x86/vmscape: Warn when STIBP is disabled with SMT

PlaidCat · PlaidCat · commit 3142cfbc80fe · 2025-11-11T06:01:40.000-05:00
jira LE-4704 cve CVE-2025-40300 Rebuild_History Non-Buildable kernel-4.18.0-553.83.1.el8_10 commit-author Pawan Gupta <pawan.kumar.gupta@linux.intel.com> commit b7cc988 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.83.1.el8_10/b7cc9887.failed Cross-thread attacks are generally harder as they require the victim to be co-located on a core. However, with VMSCAPE the adversary targets belong to the same guest execution, that are more likely to get co-located. In particular, a thread that is currently executing userspace hypervisor (after the IBPB) may still be targeted by a guest execution from a sibling thread. Issue a warning about the potential risk, except when: - SMT is disabled - STIBP is enabled system-wide - Intel eIBRS is enabled (which implies STIBP protection) Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> (cherry picked from commit b7cc988) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # arch/x86/kernel/cpu/bugs.c
diff --git a/ciq/ciq_backports/kernel-4.18.0-553.83.1.el8_10/b7cc9887.failed b/ciq/ciq_backports/kernel-4.18.0-553.83.1.el8_10/b7cc9887.failed
@@ -0,0 +1,151 @@
+x86/vmscape: Warn when STIBP is disabled with SMT
+
+jira LE-4704
+cve CVE-2025-40300
+Rebuild_History Non-Buildable kernel-4.18.0-553.83.1.el8_10
+commit-author Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+commit b7cc9887231526ca4fa89f3fa4119e47c2dc7b1e
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.83.1.el8_10/b7cc9887.failed
+
+Cross-thread attacks are generally harder as they require the victim to be
+co-located on a core. However, with VMSCAPE the adversary targets belong to
+the same guest execution, that are more likely to get co-located. In
+particular, a thread that is currently executing userspace hypervisor
+(after the IBPB) may still be targeted by a guest execution from a sibling
+thread.
+
+Issue a warning about the potential risk, except when:
+
+- SMT is disabled
+- STIBP is enabled system-wide
+- Intel eIBRS is enabled (which implies STIBP protection)
+
+	Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+	Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+(cherry picked from commit b7cc9887231526ca4fa89f3fa4119e47c2dc7b1e)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	arch/x86/kernel/cpu/bugs.c
+diff --cc arch/x86/kernel/cpu/bugs.c
+index a556e8ade674,fa32615db71d..000000000000
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@@ -2707,6 -3320,111 +2707,114 @@@ out
+  #undef pr_fmt
+  #define pr_fmt(fmt) fmt
+  
+++<<<<<<< HEAD
+++=======
++ #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n"
++ #define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n"
++ #define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.\n"
++ #define VMSCAPE_MSG_SMT "VMSCAPE: SMT on, STIBP is required for full protection. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/vmscape.html for more details.\n"
++ 
++ void cpu_bugs_smt_update(void)
++ {
++ 	mutex_lock(&spec_ctrl_mutex);
++ 
++ 	if (sched_smt_active() && unprivileged_ebpf_enabled() &&
++ 	    spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
++ 		pr_warn_once(SPECTRE_V2_EIBRS_LFENCE_EBPF_SMT_MSG);
++ 
++ 	switch (spectre_v2_user_stibp) {
++ 	case SPECTRE_V2_USER_NONE:
++ 		break;
++ 	case SPECTRE_V2_USER_STRICT:
++ 	case SPECTRE_V2_USER_STRICT_PREFERRED:
++ 		update_stibp_strict();
++ 		break;
++ 	case SPECTRE_V2_USER_PRCTL:
++ 	case SPECTRE_V2_USER_SECCOMP:
++ 		update_indir_branch_cond();
++ 		break;
++ 	}
++ 
++ 	switch (mds_mitigation) {
++ 	case MDS_MITIGATION_FULL:
++ 	case MDS_MITIGATION_AUTO:
++ 	case MDS_MITIGATION_VMWERV:
++ 		if (sched_smt_active() && !boot_cpu_has(X86_BUG_MSBDS_ONLY))
++ 			pr_warn_once(MDS_MSG_SMT);
++ 		update_mds_branch_idle();
++ 		break;
++ 	case MDS_MITIGATION_OFF:
++ 		break;
++ 	}
++ 
++ 	switch (taa_mitigation) {
++ 	case TAA_MITIGATION_VERW:
++ 	case TAA_MITIGATION_AUTO:
++ 	case TAA_MITIGATION_UCODE_NEEDED:
++ 		if (sched_smt_active())
++ 			pr_warn_once(TAA_MSG_SMT);
++ 		break;
++ 	case TAA_MITIGATION_TSX_DISABLED:
++ 	case TAA_MITIGATION_OFF:
++ 		break;
++ 	}
++ 
++ 	switch (mmio_mitigation) {
++ 	case MMIO_MITIGATION_VERW:
++ 	case MMIO_MITIGATION_AUTO:
++ 	case MMIO_MITIGATION_UCODE_NEEDED:
++ 		if (sched_smt_active())
++ 			pr_warn_once(MMIO_MSG_SMT);
++ 		break;
++ 	case MMIO_MITIGATION_OFF:
++ 		break;
++ 	}
++ 
++ 	switch (tsa_mitigation) {
++ 	case TSA_MITIGATION_USER_KERNEL:
++ 	case TSA_MITIGATION_VM:
++ 	case TSA_MITIGATION_AUTO:
++ 	case TSA_MITIGATION_FULL:
++ 		/*
++ 		 * TSA-SQ can potentially lead to info leakage between
++ 		 * SMT threads.
++ 		 */
++ 		if (sched_smt_active())
++ 			static_branch_enable(&cpu_buf_idle_clear);
++ 		else
++ 			static_branch_disable(&cpu_buf_idle_clear);
++ 		break;
++ 	case TSA_MITIGATION_NONE:
++ 	case TSA_MITIGATION_UCODE_NEEDED:
++ 		break;
++ 	}
++ 
++ 	switch (vmscape_mitigation) {
++ 	case VMSCAPE_MITIGATION_NONE:
++ 	case VMSCAPE_MITIGATION_AUTO:
++ 		break;
++ 	case VMSCAPE_MITIGATION_IBPB_ON_VMEXIT:
++ 	case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER:
++ 		/*
++ 		 * Hypervisors can be attacked across-threads, warn for SMT when
++ 		 * STIBP is not already enabled system-wide.
++ 		 *
++ 		 * Intel eIBRS (!AUTOIBRS) implies STIBP on.
++ 		 */
++ 		if (!sched_smt_active() ||
++ 		    spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
++ 		    spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ||
++ 		    (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
++ 		     !boot_cpu_has(X86_FEATURE_AUTOIBRS)))
++ 			break;
++ 		pr_warn_once(VMSCAPE_MSG_SMT);
++ 		break;
++ 	}
++ 
++ 	mutex_unlock(&spec_ctrl_mutex);
++ }
++ 
+++>>>>>>> b7cc98872315 (x86/vmscape: Warn when STIBP is disabled with SMT)
+  #ifdef CONFIG_SYSFS
+  
+  #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
+* Unmerged path arch/x86/kernel/cpu/bugs.c
