| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aPZZwoqWV8cJG2HH@google.com>
Date: Mon, 20 Oct 2025 08:48:18 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Jon Kohler <jon@...anix.com>
Cc: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...nel.org>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, Jonathan Corbet <corbet@....net>,
Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>, Brian Gerst <brgerst@...il.com>, Brendan Jackman <jackmanb@...gle.com>,
"Ahmed S. Darwish" <darwi@...utronix.de>, Alexandre Chartre <alexandre.chartre@...cle.com>,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86/its: use Sapphire Rapids+ feature to opt out
On Thu, Oct 16, 2025, Jon Kohler wrote:
> A VMM may not expose ITS_NO or BHI_CTL, so guests cannot rely on those
> bits to determine whether they might be migrated to ITS-affected
> hardware. Rather than depending on a control that may be absent, detect
> ITS-unaffected hosts via a CPU feature that is exclusive to Sapphire
> Rapids and newer processors.
>
> Use X86_FEATURE_BUS_LOCK_DETECT as the canary: it is present on
> Sapphire Rapids+ parts and provides a reliable indicator that the guest
> won't be moved to ITS-affected hardware. This avoids false negatives
> caused by VMMs that omit ITS_NO or BHI_CTL. For example, QEMU added
> bhi-ctrl only in v9.2.0 [1], well after adding the Sapphire Rapids
> model in v8.0.0 [2].
>
> [1] 10eaf9c0fb7 ("target/i386: Add more features enumerated by CPUID.7.2.EDX")
> [2] 7eb061b06e9 ("i386: Add new CPU model SapphireRapids")
>
> Cc: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> Fixes: 159013a7ca1 ("x86/its: Enumerate Indirect Target Selection (ITS) bug")
> Signed-off-by: Jon Kohler <jon@...anix.com>
> ---
> .../admin-guide/hw-vuln/indirect-target-selection.rst | 5 +++--
> arch/x86/kernel/cpu/common.c | 6 ++++--
> 2 files changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst b/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
> index d9ca64108d23..3cfe4b9f9bd0 100644
> --- a/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
> +++ b/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
> @@ -98,8 +98,9 @@ Mitigation in guests
> ^^^^^^^^^^^^^^^^^^^^
> All guests deploy ITS mitigation by default, irrespective of eIBRS enumeration
> and Family/Model of the guest. This is because eIBRS feature could be hidden
> -from a guest. One exception to this is when a guest enumerates BHI_DIS_S, which
> -indicates that the guest is running on an unaffected host.
> +from a guest. One exception to this is when a guest enumerates BHI_DIS_S or
> +BUS_LOCK_DETECT, either of which indicates that the guest is running on an
> +unaffected host and would not be migratable to an affected host.
>
> To prevent guests from unnecessarily deploying the mitigation on unaffected
> platforms, Intel has defined ITS_NO bit(62) in MSR IA32_ARCH_CAPABILITIES. When
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index c7d3512914ca..3de4b51d8681 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -1361,9 +1361,11 @@ static bool __init vulnerable_to_its(u64 x86_arch_cap_msr)
> /*
> * If a VMM did not expose ITS_NO, assume that a guest could
> * be running on a vulnerable hardware or may migrate to such
> - * hardware.
> + * hardware, except in the situation where the guest is presented
> + * with a feature that only exists in non-vulnerable hardware.
> */
> - if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
> + if (boot_cpu_has(X86_FEATURE_HYPERVISOR) ||
> + boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
Uh, don't you want something like this?
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c7d3512914ca..8c4bc9b5d8ed 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1364,7 +1364,7 @@ static bool __init vulnerable_to_its(u64 x86_arch_cap_msr)
* hardware.
*/
if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
- return true;
+ return !boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT);
if (cpu_matches(cpu_vuln_blacklist, ITS))
return true;
Functionality aside, this is quite heinous. I don't see why the answer isn't
"Fix the VMM to specify ITS_NO".
Powered by blists - more mailing lists