1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (C) 1994 Linus Torvalds 4 * 5 * Cyrix stuff, June 1998 by: 6 * - Rafael R. Reilova (moved everything from head.S), 7 * <rreilova@ececs.uc.edu> 8 * - Channing Corn (tests & fixes), 9 * - Andrew D. Balsa (code cleanup). 10 */ 11 #include <linux/init.h> 12 #include <linux/utsname.h> 13 #include <linux/cpu.h> 14 #include <linux/module.h> 15 #include <linux/nospec.h> 16 #include <linux/prctl.h> 17 #include <linux/sched/smt.h> 18 19 #include <asm/spec-ctrl.h> 20 #include <asm/cmdline.h> 21 #include <asm/bugs.h> 22 #include <asm/processor.h> 23 #include <asm/processor-flags.h> 24 #include <asm/fpu/internal.h> 25 #include <asm/msr.h> 26 #include <asm/vmx.h> 27 #include <asm/paravirt.h> 28 #include <asm/alternative.h> 29 #include <asm/pgtable.h> 30 #include <asm/set_memory.h> 31 #include <asm/intel-family.h> 32 #include <asm/e820/api.h> 33 #include <asm/hypervisor.h> 34 35 #include "cpu.h" 36 37 static void __init spectre_v2_select_mitigation(void); 38 static void __init ssb_select_mitigation(void); 39 static void __init l1tf_select_mitigation(void); 40 41 /* The base value of the SPEC_CTRL MSR that always has to be preserved. */ 42 u64 x86_spec_ctrl_base; 43 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); 44 static DEFINE_MUTEX(spec_ctrl_mutex); 45 46 /* 47 * The vendor and possibly platform specific bits which can be modified in 48 * x86_spec_ctrl_base. 49 */ 50 static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS; 51 52 /* 53 * AMD specific MSR info for Speculative Store Bypass control. 54 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu(). 55 */ 56 u64 __ro_after_init x86_amd_ls_cfg_base; 57 u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask; 58 59 /* Control conditional STIBP in switch_to() */ 60 DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp); 61 /* Control conditional IBPB in switch_mm() */ 62 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb); 63 /* Control unconditional IBPB in switch_mm() */ 64 DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb); 65 66 void __init check_bugs(void) 67 { 68 identify_boot_cpu(); 69 70 /* 71 * identify_boot_cpu() initialized SMT support information, let the 72 * core code know. 73 */ 74 cpu_smt_check_topology(); 75 76 if (!IS_ENABLED(CONFIG_SMP)) { 77 pr_info("CPU: "); 78 print_cpu_info(&boot_cpu_data); 79 } 80 81 /* 82 * Read the SPEC_CTRL MSR to account for reserved bits which may 83 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD 84 * init code as it is not enumerated and depends on the family. 85 */ 86 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) 87 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); 88 89 /* Allow STIBP in MSR_SPEC_CTRL if supported */ 90 if (boot_cpu_has(X86_FEATURE_STIBP)) 91 x86_spec_ctrl_mask |= SPEC_CTRL_STIBP; 92 93 /* Select the proper spectre mitigation before patching alternatives */ 94 spectre_v2_select_mitigation(); 95 96 /* 97 * Select proper mitigation for any exposure to the Speculative Store 98 * Bypass vulnerability. 99 */ 100 ssb_select_mitigation(); 101 102 l1tf_select_mitigation(); 103 104 #ifdef CONFIG_X86_32 105 /* 106 * Check whether we are able to run this kernel safely on SMP. 107 * 108 * - i386 is no longer supported. 109 * - In order to run on anything without a TSC, we need to be 110 * compiled for a i486. 111 */ 112 if (boot_cpu_data.x86 < 4) 113 panic("Kernel requires i486+ for 'invlpg' and other features"); 114 115 init_utsname()->machine[1] = 116 '0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86); 117 alternative_instructions(); 118 119 fpu__init_check_bugs(); 120 #else /* CONFIG_X86_64 */ 121 alternative_instructions(); 122 123 /* 124 * Make sure the first 2MB area is not mapped by huge pages 125 * There are typically fixed size MTRRs in there and overlapping 126 * MTRRs into large pages causes slow downs. 127 * 128 * Right now we don't do that with gbpages because there seems 129 * very little benefit for that case. 130 */ 131 if (!direct_gbpages) 132 set_memory_4k((unsigned long)__va(0), 1); 133 #endif 134 } 135 136 void 137 x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) 138 { 139 u64 msrval, guestval, hostval = x86_spec_ctrl_base; 140 struct thread_info *ti = current_thread_info(); 141 142 /* Is MSR_SPEC_CTRL implemented ? */ 143 if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) { 144 /* 145 * Restrict guest_spec_ctrl to supported values. Clear the 146 * modifiable bits in the host base value and or the 147 * modifiable bits from the guest value. 148 */ 149 guestval = hostval & ~x86_spec_ctrl_mask; 150 guestval |= guest_spec_ctrl & x86_spec_ctrl_mask; 151 152 /* SSBD controlled in MSR_SPEC_CTRL */ 153 if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) || 154 static_cpu_has(X86_FEATURE_AMD_SSBD)) 155 hostval |= ssbd_tif_to_spec_ctrl(ti->flags); 156 157 /* Conditional STIBP enabled? */ 158 if (static_branch_unlikely(&switch_to_cond_stibp)) 159 hostval |= stibp_tif_to_spec_ctrl(ti->flags); 160 161 if (hostval != guestval) { 162 msrval = setguest ? guestval : hostval; 163 wrmsrl(MSR_IA32_SPEC_CTRL, msrval); 164 } 165 } 166 167 /* 168 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update 169 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported. 170 */ 171 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) && 172 !static_cpu_has(X86_FEATURE_VIRT_SSBD)) 173 return; 174 175 /* 176 * If the host has SSBD mitigation enabled, force it in the host's 177 * virtual MSR value. If its not permanently enabled, evaluate 178 * current's TIF_SSBD thread flag. 179 */ 180 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE)) 181 hostval = SPEC_CTRL_SSBD; 182 else 183 hostval = ssbd_tif_to_spec_ctrl(ti->flags); 184 185 /* Sanitize the guest value */ 186 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD; 187 188 if (hostval != guestval) { 189 unsigned long tif; 190 191 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) : 192 ssbd_spec_ctrl_to_tif(hostval); 193 194 speculation_ctrl_update(tif); 195 } 196 } 197 EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl); 198 199 static void x86_amd_ssb_disable(void) 200 { 201 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask; 202 203 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD)) 204 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD); 205 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) 206 wrmsrl(MSR_AMD64_LS_CFG, msrval); 207 } 208 209 #undef pr_fmt 210 #define pr_fmt(fmt) "Spectre V2 : " fmt 211 212 static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = 213 SPECTRE_V2_NONE; 214 215 static enum spectre_v2_user_mitigation spectre_v2_user __ro_after_init = 216 SPECTRE_V2_USER_NONE; 217 218 #ifdef CONFIG_RETPOLINE 219 static bool spectre_v2_bad_module; 220 221 bool retpoline_module_ok(bool has_retpoline) 222 { 223 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline) 224 return true; 225 226 pr_err("System may be vulnerable to spectre v2\n"); 227 spectre_v2_bad_module = true; 228 return false; 229 } 230 231 static inline const char *spectre_v2_module_string(void) 232 { 233 return spectre_v2_bad_module ? " - vulnerable module loaded" : ""; 234 } 235 #else 236 static inline const char *spectre_v2_module_string(void) { return ""; } 237 #endif 238 239 static inline bool match_option(const char *arg, int arglen, const char *opt) 240 { 241 int len = strlen(opt); 242 243 return len == arglen && !strncmp(arg, opt, len); 244 } 245 246 /* The kernel command line selection for spectre v2 */ 247 enum spectre_v2_mitigation_cmd { 248 SPECTRE_V2_CMD_NONE, 249 SPECTRE_V2_CMD_AUTO, 250 SPECTRE_V2_CMD_FORCE, 251 SPECTRE_V2_CMD_RETPOLINE, 252 SPECTRE_V2_CMD_RETPOLINE_GENERIC, 253 SPECTRE_V2_CMD_RETPOLINE_AMD, 254 }; 255 256 enum spectre_v2_user_cmd { 257 SPECTRE_V2_USER_CMD_NONE, 258 SPECTRE_V2_USER_CMD_AUTO, 259 SPECTRE_V2_USER_CMD_FORCE, 260 SPECTRE_V2_USER_CMD_PRCTL, 261 SPECTRE_V2_USER_CMD_PRCTL_IBPB, 262 SPECTRE_V2_USER_CMD_SECCOMP, 263 SPECTRE_V2_USER_CMD_SECCOMP_IBPB, 264 }; 265 266 static const char * const spectre_v2_user_strings[] = { 267 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable", 268 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection", 269 [SPECTRE_V2_USER_STRICT_PREFERRED] = "User space: Mitigation: STIBP always-on protection", 270 [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl", 271 [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl", 272 }; 273 274 static const struct { 275 const char *option; 276 enum spectre_v2_user_cmd cmd; 277 bool secure; 278 } v2_user_options[] __initconst = { 279 { "auto", SPECTRE_V2_USER_CMD_AUTO, false }, 280 { "off", SPECTRE_V2_USER_CMD_NONE, false }, 281 { "on", SPECTRE_V2_USER_CMD_FORCE, true }, 282 { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false }, 283 { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false }, 284 { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false }, 285 { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false }, 286 }; 287 288 static void __init spec_v2_user_print_cond(const char *reason, bool secure) 289 { 290 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure) 291 pr_info("spectre_v2_user=%s forced on command line.\n", reason); 292 } 293 294 static enum spectre_v2_user_cmd __init 295 spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd) 296 { 297 char arg[20]; 298 int ret, i; 299 300 switch (v2_cmd) { 301 case SPECTRE_V2_CMD_NONE: 302 return SPECTRE_V2_USER_CMD_NONE; 303 case SPECTRE_V2_CMD_FORCE: 304 return SPECTRE_V2_USER_CMD_FORCE; 305 default: 306 break; 307 } 308 309 ret = cmdline_find_option(boot_command_line, "spectre_v2_user", 310 arg, sizeof(arg)); 311 if (ret < 0) 312 return SPECTRE_V2_USER_CMD_AUTO; 313 314 for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) { 315 if (match_option(arg, ret, v2_user_options[i].option)) { 316 spec_v2_user_print_cond(v2_user_options[i].option, 317 v2_user_options[i].secure); 318 return v2_user_options[i].cmd; 319 } 320 } 321 322 pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg); 323 return SPECTRE_V2_USER_CMD_AUTO; 324 } 325 326 static void __init 327 spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) 328 { 329 enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE; 330 bool smt_possible = IS_ENABLED(CONFIG_SMP); 331 enum spectre_v2_user_cmd cmd; 332 333 if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP)) 334 return; 335 336 if (cpu_smt_control == CPU_SMT_FORCE_DISABLED || 337 cpu_smt_control == CPU_SMT_NOT_SUPPORTED) 338 smt_possible = false; 339 340 cmd = spectre_v2_parse_user_cmdline(v2_cmd); 341 switch (cmd) { 342 case SPECTRE_V2_USER_CMD_NONE: 343 goto set_mode; 344 case SPECTRE_V2_USER_CMD_FORCE: 345 mode = SPECTRE_V2_USER_STRICT; 346 break; 347 case SPECTRE_V2_USER_CMD_PRCTL: 348 case SPECTRE_V2_USER_CMD_PRCTL_IBPB: 349 mode = SPECTRE_V2_USER_PRCTL; 350 break; 351 case SPECTRE_V2_USER_CMD_AUTO: 352 case SPECTRE_V2_USER_CMD_SECCOMP: 353 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB: 354 if (IS_ENABLED(CONFIG_SECCOMP)) 355 mode = SPECTRE_V2_USER_SECCOMP; 356 else 357 mode = SPECTRE_V2_USER_PRCTL; 358 break; 359 } 360 361 /* 362 * At this point, an STIBP mode other than "off" has been set. 363 * If STIBP support is not being forced, check if STIBP always-on 364 * is preferred. 365 */ 366 if (mode != SPECTRE_V2_USER_STRICT && 367 boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON)) 368 mode = SPECTRE_V2_USER_STRICT_PREFERRED; 369 370 /* Initialize Indirect Branch Prediction Barrier */ 371 if (boot_cpu_has(X86_FEATURE_IBPB)) { 372 setup_force_cpu_cap(X86_FEATURE_USE_IBPB); 373 374 switch (cmd) { 375 case SPECTRE_V2_USER_CMD_FORCE: 376 case SPECTRE_V2_USER_CMD_PRCTL_IBPB: 377 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB: 378 static_branch_enable(&switch_mm_always_ibpb); 379 break; 380 case SPECTRE_V2_USER_CMD_PRCTL: 381 case SPECTRE_V2_USER_CMD_AUTO: 382 case SPECTRE_V2_USER_CMD_SECCOMP: 383 static_branch_enable(&switch_mm_cond_ibpb); 384 break; 385 default: 386 break; 387 } 388 389 pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n", 390 static_key_enabled(&switch_mm_always_ibpb) ? 391 "always-on" : "conditional"); 392 } 393 394 /* If enhanced IBRS is enabled no STIBP required */ 395 if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) 396 return; 397 398 /* 399 * If SMT is not possible or STIBP is not available clear the STIBP 400 * mode. 401 */ 402 if (!smt_possible || !boot_cpu_has(X86_FEATURE_STIBP)) 403 mode = SPECTRE_V2_USER_NONE; 404 set_mode: 405 spectre_v2_user = mode; 406 /* Only print the STIBP mode when SMT possible */ 407 if (smt_possible) 408 pr_info("%s\n", spectre_v2_user_strings[mode]); 409 } 410 411 static const char * const spectre_v2_strings[] = { 412 [SPECTRE_V2_NONE] = "Vulnerable", 413 [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline", 414 [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline", 415 [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS", 416 }; 417 418 static const struct { 419 const char *option; 420 enum spectre_v2_mitigation_cmd cmd; 421 bool secure; 422 } mitigation_options[] __initconst = { 423 { "off", SPECTRE_V2_CMD_NONE, false }, 424 { "on", SPECTRE_V2_CMD_FORCE, true }, 425 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, 426 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false }, 427 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, 428 { "auto", SPECTRE_V2_CMD_AUTO, false }, 429 }; 430 431 static void __init spec_v2_print_cond(const char *reason, bool secure) 432 { 433 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure) 434 pr_info("%s selected on command line.\n", reason); 435 } 436 437 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) 438 { 439 enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO; 440 char arg[20]; 441 int ret, i; 442 443 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") || 444 cpu_mitigations_off()) 445 return SPECTRE_V2_CMD_NONE; 446 447 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg)); 448 if (ret < 0) 449 return SPECTRE_V2_CMD_AUTO; 450 451 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) { 452 if (!match_option(arg, ret, mitigation_options[i].option)) 453 continue; 454 cmd = mitigation_options[i].cmd; 455 break; 456 } 457 458 if (i >= ARRAY_SIZE(mitigation_options)) { 459 pr_err("unknown option (%s). Switching to AUTO select\n", arg); 460 return SPECTRE_V2_CMD_AUTO; 461 } 462 463 if ((cmd == SPECTRE_V2_CMD_RETPOLINE || 464 cmd == SPECTRE_V2_CMD_RETPOLINE_AMD || 465 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) && 466 !IS_ENABLED(CONFIG_RETPOLINE)) { 467 pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option); 468 return SPECTRE_V2_CMD_AUTO; 469 } 470 471 if (cmd == SPECTRE_V2_CMD_RETPOLINE_AMD && 472 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON && 473 boot_cpu_data.x86_vendor != X86_VENDOR_AMD) { 474 pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n"); 475 return SPECTRE_V2_CMD_AUTO; 476 } 477 478 spec_v2_print_cond(mitigation_options[i].option, 479 mitigation_options[i].secure); 480 return cmd; 481 } 482 483 static void __init spectre_v2_select_mitigation(void) 484 { 485 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); 486 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE; 487 488 /* 489 * If the CPU is not affected and the command line mode is NONE or AUTO 490 * then nothing to do. 491 */ 492 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) && 493 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO)) 494 return; 495 496 switch (cmd) { 497 case SPECTRE_V2_CMD_NONE: 498 return; 499 500 case SPECTRE_V2_CMD_FORCE: 501 case SPECTRE_V2_CMD_AUTO: 502 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { 503 mode = SPECTRE_V2_IBRS_ENHANCED; 504 /* Force it so VMEXIT will restore correctly */ 505 x86_spec_ctrl_base |= SPEC_CTRL_IBRS; 506 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); 507 goto specv2_set_mode; 508 } 509 if (IS_ENABLED(CONFIG_RETPOLINE)) 510 goto retpoline_auto; 511 break; 512 case SPECTRE_V2_CMD_RETPOLINE_AMD: 513 if (IS_ENABLED(CONFIG_RETPOLINE)) 514 goto retpoline_amd; 515 break; 516 case SPECTRE_V2_CMD_RETPOLINE_GENERIC: 517 if (IS_ENABLED(CONFIG_RETPOLINE)) 518 goto retpoline_generic; 519 break; 520 case SPECTRE_V2_CMD_RETPOLINE: 521 if (IS_ENABLED(CONFIG_RETPOLINE)) 522 goto retpoline_auto; 523 break; 524 } 525 pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!"); 526 return; 527 528 retpoline_auto: 529 if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || 530 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { 531 retpoline_amd: 532 if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { 533 pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n"); 534 goto retpoline_generic; 535 } 536 mode = SPECTRE_V2_RETPOLINE_AMD; 537 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD); 538 setup_force_cpu_cap(X86_FEATURE_RETPOLINE); 539 } else { 540 retpoline_generic: 541 mode = SPECTRE_V2_RETPOLINE_GENERIC; 542 setup_force_cpu_cap(X86_FEATURE_RETPOLINE); 543 } 544 545 specv2_set_mode: 546 spectre_v2_enabled = mode; 547 pr_info("%s\n", spectre_v2_strings[mode]); 548 549 /* 550 * If spectre v2 protection has been enabled, unconditionally fill 551 * RSB during a context switch; this protects against two independent 552 * issues: 553 * 554 * - RSB underflow (and switch to BTB) on Skylake+ 555 * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs 556 */ 557 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); 558 pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); 559 560 /* 561 * Retpoline means the kernel is safe because it has no indirect 562 * branches. Enhanced IBRS protects firmware too, so, enable restricted 563 * speculation around firmware calls only when Enhanced IBRS isn't 564 * supported. 565 * 566 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because 567 * the user might select retpoline on the kernel command line and if 568 * the CPU supports Enhanced IBRS, kernel might un-intentionally not 569 * enable IBRS around firmware calls. 570 */ 571 if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) { 572 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); 573 pr_info("Enabling Restricted Speculation for firmware calls\n"); 574 } 575 576 /* Set up IBPB and STIBP depending on the general spectre V2 command */ 577 spectre_v2_user_select_mitigation(cmd); 578 579 /* Enable STIBP if appropriate */ 580 arch_smt_update(); 581 } 582 583 static void update_stibp_msr(void * __unused) 584 { 585 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); 586 } 587 588 /* Update x86_spec_ctrl_base in case SMT state changed. */ 589 static void update_stibp_strict(void) 590 { 591 u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP; 592 593 if (sched_smt_active()) 594 mask |= SPEC_CTRL_STIBP; 595 596 if (mask == x86_spec_ctrl_base) 597 return; 598 599 pr_info("Update user space SMT mitigation: STIBP %s\n", 600 mask & SPEC_CTRL_STIBP ? "always-on" : "off"); 601 x86_spec_ctrl_base = mask; 602 on_each_cpu(update_stibp_msr, NULL, 1); 603 } 604 605 /* Update the static key controlling the evaluation of TIF_SPEC_IB */ 606 static void update_indir_branch_cond(void) 607 { 608 if (sched_smt_active()) 609 static_branch_enable(&switch_to_cond_stibp); 610 else 611 static_branch_disable(&switch_to_cond_stibp); 612 } 613 614 void arch_smt_update(void) 615 { 616 /* Enhanced IBRS implies STIBP. No update required. */ 617 if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) 618 return; 619 620 mutex_lock(&spec_ctrl_mutex); 621 622 switch (spectre_v2_user) { 623 case SPECTRE_V2_USER_NONE: 624 break; 625 case SPECTRE_V2_USER_STRICT: 626 case SPECTRE_V2_USER_STRICT_PREFERRED: 627 update_stibp_strict(); 628 break; 629 case SPECTRE_V2_USER_PRCTL: 630 case SPECTRE_V2_USER_SECCOMP: 631 update_indir_branch_cond(); 632 break; 633 } 634 635 mutex_unlock(&spec_ctrl_mutex); 636 } 637 638 #undef pr_fmt 639 #define pr_fmt(fmt) "Speculative Store Bypass: " fmt 640 641 static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE; 642 643 /* The kernel command line selection */ 644 enum ssb_mitigation_cmd { 645 SPEC_STORE_BYPASS_CMD_NONE, 646 SPEC_STORE_BYPASS_CMD_AUTO, 647 SPEC_STORE_BYPASS_CMD_ON, 648 SPEC_STORE_BYPASS_CMD_PRCTL, 649 SPEC_STORE_BYPASS_CMD_SECCOMP, 650 }; 651 652 static const char * const ssb_strings[] = { 653 [SPEC_STORE_BYPASS_NONE] = "Vulnerable", 654 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled", 655 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl", 656 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp", 657 }; 658 659 static const struct { 660 const char *option; 661 enum ssb_mitigation_cmd cmd; 662 } ssb_mitigation_options[] __initconst = { 663 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ 664 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ 665 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ 666 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */ 667 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */ 668 }; 669 670 static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) 671 { 672 enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO; 673 char arg[20]; 674 int ret, i; 675 676 if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") || 677 cpu_mitigations_off()) { 678 return SPEC_STORE_BYPASS_CMD_NONE; 679 } else { 680 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable", 681 arg, sizeof(arg)); 682 if (ret < 0) 683 return SPEC_STORE_BYPASS_CMD_AUTO; 684 685 for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) { 686 if (!match_option(arg, ret, ssb_mitigation_options[i].option)) 687 continue; 688 689 cmd = ssb_mitigation_options[i].cmd; 690 break; 691 } 692 693 if (i >= ARRAY_SIZE(ssb_mitigation_options)) { 694 pr_err("unknown option (%s). Switching to AUTO select\n", arg); 695 return SPEC_STORE_BYPASS_CMD_AUTO; 696 } 697 } 698 699 return cmd; 700 } 701 702 static enum ssb_mitigation __init __ssb_select_mitigation(void) 703 { 704 enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE; 705 enum ssb_mitigation_cmd cmd; 706 707 if (!boot_cpu_has(X86_FEATURE_SSBD)) 708 return mode; 709 710 cmd = ssb_parse_cmdline(); 711 if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) && 712 (cmd == SPEC_STORE_BYPASS_CMD_NONE || 713 cmd == SPEC_STORE_BYPASS_CMD_AUTO)) 714 return mode; 715 716 switch (cmd) { 717 case SPEC_STORE_BYPASS_CMD_AUTO: 718 case SPEC_STORE_BYPASS_CMD_SECCOMP: 719 /* 720 * Choose prctl+seccomp as the default mode if seccomp is 721 * enabled. 722 */ 723 if (IS_ENABLED(CONFIG_SECCOMP)) 724 mode = SPEC_STORE_BYPASS_SECCOMP; 725 else 726 mode = SPEC_STORE_BYPASS_PRCTL; 727 break; 728 case SPEC_STORE_BYPASS_CMD_ON: 729 mode = SPEC_STORE_BYPASS_DISABLE; 730 break; 731 case SPEC_STORE_BYPASS_CMD_PRCTL: 732 mode = SPEC_STORE_BYPASS_PRCTL; 733 break; 734 case SPEC_STORE_BYPASS_CMD_NONE: 735 break; 736 } 737 738 /* 739 * We have three CPU feature flags that are in play here: 740 * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. 741 * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass 742 * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation 743 */ 744 if (mode == SPEC_STORE_BYPASS_DISABLE) { 745 setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); 746 /* 747 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may 748 * use a completely different MSR and bit dependent on family. 749 */ 750 if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) && 751 !static_cpu_has(X86_FEATURE_AMD_SSBD)) { 752 x86_amd_ssb_disable(); 753 } else { 754 x86_spec_ctrl_base |= SPEC_CTRL_SSBD; 755 x86_spec_ctrl_mask |= SPEC_CTRL_SSBD; 756 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); 757 } 758 } 759 760 return mode; 761 } 762 763 static void ssb_select_mitigation(void) 764 { 765 ssb_mode = __ssb_select_mitigation(); 766 767 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) 768 pr_info("%s\n", ssb_strings[ssb_mode]); 769 } 770 771 #undef pr_fmt 772 #define pr_fmt(fmt) "Speculation prctl: " fmt 773 774 static void task_update_spec_tif(struct task_struct *tsk) 775 { 776 /* Force the update of the real TIF bits */ 777 set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE); 778 779 /* 780 * Immediately update the speculation control MSRs for the current 781 * task, but for a non-current task delay setting the CPU 782 * mitigation until it is scheduled next. 783 * 784 * This can only happen for SECCOMP mitigation. For PRCTL it's 785 * always the current task. 786 */ 787 if (tsk == current) 788 speculation_ctrl_update_current(); 789 } 790 791 static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) 792 { 793 if (ssb_mode != SPEC_STORE_BYPASS_PRCTL && 794 ssb_mode != SPEC_STORE_BYPASS_SECCOMP) 795 return -ENXIO; 796 797 switch (ctrl) { 798 case PR_SPEC_ENABLE: 799 /* If speculation is force disabled, enable is not allowed */ 800 if (task_spec_ssb_force_disable(task)) 801 return -EPERM; 802 task_clear_spec_ssb_disable(task); 803 task_clear_spec_ssb_noexec(task); 804 task_update_spec_tif(task); 805 break; 806 case PR_SPEC_DISABLE: 807 task_set_spec_ssb_disable(task); 808 task_clear_spec_ssb_noexec(task); 809 task_update_spec_tif(task); 810 break; 811 case PR_SPEC_FORCE_DISABLE: 812 task_set_spec_ssb_disable(task); 813 task_set_spec_ssb_force_disable(task); 814 task_clear_spec_ssb_noexec(task); 815 task_update_spec_tif(task); 816 break; 817 case PR_SPEC_DISABLE_NOEXEC: 818 if (task_spec_ssb_force_disable(task)) 819 return -EPERM; 820 task_set_spec_ssb_disable(task); 821 task_set_spec_ssb_noexec(task); 822 task_update_spec_tif(task); 823 break; 824 default: 825 return -ERANGE; 826 } 827 return 0; 828 } 829 830 static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) 831 { 832 switch (ctrl) { 833 case PR_SPEC_ENABLE: 834 if (spectre_v2_user == SPECTRE_V2_USER_NONE) 835 return 0; 836 /* 837 * Indirect branch speculation is always disabled in strict 838 * mode. 839 */ 840 if (spectre_v2_user == SPECTRE_V2_USER_STRICT || 841 spectre_v2_user == SPECTRE_V2_USER_STRICT_PREFERRED) 842 return -EPERM; 843 task_clear_spec_ib_disable(task); 844 task_update_spec_tif(task); 845 break; 846 case PR_SPEC_DISABLE: 847 case PR_SPEC_FORCE_DISABLE: 848 /* 849 * Indirect branch speculation is always allowed when 850 * mitigation is force disabled. 851 */ 852 if (spectre_v2_user == SPECTRE_V2_USER_NONE) 853 return -EPERM; 854 if (spectre_v2_user == SPECTRE_V2_USER_STRICT || 855 spectre_v2_user == SPECTRE_V2_USER_STRICT_PREFERRED) 856 return 0; 857 task_set_spec_ib_disable(task); 858 if (ctrl == PR_SPEC_FORCE_DISABLE) 859 task_set_spec_ib_force_disable(task); 860 task_update_spec_tif(task); 861 break; 862 default: 863 return -ERANGE; 864 } 865 return 0; 866 } 867 868 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, 869 unsigned long ctrl) 870 { 871 switch (which) { 872 case PR_SPEC_STORE_BYPASS: 873 return ssb_prctl_set(task, ctrl); 874 case PR_SPEC_INDIRECT_BRANCH: 875 return ib_prctl_set(task, ctrl); 876 default: 877 return -ENODEV; 878 } 879 } 880 881 #ifdef CONFIG_SECCOMP 882 void arch_seccomp_spec_mitigate(struct task_struct *task) 883 { 884 if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP) 885 ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); 886 if (spectre_v2_user == SPECTRE_V2_USER_SECCOMP) 887 ib_prctl_set(task, PR_SPEC_FORCE_DISABLE); 888 } 889 #endif 890 891 static int ssb_prctl_get(struct task_struct *task) 892 { 893 switch (ssb_mode) { 894 case SPEC_STORE_BYPASS_DISABLE: 895 return PR_SPEC_DISABLE; 896 case SPEC_STORE_BYPASS_SECCOMP: 897 case SPEC_STORE_BYPASS_PRCTL: 898 if (task_spec_ssb_force_disable(task)) 899 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; 900 if (task_spec_ssb_noexec(task)) 901 return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC; 902 if (task_spec_ssb_disable(task)) 903 return PR_SPEC_PRCTL | PR_SPEC_DISABLE; 904 return PR_SPEC_PRCTL | PR_SPEC_ENABLE; 905 default: 906 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) 907 return PR_SPEC_ENABLE; 908 return PR_SPEC_NOT_AFFECTED; 909 } 910 } 911 912 static int ib_prctl_get(struct task_struct *task) 913 { 914 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) 915 return PR_SPEC_NOT_AFFECTED; 916 917 switch (spectre_v2_user) { 918 case SPECTRE_V2_USER_NONE: 919 return PR_SPEC_ENABLE; 920 case SPECTRE_V2_USER_PRCTL: 921 case SPECTRE_V2_USER_SECCOMP: 922 if (task_spec_ib_force_disable(task)) 923 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; 924 if (task_spec_ib_disable(task)) 925 return PR_SPEC_PRCTL | PR_SPEC_DISABLE; 926 return PR_SPEC_PRCTL | PR_SPEC_ENABLE; 927 case SPECTRE_V2_USER_STRICT: 928 case SPECTRE_V2_USER_STRICT_PREFERRED: 929 return PR_SPEC_DISABLE; 930 default: 931 return PR_SPEC_NOT_AFFECTED; 932 } 933 } 934 935 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) 936 { 937 switch (which) { 938 case PR_SPEC_STORE_BYPASS: 939 return ssb_prctl_get(task); 940 case PR_SPEC_INDIRECT_BRANCH: 941 return ib_prctl_get(task); 942 default: 943 return -ENODEV; 944 } 945 } 946 947 void x86_spec_ctrl_setup_ap(void) 948 { 949 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) 950 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); 951 952 if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) 953 x86_amd_ssb_disable(); 954 } 955 956 #undef pr_fmt 957 #define pr_fmt(fmt) "L1TF: " fmt 958 959 /* Default mitigation for L1TF-affected CPUs */ 960 enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH; 961 #if IS_ENABLED(CONFIG_KVM_INTEL) 962 EXPORT_SYMBOL_GPL(l1tf_mitigation); 963 #endif 964 enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO; 965 EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation); 966 967 /* 968 * These CPUs all support 44bits physical address space internally in the 969 * cache but CPUID can report a smaller number of physical address bits. 970 * 971 * The L1TF mitigation uses the top most address bit for the inversion of 972 * non present PTEs. When the installed memory reaches into the top most 973 * address bit due to memory holes, which has been observed on machines 974 * which report 36bits physical address bits and have 32G RAM installed, 975 * then the mitigation range check in l1tf_select_mitigation() triggers. 976 * This is a false positive because the mitigation is still possible due to 977 * the fact that the cache uses 44bit internally. Use the cache bits 978 * instead of the reported physical bits and adjust them on the affected 979 * machines to 44bit if the reported bits are less than 44. 980 */ 981 static void override_cache_bits(struct cpuinfo_x86 *c) 982 { 983 if (c->x86 != 6) 984 return; 985 986 switch (c->x86_model) { 987 case INTEL_FAM6_NEHALEM: 988 case INTEL_FAM6_WESTMERE: 989 case INTEL_FAM6_SANDYBRIDGE: 990 case INTEL_FAM6_IVYBRIDGE: 991 case INTEL_FAM6_HASWELL_CORE: 992 case INTEL_FAM6_HASWELL_ULT: 993 case INTEL_FAM6_HASWELL_GT3E: 994 case INTEL_FAM6_BROADWELL_CORE: 995 case INTEL_FAM6_BROADWELL_GT3E: 996 case INTEL_FAM6_SKYLAKE_MOBILE: 997 case INTEL_FAM6_SKYLAKE_DESKTOP: 998 case INTEL_FAM6_KABYLAKE_MOBILE: 999 case INTEL_FAM6_KABYLAKE_DESKTOP: 1000 if (c->x86_cache_bits < 44) 1001 c->x86_cache_bits = 44; 1002 break; 1003 } 1004 } 1005 1006 static void __init l1tf_select_mitigation(void) 1007 { 1008 u64 half_pa; 1009 1010 if (!boot_cpu_has_bug(X86_BUG_L1TF)) 1011 return; 1012 1013 if (cpu_mitigations_off()) 1014 l1tf_mitigation = L1TF_MITIGATION_OFF; 1015 else if (cpu_mitigations_auto_nosmt()) 1016 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT; 1017 1018 override_cache_bits(&boot_cpu_data); 1019 1020 switch (l1tf_mitigation) { 1021 case L1TF_MITIGATION_OFF: 1022 case L1TF_MITIGATION_FLUSH_NOWARN: 1023 case L1TF_MITIGATION_FLUSH: 1024 break; 1025 case L1TF_MITIGATION_FLUSH_NOSMT: 1026 case L1TF_MITIGATION_FULL: 1027 cpu_smt_disable(false); 1028 break; 1029 case L1TF_MITIGATION_FULL_FORCE: 1030 cpu_smt_disable(true); 1031 break; 1032 } 1033 1034 #if CONFIG_PGTABLE_LEVELS == 2 1035 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n"); 1036 return; 1037 #endif 1038 1039 half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT; 1040 if (l1tf_mitigation != L1TF_MITIGATION_OFF && 1041 e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) { 1042 pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n"); 1043 pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n", 1044 half_pa); 1045 pr_info("However, doing so will make a part of your RAM unusable.\n"); 1046 pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html might help you decide.\n"); 1047 return; 1048 } 1049 1050 setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV); 1051 } 1052 1053 static int __init l1tf_cmdline(char *str) 1054 { 1055 if (!boot_cpu_has_bug(X86_BUG_L1TF)) 1056 return 0; 1057 1058 if (!str) 1059 return -EINVAL; 1060 1061 if (!strcmp(str, "off")) 1062 l1tf_mitigation = L1TF_MITIGATION_OFF; 1063 else if (!strcmp(str, "flush,nowarn")) 1064 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN; 1065 else if (!strcmp(str, "flush")) 1066 l1tf_mitigation = L1TF_MITIGATION_FLUSH; 1067 else if (!strcmp(str, "flush,nosmt")) 1068 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT; 1069 else if (!strcmp(str, "full")) 1070 l1tf_mitigation = L1TF_MITIGATION_FULL; 1071 else if (!strcmp(str, "full,force")) 1072 l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE; 1073 1074 return 0; 1075 } 1076 early_param("l1tf", l1tf_cmdline); 1077 1078 #undef pr_fmt 1079 1080 #ifdef CONFIG_SYSFS 1081 1082 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion" 1083 1084 #if IS_ENABLED(CONFIG_KVM_INTEL) 1085 static const char * const l1tf_vmx_states[] = { 1086 [VMENTER_L1D_FLUSH_AUTO] = "auto", 1087 [VMENTER_L1D_FLUSH_NEVER] = "vulnerable", 1088 [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes", 1089 [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes", 1090 [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled", 1091 [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary" 1092 }; 1093 1094 static ssize_t l1tf_show_state(char *buf) 1095 { 1096 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO) 1097 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG); 1098 1099 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED || 1100 (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER && 1101 sched_smt_active())) { 1102 return sprintf(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG, 1103 l1tf_vmx_states[l1tf_vmx_mitigation]); 1104 } 1105 1106 return sprintf(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG, 1107 l1tf_vmx_states[l1tf_vmx_mitigation], 1108 sched_smt_active() ? "vulnerable" : "disabled"); 1109 } 1110 #else 1111 static ssize_t l1tf_show_state(char *buf) 1112 { 1113 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG); 1114 } 1115 #endif 1116 1117 static char *stibp_state(void) 1118 { 1119 if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) 1120 return ""; 1121 1122 switch (spectre_v2_user) { 1123 case SPECTRE_V2_USER_NONE: 1124 return ", STIBP: disabled"; 1125 case SPECTRE_V2_USER_STRICT: 1126 return ", STIBP: forced"; 1127 case SPECTRE_V2_USER_STRICT_PREFERRED: 1128 return ", STIBP: always-on"; 1129 case SPECTRE_V2_USER_PRCTL: 1130 case SPECTRE_V2_USER_SECCOMP: 1131 if (static_key_enabled(&switch_to_cond_stibp)) 1132 return ", STIBP: conditional"; 1133 } 1134 return ""; 1135 } 1136 1137 static char *ibpb_state(void) 1138 { 1139 if (boot_cpu_has(X86_FEATURE_IBPB)) { 1140 if (static_key_enabled(&switch_mm_always_ibpb)) 1141 return ", IBPB: always-on"; 1142 if (static_key_enabled(&switch_mm_cond_ibpb)) 1143 return ", IBPB: conditional"; 1144 return ", IBPB: disabled"; 1145 } 1146 return ""; 1147 } 1148 1149 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, 1150 char *buf, unsigned int bug) 1151 { 1152 if (!boot_cpu_has_bug(bug)) 1153 return sprintf(buf, "Not affected\n"); 1154 1155 switch (bug) { 1156 case X86_BUG_CPU_MELTDOWN: 1157 if (boot_cpu_has(X86_FEATURE_PTI)) 1158 return sprintf(buf, "Mitigation: PTI\n"); 1159 1160 if (hypervisor_is_type(X86_HYPER_XEN_PV)) 1161 return sprintf(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n"); 1162 1163 break; 1164 1165 case X86_BUG_SPECTRE_V1: 1166 return sprintf(buf, "Mitigation: __user pointer sanitization\n"); 1167 1168 case X86_BUG_SPECTRE_V2: 1169 return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], 1170 ibpb_state(), 1171 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", 1172 stibp_state(), 1173 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", 1174 spectre_v2_module_string()); 1175 1176 case X86_BUG_SPEC_STORE_BYPASS: 1177 return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); 1178 1179 case X86_BUG_L1TF: 1180 if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV)) 1181 return l1tf_show_state(buf); 1182 break; 1183 default: 1184 break; 1185 } 1186 1187 return sprintf(buf, "Vulnerable\n"); 1188 } 1189 1190 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) 1191 { 1192 return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN); 1193 } 1194 1195 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) 1196 { 1197 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1); 1198 } 1199 1200 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) 1201 { 1202 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2); 1203 } 1204 1205 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf) 1206 { 1207 return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS); 1208 } 1209 1210 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf) 1211 { 1212 return cpu_show_common(dev, attr, buf, X86_BUG_L1TF); 1213 } 1214 #endif 1215