Re: [PATCH 6/6] x86/bugs: Clean-up verw mitigations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 24, 2024 at 03:31:40PM -0700, Daniel Sneddon wrote:
> +static void __init md_clear_select_mitigation(void)
> +{
>  	/*
> -	 * X86_FEATURE_CLEAR_CPU_BUF is now enabled. Update MDS, TAA and MMIO
> -	 * Stale Data mitigation, if necessary.
> +	 * If no CPU bug needs VERW, all VERW mitigations are disabled, or all
> +	 * mitigations are disabled we bail.
>  	 */

It's already clear what the code is doing, no comment necessary.

> -	if (mds_mitigation == MDS_MITIGATION_OFF &&
> -	    boot_cpu_has_bug(X86_BUG_MDS)) {
> +	if (!cpu_bug_needs_verw() || verw_mitigations_disabled() ||
> +	    cpu_mitigations_off()) {
> +		mds_mitigation = MDS_MITIGATION_OFF;
> +		taa_mitigation = TAA_MITIGATION_OFF;
> +		mmio_mitigation = MMIO_MITIGATION_OFF;
> +		rfds_mitigation = RFDS_MITIGATION_OFF;
> +		goto out;
> +	}

In the case of verw_mitigations_disabled() it's weird to write the
variables again if they're already OFF.  That should be a separate
check.

> +
> +	/* Check that at least one mitigation is using the verw mitigaiton.
> +	 * If the cpu doesn't have the correct ucode or if the BUG_* is mitigated
> +	 * by disabling a feature we won't want to use verw. Ignore MMIO
> +	 * for now since it depends on what the others choose.
> +	 */

Again I think this comment isn't needed as the code is pretty
straightforward.  The only surprise is the MMIO dependency on
X86_FEATURE_CLEAR_CPU_BUF, but that's called out below.

> +
> +	if (boot_cpu_has_bug(X86_BUG_MDS)) {
>  		mds_mitigation = MDS_MITIGATION_FULL;
>  		mds_select_mitigation();
> +	}  else {
> +		mds_mitigation = MDS_MITIGATION_OFF;
>  	}
> -	if (taa_mitigation == TAA_MITIGATION_OFF &&
> -	    boot_cpu_has_bug(X86_BUG_TAA)) {
> +	if (boot_cpu_has_bug(X86_BUG_TAA)) {
>  		taa_mitigation = TAA_MITIGATION_VERW;
>  		taa_select_mitigation();
> +	} else {
> +		taa_mitigation = TAA_MITIGATION_OFF;
>  	}
> -	/*
> -	 * MMIO_MITIGATION_OFF is not checked here so that mmio_stale_data_clear
> -	 * gets updated correctly as per X86_FEATURE_CLEAR_CPU_BUF state.
> -	 */
> +	if (boot_cpu_has_bug(X86_BUG_RFDS)) {
> +		rfds_mitigation = RFDS_MITIGATION_VERW;
> +		rfds_select_mitigation();
> +	} else {
> +		rfds_mitigation = RFDS_MITIGATION_OFF;
> +	}

This spaghetti can be simplifed by relying on *_select_mitigation() to
set the mitigation, for example:

static void __init mds_select_mitigation(void)
{
	if (!boot_cpu_has_bug(X86_BUG_MDS))
		mds_mitigation = MDS_MITIGATION_OFF;
	else if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
		mds_mitigation = MDS_MITIGATION_VERW;
	else
		mds_mitigation = MDS_MITIGATION_VMWERV;
}

Then you can just do:

	mds_select_mitigation();
	taa_select_mitigation();
	rfds_select_mitigation();


> +	if (mds_mitigation == MDS_MITIGATION_FULL ||
> +	    taa_mitigation == TAA_MITIGATION_VERW ||
> +	    rfds_mitigation == RFDS_MITIGATION_VERW)

For consistency can we rename MDS_MITIGATION_FULL to
MDS_MITIGATION_VERW?

> +		setup_force_cpu_cap(X86_FEATURE_CLEAR_CPU_BUF);
> +
> +	/* Now handle MMIO since it may not use X86_FEATURE_CLEAR_CPU_BUF */

I would clarify this a bit, something like:

	/*
	 * The MMIO mitigation has a dependency on
	 * X86_FEATURE_CLEAR_CPU_BUF so this must be called after it
	 * gets set.
	 */

>  	if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {
>  		mmio_mitigation = MMIO_MITIGATION_VERW;
>  		mmio_select_mitigation();
> +	} else {
> +		mmio_mitigation = MMIO_MITIGATION_OFF;
>  	}
> -	if (rfds_mitigation == RFDS_MITIGATION_OFF &&
> -	    boot_cpu_has_bug(X86_BUG_RFDS)) {
> -		rfds_mitigation = RFDS_MITIGATION_VERW;
> -		rfds_select_mitigation();
> -	}
> +
> +	/* handle nosmt */

Again I think this comment is superfluous.

> +	if (!boot_cpu_has(X86_BUG_MSBDS_ONLY) &&
> +	    (mds_nosmt || cpu_mitigations_auto_nosmt()))
> +		cpu_smt_disable(false);
> +
> +	if (taa_nosmt || mmio_nosmt || cpu_mitigations_auto_nosmt())
> +		cpu_smt_disable(false);
> +

-- 
Josh




[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux