tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

powerpc/pseries: Restore default security feature flags on setup

After migration the security feature flags might have changed (e.g.,
destination system with unpatched firmware), but some flags are not
set/clear again in init_cpu_char_feature_flags() because it assumes
the security flags to be the defaults.

Additionally, if the H_GET_CPU_CHARACTERISTICS hypercall fails then
init_cpu_char_feature_flags() does not run again, which potentially
might leave the system in an insecure or sub-optimal configuration.

So, just restore the security feature flags to the defaults assumed
by init_cpu_char_feature_flags() so it can set/clear them correctly,
and to ensure safe settings are in place in case the hypercall fail.

Fixes: f636c14790ea ("powerpc/pseries: Set or clear security feature flags")
Depends-on: 19887d6a28e2 ("powerpc: Move default security feature flags")
Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>

authored by

Mauricio Faria de Oliveira and committed by
Michael Ellerman 6232774f e7347a86

+11
+11
arch/powerpc/platforms/pseries/setup.c
··· 462 462 463 463 static void init_cpu_char_feature_flags(struct h_cpu_char_result *result) 464 464 { 465 + /* 466 + * The features below are disabled by default, so we instead look to see 467 + * if firmware has *enabled* them, and set them if so. 468 + */ 465 469 if (result->character & H_CPU_CHAR_SPEC_BAR_ORI31) 466 470 security_ftr_set(SEC_FTR_SPEC_BAR_ORI31); 467 471 ··· 504 500 enum l1d_flush_type types; 505 501 bool enable; 506 502 long rc; 503 + 504 + /* 505 + * Set features to the defaults assumed by init_cpu_char_feature_flags() 506 + * so it can set/clear again any features that might have changed after 507 + * migration, and in case the hypercall fails and it is not even called. 508 + */ 509 + powerpc_security_features = SEC_FTR_DEFAULT; 507 510 508 511 rc = plpar_get_cpu_characteristics(&result); 509 512 if (rc == H_SUCCESS)