Re: [PATCH 4/6] arm64: add sysfs vulnerability show for spectre v2

From: Jeremy Linton
Date: Wed Jan 02 2019 - 17:19:43 EST

Hi,

On 12/13/2018 05:09 AM, Julien Thierry wrote:


On 06/12/2018 23:44, Jeremy Linton wrote:
Add code to track whether all the cores in the machine are
vulnerable, and whether all the vulnerable cores have been
mitigated.

Once we have that information we can add the sysfs stub and
provide an accurate view of what is known about the machine.

Signed-off-by: Jeremy Linton <jeremy.linton@xxxxxxx>
---
arch/arm64/kernel/cpu_errata.c | 72 +++++++++++++++++++++++++++++++---
1 file changed, 67 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index 559ecdee6fd2..6505c93d507e 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c

[...]

@@ -766,4 +812,20 @@ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr,
return sprintf(buf, "Mitigation: __user pointer sanitization\n");
}
+ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,
+ char *buf)
+{
+ switch (__spectrev2_safe) {
+ case A64_SV2_SAFE:
+ return sprintf(buf, "Not affected\n");
+ case A64_SV2_UNSAFE:
+ if (__hardenbp_enab == A64_HBP_MIT)
+ return sprintf(buf,
+ "Mitigation: Branch predictor hardening\n");
+ return sprintf(buf, "Vulnerable\n");
+ default:
+ return sprintf(buf, "Unknown\n");
+ }

Again I see that we are going to display "Unknown" when the mitigation
is not built in.

Couldn't we make that CONFIG_GENERIC_CPU_,gation is not implemented? It's
just checking the list of MIDRs.


Before I re-post, its probably worth pointing out that the spectrev2_safe isn't set the same as the meltdown safe flag (which reflects a whitelist or cpu_good flag) where the unknown/unsafe condition is currently the same.

spectrev2_safe is a white/black list with a black list of known vulnerable cores, plus cores with csv2 set indicating they are good. This means the unset condition conceptually covers, the check being disabled, as well as the core not being one of either known bad or known good cores. Meaning you still need a dedicated "unknown" state because the final state isn't unknown simply because the mitigation is not compiled in.