Merge tag 'kvm-ppc-cve-4.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc

Add PPC KVM ioctl to report vulnerability and workaround status to userspace.

+205
+46
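--- a/Documentation/virtual/kvm/api.txt
+++ b/Documentation/virtual/kvm/api.txt
@@ -3403,6 +3403,52 @@
 or if no page table is present for the addresses (e.g. when using
 hugepages).
 
+4.108 KVM_PPC_GET_CPU_CHAR
+
+Capability: KVM_CAP_PPC_GET_CPU_CHAR
+Architectures: powerpc
+Type: vm ioctl
+Parameters: struct kvm_ppc_cpu_char (out)
+Returns: 0 on successful completion
+	 -EFAULT if struct kvm_ppc_cpu_char cannot be written
+
+This ioctl gives userspace information about certain characteristics
+of the CPU relating to speculative execution of instructions and
+possible information leakage resulting from speculative execution (see
+CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754).  The information is
+returned in struct kvm_ppc_cpu_char, which looks like this:
+
+struct kvm_ppc_cpu_char {
+	__u64	character;		/* characteristics of the CPU */
+	__u64	behaviour;		/* recommended software behaviour */
+	__u64	character_mask;		/* valid bits in character */
+	__u64	behaviour_mask;		/* valid bits in behaviour */
+};
+
+For extensibility, the character_mask and behaviour_mask fields
+indicate which bits of character and behaviour have been filled in by
+the kernel.  If the set of defined bits is extended in future then
+userspace will be able to tell whether it is running on a kernel that
+knows about the new bits.
+
+The character field describes attributes of the CPU which can help
+with preventing inadvertent information disclosure - specifically,
+whether there is an instruction to flash-invalidate the L1 data cache
+(ori 30,30,0 or mtspr SPRN_TRIG2,rN), whether the L1 data cache is set
+to a mode where entries can only be used by the thread that created
+them, whether the bcctr[l] instruction prevents speculation, and
+whether a speculation barrier instruction (ori 31,31,0) is provided.
+
+The behaviour field describes actions that software should take to
+prevent inadvertent information disclosure, and thus describes which
+vulnerabilities the hardware is subject to; specifically whether the
+L1 data cache should be flushed when returning to user mode from the
+kernel, and whether a speculation barrier should be placed between an
+array bounds check and the array access.
+
+These fields use the same bit definitions as the new
+H_GET_CPU_CHARACTERISTICS hypercall.
+
 5. The kvm_run structure
 ------------------------
 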
+25
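--- a/arch/powerpc/include/uapi/asm/kvm.h
+++ b/arch/powerpc/include/uapi/asm/kvm.h
@@ -443,6 +443,31 @@
 	__u32 ap_encodings[8];
 };
 
+/* For KVM_PPC_GET_CPU_CHAR */
+struct kvm_ppc_cpu_char {
+	__u64	character;		/* characteristics of the CPU */
+	__u64	behaviour;		/* recommended software behaviour */
+	__u64	character_mask;		/* valid bits in character */
+	__u64	behaviour_mask;		/* valid bits in behaviour */
+};
+
+/*
+ * Values for character and character_mask.
+ * These are identical to the values used by H_GET_CPU_CHARACTERISTICS.
+ */
+#define KVM_PPC_CPU_CHAR_SPEC_BAR_ORI31		(1ULL << 63)
+#define KVM_PPC_CPU_CHAR_BCCTRL_SERIALISED	(1ULL << 62)
+#define KVM_PPC_CPU_CHAR_L1D_FLUSH_ORI30	(1ULL << 61)
+#define KVM_PPC_CPU_CHAR_L1D_FLUSH_TRIG2	(1ULL << 60)
+#define KVM_PPC_CPU_CHAR_L1D_THREAD_PRIV	(1ULL << 59)
+#define KVM_PPC_CPU_CHAR_BR_HINT_HONOURED	(1ULL << 58)
+#define KVM_PPC_CPU_CHAR_MTTRIG_THR_RECONF	(1ULL << 57)
+#define KVM_PPC_CPU_CHAR_COUNT_CACHE_DIS	(1ULL << 56)
+
+#define KVM_PPC_CPU_BEHAV_FAVOUR_SECURITY	(1ULL << 63)
+#define KVM_PPC_CPU_BEHAV_L1D_FLUSH_PR		(1ULL << 62)
+#define KVM_PPC_CPU_BEHAV_BNDS_CHK_SPEC_BAR	(1ULL << 61)
+
 /* Per-vcpu XICS interrupt controller state */
 #define KVM_REG_PPC_ICP_STATE	(KVM_REG_PPC | KVM_REG_SIZE_U64 | 0x8c)
 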
+131
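--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -39,6 +39,10 @@
 #include <asm/iommu.h>
 #include <asm/switch_to.h>
 #include <asm/xive.h>
+#ifdef CONFIG_PPC_PSERIES
+#include <asm/hvcall.h>
+#include <asm/plpar_wrappers.h>
+#endif
 
 #include "timing.h"
 #include "irq.h"
@@ -552,6 +548,7 @@
 #ifdef CONFIG_KVM_XICS
 	case KVM_CAP_IRQ_XICS:
 #endif
+	case KVM_CAP_PPC_GET_CPU_CHAR:
 		r = 1;
 		break;
 
@@ -1764,6 +1759,124 @@
 	return r;
 }
 
+#ifdef CONFIG_PPC_BOOK3S_64
+/*
+ * These functions check whether the underlying hardware is safe
+ * against attacks based on observing the effects of speculatively
+ * executed instructions, and whether it supplies instructions for
+ * use in workarounds.  The information comes from firmware, either
+ * via the device tree on powernv platforms or from an hcall on
+ * pseries platforms.
+ */
+#ifdef CONFIG_PPC_PSERIES
+static int pseries_get_cpu_char(struct kvm_ppc_cpu_char *cp)
+{
+	struct h_cpu_char_result c;
+	unsigned long rc;
+
+	if (!machine_is(pseries))
+		return -ENOTTY;
+
+	rc = plpar_get_cpu_characteristics(&c);
+	if (rc == H_SUCCESS) {
+		cp->character = c.character;
+		cp->behaviour = c.behaviour;
+		cp->character_mask = KVM_PPC_CPU_CHAR_SPEC_BAR_ORI31 |
+			KVM_PPC_CPU_CHAR_BCCTRL_SERIALISED |
+			KVM_PPC_CPU_CHAR_L1D_FLUSH_ORI30 |
+			KVM_PPC_CPU_CHAR_L1D_FLUSH_TRIG2 |
+			KVM_PPC_CPU_CHAR_L1D_THREAD_PRIV |
+			KVM_PPC_CPU_CHAR_BR_HINT_HONOURED |
+			KVM_PPC_CPU_CHAR_MTTRIG_THR_RECONF |
+			KVM_PPC_CPU_CHAR_COUNT_CACHE_DIS;
+		cp->behaviour_mask = KVM_PPC_CPU_BEHAV_FAVOUR_SECURITY |
+			KVM_PPC_CPU_BEHAV_L1D_FLUSH_PR |
+			KVM_PPC_CPU_BEHAV_BNDS_CHK_SPEC_BAR;
+	}
+	return 0;
+}
+#else
+static int pseries_get_cpu_char(struct kvm_ppc_cpu_char *cp)
+{
+	return -ENOTTY;
+}
+#endif
+
+static inline bool have_fw_feat(struct device_node *fw_features,
+				const char *state, const char *name)
+{
+	struct device_node *np;
+	bool r = false;
+
+	np = of_get_child_by_name(fw_features, name);
+	if (np) {
+		r = of_property_read_bool(np, state);
+		of_node_put(np);
+	}
+	return r;
+}
+
+static int kvmppc_get_cpu_char(struct kvm_ppc_cpu_char *cp)
+{
+	struct device_node *np, *fw_features;
+	int r;
+
+	memset(cp, 0, sizeof(*cp));
+	r = pseries_get_cpu_char(cp);
+	if (r != -ENOTTY)
+		return r;
+
+	np = of_find_node_by_name(NULL, "ibm,opal");
+	if (np) {
+		fw_features = of_get_child_by_name(np, "fw-features");
+		of_node_put(np);
+		if (!fw_features)
+			return 0;
+		if (have_fw_feat(fw_features, "enabled",
+				 "inst-spec-barrier-ori31,31,0"))
+			cp->character |= KVM_PPC_CPU_CHAR_SPEC_BAR_ORI31;
+		if (have_fw_feat(fw_features, "enabled",
+				 "fw-bcctrl-serialized"))
+			cp->character |= KVM_PPC_CPU_CHAR_BCCTRL_SERIALISED;
+		if (have_fw_feat(fw_features, "enabled",
+				 "inst-l1d-flush-ori30,30,0"))
+			cp->character |= KVM_PPC_CPU_CHAR_L1D_FLUSH_ORI30;
+		if (have_fw_feat(fw_features, "enabled",
+				 "inst-l1d-flush-trig2"))
+			cp->character |= KVM_PPC_CPU_CHAR_L1D_FLUSH_TRIG2;
+		if (have_fw_feat(fw_features, "enabled",
+				 "fw-l1d-thread-split"))
+			cp->character |= KVM_PPC_CPU_CHAR_L1D_THREAD_PRIV;
+		if (have_fw_feat(fw_features, "enabled",
+				 "fw-count-cache-disabled"))
+			cp->character |= KVM_PPC_CPU_CHAR_COUNT_CACHE_DIS;
+		cp->character_mask = KVM_PPC_CPU_CHAR_SPEC_BAR_ORI31 |
+			KVM_PPC_CPU_CHAR_BCCTRL_SERIALISED |
+			KVM_PPC_CPU_CHAR_L1D_FLUSH_ORI30 |
+			KVM_PPC_CPU_CHAR_L1D_FLUSH_TRIG2 |
+			KVM_PPC_CPU_CHAR_L1D_THREAD_PRIV |
+			KVM_PPC_CPU_CHAR_COUNT_CACHE_DIS;
+
+		if (have_fw_feat(fw_features, "enabled",
+				 "speculation-policy-favor-security"))
+			cp->behaviour |= KVM_PPC_CPU_BEHAV_FAVOUR_SECURITY;
+		if (!have_fw_feat(fw_features, "disabled",
+				  "needs-l1d-flush-msr-pr-0-to-1"))
+			cp->behaviour |= KVM_PPC_CPU_BEHAV_L1D_FLUSH_PR;
+		if (!have_fw_feat(fw_features, "disabled",
+				  "needs-spec-barrier-for-bound-checks"))
+			cp->behaviour |= KVM_PPC_CPU_BEHAV_BNDS_CHK_SPEC_BAR;
+		cp->behaviour_mask = KVM_PPC_CPU_BEHAV_FAVOUR_SECURITY |
+			KVM_PPC_CPU_BEHAV_L1D_FLUSH_PR |
+			KVM_PPC_CPU_BEHAV_BNDS_CHK_SPEC_BAR;
+
+		of_node_put(fw_features);
+	}
+
+	return 0;
+}
+#endif
+
 long kvm_arch_vm_ioctl(struct file *filp,
                        unsigned int ioctl, unsigned long arg)
 {
@@ -1981,6 +1858,14 @@
 			goto out;
 		r = kvm->arch.kvm_ops->get_rmmu_info(kvm, &info);
 		if (r >= 0 && copy_to_user(argp, &info, sizeof(info)))
+			r = -EFAULT;
+		break;
+	}
+	case KVM_PPC_GET_CPU_CHAR: {
+		struct kvm_ppc_cpu_char cpuchar;
+
+		r = kvmppc_get_cpu_char(&cpuchar);
+		if (r >= 0 && copy_to_user(argp, &cpuchar, sizeof(cpuchar)))
 			r = -EFAULT;
 		break;
 	}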
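Review bot: In pseries_get_cpu_char the `rc != H_SUCCESS` path is silent — the function still returns 0 and leaves the masks at the zero the caller's memset() put there, so userspace cannot distinguish a failed or unimplemented hcall from "no bits known", and nothing in the hunk says that this is intended; a comment before `return 0;` such as `/* hcall failed or not implemented: leave both masks zero so userspace sees no valid bits */` would make the contract explicit. In kvmppc_get_cpu_char the two negated `have_fw_feat(fw_features, "disabled", ...)` checks set a behaviour bit whenever firmware does not explicitly say the mitigation is unnecessary, so an absent property is treated as "needs mitigation", whereas an absent property in the `"enabled"` checks clears the character bit; that asymmetry is the conservative choice but deserves a one-line comment (`/* no "disabled" property: assume the mitigation is still required */`) so a later cleanup does not "fix" it. The eight-term character_mask expression is also spelled out twice (once per platform path) and could be a single named constant beside the KVM_PPC_CPU_CHAR_* defines. The switch in kvm_arch_vm_ioctl that receives the new `case KVM_PPC_GET_CPU_CHAR:` begins before and ends after the last hunk.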
+3
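--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -932,6 +932,7 @@
 #define KVM_CAP_HYPERV_SYNIC2 148
 #define KVM_CAP_HYPERV_VP_INDEX 149
 #define KVM_CAP_S390_AIS_MIGRATION 150
+#define KVM_CAP_PPC_GET_CPU_CHAR 151
 
 #ifdef KVM_CAP_IRQ_ROUTING
 
@@ -1262,6 +1261,8 @@
 #define KVM_PPC_CONFIGURE_V3_MMU	_IOW(KVMIO,  0xaf, struct kvm_ppc_mmuv3_cfg)
 /* Available with KVM_CAP_PPC_RADIX_MMU */
 #define KVM_PPC_GET_RMMU_INFO	_IOW(KVMIO,  0xb0, struct kvm_ppc_rmmu_info)
+/* Available with KVM_CAP_PPC_GET_CPU_CHAR */
+#define KVM_PPC_GET_CPU_CHAR	_IOR(KVMIO,  0xb1, struct kvm_ppc_cpu_char)
 
 /* ioctl for vm fd */
 #define KVM_CREATE_DEVICE	  _IOWR(KVMIO,  0xe0, struct kvm_create_device)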