[6.6]Use Hygon IBRS and IBPB rather than software-based mitigation to mitigate Retbleed and SRSO.

[wildfreedom]

Description:

Hygon IBRS is different from AMD's Auto IBRS. It mitigates vulnerabilities based on the predicted branch type rather than the actual branch type; therefore, it can mitigate both Retbleed and SRSO by preventing predicted branch types from being used in the kernel. We leverage Hygon IBRS for Retbleed and SRSO mitigation, which avoids the performance degradation caused by software-based mitigation methods.

Summary by Sourcery

Leverage Hygon enhanced IBRS and configurable IBPB behavior to mitigate Retbleed and SRSO on Hygon processors instead of relying solely on software-based mitigations.

New Features:

• Add support for using enhanced IBRS as a Retbleed mitigation on Hygon CPUs when appropriate Spectre v2 modes are enabled.
• Add a new SRSO mitigation mode using enhanced IBRS on Hygon processors, including reporting via sysfs.
• Introduce a Hygon-specific kernel parameter to control whether IBPB flushes all branch types or only indirect branches and wire it into mitigation selection.
• Enable Hygon CPUs to automatically flush RAS on privilege level changes via MSR configuration as part of vulnerability mitigation.

Enhancements:

• Adjust speculation control initialization so Hygon CPUs advertise enhanced IBRS capability instead of generic IBRS.
• Refine Retbleed sysfs reporting to correctly describe SMT protection status when Hygon enhanced IBRS is in use.
• Add a helper to determine whether IBPB can flush all branch types on Hygon systems and integrate it into SRSO mitigation logic.

[sourcery-ai]

Reviewer's Guide

This PR updates the x86 Hygon CPU mitigation paths to prefer hardware-based Enhanced IBRS and IBPB capabilities for Retbleed and SRSO, introduces Hygon‑specific IBPB branch-type control via cmdline and MSR programming, wires up eIBRS-based mitigations into the generic bugs/mitigation selection logic, and adds an early Hygon RAS flush mitigation hook.

Sequence diagram for Hygon SRSO mitigation selection with eIBRS and IBPB

sequenceDiagram
    participant Boot
    participant CPU as boot_cpu_data
    participant Bugs as srso_select_mitigation
    participant IBPB as ibpb_can_flush_all

    Boot->>Bugs: srso_select_mitigation()
    Bugs->>CPU: boot_cpu_has X86_BUG_SRSO
    CPU-->>Bugs: result
    Bugs->>CPU: cpu_mitigations_off()
    CPU-->>Bugs: result

    alt Hygon vendor
        Bugs->>CPU: check X86_FEATURE_IBPB_BRTYPE
        CPU-->>Bugs: has_microcode
        Bugs->>IBPB: ibpb_can_flush_all()
        IBPB->>CPU: read x86_vendor, x86, x86_model, ibpb_brtype
        alt family 0x18 and model <= 0x3
            IBPB-->>Bugs: true (IBPB flushes all branches)
        else family 0x18 and model > 0x3 and ibpb_brtype == IBPB_FLUSH_ALL
            IBPB->>CPU: msr_set_bit MSR_ZEN4_BP_CFG IBPB_FLUSH_ALL_BIT
            IBPB-->>Bugs: true
        else other Hygon config
            IBPB-->>Bugs: false
        end
        Bugs->>Bugs: has_microcode = ibpb_can_flush_all result
    else non-Hygon
        Bugs->>CPU: boot_cpu_has X86_FEATURE_IBPB_BRTYPE
        CPU-->>Bugs: has_microcode
    end

    Bugs->>CPU: read spectre_v2_enabled
    alt Hygon with eIBRS mode
        Bugs->>Bugs: srso_mitigation = SRSO_MITIGATION_EIBRS
        Bugs->>Boot: print srso_strings[SRSO_MITIGATION_EIBRS] + microcode info
        Bugs-->>Boot: return
    else other vendors or non-eIBRS
        Bugs->>Bugs: choose mitigation based on srso_cmd and has_microcode
        Bugs-->>Boot: return
    end

Loading

Sequence diagram for Hygon Retbleed mitigation selection with eIBRS

sequenceDiagram
    participant Boot
    participant CPU as boot_cpu_data
    participant Bugs as retbleed_select_mitigation

    Boot->>Bugs: retbleed_select_mitigation()
    Bugs->>Bugs: determine default retbleed_mitigation

    alt Hygon vendor
        Bugs->>CPU: read x86_vendor
        CPU-->>Bugs: X86_VENDOR_HYGON
        Bugs->>CPU: read spectre_v2_enabled
        alt spectre_v2_enabled in {SPECTRE_V2_EIBRS, SPECTRE_V2_EIBRS_RETPOLINE, SPECTRE_V2_EIBRS_LFENCE}
            Bugs->>Bugs: retbleed_mitigation = RETBLEED_MITIGATION_EIBRS
        else non-eIBRS Spectre v2 mode
            Bugs->>Bugs: keep previously selected mitigation
        end
    else non-Hygon vendor
        Bugs->>Bugs: keep previously selected mitigation
    end

    Bugs->>CPU: apply mitigation (setup caps, IBPB, etc.) based on retbleed_mitigation
    Bugs-->>Boot: return

Loading

Sequence diagram for early Hygon CPU vulnerability mitigation and eIBRS capability setup

sequenceDiagram
    participant Boot
    participant Hygon as early_init_hygon
    participant Vul as cpu_vul_mitigation
    participant Common as init_speculation_control
    participant CPU as cpuinfo_x86

    Boot->>Hygon: early_init_hygon(cpuinfo_x86)
    Hygon->>Hygon: early_init_hygon_mc(cpuinfo_x86)
    Hygon->>Vul: cpu_vul_mitigation()

    Vul->>CPU: read x86, x86_model
    alt family 0x18 and model > 0x3
        Vul->>CPU: msr_set_bit MSR_ZEN4_BP_CFG IBRS_FLUSH_RAS_BIT
    else other Hygon models
        Vul->>Vul: no RAS flush MSR change
    end

    Hygon->>CPU: set_cpu_cap X86_FEATURE_K8
    Hygon->>CPU: rdmsr_safe MSR_AMD64_PATCH_LEVEL
    Hygon-->>Boot: return

    Boot->>Common: init_speculation_control(cpuinfo_x86)
    Common->>CPU: cpu_has X86_FEATURE_SPEC_CTRL
    alt SPEC_CTRL available
        Common->>CPU: check x86_vendor
        alt Hygon vendor
            Common->>CPU: set_cpu_cap X86_FEATURE_IBRS_ENHANCED
        else non-Hygon vendor
            Common->>CPU: set_cpu_cap X86_FEATURE_IBRS
        end
        Common->>CPU: set_cpu_cap X86_FEATURE_IBPB
        Common->>CPU: set_cpu_cap X86_FEATURE_MSR_SPEC_CTRL
    end

    Common->>CPU: cpu_has X86_FEATURE_AMD_IBRS
    alt AMD_IBRS available
        Common->>CPU: check x86_vendor
        alt Hygon vendor
            Common->>CPU: set_cpu_cap X86_FEATURE_IBRS_ENHANCED
        else non-Hygon vendor
            Common->>CPU: set_cpu_cap X86_FEATURE_IBRS
        end
        Common->>CPU: set_cpu_cap X86_FEATURE_MSR_SPEC_CTRL
    end

    Common-->>Boot: return

Loading

Class diagram for new and updated Hygon mitigation-related types and functions

classDiagram
    class cpuinfo_x86 {
        int x86
        int x86_model
        int x86_vendor
        u32 microcode
    }

    class ibpb_brtype_cmd {
        <<enum>>
        IBPB_FLUSH_IND
        IBPB_FLUSH_ALL
    }

    class srso_mitigation {
        <<enum>>
        SRSO_MITIGATION_NONE
        SRSO_MITIGATION_AUTO
        SRSO_MITIGATION_MICROCODE
        SRSO_MITIGATION_SAFE_RET
        SRSO_MITIGATION_IBPB
        SRSO_MITIGATION_IBPB_ON_VMEXIT
        SRSO_MITIGATION_EIBRS
    }

    class retbleed_mitigation_enum {
        <<enum>>
        RETBLEED_MITIGATION_UNRET
        RETBLEED_MITIGATION_IBPB
        RETBLEED_MITIGATION_EIBRS
        RETBLEED_MITIGATION_NONE
    }

    class cpu_vul_mitigation {
        +void cpu_vul_mitigation()
    }

    class early_init_hygon {
        +void early_init_hygon(cpuinfo_x86 c)
    }

    class init_speculation_control {
        +void init_speculation_control(cpuinfo_x86 c)
    }

    class ibpb_brtype_cmdline {
        +int ibpb_brtype_cmdline(char str)
    }

    class ibpb_can_flush_all_fn {
        +bool ibpb_can_flush_all()
    }

    class x86_spec_ctrl_setup_ap {
        +void x86_spec_ctrl_setup_ap()
    }

    class srso_select_mitigation_fn {
        +void srso_select_mitigation()
    }

    class retbleed_select_mitigation_fn {
        +void retbleed_select_mitigation()
    }

    class retbleed_show_state_fn {
        +ssize_t retbleed_show_state(char buf)
    }

    class Globals {
        <<global>>
        ibpb_brtype_cmd ibpb_brtype
        srso_mitigation srso_mitigation
        retbleed_mitigation_enum retbleed_mitigation
        int spectre_v2_enabled
    }

    early_init_hygon --> cpu_vul_mitigation : calls
    early_init_hygon --> cpuinfo_x86 : uses

    cpu_vul_mitigation --> cpuinfo_x86 : reads vendor, family, model

    init_speculation_control --> cpuinfo_x86 : uses
    init_speculation_control --> Globals : sets IBRS or IBRS_ENHANCED

    ibpb_brtype_cmdline --> ibpb_brtype_cmd : sets value
    ibpb_brtype_cmdline --> Globals : updates ibpb_brtype

    ibpb_can_flush_all_fn --> cpuinfo_x86 : reads vendor, family, model
    ibpb_can_flush_all_fn --> Globals : reads ibpb_brtype

    x86_spec_ctrl_setup_ap --> Globals : reads ibpb_brtype
    x86_spec_ctrl_setup_ap --> cpuinfo_x86 : reads vendor, family, model

    srso_select_mitigation_fn --> ibpb_can_flush_all_fn : calls
    srso_select_mitigation_fn --> Globals : sets srso_mitigation

    retbleed_select_mitigation_fn --> Globals : sets retbleed_mitigation

    retbleed_show_state_fn --> Globals : reads retbleed_mitigation and spectre_v2_enabled

Loading

File-Level Changes

Change	Details	Files
Prefer Enhanced IBRS-based Retbleed mitigation on Hygon CPUs when Spectre v2 eIBRS modes are enabled.	Extend retbleed mitigation selection to check for Hygon vendor and Spectre v2 eIBRS modes. Set retbleed_mitigation to the existing RETBLEED_MITIGATION_EIBRS mode for eligible Hygon processors. Keep existing mitigation selection logic as fallback when eIBRS is not active.	arch/x86/kernel/cpu/bugs.c
Add Hygon-specific IBPB branch-type control and wiring into SRSO mitigation selection and AP setup.	Introduce an ibpb_brtype enum and global to distinguish between flushing all branches vs only indirect branches. Add ibpb_brtype kernel parameter parsing (ibpb-all/ibpb-ind) restricted to Hygon, defaulting to flush-all. Program MSR_ZEN4_BP_CFG bit 55 on Hygon Family 0x18, models > 3, when full-branch flushing is requested during AP speculation control setup. Add ibpb_can_flush_all() helper to drive has_microcode behavior for SRSO based on Hygon IBPB capabilities. Use ibpb_can_flush_all() for Hygon in srso_select_mitigation() to decide whether hardware microcode-like support is present.	arch/x86/kernel/cpu/bugs.c
Introduce an eIBRS-based SRSO mitigation mode and prefer it on Hygon when available.	Extend srso_mitigation enum and srso_strings with SRSO_MITIGATION_EIBRS and its user-visible string. In srso_select_mitigation(), when running on Hygon and Spectre v2 eIBRS modes are enabled, select SRSO_MITIGATION_EIBRS and emit a pr_info including whether microcode-like support is present. Fall back to existing SRSO mitigation selection when eIBRS is not usable.	arch/x86/kernel/cpu/bugs.c
Adjust Retbleed sysfs reporting on Hygon to account for eIBRS-based SMT protection instead of only STIBP state.	Special-case Hygon in retbleed_show_state() to report SMT as protected if either Spectre v2 is in eIBRS mode or strict STIBP modes are active. Retain the existing non-Hygon SMT vulnerability logic for other vendors.	arch/x86/kernel/cpu/bugs.c
Enable early Hygon-specific CPU vulnerability mitigation via automatic RAS flush on privilege changes.	Define IBRS_FLUSH_RAS_BIT and add a cpu_vul_mitigation() helper in Hygon CPU init code. In cpu_vul_mitigation(), for Hygon Family 0x18 with model > 3, set MSR_ZEN4_BP_CFG bit 56 to automatically flush RAS on low-to-high privilege transitions as an RSB mitigation. Invoke cpu_vul_mitigation() from early_init_hygon() before setting general Hygon caps.	arch/x86/kernel/cpu/hygon.c
Advertise Enhanced IBRS capability instead of legacy IBRS on Hygon CPUs when appropriate speculation control features are present.	In init_speculation_control(), when SPEC_CTRL MSR is available, set X86_FEATURE_IBRS_ENHANCED instead of X86_FEATURE_IBRS for Hygon; keep existing behavior for other vendors. Similarly, when AMD_IBRS is present, mark IBRS_ENHANCED for Hygon instead of IBRS, while still setting X86_FEATURE_MSR_SPEC_CTRL. Leave all non-Hygon CPU feature handling unchanged.	arch/x86/kernel/cpu/common.c

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[deepin-ci-robot]

Hi @wildfreedom. Thanks for your PR. 😃

[deepin-ci-robot]

Hi @wildfreedom. Thanks for your PR.

I'm waiting for a deepin-community member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Avenger-285714]

/ok-to-test

[sourcery-ai]

Hey - I've left some high level feedback:

• Consider making ibpb_can_flush_all() static (and possibly __init) since it is only used within bugs.c, to avoid exporting unnecessary global symbols.
• The new pr_err() in ibpb_brtype_cmdline() is missing a trailing newline, which is inconsistent with the surrounding logging style and will produce slightly messy dmesg output.
• The logic for setting MSR_ZEN4_BP_CFG is now duplicated in several places (cpu_vul_mitigation(), ibpb_can_flush_all(), x86_spec_ctrl_setup_ap()); consider factoring the Hygon family/model checks and MSR bit programming into a common helper to keep the behavior consistent and easier to maintain.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider making `ibpb_can_flush_all()` `static` (and possibly `__init`) since it is only used within `bugs.c`, to avoid exporting unnecessary global symbols.
- The new `pr_err()` in `ibpb_brtype_cmdline()` is missing a trailing newline, which is inconsistent with the surrounding logging style and will produce slightly messy dmesg output.
- The logic for setting `MSR_ZEN4_BP_CFG` is now duplicated in several places (`cpu_vul_mitigation()`, `ibpb_can_flush_all()`, `x86_spec_ctrl_setup_ap()`); consider factoring the Hygon family/model checks and MSR bit programming into a common helper to keep the behavior consistent and easier to maintain.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

This PR updates x86 speculation/vulnerability mitigation logic to prefer Hygon hardware features (enhanced IBRS behavior and configurable IBPB behavior) over software-based mitigations for Retbleed and SRSO on Hygon CPUs.

Changes:

• Enable Hygon-specific MSR configuration to automatically flush RAS on privilege level changes as part of return/RSB-related mitigation.
• Advertise X86_FEATURE_IBRS_ENHANCED for Hygon CPUs during speculation-control capability initialization.
• Add a Hygon-only ibpb_brtype= early boot parameter and integrate it into SRSO/Retbleed mitigation selection and sysfs reporting.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

File	Description
arch/x86/kernel/cpu/hygon.c	Adds Hygon MSR configuration to flush RAS automatically during privilege level changes.
arch/x86/kernel/cpu/common.c	Marks Hygon CPUs as supporting enhanced IBRS capability during speculation control init.
arch/x86/kernel/cpu/bugs.c	Prefers eIBRS on Hygon for Retbleed/SRSO, adds ibpb_brtype param, and updates mitigation logic/reporting.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Macro name IBRS_FLUSH_RAS_BIT is ambiguous (it’s a bit index for MSR_ZEN4_BP_CFG). Consider renaming it to reflect the MSR/field (e.g., MSR_ZEN4_BP_CFG_*_BIT) to avoid confusion with MSR_SPEC_CTRL/IBRS itself.

[Copilot]

Comment typo/capitalization: sentence starts with "it's" but should be "It's".

Suggested change

	* it's used as rsb mitigation instead of RSB filling.
	* It's used as rsb mitigation instead of RSB filling.

[Copilot]

Comment acronym casing: "rsb" should be capitalized as "RSB" for consistency with other kernel comments (and the same line already uses "RSB filling").

Suggested change

	* it's used as rsb mitigation instead of RSB filling.
	* it's used as RSB mitigation instead of RSB filling.

[Copilot]

ibpb_can_flush_all() is only used within this file; leaving it non-static creates an unnecessary global symbol and can trigger -Wmissing-prototypes warnings under stricter build settings. Make it static (and, if appropriate, static __init) since it’s only used during init.

[Copilot]

The doc comment for ibpb_can_flush_all() says it "set[s] IBPB flush type according to the cmdline param", but the function doesn’t set ibpb_brtype (it only checks it and may set an MSR bit). Please adjust the comment so it accurately describes the side effects and what is being checked.

Suggested change

	* ibpb_can_flush_all() - set IBPB flush type according to the cmdline param
	* - and check whether IBPB can flush all branches
	* ibpb_can_flush_all() - check whether IBPB can flush all branch types
	* - and enable "flush all branches" in hardware when
	* requested via the configured IBPB flush type

[Copilot]

The non-HYGON fallback path in ibpb_can_flush_all() logs pr_err("WARNING: ..."), but the only caller is already guarded by boot_cpu_data.x86_vendor == X86_VENDOR_HYGON, making this log effectively dead code (and noisy if the guard changes). Consider removing the printk or replacing it with a WARN_ON_ONCE() and returning false.

[Copilot]

Minor typo in the kernel-parameter doc: missing space after comma in "branches,this".

Suggested change

	* ibpb-all -- IBPB flushes all types of branches,this is the default value.
	* ibpb-all -- IBPB flushes all types of branches, this is the default value.

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: opsiff

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• deepin/OWNERS [opsiff]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment