x86/bugs: Add attack vector controls for SRSO

Use attack vector controls to determine if SRSO mitigation is required. Signed-off-by: David Kaplan <david.kaplan@amd.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Link: https://lore.kernel.org/20250707183316.1349127-18-david.kaplan@amd.com
author: David Kaplan <david.kaplan@amd.com> 2025-07-07 13:33:12 -0500
committer: Borislav Petkov (AMD) <bp@alien8.de> 2025-07-11 17:56:41 +0200
commit: eda718fde6159b2e64978637ebb3f1ae98180555 (patch)
tree: 7c6677df87b412fb9e7273c68fd82f013c6134d2 /arch/x86/kernel/cpu/bugs.c
parent: 2f970a526975f4437bdc9a4ba550ecc7e66d861d (diff)
1 files changed, 10 insertions, 5 deletions
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 2128623252a4..eef6ccd17c79 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -3123,14 +3123,19 @@ early_param("spec_rstack_overflow", srso_parse_cmdline);
 
 static void __init srso_select_mitigation(void)
 {
-	if (!boot_cpu_has_bug(X86_BUG_SRSO) || cpu_mitigations_off())
+	if (!boot_cpu_has_bug(X86_BUG_SRSO)) {
 		srso_mitigation = SRSO_MITIGATION_NONE;
-
-	if (srso_mitigation == SRSO_MITIGATION_NONE)
 		return;
+	}
 
-	if (srso_mitigation == SRSO_MITIGATION_AUTO)
-		srso_mitigation = SRSO_MITIGATION_SAFE_RET;
+	if (srso_mitigation == SRSO_MITIGATION_AUTO) {
+		if (should_mitigate_vuln(X86_BUG_SRSO)) {
+			srso_mitigation = SRSO_MITIGATION_SAFE_RET;
+		} else {
+			srso_mitigation = SRSO_MITIGATION_NONE;
+			return;
+		}
+	}
 
 	/* Zen1/2 with SMT off aren't vulnerable to SRSO. */
 	if (boot_cpu_data.x86 < 0x19 && !cpu_smt_possible()) {
author	David Kaplan <david.kaplan@amd.com>	2025-07-07 13:33:12 -0500
committer	Borislav Petkov (AMD) <bp@alien8.de>	2025-07-11 17:56:41 +0200
commit	eda718fde6159b2e64978637ebb3f1ae98180555 (patch)
tree	7c6677df87b412fb9e7273c68fd82f013c6134d2 /arch/x86/kernel/cpu/bugs.c
parent	2f970a526975f4437bdc9a4ba550ecc7e66d861d (diff)