On Fri, Nov 11, 2022 at 4:46 PM Kim Phillips <kim.phillips@xxxxxxx> wrote:
>
> On 11/11/22 6:40 AM, Thadeu Lima de Souza Cascardo wrote:
> > On Fri, Nov 11, 2022 at 01:09:37PM +0100, Borislav Petkov wrote:
> >> On Mon, Nov 07, 2022 at 04:39:02PM -0600, Kim Phillips wrote:
> >>> I've started a version that has AUTOIBRS reuse SPECTRE_V2_EIBRS
> >>> spectre_v2_mitigation enum, but, so far, its change to bugs.c
> >>> looks bigger: 58 lines changed vs. 34 (see below).
> >>
> >> It can be smaller. You simply do:
> >>
> >>     if (cpu_has(c, X86_FEATURE_AUTOIBRS))
> >>         setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
> >>
> >> and the rest should just work - see below.
> >>
> >> And yes, as Peter says, when the user requests something, the user
> >> should get it. No matter whether it makes sense or not.
>
> OK & thanks.
>
> >> @@ -1474,11 +1477,19 @@ static void __init spectre_v2_select_mitigation(void) > >> break; > >> > >> case SPECTRE_V2_CMD_EIBRS_LFENCE: > >> - mode = SPECTRE_V2_EIBRS_LFENCE; > >> + if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) { > >> + pr_err(SPECTRE_V2_EIBRS_AMD_MSG); > >> + mode = SPECTRE_V2_EIBRS; > >> + } else > >> + mode = SPECTRE_V2_EIBRS_LFENCE; > >> break; > >> > >> case SPECTRE_V2_CMD_EIBRS_RETPOLINE: > >> - mode = SPECTRE_V2_EIBRS_RETPOLINE; > >> + if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) { > >> + pr_err(SPECTRE_V2_EIBRS_AMD_MSG); > >> + mode = SPECTRE_V2_EIBRS; > >> + } else > >> + mode = SPECTRE_V2_EIBRS_RETPOLINE; > >> break; > >> } > >>
> >
> > I am confused here. Isn't the agreement that the user should get what they
> > asked for? That is, instead of warning and changing the mode to
> > SPECTRE_V2_EIBRS, the kernel should still use lfence or retpoline as requested?
> >
> > The point of those options was to protect against Branch History Injection
> > attacks and Intra-Mode Branch Target Injection attacks. The first one might not
> > affect the CPUs that support AUTOIBRS, though we haven't heard that.
> >
> > The second one (IMBTI) is very likely still possible with AUTOIBRS and
> > retpolines should still protect against those attacks. So users who want to be
> > paranoid should still be able to opt for "eibrs,retpoline" and have retpolines
> > enabled.
>
> I've removed the above and have the complete diff below. It includes patch 1/3 and
> drops 3/3 for now due to Jim Mattson's comments. After some more testing, I'll
> resubmit.

I bought the argument that AutoIBRS => Same Mode IBRS, so L2 should not be able to steer L1's indirect branches, even if they share a predictor mode.
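
Review bot: in the SPECTRE_V2_CMD_EIBRS_LFENCE and SPECTRE_V2_CMD_EIBRS_RETPOLINE cases of the quoted spectre_v2_select_mitigation() hunk, an explicit user request is silently downgraded: when boot_cpu_has(X86_FEATURE_AUTOIBRS) is true, mode becomes SPECTRE_V2_EIBRS and the requested lfence or retpoline protection is dropped, with only a pr_err() to show for it. That conflicts with the rule stated earlier in the thread that the user gets what they request, so I would keep "mode = SPECTRE_V2_EIBRS_LFENCE;" and "mode = SPECTRE_V2_EIBRS_RETPOLINE;" unconditional. If the override were kept anyway, kernel coding style wants braces on the else arm too, since the if arm is braced, and the two case bodies repeat the same check and message verbatim.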