap(X86_FEATURE_RETPOLINE); 1791 break; 1792 } 1793 1794 /* 1795 * Disable alternate RSB predictions in kernel when indirect CALLs and 1796 * JMPs gets protection against BHI and Intramode-BTI, but RET 1797 * prediction from a non-RSB predictor is still a risk. 1798 */ 1799 if (mode == SPECTRE_V2_EIBRS_LFENCE || 1800 mode == SPECTRE_V2_EIBRS_RETPOLINE || 1801 mode == SPECTRE_V2_RETPOLINE) 1802 spec_ctrl_disable_kernel_rrsba(); 1803 1804 if (boot_cpu_has(X86_BUG_BHI)) 1805 bhi_select_mitigation(); 1806 1807 spectre_v2_enabled = mode; 1808 pr_info("%s\n", spectre_v2_strings[mode]); 1809 1810 /* 1811 * If Spectre v2 protection has been enabled, fill the RSB during a 1812 * context switch. In general there are two types of RSB attacks 1813 * across context switches, for which the CALLs/RETs may be unbalanced. 1814 * 1815 * 1) RSB underflow 1816 * 1817 * Some Intel parts have "bottomless RSB". When the RSB is empty, 1818 * speculated return targets may come from the branch predictor, 1819 * which could have a user-poisoned BTB or BHB entry. 1820 * 1821 * AMD has it even worse: *all* returns are speculated from the BTB, 1822 * regardless of the state of the RSB. 1823 * 1824 * When IBRS or eIBRS is enabled, the "user -> kernel" attack 1825 * scenario is mitigated by the IBRS branch prediction isolation 1826 * properties, so the RSB buffer filling wouldn't be necessary to 1827 * protect against this type of attack. 1828 * 1829 * The "user -> user" attack scenario is mitigated by RSB filling. 1830 * 1831 * 2) Poisoned RSB entry 1832 * 1833 * If the 'next' in-kernel return stack is shorter than 'prev', 1834 * 'next' could be tricked into speculating with a user-poisoned RSB 1835 * entry. 1836 * 1837 * The "user -> kernel" attack scenario is mitigated by SMEP and 1838 * eIBRS. 1839 * 1840 * The "user -> user" scenario, also known as SpectreBHB, requires 1841 * RSB clearing. 1842 * 1843 * So to mitigate all cases, unconditionally fill RSB on context 1844 * switches. 1845 * 1846 * FIXME: Is this pointless for retbleed-affected AMD? 1847 */ 1848 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); 1849 pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); 1850 1851 spectre_v2_determine_rsb_fill_type_at_vmexit(mode); 1852 1853 /* 1854 * Retpoline protects the kernel, but doesn't protect firmware. IBRS 1855 * and Enhanced IBRS protect firmware too, so enable IBRS around 1856 * firmware calls only when IBRS / Enhanced / Automatic IBRS aren't 1857 * otherwise enabled. 1858 * 1859 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because 1860 * the user might select retpoline on the kernel command line and if 1861 * the CPU supports Enhanced IBRS, kernel might un-intentionally not 1862 * enable IBRS around firmware calls. 1863 */ 1864 if (boot_cpu_has_bug(X86_BUG_RETBLEED) && 1865 boot_cpu_has(X86_FEATURE_IBPB) && 1866 (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || 1867 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)) { 1868 1869 if (retbleed_cmd != RETBLEED_CMD_IBPB) { 1870 setup_force_cpu_cap(X86_FEATURE_USE_IBPB_FW); 1871 pr_info("Enabling Speculation Barrier for firmware calls\n"); 1872 } 1873 1874 } else if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_ibrs_mode(mode)) { 1875 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); 1876 pr_info("Enabling Restricted Speculation for firmware calls\n"); 1877 } 1878 1879 /* Set up IBPB and STIBP depending on the general spectre V2 command */ 1880 spectre_v2_cmd = cmd; 1881 } 1882 1883 static void update_stibp_msr(void * __unused) 1884 { 1885 u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP); 1886 update_spec_ctrl(val); 1887 } 1888 1889 /* Update x86_spec_ctrl_base in case SMT state changed. */ 1890 static void update_stibp_strict(void) 1891 { 1892 u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP; 1893 1894 if (sched_smt_active()) 1895 mask |= SPEC_CTRL_STIBP; 1896 1897 if (mask == x86_spec_ctrl_base) 1898 return; 1899 1900 pr_info("Update user space SMT mitigation: STIBP %s\n", 1901 mask & SPEC_CTRL_STIBP ? "always-on" : "off"); 1902 x86_spec_ctrl_base = mask; 1903 on_each_cpu(update_stibp_msr, NULL, 1); 1904 } 1905 1906 /* Update the static key controlling the evaluation of TIF_SPEC_IB */ 1907 static void update_indir_branch_cond(void) 1908 { 1909 if (sched_smt_active()) 1910 static_branch_enable(&switch_to_cond_stibp); 1911 else 1912 static_branch_disable(&switch_to_cond_stibp); 1913 } 1914 1915 #undef pr_fmt 1916 #define pr_fmt(fmt) fmt 1917 1918 /* Update the static key controlling the MDS CPU buffer clear in idle */ 1919 static void update_mds_branch_idle(void) 1920 { 1921 /* 1922 * Enable the idle clearing if SMT is active on CPUs which are 1923 * affected only by MSBDS and not any other MDS variant. 1924 * 1925 * The other variants cannot be mitigated when SMT is enabled, so 1926 * clearing the buffers on idle just to prevent the Store Buffer 1927 * repartitioning leak would be a window dressing exercise. 1928 */ 1929 if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY)) 1930 return; 1931 1932 if (sched_smt_active()) { 1933 static_branch_enable(&mds_idle_clear); 1934 } else if (mmio_mitigation == MMIO_MITIGATION_OFF || 1935 (x86_arch_cap_msr & ARCH_CAP_FBSDP_NO)) { 1936 static_branch_disable(&mds_idle_clear); 1937 } 1938 } 1939 1940 #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n" 1941 #define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n" 1942 #define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.\n" 1943 1944 void cpu_bugs_smt_update(void) 1945 { 1946 mutex_lock(&spec_ctrl_mutex); 1947 1948 if (sched_smt_active() && unprivileged_ebpf_enabled() && 1949 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) 1950 pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG); 1951 1952 switch (spectre_v2_user_stibp) { 1953 case SPECTRE_V2_USER_NONE: 1954 break; 1955 case SPECTRE_V2_USER_STRICT: 1956 case SPECTRE_V2_USER_STRICT_PREFERRED: 1957 update_stibp_strict(); 1958 break; 1959 case SPECTRE_V2_USER_PRCTL: 1960 case SPECTRE_V2_USER_SECCOMP: 1961 update_indir_branch_cond(); 1962 break; 1963 } 1964 1965 switch (mds_mitigation) { 1966 case MDS_MITIGATION_FULL: 1967 case MDS_MITIGATION_VMWERV: 1968 if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY)) 1969 pr_warn_once(MDS_MSG_SMT); 1970 update_mds_branch_idle(); 1971 break; 1972 case MDS_MITIGATION_OFF: 1973 break; 1974 } 1975 1976 switch (taa_mitigation) { 1977 case TAA_MITIGATION_VERW: 1978 case TAA_MITIGATION_UCODE_NEEDED: 1979 if (sched_smt_active()) 1980 pr_warn_once(TAA_MSG_SMT); 1981 break; 1982 case TAA_MITIGATION_TSX_DISABLED: 1983 case TAA_MITIGATION_OFF: 1984 break; 1985 } 1986 1987 switch (mmio_mitigation) { 1988 case MMIO_MITIGATION_VERW: 1989 case MMIO_MITIGATION_UCODE_NEEDED: 1990 if (sched_smt_active()) 1991 pr_warn_once(MMIO_MSG_SMT); 1992 break; 1993 case MMIO_MITIGATION_OFF: 1994 break; 1995 } 1996 1997 mutex_unlock(&spec_ctrl_mutex); 1998 } 1999 2000 #undef pr_fmt 2001 #define pr_fmt(fmt) "Speculative Store Bypass: " fmt 2002 2003 static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE; 2004 2005 /* The kernel command line selection */ 2006 enum ssb_mitigation_cmd { 2007 SPEC_STORE_BYPASS_CMD_NONE, 2008 SPEC_STORE_BYPASS_CMD_AUTO, 2009 SPEC_STORE_BYPASS_CMD_ON, 2010 SPEC_STORE_BYPASS_CMD_PRCTL, 2011 SPEC_STORE_BYPASS_CMD_SECCOMP, 2012 }; 2013 2014 static const char * const ssb_strings[] = { 2015 [SPEC_STORE_BYPASS_NONE] = "Vulnerable", 2016 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled", 2017 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl", 2018 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp", 2019 }; 2020 2021 static const struct { 2022 const char *option; 2023 enum ssb_mitigation_cmd cmd; 2024 } ssb_mitigation_options[] __initconst = { 2025 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ 2026 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ 2027 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ 2028 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */ 2029 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */ 2030 }; 2031 2032 static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) 2033 { 2034 enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO; 2035 char arg[20]; 2036 int ret, i; 2037 2038 if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") || 2039 cpu_mitigations_off()) { 2040 return SPEC_STORE_BYPASS_CMD_NONE; 2041 } else { 2042 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable", 2043 arg, sizeof(arg)); 2044 if (ret < 0) 2045 return SPEC_STORE_BYPASS_CMD_AUTO; 2046 2047 for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) { 2048 if (!match_option(arg, ret, ssb_mitigation_options[i].option)) 2049 continue; 2050 2051 cmd = ssb_mitigation_options[i].cmd; 2052 break; 2053 } 2054 2055 if (i >= ARRAY_SIZE(ssb_mitigation_options)) { 2056 pr_err("unknown option (%s). Switching to AUTO select\n", arg); 2057 return SPEC_STORE_BYPASS_CMD_AUTO; 2058 } 2059 } 2060 2061 return cmd; 2062 } 2063 2064 static enum ssb_mitigation __init __ssb_select_mitigation(void) 2065 { 2066 enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE; 2067 enum ssb_mitigation_cmd cmd; 2068 2069 if (!boot_cpu_has(X86_FEATURE_SSBD)) 2070 return mode; 2071 2072 cmd = ssb_parse_cmdline(); 2073 if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) && 2074 (cmd == SPEC_STORE_BYPASS_CMD_NONE || 2075 cmd == SPEC_STORE_BYPASS_CMD_AUTO)) 2076 return mode; 2077 2078 switch (cmd) { 2079 case SPEC_STORE_BYPASS_CMD_SECCOMP: 2080 /* 2081 * Choose prctl+seccomp as the default mode if seccomp is 2082 * enabled. 2083 */ 2084 if (IS_ENABLED(CONFIG_SECCOMP)) 2085 mode = SPEC_STORE_BYPASS_SECCOMP; 2086 else 2087 mode = SPEC_STORE_BYPASS_PRCTL; 2088 break; 2089 case SPEC_STORE_BYPASS_CMD_ON: 2090 mode = SPEC_STORE_BYPASS_DISABLE; 2091 break; 2092 case SPEC_STORE_BYPASS_CMD_AUTO: 2093 case SPEC_STORE_BYPASS_CMD_PRCTL: 2094 mode = SPEC_STORE_BYPASS_PRCTL; 2095 break; 2096 case SPEC_STORE_BYPASS_CMD_NONE: 2097 break; 2098 } 2099 2100 /* 2101 * We have three CPU feature flags that are in play here: 2102 * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. 2103 * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass 2104 * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation 2105 */ 2106 if (mode == SPEC_STORE_BYPASS_DISABLE) { 2107 setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); 2108 /* 2109 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may 2110 * use a completely different MSR and bit dependent on family. 2111 */ 2112 if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) && 2113 !static_cpu_has(X86_FEATURE_AMD_SSBD)) { 2114 x86_amd_ssb_disable(); 2115 } else { 2116 x86_spec_ctrl_base |= SPEC_CTRL_SSBD; 2117 update_spec_ctrl(x86_spec_ctrl_base); 2118 } 2119 } 2120 2121 return mode; 2122 } 2123 2124 static void ssb_select_mitigation(void) 2125 { 2126 ssb_mode = __ssb_select_mitigation(); 2127 2128 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) 2129 pr_info("%s\n", ssb_strings[ssb_mode]); 2130 } 2131 2132 #undef pr_fmt 2133 #define pr_fmt(fmt) "Speculation prctl: " fmt 2134 2135 static void task_update_spec_tif(struct task_struct *tsk) 2136 { 2137 /* Force the update of the real TIF bits */ 2138 set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE); 2139 2140 /* 2141 * Immediately update the speculation control MSRs for the current 2142 * task, but for a non-current task delay setting the CPU 2143 * mitigation until it is scheduled next. 2144 * 2145 * This can only happen for SECCOMP mitigation. For PRCTL it's 2146 * always the current task. 2147 */ 2148 if (tsk == current) 2149 speculation_ctrl_update_current(); 2150 } 2151 2152 static int l1d_flush_prctl_set(struct task_struct *task, unsigned long ctrl) 2153 { 2154 2155 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush)) 2156 return -EPERM; 2157 2158 switch (ctrl) { 2159 case PR_SPEC_ENABLE: 2160 set_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH); 2161 return 0; 2162 case PR_SPEC_DISABLE: 2163 clear_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH); 2164 return 0; 2165 default: 2166 return -ERANGE; 2167 } 2168 } 2169 2170 static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) 2171 { 2172 if (ssb_mode != SPEC_STORE_BYPASS_PRCTL && 2173 ssb_mode != SPEC_STORE_BYPASS_SECCOMP) 2174 return -ENXIO; 2175 2176 switch (ctrl) { 2177 case PR_SPEC_ENABLE: 2178 /* If speculation is force disabled, enable is not allowed */ 2179 if (task_spec_ssb_force_disable(task)) 2180 return -EPERM; 2181 task_clear_spec_ssb_disable(task); 2182 task_clear_spec_ssb_noexec(task); 2183 task_update_spec_tif(task); 2184 break; 2185 case PR_SPEC_DISABLE: 2186 task_set_spec_ssb_disable(task); 2187 task_clear_spec_ssb_noexec(task); 2188 task_update_spec_tif(task); 2189 break; 2190 case PR_SPEC_FORCE_DISABLE: 2191 task_set_spec_ssb_disable(task); 2192 task_set_spec_ssb_force_disable(task); 2193 task_clear_spec_ssb_noexec(task); 2194 task_update_spec_tif(task); 2195 break; 2196 case PR_SPEC_DISABLE_NOEXEC: 2197 if (task_spec_ssb_force_disable(task)) 2198 return -EPERM; 2199 task_set_spec_ssb_disable(task); 2200 task_set_spec_ssb_noexec(task); 2201 task_update_spec_tif(task); 2202 break; 2203 default: 2204 return -ERANGE; 2205 } 2206 return 0; 2207 } 2208 2209 static bool is_spec_ib_user_controlled(void) 2210 { 2211 return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL || 2212 spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP || 2213 spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL || 2214 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP; 2215 } 2216 2217 static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) 2218 { 2219 switch (ctrl) { 2220 case PR_SPEC_ENABLE: 2221 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && 2222 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) 2223 return 0; 2224 2225 /* 2226 * With strict mode for both IBPB and STIBP, the instruction 2227 * code paths avoid checking this task flag and instead, 2228 * unconditionally run the instruction. However, STIBP and IBPB 2229 * are independent and either can be set to conditionally 2230 * enabled regardless of the mode of the other. 2231 * 2232 * If either is set to conditional, allow the task flag to be 2233 * updated, unless it was force-disabled by a previous prctl 2234 * call. Currently, this is possible on an AMD CPU which has the 2235 * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the 2236 * kernel is booted with 'spectre_v2_user=seccomp', then 2237 * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and 2238 * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED. 2239 */ 2240 if (!is_spec_ib_user_controlled() || 2241 task_spec_ib_force_disable(task)) 2242 return -EPERM; 2243 2244 task_clear_spec_ib_disable(task); 2245 task_update_spec_tif(task); 2246 break; 2247 case PR_SPEC_DISABLE: 2248 case PR_SPEC_FORCE_DISABLE: 2249 /* 2250 * Indirect branch speculation is always allowed when 2251 * mitigation is force disabled. 2252 */ 2253 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && 2254 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) 2255 return -EPERM; 2256 2257 if (!is_spec_ib_user_controlled()) 2258 return 0; 2259 2260 task_set_spec_ib_disable(task); 2261 if (ctrl == PR_SPEC_FORCE_DISABLE) 2262 task_set_spec_ib_force_disable(task); 2263 task_update_spec_tif(task); 2264 if (task == current) 2265 indirect_branch_prediction_barrier(); 2266 break; 2267 default: 2268 return -ERANGE; 2269 } 2270 return 0; 2271 } 2272 2273 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, 2274 unsigned long ctrl) 2275 { 2276 switch (which) { 2277 case PR_SPEC_STORE_BYPASS: 2278 return ssb_prctl_set(task, ctrl); 2279 case PR_SPEC_INDIRECT_BRANCH: 2280 return ib_prctl_set(task, ctrl); 2281 case PR_SPEC_L1D_FLUSH: 2282 return l1d_flush_prctl_set(task, ctrl); 2283 default: 2284 return -ENODEV; 2285 } 2286 } 2287 2288 #ifdef CONFIG_SECCOMP 2289 void arch_seccomp_spec_mitigate(struct task_struct *task) 2290 { 2291 if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP) 2292 ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); 2293 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP || 2294 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP) 2295 ib_prctl_set(task, PR_SPEC_FORCE_DISABLE); 2296 } 2297 #endif 2298 2299 static int l1d_flush_prctl_get(struct task_struct *task) 2300 { 2301 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush)) 2302 return PR_SPEC_FORCE_DISABLE; 2303 2304 if (test_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH)) 2305 return PR_SPEC_PRCTL | PR_SPEC_ENABLE; 2306 else 2307 return PR_SPEC_PRCTL | PR_SPEC_DISABLE; 2308 } 2309 2310 static int ssb_prctl_get(struct task_struct *task) 2311 { 2312 switch (ssb_mode) { 2313 case SPEC_STORE_BYPASS_DISABLE: 2314 return PR_SPEC_DISABLE; 2315 case SPEC_STORE_BYPASS_SECCOMP: 2316 case SPEC_STORE_BYPASS_PRCTL: 2317 if (task_spec_ssb_force_disable(task)) 2318 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; 2319 if (task_spec_ssb_noexec(task)) 2320 return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC; 2321 if (task_spec_ssb_disable(task)) 2322 return PR_SPEC_PRCTL | PR_SPEC_DISABLE; 2323 return PR_SPEC_PRCTL | PR_SPEC_ENABLE; 2324 default: 2325 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) 2326 return PR_SPEC_ENABLE; 2327 return PR_SPEC_NOT_AFFECTED; 2328 } 2329 } 2330 2331 static int ib_prctl_get(struct task_struct *task) 2332 { 2333 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) 2334 return PR_SPEC_NOT_AFFECTED; 2335 2336 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && 2337 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) 2338 return PR_SPEC_ENABLE; 2339 else if (is_spec_ib_user_controlled()) { 2340 if (task_spec_ib_force_disable(task)) 2341 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; 2342 if (task_spec_ib_disable(task)) 2343 return PR_SPEC_PRCTL | PR_SPEC_DISABLE; 2344 return PR_SPEC_PRCTL | PR_SPEC_ENABLE; 2345 } else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || 2346 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || 2347 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) 2348 return PR_SPEC_DISABLE; 2349 else 2350 return PR_SPEC_NOT_AFFECTED; 2351 } 2352 2353 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) 2354 { 2355 switch (which) { 2356 case PR_SPEC_STORE_BYPASS: 2357 return ssb_prctl_get(task); 2358 case PR_SPEC_INDIRECT_BRANCH: 2359 return ib_prctl_get(task); 2360 case PR_SPEC_L1D_FLUSH: 2361 return l1d_flush_prctl_get(task); 2362 default: 2363 return -ENODEV; 2364 } 2365 } 2366 2367 void x86_spec_ctrl_setup_ap(void) 2368 { 2369 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) 2370 update_spec_ctrl(x86_spec_ctrl_base); 2371 2372 if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) 2373 x86_amd_ssb_disable(); 2374 } 2375 2376 bool itlb_multihit_kvm_mitigation; 2377 EXPORT_SYMBOL_GPL(itlb_multihit_kvm_mitigation); 2378 2379 #undef pr_fmt 2380 #define pr_fmt(fmt) "L1TF: " fmt 2381 2382 /* Default mitigation for L1TF-affected CPUs */ 2383 enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH; 2384 #if IS_ENABLED(CONFIG_KVM_INTEL) 2385 EXPORT_SYMBOL_GPL(l1tf_mitigation); 2386 #endif 2387 enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO; 2388 EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation); 2389 2390 /* 2391 * These CPUs all support 44bits physical address space internally in the 2392 * cache but CPUID can report a smaller number of physical address bits. 2393 * 2394 * The L1TF mitigation uses the top most address bit for the inversion of 2395 * non present PTEs. When the installed memory reaches into the top most 2396 * address bit due to memory holes, which has been observed on machines 2397 * which report 36bits physical address bits and have 32G RAM installed, 2398 * then the mitigation range check in l1tf_select_mitigation() triggers. 2399 * This is a false positive because the mitigation is still possible due to 2400 * the fact that the cache uses 44bit internally. Use the cache bits 2401 * instead of the reported physical bits and adjust them on the affected 2402 * machines to 44bit if the reported bits are less than 44. 2403 */ 2404 static void override_cache_bits(struct cpuinfo_x86 *c) 2405 { 2406 if (c->x86 != 6) 2407 return; 2408 2409 switch (c->x86_model) { 2410 case INTEL_FAM6_NEHALEM: 2411 case INTEL_FAM6_WESTMERE: 2412 case INTEL_FAM6_SANDYBRIDGE: 2413 case INTEL_FAM6_IVYBRIDGE: 2414 case INTEL_FAM6_HASWELL: 2415 case INTEL_FAM6_HASWELL_L: 2416 case INTEL_FAM6_HASWELL_G: 2417 case INTEL_FAM6_BROADWELL: 2418 case INTEL_FAM6_BROADWELL_G: 2419 case INTEL_FAM6_SKYLAKE_L: 2420 case INTEL_FAM6_SKYLAKE: 2421 case INTEL_FAM6_KABYLAKE_L: 2422 case INTEL_FAM6_KABYLAKE: 2423 if (c->x86_cache_bits < 44) 2424 c->x86_cache_bits = 44; 2425 break; 2426 } 2427 } 2428 2429 static void __init l1tf_select_mitigation(void) 2430 { 2431 u64 half_pa; 2432 2433 if (!boot_cpu_has_bug(X86_BUG_L1TF)) 2434 return; 2435 2436 if (cpu_mitigations_off()) 2437 l1tf_mitigation = L1TF_MITIGATION_OFF; 2438 else if (cpu_mitigations_auto_nosmt()) 2439 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT; 2440 2441 override_cache_bits(&boot_cpu_data); 2442 2443 switch (l1tf_mitigation) { 2444 case L1TF_MITIGATION_OFF: 2445 case L1TF_MITIGATION_FLUSH_NOWARN: 2446 case L1TF_MITIGATION_FLUSH: 2447 break; 2448 case L1TF_MITIGATION_FLUSH_NOSMT: 2449 case L1TF_MITIGATION_FULL: 2450 cpu_smt_disable(false); 2451 break; 2452 case L1TF_MITIGATION_FULL_FORCE: 2453 cpu_smt_disable(true); 2454 break; 2455 } 2456 2457 #if CONFIG_PGTABLE_LEVELS == 2 2458 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n"); 2459 return; 2460 #endif 2461 2462 half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT; 2463 if (l1tf_mitigation != L1TF_MITIGATION_OFF && 2464 e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) { 2465 pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n"); 2466 pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n", 2467 half_pa); 2468 pr_info("However, doing so will make a part of your RAM unusable.\n"); 2469 pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n"); 2470 return; 2471 } 2472 2473 setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV); 2474 } 2475 2476 static int __init l1tf_cmdline(char *str) 2477 { 2478 if (!boot_cpu_has_bug(X86_BUG_L1TF)) 2479 return 0; 2480 2481 if (!str) 2482 return -EINVAL; 2483 2484 if (!strcmp(str, "off")) 2485 l1tf_mitigation = L1TF_MITIGATION_OFF; 2486 else if (!strcmp(str, "flush,nowarn")) 2487 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN; 2488 else if (!strcmp(str, "flush")) 2489 l1tf_mitigation = L1TF_MITIGATION_FLUSH; 2490 else if (!strcmp(str, "flush,nosmt")) 2491 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT; 2492 else if (!strcmp(str, "full")) 2493 l1tf_mitigation = L1TF_MITIGATION_FULL; 2494 else if (!strcmp(str, "full,force")) 2495 l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE; 2496 2497 return 0; 2498 } 2499 early_param("l1tf", l1tf_cmdline); 2500 2501 #undef pr_fmt 2502 #define pr_fmt(fmt) "Speculative Return Stack Overflow: " fmt 2503 2504 enum srso_mitigation { 2505 SRSO_MITIGATION_NONE, 2506 SRSO_MITIGATION_UCODE_NEEDED, 2507 SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED, 2508 SRSO_MITIGATION_MICROCODE, 2509 SRSO_MITIGATION_SAFE_RET, 2510 SRSO_MITIGATION_IBPB, 2511 SRSO_MITIGATION_IBPB_ON_VMEXIT, 2512 }; 2513 2514 enum srso_mitigation_cmd { 2515 SRSO_CMD_OFF, 2516 SRSO_CMD_MICROCODE, 2517 SRSO_CMD_SAFE_RET, 2518 SRSO_CMD_IBPB, 2519 SRSO_CMD_IBPB_ON_VMEXIT, 2520 }; 2521 2522 static const char * const srso_strings[] = { 2523 [SRSO_MITIGATION_NONE] = "Vulnerable", 2524 [SRSO_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode", 2525 [SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED] = "Vulnerable: Safe RET, no microcode", 2526 [SRSO_MITIGATION_MICROCODE] = "Vulnerable: Microcode, no safe RET", 2527 [SRSO_MITIGATION_SAFE_RET] = "Mitigation: Safe RET", 2528 [SRSO_MITIGATION_IBPB] = "Mitigation: IBPB", 2529 [SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only" 2530 }; 2531 2532 static enum srso_mitigation srso_mitigation __ro_after_init = SRSO_MITIGATION_NONE; 2533 static enum srso_mitigation_cmd srso_cmd __ro_after_init = SRSO_CMD_SAFE_RET; 2534 2535 static int __init srso_parse_cmdline(char *str) 2536 { 2537 if (!str) 2538 return -EINVAL; 2539 2540 if (!strcmp(str, "off")) 2541 srso_cmd = SRSO_CMD_OFF; 2542 else if (!strcmp(str, "microcode")) 2543 srso_cmd = SRSO_CMD_MICROCODE; 2544 else if (!strcmp(str, "safe-ret")) 2545 srso_cmd = SRSO_CMD_SAFE_RET; 2546 else if (!strcmp(str, "ibpb")) 2547 srso_cmd = SRSO_CMD_IBPB; 2548 else if (!strcmp(str, "ibpb-vmexit")) 2549 srso_cmd = SRSO_CMD_IBPB_ON_VMEXIT; 2550 else 2551 pr_err("Ignoring unknown SRSO option (%s).", str); 2552 2553 return 0; 2554 } 2555 early_param("spec_rstack_overflow", srso_parse_cmdline); 2556 2557 #define SRSO_NOTICE "WARNING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options." 2558 2559 static void __init srso_select_mitigation(void) 2560 { 2561 bool has_microcode = boot_cpu_has(X86_FEATURE_IBPB_BRTYPE); 2562 2563 if (!boot_cpu_has_bug(X86_BUG_SRSO) || cpu_mitigations_off()) 2564 goto pred_cmd; 2565 2566 if (has_microcode) { 2567 /* 2568 * Zen1/2 with SMT off aren't vulnerable after the right 2569 * IBPB microcode has been applied. 2570 */ 2571 if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) { 2572 setup_force_cpu_cap(X86_FEATURE_SRSO_NO); 2573 return; 2574 } 2575 2576 if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) { 2577 srso_mitigation = SRSO_MITIGATION_IBPB; 2578 goto out; 2579 } 2580 } else { 2581 pr_warn("IBPB-extending microcode not applied!\n"); 2582 pr_warn(SRSO_NOTICE); 2583 2584 /* may be overwritten by SRSO_CMD_SAFE_RET below */ 2585 srso_mitigation = SRSO_MITIGATION_UCODE_NEEDED; 2586 } 2587 2588 switch (srso_cmd) { 2589 case SRSO_CMD_OFF: 2590 goto pred_cmd; 2591 2592 case SRSO_CMD_MICROCODE: 2593 if (has_microcode) { 2594 srso_mitigation = SRSO_MITIGATION_MICROCODE; 2595 pr_warn(SRSO_NOTICE); 2596 } 2597 break; 2598 2599 case SRSO_CMD_SAFE_RET: 2600 if (IS_ENABLED(CONFIG_CPU_SRSO)) { 2601 /* 2602 * Enable the return thunk for generated code 2603 * like ftrace, static_call, etc. 2604 */ 2605 setup_force_cpu_cap(X86_FEATURE_RETHUNK); 2606 setup_force_cpu_cap(X86_FEATURE_UNRET); 2607 2608 if (boot_cpu_data.x86 == 0x19) { 2609 setup_force_cpu_cap(X86_FEATURE_SRSO_ALIAS); 2610 x86_return_thunk = srso_alias_return_thunk; 2611 } else { 2612 setup_force_cpu_cap(X86_FEATURE_SRSO); 2613 x86_return_thunk = srso_return_thunk; 2614 } 2615 if (has_microcode) 2616 srso_mitigation = SRSO_MITIGATION_SAFE_RET; 2617 else 2618 srso_mitigation = SRSO_MITIGATION_SAFE_RET_UCODE_NEEDED; 2619 } else { 2620 pr_err("WARNING: kernel not compiled with CPU_SRSO.\n"); 2621 goto pred_cmd; 2622 } 2623 break; 2624 2625 case SRSO_CMD_IBPB: 2626 if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) { 2627 if (has_microcode) { 2628 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB); 2629 srso_mitigation = SRSO_MITIGATION_IBPB; 2630 2631 /* 2632 * IBPB on entry already obviates the need for 2633 * software-based untraining so clear those in case some 2634 * other mitigation like Retbleed has selected them. 2635 */ 2636 setup_clear_cpu_cap(X86_FEATURE_UNRET); 2637 setup_clear_cpu_cap(X86_FEATURE_RETHUNK); 2638 } 2639 } else { 2640 pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n"); 2641 goto pred_cmd; 2642 } 2643 break; 2644 2645 case SRSO_CMD_IBPB_ON_VMEXIT: 2646 if (IS_ENABLED(CONFIG_CPU_SRSO)) { 2647 if (!boot_cpu_has(X86_FEATURE_ENTRY_IBPB) && has_microcode) { 2648 setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT); 2649 srso_mitigation = SRSO_MITIGATION_IBPB_ON_VMEXIT; 2650 2651 /* 2652 * There is no need for RSB filling: entry_ibpb() ensures 2653 * all predictions, including the RSB, are invalidated, 2654 * regardless of IBPB implementation. 2655 */ 2656 setup_clear_cpu_cap(X86_FEATURE_RSB_VMEXIT); 2657 } 2658 } else { 2659 pr_err("WARNING: kernel not compiled with CPU_SRSO.\n"); 2660 goto pred_cmd; 2661 } 2662 break; 2663 2664 default: 2665 break; 2666 } 2667 2668 out: 2669 pr_info("%s\n", srso_strings[srso_mitigation]); 2670 2671 pred_cmd: 2672 if ((!boot_cpu_has_bug(X86_BUG_SRSO) || srso_cmd == SRSO_CMD_OFF) && 2673 boot_cpu_has(X86_FEATURE_SBPB)) 2674 x86_pred_cmd = PRED_CMD_SBPB; 2675 } 2676 2677 #undef pr_fmt 2678 #define pr_fmt(fmt) fmt 2679 2680 #ifdef CONFIG_SYSFS 2681 2682 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion" 2683 2684 #if IS_ENABLED(CONFIG_KVM_INTEL) 2685 static const char * const l1tf_vmx_states[] = { 2686 [VMENTER_L1D_FLUSH_AUTO] = "auto", 2687 [VMENTER_L1D_FLUSH_NEVER] = "vulnerable", 2688 [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes", 2689 [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes", 2690 [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled", 2691 [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary" 2692 }; 2693 2694 static ssize_t l1tf_show_state(char *buf) 2695 { 2696 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO) 2697 return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG); 2698 2699 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED || 2700 (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER && 2701 sched_smt_active())) { 2702 return sysfs_emit(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG, 2703 l1tf_vmx_states[l1tf_vmx_mitigation]); 2704 } 2705 2706 return sysfs_emit(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG, 2707 l1tf_vmx_states[l1tf_vmx_mitigation], 2708 sched_smt_active() ? "vulnerable" : "disabled"); 2709 } 2710 2711 static ssize_t itlb_multihit_show_state(char *buf) 2712 { 2713 if (!boot_cpu_has(X86_FEATURE_MSR_IA32_FEAT_CTL) || 2714 !boot_cpu_has(X86_FEATURE_VMX)) 2715 return sysfs_emit(buf, "KVM: Mitigation: VMX unsupported\n"); 2716 else if (!(cr4_read_shadow() & X86_CR4_VMXE)) 2717 return sysfs_emit(buf, "KVM: Mitigation: VMX disabled\n"); 2718 else if (itlb_multihit_kvm_mitigation) 2719 return sysfs_emit(buf, "KVM: Mitigation: Split huge pages\n"); 2720 else 2721 return sysfs_emit(buf, "KVM: Vulnerable\n"); 2722 } 2723 #else 2724 static ssize_t l1tf_show_state(char *buf) 2725 { 2726 return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG); 2727 } 2728 2729 static ssize_t itlb_multihit_show_state(char *buf) 2730 { 2731 return sysfs_emit(buf, "Processor vulnerable\n"); 2732 } 2733 #endif 2734 2735 static ssize_t mds_show_state(char *buf) 2736 { 2737 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) { 2738 return sysfs_emit(buf, "%s; SMT Host state unknown\n", 2739 mds_strings[mds_mitigation]); 2740 } 2741 2742 if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) { 2743 return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation], 2744 (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" : 2745 sched_smt_active() ? "mitigated" : "disabled")); 2746 } 2747 2748 return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation], 2749 sched_smt_active() ? "vulnerable" : "disabled"); 2750 } 2751 2752 static ssize_t tsx_async_abort_show_state(char *buf) 2753 { 2754 if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) || 2755 (taa_mitigation == TAA_MITIGATION_OFF)) 2756 return sysfs_emit(buf, "%s\n", taa_strings[taa_mitigation]); 2757 2758 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) { 2759 return sysfs_emit(buf, "%s; SMT Host state unknown\n", 2760 taa_strings[taa_mitigation]); 2761 } 2762 2763 return sysfs_emit(buf, "%s; SMT %s\n", taa_strings[taa_mitigation], 2764 sched_smt_active() ? "vulnerable" : "disabled"); 2765 } 2766 2767 static ssize_t mmio_stale_data_show_state(char *buf) 2768 { 2769 if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN)) 2770 return sysfs_emit(buf, "Unknown: No mitigations\n"); 2771 2772 if (mmio_mitigation == MMIO_MITIGATION_OFF) 2773 return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]); 2774 2775 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) { 2776 return sysfs_emit(buf, "%s; SMT Host state unknown\n", 2777 mmio_strings[mmio_mitigation]); 2778 } 2779 2780 return sysfs_emit(buf, "%s; SMT %s\n", mmio_strings[mmio_mitigation], 2781 sched_smt_active() ? "vulnerable" : "disabled"); 2782 } 2783 2784 static ssize_t rfds_show_state(char *buf) 2785 { 2786 return sysfs_emit(buf, "%s\n", rfds_strings[rfds_mitigation]); 2787 } 2788 2789 static char *stibp_state(void) 2790 { 2791 if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) && 2792 !boot_cpu_has(X86_FEATURE_AUTOIBRS)) 2793 return ""; 2794 2795 switch (spectre_v2_user_stibp) { 2796 case SPECTRE_V2_USER_NONE: 2797 return "; STIBP: disabled"; 2798 case SPECTRE_V2_USER_STRICT: 2799 return "; STIBP: forced"; 2800 case SPECTRE_V2_USER_STRICT_PREFERRED: 2801 return "; STIBP: always-on"; 2802 case SPECTRE_V2_USER_PRCTL: 2803 case SPECTRE_V2_USER_SECCOMP: 2804 if (static_key_enabled(&switch_to_cond_stibp)) 2805 return "; STIBP: conditional"; 2806 } 2807 return ""; 2808 } 2809 2810 static char *ibpb_state(void) 2811 { 2812 if (boot_cpu_has(X86_FEATURE_IBPB)) { 2813 if (static_key_enabled(&switch_mm_always_ibpb)) 2814 return "; IBPB: always-on"; 2815 if (static_key_enabled(&switch_mm_cond_ibpb)) 2816 return "; IBPB: conditional"; 2817 return "; IBPB: disabled"; 2818 } 2819 return ""; 2820 } 2821 2822 static char *pbrsb_eibrs_state(void) 2823 { 2824 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { 2825 if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) || 2826 boot_cpu_has(X86_FEATURE_RSB_VMEXIT)) 2827 return "; PBRSB-eIBRS: SW sequence"; 2828 else 2829 return "; PBRSB-eIBRS: Vulnerable"; 2830 } else { 2831 return "; PBRSB-eIBRS: Not affected"; 2832 } 2833 } 2834 2835 static const char *spectre_bhi_state(void) 2836 { 2837 if (!boot_cpu_has_bug(X86_BUG_BHI)) 2838 return "; BHI: Not affected"; 2839 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_HW)) 2840 return "; BHI: BHI_DIS_S"; 2841 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP)) 2842 return "; BHI: SW loop, KVM: SW loop"; 2843 else if (boot_cpu_has(X86_FEATURE_RETPOLINE) && 2844 !boot_cpu_has(X86_FEATURE_RETPOLINE_LFENCE) && 2845 rrsba_disabled) 2846 return "; BHI: Retpoline"; 2847 else if (boot_cpu_has(X86_FEATURE_CLEAR_BHB_LOOP_ON_VMEXIT)) 2848 return "; BHI: Vulnerable, KVM: SW loop"; 2849 2850 return "; BHI: Vulnerable"; 2851 } 2852 2853 static ssize_t spectre_v2_show_state(char *buf) 2854 { 2855 if (spectre_v2_enabled == SPECTRE_V2_LFENCE) 2856 return sysfs_emit(buf, "Vulnerable: LFENCE\n"); 2857 2858 if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) 2859 return sysfs_emit(buf, "Vulnerable: eIBRS with unprivileged eBPF\n"); 2860 2861 if (sched_smt_active() && unprivileged_ebpf_enabled() && 2862 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE) 2863 return sysfs_emit(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n"); 2864 2865 return sysfs_emit(buf, "%s%s%s%s%s%s%s%s\n", 2866 spectre_v2_strings[spectre_v2_enabled], 2867 ibpb_state(), 2868 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? "; IBRS_FW" : "", 2869 stibp_state(), 2870 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? "; RSB filling" : "", 2871 pbrsb_eibrs_state(), 2872 spectre_bhi_state(), 2873 /* this should always be at the end */ 2874 spectre_v2_module_string()); 2875 } 2876 2877 static ssize_t srbds_show_state(char *buf) 2878 { 2879 return sysfs_emit(buf, "%s\n", srbds_strings[srbds_mitigation]); 2880 } 2881 2882 static ssize_t retbleed_show_state(char *buf) 2883 { 2884 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET || 2885 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) { 2886 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && 2887 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) 2888 return sysfs_emit(buf, "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch\n"); 2889 2890 return sysfs_emit(buf, "%s; SMT %s\n", retbleed_strings[retbleed_mitigation], 2891 !sched_smt_active() ? "disabled" : 2892 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || 2893 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ? 2894 "enabled with STIBP protection" : "vulnerable"); 2895 } 2896 2897 return sysfs_emit(buf, "%s\n", retbleed_strings[retbleed_mitigation]); 2898 } 2899 2900 static ssize_t srso_show_state(char *buf) 2901 { 2902 if (boot_cpu_has(X86_FEATURE_SRSO_NO)) 2903 return sysfs_emit(buf, "Mitigation: SMT disabled\n"); 2904 2905 return sysfs_emit(buf, "%s\n", srso_strings[srso_mitigation]); 2906 } 2907 2908 static ssize_t gds_show_state(char *buf) 2909 { 2910 return sysfs_emit(buf, "%s\n", gds_strings[gds_mitigation]); 2911 } 2912 2913 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, 2914 char *buf, unsigned int bug) 2915 { 2916 if (!boot_cpu_has_bug(bug)) 2917 return sysfs_emit(buf, "Not affected\n"); 2918 2919 switch (bug) { 2920 case X86_BUG_CPU_MELTDOWN: 2921 if (boot_cpu_has(X86_FEATURE_PTI)) 2922 return sysfs_emit(buf, "Mitigation: PTI\n"); 2923 2924 if (hypervisor_is_type(X86_HYPER_XEN_PV)) 2925 return sysfs_emit(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n"); 2926 2927 break; 2928 2929 case X86_BUG_SPECTRE_V1: 2930 return sysfs_emit(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]); 2931 2932 case X86_BUG_SPECTRE_V2: 2933 return spectre_v2_show_state(buf); 2934 2935 case X86_BUG_SPEC_STORE_BYPASS: 2936 return sysfs_emit(buf, "%s\n", ssb_strings[ssb_mode]); 2937 2938 case X86_BUG_L1TF: 2939 if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV)) 2940 return l1tf_show_state(buf); 2941 break; 2942 2943 case X86_BUG_MDS: 2944 return mds_show_state(buf); 2945 2946 case X86_BUG_TAA: 2947 return tsx_async_abort_show_state(buf); 2948 2949 case X86_BUG_ITLB_MULTIHIT: 2950 return itlb_multihit_show_state(buf); 2951 2952 case X86_BUG_SRBDS: 2953 return srbds_show_state(buf); 2954 2955 case X86_BUG_MMIO_STALE_DATA: 2956 case X86_BUG_MMIO_UNKNOWN: 2957 return mmio_stale_data_show_state(buf); 2958 2959 case X86_BUG_RETBLEED: 2960 return retbleed_show_state(buf); 2961 2962 case X86_BUG_SRSO: 2963 return srso_show_state(buf); 2964 2965 case X86_BUG_GDS: 2966 return gds_show_state(buf); 2967 2968 case X86_BUG_RFDS: 2969 return rfds_show_state(buf); 2970 2971 default: 2972 break; 2973 } 2974 2975 return sysfs_emit(buf, "Vulnerable\n"); 2976 } 2977 2978 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) 2979 { 2980 return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN); 2981 } 2982 2983 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) 2984 { 2985 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1); 2986 } 2987 2988 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) 2989 { 2990 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2); 2991 } 2992 2993 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf) 2994 { 2995 return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS); 2996 } 2997 2998 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf) 2999 { 3000 return cpu_show_common(dev, attr, buf, X86_BUG_L1TF); 3001 } 3002 3003 ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *buf) 3004 { 3005 return cpu_show_common(dev, attr, buf, X86_BUG_MDS); 3006 } 3007 3008 ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf) 3009 { 3010 return cpu_show_common(dev, attr, buf, X86_BUG_TAA); 3011 } 3012 3013 ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf) 3014 { 3015 return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT); 3016 } 3017 3018 ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf) 3019 { 3020 return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS); 3021 } 3022 3023 ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf) 3024 { 3025 if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN)) 3026 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_UNKNOWN); 3027 else 3028 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA); 3029 } 3030 3031 ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf) 3032 { 3033 return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED); 3034 } 3035 3036 ssize_t cpu_show_spec_rstack_overflow(struct device *dev, struct device_attribute *attr, char *buf) 3037 { 3038 return cpu_show_common(dev, attr, buf, X86_BUG_SRSO); 3039 } 3040 3041 ssize_t cpu_show_gds(struct device *dev, struct device_attribute *attr, char *buf) 3042 { 3043 return cpu_show_common(dev, attr, buf, X86_BUG_GDS); 3044 } 3045 3046 ssize_t cpu_show_reg_file_data_sampling(struct device *dev, struct device_attribute *attr, char *buf) 3047 { 3048 return cpu_show_common(dev, attr, buf, X86_BUG_RFDS); 3049 } 3050 #endif 3051