Re: [PATCH][v2] powerpc: Set right value of Speculation_Store_Bypass in /proc/<pid>/status
From: Michael Ellerman
Date: Mon Nov 25 2019 - 21:33:20 EST
Gustavo Walbon <gwalbon@xxxxxxxxxxxxx> writes:
> The issue has showed the value of status of Speculation_Store_Bypass in the
> /proc/<pid>/status as `unknown` for PowerPC systems.
>
> The patch fix the checking of the mitigation status of Speculation, and
> can be reported as "not vulnerable", "globally mitigated" or "vulnerable".
>
> Link: https://github.com/linuxppc/issues/issues/255
>
> Changelog:
> Rebase on v5.4-rc8
>
> Signed-off-by: Gustavo Walbon <gwalbon@xxxxxxxxxxxxx>
> ---
> arch/powerpc/kernel/security.c | 25 ++++++++++++++++++++++++-
> 1 file changed, 24 insertions(+), 1 deletion(-)
On further thoughts I don't think this logic (which I suggested) is
right >:(
I commented on the issue:
I think my original suggestion on this was wrong.
Our mitigation is not global, ie. it's a barrier that must be used in
the right location. We have kernel code to insert the barrier on
kernel entry/exit, but that doesn't protect userspace against itself
(ie. sandboxes).
There's no way to express that with the current values as far as I can
see.
I think all we can do for now is:
if stf_enabled_flush_types == STF_BARRIER_NONE:
return PR_SPEC_NOT_AFFECTED // "not vulnerable"
else
return PR_SPEC_ENABLE // "vulnerable"
To express the situation properly we'd need another value, something
like PR_SPEC_MITIGATION_AVAILABLE (??) which says that there is a
mitigation available but it must be used. That still has the problem
that it doesn't tell userspace what the mitigation is, userspace would
have to know.
cheers
> diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
> index 7d4b2080a658..04e566026bbc 100644
> --- a/arch/powerpc/kernel/security.c
> +++ b/arch/powerpc/kernel/security.c
> @@ -14,7 +14,7 @@
> #include <asm/debugfs.h>
> #include <asm/security_features.h>
> #include <asm/setup.h>
> -
> +#include <linux/prctl.h>
>
> u64 powerpc_security_features __read_mostly = SEC_FTR_DEFAULT;
>
> @@ -344,6 +344,29 @@ ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *
> return sprintf(buf, "Vulnerable\n");
> }
>
> +static int ssb_prctl_get(struct task_struct *task)
> +{
> + if (stf_barrier) {
> + if (stf_enabled_flush_types == STF_BARRIER_NONE)
> + return PR_SPEC_NOT_AFFECTED;
> + else
> + return PR_SPEC_DISABLE;
> + } else
> + return PR_SPEC_DISABLE_NOEXEC;
> +
> + return -EINVAL;
> +}
> +
> +int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
> +{
> + switch (which) {
> + case PR_SPEC_STORE_BYPASS:
> + return ssb_prctl_get(task);
> + default:
> + return -ENODEV;
> + }
> +}
> +
> #ifdef CONFIG_DEBUG_FS
> static int stf_barrier_set(void *data, u64 val)
> {
> --
> 2.19.1