
Commit 4d47cba0 authored by KP Singh, committed by Greg Kroah-Hartman

Documentation/hw-vuln: Document the interaction between IBRS and STIBP



commit e02b50ca442e88122e1302d4dbc1b71a4808c13f upstream.

Explain why STIBP is needed with legacy IBRS as currently implemented
(KERNEL_IBRS) and why STIBP is not needed when enhanced IBRS is enabled.

Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS")
Signed-off-by: KP Singh <kpsingh@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20230227060541.1939092-2-kpsingh@kernel.org


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 34c1b60e
+16 −5
@@ -479,8 +479,16 @@ Spectre variant 2
   On Intel Skylake-era systems the mitigation covers most, but not all,
   On Intel Skylake-era systems the mitigation covers most, but not all,
   cases. See :ref:`[3] <spec_ref3>` for more details.
   cases. See :ref:`[3] <spec_ref3>` for more details.


   On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced
   On CPUs with hardware mitigation for Spectre variant 2 (e.g. IBRS
   IBRS on x86), retpoline is automatically disabled at run time.
   or enhanced IBRS on x86), retpoline is automatically disabled at run time.

   Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at
   boot, by setting the IBRS bit, and they're automatically protected against
   Spectre v2 variant attacks, including cross-thread branch target injections
   on SMT systems (STIBP). In other words, eIBRS enables STIBP too.

   Legacy IBRS systems clear the IBRS bit on exit to userspace and
   therefore explicitly enable STIBP for that


   The retpoline mitigation is turned on by default on vulnerable
   The retpoline mitigation is turned on by default on vulnerable
   CPUs. It can be forced on or off by the administrator
   CPUs. It can be forced on or off by the administrator
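
Review bot: The last added paragraph stops mid-sentence: "therefore explicitly enable STIBP for that" has no referent for "that" and no closing period. Say what STIBP is being enabled for (the preceding clause suggests the time spent in userspace after the IBRS bit is cleared) and end the sentence. In the eIBRS paragraph, the parenthetical "(STIBP)" follows "cross-thread branch target injections on SMT systems", which reads as if STIBP names the attack rather than the mitigation; wording such as "the protection STIBP provides" would be clearer.
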
@@ -504,9 +512,12 @@ Spectre variant 2
   For Spectre variant 2 mitigation, individual user programs
   For Spectre variant 2 mitigation, individual user programs
   can be compiled with return trampolines for indirect branches.
   can be compiled with return trampolines for indirect branches.
   This protects them from consuming poisoned entries in the branch
   This protects them from consuming poisoned entries in the branch
   target buffer left by malicious software.  Alternatively, the
   target buffer left by malicious software.
   programs can disable their indirect branch speculation via prctl()

   (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
   On legacy IBRS systems, at return to userspace, implicit STIBP is disabled
   because the kernel clears the IBRS bit. In this case, the userspace programs
   can disable indirect branch speculation via prctl() (See
   :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
   On x86, this will turn on STIBP to guard against attacks from the
   On x86, this will turn on STIBP to guard against attacks from the
   sibling thread when the user program is running, and use IBPB to
   sibling thread when the user program is running, and use IBPB to
   flush the branch target buffer when switching to/from the program.
   flush the branch target buffer when switching to/from the program.
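
Review bot: "In this case, the userspace programs can disable indirect branch speculation via prctl()" now ties the prctl() option to legacy IBRS systems, whereas the removed text offered it with "Alternatively" as a general alternative to building with return trampolines. If prctl() is still meant to be usable outside the legacy IBRS case, keep a sentence saying so. This paragraph also says implicit STIBP is disabled at return to userspace and leaves it to programs to opt in, while the paragraph added in the first hunk says legacy IBRS systems "explicitly enable STIBP"; the two should state the same thing about whether STIBP is on in userspace without a prctl() call.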