1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Copyright (C) 1994 Linus Torvalds
4 *
5 * Cyrix stuff, June 1998 by:
6 * - Rafael R. Reilova (moved everything from head.S),
7 * <rreilova@ececs.uc.edu>
8 * - Channing Corn (tests & fixes),
9 * - Andrew D. Balsa (code cleanup).
10 */
11#include <linux/init.h>
12#include <linux/utsname.h>
13#include <linux/cpu.h>
14#include <linux/module.h>
15#include <linux/nospec.h>
16#include <linux/prctl.h>
17#include <linux/sched/smt.h>
18#include <linux/pgtable.h>
19#include <linux/bpf.h>
20
21#include <asm/spec-ctrl.h>
22#include <asm/cmdline.h>
23#include <asm/bugs.h>
24#include <asm/processor.h>
25#include <asm/processor-flags.h>
26#include <asm/fpu/api.h>
27#include <asm/msr.h>
28#include <asm/vmx.h>
29#include <asm/paravirt.h>
30#include <asm/alternative.h>
31#include <asm/set_memory.h>
32#include <asm/intel-family.h>
33#include <asm/e820/api.h>
34#include <asm/hypervisor.h>
35#include <asm/tlbflush.h>
36
37#include "cpu.h"
38
39static void __init spectre_v1_select_mitigation(void);
40static void __init spectre_v2_select_mitigation(void);
41static void __init retbleed_select_mitigation(void);
42static void __init spectre_v2_user_select_mitigation(void);
43static void __init ssb_select_mitigation(void);
44static void __init l1tf_select_mitigation(void);
45static void __init mds_select_mitigation(void);
46static void __init md_clear_update_mitigation(void);
47static void __init md_clear_select_mitigation(void);
48static void __init taa_select_mitigation(void);
49static void __init mmio_select_mitigation(void);
50static void __init srbds_select_mitigation(void);
51static void __init l1d_flush_select_mitigation(void);
52
53/* The base value of the SPEC_CTRL MSR without task-specific bits set */
54u64 x86_spec_ctrl_base;
55EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
56
57/* The current value of the SPEC_CTRL MSR with task-specific bits set */
58DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
59EXPORT_SYMBOL_GPL(x86_spec_ctrl_current);
60
61static DEFINE_MUTEX(spec_ctrl_mutex);
62
63/*
64 * Keep track of the SPEC_CTRL MSR value for the current task, which may differ
65 * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update().
66 */
67void write_spec_ctrl_current(u64 val, bool force)
68{
69 if (this_cpu_read(x86_spec_ctrl_current) == val)
70 return;
71
72 this_cpu_write(x86_spec_ctrl_current, val);
73
74 /*
75 * When KERNEL_IBRS this MSR is written on return-to-user, unless
76 * forced the update can be delayed until that time.
77 */
78 if (force || !cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS))
79 wrmsrl(MSR_IA32_SPEC_CTRL, val);
80}
81
82u64 spec_ctrl_current(void)
83{
84 return this_cpu_read(x86_spec_ctrl_current);
85}
86EXPORT_SYMBOL_GPL(spec_ctrl_current);
87
88/*
89 * AMD specific MSR info for Speculative Store Bypass control.
90 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
91 */
92u64 __ro_after_init x86_amd_ls_cfg_base;
93u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
94
95/* Control conditional STIBP in switch_to() */
96DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
97/* Control conditional IBPB in switch_mm() */
98DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
99/* Control unconditional IBPB in switch_mm() */
100DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);
101
102/* Control MDS CPU buffer clear before returning to user space */
103DEFINE_STATIC_KEY_FALSE(mds_user_clear);
104EXPORT_SYMBOL_GPL(mds_user_clear);
105/* Control MDS CPU buffer clear before idling (halt, mwait) */
106DEFINE_STATIC_KEY_FALSE(mds_idle_clear);
107EXPORT_SYMBOL_GPL(mds_idle_clear);
108
109/*
110 * Controls whether l1d flush based mitigations are enabled,
111 * based on hw features and admin setting via boot parameter
112 * defaults to false
113 */
114DEFINE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush);
115
116/* Controls CPU Fill buffer clear before KVM guest MMIO accesses */
117DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear);
118EXPORT_SYMBOL_GPL(mmio_stale_data_clear);
119
120void __init check_bugs(void)
121{
122 identify_boot_cpu();
123
124 /*
125 * identify_boot_cpu() initialized SMT support information, let the
126 * core code know.
127 */
128 cpu_smt_check_topology();
129
130 if (!IS_ENABLED(CONFIG_SMP)) {
131 pr_info("CPU: ");
132 print_cpu_info(&boot_cpu_data);
133 }
134
135 /*
136 * Read the SPEC_CTRL MSR to account for reserved bits which may
137 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
138 * init code as it is not enumerated and depends on the family.
139 */
140 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
141 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
142
143 /* Select the proper CPU mitigations before patching alternatives: */
144 spectre_v1_select_mitigation();
145 spectre_v2_select_mitigation();
146 /*
147 * retbleed_select_mitigation() relies on the state set by
148 * spectre_v2_select_mitigation(); specifically it wants to know about
149 * spectre_v2=ibrs.
150 */
151 retbleed_select_mitigation();
152 /*
153 * spectre_v2_user_select_mitigation() relies on the state set by
154 * retbleed_select_mitigation(); specifically the STIBP selection is
155 * forced for UNRET or IBPB.
156 */
157 spectre_v2_user_select_mitigation();
158 ssb_select_mitigation();
159 l1tf_select_mitigation();
160 md_clear_select_mitigation();
161 srbds_select_mitigation();
162 l1d_flush_select_mitigation();
163
164 arch_smt_update();
165
166#ifdef CONFIG_X86_32
167 /*
168 * Check whether we are able to run this kernel safely on SMP.
169 *
170 * - i386 is no longer supported.
171 * - In order to run on anything without a TSC, we need to be
172 * compiled for a i486.
173 */
174 if (boot_cpu_data.x86 < 4)
175 panic("Kernel requires i486+ for 'invlpg' and other features");
176
177 init_utsname()->machine[1] =
178 '0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86);
179 alternative_instructions();
180
181 fpu__init_check_bugs();
182#else /* CONFIG_X86_64 */
183 alternative_instructions();
184
185 /*
186 * Make sure the first 2MB area is not mapped by huge pages
187 * There are typically fixed size MTRRs in there and overlapping
188 * MTRRs into large pages causes slow downs.
189 *
190 * Right now we don't do that with gbpages because there seems
191 * very little benefit for that case.
192 */
193 if (!direct_gbpages)
194 set_memory_4k((unsigned long)__va(0), 1);
195#endif
196}
197
198/*
199 * NOTE: This function is *only* called for SVM. VMX spec_ctrl handling is
200 * done in vmenter.S.
201 */
202void
203x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
204{
205 u64 msrval, guestval = guest_spec_ctrl, hostval = spec_ctrl_current();
206 struct thread_info *ti = current_thread_info();
207
208 if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
209 if (hostval != guestval) {
210 msrval = setguest ? guestval : hostval;
211 wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
212 }
213 }
214
215 /*
216 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
217 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
218 */
219 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
220 !static_cpu_has(X86_FEATURE_VIRT_SSBD))
221 return;
222
223 /*
224 * If the host has SSBD mitigation enabled, force it in the host's
225 * virtual MSR value. If its not permanently enabled, evaluate
226 * current's TIF_SSBD thread flag.
227 */
228 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
229 hostval = SPEC_CTRL_SSBD;
230 else
231 hostval = ssbd_tif_to_spec_ctrl(ti->flags);
232
233 /* Sanitize the guest value */
234 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
235
236 if (hostval != guestval) {
237 unsigned long tif;
238
239 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
240 ssbd_spec_ctrl_to_tif(hostval);
241
242 speculation_ctrl_update(tif);
243 }
244}
245EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
246
247static void x86_amd_ssb_disable(void)
248{
249 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
250
251 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
252 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
253 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
254 wrmsrl(MSR_AMD64_LS_CFG, msrval);
255}
256
257#undef pr_fmt
258#define pr_fmt(fmt) "MDS: " fmt
259
260/* Default mitigation for MDS-affected CPUs */
261static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL;
262static bool mds_nosmt __ro_after_init = false;
263
264static const char * const mds_strings[] = {
265 [MDS_MITIGATION_OFF] = "Vulnerable",
266 [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
267 [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
268};
269
270static void __init mds_select_mitigation(void)
271{
272 if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) {
273 mds_mitigation = MDS_MITIGATION_OFF;
274 return;
275 }
276
277 if (mds_mitigation == MDS_MITIGATION_FULL) {
278 if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
279 mds_mitigation = MDS_MITIGATION_VMWERV;
280
281 static_branch_enable(&mds_user_clear);
282
283 if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&
284 (mds_nosmt || cpu_mitigations_auto_nosmt()))
285 cpu_smt_disable(false);
286 }
287}
288
289static int __init mds_cmdline(char *str)
290{
291 if (!boot_cpu_has_bug(X86_BUG_MDS))
292 return 0;
293
294 if (!str)
295 return -EINVAL;
296
297 if (!strcmp(str, "off"))
298 mds_mitigation = MDS_MITIGATION_OFF;
299 else if (!strcmp(str, "full"))
300 mds_mitigation = MDS_MITIGATION_FULL;
301 else if (!strcmp(str, "full,nosmt")) {
302 mds_mitigation = MDS_MITIGATION_FULL;
303 mds_nosmt = true;
304 }
305
306 return 0;
307}
308early_param("mds", mds_cmdline);
309
310#undef pr_fmt
311#define pr_fmt(fmt) "TAA: " fmt
312
313enum taa_mitigations {
314 TAA_MITIGATION_OFF,
315 TAA_MITIGATION_UCODE_NEEDED,
316 TAA_MITIGATION_VERW,
317 TAA_MITIGATION_TSX_DISABLED,
318};
319
320/* Default mitigation for TAA-affected CPUs */
321static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW;
322static bool taa_nosmt __ro_after_init;
323
324static const char * const taa_strings[] = {
325 [TAA_MITIGATION_OFF] = "Vulnerable",
326 [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
327 [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
328 [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled",
329};
330
331static void __init taa_select_mitigation(void)
332{
333 u64 ia32_cap;
334
335 if (!boot_cpu_has_bug(X86_BUG_TAA)) {
336 taa_mitigation = TAA_MITIGATION_OFF;
337 return;
338 }
339
340 /* TSX previously disabled by tsx=off */
341 if (!boot_cpu_has(X86_FEATURE_RTM)) {
342 taa_mitigation = TAA_MITIGATION_TSX_DISABLED;
343 return;
344 }
345
346 if (cpu_mitigations_off()) {
347 taa_mitigation = TAA_MITIGATION_OFF;
348 return;
349 }
350
351 /*
352 * TAA mitigation via VERW is turned off if both
353 * tsx_async_abort=off and mds=off are specified.
354 */
355 if (taa_mitigation == TAA_MITIGATION_OFF &&
356 mds_mitigation == MDS_MITIGATION_OFF)
357 return;
358
359 if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
360 taa_mitigation = TAA_MITIGATION_VERW;
361 else
362 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
363
364 /*
365 * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
366 * A microcode update fixes this behavior to clear CPU buffers. It also
367 * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
368 * ARCH_CAP_TSX_CTRL_MSR bit.
369 *
370 * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
371 * update is required.
372 */
373 ia32_cap = x86_read_arch_cap_msr();
374 if ( (ia32_cap & ARCH_CAP_MDS_NO) &&
375 !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR))
376 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
377
378 /*
379 * TSX is enabled, select alternate mitigation for TAA which is
380 * the same as MDS. Enable MDS static branch to clear CPU buffers.
381 *
382 * For guests that can't determine whether the correct microcode is
383 * present on host, enable the mitigation for UCODE_NEEDED as well.
384 */
385 static_branch_enable(&mds_user_clear);
386
387 if (taa_nosmt || cpu_mitigations_auto_nosmt())
388 cpu_smt_disable(false);
389}
390
391static int __init tsx_async_abort_parse_cmdline(char *str)
392{
393 if (!boot_cpu_has_bug(X86_BUG_TAA))
394 return 0;
395
396 if (!str)
397 return -EINVAL;
398
399 if (!strcmp(str, "off")) {
400 taa_mitigation = TAA_MITIGATION_OFF;
401 } else if (!strcmp(str, "full")) {
402 taa_mitigation = TAA_MITIGATION_VERW;
403 } else if (!strcmp(str, "full,nosmt")) {
404 taa_mitigation = TAA_MITIGATION_VERW;
405 taa_nosmt = true;
406 }
407
408 return 0;
409}
410early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
411
412#undef pr_fmt
413#define pr_fmt(fmt) "MMIO Stale Data: " fmt
414
415enum mmio_mitigations {
416 MMIO_MITIGATION_OFF,
417 MMIO_MITIGATION_UCODE_NEEDED,
418 MMIO_MITIGATION_VERW,
419};
420
421/* Default mitigation for Processor MMIO Stale Data vulnerabilities */
422static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_VERW;
423static bool mmio_nosmt __ro_after_init = false;
424
425static const char * const mmio_strings[] = {
426 [MMIO_MITIGATION_OFF] = "Vulnerable",
427 [MMIO_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
428 [MMIO_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
429};
430
431static void __init mmio_select_mitigation(void)
432{
433 u64 ia32_cap;
434
435 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
436 cpu_mitigations_off()) {
437 mmio_mitigation = MMIO_MITIGATION_OFF;
438 return;
439 }
440
441 if (mmio_mitigation == MMIO_MITIGATION_OFF)
442 return;
443
444 ia32_cap = x86_read_arch_cap_msr();
445
446 /*
447 * Enable CPU buffer clear mitigation for host and VMM, if also affected
448 * by MDS or TAA. Otherwise, enable mitigation for VMM only.
449 */
450 if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) &&
451 boot_cpu_has(X86_FEATURE_RTM)))
452 static_branch_enable(&mds_user_clear);
453 else
454 static_branch_enable(&mmio_stale_data_clear);
455
456 /*
457 * If Processor-MMIO-Stale-Data bug is present and Fill Buffer data can
458 * be propagated to uncore buffers, clearing the Fill buffers on idle
459 * is required irrespective of SMT state.
460 */
461 if (!(ia32_cap & ARCH_CAP_FBSDP_NO))
462 static_branch_enable(&mds_idle_clear);
463
464 /*
465 * Check if the system has the right microcode.
466 *
467 * CPU Fill buffer clear mitigation is enumerated by either an explicit
468 * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS
469 * affected systems.
470 */
471 if ((ia32_cap & ARCH_CAP_FB_CLEAR) ||
472 (boot_cpu_has(X86_FEATURE_MD_CLEAR) &&
473 boot_cpu_has(X86_FEATURE_FLUSH_L1D) &&
474 !(ia32_cap & ARCH_CAP_MDS_NO)))
475 mmio_mitigation = MMIO_MITIGATION_VERW;
476 else
477 mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED;
478
479 if (mmio_nosmt || cpu_mitigations_auto_nosmt())
480 cpu_smt_disable(false);
481}
482
483static int __init mmio_stale_data_parse_cmdline(char *str)
484{
485 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
486 return 0;
487
488 if (!str)
489 return -EINVAL;
490
491 if (!strcmp(str, "off")) {
492 mmio_mitigation = MMIO_MITIGATION_OFF;
493 } else if (!strcmp(str, "full")) {
494 mmio_mitigation = MMIO_MITIGATION_VERW;
495 } else if (!strcmp(str, "full,nosmt")) {
496 mmio_mitigation = MMIO_MITIGATION_VERW;
497 mmio_nosmt = true;
498 }
499
500 return 0;
501}
502early_param("mmio_stale_data", mmio_stale_data_parse_cmdline);
503
504#undef pr_fmt
505#define pr_fmt(fmt) "" fmt
506
507static void __init md_clear_update_mitigation(void)
508{
509 if (cpu_mitigations_off())
510 return;
511
512 if (!static_key_enabled(&mds_user_clear))
513 goto out;
514
515 /*
516 * mds_user_clear is now enabled. Update MDS, TAA and MMIO Stale Data
517 * mitigation, if necessary.
518 */
519 if (mds_mitigation == MDS_MITIGATION_OFF &&
520 boot_cpu_has_bug(X86_BUG_MDS)) {
521 mds_mitigation = MDS_MITIGATION_FULL;
522 mds_select_mitigation();
523 }
524 if (taa_mitigation == TAA_MITIGATION_OFF &&
525 boot_cpu_has_bug(X86_BUG_TAA)) {
526 taa_mitigation = TAA_MITIGATION_VERW;
527 taa_select_mitigation();
528 }
529 if (mmio_mitigation == MMIO_MITIGATION_OFF &&
530 boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
531 mmio_mitigation = MMIO_MITIGATION_VERW;
532 mmio_select_mitigation();
533 }
534out:
535 if (boot_cpu_has_bug(X86_BUG_MDS))
536 pr_info("MDS: %s\n", mds_strings[mds_mitigation]);
537 if (boot_cpu_has_bug(X86_BUG_TAA))
538 pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
539 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
540 pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
541}
542
543static void __init md_clear_select_mitigation(void)
544{
545 mds_select_mitigation();
546 taa_select_mitigation();
547 mmio_select_mitigation();
548
549 /*
550 * As MDS, TAA and MMIO Stale Data mitigations are inter-related, update
551 * and print their mitigation after MDS, TAA and MMIO Stale Data
552 * mitigation selection is done.
553 */
554 md_clear_update_mitigation();
555}
556
557#undef pr_fmt
558#define pr_fmt(fmt) "SRBDS: " fmt
559
560enum srbds_mitigations {
561 SRBDS_MITIGATION_OFF,
562 SRBDS_MITIGATION_UCODE_NEEDED,
563 SRBDS_MITIGATION_FULL,
564 SRBDS_MITIGATION_TSX_OFF,
565 SRBDS_MITIGATION_HYPERVISOR,
566};
567
568static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL;
569
570static const char * const srbds_strings[] = {
571 [SRBDS_MITIGATION_OFF] = "Vulnerable",
572 [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
573 [SRBDS_MITIGATION_FULL] = "Mitigation: Microcode",
574 [SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled",
575 [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
576};
577
578static bool srbds_off;
579
580void update_srbds_msr(void)
581{
582 u64 mcu_ctrl;
583
584 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
585 return;
586
587 if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
588 return;
589
590 if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED)
591 return;
592
593 /*
594 * A MDS_NO CPU for which SRBDS mitigation is not needed due to TSX
595 * being disabled and it hasn't received the SRBDS MSR microcode.
596 */
597 if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
598 return;
599
600 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
601
602 switch (srbds_mitigation) {
603 case SRBDS_MITIGATION_OFF:
604 case SRBDS_MITIGATION_TSX_OFF:
605 mcu_ctrl |= RNGDS_MITG_DIS;
606 break;
607 case SRBDS_MITIGATION_FULL:
608 mcu_ctrl &= ~RNGDS_MITG_DIS;
609 break;
610 default:
611 break;
612 }
613
614 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
615}
616
617static void __init srbds_select_mitigation(void)
618{
619 u64 ia32_cap;
620
621 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
622 return;
623
624 /*
625 * Check to see if this is one of the MDS_NO systems supporting TSX that
626 * are only exposed to SRBDS when TSX is enabled or when CPU is affected
627 * by Processor MMIO Stale Data vulnerability.
628 */
629 ia32_cap = x86_read_arch_cap_msr();
630 if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) &&
631 !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
632 srbds_mitigation = SRBDS_MITIGATION_TSX_OFF;
633 else if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
634 srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR;
635 else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
636 srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED;
637 else if (cpu_mitigations_off() || srbds_off)
638 srbds_mitigation = SRBDS_MITIGATION_OFF;
639
640 update_srbds_msr();
641 pr_info("%s\n", srbds_strings[srbds_mitigation]);
642}
643
644static int __init srbds_parse_cmdline(char *str)
645{
646 if (!str)
647 return -EINVAL;
648
649 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
650 return 0;
651
652 srbds_off = !strcmp(str, "off");
653 return 0;
654}
655early_param("srbds", srbds_parse_cmdline);
656
657#undef pr_fmt
658#define pr_fmt(fmt) "L1D Flush : " fmt
659
660enum l1d_flush_mitigations {
661 L1D_FLUSH_OFF = 0,
662 L1D_FLUSH_ON,
663};
664
665static enum l1d_flush_mitigations l1d_flush_mitigation __initdata = L1D_FLUSH_OFF;
666
667static void __init l1d_flush_select_mitigation(void)
668{
669 if (!l1d_flush_mitigation || !boot_cpu_has(X86_FEATURE_FLUSH_L1D))
670 return;
671
672 static_branch_enable(&switch_mm_cond_l1d_flush);
673 pr_info("Conditional flush on switch_mm() enabled\n");
674}
675
676static int __init l1d_flush_parse_cmdline(char *str)
677{
678 if (!strcmp(str, "on"))
679 l1d_flush_mitigation = L1D_FLUSH_ON;
680
681 return 0;
682}
683early_param("l1d_flush", l1d_flush_parse_cmdline);
684
685#undef pr_fmt
686#define pr_fmt(fmt) "Spectre V1 : " fmt
687
688enum spectre_v1_mitigation {
689 SPECTRE_V1_MITIGATION_NONE,
690 SPECTRE_V1_MITIGATION_AUTO,
691};
692
693static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
694 SPECTRE_V1_MITIGATION_AUTO;
695
696static const char * const spectre_v1_strings[] = {
697 [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
698 [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
699};
700
701/*
702 * Does SMAP provide full mitigation against speculative kernel access to
703 * userspace?
704 */
705static bool smap_works_speculatively(void)
706{
707 if (!boot_cpu_has(X86_FEATURE_SMAP))
708 return false;
709
710 /*
711 * On CPUs which are vulnerable to Meltdown, SMAP does not
712 * prevent speculative access to user data in the L1 cache.
713 * Consider SMAP to be non-functional as a mitigation on these
714 * CPUs.
715 */
716 if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
717 return false;
718
719 return true;
720}
721
722static void __init spectre_v1_select_mitigation(void)
723{
724 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
725 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
726 return;
727 }
728
729 if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
730 /*
731 * With Spectre v1, a user can speculatively control either
732 * path of a conditional swapgs with a user-controlled GS
733 * value. The mitigation is to add lfences to both code paths.
734 *
735 * If FSGSBASE is enabled, the user can put a kernel address in
736 * GS, in which case SMAP provides no protection.
737 *
738 * If FSGSBASE is disabled, the user can only put a user space
739 * address in GS. That makes an attack harder, but still
740 * possible if there's no SMAP protection.
741 */
742 if (boot_cpu_has(X86_FEATURE_FSGSBASE) ||
743 !smap_works_speculatively()) {
744 /*
745 * Mitigation can be provided from SWAPGS itself or
746 * PTI as the CR3 write in the Meltdown mitigation
747 * is serializing.
748 *
749 * If neither is there, mitigate with an LFENCE to
750 * stop speculation through swapgs.
751 */
752 if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
753 !boot_cpu_has(X86_FEATURE_PTI))
754 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
755
756 /*
757 * Enable lfences in the kernel entry (non-swapgs)
758 * paths, to prevent user entry from speculatively
759 * skipping swapgs.
760 */
761 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
762 }
763 }
764
765 pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
766}
767
768static int __init nospectre_v1_cmdline(char *str)
769{
770 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
771 return 0;
772}
773early_param("nospectre_v1", nospectre_v1_cmdline);
774
775static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
776 SPECTRE_V2_NONE;
777
778#undef pr_fmt
779#define pr_fmt(fmt) "RETBleed: " fmt
780
781enum retbleed_mitigation {
782 RETBLEED_MITIGATION_NONE,
783 RETBLEED_MITIGATION_UNRET,
784 RETBLEED_MITIGATION_IBPB,
785 RETBLEED_MITIGATION_IBRS,
786 RETBLEED_MITIGATION_EIBRS,
787};
788
789enum retbleed_mitigation_cmd {
790 RETBLEED_CMD_OFF,
791 RETBLEED_CMD_AUTO,
792 RETBLEED_CMD_UNRET,
793 RETBLEED_CMD_IBPB,
794};
795
796static const char * const retbleed_strings[] = {
797 [RETBLEED_MITIGATION_NONE] = "Vulnerable",
798 [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk",
799 [RETBLEED_MITIGATION_IBPB] = "Mitigation: IBPB",
800 [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS",
801 [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS",
802};
803
804static enum retbleed_mitigation retbleed_mitigation __ro_after_init =
805 RETBLEED_MITIGATION_NONE;
806static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =
807 RETBLEED_CMD_AUTO;
808
809static int __ro_after_init retbleed_nosmt = false;
810
811static int __init retbleed_parse_cmdline(char *str)
812{
813 if (!str)
814 return -EINVAL;
815
816 while (str) {
817 char *next = strchr(str, ',');
818 if (next) {
819 *next = 0;
820 next++;
821 }
822
823 if (!strcmp(str, "off")) {
824 retbleed_cmd = RETBLEED_CMD_OFF;
825 } else if (!strcmp(str, "auto")) {
826 retbleed_cmd = RETBLEED_CMD_AUTO;
827 } else if (!strcmp(str, "unret")) {
828 retbleed_cmd = RETBLEED_CMD_UNRET;
829 } else if (!strcmp(str, "ibpb")) {
830 retbleed_cmd = RETBLEED_CMD_IBPB;
831 } else if (!strcmp(str, "nosmt")) {
832 retbleed_nosmt = true;
833 } else {
834 pr_err("Ignoring unknown retbleed option (%s).", str);
835 }
836
837 str = next;
838 }
839
840 return 0;
841}
842early_param("retbleed", retbleed_parse_cmdline);
843
844#define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n"
845#define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n"
846
847static void __init retbleed_select_mitigation(void)
848{
849 bool mitigate_smt = false;
850
851 if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
852 return;
853
854 switch (retbleed_cmd) {
855 case RETBLEED_CMD_OFF:
856 return;
857
858 case RETBLEED_CMD_UNRET:
859 if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY)) {
860 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
861 } else {
862 pr_err("WARNING: kernel not compiled with CPU_UNRET_ENTRY.\n");
863 goto do_cmd_auto;
864 }
865 break;
866
867 case RETBLEED_CMD_IBPB:
868 if (!boot_cpu_has(X86_FEATURE_IBPB)) {
869 pr_err("WARNING: CPU does not support IBPB.\n");
870 goto do_cmd_auto;
871 } else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) {
872 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
873 } else {
874 pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n");
875 goto do_cmd_auto;
876 }
877 break;
878
879do_cmd_auto:
880 case RETBLEED_CMD_AUTO:
881 default:
882 if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
883 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) {
884 if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY))
885 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
886 else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY) && boot_cpu_has(X86_FEATURE_IBPB))
887 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
888 }
889
890 /*
891 * The Intel mitigation (IBRS or eIBRS) was already selected in
892 * spectre_v2_select_mitigation(). 'retbleed_mitigation' will
893 * be set accordingly below.
894 */
895
896 break;
897 }
898
899 switch (retbleed_mitigation) {
900 case RETBLEED_MITIGATION_UNRET:
901 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
902 setup_force_cpu_cap(X86_FEATURE_UNRET);
903
904 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
905 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
906 pr_err(RETBLEED_UNTRAIN_MSG);
907
908 mitigate_smt = true;
909 break;
910
911 case RETBLEED_MITIGATION_IBPB:
912 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
913 mitigate_smt = true;
914 break;
915
916 default:
917 break;
918 }
919
920 if (mitigate_smt && !boot_cpu_has(X86_FEATURE_STIBP) &&
921 (retbleed_nosmt || cpu_mitigations_auto_nosmt()))
922 cpu_smt_disable(false);
923
924 /*
925 * Let IBRS trump all on Intel without affecting the effects of the
926 * retbleed= cmdline option.
927 */
928 if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
929 switch (spectre_v2_enabled) {
930 case SPECTRE_V2_IBRS:
931 retbleed_mitigation = RETBLEED_MITIGATION_IBRS;
932 break;
933 case SPECTRE_V2_EIBRS:
934 case SPECTRE_V2_EIBRS_RETPOLINE:
935 case SPECTRE_V2_EIBRS_LFENCE:
936 retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;
937 break;
938 default:
939 pr_err(RETBLEED_INTEL_MSG);
940 }
941 }
942
943 pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
944}
945
946#undef pr_fmt
947#define pr_fmt(fmt) "Spectre V2 : " fmt
948
949static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init =
950 SPECTRE_V2_USER_NONE;
951static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init =
952 SPECTRE_V2_USER_NONE;
953
954#ifdef CONFIG_RETPOLINE
955static bool spectre_v2_bad_module;
956
957bool retpoline_module_ok(bool has_retpoline)
958{
959 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
960 return true;
961
962 pr_err("System may be vulnerable to spectre v2\n");
963 spectre_v2_bad_module = true;
964 return false;
965}
966
967static inline const char *spectre_v2_module_string(void)
968{
969 return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
970}
971#else
972static inline const char *spectre_v2_module_string(void) { return ""; }
973#endif
974
975#define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
976#define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
977#define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
978#define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enhanced IBRS CPU, this may cause unnecessary performance loss\n"
979
980#ifdef CONFIG_BPF_SYSCALL
981void unpriv_ebpf_notify(int new_state)
982{
983 if (new_state)
984 return;
985
986 /* Unprivileged eBPF is enabled */
987
988 switch (spectre_v2_enabled) {
989 case SPECTRE_V2_EIBRS:
990 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
991 break;
992 case SPECTRE_V2_EIBRS_LFENCE:
993 if (sched_smt_active())
994 pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
995 break;
996 default:
997 break;
998 }
999}
1000#endif
1001
1002static inline bool match_option(const char *arg, int arglen, const char *opt)
1003{
1004 int len = strlen(opt);
1005
1006 return len == arglen && !strncmp(arg, opt, len);
1007}
1008
1009/* The kernel command line selection for spectre v2 */
1010enum spectre_v2_mitigation_cmd {
1011 SPECTRE_V2_CMD_NONE,
1012 SPECTRE_V2_CMD_AUTO,
1013 SPECTRE_V2_CMD_FORCE,
1014 SPECTRE_V2_CMD_RETPOLINE,
1015 SPECTRE_V2_CMD_RETPOLINE_GENERIC,
1016 SPECTRE_V2_CMD_RETPOLINE_LFENCE,
1017 SPECTRE_V2_CMD_EIBRS,
1018 SPECTRE_V2_CMD_EIBRS_RETPOLINE,
1019 SPECTRE_V2_CMD_EIBRS_LFENCE,
1020 SPECTRE_V2_CMD_IBRS,
1021};
1022
1023enum spectre_v2_user_cmd {
1024 SPECTRE_V2_USER_CMD_NONE,
1025 SPECTRE_V2_USER_CMD_AUTO,
1026 SPECTRE_V2_USER_CMD_FORCE,
1027 SPECTRE_V2_USER_CMD_PRCTL,
1028 SPECTRE_V2_USER_CMD_PRCTL_IBPB,
1029 SPECTRE_V2_USER_CMD_SECCOMP,
1030 SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
1031};
1032
1033static const char * const spectre_v2_user_strings[] = {
1034 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable",
1035 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection",
1036 [SPECTRE_V2_USER_STRICT_PREFERRED] = "User space: Mitigation: STIBP always-on protection",
1037 [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl",
1038 [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl",
1039};
1040
1041static const struct {
1042 const char *option;
1043 enum spectre_v2_user_cmd cmd;
1044 bool secure;
1045} v2_user_options[] __initconst = {
1046 { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
1047 { "off", SPECTRE_V2_USER_CMD_NONE, false },
1048 { "on", SPECTRE_V2_USER_CMD_FORCE, true },
1049 { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
1050 { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false },
1051 { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
1052 { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false },
1053};
1054
1055static void __init spec_v2_user_print_cond(const char *reason, bool secure)
1056{
1057 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1058 pr_info("spectre_v2_user=%s forced on command line.\n", reason);
1059}
1060
1061static __ro_after_init enum spectre_v2_mitigation_cmd spectre_v2_cmd;
1062
1063static enum spectre_v2_user_cmd __init
1064spectre_v2_parse_user_cmdline(void)
1065{
1066 char arg[20];
1067 int ret, i;
1068
1069 switch (spectre_v2_cmd) {
1070 case SPECTRE_V2_CMD_NONE:
1071 return SPECTRE_V2_USER_CMD_NONE;
1072 case SPECTRE_V2_CMD_FORCE:
1073 return SPECTRE_V2_USER_CMD_FORCE;
1074 default:
1075 break;
1076 }
1077
1078 ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
1079 arg, sizeof(arg));
1080 if (ret < 0)
1081 return SPECTRE_V2_USER_CMD_AUTO;
1082
1083 for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
1084 if (match_option(arg, ret, v2_user_options[i].option)) {
1085 spec_v2_user_print_cond(v2_user_options[i].option,
1086 v2_user_options[i].secure);
1087 return v2_user_options[i].cmd;
1088 }
1089 }
1090
1091 pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
1092 return SPECTRE_V2_USER_CMD_AUTO;
1093}
1094
1095static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
1096{
1097 return mode == SPECTRE_V2_IBRS ||
1098 mode == SPECTRE_V2_EIBRS ||
1099 mode == SPECTRE_V2_EIBRS_RETPOLINE ||
1100 mode == SPECTRE_V2_EIBRS_LFENCE;
1101}
1102
1103static void __init
1104spectre_v2_user_select_mitigation(void)
1105{
1106 enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
1107 bool smt_possible = IS_ENABLED(CONFIG_SMP);
1108 enum spectre_v2_user_cmd cmd;
1109
1110 if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
1111 return;
1112
1113 if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
1114 cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
1115 smt_possible = false;
1116
1117 cmd = spectre_v2_parse_user_cmdline();
1118 switch (cmd) {
1119 case SPECTRE_V2_USER_CMD_NONE:
1120 goto set_mode;
1121 case SPECTRE_V2_USER_CMD_FORCE:
1122 mode = SPECTRE_V2_USER_STRICT;
1123 break;
1124 case SPECTRE_V2_USER_CMD_AUTO:
1125 case SPECTRE_V2_USER_CMD_PRCTL:
1126 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1127 mode = SPECTRE_V2_USER_PRCTL;
1128 break;
1129 case SPECTRE_V2_USER_CMD_SECCOMP:
1130 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1131 if (IS_ENABLED(CONFIG_SECCOMP))
1132 mode = SPECTRE_V2_USER_SECCOMP;
1133 else
1134 mode = SPECTRE_V2_USER_PRCTL;
1135 break;
1136 }
1137
1138 /* Initialize Indirect Branch Prediction Barrier */
1139 if (boot_cpu_has(X86_FEATURE_IBPB)) {
1140 setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
1141
1142 spectre_v2_user_ibpb = mode;
1143 switch (cmd) {
1144 case SPECTRE_V2_USER_CMD_FORCE:
1145 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1146 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1147 static_branch_enable(&switch_mm_always_ibpb);
1148 spectre_v2_user_ibpb = SPECTRE_V2_USER_STRICT;
1149 break;
1150 case SPECTRE_V2_USER_CMD_PRCTL:
1151 case SPECTRE_V2_USER_CMD_AUTO:
1152 case SPECTRE_V2_USER_CMD_SECCOMP:
1153 static_branch_enable(&switch_mm_cond_ibpb);
1154 break;
1155 default:
1156 break;
1157 }
1158
1159 pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
1160 static_key_enabled(&switch_mm_always_ibpb) ?
1161 "always-on" : "conditional");
1162 }
1163
1164 /*
1165 * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
1166 * STIBP is not required.
1167 */
1168 if (!boot_cpu_has(X86_FEATURE_STIBP) ||
1169 !smt_possible ||
1170 spectre_v2_in_ibrs_mode(spectre_v2_enabled))
1171 return;
1172
1173 /*
1174 * At this point, an STIBP mode other than "off" has been set.
1175 * If STIBP support is not being forced, check if STIBP always-on
1176 * is preferred.
1177 */
1178 if (mode != SPECTRE_V2_USER_STRICT &&
1179 boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
1180 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1181
1182 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
1183 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
1184 if (mode != SPECTRE_V2_USER_STRICT &&
1185 mode != SPECTRE_V2_USER_STRICT_PREFERRED)
1186 pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");
1187 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1188 }
1189
1190 spectre_v2_user_stibp = mode;
1191
1192set_mode:
1193 pr_info("%s\n", spectre_v2_user_strings[mode]);
1194}
1195
1196static const char * const spectre_v2_strings[] = {
1197 [SPECTRE_V2_NONE] = "Vulnerable",
1198 [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines",
1199 [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE",
1200 [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced IBRS",
1201 [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced IBRS + LFENCE",
1202 [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced IBRS + Retpolines",
1203 [SPECTRE_V2_IBRS] = "Mitigation: IBRS",
1204};
1205
1206static const struct {
1207 const char *option;
1208 enum spectre_v2_mitigation_cmd cmd;
1209 bool secure;
1210} mitigation_options[] __initconst = {
1211 { "off", SPECTRE_V2_CMD_NONE, false },
1212 { "on", SPECTRE_V2_CMD_FORCE, true },
1213 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
1214 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1215 { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1216 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
1217 { "eibrs", SPECTRE_V2_CMD_EIBRS, false },
1218 { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false },
1219 { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false },
1220 { "auto", SPECTRE_V2_CMD_AUTO, false },
1221 { "ibrs", SPECTRE_V2_CMD_IBRS, false },
1222};
1223
1224static void __init spec_v2_print_cond(const char *reason, bool secure)
1225{
1226 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1227 pr_info("%s selected on command line.\n", reason);
1228}
1229
1230static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
1231{
1232 enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
1233 char arg[20];
1234 int ret, i;
1235
1236 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
1237 cpu_mitigations_off())
1238 return SPECTRE_V2_CMD_NONE;
1239
1240 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
1241 if (ret < 0)
1242 return SPECTRE_V2_CMD_AUTO;
1243
1244 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
1245 if (!match_option(arg, ret, mitigation_options[i].option))
1246 continue;
1247 cmd = mitigation_options[i].cmd;
1248 break;
1249 }
1250
1251 if (i >= ARRAY_SIZE(mitigation_options)) {
1252 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1253 return SPECTRE_V2_CMD_AUTO;
1254 }
1255
1256 if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
1257 cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1258 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
1259 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1260 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1261 !IS_ENABLED(CONFIG_RETPOLINE)) {
1262 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1263 mitigation_options[i].option);
1264 return SPECTRE_V2_CMD_AUTO;
1265 }
1266
1267 if ((cmd == SPECTRE_V2_CMD_EIBRS ||
1268 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1269 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1270 !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1271 pr_err("%s selected but CPU doesn't have eIBRS. Switching to AUTO select\n",
1272 mitigation_options[i].option);
1273 return SPECTRE_V2_CMD_AUTO;
1274 }
1275
1276 if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1277 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
1278 !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
1279 pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n",
1280 mitigation_options[i].option);
1281 return SPECTRE_V2_CMD_AUTO;
1282 }
1283
1284 if (cmd == SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_CPU_IBRS_ENTRY)) {
1285 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1286 mitigation_options[i].option);
1287 return SPECTRE_V2_CMD_AUTO;
1288 }
1289
1290 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {
1291 pr_err("%s selected but not Intel CPU. Switching to AUTO select\n",
1292 mitigation_options[i].option);
1293 return SPECTRE_V2_CMD_AUTO;
1294 }
1295
1296 if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {
1297 pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n",
1298 mitigation_options[i].option);
1299 return SPECTRE_V2_CMD_AUTO;
1300 }
1301
1302 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_has(X86_FEATURE_XENPV)) {
1303 pr_err("%s selected but running as XenPV guest. Switching to AUTO select\n",
1304 mitigation_options[i].option);
1305 return SPECTRE_V2_CMD_AUTO;
1306 }
1307
1308 spec_v2_print_cond(mitigation_options[i].option,
1309 mitigation_options[i].secure);
1310 return cmd;
1311}
1312
1313static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void)
1314{
1315 if (!IS_ENABLED(CONFIG_RETPOLINE)) {
1316 pr_err("Kernel not compiled with retpoline; no mitigation available!");
1317 return SPECTRE_V2_NONE;
1318 }
1319
1320 return SPECTRE_V2_RETPOLINE;
1321}
1322
1323/* Disable in-kernel use of non-RSB RET predictors */
1324static void __init spec_ctrl_disable_kernel_rrsba(void)
1325{
1326 u64 ia32_cap;
1327
1328 if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL))
1329 return;
1330
1331 ia32_cap = x86_read_arch_cap_msr();
1332
1333 if (ia32_cap & ARCH_CAP_RRSBA) {
1334 x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S;
1335 write_spec_ctrl_current(x86_spec_ctrl_base, true);
1336 }
1337}
1338
1339static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)
1340{
1341 /*
1342 * Similar to context switches, there are two types of RSB attacks
1343 * after VM exit:
1344 *
1345 * 1) RSB underflow
1346 *
1347 * 2) Poisoned RSB entry
1348 *
1349 * When retpoline is enabled, both are mitigated by filling/clearing
1350 * the RSB.
1351 *
1352 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
1353 * prediction isolation protections, RSB still needs to be cleared
1354 * because of #2. Note that SMEP provides no protection here, unlike
1355 * user-space-poisoned RSB entries.
1356 *
1357 * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB
1358 * bug is present then a LITE version of RSB protection is required,
1359 * just a single call needs to retire before a RET is executed.
1360 */
1361 switch (mode) {
1362 case SPECTRE_V2_NONE:
1363 return;
1364
1365 case SPECTRE_V2_EIBRS_LFENCE:
1366 case SPECTRE_V2_EIBRS:
1367 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
1368 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
1369 pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
1370 }
1371 return;
1372
1373 case SPECTRE_V2_EIBRS_RETPOLINE:
1374 case SPECTRE_V2_RETPOLINE:
1375 case SPECTRE_V2_LFENCE:
1376 case SPECTRE_V2_IBRS:
1377 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
1378 pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
1379 return;
1380 }
1381
1382 pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");
1383 dump_stack();
1384}
1385
1386static void __init spectre_v2_select_mitigation(void)
1387{
1388 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
1389 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
1390
1391 /*
1392 * If the CPU is not affected and the command line mode is NONE or AUTO
1393 * then nothing to do.
1394 */
1395 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
1396 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
1397 return;
1398
1399 switch (cmd) {
1400 case SPECTRE_V2_CMD_NONE:
1401 return;
1402
1403 case SPECTRE_V2_CMD_FORCE:
1404 case SPECTRE_V2_CMD_AUTO:
1405 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1406 mode = SPECTRE_V2_EIBRS;
1407 break;
1408 }
1409
1410 if (IS_ENABLED(CONFIG_CPU_IBRS_ENTRY) &&
1411 boot_cpu_has_bug(X86_BUG_RETBLEED) &&
1412 retbleed_cmd != RETBLEED_CMD_OFF &&
1413 boot_cpu_has(X86_FEATURE_IBRS) &&
1414 boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
1415 mode = SPECTRE_V2_IBRS;
1416 break;
1417 }
1418
1419 mode = spectre_v2_select_retpoline();
1420 break;
1421
1422 case SPECTRE_V2_CMD_RETPOLINE_LFENCE:
1423 pr_err(SPECTRE_V2_LFENCE_MSG);
1424 mode = SPECTRE_V2_LFENCE;
1425 break;
1426
1427 case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
1428 mode = SPECTRE_V2_RETPOLINE;
1429 break;
1430
1431 case SPECTRE_V2_CMD_RETPOLINE:
1432 mode = spectre_v2_select_retpoline();
1433 break;
1434
1435 case SPECTRE_V2_CMD_IBRS:
1436 mode = SPECTRE_V2_IBRS;
1437 break;
1438
1439 case SPECTRE_V2_CMD_EIBRS:
1440 mode = SPECTRE_V2_EIBRS;
1441 break;
1442
1443 case SPECTRE_V2_CMD_EIBRS_LFENCE:
1444 mode = SPECTRE_V2_EIBRS_LFENCE;
1445 break;
1446
1447 case SPECTRE_V2_CMD_EIBRS_RETPOLINE:
1448 mode = SPECTRE_V2_EIBRS_RETPOLINE;
1449 break;
1450 }
1451
1452 if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
1453 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
1454
1455 if (spectre_v2_in_ibrs_mode(mode)) {
1456 x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
1457 write_spec_ctrl_current(x86_spec_ctrl_base, true);
1458 }
1459
1460 switch (mode) {
1461 case SPECTRE_V2_NONE:
1462 case SPECTRE_V2_EIBRS:
1463 break;
1464
1465 case SPECTRE_V2_IBRS:
1466 setup_force_cpu_cap(X86_FEATURE_KERNEL_IBRS);
1467 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED))
1468 pr_warn(SPECTRE_V2_IBRS_PERF_MSG);
1469 break;
1470
1471 case SPECTRE_V2_LFENCE:
1472 case SPECTRE_V2_EIBRS_LFENCE:
1473 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE);
1474 fallthrough;
1475
1476 case SPECTRE_V2_RETPOLINE:
1477 case SPECTRE_V2_EIBRS_RETPOLINE:
1478 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
1479 break;
1480 }
1481
1482 /*
1483 * Disable alternate RSB predictions in kernel when indirect CALLs and
1484 * JMPs gets protection against BHI and Intramode-BTI, but RET
1485 * prediction from a non-RSB predictor is still a risk.
1486 */
1487 if (mode == SPECTRE_V2_EIBRS_LFENCE ||
1488 mode == SPECTRE_V2_EIBRS_RETPOLINE ||
1489 mode == SPECTRE_V2_RETPOLINE)
1490 spec_ctrl_disable_kernel_rrsba();
1491
1492 spectre_v2_enabled = mode;
1493 pr_info("%s\n", spectre_v2_strings[mode]);
1494
1495 /*
1496 * If Spectre v2 protection has been enabled, fill the RSB during a
1497 * context switch. In general there are two types of RSB attacks
1498 * across context switches, for which the CALLs/RETs may be unbalanced.
1499 *
1500 * 1) RSB underflow
1501 *
1502 * Some Intel parts have "bottomless RSB". When the RSB is empty,
1503 * speculated return targets may come from the branch predictor,
1504 * which could have a user-poisoned BTB or BHB entry.
1505 *
1506 * AMD has it even worse: *all* returns are speculated from the BTB,
1507 * regardless of the state of the RSB.
1508 *
1509 * When IBRS or eIBRS is enabled, the "user -> kernel" attack
1510 * scenario is mitigated by the IBRS branch prediction isolation
1511 * properties, so the RSB buffer filling wouldn't be necessary to
1512 * protect against this type of attack.
1513 *
1514 * The "user -> user" attack scenario is mitigated by RSB filling.
1515 *
1516 * 2) Poisoned RSB entry
1517 *
1518 * If the 'next' in-kernel return stack is shorter than 'prev',
1519 * 'next' could be tricked into speculating with a user-poisoned RSB
1520 * entry.
1521 *
1522 * The "user -> kernel" attack scenario is mitigated by SMEP and
1523 * eIBRS.
1524 *
1525 * The "user -> user" scenario, also known as SpectreBHB, requires
1526 * RSB clearing.
1527 *
1528 * So to mitigate all cases, unconditionally fill RSB on context
1529 * switches.
1530 *
1531 * FIXME: Is this pointless for retbleed-affected AMD?
1532 */
1533 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
1534 pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
1535
1536 spectre_v2_determine_rsb_fill_type_at_vmexit(mode);
1537
1538 /*
1539 * Retpoline protects the kernel, but doesn't protect firmware. IBRS
1540 * and Enhanced IBRS protect firmware too, so enable IBRS around
1541 * firmware calls only when IBRS / Enhanced IBRS aren't otherwise
1542 * enabled.
1543 *
1544 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
1545 * the user might select retpoline on the kernel command line and if
1546 * the CPU supports Enhanced IBRS, kernel might un-intentionally not
1547 * enable IBRS around firmware calls.
1548 */
1549 if (boot_cpu_has_bug(X86_BUG_RETBLEED) &&
1550 boot_cpu_has(X86_FEATURE_IBPB) &&
1551 (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
1552 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)) {
1553
1554 if (retbleed_cmd != RETBLEED_CMD_IBPB) {
1555 setup_force_cpu_cap(X86_FEATURE_USE_IBPB_FW);
1556 pr_info("Enabling Speculation Barrier for firmware calls\n");
1557 }
1558
1559 } else if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_ibrs_mode(mode)) {
1560 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
1561 pr_info("Enabling Restricted Speculation for firmware calls\n");
1562 }
1563
1564 /* Set up IBPB and STIBP depending on the general spectre V2 command */
1565 spectre_v2_cmd = cmd;
1566}
1567
1568static void update_stibp_msr(void * __unused)
1569{
1570 u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP);
1571 write_spec_ctrl_current(val, true);
1572}
1573
1574/* Update x86_spec_ctrl_base in case SMT state changed. */
1575static void update_stibp_strict(void)
1576{
1577 u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP;
1578
1579 if (sched_smt_active())
1580 mask |= SPEC_CTRL_STIBP;
1581
1582 if (mask == x86_spec_ctrl_base)
1583 return;
1584
1585 pr_info("Update user space SMT mitigation: STIBP %s\n",
1586 mask & SPEC_CTRL_STIBP ? "always-on" : "off");
1587 x86_spec_ctrl_base = mask;
1588 on_each_cpu(update_stibp_msr, NULL, 1);
1589}
1590
1591/* Update the static key controlling the evaluation of TIF_SPEC_IB */
1592static void update_indir_branch_cond(void)
1593{
1594 if (sched_smt_active())
1595 static_branch_enable(&switch_to_cond_stibp);
1596 else
1597 static_branch_disable(&switch_to_cond_stibp);
1598}
1599
1600#undef pr_fmt
1601#define pr_fmt(fmt) fmt
1602
1603/* Update the static key controlling the MDS CPU buffer clear in idle */
1604static void update_mds_branch_idle(void)
1605{
1606 u64 ia32_cap = x86_read_arch_cap_msr();
1607
1608 /*
1609 * Enable the idle clearing if SMT is active on CPUs which are
1610 * affected only by MSBDS and not any other MDS variant.
1611 *
1612 * The other variants cannot be mitigated when SMT is enabled, so
1613 * clearing the buffers on idle just to prevent the Store Buffer
1614 * repartitioning leak would be a window dressing exercise.
1615 */
1616 if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY))
1617 return;
1618
1619 if (sched_smt_active()) {
1620 static_branch_enable(&mds_idle_clear);
1621 } else if (mmio_mitigation == MMIO_MITIGATION_OFF ||
1622 (ia32_cap & ARCH_CAP_FBSDP_NO)) {
1623 static_branch_disable(&mds_idle_clear);
1624 }
1625}
1626
1627#define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
1628#define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n"
1629#define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.\n"
1630
1631void cpu_bugs_smt_update(void)
1632{
1633 mutex_lock(&spec_ctrl_mutex);
1634
1635 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
1636 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
1637 pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
1638
1639 switch (spectre_v2_user_stibp) {
1640 case SPECTRE_V2_USER_NONE:
1641 break;
1642 case SPECTRE_V2_USER_STRICT:
1643 case SPECTRE_V2_USER_STRICT_PREFERRED:
1644 update_stibp_strict();
1645 break;
1646 case SPECTRE_V2_USER_PRCTL:
1647 case SPECTRE_V2_USER_SECCOMP:
1648 update_indir_branch_cond();
1649 break;
1650 }
1651
1652 switch (mds_mitigation) {
1653 case MDS_MITIGATION_FULL:
1654 case MDS_MITIGATION_VMWERV:
1655 if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
1656 pr_warn_once(MDS_MSG_SMT);
1657 update_mds_branch_idle();
1658 break;
1659 case MDS_MITIGATION_OFF:
1660 break;
1661 }
1662
1663 switch (taa_mitigation) {
1664 case TAA_MITIGATION_VERW:
1665 case TAA_MITIGATION_UCODE_NEEDED:
1666 if (sched_smt_active())
1667 pr_warn_once(TAA_MSG_SMT);
1668 break;
1669 case TAA_MITIGATION_TSX_DISABLED:
1670 case TAA_MITIGATION_OFF:
1671 break;
1672 }
1673
1674 switch (mmio_mitigation) {
1675 case MMIO_MITIGATION_VERW:
1676 case MMIO_MITIGATION_UCODE_NEEDED:
1677 if (sched_smt_active())
1678 pr_warn_once(MMIO_MSG_SMT);
1679 break;
1680 case MMIO_MITIGATION_OFF:
1681 break;
1682 }
1683
1684 mutex_unlock(&spec_ctrl_mutex);
1685}
1686
1687#undef pr_fmt
1688#define pr_fmt(fmt) "Speculative Store Bypass: " fmt
1689
1690static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
1691
1692/* The kernel command line selection */
1693enum ssb_mitigation_cmd {
1694 SPEC_STORE_BYPASS_CMD_NONE,
1695 SPEC_STORE_BYPASS_CMD_AUTO,
1696 SPEC_STORE_BYPASS_CMD_ON,
1697 SPEC_STORE_BYPASS_CMD_PRCTL,
1698 SPEC_STORE_BYPASS_CMD_SECCOMP,
1699};
1700
1701static const char * const ssb_strings[] = {
1702 [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
1703 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
1704 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
1705 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
1706};
1707
1708static const struct {
1709 const char *option;
1710 enum ssb_mitigation_cmd cmd;
1711} ssb_mitigation_options[] __initconst = {
1712 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
1713 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
1714 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
1715 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
1716 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
1717};
1718
1719static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
1720{
1721 enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
1722 char arg[20];
1723 int ret, i;
1724
1725 if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
1726 cpu_mitigations_off()) {
1727 return SPEC_STORE_BYPASS_CMD_NONE;
1728 } else {
1729 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
1730 arg, sizeof(arg));
1731 if (ret < 0)
1732 return SPEC_STORE_BYPASS_CMD_AUTO;
1733
1734 for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
1735 if (!match_option(arg, ret, ssb_mitigation_options[i].option))
1736 continue;
1737
1738 cmd = ssb_mitigation_options[i].cmd;
1739 break;
1740 }
1741
1742 if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
1743 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1744 return SPEC_STORE_BYPASS_CMD_AUTO;
1745 }
1746 }
1747
1748 return cmd;
1749}
1750
1751static enum ssb_mitigation __init __ssb_select_mitigation(void)
1752{
1753 enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
1754 enum ssb_mitigation_cmd cmd;
1755
1756 if (!boot_cpu_has(X86_FEATURE_SSBD))
1757 return mode;
1758
1759 cmd = ssb_parse_cmdline();
1760 if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
1761 (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
1762 cmd == SPEC_STORE_BYPASS_CMD_AUTO))
1763 return mode;
1764
1765 switch (cmd) {
1766 case SPEC_STORE_BYPASS_CMD_SECCOMP:
1767 /*
1768 * Choose prctl+seccomp as the default mode if seccomp is
1769 * enabled.
1770 */
1771 if (IS_ENABLED(CONFIG_SECCOMP))
1772 mode = SPEC_STORE_BYPASS_SECCOMP;
1773 else
1774 mode = SPEC_STORE_BYPASS_PRCTL;
1775 break;
1776 case SPEC_STORE_BYPASS_CMD_ON:
1777 mode = SPEC_STORE_BYPASS_DISABLE;
1778 break;
1779 case SPEC_STORE_BYPASS_CMD_AUTO:
1780 case SPEC_STORE_BYPASS_CMD_PRCTL:
1781 mode = SPEC_STORE_BYPASS_PRCTL;
1782 break;
1783 case SPEC_STORE_BYPASS_CMD_NONE:
1784 break;
1785 }
1786
1787 /*
1788 * We have three CPU feature flags that are in play here:
1789 * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
1790 * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
1791 * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
1792 */
1793 if (mode == SPEC_STORE_BYPASS_DISABLE) {
1794 setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
1795 /*
1796 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
1797 * use a completely different MSR and bit dependent on family.
1798 */
1799 if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
1800 !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
1801 x86_amd_ssb_disable();
1802 } else {
1803 x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
1804 write_spec_ctrl_current(x86_spec_ctrl_base, true);
1805 }
1806 }
1807
1808 return mode;
1809}
1810
1811static void ssb_select_mitigation(void)
1812{
1813 ssb_mode = __ssb_select_mitigation();
1814
1815 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
1816 pr_info("%s\n", ssb_strings[ssb_mode]);
1817}
1818
1819#undef pr_fmt
1820#define pr_fmt(fmt) "Speculation prctl: " fmt
1821
1822static void task_update_spec_tif(struct task_struct *tsk)
1823{
1824 /* Force the update of the real TIF bits */
1825 set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE);
1826
1827 /*
1828 * Immediately update the speculation control MSRs for the current
1829 * task, but for a non-current task delay setting the CPU
1830 * mitigation until it is scheduled next.
1831 *
1832 * This can only happen for SECCOMP mitigation. For PRCTL it's
1833 * always the current task.
1834 */
1835 if (tsk == current)
1836 speculation_ctrl_update_current();
1837}
1838
1839static int l1d_flush_prctl_set(struct task_struct *task, unsigned long ctrl)
1840{
1841
1842 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
1843 return -EPERM;
1844
1845 switch (ctrl) {
1846 case PR_SPEC_ENABLE:
1847 set_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
1848 return 0;
1849 case PR_SPEC_DISABLE:
1850 clear_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
1851 return 0;
1852 default:
1853 return -ERANGE;
1854 }
1855}
1856
1857static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
1858{
1859 if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
1860 ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
1861 return -ENXIO;
1862
1863 switch (ctrl) {
1864 case PR_SPEC_ENABLE:
1865 /* If speculation is force disabled, enable is not allowed */
1866 if (task_spec_ssb_force_disable(task))
1867 return -EPERM;
1868 task_clear_spec_ssb_disable(task);
1869 task_clear_spec_ssb_noexec(task);
1870 task_update_spec_tif(task);
1871 break;
1872 case PR_SPEC_DISABLE:
1873 task_set_spec_ssb_disable(task);
1874 task_clear_spec_ssb_noexec(task);
1875 task_update_spec_tif(task);
1876 break;
1877 case PR_SPEC_FORCE_DISABLE:
1878 task_set_spec_ssb_disable(task);
1879 task_set_spec_ssb_force_disable(task);
1880 task_clear_spec_ssb_noexec(task);
1881 task_update_spec_tif(task);
1882 break;
1883 case PR_SPEC_DISABLE_NOEXEC:
1884 if (task_spec_ssb_force_disable(task))
1885 return -EPERM;
1886 task_set_spec_ssb_disable(task);
1887 task_set_spec_ssb_noexec(task);
1888 task_update_spec_tif(task);
1889 break;
1890 default:
1891 return -ERANGE;
1892 }
1893 return 0;
1894}
1895
1896static bool is_spec_ib_user_controlled(void)
1897{
1898 return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL ||
1899 spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
1900 spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL ||
1901 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP;
1902}
1903
1904static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
1905{
1906 switch (ctrl) {
1907 case PR_SPEC_ENABLE:
1908 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
1909 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
1910 return 0;
1911
1912 /*
1913 * With strict mode for both IBPB and STIBP, the instruction
1914 * code paths avoid checking this task flag and instead,
1915 * unconditionally run the instruction. However, STIBP and IBPB
1916 * are independent and either can be set to conditionally
1917 * enabled regardless of the mode of the other.
1918 *
1919 * If either is set to conditional, allow the task flag to be
1920 * updated, unless it was force-disabled by a previous prctl
1921 * call. Currently, this is possible on an AMD CPU which has the
1922 * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the
1923 * kernel is booted with 'spectre_v2_user=seccomp', then
1924 * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and
1925 * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED.
1926 */
1927 if (!is_spec_ib_user_controlled() ||
1928 task_spec_ib_force_disable(task))
1929 return -EPERM;
1930
1931 task_clear_spec_ib_disable(task);
1932 task_update_spec_tif(task);
1933 break;
1934 case PR_SPEC_DISABLE:
1935 case PR_SPEC_FORCE_DISABLE:
1936 /*
1937 * Indirect branch speculation is always allowed when
1938 * mitigation is force disabled.
1939 */
1940 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
1941 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
1942 return -EPERM;
1943
1944 if (!is_spec_ib_user_controlled())
1945 return 0;
1946
1947 task_set_spec_ib_disable(task);
1948 if (ctrl == PR_SPEC_FORCE_DISABLE)
1949 task_set_spec_ib_force_disable(task);
1950 task_update_spec_tif(task);
1951 break;
1952 default:
1953 return -ERANGE;
1954 }
1955 return 0;
1956}
1957
1958int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
1959 unsigned long ctrl)
1960{
1961 switch (which) {
1962 case PR_SPEC_STORE_BYPASS:
1963 return ssb_prctl_set(task, ctrl);
1964 case PR_SPEC_INDIRECT_BRANCH:
1965 return ib_prctl_set(task, ctrl);
1966 case PR_SPEC_L1D_FLUSH:
1967 return l1d_flush_prctl_set(task, ctrl);
1968 default:
1969 return -ENODEV;
1970 }
1971}
1972
1973#ifdef CONFIG_SECCOMP
1974void arch_seccomp_spec_mitigate(struct task_struct *task)
1975{
1976 if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
1977 ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1978 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
1979 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP)
1980 ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1981}
1982#endif
1983
1984static int l1d_flush_prctl_get(struct task_struct *task)
1985{
1986 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
1987 return PR_SPEC_FORCE_DISABLE;
1988
1989 if (test_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH))
1990 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
1991 else
1992 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
1993}
1994
1995static int ssb_prctl_get(struct task_struct *task)
1996{
1997 switch (ssb_mode) {
1998 case SPEC_STORE_BYPASS_DISABLE:
1999 return PR_SPEC_DISABLE;
2000 case SPEC_STORE_BYPASS_SECCOMP:
2001 case SPEC_STORE_BYPASS_PRCTL:
2002 if (task_spec_ssb_force_disable(task))
2003 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
2004 if (task_spec_ssb_noexec(task))
2005 return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
2006 if (task_spec_ssb_disable(task))
2007 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2008 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2009 default:
2010 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
2011 return PR_SPEC_ENABLE;
2012 return PR_SPEC_NOT_AFFECTED;
2013 }
2014}
2015
2016static int ib_prctl_get(struct task_struct *task)
2017{
2018 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
2019 return PR_SPEC_NOT_AFFECTED;
2020
2021 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
2022 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
2023 return PR_SPEC_ENABLE;
2024 else if (is_spec_ib_user_controlled()) {
2025 if (task_spec_ib_force_disable(task))
2026 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
2027 if (task_spec_ib_disable(task))
2028 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2029 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2030 } else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
2031 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
2032 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED)
2033 return PR_SPEC_DISABLE;
2034 else
2035 return PR_SPEC_NOT_AFFECTED;
2036}
2037
2038int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
2039{
2040 switch (which) {
2041 case PR_SPEC_STORE_BYPASS:
2042 return ssb_prctl_get(task);
2043 case PR_SPEC_INDIRECT_BRANCH:
2044 return ib_prctl_get(task);
2045 case PR_SPEC_L1D_FLUSH:
2046 return l1d_flush_prctl_get(task);
2047 default:
2048 return -ENODEV;
2049 }
2050}
2051
2052void x86_spec_ctrl_setup_ap(void)
2053{
2054 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
2055 write_spec_ctrl_current(x86_spec_ctrl_base, true);
2056
2057 if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
2058 x86_amd_ssb_disable();
2059}
2060
2061bool itlb_multihit_kvm_mitigation;
2062EXPORT_SYMBOL_GPL(itlb_multihit_kvm_mitigation);
2063
2064#undef pr_fmt
2065#define pr_fmt(fmt) "L1TF: " fmt
2066
2067/* Default mitigation for L1TF-affected CPUs */
2068enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
2069#if IS_ENABLED(CONFIG_KVM_INTEL)
2070EXPORT_SYMBOL_GPL(l1tf_mitigation);
2071#endif
2072enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
2073EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
2074
2075/*
2076 * These CPUs all support 44bits physical address space internally in the
2077 * cache but CPUID can report a smaller number of physical address bits.
2078 *
2079 * The L1TF mitigation uses the top most address bit for the inversion of
2080 * non present PTEs. When the installed memory reaches into the top most
2081 * address bit due to memory holes, which has been observed on machines
2082 * which report 36bits physical address bits and have 32G RAM installed,
2083 * then the mitigation range check in l1tf_select_mitigation() triggers.
2084 * This is a false positive because the mitigation is still possible due to
2085 * the fact that the cache uses 44bit internally. Use the cache bits
2086 * instead of the reported physical bits and adjust them on the affected
2087 * machines to 44bit if the reported bits are less than 44.
2088 */
2089static void override_cache_bits(struct cpuinfo_x86 *c)
2090{
2091 if (c->x86 != 6)
2092 return;
2093
2094 switch (c->x86_model) {
2095 case INTEL_FAM6_NEHALEM:
2096 case INTEL_FAM6_WESTMERE:
2097 case INTEL_FAM6_SANDYBRIDGE:
2098 case INTEL_FAM6_IVYBRIDGE:
2099 case INTEL_FAM6_HASWELL:
2100 case INTEL_FAM6_HASWELL_L:
2101 case INTEL_FAM6_HASWELL_G:
2102 case INTEL_FAM6_BROADWELL:
2103 case INTEL_FAM6_BROADWELL_G:
2104 case INTEL_FAM6_SKYLAKE_L:
2105 case INTEL_FAM6_SKYLAKE:
2106 case INTEL_FAM6_KABYLAKE_L:
2107 case INTEL_FAM6_KABYLAKE:
2108 if (c->x86_cache_bits < 44)
2109 c->x86_cache_bits = 44;
2110 break;
2111 }
2112}
2113
2114static void __init l1tf_select_mitigation(void)
2115{
2116 u64 half_pa;
2117
2118 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2119 return;
2120
2121 if (cpu_mitigations_off())
2122 l1tf_mitigation = L1TF_MITIGATION_OFF;
2123 else if (cpu_mitigations_auto_nosmt())
2124 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2125
2126 override_cache_bits(&boot_cpu_data);
2127
2128 switch (l1tf_mitigation) {
2129 case L1TF_MITIGATION_OFF:
2130 case L1TF_MITIGATION_FLUSH_NOWARN:
2131 case L1TF_MITIGATION_FLUSH:
2132 break;
2133 case L1TF_MITIGATION_FLUSH_NOSMT:
2134 case L1TF_MITIGATION_FULL:
2135 cpu_smt_disable(false);
2136 break;
2137 case L1TF_MITIGATION_FULL_FORCE:
2138 cpu_smt_disable(true);
2139 break;
2140 }
2141
2142#if CONFIG_PGTABLE_LEVELS == 2
2143 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
2144 return;
2145#endif
2146
2147 half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
2148 if (l1tf_mitigation != L1TF_MITIGATION_OFF &&
2149 e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
2150 pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
2151 pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
2152 half_pa);
2153 pr_info("However, doing so will make a part of your RAM unusable.\n");
2154 pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n");
2155 return;
2156 }
2157
2158 setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
2159}
2160
2161static int __init l1tf_cmdline(char *str)
2162{
2163 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2164 return 0;
2165
2166 if (!str)
2167 return -EINVAL;
2168
2169 if (!strcmp(str, "off"))
2170 l1tf_mitigation = L1TF_MITIGATION_OFF;
2171 else if (!strcmp(str, "flush,nowarn"))
2172 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN;
2173 else if (!strcmp(str, "flush"))
2174 l1tf_mitigation = L1TF_MITIGATION_FLUSH;
2175 else if (!strcmp(str, "flush,nosmt"))
2176 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2177 else if (!strcmp(str, "full"))
2178 l1tf_mitigation = L1TF_MITIGATION_FULL;
2179 else if (!strcmp(str, "full,force"))
2180 l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;
2181
2182 return 0;
2183}
2184early_param("l1tf", l1tf_cmdline);
2185
2186#undef pr_fmt
2187#define pr_fmt(fmt) fmt
2188
2189#ifdef CONFIG_SYSFS
2190
2191#define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
2192
2193#if IS_ENABLED(CONFIG_KVM_INTEL)
2194static const char * const l1tf_vmx_states[] = {
2195 [VMENTER_L1D_FLUSH_AUTO] = "auto",
2196 [VMENTER_L1D_FLUSH_NEVER] = "vulnerable",
2197 [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes",
2198 [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes",
2199 [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled",
2200 [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary"
2201};
2202
2203static ssize_t l1tf_show_state(char *buf)
2204{
2205 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
2206 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
2207
2208 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
2209 (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
2210 sched_smt_active())) {
2211 return sprintf(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
2212 l1tf_vmx_states[l1tf_vmx_mitigation]);
2213 }
2214
2215 return sprintf(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
2216 l1tf_vmx_states[l1tf_vmx_mitigation],
2217 sched_smt_active() ? "vulnerable" : "disabled");
2218}
2219
2220static ssize_t itlb_multihit_show_state(char *buf)
2221{
2222 if (!boot_cpu_has(X86_FEATURE_MSR_IA32_FEAT_CTL) ||
2223 !boot_cpu_has(X86_FEATURE_VMX))
2224 return sprintf(buf, "KVM: Mitigation: VMX unsupported\n");
2225 else if (!(cr4_read_shadow() & X86_CR4_VMXE))
2226 return sprintf(buf, "KVM: Mitigation: VMX disabled\n");
2227 else if (itlb_multihit_kvm_mitigation)
2228 return sprintf(buf, "KVM: Mitigation: Split huge pages\n");
2229 else
2230 return sprintf(buf, "KVM: Vulnerable\n");
2231}
2232#else
2233static ssize_t l1tf_show_state(char *buf)
2234{
2235 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
2236}
2237
2238static ssize_t itlb_multihit_show_state(char *buf)
2239{
2240 return sprintf(buf, "Processor vulnerable\n");
2241}
2242#endif
2243
2244static ssize_t mds_show_state(char *buf)
2245{
2246 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2247 return sprintf(buf, "%s; SMT Host state unknown\n",
2248 mds_strings[mds_mitigation]);
2249 }
2250
2251 if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
2252 return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
2253 (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
2254 sched_smt_active() ? "mitigated" : "disabled"));
2255 }
2256
2257 return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
2258 sched_smt_active() ? "vulnerable" : "disabled");
2259}
2260
2261static ssize_t tsx_async_abort_show_state(char *buf)
2262{
2263 if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
2264 (taa_mitigation == TAA_MITIGATION_OFF))
2265 return sprintf(buf, "%s\n", taa_strings[taa_mitigation]);
2266
2267 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2268 return sprintf(buf, "%s; SMT Host state unknown\n",
2269 taa_strings[taa_mitigation]);
2270 }
2271
2272 return sprintf(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
2273 sched_smt_active() ? "vulnerable" : "disabled");
2274}
2275
2276static ssize_t mmio_stale_data_show_state(char *buf)
2277{
2278 if (mmio_mitigation == MMIO_MITIGATION_OFF)
2279 return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);
2280
2281 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2282 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
2283 mmio_strings[mmio_mitigation]);
2284 }
2285
2286 return sysfs_emit(buf, "%s; SMT %s\n", mmio_strings[mmio_mitigation],
2287 sched_smt_active() ? "vulnerable" : "disabled");
2288}
2289
2290static char *stibp_state(void)
2291{
2292 if (spectre_v2_in_ibrs_mode(spectre_v2_enabled))
2293 return "";
2294
2295 switch (spectre_v2_user_stibp) {
2296 case SPECTRE_V2_USER_NONE:
2297 return ", STIBP: disabled";
2298 case SPECTRE_V2_USER_STRICT:
2299 return ", STIBP: forced";
2300 case SPECTRE_V2_USER_STRICT_PREFERRED:
2301 return ", STIBP: always-on";
2302 case SPECTRE_V2_USER_PRCTL:
2303 case SPECTRE_V2_USER_SECCOMP:
2304 if (static_key_enabled(&switch_to_cond_stibp))
2305 return ", STIBP: conditional";
2306 }
2307 return "";
2308}
2309
2310static char *ibpb_state(void)
2311{
2312 if (boot_cpu_has(X86_FEATURE_IBPB)) {
2313 if (static_key_enabled(&switch_mm_always_ibpb))
2314 return ", IBPB: always-on";
2315 if (static_key_enabled(&switch_mm_cond_ibpb))
2316 return ", IBPB: conditional";
2317 return ", IBPB: disabled";
2318 }
2319 return "";
2320}
2321
2322static char *pbrsb_eibrs_state(void)
2323{
2324 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
2325 if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
2326 boot_cpu_has(X86_FEATURE_RSB_VMEXIT))
2327 return ", PBRSB-eIBRS: SW sequence";
2328 else
2329 return ", PBRSB-eIBRS: Vulnerable";
2330 } else {
2331 return ", PBRSB-eIBRS: Not affected";
2332 }
2333}
2334
2335static ssize_t spectre_v2_show_state(char *buf)
2336{
2337 if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
2338 return sprintf(buf, "Vulnerable: LFENCE\n");
2339
2340 if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
2341 return sprintf(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
2342
2343 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
2344 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
2345 return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
2346
2347 return sprintf(buf, "%s%s%s%s%s%s%s\n",
2348 spectre_v2_strings[spectre_v2_enabled],
2349 ibpb_state(),
2350 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
2351 stibp_state(),
2352 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
2353 pbrsb_eibrs_state(),
2354 spectre_v2_module_string());
2355}
2356
2357static ssize_t srbds_show_state(char *buf)
2358{
2359 return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
2360}
2361
2362static ssize_t retbleed_show_state(char *buf)
2363{
2364 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
2365 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
2366 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
2367 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
2368 return sprintf(buf, "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch\n");
2369
2370 return sprintf(buf, "%s; SMT %s\n",
2371 retbleed_strings[retbleed_mitigation],
2372 !sched_smt_active() ? "disabled" :
2373 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
2374 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ?
2375 "enabled with STIBP protection" : "vulnerable");
2376 }
2377
2378 return sprintf(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
2379}
2380
2381static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
2382 char *buf, unsigned int bug)
2383{
2384 if (!boot_cpu_has_bug(bug))
2385 return sprintf(buf, "Not affected\n");
2386
2387 switch (bug) {
2388 case X86_BUG_CPU_MELTDOWN:
2389 if (boot_cpu_has(X86_FEATURE_PTI))
2390 return sprintf(buf, "Mitigation: PTI\n");
2391
2392 if (hypervisor_is_type(X86_HYPER_XEN_PV))
2393 return sprintf(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");
2394
2395 break;
2396
2397 case X86_BUG_SPECTRE_V1:
2398 return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
2399
2400 case X86_BUG_SPECTRE_V2:
2401 return spectre_v2_show_state(buf);
2402
2403 case X86_BUG_SPEC_STORE_BYPASS:
2404 return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
2405
2406 case X86_BUG_L1TF:
2407 if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
2408 return l1tf_show_state(buf);
2409 break;
2410
2411 case X86_BUG_MDS:
2412 return mds_show_state(buf);
2413
2414 case X86_BUG_TAA:
2415 return tsx_async_abort_show_state(buf);
2416
2417 case X86_BUG_ITLB_MULTIHIT:
2418 return itlb_multihit_show_state(buf);
2419
2420 case X86_BUG_SRBDS:
2421 return srbds_show_state(buf);
2422
2423 case X86_BUG_MMIO_STALE_DATA:
2424 return mmio_stale_data_show_state(buf);
2425
2426 case X86_BUG_RETBLEED:
2427 return retbleed_show_state(buf);
2428
2429 default:
2430 break;
2431 }
2432
2433 return sprintf(buf, "Vulnerable\n");
2434}
2435
2436ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
2437{
2438 return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
2439}
2440
2441ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
2442{
2443 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
2444}
2445
2446ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
2447{
2448 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
2449}
2450
2451ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
2452{
2453 return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
2454}
2455
2456ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
2457{
2458 return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
2459}
2460
2461ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *buf)
2462{
2463 return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
2464}
2465
2466ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)
2467{
2468 return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
2469}
2470
2471ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf)
2472{
2473 return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
2474}
2475
2476ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf)
2477{
2478 return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS);
2479}
2480
2481ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)
2482{
2483 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
2484}
2485
2486ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)
2487{
2488 return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
2489}
2490#endif
2491

source code of linux/arch/x86/kernel/cpu/bugs.c