1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (C) 1994 Linus Torvalds
4 *
5 * Cyrix stuff, June 1998 by:
6 * - Rafael R. Reilova (moved everything from head.S),
7 * <rreilova@ececs.uc.edu>
8 * - Channing Corn (tests & fixes),
9 * - Andrew D. Balsa (code cleanup).
10 */
11 #include <linux/init.h>
12 #include <linux/cpu.h>
13 #include <linux/module.h>
14 #include <linux/nospec.h>
15 #include <linux/prctl.h>
16 #include <linux/sched/smt.h>
17
18 #include <asm/spec-ctrl.h>
19 #include <asm/cmdline.h>
20 #include <asm/bugs.h>
21 #include <asm/processor.h>
22 #include <asm/processor-flags.h>
23 #include <asm/fpu/internal.h>
24 #include <asm/msr.h>
25 #include <asm/vmx.h>
26 #include <asm/paravirt.h>
27 #include <asm/pgtable.h>
28 #include <asm/intel-family.h>
29 #include <asm/e820/api.h>
30 #include <asm/hypervisor.h>
31 #include <linux/bpf.h>
32
33 #include "cpu.h"
34
35 static void __init spectre_v1_select_mitigation(void);
36 static void __init spectre_v2_select_mitigation(void);
37 static void __init retbleed_select_mitigation(void);
38 static void __init spectre_v2_user_select_mitigation(void);
39 static void __init ssb_select_mitigation(void);
40 static void __init l1tf_select_mitigation(void);
41 static void __init mds_select_mitigation(void);
42 static void __init md_clear_update_mitigation(void);
43 static void __init md_clear_select_mitigation(void);
44 static void __init taa_select_mitigation(void);
45 static void __init mmio_select_mitigation(void);
46 static void __init srbds_select_mitigation(void);
47 static void __init gds_select_mitigation(void);
48
49 /* The base value of the SPEC_CTRL MSR without task-specific bits set */
50 u64 x86_spec_ctrl_base;
51 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
52
53 /* The current value of the SPEC_CTRL MSR with task-specific bits set */
54 DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
55 EXPORT_SYMBOL_GPL(x86_spec_ctrl_current);
56
57 static DEFINE_MUTEX(spec_ctrl_mutex);
58
59 /* Update SPEC_CTRL MSR and its cached copy unconditionally */
update_spec_ctrl(u64 val)60 static void update_spec_ctrl(u64 val)
61 {
62 this_cpu_write(x86_spec_ctrl_current, val);
63 wrmsrl(MSR_IA32_SPEC_CTRL, val);
64 }
65
66 /*
67 * Keep track of the SPEC_CTRL MSR value for the current task, which may differ
68 * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update().
69 */
update_spec_ctrl_cond(u64 val)70 void update_spec_ctrl_cond(u64 val)
71 {
72 if (this_cpu_read(x86_spec_ctrl_current) == val)
73 return;
74
75 this_cpu_write(x86_spec_ctrl_current, val);
76
77 /*
78 * When KERNEL_IBRS this MSR is written on return-to-user, unless
79 * forced the update can be delayed until that time.
80 */
81 if (!cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS))
82 wrmsrl(MSR_IA32_SPEC_CTRL, val);
83 }
84
spec_ctrl_current(void)85 u64 spec_ctrl_current(void)
86 {
87 return this_cpu_read(x86_spec_ctrl_current);
88 }
89 EXPORT_SYMBOL_GPL(spec_ctrl_current);
90
91 /*
92 * AMD specific MSR info for Speculative Store Bypass control.
93 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
94 */
95 u64 __ro_after_init x86_amd_ls_cfg_base;
96 u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
97
98 /* Control conditional STIBP in switch_to() */
99 DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
100 /* Control conditional IBPB in switch_mm() */
101 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
102 /* Control unconditional IBPB in switch_mm() */
103 DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);
104
105 /* Control MDS CPU buffer clear before returning to user space */
106 DEFINE_STATIC_KEY_FALSE(mds_user_clear);
107 EXPORT_SYMBOL_GPL(mds_user_clear);
108 /* Control MDS CPU buffer clear before idling (halt, mwait) */
109 DEFINE_STATIC_KEY_FALSE(mds_idle_clear);
110 EXPORT_SYMBOL_GPL(mds_idle_clear);
111
112 /* Controls CPU Fill buffer clear before KVM guest MMIO accesses */
113 DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear);
114 EXPORT_SYMBOL_GPL(mmio_stale_data_clear);
115
cpu_select_mitigations(void)116 void __init cpu_select_mitigations(void)
117 {
118 /*
119 * Read the SPEC_CTRL MSR to account for reserved bits which may
120 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
121 * init code as it is not enumerated and depends on the family.
122 */
123 if (cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) {
124 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
125
126 /*
127 * Previously running kernel (kexec), may have some controls
128 * turned ON. Clear them and let the mitigations setup below
129 * rediscover them based on configuration.
130 */
131 x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK;
132 }
133
134 /* Select the proper CPU mitigations before patching alternatives: */
135 spectre_v1_select_mitigation();
136 spectre_v2_select_mitigation();
137 /*
138 * retbleed_select_mitigation() relies on the state set by
139 * spectre_v2_select_mitigation(); specifically it wants to know about
140 * spectre_v2=ibrs.
141 */
142 retbleed_select_mitigation();
143 /*
144 * spectre_v2_user_select_mitigation() relies on the state set by
145 * retbleed_select_mitigation(); specifically the STIBP selection is
146 * forced for UNRET.
147 */
148 spectre_v2_user_select_mitigation();
149 ssb_select_mitigation();
150 l1tf_select_mitigation();
151 md_clear_select_mitigation();
152 srbds_select_mitigation();
153 gds_select_mitigation();
154 }
155
156 /*
157 * NOTE: For VMX, this function is not called in the vmexit path.
158 * It uses vmx_spec_ctrl_restore_host() instead.
159 */
160 void
x86_virt_spec_ctrl(u64 guest_spec_ctrl,u64 guest_virt_spec_ctrl,bool setguest)161 x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
162 {
163 u64 msrval, guestval = guest_spec_ctrl, hostval = spec_ctrl_current();
164 struct thread_info *ti = current_thread_info();
165
166 if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
167 if (hostval != guestval) {
168 msrval = setguest ? guestval : hostval;
169 wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
170 }
171 }
172
173 /*
174 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
175 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
176 */
177 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
178 !static_cpu_has(X86_FEATURE_VIRT_SSBD))
179 return;
180
181 /*
182 * If the host has SSBD mitigation enabled, force it in the host's
183 * virtual MSR value. If its not permanently enabled, evaluate
184 * current's TIF_SSBD thread flag.
185 */
186 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
187 hostval = SPEC_CTRL_SSBD;
188 else
189 hostval = ssbd_tif_to_spec_ctrl(ti->flags);
190
191 /* Sanitize the guest value */
192 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
193
194 if (hostval != guestval) {
195 unsigned long tif;
196
197 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
198 ssbd_spec_ctrl_to_tif(hostval);
199
200 speculation_ctrl_update(tif);
201 }
202 }
203 EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
204
x86_amd_ssb_disable(void)205 static void x86_amd_ssb_disable(void)
206 {
207 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
208
209 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
210 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
211 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
212 wrmsrl(MSR_AMD64_LS_CFG, msrval);
213 }
214
215 #undef pr_fmt
216 #define pr_fmt(fmt) "MDS: " fmt
217
218 /* Default mitigation for MDS-affected CPUs */
219 static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL;
220 static bool mds_nosmt __ro_after_init = false;
221
222 static const char * const mds_strings[] = {
223 [MDS_MITIGATION_OFF] = "Vulnerable",
224 [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
225 [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
226 };
227
mds_select_mitigation(void)228 static void __init mds_select_mitigation(void)
229 {
230 if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) {
231 mds_mitigation = MDS_MITIGATION_OFF;
232 return;
233 }
234
235 if (mds_mitigation == MDS_MITIGATION_FULL) {
236 if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
237 mds_mitigation = MDS_MITIGATION_VMWERV;
238
239 static_branch_enable(&mds_user_clear);
240
241 if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&
242 (mds_nosmt || cpu_mitigations_auto_nosmt()))
243 cpu_smt_disable(false);
244 }
245 }
246
mds_cmdline(char * str)247 static int __init mds_cmdline(char *str)
248 {
249 if (!boot_cpu_has_bug(X86_BUG_MDS))
250 return 0;
251
252 if (!str)
253 return -EINVAL;
254
255 if (!strcmp(str, "off"))
256 mds_mitigation = MDS_MITIGATION_OFF;
257 else if (!strcmp(str, "full"))
258 mds_mitigation = MDS_MITIGATION_FULL;
259 else if (!strcmp(str, "full,nosmt")) {
260 mds_mitigation = MDS_MITIGATION_FULL;
261 mds_nosmt = true;
262 }
263
264 return 0;
265 }
266 early_param("mds", mds_cmdline);
267
268 #undef pr_fmt
269 #define pr_fmt(fmt) "TAA: " fmt
270
271 /* Default mitigation for TAA-affected CPUs */
272 static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW;
273 static bool taa_nosmt __ro_after_init;
274
275 static const char * const taa_strings[] = {
276 [TAA_MITIGATION_OFF] = "Vulnerable",
277 [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
278 [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
279 [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled",
280 };
281
taa_select_mitigation(void)282 static void __init taa_select_mitigation(void)
283 {
284 u64 ia32_cap;
285
286 if (!boot_cpu_has_bug(X86_BUG_TAA)) {
287 taa_mitigation = TAA_MITIGATION_OFF;
288 return;
289 }
290
291 /* TSX previously disabled by tsx=off */
292 if (!boot_cpu_has(X86_FEATURE_RTM)) {
293 taa_mitigation = TAA_MITIGATION_TSX_DISABLED;
294 return;
295 }
296
297 if (cpu_mitigations_off()) {
298 taa_mitigation = TAA_MITIGATION_OFF;
299 return;
300 }
301
302 /*
303 * TAA mitigation via VERW is turned off if both
304 * tsx_async_abort=off and mds=off are specified.
305 */
306 if (taa_mitigation == TAA_MITIGATION_OFF &&
307 mds_mitigation == MDS_MITIGATION_OFF)
308 return;
309
310 if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
311 taa_mitigation = TAA_MITIGATION_VERW;
312 else
313 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
314
315 /*
316 * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
317 * A microcode update fixes this behavior to clear CPU buffers. It also
318 * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
319 * ARCH_CAP_TSX_CTRL_MSR bit.
320 *
321 * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
322 * update is required.
323 */
324 ia32_cap = x86_read_arch_cap_msr();
325 if ( (ia32_cap & ARCH_CAP_MDS_NO) &&
326 !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR))
327 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
328
329 /*
330 * TSX is enabled, select alternate mitigation for TAA which is
331 * the same as MDS. Enable MDS static branch to clear CPU buffers.
332 *
333 * For guests that can't determine whether the correct microcode is
334 * present on host, enable the mitigation for UCODE_NEEDED as well.
335 */
336 static_branch_enable(&mds_user_clear);
337
338 if (taa_nosmt || cpu_mitigations_auto_nosmt())
339 cpu_smt_disable(false);
340 }
341
tsx_async_abort_parse_cmdline(char * str)342 static int __init tsx_async_abort_parse_cmdline(char *str)
343 {
344 if (!boot_cpu_has_bug(X86_BUG_TAA))
345 return 0;
346
347 if (!str)
348 return -EINVAL;
349
350 if (!strcmp(str, "off")) {
351 taa_mitigation = TAA_MITIGATION_OFF;
352 } else if (!strcmp(str, "full")) {
353 taa_mitigation = TAA_MITIGATION_VERW;
354 } else if (!strcmp(str, "full,nosmt")) {
355 taa_mitigation = TAA_MITIGATION_VERW;
356 taa_nosmt = true;
357 }
358
359 return 0;
360 }
361 early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
362
363 #undef pr_fmt
364 #define pr_fmt(fmt) "MMIO Stale Data: " fmt
365
366 enum mmio_mitigations {
367 MMIO_MITIGATION_OFF,
368 MMIO_MITIGATION_UCODE_NEEDED,
369 MMIO_MITIGATION_VERW,
370 };
371
372 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */
373 static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_VERW;
374 static bool mmio_nosmt __ro_after_init = false;
375
376 static const char * const mmio_strings[] = {
377 [MMIO_MITIGATION_OFF] = "Vulnerable",
378 [MMIO_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
379 [MMIO_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
380 };
381
mmio_select_mitigation(void)382 static void __init mmio_select_mitigation(void)
383 {
384 u64 ia32_cap;
385
386 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
387 boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) ||
388 cpu_mitigations_off()) {
389 mmio_mitigation = MMIO_MITIGATION_OFF;
390 return;
391 }
392
393 if (mmio_mitigation == MMIO_MITIGATION_OFF)
394 return;
395
396 ia32_cap = x86_read_arch_cap_msr();
397
398 /*
399 * Enable CPU buffer clear mitigation for host and VMM, if also affected
400 * by MDS or TAA. Otherwise, enable mitigation for VMM only.
401 */
402 if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) &&
403 boot_cpu_has(X86_FEATURE_RTM)))
404 static_branch_enable(&mds_user_clear);
405 else
406 static_branch_enable(&mmio_stale_data_clear);
407
408 /*
409 * If Processor-MMIO-Stale-Data bug is present and Fill Buffer data can
410 * be propagated to uncore buffers, clearing the Fill buffers on idle
411 * is required irrespective of SMT state.
412 */
413 if (!(ia32_cap & ARCH_CAP_FBSDP_NO))
414 static_branch_enable(&mds_idle_clear);
415
416 /*
417 * Check if the system has the right microcode.
418 *
419 * CPU Fill buffer clear mitigation is enumerated by either an explicit
420 * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS
421 * affected systems.
422 */
423 if ((ia32_cap & ARCH_CAP_FB_CLEAR) ||
424 (boot_cpu_has(X86_FEATURE_MD_CLEAR) &&
425 boot_cpu_has(X86_FEATURE_FLUSH_L1D) &&
426 !(ia32_cap & ARCH_CAP_MDS_NO)))
427 mmio_mitigation = MMIO_MITIGATION_VERW;
428 else
429 mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED;
430
431 if (mmio_nosmt || cpu_mitigations_auto_nosmt())
432 cpu_smt_disable(false);
433 }
434
mmio_stale_data_parse_cmdline(char * str)435 static int __init mmio_stale_data_parse_cmdline(char *str)
436 {
437 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
438 return 0;
439
440 if (!str)
441 return -EINVAL;
442
443 if (!strcmp(str, "off")) {
444 mmio_mitigation = MMIO_MITIGATION_OFF;
445 } else if (!strcmp(str, "full")) {
446 mmio_mitigation = MMIO_MITIGATION_VERW;
447 } else if (!strcmp(str, "full,nosmt")) {
448 mmio_mitigation = MMIO_MITIGATION_VERW;
449 mmio_nosmt = true;
450 }
451
452 return 0;
453 }
454 early_param("mmio_stale_data", mmio_stale_data_parse_cmdline);
455
456 #undef pr_fmt
457 #define pr_fmt(fmt) "" fmt
458
md_clear_update_mitigation(void)459 static void __init md_clear_update_mitigation(void)
460 {
461 if (cpu_mitigations_off())
462 return;
463
464 if (!static_key_enabled(&mds_user_clear))
465 goto out;
466
467 /*
468 * mds_user_clear is now enabled. Update MDS, TAA and MMIO Stale Data
469 * mitigation, if necessary.
470 */
471 if (mds_mitigation == MDS_MITIGATION_OFF &&
472 boot_cpu_has_bug(X86_BUG_MDS)) {
473 mds_mitigation = MDS_MITIGATION_FULL;
474 mds_select_mitigation();
475 }
476 if (taa_mitigation == TAA_MITIGATION_OFF &&
477 boot_cpu_has_bug(X86_BUG_TAA)) {
478 taa_mitigation = TAA_MITIGATION_VERW;
479 taa_select_mitigation();
480 }
481 if (mmio_mitigation == MMIO_MITIGATION_OFF &&
482 boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
483 mmio_mitigation = MMIO_MITIGATION_VERW;
484 mmio_select_mitigation();
485 }
486 out:
487 if (boot_cpu_has_bug(X86_BUG_MDS))
488 pr_info("MDS: %s\n", mds_strings[mds_mitigation]);
489 if (boot_cpu_has_bug(X86_BUG_TAA))
490 pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
491 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
492 pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
493 else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
494 pr_info("MMIO Stale Data: Unknown: No mitigations\n");
495 }
496
md_clear_select_mitigation(void)497 static void __init md_clear_select_mitigation(void)
498 {
499 mds_select_mitigation();
500 taa_select_mitigation();
501 mmio_select_mitigation();
502
503 /*
504 * As MDS, TAA and MMIO Stale Data mitigations are inter-related, update
505 * and print their mitigation after MDS, TAA and MMIO Stale Data
506 * mitigation selection is done.
507 */
508 md_clear_update_mitigation();
509 }
510
511 #undef pr_fmt
512 #define pr_fmt(fmt) "SRBDS: " fmt
513
514 enum srbds_mitigations {
515 SRBDS_MITIGATION_OFF,
516 SRBDS_MITIGATION_UCODE_NEEDED,
517 SRBDS_MITIGATION_FULL,
518 SRBDS_MITIGATION_TSX_OFF,
519 SRBDS_MITIGATION_HYPERVISOR,
520 };
521
522 static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL;
523
524 static const char * const srbds_strings[] = {
525 [SRBDS_MITIGATION_OFF] = "Vulnerable",
526 [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
527 [SRBDS_MITIGATION_FULL] = "Mitigation: Microcode",
528 [SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled",
529 [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
530 };
531
532 static bool srbds_off;
533
update_srbds_msr(void)534 void update_srbds_msr(void)
535 {
536 u64 mcu_ctrl;
537
538 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
539 return;
540
541 if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
542 return;
543
544 if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED)
545 return;
546
547 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
548
549 switch (srbds_mitigation) {
550 case SRBDS_MITIGATION_OFF:
551 case SRBDS_MITIGATION_TSX_OFF:
552 mcu_ctrl |= RNGDS_MITG_DIS;
553 break;
554 case SRBDS_MITIGATION_FULL:
555 mcu_ctrl &= ~RNGDS_MITG_DIS;
556 break;
557 default:
558 break;
559 }
560
561 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
562 }
563
srbds_select_mitigation(void)564 static void __init srbds_select_mitigation(void)
565 {
566 u64 ia32_cap;
567
568 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
569 return;
570
571 /*
572 * Check to see if this is one of the MDS_NO systems supporting TSX that
573 * are only exposed to SRBDS when TSX is enabled or when CPU is affected
574 * by Processor MMIO Stale Data vulnerability.
575 */
576 ia32_cap = x86_read_arch_cap_msr();
577 if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) &&
578 !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
579 srbds_mitigation = SRBDS_MITIGATION_TSX_OFF;
580 else if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
581 srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR;
582 else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
583 srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED;
584 else if (cpu_mitigations_off() || srbds_off)
585 srbds_mitigation = SRBDS_MITIGATION_OFF;
586
587 update_srbds_msr();
588 pr_info("%s\n", srbds_strings[srbds_mitigation]);
589 }
590
srbds_parse_cmdline(char * str)591 static int __init srbds_parse_cmdline(char *str)
592 {
593 if (!str)
594 return -EINVAL;
595
596 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
597 return 0;
598
599 srbds_off = !strcmp(str, "off");
600 return 0;
601 }
602 early_param("srbds", srbds_parse_cmdline);
603
604 #undef pr_fmt
605 #define pr_fmt(fmt) "GDS: " fmt
606
607 enum gds_mitigations {
608 GDS_MITIGATION_OFF,
609 GDS_MITIGATION_UCODE_NEEDED,
610 GDS_MITIGATION_FORCE,
611 GDS_MITIGATION_FULL,
612 GDS_MITIGATION_FULL_LOCKED,
613 GDS_MITIGATION_HYPERVISOR,
614 };
615
616 #if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)
617 static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE;
618 #else
619 static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
620 #endif
621
622 static const char * const gds_strings[] = {
623 [GDS_MITIGATION_OFF] = "Vulnerable",
624 [GDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
625 [GDS_MITIGATION_FORCE] = "Mitigation: AVX disabled, no microcode",
626 [GDS_MITIGATION_FULL] = "Mitigation: Microcode",
627 [GDS_MITIGATION_FULL_LOCKED] = "Mitigation: Microcode (locked)",
628 [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
629 };
630
gds_ucode_mitigated(void)631 bool gds_ucode_mitigated(void)
632 {
633 return (gds_mitigation == GDS_MITIGATION_FULL ||
634 gds_mitigation == GDS_MITIGATION_FULL_LOCKED);
635 }
636 EXPORT_SYMBOL_GPL(gds_ucode_mitigated);
637
update_gds_msr(void)638 void update_gds_msr(void)
639 {
640 u64 mcu_ctrl_after;
641 u64 mcu_ctrl;
642
643 switch (gds_mitigation) {
644 case GDS_MITIGATION_OFF:
645 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
646 mcu_ctrl |= GDS_MITG_DIS;
647 break;
648 case GDS_MITIGATION_FULL_LOCKED:
649 /*
650 * The LOCKED state comes from the boot CPU. APs might not have
651 * the same state. Make sure the mitigation is enabled on all
652 * CPUs.
653 */
654 case GDS_MITIGATION_FULL:
655 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
656 mcu_ctrl &= ~GDS_MITG_DIS;
657 break;
658 case GDS_MITIGATION_FORCE:
659 case GDS_MITIGATION_UCODE_NEEDED:
660 case GDS_MITIGATION_HYPERVISOR:
661 return;
662 };
663
664 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
665
666 /*
667 * Check to make sure that the WRMSR value was not ignored. Writes to
668 * GDS_MITG_DIS will be ignored if this processor is locked but the boot
669 * processor was not.
670 */
671 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl_after);
672 WARN_ON_ONCE(mcu_ctrl != mcu_ctrl_after);
673 }
674
gds_select_mitigation(void)675 static void __init gds_select_mitigation(void)
676 {
677 u64 mcu_ctrl;
678
679 if (!boot_cpu_has_bug(X86_BUG_GDS))
680 return;
681
682 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
683 gds_mitigation = GDS_MITIGATION_HYPERVISOR;
684 goto out;
685 }
686
687 if (cpu_mitigations_off())
688 gds_mitigation = GDS_MITIGATION_OFF;
689 /* Will verify below that mitigation _can_ be disabled */
690
691 /* No microcode */
692 if (!(x86_read_arch_cap_msr() & ARCH_CAP_GDS_CTRL)) {
693 if (gds_mitigation == GDS_MITIGATION_FORCE) {
694 /*
695 * This only needs to be done on the boot CPU so do it
696 * here rather than in update_gds_msr()
697 */
698 setup_clear_cpu_cap(X86_FEATURE_AVX);
699 pr_warn("Microcode update needed! Disabling AVX as mitigation.\n");
700 } else {
701 gds_mitigation = GDS_MITIGATION_UCODE_NEEDED;
702 }
703 goto out;
704 }
705
706 /* Microcode has mitigation, use it */
707 if (gds_mitigation == GDS_MITIGATION_FORCE)
708 gds_mitigation = GDS_MITIGATION_FULL;
709
710 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
711 if (mcu_ctrl & GDS_MITG_LOCKED) {
712 if (gds_mitigation == GDS_MITIGATION_OFF)
713 pr_warn("Mitigation locked. Disable failed.\n");
714
715 /*
716 * The mitigation is selected from the boot CPU. All other CPUs
717 * _should_ have the same state. If the boot CPU isn't locked
718 * but others are then update_gds_msr() will WARN() of the state
719 * mismatch. If the boot CPU is locked update_gds_msr() will
720 * ensure the other CPUs have the mitigation enabled.
721 */
722 gds_mitigation = GDS_MITIGATION_FULL_LOCKED;
723 }
724
725 update_gds_msr();
726 out:
727 pr_info("%s\n", gds_strings[gds_mitigation]);
728 }
729
gds_parse_cmdline(char * str)730 static int __init gds_parse_cmdline(char *str)
731 {
732 if (!str)
733 return -EINVAL;
734
735 if (!boot_cpu_has_bug(X86_BUG_GDS))
736 return 0;
737
738 if (!strcmp(str, "off"))
739 gds_mitigation = GDS_MITIGATION_OFF;
740 else if (!strcmp(str, "force"))
741 gds_mitigation = GDS_MITIGATION_FORCE;
742
743 return 0;
744 }
745 early_param("gather_data_sampling", gds_parse_cmdline);
746
747 #undef pr_fmt
748 #define pr_fmt(fmt) "Spectre V1 : " fmt
749
750 enum spectre_v1_mitigation {
751 SPECTRE_V1_MITIGATION_NONE,
752 SPECTRE_V1_MITIGATION_AUTO,
753 };
754
755 static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
756 SPECTRE_V1_MITIGATION_AUTO;
757
758 static const char * const spectre_v1_strings[] = {
759 [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
760 [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
761 };
762
763 /*
764 * Does SMAP provide full mitigation against speculative kernel access to
765 * userspace?
766 */
smap_works_speculatively(void)767 static bool smap_works_speculatively(void)
768 {
769 if (!boot_cpu_has(X86_FEATURE_SMAP))
770 return false;
771
772 /*
773 * On CPUs which are vulnerable to Meltdown, SMAP does not
774 * prevent speculative access to user data in the L1 cache.
775 * Consider SMAP to be non-functional as a mitigation on these
776 * CPUs.
777 */
778 if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
779 return false;
780
781 return true;
782 }
783
spectre_v1_select_mitigation(void)784 static void __init spectre_v1_select_mitigation(void)
785 {
786 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
787 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
788 return;
789 }
790
791 if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
792 /*
793 * With Spectre v1, a user can speculatively control either
794 * path of a conditional swapgs with a user-controlled GS
795 * value. The mitigation is to add lfences to both code paths.
796 *
797 * If FSGSBASE is enabled, the user can put a kernel address in
798 * GS, in which case SMAP provides no protection.
799 *
800 * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the
801 * FSGSBASE enablement patches have been merged. ]
802 *
803 * If FSGSBASE is disabled, the user can only put a user space
804 * address in GS. That makes an attack harder, but still
805 * possible if there's no SMAP protection.
806 */
807 if (!smap_works_speculatively()) {
808 /*
809 * Mitigation can be provided from SWAPGS itself or
810 * PTI as the CR3 write in the Meltdown mitigation
811 * is serializing.
812 *
813 * If neither is there, mitigate with an LFENCE to
814 * stop speculation through swapgs.
815 */
816 if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
817 !boot_cpu_has(X86_FEATURE_PTI))
818 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
819
820 /*
821 * Enable lfences in the kernel entry (non-swapgs)
822 * paths, to prevent user entry from speculatively
823 * skipping swapgs.
824 */
825 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
826 }
827 }
828
829 pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
830 }
831
nospectre_v1_cmdline(char * str)832 static int __init nospectre_v1_cmdline(char *str)
833 {
834 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
835 return 0;
836 }
837 early_param("nospectre_v1", nospectre_v1_cmdline);
838
839 static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
840 SPECTRE_V2_NONE;
841
842 #undef pr_fmt
843 #define pr_fmt(fmt) "RETBleed: " fmt
844
845 enum retbleed_mitigation {
846 RETBLEED_MITIGATION_NONE,
847 RETBLEED_MITIGATION_IBRS,
848 RETBLEED_MITIGATION_EIBRS,
849 };
850
851 enum retbleed_mitigation_cmd {
852 RETBLEED_CMD_OFF,
853 RETBLEED_CMD_AUTO,
854 };
855
856 const char * const retbleed_strings[] = {
857 [RETBLEED_MITIGATION_NONE] = "Vulnerable",
858 [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS",
859 [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS",
860 };
861
862 static enum retbleed_mitigation retbleed_mitigation __ro_after_init =
863 RETBLEED_MITIGATION_NONE;
864 static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =
865 RETBLEED_CMD_AUTO;
866
retbleed_parse_cmdline(char * str)867 static int __init retbleed_parse_cmdline(char *str)
868 {
869 if (!str)
870 return -EINVAL;
871
872 if (!strcmp(str, "off"))
873 retbleed_cmd = RETBLEED_CMD_OFF;
874 else if (!strcmp(str, "auto"))
875 retbleed_cmd = RETBLEED_CMD_AUTO;
876 else
877 pr_err("Unknown retbleed option (%s). Defaulting to 'auto'\n", str);
878
879 return 0;
880 }
881 early_param("retbleed", retbleed_parse_cmdline);
882
883 #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n"
884 #define RETBLEED_COMPILER_MSG "WARNING: kernel not compiled with RETPOLINE or -mfunction-return capable compiler!\n"
885 #define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n"
886
retbleed_select_mitigation(void)887 static void __init retbleed_select_mitigation(void)
888 {
889 if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
890 return;
891
892 switch (retbleed_cmd) {
893 case RETBLEED_CMD_OFF:
894 return;
895
896 case RETBLEED_CMD_AUTO:
897 default:
898 /*
899 * The Intel mitigation (IBRS) was already selected in
900 * spectre_v2_select_mitigation().
901 */
902
903 break;
904 }
905
906 switch (retbleed_mitigation) {
907 default:
908 break;
909 }
910
911 /*
912 * Let IBRS trump all on Intel without affecting the effects of the
913 * retbleed= cmdline option.
914 */
915 if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
916 switch (spectre_v2_enabled) {
917 case SPECTRE_V2_IBRS:
918 retbleed_mitigation = RETBLEED_MITIGATION_IBRS;
919 break;
920 case SPECTRE_V2_EIBRS:
921 case SPECTRE_V2_EIBRS_RETPOLINE:
922 case SPECTRE_V2_EIBRS_LFENCE:
923 retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;
924 break;
925 default:
926 pr_err(RETBLEED_INTEL_MSG);
927 }
928 }
929
930 pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
931 }
932
933 #undef pr_fmt
934 #define pr_fmt(fmt) "Spectre V2 : " fmt
935
936 static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init =
937 SPECTRE_V2_USER_NONE;
938 static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init =
939 SPECTRE_V2_USER_NONE;
940
941 #ifdef CONFIG_RETPOLINE
942 static bool spectre_v2_bad_module;
943
retpoline_module_ok(bool has_retpoline)944 bool retpoline_module_ok(bool has_retpoline)
945 {
946 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
947 return true;
948
949 pr_err("System may be vulnerable to spectre v2\n");
950 spectre_v2_bad_module = true;
951 return false;
952 }
953
spectre_v2_module_string(void)954 static inline const char *spectre_v2_module_string(void)
955 {
956 return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
957 }
958 #else
spectre_v2_module_string(void)959 static inline const char *spectre_v2_module_string(void) { return ""; }
960 #endif
961
962 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
963 #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
964 #define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
965 #define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enhanced IBRS CPU, this may cause unnecessary performance loss\n"
966
967 #ifdef CONFIG_BPF_SYSCALL
unpriv_ebpf_notify(int new_state)968 void unpriv_ebpf_notify(int new_state)
969 {
970 if (new_state)
971 return;
972
973 /* Unprivileged eBPF is enabled */
974
975 switch (spectre_v2_enabled) {
976 case SPECTRE_V2_EIBRS:
977 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
978 break;
979 case SPECTRE_V2_EIBRS_LFENCE:
980 if (sched_smt_active())
981 pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
982 break;
983 default:
984 break;
985 }
986 }
987 #endif
988
match_option(const char * arg,int arglen,const char * opt)989 static inline bool match_option(const char *arg, int arglen, const char *opt)
990 {
991 int len = strlen(opt);
992
993 return len == arglen && !strncmp(arg, opt, len);
994 }
995
996 /* The kernel command line selection for spectre v2 */
997 enum spectre_v2_mitigation_cmd {
998 SPECTRE_V2_CMD_NONE,
999 SPECTRE_V2_CMD_AUTO,
1000 SPECTRE_V2_CMD_FORCE,
1001 SPECTRE_V2_CMD_RETPOLINE,
1002 SPECTRE_V2_CMD_RETPOLINE_GENERIC,
1003 SPECTRE_V2_CMD_RETPOLINE_LFENCE,
1004 SPECTRE_V2_CMD_EIBRS,
1005 SPECTRE_V2_CMD_EIBRS_RETPOLINE,
1006 SPECTRE_V2_CMD_EIBRS_LFENCE,
1007 SPECTRE_V2_CMD_IBRS,
1008 };
1009
1010 enum spectre_v2_user_cmd {
1011 SPECTRE_V2_USER_CMD_NONE,
1012 SPECTRE_V2_USER_CMD_AUTO,
1013 SPECTRE_V2_USER_CMD_FORCE,
1014 SPECTRE_V2_USER_CMD_PRCTL,
1015 SPECTRE_V2_USER_CMD_PRCTL_IBPB,
1016 SPECTRE_V2_USER_CMD_SECCOMP,
1017 SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
1018 };
1019
1020 static const char * const spectre_v2_user_strings[] = {
1021 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable",
1022 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection",
1023 [SPECTRE_V2_USER_STRICT_PREFERRED] = "User space: Mitigation: STIBP always-on protection",
1024 [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl",
1025 [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl",
1026 };
1027
1028 static const struct {
1029 const char *option;
1030 enum spectre_v2_user_cmd cmd;
1031 bool secure;
1032 } v2_user_options[] __initconst = {
1033 { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
1034 { "off", SPECTRE_V2_USER_CMD_NONE, false },
1035 { "on", SPECTRE_V2_USER_CMD_FORCE, true },
1036 { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
1037 { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false },
1038 { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
1039 { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false },
1040 };
1041
spec_v2_user_print_cond(const char * reason,bool secure)1042 static void __init spec_v2_user_print_cond(const char *reason, bool secure)
1043 {
1044 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1045 pr_info("spectre_v2_user=%s forced on command line.\n", reason);
1046 }
1047
1048 static __ro_after_init enum spectre_v2_mitigation_cmd spectre_v2_cmd;
1049
1050 static enum spectre_v2_user_cmd __init
spectre_v2_parse_user_cmdline(void)1051 spectre_v2_parse_user_cmdline(void)
1052 {
1053 char arg[20];
1054 int ret, i;
1055
1056 switch (spectre_v2_cmd) {
1057 case SPECTRE_V2_CMD_NONE:
1058 return SPECTRE_V2_USER_CMD_NONE;
1059 case SPECTRE_V2_CMD_FORCE:
1060 return SPECTRE_V2_USER_CMD_FORCE;
1061 default:
1062 break;
1063 }
1064
1065 ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
1066 arg, sizeof(arg));
1067 if (ret < 0)
1068 return SPECTRE_V2_USER_CMD_AUTO;
1069
1070 for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
1071 if (match_option(arg, ret, v2_user_options[i].option)) {
1072 spec_v2_user_print_cond(v2_user_options[i].option,
1073 v2_user_options[i].secure);
1074 return v2_user_options[i].cmd;
1075 }
1076 }
1077
1078 pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
1079 return SPECTRE_V2_USER_CMD_AUTO;
1080 }
1081
spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)1082 static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)
1083 {
1084 return mode == SPECTRE_V2_EIBRS ||
1085 mode == SPECTRE_V2_EIBRS_RETPOLINE ||
1086 mode == SPECTRE_V2_EIBRS_LFENCE;
1087 }
1088
spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)1089 static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
1090 {
1091 return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
1092 }
1093
1094 static void __init
spectre_v2_user_select_mitigation(void)1095 spectre_v2_user_select_mitigation(void)
1096 {
1097 enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
1098 bool smt_possible = IS_ENABLED(CONFIG_SMP);
1099 enum spectre_v2_user_cmd cmd;
1100
1101 if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
1102 return;
1103
1104 if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
1105 cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
1106 smt_possible = false;
1107
1108 cmd = spectre_v2_parse_user_cmdline();
1109 switch (cmd) {
1110 case SPECTRE_V2_USER_CMD_NONE:
1111 goto set_mode;
1112 case SPECTRE_V2_USER_CMD_FORCE:
1113 mode = SPECTRE_V2_USER_STRICT;
1114 break;
1115 case SPECTRE_V2_USER_CMD_PRCTL:
1116 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1117 mode = SPECTRE_V2_USER_PRCTL;
1118 break;
1119 case SPECTRE_V2_USER_CMD_AUTO:
1120 case SPECTRE_V2_USER_CMD_SECCOMP:
1121 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1122 if (IS_ENABLED(CONFIG_SECCOMP))
1123 mode = SPECTRE_V2_USER_SECCOMP;
1124 else
1125 mode = SPECTRE_V2_USER_PRCTL;
1126 break;
1127 }
1128
1129 /* Initialize Indirect Branch Prediction Barrier */
1130 if (boot_cpu_has(X86_FEATURE_IBPB)) {
1131 setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
1132
1133 spectre_v2_user_ibpb = mode;
1134 switch (cmd) {
1135 case SPECTRE_V2_USER_CMD_FORCE:
1136 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1137 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1138 static_branch_enable(&switch_mm_always_ibpb);
1139 spectre_v2_user_ibpb = SPECTRE_V2_USER_STRICT;
1140 break;
1141 case SPECTRE_V2_USER_CMD_PRCTL:
1142 case SPECTRE_V2_USER_CMD_AUTO:
1143 case SPECTRE_V2_USER_CMD_SECCOMP:
1144 static_branch_enable(&switch_mm_cond_ibpb);
1145 break;
1146 default:
1147 break;
1148 }
1149
1150 pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
1151 static_key_enabled(&switch_mm_always_ibpb) ?
1152 "always-on" : "conditional");
1153 }
1154
1155 /*
1156 * If no STIBP, Intel enhanced IBRS is enabled, or SMT impossible, STIBP
1157 * is not required.
1158 *
1159 * Intel's Enhanced IBRS also protects against cross-thread branch target
1160 * injection in user-mode as the IBRS bit remains always set which
1161 * implicitly enables cross-thread protections. However, in legacy IBRS
1162 * mode, the IBRS bit is set only on kernel entry and cleared on return
1163 * to userspace. AMD Automatic IBRS also does not protect userspace.
1164 * These modes therefore disable the implicit cross-thread protection,
1165 * so allow for STIBP to be selected in those cases.
1166 */
1167 if (!boot_cpu_has(X86_FEATURE_STIBP) ||
1168 !smt_possible ||
1169 (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
1170 !boot_cpu_has(X86_FEATURE_AUTOIBRS)))
1171 return;
1172
1173 /*
1174 * At this point, an STIBP mode other than "off" has been set.
1175 * If STIBP support is not being forced, check if STIBP always-on
1176 * is preferred.
1177 */
1178 if (mode != SPECTRE_V2_USER_STRICT &&
1179 boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
1180 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1181
1182 spectre_v2_user_stibp = mode;
1183
1184 set_mode:
1185 pr_info("%s\n", spectre_v2_user_strings[mode]);
1186 }
1187
1188 static const char * const spectre_v2_strings[] = {
1189 [SPECTRE_V2_NONE] = "Vulnerable",
1190 [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines",
1191 [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE",
1192 [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced / Automatic IBRS",
1193 [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced / Automatic IBRS + LFENCE",
1194 [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced / Automatic IBRS + Retpolines",
1195 [SPECTRE_V2_IBRS] = "Mitigation: IBRS",
1196 };
1197
1198 static const struct {
1199 const char *option;
1200 enum spectre_v2_mitigation_cmd cmd;
1201 bool secure;
1202 } mitigation_options[] __initconst = {
1203 { "off", SPECTRE_V2_CMD_NONE, false },
1204 { "on", SPECTRE_V2_CMD_FORCE, true },
1205 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
1206 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1207 { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1208 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
1209 { "eibrs", SPECTRE_V2_CMD_EIBRS, false },
1210 { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false },
1211 { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false },
1212 { "auto", SPECTRE_V2_CMD_AUTO, false },
1213 { "ibrs", SPECTRE_V2_CMD_IBRS, false },
1214 };
1215
spec_v2_print_cond(const char * reason,bool secure)1216 static void __init spec_v2_print_cond(const char *reason, bool secure)
1217 {
1218 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1219 pr_info("%s selected on command line.\n", reason);
1220 }
1221
spectre_v2_parse_cmdline(void)1222 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
1223 {
1224 enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
1225 char arg[20];
1226 int ret, i;
1227
1228 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
1229 cpu_mitigations_off())
1230 return SPECTRE_V2_CMD_NONE;
1231
1232 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
1233 if (ret < 0)
1234 return SPECTRE_V2_CMD_AUTO;
1235
1236 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
1237 if (!match_option(arg, ret, mitigation_options[i].option))
1238 continue;
1239 cmd = mitigation_options[i].cmd;
1240 break;
1241 }
1242
1243 if (i >= ARRAY_SIZE(mitigation_options)) {
1244 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1245 return SPECTRE_V2_CMD_AUTO;
1246 }
1247
1248 if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
1249 cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1250 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
1251 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1252 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1253 !IS_ENABLED(CONFIG_RETPOLINE)) {
1254 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1255 mitigation_options[i].option);
1256 return SPECTRE_V2_CMD_AUTO;
1257 }
1258
1259 if ((cmd == SPECTRE_V2_CMD_EIBRS ||
1260 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1261 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1262 !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1263 pr_err("%s selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n",
1264 mitigation_options[i].option);
1265 return SPECTRE_V2_CMD_AUTO;
1266 }
1267
1268 if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1269 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
1270 !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
1271 pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n",
1272 mitigation_options[i].option);
1273 return SPECTRE_V2_CMD_AUTO;
1274 }
1275
1276 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {
1277 pr_err("%s selected but not Intel CPU. Switching to AUTO select\n",
1278 mitigation_options[i].option);
1279 return SPECTRE_V2_CMD_AUTO;
1280 }
1281
1282 if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {
1283 pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n",
1284 mitigation_options[i].option);
1285 return SPECTRE_V2_CMD_AUTO;
1286 }
1287
1288 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_has(X86_FEATURE_XENPV)) {
1289 pr_err("%s selected but running as XenPV guest. Switching to AUTO select\n",
1290 mitigation_options[i].option);
1291 return SPECTRE_V2_CMD_AUTO;
1292 }
1293
1294 spec_v2_print_cond(mitigation_options[i].option,
1295 mitigation_options[i].secure);
1296 return cmd;
1297 }
1298
spectre_v2_select_retpoline(void)1299 static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void)
1300 {
1301 if (!IS_ENABLED(CONFIG_RETPOLINE)) {
1302 pr_err("Kernel not compiled with retpoline; no mitigation available!");
1303 return SPECTRE_V2_NONE;
1304 }
1305
1306 return SPECTRE_V2_RETPOLINE;
1307 }
1308
1309 /* Disable in-kernel use of non-RSB RET predictors */
spec_ctrl_disable_kernel_rrsba(void)1310 static void __init spec_ctrl_disable_kernel_rrsba(void)
1311 {
1312 u64 ia32_cap;
1313
1314 if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL))
1315 return;
1316
1317 ia32_cap = x86_read_arch_cap_msr();
1318
1319 if (ia32_cap & ARCH_CAP_RRSBA) {
1320 x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S;
1321 update_spec_ctrl(x86_spec_ctrl_base);
1322 }
1323 }
1324
spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)1325 static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)
1326 {
1327 /*
1328 * Similar to context switches, there are two types of RSB attacks
1329 * after VM exit:
1330 *
1331 * 1) RSB underflow
1332 *
1333 * 2) Poisoned RSB entry
1334 *
1335 * When retpoline is enabled, both are mitigated by filling/clearing
1336 * the RSB.
1337 *
1338 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
1339 * prediction isolation protections, RSB still needs to be cleared
1340 * because of #2. Note that SMEP provides no protection here, unlike
1341 * user-space-poisoned RSB entries.
1342 *
1343 * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB
1344 * bug is present then a LITE version of RSB protection is required,
1345 * just a single call needs to retire before a RET is executed.
1346 */
1347 switch (mode) {
1348 case SPECTRE_V2_NONE:
1349 return;
1350
1351 case SPECTRE_V2_EIBRS_LFENCE:
1352 case SPECTRE_V2_EIBRS:
1353 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
1354 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
1355 pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
1356 }
1357 return;
1358
1359 case SPECTRE_V2_EIBRS_RETPOLINE:
1360 case SPECTRE_V2_RETPOLINE:
1361 case SPECTRE_V2_LFENCE:
1362 case SPECTRE_V2_IBRS:
1363 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
1364 pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
1365 return;
1366 }
1367
1368 pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");
1369 dump_stack();
1370 }
1371
spectre_v2_select_mitigation(void)1372 static void __init spectre_v2_select_mitigation(void)
1373 {
1374 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
1375 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
1376
1377 /*
1378 * If the CPU is not affected and the command line mode is NONE or AUTO
1379 * then nothing to do.
1380 */
1381 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
1382 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
1383 return;
1384
1385 switch (cmd) {
1386 case SPECTRE_V2_CMD_NONE:
1387 return;
1388
1389 case SPECTRE_V2_CMD_FORCE:
1390 case SPECTRE_V2_CMD_AUTO:
1391 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1392 mode = SPECTRE_V2_EIBRS;
1393 break;
1394 }
1395
1396 if (boot_cpu_has_bug(X86_BUG_RETBLEED) &&
1397 retbleed_cmd != RETBLEED_CMD_OFF &&
1398 boot_cpu_has(X86_FEATURE_IBRS) &&
1399 boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
1400 mode = SPECTRE_V2_IBRS;
1401 break;
1402 }
1403
1404 mode = spectre_v2_select_retpoline();
1405 break;
1406
1407 case SPECTRE_V2_CMD_RETPOLINE_LFENCE:
1408 pr_err(SPECTRE_V2_LFENCE_MSG);
1409 mode = SPECTRE_V2_LFENCE;
1410 break;
1411
1412 case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
1413 mode = SPECTRE_V2_RETPOLINE;
1414 break;
1415
1416 case SPECTRE_V2_CMD_RETPOLINE:
1417 mode = spectre_v2_select_retpoline();
1418 break;
1419
1420 case SPECTRE_V2_CMD_IBRS:
1421 mode = SPECTRE_V2_IBRS;
1422 break;
1423
1424 case SPECTRE_V2_CMD_EIBRS:
1425 mode = SPECTRE_V2_EIBRS;
1426 break;
1427
1428 case SPECTRE_V2_CMD_EIBRS_LFENCE:
1429 mode = SPECTRE_V2_EIBRS_LFENCE;
1430 break;
1431
1432 case SPECTRE_V2_CMD_EIBRS_RETPOLINE:
1433 mode = SPECTRE_V2_EIBRS_RETPOLINE;
1434 break;
1435 }
1436
1437 if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
1438 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
1439
1440 if (spectre_v2_in_ibrs_mode(mode)) {
1441 if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
1442 msr_set_bit(MSR_EFER, _EFER_AUTOIBRS);
1443 } else {
1444 x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
1445 update_spec_ctrl(x86_spec_ctrl_base);
1446 }
1447 }
1448
1449 switch (mode) {
1450 case SPECTRE_V2_NONE:
1451 case SPECTRE_V2_EIBRS:
1452 break;
1453
1454 case SPECTRE_V2_IBRS:
1455 setup_force_cpu_cap(X86_FEATURE_KERNEL_IBRS);
1456 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED))
1457 pr_warn(SPECTRE_V2_IBRS_PERF_MSG);
1458 break;
1459
1460 case SPECTRE_V2_LFENCE:
1461 case SPECTRE_V2_EIBRS_LFENCE:
1462 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE);
1463 fallthrough;
1464
1465 case SPECTRE_V2_RETPOLINE:
1466 case SPECTRE_V2_EIBRS_RETPOLINE:
1467 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
1468 break;
1469 }
1470
1471 /*
1472 * Disable alternate RSB predictions in kernel when indirect CALLs and
1473 * JMPs gets protection against BHI and Intramode-BTI, but RET
1474 * prediction from a non-RSB predictor is still a risk.
1475 */
1476 if (mode == SPECTRE_V2_EIBRS_LFENCE ||
1477 mode == SPECTRE_V2_EIBRS_RETPOLINE ||
1478 mode == SPECTRE_V2_RETPOLINE)
1479 spec_ctrl_disable_kernel_rrsba();
1480
1481 spectre_v2_enabled = mode;
1482 pr_info("%s\n", spectre_v2_strings[mode]);
1483
1484 /*
1485 * If Spectre v2 protection has been enabled, fill the RSB during a
1486 * context switch. In general there are two types of RSB attacks
1487 * across context switches, for which the CALLs/RETs may be unbalanced.
1488 *
1489 * 1) RSB underflow
1490 *
1491 * Some Intel parts have "bottomless RSB". When the RSB is empty,
1492 * speculated return targets may come from the branch predictor,
1493 * which could have a user-poisoned BTB or BHB entry.
1494 *
1495 * AMD has it even worse: *all* returns are speculated from the BTB,
1496 * regardless of the state of the RSB.
1497 *
1498 * When IBRS or eIBRS is enabled, the "user -> kernel" attack
1499 * scenario is mitigated by the IBRS branch prediction isolation
1500 * properties, so the RSB buffer filling wouldn't be necessary to
1501 * protect against this type of attack.
1502 *
1503 * The "user -> user" attack scenario is mitigated by RSB filling.
1504 *
1505 * 2) Poisoned RSB entry
1506 *
1507 * If the 'next' in-kernel return stack is shorter than 'prev',
1508 * 'next' could be tricked into speculating with a user-poisoned RSB
1509 * entry.
1510 *
1511 * The "user -> kernel" attack scenario is mitigated by SMEP and
1512 * eIBRS.
1513 *
1514 * The "user -> user" scenario, also known as SpectreBHB, requires
1515 * RSB clearing.
1516 *
1517 * So to mitigate all cases, unconditionally fill RSB on context
1518 * switches.
1519 *
1520 * FIXME: Is this pointless for retbleed-affected AMD?
1521 */
1522 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
1523 pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
1524
1525 spectre_v2_determine_rsb_fill_type_at_vmexit(mode);
1526
1527 /*
1528 * Retpoline protects the kernel, but doesn't protect firmware. IBRS
1529 * and Enhanced IBRS protect firmware too, so enable IBRS around
1530 * firmware calls only when IBRS / Enhanced / Automatic IBRS aren't
1531 * otherwise enabled.
1532 *
1533 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
1534 * the user might select retpoline on the kernel command line and if
1535 * the CPU supports Enhanced IBRS, kernel might un-intentionally not
1536 * enable IBRS around firmware calls.
1537 */
1538 if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_ibrs_mode(mode)) {
1539 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
1540 pr_info("Enabling Restricted Speculation for firmware calls\n");
1541 }
1542
1543 /* Set up IBPB and STIBP depending on the general spectre V2 command */
1544 spectre_v2_cmd = cmd;
1545 }
1546
update_stibp_msr(void * __unused)1547 static void update_stibp_msr(void * __unused)
1548 {
1549 u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP);
1550 update_spec_ctrl(val);
1551 }
1552
1553 /* Update x86_spec_ctrl_base in case SMT state changed. */
update_stibp_strict(void)1554 static void update_stibp_strict(void)
1555 {
1556 u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP;
1557
1558 if (sched_smt_active())
1559 mask |= SPEC_CTRL_STIBP;
1560
1561 if (mask == x86_spec_ctrl_base)
1562 return;
1563
1564 pr_info("Update user space SMT mitigation: STIBP %s\n",
1565 mask & SPEC_CTRL_STIBP ? "always-on" : "off");
1566 x86_spec_ctrl_base = mask;
1567 on_each_cpu(update_stibp_msr, NULL, 1);
1568 }
1569
1570 /* Update the static key controlling the evaluation of TIF_SPEC_IB */
update_indir_branch_cond(void)1571 static void update_indir_branch_cond(void)
1572 {
1573 if (sched_smt_active())
1574 static_branch_enable(&switch_to_cond_stibp);
1575 else
1576 static_branch_disable(&switch_to_cond_stibp);
1577 }
1578
1579 #undef pr_fmt
1580 #define pr_fmt(fmt) fmt
1581
1582 /* Update the static key controlling the MDS CPU buffer clear in idle */
update_mds_branch_idle(void)1583 static void update_mds_branch_idle(void)
1584 {
1585 u64 ia32_cap = x86_read_arch_cap_msr();
1586
1587 /*
1588 * Enable the idle clearing if SMT is active on CPUs which are
1589 * affected only by MSBDS and not any other MDS variant.
1590 *
1591 * The other variants cannot be mitigated when SMT is enabled, so
1592 * clearing the buffers on idle just to prevent the Store Buffer
1593 * repartitioning leak would be a window dressing exercise.
1594 */
1595 if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY))
1596 return;
1597
1598 if (sched_smt_active()) {
1599 static_branch_enable(&mds_idle_clear);
1600 } else if (mmio_mitigation == MMIO_MITIGATION_OFF ||
1601 (ia32_cap & ARCH_CAP_FBSDP_NO)) {
1602 static_branch_disable(&mds_idle_clear);
1603 }
1604 }
1605
1606 #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
1607 #define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n"
1608 #define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.\n"
1609
cpu_bugs_smt_update(void)1610 void cpu_bugs_smt_update(void)
1611 {
1612 mutex_lock(&spec_ctrl_mutex);
1613
1614 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
1615 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
1616 pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
1617
1618 switch (spectre_v2_user_stibp) {
1619 case SPECTRE_V2_USER_NONE:
1620 break;
1621 case SPECTRE_V2_USER_STRICT:
1622 case SPECTRE_V2_USER_STRICT_PREFERRED:
1623 update_stibp_strict();
1624 break;
1625 case SPECTRE_V2_USER_PRCTL:
1626 case SPECTRE_V2_USER_SECCOMP:
1627 update_indir_branch_cond();
1628 break;
1629 }
1630
1631 switch (mds_mitigation) {
1632 case MDS_MITIGATION_FULL:
1633 case MDS_MITIGATION_VMWERV:
1634 if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
1635 pr_warn_once(MDS_MSG_SMT);
1636 update_mds_branch_idle();
1637 break;
1638 case MDS_MITIGATION_OFF:
1639 break;
1640 }
1641
1642 switch (taa_mitigation) {
1643 case TAA_MITIGATION_VERW:
1644 case TAA_MITIGATION_UCODE_NEEDED:
1645 if (sched_smt_active())
1646 pr_warn_once(TAA_MSG_SMT);
1647 break;
1648 case TAA_MITIGATION_TSX_DISABLED:
1649 case TAA_MITIGATION_OFF:
1650 break;
1651 }
1652
1653 switch (mmio_mitigation) {
1654 case MMIO_MITIGATION_VERW:
1655 case MMIO_MITIGATION_UCODE_NEEDED:
1656 if (sched_smt_active())
1657 pr_warn_once(MMIO_MSG_SMT);
1658 break;
1659 case MMIO_MITIGATION_OFF:
1660 break;
1661 }
1662
1663 mutex_unlock(&spec_ctrl_mutex);
1664 }
1665
1666 #undef pr_fmt
1667 #define pr_fmt(fmt) "Speculative Store Bypass: " fmt
1668
1669 static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
1670
1671 /* The kernel command line selection */
1672 enum ssb_mitigation_cmd {
1673 SPEC_STORE_BYPASS_CMD_NONE,
1674 SPEC_STORE_BYPASS_CMD_AUTO,
1675 SPEC_STORE_BYPASS_CMD_ON,
1676 SPEC_STORE_BYPASS_CMD_PRCTL,
1677 SPEC_STORE_BYPASS_CMD_SECCOMP,
1678 };
1679
1680 static const char * const ssb_strings[] = {
1681 [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
1682 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
1683 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
1684 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
1685 };
1686
1687 static const struct {
1688 const char *option;
1689 enum ssb_mitigation_cmd cmd;
1690 } ssb_mitigation_options[] __initconst = {
1691 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
1692 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
1693 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
1694 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
1695 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
1696 };

static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
{
	enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
	char arg[20];
	int ret, i;

	if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
	    cpu_mitigations_off()) {
		return SPEC_STORE_BYPASS_CMD_NONE;
	} else {
		ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
					  arg, sizeof(arg));
		if (ret < 0)
			return SPEC_STORE_BYPASS_CMD_AUTO;

		for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
			if (!match_option(arg, ret, ssb_mitigation_options[i].option))
				continue;

			cmd = ssb_mitigation_options[i].cmd;
			break;
		}

		if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
			pr_err("unknown option (%s). Switching to AUTO select\n", arg);
			return SPEC_STORE_BYPASS_CMD_AUTO;
		}
	}

	return cmd;
}

static enum ssb_mitigation __init __ssb_select_mitigation(void)
{
	enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
	enum ssb_mitigation_cmd cmd;

	if (!boot_cpu_has(X86_FEATURE_SSBD))
		return mode;

	cmd = ssb_parse_cmdline();
	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
	    (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
	     cmd == SPEC_STORE_BYPASS_CMD_AUTO))
		return mode;

	switch (cmd) {
	case SPEC_STORE_BYPASS_CMD_AUTO:
	case SPEC_STORE_BYPASS_CMD_SECCOMP:
		/*
		 * Choose prctl+seccomp as the default mode if seccomp is
		 * enabled.
		 */
		if (IS_ENABLED(CONFIG_SECCOMP))
			mode = SPEC_STORE_BYPASS_SECCOMP;
		else
			mode = SPEC_STORE_BYPASS_PRCTL;
		break;
	case SPEC_STORE_BYPASS_CMD_ON:
		mode = SPEC_STORE_BYPASS_DISABLE;
		break;
	case SPEC_STORE_BYPASS_CMD_PRCTL:
		mode = SPEC_STORE_BYPASS_PRCTL;
		break;
	case SPEC_STORE_BYPASS_CMD_NONE:
		break;
	}

	/*
	 * We have three CPU feature flags that are in play here:
	 *  - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
	 *  - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
	 *  - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
	 */
	if (mode == SPEC_STORE_BYPASS_DISABLE) {
		setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
		/*
		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
		 * use a completely different MSR and bit dependent on family.
		 */
		if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
		    !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
			x86_amd_ssb_disable();
		} else {
			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
			update_spec_ctrl(x86_spec_ctrl_base);
		}
	}

	return mode;
}

static void ssb_select_mitigation(void)
{
	ssb_mode = __ssb_select_mitigation();

	if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
		pr_info("%s\n", ssb_strings[ssb_mode]);
}

#undef pr_fmt
#define pr_fmt(fmt)	"Speculation prctl: " fmt

static void task_update_spec_tif(struct task_struct *tsk)
{
	/* Force the update of the real TIF bits */
	set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE);

	/*
	 * Immediately update the speculation control MSRs for the current
	 * task, but for a non-current task delay setting the CPU
	 * mitigation until it is scheduled next.
	 *
	 * This can only happen for SECCOMP mitigation. For PRCTL it's
	 * always the current task.
	 */
	if (tsk == current)
		speculation_ctrl_update_current();
}

static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
{
	if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
	    ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
		return -ENXIO;

	switch (ctrl) {
	case PR_SPEC_ENABLE:
		/* If speculation is force disabled, enable is not allowed */
		if (task_spec_ssb_force_disable(task))
			return -EPERM;
		task_clear_spec_ssb_disable(task);
		task_clear_spec_ssb_noexec(task);
		task_update_spec_tif(task);
		break;
	case PR_SPEC_DISABLE:
		task_set_spec_ssb_disable(task);
		task_clear_spec_ssb_noexec(task);
		task_update_spec_tif(task);
		break;
	case PR_SPEC_FORCE_DISABLE:
		task_set_spec_ssb_disable(task);
		task_set_spec_ssb_force_disable(task);
		task_clear_spec_ssb_noexec(task);
		task_update_spec_tif(task);
		break;
	case PR_SPEC_DISABLE_NOEXEC:
		if (task_spec_ssb_force_disable(task))
			return -EPERM;
		task_set_spec_ssb_disable(task);
		task_set_spec_ssb_noexec(task);
		task_update_spec_tif(task);
		break;
	default:
		return -ERANGE;
	}
	return 0;
}
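
/*
 * For illustration, a process running under the prctl or seccomp mode would
 * typically request the mitigation for itself with (constants from
 * <linux/prctl.h>, error handling omitted):
 *
 *	prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
 *	      PR_SPEC_DISABLE, 0, 0);
 *
 * which ends up in ssb_prctl_set() above via arch_prctl_spec_ctrl_set().
 */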

static bool is_spec_ib_user_controlled(void)
{
	return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL ||
		spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
		spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL ||
		spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP;
}

static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
{
	switch (ctrl) {
	case PR_SPEC_ENABLE:
		if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
		    spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
			return 0;
		/*
		 * With strict mode for both IBPB and STIBP, the instruction
		 * code paths avoid checking this task flag and instead,
		 * unconditionally run the instruction. However, STIBP and IBPB
		 * are independent and either can be set to conditionally
		 * enabled regardless of the mode of the other.
		 *
		 * If either is set to conditional, allow the task flag to be
		 * updated, unless it was force-disabled by a previous prctl
		 * call. Currently, this is possible on an AMD CPU which has the
		 * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the
		 * kernel is booted with 'spectre_v2_user=seccomp', then
		 * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and
		 * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED.
		 */
		if (!is_spec_ib_user_controlled() ||
		    task_spec_ib_force_disable(task))
			return -EPERM;

		task_clear_spec_ib_disable(task);
		task_update_spec_tif(task);
		break;
	case PR_SPEC_DISABLE:
	case PR_SPEC_FORCE_DISABLE:
		/*
		 * Indirect branch speculation is always allowed when
		 * mitigation is force disabled.
		 */
		if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
		    spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
			return -EPERM;

		if (!is_spec_ib_user_controlled())
			return 0;

		task_set_spec_ib_disable(task);
		if (ctrl == PR_SPEC_FORCE_DISABLE)
			task_set_spec_ib_force_disable(task);
		task_update_spec_tif(task);
		if (task == current)
			indirect_branch_prediction_barrier();
		break;
	default:
		return -ERANGE;
	}
	return 0;
}
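
/*
 * Illustrative counterpart to the SSB example above: with
 * "spectre_v2_user=prctl" (or seccomp), a task can turn off cross-task
 * indirect branch speculation for itself with
 *
 *	prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
 *	      PR_SPEC_DISABLE, 0, 0);
 *
 * which sets the TIF flag via ib_prctl_set() and, for the calling task,
 * issues an immediate IBPB.
 */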

int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
			     unsigned long ctrl)
{
	switch (which) {
	case PR_SPEC_STORE_BYPASS:
		return ssb_prctl_set(task, ctrl);
	case PR_SPEC_INDIRECT_BRANCH:
		return ib_prctl_set(task, ctrl);
	default:
		return -ENODEV;
	}
}

#ifdef CONFIG_SECCOMP
void arch_seccomp_spec_mitigate(struct task_struct *task)
{
	if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
		ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
	if (spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
	    spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP)
		ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
}
#endif
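
/*
 * Note for context: in the seccomp modes the hook above force-disables the
 * speculation features for a task as soon as it installs a seccomp filter.
 * A filter that does not want this side effect can opt out by passing
 * SECCOMP_FILTER_FLAG_SPEC_ALLOW to seccomp(SECCOMP_SET_MODE_FILTER, ...),
 * in which case the seccomp core does not call
 * arch_seccomp_spec_mitigate() for that task (see kernel/seccomp.c).
 */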

static int ssb_prctl_get(struct task_struct *task)
{
	switch (ssb_mode) {
	case SPEC_STORE_BYPASS_DISABLE:
		return PR_SPEC_DISABLE;
	case SPEC_STORE_BYPASS_SECCOMP:
	case SPEC_STORE_BYPASS_PRCTL:
		if (task_spec_ssb_force_disable(task))
			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
		if (task_spec_ssb_noexec(task))
			return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
		if (task_spec_ssb_disable(task))
			return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
		return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
	default:
		if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
			return PR_SPEC_ENABLE;
		return PR_SPEC_NOT_AFFECTED;
	}
}

static int ib_prctl_get(struct task_struct *task)
{
	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
		return PR_SPEC_NOT_AFFECTED;

	if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
	    spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
		return PR_SPEC_ENABLE;
	else if (is_spec_ib_user_controlled()) {
		if (task_spec_ib_force_disable(task))
			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
		if (task_spec_ib_disable(task))
			return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
		return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
	} else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
	    spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
	    spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED)
		return PR_SPEC_DISABLE;
	else
		return PR_SPEC_NOT_AFFECTED;
}

int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
{
	switch (which) {
	case PR_SPEC_STORE_BYPASS:
		return ssb_prctl_get(task);
	case PR_SPEC_INDIRECT_BRANCH:
		return ib_prctl_get(task);
	default:
		return -ENODEV;
	}
}
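
/*
 * The get side is reachable from userspace as well, e.g. (illustration,
 * error handling omitted):
 *
 *	int ret = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
 *			0, 0, 0);
 *
 * The return value is a bitmask: PR_SPEC_PRCTL set means the mitigation is
 * per-task controllable, and one of PR_SPEC_ENABLE, PR_SPEC_DISABLE,
 * PR_SPEC_FORCE_DISABLE or PR_SPEC_DISABLE_NOEXEC describes the current
 * state, as assembled in ssb_prctl_get() and ib_prctl_get() above.
 */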

void x86_spec_ctrl_setup_ap(void)
{
	if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
		update_spec_ctrl(x86_spec_ctrl_base);

	if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
		x86_amd_ssb_disable();
}

bool itlb_multihit_kvm_mitigation;
EXPORT_SYMBOL_GPL(itlb_multihit_kvm_mitigation);

#undef pr_fmt
#define pr_fmt(fmt)	"L1TF: " fmt

/* Default mitigation for L1TF-affected CPUs */
enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
#if IS_ENABLED(CONFIG_KVM_INTEL)
EXPORT_SYMBOL_GPL(l1tf_mitigation);
#endif
enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
/*
 * These CPUs all support a 44-bit physical address space internally in the
 * cache, but CPUID can report a smaller number of physical address bits.
 *
 * The L1TF mitigation uses the topmost address bit for the inversion of
 * non-present PTEs. When the installed memory reaches into the topmost
 * address bit due to memory holes, which has been observed on machines
 * reporting 36 physical address bits with 32G RAM installed, the
 * mitigation range check in l1tf_select_mitigation() triggers. This is a
 * false positive because the mitigation is still possible, given that the
 * cache uses 44 bits internally. Use the cache bits instead of the
 * reported physical bits, and adjust them to 44 on the affected machines
 * if the reported value is smaller.
 */
static void override_cache_bits(struct cpuinfo_x86 *c)
{
	if (c->x86 != 6)
		return;

	switch (c->x86_model) {
	case INTEL_FAM6_NEHALEM:
	case INTEL_FAM6_WESTMERE:
	case INTEL_FAM6_SANDYBRIDGE:
	case INTEL_FAM6_IVYBRIDGE:
	case INTEL_FAM6_HASWELL:
	case INTEL_FAM6_HASWELL_L:
	case INTEL_FAM6_HASWELL_G:
	case INTEL_FAM6_BROADWELL:
	case INTEL_FAM6_BROADWELL_G:
	case INTEL_FAM6_SKYLAKE_L:
	case INTEL_FAM6_SKYLAKE:
	case INTEL_FAM6_KABYLAKE_L:
	case INTEL_FAM6_KABYLAKE:
		if (c->x86_cache_bits < 44)
			c->x86_cache_bits = 44;
		break;
	}
}

static void __init l1tf_select_mitigation(void)
{
	u64 half_pa;

	if (!boot_cpu_has_bug(X86_BUG_L1TF))
		return;

	if (cpu_mitigations_off())
		l1tf_mitigation = L1TF_MITIGATION_OFF;
	else if (cpu_mitigations_auto_nosmt())
		l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;

	override_cache_bits(&boot_cpu_data);

	switch (l1tf_mitigation) {
	case L1TF_MITIGATION_OFF:
	case L1TF_MITIGATION_FLUSH_NOWARN:
	case L1TF_MITIGATION_FLUSH:
		break;
	case L1TF_MITIGATION_FLUSH_NOSMT:
	case L1TF_MITIGATION_FULL:
		cpu_smt_disable(false);
		break;
	case L1TF_MITIGATION_FULL_FORCE:
		cpu_smt_disable(true);
		break;
	}

#if CONFIG_PGTABLE_LEVELS == 2
	pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
	return;
#endif

	half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
	if (l1tf_mitigation != L1TF_MITIGATION_OFF &&
	    e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
		pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
		pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
				half_pa);
		pr_info("However, doing so will make a part of your RAM unusable.\n");
		pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n");
		return;
	}

	setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
}
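
/*
 * Worked example for the range check above (assuming l1tf_pfn_limit() is
 * BIT_ULL(x86_cache_bits - 1 - PAGE_SHIFT) as declared in
 * <asm/processor.h>): with x86_cache_bits == 44,
 *
 *	half_pa = (1ULL << (44 - 1 - PAGE_SHIFT)) << PAGE_SHIFT
 *	        = 1ULL << 43				(8 TiB)
 *
 * so the "more than MAX_PA/2 memory" warning only fires when e820 maps RAM
 * at or above the 8 TiB boundary, i.e. into the address bit used for PTE
 * inversion.
 */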

static int __init l1tf_cmdline(char *str)
{
	if (!boot_cpu_has_bug(X86_BUG_L1TF))
		return 0;

	if (!str)
		return -EINVAL;

	if (!strcmp(str, "off"))
		l1tf_mitigation = L1TF_MITIGATION_OFF;
	else if (!strcmp(str, "flush,nowarn"))
		l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN;
	else if (!strcmp(str, "flush"))
		l1tf_mitigation = L1TF_MITIGATION_FLUSH;
	else if (!strcmp(str, "flush,nosmt"))
		l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
	else if (!strcmp(str, "full"))
		l1tf_mitigation = L1TF_MITIGATION_FULL;
	else if (!strcmp(str, "full,force"))
		l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;

	return 0;
}
early_param("l1tf", l1tf_cmdline);
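
/*
 * For reference, the strings accepted by l1tf_cmdline() map directly onto
 * the "l1tf=" boot parameter, e.g. booting with
 *
 *	l1tf=full,force
 *
 * selects L1TF_MITIGATION_FULL_FORCE, for which l1tf_select_mitigation()
 * above calls cpu_smt_disable(true), disabling SMT without a runtime
 * override.
 */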

#undef pr_fmt
#define pr_fmt(fmt)	fmt

#ifdef CONFIG_SYSFS

#define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"

#if IS_ENABLED(CONFIG_KVM_INTEL)
static const char * const l1tf_vmx_states[] = {
	[VMENTER_L1D_FLUSH_AUTO]		= "auto",
	[VMENTER_L1D_FLUSH_NEVER]		= "vulnerable",
	[VMENTER_L1D_FLUSH_COND]		= "conditional cache flushes",
	[VMENTER_L1D_FLUSH_ALWAYS]		= "cache flushes",
	[VMENTER_L1D_FLUSH_EPT_DISABLED]	= "EPT disabled",
	[VMENTER_L1D_FLUSH_NOT_REQUIRED]	= "flush not necessary"
};

static ssize_t l1tf_show_state(char *buf)
{
	if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
		return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);

	if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
	    (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
	     sched_smt_active())) {
		return sysfs_emit(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
				  l1tf_vmx_states[l1tf_vmx_mitigation]);
	}

	return sysfs_emit(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
			  l1tf_vmx_states[l1tf_vmx_mitigation],
			  sched_smt_active() ? "vulnerable" : "disabled");
}

static ssize_t itlb_multihit_show_state(char *buf)
{
	if (itlb_multihit_kvm_mitigation)
		return sysfs_emit(buf, "KVM: Mitigation: Split huge pages\n");
	else
		return sysfs_emit(buf, "KVM: Vulnerable\n");
}
#else
static ssize_t l1tf_show_state(char *buf)
{
	return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);
}

static ssize_t itlb_multihit_show_state(char *buf)
{
	return sysfs_emit(buf, "Processor vulnerable\n");
}
#endif

static ssize_t mds_show_state(char *buf)
{
	if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
		return sysfs_emit(buf, "%s; SMT Host state unknown\n",
				  mds_strings[mds_mitigation]);
	}

	if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
		return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
				  (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
				   sched_smt_active() ? "mitigated" : "disabled"));
	}

	return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
			  sched_smt_active() ? "vulnerable" : "disabled");
}

static ssize_t tsx_async_abort_show_state(char *buf)
{
	if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
	    (taa_mitigation == TAA_MITIGATION_OFF))
		return sysfs_emit(buf, "%s\n", taa_strings[taa_mitigation]);

	if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
		return sysfs_emit(buf, "%s; SMT Host state unknown\n",
				  taa_strings[taa_mitigation]);
	}

	return sysfs_emit(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
			  sched_smt_active() ? "vulnerable" : "disabled");
}

static ssize_t mmio_stale_data_show_state(char *buf)
{
	if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
		return sysfs_emit(buf, "Unknown: No mitigations\n");

	if (mmio_mitigation == MMIO_MITIGATION_OFF)
		return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);

	if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
		return sysfs_emit(buf, "%s; SMT Host state unknown\n",
				  mmio_strings[mmio_mitigation]);
	}

	return sysfs_emit(buf, "%s; SMT %s\n", mmio_strings[mmio_mitigation],
			  sched_smt_active() ? "vulnerable" : "disabled");
}

static char *stibp_state(void)
{
	if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
	    !boot_cpu_has(X86_FEATURE_AUTOIBRS))
		return "";

	switch (spectre_v2_user_stibp) {
	case SPECTRE_V2_USER_NONE:
		return ", STIBP: disabled";
	case SPECTRE_V2_USER_STRICT:
		return ", STIBP: forced";
	case SPECTRE_V2_USER_STRICT_PREFERRED:
		return ", STIBP: always-on";
	case SPECTRE_V2_USER_PRCTL:
	case SPECTRE_V2_USER_SECCOMP:
		if (static_key_enabled(&switch_to_cond_stibp))
			return ", STIBP: conditional";
	}
	return "";
}

static char *ibpb_state(void)
{
	if (boot_cpu_has(X86_FEATURE_IBPB)) {
		if (static_key_enabled(&switch_mm_always_ibpb))
			return ", IBPB: always-on";
		if (static_key_enabled(&switch_mm_cond_ibpb))
			return ", IBPB: conditional";
		return ", IBPB: disabled";
	}
	return "";
}

static char *pbrsb_eibrs_state(void)
{
	if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
		if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
		    boot_cpu_has(X86_FEATURE_RSB_VMEXIT))
			return ", PBRSB-eIBRS: SW sequence";
		else
			return ", PBRSB-eIBRS: Vulnerable";
	} else {
		return ", PBRSB-eIBRS: Not affected";
	}
}

static ssize_t spectre_v2_show_state(char *buf)
{
	if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
		return sysfs_emit(buf, "Vulnerable: LFENCE\n");

	if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
		return sysfs_emit(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");

	if (sched_smt_active() && unprivileged_ebpf_enabled() &&
	    spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
		return sysfs_emit(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");

	return sysfs_emit(buf, "%s%s%s%s%s%s%s\n",
			  spectre_v2_strings[spectre_v2_enabled],
			  ibpb_state(),
			  boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
			  stibp_state(),
			  boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
			  pbrsb_eibrs_state(),
			  spectre_v2_module_string());
}

static ssize_t srbds_show_state(char *buf)
{
	return sysfs_emit(buf, "%s\n", srbds_strings[srbds_mitigation]);
}

static ssize_t retbleed_show_state(char *buf)
{
	return sysfs_emit(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
}

static ssize_t gds_show_state(char *buf)
{
	return sysfs_emit(buf, "%s\n", gds_strings[gds_mitigation]);
}

static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
			       char *buf, unsigned int bug)
{
	if (!boot_cpu_has_bug(bug))
		return sysfs_emit(buf, "Not affected\n");

	switch (bug) {
	case X86_BUG_CPU_MELTDOWN:
		if (boot_cpu_has(X86_FEATURE_PTI))
			return sysfs_emit(buf, "Mitigation: PTI\n");

		if (hypervisor_is_type(X86_HYPER_XEN_PV))
			return sysfs_emit(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");

		break;

	case X86_BUG_SPECTRE_V1:
		return sysfs_emit(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);

	case X86_BUG_SPECTRE_V2:
		return spectre_v2_show_state(buf);

	case X86_BUG_SPEC_STORE_BYPASS:
		return sysfs_emit(buf, "%s\n", ssb_strings[ssb_mode]);

	case X86_BUG_L1TF:
		if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
			return l1tf_show_state(buf);
		break;

	case X86_BUG_MDS:
		return mds_show_state(buf);

	case X86_BUG_TAA:
		return tsx_async_abort_show_state(buf);

	case X86_BUG_ITLB_MULTIHIT:
		return itlb_multihit_show_state(buf);

	case X86_BUG_SRBDS:
		return srbds_show_state(buf);

	case X86_BUG_MMIO_STALE_DATA:
	case X86_BUG_MMIO_UNKNOWN:
		return mmio_stale_data_show_state(buf);

	case X86_BUG_RETBLEED:
		return retbleed_show_state(buf);

	case X86_BUG_GDS:
		return gds_show_state(buf);

	default:
		break;
	}

	return sysfs_emit(buf, "Vulnerable\n");
}
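
/*
 * The wrappers below back the files in
 * /sys/devices/system/cpu/vulnerabilities/. For illustration (output is
 * CPU and configuration dependent):
 *
 *	$ cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
 *	Mitigation: Speculative Store Bypass disabled via prctl
 *
 * The string is assembled by cpu_show_common() and the per-bug show
 * helpers above.
 */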

ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
}

ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
}

ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
}

ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
}

ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
}

ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
}

ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
}

ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
}

ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS);
}

ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)
{
	if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
		return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_UNKNOWN);
	else
		return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
}

ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
}

ssize_t cpu_show_gds(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_GDS);
}
#endif
