[PATCH 0/3] x86/cpu: Fix SPECULATIVE_MITIGATION=n kernels

[PATCH 0/3] x86/cpu: Fix SPECULATIVE_MITIGATION=n kernels

[Sean Christopherson]

Fix the handling of SPECULATION_MITIGATIONS=n so that it actually does
what it says it does: disable any and all mitigations.

And because I don't see a way to provide sane behavior for overriding
SPECULATION_MITIGATIONS=n at runtime, explicitly disallow doing so via
the "mitigations" kernel parameter, e.g. so that the user at least knows
that their system is still likely vulnerable to a variety of issues.

Sean Christopherson (3):
  x86/cpu: Actually turn off mitigations by default for
    SPECULATION_MITIGATIONS=n
  x86/cpu: Disable BHI mitigation by default when
    SPECULATION_MITIGATIONS=n
  x86/cpu: Ignore "mitigations" kernel parameter if
    SPECULATION_MITIGATIONS=n

 Documentation/admin-guide/kernel-parameters.txt |  3 +++
 arch/x86/Kconfig                                | 10 +++++++---
 arch/x86/kernel/cpu/bugs.c                      |  6 +++---
 kernel/cpu.c                                    |  5 ++++-
 4 files changed, 17 insertions(+), 7 deletions(-)


base-commit: 2c71fdf02a95b3dd425b42f28fd47fb2b1d22702
-- 
2.44.0.478.gd926399ef9-goog

[PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Sean Christopherson]

Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built
with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly
states that disabling SPECULATION_MITIGATIONS is supposed to turn off all
mitigations by default.

  │ If you say N, all mitigations will be disabled. You really
  │ should know what you are doing to say so.

As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in
some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n.

Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 kernel/cpu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/cpu.c b/kernel/cpu.c
index 8f6affd051f7..07ad53b7f119 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -3207,7 +3207,8 @@ enum cpu_mitigations {
 };
 
 static enum cpu_mitigations cpu_mitigations __ro_after_init =
-	CPU_MITIGATIONS_AUTO;
+	IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
+						     CPU_MITIGATIONS_OFF;
 
 static int __init mitigations_parse_cmdline(char *arg)
 {
-- 
2.44.0.478.gd926399ef9-goog

[PATCH 2/3] x86/cpu: Disable BHI mitigation by default when SPECULATION_MITIGATIONS=n

[Sean Christopherson]

Rework the initialization of bhi_mitigation to use positive CONFIG tests
for the ON/AUTO cases so that lack of *any* CONFIG_SPECTRE_BHI_* #define,
i.e. when the kernel is built with CONFIG_SPECULATION_MITIGATIONS=n,
results in the mitigation being OFF by default, not AUTO.

Per the help text for SPECULATION_MITIGATIONS, the intent is that 'N'
disables all mitigations.

Fixes: ec9404e40e8f ("x86/bhi: Add BHI mitigation knob")
Cc: stable@vger.kernel.org
Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Cc: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kernel/cpu/bugs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 295463707e68..e1775debeafe 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1630,9 +1630,9 @@ enum bhi_mitigations {
 };
 
 static enum bhi_mitigations bhi_mitigation __ro_after_init =
-	IS_ENABLED(CONFIG_SPECTRE_BHI_ON)  ? BHI_MITIGATION_ON  :
-	IS_ENABLED(CONFIG_SPECTRE_BHI_OFF) ? BHI_MITIGATION_OFF :
-					     BHI_MITIGATION_AUTO;
+	IS_ENABLED(CONFIG_SPECTRE_BHI_ON)   ? BHI_MITIGATION_ON  :
+	IS_ENABLED(CONFIG_SPECTRE_BHI_AUTO) ? BHI_MITIGATION_AUTO :
+					      BHI_MITIGATION_OFF;
 
 static int __init spectre_bhi_parse_cmdline(char *str)
 {
-- 
2.44.0.478.gd926399ef9-goog

[PATCH 3/3] x86/cpu: Ignore "mitigations" kernel parameter if SPECULATION_MITIGATIONS=n

[Sean Christopherson]

Explicitly disallow enabling mitigations at runtime for kernels that were
built with CONFIG_SPECULATION_MITIGATIONS=n.  Because more Kconfigs are
buried behind SPECULATION_MITIGATIONS, trying to provide sane behavior for
retroactively enabling mitigations is extremely difficult, bordering on
impossible.  E.g. page table isolation and call depth tracking requrie
build-time support, BHI mitigations will still be off without additional
kernel parameters, etc.

Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 Documentation/admin-guide/kernel-parameters.txt |  3 +++
 arch/x86/Kconfig                                | 10 +++++++---
 kernel/cpu.c                                    |  2 ++
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 70046a019d42..7d623df11a1a 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3423,6 +3423,9 @@
 			arch-independent options, each of which is an
 			aggregation of existing arch-specific options.
 
+			Note, "mitigations" is supported on x86 if and only if
+			the kernel was built with SPECULATION_MITIGATIONS=y.
+
 			off
 				Disable all optional CPU mitigations.  This
 				improves system performance, but it may also
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 10a6251f58f3..f4e4dd360636 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2493,10 +2493,14 @@ menuconfig SPECULATION_MITIGATIONS
 	default y
 	help
 	  Say Y here to enable options which enable mitigations for
-	  speculative execution hardware vulnerabilities.
+	  speculative execution hardware vulnerabilities.  Mitigations can
+	  be disabled or restricted to SMT systems at runtime via the
+	  "mitigations" kernel parameter.
 
-	  If you say N, all mitigations will be disabled. You really
-	  should know what you are doing to say so.
+	  If you say N, all mitigations will be disabled.  This CANNOT be
+	  overridden at runtime.
+
+	  Say 'Y', unless you really know what you are doing.
 
 if SPECULATION_MITIGATIONS
 
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 07ad53b7f119..d445763d8047 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -3214,6 +3214,8 @@ static int __init mitigations_parse_cmdline(char *arg)
 {
 	if (!strcmp(arg, "off"))
 		cpu_mitigations = CPU_MITIGATIONS_OFF;
+	else if (!IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS))
+		pr_crit("Kernel compiled without mitigations, system may still be vulnerable\n");
 	else if (!strcmp(arg, "auto"))
 		cpu_mitigations = CPU_MITIGATIONS_AUTO;
 	else if (!strcmp(arg, "auto,nosmt"))
-- 
2.44.0.478.gd926399ef9-goog

Re: [PATCH 0/3] x86/cpu: Fix SPECULATIVE_MITIGATION=n kernels

[Daniel Sneddon]

On 4/9/24 10:51, Sean Christopherson wrote:
> Fix the handling of SPECULATION_MITIGATIONS=n so that it actually does
> what it says it does: disable any and all mitigations.
> 
> And because I don't see a way to provide sane behavior for overriding
> SPECULATION_MITIGATIONS=n at runtime, explicitly disallow doing so via
> the "mitigations" kernel parameter, e.g. so that the user at least knows
> that their system is still likely vulnerable to a variety of issues.
> 
> Sean Christopherson (3):
>   x86/cpu: Actually turn off mitigations by default for
>     SPECULATION_MITIGATIONS=n
>   x86/cpu: Disable BHI mitigation by default when
>     SPECULATION_MITIGATIONS=n
>   x86/cpu: Ignore "mitigations" kernel parameter if
>     SPECULATION_MITIGATIONS=n
> 
>  Documentation/admin-guide/kernel-parameters.txt |  3 +++
>  arch/x86/Kconfig                                | 10 +++++++---
>  arch/x86/kernel/cpu/bugs.c                      |  6 +++---
>  kernel/cpu.c                                    |  5 ++++-
>  4 files changed, 17 insertions(+), 7 deletions(-)
> 
> 
> base-commit: 2c71fdf02a95b3dd425b42f28fd47fb2b1d22702

Reviewed-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>

Re: [PATCH 3/3] x86/cpu: Ignore "mitigations" kernel parameter if SPECULATION_MITIGATIONS=n

[Ingo Molnar]

* Sean Christopherson <seanjc@google.com> wrote:

> Explicitly disallow enabling mitigations at runtime for kernels that were
> built with CONFIG_SPECULATION_MITIGATIONS=n.  Because more Kconfigs are
> buried behind SPECULATION_MITIGATIONS, trying to provide sane behavior for
> retroactively enabling mitigations is extremely difficult, bordering on
> impossible.  E.g. page table isolation and call depth tracking requrie
> build-time support, BHI mitigations will still be off without additional
> kernel parameters, etc.
> 
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
>  Documentation/admin-guide/kernel-parameters.txt |  3 +++
>  arch/x86/Kconfig                                | 10 +++++++---
>  kernel/cpu.c                                    |  2 ++
>  3 files changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 70046a019d42..7d623df11a1a 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -3423,6 +3423,9 @@
>  			arch-independent options, each of which is an
>  			aggregation of existing arch-specific options.
>  
> +			Note, "mitigations" is supported on x86 if and only if
> +			the kernel was built with SPECULATION_MITIGATIONS=y.
> +
>  			off
>  				Disable all optional CPU mitigations.  This
>  				improves system performance, but it may also
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 10a6251f58f3..f4e4dd360636 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2493,10 +2493,14 @@ menuconfig SPECULATION_MITIGATIONS
>  	default y
>  	help
>  	  Say Y here to enable options which enable mitigations for
> -	  speculative execution hardware vulnerabilities.
> +	  speculative execution hardware vulnerabilities.  Mitigations can
> +	  be disabled or restricted to SMT systems at runtime via the
> +	  "mitigations" kernel parameter.
>  
> -	  If you say N, all mitigations will be disabled. You really
> -	  should know what you are doing to say so.
> +	  If you say N, all mitigations will be disabled.  This CANNOT be
> +	  overridden at runtime.
> +
> +	  Say 'Y', unless you really know what you are doing.
>  
>  if SPECULATION_MITIGATIONS
>  
> diff --git a/kernel/cpu.c b/kernel/cpu.c
> index 07ad53b7f119..d445763d8047 100644
> --- a/kernel/cpu.c
> +++ b/kernel/cpu.c
> @@ -3214,6 +3214,8 @@ static int __init mitigations_parse_cmdline(char *arg)
>  {
>  	if (!strcmp(arg, "off"))
>  		cpu_mitigations = CPU_MITIGATIONS_OFF;
> +	else if (!IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS))
> +		pr_crit("Kernel compiled without mitigations, system may still be vulnerable\n");

This doesn't really make it clear that the kernel is actively ignoring the 
mitigations= command line. I think something like this would be more clear:

> +		pr_crit("Kernel compiled without mitigations, ignoring mitigations= boot option. System may still be vulnerable\n");

Thanks,

	Ingo

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 1731 bytes --]

Hi Sean,

I noticed this commit in linux-next.

On Tue,  9 Apr 2024 10:51:05 -0700 Sean Christopherson <seanjc@google.com> wrote:
>
> Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built
> with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly
> states that disabling SPECULATION_MITIGATIONS is supposed to turn off all
> mitigations by default.
> 
>   │ If you say N, all mitigations will be disabled. You really
>   │ should know what you are doing to say so.
> 
> As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in
> some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n.
> 
> Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
>  kernel/cpu.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/cpu.c b/kernel/cpu.c
> index 8f6affd051f7..07ad53b7f119 100644
> --- a/kernel/cpu.c
> +++ b/kernel/cpu.c
> @@ -3207,7 +3207,8 @@ enum cpu_mitigations {
>  };
>  
>  static enum cpu_mitigations cpu_mitigations __ro_after_init =
> -	CPU_MITIGATIONS_AUTO;
> +	IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
> +						     CPU_MITIGATIONS_OFF;
>  
>  static int __init mitigations_parse_cmdline(char *arg)
>  {
> -- 
> 2.44.0.478.gd926399ef9-goog
> 

I noticed because it turned off all mitigations for my PowerPC qemu
boot tests - probably because CONFIG_SPECULATION_MITIGATIONS only
exists in arch/x86/Kconfig ... thus for other architectures that have
cpu mitigations, this will always default them to off, right?

-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Michael Ellerman]

Stephen Rothwell <sfr@canb.auug.org.au> writes:
> Hi Sean,
>
> I noticed this commit in linux-next.
>
> On Tue,  9 Apr 2024 10:51:05 -0700 Sean Christopherson <seanjc@google.com> wrote:
>>
>> Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built
>> with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly
>> states that disabling SPECULATION_MITIGATIONS is supposed to turn off all
>> mitigations by default.
>> 
>>   │ If you say N, all mitigations will be disabled. You really
>>   │ should know what you are doing to say so.
>> 
>> As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in
>> some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n.
>> 
>> Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Sean Christopherson <seanjc@google.com>
>> ---
>>  kernel/cpu.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>> 
>> diff --git a/kernel/cpu.c b/kernel/cpu.c
>> index 8f6affd051f7..07ad53b7f119 100644
>> --- a/kernel/cpu.c
>> +++ b/kernel/cpu.c
>> @@ -3207,7 +3207,8 @@ enum cpu_mitigations {
>>  };
>>  
>>  static enum cpu_mitigations cpu_mitigations __ro_after_init =
>> -	CPU_MITIGATIONS_AUTO;
>> +	IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
>> +						     CPU_MITIGATIONS_OFF;
>>  
>>  static int __init mitigations_parse_cmdline(char *arg)
>>  {
>> -- 
>> 2.44.0.478.gd926399ef9-goog
>> 
>
> I noticed because it turned off all mitigations for my PowerPC qemu
> boot tests - probably because CONFIG_SPECULATION_MITIGATIONS only
> exists in arch/x86/Kconfig ... thus for other architectures that have
> cpu mitigations, this will always default them to off, right?

Yep.

The patch has the effect of changing the default for non-x86 arches from
auto to off.

I see at least powerpc, arm64 and s390 use cpu_mitigations_off() and
will be affected.

cheers

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Michael Ellerman]

Michael Ellerman <mpe@ellerman.id.au> writes:
> Stephen Rothwell <sfr@canb.auug.org.au> writes:
...
>> On Tue,  9 Apr 2024 10:51:05 -0700 Sean Christopherson <seanjc@google.com> wrote:
...
>>> diff --git a/kernel/cpu.c b/kernel/cpu.c
>>> index 8f6affd051f7..07ad53b7f119 100644
>>> --- a/kernel/cpu.c
>>> +++ b/kernel/cpu.c
>>> @@ -3207,7 +3207,8 @@ enum cpu_mitigations {
>>>  };
>>>  
>>>  static enum cpu_mitigations cpu_mitigations __ro_after_init =
>>> -	CPU_MITIGATIONS_AUTO;
>>> +	IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
>>> +						     CPU_MITIGATIONS_OFF;
>>>  
>>>  static int __init mitigations_parse_cmdline(char *arg)
>>>  {

I think a minimal workaround/fix would be:

diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
index 2b8fd6bb7da0..290be2f9e909 100644
--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
@@ -191,6 +191,10 @@ config GENERIC_CPU_AUTOPROBE
 config GENERIC_CPU_VULNERABILITIES
        bool

+config SPECULATION_MITIGATIONS
+       def_bool y
+       depends on !X86
+
 config SOC_BUS
        bool
        select GLOB

cheers

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Stephen Rothwell]

[-- Attachment #1: Type: text/plain, Size: 1380 bytes --]

Hi all,

On Sat, 13 Apr 2024 19:38:47 +1000 Michael Ellerman <mpe@ellerman.id.au> wrote:
>
> Michael Ellerman <mpe@ellerman.id.au> writes:
> > Stephen Rothwell <sfr@canb.auug.org.au> writes:  
> ...
> >> On Tue,  9 Apr 2024 10:51:05 -0700 Sean Christopherson <seanjc@google.com> wrote:  
> ...
> >>> diff --git a/kernel/cpu.c b/kernel/cpu.c
> >>> index 8f6affd051f7..07ad53b7f119 100644
> >>> --- a/kernel/cpu.c
> >>> +++ b/kernel/cpu.c
> >>> @@ -3207,7 +3207,8 @@ enum cpu_mitigations {
> >>>  };
> >>>  
> >>>  static enum cpu_mitigations cpu_mitigations __ro_after_init =
> >>> -	CPU_MITIGATIONS_AUTO;
> >>> +	IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
> >>> +						     CPU_MITIGATIONS_OFF;
> >>>  
> >>>  static int __init mitigations_parse_cmdline(char *arg)
> >>>  {  
> 
> I think a minimal workaround/fix would be:
> 
> diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
> index 2b8fd6bb7da0..290be2f9e909 100644
> --- a/drivers/base/Kconfig
> +++ b/drivers/base/Kconfig
> @@ -191,6 +191,10 @@ config GENERIC_CPU_AUTOPROBE
>  config GENERIC_CPU_VULNERABILITIES
>         bool
> 
> +config SPECULATION_MITIGATIONS
> +       def_bool y
> +       depends on !X86
> +
>  config SOC_BUS
>         bool
>         select GLOB

The original commit is now in Linus' tree.

-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Geert Uytterhoeven]

Hi Sean,

On Tue, Apr 9, 2024 at 7:51 PM Sean Christopherson <seanjc@google.com> wrote:
> Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built
> with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly
> states that disabling SPECULATION_MITIGATIONS is supposed to turn off all
> mitigations by default.
>
>   │ If you say N, all mitigations will be disabled. You really
>   │ should know what you are doing to say so.
>
> As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in
> some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n.
>
> Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>

Thanks for your patch, which is now commit f337a6a21e2fd67e
("x86/cpu: Actually turn off mitigations by default
for SPECULATION_MITIGATIONS=n") in v6.9-rc4.

This causes the following suspicious messages on R-Car H3:

        CPU features: kernel page table isolation forced OFF by mitigations=off
        spectre-v4 mitigation disabled by command-line option
        spectre-v2 mitigation disabled by command line option
        spectre-v2 mitigation disabled by command line option

and R-Car V4H:

        CPU features: kernel page table isolation forced OFF by mitigations=off
        spectre-v4 mitigation disabled by command-line option
        spectre-bhb mitigation disabled by command line option
        spectre-bhb mitigation disabled by command line option

Interestingly, no mitigations are disabled on the command-line.

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Geert Uytterhoeven]

Hi Michael,

On Sat, Apr 13, 2024 at 11:38 AM Michael Ellerman <mpe@ellerman.id.au> wrote:
> Michael Ellerman <mpe@ellerman.id.au> writes:
> > Stephen Rothwell <sfr@canb.auug.org.au> writes:
> ...
> >> On Tue,  9 Apr 2024 10:51:05 -0700 Sean Christopherson <seanjc@google.com> wrote:
> ...
> >>> diff --git a/kernel/cpu.c b/kernel/cpu.c
> >>> index 8f6affd051f7..07ad53b7f119 100644
> >>> --- a/kernel/cpu.c
> >>> +++ b/kernel/cpu.c
> >>> @@ -3207,7 +3207,8 @@ enum cpu_mitigations {
> >>>  };
> >>>
> >>>  static enum cpu_mitigations cpu_mitigations __ro_after_init =
> >>> -   CPU_MITIGATIONS_AUTO;
> >>> +   IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
> >>> +                                                CPU_MITIGATIONS_OFF;
> >>>
> >>>  static int __init mitigations_parse_cmdline(char *arg)
> >>>  {
>
> I think a minimal workaround/fix would be:
>
> diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
> index 2b8fd6bb7da0..290be2f9e909 100644
> --- a/drivers/base/Kconfig
> +++ b/drivers/base/Kconfig
> @@ -191,6 +191,10 @@ config GENERIC_CPU_AUTOPROBE
>  config GENERIC_CPU_VULNERABILITIES
>         bool
>
> +config SPECULATION_MITIGATIONS
> +       def_bool y
> +       depends on !X86
> +
>  config SOC_BUS
>         bool
>         select GLOB

Thanks, that works for me (on arm64), so
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Sean Christopherson]

On Mon, Apr 15, 2024, Geert Uytterhoeven wrote:
> Hi Michael,
> 
> On Sat, Apr 13, 2024 at 11:38 AM Michael Ellerman <mpe@ellerman.id.au> wrote:
> > Michael Ellerman <mpe@ellerman.id.au> writes:
> > > Stephen Rothwell <sfr@canb.auug.org.au> writes:
> > ...
> > >> On Tue,  9 Apr 2024 10:51:05 -0700 Sean Christopherson <seanjc@google.com> wrote:
> > ...
> > >>> diff --git a/kernel/cpu.c b/kernel/cpu.c
> > >>> index 8f6affd051f7..07ad53b7f119 100644
> > >>> --- a/kernel/cpu.c
> > >>> +++ b/kernel/cpu.c
> > >>> @@ -3207,7 +3207,8 @@ enum cpu_mitigations {
> > >>>  };
> > >>>
> > >>>  static enum cpu_mitigations cpu_mitigations __ro_after_init =
> > >>> -   CPU_MITIGATIONS_AUTO;
> > >>> +   IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
> > >>> +                                                CPU_MITIGATIONS_OFF;
> > >>>
> > >>>  static int __init mitigations_parse_cmdline(char *arg)
> > >>>  {
> >
> > I think a minimal workaround/fix would be:
> >
> > diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
> > index 2b8fd6bb7da0..290be2f9e909 100644
> > --- a/drivers/base/Kconfig
> > +++ b/drivers/base/Kconfig
> > @@ -191,6 +191,10 @@ config GENERIC_CPU_AUTOPROBE
> >  config GENERIC_CPU_VULNERABILITIES
> >         bool
> >
> > +config SPECULATION_MITIGATIONS
> > +       def_bool y
> > +       depends on !X86
> > +
> >  config SOC_BUS
> >         bool
> >         select GLOB
> 
> Thanks, that works for me (on arm64), so
> Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>

Oof.  I completely missed that "cpu_mitigations" wasn't x86-only.  I can't think
of better solution than an on-by-default generic Kconfig, though can't that it
more simply be:

diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
index 2b8fd6bb7da0..5930cb56ee29 100644
--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
@@ -191,6 +191,9 @@ config GENERIC_CPU_AUTOPROBE
 config GENERIC_CPU_VULNERABILITIES
        bool
 
+config SPECULATION_MITIGATIONS
+       def_bool !X86
+
 config SOC_BUS
        bool
        select GLOB

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Michael Ellerman]

Sean Christopherson <seanjc@google.com> writes:
> On Mon, Apr 15, 2024, Geert Uytterhoeven wrote:
>> On Sat, Apr 13, 2024 at 11:38 AM Michael Ellerman <mpe@ellerman.id.au> wrote:
>> > Michael Ellerman <mpe@ellerman.id.au> writes:
>> > > Stephen Rothwell <sfr@canb.auug.org.au> writes:
>> > ...
>> > >> On Tue,  9 Apr 2024 10:51:05 -0700 Sean Christopherson <seanjc@google.com> wrote:
>> > ...
>> > >>> diff --git a/kernel/cpu.c b/kernel/cpu.c
>> > >>> index 8f6affd051f7..07ad53b7f119 100644
>> > >>> --- a/kernel/cpu.c
>> > >>> +++ b/kernel/cpu.c
>> > >>> @@ -3207,7 +3207,8 @@ enum cpu_mitigations {
>> > >>>  };
>> > >>>
>> > >>>  static enum cpu_mitigations cpu_mitigations __ro_after_init =
>> > >>> -   CPU_MITIGATIONS_AUTO;
>> > >>> +   IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
>> > >>> +                                                CPU_MITIGATIONS_OFF;
>> > >>>
>> > >>>  static int __init mitigations_parse_cmdline(char *arg)
>> > >>>  {
>> >
>> > I think a minimal workaround/fix would be:
>> >
>> > diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
>> > index 2b8fd6bb7da0..290be2f9e909 100644
>> > --- a/drivers/base/Kconfig
>> > +++ b/drivers/base/Kconfig
>> > @@ -191,6 +191,10 @@ config GENERIC_CPU_AUTOPROBE
>> >  config GENERIC_CPU_VULNERABILITIES
>> >         bool
>> >
>> > +config SPECULATION_MITIGATIONS
>> > +       def_bool y
>> > +       depends on !X86
>> > +
>> >  config SOC_BUS
>> >         bool
>> >         select GLOB
>> 
>> Thanks, that works for me (on arm64), so
>> Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
>
> Oof.  I completely missed that "cpu_mitigations" wasn't x86-only.  I can't think
> of better solution than an on-by-default generic Kconfig, though can't that it
> more simply be:
>
> diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
> index 2b8fd6bb7da0..5930cb56ee29 100644
> --- a/drivers/base/Kconfig
> +++ b/drivers/base/Kconfig
> @@ -191,6 +191,9 @@ config GENERIC_CPU_AUTOPROBE
>  config GENERIC_CPU_VULNERABILITIES
>         bool
>  
> +config SPECULATION_MITIGATIONS
> +       def_bool !X86
> +

Yeah that works too.

cheers

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Will Deacon]

On Mon, Apr 15, 2024 at 07:31:23AM -0700, Sean Christopherson wrote:
> On Mon, Apr 15, 2024, Geert Uytterhoeven wrote:
> > On Sat, Apr 13, 2024 at 11:38 AM Michael Ellerman <mpe@ellerman.id.au> wrote:
> > > Michael Ellerman <mpe@ellerman.id.au> writes:
> > > > Stephen Rothwell <sfr@canb.auug.org.au> writes:
> > > ...
> > > >> On Tue,  9 Apr 2024 10:51:05 -0700 Sean Christopherson <seanjc@google.com> wrote:
> > > ...
> > > >>> diff --git a/kernel/cpu.c b/kernel/cpu.c
> > > >>> index 8f6affd051f7..07ad53b7f119 100644
> > > >>> --- a/kernel/cpu.c
> > > >>> +++ b/kernel/cpu.c
> > > >>> @@ -3207,7 +3207,8 @@ enum cpu_mitigations {
> > > >>>  };
> > > >>>
> > > >>>  static enum cpu_mitigations cpu_mitigations __ro_after_init =
> > > >>> -   CPU_MITIGATIONS_AUTO;
> > > >>> +   IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
> > > >>> +                                                CPU_MITIGATIONS_OFF;
> > > >>>
> > > >>>  static int __init mitigations_parse_cmdline(char *arg)
> > > >>>  {
> > >
> > > I think a minimal workaround/fix would be:
> > >
> > > diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
> > > index 2b8fd6bb7da0..290be2f9e909 100644
> > > --- a/drivers/base/Kconfig
> > > +++ b/drivers/base/Kconfig
> > > @@ -191,6 +191,10 @@ config GENERIC_CPU_AUTOPROBE
> > >  config GENERIC_CPU_VULNERABILITIES
> > >         bool
> > >
> > > +config SPECULATION_MITIGATIONS
> > > +       def_bool y
> > > +       depends on !X86
> > > +
> > >  config SOC_BUS
> > >         bool
> > >         select GLOB
> > 
> > Thanks, that works for me (on arm64), so
> > Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
> 
> Oof.  I completely missed that "cpu_mitigations" wasn't x86-only.  I can't think
> of better solution than an on-by-default generic Kconfig, though can't that it
> more simply be:
> 
> diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
> index 2b8fd6bb7da0..5930cb56ee29 100644
> --- a/drivers/base/Kconfig
> +++ b/drivers/base/Kconfig
> @@ -191,6 +191,9 @@ config GENERIC_CPU_AUTOPROBE
>  config GENERIC_CPU_VULNERABILITIES
>         bool
>  
> +config SPECULATION_MITIGATIONS
> +       def_bool !X86
> +
>  config SOC_BUS
>         bool
>         select GLOB

I can't see this in -next yet. Do you plan to post it as a proper patch
to collect acks etc?

Cheers,

Will

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Sean Christopherson]

On Fri, Apr 19, 2024, Will Deacon wrote:
> On Mon, Apr 15, 2024 at 07:31:23AM -0700, Sean Christopherson wrote:
> > On Mon, Apr 15, 2024, Geert Uytterhoeven wrote:
> > Oof.  I completely missed that "cpu_mitigations" wasn't x86-only.  I can't think
> > of better solution than an on-by-default generic Kconfig, though can't that it
> > more simply be:
> > 
> > diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
> > index 2b8fd6bb7da0..5930cb56ee29 100644
> > --- a/drivers/base/Kconfig
> > +++ b/drivers/base/Kconfig
> > @@ -191,6 +191,9 @@ config GENERIC_CPU_AUTOPROBE
> >  config GENERIC_CPU_VULNERABILITIES
> >         bool
> >  
> > +config SPECULATION_MITIGATIONS
> > +       def_bool !X86
> > +
> >  config SOC_BUS
> >         bool
> >         select GLOB
> 
> I can't see this in -next yet. Do you plan to post it as a proper patch
> to collect acks etc?

Sorry, I neglected to Cc everyone.

https://lore.kernel.org/all/20240417001507.2264512-2-seanjc@google.com

Re: [PATCH 1/3] x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n

[Will Deacon]

On Fri, Apr 19, 2024 at 07:06:00AM -0700, Sean Christopherson wrote:
> On Fri, Apr 19, 2024, Will Deacon wrote:
> > On Mon, Apr 15, 2024 at 07:31:23AM -0700, Sean Christopherson wrote:
> > > On Mon, Apr 15, 2024, Geert Uytterhoeven wrote:
> > > Oof.  I completely missed that "cpu_mitigations" wasn't x86-only.  I can't think
> > > of better solution than an on-by-default generic Kconfig, though can't that it
> > > more simply be:
> > > 
> > > diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
> > > index 2b8fd6bb7da0..5930cb56ee29 100644
> > > --- a/drivers/base/Kconfig
> > > +++ b/drivers/base/Kconfig
> > > @@ -191,6 +191,9 @@ config GENERIC_CPU_AUTOPROBE
> > >  config GENERIC_CPU_VULNERABILITIES
> > >         bool
> > >  
> > > +config SPECULATION_MITIGATIONS
> > > +       def_bool !X86
> > > +
> > >  config SOC_BUS
> > >         bool
> > >         select GLOB
> > 
> > I can't see this in -next yet. Do you plan to post it as a proper patch
> > to collect acks etc?
> 
> Sorry, I neglected to Cc everyone.
> 
> https://lore.kernel.org/all/20240417001507.2264512-2-seanjc@google.com

Ah, thanks. I'll go Ack that...

Will