[PATCH v12 11/12] x86/vmscape: Resolve conflict between attack-vectors and... | netdev

[PATCH v12 00/12] VMSCAPE optimization for BHI variant · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
[PATCH v12 01/12] x86/bhi: x86/vmscape: Move LFENCE out of clear_bhb_loop() · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
[PATCH v12 02/12] x86/bhi: Make clear_bhb_loop() effective on newer CPUs · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
Re: [PATCH v12 02/12] x86/bhi: Make clear_bhb_loop() effective on newer CPUs · bot+bpf-ci@kernel.org · 2026-06-23
Re: [PATCH v12 02/12] x86/bhi: Make clear_bhb_loop() effective on newer CPUs · Nikolay Borisov <hidden> · 2026-06-24
Re: [PATCH v12 02/12] x86/bhi: Make clear_bhb_loop() effective on newer CPUs · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-24
[PATCH v12 03/12] x86/bhi: Rename clear_bhb_loop() to clear_bhb_loop_nofence() · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
[PATCH v12 04/12] x86/vmscape: Rename x86_ibpb_exit_to_user to x86_predictor_flush_exit_to_user · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
[PATCH v12 05/12] x86/vmscape: Move mitigation selection to a switch() · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
[PATCH v12 06/12] x86/vmscape: Use write_ibpb() instead of indirect_branch_prediction_barrier() · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
[PATCH v12 07/12] static_call: Define EXPORT_STATIC_CALL_FOR_MODULES() · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
Re: [PATCH v12 07/12] static_call: Define EXPORT_STATIC_CALL_FOR_MODULES() · Sean Christopherson <seanjc@google.com> · 2026-06-24
Re: [PATCH v12 07/12] static_call: Define EXPORT_STATIC_CALL_FOR_MODULES() · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-24
Re: [PATCH v12 07/12] static_call: Define EXPORT_STATIC_CALL_FOR_MODULES() · Sean Christopherson <seanjc@google.com> · 2026-06-24
[PATCH v12 08/12] KVM: Define EXPORT_STATIC_CALL_FOR_KVM() · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
Re: [PATCH v12 08/12] KVM: Define EXPORT_STATIC_CALL_FOR_KVM() · bot+bpf-ci@kernel.org · 2026-06-23
[PATCH v12 09/12] x86/vmscape: Use static_call() for predictor flush · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
[PATCH v12 10/12] x86/vmscape: Deploy BHB clearing mitigation · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
[PATCH v12 11/12] x86/vmscape: Resolve conflict between attack-vectors and vmscape=force · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23
Re: [PATCH v12 11/12] x86/vmscape: Resolve conflict between attack-vectors and vmscape=force · bot+bpf-ci@kernel.org · 2026-06-23
[PATCH v12 12/12] x86/vmscape: Add cmdline vmscape=on to override attack vector controls · Pawan Gupta <pawan.kumar.gupta@linux.intel.com> · 2026-06-23

COOLING4d REVIEWED: 2 (0M)

[PATCH v12 11/12] x86/vmscape: Resolve conflict between attack-vectors and vmscape=force

From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: 2026-06-23 17:35:37
Also in: bpf, kvm, linux-doc, lkml
Subsystem: the rest, x86 architecture (32-bit and 64-bit), x86 hardware vulnerabilities · Maintainers: Linus Torvalds, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Peter Zijlstra, Josh Poimboeuf

vmscape=force option currently defaults to AUTO mitigation. This lets
attack-vector controls to override the vmscape mitigation. Preventing the
user from being able to force VMSCAPE mitigation.

When vmscape mitigation is forced, allow it be deployed irrespective of
attack vectors. Introduce VMSCAPE_MITIGATION_ON that wins over
attack-vector controls.

Tested-by: Jon Kohler <redacted>
Reviewed-by: Nikolay Borisov <redacted>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
 arch/x86/kernel/cpu/bugs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 1082ed1fb2e6..fbdb137720c4 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c

@@ -3058,6 +3058,7 @@ static void __init srso_apply_mitigation(void)
 enum vmscape_mitigations {
 	VMSCAPE_MITIGATION_NONE,
 	VMSCAPE_MITIGATION_AUTO,
+	VMSCAPE_MITIGATION_ON,
 	VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER,
 	VMSCAPE_MITIGATION_IBPB_ON_VMEXIT,
 	VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER,

@@ -3066,6 +3067,7 @@ enum vmscape_mitigations {
 static const char * const vmscape_strings[] = {
 	[VMSCAPE_MITIGATION_NONE]			= "Vulnerable",
 	/* [VMSCAPE_MITIGATION_AUTO] */
+	/* [VMSCAPE_MITIGATION_ON] */
 	[VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER]		= "Mitigation: IBPB before exit to userspace",
 	[VMSCAPE_MITIGATION_IBPB_ON_VMEXIT]		= "Mitigation: IBPB on VMEXIT",
 	[VMSCAPE_MITIGATION_BHB_CLEAR_EXIT_TO_USER]	= "Mitigation: Clear BHB before exit to userspace",

@@ -3085,7 +3087,7 @@ static int __init vmscape_parse_cmdline(char *str)
 		vmscape_mitigation = VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER;
 	} else if (!strcmp(str, "force")) {
 		setup_force_cpu_bug(X86_BUG_VMSCAPE);
-		vmscape_mitigation = VMSCAPE_MITIGATION_AUTO;
+		vmscape_mitigation = VMSCAPE_MITIGATION_ON;
 	} else if (!strcmp(str, "auto")) {
 		vmscape_mitigation = VMSCAPE_MITIGATION_AUTO;
 	} else {

@@ -3117,6 +3119,7 @@ static void __init vmscape_select_mitigation(void)
 		break;
 
 	case VMSCAPE_MITIGATION_AUTO:
+	case VMSCAPE_MITIGATION_ON:
 		/*
 		 * CPUs with BHI_CTRL(ADL and newer) can avoid the IBPB and use
 		 * BHB clear sequence. These CPUs are only vulnerable to the BHI

@@ -3244,6 +3247,7 @@ void cpu_bugs_smt_update(void)
 	switch (vmscape_mitigation) {
 	case VMSCAPE_MITIGATION_NONE:
 	case VMSCAPE_MITIGATION_AUTO:
+	case VMSCAPE_MITIGATION_ON:
 		break;
 	case VMSCAPE_MITIGATION_IBPB_ON_VMEXIT:
 	case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER:

-- 
2.34.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help