OpenCloudOS-Kernel/arch/powerpc/kernel/security.c

// SPDX-License-Identifier: GPL-2.0+
//
// Security related flags and so on.
//
// Copyright 2018, Michael Ellerman, IBM Corporation.

#include <linux/kernel.h>
#include <linux/device.h>
#include <linux/seq_buf.h>

#include <asm/security_features.h>
#include <asm/setup.h>


unsigned long powerpc_security_features __read_mostly = SEC_FTR_DEFAULT;

static bool barrier_nospec_enabled;

static void enable_barrier_nospec(bool enable)
{
	barrier_nospec_enabled = enable;
	do_barrier_nospec_fixups(enable);
}

ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
{
	bool thread_priv;

	thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV);

	if (rfi_flush || thread_priv) {
		struct seq_buf s;
		seq_buf_init(&s, buf, PAGE_SIZE - 1);

		seq_buf_printf(&s, "Mitigation: ");

		if (rfi_flush)
			seq_buf_printf(&s, "RFI Flush");

		if (rfi_flush && thread_priv)
			seq_buf_printf(&s, ", ");

		if (thread_priv)
			seq_buf_printf(&s, "L1D private per thread");

		seq_buf_printf(&s, "\n");

		return s.len;
	}

	if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
	    !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
		return sprintf(buf, "Not affected\n");

	return sprintf(buf, "Vulnerable\n");
}

ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
{
	if (!security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR))
		return sprintf(buf, "Not affected\n");

	return sprintf(buf, "Vulnerable\n");
}

ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
{
	bool bcs, ccd, ori;
	struct seq_buf s;

	seq_buf_init(&s, buf, PAGE_SIZE - 1);

	bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
	ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
	ori = security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31);

	if (bcs || ccd) {
		seq_buf_printf(&s, "Mitigation: ");

		if (bcs)
			seq_buf_printf(&s, "Indirect branch serialisation (kernel only)");

		if (bcs && ccd)
			seq_buf_printf(&s, ", ");

		if (ccd)
			seq_buf_printf(&s, "Indirect branch cache disabled");
	} else
		seq_buf_printf(&s, "Vulnerable");

	if (ori)
		seq_buf_printf(&s, ", ori31 speculation barrier enabled");

	seq_buf_printf(&s, "\n");

	return s.len;
}
powerpc: Add security feature flags for Spectre/Meltdown This commit adds security feature flags to reflect the settings we receive from firmware regarding Spectre/Meltdown mitigations. The feature names reflect the names we are given by firmware on bare metal machines. See the hostboot source for details. Arguably these could be firmware features, but that then requires them to be read early in boot so they're available prior to asm feature patching, but we don't actually want to use them for patching. We may also want to dynamically update them in future, which would be incompatible with the way firmware features work (at the moment at least). So for now just make them separate flags. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:44 +08:00			`// SPDX-License-Identifier: GPL-2.0+`
			`//`
			`// Security related flags and so on.`
			`//`
			`// Copyright 2018, Michael Ellerman, IBM Corporation.`

			`#include <linux/kernel.h>`
powerpc/64s: Move cpu_show_meltdown() This landed in setup_64.c for no good reason other than we had nowhere else to put it. Now that we have a security-related file, that is a better place for it so move it. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:48 +08:00			`#include <linux/device.h>`
powerpc/64s: Enhance the information in cpu_show_meltdown() Now that we have the security feature flags we can make the information displayed in the "meltdown" file more informative. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:49 +08:00			`#include <linux/seq_buf.h>`
powerpc/64s: Move cpu_show_meltdown() This landed in setup_64.c for no good reason other than we had nowhere else to put it. Now that we have a security-related file, that is a better place for it so move it. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:48 +08:00
powerpc: Add security feature flags for Spectre/Meltdown This commit adds security feature flags to reflect the settings we receive from firmware regarding Spectre/Meltdown mitigations. The feature names reflect the names we are given by firmware on bare metal machines. See the hostboot source for details. Arguably these could be firmware features, but that then requires them to be read early in boot so they're available prior to asm feature patching, but we don't actually want to use them for patching. We may also want to dynamically update them in future, which would be incompatible with the way firmware features work (at the moment at least). So for now just make them separate flags. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:44 +08:00			`#include <asm/security_features.h>`
powerpc/64s: Add support for ori barrier_nospec patching Based on the RFI patching. This is required to be able to disable the speculation barrier. Only one barrier type is supported and it does nothing when the firmware does not enable it. Also re-patching modules is not supported So the only meaningful thing that can be done is patching out the speculation barrier at boot when the user says it is not wanted. Signed-off-by: Michal Suchanek <msuchanek@suse.de> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-04-24 12:15:55 +08:00			`#include <asm/setup.h>`
powerpc: Add security feature flags for Spectre/Meltdown This commit adds security feature flags to reflect the settings we receive from firmware regarding Spectre/Meltdown mitigations. The feature names reflect the names we are given by firmware on bare metal machines. See the hostboot source for details. Arguably these could be firmware features, but that then requires them to be read early in boot so they're available prior to asm feature patching, but we don't actually want to use them for patching. We may also want to dynamically update them in future, which would be incompatible with the way firmware features work (at the moment at least). So for now just make them separate flags. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:44 +08:00

powerpc: Move default security feature flags This moves the definition of the default security feature flags (i.e., enabled by default) closer to the security feature flags. This can be used to restore current flags to the default flags. Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-31 01:28:24 +08:00			`unsigned long powerpc_security_features __read_mostly = SEC_FTR_DEFAULT;`
powerpc/64s: Move cpu_show_meltdown() This landed in setup_64.c for no good reason other than we had nowhere else to put it. Now that we have a security-related file, that is a better place for it so move it. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:48 +08:00
powerpc/64s: Add support for ori barrier_nospec patching Based on the RFI patching. This is required to be able to disable the speculation barrier. Only one barrier type is supported and it does nothing when the firmware does not enable it. Also re-patching modules is not supported So the only meaningful thing that can be done is patching out the speculation barrier at boot when the user says it is not wanted. Signed-off-by: Michal Suchanek <msuchanek@suse.de> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-04-24 12:15:55 +08:00			`static bool barrier_nospec_enabled;`

			`static void enable_barrier_nospec(bool enable)`
			`{`
			`barrier_nospec_enabled = enable;`
			`do_barrier_nospec_fixups(enable);`
			`}`

powerpc/64s: Move cpu_show_meltdown() This landed in setup_64.c for no good reason other than we had nowhere else to put it. Now that we have a security-related file, that is a better place for it so move it. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:48 +08:00			`ssize_t cpu_show_meltdown(struct device dev, struct device_attribute attr, char *buf)`
			`{`
powerpc/64s: Enhance the information in cpu_show_meltdown() Now that we have the security feature flags we can make the information displayed in the "meltdown" file more informative. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:49 +08:00			`bool thread_priv;`

			`thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV);`

			`if (rfi_flush \|\| thread_priv) {`
			`struct seq_buf s;`
			`seq_buf_init(&s, buf, PAGE_SIZE - 1);`

			`seq_buf_printf(&s, "Mitigation: ");`

			`if (rfi_flush)`
			`seq_buf_printf(&s, "RFI Flush");`

			`if (rfi_flush && thread_priv)`
			`seq_buf_printf(&s, ", ");`

			`if (thread_priv)`
			`seq_buf_printf(&s, "L1D private per thread");`

			`seq_buf_printf(&s, "\n");`

			`return s.len;`
			`}`

			`if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&`
			`!security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))`
			`return sprintf(buf, "Not affected\n");`
powerpc/64s: Move cpu_show_meltdown() This landed in setup_64.c for no good reason other than we had nowhere else to put it. Now that we have a security-related file, that is a better place for it so move it. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:48 +08:00
			`return sprintf(buf, "Vulnerable\n");`
			`}`
powerpc/64s: Wire up cpu_show_spectre_v1() Add a definition for cpu_show_spectre_v1() to override the generic version. Currently this just prints "Not affected" or "Vulnerable" based on the firmware flag. Although the kernel does have array_index_nospec() in a few places, we haven't yet audited all the powerpc code to see where it's necessary, so for now we don't list that as a mitigation. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:52 +08:00
			`ssize_t cpu_show_spectre_v1(struct device dev, struct device_attribute attr, char *buf)`
			`{`
			`if (!security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR))`
			`return sprintf(buf, "Not affected\n");`

			`return sprintf(buf, "Vulnerable\n");`
			`}`
powerpc/64s: Wire up cpu_show_spectre_v2() Add a definition for cpu_show_spectre_v2() to override the generic version. This has several permuations, though in practice some may not occur we cater for any combination. The most verbose is: Mitigation: Indirect branch serialisation (kernel only), Indirect branch cache disabled, ori31 speculation barrier enabled We don't treat the ori31 speculation barrier as a mitigation on its own, because it has to be used by code in order to be a mitigation and we don't know if userspace is doing that. So if that's all we see we say: Vulnerable, ori31 speculation barrier enabled Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> 2018-03-27 20:01:53 +08:00
			`ssize_t cpu_show_spectre_v2(struct device dev, struct device_attribute attr, char *buf)`
			`{`
			`bool bcs, ccd, ori;`
			`struct seq_buf s;`

			`seq_buf_init(&s, buf, PAGE_SIZE - 1);`

			`bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);`
			`ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);`
			`ori = security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31);`

			`if (bcs \|\| ccd) {`
			`seq_buf_printf(&s, "Mitigation: ");`

			`if (bcs)`
			`seq_buf_printf(&s, "Indirect branch serialisation (kernel only)");`

			`if (bcs && ccd)`
			`seq_buf_printf(&s, ", ");`

			`if (ccd)`
			`seq_buf_printf(&s, "Indirect branch cache disabled");`
			`} else`
			`seq_buf_printf(&s, "Vulnerable");`

			`if (ori)`
			`seq_buf_printf(&s, ", ori31 speculation barrier enabled");`

			`seq_buf_printf(&s, "\n");`

			`return s.len;`
			`}`