1 // SPDX-License-Identifier: GPL-2.0
3 * Copyright (C) 1994 Linus Torvalds
5 * Cyrix stuff, June 1998 by:
6 * - Rafael R. Reilova (moved everything from head.S),
7 * <rreilova@ececs.uc.edu>
8 * - Channing Corn (tests & fixes),
9 * - Andrew D. Balsa (code cleanup).
11 #include <linux/init.h>
12 #include <linux/cpu.h>
13 #include <linux/module.h>
14 #include <linux/nospec.h>
15 #include <linux/prctl.h>
16 #include <linux/sched/smt.h>
17 #include <linux/pgtable.h>
18 #include <linux/bpf.h>
20 #include <asm/spec-ctrl.h>
21 #include <asm/cmdline.h>
23 #include <asm/processor.h>
24 #include <asm/processor-flags.h>
25 #include <asm/fpu/api.h>
28 #include <asm/paravirt.h>
29 #include <asm/intel-family.h>
30 #include <asm/e820/api.h>
31 #include <asm/hypervisor.h>
32 #include <asm/tlbflush.h>
37 static void __init spectre_v1_select_mitigation(void);
38 static void __init spectre_v2_select_mitigation(void);
39 static void __init retbleed_select_mitigation(void);
40 static void __init spectre_v2_user_select_mitigation(void);
41 static void __init ssb_select_mitigation(void);
42 static void __init l1tf_select_mitigation(void);
43 static void __init mds_select_mitigation(void);
44 static void __init md_clear_update_mitigation(void);
45 static void __init md_clear_select_mitigation(void);
46 static void __init taa_select_mitigation(void);
47 static void __init mmio_select_mitigation(void);
48 static void __init srbds_select_mitigation(void);
49 static void __init l1d_flush_select_mitigation(void);
50 static void __init srso_select_mitigation(void);
52 /* The base value of the SPEC_CTRL MSR without task-specific bits set */
53 u64 x86_spec_ctrl_base;
54 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
56 /* The current value of the SPEC_CTRL MSR with task-specific bits set */
57 DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
58 EXPORT_SYMBOL_GPL(x86_spec_ctrl_current);
60 u64 x86_pred_cmd __ro_after_init = PRED_CMD_IBPB;
61 EXPORT_SYMBOL_GPL(x86_pred_cmd);
63 static DEFINE_MUTEX(spec_ctrl_mutex);
65 /* Update SPEC_CTRL MSR and its cached copy unconditionally */
66 static void update_spec_ctrl(u64 val)
68 this_cpu_write(x86_spec_ctrl_current, val);
69 wrmsrl(MSR_IA32_SPEC_CTRL, val);
73 * Keep track of the SPEC_CTRL MSR value for the current task, which may differ
74 * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update().
76 void update_spec_ctrl_cond(u64 val)
78 if (this_cpu_read(x86_spec_ctrl_current) == val)
81 this_cpu_write(x86_spec_ctrl_current, val);
84 * When KERNEL_IBRS this MSR is written on return-to-user, unless
85 * forced the update can be delayed until that time.
87 if (!cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS))
88 wrmsrl(MSR_IA32_SPEC_CTRL, val);
91 noinstr u64 spec_ctrl_current(void)
93 return this_cpu_read(x86_spec_ctrl_current);
95 EXPORT_SYMBOL_GPL(spec_ctrl_current);
98 * AMD specific MSR info for Speculative Store Bypass control.
99 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
101 u64 __ro_after_init x86_amd_ls_cfg_base;
102 u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
104 /* Control conditional STIBP in switch_to() */
105 DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
106 /* Control conditional IBPB in switch_mm() */
107 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
108 /* Control unconditional IBPB in switch_mm() */
109 DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);
111 /* Control MDS CPU buffer clear before returning to user space */
112 DEFINE_STATIC_KEY_FALSE(mds_user_clear);
113 EXPORT_SYMBOL_GPL(mds_user_clear);
114 /* Control MDS CPU buffer clear before idling (halt, mwait) */
115 DEFINE_STATIC_KEY_FALSE(mds_idle_clear);
116 EXPORT_SYMBOL_GPL(mds_idle_clear);
119 * Controls whether l1d flush based mitigations are enabled,
120 * based on hw features and admin setting via boot parameter
123 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush);
125 /* Controls CPU Fill buffer clear before KVM guest MMIO accesses */
126 DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear);
127 EXPORT_SYMBOL_GPL(mmio_stale_data_clear);
129 void __init cpu_select_mitigations(void)
132 * Read the SPEC_CTRL MSR to account for reserved bits which may
133 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
134 * init code as it is not enumerated and depends on the family.
136 if (cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) {
137 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
140 * Previously running kernel (kexec), may have some controls
141 * turned ON. Clear them and let the mitigations setup below
142 * rediscover them based on configuration.
144 x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK;
147 /* Select the proper CPU mitigations before patching alternatives: */
148 spectre_v1_select_mitigation();
149 spectre_v2_select_mitigation();
151 * retbleed_select_mitigation() relies on the state set by
152 * spectre_v2_select_mitigation(); specifically it wants to know about
155 retbleed_select_mitigation();
157 * spectre_v2_user_select_mitigation() relies on the state set by
158 * retbleed_select_mitigation(); specifically the STIBP selection is
159 * forced for UNRET or IBPB.
161 spectre_v2_user_select_mitigation();
162 ssb_select_mitigation();
163 l1tf_select_mitigation();
164 md_clear_select_mitigation();
165 srbds_select_mitigation();
166 l1d_flush_select_mitigation();
167 srso_select_mitigation();
171 * NOTE: This function is *only* called for SVM, since Intel uses
172 * MSR_IA32_SPEC_CTRL for SSBD.
175 x86_virt_spec_ctrl(u64 guest_virt_spec_ctrl, bool setguest)
177 u64 guestval, hostval;
178 struct thread_info *ti = current_thread_info();
181 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
182 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
184 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
185 !static_cpu_has(X86_FEATURE_VIRT_SSBD))
189 * If the host has SSBD mitigation enabled, force it in the host's
190 * virtual MSR value. If its not permanently enabled, evaluate
191 * current's TIF_SSBD thread flag.
193 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
194 hostval = SPEC_CTRL_SSBD;
196 hostval = ssbd_tif_to_spec_ctrl(ti->flags);
198 /* Sanitize the guest value */
199 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
201 if (hostval != guestval) {
204 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
205 ssbd_spec_ctrl_to_tif(hostval);
207 speculation_ctrl_update(tif);
210 EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
212 static void x86_amd_ssb_disable(void)
214 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
216 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
217 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
218 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
219 wrmsrl(MSR_AMD64_LS_CFG, msrval);
223 #define pr_fmt(fmt) "MDS: " fmt
225 /* Default mitigation for MDS-affected CPUs */
226 static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL;
227 static bool mds_nosmt __ro_after_init = false;
229 static const char * const mds_strings[] = {
230 [MDS_MITIGATION_OFF] = "Vulnerable",
231 [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
232 [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
235 static void __init mds_select_mitigation(void)
237 if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) {
238 mds_mitigation = MDS_MITIGATION_OFF;
242 if (mds_mitigation == MDS_MITIGATION_FULL) {
243 if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
244 mds_mitigation = MDS_MITIGATION_VMWERV;
246 static_branch_enable(&mds_user_clear);
248 if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&
249 (mds_nosmt || cpu_mitigations_auto_nosmt()))
250 cpu_smt_disable(false);
254 static int __init mds_cmdline(char *str)
256 if (!boot_cpu_has_bug(X86_BUG_MDS))
262 if (!strcmp(str, "off"))
263 mds_mitigation = MDS_MITIGATION_OFF;
264 else if (!strcmp(str, "full"))
265 mds_mitigation = MDS_MITIGATION_FULL;
266 else if (!strcmp(str, "full,nosmt")) {
267 mds_mitigation = MDS_MITIGATION_FULL;
273 early_param("mds", mds_cmdline);
276 #define pr_fmt(fmt) "TAA: " fmt
278 enum taa_mitigations {
280 TAA_MITIGATION_UCODE_NEEDED,
282 TAA_MITIGATION_TSX_DISABLED,
285 /* Default mitigation for TAA-affected CPUs */
286 static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW;
287 static bool taa_nosmt __ro_after_init;
289 static const char * const taa_strings[] = {
290 [TAA_MITIGATION_OFF] = "Vulnerable",
291 [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
292 [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
293 [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled",
296 static void __init taa_select_mitigation(void)
300 if (!boot_cpu_has_bug(X86_BUG_TAA)) {
301 taa_mitigation = TAA_MITIGATION_OFF;
305 /* TSX previously disabled by tsx=off */
306 if (!boot_cpu_has(X86_FEATURE_RTM)) {
307 taa_mitigation = TAA_MITIGATION_TSX_DISABLED;
311 if (cpu_mitigations_off()) {
312 taa_mitigation = TAA_MITIGATION_OFF;
317 * TAA mitigation via VERW is turned off if both
318 * tsx_async_abort=off and mds=off are specified.
320 if (taa_mitigation == TAA_MITIGATION_OFF &&
321 mds_mitigation == MDS_MITIGATION_OFF)
324 if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
325 taa_mitigation = TAA_MITIGATION_VERW;
327 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
330 * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
331 * A microcode update fixes this behavior to clear CPU buffers. It also
332 * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
333 * ARCH_CAP_TSX_CTRL_MSR bit.
335 * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
336 * update is required.
338 ia32_cap = x86_read_arch_cap_msr();
339 if ( (ia32_cap & ARCH_CAP_MDS_NO) &&
340 !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR))
341 taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
344 * TSX is enabled, select alternate mitigation for TAA which is
345 * the same as MDS. Enable MDS static branch to clear CPU buffers.
347 * For guests that can't determine whether the correct microcode is
348 * present on host, enable the mitigation for UCODE_NEEDED as well.
350 static_branch_enable(&mds_user_clear);
352 if (taa_nosmt || cpu_mitigations_auto_nosmt())
353 cpu_smt_disable(false);
356 static int __init tsx_async_abort_parse_cmdline(char *str)
358 if (!boot_cpu_has_bug(X86_BUG_TAA))
364 if (!strcmp(str, "off")) {
365 taa_mitigation = TAA_MITIGATION_OFF;
366 } else if (!strcmp(str, "full")) {
367 taa_mitigation = TAA_MITIGATION_VERW;
368 } else if (!strcmp(str, "full,nosmt")) {
369 taa_mitigation = TAA_MITIGATION_VERW;
375 early_param("tsx_async_abort", tsx_async_abort_parse_cmdline);
378 #define pr_fmt(fmt) "MMIO Stale Data: " fmt
380 enum mmio_mitigations {
382 MMIO_MITIGATION_UCODE_NEEDED,
383 MMIO_MITIGATION_VERW,
386 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */
387 static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_VERW;
388 static bool mmio_nosmt __ro_after_init = false;
390 static const char * const mmio_strings[] = {
391 [MMIO_MITIGATION_OFF] = "Vulnerable",
392 [MMIO_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",
393 [MMIO_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",
396 static void __init mmio_select_mitigation(void)
400 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
401 boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN) ||
402 cpu_mitigations_off()) {
403 mmio_mitigation = MMIO_MITIGATION_OFF;
407 if (mmio_mitigation == MMIO_MITIGATION_OFF)
410 ia32_cap = x86_read_arch_cap_msr();
413 * Enable CPU buffer clear mitigation for host and VMM, if also affected
414 * by MDS or TAA. Otherwise, enable mitigation for VMM only.
416 if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) &&
417 boot_cpu_has(X86_FEATURE_RTM)))
418 static_branch_enable(&mds_user_clear);
420 static_branch_enable(&mmio_stale_data_clear);
423 * If Processor-MMIO-Stale-Data bug is present and Fill Buffer data can
424 * be propagated to uncore buffers, clearing the Fill buffers on idle
425 * is required irrespective of SMT state.
427 if (!(ia32_cap & ARCH_CAP_FBSDP_NO))
428 static_branch_enable(&mds_idle_clear);
431 * Check if the system has the right microcode.
433 * CPU Fill buffer clear mitigation is enumerated by either an explicit
434 * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS
437 if ((ia32_cap & ARCH_CAP_FB_CLEAR) ||
438 (boot_cpu_has(X86_FEATURE_MD_CLEAR) &&
439 boot_cpu_has(X86_FEATURE_FLUSH_L1D) &&
440 !(ia32_cap & ARCH_CAP_MDS_NO)))
441 mmio_mitigation = MMIO_MITIGATION_VERW;
443 mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED;
445 if (mmio_nosmt || cpu_mitigations_auto_nosmt())
446 cpu_smt_disable(false);
449 static int __init mmio_stale_data_parse_cmdline(char *str)
451 if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
457 if (!strcmp(str, "off")) {
458 mmio_mitigation = MMIO_MITIGATION_OFF;
459 } else if (!strcmp(str, "full")) {
460 mmio_mitigation = MMIO_MITIGATION_VERW;
461 } else if (!strcmp(str, "full,nosmt")) {
462 mmio_mitigation = MMIO_MITIGATION_VERW;
468 early_param("mmio_stale_data", mmio_stale_data_parse_cmdline);
471 #define pr_fmt(fmt) "" fmt
473 static void __init md_clear_update_mitigation(void)
475 if (cpu_mitigations_off())
478 if (!static_key_enabled(&mds_user_clear))
482 * mds_user_clear is now enabled. Update MDS, TAA and MMIO Stale Data
483 * mitigation, if necessary.
485 if (mds_mitigation == MDS_MITIGATION_OFF &&
486 boot_cpu_has_bug(X86_BUG_MDS)) {
487 mds_mitigation = MDS_MITIGATION_FULL;
488 mds_select_mitigation();
490 if (taa_mitigation == TAA_MITIGATION_OFF &&
491 boot_cpu_has_bug(X86_BUG_TAA)) {
492 taa_mitigation = TAA_MITIGATION_VERW;
493 taa_select_mitigation();
495 if (mmio_mitigation == MMIO_MITIGATION_OFF &&
496 boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
497 mmio_mitigation = MMIO_MITIGATION_VERW;
498 mmio_select_mitigation();
501 if (boot_cpu_has_bug(X86_BUG_MDS))
502 pr_info("MDS: %s\n", mds_strings[mds_mitigation]);
503 if (boot_cpu_has_bug(X86_BUG_TAA))
504 pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
505 if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
506 pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
507 else if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
508 pr_info("MMIO Stale Data: Unknown: No mitigations\n");
511 static void __init md_clear_select_mitigation(void)
513 mds_select_mitigation();
514 taa_select_mitigation();
515 mmio_select_mitigation();
518 * As MDS, TAA and MMIO Stale Data mitigations are inter-related, update
519 * and print their mitigation after MDS, TAA and MMIO Stale Data
520 * mitigation selection is done.
522 md_clear_update_mitigation();
526 #define pr_fmt(fmt) "SRBDS: " fmt
528 enum srbds_mitigations {
529 SRBDS_MITIGATION_OFF,
530 SRBDS_MITIGATION_UCODE_NEEDED,
531 SRBDS_MITIGATION_FULL,
532 SRBDS_MITIGATION_TSX_OFF,
533 SRBDS_MITIGATION_HYPERVISOR,
536 static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL;
538 static const char * const srbds_strings[] = {
539 [SRBDS_MITIGATION_OFF] = "Vulnerable",
540 [SRBDS_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
541 [SRBDS_MITIGATION_FULL] = "Mitigation: Microcode",
542 [SRBDS_MITIGATION_TSX_OFF] = "Mitigation: TSX disabled",
543 [SRBDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
546 static bool srbds_off;
548 void update_srbds_msr(void)
552 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
555 if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
558 if (srbds_mitigation == SRBDS_MITIGATION_UCODE_NEEDED)
562 * A MDS_NO CPU for which SRBDS mitigation is not needed due to TSX
563 * being disabled and it hasn't received the SRBDS MSR microcode.
565 if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
568 rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
570 switch (srbds_mitigation) {
571 case SRBDS_MITIGATION_OFF:
572 case SRBDS_MITIGATION_TSX_OFF:
573 mcu_ctrl |= RNGDS_MITG_DIS;
575 case SRBDS_MITIGATION_FULL:
576 mcu_ctrl &= ~RNGDS_MITG_DIS;
582 wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_ctrl);
585 static void __init srbds_select_mitigation(void)
589 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
593 * Check to see if this is one of the MDS_NO systems supporting TSX that
594 * are only exposed to SRBDS when TSX is enabled or when CPU is affected
595 * by Processor MMIO Stale Data vulnerability.
597 ia32_cap = x86_read_arch_cap_msr();
598 if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) &&
599 !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))
600 srbds_mitigation = SRBDS_MITIGATION_TSX_OFF;
601 else if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
602 srbds_mitigation = SRBDS_MITIGATION_HYPERVISOR;
603 else if (!boot_cpu_has(X86_FEATURE_SRBDS_CTRL))
604 srbds_mitigation = SRBDS_MITIGATION_UCODE_NEEDED;
605 else if (cpu_mitigations_off() || srbds_off)
606 srbds_mitigation = SRBDS_MITIGATION_OFF;
609 pr_info("%s\n", srbds_strings[srbds_mitigation]);
612 static int __init srbds_parse_cmdline(char *str)
617 if (!boot_cpu_has_bug(X86_BUG_SRBDS))
620 srbds_off = !strcmp(str, "off");
623 early_param("srbds", srbds_parse_cmdline);
626 #define pr_fmt(fmt) "L1D Flush : " fmt
628 enum l1d_flush_mitigations {
633 static enum l1d_flush_mitigations l1d_flush_mitigation __initdata = L1D_FLUSH_OFF;
635 static void __init l1d_flush_select_mitigation(void)
637 if (!l1d_flush_mitigation || !boot_cpu_has(X86_FEATURE_FLUSH_L1D))
640 static_branch_enable(&switch_mm_cond_l1d_flush);
641 pr_info("Conditional flush on switch_mm() enabled\n");
644 static int __init l1d_flush_parse_cmdline(char *str)
646 if (!strcmp(str, "on"))
647 l1d_flush_mitigation = L1D_FLUSH_ON;
651 early_param("l1d_flush", l1d_flush_parse_cmdline);
654 #define pr_fmt(fmt) "Spectre V1 : " fmt
656 enum spectre_v1_mitigation {
657 SPECTRE_V1_MITIGATION_NONE,
658 SPECTRE_V1_MITIGATION_AUTO,
661 static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
662 SPECTRE_V1_MITIGATION_AUTO;
664 static const char * const spectre_v1_strings[] = {
665 [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
666 [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
670 * Does SMAP provide full mitigation against speculative kernel access to
673 static bool smap_works_speculatively(void)
675 if (!boot_cpu_has(X86_FEATURE_SMAP))
679 * On CPUs which are vulnerable to Meltdown, SMAP does not
680 * prevent speculative access to user data in the L1 cache.
681 * Consider SMAP to be non-functional as a mitigation on these
684 if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
690 static void __init spectre_v1_select_mitigation(void)
692 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
693 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
697 if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
699 * With Spectre v1, a user can speculatively control either
700 * path of a conditional swapgs with a user-controlled GS
701 * value. The mitigation is to add lfences to both code paths.
703 * If FSGSBASE is enabled, the user can put a kernel address in
704 * GS, in which case SMAP provides no protection.
706 * If FSGSBASE is disabled, the user can only put a user space
707 * address in GS. That makes an attack harder, but still
708 * possible if there's no SMAP protection.
710 if (boot_cpu_has(X86_FEATURE_FSGSBASE) ||
711 !smap_works_speculatively()) {
713 * Mitigation can be provided from SWAPGS itself or
714 * PTI as the CR3 write in the Meltdown mitigation
717 * If neither is there, mitigate with an LFENCE to
718 * stop speculation through swapgs.
720 if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
721 !boot_cpu_has(X86_FEATURE_PTI))
722 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
725 * Enable lfences in the kernel entry (non-swapgs)
726 * paths, to prevent user entry from speculatively
729 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
733 pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
736 static int __init nospectre_v1_cmdline(char *str)
738 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
741 early_param("nospectre_v1", nospectre_v1_cmdline);
743 enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = SPECTRE_V2_NONE;
746 #define pr_fmt(fmt) "RETBleed: " fmt
748 enum retbleed_mitigation {
749 RETBLEED_MITIGATION_NONE,
750 RETBLEED_MITIGATION_UNRET,
751 RETBLEED_MITIGATION_IBPB,
752 RETBLEED_MITIGATION_IBRS,
753 RETBLEED_MITIGATION_EIBRS,
754 RETBLEED_MITIGATION_STUFF,
757 enum retbleed_mitigation_cmd {
765 static const char * const retbleed_strings[] = {
766 [RETBLEED_MITIGATION_NONE] = "Vulnerable",
767 [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk",
768 [RETBLEED_MITIGATION_IBPB] = "Mitigation: IBPB",
769 [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS",
770 [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS",
771 [RETBLEED_MITIGATION_STUFF] = "Mitigation: Stuffing",
774 static enum retbleed_mitigation retbleed_mitigation __ro_after_init =
775 RETBLEED_MITIGATION_NONE;
776 static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =
779 static int __ro_after_init retbleed_nosmt = false;
781 static int __init retbleed_parse_cmdline(char *str)
787 char *next = strchr(str, ',');
793 if (!strcmp(str, "off")) {
794 retbleed_cmd = RETBLEED_CMD_OFF;
795 } else if (!strcmp(str, "auto")) {
796 retbleed_cmd = RETBLEED_CMD_AUTO;
797 } else if (!strcmp(str, "unret")) {
798 retbleed_cmd = RETBLEED_CMD_UNRET;
799 } else if (!strcmp(str, "ibpb")) {
800 retbleed_cmd = RETBLEED_CMD_IBPB;
801 } else if (!strcmp(str, "stuff")) {
802 retbleed_cmd = RETBLEED_CMD_STUFF;
803 } else if (!strcmp(str, "nosmt")) {
804 retbleed_nosmt = true;
805 } else if (!strcmp(str, "force")) {
806 setup_force_cpu_bug(X86_BUG_RETBLEED);
808 pr_err("Ignoring unknown retbleed option (%s).", str);
816 early_param("retbleed", retbleed_parse_cmdline);
818 #define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n"
819 #define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n"
821 static void __init retbleed_select_mitigation(void)
823 bool mitigate_smt = false;
825 if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())
828 switch (retbleed_cmd) {
829 case RETBLEED_CMD_OFF:
832 case RETBLEED_CMD_UNRET:
833 if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY)) {
834 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
836 pr_err("WARNING: kernel not compiled with CPU_UNRET_ENTRY.\n");
841 case RETBLEED_CMD_IBPB:
842 if (!boot_cpu_has(X86_FEATURE_IBPB)) {
843 pr_err("WARNING: CPU does not support IBPB.\n");
845 } else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) {
846 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
848 pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n");
853 case RETBLEED_CMD_STUFF:
854 if (IS_ENABLED(CONFIG_CALL_DEPTH_TRACKING) &&
855 spectre_v2_enabled == SPECTRE_V2_RETPOLINE) {
856 retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
859 if (IS_ENABLED(CONFIG_CALL_DEPTH_TRACKING))
860 pr_err("WARNING: retbleed=stuff depends on spectre_v2=retpoline\n");
862 pr_err("WARNING: kernel not compiled with CALL_DEPTH_TRACKING.\n");
869 case RETBLEED_CMD_AUTO:
871 if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
872 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) {
873 if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY))
874 retbleed_mitigation = RETBLEED_MITIGATION_UNRET;
875 else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY) && boot_cpu_has(X86_FEATURE_IBPB))
876 retbleed_mitigation = RETBLEED_MITIGATION_IBPB;
880 * The Intel mitigation (IBRS or eIBRS) was already selected in
881 * spectre_v2_select_mitigation(). 'retbleed_mitigation' will
882 * be set accordingly below.
888 switch (retbleed_mitigation) {
889 case RETBLEED_MITIGATION_UNRET:
890 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
891 setup_force_cpu_cap(X86_FEATURE_UNRET);
893 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
894 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
895 pr_err(RETBLEED_UNTRAIN_MSG);
900 case RETBLEED_MITIGATION_IBPB:
901 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
905 case RETBLEED_MITIGATION_STUFF:
906 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
907 setup_force_cpu_cap(X86_FEATURE_CALL_DEPTH);
908 x86_set_skl_return_thunk();
915 if (mitigate_smt && !boot_cpu_has(X86_FEATURE_STIBP) &&
916 (retbleed_nosmt || cpu_mitigations_auto_nosmt()))
917 cpu_smt_disable(false);
920 * Let IBRS trump all on Intel without affecting the effects of the
921 * retbleed= cmdline option except for call depth based stuffing
923 if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
924 switch (spectre_v2_enabled) {
925 case SPECTRE_V2_IBRS:
926 retbleed_mitigation = RETBLEED_MITIGATION_IBRS;
928 case SPECTRE_V2_EIBRS:
929 case SPECTRE_V2_EIBRS_RETPOLINE:
930 case SPECTRE_V2_EIBRS_LFENCE:
931 retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;
934 if (retbleed_mitigation != RETBLEED_MITIGATION_STUFF)
935 pr_err(RETBLEED_INTEL_MSG);
939 pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
943 #define pr_fmt(fmt) "Spectre V2 : " fmt
945 static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init =
946 SPECTRE_V2_USER_NONE;
947 static enum spectre_v2_user_mitigation spectre_v2_user_ibpb __ro_after_init =
948 SPECTRE_V2_USER_NONE;
950 #ifdef CONFIG_RETPOLINE
951 static bool spectre_v2_bad_module;
953 bool retpoline_module_ok(bool has_retpoline)
955 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
958 pr_err("System may be vulnerable to spectre v2\n");
959 spectre_v2_bad_module = true;
963 static inline const char *spectre_v2_module_string(void)
965 return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
968 static inline const char *spectre_v2_module_string(void) { return ""; }
971 #define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
972 #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
973 #define SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS+LFENCE mitigation and SMT, data leaks possible via Spectre v2 BHB attacks!\n"
974 #define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enhanced IBRS CPU, this may cause unnecessary performance loss\n"
976 #ifdef CONFIG_BPF_SYSCALL
977 void unpriv_ebpf_notify(int new_state)
982 /* Unprivileged eBPF is enabled */
984 switch (spectre_v2_enabled) {
985 case SPECTRE_V2_EIBRS:
986 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
988 case SPECTRE_V2_EIBRS_LFENCE:
989 if (sched_smt_active())
990 pr_err(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
998 static inline bool match_option(const char *arg, int arglen, const char *opt)
1000 int len = strlen(opt);
1002 return len == arglen && !strncmp(arg, opt, len);
1005 /* The kernel command line selection for spectre v2 */
1006 enum spectre_v2_mitigation_cmd {
1007 SPECTRE_V2_CMD_NONE,
1008 SPECTRE_V2_CMD_AUTO,
1009 SPECTRE_V2_CMD_FORCE,
1010 SPECTRE_V2_CMD_RETPOLINE,
1011 SPECTRE_V2_CMD_RETPOLINE_GENERIC,
1012 SPECTRE_V2_CMD_RETPOLINE_LFENCE,
1013 SPECTRE_V2_CMD_EIBRS,
1014 SPECTRE_V2_CMD_EIBRS_RETPOLINE,
1015 SPECTRE_V2_CMD_EIBRS_LFENCE,
1016 SPECTRE_V2_CMD_IBRS,
1019 enum spectre_v2_user_cmd {
1020 SPECTRE_V2_USER_CMD_NONE,
1021 SPECTRE_V2_USER_CMD_AUTO,
1022 SPECTRE_V2_USER_CMD_FORCE,
1023 SPECTRE_V2_USER_CMD_PRCTL,
1024 SPECTRE_V2_USER_CMD_PRCTL_IBPB,
1025 SPECTRE_V2_USER_CMD_SECCOMP,
1026 SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
1029 static const char * const spectre_v2_user_strings[] = {
1030 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable",
1031 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection",
1032 [SPECTRE_V2_USER_STRICT_PREFERRED] = "User space: Mitigation: STIBP always-on protection",
1033 [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl",
1034 [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl",
1037 static const struct {
1039 enum spectre_v2_user_cmd cmd;
1041 } v2_user_options[] __initconst = {
1042 { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
1043 { "off", SPECTRE_V2_USER_CMD_NONE, false },
1044 { "on", SPECTRE_V2_USER_CMD_FORCE, true },
1045 { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
1046 { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false },
1047 { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
1048 { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false },
1051 static void __init spec_v2_user_print_cond(const char *reason, bool secure)
1053 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1054 pr_info("spectre_v2_user=%s forced on command line.\n", reason);
1057 static __ro_after_init enum spectre_v2_mitigation_cmd spectre_v2_cmd;
1059 static enum spectre_v2_user_cmd __init
1060 spectre_v2_parse_user_cmdline(void)
1065 switch (spectre_v2_cmd) {
1066 case SPECTRE_V2_CMD_NONE:
1067 return SPECTRE_V2_USER_CMD_NONE;
1068 case SPECTRE_V2_CMD_FORCE:
1069 return SPECTRE_V2_USER_CMD_FORCE;
1074 ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
1077 return SPECTRE_V2_USER_CMD_AUTO;
1079 for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
1080 if (match_option(arg, ret, v2_user_options[i].option)) {
1081 spec_v2_user_print_cond(v2_user_options[i].option,
1082 v2_user_options[i].secure);
1083 return v2_user_options[i].cmd;
1087 pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
1088 return SPECTRE_V2_USER_CMD_AUTO;
1091 static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
1093 return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
1097 spectre_v2_user_select_mitigation(void)
1099 enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
1100 bool smt_possible = IS_ENABLED(CONFIG_SMP);
1101 enum spectre_v2_user_cmd cmd;
1103 if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
1106 if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
1107 cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
1108 smt_possible = false;
1110 cmd = spectre_v2_parse_user_cmdline();
1112 case SPECTRE_V2_USER_CMD_NONE:
1114 case SPECTRE_V2_USER_CMD_FORCE:
1115 mode = SPECTRE_V2_USER_STRICT;
1117 case SPECTRE_V2_USER_CMD_AUTO:
1118 case SPECTRE_V2_USER_CMD_PRCTL:
1119 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1120 mode = SPECTRE_V2_USER_PRCTL;
1122 case SPECTRE_V2_USER_CMD_SECCOMP:
1123 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1124 if (IS_ENABLED(CONFIG_SECCOMP))
1125 mode = SPECTRE_V2_USER_SECCOMP;
1127 mode = SPECTRE_V2_USER_PRCTL;
1131 /* Initialize Indirect Branch Prediction Barrier */
1132 if (boot_cpu_has(X86_FEATURE_IBPB)) {
1133 setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
1135 spectre_v2_user_ibpb = mode;
1137 case SPECTRE_V2_USER_CMD_FORCE:
1138 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1139 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1140 static_branch_enable(&switch_mm_always_ibpb);
1141 spectre_v2_user_ibpb = SPECTRE_V2_USER_STRICT;
1143 case SPECTRE_V2_USER_CMD_PRCTL:
1144 case SPECTRE_V2_USER_CMD_AUTO:
1145 case SPECTRE_V2_USER_CMD_SECCOMP:
1146 static_branch_enable(&switch_mm_cond_ibpb);
1152 pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
1153 static_key_enabled(&switch_mm_always_ibpb) ?
1154 "always-on" : "conditional");
1158 * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP
1161 * Enhanced IBRS also protects against cross-thread branch target
1162 * injection in user-mode as the IBRS bit remains always set which
1163 * implicitly enables cross-thread protections. However, in legacy IBRS
1164 * mode, the IBRS bit is set only on kernel entry and cleared on return
1165 * to userspace. This disables the implicit cross-thread protection,
1166 * so allow for STIBP to be selected in that case.
1168 if (!boot_cpu_has(X86_FEATURE_STIBP) ||
1170 spectre_v2_in_eibrs_mode(spectre_v2_enabled))
1174 * At this point, an STIBP mode other than "off" has been set.
1175 * If STIBP support is not being forced, check if STIBP always-on
1178 if (mode != SPECTRE_V2_USER_STRICT &&
1179 boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
1180 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1182 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
1183 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
1184 if (mode != SPECTRE_V2_USER_STRICT &&
1185 mode != SPECTRE_V2_USER_STRICT_PREFERRED)
1186 pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");
1187 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
1190 spectre_v2_user_stibp = mode;
1193 pr_info("%s\n", spectre_v2_user_strings[mode]);
1196 static const char * const spectre_v2_strings[] = {
1197 [SPECTRE_V2_NONE] = "Vulnerable",
1198 [SPECTRE_V2_RETPOLINE] = "Mitigation: Retpolines",
1199 [SPECTRE_V2_LFENCE] = "Mitigation: LFENCE",
1200 [SPECTRE_V2_EIBRS] = "Mitigation: Enhanced / Automatic IBRS",
1201 [SPECTRE_V2_EIBRS_LFENCE] = "Mitigation: Enhanced / Automatic IBRS + LFENCE",
1202 [SPECTRE_V2_EIBRS_RETPOLINE] = "Mitigation: Enhanced / Automatic IBRS + Retpolines",
1203 [SPECTRE_V2_IBRS] = "Mitigation: IBRS",
1206 static const struct {
1208 enum spectre_v2_mitigation_cmd cmd;
1210 } mitigation_options[] __initconst = {
1211 { "off", SPECTRE_V2_CMD_NONE, false },
1212 { "on", SPECTRE_V2_CMD_FORCE, true },
1213 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
1214 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1215 { "retpoline,lfence", SPECTRE_V2_CMD_RETPOLINE_LFENCE, false },
1216 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
1217 { "eibrs", SPECTRE_V2_CMD_EIBRS, false },
1218 { "eibrs,lfence", SPECTRE_V2_CMD_EIBRS_LFENCE, false },
1219 { "eibrs,retpoline", SPECTRE_V2_CMD_EIBRS_RETPOLINE, false },
1220 { "auto", SPECTRE_V2_CMD_AUTO, false },
1221 { "ibrs", SPECTRE_V2_CMD_IBRS, false },
1224 static void __init spec_v2_print_cond(const char *reason, bool secure)
1226 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1227 pr_info("%s selected on command line.\n", reason);
1230 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
1232 enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
1236 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
1237 cpu_mitigations_off())
1238 return SPECTRE_V2_CMD_NONE;
1240 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
1242 return SPECTRE_V2_CMD_AUTO;
1244 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
1245 if (!match_option(arg, ret, mitigation_options[i].option))
1247 cmd = mitigation_options[i].cmd;
1251 if (i >= ARRAY_SIZE(mitigation_options)) {
1252 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1253 return SPECTRE_V2_CMD_AUTO;
1256 if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
1257 cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1258 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
1259 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1260 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1261 !IS_ENABLED(CONFIG_RETPOLINE)) {
1262 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1263 mitigation_options[i].option);
1264 return SPECTRE_V2_CMD_AUTO;
1267 if ((cmd == SPECTRE_V2_CMD_EIBRS ||
1268 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
1269 cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
1270 !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1271 pr_err("%s selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n",
1272 mitigation_options[i].option);
1273 return SPECTRE_V2_CMD_AUTO;
1276 if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
1277 cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
1278 !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
1279 pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n",
1280 mitigation_options[i].option);
1281 return SPECTRE_V2_CMD_AUTO;
1284 if (cmd == SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_CPU_IBRS_ENTRY)) {
1285 pr_err("%s selected but not compiled in. Switching to AUTO select\n",
1286 mitigation_options[i].option);
1287 return SPECTRE_V2_CMD_AUTO;
1290 if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {
1291 pr_err("%s selected but not Intel CPU. Switching to AUTO select\n",
1292 mitigation_options[i].option);
1293 return SPECTRE_V2_CMD_AUTO;
1296 if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {
1297 pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n",
1298 mitigation_options[i].option);
1299 return SPECTRE_V2_CMD_AUTO;
1302 if (cmd == SPECTRE_V2_CMD_IBRS && cpu_feature_enabled(X86_FEATURE_XENPV)) {
1303 pr_err("%s selected but running as XenPV guest. Switching to AUTO select\n",
1304 mitigation_options[i].option);
1305 return SPECTRE_V2_CMD_AUTO;
1308 spec_v2_print_cond(mitigation_options[i].option,
1309 mitigation_options[i].secure);
1313 static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void)
1315 if (!IS_ENABLED(CONFIG_RETPOLINE)) {
1316 pr_err("Kernel not compiled with retpoline; no mitigation available!");
1317 return SPECTRE_V2_NONE;
1320 return SPECTRE_V2_RETPOLINE;
1323 /* Disable in-kernel use of non-RSB RET predictors */
1324 static void __init spec_ctrl_disable_kernel_rrsba(void)
1328 if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL))
1331 ia32_cap = x86_read_arch_cap_msr();
1333 if (ia32_cap & ARCH_CAP_RRSBA) {
1334 x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S;
1335 update_spec_ctrl(x86_spec_ctrl_base);
1339 static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)
1342 * Similar to context switches, there are two types of RSB attacks
1347 * 2) Poisoned RSB entry
1349 * When retpoline is enabled, both are mitigated by filling/clearing
1352 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
1353 * prediction isolation protections, RSB still needs to be cleared
1354 * because of #2. Note that SMEP provides no protection here, unlike
1355 * user-space-poisoned RSB entries.
1357 * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB
1358 * bug is present then a LITE version of RSB protection is required,
1359 * just a single call needs to retire before a RET is executed.
1362 case SPECTRE_V2_NONE:
1365 case SPECTRE_V2_EIBRS_LFENCE:
1366 case SPECTRE_V2_EIBRS:
1367 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
1368 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
1369 pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
1373 case SPECTRE_V2_EIBRS_RETPOLINE:
1374 case SPECTRE_V2_RETPOLINE:
1375 case SPECTRE_V2_LFENCE:
1376 case SPECTRE_V2_IBRS:
1377 setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
1378 pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
1382 pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");
1386 static void __init spectre_v2_select_mitigation(void)
1388 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
1389 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
1392 * If the CPU is not affected and the command line mode is NONE or AUTO
1393 * then nothing to do.
1395 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
1396 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
1400 case SPECTRE_V2_CMD_NONE:
1403 case SPECTRE_V2_CMD_FORCE:
1404 case SPECTRE_V2_CMD_AUTO:
1405 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
1406 mode = SPECTRE_V2_EIBRS;
1410 if (IS_ENABLED(CONFIG_CPU_IBRS_ENTRY) &&
1411 boot_cpu_has_bug(X86_BUG_RETBLEED) &&
1412 retbleed_cmd != RETBLEED_CMD_OFF &&
1413 retbleed_cmd != RETBLEED_CMD_STUFF &&
1414 boot_cpu_has(X86_FEATURE_IBRS) &&
1415 boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {
1416 mode = SPECTRE_V2_IBRS;
1420 mode = spectre_v2_select_retpoline();
1423 case SPECTRE_V2_CMD_RETPOLINE_LFENCE:
1424 pr_err(SPECTRE_V2_LFENCE_MSG);
1425 mode = SPECTRE_V2_LFENCE;
1428 case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
1429 mode = SPECTRE_V2_RETPOLINE;
1432 case SPECTRE_V2_CMD_RETPOLINE:
1433 mode = spectre_v2_select_retpoline();
1436 case SPECTRE_V2_CMD_IBRS:
1437 mode = SPECTRE_V2_IBRS;
1440 case SPECTRE_V2_CMD_EIBRS:
1441 mode = SPECTRE_V2_EIBRS;
1444 case SPECTRE_V2_CMD_EIBRS_LFENCE:
1445 mode = SPECTRE_V2_EIBRS_LFENCE;
1448 case SPECTRE_V2_CMD_EIBRS_RETPOLINE:
1449 mode = SPECTRE_V2_EIBRS_RETPOLINE;
1453 if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
1454 pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
1456 if (spectre_v2_in_ibrs_mode(mode)) {
1457 if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
1458 msr_set_bit(MSR_EFER, _EFER_AUTOIBRS);
1460 x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
1461 update_spec_ctrl(x86_spec_ctrl_base);
1466 case SPECTRE_V2_NONE:
1467 case SPECTRE_V2_EIBRS:
1470 case SPECTRE_V2_IBRS:
1471 setup_force_cpu_cap(X86_FEATURE_KERNEL_IBRS);
1472 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED))
1473 pr_warn(SPECTRE_V2_IBRS_PERF_MSG);
1476 case SPECTRE_V2_LFENCE:
1477 case SPECTRE_V2_EIBRS_LFENCE:
1478 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_LFENCE);
1481 case SPECTRE_V2_RETPOLINE:
1482 case SPECTRE_V2_EIBRS_RETPOLINE:
1483 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
1488 * Disable alternate RSB predictions in kernel when indirect CALLs and
1489 * JMPs gets protection against BHI and Intramode-BTI, but RET
1490 * prediction from a non-RSB predictor is still a risk.
1492 if (mode == SPECTRE_V2_EIBRS_LFENCE ||
1493 mode == SPECTRE_V2_EIBRS_RETPOLINE ||
1494 mode == SPECTRE_V2_RETPOLINE)
1495 spec_ctrl_disable_kernel_rrsba();
1497 spectre_v2_enabled = mode;
1498 pr_info("%s\n", spectre_v2_strings[mode]);
1501 * If Spectre v2 protection has been enabled, fill the RSB during a
1502 * context switch. In general there are two types of RSB attacks
1503 * across context switches, for which the CALLs/RETs may be unbalanced.
1507 * Some Intel parts have "bottomless RSB". When the RSB is empty,
1508 * speculated return targets may come from the branch predictor,
1509 * which could have a user-poisoned BTB or BHB entry.
1511 * AMD has it even worse: *all* returns are speculated from the BTB,
1512 * regardless of the state of the RSB.
1514 * When IBRS or eIBRS is enabled, the "user -> kernel" attack
1515 * scenario is mitigated by the IBRS branch prediction isolation
1516 * properties, so the RSB buffer filling wouldn't be necessary to
1517 * protect against this type of attack.
1519 * The "user -> user" attack scenario is mitigated by RSB filling.
1521 * 2) Poisoned RSB entry
1523 * If the 'next' in-kernel return stack is shorter than 'prev',
1524 * 'next' could be tricked into speculating with a user-poisoned RSB
1527 * The "user -> kernel" attack scenario is mitigated by SMEP and
1530 * The "user -> user" scenario, also known as SpectreBHB, requires
1533 * So to mitigate all cases, unconditionally fill RSB on context
1536 * FIXME: Is this pointless for retbleed-affected AMD?
1538 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
1539 pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
1541 spectre_v2_determine_rsb_fill_type_at_vmexit(mode);
1544 * Retpoline protects the kernel, but doesn't protect firmware. IBRS
1545 * and Enhanced IBRS protect firmware too, so enable IBRS around
1546 * firmware calls only when IBRS / Enhanced / Automatic IBRS aren't
1547 * otherwise enabled.
1549 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
1550 * the user might select retpoline on the kernel command line and if
1551 * the CPU supports Enhanced IBRS, kernel might un-intentionally not
1552 * enable IBRS around firmware calls.
1554 if (boot_cpu_has_bug(X86_BUG_RETBLEED) &&
1555 boot_cpu_has(X86_FEATURE_IBPB) &&
1556 (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
1557 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)) {
1559 if (retbleed_cmd != RETBLEED_CMD_IBPB) {
1560 setup_force_cpu_cap(X86_FEATURE_USE_IBPB_FW);
1561 pr_info("Enabling Speculation Barrier for firmware calls\n");
1564 } else if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_ibrs_mode(mode)) {
1565 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
1566 pr_info("Enabling Restricted Speculation for firmware calls\n");
1569 /* Set up IBPB and STIBP depending on the general spectre V2 command */
1570 spectre_v2_cmd = cmd;
1573 static void update_stibp_msr(void * __unused)
1575 u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP);
1576 update_spec_ctrl(val);
1579 /* Update x86_spec_ctrl_base in case SMT state changed. */
1580 static void update_stibp_strict(void)
1582 u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP;
1584 if (sched_smt_active())
1585 mask |= SPEC_CTRL_STIBP;
1587 if (mask == x86_spec_ctrl_base)
1590 pr_info("Update user space SMT mitigation: STIBP %s\n",
1591 mask & SPEC_CTRL_STIBP ? "always-on" : "off");
1592 x86_spec_ctrl_base = mask;
1593 on_each_cpu(update_stibp_msr, NULL, 1);
1596 /* Update the static key controlling the evaluation of TIF_SPEC_IB */
1597 static void update_indir_branch_cond(void)
1599 if (sched_smt_active())
1600 static_branch_enable(&switch_to_cond_stibp);
1602 static_branch_disable(&switch_to_cond_stibp);
1606 #define pr_fmt(fmt) fmt
1608 /* Update the static key controlling the MDS CPU buffer clear in idle */
1609 static void update_mds_branch_idle(void)
1611 u64 ia32_cap = x86_read_arch_cap_msr();
1614 * Enable the idle clearing if SMT is active on CPUs which are
1615 * affected only by MSBDS and not any other MDS variant.
1617 * The other variants cannot be mitigated when SMT is enabled, so
1618 * clearing the buffers on idle just to prevent the Store Buffer
1619 * repartitioning leak would be a window dressing exercise.
1621 if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY))
1624 if (sched_smt_active()) {
1625 static_branch_enable(&mds_idle_clear);
1626 } else if (mmio_mitigation == MMIO_MITIGATION_OFF ||
1627 (ia32_cap & ARCH_CAP_FBSDP_NO)) {
1628 static_branch_disable(&mds_idle_clear);
1632 #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
1633 #define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n"
1634 #define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.\n"
1636 void cpu_bugs_smt_update(void)
1638 mutex_lock(&spec_ctrl_mutex);
1640 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
1641 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
1642 pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
1644 switch (spectre_v2_user_stibp) {
1645 case SPECTRE_V2_USER_NONE:
1647 case SPECTRE_V2_USER_STRICT:
1648 case SPECTRE_V2_USER_STRICT_PREFERRED:
1649 update_stibp_strict();
1651 case SPECTRE_V2_USER_PRCTL:
1652 case SPECTRE_V2_USER_SECCOMP:
1653 update_indir_branch_cond();
1657 switch (mds_mitigation) {
1658 case MDS_MITIGATION_FULL:
1659 case MDS_MITIGATION_VMWERV:
1660 if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
1661 pr_warn_once(MDS_MSG_SMT);
1662 update_mds_branch_idle();
1664 case MDS_MITIGATION_OFF:
1668 switch (taa_mitigation) {
1669 case TAA_MITIGATION_VERW:
1670 case TAA_MITIGATION_UCODE_NEEDED:
1671 if (sched_smt_active())
1672 pr_warn_once(TAA_MSG_SMT);
1674 case TAA_MITIGATION_TSX_DISABLED:
1675 case TAA_MITIGATION_OFF:
1679 switch (mmio_mitigation) {
1680 case MMIO_MITIGATION_VERW:
1681 case MMIO_MITIGATION_UCODE_NEEDED:
1682 if (sched_smt_active())
1683 pr_warn_once(MMIO_MSG_SMT);
1685 case MMIO_MITIGATION_OFF:
1689 mutex_unlock(&spec_ctrl_mutex);
1693 #define pr_fmt(fmt) "Speculative Store Bypass: " fmt
1695 static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
1697 /* The kernel command line selection */
1698 enum ssb_mitigation_cmd {
1699 SPEC_STORE_BYPASS_CMD_NONE,
1700 SPEC_STORE_BYPASS_CMD_AUTO,
1701 SPEC_STORE_BYPASS_CMD_ON,
1702 SPEC_STORE_BYPASS_CMD_PRCTL,
1703 SPEC_STORE_BYPASS_CMD_SECCOMP,
1706 static const char * const ssb_strings[] = {
1707 [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
1708 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
1709 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
1710 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
1713 static const struct {
1715 enum ssb_mitigation_cmd cmd;
1716 } ssb_mitigation_options[] __initconst = {
1717 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
1718 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
1719 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
1720 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
1721 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
1724 static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
1726 enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
1730 if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
1731 cpu_mitigations_off()) {
1732 return SPEC_STORE_BYPASS_CMD_NONE;
1734 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
1737 return SPEC_STORE_BYPASS_CMD_AUTO;
1739 for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
1740 if (!match_option(arg, ret, ssb_mitigation_options[i].option))
1743 cmd = ssb_mitigation_options[i].cmd;
1747 if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
1748 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1749 return SPEC_STORE_BYPASS_CMD_AUTO;
1756 static enum ssb_mitigation __init __ssb_select_mitigation(void)
1758 enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
1759 enum ssb_mitigation_cmd cmd;
1761 if (!boot_cpu_has(X86_FEATURE_SSBD))
1764 cmd = ssb_parse_cmdline();
1765 if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
1766 (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
1767 cmd == SPEC_STORE_BYPASS_CMD_AUTO))
1771 case SPEC_STORE_BYPASS_CMD_SECCOMP:
1773 * Choose prctl+seccomp as the default mode if seccomp is
1776 if (IS_ENABLED(CONFIG_SECCOMP))
1777 mode = SPEC_STORE_BYPASS_SECCOMP;
1779 mode = SPEC_STORE_BYPASS_PRCTL;
1781 case SPEC_STORE_BYPASS_CMD_ON:
1782 mode = SPEC_STORE_BYPASS_DISABLE;
1784 case SPEC_STORE_BYPASS_CMD_AUTO:
1785 case SPEC_STORE_BYPASS_CMD_PRCTL:
1786 mode = SPEC_STORE_BYPASS_PRCTL;
1788 case SPEC_STORE_BYPASS_CMD_NONE:
1793 * We have three CPU feature flags that are in play here:
1794 * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
1795 * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
1796 * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
1798 if (mode == SPEC_STORE_BYPASS_DISABLE) {
1799 setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
1801 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
1802 * use a completely different MSR and bit dependent on family.
1804 if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
1805 !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
1806 x86_amd_ssb_disable();
1808 x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
1809 update_spec_ctrl(x86_spec_ctrl_base);
1816 static void ssb_select_mitigation(void)
1818 ssb_mode = __ssb_select_mitigation();
1820 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
1821 pr_info("%s\n", ssb_strings[ssb_mode]);
1825 #define pr_fmt(fmt) "Speculation prctl: " fmt
1827 static void task_update_spec_tif(struct task_struct *tsk)
1829 /* Force the update of the real TIF bits */
1830 set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE);
1833 * Immediately update the speculation control MSRs for the current
1834 * task, but for a non-current task delay setting the CPU
1835 * mitigation until it is scheduled next.
1837 * This can only happen for SECCOMP mitigation. For PRCTL it's
1838 * always the current task.
1841 speculation_ctrl_update_current();
1844 static int l1d_flush_prctl_set(struct task_struct *task, unsigned long ctrl)
1847 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
1851 case PR_SPEC_ENABLE:
1852 set_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
1854 case PR_SPEC_DISABLE:
1855 clear_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH);
1862 static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
1864 if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
1865 ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
1869 case PR_SPEC_ENABLE:
1870 /* If speculation is force disabled, enable is not allowed */
1871 if (task_spec_ssb_force_disable(task))
1873 task_clear_spec_ssb_disable(task);
1874 task_clear_spec_ssb_noexec(task);
1875 task_update_spec_tif(task);
1877 case PR_SPEC_DISABLE:
1878 task_set_spec_ssb_disable(task);
1879 task_clear_spec_ssb_noexec(task);
1880 task_update_spec_tif(task);
1882 case PR_SPEC_FORCE_DISABLE:
1883 task_set_spec_ssb_disable(task);
1884 task_set_spec_ssb_force_disable(task);
1885 task_clear_spec_ssb_noexec(task);
1886 task_update_spec_tif(task);
1888 case PR_SPEC_DISABLE_NOEXEC:
1889 if (task_spec_ssb_force_disable(task))
1891 task_set_spec_ssb_disable(task);
1892 task_set_spec_ssb_noexec(task);
1893 task_update_spec_tif(task);
1901 static bool is_spec_ib_user_controlled(void)
1903 return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL ||
1904 spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
1905 spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL ||
1906 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP;
1909 static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
1912 case PR_SPEC_ENABLE:
1913 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
1914 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
1918 * With strict mode for both IBPB and STIBP, the instruction
1919 * code paths avoid checking this task flag and instead,
1920 * unconditionally run the instruction. However, STIBP and IBPB
1921 * are independent and either can be set to conditionally
1922 * enabled regardless of the mode of the other.
1924 * If either is set to conditional, allow the task flag to be
1925 * updated, unless it was force-disabled by a previous prctl
1926 * call. Currently, this is possible on an AMD CPU which has the
1927 * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the
1928 * kernel is booted with 'spectre_v2_user=seccomp', then
1929 * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and
1930 * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED.
1932 if (!is_spec_ib_user_controlled() ||
1933 task_spec_ib_force_disable(task))
1936 task_clear_spec_ib_disable(task);
1937 task_update_spec_tif(task);
1939 case PR_SPEC_DISABLE:
1940 case PR_SPEC_FORCE_DISABLE:
1942 * Indirect branch speculation is always allowed when
1943 * mitigation is force disabled.
1945 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
1946 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
1949 if (!is_spec_ib_user_controlled())
1952 task_set_spec_ib_disable(task);
1953 if (ctrl == PR_SPEC_FORCE_DISABLE)
1954 task_set_spec_ib_force_disable(task);
1955 task_update_spec_tif(task);
1956 if (task == current)
1957 indirect_branch_prediction_barrier();
1965 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
1969 case PR_SPEC_STORE_BYPASS:
1970 return ssb_prctl_set(task, ctrl);
1971 case PR_SPEC_INDIRECT_BRANCH:
1972 return ib_prctl_set(task, ctrl);
1973 case PR_SPEC_L1D_FLUSH:
1974 return l1d_flush_prctl_set(task, ctrl);
1980 #ifdef CONFIG_SECCOMP
1981 void arch_seccomp_spec_mitigate(struct task_struct *task)
1983 if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
1984 ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1985 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
1986 spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP)
1987 ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1991 static int l1d_flush_prctl_get(struct task_struct *task)
1993 if (!static_branch_unlikely(&switch_mm_cond_l1d_flush))
1994 return PR_SPEC_FORCE_DISABLE;
1996 if (test_ti_thread_flag(&task->thread_info, TIF_SPEC_L1D_FLUSH))
1997 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
1999 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2002 static int ssb_prctl_get(struct task_struct *task)
2005 case SPEC_STORE_BYPASS_DISABLE:
2006 return PR_SPEC_DISABLE;
2007 case SPEC_STORE_BYPASS_SECCOMP:
2008 case SPEC_STORE_BYPASS_PRCTL:
2009 if (task_spec_ssb_force_disable(task))
2010 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
2011 if (task_spec_ssb_noexec(task))
2012 return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
2013 if (task_spec_ssb_disable(task))
2014 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2015 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2017 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
2018 return PR_SPEC_ENABLE;
2019 return PR_SPEC_NOT_AFFECTED;
2023 static int ib_prctl_get(struct task_struct *task)
2025 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
2026 return PR_SPEC_NOT_AFFECTED;
2028 if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
2029 spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
2030 return PR_SPEC_ENABLE;
2031 else if (is_spec_ib_user_controlled()) {
2032 if (task_spec_ib_force_disable(task))
2033 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
2034 if (task_spec_ib_disable(task))
2035 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
2036 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
2037 } else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
2038 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
2039 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED)
2040 return PR_SPEC_DISABLE;
2042 return PR_SPEC_NOT_AFFECTED;
2045 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
2048 case PR_SPEC_STORE_BYPASS:
2049 return ssb_prctl_get(task);
2050 case PR_SPEC_INDIRECT_BRANCH:
2051 return ib_prctl_get(task);
2052 case PR_SPEC_L1D_FLUSH:
2053 return l1d_flush_prctl_get(task);
2059 void x86_spec_ctrl_setup_ap(void)
2061 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
2062 update_spec_ctrl(x86_spec_ctrl_base);
2064 if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
2065 x86_amd_ssb_disable();
2068 bool itlb_multihit_kvm_mitigation;
2069 EXPORT_SYMBOL_GPL(itlb_multihit_kvm_mitigation);
2072 #define pr_fmt(fmt) "L1TF: " fmt
2074 /* Default mitigation for L1TF-affected CPUs */
2075 enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
2076 #if IS_ENABLED(CONFIG_KVM_INTEL)
2077 EXPORT_SYMBOL_GPL(l1tf_mitigation);
2079 enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
2080 EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
2083 * These CPUs all support 44bits physical address space internally in the
2084 * cache but CPUID can report a smaller number of physical address bits.
2086 * The L1TF mitigation uses the top most address bit for the inversion of
2087 * non present PTEs. When the installed memory reaches into the top most
2088 * address bit due to memory holes, which has been observed on machines
2089 * which report 36bits physical address bits and have 32G RAM installed,
2090 * then the mitigation range check in l1tf_select_mitigation() triggers.
2091 * This is a false positive because the mitigation is still possible due to
2092 * the fact that the cache uses 44bit internally. Use the cache bits
2093 * instead of the reported physical bits and adjust them on the affected
2094 * machines to 44bit if the reported bits are less than 44.
2096 static void override_cache_bits(struct cpuinfo_x86 *c)
2101 switch (c->x86_model) {
2102 case INTEL_FAM6_NEHALEM:
2103 case INTEL_FAM6_WESTMERE:
2104 case INTEL_FAM6_SANDYBRIDGE:
2105 case INTEL_FAM6_IVYBRIDGE:
2106 case INTEL_FAM6_HASWELL:
2107 case INTEL_FAM6_HASWELL_L:
2108 case INTEL_FAM6_HASWELL_G:
2109 case INTEL_FAM6_BROADWELL:
2110 case INTEL_FAM6_BROADWELL_G:
2111 case INTEL_FAM6_SKYLAKE_L:
2112 case INTEL_FAM6_SKYLAKE:
2113 case INTEL_FAM6_KABYLAKE_L:
2114 case INTEL_FAM6_KABYLAKE:
2115 if (c->x86_cache_bits < 44)
2116 c->x86_cache_bits = 44;
2121 static void __init l1tf_select_mitigation(void)
2125 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2128 if (cpu_mitigations_off())
2129 l1tf_mitigation = L1TF_MITIGATION_OFF;
2130 else if (cpu_mitigations_auto_nosmt())
2131 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2133 override_cache_bits(&boot_cpu_data);
2135 switch (l1tf_mitigation) {
2136 case L1TF_MITIGATION_OFF:
2137 case L1TF_MITIGATION_FLUSH_NOWARN:
2138 case L1TF_MITIGATION_FLUSH:
2140 case L1TF_MITIGATION_FLUSH_NOSMT:
2141 case L1TF_MITIGATION_FULL:
2142 cpu_smt_disable(false);
2144 case L1TF_MITIGATION_FULL_FORCE:
2145 cpu_smt_disable(true);
2149 #if CONFIG_PGTABLE_LEVELS == 2
2150 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
2154 half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
2155 if (l1tf_mitigation != L1TF_MITIGATION_OFF &&
2156 e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
2157 pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
2158 pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
2160 pr_info("However, doing so will make a part of your RAM unusable.\n");
2161 pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n");
2165 setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
2168 static int __init l1tf_cmdline(char *str)
2170 if (!boot_cpu_has_bug(X86_BUG_L1TF))
2176 if (!strcmp(str, "off"))
2177 l1tf_mitigation = L1TF_MITIGATION_OFF;
2178 else if (!strcmp(str, "flush,nowarn"))
2179 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN;
2180 else if (!strcmp(str, "flush"))
2181 l1tf_mitigation = L1TF_MITIGATION_FLUSH;
2182 else if (!strcmp(str, "flush,nosmt"))
2183 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
2184 else if (!strcmp(str, "full"))
2185 l1tf_mitigation = L1TF_MITIGATION_FULL;
2186 else if (!strcmp(str, "full,force"))
2187 l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;
2191 early_param("l1tf", l1tf_cmdline);
2194 #define pr_fmt(fmt) "Speculative Return Stack Overflow: " fmt
2196 enum srso_mitigation {
2197 SRSO_MITIGATION_NONE,
2198 SRSO_MITIGATION_MICROCODE,
2199 SRSO_MITIGATION_SAFE_RET,
2200 SRSO_MITIGATION_IBPB,
2201 SRSO_MITIGATION_IBPB_ON_VMEXIT,
2204 enum srso_mitigation_cmd {
2209 SRSO_CMD_IBPB_ON_VMEXIT,
2212 static const char * const srso_strings[] = {
2213 [SRSO_MITIGATION_NONE] = "Vulnerable",
2214 [SRSO_MITIGATION_MICROCODE] = "Mitigation: microcode",
2215 [SRSO_MITIGATION_SAFE_RET] = "Mitigation: safe RET",
2216 [SRSO_MITIGATION_IBPB] = "Mitigation: IBPB",
2217 [SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only"
2220 static enum srso_mitigation srso_mitigation __ro_after_init = SRSO_MITIGATION_NONE;
2221 static enum srso_mitigation_cmd srso_cmd __ro_after_init = SRSO_CMD_SAFE_RET;
2223 static int __init srso_parse_cmdline(char *str)
2228 if (!strcmp(str, "off"))
2229 srso_cmd = SRSO_CMD_OFF;
2230 else if (!strcmp(str, "microcode"))
2231 srso_cmd = SRSO_CMD_MICROCODE;
2232 else if (!strcmp(str, "safe-ret"))
2233 srso_cmd = SRSO_CMD_SAFE_RET;
2234 else if (!strcmp(str, "ibpb"))
2235 srso_cmd = SRSO_CMD_IBPB;
2236 else if (!strcmp(str, "ibpb-vmexit"))
2237 srso_cmd = SRSO_CMD_IBPB_ON_VMEXIT;
2239 pr_err("Ignoring unknown SRSO option (%s).", str);
2243 early_param("spec_rstack_overflow", srso_parse_cmdline);
2245 #define SRSO_NOTICE "WARNING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options."
2247 static void __init srso_select_mitigation(void)
2251 if (!boot_cpu_has_bug(X86_BUG_SRSO) || cpu_mitigations_off())
2255 * The first check is for the kernel running as a guest in order
2256 * for guests to verify whether IBPB is a viable mitigation.
2258 has_microcode = boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) || cpu_has_ibpb_brtype_microcode();
2259 if (!has_microcode) {
2260 pr_warn("IBPB-extending microcode not applied!\n");
2261 pr_warn(SRSO_NOTICE);
2264 * Enable the synthetic (even if in a real CPUID leaf)
2267 setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
2268 setup_force_cpu_cap(X86_FEATURE_SBPB);
2271 * Zen1/2 with SMT off aren't vulnerable after the right
2272 * IBPB microcode has been applied.
2274 if ((boot_cpu_data.x86 < 0x19) &&
2275 (cpu_smt_control == CPU_SMT_DISABLED))
2276 setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
2279 if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
2280 if (has_microcode) {
2281 pr_err("Retbleed IBPB mitigation enabled, using same for SRSO\n");
2282 srso_mitigation = SRSO_MITIGATION_IBPB;
2291 case SRSO_CMD_MICROCODE:
2292 if (has_microcode) {
2293 srso_mitigation = SRSO_MITIGATION_MICROCODE;
2294 pr_warn(SRSO_NOTICE);
2298 case SRSO_CMD_SAFE_RET:
2299 if (IS_ENABLED(CONFIG_CPU_SRSO)) {
2301 * Enable the return thunk for generated code
2302 * like ftrace, static_call, etc.
2304 setup_force_cpu_cap(X86_FEATURE_RETHUNK);
2306 if (boot_cpu_data.x86 == 0x19)
2307 setup_force_cpu_cap(X86_FEATURE_SRSO_ALIAS);
2309 setup_force_cpu_cap(X86_FEATURE_SRSO);
2310 srso_mitigation = SRSO_MITIGATION_SAFE_RET;
2312 pr_err("WARNING: kernel not compiled with CPU_SRSO.\n");
2318 if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) {
2319 if (has_microcode) {
2320 setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);
2321 srso_mitigation = SRSO_MITIGATION_IBPB;
2324 pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n");
2329 case SRSO_CMD_IBPB_ON_VMEXIT:
2330 if (IS_ENABLED(CONFIG_CPU_SRSO)) {
2331 if (!boot_cpu_has(X86_FEATURE_ENTRY_IBPB) && has_microcode) {
2332 setup_force_cpu_cap(X86_FEATURE_IBPB_ON_VMEXIT);
2333 srso_mitigation = SRSO_MITIGATION_IBPB_ON_VMEXIT;
2336 pr_err("WARNING: kernel not compiled with CPU_SRSO.\n");
2345 pr_info("%s%s\n", srso_strings[srso_mitigation], (has_microcode ? "" : ", no microcode"));
2348 if (boot_cpu_has(X86_FEATURE_SRSO_NO) ||
2349 srso_cmd == SRSO_CMD_OFF)
2350 x86_pred_cmd = PRED_CMD_SBPB;
2354 #define pr_fmt(fmt) fmt
2358 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
2360 #if IS_ENABLED(CONFIG_KVM_INTEL)
2361 static const char * const l1tf_vmx_states[] = {
2362 [VMENTER_L1D_FLUSH_AUTO] = "auto",
2363 [VMENTER_L1D_FLUSH_NEVER] = "vulnerable",
2364 [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes",
2365 [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes",
2366 [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled",
2367 [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary"
2370 static ssize_t l1tf_show_state(char *buf)
2372 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
2373 return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);
2375 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
2376 (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
2377 sched_smt_active())) {
2378 return sysfs_emit(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
2379 l1tf_vmx_states[l1tf_vmx_mitigation]);
2382 return sysfs_emit(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
2383 l1tf_vmx_states[l1tf_vmx_mitigation],
2384 sched_smt_active() ? "vulnerable" : "disabled");
2387 static ssize_t itlb_multihit_show_state(char *buf)
2389 if (!boot_cpu_has(X86_FEATURE_MSR_IA32_FEAT_CTL) ||
2390 !boot_cpu_has(X86_FEATURE_VMX))
2391 return sysfs_emit(buf, "KVM: Mitigation: VMX unsupported\n");
2392 else if (!(cr4_read_shadow() & X86_CR4_VMXE))
2393 return sysfs_emit(buf, "KVM: Mitigation: VMX disabled\n");
2394 else if (itlb_multihit_kvm_mitigation)
2395 return sysfs_emit(buf, "KVM: Mitigation: Split huge pages\n");
2397 return sysfs_emit(buf, "KVM: Vulnerable\n");
2400 static ssize_t l1tf_show_state(char *buf)
2402 return sysfs_emit(buf, "%s\n", L1TF_DEFAULT_MSG);
2405 static ssize_t itlb_multihit_show_state(char *buf)
2407 return sysfs_emit(buf, "Processor vulnerable\n");
2411 static ssize_t mds_show_state(char *buf)
2413 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2414 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
2415 mds_strings[mds_mitigation]);
2418 if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
2419 return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
2420 (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
2421 sched_smt_active() ? "mitigated" : "disabled"));
2424 return sysfs_emit(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
2425 sched_smt_active() ? "vulnerable" : "disabled");
2428 static ssize_t tsx_async_abort_show_state(char *buf)
2430 if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) ||
2431 (taa_mitigation == TAA_MITIGATION_OFF))
2432 return sysfs_emit(buf, "%s\n", taa_strings[taa_mitigation]);
2434 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2435 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
2436 taa_strings[taa_mitigation]);
2439 return sysfs_emit(buf, "%s; SMT %s\n", taa_strings[taa_mitigation],
2440 sched_smt_active() ? "vulnerable" : "disabled");
2443 static ssize_t mmio_stale_data_show_state(char *buf)
2445 if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
2446 return sysfs_emit(buf, "Unknown: No mitigations\n");
2448 if (mmio_mitigation == MMIO_MITIGATION_OFF)
2449 return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);
2451 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
2452 return sysfs_emit(buf, "%s; SMT Host state unknown\n",
2453 mmio_strings[mmio_mitigation]);
2456 return sysfs_emit(buf, "%s; SMT %s\n", mmio_strings[mmio_mitigation],
2457 sched_smt_active() ? "vulnerable" : "disabled");
2460 static char *stibp_state(void)
2462 if (spectre_v2_in_eibrs_mode(spectre_v2_enabled))
2465 switch (spectre_v2_user_stibp) {
2466 case SPECTRE_V2_USER_NONE:
2467 return ", STIBP: disabled";
2468 case SPECTRE_V2_USER_STRICT:
2469 return ", STIBP: forced";
2470 case SPECTRE_V2_USER_STRICT_PREFERRED:
2471 return ", STIBP: always-on";
2472 case SPECTRE_V2_USER_PRCTL:
2473 case SPECTRE_V2_USER_SECCOMP:
2474 if (static_key_enabled(&switch_to_cond_stibp))
2475 return ", STIBP: conditional";
2480 static char *ibpb_state(void)
2482 if (boot_cpu_has(X86_FEATURE_IBPB)) {
2483 if (static_key_enabled(&switch_mm_always_ibpb))
2484 return ", IBPB: always-on";
2485 if (static_key_enabled(&switch_mm_cond_ibpb))
2486 return ", IBPB: conditional";
2487 return ", IBPB: disabled";
2492 static char *pbrsb_eibrs_state(void)
2494 if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
2495 if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
2496 boot_cpu_has(X86_FEATURE_RSB_VMEXIT))
2497 return ", PBRSB-eIBRS: SW sequence";
2499 return ", PBRSB-eIBRS: Vulnerable";
2501 return ", PBRSB-eIBRS: Not affected";
2505 static ssize_t spectre_v2_show_state(char *buf)
2507 if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
2508 return sysfs_emit(buf, "Vulnerable: LFENCE\n");
2510 if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
2511 return sysfs_emit(buf, "Vulnerable: eIBRS with unprivileged eBPF\n");
2513 if (sched_smt_active() && unprivileged_ebpf_enabled() &&
2514 spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
2515 return sysfs_emit(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
2517 return sysfs_emit(buf, "%s%s%s%s%s%s%s\n",
2518 spectre_v2_strings[spectre_v2_enabled],
2520 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
2522 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
2523 pbrsb_eibrs_state(),
2524 spectre_v2_module_string());
2527 static ssize_t srbds_show_state(char *buf)
2529 return sysfs_emit(buf, "%s\n", srbds_strings[srbds_mitigation]);
2532 static ssize_t retbleed_show_state(char *buf)
2534 if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
2535 retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
2536 if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
2537 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
2538 return sysfs_emit(buf, "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch\n");
2540 return sysfs_emit(buf, "%s; SMT %s\n", retbleed_strings[retbleed_mitigation],
2541 !sched_smt_active() ? "disabled" :
2542 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
2543 spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ?
2544 "enabled with STIBP protection" : "vulnerable");
2547 return sysfs_emit(buf, "%s\n", retbleed_strings[retbleed_mitigation]);
2550 static ssize_t srso_show_state(char *buf)
2552 return sysfs_emit(buf, "%s%s\n",
2553 srso_strings[srso_mitigation],
2554 (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode"));
2557 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
2558 char *buf, unsigned int bug)
2560 if (!boot_cpu_has_bug(bug))
2561 return sysfs_emit(buf, "Not affected\n");
2564 case X86_BUG_CPU_MELTDOWN:
2565 if (boot_cpu_has(X86_FEATURE_PTI))
2566 return sysfs_emit(buf, "Mitigation: PTI\n");
2568 if (hypervisor_is_type(X86_HYPER_XEN_PV))
2569 return sysfs_emit(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");
2573 case X86_BUG_SPECTRE_V1:
2574 return sysfs_emit(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
2576 case X86_BUG_SPECTRE_V2:
2577 return spectre_v2_show_state(buf);
2579 case X86_BUG_SPEC_STORE_BYPASS:
2580 return sysfs_emit(buf, "%s\n", ssb_strings[ssb_mode]);
2583 if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
2584 return l1tf_show_state(buf);
2588 return mds_show_state(buf);
2591 return tsx_async_abort_show_state(buf);
2593 case X86_BUG_ITLB_MULTIHIT:
2594 return itlb_multihit_show_state(buf);
2597 return srbds_show_state(buf);
2599 case X86_BUG_MMIO_STALE_DATA:
2600 case X86_BUG_MMIO_UNKNOWN:
2601 return mmio_stale_data_show_state(buf);
2603 case X86_BUG_RETBLEED:
2604 return retbleed_show_state(buf);
2607 return srso_show_state(buf);
2613 return sysfs_emit(buf, "Vulnerable\n");
2616 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
2618 return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
2621 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
2623 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
2626 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
2628 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
2631 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
2633 return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
2636 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
2638 return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
2641 ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *buf)
2643 return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
2646 ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf)
2648 return cpu_show_common(dev, attr, buf, X86_BUG_TAA);
2651 ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf)
2653 return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT);
2656 ssize_t cpu_show_srbds(struct device *dev, struct device_attribute *attr, char *buf)
2658 return cpu_show_common(dev, attr, buf, X86_BUG_SRBDS);
2661 ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)
2663 if (boot_cpu_has_bug(X86_BUG_MMIO_UNKNOWN))
2664 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_UNKNOWN);
2666 return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);
2669 ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)
2671 return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);
2674 ssize_t cpu_show_spec_rstack_overflow(struct device *dev, struct device_attribute *attr, char *buf)
2676 return cpu_show_common(dev, attr, buf, X86_BUG_SRSO);