diff mbox series

[v3] KVM: arm64: ARM_SMCCC_ARCH_WORKAROUND_1 doesn't return SMCCC_RET_NOT_REQUIRED

Message ID 20201023154751.1973872-1-swboyd@chromium.org (mailing list archive)
State New, archived
Headers show
Series [v3] KVM: arm64: ARM_SMCCC_ARCH_WORKAROUND_1 doesn't return SMCCC_RET_NOT_REQUIRED | expand

Commit Message

Stephen Boyd Oct. 23, 2020, 3:47 p.m. UTC
According to the SMCCC spec[1](7.5.2 Discovery) the
ARM_SMCCC_ARCH_WORKAROUND_1 function id only returns 0, 1, and
SMCCC_RET_NOT_SUPPORTED.

 0 is "workaround required and safe to call this function"
 1 is "workaround not required but safe to call this function"
 SMCCC_RET_NOT_SUPPORTED is "might be vulnerable or might not be, who knows, I give up!"

SMCCC_RET_NOT_SUPPORTED might as well mean "workaround required, except
calling this function may not work because it isn't implemented in some
cases". Wonderful. We map this SMC call to

 0 is SPECTRE_MITIGATED
 1 is SPECTRE_UNAFFECTED
 SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE

For KVM hypercalls (hvc), we've implemented this function id to return
SMCCC_RET_NOT_SUPPORTED, 0, and SMCCC_RET_NOT_REQUIRED. One of those
isn't supposed to be there. Per the code we call
arm64_get_spectre_v2_state() to figure out what to return for this
feature discovery call.

 0 is SPECTRE_MITIGATED
 SMCCC_RET_NOT_REQUIRED is SPECTRE_UNAFFECTED
 SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE

Let's clean this up so that KVM tells the guest this mapping:

 0 is SPECTRE_MITIGATED
 1 is SPECTRE_UNAFFECTED
 SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE

Note: SMCCC_RET_NOT_AFFECTED is 1 but isn't part of the SMCCC spec

Cc: Andre Przywara <andre.przywara@arm.com>
Cc: Steven Price <steven.price@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://developer.arm.com/documentation/den0028/latest [1]
Fixes: c118bbb52743 ("arm64: KVM: Propagate full Spectre v2 workaround state to KVM guests")
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
---

I see that before commit c118bbb52743 ("arm64: KVM: Propagate full
Spectre v2 workaround state to KVM guests") we had this mapping:

 0 is SPECTRE_MITIGATED
 SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE

so the return value '1' wasn't there then. Once the commit was merged we
introduced the notion of NOT_REQUIRED here when it shouldn't have been
introduced.

Changes from v2:
 * Moved define to header file and used it

Changes from v1:
 * Way longer commit text, more background (sorry)
 * Dropped proton-pack part because it was wrong
 * Rebased onto other patch accepted upstream

 arch/arm64/kernel/proton-pack.c | 2 --
 arch/arm64/kvm/hypercalls.c     | 2 +-
 include/linux/arm-smccc.h       | 2 ++
 3 files changed, 3 insertions(+), 3 deletions(-)


base-commit: 66dd3474702aa98d5844367e1577cdad78ef7c65

Comments

Will Deacon Oct. 26, 2020, 1:25 p.m. UTC | #1
On Fri, Oct 23, 2020 at 08:47:50AM -0700, Stephen Boyd wrote:
> According to the SMCCC spec[1](7.5.2 Discovery) the
> ARM_SMCCC_ARCH_WORKAROUND_1 function id only returns 0, 1, and
> SMCCC_RET_NOT_SUPPORTED.
> 
>  0 is "workaround required and safe to call this function"
>  1 is "workaround not required but safe to call this function"
>  SMCCC_RET_NOT_SUPPORTED is "might be vulnerable or might not be, who knows, I give up!"
> 
> SMCCC_RET_NOT_SUPPORTED might as well mean "workaround required, except
> calling this function may not work because it isn't implemented in some
> cases". Wonderful. We map this SMC call to
> 
>  0 is SPECTRE_MITIGATED
>  1 is SPECTRE_UNAFFECTED
>  SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE
> 
> For KVM hypercalls (hvc), we've implemented this function id to return
> SMCCC_RET_NOT_SUPPORTED, 0, and SMCCC_RET_NOT_REQUIRED. One of those
> isn't supposed to be there. Per the code we call
> arm64_get_spectre_v2_state() to figure out what to return for this
> feature discovery call.
> 
>  0 is SPECTRE_MITIGATED
>  SMCCC_RET_NOT_REQUIRED is SPECTRE_UNAFFECTED
>  SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE
> 
> Let's clean this up so that KVM tells the guest this mapping:
> 
>  0 is SPECTRE_MITIGATED
>  1 is SPECTRE_UNAFFECTED
>  SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE
> 
> Note: SMCCC_RET_NOT_AFFECTED is 1 but isn't part of the SMCCC spec
> 
> Cc: Andre Przywara <andre.przywara@arm.com>
> Cc: Steven Price <steven.price@arm.com>
> Cc: Marc Zyngier <maz@kernel.org>
> Cc: stable@vger.kernel.org
> Link: https://developer.arm.com/documentation/den0028/latest [1]
> Fixes: c118bbb52743 ("arm64: KVM: Propagate full Spectre v2 workaround state to KVM guests")
> Signed-off-by: Stephen Boyd <swboyd@chromium.org>
> ---
> 
> I see that before commit c118bbb52743 ("arm64: KVM: Propagate full
> Spectre v2 workaround state to KVM guests") we had this mapping:
> 
>  0 is SPECTRE_MITIGATED
>  SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE
> 
> so the return value '1' wasn't there then. Once the commit was merged we
> introduced the notion of NOT_REQUIRED here when it shouldn't have been
> introduced.
> 
> Changes from v2:
>  * Moved define to header file and used it
> 
> Changes from v1:
>  * Way longer commit text, more background (sorry)
>  * Dropped proton-pack part because it was wrong
>  * Rebased onto other patch accepted upstream
> 
>  arch/arm64/kernel/proton-pack.c | 2 --
>  arch/arm64/kvm/hypercalls.c     | 2 +-
>  include/linux/arm-smccc.h       | 2 ++
>  3 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/kernel/proton-pack.c b/arch/arm64/kernel/proton-pack.c
> index 25f3c80b5ffe..c18eb7d41274 100644
> --- a/arch/arm64/kernel/proton-pack.c
> +++ b/arch/arm64/kernel/proton-pack.c
> @@ -135,8 +135,6 @@ static enum mitigation_state spectre_v2_get_cpu_hw_mitigation_state(void)
>  	return SPECTRE_VULNERABLE;
>  }
>  
> -#define SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED	(1)
> -
>  static enum mitigation_state spectre_v2_get_cpu_fw_mitigation_state(void)
>  {
>  	int ret;
> diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c
> index 9824025ccc5c..25ea4ecb6449 100644
> --- a/arch/arm64/kvm/hypercalls.c
> +++ b/arch/arm64/kvm/hypercalls.c
> @@ -31,7 +31,7 @@ int kvm_hvc_call_handler(struct kvm_vcpu *vcpu)
>  				val = SMCCC_RET_SUCCESS;
>  				break;
>  			case SPECTRE_UNAFFECTED:
> -				val = SMCCC_RET_NOT_REQUIRED;
> +				val = SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED;
>  				break;
>  			}
>  			break;
> diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h
> index 15c706fb0a37..0e50ba3e88d7 100644
> --- a/include/linux/arm-smccc.h
> +++ b/include/linux/arm-smccc.h
> @@ -86,6 +86,8 @@
>  			   ARM_SMCCC_SMC_32,				\
>  			   0, 0x7fff)
>  
> +#define SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED	1

I thought we'd stick this in asm/spectre.h, but here is also good:

Acked-by: Will Deacon <will@kernel.org>

Will
Stephen Boyd Oct. 27, 2020, 9:41 p.m. UTC | #2
Quoting Will Deacon (2020-10-26 06:25:33)
> On Fri, Oct 23, 2020 at 08:47:50AM -0700, Stephen Boyd wrote:
> > diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h
> > index 15c706fb0a37..0e50ba3e88d7 100644
> > --- a/include/linux/arm-smccc.h
> > +++ b/include/linux/arm-smccc.h
> > @@ -86,6 +86,8 @@
> >                          ARM_SMCCC_SMC_32,                            \
> >                          0, 0x7fff)
> >  
> > +#define SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED 1
> 
> I thought we'd stick this in asm/spectre.h, but here is also good:
> 
> Acked-by: Will Deacon <will@kernel.org>
> 

Ah sorry I glossed over that one. I suppose it can be moved during patch
application if desired.
Marc Zyngier Oct. 28, 2020, 10:03 a.m. UTC | #3
On 2020-10-26 13:25, Will Deacon wrote:
> On Fri, Oct 23, 2020 at 08:47:50AM -0700, Stephen Boyd wrote:
>> According to the SMCCC spec[1](7.5.2 Discovery) the
>> ARM_SMCCC_ARCH_WORKAROUND_1 function id only returns 0, 1, and
>> SMCCC_RET_NOT_SUPPORTED.
>> 
>>  0 is "workaround required and safe to call this function"
>>  1 is "workaround not required but safe to call this function"
>>  SMCCC_RET_NOT_SUPPORTED is "might be vulnerable or might not be, who 
>> knows, I give up!"
>> 
>> SMCCC_RET_NOT_SUPPORTED might as well mean "workaround required, 
>> except
>> calling this function may not work because it isn't implemented in 
>> some
>> cases". Wonderful. We map this SMC call to
>> 
>>  0 is SPECTRE_MITIGATED
>>  1 is SPECTRE_UNAFFECTED
>>  SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE
>> 
>> For KVM hypercalls (hvc), we've implemented this function id to return
>> SMCCC_RET_NOT_SUPPORTED, 0, and SMCCC_RET_NOT_REQUIRED. One of those
>> isn't supposed to be there. Per the code we call
>> arm64_get_spectre_v2_state() to figure out what to return for this
>> feature discovery call.
>> 
>>  0 is SPECTRE_MITIGATED
>>  SMCCC_RET_NOT_REQUIRED is SPECTRE_UNAFFECTED
>>  SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE
>> 
>> Let's clean this up so that KVM tells the guest this mapping:
>> 
>>  0 is SPECTRE_MITIGATED
>>  1 is SPECTRE_UNAFFECTED
>>  SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE
>> 
>> Note: SMCCC_RET_NOT_AFFECTED is 1 but isn't part of the SMCCC spec
>> 
>> Cc: Andre Przywara <andre.przywara@arm.com>
>> Cc: Steven Price <steven.price@arm.com>
>> Cc: Marc Zyngier <maz@kernel.org>
>> Cc: stable@vger.kernel.org
>> Link: https://developer.arm.com/documentation/den0028/latest [1]
>> Fixes: c118bbb52743 ("arm64: KVM: Propagate full Spectre v2 workaround 
>> state to KVM guests")
>> Signed-off-by: Stephen Boyd <swboyd@chromium.org>
>> ---
>> 
>> I see that before commit c118bbb52743 ("arm64: KVM: Propagate full
>> Spectre v2 workaround state to KVM guests") we had this mapping:
>> 
>>  0 is SPECTRE_MITIGATED
>>  SMCCC_RET_NOT_SUPPORTED is SPECTRE_VULNERABLE
>> 
>> so the return value '1' wasn't there then. Once the commit was merged 
>> we
>> introduced the notion of NOT_REQUIRED here when it shouldn't have been
>> introduced.
>> 
>> Changes from v2:
>>  * Moved define to header file and used it
>> 
>> Changes from v1:
>>  * Way longer commit text, more background (sorry)
>>  * Dropped proton-pack part because it was wrong
>>  * Rebased onto other patch accepted upstream
>> 
>>  arch/arm64/kernel/proton-pack.c | 2 --
>>  arch/arm64/kvm/hypercalls.c     | 2 +-
>>  include/linux/arm-smccc.h       | 2 ++
>>  3 files changed, 3 insertions(+), 3 deletions(-)
>> 
>> diff --git a/arch/arm64/kernel/proton-pack.c 
>> b/arch/arm64/kernel/proton-pack.c
>> index 25f3c80b5ffe..c18eb7d41274 100644
>> --- a/arch/arm64/kernel/proton-pack.c
>> +++ b/arch/arm64/kernel/proton-pack.c
>> @@ -135,8 +135,6 @@ static enum mitigation_state 
>> spectre_v2_get_cpu_hw_mitigation_state(void)
>>  	return SPECTRE_VULNERABLE;
>>  }
>> 
>> -#define SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED	(1)
>> -
>>  static enum mitigation_state 
>> spectre_v2_get_cpu_fw_mitigation_state(void)
>>  {
>>  	int ret;
>> diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c
>> index 9824025ccc5c..25ea4ecb6449 100644
>> --- a/arch/arm64/kvm/hypercalls.c
>> +++ b/arch/arm64/kvm/hypercalls.c
>> @@ -31,7 +31,7 @@ int kvm_hvc_call_handler(struct kvm_vcpu *vcpu)
>>  				val = SMCCC_RET_SUCCESS;
>>  				break;
>>  			case SPECTRE_UNAFFECTED:
>> -				val = SMCCC_RET_NOT_REQUIRED;
>> +				val = SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED;
>>  				break;
>>  			}
>>  			break;
>> diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h
>> index 15c706fb0a37..0e50ba3e88d7 100644
>> --- a/include/linux/arm-smccc.h
>> +++ b/include/linux/arm-smccc.h
>> @@ -86,6 +86,8 @@
>>  			   ARM_SMCCC_SMC_32,				\
>>  			   0, 0x7fff)
>> 
>> +#define SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED	1
> 
> I thought we'd stick this in asm/spectre.h, but here is also good:
> 
> Acked-by: Will Deacon <will@kernel.org>

Acked-by: Marc Zyngier <maz@kernel.org>

Will, if you're about to send fixes to Linus, can you please pick
this one up?

         M.
Will Deacon Oct. 28, 2020, 3:12 p.m. UTC | #4
On Fri, 23 Oct 2020 08:47:50 -0700, Stephen Boyd wrote:
> According to the SMCCC spec[1](7.5.2 Discovery) the
> ARM_SMCCC_ARCH_WORKAROUND_1 function id only returns 0, 1, and
> SMCCC_RET_NOT_SUPPORTED.
> 
>  0 is "workaround required and safe to call this function"
>  1 is "workaround not required but safe to call this function"
>  SMCCC_RET_NOT_SUPPORTED is "might be vulnerable or might not be, who knows, I give up!"
> 
> [...]

Applied to arm64 (for-next/fixes), thanks!

[1/1] KVM: arm64: ARM_SMCCC_ARCH_WORKAROUND_1 doesn't return SMCCC_RET_NOT_REQUIRED
      https://git.kernel.org/arm64/c/1de111b51b82

Cheers,
diff mbox series

Patch

diff --git a/arch/arm64/kernel/proton-pack.c b/arch/arm64/kernel/proton-pack.c
index 25f3c80b5ffe..c18eb7d41274 100644
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -135,8 +135,6 @@  static enum mitigation_state spectre_v2_get_cpu_hw_mitigation_state(void)
 	return SPECTRE_VULNERABLE;
 }
 
-#define SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED	(1)
-
 static enum mitigation_state spectre_v2_get_cpu_fw_mitigation_state(void)
 {
 	int ret;
diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c
index 9824025ccc5c..25ea4ecb6449 100644
--- a/arch/arm64/kvm/hypercalls.c
+++ b/arch/arm64/kvm/hypercalls.c
@@ -31,7 +31,7 @@  int kvm_hvc_call_handler(struct kvm_vcpu *vcpu)
 				val = SMCCC_RET_SUCCESS;
 				break;
 			case SPECTRE_UNAFFECTED:
-				val = SMCCC_RET_NOT_REQUIRED;
+				val = SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED;
 				break;
 			}
 			break;
diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h
index 15c706fb0a37..0e50ba3e88d7 100644
--- a/include/linux/arm-smccc.h
+++ b/include/linux/arm-smccc.h
@@ -86,6 +86,8 @@ 
 			   ARM_SMCCC_SMC_32,				\
 			   0, 0x7fff)
 
+#define SMCCC_ARCH_WORKAROUND_RET_UNAFFECTED	1
+
 /* Paravirtualised time calls (defined by ARM DEN0057A) */
 #define ARM_SMCCC_HV_PV_TIME_FEATURES				\
 	ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL,			\