[RFC PATCH] x86/bugs: Remove 'force' options for retbleed/ITS

From: David Kaplan
Date: Thu Jun 26 2025 - 10:27:30 EST

Next message: Dave Hansen: "Re: [PATCHv7 03/16] x86/alternatives: Disable LASS when patching kernel alternatives"
Previous message: Vincent Guittot: "Re: [PATCH RFC] sched/fair: bump sd->max_newidle_lb_cost when newidle balance fails"
Next in thread: Peter Zijlstra: "Re: [RFC PATCH] x86/bugs: Remove 'force' options for retbleed/ITS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Command line options which force-enable a mitigation on an unaffected
processor provide arguably no security value but do create the potential
for problems due to the increased set of mitigation interactions.

For example, setting "indirect_target_selection=force" on an AMD
Retbleed-affected CPU (e.g., Zen2) results in a configuration where the
kernel reports that both ITS and Retbleed are mitigated, but Retbleed is
not in fact mitigated. In this configuration, untraining of the retbleed
return thunk is enabled but the its_return_thunk is active, rendering the
untraining ineffective.

It is wrong for the kernel to report that a bug is mitigated when it is
not. While this specific interaction could be directly fixed, the ability
to force-enable these bugs creates unneeded complexity, so remove it.

If removing these options entirely is unacceptable, perhaps for
compatibility reasons, another option could be to only allow forcing on the
affected vendor (i.e., only allow forcing ITS on Intel CPUs), which would
at least limit the potential interactions that need to be analyzed.
Tagging as RFC to prompt discussion on this point.

Signed-off-by: David Kaplan <david.kaplan@xxxxxxx>
---
arch/x86/kernel/cpu/bugs.c | 5 -----
1 file changed, 5 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index e2a8a21efb10..edc913d26381 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1210,8 +1210,6 @@ static int __init retbleed_parse_cmdline(char *str)
retbleed_mitigation = RETBLEED_MITIGATION_STUFF;
} else if (!strcmp(str, "nosmt")) {
retbleed_nosmt = true;
- } else if (!strcmp(str, "force")) {
- setup_force_cpu_bug(X86_BUG_RETBLEED);
} else {
pr_err("Ignoring unknown retbleed option (%s).", str);
}
@@ -1411,9 +1409,6 @@ static int __init its_parse_cmdline(char *str)
its_mitigation = ITS_MITIGATION_OFF;
} else if (!strcmp(str, "on")) {
its_mitigation = ITS_MITIGATION_ALIGNED_THUNKS;
- } else if (!strcmp(str, "force")) {
- its_mitigation = ITS_MITIGATION_ALIGNED_THUNKS;
- setup_force_cpu_bug(X86_BUG_ITS);
} else if (!strcmp(str, "vmexit")) {
its_mitigation = ITS_MITIGATION_VMEXIT_ONLY;
} else if (!strcmp(str, "stuff")) {

base-commit: e51a38e71974982abb3f2f16141763a1511f7a3f
--
2.34.1

Next message: Dave Hansen: "Re: [PATCHv7 03/16] x86/alternatives: Disable LASS when patching kernel alternatives"
Previous message: Vincent Guittot: "Re: [PATCH RFC] sched/fair: bump sd->max_newidle_lb_cost when newidle balance fails"
Next in thread: Peter Zijlstra: "Re: [RFC PATCH] x86/bugs: Remove 'force' options for retbleed/ITS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]