From: David Kaplan <david.kaplan@amd.com>
To: Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@kernel.org>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Ingo Molnar <mingo@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>, <x86@kernel.org>,
"H . Peter Anvin" <hpa@zytor.com>
Cc: <linux-kernel@vger.kernel.org>,
Brendan Jackman <jackmanb@google.com>,
Derek Manwaring <derekmn@amazon.com>
Subject: [PATCH v4 02/36] x86/bugs: Restructure taa mitigation
Date: Mon, 10 Mar 2025 11:39:49 -0500 [thread overview]
Message-ID: <20250310164023.779191-3-david.kaplan@amd.com> (raw)
In-Reply-To: <20250310164023.779191-1-david.kaplan@amd.com>
Restructure taa mitigation to use select/update/apply functions to
create consistent vulnerability handling.
Signed-off-by: David Kaplan <david.kaplan@amd.com>
---
arch/x86/kernel/cpu/bugs.c | 94 ++++++++++++++++++++++++--------------
1 file changed, 59 insertions(+), 35 deletions(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 71da57c4f83b..2fd58b7089c4 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -65,6 +65,8 @@ static void __init mds_apply_mitigation(void);
static void __init md_clear_update_mitigation(void);
static void __init md_clear_select_mitigation(void);
static void __init taa_select_mitigation(void);
+static void __init taa_update_mitigation(void);
+static void __init taa_apply_mitigation(void);
static void __init mmio_select_mitigation(void);
static void __init srbds_select_mitigation(void);
static void __init l1d_flush_select_mitigation(void);
@@ -191,6 +193,7 @@ void __init cpu_select_mitigations(void)
ssb_select_mitigation();
l1tf_select_mitigation();
mds_select_mitigation();
+ taa_select_mitigation();
md_clear_select_mitigation();
srbds_select_mitigation();
l1d_flush_select_mitigation();
@@ -207,8 +210,10 @@ void __init cpu_select_mitigations(void)
* choices.
*/
mds_update_mitigation();
+ taa_update_mitigation();
mds_apply_mitigation();
+ taa_apply_mitigation();
}
/*
@@ -388,6 +393,11 @@ static const char * const taa_strings[] = {
[TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled",
};
+static bool __init taa_vulnerable(void)
+{
+ return boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM);
+}
+
static void __init taa_select_mitigation(void)
{
if (!boot_cpu_has_bug(X86_BUG_TAA)) {
@@ -401,48 +411,63 @@ static void __init taa_select_mitigation(void)
return;
}
- if (cpu_mitigations_off()) {
+ if (cpu_mitigations_off())
taa_mitigation = TAA_MITIGATION_OFF;
- return;
- }
- /*
- * TAA mitigation via VERW is turned off if both
- * tsx_async_abort=off and mds=off are specified.
- */
- if (taa_mitigation == TAA_MITIGATION_OFF &&
- mds_mitigation == MDS_MITIGATION_OFF)
+ /* Microcode will be checked in taa_update_mitigation(). */
+ if (taa_mitigation == TAA_MITIGATION_AUTO)
+ taa_mitigation = TAA_MITIGATION_VERW;
+
+ if (taa_mitigation != TAA_MITIGATION_OFF)
+ verw_mitigation_selected = true;
+}
+
+static void __init taa_update_mitigation(void)
+{
+ if (!taa_vulnerable() || cpu_mitigations_off())
return;
- if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
+ if (verw_mitigation_selected)
taa_mitigation = TAA_MITIGATION_VERW;
- else
- taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
- /*
- * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
- * A microcode update fixes this behavior to clear CPU buffers. It also
- * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
- * ARCH_CAP_TSX_CTRL_MSR bit.
- *
- * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
- * update is required.
- */
- if ( (x86_arch_cap_msr & ARCH_CAP_MDS_NO) &&
- !(x86_arch_cap_msr & ARCH_CAP_TSX_CTRL_MSR))
- taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
+ if (taa_mitigation == TAA_MITIGATION_VERW) {
+ /* Check if the requisite ucode is available. */
+ if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
+ taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
- /*
- * TSX is enabled, select alternate mitigation for TAA which is
- * the same as MDS. Enable MDS static branch to clear CPU buffers.
- *
- * For guests that can't determine whether the correct microcode is
- * present on host, enable the mitigation for UCODE_NEEDED as well.
- */
- setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
+ /*
+ * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1.
+ * A microcode update fixes this behavior to clear CPU buffers. It also
+ * adds support for MSR_IA32_TSX_CTRL which is enumerated by the
+ * ARCH_CAP_TSX_CTRL_MSR bit.
+ *
+ * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode
+ * update is required.
+ */
+ if ((x86_arch_cap_msr & ARCH_CAP_MDS_NO) &&
+ !(x86_arch_cap_msr & ARCH_CAP_TSX_CTRL_MSR))
+ taa_mitigation = TAA_MITIGATION_UCODE_NEEDED;
+ }
- if (taa_nosmt || cpu_mitigations_auto_nosmt())
- cpu_smt_disable(false);
+ pr_info("%s\n", taa_strings[taa_mitigation]);
+}
+
+static void __init taa_apply_mitigation(void)
+{
+ if (taa_mitigation == TAA_MITIGATION_VERW ||
+ taa_mitigation == TAA_MITIGATION_UCODE_NEEDED) {
+ /*
+ * TSX is enabled, select alternate mitigation for TAA which is
+ * the same as MDS. Enable MDS static branch to clear CPU buffers.
+ *
+ * For guests that can't determine whether the correct microcode is
+ * present on host, enable the mitigation for UCODE_NEEDED as well.
+ */
+ setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
+
+ if (taa_nosmt || cpu_mitigations_auto_nosmt())
+ cpu_smt_disable(false);
+ }
}
static int __init tsx_async_abort_parse_cmdline(char *str)
@@ -651,7 +676,6 @@ static void __init md_clear_update_mitigation(void)
static void __init md_clear_select_mitigation(void)
{
- taa_select_mitigation();
mmio_select_mitigation();
rfds_select_mitigation();
--
2.34.1
next prev parent reply other threads:[~2025-03-10 16:40 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-10 16:39 [PATCH v4 00/36] Attack vector controls David Kaplan
2025-03-10 16:39 ` [PATCH v4 01/36] x86/bugs: Restructure mds mitigation David Kaplan
2025-03-10 16:39 ` David Kaplan [this message]
2025-03-10 16:39 ` [PATCH v4 03/36] x86/bugs: Restructure mmio mitigation David Kaplan
2025-03-13 9:36 ` Borislav Petkov
2025-03-13 14:19 ` Kaplan, David
2025-03-13 19:26 ` Pawan Gupta
2025-03-18 14:16 ` MMIO and VERW Borislav Petkov
2025-03-18 16:25 ` Pawan Gupta
2025-03-18 16:34 ` Borislav Petkov
2025-03-18 16:56 ` Pawan Gupta
2025-03-18 17:37 ` Borislav Petkov
2025-03-18 18:15 ` Pawan Gupta
2025-03-18 18:55 ` Borislav Petkov
2025-03-24 9:29 ` [PATCH v4 03/36] x86/bugs: Restructure mmio mitigation Borislav Petkov
2025-03-24 17:41 ` Pawan Gupta
2025-03-25 11:31 ` Borislav Petkov
2025-03-10 16:39 ` [PATCH v4 04/36] x86/bugs: Restructure rfds mitigation David Kaplan
2025-04-10 16:24 ` Josh Poimboeuf
2025-04-14 19:10 ` Kaplan, David
2025-03-10 16:39 ` [PATCH v4 05/36] x86/bugs: Remove md_clear_*_mitigation() David Kaplan
2025-03-10 16:39 ` [PATCH v4 06/36] x86/bugs: Restructure srbds mitigation David Kaplan
2025-03-10 16:39 ` [PATCH v4 07/36] x86/bugs: Restructure gds mitigation David Kaplan
2025-03-10 16:39 ` [PATCH v4 08/36] x86/bugs: Restructure spectre_v1 mitigation David Kaplan
2025-03-10 16:39 ` [PATCH v4 09/36] x86/bugs: Only allow retbleed=stuff on Intel David Kaplan
2025-03-10 16:39 ` [PATCH v4 10/36] x86/bugs: Restructure retbleed mitigation David Kaplan
2025-03-10 16:39 ` [PATCH v4 11/36] x86/bugs: Restructure spectre_v2_user mitigation David Kaplan
2025-03-12 9:49 ` kernel test robot
2025-04-10 16:26 ` Josh Poimboeuf
2025-04-14 19:20 ` Kaplan, David
2025-04-10 16:41 ` Josh Poimboeuf
2025-04-14 19:20 ` Kaplan, David
2025-04-14 23:48 ` Josh Poimboeuf
2025-04-15 14:56 ` Kaplan, David
2025-03-10 16:39 ` [PATCH v4 12/36] x86/bugs: Restructure bhi mitigation David Kaplan
2025-03-10 16:40 ` [PATCH v4 13/36] x86/bugs: Restructure spectre_v2 mitigation David Kaplan
2025-04-10 17:08 ` Josh Poimboeuf
2025-04-14 19:25 ` Kaplan, David
2025-03-10 16:40 ` [PATCH v4 14/36] x86/bugs: Restructure ssb mitigation David Kaplan
2025-03-10 16:40 ` [PATCH v4 15/36] x86/bugs: Restructure l1tf mitigation David Kaplan
2025-03-10 16:40 ` [PATCH v4 16/36] x86/bugs: Restructure srso mitigation David Kaplan
2025-04-10 17:38 ` Josh Poimboeuf
2025-04-14 21:12 ` Kaplan, David
2025-03-10 16:40 ` [PATCH v4 17/36] Documentation/x86: Document the new attack vector controls David Kaplan
2025-04-10 18:14 ` Josh Poimboeuf
2025-04-14 21:15 ` Kaplan, David
2025-04-14 23:51 ` Josh Poimboeuf
2025-04-15 14:59 ` Kaplan, David
2025-04-15 15:32 ` Josh Poimboeuf
2025-04-15 16:10 ` Kaplan, David
2025-04-15 16:47 ` Josh Poimboeuf
2025-04-15 17:06 ` Kaplan, David
2025-03-10 16:40 ` [PATCH v4 18/36] cpu: Define attack vectors David Kaplan
2025-04-10 18:12 ` Josh Poimboeuf
2025-04-14 21:20 ` Kaplan, David
2025-03-10 16:40 ` [PATCH v4 19/36] x86/Kconfig: Arch attack vector support David Kaplan
2025-03-10 16:40 ` [PATCH v4 20/36] x86/bugs: Determine relevant vulnerabilities based on attack vector controls David Kaplan
2025-03-12 11:32 ` kernel test robot
2025-03-10 16:40 ` [PATCH v4 21/36] x86/bugs: Add attack vector controls for mds David Kaplan
2025-03-10 16:40 ` [PATCH v4 22/36] x86/bugs: Add attack vector controls for taa David Kaplan
2025-03-10 16:40 ` [PATCH v4 23/36] x86/bugs: Add attack vector controls for mmio David Kaplan
2025-03-10 16:40 ` [PATCH v4 24/36] x86/bugs: Add attack vector controls for rfds David Kaplan
2025-03-10 16:40 ` [PATCH v4 25/36] x86/bugs: Add attack vector controls for srbds David Kaplan
2025-03-10 16:40 ` [PATCH v4 26/36] x86/bugs: Add attack vector controls for gds David Kaplan
2025-03-10 16:40 ` [PATCH v4 27/36] x86/bugs: Add attack vector controls for spectre_v1 David Kaplan
2025-03-10 16:40 ` [PATCH v4 28/36] x86/bugs: Add attack vector controls for retbleed David Kaplan
2025-03-10 16:40 ` [PATCH v4 29/36] x86/bugs: Add attack vector controls for spectre_v2_user David Kaplan
2025-03-10 16:40 ` [PATCH v4 30/36] x86/bugs: Add attack vector controls for bhi David Kaplan
2025-03-10 16:40 ` [PATCH v4 31/36] x86/bugs: Add attack vector controls for spectre_v2 David Kaplan
2025-03-10 16:40 ` [PATCH v4 32/36] x86/bugs: Add attack vector controls for l1tf David Kaplan
2025-03-10 16:40 ` [PATCH v4 33/36] x86/bugs: Add attack vector controls for srso David Kaplan
2025-03-10 16:40 ` [PATCH v4 34/36] x86/pti: Add attack vector controls for pti David Kaplan
2025-03-10 16:40 ` [PATCH v4 35/36] x86/bugs: Print enabled attack vectors David Kaplan
2025-03-10 16:40 ` [PATCH v4 36/36] cpu: Show attack vectors in sysfs David Kaplan
2025-03-10 18:45 ` [PATCH v4 00/36] Attack vector controls Ingo Molnar
2025-03-10 20:46 ` Kaplan, David
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250310164023.779191-3-david.kaplan@amd.com \
--to=david.kaplan@amd.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=derekmn@amazon.com \
--cc=hpa@zytor.com \
--cc=jackmanb@google.com \
--cc=jpoimboe@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.