On Fri, Apr 05, 2019 at 11:10:22AM +0100, Andre Przywara wrote: > On Wed, 3 Apr 2019 17:50:05 +0100 > Will Deacon <[email protected]> wrote: > > > Hi Jeremy, > > > > On Thu, Mar 21, 2019 at 06:05:56PM -0500, Jeremy Linton wrote: > > > Return status based on ssbd_state and the arm64 SSBS feature. If > > > the mitigation is disabled, or the firmware isn't responding then > > > return the expected machine state based on a new blacklist of known > > > vulnerable cores. > > > > > > Signed-off-by: Jeremy Linton <[email protected]> > > > Reviewed-by: Andre Przywara <[email protected]> > > > Tested-by: Stefan Wahren <[email protected]> > > > --- > > > arch/arm64/kernel/cpu_errata.c | 44 ++++++++++++++++++++++++++++++++++ > > > 1 file changed, 44 insertions(+) > > > > > > diff --git a/arch/arm64/kernel/cpu_errata.c > > > b/arch/arm64/kernel/cpu_errata.c > > > index 6958dcdabf7d..172ffbabd597 100644 > > > --- a/arch/arm64/kernel/cpu_errata.c > > > +++ b/arch/arm64/kernel/cpu_errata.c > > > @@ -278,6 +278,7 @@ static int detect_harden_bp_fw(void) > > > DEFINE_PER_CPU_READ_MOSTLY(u64, arm64_ssbd_callback_required); > > > > > > int ssbd_state __read_mostly = ARM64_SSBD_KERNEL; > > > +static bool __ssb_safe = true; > > > > > > static const struct ssbd_options { > > > const char *str; > > > @@ -386,6 +387,9 @@ static bool has_ssbd_mitigation(const struct > > > arm64_cpu_capabilities *entry, > > > > > > WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible()); > > > > > > + if (is_midr_in_range_list(read_cpuid_id(), entry->midr_range_list)) > > > + __ssb_safe = false; > > > + > > > > Does this mean that we assume that CPUs not present in our table are not > > affected by speculative store bypass? > > No, not affected are only those where we either have SSBS or the firmware > explicitly returns SMCCC_RET_NOT_REQUIRED. This is governed by ssbd_state. > So this doesn't affect correctness.
I don't think that's true. My TX2, for example, says "Not affected" for spec_store_bypass, but we don't actually know whether it's affected or not and so it should report "Vulnerable" instead, like we do for spectre_v2 on the same machine. > __ssb_safe is an additional state just used for the sysfs output. But > indeed it looks like this is wrong if the CPU is both not listed and the > system doesn't provide the firmware interface: AFAICS we would report "Not > affected" in this case. Yes, that's what I was getting at. > > I don't think that's a good > > assumption, because we don't necessary have knowledge about partner or > > future CPU implementations, so I think any CPU lists really have to be > > whitelists like they are for the other vulnerabilities. > > I think the idea was to cover all those "legacy" systems which have > older cores (no SSBS), but didn't get an firmware update. So your old Seattle > would truthfully report "Vulnerable", but any random A53 device would > report "Not affected", even with ancient firmware. The only manageable way to deal with this is to use a whitelist, just like we do for the other vulnerabilities. We shouldn't have to update it for long because newer cores should have SSBS. Will
