From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 120FA3BBE5 for ; Mon, 16 Sep 2024 18:44:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726512254; cv=none; b=tRvZBMBV5YBMkfMnDa7ftvP84Z34bIxcGCA+TYvMdXapYkdugy5yTAJzi+8xYSCrXLY49dfnc4CJ22EzNGYmysqnrKJdMQe9AqKBXupmV8gYhWiYQtM9fGTH6a4ZTwBNxETO8hynWa0TiIXwKYTufDbPjGiPurvuRc//MOf/QN4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1726512254; c=relaxed/simple; bh=H3HlwZCZEQDhvatizrRzbggWa+HA/p1z1pp/lBdDDYk=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=Wuc7JFFKyzYCrmcL4HEmdVfmfxp0eCYCchIaTDFWvz95KxTXFVryLULQOUPhtLyX1lN+3hvTnjuz4VBtD4fWymTGhRNSk375XnwL0jUwr4w+KFaDL+g0RUdDR7Ls1e101KXkI3i1RCjO8gy246agBCoQI57TgCqInrnRvN0uZRI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=rivosinc.com; spf=pass smtp.mailfrom=rivosinc.com; dkim=pass (2048-bit key) header.d=rivosinc-com.20230601.gappssmtp.com header.i=@rivosinc-com.20230601.gappssmtp.com header.b=0GnU0Vd9; arc=none smtp.client-ip=209.85.214.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=rivosinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=rivosinc.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=rivosinc-com.20230601.gappssmtp.com header.i=@rivosinc-com.20230601.gappssmtp.com header.b="0GnU0Vd9" Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-206bd1c6ccdso33609315ad.3 for ; Mon, 16 Sep 2024 11:44:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1726512250; x=1727117050; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=JWRt0WDZ9DWFdEsHGfP3sRZRYldXkufLSIbgP8dWZKY=; b=0GnU0Vd9IvsLq94GTOgkoUy/5qRtZMpyL18oo23qu3bQ79cZ6fWjGIoEoAAVuFiXNC OHOBE1ctDOV4RMzLzfZJzwrLSJG5435Ld4xGk0J8QXYNH1pR7zVjzCCTl4Baj2+x8y5X +ZrbJHqCLpJvrDf1ZVAIPqXIeuDRXcV5ntLSmaICB77uFlTHD7tmpPTwAQFjFMHbfBXq Vd6j5ppm6yG3bsOUIwRWnKEXocHD+bb569/cKNH2Y2Q+zYYUiRR7e5bFESK+77M42rww 5vTTA5gAFvqsTLFhwTm70AgAjhC4vmk/NF63pxJq00LR1dvEfw6i1p0pNFgeJluRK+PF J4Cw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726512250; x=1727117050; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=JWRt0WDZ9DWFdEsHGfP3sRZRYldXkufLSIbgP8dWZKY=; b=jYpQtxRpWcbI1nXgPSXPSsIS5HW+zBYQVDdvAhjywgAJ8Jcmr2NSA/LJ6ZK55YyUk5 /F9ORIX+Z7uV5rVWrtLrs7zObdJkMmbjVjNwEnUxw8V/zV2HTbktCri9vkPJ3np8eagq a2M4PLa48lD3bOoka9EbcpA3aVfw3e1Sc268HSldfMzdWIJZx3J0xj4yMSQC+B3YsrGf ga3E3dDzZqi3aMQac+5udKAjuPeeJXUt6jPi/0di2ijoUWmE/DxHwie7HlCmNI35emOz +wsp8D9LnGEZGraVWHk7uJE1WeqfB6oOey6h7nJZZGMJo/Eso6P9j6vkqL2hlxM3zS9w 4iFA== X-Forwarded-Encrypted: i=1; AJvYcCVUaUeU7D93uH6m6A3DWsHCE4Wk3aMcRwWWoVlWa8snB/beAYPxiRnBNDMTTTDUzggznCz6JUeHV/IZ@vger.kernel.org X-Gm-Message-State: AOJu0Yy9pFsuMpY6ViMGkgUjME8Xd+x56R6QLbzJ88DM8WypbjnvnZVn 1h9uTkZmXxMObqwLD7DwEyCnfFsfrPPvg5JZQjeQqCm8kHxY2CBm90s9ZE90brU= X-Google-Smtp-Source: AGHT+IF8dispIWAu4SBpBRXvJsNyO6F3tbYcZrnsVzU7MIvT/flk7KgGQY9i8SqZ41S7cO9LZnYSGg== X-Received: by 2002:a17:90b:1c81:b0:2d8:7307:3f74 with SMTP id 98e67ed59e1d1-2dbb9f31cf2mr13931669a91.27.1726512250018; Mon, 16 Sep 2024 11:44:10 -0700 (PDT) Received: from ghost ([216.9.110.13]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-2dbcfcf7f3fsm5689098a91.14.2024.09.16.11.44.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 16 Sep 2024 11:44:09 -0700 (PDT) Date: Mon, 16 Sep 2024 11:44:04 -0700 From: Charlie Jenkins To: Conor Dooley Cc: Rob Herring , Krzysztof Kozlowski , Paul Walmsley , Palmer Dabbelt , Albert Ou , Jisheng Zhang , Chen-Yu Tsai , Jernej Skrabec , Samuel Holland , Samuel Holland , Jonathan Corbet , Shuah Khan , Guo Ren , Evan Green , Andy Chiu , Jessica Clarke , Andrew Jones , linux-riscv@lists.infradead.org, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, linux-sunxi@lists.linux.dev, linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH v10 14/14] riscv: Add ghostwrite vulnerability Message-ID: References: <20240911-xtheadvector-v10-0-8d3930091246@rivosinc.com> <20240911-xtheadvector-v10-14-8d3930091246@rivosinc.com> <20240916-pretext-freehand-20dca1376cd4@spud> Precedence: bulk X-Mailing-List: devicetree@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240916-pretext-freehand-20dca1376cd4@spud> On Mon, Sep 16, 2024 at 06:12:04PM +0100, Conor Dooley wrote: > On Wed, Sep 11, 2024 at 10:55:22PM -0700, Charlie Jenkins wrote: > > Follow the patterns of the other architectures that use > > GENERIC_CPU_VULNERABILITIES for riscv to introduce the ghostwrite > > vulnerability and mitigation. The mitigation is to disable all vector > > which is accomplished by clearing the bit from the cpufeature field. > > > > Ghostwrite only affects thead c9xx CPUs that impelment xtheadvector, so > > the vulerability will only be mitigated on these CPUs. > > > > Signed-off-by: Charlie Jenkins > > --- > > arch/riscv/Kconfig.errata | 11 ++++++++ > > arch/riscv/errata/thead/errata.c | 28 ++++++++++++++++++ > > arch/riscv/include/asm/bugs.h | 22 +++++++++++++++ > > arch/riscv/include/asm/errata_list.h | 3 +- > > arch/riscv/kernel/Makefile | 2 ++ > > arch/riscv/kernel/bugs.c | 55 ++++++++++++++++++++++++++++++++++++ > > arch/riscv/kernel/cpufeature.c | 9 +++++- > > drivers/base/cpu.c | 3 ++ > > include/linux/cpu.h | 1 + > > 9 files changed, 132 insertions(+), 2 deletions(-) > > > > diff --git a/arch/riscv/Kconfig.errata b/arch/riscv/Kconfig.errata > > index 2acc7d876e1f..e318119d570d 100644 > > --- a/arch/riscv/Kconfig.errata > > +++ b/arch/riscv/Kconfig.errata > > @@ -119,4 +119,15 @@ config ERRATA_THEAD_PMU > > > > If you don't know what to do here, say "Y". > > > > +config ERRATA_THEAD_GHOSTWRITE > > + bool "Apply T-Head Ghostwrite errata" > > + depends on ERRATA_THEAD && RISCV_ISA_XTHEADVECTOR > > + default y > > + help > > + The T-Head C9xx cores have a vulnerability in the xtheadvector > > + instruction set. When this errata is enabled, the CPUs will be probed > > + to determine if they are vulnerable and disable xtheadvector. > > + > > + If you don't know what to do here, say "Y". > > + > > endmenu # "CPU errata selection" > > diff --git a/arch/riscv/errata/thead/errata.c b/arch/riscv/errata/thead/errata.c > > index f5120e07c318..5cc008ab41a8 100644 > > --- a/arch/riscv/errata/thead/errata.c > > +++ b/arch/riscv/errata/thead/errata.c > > @@ -10,6 +10,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include > > @@ -142,6 +143,31 @@ static bool errata_probe_pmu(unsigned int stage, > > return true; > > } > > > > +static bool errata_probe_ghostwrite(unsigned int stage, > > + unsigned long arch_id, unsigned long impid) > > +{ > > + if (!IS_ENABLED(CONFIG_ERRATA_THEAD_GHOSTWRITE)) > > + return false; > > + > > + /* > > + * target-c9xx cores report arch_id and impid as 0 > > + * > > + * While ghostwrite may not affect all c9xx cores that implement > > + * xtheadvector, there is no futher granularity than c9xx. Assume > > + * vulnerable for this entire class of processors when xtheadvector is > > + * enabled. > > + */ > > Is it not possible to use the cpu compatible string for this? Given that > we only know if xtheadvector is enabled once we are already parsing the > cpu node devicetree, it seems, to me, as if it should be possible to be > more granular. AFAIU, some T-Head c900 series devices are not venerable. Sure we can do that. I figured that since T-Head didn't feel it was valuable to change the archid/implid between cores that Linux shouldn't go out of its way to fix the granularity issue. Since you think it is worthwhile though, I can try to work around this hardware issue. - Charlie > > Cheers, > Conor. > > > + if (arch_id != 0 || impid != 0) > > + return false; > > + > > + if (stage != RISCV_ALTERNATIVES_EARLY_BOOT) > > + return false; > > + > > + ghostwrite_set_vulnerable(); > > + > > + return true; > > +} > > + > > static u32 thead_errata_probe(unsigned int stage, > > unsigned long archid, unsigned long impid) > > { > > @@ -155,6 +181,8 @@ static u32 thead_errata_probe(unsigned int stage, > > if (errata_probe_pmu(stage, archid, impid)) > > cpu_req_errata |= BIT(ERRATA_THEAD_PMU); > > > > + errata_probe_ghostwrite(stage, archid, impid); > > + > > return cpu_req_errata; > > } > > > > diff --git a/arch/riscv/include/asm/bugs.h b/arch/riscv/include/asm/bugs.h > > new file mode 100644 > > index 000000000000..e294b15bf78e > > --- /dev/null > > +++ b/arch/riscv/include/asm/bugs.h > > @@ -0,0 +1,22 @@ > > +/* SPDX-License-Identifier: GPL-2.0-only */ > > +/* > > + * Interface for managing mitigations for riscv vulnerabilities. > > + * > > + * Copyright (C) 2024 Rivos Inc. > > + */ > > + > > +#ifndef __ASM_BUGS_H > > +#define __ASM_BUGS_H > > + > > +/* Watch out, ordering is important here. */ > > +enum mitigation_state { > > + UNAFFECTED, > > + MITIGATED, > > + VULNERABLE, > > +}; > > + > > +void ghostwrite_set_vulnerable(void); > > +void ghostwrite_enable_mitigation(void); > > +enum mitigation_state ghostwrite_get_state(void); > > + > > +#endif /* __ASM_BUGS_H */ > > diff --git a/arch/riscv/include/asm/errata_list.h b/arch/riscv/include/asm/errata_list.h > > index 7c8a71a526a3..6e426ed7919a 100644 > > --- a/arch/riscv/include/asm/errata_list.h > > +++ b/arch/riscv/include/asm/errata_list.h > > @@ -25,7 +25,8 @@ > > #ifdef CONFIG_ERRATA_THEAD > > #define ERRATA_THEAD_MAE 0 > > #define ERRATA_THEAD_PMU 1 > > -#define ERRATA_THEAD_NUMBER 2 > > +#define ERRATA_THEAD_GHOSTWRITE 2 > > +#define ERRATA_THEAD_NUMBER 3 > > #endif > > > > #ifdef __ASSEMBLY__ > > diff --git a/arch/riscv/kernel/Makefile b/arch/riscv/kernel/Makefile > > index 06d407f1b30b..d7a54e34178e 100644 > > --- a/arch/riscv/kernel/Makefile > > +++ b/arch/riscv/kernel/Makefile > > @@ -113,3 +113,5 @@ obj-$(CONFIG_COMPAT) += compat_vdso/ > > obj-$(CONFIG_64BIT) += pi/ > > obj-$(CONFIG_ACPI) += acpi.o > > obj-$(CONFIG_ACPI_NUMA) += acpi_numa.o > > + > > +obj-$(CONFIG_GENERIC_CPU_VULNERABILITIES) += bugs.o > > diff --git a/arch/riscv/kernel/bugs.c b/arch/riscv/kernel/bugs.c > > new file mode 100644 > > index 000000000000..0c19691b4cd5 > > --- /dev/null > > +++ b/arch/riscv/kernel/bugs.c > > @@ -0,0 +1,55 @@ > > +// SPDX-License-Identifier: GPL-2.0 > > +/* > > + * Copyright (C) 2024 Rivos Inc. > > + */ > > + > > +#include > > +#include > > +#include > > + > > +#include > > +#include > > + > > +static enum mitigation_state ghostwrite_state; > > + > > +void ghostwrite_set_vulnerable(void) > > +{ > > + ghostwrite_state = VULNERABLE; > > +} > > + > > +/* > > + * Vendor extension alternatives will use the value set at the time of boot > > + * alternative patching, thus this must be called before boot alternatives are > > + * patched (and after extension probing) to be effective. > > + */ > > +void ghostwrite_enable_mitigation(void) > > +{ > > + if (IS_ENABLED(CONFIG_RISCV_ISA_XTHEADVECTOR) && > > + ghostwrite_state == VULNERABLE && !cpu_mitigations_off()) { > > + disable_xtheadvector(); > > + ghostwrite_state = MITIGATED; > > + } > > +} > > + > > +enum mitigation_state ghostwrite_get_state(void) > > +{ > > + return ghostwrite_state; > > +} > > + > > +ssize_t cpu_show_ghostwrite(struct device *dev, struct device_attribute *attr, char *buf) > > +{ > > + if (IS_ENABLED(CONFIG_RISCV_ISA_XTHEADVECTOR)) { > > + switch (ghostwrite_state) { > > + case UNAFFECTED: > > + return sprintf(buf, "Not affected\n"); > > + case MITIGATED: > > + return sprintf(buf, "Mitigation: xtheadvector disabled\n"); > > + case VULNERABLE: > > + fallthrough; > > + default: > > + return sprintf(buf, "Vulnerable\n"); > > + } > > + } else { > > + return sprintf(buf, "Not affected\n"); > > + } > > +} > > diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c > > index 56b5054b8f86..1f4329bb8a9d 100644 > > --- a/arch/riscv/kernel/cpufeature.c > > +++ b/arch/riscv/kernel/cpufeature.c > > @@ -17,6 +17,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include > > @@ -867,7 +868,13 @@ static int __init riscv_fill_hwcap_from_ext_list(unsigned long *isa2hwcap) > > riscv_fill_vendor_ext_list(cpu); > > } > > > > - if (has_xtheadvector_no_alternatives() && has_thead_homogeneous_vlenb() < 0) { > > + /* > > + * Execute ghostwrite mitigation immediately after detecting extensions > > + * to disable xtheadvector if necessary. > > + */ > > + if (ghostwrite_get_state() == VULNERABLE) { > > + ghostwrite_enable_mitigation(); > > + } else if (has_xtheadvector_no_alternatives() && has_thead_homogeneous_vlenb() < 0) { > > pr_warn("Unsupported heterogeneous vlenb detected, vector extension disabled.\n"); > > disable_xtheadvector(); > > } > > diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c > > index fdaa24bb641a..a7e511849875 100644 > > --- a/drivers/base/cpu.c > > +++ b/drivers/base/cpu.c > > @@ -599,6 +599,7 @@ CPU_SHOW_VULN_FALLBACK(retbleed); > > CPU_SHOW_VULN_FALLBACK(spec_rstack_overflow); > > CPU_SHOW_VULN_FALLBACK(gds); > > CPU_SHOW_VULN_FALLBACK(reg_file_data_sampling); > > +CPU_SHOW_VULN_FALLBACK(ghostwrite); > > > > static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); > > static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); > > @@ -614,6 +615,7 @@ static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL); > > static DEVICE_ATTR(spec_rstack_overflow, 0444, cpu_show_spec_rstack_overflow, NULL); > > static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL); > > static DEVICE_ATTR(reg_file_data_sampling, 0444, cpu_show_reg_file_data_sampling, NULL); > > +static DEVICE_ATTR(ghostwrite, 0444, cpu_show_ghostwrite, NULL); > > > > static struct attribute *cpu_root_vulnerabilities_attrs[] = { > > &dev_attr_meltdown.attr, > > @@ -630,6 +632,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = { > > &dev_attr_spec_rstack_overflow.attr, > > &dev_attr_gather_data_sampling.attr, > > &dev_attr_reg_file_data_sampling.attr, > > + &dev_attr_ghostwrite.attr, > > NULL > > }; > > > > diff --git a/include/linux/cpu.h b/include/linux/cpu.h > > index bdcec1732445..6a0a8f1c7c90 100644 > > --- a/include/linux/cpu.h > > +++ b/include/linux/cpu.h > > @@ -77,6 +77,7 @@ extern ssize_t cpu_show_gds(struct device *dev, > > struct device_attribute *attr, char *buf); > > extern ssize_t cpu_show_reg_file_data_sampling(struct device *dev, > > struct device_attribute *attr, char *buf); > > +extern ssize_t cpu_show_ghostwrite(struct device *dev, struct device_attribute *attr, char *buf); > > > > extern __printf(4, 5) > > struct device *cpu_device_create(struct device *parent, void *drvdata, > > > > -- > > 2.45.0 > >