tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

x86/speculation: Make all RETbleed mitigations 64-bit only

The mitigations for RETBleed are currently ineffective on x86_32 since
entry_32.S does not use the required macros. However, for an x86_32
target, the kconfig symbols for them are still enabled by default and
/sys/devices/system/cpu/vulnerabilities/retbleed will wrongly report
that mitigations are in place.

Make all of these symbols depend on X86_64, and only enable RETHUNK by
default on X86_64.

Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/YtwSR3NNsWp1ohfV@decadent.org.uk

authored by Ben Hutchings and committed by Borislav Petkov b648ab48 efc72a66

options
unified split
Changed files
+4 -4
arch
x86
Kconfig
+4 -4
arch/x86/Kconfig
··· 2473 2473 bool "Enable return-thunks" 2474 2474 depends on RETPOLINE && CC_HAS_RETURN_THUNK 2475 2475 select OBJTOOL if HAVE_OBJTOOL 2476 - default y 2476 + default y if X86_64 2477 2477 help 2478 2478 Compile the kernel with the return-thunks compiler option to guard 2479 2479 against kernel-to-user data leaks by avoiding return speculation. ··· 2482 2482 2483 2483 config CPU_UNRET_ENTRY 2484 2484 bool "Enable UNRET on kernel entry" 2485 - depends on CPU_SUP_AMD && RETHUNK 2485 + depends on CPU_SUP_AMD && RETHUNK && X86_64 2486 2486 default y 2487 2487 help 2488 2488 Compile the kernel with support for the retbleed=unret mitigation. 2489 2489 2490 2490 config CPU_IBPB_ENTRY 2491 2491 bool "Enable IBPB on kernel entry" 2492 - depends on CPU_SUP_AMD 2492 + depends on CPU_SUP_AMD && X86_64 2493 2493 default y 2494 2494 help 2495 2495 Compile the kernel with support for the retbleed=ibpb mitigation. 2496 2496 2497 2497 config CPU_IBRS_ENTRY 2498 2498 bool "Enable IBRS on kernel entry" 2499 - depends on CPU_SUP_INTEL 2499 + depends on CPU_SUP_INTEL && X86_64 2500 2500 default y 2501 2501 help 2502 2502 Compile the kernel with support for the spectre_v2=ibrs mitigation.