There are currently 4 mitigations that use VERW to flush different cpu buffers. This can cause confusion when trying to disable all the different VERW mitigations. Simplify enabling/disabling these mitigations by creating a single parameter for controlling them. Future work will focus on combining similar code used in selecting these mitigations to further simplify. Signed-off-by: Daniel Sneddon <daniel.sneddon@xxxxxxxxxxxxxxx> --- .../admin-guide/kernel-parameters.txt | 16 +++++++++ arch/x86/kernel/cpu/bugs.c | 34 +++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 09126bb8cc9f..66b567c4dce5 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -628,6 +628,21 @@ cio_ignore= [S390] See Documentation/arch/s390/common_io.rst for details. + clear_cpu_buffers= + [X86] + Controls the mitigations that use + X86_FEATURE_CLEAR_CPU_BUF, namely + Micro-architectrual Data Sampling (MDS) + MMIO Stale Data + TSX Async Abort (TAA) + Register File Data Sampling (RFDS) + + The options are: + on - Enable cpu buffer clearing + on,nosmt - Enable cpu buffer clearing and disable + SMT + off - Disables cpu buffer clearing + clearcpuid=X[,X...] [X86] Disable CPUID feature X for the kernel. See arch/x86/include/asm/cpufeatures.h for the valid bit @@ -3461,6 +3476,7 @@ improves system performance, but it may also expose users to several CPU vulnerabilities. Equivalent to: if nokaslr then kpti=0 [ARM64] + clear_cpu_buffers=off [X86] gather_data_sampling=off [X86] kvm.nx_huge_pages=off [X86] l1tf=off [X86] diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 45675da354f3..b3c9e1eede12 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c 
@@ -531,6 +531,40 @@ early_param("reg_file_data_sampling", rfds_parse_cmdline);
 #undef pr_fmt
 #define pr_fmt(fmt) "" fmt
 
+static int __init clear_cpu_buffers_cmdline(char *str)
+{
+ if (!str)
+ return -EINVAL;
+
+ if (!boot_cpu_has_bug(X86_BUG_MDS) &&
+ !boot_cpu_has_bug(X86_BUG_TAA) &&
+ !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) &&
+ !boot_cpu_has_bug(X86_BUG_RFDS))
+ return 0;
+
+ if (!strcmp(str, "off")) {
+ mds_mitigation = MDS_MITIGATION_OFF;
+ taa_mitigation = TAA_MITIGATION_OFF;
+ mmio_mitigation = MMIO_MITIGATION_OFF;
+ rfds_mitigation = RFDS_MITIGATION_OFF;
+ } else if (!strcmp(str, "on")) {
+ mds_mitigation = MDS_MITIGATION_FULL;
+ taa_mitigation = TAA_MITIGATION_VERW;
+ mmio_mitigation = MMIO_MITIGATION_VERW;
+ rfds_mitigation = RFDS_MITIGATION_VERW;
+ } else if (!strcmp(str, "on,nosmt")) {
+ mds_mitigation = MDS_MITIGATION_FULL;
+ taa_mitigation = TAA_MITIGATION_VERW;
+ mmio_mitigation = MMIO_MITIGATION_VERW;
+ rfds_mitigation = RFDS_MITIGATION_VERW;
+ mds_nosmt = true;
+ taa_nosmt = true;
+ mmio_nosmt = true;
+ }
+ return 0;
+}
+early_param("clear_cpu_buffers", clear_cpu_buffers_cmdline);
+
 static void __init md_clear_update_mitigation(void)
 {
 if (cpu_mitigations_off())
-- 2.25.1
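Review bot: An unrecognised value falls through the `if`/`else if` chain in `clear_cpu_buffers_cmdline()` and the function returns 0 without changing any state or logging anything, so a mistyped `clear_cpu_buffers=` value leaves all four mitigations at whatever they were before, with no hint to the administrator. A final branch such as `else pr_err("Ignoring unknown clear_cpu_buffers option (%s).\n", str);` would make the mistake visible in the boot log. The early `return 0` for unaffected CPUs sits before the string comparison, so a bad value is not reported there either. Separately, `on` does not reset `mds_nosmt`/`taa_nosmt`/`mmio_nosmt` and `off` leaves them set, so the result presumably depends on where this parameter sits relative to the per-vulnerability ones on the command line. A short comment above the function, and a sentence in the kernel-parameters.txt entry, stating which setting takes precedence would help.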