noibrs [X86]
Don't use indirect branch restricted speculation (IBRS)
feature when running in secure environment,
- to avoid performance overhead. Disabling this will fallback
- on using lfence.
+ to avoid performance overhead.
noibpb [X86]
Don't use indirect branch prediction barrier (IBPB)
feature when running in secure environment,
to avoid performance overhead.
- nolfence [X86]
- Don't use lfence on every system call/interrupt/exception
- if noibrs has been specified. This is used to avoid
- performance overhead.
-
nosmap [X86]
Disable SMAP (Supervisor Mode Access Prevention)
even if it is supported by processor.
#define SPEC_CTRL_IBRS_INUSE (1<<0) /* OS enables IBRS usage */
#define SPEC_CTRL_IBRS_SUPPORTED (1<<1) /* System supports IBRS */
#define SPEC_CTRL_IBRS_ADMIN_DISABLED (1<<2) /* Admin disables IBRS */
-#define SPEC_CTRL_LFENCE_OFF (1<<3) /* No lfence */
+
#ifdef __ASSEMBLY__
.extern use_ibrs
__ASM_ENABLE_IBRS
jmp 20f
7:
- testl $SPEC_CTRL_LFENCE_OFF, use_ibrs
- jnz 20f
lfence
20:
.endm
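Review bot: The `lfence` after label `7:` now executes unconditionally on whichever path reaches that label, and the same holds for labels `11:`, `12:` and `13:` in the three macros that follow, but no comment says why the barrier stays once the `SPEC_CTRL_LFENCE_OFF` test is gone. I would add a comment above each one, for example `/* IBRS not in use: speculation barrier stays on this path, no opt-out */`. The macro bodies begin outside these hunks, so the condition that branches to the labels cannot be confirmed from here. If it is the IBRS-not-in-use case, a `noibrs` boot still pays for the barrier, and the parameter text that now reads only "to avoid performance overhead" should mention it.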
__ASM_ENABLE_IBRS_CLOBBER
jmp 21f
11:
- testl $SPEC_CTRL_LFENCE_OFF, use_ibrs
- jnz 21f
lfence
21:
.endm
jmp 22f
12:
movl $SPEC_CTRL_FEATURE_ENABLE_IBRS, \save_reg
- testl $SPEC_CTRL_LFENCE_OFF, use_ibrs
- jnz 22f
lfence
22:
.endm
wrmsr
jmp 23f
13:
- testl $SPEC_CTRL_LFENCE_OFF, use_ibrs
- jnz 23f
lfence
23:
.endm
sysctl_ibrs_enabled = ibrs_inuse ? 1 : 0;
}
-extern u32 sysctl_lfence_enabled;
-
-#define lfence_inuse (!(use_ibrs & SPEC_CTRL_LFENCE_OFF))
-
-static inline void set_lfence_disabled(void)
-{
- use_ibrs |= SPEC_CTRL_LFENCE_OFF;
-}
-
/* indicate usage of IBPB to control execution speculation */
extern int use_ibpb;
extern u32 sysctl_ibpb_enabled;
[SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
[SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
[SPECTRE_V2_IBRS] = "Mitigation: IBRS",
- [SPECTRE_V2_IBRS_LFENCE] = "Mitigation: lfence",
};
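Review bot: Removing the `[SPECTRE_V2_IBRS_LFENCE]` initializer is only safe if the enumerator itself is deleted in the same commit, and the enum definition is not in the visible hunks. With designated initializers, a surviving enumerator would leave a NULL slot in this table, and any code that prints the current mode through it would pass a NULL string to its formatter. Please confirm the enum is updated, and consider a comment above the table such as `/* keep in sync with the SPECTRE_V2_* enumerators */`. The start of the table is outside this hunk.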
if (check_ibrs_inuse())
spectre_v2_enabled = SPECTRE_V2_IBRS;
else {
- /*
- * If that didn't work (say no microcode or noibrs), we end up using
- * lfence on system calls/exceptions/parameters.
- */
- if (lfence_inuse)
- spectre_v2_enabled = SPECTRE_V2_IBRS_LFENCE;
- else
- spectre_v2_enabled = SPECTRE_V2_NONE;
+ spectre_v2_enabled = SPECTRE_V2_NONE;
}
return true;
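Review bot: When `check_ibrs_inuse()` fails, the mode is now recorded as `SPECTRE_V2_NONE` even though the entry macros changed in this same commit still contain an `lfence`, and nothing here tells the reader that the mismatch is intended. A comment on the assignment would settle it, e.g. `/* the entry-path lfence alone is not counted as a Spectre v2 mitigation */`. The `else` now holds a single statement, so its braces can be dropped as well. The function starts before this hunk, so how the value is consumed cannot be checked from here.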
set_ibpb_disabled();
}
- if (cmdline_find_option_bool(boot_command_line, "nolfence")) {
- set_lfence_disabled();
- }
-
ret = cmdline_find_option(boot_command_line, "spectre_v2", arg,
sizeof(arg));
if (ret > 0) {
/* If it is ON, OK, lets use it.*/
if (check_ibrs_inuse())
mode = SPECTRE_V2_IBRS;
- else {
- /*
- * If that didn't work (say no microcode or noibrs), we end up using
- * lfence on system calls/exceptions/parameters.
- */
- if (lfence_inuse)
- mode = SPECTRE_V2_IBRS_LFENCE;
- }
if (mode == SPECTRE_V2_NONE)
/* Well, fallback on automatic discovery. */
- pr_info("IBRS and lfence could not be enabled.\n");
+ pr_info("IBRS could not be enabled.\n");
else {
/* OK, some form of IBRS is enabled, lets see if we need to STUFF_RSB */
if (!boot_cpu_has(X86_FEATURE_SMEP))
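Review bot: The `if (mode == SPECTRE_V2_NONE)` branch is unbraced and has a comment sitting between the condition and the `pr_info()` call, while its `else` is braced. In mitigation-selection code, a statement added later under that comment would silently fall outside the condition. Since the line is being touched anyway, I would brace both arms: `if (mode == SPECTRE_V2_NONE) {` … `} else {`. The surrounding block opens before this hunk and continues after it.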
/* We need to use IBPB with retpoline if it is available. */
if (disable_ibpb)
set_ibpb_disabled();
- set_lfence_disabled();
}
static bool __init retpoline_selected(enum spectre_v2_mitigation_cmd cmd)