xref: /linux/Documentation/userspace-api/spec_ctrl.rst (revision 778b8ebe5192e7a7f00563a7456517dfa63e1d90) 
1===================
2Speculation Control
3===================
4
5Quite some CPUs have speculation-related misfeatures which are in
6fact vulnerabilities causing data leaks in various forms even across
7privilege domains.
8
9The kernel provides mitigation for such vulnerabilities in various
10forms. Some of these mitigations are compile-time configurable and some
11can be supplied on the kernel command line.
12
13There is also a class of mitigations which are very expensive, but they can
14be restricted to a certain set of processes or tasks in controlled
15environments. The mechanism to control these mitigations is via
16:manpage:`prctl(2)`.
17
18There are two prctl options which are related to this:
19
20 * PR_GET_SPECULATION_CTRL
21
22 * PR_SET_SPECULATION_CTRL
23
24PR_GET_SPECULATION_CTRL
25-----------------------
26
27PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
28which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
29the following meaning (with the caveat that PR_SPEC_L1D_FLUSH has less obvious
30semantics, see documentation for that specific control below):
31
32==== ====================== ==================================================
33Bit  Define                 Description
34==== ====================== ==================================================
350    PR_SPEC_PRCTL          Mitigation can be controlled per task by
36                            PR_SET_SPECULATION_CTRL.
371    PR_SPEC_ENABLE         The speculation feature is enabled, mitigation is
38                            disabled.
392    PR_SPEC_DISABLE        The speculation feature is disabled, mitigation is
40                            enabled.
413    PR_SPEC_FORCE_DISABLE  Same as PR_SPEC_DISABLE, but cannot be undone. A
42                            subsequent prctl(..., PR_SPEC_ENABLE) will fail.
434    PR_SPEC_DISABLE_NOEXEC Same as PR_SPEC_DISABLE, but the state will be
44                            cleared on :manpage:`execve(2)`.
45==== ====================== ==================================================
46
47If all bits are 0 the CPU is not affected by the speculation misfeature.
48
49If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
50available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
51misfeature will fail.
52
53.. _set_spec_ctrl:
54
55PR_SET_SPECULATION_CTRL
56-----------------------
57
58PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
59is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
60in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
61PR_SPEC_FORCE_DISABLE.
62
63Common error codes
64------------------
65======= =================================================================
66Value   Meaning
67======= =================================================================
68EINVAL  The prctl is not implemented by the architecture or unused
69        prctl(2) arguments are not 0.
70
71ENODEV  arg2 is selecting a not supported speculation misfeature.
72======= =================================================================
73
74PR_SET_SPECULATION_CTRL error codes
75-----------------------------------
76======= =================================================================
77Value   Meaning
78======= =================================================================
790       Success
80
81ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
82        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.
83
84ENXIO   Control of the selected speculation misfeature is not possible.
85        See PR_GET_SPECULATION_CTRL.
86
87EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
88        tried to enable it again.
89======= =================================================================
90
91Speculation misfeature controls
92-------------------------------
93- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
94
95  Invocations:
96   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
97   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
98   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
99   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
100   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE_NOEXEC, 0, 0);
101
102- PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes
103                        (Mitigate Spectre V2 style attacks against user processes)
104
105  Invocations:
106   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
107   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
108   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
109   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
110
111- PR_SPEC_L1D_FLUSH: Flush L1D Cache on context switch out of the task
112                        (works only when tasks run on non SMT cores)
113
114For this control, PR_SPEC_ENABLE means that the **mitigation** is enabled (L1D
115is flushed), PR_SPEC_DISABLE means it is disabled.
116
117  Invocations:
118   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, 0, 0, 0);
119   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);
120   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_DISABLE, 0, 0);
121