[v4,07/12] arm64: add sysfs vulnerability show for meltdown

Message ID	20190125180711.1970973-8-jeremy.linton@arm.com
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; From: Jeremy Linton <jeremy.linton@arm.com> To: linux-arm-kernel@lists.infradead.org Cc: catalin.marinas@arm.com, will.deacon@arm.com, marc.zyngier@arm.com, suzuki.poulose@arm.com, dave.martin@arm.com, shankerd@codeaurora.org, linux-kernel@vger.kernel.org, ykaukab@suse.de, julien.thierry@arm.com, mlangsdo@redhat.com, steven.price@arm.com, stefan.wahren@i2se.com, Jeremy Linton <jeremy.linton@arm.com> Subject: [PATCH v4 07/12] arm64: add sysfs vulnerability show for meltdown Date: Fri, 25 Jan 2019 12:07:06 -0600 Message-Id: <20190125180711.1970973-8-jeremy.linton@arm.com> In-Reply-To: <20190125180711.1970973-1-jeremy.linton@arm.com> References: <20190125180711.1970973-1-jeremy.linton@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk
Series	arm64: add system vulnerability sysfs entries \| expand [v4,00/12] arm64: add system vulnerability sysfs entries [v4,01/12] Documentation: Document arm64 kpti control [v4,02/12] arm64: Provide a command line to disable spectre_v2 mitigation [v4,03/12] arm64: Remove the ability to build a kernel without ssbd [v4,04/12] arm64: remove the ability to build a kernel without hardened branch predictors [v4,05/12] arm64: remove the ability to build a kernel without kpti [v4,06/12] arm64: add sysfs vulnerability show for spectre v1 [v4,07/12] arm64: add sysfs vulnerability show for meltdown [v4,08/12] arm64: Advertise mitigation of Spectre-v2, or lack thereof [v4,09/12] arm64: Use firmware to detect CPUs that are not affected by Spectre-v2 [v4,10/12] arm64: add sysfs vulnerability show for spectre v2 [v4,11/12] arm64: add sysfs vulnerability show for speculative store bypass [v4,12/12] arm64: enable generic CPU vulnerabilites support

Message ID

20190125180711.1970973-8-jeremy.linton@arm.com

State

New

Headers

Received-SPF: pass (google.com: best guess record for domain of
	linux-kernel-owner@vger.kernel.org designates 209.132.180.67
	as permitted sender) client-ip=209.132.180.67; 
From: Jeremy Linton <jeremy.linton@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, will.deacon@arm.com, marc.zyngier@arm.com,
	suzuki.poulose@arm.com, dave.martin@arm.com,
	shankerd@codeaurora.org, linux-kernel@vger.kernel.org,
	ykaukab@suse.de, julien.thierry@arm.com, mlangsdo@redhat.com,
	steven.price@arm.com, stefan.wahren@i2se.com,
	Jeremy Linton <jeremy.linton@arm.com>
Subject: [PATCH v4 07/12] arm64: add sysfs vulnerability show for meltdown
Date: Fri, 25 Jan 2019 12:07:06 -0600
Message-Id: <20190125180711.1970973-8-jeremy.linton@arm.com>
In-Reply-To: <20190125180711.1970973-1-jeremy.linton@arm.com>
References: <20190125180711.1970973-1-jeremy.linton@arm.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

Series

arm64: add system vulnerability sysfs entries | expand

Commit Message

Jeremy Linton Jan. 25, 2019, 6:07 p.m. UTC

Display the mitigation status if active, otherwise
assume the cpu is safe unless it doesn't have CSV3
and isn't in our whitelist.

Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

---
 arch/arm64/kernel/cpufeature.c | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

-- 
2.17.2

Comments

Julien Thierry Jan. 31, 2019, 9:28 a.m. UTC | #1

Hi Jeremy,

On 25/01/2019 18:07, Jeremy Linton wrote:
> Display the mitigation status if active, otherwise

> assume the cpu is safe unless it doesn't have CSV3

> and isn't in our whitelist.

> 

> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

> ---

>  arch/arm64/kernel/cpufeature.c | 33 +++++++++++++++++++++++++++------

>  1 file changed, 27 insertions(+), 6 deletions(-)

> 

> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c

> index a9e18b9cdc1e..624dfe0b5cdd 100644

> --- a/arch/arm64/kernel/cpufeature.c

> +++ b/arch/arm64/kernel/cpufeature.c

> @@ -944,6 +944,8 @@ has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope)

>  	return has_cpuid_feature(entry, scope);

>  }

>  

> +/* default value is invalid until unmap_kernel_at_el0() runs */

> +static bool __meltdown_safe = true;

>  static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */

>  

>  static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

> @@ -962,6 +964,16 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>  		{ /* sentinel */ }

>  	};

>  	char const *str = "command line option";

> +	bool meltdown_safe;

> +

> +	meltdown_safe = is_midr_in_range_list(read_cpuid_id(), kpti_safe_list);

> +

> +	/* Defer to CPU feature registers */

> +	if (has_cpuid_feature(entry, scope))

> +		meltdown_safe = true;


Do we need to check the cpuid registers if the CPU is in the known safe
list?

Otherwise:

Reviewed-by: Julien Thierry <julien.thierry@arm.com>


> +

> +	if (!meltdown_safe)

> +		__meltdown_safe = false;

>  

>  	/*

>  	 * For reasons that aren't entirely clear, enabling KPTI on Cavium

> @@ -984,12 +996,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>  	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))

>  		return kaslr_offset() > 0;

>  

> -	/* Don't force KPTI for CPUs that are not vulnerable */

> -	if (is_midr_in_range_list(read_cpuid_id(), kpti_safe_list))

> -		return false;

> -

> -	/* Defer to CPU feature registers */

> -	return !has_cpuid_feature(entry, scope);

> +	return !meltdown_safe;

>  }

>  

>  static void

> @@ -2055,3 +2062,17 @@ static int __init enable_mrs_emulation(void)

>  }

>  

>  core_initcall(enable_mrs_emulation);

> +

> +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES

> +ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,

> +		char *buf)

> +{

> +	if (arm64_kernel_unmapped_at_el0())

> +		return sprintf(buf, "Mitigation: KPTI\n");

> +

> +	if (__meltdown_safe)

> +		return sprintf(buf, "Not affected\n");

> +

> +	return sprintf(buf, "Vulnerable\n");

> +}

> +#endif

> 


-- 
Julien Thierry

Andre Przywara Jan. 31, 2019, 5:54 p.m. UTC | #2

On Fri, 25 Jan 2019 12:07:06 -0600
Jeremy Linton <jeremy.linton@arm.com> wrote:

Hi,

> Display the mitigation status if active, otherwise

> assume the cpu is safe unless it doesn't have CSV3

> and isn't in our whitelist.

> 

> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

> ---

>  arch/arm64/kernel/cpufeature.c | 33 +++++++++++++++++++++++++++------

>  1 file changed, 27 insertions(+), 6 deletions(-)

> 

> diff --git a/arch/arm64/kernel/cpufeature.c

> b/arch/arm64/kernel/cpufeature.c

> index a9e18b9cdc1e..624dfe0b5cdd 100644

> --- a/arch/arm64/kernel/cpufeature.c

> +++ b/arch/arm64/kernel/cpufeature.c

> @@ -944,6 +944,8 @@ has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope)

> 	return has_cpuid_feature(entry, scope);

> }

>  

> +/* default value is invalid until unmap_kernel_at_el0() runs */


Shall we somehow enforce this? For instance by making __meltdown_safe
an enum, initialised to UNKNOWN?
Then bail out with a BUG_ON or WARN_ON in the sysfs code?

I just want to avoid to accidentally report "safe" when we actually
aren't.

> +static bool __meltdown_safe = true;

>  static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */ 

>  static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

> @@ -962,6 +964,16 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

> 		{ /* sentinel */ }

>  	};

>  	char const *str = "command line option";

> +	bool meltdown_safe;

> +

> +	meltdown_safe = is_midr_in_range_list(read_cpuid_id(), kpti_safe_list);

> +

> +	/* Defer to CPU feature registers */

> +	if (has_cpuid_feature(entry, scope))

> +		meltdown_safe = true;

> +

> +	if (!meltdown_safe)

> +		__meltdown_safe = false;

>  

>  	/*

>  	 * For reasons that aren't entirely clear, enabling KPTI on Cavium

> @@ -984,12 +996,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

> 	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))

> 		return kaslr_offset() > 0;

>  

> -	/* Don't force KPTI for CPUs that are not vulnerable */

> -	if (is_midr_in_range_list(read_cpuid_id(), kpti_safe_list))

> -		return false;

> -

> -	/* Defer to CPU feature registers */

> -	return !has_cpuid_feature(entry, scope);

> +	return !meltdown_safe;

>  }

>  

>  static void

> @@ -2055,3 +2062,17 @@ static int __init enable_mrs_emulation(void)

>  }

>  

>  core_initcall(enable_mrs_emulation);

> +

> +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES

> +ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,

> +		char *buf)


w/s issue.

Cheers,
Andre.

> +{

> +	if (arm64_kernel_unmapped_at_el0())

> +		return sprintf(buf, "Mitigation: KPTI\n");

> +

> +	if (__meltdown_safe)

> +		return sprintf(buf, "Not affected\n");

> +

> +	return sprintf(buf, "Vulnerable\n");

> +}

> +#endif

Jeremy Linton Jan. 31, 2019, 9:48 p.m. UTC | #3

Hi,

On 01/31/2019 03:28 AM, Julien Thierry wrote:
> Hi Jeremy,

> 

> On 25/01/2019 18:07, Jeremy Linton wrote:

>> Display the mitigation status if active, otherwise

>> assume the cpu is safe unless it doesn't have CSV3

>> and isn't in our whitelist.

>>

>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

>> ---

>>   arch/arm64/kernel/cpufeature.c | 33 +++++++++++++++++++++++++++------

>>   1 file changed, 27 insertions(+), 6 deletions(-)

>>

>> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c

>> index a9e18b9cdc1e..624dfe0b5cdd 100644

>> --- a/arch/arm64/kernel/cpufeature.c

>> +++ b/arch/arm64/kernel/cpufeature.c

>> @@ -944,6 +944,8 @@ has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope)

>>   	return has_cpuid_feature(entry, scope);

>>   }

>>   

>> +/* default value is invalid until unmap_kernel_at_el0() runs */

>> +static bool __meltdown_safe = true;

>>   static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */

>>   

>>   static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>> @@ -962,6 +964,16 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>>   		{ /* sentinel */ }

>>   	};

>>   	char const *str = "command line option";

>> +	bool meltdown_safe;

>> +

>> +	meltdown_safe = is_midr_in_range_list(read_cpuid_id(), kpti_safe_list);

>> +

>> +	/* Defer to CPU feature registers */

>> +	if (has_cpuid_feature(entry, scope))

>> +		meltdown_safe = true;

> 

> Do we need to check the cpuid registers if the CPU is in the known safe

> list?


I don't believe so. In the previous patch where this was broken out 
these checks were just or'ed together. In this path it just seemed a 
little cleaner than adding the additional check/or'ing the results 
here/whatever as we only want to set it safe (never the other way 
around). AKA, i'm running out of horizontal space, and I want to keep 
the 'defer to registers' comment.


> 

> Otherwise:

> 

> Reviewed-by: Julien Thierry <julien.thierry@arm.com>

> 

>> +

>> +	if (!meltdown_safe)

>> +		__meltdown_safe = false;

>>   

>>   	/*

>>   	 * For reasons that aren't entirely clear, enabling KPTI on Cavium

>> @@ -984,12 +996,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>>   	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))

>>   		return kaslr_offset() > 0;

>>   

>> -	/* Don't force KPTI for CPUs that are not vulnerable */

>> -	if (is_midr_in_range_list(read_cpuid_id(), kpti_safe_list))

>> -		return false;

>> -

>> -	/* Defer to CPU feature registers */

>> -	return !has_cpuid_feature(entry, scope);

>> +	return !meltdown_safe;

>>   }

>>   

>>   static void

>> @@ -2055,3 +2062,17 @@ static int __init enable_mrs_emulation(void)

>>   }

>>   

>>   core_initcall(enable_mrs_emulation);

>> +

>> +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES

>> +ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,

>> +		char *buf)

>> +{

>> +	if (arm64_kernel_unmapped_at_el0())

>> +		return sprintf(buf, "Mitigation: KPTI\n");

>> +

>> +	if (__meltdown_safe)

>> +		return sprintf(buf, "Not affected\n");

>> +

>> +	return sprintf(buf, "Vulnerable\n");

>> +}

>> +#endif

>>

>

Jeremy Linton Jan. 31, 2019, 9:53 p.m. UTC | #4

Hi,

On 01/31/2019 11:54 AM, Andre Przywara wrote:
> On Fri, 25 Jan 2019 12:07:06 -0600

> Jeremy Linton <jeremy.linton@arm.com> wrote:

> 

> Hi,

> 

>> Display the mitigation status if active, otherwise

>> assume the cpu is safe unless it doesn't have CSV3

>> and isn't in our whitelist.

>>

>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

>> ---

>>   arch/arm64/kernel/cpufeature.c | 33 +++++++++++++++++++++++++++------

>>   1 file changed, 27 insertions(+), 6 deletions(-)

>>

>> diff --git a/arch/arm64/kernel/cpufeature.c

>> b/arch/arm64/kernel/cpufeature.c

>> index a9e18b9cdc1e..624dfe0b5cdd 100644

>> --- a/arch/arm64/kernel/cpufeature.c

>> +++ b/arch/arm64/kernel/cpufeature.c

>> @@ -944,6 +944,8 @@ has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope)

>> 	return has_cpuid_feature(entry, scope);

>> }

>>   

>> +/* default value is invalid until unmap_kernel_at_el0() runs */

> 

> Shall we somehow enforce this? For instance by making __meltdown_safe

> an enum, initialised to UNKNOWN?


Hehe, well I think people complained about my "UNKNOWN" enum. But, in 
the end this version is trying to make it clear we shouldn't have any 
unknown states remaining.

> Then bail out with a BUG_ON or WARN_ON in the sysfs code?


AFAIK, it shouldn't be possible to actually run the sysfs code before 
this gets initialized. So, the comment is just making it clear/forcing 
the understanding of that.


> 

> I just want to avoid to accidentally report "safe" when we actually

> aren't.

> 

>> +static bool __meltdown_safe = true;

>>   static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */

>>   static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>> @@ -962,6 +964,16 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>> 		{ /* sentinel */ }

>>   	};

>>   	char const *str = "command line option";

>> +	bool meltdown_safe;

>> +

>> +	meltdown_safe = is_midr_in_range_list(read_cpuid_id(), kpti_safe_list);

>> +

>> +	/* Defer to CPU feature registers */

>> +	if (has_cpuid_feature(entry, scope))

>> +		meltdown_safe = true;

>> +

>> +	if (!meltdown_safe)

>> +		__meltdown_safe = false;

>>   

>>   	/*

>>   	 * For reasons that aren't entirely clear, enabling KPTI on Cavium

>> @@ -984,12 +996,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>> 	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))

>> 		return kaslr_offset() > 0;

>>   

>> -	/* Don't force KPTI for CPUs that are not vulnerable */

>> -	if (is_midr_in_range_list(read_cpuid_id(), kpti_safe_list))

>> -		return false;

>> -

>> -	/* Defer to CPU feature registers */

>> -	return !has_cpuid_feature(entry, scope);

>> +	return !meltdown_safe;

>>   }

>>   

>>   static void

>> @@ -2055,3 +2062,17 @@ static int __init enable_mrs_emulation(void)

>>   }

>>   

>>   core_initcall(enable_mrs_emulation);

>> +

>> +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES

>> +ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,

>> +		char *buf)

> 

> w/s issue.

> 

> Cheers,

> Andre.

> 

>> +{

>> +	if (arm64_kernel_unmapped_at_el0())

>> +		return sprintf(buf, "Mitigation: KPTI\n");

>> +

>> +	if (__meltdown_safe)

>> +		return sprintf(buf, "Not affected\n");

>> +

>> +	return sprintf(buf, "Vulnerable\n");

>> +}

>> +#endif

>

diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index a9e18b9cdc1e..624dfe0b5cdd 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -944,6 +944,8 @@  has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope)
 	return has_cpuid_feature(entry, scope);
 }
 
+/* default value is invalid until unmap_kernel_at_el0() runs */
+static bool __meltdown_safe = true;
 static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */
 
 static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
@@ -962,6 +964,16 @@  static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
 		{ /* sentinel */ }
 	};
 	char const *str = "command line option";
+	bool meltdown_safe;
+
+	meltdown_safe = is_midr_in_range_list(read_cpuid_id(), kpti_safe_list);
+
+	/* Defer to CPU feature registers */
+	if (has_cpuid_feature(entry, scope))
+		meltdown_safe = true;
+
+	if (!meltdown_safe)
+		__meltdown_safe = false;
 
 	/*
 	 * For reasons that aren't entirely clear, enabling KPTI on Cavium
@@ -984,12 +996,7 @@  static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
 	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
 		return kaslr_offset() > 0;
 
-	/* Don't force KPTI for CPUs that are not vulnerable */
-	if (is_midr_in_range_list(read_cpuid_id(), kpti_safe_list))
-		return false;
-
-	/* Defer to CPU feature registers */
-	return !has_cpuid_feature(entry, scope);
+	return !meltdown_safe;
 }
 
 static void
@@ -2055,3 +2062,17 @@  static int __init enable_mrs_emulation(void)
 }
 
 core_initcall(enable_mrs_emulation);
+
+#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES
+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,
+		char *buf)
+{
+	if (arm64_kernel_unmapped_at_el0())
+		return sprintf(buf, "Mitigation: KPTI\n");
+
+	if (__meltdown_safe)
+		return sprintf(buf, "Not affected\n");
+
+	return sprintf(buf, "Vulnerable\n");
+}
+#endif

[v4,07/12] arm64: add sysfs vulnerability show for meltdown

Commit Message

Comments

Patch