[5/6] arm64: add sysfs vulnerability show for speculative store bypass

From: Mian Yousaf Kaukab <ykaukab@suse.de>


Return status based no ssbd_state and the arm64 SSBS feature.
Return string "Unknown" in case CONFIG_ARM64_SSBD is
disabled or arch workaround2 is not available
in the firmware.

Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>

[Added SSBS logic]
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

---
 arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

-- 
2.17.2

On 06/12/2018 23:44, Jeremy Linton wrote:
> From: Mian Yousaf Kaukab <ykaukab@suse.de>

> 

> Return status based no ssbd_state and the arm64 SSBS feature.

                      ^^ on

> Return string "Unknown" in case CONFIG_ARM64_SSBD is

> disabled or arch workaround2 is not available

> in the firmware.

> 

> Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>

> [Added SSBS logic]

> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

> ---

>  arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++

>  1 file changed, 28 insertions(+)

> 

> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c

> index 6505c93d507e..8aeb5ca38db8 100644

> --- a/arch/arm64/kernel/cpu_errata.c

> +++ b/arch/arm64/kernel/cpu_errata.c

> @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,

>  		ssbd_state = ARM64_SSBD_UNKNOWN;

>  		return false;

>  

> +	/* machines with mixed mitigation requirements must not return this */

>  	case SMCCC_RET_NOT_REQUIRED:

>  		pr_info_once("%s mitigation not required\n", entry->desc);

>  		ssbd_state = ARM64_SSBD_MITIGATED;

> @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,

>  	}

>  }

>  

> +ssize_t cpu_show_spec_store_bypass(struct device *dev,

> +		struct device_attribute *attr, char *buf)

> +{

> +	/*

> +	 *  Two assumptions: First, get_ssbd_state() reflects the worse case

> +	 *  for hetrogenous machines, and that if SSBS is supported its

                                                  ^^^^ SSBD
> +	 *  supported by all cores.

> +	 */

> +	switch (arm64_get_ssbd_state()) {

> +	case ARM64_SSBD_MITIGATED:

> +		return sprintf(buf, "Not affected\n");

> +

> +	case ARM64_SSBD_KERNEL:

> +	case ARM64_SSBD_FORCE_ENABLE:

> +		if (cpus_have_cap(ARM64_SSBS))

> +			return sprintf(buf, "Not affected\n");

> +		return sprintf(buf,

> +			"Mitigation: Speculative Store Bypass disabled\n");


NIT: To me this reads as the mitigation is disabled. Can we call it
"Speculative Store Bypass Disable" (with a capital 'D' and without the
'd at the end)?

Steve

> +

> +	case ARM64_SSBD_FORCE_DISABLE:

> +		return sprintf(buf, "Vulnerable\n");

> +

> +	default: /* ARM64_SSBD_UNKNOWN*/

> +		return sprintf(buf, "Unknown\n");

> +	}

> +}

> +

>  #endif

>

On Fri, Dec 14, 2018 at 10:34:31AM +0000, Steven Price wrote:
> On 06/12/2018 23:44, Jeremy Linton wrote:

> > From: Mian Yousaf Kaukab <ykaukab@suse.de>

> > 

> > Return status based no ssbd_state and the arm64 SSBS feature.

>                       ^^ on

> 

> > Return string "Unknown" in case CONFIG_ARM64_SSBD is

> > disabled or arch workaround2 is not available

> > in the firmware.

> > 

> > Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>

> > [Added SSBS logic]

> > Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

> > ---

> >  arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++

> >  1 file changed, 28 insertions(+)

> > 

> > diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c

> > index 6505c93d507e..8aeb5ca38db8 100644

> > --- a/arch/arm64/kernel/cpu_errata.c

> > +++ b/arch/arm64/kernel/cpu_errata.c

> > @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,

> >  		ssbd_state = ARM64_SSBD_UNKNOWN;

> >  		return false;

> >  

> > +	/* machines with mixed mitigation requirements must not return this */

> >  	case SMCCC_RET_NOT_REQUIRED:

> >  		pr_info_once("%s mitigation not required\n", entry->desc);

> >  		ssbd_state = ARM64_SSBD_MITIGATED;

> > @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,

> >  	}

> >  }

> >  

> > +ssize_t cpu_show_spec_store_bypass(struct device *dev,

> > +		struct device_attribute *attr, char *buf)

> > +{

> > +	/*

> > +	 *  Two assumptions: First, get_ssbd_state() reflects the worse case

> > +	 *  for hetrogenous machines, and that if SSBS is supported its

>                                                   ^^^^ SSBD

> > +	 *  supported by all cores.

> > +	 */

> > +	switch (arm64_get_ssbd_state()) {

> > +	case ARM64_SSBD_MITIGATED:

> > +		return sprintf(buf, "Not affected\n");

> > +

> > +	case ARM64_SSBD_KERNEL:

> > +	case ARM64_SSBD_FORCE_ENABLE:

> > +		if (cpus_have_cap(ARM64_SSBS))

> > +			return sprintf(buf, "Not affected\n");

> > +		return sprintf(buf,

> > +			"Mitigation: Speculative Store Bypass disabled\n");

> 

> NIT: To me this reads as the mitigation is disabled. Can we call it

> "Speculative Store Bypass Disable" (with a capital 'D' and without the

> 'd at the end)?


Whilst I agree that the strings are reasonably confusing (especially when
you pile on the double-negatives all the way up the stack!), we really
have no choice but to follow x86's lead with these strings.

I don't think it's worth forking the ABI in an attempt to make this clearer.

Will

On 14/12/2018 10:36, Will Deacon wrote:
> On Fri, Dec 14, 2018 at 10:34:31AM +0000, Steven Price wrote:

>> On 06/12/2018 23:44, Jeremy Linton wrote:

>>> From: Mian Yousaf Kaukab <ykaukab@suse.de>

>>>

>>> Return status based no ssbd_state and the arm64 SSBS feature.

>>                       ^^ on

>>

>>> Return string "Unknown" in case CONFIG_ARM64_SSBD is

>>> disabled or arch workaround2 is not available

>>> in the firmware.

>>>

>>> Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>

>>> [Added SSBS logic]

>>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

>>> ---

>>>  arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++

>>>  1 file changed, 28 insertions(+)

>>>

>>> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c

>>> index 6505c93d507e..8aeb5ca38db8 100644

>>> --- a/arch/arm64/kernel/cpu_errata.c

>>> +++ b/arch/arm64/kernel/cpu_errata.c

>>> @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,

>>>  		ssbd_state = ARM64_SSBD_UNKNOWN;

>>>  		return false;

>>>  

>>> +	/* machines with mixed mitigation requirements must not return this */

>>>  	case SMCCC_RET_NOT_REQUIRED:

>>>  		pr_info_once("%s mitigation not required\n", entry->desc);

>>>  		ssbd_state = ARM64_SSBD_MITIGATED;

>>> @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,

>>>  	}

>>>  }

>>>  

>>> +ssize_t cpu_show_spec_store_bypass(struct device *dev,

>>> +		struct device_attribute *attr, char *buf)

>>> +{

>>> +	/*

>>> +	 *  Two assumptions: First, get_ssbd_state() reflects the worse case

>>> +	 *  for hetrogenous machines, and that if SSBS is supported its

>>                                                   ^^^^ SSBD

>>> +	 *  supported by all cores.

>>> +	 */

>>> +	switch (arm64_get_ssbd_state()) {

>>> +	case ARM64_SSBD_MITIGATED:

>>> +		return sprintf(buf, "Not affected\n");

>>> +

>>> +	case ARM64_SSBD_KERNEL:

>>> +	case ARM64_SSBD_FORCE_ENABLE:

>>> +		if (cpus_have_cap(ARM64_SSBS))

>>> +			return sprintf(buf, "Not affected\n");

>>> +		return sprintf(buf,

>>> +			"Mitigation: Speculative Store Bypass disabled\n");

>>

>> NIT: To me this reads as the mitigation is disabled. Can we call it

>> "Speculative Store Bypass Disable" (with a capital 'D' and without the

>> 'd at the end)?

> 

> Whilst I agree that the strings are reasonably confusing (especially when

> you pile on the double-negatives all the way up the stack!), we really

> have no choice but to follow x86's lead with these strings.

> 

> I don't think it's worth forking the ABI in an attempt to make this clearer.


Ah, sorry I hadn't checked the x86 string - yes we should match that.

Steve

> Will

> 

> _______________________________________________

> linux-arm-kernel mailing list

> linux-arm-kernel@lists.infradead.org

> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

>

On Fri, Dec 14, 2018 at 10:41:42AM +0000, Steven Price wrote:
> On 14/12/2018 10:36, Will Deacon wrote:

> > On Fri, Dec 14, 2018 at 10:34:31AM +0000, Steven Price wrote:

> >> On 06/12/2018 23:44, Jeremy Linton wrote:

> >>> From: Mian Yousaf Kaukab <ykaukab@suse.de>

> >>>

> >>> Return status based no ssbd_state and the arm64 SSBS feature.

> >>                       ^^ on

> >>

> >>> Return string "Unknown" in case CONFIG_ARM64_SSBD is

> >>> disabled or arch workaround2 is not available

> >>> in the firmware.

> >>>

> >>> Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>

> >>> [Added SSBS logic]

> >>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

> >>> ---

> >>>  arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++

> >>>  1 file changed, 28 insertions(+)

> >>>

> >>> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c

> >>> index 6505c93d507e..8aeb5ca38db8 100644

> >>> --- a/arch/arm64/kernel/cpu_errata.c

> >>> +++ b/arch/arm64/kernel/cpu_errata.c

> >>> @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,

> >>>  		ssbd_state = ARM64_SSBD_UNKNOWN;

> >>>  		return false;

> >>>  

> >>> +	/* machines with mixed mitigation requirements must not return this */

> >>>  	case SMCCC_RET_NOT_REQUIRED:

> >>>  		pr_info_once("%s mitigation not required\n", entry->desc);

> >>>  		ssbd_state = ARM64_SSBD_MITIGATED;

> >>> @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,

> >>>  	}

> >>>  }

> >>>  

> >>> +ssize_t cpu_show_spec_store_bypass(struct device *dev,

> >>> +		struct device_attribute *attr, char *buf)

> >>> +{

> >>> +	/*

> >>> +	 *  Two assumptions: First, get_ssbd_state() reflects the worse case

> >>> +	 *  for hetrogenous machines, and that if SSBS is supported its

> >>                                                   ^^^^ SSBD

> >>> +	 *  supported by all cores.

> >>> +	 */

> >>> +	switch (arm64_get_ssbd_state()) {

> >>> +	case ARM64_SSBD_MITIGATED:

> >>> +		return sprintf(buf, "Not affected\n");

> >>> +

> >>> +	case ARM64_SSBD_KERNEL:

> >>> +	case ARM64_SSBD_FORCE_ENABLE:

> >>> +		if (cpus_have_cap(ARM64_SSBS))

> >>> +			return sprintf(buf, "Not affected\n");

> >>> +		return sprintf(buf,

> >>> +			"Mitigation: Speculative Store Bypass disabled\n");

> >>

> >> NIT: To me this reads as the mitigation is disabled. Can we call it

> >> "Speculative Store Bypass Disable" (with a capital 'D' and without the

> >> 'd at the end)?

> > 

> > Whilst I agree that the strings are reasonably confusing (especially when

> > you pile on the double-negatives all the way up the stack!), we really

> > have no choice but to follow x86's lead with these strings.

> > 

> > I don't think it's worth forking the ABI in an attempt to make this clearer.

> 

> Ah, sorry I hadn't checked the x86 string - yes we should match that.


This is rather why I feel these strings are either a) useless or
b) should be documented somewhere.

Putting at least a skeleton document somewhere could be a good start,
and would require little effort.


What decisions do we expect userspace to make based on this information?

Cheers
---Dave

On Fri, Dec 14, 2018 at 11:28:16AM +0000, Dave Martin wrote:
> On Fri, Dec 14, 2018 at 10:41:42AM +0000, Steven Price wrote:

> > On 14/12/2018 10:36, Will Deacon wrote:

> > > On Fri, Dec 14, 2018 at 10:34:31AM +0000, Steven Price wrote:

> > >> On 06/12/2018 23:44, Jeremy Linton wrote:

> > >>> From: Mian Yousaf Kaukab <ykaukab@suse.de>

> > >>>

> > >>> Return status based no ssbd_state and the arm64 SSBS feature.

> > >>                       ^^ on

> > >>

> > >>> Return string "Unknown" in case CONFIG_ARM64_SSBD is

> > >>> disabled or arch workaround2 is not available

> > >>> in the firmware.

> > >>>

> > >>> Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>

> > >>> [Added SSBS logic]

> > >>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

> > >>> ---

> > >>>  arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++

> > >>>  1 file changed, 28 insertions(+)

> > >>>

> > >>> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c

> > >>> index 6505c93d507e..8aeb5ca38db8 100644

> > >>> --- a/arch/arm64/kernel/cpu_errata.c

> > >>> +++ b/arch/arm64/kernel/cpu_errata.c

> > >>> @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry,

> > >>>  		ssbd_state = ARM64_SSBD_UNKNOWN;

> > >>>  		return false;

> > >>>  

> > >>> +	/* machines with mixed mitigation requirements must not return this */

> > >>>  	case SMCCC_RET_NOT_REQUIRED:

> > >>>  		pr_info_once("%s mitigation not required\n", entry->desc);

> > >>>  		ssbd_state = ARM64_SSBD_MITIGATED;

> > >>> @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,

> > >>>  	}

> > >>>  }

> > >>>  

> > >>> +ssize_t cpu_show_spec_store_bypass(struct device *dev,

> > >>> +		struct device_attribute *attr, char *buf)

> > >>> +{

> > >>> +	/*

> > >>> +	 *  Two assumptions: First, get_ssbd_state() reflects the worse case

> > >>> +	 *  for hetrogenous machines, and that if SSBS is supported its

> > >>                                                   ^^^^ SSBD

> > >>> +	 *  supported by all cores.

> > >>> +	 */

> > >>> +	switch (arm64_get_ssbd_state()) {

> > >>> +	case ARM64_SSBD_MITIGATED:

> > >>> +		return sprintf(buf, "Not affected\n");

> > >>> +

> > >>> +	case ARM64_SSBD_KERNEL:

> > >>> +	case ARM64_SSBD_FORCE_ENABLE:

> > >>> +		if (cpus_have_cap(ARM64_SSBS))

> > >>> +			return sprintf(buf, "Not affected\n");

> > >>> +		return sprintf(buf,

> > >>> +			"Mitigation: Speculative Store Bypass disabled\n");

> > >>

> > >> NIT: To me this reads as the mitigation is disabled. Can we call it

> > >> "Speculative Store Bypass Disable" (with a capital 'D' and without the

> > >> 'd at the end)?

> > > 

> > > Whilst I agree that the strings are reasonably confusing (especially when

> > > you pile on the double-negatives all the way up the stack!), we really

> > > have no choice but to follow x86's lead with these strings.

> > > 

> > > I don't think it's worth forking the ABI in an attempt to make this clearer.

> > 

> > Ah, sorry I hadn't checked the x86 string - yes we should match that.

> 

> This is rather why I feel these strings are either a) useless or

> b) should be documented somewhere.

> 

> Putting at least a skeleton document somewhere could be a good start,

> and would require little effort.

> 

> 

> What decisions do we expect userspace to make based on this information?


There's at least one tool that parses this stuff to tell you whether you
have/need the mitigations:

https://github.com/speed47/spectre-meltdown-checker

Will