x86/bugs: Enable STIBP for IBPB mitigated RETBleed
author Kim Phillips <kim.phillips@amd.com>
Mon, 8 Aug 2022 14:32:33 +0000 (09:32 -0500)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 Aug 2022 12:24:18 +0000 (14:24 +0200)
commit e6cfcdda8cbe81eaf821c897369a65fec987b404 upstream.

AMD's "Technical Guidance for Mitigating Branch Type Confusion,
Rev. 1.0 2022-07-12" whitepaper, under section 6.1.2 "IBPB On
Privileged Mode Entry / SMT Safety" says:

  Similar to the Jmp2Ret mitigation, if the code on the sibling thread
  cannot be trusted, software should set STIBP to 1 or disable SMT to
  ensure SMT safety when using this mitigation.

So, like already being done for retbleed=unret, and now also for
retbleed=ibpb, force STIBP on machines that have it, and report its SMT
vulnerability status accordingly.

 [ bp: Remove the "we" and remove "[AMD]" applicability parameter which
   doesn't work here. ]

Fixes: 3ebc17006888 ("x86/bugs: Add retbleed=ibpb")
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: stable@vger.kernel.org # 5.10, 5.15, 5.19
Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537
Link: https://lore.kernel.org/r/20220804192201.439596-1-kim.phillips@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Documentation/admin-guide/kernel-parameters.txt
arch/x86/kernel/cpu/bugs.c

index b47905c..bcb102c 100644 (file)
                        Speculative Code Execution with Return Instructions)
                        vulnerability.
 
+                       AMD-based UNRET and IBPB mitigations alone do not stop
+                       sibling threads from influencing the predictions of other
+                       sibling threads. For that reason, STIBP is used on pro-
+                       cessors that support it, and mitigate SMT on processors
+                       that don't.
+
                        off          - no mitigation
                        auto         - automatically select a migitation
                        auto,nosmt   - automatically select a mitigation,
                                       disabling SMT if necessary for
                                       the full mitigation (only on Zen1
                                       and older without STIBP).
-                       ibpb         - mitigate short speculation windows on
-                                      basic block boundaries too. Safe, highest
-                                      perf impact.
-                       unret        - force enable untrained return thunks,
-                                      only effective on AMD f15h-f17h
-                                      based systems.
-                       unret,nosmt  - like unret, will disable SMT when STIBP
-                                      is not available.
+                       ibpb         - On AMD, mitigate short speculation
+                                      windows on basic block boundaries too.
+                                      Safe, highest perf impact. It also
+                                      enables STIBP if present. Not suitable
+                                      on Intel.
+                       ibpb,nosmt   - Like "ibpb" above but will disable SMT
+                                      when STIBP is not available. This is
+                                      the alternative for systems which do not
+                                      have STIBP.
+                       unret        - Force enable untrained return thunks,
+                                      only effective on AMD f15h-f17h based
+                                      systems.
+                       unret,nosmt  - Like unret, but will disable SMT when STIBP
+                                      is not available. This is the alternative for
+                                      systems which do not have STIBP.
 
                        Selecting 'auto' will choose a mitigation method at run
                        time according to the CPU.
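Review bot: In the paragraph added at the top of this hunk, "and mitigate SMT on processors that don't" reads as if SMT is handled automatically, while the option list below it says SMT is disabled only by the ",nosmt" variants ("ibpb,nosmt", "unret,nosmt", "auto,nosmt"). Suggest stating that STIBP is used where supported and that, where it is not, SMT is disabled only when a ",nosmt" option is given. The word split "pro-" / "cessors" should be written whole, and the context line "automatically select a migitation" carries a typo that could be fixed in passing.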
index 837e617..977d9d7 100644 (file)
@@ -152,7 +152,7 @@ void __init check_bugs(void)
        /*
         * spectre_v2_user_select_mitigation() relies on the state set by
         * retbleed_select_mitigation(); specifically the STIBP selection is
-        * forced for UNRET.
+        * forced for UNRET or IBPB.
         */
        spectre_v2_user_select_mitigation();
        ssb_select_mitigation();
@@ -1172,7 +1172,8 @@ spectre_v2_user_select_mitigation(void)
            boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
                mode = SPECTRE_V2_USER_STRICT_PREFERRED;
 
-       if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) {
+       if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
+           retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
                if (mode != SPECTRE_V2_USER_STRICT &&
                    mode != SPECTRE_V2_USER_STRICT_PREFERRED)
                        pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");
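Review bot: The two-value test on retbleed_mitigation added here is repeated verbatim in retbleed_show_state(), so any later mitigation that also needs STIBP has to be added in both places or selection and reporting will drift apart. A small static helper returning true for RETBLEED_MITIGATION_UNRET and RETBLEED_MITIGATION_IBPB would keep the two in step. The pr_info() text says only "to complement retbleed mitigation"; now that two modes reach it, naming the mode that triggered the STIBP selection would make boot logs easier to audit.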
@@ -2353,10 +2354,11 @@ static ssize_t srbds_show_state(char *buf)
 
 static ssize_t retbleed_show_state(char *buf)
 {
-       if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) {
+       if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET ||
+           retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
            if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
                boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
-                   return sprintf(buf, "Vulnerable: untrained return thunk on non-Zen uarch\n");
+                   return sprintf(buf, "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch\n");
 
            return sprintf(buf, "%s; SMT %s\n",
                           retbleed_strings[retbleed_mitigation],
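Review bot: The new string "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch" is returned for either mode, so on a non-AMD, non-Hygon CPU the sysfs report no longer says which mitigation was actually selected. Consider one string per mode so the reader can tell UNRET from IBPB. The vendor check also accepts X86_VENDOR_HYGON while the text says "non-AMD based"; a short comment noting that Hygon is treated as AMD-based here would avoid confusion. Anything that matches on the previous "non-Zen uarch" wording will need updating as well.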