* [PATCH] x86/srso: Disable the mitigation on unaffected configurations @ 2023-08-13 10:45 Borislav Petkov 2023-08-14 6:39 ` Nikolay Borisov 2023-08-14 9:37 ` [tip: x86/urgent] x86/srso: Disable the mitigation on unaffected configurations tip-bot2 for Borislav Petkov (AMD) 0 siblings, 2 replies; 19+ messages in thread From: Borislav Petkov @ 2023-08-13 10:45 UTC (permalink / raw) To: X86 ML; +Cc: Josh Poimboeuf, LKML From: "Borislav Petkov (AMD)" <bp@alien8.de> Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT disabled and with the proper microcode applied (latter should be the case anyway) as those are not affected. Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection") Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> --- arch/x86/kernel/cpu/bugs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d02f73c5339d..8959a1b9fb80 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2418,8 +2418,10 @@ static void __init srso_select_mitigation(void) * IBPB microcode has been applied. */ if ((boot_cpu_data.x86 < 0x19) && - (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) + (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) { setup_force_cpu_cap(X86_FEATURE_SRSO_NO); + goto pred_cmd; + } } if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) { @@ -2696,6 +2698,9 @@ static ssize_t retbleed_show_state(char *buf) static ssize_t srso_show_state(char *buf) { + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) + return sysfs_emit(buf, "Not affected\n"); + return sysfs_emit(buf, "%s%s\n", srso_strings[srso_mitigation], (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode")); -- 2.42.0.rc0.25.ga82fb66fed25 ^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations 2023-08-13 10:45 [PATCH] x86/srso: Disable the mitigation on unaffected configurations Borislav Petkov @ 2023-08-14 6:39 ` Nikolay Borisov 2023-08-14 20:08 ` Josh Poimboeuf 2023-08-14 9:37 ` [tip: x86/urgent] x86/srso: Disable the mitigation on unaffected configurations tip-bot2 for Borislav Petkov (AMD) 1 sibling, 1 reply; 19+ messages in thread From: Nikolay Borisov @ 2023-08-14 6:39 UTC (permalink / raw) To: Borislav Petkov, X86 ML; +Cc: Josh Poimboeuf, LKML On 13.08.23 г. 13:45 ч., Borislav Petkov wrote: > From: "Borislav Petkov (AMD)" <bp@alien8.de> > > Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT > disabled and with the proper microcode applied (latter should be the > case anyway) as those are not affected. > > Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection") > Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> > --- > arch/x86/kernel/cpu/bugs.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c > index d02f73c5339d..8959a1b9fb80 100644 > --- a/arch/x86/kernel/cpu/bugs.c > +++ b/arch/x86/kernel/cpu/bugs.c > @@ -2418,8 +2418,10 @@ static void __init srso_select_mitigation(void) > * IBPB microcode has been applied. > */ > if ((boot_cpu_data.x86 < 0x19) && > - (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) > + (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) { > setup_force_cpu_cap(X86_FEATURE_SRSO_NO); > + goto pred_cmd; Actually can't you simply return, given that zen1/2 never have the SBPB flag set? Only zen3/4 with the updated microcode? > + } > } > > if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) { > @@ -2696,6 +2698,9 @@ static ssize_t retbleed_show_state(char *buf) > > static ssize_t srso_show_state(char *buf) > { > + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) > + return sysfs_emit(buf, "Not affected\n"); > + > return sysfs_emit(buf, "%s%s\n", > srso_strings[srso_mitigation], > (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode")); ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations 2023-08-14 6:39 ` Nikolay Borisov @ 2023-08-14 20:08 ` Josh Poimboeuf 2023-08-14 20:25 ` Borislav Petkov 2023-08-18 10:59 ` [tip: x86/urgent] " tip-bot2 for Borislav Petkov (AMD) 0 siblings, 2 replies; 19+ messages in thread From: Josh Poimboeuf @ 2023-08-14 20:08 UTC (permalink / raw) To: Nikolay Borisov; +Cc: Borislav Petkov, X86 ML, Josh Poimboeuf, LKML On Mon, Aug 14, 2023 at 09:39:11AM +0300, Nikolay Borisov wrote: > > > On 13.08.23 г. 13:45 ч., Borislav Petkov wrote: > > From: "Borislav Petkov (AMD)" <bp@alien8.de> > > > > Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT > > disabled and with the proper microcode applied (latter should be the > > case anyway) as those are not affected. > > > > Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection") > > Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> > > --- > > arch/x86/kernel/cpu/bugs.c | 7 ++++++- > > 1 file changed, 6 insertions(+), 1 deletion(-) > > > > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c > > index d02f73c5339d..8959a1b9fb80 100644 > > --- a/arch/x86/kernel/cpu/bugs.c > > +++ b/arch/x86/kernel/cpu/bugs.c > > @@ -2418,8 +2418,10 @@ static void __init srso_select_mitigation(void) > > * IBPB microcode has been applied. > > */ > > if ((boot_cpu_data.x86 < 0x19) && > > - (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) > > + (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) { > > setup_force_cpu_cap(X86_FEATURE_SRSO_NO); > > + goto pred_cmd; > > Actually can't you simply return, given that zen1/2 never have the SBPB flag > set? Only zen3/4 with the updated microcode? Tangentially, the 'cpu_smt_control == CPU_SMT_DISABLED' check is wrong, as SMT could still get enabled at runtime and SRSO would be exposed. Also is there a reason to re-use the hardware SRSO_NO bit rather than clear the bug bit? That seems cleaner, then you wouldn't need this hack: > > + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) > > + return sysfs_emit(buf, "Not affected\n"); > > + -- Josh ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations 2023-08-14 20:08 ` Josh Poimboeuf @ 2023-08-14 20:25 ` Borislav Petkov 2023-08-14 20:53 ` Josh Poimboeuf 2023-08-18 10:59 ` [tip: x86/urgent] " tip-bot2 for Borislav Petkov (AMD) 1 sibling, 1 reply; 19+ messages in thread From: Borislav Petkov @ 2023-08-14 20:25 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Mon, Aug 14, 2023 at 01:08:13PM -0700, Josh Poimboeuf wrote: > Tangentially, the 'cpu_smt_control == CPU_SMT_DISABLED' check is wrong, > as SMT could still get enabled at runtime and SRSO would be exposed. Well, even if it gets exposed, I don't think we can safely enable the mitigation at runtime as alternatives have run already. I guess I could use CPU_SMT_FORCE_DISABLED here. > Also is there a reason to re-use the hardware SRSO_NO bit Not a hardware bit - this is set by software - it is only allocated in the CPUID leaf for easier interaction with guests. > rather than clear the bug bit? We don't clear the X86_BUGs. Ever. The logic is that if the CPU matches an affected CPU, that flag remains to show that it is potentially affected. /sys/devices/system/cpu/vulnerabilities/ tells you what the actual state is. > That seems cleaner, then you wouldn't need this hack: Not a hack. This is just like the other "not affected" feature flags. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations 2023-08-14 20:25 ` Borislav Petkov @ 2023-08-14 20:53 ` Josh Poimboeuf 2023-08-14 21:17 ` Borislav Petkov 0 siblings, 1 reply; 19+ messages in thread From: Josh Poimboeuf @ 2023-08-14 20:53 UTC (permalink / raw) To: Borislav Petkov; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Mon, Aug 14, 2023 at 10:25:45PM +0200, Borislav Petkov wrote: > On Mon, Aug 14, 2023 at 01:08:13PM -0700, Josh Poimboeuf wrote: > > Tangentially, the 'cpu_smt_control == CPU_SMT_DISABLED' check is wrong, > > as SMT could still get enabled at runtime and SRSO would be exposed. > > Well, even if it gets exposed, I don't think we can safely enable the > mitigation at runtime as alternatives have run already. Right, I wasn't suggesting to enable the mitigation at runtime. Rather, enable the mitigation at boot time, if SMT is even possible. That's what we've done for other mitigations. Better safe than sorry. > I guess I could use CPU_SMT_FORCE_DISABLED here. cpu_smt_possible() already does that. > > Also is there a reason to re-use the hardware SRSO_NO bit > > Not a hardware bit - this is set by software - it is only allocated in > the CPUID leaf for easier interaction with guests. 2. ENUMERATION OF NEW CAPABILITIES AMD is defining three new CPUID bits to assist with the enumeration of capabilities related to SRSO: CPUID Fn8000_0021_EAX[29] (SRSO_NO) – If this bit is 1, it indicates the CPU is not subject to the SRSO vulnerability. CPUID Fn8000_0021_EAX[28] (IBPB_BRTYPE) – If this bit is 1, it indicates that MSR 49h (PRED_CMD) bit 0 (IBPB) flushes all branch type predictions from the CPU branch predictor. CPUID Fn8000_0021_EAX[27] (SBPB) > > rather than clear the bug bit? > > We don't clear the X86_BUGs. Ever. The logic is that if the CPU matches > an affected CPU, that flag remains to show that it is potentially > affected. Hm, ok. I thought that was the point of the vulnerabilities file. > /sys/devices/system/cpu/vulnerabilities/ tells you what the actual state > is. Since technically the CPU is affected, I'm thinking it should say "Mitigation: SMT disabled" or such, instead of "Not affected". > > That seems cleaner, then you wouldn't need this hack: > > Not a hack. This is just like the other "not affected" feature flags. Hm? You mean the *_NO ones that determine whether the BUG bits get set in the first place? How do they print "Not affected"? -- Josh ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations 2023-08-14 20:53 ` Josh Poimboeuf @ 2023-08-14 21:17 ` Borislav Petkov 2023-08-15 9:57 ` [PATCH] x86/srso: Correct the mitigation status when SMT is disabled Borislav Petkov 0 siblings, 1 reply; 19+ messages in thread From: Borislav Petkov @ 2023-08-14 21:17 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Mon, Aug 14, 2023 at 01:53:00PM -0700, Josh Poimboeuf wrote: > cpu_smt_possible() already does that. Ok. > 2. ENUMERATION OF NEW CAPABILITIES Yes, exactly. On the next page: "Hypervisor software should synthesize... " I got confused initially too. > Since technically the CPU is affected, I'm thinking it should say > "Mitigation: SMT disabled" or such, instead of "Not affected". Lemme see how ugly it becomes tomorrow. > Hm? You mean the *_NO ones that determine whether the BUG bits get set > in the first place? How do they print "Not affected"? If SMT is disabled on those configurations, it is not affected. But ok, "SMT disabled". -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-14 21:17 ` Borislav Petkov @ 2023-08-15 9:57 ` Borislav Petkov 2023-08-15 19:58 ` Josh Poimboeuf 0 siblings, 1 reply; 19+ messages in thread From: Borislav Petkov @ 2023-08-15 9:57 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Mon, Aug 14, 2023 at 11:17:27PM +0200, Borislav Petkov wrote: > Lemme see how ugly it becomes tomorrow. Not too bad, considering bugs.c's ugliness. From: "Borislav Petkov (AMD)" <bp@alien8.de> Date: Tue, 15 Aug 2023 11:53:13 +0200 Subject: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled Specify how is SRSO mitigated when SMT is disabled. Also, correct the SMT check for that. Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations") Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> --- arch/x86/kernel/cpu/bugs.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 6c04aef4b63b..dc8f874fdd63 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2417,8 +2417,7 @@ static void __init srso_select_mitigation(void) * Zen1/2 with SMT off aren't vulnerable after the right * IBPB microcode has been applied. */ - if ((boot_cpu_data.x86 < 0x19) && - (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) { + if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) { setup_force_cpu_cap(X86_FEATURE_SRSO_NO); return; } @@ -2698,8 +2697,12 @@ static ssize_t retbleed_show_state(char *buf) static ssize_t srso_show_state(char *buf) { - if (boot_cpu_has(X86_FEATURE_SRSO_NO)) - return sysfs_emit(buf, "Not affected\n"); + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) { + if (sched_smt_active()) + return sysfs_emit(buf, "Not affected\n"); + else + return sysfs_emit(buf, "Mitigation: SMT disabled\n"); + } return sysfs_emit(buf, "%s%s\n", srso_strings[srso_mitigation], -- 2.42.0.rc0.25.ga82fb66fed25 -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-15 9:57 ` [PATCH] x86/srso: Correct the mitigation status when SMT is disabled Borislav Petkov @ 2023-08-15 19:58 ` Josh Poimboeuf 2023-08-15 20:17 ` Borislav Petkov 0 siblings, 1 reply; 19+ messages in thread From: Josh Poimboeuf @ 2023-08-15 19:58 UTC (permalink / raw) To: Borislav Petkov; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Tue, Aug 15, 2023 at 11:57:24AM +0200, Borislav Petkov wrote: > --- a/arch/x86/kernel/cpu/bugs.c > +++ b/arch/x86/kernel/cpu/bugs.c > @@ -2417,8 +2417,7 @@ static void __init srso_select_mitigation(void) > * Zen1/2 with SMT off aren't vulnerable after the right > * IBPB microcode has been applied. > */ > - if ((boot_cpu_data.x86 < 0x19) && > - (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) { > + if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) { > setup_force_cpu_cap(X86_FEATURE_SRSO_NO); > return; > } > @@ -2698,8 +2697,12 @@ static ssize_t retbleed_show_state(char *buf) > > static ssize_t srso_show_state(char *buf) > { > - if (boot_cpu_has(X86_FEATURE_SRSO_NO)) > - return sysfs_emit(buf, "Not affected\n"); > + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) { > + if (sched_smt_active()) > + return sysfs_emit(buf, "Not affected\n"); > + else > + return sysfs_emit(buf, "Mitigation: SMT disabled\n"); > + } AFAICT, nowhere in the spec does it say the SRSO_NO bit won't get set by future (fixed) HW. In fact I'd expect it will, similar to other *_NO flags. Regardless, here SRSO_NO seems to mean two different things: "reported safe by host (or HW)" and "not reported safe on Zen1/2 with SMT not possible". Also, in this code, the SRSO_NO+SMT combo doesn't seem logically possible, as srso_show_state() only gets called if X86_BUG_SRSO is set, which only happens if SRSO_NO is not set by the HW/host in the first place. So here, if boot_cpu_has(X86_FEATURE_SRSO_NO), it means SRSO_NO was manually set by srso_select_mitigation(), and SMT can't possibly be enabled. Instead of piggybacking on SRSO_NO, which is confusing, why not just add a new mitigation type, like: diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 6c04aef4b63b..c925b98f5a15 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2343,6 +2343,7 @@ early_param("l1tf", l1tf_cmdline); enum srso_mitigation { SRSO_MITIGATION_NONE, SRSO_MITIGATION_MICROCODE, + SRSO_MITIGATION_SMT, SRSO_MITIGATION_SAFE_RET, SRSO_MITIGATION_IBPB, SRSO_MITIGATION_IBPB_ON_VMEXIT, @@ -2359,6 +2360,7 @@ enum srso_mitigation_cmd { static const char * const srso_strings[] = { [SRSO_MITIGATION_NONE] = "Vulnerable", [SRSO_MITIGATION_MICROCODE] = "Mitigation: microcode", + [SRSO_MITIGATION_SMT] = "Mitigation: SMT disabled", [SRSO_MITIGATION_SAFE_RET] = "Mitigation: safe RET", [SRSO_MITIGATION_IBPB] = "Mitigation: IBPB", [SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only" @@ -2407,19 +2409,15 @@ static void __init srso_select_mitigation(void) pr_warn("IBPB-extending microcode not applied!\n"); pr_warn(SRSO_NOTICE); } else { - /* - * Enable the synthetic (even if in a real CPUID leaf) - * flags for guests. - */ + /* Enable the synthetic flag, as HW doesn't set it. */ setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE); /* * Zen1/2 with SMT off aren't vulnerable after the right * IBPB microcode has been applied. */ - if ((boot_cpu_data.x86 < 0x19) && - (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) { - setup_force_cpu_cap(X86_FEATURE_SRSO_NO); + if ((boot_cpu_data.x86 < 0x19) && !cpu_smt_possible()) { + srso_mitigation = SRSO_MITIGATION_SMT; return; } } @@ -2698,9 +2696,6 @@ static ssize_t retbleed_show_state(char *buf) static ssize_t srso_show_state(char *buf) { - if (boot_cpu_has(X86_FEATURE_SRSO_NO)) - return sysfs_emit(buf, "Not affected\n"); - return sysfs_emit(buf, "%s%s\n", srso_strings[srso_mitigation], (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode")); ^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-15 19:58 ` Josh Poimboeuf @ 2023-08-15 20:17 ` Borislav Petkov 2023-08-15 21:27 ` Josh Poimboeuf 0 siblings, 1 reply; 19+ messages in thread From: Borislav Petkov @ 2023-08-15 20:17 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Tue, Aug 15, 2023 at 12:58:31PM -0700, Josh Poimboeuf wrote: > AFAICT, nowhere in the spec does it say the SRSO_NO bit won't get set by > future (fixed) HW. In fact I'd expect it will, similar to other *_NO > flags. I'm pretty sure it won't. SRSO_NO is synthesized by the hypervisor *software*. Nothing else. It is there so that you don't check microcode version in the guest which is nearly impossible anyway. > Regardless, here SRSO_NO seems to mean two different things: "reported > safe by host (or HW)" and "not reported safe on Zen1/2 with SMT not > possible". Huh? > Also, in this code, the SRSO_NO+SMT combo doesn't seem logically > possible, as srso_show_state() only gets called if X86_BUG_SRSO is set, > which only happens if SRSO_NO is not set by the HW/host in the first > place. So here, if boot_cpu_has(X86_FEATURE_SRSO_NO), it means SRSO_NO > was manually set by srso_select_mitigation(), and SMT can't possibly be > enabled. Have you considered the case where Linux would set SRSO_NO when booting on future hardware, which is fixed? There SRSO_NO and SMT will very much be possible. > Instead of piggybacking on SRSO_NO, which is confusing, why not just add > a new mitigation type, like: I had a separate mitigation defintion but then realized I don't need it because, well, it is not really a mitigation - it is a case where the machine is not affected. For example, I have a Zen2 laptop here with SMT disabled in the hardware which is also not affected. And also, the rest of the SMT disabled cases in bugs.c do check sched_smt_active() too, without having a separate mitigation. That's why. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-15 20:17 ` Borislav Petkov @ 2023-08-15 21:27 ` Josh Poimboeuf 2023-08-16 8:30 ` Borislav Petkov 0 siblings, 1 reply; 19+ messages in thread From: Josh Poimboeuf @ 2023-08-15 21:27 UTC (permalink / raw) To: Borislav Petkov; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Tue, Aug 15, 2023 at 10:17:53PM +0200, Borislav Petkov wrote: > On Tue, Aug 15, 2023 at 12:58:31PM -0700, Josh Poimboeuf wrote: > > AFAICT, nowhere in the spec does it say the SRSO_NO bit won't get set by > > future (fixed) HW. In fact I'd expect it will, similar to other *_NO > > flags. > > I'm pretty sure it won't. > > SRSO_NO is synthesized by the hypervisor *software*. Nothing else. Citation needed. > It is there so that you don't check microcode version in the guest which > is nearly impossible anyway. > > > Regardless, here SRSO_NO seems to mean two different things: "reported > > safe by host (or HW)" and "not reported safe on Zen1/2 with SMT not > > possible". > > Huh? Can you clarify what doesn't make sense? > > Also, in this code, the SRSO_NO+SMT combo doesn't seem logically > > possible, as srso_show_state() only gets called if X86_BUG_SRSO is set, > > which only happens if SRSO_NO is not set by the HW/host in the first > > place. So here, if boot_cpu_has(X86_FEATURE_SRSO_NO), it means SRSO_NO > > was manually set by srso_select_mitigation(), and SMT can't possibly be > > enabled. > > Have you considered the case where Linux would set SRSO_NO when booting > on future hardware, which is fixed? > > There SRSO_NO and SMT will very much be possible. How is that relevant to my comment? The bug bit still wouldn't get set and srso_show_state() still wouldn't be called. -- Josh ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-15 21:27 ` Josh Poimboeuf @ 2023-08-16 8:30 ` Borislav Petkov 2023-08-16 16:07 ` Josh Poimboeuf 0 siblings, 1 reply; 19+ messages in thread From: Borislav Petkov @ 2023-08-16 8:30 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Tue, Aug 15, 2023 at 02:27:51PM -0700, Josh Poimboeuf wrote: > How is that relevant to my comment? The bug bit still wouldn't get set > and srso_show_state() still wouldn't be called. Lemme explain how I see this working - it might help us get on the right track. And for comparison you can look at X86_FEATURE_BTC_NO too. * Something has set X86_FEATURE_SRSO_NO - hw or sw doesn't matter - because the machine is not affected. X86_BUG_SRSO doesn't get set and the mitigation detection is skipped. All good. * Nothing has set X86_FEATURE_SRSO_NO, mitigation detection runs and find that the kernel runs on a Zen1/2 with SMT disabled - we set X86_FEATURE_SRSO_NO. * Now X86_FEATURE_SRSO_NO is passed in by KVM to the guest and the above dance repeats. Now you. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-16 8:30 ` Borislav Petkov @ 2023-08-16 16:07 ` Josh Poimboeuf 2023-08-16 17:35 ` Borislav Petkov 0 siblings, 1 reply; 19+ messages in thread From: Josh Poimboeuf @ 2023-08-16 16:07 UTC (permalink / raw) To: Borislav Petkov; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Wed, Aug 16, 2023 at 10:30:57AM +0200, Borislav Petkov wrote: > On Tue, Aug 15, 2023 at 02:27:51PM -0700, Josh Poimboeuf wrote: > > How is that relevant to my comment? The bug bit still wouldn't get set > > and srso_show_state() still wouldn't be called. > > Lemme explain how I see this working - it might help us get on the right > track. And for comparison you can look at X86_FEATURE_BTC_NO too. > > * Something has set X86_FEATURE_SRSO_NO - hw or sw doesn't matter > - because the machine is not affected. X86_BUG_SRSO doesn't get set and > the mitigation detection is skipped. All good. In this case srso_show_state() is never called, so the following code can't run: + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) { + if (sched_smt_active()) + return sysfs_emit(buf, "Not affected\n"); > * Nothing has set X86_FEATURE_SRSO_NO, mitigation detection runs and > find that the kernel runs on a Zen1/2 with SMT disabled - we set > X86_FEATURE_SRSO_NO. In this case SMT is disabled, so the following code still can't run: + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) { + if (sched_smt_active()) + return sysfs_emit(buf, "Not affected\n"); So the above code never runs. See? -- Josh ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-16 16:07 ` Josh Poimboeuf @ 2023-08-16 17:35 ` Borislav Petkov 2023-08-16 18:29 ` Josh Poimboeuf 0 siblings, 1 reply; 19+ messages in thread From: Borislav Petkov @ 2023-08-16 17:35 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Wed, Aug 16, 2023 at 09:07:57AM -0700, Josh Poimboeuf wrote: > In this case srso_show_state() is never called, so the following code > can't run: > > + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) { > + if (sched_smt_active()) > + return sysfs_emit(buf, "Not affected\n"); Ofc it can. If something has set X86_FEATURE_SRSO_NO early, before the bug bits detection happens, then you get: $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Not affected > In this case SMT is disabled, so the following code still can't run: > > + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) { > + if (sched_smt_active()) > + return sysfs_emit(buf, "Not affected\n"); Yes, it runs in the above case where on some future hw which might have SRSO fixed, we'll set SRSO_NO. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-16 17:35 ` Borislav Petkov @ 2023-08-16 18:29 ` Josh Poimboeuf 2023-08-16 18:58 ` Borislav Petkov 0 siblings, 1 reply; 19+ messages in thread From: Josh Poimboeuf @ 2023-08-16 18:29 UTC (permalink / raw) To: Borislav Petkov; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Wed, Aug 16, 2023 at 07:35:31PM +0200, Borislav Petkov wrote: > On Wed, Aug 16, 2023 at 09:07:57AM -0700, Josh Poimboeuf wrote: > > In this case srso_show_state() is never called, so the following code > > can't run: > > > > + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) { > > + if (sched_smt_active()) > > + return sysfs_emit(buf, "Not affected\n"); > > Ofc it can. If something has set X86_FEATURE_SRSO_NO early, before the > bug bits detection happens, then you get: > > $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow > Not affected No, if the bug bit isn't set then that comes from cpu_show_common(): static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, char *buf, unsigned int bug) { if (!boot_cpu_has_bug(bug)) return sysfs_emit(buf, "Not affected\n"); -- Josh ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-16 18:29 ` Josh Poimboeuf @ 2023-08-16 18:58 ` Borislav Petkov 2023-08-17 9:07 ` Borislav Petkov 0 siblings, 1 reply; 19+ messages in thread From: Borislav Petkov @ 2023-08-16 18:58 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Wed, Aug 16, 2023 at 11:29:40AM -0700, Josh Poimboeuf wrote: > No, if the bug bit isn't set then that comes from cpu_show_common(): > > static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, > char *buf, unsigned int bug) > { > if (!boot_cpu_has_bug(bug)) > return sysfs_emit(buf, "Not affected\n"); Bah, there was that thing too. Ok, I'll zap the sched_smt_active() branch in srso_show_state() then. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-16 18:58 ` Borislav Petkov @ 2023-08-17 9:07 ` Borislav Petkov 2023-08-17 14:54 ` Josh Poimboeuf 0 siblings, 1 reply; 19+ messages in thread From: Borislav Petkov @ 2023-08-17 9:07 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML From: "Borislav Petkov (AMD)" <bp@alien8.de> Date: Tue, 15 Aug 2023 11:53:13 +0200 Subject: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled Specify how is SRSO mitigated when SMT is disabled. Also, correct the SMT check for that. Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations") Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble --- arch/x86/kernel/cpu/bugs.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 9026e3fe9f6c..f081d26616ac 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2428,8 +2428,7 @@ static void __init srso_select_mitigation(void) * Zen1/2 with SMT off aren't vulnerable after the right * IBPB microcode has been applied. */ - if ((boot_cpu_data.x86 < 0x19) && - (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) { + if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) { setup_force_cpu_cap(X86_FEATURE_SRSO_NO); return; } @@ -2714,7 +2713,7 @@ static ssize_t retbleed_show_state(char *buf) static ssize_t srso_show_state(char *buf) { if (boot_cpu_has(X86_FEATURE_SRSO_NO)) - return sysfs_emit(buf, "Not affected\n"); + return sysfs_emit(buf, "Mitigation: SMT disabled\n"); return sysfs_emit(buf, "%s%s\n", srso_strings[srso_mitigation], -- 2.42.0.rc0.25.ga82fb66fed25 -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-17 9:07 ` Borislav Petkov @ 2023-08-17 14:54 ` Josh Poimboeuf 0 siblings, 0 replies; 19+ messages in thread From: Josh Poimboeuf @ 2023-08-17 14:54 UTC (permalink / raw) To: Borislav Petkov; +Cc: Nikolay Borisov, X86 ML, Josh Poimboeuf, LKML On Thu, Aug 17, 2023 at 11:07:27AM +0200, Borislav Petkov wrote: > From: "Borislav Petkov (AMD)" <bp@alien8.de> > Date: Tue, 15 Aug 2023 11:53:13 +0200 > Subject: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled > > Specify how is SRSO mitigated when SMT is disabled. Also, correct the > SMT check for that. > > Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations") > Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org> > Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> > Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble Acked-by: Josh Poimboeuf <jpoimboe@kernel.org> -- Josh ^ permalink raw reply [flat|nested] 19+ messages in thread
* [tip: x86/urgent] x86/srso: Correct the mitigation status when SMT is disabled 2023-08-14 20:08 ` Josh Poimboeuf 2023-08-14 20:25 ` Borislav Petkov @ 2023-08-18 10:59 ` tip-bot2 for Borislav Petkov (AMD) 1 sibling, 0 replies; 19+ messages in thread From: tip-bot2 for Borislav Petkov (AMD) @ 2023-08-18 10:59 UTC (permalink / raw) To: linux-tip-commits Cc: Josh Poimboeuf, Borislav Petkov (AMD), x86, linux-kernel The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 6405b72e8d17bd1875a56ae52d23ec3cd51b9d66 Gitweb: https://git.kernel.org/tip/6405b72e8d17bd1875a56ae52d23ec3cd51b9d66 Author: Borislav Petkov (AMD) <bp@alien8.de> AuthorDate: Tue, 15 Aug 2023 11:53:13 +02:00 Committer: Borislav Petkov (AMD) <bp@alien8.de> CommitterDate: Fri, 18 Aug 2023 12:43:10 +02:00 x86/srso: Correct the mitigation status when SMT is disabled Specify how is SRSO mitigated when SMT is disabled. Also, correct the SMT check for that. Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations") Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Acked-by: Josh Poimboeuf <jpoimboe@kernel.org> Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble --- arch/x86/kernel/cpu/bugs.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 9026e3f..f081d26 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2428,8 +2428,7 @@ static void __init srso_select_mitigation(void) * Zen1/2 with SMT off aren't vulnerable after the right * IBPB microcode has been applied. */ - if ((boot_cpu_data.x86 < 0x19) && - (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) { + if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) { setup_force_cpu_cap(X86_FEATURE_SRSO_NO); return; } @@ -2714,7 +2713,7 @@ static ssize_t retbleed_show_state(char *buf) static ssize_t srso_show_state(char *buf) { if (boot_cpu_has(X86_FEATURE_SRSO_NO)) - return sysfs_emit(buf, "Not affected\n"); + return sysfs_emit(buf, "Mitigation: SMT disabled\n"); return sysfs_emit(buf, "%s%s\n", srso_strings[srso_mitigation], ^ permalink raw reply related [flat|nested] 19+ messages in thread
* [tip: x86/urgent] x86/srso: Disable the mitigation on unaffected configurations 2023-08-13 10:45 [PATCH] x86/srso: Disable the mitigation on unaffected configurations Borislav Petkov 2023-08-14 6:39 ` Nikolay Borisov @ 2023-08-14 9:37 ` tip-bot2 for Borislav Petkov (AMD) 1 sibling, 0 replies; 19+ messages in thread From: tip-bot2 for Borislav Petkov (AMD) @ 2023-08-14 9:37 UTC (permalink / raw) To: linux-tip-commits; +Cc: Borislav Petkov (AMD), x86, linux-kernel The following commit has been merged into the x86/urgent branch of tip: Commit-ID: e9fbc47b818b964ddff5df5b2d5c0f5f32f4a147 Gitweb: https://git.kernel.org/tip/e9fbc47b818b964ddff5df5b2d5c0f5f32f4a147 Author: Borislav Petkov (AMD) <bp@alien8.de> AuthorDate: Sun, 13 Aug 2023 12:39:34 +02:00 Committer: Borislav Petkov (AMD) <bp@alien8.de> CommitterDate: Mon, 14 Aug 2023 11:28:51 +02:00 x86/srso: Disable the mitigation on unaffected configurations Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT disabled and with the proper microcode applied (latter should be the case anyway) as those are not affected. Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection") Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Link: https://lore.kernel.org/r/20230813104517.3346-1-bp@alien8.de --- arch/x86/kernel/cpu/bugs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d02f73c..6c04aef 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -2418,8 +2418,10 @@ static void __init srso_select_mitigation(void) * IBPB microcode has been applied. */ if ((boot_cpu_data.x86 < 0x19) && - (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) + (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) { setup_force_cpu_cap(X86_FEATURE_SRSO_NO); + return; + } } if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) { @@ -2696,6 +2698,9 @@ static ssize_t retbleed_show_state(char *buf) static ssize_t srso_show_state(char *buf) { + if (boot_cpu_has(X86_FEATURE_SRSO_NO)) + return sysfs_emit(buf, "Not affected\n"); + return sysfs_emit(buf, "%s%s\n", srso_strings[srso_mitigation], (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode")); ^ permalink raw reply related [flat|nested] 19+ messages in thread
end of thread, other threads:[~2023-08-18 11:00 UTC | newest] Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-08-13 10:45 [PATCH] x86/srso: Disable the mitigation on unaffected configurations Borislav Petkov 2023-08-14 6:39 ` Nikolay Borisov 2023-08-14 20:08 ` Josh Poimboeuf 2023-08-14 20:25 ` Borislav Petkov 2023-08-14 20:53 ` Josh Poimboeuf 2023-08-14 21:17 ` Borislav Petkov 2023-08-15 9:57 ` [PATCH] x86/srso: Correct the mitigation status when SMT is disabled Borislav Petkov 2023-08-15 19:58 ` Josh Poimboeuf 2023-08-15 20:17 ` Borislav Petkov 2023-08-15 21:27 ` Josh Poimboeuf 2023-08-16 8:30 ` Borislav Petkov 2023-08-16 16:07 ` Josh Poimboeuf 2023-08-16 17:35 ` Borislav Petkov 2023-08-16 18:29 ` Josh Poimboeuf 2023-08-16 18:58 ` Borislav Petkov 2023-08-17 9:07 ` Borislav Petkov 2023-08-17 14:54 ` Josh Poimboeuf 2023-08-18 10:59 ` [tip: x86/urgent] " tip-bot2 for Borislav Petkov (AMD) 2023-08-14 9:37 ` [tip: x86/urgent] x86/srso: Disable the mitigation on unaffected configurations tip-bot2 for Borislav Petkov (AMD)
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).