Received: by 2002:a05:6a10:8a4d:0:0:0:0 with SMTP id dn13csp296907pxb; Thu, 12 Aug 2021 16:54:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyZmStBX2vIQjlgrV6ohMJLz/xsTl7lZXVwfSrTvd1eKnkRqg3AuXrk+fRAJ0rtuQc8buoL X-Received: by 2002:a02:340a:: with SMTP id x10mr5970927jae.13.1628812498066; Thu, 12 Aug 2021 16:54:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628812498; cv=none; d=google.com; s=arc-20160816; b=FU3XnrV9n7CScRDqNYd094FgtPmZ25s8DpzmX6qC5AxjEaBnRfjK0J69ZJqRZkq3SO DZ4j7IaX9RB/BWO11u4Edwy9fKNYxg6bvlTCDKJste2EsPxFCD1C0ypN1seEotdJLdsH F4KgHPVxC76MQ3ZNSIuuq/u0mNPQI0E7Bzd/YkAmePjfXVDntZV/j8ebsfYwQ388p+f4 A1wOSLxE+idWVjUSj0D4NHP/104Uc9oQyLTsv8uDmyn6DwAaTLCL6rDz1BzeFWaXPXkx OgJ0sXlD8LtiV4ONloHuTcHp7hFr957dHFl0FSg919TdelHizbghywWRTapK7JoSS4/9 oWeA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=Rd3OV6Dvw8ckC2y3lCBsgXJ9t52P1EWnPLZIGT1HBu4=; b=045oWsnxh3AHDwKNlnjxcgO29MXW9CmG7U9f6K88UhIBFDwz3wUIDYsgVbvLfV7uSK OGjZ/K3kXkkbDAXP151Re0qK+yFXF0N5cglUowYR46uO79TZEjYeKeTeemJukFk1Tz1V iVuIF0pcL0KOxII3cNMnLq1xgOnrxdhT7mj/nDYnwYstFPVBNdrXLryWC76Id1RgbkXA p+wj+9+kTBDJDG0c1q4mBFcmJS7BJbvoC/HJPdkpI9GWVtQhWsUyb4mXnv/wZS+DGjKi iB+exET/dBI7pfaUVlx/F2S0atFIS7ailIf0mc/yBQLgU4aLB3/4jyzX1FYggxg9hL0f MAFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="QGl+sH/s"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v2si5177381jat.40.2021.08.12.16.54.46; Thu, 12 Aug 2021 16:54:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="QGl+sH/s"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230244AbhHLXpN (ORCPT + 99 others); Thu, 12 Aug 2021 19:45:13 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:50239 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229601AbhHLXpN (ORCPT ); Thu, 12 Aug 2021 19:45:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1628811886; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Rd3OV6Dvw8ckC2y3lCBsgXJ9t52P1EWnPLZIGT1HBu4=; b=QGl+sH/s7K8NbwD6+ZyP64h8ca69xCGZUiwqwxMkOe4u9p+KU5UYj3mDM7e0if0VNcZ18q K/bKrFQ8TIFka2NUXn7e/B0i2mcImgQTJX1b2Jyf0h4x7wyE+mSikWgM1eieydRHD6VgPC TmttKIjMIx+uP0fmrhbIZs6s/3tAknc= Received: from mail-qv1-f69.google.com (mail-qv1-f69.google.com [209.85.219.69]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-242-ZaF8jtUaOK-Tku2-STNFjQ-1; Thu, 12 Aug 2021 19:44:45 -0400 X-MC-Unique: ZaF8jtUaOK-Tku2-STNFjQ-1 Received: by mail-qv1-f69.google.com with SMTP id t3-20020a0cf9830000b0290359840930bdso981512qvn.2 for ; Thu, 12 Aug 2021 16:44:45 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=Rd3OV6Dvw8ckC2y3lCBsgXJ9t52P1EWnPLZIGT1HBu4=; b=YYoKOCp+LgnKgsEKvaDCxvJ1UbH4uDzOr176dfi6JWRpRzwGPjQyRRtSn5zahareFY gPFSSQc/RI73NSKHUvodF/r5ZeyOXdX/QMEZ45UQRuZW9QmaaHuQwIiuQxfbM31dVotI pCY+aooTmnAW2XlwqwqQFyqxIanJVRB6rAVJa+SvvSjnfyeUf8eC3+vqI2BwLKi50t+y N9dfII1Eo+IjclytOrlZov1eN4bISyFGSkTHCBj9ZtlSqU7EhH8MxgO+DEubJFghvJQF 3KJAVZcpF3dqz/BQIwIg2zD8fQiVOEuYfJktokEosoqKF/yep9AzJnurlmA2J3EOxenl c1GA== X-Gm-Message-State: AOAM533K2HWf9TbXhinQZ17oIbMHZzZ6i2+7AjADdfgZrCthvnV3Gd6H BYPbfka+OFGt5O7BFnaBOmQv2iRpIQB0IBagbDmwbpNRo68JOSBlUgk5ndjlEsbrtjKFoHGLpu0 yE/iXkOI+bDLclS3Nn65JZg5r X-Received: by 2002:a05:6214:29cb:: with SMTP id gh11mr6584277qvb.61.1628811884826; Thu, 12 Aug 2021 16:44:44 -0700 (PDT) X-Received: by 2002:a05:6214:29cb:: with SMTP id gh11mr6584258qvb.61.1628811884614; Thu, 12 Aug 2021 16:44:44 -0700 (PDT) Received: from treble ([68.74.140.199]) by smtp.gmail.com with ESMTPSA id i10sm2286766qkl.51.2021.08.12.16.44.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Aug 2021 16:44:44 -0700 (PDT) Date: Thu, 12 Aug 2021 16:44:40 -0700 From: Josh Poimboeuf To: Ramakrishna Saripalli Cc: linux-kernel@vger.kernel.org, x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, Jonathan Corbet , bsd@redhat.com Subject: Re: [v6 1/1] x86/bugs: Implement mitigation for Predictive Store Forwarding Message-ID: <20210812234440.tcssf2iqs435bgdo@treble> References: <20210517220059.6452-1-rsaripal@amd.com> <20210517220059.6452-2-rsaripal@amd.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20210517220059.6452-2-rsaripal@amd.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 17, 2021 at 05:00:58PM -0500, Ramakrishna Saripalli wrote: > From: Ramakrishna Saripalli > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index 04545725f187..a5f694dccb24 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -3940,6 +3940,11 @@ > Format: {"off"} > Disable Hardware Transactional Memory > > + predictive_store_fwd_disable= [X86] This option controls PSF. > + off - Turns on PSF. > + on - Turns off PSF. > + default : off. > + This needs a lot more text. > +static const char * const psf_strings[] = { > + [PREDICTIVE_STORE_FORWARD_NONE] = "Vulnerable", > + [PREDICTIVE_STORE_FORWARD_DISABLE] = "Mitigation: Predictive Store Forward disabled", This defaults to "Vulnerable", which is problematic for at least a few reasons. 1) I'm fairly sure this would be the first mitigation designed to default to "Vulnerable". Aside from whether that's a good idea, many users will be alarmed to see "Vulnerable" in sysfs. 2) If the system has the default per-process SSB mitigation (prctl/seccomp) then PSF will be automatically mitigated in the same way. In that case "Vulnerable" isn't an accurate description. (More on that below.) > +static const struct { > + const char *option; > + enum psf_mitigation_cmd cmd; > +} psf_mitigation_options[] __initconst = { > + { "on", PREDICTIVE_STORE_FORWARD_CMD_ON }, /* Disable Speculative Store Bypass */ > + { "off", PREDICTIVE_STORE_FORWARD_CMD_NONE }, /* Don't touch Speculative Store Bypass */ Copy/paste error in the comments: "Speculative Store Bypass" -> "Predictive Store Forwarding" I'd also recommend an "auto" option: { "auto", PREDICTIVE_STORE_FORWARD_CMD_AUTO }, /* Platform decides */ which would be the default. For now it would function the same as "off", but would give room for tweaking defaults later. > +static enum psf_mitigation __init __psf_select_mitigation(void) > +{ > + enum psf_mitigation mode = PREDICTIVE_STORE_FORWARD_NONE; > + enum psf_mitigation_cmd cmd; > + > + if (!boot_cpu_has(X86_FEATURE_PSFD)) > + return mode; > + > + cmd = psf_parse_cmdline(); > + > + switch (cmd) { > + case PREDICTIVE_STORE_FORWARD_CMD_ON: > + mode = PREDICTIVE_STORE_FORWARD_DISABLE; > + break; > + default: > + mode = PREDICTIVE_STORE_FORWARD_NONE; > + break; > + } > + > + x86_spec_ctrl_mask |= SPEC_CTRL_PSFD; A comment would help for this last line. I assume it's virt-related. > + > + if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) > + mode = PREDICTIVE_STORE_FORWARD_DISABLE; > + > + if (mode == PREDICTIVE_STORE_FORWARD_DISABLE) { > + setup_force_cpu_cap(X86_FEATURE_PSFD); > + x86_spec_ctrl_base |= SPEC_CTRL_PSFD; > + wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); > + } The PSF mitigation is (to some extent) dependent on the SSB mitigation, since turning off SSB implicitly turns off PSF. That should be reflected properly in sysfs for the prctl/seccomp cases. Here I'd propose adding something like: } else if (ssb_mode == SPEC_STORE_BYPASS_PRCTL) { mode = PREDICTIVE_STORE_FORWARD_SSB_PRCTL; } else if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP) { mode = PREDICTIVE_STORE_FORWARD_SSB_SECCOMP; } And of course you'd need additional strings for those: [PREDICTIVE_STORE_FORWARD_SSB_PRCTL] = "Mitigation: Predictive Store Forward disabled via SSB prctl", [PREDICTIVE_STORE_FORWARD_SSB_SECCOMP] = "Mitigation: Predictive Store Forward disabled via SSB seccomp", -- Josh