x86/vmscape: Warn when STIBP is disabled with SMT

JIRA: https://issues.redhat.com/browse/RHEL-114277
CVE: CVE-2025-40300

commit b7cc988
Author: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date:   Thu, 14 Aug 2025 10:20:43 -0700

    x86/vmscape: Warn when STIBP is disabled with SMT

    Cross-thread attacks are generally harder as they require the victim to be
    co-located on a core. However, with VMSCAPE the adversary targets belong to
    the same guest execution, that are more likely to get co-located. In
    particular, a thread that is currently executing userspace hypervisor
    (after the IBPB) may still be targeted by a guest execution from a sibling
    thread.

    Issue a warning about the potential risk, except when:

    - SMT is disabled
    - STIBP is enabled system-wide
    - Intel eIBRS is enabled (which implies STIBP protection)

    Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>

Signed-off-by: Waiman Long <longman@redhat.com>

Author: Waiman-Long

arch/x86/kernel/cpu/bugs.c

@@ -3216,6 +3216,28 @@ void cpu_bugs_smt_update(void)
 		break;
 	}
 
+	switch (vmscape_mitigation) {
+	case VMSCAPE_MITIGATION_NONE:
+	case VMSCAPE_MITIGATION_AUTO:
+		break;
+	case VMSCAPE_MITIGATION_IBPB_ON_VMEXIT:
+	case VMSCAPE_MITIGATION_IBPB_EXIT_TO_USER:
+		/*
+		 * Hypervisors can be attacked across-threads, warn for SMT when
+		 * STIBP is not already enabled system-wide.
+		 *
+		 * Intel eIBRS (!AUTOIBRS) implies STIBP on.
+		 */
+		if (!sched_smt_active() ||
+		    spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
+		    spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ||
+		    (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
+		     !boot_cpu_has(X86_FEATURE_AUTOIBRS)))
+			break;
+		pr_warn_once(VMSCAPE_MSG_SMT);
+		break;
+	}
+
 	mutex_unlock(&spec_ctrl_mutex);
 }