Message ID | 20181206234408.1287689-6-jeremy.linton@arm.com |
---|---|
State | Superseded |
Headers | show |
Series | add system vulnerability sysfs entries | expand |
On 06/12/2018 23:44, Jeremy Linton wrote: > From: Mian Yousaf Kaukab <ykaukab@suse.de> > > Return status based no ssbd_state and the arm64 SSBS feature. ^^ on > Return string "Unknown" in case CONFIG_ARM64_SSBD is > disabled or arch workaround2 is not available > in the firmware. > > Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de> > [Added SSBS logic] > Signed-off-by: Jeremy Linton <jeremy.linton@arm.com> > --- > arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++ > 1 file changed, 28 insertions(+) > > diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c > index 6505c93d507e..8aeb5ca38db8 100644 > --- a/arch/arm64/kernel/cpu_errata.c > +++ b/arch/arm64/kernel/cpu_errata.c > @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry, > ssbd_state = ARM64_SSBD_UNKNOWN; > return false; > > + /* machines with mixed mitigation requirements must not return this */ > case SMCCC_RET_NOT_REQUIRED: > pr_info_once("%s mitigation not required\n", entry->desc); > ssbd_state = ARM64_SSBD_MITIGATED; > @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, > } > } > > +ssize_t cpu_show_spec_store_bypass(struct device *dev, > + struct device_attribute *attr, char *buf) > +{ > + /* > + * Two assumptions: First, get_ssbd_state() reflects the worse case > + * for hetrogenous machines, and that if SSBS is supported its ^^^^ SSBD > + * supported by all cores. > + */ > + switch (arm64_get_ssbd_state()) { > + case ARM64_SSBD_MITIGATED: > + return sprintf(buf, "Not affected\n"); > + > + case ARM64_SSBD_KERNEL: > + case ARM64_SSBD_FORCE_ENABLE: > + if (cpus_have_cap(ARM64_SSBS)) > + return sprintf(buf, "Not affected\n"); > + return sprintf(buf, > + "Mitigation: Speculative Store Bypass disabled\n"); NIT: To me this reads as the mitigation is disabled. Can we call it "Speculative Store Bypass Disable" (with a capital 'D' and without the 'd at the end)? Steve > + > + case ARM64_SSBD_FORCE_DISABLE: > + return sprintf(buf, "Vulnerable\n"); > + > + default: /* ARM64_SSBD_UNKNOWN*/ > + return sprintf(buf, "Unknown\n"); > + } > +} > + > #endif >
On Fri, Dec 14, 2018 at 10:34:31AM +0000, Steven Price wrote: > On 06/12/2018 23:44, Jeremy Linton wrote: > > From: Mian Yousaf Kaukab <ykaukab@suse.de> > > > > Return status based no ssbd_state and the arm64 SSBS feature. > ^^ on > > > Return string "Unknown" in case CONFIG_ARM64_SSBD is > > disabled or arch workaround2 is not available > > in the firmware. > > > > Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de> > > [Added SSBS logic] > > Signed-off-by: Jeremy Linton <jeremy.linton@arm.com> > > --- > > arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++ > > 1 file changed, 28 insertions(+) > > > > diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c > > index 6505c93d507e..8aeb5ca38db8 100644 > > --- a/arch/arm64/kernel/cpu_errata.c > > +++ b/arch/arm64/kernel/cpu_errata.c > > @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry, > > ssbd_state = ARM64_SSBD_UNKNOWN; > > return false; > > > > + /* machines with mixed mitigation requirements must not return this */ > > case SMCCC_RET_NOT_REQUIRED: > > pr_info_once("%s mitigation not required\n", entry->desc); > > ssbd_state = ARM64_SSBD_MITIGATED; > > @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, > > } > > } > > > > +ssize_t cpu_show_spec_store_bypass(struct device *dev, > > + struct device_attribute *attr, char *buf) > > +{ > > + /* > > + * Two assumptions: First, get_ssbd_state() reflects the worse case > > + * for hetrogenous machines, and that if SSBS is supported its > ^^^^ SSBD > > + * supported by all cores. > > + */ > > + switch (arm64_get_ssbd_state()) { > > + case ARM64_SSBD_MITIGATED: > > + return sprintf(buf, "Not affected\n"); > > + > > + case ARM64_SSBD_KERNEL: > > + case ARM64_SSBD_FORCE_ENABLE: > > + if (cpus_have_cap(ARM64_SSBS)) > > + return sprintf(buf, "Not affected\n"); > > + return sprintf(buf, > > + "Mitigation: Speculative Store Bypass disabled\n"); > > NIT: To me this reads as the mitigation is disabled. Can we call it > "Speculative Store Bypass Disable" (with a capital 'D' and without the > 'd at the end)? Whilst I agree that the strings are reasonably confusing (especially when you pile on the double-negatives all the way up the stack!), we really have no choice but to follow x86's lead with these strings. I don't think it's worth forking the ABI in an attempt to make this clearer. Will
On 14/12/2018 10:36, Will Deacon wrote: > On Fri, Dec 14, 2018 at 10:34:31AM +0000, Steven Price wrote: >> On 06/12/2018 23:44, Jeremy Linton wrote: >>> From: Mian Yousaf Kaukab <ykaukab@suse.de> >>> >>> Return status based no ssbd_state and the arm64 SSBS feature. >> ^^ on >> >>> Return string "Unknown" in case CONFIG_ARM64_SSBD is >>> disabled or arch workaround2 is not available >>> in the firmware. >>> >>> Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de> >>> [Added SSBS logic] >>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com> >>> --- >>> arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++ >>> 1 file changed, 28 insertions(+) >>> >>> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c >>> index 6505c93d507e..8aeb5ca38db8 100644 >>> --- a/arch/arm64/kernel/cpu_errata.c >>> +++ b/arch/arm64/kernel/cpu_errata.c >>> @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry, >>> ssbd_state = ARM64_SSBD_UNKNOWN; >>> return false; >>> >>> + /* machines with mixed mitigation requirements must not return this */ >>> case SMCCC_RET_NOT_REQUIRED: >>> pr_info_once("%s mitigation not required\n", entry->desc); >>> ssbd_state = ARM64_SSBD_MITIGATED; >>> @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, >>> } >>> } >>> >>> +ssize_t cpu_show_spec_store_bypass(struct device *dev, >>> + struct device_attribute *attr, char *buf) >>> +{ >>> + /* >>> + * Two assumptions: First, get_ssbd_state() reflects the worse case >>> + * for hetrogenous machines, and that if SSBS is supported its >> ^^^^ SSBD >>> + * supported by all cores. >>> + */ >>> + switch (arm64_get_ssbd_state()) { >>> + case ARM64_SSBD_MITIGATED: >>> + return sprintf(buf, "Not affected\n"); >>> + >>> + case ARM64_SSBD_KERNEL: >>> + case ARM64_SSBD_FORCE_ENABLE: >>> + if (cpus_have_cap(ARM64_SSBS)) >>> + return sprintf(buf, "Not affected\n"); >>> + return sprintf(buf, >>> + "Mitigation: Speculative Store Bypass disabled\n"); >> >> NIT: To me this reads as the mitigation is disabled. Can we call it >> "Speculative Store Bypass Disable" (with a capital 'D' and without the >> 'd at the end)? > > Whilst I agree that the strings are reasonably confusing (especially when > you pile on the double-negatives all the way up the stack!), we really > have no choice but to follow x86's lead with these strings. > > I don't think it's worth forking the ABI in an attempt to make this clearer. Ah, sorry I hadn't checked the x86 string - yes we should match that. Steve > Will > > _______________________________________________ > linux-arm-kernel mailing list > linux-arm-kernel@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-arm-kernel >
On Fri, Dec 14, 2018 at 10:41:42AM +0000, Steven Price wrote: > On 14/12/2018 10:36, Will Deacon wrote: > > On Fri, Dec 14, 2018 at 10:34:31AM +0000, Steven Price wrote: > >> On 06/12/2018 23:44, Jeremy Linton wrote: > >>> From: Mian Yousaf Kaukab <ykaukab@suse.de> > >>> > >>> Return status based no ssbd_state and the arm64 SSBS feature. > >> ^^ on > >> > >>> Return string "Unknown" in case CONFIG_ARM64_SSBD is > >>> disabled or arch workaround2 is not available > >>> in the firmware. > >>> > >>> Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de> > >>> [Added SSBS logic] > >>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com> > >>> --- > >>> arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++ > >>> 1 file changed, 28 insertions(+) > >>> > >>> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c > >>> index 6505c93d507e..8aeb5ca38db8 100644 > >>> --- a/arch/arm64/kernel/cpu_errata.c > >>> +++ b/arch/arm64/kernel/cpu_errata.c > >>> @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry, > >>> ssbd_state = ARM64_SSBD_UNKNOWN; > >>> return false; > >>> > >>> + /* machines with mixed mitigation requirements must not return this */ > >>> case SMCCC_RET_NOT_REQUIRED: > >>> pr_info_once("%s mitigation not required\n", entry->desc); > >>> ssbd_state = ARM64_SSBD_MITIGATED; > >>> @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, > >>> } > >>> } > >>> > >>> +ssize_t cpu_show_spec_store_bypass(struct device *dev, > >>> + struct device_attribute *attr, char *buf) > >>> +{ > >>> + /* > >>> + * Two assumptions: First, get_ssbd_state() reflects the worse case > >>> + * for hetrogenous machines, and that if SSBS is supported its > >> ^^^^ SSBD > >>> + * supported by all cores. > >>> + */ > >>> + switch (arm64_get_ssbd_state()) { > >>> + case ARM64_SSBD_MITIGATED: > >>> + return sprintf(buf, "Not affected\n"); > >>> + > >>> + case ARM64_SSBD_KERNEL: > >>> + case ARM64_SSBD_FORCE_ENABLE: > >>> + if (cpus_have_cap(ARM64_SSBS)) > >>> + return sprintf(buf, "Not affected\n"); > >>> + return sprintf(buf, > >>> + "Mitigation: Speculative Store Bypass disabled\n"); > >> > >> NIT: To me this reads as the mitigation is disabled. Can we call it > >> "Speculative Store Bypass Disable" (with a capital 'D' and without the > >> 'd at the end)? > > > > Whilst I agree that the strings are reasonably confusing (especially when > > you pile on the double-negatives all the way up the stack!), we really > > have no choice but to follow x86's lead with these strings. > > > > I don't think it's worth forking the ABI in an attempt to make this clearer. > > Ah, sorry I hadn't checked the x86 string - yes we should match that. This is rather why I feel these strings are either a) useless or b) should be documented somewhere. Putting at least a skeleton document somewhere could be a good start, and would require little effort. What decisions do we expect userspace to make based on this information? Cheers ---Dave
On Fri, Dec 14, 2018 at 11:28:16AM +0000, Dave Martin wrote: > On Fri, Dec 14, 2018 at 10:41:42AM +0000, Steven Price wrote: > > On 14/12/2018 10:36, Will Deacon wrote: > > > On Fri, Dec 14, 2018 at 10:34:31AM +0000, Steven Price wrote: > > >> On 06/12/2018 23:44, Jeremy Linton wrote: > > >>> From: Mian Yousaf Kaukab <ykaukab@suse.de> > > >>> > > >>> Return status based no ssbd_state and the arm64 SSBS feature. > > >> ^^ on > > >> > > >>> Return string "Unknown" in case CONFIG_ARM64_SSBD is > > >>> disabled or arch workaround2 is not available > > >>> in the firmware. > > >>> > > >>> Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de> > > >>> [Added SSBS logic] > > >>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com> > > >>> --- > > >>> arch/arm64/kernel/cpu_errata.c | 28 ++++++++++++++++++++++++++++ > > >>> 1 file changed, 28 insertions(+) > > >>> > > >>> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c > > >>> index 6505c93d507e..8aeb5ca38db8 100644 > > >>> --- a/arch/arm64/kernel/cpu_errata.c > > >>> +++ b/arch/arm64/kernel/cpu_errata.c > > >>> @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry, > > >>> ssbd_state = ARM64_SSBD_UNKNOWN; > > >>> return false; > > >>> > > >>> + /* machines with mixed mitigation requirements must not return this */ > > >>> case SMCCC_RET_NOT_REQUIRED: > > >>> pr_info_once("%s mitigation not required\n", entry->desc); > > >>> ssbd_state = ARM64_SSBD_MITIGATED; > > >>> @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, > > >>> } > > >>> } > > >>> > > >>> +ssize_t cpu_show_spec_store_bypass(struct device *dev, > > >>> + struct device_attribute *attr, char *buf) > > >>> +{ > > >>> + /* > > >>> + * Two assumptions: First, get_ssbd_state() reflects the worse case > > >>> + * for hetrogenous machines, and that if SSBS is supported its > > >> ^^^^ SSBD > > >>> + * supported by all cores. > > >>> + */ > > >>> + switch (arm64_get_ssbd_state()) { > > >>> + case ARM64_SSBD_MITIGATED: > > >>> + return sprintf(buf, "Not affected\n"); > > >>> + > > >>> + case ARM64_SSBD_KERNEL: > > >>> + case ARM64_SSBD_FORCE_ENABLE: > > >>> + if (cpus_have_cap(ARM64_SSBS)) > > >>> + return sprintf(buf, "Not affected\n"); > > >>> + return sprintf(buf, > > >>> + "Mitigation: Speculative Store Bypass disabled\n"); > > >> > > >> NIT: To me this reads as the mitigation is disabled. Can we call it > > >> "Speculative Store Bypass Disable" (with a capital 'D' and without the > > >> 'd at the end)? > > > > > > Whilst I agree that the strings are reasonably confusing (especially when > > > you pile on the double-negatives all the way up the stack!), we really > > > have no choice but to follow x86's lead with these strings. > > > > > > I don't think it's worth forking the ABI in an attempt to make this clearer. > > > > Ah, sorry I hadn't checked the x86 string - yes we should match that. > > This is rather why I feel these strings are either a) useless or > b) should be documented somewhere. > > Putting at least a skeleton document somewhere could be a good start, > and would require little effort. > > > What decisions do we expect userspace to make based on this information? There's at least one tool that parses this stuff to tell you whether you have/need the mitigations: https://github.com/speed47/spectre-meltdown-checker Will
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c index 6505c93d507e..8aeb5ca38db8 100644 --- a/arch/arm64/kernel/cpu_errata.c +++ b/arch/arm64/kernel/cpu_errata.c @@ -423,6 +423,7 @@ static bool has_ssbd_mitigation(const struct arm64_cpu_capabilities *entry, ssbd_state = ARM64_SSBD_UNKNOWN; return false; + /* machines with mixed mitigation requirements must not return this */ case SMCCC_RET_NOT_REQUIRED: pr_info_once("%s mitigation not required\n", entry->desc); ssbd_state = ARM64_SSBD_MITIGATED; @@ -828,4 +829,31 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, } } +ssize_t cpu_show_spec_store_bypass(struct device *dev, + struct device_attribute *attr, char *buf) +{ + /* + * Two assumptions: First, get_ssbd_state() reflects the worse case + * for hetrogenous machines, and that if SSBS is supported its + * supported by all cores. + */ + switch (arm64_get_ssbd_state()) { + case ARM64_SSBD_MITIGATED: + return sprintf(buf, "Not affected\n"); + + case ARM64_SSBD_KERNEL: + case ARM64_SSBD_FORCE_ENABLE: + if (cpus_have_cap(ARM64_SSBS)) + return sprintf(buf, "Not affected\n"); + return sprintf(buf, + "Mitigation: Speculative Store Bypass disabled\n"); + + case ARM64_SSBD_FORCE_DISABLE: + return sprintf(buf, "Vulnerable\n"); + + default: /* ARM64_SSBD_UNKNOWN*/ + return sprintf(buf, "Unknown\n"); + } +} + #endif