xref: /linux/arch/powerpc/kernel/security.c (revision d97e7f198b10ea9d17ea64606f18102260870782) 
1 // SPDX-License-Identifier: GPL-2.0+
2 //
3 // Security related flags and so on.
4 //
5 // Copyright 2018, Michael Ellerman, IBM Corporation.
6 
7 #include <linux/kernel.h>
8 #include <linux/device.h>
9 #include <linux/seq_buf.h>
10 
11 #include <asm/debugfs.h>
12 #include <asm/security_features.h>
13 #include <asm/setup.h>
14 
15 
16 unsigned long powerpc_security_features __read_mostly = SEC_FTR_DEFAULT;
17 
18 bool barrier_nospec_enabled;
19 
20 static void enable_barrier_nospec(bool enable)
21 {
22 	barrier_nospec_enabled = enable;
23 	do_barrier_nospec_fixups(enable);
24 }
25 
26 void setup_barrier_nospec(void)
27 {
28 	bool enable;
29 
30 	/*
31 	 * It would make sense to check SEC_FTR_SPEC_BAR_ORI31 below as well.
32 	 * But there's a good reason not to. The two flags we check below are
33 	 * both are enabled by default in the kernel, so if the hcall is not
34 	 * functional they will be enabled.
35 	 * On a system where the host firmware has been updated (so the ori
36 	 * functions as a barrier), but on which the hypervisor (KVM/Qemu) has
37 	 * not been updated, we would like to enable the barrier. Dropping the
38 	 * check for SEC_FTR_SPEC_BAR_ORI31 achieves that. The only downside is
39 	 * we potentially enable the barrier on systems where the host firmware
40 	 * is not updated, but that's harmless as it's a no-op.
41 	 */
42 	enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
43 		 security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);
44 
45 	enable_barrier_nospec(enable);
46 }
47 
48 #ifdef CONFIG_DEBUG_FS
49 static int barrier_nospec_set(void *data, u64 val)
50 {
51 	switch (val) {
52 	case 0:
53 	case 1:
54 		break;
55 	default:
56 		return -EINVAL;
57 	}
58 
59 	if (!!val == !!barrier_nospec_enabled)
60 		return 0;
61 
62 	enable_barrier_nospec(!!val);
63 
64 	return 0;
65 }
66 
67 static int barrier_nospec_get(void *data, u64 *val)
68 {
69 	*val = barrier_nospec_enabled ? 1 : 0;
70 	return 0;
71 }
72 
73 DEFINE_SIMPLE_ATTRIBUTE(fops_barrier_nospec,
74 			barrier_nospec_get, barrier_nospec_set, "%llu\n");
75 
76 static __init int barrier_nospec_debugfs_init(void)
77 {
78 	debugfs_create_file("barrier_nospec", 0600, powerpc_debugfs_root, NULL,
79 			    &fops_barrier_nospec);
80 	return 0;
81 }
82 device_initcall(barrier_nospec_debugfs_init);
83 #endif /* CONFIG_DEBUG_FS */
84 
85 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
86 {
87 	bool thread_priv;
88 
89 	thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV);
90 
91 	if (rfi_flush || thread_priv) {
92 		struct seq_buf s;
93 		seq_buf_init(&s, buf, PAGE_SIZE - 1);
94 
95 		seq_buf_printf(&s, "Mitigation: ");
96 
97 		if (rfi_flush)
98 			seq_buf_printf(&s, "RFI Flush");
99 
100 		if (rfi_flush && thread_priv)
101 			seq_buf_printf(&s, ", ");
102 
103 		if (thread_priv)
104 			seq_buf_printf(&s, "L1D private per thread");
105 
106 		seq_buf_printf(&s, "\n");
107 
108 		return s.len;
109 	}
110 
111 	if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
112 	    !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
113 		return sprintf(buf, "Not affected\n");
114 
115 	return sprintf(buf, "Vulnerable\n");
116 }
117 
118 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
119 {
120 	struct seq_buf s;
121 
122 	seq_buf_init(&s, buf, PAGE_SIZE - 1);
123 
124 	if (security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR)) {
125 		if (barrier_nospec_enabled)
126 			seq_buf_printf(&s, "Mitigation: __user pointer sanitization");
127 		else
128 			seq_buf_printf(&s, "Vulnerable");
129 
130 		if (security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31))
131 			seq_buf_printf(&s, ", ori31 speculation barrier enabled");
132 
133 		seq_buf_printf(&s, "\n");
134 	} else
135 		seq_buf_printf(&s, "Not affected\n");
136 
137 	return s.len;
138 }
139 
140 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
141 {
142 	struct seq_buf s;
143 	bool bcs, ccd;
144 
145 	seq_buf_init(&s, buf, PAGE_SIZE - 1);
146 
147 	bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
148 	ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
149 
150 	if (bcs || ccd) {
151 		seq_buf_printf(&s, "Mitigation: ");
152 
153 		if (bcs)
154 			seq_buf_printf(&s, "Indirect branch serialisation (kernel only)");
155 
156 		if (bcs && ccd)
157 			seq_buf_printf(&s, ", ");
158 
159 		if (ccd)
160 			seq_buf_printf(&s, "Indirect branch cache disabled");
161 	} else
162 		seq_buf_printf(&s, "Vulnerable");
163 
164 	seq_buf_printf(&s, "\n");
165 
166 	return s.len;
167 }
168 
169 /*
170  * Store-forwarding barrier support.
171  */
172 
173 static enum stf_barrier_type stf_enabled_flush_types;
174 static bool no_stf_barrier;
175 bool stf_barrier;
176 
177 static int __init handle_no_stf_barrier(char *p)
178 {
179 	pr_info("stf-barrier: disabled on command line.");
180 	no_stf_barrier = true;
181 	return 0;
182 }
183 
184 early_param("no_stf_barrier", handle_no_stf_barrier);
185 
186 /* This is the generic flag used by other architectures */
187 static int __init handle_ssbd(char *p)
188 {
189 	if (!p || strncmp(p, "auto", 5) == 0 || strncmp(p, "on", 2) == 0 ) {
190 		/* Until firmware tells us, we have the barrier with auto */
191 		return 0;
192 	} else if (strncmp(p, "off", 3) == 0) {
193 		handle_no_stf_barrier(NULL);
194 		return 0;
195 	} else
196 		return 1;
197 
198 	return 0;
199 }
200 early_param("spec_store_bypass_disable", handle_ssbd);
201 
202 /* This is the generic flag used by other architectures */
203 static int __init handle_no_ssbd(char *p)
204 {
205 	handle_no_stf_barrier(NULL);
206 	return 0;
207 }
208 early_param("nospec_store_bypass_disable", handle_no_ssbd);
209 
210 static void stf_barrier_enable(bool enable)
211 {
212 	if (enable)
213 		do_stf_barrier_fixups(stf_enabled_flush_types);
214 	else
215 		do_stf_barrier_fixups(STF_BARRIER_NONE);
216 
217 	stf_barrier = enable;
218 }
219 
220 void setup_stf_barrier(void)
221 {
222 	enum stf_barrier_type type;
223 	bool enable, hv;
224 
225 	hv = cpu_has_feature(CPU_FTR_HVMODE);
226 
227 	/* Default to fallback in case fw-features are not available */
228 	if (cpu_has_feature(CPU_FTR_ARCH_300))
229 		type = STF_BARRIER_EIEIO;
230 	else if (cpu_has_feature(CPU_FTR_ARCH_207S))
231 		type = STF_BARRIER_SYNC_ORI;
232 	else if (cpu_has_feature(CPU_FTR_ARCH_206))
233 		type = STF_BARRIER_FALLBACK;
234 	else
235 		type = STF_BARRIER_NONE;
236 
237 	enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
238 		(security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) ||
239 		 (security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && hv));
240 
241 	if (type == STF_BARRIER_FALLBACK) {
242 		pr_info("stf-barrier: fallback barrier available\n");
243 	} else if (type == STF_BARRIER_SYNC_ORI) {
244 		pr_info("stf-barrier: hwsync barrier available\n");
245 	} else if (type == STF_BARRIER_EIEIO) {
246 		pr_info("stf-barrier: eieio barrier available\n");
247 	}
248 
249 	stf_enabled_flush_types = type;
250 
251 	if (!no_stf_barrier)
252 		stf_barrier_enable(enable);
253 }
254 
255 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
256 {
257 	if (stf_barrier && stf_enabled_flush_types != STF_BARRIER_NONE) {
258 		const char *type;
259 		switch (stf_enabled_flush_types) {
260 		case STF_BARRIER_EIEIO:
261 			type = "eieio";
262 			break;
263 		case STF_BARRIER_SYNC_ORI:
264 			type = "hwsync";
265 			break;
266 		case STF_BARRIER_FALLBACK:
267 			type = "fallback";
268 			break;
269 		default:
270 			type = "unknown";
271 		}
272 		return sprintf(buf, "Mitigation: Kernel entry/exit barrier (%s)\n", type);
273 	}
274 
275 	if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
276 	    !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
277 		return sprintf(buf, "Not affected\n");
278 
279 	return sprintf(buf, "Vulnerable\n");
280 }
281 
282 #ifdef CONFIG_DEBUG_FS
283 static int stf_barrier_set(void *data, u64 val)
284 {
285 	bool enable;
286 
287 	if (val == 1)
288 		enable = true;
289 	else if (val == 0)
290 		enable = false;
291 	else
292 		return -EINVAL;
293 
294 	/* Only do anything if we're changing state */
295 	if (enable != stf_barrier)
296 		stf_barrier_enable(enable);
297 
298 	return 0;
299 }
300 
301 static int stf_barrier_get(void *data, u64 *val)
302 {
303 	*val = stf_barrier ? 1 : 0;
304 	return 0;
305 }
306 
307 DEFINE_SIMPLE_ATTRIBUTE(fops_stf_barrier, stf_barrier_get, stf_barrier_set, "%llu\n");
308 
309 static __init int stf_barrier_debugfs_init(void)
310 {
311 	debugfs_create_file("stf_barrier", 0600, powerpc_debugfs_root, NULL, &fops_stf_barrier);
312 	return 0;
313 }
314 device_initcall(stf_barrier_debugfs_init);
315 #endif /* CONFIG_DEBUG_FS */
316