If enhanced IBRS is in use, a malicious application running on a CPU is unable to exploit Spectre v2 vulnerability on applications running on its hyperthread sibling. Using STIBP to mitigate Spectre v2 against exploit from hyperthread sibling is redundant.
This patch disables STIBP when enhanced IBRS is used for migitigating Spectre v2. Signed-off-by: Tim Chen <[email protected]> --- arch/x86/kernel/cpu/bugs.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index 6095c9d..eb07ab6 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -324,9 +324,17 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void) static bool stibp_needed(void) { + /* + * Determine if STIBP should be always on. + * Using enhanced IBRS makes using STIBP unnecessary. + */ + if (spectre_v2_enabled == SPECTRE_V2_NONE) return false; + if (static_cpu_has(X86_FEATURE_USE_IBRS_ENHANCED)) + return false; + if (!boot_cpu_has(X86_FEATURE_STIBP)) return false; @@ -854,6 +862,9 @@ static ssize_t l1tf_show_state(char *buf) static char *stibp_state(void) { + if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) + return ""; + if (x86_spec_ctrl_base & SPEC_CTRL_STIBP) return ", STIBP"; else -- 2.9.4
