xref: /openbmc/linux/Documentation/userspace-api/spec_ctrl.rst (revision 762f99f4f3cb41a775b5157dd761217beba65873) 
1b617cfc8SThomas Gleixner===================
2b617cfc8SThomas GleixnerSpeculation Control
3b617cfc8SThomas Gleixner===================
4b617cfc8SThomas Gleixner
5dd079269SBorislav PetkovQuite some CPUs have speculation-related misfeatures which are in
6dd079269SBorislav Petkovfact vulnerabilities causing data leaks in various forms even across
7dd079269SBorislav Petkovprivilege domains.
8b617cfc8SThomas Gleixner
9b617cfc8SThomas GleixnerThe kernel provides mitigation for such vulnerabilities in various
10dd079269SBorislav Petkovforms. Some of these mitigations are compile-time configurable and some
11dd079269SBorislav Petkovcan be supplied on the kernel command line.
12b617cfc8SThomas Gleixner
13b617cfc8SThomas GleixnerThere is also a class of mitigations which are very expensive, but they can
14b617cfc8SThomas Gleixnerbe restricted to a certain set of processes or tasks in controlled
15b617cfc8SThomas Gleixnerenvironments. The mechanism to control these mitigations is via
16b617cfc8SThomas Gleixner:manpage:`prctl(2)`.
17b617cfc8SThomas Gleixner
18b617cfc8SThomas GleixnerThere are two prctl options which are related to this:
19b617cfc8SThomas Gleixner
20b617cfc8SThomas Gleixner * PR_GET_SPECULATION_CTRL
21b617cfc8SThomas Gleixner
22b617cfc8SThomas Gleixner * PR_SET_SPECULATION_CTRL
23b617cfc8SThomas Gleixner
24b617cfc8SThomas GleixnerPR_GET_SPECULATION_CTRL
25b617cfc8SThomas Gleixner-----------------------
26b617cfc8SThomas Gleixner
27b617cfc8SThomas GleixnerPR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
28356e4bffSThomas Gleixnerwhich is selected with arg2 of prctl(2). The return value uses bits 0-3 with
29b617cfc8SThomas Gleixnerthe following meaning:
30b617cfc8SThomas Gleixner
31356e4bffSThomas Gleixner==== ====================== ==================================================
32b617cfc8SThomas GleixnerBit  Define                 Description
33356e4bffSThomas Gleixner==== ====================== ==================================================
34b617cfc8SThomas Gleixner0    PR_SPEC_PRCTL          Mitigation can be controlled per task by
35dd079269SBorislav Petkov                            PR_SET_SPECULATION_CTRL.
36b617cfc8SThomas Gleixner1    PR_SPEC_ENABLE         The speculation feature is enabled, mitigation is
37dd079269SBorislav Petkov                            disabled.
38b617cfc8SThomas Gleixner2    PR_SPEC_DISABLE        The speculation feature is disabled, mitigation is
39dd079269SBorislav Petkov                            enabled.
40356e4bffSThomas Gleixner3    PR_SPEC_FORCE_DISABLE  Same as PR_SPEC_DISABLE, but cannot be undone. A
41356e4bffSThomas Gleixner                            subsequent prctl(..., PR_SPEC_ENABLE) will fail.
4271368af9SWaiman Long4    PR_SPEC_DISABLE_NOEXEC Same as PR_SPEC_DISABLE, but the state will be
4371368af9SWaiman Long                            cleared on :manpage:`execve(2)`.
44356e4bffSThomas Gleixner==== ====================== ==================================================
45b617cfc8SThomas Gleixner
46b617cfc8SThomas GleixnerIf all bits are 0 the CPU is not affected by the speculation misfeature.
47b617cfc8SThomas Gleixner
48dd079269SBorislav PetkovIf PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
49b617cfc8SThomas Gleixneravailable. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
50b617cfc8SThomas Gleixnermisfeature will fail.
51b617cfc8SThomas Gleixner
526e885594STim Chen.. _set_spec_ctrl:
536e885594STim Chen
54b617cfc8SThomas GleixnerPR_SET_SPECULATION_CTRL
55b617cfc8SThomas Gleixner-----------------------
56356e4bffSThomas Gleixner
57b617cfc8SThomas GleixnerPR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
58b617cfc8SThomas Gleixneris selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
59356e4bffSThomas Gleixnerin the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
60356e4bffSThomas GleixnerPR_SPEC_FORCE_DISABLE.
61b617cfc8SThomas Gleixner
62b617cfc8SThomas GleixnerCommon error codes
63b617cfc8SThomas Gleixner------------------
64b617cfc8SThomas Gleixner======= =================================================================
65b617cfc8SThomas GleixnerValue   Meaning
66b617cfc8SThomas Gleixner======= =================================================================
67b617cfc8SThomas GleixnerEINVAL  The prctl is not implemented by the architecture or unused
68dd079269SBorislav Petkov        prctl(2) arguments are not 0.
69b617cfc8SThomas Gleixner
70dd079269SBorislav PetkovENODEV  arg2 is selecting a not supported speculation misfeature.
71b617cfc8SThomas Gleixner======= =================================================================
72b617cfc8SThomas Gleixner
73b617cfc8SThomas GleixnerPR_SET_SPECULATION_CTRL error codes
74b617cfc8SThomas Gleixner-----------------------------------
75b617cfc8SThomas Gleixner======= =================================================================
76b617cfc8SThomas GleixnerValue   Meaning
77b617cfc8SThomas Gleixner======= =================================================================
78b617cfc8SThomas Gleixner0       Success
79b617cfc8SThomas Gleixner
80b617cfc8SThomas GleixnerERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
81dd079269SBorislav Petkov        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.
82b617cfc8SThomas Gleixner
83b617cfc8SThomas GleixnerENXIO   Control of the selected speculation misfeature is not possible.
84b617cfc8SThomas Gleixner        See PR_GET_SPECULATION_CTRL.
85356e4bffSThomas Gleixner
86356e4bffSThomas GleixnerEPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
87356e4bffSThomas Gleixner        tried to enable it again.
88b617cfc8SThomas Gleixner======= =================================================================
89b617cfc8SThomas Gleixner
90b617cfc8SThomas GleixnerSpeculation misfeature controls
91b617cfc8SThomas Gleixner-------------------------------
92b617cfc8SThomas Gleixner- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
93b617cfc8SThomas Gleixner
94b617cfc8SThomas Gleixner  Invocations:
95b617cfc8SThomas Gleixner   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
96b617cfc8SThomas Gleixner   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
97b617cfc8SThomas Gleixner   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
98356e4bffSThomas Gleixner   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
9971368af9SWaiman Long   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE_NOEXEC, 0, 0);
1009137bb27SThomas Gleixner
1019137bb27SThomas Gleixner- PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes
1029137bb27SThomas Gleixner                        (Mitigate Spectre V2 style attacks against user processes)
1039137bb27SThomas Gleixner
1049137bb27SThomas Gleixner  Invocations:
1059137bb27SThomas Gleixner   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
1069137bb27SThomas Gleixner   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
1079137bb27SThomas Gleixner   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
1089137bb27SThomas Gleixner   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
109*b7fe54f6SBalbir Singh
110*b7fe54f6SBalbir Singh- PR_SPEC_L1D_FLUSH: Flush L1D Cache on context switch out of the task
111*b7fe54f6SBalbir Singh                        (works only when tasks run on non SMT cores)
112*b7fe54f6SBalbir Singh
113*b7fe54f6SBalbir Singh  Invocations:
114*b7fe54f6SBalbir Singh   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, 0, 0, 0);
115*b7fe54f6SBalbir Singh   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);
116*b7fe54f6SBalbir Singh   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_DISABLE, 0, 0);
117