x86/bugs: Workaround for incorrectly set X86_BUG_RETBLEED under VMware

Waiman-Long · Waiman-Long · commit 890c306689eb · 2023-06-30T13:23:00.000-04:00
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2189577 Upstream Status: RHEL only It is found that VMware hypervisor may incorrectly set the ARCH_CAP_RSBA bit (RET may use alternative branch predictors) of the MSR_IA32_ARCH_CAPABILITIES MSR on some older Intel processors like Haswell which is not affected by RETBleed. This causes the RHEL kernel to think that the processor is vulnerable to RETBleed and hence sets X86_BUG_RETBLEED. This has the side effect of forcing the use of IBRS as Spectre v2 mitigation for processors that have it which can have a significant performance impact. Since it is known that Intel CPUs before Skylake are not speculative enough to be susceptible to RETBleed, we can work around this VMware issue by putting some of the Intel CPUs before Skylake (Westmere, SandyBridge, IvyBridge, Haswell, Broadwell) in a new whitelist and checking that list before setting X86_BUG_RETBLEED. For other hypervisors or bare metal that does not have the bug, the new code will not be activated on those older Intel processors since the ARCH_CAP_RSBA bit should not be set. Signed-off-by: Waiman Long <longman@redhat.com>
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
@@ -176,6 +176,37 @@ void __init setup_cpu_local_masks(void)
 	alloc_bootmem_cpumask_var(&cpu_sibling_setup_mask);
 }
 
+/*
+ * It is known that Intel family 6 CPUs before Skylake are not vulnerable
+ * to Retbleed.
+ */
+static const bool cpu_in_retbleed_whitelist(struct cpuinfo_x86 *c)
+{
+	static const bool retbleed_whitelist[] = {
+		[INTEL_FAM6_WESTMERE]		= true,
+		[INTEL_FAM6_WESTMERE_EP]	= true,
+		[INTEL_FAM6_WESTMERE_EX]	= true,
+		[INTEL_FAM6_SANDYBRIDGE]	= true,
+		[INTEL_FAM6_SANDYBRIDGE_X]	= true,
+		[INTEL_FAM6_IVYBRIDGE]		= true,
+		[INTEL_FAM6_IVYBRIDGE_X]	= true,
+		[INTEL_FAM6_HASWELL]		= true,
+		[INTEL_FAM6_HASWELL_X]		= true,
+		[INTEL_FAM6_HASWELL_L]		= true,
+		[INTEL_FAM6_HASWELL_G]		= true,
+		[INTEL_FAM6_BROADWELL]		= true,
+		[INTEL_FAM6_BROADWELL_G]	= true,
+		[INTEL_FAM6_BROADWELL_X]	= true,
+		[INTEL_FAM6_BROADWELL_D]	= true,
+	};
+
+	if ((c->x86_vendor != X86_VENDOR_INTEL) || (c->x86 != 6) ||
+	    (c->x86_model >= ARRAY_SIZE(retbleed_whitelist)))
+		return false;
+	else
+		return retbleed_whitelist[c->x86_model];
+}
+
 static void default_init(struct cpuinfo_x86 *c)
 {
 #ifdef CONFIG_X86_64
@@ -1414,7 +1445,8 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
 	}
 
 	if (!cpu_has(c, X86_FEATURE_BTC_NO)) {
-		if (cpu_matches(cpu_vuln_blacklist, RETBLEED) || (ia32_cap & ARCH_CAP_RSBA))
+		if (cpu_matches(cpu_vuln_blacklist, RETBLEED) ||
+		   ((ia32_cap & ARCH_CAP_RSBA) && !cpu_in_retbleed_whitelist(c)))
 			setup_force_cpu_bug(X86_BUG_RETBLEED);
 	}
 
