| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5cdca004-5228-4f07-b9b8-901880f59bb7@suse.com>
Date: Fri, 21 Nov 2025 16:23:56 +0200
From: Nikolay Borisov <nik.borisov@...e.com>
To: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, x86@...nel.org,
David Kaplan <david.kaplan@....com>, "H. Peter Anvin" <hpa@...or.com>,
Josh Poimboeuf <jpoimboe@...nel.org>, Sean Christopherson
<seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>,
Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>
Cc: linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
Asit Mallick <asit.k.mallick@...el.com>, Tao Zhang <tao1.zhang@...el.com>
Subject: Re: [PATCH v4 09/11] x86/vmscape: Deploy BHB clearing mitigation
On 11/20/25 08:19, Pawan Gupta wrote:
> IBPB mitigation for VMSCAPE is an overkill on CPUs that are only affected
> by the BHI variant of VMSCAPE. On such CPUs, eIBRS already provides
> indirect branch isolation between guest and host userspace. However, branch
> history from guest may also influence the indirect branches in host
> userspace.
>
> To mitigate the BHI aspect, use clear_bhb_loop().
>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> ---
> Documentation/admin-guide/hw-vuln/vmscape.rst | 4 ++++
> arch/x86/include/asm/nospec-branch.h | 2 ++
> arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++-------
> 3 files changed, 29 insertions(+), 7 deletions(-)
>
> diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst b/Documentation/admin-guide/hw-vuln/vmscape.rst
> index d9b9a2b6c114c05a7325e5f3c9d42129339b870b..dc63a0bac03d43d1e295de0791dd6497d101f986 100644
> --- a/Documentation/admin-guide/hw-vuln/vmscape.rst
> +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst
> @@ -86,6 +86,10 @@ The possible values in this file are:
> run a potentially malicious guest and issues an IBPB before the first
> exit to userspace after VM-exit.
>
> + * 'Mitigation: Clear BHB before exit to userspace':
> +
> + As above, conditional BHB clearing mitigation is enabled.
> +
> * 'Mitigation: IBPB on VMEXIT':
>
> IBPB is issued on every VM-exit. This occurs when other mitigations like
> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
> index 15a2fa8f2f48a066e102263513eff9537ac1d25f..1e8c26c37dbed4256b35101fb41c0e1eb6ef9272 100644
> --- a/arch/x86/include/asm/nospec-branch.h
> +++ b/arch/x86/include/asm/nospec-branch.h
> @@ -388,6 +388,8 @@ extern void write_ibpb(void);
>
> #ifdef CONFIG_X86_64
> extern void clear_bhb_loop(void);
> +#else
> +static inline void clear_bhb_loop(void) {}
> #endif
>
> extern void (*x86_return_thunk)(void);
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index cbb3341b9a19f835738eda7226323d88b7e41e52..d12c07ccf59479ecf590935607394492c988b2ff 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -109,9 +109,8 @@ DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
> EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current);
>
> /*
> - * Set when the CPU has run a potentially malicious guest. An IBPB will
> - * be needed to before running userspace. That IBPB will flush the branch
> - * predictor content.
> + * Set when the CPU has run a potentially malicious guest. Indicates that a
> + * branch predictor flush is needed before running userspace.
> */
> DEFINE_PER_CPU(bool, x86_predictor_flush_exit_to_user);
> EXPORT_PER_CPU_SYMBOL_GPL(x86_predictor_flush_exit_to_user);
> @@ -3200,13 +3199,15 @@ enum vmscape_mitigations {
> VMSCAPE_MITIGATION_AUTO,
> VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER,
> VMSCAPE_MITIGATION_IBPB_ON_VMEXIT,
> + VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER,
> };
>
> static const char * const vmscape_strings[] = {
> - [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
> + [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
> /* [VMSCAPE_MITIGATION_AUTO] */
> - [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB before exit to userspace",
> - [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT",
> + [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB before exit to userspace",
> + [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT",
> + [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] = "Mitigation: Clear BHB before exit to userspace",
> };
>
> static enum vmscape_mitigations vmscape_mitigation __ro_after_init =
> @@ -3253,8 +3254,19 @@ static void __init vmscape_select_mitigation(void)
> vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
> break;
>
> + case VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER:
> + if (!boot_cpu_has(X86_FEATURE_BHI_CTRL))
> + vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
> + break;
Am I missing something or this case can never execute because
VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER is only ever set if mitigation
is VMSCAPE_MITIGATION_AUTO in the below branch? Perhaps just remove it?
This just shows how confusing the logic for choosing the mitigations has
become....
> case VMSCAPE_MITIGATION_AUTO:
> - if (boot_cpu_has(X86_FEATURE_IBPB))
> + /*
> + * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use BHB
> + * clear sequence. These CPUs are only vulnerable to the BHI variant
> + * of the VMSCAPE attack and does not require an IBPB flush.
> + */
> + if (boot_cpu_has(X86_FEATURE_BHI_CTRL))
> + vmscape_mitigation = VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER;
> + else if (boot_cpu_has(X86_FEATURE_IBPB))
> vmscape_mitigation = VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER;
> else
> vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
<snip>
Powered by blists - more mailing lists