| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7d136f5b-437d-48ce-852d-cc793df4de15@suse.com>
Date: Fri, 21 Nov 2025 20:53:38 +0200
From: Nikolay Borisov <nik.borisov@...e.com>
To: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
Cc: x86@...nel.org, David Kaplan <david.kaplan@....com>,
"H. Peter Anvin" <hpa@...or.com>, Josh Poimboeuf <jpoimboe@...nel.org>,
Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini
<pbonzini@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org, Asit Mallick <asit.k.mallick@...el.com>,
Tao Zhang <tao1.zhang@...el.com>
Subject: Re: [PATCH v4 09/11] x86/vmscape: Deploy BHB clearing mitigation
On 11/21/25 20:41, Pawan Gupta wrote:
> On Fri, Nov 21, 2025 at 04:23:56PM +0200, Nikolay Borisov wrote:
>>
>>
>> On 11/20/25 08:19, Pawan Gupta wrote:
>>> IBPB mitigation for VMSCAPE is an overkill on CPUs that are only affected
>>> by the BHI variant of VMSCAPE. On such CPUs, eIBRS already provides
>>> indirect branch isolation between guest and host userspace. However, branch
>>> history from guest may also influence the indirect branches in host
>>> userspace.
>>>
>>> To mitigate the BHI aspect, use clear_bhb_loop().
>>>
>>> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
>>> ---
>>> Documentation/admin-guide/hw-vuln/vmscape.rst | 4 ++++
>>> arch/x86/include/asm/nospec-branch.h | 2 ++
>>> arch/x86/kernel/cpu/bugs.c | 30 ++++++++++++++++++++-------
>>> 3 files changed, 29 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/Documentation/admin-guide/hw-vuln/vmscape.rst b/Documentation/admin-guide/hw-vuln/vmscape.rst
>>> index d9b9a2b6c114c05a7325e5f3c9d42129339b870b..dc63a0bac03d43d1e295de0791dd6497d101f986 100644
>>> --- a/Documentation/admin-guide/hw-vuln/vmscape.rst
>>> +++ b/Documentation/admin-guide/hw-vuln/vmscape.rst
>>> @@ -86,6 +86,10 @@ The possible values in this file are:
>>> run a potentially malicious guest and issues an IBPB before the first
>>> exit to userspace after VM-exit.
>>> + * 'Mitigation: Clear BHB before exit to userspace':
>>> +
>>> + As above, conditional BHB clearing mitigation is enabled.
>>> +
>>> * 'Mitigation: IBPB on VMEXIT':
>>> IBPB is issued on every VM-exit. This occurs when other mitigations like
>>> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
>>> index 15a2fa8f2f48a066e102263513eff9537ac1d25f..1e8c26c37dbed4256b35101fb41c0e1eb6ef9272 100644
>>> --- a/arch/x86/include/asm/nospec-branch.h
>>> +++ b/arch/x86/include/asm/nospec-branch.h
>>> @@ -388,6 +388,8 @@ extern void write_ibpb(void);
>>> #ifdef CONFIG_X86_64
>>> extern void clear_bhb_loop(void);
>>> +#else
>>> +static inline void clear_bhb_loop(void) {}
>>> #endif
>>> extern void (*x86_return_thunk)(void);
>>> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
>>> index cbb3341b9a19f835738eda7226323d88b7e41e52..d12c07ccf59479ecf590935607394492c988b2ff 100644
>>> --- a/arch/x86/kernel/cpu/bugs.c
>>> +++ b/arch/x86/kernel/cpu/bugs.c
>>> @@ -109,9 +109,8 @@ DEFINE_PER_CPU(u64, x86_spec_ctrl_current);
>>> EXPORT_PER_CPU_SYMBOL_GPL(x86_spec_ctrl_current);
>>> /*
>>> - * Set when the CPU has run a potentially malicious guest. An IBPB will
>>> - * be needed to before running userspace. That IBPB will flush the branch
>>> - * predictor content.
>>> + * Set when the CPU has run a potentially malicious guest. Indicates that a
>>> + * branch predictor flush is needed before running userspace.
>>> */
>>> DEFINE_PER_CPU(bool, x86_predictor_flush_exit_to_user);
>>> EXPORT_PER_CPU_SYMBOL_GPL(x86_predictor_flush_exit_to_user);
>>> @@ -3200,13 +3199,15 @@ enum vmscape_mitigations {
>>> VMSCAPE_MITIGATION_AUTO,
>>> VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER,
>>> VMSCAPE_MITIGATION_IBPB_ON_VMEXIT,
>>> + VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER,
>>> };
>>> static const char * const vmscape_strings[] = {
>>> - [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
>>> + [VMSCAPE_MITIGATION_NONE] = "Vulnerable",
>>> /* [VMSCAPE_MITIGATION_AUTO] */
>>> - [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB before exit to userspace",
>>> - [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT",
>>> + [VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER] = "Mitigation: IBPB before exit to userspace",
>>> + [VMSCAPE_MITIGATION_IBPB_ON_VMEXIT] = "Mitigation: IBPB on VMEXIT",
>>> + [VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER] = "Mitigation: Clear BHB before exit to userspace",
>>> };
>>> static enum vmscape_mitigations vmscape_mitigation __ro_after_init =
>>> @@ -3253,8 +3254,19 @@ static void __init vmscape_select_mitigation(void)
>>> vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
>>> break;
>>> + case VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER:
>>> + if (!boot_cpu_has(X86_FEATURE_BHI_CTRL))
>>> + vmscape_mitigation = VMSCAPE_MITIGATION_NONE;
>>> + break;
>>
>> Am I missing something or this case can never execute because
>> VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER is only ever set if mitigation is
>> VMSCAPE_MITIGATION_AUTO in the below branch? Perhaps just remove it? This
>> just shows how confusing the logic for choosing the mitigations has
>> become....
>
> The goal was not make any assumptions on what vmscape_parse_cmdline() can
> and cannot set. If you feel strongly about it, I can remove this case.
From where I'm standing bugs.c is already rather hairy even after
multiple rounds of cleanups and brushups, if we can remove code - I'll
be up for it. At the very least in the commit message you can
explicitly mention that you handle every case on-principle, and you
expect that some of it is dead code. Still, I think the best code is the
one which doesn't exist and you won't have to worry about it.
<snip>
Powered by blists - more mailing lists