[thirdparty/kernel/stable-queue.git] / queue-4.4 / cpu-speculation-add-mitigations-cmdline-option.patch

From foo@baz Tue 14 May 2019 08:29:35 PM CEST
From: Josh Poimboeuf <jpoimboe@redhat.com>
Date: Fri, 12 Apr 2019 15:39:28 -0500
Subject: cpu/speculation: Add 'mitigations=' cmdline option

From: Josh Poimboeuf <jpoimboe@redhat.com>

commit 98af8452945c55652de68536afdde3b520fec429 upstream.

Keeping track of the number of mitigations for all the CPU speculation
bugs has become overwhelming for many users.  It's getting more and more
complicated to decide which mitigations are needed for a given
architecture.  Complicating matters is the fact that each arch tends to
have its own custom way to mitigate the same vulnerability.

Most users fall into a few basic categories:

a) they want all mitigations off;

b) they want all reasonable mitigations on, with SMT enabled even if
   it's vulnerable; or

c) they want all reasonable mitigations on, with SMT disabled if
   vulnerable.

Define a set of curated, arch-independent options, each of which is an
aggregation of existing options:

- mitigations=off: Disable all mitigations.

- mitigations=auto: [default] Enable all the default mitigations, but
  leave SMT enabled, even if it's vulnerable.

- mitigations=auto,nosmt: Enable all the default mitigations, disabling
  SMT if needed by a mitigation.

Currently, these options are placeholders which don't actually do
anything.  They will be fleshed out in upcoming patches.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
Reviewed-by: Jiri Kosina <jkosina@suse.cz>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Waiman Long <longman@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-arch@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Steven Price <steven.price@arm.com>
Cc: Phil Auld <pauld@redhat.com>
Link: https://lkml.kernel.org/r/b07a8ef9b7c5055c3a4637c87d07c296d5016fe0.1555085500.git.jpoimboe@redhat.com
[bwh: Backported to 4.4:
 - Drop the auto,nosmt option which we can't support
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/kernel-parameters.txt |   19 +++++++++++++++++++
 include/linux/cpu.h                 |   17 +++++++++++++++++
 kernel/cpu.c                        |   13 +++++++++++++
 3 files changed, 49 insertions(+)

--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2173,6 +2173,25 @@ bytes respectively. Such letter suffixes
 			in the "bleeding edge" mini2440 support kernel at
 			http://repo.or.cz/w/linux-2.6/mini2440.git
 
+	mitigations=
+			Control optional mitigations for CPU vulnerabilities.
+			This is a set of curated, arch-independent options, each
+			of which is an aggregation of existing arch-specific
+			options.
+
+			off
+				Disable all optional CPU mitigations.  This
+				improves system performance, but it may also
+				expose users to several CPU vulnerabilities.
+
+			auto (default)
+				Mitigate all CPU vulnerabilities, but leave SMT
+				enabled, even if it's vulnerable.  This is for
+				users who don't want to be surprised by SMT
+				getting disabled across kernel upgrades, or who
+				have other ways of avoiding SMT-based attacks.
+				This is the default behavior.
+
 	mminit_loglevel=
 			[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
 			parameter allows control of the logging verbosity for
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -296,4 +296,21 @@ bool cpu_wait_death(unsigned int cpu, in
 bool cpu_report_death(void);
 #endif /* #ifdef CONFIG_HOTPLUG_CPU */
 
+/*
+ * These are used for a global "mitigations=" cmdline option for toggling
+ * optional CPU mitigations.
+ */
+enum cpu_mitigations {
+	CPU_MITIGATIONS_OFF,
+	CPU_MITIGATIONS_AUTO,
+};
+
+extern enum cpu_mitigations cpu_mitigations;
+
+/* mitigations=off */
+static inline bool cpu_mitigations_off(void)
+{
+	return cpu_mitigations == CPU_MITIGATIONS_OFF;
+}
+
 #endif /* _LINUX_CPU_H_ */
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -842,3 +842,16 @@ void init_cpu_online(const struct cpumas
 {
 	cpumask_copy(to_cpumask(cpu_online_bits), src);
 }
+
+enum cpu_mitigations cpu_mitigations = CPU_MITIGATIONS_AUTO;
+
+static int __init mitigations_parse_cmdline(char *arg)
+{
+	if (!strcmp(arg, "off"))
+		cpu_mitigations = CPU_MITIGATIONS_OFF;
+	else if (!strcmp(arg, "auto"))
+		cpu_mitigations = CPU_MITIGATIONS_AUTO;
+
+	return 0;
+}
+early_param("mitigations", mitigations_parse_cmdline);
Commit	Line	Data
1f91e7a4 GKH	1	From foo@baz Tue 14 May 2019 08:29:35 PM CEST
	2	From: Josh Poimboeuf <jpoimboe@redhat.com>
	3	Date: Fri, 12 Apr 2019 15:39:28 -0500
	4	Subject: cpu/speculation: Add 'mitigations=' cmdline option
	5
	6	From: Josh Poimboeuf <jpoimboe@redhat.com>
	7
	8	commit 98af8452945c55652de68536afdde3b520fec429 upstream.
	9
	10	Keeping track of the number of mitigations for all the CPU speculation
	11	bugs has become overwhelming for many users. It's getting more and more
	12	complicated to decide which mitigations are needed for a given
	13	architecture. Complicating matters is the fact that each arch tends to
	14	have its own custom way to mitigate the same vulnerability.
	15
	16	Most users fall into a few basic categories:
	17
	18	a) they want all mitigations off;
	19
	20	b) they want all reasonable mitigations on, with SMT enabled even if
	21	it's vulnerable; or
	22
	23	c) they want all reasonable mitigations on, with SMT disabled if
	24	vulnerable.
	25
	26	Define a set of curated, arch-independent options, each of which is an
	27	aggregation of existing options:
	28
	29	- mitigations=off: Disable all mitigations.
	30
	31	- mitigations=auto: [default] Enable all the default mitigations, but
	32	leave SMT enabled, even if it's vulnerable.
	33
	34	- mitigations=auto,nosmt: Enable all the default mitigations, disabling
	35	SMT if needed by a mitigation.
	36
	37	Currently, these options are placeholders which don't actually do
	38	anything. They will be fleshed out in upcoming patches.
	39
	40	Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
	41	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	42	Tested-by: Jiri Kosina <jkosina@suse.cz> (on x86)
	43	Reviewed-by: Jiri Kosina <jkosina@suse.cz>
	44	Cc: Borislav Petkov <bp@alien8.de>
	45	Cc: "H . Peter Anvin" <hpa@zytor.com>
	46	Cc: Andy Lutomirski <luto@kernel.org>
	47	Cc: Peter Zijlstra <peterz@infradead.org>
	48	Cc: Jiri Kosina <jikos@kernel.org>
	49	Cc: Waiman Long <longman@redhat.com>
	50	Cc: Andrea Arcangeli <aarcange@redhat.com>
	51	Cc: Jon Masters <jcm@redhat.com>
	52	Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
	53	Cc: Paul Mackerras <paulus@samba.org>
	54	Cc: Michael Ellerman <mpe@ellerman.id.au>
	55	Cc: linuxppc-dev@lists.ozlabs.org
	56	Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
	57	Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
	58	Cc: linux-s390@vger.kernel.org
	59	Cc: Catalin Marinas <catalin.marinas@arm.com>
	60	Cc: Will Deacon <will.deacon@arm.com>
	61	Cc: linux-arm-kernel@lists.infradead.org
	62	Cc: linux-arch@vger.kernel.org
	63	Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	64	Cc: Tyler Hicks <tyhicks@canonical.com>
65	Cc: Linus Torvalds <torvalds@linux-foundation.org>
66	Cc: Randy Dunlap <rdunlap@infradead.org>
67	Cc: Steven Price <steven.price@arm.com>
68	Cc: Phil Auld <pauld@redhat.com>
69	Link: https://lkml.kernel.org/r/b07a8ef9b7c5055c3a4637c87d07c296d5016fe0.1555085500.git.jpoimboe@redhat.com
70	[bwh: Backported to 4.4:
71	- Drop the auto,nosmt option which we can't support
72	- Adjust filename]
73	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
74	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
75	---
76	Documentation/kernel-parameters.txt \| 19 +++++++++++++++++++
77	include/linux/cpu.h \| 17 +++++++++++++++++
78	kernel/cpu.c \| 13 +++++++++++++
79	3 files changed, 49 insertions(+)
80
81	--- a/Documentation/kernel-parameters.txt
82	+++ b/Documentation/kernel-parameters.txt
83	@@ -2173,6 +2173,25 @@ bytes respectively. Such letter suffixes
84	in the "bleeding edge" mini2440 support kernel at
85	http://repo.or.cz/w/linux-2.6/mini2440.git
86
87	+ mitigations=
88	+ Control optional mitigations for CPU vulnerabilities.
89	+ This is a set of curated, arch-independent options, each
90	+ of which is an aggregation of existing arch-specific
91	+ options.
92	+
93	+ off
94	+ Disable all optional CPU mitigations. This
95	+ improves system performance, but it may also
96	+ expose users to several CPU vulnerabilities.
97	+
98	+ auto (default)
99	+ Mitigate all CPU vulnerabilities, but leave SMT
100	+ enabled, even if it's vulnerable. This is for
101	+ users who don't want to be surprised by SMT
102	+ getting disabled across kernel upgrades, or who
103	+ have other ways of avoiding SMT-based attacks.
104	+ This is the default behavior.
105	+
106	mminit_loglevel=
107	[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
108	parameter allows control of the logging verbosity for
109	--- a/include/linux/cpu.h
110	+++ b/include/linux/cpu.h
111	@@ -296,4 +296,21 @@ bool cpu_wait_death(unsigned int cpu, in
112	bool cpu_report_death(void);
113	#endif /* #ifdef CONFIG_HOTPLUG_CPU */
114
115	+/*
116	+ * These are used for a global "mitigations=" cmdline option for toggling
117	+ * optional CPU mitigations.
118	+ */
119	+enum cpu_mitigations {
120	+ CPU_MITIGATIONS_OFF,
121	+ CPU_MITIGATIONS_AUTO,
122	+};
123	+
124	+extern enum cpu_mitigations cpu_mitigations;
125	+
126	+/* mitigations=off */
127	+static inline bool cpu_mitigations_off(void)
128	+{
129	+ return cpu_mitigations == CPU_MITIGATIONS_OFF;
130	+}
131	+
132	#endif /* _LINUX_CPU_H_ */
133	--- a/kernel/cpu.c
134	+++ b/kernel/cpu.c
135	@@ -842,3 +842,16 @@ void init_cpu_online(const struct cpumas
136	{
137	cpumask_copy(to_cpumask(cpu_online_bits), src);
138	}
139	+
140	+enum cpu_mitigations cpu_mitigations = CPU_MITIGATIONS_AUTO;
141	+
142	+static int __init mitigations_parse_cmdline(char *arg)
143	+{
144	+ if (!strcmp(arg, "off"))
145	+ cpu_mitigations = CPU_MITIGATIONS_OFF;
146	+ else if (!strcmp(arg, "auto"))
147	+ cpu_mitigations = CPU_MITIGATIONS_AUTO;
148	+
149	+ return 0;
150	+}
151	+early_param("mitigations", mitigations_parse_cmdline);