From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, greg@kroah.com
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Michael Ellerman
Subject: [PATCH 4.16 038/161] powerpc/pseries: Set or clear security feature flags
Date: Thu, 24 May 2018 11:37:43 +0200
Message-Id: <20180524093022.918554567@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180524093018.331893860@linuxfoundation.org>
References: <20180524093018.331893860@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Ellerman

commit f636c14790ead6cc22cf62279b1f8d7e11a67116 upstream.

Now that we have feature flags for security related things, set or clear them based on what we receive from the hypercall.

Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman
---
 arch/powerpc/platforms/pseries/setup.c | 43 +++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

--- a/arch/powerpc/platforms/pseries/setup.c +++ b/arch/powerpc/platforms/pseries/setup.c @@ -68,6 +68,7 @@ #include #include #include +#include #include "pseries.h" 
@@ -459,6 +460,40 @@ static void __init find_and_init_phbs(vo of_pci_check_probe_only(); } +static void init_cpu_char_feature_flags(struct h_cpu_char_result *result) +{ + if (result->character & H_CPU_CHAR_SPEC_BAR_ORI31) + security_ftr_set(SEC_FTR_SPEC_BAR_ORI31); + + if (result->character & H_CPU_CHAR_BCCTRL_SERIALISED) + security_ftr_set(SEC_FTR_BCCTRL_SERIALISED); + + if (result->character & H_CPU_CHAR_L1D_FLUSH_ORI30) + security_ftr_set(SEC_FTR_L1D_FLUSH_ORI30); + + if (result->character & H_CPU_CHAR_L1D_FLUSH_TRIG2) + security_ftr_set(SEC_FTR_L1D_FLUSH_TRIG2); + + if (result->character & H_CPU_CHAR_L1D_THREAD_PRIV) + security_ftr_set(SEC_FTR_L1D_THREAD_PRIV); + + if (result->character & H_CPU_CHAR_COUNT_CACHE_DISABLED) + security_ftr_set(SEC_FTR_COUNT_CACHE_DISABLED); + + /* + * The features below are enabled by default, so we instead look to see + * if firmware has *disabled* them, and clear them if so. + */ + if (!(result->character & H_CPU_BEHAV_FAVOUR_SECURITY)) + security_ftr_clear(SEC_FTR_FAVOUR_SECURITY); + + if (!(result->character & H_CPU_BEHAV_L1D_FLUSH_PR)) + security_ftr_clear(SEC_FTR_L1D_FLUSH_PR); + + if (!(result->character & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR)) + security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR); +} + static void pseries_setup_rfi_flush(void) { struct h_cpu_char_result result; @@ -472,6 +507,8 @@ static void pseries_setup_rfi_flush(void rc = plpar_get_cpu_characteristics(&result); if (rc == H_SUCCESS) { + init_cpu_char_feature_flags(&result); + if (result.character & H_CPU_CHAR_L1D_FLUSH_TRIG2) types |= L1D_FLUSH_MTTRIG; if (result.character & H_CPU_CHAR_L1D_FLUSH_ORI30) @@ -482,6 +519,12 @@ static void pseries_setup_rfi_flush(void enable = false; } + /* + * We're the guest so this doesn't apply to us, clear it to simplify + * handling of it elsewhere. + */ + security_ftr_clear(SEC_FTR_L1D_FLUSH_HV); + setup_rfi_flush(types, enable); }
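
Review bot: In init_cpu_char_feature_flags(), the three "enabled by default" checks test the H_CPU_BEHAV_* masks against result->character, the same word the H_CPU_CHAR_* masks are tested against just above. If the H_CPU_BEHAV_* bits are reported in the behaviour word of the hypercall result, these checks read unrelated characteristic bits, and SEC_FTR_FAVOUR_SECURITY, SEC_FTR_L1D_FLUSH_PR and SEC_FTR_BNDS_CHK_SPEC_BAR can be cleared or left set regardless of what firmware reported. Suggest testing result->behaviour in all three, e.g. `if (!(result->behaviour & H_CPU_BEHAV_FAVOUR_SECURITY))`.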
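
Review bot: In the hunk at pseries_setup_rfi_flush() line 507, init_cpu_char_feature_flags() is called only inside the rc == H_SUCCESS branch, so when plpar_get_cpu_characteristics() fails the security feature flags silently keep their defaults. A short comment at the call site stating that the defaults are the intended fallback on hypercall failure would make that behaviour explicit for anyone reading the flags later.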
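
Review bot: With the unconditional security_ftr_clear(SEC_FTR_L1D_FLUSH_HV) added before setup_rfi_flush(), pseries_setup_rfi_flush() now initialises general security feature flags as well as the RFI flush, and its name no longer says so. Consider renaming the function or moving the flag setup into its own helper, so callers that care about the feature flags can see where they are established.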