x86/bugs: Add attack vector controls for SRSO
authorDavid Kaplan <david.kaplan@amd.com>
Mon, 7 Jul 2025 18:33:12 +0000 (13:33 -0500)
committerBorislav Petkov (AMD) <bp@alien8.de>
Fri, 11 Jul 2025 15:56:41 +0000 (17:56 +0200)
Use attack vector controls to determine if SRSO mitigation is required.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250707183316.1349127-18-david.kaplan@amd.com
arch/x86/kernel/cpu/bugs.c

index 2128623252a420f4aebb8f59f71c0b8c27e25909..eef6ccd17c79c36e23550a6515b8f972b03ea899 100644 (file)
@@ -3123,14 +3123,19 @@ early_param("spec_rstack_overflow", srso_parse_cmdline);
 
 static void __init srso_select_mitigation(void)
 {
-       if (!boot_cpu_has_bug(X86_BUG_SRSO) || cpu_mitigations_off())
+       if (!boot_cpu_has_bug(X86_BUG_SRSO)) {
                srso_mitigation = SRSO_MITIGATION_NONE;
-
-       if (srso_mitigation == SRSO_MITIGATION_NONE)
                return;
+       }
 
-       if (srso_mitigation == SRSO_MITIGATION_AUTO)
-               srso_mitigation = SRSO_MITIGATION_SAFE_RET;
+       if (srso_mitigation == SRSO_MITIGATION_AUTO) {
+               if (should_mitigate_vuln(X86_BUG_SRSO)) {
+                       srso_mitigation = SRSO_MITIGATION_SAFE_RET;
+               } else {
+                       srso_mitigation = SRSO_MITIGATION_NONE;
+                       return;
+               }
+       }
 
        /* Zen1/2 with SMT off aren't vulnerable to SRSO. */
        if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
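Review bot: With the `if (srso_mitigation == SRSO_MITIGATION_NONE) return;` early exit removed, a value of SRSO_MITIGATION_NONE that was set before this function runs (presumably by srso_parse_cmdline, which the hunk header shows registered for `spec_rstack_overflow`) no longer returns here and instead falls through to the Zen1/2 SMT check and whatever follows it. The rest of srso_select_mitigation() lies outside the hunk, so whether that later code can overwrite an explicit NONE cannot be confirmed from this page; if it can, re-adding the guard right after the AUTO block, `if (srso_mitigation == SRSO_MITIGATION_NONE) return;`, would keep the old behaviour for an explicit opt-out. Dropping cpu_mitigations_off() also means that only the AUTO path now consults the global policy through should_mitigate_vuln(), so an explicit per-bug selection is no longer overridden by it. If that precedence is intended, a comment above the AUTO block would record it, e.g. `/* An explicit spec_rstack_overflow= selection takes precedence over the attack-vector policy. */`.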