Configure powerpc CPU runtime speculation bug mitigations in accordance
with the 'mitigations=' cmdline option. This affects Meltdown, Spectre
v1, Spectre v2, and Speculative Store Bypass.
The default behavior is unchanged.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
Reviewed-by: Jiri Kosina <jkosina@suse.cz>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Waiman Long <longman@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-arch@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Steven Price <steven.price@arm.com>
Cc: Phil Auld <pauld@redhat.com>
Link: https://lkml.kernel.org/r/245a606e1a42a558a310220312d9b6adb9159df6.1555085500.git.jpoimboe@redhat.com
CVE-2017-5715
CVE-2017-5753
CVE-2017-5754
CVE-2018-3639
(backported from commit
782e69efb3dfed6e8360bc612e8c7827a901a8f9 https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git)
[tyhicks: Backport to 4.15:
- include <linux/cpu.h> from security.c]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
http://repo.or.cz/w/linux-2.6/mini2440.git
mitigations=
http://repo.or.cz/w/linux-2.6/mini2440.git
mitigations=
- [X86] Control optional mitigations for CPU
+ [X86,PPC] Control optional mitigations for CPU
vulnerabilities. This is a set of curated,
arch-independent options, each of which is an
aggregation of existing arch-specific options.
vulnerabilities. This is a set of curated,
arch-independent options, each of which is an
aggregation of existing arch-specific options.
Disable all optional CPU mitigations. This
improves system performance, but it may also
expose users to several CPU vulnerabilities.
Disable all optional CPU mitigations. This
improves system performance, but it may also
expose users to several CPU vulnerabilities.
- Equivalent to: nopti [X86]
- nospectre_v2 [X86]
+ Equivalent to: nopti [X86,PPC]
+ nospectre_v1 [PPC]
+ nospectre_v2 [X86,PPC]
spectre_v2_user=off [X86]
spectre_v2_user=off [X86]
- spec_store_bypass_disable=off [X86]
+ spec_store_bypass_disable=off [X86,PPC]
l1tf=off [X86]
auto (default)
l1tf=off [X86]
auto (default)
//
// Copyright 2018, Michael Ellerman, IBM Corporation.
//
// Copyright 2018, Michael Ellerman, IBM Corporation.
#include <linux/kernel.h>
#include <linux/device.h>
#include <linux/seq_buf.h>
#include <linux/kernel.h>
#include <linux/device.h>
#include <linux/seq_buf.h>
enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);
enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);
+ if (!no_nospec && !cpu_mitigations_off())
enable_barrier_nospec(enable);
}
enable_barrier_nospec(enable);
}
early_param("nospectre_v2", handle_nospectre_v2);
void setup_spectre_v2(void)
{
early_param("nospectre_v2", handle_nospectre_v2);
void setup_spectre_v2(void)
{
+ if (no_spectrev2 || cpu_mitigations_off())
do_btb_flush_fixups();
else
btb_flush_enabled = true;
do_btb_flush_fixups();
else
btb_flush_enabled = true;
stf_enabled_flush_types = type;
stf_enabled_flush_types = type;
+ if (!no_stf_barrier && !cpu_mitigations_off())
stf_barrier_enable(enable);
}
stf_barrier_enable(enable);
}
enabled_flush_types = types;
enabled_flush_types = types;
+ if (!no_rfi_flush && !cpu_mitigations_off())
rfi_flush_enable(enable);
}
rfi_flush_enable(enable);
}