Commit 545fbdbf authored by Daniel Sneddon's avatar Daniel Sneddon Committed by Zeng Heng
Browse files

x86/speculation: Add Kconfig option for GDS 

mainline inclusion
from mainline-v6.5-rc6
commit 53cf5797
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7XLNT
CVE: CVE-2022-40982

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=53cf5797f114ba2bd86d23a862302119848eff19



---------------------------

commit 53cf5797 upstream

Gather Data Sampling (GDS) is mitigated in microcode. However, on
systems that haven't received the updated microcode, disabling AVX
can act as a mitigation. Add a Kconfig option that uses the microcode
mitigation if available and disables AVX otherwise. Setting this
option has no effect on systems not affected by GDS. This is the
equivalent of setting gather_data_sampling=force.

Signed-off-by: default avatarDaniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
Acked-by: default avatarJosh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: default avatarDaniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarZeng Heng <zengheng4@huawei.com>
parent 204b8244

arch/x86/Kconfig

+19 −0
Original line number Diff line number Diff line
@@ -2476,6 +2476,25 @@ config ARCH_ENABLE_SPLIT_PMD_PTLOCK 
	def_bool y

	depends on X86_64 || X86_PAE



config GDS_FORCE_MITIGATION

	bool "Force GDS Mitigation"

	depends on CPU_SUP_INTEL

	default n

	help

	  Gather Data Sampling (GDS) is a hardware vulnerability which allows

	  unprivileged speculative access to data which was previously stored in

	  vector registers.



	  This option is equivalent to setting gather_data_sampling=force on the

	  command line. The microcode mitigation is used if present, otherwise

	  AVX is disabled as a mitigation. On affected systems that are missing

	  the microcode any userspace code that unconditionally uses AVX will

	  break with this option set.



	  Setting this option on systems not vulnerable to GDS has no effect.



	  If in doubt, say N.



config ARCH_ENABLE_HUGEPAGE_MIGRATION

	def_bool y

	depends on X86_64 && HUGETLB_PAGE && MIGRATION

arch/x86/kernel/cpu/bugs.c

+4 −0
Original line number Diff line number Diff line
@@ -652,7 +652,11 @@ enum gds_mitigations { 
	GDS_MITIGATION_HYPERVISOR,

};



#if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)

static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE;

#else

static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;

#endif



static const char * const gds_strings[] = {

	[GDS_MITIGATION_OFF]		= "Vulnerable",