Linux 6.15 Adds AMD Zen 5 SRSO Mitigation For KVM, Preps For Attack Vector Controls
While there is a lot of exciting new x86_64 CPU features coming with Linux 6.15, there is also some of the not so fun changes too: namely the "x86/bugs" pull request to bring the latest CPU security mitigation work to the mainline kernel.
The x86/bugs pull request has been merged for the Linux 6.15 kernel. This time around it has a new mitigation on the AMD side in enabling support for a new Speculative Return Stack Overflow (SRSO) mitigation for Zen 5 processors for that vulnerability dubbed "Inception". This new Zen 5 specific SRSO mitigation is for the Kernel-based Virtual Machine (KVM) and labeled as SRSO_MSR_FIX.
This new mitigation for Zen 5 Ryzen and EPYC processors is what began last year with Linux Prepares AMD "SRSO_USER_KERNEL_NO" Support For Zen 5 CPUs. With Linux 6.15 the mitigation is landing in refined form:
This doesn't change things outside the context of virtual machine (VM) use with Zen 5 processors.
Separately, the x86/bugs pull request has some preparatory patches to begin angling the Linux kernel to allow mitigating by attack vectors rather than controlling single vulnerabilities. That work isn't over the finish line with just some prep patches making it for Linux 6.15, but the topic is discussed further within Linux Attack Vector Controls Updated To More Easily Controlling CPU Security Mitigations.
More details within the x86/bugs pull request that has been merged to Linux 6.15 Git.
The x86/bugs pull request has been merged for the Linux 6.15 kernel. This time around it has a new mitigation on the AMD side in enabling support for a new Speculative Return Stack Overflow (SRSO) mitigation for Zen 5 processors for that vulnerability dubbed "Inception". This new Zen 5 specific SRSO mitigation is for the Kernel-based Virtual Machine (KVM) and labeled as SRSO_MSR_FIX.
This new mitigation for Zen 5 Ryzen and EPYC processors is what began last year with Linux Prepares AMD "SRSO_USER_KERNEL_NO" Support For Zen 5 CPUs. With Linux 6.15 the mitigation is landing in refined form:
"Add support for
CPUID Fn8000_0021_EAX[31] (SRSO_MSR_FIX). If this bit is 1, it indicates that software may use MSR BP_CFG[BpSpecReduce] to mitigate SRSO.
Enable BpSpecReduce to mitigate SRSO across guest/host boundaries.
Switch back to enabling the bit when virtualization is enabled and to clear the bit when virtualization is disabled because using a MSR slot would clear the bit when the guest is exited and any training the guest has done, would potentially influence the host kernel when execution enters the kernel and hasn't VMRUN the guest yet."
This doesn't change things outside the context of virtual machine (VM) use with Zen 5 processors.
Separately, the x86/bugs pull request has some preparatory patches to begin angling the Linux kernel to allow mitigating by attack vectors rather than controlling single vulnerabilities. That work isn't over the finish line with just some prep patches making it for Linux 6.15, but the topic is discussed further within Linux Attack Vector Controls Updated To More Easily Controlling CPU Security Mitigations.
More details within the x86/bugs pull request that has been merged to Linux 6.15 Git.