diff --git a/patches.suse/x86-speculation-warn-about-spectre-v2-lfence-mitigation.patch b/patches.suse/x86-speculation-warn-about-spectre-v2-lfence-mitigation.patch
new file mode 100644
index 0000000..d0142b6
--- /dev/null
+++ b/patches.suse/x86-speculation-warn-about-spectre-v2-lfence-mitigation.patch
@@ -0,0 +1,62 @@
+From: Josh Poimboeuf
+Date: Fri, 25 Feb 2022 14:31:49 -0800
+Subject: x86/speculation: Warn about Spectre v2 LFENCE mitigation
+Git-commit: eafd987d4a82c7bb5aa12f0e3b4f8f3dea93e678
+Patch-mainline: v5.17 or v5.17-rc8 (next release)
+References: bsc#1191580 CVE-2022-0001 CVE-2022-0002
+
+With:
+
+ f8a66d608a3e ("x86,bugs: Unconditionally allow spectre_v2=retpoline,amd")
+
+it became possible to enable the LFENCE "retpoline" on Intel. However,
+Intel doesn't recommend it, as it has some weaknesses compared to
+retpoline.
+
+Now AMD doesn't recommend it either.
+
+It can still be left available as a cmdline option. It's faster than
+retpoline but is weaker in certain scenarios -- particularly SMT, but
+even non-SMT may be vulnerable in some cases.
+
+So just unconditionally warn if the user requests it on the cmdline.
+
+ [ bp: Massage commit message. ]
+
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Borislav Petkov
+---
+ arch/x86/kernel/cpu/bugs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index a36bfe2c2480..cfd116423908 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -651,6 +651,7 @@ static inline const char *spectre_v2_module_string(void)
+ static inline const char *spectre_v2_module_string(void) { return ""; }
+ #endif
+ 
++#define SPECTRE_V2_LFENCE_MSG "WARNING: LFENCE mitigation is not recommended for this CPU, data leaks possible!\n"
+ #define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
+ 
+ #ifdef CONFIG_BPF_SYSCALL
+@@ -972,6 +973,7 @@ static void __init spectre_v2_select_mitigation(void)
+ break;
+ 
+ case SPECTRE_V2_CMD_RETPOLINE_LFENCE:
++ pr_err(SPECTRE_V2_LFENCE_MSG);
+ mode = SPECTRE_V2_LFENCE;
+ break;
+ 
+@@ -1787,6 +1789,9 @@ static char *ibpb_state(void)
+ 
+ static ssize_t spectre_v2_show_state(char *buf)
+ {
++ if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
++ return sprintf(buf, "Vulnerable: LFENCE\n");
++
+ if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
+ return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
+ 
+
diff --git a/series.conf b/series.conf
index 95d0666..8ce7874 100644
--- a/series.conf
+++ b/series.conf
@@ -8272,6 +8272,7 @@
 patches.suse/documentation-hw-vuln-update-spectre-doc.patch
 patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch
 patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch
+ patches.suse/x86-speculation-warn-about-spectre-v2-lfence-mitigation.patch
 # jejb/scsi for-next
 patches.suse/scsi-smartpqi-Add-PCI-IDs
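Review bot: The new `pr_err(SPECTRE_V2_LFENCE_MSG)` is emitted only in the `SPECTRE_V2_CMD_RETPOLINE_LFENCE` arm of `spectre_v2_select_mitigation`, so any other path in this backported tree that still ends with `mode = SPECTRE_V2_LFENCE` would select the weaker mitigation without a log line, and only the sysfs string from `spectre_v2_show_state` would reveal it. Whether such a path survives cannot be seen from this hunk; the preceding `x86-speculation-use-generic-retpoline-by-default-on-amd.patch` in series.conf should have removed the AMD auto-selection, but the backport is worth checking for any remaining fallback to LFENCE. If one remains, a single check after the switch covers every path: `if (mode == SPECTRE_V2_LFENCE) pr_err(SPECTRE_V2_LFENCE_MSG);`. Note also that the sysfs report for LFENCE systems changes from a "Mitigation:" line to "Vulnerable: LFENCE", which is intended but will reclassify those hosts in any scanner that keys on the prefix, so it deserves a mention in the patch description. Both `spectre_v2_select_mitigation` and `spectre_v2_show_state` start and end outside the hunk.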