From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <konrad.wilk@oracle.com>
Received: from aserp2130.oracle.com ([141.146.126.79])
	by Galois.linutronix.de with esmtps (TLS1.2:RSA_AES_256_CBC_SHA256:256)
	(Exim 4.80)
	(envelope-from <konrad.wilk@oracle.com>)
	id 1fCxwB-0006OU-5U
	for speck@linutronix.de; Mon, 30 Apr 2018 03:49:07 +0200
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1])
	by aserp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w3U1n0ns101815
	for <speck@linutronix.de>; Mon, 30 Apr 2018 01:49:00 GMT
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234])
	by aserp2130.oracle.com with ESMTP id 2hmeg5jdwq-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
	for <speck@linutronix.de>; Mon, 30 Apr 2018 01:48:59 +0000
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75])
	by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w3U1mwxc013848
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
	for <speck@linutronix.de>; Mon, 30 Apr 2018 01:48:59 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25])
	by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w3U1mwBN024158
	for <speck@linutronix.de>; Mon, 30 Apr 2018 01:48:58 GMT
Date: Sun, 29 Apr 2018 21:48:56 -0400
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Subject: [MODERATED] Re: [patch V7 13/15] SBB 13
Message-ID: <20180430014856.GB29389@char.us.oracle.com>
References: <20180429193045.711908246@linutronix.de>
 <20180429193938.557096663@linutronix.de>
MIME-Version: 1.0
In-Reply-To: <20180429193938.557096663@linutronix.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID: <speck.linutronix.de>

On Sun, Apr 29, 2018 at 09:30:58PM +0200, speck for Thomas Gleixner wrote:
> Subject: [patch V7 13/15] prctl: Add speculation control prctls
> From: Thomas Gleixner <tglx@linutronix.de>
> 
> Add two new prctls to control aspects of speculation related vulnerabilites
> and their mitigations.
> 
> PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
> which is selected with arg2 of prctl(2). The return value uses bit 0-2 with
> the following meaning:
> 
> PR_SPEC_PRCTL:	PRCTL per task control of the mitigation is enabled

This reads to me as "mitigation is engaged right now".

But in reality it means: "Hey, you can fiddle with the PR_SET_SPECULATION_CTRL if you
would like"

Perhaps change this to say:
	"PRCTL per task control of the mitigation can be controlled by PR_SET_SPECULATION_CTRL"

but that is not true either (see the next patch, perhaps that is a bug?)

	 
> PR_SPEC_ENABLE:	The speculation feature is enabled, mitigation is disabled
> PR_SPEC_DISABLE:The speculation feature is disabled, mitigation is enabled
> 
> If all bits are 0 the CPU is not affected by the speculation misfeature. If
> bit0 is set, then the per task control of the mitigation is enabled. If not

s/enabled/available/?

> set, prctl(PR_SET_SPECULATION_CTRL) for the speculation misfeature will
> fail.
> 
> PR_GET_SPECULATION_CTRL allows to control the speculation misfeature, which

s/GET/SET/

> is selected by arg2 of prctl(2) per task. arg3 is used to hand in either
> PR_SPEC_ENABLE or PR_SPEC_DISABLE.
> 
> The common return values are:
> 
> -EINVAL: prctl is not implemented by the architecture
> -ENODEV: arg2 is selecting a not supported speculation misfeature
> 
> PR_SET_SPECULATION_CTRL has these additional return values:
> 
> -ERANGE: arg3 is incorrect, i.e. it's not either PR_SPEC_ENABLE or PR_SPEC_DISABLE
> -ENXIO:  prctl control of the selected speculation misfeature is disabled
> 
> The first supported controllable speculation misfeature is
> PR_SPEC_STORE_BYPASS. Add the define so this can be shared between
> architectures.
> 
> TODO: Tidy up spec_ctrl.rst and write a man prctl(2) patch.
> 
> Based on an intial patch from Tim Chen and mostly rewritten.
> 
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> ---
>  Documentation/userspace-api/index.rst     |    1 
>  Documentation/userspace-api/spec_ctrl.rst |   65 ++++++++++++++++++++++++++++++
>  include/linux/nospec.h                    |    5 ++
>  include/uapi/linux/prctl.h                |   11 +++++
>  kernel/sys.c                              |   18 ++++++++
>  5 files changed, 100 insertions(+)
> 
> --- a/Documentation/userspace-api/index.rst
> +++ b/Documentation/userspace-api/index.rst
> @@ -19,6 +19,7 @@ place where this information is gathered
>     no_new_privs
>     seccomp_filter
>     unshare
> +   spec_ctrl
>  
>  .. only::  subproject and html
>  
> --- /dev/null
> +++ b/Documentation/userspace-api/spec_ctrl.rst
> @@ -0,0 +1,65 @@
> +===================
> +Speculation Control
> +===================
> +
> +Quite some CPUs have speculation related misfeatures which are in fact
> +vulnerabilites causing data leaks in various forms even accross privilege
> +domains.
> +
> +The kernel provides mitigation for such vulnerabilities in various
> +forms. Some of these mitigations are compile time configurable and some on
> +the kernel command line.
> +
> +There is also a class of mitigations which is very expensive, but they can
> +be restricted to a certain set of processes or tasks in controlled
> +environments. The mechanism to control these mitigations is via ``prctl(2)``.
> +
> +There are two prctl options which are related to this:
> +
> + - PR_GET_SPECULATION_CTRL
> +
> + - PR_SET_SPECULATION_CTRL
> +
> +PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
> +which is selected with arg2 of prctl(2). The return value uses bit 0-2 with
> +the following meaning:
> +
> +PR_SPEC_PRCTL:	PRCTL per task control of the mitigation is enabled

See above.
> +PR_SPEC_ENABLE:	The speculation feature is enabled, mitigation is disabled
> +PR_SPEC_DISABLE:The speculation feature is disabled, mitigation is enabled
> +
> +If all bits are 0 the CPU is not affected by the speculation misfeature. If
> +bit0 is set, then the per task control of the mitigation is enabled. If not
> +set, prctl(PR_SET_SPECULATION_CTRL) for the speculation misfeature will
> +fail.
> +
> +PR_GET_SPECULATION_CTRL allows to control the speculation misfeature, which

s/GET/SET/
> +is selected by arg2 of prctl(2) per task. arg3 is used to hand in either
> +PR_SPEC_ENABLE or PR_SPEC_DISABLE.
> +
> +The common return values are:
> +
> +-EINVAL: prctl is not implemented by the architecture
> +-ENODEV: arg2 is selecting a not supported speculation misfeature
> +
> +PR_SET_SPECULATION_CTRL has these additional return values:
> +
> +-ERANGE: arg3 is incorrect, i.e. it's not either PR_SPEC_ENABLE or PR_SPEC_DISABLE
> +-ENXIO:  prctl control of the selected speculation misfeature is disabled
> +
> +The following supported controllable speculation misfeatures are implemented:
> +
> +- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
> +
> +  To control it the following prctl() invocations are used:
> +
> +    prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS);
> +
> +  and

s/and if PR_SPEC_PRCTL bit is set then:/ 
> +
> +    prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE);

s/GET/SET/
> +
> +    or
> +
> +    prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE);

s/GET/SET/
> +
> --- a/include/linux/nospec.h
> +++ b/include/linux/nospec.h
> @@ -55,4 +55,9 @@ static inline unsigned long array_index_
>  									\
>  	(typeof(_i)) (_i & _mask);					\
>  })
> +
> +/* Speculation control prctl */
> +int arch_prctl_set_spec_ctrl(unsigned long which, unsigned long ctrl);
> +int arch_prctl_get_spec_ctrl(unsigned long which);
> +
>  #endif /* _LINUX_NOSPEC_H */
> --- a/include/uapi/linux/prctl.h
> +++ b/include/uapi/linux/prctl.h
> @@ -207,4 +207,15 @@ struct prctl_mm_map {
>  # define PR_SVE_VL_LEN_MASK		0xffff
>  # define PR_SVE_VL_INHERIT		(1 << 17) /* inherit across exec */
>  
> +/* Per task speculation control */
> +#define PR_SET_SPECULATION_CTRL		52
> +#define PR_GET_SPECULATION_CTRL		53
> +/* Speculation control variants */
> +# define PR_SPEC_STORE_BYPASS		0
> +/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
> +# define PR_SPEC_NOT_AFFECTED		0
> +# define PR_SPEC_PRCTL			(1UL << 0)
> +# define PR_SPEC_ENABLE			(1UL << 1)
> +# define PR_SPEC_DISABLE		(1UL << 2)
> +
>  #endif /* _LINUX_PRCTL_H */
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -61,6 +61,8 @@
>  #include <linux/uidgid.h>
>  #include <linux/cred.h>
>  
> +#include <linux/nospec.h>
> +
>  #include <linux/kmsg_dump.h>
>  /* Move somewhere else to avoid recompiling? */
>  #include <generated/utsrelease.h>
> @@ -2242,6 +2244,16 @@ static int propagate_has_child_subreaper
>  	return 1;
>  }
>  
> +int __weak arch_prctl_set_spec_ctrl(unsigned long which, unsigned long ctrl)
> +{
> +	return -EINVAL;
> +}
> +
> +int __weak arch_prctl_get_spec_ctrl(unsigned long which)
> +{
> +	return -EINVAL;
> +}
> +
>  SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
>  		unsigned long, arg4, unsigned long, arg5)
>  {
> @@ -2450,6 +2462,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
>  	case PR_SVE_GET_VL:
>  		error = SVE_GET_VL();
>  		break;
> +	case PR_SET_SPECULATION_CTRL:
> +		error = arch_prctl_set_spec_ctrl(arg2, arg3);

Would it make sense to also test arg4, arg5? And if somebody provided any value
in them to return -EINVAL?

> +		break;
> +	case PR_GET_SPECULATION_CTRL:
> +		error = arch_prctl_get_spec_ctrl(arg2);

Ditto here (with obviously checking for arg3 as well)?

> +		break;
>  	default:
>  		error = -EINVAL;
>  		break;
>