x86/bugs: Add AUTO mitigations for mds/taa/mmio/rfds
authorDavid Kaplan <david.kaplan@amd.com>
Wed, 8 Jan 2025 20:24:43 +0000 (14:24 -0600)
committerBorislav Petkov (AMD) <bp@alien8.de>
Fri, 28 Feb 2025 11:40:21 +0000 (12:40 +0100)
Add AUTO mitigations for mds/taa/mmio/rfds to create consistent vulnerability
handling.  These AUTO mitigations will be turned into the appropriate default
mitigations in the <vuln>_select_mitigation() functions.  Later, these will be
used with the new attack vector controls to help select appropriate
mitigations.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20250108202515.385902-4-david.kaplan@amd.com
arch/x86/include/asm/processor.h
arch/x86/kernel/cpu/bugs.c

index c0cd10182e90c12eed155cbdf4ec1d72b76409ab..90278d0c071b04782e28abe39eaef8c6f5a83e6d 100644 (file)
@@ -757,6 +757,7 @@ extern enum l1tf_mitigations l1tf_mitigation;
 
 enum mds_mitigations {
        MDS_MITIGATION_OFF,
+       MDS_MITIGATION_AUTO,
        MDS_MITIGATION_FULL,
        MDS_MITIGATION_VMWERV,
 };
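Review bot: `MDS_MITIGATION_AUTO` is added to `enum mds_mitigations` with no comment saying that it is a boot-time placeholder rather than an applied mitigation. It is also inserted between `OFF` and `FULL`, which renumbers `FULL` and `VMWERV`. I would add `/* AUTO: not yet selected; mds_select_mitigation() must replace it before the state is used or reported */` on the new enumerator and check that nothing depends on the old numeric values. The same applies to the `TAA_`, `MMIO_` and `RFDS_` enums in arch/x86/kernel/cpu/bugs.c.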
index 4269ed110308317d88fad1c1692c7c0b2fe46f8e..93c437f44c24520b4b4417b030b913b80efe83e4 100644 (file)
@@ -238,7 +238,7 @@ static void x86_amd_ssb_disable(void)
 
 /* Default mitigation for MDS-affected CPUs */
 static enum mds_mitigations mds_mitigation __ro_after_init =
-       IS_ENABLED(CONFIG_MITIGATION_MDS) ? MDS_MITIGATION_FULL : MDS_MITIGATION_OFF;
+       IS_ENABLED(CONFIG_MITIGATION_MDS) ? MDS_MITIGATION_AUTO : MDS_MITIGATION_OFF;
 static bool mds_nosmt __ro_after_init = false;
 
 static const char * const mds_strings[] = {
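Review bot: `mds_strings[]`, which opens on the last line of this hunk, gets no entry for `MDS_MITIGATION_AUTO` anywhere in this diff, while the changed line above makes `MDS_MITIGATION_AUTO` the default. The table body and its users are outside the hunk, so this is inferred: if the table is indexed by `mds_mitigation` with designated initializers, a state left at AUTO would be reported through a NULL slot instead of as unmitigated. Either add an explicit entry for AUTO, or put a comment next to the table stating that AUTO is always resolved in `mds_select_mitigation()` before the state is reported.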
@@ -249,6 +249,7 @@ static const char * const mds_strings[] = {
 
 enum taa_mitigations {
        TAA_MITIGATION_OFF,
+       TAA_MITIGATION_AUTO,
        TAA_MITIGATION_UCODE_NEEDED,
        TAA_MITIGATION_VERW,
        TAA_MITIGATION_TSX_DISABLED,
@@ -256,27 +257,29 @@ enum taa_mitigations {
 
 /* Default mitigation for TAA-affected CPUs */
 static enum taa_mitigations taa_mitigation __ro_after_init =
-       IS_ENABLED(CONFIG_MITIGATION_TAA) ? TAA_MITIGATION_VERW : TAA_MITIGATION_OFF;
+       IS_ENABLED(CONFIG_MITIGATION_TAA) ? TAA_MITIGATION_AUTO : TAA_MITIGATION_OFF;
 
 enum mmio_mitigations {
        MMIO_MITIGATION_OFF,
+       MMIO_MITIGATION_AUTO,
        MMIO_MITIGATION_UCODE_NEEDED,
        MMIO_MITIGATION_VERW,
 };
 
 /* Default mitigation for Processor MMIO Stale Data vulnerabilities */
 static enum mmio_mitigations mmio_mitigation __ro_after_init =
-       IS_ENABLED(CONFIG_MITIGATION_MMIO_STALE_DATA) ? MMIO_MITIGATION_VERW : MMIO_MITIGATION_OFF;
+       IS_ENABLED(CONFIG_MITIGATION_MMIO_STALE_DATA) ? MMIO_MITIGATION_AUTO : MMIO_MITIGATION_OFF;
 
 enum rfds_mitigations {
        RFDS_MITIGATION_OFF,
+       RFDS_MITIGATION_AUTO,
        RFDS_MITIGATION_VERW,
        RFDS_MITIGATION_UCODE_NEEDED,
 };
 
 /* Default mitigation for Register File Data Sampling */
 static enum rfds_mitigations rfds_mitigation __ro_after_init =
-       IS_ENABLED(CONFIG_MITIGATION_RFDS) ? RFDS_MITIGATION_VERW : RFDS_MITIGATION_OFF;
+       IS_ENABLED(CONFIG_MITIGATION_RFDS) ? RFDS_MITIGATION_AUTO : RFDS_MITIGATION_OFF;
 
 static void __init mds_select_mitigation(void)
 {
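Review bot: The defaults for `taa_mitigation` and `mmio_mitigation` change from `..._VERW` to `..._AUTO` here, but unlike mds and rfds the diff has no hunk that turns AUTO back into a concrete mitigation in `taa_select_mitigation()` or `mmio_select_mitigation()`. Those functions are not on this page; presumably they assign the final value unconditionally, but any check written as `== TAA_MITIGATION_VERW` or `== MMIO_MITIGATION_VERW` that runs before selection would no longer match the default. I would at least extend the comments to say where resolution happens, e.g. `/* Default mitigation for TAA-affected CPUs; AUTO is resolved in taa_select_mitigation() */`, and likewise for mmio. `mds_select_mitigation()` begins on the last lines of this hunk and continues outside it.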
@@ -285,6 +288,9 @@ static void __init mds_select_mitigation(void)
                return;
        }
 
+       if (mds_mitigation == MDS_MITIGATION_AUTO)
+               mds_mitigation = MDS_MITIGATION_FULL;
+
        if (mds_mitigation == MDS_MITIGATION_FULL) {
                if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
                        mds_mitigation = MDS_MITIGATION_VMWERV;
@@ -514,6 +520,9 @@ static void __init rfds_select_mitigation(void)
        if (rfds_mitigation == RFDS_MITIGATION_OFF)
                return;
 
+       if (rfds_mitigation == RFDS_MITIGATION_AUTO)
+               rfds_mitigation = RFDS_MITIGATION_VERW;
+
        if (x86_arch_cap_msr & ARCH_CAP_RFDS_CLEAR)
                setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
        else
@@ -1979,6 +1988,7 @@ void cpu_bugs_smt_update(void)
 
        switch (mds_mitigation) {
        case MDS_MITIGATION_FULL:
+       case MDS_MITIGATION_AUTO:
        case MDS_MITIGATION_VMWERV:
                if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
                        pr_warn_once(MDS_MSG_SMT);
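Review bot: The new `case MDS_MITIGATION_AUTO:` label in `cpu_bugs_smt_update()` groups the unresolved placeholder with real mitigations, with no comment on whether it can be reached. Since `mds_select_mitigation()` replaces AUTO with `MDS_MITIGATION_FULL`, the label looks like it exists only for switch completeness; if it were ever hit, the SMT warning would be printed for a CPU on which no mitigation was actually selected. A short comment such as `/* AUTO is resolved at boot; listed so the switch covers every enumerator */` would record that. The same goes for the `TAA_MITIGATION_AUTO` and `MMIO_MITIGATION_AUTO` labels in the two following hunks. The switch statements continue outside these hunks.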
@@ -1990,6 +2000,7 @@ void cpu_bugs_smt_update(void)
 
        switch (taa_mitigation) {
        case TAA_MITIGATION_VERW:
+       case TAA_MITIGATION_AUTO:
        case TAA_MITIGATION_UCODE_NEEDED:
                if (sched_smt_active())
                        pr_warn_once(TAA_MSG_SMT);
@@ -2001,6 +2012,7 @@ void cpu_bugs_smt_update(void)
 
        switch (mmio_mitigation) {
        case MMIO_MITIGATION_VERW:
+       case MMIO_MITIGATION_AUTO:
        case MMIO_MITIGATION_UCODE_NEEDED:
                if (sched_smt_active())
                        pr_warn_once(MMIO_MSG_SMT);