* [PATCH v3 00/10] x86/bugs: Separate config for mitigations
@ 2024-04-22 16:58 Breno Leitao
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo; +Cc: x86, tglx, bp, linux-kernel, pawan.kumar.gupta
The current CONFIG_SPECULATION_MITIGATIONS namespace is only
halfway populated, where some mitigations have entries in Kconfig, and
they could be modified, while other mitigations do not have Kconfig
entries, and cannot be controlled at build time.

New mitigations, such as BHI, were properly added, i.e., having an
independent Kconfig, which depends on CONFIG_SPECULATION_MITIGATIONS,
so you can enable/disable at compilation time.

This patch set aims to have the old mitigations in the same format,
bringing some uniformity to the mitigations.
These are the advantages of having fine-grained control for the
mitigations:
1) Users can choose and pick only mitigations that are important for
their workloads.
2) Users and developers can choose to disable mitigations that mangle
the assembly code generation, making it hard to read.
3) Separate Kconfigs for just source code readability,
so that we see *which* butt-ugly piece of crap code is for what
reason...
In most cases, if a mitigation is disabled at compilation time, it
can still be enabled at runtime using kernel command line arguments.
This is the second part of the initial patchset[1] that got half landed.
The first patch did some code re-organization. This second part
contains the exact missing patches from the initial patchset, and
basically adds build-time configuration for the other mitigations that
are currently only disabled at boot time.
Here is a detailed view of each patch:
With this patch applied, setting CONFIG_SPECULATION_MITIGATIONS=n, a
simple script[2] shows that all the mitigations are disabled:
spectre_v2_user_stibp SPECTRE_V2_USER_NONE
spectre_v2_user_ibpb SPECTRE_V2_USER_NONE
spectre_v2_cmd SPECTRE_V2_CMD_NONE
ssb_mode SPEC_STORE_BYPASS_NONE
l1tf_mitigation L1TF_MITIGATION_OFF
srso_mitigation SRSO_MITIGATION_NONE
srso_cmd SRSO_CMD_SAFE_RET
mds_mitigation MDS_MITIGATION_OFF
taa_mitigation TAA_MITIGATION_OFF
mmio_mitigation MMIO_MITIGATION_OFF
srbds_mitigation SRBDS_MITIGATION_OFF
gds_mitigation GDS_MITIGATION_OFF
spectre_v1_mitigation SPECTRE_V1_MITIGATION_NONE
spectre_v2_enabled SPECTRE_V2_NONE
retbleed_mitigation RETBLEED_MITIGATION_NONE
[1] https://lore.kernel.org/all/ZZ7c9EbJ71zU5TOF@gmail.com/#t
[2] https://github.com/leitao/debug/blob/main/spec/dump_speculation.py
Changelog:
v3:
* Rebased the patch on top of linux-next, since BHI mitigation added
some hunk to original patch series.
* Broke down the patches even further, creating one patch for each
mitigation. This makes the code review easier (I hope).
* Nothing was changed, code-wise. The code is *exactly* the same.
* Dropped the "spectre_v2_user default mode depends on main default"
patch, that will be sent later, since there is no dependency to this
patch series. Hoping to make the review/acceptance easier as well.
v2:
* Patch 2: Changed `mode` type from int to `enum spectre_v2_user_cmd`
as suggested by Pawan Gupta
* Patch 3: Change MITIGATION_RETBLEED dependency to match the code.
* https://lore.kernel.org/all/20240208174555.44200-1-leitao@debian.org/
v1:
* https://lore.kernel.org/all/20240118173213.2008115-1-leitao@debian.org/
Breno Leitao (10):
x86/bugs: Add a separate config for GDS
x86/bugs: Add a separate config for MDS
x86/bugs: Add a separate config for TAA
x86/bugs: Add a separate config for MMIO Stale Data
x86/bugs: Add a separate config for L1TF
x86/bugs: Add a separate config for RETBLEED
x86/bugs: Add a separate config for Spectre v1
x86/bugs: Add a separate config for SRBDS
x86/bugs: Add a separate config for Spectre V2
x86/bugs: Add a separate config for SSB
arch/x86/Kconfig | 117 +++++++++++++++++++++++++++++++++++--
arch/x86/kernel/cpu/bugs.c | 46 +++++++++------
2 files changed, 140 insertions(+), 23 deletions(-)
--
2.43.0
* [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently there is no way to disable GDS mitigation at build time.
Disabling the current config option (GDS_MITIGATION_FORCE) does not
disable the mitigation, but sets it to GDS_MITIGATION_FULL, which does
not disable it.
Create a new kernel config that allows GDS to be completely disabled,
similarly to the "gather_data_sampling=off" or "mitigations=off" kernel
command-line. Move the GDS_MITIGATION_FORCE under this new mitigation.
Now, there are three options for GDS mitigation:
* CONFIG_MITIGATION_GDS=n -> Mitigation disabled (New)
* CONFIG_MITIGATION_GDS=y -> Mitigation enabled (GDS_MITIGATION_FULL)
* CONFIG_GDS_MITIGATION_FORCE=y -> Forceful mitigation (disable AVX)
Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 16 +++++++++++-----
arch/x86/kernel/cpu/bugs.c | 7 ++++---
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index a902680b6537..d99b758c8d35 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2607,15 +2607,21 @@ config MITIGATION_SLS
against straight line speculation. The kernel image might be slightly
larger.
+config MITIGATION_GDS
+ bool "Mitigate Gather Data Sampling"
+ depends on CPU_SUP_INTEL
+ default y
+ help
+ Enable mitigation for Gather Data Sampling (GDS). GDS is a hardware
+ vulnerability which allows unprivileged speculative access to data
+ which was previously stored in vector registers. The attacker uses gather
+ instructions to infer the stale vector register data.
+
config MITIGATION_GDS_FORCE
bool "Force GDS Mitigation"
- depends on CPU_SUP_INTEL
+ depends on MITIGATION_GDS
default n
help
- Gather Data Sampling (GDS) is a hardware vulnerability which allows
- unprivileged speculative access to data which was previously stored in
- vector registers.
-
This option is equivalent to setting gather_data_sampling=force on the
command line. The microcode mitigation is used if present, otherwise
AVX is disabled as a mitigation. On affected systems that are missing
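Review bot: the new MITIGATION_GDS help text omits the command-line equivalence the commit message relies on; add a line such as "This option is equivalent to gather_data_sampling=off on the command line" so it matches the MITIGATION_GDS_FORCE entry, which already documents its gather_data_sampling=force equivalent, and add "See also <file:Documentation/admin-guide/hw-vuln/gather_data_sampling.rst>" like the other entries in this series. Also note that gather_data_sampling= accepts only "off" and "force", so a =n build can only be brought back at boot with =force (which disables AVX when the microcode mitigation is missing); the help should say that, since the cover letter's "can still be enabled at runtime" only holds "in most cases" and this is one of the exceptions.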
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 9a9685c9244b..f2bdfb359f6b 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -731,10 +731,11 @@ enum gds_mitigations {
GDS_MITIGATION_HYPERVISOR,
};
-#if IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE)
-static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE;
+#if IS_ENABLED(CONFIG_MITIGATION_GDS)
+static enum gds_mitigations gds_mitigation __ro_after_init =
+ IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE) ? GDS_MITIGATION_FORCE : GDS_MITIGATION_FULL;
#else
-static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
+static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_OFF;
#endif
static const char * const gds_strings[] = {
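Review bot: the #if IS_ENABLED(CONFIG_MITIGATION_GDS) / #else pair is no longer needed once the FORCE case is a ternary, and keeping two definitions of gds_mitigation makes this the one place in the series that does not use the single-initializer style; since MITIGATION_GDS_FORCE now depends on MITIGATION_GDS, one expression covers all three states:
static enum gds_mitigations gds_mitigation __ro_after_init =
	IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE) ? GDS_MITIGATION_FORCE :
	IS_ENABLED(CONFIG_MITIGATION_GDS) ? GDS_MITIGATION_FULL : GDS_MITIGATION_OFF;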
--
2.43.0
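The cover letter and the GDS patch above describe three layers for each mitigation: the CONFIG_MITIGATION_* build default, the command-line option that can override it at boot, and the state the running kernel finally reports. What follows is an added example, not code from the series and not the author's dump_speculation.py: a small Python audit that takes a .config, /proc/cmdline and the vulnerabilities sysfs directory and says, per mitigation, whether it is compiled out, disabled at boot, or expected on but reported Vulnerable. The parameter names (mds=, tsx_async_abort=, nospectre_v2, spec_store_bypass_disable= and so on), the sysfs file names and the precedence rules (mitigations=off wins; an explicit mode re-enables a compiled-out mitigation, except for srbds=, nospectre_v1 and gather_data_sampling=, which have no "on" value) are assumptions taken from the upstream kernel-parameters documentation and from the spectre_v2_parse_cmdline() hunk in patch 09, not from this series; all sample inputs are constructed.

```python
"""Audit x86 speculation mitigations: Kconfig default vs. boot-time override.
Added example, not code from the patch series. Parameter and sysfs names are
assumed from the upstream admin-guide; every sample input below is constructed."""
import re

# symbol: (cmdline parameter, bare off-only flag, file under
# /sys/devices/system/cpu/vulnerabilities/)
MITIGATIONS = {
    "CONFIG_MITIGATION_GDS":             ("gather_data_sampling", None, "gather_data_sampling"),
    "CONFIG_MITIGATION_MDS":             ("mds", None, "mds"),
    "CONFIG_MITIGATION_TAA":             ("tsx_async_abort", None, "tsx_async_abort"),
    "CONFIG_MITIGATION_MMIO_STALE_DATA": ("mmio_stale_data", None, "mmio_stale_data"),
    "CONFIG_MITIGATION_L1TF":            ("l1tf", None, "l1tf"),
    "CONFIG_MITIGATION_RETBLEED":        ("retbleed", None, "retbleed"),
    "CONFIG_MITIGATION_SPECTRE_V1":      (None, "nospectre_v1", "spectre_v1"),
    "CONFIG_MITIGATION_SRBDS":           ("srbds", None, "srbds"),
    "CONFIG_MITIGATION_SPECTRE_V2":      ("spectre_v2", "nospectre_v2", "spectre_v2"),
    "CONFIG_MITIGATION_SSB":             ("spec_store_bypass_disable",
                                          "nospec_store_bypass_disable", "spec_store_bypass"),
}
# No "turn it back on" value exists for these: srbds= takes only off, Spectre v1
# has only nospectre_v1, gather_data_sampling= takes only off or force.
NO_REENABLE = {"CONFIG_MITIGATION_SRBDS", "CONFIG_MITIGATION_SPECTRE_V1",
               "CONFIG_MITIGATION_GDS"}

def parse_config(text):
    """CONFIG_X=y -> 'y'; '# CONFIG_X is not set' -> 'n'; other lines ignored."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line) or re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            cfg[m.group(1)] = m.group(2) if m.lastindex == 2 else "n"
    return cfg

def parse_cmdline(text):
    """'a=b c' -> {'a': 'b', 'c': None}; a repeated parameter keeps its last value."""
    params = {}
    for tok in text.split():
        key, sep, val = tok.partition("=")
        params[key] = val if sep else None
    return params

def build_default(cfg, symbol):
    """Build-time starting value, mirroring the initializers the series adds to bugs.c."""
    if symbol == "CONFIG_MITIGATION_GDS" and cfg.get("CONFIG_MITIGATION_GDS_FORCE") == "y":
        return "force"
    return "on" if cfg.get(symbol) == "y" else "off"

def effective_state(cfg, params, symbol):
    """Command-line overrides applied on top of the build default: off / on / force."""
    param, noflag, _ = MITIGATIONS[symbol]
    if params.get("mitigations") == "off" or noflag in params:
        return "off"                            # global switch and no* flags win
    if param is None or param not in params:
        return build_default(cfg, symbol)
    val = params[param] or ""
    if val == "off":
        return "off"
    if val == "force" and symbol == "CONFIG_MITIGATION_GDS":
        return "force"
    # full/auto/prctl/... re-enable a compiled-out mitigation where the parser has such a value
    return build_default(cfg, symbol) if symbol in NO_REENABLE else "on"

def audit(config_text, cmdline_text, sysfs_text):
    """{sysfs_file: (expected, reported, finding)}; sysfs_text is 'file: contents' lines."""
    cfg, params = parse_config(config_text), parse_cmdline(cmdline_text)
    sysfs = {k.strip(): v.strip() for k, v in
             (l.split(":", 1) for l in sysfs_text.splitlines() if ":" in l)}
    report = {}
    for symbol, (_, _, name) in MITIGATIONS.items():
        expected = effective_state(cfg, params, symbol)
        reported = sysfs.get(name, "<missing>")
        if expected != "off":
            finding = ("expected mitigation but kernel reports Vulnerable"
                       if reported.startswith("Vulnerable") else "ok")
        elif reported.startswith("Mitigation"):
            finding = "mitigated although disabled; re-check the mapping"
        else:
            finding = ("compiled out" if build_default(cfg, symbol) == "off"
                       else "disabled on the command line")
        report[name] = (expected, reported, finding)
    return report

# Constructed sample inputs (not from a real machine).
SAMPLE_CONFIG = """\
CONFIG_MITIGATION_GDS=y
CONFIG_MITIGATION_GDS_FORCE=y
# CONFIG_MITIGATION_MDS is not set
CONFIG_MITIGATION_TAA=y
CONFIG_MITIGATION_MMIO_STALE_DATA=y
CONFIG_MITIGATION_L1TF=y
# CONFIG_MITIGATION_RETBLEED is not set
CONFIG_MITIGATION_SPECTRE_V1=y
CONFIG_MITIGATION_SRBDS=y
CONFIG_MITIGATION_SPECTRE_V2=y
CONFIG_MITIGATION_SSB=y
"""
SAMPLE_CMDLINE = "root=/dev/sda1 retbleed=auto nospectre_v2 srbds=off"
SAMPLE_SYSFS = """\
gather_data_sampling: Mitigation: Microcode
mds: Vulnerable; SMT vulnerable
tsx_async_abort: Vulnerable: Clear CPU buffers attempted, no microcode
mmio_stale_data: Mitigation: Clear CPU buffers; SMT vulnerable
l1tf: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
retbleed: Mitigation: Enhanced IBRS
spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization
srbds: Vulnerable
spectre_v2: Vulnerable; IBPB: disabled; STIBP: disabled
spec_store_bypass: Mitigation: Speculative Store Bypass disabled via prctl
"""
```

On a live system, feed audit() the contents of /boot/config-$(uname -r) (or zcat /proc/config.gz), /proc/cmdline, and a "name: contents" dump of /sys/devices/system/cpu/vulnerabilities/ (for f in /sys/devices/system/cpu/vulnerabilities/*; do echo "$(basename $f): $(cat $f)"; done). With the samples above, mds is reported "compiled out" because nothing on the command line re-enables it, retbleed is "ok" because retbleed=auto overrides its =n build, srbds and spectre_v2 are "disabled on the command line", and tsx_async_abort is flagged because the build and boot state expect a mitigation the kernel could not apply.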
* [PATCH v3 02/10] x86/bugs: Add a separate config for MDS
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated,
where some mitigations have entries in Kconfig, and they could be
modified, while other mitigations do not have Kconfig entries, and
could not be controlled at build time.

Create an entry for the MDS CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable
it at compilation time.
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 9 +++++++++
arch/x86/kernel/cpu/bugs.c | 3 ++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index d99b758c8d35..5d0227b50faa 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2653,6 +2653,15 @@ config MITIGATION_SPECTRE_BHI
indirect branches.
See <file:Documentation/admin-guide/hw-vuln/spectre.rst>
+config MITIGATION_MDS
+ bool "Mitigate Microarchitectural Data Sampling (MDS) hardware bug"
+ depends on CPU_SUP_INTEL
+ default y
+ help
+ Enable mitigation for Microarchitectural Data Sampling (MDS). MDS is
+ a hardware vulnerability which allows unprivileged speculative access
+ to data which is available in various CPU internal buffers.
+ See also <file:Documentation/admin-guide/hw-vuln/mds.rst>
endif
config ARCH_HAS_ADD_PAGES
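Review bot: the help text should say what the option maps to at boot, since that is what a user deciding on =n needs to know: CONFIG_MITIGATION_MDS=n is the mds=off default, and mds=full on the command line still enables the mitigation. The commit message implies the latter, but the Kconfig entry is where people will look.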
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index f2bdfb359f6b..fb6515b1b33e 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -233,7 +233,8 @@ static void x86_amd_ssb_disable(void)
#define pr_fmt(fmt) "MDS: " fmt
/* Default mitigation for MDS-affected CPUs */
-static enum mds_mitigations mds_mitigation __ro_after_init = MDS_MITIGATION_FULL;
+static enum mds_mitigations mds_mitigation __ro_after_init =
+ IS_ENABLED(CONFIG_MITIGATION_MDS) ? MDS_MITIGATION_FULL : MDS_MITIGATION_OFF;
static bool mds_nosmt __ro_after_init = false;
static const char * const mds_strings[] = {
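Review bot: the comment "/* Default mitigation for MDS-affected CPUs */" is now misleading for a CONFIG_MITIGATION_MDS=n build, where the initializer is MDS_MITIGATION_OFF; reword it to say the default follows CONFIG_MITIGATION_MDS. This initializer is also the only place the new Kconfig is consulted, so the commit message should state explicitly that the mds= parser still overrides it (mds=full turning the mitigation back on), because the cover letter's "can still be enabled at runtime" promise rests on that and nothing in this hunk shows it.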
--
2.43.0
* [PATCH v3 03/10] x86/bugs: Add a separate config for TAA
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated,
where some mitigations have entries in Kconfig, and they could be
modified, while other mitigations do not have Kconfig entries, and
could not be controlled at build time.

Create an entry for the TAA CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable
it at compilation time.
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 11 +++++++++++
arch/x86/kernel/cpu/bugs.c | 3 ++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 5d0227b50faa..c7ce800fcdb2 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2662,6 +2662,17 @@ config MITIGATION_MDS
a hardware vulnerability which allows unprivileged speculative access
to data which is available in various CPU internal buffers.
See also <file:Documentation/admin-guide/hw-vuln/mds.rst>
+
+config MITIGATION_TAA
+ bool "Mitigate TSX Asynchronous Abort (TAA) hardware bug"
+ depends on CPU_SUP_INTEL
+ default y
+ help
+ Enable mitigation for TSX Asynchronous Abort (TAA). TAA is a hardware
+ vulnerability that allows unprivileged speculative access to data
+ which is available in various CPU internal buffers by using
+ asynchronous aborts within an Intel TSX transactional region.
+ See also <file:Documentation/admin-guide/hw-vuln/tsx_async_abort.rst>
endif
config ARCH_HAS_ADD_PAGES
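Review bot: the help text should name the boot-time equivalent (tsx_async_abort=off) and, because TAA is mitigated by the same VERW buffer clearing that MDS uses (the bugs.c default in this patch is TAA_MITIGATION_VERW), say what a user gets when only one of CONFIG_MITIGATION_TAA and CONFIG_MITIGATION_MDS is turned off on a CPU affected by both; as written, =n here reads either as a no-op or as a full exposure depending on the reader.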
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index fb6515b1b33e..87f3cc6c438d 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -294,7 +294,8 @@ enum taa_mitigations {
};
/* Default mitigation for TAA-affected CPUs */
-static enum taa_mitigations taa_mitigation __ro_after_init = TAA_MITIGATION_VERW;
+static enum taa_mitigations taa_mitigation __ro_after_init =
+ IS_ENABLED(CONFIG_MITIGATION_TAA) ? TAA_MITIGATION_VERW : TAA_MITIGATION_OFF;
static bool taa_nosmt __ro_after_init;
static const char * const taa_strings[] = {
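Review bot: "/* Default mitigation for TAA-affected CPUs */" now describes two possible values; reword to "Default mitigation for TAA-affected CPUs, unless CONFIG_MITIGATION_TAA is off" so the comment and the ternary agree.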
--
2.43.0
* [PATCH v3 04/10] x86/bugs: Add a separate config for MMIO Stale Data
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated,
where some mitigations have entries in Kconfig, and they could be
modified, while other mitigations do not have Kconfig entries, and
could not be controlled at build time.

Create an entry for the MMIO Stale Data CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable
it at compilation time.
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 12 ++++++++++++
arch/x86/kernel/cpu/bugs.c | 3 ++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index c7ce800fcdb2..bba5b65034dc 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2673,6 +2673,18 @@ config MITIGATION_TAA
which is available in various CPU internal buffers by using
asynchronous aborts within an Intel TSX transactional region.
See also <file:Documentation/admin-guide/hw-vuln/tsx_async_abort.rst>
+
+config MITIGATION_MMIO_STALE_DATA
+ bool "Mitigate MMIO Stale Data hardware bug"
+ depends on CPU_SUP_INTEL
+ default y
+ help
+ Enable mitigation for MMIO Stale Data hardware bugs. Processor MMIO
+ Stale Data Vulnerabilities are a class of memory-mapped I/O (MMIO)
+ vulnerabilities that can expose data. The vulnerabilities require the
+ attacker to have access to MMIO.
+ See also
+ <file:Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst>
endif
config ARCH_HAS_ADD_PAGES
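Review bot: the help text says the attacker needs MMIO access but not how the option is overridden at boot; add that =n is the mmio_stale_data=off default and that mmio_stale_data=full re-enables it, so the entry documents the runtime escape hatch the series depends on.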
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 87f3cc6c438d..21daaf202b7f 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -393,7 +393,8 @@ enum mmio_mitigations {
};
/* Default mitigation for Processor MMIO Stale Data vulnerabilities */
-static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_VERW;
+static enum mmio_mitigations mmio_mitigation __ro_after_init =
+ IS_ENABLED(CONFIG_MITIGATION_MMIO_STALE_DATA) ? MMIO_MITIGATION_VERW : MMIO_MITIGATION_OFF;
static bool mmio_nosmt __ro_after_init = false;
static const char * const mmio_strings[] = {
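Review bot: the new initializer line is close to 100 columns; the Spectre v1 patch in this series wraps the same kind of ternary, so do the same here:
static enum mmio_mitigations mmio_mitigation __ro_after_init =
	IS_ENABLED(CONFIG_MITIGATION_MMIO_STALE_DATA) ?
	MMIO_MITIGATION_VERW : MMIO_MITIGATION_OFF;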
--
2.43.0
* [PATCH v3 05/10] x86/bugs: Add a separate config for L1TF
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated,
where some mitigations have entries in Kconfig, and they could be
modified, while other mitigations do not have Kconfig entries, and
could not be controlled at build time.

Create an entry for the L1TF CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable
it at compilation time.
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 10 ++++++++++
arch/x86/kernel/cpu/bugs.c | 3 ++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index bba5b65034dc..192d20348b41 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2685,6 +2685,16 @@ config MITIGATION_MMIO_STALE_DATA
attacker to have access to MMIO.
See also
<file:Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst>
+
+config MITIGATION_L1TF
+ bool "Mitigate L1 Terminal Fault (L1TF) hardware bug"
+ depends on CPU_SUP_INTEL
+ default y
+ help
+ Mitigate L1 Terminal Fault (L1TF) hardware bug. L1 Terminal Fault is a
+ hardware vulnerability which allows unprivileged speculative access to data
+ available in the Level 1 Data Cache.
+ See <file:Documentation/admin-guide/hw-vuln/l1tf.rst
endif
config ARCH_HAS_ADD_PAGES
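Review bot: the last help line is broken: "See <file:Documentation/admin-guide/hw-vuln/l1tf.rst" is missing the closing ">" (the next patch's context lines show it landing in the tree this way), so it will not be recognised as a file reference; make it "See also <file:Documentation/admin-guide/hw-vuln/l1tf.rst>" as the other entries do, and mention the l1tf=off equivalent.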
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 21daaf202b7f..d20299b350d7 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2373,7 +2373,8 @@ EXPORT_SYMBOL_GPL(itlb_multihit_kvm_mitigation);
#define pr_fmt(fmt) "L1TF: " fmt
/* Default mitigation for L1TF-affected CPUs */
-enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
+enum l1tf_mitigations l1tf_mitigation __ro_after_init =
+ IS_ENABLED(CONFIG_MITIGATION_L1TF) ? L1TF_MITIGATION_FLUSH : L1TF_MITIGATION_OFF;
#if IS_ENABLED(CONFIG_KVM_INTEL)
EXPORT_SYMBOL_GPL(l1tf_mitigation);
#endif
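Review bot: l1tf_mitigation is exported to KVM (the EXPORT_SYMBOL_GPL under CONFIG_KVM_INTEL right below), so a CONFIG_MITIGATION_L1TF=n build hands L1TF_MITIGATION_OFF to the VMX side as well, which uses it to pick the L1D flush default for guests; the commit message should say that the hypervisor-side L1TF mitigation default changes too, since that exposure is larger than the host-side one.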
--
2.43.0
* [PATCH v3 06/10] x86/bugs: Add a separate config for RETBLEED
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated,
where some mitigations have entries in Kconfig, and they could be
modified, while other mitigations do not have Kconfig entries, and
could not be controlled at build time.

Create an entry for the RETBLEED CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable
it at compilation time.
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 13 +++++++++++++
arch/x86/kernel/cpu/bugs.c | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 192d20348b41..f5c941a0a837 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2695,6 +2695,19 @@ config MITIGATION_L1TF
hardware vulnerability which allows unprivileged speculative access to data
available in the Level 1 Data Cache.
See <file:Documentation/admin-guide/hw-vuln/l1tf.rst
+
+config MITIGATION_RETBLEED
+ bool "Mitigate RETBleed hardware bug"
+ depends on (CPU_SUP_INTEL && MITIGATION_SPECTRE_V2) || MITIGATION_UNRET_ENTRY || MITIGATION_IBPB_ENTRY
+ default y
+ help
+ Enable mitigation for RETBleed (Arbitrary Speculative Code Execution
+ with Return Instructions) vulnerability. RETBleed is a speculative
+ execution attack which takes advantage of microarchitectural behavior
+ in many modern microprocessors, similar to Spectre v2. An
+ unprivileged attacker can use these flaws to bypass conventional
+ memory security restrictions to gain read access to privileged memory
+ that would otherwise be inaccessible.
endif
config ARCH_HAS_ADD_PAGES
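Review bot: "depends on (CPU_SUP_INTEL && MITIGATION_SPECTRE_V2) || ..." references MITIGATION_SPECTRE_V2, which this series only defines in patch 09; in the tree between this patch and that one the symbol is undefined and evaluates as n, so CONFIG_MITIGATION_RETBLEED cannot be selected on an Intel configuration that has neither MITIGATION_UNRET_ENTRY nor MITIGATION_IBPB_ENTRY. Move the Spectre V2 patch before this one, or add the dependency in patch 09. The help text should also say that =n is the retbleed=off default.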
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index d20299b350d7..c6c404b1c6ac 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -990,7 +990,7 @@ static const char * const retbleed_strings[] = {
static enum retbleed_mitigation retbleed_mitigation __ro_after_init =
RETBLEED_MITIGATION_NONE;
static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =
- RETBLEED_CMD_AUTO;
+ IS_ENABLED(CONFIG_MITIGATION_RETBLEED) ? RETBLEED_CMD_AUTO : RETBLEED_CMD_OFF;
static int __ro_after_init retbleed_nosmt = false;
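Review bot: the build-time switch is applied to retbleed_cmd, not to retbleed_mitigation, which stays RETBLEED_MITIGATION_NONE in both cases two lines above; that is the right variable because the cmd is what the selection code resolves, but it means CONFIG_MITIGATION_RETBLEED=n is exactly retbleed=off and retbleed=auto (or an explicit mode) re-enables it at boot, and neither the commit message nor the Kconfig help says so.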
--
2.43.0
* [PATCH v3 07/10] x86/bugs: Add a separate config for Spectre v1
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated,
where some mitigations have entries in Kconfig, and they could be
modified, while other mitigations do not have Kconfig entries, and
could not be controlled at build time.

Create an entry for the Spectre v1 CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable
it at compilation time.
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 10 ++++++++++
arch/x86/kernel/cpu/bugs.c | 3 ++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index f5c941a0a837..43dd45720fb1 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2708,6 +2708,16 @@ config MITIGATION_RETBLEED
unprivileged attacker can use these flaws to bypass conventional
memory security restrictions to gain read access to privileged memory
that would otherwise be inaccessible.
+
+config MITIGATION_SPECTRE_V1
+ bool "Mitigate SPECTRE V1 hardware bug"
+ default y
+ help
+ Enable mitigation for Spectre V1 (Bounds Check Bypass). Spectre V1 is a
+ class of side channel attacks that takes advantage of speculative
+ execution that bypasses conditional branch instructions used for
+ memory access bounds check.
+ See also <file:Documentation/admin-guide/hw-vuln/spectre.rst>
endif
config ARCH_HAS_ADD_PAGES
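Review bot: the help text claims more than the option controls. The SPECTRE_V1_MITIGATION_NONE string in bugs.c reads "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers", so what CONFIG_MITIGATION_SPECTRE_V1=n removes is the swapgs barriers; the pointer sanitization and usercopy barriers are compiled in regardless. State that in the help, together with the nospectre_v1 equivalent and the fact that there is no command-line value to turn the swapgs barriers back on (nospectre_v1 only disables), so =n is final for this one, unlike the mds=full style options elsewhere in the series.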
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index c6c404b1c6ac..00c3438519be 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -875,7 +875,8 @@ enum spectre_v1_mitigation {
};
static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
- SPECTRE_V1_MITIGATION_AUTO;
+ IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V1) ?
+ SPECTRE_V1_MITIGATION_AUTO : SPECTRE_V1_MITIGATION_NONE;
static const char * const spectre_v1_strings[] = {
[SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
--
2.43.0
* [PATCH v3 08/10] x86/bugs: Add a separate config for SRBDS
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated,
where some mitigations have entries in Kconfig, and they could be
modified, while other mitigations do not have Kconfig entries, and
could not be controlled at build time.

Create an entry for the SRBDS CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable
it at compilation time.
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 14 ++++++++++++++
arch/x86/kernel/cpu/bugs.c | 3 ++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 43dd45720fb1..fdf1c894fcb8 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2718,6 +2718,20 @@ config MITIGATION_SPECTRE_V1
execution that bypasses conditional branch instructions used for
memory access bounds check.
See also <file:Documentation/admin-guide/hw-vuln/spectre.rst>
+
+config MITIGATION_SRBDS
+ bool "Mitigate Special Register Buffer Data Sampling (SRBDS) hardware bug"
+ depends on CPU_SUP_INTEL
+ default y
+ help
+ Enable mitigation for Special Register Buffer Data Sampling (SRBDS).
+ SRBDS is a hardware vulnerability that allows Microarchitectural Data
+ Sampling (MDS) techniques to infer values returned from special
+ register accesses. An unprivileged user can extract values returned
+ from RDRAND and RDSEED executed on another core or sibling thread
+ using MDS techniques.
+ See also
+ <file:Documentation/admin-guide/hw-vuln/special-register-buffer-data-sampling.rst>
endif
config ARCH_HAS_ADD_PAGES
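Review bot: srbds= accepts only "off", so unlike MDS or TAA a CONFIG_MITIGATION_SRBDS=n build cannot be turned back on at boot; the cover letter says build-disabled mitigations can be re-enabled "in most cases", and this entry is one of the exceptions. The help text should say that =n is equivalent to srbds=off and that there is no runtime override, so that a distro does not assume the usual escape hatch exists.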
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 00c3438519be..49b60c0e2eb4 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -608,7 +608,8 @@ enum srbds_mitigations {
SRBDS_MITIGATION_HYPERVISOR,
};
-static enum srbds_mitigations srbds_mitigation __ro_after_init = SRBDS_MITIGATION_FULL;
+static enum srbds_mitigations srbds_mitigation __ro_after_init =
+ IS_ENABLED(CONFIG_MITIGATION_SRBDS) ? SRBDS_MITIGATION_FULL : SRBDS_MITIGATION_OFF;
static const char * const srbds_strings[] = {
[SRBDS_MITIGATION_OFF] = "Vulnerable",
--
2.43.0
* [PATCH v3 09/10] x86/bugs: Add a separate config for Spectre V2
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated,
where some mitigations have entries in Kconfig, and they could be
modified, while other mitigations do not have Kconfig entries, and
could not be controlled at build time.

Create an entry for the Spectre V2 CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable
it at compilation time.
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 12 ++++++++++++
arch/x86/kernel/cpu/bugs.c | 9 +++++----
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index fdf1c894fcb8..4f69a7f5f675 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2719,6 +2719,18 @@ config MITIGATION_SPECTRE_V1
memory access bounds check.
See also <file:Documentation/admin-guide/hw-vuln/spectre.rst>
+config MITIGATION_SPECTRE_V2
+ bool "Mitigate SPECTRE V2 hardware bug"
+ default y
+ help
+ Enable mitigation for Spectre V2 (Branch Target Injection). Spectre
+ V2 is a class of side channel attacks that takes advantage of
+ indirect branch predictors inside the processor. In Spectre variant 2
+ attacks, the attacker can steer speculative indirect branches in the
+ victim to gadget code by poisoning the branch target buffer of a CPU
+ used for predicting indirect branch addresses.
+ See also <file:Documentation/admin-guide/hw-vuln/spectre.rst>
+
config MITIGATION_SRBDS
bool "Mitigate Special Register Buffer Data Sampling (SRBDS) hardware bug"
depends on CPU_SUP_INTEL
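Review bot: patch 06 already uses MITIGATION_SPECTRE_V2 in MITIGATION_RETBLEED's "depends on", so this definition needs to land before it in the series. On the text: say that =n is the nospectre_v2 / spectre_v2=off default, that spectre_v2=on or =auto re-enables it, and that spectre_v2_user= is not affected by this option, since the cover letter says the spectre_v2_user default change was dropped from this series; without that sentence a reader assumes the user-space STIBP/IBPB controls follow this switch.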
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 49b60c0e2eb4..5628a77281fe 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1457,17 +1457,18 @@ static void __init spec_v2_print_cond(const char *reason, bool secure)
static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
{
- enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
+ enum spectre_v2_mitigation_cmd cmd;
char arg[20];
int ret, i;
+ cmd = IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2) ? SPECTRE_V2_CMD_AUTO : SPECTRE_V2_CMD_NONE;
if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
cpu_mitigations_off())
return SPECTRE_V2_CMD_NONE;
ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
if (ret < 0)
- return SPECTRE_V2_CMD_AUTO;
+ return cmd;
for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
if (!match_option(arg, ret, mitigation_options[i].option))
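Review bot: `cmd` now holds the build-time default and is later also the parsed value (the function compares cmd against SPECTRE_V2_CMD_RETPOLINE further down), so two roles share one name; a `const enum spectre_v2_mitigation_cmd default_cmd = IS_ENABLED(CONFIG_MITIGATION_SPECTRE_V2) ? SPECTRE_V2_CMD_AUTO : SPECTRE_V2_CMD_NONE;` at the declaration, returned from the two fallback paths, reads better than the separate assignment and keeps the early nospectre_v2 / cpu_mitigations_off() return unchanged in meaning.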
@@ -1477,8 +1478,8 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
}
if (i >= ARRAY_SIZE(mitigation_options)) {
- pr_err("unknown option (%s). Switching to AUTO select\n", arg);
- return SPECTRE_V2_CMD_AUTO;
+ pr_err("unknown option (%s). Switching to default mode\n", arg);
+ return cmd;
}
if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
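Review bot: "Switching to default mode" no longer tells the admin which mode that is; with CONFIG_MITIGATION_SPECTRE_V2=n a typo in spectre_v2= now silently boots unmitigated, where before it fell back to AUTO. Print the resolved default ("auto" or "off") in the pr_err, and consider whether an unrecognised value should fall back to AUTO regardless of the build default, since an admin who wrote spectre_v2=<something> clearly intended a mitigation.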
--
2.43.0
* [PATCH v3 10/10] x86/bugs: Add a separate config for SSB
From: Breno Leitao @ 2024-04-22 16:58 UTC
To: jpoimboe, mingo, Thomas Gleixner, Borislav Petkov, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta
Cc: linux-kernel
Currently, the CONFIG_SPECULATION_MITIGATIONS is halfway populated,
where some mitigations have entries in Kconfig, and they could be
modified, while other mitigations do not have Kconfig entries, and
could not be controlled at build time.

Create an entry for the SSB CPU mitigation under
CONFIG_SPECULATION_MITIGATIONS. This allows users to enable or disable
it at compilation time.
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/Kconfig | 10 ++++++++++
arch/x86/kernel/cpu/bugs.c | 10 ++++++----
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 4f69a7f5f675..8a5fcb1468f0 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2744,6 +2744,16 @@ config MITIGATION_SRBDS
using MDS techniques.
See also
<file:Documentation/admin-guide/hw-vuln/special-register-buffer-data-sampling.rst>
+
+config MITIGATION_SSB
+ bool "Mitigate Speculative Store Bypass (SSB) hardware bug"
+ default y
+ help
+ Enable mitigation for Speculative Store Bypass (SSB). SSB is a
+ hardware security vulnerability and its exploitation takes advantage
+ of speculative execution in a similar way to the Meltdown and Spectre
+ security vulnerabilities.
+
endif
config ARCH_HAS_ADD_PAGES
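Review bot: the new MITIGATION_SSB help text lacks the `See also <file:...>` pointer that the neighbouring MITIGATION_SRBDS entry carries, and it does not mention that the mitigation remains selectable at boot through `spec_store_bypass_disable=` when the option is off (the command-line handling visible in the bugs.c hunk below). Spelling both out tells a user what they give up by turning the option off and how to get it back at runtime; the "similar way to the Meltdown and Spectre security vulnerabilities" sentence could be replaced by what the mitigation actually prevents (speculative loads bypassing an earlier store to the same address).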
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 5628a77281fe..2e8b24e36d01 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2026,10 +2026,12 @@ static const struct {
static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
{
- enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
+ enum ssb_mitigation_cmd cmd;
char arg[20];
int ret, i;
+ cmd = IS_ENABLED(CONFIG_MITIGATION_SSB) ?
+ SPEC_STORE_BYPASS_CMD_AUTO : SPEC_STORE_BYPASS_CMD_NONE;
if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
cpu_mitigations_off()) {
return SPEC_STORE_BYPASS_CMD_NONE;
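Review bot: same structure as the spectre_v2 change: the declaration and the IS_ENABLED() assignment can be merged (`enum ssb_mitigation_cmd cmd = IS_ENABLED(CONFIG_MITIGATION_SSB) ? SPEC_STORE_BYPASS_CMD_AUTO : SPEC_STORE_BYPASS_CMD_NONE;`), which also keeps the line-broken ternary next to the variable it initialises. The explicit `return SPEC_STORE_BYPASS_CMD_NONE` for `nospec_store_bypass_disable` / `cpu_mitigations_off()` is still correct after the change, since both must force the mitigation off regardless of the Kconfig default.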
@@ -2037,7 +2039,7 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
arg, sizeof(arg));
if (ret < 0)
- return SPEC_STORE_BYPASS_CMD_AUTO;
+ return cmd;
for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
if (!match_option(arg, ret, ssb_mitigation_options[i].option))
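Review bot: `return cmd` on the `ret < 0` path is the common no-argument case and now carries the Kconfig default, so a short comment above it (`/* No spec_store_bypass_disable= given: use the build-time default */`) would save the next reader from tracing `cmd` back to the IS_ENABLED() assignment at the top of the function.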
@@ -2048,8 +2050,8 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
}
if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
- pr_err("unknown option (%s). Switching to AUTO select\n", arg);
- return SPEC_STORE_BYPASS_CMD_AUTO;
+ pr_err("unknown option (%s). Switching to default mode\n", arg);
+ return cmd;
}
}
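Review bot: as with the spectre_v2 message, "Switching to default mode" hides whether an unknown `spec_store_bypass_disable=` value ended up in AUTO or in NONE; with CONFIG_MITIGATION_SSB=n a typo on the command line leaves SSB unmitigated behind a generic message. Printing the resolved mode (or distinguishing the two cases in the message) keeps the boot log useful when checking a system's mitigation state.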
--
2.43.0
* Re: [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
From: Borislav Petkov @ 2024-07-12 17:21 UTC (permalink / raw)
To: Breno Leitao, Daniel Sneddon, Josh Poimboeuf
Cc: jpoimboe, mingo, Thomas Gleixner, Dave Hansen, x86,
H. Peter Anvin, Peter Zijlstra, Pawan Gupta, linux-kernel
On Mon, Apr 22, 2024 at 09:58:15AM -0700, Breno Leitao wrote:
> +config MITIGATION_GDS
> + bool "Mitigate Gather Data Sampling"
> + depends on CPU_SUP_INTEL
> + default y
> + help
> + Enable mitigation for Gather Data Sampling (GDS). GDS is a hardware
> + vulnerability which allows unprivileged speculative access to data
> + which was previously stored in vector registers. The attacker uses gather
> + instructions to infer the stale vector register data.
> +
> config MITIGATION_GDS_FORCE
Btw, can we get rid of that thing, while at it?
Ubuntu and SLES don't set it, no clue how to check RHEL configs but if it is
not set there, we probably could unify both options...
I'm looking at
53cf5797f114 ("x86/speculation: Add Kconfig option for GDS")
...
Hmmm.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Re: [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
From: Breno Leitao @ 2024-07-15 12:14 UTC (permalink / raw)
To: Borislav Petkov
Cc: Daniel Sneddon, Josh Poimboeuf, mingo, Thomas Gleixner,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta,
linux-kernel
Hello Borislav,
On Fri, Jul 12, 2024 at 07:21:32PM +0200, Borislav Petkov wrote:
> On Mon, Apr 22, 2024 at 09:58:15AM -0700, Breno Leitao wrote:
> > +config MITIGATION_GDS
> > + bool "Mitigate Gather Data Sampling"
> > + depends on CPU_SUP_INTEL
> > + default y
> > + help
> > + Enable mitigation for Gather Data Sampling (GDS). GDS is a hardware
> > + vulnerability which allows unprivileged speculative access to data
> > + which was previously stored in vector registers. The attacker uses gather
> > + instructions to infer the stale vector register data.
> > +
> > config MITIGATION_GDS_FORCE
>
> Btw, can we get rid of that thing, while at it?
Sure, I will send a v4 and get rid of GDS_FORCE_MITIGATION completely.
Thanks for the review.
--breno
* Re: [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
From: Borislav Petkov @ 2024-07-15 12:17 UTC (permalink / raw)
To: Breno Leitao
Cc: Daniel Sneddon, Josh Poimboeuf, mingo, Thomas Gleixner,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta,
linux-kernel
On Mon, Jul 15, 2024 at 05:14:54AM -0700, Breno Leitao wrote:
> Sure, I will send a v4 and get rid of GDS_FORCE_MITIGATION completely.
I'm actually waiting on the people on Cc to chime in whether we really need
it. The three distro configs we checked, don't set it.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Re: [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
From: Breno Leitao @ 2024-07-15 13:35 UTC (permalink / raw)
To: Borislav Petkov
Cc: Daniel Sneddon, Josh Poimboeuf, mingo, Thomas Gleixner,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta,
linux-kernel
On Mon, Jul 15, 2024 at 02:17:03PM +0200, Borislav Petkov wrote:
> On Mon, Jul 15, 2024 at 05:14:54AM -0700, Breno Leitao wrote:
> > Sure, I will send a v4 and get rid of GDS_FORCE_MITIGATION completely.
>
> I'm actually waiting on the people on Cc to chime in whether we really need
> it. The three distro configs we checked, don't set it.
Makes sense, thanks.
Regarding this patchset itself, what is the patch forward?
Should I send a rebased version?
Thanks
--breno
* Re: [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
From: Borislav Petkov @ 2024-07-15 13:43 UTC (permalink / raw)
To: Breno Leitao
Cc: Daniel Sneddon, Josh Poimboeuf, mingo, Thomas Gleixner,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta,
linux-kernel
On Mon, Jul 15, 2024 at 06:35:21AM -0700, Breno Leitao wrote:
> Regarding this patchset itself, what is the patch forward?
The path forward is for you to wait until I've gone through them all. We have
merge window now so not in the next two weeks.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Re: [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
From: Breno Leitao @ 2024-07-15 14:20 UTC (permalink / raw)
To: Borislav Petkov
Cc: Daniel Sneddon, Josh Poimboeuf, mingo, Thomas Gleixner,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta,
linux-kernel
On Mon, Jul 15, 2024 at 03:43:37PM +0200, Borislav Petkov wrote:
> On Mon, Jul 15, 2024 at 06:35:21AM -0700, Breno Leitao wrote:
> > Regarding this patchset itself, what is the patch forward?
>
> The path forward is for you to wait until I've gone through them all. We have
> merge window now so not in the next two weeks.
That is fair, I didn't mean to rush at all. Thanks for looking at these
patches!
--breno
* Re: [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
From: Daniel Sneddon @ 2024-07-16 18:51 UTC (permalink / raw)
To: Borislav Petkov, Breno Leitao
Cc: Josh Poimboeuf, mingo, Thomas Gleixner, Dave Hansen, x86,
H. Peter Anvin, Peter Zijlstra, Pawan Gupta, linux-kernel
On 7/15/24 05:17, Borislav Petkov wrote:
> On Mon, Jul 15, 2024 at 05:14:54AM -0700, Breno Leitao wrote:
>> Sure, I will send a v4 and get rid of GDS_FORCE_MITIGATION completely.
>
> I'm actually waiting on the people on Cc to chime in whether we really need
> it. The three distro configs we checked, don't set it.
>
If no one is using it I don't see any reason to keep it. It's just cluttering up
the code at that point. End users can still set gather_data_sampling=force anyway.
* Re: [PATCH v3 01/10] x86/bugs: Add a separate config for GDS
From: Borislav Petkov @ 2024-07-16 19:10 UTC (permalink / raw)
To: Daniel Sneddon
Cc: Breno Leitao, Josh Poimboeuf, mingo, Thomas Gleixner, Dave Hansen,
x86, H. Peter Anvin, Peter Zijlstra, Pawan Gupta, linux-kernel
On Tue, Jul 16, 2024 at 11:51:23AM -0700, Daniel Sneddon wrote:
> If no one is using it I don't see any reason to keep it. It's just
> cluttering up the code at that point. End users can still set
> gather_data_sampling=force anyway.
Yeah, right, thanks for confirming.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Re: [PATCH v3 00/10] x86/bugs: Separate config for mitigations
From: Borislav Petkov @ 2024-07-29 9:21 UTC (permalink / raw)
To: Breno Leitao; +Cc: jpoimboe, mingo, x86, tglx, linux-kernel, pawan.kumar.gupta
On Mon, Apr 22, 2024 at 09:58:14AM -0700, Breno Leitao wrote:
> Breno Leitao (10):
> x86/bugs: Add a separate config for GDS
> x86/bugs: Add a separate config for MDS
> x86/bugs: Add a separate config for TAA
> x86/bugs: Add a separate config for MMIO Stable Data
> x86/bugs: Add a separate config for L1TF
> x86/bugs: Add a separate config for RETBLEED
> x86/bugs: Add a separate config for Spectre v1
> x86/bugs: Add a separate config for SRBDS
> x86/bugs: Add a separate config for Spectre V2
> x86/bugs: Add a separate config for SSB
>
> arch/x86/Kconfig | 117 +++++++++++++++++++++++++++++++++++--
> arch/x86/kernel/cpu/bugs.c | 46 +++++++++------
> 2 files changed, 140 insertions(+), 23 deletions(-)
Ok, rest looks ok. You can send a new version with all feedback addressed.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Re: [PATCH v3 00/10] x86/bugs: Separate config for mitigations
From: Breno Leitao @ 2024-07-29 16:27 UTC (permalink / raw)
To: Borislav Petkov
Cc: jpoimboe, mingo, x86, tglx, linux-kernel, pawan.kumar.gupta
Hello Borislav,
On Mon, Jul 29, 2024 at 11:21:02AM +0200, Borislav Petkov wrote:
> On Mon, Apr 22, 2024 at 09:58:14AM -0700, Breno Leitao wrote:
> > Breno Leitao (10):
> > x86/bugs: Add a separate config for GDS
> > x86/bugs: Add a separate config for MDS
> > x86/bugs: Add a separate config for TAA
> > x86/bugs: Add a separate config for MMIO Stable Data
> > x86/bugs: Add a separate config for L1TF
> > x86/bugs: Add a separate config for RETBLEED
> > x86/bugs: Add a separate config for Spectre v1
> > x86/bugs: Add a separate config for SRBDS
> > x86/bugs: Add a separate config for Spectre V2
> > x86/bugs: Add a separate config for SSB
> >
> > arch/x86/Kconfig | 117 +++++++++++++++++++++++++++++++++++--
> > arch/x86/kernel/cpu/bugs.c | 46 +++++++++------
> > 2 files changed, 140 insertions(+), 23 deletions(-)
>
> Ok, rest looks ok. You can send a new version with all feedback addressed.
Thanks for reviewing it.
I will send a v4, where I will drop MITIGATION_GDS_FORCE, and keep only
MITIGATION_GDS Kconfig config entry.
Thanks,
--breno