From patchwork Mon May 3 13:02:40 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicholas Piggin X-Patchwork-Id: 1473186 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=112.213.38.117; helo=lists.ozlabs.org; envelope-from=linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=r/TQBZvc; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FYjpQ33VFz9sWk for ; Mon, 3 May 2021 23:03:42 +1000 (AEST) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4FYjpQ2mPwz3bnM for ; Mon, 3 May 2021 23:03:42 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=r/TQBZvc; dkim-atps=neutral X-Original-To: linuxppc-dev@lists.ozlabs.org Delivered-To: linuxppc-dev@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::434; helo=mail-pf1-x434.google.com; envelope-from=npiggin@gmail.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=r/TQBZvc; dkim-atps=neutral Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4FYjnX0tBqz2xZS for ; Mon, 3 May 2021 23:02:54 +1000 (AEST) Received: by mail-pf1-x434.google.com with SMTP id v191so4031070pfc.8 for ; Mon, 03 May 2021 06:02:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=7U/Bo9+3wof6VuFTXdCACGU/D8iEr1wLRCC9uuwzsF8=; b=r/TQBZvco86GOC7/tu4dHB9hmu6lXVjwQPo7cnRWg4h3reI6eTK7gr4KARp+L70uQ4 DBsNG6yJlS1YktjfCVPOy7ntXQ6hzZfSvDpzlwMK4EkD7ccAeCRsMTaAqLdl2LLAYxkX VmJ0gk/D5fqJ32l6Hkz27Rc9olsj7FUmiMh0CWCrhTm3H6YUgqf3+kElQA1cGTUByrEg 6TmyGHfMbpUY2fzp2wA3nG/Mlp1zVPHGuTOTf7OKo28FBh/P0pSrQ5+ZcosNvBQQ5RWE bzJXFtiuaGa0W7IxPV4gG6xiZgatb1I4tm2E2NuIAQ8U2CRwZ4c+NEp1HJg5P+0Axx2z aOCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=7U/Bo9+3wof6VuFTXdCACGU/D8iEr1wLRCC9uuwzsF8=; b=fifuvsmEJ3VL8mxd+uj57et7mnAg0M/5Lyr3KtHWMAMAKFTB/CH8SiNTVS7FEHKQjM SqohKvtwOuqEUseKFg2Dn2U6zIBm5AcUtILd4+djHxnlHV+akH+DAztzKhXyu2DJJA7U Msg4mnH7iR86aTriWjvJmFvVb31hrafEdItziCAMY0XbI8ao8jVUEqVGss17L+rSGR2k dj3yXzEDdfm/Muf4lQt8nqkcgQoNsiLB83OjmT43h0y+PXTq4Cfi3vxNgkjA+CuiT2mg pw8NI0i4R90/XYwZMdTrNXRP1CA7drohfb+uYSgqBiB+KVtrJuKcgNdW/LCDlQEH9MgS 86wg== X-Gm-Message-State: AOAM530XYFwh9UQkvCGHJ2OojnT6ng/vY68Ci7nSppTAtuUltbfQlJTi Td0+aMpkwAAZPkvsUeO3RnlKD0AWE+M= X-Google-Smtp-Source: ABdhPJyHbmGNt5TO4d+GxikWsWl5BP2ZjIGunIYy/m97w/XYhFzIGNxZXK8t/1CIVVuwossQhUv57Q== X-Received: by 2002:a62:3344:0:b029:28c:6f0f:cb90 with SMTP id z65-20020a6233440000b029028c6f0fcb90mr16697167pfz.58.1620046971668; Mon, 03 May 2021 06:02:51 -0700 (PDT) Received: from bobo.ibm.com ([61.68.127.20]) by smtp.gmail.com with ESMTPSA id f1sm18069053pjt.50.2021.05.03.06.02.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 May 2021 06:02:50 -0700 (PDT) From: Nicholas Piggin To: linuxppc-dev@lists.ozlabs.org Subject: [PATCH 1/4] powerpc/pseries: Get entry and uaccess flush required bits from H_GET_CPU_CHARACTERISTICS Date: Mon, 3 May 2021 23:02:40 +1000 Message-Id: <20210503130243.891868-2-npiggin@gmail.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20210503130243.891868-1-npiggin@gmail.com> References: <20210503130243.891868-1-npiggin@gmail.com> MIME-Version: 1.0 X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Nicholas Piggin Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" This allows the hypervisor / firmware to describe these workarounds to the guest. Signed-off-by: Nicholas Piggin --- arch/powerpc/include/asm/hvcall.h | 2 ++ arch/powerpc/platforms/pseries/setup.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h index 443050906018..f962b339865c 100644 --- a/arch/powerpc/include/asm/hvcall.h +++ b/arch/powerpc/include/asm/hvcall.h @@ -393,6 +393,8 @@ #define H_CPU_BEHAV_FAVOUR_SECURITY_H (1ull << 60) // IBM bit 3 #define H_CPU_BEHAV_FLUSH_COUNT_CACHE (1ull << 58) // IBM bit 5 #define H_CPU_BEHAV_FLUSH_LINK_STACK (1ull << 57) // IBM bit 6 +#define H_CPU_BEHAV_NO_L1D_FLUSH_ENTRY (1ull << 56) // IBM bit 7 +#define H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS (1ull << 55) // IBM bit 8 /* Flag values used in H_REGISTER_PROC_TBL hcall */ #define PROC_TABLE_OP_MASK 0x18 diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c index 754e493b7c05..287f33645419 100644 --- a/arch/powerpc/platforms/pseries/setup.c +++ b/arch/powerpc/platforms/pseries/setup.c @@ -549,6 +549,12 @@ static void init_cpu_char_feature_flags(struct h_cpu_char_result *result) if (!(result->behaviour & H_CPU_BEHAV_L1D_FLUSH_PR)) security_ftr_clear(SEC_FTR_L1D_FLUSH_PR); + if (result->behaviour & H_CPU_BEHAV_NO_L1D_FLUSH_ENTRY) + security_ftr_clear(SEC_FTR_L1D_FLUSH_ENTRY); + + if (result->behaviour & H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS) + security_ftr_clear(SEC_FTR_L1D_FLUSH_UACCESS); + if (!(result->behaviour & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR)) security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR); } From patchwork Mon May 3 13:02:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicholas Piggin X-Patchwork-Id: 1473187 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=112.213.38.117; helo=lists.ozlabs.org; envelope-from=linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=hFDF+G5q; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FYjpt5JWrz9sTD for ; Mon, 3 May 2021 23:04:06 +1000 (AEST) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4FYjpt4pVWz30CK for ; Mon, 3 May 2021 23:04:06 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=hFDF+G5q; dkim-atps=neutral X-Original-To: linuxppc-dev@lists.ozlabs.org Delivered-To: linuxppc-dev@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::533; helo=mail-pg1-x533.google.com; envelope-from=npiggin@gmail.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=hFDF+G5q; dkim-atps=neutral Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4FYjnY0y19z2xZS for ; Mon, 3 May 2021 23:02:56 +1000 (AEST) Received: by mail-pg1-x533.google.com with SMTP id p12so3513669pgj.10 for ; Mon, 03 May 2021 06:02:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=JEFoaHpYo4S5tQ+mk5otYjO32aWJH7KCFvgal9BUlRQ=; b=hFDF+G5q0COO5fEPjestQI4jRbqHOD0OfGCOLNMWsJAF4gNTusiEPQV0icWZApvesm 1zLdvl/nadXgYUkjOaLSK/aOtFN5sXXpGjB/9JAiCpZdFeF14XQgtYpV2ueL1MOpX8e/ 8l02Wy1BEAHwFQyW2aElIMcM7Fqf+FKdY1Bla6LvdcXbnIxxHEvcbhTtG2/M+wUzeuyV anuNTzGwHqEmU/CL1+Bt10ddYHSMvr7xJoqfXoMUix+kQZ5S5X34NjgwtKfOaLgystxK NOjgSCJclHejPEgaU6b/g0p/4oww52NsAKmKW1sBWd2ANr80Vg6y7GdUrqNn6D3/G8PZ YX4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=JEFoaHpYo4S5tQ+mk5otYjO32aWJH7KCFvgal9BUlRQ=; b=pMb0Q/K5IUKxZfnHp3kN9EE5Q0gxLg+wj+pjbpuUYUYBAGBUVoTFWm8BqKH5E18QbY x4KK/0Xlt8gh90Cqt+5BctPAOTHRiTDV1iqHDTlruQh03s7DGZvKVG+4h7/95hxqlvGw zBx3oRamdn6FkIQgzM7Mu25LiBo0QPsR4dSQapMbCNMnJp1P1DXwOmK8sW53O0HWTUu4 W+zxueyfbuP9JlERJtMwKi73QhG0oZsSgMIuvH/o6uG0B3yF0arJzMRa4bpeGMHpz0Uc LTY5ERfem5YlHLzJ4g8BdgebgL0qGIC6P70vJFDlSxiOPw+xo+F3QbE/5ZWSGXnLAaZy GH1Q== X-Gm-Message-State: AOAM532s3+7xJImT8BjJYuxGGCzgGgHEcJjrMcnId7sDPZBZbPy7hD3J fNYAaUMlJKDCIxbRZnm6pe/HxCiRsAg= X-Google-Smtp-Source: ABdhPJx7BD8ndviaIXTpDIXHhWOLPgThVsegW2NQ+vSa4j4AVIO9sSxz36l5gp5+Fb9CU4Nj9Vw0TA== X-Received: by 2002:aa7:9190:0:b029:22d:6789:cc83 with SMTP id x16-20020aa791900000b029022d6789cc83mr19193653pfa.9.1620046974376; Mon, 03 May 2021 06:02:54 -0700 (PDT) Received: from bobo.ibm.com ([61.68.127.20]) by smtp.gmail.com with ESMTPSA id f1sm18069053pjt.50.2021.05.03.06.02.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 May 2021 06:02:53 -0700 (PDT) From: Nicholas Piggin To: linuxppc-dev@lists.ozlabs.org Subject: [PATCH 2/4] powerpc/security: Add a security feature for STF barrier Date: Mon, 3 May 2021 23:02:41 +1000 Message-Id: <20210503130243.891868-3-npiggin@gmail.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20210503130243.891868-1-npiggin@gmail.com> References: <20210503130243.891868-1-npiggin@gmail.com> MIME-Version: 1.0 X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Nicholas Piggin Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" Rather than tying this mitigation to RFI L1D flush requirement, add a new bit for it. Signed-off-by: Nicholas Piggin --- arch/powerpc/include/asm/security_features.h | 4 ++++ arch/powerpc/kernel/security.c | 7 ++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h index b774a4477d5f..792eefaf230b 100644 --- a/arch/powerpc/include/asm/security_features.h +++ b/arch/powerpc/include/asm/security_features.h @@ -92,6 +92,9 @@ static inline bool security_ftr_enabled(u64 feature) // The L1-D cache should be flushed after user accesses from the kernel #define SEC_FTR_L1D_FLUSH_UACCESS 0x0000000000008000ull +// The STF flush should be executed on privilege state switch +#define SEC_FTR_STF_BARRIER 0x0000000000010000ull + // Features enabled by default #define SEC_FTR_DEFAULT \ (SEC_FTR_L1D_FLUSH_HV | \ @@ -99,6 +102,7 @@ static inline bool security_ftr_enabled(u64 feature) SEC_FTR_BNDS_CHK_SPEC_BAR | \ SEC_FTR_L1D_FLUSH_ENTRY | \ SEC_FTR_L1D_FLUSH_UACCESS | \ + SEC_FTR_STF_BARRIER | \ SEC_FTR_FAVOUR_SECURITY) #endif /* _ASM_POWERPC_SECURITY_FEATURES_H */ diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c index 0fdfcdd9d880..2eb257b759c6 100644 --- a/arch/powerpc/kernel/security.c +++ b/arch/powerpc/kernel/security.c @@ -300,9 +300,7 @@ static void stf_barrier_enable(bool enable) void setup_stf_barrier(void) { enum stf_barrier_type type; - bool enable, hv; - - hv = cpu_has_feature(CPU_FTR_HVMODE); + bool enable; /* Default to fallback in case fw-features are not available */ if (cpu_has_feature(CPU_FTR_ARCH_300)) @@ -315,8 +313,7 @@ void setup_stf_barrier(void) type = STF_BARRIER_NONE; enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && - (security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) || - (security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && hv)); + security_ftr_enabled(SEC_FTR_STF_BARRIER); if (type == STF_BARRIER_FALLBACK) { pr_info("stf-barrier: fallback barrier available\n"); From patchwork Mon May 3 13:02:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicholas Piggin X-Patchwork-Id: 1473188 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=2404:9400:2:0:216:3eff:fee1:b9f1; helo=lists.ozlabs.org; envelope-from=linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=dGabkijm; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2404:9400:2:0:216:3eff:fee1:b9f1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FYjqL23hNz9sWM for ; Mon, 3 May 2021 23:04:30 +1000 (AEST) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4FYjqL1pz3z3c0Y for ; Mon, 3 May 2021 23:04:30 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=dGabkijm; dkim-atps=neutral X-Original-To: linuxppc-dev@lists.ozlabs.org Delivered-To: linuxppc-dev@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::630; helo=mail-pl1-x630.google.com; envelope-from=npiggin@gmail.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=dGabkijm; dkim-atps=neutral Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4FYjnb1Bq5z2xZS for ; Mon, 3 May 2021 23:02:59 +1000 (AEST) Received: by mail-pl1-x630.google.com with SMTP id b21so2762640plz.0 for ; Mon, 03 May 2021 06:02:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=WAQqpAgTTsGEbbkxR70JxT+IBdrvdRzWuqwtavlOARE=; b=dGabkijm0he+4nD4cKIy7hV9zN1Th6hYuEhRi3ml1BB/eiw2DxKIxak8cP3AuJnROZ IqzdptHV8CJP+L2SyWmBrTfE2LRf/fuCe3ONOVvBCxOztUK7AtGoMFviULPqLzSyuoQ2 LE0xi6YQNDhZZe58udVq8j8tRdJFm/mueYrs+2vDz6mv8bWXNa2I2T7+YluPVVOqNHkD 2y5IcA1F+yK8kifhos7MVX3Hboua8n4BNRHAwYxV/IkRxcNOKnVPjHswx7f+eT81jGJQ kmEnEc36voOhrRY1WRhywdrDFiYgj023XPZW+mNI2O5dZECFDKtUypbnWoO8U3gT7Map 0ttA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=WAQqpAgTTsGEbbkxR70JxT+IBdrvdRzWuqwtavlOARE=; b=s6NmO+7BMWomTqMJhVHedq5g+oVEp5uEsdD1LEcqyJaXaoY0A/qpKm18RNyv1sDuZi XMIinI9iUYVaiFjd/MuKTh/unZajmPpjt5OSnmVC27OTzIqYQU5eG/tu4r9UP58jyTrk oG+YeB6VrMudjT7sx+ZRVImimEvKEerf5SexE1+ep8yK8/5slHZYkUz/7sEkjp0F3KrJ 43u1a2KXE4MR1j61ZcfvZr5W75idOY8DYZfYCByZ/Lr2CwTsAjS8lutBVtTRDuSnqCYb 8F/+vN4P+88Wo67AaK67u2GJFWCxT7lEc4LMrMd7Z/N5kHGTCgzZlgWVdZbDGyQzHrYm GrRQ== X-Gm-Message-State: AOAM530M40TlIQKK0A8d+35HGBxI/hNX7kB3N3Nbkf5eQGcBXdx0J3jS +ryM5dAXY49wjLYkXhRmKb5fJwVWq9I= X-Google-Smtp-Source: ABdhPJwwRsscfIt52e8CIgWSiUqeYh5LWJ/OCS2e7EPMbUleVB/U7lmuEhs+9UMtSN849sp+tN0rXw== X-Received: by 2002:a17:90a:c42:: with SMTP id u2mr21225032pje.76.1620046976236; Mon, 03 May 2021 06:02:56 -0700 (PDT) Received: from bobo.ibm.com ([61.68.127.20]) by smtp.gmail.com with ESMTPSA id f1sm18069053pjt.50.2021.05.03.06.02.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 May 2021 06:02:56 -0700 (PDT) From: Nicholas Piggin To: linuxppc-dev@lists.ozlabs.org Subject: [PATCH 3/4] powerpc/pesries: Get STF barrier requirement from H_GET_CPU_CHARACTERISTICS Date: Mon, 3 May 2021 23:02:42 +1000 Message-Id: <20210503130243.891868-4-npiggin@gmail.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20210503130243.891868-1-npiggin@gmail.com> References: <20210503130243.891868-1-npiggin@gmail.com> MIME-Version: 1.0 X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Nicholas Piggin Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" This allows the hypervisor / firmware to describe this workarounds to the guest. Signed-off-by: Nicholas Piggin --- arch/powerpc/include/asm/hvcall.h | 1 + arch/powerpc/platforms/pseries/setup.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h index f962b339865c..a60ef261f63a 100644 --- a/arch/powerpc/include/asm/hvcall.h +++ b/arch/powerpc/include/asm/hvcall.h @@ -395,6 +395,7 @@ #define H_CPU_BEHAV_FLUSH_LINK_STACK (1ull << 57) // IBM bit 6 #define H_CPU_BEHAV_NO_L1D_FLUSH_ENTRY (1ull << 56) // IBM bit 7 #define H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS (1ull << 55) // IBM bit 8 +#define H_CPU_BEHAV_NO_STF_BARRIER (1ull << 54) // IBM bit 9 /* Flag values used in H_REGISTER_PROC_TBL hcall */ #define PROC_TABLE_OP_MASK 0x18 diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c index 287f33645419..631a0d57b6cd 100644 --- a/arch/powerpc/platforms/pseries/setup.c +++ b/arch/powerpc/platforms/pseries/setup.c @@ -555,6 +555,9 @@ static void init_cpu_char_feature_flags(struct h_cpu_char_result *result) if (result->behaviour & H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS) security_ftr_clear(SEC_FTR_L1D_FLUSH_UACCESS); + if (result->behaviour & H_CPU_BEHAV_NO_STF_BARRIER) + security_ftr_clear(SEC_FTR_STF_BARRIER); + if (!(result->behaviour & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR)) security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR); } From patchwork Mon May 3 13:02:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicholas Piggin X-Patchwork-Id: 1473189 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=2404:9400:2:0:216:3eff:fee1:b9f1; helo=lists.ozlabs.org; envelope-from=linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=R7fgQLgf; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2404:9400:2:0:216:3eff:fee1:b9f1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FYjqn2m5Mz9sWk for ; Mon, 3 May 2021 23:04:53 +1000 (AEST) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4FYjqn2D4cz3c7j for ; Mon, 3 May 2021 23:04:53 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=R7fgQLgf; dkim-atps=neutral X-Original-To: linuxppc-dev@lists.ozlabs.org Delivered-To: linuxppc-dev@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=2607:f8b0:4864:20::629; helo=mail-pl1-x629.google.com; envelope-from=npiggin@gmail.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=R7fgQLgf; dkim-atps=neutral Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4FYjnd2DFRz2yYm for ; Mon, 3 May 2021 23:03:01 +1000 (AEST) Received: by mail-pl1-x629.google.com with SMTP id s20so2727625plr.13 for ; Mon, 03 May 2021 06:03:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=jIrJw0Rl0ogosE0eD+GUDs9uAC2wEGhdBNqrMjsOmcY=; b=R7fgQLgftiUqzO9ZfnxvTRPErgW8Tznfc/P5GB+BBQ8WbVvmNJfpfD8HRzwjFLrG8K jd3itbn0L99buVvaW3eKidkJAZ35LcAHzfUqg4BYf6h3U2exk9v3kI/dUoXLnPwLhzmt xxem+Qm6BNTBIopvHUh7EBKQ9zt0O2Pong1+LeR4yyQjcjO3HPaPv8Ktm9K0Z881Gixa IrBgS+zeAdBc5igquJrmUl1S2BdVodOEdW8I+JzNQvT5xGTcTaXIwyNRmwJM+CZaPqHH ZoDxXqjevcM7c2lxOJ48VjiYjCaW13eEbXrEuFwEVIM6uPoU2amSZGEmaBXpEus+5Egs pf2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=jIrJw0Rl0ogosE0eD+GUDs9uAC2wEGhdBNqrMjsOmcY=; b=ovhiyq3lWCTp8fYx3uGAIJfKgC4ouSVcBGT0f1st2w9bBln7AEu6pnHFO+jEMoGSdQ syPGdw6a/N4f07vBFu96kdyLM+0+KFPR8X1vcqb7l497wHVMC4Je0ayHjXtI2dfl2ji/ nl4ZovcAkZQwlWmTu7MlQ/H9E094iSeD8rXA/pHLWZI+OZIHVKAh1aT6RgRuXN3FeU8E SZ2u3RzEYUfLgghTvziQaa23XFVoWrfTBamKEP60gsfTsfaZiIpOUrdfEPdfqdS2JbA7 /DNqlLz4RfWughcfhYrDCTX63bhdzIdAgdhoMJxXukHn/s6mtS/iOpPdokNwfkNM/hAE NJKA== X-Gm-Message-State: AOAM531b+V9UAkOLi988ZOKXqSd/Na+EN3QF2CTxNMmjrOcn2INKVlzd L5X7F2SjlJMX0nnwoUJWcEaOmfdCg5g= X-Google-Smtp-Source: ABdhPJzRAMbqOtvuQX1VIogrwnHmAWavfSe/HVDux8bnxfTigLhLygwhDEtEhFKJfZRO3lQEtVYkzA== X-Received: by 2002:a17:90b:17d2:: with SMTP id me18mr10239615pjb.22.1620046978731; Mon, 03 May 2021 06:02:58 -0700 (PDT) Received: from bobo.ibm.com ([61.68.127.20]) by smtp.gmail.com with ESMTPSA id f1sm18069053pjt.50.2021.05.03.06.02.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 May 2021 06:02:57 -0700 (PDT) From: Nicholas Piggin To: linuxppc-dev@lists.ozlabs.org Subject: [PATCH 4/4] powerpc/powernv: Remove POWER9 PVR version check for entry and uaccess flushes Date: Mon, 3 May 2021 23:02:43 +1000 Message-Id: <20210503130243.891868-5-npiggin@gmail.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20210503130243.891868-1-npiggin@gmail.com> References: <20210503130243.891868-1-npiggin@gmail.com> MIME-Version: 1.0 X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Nicholas Piggin Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" These aren't necessarily POWER9 only, and it's not to say some new vulnerability may not get discovered on other processors for which we would like the flexibility of having the workaround enabled by firmware. Remove the restriction that they only apply to POWER9. Signed-off-by: Nicholas Piggin Reviewed-by: Joel Stanley Signed-off-by: Nicholas Piggin --- arch/powerpc/platforms/powernv/setup.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c index a8db3f153063..6ec67223f8c7 100644 --- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c @@ -122,15 +122,6 @@ static void pnv_setup_security_mitigations(void) type = L1D_FLUSH_ORI; } - /* - * If we are non-Power9 bare metal, we don't need to flush on kernel - * entry or after user access: they fix a P9 specific vulnerability. - */ - if (!pvr_version_is(PVR_POWER9)) { - security_ftr_clear(SEC_FTR_L1D_FLUSH_ENTRY); - security_ftr_clear(SEC_FTR_L1D_FLUSH_UACCESS); - } - enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && \ (security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) || \ security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV));