| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251121184148.hi6ye2trohwjm3oe@desk>
Date: Fri, 21 Nov 2025 10:41:48 -0800
From: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
To: Nikolay Borisov <nik.borisov@...e.com>
Cc: x86@...nel.org, David Kaplan <david.kaplan@....com>,
"H. Peter Anvin" <hpa@...or.com>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Sean Christopherson <seanjc@...gle.com>,
Paolo Bonzini <pbonzini@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
Asit Mallick <asit.k.mallick@...el.com>,
Tao Zhang <tao1.zhang@...el.com>
Subject: Re: [PATCH v4 09/11] x86/vmscape: Deploy BHB clearing mitigation
On Fri, Nov 21, 2025 at 04:23:56PM +0200, Nikolay Borisov wrote:
>
>
> On 11/20/25 08:19, Pawan Gupta wrote:
> > IBPB mitigation for VMSCAPE is an overkill on CPUs that are only affected
> > by the BHI variant of VMSCAPE. On such CPUs, eIBRS already provides
> > indirect branch isolation between guest and host userspace. However, branch
> > history from guest may also influence the indirect branches in host
> > userspace.
> >
> > To mitigate the BHI aspect, use clear_bhb_loop().
> >
> > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> > ---
> > Documentation/admin-guide/hw-vuln/vmscape.rst | 4 ++++
> > arch/x86/include/asm/nospec-branch.h | 2 ++
> > arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++-------
> > 3 files changed, 29 insertions(+), 7 deletions(-)
> >
> > diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst b/Documentation/admin-guide/hw-vuln/vmscape.rst
> > index d9b9a2b6c114c05a7325e5f3c9d42129339b870b..dc63a0bac03d43d1e295de0791dd6497d101f986 100644
> > --- a/Documentation/admin-guide/hw-vuln/vmscape.rst
> > +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst
> > @@ -86,6 +86,10 @@ The possible values in this file are:
> > run a potentially malicious guest and issues an IBPB before the first
> > exit to userspace after VM-exit.
> > + * 'Mitigation: Clear BHB before exit to userspace':
> > +
> > + As above, conditional BHB clearing mitigation is enabled.
> > +
> > * 'Mitigation: IBPB on VMEXIT':
> > IBPB is issued on every VM-exit. This occurs when other mitigations like
> > diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
> > index 15a2fa8f2f48a066e102263513eff9537ac1d25f..1e8c26c37dbed4256b35101fb41c0e1eb6ef9272 100644
> > --- a/arch/x86/include/asm/nospec-branch.h
> > +++ b/arch/x86/include/asm/nospec-branch.h
> > @@ -388,6 +388,8 @@ extern void write_ibpb(void);
> > #ifdef CONFIG_X86_64
> > extern void clear_bhb_loop(void);
> > +#else
> > +static inline void clear_bhb_loop(void) {}
> > #endif
> > extern void (*x86_return_thunk)(void);
> > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> > index cbb3341b9a19f835738eda7226323d88b7e41e52..d12c07ccf59479ecf590935607394492c988b2ff 100644
> > --- a/arch/x86/kernel/cpu/bugs.c
> > +++ b/arch/x86/kernel/cpu/bugs.c
> > @@ -109,9 +109,8 @@ DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
> > EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current);
> > /*
> > - * Set when the CPU has run a potentially malicious guest. An IBPB will
> > - * be needed to before running userspace. That IBPB will flush the branch
> > - * predictor content.
> > + * Set when the CPU has run a potentially malicious guest. Indicates that a
> > + * branch predictor flush is needed before running userspace.
> > */
> > DEFINE_PER_CPU(bool, x86_predictor_flush_exit_to_user);
> > EXPORT_PER_CPU_SYMBOL_GPL(x86_predictor_flush_exit_to_user);
> > @@ -3200,13 +3199,15 @@ enum vmscape_mitigations {
> > VMSCAPE_MITIGATION_AUTO,
> > VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER,
> > VMSCAPE_MITIGATION_IBPB_ON_VMEXIT,
> > + VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER,
> > };
> > static const char * const vmscape_strings[] = {
> > - [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
> > + [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
> > /* [VMSCAPE_MITIGATION_AUTO] */
> > - [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB before exit to userspace",
> > - [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT",
> > + [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB before exit to userspace",
> > + [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT",
> > + [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] = "Mitigation: Clear BHB before exit to userspace",
> > };
> > static enum vmscape_mitigations vmscape_mitigation __ro_after_init =
> > @@ -3253,8 +3254,19 @@ static void __init vmscape_select_mitigation(void)
> > vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
> > break;
> > + case VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER:
> > + if (!boot_cpu_has(X86_FEATURE_BHI_CTRL))
> > + vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
> > + break;
>
> Am I missing something or this case can never execute because
> VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER is only ever set if mitigation is
> VMSCAPE_MITIGATION_AUTO in the below branch? Perhaps just remove it? This
> just shows how confusing the logic for choosing the mitigations has
> become....
The goal was not make any assumptions on what vmscape_parse_cmdline() can
and cannot set. If you feel strongly about it, I can remove this case.
> > case VMSCAPE_MITIGATION_AUTO:
> > - if (boot_cpu_has(X86_FEATURE_IBPB))
> > + /*
> > + * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use BHB
> > + * clear sequence. These CPUs are only vulnerable to the BHI variant
> > + * of the VMSCAPE attack and does not require an IBPB flush.
> > + */
> > + if (boot_cpu_has(X86_FEATURE_BHI_CTRL))
> > + vmscape_mitigation = VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER;
> > + else if (boot_cpu_has(X86_FEATURE_IBPB))
> > vmscape_mitigation = VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER;
> > else
> > vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
>
>
> <snip>
>
Powered by blists - more mailing lists