Re: [PATCH v3] x86/bugs: Only harden syscalls when needed

From: Andrew Cooper
Date: Wed Apr 17 2024 - 14:02:06 EST


On 17/04/2024 6:57 pm, Josh Poimboeuf wrote:
> On Wed, Apr 17, 2024 at 09:45:14AM -0700, Pawan Gupta wrote:
>> On Wed, Apr 17, 2024 at 04:14:26PM +0100, Andrew Cooper wrote:
>>> On 17/04/2024 12:02 am, Josh Poimboeuf wrote:
>>>> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
>>>> index ca295b0c1eee..dcb97cc2758f 100644
>>>> --- a/arch/x86/kernel/cpu/bugs.c
>>>> +++ b/arch/x86/kernel/cpu/bugs.c
>>>> @@ -1678,6 +1687,21 @@ static void __init spectre_v2_select_mitigation(void)
>>>> enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
>>>> enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
>>>>
>>>> + /*
>>>> + * X86_FEATURE_INDIRECT_SAFE indicates whether indirect calls can be
>>>> + * considered safe. That means either:
>>>> + *
>>>> + * - the CPU isn't vulnerable to Spectre v2 or its variants;
>>>> + *
>>>> + * - a hardware mitigation is in place (e.g., IBRS, BHI_DIS_S); or
>>>> + *
>>>> + * - the user turned off mitigations altogether.
>>>> + *
>>>> + * Assume innocence until proven guilty: set the cap bit now, then
>>>> + * clear it later if/when needed.
>>>> + */
>>>> + setup_force_cpu_cap(X86_FEATURE_INDIRECT_SAFE);
>>> Following on from the (re)discovery that X86_FEATURE_RETPOLINE is a poor
>>> name given what it *actually* does, can I recommend s/SAFE/OK/ here?
>> Or simply X86_FEATURE_USE_INDIRECT_BRANCH.
>>
>>> This flag really is "do I want indirect branches or not", which - as
>>> noted here - is more than just a judgement of whether indirect branches
>>> are "safe".
> X86_FEATURE_USE_INDIRECT_BRANCH sounds good. It's a bit long but does
> describe it better.

Works for me.  Definitely an improvement over SAFE.

~Andrew