From: Charlie Jenkins <charlie@rivosinc.com>
To: Conor Dooley <conor@kernel.org>
Cc: Rob Herring <robh@kernel.org>,
Krzysztof Kozlowski <krzk+dt@kernel.org>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Jisheng Zhang <jszhang@kernel.org>, Chen-Yu Tsai <wens@csie.org>,
Jernej Skrabec <jernej.skrabec@gmail.com>,
Samuel Holland <samuel@sholland.org>,
Samuel Holland <samuel.holland@sifive.com>,
Jonathan Corbet <corbet@lwn.net>, Shuah Khan <shuah@kernel.org>,
Guo Ren <guoren@kernel.org>, Evan Green <evan@rivosinc.com>,
Andy Chiu <andy.chiu@sifive.com>,
Jessica Clarke <jrtc27@jrtc27.com>,
Andrew Jones <ajones@ventanamicro.com>,
linux-riscv@lists.infradead.org, devicetree@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-sunxi@lists.linux.dev,
linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v10 14/14] riscv: Add ghostwrite vulnerability
Date: Mon, 16 Sep 2024 11:44:04 -0700 [thread overview]
Message-ID: <Zuh8dLsA50IHXymz@ghost> (raw)
In-Reply-To: <20240916-pretext-freehand-20dca1376cd4@spud>
On Mon, Sep 16, 2024 at 06:12:04PM +0100, Conor Dooley wrote:
> On Wed, Sep 11, 2024 at 10:55:22PM -0700, Charlie Jenkins wrote:
> > Follow the patterns of the other architectures that use
> > GENERIC_CPU_VULNERABILITIES for riscv to introduce the ghostwrite
> > vulnerability and mitigation. The mitigation is to disable all vector
> > which is accomplished by clearing the bit from the cpufeature field.
> >
> > Ghostwrite only affects thead c9xx CPUs that impelment xtheadvector, so
> > the vulerability will only be mitigated on these CPUs.
> >
> > Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
> > ---
> > arch/riscv/Kconfig.errata | 11 ++++++++
> > arch/riscv/errata/thead/errata.c | 28 ++++++++++++++++++
> > arch/riscv/include/asm/bugs.h | 22 +++++++++++++++
> > arch/riscv/include/asm/errata_list.h | 3 +-
> > arch/riscv/kernel/Makefile | 2 ++
> > arch/riscv/kernel/bugs.c | 55 ++++++++++++++++++++++++++++++++++++
> > arch/riscv/kernel/cpufeature.c | 9 +++++-
> > drivers/base/cpu.c | 3 ++
> > include/linux/cpu.h | 1 +
> > 9 files changed, 132 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/riscv/Kconfig.errata b/arch/riscv/Kconfig.errata
> > index 2acc7d876e1f..e318119d570d 100644
> > --- a/arch/riscv/Kconfig.errata
> > +++ b/arch/riscv/Kconfig.errata
> > @@ -119,4 +119,15 @@ config ERRATA_THEAD_PMU
> >
> > If you don't know what to do here, say "Y".
> >
> > +config ERRATA_THEAD_GHOSTWRITE
> > + bool "Apply T-Head Ghostwrite errata"
> > + depends on ERRATA_THEAD && RISCV_ISA_XTHEADVECTOR
> > + default y
> > + help
> > + The T-Head C9xx cores have a vulnerability in the xtheadvector
> > + instruction set. When this errata is enabled, the CPUs will be probed
> > + to determine if they are vulnerable and disable xtheadvector.
> > +
> > + If you don't know what to do here, say "Y".
> > +
> > endmenu # "CPU errata selection"
> > diff --git a/arch/riscv/errata/thead/errata.c b/arch/riscv/errata/thead/errata.c
> > index f5120e07c318..5cc008ab41a8 100644
> > --- a/arch/riscv/errata/thead/errata.c
> > +++ b/arch/riscv/errata/thead/errata.c
> > @@ -10,6 +10,7 @@
> > #include <linux/string.h>
> > #include <linux/uaccess.h>
> > #include <asm/alternative.h>
> > +#include <asm/bugs.h>
> > #include <asm/cacheflush.h>
> > #include <asm/cpufeature.h>
> > #include <asm/dma-noncoherent.h>
> > @@ -142,6 +143,31 @@ static bool errata_probe_pmu(unsigned int stage,
> > return true;
> > }
> >
> > +static bool errata_probe_ghostwrite(unsigned int stage,
> > + unsigned long arch_id, unsigned long impid)
> > +{
> > + if (!IS_ENABLED(CONFIG_ERRATA_THEAD_GHOSTWRITE))
> > + return false;
> > +
> > + /*
> > + * target-c9xx cores report arch_id and impid as 0
> > + *
> > + * While ghostwrite may not affect all c9xx cores that implement
> > + * xtheadvector, there is no futher granularity than c9xx. Assume
> > + * vulnerable for this entire class of processors when xtheadvector is
> > + * enabled.
> > + */
>
> Is it not possible to use the cpu compatible string for this? Given that
> we only know if xtheadvector is enabled once we are already parsing the
> cpu node devicetree, it seems, to me, as if it should be possible to be
> more granular. AFAIU, some T-Head c900 series devices are not venerable.
Sure we can do that. I figured that since T-Head didn't feel it was
valuable to change the archid/implid between cores that Linux shouldn't
go out of its way to fix the granularity issue. Since you think it is
worthwhile though, I can try to work around this hardware issue.
- Charlie
>
> Cheers,
> Conor.
>
> > + if (arch_id != 0 || impid != 0)
> > + return false;
> > +
> > + if (stage != RISCV_ALTERNATIVES_EARLY_BOOT)
> > + return false;
> > +
> > + ghostwrite_set_vulnerable();
> > +
> > + return true;
> > +}
> > +
> > static u32 thead_errata_probe(unsigned int stage,
> > unsigned long archid, unsigned long impid)
> > {
> > @@ -155,6 +181,8 @@ static u32 thead_errata_probe(unsigned int stage,
> > if (errata_probe_pmu(stage, archid, impid))
> > cpu_req_errata |= BIT(ERRATA_THEAD_PMU);
> >
> > + errata_probe_ghostwrite(stage, archid, impid);
> > +
> > return cpu_req_errata;
> > }
> >
> > diff --git a/arch/riscv/include/asm/bugs.h b/arch/riscv/include/asm/bugs.h
> > new file mode 100644
> > index 000000000000..e294b15bf78e
> > --- /dev/null
> > +++ b/arch/riscv/include/asm/bugs.h
> > @@ -0,0 +1,22 @@
> > +/* SPDX-License-Identifier: GPL-2.0-only */
> > +/*
> > + * Interface for managing mitigations for riscv vulnerabilities.
> > + *
> > + * Copyright (C) 2024 Rivos Inc.
> > + */
> > +
> > +#ifndef __ASM_BUGS_H
> > +#define __ASM_BUGS_H
> > +
> > +/* Watch out, ordering is important here. */
> > +enum mitigation_state {
> > + UNAFFECTED,
> > + MITIGATED,
> > + VULNERABLE,
> > +};
> > +
> > +void ghostwrite_set_vulnerable(void);
> > +void ghostwrite_enable_mitigation(void);
> > +enum mitigation_state ghostwrite_get_state(void);
> > +
> > +#endif /* __ASM_BUGS_H */
> > diff --git a/arch/riscv/include/asm/errata_list.h b/arch/riscv/include/asm/errata_list.h
> > index 7c8a71a526a3..6e426ed7919a 100644
> > --- a/arch/riscv/include/asm/errata_list.h
> > +++ b/arch/riscv/include/asm/errata_list.h
> > @@ -25,7 +25,8 @@
> > #ifdef CONFIG_ERRATA_THEAD
> > #define ERRATA_THEAD_MAE 0
> > #define ERRATA_THEAD_PMU 1
> > -#define ERRATA_THEAD_NUMBER 2
> > +#define ERRATA_THEAD_GHOSTWRITE 2
> > +#define ERRATA_THEAD_NUMBER 3
> > #endif
> >
> > #ifdef __ASSEMBLY__
> > diff --git a/arch/riscv/kernel/Makefile b/arch/riscv/kernel/Makefile
> > index 06d407f1b30b..d7a54e34178e 100644
> > --- a/arch/riscv/kernel/Makefile
> > +++ b/arch/riscv/kernel/Makefile
> > @@ -113,3 +113,5 @@ obj-$(CONFIG_COMPAT) += compat_vdso/
> > obj-$(CONFIG_64BIT) += pi/
> > obj-$(CONFIG_ACPI) += acpi.o
> > obj-$(CONFIG_ACPI_NUMA) += acpi_numa.o
> > +
> > +obj-$(CONFIG_GENERIC_CPU_VULNERABILITIES) += bugs.o
> > diff --git a/arch/riscv/kernel/bugs.c b/arch/riscv/kernel/bugs.c
> > new file mode 100644
> > index 000000000000..0c19691b4cd5
> > --- /dev/null
> > +++ b/arch/riscv/kernel/bugs.c
> > @@ -0,0 +1,55 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/*
> > + * Copyright (C) 2024 Rivos Inc.
> > + */
> > +
> > +#include <linux/cpu.h>
> > +#include <linux/device.h>
> > +#include <linux/sprintf.h>
> > +
> > +#include <asm/bugs.h>
> > +#include <asm/vendor_extensions/thead.h>
> > +
> > +static enum mitigation_state ghostwrite_state;
> > +
> > +void ghostwrite_set_vulnerable(void)
> > +{
> > + ghostwrite_state = VULNERABLE;
> > +}
> > +
> > +/*
> > + * Vendor extension alternatives will use the value set at the time of boot
> > + * alternative patching, thus this must be called before boot alternatives are
> > + * patched (and after extension probing) to be effective.
> > + */
> > +void ghostwrite_enable_mitigation(void)
> > +{
> > + if (IS_ENABLED(CONFIG_RISCV_ISA_XTHEADVECTOR) &&
> > + ghostwrite_state == VULNERABLE && !cpu_mitigations_off()) {
> > + disable_xtheadvector();
> > + ghostwrite_state = MITIGATED;
> > + }
> > +}
> > +
> > +enum mitigation_state ghostwrite_get_state(void)
> > +{
> > + return ghostwrite_state;
> > +}
> > +
> > +ssize_t cpu_show_ghostwrite(struct device *dev, struct device_attribute *attr, char *buf)
> > +{
> > + if (IS_ENABLED(CONFIG_RISCV_ISA_XTHEADVECTOR)) {
> > + switch (ghostwrite_state) {
> > + case UNAFFECTED:
> > + return sprintf(buf, "Not affected\n");
> > + case MITIGATED:
> > + return sprintf(buf, "Mitigation: xtheadvector disabled\n");
> > + case VULNERABLE:
> > + fallthrough;
> > + default:
> > + return sprintf(buf, "Vulnerable\n");
> > + }
> > + } else {
> > + return sprintf(buf, "Not affected\n");
> > + }
> > +}
> > diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
> > index 56b5054b8f86..1f4329bb8a9d 100644
> > --- a/arch/riscv/kernel/cpufeature.c
> > +++ b/arch/riscv/kernel/cpufeature.c
> > @@ -17,6 +17,7 @@
> > #include <linux/of.h>
> > #include <asm/acpi.h>
> > #include <asm/alternative.h>
> > +#include <asm/bugs.h>
> > #include <asm/cacheflush.h>
> > #include <asm/cpufeature.h>
> > #include <asm/hwcap.h>
> > @@ -867,7 +868,13 @@ static int __init riscv_fill_hwcap_from_ext_list(unsigned long *isa2hwcap)
> > riscv_fill_vendor_ext_list(cpu);
> > }
> >
> > - if (has_xtheadvector_no_alternatives() && has_thead_homogeneous_vlenb() < 0) {
> > + /*
> > + * Execute ghostwrite mitigation immediately after detecting extensions
> > + * to disable xtheadvector if necessary.
> > + */
> > + if (ghostwrite_get_state() == VULNERABLE) {
> > + ghostwrite_enable_mitigation();
> > + } else if (has_xtheadvector_no_alternatives() && has_thead_homogeneous_vlenb() < 0) {
> > pr_warn("Unsupported heterogeneous vlenb detected, vector extension disabled.\n");
> > disable_xtheadvector();
> > }
> > diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
> > index fdaa24bb641a..a7e511849875 100644
> > --- a/drivers/base/cpu.c
> > +++ b/drivers/base/cpu.c
> > @@ -599,6 +599,7 @@ CPU_SHOW_VULN_FALLBACK(retbleed);
> > CPU_SHOW_VULN_FALLBACK(spec_rstack_overflow);
> > CPU_SHOW_VULN_FALLBACK(gds);
> > CPU_SHOW_VULN_FALLBACK(reg_file_data_sampling);
> > +CPU_SHOW_VULN_FALLBACK(ghostwrite);
> >
> > static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
> > static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
> > @@ -614,6 +615,7 @@ static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
> > static DEVICE_ATTR(spec_rstack_overflow, 0444, cpu_show_spec_rstack_overflow, NULL);
> > static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL);
> > static DEVICE_ATTR(reg_file_data_sampling, 0444, cpu_show_reg_file_data_sampling, NULL);
> > +static DEVICE_ATTR(ghostwrite, 0444, cpu_show_ghostwrite, NULL);
> >
> > static struct attribute *cpu_root_vulnerabilities_attrs[] = {
> > &dev_attr_meltdown.attr,
> > @@ -630,6 +632,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
> > &dev_attr_spec_rstack_overflow.attr,
> > &dev_attr_gather_data_sampling.attr,
> > &dev_attr_reg_file_data_sampling.attr,
> > + &dev_attr_ghostwrite.attr,
> > NULL
> > };
> >
> > diff --git a/include/linux/cpu.h b/include/linux/cpu.h
> > index bdcec1732445..6a0a8f1c7c90 100644
> > --- a/include/linux/cpu.h
> > +++ b/include/linux/cpu.h
> > @@ -77,6 +77,7 @@ extern ssize_t cpu_show_gds(struct device *dev,
> > struct device_attribute *attr, char *buf);
> > extern ssize_t cpu_show_reg_file_data_sampling(struct device *dev,
> > struct device_attribute *attr, char *buf);
> > +extern ssize_t cpu_show_ghostwrite(struct device *dev, struct device_attribute *attr, char *buf);
> >
> > extern __printf(4, 5)
> > struct device *cpu_device_create(struct device *parent, void *drvdata,
> >
> > --
> > 2.45.0
> >
next prev parent reply other threads:[~2024-09-16 18:44 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-12 5:55 [PATCH v10 00/14] riscv: Add support for xtheadvector Charlie Jenkins
2024-09-12 5:55 ` [PATCH v10 01/14] dt-bindings: riscv: Add xtheadvector ISA extension description Charlie Jenkins
2024-10-02 15:07 ` Andy Chiu
2024-09-12 5:55 ` [PATCH v10 02/14] dt-bindings: cpus: add a thead vlen register length property Charlie Jenkins
2024-10-02 16:05 ` Andy Chiu
2024-09-12 5:55 ` [PATCH v10 03/14] riscv: dts: allwinner: Add xtheadvector to the D1/D1s devicetree Charlie Jenkins
2024-11-12 2:12 ` D1 vlenb h1k0n
2024-11-12 18:03 ` Conor Dooley
2024-09-12 5:55 ` [PATCH v10 04/14] riscv: Add thead and xtheadvector as a vendor extension Charlie Jenkins
2024-09-12 5:55 ` [PATCH v10 05/14] riscv: vector: Use vlenb from DT for thead Charlie Jenkins
2024-10-02 16:34 ` Andy Chiu
2024-11-09 19:34 ` Yangyu Chen
2024-11-14 2:24 ` Charlie Jenkins
2024-09-12 5:55 ` [PATCH v10 06/14] RISC-V: define the elements of the VCSR vector CSR Charlie Jenkins
2024-10-06 16:04 ` Andy Chiu
2024-09-12 5:55 ` [PATCH v10 07/14] riscv: csr: Add CSR encodings for CSR_VXRM/CSR_VXSAT Charlie Jenkins
2024-10-06 16:11 ` Andy Chiu
2024-09-12 5:55 ` [PATCH v10 08/14] riscv: Add xtheadvector instruction definitions Charlie Jenkins
2024-09-12 5:55 ` [PATCH v10 09/14] riscv: vector: Support xtheadvector save/restore Charlie Jenkins
2024-10-08 17:34 ` Andy Chiu
2024-09-12 5:55 ` [PATCH v10 10/14] riscv: hwprobe: Add thead vendor extension probing Charlie Jenkins
2024-10-02 16:59 ` Emil Renner Berthing
2024-10-29 18:00 ` Yangyu Chen
2024-09-12 5:55 ` [PATCH v10 11/14] riscv: hwprobe: Document thead vendor extensions and xtheadvector extension Charlie Jenkins
2024-09-12 5:55 ` [PATCH v10 12/14] selftests: riscv: Fix vector tests Charlie Jenkins
2024-09-12 5:55 ` [PATCH v10 13/14] selftests: riscv: Support xtheadvector in " Charlie Jenkins
2024-09-12 5:55 ` [PATCH v10 14/14] riscv: Add ghostwrite vulnerability Charlie Jenkins
2024-09-16 17:12 ` Conor Dooley
2024-09-16 18:44 ` Charlie Jenkins [this message]
2024-09-16 18:56 ` Conor Dooley
2024-09-29 12:44 ` [PATCH v10 00/14] riscv: Add support for xtheadvector Aoba K
2024-09-30 14:53 ` Conor Dooley
2024-09-30 15:50 ` 回覆: " Aoba K
2024-09-29 16:07 ` Aoba K
2024-11-14 2:44 ` Charlie Jenkins
2025-01-21 14:19 ` nexp_0x17
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zuh8dLsA50IHXymz@ghost \
--to=charlie@rivosinc.com \
--cc=ajones@ventanamicro.com \
--cc=andy.chiu@sifive.com \
--cc=aou@eecs.berkeley.edu \
--cc=conor@kernel.org \
--cc=corbet@lwn.net \
--cc=devicetree@vger.kernel.org \
--cc=evan@rivosinc.com \
--cc=guoren@kernel.org \
--cc=jernej.skrabec@gmail.com \
--cc=jrtc27@jrtc27.com \
--cc=jszhang@kernel.org \
--cc=krzk+dt@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=robh@kernel.org \
--cc=samuel.holland@sifive.com \
--cc=samuel@sholland.org \
--cc=shuah@kernel.org \
--cc=wens@csie.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).