x86/spectre: Favor IBRS on Skylake over retpoline

Couple of rules around this. If the user has choosen:

 spectre_v2=retpoline
 spectre_v2=retpoline,generic

That we will respect their wishes.

If the customer has:

 spectre_v2=auto (by default)
 spectre_v2=force

Then we will figure out if this is a machine with Skylake
affected CPUS. If so, we will pick IBRS over retpoline
if IBRS is available.

And lastly, if the kernel is compiled without retpoline
support we will pick IBRS over minimal retpoline support
(if IBRS is available).

In other words the priority for non-Skylake is:

retpoline
IBRS
minimal asm

On Skylake:

IBRS
retpoline
minimal asm

Orabug: 27477743
CVE: CVE-2017-5715

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Pavel Tatashin <pasha.tatashin@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>

diff --git a/arch/x86/kernel/cpu/bugs_64.c b/arch/x86/kernel/cpu/bugs_64.c
index cf5787768eee8280dae7774e4effedc0b585621b..40fd40bbeb1a98bb6cbc133a1263e4800ae5f3f9 100644 (file)
--- a/arch/x86/kernel/cpu/bugs_64.c
+++ b/arch/x86/kernel/cpu/bugs_64.c
@@ -265,6 +265,20 @@ static void __init disable_ibrs_and_friends(void)
        set_lfence_disabled();
 }
 
+static bool __init retpoline_selected(enum spectre_v2_mitigation_cmd cmd)
+{
+       switch (cmd) {
+       case SPECTRE_V2_CMD_RETPOLINE_AMD:
+       case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
+       case SPECTRE_V2_CMD_RETPOLINE:
+               return true;
+       default:
+               return false;
+               break;
+       }
+       return false;
+}
+
 static void __init spectre_v2_select_mitigation(void)
 {
        enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
@@ -335,12 +349,19 @@ retpoline_auto:
                        retp_compiler() ? "retpoline" : "");
 
                /* IBRS available. Lets see if we are compiled with retpoline. */
-               if (check_ibrs_inuse() && !retp_compiler()) {
-                       mode = SPECTRE_V2_IBRS;
-                       /* OK, some form of IBRS is enabled, lets see if we need to STUFF_RSB */
-                       if (!boot_cpu_has(X86_FEATURE_SMEP))
-                               setup_force_cpu_cap(X86_FEATURE_STUFF_RSB);
-                       goto display;
+               if (check_ibrs_inuse()) {
+                       /*
+                        * If we are on Skylake, use IBRS (if available). But if we
+                        * are forced to use retpoline on Skylake then use that.
+                        */
+                       if (!retp_compiler() /* prefer IBRS over minimal ASM */ ||
+                           (retp_compiler() && !retpoline_selected(cmd) && is_skylake_era())) {
+                               mode = SPECTRE_V2_IBRS;
+                               /* OK, some form of IBRS is enabled, lets see if we need to STUFF_RSB */
+                               if (!boot_cpu_has(X86_FEATURE_SMEP))
+                                       setup_force_cpu_cap(X86_FEATURE_STUFF_RSB);
+                               goto display;
+                       }
                }
                setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
        }