ACK/cmt: [Bionic] [PATCH] powerpc/pseries: Fix clearing of security feature flags

Breno Leitao leitao at debian.org
Thu Apr 19 15:23:21 UTC 2018


Hi Seth,

On Thu, Apr 19, 2018 at 08:32:07AM -0500, Seth Forshee wrote:
> On Thu, Apr 19, 2018 at 10:16:03AM -0300, Breno Leitao wrote:
> > From: Mauricio Faria de Oliveira <mauricfo at linux.vnet.ibm.com>
> > 
> > The H_CPU_BEHAV_* flags should be checked for in the 'behaviour' field
> > of 'struct h_cpu_char_result' -- 'character' is for H_CPU_CHAR_*
> > flags.
> > 
> > Found by playing around with QEMU's implementation of the hypercall:
> > 
> >   H_CPU_CHAR=0xf000000000000000
> >   H_CPU_BEHAV=0x0000000000000000
> > 
> >   This clears H_CPU_BEHAV_FAVOUR_SECURITY and H_CPU_BEHAV_L1D_FLUSH_PR
> >   so pseries_setup_rfi_flush() disables 'rfi_flush'; and it also
> >   clears H_CPU_CHAR_L1D_THREAD_PRIV flag. So there is no RFI flush
> >   mitigation at all for cpu_show_meltdown() to report; but currently
> >   it does:
> > 
> >   Original kernel:
> > 
> >     # cat /sys/devices/system/cpu/vulnerabilities/meltdown
> >     Mitigation: RFI Flush
> > 
> >   Patched kernel:
> > 
> >     # cat /sys/devices/system/cpu/vulnerabilities/meltdown
> >     Not affected
> > 
> >   H_CPU_CHAR=0x0000000000000000
> >   H_CPU_BEHAV=0xf000000000000000
> > 
> >   This sets H_CPU_BEHAV_BNDS_CHK_SPEC_BAR so cpu_show_spectre_v1() should
> >   report vulnerable; but currently it doesn't:
> > 
> >   Original kernel:
> > 
> >     # cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> >     Not affected
> > 
> >   Patched kernel:
> > 
> >     # cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> >     Vulnerable
> > 
> > Brown-paper-bag-by: Michael Ellerman <mpe at ellerman.id.au>
> > Fixes: f636c14790ea ("powerpc/pseries: Set or clear security feature flags")
> > Signed-off-by: Mauricio Faria de Oliveira <mauricfo at linux.vnet.ibm.com>
> > Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
> > (cherry picked from commit 0f9bdfe3c77091e8704d2e510eb7c2c2c6cde524)
> > Signed-off-by: Breno Leitao <leitao at debian.org>
> 
> The patch looks fine, however we do need a bug in launchpad for any
> patches for bionic now. You can reply with a bug number and we can add
> the bug link when applying.

Right, this is the bug link:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1765429

Thanks,
Breno
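
The field mix-up described in the quoted commit message, as an added example that is not part of the original thread or the kernel source: a user-space model of the default-on flag clearing, run on the two QEMU value pairs from the message. The H_CPU_BEHAV_* bit positions are assumed from the kernel's asm/hvcall.h, and the FTR_* names and values are local to this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: bit positions as in the kernel's asm/hvcall.h (not shown on this page). */
#define H_CPU_BEHAV_FAVOUR_SECURITY   (1ull << 63)
#define H_CPU_BEHAV_L1D_FLUSH_PR      (1ull << 62)
#define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR (1ull << 61)

/* Local stand-ins for the kernel's security feature bits; values are arbitrary. */
enum {
    FTR_FAVOUR_SECURITY   = 1 << 0,
    FTR_L1D_FLUSH_PR      = 1 << 1,
    FTR_BNDS_CHK_SPEC_BAR = 1 << 2,
    FTR_DEFAULT           = (1 << 3) - 1   /* all three start enabled */
};

struct h_cpu_char_result {
    uint64_t character;   /* H_CPU_CHAR_* flags */
    uint64_t behaviour;   /* H_CPU_BEHAV_* flags */
};

/* The two QEMU value pairs from the commit message. */
static const struct h_cpu_char_result qemu_case1 = { 0xf000000000000000ull, 0 };
static const struct h_cpu_char_result qemu_case2 = { 0, 0xf000000000000000ull };

/* Default-on features are cleared when the firmware word lacks the matching bit. */
static unsigned clear_unset(uint64_t word)
{
    unsigned ftrs = FTR_DEFAULT;
    if (!(word & H_CPU_BEHAV_FAVOUR_SECURITY))   ftrs &= ~(unsigned)FTR_FAVOUR_SECURITY;
    if (!(word & H_CPU_BEHAV_L1D_FLUSH_PR))      ftrs &= ~(unsigned)FTR_L1D_FLUSH_PR;
    if (!(word & H_CPU_BEHAV_BNDS_CHK_SPEC_BAR)) ftrs &= ~(unsigned)FTR_BNDS_CHK_SPEC_BAR;
    return ftrs;
}

/* Before the fix: behaviour flags tested against the 'character' word. */
unsigned flags_before_fix(const struct h_cpu_char_result *r) { return clear_unset(r->character); }
/* After the fix: behaviour flags tested against the 'behaviour' word. */
unsigned flags_after_fix(const struct h_cpu_char_result *r)  { return clear_unset(r->behaviour); }

int main(void)
{
    printf("case 1: before=%#x after=%#x\n", flags_before_fix(&qemu_case1), flags_after_fix(&qemu_case1));
    printf("case 2: before=%#x after=%#x\n", flags_before_fix(&qemu_case2), flags_after_fix(&qemu_case2));
    return 0;
}
```

In case 1 the pre-fix check keeps all three features set although the behaviour word is zero, and in case 2 it clears all three although firmware set them, which is the inversion visible in the sysfs output quoted above.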
