git.ipfire.org Git - thirdparty/kernel/stable.git/commit

x86/bhi: Mitigate KVM by default

commit 95a6ccbdc7199a14b71ad8901cb788ba7fb5167b upstream.

BHI mitigation mode spectre_bhi=auto does not deploy the software
mitigation by default. In a cloud environment, it is a likely scenario
where userspace is trusted but the guests are not trusted. Deploying
system wide mitigation in such cases is not desirable.

Update the auto mode to unconditionally mitigate against malicious
guests. Deploy the software sequence at VMexit in auto mode also, when
hardware mitigation is not available. Unlike the force =on mode,
software sequence is not deployed at syscalls in auto mode.

Suggested-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
	Mon, 11 Mar 2024 15:57:09 +0000 (08:57 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 10 Apr 2024 14:19:44 +0000 (16:19 +0200)
commit	c2b9e038896f01ba4bec87cfc97573b7f1b736d6
tree	d56cfa2e4ab48e10d14f46e84505095d0fcfa6f7	tree \| snapshot
parent	f825494f2c6fab421c5c59b5def321775c825818	commit \| diff

Documentation/admin-guide/hw-vuln/spectre.rst		diff \| blob \| blame \| history
Documentation/admin-guide/kernel-parameters.txt		diff \| blob \| blame \| history
arch/x86/include/asm/cpufeatures.h		diff \| blob \| blame \| history
arch/x86/include/asm/nospec-branch.h		diff \| blob \| blame \| history
arch/x86/kernel/cpu/bugs.c		diff \| blob \| blame \| history
arch/x86/kvm/vmx/vmenter.S		diff \| blob \| blame \| history