xref: /openbmc/linux/arch/powerpc/kernel/security.c (revision 7af6fbdd)
1 // SPDX-License-Identifier: GPL-2.0+
2 //
3 // Security related flags and so on.
4 //
5 // Copyright 2018, Michael Ellerman, IBM Corporation.
6 
7 #include <linux/cpu.h>
8 #include <linux/kernel.h>
9 #include <linux/device.h>
10 #include <linux/nospec.h>
11 #include <linux/prctl.h>
12 #include <linux/seq_buf.h>
13 
14 #include <asm/asm-prototypes.h>
15 #include <asm/code-patching.h>
16 #include <asm/debugfs.h>
17 #include <asm/security_features.h>
18 #include <asm/setup.h>
19 #include <asm/inst.h>
20 
21 
22 u64 powerpc_security_features __read_mostly = SEC_FTR_DEFAULT;
23 
24 enum branch_cache_flush_type {
25 	BRANCH_CACHE_FLUSH_NONE	= 0x1,
26 	BRANCH_CACHE_FLUSH_SW	= 0x2,
27 	BRANCH_CACHE_FLUSH_HW	= 0x4,
28 };
29 static enum branch_cache_flush_type count_cache_flush_type = BRANCH_CACHE_FLUSH_NONE;
30 static enum branch_cache_flush_type link_stack_flush_type = BRANCH_CACHE_FLUSH_NONE;
31 
32 bool barrier_nospec_enabled;
33 static bool no_nospec;
34 static bool btb_flush_enabled;
35 #if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64)
36 static bool no_spectrev2;
37 #endif
38 
39 static void enable_barrier_nospec(bool enable)
40 {
41 	barrier_nospec_enabled = enable;
42 	do_barrier_nospec_fixups(enable);
43 }
44 
45 void setup_barrier_nospec(void)
46 {
47 	bool enable;
48 
49 	/*
50 	 * It would make sense to check SEC_FTR_SPEC_BAR_ORI31 below as well.
51 	 * But there's a good reason not to. The two flags we check below are
52 	 * both are enabled by default in the kernel, so if the hcall is not
53 	 * functional they will be enabled.
54 	 * On a system where the host firmware has been updated (so the ori
55 	 * functions as a barrier), but on which the hypervisor (KVM/Qemu) has
56 	 * not been updated, we would like to enable the barrier. Dropping the
57 	 * check for SEC_FTR_SPEC_BAR_ORI31 achieves that. The only downside is
58 	 * we potentially enable the barrier on systems where the host firmware
59 	 * is not updated, but that's harmless as it's a no-op.
60 	 */
61 	enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
62 		 security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);
63 
64 	if (!no_nospec && !cpu_mitigations_off())
65 		enable_barrier_nospec(enable);
66 }
67 
68 static int __init handle_nospectre_v1(char *p)
69 {
70 	no_nospec = true;
71 
72 	return 0;
73 }
74 early_param("nospectre_v1", handle_nospectre_v1);
75 
76 #ifdef CONFIG_DEBUG_FS
77 static int barrier_nospec_set(void *data, u64 val)
78 {
79 	switch (val) {
80 	case 0:
81 	case 1:
82 		break;
83 	default:
84 		return -EINVAL;
85 	}
86 
87 	if (!!val == !!barrier_nospec_enabled)
88 		return 0;
89 
90 	enable_barrier_nospec(!!val);
91 
92 	return 0;
93 }
94 
95 static int barrier_nospec_get(void *data, u64 *val)
96 {
97 	*val = barrier_nospec_enabled ? 1 : 0;
98 	return 0;
99 }
100 
101 DEFINE_DEBUGFS_ATTRIBUTE(fops_barrier_nospec, barrier_nospec_get,
102 			 barrier_nospec_set, "%llu\n");
103 
104 static __init int barrier_nospec_debugfs_init(void)
105 {
106 	debugfs_create_file_unsafe("barrier_nospec", 0600,
107 				   powerpc_debugfs_root, NULL,
108 				   &fops_barrier_nospec);
109 	return 0;
110 }
111 device_initcall(barrier_nospec_debugfs_init);
112 
113 static __init int security_feature_debugfs_init(void)
114 {
115 	debugfs_create_x64("security_features", 0400, powerpc_debugfs_root,
116 			   &powerpc_security_features);
117 	return 0;
118 }
119 device_initcall(security_feature_debugfs_init);
120 #endif /* CONFIG_DEBUG_FS */
121 
122 #if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64)
123 static int __init handle_nospectre_v2(char *p)
124 {
125 	no_spectrev2 = true;
126 
127 	return 0;
128 }
129 early_param("nospectre_v2", handle_nospectre_v2);
130 #endif /* CONFIG_PPC_FSL_BOOK3E || CONFIG_PPC_BOOK3S_64 */
131 
132 #ifdef CONFIG_PPC_FSL_BOOK3E
133 void setup_spectre_v2(void)
134 {
135 	if (no_spectrev2 || cpu_mitigations_off())
136 		do_btb_flush_fixups();
137 	else
138 		btb_flush_enabled = true;
139 }
140 #endif /* CONFIG_PPC_FSL_BOOK3E */
141 
142 #ifdef CONFIG_PPC_BOOK3S_64
143 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
144 {
145 	bool thread_priv;
146 
147 	thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV);
148 
149 	if (rfi_flush) {
150 		struct seq_buf s;
151 		seq_buf_init(&s, buf, PAGE_SIZE - 1);
152 
153 		seq_buf_printf(&s, "Mitigation: RFI Flush");
154 		if (thread_priv)
155 			seq_buf_printf(&s, ", L1D private per thread");
156 
157 		seq_buf_printf(&s, "\n");
158 
159 		return s.len;
160 	}
161 
162 	if (thread_priv)
163 		return sprintf(buf, "Vulnerable: L1D private per thread\n");
164 
165 	if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
166 	    !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
167 		return sprintf(buf, "Not affected\n");
168 
169 	return sprintf(buf, "Vulnerable\n");
170 }
171 
172 ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
173 {
174 	return cpu_show_meltdown(dev, attr, buf);
175 }
176 #endif
177 
178 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
179 {
180 	struct seq_buf s;
181 
182 	seq_buf_init(&s, buf, PAGE_SIZE - 1);
183 
184 	if (security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR)) {
185 		if (barrier_nospec_enabled)
186 			seq_buf_printf(&s, "Mitigation: __user pointer sanitization");
187 		else
188 			seq_buf_printf(&s, "Vulnerable");
189 
190 		if (security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31))
191 			seq_buf_printf(&s, ", ori31 speculation barrier enabled");
192 
193 		seq_buf_printf(&s, "\n");
194 	} else
195 		seq_buf_printf(&s, "Not affected\n");
196 
197 	return s.len;
198 }
199 
200 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
201 {
202 	struct seq_buf s;
203 	bool bcs, ccd;
204 
205 	seq_buf_init(&s, buf, PAGE_SIZE - 1);
206 
207 	bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
208 	ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
209 
210 	if (bcs || ccd) {
211 		seq_buf_printf(&s, "Mitigation: ");
212 
213 		if (bcs)
214 			seq_buf_printf(&s, "Indirect branch serialisation (kernel only)");
215 
216 		if (bcs && ccd)
217 			seq_buf_printf(&s, ", ");
218 
219 		if (ccd)
220 			seq_buf_printf(&s, "Indirect branch cache disabled");
221 
222 	} else if (count_cache_flush_type != BRANCH_CACHE_FLUSH_NONE) {
223 		seq_buf_printf(&s, "Mitigation: Software count cache flush");
224 
225 		if (count_cache_flush_type == BRANCH_CACHE_FLUSH_HW)
226 			seq_buf_printf(&s, " (hardware accelerated)");
227 
228 	} else if (btb_flush_enabled) {
229 		seq_buf_printf(&s, "Mitigation: Branch predictor state flush");
230 	} else {
231 		seq_buf_printf(&s, "Vulnerable");
232 	}
233 
234 	if (bcs || ccd || count_cache_flush_type != BRANCH_CACHE_FLUSH_NONE) {
235 		if (link_stack_flush_type != BRANCH_CACHE_FLUSH_NONE)
236 			seq_buf_printf(&s, ", Software link stack flush");
237 		if (link_stack_flush_type == BRANCH_CACHE_FLUSH_HW)
238 			seq_buf_printf(&s, " (hardware accelerated)");
239 	}
240 
241 	seq_buf_printf(&s, "\n");
242 
243 	return s.len;
244 }
245 
246 #ifdef CONFIG_PPC_BOOK3S_64
247 /*
248  * Store-forwarding barrier support.
249  */
250 
251 static enum stf_barrier_type stf_enabled_flush_types;
252 static bool no_stf_barrier;
253 bool stf_barrier;
254 
255 static int __init handle_no_stf_barrier(char *p)
256 {
257 	pr_info("stf-barrier: disabled on command line.");
258 	no_stf_barrier = true;
259 	return 0;
260 }
261 
262 early_param("no_stf_barrier", handle_no_stf_barrier);
263 
264 /* This is the generic flag used by other architectures */
265 static int __init handle_ssbd(char *p)
266 {
267 	if (!p || strncmp(p, "auto", 5) == 0 || strncmp(p, "on", 2) == 0 ) {
268 		/* Until firmware tells us, we have the barrier with auto */
269 		return 0;
270 	} else if (strncmp(p, "off", 3) == 0) {
271 		handle_no_stf_barrier(NULL);
272 		return 0;
273 	} else
274 		return 1;
275 
276 	return 0;
277 }
278 early_param("spec_store_bypass_disable", handle_ssbd);
279 
280 /* This is the generic flag used by other architectures */
281 static int __init handle_no_ssbd(char *p)
282 {
283 	handle_no_stf_barrier(NULL);
284 	return 0;
285 }
286 early_param("nospec_store_bypass_disable", handle_no_ssbd);
287 
288 static void stf_barrier_enable(bool enable)
289 {
290 	if (enable)
291 		do_stf_barrier_fixups(stf_enabled_flush_types);
292 	else
293 		do_stf_barrier_fixups(STF_BARRIER_NONE);
294 
295 	stf_barrier = enable;
296 }
297 
298 void setup_stf_barrier(void)
299 {
300 	enum stf_barrier_type type;
301 	bool enable, hv;
302 
303 	hv = cpu_has_feature(CPU_FTR_HVMODE);
304 
305 	/* Default to fallback in case fw-features are not available */
306 	if (cpu_has_feature(CPU_FTR_ARCH_300))
307 		type = STF_BARRIER_EIEIO;
308 	else if (cpu_has_feature(CPU_FTR_ARCH_207S))
309 		type = STF_BARRIER_SYNC_ORI;
310 	else if (cpu_has_feature(CPU_FTR_ARCH_206))
311 		type = STF_BARRIER_FALLBACK;
312 	else
313 		type = STF_BARRIER_NONE;
314 
315 	enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
316 		(security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) ||
317 		 (security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && hv));
318 
319 	if (type == STF_BARRIER_FALLBACK) {
320 		pr_info("stf-barrier: fallback barrier available\n");
321 	} else if (type == STF_BARRIER_SYNC_ORI) {
322 		pr_info("stf-barrier: hwsync barrier available\n");
323 	} else if (type == STF_BARRIER_EIEIO) {
324 		pr_info("stf-barrier: eieio barrier available\n");
325 	}
326 
327 	stf_enabled_flush_types = type;
328 
329 	if (!no_stf_barrier && !cpu_mitigations_off())
330 		stf_barrier_enable(enable);
331 }
332 
333 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
334 {
335 	if (stf_barrier && stf_enabled_flush_types != STF_BARRIER_NONE) {
336 		const char *type;
337 		switch (stf_enabled_flush_types) {
338 		case STF_BARRIER_EIEIO:
339 			type = "eieio";
340 			break;
341 		case STF_BARRIER_SYNC_ORI:
342 			type = "hwsync";
343 			break;
344 		case STF_BARRIER_FALLBACK:
345 			type = "fallback";
346 			break;
347 		default:
348 			type = "unknown";
349 		}
350 		return sprintf(buf, "Mitigation: Kernel entry/exit barrier (%s)\n", type);
351 	}
352 
353 	if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
354 	    !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
355 		return sprintf(buf, "Not affected\n");
356 
357 	return sprintf(buf, "Vulnerable\n");
358 }
359 
360 static int ssb_prctl_get(struct task_struct *task)
361 {
362 	if (stf_enabled_flush_types == STF_BARRIER_NONE)
363 		/*
364 		 * We don't have an explicit signal from firmware that we're
365 		 * vulnerable or not, we only have certain CPU revisions that
366 		 * are known to be vulnerable.
367 		 *
368 		 * We assume that if we're on another CPU, where the barrier is
369 		 * NONE, then we are not vulnerable.
370 		 */
371 		return PR_SPEC_NOT_AFFECTED;
372 	else
373 		/*
374 		 * If we do have a barrier type then we are vulnerable. The
375 		 * barrier is not a global or per-process mitigation, so the
376 		 * only value we can report here is PR_SPEC_ENABLE, which
377 		 * appears as "vulnerable" in /proc.
378 		 */
379 		return PR_SPEC_ENABLE;
380 
381 	return -EINVAL;
382 }
383 
384 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
385 {
386 	switch (which) {
387 	case PR_SPEC_STORE_BYPASS:
388 		return ssb_prctl_get(task);
389 	default:
390 		return -ENODEV;
391 	}
392 }
393 
394 #ifdef CONFIG_DEBUG_FS
395 static int stf_barrier_set(void *data, u64 val)
396 {
397 	bool enable;
398 
399 	if (val == 1)
400 		enable = true;
401 	else if (val == 0)
402 		enable = false;
403 	else
404 		return -EINVAL;
405 
406 	/* Only do anything if we're changing state */
407 	if (enable != stf_barrier)
408 		stf_barrier_enable(enable);
409 
410 	return 0;
411 }
412 
413 static int stf_barrier_get(void *data, u64 *val)
414 {
415 	*val = stf_barrier ? 1 : 0;
416 	return 0;
417 }
418 
419 DEFINE_DEBUGFS_ATTRIBUTE(fops_stf_barrier, stf_barrier_get, stf_barrier_set,
420 			 "%llu\n");
421 
422 static __init int stf_barrier_debugfs_init(void)
423 {
424 	debugfs_create_file_unsafe("stf_barrier", 0600, powerpc_debugfs_root,
425 				   NULL, &fops_stf_barrier);
426 	return 0;
427 }
428 device_initcall(stf_barrier_debugfs_init);
429 #endif /* CONFIG_DEBUG_FS */
430 
431 static void update_branch_cache_flush(void)
432 {
433 #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
434 	// This controls the branch from guest_exit_cont to kvm_flush_link_stack
435 	if (link_stack_flush_type == BRANCH_CACHE_FLUSH_NONE) {
436 		patch_instruction_site(&patch__call_kvm_flush_link_stack,
437 				       ppc_inst(PPC_INST_NOP));
438 	} else {
439 		// Could use HW flush, but that could also flush count cache
440 		patch_branch_site(&patch__call_kvm_flush_link_stack,
441 				  (u64)&kvm_flush_link_stack, BRANCH_SET_LINK);
442 	}
443 #endif
444 
445 	// This controls the branch from _switch to flush_branch_caches
446 	if (count_cache_flush_type == BRANCH_CACHE_FLUSH_NONE &&
447 	    link_stack_flush_type == BRANCH_CACHE_FLUSH_NONE) {
448 		patch_instruction_site(&patch__call_flush_branch_caches,
449 				       ppc_inst(PPC_INST_NOP));
450 	} else if (count_cache_flush_type == BRANCH_CACHE_FLUSH_HW &&
451 		   link_stack_flush_type == BRANCH_CACHE_FLUSH_HW) {
452 		patch_instruction_site(&patch__call_flush_branch_caches,
453 				       ppc_inst(PPC_INST_BCCTR_FLUSH));
454 	} else {
455 		patch_branch_site(&patch__call_flush_branch_caches,
456 				  (u64)&flush_branch_caches, BRANCH_SET_LINK);
457 
458 		// If we just need to flush the link stack, early return
459 		if (count_cache_flush_type == BRANCH_CACHE_FLUSH_NONE) {
460 			patch_instruction_site(&patch__flush_link_stack_return,
461 					       ppc_inst(PPC_INST_BLR));
462 
463 		// If we have flush instruction, early return
464 		} else if (count_cache_flush_type == BRANCH_CACHE_FLUSH_HW) {
465 			patch_instruction_site(&patch__flush_count_cache_return,
466 					       ppc_inst(PPC_INST_BLR));
467 		}
468 	}
469 }
470 
471 static void toggle_branch_cache_flush(bool enable)
472 {
473 	if (!enable || !security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) {
474 		if (count_cache_flush_type != BRANCH_CACHE_FLUSH_NONE)
475 			count_cache_flush_type = BRANCH_CACHE_FLUSH_NONE;
476 
477 		pr_info("count-cache-flush: flush disabled.\n");
478 	} else {
479 		if (security_ftr_enabled(SEC_FTR_BCCTR_FLUSH_ASSIST)) {
480 			count_cache_flush_type = BRANCH_CACHE_FLUSH_HW;
481 			pr_info("count-cache-flush: hardware flush enabled.\n");
482 		} else {
483 			count_cache_flush_type = BRANCH_CACHE_FLUSH_SW;
484 			pr_info("count-cache-flush: software flush enabled.\n");
485 		}
486 	}
487 
488 	if (!enable || !security_ftr_enabled(SEC_FTR_FLUSH_LINK_STACK)) {
489 		if (link_stack_flush_type != BRANCH_CACHE_FLUSH_NONE)
490 			link_stack_flush_type = BRANCH_CACHE_FLUSH_NONE;
491 
492 		pr_info("link-stack-flush: flush disabled.\n");
493 	} else {
494 		if (security_ftr_enabled(SEC_FTR_BCCTR_LINK_FLUSH_ASSIST)) {
495 			link_stack_flush_type = BRANCH_CACHE_FLUSH_HW;
496 			pr_info("link-stack-flush: hardware flush enabled.\n");
497 		} else {
498 			link_stack_flush_type = BRANCH_CACHE_FLUSH_SW;
499 			pr_info("link-stack-flush: software flush enabled.\n");
500 		}
501 	}
502 
503 	update_branch_cache_flush();
504 }
505 
506 void setup_count_cache_flush(void)
507 {
508 	bool enable = true;
509 
510 	if (no_spectrev2 || cpu_mitigations_off()) {
511 		if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) ||
512 		    security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED))
513 			pr_warn("Spectre v2 mitigations not fully under software control, can't disable\n");
514 
515 		enable = false;
516 	}
517 
518 	/*
519 	 * There's no firmware feature flag/hypervisor bit to tell us we need to
520 	 * flush the link stack on context switch. So we set it here if we see
521 	 * either of the Spectre v2 mitigations that aim to protect userspace.
522 	 */
523 	if (security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED) ||
524 	    security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE))
525 		security_ftr_set(SEC_FTR_FLUSH_LINK_STACK);
526 
527 	toggle_branch_cache_flush(enable);
528 }
529 
530 #ifdef CONFIG_DEBUG_FS
531 static int count_cache_flush_set(void *data, u64 val)
532 {
533 	bool enable;
534 
535 	if (val == 1)
536 		enable = true;
537 	else if (val == 0)
538 		enable = false;
539 	else
540 		return -EINVAL;
541 
542 	toggle_branch_cache_flush(enable);
543 
544 	return 0;
545 }
546 
547 static int count_cache_flush_get(void *data, u64 *val)
548 {
549 	if (count_cache_flush_type == BRANCH_CACHE_FLUSH_NONE)
550 		*val = 0;
551 	else
552 		*val = 1;
553 
554 	return 0;
555 }
556 
557 DEFINE_DEBUGFS_ATTRIBUTE(fops_count_cache_flush, count_cache_flush_get,
558 			 count_cache_flush_set, "%llu\n");
559 
560 static __init int count_cache_flush_debugfs_init(void)
561 {
562 	debugfs_create_file_unsafe("count_cache_flush", 0600,
563 				   powerpc_debugfs_root, NULL,
564 				   &fops_count_cache_flush);
565 	return 0;
566 }
567 device_initcall(count_cache_flush_debugfs_init);
568 #endif /* CONFIG_DEBUG_FS */
569 #endif /* CONFIG_PPC_BOOK3S_64 */
570