Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp640007imb; Fri, 1 Mar 2019 09:57:02 -0800 (PST) X-Google-Smtp-Source: APXvYqwnXzQWYcqgh0Uy9OIgJwgCiFgWR2WGsOV6p/bApt+xEk2F4QPFMTnigEp3STJaErerM6bI X-Received: by 2002:a63:4f61:: with SMTP id p33mr5982246pgl.303.1551463022203; Fri, 01 Mar 2019 09:57:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551463022; cv=none; d=google.com; s=arc-20160816; b=bzEN1CrkRH9y9+D1VnSmxe+ZhNHJ5Ul73iKiFA9DKUIuXQRp+VGapbY6gFNtSfFf3M n4ehNP7sUF8pLastTshBmvC8Dyl6CV9q9OcIkikrJR/Pb5pfnH6lL6IGB7d5hTU8Mu+h rlweU1IUNJ/O0QpVvLPlehY6Yp3BAX9Slk8Wdq3UI7SPo2vVpsR5kwrAgJ3CkP0w4h48 4k88qMJ89QfvxHjFZXR5MH8o52g5FEzdDwqB/gaFZZ/EnyKw+/HwB/4Sej7C/rFGlZkY 9W2mhIgtUaAtkLn33XxkiWAQd4XrGMaFWCbdq1YE1uGT0N7P11gV/KqzDSf9SaKlwq9v u7Dw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=vodGpGFGBxKurd9YX1BNzRntlScPciuFO3G8gwWcyMM=; b=bR6P4BGSEr7iwTWTRe+vVKFY8BI5/FJdm5phaMNxD7rSPC/azaGwWw2xkG4VrDivaA bX2fk+lGfNONhAilh4AenHJs2zaQy04l642fFfTw2Wt86thEQ9a1qYy9KiE0Unpj1VgW zzZmb6TG53yth5Thm4tBHRnuasHXGmefh0F5n0/uF/5d0/IwMpvfKmiyi+JCE+jSDvLT RF38baq6QJqFnq9OJ90Kk9ZAE0Y+ug1k/NBISIklX+xmx6TGPn4Cqpv8CsFnVJv9NoCI 80xO2qLwudpwlY0VbnKge3ev8MP3do/PsjAv3Jg6EnnkCIdUDlb4M9xhDPr1LMLaGGwA GdSA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t13si11744941pfa.98.2019.03.01.09.56.46; Fri, 01 Mar 2019 09:57:02 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389246AbfCAQxw (ORCPT + 99 others); Fri, 1 Mar 2019 11:53:52 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:39028 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388993AbfCAQxw (ORCPT ); Fri, 1 Mar 2019 11:53:52 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 1A7CE80D; Fri, 1 Mar 2019 08:53:52 -0800 (PST) Received: from [192.168.100.242] (usa-sjc-mx-foss1.foss.arm.com [217.140.101.70]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 5F7923F575; Fri, 1 Mar 2019 08:53:51 -0800 (PST) Subject: Re: [PATCH v5 03/10] arm64: add sysfs vulnerability show for meltdown To: Catalin Marinas Cc: Andre Przywara , linux-arm-kernel@lists.infradead.org, will.deacon@arm.com, marc.zyngier@arm.com, suzuki.poulose@arm.com, Dave.Martin@arm.com, shankerd@codeaurora.org, julien.thierry@arm.com, mlangsdo@redhat.com, stefan.wahren@i2e.com, linux-kernel@vger.kernel.org References: <20190227010544.597579-1-jeremy.linton@arm.com> <20190227010544.597579-4-jeremy.linton@arm.com> <9cfb9cff-6a26-fff7-9374-82eea0f63a21@arm.com> <20190301162050.GB28687@arrakis.emea.arm.com> From: Jeremy Linton Message-ID: Date: Fri, 1 Mar 2019 10:53:50 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: <20190301162050.GB28687@arrakis.emea.arm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On 3/1/19 10:20 AM, Catalin Marinas wrote: > On Fri, Mar 01, 2019 at 10:12:09AM -0600, Jeremy Linton wrote: >> On 3/1/19 1:11 AM, Andre Przywara wrote: >>> On 2/26/19 7:05 PM, Jeremy Linton wrote: >>>> Display the mitigation status if active, otherwise >>>> assume the cpu is safe unless it doesn't have CSV3 >>>> and isn't in our whitelist. >>>> >>>> Signed-off-by: Jeremy Linton >>>> --- >>>>   arch/arm64/kernel/cpufeature.c | 47 ++++++++++++++++++++++++++-------- >>>>   1 file changed, 37 insertions(+), 10 deletions(-) >>>> >>>> diff --git a/arch/arm64/kernel/cpufeature.c >>>> b/arch/arm64/kernel/cpufeature.c >>>> index f6d84e2c92fe..d31bd770acba 100644 >>>> --- a/arch/arm64/kernel/cpufeature.c >>>> +++ b/arch/arm64/kernel/cpufeature.c >>>> @@ -944,7 +944,7 @@ has_useable_cnp(const struct >>>> arm64_cpu_capabilities *entry, int scope) >>>>       return has_cpuid_feature(entry, scope); >>>>   } >>>> -#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 >>>> +static bool __meltdown_safe = true; >>>>   static int __kpti_forced; /* 0: not forced, >0: forced on, <0: >>>> forced off */ >>>>   static bool unmap_kernel_at_el0(const struct >>>> arm64_cpu_capabilities *entry, >>>> @@ -963,6 +963,16 @@ static bool unmap_kernel_at_el0(const struct >>>> arm64_cpu_capabilities *entry, >>>>           { /* sentinel */ } >>>>       }; >>>>       char const *str = "command line option"; >>>> +    bool meltdown_safe; >>>> + >>>> +    meltdown_safe = is_midr_in_range_list(read_cpuid_id(), >>>> kpti_safe_list); >>>> + >>>> +    /* Defer to CPU feature registers */ >>>> +    if (has_cpuid_feature(entry, scope)) >>>> +        meltdown_safe = true; >>>> + >>>> +    if (!meltdown_safe) >>>> +        __meltdown_safe = false; >>>>       /* >>>>        * For reasons that aren't entirely clear, enabling KPTI on Cavium >>>> @@ -974,6 +984,11 @@ static bool unmap_kernel_at_el0(const struct >>>> arm64_cpu_capabilities *entry, >>>>           __kpti_forced = -1; >>>>       } >>>> +    if (!IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0)) { >>>> +        pr_info_once("kernel page table isolation disabled by >>>> CONFIG\n"); >>>> +        return false; >>>> +    } >>>> + >>>>       /* Forced? */ >>>>       if (__kpti_forced) { >>>>           pr_info_once("kernel page table isolation forced %s by %s\n", >>>> @@ -985,14 +1000,10 @@ static bool unmap_kernel_at_el0(const struct >>>> arm64_cpu_capabilities *entry, >>>>       if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) >>>>           return kaslr_offset() > 0; >>>> -    /* Don't force KPTI for CPUs that are not vulnerable */ >>>> -    if (is_midr_in_range_list(read_cpuid_id(), kpti_safe_list)) >>>> -        return false; >>>> - >>>> -    /* Defer to CPU feature registers */ >>>> -    return !has_cpuid_feature(entry, scope); >>>> +    return !meltdown_safe; >>>>   } >>>> +#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 >>>>   static void >>>>   kpti_install_ng_mappings(const struct arm64_cpu_capabilities *__unused) >>>>   { >>>> @@ -1022,6 +1033,13 @@ kpti_install_ng_mappings(const struct >>>> arm64_cpu_capabilities *__unused) >>>>       return; >>>>   } >>>> +#else >>>> +static void >>>> +kpti_install_ng_mappings(const struct arm64_cpu_capabilities *__unused) >>>> +{ >>>> +} >>>> +#endif    /* CONFIG_UNMAP_KERNEL_AT_EL0 */ >>>> + >>>>   static int __init parse_kpti(char *str) >>>>   { >>>> @@ -1035,7 +1053,6 @@ static int __init parse_kpti(char *str) >>>>       return 0; >>>>   } >>>>   early_param("kpti", parse_kpti); >>>> -#endif    /* CONFIG_UNMAP_KERNEL_AT_EL0 */ >>>>   #ifdef CONFIG_ARM64_HW_AFDBM >>>>   static inline void __cpu_enable_hw_dbm(void) >>>> @@ -1286,7 +1303,6 @@ static const struct arm64_cpu_capabilities >>>> arm64_features[] = { >>>>           .field_pos = ID_AA64PFR0_EL0_SHIFT, >>>>           .min_field_value = ID_AA64PFR0_EL0_32BIT_64BIT, >>>>       }, >>>> -#ifdef CONFIG_UNMAP_KERNEL_AT_EL0 >>>>       { >>>>           .desc = "Kernel page table isolation (KPTI)", >>>>           .capability = ARM64_UNMAP_KERNEL_AT_EL0, >>>> @@ -1302,7 +1318,6 @@ static const struct arm64_cpu_capabilities >>>> arm64_features[] = { >>>>           .matches = unmap_kernel_at_el0, >>>>           .cpu_enable = kpti_install_ng_mappings, >>>>       }, >>>> -#endif >>>>       { >>>>           /* FP/SIMD is not implemented */ >>>>           .capability = ARM64_HAS_NO_FPSIMD, >>>> @@ -2063,3 +2078,15 @@ static int __init enable_mrs_emulation(void) >>>>   } >>>>   core_initcall(enable_mrs_emulation); >>>> + >>>> +ssize_t cpu_show_meltdown(struct device *dev, struct >>>> device_attribute *attr, >>>> +        char *buf) >>>> +{ >>>> +    if (arm64_kernel_unmapped_at_el0()) >>>> +        return sprintf(buf, "Mitigation: KPTI\n"); >>>> + >>>> +    if (__meltdown_safe) >>>> +        return sprintf(buf, "Not affected\n"); >>> >>> Shall those two checks be swapped? So it doesn't report about a KPTI >>> mitigation if the CPU is safe, but we enable KPTI because of KASLR >>> having enabled it? Or is that a different knob? >> >> Hmmm, I think having it this way reflects the fact that the machine is >> mitigated independent of whether it needed it. The force on case is similar. >> The machine may not have needed the mitigation but it was forced on. > > So is this patchset about showing vulnerabilities _and_ mitigations or > just one of them? > Well, I don't think there is a way to express a mitigated but not vulnerable state in the current ABI. This set is mostly just to bring us in line with the current ABI expectations.