Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1968339imu;
        Thu, 10 Jan 2019 06:13:13 -0800 (PST)
X-Google-Smtp-Source: ALg8bN7blwz1yF/K5d8iX9rxu/W5xpv4x4aYFz/M6nWrE886Z3lOdGz1nsbemDr7Gw57y54VfwQh
X-Received: by 2002:a17:902:9b87:: with SMTP id y7mr10590857plp.336.1547129593220;
        Thu, 10 Jan 2019 06:13:13 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547129593; cv=none;
        d=google.com; s=arc-20160816;
        b=Xm3g2zfTUNFHiKn/oMhF7as2jhH/z1c6JftQs46yzPMEMnLIZUUPkWWNesbZU04TcT
         lTjcMbMoG7T8fhbBgW3e+nuLYu9vc5H+zH6Tya5g0Hx7xb9aXleQDQtV0Yy0Pq2aqNXO
         leA8SBHaEtEvZcY4/fQZshRl3+Phtu3pUYkXxCwZap+T57RScTq+jWWVTSIL5gEhxvML
         IbksmWfR7oXl8b5fw9laW5howdbsDdsFYpHHZ34R6MZUAhHR4ASqqs2y7m0Hw81d8yMQ
         7N2ah2RSJ2LMJqdSuINMs+Z9z64PxN93QGyrwGKhBW7V24d/slIqjBIj5NWYeMAxZEuD
         mmhw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject;
        bh=VH15Aaa4lQ5NzMOLeqSHlYrKgopobafbV0h4TqkOS0k=;
        b=AO0u7eBL0Lhiz8wHdCBX/bNeYrwNGKGQsetvn1EVmm91d+WWHcZU7Mj5TY4SLhLW9Z
         VnRIiXbLe7YJxRH18n1GpT9gQf+veLUt/em3YpEEury4oxb3L44on1XWXK5UD8dMtjCy
         3XpCfAihrNst7oea+MAMWnqGCNcm4gumI7EH3yyxZYeHRo6GUHGYJlqnhiL4CuXp7Z69
         GnsMzm54z/TuoAezURn9vt9jki7PiZRD4b5mHblhovYkhoq0Qg6+ZdrChvGaJg4vwqKv
         q9z44J8zR3+KLXxbgKvvG4C8enWZDO5HKmLUlEKO4gA1k7tBkWylb/MgQIR1u/LFPQ15
         4ROw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t75si16648004pfa.170.2019.01.10.06.12.57;
        Thu, 10 Jan 2019 06:13:13 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728989AbfAJOKx (ORCPT <rfc822;ahaning.tech@gmail.com>
        + 99 others); Thu, 10 Jan 2019 09:10:53 -0500
Received: from foss.arm.com ([217.140.101.70]:36206 "EHLO foss.arm.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728181AbfAJOKw (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 10 Jan 2019 09:10:52 -0500
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 0FF531596;
        Thu, 10 Jan 2019 06:10:52 -0800 (PST)
Received: from [192.168.100.241] (usa-sjc-mx-foss1.foss.arm.com [217.140.101.70])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id ED9233F5AF;
        Thu, 10 Jan 2019 06:10:50 -0800 (PST)
Subject: Re: [PATCH v3 4/7] arm64: add sysfs vulnerability show for meltdown
To:     Julien Thierry <julien.thierry@arm.com>,
        linux-arm-kernel@lists.infradead.org
Cc:     catalin.marinas@arm.com, will.deacon@arm.com, marc.zyngier@arm.com,
        suzuki.poulose@arm.com, dave.martin@arm.com,
        shankerd@codeaurora.org, linux-kernel@vger.kernel.org,
        ykaukab@suse.de, mlangsdo@redhat.com, steven.price@arm.com,
        stefan.wahren@i2se.com
References: <20190109235544.2992426-1-jeremy.linton@arm.com>
 <20190109235544.2992426-5-jeremy.linton@arm.com>
 <8c8b564a-1d65-bc18-73fb-58b349a47800@arm.com>
From:   Jeremy Linton <jeremy.linton@arm.com>
Message-ID: <7e843245-56c0-d7c1-38ba-27ff231a500a@arm.com>
Date:   Thu, 10 Jan 2019 08:10:43 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <8c8b564a-1d65-bc18-73fb-58b349a47800@arm.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Julien,

On 01/10/2019 03:23 AM, Julien Thierry wrote:
> Hi Jeremy,
> 
> On 09/01/2019 23:55, Jeremy Linton wrote:
>> Display the mitigation status if active, otherwise
>> assume the cpu is safe unless it doesn't have CSV3
>> and isn't in our whitelist.
>>
>> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
>> ---
>>   arch/arm64/kernel/cpufeature.c | 32 +++++++++++++++++++++++++++-----
>>   1 file changed, 27 insertions(+), 5 deletions(-)
>>
>> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
>> index ab784d7a0083..ef7bbc49ef78 100644
>> --- a/arch/arm64/kernel/cpufeature.c
>> +++ b/arch/arm64/kernel/cpufeature.c
>> @@ -944,8 +944,12 @@ has_useable_cnp(const struct arm64_cpu_capabilities *entry, int scope)
>>   	return has_cpuid_feature(entry, scope);
>>   }
>>   
>> +/* default value is invalid until unmap_kernel_at_el0() runs */
>> +static bool __meltdown_safe = true;
>> +
>>   #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
>>   static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */
>> +extern uint arm64_requested_vuln_attrs;
>>   
>>   static bool is_cpu_meltdown_safe(void)
>>   {
>> @@ -972,6 +976,14 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
>>   {
>>   	char const *str = "command line option";
>>   
>> +	bool meltdown_safe = is_cpu_meltdown_safe() ||
>> +		has_cpuid_feature(entry, scope);
>> +
>> +	if (!meltdown_safe)
>> +		__meltdown_safe = false;
>> +
>> +	arm64_requested_vuln_attrs |= VULN_MELTDOWN;
>> +
>>   	/*
>>   	 * For reasons that aren't entirely clear, enabling KPTI on Cavium
>>   	 * ThunderX leads to apparent I-cache corruption of kernel text, which
>> @@ -993,11 +1005,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
>>   	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
>>   		return true;
>>   
>> -	if (is_cpu_meltdown_safe())
>> -		return false;
>> -
>> -	/* Defer to CPU feature registers */
>> -	return !has_cpuid_feature(entry, scope);
>> +	return !meltdown_safe;
>>   }
>>   
>>   static void
>> @@ -2065,3 +2073,17 @@ static int __init enable_mrs_emulation(void)
>>   }
>>   
>>   core_initcall(enable_mrs_emulation);
>> +
>> +#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES
>> +ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr,
>> +		char *buf)
>> +{
>> +	if (arm64_kernel_unmapped_at_el0())
>> +		return sprintf(buf, "Mitigation: KPTI\n");
>> +
>> +	if (__meltdown_safe)
>> +		return sprintf(buf, "Not affected\n");
> 
> An issue I see is that we don't even bother to check it that CPUs are
> meltdown safe if CONFIG_UNMAP_KERNEL_AT_EL0 is not defined but here
> we'll advertise that the system is meltdown safe.

That check isn't necessary anymore because the sysfs attribute is only 
populated if unmap_kernel_at_el0() runs (assuming I haven't messed 
something up). That was Dave/Will's suggestions in the last thread about 
how to handle this case.



> 
> I think that checking whether we know that CPUs are meltdown safe should
> be separated from whether mitigation is applied.
> 
> Someone who knows thinks their CPUs are in the white list might want to
> compile out code that does the kpti, but it would be good to give them a
> proper diagnostic whether they were wrong or not.
> 
> Cheers,
>