xref: /linux/Documentation/admin-guide/hw-vuln/vmscape.rst (revision 223ba8ee0a3986718c874b66ed24e7f87f6b8124)

.. SPDX-License-Identifier: GPL-2.0

VMSCAPE
=======

VMSCAPE is a vulnerability that may allow a guest to influence the branch
prediction in host userspace. It particularly affects hypervisors like QEMU.

Even if a hypervisor may not have any sensitive data like disk encryption keys,
guest-userspace may be able to attack the guest-kernel using the hypervisor as
a confused deputy.

Affected processors
-------------------

The following CPU families are affected by VMSCAPE:

**Intel processors:**
  - Skylake generation (Parts without Enhanced-IBRS)
  - Cascade Lake generation - (Parts affected by ITS guest/host separation)
  - Alder Lake and newer (Parts affected by BHI)

Note that, BHI affected parts that use BHB clearing software mitigation e.g.
Icelake are not vulnerable to VMSCAPE.

**AMD processors:**
  - Zen series (families 0x17, 0x19, 0x1a)

** Hygon processors:**
 - Family 0x18

Mitigation
----------

Conditional IBPB
----------------

Kernel tracks when a CPU has run a potentially malicious guest and issues an
IBPB before the first exit to userspace after VM-exit. If userspace did not run
between VM-exit and the next VM-entry, no IBPB is issued.

Note that the existing userspace mitigation against Spectre-v2 is effective in
protecting the userspace. They are insufficient to protect the userspace VMMs
from a malicious guest. This is because Spectre-v2 mitigations are applied at
context switch time, while the userspace VMM can run after a VM-exit without a
context switch.

Vulnerability enumeration and mitigation is not applied inside a guest. This is
because nested hypervisors should already be deploying IBPB to isolate
themselves from nested guests.

SMT considerations
------------------

When Simultaneous Multi-Threading (SMT) is enabled, hypervisors can be
vulnerable to cross-thread attacks. For complete protection against VMSCAPE
attacks in SMT environments, STIBP should be enabled.

The kernel will issue a warning if SMT is enabled without adequate STIBP
protection. Warning is not issued when:

- SMT is disabled
- STIBP is enabled system-wide
- Intel eIBRS is enabled (which implies STIBP protection)

System information and options
------------------------------

The sysfs file showing VMSCAPE mitigation status is:

  /sys/devices/system/cpu/vulnerabilities/vmscape

The possible values in this file are:

 * 'Not affected':

   The processor is not vulnerable to VMSCAPE attacks.

 * 'Vulnerable':

   The processor is vulnerable and no mitigation has been applied.

 * 'Mitigation: IBPB before exit to userspace':

   Conditional IBPB mitigation is enabled. The kernel tracks when a CPU has
   run a potentially malicious guest and issues an IBPB before the first
   exit to userspace after VM-exit.

 * 'Mitigation: IBPB on VMEXIT':

   IBPB is issued on every VM-exit. This occurs when other mitigations like
   RETBLEED or SRSO are already issuing IBPB on VM-exit.

Mitigation control on the kernel command line
----------------------------------------------

The mitigation can be controlled via the ``vmscape=`` command line parameter:

 * ``vmscape=off``:

   Disable the VMSCAPE mitigation.

 * ``vmscape=ibpb``:

   Enable conditional IBPB mitigation (default when CONFIG_MITIGATION_VMSCAPE=y).

 * ``vmscape=force``:

   Force vulnerability detection and mitigation even on processors that are
   not known to be affected.