* [PATCH v2 0/5] Bugs clean-up
@ 2025-08-19 19:21 David Kaplan
  2025-08-19 19:21 ` [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user David Kaplan
From: David Kaplan @ 2025-08-19 19:21 UTC (permalink / raw)
  To: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Josh Poimboeuf,
	Pawan Gupta, Ingo Molnar, Dave Hansen, x86, H . Peter Anvin
  Cc: linux-kernel

Patches 1-3 focus on cleaning up parameter parsing.  Most mitigations use
early_param but a few older ones do not and look at boot_command_line
directly.  Modify those to be consistent with the newer ones.

Patch 4 adds missing attack vector controls for spec store bypass.

Patch 5 cleans up straggling unnecessary calls to cpu_mitigations_off().

Changes from v1
   - Removed spec_*_print_cond() functions
   - Fixed bugs pointed out by Pawan
   - Added last 2 patches

David Kaplan (5):
  x86/bugs: Use early_param for spectre_v2_user
  x86/bugs: Use early_param for spectre_v2
  x86/bugs: Simplify SSB cmdline parsing
  x86/bugs: Add attack vector controls for SSB
  x86/bugs: Remove uses of cpu_mitigations_off()

 .../hw-vuln/attack_vector_controls.rst        |   5 +-
 arch/x86/include/asm/nospec-branch.h          |   1 +
 arch/x86/kernel/cpu/bugs.c                    | 387 ++++++++----------
 3 files changed, 169 insertions(+), 224 deletions(-)


base-commit: 2fd6a6194558303fffd2d7a7fa73fc318d680f38
-- 
2.34.1



* [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user
  2025-08-19 19:21 [PATCH v2 0/5] Bugs clean-up David Kaplan
@ 2025-08-19 19:21 ` David Kaplan
  2025-08-20 18:37   ` Borislav Petkov
  2025-08-27 21:51   ` Josh Poimboeuf
  2025-08-19 19:21 ` [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2 David Kaplan
From: David Kaplan @ 2025-08-19 19:21 UTC (permalink / raw)
  To: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Josh Poimboeuf,
	Pawan Gupta, Ingo Molnar, Dave Hansen, x86, H . Peter Anvin
  Cc: linux-kernel

Most of the mitigations in bugs.c use early_param to parse their command
line options.  Modify spectre_v2_user to use early_param for consistency.

Remove spec_v2_user_print_cond() because informing a user about their
cmdline choice isn't very interesting and the chosen mitigation is already
printed in spectre_v2_user_update_mitigation().

Signed-off-by: David Kaplan <david.kaplan@amd.com>
---
 arch/x86/kernel/cpu/bugs.c | 65 +++++++++++++++-----------------------
 1 file changed, 26 insertions(+), 39 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 49ef1b832c1a..de78b76ae851 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1826,7 +1826,7 @@ enum spectre_v2_mitigation_cmd {
 
 static enum spectre_v2_mitigation_cmd spectre_v2_cmd __ro_after_init = SPECTRE_V2_CMD_AUTO;
 
-enum spectre_v2_user_cmd {
+enum spectre_v2_user_mitigation_cmd {
 	SPECTRE_V2_USER_CMD_NONE,
 	SPECTRE_V2_USER_CMD_AUTO,
 	SPECTRE_V2_USER_CMD_FORCE,
@@ -1836,6 +1836,9 @@ enum spectre_v2_user_cmd {
 	SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
 };
 
+static enum spectre_v2_user_mitigation_cmd spectre_v2_user_cmd __ro_after_init =
+	SPECTRE_V2_USER_CMD_AUTO;
+
 static const char * const spectre_v2_user_strings[] = {
 	[SPECTRE_V2_USER_NONE]			= "User space: Vulnerable",
 	[SPECTRE_V2_USER_STRICT]		= "User space: Mitigation: STIBP protection",
@@ -1844,50 +1847,34 @@ static const char * const spectre_v2_user_strings[] = {
 	[SPECTRE_V2_USER_SECCOMP]		= "User space: Mitigation: STIBP via seccomp and prctl",
 };
 
-static const struct {
-	const char			*option;
-	enum spectre_v2_user_cmd	cmd;
-	bool				secure;
-} v2_user_options[] __initconst = {
-	{ "auto",		SPECTRE_V2_USER_CMD_AUTO,		false },
-	{ "off",		SPECTRE_V2_USER_CMD_NONE,		false },
-	{ "on",			SPECTRE_V2_USER_CMD_FORCE,		true  },
-	{ "prctl",		SPECTRE_V2_USER_CMD_PRCTL,		false },
-	{ "prctl,ibpb",		SPECTRE_V2_USER_CMD_PRCTL_IBPB,		false },
-	{ "seccomp",		SPECTRE_V2_USER_CMD_SECCOMP,		false },
-	{ "seccomp,ibpb",	SPECTRE_V2_USER_CMD_SECCOMP_IBPB,	false },
-};
-
-static void __init spec_v2_user_print_cond(const char *reason, bool secure)
-{
-	if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
-		pr_info("spectre_v2_user=%s forced on command line.\n", reason);
-}
-
-static enum spectre_v2_user_cmd __init spectre_v2_parse_user_cmdline(void)
+static int __init spectre_v2_parse_user_cmdline(char *str)
 {
-	char arg[20];
-	int ret, i;
+	if (!str)
+		return -EINVAL;
 
 	if (!IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2))
 		return SPECTRE_V2_USER_CMD_NONE;
 
-	ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
-				  arg, sizeof(arg));
-	if (ret < 0)
-		return SPECTRE_V2_USER_CMD_AUTO;
-
-	for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
-		if (match_option(arg, ret, v2_user_options[i].option)) {
-			spec_v2_user_print_cond(v2_user_options[i].option,
-						v2_user_options[i].secure);
-			return v2_user_options[i].cmd;
-		}
-	}
+	if (!strcmp(str, "auto"))
+		spectre_v2_user_cmd = SPECTRE_V2_USER_CMD_AUTO;
+	else if (!strcmp(str, "off"))
+		spectre_v2_user_cmd = SPECTRE_V2_USER_CMD_NONE;
+	else if (!strcmp(str, "on"))
+		spectre_v2_user_cmd = SPECTRE_V2_USER_CMD_FORCE;
+	else if (!strcmp(str, "prctl"))
+		spectre_v2_user_cmd = SPECTRE_V2_USER_CMD_PRCTL;
+	else if (!strcmp(str, "prctl,ibpb"))
+		spectre_v2_user_cmd = SPECTRE_V2_USER_CMD_PRCTL_IBPB;
+	else if (!strcmp(str, "seccomp"))
+		spectre_v2_user_cmd = SPECTRE_V2_USER_CMD_SECCOMP;
+	else if (!strcmp(str, "seccomp,ibpb"))
+		spectre_v2_user_cmd = SPECTRE_V2_USER_CMD_SECCOMP_IBPB;
+	else
+		pr_err("Ignoring unknown spectre_v2_user option (%s).", str);
 
-	pr_err("Unknown user space protection option (%s). Switching to default\n", arg);
-	return SPECTRE_V2_USER_CMD_AUTO;
+	return 0;
 }
+early_param("spectre_v2_user", spectre_v2_parse_user_cmdline);
 
 static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
 {
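Review bot: The `if (!IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2))` branch in spectre_v2_parse_user_cmdline() returns the enum value `SPECTRE_V2_USER_CMD_NONE` from an int-returning early_param callback and, more importantly, leaves `spectre_v2_user_cmd` at its `SPECTRE_V2_USER_CMD_AUTO` initializer, where the removed code returned `SPECTRE_V2_USER_CMD_NONE` for a disabled config. Unless the AUTO case of spectre_v2_user_select_mitigation() (outside this hunk) already resolves to no mitigation when the config is off, that is a behaviour change; initializing with `IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2) ? SPECTRE_V2_USER_CMD_AUTO : SPECTRE_V2_USER_CMD_NONE` and writing `return 0;` in the callback keeps the old semantics. The `pr_err("Ignoring unknown spectre_v2_user option (%s).", str);` line is also missing the trailing `\n` that the other messages in this file carry.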
@@ -1899,7 +1886,7 @@ static void __init spectre_v2_user_select_mitigation(void)
 	if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
 		return;
 
-	switch (spectre_v2_parse_user_cmdline()) {
+	switch (spectre_v2_user_cmd) {
 	case SPECTRE_V2_USER_CMD_NONE:
 		return;
 	case SPECTRE_V2_USER_CMD_FORCE:
-- 
2.34.1



* [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2
  2025-08-19 19:21 [PATCH v2 0/5] Bugs clean-up David Kaplan
  2025-08-19 19:21 ` [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user David Kaplan
@ 2025-08-19 19:21 ` David Kaplan
  2025-08-22 11:49   ` Borislav Petkov
  2025-08-19 19:21 ` [PATCH v2 3/5] x86/bugs: Simplify SSB cmdline parsing David Kaplan
From: David Kaplan @ 2025-08-19 19:21 UTC (permalink / raw)
  To: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Josh Poimboeuf,
	Pawan Gupta, Ingo Molnar, Dave Hansen, x86, H . Peter Anvin
  Cc: linux-kernel

Most of the mitigations in bugs.c use early_param for command line parsing.
Rework the spectre_v2 and nospectre_v2 command line options to be
consistent with the others.

Remove spec_v2_print_cond(), as informing the user of their cmdline
choice isn't interesting.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
---
 arch/x86/kernel/cpu/bugs.c | 186 +++++++++++++++++--------------------
 1 file changed, 87 insertions(+), 99 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index de78b76ae851..44e0315b58a5 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1824,7 +1824,8 @@ enum spectre_v2_mitigation_cmd {
 	SPECTRE_V2_CMD_IBRS,
 };
 
-static enum spectre_v2_mitigation_cmd spectre_v2_cmd __ro_after_init = SPECTRE_V2_CMD_AUTO;
+static enum spectre_v2_mitigation_cmd spectre_v2_cmd __ro_after_init =
+	IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2) ? SPECTRE_V2_CMD_AUTO : SPECTRE_V2_CMD_NONE;
 
 enum spectre_v2_user_mitigation_cmd {
 	SPECTRE_V2_USER_CMD_NONE,
@@ -2021,112 +2022,51 @@ static const char * const spectre_v2_strings[] = {
 	[SPECTRE_V2_IBRS]			= "Mitigation: IBRS",
 };
 
-static const struct {
-	const char *option;
-	enum spectre_v2_mitigation_cmd cmd;
-	bool secure;
-} mitigation_options[] __initconst = {
-	{ "off",		SPECTRE_V2_CMD_NONE,		  false },
-	{ "on",			SPECTRE_V2_CMD_FORCE,		  true  },
-	{ "retpoline",		SPECTRE_V2_CMD_RETPOLINE,	  false },
-	{ "retpoline,amd",	SPECTRE_V2_CMD_RETPOLINE_LFENCE,  false },
-	{ "retpoline,lfence",	SPECTRE_V2_CMD_RETPOLINE_LFENCE,  false },
-	{ "retpoline,generic",	SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
-	{ "eibrs",		SPECTRE_V2_CMD_EIBRS,		  false },
-	{ "eibrs,lfence",	SPECTRE_V2_CMD_EIBRS_LFENCE,	  false },
-	{ "eibrs,retpoline",	SPECTRE_V2_CMD_EIBRS_RETPOLINE,	  false },
-	{ "auto",		SPECTRE_V2_CMD_AUTO,		  false },
-	{ "ibrs",		SPECTRE_V2_CMD_IBRS,              false },
-};
+static bool nospectre_v2 __ro_after_init;
 
-static void __init spec_v2_print_cond(const char *reason, bool secure)
+static int __init nospectre_v2_parse_cmdline(char *str)
 {
-	if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
-		pr_info("%s selected on command line.\n", reason);
+	nospectre_v2 = true;
+	spectre_v2_cmd = SPECTRE_V2_CMD_NONE;
+	return 0;
 }
+early_param("nospectre_v2", nospectre_v2_parse_cmdline);
 
-static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
+static int __init spectre_v2_parse_cmdline(char *str)
 {
-	enum spectre_v2_mitigation_cmd cmd;
-	char arg[20];
-	int ret, i;
-
-	cmd = IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2) ?  SPECTRE_V2_CMD_AUTO : SPECTRE_V2_CMD_NONE;
-	if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
-		return SPECTRE_V2_CMD_NONE;
-
-	ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
-	if (ret < 0)
-		return cmd;
-
-	for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
-		if (!match_option(arg, ret, mitigation_options[i].option))
-			continue;
-		cmd = mitigation_options[i].cmd;
-		break;
-	}
-
-	if (i >= ARRAY_SIZE(mitigation_options)) {
-		pr_err("unknown option (%s). Switching to default mode\n", arg);
-		return cmd;
-	}
-
-	if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
-	     cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
-	     cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
-	     cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
-	     cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
-	    !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE)) {
-		pr_err("%s selected but not compiled in. Switching to AUTO select\n",
-		       mitigation_options[i].option);
-		return SPECTRE_V2_CMD_AUTO;
-	}
-
-	if ((cmd == SPECTRE_V2_CMD_EIBRS ||
-	     cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
-	     cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
-	    !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
-		pr_err("%s selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n",
-		       mitigation_options[i].option);
-		return SPECTRE_V2_CMD_AUTO;
-	}
-
-	if ((cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
-	     cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
-	    !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
-		pr_err("%s selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n",
-		       mitigation_options[i].option);
-		return SPECTRE_V2_CMD_AUTO;
-	}
-
-	if (cmd == SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_MITIGATION_IBRS_ENTRY)) {
-		pr_err("%s selected but not compiled in. Switching to AUTO select\n",
-		       mitigation_options[i].option);
-		return SPECTRE_V2_CMD_AUTO;
-	}
-
-	if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {
-		pr_err("%s selected but not Intel CPU. Switching to AUTO select\n",
-		       mitigation_options[i].option);
-		return SPECTRE_V2_CMD_AUTO;
-	}
+	if (!str)
+		return -EINVAL;
 
-	if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {
-		pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n",
-		       mitigation_options[i].option);
-		return SPECTRE_V2_CMD_AUTO;
-	}
+	if (nospectre_v2)
+		return 0;
 
-	if (cmd == SPECTRE_V2_CMD_IBRS && cpu_feature_enabled(X86_FEATURE_XENPV)) {
-		pr_err("%s selected but running as XenPV guest. Switching to AUTO select\n",
-		       mitigation_options[i].option);
-		return SPECTRE_V2_CMD_AUTO;
-	}
+	if (!strcmp(str, "off"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_NONE;
+	else if (!strcmp(str, "on"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_FORCE;
+	else if (!strcmp(str, "retpoline"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_RETPOLINE;
+	else if (!strcmp(str, "retpoline,amd") ||
+		 !strcmp(str, "retpoline,lfence"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_RETPOLINE_LFENCE;
+	else if (!strcmp(str, "retpoline,generic"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_RETPOLINE_GENERIC;
+	else if (!strcmp(str, "eibrs"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_EIBRS;
+	else if (!strcmp(str, "eibrs,lfence"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_EIBRS_LFENCE;
+	else if (!strcmp(str, "eibrs,retpoline"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_EIBRS_RETPOLINE;
+	else if (!strcmp(str, "auto"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
+	else if (!strcmp(str, "ibrs"))
+		spectre_v2_cmd = SPECTRE_V2_CMD_IBRS;
+	else
+		pr_err("Ignoring unknown spectre_v2 option (%s).", str);
 
-	spec_v2_print_cond(mitigation_options[i].option,
-			   mitigation_options[i].secure);
-	return cmd;
+	return 0;
 }
+early_param("spectre_v2", spectre_v2_parse_cmdline);
 
 static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void)
 {
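Review bot: `pr_err("Ignoring unknown spectre_v2 option (%s).", str);` lacks the trailing `\n` that every other message in this function has. The `nospectre_v2` flag is also doing double duty: nospectre_v2_parse_cmdline() resets `spectre_v2_cmd` to NONE for the case where `spectre_v2=` came earlier on the command line, and the early return in spectre_v2_parse_cmdline() covers the case where it comes later, so a comment at the declaration such as `/* nospectre_v2 wins over spectre_v2= regardless of their order on the command line */` would spare the next reader re-deriving that. Note that `spectre_v2=` still overrides the NONE default when CONFIG_MITIGATION_SPECTRE_V2 is off, as the removed code allowed, which differs from how the SSB parser in this series treats a disabled config.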
@@ -2312,9 +2252,57 @@ static void __init bhi_apply_mitigation(void)
 	setup_force_cpu_cap(X86_FEATURE_CLEAR_BHB_VMEXIT);
 }
 
+static void __init spectre_v2_check_cmd(void)
+{
+	if ((spectre_v2_cmd == SPECTRE_V2_CMD_RETPOLINE ||
+	     spectre_v2_cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
+	     spectre_v2_cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
+	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
+	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
+	    !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE)) {
+		pr_err("RETPOLINE selected but not compiled in. Switching to AUTO select\n");
+		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
+	}
+
+	if ((spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS ||
+	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
+	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
+	    !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
+		pr_err("EIBRS selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n");
+		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
+	}
+
+	if ((spectre_v2_cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
+	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
+	    !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
+		pr_err("LFENCE selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n");
+		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
+	}
+
+	if (spectre_v2_cmd == SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_MITIGATION_IBRS_ENTRY)) {
+		pr_err("IBRS selected but not compiled in. Switching to AUTO select\n");
+		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
+	}
+
+	if (spectre_v2_cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {
+		pr_err("IBRS selected but not Intel CPU. Switching to AUTO select\n");
+		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
+	}
+
+	if (spectre_v2_cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {
+		pr_err("IBRS selected but CPU doesn't have IBRS. Switching to AUTO select\n");
+		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
+	}
+
+	if (spectre_v2_cmd == SPECTRE_V2_CMD_IBRS && cpu_feature_enabled(X86_FEATURE_XENPV)) {
+		pr_err("IBRS selected but running as XenPV guest. Switching to AUTO select\n");
+		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
+	}
+}
+
 static void __init spectre_v2_select_mitigation(void)
 {
-	spectre_v2_cmd = spectre_v2_parse_cmdline();
+	spectre_v2_check_cmd();
 
 	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
 	    (spectre_v2_cmd == SPECTRE_V2_CMD_NONE || spectre_v2_cmd == SPECTRE_V2_CMD_AUTO))
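Review bot: spectre_v2_check_cmd() reports a fixed mitigation family rather than what the user typed, so `spectre_v2=eibrs,lfence` on a kernel without CONFIG_MITIGATION_RETPOLINE now prints `RETPOLINE selected but not compiled in`, where the removed `%s` with the option string was unambiguous. A small `const char *` lookup indexed by `spectre_v2_cmd`, or folding the selected command into each message, would restore that. The function also deserves a one-line header explaining why it is separate from the early_param callback — presumably because `boot_cpu_has()` and `boot_cpu_data` must be valid when it runs — e.g. `/* Validate the cmdline selection against build config and CPU features; called from spectre_v2_select_mitigation() after CPU feature detection. */`. spectre_v2_select_mitigation() continues past the end of this hunk.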
-- 
2.34.1



* [PATCH v2 3/5] x86/bugs: Simplify SSB cmdline parsing
  2025-08-19 19:21 [PATCH v2 0/5] Bugs clean-up David Kaplan
  2025-08-19 19:21 ` [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user David Kaplan
  2025-08-19 19:21 ` [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2 David Kaplan
@ 2025-08-19 19:21 ` David Kaplan
  2025-08-27 22:02   ` Josh Poimboeuf
  2025-08-19 19:21 ` [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB David Kaplan
From: David Kaplan @ 2025-08-19 19:21 UTC (permalink / raw)
  To: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Josh Poimboeuf,
	Pawan Gupta, Ingo Molnar, Dave Hansen, x86, H . Peter Anvin
  Cc: linux-kernel

Simplify the SSB command line parsing by selecting a mitigation directly,
as is done in most of the simpler vulnerabilities.  Use early_param instead
of cmdline_find_option for consistency with the other mitigation
selections.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
---
 arch/x86/kernel/cpu/bugs.c | 118 ++++++++++++-------------------------
 1 file changed, 39 insertions(+), 79 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 44e0315b58a5..8dc654ccdbb9 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2594,16 +2594,8 @@ void cpu_bugs_smt_update(void)
 #undef pr_fmt
 #define pr_fmt(fmt)	"Speculative Store Bypass: " fmt
 
-static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
-
-/* The kernel command line selection */
-enum ssb_mitigation_cmd {
-	SPEC_STORE_BYPASS_CMD_NONE,
-	SPEC_STORE_BYPASS_CMD_AUTO,
-	SPEC_STORE_BYPASS_CMD_ON,
-	SPEC_STORE_BYPASS_CMD_PRCTL,
-	SPEC_STORE_BYPASS_CMD_SECCOMP,
-};
+static enum ssb_mitigation ssb_mode __ro_after_init =
+	IS_ENABLED(CONFIG_MITIGATION_SSB) ? SPEC_STORE_BYPASS_PRCTL : SPEC_STORE_BYPASS_NONE;
 
 static const char * const ssb_strings[] = {
 	[SPEC_STORE_BYPASS_NONE]	= "Vulnerable",
@@ -2612,89 +2604,57 @@ static const char * const ssb_strings[] = {
 	[SPEC_STORE_BYPASS_SECCOMP]	= "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
 };
 
-static const struct {
-	const char *option;
-	enum ssb_mitigation_cmd cmd;
-} ssb_mitigation_options[]  __initconst = {
-	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO },    /* Platform decides */
-	{ "on",		SPEC_STORE_BYPASS_CMD_ON },      /* Disable Speculative Store Bypass */
-	{ "off",	SPEC_STORE_BYPASS_CMD_NONE },    /* Don't touch Speculative Store Bypass */
-	{ "prctl",	SPEC_STORE_BYPASS_CMD_PRCTL },   /* Disable Speculative Store Bypass via prctl */
-	{ "seccomp",	SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
-};
+static bool nossb __ro_after_init;
 
-static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
+static int __init nossb_parse_cmdline(char *str)
 {
-	enum ssb_mitigation_cmd cmd;
-	char arg[20];
-	int ret, i;
+	nossb = true;
+	ssb_mode = SPEC_STORE_BYPASS_NONE;
+	return 0;
+}
+early_param("nospec_store_bypass_disable", nossb_parse_cmdline);
 
-	cmd = IS_ENABLED(CONFIG_MITIGATION_SSB) ?
-		SPEC_STORE_BYPASS_CMD_AUTO : SPEC_STORE_BYPASS_CMD_NONE;
-	if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
-	    cpu_mitigations_off()) {
-		return SPEC_STORE_BYPASS_CMD_NONE;
-	} else {
-		ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
-					  arg, sizeof(arg));
-		if (ret < 0)
-			return cmd;
+static int __init ssb_parse_cmdline(char *str)
+{
+	if (!str)
+		return -EINVAL;
 
-		for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
-			if (!match_option(arg, ret, ssb_mitigation_options[i].option))
-				continue;
+	if (!IS_ENABLED(CONFIG_MITIGATION_SSB))
+		return 0;
 
-			cmd = ssb_mitigation_options[i].cmd;
-			break;
-		}
+	if (nossb)
+		return 0;
 
-		if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
-			pr_err("unknown option (%s). Switching to default mode\n", arg);
-			return cmd;
-		}
-	}
+	if (!strcmp(str, "auto"))
+		ssb_mode = SPEC_STORE_BYPASS_PRCTL;
+	else if (!strcmp(str, "on"))
+		ssb_mode = SPEC_STORE_BYPASS_DISABLE;
+	else if (!strcmp(str, "off"))
+		ssb_mode = SPEC_STORE_BYPASS_NONE;
+	else if (!strcmp(str, "prctl"))
+		ssb_mode = SPEC_STORE_BYPASS_PRCTL;
+	else if (!strcmp(str, "seccomp"))
+		ssb_mode = IS_ENABLED(CONFIG_SECCOMP) ?
+			SPEC_STORE_BYPASS_SECCOMP : SPEC_STORE_BYPASS_PRCTL;
+	else
+		pr_err("Ignoring unknown spec_store_bypass_disable option (%s).\n",
+			str);
 
-	return cmd;
+	return 0;
 }
+early_param("spec_store_bypass_disable", ssb_parse_cmdline);
 
 static void __init ssb_select_mitigation(void)
 {
-	enum ssb_mitigation_cmd cmd;
-
-	if (!boot_cpu_has(X86_FEATURE_SSBD))
-		goto out;
-
-	cmd = ssb_parse_cmdline();
-	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
-	    (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
-	     cmd == SPEC_STORE_BYPASS_CMD_AUTO))
+	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) || cpu_mitigations_off()) {
+		ssb_mode = SPEC_STORE_BYPASS_NONE;
 		return;
-
-	switch (cmd) {
-	case SPEC_STORE_BYPASS_CMD_SECCOMP:
-		/*
-		 * Choose prctl+seccomp as the default mode if seccomp is
-		 * enabled.
-		 */
-		if (IS_ENABLED(CONFIG_SECCOMP))
-			ssb_mode = SPEC_STORE_BYPASS_SECCOMP;
-		else
-			ssb_mode = SPEC_STORE_BYPASS_PRCTL;
-		break;
-	case SPEC_STORE_BYPASS_CMD_ON:
-		ssb_mode = SPEC_STORE_BYPASS_DISABLE;
-		break;
-	case SPEC_STORE_BYPASS_CMD_AUTO:
-	case SPEC_STORE_BYPASS_CMD_PRCTL:
-		ssb_mode = SPEC_STORE_BYPASS_PRCTL;
-		break;
-	case SPEC_STORE_BYPASS_CMD_NONE:
-		break;
 	}
 
-out:
-	if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
-		pr_info("%s\n", ssb_strings[ssb_mode]);
+	if (!boot_cpu_has(X86_FEATURE_SSBD))
+		ssb_mode = SPEC_STORE_BYPASS_NONE;
+
+	pr_info("%s\n", ssb_strings[ssb_mode]);
 }
 
 static void __init ssb_apply_mitigation(void)
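Review bot: ssb_select_mitigation() now forces `ssb_mode` to SPEC_STORE_BYPASS_NONE whenever X86_BUG_SPEC_STORE_BYPASS is clear, whereas the removed code only bailed out for the NONE/AUTO commands and still honoured an explicit `spec_store_bypass_disable=on` or `=prctl` on a CPU that has SSBD but no bug flag. That matches how the other mitigations in this file behave, but it is a user-visible change the commit message does not mention. A related asymmetry: ssb_parse_cmdline() ignores every option when CONFIG_MITIGATION_SSB is off, so `spec_store_bypass_disable=on` can no longer enable the mitigation on such a kernel, while the old `cmd` override allowed it; either state both in the changelog or keep the old behaviour.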
-- 
2.34.1



* [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-19 19:21 [PATCH v2 0/5] Bugs clean-up David Kaplan
                   ` (2 preceding siblings ...)
  2025-08-19 19:21 ` [PATCH v2 3/5] x86/bugs: Simplify SSB cmdline parsing David Kaplan
@ 2025-08-19 19:21 ` David Kaplan
  2025-08-21  6:17   ` Pawan Gupta
  2025-08-28 13:39   ` [tip: x86/urgent] " tip-bot2 for David Kaplan
  2025-08-19 19:22 ` [PATCH v2 5/5] x86/bugs: Remove uses of cpu_mitigations_off() David Kaplan
  2025-08-21  6:18 ` [PATCH v2 0/5] Bugs clean-up Pawan Gupta
From: David Kaplan @ 2025-08-19 19:21 UTC (permalink / raw)
  To: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Josh Poimboeuf,
	Pawan Gupta, Ingo Molnar, Dave Hansen, x86, H . Peter Anvin
  Cc: linux-kernel

Attack vector controls for SSB were missed in the initial attack vector
series.  The default mitigation for SSB requires user-space opt-in so it is
only relevant for user->user attacks.  Add an AUTO mitigation for SSB and
use this attack vector control to select the SSB mitigation.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
---
 .../hw-vuln/attack_vector_controls.rst         |  5 +----
 arch/x86/include/asm/nospec-branch.h           |  1 +
 arch/x86/kernel/cpu/bugs.c                     | 18 +++++++++++++++---
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
index 6dd0800146f6..5964901d66e3 100644
--- a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
+++ b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
@@ -215,7 +215,7 @@ Spectre_v2            X                           X
 Spectre_v2_user                      X                           X            *       (Note 1)
 SRBDS                 X              X            X              X
 SRSO                  X              X            X              X
-SSB                                                                                   (Note 4)
+SSB                                  X
 TAA                   X              X            X              X            *       (Note 2)
 TSA                   X              X            X              X
 =============== ============== ============ ============= ============== ============ ========
@@ -229,9 +229,6 @@ Notes:
    3 --  Disables SMT if cross-thread mitigations are fully enabled, the CPU is
    vulnerable, and STIBP is not supported
 
-   4 --  Speculative store bypass is always enabled by default (no kernel
-   mitigation applied) unless overridden with spec_store_bypass_disable option
-
 When an attack-vector is disabled, all mitigations for the vulnerabilities
 listed in the above table are disabled, unless mitigation is required for a
 different enabled attack-vector or a mitigation is explicitly selected via a
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 10f261678749..e263c126723a 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -514,6 +514,7 @@ enum spectre_v2_user_mitigation {
 /* The Speculative Store Bypass disable variants */
 enum ssb_mitigation {
 	SPEC_STORE_BYPASS_NONE,
+	SPEC_STORE_BYPASS_AUTO,
 	SPEC_STORE_BYPASS_DISABLE,
 	SPEC_STORE_BYPASS_PRCTL,
 	SPEC_STORE_BYPASS_SECCOMP,
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 8dc654ccdbb9..059269f3f56f 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -416,6 +416,10 @@ static bool __init should_mitigate_vuln(unsigned int bug)
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER) ||
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_GUEST_GUEST) ||
 		       (smt_mitigations != SMT_MITIGATIONS_OFF);
+
+	case X86_BUG_SPEC_STORE_BYPASS:
+		return cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER);
+
 	default:
 		WARN(1, "Unknown bug %x\n", bug);
 		return false;
@@ -2595,7 +2599,7 @@ void cpu_bugs_smt_update(void)
 #define pr_fmt(fmt)	"Speculative Store Bypass: " fmt
 
 static enum ssb_mitigation ssb_mode __ro_after_init =
-	IS_ENABLED(CONFIG_MITIGATION_SSB) ? SPEC_STORE_BYPASS_PRCTL : SPEC_STORE_BYPASS_NONE;
+	IS_ENABLED(CONFIG_MITIGATION_SSB) ? SPEC_STORE_BYPASS_AUTO : SPEC_STORE_BYPASS_NONE;
 
 static const char * const ssb_strings[] = {
 	[SPEC_STORE_BYPASS_NONE]	= "Vulnerable",
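Review bot: `ssb_strings[]` gains no entry for the new SPEC_STORE_BYPASS_AUTO, which is now the default value of `ssb_mode`, so every `ssb_strings[ssb_mode]` lookup depends on ssb_select_mitigation() having resolved AUTO before anything prints. The ssb_prctl_get() change later in this patch treats AUTO as reachable after selection, which makes that assumption worth pinning down: either give AUTO a string or put a comment on the initializer such as `/* AUTO is resolved in ssb_select_mitigation(); ssb_strings[] has no entry for it */`.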
@@ -2626,7 +2630,7 @@ static int __init ssb_parse_cmdline(char *str)
 		return 0;
 
 	if (!strcmp(str, "auto"))
-		ssb_mode = SPEC_STORE_BYPASS_PRCTL;
+		ssb_mode = SPEC_STORE_BYPASS_AUTO;
 	else if (!strcmp(str, "on"))
 		ssb_mode = SPEC_STORE_BYPASS_DISABLE;
 	else if (!strcmp(str, "off"))
@@ -2646,11 +2650,18 @@ early_param("spec_store_bypass_disable", ssb_parse_cmdline);
 
 static void __init ssb_select_mitigation(void)
 {
-	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) || cpu_mitigations_off()) {
+	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) {
 		ssb_mode = SPEC_STORE_BYPASS_NONE;
 		return;
 	}
 
+	if (ssb_mode == SPEC_STORE_BYPASS_AUTO) {
+		if (should_mitigate_vuln(X86_BUG_SPEC_STORE_BYPASS))
+			ssb_mode = SPEC_STORE_BYPASS_PRCTL;
+		else
+			ssb_mode = SPEC_STORE_BYPASS_NONE;
+	}
+
 	if (!boot_cpu_has(X86_FEATURE_SSBD))
 		ssb_mode = SPEC_STORE_BYPASS_NONE;
 
@@ -2870,6 +2881,7 @@ static int ssb_prctl_get(struct task_struct *task)
 		return PR_SPEC_DISABLE;
 	case SPEC_STORE_BYPASS_SECCOMP:
 	case SPEC_STORE_BYPASS_PRCTL:
+	case SPEC_STORE_BYPASS_AUTO:
 		if (task_spec_ssb_force_disable(task))
 			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
 		if (task_spec_ssb_noexec(task))
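Review bot: The new `case SPEC_STORE_BYPASS_AUTO:` in ssb_prctl_get() implies `ssb_mode` can still be AUTO when a prctl arrives, yet ssb_select_mitigation() in this same patch rewrites AUTO to PRCTL or NONE before returning. If AUTO genuinely cannot survive selection, the case is dead and a comment saying so is better than silently aliasing it to PRCTL; if it can (say a path that skips ssb_select_mitigation()), the other switches over `ssb_mode` — ssb_prctl_set() and the sysfs reporting, both outside this hunk — presumably need the same case. ssb_prctl_get() begins before this hunk.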
-- 
2.34.1



* [PATCH v2 5/5] x86/bugs: Remove uses of cpu_mitigations_off()
  2025-08-19 19:21 [PATCH v2 0/5] Bugs clean-up David Kaplan
                   ` (3 preceding siblings ...)
  2025-08-19 19:21 ` [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB David Kaplan
@ 2025-08-19 19:22 ` David Kaplan
  2025-08-21  6:18 ` [PATCH v2 0/5] Bugs clean-up Pawan Gupta
From: David Kaplan @ 2025-08-19 19:22 UTC (permalink / raw)
  To: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Josh Poimboeuf,
	Pawan Gupta, Ingo Molnar, Dave Hansen, x86, H . Peter Anvin
  Cc: linux-kernel

cpu_mitigations_off() is no longer needed because all bugs use attack
vector controls to select a mitigation, and cpu_mitigations_off() is
equivalent to no attack vectors being selected.

Remove the few remaining unnecessary uses of this function in this file.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
---
 arch/x86/kernel/cpu/bugs.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 059269f3f56f..556b3ba638f0 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -670,8 +670,7 @@ static const char * const mmio_strings[] = {
 
 static void __init mmio_select_mitigation(void)
 {
-	if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||
-	     cpu_mitigations_off()) {
+	if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
 		mmio_mitigation = MMIO_MITIGATION_OFF;
 		return;
 	}
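Review bot: Dropping `cpu_mitigations_off()` from the early exit changes precedence in mmio_select_mitigation(): with `mitigations=off` plus an explicit `mmio_stale_data=` selection, the old code forced MMIO_MITIGATION_OFF, while the new code leaves the explicitly chosen mode in place (assuming the AUTO resolution further down the function, outside this hunk, is the only place attack-vector state is consulted). That matches the documented attack-vector rule that an explicit cmdline selection wins, but it is a behaviour change the commit message should spell out rather than describing the call as merely unnecessary.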
@@ -3201,14 +3200,15 @@ static void __init srso_select_mitigation(void)
 
 static void __init srso_update_mitigation(void)
 {
+	if (!boot_cpu_has_bug(X86_BUG_SRSO))
+		return;
+
 	/* If retbleed is using IBPB, that works for SRSO as well */
 	if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB &&
 	    boot_cpu_has(X86_FEATURE_IBPB_BRTYPE))
 		srso_mitigation = SRSO_MITIGATION_IBPB;
 
-	if (boot_cpu_has_bug(X86_BUG_SRSO) &&
-	    !cpu_mitigations_off())
-		pr_info("%s\n", srso_strings[srso_mitigation]);
+	pr_info("%s\n", srso_strings[srso_mitigation]);
 }
 
 static void __init srso_apply_mitigation(void)
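Review bot: The new `if (!boot_cpu_has_bug(X86_BUG_SRSO)) return;` at the top of srso_update_mitigation() also skips the retbleed-IBPB aliasing below it, which the removed code performed unconditionally and only gated the pr_info() on. On an unaffected CPU `srso_mitigation` presumably stays at its default so nothing observable changes, but it is a second behaviour change in a hunk presented as a print-only clean-up and deserves a sentence in the changelog. The pr_info() now also fires under `mitigations=off`, which is only correct if srso_select_mitigation() (outside this hunk) already resolves the mode to its off value in that case.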
-- 
2.34.1



* Re: [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user
  2025-08-19 19:21 ` [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user David Kaplan
@ 2025-08-20 18:37   ` Borislav Petkov
  2025-08-27 21:51   ` Josh Poimboeuf
From: Borislav Petkov @ 2025-08-20 18:37 UTC (permalink / raw)
  To: David Kaplan
  Cc: Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf, Pawan Gupta,
	Ingo Molnar, Dave Hansen, x86, H . Peter Anvin, linux-kernel

On Tue, Aug 19, 2025 at 02:21:56PM -0500, David Kaplan wrote:
> Most of the mitigations in bugs.c use early_param to parse their command
> line options.  Modify spectre_v2_user to use early_param for consistency.
> 
> Remove spec_v2_user_print_cond() because informing a user about their
> cmdline choice isn't very interesting and the chosen mitigation is already
> printed in spectre_v2_user_update_mitigation().
> 
> Signed-off-by: David Kaplan <david.kaplan@amd.com>
> ---
>  arch/x86/kernel/cpu/bugs.c | 65 +++++++++++++++-----------------------
>  1 file changed, 26 insertions(+), 39 deletions(-)

Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-19 19:21 ` [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB David Kaplan
@ 2025-08-21  6:17   ` Pawan Gupta
  2025-08-27 10:27     ` Borislav Petkov
  2025-08-28 13:39   ` [tip: x86/urgent] " tip-bot2 for David Kaplan
  1 sibling, 1 reply; 27+ messages in thread
From: Pawan Gupta @ 2025-08-21  6:17 UTC (permalink / raw)
  To: David Kaplan
  Cc: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86, H . Peter Anvin, linux-kernel

On Tue, Aug 19, 2025 at 02:21:59PM -0500, David Kaplan wrote:
> @@ -2646,11 +2650,18 @@ early_param("spec_store_bypass_disable", ssb_parse_cmdline);
>  
>  static void __init ssb_select_mitigation(void)
>  {
> -	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) || cpu_mitigations_off()) {
> +	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) {

Nothing major, but this change belongs to the next patch that cleans up
cpu_mitigations_off().


* Re: [PATCH v2 0/5] Bugs clean-up
  2025-08-19 19:21 [PATCH v2 0/5] Bugs clean-up David Kaplan
                   ` (4 preceding siblings ...)
  2025-08-19 19:22 ` [PATCH v2 5/5] x86/bugs: Remove uses of cpu_mitigations_off() David Kaplan
@ 2025-08-21  6:18 ` Pawan Gupta
  5 siblings, 0 replies; 27+ messages in thread
From: Pawan Gupta @ 2025-08-21  6:18 UTC (permalink / raw)
  To: David Kaplan
  Cc: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86, H . Peter Anvin, linux-kernel

On Tue, Aug 19, 2025 at 02:21:55PM -0500, David Kaplan wrote:
> Patches 1-3 focus on cleaning up parameter parsing.  Most mitigations use
> early_param but a few older ones do not and look at boot_command_line
> directly.  Modify those to be consistent with the newer ones.
> 
> Patch 4 adds missing attack vector controls for spec store bypass.
> 
> Patch 5 cleans up straggling unnecessary calls to cpu_mitigations_off().
> 
> Changes from v1
>    - Removed spec_*_print_cond() functions
>    - Fixed bugs pointed out by Pawan
>    - Added last 2 patches
> 
> David Kaplan (5):
>   x86/bugs: Use early_param for spectre_v2_user
>   x86/bugs: Use early_param for spectre_v2
>   x86/bugs: Simplify SSB cmdline parsing
>   x86/bugs: Add attack vector controls for SSB
>   x86/bugs: Remove uses of cpu_mitigations_off()

For the series:

Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>


* Re: [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2
  2025-08-19 19:21 ` [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2 David Kaplan
@ 2025-08-22 11:49   ` Borislav Petkov
  2025-08-22 14:12     ` Kaplan, David
  0 siblings, 1 reply; 27+ messages in thread
From: Borislav Petkov @ 2025-08-22 11:49 UTC (permalink / raw)
  To: David Kaplan
  Cc: Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf, Pawan Gupta,
	Ingo Molnar, Dave Hansen, x86, H . Peter Anvin, linux-kernel

On Tue, Aug 19, 2025 at 02:21:57PM -0500, David Kaplan wrote:
> +static void __init spectre_v2_check_cmd(void)

Why the separate function?

This can simply go in spectre_v2_select_mitigation() before the switch-case
like with all the others *_select_mitigation() functions...

> +{
> +	if ((spectre_v2_cmd == SPECTRE_V2_CMD_RETPOLINE ||
> +	     spectre_v2_cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
> +	     spectre_v2_cmd == SPECTRE_V2_CMD_RETPOLINE_GENERIC ||
> +	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
> +	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
> +	    !IS_ENABLED(CONFIG_MITIGATION_RETPOLINE)) {
> +		pr_err("RETPOLINE selected but not compiled in. Switching to AUTO select\n");
> +		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
> +	}
> +
> +	if ((spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS ||
> +	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_LFENCE ||
> +	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_RETPOLINE) &&
> +	    !boot_cpu_has(X86_FEATURE_IBRS_ENHANCED)) {
> +		pr_err("EIBRS selected but CPU doesn't have Enhanced or Automatic IBRS. Switching to AUTO select\n");
> +		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
> +	}
> +
> +	if ((spectre_v2_cmd == SPECTRE_V2_CMD_RETPOLINE_LFENCE ||
> +	     spectre_v2_cmd == SPECTRE_V2_CMD_EIBRS_LFENCE) &&
> +	    !boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
> +		pr_err("LFENCE selected, but CPU doesn't have a serializing LFENCE. Switching to AUTO select\n");
> +		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
> +	}
> +
> +	if (spectre_v2_cmd == SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_MITIGATION_IBRS_ENTRY)) {
> +		pr_err("IBRS selected but not compiled in. Switching to AUTO select\n");
> +		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
> +	}
> +
> +	if (spectre_v2_cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {
> +		pr_err("IBRS selected but not Intel CPU. Switching to AUTO select\n");
> +		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
> +	}
> +
> +	if (spectre_v2_cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {
> +		pr_err("IBRS selected but CPU doesn't have IBRS. Switching to AUTO select\n");
> +		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
> +	}
> +
> +	if (spectre_v2_cmd == SPECTRE_V2_CMD_IBRS && cpu_feature_enabled(X86_FEATURE_XENPV)) {
> +		pr_err("IBRS selected but running as XenPV guest. Switching to AUTO select\n");
> +		spectre_v2_cmd = SPECTRE_V2_CMD_AUTO;
> +	}
> +}
> +
>  static void __init spectre_v2_select_mitigation(void)
>  {
> -	spectre_v2_cmd = spectre_v2_parse_cmdline();
> +	spectre_v2_check_cmd();
>  
>  	if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
>  	    (spectre_v2_cmd == SPECTRE_V2_CMD_NONE || spectre_v2_cmd == SPECTRE_V2_CMD_AUTO))
> -- 
> 2.34.1
> 

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* RE: [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2
  2025-08-22 11:49   ` Borislav Petkov
@ 2025-08-22 14:12     ` Kaplan, David
  2025-08-22 14:30       ` Borislav Petkov
  0 siblings, 1 reply; 27+ messages in thread
From: Kaplan, David @ 2025-08-22 14:12 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf, Pawan Gupta,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

[AMD Official Use Only - AMD Internal Distribution Only]

> -----Original Message-----
> From: Borislav Petkov <bp@alien8.de>
> Sent: Friday, August 22, 2025 6:49 AM
> To: Kaplan, David <David.Kaplan@amd.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>; Peter Zijlstra <peterz@infradead.org>;
> Josh Poimboeuf <jpoimboe@kernel.org>; Pawan Gupta
> <pawan.kumar.gupta@linux.intel.com>; Ingo Molnar <mingo@redhat.com>; Dave
> Hansen <dave.hansen@linux.intel.com>; x86@kernel.org; H . Peter Anvin
> <hpa@zytor.com>; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Tue, Aug 19, 2025 at 02:21:57PM -0500, David Kaplan wrote:
> > +static void __init spectre_v2_check_cmd(void)
>
> Why the separate function?
>
> This can simply go in spectre_v2_select_mitigation() before the switch-case
> like with all the others *_select_mitigation() functions...

It could, but I felt this was a way to logically separate the code vs having one giant function.  All the code in spectre_v2_check_cmd() does one thing: verifies if the chosen command is possible on this system.  The rest of spectre_v2_select_mitigation() then uses the cmd to actually pick a mitigation.

Since these were two distinct flows, I thought having a separate function made sense to make the code more readable.  But that was just my opinion, I won't object if you want to inline it.

--David Kaplan


* Re: [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2
  2025-08-22 14:12     ` Kaplan, David
@ 2025-08-22 14:30       ` Borislav Petkov
  2025-08-22 14:37         ` Kaplan, David
  0 siblings, 1 reply; 27+ messages in thread
From: Borislav Petkov @ 2025-08-22 14:30 UTC (permalink / raw)
  To: Kaplan, David
  Cc: Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf, Pawan Gupta,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

On Fri, Aug 22, 2025 at 02:12:55PM +0000, Kaplan, David wrote:
> It could, but I felt this was a way to logically separate the code vs having
> one giant function.  All the code in spectre_v2_check_cmd() does one thing:
> verifies if the chosen command is possible on this system.  The rest of
> spectre_v2_select_mitigation() then uses the cmd to actually pick
> a mitigation.
> 
> Since these were two distinct flows, I thought having a separate function
> made sense to make the code more readable.  But that was just my opinion,
> I won't object if you want to inline it.

Right, since we're making all the mitigations handling uniform, I'd prefer to
have the same code pattern here too. The function does get a bit big but it is
clear that it does two things: (1) checks the command before it (2) selects
the mitigation. And the others do the same so...

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* RE: [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2
  2025-08-22 14:30       ` Borislav Petkov
@ 2025-08-22 14:37         ` Kaplan, David
  0 siblings, 0 replies; 27+ messages in thread
From: Kaplan, David @ 2025-08-22 14:37 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf, Pawan Gupta,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

[AMD Official Use Only - AMD Internal Distribution Only]

> -----Original Message-----
> From: Borislav Petkov <bp@alien8.de>
> Sent: Friday, August 22, 2025 9:30 AM
> To: Kaplan, David <David.Kaplan@amd.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>; Peter Zijlstra <peterz@infradead.org>;
> Josh Poimboeuf <jpoimboe@kernel.org>; Pawan Gupta
> <pawan.kumar.gupta@linux.intel.com>; Ingo Molnar <mingo@redhat.com>; Dave
> Hansen <dave.hansen@linux.intel.com>; x86@kernel.org; H . Peter Anvin
> <hpa@zytor.com>; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH v2 2/5] x86/bugs: Use early_param for spectre_v2
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Fri, Aug 22, 2025 at 02:12:55PM +0000, Kaplan, David wrote:
> > It could, but I felt this was a way to logically separate the code vs having
> > one giant function.  All the code in spectre_v2_check_cmd() does one thing:
> > verifies if the chosen command is possible on this system.  The rest of
> > spectre_v2_select_mitigation() then uses the cmd to actually pick
> > a mitigation.
> >
> > Since these were two distinct flows, I thought having a separate function
> > made sense to make the code more readable.  But that was just my opinion,
> > I won't object if you want to inline it.
>
> Right, since we're making all the mitigations handling uniform, I'd prefer to
> have the same code pattern here too. The function does get a bit big but it is
> clear that it does two things: (1) checks the command before it (2) selects
> the mitigation. And the others do the same so...
>

Sort of.  Spectre_v2 is a bit unique in that it is more complicated than almost any of the others in terms of the number of options it has.  There are 11 command line options for spectre_v2; the next closest one has 7.  Spectre_v2 (and spectre_v2_user) are the only remaining mitigations where a 'cmd' is initially chosen instead of a mitigation, because of all this complexity and the checks that have to occur.

--David Kaplan


* Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-21  6:17   ` Pawan Gupta
@ 2025-08-27 10:27     ` Borislav Petkov
  2025-08-27 11:04       ` Borislav Petkov
  0 siblings, 1 reply; 27+ messages in thread
From: Borislav Petkov @ 2025-08-27 10:27 UTC (permalink / raw)
  To: Pawan Gupta
  Cc: David Kaplan, Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86, H . Peter Anvin, linux-kernel

On Wed, Aug 20, 2025 at 11:17:23PM -0700, Pawan Gupta wrote:
> On Tue, Aug 19, 2025 at 02:21:59PM -0500, David Kaplan wrote:
> > @@ -2646,11 +2650,18 @@ early_param("spec_store_bypass_disable", ssb_parse_cmdline);
> >  
> >  static void __init ssb_select_mitigation(void)
> >  {
> > -	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) || cpu_mitigations_off()) {
> > +	if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) {
> 
> Nothing major, but this change belongs to the next patch that cleans up
> cpu_mitigations_off().

Fixed and expediting this one so that 6.17 releases with the full attack
vectors functionality.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-27 10:27     ` Borislav Petkov
@ 2025-08-27 11:04       ` Borislav Petkov
  2025-08-27 14:05         ` Kaplan, David
  0 siblings, 1 reply; 27+ messages in thread
From: Borislav Petkov @ 2025-08-27 11:04 UTC (permalink / raw)
  To: Pawan Gupta, David Kaplan
  Cc: Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf, Ingo Molnar,
	Dave Hansen, x86, H . Peter Anvin, linux-kernel

On Wed, Aug 27, 2025 at 12:27:54PM +0200, Borislav Petkov wrote:
> Fixed and expediting this one so that 6.17 releases with the full attack
> vectors functionality.

Ok, so I'm thinking we should do a minimal fix like this below which goes to
Linus now so that 6.17 has full attack vectors support, and then put
all cleanups on top. Thoughts?

---
From: David Kaplan <david.kaplan@amd.com>
Date: Tue, 19 Aug 2025 14:21:59 -0500
Subject: [PATCH] x86/bugs: Add attack vector controls for SSB

Attack vector controls for SSB were missed in the initial attack vector series.
The default mitigation for SSB requires user-space opt-in so it is only
relevant for user->user attacks.  Add an AUTO mitigation for SSB and use this
attack vector control to select the SSB mitigation.

Fixes: 2d31d2874663 ("x86/bugs: Define attack vectors relevant for each bug")
Signed-off-by: David Kaplan <david.kaplan@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Link: https://lore.kernel.org/20250819192200.2003074-5-david.kaplan@amd.com
---
 .../hw-vuln/attack_vector_controls.rst            |  5 +----
 arch/x86/include/asm/nospec-branch.h              |  1 +
 arch/x86/kernel/cpu/bugs.c                        | 15 ++++++++++++++-
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
index 6dd0800146f6..5964901d66e3 100644
--- a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
+++ b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
@@ -215,7 +215,7 @@ Spectre_v2            X                           X
 Spectre_v2_user                      X                           X            *       (Note 1)
 SRBDS                 X              X            X              X
 SRSO                  X              X            X              X
-SSB                                                                                   (Note 4)
+SSB                                  X
 TAA                   X              X            X              X            *       (Note 2)
 TSA                   X              X            X              X
 =============== ============== ============ ============= ============== ============ ========
@@ -229,9 +229,6 @@ Notes:
    3 --  Disables SMT if cross-thread mitigations are fully enabled, the CPU is
    vulnerable, and STIBP is not supported
 
-   4 --  Speculative store bypass is always enabled by default (no kernel
-   mitigation applied) unless overridden with spec_store_bypass_disable option
-
 When an attack-vector is disabled, all mitigations for the vulnerabilities
 listed in the above table are disabled, unless mitigation is required for a
 different enabled attack-vector or a mitigation is explicitly selected via a
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 10f261678749..e263c126723a 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -514,6 +514,7 @@ enum spectre_v2_user_mitigation {
 /* The Speculative Store Bypass disable variants */
 enum ssb_mitigation {
 	SPEC_STORE_BYPASS_NONE,
+	SPEC_STORE_BYPASS_AUTO,
 	SPEC_STORE_BYPASS_DISABLE,
 	SPEC_STORE_BYPASS_PRCTL,
 	SPEC_STORE_BYPASS_SECCOMP,
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 49ef1b832c1a..159beed05ee8 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -416,6 +416,10 @@ static bool __init should_mitigate_vuln(unsigned int bug)
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER) ||
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_GUEST_GUEST) ||
 		       (smt_mitigations != SMT_MITIGATIONS_OFF);
+
+	case X86_BUG_SPEC_STORE_BYPASS:
+		return cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER);
+
 	default:
 		WARN(1, "Unknown bug %x\n", bug);
 		return false;
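Review bot: The new X86_BUG_SPEC_STORE_BYPASS case in should_mitigate_vuln() gives no hint why only CPU_MITIGATE_USER_USER is consulted, although that is the whole premise of the change and is stated only in the commit description. A one-line comment above the `return`, `/* The default SSB mitigation is prctl/seccomp opt-in, so it only matters for user->user. */`, keeps the reasoning next to the code, which is where the next person adding a vector will look. The start of should_mitigate_vuln() and its other cases are outside the hunk.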
@@ -2619,7 +2623,8 @@ void cpu_bugs_smt_update(void)
 #undef pr_fmt
 #define pr_fmt(fmt)	"Speculative Store Bypass: " fmt
 
-static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
+static enum ssb_mitigation ssb_mode __ro_after_init =
+	IS_ENABLED(CONFIG_MITIGATION_SSB) ? SPEC_STORE_BYPASS_AUTO : SPEC_STORE_BYPASS_NONE;
 
 /* The kernel command line selection */
 enum ssb_mitigation_cmd {
@@ -2695,6 +2700,13 @@ static void __init ssb_select_mitigation(void)
 	     cmd == SPEC_STORE_BYPASS_CMD_AUTO))
 		return;
 
+	if (ssb_mode == SPEC_STORE_BYPASS_AUTO) {
+		if (should_mitigate_vuln(X86_BUG_SPEC_STORE_BYPASS))
+			ssb_mode = SPEC_STORE_BYPASS_PRCTL;
+		else
+			ssb_mode = SPEC_STORE_BYPASS_NONE;
+	}
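Review bot: ssb_mode can leave ssb_select_mitigation() still set to SPEC_STORE_BYPASS_AUTO, because the early `return` at the top of this hunk (its condition begins above the hunk) is taken before the new AUTO-resolution block runs; with the previous NONE default that path left a real mode behind, with the new AUTO default it leaves the placeholder. The added `case SPEC_STORE_BYPASS_AUTO:` in ssb_prctl_get() suggests the placeholder is expected to be visible later, but any code that indexes a string table by ssb_mode or compares it against NONE would then also need to know about it, and I cannot see those users from here. Resolving AUTO ahead of the early return, or adding `ssb_mode = SPEC_STORE_BYPASS_NONE;` on that path, would keep the invariant that AUTO never survives selection. The rest of ssb_select_mitigation(), including the switch below, is outside the hunk.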
+
 	switch (cmd) {
 	case SPEC_STORE_BYPASS_CMD_SECCOMP:
 		/*
@@ -2935,6 +2947,7 @@ static int ssb_prctl_get(struct task_struct *task)
 		return PR_SPEC_DISABLE;
 	case SPEC_STORE_BYPASS_SECCOMP:
 	case SPEC_STORE_BYPASS_PRCTL:
+	case SPEC_STORE_BYPASS_AUTO:
 		if (task_spec_ssb_force_disable(task))
 			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
 		if (task_spec_ssb_noexec(task))
-- 
2.51.0

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* RE: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-27 11:04       ` Borislav Petkov
@ 2025-08-27 14:05         ` Kaplan, David
  2025-08-27 14:22           ` Borislav Petkov
  0 siblings, 1 reply; 27+ messages in thread
From: Kaplan, David @ 2025-08-27 14:05 UTC (permalink / raw)
  To: Borislav Petkov, Pawan Gupta
  Cc: Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf, Ingo Molnar,
	Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

[AMD Official Use Only - AMD Internal Distribution Only]

> -----Original Message-----
> From: Borislav Petkov <bp@alien8.de>
> Sent: Wednesday, August 27, 2025 6:04 AM
> To: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>; Kaplan, David
> <David.Kaplan@amd.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>; Peter Zijlstra <peterz@infradead.org>;
> Josh Poimboeuf <jpoimboe@kernel.org>; Ingo Molnar <mingo@redhat.com>; Dave
> Hansen <dave.hansen@linux.intel.com>; x86@kernel.org; H . Peter Anvin
> <hpa@zytor.com>; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Wed, Aug 27, 2025 at 12:27:54PM +0200, Borislav Petkov wrote:
> > Fixed and expediting this one so that 6.17 releases with the full attack
> > vectors functionality.
>
> Ok, so I'm thinking we should do a minimal fix like this below which goes to
> Linus now so that 6.17 has full attack vectors support and then slap
> all cleanups ontop. Thoughts?
>
> ---
> From: David Kaplan <david.kaplan@amd.com>
> Date: Tue, 19 Aug 2025 14:21:59 -0500
> Subject: [PATCH] x86/bugs: Add attack vector controls for SSB
>
> Attack vector controls for SSB were missed in the initial attack vector series.
> The default mitigation for SSB requires user-space opt-in so it is only
> relevant for user->user attacks.  Add an AUTO mitigation for SSB and use this
> attack vector control to select the SSB mitigation.
>
> Fixes: 2d31d2874663 ("x86/bugs: Define attack vectors relevant for each bug")
> Signed-off-by: David Kaplan <david.kaplan@amd.com>
> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
> Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> Link: https://lore.kernel.org/20250819192200.2003074-5-david.kaplan@amd.com
> ---
>  .../hw-vuln/attack_vector_controls.rst            |  5 +----
>  arch/x86/include/asm/nospec-branch.h              |  1 +
>  arch/x86/kernel/cpu/bugs.c                        | 15 ++++++++++++++-
>  3 files changed, 16 insertions(+), 5 deletions(-)
>
> diff --git a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
> b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
> index 6dd0800146f6..5964901d66e3 100644
> --- a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
> +++ b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
> @@ -215,7 +215,7 @@ Spectre_v2            X                           X
>  Spectre_v2_user                      X                           X            *       (Note 1)
>  SRBDS                 X              X            X              X
>  SRSO                  X              X            X              X
> -SSB                                                                                   (Note 4)
> +SSB                                  X
>  TAA                   X              X            X              X            *       (Note 2)
>  TSA                   X              X            X              X
>  =============== ============== ============ =============
> ============== ============ ========
> @@ -229,9 +229,6 @@ Notes:
>     3 --  Disables SMT if cross-thread mitigations are fully enabled, the CPU is
>     vulnerable, and STIBP is not supported
>
> -   4 --  Speculative store bypass is always enabled by default (no kernel
> -   mitigation applied) unless overridden with spec_store_bypass_disable option
> -
>  When an attack-vector is disabled, all mitigations for the vulnerabilities
>  listed in the above table are disabled, unless mitigation is required for a
>  different enabled attack-vector or a mitigation is explicitly selected via a
> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-
> branch.h
> index 10f261678749..e263c126723a 100644
> --- a/arch/x86/include/asm/nospec-branch.h
> +++ b/arch/x86/include/asm/nospec-branch.h
> @@ -514,6 +514,7 @@ enum spectre_v2_user_mitigation {
>  /* The Speculative Store Bypass disable variants */
>  enum ssb_mitigation {
>         SPEC_STORE_BYPASS_NONE,
> +       SPEC_STORE_BYPASS_AUTO,
>         SPEC_STORE_BYPASS_DISABLE,
>         SPEC_STORE_BYPASS_PRCTL,
>         SPEC_STORE_BYPASS_SECCOMP,
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 49ef1b832c1a..159beed05ee8 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -416,6 +416,10 @@ static bool __init should_mitigate_vuln(unsigned int bug)
>                        cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER) ||
>                        cpu_attack_vector_mitigated(CPU_MITIGATE_GUEST_GUEST) ||
>                        (smt_mitigations != SMT_MITIGATIONS_OFF);
> +
> +       case X86_BUG_SPEC_STORE_BYPASS:
> +               return cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER);
> +
>         default:
>                 WARN(1, "Unknown bug %x\n", bug);
>                 return false;
> @@ -2619,7 +2623,8 @@ void cpu_bugs_smt_update(void)
>  #undef pr_fmt
>  #define pr_fmt(fmt)    "Speculative Store Bypass: " fmt
>
> -static enum ssb_mitigation ssb_mode __ro_after_init =
> SPEC_STORE_BYPASS_NONE;
> +static enum ssb_mitigation ssb_mode __ro_after_init =
> +       IS_ENABLED(CONFIG_MITIGATION_SSB) ?
> SPEC_STORE_BYPASS_AUTO : SPEC_STORE_BYPASS_NONE;
>
>  /* The kernel command line selection */
>  enum ssb_mitigation_cmd {
> @@ -2695,6 +2700,13 @@ static void __init ssb_select_mitigation(void)
>              cmd == SPEC_STORE_BYPASS_CMD_AUTO))
>                 return;
>
> +       if (ssb_mode == SPEC_STORE_BYPASS_AUTO) {
> +               if (should_mitigate_vuln(X86_BUG_SPEC_STORE_BYPASS))
> +                       ssb_mode = SPEC_STORE_BYPASS_PRCTL;
> +               else
> +                       ssb_mode = SPEC_STORE_BYPASS_NONE;
> +       }
> +
>         switch (cmd) {
>         case SPEC_STORE_BYPASS_CMD_SECCOMP:
>                 /*
> @@ -2935,6 +2947,7 @@ static int ssb_prctl_get(struct task_struct *task)
>                 return PR_SPEC_DISABLE;
>         case SPEC_STORE_BYPASS_SECCOMP:
>         case SPEC_STORE_BYPASS_PRCTL:
> +       case SPEC_STORE_BYPASS_AUTO:
>                 if (task_spec_ssb_force_disable(task))
>                         return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
>                 if (task_spec_ssb_noexec(task))
> --
> 2.51.0
>

This patch won't work if you don't pick up the SSB clean-up (patch #3).  The SSB clean-up patch removes the ssb_mitigation_cmd and makes all selection on ssb_mode, which is simpler and allows the attack vector control to easily work.

In the above code, ssb_mode is always SPEC_STORE_BYPASS_AUTO when ssb_select_mitigation() runs.  But then ssb_mode will be overwritten by the switch statement later.  In particular, if no cmdline option is passed, the cmd will be SPEC_STORE_BYPASS_CMD_AUTO which in the switch statement always sets mode to SPEC_STORE_BYPASS_PRCTL, ignoring the attack vector.

If you really want to not pick up patch #3 yet, then you could move the should_mitigate_vuln() check into the switch statement for SPEC_STORE_BYPASS_CMD_AUTO only.  Or just pick up the clean-up patch which also reduces the overall code size.

--David Kaplan




* Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-27 14:05         ` Kaplan, David
@ 2025-08-27 14:22           ` Borislav Petkov
  2025-08-27 14:25             ` Kaplan, David
  0 siblings, 1 reply; 27+ messages in thread
From: Borislav Petkov @ 2025-08-27 14:22 UTC (permalink / raw)
  To: Kaplan, David
  Cc: Pawan Gupta, Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

On Wed, Aug 27, 2025 at 02:05:14PM +0000, Kaplan, David wrote:
> If you really want to not pick up patch #3 yet, then you could move the
> should_mitigate_vuln() check into the switch statement for
> SPEC_STORE_BYPASS_CMD_AUTO only.  Or just pick up the clean-up patch which
> also reduces the overall code size.

I need a minimal fix which goes into 6.17 now because we forgot SSB. This
patch was my attempt at doing something like that.

Cleanups can then go on top.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* RE: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-27 14:22           ` Borislav Petkov
@ 2025-08-27 14:25             ` Kaplan, David
  2025-08-27 15:33               ` Borislav Petkov
  0 siblings, 1 reply; 27+ messages in thread
From: Kaplan, David @ 2025-08-27 14:25 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: Pawan Gupta, Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

[AMD Official Use Only - AMD Internal Distribution Only]

> -----Original Message-----
> From: Borislav Petkov <bp@alien8.de>
> Sent: Wednesday, August 27, 2025 9:22 AM
> To: Kaplan, David <David.Kaplan@amd.com>
> Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>; Thomas Gleixner
> <tglx@linutronix.de>; Peter Zijlstra <peterz@infradead.org>; Josh Poimboeuf
> <jpoimboe@kernel.org>; Ingo Molnar <mingo@redhat.com>; Dave Hansen
> <dave.hansen@linux.intel.com>; x86@kernel.org; H . Peter Anvin
> <hpa@zytor.com>; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Wed, Aug 27, 2025 at 02:05:14PM +0000, Kaplan, David wrote:
> > If you really want to not pick up patch #3 yet, then you could move the
> > should_mitigate_vuln() check into the switch statement for
> > SPEC_STORE_BYPASS_CMD_AUTO only.  Or just pick up the clean-up patch
> which
> > also reduces the overall code size.
>
> I need a minimal fix which goes into 6.17 now because we forgot SSB. This
> patch was my attempt at doing something like that.
>
> Cleanups can then go ontop.
>

Ok.  Then I would go with the suggestion in my reply...move the should_mitigate_vuln() logic into the SPEC_STORE_BYPASS_CMD_AUTO branch of the switch.  I think that should work as expected.

Rest of the patch was fine I think.

--David Kaplan


* Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-27 14:25             ` Kaplan, David
@ 2025-08-27 15:33               ` Borislav Petkov
  2025-08-27 15:47                 ` Kaplan, David
  0 siblings, 1 reply; 27+ messages in thread
From: Borislav Petkov @ 2025-08-27 15:33 UTC (permalink / raw)
  To: Kaplan, David
  Cc: Pawan Gupta, Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

On Wed, Aug 27, 2025 at 02:25:26PM +0000, Kaplan, David wrote:
> Ok.  Then I would go with the suggestion in my reply...move the
> should_mitigate_vuln() logic into the SPEC_STORE_BYPASS_CMD_AUTO branch of
> the switch.  I think that should work as expected.

Makes sense...

> Rest of the patch was fine I think.

Here it is - I *think* it looks good now, but please double-check me again.

Thx.

---
From: David Kaplan <david.kaplan@amd.com>
Date: Tue, 19 Aug 2025 14:21:59 -0500
Subject: [PATCH] x86/bugs: Add attack vector controls for SSB

Attack vector controls for SSB were missed in the initial attack vector series.
The default mitigation for SSB requires user-space opt-in so it is only
relevant for user->user attacks.  Add an AUTO mitigation for SSB and use this
attack vector control to select the SSB mitigation.

Fixes: 2d31d2874663 ("x86/bugs: Define attack vectors relevant for each bug")
Signed-off-by: David Kaplan <david.kaplan@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250819192200.2003074-5-david.kaplan@amd.com
---
 .../admin-guide/hw-vuln/attack_vector_controls.rst  |  5 +----
 arch/x86/include/asm/nospec-branch.h                |  1 +
 arch/x86/kernel/cpu/bugs.c                          | 13 ++++++++++++-
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
index 6dd0800146f6..5964901d66e3 100644
--- a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
+++ b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
@@ -215,7 +215,7 @@ Spectre_v2            X                           X
 Spectre_v2_user                      X                           X            *       (Note 1)
 SRBDS                 X              X            X              X
 SRSO                  X              X            X              X
-SSB                                                                                   (Note 4)
+SSB                                  X
 TAA                   X              X            X              X            *       (Note 2)
 TSA                   X              X            X              X
 =============== ============== ============ ============= ============== ============ ========
@@ -229,9 +229,6 @@ Notes:
    3 --  Disables SMT if cross-thread mitigations are fully enabled, the CPU is
    vulnerable, and STIBP is not supported
 
-   4 --  Speculative store bypass is always enabled by default (no kernel
-   mitigation applied) unless overridden with spec_store_bypass_disable option
-
 When an attack-vector is disabled, all mitigations for the vulnerabilities
 listed in the above table are disabled, unless mitigation is required for a
 different enabled attack-vector or a mitigation is explicitly selected via a
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 10f261678749..e263c126723a 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -514,6 +514,7 @@ enum spectre_v2_user_mitigation {
 /* The Speculative Store Bypass disable variants */
 enum ssb_mitigation {
 	SPEC_STORE_BYPASS_NONE,
+	SPEC_STORE_BYPASS_AUTO,
 	SPEC_STORE_BYPASS_DISABLE,
 	SPEC_STORE_BYPASS_PRCTL,
 	SPEC_STORE_BYPASS_SECCOMP,
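Review bot: Inserting SPEC_STORE_BYPASS_AUTO between NONE and DISABLE is harmless for tables built with designated initializers, but nothing in this patch extends the per-mode string table bugs.c uses for the sysfs report (ssb_strings[], indexed by ssb_mode, if it is still the mechanism), so an ssb_mode that is still AUTO when a report runs would index a slot with no entry. If AUTO is meant to be resolved to another mode before any report path executes, that contract should be stated on the enumerator, e.g. `/* Resolved by ssb_select_mitigation(); must never be reported */`. enum ssb_mitigation continues past the end of this hunk.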
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 49ef1b832c1a..7b4b43aabd18 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -416,6 +416,10 @@ static bool __init should_mitigate_vuln(unsigned int bug)
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER) ||
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_GUEST_GUEST) ||
 		       (smt_mitigations != SMT_MITIGATIONS_OFF);
+
+	case X86_BUG_SPEC_STORE_BYPASS:
+		return cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER);
+
 	default:
 		WARN(1, "Unknown bug %x\n", bug);
 		return false;
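Review bot: The new X86_BUG_SPEC_STORE_BYPASS case consults only the user->user vector, and the reason — the default SSB mitigation is a prctl opt-in by user space, so no other vector benefits from it — lives only in the commit message; a one-line comment above the `return` would keep that rationale with the code, e.g. `/* Default SSB mitigation is prctl opt-in by user space: only user->user is relevant */`. should_mitigate_vuln() starts and ends outside this hunk. The same hunk reappears unchanged in the minimal respin and in the merged tip commit, so the comment would apply there too.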
@@ -2619,7 +2623,8 @@ void cpu_bugs_smt_update(void)
 #undef pr_fmt
 #define pr_fmt(fmt)	"Speculative Store Bypass: " fmt
 
-static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
+static enum ssb_mitigation ssb_mode __ro_after_init =
+	IS_ENABLED(CONFIG_MITIGATION_SSB) ? SPEC_STORE_BYPASS_AUTO : SPEC_STORE_BYPASS_NONE;
 
 /* The kernel command line selection */
 enum ssb_mitigation_cmd {
@@ -2710,6 +2715,11 @@ static void __init ssb_select_mitigation(void)
 		ssb_mode = SPEC_STORE_BYPASS_DISABLE;
 		break;
 	case SPEC_STORE_BYPASS_CMD_AUTO:
+		if (should_mitigate_vuln(X86_BUG_SPEC_STORE_BYPASS))
+			ssb_mode = SPEC_STORE_BYPASS_PRCTL;
+		else
+			ssb_mode = SPEC_STORE_BYPASS_NONE;
+		break;
 	case SPEC_STORE_BYPASS_CMD_PRCTL:
 		ssb_mode = SPEC_STORE_BYPASS_PRCTL;
 		break;
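Review bot: The CMD_AUTO arm now resolves to PRCTL or NONE without saying why PRCTL is the automatic choice, and its added `break` also ends the fall-through into CMD_PRCTL that the previous code relied on; a short comment would make both explicit, e.g. `/* AUTO: prctl opt-in only when the user->user vector is mitigated, otherwise no mitigation */`. ssb_select_mitigation() starts and ends outside this hunk, so whether the not-vulnerable and CONFIG_MITIGATION_SSB=n cases are filtered before the switch cannot be seen here; if they are not, the AUTO arm could pick PRCTL on an unaffected CPU, which is worth confirming against the full function. The same hunk reappears unchanged in the minimal respin and in the merged tip commit.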
@@ -2935,6 +2945,7 @@ static int ssb_prctl_get(struct task_struct *task)
 		return PR_SPEC_DISABLE;
 	case SPEC_STORE_BYPASS_SECCOMP:
 	case SPEC_STORE_BYPASS_PRCTL:
+	case SPEC_STORE_BYPASS_AUTO:
 		if (task_spec_ssb_force_disable(task))
 			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
 		if (task_spec_ssb_noexec(task))
-- 
2.51.0

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* RE: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-27 15:33               ` Borislav Petkov
@ 2025-08-27 15:47                 ` Kaplan, David
  2025-08-27 16:11                   ` Borislav Petkov
  0 siblings, 1 reply; 27+ messages in thread
From: Kaplan, David @ 2025-08-27 15:47 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: Pawan Gupta, Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

[AMD Official Use Only - AMD Internal Distribution Only]

> -----Original Message-----
> From: Borislav Petkov <bp@alien8.de>
> Sent: Wednesday, August 27, 2025 10:34 AM
> To: Kaplan, David <David.Kaplan@amd.com>
> Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>; Thomas Gleixner
> <tglx@linutronix.de>; Peter Zijlstra <peterz@infradead.org>; Josh Poimboeuf
> <jpoimboe@kernel.org>; Ingo Molnar <mingo@redhat.com>; Dave Hansen
> <dave.hansen@linux.intel.com>; x86@kernel.org; H . Peter Anvin
> <hpa@zytor.com>; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Wed, Aug 27, 2025 at 02:25:26PM +0000, Kaplan, David wrote:
> > Ok.  Then I would go with the suggestion in my reply...move the
> > should_mitigate_vuln() logic into the SPEC_STORE_BYPASS_CMD_AUTO
> branch of
> > the switch.  I think that should work as expected.
>
> Makes sense...
>
> > Rest of the patch was fine I think.
>
> Here it is - I *think* it looks good now but doublecheck me again pls.
>
> Thx.
>
> --- a/arch/x86/include/asm/nospec-branch.h
> +++ b/arch/x86/include/asm/nospec-branch.h
> @@ -514,6 +514,7 @@ enum spectre_v2_user_mitigation {
>  /* The Speculative Store Bypass disable variants */
>  enum ssb_mitigation {
>         SPEC_STORE_BYPASS_NONE,
> +       SPEC_STORE_BYPASS_AUTO,
>         SPEC_STORE_BYPASS_DISABLE,
>         SPEC_STORE_BYPASS_PRCTL,
>         SPEC_STORE_BYPASS_SECCOMP,

After reviewing this further, this change should be removed.  The AUTO mitigation is intended to say 'choose based on attack vector', but with this patch you're not looking at ssb_mode to decide to do that.  You're looking at the ssb mitigation cmd (which already defaults to SPEC_STORE_BYPASS_CMD_AUTO).  Therefore there is no need for a SPEC_STORE_BYPASS_AUTO setting of ssb_mode.

(The clean-up patch removes ssb_mitigation_cmd entirely, so it needs an AUTO setting of ssb_mitigation)

>
> -static enum ssb_mitigation ssb_mode __ro_after_init =
> SPEC_STORE_BYPASS_NONE;
> +static enum ssb_mitigation ssb_mode __ro_after_init =
> +       IS_ENABLED(CONFIG_MITIGATION_SSB) ?
> SPEC_STORE_BYPASS_AUTO : SPEC_STORE_BYPASS_NONE;
>

But more importantly, please remove this.  That's because in the current patch, if the user says 'nospec_store_bypass_disable' then the ssb_select_mitigation() function does not change ssb_mode.  So it needs to default to NONE.

Thanks
--David Kaplan


* Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-27 15:47                 ` Kaplan, David
@ 2025-08-27 16:11                   ` Borislav Petkov
  2025-08-27 16:15                     ` Kaplan, David
  0 siblings, 1 reply; 27+ messages in thread
From: Borislav Petkov @ 2025-08-27 16:11 UTC (permalink / raw)
  To: Kaplan, David
  Cc: Pawan Gupta, Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

On Wed, Aug 27, 2025 at 03:47:10PM +0000, Kaplan, David wrote:
> After reviewing this further, this change should be removed.  The AUTO mitigation is intended to say 'choose based on attack vector', but with this patch you're not looking at ssb_mode to decide to do that.  You're looking at the ssb mitigation cmd (which already defaults to SPEC_STORE_BYPASS_CMD_AUTO).  Therefore there is no need for a SPEC_STORE_BYPASS_AUTO setting of ssb_mode.
> 
> (The clean-up patch removes ssb_mitigation_cmd entirely, so it needs an AUTO setting of ssb_mitigation)

...

> But more importantly, please remove this.  That's because in the current patch, if the user says 'nospec_store_bypass_disable' then the ssb_select_mitigation() function does not change ssb_mode.  So it needs to default to NONE.

Yah, agreed with both. Here's a minimal thing.

---
From: David Kaplan <david.kaplan@amd.com>
Date: Tue, 19 Aug 2025 14:21:59 -0500
Subject: [PATCH] x86/bugs: Add attack vector controls for SSB

Attack vector controls for SSB were missed in the initial attack vector series.
The default mitigation for SSB requires user-space opt-in so it is only
relevant for user->user attacks.  Add an AUTO mitigation for SSB and use this
attack vector control to select the SSB mitigation.

Fixes: 2d31d2874663 ("x86/bugs: Define attack vectors relevant for each bug")
Signed-off-by: David Kaplan <david.kaplan@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250819192200.2003074-5-david.kaplan@amd.com
---
 .../admin-guide/hw-vuln/attack_vector_controls.rst       | 5 +----
 arch/x86/kernel/cpu/bugs.c                               | 9 +++++++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
index 6dd0800146f6..5964901d66e3 100644
--- a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
+++ b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
@@ -215,7 +215,7 @@ Spectre_v2            X                           X
 Spectre_v2_user                      X                           X            *       (Note 1)
 SRBDS                 X              X            X              X
 SRSO                  X              X            X              X
-SSB                                                                                   (Note 4)
+SSB                                  X
 TAA                   X              X            X              X            *       (Note 2)
 TSA                   X              X            X              X
 =============== ============== ============ ============= ============== ============ ========
@@ -229,9 +229,6 @@ Notes:
    3 --  Disables SMT if cross-thread mitigations are fully enabled, the CPU is
    vulnerable, and STIBP is not supported
 
-   4 --  Speculative store bypass is always enabled by default (no kernel
-   mitigation applied) unless overridden with spec_store_bypass_disable option
-
 When an attack-vector is disabled, all mitigations for the vulnerabilities
 listed in the above table are disabled, unless mitigation is required for a
 different enabled attack-vector or a mitigation is explicitly selected via a
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 49ef1b832c1a..af838b8d845c 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -416,6 +416,10 @@ static bool __init should_mitigate_vuln(unsigned int bug)
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER) ||
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_GUEST_GUEST) ||
 		       (smt_mitigations != SMT_MITIGATIONS_OFF);
+
+	case X86_BUG_SPEC_STORE_BYPASS:
+		return cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER);
+
 	default:
 		WARN(1, "Unknown bug %x\n", bug);
 		return false;
@@ -2710,6 +2714,11 @@ static void __init ssb_select_mitigation(void)
 		ssb_mode = SPEC_STORE_BYPASS_DISABLE;
 		break;
 	case SPEC_STORE_BYPASS_CMD_AUTO:
+		if (should_mitigate_vuln(X86_BUG_SPEC_STORE_BYPASS))
+			ssb_mode = SPEC_STORE_BYPASS_PRCTL;
+		else
+			ssb_mode = SPEC_STORE_BYPASS_NONE;
+		break;
 	case SPEC_STORE_BYPASS_CMD_PRCTL:
 		ssb_mode = SPEC_STORE_BYPASS_PRCTL;
 		break;
-- 
2.51.0

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* RE: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-27 16:11                   ` Borislav Petkov
@ 2025-08-27 16:15                     ` Kaplan, David
  2025-08-27 16:19                       ` Borislav Petkov
  0 siblings, 1 reply; 27+ messages in thread
From: Kaplan, David @ 2025-08-27 16:15 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: Pawan Gupta, Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

[AMD Official Use Only - AMD Internal Distribution Only]

> -----Original Message-----
> From: Borislav Petkov <bp@alien8.de>
> Sent: Wednesday, August 27, 2025 11:12 AM
> To: Kaplan, David <David.Kaplan@amd.com>
> Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>; Thomas Gleixner
> <tglx@linutronix.de>; Peter Zijlstra <peterz@infradead.org>; Josh Poimboeuf
> <jpoimboe@kernel.org>; Ingo Molnar <mingo@redhat.com>; Dave Hansen
> <dave.hansen@linux.intel.com>; x86@kernel.org; H . Peter Anvin
> <hpa@zytor.com>; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Wed, Aug 27, 2025 at 03:47:10PM +0000, Kaplan, David wrote:
> > After reviewing this further, this change should be removed.  The AUTO mitigation
> is intended to say 'choose based on attack vector', but with this patch you're not
> looking at ssb_mode to decide to do that.  You're looking at the ssb mitigation cmd
> (which already defaults to SPEC_STORE_BYPASS_CMD_AUTO).  Therefore there
> is no need for a SPEC_STORE_BYPASS_AUTO setting of ssb_mode.
> >
> > (The clean-up patch removes ssb_mitigation_cmd entirely, so it needs an AUTO
> setting of ssb_mitigation)
>
> ...
>
> > But more importantly, please remove this.  That's because in the current patch, if
> the user says 'nospec_store_bypass_disable' then the ssb_select_mitigation()
> function does not change ssb_mode.  So it needs to default to NONE.
>
> Yah, agreed with both. Here's a minimal thing.
>
> ---
> From: David Kaplan <david.kaplan@amd.com>
> Date: Tue, 19 Aug 2025 14:21:59 -0500
> Subject: [PATCH] x86/bugs: Add attack vector controls for SSB
>
> Attack vector controls for SSB were missed in the initial attack vector series.
> The default mitigation for SSB requires user-space opt-in so it is only
> relevant for user->user attacks.  Add an AUTO mitigation for SSB and use this
> attack vector control to select the SSB mitigation.
>
> Fixes: 2d31d2874663 ("x86/bugs: Define attack vectors relevant for each bug")
> Signed-off-by: David Kaplan <david.kaplan@amd.com>
> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
> Link: https://lore.kernel.org/20250819192200.2003074-5-david.kaplan@amd.com
> ---
>  .../admin-guide/hw-vuln/attack_vector_controls.rst       | 5 +----
>  arch/x86/kernel/cpu/bugs.c                               | 9 +++++++++
>  2 files changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
> b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
> index 6dd0800146f6..5964901d66e3 100644
> --- a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
> +++ b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
> @@ -215,7 +215,7 @@ Spectre_v2            X                           X
>  Spectre_v2_user                      X                           X            *       (Note 1)
>  SRBDS                 X              X            X              X
>  SRSO                  X              X            X              X
> -SSB                                                                                   (Note 4)
> +SSB                                  X
>  TAA                   X              X            X              X            *       (Note 2)
>  TSA                   X              X            X              X
>  =============== ============== ============ =============
> ============== ============ ========
> @@ -229,9 +229,6 @@ Notes:
>     3 --  Disables SMT if cross-thread mitigations are fully enabled, the CPU is
>     vulnerable, and STIBP is not supported
>
> -   4 --  Speculative store bypass is always enabled by default (no kernel
> -   mitigation applied) unless overridden with spec_store_bypass_disable option
> -
>  When an attack-vector is disabled, all mitigations for the vulnerabilities
>  listed in the above table are disabled, unless mitigation is required for a
>  different enabled attack-vector or a mitigation is explicitly selected via a
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 49ef1b832c1a..af838b8d845c 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -416,6 +416,10 @@ static bool __init should_mitigate_vuln(unsigned int bug)
>                        cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER) ||
>                        cpu_attack_vector_mitigated(CPU_MITIGATE_GUEST_GUEST) ||
>                        (smt_mitigations != SMT_MITIGATIONS_OFF);
> +
> +       case X86_BUG_SPEC_STORE_BYPASS:
> +               return cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER);
> +
>         default:
>                 WARN(1, "Unknown bug %x\n", bug);
>                 return false;
> @@ -2710,6 +2714,11 @@ static void __init ssb_select_mitigation(void)
>                 ssb_mode = SPEC_STORE_BYPASS_DISABLE;
>                 break;
>         case SPEC_STORE_BYPASS_CMD_AUTO:
> +               if (should_mitigate_vuln(X86_BUG_SPEC_STORE_BYPASS))
> +                       ssb_mode = SPEC_STORE_BYPASS_PRCTL;
> +               else
> +                       ssb_mode = SPEC_STORE_BYPASS_NONE;
> +               break;
>         case SPEC_STORE_BYPASS_CMD_PRCTL:
>                 ssb_mode = SPEC_STORE_BYPASS_PRCTL;
>                 break;
> --
> 2.51.0
>

LGTM.  Just make sure to update the commit description, since it no longer adds an AUTO mitigation.

Thanks --David Kaplan


* Re: [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB
  2025-08-27 16:15                     ` Kaplan, David
@ 2025-08-27 16:19                       ` Borislav Petkov
  0 siblings, 0 replies; 27+ messages in thread
From: Borislav Petkov @ 2025-08-27 16:19 UTC (permalink / raw)
  To: Kaplan, David
  Cc: Pawan Gupta, Thomas Gleixner, Peter Zijlstra, Josh Poimboeuf,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

On Wed, Aug 27, 2025 at 04:15:18PM +0000, Kaplan, David wrote:
> LGTM.  Just make sure to update the commit description since it no longer is
> adding an AUTO mitigation.

I have this now:

"Attack vector controls for SSB were missed in the initial attack vector series.
The default mitigation for SSB requires user-space opt-in so it is only
relevant for user->user attacks.  Check with attack vector controls when
the command is auto - i.e., no explicit user selection has been done."

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* Re: [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user
  2025-08-19 19:21 ` [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user David Kaplan
  2025-08-20 18:37   ` Borislav Petkov
@ 2025-08-27 21:51   ` Josh Poimboeuf
  2025-08-27 21:59     ` Kaplan, David
  1 sibling, 1 reply; 27+ messages in thread
From: Josh Poimboeuf @ 2025-08-27 21:51 UTC (permalink / raw)
  To: David Kaplan
  Cc: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Pawan Gupta,
	Ingo Molnar, Dave Hansen, x86, H . Peter Anvin, linux-kernel

On Tue, Aug 19, 2025 at 02:21:56PM -0500, David Kaplan wrote:
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -1826,7 +1826,7 @@ enum spectre_v2_mitigation_cmd {
>  
>  static enum spectre_v2_mitigation_cmd spectre_v2_cmd __ro_after_init = SPECTRE_V2_CMD_AUTO;
>  
> -enum spectre_v2_user_cmd {
> +enum spectre_v2_user_mitigation_cmd {
>  	SPECTRE_V2_USER_CMD_NONE,
>  	SPECTRE_V2_USER_CMD_AUTO,
>  	SPECTRE_V2_USER_CMD_FORCE,
> @@ -1836,6 +1836,9 @@ enum spectre_v2_user_cmd {
>  	SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
>  };
>  
> +static enum spectre_v2_user_mitigation_cmd spectre_v2_user_cmd __ro_after_init =
> +	SPECTRE_V2_USER_CMD_AUTO;

Should this default not be dependent on CONFIG_MITIGATION_SPECTRE_V2?

> -static enum spectre_v2_user_cmd __init spectre_v2_parse_user_cmdline(void)
> +static int __init spectre_v2_parse_user_cmdline(char *str)

Should probably swap "parse" and "user" to match the namespace of the
surrounding code, i.e. spectre_v2_user_parse_cmdline().  This is for
parsing the "spectre_v2_user" option after all.

>  {
> -	char arg[20];
> -	int ret, i;
> +	if (!str)
> +		return -EINVAL;
>  
>  	if (!IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2))
>  		return SPECTRE_V2_USER_CMD_NONE;

This return value no longer makes sense here, as this no longer returns
'enum spectre_v2_user_cmd'.

But also, most of the other mitigations allow you to override the
compile time default with the cmdline.  Might as well allow that here
too for consistency.

-- 
Josh


* RE: [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user
  2025-08-27 21:51   ` Josh Poimboeuf
@ 2025-08-27 21:59     ` Kaplan, David
  0 siblings, 0 replies; 27+ messages in thread
From: Kaplan, David @ 2025-08-27 21:59 UTC (permalink / raw)
  To: Josh Poimboeuf
  Cc: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Pawan Gupta,
	Ingo Molnar, Dave Hansen, x86@kernel.org, H . Peter Anvin,
	linux-kernel@vger.kernel.org

[AMD Official Use Only - AMD Internal Distribution Only]

> -----Original Message-----
> From: Josh Poimboeuf <jpoimboe@kernel.org>
> Sent: Wednesday, August 27, 2025 4:52 PM
> To: Kaplan, David <David.Kaplan@amd.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>; Borislav Petkov <bp@alien8.de>; Peter
> Zijlstra <peterz@infradead.org>; Pawan Gupta
> <pawan.kumar.gupta@linux.intel.com>; Ingo Molnar <mingo@redhat.com>; Dave
> Hansen <dave.hansen@linux.intel.com>; x86@kernel.org; H . Peter Anvin
> <hpa@zytor.com>; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH v2 1/5] x86/bugs: Use early_param for spectre_v2_user
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Tue, Aug 19, 2025 at 02:21:56PM -0500, David Kaplan wrote:
> > +++ b/arch/x86/kernel/cpu/bugs.c
> > @@ -1826,7 +1826,7 @@ enum spectre_v2_mitigation_cmd {
> >
> >  static enum spectre_v2_mitigation_cmd spectre_v2_cmd __ro_after_init =
> SPECTRE_V2_CMD_AUTO;
> >
> > -enum spectre_v2_user_cmd {
> > +enum spectre_v2_user_mitigation_cmd {
> >       SPECTRE_V2_USER_CMD_NONE,
> >       SPECTRE_V2_USER_CMD_AUTO,
> >       SPECTRE_V2_USER_CMD_FORCE,
> > @@ -1836,6 +1836,9 @@ enum spectre_v2_user_cmd {
> >       SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
> >  };
> >
> > +static enum spectre_v2_user_mitigation_cmd spectre_v2_user_cmd
> __ro_after_init =
> > +     SPECTRE_V2_USER_CMD_AUTO;
>
> Should this default not be dependent on CONFIG_MITIGATION_SPECTRE_V2?

Ah, good catch.  Yes, it should be looking at that.


>
> > -static enum spectre_v2_user_cmd __init spectre_v2_parse_user_cmdline(void)
> > +static int __init spectre_v2_parse_user_cmdline(char *str)
>
> Should probably swap "parse" and "user" to match the namespace of the
> surrounding code, i.e. spectre_v2_user_parse_cmdline().  This is for
> parsing the "spectre_v2_user" option after all.

Ok

>
> >  {
> > -     char arg[20];
> > -     int ret, i;
> > +     if (!str)
> > +             return -EINVAL;
> >
> >       if (!IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2))
> >               return SPECTRE_V2_USER_CMD_NONE;
>
> This return value no longer makes sense here, as this no longer returns
> 'enum spectre_v2_user_cmd'.

Yeah, this should be removed.  And the check should be in the initialization as noted above.

>
> But also, most of the other mitigations allow you to override the
> compile time default with the cmdline.  Might as well allow that here
> too for consistency.
>

Agreed, and with the check removed that should happen correctly.

Thanks
--David Kaplan


* Re: [PATCH v2 3/5] x86/bugs: Simplify SSB cmdline parsing
  2025-08-19 19:21 ` [PATCH v2 3/5] x86/bugs: Simplify SSB cmdline parsing David Kaplan
@ 2025-08-27 22:02   ` Josh Poimboeuf
  0 siblings, 0 replies; 27+ messages in thread
From: Josh Poimboeuf @ 2025-08-27 22:02 UTC (permalink / raw)
  To: David Kaplan
  Cc: Thomas Gleixner, Borislav Petkov, Peter Zijlstra, Pawan Gupta,
	Ingo Molnar, Dave Hansen, x86, H . Peter Anvin, linux-kernel

On Tue, Aug 19, 2025 at 02:21:58PM -0500, David Kaplan wrote:
> +static int __init ssb_parse_cmdline(char *str)
> +{
> +	if (!str)
> +		return -EINVAL;
>  
> -		for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
> -			if (!match_option(arg, ret, ssb_mitigation_options[i].option))
> -				continue;
> +	if (!IS_ENABLED(CONFIG_MITIGATION_SSB))
> +		return 0;

Similar to elsewhere, I think we want to be consistent and allow
overriding the compile time default.

-- 
Josh


* [tip: x86/urgent] x86/bugs: Add attack vector controls for SSB
  2025-08-19 19:21 ` [PATCH v2 4/5] x86/bugs: Add attack vector controls for SSB David Kaplan
  2025-08-21  6:17   ` Pawan Gupta
@ 2025-08-28 13:39   ` tip-bot2 for David Kaplan
  1 sibling, 0 replies; 27+ messages in thread
From: tip-bot2 for David Kaplan @ 2025-08-28 13:39 UTC (permalink / raw)
  To: linux-tip-commits; +Cc: David Kaplan, Borislav Petkov (AMD), x86, linux-kernel

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     8b3641dfb6f902407495c63b9b64482b32319b66
Gitweb:        https://git.kernel.org/tip/8b3641dfb6f902407495c63b9b64482b32319b66
Author:        David Kaplan <david.kaplan@amd.com>
AuthorDate:    Tue, 19 Aug 2025 14:21:59 -05:00
Committer:     Borislav Petkov (AMD) <bp@alien8.de>
CommitterDate: Wed, 27 Aug 2025 18:17:12 +02:00

x86/bugs: Add attack vector controls for SSB

Attack vector controls for SSB were missed in the initial attack vector series.
The default mitigation for SSB requires user-space opt-in so it is only
relevant for user->user attacks.  Check with attack vector controls when
the command is auto - i.e., no explicit user selection has been done.

Fixes: 2d31d2874663 ("x86/bugs: Define attack vectors relevant for each bug")
Signed-off-by: David Kaplan <david.kaplan@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250819192200.2003074-5-david.kaplan@amd.com
---
 Documentation/admin-guide/hw-vuln/attack_vector_controls.rst |  5 +----
 arch/x86/kernel/cpu/bugs.c                                   |  9 +++++++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
index 6dd0800..5964901 100644
--- a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
+++ b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
@@ -215,7 +215,7 @@ Spectre_v2            X                           X
 Spectre_v2_user                      X                           X            *       (Note 1)
 SRBDS                 X              X            X              X
 SRSO                  X              X            X              X
-SSB                                                                                   (Note 4)
+SSB                                  X
 TAA                   X              X            X              X            *       (Note 2)
 TSA                   X              X            X              X
 =============== ============== ============ ============= ============== ============ ========
@@ -229,9 +229,6 @@ Notes:
    3 --  Disables SMT if cross-thread mitigations are fully enabled, the CPU is
    vulnerable, and STIBP is not supported
 
-   4 --  Speculative store bypass is always enabled by default (no kernel
-   mitigation applied) unless overridden with spec_store_bypass_disable option
-
 When an attack-vector is disabled, all mitigations for the vulnerabilities
 listed in the above table are disabled, unless mitigation is required for a
 different enabled attack-vector or a mitigation is explicitly selected via a
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 49ef1b8..af838b8 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -416,6 +416,10 @@ static bool __init should_mitigate_vuln(unsigned int bug)
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER) ||
 		       cpu_attack_vector_mitigated(CPU_MITIGATE_GUEST_GUEST) ||
 		       (smt_mitigations != SMT_MITIGATIONS_OFF);
+
+	case X86_BUG_SPEC_STORE_BYPASS:
+		return cpu_attack_vector_mitigated(CPU_MITIGATE_USER_USER);
+
 	default:
 		WARN(1, "Unknown bug %x\n", bug);
 		return false;
@@ -2710,6 +2714,11 @@ static void __init ssb_select_mitigation(void)
 		ssb_mode = SPEC_STORE_BYPASS_DISABLE;
 		break;
 	case SPEC_STORE_BYPASS_CMD_AUTO:
+		if (should_mitigate_vuln(X86_BUG_SPEC_STORE_BYPASS))
+			ssb_mode = SPEC_STORE_BYPASS_PRCTL;
+		else
+			ssb_mode = SPEC_STORE_BYPASS_NONE;
+		break;
 	case SPEC_STORE_BYPASS_CMD_PRCTL:
 		ssb_mode = SPEC_STORE_BYPASS_PRCTL;
 		break;

