Re: [PATCH] x86/bugs: wrap X86_FEATURE_RSB_CTXSW with ifdef CONFIG_RETPOLINE

From: Dave Hansen
Date: Fri May 07 2021 - 12:02:17 EST


On 5/7/21 8:53 AM, Jon Kohler wrote:
> The only place X86_FEATURE_RSB_CTXSW is currently in use is in
> arch/x86/entry/entry_{32|64}.S, where its use is wrapped with
> ifdef CONFIG_RETPOLINE. If someone uses a system with
> X86_FEATURE_IBRS_ENHANCED and compiles without CONFIG_RETPOLINE
> but still has spectre v2 set to auto, the kernel log will
> print that eIBRS is enabled and that RSB stuffing is enabled;
> however, that stuffing would never occur.
>
> To make this behavior more clear, wrap the enablement of
> X86_FEATURE_RSB_CTXSW and the resulting log message with ifdef
> CONFIG_RETPOLINE, such that it is compiled out along with the
> actions it controls.
>
> This way seems more correct at first glance as this was the way
> the code was originally written in fdf82a7856b; however, when
> enhanced IBRS was added, there was a goto added under
> SPECTRE_V2_CMD_AUTO which bypasses going through retpoline_auto,
> where X86_FEATURE_RETPOLINE is set.
>
> The other option would be to remove the CONFIG_RETPOLINE from
> the code in entry_{32|64}.S, such that it would always be
> compiled no matter what, such that these two areas match.

This kinda dances around the real issue: Does RSB stuffing have
mitigation value on enhanced IBRS systems?

If yes, then we should make the RSB stuffing code in entry*.S available
separately from CONFIG_RETPOLINE.

If no, is it because eIBRS systems are not vulnerable, or because RSB
stuffing has no mitigation value?

Either way, I'm not sure the approach in this patch is the one we want.
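The mismatch Jon describes is visible from userspace without reading the entry code: the spectre_v2 sysfs line advertises RSB filling while the kernel config shows CONFIG_RETPOLINE unset. The script below is an added example for checking a host for that state; it is not part of this thread or of the kernel tree. It assumes the ", RSB filling" suffix that arch/x86/kernel/cpu/bugs.c appends to the mitigation string when X86_FEATURE_RSB_CTXSW is set, and that the build config is readable from /boot/config-$(uname -r) or /proc/config.gz; the sample strings are constructed to mirror the scenario in the patch description.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel tree): detect a kernel that
# reports "RSB filling" for spectre_v2 while CONFIG_RETPOLINE is not set, so
# the stuffing code in entry_{32|64}.S was compiled out.
#
# Assumptions not stated on the page: bugs.c emits the ", RSB filling" suffix
# for X86_FEATURE_RSB_CTXSW, and the build config is available at
# /boot/config-$(uname -r) or /proc/config.gz.

# rsb_claimed MITIGATION_STRING -> 0 when the string advertises RSB filling.
rsb_claimed() {
    case "$1" in
        *"RSB filling"*) return 0 ;;
        *) return 1 ;;
    esac
}

# retpoline_built CONFIG_TEXT -> 0 when CONFIG_RETPOLINE=y is present.
retpoline_built() {
    printf '%s\n' "$1" | grep -q '^CONFIG_RETPOLINE=y$'
}

# check_rsb_consistency MITIGATION_STRING CONFIG_TEXT
# Prints a verdict; returns 0 when the report matches the build, 1 when the
# log claims RSB stuffing that cannot have been compiled in.
check_rsb_consistency() {
    mitigation=$1
    config=$2
    if rsb_claimed "$mitigation" && ! retpoline_built "$config"; then
        echo "INCONSISTENT: '$mitigation' claims RSB filling but CONFIG_RETPOLINE is not set"
        return 1
    fi
    echo "consistent: $mitigation"
    return 0
}

# Live readers for a real host; both print nothing if the files are absent.
live_mitigation() {
    cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null
}

live_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    fi
}

# Constructed sample inputs mirroring the patch description: eIBRS host,
# RSB filling reported, once with and once without CONFIG_RETPOLINE.
SAMPLE_MITIGATION='Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling'
SAMPLE_CONFIG_NO_RETPOLINE='CONFIG_PAGE_TABLE_ISOLATION=y
# CONFIG_RETPOLINE is not set'
SAMPLE_CONFIG_RETPOLINE='CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y'

# Demonstrate on the constructed samples; the second call is the mismatch.
check_rsb_consistency "$SAMPLE_MITIGATION" "$SAMPLE_CONFIG_RETPOLINE" || :
check_rsb_consistency "$SAMPLE_MITIGATION" "$SAMPLE_CONFIG_NO_RETPOLINE" || :
```

On a real host, run `check_rsb_consistency "$(live_mitigation)" "$(live_config)"`; an INCONSISTENT verdict is exactly the case the patch targets, where the boot log overstates the mitigation in place.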