Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp3030267rwb; Mon, 15 Aug 2022 16:29:20 -0700 (PDT) X-Google-Smtp-Source: AA6agR7i3HekULKG5cUQc7KMFG7NodFxNKFpGD83CafiiHLUKbM3U46i6/U9bN0/p3LDr+mSwXUz X-Received: by 2002:a17:906:98c8:b0:730:92dd:521 with SMTP id zd8-20020a17090698c800b0073092dd0521mr11993232ejb.79.1660606160083; Mon, 15 Aug 2022 16:29:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660606160; cv=none; d=google.com; s=arc-20160816; b=sPHLczYb0DR5EP5Kc3Hs+dnkMW9/jv53eUA0+z1PrmhB/TkgKWmcyqYxZYS5zoA37l BOnoMyIeoAlHuzd0ukzksPz+cShdIs/bXRXKATxLj6D8INbOFYI1w3pQovYkJRsRUAOU O9MfqiTN2Okl5dLRUWZikcPfUdVMwLTGao6lQ1Cyvnq+2ne25KtlKPdjVgm1bXCgThSW 02ODHZMFohq93tX+UP7P59uM3ZGB6um3RD+9h1lPDxmqAdxYT23NXMsvTAUHnqlU25FG aGZ8PEh9QcG89PF6xoFfps2CbSU/sFpuXtozjP2PwwRK/63YTDSVpFQCt2fWkgW+ODeI lGiQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=VvDhfM2QAjopDEannkRHu+Z9Sa+bJxmSZGB8dGNc19U=; b=wwAKrvZweHQ3wvYD58rP8TyVMWvT/q8JmeM8ushLbXx10MIgviVLjxpTEBhBFz3FXe HEMh4aBm4ubMLEwHZNnY29A7gDJ1MjSfUhX+nMlGiEH+4oH2OUWxJxytCP6H+Xs3j67i irDD6Q9ZGnfgh/jqwKPJ48MYe7/F7EEHKVmsAu8/4VM6JSVEm2abCSepYZeMVlWtj1qE DUGk1W7hT0p5mgo6Jp0Pre4YAfj9dkAuHc8j2JDqr94pDqWl3bSR7f/V5ujhfWsJ9rfX JBvc/htgcZuotIewNBIsHVnpFIzrMKX9rRnMHhjxw/CJTgouPXnEJS0ZEx03977JW+Tl K8Ww== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="omZMT/fn"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hd11-20020a170907968b00b00732f74db437si7975512ejc.891.2022.08.15.16.28.49; Mon, 15 Aug 2022 16:29:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="omZMT/fn"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346375AbiHOXKT (ORCPT + 99 others); Mon, 15 Aug 2022 19:10:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35364 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244999AbiHOXIK (ORCPT ); Mon, 15 Aug 2022 19:08:10 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 13DD278BCB; Mon, 15 Aug 2022 12:59:44 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 87A31B80EB1; Mon, 15 Aug 2022 19:59:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DF05EC433C1; Mon, 15 Aug 2022 19:59:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660593582; bh=IKiFqsVBpkSCn9+EeYNF1YPmUb0OiOAXXHU+8G+n66w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=omZMT/fnLrno4CqjH8qzCr5u7gxcUaVHKkzCDZ0pXk5M4GM7bzRK37cazlVm6bTu8 1HI5zaBwbGzfH+hmgV5nc/eZygWRl2AU14EKSfEhaHnKvKv0UwImntpgkd5s7IVaWw wKFuKCR1ujXw0EXGbLtDWvFSa3iNpygCo3JigLcg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kim Phillips , Borislav Petkov Subject: [PATCH 5.18 0971/1095] x86/bugs: Enable STIBP for IBPB mitigated RETBleed Date: Mon, 15 Aug 2022 20:06:10 +0200 Message-Id: <20220815180509.232916030@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220815180429.240518113@linuxfoundation.org> References: <20220815180429.240518113@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kim Phillips commit e6cfcdda8cbe81eaf821c897369a65fec987b404 upstream. AMD's "Technical Guidance for Mitigating Branch Type Confusion, Rev. 1.0 2022-07-12" whitepaper, under section 6.1.2 "IBPB On Privileged Mode Entry / SMT Safety" says: Similar to the Jmp2Ret mitigation, if the code on the sibling thread cannot be trusted, software should set STIBP to 1 or disable SMT to ensure SMT safety when using this mitigation. So, like already being done for retbleed=unret, and now also for retbleed=ibpb, force STIBP on machines that have it, and report its SMT vulnerability status accordingly. [ bp: Remove the "we" and remove "[AMD]" applicability parameter which doesn't work here. ] Fixes: 3ebc17006888 ("x86/bugs: Add retbleed=ibpb") Signed-off-by: Kim Phillips Signed-off-by: Borislav Petkov Cc: stable@vger.kernel.org # 5.10, 5.15, 5.19 Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 Link: https://lore.kernel.org/r/20220804192201.439596-1-kim.phillips@amd.com Signed-off-by: Greg Kroah-Hartman --- Documentation/admin-guide/kernel-parameters.txt | 29 +++++++++++++++++------- arch/x86/kernel/cpu/bugs.c | 10 ++++---- 2 files changed, 27 insertions(+), 12 deletions(-) --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -5130,20 +5130,33 @@ Speculative Code Execution with Return Instructions) vulnerability. + AMD-based UNRET and IBPB mitigations alone do not stop + sibling threads from influencing the predictions of other + sibling threads. For that reason, STIBP is used on pro- + cessors that support it, and mitigate SMT on processors + that don't. + off - no mitigation auto - automatically select a migitation auto,nosmt - automatically select a mitigation, disabling SMT if necessary for the full mitigation (only on Zen1 and older without STIBP). - ibpb - mitigate short speculation windows on - basic block boundaries too. Safe, highest - perf impact. - unret - force enable untrained return thunks, - only effective on AMD f15h-f17h - based systems. - unret,nosmt - like unret, will disable SMT when STIBP - is not available. + ibpb - On AMD, mitigate short speculation + windows on basic block boundaries too. + Safe, highest perf impact. It also + enables STIBP if present. Not suitable + on Intel. + ibpb,nosmt - Like "ibpb" above but will disable SMT + when STIBP is not available. This is + the alternative for systems which do not + have STIBP. + unret - Force enable untrained return thunks, + only effective on AMD f15h-f17h based + systems. + unret,nosmt - Like unret, but will disable SMT when STIBP + is not available. This is the alternative for + systems which do not have STIBP. Selecting 'auto' will choose a mitigation method at run time according to the CPU. --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -152,7 +152,7 @@ void __init check_bugs(void) /* * spectre_v2_user_select_mitigation() relies on the state set by * retbleed_select_mitigation(); specifically the STIBP selection is - * forced for UNRET. + * forced for UNRET or IBPB. */ spectre_v2_user_select_mitigation(); ssb_select_mitigation(); @@ -1172,7 +1172,8 @@ spectre_v2_user_select_mitigation(void) boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON)) mode = SPECTRE_V2_USER_STRICT_PREFERRED; - if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) { + if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET || + retbleed_mitigation == RETBLEED_MITIGATION_IBPB) { if (mode != SPECTRE_V2_USER_STRICT && mode != SPECTRE_V2_USER_STRICT_PREFERRED) pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n"); @@ -2353,10 +2354,11 @@ static ssize_t srbds_show_state(char *bu static ssize_t retbleed_show_state(char *buf) { - if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) { + if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET || + retbleed_mitigation == RETBLEED_MITIGATION_IBPB) { if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD && boot_cpu_data.x86_vendor != X86_VENDOR_HYGON) - return sprintf(buf, "Vulnerable: untrained return thunk on non-Zen uarch\n"); + return sprintf(buf, "Vulnerable: untrained return thunk / IBPB on non-AMD based uarch\n"); return sprintf(buf, "%s; SMT %s\n", retbleed_strings[retbleed_mitigation],