x86/bugs: Add attack vector controls for BHI
authorDavid Kaplan <david.kaplan@amd.com>
Mon, 7 Jul 2025 18:33:09 +0000 (13:33 -0500)
committerBorislav Petkov (AMD) <bp@alien8.de>
Fri, 11 Jul 2025 15:56:41 +0000 (17:56 +0200)
Use attack vector controls to determine if BHI mitigation is required.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250707183316.1349127-15-david.kaplan@amd.com
arch/x86/kernel/cpu/bugs.c

index ff5625164f6df07ab3238f712c3d45242c473bb3..2022f05a2ce72999f3c9bace3bc236bc2600ec28 100644 (file)
@@ -2217,11 +2217,20 @@ early_param("spectre_bhi", spectre_bhi_parse_cmdline);
 
 static void __init bhi_select_mitigation(void)
 {
-       if (!boot_cpu_has(X86_BUG_BHI) || cpu_mitigations_off())
+       if (!boot_cpu_has(X86_BUG_BHI))
                bhi_mitigation = BHI_MITIGATION_OFF;
 
-       if (bhi_mitigation == BHI_MITIGATION_AUTO)
-               bhi_mitigation = BHI_MITIGATION_ON;
+       if (bhi_mitigation != BHI_MITIGATION_AUTO)
+               return;
+
+       if (cpu_attack_vector_mitigated(CPU_MITIGATE_GUEST_HOST)) {
+               if (cpu_attack_vector_mitigated(CPU_MITIGATE_USER_KERNEL))
+                       bhi_mitigation = BHI_MITIGATION_ON;
+               else
+                       bhi_mitigation = BHI_MITIGATION_VMEXIT_ONLY;
+       } else {
+               bhi_mitigation = BHI_MITIGATION_OFF;
+       }
 }
 
 static void __init bhi_update_mitigation(void)
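Review bot: In the AUTO path of bhi_select_mitigation(), `cpu_attack_vector_mitigated(CPU_MITIGATE_USER_KERNEL)` is only consulted inside the `CPU_MITIGATE_GUEST_HOST` branch, so a configuration that selects user-to-kernel protection without guest-to-host falls into the final `else` and ends with `BHI_MITIGATION_OFF`. If that is not intended, test the user/kernel vector first so that it alone selects `BHI_MITIGATION_ON`, as in the excerpt below. If it is intended, the `else` branch needs a comment explaining why user/kernel alone does not require the mitigation, because the enum names suggest `BHI_MITIGATION_ON` is the only setting that would cover that path. Later code such as bhi_update_mitigation(), whose body lies outside the hunk, may adjust the result, so the effective state should be confirmed there.

```c
	if (bhi_mitigation != BHI_MITIGATION_AUTO)
		return;

	/* User/kernel selected: full mitigation regardless of guest/host. */
	if (cpu_attack_vector_mitigated(CPU_MITIGATE_USER_KERNEL))
		bhi_mitigation = BHI_MITIGATION_ON;
	else if (cpu_attack_vector_mitigated(CPU_MITIGATE_GUEST_HOST))
		bhi_mitigation = BHI_MITIGATION_VMEXIT_ONLY;
	else
		bhi_mitigation = BHI_MITIGATION_OFF;
```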