xref: /linux/arch/arm64/kernel/proton-pack.c (revision 5d2d4a9f603a47403395408f64b1261ca61f6d50)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Handle detection, reporting and mitigation of Spectre v1, v2, v3a and v4, as
4  * detailed at:
5  *
6  *   https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
7  *
8  * This code was originally written hastily under an awful lot of stress and so
9  * aspects of it are somewhat hacky. Unfortunately, changing anything in here
10  * instantly makes me feel ill. Thanks, Jann. Thann.
11  *
12  * Copyright (C) 2018 ARM Ltd, All Rights Reserved.
13  * Copyright (C) 2020 Google LLC
14  *
15  * "If there's something strange in your neighbourhood, who you gonna call?"
16  *
17  * Authors: Will Deacon <will@kernel.org> and Marc Zyngier <maz@kernel.org>
18  */
19 
20 #include <linux/arm-smccc.h>
21 #include <linux/bpf.h>
22 #include <linux/cpu.h>
23 #include <linux/device.h>
24 #include <linux/nospec.h>
25 #include <linux/prctl.h>
26 #include <linux/sched/task_stack.h>
27 
28 #include <asm/debug-monitors.h>
29 #include <asm/insn.h>
30 #include <asm/spectre.h>
31 #include <asm/traps.h>
32 #include <asm/vectors.h>
33 #include <asm/virt.h>
34 
35 /*
36  * We try to ensure that the mitigation state can never change as the result of
37  * onlining a late CPU.
38  */
39 static void update_mitigation_state(enum mitigation_state *oldp,
40 				    enum mitigation_state new)
41 {
42 	enum mitigation_state state;
43 
44 	do {
45 		state = READ_ONCE(*oldp);
46 		if (new <= state)
47 			break;
48 
49 		/* Userspace almost certainly can't deal with this. */
50 		if (WARN_ON(system_capabilities_finalized()))
51 			break;
52 	} while (cmpxchg_relaxed(oldp, state, new) != state);
53 }
54 
55 /*
56  * Spectre v1.
57  *
58  * The kernel can't protect userspace for this one: it's each person for
59  * themselves. Advertise what we're doing and be done with it.
60  */
61 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr,
62 			    char *buf)
63 {
64 	return sprintf(buf, "Mitigation: __user pointer sanitization\n");
65 }
66 
67 /*
68  * Spectre v2.
69  *
70  * This one sucks. A CPU is either:
71  *
72  * - Mitigated in hardware and advertised by ID_AA64PFR0_EL1.CSV2.
73  * - Mitigated in hardware and listed in our "safe list".
74  * - Mitigated in software by firmware.
75  * - Mitigated in software by a CPU-specific dance in the kernel and a
76  *   firmware call at EL2.
77  * - Vulnerable.
78  *
79  * It's not unlikely for different CPUs in a big.LITTLE system to fall into
80  * different camps.
81  */
82 static enum mitigation_state spectre_v2_state;
83 
84 static bool __read_mostly __nospectre_v2;
85 static int __init parse_spectre_v2_param(char *str)
86 {
87 	__nospectre_v2 = true;
88 	return 0;
89 }
90 early_param("nospectre_v2", parse_spectre_v2_param);
91 
92 static bool spectre_v2_mitigations_off(void)
93 {
94 	bool ret = __nospectre_v2 || cpu_mitigations_off();
95 
96 	if (ret)
97 		pr_info_once("spectre-v2 mitigation disabled by command line option\n");
98 
99 	return ret;
100 }
101 
102 static const char *get_bhb_affected_string(enum mitigation_state bhb_state)
103 {
104 	switch (bhb_state) {
105 	case SPECTRE_UNAFFECTED:
106 		return "";
107 	default:
108 	case SPECTRE_VULNERABLE:
109 		return ", but not BHB";
110 	case SPECTRE_MITIGATED:
111 		return ", BHB";
112 	}
113 }
114 
115 static bool _unprivileged_ebpf_enabled(void)
116 {
117 #ifdef CONFIG_BPF_SYSCALL
118 	return !sysctl_unprivileged_bpf_disabled;
119 #else
120 	return false;
121 #endif
122 }
123 
124 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,
125 			    char *buf)
126 {
127 	enum mitigation_state bhb_state = arm64_get_spectre_bhb_state();
128 	const char *bhb_str = get_bhb_affected_string(bhb_state);
129 	const char *v2_str = "Branch predictor hardening";
130 
131 	switch (spectre_v2_state) {
132 	case SPECTRE_UNAFFECTED:
133 		if (bhb_state == SPECTRE_UNAFFECTED)
134 			return sprintf(buf, "Not affected\n");
135 
136 		/*
137 		 * Platforms affected by Spectre-BHB can't report
138 		 * "Not affected" for Spectre-v2.
139 		 */
140 		v2_str = "CSV2";
141 		fallthrough;
142 	case SPECTRE_MITIGATED:
143 		if (bhb_state == SPECTRE_MITIGATED && _unprivileged_ebpf_enabled())
144 			return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
145 
146 		return sprintf(buf, "Mitigation: %s%s\n", v2_str, bhb_str);
147 	case SPECTRE_VULNERABLE:
148 		fallthrough;
149 	default:
150 		return sprintf(buf, "Vulnerable\n");
151 	}
152 }
153 
154 static enum mitigation_state spectre_v2_get_cpu_hw_mitigation_state(void)
155 {
156 	u64 pfr0;
157 	static const struct midr_range spectre_v2_safe_list[] = {
158 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
159 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
160 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
161 		MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
162 		MIDR_ALL_VERSIONS(MIDR_HISI_TSV110),
163 		MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_2XX_SILVER),
164 		MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_3XX_SILVER),
165 		MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER),
166 		{ /* sentinel */ }
167 	};
168 
169 	/* If the CPU has CSV2 set, we're safe */
170 	pfr0 = read_cpuid(ID_AA64PFR0_EL1);
171 	if (cpuid_feature_extract_unsigned_field(pfr0, ID_AA64PFR0_EL1_CSV2_SHIFT))
172 		return SPECTRE_UNAFFECTED;
173 
174 	/* Alternatively, we have a list of unaffected CPUs */
175 	if (is_midr_in_range_list(read_cpuid_id(), spectre_v2_safe_list))
176 		return SPECTRE_UNAFFECTED;
177 
178 	return SPECTRE_VULNERABLE;
179 }
180 
181 static enum mitigation_state spectre_v2_get_cpu_fw_mitigation_state(void)
182 {
183 	int ret;
184 	struct arm_smccc_res res;
185 
186 	arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
187 			     ARM_SMCCC_ARCH_WORKAROUND_1, &res);
188 
189 	ret = res.a0;
190 	switch (ret) {
191 	case SMCCC_RET_SUCCESS:
192 		return SPECTRE_MITIGATED;
193 	case SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED:
194 		return SPECTRE_UNAFFECTED;
195 	default:
196 		fallthrough;
197 	case SMCCC_RET_NOT_SUPPORTED:
198 		return SPECTRE_VULNERABLE;
199 	}
200 }
201 
202 bool has_spectre_v2(const struct arm64_cpu_capabilities *entry, int scope)
203 {
204 	WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible());
205 
206 	if (spectre_v2_get_cpu_hw_mitigation_state() == SPECTRE_UNAFFECTED)
207 		return false;
208 
209 	if (spectre_v2_get_cpu_fw_mitigation_state() == SPECTRE_UNAFFECTED)
210 		return false;
211 
212 	return true;
213 }
214 
215 enum mitigation_state arm64_get_spectre_v2_state(void)
216 {
217 	return spectre_v2_state;
218 }
219 
220 DEFINE_PER_CPU_READ_MOSTLY(struct bp_hardening_data, bp_hardening_data);
221 
222 static void install_bp_hardening_cb(bp_hardening_cb_t fn)
223 {
224 	__this_cpu_write(bp_hardening_data.fn, fn);
225 
226 	/*
227 	 * Vinz Clortho takes the hyp_vecs start/end "keys" at
228 	 * the door when we're a guest. Skip the hyp-vectors work.
229 	 */
230 	if (!is_hyp_mode_available())
231 		return;
232 
233 	__this_cpu_write(bp_hardening_data.slot, HYP_VECTOR_SPECTRE_DIRECT);
234 }
235 
236 /* Called during entry so must be noinstr */
237 static noinstr void call_smc_arch_workaround_1(void)
238 {
239 	arm_smccc_1_1_smc(ARM_SMCCC_ARCH_WORKAROUND_1, NULL);
240 }
241 
242 /* Called during entry so must be noinstr */
243 static noinstr void call_hvc_arch_workaround_1(void)
244 {
245 	arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_WORKAROUND_1, NULL);
246 }
247 
248 /* Called during entry so must be noinstr */
249 static noinstr void qcom_link_stack_sanitisation(void)
250 {
251 	u64 tmp;
252 
253 	asm volatile("mov	%0, x30		\n"
254 		     ".rept	16		\n"
255 		     "bl	. + 4		\n"
256 		     ".endr			\n"
257 		     "mov	x30, %0		\n"
258 		     : "=&r" (tmp));
259 }
260 
261 static bp_hardening_cb_t spectre_v2_get_sw_mitigation_cb(void)
262 {
263 	u32 midr = read_cpuid_id();
264 	if (((midr & MIDR_CPU_MODEL_MASK) != MIDR_QCOM_FALKOR) &&
265 	    ((midr & MIDR_CPU_MODEL_MASK) != MIDR_QCOM_FALKOR_V1))
266 		return NULL;
267 
268 	return qcom_link_stack_sanitisation;
269 }
270 
271 static enum mitigation_state spectre_v2_enable_fw_mitigation(void)
272 {
273 	bp_hardening_cb_t cb;
274 	enum mitigation_state state;
275 
276 	state = spectre_v2_get_cpu_fw_mitigation_state();
277 	if (state != SPECTRE_MITIGATED)
278 		return state;
279 
280 	if (spectre_v2_mitigations_off())
281 		return SPECTRE_VULNERABLE;
282 
283 	switch (arm_smccc_1_1_get_conduit()) {
284 	case SMCCC_CONDUIT_HVC:
285 		cb = call_hvc_arch_workaround_1;
286 		break;
287 
288 	case SMCCC_CONDUIT_SMC:
289 		cb = call_smc_arch_workaround_1;
290 		break;
291 
292 	default:
293 		return SPECTRE_VULNERABLE;
294 	}
295 
296 	/*
297 	 * Prefer a CPU-specific workaround if it exists. Note that we
298 	 * still rely on firmware for the mitigation at EL2.
299 	 */
300 	cb = spectre_v2_get_sw_mitigation_cb() ?: cb;
301 	install_bp_hardening_cb(cb);
302 	return SPECTRE_MITIGATED;
303 }
304 
305 void spectre_v2_enable_mitigation(const struct arm64_cpu_capabilities *__unused)
306 {
307 	enum mitigation_state state;
308 
309 	WARN_ON(preemptible());
310 
311 	state = spectre_v2_get_cpu_hw_mitigation_state();
312 	if (state == SPECTRE_VULNERABLE)
313 		state = spectre_v2_enable_fw_mitigation();
314 
315 	update_mitigation_state(&spectre_v2_state, state);
316 }
317 
318 /*
319  * Spectre-v3a.
320  *
321  * Phew, there's not an awful lot to do here! We just instruct EL2 to use
322  * an indirect trampoline for the hyp vectors so that guests can't read
323  * VBAR_EL2 to defeat randomisation of the hypervisor VA layout.
324  */
325 bool has_spectre_v3a(const struct arm64_cpu_capabilities *entry, int scope)
326 {
327 	static const struct midr_range spectre_v3a_unsafe_list[] = {
328 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
329 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
330 		{},
331 	};
332 
333 	WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible());
334 	return is_midr_in_range_list(read_cpuid_id(), spectre_v3a_unsafe_list);
335 }
336 
337 void spectre_v3a_enable_mitigation(const struct arm64_cpu_capabilities *__unused)
338 {
339 	struct bp_hardening_data *data = this_cpu_ptr(&bp_hardening_data);
340 
341 	if (this_cpu_has_cap(ARM64_SPECTRE_V3A))
342 		data->slot += HYP_VECTOR_INDIRECT;
343 }
344 
345 /*
346  * Spectre v4.
347  *
348  * If you thought Spectre v2 was nasty, wait until you see this mess. A CPU is
349  * either:
350  *
351  * - Mitigated in hardware and listed in our "safe list".
352  * - Mitigated in hardware via PSTATE.SSBS.
353  * - Mitigated in software by firmware (sometimes referred to as SSBD).
354  *
355  * Wait, that doesn't sound so bad, does it? Keep reading...
356  *
357  * A major source of headaches is that the software mitigation is enabled both
358  * on a per-task basis, but can also be forced on for the kernel, necessitating
359  * both context-switch *and* entry/exit hooks. To make it even worse, some CPUs
360  * allow EL0 to toggle SSBS directly, which can end up with the prctl() state
361  * being stale when re-entering the kernel. The usual big.LITTLE caveats apply,
362  * so you can have systems that have both firmware and SSBS mitigations. This
363  * means we actually have to reject late onlining of CPUs with mitigations if
364  * all of the currently onlined CPUs are safelisted, as the mitigation tends to
365  * be opt-in for userspace. Yes, really, the cure is worse than the disease.
366  *
367  * The only good part is that if the firmware mitigation is present, then it is
368  * present for all CPUs, meaning we don't have to worry about late onlining of a
369  * vulnerable CPU if one of the boot CPUs is using the firmware mitigation.
370  *
371  * Give me a VAX-11/780 any day of the week...
372  */
373 static enum mitigation_state spectre_v4_state;
374 
375 /* This is the per-cpu state tracking whether we need to talk to firmware */
376 DEFINE_PER_CPU_READ_MOSTLY(u64, arm64_ssbd_callback_required);
377 
378 enum spectre_v4_policy {
379 	SPECTRE_V4_POLICY_MITIGATION_DYNAMIC,
380 	SPECTRE_V4_POLICY_MITIGATION_ENABLED,
381 	SPECTRE_V4_POLICY_MITIGATION_DISABLED,
382 };
383 
384 static enum spectre_v4_policy __read_mostly __spectre_v4_policy;
385 
386 static const struct spectre_v4_param {
387 	const char		*str;
388 	enum spectre_v4_policy	policy;
389 } spectre_v4_params[] = {
390 	{ "force-on",	SPECTRE_V4_POLICY_MITIGATION_ENABLED, },
391 	{ "force-off",	SPECTRE_V4_POLICY_MITIGATION_DISABLED, },
392 	{ "kernel",	SPECTRE_V4_POLICY_MITIGATION_DYNAMIC, },
393 };
394 static int __init parse_spectre_v4_param(char *str)
395 {
396 	int i;
397 
398 	if (!str || !str[0])
399 		return -EINVAL;
400 
401 	for (i = 0; i < ARRAY_SIZE(spectre_v4_params); i++) {
402 		const struct spectre_v4_param *param = &spectre_v4_params[i];
403 
404 		if (strncmp(str, param->str, strlen(param->str)))
405 			continue;
406 
407 		__spectre_v4_policy = param->policy;
408 		return 0;
409 	}
410 
411 	return -EINVAL;
412 }
413 early_param("ssbd", parse_spectre_v4_param);
414 
415 /*
416  * Because this was all written in a rush by people working in different silos,
417  * we've ended up with multiple command line options to control the same thing.
418  * Wrap these up in some helpers, which prefer disabling the mitigation if faced
419  * with contradictory parameters. The mitigation is always either "off",
420  * "dynamic" or "on".
421  */
422 static bool spectre_v4_mitigations_off(void)
423 {
424 	bool ret = cpu_mitigations_off() ||
425 		   __spectre_v4_policy == SPECTRE_V4_POLICY_MITIGATION_DISABLED;
426 
427 	if (ret)
428 		pr_info_once("spectre-v4 mitigation disabled by command-line option\n");
429 
430 	return ret;
431 }
432 
433 /* Do we need to toggle the mitigation state on entry to/exit from the kernel? */
434 static bool spectre_v4_mitigations_dynamic(void)
435 {
436 	return !spectre_v4_mitigations_off() &&
437 	       __spectre_v4_policy == SPECTRE_V4_POLICY_MITIGATION_DYNAMIC;
438 }
439 
440 static bool spectre_v4_mitigations_on(void)
441 {
442 	return !spectre_v4_mitigations_off() &&
443 	       __spectre_v4_policy == SPECTRE_V4_POLICY_MITIGATION_ENABLED;
444 }
445 
446 ssize_t cpu_show_spec_store_bypass(struct device *dev,
447 				   struct device_attribute *attr, char *buf)
448 {
449 	switch (spectre_v4_state) {
450 	case SPECTRE_UNAFFECTED:
451 		return sprintf(buf, "Not affected\n");
452 	case SPECTRE_MITIGATED:
453 		return sprintf(buf, "Mitigation: Speculative Store Bypass disabled via prctl\n");
454 	case SPECTRE_VULNERABLE:
455 		fallthrough;
456 	default:
457 		return sprintf(buf, "Vulnerable\n");
458 	}
459 }
460 
461 enum mitigation_state arm64_get_spectre_v4_state(void)
462 {
463 	return spectre_v4_state;
464 }
465 
466 static enum mitigation_state spectre_v4_get_cpu_hw_mitigation_state(void)
467 {
468 	static const struct midr_range spectre_v4_safe_list[] = {
469 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
470 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
471 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
472 		MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
473 		MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_3XX_SILVER),
474 		MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER),
475 		{ /* sentinel */ },
476 	};
477 
478 	if (is_midr_in_range_list(read_cpuid_id(), spectre_v4_safe_list))
479 		return SPECTRE_UNAFFECTED;
480 
481 	/* CPU features are detected first */
482 	if (this_cpu_has_cap(ARM64_SSBS))
483 		return SPECTRE_MITIGATED;
484 
485 	return SPECTRE_VULNERABLE;
486 }
487 
488 static enum mitigation_state spectre_v4_get_cpu_fw_mitigation_state(void)
489 {
490 	int ret;
491 	struct arm_smccc_res res;
492 
493 	arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
494 			     ARM_SMCCC_ARCH_WORKAROUND_2, &res);
495 
496 	ret = res.a0;
497 	switch (ret) {
498 	case SMCCC_RET_SUCCESS:
499 		return SPECTRE_MITIGATED;
500 	case SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED:
501 		fallthrough;
502 	case SMCCC_RET_NOT_REQUIRED:
503 		return SPECTRE_UNAFFECTED;
504 	default:
505 		fallthrough;
506 	case SMCCC_RET_NOT_SUPPORTED:
507 		return SPECTRE_VULNERABLE;
508 	}
509 }
510 
511 bool has_spectre_v4(const struct arm64_cpu_capabilities *cap, int scope)
512 {
513 	enum mitigation_state state;
514 
515 	WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible());
516 
517 	state = spectre_v4_get_cpu_hw_mitigation_state();
518 	if (state == SPECTRE_VULNERABLE)
519 		state = spectre_v4_get_cpu_fw_mitigation_state();
520 
521 	return state != SPECTRE_UNAFFECTED;
522 }
523 
524 bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr)
525 {
526 	const u32 instr_mask = ~(1U << PSTATE_Imm_shift);
527 	const u32 instr_val = 0xd500401f | PSTATE_SSBS;
528 
529 	if ((instr & instr_mask) != instr_val)
530 		return false;
531 
532 	if (instr & BIT(PSTATE_Imm_shift))
533 		regs->pstate |= PSR_SSBS_BIT;
534 	else
535 		regs->pstate &= ~PSR_SSBS_BIT;
536 
537 	arm64_skip_faulting_instruction(regs, 4);
538 	return true;
539 }
540 
541 static enum mitigation_state spectre_v4_enable_hw_mitigation(void)
542 {
543 	enum mitigation_state state;
544 
545 	/*
546 	 * If the system is mitigated but this CPU doesn't have SSBS, then
547 	 * we must be on the safelist and there's nothing more to do.
548 	 */
549 	state = spectre_v4_get_cpu_hw_mitigation_state();
550 	if (state != SPECTRE_MITIGATED || !this_cpu_has_cap(ARM64_SSBS))
551 		return state;
552 
553 	if (spectre_v4_mitigations_off()) {
554 		sysreg_clear_set(sctlr_el1, 0, SCTLR_ELx_DSSBS);
555 		set_pstate_ssbs(1);
556 		return SPECTRE_VULNERABLE;
557 	}
558 
559 	/* SCTLR_EL1.DSSBS was initialised to 0 during boot */
560 	set_pstate_ssbs(0);
561 	return SPECTRE_MITIGATED;
562 }
563 
564 /*
565  * Patch a branch over the Spectre-v4 mitigation code with a NOP so that
566  * we fallthrough and check whether firmware needs to be called on this CPU.
567  */
568 void __init spectre_v4_patch_fw_mitigation_enable(struct alt_instr *alt,
569 						  __le32 *origptr,
570 						  __le32 *updptr, int nr_inst)
571 {
572 	BUG_ON(nr_inst != 1); /* Branch -> NOP */
573 
574 	if (spectre_v4_mitigations_off())
575 		return;
576 
577 	if (cpus_have_cap(ARM64_SSBS))
578 		return;
579 
580 	if (spectre_v4_mitigations_dynamic())
581 		*updptr = cpu_to_le32(aarch64_insn_gen_nop());
582 }
583 
584 /*
585  * Patch a NOP in the Spectre-v4 mitigation code with an SMC/HVC instruction
586  * to call into firmware to adjust the mitigation state.
587  */
588 void __init smccc_patch_fw_mitigation_conduit(struct alt_instr *alt,
589 					       __le32 *origptr,
590 					       __le32 *updptr, int nr_inst)
591 {
592 	u32 insn;
593 
594 	BUG_ON(nr_inst != 1); /* NOP -> HVC/SMC */
595 
596 	switch (arm_smccc_1_1_get_conduit()) {
597 	case SMCCC_CONDUIT_HVC:
598 		insn = aarch64_insn_get_hvc_value();
599 		break;
600 	case SMCCC_CONDUIT_SMC:
601 		insn = aarch64_insn_get_smc_value();
602 		break;
603 	default:
604 		return;
605 	}
606 
607 	*updptr = cpu_to_le32(insn);
608 }
609 
610 static enum mitigation_state spectre_v4_enable_fw_mitigation(void)
611 {
612 	enum mitigation_state state;
613 
614 	state = spectre_v4_get_cpu_fw_mitigation_state();
615 	if (state != SPECTRE_MITIGATED)
616 		return state;
617 
618 	if (spectre_v4_mitigations_off()) {
619 		arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_WORKAROUND_2, false, NULL);
620 		return SPECTRE_VULNERABLE;
621 	}
622 
623 	arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_WORKAROUND_2, true, NULL);
624 
625 	if (spectre_v4_mitigations_dynamic())
626 		__this_cpu_write(arm64_ssbd_callback_required, 1);
627 
628 	return SPECTRE_MITIGATED;
629 }
630 
631 void spectre_v4_enable_mitigation(const struct arm64_cpu_capabilities *__unused)
632 {
633 	enum mitigation_state state;
634 
635 	WARN_ON(preemptible());
636 
637 	state = spectre_v4_enable_hw_mitigation();
638 	if (state == SPECTRE_VULNERABLE)
639 		state = spectre_v4_enable_fw_mitigation();
640 
641 	update_mitigation_state(&spectre_v4_state, state);
642 }
643 
644 static void __update_pstate_ssbs(struct pt_regs *regs, bool state)
645 {
646 	u64 bit = compat_user_mode(regs) ? PSR_AA32_SSBS_BIT : PSR_SSBS_BIT;
647 
648 	if (state)
649 		regs->pstate |= bit;
650 	else
651 		regs->pstate &= ~bit;
652 }
653 
654 void spectre_v4_enable_task_mitigation(struct task_struct *tsk)
655 {
656 	struct pt_regs *regs = task_pt_regs(tsk);
657 	bool ssbs = false, kthread = tsk->flags & PF_KTHREAD;
658 
659 	if (spectre_v4_mitigations_off())
660 		ssbs = true;
661 	else if (spectre_v4_mitigations_dynamic() && !kthread)
662 		ssbs = !test_tsk_thread_flag(tsk, TIF_SSBD);
663 
664 	__update_pstate_ssbs(regs, ssbs);
665 }
666 
667 /*
668  * The Spectre-v4 mitigation can be controlled via a prctl() from userspace.
669  * This is interesting because the "speculation disabled" behaviour can be
670  * configured so that it is preserved across exec(), which means that the
671  * prctl() may be necessary even when PSTATE.SSBS can be toggled directly
672  * from userspace.
673  */
674 static void ssbd_prctl_enable_mitigation(struct task_struct *task)
675 {
676 	task_clear_spec_ssb_noexec(task);
677 	task_set_spec_ssb_disable(task);
678 	set_tsk_thread_flag(task, TIF_SSBD);
679 }
680 
681 static void ssbd_prctl_disable_mitigation(struct task_struct *task)
682 {
683 	task_clear_spec_ssb_noexec(task);
684 	task_clear_spec_ssb_disable(task);
685 	clear_tsk_thread_flag(task, TIF_SSBD);
686 }
687 
688 static int ssbd_prctl_set(struct task_struct *task, unsigned long ctrl)
689 {
690 	switch (ctrl) {
691 	case PR_SPEC_ENABLE:
692 		/* Enable speculation: disable mitigation */
693 		/*
694 		 * Force disabled speculation prevents it from being
695 		 * re-enabled.
696 		 */
697 		if (task_spec_ssb_force_disable(task))
698 			return -EPERM;
699 
700 		/*
701 		 * If the mitigation is forced on, then speculation is forced
702 		 * off and we again prevent it from being re-enabled.
703 		 */
704 		if (spectre_v4_mitigations_on())
705 			return -EPERM;
706 
707 		ssbd_prctl_disable_mitigation(task);
708 		break;
709 	case PR_SPEC_FORCE_DISABLE:
710 		/* Force disable speculation: force enable mitigation */
711 		/*
712 		 * If the mitigation is forced off, then speculation is forced
713 		 * on and we prevent it from being disabled.
714 		 */
715 		if (spectre_v4_mitigations_off())
716 			return -EPERM;
717 
718 		task_set_spec_ssb_force_disable(task);
719 		fallthrough;
720 	case PR_SPEC_DISABLE:
721 		/* Disable speculation: enable mitigation */
722 		/* Same as PR_SPEC_FORCE_DISABLE */
723 		if (spectre_v4_mitigations_off())
724 			return -EPERM;
725 
726 		ssbd_prctl_enable_mitigation(task);
727 		break;
728 	case PR_SPEC_DISABLE_NOEXEC:
729 		/* Disable speculation until execve(): enable mitigation */
730 		/*
731 		 * If the mitigation state is forced one way or the other, then
732 		 * we must fail now before we try to toggle it on execve().
733 		 */
734 		if (task_spec_ssb_force_disable(task) ||
735 		    spectre_v4_mitigations_off() ||
736 		    spectre_v4_mitigations_on()) {
737 			return -EPERM;
738 		}
739 
740 		ssbd_prctl_enable_mitigation(task);
741 		task_set_spec_ssb_noexec(task);
742 		break;
743 	default:
744 		return -ERANGE;
745 	}
746 
747 	spectre_v4_enable_task_mitigation(task);
748 	return 0;
749 }
750 
751 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
752 			     unsigned long ctrl)
753 {
754 	switch (which) {
755 	case PR_SPEC_STORE_BYPASS:
756 		return ssbd_prctl_set(task, ctrl);
757 	default:
758 		return -ENODEV;
759 	}
760 }
761 
762 static int ssbd_prctl_get(struct task_struct *task)
763 {
764 	switch (spectre_v4_state) {
765 	case SPECTRE_UNAFFECTED:
766 		return PR_SPEC_NOT_AFFECTED;
767 	case SPECTRE_MITIGATED:
768 		if (spectre_v4_mitigations_on())
769 			return PR_SPEC_NOT_AFFECTED;
770 
771 		if (spectre_v4_mitigations_dynamic())
772 			break;
773 
774 		/* Mitigations are disabled, so we're vulnerable. */
775 		fallthrough;
776 	case SPECTRE_VULNERABLE:
777 		fallthrough;
778 	default:
779 		return PR_SPEC_ENABLE;
780 	}
781 
782 	/* Check the mitigation state for this task */
783 	if (task_spec_ssb_force_disable(task))
784 		return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
785 
786 	if (task_spec_ssb_noexec(task))
787 		return PR_SPEC_PRCTL | PR_SPEC_DISABLE_NOEXEC;
788 
789 	if (task_spec_ssb_disable(task))
790 		return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
791 
792 	return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
793 }
794 
795 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
796 {
797 	switch (which) {
798 	case PR_SPEC_STORE_BYPASS:
799 		return ssbd_prctl_get(task);
800 	default:
801 		return -ENODEV;
802 	}
803 }
804 
805 /*
806  * Spectre BHB.
807  *
808  * A CPU is either:
809  * - Mitigated by a branchy loop a CPU specific number of times, and listed
810  *   in our "loop mitigated list".
811  * - Mitigated in software by the firmware Spectre v2 call.
812  * - Has the ClearBHB instruction to perform the mitigation.
813  * - Has the 'Exception Clears Branch History Buffer' (ECBHB) feature, so no
814  *   software mitigation in the vectors is needed.
815  * - Has CSV2.3, so is unaffected.
816  */
817 static enum mitigation_state spectre_bhb_state;
818 
819 enum mitigation_state arm64_get_spectre_bhb_state(void)
820 {
821 	return spectre_bhb_state;
822 }
823 
824 enum bhb_mitigation_bits {
825 	BHB_LOOP,
826 	BHB_FW,
827 	BHB_HW,
828 	BHB_INSN,
829 };
830 static unsigned long system_bhb_mitigations;
831 
832 /*
833  * This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any
834  * SCOPE_SYSTEM call will give the right answer.
835  */
836 u8 spectre_bhb_loop_affected(int scope)
837 {
838 	u8 k = 0;
839 	static u8 max_bhb_k;
840 
841 	if (scope == SCOPE_LOCAL_CPU) {
842 		static const struct midr_range spectre_bhb_k32_list[] = {
843 			MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
844 			MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
845 			MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
846 			MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
847 			MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
848 			MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
849 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
850 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
851 			{},
852 		};
853 		static const struct midr_range spectre_bhb_k24_list[] = {
854 			MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
855 			MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
856 			MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
857 			{},
858 		};
859 		static const struct midr_range spectre_bhb_k11_list[] = {
860 			MIDR_ALL_VERSIONS(MIDR_AMPERE1),
861 			{},
862 		};
863 		static const struct midr_range spectre_bhb_k8_list[] = {
864 			MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
865 			MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
866 			{},
867 		};
868 
869 		if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
870 			k = 32;
871 		else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
872 			k = 24;
873 		else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
874 			k = 11;
875 		else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
876 			k =  8;
877 
878 		max_bhb_k = max(max_bhb_k, k);
879 	} else {
880 		k = max_bhb_k;
881 	}
882 
883 	return k;
884 }
885 
886 static enum mitigation_state spectre_bhb_get_cpu_fw_mitigation_state(void)
887 {
888 	int ret;
889 	struct arm_smccc_res res;
890 
891 	arm_smccc_1_1_invoke(ARM_SMCCC_ARCH_FEATURES_FUNC_ID,
892 			     ARM_SMCCC_ARCH_WORKAROUND_3, &res);
893 
894 	ret = res.a0;
895 	switch (ret) {
896 	case SMCCC_RET_SUCCESS:
897 		return SPECTRE_MITIGATED;
898 	case SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED:
899 		return SPECTRE_UNAFFECTED;
900 	default:
901 		fallthrough;
902 	case SMCCC_RET_NOT_SUPPORTED:
903 		return SPECTRE_VULNERABLE;
904 	}
905 }
906 
907 static bool is_spectre_bhb_fw_affected(int scope)
908 {
909 	static bool system_affected;
910 	enum mitigation_state fw_state;
911 	bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE;
912 	static const struct midr_range spectre_bhb_firmware_mitigated_list[] = {
913 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
914 		MIDR_ALL_VERSIONS(MIDR_CORTEX_A75),
915 		{},
916 	};
917 	bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(),
918 					 spectre_bhb_firmware_mitigated_list);
919 
920 	if (scope != SCOPE_LOCAL_CPU)
921 		return system_affected;
922 
923 	fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
924 	if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) {
925 		system_affected = true;
926 		return true;
927 	}
928 
929 	return false;
930 }
931 
932 static bool supports_ecbhb(int scope)
933 {
934 	u64 mmfr1;
935 
936 	if (scope == SCOPE_LOCAL_CPU)
937 		mmfr1 = read_sysreg_s(SYS_ID_AA64MMFR1_EL1);
938 	else
939 		mmfr1 = read_sanitised_ftr_reg(SYS_ID_AA64MMFR1_EL1);
940 
941 	return cpuid_feature_extract_unsigned_field(mmfr1,
942 						    ID_AA64MMFR1_EL1_ECBHB_SHIFT);
943 }
944 
945 bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry,
946 			     int scope)
947 {
948 	WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible());
949 
950 	if (supports_csv2p3(scope))
951 		return false;
952 
953 	if (supports_clearbhb(scope))
954 		return true;
955 
956 	if (spectre_bhb_loop_affected(scope))
957 		return true;
958 
959 	if (is_spectre_bhb_fw_affected(scope))
960 		return true;
961 
962 	return false;
963 }
964 
965 static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot)
966 {
967 	const char *v = arm64_get_bp_hardening_vector(slot);
968 
969 	__this_cpu_write(this_cpu_vector, v);
970 
971 	/*
972 	 * When KPTI is in use, the vectors are switched when exiting to
973 	 * user-space.
974 	 */
975 	if (cpus_have_cap(ARM64_UNMAP_KERNEL_AT_EL0))
976 		return;
977 
978 	write_sysreg(v, vbar_el1);
979 	isb();
980 }
981 
982 static bool __read_mostly __nospectre_bhb;
983 static int __init parse_spectre_bhb_param(char *str)
984 {
985 	__nospectre_bhb = true;
986 	return 0;
987 }
988 early_param("nospectre_bhb", parse_spectre_bhb_param);
989 
990 void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
991 {
992 	bp_hardening_cb_t cpu_cb;
993 	enum mitigation_state fw_state, state = SPECTRE_VULNERABLE;
994 	struct bp_hardening_data *data = this_cpu_ptr(&bp_hardening_data);
995 
996 	if (!is_spectre_bhb_affected(entry, SCOPE_LOCAL_CPU))
997 		return;
998 
999 	if (arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE) {
1000 		/* No point mitigating Spectre-BHB alone. */
1001 	} else if (!IS_ENABLED(CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY)) {
1002 		pr_info_once("spectre-bhb mitigation disabled by compile time option\n");
1003 	} else if (cpu_mitigations_off() || __nospectre_bhb) {
1004 		pr_info_once("spectre-bhb mitigation disabled by command line option\n");
1005 	} else if (supports_ecbhb(SCOPE_LOCAL_CPU)) {
1006 		state = SPECTRE_MITIGATED;
1007 		set_bit(BHB_HW, &system_bhb_mitigations);
1008 	} else if (supports_clearbhb(SCOPE_LOCAL_CPU)) {
1009 		/*
1010 		 * Ensure KVM uses the indirect vector which will have ClearBHB
1011 		 * added.
1012 		 */
1013 		if (!data->slot)
1014 			data->slot = HYP_VECTOR_INDIRECT;
1015 
1016 		this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN);
1017 		state = SPECTRE_MITIGATED;
1018 		set_bit(BHB_INSN, &system_bhb_mitigations);
1019 	} else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) {
1020 		/*
1021 		 * Ensure KVM uses the indirect vector which will have the
1022 		 * branchy-loop added. A57/A72-r0 will already have selected
1023 		 * the spectre-indirect vector, which is sufficient for BHB
1024 		 * too.
1025 		 */
1026 		if (!data->slot)
1027 			data->slot = HYP_VECTOR_INDIRECT;
1028 
1029 		this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP);
1030 		state = SPECTRE_MITIGATED;
1031 		set_bit(BHB_LOOP, &system_bhb_mitigations);
1032 	} else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) {
1033 		fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
1034 		if (fw_state == SPECTRE_MITIGATED) {
1035 			/*
1036 			 * Ensure KVM uses one of the spectre bp_hardening
1037 			 * vectors. The indirect vector doesn't include the EL3
1038 			 * call, so needs upgrading to
1039 			 * HYP_VECTOR_SPECTRE_INDIRECT.
1040 			 */
1041 			if (!data->slot || data->slot == HYP_VECTOR_INDIRECT)
1042 				data->slot += 1;
1043 
1044 			this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
1045 
1046 			/*
1047 			 * The WA3 call in the vectors supersedes the WA1 call
1048 			 * made during context-switch. Uninstall any firmware
1049 			 * bp_hardening callback.
1050 			 */
1051 			cpu_cb = spectre_v2_get_sw_mitigation_cb();
1052 			if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb)
1053 				__this_cpu_write(bp_hardening_data.fn, NULL);
1054 
1055 			state = SPECTRE_MITIGATED;
1056 			set_bit(BHB_FW, &system_bhb_mitigations);
1057 		}
1058 	}
1059 
1060 	update_mitigation_state(&spectre_bhb_state, state);
1061 }
1062 
1063 /* Patched to NOP when enabled */
1064 void noinstr spectre_bhb_patch_loop_mitigation_enable(struct alt_instr *alt,
1065 						     __le32 *origptr,
1066 						      __le32 *updptr, int nr_inst)
1067 {
1068 	BUG_ON(nr_inst != 1);
1069 
1070 	if (test_bit(BHB_LOOP, &system_bhb_mitigations))
1071 		*updptr++ = cpu_to_le32(aarch64_insn_gen_nop());
1072 }
1073 
1074 /* Patched to NOP when enabled */
1075 void noinstr spectre_bhb_patch_fw_mitigation_enabled(struct alt_instr *alt,
1076 						   __le32 *origptr,
1077 						   __le32 *updptr, int nr_inst)
1078 {
1079 	BUG_ON(nr_inst != 1);
1080 
1081 	if (test_bit(BHB_FW, &system_bhb_mitigations))
1082 		*updptr++ = cpu_to_le32(aarch64_insn_gen_nop());
1083 }
1084 
1085 /* Patched to correct the immediate */
1086 void noinstr spectre_bhb_patch_loop_iter(struct alt_instr *alt,
1087 				   __le32 *origptr, __le32 *updptr, int nr_inst)
1088 {
1089 	u8 rd;
1090 	u32 insn;
1091 	u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM);
1092 
1093 	BUG_ON(nr_inst != 1); /* MOV -> MOV */
1094 
1095 	if (!IS_ENABLED(CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY))
1096 		return;
1097 
1098 	insn = le32_to_cpu(*origptr);
1099 	rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn);
1100 	insn = aarch64_insn_gen_movewide(rd, loop_count, 0,
1101 					 AARCH64_INSN_VARIANT_64BIT,
1102 					 AARCH64_INSN_MOVEWIDE_ZERO);
1103 	*updptr++ = cpu_to_le32(insn);
1104 }
1105 
1106 /* Patched to mov WA3 when supported */
1107 void noinstr spectre_bhb_patch_wa3(struct alt_instr *alt,
1108 				   __le32 *origptr, __le32 *updptr, int nr_inst)
1109 {
1110 	u8 rd;
1111 	u32 insn;
1112 
1113 	BUG_ON(nr_inst != 1); /* MOV -> MOV */
1114 
1115 	if (!IS_ENABLED(CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY) ||
1116 	    !test_bit(BHB_FW, &system_bhb_mitigations))
1117 		return;
1118 
1119 	insn = le32_to_cpu(*origptr);
1120 	rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn);
1121 
1122 	insn = aarch64_insn_gen_logical_immediate(AARCH64_INSN_LOGIC_ORR,
1123 						  AARCH64_INSN_VARIANT_32BIT,
1124 						  AARCH64_INSN_REG_ZR, rd,
1125 						  ARM_SMCCC_ARCH_WORKAROUND_3);
1126 	if (WARN_ON_ONCE(insn == AARCH64_BREAK_FAULT))
1127 		return;
1128 
1129 	*updptr++ = cpu_to_le32(insn);
1130 }
1131 
1132 /* Patched to NOP when not supported */
1133 void __init spectre_bhb_patch_clearbhb(struct alt_instr *alt,
1134 				   __le32 *origptr, __le32 *updptr, int nr_inst)
1135 {
1136 	BUG_ON(nr_inst != 2);
1137 
1138 	if (test_bit(BHB_INSN, &system_bhb_mitigations))
1139 		return;
1140 
1141 	*updptr++ = cpu_to_le32(aarch64_insn_gen_nop());
1142 	*updptr++ = cpu_to_le32(aarch64_insn_gen_nop());
1143 }
1144 
1145 #ifdef CONFIG_BPF_SYSCALL
1146 #define EBPF_WARN "Unprivileged eBPF is enabled, data leaks possible via Spectre v2 BHB attacks!\n"
1147 void unpriv_ebpf_notify(int new_state)
1148 {
1149 	if (spectre_v2_state == SPECTRE_VULNERABLE ||
1150 	    spectre_bhb_state != SPECTRE_MITIGATED)
1151 		return;
1152 
1153 	if (!new_state)
1154 		pr_err("WARNING: %s", EBPF_WARN);
1155 }
1156 #endif
1157