From: Breno Leitao
To: mingo@kernel.org, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Josh Poimboeuf, Pawan Gupta
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH 1/3] x86/bugs: Create a way to disable GDS mitigation
Date: Thu, 18 Jan 2024 09:32:11 -0800
Message-Id: <20240118173213.2008115-2-leitao@debian.org>
In-Reply-To: <20240118173213.2008115-1-leitao@debian.org>
References: <20240118173213.2008115-1-leitao@debian.org>

Currently there is no way to disable GDS mitigation at build time. The
current config option (GDS_MITIGATION_FORCE) just enables a more drastic
mitigation.

Create a new kernel config that allows GDS to be completely disabled,
similarly to the "gather_data_sampling=off" or "mitigations=off" kernel
command-line.

Move the GDS_MITIGATION_FORCE under this new mitigation.

Suggested-by: Josh Poimboeuf
Signed-off-by: Breno Leitao
Acked-by: Josh Poimboeuf
---
 arch/x86/Kconfig | 16 +++++++++++-----
 arch/x86/kernel/cpu/bugs.c | 7 ++++---
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 0a9fea390ef3..d5e3f1a8cacd 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig
@@ -2587,15 +2587,21 @@ config MITIGATION_SLS against straight line speculation. The kernel image might be slightly larger. +config MITIGATION_GDS + bool "Mitigate Gather Data Sampling" + depends on CPU_SUP_INTEL + default y + help + Enable mitigation for Gather Data Sampling (GDS). GDS is a hardware + vulnerability which allows unprivileged speculative access to data + which was previously stored in vector registers. The attacker uses gather + instructions to infer the stale vector register data. + config MITIGATION_GDS_FORCE bool "Force GDS Mitigation" - depends on CPU_SUP_INTEL + depends on MITIGATION_GDS default n help - Gather Data Sampling (GDS) is a hardware vulnerability which allows - unprivileged speculative access to data which was previously stored in - vector registers. - This option is equivalent to setting gather_data_sampling=force on the command line. The microcode mitigation is used if present, otherwise AVX is disabled as a mitigation. On affected systems that are missing diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index f2775417bda2..0172bb0f61fe 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -671,10 +671,11 @@ enum gds_mitigations { GDS_MITIGATION_HYPERVISOR, }; -#if IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE) -static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE; +#if IS_ENABLED(CONFIG_MITIGATION_GDS) +static enum gds_mitigations gds_mitigation __ro_after_init = + IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE) ? GDS_MITIGATION_FORCE : GDS_MITIGATION_FULL; #else -static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL; +static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_OFF; #endif static const char * const gds_strings[] = { -- 2.34.1
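
Review bot: the help text of the new MITIGATION_GDS entry in arch/x86/Kconfig does not say what building with the option disabled does. The commit message describes it as the build-time counterpart of "gather_data_sampling=off", and the MITIGATION_GDS_FORCE help directly below already names its own command-line equivalent, so a matching sentence here would keep the two entries consistent. It would also help to state that selecting n on an affected CPU leaves stale vector register data open to unprivileged speculative access, since that is the trade-off the person configuring the kernel accepts.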
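
Review bot: in the #else branch of the arch/x86/kernel/cpu/bugs.c hunk, gds_mitigation now defaults to GDS_MITIGATION_OFF, and nothing in the visible lines shows how a kernel built that way can be brought back to GDS_MITIGATION_FULL at boot. The only gather_data_sampling values named in this patch are "off" and "force", so please confirm whether a boot-time override to the default mitigation exists and document the answer in the Kconfig help or the commit message. Separately, the #if branch mixes a preprocessor test with an IS_ENABLED() ternary in one long initializer line; an #if / #elif / #else ladder with one initializer per case would be easier to read.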