From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, greg@kroah.com
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Michael Ellerman
Subject: [PATCH 4.16 039/161] powerpc/powernv: Set or clear security feature flags
Date: Thu, 24 May 2018 11:37:44 +0200
Message-Id: <20180524093023.020854442@linuxfoundation.org>
In-Reply-To: <20180524093018.331893860@linuxfoundation.org>
References: <20180524093018.331893860@linuxfoundation.org>

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Ellerman

commit 77addf6e95c8689e478d607176b399a6242a777e upstream.

Now that we have feature flags for security related things, set or clear
them based on what we see in the device tree provided by firmware.

Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman
---
 arch/powerpc/platforms/powernv/setup.c | 56 +++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

--- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c
@@ -38,9 +38,63 @@ #include #include #include +#include #include "powernv.h" + +static bool fw_feature_is(const char *state, const char *name, + struct device_node *fw_features) +{ + struct device_node *np; + bool rc = false; + + np = of_get_child_by_name(fw_features, name); + if (np) { + rc = of_property_read_bool(np, state); + of_node_put(np); + } + + return rc; +} + +static void init_fw_feat_flags(struct device_node *np) +{ + if (fw_feature_is("enabled", "inst-spec-barrier-ori31,31,0", np)) + security_ftr_set(SEC_FTR_SPEC_BAR_ORI31); + + if (fw_feature_is("enabled", "fw-bcctrl-serialized", np)) + security_ftr_set(SEC_FTR_BCCTRL_SERIALISED); + + if (fw_feature_is("enabled", "inst-spec-barrier-ori31,31,0", np)) + security_ftr_set(SEC_FTR_L1D_FLUSH_ORI30); + + if (fw_feature_is("enabled", "inst-l1d-flush-trig2", np)) + security_ftr_set(SEC_FTR_L1D_FLUSH_TRIG2); + + if (fw_feature_is("enabled", "fw-l1d-thread-split", np)) + security_ftr_set(SEC_FTR_L1D_THREAD_PRIV); + + if (fw_feature_is("enabled", "fw-count-cache-disabled", np)) + security_ftr_set(SEC_FTR_COUNT_CACHE_DISABLED); + + /* + * The features below are enabled by default, so we instead look to see + * if firmware has *disabled* them, and clear them if so. + */ + if (fw_feature_is("disabled", "speculation-policy-favor-security", np)) + security_ftr_clear(SEC_FTR_FAVOUR_SECURITY); + + if (fw_feature_is("disabled", "needs-l1d-flush-msr-pr-0-to-1", np)) + security_ftr_clear(SEC_FTR_L1D_FLUSH_PR); + + if (fw_feature_is("disabled", "needs-l1d-flush-msr-hv-1-to-0", np)) + security_ftr_clear(SEC_FTR_L1D_FLUSH_HV); + + if (fw_feature_is("disabled", "needs-spec-barrier-for-bound-checks", np)) + security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR); +} + static void pnv_setup_rfi_flush(void) { struct device_node *np, *fw_features; 
@@ -56,6 +110,8 @@ static void pnv_setup_rfi_flush(void) of_node_put(np); if (fw_features) { + init_fw_feat_flags(fw_features); + np = of_get_child_by_name(fw_features, "inst-l1d-flush-trig2"); if (np && of_property_read_bool(np, "enabled")) type = L1D_FLUSH_MTTRIG;
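Review bot: In init_fw_feat_flags() (first hunk), the third check tests the property "inst-spec-barrier-ori31,31,0" a second time but sets SEC_FTR_L1D_FLUSH_ORI30, so the L1D flush flag follows the speculation barrier property instead of a flush property of its own. This looks like a copy and paste of the first check, which uses the same string to set SEC_FTR_SPEC_BAR_ORI31. The name passed here should be the firmware feature node that describes the ori 30,30,0 L1D flush, in the same way that "inst-l1d-flush-trig2" pairs with SEC_FTR_L1D_FLUSH_TRIG2 in the next check. As written, a system whose firmware enables one of the two instructions but not the other ends up with the wrong value for SEC_FTR_L1D_FLUSH_ORI30.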
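Review bot: In the second hunk, pnv_setup_rfi_flush() calls init_fw_feat_flags(fw_features) and then immediately looks up "inst-l1d-flush-trig2" again by hand with of_get_child_by_name() and of_property_read_bool(np, "enabled"), which is the lookup that fw_feature_is() now wraps, of_node_put() included. Consider replacing the open-coded check with fw_feature_is("enabled", "inst-l1d-flush-trig2", fw_features) so that one code path reads these nodes. The call also sits only under if (fw_features), so when that node is absent the flags silently keep their defaults, and the name pnv_setup_rfi_flush() no longer says that it initialises the security feature flags; a short comment at the call site covering both points would help.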