Documentation/hw-vuln: Document the interaction between IBRS and STIBP

Explain why STIBP is needed with legacy IBRS as currently implemented
(KERNEL_IBRS) and why STIBP is not needed when enhanced IBRS is enabled.

Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS")
Signed-off-by: KP Singh <kpsingh@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20230227060541.1939092-2-kpsingh@kernel.org

authored by KP Singh and committed by Borislav Petkov (AMD) e02b50ca 6921ed90

Changed files
+16 -5
Documentation/admin-guide/hw-vuln/spectre.rst
··· 479 479 On Intel Skylake-era systems the mitigation covers most, but not all, 480 480 cases. See :ref:`[3] <spec_ref3>` for more details. 481 481 482 - On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced 483 - IBRS on x86), retpoline is automatically disabled at run time. 482 + On CPUs with hardware mitigation for Spectre variant 2 (e.g. IBRS 483 + or enhanced IBRS on x86), retpoline is automatically disabled at run time. 484 + 485 + Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at 486 + boot, by setting the IBRS bit, and they're automatically protected against 487 + Spectre v2 variant attacks, including cross-thread branch target injections 488 + on SMT systems (STIBP). In other words, eIBRS enables STIBP too. 489 + 490 + Legacy IBRS systems clear the IBRS bit on exit to userspace and 491 + therefore explicitly enable STIBP for that 484 492 485 493 The retpoline mitigation is turned on by default on vulnerable 486 494 CPUs. It can be forced on or off by the administrator ··· 512 504 For Spectre variant 2 mitigation, individual user programs 513 505 can be compiled with return trampolines for indirect branches. 514 506 This protects them from consuming poisoned entries in the branch 515 - target buffer left by malicious software. Alternatively, the 516 - programs can disable their indirect branch speculation via prctl() 517 - (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`). 507 + target buffer left by malicious software. 508 + 509 + On legacy IBRS systems, at return to userspace, implicit STIBP is disabled 510 + because the kernel clears the IBRS bit. In this case, the userspace programs 511 + can disable indirect branch speculation via prctl() (See 512 + :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`). 
518 513 On x86, this will turn on STIBP to guard against attacks from the 519 514 sibling thread when the user program is running, and use IBPB to 520 515 flush the branch target buffer when switching to/from the program.
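Review bot: the new paragraph in the first hunk (spectre.rst lines 490-491) ends mid-sentence: "Legacy IBRS systems clear the IBRS bit on exit to userspace and therefore explicitly enable STIBP for that" has no object and no full stop before the blank context line. Please finish the thought so it matches what the commit message says it documents, e.g. "... and therefore explicitly enable STIBP for that reason." Two smaller style points in the same hunk: "Spectre v2 variant attacks" reads double (Spectre v2 is already the variant), and "they're" is a contraction in otherwise formal admin-guide prose; "are" would fit the surrounding text.

Review bot: in the second hunk the removal of "Alternatively, the programs can disable their indirect branch speculation via prctl()" narrows the prctl() guidance so it now reads as applying only on legacy IBRS systems, although the previous text presented prctl() as a general alternative to compiling user programs with return trampolines, and the unchanged context that follows ("On x86, this will turn on STIBP ... and use IBPB ...") still describes that general behaviour. Suggest keeping the alternative wording and adding the legacy IBRS case as the motivation, e.g. "Alternatively, the programs can disable their indirect branch speculation via prctl(). This matters on legacy IBRS systems, where implicit STIBP is disabled at return to userspace because the kernel clears the IBRS bit." Also consider lower-casing "(See" mid-sentence, which the hunk carries over from the old text.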