Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752051AbeAPU4f (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Tue, 16 Jan 2018 15:56:35 -0500
Received: from Galois.linutronix.de ([146.0.238.70]:44265 "EHLO
        Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751974AbeAPU4e (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 16 Jan 2018 15:56:34 -0500
Date: Tue, 16 Jan 2018 21:56:26 +0100 (CET)
From: Thomas Gleixner <tglx@linutronix.de>
To: Andi Kleen <andi@firstfloor.org>
cc: dwmw@amazon.co.uk, torvalds@linux-foundation.org,
        linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org,
        arjan.van.de.ven@intel.com, peterz@infradead.org,
        Andi Kleen <ak@linux.intel.com>, jeyu@kernel.org
Subject: Re: [PATCH v2] retpoline/module: Warn for missing retpoline in
 module
In-Reply-To: <20180112221323.3304-1-andi@firstfloor.org>
Message-ID: <alpine.DEB.2.20.1801162132410.2366@nanos>
References: <20180112221323.3304-1-andi@firstfloor.org>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Linutronix-Spam-Score: -1.0
X-Linutronix-Spam-Level: -
X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,  ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Fri, 12 Jan 2018, Andi Kleen wrote:
> From: Andi Kleen <ak@linux.intel.com>
>  void stop_this_cpu(void *dummy);
>  void df_debug(struct pt_regs *regs, long error_code);
> +
> +void disable_retpoline(void);
> +bool retpoline_enabled(void);

Can you please use a consistent name space? retpoline_ ... or such?

> +/* A module has been loaded. Disable reporting that we're good. */
> +void disable_retpoline(void)
> +{
> +	spectre_v2_enabled = SPECTRE_V2_NONE;

I really don't like fiddling with that variable. That's just hackery. The
variable reflects the actual enabled mitigation state of the kernel proper.

> +	pr_err("system may be vunerable to spectre\n");
> +}
> +
> +bool retpoline_enabled(void)
> +{
> +	return spectre_v2_enabled != SPECTRE_V2_NONE;
> +}

That'll break once we get other mitigation variants.

> @@ -3020,7 +3020,13 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
>  				mod->name);
>  		add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
>  	}
> -

These newlines are there to separate stuff for readability sake.

> +#ifdef RETPOLINE
> +	if (retpoline_enabled() && !get_modinfo(info, "retpoline")) {
> +		pr_warn("%s: loading module not compiled with retpoline compiler.\n",
> +				mod->name);
> +		disable_retpoline();
> +	}
> +#endif

This really can be done in a cleaner way.

in linux/module.h

#ifdef RETPOLINE
extern bool retpoline_module_ok(bool has_retpoline);
#else
static inline bool retpoline_module_ok(bool has_retpoline)
{
	return true;
}
#endif

static void check_modinfo_retpoline(mod, info)
{
	if (retpoline_module_ok(get_modinfo(info, "retpoline")))
		return;
		
	pr_warn("%s: loading module not compiled with retpoline compiler.\n",
		mod->name);
}

That only needs one function and that one can take care of setting a
variable in the spectre code which then influences the sysfs output.

And that output should not be "Vulnerable" like you force with the hack
above. It actually should tell WHY it is vulnerable despite having had
protection in place before the module was loaded.

Thanks,

	tglx