Re: [PATCH] x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel

[David Woodhouse]

On Tue, 2018-01-30 at 11:58 +0100, Borislav Petkov wrote:
> 
> Does that help?
> 
> diff --git a/arch/x86/kernel/cpu/intel.c
> b/arch/x86/kernel/cpu/intel.c
> index 6936d14d4c77..1dd596d0a6c4 100644
> --- a/arch/x86/kernel/cpu/intel.c
> +++ b/arch/x86/kernel/cpu/intel.c
> @@ -182,21 +182,21 @@ static void early_init_intel(struct cpuinfo_x86
> *c)
> ÂÂÂÂÂÂÂÂ * Intel CPUs, for finer-grained selection of what's
> available.
> ÂÂÂÂÂÂÂÂ */
> ÂÂÂÂÂÂÂÂif (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
> -ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂset_cpu_cap(c, X86_FEATURE_IBRS);
> -ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂset_cpu_cap(c, X86_FEATURE_IBPB);
> +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂsetup_force_cpu_cap(X86_FEATURE_IBRS);
> +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂsetup_force_cpu_cap(X86_FEATURE_IBPB);
> ÂÂÂÂÂÂÂÂ}
> ÂÂÂÂÂÂÂÂif (cpu_has(c, X86_FEATURE_INTEL_STIBP))
> -ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂset_cpu_cap(c, X86_FEATURE_STIBP);
> +ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂsetup_force_cpu_cap(X86_FEATURE_STIBP);

I pondered that, but I didn't like it. I didn't want to always *force*
those features on, for all CPUs, just because they happened to be
discovered at boot time on the first CPU (which *did* have its
microcode updated by the crappy BIOS, while the others didn't).

I strongly suspect that's purely an academic concern, and we mostly
check boot_cpu_has() and never even *notice* if secondary CPUs don't
match. I just didn't want to make that *worse*. It tickled my OCD.

Attachment: smime.p7s
Description: S/MIME cryptographic signature