[v3,4/7] arm64: add sysfs vulnerability show for meltdown

Message ID 20190109235544.2992426-5-jeremy.linton@arm.com
State New
Headers show
Series
  • arm64: add system vulnerability sysfs entries
Related show

Commit Message

Jeremy Linton Jan. 9, 2019, 11:55 p.m.
Display the mitigation status if active, otherwise
assume the cpu is safe unless it doesn't have CSV3
and isn't in our whitelist.

Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

---
 arch/arm64/kernel/cpufeature.c | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

-- 
2.17.2

Comments

Julien Thierry Jan. 10, 2019, 9:23 a.m. | #1
Hi Jeremy,

On 09/01/2019 23:55, Jeremy Linton wrote:
> Display the mitigation status if active, otherwise

> assume the cpu is safe unless it doesn't have CSV3

> and isn't in our whitelist.

> 

> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

> ---

>  arch/arm64/kernel/cpufeature.c | 32 +++++++++++++++++++++++++++-----

>  1 file changed, 27 insertions(+), 5 deletions(-)

> 

> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c

> index ab784d7a0083..ef7bbc49ef78 100644

> --- a/arch/arm64/kernel/cpufeature.c

> +++ b/arch/arm64/kernel/cpufeature.c

> @@ -944,8 +944,12 @@ has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope)

>  	return has_cpuid_feature(entry, scope);

>  }

>  

> +/* default value is invalid until unmap_kernel_at_el0() runs */

> +static bool __meltdown_safe = true;

> +

>  #ifdef CONFIG_UNMAP_KERNEL_AT_EL0

>  static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */

> +extern uint arm64_requested_vuln_attrs;

>  

>  static bool is_cpu_meltdown_safe(void)

>  {

> @@ -972,6 +976,14 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>  {

>  	char const *str = "command line option";

>  

> +	bool meltdown_safe = is_cpu_meltdown_safe() ||

> +		has_cpuid_feature(entry, scope);

> +

> +	if (!meltdown_safe)

> +		__meltdown_safe = false;

> +

> +	arm64_requested_vuln_attrs |= VULN_MELTDOWN;

> +

>  	/*

>  	 * For reasons that aren't entirely clear, enabling KPTI on Cavium

>  	 * ThunderX leads to apparent I-cache corruption of kernel text, which

> @@ -993,11 +1005,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>  	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))

>  		return true;

>  

> -	if (is_cpu_meltdown_safe())

> -		return false;

> -

> -	/* Defer to CPU feature registers */

> -	return !has_cpuid_feature(entry, scope);

> +	return !meltdown_safe;

>  }

>  

>  static void

> @@ -2065,3 +2073,17 @@ static int __init enable_mrs_emulation(void)

>  }

>  

>  core_initcall(enable_mrs_emulation);

> +

> +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES

> +ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,

> +		char *buf)

> +{

> +	if (arm64_kernel_unmapped_at_el0())

> +		return sprintf(buf, "Mitigation: KPTI\n");

> +

> +	if (__meltdown_safe)

> +		return sprintf(buf, "Not affected\n");


An issue I see is that we don't even bother to check it that CPUs are
meltdown safe if CONFIG_UNMAP_KERNEL_AT_EL0 is not defined but here
we'll advertise that the system is meltdown safe.

I think that checking whether we know that CPUs are meltdown safe should
be separated from whether mitigation is applied.

Someone who knows thinks their CPUs are in the white list might want to
compile out code that does the kpti, but it would be good to give them a
proper diagnostic whether they were wrong or not.

Cheers,

-- 
Julien Thierry
Jeremy Linton Jan. 10, 2019, 2:10 p.m. | #2
Hi Julien,

On 01/10/2019 03:23 AM, Julien Thierry wrote:
> Hi Jeremy,

> 

> On 09/01/2019 23:55, Jeremy Linton wrote:

>> Display the mitigation status if active, otherwise

>> assume the cpu is safe unless it doesn't have CSV3

>> and isn't in our whitelist.

>>

>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

>> ---

>>   arch/arm64/kernel/cpufeature.c | 32 +++++++++++++++++++++++++++-----

>>   1 file changed, 27 insertions(+), 5 deletions(-)

>>

>> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c

>> index ab784d7a0083..ef7bbc49ef78 100644

>> --- a/arch/arm64/kernel/cpufeature.c

>> +++ b/arch/arm64/kernel/cpufeature.c

>> @@ -944,8 +944,12 @@ has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope)

>>   	return has_cpuid_feature(entry, scope);

>>   }

>>   

>> +/* default value is invalid until unmap_kernel_at_el0() runs */

>> +static bool __meltdown_safe = true;

>> +

>>   #ifdef CONFIG_UNMAP_KERNEL_AT_EL0

>>   static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */

>> +extern uint arm64_requested_vuln_attrs;

>>   

>>   static bool is_cpu_meltdown_safe(void)

>>   {

>> @@ -972,6 +976,14 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>>   {

>>   	char const *str = "command line option";

>>   

>> +	bool meltdown_safe = is_cpu_meltdown_safe() ||

>> +		has_cpuid_feature(entry, scope);

>> +

>> +	if (!meltdown_safe)

>> +		__meltdown_safe = false;

>> +

>> +	arm64_requested_vuln_attrs |= VULN_MELTDOWN;

>> +

>>   	/*

>>   	 * For reasons that aren't entirely clear, enabling KPTI on Cavium

>>   	 * ThunderX leads to apparent I-cache corruption of kernel text, which

>> @@ -993,11 +1005,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,

>>   	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))

>>   		return true;

>>   

>> -	if (is_cpu_meltdown_safe())

>> -		return false;

>> -

>> -	/* Defer to CPU feature registers */

>> -	return !has_cpuid_feature(entry, scope);

>> +	return !meltdown_safe;

>>   }

>>   

>>   static void

>> @@ -2065,3 +2073,17 @@ static int __init enable_mrs_emulation(void)

>>   }

>>   

>>   core_initcall(enable_mrs_emulation);

>> +

>> +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES

>> +ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,

>> +		char *buf)

>> +{

>> +	if (arm64_kernel_unmapped_at_el0())

>> +		return sprintf(buf, "Mitigation: KPTI\n");

>> +

>> +	if (__meltdown_safe)

>> +		return sprintf(buf, "Not affected\n");

> 

> An issue I see is that we don't even bother to check it that CPUs are

> meltdown safe if CONFIG_UNMAP_KERNEL_AT_EL0 is not defined but here

> we'll advertise that the system is meltdown safe.


That check isn't necessary anymore because the sysfs attribute is only 
populated if unmap_kernel_at_el0() runs (assuming I haven't messed 
something up). That was Dave/Will's suggestions in the last thread about 
how to handle this case.



> 

> I think that checking whether we know that CPUs are meltdown safe should

> be separated from whether mitigation is applied.

> 

> Someone who knows thinks their CPUs are in the white list might want to

> compile out code that does the kpti, but it would be good to give them a

> proper diagnostic whether they were wrong or not.

> 

> Cheers,

>
Julien Thierry Jan. 10, 2019, 2:16 p.m. | #3
On 10/01/2019 14:10, Jeremy Linton wrote:
> Hi Julien,

> 

> On 01/10/2019 03:23 AM, Julien Thierry wrote:

>> Hi Jeremy,

>>

>> On 09/01/2019 23:55, Jeremy Linton wrote:

>>> Display the mitigation status if active, otherwise

>>> assume the cpu is safe unless it doesn't have CSV3

>>> and isn't in our whitelist.

>>>

>>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>

>>> ---

>>>   arch/arm64/kernel/cpufeature.c | 32 +++++++++++++++++++++++++++-----

>>>   1 file changed, 27 insertions(+), 5 deletions(-)

>>>

>>> diff --git a/arch/arm64/kernel/cpufeature.c

>>> b/arch/arm64/kernel/cpufeature.c

>>> index ab784d7a0083..ef7bbc49ef78 100644

>>> --- a/arch/arm64/kernel/cpufeature.c

>>> +++ b/arch/arm64/kernel/cpufeature.c

>>> @@ -944,8 +944,12 @@ has_useable_cnp(const struct

>>> arm64_cpu_capabilities *entry, int scope)

>>>       return has_cpuid_feature(entry, scope);

>>>   }

>>>   +/* default value is invalid until unmap_kernel_at_el0() runs */

>>> +static bool __meltdown_safe = true;

>>> +

>>>   #ifdef CONFIG_UNMAP_KERNEL_AT_EL0

>>>   static int __kpti_forced; /* 0: not forced, >0: forced on, <0:

>>> forced off */

>>> +extern uint arm64_requested_vuln_attrs;

>>>     static bool is_cpu_meltdown_safe(void)

>>>   {

>>> @@ -972,6 +976,14 @@ static bool unmap_kernel_at_el0(const struct

>>> arm64_cpu_capabilities *entry,

>>>   {

>>>       char const *str = "command line option";

>>>   +    bool meltdown_safe = is_cpu_meltdown_safe() ||

>>> +        has_cpuid_feature(entry, scope);

>>> +

>>> +    if (!meltdown_safe)

>>> +        __meltdown_safe = false;

>>> +

>>> +    arm64_requested_vuln_attrs |= VULN_MELTDOWN;

>>> +

>>>       /*

>>>        * For reasons that aren't entirely clear, enabling KPTI on Cavium

>>>        * ThunderX leads to apparent I-cache corruption of kernel

>>> text, which

>>> @@ -993,11 +1005,7 @@ static bool unmap_kernel_at_el0(const struct

>>> arm64_cpu_capabilities *entry,

>>>       if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))

>>>           return true;

>>>   -    if (is_cpu_meltdown_safe())

>>> -        return false;

>>> -

>>> -    /* Defer to CPU feature registers */

>>> -    return !has_cpuid_feature(entry, scope);

>>> +    return !meltdown_safe;

>>>   }

>>>     static void

>>> @@ -2065,3 +2073,17 @@ static int __init enable_mrs_emulation(void)

>>>   }

>>>     core_initcall(enable_mrs_emulation);

>>> +

>>> +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES

>>> +ssize_t cpu_show_meltdown(struct device *dev, struct

>>> device_attribute *attr,

>>> +        char *buf)

>>> +{

>>> +    if (arm64_kernel_unmapped_at_el0())

>>> +        return sprintf(buf, "Mitigation: KPTI\n");

>>> +

>>> +    if (__meltdown_safe)

>>> +        return sprintf(buf, "Not affected\n");

>>

>> An issue I see is that we don't even bother to check it that CPUs are

>> meltdown safe if CONFIG_UNMAP_KERNEL_AT_EL0 is not defined but here

>> we'll advertise that the system is meltdown safe.

> 

> That check isn't necessary anymore because the sysfs attribute is only

> populated if unmap_kernel_at_el0() runs (assuming I haven't messed

> something up). That was Dave/Will's suggestions in the last thread about

> how to handle this case.

> 


Oh right, I missed that bit. Sorry for the noise.

>>

>> I think that checking whether we know that CPUs are meltdown safe should

>> be separated from whether mitigation is applied.

>>

>> Someone who knows thinks their CPUs are in the white list might want to

>> compile out code that does the kpti, but it would be good to give them a

>> proper diagnostic whether they were wrong or not.

>>

>> Cheers,

>>

> 


-- 
Julien Thierry

Patch

diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index ab784d7a0083..ef7bbc49ef78 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -944,8 +944,12 @@  has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope)
 	return has_cpuid_feature(entry, scope);
 }
 
+/* default value is invalid until unmap_kernel_at_el0() runs */
+static bool __meltdown_safe = true;
+
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
 static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */
+extern uint arm64_requested_vuln_attrs;
 
 static bool is_cpu_meltdown_safe(void)
 {
@@ -972,6 +976,14 @@  static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
 {
 	char const *str = "command line option";
 
+	bool meltdown_safe = is_cpu_meltdown_safe() ||
+		has_cpuid_feature(entry, scope);
+
+	if (!meltdown_safe)
+		__meltdown_safe = false;
+
+	arm64_requested_vuln_attrs |= VULN_MELTDOWN;
+
 	/*
 	 * For reasons that aren't entirely clear, enabling KPTI on Cavium
 	 * ThunderX leads to apparent I-cache corruption of kernel text, which
@@ -993,11 +1005,7 @@  static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
 	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
 		return true;
 
-	if (is_cpu_meltdown_safe())
-		return false;
-
-	/* Defer to CPU feature registers */
-	return !has_cpuid_feature(entry, scope);
+	return !meltdown_safe;
 }
 
 static void
@@ -2065,3 +2073,17 @@  static int __init enable_mrs_emulation(void)
 }
 
 core_initcall(enable_mrs_emulation);
+
+#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES
+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,
+		char *buf)
+{
+	if (arm64_kernel_unmapped_at_el0())
+		return sprintf(buf, "Mitigation: KPTI\n");
+
+	if (__meltdown_safe)
+		return sprintf(buf, "Not affected\n");
+
+	return sprintf(buf, "Vulnerable\n");
+}
+#endif