1 // SPDX-License-Identifier: GPL-2.0
3 * Copyright (C) 1994 Linus Torvalds
5 * Cyrix stuff, June 1998 by:
6 * - Rafael R. Reilova (moved everything from head.S),
7 * <rreilova@ececs.uc.edu>
8 * - Channing Corn (tests & fixes),
9 * - Andrew D. Balsa (code cleanup).
11 #include <linux/init.h>
12 #include <linux/utsname.h>
13 #include <linux/cpu.h>
14 #include <linux/module.h>
15 #include <linux/nospec.h>
16 #include <linux/prctl.h>
18 #include <asm/spec-ctrl.h>
19 #include <asm/cmdline.h>
21 #include <asm/processor.h>
22 #include <asm/processor-flags.h>
23 #include <asm/fpu/internal.h>
26 #include <asm/paravirt.h>
27 #include <asm/alternative.h>
28 #include <asm/pgtable.h>
29 #include <asm/set_memory.h>
30 #include <asm/intel-family.h>
31 #include <asm/e820/api.h>
32 #include <asm/hypervisor.h>
34 static void __init spectre_v2_select_mitigation(void);
35 static void __init ssb_select_mitigation(void);
36 static void __init l1tf_select_mitigation(void);
38 /* The base value of the SPEC_CTRL MSR that always has to be preserved. */
39 u64 x86_spec_ctrl_base;
40 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
41 static DEFINE_MUTEX(spec_ctrl_mutex);
44 * The vendor and possibly platform specific bits which can be modified in
47 static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS;
50 * AMD specific MSR info for Speculative Store Bypass control.
51 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
53 u64 __ro_after_init x86_amd_ls_cfg_base;
54 u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
56 void __init check_bugs(void)
61 * identify_boot_cpu() initialized SMT support information, let the
64 cpu_smt_check_topology_early();
66 if (!IS_ENABLED(CONFIG_SMP)) {
68 print_cpu_info(&boot_cpu_data);
72 * Read the SPEC_CTRL MSR to account for reserved bits which may
73 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
74 * init code as it is not enumerated and depends on the family.
76 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
77 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
79 /* Allow STIBP in MSR_SPEC_CTRL if supported */
80 if (boot_cpu_has(X86_FEATURE_STIBP))
81 x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
83 /* Select the proper spectre mitigation before patching alternatives */
84 spectre_v2_select_mitigation();
87 * Select proper mitigation for any exposure to the Speculative Store
88 * Bypass vulnerability.
90 ssb_select_mitigation();
92 l1tf_select_mitigation();
96 * Check whether we are able to run this kernel safely on SMP.
98 * - i386 is no longer supported.
99 * - In order to run on anything without a TSC, we need to be
100 * compiled for a i486.
102 if (boot_cpu_data.x86 < 4)
103 panic("Kernel requires i486+ for 'invlpg' and other features");
105 init_utsname()->machine[1] =
106 '0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86);
107 alternative_instructions();
109 fpu__init_check_bugs();
110 #else /* CONFIG_X86_64 */
111 alternative_instructions();
114 * Make sure the first 2MB area is not mapped by huge pages
115 * There are typically fixed size MTRRs in there and overlapping
116 * MTRRs into large pages causes slow downs.
118 * Right now we don't do that with gbpages because there seems
119 * very little benefit for that case.
122 set_memory_4k((unsigned long)__va(0), 1);
126 /* The kernel command line selection */
127 enum spectre_v2_mitigation_cmd {
130 SPECTRE_V2_CMD_FORCE,
131 SPECTRE_V2_CMD_RETPOLINE,
132 SPECTRE_V2_CMD_RETPOLINE_GENERIC,
133 SPECTRE_V2_CMD_RETPOLINE_AMD,
136 static const char *spectre_v2_strings[] = {
137 [SPECTRE_V2_NONE] = "Vulnerable",
138 [SPECTRE_V2_RETPOLINE_MINIMAL] = "Vulnerable: Minimal generic ASM retpoline",
139 [SPECTRE_V2_RETPOLINE_MINIMAL_AMD] = "Vulnerable: Minimal AMD ASM retpoline",
140 [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
141 [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
142 [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS",
146 #define pr_fmt(fmt) "Spectre V2 : " fmt
148 static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
152 x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
154 u64 msrval, guestval, hostval = x86_spec_ctrl_base;
155 struct thread_info *ti = current_thread_info();
157 /* Is MSR_SPEC_CTRL implemented ? */
158 if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
160 * Restrict guest_spec_ctrl to supported values. Clear the
161 * modifiable bits in the host base value and or the
162 * modifiable bits from the guest value.
164 guestval = hostval & ~x86_spec_ctrl_mask;
165 guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
167 /* SSBD controlled in MSR_SPEC_CTRL */
168 if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
169 static_cpu_has(X86_FEATURE_AMD_SSBD))
170 hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
172 if (hostval != guestval) {
173 msrval = setguest ? guestval : hostval;
174 wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
179 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
180 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
182 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
183 !static_cpu_has(X86_FEATURE_VIRT_SSBD))
187 * If the host has SSBD mitigation enabled, force it in the host's
188 * virtual MSR value. If its not permanently enabled, evaluate
189 * current's TIF_SSBD thread flag.
191 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
192 hostval = SPEC_CTRL_SSBD;
194 hostval = ssbd_tif_to_spec_ctrl(ti->flags);
196 /* Sanitize the guest value */
197 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
199 if (hostval != guestval) {
202 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
203 ssbd_spec_ctrl_to_tif(hostval);
205 speculative_store_bypass_update(tif);
208 EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
210 static void x86_amd_ssb_disable(void)
212 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
214 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
215 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
216 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
217 wrmsrl(MSR_AMD64_LS_CFG, msrval);
221 static bool spectre_v2_bad_module;
223 bool retpoline_module_ok(bool has_retpoline)
225 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
228 pr_err("System may be vulnerable to spectre v2\n");
229 spectre_v2_bad_module = true;
233 static inline const char *spectre_v2_module_string(void)
235 return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
238 static inline const char *spectre_v2_module_string(void) { return ""; }
241 static void __init spec2_print_if_insecure(const char *reason)
243 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
244 pr_info("%s selected on command line.\n", reason);
247 static void __init spec2_print_if_secure(const char *reason)
249 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
250 pr_info("%s selected on command line.\n", reason);
253 static inline bool retp_compiler(void)
255 return __is_defined(RETPOLINE);
258 static inline bool match_option(const char *arg, int arglen, const char *opt)
260 int len = strlen(opt);
262 return len == arglen && !strncmp(arg, opt, len);
265 static const struct {
267 enum spectre_v2_mitigation_cmd cmd;
269 } mitigation_options[] = {
270 { "off", SPECTRE_V2_CMD_NONE, false },
271 { "on", SPECTRE_V2_CMD_FORCE, true },
272 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
273 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false },
274 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
275 { "auto", SPECTRE_V2_CMD_AUTO, false },
278 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
282 enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
284 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
285 return SPECTRE_V2_CMD_NONE;
287 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
289 return SPECTRE_V2_CMD_AUTO;
291 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
292 if (!match_option(arg, ret, mitigation_options[i].option))
294 cmd = mitigation_options[i].cmd;
298 if (i >= ARRAY_SIZE(mitigation_options)) {
299 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
300 return SPECTRE_V2_CMD_AUTO;
304 if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
305 cmd == SPECTRE_V2_CMD_RETPOLINE_AMD ||
306 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) &&
307 !IS_ENABLED(CONFIG_RETPOLINE)) {
308 pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option);
309 return SPECTRE_V2_CMD_AUTO;
312 if (cmd == SPECTRE_V2_CMD_RETPOLINE_AMD &&
313 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON &&
314 boot_cpu_data.x86_vendor != X86_VENDOR_AMD) {
315 pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n");
316 return SPECTRE_V2_CMD_AUTO;
319 if (mitigation_options[i].secure)
320 spec2_print_if_secure(mitigation_options[i].option);
322 spec2_print_if_insecure(mitigation_options[i].option);
327 static bool stibp_needed(void)
329 if (spectre_v2_enabled == SPECTRE_V2_NONE)
332 if (!boot_cpu_has(X86_FEATURE_STIBP))
338 static void update_stibp_msr(void *info)
340 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
343 void arch_smt_update(void)
350 mutex_lock(&spec_ctrl_mutex);
351 mask = x86_spec_ctrl_base;
352 if (cpu_smt_control == CPU_SMT_ENABLED)
353 mask |= SPEC_CTRL_STIBP;
355 mask &= ~SPEC_CTRL_STIBP;
357 if (mask != x86_spec_ctrl_base) {
358 pr_info("Spectre v2 cross-process SMT mitigation: %s STIBP\n",
359 cpu_smt_control == CPU_SMT_ENABLED ?
360 "Enabling" : "Disabling");
361 x86_spec_ctrl_base = mask;
362 on_each_cpu(update_stibp_msr, NULL, 1);
364 mutex_unlock(&spec_ctrl_mutex);
367 static void __init spectre_v2_select_mitigation(void)
369 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
370 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
373 * If the CPU is not affected and the command line mode is NONE or AUTO
374 * then nothing to do.
376 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
377 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
381 case SPECTRE_V2_CMD_NONE:
384 case SPECTRE_V2_CMD_FORCE:
385 case SPECTRE_V2_CMD_AUTO:
386 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
387 mode = SPECTRE_V2_IBRS_ENHANCED;
388 /* Force it so VMEXIT will restore correctly */
389 x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
390 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
391 goto specv2_set_mode;
393 if (IS_ENABLED(CONFIG_RETPOLINE))
396 case SPECTRE_V2_CMD_RETPOLINE_AMD:
397 if (IS_ENABLED(CONFIG_RETPOLINE))
400 case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
401 if (IS_ENABLED(CONFIG_RETPOLINE))
402 goto retpoline_generic;
404 case SPECTRE_V2_CMD_RETPOLINE:
405 if (IS_ENABLED(CONFIG_RETPOLINE))
409 pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!");
413 if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
414 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) {
416 if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
417 pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n");
418 goto retpoline_generic;
420 mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD :
421 SPECTRE_V2_RETPOLINE_MINIMAL_AMD;
422 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD);
423 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
426 mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_GENERIC :
427 SPECTRE_V2_RETPOLINE_MINIMAL;
428 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
432 spectre_v2_enabled = mode;
433 pr_info("%s\n", spectre_v2_strings[mode]);
436 * If spectre v2 protection has been enabled, unconditionally fill
437 * RSB during a context switch; this protects against two independent
440 * - RSB underflow (and switch to BTB) on Skylake+
441 * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs
443 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
444 pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
446 /* Initialize Indirect Branch Prediction Barrier if supported */
447 if (boot_cpu_has(X86_FEATURE_IBPB)) {
448 setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
449 pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
453 * Retpoline means the kernel is safe because it has no indirect
454 * branches. Enhanced IBRS protects firmware too, so, enable restricted
455 * speculation around firmware calls only when Enhanced IBRS isn't
458 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
459 * the user might select retpoline on the kernel command line and if
460 * the CPU supports Enhanced IBRS, kernel might un-intentionally not
461 * enable IBRS around firmware calls.
463 if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) {
464 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
465 pr_info("Enabling Restricted Speculation for firmware calls\n");
468 /* Enable STIBP if appropriate */
473 #define pr_fmt(fmt) "Speculative Store Bypass: " fmt
475 static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
477 /* The kernel command line selection */
478 enum ssb_mitigation_cmd {
479 SPEC_STORE_BYPASS_CMD_NONE,
480 SPEC_STORE_BYPASS_CMD_AUTO,
481 SPEC_STORE_BYPASS_CMD_ON,
482 SPEC_STORE_BYPASS_CMD_PRCTL,
483 SPEC_STORE_BYPASS_CMD_SECCOMP,
486 static const char *ssb_strings[] = {
487 [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
488 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
489 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
490 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
493 static const struct {
495 enum ssb_mitigation_cmd cmd;
496 } ssb_mitigation_options[] = {
497 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
498 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
499 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
500 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
501 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
504 static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
506 enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
510 if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
511 return SPEC_STORE_BYPASS_CMD_NONE;
513 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
516 return SPEC_STORE_BYPASS_CMD_AUTO;
518 for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
519 if (!match_option(arg, ret, ssb_mitigation_options[i].option))
522 cmd = ssb_mitigation_options[i].cmd;
526 if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
527 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
528 return SPEC_STORE_BYPASS_CMD_AUTO;
535 static enum ssb_mitigation __init __ssb_select_mitigation(void)
537 enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
538 enum ssb_mitigation_cmd cmd;
540 if (!boot_cpu_has(X86_FEATURE_SSBD))
543 cmd = ssb_parse_cmdline();
544 if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
545 (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
546 cmd == SPEC_STORE_BYPASS_CMD_AUTO))
550 case SPEC_STORE_BYPASS_CMD_AUTO:
551 case SPEC_STORE_BYPASS_CMD_SECCOMP:
553 * Choose prctl+seccomp as the default mode if seccomp is
556 if (IS_ENABLED(CONFIG_SECCOMP))
557 mode = SPEC_STORE_BYPASS_SECCOMP;
559 mode = SPEC_STORE_BYPASS_PRCTL;
561 case SPEC_STORE_BYPASS_CMD_ON:
562 mode = SPEC_STORE_BYPASS_DISABLE;
564 case SPEC_STORE_BYPASS_CMD_PRCTL:
565 mode = SPEC_STORE_BYPASS_PRCTL;
567 case SPEC_STORE_BYPASS_CMD_NONE:
572 * We have three CPU feature flags that are in play here:
573 * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
574 * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
575 * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
577 if (mode == SPEC_STORE_BYPASS_DISABLE) {
578 setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
580 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
581 * use a completely different MSR and bit dependent on family.
583 if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
584 !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
585 x86_amd_ssb_disable();
587 x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
588 x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
589 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
596 static void ssb_select_mitigation(void)
598 ssb_mode = __ssb_select_mitigation();
600 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
601 pr_info("%s\n", ssb_strings[ssb_mode]);
605 #define pr_fmt(fmt) "Speculation prctl: " fmt
607 static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
611 if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
612 ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
617 /* If speculation is force disabled, enable is not allowed */
618 if (task_spec_ssb_force_disable(task))
620 task_clear_spec_ssb_disable(task);
621 update = test_and_clear_tsk_thread_flag(task, TIF_SSBD);
623 case PR_SPEC_DISABLE:
624 task_set_spec_ssb_disable(task);
625 update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
627 case PR_SPEC_FORCE_DISABLE:
628 task_set_spec_ssb_disable(task);
629 task_set_spec_ssb_force_disable(task);
630 update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
637 * If being set on non-current task, delay setting the CPU
638 * mitigation until it is next scheduled.
640 if (task == current && update)
641 speculative_store_bypass_update_current();
646 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
650 case PR_SPEC_STORE_BYPASS:
651 return ssb_prctl_set(task, ctrl);
657 #ifdef CONFIG_SECCOMP
658 void arch_seccomp_spec_mitigate(struct task_struct *task)
660 if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
661 ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
665 static int ssb_prctl_get(struct task_struct *task)
668 case SPEC_STORE_BYPASS_DISABLE:
669 return PR_SPEC_DISABLE;
670 case SPEC_STORE_BYPASS_SECCOMP:
671 case SPEC_STORE_BYPASS_PRCTL:
672 if (task_spec_ssb_force_disable(task))
673 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
674 if (task_spec_ssb_disable(task))
675 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
676 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
678 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
679 return PR_SPEC_ENABLE;
680 return PR_SPEC_NOT_AFFECTED;
684 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
687 case PR_SPEC_STORE_BYPASS:
688 return ssb_prctl_get(task);
694 void x86_spec_ctrl_setup_ap(void)
696 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
697 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
699 if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
700 x86_amd_ssb_disable();
704 #define pr_fmt(fmt) "L1TF: " fmt
706 /* Default mitigation for L1TF-affected CPUs */
707 enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
708 #if IS_ENABLED(CONFIG_KVM_INTEL)
709 EXPORT_SYMBOL_GPL(l1tf_mitigation);
711 enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
712 EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
715 * These CPUs all support 44bits physical address space internally in the
716 * cache but CPUID can report a smaller number of physical address bits.
718 * The L1TF mitigation uses the top most address bit for the inversion of
719 * non present PTEs. When the installed memory reaches into the top most
720 * address bit due to memory holes, which has been observed on machines
721 * which report 36bits physical address bits and have 32G RAM installed,
722 * then the mitigation range check in l1tf_select_mitigation() triggers.
723 * This is a false positive because the mitigation is still possible due to
724 * the fact that the cache uses 44bit internally. Use the cache bits
725 * instead of the reported physical bits and adjust them on the affected
726 * machines to 44bit if the reported bits are less than 44.
728 static void override_cache_bits(struct cpuinfo_x86 *c)
733 switch (c->x86_model) {
734 case INTEL_FAM6_NEHALEM:
735 case INTEL_FAM6_WESTMERE:
736 case INTEL_FAM6_SANDYBRIDGE:
737 case INTEL_FAM6_IVYBRIDGE:
738 case INTEL_FAM6_HASWELL_CORE:
739 case INTEL_FAM6_HASWELL_ULT:
740 case INTEL_FAM6_HASWELL_GT3E:
741 case INTEL_FAM6_BROADWELL_CORE:
742 case INTEL_FAM6_BROADWELL_GT3E:
743 case INTEL_FAM6_SKYLAKE_MOBILE:
744 case INTEL_FAM6_SKYLAKE_DESKTOP:
745 case INTEL_FAM6_KABYLAKE_MOBILE:
746 case INTEL_FAM6_KABYLAKE_DESKTOP:
747 if (c->x86_cache_bits < 44)
748 c->x86_cache_bits = 44;
753 static void __init l1tf_select_mitigation(void)
757 if (!boot_cpu_has_bug(X86_BUG_L1TF))
760 override_cache_bits(&boot_cpu_data);
762 switch (l1tf_mitigation) {
763 case L1TF_MITIGATION_OFF:
764 case L1TF_MITIGATION_FLUSH_NOWARN:
765 case L1TF_MITIGATION_FLUSH:
767 case L1TF_MITIGATION_FLUSH_NOSMT:
768 case L1TF_MITIGATION_FULL:
769 cpu_smt_disable(false);
771 case L1TF_MITIGATION_FULL_FORCE:
772 cpu_smt_disable(true);
776 #if CONFIG_PGTABLE_LEVELS == 2
777 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
781 half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
782 if (e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
783 pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
784 pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
786 pr_info("However, doing so will make a part of your RAM unusable.\n");
787 pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html might help you decide.\n");
791 setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
794 static int __init l1tf_cmdline(char *str)
796 if (!boot_cpu_has_bug(X86_BUG_L1TF))
802 if (!strcmp(str, "off"))
803 l1tf_mitigation = L1TF_MITIGATION_OFF;
804 else if (!strcmp(str, "flush,nowarn"))
805 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN;
806 else if (!strcmp(str, "flush"))
807 l1tf_mitigation = L1TF_MITIGATION_FLUSH;
808 else if (!strcmp(str, "flush,nosmt"))
809 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
810 else if (!strcmp(str, "full"))
811 l1tf_mitigation = L1TF_MITIGATION_FULL;
812 else if (!strcmp(str, "full,force"))
813 l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;
817 early_param("l1tf", l1tf_cmdline);
823 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
825 #if IS_ENABLED(CONFIG_KVM_INTEL)
826 static const char *l1tf_vmx_states[] = {
827 [VMENTER_L1D_FLUSH_AUTO] = "auto",
828 [VMENTER_L1D_FLUSH_NEVER] = "vulnerable",
829 [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes",
830 [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes",
831 [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled",
832 [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary"
835 static ssize_t l1tf_show_state(char *buf)
837 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
838 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
840 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
841 (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
842 cpu_smt_control == CPU_SMT_ENABLED))
843 return sprintf(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
844 l1tf_vmx_states[l1tf_vmx_mitigation]);
846 return sprintf(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
847 l1tf_vmx_states[l1tf_vmx_mitigation],
848 cpu_smt_control == CPU_SMT_ENABLED ? "vulnerable" : "disabled");
851 static ssize_t l1tf_show_state(char *buf)
853 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
857 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
858 char *buf, unsigned int bug)
862 if (!boot_cpu_has_bug(bug))
863 return sprintf(buf, "Not affected\n");
866 case X86_BUG_CPU_MELTDOWN:
867 if (boot_cpu_has(X86_FEATURE_PTI))
868 return sprintf(buf, "Mitigation: PTI\n");
870 if (hypervisor_is_type(X86_HYPER_XEN_PV))
871 return sprintf(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");
875 case X86_BUG_SPECTRE_V1:
876 return sprintf(buf, "Mitigation: __user pointer sanitization\n");
878 case X86_BUG_SPECTRE_V2:
879 ret = sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
880 boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
881 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
882 (x86_spec_ctrl_base & SPEC_CTRL_STIBP) ? ", STIBP" : "",
883 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
884 spectre_v2_module_string());
887 case X86_BUG_SPEC_STORE_BYPASS:
888 return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
891 if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
892 return l1tf_show_state(buf);
898 return sprintf(buf, "Vulnerable\n");
901 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
903 return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
906 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
908 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
911 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
913 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
916 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
918 return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
921 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
923 return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
projects / linux-2.6-block.git / blob