x86/cpu/amd: Report zenbleed in sysfs
Commit Message
Initial submission of Zenbleed fix omitted reporting the bug in sysfs.
There's no reason why it shouldn't be reported so let's add it among
the other vulnerabilities.
Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
---
.../ABI/testing/sysfs-devices-system-cpu | 1 +
arch/x86/kernel/cpu/amd.c | 15 +++++++++++++++
drivers/base/cpu.c | 8 ++++++++
include/linux/cpu.h | 2 ++
4 files changed, 26 insertions(+)
Comments
On Thu, Jul 27, 2023 at 10:54:46AM +0300, Nikolay Borisov wrote:
> Initial submission of Zenbleed fix omitted reporting the bug in sysfs.
> There's no reason
Yeah, there is a reason - it is not a speculation vuln and people want
to disable the speculation mitigations if they deem their userspace
trustworthy. This one you don't want to disable ever.
On Thu, Jul 27, 2023 at 10:54:46AM +0300, Nikolay Borisov wrote:
> Initial submission of Zenbleed fix omitted reporting the bug in sysfs.
> There's no reason why it shouldn't be reported so let's add it among
> the other vulnerabilities.
>
> Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
> ---
> .../ABI/testing/sysfs-devices-system-cpu | 1 +
> arch/x86/kernel/cpu/amd.c | 15 +++++++++++++++
> drivers/base/cpu.c | 8 ++++++++
> include/linux/cpu.h | 2 ++
> 4 files changed, 26 insertions(+)
>
> diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
> index ecd585ca2d50..30bb4196e451 100644
> --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
> +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
> @@ -524,6 +524,7 @@ What: /sys/devices/system/cpu/vulnerabilities
> /sys/devices/system/cpu/vulnerabilities/itlb_multihit
> /sys/devices/system/cpu/vulnerabilities/mmio_stale_data
> /sys/devices/system/cpu/vulnerabilities/retbleed
> + /sys/devices/system/cpu/vulnerabilities/zenbleed
> Date: January 2018
> Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
> Description: Information about CPU vulnerabilities
> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
> index 26ad7ca423e7..3ab9745eafc5 100644
> --- a/arch/x86/kernel/cpu/amd.c
> +++ b/arch/x86/kernel/cpu/amd.c
> @@ -1279,6 +1279,21 @@ u32 amd_get_highest_perf(void)
> }
> EXPORT_SYMBOL_GPL(amd_get_highest_perf);
>
> +ssize_t cpu_show_zenbleed(struct device *dev, struct device_attribute *attr, char *buf)
> +{
> +
Extra newline.
> + if (!cpu_has_amd_erratum(&boot_cpu_data, amd_zenbleed) ||
> + !boot_cpu_has(X86_FEATURE_AVX) ||
> + boot_cpu_has(X86_FEATURE_HYPERVISOR))
> + return sysfs_emit(buf, "Not affected\n");
> +
> + if (!cpu_has_zenbleed_microcode()) {
For readability this can check of microcode present case, and drop the
NOT operator.
> + return sysfs_emit(buf, "Mitigation: Chickenbit\n");
Shouldn't this be checking if the chicken bit is set? And if it's not set,
then report "Vulnerable".
But, looking at zenbleed_check(), it appears that the chicken bit for
Zenbleed will always be present, and it will always be set if the microcode
is not present.
> + } else {
> + return sysfs_emit(buf, "Mitigation: Microcode\n");
> + }
> +}
On 29.07.23 г. 2:14 ч., Pawan Gupta wrote:
> On Thu, Jul 27, 2023 at 10:54:46AM +0300, Nikolay Borisov wrote:
>> Initial submission of Zenbleed fix omitted reporting the bug in sysfs.
>> There's no reason why it shouldn't be reported so let's add it among
>> the other vulnerabilities.
>>
>> Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
>> ---
>> .../ABI/testing/sysfs-devices-system-cpu | 1 +
>> arch/x86/kernel/cpu/amd.c | 15 +++++++++++++++
>> drivers/base/cpu.c | 8 ++++++++
>> include/linux/cpu.h | 2 ++
>> 4 files changed, 26 insertions(+)
>>
>> diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
>> index ecd585ca2d50..30bb4196e451 100644
>> --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
>> +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
>> @@ -524,6 +524,7 @@ What: /sys/devices/system/cpu/vulnerabilities
>> /sys/devices/system/cpu/vulnerabilities/itlb_multihit
>> /sys/devices/system/cpu/vulnerabilities/mmio_stale_data
>> /sys/devices/system/cpu/vulnerabilities/retbleed
>> + /sys/devices/system/cpu/vulnerabilities/zenbleed
>> Date: January 2018
>> Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
>> Description: Information about CPU vulnerabilities
>> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
>> index 26ad7ca423e7..3ab9745eafc5 100644
>> --- a/arch/x86/kernel/cpu/amd.c
>> +++ b/arch/x86/kernel/cpu/amd.c
>> @@ -1279,6 +1279,21 @@ u32 amd_get_highest_perf(void)
>> }
>> EXPORT_SYMBOL_GPL(amd_get_highest_perf);
>>
>> +ssize_t cpu_show_zenbleed(struct device *dev, struct device_attribute *attr, char *buf)
>> +{
>> +
>
> Extra newline.
>
>> + if (!cpu_has_amd_erratum(&boot_cpu_data, amd_zenbleed) ||
>> + !boot_cpu_has(X86_FEATURE_AVX) ||
>> + boot_cpu_has(X86_FEATURE_HYPERVISOR))
>> + return sysfs_emit(buf, "Not affected\n");
>> +
>> + if (!cpu_has_zenbleed_microcode()) {
>
> For readability this can check of microcode present case, and drop the
> NOT operator.
>
>> + return sysfs_emit(buf, "Mitigation: Chickenbit\n");
>
> Shouldn't this be checking if the chicken bit is set? And if its not set
> then report "Vulnerable".
>
> But, looking at zenbleed_check() it appear that the chicken bit for
> zenbleed will always be present, and it will always be set if microcode
> is not present.
Yeah, but based on feedback I got from Boris it seems this is not going
to be merged so it doesn't matter.
>
>> + } else {
>> + return sysfs_emit(buf, "Mitigation: Microcode\n");
>> + }
>> +}
@@ -524,6 +524,7 @@ What: /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/itlb_multihit
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
/sys/devices/system/cpu/vulnerabilities/retbleed
+ /sys/devices/system/cpu/vulnerabilities/zenbleed
Date: January 2018
Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
Description: Information about CPU vulnerabilities
@@ -1279,6 +1279,21 @@ u32 amd_get_highest_perf(void)
}
EXPORT_SYMBOL_GPL(amd_get_highest_perf);
+ssize_t cpu_show_zenbleed(struct device *dev, struct device_attribute *attr, char *buf)
+{
+
+ if (!cpu_has_amd_erratum(&boot_cpu_data, amd_zenbleed) ||
+ !boot_cpu_has(X86_FEATURE_AVX) ||
+ boot_cpu_has(X86_FEATURE_HYPERVISOR))
+ return sysfs_emit(buf, "Not affected\n");
+
+ if (!cpu_has_zenbleed_microcode()) {
+ return sysfs_emit(buf, "Mitigation: Chickenbit\n");
+ } else {
+ return sysfs_emit(buf, "Mitigation: Microcode\n");
+ }
+}
+
static void zenbleed_check_cpu(void *unused)
{
struct cpuinfo_x86 *c = &cpu_data(smp_processor_id());
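Review bot: The first condition in `cpu_show_zenbleed()` folds `boot_cpu_has(X86_FEATURE_HYPERVISOR)` into the "Not affected" result, so a guest on affected silicon reads "Not affected" even though it cannot tell from inside the VM whether the host has loaded the microcode or set the chicken bit. Anyone auditing machines through this sysfs file would take that as a clean result. Reporting the guest case as undetermined would be more accurate, for example `if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) return sysfs_emit(buf, "Unknown: Dependent on hypervisor status\n");` placed after the erratum/AVX check. The function also has no comment; a short one noting that the string is derived from `boot_cpu_data` only, while `zenbleed_check_cpu()` below appears to work on the current CPU's `cpu_data` (its body continues outside the hunk), would tell readers how far the reported state can be trusted.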
@@ -577,6 +577,12 @@ ssize_t __weak cpu_show_retbleed(struct device *dev,
return sysfs_emit(buf, "Not affected\n");
}
+ssize_t __weak cpu_show_zenbleed(struct device *dev,
+ struct device_attribute *attr, char *buf)
+{
+ return sysfs_emit(buf, "Not affected\n");
+}
+
static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
@@ -588,6 +594,7 @@ static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
static DEVICE_ATTR(mmio_stale_data, 0444, cpu_show_mmio_stale_data, NULL);
static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
+static DEVICE_ATTR(zenbleed, 0444, cpu_show_zenbleed, NULL);
static struct attribute *cpu_root_vulnerabilities_attrs[] = {
&dev_attr_meltdown.attr,
@@ -601,6 +608,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
&dev_attr_srbds.attr,
&dev_attr_mmio_stale_data.attr,
&dev_attr_retbleed.attr,
+ &dev_attr_zenbleed.attr,
NULL
};
@@ -70,6 +70,8 @@ extern ssize_t cpu_show_mmio_stale_data(struct device *dev,
char *buf);
extern ssize_t cpu_show_retbleed(struct device *dev,
struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_zenbleed(struct device *dev,
+ struct device_attribute *attr, char *buf);
extern __printf(4, 5)
struct device *cpu_device_create(struct device *parent, void *drvdata,