Re: [PATCH RFC v9 08/51] x86/speculation: Do not enable Automatic IBRS if SEV SNP is enabled

From: Kim Phillips
Date: Tue Jul 18 2023 - 18:34:52 EST

Next message: David Ahern: "Re: [RFC PATCH 00/10] Device Memory TCP"
Previous message: Rob Herring: "Re: [PATCH v7 5/7] dt-bindings: phy: Add Freescale iMX8MQ DP and HDMI PHY"
Next in thread: Dave Hansen: "Re: [PATCH RFC v9 08/51] x86/speculation: Do not enable Automatic IBRS if SEV SNP is enabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/12/23 10:39 AM, Dave Hansen wrote:

On 6/11/23 21:25, Michael Roth wrote:

A hardware limitation prevents the host from enabling Automatic IBRS
when SNP is enabled. Instead, fall back to retpolines.

"Hardware limitation"? As in, it is a documented, architectural
restriction? Or, it's a CPU bug?

It's a documented, architectural restriction: When Secure Nested Paging
(SEV-SNP) is enabled, processes running as host are protected, but
those running with a non-zero ASID, are not.

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index f9d060e71c3e..3fba3623ff64 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1507,7 +1507,12 @@ static void __init spectre_v2_select_mitigation(void)
if (spectre_v2_in_ibrs_mode(mode)) {
if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
- msr_set_bit(MSR_EFER, _EFER_AUTOIBRS);
+ if (!cpu_feature_enabled(X86_FEATURE_SEV_SNP)) {
+ msr_set_bit(MSR_EFER, _EFER_AUTOIBRS);
+ } else {
+ pr_err("SNP feature available, not enabling AutoIBRS on the host.\n");
+ mode = spectre_v2_select_retpoline();
+ }

I think this would be nicer if you did something like:

if (cpu_feature_enabled(X86_FEATURE_SEV_SNP))
setup_clear_cpu_cap(X86_FEATURE_AUTOIBRS);

somewhere _else_ in the code instead of smack-dab in the middle of the
mitigation selection.

Good idea. How about this?:

From 6cf32e8d8426190b1bf1b1e04ceb35bf0bac784b Mon Sep 17 00:00:00 2001
From: Kim Phillips <kim.phillips@xxxxxxx>
Date: Mon, 17 Jul 2023 14:08:15 -0500
Subject: [PATCH] x86/speculation: Do not enable Automatic IBRS if SEV SNP is
enabled

Automatic IBRS provides protection to [1]:

- Processes running at CPL=0
- Processes running as host when Secure Nested Paging (SEV-SNP) is enabled

i.e.,

(CPL < 3) || ((ASID == 0) && SNP)

Because of this limitation, do not enable Automatic IBRS when SNP is enabled.
Instead, fall back to retpolines.

Note that the AutoIBRS feature may continue to be used within the guest.

[1] "AMD64 Architecture Programmer's Manual Volume 2: System Programming",
Pub. 24593, rev. 3.41, June 2023, Part 1, Section 3.1.7 "Extended Feature
Enable Register (EFER)", Automatic IBRS Enable (AIBRSE) Bit.

Link: https://bugzilla.kernel.org/attachment.cgi?id=304652
Signed-off-by: Kim Phillips <kim.phillips@xxxxxxx>
---
arch/x86/kernel/cpu/common.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 8cd4126d8253..311c0a6422b5 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1348,7 +1348,8 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
* AMD's AutoIBRS is equivalent to Intel's eIBRS - use the Intel feature
* flag and protect from vendor-specific bugs via the whitelist.
*/
- if ((ia32_cap & ARCH_CAP_IBRS_ALL) || cpu_has(c, X86_FEATURE_AUTOIBRS)) {
+ if ((ia32_cap & ARCH_CAP_IBRS_ALL) || (cpu_has(c, X86_FEATURE_AUTOIBRS) &&
+ !cpu_feature_enabled(X86_FEATURE_SEV_SNP))) {
setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
if (!cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) &&
!(ia32_cap & ARCH_CAP_PBRSB_NO))
--
2.34.1

Next message: David Ahern: "Re: [RFC PATCH 00/10] Device Memory TCP"
Previous message: Rob Herring: "Re: [PATCH v7 5/7] dt-bindings: phy: Add Freescale iMX8MQ DP and HDMI PHY"
Next in thread: Dave Hansen: "Re: [PATCH RFC v9 08/51] x86/speculation: Do not enable Automatic IBRS if SEV SNP is enabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]