Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3321351imm;
        Tue, 29 May 2018 05:20:47 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZo9q7NA0+dH4up9dalXKM1txIGrPZ0TsW4ORwCLrf5Tbvie81GOwqnRyb6p1/jvI/0bVoN+
X-Received: by 2002:a63:93:: with SMTP id 141-v6mr13964518pga.322.1527596446923;
        Tue, 29 May 2018 05:20:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527596446; cv=none;
        d=google.com; s=arc-20160816;
        b=ZlzZwV4PyYcs36mYR8zlOFh9QoGnEneJwJuoPrgGO3dwOj7h0vaHcNqiZPkEm9loGG
         mI0KPlmpHLj6HPbwggeBRqzsltBPTe+C08ayvbEWemgiSPOKG9CaS9RH8oee0oCSAKTQ
         INFf0Qp7JlCBRY4QnKkKaJw1CJ2ASa4nSm20p2U7R+MtoR0N83UNZjk1YzFtdFfYNV9z
         AYvnrpkk2BVdaCiYCYavW+htJG81FhRlUbtzGGpLgqQZ1WgHyO3DX7/TJ7rHMxCLJh2h
         NAmLMFh+aNNKJI5wmuYo8/BBsS3GT+9BtFn6a4a5Sl7NULzRV0yzx/LyzBqiKVK8sCCW
         8l3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=jJ4ZUKc3JRj6PLMOM56kwBN/T6pxJSFBT50uDDiEvS8=;
        b=TOb2gXHbKi/FVp5RcjmoVAr8NGNT8lot52q4z2Uw+Oq2G0BDSiNe2wiF+uO1ES3jRa
         BTtdF3TjCgBE9smyq3W16kYv41casd3wNGu57zpH9HfSwwI63L3kG9CqgPpn3OaEq4q5
         eMxlBiDSIif78tl6AOs8lNxq7IHOvCKN2ss9W9KrpnNws17E1n8SmjHurpXiB2BAzO0Y
         kEAkoXkDkJOZV52hpJIlqdAzisLDKkHUcgVZ5unLNvTs7lkwlCxfGlF5tSHZKI6bRTkJ
         1NB2DnULO2tc/fstrdZOBez5Nn6A2TNqLMapdDi4Z4t2KEIEy2YEYYdsYGD2CedvUoYh
         5Usw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e72-v6si4832925pfl.132.2018.05.29.05.20.33;
        Tue, 29 May 2018 05:20:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933603AbeE2MLc (ORCPT <rfc822;shmalave.kernel@gmail.com>
        + 99 others); Tue, 29 May 2018 08:11:32 -0400
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:38338 "EHLO
        foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S933135AbeE2MLa (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 29 May 2018 08:11:30 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 7C27F80D;
        Tue, 29 May 2018 05:11:30 -0700 (PDT)
Received: from approximate.cambridge.arm.com (approximate.cambridge.arm.com [10.1.206.75])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 224C73F53D;
        Tue, 29 May 2018 05:11:27 -0700 (PDT)
From:   Marc Zyngier <marc.zyngier@arm.com>
To:     linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
        kvmarm@lists.cs.columbia.edu
Cc:     Will Deacon <will.deacon@arm.com>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Andy Lutomirski <luto@kernel.org>,
        Kees Cook <keescook@chromium.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Christoffer Dall <christoffer.dall@arm.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Dominik Brodowski <linux@dominikbrodowski.net>,
        Julien Grall <julien.grall@arm.com>,
        Mark Rutland <mark.rutland@arm.com>
Subject: [PATCH v2 00/17] arm64 SSBD (aka Spectre-v4) mitigation
Date:   Tue, 29 May 2018 13:11:04 +0100
Message-Id: <20180529121121.24927-1-marc.zyngier@arm.com>
X-Mailer: git-send-email 2.14.2
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi all,

This patch series implements the Linux kernel side of the "Spectre-v4"
(CVE-2018-3639) mitigation known as "Speculative Store Bypass Disable"
(SSBD).

More information can be found at:

  https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
  https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

For all released Arm Cortex-A CPUs that are affected by this issue, then
the preferred mitigation is simply to set a chicken bit in the firmware
during CPU initialisation and therefore no change to Linux is required.
Other CPUs may require the chicken bit to be toggled dynamically (for
example, when switching between user-mode and kernel-mode) and this is
achieved by calling into EL3 via an SMC which has been published as part
of the latest SMCCC specification:

  https://developer.arm.com/cache-speculation-vulnerability-firmware-specification

as well as an ATF update for the released ARM cores affected by SSBD:

  https://github.com/ARM-software/arm-trusted-firmware/pull/1392

These patches provide the following:

  1. Safe probing of firmware to establish which CPUs in the system
     require calling into EL3 as part of the mitigation.

  2. For CPUs that require it, call into EL3 on exception entry/exit
     from EL0 to apply the SSBD mitigation when running at EL1.

  3. A command-line option to force the SSBD mitigation to be always on,
     always off, or dymamically toggled (default) for CPUs that require
     the EL3 call.

  4. An initial implementation of a prctl() backend for arm64 that allows
     userspace tasks to opt-in to the mitigation explicitly. This is
     intended to match the interface provided by x86, and so we rely on
     their core changes here. The seccomp interface is provided as an
     extra set of patches, which I'd like *not* to see merged. The main
     reason is that it is invasive, has ugly/unclear semantics, and could
     probably be left to the existing prctl interface.

  5. An initial implementation of the call via KVM, which exposes the
     mitigation to the guest via an HVC interface. This isn't yet
     complete and doesn't include save/restore functionality for the
     workaround state.

All comments welcome,

	M.

* From v1 [1]:

  - New TIF_SSBD_PENDING flag to enable the mitigation, atomically
    converted to TIF_SSBD on exit to userspace. Moved the seccomp thing to
    its own patch.
  - Renamed do_ssbd() to arm64_set_ssbd_mitigation() early in the series
  - Some spelling fixes
  - Dropped the now unnecessary #ifdef in ssbd.c
  - SSBD handling in entry.S default to NOP until patching comes in, which
    itself got tiddied up
  - Renamed ARM64_SSBD_EL1_ENTRY to ARM64_SSBD_KERNEL
  - Collected RBs

[1] https://lwn.net/ml/linux-kernel/20180522150648.28297-1-marc.zyngier@arm.com/

Marc Zyngier (17):
  arm/arm64: smccc: Add SMCCC-specific return codes
  arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1
  arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2
  arm64: Add ARCH_WORKAROUND_2 probing
  arm64: Add 'ssbd' command-line option
  arm64: ssbd: Add global mitigation state accessor
  arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation
  arm64: ssbd: Restore mitigation status on CPU resume
  arm64: ssbd: Introduce thread flag to control userspace mitigation
  arm64: ssbd: Add prctl interface for per-thread mitigation
  arm64: KVM: Add HYP per-cpu accessors
  arm64: KVM: Add ARCH_WORKAROUND_2 support for guests
  arm64: KVM: Handle guest's ARCH_WORKAROUND_2 requests
  arm64: KVM: Add ARCH_WORKAROUND_2 discovery through
    ARCH_FEATURES_FUNC_ID
  arm64: Add test_and_clear_flag and set_flag atomic assembler
    primitives
  arm64: ssbd: Enable delayed setting of TIF_SSBD
  arm64: ssbd: Implement arch_seccomp_spec_mitigate

 Documentation/admin-guide/kernel-parameters.txt |  17 +++
 arch/arm/include/asm/kvm_host.h                 |  12 ++
 arch/arm/include/asm/kvm_mmu.h                  |   5 +
 arch/arm64/Kconfig                              |   9 ++
 arch/arm64/include/asm/assembler.h              |  37 +++++
 arch/arm64/include/asm/cpucaps.h                |   3 +-
 arch/arm64/include/asm/cpufeature.h             |  22 +++
 arch/arm64/include/asm/kvm_asm.h                |  30 +++-
 arch/arm64/include/asm/kvm_host.h               |  26 ++++
 arch/arm64/include/asm/kvm_mmu.h                |  24 ++++
 arch/arm64/include/asm/thread_info.h            |   2 +
 arch/arm64/kernel/Makefile                      |   1 +
 arch/arm64/kernel/asm-offsets.c                 |   1 +
 arch/arm64/kernel/cpu_errata.c                  | 180 ++++++++++++++++++++++++
 arch/arm64/kernel/entry.S                       |  46 ++++++
 arch/arm64/kernel/hibernate.c                   |  11 ++
 arch/arm64/kernel/ssbd.c                        | 115 +++++++++++++++
 arch/arm64/kernel/suspend.c                     |   8 ++
 arch/arm64/kvm/hyp/hyp-entry.S                  |  38 ++++-
 arch/arm64/kvm/hyp/switch.c                     |  42 ++++++
 arch/arm64/kvm/reset.c                          |   4 +
 include/linux/arm-smccc.h                       |  10 ++
 virt/kvm/arm/arm.c                              |   4 +
 virt/kvm/arm/psci.c                             |  18 ++-
 24 files changed, 659 insertions(+), 6 deletions(-)
 create mode 100644 arch/arm64/kernel/ssbd.c

-- 
2.14.2