[PATCH] x86/srso: Disable the mitigation on unaffected configurations

[PATCH] x86/srso: Disable the mitigation on unaffected configurations

[Borislav Petkov]

From: "Borislav Petkov (AMD)" <bp@alien8.de>

Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT
disabled and with the proper microcode applied (latter should be the
case anyway) as those are not affected.

Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection")
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
---
 arch/x86/kernel/cpu/bugs.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index d02f73c5339d..8959a1b9fb80 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2418,8 +2418,10 @@ static void __init srso_select_mitigation(void)
 		 * IBPB microcode has been applied.
 		 */
 		if ((boot_cpu_data.x86 < 0x19) &&
-		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED)))
+		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
 			setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
+			goto pred_cmd;
+		}
 	}
 
 	if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
@@ -2696,6 +2698,9 @@ static ssize_t retbleed_show_state(char *buf)
 
 static ssize_t srso_show_state(char *buf)
 {
+	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
+		return sysfs_emit(buf, "Not affected\n");
+
 	return sysfs_emit(buf, "%s%s\n",
 			  srso_strings[srso_mitigation],
 			  (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode"));
-- 
2.42.0.rc0.25.ga82fb66fed25

Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations

[Nikolay Borisov]

On 13.08.23 г. 13:45 ч., Borislav Petkov wrote:
> From: "Borislav Petkov (AMD)" <bp@alien8.de>
> 
> Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT
> disabled and with the proper microcode applied (latter should be the
> case anyway) as those are not affected.
> 
> Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection")
> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
> ---
>   arch/x86/kernel/cpu/bugs.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index d02f73c5339d..8959a1b9fb80 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -2418,8 +2418,10 @@ static void __init srso_select_mitigation(void)
>   		 * IBPB microcode has been applied.
>   		 */
>   		if ((boot_cpu_data.x86 < 0x19) &&
> -		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED)))
> +		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
>   			setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
> +			goto pred_cmd;

Actually can't you simply return, given that zen1/2 never have the SBPB 
flag set? Only zen3/4 with the updated microcode?


> +		}
>   	}
>   
>   	if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
> @@ -2696,6 +2698,9 @@ static ssize_t retbleed_show_state(char *buf)
>   
>   static ssize_t srso_show_state(char *buf)
>   {
> +	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
> +		return sysfs_emit(buf, "Not affected\n");
> +
>   	return sysfs_emit(buf, "%s%s\n",
>   			  srso_strings[srso_mitigation],
>   			  (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode"));

[tip: x86/urgent] x86/srso: Disable the mitigation on unaffected configurations

[tip-bot2 for Borislav Petkov (AMD)]

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     e9fbc47b818b964ddff5df5b2d5c0f5f32f4a147
Gitweb:        https://git.kernel.org/tip/e9fbc47b818b964ddff5df5b2d5c0f5f32f4a147
Author:        Borislav Petkov (AMD) <bp@alien8.de>
AuthorDate:    Sun, 13 Aug 2023 12:39:34 +02:00
Committer:     Borislav Petkov (AMD) <bp@alien8.de>
CommitterDate: Mon, 14 Aug 2023 11:28:51 +02:00

x86/srso: Disable the mitigation on unaffected configurations

Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT
disabled and with the proper microcode applied (latter should be the
case anyway) as those are not affected.

Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection")
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20230813104517.3346-1-bp@alien8.de
---
 arch/x86/kernel/cpu/bugs.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index d02f73c..6c04aef 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2418,8 +2418,10 @@ static void __init srso_select_mitigation(void)
 		 * IBPB microcode has been applied.
 		 */
 		if ((boot_cpu_data.x86 < 0x19) &&
-		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED)))
+		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
 			setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
+			return;
+		}
 	}
 
 	if (retbleed_mitigation == RETBLEED_MITIGATION_IBPB) {
@@ -2696,6 +2698,9 @@ static ssize_t retbleed_show_state(char *buf)
 
 static ssize_t srso_show_state(char *buf)
 {
+	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
+		return sysfs_emit(buf, "Not affected\n");
+
 	return sysfs_emit(buf, "%s%s\n",
 			  srso_strings[srso_mitigation],
 			  (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode"));

Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations

[Josh Poimboeuf]

On Mon, Aug 14, 2023 at 09:39:11AM +0300, Nikolay Borisov wrote:
> 
> 
> On 13.08.23 г. 13:45 ч., Borislav Petkov wrote:
> > From: "Borislav Petkov (AMD)" <bp@alien8.de>
> > 
> > Skip the srso cmd line parsing which is not needed on Zen1/2 with SMT
> > disabled and with the proper microcode applied (latter should be the
> > case anyway) as those are not affected.
> > 
> > Fixes: 5a15d8348881 ("x86/srso: Tie SBPB bit setting to microcode patch detection")
> > Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
> > ---
> >   arch/x86/kernel/cpu/bugs.c | 7 ++++++-
> >   1 file changed, 6 insertions(+), 1 deletion(-)
> > 
> > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> > index d02f73c5339d..8959a1b9fb80 100644
> > --- a/arch/x86/kernel/cpu/bugs.c
> > +++ b/arch/x86/kernel/cpu/bugs.c
> > @@ -2418,8 +2418,10 @@ static void __init srso_select_mitigation(void)
> >   		 * IBPB microcode has been applied.
> >   		 */
> >   		if ((boot_cpu_data.x86 < 0x19) &&
> > -		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED)))
> > +		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
> >   			setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
> > +			goto pred_cmd;
> 
> Actually can't you simply return, given that zen1/2 never have the SBPB flag
> set? Only zen3/4 with the updated microcode?

Tangentially, the 'cpu_smt_control == CPU_SMT_DISABLED' check is wrong,
as SMT could still get enabled at runtime and SRSO would be exposed.

Also is there a reason to re-use the hardware SRSO_NO bit rather than
clear the bug bit?  That seems cleaner, then you wouldn't need this
hack:

> > +	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
> > +		return sysfs_emit(buf, "Not affected\n");
> > +

-- 
Josh

Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations

[Borislav Petkov]

On Mon, Aug 14, 2023 at 01:08:13PM -0700, Josh Poimboeuf wrote:
> Tangentially, the 'cpu_smt_control == CPU_SMT_DISABLED' check is wrong,
> as SMT could still get enabled at runtime and SRSO would be exposed.

Well, even if it gets exposed, I don't think we can safely enable the
mitigation at runtime as alternatives have run already.

I guess I could use CPU_SMT_FORCE_DISABLED here.

> Also is there a reason to re-use the hardware SRSO_NO bit

Not a hardware bit - this is set by software - it is only allocated in
the CPUID leaf for easier interaction with guests.

> rather than clear the bug bit? 

We don't clear the X86_BUGs. Ever. The logic is that if the CPU matches
an affected CPU, that flag remains to show that it is potentially
affected.

/sys/devices/system/cpu/vulnerabilities/ tells you what the actual state
is.

> That seems cleaner, then you wouldn't need this hack:

Not a hack. This is just like the other "not affected" feature flags.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations

[Josh Poimboeuf]

On Mon, Aug 14, 2023 at 10:25:45PM +0200, Borislav Petkov wrote:
> On Mon, Aug 14, 2023 at 01:08:13PM -0700, Josh Poimboeuf wrote:
> > Tangentially, the 'cpu_smt_control == CPU_SMT_DISABLED' check is wrong,
> > as SMT could still get enabled at runtime and SRSO would be exposed.
> 
> Well, even if it gets exposed, I don't think we can safely enable the
> mitigation at runtime as alternatives have run already.

Right, I wasn't suggesting to enable the mitigation at runtime.  Rather,
enable the mitigation at boot time, if SMT is even possible.  That's
what we've done for other mitigations.  Better safe than sorry.

> I guess I could use CPU_SMT_FORCE_DISABLED here.

cpu_smt_possible() already does that.

> > Also is there a reason to re-use the hardware SRSO_NO bit
> 
> Not a hardware bit - this is set by software - it is only allocated in
> the CPUID leaf for easier interaction with guests.

2. ENUMERATION OF NEW CAPABILITIES
AMD is defining three new CPUID bits to assist with the enumeration of capabilities related to SRSO:
CPUID Fn8000_0021_EAX[29] (SRSO_NO) – If this bit is 1, it indicates the CPU is not subject to the SRSO
vulnerability.
CPUID Fn8000_0021_EAX[28] (IBPB_BRTYPE) – If this bit is 1, it indicates that MSR 49h (PRED_CMD) bit 0
(IBPB) flushes all branch type predictions from the CPU branch predictor.
CPUID Fn8000_0021_EAX[27] (SBPB)

> > rather than clear the bug bit? 
> 
> We don't clear the X86_BUGs. Ever. The logic is that if the CPU matches
> an affected CPU, that flag remains to show that it is potentially
> affected.

Hm, ok.  I thought that was the point of the vulnerabilities file.

> /sys/devices/system/cpu/vulnerabilities/ tells you what the actual state
> is.

Since technically the CPU is affected, I'm thinking it should say
"Mitigation: SMT disabled" or such, instead of "Not affected".

> > That seems cleaner, then you wouldn't need this hack:
> 
> Not a hack. This is just like the other "not affected" feature flags.

Hm?  You mean the *_NO ones that determine whether the BUG bits get set
in the first place?  How do they print "Not affected"?

-- 
Josh

Re: [PATCH] x86/srso: Disable the mitigation on unaffected configurations

[Borislav Petkov]

On Mon, Aug 14, 2023 at 01:53:00PM -0700, Josh Poimboeuf wrote:
> cpu_smt_possible() already does that.

Ok.

> 2. ENUMERATION OF NEW CAPABILITIES

Yes, exactly. On the next page: "Hypervisor software should
synthesize... " I got confused initially too.

> Since technically the CPU is affected, I'm thinking it should say
> "Mitigation: SMT disabled" or such, instead of "Not affected".

Lemme see how ugly it becomes tomorrow.

> Hm?  You mean the *_NO ones that determine whether the BUG bits get set
> in the first place?  How do they print "Not affected"?

If SMT is disabled on those configurations, it is not affected. But ok,
"SMT disabled".

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

[PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Borislav Petkov]

On Mon, Aug 14, 2023 at 11:17:27PM +0200, Borislav Petkov wrote:
> Lemme see how ugly it becomes tomorrow.

Not too bad, considering bugs.c's ugliness.

From: "Borislav Petkov (AMD)" <bp@alien8.de>
Date: Tue, 15 Aug 2023 11:53:13 +0200
Subject: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

Specify how is SRSO mitigated when SMT is disabled. Also, correct the
SMT check for that.

Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations")
Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
---
 arch/x86/kernel/cpu/bugs.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 6c04aef4b63b..dc8f874fdd63 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2417,8 +2417,7 @@ static void __init srso_select_mitigation(void)
 		 * Zen1/2 with SMT off aren't vulnerable after the right
 		 * IBPB microcode has been applied.
 		 */
-		if ((boot_cpu_data.x86 < 0x19) &&
-		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
+		if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
 			setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
 			return;
 		}
@@ -2698,8 +2697,12 @@ static ssize_t retbleed_show_state(char *buf)
 
 static ssize_t srso_show_state(char *buf)
 {
-	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
-		return sysfs_emit(buf, "Not affected\n");
+	if (boot_cpu_has(X86_FEATURE_SRSO_NO)) {
+		if (sched_smt_active())
+			return sysfs_emit(buf, "Not affected\n");
+		else
+			return sysfs_emit(buf, "Mitigation: SMT disabled\n");
+	}
 
 	return sysfs_emit(buf, "%s%s\n",
 			  srso_strings[srso_mitigation],
-- 
2.42.0.rc0.25.ga82fb66fed25

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Josh Poimboeuf]

On Tue, Aug 15, 2023 at 11:57:24AM +0200, Borislav Petkov wrote:
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -2417,8 +2417,7 @@ static void __init srso_select_mitigation(void)
>  		 * Zen1/2 with SMT off aren't vulnerable after the right
>  		 * IBPB microcode has been applied.
>  		 */
> -		if ((boot_cpu_data.x86 < 0x19) &&
> -		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
> +		if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
>  			setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
>  			return;
>  		}
> @@ -2698,8 +2697,12 @@ static ssize_t retbleed_show_state(char *buf)
>  
>  static ssize_t srso_show_state(char *buf)
>  {
> -	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
> -		return sysfs_emit(buf, "Not affected\n");
> +	if (boot_cpu_has(X86_FEATURE_SRSO_NO)) {
> +		if (sched_smt_active())
> +			return sysfs_emit(buf, "Not affected\n");
> +		else
> +			return sysfs_emit(buf, "Mitigation: SMT disabled\n");
> +	}

AFAICT, nowhere in the spec does it say the SRSO_NO bit won't get set by
future (fixed) HW.  In fact I'd expect it will, similar to other *_NO
flags.

Regardless, here SRSO_NO seems to mean two different things: "reported
safe by host (or HW)" and "not reported safe on Zen1/2 with SMT not
possible".

Also, in this code, the SRSO_NO+SMT combo doesn't seem logically
possible, as srso_show_state() only gets called if X86_BUG_SRSO is set,
which only happens if SRSO_NO is not set by the HW/host in the first
place.  So here, if boot_cpu_has(X86_FEATURE_SRSO_NO), it means SRSO_NO
was manually set by srso_select_mitigation(), and SMT can't possibly be
enabled.

Instead of piggybacking on SRSO_NO, which is confusing, why not just add
a new mitigation type, like:

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 6c04aef4b63b..c925b98f5a15 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2343,6 +2343,7 @@ early_param("l1tf", l1tf_cmdline);
 enum srso_mitigation {
 	SRSO_MITIGATION_NONE,
 	SRSO_MITIGATION_MICROCODE,
+	SRSO_MITIGATION_SMT,
 	SRSO_MITIGATION_SAFE_RET,
 	SRSO_MITIGATION_IBPB,
 	SRSO_MITIGATION_IBPB_ON_VMEXIT,
@@ -2359,6 +2360,7 @@ enum srso_mitigation_cmd {
 static const char * const srso_strings[] = {
 	[SRSO_MITIGATION_NONE]           = "Vulnerable",
 	[SRSO_MITIGATION_MICROCODE]      = "Mitigation: microcode",
+	[SRSO_MITIGATION_SMT]		 = "Mitigation: SMT disabled",
 	[SRSO_MITIGATION_SAFE_RET]	 = "Mitigation: safe RET",
 	[SRSO_MITIGATION_IBPB]		 = "Mitigation: IBPB",
 	[SRSO_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT only"
@@ -2407,19 +2409,15 @@ static void __init srso_select_mitigation(void)
 		pr_warn("IBPB-extending microcode not applied!\n");
 		pr_warn(SRSO_NOTICE);
 	} else {
-		/*
-		 * Enable the synthetic (even if in a real CPUID leaf)
-		 * flags for guests.
-		 */
+		/* Enable the synthetic flag, as HW doesn't set it. */
 		setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
 
 		/*
 		 * Zen1/2 with SMT off aren't vulnerable after the right
 		 * IBPB microcode has been applied.
 		 */
-		if ((boot_cpu_data.x86 < 0x19) &&
-		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
-			setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
+		if ((boot_cpu_data.x86 < 0x19) && !cpu_smt_possible()) {
+			srso_mitigation = SRSO_MITIGATION_SMT;
 			return;
 		}
 	}
@@ -2698,9 +2696,6 @@ static ssize_t retbleed_show_state(char *buf)
 
 static ssize_t srso_show_state(char *buf)
 {
-	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
-		return sysfs_emit(buf, "Not affected\n");
-
 	return sysfs_emit(buf, "%s%s\n",
 			  srso_strings[srso_mitigation],
 			  (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode"));

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Borislav Petkov]

On Tue, Aug 15, 2023 at 12:58:31PM -0700, Josh Poimboeuf wrote:
> AFAICT, nowhere in the spec does it say the SRSO_NO bit won't get set by
> future (fixed) HW.  In fact I'd expect it will, similar to other *_NO
> flags.

I'm pretty sure it won't.

SRSO_NO is synthesized by the hypervisor *software*. Nothing else.

It is there so that you don't check microcode version in the guest which
is nearly impossible anyway.

> Regardless, here SRSO_NO seems to mean two different things: "reported
> safe by host (or HW)" and "not reported safe on Zen1/2 with SMT not
> possible".

Huh?

> Also, in this code, the SRSO_NO+SMT combo doesn't seem logically
> possible, as srso_show_state() only gets called if X86_BUG_SRSO is set,
> which only happens if SRSO_NO is not set by the HW/host in the first
> place.  So here, if boot_cpu_has(X86_FEATURE_SRSO_NO), it means SRSO_NO
> was manually set by srso_select_mitigation(), and SMT can't possibly be
> enabled.

Have you considered the case where Linux would set SRSO_NO when booting
on future hardware, which is fixed?

There SRSO_NO and SMT will very much be possible.

> Instead of piggybacking on SRSO_NO, which is confusing, why not just add
> a new mitigation type, like:

I had a separate mitigation defintion but then realized I don't need it
because, well, it is not really a mitigation - it is a case where the
machine is not affected.

For example, I have a Zen2 laptop here with SMT disabled in the hardware
which is also not affected.

And also, the rest of the SMT disabled cases in bugs.c do check
sched_smt_active() too, without having a separate mitigation.

That's why.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Josh Poimboeuf]

On Tue, Aug 15, 2023 at 10:17:53PM +0200, Borislav Petkov wrote:
> On Tue, Aug 15, 2023 at 12:58:31PM -0700, Josh Poimboeuf wrote:
> > AFAICT, nowhere in the spec does it say the SRSO_NO bit won't get set by
> > future (fixed) HW.  In fact I'd expect it will, similar to other *_NO
> > flags.
> 
> I'm pretty sure it won't.
> 
> SRSO_NO is synthesized by the hypervisor *software*. Nothing else.

Citation needed.

> It is there so that you don't check microcode version in the guest which
> is nearly impossible anyway.
> 
> > Regardless, here SRSO_NO seems to mean two different things: "reported
> > safe by host (or HW)" and "not reported safe on Zen1/2 with SMT not
> > possible".
> 
> Huh?

Can you clarify what doesn't make sense?

> > Also, in this code, the SRSO_NO+SMT combo doesn't seem logically
> > possible, as srso_show_state() only gets called if X86_BUG_SRSO is set,
> > which only happens if SRSO_NO is not set by the HW/host in the first
> > place.  So here, if boot_cpu_has(X86_FEATURE_SRSO_NO), it means SRSO_NO
> > was manually set by srso_select_mitigation(), and SMT can't possibly be
> > enabled.
> 
> Have you considered the case where Linux would set SRSO_NO when booting
> on future hardware, which is fixed?
> 
> There SRSO_NO and SMT will very much be possible.

How is that relevant to my comment?  The bug bit still wouldn't get set
and srso_show_state() still wouldn't be called.

-- 
Josh

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Borislav Petkov]

On Tue, Aug 15, 2023 at 02:27:51PM -0700, Josh Poimboeuf wrote:
> How is that relevant to my comment?  The bug bit still wouldn't get set
> and srso_show_state() still wouldn't be called.

Lemme explain how I see this working - it might help us get on the right
track. And for comparison you can look at X86_FEATURE_BTC_NO too.

* Something has set X86_FEATURE_SRSO_NO - hw or sw doesn't matter
- because the machine is not affected. X86_BUG_SRSO doesn't get set and
  the mitigation detection is skipped. All good.

* Nothing has set X86_FEATURE_SRSO_NO, mitigation detection runs and
find that the kernel runs on a Zen1/2 with SMT disabled - we set
X86_FEATURE_SRSO_NO.

* Now X86_FEATURE_SRSO_NO is passed in by KVM to the guest and the above
dance repeats.

Now you.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Josh Poimboeuf]

On Wed, Aug 16, 2023 at 10:30:57AM +0200, Borislav Petkov wrote:
> On Tue, Aug 15, 2023 at 02:27:51PM -0700, Josh Poimboeuf wrote:
> > How is that relevant to my comment?  The bug bit still wouldn't get set
> > and srso_show_state() still wouldn't be called.
> 
> Lemme explain how I see this working - it might help us get on the right
> track. And for comparison you can look at X86_FEATURE_BTC_NO too.
> 
> * Something has set X86_FEATURE_SRSO_NO - hw or sw doesn't matter
> - because the machine is not affected. X86_BUG_SRSO doesn't get set and
>   the mitigation detection is skipped. All good.

In this case srso_show_state() is never called, so the following code
can't run:

+	if (boot_cpu_has(X86_FEATURE_SRSO_NO)) {
+		if (sched_smt_active())
+			return sysfs_emit(buf, "Not affected\n");

> * Nothing has set X86_FEATURE_SRSO_NO, mitigation detection runs and
> find that the kernel runs on a Zen1/2 with SMT disabled - we set
> X86_FEATURE_SRSO_NO.

In this case SMT is disabled, so the following code still can't run:

+	if (boot_cpu_has(X86_FEATURE_SRSO_NO)) {
+		if (sched_smt_active())
+			return sysfs_emit(buf, "Not affected\n");


So the above code never runs.

See?

-- 
Josh

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Borislav Petkov]

On Wed, Aug 16, 2023 at 09:07:57AM -0700, Josh Poimboeuf wrote:
> In this case srso_show_state() is never called, so the following code
> can't run:
> 
> +	if (boot_cpu_has(X86_FEATURE_SRSO_NO)) {
> +		if (sched_smt_active())
> +			return sysfs_emit(buf, "Not affected\n");

Ofc it can. If something has set X86_FEATURE_SRSO_NO early, before the
bug bits detection happens, then you get:

$ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
Not affected

> In this case SMT is disabled, so the following code still can't run:
> 
> +	if (boot_cpu_has(X86_FEATURE_SRSO_NO)) {
> +		if (sched_smt_active())
> +			return sysfs_emit(buf, "Not affected\n");

Yes, it runs in the above case where on some future hw which might have
SRSO fixed, we'll set SRSO_NO.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Josh Poimboeuf]

On Wed, Aug 16, 2023 at 07:35:31PM +0200, Borislav Petkov wrote:
> On Wed, Aug 16, 2023 at 09:07:57AM -0700, Josh Poimboeuf wrote:
> > In this case srso_show_state() is never called, so the following code
> > can't run:
> > 
> > +	if (boot_cpu_has(X86_FEATURE_SRSO_NO)) {
> > +		if (sched_smt_active())
> > +			return sysfs_emit(buf, "Not affected\n");
> 
> Ofc it can. If something has set X86_FEATURE_SRSO_NO early, before the
> bug bits detection happens, then you get:
> 
> $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
> Not affected

No, if the bug bit isn't set then that comes from cpu_show_common():

static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
			       char *buf, unsigned int bug)
{
	if (!boot_cpu_has_bug(bug))
		return sysfs_emit(buf, "Not affected\n");

-- 
Josh

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Borislav Petkov]

On Wed, Aug 16, 2023 at 11:29:40AM -0700, Josh Poimboeuf wrote:
> No, if the bug bit isn't set then that comes from cpu_show_common():
> 
> static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
> 			       char *buf, unsigned int bug)
> {
> 	if (!boot_cpu_has_bug(bug))
> 		return sysfs_emit(buf, "Not affected\n");

Bah, there was that thing too.

Ok, I'll zap the sched_smt_active() branch in srso_show_state() then.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Borislav Petkov]

From: "Borislav Petkov (AMD)" <bp@alien8.de>
Date: Tue, 15 Aug 2023 11:53:13 +0200
Subject: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

Specify how is SRSO mitigated when SMT is disabled. Also, correct the
SMT check for that.

Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations")
Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble
---
 arch/x86/kernel/cpu/bugs.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 9026e3fe9f6c..f081d26616ac 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2428,8 +2428,7 @@ static void __init srso_select_mitigation(void)
 		 * Zen1/2 with SMT off aren't vulnerable after the right
 		 * IBPB microcode has been applied.
 		 */
-		if ((boot_cpu_data.x86 < 0x19) &&
-		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
+		if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
 			setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
 			return;
 		}
@@ -2714,7 +2713,7 @@ static ssize_t retbleed_show_state(char *buf)
 static ssize_t srso_show_state(char *buf)
 {
 	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
-		return sysfs_emit(buf, "Not affected\n");
+		return sysfs_emit(buf, "Mitigation: SMT disabled\n");
 
 	return sysfs_emit(buf, "%s%s\n",
 			  srso_strings[srso_mitigation],
-- 
2.42.0.rc0.25.ga82fb66fed25

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled

[Josh Poimboeuf]

On Thu, Aug 17, 2023 at 11:07:27AM +0200, Borislav Petkov wrote:
> From: "Borislav Petkov (AMD)" <bp@alien8.de>
> Date: Tue, 15 Aug 2023 11:53:13 +0200
> Subject: [PATCH] x86/srso: Correct the mitigation status when SMT is disabled
> 
> Specify how is SRSO mitigated when SMT is disabled. Also, correct the
> SMT check for that.
> 
> Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations")
> Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org>
> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
> Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble

Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>

-- 
Josh

[tip: x86/urgent] x86/srso: Correct the mitigation status when SMT is disabled

[tip-bot2 for Borislav Petkov (AMD)]

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     6405b72e8d17bd1875a56ae52d23ec3cd51b9d66
Gitweb:        https://git.kernel.org/tip/6405b72e8d17bd1875a56ae52d23ec3cd51b9d66
Author:        Borislav Petkov (AMD) <bp@alien8.de>
AuthorDate:    Tue, 15 Aug 2023 11:53:13 +02:00
Committer:     Borislav Petkov (AMD) <bp@alien8.de>
CommitterDate: Fri, 18 Aug 2023 12:43:10 +02:00

x86/srso: Correct the mitigation status when SMT is disabled

Specify how is SRSO mitigated when SMT is disabled. Also, correct the
SMT check for that.

Fixes: e9fbc47b818b ("x86/srso: Disable the mitigation on unaffected configurations")
Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble
---
 arch/x86/kernel/cpu/bugs.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 9026e3f..f081d26 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -2428,8 +2428,7 @@ static void __init srso_select_mitigation(void)
 		 * Zen1/2 with SMT off aren't vulnerable after the right
 		 * IBPB microcode has been applied.
 		 */
-		if ((boot_cpu_data.x86 < 0x19) &&
-		    (!cpu_smt_possible() || (cpu_smt_control == CPU_SMT_DISABLED))) {
+		if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
 			setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
 			return;
 		}
@@ -2714,7 +2713,7 @@ static ssize_t retbleed_show_state(char *buf)
 static ssize_t srso_show_state(char *buf)
 {
 	if (boot_cpu_has(X86_FEATURE_SRSO_NO))
-		return sysfs_emit(buf, "Not affected\n");
+		return sysfs_emit(buf, "Mitigation: SMT disabled\n");
 
 	return sysfs_emit(buf, "%s%s\n",
 			  srso_strings[srso_mitigation],