With cmdline "spectre_v2=ibrs retbleed=off" sysfs reports vulnerable to
retbleed:
$ cat /sys/devices/system/cpu/vulnerabilities/retbleed
Vulnerable
On Intel CPUs when IBRS or Enhanced IBRS is enabled, system is not
vulnerable to retbleed.
Even if a user has passed retbleed=off, mitigation for retbleed could be
deployed as part of spectre_v2 mitigation. Fix retbleed reporting for
such a case.
Fixes: 6ad0ad2bf8a6 ("x86/bugs: Report Intel retbleed vulnerability")
Reported-by: Antonio Gomez Iglesias <[email protected]>
Signed-off-by: Pawan Gupta <[email protected]>
Cc: [email protected]
---
.../admin-guide/kernel-parameters.txt | 4 +++-
arch/x86/kernel/cpu/bugs.c | 19 +++++++++++--------
2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 426fa892d311..70447979111c 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -5280,7 +5280,9 @@
cessors that support it, and mitigate SMT on processors
that don't.
- off - no mitigation
+ off - no mitigation. Overridden when
+ spectre_v2 mitigation already mitigates
+ retbleed.
auto - automatically select a migitation
auto,nosmt - automatically select a mitigation,
disabling SMT if necessary for
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index da7c361f47e0..02f4e0a2f725 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -778,6 +778,14 @@ early_param("nospectre_v1", nospectre_v1_cmdline);
static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
SPECTRE_V2_NONE;
+static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
+{
+ return mode == SPECTRE_V2_IBRS ||
+ mode == SPECTRE_V2_EIBRS ||
+ mode == SPECTRE_V2_EIBRS_RETPOLINE ||
+ mode == SPECTRE_V2_EIBRS_LFENCE;
+}
+
#undef pr_fmt
#define pr_fmt(fmt) "RETBleed: " fmt
@@ -856,6 +864,9 @@ static void __init retbleed_select_mitigation(void)
switch (retbleed_cmd) {
case RETBLEED_CMD_OFF:
+ if (spectre_v2_in_ibrs_mode(spectre_v2_enabled) &&
+ boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
+ goto do_cmd_auto;
return;
case RETBLEED_CMD_UNRET:
@@ -1095,14 +1106,6 @@ spectre_v2_parse_user_cmdline(void)
return SPECTRE_V2_USER_CMD_AUTO;
}
-static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
-{
- return mode == SPECTRE_V2_IBRS ||
- mode == SPECTRE_V2_EIBRS ||
- mode == SPECTRE_V2_EIBRS_RETPOLINE ||
- mode == SPECTRE_V2_EIBRS_LFENCE;
-}
-
static void __init
spectre_v2_user_select_mitigation(void)
{
base-commit: b90cb1053190353cc30f0fef0ef1f378ccc063c5
--
2.37.2