diff options
| author | Pawan Gupta <pawan.kumar.gupta@linux.intel.com> | 2024-03-11 18:57:09 +0300 |
|---|---|---|
| committer | Thomas Gleixner <tglx@linutronix.de> | 2024-04-08 20:27:06 +0300 |
| commit | 95a6ccbdc7199a14b71ad8901cb788ba7fb5167b (patch) | |
| tree | 2756d1354b90ff94be54ba551fbe6570365d2bf7 /arch/x86/kvm/vmx | |
| parent | ec9404e40e8f36421a2b66ecb76dc2209fe7f3ef (diff) | |
| download | linux-95a6ccbdc7199a14b71ad8901cb788ba7fb5167b.tar.xz | |
x86/bhi: Mitigate KVM by default
BHI mitigation mode spectre_bhi=auto does not deploy the software
mitigation by default. In a cloud environment, it is a likely scenario
where userspace is trusted but the guests are not trusted. Deploying
system wide mitigation in such cases is not desirable.
Update the auto mode to unconditionally mitigate against malicious
guests. Deploy the software sequence at VMexit in auto mode also, when
hardware mitigation is not available. Unlike the force =on mode,
software sequence is not deployed at syscalls in auto mode.
Suggested-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
Diffstat (limited to 'arch/x86/kvm/vmx')
| -rw-r--r-- | arch/x86/kvm/vmx/vmenter.S | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S index 0f3593e10c57..f6986dee6f8c 100644 --- a/arch/x86/kvm/vmx/vmenter.S +++ b/arch/x86/kvm/vmx/vmenter.S @@ -275,7 +275,7 @@ SYM_INNER_LABEL_ALIGN(vmx_vmexit, SYM_L_GLOBAL) call vmx_spec_ctrl_restore_host - CLEAR_BRANCH_HISTORY + CLEAR_BRANCH_HISTORY_VMEXIT /* Put return value in AX */ mov %_ASM_BX, %_ASM_AX |