From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, greg@kroah.com
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Michael Ellerman
Subject: [PATCH 4.14 045/496] powerpc/powernv: Set or clear security feature flags
Date: Mon, 28 May 2018 11:57:10 +0200
Message-Id: <20180528100321.629564433@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100319.498712256@linuxfoundation.org>
References: <20180528100319.498712256@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Ellerman

commit 77addf6e95c8689e478d607176b399a6242a777e upstream.

Now that we have feature flags for security related things, set or
clear them based on what we see in the device tree provided by
firmware.

Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman
---
 arch/powerpc/platforms/powernv/setup.c | 56 +++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

--- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c 
@@ -37,9 +37,63 @@ #include #include #include +#include #include "powernv.h" + +static bool fw_feature_is(const char *state, const char *name, + struct device_node *fw_features) +{ + struct device_node *np; + bool rc = false; + + np = of_get_child_by_name(fw_features, name); + if (np) { + rc = of_property_read_bool(np, state); + of_node_put(np); + } + + return rc; +} + +static void init_fw_feat_flags(struct device_node *np) +{ + if (fw_feature_is("enabled", "inst-spec-barrier-ori31,31,0", np)) + security_ftr_set(SEC_FTR_SPEC_BAR_ORI31); + + if (fw_feature_is("enabled", "fw-bcctrl-serialized", np)) + security_ftr_set(SEC_FTR_BCCTRL_SERIALISED); + + if (fw_feature_is("enabled", "inst-spec-barrier-ori31,31,0", np)) + security_ftr_set(SEC_FTR_L1D_FLUSH_ORI30); + + if (fw_feature_is("enabled", "inst-l1d-flush-trig2", np)) + security_ftr_set(SEC_FTR_L1D_FLUSH_TRIG2); + + if (fw_feature_is("enabled", "fw-l1d-thread-split", np)) + security_ftr_set(SEC_FTR_L1D_THREAD_PRIV); + + if (fw_feature_is("enabled", "fw-count-cache-disabled", np)) + security_ftr_set(SEC_FTR_COUNT_CACHE_DISABLED); + + /* + * The features below are enabled by default, so we instead look to see + * if firmware has *disabled* them, and clear them if so. + */ + if (fw_feature_is("disabled", "speculation-policy-favor-security", np)) + security_ftr_clear(SEC_FTR_FAVOUR_SECURITY); + + if (fw_feature_is("disabled", "needs-l1d-flush-msr-pr-0-to-1", np)) + security_ftr_clear(SEC_FTR_L1D_FLUSH_PR); + + if (fw_feature_is("disabled", "needs-l1d-flush-msr-hv-1-to-0", np)) + security_ftr_clear(SEC_FTR_L1D_FLUSH_HV); + + if (fw_feature_is("disabled", "needs-spec-barrier-for-bound-checks", np)) + security_ftr_clear(SEC_FTR_BNDS_CHK_SPEC_BAR); +} + static void pnv_setup_rfi_flush(void) { struct device_node *np, *fw_features; 
@@ -55,6 +109,8 @@ static void pnv_setup_rfi_flush(void) of_node_put(np); if (fw_features) { + init_fw_feat_flags(fw_features); + np = of_get_child_by_name(fw_features, "inst-l1d-flush-trig2"); if (np && of_property_read_bool(np, "enabled")) type = L1D_FLUSH_MTTRIG;
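
Review bot: In the first hunk, the third check in init_fw_feat_flags() tests "inst-spec-barrier-ori31,31,0" a second time but sets SEC_FTR_L1D_FLUSH_ORI30, so the L1D flush flag ends up tracking the speculation barrier node instead of an L1D flush node. This looks like a copy-paste of the first check; every other check in the function pairs a distinct node name with its flag (for example "inst-l1d-flush-trig2" with SEC_FTR_L1D_FLUSH_TRIG2). Please compare this line against upstream commit 77addf6e95c8689e478d607176b399a6242a777e and use the node name that describes the ori30 flush before this goes into 4.14-stable, since a wrong flag here misreports which flush instruction the firmware advertises.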
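
Review bot: In the second hunk, init_fw_feat_flags() is called only inside the if (fw_features) branch of pnv_setup_rfi_flush(), so on firmware that provides no fw-features node none of the flags are set or cleared and the "enabled by default" ones (SEC_FTR_FAVOUR_SECURITY, SEC_FTR_L1D_FLUSH_PR, SEC_FTR_L1D_FLUSH_HV, SEC_FTR_BNDS_CHK_SPEC_BAR) silently keep their defaults. That may be the intended fallback, but it is not stated anywhere; a short comment at the call site saying so would help. It is also a little surprising that the general security flag setup hangs off a function named for the RFI flush, so a note explaining why it lives here, or a separate caller, would make the ordering dependency easier to see.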