Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
1353ebb4 | 2 | /* |
1353ebb4 JF |
3 | * Copyright (C) 1994 Linus Torvalds |
4 | * | |
5 | * Cyrix stuff, June 1998 by: | |
6 | * - Rafael R. Reilova (moved everything from head.S), | |
7 | * <rreilova@ececs.uc.edu> | |
8 | * - Channing Corn (tests & fixes), | |
9 | * - Andrew D. Balsa (code cleanup). | |
10 | */ | |
11 | #include <linux/init.h> | |
12 | #include <linux/utsname.h> | |
61dc0f55 | 13 | #include <linux/cpu.h> |
caf7501a | 14 | #include <linux/module.h> |
a73ec77e TG |
15 | #include <linux/nospec.h> |
16 | #include <linux/prctl.h> | |
a74cfffb | 17 | #include <linux/sched/smt.h> |
da285121 | 18 | |
28a27752 | 19 | #include <asm/spec-ctrl.h> |
da285121 | 20 | #include <asm/cmdline.h> |
91eb1b79 | 21 | #include <asm/bugs.h> |
1353ebb4 | 22 | #include <asm/processor.h> |
7ebad705 | 23 | #include <asm/processor-flags.h> |
952f07ec | 24 | #include <asm/fpu/internal.h> |
1353ebb4 | 25 | #include <asm/msr.h> |
72c6d2db | 26 | #include <asm/vmx.h> |
1353ebb4 JF |
27 | #include <asm/paravirt.h> |
28 | #include <asm/alternative.h> | |
62a67e12 | 29 | #include <asm/pgtable.h> |
d1163651 | 30 | #include <asm/set_memory.h> |
c995efd5 | 31 | #include <asm/intel-family.h> |
17dbca11 | 32 | #include <asm/e820/api.h> |
6cb2b08f | 33 | #include <asm/hypervisor.h> |
1353ebb4 | 34 | |
da285121 | 35 | static void __init spectre_v2_select_mitigation(void); |
24f7fc83 | 36 | static void __init ssb_select_mitigation(void); |
17dbca11 | 37 | static void __init l1tf_select_mitigation(void); |
da285121 | 38 | |
53c613fe JK |
39 | /* The base value of the SPEC_CTRL MSR that always has to be preserved. */ |
40 | u64 x86_spec_ctrl_base; | |
fa8ac498 | 41 | EXPORT_SYMBOL_GPL(x86_spec_ctrl_base); |
53c613fe | 42 | static DEFINE_MUTEX(spec_ctrl_mutex); |
1b86883c | 43 | |
1115a859 KRW |
44 | /* |
45 | * The vendor and possibly platform specific bits which can be modified in | |
46 | * x86_spec_ctrl_base. | |
47 | */ | |
be6fcb54 | 48 | static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS; |
1115a859 | 49 | |
764f3c21 KRW |
50 | /* |
51 | * AMD specific MSR info for Speculative Store Bypass control. | |
9f65fb29 | 52 | * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu(). |
764f3c21 KRW |
53 | */ |
54 | u64 __ro_after_init x86_amd_ls_cfg_base; | |
9f65fb29 | 55 | u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask; |
764f3c21 | 56 | |
fa1202ef TG |
57 | /* Control conditional STIPB in switch_to() */ |
58 | DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp); | |
4c71a2b6 TG |
59 | /* Control conditional IBPB in switch_mm() */ |
60 | DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb); | |
61 | /* Control unconditional IBPB in switch_mm() */ | |
62 | DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb); | |
fa1202ef | 63 | |
1353ebb4 JF |
64 | void __init check_bugs(void) |
65 | { | |
66 | identify_boot_cpu(); | |
55a36b65 | 67 | |
fee0aede TG |
68 | /* |
69 | * identify_boot_cpu() initialized SMT support information, let the | |
70 | * core code know. | |
71 | */ | |
bc2d8d26 | 72 | cpu_smt_check_topology_early(); |
fee0aede | 73 | |
62a67e12 BP |
74 | if (!IS_ENABLED(CONFIG_SMP)) { |
75 | pr_info("CPU: "); | |
76 | print_cpu_info(&boot_cpu_data); | |
77 | } | |
78 | ||
1b86883c KRW |
79 | /* |
80 | * Read the SPEC_CTRL MSR to account for reserved bits which may | |
764f3c21 KRW |
81 | * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD |
82 | * init code as it is not enumerated and depends on the family. | |
1b86883c | 83 | */ |
7eb8956a | 84 | if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
1b86883c KRW |
85 | rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
86 | ||
be6fcb54 TG |
87 | /* Allow STIBP in MSR_SPEC_CTRL if supported */ |
88 | if (boot_cpu_has(X86_FEATURE_STIBP)) | |
89 | x86_spec_ctrl_mask |= SPEC_CTRL_STIBP; | |
90 | ||
da285121 DW |
91 | /* Select the proper spectre mitigation before patching alternatives */ |
92 | spectre_v2_select_mitigation(); | |
93 | ||
24f7fc83 KRW |
94 | /* |
95 | * Select proper mitigation for any exposure to the Speculative Store | |
96 | * Bypass vulnerability. | |
97 | */ | |
98 | ssb_select_mitigation(); | |
99 | ||
17dbca11 AK |
100 | l1tf_select_mitigation(); |
101 | ||
62a67e12 | 102 | #ifdef CONFIG_X86_32 |
55a36b65 BP |
103 | /* |
104 | * Check whether we are able to run this kernel safely on SMP. | |
105 | * | |
106 | * - i386 is no longer supported. | |
107 | * - In order to run on anything without a TSC, we need to be | |
108 | * compiled for a i486. | |
109 | */ | |
110 | if (boot_cpu_data.x86 < 4) | |
111 | panic("Kernel requires i486+ for 'invlpg' and other features"); | |
112 | ||
bfe4bb15 MV |
113 | init_utsname()->machine[1] = |
114 | '0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86); | |
1353ebb4 | 115 | alternative_instructions(); |
304bceda | 116 | |
4d164092 | 117 | fpu__init_check_bugs(); |
62a67e12 BP |
118 | #else /* CONFIG_X86_64 */ |
119 | alternative_instructions(); | |
120 | ||
121 | /* | |
122 | * Make sure the first 2MB area is not mapped by huge pages | |
123 | * There are typically fixed size MTRRs in there and overlapping | |
124 | * MTRRs into large pages causes slow downs. | |
125 | * | |
126 | * Right now we don't do that with gbpages because there seems | |
127 | * very little benefit for that case. | |
128 | */ | |
129 | if (!direct_gbpages) | |
130 | set_memory_4k((unsigned long)__va(0), 1); | |
131 | #endif | |
1353ebb4 | 132 | } |
61dc0f55 | 133 | |
cc69b349 BP |
134 | void |
135 | x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest) | |
5cf68754 | 136 | { |
be6fcb54 | 137 | u64 msrval, guestval, hostval = x86_spec_ctrl_base; |
cc69b349 | 138 | struct thread_info *ti = current_thread_info(); |
885f82bf | 139 | |
7eb8956a | 140 | /* Is MSR_SPEC_CTRL implemented ? */ |
cc69b349 | 141 | if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) { |
be6fcb54 TG |
142 | /* |
143 | * Restrict guest_spec_ctrl to supported values. Clear the | |
144 | * modifiable bits in the host base value and or the | |
145 | * modifiable bits from the guest value. | |
146 | */ | |
147 | guestval = hostval & ~x86_spec_ctrl_mask; | |
148 | guestval |= guest_spec_ctrl & x86_spec_ctrl_mask; | |
149 | ||
cc69b349 | 150 | /* SSBD controlled in MSR_SPEC_CTRL */ |
612bc3b3 TL |
151 | if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) || |
152 | static_cpu_has(X86_FEATURE_AMD_SSBD)) | |
be6fcb54 | 153 | hostval |= ssbd_tif_to_spec_ctrl(ti->flags); |
cc69b349 | 154 | |
5bfbe3ad TC |
155 | /* Conditional STIBP enabled? */ |
156 | if (static_branch_unlikely(&switch_to_cond_stibp)) | |
157 | hostval |= stibp_tif_to_spec_ctrl(ti->flags); | |
158 | ||
be6fcb54 TG |
159 | if (hostval != guestval) { |
160 | msrval = setguest ? guestval : hostval; | |
161 | wrmsrl(MSR_IA32_SPEC_CTRL, msrval); | |
cc69b349 BP |
162 | } |
163 | } | |
47c61b39 TG |
164 | |
165 | /* | |
166 | * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update | |
167 | * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported. | |
168 | */ | |
169 | if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) && | |
170 | !static_cpu_has(X86_FEATURE_VIRT_SSBD)) | |
171 | return; | |
172 | ||
173 | /* | |
174 | * If the host has SSBD mitigation enabled, force it in the host's | |
175 | * virtual MSR value. If its not permanently enabled, evaluate | |
176 | * current's TIF_SSBD thread flag. | |
177 | */ | |
178 | if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE)) | |
179 | hostval = SPEC_CTRL_SSBD; | |
180 | else | |
181 | hostval = ssbd_tif_to_spec_ctrl(ti->flags); | |
182 | ||
183 | /* Sanitize the guest value */ | |
184 | guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD; | |
185 | ||
186 | if (hostval != guestval) { | |
187 | unsigned long tif; | |
188 | ||
189 | tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) : | |
190 | ssbd_spec_ctrl_to_tif(hostval); | |
191 | ||
26c4d75b | 192 | speculation_ctrl_update(tif); |
47c61b39 | 193 | } |
5cf68754 | 194 | } |
cc69b349 | 195 | EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl); |
5cf68754 | 196 | |
9f65fb29 | 197 | static void x86_amd_ssb_disable(void) |
764f3c21 | 198 | { |
9f65fb29 | 199 | u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask; |
764f3c21 | 200 | |
11fb0683 TL |
201 | if (boot_cpu_has(X86_FEATURE_VIRT_SSBD)) |
202 | wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD); | |
203 | else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD)) | |
764f3c21 KRW |
204 | wrmsrl(MSR_AMD64_LS_CFG, msrval); |
205 | } | |
206 | ||
15d6b7aa TG |
207 | #undef pr_fmt |
208 | #define pr_fmt(fmt) "Spectre V2 : " fmt | |
209 | ||
210 | static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = | |
211 | SPECTRE_V2_NONE; | |
212 | ||
fa1202ef TG |
213 | static enum spectre_v2_user_mitigation spectre_v2_user __ro_after_init = |
214 | SPECTRE_V2_USER_NONE; | |
215 | ||
caf7501a | 216 | #ifdef RETPOLINE |
e383095c TG |
217 | static bool spectre_v2_bad_module; |
218 | ||
caf7501a AK |
219 | bool retpoline_module_ok(bool has_retpoline) |
220 | { | |
221 | if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline) | |
222 | return true; | |
223 | ||
e698dcdf | 224 | pr_err("System may be vulnerable to spectre v2\n"); |
caf7501a AK |
225 | spectre_v2_bad_module = true; |
226 | return false; | |
227 | } | |
e383095c TG |
228 | |
229 | static inline const char *spectre_v2_module_string(void) | |
230 | { | |
231 | return spectre_v2_bad_module ? " - vulnerable module loaded" : ""; | |
232 | } | |
233 | #else | |
234 | static inline const char *spectre_v2_module_string(void) { return ""; } | |
caf7501a | 235 | #endif |
da285121 | 236 | |
da285121 DW |
237 | static inline bool match_option(const char *arg, int arglen, const char *opt) |
238 | { | |
239 | int len = strlen(opt); | |
240 | ||
241 | return len == arglen && !strncmp(arg, opt, len); | |
242 | } | |
243 | ||
15d6b7aa TG |
244 | /* The kernel command line selection for spectre v2 */ |
245 | enum spectre_v2_mitigation_cmd { | |
246 | SPECTRE_V2_CMD_NONE, | |
247 | SPECTRE_V2_CMD_AUTO, | |
248 | SPECTRE_V2_CMD_FORCE, | |
249 | SPECTRE_V2_CMD_RETPOLINE, | |
250 | SPECTRE_V2_CMD_RETPOLINE_GENERIC, | |
251 | SPECTRE_V2_CMD_RETPOLINE_AMD, | |
252 | }; | |
253 | ||
fa1202ef TG |
254 | enum spectre_v2_user_cmd { |
255 | SPECTRE_V2_USER_CMD_NONE, | |
256 | SPECTRE_V2_USER_CMD_AUTO, | |
257 | SPECTRE_V2_USER_CMD_FORCE, | |
258 | }; | |
259 | ||
260 | static const char * const spectre_v2_user_strings[] = { | |
261 | [SPECTRE_V2_USER_NONE] = "User space: Vulnerable", | |
262 | [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection", | |
263 | }; | |
264 | ||
265 | static const struct { | |
266 | const char *option; | |
267 | enum spectre_v2_user_cmd cmd; | |
268 | bool secure; | |
269 | } v2_user_options[] __initdata = { | |
270 | { "auto", SPECTRE_V2_USER_CMD_AUTO, false }, | |
271 | { "off", SPECTRE_V2_USER_CMD_NONE, false }, | |
272 | { "on", SPECTRE_V2_USER_CMD_FORCE, true }, | |
273 | }; | |
274 | ||
275 | static void __init spec_v2_user_print_cond(const char *reason, bool secure) | |
276 | { | |
277 | if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure) | |
278 | pr_info("spectre_v2_user=%s forced on command line.\n", reason); | |
279 | } | |
280 | ||
281 | static enum spectre_v2_user_cmd __init | |
282 | spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd) | |
283 | { | |
284 | char arg[20]; | |
285 | int ret, i; | |
286 | ||
287 | switch (v2_cmd) { | |
288 | case SPECTRE_V2_CMD_NONE: | |
289 | return SPECTRE_V2_USER_CMD_NONE; | |
290 | case SPECTRE_V2_CMD_FORCE: | |
291 | return SPECTRE_V2_USER_CMD_FORCE; | |
292 | default: | |
293 | break; | |
294 | } | |
295 | ||
296 | ret = cmdline_find_option(boot_command_line, "spectre_v2_user", | |
297 | arg, sizeof(arg)); | |
298 | if (ret < 0) | |
299 | return SPECTRE_V2_USER_CMD_AUTO; | |
300 | ||
301 | for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) { | |
302 | if (match_option(arg, ret, v2_user_options[i].option)) { | |
303 | spec_v2_user_print_cond(v2_user_options[i].option, | |
304 | v2_user_options[i].secure); | |
305 | return v2_user_options[i].cmd; | |
306 | } | |
307 | } | |
308 | ||
309 | pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg); | |
310 | return SPECTRE_V2_USER_CMD_AUTO; | |
311 | } | |
312 | ||
313 | static void __init | |
314 | spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) | |
315 | { | |
316 | enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE; | |
317 | bool smt_possible = IS_ENABLED(CONFIG_SMP); | |
318 | ||
319 | if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP)) | |
320 | return; | |
321 | ||
322 | if (cpu_smt_control == CPU_SMT_FORCE_DISABLED || | |
323 | cpu_smt_control == CPU_SMT_NOT_SUPPORTED) | |
324 | smt_possible = false; | |
325 | ||
326 | switch (spectre_v2_parse_user_cmdline(v2_cmd)) { | |
327 | case SPECTRE_V2_USER_CMD_AUTO: | |
328 | case SPECTRE_V2_USER_CMD_NONE: | |
329 | goto set_mode; | |
330 | case SPECTRE_V2_USER_CMD_FORCE: | |
331 | mode = SPECTRE_V2_USER_STRICT; | |
332 | break; | |
333 | } | |
334 | ||
335 | /* Initialize Indirect Branch Prediction Barrier */ | |
336 | if (boot_cpu_has(X86_FEATURE_IBPB)) { | |
337 | setup_force_cpu_cap(X86_FEATURE_USE_IBPB); | |
4c71a2b6 TG |
338 | |
339 | switch (mode) { | |
340 | case SPECTRE_V2_USER_STRICT: | |
341 | static_branch_enable(&switch_mm_always_ibpb); | |
342 | break; | |
343 | default: | |
344 | break; | |
345 | } | |
346 | ||
347 | pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n", | |
348 | mode == SPECTRE_V2_USER_STRICT ? "always-on" : "conditional"); | |
fa1202ef TG |
349 | } |
350 | ||
351 | /* If enhanced IBRS is enabled no STIPB required */ | |
352 | if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) | |
353 | return; | |
354 | ||
355 | set_mode: | |
356 | spectre_v2_user = mode; | |
357 | /* Only print the STIBP mode when SMT possible */ | |
358 | if (smt_possible) | |
359 | pr_info("%s\n", spectre_v2_user_strings[mode]); | |
360 | } | |
361 | ||
8770709f | 362 | static const char * const spectre_v2_strings[] = { |
15d6b7aa TG |
363 | [SPECTRE_V2_NONE] = "Vulnerable", |
364 | [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline", | |
365 | [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline", | |
366 | [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS", | |
367 | }; | |
368 | ||
9005c683 KA |
369 | static const struct { |
370 | const char *option; | |
371 | enum spectre_v2_mitigation_cmd cmd; | |
372 | bool secure; | |
30ba72a9 | 373 | } mitigation_options[] __initdata = { |
15d6b7aa TG |
374 | { "off", SPECTRE_V2_CMD_NONE, false }, |
375 | { "on", SPECTRE_V2_CMD_FORCE, true }, | |
376 | { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, | |
377 | { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false }, | |
378 | { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false }, | |
379 | { "auto", SPECTRE_V2_CMD_AUTO, false }, | |
9005c683 KA |
380 | }; |
381 | ||
495d470e | 382 | static void __init spec_v2_print_cond(const char *reason, bool secure) |
15d6b7aa | 383 | { |
495d470e | 384 | if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure) |
15d6b7aa TG |
385 | pr_info("%s selected on command line.\n", reason); |
386 | } | |
387 | ||
da285121 DW |
388 | static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) |
389 | { | |
15d6b7aa | 390 | enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO; |
da285121 | 391 | char arg[20]; |
9005c683 | 392 | int ret, i; |
9005c683 KA |
393 | |
394 | if (cmdline_find_option_bool(boot_command_line, "nospectre_v2")) | |
395 | return SPECTRE_V2_CMD_NONE; | |
9005c683 | 396 | |
24848509 TC |
397 | ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg)); |
398 | if (ret < 0) | |
399 | return SPECTRE_V2_CMD_AUTO; | |
400 | ||
401 | for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) { | |
402 | if (!match_option(arg, ret, mitigation_options[i].option)) | |
403 | continue; | |
404 | cmd = mitigation_options[i].cmd; | |
405 | break; | |
406 | } | |
407 | ||
408 | if (i >= ARRAY_SIZE(mitigation_options)) { | |
409 | pr_err("unknown option (%s). Switching to AUTO select\n", arg); | |
410 | return SPECTRE_V2_CMD_AUTO; | |
da285121 DW |
411 | } |
412 | ||
9005c683 KA |
413 | if ((cmd == SPECTRE_V2_CMD_RETPOLINE || |
414 | cmd == SPECTRE_V2_CMD_RETPOLINE_AMD || | |
415 | cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) && | |
416 | !IS_ENABLED(CONFIG_RETPOLINE)) { | |
21e433bd | 417 | pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option); |
da285121 | 418 | return SPECTRE_V2_CMD_AUTO; |
9005c683 KA |
419 | } |
420 | ||
421 | if (cmd == SPECTRE_V2_CMD_RETPOLINE_AMD && | |
1a576b23 | 422 | boot_cpu_data.x86_vendor != X86_VENDOR_HYGON && |
9005c683 KA |
423 | boot_cpu_data.x86_vendor != X86_VENDOR_AMD) { |
424 | pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n"); | |
425 | return SPECTRE_V2_CMD_AUTO; | |
426 | } | |
427 | ||
495d470e TG |
428 | spec_v2_print_cond(mitigation_options[i].option, |
429 | mitigation_options[i].secure); | |
9005c683 | 430 | return cmd; |
da285121 DW |
431 | } |
432 | ||
433 | static void __init spectre_v2_select_mitigation(void) | |
434 | { | |
435 | enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline(); | |
436 | enum spectre_v2_mitigation mode = SPECTRE_V2_NONE; | |
437 | ||
438 | /* | |
439 | * If the CPU is not affected and the command line mode is NONE or AUTO | |
440 | * then nothing to do. | |
441 | */ | |
442 | if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) && | |
443 | (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO)) | |
444 | return; | |
445 | ||
446 | switch (cmd) { | |
447 | case SPECTRE_V2_CMD_NONE: | |
448 | return; | |
449 | ||
450 | case SPECTRE_V2_CMD_FORCE: | |
da285121 | 451 | case SPECTRE_V2_CMD_AUTO: |
706d5168 SP |
452 | if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) { |
453 | mode = SPECTRE_V2_IBRS_ENHANCED; | |
454 | /* Force it so VMEXIT will restore correctly */ | |
455 | x86_spec_ctrl_base |= SPEC_CTRL_IBRS; | |
456 | wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); | |
457 | goto specv2_set_mode; | |
458 | } | |
9471eee9 DL |
459 | if (IS_ENABLED(CONFIG_RETPOLINE)) |
460 | goto retpoline_auto; | |
461 | break; | |
da285121 DW |
462 | case SPECTRE_V2_CMD_RETPOLINE_AMD: |
463 | if (IS_ENABLED(CONFIG_RETPOLINE)) | |
464 | goto retpoline_amd; | |
465 | break; | |
466 | case SPECTRE_V2_CMD_RETPOLINE_GENERIC: | |
467 | if (IS_ENABLED(CONFIG_RETPOLINE)) | |
468 | goto retpoline_generic; | |
469 | break; | |
470 | case SPECTRE_V2_CMD_RETPOLINE: | |
471 | if (IS_ENABLED(CONFIG_RETPOLINE)) | |
472 | goto retpoline_auto; | |
473 | break; | |
474 | } | |
21e433bd | 475 | pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!"); |
da285121 DW |
476 | return; |
477 | ||
478 | retpoline_auto: | |
1a576b23 PW |
479 | if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || |
480 | boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) { | |
da285121 DW |
481 | retpoline_amd: |
482 | if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) { | |
21e433bd | 483 | pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n"); |
da285121 DW |
484 | goto retpoline_generic; |
485 | } | |
ef014aae | 486 | mode = SPECTRE_V2_RETPOLINE_AMD; |
da285121 DW |
487 | setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD); |
488 | setup_force_cpu_cap(X86_FEATURE_RETPOLINE); | |
489 | } else { | |
490 | retpoline_generic: | |
ef014aae | 491 | mode = SPECTRE_V2_RETPOLINE_GENERIC; |
da285121 DW |
492 | setup_force_cpu_cap(X86_FEATURE_RETPOLINE); |
493 | } | |
494 | ||
706d5168 | 495 | specv2_set_mode: |
da285121 DW |
496 | spectre_v2_enabled = mode; |
497 | pr_info("%s\n", spectre_v2_strings[mode]); | |
c995efd5 DW |
498 | |
499 | /* | |
fdf82a78 JK |
500 | * If spectre v2 protection has been enabled, unconditionally fill |
501 | * RSB during a context switch; this protects against two independent | |
502 | * issues: | |
c995efd5 | 503 | * |
fdf82a78 JK |
504 | * - RSB underflow (and switch to BTB) on Skylake+ |
505 | * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs | |
c995efd5 | 506 | */ |
fdf82a78 JK |
507 | setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); |
508 | pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); | |
20ffa1ca | 509 | |
dd84441a DW |
510 | /* |
511 | * Retpoline means the kernel is safe because it has no indirect | |
706d5168 SP |
512 | * branches. Enhanced IBRS protects firmware too, so, enable restricted |
513 | * speculation around firmware calls only when Enhanced IBRS isn't | |
514 | * supported. | |
515 | * | |
516 | * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because | |
517 | * the user might select retpoline on the kernel command line and if | |
518 | * the CPU supports Enhanced IBRS, kernel might un-intentionally not | |
519 | * enable IBRS around firmware calls. | |
dd84441a | 520 | */ |
706d5168 | 521 | if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) { |
dd84441a DW |
522 | setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW); |
523 | pr_info("Enabling Restricted Speculation for firmware calls\n"); | |
524 | } | |
53c613fe | 525 | |
fa1202ef TG |
526 | /* Set up IBPB and STIBP depending on the general spectre V2 command */ |
527 | spectre_v2_user_select_mitigation(cmd); | |
528 | ||
53c613fe JK |
529 | /* Enable STIBP if appropriate */ |
530 | arch_smt_update(); | |
da285121 DW |
531 | } |
532 | ||
15d6b7aa TG |
533 | static bool stibp_needed(void) |
534 | { | |
15d6b7aa TG |
535 | /* Enhanced IBRS makes using STIBP unnecessary. */ |
536 | if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) | |
537 | return false; | |
538 | ||
fa1202ef TG |
539 | /* Check for strict user mitigation mode */ |
540 | return spectre_v2_user == SPECTRE_V2_USER_STRICT; | |
15d6b7aa TG |
541 | } |
542 | ||
543 | static void update_stibp_msr(void *info) | |
544 | { | |
545 | wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); | |
546 | } | |
547 | ||
548 | void arch_smt_update(void) | |
549 | { | |
550 | u64 mask; | |
551 | ||
552 | if (!stibp_needed()) | |
553 | return; | |
554 | ||
555 | mutex_lock(&spec_ctrl_mutex); | |
556 | ||
557 | mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP; | |
558 | if (sched_smt_active()) | |
559 | mask |= SPEC_CTRL_STIBP; | |
560 | ||
561 | if (mask != x86_spec_ctrl_base) { | |
562 | pr_info("Spectre v2 cross-process SMT mitigation: %s STIBP\n", | |
563 | mask & SPEC_CTRL_STIBP ? "Enabling" : "Disabling"); | |
564 | x86_spec_ctrl_base = mask; | |
565 | on_each_cpu(update_stibp_msr, NULL, 1); | |
566 | } | |
567 | mutex_unlock(&spec_ctrl_mutex); | |
568 | } | |
569 | ||
24f7fc83 KRW |
570 | #undef pr_fmt |
571 | #define pr_fmt(fmt) "Speculative Store Bypass: " fmt | |
572 | ||
f9544b2b | 573 | static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE; |
24f7fc83 KRW |
574 | |
575 | /* The kernel command line selection */ | |
576 | enum ssb_mitigation_cmd { | |
577 | SPEC_STORE_BYPASS_CMD_NONE, | |
578 | SPEC_STORE_BYPASS_CMD_AUTO, | |
579 | SPEC_STORE_BYPASS_CMD_ON, | |
a73ec77e | 580 | SPEC_STORE_BYPASS_CMD_PRCTL, |
f21b53b2 | 581 | SPEC_STORE_BYPASS_CMD_SECCOMP, |
24f7fc83 KRW |
582 | }; |
583 | ||
8770709f | 584 | static const char * const ssb_strings[] = { |
24f7fc83 | 585 | [SPEC_STORE_BYPASS_NONE] = "Vulnerable", |
a73ec77e | 586 | [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled", |
f21b53b2 KC |
587 | [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl", |
588 | [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp", | |
24f7fc83 KRW |
589 | }; |
590 | ||
591 | static const struct { | |
592 | const char *option; | |
593 | enum ssb_mitigation_cmd cmd; | |
30ba72a9 | 594 | } ssb_mitigation_options[] __initdata = { |
f21b53b2 KC |
595 | { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ |
596 | { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ | |
597 | { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ | |
598 | { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */ | |
599 | { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */ | |
24f7fc83 KRW |
600 | }; |
601 | ||
602 | static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void) | |
603 | { | |
604 | enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO; | |
605 | char arg[20]; | |
606 | int ret, i; | |
607 | ||
608 | if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) { | |
609 | return SPEC_STORE_BYPASS_CMD_NONE; | |
610 | } else { | |
611 | ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable", | |
612 | arg, sizeof(arg)); | |
613 | if (ret < 0) | |
614 | return SPEC_STORE_BYPASS_CMD_AUTO; | |
615 | ||
616 | for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) { | |
617 | if (!match_option(arg, ret, ssb_mitigation_options[i].option)) | |
618 | continue; | |
619 | ||
620 | cmd = ssb_mitigation_options[i].cmd; | |
621 | break; | |
622 | } | |
623 | ||
624 | if (i >= ARRAY_SIZE(ssb_mitigation_options)) { | |
625 | pr_err("unknown option (%s). Switching to AUTO select\n", arg); | |
626 | return SPEC_STORE_BYPASS_CMD_AUTO; | |
627 | } | |
628 | } | |
629 | ||
630 | return cmd; | |
631 | } | |
632 | ||
d66d8ff3 | 633 | static enum ssb_mitigation __init __ssb_select_mitigation(void) |
24f7fc83 KRW |
634 | { |
635 | enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE; | |
636 | enum ssb_mitigation_cmd cmd; | |
637 | ||
9f65fb29 | 638 | if (!boot_cpu_has(X86_FEATURE_SSBD)) |
24f7fc83 KRW |
639 | return mode; |
640 | ||
641 | cmd = ssb_parse_cmdline(); | |
642 | if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) && | |
643 | (cmd == SPEC_STORE_BYPASS_CMD_NONE || | |
644 | cmd == SPEC_STORE_BYPASS_CMD_AUTO)) | |
645 | return mode; | |
646 | ||
647 | switch (cmd) { | |
648 | case SPEC_STORE_BYPASS_CMD_AUTO: | |
f21b53b2 KC |
649 | case SPEC_STORE_BYPASS_CMD_SECCOMP: |
650 | /* | |
651 | * Choose prctl+seccomp as the default mode if seccomp is | |
652 | * enabled. | |
653 | */ | |
654 | if (IS_ENABLED(CONFIG_SECCOMP)) | |
655 | mode = SPEC_STORE_BYPASS_SECCOMP; | |
656 | else | |
657 | mode = SPEC_STORE_BYPASS_PRCTL; | |
a73ec77e | 658 | break; |
24f7fc83 KRW |
659 | case SPEC_STORE_BYPASS_CMD_ON: |
660 | mode = SPEC_STORE_BYPASS_DISABLE; | |
661 | break; | |
a73ec77e TG |
662 | case SPEC_STORE_BYPASS_CMD_PRCTL: |
663 | mode = SPEC_STORE_BYPASS_PRCTL; | |
664 | break; | |
24f7fc83 KRW |
665 | case SPEC_STORE_BYPASS_CMD_NONE: |
666 | break; | |
667 | } | |
668 | ||
77243971 KRW |
669 | /* |
670 | * We have three CPU feature flags that are in play here: | |
671 | * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible. | |
9f65fb29 | 672 | * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass |
77243971 KRW |
673 | * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation |
674 | */ | |
a73ec77e | 675 | if (mode == SPEC_STORE_BYPASS_DISABLE) { |
24f7fc83 | 676 | setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE); |
77243971 | 677 | /* |
6ac2f49e KRW |
678 | * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may |
679 | * use a completely different MSR and bit dependent on family. | |
77243971 | 680 | */ |
612bc3b3 TL |
681 | if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) && |
682 | !static_cpu_has(X86_FEATURE_AMD_SSBD)) { | |
108fab4b | 683 | x86_amd_ssb_disable(); |
612bc3b3 | 684 | } else { |
9f65fb29 | 685 | x86_spec_ctrl_base |= SPEC_CTRL_SSBD; |
be6fcb54 | 686 | x86_spec_ctrl_mask |= SPEC_CTRL_SSBD; |
4b59bdb5 | 687 | wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
77243971 KRW |
688 | } |
689 | } | |
690 | ||
24f7fc83 KRW |
691 | return mode; |
692 | } | |
693 | ||
ffed645e | 694 | static void ssb_select_mitigation(void) |
24f7fc83 KRW |
695 | { |
696 | ssb_mode = __ssb_select_mitigation(); | |
697 | ||
698 | if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) | |
699 | pr_info("%s\n", ssb_strings[ssb_mode]); | |
700 | } | |
701 | ||
da285121 | 702 | #undef pr_fmt |
f21b53b2 | 703 | #define pr_fmt(fmt) "Speculation prctl: " fmt |
da285121 | 704 | |
6d991ba5 | 705 | static void task_update_spec_tif(struct task_struct *tsk) |
a73ec77e | 706 | { |
6d991ba5 TG |
707 | /* Force the update of the real TIF bits */ |
708 | set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE); | |
e6da8bb6 TG |
709 | |
710 | /* | |
711 | * Immediately update the speculation control MSRs for the current | |
712 | * task, but for a non-current task delay setting the CPU | |
713 | * mitigation until it is scheduled next. | |
714 | * | |
715 | * This can only happen for SECCOMP mitigation. For PRCTL it's | |
716 | * always the current task. | |
717 | */ | |
6d991ba5 | 718 | if (tsk == current) |
e6da8bb6 TG |
719 | speculation_ctrl_update_current(); |
720 | } | |
721 | ||
722 | static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) | |
723 | { | |
f21b53b2 KC |
724 | if (ssb_mode != SPEC_STORE_BYPASS_PRCTL && |
725 | ssb_mode != SPEC_STORE_BYPASS_SECCOMP) | |
a73ec77e TG |
726 | return -ENXIO; |
727 | ||
356e4bff TG |
728 | switch (ctrl) { |
729 | case PR_SPEC_ENABLE: | |
730 | /* If speculation is force disabled, enable is not allowed */ | |
731 | if (task_spec_ssb_force_disable(task)) | |
732 | return -EPERM; | |
733 | task_clear_spec_ssb_disable(task); | |
6d991ba5 | 734 | task_update_spec_tif(task); |
356e4bff TG |
735 | break; |
736 | case PR_SPEC_DISABLE: | |
737 | task_set_spec_ssb_disable(task); | |
6d991ba5 | 738 | task_update_spec_tif(task); |
356e4bff TG |
739 | break; |
740 | case PR_SPEC_FORCE_DISABLE: | |
741 | task_set_spec_ssb_disable(task); | |
742 | task_set_spec_ssb_force_disable(task); | |
6d991ba5 | 743 | task_update_spec_tif(task); |
356e4bff TG |
744 | break; |
745 | default: | |
746 | return -ERANGE; | |
747 | } | |
a73ec77e TG |
748 | return 0; |
749 | } | |
750 | ||
8bf37d8c TG |
751 | int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which, |
752 | unsigned long ctrl) | |
753 | { | |
754 | switch (which) { | |
755 | case PR_SPEC_STORE_BYPASS: | |
756 | return ssb_prctl_set(task, ctrl); | |
757 | default: | |
758 | return -ENODEV; | |
759 | } | |
760 | } | |
761 | ||
762 | #ifdef CONFIG_SECCOMP | |
763 | void arch_seccomp_spec_mitigate(struct task_struct *task) | |
764 | { | |
f21b53b2 KC |
765 | if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP) |
766 | ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE); | |
8bf37d8c TG |
767 | } |
768 | #endif | |
769 | ||
7bbf1373 | 770 | static int ssb_prctl_get(struct task_struct *task) |
a73ec77e TG |
771 | { |
772 | switch (ssb_mode) { | |
773 | case SPEC_STORE_BYPASS_DISABLE: | |
774 | return PR_SPEC_DISABLE; | |
f21b53b2 | 775 | case SPEC_STORE_BYPASS_SECCOMP: |
a73ec77e | 776 | case SPEC_STORE_BYPASS_PRCTL: |
356e4bff TG |
777 | if (task_spec_ssb_force_disable(task)) |
778 | return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; | |
779 | if (task_spec_ssb_disable(task)) | |
a73ec77e TG |
780 | return PR_SPEC_PRCTL | PR_SPEC_DISABLE; |
781 | return PR_SPEC_PRCTL | PR_SPEC_ENABLE; | |
782 | default: | |
783 | if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) | |
784 | return PR_SPEC_ENABLE; | |
785 | return PR_SPEC_NOT_AFFECTED; | |
786 | } | |
787 | } | |
788 | ||
7bbf1373 | 789 | int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) |
a73ec77e TG |
790 | { |
791 | switch (which) { | |
792 | case PR_SPEC_STORE_BYPASS: | |
7bbf1373 | 793 | return ssb_prctl_get(task); |
a73ec77e TG |
794 | default: |
795 | return -ENODEV; | |
796 | } | |
797 | } | |
798 | ||
77243971 KRW |
799 | void x86_spec_ctrl_setup_ap(void) |
800 | { | |
7eb8956a | 801 | if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) |
4b59bdb5 | 802 | wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); |
764f3c21 KRW |
803 | |
804 | if (ssb_mode == SPEC_STORE_BYPASS_DISABLE) | |
9f65fb29 | 805 | x86_amd_ssb_disable(); |
77243971 KRW |
806 | } |
807 | ||
56563f53 KRW |
808 | #undef pr_fmt |
809 | #define pr_fmt(fmt) "L1TF: " fmt | |
72c6d2db | 810 | |
d90a7a0e JK |
811 | /* Default mitigation for L1TF-affected CPUs */ |
812 | enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH; | |
72c6d2db | 813 | #if IS_ENABLED(CONFIG_KVM_INTEL) |
d90a7a0e | 814 | EXPORT_SYMBOL_GPL(l1tf_mitigation); |
1eb46908 | 815 | #endif |
895ae47f | 816 | enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO; |
72c6d2db | 817 | EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation); |
72c6d2db | 818 | |
cc51e542 AK |
819 | /* |
820 | * These CPUs all support 44bits physical address space internally in the | |
821 | * cache but CPUID can report a smaller number of physical address bits. | |
822 | * | |
823 | * The L1TF mitigation uses the top most address bit for the inversion of | |
824 | * non present PTEs. When the installed memory reaches into the top most | |
825 | * address bit due to memory holes, which has been observed on machines | |
826 | * which report 36bits physical address bits and have 32G RAM installed, | |
827 | * then the mitigation range check in l1tf_select_mitigation() triggers. | |
828 | * This is a false positive because the mitigation is still possible due to | |
829 | * the fact that the cache uses 44bit internally. Use the cache bits | |
830 | * instead of the reported physical bits and adjust them on the affected | |
831 | * machines to 44bit if the reported bits are less than 44. | |
832 | */ | |
833 | static void override_cache_bits(struct cpuinfo_x86 *c) | |
834 | { | |
835 | if (c->x86 != 6) | |
836 | return; | |
837 | ||
838 | switch (c->x86_model) { | |
839 | case INTEL_FAM6_NEHALEM: | |
840 | case INTEL_FAM6_WESTMERE: | |
841 | case INTEL_FAM6_SANDYBRIDGE: | |
842 | case INTEL_FAM6_IVYBRIDGE: | |
843 | case INTEL_FAM6_HASWELL_CORE: | |
844 | case INTEL_FAM6_HASWELL_ULT: | |
845 | case INTEL_FAM6_HASWELL_GT3E: | |
846 | case INTEL_FAM6_BROADWELL_CORE: | |
847 | case INTEL_FAM6_BROADWELL_GT3E: | |
848 | case INTEL_FAM6_SKYLAKE_MOBILE: | |
849 | case INTEL_FAM6_SKYLAKE_DESKTOP: | |
850 | case INTEL_FAM6_KABYLAKE_MOBILE: | |
851 | case INTEL_FAM6_KABYLAKE_DESKTOP: | |
852 | if (c->x86_cache_bits < 44) | |
853 | c->x86_cache_bits = 44; | |
854 | break; | |
855 | } | |
856 | } | |
857 | ||
56563f53 KRW |
858 | static void __init l1tf_select_mitigation(void) |
859 | { | |
860 | u64 half_pa; | |
861 | ||
862 | if (!boot_cpu_has_bug(X86_BUG_L1TF)) | |
863 | return; | |
864 | ||
cc51e542 AK |
865 | override_cache_bits(&boot_cpu_data); |
866 | ||
d90a7a0e JK |
867 | switch (l1tf_mitigation) { |
868 | case L1TF_MITIGATION_OFF: | |
869 | case L1TF_MITIGATION_FLUSH_NOWARN: | |
870 | case L1TF_MITIGATION_FLUSH: | |
871 | break; | |
872 | case L1TF_MITIGATION_FLUSH_NOSMT: | |
873 | case L1TF_MITIGATION_FULL: | |
874 | cpu_smt_disable(false); | |
875 | break; | |
876 | case L1TF_MITIGATION_FULL_FORCE: | |
877 | cpu_smt_disable(true); | |
878 | break; | |
879 | } | |
880 | ||
56563f53 KRW |
881 | #if CONFIG_PGTABLE_LEVELS == 2 |
882 | pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n"); | |
883 | return; | |
884 | #endif | |
885 | ||
56563f53 KRW |
886 | half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT; |
887 | if (e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) { | |
888 | pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n"); | |
6a012288 VB |
889 | pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n", |
890 | half_pa); | |
891 | pr_info("However, doing so will make a part of your RAM unusable.\n"); | |
892 | pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html might help you decide.\n"); | |
56563f53 KRW |
893 | return; |
894 | } | |
895 | ||
896 | setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV); | |
897 | } | |
d90a7a0e JK |
898 | |
899 | static int __init l1tf_cmdline(char *str) | |
900 | { | |
901 | if (!boot_cpu_has_bug(X86_BUG_L1TF)) | |
902 | return 0; | |
903 | ||
904 | if (!str) | |
905 | return -EINVAL; | |
906 | ||
907 | if (!strcmp(str, "off")) | |
908 | l1tf_mitigation = L1TF_MITIGATION_OFF; | |
909 | else if (!strcmp(str, "flush,nowarn")) | |
910 | l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN; | |
911 | else if (!strcmp(str, "flush")) | |
912 | l1tf_mitigation = L1TF_MITIGATION_FLUSH; | |
913 | else if (!strcmp(str, "flush,nosmt")) | |
914 | l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT; | |
915 | else if (!strcmp(str, "full")) | |
916 | l1tf_mitigation = L1TF_MITIGATION_FULL; | |
917 | else if (!strcmp(str, "full,force")) | |
918 | l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE; | |
919 | ||
920 | return 0; | |
921 | } | |
922 | early_param("l1tf", l1tf_cmdline); | |
923 | ||
56563f53 KRW |
924 | #undef pr_fmt |
925 | ||
61dc0f55 | 926 | #ifdef CONFIG_SYSFS |
d1059518 | 927 | |
72c6d2db TG |
928 | #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion" |
929 | ||
930 | #if IS_ENABLED(CONFIG_KVM_INTEL) | |
8770709f | 931 | static const char * const l1tf_vmx_states[] = { |
a7b9020b TG |
932 | [VMENTER_L1D_FLUSH_AUTO] = "auto", |
933 | [VMENTER_L1D_FLUSH_NEVER] = "vulnerable", | |
934 | [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes", | |
935 | [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes", | |
936 | [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled", | |
8e0b2b91 | 937 | [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary" |
72c6d2db TG |
938 | }; |
939 | ||
940 | static ssize_t l1tf_show_state(char *buf) | |
941 | { | |
942 | if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO) | |
943 | return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG); | |
944 | ||
ea156d19 PB |
945 | if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED || |
946 | (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER && | |
130d6f94 | 947 | sched_smt_active())) { |
ea156d19 PB |
948 | return sprintf(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG, |
949 | l1tf_vmx_states[l1tf_vmx_mitigation]); | |
130d6f94 | 950 | } |
ea156d19 PB |
951 | |
952 | return sprintf(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG, | |
953 | l1tf_vmx_states[l1tf_vmx_mitigation], | |
130d6f94 | 954 | sched_smt_active() ? "vulnerable" : "disabled"); |
72c6d2db TG |
955 | } |
956 | #else | |
957 | static ssize_t l1tf_show_state(char *buf) | |
958 | { | |
959 | return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG); | |
960 | } | |
961 | #endif | |
962 | ||
a8f76ae4 TC |
963 | static char *stibp_state(void) |
964 | { | |
34bce7c9 TC |
965 | if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) |
966 | return ""; | |
967 | ||
fa1202ef TG |
968 | switch (spectre_v2_user) { |
969 | case SPECTRE_V2_USER_NONE: | |
970 | return ", STIBP: disabled"; | |
971 | case SPECTRE_V2_USER_STRICT: | |
972 | return ", STIBP: forced"; | |
973 | } | |
974 | return ""; | |
a8f76ae4 TC |
975 | } |
976 | ||
977 | static char *ibpb_state(void) | |
978 | { | |
4c71a2b6 TG |
979 | if (boot_cpu_has(X86_FEATURE_IBPB)) { |
980 | switch (spectre_v2_user) { | |
981 | case SPECTRE_V2_USER_NONE: | |
982 | return ", IBPB: disabled"; | |
983 | case SPECTRE_V2_USER_STRICT: | |
984 | return ", IBPB: always-on"; | |
985 | } | |
986 | } | |
987 | return ""; | |
a8f76ae4 TC |
988 | } |
989 | ||
7bb4d366 | 990 | static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, |
ffed645e | 991 | char *buf, unsigned int bug) |
61dc0f55 | 992 | { |
d1059518 | 993 | if (!boot_cpu_has_bug(bug)) |
61dc0f55 | 994 | return sprintf(buf, "Not affected\n"); |
d1059518 KRW |
995 | |
996 | switch (bug) { | |
997 | case X86_BUG_CPU_MELTDOWN: | |
998 | if (boot_cpu_has(X86_FEATURE_PTI)) | |
999 | return sprintf(buf, "Mitigation: PTI\n"); | |
1000 | ||
6cb2b08f JK |
1001 | if (hypervisor_is_type(X86_HYPER_XEN_PV)) |
1002 | return sprintf(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n"); | |
1003 | ||
d1059518 KRW |
1004 | break; |
1005 | ||
1006 | case X86_BUG_SPECTRE_V1: | |
1007 | return sprintf(buf, "Mitigation: __user pointer sanitization\n"); | |
1008 | ||
1009 | case X86_BUG_SPECTRE_V2: | |
b86bda04 | 1010 | return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], |
a8f76ae4 | 1011 | ibpb_state(), |
d1059518 | 1012 | boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", |
a8f76ae4 | 1013 | stibp_state(), |
bb4b3b77 | 1014 | boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", |
d1059518 KRW |
1015 | spectre_v2_module_string()); |
1016 | ||
24f7fc83 KRW |
1017 | case X86_BUG_SPEC_STORE_BYPASS: |
1018 | return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); | |
1019 | ||
17dbca11 AK |
1020 | case X86_BUG_L1TF: |
1021 | if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV)) | |
72c6d2db | 1022 | return l1tf_show_state(buf); |
17dbca11 | 1023 | break; |
d1059518 KRW |
1024 | default: |
1025 | break; | |
1026 | } | |
1027 | ||
61dc0f55 TG |
1028 | return sprintf(buf, "Vulnerable\n"); |
1029 | } | |
1030 | ||
d1059518 KRW |
1031 | ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) |
1032 | { | |
1033 | return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN); | |
1034 | } | |
1035 | ||
21e433bd | 1036 | ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) |
61dc0f55 | 1037 | { |
d1059518 | 1038 | return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1); |
61dc0f55 TG |
1039 | } |
1040 | ||
21e433bd | 1041 | ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) |
61dc0f55 | 1042 | { |
d1059518 | 1043 | return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2); |
61dc0f55 | 1044 | } |
c456442c KRW |
1045 | |
1046 | ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf) | |
1047 | { | |
1048 | return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS); | |
1049 | } | |
17dbca11 AK |
1050 | |
1051 | ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf) | |
1052 | { | |
1053 | return cpu_show_common(dev, attr, buf, X86_BUG_L1TF); | |
1054 | } | |
61dc0f55 | 1055 | #endif |