| From foo@baz Sat Mar 19 01:51:18 PM CET 2022 |
| From: James Morse <james.morse@arm.com> |
| Date: Fri, 18 Mar 2022 17:48:37 +0000 |
| Subject: arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2 |
| To: stable@vger.kernel.org |
| Cc: linux-kernel@vger.kernel.org, james.morse@arm.com, catalin.marinas@arm.com |
| Message-ID: <20220318174842.2321061-18-james.morse@arm.com> |
| |
| From: James Morse <james.morse@arm.com> |
| |
| commit dee435be76f4117410bbd90573a881fd33488f37 upstream. |
| |
| Speculation attacks against some high-performance processors can |
| make use of branch history to influence future speculation as part of |
| a spectre-v2 attack. This is not mitigated by CSV2, meaning CPUs that |
| previously reported 'Not affected' are now moderately mitigated by CSV2. |
| |
| Update the value in /sys/devices/system/cpu/vulnerabilities/spectre_v2 |
| to also show the state of the BHB mitigation. |
| |
| Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> |
| [ code move to cpu_errata.c for backport ] |
| Signed-off-by: James Morse <james.morse@arm.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/arm64/include/asm/cpufeature.h | 8 +++++++ |
| arch/arm64/kernel/cpu_errata.c | 38 +++++++++++++++++++++++++++++++++--- |
| 2 files changed, 43 insertions(+), 3 deletions(-) |
| |
| --- a/arch/arm64/include/asm/cpufeature.h |
| +++ b/arch/arm64/include/asm/cpufeature.h |
| @@ -527,6 +527,14 @@ static inline int arm64_get_ssbd_state(v |
| |
| void arm64_set_ssbd_mitigation(bool state); |
| |
| +/* Watch out, ordering is important here. */ |
| +enum mitigation_state { |
| + SPECTRE_UNAFFECTED, |
| + SPECTRE_MITIGATED, |
| + SPECTRE_VULNERABLE, |
| +}; |
| + |
| +enum mitigation_state arm64_get_spectre_bhb_state(void); |
| #endif /* __ASSEMBLY__ */ |
| |
| #endif |
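Review bot: The comment `Watch out, ordering is important here.` on `enum mitigation_state` does not say what depends on the order, and nothing in this patch compares the values. If the intent is that a numerically larger value means a worse state (an inference from the UNAFFECTED, MITIGATED, VULNERABLE sequence, not something visible here), the comment should say so, for example `/* Ordered best to worst; states may be compared numerically, so do not reorder or insert values. */`. Without that, a later change that adds a state in the wrong position could make an affected CPU report a better state than it has.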
| --- a/arch/arm64/kernel/cpu_errata.c |
| +++ b/arch/arm64/kernel/cpu_errata.c |
| @@ -875,14 +875,39 @@ ssize_t cpu_show_spectre_v1(struct devic |
| return sprintf(buf, "Mitigation: __user pointer sanitization\n"); |
| } |
| |
| +static const char *get_bhb_affected_string(enum mitigation_state bhb_state) |
| +{ |
| + switch (bhb_state) { |
| + case SPECTRE_UNAFFECTED: |
| + return ""; |
| + default: |
| + case SPECTRE_VULNERABLE: |
| + return ", but not BHB"; |
| + case SPECTRE_MITIGATED: |
| + return ", BHB"; |
| + } |
| +} |
| + |
| ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, |
| char *buf) |
| { |
| - if (__spectrev2_safe) |
| - return sprintf(buf, "Not affected\n"); |
| + enum mitigation_state bhb_state = arm64_get_spectre_bhb_state(); |
| + const char *bhb_str = get_bhb_affected_string(bhb_state); |
| + const char *v2_str = "Branch predictor hardening"; |
| + |
| + if (__spectrev2_safe) { |
| + if (bhb_state == SPECTRE_UNAFFECTED) |
| + return sprintf(buf, "Not affected\n"); |
| + |
| + /* |
| + * Platforms affected by Spectre-BHB can't report |
| + * "Not affected" for Spectre-v2. |
| + */ |
| + v2_str = "CSV2"; |
| + } |
| |
| if (__hardenbp_enab) |
| - return sprintf(buf, "Mitigation: Branch predictor hardening\n"); |
| + return sprintf(buf, "Mitigation: %s%s\n", v2_str, bhb_str); |
| |
| return sprintf(buf, "Vulnerable\n"); |
| } |
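Review bot: When `bhb_state` is SPECTRE_VULNERABLE and `__hardenbp_enab` is set, `cpu_show_spectre_v2()` prints `Mitigation: CSV2, but not BHB` or `Mitigation: Branch predictor hardening, but not BHB`, so the line still begins with `Mitigation:` although the branch-history part is unmitigated. Audit tooling that classifies /sys/devices/system/cpu/vulnerabilities/spectre_v2 by its prefix would count such hosts as mitigated. A comment above the final formatted `sprintf()` should record this, for example `/* ", but not BHB" means the BHB part is still vulnerable; do not classify by the "Mitigation:" prefix alone */`. In `get_bhb_affected_string()` the `default:` label sits directly above `case SPECTRE_VULNERABLE:`; a short comment that unknown states are deliberately reported as unmitigated would keep a later reorder of the cases from changing that.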
| @@ -903,3 +928,10 @@ ssize_t cpu_show_spec_store_bypass(struc |
| |
| return sprintf(buf, "Vulnerable\n"); |
| } |
| + |
| +static enum mitigation_state spectre_bhb_state; |
| + |
| +enum mitigation_state arm64_get_spectre_bhb_state(void) |
| +{ |
| + return spectre_bhb_state; |
| +} |