From: Laurent Dufour <ldufour@linux.ibm.com>
To: Michael Ellerman <mpe@ellerman.id.au>,
benh@kernel.crashing.org, paulus@samba.org,
linuxppc-dev@lists.ozlabs.org
Cc: nathanl@linux.ibm.com, cheloha@linux.ibm.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] powerpc/pseries: export LPAR security flavor in lparcfg
Date: Fri, 5 Mar 2021 12:45:14 +0100 [thread overview]
Message-ID: <c0b69e16-3b4c-7a27-f3ca-eba1eff5624a@linux.ibm.com> (raw)
In-Reply-To: <87wnulrfk4.fsf@mpe.ellerman.id.au>
Le 05/03/2021 à 12:43, Michael Ellerman a écrit :
> Laurent Dufour <ldufour@linux.ibm.com> writes:
>> Le 05/03/2021 à 07:23, Michael Ellerman a écrit :
>>> Laurent Dufour <ldufour@linux.ibm.com> writes:
>>>> This is helpful to read the security flavor from inside the LPAR.
>>>
>>> We already have /sys/kernel/debug/powerpc/security_features.
>>>
>>> Is that not sufficient?
>>
>> Not really, it only reports that security mitigation are on or off but not the
>> level set through the ASMI menu. Furthermore, reporting it through
>> /proc/powerpc/lparcfg allows an easy processing by the lparstat command (see below).
>>
>>>
>>>> Export it like this in /proc/powerpc/lparcfg:
>>>>
>>>> $ grep security_flavor /proc/powerpc/lparcfg
>>>> security_flavor=1
>>>>
>>>> Value means:
>>>> 0 Speculative execution fully enabled
>>>> 1 Speculative execution controls to mitigate user-to-kernel attacks
>>>> 2 Speculative execution controls to mitigate user-to-kernel and
>>>> user-to-user side-channel attacks
>>>
>>> Those strings come from the FSP help, but we have no guarantee it won't
>>> mean something different in future.
>>
>> I think this is nailed down, those strings came from:
>> https://www.ibm.com/support/pages/node/715841
>>
>> Where it is written (regarding AIX):
>>
>> On an LPAR, one can use lparstat -x to display the current mitigation mode:
>> 0 = Speculative execution fully enabled
>> 1 = Speculative execution controls to mitigate user-to-kernel side-channel attacks
>> 2 = Speculative execution controls to mitigate user-to-kernel and user-to-user
>> side-channel attacks
>>
>> We have been requested to provide almost the same, which I proposed in
>> powerpc-utils:
>> https://groups.google.com/g/powerpc-utils-devel/c/NaKXvdyl_UI/m/wa2stpIDAQAJ
>
> OK. Do you mind sending a v2 with all those details incorporated into
> the change log?
Ok will do so.
Thanks
prev parent reply other threads:[~2021-03-05 11:45 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-04 11:42 [PATCH] powerpc/pseries: export LPAR security flavor in lparcfg Laurent Dufour
2021-03-05 6:23 ` Michael Ellerman
2021-03-05 8:04 ` Laurent Dufour
2021-03-05 11:43 ` Michael Ellerman
2021-03-05 11:45 ` Laurent Dufour [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c0b69e16-3b4c-7a27-f3ca-eba1eff5624a@linux.ibm.com \
--to=ldufour@linux.ibm.com \
--cc=benh@kernel.crashing.org \
--cc=cheloha@linux.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=nathanl@linux.ibm.com \
--cc=paulus@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).