Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'tsa_x86_bugs_for_6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull CPU speculation fixes from Borislav Petkov:
"Add the mitigation logic for Transient Scheduler Attacks (TSA)
TSA are new aspeculative side channel attacks related to the execution
timing of instructions under specific microarchitectural conditions.
In some cases, an attacker may be able to use this timing information
to infer data from other contexts, resulting in information leakage.
Add the usual controls of the mitigation and integrate it into the
existing speculation bugs infrastructure in the kernel"
* tag 'tsa_x86_bugs_for_6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/process: Move the buffer clearing before MONITOR
x86/microcode/AMD: Add TSA microcode SHAs
KVM: SVM: Advertise TSA CPUID bits to guests
x86/bugs: Add a Transient Scheduler Attacks mitigation
x86/bugs: Rename MDS machinery to something more generic
+418
-53
+1
Documentation/ABI/testing/sysfs-devices-system-cpu
+1
Documentation/ABI/testing/sysfs-devices-system-cpu
···
584
584
/sys/devices/system/cpu/vulnerabilities/spectre_v1
585
585
/sys/devices/system/cpu/vulnerabilities/spectre_v2
586
586
/sys/devices/system/cpu/vulnerabilities/srbds
587
+
/sys/devices/system/cpu/vulnerabilities/tsa
587
588
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
588
589
Date: January 2018
589
590
Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
+1
-3
Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
+1
-3
Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
···
157
157
combination with a microcode update. The microcode clears the affected CPU
158
158
buffers when the VERW instruction is executed.
159
159
160
-
Kernel reuses the MDS function to invoke the buffer clearing:
161
-
162
-
mds_clear_cpu_buffers()
160
+
Kernel does the buffer clearing with x86_clear_cpu_buffers().
163
161
164
162
On MDS affected CPUs, the kernel already invokes CPU buffer clear on
165
163
kernel/userspace, hypervisor/guest and C-state (idle) transitions. No
+13
Documentation/admin-guide/kernel-parameters.txt
+13
Documentation/admin-guide/kernel-parameters.txt
···
7488
7488
having this key zero'ed is acceptable. E.g. in testing
7489
7489
scenarios.
7490
7490
7491
+
tsa= [X86] Control mitigation for Transient Scheduler
7492
+
Attacks on AMD CPUs. Search the following in your
7493
+
favourite search engine for more details:
7494
+
7495
+
"Technical guidance for mitigating transient scheduler
7496
+
attacks".
7497
+
7498
+
off - disable the mitigation
7499
+
on - enable the mitigation (default)
7500
+
user - mitigate only user/kernel transitions
7501
+
vm - mitigate only guest/host transitions
7502
+
7503
+
7491
7504
tsc= Disable clocksource stability checks for TSC.
7492
7505
Format: <string>
7493
7506
[x86] reliable: mark tsc clocksource as reliable, this
+4
-4
Documentation/arch/x86/mds.rst
+4
-4
Documentation/arch/x86/mds.rst
···
93
93
94
94
The kernel provides a function to invoke the buffer clearing:
95
95
96
-
mds_clear_cpu_buffers()
96
+
x86_clear_cpu_buffers()
97
97
98
98
Also macro CLEAR_CPU_BUFFERS can be used in ASM late in exit-to-user path.
99
99
Other than CFLAGS.ZF, this macro doesn't clobber any registers.
···
185
185
idle clearing would be a window dressing exercise and is therefore not
186
186
activated.
187
187
188
-
The invocation is controlled by the static key mds_idle_clear which is
189
-
switched depending on the chosen mitigation mode and the SMT state of
190
-
the system.
188
+
The invocation is controlled by the static key cpu_buf_idle_clear which is
189
+
switched depending on the chosen mitigation mode and the SMT state of the
190
+
system.
191
191
192
192
The buffer clear is only invoked before entering the C-State to prevent
193
193
that stale data from the idling CPU from spilling to the Hyper-Thread
+9
arch/x86/Kconfig
+9
arch/x86/Kconfig
···
2695
2695
disabled, mitigation cannot be enabled via cmdline.
2696
2696
See <file:Documentation/admin-guide/hw-vuln/indirect-target-selection.rst>
2697
2697
2698
+
config MITIGATION_TSA
2699
+
bool "Mitigate Transient Scheduler Attacks"
2700
+
depends on CPU_SUP_AMD
2701
+
default y
2702
+
help
2703
+
Enable mitigation for Transient Scheduler Attacks. TSA is a hardware
2704
+
security vulnerability on AMD CPUs which can lead to forwarding of
2705
+
invalid info to subsequent instructions and thus can affect their
2706
+
timing and thereby cause a leakage.
2698
2707
endif
2699
2708
2700
2709
config ARCH_HAS_ADD_PAGES
+4
-4
arch/x86/entry/entry.S
+4
-4
arch/x86/entry/entry.S
···
36
36
37
37
/*
38
38
* Define the VERW operand that is disguised as entry code so that
39
-
* it can be referenced with KPTI enabled. This ensure VERW can be
39
+
* it can be referenced with KPTI enabled. This ensures VERW can be
40
40
* used late in exit-to-user path after page tables are switched.
41
41
*/
42
42
.pushsection .entry.text, "ax"
43
43
44
44
.align L1_CACHE_BYTES, 0xcc
45
-
SYM_CODE_START_NOALIGN(mds_verw_sel)
45
+
SYM_CODE_START_NOALIGN(x86_verw_sel)
46
46
UNWIND_HINT_UNDEFINED
47
47
ANNOTATE_NOENDBR
48
48
.word __KERNEL_DS
49
49
.align L1_CACHE_BYTES, 0xcc
50
-
SYM_CODE_END(mds_verw_sel);
50
+
SYM_CODE_END(x86_verw_sel);
51
51
/* For KVM */
52
-
EXPORT_SYMBOL_GPL(mds_verw_sel);
52
+
EXPORT_SYMBOL_GPL(x86_verw_sel);
53
53
54
54
.popsection
55
55
+5
-1
arch/x86/include/asm/cpufeatures.h
+5
-1
arch/x86/include/asm/cpufeatures.h
···
456
456
#define X86_FEATURE_NO_NESTED_DATA_BP (20*32+ 0) /* No Nested Data Breakpoints */
457
457
#define X86_FEATURE_WRMSR_XX_BASE_NS (20*32+ 1) /* WRMSR to {FS,GS,KERNEL_GS}_BASE is non-serializing */
458
458
#define X86_FEATURE_LFENCE_RDTSC (20*32+ 2) /* LFENCE always serializing / synchronizes RDTSC */
459
+
#define X86_FEATURE_VERW_CLEAR (20*32+ 5) /* The memory form of VERW mitigates TSA */
459
460
#define X86_FEATURE_NULL_SEL_CLR_BASE (20*32+ 6) /* Null Selector Clears Base */
460
461
#define X86_FEATURE_AUTOIBRS (20*32+ 8) /* Automatic IBRS */
461
462
#define X86_FEATURE_NO_SMM_CTL_MSR (20*32+ 9) /* SMM_CTL MSR is not present */
···
488
487
#define X86_FEATURE_PREFER_YMM (21*32+ 8) /* Avoid ZMM registers due to downclocking */
489
488
#define X86_FEATURE_APX (21*32+ 9) /* Advanced Performance Extensions */
490
489
#define X86_FEATURE_INDIRECT_THUNK_ITS (21*32+10) /* Use thunk for indirect branches in lower half of cacheline */
490
+
#define X86_FEATURE_TSA_SQ_NO (21*32+11) /* AMD CPU not vulnerable to TSA-SQ */
491
+
#define X86_FEATURE_TSA_L1_NO (21*32+12) /* AMD CPU not vulnerable to TSA-L1 */
492
+
#define X86_FEATURE_CLEAR_CPU_BUF_VM (21*32+13) /* Clear CPU buffers using VERW before VMRUN */
491
493
492
494
/*
493
495
* BUG word(s)
···
546
542
#define X86_BUG_OLD_MICROCODE X86_BUG( 1*32+ 6) /* "old_microcode" CPU has old microcode, it is surely vulnerable to something */
547
543
#define X86_BUG_ITS X86_BUG( 1*32+ 7) /* "its" CPU is affected by Indirect Target Selection */
548
544
#define X86_BUG_ITS_NATIVE_ONLY X86_BUG( 1*32+ 8) /* "its_native_only" CPU is affected by ITS, VMX is not affected */
549
-
545
+
#define X86_BUG_TSA X86_BUG( 1*32+ 9) /* "tsa" CPU is affected by Transient Scheduler Attacks */
550
546
#endif /* _ASM_X86_CPUFEATURES_H */
+2
-2
arch/x86/include/asm/irqflags.h
+2
-2
arch/x86/include/asm/irqflags.h
···
44
44
45
45
static __always_inline void native_safe_halt(void)
46
46
{
47
-
mds_idle_clear_cpu_buffers();
47
+
x86_idle_clear_cpu_buffers();
48
48
asm volatile("sti; hlt": : :"memory");
49
49
}
50
50
51
51
static __always_inline void native_halt(void)
52
52
{
53
-
mds_idle_clear_cpu_buffers();
53
+
x86_idle_clear_cpu_buffers();
54
54
asm volatile("hlt": : :"memory");
55
55
}
56
56
+1
arch/x86/include/asm/kvm_host.h
+1
arch/x86/include/asm/kvm_host.h
+16
-11
arch/x86/include/asm/mwait.h
+16
-11
arch/x86/include/asm/mwait.h
···
43
43
44
44
static __always_inline void __mwait(u32 eax, u32 ecx)
45
45
{
46
-
mds_idle_clear_cpu_buffers();
47
-
48
46
/*
49
47
* Use the instruction mnemonic with implicit operands, as the LLVM
50
48
* assembler fails to assemble the mnemonic with explicit operands:
···
78
80
*/
79
81
static __always_inline void __mwaitx(u32 eax, u32 ebx, u32 ecx)
80
82
{
81
-
/* No MDS buffer clear as this is AMD/HYGON only */
83
+
/* No need for TSA buffer clearing on AMD */
82
84
83
85
/* "mwaitx %eax, %ebx, %ecx" */
84
86
asm volatile(".byte 0x0f, 0x01, 0xfb"
···
96
98
*/
97
99
static __always_inline void __sti_mwait(u32 eax, u32 ecx)
98
100
{
99
-
mds_idle_clear_cpu_buffers();
100
101
101
102
asm volatile("sti; mwait" :: "a" (eax), "c" (ecx));
102
103
}
···
112
115
*/
113
116
static __always_inline void mwait_idle_with_hints(u32 eax, u32 ecx)
114
117
{
118
+
if (need_resched())
119
+
return;
120
+
121
+
x86_idle_clear_cpu_buffers();
122
+
115
123
if (static_cpu_has_bug(X86_BUG_MONITOR) || !current_set_polling_and_test()) {
116
124
const void *addr = ¤t_thread_info()->flags;
117
125
118
126
alternative_input("", "clflush (%[addr])", X86_BUG_CLFLUSH_MONITOR, [addr] "a" (addr));
119
127
__monitor(addr, 0, 0);
120
128
121
-
if (!need_resched()) {
122
-
if (ecx & 1) {
123
-
__mwait(eax, ecx);
124
-
} else {
125
-
__sti_mwait(eax, ecx);
126
-
raw_local_irq_disable();
127
-
}
129
+
if (need_resched())
130
+
goto out;
131
+
132
+
if (ecx & 1) {
133
+
__mwait(eax, ecx);
134
+
} else {
135
+
__sti_mwait(eax, ecx);
136
+
raw_local_irq_disable();
128
137
}
129
138
}
139
+
140
+
out:
130
141
current_clr_polling();
131
142
}
132
143
+22
-15
arch/x86/include/asm/nospec-branch.h
+22
-15
arch/x86/include/asm/nospec-branch.h
···
302
302
.endm
303
303
304
304
/*
305
-
* Macro to execute VERW instruction that mitigate transient data sampling
306
-
* attacks such as MDS. On affected systems a microcode update overloaded VERW
307
-
* instruction to also clear the CPU buffers. VERW clobbers CFLAGS.ZF.
308
-
*
305
+
* Macro to execute VERW insns that mitigate transient data sampling
306
+
* attacks such as MDS or TSA. On affected systems a microcode update
307
+
* overloaded VERW insns to also clear the CPU buffers. VERW clobbers
308
+
* CFLAGS.ZF.
309
309
* Note: Only the memory operand variant of VERW clears the CPU buffers.
310
310
*/
311
-
.macro CLEAR_CPU_BUFFERS
311
+
.macro __CLEAR_CPU_BUFFERS feature
312
312
#ifdef CONFIG_X86_64
313
-
ALTERNATIVE "", "verw mds_verw_sel(%rip)", X86_FEATURE_CLEAR_CPU_BUF
313
+
ALTERNATIVE "", "verw x86_verw_sel(%rip)", \feature
314
314
#else
315
315
/*
316
316
* In 32bit mode, the memory operand must be a %cs reference. The data
317
317
* segments may not be usable (vm86 mode), and the stack segment may not
318
318
* be flat (ESPFIX32).
319
319
*/
320
-
ALTERNATIVE "", "verw %cs:mds_verw_sel", X86_FEATURE_CLEAR_CPU_BUF
320
+
ALTERNATIVE "", "verw %cs:x86_verw_sel", \feature
321
321
#endif
322
322
.endm
323
+
324
+
#define CLEAR_CPU_BUFFERS \
325
+
__CLEAR_CPU_BUFFERS X86_FEATURE_CLEAR_CPU_BUF
326
+
327
+
#define VM_CLEAR_CPU_BUFFERS \
328
+
__CLEAR_CPU_BUFFERS X86_FEATURE_CLEAR_CPU_BUF_VM
323
329
324
330
#ifdef CONFIG_X86_64
325
331
.macro CLEAR_BRANCH_HISTORY
···
573
567
574
568
DECLARE_STATIC_KEY_FALSE(switch_vcpu_ibpb);
575
569
576
-
DECLARE_STATIC_KEY_FALSE(mds_idle_clear);
570
+
DECLARE_STATIC_KEY_FALSE(cpu_buf_idle_clear);
577
571
578
572
DECLARE_STATIC_KEY_FALSE(switch_mm_cond_l1d_flush);
579
573
580
574
DECLARE_STATIC_KEY_FALSE(cpu_buf_vm_clear);
581
575
582
-
extern u16 mds_verw_sel;
576
+
extern u16 x86_verw_sel;
583
577
584
578
#include <asm/segment.h>
585
579
586
580
/**
587
-
* mds_clear_cpu_buffers - Mitigation for MDS and TAA vulnerability
581
+
* x86_clear_cpu_buffers - Buffer clearing support for different x86 CPU vulns
588
582
*
589
583
* This uses the otherwise unused and obsolete VERW instruction in
590
584
* combination with microcode which triggers a CPU buffer flush when the
591
585
* instruction is executed.
592
586
*/
593
-
static __always_inline void mds_clear_cpu_buffers(void)
587
+
static __always_inline void x86_clear_cpu_buffers(void)
594
588
{
595
589
static const u16 ds = __KERNEL_DS;
596
590
···
607
601
}
608
602
609
603
/**
610
-
* mds_idle_clear_cpu_buffers - Mitigation for MDS vulnerability
604
+
* x86_idle_clear_cpu_buffers - Buffer clearing support in idle for the MDS
605
+
* and TSA vulnerabilities.
611
606
*
612
607
* Clear CPU buffers if the corresponding static key is enabled
613
608
*/
614
-
static __always_inline void mds_idle_clear_cpu_buffers(void)
609
+
static __always_inline void x86_idle_clear_cpu_buffers(void)
615
610
{
616
-
if (static_branch_likely(&mds_idle_clear))
617
-
mds_clear_cpu_buffers();
611
+
if (static_branch_likely(&cpu_buf_idle_clear))
612
+
x86_clear_cpu_buffers();
618
613
}
619
614
620
615
#endif /* __ASSEMBLER__ */
+44
arch/x86/kernel/cpu/amd.c
+44
arch/x86/kernel/cpu/amd.c
···
377
377
#endif
378
378
}
379
379
380
+
#define ZEN_MODEL_STEP_UCODE(fam, model, step, ucode) \
381
+
X86_MATCH_VFM_STEPS(VFM_MAKE(X86_VENDOR_AMD, fam, model), \
382
+
step, step, ucode)
383
+
384
+
static const struct x86_cpu_id amd_tsa_microcode[] = {
385
+
ZEN_MODEL_STEP_UCODE(0x19, 0x01, 0x1, 0x0a0011d7),
386
+
ZEN_MODEL_STEP_UCODE(0x19, 0x01, 0x2, 0x0a00123b),
387
+
ZEN_MODEL_STEP_UCODE(0x19, 0x08, 0x2, 0x0a00820d),
388
+
ZEN_MODEL_STEP_UCODE(0x19, 0x11, 0x1, 0x0a10114c),
389
+
ZEN_MODEL_STEP_UCODE(0x19, 0x11, 0x2, 0x0a10124c),
390
+
ZEN_MODEL_STEP_UCODE(0x19, 0x18, 0x1, 0x0a108109),
391
+
ZEN_MODEL_STEP_UCODE(0x19, 0x21, 0x0, 0x0a20102e),
392
+
ZEN_MODEL_STEP_UCODE(0x19, 0x21, 0x2, 0x0a201211),
393
+
ZEN_MODEL_STEP_UCODE(0x19, 0x44, 0x1, 0x0a404108),
394
+
ZEN_MODEL_STEP_UCODE(0x19, 0x50, 0x0, 0x0a500012),
395
+
ZEN_MODEL_STEP_UCODE(0x19, 0x61, 0x2, 0x0a60120a),
396
+
ZEN_MODEL_STEP_UCODE(0x19, 0x74, 0x1, 0x0a704108),
397
+
ZEN_MODEL_STEP_UCODE(0x19, 0x75, 0x2, 0x0a705208),
398
+
ZEN_MODEL_STEP_UCODE(0x19, 0x78, 0x0, 0x0a708008),
399
+
ZEN_MODEL_STEP_UCODE(0x19, 0x7c, 0x0, 0x0a70c008),
400
+
ZEN_MODEL_STEP_UCODE(0x19, 0xa0, 0x2, 0x0aa00216),
401
+
{},
402
+
};
403
+
404
+
static void tsa_init(struct cpuinfo_x86 *c)
405
+
{
406
+
if (cpu_has(c, X86_FEATURE_HYPERVISOR))
407
+
return;
408
+
409
+
if (cpu_has(c, X86_FEATURE_ZEN3) ||
410
+
cpu_has(c, X86_FEATURE_ZEN4)) {
411
+
if (x86_match_min_microcode_rev(amd_tsa_microcode))
412
+
setup_force_cpu_cap(X86_FEATURE_VERW_CLEAR);
413
+
else
414
+
pr_debug("%s: current revision: 0x%x\n", __func__, c->microcode);
415
+
} else {
416
+
setup_force_cpu_cap(X86_FEATURE_TSA_SQ_NO);
417
+
setup_force_cpu_cap(X86_FEATURE_TSA_L1_NO);
418
+
}
419
+
}
420
+
380
421
static void bsp_init_amd(struct cpuinfo_x86 *c)
381
422
{
382
423
if (cpu_has(c, X86_FEATURE_CONSTANT_TSC)) {
···
530
489
}
531
490
532
491
bsp_determine_snp(c);
492
+
493
+
tsa_init(c);
494
+
533
495
return;
534
496
535
497
warn:
+130
-6
arch/x86/kernel/cpu/bugs.c
+130
-6
arch/x86/kernel/cpu/bugs.c
···
94
94
static void __init its_select_mitigation(void);
95
95
static void __init its_update_mitigation(void);
96
96
static void __init its_apply_mitigation(void);
97
+
static void __init tsa_select_mitigation(void);
98
+
static void __init tsa_apply_mitigation(void);
97
99
98
100
/* The base value of the SPEC_CTRL MSR without task-specific bits set */
99
101
u64 x86_spec_ctrl_base;
···
171
169
DEFINE_STATIC_KEY_FALSE(switch_vcpu_ibpb);
172
170
EXPORT_SYMBOL_GPL(switch_vcpu_ibpb);
173
171
174
-
/* Control MDS CPU buffer clear before idling (halt, mwait) */
175
-
DEFINE_STATIC_KEY_FALSE(mds_idle_clear);
176
-
EXPORT_SYMBOL_GPL(mds_idle_clear);
172
+
/* Control CPU buffer clear before idling (halt, mwait) */
173
+
DEFINE_STATIC_KEY_FALSE(cpu_buf_idle_clear);
174
+
EXPORT_SYMBOL_GPL(cpu_buf_idle_clear);
177
175
178
176
/*
179
177
* Controls whether l1d flush based mitigations are enabled,
···
227
225
gds_select_mitigation();
228
226
its_select_mitigation();
229
227
bhi_select_mitigation();
228
+
tsa_select_mitigation();
230
229
231
230
/*
232
231
* After mitigations are selected, some may need to update their
···
275
272
gds_apply_mitigation();
276
273
its_apply_mitigation();
277
274
bhi_apply_mitigation();
275
+
tsa_apply_mitigation();
278
276
}
279
277
280
278
/*
···
641
637
* is required irrespective of SMT state.
642
638
*/
643
639
if (!(x86_arch_cap_msr & ARCH_CAP_FBSDP_NO))
644
-
static_branch_enable(&mds_idle_clear);
640
+
static_branch_enable(&cpu_buf_idle_clear);
645
641
646
642
if (mmio_nosmt || cpu_mitigations_auto_nosmt())
647
643
cpu_smt_disable(false);
···
1492
1488
}
1493
1489
1494
1490
#undef pr_fmt
1491
+
#define pr_fmt(fmt) "Transient Scheduler Attacks: " fmt
1492
+
1493
+
enum tsa_mitigations {
1494
+
TSA_MITIGATION_NONE,
1495
+
TSA_MITIGATION_AUTO,
1496
+
TSA_MITIGATION_UCODE_NEEDED,
1497
+
TSA_MITIGATION_USER_KERNEL,
1498
+
TSA_MITIGATION_VM,
1499
+
TSA_MITIGATION_FULL,
1500
+
};
1501
+
1502
+
static const char * const tsa_strings[] = {
1503
+
[TSA_MITIGATION_NONE] = "Vulnerable",
1504
+
[TSA_MITIGATION_UCODE_NEEDED] = "Vulnerable: No microcode",
1505
+
[TSA_MITIGATION_USER_KERNEL] = "Mitigation: Clear CPU buffers: user/kernel boundary",
1506
+
[TSA_MITIGATION_VM] = "Mitigation: Clear CPU buffers: VM",
1507
+
[TSA_MITIGATION_FULL] = "Mitigation: Clear CPU buffers",
1508
+
};
1509
+
1510
+
static enum tsa_mitigations tsa_mitigation __ro_after_init =
1511
+
IS_ENABLED(CONFIG_MITIGATION_TSA) ? TSA_MITIGATION_AUTO : TSA_MITIGATION_NONE;
1512
+
1513
+
static int __init tsa_parse_cmdline(char *str)
1514
+
{
1515
+
if (!str)
1516
+
return -EINVAL;
1517
+
1518
+
if (!strcmp(str, "off"))
1519
+
tsa_mitigation = TSA_MITIGATION_NONE;
1520
+
else if (!strcmp(str, "on"))
1521
+
tsa_mitigation = TSA_MITIGATION_FULL;
1522
+
else if (!strcmp(str, "user"))
1523
+
tsa_mitigation = TSA_MITIGATION_USER_KERNEL;
1524
+
else if (!strcmp(str, "vm"))
1525
+
tsa_mitigation = TSA_MITIGATION_VM;
1526
+
else
1527
+
pr_err("Ignoring unknown tsa=%s option.\n", str);
1528
+
1529
+
return 0;
1530
+
}
1531
+
early_param("tsa", tsa_parse_cmdline);
1532
+
1533
+
static void __init tsa_select_mitigation(void)
1534
+
{
1535
+
if (cpu_mitigations_off() || !boot_cpu_has_bug(X86_BUG_TSA)) {
1536
+
tsa_mitigation = TSA_MITIGATION_NONE;
1537
+
return;
1538
+
}
1539
+
1540
+
if (tsa_mitigation == TSA_MITIGATION_NONE)
1541
+
return;
1542
+
1543
+
if (!boot_cpu_has(X86_FEATURE_VERW_CLEAR)) {
1544
+
tsa_mitigation = TSA_MITIGATION_UCODE_NEEDED;
1545
+
goto out;
1546
+
}
1547
+
1548
+
if (tsa_mitigation == TSA_MITIGATION_AUTO)
1549
+
tsa_mitigation = TSA_MITIGATION_FULL;
1550
+
1551
+
/*
1552
+
* No need to set verw_clear_cpu_buf_mitigation_selected - it
1553
+
* doesn't fit all cases here and it is not needed because this
1554
+
* is the only VERW-based mitigation on AMD.
1555
+
*/
1556
+
out:
1557
+
pr_info("%s\n", tsa_strings[tsa_mitigation]);
1558
+
}
1559
+
1560
+
static void __init tsa_apply_mitigation(void)
1561
+
{
1562
+
switch (tsa_mitigation) {
1563
+
case TSA_MITIGATION_USER_KERNEL:
1564
+
setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
1565
+
break;
1566
+
case TSA_MITIGATION_VM:
1567
+
setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF_VM);
1568
+
break;
1569
+
case TSA_MITIGATION_FULL:
1570
+
setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
1571
+
setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF_VM);
1572
+
break;
1573
+
default:
1574
+
break;
1575
+
}
1576
+
}
1577
+
1578
+
#undef pr_fmt
1495
1579
#define pr_fmt(fmt) "Spectre V2 : " fmt
1496
1580
1497
1581
static enum spectre_v2_user_mitigation spectre_v2_user_stibp __ro_after_init =
···
2341
2249
return;
2342
2250
2343
2251
if (sched_smt_active()) {
2344
-
static_branch_enable(&mds_idle_clear);
2252
+
static_branch_enable(&cpu_buf_idle_clear);
2345
2253
} else if (mmio_mitigation == MMIO_MITIGATION_OFF ||
2346
2254
(x86_arch_cap_msr & ARCH_CAP_FBSDP_NO)) {
2347
-
static_branch_disable(&mds_idle_clear);
2255
+
static_branch_disable(&cpu_buf_idle_clear);
2348
2256
}
2349
2257
}
2350
2258
···
2405
2313
pr_warn_once(MMIO_MSG_SMT);
2406
2314
break;
2407
2315
case MMIO_MITIGATION_OFF:
2316
+
break;
2317
+
}
2318
+
2319
+
switch (tsa_mitigation) {
2320
+
case TSA_MITIGATION_USER_KERNEL:
2321
+
case TSA_MITIGATION_VM:
2322
+
case TSA_MITIGATION_AUTO:
2323
+
case TSA_MITIGATION_FULL:
2324
+
/*
2325
+
* TSA-SQ can potentially lead to info leakage between
2326
+
* SMT threads.
2327
+
*/
2328
+
if (sched_smt_active())
2329
+
static_branch_enable(&cpu_buf_idle_clear);
2330
+
else
2331
+
static_branch_disable(&cpu_buf_idle_clear);
2332
+
break;
2333
+
case TSA_MITIGATION_NONE:
2334
+
case TSA_MITIGATION_UCODE_NEEDED:
2408
2335
break;
2409
2336
}
2410
2337
···
3376
3265
return sysfs_emit(buf, "%s\n", gds_strings[gds_mitigation]);
3377
3266
}
3378
3267
3268
+
static ssize_t tsa_show_state(char *buf)
3269
+
{
3270
+
return sysfs_emit(buf, "%s\n", tsa_strings[tsa_mitigation]);
3271
+
}
3272
+
3379
3273
static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
3380
3274
char *buf, unsigned int bug)
3381
3275
{
···
3443
3327
3444
3328
case X86_BUG_ITS:
3445
3329
return its_show_state(buf);
3330
+
3331
+
case X86_BUG_TSA:
3332
+
return tsa_show_state(buf);
3446
3333
3447
3334
default:
3448
3335
break;
···
3532
3413
ssize_t cpu_show_indirect_target_selection(struct device *dev, struct device_attribute *attr, char *buf)
3533
3414
{
3534
3415
return cpu_show_common(dev, attr, buf, X86_BUG_ITS);
3416
+
}
3417
+
3418
+
ssize_t cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf)
3419
+
{
3420
+
return cpu_show_common(dev, attr, buf, X86_BUG_TSA);
3535
3421
}
3536
3422
#endif
3537
3423
+13
-1
arch/x86/kernel/cpu/common.c
+13
-1
arch/x86/kernel/cpu/common.c
···
1233
1233
#define ITS BIT(8)
1234
1234
/* CPU is affected by Indirect Target Selection, but guest-host isolation is not affected */
1235
1235
#define ITS_NATIVE_ONLY BIT(9)
1236
+
/* CPU is affected by Transient Scheduler Attacks */
1237
+
#define TSA BIT(10)
1236
1238
1237
1239
static const struct x86_cpu_id cpu_vuln_blacklist[] __initconst = {
1238
1240
VULNBL_INTEL_STEPS(INTEL_IVYBRIDGE, X86_STEP_MAX, SRBDS),
···
1282
1280
VULNBL_AMD(0x16, RETBLEED),
1283
1281
VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO),
1284
1282
VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO),
1285
-
VULNBL_AMD(0x19, SRSO),
1283
+
VULNBL_AMD(0x19, SRSO | TSA),
1286
1284
VULNBL_AMD(0x1a, SRSO),
1287
1285
{}
1288
1286
};
···
1530
1528
setup_force_cpu_bug(X86_BUG_ITS);
1531
1529
if (cpu_matches(cpu_vuln_blacklist, ITS_NATIVE_ONLY))
1532
1530
setup_force_cpu_bug(X86_BUG_ITS_NATIVE_ONLY);
1531
+
}
1532
+
1533
+
if (c->x86_vendor == X86_VENDOR_AMD) {
1534
+
if (!cpu_has(c, X86_FEATURE_TSA_SQ_NO) ||
1535
+
!cpu_has(c, X86_FEATURE_TSA_L1_NO)) {
1536
+
if (cpu_matches(cpu_vuln_blacklist, TSA) ||
1537
+
/* Enable bug on Zen guests to allow for live migration. */
1538
+
(cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_ZEN)))
1539
+
setup_force_cpu_bug(X86_BUG_TSA);
1540
+
}
1533
1541
}
1534
1542
1535
1543
if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
+112
arch/x86/kernel/cpu/microcode/amd_shas.c
+112
arch/x86/kernel/cpu/microcode/amd_shas.c
···
231
231
0x0d,0x5b,0x65,0x34,0x69,0xb2,0x62,0x21,
232
232
}
233
233
},
234
+
{ 0xa0011d7, {
235
+
0x35,0x07,0xcd,0x40,0x94,0xbc,0x81,0x6b,
236
+
0xfc,0x61,0x56,0x1a,0xe2,0xdb,0x96,0x12,
237
+
0x1c,0x1c,0x31,0xb1,0x02,0x6f,0xe5,0xd2,
238
+
0xfe,0x1b,0x04,0x03,0x2c,0x8f,0x4c,0x36,
239
+
}
240
+
},
234
241
{ 0xa001223, {
235
242
0xfb,0x32,0x5f,0xc6,0x83,0x4f,0x8c,0xb8,
236
243
0xa4,0x05,0xf9,0x71,0x53,0x01,0x16,0xc4,
···
301
294
0xc0,0xcd,0x33,0xf2,0x8d,0xf9,0xef,0x59,
302
295
}
303
296
},
297
+
{ 0xa00123b, {
298
+
0xef,0xa1,0x1e,0x71,0xf1,0xc3,0x2c,0xe2,
299
+
0xc3,0xef,0x69,0x41,0x7a,0x54,0xca,0xc3,
300
+
0x8f,0x62,0x84,0xee,0xc2,0x39,0xd9,0x28,
301
+
0x95,0xa7,0x12,0x49,0x1e,0x30,0x71,0x72,
302
+
}
303
+
},
304
304
{ 0xa00820c, {
305
305
0xa8,0x0c,0x81,0xc0,0xa6,0x00,0xe7,0xf3,
306
306
0x5f,0x65,0xd3,0xb9,0x6f,0xea,0x93,0x63,
307
307
0xf1,0x8c,0x88,0x45,0xd7,0x82,0x80,0xd1,
308
308
0xe1,0x3b,0x8d,0xb2,0xf8,0x22,0x03,0xe2,
309
+
}
310
+
},
311
+
{ 0xa00820d, {
312
+
0xf9,0x2a,0xc0,0xf4,0x9e,0xa4,0x87,0xa4,
313
+
0x7d,0x87,0x00,0xfd,0xab,0xda,0x19,0xca,
314
+
0x26,0x51,0x32,0xc1,0x57,0x91,0xdf,0xc1,
315
+
0x05,0xeb,0x01,0x7c,0x5a,0x95,0x21,0xb7,
309
316
}
310
317
},
311
318
{ 0xa10113e, {
···
343
322
0xf1,0x5e,0xb0,0xde,0xb4,0x98,0xae,0xc4,
344
323
}
345
324
},
325
+
{ 0xa10114c, {
326
+
0x9e,0xb6,0xa2,0xd9,0x87,0x38,0xc5,0x64,
327
+
0xd8,0x88,0xfa,0x78,0x98,0xf9,0x6f,0x74,
328
+
0x39,0x90,0x1b,0xa5,0xcf,0x5e,0xb4,0x2a,
329
+
0x02,0xff,0xd4,0x8c,0x71,0x8b,0xe2,0xc0,
330
+
}
331
+
},
346
332
{ 0xa10123e, {
347
333
0x03,0xb9,0x2c,0x76,0x48,0x93,0xc9,0x18,
348
334
0xfb,0x56,0xfd,0xf7,0xe2,0x1d,0xca,0x4d,
···
371
343
0x1b,0x7d,0x64,0x9d,0x4b,0x53,0x13,0x75,
372
344
}
373
345
},
346
+
{ 0xa10124c, {
347
+
0x29,0xea,0xf1,0x2c,0xb2,0xe4,0xef,0x90,
348
+
0xa4,0xcd,0x1d,0x86,0x97,0x17,0x61,0x46,
349
+
0xfc,0x22,0xcb,0x57,0x75,0x19,0xc8,0xcc,
350
+
0x0c,0xf5,0xbc,0xac,0x81,0x9d,0x9a,0xd2,
351
+
}
352
+
},
374
353
{ 0xa108108, {
375
354
0xed,0xc2,0xec,0xa1,0x15,0xc6,0x65,0xe9,
376
355
0xd0,0xef,0x39,0xaa,0x7f,0x55,0x06,0xc6,
377
356
0xf5,0xd4,0x3f,0x7b,0x14,0xd5,0x60,0x2c,
378
357
0x28,0x1e,0x9c,0x59,0x69,0x99,0x4d,0x16,
358
+
}
359
+
},
360
+
{ 0xa108109, {
361
+
0x85,0xb4,0xbd,0x7c,0x49,0xa7,0xbd,0xfa,
362
+
0x49,0x36,0x80,0x81,0xc5,0xb7,0x39,0x1b,
363
+
0x9a,0xaa,0x50,0xde,0x9b,0xe9,0x32,0x35,
364
+
0x42,0x7e,0x51,0x4f,0x52,0x2c,0x28,0x59,
379
365
}
380
366
},
381
367
{ 0xa20102d, {
···
399
357
0x8c,0xe9,0x19,0x3e,0xcc,0x3f,0x7b,0xb4,
400
358
}
401
359
},
360
+
{ 0xa20102e, {
361
+
0xbe,0x1f,0x32,0x04,0x0d,0x3c,0x9c,0xdd,
362
+
0xe1,0xa4,0xbf,0x76,0x3a,0xec,0xc2,0xf6,
363
+
0x11,0x00,0xa7,0xaf,0x0f,0xe5,0x02,0xc5,
364
+
0x54,0x3a,0x1f,0x8c,0x16,0xb5,0xff,0xbe,
365
+
}
366
+
},
402
367
{ 0xa201210, {
403
368
0xe8,0x6d,0x51,0x6a,0x8e,0x72,0xf3,0xfe,
404
369
0x6e,0x16,0xbc,0x62,0x59,0x40,0x17,0xe9,
405
370
0x6d,0x3d,0x0e,0x6b,0xa7,0xac,0xe3,0x68,
406
371
0xf7,0x55,0xf0,0x13,0xbb,0x22,0xf6,0x41,
372
+
}
373
+
},
374
+
{ 0xa201211, {
375
+
0x69,0xa1,0x17,0xec,0xd0,0xf6,0x6c,0x95,
376
+
0xe2,0x1e,0xc5,0x59,0x1a,0x52,0x0a,0x27,
377
+
0xc4,0xed,0xd5,0x59,0x1f,0xbf,0x00,0xff,
378
+
0x08,0x88,0xb5,0xe1,0x12,0xb6,0xcc,0x27,
407
379
}
408
380
},
409
381
{ 0xa404107, {
···
427
371
0x13,0xbc,0xc5,0x25,0xe4,0xc5,0xc3,0x99,
428
372
}
429
373
},
374
+
{ 0xa404108, {
375
+
0x69,0x67,0x43,0x06,0xf8,0x0c,0x62,0xdc,
376
+
0xa4,0x21,0x30,0x4f,0x0f,0x21,0x2c,0xcb,
377
+
0xcc,0x37,0xf1,0x1c,0xc3,0xf8,0x2f,0x19,
378
+
0xdf,0x53,0x53,0x46,0xb1,0x15,0xea,0x00,
379
+
}
380
+
},
430
381
{ 0xa500011, {
431
382
0x23,0x3d,0x70,0x7d,0x03,0xc3,0xc4,0xf4,
432
383
0x2b,0x82,0xc6,0x05,0xda,0x80,0x0a,0xf1,
433
384
0xd7,0x5b,0x65,0x3a,0x7d,0xab,0xdf,0xa2,
434
385
0x11,0x5e,0x96,0x7e,0x71,0xe9,0xfc,0x74,
386
+
}
387
+
},
388
+
{ 0xa500012, {
389
+
0xeb,0x74,0x0d,0x47,0xa1,0x8e,0x09,0xe4,
390
+
0x93,0x4c,0xad,0x03,0x32,0x4c,0x38,0x16,
391
+
0x10,0x39,0xdd,0x06,0xaa,0xce,0xd6,0x0f,
392
+
0x62,0x83,0x9d,0x8e,0x64,0x55,0xbe,0x63,
435
393
}
436
394
},
437
395
{ 0xa601209, {
···
455
385
0xe8,0x73,0xe2,0xd6,0xdb,0xd2,0x77,0x1d,
456
386
}
457
387
},
388
+
{ 0xa60120a, {
389
+
0x0c,0x8b,0x3d,0xfd,0x52,0x52,0x85,0x7d,
390
+
0x20,0x3a,0xe1,0x7e,0xa4,0x21,0x3b,0x7b,
391
+
0x17,0x86,0xae,0xac,0x13,0xb8,0x63,0x9d,
392
+
0x06,0x01,0xd0,0xa0,0x51,0x9a,0x91,0x2c,
393
+
}
394
+
},
458
395
{ 0xa704107, {
459
396
0xf3,0xc6,0x58,0x26,0xee,0xac,0x3f,0xd6,
460
397
0xce,0xa1,0x72,0x47,0x3b,0xba,0x2b,0x93,
461
398
0x2a,0xad,0x8e,0x6b,0xea,0x9b,0xb7,0xc2,
462
399
0x64,0x39,0x71,0x8c,0xce,0xe7,0x41,0x39,
400
+
}
401
+
},
402
+
{ 0xa704108, {
403
+
0xd7,0x55,0x15,0x2b,0xfe,0xc4,0xbc,0x93,
404
+
0xec,0x91,0xa0,0xae,0x45,0xb7,0xc3,0x98,
405
+
0x4e,0xff,0x61,0x77,0x88,0xc2,0x70,0x49,
406
+
0xe0,0x3a,0x1d,0x84,0x38,0x52,0xbf,0x5a,
463
407
}
464
408
},
465
409
{ 0xa705206, {
···
483
399
0x03,0x35,0xe9,0xbe,0xfb,0x06,0xdf,0xfc,
484
400
}
485
401
},
402
+
{ 0xa705208, {
403
+
0x30,0x1d,0x55,0x24,0xbc,0x6b,0x5a,0x19,
404
+
0x0c,0x7d,0x1d,0x74,0xaa,0xd1,0xeb,0xd2,
405
+
0x16,0x62,0xf7,0x5b,0xe1,0x1f,0x18,0x11,
406
+
0x5c,0xf0,0x94,0x90,0x26,0xec,0x69,0xff,
407
+
}
408
+
},
486
409
{ 0xa708007, {
487
410
0x6b,0x76,0xcc,0x78,0xc5,0x8a,0xa3,0xe3,
488
411
0x32,0x2d,0x79,0xe4,0xc3,0x80,0xdb,0xb2,
···
497
406
0xdf,0x92,0x73,0x84,0x87,0x3c,0x73,0x93,
498
407
}
499
408
},
409
+
{ 0xa708008, {
410
+
0x08,0x6e,0xf0,0x22,0x4b,0x8e,0xc4,0x46,
411
+
0x58,0x34,0xe6,0x47,0xa2,0x28,0xfd,0xab,
412
+
0x22,0x3d,0xdd,0xd8,0x52,0x9e,0x1d,0x16,
413
+
0xfa,0x01,0x68,0x14,0x79,0x3e,0xe8,0x6b,
414
+
}
415
+
},
500
416
{ 0xa70c005, {
501
417
0x88,0x5d,0xfb,0x79,0x64,0xd8,0x46,0x3b,
502
418
0x4a,0x83,0x8e,0x77,0x7e,0xcf,0xb3,0x0f,
503
419
0x1f,0x1f,0xf1,0x97,0xeb,0xfe,0x56,0x55,
504
420
0xee,0x49,0xac,0xe1,0x8b,0x13,0xc5,0x13,
421
+
}
422
+
},
423
+
{ 0xa70c008, {
424
+
0x0f,0xdb,0x37,0xa1,0x10,0xaf,0xd4,0x21,
425
+
0x94,0x0d,0xa4,0xa2,0xe9,0x86,0x6c,0x0e,
426
+
0x85,0x7c,0x36,0x30,0xa3,0x3a,0x78,0x66,
427
+
0x18,0x10,0x60,0x0d,0x78,0x3d,0x44,0xd0,
505
428
}
506
429
},
507
430
{ 0xaa00116, {
···
544
439
0x4e,0x85,0x4b,0x7c,0x6b,0xd5,0x7c,0xd4,
545
440
0x1b,0x51,0x71,0x3a,0x0e,0x0b,0xdc,0x9b,
546
441
0x68,0x2f,0x46,0xee,0xfe,0xc6,0x6d,0xef,
442
+
}
443
+
},
444
+
{ 0xaa00216, {
445
+
0x79,0xfb,0x5b,0x9f,0xb6,0xe6,0xa8,0xf5,
446
+
0x4e,0x7c,0x4f,0x8e,0x1d,0xad,0xd0,0x08,
447
+
0xc2,0x43,0x7c,0x8b,0xe6,0xdb,0xd0,0xd2,
448
+
0xe8,0x39,0x26,0xc1,0xe5,0x5a,0x48,0xf1,
547
449
}
548
450
},
549
451
};
+2
arch/x86/kernel/cpu/scattered.c
+2
arch/x86/kernel/cpu/scattered.c
···
50
50
{ X86_FEATURE_MBA, CPUID_EBX, 6, 0x80000008, 0 },
51
51
{ X86_FEATURE_SMBA, CPUID_EBX, 2, 0x80000020, 0 },
52
52
{ X86_FEATURE_BMEC, CPUID_EBX, 3, 0x80000020, 0 },
53
+
{ X86_FEATURE_TSA_SQ_NO, CPUID_ECX, 1, 0x80000021, 0 },
54
+
{ X86_FEATURE_TSA_L1_NO, CPUID_ECX, 2, 0x80000021, 0 },
53
55
{ X86_FEATURE_AMD_WORKLOAD_CLASS, CPUID_EAX, 22, 0x80000021, 0 },
54
56
{ X86_FEATURE_PERFMON_V2, CPUID_EAX, 0, 0x80000022, 0 },
55
57
{ X86_FEATURE_AMD_LBR_V2, CPUID_EAX, 1, 0x80000022, 0 },
+12
-4
arch/x86/kernel/process.c
+12
-4
arch/x86/kernel/process.c
···
907
907
*/
908
908
static __cpuidle void mwait_idle(void)
909
909
{
910
+
if (need_resched())
911
+
return;
912
+
913
+
x86_idle_clear_cpu_buffers();
914
+
910
915
if (!current_set_polling_and_test()) {
911
916
const void *addr = ¤t_thread_info()->flags;
912
917
913
918
alternative_input("", "clflush (%[addr])", X86_BUG_CLFLUSH_MONITOR, [addr] "a" (addr));
914
919
__monitor(addr, 0, 0);
915
-
if (!need_resched()) {
916
-
__sti_mwait(0, 0);
917
-
raw_local_irq_disable();
918
-
}
920
+
if (need_resched())
921
+
goto out;
922
+
923
+
__sti_mwait(0, 0);
924
+
raw_local_irq_disable();
919
925
}
926
+
927
+
out:
920
928
__current_clr_polling();
921
929
}
922
930
+9
-1
arch/x86/kvm/cpuid.c
+9
-1
arch/x86/kvm/cpuid.c
···
1165
1165
*/
1166
1166
SYNTHESIZED_F(LFENCE_RDTSC),
1167
1167
/* SmmPgCfgLock */
1168
+
/* 4: Resv */
1169
+
SYNTHESIZED_F(VERW_CLEAR),
1168
1170
F(NULL_SEL_CLR_BASE),
1169
1171
/* UpperAddressIgnore */
1170
1172
F(AUTOIBRS),
···
1179
1177
SYNTHESIZED_F(IBPB_BRTYPE),
1180
1178
SYNTHESIZED_F(SRSO_NO),
1181
1179
F(SRSO_USER_KERNEL_NO),
1180
+
);
1181
+
1182
+
kvm_cpu_cap_init(CPUID_8000_0021_ECX,
1183
+
SYNTHESIZED_F(TSA_SQ_NO),
1184
+
SYNTHESIZED_F(TSA_L1_NO),
1182
1185
);
1183
1186
1184
1187
kvm_cpu_cap_init(CPUID_8000_0022_EAX,
···
1755
1748
entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
1756
1749
break;
1757
1750
case 0x80000021:
1758
-
entry->ebx = entry->ecx = entry->edx = 0;
1751
+
entry->ebx = entry->edx = 0;
1759
1752
cpuid_entry_override(entry, CPUID_8000_0021_EAX);
1753
+
cpuid_entry_override(entry, CPUID_8000_0021_ECX);
1760
1754
break;
1761
1755
/* AMD Extended Performance Monitoring and Debug */
1762
1756
case 0x80000022: {
+7
arch/x86/kvm/reverse_cpuid.h
+7
arch/x86/kvm/reverse_cpuid.h
···
52
52
/* CPUID level 0x80000022 (EAX) */
53
53
#define KVM_X86_FEATURE_PERFMON_V2 KVM_X86_FEATURE(CPUID_8000_0022_EAX, 0)
54
54
55
+
/* CPUID level 0x80000021 (ECX) */
56
+
#define KVM_X86_FEATURE_TSA_SQ_NO KVM_X86_FEATURE(CPUID_8000_0021_ECX, 1)
57
+
#define KVM_X86_FEATURE_TSA_L1_NO KVM_X86_FEATURE(CPUID_8000_0021_ECX, 2)
58
+
55
59
struct cpuid_reg {
56
60
u32 function;
57
61
u32 index;
···
86
82
[CPUID_8000_0022_EAX] = {0x80000022, 0, CPUID_EAX},
87
83
[CPUID_7_2_EDX] = { 7, 2, CPUID_EDX},
88
84
[CPUID_24_0_EBX] = { 0x24, 0, CPUID_EBX},
85
+
[CPUID_8000_0021_ECX] = {0x80000021, 0, CPUID_ECX},
89
86
};
90
87
91
88
/*
···
126
121
KVM_X86_TRANSLATE_FEATURE(PERFMON_V2);
127
122
KVM_X86_TRANSLATE_FEATURE(RRSBA_CTRL);
128
123
KVM_X86_TRANSLATE_FEATURE(BHI_CTRL);
124
+
KVM_X86_TRANSLATE_FEATURE(TSA_SQ_NO);
125
+
KVM_X86_TRANSLATE_FEATURE(TSA_L1_NO);
129
126
default:
130
127
return x86_feature;
131
128
}
+6
arch/x86/kvm/svm/vmenter.S
+6
arch/x86/kvm/svm/vmenter.S
···
169
169
#endif
170
170
mov VCPU_RDI(%_ASM_DI), %_ASM_DI
171
171
172
+
/* Clobbers EFLAGS.ZF */
173
+
VM_CLEAR_CPU_BUFFERS
174
+
172
175
/* Enter guest mode */
173
176
3: vmrun %_ASM_AX
174
177
4:
···
337
334
/* Get svm->current_vmcb->pa into RAX. */
338
335
mov SVM_current_vmcb(%rdi), %rax
339
336
mov KVM_VMCB_pa(%rax), %rax
337
+
338
+
/* Clobbers EFLAGS.ZF */
339
+
VM_CLEAR_CPU_BUFFERS
340
340
341
341
/* Enter guest mode */
342
342
1: vmrun %rax
+1
-1
arch/x86/kvm/vmx/vmx.c
+1
-1
arch/x86/kvm/vmx/vmx.c
+3
drivers/base/cpu.c
+3
drivers/base/cpu.c
···
602
602
CPU_SHOW_VULN_FALLBACK(ghostwrite);
603
603
CPU_SHOW_VULN_FALLBACK(old_microcode);
604
604
CPU_SHOW_VULN_FALLBACK(indirect_target_selection);
605
+
CPU_SHOW_VULN_FALLBACK(tsa);
605
606
606
607
static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
607
608
static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
···
621
620
static DEVICE_ATTR(ghostwrite, 0444, cpu_show_ghostwrite, NULL);
622
621
static DEVICE_ATTR(old_microcode, 0444, cpu_show_old_microcode, NULL);
623
622
static DEVICE_ATTR(indirect_target_selection, 0444, cpu_show_indirect_target_selection, NULL);
623
+
static DEVICE_ATTR(tsa, 0444, cpu_show_tsa, NULL);
624
624
625
625
static struct attribute *cpu_root_vulnerabilities_attrs[] = {
626
626
&dev_attr_meltdown.attr,
···
641
639
&dev_attr_ghostwrite.attr,
642
640
&dev_attr_old_microcode.attr,
643
641
&dev_attr_indirect_target_selection.attr,
642
+
&dev_attr_tsa.attr,
644
643
NULL
645
644
};
646
645
+1
include/linux/cpu.h
+1
include/linux/cpu.h
···
82
82
struct device_attribute *attr, char *buf);
83
83
extern ssize_t cpu_show_indirect_target_selection(struct device *dev,
84
84
struct device_attribute *attr, char *buf);
85
+
extern ssize_t cpu_show_tsa(struct device *dev, struct device_attribute *attr, char *buf);
85
86
86
87
extern __printf(4, 5)
87
88
struct device *cpu_device_create(struct device *parent, void *drvdata,