1 // SPDX-License-Identifier: GPL-2.0+ 2 // 3 // Security related flags and so on. 4 // 5 // Copyright 2018, Michael Ellerman, IBM Corporation. 6 7 #include <linux/cpu.h> 8 #include <linux/kernel.h> 9 #include <linux/device.h> 10 #include <linux/nospec.h> 11 #include <linux/prctl.h> 12 #include <linux/seq_buf.h> 13 14 #include <asm/asm-prototypes.h> 15 #include <asm/code-patching.h> 16 #include <asm/debugfs.h> 17 #include <asm/security_features.h> 18 #include <asm/setup.h> 19 20 21 u64 powerpc_security_features __read_mostly = SEC_FTR_DEFAULT; 22 23 enum count_cache_flush_type { 24 COUNT_CACHE_FLUSH_NONE = 0x1, 25 COUNT_CACHE_FLUSH_SW = 0x2, 26 COUNT_CACHE_FLUSH_HW = 0x4, 27 }; 28 static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; 29 static bool link_stack_flush_enabled; 30 31 bool barrier_nospec_enabled; 32 static bool no_nospec; 33 static bool btb_flush_enabled; 34 #if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64) 35 static bool no_spectrev2; 36 #endif 37 38 static void enable_barrier_nospec(bool enable) 39 { 40 barrier_nospec_enabled = enable; 41 do_barrier_nospec_fixups(enable); 42 } 43 44 void setup_barrier_nospec(void) 45 { 46 bool enable; 47 48 /* 49 * It would make sense to check SEC_FTR_SPEC_BAR_ORI31 below as well. 50 * But there's a good reason not to. The two flags we check below are 51 * both are enabled by default in the kernel, so if the hcall is not 52 * functional they will be enabled. 53 * On a system where the host firmware has been updated (so the ori 54 * functions as a barrier), but on which the hypervisor (KVM/Qemu) has 55 * not been updated, we would like to enable the barrier. Dropping the 56 * check for SEC_FTR_SPEC_BAR_ORI31 achieves that. The only downside is 57 * we potentially enable the barrier on systems where the host firmware 58 * is not updated, but that's harmless as it's a no-op. 59 */ 60 enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && 61 security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR); 62 63 if (!no_nospec && !cpu_mitigations_off()) 64 enable_barrier_nospec(enable); 65 } 66 67 static int __init handle_nospectre_v1(char *p) 68 { 69 no_nospec = true; 70 71 return 0; 72 } 73 early_param("nospectre_v1", handle_nospectre_v1); 74 75 #ifdef CONFIG_DEBUG_FS 76 static int barrier_nospec_set(void *data, u64 val) 77 { 78 switch (val) { 79 case 0: 80 case 1: 81 break; 82 default: 83 return -EINVAL; 84 } 85 86 if (!!val == !!barrier_nospec_enabled) 87 return 0; 88 89 enable_barrier_nospec(!!val); 90 91 return 0; 92 } 93 94 static int barrier_nospec_get(void *data, u64 *val) 95 { 96 *val = barrier_nospec_enabled ? 1 : 0; 97 return 0; 98 } 99 100 DEFINE_DEBUGFS_ATTRIBUTE(fops_barrier_nospec, barrier_nospec_get, 101 barrier_nospec_set, "%llu\n"); 102 103 static __init int barrier_nospec_debugfs_init(void) 104 { 105 debugfs_create_file_unsafe("barrier_nospec", 0600, 106 powerpc_debugfs_root, NULL, 107 &fops_barrier_nospec); 108 return 0; 109 } 110 device_initcall(barrier_nospec_debugfs_init); 111 112 static __init int security_feature_debugfs_init(void) 113 { 114 debugfs_create_x64("security_features", 0400, powerpc_debugfs_root, 115 &powerpc_security_features); 116 return 0; 117 } 118 device_initcall(security_feature_debugfs_init); 119 #endif /* CONFIG_DEBUG_FS */ 120 121 #if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64) 122 static int __init handle_nospectre_v2(char *p) 123 { 124 no_spectrev2 = true; 125 126 return 0; 127 } 128 early_param("nospectre_v2", handle_nospectre_v2); 129 #endif /* CONFIG_PPC_FSL_BOOK3E || CONFIG_PPC_BOOK3S_64 */ 130 131 #ifdef CONFIG_PPC_FSL_BOOK3E 132 void setup_spectre_v2(void) 133 { 134 if (no_spectrev2 || cpu_mitigations_off()) 135 do_btb_flush_fixups(); 136 else 137 btb_flush_enabled = true; 138 } 139 #endif /* CONFIG_PPC_FSL_BOOK3E */ 140 141 #ifdef CONFIG_PPC_BOOK3S_64 142 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) 143 { 144 bool thread_priv; 145 146 thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV); 147 148 if (rfi_flush) { 149 struct seq_buf s; 150 seq_buf_init(&s, buf, PAGE_SIZE - 1); 151 152 seq_buf_printf(&s, "Mitigation: RFI Flush"); 153 if (thread_priv) 154 seq_buf_printf(&s, ", L1D private per thread"); 155 156 seq_buf_printf(&s, "\n"); 157 158 return s.len; 159 } 160 161 if (thread_priv) 162 return sprintf(buf, "Vulnerable: L1D private per thread\n"); 163 164 if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && 165 !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR)) 166 return sprintf(buf, "Not affected\n"); 167 168 return sprintf(buf, "Vulnerable\n"); 169 } 170 171 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf) 172 { 173 return cpu_show_meltdown(dev, attr, buf); 174 } 175 #endif 176 177 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) 178 { 179 struct seq_buf s; 180 181 seq_buf_init(&s, buf, PAGE_SIZE - 1); 182 183 if (security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR)) { 184 if (barrier_nospec_enabled) 185 seq_buf_printf(&s, "Mitigation: __user pointer sanitization"); 186 else 187 seq_buf_printf(&s, "Vulnerable"); 188 189 if (security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31)) 190 seq_buf_printf(&s, ", ori31 speculation barrier enabled"); 191 192 seq_buf_printf(&s, "\n"); 193 } else 194 seq_buf_printf(&s, "Not affected\n"); 195 196 return s.len; 197 } 198 199 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) 200 { 201 struct seq_buf s; 202 bool bcs, ccd; 203 204 seq_buf_init(&s, buf, PAGE_SIZE - 1); 205 206 bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED); 207 ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED); 208 209 if (bcs || ccd) { 210 seq_buf_printf(&s, "Mitigation: "); 211 212 if (bcs) 213 seq_buf_printf(&s, "Indirect branch serialisation (kernel only)"); 214 215 if (bcs && ccd) 216 seq_buf_printf(&s, ", "); 217 218 if (ccd) 219 seq_buf_printf(&s, "Indirect branch cache disabled"); 220 221 if (link_stack_flush_enabled) 222 seq_buf_printf(&s, ", Software link stack flush"); 223 224 } else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) { 225 seq_buf_printf(&s, "Mitigation: Software count cache flush"); 226 227 if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW) 228 seq_buf_printf(&s, " (hardware accelerated)"); 229 230 if (link_stack_flush_enabled) 231 seq_buf_printf(&s, ", Software link stack flush"); 232 233 } else if (btb_flush_enabled) { 234 seq_buf_printf(&s, "Mitigation: Branch predictor state flush"); 235 } else { 236 seq_buf_printf(&s, "Vulnerable"); 237 } 238 239 seq_buf_printf(&s, "\n"); 240 241 return s.len; 242 } 243 244 #ifdef CONFIG_PPC_BOOK3S_64 245 /* 246 * Store-forwarding barrier support. 247 */ 248 249 static enum stf_barrier_type stf_enabled_flush_types; 250 static bool no_stf_barrier; 251 bool stf_barrier; 252 253 static int __init handle_no_stf_barrier(char *p) 254 { 255 pr_info("stf-barrier: disabled on command line."); 256 no_stf_barrier = true; 257 return 0; 258 } 259 260 early_param("no_stf_barrier", handle_no_stf_barrier); 261 262 /* This is the generic flag used by other architectures */ 263 static int __init handle_ssbd(char *p) 264 { 265 if (!p || strncmp(p, "auto", 5) == 0 || strncmp(p, "on", 2) == 0 ) { 266 /* Until firmware tells us, we have the barrier with auto */ 267 return 0; 268 } else if (strncmp(p, "off", 3) == 0) { 269 handle_no_stf_barrier(NULL); 270 return 0; 271 } else 272 return 1; 273 274 return 0; 275 } 276 early_param("spec_store_bypass_disable", handle_ssbd); 277 278 /* This is the generic flag used by other architectures */ 279 static int __init handle_no_ssbd(char *p) 280 { 281 handle_no_stf_barrier(NULL); 282 return 0; 283 } 284 early_param("nospec_store_bypass_disable", handle_no_ssbd); 285 286 static void stf_barrier_enable(bool enable) 287 { 288 if (enable) 289 do_stf_barrier_fixups(stf_enabled_flush_types); 290 else 291 do_stf_barrier_fixups(STF_BARRIER_NONE); 292 293 stf_barrier = enable; 294 } 295 296 void setup_stf_barrier(void) 297 { 298 enum stf_barrier_type type; 299 bool enable, hv; 300 301 hv = cpu_has_feature(CPU_FTR_HVMODE); 302 303 /* Default to fallback in case fw-features are not available */ 304 if (cpu_has_feature(CPU_FTR_ARCH_300)) 305 type = STF_BARRIER_EIEIO; 306 else if (cpu_has_feature(CPU_FTR_ARCH_207S)) 307 type = STF_BARRIER_SYNC_ORI; 308 else if (cpu_has_feature(CPU_FTR_ARCH_206)) 309 type = STF_BARRIER_FALLBACK; 310 else 311 type = STF_BARRIER_NONE; 312 313 enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && 314 (security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) || 315 (security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && hv)); 316 317 if (type == STF_BARRIER_FALLBACK) { 318 pr_info("stf-barrier: fallback barrier available\n"); 319 } else if (type == STF_BARRIER_SYNC_ORI) { 320 pr_info("stf-barrier: hwsync barrier available\n"); 321 } else if (type == STF_BARRIER_EIEIO) { 322 pr_info("stf-barrier: eieio barrier available\n"); 323 } 324 325 stf_enabled_flush_types = type; 326 327 if (!no_stf_barrier && !cpu_mitigations_off()) 328 stf_barrier_enable(enable); 329 } 330 331 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf) 332 { 333 if (stf_barrier && stf_enabled_flush_types != STF_BARRIER_NONE) { 334 const char *type; 335 switch (stf_enabled_flush_types) { 336 case STF_BARRIER_EIEIO: 337 type = "eieio"; 338 break; 339 case STF_BARRIER_SYNC_ORI: 340 type = "hwsync"; 341 break; 342 case STF_BARRIER_FALLBACK: 343 type = "fallback"; 344 break; 345 default: 346 type = "unknown"; 347 } 348 return sprintf(buf, "Mitigation: Kernel entry/exit barrier (%s)\n", type); 349 } 350 351 if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && 352 !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR)) 353 return sprintf(buf, "Not affected\n"); 354 355 return sprintf(buf, "Vulnerable\n"); 356 } 357 358 static int ssb_prctl_get(struct task_struct *task) 359 { 360 if (stf_enabled_flush_types == STF_BARRIER_NONE) 361 /* 362 * We don't have an explicit signal from firmware that we're 363 * vulnerable or not, we only have certain CPU revisions that 364 * are known to be vulnerable. 365 * 366 * We assume that if we're on another CPU, where the barrier is 367 * NONE, then we are not vulnerable. 368 */ 369 return PR_SPEC_NOT_AFFECTED; 370 else 371 /* 372 * If we do have a barrier type then we are vulnerable. The 373 * barrier is not a global or per-process mitigation, so the 374 * only value we can report here is PR_SPEC_ENABLE, which 375 * appears as "vulnerable" in /proc. 376 */ 377 return PR_SPEC_ENABLE; 378 379 return -EINVAL; 380 } 381 382 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which) 383 { 384 switch (which) { 385 case PR_SPEC_STORE_BYPASS: 386 return ssb_prctl_get(task); 387 default: 388 return -ENODEV; 389 } 390 } 391 392 #ifdef CONFIG_DEBUG_FS 393 static int stf_barrier_set(void *data, u64 val) 394 { 395 bool enable; 396 397 if (val == 1) 398 enable = true; 399 else if (val == 0) 400 enable = false; 401 else 402 return -EINVAL; 403 404 /* Only do anything if we're changing state */ 405 if (enable != stf_barrier) 406 stf_barrier_enable(enable); 407 408 return 0; 409 } 410 411 static int stf_barrier_get(void *data, u64 *val) 412 { 413 *val = stf_barrier ? 1 : 0; 414 return 0; 415 } 416 417 DEFINE_DEBUGFS_ATTRIBUTE(fops_stf_barrier, stf_barrier_get, stf_barrier_set, 418 "%llu\n"); 419 420 static __init int stf_barrier_debugfs_init(void) 421 { 422 debugfs_create_file_unsafe("stf_barrier", 0600, powerpc_debugfs_root, 423 NULL, &fops_stf_barrier); 424 return 0; 425 } 426 device_initcall(stf_barrier_debugfs_init); 427 #endif /* CONFIG_DEBUG_FS */ 428 429 static void no_count_cache_flush(void) 430 { 431 count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; 432 pr_info("count-cache-flush: software flush disabled.\n"); 433 } 434 435 static void toggle_count_cache_flush(bool enable) 436 { 437 if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE) && 438 !security_ftr_enabled(SEC_FTR_FLUSH_LINK_STACK)) 439 enable = false; 440 441 if (!enable) { 442 patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP); 443 #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE 444 patch_instruction_site(&patch__call_kvm_flush_link_stack, PPC_INST_NOP); 445 #endif 446 pr_info("link-stack-flush: software flush disabled.\n"); 447 link_stack_flush_enabled = false; 448 no_count_cache_flush(); 449 return; 450 } 451 452 // This enables the branch from _switch to flush_count_cache 453 patch_branch_site(&patch__call_flush_count_cache, 454 (u64)&flush_count_cache, BRANCH_SET_LINK); 455 456 #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE 457 // This enables the branch from guest_exit_cont to kvm_flush_link_stack 458 patch_branch_site(&patch__call_kvm_flush_link_stack, 459 (u64)&kvm_flush_link_stack, BRANCH_SET_LINK); 460 #endif 461 462 pr_info("link-stack-flush: software flush enabled.\n"); 463 link_stack_flush_enabled = true; 464 465 // If we just need to flush the link stack, patch an early return 466 if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) { 467 patch_instruction_site(&patch__flush_link_stack_return, PPC_INST_BLR); 468 no_count_cache_flush(); 469 return; 470 } 471 472 if (!security_ftr_enabled(SEC_FTR_BCCTR_FLUSH_ASSIST)) { 473 count_cache_flush_type = COUNT_CACHE_FLUSH_SW; 474 pr_info("count-cache-flush: full software flush sequence enabled.\n"); 475 return; 476 } 477 478 patch_instruction_site(&patch__flush_count_cache_return, PPC_INST_BLR); 479 count_cache_flush_type = COUNT_CACHE_FLUSH_HW; 480 pr_info("count-cache-flush: hardware assisted flush sequence enabled\n"); 481 } 482 483 void setup_count_cache_flush(void) 484 { 485 bool enable = true; 486 487 if (no_spectrev2 || cpu_mitigations_off()) { 488 if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) || 489 security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED)) 490 pr_warn("Spectre v2 mitigations not fully under software control, can't disable\n"); 491 492 enable = false; 493 } 494 495 /* 496 * There's no firmware feature flag/hypervisor bit to tell us we need to 497 * flush the link stack on context switch. So we set it here if we see 498 * either of the Spectre v2 mitigations that aim to protect userspace. 499 */ 500 if (security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED) || 501 security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) 502 security_ftr_set(SEC_FTR_FLUSH_LINK_STACK); 503 504 toggle_count_cache_flush(enable); 505 } 506 507 #ifdef CONFIG_DEBUG_FS 508 static int count_cache_flush_set(void *data, u64 val) 509 { 510 bool enable; 511 512 if (val == 1) 513 enable = true; 514 else if (val == 0) 515 enable = false; 516 else 517 return -EINVAL; 518 519 toggle_count_cache_flush(enable); 520 521 return 0; 522 } 523 524 static int count_cache_flush_get(void *data, u64 *val) 525 { 526 if (count_cache_flush_type == COUNT_CACHE_FLUSH_NONE) 527 *val = 0; 528 else 529 *val = 1; 530 531 return 0; 532 } 533 534 DEFINE_DEBUGFS_ATTRIBUTE(fops_count_cache_flush, count_cache_flush_get, 535 count_cache_flush_set, "%llu\n"); 536 537 static __init int count_cache_flush_debugfs_init(void) 538 { 539 debugfs_create_file_unsafe("count_cache_flush", 0600, 540 powerpc_debugfs_root, NULL, 541 &fops_count_cache_flush); 542 return 0; 543 } 544 device_initcall(count_cache_flush_debugfs_init); 545 #endif /* CONFIG_DEBUG_FS */ 546 #endif /* CONFIG_PPC_BOOK3S_64 */ 547