1 // SPDX-License-Identifier: GPL-2.0+ 2 // 3 // Security related flags and so on. 4 // 5 // Copyright 2018, Michael Ellerman, IBM Corporation. 6 7 #include <linux/cpu.h> 8 #include <linux/kernel.h> 9 #include <linux/device.h> 10 #include <linux/seq_buf.h> 11 12 #include <asm/asm-prototypes.h> 13 #include <asm/code-patching.h> 14 #include <asm/debugfs.h> 15 #include <asm/security_features.h> 16 #include <asm/setup.h> 17 18 19 unsigned long powerpc_security_features __read_mostly = SEC_FTR_DEFAULT; 20 21 enum count_cache_flush_type { 22 COUNT_CACHE_FLUSH_NONE = 0x1, 23 COUNT_CACHE_FLUSH_SW = 0x2, 24 COUNT_CACHE_FLUSH_HW = 0x4, 25 }; 26 static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; 27 28 bool barrier_nospec_enabled; 29 static bool no_nospec; 30 static bool btb_flush_enabled; 31 #if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64) 32 static bool no_spectrev2; 33 #endif 34 35 static void enable_barrier_nospec(bool enable) 36 { 37 barrier_nospec_enabled = enable; 38 do_barrier_nospec_fixups(enable); 39 } 40 41 void setup_barrier_nospec(void) 42 { 43 bool enable; 44 45 /* 46 * It would make sense to check SEC_FTR_SPEC_BAR_ORI31 below as well. 47 * But there's a good reason not to. The two flags we check below are 48 * both are enabled by default in the kernel, so if the hcall is not 49 * functional they will be enabled. 50 * On a system where the host firmware has been updated (so the ori 51 * functions as a barrier), but on which the hypervisor (KVM/Qemu) has 52 * not been updated, we would like to enable the barrier. Dropping the 53 * check for SEC_FTR_SPEC_BAR_ORI31 achieves that. The only downside is 54 * we potentially enable the barrier on systems where the host firmware 55 * is not updated, but that's harmless as it's a no-op. 56 */ 57 enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && 58 security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR); 59 60 if (!no_nospec && !cpu_mitigations_off()) 61 enable_barrier_nospec(enable); 62 } 63 64 static int __init handle_nospectre_v1(char *p) 65 { 66 no_nospec = true; 67 68 return 0; 69 } 70 early_param("nospectre_v1", handle_nospectre_v1); 71 72 #ifdef CONFIG_DEBUG_FS 73 static int barrier_nospec_set(void *data, u64 val) 74 { 75 switch (val) { 76 case 0: 77 case 1: 78 break; 79 default: 80 return -EINVAL; 81 } 82 83 if (!!val == !!barrier_nospec_enabled) 84 return 0; 85 86 enable_barrier_nospec(!!val); 87 88 return 0; 89 } 90 91 static int barrier_nospec_get(void *data, u64 *val) 92 { 93 *val = barrier_nospec_enabled ? 1 : 0; 94 return 0; 95 } 96 97 DEFINE_SIMPLE_ATTRIBUTE(fops_barrier_nospec, 98 barrier_nospec_get, barrier_nospec_set, "%llu\n"); 99 100 static __init int barrier_nospec_debugfs_init(void) 101 { 102 debugfs_create_file("barrier_nospec", 0600, powerpc_debugfs_root, NULL, 103 &fops_barrier_nospec); 104 return 0; 105 } 106 device_initcall(barrier_nospec_debugfs_init); 107 108 static __init int security_feature_debugfs_init(void) 109 { 110 debugfs_create_x64("security_features", 0400, powerpc_debugfs_root, 111 (u64 *)&powerpc_security_features); 112 return 0; 113 } 114 device_initcall(security_feature_debugfs_init); 115 #endif /* CONFIG_DEBUG_FS */ 116 117 #if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64) 118 static int __init handle_nospectre_v2(char *p) 119 { 120 no_spectrev2 = true; 121 122 return 0; 123 } 124 early_param("nospectre_v2", handle_nospectre_v2); 125 #endif /* CONFIG_PPC_FSL_BOOK3E || CONFIG_PPC_BOOK3S_64 */ 126 127 #ifdef CONFIG_PPC_FSL_BOOK3E 128 void setup_spectre_v2(void) 129 { 130 if (no_spectrev2 || cpu_mitigations_off()) 131 do_btb_flush_fixups(); 132 else 133 btb_flush_enabled = true; 134 } 135 #endif /* CONFIG_PPC_FSL_BOOK3E */ 136 137 #ifdef CONFIG_PPC_BOOK3S_64 138 ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf) 139 { 140 bool thread_priv; 141 142 thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV); 143 144 if (rfi_flush || thread_priv) { 145 struct seq_buf s; 146 seq_buf_init(&s, buf, PAGE_SIZE - 1); 147 148 seq_buf_printf(&s, "Mitigation: "); 149 150 if (rfi_flush) 151 seq_buf_printf(&s, "RFI Flush"); 152 153 if (rfi_flush && thread_priv) 154 seq_buf_printf(&s, ", "); 155 156 if (thread_priv) 157 seq_buf_printf(&s, "L1D private per thread"); 158 159 seq_buf_printf(&s, "\n"); 160 161 return s.len; 162 } 163 164 if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && 165 !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR)) 166 return sprintf(buf, "Not affected\n"); 167 168 return sprintf(buf, "Vulnerable\n"); 169 } 170 #endif 171 172 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) 173 { 174 struct seq_buf s; 175 176 seq_buf_init(&s, buf, PAGE_SIZE - 1); 177 178 if (security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR)) { 179 if (barrier_nospec_enabled) 180 seq_buf_printf(&s, "Mitigation: __user pointer sanitization"); 181 else 182 seq_buf_printf(&s, "Vulnerable"); 183 184 if (security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31)) 185 seq_buf_printf(&s, ", ori31 speculation barrier enabled"); 186 187 seq_buf_printf(&s, "\n"); 188 } else 189 seq_buf_printf(&s, "Not affected\n"); 190 191 return s.len; 192 } 193 194 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf) 195 { 196 struct seq_buf s; 197 bool bcs, ccd; 198 199 seq_buf_init(&s, buf, PAGE_SIZE - 1); 200 201 bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED); 202 ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED); 203 204 if (bcs || ccd) { 205 seq_buf_printf(&s, "Mitigation: "); 206 207 if (bcs) 208 seq_buf_printf(&s, "Indirect branch serialisation (kernel only)"); 209 210 if (bcs && ccd) 211 seq_buf_printf(&s, ", "); 212 213 if (ccd) 214 seq_buf_printf(&s, "Indirect branch cache disabled"); 215 } else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) { 216 seq_buf_printf(&s, "Mitigation: Software count cache flush"); 217 218 if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW) 219 seq_buf_printf(&s, " (hardware accelerated)"); 220 } else if (btb_flush_enabled) { 221 seq_buf_printf(&s, "Mitigation: Branch predictor state flush"); 222 } else { 223 seq_buf_printf(&s, "Vulnerable"); 224 } 225 226 seq_buf_printf(&s, "\n"); 227 228 return s.len; 229 } 230 231 #ifdef CONFIG_PPC_BOOK3S_64 232 /* 233 * Store-forwarding barrier support. 234 */ 235 236 static enum stf_barrier_type stf_enabled_flush_types; 237 static bool no_stf_barrier; 238 bool stf_barrier; 239 240 static int __init handle_no_stf_barrier(char *p) 241 { 242 pr_info("stf-barrier: disabled on command line."); 243 no_stf_barrier = true; 244 return 0; 245 } 246 247 early_param("no_stf_barrier", handle_no_stf_barrier); 248 249 /* This is the generic flag used by other architectures */ 250 static int __init handle_ssbd(char *p) 251 { 252 if (!p || strncmp(p, "auto", 5) == 0 || strncmp(p, "on", 2) == 0 ) { 253 /* Until firmware tells us, we have the barrier with auto */ 254 return 0; 255 } else if (strncmp(p, "off", 3) == 0) { 256 handle_no_stf_barrier(NULL); 257 return 0; 258 } else 259 return 1; 260 261 return 0; 262 } 263 early_param("spec_store_bypass_disable", handle_ssbd); 264 265 /* This is the generic flag used by other architectures */ 266 static int __init handle_no_ssbd(char *p) 267 { 268 handle_no_stf_barrier(NULL); 269 return 0; 270 } 271 early_param("nospec_store_bypass_disable", handle_no_ssbd); 272 273 static void stf_barrier_enable(bool enable) 274 { 275 if (enable) 276 do_stf_barrier_fixups(stf_enabled_flush_types); 277 else 278 do_stf_barrier_fixups(STF_BARRIER_NONE); 279 280 stf_barrier = enable; 281 } 282 283 void setup_stf_barrier(void) 284 { 285 enum stf_barrier_type type; 286 bool enable, hv; 287 288 hv = cpu_has_feature(CPU_FTR_HVMODE); 289 290 /* Default to fallback in case fw-features are not available */ 291 if (cpu_has_feature(CPU_FTR_ARCH_300)) 292 type = STF_BARRIER_EIEIO; 293 else if (cpu_has_feature(CPU_FTR_ARCH_207S)) 294 type = STF_BARRIER_SYNC_ORI; 295 else if (cpu_has_feature(CPU_FTR_ARCH_206)) 296 type = STF_BARRIER_FALLBACK; 297 else 298 type = STF_BARRIER_NONE; 299 300 enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) && 301 (security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) || 302 (security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && hv)); 303 304 if (type == STF_BARRIER_FALLBACK) { 305 pr_info("stf-barrier: fallback barrier available\n"); 306 } else if (type == STF_BARRIER_SYNC_ORI) { 307 pr_info("stf-barrier: hwsync barrier available\n"); 308 } else if (type == STF_BARRIER_EIEIO) { 309 pr_info("stf-barrier: eieio barrier available\n"); 310 } 311 312 stf_enabled_flush_types = type; 313 314 if (!no_stf_barrier && !cpu_mitigations_off()) 315 stf_barrier_enable(enable); 316 } 317 318 ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf) 319 { 320 if (stf_barrier && stf_enabled_flush_types != STF_BARRIER_NONE) { 321 const char *type; 322 switch (stf_enabled_flush_types) { 323 case STF_BARRIER_EIEIO: 324 type = "eieio"; 325 break; 326 case STF_BARRIER_SYNC_ORI: 327 type = "hwsync"; 328 break; 329 case STF_BARRIER_FALLBACK: 330 type = "fallback"; 331 break; 332 default: 333 type = "unknown"; 334 } 335 return sprintf(buf, "Mitigation: Kernel entry/exit barrier (%s)\n", type); 336 } 337 338 if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && 339 !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR)) 340 return sprintf(buf, "Not affected\n"); 341 342 return sprintf(buf, "Vulnerable\n"); 343 } 344 345 #ifdef CONFIG_DEBUG_FS 346 static int stf_barrier_set(void *data, u64 val) 347 { 348 bool enable; 349 350 if (val == 1) 351 enable = true; 352 else if (val == 0) 353 enable = false; 354 else 355 return -EINVAL; 356 357 /* Only do anything if we're changing state */ 358 if (enable != stf_barrier) 359 stf_barrier_enable(enable); 360 361 return 0; 362 } 363 364 static int stf_barrier_get(void *data, u64 *val) 365 { 366 *val = stf_barrier ? 1 : 0; 367 return 0; 368 } 369 370 DEFINE_SIMPLE_ATTRIBUTE(fops_stf_barrier, stf_barrier_get, stf_barrier_set, "%llu\n"); 371 372 static __init int stf_barrier_debugfs_init(void) 373 { 374 debugfs_create_file("stf_barrier", 0600, powerpc_debugfs_root, NULL, &fops_stf_barrier); 375 return 0; 376 } 377 device_initcall(stf_barrier_debugfs_init); 378 #endif /* CONFIG_DEBUG_FS */ 379 380 static void toggle_count_cache_flush(bool enable) 381 { 382 if (!enable || !security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) { 383 patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP); 384 count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; 385 pr_info("count-cache-flush: software flush disabled.\n"); 386 return; 387 } 388 389 patch_branch_site(&patch__call_flush_count_cache, 390 (u64)&flush_count_cache, BRANCH_SET_LINK); 391 392 if (!security_ftr_enabled(SEC_FTR_BCCTR_FLUSH_ASSIST)) { 393 count_cache_flush_type = COUNT_CACHE_FLUSH_SW; 394 pr_info("count-cache-flush: full software flush sequence enabled.\n"); 395 return; 396 } 397 398 patch_instruction_site(&patch__flush_count_cache_return, PPC_INST_BLR); 399 count_cache_flush_type = COUNT_CACHE_FLUSH_HW; 400 pr_info("count-cache-flush: hardware assisted flush sequence enabled\n"); 401 } 402 403 void setup_count_cache_flush(void) 404 { 405 bool enable = true; 406 407 if (no_spectrev2 || cpu_mitigations_off()) { 408 if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) || 409 security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED)) 410 pr_warn("Spectre v2 mitigations not under software control, can't disable\n"); 411 412 enable = false; 413 } 414 415 toggle_count_cache_flush(enable); 416 } 417 418 #ifdef CONFIG_DEBUG_FS 419 static int count_cache_flush_set(void *data, u64 val) 420 { 421 bool enable; 422 423 if (val == 1) 424 enable = true; 425 else if (val == 0) 426 enable = false; 427 else 428 return -EINVAL; 429 430 toggle_count_cache_flush(enable); 431 432 return 0; 433 } 434 435 static int count_cache_flush_get(void *data, u64 *val) 436 { 437 if (count_cache_flush_type == COUNT_CACHE_FLUSH_NONE) 438 *val = 0; 439 else 440 *val = 1; 441 442 return 0; 443 } 444 445 DEFINE_SIMPLE_ATTRIBUTE(fops_count_cache_flush, count_cache_flush_get, 446 count_cache_flush_set, "%llu\n"); 447 448 static __init int count_cache_flush_debugfs_init(void) 449 { 450 debugfs_create_file("count_cache_flush", 0600, powerpc_debugfs_root, 451 NULL, &fops_count_cache_flush); 452 return 0; 453 } 454 device_initcall(count_cache_flush_debugfs_init); 455 #endif /* CONFIG_DEBUG_FS */ 456 #endif /* CONFIG_PPC_BOOK3S_64 */ 457