git.itanic.dy.fi Git - linux-stable/commit

x86/bhi: Mitigate KVM by default

commit 95a6ccbdc7199a14b71ad8901cb788ba7fb5167b upstream.

BHI mitigation mode spectre_bhi=auto does not deploy the software
mitigation by default. In a cloud environment, it is a likely scenario
where userspace is trusted but the guests are not trusted. Deploying
system wide mitigation in such cases is not desirable.

Update the auto mode to unconditionally mitigate against malicious
guests. Deploy the software sequence at VMexit in auto mode also, when
hardware mitigation is not available. Unlike the force =on mode,
software sequence is not deployed at syscalls in auto mode.

Suggested-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
	Mon, 11 Mar 2024 15:57:09 +0000 (08:57 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 10 Apr 2024 14:38:24 +0000 (16:38 +0200)
commit	2bf604dc494f9f747eee62e7d46b2c179aa243dc
tree	246a1702ee6d4e9f6df002205cc0187ecb00cad4	tree \| snapshot
parent	a39bfa52671beb750fa2e1c7400469cde9c8ff9f	commit \| diff

Documentation/admin-guide/hw-vuln/spectre.rst		diff \| blob \| history
Documentation/admin-guide/kernel-parameters.txt		diff \| blob \| history
arch/x86/include/asm/cpufeatures.h		diff \| blob \| history
arch/x86/include/asm/nospec-branch.h		diff \| blob \| history
arch/x86/kernel/cpu/bugs.c		diff \| blob \| history
arch/x86/kvm/vmx/vmenter.S		diff \| blob \| history