Commit cbafee55 authored by Will Deacon's avatar Will Deacon

Merge branch 'core/speculation' of...

Merge branch 'core/speculation' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into for-next/mitigations

Pull in core support for the "mitigations=" cmdline option from Thomas
Gleixner via -tip, which we can build on top of when we expose our
mitigation state via sysfs.
parents 79a3aaa7 0336e04a
+32 −0
@@ -2544,6 +2544,38 @@
			in the "bleeding edge" mini2440 support kernel at
			http://repo.or.cz/w/linux-2.6/mini2440.git

	mitigations=
			[X86,PPC,S390] Control optional mitigations for CPU
			vulnerabilities.  This is a set of curated,
			arch-independent options, each of which is an
			aggregation of existing arch-specific options.

			off
				Disable all optional CPU mitigations.  This
				improves system performance, but it may also
				expose users to several CPU vulnerabilities.
				Equivalent to: nopti [X86,PPC]
					       nospectre_v1 [PPC]
					       nobp=0 [S390]
					       nospectre_v2 [X86,PPC,S390]
					       spectre_v2_user=off [X86]
					       spec_store_bypass_disable=off [X86,PPC]
					       l1tf=off [X86]

			auto (default)
				Mitigate all CPU vulnerabilities, but leave SMT
				enabled, even if it's vulnerable.  This is for
				users who don't want to be surprised by SMT
				getting disabled across kernel upgrades, or who
				have other ways of avoiding SMT-based attacks.
				Equivalent to: (default behavior)

			auto,nosmt
				Mitigate all CPU vulnerabilities, disabling SMT
				if needed.  This is for users who always want to
				be fully mitigated, even if it means losing SMT.
				Equivalent to: l1tf=flush,nosmt [X86]

	mminit_loglevel=
			[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
			parameter allows control of the logging verbosity for
+3 −3
@@ -57,7 +57,7 @@ void setup_barrier_nospec(void)
	enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
		 security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);

	if (!no_nospec)
	if (!no_nospec && !cpu_mitigations_off())
		enable_barrier_nospec(enable);
}

@@ -116,7 +116,7 @@ static int __init handle_nospectre_v2(char *p)
early_param("nospectre_v2", handle_nospectre_v2);
void setup_spectre_v2(void)
{
	if (no_spectrev2)
	if (no_spectrev2 || cpu_mitigations_off())
		do_btb_flush_fixups();
	else
		btb_flush_enabled = true;
@@ -300,7 +300,7 @@ void setup_stf_barrier(void)

	stf_enabled_flush_types = type;

	if (!no_stf_barrier)
	if (!no_stf_barrier && !cpu_mitigations_off())
		stf_barrier_enable(enable);
}
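Review bot: With `mitigations=off`, the new guards in setup_barrier_nospec() and setup_stf_barrier() skip the `enable_barrier_nospec(enable)` / `stf_barrier_enable(enable)` call entirely instead of calling it with `false`, so the resulting state is whatever the boot-time default is, and that default is not visible in these hunks. The same pattern is used for `rfi_flush_enable(enable)` in setup_rfi_flush() in the next file section. This matches how the existing `no_*` flags behave, but if any of these setup functions can run more than once, or the default ever changes, the global switch would not actively turn the barrier off. A short comment at each guard would record the assumption, e.g. `/* mitigations=off: leave the barrier in its boot-time state, as with no_nospec */`. All three function bodies start outside their hunks.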

+1 −1
@@ -932,7 +932,7 @@ void setup_rfi_flush(enum l1d_flush_type types, bool enable)

	enabled_flush_types = types;

	if (!no_rfi_flush)
	if (!no_rfi_flush && !cpu_mitigations_off())
		rfi_flush_enable(enable);
}

+2 −1
// SPDX-License-Identifier: GPL-2.0
#include <linux/module.h>
#include <linux/device.h>
#include <linux/cpu.h>
#include <asm/nospec-branch.h>

static int __init nobp_setup_early(char *str)
@@ -58,7 +59,7 @@ early_param("nospectre_v2", nospectre_v2_setup_early);

void __init nospec_auto_detect(void)
{
	if (test_facility(156)) {
	if (test_facility(156) || cpu_mitigations_off()) {
		/*
		 * The machine supports etokens.
		 * Disable expolines and disable nobp.
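Review bot: The comment inside the branch still says "The machine supports etokens", but after this change the branch is also taken when `cpu_mitigations_off()` is true on a machine without facility 156, so the comment no longer explains why expolines and nobp are being disabled. I would reword it to cover both cases, e.g. `/* Either the machine supports etokens or mitigations=off was given: disable expolines and disable nobp. */`. The branch body continues past the end of the hunk, so what it actually changes is not visible here.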
+9 −2
@@ -440,7 +440,8 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
	char arg[20];
	int ret, i;

	if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
	if (cmdline_find_option_bool(boot_command_line, "nospectre_v2") ||
	    cpu_mitigations_off())
		return SPECTRE_V2_CMD_NONE;

	ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
@@ -672,7 +673,8 @@ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
	char arg[20];
	int ret, i;

	if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
	if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable") ||
	    cpu_mitigations_off()) {
		return SPEC_STORE_BYPASS_CMD_NONE;
	} else {
		ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
@@ -1008,6 +1010,11 @@ static void __init l1tf_select_mitigation(void)
	if (!boot_cpu_has_bug(X86_BUG_L1TF))
		return;

	if (cpu_mitigations_off())
		l1tf_mitigation = L1TF_MITIGATION_OFF;
	else if (cpu_mitigations_auto_nosmt())
		l1tf_mitigation = L1TF_MITIGATION_FLUSH_NOSMT;

	override_cache_bits(&boot_cpu_data);

	switch (l1tf_mitigation) {
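Review bot: In l1tf_select_mitigation() the new block assigns `l1tf_mitigation` unconditionally, so if that variable was already set from an explicit `l1tf=` option (the parsing is outside this hunk), `mitigations=auto,nosmt` would replace a stricter choice such as `l1tf=full,force` with `L1TF_MITIGATION_FLUSH_NOSMT`. That is surprising for an option documented as being for users who "always want to be fully mitigated". Either apply the global value only when no `l1tf=` option was given, or state the precedence in a comment here and in the `mitigations=` documentation, e.g. `/* mitigations= takes precedence over any l1tf= setting */`. The function body starts before and continues after the hunk.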