1. 07 8月, 2018 1 次提交
  2. 24 7月, 2018 1 次提交
    • M
      powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 · 6d44acae
      Michael Ellerman 提交于
      When I added the spectre_v2 information in sysfs, I included the
      availability of the ori31 speculation barrier.
      
      Although the ori31 barrier can be used to mitigate v2, it's primarily
      intended as a spectre v1 mitigation. Spectre v2 is mitigated by
      hardware changes.
      
      So rework the sysfs files to show the ori31 information in the
      spectre_v1 file, rather than v2.
      
      Currently we display eg:
      
        $ grep . spectre_v*
        spectre_v1:Mitigation: __user pointer sanitization
        spectre_v2:Mitigation: Indirect branch cache disabled, ori31 speculation barrier enabled
      
      After:
      
        $ grep . spectre_v*
        spectre_v1:Mitigation: __user pointer sanitization, ori31 speculation barrier enabled
        spectre_v2:Mitigation: Indirect branch cache disabled
      
      Fixes: d6fbe1c5 ("powerpc/64s: Wire up cpu_show_spectre_v2()")
      Cc: stable@vger.kernel.org # v4.17+
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      6d44acae
  3. 03 6月, 2018 4 次提交
  4. 22 5月, 2018 1 次提交
  5. 03 4月, 2018 1 次提交
  6. 27 3月, 2018 5 次提交
    • M
      powerpc/64s: Wire up cpu_show_spectre_v2() · d6fbe1c5
      Michael Ellerman 提交于
      Add a definition for cpu_show_spectre_v2() to override the generic
      version. This has several permuations, though in practice some may not
      occur we cater for any combination.
      
      The most verbose is:
      
        Mitigation: Indirect branch serialisation (kernel only), Indirect
        branch cache disabled, ori31 speculation barrier enabled
      
      We don't treat the ori31 speculation barrier as a mitigation on its
      own, because it has to be *used* by code in order to be a mitigation
      and we don't know if userspace is doing that. So if that's all we see
      we say:
      
        Vulnerable, ori31 speculation barrier enabled
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      d6fbe1c5
    • M
      powerpc/64s: Wire up cpu_show_spectre_v1() · 56986016
      Michael Ellerman 提交于
      Add a definition for cpu_show_spectre_v1() to override the generic
      version. Currently this just prints "Not affected" or "Vulnerable"
      based on the firmware flag.
      
      Although the kernel does have array_index_nospec() in a few places, we
      haven't yet audited all the powerpc code to see where it's necessary,
      so for now we don't list that as a mitigation.
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      56986016
    • M
      powerpc/64s: Enhance the information in cpu_show_meltdown() · ff348355
      Michael Ellerman 提交于
      Now that we have the security feature flags we can make the
      information displayed in the "meltdown" file more informative.
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      ff348355
    • M
      powerpc/64s: Move cpu_show_meltdown() · 8ad33041
      Michael Ellerman 提交于
      This landed in setup_64.c for no good reason other than we had nowhere
      else to put it. Now that we have a security-related file, that is a
      better place for it so move it.
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      8ad33041
    • M
      powerpc: Add security feature flags for Spectre/Meltdown · 9a868f63
      Michael Ellerman 提交于
      This commit adds security feature flags to reflect the settings we
      receive from firmware regarding Spectre/Meltdown mitigations.
      
      The feature names reflect the names we are given by firmware on bare
      metal machines. See the hostboot source for details.
      
      Arguably these could be firmware features, but that then requires them
      to be read early in boot so they're available prior to asm feature
      patching, but we don't actually want to use them for patching. We may
      also want to dynamically update them in future, which would be
      incompatible with the way firmware features work (at the moment at
      least). So for now just make them separate flags.
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      9a868f63