1 // SPDX-License-Identifier: GPL-2.0
3 * Copyright (C) 1994 Linus Torvalds
5 * Cyrix stuff, June 1998 by:
6 * - Rafael R. Reilova (moved everything from head.S),
7 * <rreilova@ececs.uc.edu>
8 * - Channing Corn (tests & fixes),
9 * - Andrew D. Balsa (code cleanup).
11 #include <linux/init.h>
12 #include <linux/utsname.h>
13 #include <linux/cpu.h>
14 #include <linux/module.h>
15 #include <linux/nospec.h>
16 #include <linux/prctl.h>
17 #include <linux/sched/smt.h>
19 #include <asm/spec-ctrl.h>
20 #include <asm/cmdline.h>
22 #include <asm/processor.h>
23 #include <asm/processor-flags.h>
24 #include <asm/fpu/internal.h>
27 #include <asm/paravirt.h>
28 #include <asm/alternative.h>
29 #include <asm/pgtable.h>
30 #include <asm/set_memory.h>
31 #include <asm/intel-family.h>
32 #include <asm/e820/api.h>
33 #include <asm/hypervisor.h>
37 static void __init spectre_v1_select_mitigation(void);
38 static void __init spectre_v2_select_mitigation(void);
39 static void __init ssb_select_mitigation(void);
40 static void __init l1tf_select_mitigation(void);
41 static void __init mds_select_mitigation(void);
43 /* The base value of the SPEC_CTRL MSR that always has to be preserved. */
44 u64 x86_spec_ctrl_base;
45 EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
46 static DEFINE_MUTEX(spec_ctrl_mutex);
49 * The vendor and possibly platform specific bits which can be modified in
52 static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS;
55 * AMD specific MSR info for Speculative Store Bypass control.
56 * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
58 u64 __ro_after_init x86_amd_ls_cfg_base;
59 u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
61 /* Control conditional STIBP in switch_to() */
62 DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
63 /* Control conditional IBPB in switch_mm() */
64 DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
65 /* Control unconditional IBPB in switch_mm() */
66 DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);
68 /* Control MDS CPU buffer clear before returning to user space */
69 DEFINE_STATIC_KEY_FALSE(mds_user_clear);
70 EXPORT_SYMBOL_GPL(mds_user_clear);
71 /* Control MDS CPU buffer clear before idling (halt, mwait) */
72 DEFINE_STATIC_KEY_FALSE(mds_idle_clear);
73 EXPORT_SYMBOL_GPL(mds_idle_clear);
75 void __init check_bugs(void)
80 * identify_boot_cpu() initialized SMT support information, let the
83 cpu_smt_check_topology();
85 if (!IS_ENABLED(CONFIG_SMP)) {
87 print_cpu_info(&boot_cpu_data);
91 * Read the SPEC_CTRL MSR to account for reserved bits which may
92 * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
93 * init code as it is not enumerated and depends on the family.
95 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
96 rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
98 /* Allow STIBP in MSR_SPEC_CTRL if supported */
99 if (boot_cpu_has(X86_FEATURE_STIBP))
100 x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
102 /* Select the proper CPU mitigations before patching alternatives: */
103 spectre_v1_select_mitigation();
104 spectre_v2_select_mitigation();
105 ssb_select_mitigation();
106 l1tf_select_mitigation();
107 mds_select_mitigation();
113 * Check whether we are able to run this kernel safely on SMP.
115 * - i386 is no longer supported.
116 * - In order to run on anything without a TSC, we need to be
117 * compiled for a i486.
119 if (boot_cpu_data.x86 < 4)
120 panic("Kernel requires i486+ for 'invlpg' and other features");
122 init_utsname()->machine[1] =
123 '0' + (boot_cpu_data.x86 > 6 ? 6 : boot_cpu_data.x86);
124 alternative_instructions();
126 fpu__init_check_bugs();
127 #else /* CONFIG_X86_64 */
128 alternative_instructions();
131 * Make sure the first 2MB area is not mapped by huge pages
132 * There are typically fixed size MTRRs in there and overlapping
133 * MTRRs into large pages causes slow downs.
135 * Right now we don't do that with gbpages because there seems
136 * very little benefit for that case.
139 set_memory_4k((unsigned long)__va(0), 1);
144 x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
146 u64 msrval, guestval, hostval = x86_spec_ctrl_base;
147 struct thread_info *ti = current_thread_info();
149 /* Is MSR_SPEC_CTRL implemented ? */
150 if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
152 * Restrict guest_spec_ctrl to supported values. Clear the
153 * modifiable bits in the host base value and or the
154 * modifiable bits from the guest value.
156 guestval = hostval & ~x86_spec_ctrl_mask;
157 guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
159 /* SSBD controlled in MSR_SPEC_CTRL */
160 if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
161 static_cpu_has(X86_FEATURE_AMD_SSBD))
162 hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
164 /* Conditional STIBP enabled? */
165 if (static_branch_unlikely(&switch_to_cond_stibp))
166 hostval |= stibp_tif_to_spec_ctrl(ti->flags);
168 if (hostval != guestval) {
169 msrval = setguest ? guestval : hostval;
170 wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
175 * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
176 * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
178 if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
179 !static_cpu_has(X86_FEATURE_VIRT_SSBD))
183 * If the host has SSBD mitigation enabled, force it in the host's
184 * virtual MSR value. If its not permanently enabled, evaluate
185 * current's TIF_SSBD thread flag.
187 if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
188 hostval = SPEC_CTRL_SSBD;
190 hostval = ssbd_tif_to_spec_ctrl(ti->flags);
192 /* Sanitize the guest value */
193 guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
195 if (hostval != guestval) {
198 tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
199 ssbd_spec_ctrl_to_tif(hostval);
201 speculation_ctrl_update(tif);
204 EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
206 static void x86_amd_ssb_disable(void)
208 u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
210 if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
211 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
212 else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
213 wrmsrl(MSR_AMD64_LS_CFG, msrval);
217 #define pr_fmt(fmt) "MDS: " fmt
219 /* Default mitigation for MDS-affected CPUs */
220 static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL;
221 static bool mds_nosmt __ro_after_init = false;
223 static const char * const mds_strings[] = {
224 [MDS_MITIGATION_OFF] = "Vulnerable",
225 [MDS_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
226 [MDS_MITIGATION_VMWERV] = "Vulnerable: Clear CPU buffers attempted, no microcode",
229 static void __init mds_select_mitigation(void)
231 if (!boot_cpu_has_bug(X86_BUG_MDS) || cpu_mitigations_off()) {
232 mds_mitigation = MDS_MITIGATION_OFF;
236 if (mds_mitigation == MDS_MITIGATION_FULL) {
237 if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
238 mds_mitigation = MDS_MITIGATION_VMWERV;
240 static_branch_enable(&mds_user_clear);
242 if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&
243 (mds_nosmt || cpu_mitigations_auto_nosmt()))
244 cpu_smt_disable(false);
247 pr_info("%s\n", mds_strings[mds_mitigation]);
250 static int __init mds_cmdline(char *str)
252 if (!boot_cpu_has_bug(X86_BUG_MDS))
258 if (!strcmp(str, "off"))
259 mds_mitigation = MDS_MITIGATION_OFF;
260 else if (!strcmp(str, "full"))
261 mds_mitigation = MDS_MITIGATION_FULL;
262 else if (!strcmp(str, "full,nosmt")) {
263 mds_mitigation = MDS_MITIGATION_FULL;
269 early_param("mds", mds_cmdline);
272 #define pr_fmt(fmt) "Spectre V1 : " fmt
274 enum spectre_v1_mitigation {
275 SPECTRE_V1_MITIGATION_NONE,
276 SPECTRE_V1_MITIGATION_AUTO,
279 static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
280 SPECTRE_V1_MITIGATION_AUTO;
282 static const char * const spectre_v1_strings[] = {
283 [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
284 [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
288 * Does SMAP provide full mitigation against speculative kernel access to
291 static bool smap_works_speculatively(void)
293 if (!boot_cpu_has(X86_FEATURE_SMAP))
297 * On CPUs which are vulnerable to Meltdown, SMAP does not
298 * prevent speculative access to user data in the L1 cache.
299 * Consider SMAP to be non-functional as a mitigation on these
302 if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
308 static void __init spectre_v1_select_mitigation(void)
310 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
311 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
315 if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
317 * With Spectre v1, a user can speculatively control either
318 * path of a conditional swapgs with a user-controlled GS
319 * value. The mitigation is to add lfences to both code paths.
321 * If FSGSBASE is enabled, the user can put a kernel address in
322 * GS, in which case SMAP provides no protection.
324 * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the
325 * FSGSBASE enablement patches have been merged. ]
327 * If FSGSBASE is disabled, the user can only put a user space
328 * address in GS. That makes an attack harder, but still
329 * possible if there's no SMAP protection.
331 if (!smap_works_speculatively()) {
333 * Mitigation can be provided from SWAPGS itself or
334 * PTI as the CR3 write in the Meltdown mitigation
337 * If neither is there, mitigate with an LFENCE to
338 * stop speculation through swapgs.
340 if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
341 !boot_cpu_has(X86_FEATURE_PTI))
342 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
345 * Enable lfences in the kernel entry (non-swapgs)
346 * paths, to prevent user entry from speculatively
349 setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
353 pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
356 static int __init nospectre_v1_cmdline(char *str)
358 spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
361 early_param("nospectre_v1", nospectre_v1_cmdline);
364 #define pr_fmt(fmt) "Spectre V2 : " fmt
366 static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
369 static enum spectre_v2_user_mitigation spectre_v2_user __ro_after_init =
370 SPECTRE_V2_USER_NONE;
372 #ifdef CONFIG_RETPOLINE
373 static bool spectre_v2_bad_module;
375 bool retpoline_module_ok(bool has_retpoline)
377 if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
380 pr_err("System may be vulnerable to spectre v2\n");
381 spectre_v2_bad_module = true;
385 static inline const char *spectre_v2_module_string(void)
387 return spectre_v2_bad_module ? " - vulnerable module loaded" : "";
390 static inline const char *spectre_v2_module_string(void) { return ""; }
393 static inline bool match_option(const char *arg, int arglen, const char *opt)
395 int len = strlen(opt);
397 return len == arglen && !strncmp(arg, opt, len);
400 /* The kernel command line selection for spectre v2 */
401 enum spectre_v2_mitigation_cmd {
404 SPECTRE_V2_CMD_FORCE,
405 SPECTRE_V2_CMD_RETPOLINE,
406 SPECTRE_V2_CMD_RETPOLINE_GENERIC,
407 SPECTRE_V2_CMD_RETPOLINE_AMD,
410 enum spectre_v2_user_cmd {
411 SPECTRE_V2_USER_CMD_NONE,
412 SPECTRE_V2_USER_CMD_AUTO,
413 SPECTRE_V2_USER_CMD_FORCE,
414 SPECTRE_V2_USER_CMD_PRCTL,
415 SPECTRE_V2_USER_CMD_PRCTL_IBPB,
416 SPECTRE_V2_USER_CMD_SECCOMP,
417 SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
420 static const char * const spectre_v2_user_strings[] = {
421 [SPECTRE_V2_USER_NONE] = "User space: Vulnerable",
422 [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection",
423 [SPECTRE_V2_USER_STRICT_PREFERRED] = "User space: Mitigation: STIBP always-on protection",
424 [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl",
425 [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl",
428 static const struct {
430 enum spectre_v2_user_cmd cmd;
432 } v2_user_options[] __initconst = {
433 { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
434 { "off", SPECTRE_V2_USER_CMD_NONE, false },
435 { "on", SPECTRE_V2_USER_CMD_FORCE, true },
436 { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
437 { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false },
438 { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
439 { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false },
442 static void __init spec_v2_user_print_cond(const char *reason, bool secure)
444 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
445 pr_info("spectre_v2_user=%s forced on command line.\n", reason);
448 static enum spectre_v2_user_cmd __init
449 spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd)
455 case SPECTRE_V2_CMD_NONE:
456 return SPECTRE_V2_USER_CMD_NONE;
457 case SPECTRE_V2_CMD_FORCE:
458 return SPECTRE_V2_USER_CMD_FORCE;
463 ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
466 return SPECTRE_V2_USER_CMD_AUTO;
468 for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
469 if (match_option(arg, ret, v2_user_options[i].option)) {
470 spec_v2_user_print_cond(v2_user_options[i].option,
471 v2_user_options[i].secure);
472 return v2_user_options[i].cmd;
476 pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
477 return SPECTRE_V2_USER_CMD_AUTO;
481 spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
483 enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
484 bool smt_possible = IS_ENABLED(CONFIG_SMP);
485 enum spectre_v2_user_cmd cmd;
487 if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
490 if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
491 cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
492 smt_possible = false;
494 cmd = spectre_v2_parse_user_cmdline(v2_cmd);
496 case SPECTRE_V2_USER_CMD_NONE:
498 case SPECTRE_V2_USER_CMD_FORCE:
499 mode = SPECTRE_V2_USER_STRICT;
501 case SPECTRE_V2_USER_CMD_PRCTL:
502 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
503 mode = SPECTRE_V2_USER_PRCTL;
505 case SPECTRE_V2_USER_CMD_AUTO:
506 case SPECTRE_V2_USER_CMD_SECCOMP:
507 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
508 if (IS_ENABLED(CONFIG_SECCOMP))
509 mode = SPECTRE_V2_USER_SECCOMP;
511 mode = SPECTRE_V2_USER_PRCTL;
516 * At this point, an STIBP mode other than "off" has been set.
517 * If STIBP support is not being forced, check if STIBP always-on
520 if (mode != SPECTRE_V2_USER_STRICT &&
521 boot_cpu_has(X86_FEATURE_AMD_STIBP_ALWAYS_ON))
522 mode = SPECTRE_V2_USER_STRICT_PREFERRED;
524 /* Initialize Indirect Branch Prediction Barrier */
525 if (boot_cpu_has(X86_FEATURE_IBPB)) {
526 setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
529 case SPECTRE_V2_USER_CMD_FORCE:
530 case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
531 case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
532 static_branch_enable(&switch_mm_always_ibpb);
534 case SPECTRE_V2_USER_CMD_PRCTL:
535 case SPECTRE_V2_USER_CMD_AUTO:
536 case SPECTRE_V2_USER_CMD_SECCOMP:
537 static_branch_enable(&switch_mm_cond_ibpb);
543 pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
544 static_key_enabled(&switch_mm_always_ibpb) ?
545 "always-on" : "conditional");
548 /* If enhanced IBRS is enabled no STIBP required */
549 if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
553 * If SMT is not possible or STIBP is not available clear the STIBP
556 if (!smt_possible || !boot_cpu_has(X86_FEATURE_STIBP))
557 mode = SPECTRE_V2_USER_NONE;
559 spectre_v2_user = mode;
560 /* Only print the STIBP mode when SMT possible */
562 pr_info("%s\n", spectre_v2_user_strings[mode]);
565 static const char * const spectre_v2_strings[] = {
566 [SPECTRE_V2_NONE] = "Vulnerable",
567 [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
568 [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
569 [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS",
572 static const struct {
574 enum spectre_v2_mitigation_cmd cmd;
576 } mitigation_options[] __initconst = {
577 { "off", SPECTRE_V2_CMD_NONE, false },
578 { "on", SPECTRE_V2_CMD_FORCE, true },
579 { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
580 { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false },
581 { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
582 { "auto", SPECTRE_V2_CMD_AUTO, false },
585 static void __init spec_v2_print_cond(const char *reason, bool secure)
587 if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
588 pr_info("%s selected on command line.\n", reason);
591 static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
593 enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
597 if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
598 cpu_mitigations_off())
599 return SPECTRE_V2_CMD_NONE;
601 ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
603 return SPECTRE_V2_CMD_AUTO;
605 for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
606 if (!match_option(arg, ret, mitigation_options[i].option))
608 cmd = mitigation_options[i].cmd;
612 if (i >= ARRAY_SIZE(mitigation_options)) {
613 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
614 return SPECTRE_V2_CMD_AUTO;
617 if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
618 cmd == SPECTRE_V2_CMD_RETPOLINE_AMD ||
619 cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC) &&
620 !IS_ENABLED(CONFIG_RETPOLINE)) {
621 pr_err("%s selected but not compiled in. Switching to AUTO select\n", mitigation_options[i].option);
622 return SPECTRE_V2_CMD_AUTO;
625 if (cmd == SPECTRE_V2_CMD_RETPOLINE_AMD &&
626 boot_cpu_data.x86_vendor != X86_VENDOR_HYGON &&
627 boot_cpu_data.x86_vendor != X86_VENDOR_AMD) {
628 pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n");
629 return SPECTRE_V2_CMD_AUTO;
632 spec_v2_print_cond(mitigation_options[i].option,
633 mitigation_options[i].secure);
637 static void __init spectre_v2_select_mitigation(void)
639 enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
640 enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
643 * If the CPU is not affected and the command line mode is NONE or AUTO
644 * then nothing to do.
646 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
647 (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
651 case SPECTRE_V2_CMD_NONE:
654 case SPECTRE_V2_CMD_FORCE:
655 case SPECTRE_V2_CMD_AUTO:
656 if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
657 mode = SPECTRE_V2_IBRS_ENHANCED;
658 /* Force it so VMEXIT will restore correctly */
659 x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
660 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
661 goto specv2_set_mode;
663 if (IS_ENABLED(CONFIG_RETPOLINE))
666 case SPECTRE_V2_CMD_RETPOLINE_AMD:
667 if (IS_ENABLED(CONFIG_RETPOLINE))
670 case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
671 if (IS_ENABLED(CONFIG_RETPOLINE))
672 goto retpoline_generic;
674 case SPECTRE_V2_CMD_RETPOLINE:
675 if (IS_ENABLED(CONFIG_RETPOLINE))
679 pr_err("Spectre mitigation: kernel not compiled with retpoline; no mitigation available!");
683 if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
684 boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) {
686 if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
687 pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n");
688 goto retpoline_generic;
690 mode = SPECTRE_V2_RETPOLINE_AMD;
691 setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD);
692 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
695 mode = SPECTRE_V2_RETPOLINE_GENERIC;
696 setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
700 spectre_v2_enabled = mode;
701 pr_info("%s\n", spectre_v2_strings[mode]);
704 * If spectre v2 protection has been enabled, unconditionally fill
705 * RSB during a context switch; this protects against two independent
708 * - RSB underflow (and switch to BTB) on Skylake+
709 * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs
711 setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
712 pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
715 * Retpoline means the kernel is safe because it has no indirect
716 * branches. Enhanced IBRS protects firmware too, so, enable restricted
717 * speculation around firmware calls only when Enhanced IBRS isn't
720 * Use "mode" to check Enhanced IBRS instead of boot_cpu_has(), because
721 * the user might select retpoline on the kernel command line and if
722 * the CPU supports Enhanced IBRS, kernel might un-intentionally not
723 * enable IBRS around firmware calls.
725 if (boot_cpu_has(X86_FEATURE_IBRS) && mode != SPECTRE_V2_IBRS_ENHANCED) {
726 setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
727 pr_info("Enabling Restricted Speculation for firmware calls\n");
730 /* Set up IBPB and STIBP depending on the general spectre V2 command */
731 spectre_v2_user_select_mitigation(cmd);
734 static void update_stibp_msr(void * __unused)
736 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
739 /* Update x86_spec_ctrl_base in case SMT state changed. */
740 static void update_stibp_strict(void)
742 u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP;
744 if (sched_smt_active())
745 mask |= SPEC_CTRL_STIBP;
747 if (mask == x86_spec_ctrl_base)
750 pr_info("Update user space SMT mitigation: STIBP %s\n",
751 mask & SPEC_CTRL_STIBP ? "always-on" : "off");
752 x86_spec_ctrl_base = mask;
753 on_each_cpu(update_stibp_msr, NULL, 1);
756 /* Update the static key controlling the evaluation of TIF_SPEC_IB */
757 static void update_indir_branch_cond(void)
759 if (sched_smt_active())
760 static_branch_enable(&switch_to_cond_stibp);
762 static_branch_disable(&switch_to_cond_stibp);
766 #define pr_fmt(fmt) fmt
768 /* Update the static key controlling the MDS CPU buffer clear in idle */
769 static void update_mds_branch_idle(void)
772 * Enable the idle clearing if SMT is active on CPUs which are
773 * affected only by MSBDS and not any other MDS variant.
775 * The other variants cannot be mitigated when SMT is enabled, so
776 * clearing the buffers on idle just to prevent the Store Buffer
777 * repartitioning leak would be a window dressing exercise.
779 if (!boot_cpu_has_bug(X86_BUG_MSBDS_ONLY))
782 if (sched_smt_active())
783 static_branch_enable(&mds_idle_clear);
785 static_branch_disable(&mds_idle_clear);
788 #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
790 void arch_smt_update(void)
792 /* Enhanced IBRS implies STIBP. No update required. */
793 if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
796 mutex_lock(&spec_ctrl_mutex);
798 switch (spectre_v2_user) {
799 case SPECTRE_V2_USER_NONE:
801 case SPECTRE_V2_USER_STRICT:
802 case SPECTRE_V2_USER_STRICT_PREFERRED:
803 update_stibp_strict();
805 case SPECTRE_V2_USER_PRCTL:
806 case SPECTRE_V2_USER_SECCOMP:
807 update_indir_branch_cond();
811 switch (mds_mitigation) {
812 case MDS_MITIGATION_FULL:
813 case MDS_MITIGATION_VMWERV:
814 if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
815 pr_warn_once(MDS_MSG_SMT);
816 update_mds_branch_idle();
818 case MDS_MITIGATION_OFF:
822 mutex_unlock(&spec_ctrl_mutex);
826 #define pr_fmt(fmt) "Speculative Store Bypass: " fmt
828 static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
830 /* The kernel command line selection */
831 enum ssb_mitigation_cmd {
832 SPEC_STORE_BYPASS_CMD_NONE,
833 SPEC_STORE_BYPASS_CMD_AUTO,
834 SPEC_STORE_BYPASS_CMD_ON,
835 SPEC_STORE_BYPASS_CMD_PRCTL,
836 SPEC_STORE_BYPASS_CMD_SECCOMP,
839 static const char * const ssb_strings[] = {
840 [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
841 [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
842 [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
843 [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
846 static const struct {
848 enum ssb_mitigation_cmd cmd;
849 } ssb_mitigation_options[] __initconst = {
850 { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
851 { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
852 { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
853 { "prctl", SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
854 { "seccomp", SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
857 static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
859 enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
863 if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
864 cpu_mitigations_off()) {
865 return SPEC_STORE_BYPASS_CMD_NONE;
867 ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
870 return SPEC_STORE_BYPASS_CMD_AUTO;
872 for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
873 if (!match_option(arg, ret, ssb_mitigation_options[i].option))
876 cmd = ssb_mitigation_options[i].cmd;
880 if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
881 pr_err("unknown option (%s). Switching to AUTO select\n", arg);
882 return SPEC_STORE_BYPASS_CMD_AUTO;
889 static enum ssb_mitigation __init __ssb_select_mitigation(void)
891 enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
892 enum ssb_mitigation_cmd cmd;
894 if (!boot_cpu_has(X86_FEATURE_SSBD))
897 cmd = ssb_parse_cmdline();
898 if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
899 (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
900 cmd == SPEC_STORE_BYPASS_CMD_AUTO))
904 case SPEC_STORE_BYPASS_CMD_AUTO:
905 case SPEC_STORE_BYPASS_CMD_SECCOMP:
907 * Choose prctl+seccomp as the default mode if seccomp is
910 if (IS_ENABLED(CONFIG_SECCOMP))
911 mode = SPEC_STORE_BYPASS_SECCOMP;
913 mode = SPEC_STORE_BYPASS_PRCTL;
915 case SPEC_STORE_BYPASS_CMD_ON:
916 mode = SPEC_STORE_BYPASS_DISABLE;
918 case SPEC_STORE_BYPASS_CMD_PRCTL:
919 mode = SPEC_STORE_BYPASS_PRCTL;
921 case SPEC_STORE_BYPASS_CMD_NONE:
926 * If SSBD is controlled by the SPEC_CTRL MSR, then set the proper
927 * bit in the mask to allow guests to use the mitigation even in the
928 * case where the host does not enable it.
930 if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
931 static_cpu_has(X86_FEATURE_AMD_SSBD)) {
932 x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
936 * We have three CPU feature flags that are in play here:
937 * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
938 * - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
939 * - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
941 if (mode == SPEC_STORE_BYPASS_DISABLE) {
942 setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
944 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
945 * use a completely different MSR and bit dependent on family.
947 if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
948 !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
949 x86_amd_ssb_disable();
951 x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
952 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
959 static void ssb_select_mitigation(void)
961 ssb_mode = __ssb_select_mitigation();
963 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
964 pr_info("%s\n", ssb_strings[ssb_mode]);
968 #define pr_fmt(fmt) "Speculation prctl: " fmt
970 static void task_update_spec_tif(struct task_struct *tsk)
972 /* Force the update of the real TIF bits */
973 set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE);
976 * Immediately update the speculation control MSRs for the current
977 * task, but for a non-current task delay setting the CPU
978 * mitigation until it is scheduled next.
980 * This can only happen for SECCOMP mitigation. For PRCTL it's
981 * always the current task.
984 speculation_ctrl_update_current();
987 static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
989 if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
990 ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
995 /* If speculation is force disabled, enable is not allowed */
996 if (task_spec_ssb_force_disable(task))
998 task_clear_spec_ssb_disable(task);
999 task_clear_spec_ssb_noexec(task);
1000 task_update_spec_tif(task);
1002 case PR_SPEC_DISABLE:
1003 task_set_spec_ssb_disable(task);
1004 task_clear_spec_ssb_noexec(task);
1005 task_update_spec_tif(task);
1007 case PR_SPEC_FORCE_DISABLE:
1008 task_set_spec_ssb_disable(task);
1009 task_set_spec_ssb_force_disable(task);
1010 task_clear_spec_ssb_noexec(task);
1011 task_update_spec_tif(task);
1013 case PR_SPEC_DISABLE_NOEXEC:
1014 if (task_spec_ssb_force_disable(task))
1016 task_set_spec_ssb_disable(task);
1017 task_set_spec_ssb_noexec(task);
1018 task_update_spec_tif(task);
1026 static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
1029 case PR_SPEC_ENABLE:
1030 if (spectre_v2_user == SPECTRE_V2_USER_NONE)
1033 * Indirect branch speculation is always disabled in strict
1036 if (spectre_v2_user == SPECTRE_V2_USER_STRICT ||
1037 spectre_v2_user == SPECTRE_V2_USER_STRICT_PREFERRED)
1039 task_clear_spec_ib_disable(task);
1040 task_update_spec_tif(task);
1042 case PR_SPEC_DISABLE:
1043 case PR_SPEC_FORCE_DISABLE:
1045 * Indirect branch speculation is always allowed when
1046 * mitigation is force disabled.
1048 if (spectre_v2_user == SPECTRE_V2_USER_NONE)
1050 if (spectre_v2_user == SPECTRE_V2_USER_STRICT ||
1051 spectre_v2_user == SPECTRE_V2_USER_STRICT_PREFERRED)
1053 task_set_spec_ib_disable(task);
1054 if (ctrl == PR_SPEC_FORCE_DISABLE)
1055 task_set_spec_ib_force_disable(task);
1056 task_update_spec_tif(task);
1064 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
1068 case PR_SPEC_STORE_BYPASS:
1069 return ssb_prctl_set(task, ctrl);
1070 case PR_SPEC_INDIRECT_BRANCH:
1071 return ib_prctl_set(task, ctrl);
1077 #ifdef CONFIG_SECCOMP
1078 void arch_seccomp_spec_mitigate(struct task_struct *task)
1080 if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
1081 ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1082 if (spectre_v2_user == SPECTRE_V2_USER_SECCOMP)
1083 ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1087 static int ssb_prctl_get(struct task_struct *task)
1090 case SPEC_STORE_BYPASS_DISABLE:
1091 return PR_SPEC_DISABLE;
1092 case SPEC_STORE_BYPASS_SECCOMP:
1093 case SPEC_STORE_BYPASS_PRCTL:
1094 if (task_spec_ssb_force_disable(task))
1095 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
1096 if (task_spec_ssb_noexec(task))
1097 return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
1098 if (task_spec_ssb_disable(task))
1099 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
1100 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
1102 if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
1103 return PR_SPEC_ENABLE;
1104 return PR_SPEC_NOT_AFFECTED;
1108 static int ib_prctl_get(struct task_struct *task)
1110 if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
1111 return PR_SPEC_NOT_AFFECTED;
1113 switch (spectre_v2_user) {
1114 case SPECTRE_V2_USER_NONE:
1115 return PR_SPEC_ENABLE;
1116 case SPECTRE_V2_USER_PRCTL:
1117 case SPECTRE_V2_USER_SECCOMP:
1118 if (task_spec_ib_force_disable(task))
1119 return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
1120 if (task_spec_ib_disable(task))
1121 return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
1122 return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
1123 case SPECTRE_V2_USER_STRICT:
1124 case SPECTRE_V2_USER_STRICT_PREFERRED:
1125 return PR_SPEC_DISABLE;
1127 return PR_SPEC_NOT_AFFECTED;
1131 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
1134 case PR_SPEC_STORE_BYPASS:
1135 return ssb_prctl_get(task);
1136 case PR_SPEC_INDIRECT_BRANCH:
1137 return ib_prctl_get(task);
1143 void x86_spec_ctrl_setup_ap(void)
1145 if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
1146 wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
1148 if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
1149 x86_amd_ssb_disable();
1153 #define pr_fmt(fmt) "L1TF: " fmt
1155 /* Default mitigation for L1TF-affected CPUs */
1156 enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
1157 #if IS_ENABLED(CONFIG_KVM_INTEL)
1158 EXPORT_SYMBOL_GPL(l1tf_mitigation);
1160 enum vmx_l1d_flush_state l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
1161 EXPORT_SYMBOL_GPL(l1tf_vmx_mitigation);
1164 * These CPUs all support 44bits physical address space internally in the
1165 * cache but CPUID can report a smaller number of physical address bits.
1167 * The L1TF mitigation uses the top most address bit for the inversion of
1168 * non present PTEs. When the installed memory reaches into the top most
1169 * address bit due to memory holes, which has been observed on machines
1170 * which report 36bits physical address bits and have 32G RAM installed,
1171 * then the mitigation range check in l1tf_select_mitigation() triggers.
1172 * This is a false positive because the mitigation is still possible due to
1173 * the fact that the cache uses 44bit internally. Use the cache bits
1174 * instead of the reported physical bits and adjust them on the affected
1175 * machines to 44bit if the reported bits are less than 44.
1177 static void override_cache_bits(struct cpuinfo_x86 *c)
1182 switch (c->x86_model) {
1183 case INTEL_FAM6_NEHALEM:
1184 case INTEL_FAM6_WESTMERE:
1185 case INTEL_FAM6_SANDYBRIDGE:
1186 case INTEL_FAM6_IVYBRIDGE:
1187 case INTEL_FAM6_HASWELL_CORE:
1188 case INTEL_FAM6_HASWELL_ULT:
1189 case INTEL_FAM6_HASWELL_GT3E:
1190 case INTEL_FAM6_BROADWELL_CORE:
1191 case INTEL_FAM6_BROADWELL_GT3E:
1192 case INTEL_FAM6_SKYLAKE_MOBILE:
1193 case INTEL_FAM6_SKYLAKE_DESKTOP:
1194 case INTEL_FAM6_KABYLAKE_MOBILE:
1195 case INTEL_FAM6_KABYLAKE_DESKTOP:
1196 if (c->x86_cache_bits < 44)
1197 c->x86_cache_bits = 44;
1202 static void __init l1tf_select_mitigation(void)
1206 if (!boot_cpu_has_bug(X86_BUG_L1TF))
1209 if (cpu_mitigations_off())
1210 l1tf_mitigation = L1TF_MITIGATION_OFF;
1211 else if (cpu_mitigations_auto_nosmt())
1212 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
1214 override_cache_bits(&boot_cpu_data);
1216 switch (l1tf_mitigation) {
1217 case L1TF_MITIGATION_OFF:
1218 case L1TF_MITIGATION_FLUSH_NOWARN:
1219 case L1TF_MITIGATION_FLUSH:
1221 case L1TF_MITIGATION_FLUSH_NOSMT:
1222 case L1TF_MITIGATION_FULL:
1223 cpu_smt_disable(false);
1225 case L1TF_MITIGATION_FULL_FORCE:
1226 cpu_smt_disable(true);
1230 #if CONFIG_PGTABLE_LEVELS == 2
1231 pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n");
1235 half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
1236 if (l1tf_mitigation != L1TF_MITIGATION_OFF &&
1237 e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
1238 pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
1239 pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
1241 pr_info("However, doing so will make a part of your RAM unusable.\n");
1242 pr_info("Reading https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html might help you decide.\n");
1246 setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV);
1249 static int __init l1tf_cmdline(char *str)
1251 if (!boot_cpu_has_bug(X86_BUG_L1TF))
1257 if (!strcmp(str, "off"))
1258 l1tf_mitigation = L1TF_MITIGATION_OFF;
1259 else if (!strcmp(str, "flush,nowarn"))
1260 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOWARN;
1261 else if (!strcmp(str, "flush"))
1262 l1tf_mitigation = L1TF_MITIGATION_FLUSH;
1263 else if (!strcmp(str, "flush,nosmt"))
1264 l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
1265 else if (!strcmp(str, "full"))
1266 l1tf_mitigation = L1TF_MITIGATION_FULL;
1267 else if (!strcmp(str, "full,force"))
1268 l1tf_mitigation = L1TF_MITIGATION_FULL_FORCE;
1272 early_param("l1tf", l1tf_cmdline);
1275 #define pr_fmt(fmt) fmt
1279 #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
1281 #if IS_ENABLED(CONFIG_KVM_INTEL)
1282 static const char * const l1tf_vmx_states[] = {
1283 [VMENTER_L1D_FLUSH_AUTO] = "auto",
1284 [VMENTER_L1D_FLUSH_NEVER] = "vulnerable",
1285 [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes",
1286 [VMENTER_L1D_FLUSH_ALWAYS] = "cache flushes",
1287 [VMENTER_L1D_FLUSH_EPT_DISABLED] = "EPT disabled",
1288 [VMENTER_L1D_FLUSH_NOT_REQUIRED] = "flush not necessary"
1291 static ssize_t l1tf_show_state(char *buf)
1293 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_AUTO)
1294 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
1296 if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
1297 (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
1298 sched_smt_active())) {
1299 return sprintf(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
1300 l1tf_vmx_states[l1tf_vmx_mitigation]);
1303 return sprintf(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
1304 l1tf_vmx_states[l1tf_vmx_mitigation],
1305 sched_smt_active() ? "vulnerable" : "disabled");
1308 static ssize_t l1tf_show_state(char *buf)
1310 return sprintf(buf, "%s\n", L1TF_DEFAULT_MSG);
1314 static ssize_t mds_show_state(char *buf)
1316 if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
1317 return sprintf(buf, "%s; SMT Host state unknown\n",
1318 mds_strings[mds_mitigation]);
1321 if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
1322 return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
1323 (mds_mitigation == MDS_MITIGATION_OFF ? "vulnerable" :
1324 sched_smt_active() ? "mitigated" : "disabled"));
1327 return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
1328 sched_smt_active() ? "vulnerable" : "disabled");
1331 static char *stibp_state(void)
1333 if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
1336 switch (spectre_v2_user) {
1337 case SPECTRE_V2_USER_NONE:
1338 return ", STIBP: disabled";
1339 case SPECTRE_V2_USER_STRICT:
1340 return ", STIBP: forced";
1341 case SPECTRE_V2_USER_STRICT_PREFERRED:
1342 return ", STIBP: always-on";
1343 case SPECTRE_V2_USER_PRCTL:
1344 case SPECTRE_V2_USER_SECCOMP:
1345 if (static_key_enabled(&switch_to_cond_stibp))
1346 return ", STIBP: conditional";
1351 static char *ibpb_state(void)
1353 if (boot_cpu_has(X86_FEATURE_IBPB)) {
1354 if (static_key_enabled(&switch_mm_always_ibpb))
1355 return ", IBPB: always-on";
1356 if (static_key_enabled(&switch_mm_cond_ibpb))
1357 return ", IBPB: conditional";
1358 return ", IBPB: disabled";
1363 static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
1364 char *buf, unsigned int bug)
1366 if (!boot_cpu_has_bug(bug))
1367 return sprintf(buf, "Not affected\n");
1370 case X86_BUG_CPU_MELTDOWN:
1371 if (boot_cpu_has(X86_FEATURE_PTI))
1372 return sprintf(buf, "Mitigation: PTI\n");
1374 if (hypervisor_is_type(X86_HYPER_XEN_PV))
1375 return sprintf(buf, "Unknown (XEN PV detected, hypervisor mitigation required)\n");
1379 case X86_BUG_SPECTRE_V1:
1380 return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
1382 case X86_BUG_SPECTRE_V2:
1383 return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
1385 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
1387 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
1388 spectre_v2_module_string());
1390 case X86_BUG_SPEC_STORE_BYPASS:
1391 return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
1394 if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))
1395 return l1tf_show_state(buf);
1399 return mds_show_state(buf);
1405 return sprintf(buf, "Vulnerable\n");
1408 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
1410 return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
1413 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
1415 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
1418 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
1420 return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
1423 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
1425 return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
1428 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
1430 return cpu_show_common(dev, attr, buf, X86_BUG_L1TF);
1433 ssize_t cpu_show_mds(struct device *dev, struct device_attribute *attr, char *buf)
1435 return cpu_show_common(dev, attr, buf, X86_BUG_MDS);
projects / linux-2.6-block.git / blob