From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <tglx@linutronix.de>
Received: from localhost ([127.0.0.1] helo=nanos.tec.linutronix.de)
	by Galois.linutronix.de with esmtp (Exim 4.80)
	(envelope-from <tglx@linutronix.de>)
	id 1fCsX3-0002Y9-C4
	for speck@linutronix.de; Sun, 29 Apr 2018 22:02:49 +0200
Message-Id: <20180429193938.557096663@linutronix.de>
Date: Sun, 29 Apr 2018 21:30:58 +0200
From: Thomas Gleixner <tglx@linutronix.de>
References: <20180429193045.711908246@linutronix.de>
MIME-Version: 1.0
Subject: [patch V7 13/15] SBB 13
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID: <speck.linutronix.de>

Add two new prctls to control aspects of speculation related vulnerabilites
and their mitigations.

PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
which is selected with arg2 of prctl(2). The return value uses bit 0-2 with
the following meaning:

PR_SPEC_PRCTL:	PRCTL per task control of the mitigation is enabled
PR_SPEC_ENABLE:	The speculation feature is enabled, mitigation is disabled
PR_SPEC_DISABLE:The speculation feature is disabled, mitigation is enabled

If all bits are 0 the CPU is not affected by the speculation misfeature. If
bit0 is set, then the per task control of the mitigation is enabled. If not
set, prctl(PR_SET_SPECULATION_CTRL) for the speculation misfeature will
fail.

PR_GET_SPECULATION_CTRL allows to control the speculation misfeature, which
is selected by arg2 of prctl(2) per task. arg3 is used to hand in either
PR_SPEC_ENABLE or PR_SPEC_DISABLE.

The common return values are:

-EINVAL: prctl is not implemented by the architecture
-ENODEV: arg2 is selecting a not supported speculation misfeature

PR_SET_SPECULATION_CTRL has these additional return values:

-ERANGE: arg3 is incorrect, i.e. it's not either PR_SPEC_ENABLE or PR_SPEC_DISABLE
-ENXIO:  prctl control of the selected speculation misfeature is disabled

The first supported controllable speculation misfeature is
PR_SPEC_STORE_BYPASS. Add the define so this can be shared between
architectures.

TODO: Tidy up spec_ctrl.rst and write a man prctl(2) patch.

Based on an intial patch from Tim Chen and mostly rewritten.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
 Documentation/userspace-api/index.rst     |    1 
 Documentation/userspace-api/spec_ctrl.rst |   65 ++++++++++++++++++++++++++++++
 include/linux/nospec.h                    |    5 ++
 include/uapi/linux/prctl.h                |   11 +++++
 kernel/sys.c                              |   18 ++++++++
 5 files changed, 100 insertions(+)

--- a/Documentation/userspace-api/index.rst
+++ b/Documentation/userspace-api/index.rst
@@ -19,6 +19,7 @@ place where this information is gathered
    no_new_privs
    seccomp_filter
    unshare
+   spec_ctrl
 
 .. only::  subproject and html
 
--- /dev/null
+++ b/Documentation/userspace-api/spec_ctrl.rst
@@ -0,0 +1,65 @@
+===================
+Speculation Control
+===================
+
+Quite some CPUs have speculation related misfeatures which are in fact
+vulnerabilites causing data leaks in various forms even accross privilege
+domains.
+
+The kernel provides mitigation for such vulnerabilities in various
+forms. Some of these mitigations are compile time configurable and some on
+the kernel command line.
+
+There is also a class of mitigations which is very expensive, but they can
+be restricted to a certain set of processes or tasks in controlled
+environments. The mechanism to control these mitigations is via ``prctl(2)``.
+
+There are two prctl options which are related to this:
+
+ - PR_GET_SPECULATION_CTRL
+
+ - PR_SET_SPECULATION_CTRL
+
+PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
+which is selected with arg2 of prctl(2). The return value uses bit 0-2 with
+the following meaning:
+
+PR_SPEC_PRCTL:	PRCTL per task control of the mitigation is enabled
+PR_SPEC_ENABLE:	The speculation feature is enabled, mitigation is disabled
+PR_SPEC_DISABLE:The speculation feature is disabled, mitigation is enabled
+
+If all bits are 0 the CPU is not affected by the speculation misfeature. If
+bit0 is set, then the per task control of the mitigation is enabled. If not
+set, prctl(PR_SET_SPECULATION_CTRL) for the speculation misfeature will
+fail.
+
+PR_GET_SPECULATION_CTRL allows to control the speculation misfeature, which
+is selected by arg2 of prctl(2) per task. arg3 is used to hand in either
+PR_SPEC_ENABLE or PR_SPEC_DISABLE.
+
+The common return values are:
+
+-EINVAL: prctl is not implemented by the architecture
+-ENODEV: arg2 is selecting a not supported speculation misfeature
+
+PR_SET_SPECULATION_CTRL has these additional return values:
+
+-ERANGE: arg3 is incorrect, i.e. it's not either PR_SPEC_ENABLE or PR_SPEC_DISABLE
+-ENXIO:  prctl control of the selected speculation misfeature is disabled
+
+The following supported controllable speculation misfeatures are implemented:
+
+- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
+
+  To control it the following prctl() invocations are used:
+
+    prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS);
+
+  and
+
+    prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE);
+
+    or
+
+    prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE);
+
--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -55,4 +55,9 @@ static inline unsigned long array_index_
 									\
 	(typeof(_i)) (_i & _mask);					\
 })
+
+/* Speculation control prctl */
+int arch_prctl_set_spec_ctrl(unsigned long which, unsigned long ctrl);
+int arch_prctl_get_spec_ctrl(unsigned long which);
+
 #endif /* _LINUX_NOSPEC_H */
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -207,4 +207,15 @@ struct prctl_mm_map {
 # define PR_SVE_VL_LEN_MASK		0xffff
 # define PR_SVE_VL_INHERIT		(1 << 17) /* inherit across exec */
 
+/* Per task speculation control */
+#define PR_SET_SPECULATION_CTRL		52
+#define PR_GET_SPECULATION_CTRL		53
+/* Speculation control variants */
+# define PR_SPEC_STORE_BYPASS		0
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+# define PR_SPEC_NOT_AFFECTED		0
+# define PR_SPEC_PRCTL			(1UL << 0)
+# define PR_SPEC_ENABLE			(1UL << 1)
+# define PR_SPEC_DISABLE		(1UL << 2)
+
 #endif /* _LINUX_PRCTL_H */
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -61,6 +61,8 @@
 #include <linux/uidgid.h>
 #include <linux/cred.h>
 
+#include <linux/nospec.h>
+
 #include <linux/kmsg_dump.h>
 /* Move somewhere else to avoid recompiling? */
 #include <generated/utsrelease.h>
@@ -2242,6 +2244,16 @@ static int propagate_has_child_subreaper
 	return 1;
 }
 
+int __weak arch_prctl_set_spec_ctrl(unsigned long which, unsigned long ctrl)
+{
+	return -EINVAL;
+}
+
+int __weak arch_prctl_get_spec_ctrl(unsigned long which)
+{
+	return -EINVAL;
+}
+
 SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
 		unsigned long, arg4, unsigned long, arg5)
 {
@@ -2450,6 +2462,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
 	case PR_SVE_GET_VL:
 		error = SVE_GET_VL();
 		break;
+	case PR_SET_SPECULATION_CTRL:
+		error = arch_prctl_set_spec_ctrl(arg2, arg3);
+		break;
+	case PR_GET_SPECULATION_CTRL:
+		error = arch_prctl_get_spec_ctrl(arg2);
+		break;
 	default:
 		error = -EINVAL;
 		break;