* [PATCH v2 02/10] powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
@ 2018-03-27 12:01 ` Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 03/10] powerpc/pseries: Set or clear security feature flags Michael Ellerman
` (9 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: Michael Ellerman @ 2018-03-27 12:01 UTC (permalink / raw)
To: linuxppc-dev; +Cc: mauricfo
Add some additional values which have been defined for the
H_GET_CPU_CHARACTERISTICS hypercall.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/include/asm/hvcall.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
index eca3f9c68907..5a740feb7bd7 100644
--- a/arch/powerpc/include/asm/hvcall.h
+++ b/arch/powerpc/include/asm/hvcall.h
@@ -337,6 +337,9 @@
#define H_CPU_CHAR_L1D_FLUSH_ORI30 (1ull << 61) // IBM bit 2
#define H_CPU_CHAR_L1D_FLUSH_TRIG2 (1ull << 60) // IBM bit 3
#define H_CPU_CHAR_L1D_THREAD_PRIV (1ull << 59) // IBM bit 4
+#define H_CPU_CHAR_BRANCH_HINTS_HONORED (1ull << 58) // IBM bit 5
+#define H_CPU_CHAR_THREAD_RECONFIG_CTRL (1ull << 57) // IBM bit 6
+#define H_CPU_CHAR_COUNT_CACHE_DISABLED (1ull << 56) // IBM bit 7
#define H_CPU_BEHAV_FAVOUR_SECURITY (1ull << 63) // IBM bit 0
#define H_CPU_BEHAV_L1D_FLUSH_PR (1ull << 62) // IBM bit 1
--
2.14.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v2 03/10] powerpc/pseries: Set or clear security feature flags
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 02/10] powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags Michael Ellerman
@ 2018-03-27 12:01 ` Michael Ellerman
2018-03-29 18:35 ` Mauricio Faria de Oliveira
2018-03-27 12:01 ` [PATCH v2 04/10] powerpc/powernv: " Michael Ellerman
` (8 subsequent siblings)
10 siblings, 1 reply; 15+ messages in thread
From: Michael Ellerman @ 2018-03-27 12:01 UTC (permalink / raw)
To: linuxppc-dev; +Cc: mauricfo
Now that we have feature flags for security related things, set or
clear them based on what we receive from the hypercall.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/platforms/pseries/setup.c | 43 ++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
index f34f9081ec60..fb84c1df6ed7 100644
--- a/arch/powerpc/platforms/pseries/setup.c
+++ b/arch/powerpc/platforms/pseries/setup.c
@@ -68,6 +68,7 @@
#include <asm/plpar_wrappers.h>
#include <asm/kexec.h>
#include <asm/isa-bridge.h>
+#include <asm/security_features.h>
#include "pseries.h"
@@ -459,6 +460,40 @@ static void __init find_and_init_phbs(void)
of_pci_check_probe_only();
}
+static void init_cpu_char_feature_flags(struct h_cpu_char_result *result)
+{
+ if (result->character & H_CPU_CHAR_SPEC_BAR_ORI31)
+ security_ftr_set(SEC_FTR_SPEC_BAR_ORI31);
+
+ if (result->character & H_CPU_CHAR_BCCTRL_SERIALISED)
+ security_ftr_set(SEC_FTR_BCCTRL_SERIALISED);
+
+ if (result->character & H_CPU_CHAR_L1D_FLUSH_ORI30)
+ security_ftr_set(SEC_FTR_L1D_FLUSH_ORI30);
+
+ if (result->character & H_CPU_CHAR_L1D_FLUSH_TRIG2)
+ security_ftr_set(SEC_FTR_L1D_FLUSH_TRIG2);
+
+ if (result->character & H_CPU_CHAR_L1D_THREAD_PRIV)
+ security_ftr_set(SEC_FTR_L1D_THREAD_PRIV);
+
+ if (result->character & H_CPU_CHAR_COUNT_CACHE_DISABLED)
+ security_ftr_set(SEC_FTR_COUNT_CACHE_DISABLED);
+
+ /*
+ * The features below are enabled by default, so we instead look to see
+ * if firmware has *disabled* them, and clear them if so.
+ */
+ if (!(result->character & H_CPU_BEHAV_FAVOUR_SECURITY))
+ security_ftr_clear(SEC_FTR_FAVOUR_SECURITY);
+
+ if (!(result->character & H_CPU_BEHAV_L1D_FLUSH_PR))
+ security_ftr_clear(SEC_FTR_L1D_FLUSH_PR);
+
+ if (!(result->character & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR))
+ security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR);
+}
+
void pseries_setup_rfi_flush(void)
{
struct h_cpu_char_result result;
@@ -472,6 +507,8 @@ void pseries_setup_rfi_flush(void)
rc = plpar_get_cpu_characteristics(&result);
if (rc == H_SUCCESS) {
+ init_cpu_char_feature_flags(&result);
+
if (result.character & H_CPU_CHAR_L1D_FLUSH_TRIG2)
types |= L1D_FLUSH_MTTRIG;
if (result.character & H_CPU_CHAR_L1D_FLUSH_ORI30)
@@ -482,6 +519,12 @@ void pseries_setup_rfi_flush(void)
enable = false;
}
+ /*
+ * We're the guest so this doesn't apply to us, clear it to simplify
+ * handling of it elsewhere.
+ */
+ security_ftr_clear(SEC_FTR_L1D_FLUSH_HV);
+
setup_rfi_flush(types, enable);
}
--
2.14.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH v2 03/10] powerpc/pseries: Set or clear security feature flags
2018-03-27 12:01 ` [PATCH v2 03/10] powerpc/pseries: Set or clear security feature flags Michael Ellerman
@ 2018-03-29 18:35 ` Mauricio Faria de Oliveira
0 siblings, 0 replies; 15+ messages in thread
From: Mauricio Faria de Oliveira @ 2018-03-29 18:35 UTC (permalink / raw)
To: Michael Ellerman, linuxppc-dev
Hi Michael,
On 03/27/2018 09:01 AM, Michael Ellerman wrote:
> + if (!(result->character & H_CPU_BEHAV_FAVOUR_SECURITY))
> + security_ftr_clear(SEC_FTR_FAVOUR_SECURITY);
> +
> + if (!(result->character & H_CPU_BEHAV_L1D_FLUSH_PR))
> + security_ftr_clear(SEC_FTR_L1D_FLUSH_PR);
> +
> + if (!(result->character & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR))
> + security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR);
Oops, I missed this..
The H_CPU_BEHAV flags should be checked for in 'result->behaviour'.
Just sent '[PATCH] powerpc/pseries: Fix to clear security feature flags'
cheers,
Mauricio
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v2 04/10] powerpc/powernv: Set or clear security feature flags
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 02/10] powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 03/10] powerpc/pseries: Set or clear security feature flags Michael Ellerman
@ 2018-03-27 12:01 ` Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 05/10] powerpc/64s: Move cpu_show_meltdown() Michael Ellerman
` (7 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: Michael Ellerman @ 2018-03-27 12:01 UTC (permalink / raw)
To: linuxppc-dev; +Cc: mauricfo
Now that we have feature flags for security related things, set or
clear them based on what we see in the device tree provided by
firmware.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/platforms/powernv/setup.c | 56 ++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
index 092715b9674b..5f242b1bab01 100644
--- a/arch/powerpc/platforms/powernv/setup.c
+++ b/arch/powerpc/platforms/powernv/setup.c
@@ -38,9 +38,63 @@
#include <asm/smp.h>
#include <asm/tm.h>
#include <asm/setup.h>
+#include <asm/security_features.h>
#include "powernv.h"
+
+static bool fw_feature_is(const char *state, const char *name,
+ struct device_node *fw_features)
+{
+ struct device_node *np;
+ bool rc = false;
+
+ np = of_get_child_by_name(fw_features, name);
+ if (np) {
+ rc = of_property_read_bool(np, state);
+ of_node_put(np);
+ }
+
+ return rc;
+}
+
+static void init_fw_feat_flags(struct device_node *np)
+{
+ if (fw_feature_is("enabled", "inst-spec-barrier-ori31,31,0", np))
+ security_ftr_set(SEC_FTR_SPEC_BAR_ORI31);
+
+ if (fw_feature_is("enabled", "fw-bcctrl-serialized", np))
+ security_ftr_set(SEC_FTR_BCCTRL_SERIALISED);
+
+ if (fw_feature_is("enabled", "inst-spec-barrier-ori31,31,0", np))
+ security_ftr_set(SEC_FTR_L1D_FLUSH_ORI30);
+
+ if (fw_feature_is("enabled", "inst-l1d-flush-trig2", np))
+ security_ftr_set(SEC_FTR_L1D_FLUSH_TRIG2);
+
+ if (fw_feature_is("enabled", "fw-l1d-thread-split", np))
+ security_ftr_set(SEC_FTR_L1D_THREAD_PRIV);
+
+ if (fw_feature_is("enabled", "fw-count-cache-disabled", np))
+ security_ftr_set(SEC_FTR_COUNT_CACHE_DISABLED);
+
+ /*
+ * The features below are enabled by default, so we instead look to see
+ * if firmware has *disabled* them, and clear them if so.
+ */
+ if (fw_feature_is("disabled", "speculation-policy-favor-security", np))
+ security_ftr_clear(SEC_FTR_FAVOUR_SECURITY);
+
+ if (fw_feature_is("disabled", "needs-l1d-flush-msr-pr-0-to-1", np))
+ security_ftr_clear(SEC_FTR_L1D_FLUSH_PR);
+
+ if (fw_feature_is("disabled", "needs-l1d-flush-msr-hv-1-to-0", np))
+ security_ftr_clear(SEC_FTR_L1D_FLUSH_HV);
+
+ if (fw_feature_is("disabled", "needs-spec-barrier-for-bound-checks", np))
+ security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR);
+}
+
static void pnv_setup_rfi_flush(void)
{
struct device_node *np, *fw_features;
@@ -56,6 +110,8 @@ static void pnv_setup_rfi_flush(void)
of_node_put(np);
if (fw_features) {
+ init_fw_feat_flags(fw_features);
+
np = of_get_child_by_name(fw_features, "inst-l1d-flush-trig2");
if (np && of_property_read_bool(np, "enabled"))
type = L1D_FLUSH_MTTRIG;
--
2.14.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v2 05/10] powerpc/64s: Move cpu_show_meltdown()
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
` (2 preceding siblings ...)
2018-03-27 12:01 ` [PATCH v2 04/10] powerpc/powernv: " Michael Ellerman
@ 2018-03-27 12:01 ` Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 06/10] powerpc/64s: Enhance the information in cpu_show_meltdown() Michael Ellerman
` (6 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: Michael Ellerman @ 2018-03-27 12:01 UTC (permalink / raw)
To: linuxppc-dev; +Cc: mauricfo
This landed in setup_64.c for no good reason other than we had nowhere
else to put it. Now that we have a security-related file, that is a
better place for it so move it.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/security.c | 11 +++++++++++
arch/powerpc/kernel/setup_64.c | 8 --------
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
index 4ccba00d224c..564e7f182a16 100644
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -5,6 +5,8 @@
// Copyright 2018, Michael Ellerman, IBM Corporation.
#include <linux/kernel.h>
+#include <linux/device.h>
+
#include <asm/security_features.h>
@@ -13,3 +15,12 @@ unsigned long powerpc_security_features __read_mostly = \
SEC_FTR_L1D_FLUSH_PR | \
SEC_FTR_BNDS_CHK_SPEC_BAR | \
SEC_FTR_FAVOUR_SECURITY;
+
+
+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
+{
+ if (rfi_flush)
+ return sprintf(buf, "Mitigation: RFI Flush\n");
+
+ return sprintf(buf, "Vulnerable\n");
+}
diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
index 4ec4a27b36a9..7f7621668613 100644
--- a/arch/powerpc/kernel/setup_64.c
+++ b/arch/powerpc/kernel/setup_64.c
@@ -934,12 +934,4 @@ static __init int rfi_flush_debugfs_init(void)
}
device_initcall(rfi_flush_debugfs_init);
#endif
-
-ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
-{
- if (rfi_flush)
- return sprintf(buf, "Mitigation: RFI Flush\n");
-
- return sprintf(buf, "Vulnerable\n");
-}
#endif /* CONFIG_PPC_BOOK3S_64 */
--
2.14.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v2 06/10] powerpc/64s: Enhance the information in cpu_show_meltdown()
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
` (3 preceding siblings ...)
2018-03-27 12:01 ` [PATCH v2 05/10] powerpc/64s: Move cpu_show_meltdown() Michael Ellerman
@ 2018-03-27 12:01 ` Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 07/10] powerpc/powernv: Use the security flags in pnv_setup_rfi_flush() Michael Ellerman
` (5 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: Michael Ellerman @ 2018-03-27 12:01 UTC (permalink / raw)
To: linuxppc-dev; +Cc: mauricfo
Now that we have the security feature flags we can make the
information displayed in the "meltdown" file more informative.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/include/asm/security_features.h | 1 +
arch/powerpc/kernel/security.c | 30 ++++++++++++++++++++++++++--
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h
index db00ad2c72c2..400a9050e035 100644
--- a/arch/powerpc/include/asm/security_features.h
+++ b/arch/powerpc/include/asm/security_features.h
@@ -10,6 +10,7 @@
extern unsigned long powerpc_security_features;
+extern bool rfi_flush;
static inline void security_ftr_set(unsigned long feature)
{
diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
index 564e7f182a16..865db6f8bcca 100644
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -6,6 +6,7 @@
#include <linux/kernel.h>
#include <linux/device.h>
+#include <linux/seq_buf.h>
#include <asm/security_features.h>
@@ -19,8 +20,33 @@ unsigned long powerpc_security_features __read_mostly = \
ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
{
- if (rfi_flush)
- return sprintf(buf, "Mitigation: RFI Flush\n");
+ bool thread_priv;
+
+ thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV);
+
+ if (rfi_flush || thread_priv) {
+ struct seq_buf s;
+ seq_buf_init(&s, buf, PAGE_SIZE - 1);
+
+ seq_buf_printf(&s, "Mitigation: ");
+
+ if (rfi_flush)
+ seq_buf_printf(&s, "RFI Flush");
+
+ if (rfi_flush && thread_priv)
+ seq_buf_printf(&s, ", ");
+
+ if (thread_priv)
+ seq_buf_printf(&s, "L1D private per thread");
+
+ seq_buf_printf(&s, "\n");
+
+ return s.len;
+ }
+
+ if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
+ !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
+ return sprintf(buf, "Not affected\n");
return sprintf(buf, "Vulnerable\n");
}
--
2.14.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v2 07/10] powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
` (4 preceding siblings ...)
2018-03-27 12:01 ` [PATCH v2 06/10] powerpc/64s: Enhance the information in cpu_show_meltdown() Michael Ellerman
@ 2018-03-27 12:01 ` Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 08/10] powerpc/pseries: Use the security flags in pseries_setup_rfi_flush() Michael Ellerman
` (4 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: Michael Ellerman @ 2018-03-27 12:01 UTC (permalink / raw)
To: linuxppc-dev; +Cc: mauricfo
Now that we have the security flags we can significantly simplify the
code in pnv_setup_rfi_flush(), because we can use the flags instead of
checking device tree properties and because the security flags have
pessimistic defaults.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/platforms/powernv/setup.c | 41 +++++++++-------------------------
1 file changed, 10 insertions(+), 31 deletions(-)
diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
index 5f242b1bab01..a90e995e5cc1 100644
--- a/arch/powerpc/platforms/powernv/setup.c
+++ b/arch/powerpc/platforms/powernv/setup.c
@@ -66,7 +66,7 @@ static void init_fw_feat_flags(struct device_node *np)
if (fw_feature_is("enabled", "fw-bcctrl-serialized", np))
security_ftr_set(SEC_FTR_BCCTRL_SERIALISED);
- if (fw_feature_is("enabled", "inst-spec-barrier-ori31,31,0", np))
+ if (fw_feature_is("enabled", "inst-l1d-flush-ori30,30,0", np))
security_ftr_set(SEC_FTR_L1D_FLUSH_ORI30);
if (fw_feature_is("enabled", "inst-l1d-flush-trig2", np))
@@ -99,11 +99,10 @@ static void pnv_setup_rfi_flush(void)
{
struct device_node *np, *fw_features;
enum l1d_flush_type type;
- int enable;
+ bool enable;
/* Default to fallback in case fw-features are not available */
type = L1D_FLUSH_FALLBACK;
- enable = 1;
np = of_find_node_by_name(NULL, "ibm,opal");
fw_features = of_get_child_by_name(np, "fw-features");
@@ -111,40 +110,20 @@ static void pnv_setup_rfi_flush(void)
if (fw_features) {
init_fw_feat_flags(fw_features);
+ of_node_put(fw_features);
- np = of_get_child_by_name(fw_features, "inst-l1d-flush-trig2");
- if (np && of_property_read_bool(np, "enabled"))
+ if (security_ftr_enabled(SEC_FTR_L1D_FLUSH_TRIG2))
type = L1D_FLUSH_MTTRIG;
- of_node_put(np);
-
- np = of_get_child_by_name(fw_features, "inst-l1d-flush-ori30,30,0");
- if (np && of_property_read_bool(np, "enabled"))
+ if (security_ftr_enabled(SEC_FTR_L1D_FLUSH_ORI30))
type = L1D_FLUSH_ORI;
-
- of_node_put(np);
-
- /* Enable unless firmware says NOT to */
- enable = 2;
- np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-hv-1-to-0");
- if (np && of_property_read_bool(np, "disabled"))
- enable--;
-
- of_node_put(np);
-
- np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-pr-0-to-1");
- if (np && of_property_read_bool(np, "disabled"))
- enable--;
-
- np = of_get_child_by_name(fw_features, "speculation-policy-favor-security");
- if (np && of_property_read_bool(np, "disabled"))
- enable = 0;
-
- of_node_put(np);
- of_node_put(fw_features);
}
- setup_rfi_flush(type, enable > 0);
+ enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && \
+ (security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) || \
+ security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV));
+
+ setup_rfi_flush(type, enable);
}
static void __init pnv_setup_arch(void)
--
2.14.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v2 08/10] powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
` (5 preceding siblings ...)
2018-03-27 12:01 ` [PATCH v2 07/10] powerpc/powernv: Use the security flags in pnv_setup_rfi_flush() Michael Ellerman
@ 2018-03-27 12:01 ` Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 09/10] powerpc/64s: Wire up cpu_show_spectre_v1() Michael Ellerman
` (3 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: Michael Ellerman @ 2018-03-27 12:01 UTC (permalink / raw)
To: linuxppc-dev; +Cc: mauricfo
Now that we have the security flags we can simplify the code in
pseries_setup_rfi_flush() because the security flags have pessimistic
defaults.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/platforms/pseries/setup.c | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
index fb84c1df6ed7..1f122359cd8f 100644
--- a/arch/powerpc/platforms/pseries/setup.c
+++ b/arch/powerpc/platforms/pseries/setup.c
@@ -501,30 +501,27 @@ void pseries_setup_rfi_flush(void)
bool enable;
long rc;
- /* Enable by default */
- enable = true;
- types = L1D_FLUSH_FALLBACK;
-
rc = plpar_get_cpu_characteristics(&result);
- if (rc == H_SUCCESS) {
+ if (rc == H_SUCCESS)
init_cpu_char_feature_flags(&result);
- if (result.character & H_CPU_CHAR_L1D_FLUSH_TRIG2)
- types |= L1D_FLUSH_MTTRIG;
- if (result.character & H_CPU_CHAR_L1D_FLUSH_ORI30)
- types |= L1D_FLUSH_ORI;
-
- if ((!(result.behaviour & H_CPU_BEHAV_L1D_FLUSH_PR)) ||
- (!(result.behaviour & H_CPU_BEHAV_FAVOUR_SECURITY)))
- enable = false;
- }
-
/*
* We're the guest so this doesn't apply to us, clear it to simplify
* handling of it elsewhere.
*/
security_ftr_clear(SEC_FTR_L1D_FLUSH_HV);
+ types = L1D_FLUSH_FALLBACK;
+
+ if (security_ftr_enabled(SEC_FTR_L1D_FLUSH_TRIG2))
+ types |= L1D_FLUSH_MTTRIG;
+
+ if (security_ftr_enabled(SEC_FTR_L1D_FLUSH_ORI30))
+ types |= L1D_FLUSH_ORI;
+
+ enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && \
+ security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR);
+
setup_rfi_flush(types, enable);
}
--
2.14.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v2 09/10] powerpc/64s: Wire up cpu_show_spectre_v1()
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
` (6 preceding siblings ...)
2018-03-27 12:01 ` [PATCH v2 08/10] powerpc/pseries: Use the security flags in pseries_setup_rfi_flush() Michael Ellerman
@ 2018-03-27 12:01 ` Michael Ellerman
2018-03-27 12:01 ` [PATCH v2 10/10] powerpc/64s: Wire up cpu_show_spectre_v2() Michael Ellerman
` (2 subsequent siblings)
10 siblings, 0 replies; 15+ messages in thread
From: Michael Ellerman @ 2018-03-27 12:01 UTC (permalink / raw)
To: linuxppc-dev; +Cc: mauricfo
Add a definition for cpu_show_spectre_v1() to override the generic
version. Currently this just prints "Not affected" or "Vulnerable"
based on the firmware flag.
Although the kernel does have array_index_nospec() in a few places, we
haven't yet audited all the powerpc code to see where it's necessary,
so for now we don't list that as a mitigation.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/security.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
index 865db6f8bcca..0eace3cac818 100644
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -50,3 +50,11 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha
return sprintf(buf, "Vulnerable\n");
}
+
+ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
+{
+ if (!security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR))
+ return sprintf(buf, "Not affected\n");
+
+ return sprintf(buf, "Vulnerable\n");
+}
--
2.14.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v2 10/10] powerpc/64s: Wire up cpu_show_spectre_v2()
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
` (7 preceding siblings ...)
2018-03-27 12:01 ` [PATCH v2 09/10] powerpc/64s: Wire up cpu_show_spectre_v1() Michael Ellerman
@ 2018-03-27 12:01 ` Michael Ellerman
2018-03-27 12:36 ` T T
2018-03-28 9:15 ` Diana Madalina Craciun
2018-03-27 13:42 ` [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Gabriel Paubert
2018-03-28 14:13 ` [v2, " Michael Ellerman
10 siblings, 2 replies; 15+ messages in thread
From: Michael Ellerman @ 2018-03-27 12:01 UTC (permalink / raw)
To: linuxppc-dev; +Cc: mauricfo
Add a definition for cpu_show_spectre_v2() to override the generic
version. This has several permuations, though in practice some may not
occur we cater for any combination.
The most verbose is:
Mitigation: Indirect branch serialisation (kernel only), Indirect
branch cache disabled, ori31 speculation barrier enabled
We don't treat the ori31 speculation barrier as a mitigation on its
own, because it has to be *used* by code in order to be a mitigation
and we don't know if userspace is doing that. So if that's all we see
we say:
Vulnerable, ori31 speculation barrier enabled
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/security.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
index 0eace3cac818..2cee3dcd231b 100644
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -58,3 +58,36 @@ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, c
return sprintf(buf, "Vulnerable\n");
}
+
+ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
+{
+ bool bcs, ccd, ori;
+ struct seq_buf s;
+
+ seq_buf_init(&s, buf, PAGE_SIZE - 1);
+
+ bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
+ ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
+ ori = security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31);
+
+ if (bcs || ccd) {
+ seq_buf_printf(&s, "Mitigation: ");
+
+ if (bcs)
+ seq_buf_printf(&s, "Indirect branch serialisation (kernel only)");
+
+ if (bcs && ccd)
+ seq_buf_printf(&s, ", ");
+
+ if (ccd)
+ seq_buf_printf(&s, "Indirect branch cache disabled");
+ } else
+ seq_buf_printf(&s, "Vulnerable");
+
+ if (ori)
+ seq_buf_printf(&s, ", ori31 speculation barrier enabled");
+
+ seq_buf_printf(&s, "\n");
+
+ return s.len;
+}
--
2.14.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH v2 10/10] powerpc/64s: Wire up cpu_show_spectre_v2()
2018-03-27 12:01 ` [PATCH v2 10/10] powerpc/64s: Wire up cpu_show_spectre_v2() Michael Ellerman
@ 2018-03-27 12:36 ` T T
2018-03-28 9:15 ` Diana Madalina Craciun
1 sibling, 0 replies; 15+ messages in thread
From: T T @ 2018-03-27 12:36 UTC (permalink / raw)
To: linuxppc-dev, Michael Ellerman; +Cc: mauricfo
[-- Attachment #1: Type: text/plain, Size: 2332 bytes --]
unscribed me
On Tuesday, March 27, 2018 05:31:31 AM PDT, Michael Ellerman <mpe@ellerman.id.au> wrote:
Add a definition for cpu_show_spectre_v2() to override the generic
version. This has several permuations, though in practice some may not
occur we cater for any combination.
The most verbose is:
Mitigation: Indirect branch serialisation (kernel only), Indirect
branch cache disabled, ori31 speculation barrier enabled
We don't treat the ori31 speculation barrier as a mitigation on its
own, because it has to be *used* by code in order to be a mitigation
and we don't know if userspace is doing that. So if that's all we see
we say:
Vulnerable, ori31 speculation barrier enabled
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/security.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
index 0eace3cac818..2cee3dcd231b 100644
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -58,3 +58,36 @@ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, c
return sprintf(buf, "Vulnerable\n");
}
+
+ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
+{
+ bool bcs, ccd, ori;
+ struct seq_buf s;
+
+ seq_buf_init(&s, buf, PAGE_SIZE - 1);
+
+ bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
+ ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
+ ori = security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31);
+
+ if (bcs || ccd) {
+ seq_buf_printf(&s, "Mitigation: ");
+
+ if (bcs)
+ seq_buf_printf(&s, "Indirect branch serialisation (kernel only)");
+
+ if (bcs && ccd)
+ seq_buf_printf(&s, ", ");
+
+ if (ccd)
+ seq_buf_printf(&s, "Indirect branch cache disabled");
+ } else
+ seq_buf_printf(&s, "Vulnerable");
+
+ if (ori)
+ seq_buf_printf(&s, ", ori31 speculation barrier enabled");
+
+ seq_buf_printf(&s, "\n");
+
+ return s.len;
+}
--
2.14.1
[-- Attachment #2: Type: text/html, Size: 4554 bytes --]
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH v2 10/10] powerpc/64s: Wire up cpu_show_spectre_v2()
2018-03-27 12:01 ` [PATCH v2 10/10] powerpc/64s: Wire up cpu_show_spectre_v2() Michael Ellerman
2018-03-27 12:36 ` T T
@ 2018-03-28 9:15 ` Diana Madalina Craciun
1 sibling, 0 replies; 15+ messages in thread
From: Diana Madalina Craciun @ 2018-03-28 9:15 UTC (permalink / raw)
To: Michael Ellerman, linuxppc-dev; +Cc: mauricfo
Why is the speculation barrier specific to Spectre v2? Can't the barrier=0A=
be used as a mitigation for Spectre v1 as well?=0A=
=0A=
Regards,=0A=
Diana=0A=
=0A=
On 3/27/2018 3:32 PM, Michael Ellerman wrote:=0A=
> Add a definition for cpu_show_spectre_v2() to override the generic=0A=
> version. This has several permuations, though in practice some may not=0A=
> occur we cater for any combination.=0A=
>=0A=
> The most verbose is:=0A=
>=0A=
> Mitigation: Indirect branch serialisation (kernel only), Indirect=0A=
> branch cache disabled, ori31 speculation barrier enabled=0A=
>=0A=
> We don't treat the ori31 speculation barrier as a mitigation on its=0A=
> own, because it has to be *used* by code in order to be a mitigation=0A=
> and we don't know if userspace is doing that. So if that's all we see=0A=
> we say:=0A=
>=0A=
> Vulnerable, ori31 speculation barrier enabled=0A=
>=0A=
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>=0A=
> ---=0A=
> arch/powerpc/kernel/security.c | 33 +++++++++++++++++++++++++++++++++=0A=
> 1 file changed, 33 insertions(+)=0A=
>=0A=
> diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/securit=
y.c=0A=
> index 0eace3cac818..2cee3dcd231b 100644=0A=
> --- a/arch/powerpc/kernel/security.c=0A=
> +++ b/arch/powerpc/kernel/security.c=0A=
> @@ -58,3 +58,36 @@ ssize_t cpu_show_spectre_v1(struct device *dev, struct=
device_attribute *attr, c=0A=
> =0A=
> return sprintf(buf, "Vulnerable\n");=0A=
> }=0A=
> +=0A=
> +ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute =
*attr, char *buf)=0A=
> +{=0A=
> + bool bcs, ccd, ori;=0A=
> + struct seq_buf s;=0A=
> +=0A=
> + seq_buf_init(&s, buf, PAGE_SIZE - 1);=0A=
> +=0A=
> + bcs =3D security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);=0A=
> + ccd =3D security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);=0A=
> + ori =3D security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31);=0A=
> +=0A=
> + if (bcs || ccd) {=0A=
> + seq_buf_printf(&s, "Mitigation: ");=0A=
> +=0A=
> + if (bcs)=0A=
> + seq_buf_printf(&s, "Indirect branch serialisation (kernel only)");=0A=
> +=0A=
> + if (bcs && ccd)=0A=
> + seq_buf_printf(&s, ", ");=0A=
> +=0A=
> + if (ccd)=0A=
> + seq_buf_printf(&s, "Indirect branch cache disabled");=0A=
> + } else=0A=
> + seq_buf_printf(&s, "Vulnerable");=0A=
> +=0A=
> + if (ori)=0A=
> + seq_buf_printf(&s, ", ori31 speculation barrier enabled");=0A=
> +=0A=
> + seq_buf_printf(&s, "\n");=0A=
> +=0A=
> + return s.len;=0A=
> +}=0A=
=0A=
=0A=
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
` (8 preceding siblings ...)
2018-03-27 12:01 ` [PATCH v2 10/10] powerpc/64s: Wire up cpu_show_spectre_v2() Michael Ellerman
@ 2018-03-27 13:42 ` Gabriel Paubert
2018-03-28 14:13 ` [v2, " Michael Ellerman
10 siblings, 0 replies; 15+ messages in thread
From: Gabriel Paubert @ 2018-03-27 13:42 UTC (permalink / raw)
To: Michael Ellerman; +Cc: linuxppc-dev, mauricfo
On Tue, Mar 27, 2018 at 11:01:44PM +1100, Michael Ellerman wrote:
> This commit adds security feature flags to reflect the settings we
> receive from firmware regarding Spectre/Meltdown mitigations.
>
> The feature names reflect the names we are given by firmware on bare
> metal machines. See the hostboot source for details.
>
> Arguably these could be firmware features, but that then requires them
> to be read early in boot so they're available prior to asm feature
> patching, but we don't actually want to use them for patching. We may
> also want to dynamically update them in future, which would be
> incompatible with the way firmware features work (at the moment at
> least). So for now just make them separate flags.
>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
> ---
> arch/powerpc/include/asm/security_features.h | 65 ++++++++++++++++++++++++++++
> arch/powerpc/kernel/Makefile | 2 +-
> arch/powerpc/kernel/security.c | 15 +++++++
> 3 files changed, 81 insertions(+), 1 deletion(-)
> create mode 100644 arch/powerpc/include/asm/security_features.h
> create mode 100644 arch/powerpc/kernel/security.c
>
>
> v2: Rebased on top of LPM changes.
>
> diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h
> new file mode 100644
> index 000000000000..db00ad2c72c2
> --- /dev/null
> +++ b/arch/powerpc/include/asm/security_features.h
> @@ -0,0 +1,65 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/*
> + * Security related feature bit definitions.
> + *
> + * Copyright 2018, Michael Ellerman, IBM Corporation.
> + */
> +
> +#ifndef _ASM_POWERPC_SECURITY_FEATURES_H
> +#define _ASM_POWERPC_SECURITY_FEATURES_H
> +
> +
> +extern unsigned long powerpc_security_features;
> +
> +static inline void security_ftr_set(unsigned long feature)
> +{
> + powerpc_security_features |= feature;
> +}
> +
> +static inline void security_ftr_clear(unsigned long feature)
> +{
> + powerpc_security_features &= ~feature;
> +}
> +
> +static inline bool security_ftr_enabled(unsigned long feature)
> +{
> + return !!(powerpc_security_features & feature);
> +}
> +
> +
> +// Features indicating support for Spectre/Meltdown mitigations
> +
> +// The L1-D cache can be flushed with ori r30,r30,0
> +#define SEC_FTR_L1D_FLUSH_ORI30 0x0000000000000001ull
> +
> +// The L1-D cache can be flushed with mtspr 882,r0 (aka SPRN_TRIG2)
> +#define SEC_FTR_L1D_FLUSH_TRIG2 0x0000000000000002ull
> +
> +// ori r31,r31,0 acts as a speculation barrier
> +#define SEC_FTR_SPEC_BAR_ORI31 0x0000000000000004ull
> +
> +// Speculation past bctr is disabled
> +#define SEC_FTR_BCCTRL_SERIALISED 0x0000000000000008ull
Nitpicks:
1) bcctr or bcctrL ?
2) seraliaZe seems to be more popular than serialiSe in the kernel
(1769 hits from "grep -ir serializ", 264 with the "s")
Still needs to grep for both in any case, bummer!
Gabriel
> +
> +// Entries in L1-D are private to a SMT thread
> +#define SEC_FTR_L1D_THREAD_PRIV 0x0000000000000010ull
> +
> +// Indirect branch prediction cache disabled
> +#define SEC_FTR_COUNT_CACHE_DISABLED 0x0000000000000020ull
> +
> +
> +// Features indicating need for Spectre/Meltdown mitigations
> +
> +// The L1-D cache should be flushed on MSR[HV] 1->0 transition (hypervisor to guest)
> +#define SEC_FTR_L1D_FLUSH_HV 0x0000000000000040ull
> +
> +// The L1-D cache should be flushed on MSR[PR] 0->1 transition (kernel to userspace)
> +#define SEC_FTR_L1D_FLUSH_PR 0x0000000000000080ull
> +
> +// A speculation barrier should be used for bounds checks (Spectre variant 1)
> +#define SEC_FTR_BNDS_CHK_SPEC_BAR 0x0000000000000100ull
> +
> +// Firmware configuration indicates user favours security over performance
> +#define SEC_FTR_FAVOUR_SECURITY 0x0000000000000200ull
> +
> +#endif /* _ASM_POWERPC_SECURITY_FEATURES_H */
> diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
> index 1b6bc7fba996..d458c45e5004 100644
> --- a/arch/powerpc/kernel/Makefile
> +++ b/arch/powerpc/kernel/Makefile
> @@ -42,7 +42,7 @@ obj-$(CONFIG_VDSO32) += vdso32/
> obj-$(CONFIG_PPC_WATCHDOG) += watchdog.o
> obj-$(CONFIG_HAVE_HW_BREAKPOINT) += hw_breakpoint.o
> obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_ppc970.o cpu_setup_pa6t.o
> -obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_power.o
> +obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_power.o security.o
> obj-$(CONFIG_PPC_BOOK3S_64) += mce.o mce_power.o
> obj-$(CONFIG_PPC_BOOK3E_64) += exceptions-64e.o idle_book3e.o
> obj-$(CONFIG_PPC64) += vdso64/
> diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
> new file mode 100644
> index 000000000000..4ccba00d224c
> --- /dev/null
> +++ b/arch/powerpc/kernel/security.c
> @@ -0,0 +1,15 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +//
> +// Security related flags and so on.
> +//
> +// Copyright 2018, Michael Ellerman, IBM Corporation.
> +
> +#include <linux/kernel.h>
> +#include <asm/security_features.h>
> +
> +
> +unsigned long powerpc_security_features __read_mostly = \
> + SEC_FTR_L1D_FLUSH_HV | \
> + SEC_FTR_L1D_FLUSH_PR | \
> + SEC_FTR_BNDS_CHK_SPEC_BAR | \
> + SEC_FTR_FAVOUR_SECURITY;
> --
> 2.14.1
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [v2, 01/10] powerpc: Add security feature flags for Spectre/Meltdown
2018-03-27 12:01 [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Michael Ellerman
` (9 preceding siblings ...)
2018-03-27 13:42 ` [PATCH v2 01/10] powerpc: Add security feature flags for Spectre/Meltdown Gabriel Paubert
@ 2018-03-28 14:13 ` Michael Ellerman
10 siblings, 0 replies; 15+ messages in thread
From: Michael Ellerman @ 2018-03-28 14:13 UTC (permalink / raw)
To: Michael Ellerman, linuxppc-dev; +Cc: mauricfo
On Tue, 2018-03-27 at 12:01:44 UTC, Michael Ellerman wrote:
> This commit adds security feature flags to reflect the settings we
> receive from firmware regarding Spectre/Meltdown mitigations.
>
> The feature names reflect the names we are given by firmware on bare
> metal machines. See the hostboot source for details.
>
> Arguably these could be firmware features, but that then requires them
> to be read early in boot so they're available prior to asm feature
> patching, but we don't actually want to use them for patching. We may
> also want to dynamically update them in future, which would be
> incompatible with the way firmware features work (at the moment at
> least). So for now just make them separate flags.
>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Series applied to powerpc next.
https://git.kernel.org/powerpc/c/9a868f634349e62922c226834aa23e
cheers
^ permalink raw reply [flat|nested] 15+ messages in thread