Queued up this week via the tip/tip.git’s “x86/bugs” Git branch for the Linux kernel is AMD “SRSO_USER_KERNEL_NO” support as a new SRSO/Inception mitigation handling seemingly for Zen 5 processors and beyond.
Disclosed back in mid-2023 was the Inception / Speculative Return Stack Overflow (SRSO) vulnerability as a speculative side channel attack for Zen 3 and Zen 4 processors at the time. With the recently launched AMD Zen 5 processors, they have reported “not affected” to Inception/SRSO but it looks like that isn’t as clear-cut given the new patch activity around SRSO_USER_KERNEL_NO.
CPUs that report SRSO_USER_KERNEL_NO are not subject to the SRSO vulnerability across user/kernel boundaries, but for cloud/virtualization use they still need an Indirect Branch Predictor Barrier (IBPB) on VMEXIT. Per this patch:
“If the machine has:
CPUID Fn8000_0021_EAX[30] (SRSO_USER_KERNEL_NO) — If this bit is 1, it indicates the CPU is not subject to the SRSO vulnerability across user/kernel boundaries.
have it fall back to IBPB on VMEXIT only, in the case it is going to run VMs:
Speculative Return Stack Overflow: Mitigation: IBPB on VMEXIT only”
So CPUs with SRSO_USER_KERNEL_NO are basically not affected by SRSO/Inception unless you are running virtual machines, in which case an IBPB on VMEXIT needs to be applied for safe operation.
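To check a given host against the bit and the status string quoted above, here is an added example (not code from the kernel patch). It reads CPUID Fn8000_0021_EAX[30] and classifies the kernel's SRSO status line; it assumes the kernel's standard sysfs vulnerabilities file `spec_rstack_overflow`, which this page does not mention, and the function and enum names are made up for illustration.

```c
/* Added example (not kernel code): report SRSO_USER_KERNEL_NO and the kernel's SRSO status. */
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define SRSO_USER_KERNEL_NO_BIT 30  /* CPUID Fn8000_0021_EAX[30], per the patch message */
#define SRSO_SYSFS "/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow" /* assumed path */

enum srso_state { SRSO_UNKNOWN, SRSO_NOT_AFFECTED, SRSO_VMEXIT_ONLY, SRSO_OTHER_MITIGATION, SRSO_VULNERABLE };

/* Decode the bit from a raw EAX value of CPUID leaf 0x80000021. */
static int srso_user_kernel_no(unsigned int eax)
{
    return (eax >> SRSO_USER_KERNEL_NO_BIT) & 1u;
}

/* Read leaf 0x80000021 on the running CPU; returns 0 if it is not available. */
static int read_leaf_8000_0021(unsigned int *eax)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int ebx, ecx, edx;
    return __get_cpuid(0x80000021u, eax, &ebx, &ecx, &edx);
#else
    (void)eax;
    return 0;
#endif
}

/* Classify a status line from sysfs or the kernel log; most specific match first. */
static enum srso_state classify_srso(const char *line)
{
    if (strstr(line, "IBPB on VMEXIT only")) return SRSO_VMEXIT_ONLY;
    if (strstr(line, "Not affected"))        return SRSO_NOT_AFFECTED;
    if (strstr(line, "Mitigation:"))         return SRSO_OTHER_MITIGATION;
    if (strstr(line, "Vulnerable"))          return SRSO_VULNERABLE;
    return SRSO_UNKNOWN;
}

int main(void)
{
    unsigned int eax = 0;
    char line[256] = "";
    FILE *f = fopen(SRSO_SYSFS, "r");

    if (f) { if (!fgets(line, sizeof line, f)) line[0] = '\0'; fclose(f); }
    if (read_leaf_8000_0021(&eax))
        printf("SRSO_USER_KERNEL_NO: %d\n", srso_user_kernel_no(eax));
    else
        printf("CPUID leaf 0x80000021 not available\n");
    printf("kernel SRSO state: %d (%s)\n", classify_srso(line), line[0] ? line : "no sysfs entry\n");
    return 0;
}
```

On a host that runs VMs, a set bit together with a state other than `SRSO_VMEXIT_ONLY` is the combination worth investigating, for example a kernel that predates this patch.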
Not noted in that patch message, but apparent when looking at the code:
The patch now marks AMD 0x1a processors as affected, with Family 1a being the new AMD Zen 5 processors. So seemingly SRSO_USER_KERNEL_NO is intended for Zen 5 systems, taking those processors from the prior “Not affected” state for Inception/SRSO to the new “IBPB on VMEXIT only” mitigation with SRSO_USER_KERNEL_NO. But again, there is no real difference for users unless you are running VMs.
With these SRSO_USER_KERNEL_NO patches in tip/tip.git’s x86/bugs branch, they will likely be submitted as material for the Linux 6.14 merge window opening later this month, unless they are deemed urgent, in which case they could come in as part of the “fixes” for Linux v6.13.