|
@@ -256,7 +256,9 @@ enum spectre_v2_user_cmd {
|
|
|
SPECTRE_V2_USER_CMD_AUTO,
|
|
|
SPECTRE_V2_USER_CMD_FORCE,
|
|
|
SPECTRE_V2_USER_CMD_PRCTL,
|
|
|
+ SPECTRE_V2_USER_CMD_PRCTL_IBPB,
|
|
|
SPECTRE_V2_USER_CMD_SECCOMP,
|
|
|
+ SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
|
|
|
};
|
|
|
|
|
|
static const char * const spectre_v2_user_strings[] = {
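Review bot: The two new enumerators `SPECTRE_V2_USER_CMD_PRCTL_IBPB` and `SPECTRE_V2_USER_CMD_SECCOMP_IBPB` carry no comment saying how they differ from the plain `PRCTL`/`SECCOMP` commands, and the difference is only visible much further down in the IBPB selection switch. A one-line comment on each would make the enum self-explanatory, e.g. `/* prctl mode, but IBPB always on instead of conditional */` and the seccomp equivalent. The enum definition starts before this hunk.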
|
|
@@ -271,11 +273,13 @@ static const struct {
|
|
|
enum spectre_v2_user_cmd cmd;
|
|
|
bool secure;
|
|
|
} v2_user_options[] __initdata = {
|
|
|
- { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
|
|
|
- { "off", SPECTRE_V2_USER_CMD_NONE, false },
|
|
|
- { "on", SPECTRE_V2_USER_CMD_FORCE, true },
|
|
|
- { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
|
|
|
- { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
|
|
|
+ { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
|
|
|
+ { "off", SPECTRE_V2_USER_CMD_NONE, false },
|
|
|
+ { "on", SPECTRE_V2_USER_CMD_FORCE, true },
|
|
|
+ { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
|
|
|
+ { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false },
|
|
|
+ { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
|
|
|
+ { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false },
|
|
|
};
|
|
|
|
|
|
static void __init spec_v2_user_print_cond(const char *reason, bool secure)
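Review bot: Five unchanged table rows (`auto`, `off`, `on`, `prctl`, `seccomp`) are removed and re-added only to realign the initializers after the longer `"seccomp,ibpb"` key, which blames every row to this commit and hides that the two new rows are the only real change. Either keep the existing column alignment or move the reformatting into a separate whitespace-only patch. The `secure` flag of the new rows is `false`, consistent with the existing `prctl` and `seccomp` rows, where `on` is the only entry marked secure.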
|
|
@@ -321,6 +325,7 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
|
|
|
{
|
|
|
enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
|
|
|
bool smt_possible = IS_ENABLED(CONFIG_SMP);
|
|
|
+ enum spectre_v2_user_cmd cmd;
|
|
|
|
|
|
if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
|
|
|
return;
|
|
@@ -329,17 +334,20 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
|
|
|
cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
|
|
|
smt_possible = false;
|
|
|
|
|
|
- switch (spectre_v2_parse_user_cmdline(v2_cmd)) {
|
|
|
+ cmd = spectre_v2_parse_user_cmdline(v2_cmd);
|
|
|
+ switch (cmd) {
|
|
|
case SPECTRE_V2_USER_CMD_NONE:
|
|
|
goto set_mode;
|
|
|
case SPECTRE_V2_USER_CMD_FORCE:
|
|
|
mode = SPECTRE_V2_USER_STRICT;
|
|
|
break;
|
|
|
case SPECTRE_V2_USER_CMD_PRCTL:
|
|
|
+ case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
|
|
|
mode = SPECTRE_V2_USER_PRCTL;
|
|
|
break;
|
|
|
case SPECTRE_V2_USER_CMD_AUTO:
|
|
|
case SPECTRE_V2_USER_CMD_SECCOMP:
|
|
|
+ case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
|
|
|
if (IS_ENABLED(CONFIG_SECCOMP))
|
|
|
mode = SPECTRE_V2_USER_SECCOMP;
|
|
|
else
|
|
@@ -351,12 +359,15 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
|
|
|
if (boot_cpu_has(X86_FEATURE_IBPB)) {
|
|
|
setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
|
|
|
|
|
|
- switch (mode) {
|
|
|
- case SPECTRE_V2_USER_STRICT:
|
|
|
+ switch (cmd) {
|
|
|
+ case SPECTRE_V2_USER_CMD_FORCE:
|
|
|
+ case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
|
|
|
+ case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
|
|
|
static_branch_enable(&switch_mm_always_ibpb);
|
|
|
break;
|
|
|
- case SPECTRE_V2_USER_PRCTL:
|
|
|
- case SPECTRE_V2_USER_SECCOMP:
|
|
|
+ case SPECTRE_V2_USER_CMD_PRCTL:
|
|
|
+ case SPECTRE_V2_USER_CMD_AUTO:
|
|
|
+ case SPECTRE_V2_USER_CMD_SECCOMP:
|
|
|
static_branch_enable(&switch_mm_cond_ibpb);
|
|
|
break;
|
|
|
default:
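Review bot: The switch is now keyed on `cmd` rather than `mode`, so the IBPB flavour and the mode chosen by the earlier switch can diverge (for instance `seccomp,ibpb` with `CONFIG_SECCOMP` disabled still selects `switch_mm_always_ibpb` while `mode` takes the non-seccomp fallback), and nothing near the switch says this is intentional. A comment above `switch (cmd)` would make it explicit: `/* Keyed on the command, not the mode: the ",ibpb" variants request always-on IBPB even in prctl/seccomp mode. */`. `SPECTRE_V2_USER_CMD_NONE` is not listed here; it appears unreachable because of the `goto set_mode` in the earlier switch, so it would fall to `default:`, whose body lies outside this hunk. spectre_v2_user_select_mitigation continues on both sides of the hunk.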
|
|
@@ -364,7 +375,8 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
|
|
|
}
|
|
|
|
|
|
pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
|
|
|
- mode == SPECTRE_V2_USER_STRICT ? "always-on" : "conditional");
|
|
|
+ static_key_enabled(&switch_mm_always_ibpb) ?
|
|
|
+ "always-on" : "conditional");
|
|
|
}
|
|
|
|
|
|
/* If enhanced IBRS is enabled no STIPB required */
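Review bot: The log line now derives "always-on" from `static_key_enabled(&switch_mm_always_ibpb)` instead of `mode`, which is the right source once the `,ibpb` commands exist, but any other reporting path that still infers the IBPB state from `mode` (the sysfs vulnerability output, if it does so) would now disagree with this message; worth confirming those use the same static key. As a readability nit, the ternary split across two argument lines is awkward; a local `bool always = static_key_enabled(&switch_mm_always_ibpb);` before the call keeps the `pr_info()` on one line. The enclosing function continues past this hunk.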
|