From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
To: bot+bpf-ci@kernel.org
Cc: x86@kernel.org, nik.borisov@suse.com, hpa@zytor.com,
jpoimboe@kernel.org, david.kaplan@amd.com, seanjc@google.com,
bp@alien8.de, dave.hansen@linux.intel.com, peterz@infradead.org,
ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
kpsingh@kernel.org, jolsa@kernel.org, davem@davemloft.net,
david.laight.linux@gmail.com, luto@kernel.org, tglx@kernel.org,
mingo@redhat.com, dsahern@kernel.org, martin.lau@linux.dev,
eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev,
john.fastabend@gmail.com, sdf@fomichev.me, haoluo@google.com,
pbonzini@redhat.com, corbet@lwn.net,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
asit.k.mallick@intel.com, tao1.zhang@intel.com,
bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-doc@vger.kernel.org, martin.lau@kernel.org, clm@meta.com,
ihor.solodrai@linux.dev
Subject: Re: [PATCH v7 10/10] x86/vmscape: Add cmdline vmscape=on to override attack vector controls
Date: Thu, 19 Mar 2026 10:57:53 -0700
Message-ID: <20260319175753.ocv7mv5hogscptvk@desk>
In-Reply-To: <a0134d85926936821c00147b9602b4f977519556e163ebd59dee2307c7618fb1@mail.kernel.org>

On Thu, Mar 19, 2026 at 04:40:21PM +0000, bot+bpf-ci@kernel.org wrote:
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -8375,9 +8375,11 @@
> >
> > off - disable the mitigation
> > ibpb - use Indirect Branch Prediction Barrier
> > - (IBPB) mitigation (default)
> > + (IBPB) mitigation
> > force - force vulnerability detection even on
> > unaffected processors
> > + on - (default) selects IBPB or BHB clear
> > + mitigation based on CPU
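Review bot: "based on CPU" in the added "on" entry does not tell an administrator which mitigation a given machine ends up with. Consider naming the condition that decides between IBPB and BHB clear, or pointing to where it is documented, so the result can be predicted from this text.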
>
> Is the "(default)" label accurate here? The code default is
> VMSCAPE_MITIGATION_AUTO, not VMSCAPE_MITIGATION_ON:
>
>     static enum vmscape_mitigations vmscape_mitigation __ro_after_init =
>         IS_ENABLED(CONFIG_MITIGATION_VMSCAPE) ?
>             VMSCAPE_MITIGATION_AUTO : VMSCAPE_MITIGATION_NONE;
>
> In vmscape_select_mitigation(), AUTO and ON take the same switch
> path for selecting between BHB clear and IBPB. But AUTO goes
> through this check first:
>
>     if ((vmscape_mitigation == VMSCAPE_MITIGATION_AUTO) &&
>         !should_mitigate_vuln(X86_BUG_VMSCAPE))
>             vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
>
> ON skips that check, which is the whole point of this commit per
> the subject line ("override attack vector controls").
>
> A sysadmin reading "on (default)" would conclude that not passing
> any option gives the same behavior as vmscape=on, but the actual
> default respects attack vector controls while vmscape=on overrides
> them.

That's a valid point. Updating the documentation as below:

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 1068569be5cf..98204d464477 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -8381,8 +8381,10 @@ Kernel parameters
(IBPB) mitigation
force - force vulnerability detection even on
unaffected processors
- on - (default) selects IBPB or BHB clear
+ auto - (default) use IBPB or BHB clear
mitigation based on CPU
+ on - same as "auto", but override attack
+ vector control
vsyscall= [X86-64,EARLY]
Controls the behavior of vsyscalls (i.e. calls to
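Review bot: The added "auto" entry documents a command-line value that the visible lines never show being parsed; the quoted code only establishes VMSCAPE_MITIGATION_AUTO as the built-in default. If vmscape=auto is not accepted by the option parser, describe this as the behavior when no option is given instead of listing it as a value. In the "on" entry, "override attack vector control" would be clearer if it said what is overridden, for example that the mitigation is applied even when attack vector controls would turn it off, and the plural "controls" would match the subject line.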

Thread overview: 27+ messages
2026-03-19 15:40 [PATCH v7 00/10] VMSCAPE optimization for BHI variant Pawan Gupta
2026-03-19 15:40 ` [PATCH v7 01/10] x86/bhi: x86/vmscape: Move LFENCE out of clear_bhb_loop() Pawan Gupta
2026-03-19 15:40 ` [PATCH v7 02/10] x86/bhi: Make clear_bhb_loop() effective on newer CPUs Pawan Gupta
2026-03-19 15:40 ` [PATCH v7 03/10] x86/bhi: Rename clear_bhb_loop() to clear_bhb_loop_nofence() Pawan Gupta
2026-03-23 14:44 ` Nikolay Borisov
2026-03-23 17:07 ` Pawan Gupta
2026-03-19 15:41 ` [PATCH v7 04/10] x86/vmscape: Rename x86_ibpb_exit_to_user to x86_predictor_flush_exit_to_user Pawan Gupta
2026-03-19 15:41 ` [PATCH v7 05/10] x86/vmscape: Move mitigation selection to a switch() Pawan Gupta
2026-03-19 15:41 ` [PATCH v7 06/10] x86/vmscape: Use write_ibpb() instead of indirect_branch_prediction_barrier() Pawan Gupta
2026-03-19 15:41 ` [PATCH v7 07/10] x86/vmscape: Use static_call() for predictor flush Pawan Gupta
2026-03-19 16:56 ` bot+bpf-ci
2026-03-19 18:05 ` Pawan Gupta
2026-03-19 20:58 ` Peter Zijlstra
2026-03-19 21:34 ` Pawan Gupta
2026-03-19 21:44 ` Peter Zijlstra
2026-03-19 22:06 ` Pawan Gupta
2026-03-20 6:22 ` Pawan Gupta
2026-03-20 9:03 ` Peter Zijlstra
2026-03-20 11:31 ` Borislav Petkov
2026-03-20 18:23 ` Pawan Gupta
2026-03-24 20:00 ` Borislav Petkov
2026-03-24 20:14 ` Pawan Gupta
2026-03-19 15:42 ` [PATCH v7 08/10] x86/vmscape: Deploy BHB clearing mitigation Pawan Gupta
2026-03-19 15:42 ` [PATCH v7 09/10] x86/vmscape: Fix conflicting attack-vector controls with =force Pawan Gupta
2026-03-19 15:42 ` [PATCH v7 10/10] x86/vmscape: Add cmdline vmscape=on to override attack vector controls Pawan Gupta
2026-03-19 16:40 ` bot+bpf-ci
2026-03-19 17:57 ` Pawan Gupta [this message]