linux-kernel.vger.kernel.org archive mirror
* [PATCH RFC 0/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
@ 2019-04-04 16:44 Josh Poimboeuf
  2019-04-04 16:44 ` [PATCH RFC 1/5] " Josh Poimboeuf
                   ` (5 more replies)
  0 siblings, 6 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-04 16:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, Will Deacon, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

Keeping track of the number of mitigations for all the CPU speculation
bugs has become overwhelming for many users.  It's getting more and more
complicated to decide which mitigations are needed for a given
architecture.  Complicating matters is the fact that each arch tends to
it own custom way to mitigate the same vulnerability.

Most users fall into a few basic categories:

a) they want all CPU speculation mitigations off;

b) they want all reasonable mitigations on, with SMT enabled even if
   it's vulnerable; or

c) they want all reasonable mitigations on, with SMT disabled if
   vulnerable.

Define a set of curated, arch-independent options, each of which is an
aggregation of existing options:

- cpu_spec_mitigations=off: Disable all mitigations.

- cpu_spec_mitigations=auto: [default] Enable all the default
  mitigations, but leave SMT enabled, even if it's vulnerable.

- cpu_spec_mitigations=auto,nosmt: Enable all the default mitigations,
  disabling SMT if needed by a mitigation.


Josh Poimboeuf (5):
  cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  x86/speculation: Add support for 'cpu_spec_mitigations=' cmdline
    options
  powerpc/speculation: Add support for 'cpu_spec_mitigations=' cmdline
    options
  s390/speculation: Add support for 'cpu_spec_mitigations=' cmdline
    options
  arm64/speculation: Add support for 'cpu_spec_mitigations=' cmdline
    options

 .../admin-guide/kernel-parameters.txt         | 42 +++++++++++++++++++
 arch/arm64/kernel/cpu_errata.c                |  4 ++
 arch/arm64/kernel/cpufeature.c                |  6 +++
 arch/powerpc/kernel/security.c                |  6 +--
 arch/powerpc/kernel/setup_64.c                |  2 +-
 arch/s390/kernel/nospec-branch.c              |  4 +-
 arch/x86/include/asm/processor.h              |  1 +
 arch/x86/kernel/cpu/bugs.c                    | 32 ++++++++++++--
 arch/x86/kvm/vmx/vmx.c                        |  2 +
 arch/x86/mm/pti.c                             |  4 +-
 include/linux/cpu.h                           |  8 ++++
 kernel/cpu.c                                  | 15 +++++++
 12 files changed, 116 insertions(+), 10 deletions(-)

-- 
2.17.2



* [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 [PATCH RFC 0/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options Josh Poimboeuf
@ 2019-04-04 16:44 ` Josh Poimboeuf
  2019-04-04 16:49   ` Josh Poimboeuf
  2019-04-05 13:12   ` Borislav Petkov
  2019-04-04 16:44 ` [PATCH RFC 2/5] x86/speculation: Add support for " Josh Poimboeuf
                   ` (4 subsequent siblings)
  5 siblings, 2 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-04 16:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, Will Deacon, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

Keeping track of the number of mitigations for all the CPU speculation
bugs has become overwhelming for many users.  It's getting more and more
complicated to decide which mitigations are needed for a given
architecture.  Complicating matters is the fact that each arch tends to
their own custom way to mitigate the same vulnerability.

Most users fall into a few basic categories:

a) they want all mitigations off;

b) they want all reasonable mitigations on, with SMT enabled even if
   it's vulnerable; or

c) they want all reasonable mitigations on, with SMT disabled if
   vulnerable.

Define a set of curated, arch-independent options, each of which is an
aggregation of existing options:

- cpu_spec_mitigations=off: Disable all mitigations.

- cpu_spec_mitigations=auto: [default] Enable all the default
  mitigations, but leave SMT enabled, even if it's vulnerable.

- cpu_spec_mitigations=auto,nosmt: Enable all the default mitigations,
  disabling SMT if needed by a mitigation.

Currently, these options are placeholders which don't actually do
anything.  They will be fleshed out in upcoming patches.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
---
 .../admin-guide/kernel-parameters.txt         | 23 +++++++++++++++++++
 include/linux/cpu.h                           |  8 +++++++
 kernel/cpu.c                                  | 15 ++++++++++++
 3 files changed, 46 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index c4d830003b21..ac42e510bd6e 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2544,6 +2544,29 @@
 			in the "bleeding edge" mini2440 support kernel at
 			http://repo.or.cz/w/linux-2.6/mini2440.git
 
+	cpu_spec_mitigations=
+			[KNL] Control mitigations for CPU speculation
+			vulnerabilities on affected CPUs.  This is a set of
+			curated, arch-independent options, each of which is an
+			aggregation of existing options.
+
+			off
+				Disable all speculative CPU mitigations.
+
+			auto (default)
+				Mitigate all speculative CPU vulnerabilities,
+				but leave SMT enabled, even if it's vulnerable.
+				This is useful for users who don't want to be
+				surprised by SMT getting disabled across kernel
+				upgrades, or who have other ways of avoiding
+				SMT-based attacks.
+
+			auto,nosmt
+				Mitigate all speculative CPU vulnerabilities,
+				disabling SMT if needed.  This is for users who
+				always want to be fully mitigated, even if it
+				means losing SMT.
+
 	mminit_loglevel=
 			[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
 			parameter allows control of the logging verbosity for
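Review bot: The new cpu_spec_mitigations= entry does not say how it interacts with the existing per-vulnerability options it aggregates. State which setting wins when both are given on the command line (for example cpu_spec_mitigations=off together with an explicit spectre_v2= value), and what happens with an unrecognised value. The wording also switches between "CPU speculation vulnerabilities" in the summary and "speculative CPU mitigations" / "speculative CPU vulnerabilities" in the option descriptions; one term throughout would read better.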
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index 5041357d0297..3a1740fda2e2 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -187,4 +187,12 @@ static inline void cpu_smt_disable(bool force) { }
 static inline void cpu_smt_check_topology(void) { }
 #endif
 
+enum cpu_spec_mitigations {
+	CPU_SPEC_MITIGATIONS_OFF,
+	CPU_SPEC_MITIGATIONS_AUTO,
+	CPU_SPEC_MITIGATIONS_AUTO_NOSMT,
+};
+
+extern enum cpu_spec_mitigations cpu_spec_mitigations;
+
 #endif /* _LINUX_CPU_H_ */
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 6c959aea0f9e..0a9d66b90a00 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2306,3 +2306,18 @@ void __init boot_cpu_hotplug_init(void)
 #endif
 	this_cpu_write(cpuhp_state.state, CPUHP_ONLINE);
 }
+
+enum cpu_spec_mitigations cpu_spec_mitigations __ro_after_init = CPU_SPEC_MITIGATIONS_AUTO;
+
+static int __init cpu_spec_mitigations_setup(char *arg)
+{
+	if (!strcmp(arg, "off"))
+		cpu_spec_mitigations = CPU_SPEC_MITIGATIONS_OFF;
+	else if (!strcmp(arg, "auto"))
+		cpu_spec_mitigations = CPU_SPEC_MITIGATIONS_AUTO;
+	else if (!strcmp(arg, "auto,nosmt"))
+		cpu_spec_mitigations = CPU_SPEC_MITIGATIONS_AUTO_NOSMT;
+
+	return 0;
+}
+early_param("cpu_spec_mitigations", cpu_spec_mitigations_setup);
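Review bot: cpu_spec_mitigations_setup() passes arg straight to strcmp() with no NULL check, and an early_param handler is called with a NULL argument when the parameter is given without '='. Add "if (!arg) return -EINVAL;" at the top. The if/else chain also has no final else: an unrecognised value such as a typo silently keeps CPU_SPEC_MITIGATIONS_AUTO and returns 0, so a warning naming the rejected value would make the mistake visible in the boot log.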
-- 
2.17.2



* [PATCH RFC 2/5] x86/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 [PATCH RFC 0/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options Josh Poimboeuf
  2019-04-04 16:44 ` [PATCH RFC 1/5] " Josh Poimboeuf
@ 2019-04-04 16:44 ` Josh Poimboeuf
  2019-04-05 13:57   ` Borislav Petkov
  2019-04-04 16:44 ` [PATCH RFC 3/5] powerpc/speculation: " Josh Poimboeuf
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-04 16:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, Will Deacon, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

Configure x86 runtime CPU speculation bug mitigations in accordance with
the 'cpu_spec_mitigations=' cmdline options.  This affects Meltdown,
Spectre v2, Speculative Store Bypass, and L1TF.

The default behavior is unchanged.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
---
 .../admin-guide/kernel-parameters.txt         | 15 +++++++++
 arch/x86/include/asm/processor.h              |  1 +
 arch/x86/kernel/cpu/bugs.c                    | 32 ++++++++++++++++---
 arch/x86/kvm/vmx/vmx.c                        |  2 ++
 arch/x86/mm/pti.c                             |  4 ++-
 5 files changed, 49 insertions(+), 5 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index ac42e510bd6e..29dc03971630 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2552,6 +2552,11 @@
 
 			off
 				Disable all speculative CPU mitigations.
+				Equivalent to: nopti [x86]
+					       nospectre_v2 [x86]
+					       spectre_v2_user=off [x86]
+					       spec_store_bypass_disable=off [x86]
+					       l1tf=off [x86]
 
 			auto (default)
 				Mitigate all speculative CPU vulnerabilities,
@@ -2560,12 +2565,22 @@
 				surprised by SMT getting disabled across kernel
 				upgrades, or who have other ways of avoiding
 				SMT-based attacks.
+				Equivalent to: pti=auto [x86]
+					       spectre_v2=auto [x86]
+					       spectre_v2_user=auto [x86]
+					       spec_store_bypass_disable=auto [x86]
+					       l1tf=flush [x86]
 
 			auto,nosmt
 				Mitigate all speculative CPU vulnerabilities,
 				disabling SMT if needed.  This is for users who
 				always want to be fully mitigated, even if it
 				means losing SMT.
+				Equivalent to: pti=auto [x86]
+					       spectre_v2=auto [x86]
+					       spectre_v2_user=auto [x86]
+					       spec_store_bypass_disable=auto [x86]
+					       l1tf=flush,nosmt [x86]
 
 	mminit_loglevel=
 			[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 2bb3a648fc12..7e95b310f869 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -982,6 +982,7 @@ void microcode_check(void);
 
 enum l1tf_mitigations {
 	L1TF_MITIGATION_OFF,
+	L1TF_MITIGATION_DEFAULT,
 	L1TF_MITIGATION_FLUSH_NOWARN,
 	L1TF_MITIGATION_FLUSH,
 	L1TF_MITIGATION_FLUSH_NOSMT,
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 2da82eff0eb4..65b95fb95ba5 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -308,8 +308,11 @@ spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd)
 
 	ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
 				  arg, sizeof(arg));
-	if (ret < 0)
+	if (ret < 0) {
+		if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
+			return SPECTRE_V2_USER_CMD_NONE;
 		return SPECTRE_V2_USER_CMD_AUTO;
+	}
 
 	for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
 		if (match_option(arg, ret, v2_user_options[i].option)) {
@@ -444,8 +447,11 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
 		return SPECTRE_V2_CMD_NONE;
 
 	ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
-	if (ret < 0)
+	if (ret < 0) {
+		if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
+			return SPECTRE_V2_CMD_NONE;
 		return SPECTRE_V2_CMD_AUTO;
+	}
 
 	for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
 		if (!match_option(arg, ret, mitigation_options[i].option))
@@ -677,8 +683,11 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
 	} else {
 		ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
 					  arg, sizeof(arg));
-		if (ret < 0)
+		if (ret < 0) {
+			if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
+				return SPEC_STORE_BYPASS_CMD_NONE;
 			return SPEC_STORE_BYPASS_CMD_AUTO;
+		}
 
 		for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
 			if (!match_option(arg, ret, ssb_mitigation_options[i].option))
@@ -955,7 +964,7 @@ void x86_spec_ctrl_setup_ap(void)
 #define pr_fmt(fmt)	"L1TF: " fmt
 
 /* Default mitigation for L1TF-affected CPUs */
-enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
+enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_DEFAULT;
 #if IS_ENABLED(CONFIG_KVM_INTEL)
 EXPORT_SYMBOL_GPL(l1tf_mitigation);
 #endif
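Review bot: The context comment "/* Default mitigation for L1TF-affected CPUs */" no longer matches the initializer below it: L1TF_MITIGATION_DEFAULT is a placeholder that l1tf_select_mitigation() resolves later, not a mitigation. Update the comment to say so, and mention that the variable is exported to KVM under CONFIG_KVM_INTEL, so the placeholder value is visible outside bugs.c.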
@@ -1010,8 +1019,23 @@ static void __init l1tf_select_mitigation(void)
 
 	override_cache_bits(&boot_cpu_data);
 
+	if (l1tf_mitigation == L1TF_MITIGATION_DEFAULT) {
+		switch (cpu_spec_mitigations) {
+		case CPU_SPEC_MITIGATIONS_OFF:
+			l1tf_mitigation = L1TF_MITIGATION_OFF;
+			break;
+		case CPU_SPEC_MITIGATIONS_AUTO:
+			l1tf_mitigation = L1TF_MITIGATION_FLUSH;
+			break;
+		case CPU_SPEC_MITIGATIONS_AUTO_NOSMT:
+			l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
+			break;
+		}
+	}
+
 	switch (l1tf_mitigation) {
 	case L1TF_MITIGATION_OFF:
+	case L1TF_MITIGATION_DEFAULT:
 	case L1TF_MITIGATION_FLUSH_NOWARN:
 	case L1TF_MITIGATION_FLUSH:
 		break;
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index ab432a930ae8..83b5bdc3c777 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -233,6 +233,7 @@ static int vmx_setup_l1d_flush(enum vmx_l1d_flush_state l1tf)
 		case L1TF_MITIGATION_FLUSH_NOWARN:
 		case L1TF_MITIGATION_FLUSH:
 		case L1TF_MITIGATION_FLUSH_NOSMT:
+		case L1TF_MITIGATION_DEFAULT:
 			l1tf = VMENTER_L1D_FLUSH_COND;
 			break;
 		case L1TF_MITIGATION_FULL:
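Review bot: In vmx_setup_l1d_flush(), "case L1TF_MITIGATION_DEFAULT:" is grouped with the FLUSH cases without a comment explaining when KVM can still observe the unresolved placeholder. If l1tf_select_mitigation() always resolves it, this case is dead code that hides a bug instead of reporting it; if the placeholder can legitimately survive, the comment should name the condition. The same applies to the case added to vmx_vm_init() in the next hunk.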
@@ -6686,6 +6687,7 @@ static int vmx_vm_init(struct kvm *kvm)
 		case L1TF_MITIGATION_FLUSH:
 		case L1TF_MITIGATION_FLUSH_NOSMT:
 		case L1TF_MITIGATION_FULL:
+		case L1TF_MITIGATION_DEFAULT:
 			/*
 			 * Warn upon starting the first VM in a potentially
 			 * insecure environment.
diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
index 139b28a01ce4..6d3bf680bf95 100644
--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -35,6 +35,7 @@
 #include <linux/spinlock.h>
 #include <linux/mm.h>
 #include <linux/uaccess.h>
+#include <linux/cpu.h>
 
 #include <asm/cpufeature.h>
 #include <asm/hypervisor.h>
@@ -115,7 +116,8 @@ void __init pti_check_boottime_disable(void)
 		}
 	}
 
-	if (cmdline_find_option_bool(boot_command_line, "nopti")) {
+	if (cmdline_find_option_bool(boot_command_line, "nopti") ||
+	    cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF) {
 		pti_mode = PTI_FORCE_OFF;
 		pti_print_if_insecure("disabled on command line.");
 		return;
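Review bot: With the added "cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF" condition in pti_check_boottime_disable(), the message "disabled on command line." no longer tells the reader which option turned PTI off. The arm64 patch in this series records the option name in str for its log line; doing the equivalent here would make boot logs unambiguous when auditing why PTI is off.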
-- 
2.17.2



* [PATCH RFC 3/5] powerpc/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 [PATCH RFC 0/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options Josh Poimboeuf
  2019-04-04 16:44 ` [PATCH RFC 1/5] " Josh Poimboeuf
  2019-04-04 16:44 ` [PATCH RFC 2/5] x86/speculation: Add support for " Josh Poimboeuf
@ 2019-04-04 16:44 ` Josh Poimboeuf
  2019-04-04 19:49   ` Jiri Kosina
  2019-04-10  6:06   ` Michael Ellerman
  2019-04-04 16:44 ` [PATCH RFC 4/5] s390/speculation: " Josh Poimboeuf
                   ` (2 subsequent siblings)
  5 siblings, 2 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-04 16:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, Will Deacon, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

Configure powerpc CPU runtime speculation bug mitigations in accordance
with the 'cpu_spec_mitigations=' cmdline options.  This affects
Meltdown, Spectre v1, Spectre v2, and Speculative Store Bypass.

The default behavior is unchanged.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
---
 Documentation/admin-guide/kernel-parameters.txt | 9 +++++----
 arch/powerpc/kernel/security.c                  | 6 +++---
 arch/powerpc/kernel/setup_64.c                  | 2 +-
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 29dc03971630..0e8eae1e8a25 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2552,10 +2552,11 @@
 
 			off
 				Disable all speculative CPU mitigations.
-				Equivalent to: nopti [x86]
+				Equivalent to: nopti [x86, powerpc]
+					       nospectre_v1 [powerpc]
 					       nospectre_v2 [x86]
 					       spectre_v2_user=off [x86]
-					       spec_store_bypass_disable=off [x86]
+					       spec_store_bypass_disable=off [x86, powerpc]
 					       l1tf=off [x86]
 
 			auto (default)
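Review bot: The "nospectre_v2 [x86]" context line is left unchanged in this hunk although this patch makes powerpc's setup_spectre_v2() honour cpu_spec_mitigations=off; the powerpc tag for nospectre_v2 only appears in the s390 patch (4/5). Move that documentation change into this patch so each patch documents what it implements.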
@@ -2568,7 +2569,7 @@
 				Equivalent to: pti=auto [x86]
 					       spectre_v2=auto [x86]
 					       spectre_v2_user=auto [x86]
-					       spec_store_bypass_disable=auto [x86]
+					       spec_store_bypass_disable=auto [x86, powerpc]
 					       l1tf=flush [x86]
 
 			auto,nosmt
@@ -2579,7 +2580,7 @@
 				Equivalent to: pti=auto [x86]
 					       spectre_v2=auto [x86]
 					       spectre_v2_user=auto [x86]
-					       spec_store_bypass_disable=auto [x86]
+					       spec_store_bypass_disable=auto [x86, powerpc]
 					       l1tf=flush,nosmt [x86]
 
 	mminit_loglevel=
diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
index b33bafb8fcea..5aed4ad729ba 100644
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -57,7 +57,7 @@ void setup_barrier_nospec(void)
 	enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
 		 security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);
 
-	if (!no_nospec)
+	if (!no_nospec && cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)
 		enable_barrier_nospec(enable);
 }
 
@@ -116,7 +116,7 @@ static int __init handle_nospectre_v2(char *p)
 early_param("nospectre_v2", handle_nospectre_v2);
 void setup_spectre_v2(void)
 {
-	if (no_spectrev2)
+	if (no_spectrev2 || cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
 		do_btb_flush_fixups();
 	else
 		btb_flush_enabled = true;
@@ -300,7 +300,7 @@ void setup_stf_barrier(void)
 
 	stf_enabled_flush_types = type;
 
-	if (!no_stf_barrier)
+	if (!no_stf_barrier && cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)
 		stf_barrier_enable(enable);
 }
 
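Review bot: The changed condition in setup_stf_barrier(), like the two hunks above it, references cpu_spec_mitigations and CPU_SPEC_MITIGATIONS_OFF, but this patch adds no #include <linux/cpu.h> to security.c or setup_64.c, unlike the s390 and arm64 patches. Add the include explicitly instead of relying on it being pulled in indirectly.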
diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
index ba404dd9ce1d..d9d796a66a79 100644
--- a/arch/powerpc/kernel/setup_64.c
+++ b/arch/powerpc/kernel/setup_64.c
@@ -932,7 +932,7 @@ void setup_rfi_flush(enum l1d_flush_type types, bool enable)
 
 	enabled_flush_types = types;
 
-	if (!no_rfi_flush)
+	if (!no_rfi_flush || cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)
 		rfi_flush_enable(enable);
 }
 
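Review bot: The condition in setup_rfi_flush() uses '||' where the security.c hunks use '&&': "if (!no_rfi_flush || cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)". As written, cpu_spec_mitigations=off on its own does not skip rfi_flush_enable() because !no_rfi_flush is still true, and with the default setting no_rfi_flush on its own no longer skips it because the second operand is true, which contradicts "The default behavior is unchanged". This should be '&&'.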
-- 
2.17.2



* [PATCH RFC 4/5] s390/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 [PATCH RFC 0/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options Josh Poimboeuf
                   ` (2 preceding siblings ...)
  2019-04-04 16:44 ` [PATCH RFC 3/5] powerpc/speculation: " Josh Poimboeuf
@ 2019-04-04 16:44 ` Josh Poimboeuf
  2019-04-04 16:44 ` [PATCH RFC 5/5] arm64/speculation: " Josh Poimboeuf
  2019-04-04 16:50 ` [PATCH RFC 0/5] cpu/speculation: Add " Waiman Long
  5 siblings, 0 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-04 16:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, Will Deacon, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

Configure s390 runtime CPU speculation bug mitigations in accordance
with the 'cpu_spec_mitigations=' cmdline options.  This affects Spectre
v1 and Spectre v2.

The default behavior is unchanged.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
---
 Documentation/admin-guide/kernel-parameters.txt | 7 ++++---
 arch/s390/kernel/nospec-branch.c                | 4 +++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 0e8eae1e8a25..e838af96daa4 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2554,8 +2554,9 @@
 				Disable all speculative CPU mitigations.
 				Equivalent to: nopti [x86, powerpc]
 					       nospectre_v1 [powerpc]
-					       nospectre_v2 [x86]
+					       nospectre_v2 [x86, powerpc, s390]
 					       spectre_v2_user=off [x86]
+					       nobp=0 [s390]
 					       spec_store_bypass_disable=off [x86, powerpc]
 					       l1tf=off [x86]
 
@@ -2567,7 +2568,7 @@
 				upgrades, or who have other ways of avoiding
 				SMT-based attacks.
 				Equivalent to: pti=auto [x86]
-					       spectre_v2=auto [x86]
+					       spectre_v2=auto [x86, s390]
 					       spectre_v2_user=auto [x86]
 					       spec_store_bypass_disable=auto [x86, powerpc]
 					       l1tf=flush [x86]
@@ -2578,7 +2579,7 @@
 				always want to be fully mitigated, even if it
 				means losing SMT.
 				Equivalent to: pti=auto [x86]
-					       spectre_v2=auto [x86]
+					       spectre_v2=auto [x86, s390]
 					       spectre_v2_user=auto [x86]
 					       spec_store_bypass_disable=auto [x86, powerpc]
 					       l1tf=flush,nosmt [x86]
diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c
index bdddaae96559..c40eb672b43a 100644
--- a/arch/s390/kernel/nospec-branch.c
+++ b/arch/s390/kernel/nospec-branch.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/module.h>
 #include <linux/device.h>
+#include <linux/cpu.h>
 #include <asm/nospec-branch.h>
 
 static int __init nobp_setup_early(char *str)
@@ -58,7 +59,8 @@ early_param("nospectre_v2", nospectre_v2_setup_early);
 
 void __init nospec_auto_detect(void)
 {
-	if (test_facility(156)) {
+	if (test_facility(156) ||
+	    cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF) {
 		/*
 		 * The machine supports etokens.
 		 * Disable expolines and disable nobp.
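Review bot: The branch in nospec_auto_detect() is now also taken for cpu_spec_mitigations=off, but the comment inside it still reads "The machine supports etokens." Update the comment to cover both reasons, or give the off case its own branch so the etoken explanation stays accurate.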
-- 
2.17.2



* [PATCH RFC 5/5] arm64/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 [PATCH RFC 0/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options Josh Poimboeuf
                   ` (3 preceding siblings ...)
  2019-04-04 16:44 ` [PATCH RFC 4/5] s390/speculation: " Josh Poimboeuf
@ 2019-04-04 16:44 ` Josh Poimboeuf
  2019-04-05 14:39   ` Steven Price
  2019-04-05 14:44   ` Will Deacon
  2019-04-04 16:50 ` [PATCH RFC 0/5] cpu/speculation: Add " Waiman Long
  5 siblings, 2 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-04 16:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, Will Deacon, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

Configure arm64 runtime CPU speculation bug mitigations in accordance
with the 'cpu_spec_mitigations=' cmdline options.  This affects
Meltdown and Speculative Store Bypass.

The default behavior is unchanged.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
---
 Documentation/admin-guide/kernel-parameters.txt | 2 ++
 arch/arm64/kernel/cpu_errata.c                  | 4 ++++
 arch/arm64/kernel/cpufeature.c                  | 6 ++++++
 3 files changed, 12 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index e838af96daa4..0b54385ee7a8 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2553,11 +2553,13 @@
 			off
 				Disable all speculative CPU mitigations.
 				Equivalent to: nopti [x86, powerpc]
+					       kpti=0 [arm64]
 					       nospectre_v1 [powerpc]
 					       nospectre_v2 [x86, powerpc, s390]
 					       spectre_v2_user=off [x86]
 					       nobp=0 [s390]
 					       spec_store_bypass_disable=off [x86, powerpc]
+					       ssbd=force-off [arm64]
 					       l1tf=off [x86]
 
 			auto (default)
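Review bot: Only the "off" list gains arm64 entries in this hunk (kpti=0 and ssbd=force-off); the "auto" and "auto,nosmt" lists get no arm64 equivalents, while the other architectures are listed there. Add the arm64 settings those values correspond to, or state explicitly that they leave the arm64 defaults untouched.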
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index 9950bb0cbd52..db8d27e3fb1c 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -19,6 +19,7 @@
 #include <linux/arm-smccc.h>
 #include <linux/psci.h>
 #include <linux/types.h>
+#include <linux/cpu.h>
 #include <asm/cpu.h>
 #include <asm/cputype.h>
 #include <asm/cpufeature.h>
@@ -385,6 +386,9 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,
 		return false;
 	}
 
+	if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
+		ssbd_state = ARM64_SSBD_FORCE_DISABLE;
+
 	switch (psci_ops.conduit) {
 	case PSCI_CONDUIT_HVC:
 		arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
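Review bot: The added assignment in has_ssbd_mitigation() sets ssbd_state to ARM64_SSBD_FORCE_DISABLE unconditionally, so cpu_spec_mitigations=off replaces whatever ssbd_state held before, including an explicit choice. The x86 patch applies the global setting only when the specific option is absent (the "ret < 0" path). Pick one precedence rule for the whole series and document it in kernel-parameters.txt.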
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 4061de10cea6..4512b582d50f 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -25,6 +25,7 @@
 #include <linux/stop_machine.h>
 #include <linux/types.h>
 #include <linux/mm.h>
+#include <linux/cpu.h>
 #include <asm/cpu.h>
 #include <asm/cpufeature.h>
 #include <asm/cpu_ops.h>
@@ -978,6 +979,11 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
 		__kpti_forced = -1;
 	}
 
+	if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF) {
+		str = "cpu_spec_mitigations=off";
+		__kpti_forced = -1;
+	}
+
 	/* Forced? */
 	if (__kpti_forced) {
 		pr_info_once("kernel page table isolation forced %s by %s\n",
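Review bot: The new block in unmap_kernel_at_el0() overwrites both str and __kpti_forced after the earlier forcing logic has already run, so the "forced %s by %s" message always names cpu_spec_mitigations=off even when another reason had set them, and any earlier value of __kpti_forced is replaced by -1. Apply the global setting only when __kpti_forced is still 0, or document that it takes priority over the other sources.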
-- 
2.17.2



* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 ` [PATCH RFC 1/5] " Josh Poimboeuf
@ 2019-04-04 16:49   ` Josh Poimboeuf
  2019-04-05 13:12   ` Borislav Petkov
  1 sibling, 0 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-04 16:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, Will Deacon, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

On Thu, Apr 04, 2019 at 11:44:11AM -0500, Josh Poimboeuf wrote:
> Keeping track of the number of mitigations for all the CPU speculation
> bugs has become overwhelming for many users.  It's getting more and more
> complicated to decide which mitigations are needed for a given
> architecture.  Complicating matters is the fact that each arch tends to
> their own custom way to mitigate the same vulnerability.

... tends to _have_ its own custom way ...

-- 
Josh


* Re: [PATCH RFC 0/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 [PATCH RFC 0/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options Josh Poimboeuf
                   ` (4 preceding siblings ...)
  2019-04-04 16:44 ` [PATCH RFC 5/5] arm64/speculation: " Josh Poimboeuf
@ 2019-04-04 16:50 ` Waiman Long
  5 siblings, 0 replies; 33+ messages in thread
From: Waiman Long @ 2019-04-04 16:50 UTC (permalink / raw)
  To: Josh Poimboeuf, linux-kernel
  Cc: x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On 04/04/2019 12:44 PM, Josh Poimboeuf wrote:
> Keeping track of the number of mitigations for all the CPU speculation
> bugs has become overwhelming for many users.  It's getting more and more
> complicated to decide which mitigations are needed for a given
> architecture.  Complicating matters is the fact that each arch tends to
> it own custom way to mitigate the same vulnerability.

... tends to "have its" own ... ?

-Longman


* Re: [PATCH RFC 3/5] powerpc/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 ` [PATCH RFC 3/5] powerpc/speculation: " Josh Poimboeuf
@ 2019-04-04 19:49   ` Jiri Kosina
  2019-04-04 20:01     ` Timothy Pearson
  2019-04-10  6:06   ` Michael Ellerman
  1 sibling, 1 reply; 33+ messages in thread
From: Jiri Kosina @ 2019-04-04 19:49 UTC (permalink / raw)
  To: Josh Poimboeuf
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Thu, 4 Apr 2019, Josh Poimboeuf wrote:

> Configure powerpc CPU runtime speculation bug mitigations in accordance
> with the 'cpu_spec_mitigations=' cmdline options.  This affects
> Meltdown, Spectre v1, Spectre v2, and Speculative Store Bypass.
[ ... snip ... ]
> -	if (!no_nospec)
> +	if (!no_nospec && cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)

'!no_nospec' is something that I am sure will come back to hunt me in my 
bad dreams.

But that's been there already, and fixing it is out of scope of this 
patch. Other than that, as discussed previously -- I really like this new 
global option. Feel free to add

	Reviewed-by: Jiri Kosina <jkosina@suse.cz>

for the whole set.

Thanks,

-- 
Jiri Kosina
SUSE Labs



* Re: [PATCH RFC 3/5] powerpc/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 19:49   ` Jiri Kosina
@ 2019-04-04 20:01     ` Timothy Pearson
  0 siblings, 0 replies; 33+ messages in thread
From: Timothy Pearson @ 2019-04-04 20:01 UTC (permalink / raw)
  To: Jiri Kosina
  Cc: Josh Poimboeuf, Peter Zijlstra, Heiko Carstens, Paul Mackerras,
	H . Peter Anvin, Ingo Molnar, Andrea Arcangeli, linux-s390, x86,
	Will Deacon, Linus Torvalds, Catalin Marinas, Waiman Long,
	linux-arch, Jon Masters, Borislav Petkov, Andy Lutomirski,
	Thomas Gleixner, linux-arm-kernel, Greg Kroah-Hartman,
	linux-kernel, Tyler Hicks, Martin Schwidefsky, linuxppc-dev

Will be joining in ~ 5 mins.  Getting Chromium set up here.

----- Original Message -----
> From: "Jiri Kosina" <jikos@kernel.org>
> To: "Josh Poimboeuf" <jpoimboe@redhat.com>
> Cc: "Peter Zijlstra" <peterz@infradead.org>, "Heiko Carstens" <heiko.carstens@de.ibm.com>, "Paul Mackerras"
> <paulus@samba.org>, "H . Peter Anvin" <hpa@zytor.com>, "Ingo Molnar" <mingo@kernel.org>, "Andrea Arcangeli"
> <aarcange@redhat.com>, linux-s390@vger.kernel.org, x86@kernel.org, "Will Deacon" <will.deacon@arm.com>, "Linus
> Torvalds" <torvalds@linux-foundation.org>, "Catalin Marinas" <catalin.marinas@arm.com>, "Waiman Long"
> <longman@redhat.com>, linux-arch@vger.kernel.org, "Jon Masters" <jcm@redhat.com>, "Borislav Petkov" <bp@alien8.de>,
> "Andy Lutomirski" <luto@kernel.org>, "Thomas Gleixner" <tglx@linutronix.de>, linux-arm-kernel@lists.infradead.org,
> "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, linux-kernel@vger.kernel.org, "Tyler Hicks" <tyhicks@canonical.com>,
> "Martin Schwidefsky" <schwidefsky@de.ibm.com>, linuxppc-dev@lists.ozlabs.org
> Sent: Thursday, April 4, 2019 2:49:05 PM
> Subject: Re: [PATCH RFC 3/5] powerpc/speculation: Add support for 'cpu_spec_mitigations=' cmdline options

> On Thu, 4 Apr 2019, Josh Poimboeuf wrote:
> 
>> Configure powerpc CPU runtime speculation bug mitigations in accordance
>> with the 'cpu_spec_mitigations=' cmdline options.  This affects
>> Meltdown, Spectre v1, Spectre v2, and Speculative Store Bypass.
> [ ... snip ... ]
>> -	if (!no_nospec)
>> +	if (!no_nospec && cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)
> 
> '!no_nospec' is something that I am sure will come back to haunt me in my
> bad dreams.
> 
> But that's been there already, and fixing it is out of scope of this
> patch. Other than that, as discussed previously -- I really like this new
> global option. Feel free to add
> 
>	Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> 
> for the whole set.
> 
> Thanks,
> 
> --
> Jiri Kosina
> SUSE Labs


* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 ` [PATCH RFC 1/5] " Josh Poimboeuf
  2019-04-04 16:49   ` Josh Poimboeuf
@ 2019-04-05 13:12   ` Borislav Petkov
  2019-04-05 14:20     ` Josh Poimboeuf
  1 sibling, 1 reply; 33+ messages in thread
From: Borislav Petkov @ 2019-04-05 13:12 UTC (permalink / raw)
  To: Josh Poimboeuf
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Thu, Apr 04, 2019 at 11:44:11AM -0500, Josh Poimboeuf wrote:
> Keeping track of the number of mitigations for all the CPU speculation
> bugs has become overwhelming for many users.  It's getting more and more
> complicated to decide which mitigations are needed for a given
> architecture.  Complicating matters is the fact that each arch tends to
> have their own custom way to mitigate the same vulnerability.

Yap, we definitely need something like that.

> Most users fall into a few basic categories:
> 
> a) they want all mitigations off;
> 
> b) they want all reasonable mitigations on, with SMT enabled even if
>    it's vulnerable; or

Uff, "reasonable" - there's the bikeshed waiting to happen.

> c) they want all reasonable mitigations on, with SMT disabled if
>    vulnerable.
> 
> Define a set of curated, arch-independent options, each of which is an
> aggregation of existing options:
> 
> - cpu_spec_mitigations=off: Disable all mitigations.

"cpu_spec_mitigations" is too long, TBH.

Imagine yourself in a loud, noisy data center - you basically can't wait
to leave - crouched over a keyboard in an impossible position, having
to type that thing and then making a typo. Whoops, too late, already
pressed Enter. Shiiiit!

Now you have to wait at least 15 mins for the damn single-threaded added
value BIOS crap to noodle through all the cores just so you can try
again, because you just rebooted the box.

And I know, my ideas for shorter cmdline options are crazy, like

cpu_spec_mtg=

which people would say, yuck, unreadable...

Oh, I know! How about

cpu_vulns=

?

We already have /sys/devices/system/cpu/vulnerabilities so it'll be the
same as that. Less things to remember.

> - cpu_spec_mitigations=auto: [default] Enable all the default
>   mitigations, but leave SMT enabled, even if it's vulnerable.
> 
> - cpu_spec_mitigations=auto,nosmt: Enable all the default mitigations,
>   disabling SMT if needed by a mitigation.

Yah, the suboption choices make sense to me.

> 
> Currently, these options are placeholders which don't actually do
> anything.  They will be fleshed out in upcoming patches.
> 
> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> ---
>  .../admin-guide/kernel-parameters.txt         | 23 +++++++++++++++++++
>  include/linux/cpu.h                           |  8 +++++++
>  kernel/cpu.c                                  | 15 ++++++++++++
>  3 files changed, 46 insertions(+)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index c4d830003b21..ac42e510bd6e 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2544,6 +2544,29 @@
>  			in the "bleeding edge" mini2440 support kernel at
>  			http://repo.or.cz/w/linux-2.6/mini2440.git
>  
> +	cpu_spec_mitigations=
> +			[KNL] Control mitigations for CPU speculation
> +			vulnerabilities on affected CPUs.  This is a set of
> +			curated, arch-independent options, each of which is an
> +			aggregation of existing options.
> +
> +			off
> +				Disable all speculative CPU mitigations.
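
Review bot: the wording in the new entry is inconsistent: the summary line says "mitigations for CPU speculation vulnerabilities", while the `off` text says "Disable all speculative CPU mitigations", which reads as if the mitigations themselves were speculative. Suggest "Disable all CPU speculation mitigations" so the `off` description matches the summary.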

Alias to

cpu_vulns=make_linux_fast_again

:-P

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.


* Re: [PATCH RFC 2/5] x86/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 ` [PATCH RFC 2/5] x86/speculation: Add support for " Josh Poimboeuf
@ 2019-04-05 13:57   ` Borislav Petkov
  2019-04-05 14:31     ` Josh Poimboeuf
  2019-04-05 15:18     ` Randy Dunlap
  0 siblings, 2 replies; 33+ messages in thread
From: Borislav Petkov @ 2019-04-05 13:57 UTC (permalink / raw)
  To: Josh Poimboeuf
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Thu, Apr 04, 2019 at 11:44:12AM -0500, Josh Poimboeuf wrote:
> Configure x86 runtime CPU speculation bug mitigations in accordance with
> the 'cpu_spec_mitigations=' cmdline options.  This affects Meltdown,
> Spectre v2, Speculative Store Bypass, and L1TF.
> 
> The default behavior is unchanged.
> 
> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> ---
>  .../admin-guide/kernel-parameters.txt         | 15 +++++++++
>  arch/x86/include/asm/processor.h              |  1 +
>  arch/x86/kernel/cpu/bugs.c                    | 32 ++++++++++++++++---
>  arch/x86/kvm/vmx/vmx.c                        |  2 ++
>  arch/x86/mm/pti.c                             |  4 ++-
>  5 files changed, 49 insertions(+), 5 deletions(-)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index ac42e510bd6e..29dc03971630 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2552,6 +2552,11 @@
>  
>  			off
>  				Disable all speculative CPU mitigations.
> +				Equivalent to: nopti [x86]
> +					       nospectre_v2 [x86]
> +					       spectre_v2_user=off [x86]
> +					       spec_store_bypass_disable=off [x86]
> +					       l1tf=off [x86]
>  
>  			auto (default)
>  				Mitigate all speculative CPU vulnerabilities,
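
Review bot: the "Equivalent to:" list added under `off` does not say what happens when one of the listed options is also given explicitly. In the bugs.c hunks of this patch the new test sits inside the `if (ret < 0)` branch, so an explicit `spectre_v2=`, `spectre_v2_user=` or `spec_store_bypass_disable=` still wins over `cpu_spec_mitigations=off`. Add a sentence stating that precedence so the documentation matches the code.
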
> @@ -2560,12 +2565,22 @@
>  				surprised by SMT getting disabled across kernel
>  				upgrades, or who have other ways of avoiding
>  				SMT-based attacks.
> +				Equivalent to: pti=auto [x86]
> +					       spectre_v2=auto [x86]
> +					       spectre_v2_user=auto [x86]
> +					       spec_store_bypass_disable=auto [x86]
> +					       l1tf=flush [x86]
>  
>  			auto,nosmt
>  				Mitigate all speculative CPU vulnerabilities,
>  				disabling SMT if needed.  This is for users who
>  				always want to be fully mitigated, even if it
>  				means losing SMT.
> +				Equivalent to: pti=auto [x86]
> +					       spectre_v2=auto [x86]
> +					       spectre_v2_user=auto [x86]
> +					       spec_store_bypass_disable=auto [x86]
> +					       l1tf=flush,nosmt [x86]
>  
>  	mminit_loglevel=
>  			[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this

Yap, those sets look ok.

> diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
> index 2bb3a648fc12..7e95b310f869 100644
> --- a/arch/x86/include/asm/processor.h
> +++ b/arch/x86/include/asm/processor.h
> @@ -982,6 +982,7 @@ void microcode_check(void);
>  
>  enum l1tf_mitigations {
>  	L1TF_MITIGATION_OFF,
> +	L1TF_MITIGATION_DEFAULT,
>  	L1TF_MITIGATION_FLUSH_NOWARN,
>  	L1TF_MITIGATION_FLUSH,
>  	L1TF_MITIGATION_FLUSH_NOSMT,
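
Review bot: `L1TF_MITIGATION_DEFAULT` is added without a comment, and it is inserted between `L1TF_MITIGATION_OFF` and `L1TF_MITIGATION_FLUSH_NOWARN`, which changes the numeric value of every later enumerator. Suggest a one-line comment saying it means "no l1tf= given, resolve from cpu_spec_mitigations in l1tf_select_mitigation()", and either appending it at the end of the enum or confirming that nothing depends on the existing ordering.
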
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index 2da82eff0eb4..65b95fb95ba5 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -308,8 +308,11 @@ spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd)
>  
>  	ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
>  				  arg, sizeof(arg));
> -	if (ret < 0)
> +	if (ret < 0) {
> +		if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
> +			return SPECTRE_V2_USER_CMD_NONE;

Instead of sprinkling that test in those three functions, just do it
once above in check_bugs(), before those *_select_mitigation() functions
get to run and depending on the value, you either run them or use the
default settings, for the OFF case, for example.

>  		return SPECTRE_V2_USER_CMD_AUTO;
> +	}
>  
>  	for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
>  		if (match_option(arg, ret, v2_user_options[i].option)) {
> @@ -444,8 +447,11 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
>  		return SPECTRE_V2_CMD_NONE;
>  
>  	ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
> -	if (ret < 0)
> +	if (ret < 0) {
> +		if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
> +			return SPECTRE_V2_CMD_NONE;
>  		return SPECTRE_V2_CMD_AUTO;
> +	}
>  
>  	for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
>  		if (!match_option(arg, ret, mitigation_options[i].option))
> @@ -677,8 +683,11 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
>  	} else {
>  		ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
>  					  arg, sizeof(arg));
> -		if (ret < 0)
> +		if (ret < 0) {
> +			if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
> +				return SPEC_STORE_BYPASS_CMD_NONE;
>  			return SPEC_STORE_BYPASS_CMD_AUTO;
> +		}
>  
>  		for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
>  			if (!match_option(arg, ret, ssb_mitigation_options[i].option))
> @@ -955,7 +964,7 @@ void x86_spec_ctrl_setup_ap(void)
>  #define pr_fmt(fmt)	"L1TF: " fmt
>  
>  /* Default mitigation for L1TF-affected CPUs */
> -enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
> +enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_DEFAULT;
>  #if IS_ENABLED(CONFIG_KVM_INTEL)
>  EXPORT_SYMBOL_GPL(l1tf_mitigation);
>  #endif
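
Review bot: the comment above the definition still reads "Default mitigation for L1TF-affected CPUs", but the initializer is now the placeholder `L1TF_MITIGATION_DEFAULT` rather than an actual mitigation. Update the comment to say the real default is chosen in l1tf_select_mitigation() from `cpu_spec_mitigations`, and mention that the variable is exported to KVM (the `EXPORT_SYMBOL_GPL` just below), so other readers can observe the placeholder.
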
> @@ -1010,8 +1019,23 @@ static void __init l1tf_select_mitigation(void)
>  
>  	override_cache_bits(&boot_cpu_data);
>  
> +	if (l1tf_mitigation == L1TF_MITIGATION_DEFAULT) {
> +		switch (cpu_spec_mitigations) {
> +		case CPU_SPEC_MITIGATIONS_OFF:
> +			l1tf_mitigation = L1TF_MITIGATION_OFF;
> +			break;
> +		case CPU_SPEC_MITIGATIONS_AUTO:
> +			l1tf_mitigation = L1TF_MITIGATION_FLUSH;
> +			break;
> +		case CPU_SPEC_MITIGATIONS_AUTO_NOSMT:
> +			l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
> +			break;
> +		}
> +	}
> +
>  	switch (l1tf_mitigation) {
>  	case L1TF_MITIGATION_OFF:
> +	case L1TF_MITIGATION_DEFAULT:
>  	case L1TF_MITIGATION_FLUSH_NOWARN:
>  	case L1TF_MITIGATION_FLUSH:
>  		break;
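
Review bot: the inner `switch (cpu_spec_mitigations)` has no `default:` arm, so if another CPU_SPEC_MITIGATIONS_* value is added later, `l1tf_mitigation` stays at `L1TF_MITIGATION_DEFAULT` and lands on the `case L1TF_MITIGATION_DEFAULT:` label added to the second switch, which silently does `break`. Suggest a `default:` arm that picks `L1TF_MITIGATION_FLUSH`, or dropping the `case L1TF_MITIGATION_DEFAULT:` label from the second switch so an unresolved value is noticed.
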
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index ab432a930ae8..83b5bdc3c777 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -233,6 +233,7 @@ static int vmx_setup_l1d_flush(enum vmx_l1d_flush_state l1tf)
>  		case L1TF_MITIGATION_FLUSH_NOWARN:
>  		case L1TF_MITIGATION_FLUSH:
>  		case L1TF_MITIGATION_FLUSH_NOSMT:
> +		case L1TF_MITIGATION_DEFAULT:
>  			l1tf = VMENTER_L1D_FLUSH_COND;
>  			break;
>  		case L1TF_MITIGATION_FULL:
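
Review bot: `case L1TF_MITIGATION_DEFAULT:` is grouped with the FLUSH cases and yields `VMENTER_L1D_FLUSH_COND`. If `l1tf_mitigation` can still be DEFAULT when KVM reads it, `cpu_spec_mitigations=off` is not honored on this path; if it cannot, the label is dead code. Add a comment saying which applies, or map DEFAULT through `cpu_spec_mitigations` here the same way l1tf_select_mitigation() does.
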
> @@ -6686,6 +6687,7 @@ static int vmx_vm_init(struct kvm *kvm)
>  		case L1TF_MITIGATION_FLUSH:
>  		case L1TF_MITIGATION_FLUSH_NOSMT:
>  		case L1TF_MITIGATION_FULL:
> +		case L1TF_MITIGATION_DEFAULT:
>  			/*
>  			 * Warn upon starting the first VM in a potentially
>  			 * insecure environment.

The L1TF bits need to be a separate patch.

Thx.

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.


* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-05 13:12   ` Borislav Petkov
@ 2019-04-05 14:20     ` Josh Poimboeuf
  2019-04-05 15:20       ` Borislav Petkov
  0 siblings, 1 reply; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-05 14:20 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Fri, Apr 05, 2019 at 03:12:11PM +0200, Borislav Petkov wrote:
> On Thu, Apr 04, 2019 at 11:44:11AM -0500, Josh Poimboeuf wrote:
> > Keeping track of the number of mitigations for all the CPU speculation
> > bugs has become overwhelming for many users.  It's getting more and more
> > complicated to decide which mitigations are needed for a given
> > architecture.  Complicating matters is the fact that each arch tends to
> > have their own custom way to mitigate the same vulnerability.
> 
> Yap, we definitely need something like that.
> 
> > Most users fall into a few basic categories:
> > 
> > a) they want all mitigations off;
> > 
> > b) they want all reasonable mitigations on, with SMT enabled even if
> >    it's vulnerable; or
> 
> Uff, "reasonable" - there's the bikeshed waiting to happen.

Luckily the defaults have already been chosen.  So "reasonable" just
means to use the defaults.

> > c) they want all reasonable mitigations on, with SMT disabled if
> >    vulnerable.
> > 
> > Define a set of curated, arch-independent options, each of which is an
> > aggregation of existing options:
> > 
> > - cpu_spec_mitigations=off: Disable all mitigations.
> 
> "cpu_spec_mitigations" is too long, TBH.
> 
> Imagine yourself in a loud, noisy data center - you basically can't wait
> to leave - crouched over a keyboard in an impossible position, having
> to type that thing and then making a typo. Whoops, too late, already
> pressed Enter. Shiiiit!

Sure, it's a bit long.  But it's also easier to remember and more
self-documenting than any shortened option I could come up with.

In your scenario, the fact that it's so easy to remember would save the
day, since you wouldn't have to go look up some obscure shortened option
name in the documentation :-)

Suggestions are welcome but I couldn't come up with a reasonable shorter
option.

> Now you have to wait at least 15 mins for the damn single-threaded added
> value BIOS crap to noodle through all the cores just so you can try
> again, because you just rebooted the box.
> 
> And I know, my ideas for shorter cmdline options are crazy, like
> 
> cpu_spec_mtg=
> 
> which people would say, yuck, unreadable...

I agree with those people.  In my world "mtg" is short for meeting.

> Oh, I know! How about
> 
> cpu_vulns=
> 
> ?

No, because

a) We aren't enabling/disabling *vulnerabilities*, but rather
   mitigations;

b) We aren't enabling/disabling *all* CPU mitigations, only the
   speculative ones.

> We already have /sys/devices/system/cpu/vulnerabilities so it'll be the
> same as that. Less things to remember.

Except that it's not called "cpu_vulns"...

-- 
Josh


* Re: [PATCH RFC 2/5] x86/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-05 13:57   ` Borislav Petkov
@ 2019-04-05 14:31     ` Josh Poimboeuf
  2019-04-05 15:26       ` Borislav Petkov
  2019-04-05 15:18     ` Randy Dunlap
  1 sibling, 1 reply; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-05 14:31 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Fri, Apr 05, 2019 at 03:57:12PM +0200, Borislav Petkov wrote:
> > diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
> > index 2bb3a648fc12..7e95b310f869 100644
> > --- a/arch/x86/include/asm/processor.h
> > +++ b/arch/x86/include/asm/processor.h
> > @@ -982,6 +982,7 @@ void microcode_check(void);
> >  
> >  enum l1tf_mitigations {
> >  	L1TF_MITIGATION_OFF,
> > +	L1TF_MITIGATION_DEFAULT,
> >  	L1TF_MITIGATION_FLUSH_NOWARN,
> >  	L1TF_MITIGATION_FLUSH,
> >  	L1TF_MITIGATION_FLUSH_NOSMT,
> > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> > index 2da82eff0eb4..65b95fb95ba5 100644
> > --- a/arch/x86/kernel/cpu/bugs.c
> > +++ b/arch/x86/kernel/cpu/bugs.c
> > @@ -308,8 +308,11 @@ spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd)
> >  
> >  	ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
> >  				  arg, sizeof(arg));
> > -	if (ret < 0)
> > +	if (ret < 0) {
> > +		if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
> > +			return SPECTRE_V2_USER_CMD_NONE;
> 
> Instead of sprinkling that test in those three functions, just do it
> once above in check_bugs(), before those *_select_mitigation() functions
> get to run and depending on the value, you either run them or use the
> default settings, for the OFF case, for example.

My thinking was that the individual options could be used to override
the global option.  But maybe that's overkill?  I dunno.

> >  		return SPECTRE_V2_USER_CMD_AUTO;
> > +	}
> >  
> >  	for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
> >  		if (match_option(arg, ret, v2_user_options[i].option)) {
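
Review bot: nothing in the code says that placing the new `cpu_spec_mitigations` test inside `if (ret < 0)` is deliberate. Since that placement is what lets an explicit `spectre_v2_user=` override the global option, add a short comment above the test saying so; otherwise a later cleanup that hoists the check into one place changes the precedence without anyone noticing.
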
> > @@ -444,8 +447,11 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
> >  		return SPECTRE_V2_CMD_NONE;
> >  
> >  	ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
> > -	if (ret < 0)
> > +	if (ret < 0) {
> > +		if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
> > +			return SPECTRE_V2_CMD_NONE;
> >  		return SPECTRE_V2_CMD_AUTO;
> > +	}
> >  
> >  	for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
> >  		if (!match_option(arg, ret, mitigation_options[i].option))
> > @@ -677,8 +683,11 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
> >  	} else {
> >  		ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
> >  					  arg, sizeof(arg));
> > -		if (ret < 0)
> > +		if (ret < 0) {
> > +			if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
> > +				return SPEC_STORE_BYPASS_CMD_NONE;
> >  			return SPEC_STORE_BYPASS_CMD_AUTO;
> > +		}
> >  
> >  		for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
> >  			if (!match_option(arg, ret, ssb_mitigation_options[i].option))
> > @@ -955,7 +964,7 @@ void x86_spec_ctrl_setup_ap(void)
> >  #define pr_fmt(fmt)	"L1TF: " fmt
> >  
> >  /* Default mitigation for L1TF-affected CPUs */
> > -enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_FLUSH;
> > +enum l1tf_mitigations l1tf_mitigation __ro_after_init = L1TF_MITIGATION_DEFAULT;
> >  #if IS_ENABLED(CONFIG_KVM_INTEL)
> >  EXPORT_SYMBOL_GPL(l1tf_mitigation);
> >  #endif
> > @@ -1010,8 +1019,23 @@ static void __init l1tf_select_mitigation(void)
> >  
> >  	override_cache_bits(&boot_cpu_data);
> >  
> > +	if (l1tf_mitigation == L1TF_MITIGATION_DEFAULT) {
> > +		switch (cpu_spec_mitigations) {
> > +		case CPU_SPEC_MITIGATIONS_OFF:
> > +			l1tf_mitigation = L1TF_MITIGATION_OFF;
> > +			break;
> > +		case CPU_SPEC_MITIGATIONS_AUTO:
> > +			l1tf_mitigation = L1TF_MITIGATION_FLUSH;
> > +			break;
> > +		case CPU_SPEC_MITIGATIONS_AUTO_NOSMT:
> > +			l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;
> > +			break;
> > +		}
> > +	}
> > +
> >  	switch (l1tf_mitigation) {
> >  	case L1TF_MITIGATION_OFF:
> > +	case L1TF_MITIGATION_DEFAULT:
> >  	case L1TF_MITIGATION_FLUSH_NOWARN:
> >  	case L1TF_MITIGATION_FLUSH:
> >  		break;
> > diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> > index ab432a930ae8..83b5bdc3c777 100644
> > --- a/arch/x86/kvm/vmx/vmx.c
> > +++ b/arch/x86/kvm/vmx/vmx.c
> > @@ -233,6 +233,7 @@ static int vmx_setup_l1d_flush(enum vmx_l1d_flush_state l1tf)
> >  		case L1TF_MITIGATION_FLUSH_NOWARN:
> >  		case L1TF_MITIGATION_FLUSH:
> >  		case L1TF_MITIGATION_FLUSH_NOSMT:
> > +		case L1TF_MITIGATION_DEFAULT:
> >  			l1tf = VMENTER_L1D_FLUSH_COND;
> >  			break;
> >  		case L1TF_MITIGATION_FULL:
> > @@ -6686,6 +6687,7 @@ static int vmx_vm_init(struct kvm *kvm)
> >  		case L1TF_MITIGATION_FLUSH:
> >  		case L1TF_MITIGATION_FLUSH_NOSMT:
> >  		case L1TF_MITIGATION_FULL:
> > +		case L1TF_MITIGATION_DEFAULT:
> >  			/*
> >  			 * Warn upon starting the first VM in a potentially
> >  			 * insecure environment.
> 
> The L1TF bits need to be a separate patch.

I assume you mean just the part where L1TF_MITIGATION_DEFAULT is added?

-- 
Josh


* Re: [PATCH RFC 5/5] arm64/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 ` [PATCH RFC 5/5] arm64/speculation: " Josh Poimboeuf
@ 2019-04-05 14:39   ` Steven Price
  2019-04-05 14:43     ` Josh Poimboeuf
  2019-04-05 14:44   ` Will Deacon
  1 sibling, 1 reply; 33+ messages in thread
From: Steven Price @ 2019-04-05 14:39 UTC (permalink / raw)
  To: Josh Poimboeuf, linux-kernel
  Cc: Peter Zijlstra, Benjamin Herrenschmidt, Heiko Carstens,
	Paul Mackerras, H . Peter Anvin, Ingo Molnar, Andrea Arcangeli,
	linux-s390, Michael Ellerman, x86, Will Deacon, Linus Torvalds,
	Catalin Marinas, Waiman Long, linux-arch, Jon Masters,
	Jiri Kosina, Borislav Petkov, Andy Lutomirski, Thomas Gleixner,
	linux-arm-kernel, Greg Kroah-Hartman, Tyler Hicks,
	Martin Schwidefsky, linuxppc-dev

On 04/04/2019 17:44, Josh Poimboeuf wrote:
> Configure arm64 runtime CPU speculation bug mitigations in accordance
> with the 'cpu_spec_mitigations=' cmdline options.  This affects
> Meltdown and Speculative Store Bypass.
> 
> The default behavior is unchanged.
> 
> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> ---
>  Documentation/admin-guide/kernel-parameters.txt | 2 ++
>  arch/arm64/kernel/cpu_errata.c                  | 4 ++++
>  arch/arm64/kernel/cpufeature.c                  | 6 ++++++
>  3 files changed, 12 insertions(+)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index e838af96daa4..0b54385ee7a8 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2553,11 +2553,13 @@
>  			off
>  				Disable all speculative CPU mitigations.
>  				Equivalent to: nopti [x86, powerpc]
> +					       kpti=0 [arm64]
>  					       nospectre_v1 [powerpc]
>  					       nospectre_v2 [x86, powerpc, s390]
>  					       spectre_v2_user=off [x86]
>  					       nobp=0 [s390]
>  					       spec_store_bypass_disable=off [x86, powerpc]
> +					       ssbd=force-off [arm64]
>  					       l1tf=off [x86]
>  
>  			auto (default)
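
Review bot: only the `off` list gains arm64 entries (`kpti=0`, `ssbd=force-off`); the diffstat shows two added lines in this file, so the `auto` and `auto,nosmt` lists say nothing for arm64. Add the arm64 equivalents there, or a line stating that arm64 keeps its existing defaults in those modes, so the three lists are comparable across architectures.
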
> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
> index 9950bb0cbd52..db8d27e3fb1c 100644
> --- a/arch/arm64/kernel/cpu_errata.c
> +++ b/arch/arm64/kernel/cpu_errata.c
> @@ -19,6 +19,7 @@
>  #include <linux/arm-smccc.h>
>  #include <linux/psci.h>
>  #include <linux/types.h>
> +#include <linux/cpu.h>
>  #include <asm/cpu.h>
>  #include <asm/cputype.h>
>  #include <asm/cpufeature.h>
> @@ -385,6 +386,9 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,
>  		return false;
>  	}
>  
> +	if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
> +		ssbd_state = ARM64_SSBD_FORCE_DISABLE;
> +
>  	switch (psci_ops.conduit) {
>  	case PSCI_CONDUIT_HVC:
>  		arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
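
Review bot: the new assignment overwrites `ssbd_state` unconditionally, so `cpu_spec_mitigations=off` wins even when `ssbd=` was given explicitly on the command line, whereas the x86 patch in this series applies the global option only when the individual option is absent. The `__kpti_forced = -1` assignment in the cpufeature.c hunk has the same effect for `kpti=`. Pick one precedence rule for all architectures and document it; if the individual option should win, apply the global value only when `ssbd=` was not parsed.
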
> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index 4061de10cea6..4512b582d50f 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c
> @@ -25,6 +25,7 @@
>  #include <linux/stop_machine.h>
>  #include <linux/types.h>
>  #include <linux/mm.h>
> +#include <linux/cpu.h>
>  #include <asm/cpu.h>
>  #include <asm/cpufeature.h>
>  #include <asm/cpu_ops.h>
> @@ -978,6 +979,11 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
>  		__kpti_forced = -1;
>  	}
>  
> +	if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF) {
> +		str = "cpu_spec_mitigations=off";

Might also be worth changing the initialisation of str, currently it is:

> 	char const *str = "command line option";

But now we have two command line options, perhaps "kpti command line
option".

Steve

> +		__kpti_forced = -1;
> +	}
> +
>  	/* Forced? */
>  	if (__kpti_forced) {
>  		pr_info_once("kernel page table isolation forced %s by %s\n",
> 



* Re: [PATCH RFC 5/5] arm64/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-05 14:39   ` Steven Price
@ 2019-04-05 14:43     ` Josh Poimboeuf
  0 siblings, 0 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-05 14:43 UTC (permalink / raw)
  To: Steven Price
  Cc: linux-kernel, Peter Zijlstra, Benjamin Herrenschmidt,
	Heiko Carstens, Paul Mackerras, H . Peter Anvin, Ingo Molnar,
	Andrea Arcangeli, linux-s390, Michael Ellerman, x86, Will Deacon,
	Linus Torvalds, Catalin Marinas, Waiman Long, linux-arch,
	Jon Masters, Jiri Kosina, Borislav Petkov, Andy Lutomirski,
	Thomas Gleixner, linux-arm-kernel, Greg Kroah-Hartman,
	Tyler Hicks, Martin Schwidefsky, linuxppc-dev

On Fri, Apr 05, 2019 at 03:39:58PM +0100, Steven Price wrote:
> On 04/04/2019 17:44, Josh Poimboeuf wrote:
> > Configure arm64 runtime CPU speculation bug mitigations in accordance
> > with the 'cpu_spec_mitigations=' cmdline options.  This affects
> > Meltdown and Speculative Store Bypass.
> > 
> > The default behavior is unchanged.
> > 
> > Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> > ---
> >  Documentation/admin-guide/kernel-parameters.txt | 2 ++
> >  arch/arm64/kernel/cpu_errata.c                  | 4 ++++
> >  arch/arm64/kernel/cpufeature.c                  | 6 ++++++
> >  3 files changed, 12 insertions(+)
> > 
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > index e838af96daa4..0b54385ee7a8 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -2553,11 +2553,13 @@
> >  			off
> >  				Disable all speculative CPU mitigations.
> >  				Equivalent to: nopti [x86, powerpc]
> > +					       kpti=0 [arm64]
> >  					       nospectre_v1 [powerpc]
> >  					       nospectre_v2 [x86, powerpc, s390]
> >  					       spectre_v2_user=off [x86]
> >  					       nobp=0 [s390]
> >  					       spec_store_bypass_disable=off [x86, powerpc]
> > +					       ssbd=force-off [arm64]
> >  					       l1tf=off [x86]
> >  
> >  			auto (default)
> > diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
> > index 9950bb0cbd52..db8d27e3fb1c 100644
> > --- a/arch/arm64/kernel/cpu_errata.c
> > +++ b/arch/arm64/kernel/cpu_errata.c
> > @@ -19,6 +19,7 @@
> >  #include <linux/arm-smccc.h>
> >  #include <linux/psci.h>
> >  #include <linux/types.h>
> > +#include <linux/cpu.h>
> >  #include <asm/cpu.h>
> >  #include <asm/cputype.h>
> >  #include <asm/cpufeature.h>
> > @@ -385,6 +386,9 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,
> >  		return false;
> >  	}
> >  
> > +	if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
> > +		ssbd_state = ARM64_SSBD_FORCE_DISABLE;
> > +
> >  	switch (psci_ops.conduit) {
> >  	case PSCI_CONDUIT_HVC:
> >  		arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
> > diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> > index 4061de10cea6..4512b582d50f 100644
> > --- a/arch/arm64/kernel/cpufeature.c
> > +++ b/arch/arm64/kernel/cpufeature.c
> > @@ -25,6 +25,7 @@
> >  #include <linux/stop_machine.h>
> >  #include <linux/types.h>
> >  #include <linux/mm.h>
> > +#include <linux/cpu.h>
> >  #include <asm/cpu.h>
> >  #include <asm/cpufeature.h>
> >  #include <asm/cpu_ops.h>
> > @@ -978,6 +979,11 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
> >  		__kpti_forced = -1;
> >  	}
> >  
> > +	if (cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF) {
> > +		str = "cpu_spec_mitigations=off";
> 
> Might also be worth changing the initialisation of str, currently it is:
> 
> > 	char const *str = "command line option";
> 
> But now we have two command line options, perhaps "kpti command line
> option".

Yes, agreed, thanks.

-- 
Josh


* Re: [PATCH RFC 5/5] arm64/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 ` [PATCH RFC 5/5] arm64/speculation: " Josh Poimboeuf
  2019-04-05 14:39   ` Steven Price
@ 2019-04-05 14:44   ` Will Deacon
  2019-04-05 16:03     ` Josh Poimboeuf
  1 sibling, 1 reply; 33+ messages in thread
From: Will Deacon @ 2019-04-05 14:44 UTC (permalink / raw)
  To: Josh Poimboeuf
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

Hi Josh,

On Thu, Apr 04, 2019 at 11:44:15AM -0500, Josh Poimboeuf wrote:
> Configure arm64 runtime CPU speculation bug mitigations in accordance
> with the 'cpu_spec_mitigations=' cmdline options.  This affects
> Meltdown and Speculative Store Bypass.
> 
> The default behavior is unchanged.
> 
> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> ---
>  Documentation/admin-guide/kernel-parameters.txt | 2 ++
>  arch/arm64/kernel/cpu_errata.c                  | 4 ++++
>  arch/arm64/kernel/cpufeature.c                  | 6 ++++++
>  3 files changed, 12 insertions(+)

Just wanted to make you aware that this is probably going to conflict badly
with some patches we have pending to hook up the sysfs entries:

http://lists.infradead.org/pipermail/linux-arm-kernel/2019-March/640326.html

That patch series isn't quite there yet, so I'm expecting a v7, but I think
it will change the shape of this patch quite a lot.

Will

* Re: [PATCH RFC 2/5] x86/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-05 13:57   ` Borislav Petkov
  2019-04-05 14:31     ` Josh Poimboeuf
@ 2019-04-05 15:18     ` Randy Dunlap
  2019-04-05 15:30       ` Josh Poimboeuf
  1 sibling, 1 reply; 33+ messages in thread
From: Randy Dunlap @ 2019-04-05 15:18 UTC (permalink / raw)
  To: Borislav Petkov, Josh Poimboeuf
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On 4/5/19 6:57 AM, Borislav Petkov wrote:
> On Thu, Apr 04, 2019 at 11:44:12AM -0500, Josh Poimboeuf wrote:
>> Configure x86 runtime CPU speculation bug mitigations in accordance with
>> the 'cpu_spec_mitigations=' cmdline options.  This affects Meltdown,
>> Spectre v2, Speculative Store Bypass, and L1TF.
>>
>> The default behavior is unchanged.
>>
>> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
>> ---
>>  .../admin-guide/kernel-parameters.txt         | 15 +++++++++
>>  arch/x86/include/asm/processor.h              |  1 +
>>  arch/x86/kernel/cpu/bugs.c                    | 32 ++++++++++++++++---
>>  arch/x86/kvm/vmx/vmx.c                        |  2 ++
>>  arch/x86/mm/pti.c                             |  4 ++-
>>  5 files changed, 49 insertions(+), 5 deletions(-)
>>
>> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
>> index ac42e510bd6e..29dc03971630 100644
>> --- a/Documentation/admin-guide/kernel-parameters.txt
>> +++ b/Documentation/admin-guide/kernel-parameters.txt
>> @@ -2552,6 +2552,11 @@
>>  
>>  			off
>>  				Disable all speculative CPU mitigations.
>> +				Equivalent to: nopti [x86]
>> +					       nospectre_v2 [x86]
>> +					       spectre_v2_user=off [x86]
>> +					       spec_store_bypass_disable=off [x86]
>> +					       l1tf=off [x86]
>>  
>>  			auto (default)
>>  				Mitigate all speculative CPU vulnerabilities,
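
Review bot: in the 'off' list the first two entries use the standalone
forms nopti and nospectre_v2, while the 'auto' and 'auto,nosmt' lists in
the next hunk use pti=auto and spectre_v2=auto.  Writing them as pti=off
and spectre_v2=off would let a reader compare the three sets entry by
entry.
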
>> @@ -2560,12 +2565,22 @@
>>  				surprised by SMT getting disabled across kernel
>>  				upgrades, or who have other ways of avoiding
>>  				SMT-based attacks.
>> +				Equivalent to: pti=auto [x86]
>> +					       spectre_v2=auto [x86]
>> +					       spectre_v2_user=auto [x86]
>> +					       spec_store_bypass_disable=auto [x86]
>> +					       l1tf=flush [x86]
>>  
>>  			auto,nosmt
>>  				Mitigate all speculative CPU vulnerabilities,
>>  				disabling SMT if needed.  This is for users who
>>  				always want to be fully mitigated, even if it
>>  				means losing SMT.
>> +				Equivalent to: pti=auto [x86]
>> +					       spectre_v2=auto [x86]
>> +					       spectre_v2_user=auto [x86]
>> +					       spec_store_bypass_disable=auto [x86]
>> +					       l1tf=flush,nosmt [x86]
>>  
>>  	mminit_loglevel=
>>  			[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
> 
> Yap, those sets look ok.

nit:  s/x86/X86/g
according to Documentation/admin-guide/kernel-parameters.rst


-- 
~Randy

* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-05 14:20     ` Josh Poimboeuf
@ 2019-04-05 15:20       ` Borislav Petkov
  2019-04-05 16:01         ` Borislav Petkov
  0 siblings, 1 reply; 33+ messages in thread
From: Borislav Petkov @ 2019-04-05 15:20 UTC (permalink / raw)
  To: Josh Poimboeuf
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Fri, Apr 05, 2019 at 09:20:48AM -0500, Josh Poimboeuf wrote:
> In your scenario, the fact that it's so easy to remember would save the
> day, since you wouldn't have to go look up some obscure shortened option
> name in the documentation :-)

No no, the idea is for the short option to be memorable.

> Suggestions are welcome but I couldn't come up with a reasonable shorter
> option.

Same here.

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.

* Re: [PATCH RFC 2/5] x86/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-05 14:31     ` Josh Poimboeuf
@ 2019-04-05 15:26       ` Borislav Petkov
  2019-04-05 16:05         ` Josh Poimboeuf
  0 siblings, 1 reply; 33+ messages in thread
From: Borislav Petkov @ 2019-04-05 15:26 UTC (permalink / raw)
  To: Josh Poimboeuf
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Fri, Apr 05, 2019 at 09:31:01AM -0500, Josh Poimboeuf wrote:
> My thinking was that the individual options could be used to override
> the global option.  But maybe that's overkill?  I dunno.

You mean if the user deliberately types:

"cpu_spec_mitigations=off spectre_v2=auto"

on the cmdline to turn off all and then enable only one?

Hmm, yap, sounds like an overkill to me. Then I'd probably do:

	pr_err("Make up your mind already!\n");
	return;

:-))

I'd say let's do the simpler and cleaner thing now and think about
supporting this overkill when it really turns out that it is needed.

> I assume you mean just the part where L1TF_MITIGATION_DEFAULT is added?

Yap.

Thx.

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.

* Re: [PATCH RFC 2/5] x86/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-05 15:18     ` Randy Dunlap
@ 2019-04-05 15:30       ` Josh Poimboeuf
  0 siblings, 0 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-05 15:30 UTC (permalink / raw)
  To: Randy Dunlap
  Cc: Borislav Petkov, linux-kernel, x86, Thomas Gleixner, Ingo Molnar,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, Will Deacon, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

On Fri, Apr 05, 2019 at 08:18:09AM -0700, Randy Dunlap wrote:
> On 4/5/19 6:57 AM, Borislav Petkov wrote:
> > On Thu, Apr 04, 2019 at 11:44:12AM -0500, Josh Poimboeuf wrote:
> >> Configure x86 runtime CPU speculation bug mitigations in accordance with
> >> the 'cpu_spec_mitigations=' cmdline options.  This affects Meltdown,
> >> Spectre v2, Speculative Store Bypass, and L1TF.
> >>
> >> The default behavior is unchanged.
> >>
> >> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> >> ---
> >>  .../admin-guide/kernel-parameters.txt         | 15 +++++++++
> >>  arch/x86/include/asm/processor.h              |  1 +
> >>  arch/x86/kernel/cpu/bugs.c                    | 32 ++++++++++++++++---
> >>  arch/x86/kvm/vmx/vmx.c                        |  2 ++
> >>  arch/x86/mm/pti.c                             |  4 ++-
> >>  5 files changed, 49 insertions(+), 5 deletions(-)
> >>
> >> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> >> index ac42e510bd6e..29dc03971630 100644
> >> --- a/Documentation/admin-guide/kernel-parameters.txt
> >> +++ b/Documentation/admin-guide/kernel-parameters.txt
> >> @@ -2552,6 +2552,11 @@
> >>  
> >>  			off
> >>  				Disable all speculative CPU mitigations.
> >> +				Equivalent to: nopti [x86]
> >> +					       nospectre_v2 [x86]
> >> +					       spectre_v2_user=off [x86]
> >> +					       spec_store_bypass_disable=off [x86]
> >> +					       l1tf=off [x86]
> >>  
> >>  			auto (default)
> >>  				Mitigate all speculative CPU vulnerabilities,
> >> @@ -2560,12 +2565,22 @@
> >>  				surprised by SMT getting disabled across kernel
> >>  				upgrades, or who have other ways of avoiding
> >>  				SMT-based attacks.
> >> +				Equivalent to: pti=auto [x86]
> >> +					       spectre_v2=auto [x86]
> >> +					       spectre_v2_user=auto [x86]
> >> +					       spec_store_bypass_disable=auto [x86]
> >> +					       l1tf=flush [x86]
> >>  
> >>  			auto,nosmt
> >>  				Mitigate all speculative CPU vulnerabilities,
> >>  				disabling SMT if needed.  This is for users who
> >>  				always want to be fully mitigated, even if it
> >>  				means losing SMT.
> >> +				Equivalent to: pti=auto [x86]
> >> +					       spectre_v2=auto [x86]
> >> +					       spectre_v2_user=auto [x86]
> >> +					       spec_store_bypass_disable=auto [x86]
> >> +					       l1tf=flush,nosmt [x86]
> >>  
> >>  	mminit_loglevel=
> >>  			[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
> > 
> > Yap, those sets look ok.
> 
> nit:  s/x86/X86/g
> according to Documentation/admin-guide/kernel-parameters.rst

Ah, I didn't realize I was conforming to a standard.  I will update the
other arch strings as well.  Thanks.

-- 
Josh

* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-05 15:20       ` Borislav Petkov
@ 2019-04-05 16:01         ` Borislav Petkov
  2019-04-05 16:18           ` Josh Poimboeuf
  0 siblings, 1 reply; 33+ messages in thread
From: Borislav Petkov @ 2019-04-05 16:01 UTC (permalink / raw)
  To: Josh Poimboeuf
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

Thinking about this more, we can shave off the first 4 chars and have it
be:

spec_mitigations=

I think it is painfully clear which speculation mitigations we mean. And
the other switches don't have "cpu_" prefixes too so...

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.

* Re: [PATCH RFC 5/5] arm64/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-05 14:44   ` Will Deacon
@ 2019-04-05 16:03     ` Josh Poimboeuf
  0 siblings, 0 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-05 16:03 UTC (permalink / raw)
  To: Will Deacon
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Martin Schwidefsky, Heiko Carstens, linux-s390,
	Catalin Marinas, linux-arm-kernel, linux-arch,
	Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

On Fri, Apr 05, 2019 at 03:44:14PM +0100, Will Deacon wrote:
> Hi Josh,
> 
> On Thu, Apr 04, 2019 at 11:44:15AM -0500, Josh Poimboeuf wrote:
> > Configure arm64 runtime CPU speculation bug mitigations in accordance
> > with the 'cpu_spec_mitigations=' cmdline options.  This affects
> > Meltdown and Speculative Store Bypass.
> > 
> > The default behavior is unchanged.
> > 
> > Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> > ---
> >  Documentation/admin-guide/kernel-parameters.txt | 2 ++
> >  arch/arm64/kernel/cpu_errata.c                  | 4 ++++
> >  arch/arm64/kernel/cpufeature.c                  | 6 ++++++
> >  3 files changed, 12 insertions(+)
> 
> Just wanted to make you aware that this is probably going to conflict badly
> with some patches we have pending to hook up the sysfs entries:
> 
> http://lists.infradead.org/pipermail/linux-arm-kernel/2019-March/640326.html
> 
> That patch series isn't quite there yet, so I'm expecting a v7, but I think
> it will change the shape of this patch quite a lot.

Thanks for the heads up Will.  I will drop the arm64 patch for now then.

-- 
Josh

* Re: [PATCH RFC 2/5] x86/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-05 15:26       ` Borislav Petkov
@ 2019-04-05 16:05         ` Josh Poimboeuf
  0 siblings, 0 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-05 16:05 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Fri, Apr 05, 2019 at 05:26:50PM +0200, Borislav Petkov wrote:
> On Fri, Apr 05, 2019 at 09:31:01AM -0500, Josh Poimboeuf wrote:
> > My thinking was that the individual options could be used to override
> > the global option.  But maybe that's overkill?  I dunno.
> 
> You mean if the user deliberately types:
> 
> "cpu_spec_mitigations=off spectre_v2=auto"
> 
> on the cmdline to turn off all and then enable only one?
> 
> Hmm, yap, sounds like an overkill to me. Then I'd probably do:
> 
> 	pr_err("Make up your mind already!\n");
> 	return;
> 
> :-))
> 
> I'd say let's do the simpler and cleaner thing now and think about
> supporting this overkill when it really turns out that it is needed.

Fair enough.

> > I assume you mean just the part where L1TF_MITIGATION_DEFAULT is added?
> 
> Yap.

Ok.

-- 
Josh

* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-05 16:01         ` Borislav Petkov
@ 2019-04-05 16:18           ` Josh Poimboeuf
  2019-04-10  5:48             ` Michael Ellerman
  0 siblings, 1 reply; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-05 16:18 UTC (permalink / raw)
  To: Borislav Petkov
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, Michael Ellerman, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Fri, Apr 05, 2019 at 06:01:36PM +0200, Borislav Petkov wrote:
> Thinking about this more, we can shave off the first 4 chars and have it
> be:
> 
> spec_mitigations=
> 
> I think it is painfully clear which speculation mitigations we mean. And
> the other switches don't have "cpu_" prefixes too so...

Sure, I'm ok with renaming it to that, if there are no objections.

-- 
Josh

* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-05 16:18           ` Josh Poimboeuf
@ 2019-04-10  5:48             ` Michael Ellerman
  2019-04-10  8:30               ` Borislav Petkov
  2019-04-10 12:10               ` Thomas Gleixner
  0 siblings, 2 replies; 33+ messages in thread
From: Michael Ellerman @ 2019-04-10  5:48 UTC (permalink / raw)
  To: Josh Poimboeuf, Borislav Petkov
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, linuxppc-dev, Martin Schwidefsky, Heiko Carstens,
	linux-s390, Catalin Marinas, Will Deacon, linux-arm-kernel,
	linux-arch, Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

Josh Poimboeuf <jpoimboe@redhat.com> writes:

> On Fri, Apr 05, 2019 at 06:01:36PM +0200, Borislav Petkov wrote:
>> Thinking about this more, we can shave off the first 4 chars and have it
>> be:
>> 
>> spec_mitigations=
>> 
>> I think it is painfully clear which speculation mitigations we mean. And
>> the other switches don't have "cpu_" prefixes too so...
>
> Sure, I'm ok with renaming it to that, if there are no objections.

What about when we have a mitigation for a non-speculation related bug :)

mitigations=xxx

?

cheers

* Re: [PATCH RFC 3/5] powerpc/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-04 16:44 ` [PATCH RFC 3/5] powerpc/speculation: " Josh Poimboeuf
  2019-04-04 19:49   ` Jiri Kosina
@ 2019-04-10  6:06   ` Michael Ellerman
  2019-04-11  4:02     ` Josh Poimboeuf
  1 sibling, 1 reply; 33+ messages in thread
From: Michael Ellerman @ 2019-04-10  6:06 UTC (permalink / raw)
  To: Josh Poimboeuf, linux-kernel
  Cc: x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

Josh Poimboeuf <jpoimboe@redhat.com> writes:
> Configure powerpc CPU runtime speculation bug mitigations in accordance
> with the 'cpu_spec_mitigations=' cmdline options.  This affects
> Meltdown, Spectre v1, Spectre v2, and Speculative Store Bypass.
>
> The default behavior is unchanged.
>
> Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> ---
>  Documentation/admin-guide/kernel-parameters.txt | 9 +++++----
>  arch/powerpc/kernel/security.c                  | 6 +++---
>  arch/powerpc/kernel/setup_64.c                  | 2 +-
>  3 files changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 29dc03971630..0e8eae1e8a25 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2552,10 +2552,11 @@
>  
>  			off
>  				Disable all speculative CPU mitigations.
> -				Equivalent to: nopti [x86]
> +				Equivalent to: nopti [x86, powerpc]
> +					       nospectre_v1 [powerpc]
>  					       nospectre_v2 [x86]

Not sure if you meant to omit powerpc from nospectre_v2?

You have patched it in the code below.

>  					       spectre_v2_user=off [x86]
> -					       spec_store_bypass_disable=off [x86]
> +					       spec_store_bypass_disable=off [x86, powerpc]
>  					       l1tf=off [x86]
>  
>  			auto (default)
> @@ -2568,7 +2569,7 @@
>  				Equivalent to: pti=auto [x86]
>  					       spectre_v2=auto [x86]
>  					       spectre_v2_user=auto [x86]
> -					       spec_store_bypass_disable=auto [x86]
> +					       spec_store_bypass_disable=auto [x86, powerpc]
>  					       l1tf=flush [x86]
>  
>  			auto,nosmt
> @@ -2579,7 +2580,7 @@
>  				Equivalent to: pti=auto [x86]
>  					       spectre_v2=auto [x86]
>  					       spectre_v2_user=auto [x86]
> -					       spec_store_bypass_disable=auto [x86]
> +					       spec_store_bypass_disable=auto [x86, powerpc]
>  					       l1tf=flush,nosmt [x86]
>  
>  	mminit_loglevel=
> diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
> index b33bafb8fcea..5aed4ad729ba 100644
> --- a/arch/powerpc/kernel/security.c
> +++ b/arch/powerpc/kernel/security.c
> @@ -57,7 +57,7 @@ void setup_barrier_nospec(void)
>  	enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
>  		 security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);
>  
> -	if (!no_nospec)
> +	if (!no_nospec && cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)
>  		enable_barrier_nospec(enable);

Adding a wrapper func that checks for CPU_SPEC_MITIGATIONS_OFF would
make these a little less verbose, eg:

	if (!no_nospec && !cpu_spec_mitigations_off())
  		enable_barrier_nospec(enable);

But that's a nitpick.

> @@ -116,7 +116,7 @@ static int __init handle_nospectre_v2(char *p)
>  early_param("nospectre_v2", handle_nospectre_v2);
>  void setup_spectre_v2(void)
>  {
> -	if (no_spectrev2)
> +	if (no_spectrev2 || cpu_spec_mitigations == CPU_SPEC_MITIGATIONS_OFF)
>  		do_btb_flush_fixups();
>  	else
>  		btb_flush_enabled = true;
> @@ -300,7 +300,7 @@ void setup_stf_barrier(void)
>  
>  	stf_enabled_flush_types = type;
>  
> -	if (!no_stf_barrier)
> +	if (!no_stf_barrier && cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)
>  		stf_barrier_enable(enable);
>  }
>  
> diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
> index ba404dd9ce1d..d9d796a66a79 100644
> --- a/arch/powerpc/kernel/setup_64.c
> +++ b/arch/powerpc/kernel/setup_64.c
> @@ -932,7 +932,7 @@ void setup_rfi_flush(enum l1d_flush_type types, bool enable)
>  
>  	enabled_flush_types = types;
>  
> -	if (!no_rfi_flush)
> +	if (!no_rfi_flush || cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)
>  		rfi_flush_enable(enable);
>  }
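
Review bot: the new condition in setup_rfi_flush() joins its two tests
with '||', so it is true whenever either no_rfi_flush is unset or the
global option is not 'off'.  Booting with cpu_spec_mitigations=off alone
still reaches rfi_flush_enable(enable), and no_rfi_flush on its own no
longer suppresses the call, which changes the behavior of an existing
option.  The setup_barrier_nospec() and setup_stf_barrier() hunks in
security.c use '&&' for the same pattern; this one should read
"if (!no_rfi_flush && cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)".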

LGTM.

Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)

cheers

* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-10  5:48             ` Michael Ellerman
@ 2019-04-10  8:30               ` Borislav Petkov
  2019-04-10 12:10               ` Thomas Gleixner
  1 sibling, 0 replies; 33+ messages in thread
From: Borislav Petkov @ 2019-04-10  8:30 UTC (permalink / raw)
  To: Michael Ellerman
  Cc: Josh Poimboeuf, linux-kernel, x86, Thomas Gleixner, Ingo Molnar,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Wed, Apr 10, 2019 at 03:48:48PM +1000, Michael Ellerman wrote:
> What about when we have a mitigation for a non-speculation related bug :)

Like that is *ever* going to happen... :-P

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.

* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-10  5:48             ` Michael Ellerman
  2019-04-10  8:30               ` Borislav Petkov
@ 2019-04-10 12:10               ` Thomas Gleixner
  2019-04-11 13:15                 ` Josh Poimboeuf
  2019-04-12  2:29                 ` Michael Ellerman
  1 sibling, 2 replies; 33+ messages in thread
From: Thomas Gleixner @ 2019-04-10 12:10 UTC (permalink / raw)
  To: Michael Ellerman
  Cc: Josh Poimboeuf, Borislav Petkov, linux-kernel, x86, Ingo Molnar,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Wed, 10 Apr 2019, Michael Ellerman wrote:
> Josh Poimboeuf <jpoimboe@redhat.com> writes:
> 
> > On Fri, Apr 05, 2019 at 06:01:36PM +0200, Borislav Petkov wrote:
> >> Thinking about this more, we can shave off the first 4 chars and have it
> >> be:
> >> 
> >> spec_mitigations=
> >> 
> >> I think it is painfully clear which speculation mitigations we mean. And
> >> the other switches don't have "cpu_" prefixes too so...
> >
> > Sure, I'm ok with renaming it to that, if there are no objections.
> 
> What about when we have a mitigation for a non-speculation related bug :)

Those kind of silicon bugs are usually mitigated unconditionally.

Thanks,

	tglx

* Re: [PATCH RFC 3/5] powerpc/speculation: Add support for 'cpu_spec_mitigations=' cmdline options
  2019-04-10  6:06   ` Michael Ellerman
@ 2019-04-11  4:02     ` Josh Poimboeuf
  0 siblings, 0 replies; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-11  4:02 UTC (permalink / raw)
  To: Michael Ellerman
  Cc: linux-kernel, x86, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Wed, Apr 10, 2019 at 04:06:50PM +1000, Michael Ellerman wrote:
> Josh Poimboeuf <jpoimboe@redhat.com> writes:
> > Configure powerpc CPU runtime speculation bug mitigations in accordance
> > with the 'cpu_spec_mitigations=' cmdline options.  This affects
> > Meltdown, Spectre v1, Spectre v2, and Speculative Store Bypass.
> >
> > The default behavior is unchanged.
> >
> > Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
> > ---
> >  Documentation/admin-guide/kernel-parameters.txt | 9 +++++----
> >  arch/powerpc/kernel/security.c                  | 6 +++---
> >  arch/powerpc/kernel/setup_64.c                  | 2 +-
> >  3 files changed, 9 insertions(+), 8 deletions(-)
> >
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > index 29dc03971630..0e8eae1e8a25 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -2552,10 +2552,11 @@
> >  
> >  			off
> >  				Disable all speculative CPU mitigations.
> > -				Equivalent to: nopti [x86]
> > +				Equivalent to: nopti [x86, powerpc]
> > +					       nospectre_v1 [powerpc]
> >  					       nospectre_v2 [x86]
> 
> Not sure if you meant to omit powerpc from nospectre_v2?
> 
> You have patched it in the code below.

Oops.  I'll update the documentation.

> >  					       spectre_v2_user=off [x86]
> > -					       spec_store_bypass_disable=off [x86]
> > +					       spec_store_bypass_disable=off [x86, powerpc]
> >  					       l1tf=off [x86]
> >  
> >  			auto (default)
> > @@ -2568,7 +2569,7 @@
> >  				Equivalent to: pti=auto [x86]
> >  					       spectre_v2=auto [x86]
> >  					       spectre_v2_user=auto [x86]
> > -					       spec_store_bypass_disable=auto [x86]
> > +					       spec_store_bypass_disable=auto [x86, powerpc]
> >  					       l1tf=flush [x86]
> >  
> >  			auto,nosmt
> > @@ -2579,7 +2580,7 @@
> >  				Equivalent to: pti=auto [x86]
> >  					       spectre_v2=auto [x86]
> >  					       spectre_v2_user=auto [x86]
> > -					       spec_store_bypass_disable=auto [x86]
> > +					       spec_store_bypass_disable=auto [x86, powerpc]
> >  					       l1tf=flush,nosmt [x86]
> >  
> >  	mminit_loglevel=
> > diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
> > index b33bafb8fcea..5aed4ad729ba 100644
> > --- a/arch/powerpc/kernel/security.c
> > +++ b/arch/powerpc/kernel/security.c
> > @@ -57,7 +57,7 @@ void setup_barrier_nospec(void)
> >  	enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
> >  		 security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);
> >  
> > -	if (!no_nospec)
> > +	if (!no_nospec && cpu_spec_mitigations != CPU_SPEC_MITIGATIONS_OFF)
> >  		enable_barrier_nospec(enable);
> 
> Adding a wrapper func that checks for CPU_SPEC_MITIGATIONS_OFF would
> make these a little less verbose, eg:
> 
> 	if (!no_nospec && !cpu_spec_mitigations_off())
>   		enable_barrier_nospec(enable);
> 
> But that's a nitpick.

Yes, that would be much nicer.  I'll probably do something like that in
the next version.  Thanks.

-- 
Josh

* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-10 12:10               ` Thomas Gleixner
@ 2019-04-11 13:15                 ` Josh Poimboeuf
  2019-04-12  2:41                   ` Michael Ellerman
  2019-04-12  2:29                 ` Michael Ellerman
  1 sibling, 1 reply; 33+ messages in thread
From: Josh Poimboeuf @ 2019-04-11 13:15 UTC (permalink / raw)
  To: Thomas Gleixner
  Cc: Michael Ellerman, Borislav Petkov, linux-kernel, x86,
	Ingo Molnar, H . Peter Anvin, Andy Lutomirski, Peter Zijlstra,
	Jiri Kosina, Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

On Wed, Apr 10, 2019 at 02:10:01PM +0200, Thomas Gleixner wrote:
> On Wed, 10 Apr 2019, Michael Ellerman wrote:
> > Josh Poimboeuf <jpoimboe@redhat.com> writes:
> > 
> > > On Fri, Apr 05, 2019 at 06:01:36PM +0200, Borislav Petkov wrote:
> > >> Thinking about this more, we can shave off the first 4 chars and have it
> > >> be:
> > >> 
> > >> spec_mitigations=
> > >> 
> > >> I think it is painfully clear which speculation mitigations we mean. And
> > >> the other switches don't have "cpu_" prefixes too so...
> > >
> > > Sure, I'm ok with renaming it to that, if there are no objections.
> > 
> > What about when we have a mitigation for a non-speculation related bug :)
> 
> Those kind of silicon bugs are usually mitigated unconditionally.

Right.

But at least "mitigations=" is nice and short.  We could clarify in the
documentation that it doesn't apply to *all* mitigations, only the ones
which are optional and which can affect performance.

And it would give us the freedom to include any future "optional"
mitigations, spec or not.

I kind of like it.  But I could go either way.

-- 
Josh

* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-10 12:10               ` Thomas Gleixner
  2019-04-11 13:15                 ` Josh Poimboeuf
@ 2019-04-12  2:29                 ` Michael Ellerman
  1 sibling, 0 replies; 33+ messages in thread
From: Michael Ellerman @ 2019-04-12  2:29 UTC (permalink / raw)
  To: Thomas Gleixner
  Cc: Josh Poimboeuf, Borislav Petkov, linux-kernel, x86, Ingo Molnar,
	H . Peter Anvin, Andy Lutomirski, Peter Zijlstra, Jiri Kosina,
	Waiman Long, Andrea Arcangeli, Jon Masters,
	Benjamin Herrenschmidt, Paul Mackerras, linuxppc-dev,
	Martin Schwidefsky, Heiko Carstens, linux-s390, Catalin Marinas,
	Will Deacon, linux-arm-kernel, linux-arch, Greg Kroah-Hartman,
	Tyler Hicks, Linus Torvalds

Thomas Gleixner <tglx@linutronix.de> writes:
> On Wed, 10 Apr 2019, Michael Ellerman wrote:
>> Josh Poimboeuf <jpoimboe@redhat.com> writes:
>> 
>> > On Fri, Apr 05, 2019 at 06:01:36PM +0200, Borislav Petkov wrote:
>> >> Thinking about this more, we can shave off the first 4 chars and have it
>> >> be:
>> >> 
>> >> spec_mitigations=
>> >> 
>> >> I think it is painfully clear which speculation mitigations we mean. And
>> >> the other switches don't have "cpu_" prefixes either so...
>> >
>> > Sure, I'm ok with renaming it to that, if there are no objections.
>> 
>> What about when we have a mitigation for a non-speculation related bug :)
>
> Those kinds of silicon bugs are usually mitigated unconditionally.

I guess that's true, usually :)

cheers

* Re: [PATCH RFC 1/5] cpu/speculation: Add 'cpu_spec_mitigations=' cmdline options
  2019-04-11 13:15                 ` Josh Poimboeuf
@ 2019-04-12  2:41                   ` Michael Ellerman
  0 siblings, 0 replies; 33+ messages in thread
From: Michael Ellerman @ 2019-04-12  2:41 UTC (permalink / raw)
  To: Josh Poimboeuf, Thomas Gleixner
  Cc: Borislav Petkov, linux-kernel, x86, Ingo Molnar, H . Peter Anvin,
	Andy Lutomirski, Peter Zijlstra, Jiri Kosina, Waiman Long,
	Andrea Arcangeli, Jon Masters, Benjamin Herrenschmidt,
	Paul Mackerras, linuxppc-dev, Martin Schwidefsky, Heiko Carstens,
	linux-s390, Catalin Marinas, Will Deacon, linux-arm-kernel,
	linux-arch, Greg Kroah-Hartman, Tyler Hicks, Linus Torvalds

Josh Poimboeuf <jpoimboe@redhat.com> writes:
> On Wed, Apr 10, 2019 at 02:10:01PM +0200, Thomas Gleixner wrote:
>> On Wed, 10 Apr 2019, Michael Ellerman wrote:
>> > Josh Poimboeuf <jpoimboe@redhat.com> writes:
>> > 
>> > > On Fri, Apr 05, 2019 at 06:01:36PM +0200, Borislav Petkov wrote:
>> > >> Thinking about this more, we can shave off the first 4 chars and have it
>> > >> be:
>> > >> 
>> > >> spec_mitigations=
>> > >> 
>> > >> I think it is painfully clear which speculation mitigations we mean. And
>> > >> the other switches don't have "cpu_" prefixes either so...
>> > >
>> > > Sure, I'm ok with renaming it to that, if there are no objections.
>> > 
>> > What about when we have a mitigation for a non-speculation related bug :)
>> 
>> Those kinds of silicon bugs are usually mitigated unconditionally.
>
> Right.
>
> But at least "mitigations=" is nice and short.  We could clarify in the
> documentation that it doesn't apply to *all* mitigations, only the ones
> which are optional and which can affect performance.
>
> And it would give us the freedom to include any future "optional"
> mitigations, spec or not.
>
> I kind of like it.  But I could go either way.

Some of the published SMT attacks are not speculation based.

And arguably we already have an optional mitigation for those, ie. nosmt.

cheers
