+bool cpc_supported_by_cpu(void)

+{

+ switch (boot_cpu_data.x86_vendor) {

+ case X86_VENDOR_AMD:

+ case X86_VENDOR_HYGON:

+ if (boot_cpu_data.x86 == 0x19 && ((boot_cpu_data.x86_model <= 0x0f) ||

+ (boot_cpu_data.x86_model >= 0x20 && boot_cpu_data.x86_model <= 0x2f)))

+ return true;

+ else if (boot_cpu_data.x86 == 0x17 &&

+ boot_cpu_data.x86_model >= 0x70 && boot_cpu_data.x86_model <= 0x7f)

+ return true;

+ return boot_cpu_has(X86_FEATURE_CPPC);

+ }

+ return false;

+}

+

+extern s32 __return_sites[], __return_sites_end[];

+#ifdef CONFIG_RETHUNK

+/*

+ * Rewrite the compiler generated return thunk tail-calls.

+ *

+ * For example, convert:

+ *

+ * JMP __x86_return_thunk

+ *

+ * into:

+ *

+ * RET

+ */

+static int patch_return(void *addr, struct insn *insn, u8 *bytes)

+{

+ int i = 0;

+

+ if (cpu_feature_enabled(X86_FEATURE_RETHUNK))

+ return -1;

+

+ bytes[i++] = RET_INSN_OPCODE;

+

+ for (; i < insn->length;)

+ bytes[i++] = INT3_INSN_OPCODE;

+

+ return i;

+}

+

+void __init_or_module noinline apply_returns(s32 *start, s32 *end)

+{

+ s32 *s;

+

+ for (s = start; s < end; s++) {

+ void *dest = NULL, *addr = (void *)s + *s;

+ struct insn insn;

+ int len, ret;

+ u8 bytes[16];

+ u8 op;

+

+ ret = insn_decode_kernel(&insn, addr);

+ if (WARN_ON_ONCE(ret < 0))

+ continue;

+

+ op = insn.opcode.bytes[0];

+ if (op == JMP32_INSN_OPCODE)

+ dest = addr + insn.length + insn.immediate.value;

+

+ if (__static_call_fixup(addr, op, dest) ||

+ WARN_ONCE(dest != &__x86_return_thunk,

+ "missing return thunk: %pS-%pS: %*ph",

+ addr, dest, 5, addr))

+ continue;

+

+ DPRINTK("return thunk at: %pS (%px) len: %d to: %pS",

+ addr, addr, insn.length,

+ addr + insn.length + insn.immediate.value);

+

+ len = patch_return(addr, &insn, bytes);

+ if (len == insn.length) {

+ DUMP_BYTES(((u8*)addr), len, "%px: orig: ", addr);

+ DUMP_BYTES(((u8*)bytes), len, "%px: repl: ", addr);

+ text_poke_early(addr, bytes, len);

+ }

+ }

+}

+#else

+void __init_or_module noinline apply_returns(s32 *start, s32 *end) { }

+#endif /* CONFIG_RETHUNK */

+

+void __init_or_module noinline apply_returns(s32 *start, s32 *end) { }

+ apply_returns(__return_sites, __return_sites_end);

+#define PCI_DEVICE_ID_AMD_17H_MA0H_ROOT 0x14b5

+#define PCI_DEVICE_ID_AMD_19H_M60H_ROOT 0x14d8

+#define PCI_DEVICE_ID_AMD_19H_M70H_ROOT 0x14e8

+#define PCI_DEVICE_ID_AMD_17H_MA0H_DF_F4 0x1728

+#define PCI_DEVICE_ID_AMD_19H_M60H_DF_F4 0x14e4

+#define PCI_DEVICE_ID_AMD_19H_M70H_DF_F4 0x14f4

+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_MA0H_ROOT) },

+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_19H_M60H_ROOT) },

+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_19H_M70H_ROOT) },

+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_MA0H_DF_F3) },

+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_19H_M60H_DF_F3) },

+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_19H_M70H_DF_F3) },

+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_MA0H_DF_F4) },

+#include "../kvm/vmx/vmx.h"

+

+ if (IS_ENABLED(CONFIG_KVM_INTEL)) {

+ BLANK();

+ OFFSET(VMX_spec_ctrl, vcpu_vmx, spec_ctrl);

+ }

+ * The self-test can clear X86_FEATURE_RDRAND, so check for

+void init_spectral_chicken(struct cpuinfo_x86 *c)

+{

+#ifdef CONFIG_CPU_UNRET_ENTRY

+ u64 value;

+

+ /*

+ * On Zen2 we offer this chicken (bit) on the altar of Speculation.

+ *

+ * This suppresses speculation from the middle of a basic block, i.e. it

+ * suppresses non-branch predictions.

+ *

+ * We use STIBP as a heuristic to filter out Zen2 from the rest of F17H

+ */

+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && cpu_has(c, X86_FEATURE_AMD_STIBP)) {

+ if (!rdmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, &value)) {

+ value |= MSR_ZEN2_SPECTRAL_CHICKEN_BIT;

+ wrmsrl_safe(MSR_ZEN2_SPECTRAL_CHICKEN, value);

+ }

+ }

+#endif

+}

+

+ /* Fix up CPUID bits, but only if not virtualised. */

+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {

+

+ /* Erratum 1076: CPB feature bit not being set in CPUID. */

+ if (!cpu_has(c, X86_FEATURE_CPB))

+ set_cpu_cap(c, X86_FEATURE_CPB);

+

+ /*

+ * Zen3 (Fam19 model < 0x10) parts are not susceptible to

+ * Branch Type Confusion, but predate the allocation of the

+ * BTC_NO bit.

+ */

+ if (c->x86 == 0x19 && !cpu_has(c, X86_FEATURE_BTC_NO))

+ set_cpu_cap(c, X86_FEATURE_BTC_NO);

+ }

+ case 0x17: init_spectral_chicken(c);

+ fallthrough;

+static void __init retbleed_select_mitigation(void);

+static void __init spectre_v2_user_select_mitigation(void);

+static void __init md_clear_update_mitigation(void);

+static void __init md_clear_select_mitigation(void);

+static void __init mmio_select_mitigation(void);

+/* The base value of the SPEC_CTRL MSR without task-specific bits set */

+

+/* The current value of the SPEC_CTRL MSR with task-specific bits set */

+DEFINE_PER_CPU(u64, x86_spec_ctrl_current);

+EXPORT_SYMBOL_GPL(x86_spec_ctrl_current);

+

+ * Keep track of the SPEC_CTRL MSR value for the current task, which may differ

+ * from x86_spec_ctrl_base due to STIBP/SSB in __speculation_ctrl_update().

+void write_spec_ctrl_current(u64 val, bool force)

+{

+ if (this_cpu_read(x86_spec_ctrl_current) == val)

+ return;

+

+ this_cpu_write(x86_spec_ctrl_current, val);

+

+ /*

+ * When KERNEL_IBRS this MSR is written on return-to-user, unless

+ * forced the update can be delayed until that time.

+ */

+ if (force || !cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS))

+ wrmsrl(MSR_IA32_SPEC_CTRL, val);

+}

+

+u64 spec_ctrl_current(void)

+{

+ return this_cpu_read(x86_spec_ctrl_current);

+}

+EXPORT_SYMBOL_GPL(spec_ctrl_current);

+/* Controls CPU Fill buffer clear before KVM guest MMIO accesses */

+DEFINE_STATIC_KEY_FALSE(mmio_stale_data_clear);

+EXPORT_SYMBOL_GPL(mmio_stale_data_clear);

+

+ /*

+ * retbleed_select_mitigation() relies on the state set by

+ * spectre_v2_select_mitigation(); specifically it wants to know about

+ * spectre_v2=ibrs.

+ */

+ retbleed_select_mitigation();

+ /*

+ * spectre_v2_user_select_mitigation() relies on the state set by

+ * retbleed_select_mitigation(); specifically the STIBP selection is

+ * forced for UNRET.

+ */

+ spectre_v2_user_select_mitigation();

+ md_clear_select_mitigation();

+/*

+ * NOTE: This function is *only* called for SVM. VMX spec_ctrl handling is

+ * done in vmenter.S.

+ */

+ u64 msrval, guestval = guest_spec_ctrl, hostval = spec_ctrl_current();

+ return;

+ return;

+#define pr_fmt(fmt) "MMIO Stale Data: " fmt

+

+enum mmio_mitigations {

+ MMIO_MITIGATION_OFF,

+ MMIO_MITIGATION_UCODE_NEEDED,

+ MMIO_MITIGATION_VERW,

+};

+

+/* Default mitigation for Processor MMIO Stale Data vulnerabilities */

+static enum mmio_mitigations mmio_mitigation __ro_after_init = MMIO_MITIGATION_VERW;

+static bool mmio_nosmt __ro_after_init = false;

+

+static const char * const mmio_strings[] = {

+ [MMIO_MITIGATION_OFF] = "Vulnerable",

+ [MMIO_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode",

+ [MMIO_MITIGATION_VERW] = "Mitigation: Clear CPU buffers",

+};

+

+static void __init mmio_select_mitigation(void)

+{

+ u64 ia32_cap;

+

+ if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA) ||

+ cpu_mitigations_off()) {

+ mmio_mitigation = MMIO_MITIGATION_OFF;

+ return;

+ }

+

+ if (mmio_mitigation == MMIO_MITIGATION_OFF)

+ return;

+

+ ia32_cap = x86_read_arch_cap_msr();

+

+ /*

+ * Enable CPU buffer clear mitigation for host and VMM, if also affected

+ * by MDS or TAA. Otherwise, enable mitigation for VMM only.

+ */

+ if (boot_cpu_has_bug(X86_BUG_MDS) || (boot_cpu_has_bug(X86_BUG_TAA) &&

+ boot_cpu_has(X86_FEATURE_RTM)))

+ static_branch_enable(&mds_user_clear);

+ else

+ static_branch_enable(&mmio_stale_data_clear);

+

+ /*

+ * If Processor-MMIO-Stale-Data bug is present and Fill Buffer data can

+ * be propagated to uncore buffers, clearing the Fill buffers on idle

+ * is required irrespective of SMT state.

+ */

+ if (!(ia32_cap & ARCH_CAP_FBSDP_NO))

+ static_branch_enable(&mds_idle_clear);

+

+ /*

+ * Check if the system has the right microcode.

+ *

+ * CPU Fill buffer clear mitigation is enumerated by either an explicit

+ * FB_CLEAR or by the presence of both MD_CLEAR and L1D_FLUSH on MDS

+ * affected systems.

+ */

+ if ((ia32_cap & ARCH_CAP_FB_CLEAR) ||

+ (boot_cpu_has(X86_FEATURE_MD_CLEAR) &&

+ boot_cpu_has(X86_FEATURE_FLUSH_L1D) &&

+ !(ia32_cap & ARCH_CAP_MDS_NO)))

+ mmio_mitigation = MMIO_MITIGATION_VERW;

+ else

+ mmio_mitigation = MMIO_MITIGATION_UCODE_NEEDED;

+

+ if (mmio_nosmt || cpu_mitigations_auto_nosmt())

+ cpu_smt_disable(false);

+}

+

+static int __init mmio_stale_data_parse_cmdline(char *str)

+{

+ if (!boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))

+ return 0;

+

+ if (!str)

+ return -EINVAL;

+

+ if (!strcmp(str, "off")) {

+ mmio_mitigation = MMIO_MITIGATION_OFF;

+ } else if (!strcmp(str, "full")) {

+ mmio_mitigation = MMIO_MITIGATION_VERW;

+ } else if (!strcmp(str, "full,nosmt")) {

+ mmio_mitigation = MMIO_MITIGATION_VERW;

+ mmio_nosmt = true;

+ }

+

+ return 0;

+}

+early_param("mmio_stale_data", mmio_stale_data_parse_cmdline);

+

+#undef pr_fmt

+#define pr_fmt(fmt) "" fmt

+

+static void __init md_clear_update_mitigation(void)

+{

+ if (cpu_mitigations_off())

+ return;

+

+ if (!static_key_enabled(&mds_user_clear))

+ goto out;

+

+ /*

+ * mds_user_clear is now enabled. Update MDS, TAA and MMIO Stale Data

+ * mitigation, if necessary.

+ */

+ if (mds_mitigation == MDS_MITIGATION_OFF &&

+ boot_cpu_has_bug(X86_BUG_MDS)) {

+ mds_mitigation = MDS_MITIGATION_FULL;

+ mds_select_mitigation();

+ }

+ if (taa_mitigation == TAA_MITIGATION_OFF &&

+ boot_cpu_has_bug(X86_BUG_TAA)) {

+ taa_mitigation = TAA_MITIGATION_VERW;

+ taa_select_mitigation();

+ }

+ if (mmio_mitigation == MMIO_MITIGATION_OFF &&

+ boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA)) {

+ mmio_mitigation = MMIO_MITIGATION_VERW;

+ mmio_select_mitigation();

+ }

+out:

+ if (boot_cpu_has_bug(X86_BUG_MDS))

+ pr_info("MDS: %s\n", mds_strings[mds_mitigation]);

+ if (boot_cpu_has_bug(X86_BUG_TAA))

+ pr_info("TAA: %s\n", taa_strings[taa_mitigation]);

+ if (boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))

+ pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);

+}

+

+static void __init md_clear_select_mitigation(void)

+{

+ mds_select_mitigation();

+ taa_select_mitigation();

+ mmio_select_mitigation();

+

+ /*

+ * As MDS, TAA and MMIO Stale Data mitigations are inter-related, update

+ * and print their mitigation after MDS, TAA and MMIO Stale Data

+ * mitigation selection is done.

+ */

+ md_clear_update_mitigation();

+}

+

+#undef pr_fmt

+ * Check to see if this is one of the MDS_NO systems supporting TSX that

+ * are only exposed to SRBDS when TSX is enabled or when CPU is affected

+ * by Processor MMIO Stale Data vulnerability.

+ if ((ia32_cap & ARCH_CAP_MDS_NO) && !boot_cpu_has(X86_FEATURE_RTM) &&

+ !boot_cpu_has_bug(X86_BUG_MMIO_STALE_DATA))

+#undef pr_fmt

+#define pr_fmt(fmt) "RETBleed: " fmt

+

+enum retbleed_mitigation {

+ RETBLEED_MITIGATION_NONE,

+ RETBLEED_MITIGATION_UNRET,

+ RETBLEED_MITIGATION_IBPB,

+ RETBLEED_MITIGATION_IBRS,

+ RETBLEED_MITIGATION_EIBRS,

+};

+

+enum retbleed_mitigation_cmd {

+ RETBLEED_CMD_OFF,

+ RETBLEED_CMD_AUTO,

+ RETBLEED_CMD_UNRET,

+ RETBLEED_CMD_IBPB,

+};

+

+static const char * const retbleed_strings[] = {

+ [RETBLEED_MITIGATION_NONE] = "Vulnerable",

+ [RETBLEED_MITIGATION_UNRET] = "Mitigation: untrained return thunk",

+ [RETBLEED_MITIGATION_IBPB] = "Mitigation: IBPB",

+ [RETBLEED_MITIGATION_IBRS] = "Mitigation: IBRS",

+ [RETBLEED_MITIGATION_EIBRS] = "Mitigation: Enhanced IBRS",

+};

+

+static enum retbleed_mitigation retbleed_mitigation __ro_after_init =

+ RETBLEED_MITIGATION_NONE;

+static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =

+ RETBLEED_CMD_AUTO;

+

+static int __ro_after_init retbleed_nosmt = false;

+

+static int __init retbleed_parse_cmdline(char *str)

+{

+ if (!str)

+ return -EINVAL;

+

+ while (str) {

+ char *next = strchr(str, ',');

+ if (next) {

+ *next = 0;

+ next++;

+ }

+

+ if (!strcmp(str, "off")) {

+ retbleed_cmd = RETBLEED_CMD_OFF;

+ } else if (!strcmp(str, "auto")) {

+ retbleed_cmd = RETBLEED_CMD_AUTO;

+ } else if (!strcmp(str, "unret")) {

+ retbleed_cmd = RETBLEED_CMD_UNRET;

+ } else if (!strcmp(str, "ibpb")) {

+ retbleed_cmd = RETBLEED_CMD_IBPB;

+ } else if (!strcmp(str, "nosmt")) {

+ retbleed_nosmt = true;

+ } else {

+ pr_err("Ignoring unknown retbleed option (%s).", str);

+ }

+

+ str = next;

+ }

+

+ return 0;

+}

+early_param("retbleed", retbleed_parse_cmdline);

+

+#define RETBLEED_UNTRAIN_MSG "WARNING: BTB untrained return thunk mitigation is only effective on AMD/Hygon!\n"

+#define RETBLEED_INTEL_MSG "WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!\n"

+

+static void __init retbleed_select_mitigation(void)

+{

+ bool mitigate_smt = false;

+

+ if (!boot_cpu_has_bug(X86_BUG_RETBLEED) || cpu_mitigations_off())

+ return;

+

+ switch (retbleed_cmd) {

+ case RETBLEED_CMD_OFF:

+ return;

+

+ case RETBLEED_CMD_UNRET:

+ if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY)) {

+ retbleed_mitigation = RETBLEED_MITIGATION_UNRET;

+ } else {

+ pr_err("WARNING: kernel not compiled with CPU_UNRET_ENTRY.\n");

+ goto do_cmd_auto;

+ }

+ break;

+

+ case RETBLEED_CMD_IBPB:

+ if (!boot_cpu_has(X86_FEATURE_IBPB)) {

+ pr_err("WARNING: CPU does not support IBPB.\n");

+ goto do_cmd_auto;

+ } else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY)) {

+ retbleed_mitigation = RETBLEED_MITIGATION_IBPB;

+ } else {

+ pr_err("WARNING: kernel not compiled with CPU_IBPB_ENTRY.\n");

+ goto do_cmd_auto;

+ }

+ break;

+

+do_cmd_auto:

+ case RETBLEED_CMD_AUTO:

+ default:

+ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||

+ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON) {

+ if (IS_ENABLED(CONFIG_CPU_UNRET_ENTRY))

+ retbleed_mitigation = RETBLEED_MITIGATION_UNRET;

+ else if (IS_ENABLED(CONFIG_CPU_IBPB_ENTRY) && boot_cpu_has(X86_FEATURE_IBPB))

+ retbleed_mitigation = RETBLEED_MITIGATION_IBPB;

+ }

+

+ /*

+ * The Intel mitigation (IBRS or eIBRS) was already selected in

+ * spectre_v2_select_mitigation(). 'retbleed_mitigation' will

+ * be set accordingly below.

+ */

+

+ break;

+ }

+

+ switch (retbleed_mitigation) {

+ case RETBLEED_MITIGATION_UNRET:

+ setup_force_cpu_cap(X86_FEATURE_RETHUNK);

+ setup_force_cpu_cap(X86_FEATURE_UNRET);

+

+ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&

+ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)

+ pr_err(RETBLEED_UNTRAIN_MSG);

+

+ mitigate_smt = true;

+ break;

+

+ case RETBLEED_MITIGATION_IBPB:

+ setup_force_cpu_cap(X86_FEATURE_ENTRY_IBPB);

+ mitigate_smt = true;

+ break;

+

+ default:

+ break;

+ }

+

+ if (mitigate_smt && !boot_cpu_has(X86_FEATURE_STIBP) &&

+ (retbleed_nosmt || cpu_mitigations_auto_nosmt()))

+ cpu_smt_disable(false);

+

+ /*

+ * Let IBRS trump all on Intel without affecting the effects of the

+ * retbleed= cmdline option.

+ */

+ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {

+ switch (spectre_v2_enabled) {

+ case SPECTRE_V2_IBRS:

+ retbleed_mitigation = RETBLEED_MITIGATION_IBRS;

+ break;

+ case SPECTRE_V2_EIBRS:

+ case SPECTRE_V2_EIBRS_RETPOLINE:

+ case SPECTRE_V2_EIBRS_LFENCE:

+ retbleed_mitigation = RETBLEED_MITIGATION_EIBRS;

+ break;

+ default:

+ pr_err(RETBLEED_INTEL_MSG);

+ }

+ }

+

+ pr_info("%s\n", retbleed_strings[retbleed_mitigation]);

+}

+

+#undef pr_fmt

+#define pr_fmt(fmt) "Spectre V2 : " fmt

+

+#define SPECTRE_V2_IBRS_PERF_MSG "WARNING: IBRS mitigation selected on Enhanced IBRS CPU, this may cause unnecessary performance loss\n"

+ SPECTRE_V2_CMD_IBRS,

+static __ro_after_init enum spectre_v2_mitigation_cmd spectre_v2_cmd;

+

+spectre_v2_parse_user_cmdline(void)

+ switch (spectre_v2_cmd) {

+static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)

+ return mode == SPECTRE_V2_IBRS ||

+ mode == SPECTRE_V2_EIBRS ||

+ mode == SPECTRE_V2_EIBRS_RETPOLINE ||

+ mode == SPECTRE_V2_EIBRS_LFENCE;

+spectre_v2_user_select_mitigation(void)

+ cmd = spectre_v2_parse_user_cmdline();

+ * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,

+ * STIBP is not required.

+ spectre_v2_in_ibrs_mode(spectre_v2_enabled))

+ if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) {

+ if (mode != SPECTRE_V2_USER_STRICT &&

+ mode != SPECTRE_V2_USER_STRICT_PREFERRED)

+ pr_info("Selecting STIBP always-on mode to complement retbleed mitigation\n");

+ mode = SPECTRE_V2_USER_STRICT_PREFERRED;

+ }

+

+ [SPECTRE_V2_IBRS] = "Mitigation: IBRS",

+ { "ibrs", SPECTRE_V2_CMD_IBRS, false },

+ if (cmd == SPECTRE_V2_CMD_IBRS && !IS_ENABLED(CONFIG_CPU_IBRS_ENTRY)) {

+ pr_err("%s selected but not compiled in. Switching to AUTO select\n",

+ mitigation_options[i].option);

+ return SPECTRE_V2_CMD_AUTO;

+ }

+

+ if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) {

+ pr_err("%s selected but not Intel CPU. Switching to AUTO select\n",

+ mitigation_options[i].option);

+ return SPECTRE_V2_CMD_AUTO;

+ }

+

+ if (cmd == SPECTRE_V2_CMD_IBRS && !boot_cpu_has(X86_FEATURE_IBRS)) {

+ pr_err("%s selected but CPU doesn't have IBRS. Switching to AUTO select\n",

+ mitigation_options[i].option);

+ return SPECTRE_V2_CMD_AUTO;

+ }

+

+ if (cmd == SPECTRE_V2_CMD_IBRS && boot_cpu_has(X86_FEATURE_XENPV)) {

+ pr_err("%s selected but running as XenPV guest. Switching to AUTO select\n",

+ mitigation_options[i].option);

+ return SPECTRE_V2_CMD_AUTO;

+ }

+

+/* Disable in-kernel use of non-RSB RET predictors */

+static void __init spec_ctrl_disable_kernel_rrsba(void)

+{

+ u64 ia32_cap;

+

+ if (!boot_cpu_has(X86_FEATURE_RRSBA_CTRL))

+ return;

+

+ ia32_cap = x86_read_arch_cap_msr();

+

+ if (ia32_cap & ARCH_CAP_RRSBA) {

+ x86_spec_ctrl_base |= SPEC_CTRL_RRSBA_DIS_S;

+ write_spec_ctrl_current(x86_spec_ctrl_base, true);

+ }

+}

+

+ if (IS_ENABLED(CONFIG_CPU_IBRS_ENTRY) &&

+ boot_cpu_has_bug(X86_BUG_RETBLEED) &&

+ retbleed_cmd != RETBLEED_CMD_OFF &&

+ boot_cpu_has(X86_FEATURE_IBRS) &&

+ boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) {

+ mode = SPECTRE_V2_IBRS;

+ break;

+ }

+

+ case SPECTRE_V2_CMD_IBRS:

+ mode = SPECTRE_V2_IBRS;

+ break;

+

+ if (spectre_v2_in_ibrs_mode(mode)) {

+ write_spec_ctrl_current(x86_spec_ctrl_base, true);

+ case SPECTRE_V2_IBRS:

+ setup_force_cpu_cap(X86_FEATURE_KERNEL_IBRS);

+ if (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED))

+ pr_warn(SPECTRE_V2_IBRS_PERF_MSG);

+ break;

+

+ /*

+ * Disable alternate RSB predictions in kernel when indirect CALLs and

+ * JMPs gets protection against BHI and Intramode-BTI, but RET

+ * prediction from a non-RSB predictor is still a risk.

+ */

+ if (mode == SPECTRE_V2_EIBRS_LFENCE ||

+ mode == SPECTRE_V2_EIBRS_RETPOLINE ||

+ mode == SPECTRE_V2_RETPOLINE)

+ spec_ctrl_disable_kernel_rrsba();

+

+ * If Spectre v2 protection has been enabled, fill the RSB during a

+ * context switch. In general there are two types of RSB attacks

+ * across context switches, for which the CALLs/RETs may be unbalanced.

+ *

+ * 1) RSB underflow

+ *

+ * Some Intel parts have "bottomless RSB". When the RSB is empty,

+ * speculated return targets may come from the branch predictor,

+ * which could have a user-poisoned BTB or BHB entry.

+ *

+ * AMD has it even worse: *all* returns are speculated from the BTB,

+ * regardless of the state of the RSB.

+ *

+ * When IBRS or eIBRS is enabled, the "user -> kernel" attack

+ * scenario is mitigated by the IBRS branch prediction isolation

+ * properties, so the RSB buffer filling wouldn't be necessary to

+ * protect against this type of attack.

+ *

+ * The "user -> user" attack scenario is mitigated by RSB filling.

+ *

+ * 2) Poisoned RSB entry

+ *

+ * If the 'next' in-kernel return stack is shorter than 'prev',

+ * 'next' could be tricked into speculating with a user-poisoned RSB

+ * entry.

+ *

+ * The "user -> kernel" attack scenario is mitigated by SMEP and

+ * eIBRS.

+ * The "user -> user" scenario, also known as SpectreBHB, requires

+ * RSB clearing.

+ *

+ * So to mitigate all cases, unconditionally fill RSB on context

+ * switches.

+ *

+ * FIXME: Is this pointless for retbleed-affected AMD?

+ * Similar to context switches, there are two types of RSB attacks

+ * after vmexit:

+ *

+ * 1) RSB underflow

+ *

+ * 2) Poisoned RSB entry

+ *

+ * When retpoline is enabled, both are mitigated by filling/clearing

+ * the RSB.

+ *

+ * When IBRS is enabled, while #1 would be mitigated by the IBRS branch

+ * prediction isolation protections, RSB still needs to be cleared

+ * because of #2. Note that SMEP provides no protection here, unlike

+ * user-space-poisoned RSB entries.

+ *

+ * eIBRS, on the other hand, has RSB-poisoning protections, so it

+ * doesn't need RSB clearing after vmexit.

+ */

+ if (boot_cpu_has(X86_FEATURE_RETPOLINE) ||

+ boot_cpu_has(X86_FEATURE_KERNEL_IBRS))

+ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);

+

+ /*

+ * Retpoline protects the kernel, but doesn't protect firmware. IBRS

+ * and Enhanced IBRS protect firmware too, so enable IBRS around

+ * firmware calls only when IBRS / Enhanced IBRS aren't otherwise

+ * enabled.

+ if (boot_cpu_has_bug(X86_BUG_RETBLEED) &&

+ boot_cpu_has(X86_FEATURE_IBPB) &&

+ (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||

+ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)) {

+

+ if (retbleed_cmd != RETBLEED_CMD_IBPB) {

+ setup_force_cpu_cap(X86_FEATURE_USE_IBPB_FW);

+ pr_info("Enabling Speculation Barrier for firmware calls\n");

+ }

+

+ } else if (boot_cpu_has(X86_FEATURE_IBRS) && !spectre_v2_in_ibrs_mode(mode)) {

+ spectre_v2_cmd = cmd;

+ u64 val = spec_ctrl_current() | (x86_spec_ctrl_base & SPEC_CTRL_STIBP);

+ write_spec_ctrl_current(val, true);

+ u64 ia32_cap = x86_read_arch_cap_msr();

+

+ if (sched_smt_active()) {

+ } else if (mmio_mitigation == MMIO_MITIGATION_OFF ||

+ (ia32_cap & ARCH_CAP_FBSDP_NO)) {

+ }

+#define MMIO_MSG_SMT "MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.\n"

+ switch (mmio_mitigation) {

+ case MMIO_MITIGATION_VERW:

+ case MMIO_MITIGATION_UCODE_NEEDED:

+ if (sched_smt_active())

+ pr_warn_once(MMIO_MSG_SMT);

+ break;

+ case MMIO_MITIGATION_OFF:

+ break;

+ }

+

+ write_spec_ctrl_current(x86_spec_ctrl_base, true);

+ write_spec_ctrl_current(x86_spec_ctrl_base, true);

+static ssize_t mmio_stale_data_show_state(char *buf)

+{

+ if (mmio_mitigation == MMIO_MITIGATION_OFF)

+ return sysfs_emit(buf, "%s\n", mmio_strings[mmio_mitigation]);

+

+ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {

+ return sysfs_emit(buf, "%s; SMT Host state unknown\n",

+ mmio_strings[mmio_mitigation]);

+ }

+

+ return sysfs_emit(buf, "%s; SMT %s\n", mmio_strings[mmio_mitigation],

+ sched_smt_active() ? "vulnerable" : "disabled");

+}

+

+ if (spectre_v2_in_ibrs_mode(spectre_v2_enabled))

+static ssize_t retbleed_show_state(char *buf)

+{

+ if (retbleed_mitigation == RETBLEED_MITIGATION_UNRET) {

+ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&

+ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)

+ return sprintf(buf, "Vulnerable: untrained return thunk on non-Zen uarch\n");

+

+ return sprintf(buf, "%s; SMT %s\n",

+ retbleed_strings[retbleed_mitigation],

+ !sched_smt_active() ? "disabled" :

+ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||

+ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ?

+ "enabled with STIBP protection" : "vulnerable");

+ }

+

+ return sprintf(buf, "%s\n", retbleed_strings[retbleed_mitigation]);

+}

+

+ case X86_BUG_MMIO_STALE_DATA:

+ return mmio_stale_data_show_state(buf);

+

+ case X86_BUG_RETBLEED:

+ return retbleed_show_state(buf);

+

+

+ssize_t cpu_show_mmio_stale_data(struct device *dev, struct device_attribute *attr, char *buf)

+{

+ return cpu_show_common(dev, attr, buf, X86_BUG_MMIO_STALE_DATA);

+}

+

+ssize_t cpu_show_retbleed(struct device *dev, struct device_attribute *attr, char *buf)

+{

+ return cpu_show_common(dev, attr, buf, X86_BUG_RETBLEED);

+}

+#define VULNBL(vendor, family, model, blacklist) \

+ X86_MATCH_VENDOR_FAM_MODEL(vendor, family, model, blacklist)

+

+#define VULNBL_AMD(family, blacklist) \

+ VULNBL(AMD, family, X86_MODEL_ANY, blacklist)

+

+#define VULNBL_HYGON(family, blacklist) \

+ VULNBL(HYGON, family, X86_MODEL_ANY, blacklist)

+

+/* CPU is affected by X86_BUG_MMIO_STALE_DATA */

+#define MMIO BIT(1)

+/* CPU is affected by Shared Buffers Data Sampling (SBDS), a variant of X86_BUG_MMIO_STALE_DATA */

+#define MMIO_SBDS BIT(2)

+/* CPU is affected by RETbleed, speculating where you would not expect it */

+#define RETBLEED BIT(3)

+ VULNBL_INTEL_STEPPINGS(HASWELL_X, X86_STEPPING_ANY, MMIO),

+ VULNBL_INTEL_STEPPINGS(BROADWELL_D, X86_STEPPING_ANY, MMIO),

+ VULNBL_INTEL_STEPPINGS(BROADWELL_X, X86_STEPPING_ANY, MMIO),

+ VULNBL_INTEL_STEPPINGS(SKYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(SKYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(KABYLAKE_L, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(KABYLAKE, X86_STEPPING_ANY, SRBDS | MMIO | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(CANNONLAKE_L, X86_STEPPING_ANY, RETBLEED),

+ VULNBL_INTEL_STEPPINGS(ICELAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(ICELAKE_D, X86_STEPPING_ANY, MMIO),

+ VULNBL_INTEL_STEPPINGS(ICELAKE_X, X86_STEPPING_ANY, MMIO),

+ VULNBL_INTEL_STEPPINGS(COMETLAKE, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPINGS(0x0, 0x0), MMIO | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(COMETLAKE_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(LAKEFIELD, X86_STEPPING_ANY, MMIO | MMIO_SBDS | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(ROCKETLAKE, X86_STEPPING_ANY, MMIO | RETBLEED),

+ VULNBL_INTEL_STEPPINGS(ATOM_TREMONT, X86_STEPPING_ANY, MMIO | MMIO_SBDS),

+ VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_D, X86_STEPPING_ANY, MMIO),

+ VULNBL_INTEL_STEPPINGS(ATOM_TREMONT_L, X86_STEPPING_ANY, MMIO | MMIO_SBDS),

+

+ VULNBL_AMD(0x15, RETBLEED),

+ VULNBL_AMD(0x16, RETBLEED),

+ VULNBL_AMD(0x17, RETBLEED),

+ VULNBL_HYGON(0x18, RETBLEED),

+static bool arch_cap_mmio_immune(u64 ia32_cap)

+{

+ return (ia32_cap & ARCH_CAP_FBSDP_NO &&

+ ia32_cap & ARCH_CAP_PSDP_NO &&

+ ia32_cap & ARCH_CAP_SBDR_SSDP_NO);

+}

+

+ *

+ * Some of the implications and mitigation of Shared Buffers Data

+ * Sampling (SBDS) are similar to SRBDS. Give SBDS same treatment as

+ * SRBDS.

+ cpu_matches(cpu_vuln_blacklist, SRBDS | MMIO_SBDS))

+ /*

+ * Processor MMIO Stale Data bug enumeration

+ *

+ * Affected CPU list is generally enough to enumerate the vulnerability,

+ * but for virtualization case check for ARCH_CAP MSR bits also, VMM may

+ * not want the guest to enumerate the bug.

+ */

+ if (cpu_matches(cpu_vuln_blacklist, MMIO) &&

+ !arch_cap_mmio_immune(ia32_cap))

+ setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);

+

+ if (!cpu_has(c, X86_FEATURE_BTC_NO)) {

+ if (cpu_matches(cpu_vuln_blacklist, RETBLEED) || (ia32_cap & ARCH_CAP_RSBA))

+ setup_force_cpu_bug(X86_BUG_RETBLEED);

+ }

+

+extern void init_spectral_chicken(struct cpuinfo_x86 *c);

+

+ /*

+ * XXX someone from Hygon needs to confirm this DTRT

+ *

+ init_spectral_chicken(c);

+ */

+

+ if (!(l1 & MSR_IA32_MISC_ENABLE_BTS_UNAVAIL))

+ if (!(l1 & MSR_IA32_MISC_ENABLE_PEBS_UNAVAIL))

+static bool hw_injection_possible = true;

+

+ if (i > SW_INJ && !hw_injection_possible)

+ continue;

+static void check_hw_inj_possible(void)

+{

+ int cpu;

+ u8 bank;

+

+ /*

+ * This behavior exists only on SMCA systems though its not directly

+ * related to SMCA.

+ */

+ if (!cpu_feature_enabled(X86_FEATURE_SMCA))

+ return;

+

+ cpu = get_cpu();

+

+ for (bank = 0; bank < MAX_NR_BANKS; ++bank) {

+ u64 status = MCI_STATUS_VAL, ipid;

+

+ /* Check whether bank is populated */

+ rdmsrl(MSR_AMD64_SMCA_MCx_IPID(bank), ipid);

+ if (!ipid)

+ continue;

+

+ toggle_hw_mce_inject(cpu, true);

+

+ wrmsrl_safe(mca_msr_reg(bank, MCA_STATUS), status);

+ rdmsrl_safe(mca_msr_reg(bank, MCA_STATUS), &status);

+

+ if (!status) {

+ hw_injection_possible = false;

+ pr_warn("Platform does not allow *hardware* error injection."

+ "Try using APEI EINJ instead.\n");

+ }

+

+ toggle_hw_mce_inject(cpu, false);

+

+ break;

+ }

+

+ put_cpu();

+}

+

+ check_hw_inj_possible();

+

+ if (cpu_feature_enabled(X86_FEATURE_SMCA)) {

+ * Run the instruction a few times as a sanity check. Also make sure

+ * it's not outputting the same value over and over, which has happened

+ * as a result of past CPU bugs.

+ *

+ * If it fails, it is simple to disable RDRAND and RDSEED here.

+ enum { SAMPLES = 8, MIN_CHANGE = 5 };

+ unsigned long sample, prev;

+ bool failure = false;

+ size_t i, changed;

+ for (changed = 0, i = 0; i < SAMPLES; ++i) {

+ if (!rdrand_long(&sample)) {

+ failure = true;

+ break;

+ changed += i && sample != prev;

+ prev = sample;

+ if (changed < MIN_CHANGE)

+ failure = true;

+ if (failure) {

+ clear_cpu_cap(c, X86_FEATURE_RDRAND);

+ clear_cpu_cap(c, X86_FEATURE_RDSEED);

+ pr_emerg("RDRAND is not reliable on this platform; disabling.\n");

+ { X86_FEATURE_RRSBA_CTRL, CPUID_EDX, 2, 0x00000007, 2 },

+ return !(eax & BIT(VMWARE_CMD_VCPU_RESERVED)) &&

+ (eax & BIT(VMWARE_CMD_LEGACY_X2APIC));

+ * SETUP_EFI and SETUP_IMA are supplied by kexec and do not need

+ * to be reserved.

+ if (data->type != SETUP_EFI && data->type != SETUP_IMA)

+ if (!arch_get_random_longs(&rand, 1)) {

+

+/*

+ * Initialize register state that may prevent from entering low-power idle.

+ * This function will be invoked from the cpuidle driver only when needed.

+ */

+void fpu_idle_fpregs(void)

+{

+ /* Note: AMX_TILE being enabled implies XGETBV1 support */

+ if (cpu_feature_enabled(X86_FEATURE_AMX_TILE) &&

+ (xfeatures_in_use() & XFEATURE_MASK_XTILE)) {

+ tile_release();

+ fpregs_deactivate(&current->thread.fpu);

+ }

+}

+#define RET_SIZE (IS_ENABLED(CONFIG_RETPOLINE) ? 5 : 1 + IS_ENABLED(CONFIG_SLS))

+ if (cpu_feature_enabled(X86_FEATURE_RETHUNK))

+ __text_gen_insn(ip, JMP32_INSN_OPCODE, ip, &__x86_return_thunk, JMP32_INSN_SIZE);

+ else

+ memcpy(ip, retq, sizeof(retq));

+STACK_FRAME_NON_STANDARD_FP(ftrace_caller)

+STACK_FRAME_NON_STANDARD_FP(ftrace_regs_caller)

+STACK_FRAME_NON_STANDARD_FP(__fentry__)

+

+SYM_CODE_START(return_to_handler)

+ UNWIND_HINT_EMPTY

+ ANNOTATE_NOENDBR

+SYM_CODE_END(return_to_handler)

+void __init clear_bss(void)

+ memset(__brk_base, 0,

+ (unsigned long) __brk_limit - (unsigned long) __brk_base);

+#include <asm/nospec-branch.h>

+ ANNOTATE_UNRET_END

+

+ ANNOTATE_UNRET_END

+ ANNOTATE_UNRET_END

+

+#include <linux/random.h>

+enum { RNG_SEED_LENGTH = 32 };

+

+static void

+setup_rng_seed(struct boot_params *params, unsigned long params_load_addr,

+ unsigned int rng_seed_setup_data_offset)

+{

+ struct setup_data *sd = (void *)params + rng_seed_setup_data_offset;

+ unsigned long setup_data_phys;

+

+ if (!rng_is_initialized())

+ return;

+

+ sd->type = SETUP_RNG_SEED;

+ sd->len = RNG_SEED_LENGTH;

+ get_random_bytes(sd->data, RNG_SEED_LENGTH);

+ setup_data_phys = params_load_addr + rng_seed_setup_data_offset;

+ sd->next = params->hdr.setup_data;

+ params->hdr.setup_data = setup_data_phys;

+}

+

+static void

+setup_ima_state(const struct kimage *image, struct boot_params *params,

+ unsigned long params_load_addr,

+ unsigned int ima_setup_data_offset)

+{

+#ifdef CONFIG_IMA_KEXEC

+ struct setup_data *sd = (void *)params + ima_setup_data_offset;

+ unsigned long setup_data_phys;

+ struct ima_setup_data *ima;

+

+ if (!image->ima_buffer_size)

+ return;

+

+ sd->type = SETUP_IMA;

+ sd->len = sizeof(*ima);

+

+ ima = (void *)sd + sizeof(struct setup_data);

+ ima->addr = image->ima_buffer_addr;

+ ima->size = image->ima_buffer_size;

+

+ /* Add setup data */

+ setup_data_phys = params_load_addr + ima_setup_data_offset;

+ sd->next = params->hdr.setup_data;

+ params->hdr.setup_data = setup_data_phys;

+#endif /* CONFIG_IMA_KEXEC */

+}

+

+ unsigned int setup_data_offset)

+ setup_data_offset);

+ setup_data_offset += sizeof(struct setup_data) +

+ sizeof(struct efi_setup_data);

+

+ if (IS_ENABLED(CONFIG_IMA_KEXEC)) {

+ /* Setup IMA log buffer state */

+ setup_ima_state(image, params, params_load_addr,

+ setup_data_offset);

+ setup_data_offset += sizeof(struct setup_data) +

+ sizeof(struct ima_setup_data);

+ }

+

+ /* Setup RNG seed */

+ setup_rng_seed(params, params_load_addr, setup_data_offset);

+

+ sizeof(struct efi_setup_data) +

+ sizeof(struct setup_data) +

+ RNG_SEED_LENGTH;

+

+ if (IS_ENABLED(CONFIG_IMA_KEXEC))

+ kbuf.bufsz += sizeof(struct setup_data) +

+ sizeof(struct ima_setup_data);

+ .verify_sig = kexec_kernel_verify_pe_sig,

+ *retpolines = NULL, *returns = NULL, *ibt_endbr = NULL;

+ if (!strcmp(".return_sites", secstrings + s->sh_name))

+ returns = s;

+ if (returns) {

+ void *rseg = (void *)returns->sh_addr;

+ apply_returns(rseg, rseg + returns->sh_size);

+ }

+

+ rc = platform_device_add(pdev);

+ if (rc)

+ platform_device_put(pdev);

+

+ return rc;

+ write_spec_ctrl_current(msr, false);

+ * Prefer MWAIT over HALT if MWAIT is supported, MWAIT_CPUID leaf

+ * exists and whenever MONITOR/MWAIT extensions are present there is at

+ * least one C1 substate.

+ * Do not prefer MWAIT if MONITOR instruction has a bug or idle=nomwait

+ * is passed to kernel commandline parameter.

+ u32 eax, ebx, ecx, edx;

+

+ /* User has disallowed the use of MWAIT. Fallback to HALT */

+ if (boot_option_idle_override == IDLE_NOMWAIT)

+ /* MWAIT is not supported on this platform. Fallback to HALT */

+ if (!cpu_has(c, X86_FEATURE_MWAIT))

+ /* Monitor has a bug. Fallback to HALT */

+ if (boot_cpu_has_bug(X86_BUG_MONITOR))

+ return 0;

+

+ cpuid(CPUID_MWAIT_LEAF, &eax, &ebx, &ecx, &edx);

+

+ /*

+ * If MWAIT extensions are not available, it is safe to use MWAIT

+ * with EAX=0, ECX=0.

+ */

+ if (!(ecx & CPUID5_ECX_EXTENSIONS_SUPPORTED))

+ return 1;

+

+ /*

+ * If MWAIT extensions are available, there should be at least one

+ * MWAIT C1 substate present.

+ */

+ return (edx & MWAIT_C1_SUBSTATE_MASK);

+ * it means that mwait will be disabled for CPU C1/C2/C3

+ * states.

+#include <asm/nospec-branch.h>

+ * Must be relocatable PIC code callable as a C function, in particular

+ * there must be a plain RET and not jump to return thunk.

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+ ANNOTATE_RETPOLINE_SAFE

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+ * Must be relocatable PIC code callable as a C function, in particular

+ * there must be a plain RET and not jump to return thunk.

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+ ANNOTATE_UNRET_SAFE

+ ret

+ int3

+#include <linux/printk.h>

+#include <asm/pci_x86.h>

+static void remove_e820_regions(struct resource *avail)

+ if (!pci_use_e820)

+ pr_info("clipped %pR to %pR for e820 entry [mem %#010Lx-%#010Lx]\n",

+ if (avail->flags & IORESOURCE_MEM) {

+

+ remove_e820_regions(avail);

+ }

+#include <linux/ima.h>

+#include <linux/random.h>

+#ifdef CONFIG_IMA

+static phys_addr_t ima_kexec_buffer_phys;

+static size_t ima_kexec_buffer_size;

+#endif

+

+static void __init add_early_ima_buffer(u64 phys_addr)

+{

+#ifdef CONFIG_IMA

+ struct ima_setup_data *data;

+

+ data = early_memremap(phys_addr + sizeof(struct setup_data), sizeof(*data));

+ if (!data) {

+ pr_warn("setup: failed to memremap ima_setup_data entry\n");

+ return;

+ }

+

+ if (data->size) {

+ memblock_reserve(data->addr, data->size);

+ ima_kexec_buffer_phys = data->addr;

+ ima_kexec_buffer_size = data->size;

+ }

+

+ early_memunmap(data, sizeof(*data));

+#else

+ pr_warn("Passed IMA kexec data, but CONFIG_IMA not set. Ignoring.\n");

+#endif

+}

+

+#if defined(CONFIG_HAVE_IMA_KEXEC) && !defined(CONFIG_OF_FLATTREE)

+int __init ima_free_kexec_buffer(void)

+{

+ int rc;

+

+ if (!ima_kexec_buffer_size)

+ return -ENOENT;

+

+ rc = memblock_phys_free(ima_kexec_buffer_phys,

+ ima_kexec_buffer_size);

+ if (rc)

+ return rc;

+

+ ima_kexec_buffer_phys = 0;

+ ima_kexec_buffer_size = 0;

+

+ return 0;

+}

+

+int __init ima_get_kexec_buffer(void **addr, size_t *size)

+{

+ if (!ima_kexec_buffer_size)

+ return -ENOENT;

+

+ *addr = __va(ima_kexec_buffer_phys);

+ *size = ima_kexec_buffer_size;

+

+ return 0;

+}

+#endif

+

+ case SETUP_IMA:

+ add_early_ima_buffer(pa_data);

+ break;

+ case SETUP_RNG_SEED:

+ data = early_memremap(pa_data, data_len);

+ add_bootloader_randomness(data->data, data->len);

+ /* Zero seed for forward secrecy. */

+ memzero_explicit(data->data, data->len);

+ /* Zero length in case we find ourselves back here by accident. */

+ memzero_explicit(&data->len, sizeof(data->len));

+ early_memunmap(data, data_len);

+ break;

+static enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb,

+ struct es_em_ctxt *ctxt,

+ u64 exit_code, u64 exit_info_1,

+ u64 exit_info_2)

+ sev_es_wr_ghcb_msr(__pa(ghcb));

+ ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO,

+ ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, exit_info_1, 0);

+ ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_CPUID, 0, 0);

+ ret = sev_es_ghcb_hv_call(ghcb, ctxt, exit_code, 0, 0);

+ ret = sev_es_ghcb_hv_call(ghcb, &ctxt, SVM_VMGEXIT_PSC, 0, 0);

+ ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_MSR, exit_info_1, 0);

+ return sev_es_ghcb_hv_call(ghcb, ctxt, exit_code, exit_info_1, exit_info_2);

+ ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_WRITE_DR7, 0, 0);

+ return sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_WBINVD, 0, 0);

+ ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_RDPMC, 0, 0);

+ ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_VMMCALL, 0, 0);

+ ret = sev_es_ghcb_hv_call(ghcb, &ctxt, exit_code, input->req_gpa, input->resp_gpa);

+ * ud1 %esp, %ecx - a 3 byte #UD that is unique to trampolines, chosen such

+ * that there is no false-positive trampoline identification while also being a

+ * speculation stop.

+ */

+static const u8 tramp_ud[] = { 0x0f, 0xb9, 0xcc };

+

+/*

+static void __ref __static_call_transform(void *insn, enum insn_type type,

+ void *func, bool modinit)

+ if (cpu_feature_enabled(X86_FEATURE_RETHUNK))

+ code = text_gen_insn(JMP32_INSN_OPCODE, insn, &__x86_return_thunk);

+ else

+ code = &retinsn;

+ if (system_state == SYSTEM_BOOTING || modinit)

+ if (tramp && memcmp(insn+5, tramp_ud, 3)) {

+ __static_call_transform(tramp, __sc_insn(!func, true), func, false);

+ __static_call_transform(site, __sc_insn(!func, tail), func, false);

+

+#ifdef CONFIG_RETHUNK

+/*

+ * This is called by apply_returns() to fix up static call trampolines,

+ * specifically ARCH_DEFINE_STATIC_CALL_NULL_TRAMP which is recorded as

+ * having a return trampoline.

+ *

+ * The problem is that static_call() is available before determining

+ * X86_FEATURE_RETHUNK and, by implication, running alternatives.

+ *

+ * This means that __static_call_transform() above can have overwritten the

+ * return trampoline and we now need to fix things up to be consistent.

+ */

+bool __static_call_fixup(void *tramp, u8 op, void *dest)

+{

+ if (memcmp(tramp+5, tramp_ud, 3)) {

+ /* Not a trampoline site, not our problem. */

+ return false;

+ }

+

+ mutex_lock(&text_mutex);

+ if (op == RET_INSN_OPCODE || dest == &__x86_return_thunk)

+ __static_call_transform(tramp, RET, NULL, true);

+ mutex_unlock(&text_mutex);

+

+ return true;

+}

+#endif

+ *(.text.__x86.*)

+

+ . = ALIGN(8);

+ .return_sites : AT(ADDR(.return_sites) - LOAD_OFFSET) {

+ __return_sites = .;

+ *(.return_sites)

+ __return_sites_end = .;

+ }

+ *(.bss..brk) /* areas brk users have reserved */