x86/cpu/amd: Report zenbleed in sysfs

Message ID 20230727075446.1749969-1-nik.borisov@suse.com
State New
Series x86/cpu/amd: Report zenbleed in sysfs |

Commit Message

Nikolay Borisov July 27, 2023, 7:54 a.m. UTC
  Initial submission of Zenbleed fix omitted reporting the bug in sysfs.
There's no reason why it shouldn't be reported so let's add it among
the other vulnerabilities.

Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
---
 .../ABI/testing/sysfs-devices-system-cpu          |  1 +
 arch/x86/kernel/cpu/amd.c                         | 15 +++++++++++++++
 drivers/base/cpu.c                                |  8 ++++++++
 include/linux/cpu.h                               |  2 ++
 4 files changed, 26 insertions(+)
  

Comments

Borislav Petkov July 27, 2023, 8 a.m. UTC | #1
On Thu, Jul 27, 2023 at 10:54:46AM +0300, Nikolay Borisov wrote:
> Initial submission of Zenbleed fix omitted reporting the bug in sysfs.
> There's no reason

Yeah, there is a reason - it is not a speculation vuln and people want
to disable the speculation mitigations if they deem their userspace
trustworthy. This one you don't want to disable ever.
  
Pawan Gupta July 28, 2023, 11:14 p.m. UTC | #2
On Thu, Jul 27, 2023 at 10:54:46AM +0300, Nikolay Borisov wrote:
> Initial submission of Zenbleed fix omitted reporting the bug in sysfs.
> There's no reason why it shouldn't be reported so let's add it among
> the other vulnerabilities.
> 
> Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
> ---
>  .../ABI/testing/sysfs-devices-system-cpu          |  1 +
>  arch/x86/kernel/cpu/amd.c                         | 15 +++++++++++++++
>  drivers/base/cpu.c                                |  8 ++++++++
>  include/linux/cpu.h                               |  2 ++
>  4 files changed, 26 insertions(+)
> 
> diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
> index ecd585ca2d50..30bb4196e451 100644
> --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
> +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
> @@ -524,6 +524,7 @@ What:		/sys/devices/system/cpu/vulnerabilities
>  		/sys/devices/system/cpu/vulnerabilities/itlb_multihit
>  		/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
>  		/sys/devices/system/cpu/vulnerabilities/retbleed
> +		/sys/devices/system/cpu/vulnerabilities/zenbleed
>  Date:		January 2018
>  Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
>  Description:	Information about CPU vulnerabilities
> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
> index 26ad7ca423e7..3ab9745eafc5 100644
> --- a/arch/x86/kernel/cpu/amd.c
> +++ b/arch/x86/kernel/cpu/amd.c
> @@ -1279,6 +1279,21 @@ u32 amd_get_highest_perf(void)
>  }
>  EXPORT_SYMBOL_GPL(amd_get_highest_perf);
>  
> +ssize_t cpu_show_zenbleed(struct device *dev, struct device_attribute *attr, char *buf)
> +{
> +

Extra newline.

> +	if (!cpu_has_amd_erratum(&boot_cpu_data, amd_zenbleed) ||
> +	    !boot_cpu_has(X86_FEATURE_AVX) ||
> +	    boot_cpu_has(X86_FEATURE_HYPERVISOR))
> +		return sysfs_emit(buf, "Not affected\n");
> +
> +	if (!cpu_has_zenbleed_microcode()) {

For readability this can check for the microcode-present case and drop the
NOT operator.

> +		return sysfs_emit(buf, "Mitigation: Chickenbit\n");

Shouldn't this be checking if the chicken bit is set? And if its not set
then report "Vulnerable".

But, looking at zenbleed_check() it appear that the chicken bit for
zenbleed will always be present, and it will always be set if microcode
is not present.

> +	} else {
> +		return sysfs_emit(buf, "Mitigation: Microcode\n");
> +	}
> +}
  
Nikolay Borisov July 29, 2023, 7:24 a.m. UTC | #3
On 29.07.23 г. 2:14 ч., Pawan Gupta wrote:
> On Thu, Jul 27, 2023 at 10:54:46AM +0300, Nikolay Borisov wrote:
>> Initial submission of Zenbleed fix omitted reporting the bug in sysfs.
>> There's no reason why it shouldn't be reported so let's add it among
>> the other vulnerabilities.
>>
>> Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
>> ---
>>   .../ABI/testing/sysfs-devices-system-cpu          |  1 +
>>   arch/x86/kernel/cpu/amd.c                         | 15 +++++++++++++++
>>   drivers/base/cpu.c                                |  8 ++++++++
>>   include/linux/cpu.h                               |  2 ++
>>   4 files changed, 26 insertions(+)
>>
>> diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
>> index ecd585ca2d50..30bb4196e451 100644
>> --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
>> +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
>> @@ -524,6 +524,7 @@ What:		/sys/devices/system/cpu/vulnerabilities
>>   		/sys/devices/system/cpu/vulnerabilities/itlb_multihit
>>   		/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
>>   		/sys/devices/system/cpu/vulnerabilities/retbleed
>> +		/sys/devices/system/cpu/vulnerabilities/zenbleed
>>   Date:		January 2018
>>   Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
>>   Description:	Information about CPU vulnerabilities
>> diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
>> index 26ad7ca423e7..3ab9745eafc5 100644
>> --- a/arch/x86/kernel/cpu/amd.c
>> +++ b/arch/x86/kernel/cpu/amd.c
>> @@ -1279,6 +1279,21 @@ u32 amd_get_highest_perf(void)
>>   }
>>   EXPORT_SYMBOL_GPL(amd_get_highest_perf);
>>   
>> +ssize_t cpu_show_zenbleed(struct device *dev, struct device_attribute *attr, char *buf)
>> +{
>> +
> 
> Extra newline.
> 
>> +	if (!cpu_has_amd_erratum(&boot_cpu_data, amd_zenbleed) ||
>> +	    !boot_cpu_has(X86_FEATURE_AVX) ||
>> +	    boot_cpu_has(X86_FEATURE_HYPERVISOR))
>> +		return sysfs_emit(buf, "Not affected\n");
>> +
>> +	if (!cpu_has_zenbleed_microcode()) {
> 
> For readability this can check of microcode present case, and drop the
> NOT operator.
> 
>> +		return sysfs_emit(buf, "Mitigation: Chickenbit\n");
> 
> Shouldn't this be checking if the chicken bit is set? And if its not set
> then report "Vulnerable".
> 
> But, looking at zenbleed_check() it appear that the chicken bit for
> zenbleed will always be present, and it will always be set if microcode
> is not present.

Yeah, but based on feedback I got from Boris it seems this is not going 
to be merged so it doesn't matter.

> 
>> +	} else {
>> +		return sysfs_emit(buf, "Mitigation: Microcode\n");
>> +	}
>> +}
  

Patch

diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
index ecd585ca2d50..30bb4196e451 100644
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -524,6 +524,7 @@  What:		/sys/devices/system/cpu/vulnerabilities
 		/sys/devices/system/cpu/vulnerabilities/itlb_multihit
 		/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
 		/sys/devices/system/cpu/vulnerabilities/retbleed
+		/sys/devices/system/cpu/vulnerabilities/zenbleed
 Date:		January 2018
 Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
 Description:	Information about CPU vulnerabilities
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 26ad7ca423e7..3ab9745eafc5 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -1279,6 +1279,21 @@  u32 amd_get_highest_perf(void)
 }
 EXPORT_SYMBOL_GPL(amd_get_highest_perf);
 
+ssize_t cpu_show_zenbleed(struct device *dev, struct device_attribute *attr, char *buf)
+{
+
+	if (!cpu_has_amd_erratum(&boot_cpu_data, amd_zenbleed) ||
+	    !boot_cpu_has(X86_FEATURE_AVX) ||
+	    boot_cpu_has(X86_FEATURE_HYPERVISOR))
+		return sysfs_emit(buf, "Not affected\n");
+
+	if (!cpu_has_zenbleed_microcode()) {
+		return sysfs_emit(buf, "Mitigation: Chickenbit\n");
+	} else {
+		return sysfs_emit(buf, "Mitigation: Microcode\n");
+	}
+}
+
 static void zenbleed_check_cpu(void *unused)
 {
 	struct cpuinfo_x86 *c = &cpu_data(smp_processor_id());
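Review bot: In cpu_show_zenbleed(), the first condition returns "Not affected" whenever `boot_cpu_has(X86_FEATURE_HYPERVISOR)` is true, so a guest on an affected part would read as safe even if the host has applied neither the microcode nor the chicken bit. The guest kernel cannot see the host's state, and tooling that audits /sys/devices/system/cpu/vulnerabilities would record a false negative. I would split that test out and report the uncertainty, e.g. `if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) return sysfs_emit(buf, "Unknown: Dependent on hypervisor status\n");`, keeping "Not affected" for the erratum and AVX checks only. The argument-less `cpu_has_zenbleed_microcode()` also appears to give one system-wide answer while zenbleed_check_cpu() below works per CPU, so a short comment stating whose state the file reports would help. zenbleed_check_cpu() continues outside this hunk.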
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
index c1815b9dae68..49c963a0f362 100644
--- a/drivers/base/cpu.c
+++ b/drivers/base/cpu.c
@@ -577,6 +577,12 @@  ssize_t __weak cpu_show_retbleed(struct device *dev,
 	return sysfs_emit(buf, "Not affected\n");
 }
 
+ssize_t __weak cpu_show_zenbleed(struct device *dev,
+				 struct device_attribute *attr, char *buf)
+{
+	return sysfs_emit(buf, "Not affected\n");
+}
+
 static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
 static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
 static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
@@ -588,6 +594,7 @@  static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
 static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
 static DEVICE_ATTR(mmio_stale_data, 0444, cpu_show_mmio_stale_data, NULL);
 static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
+static DEVICE_ATTR(zenbleed, 0444, cpu_show_zenbleed, NULL);
 
 static struct attribute *cpu_root_vulnerabilities_attrs[] = {
 	&dev_attr_meltdown.attr,
@@ -601,6 +608,7 @@  static struct attribute *cpu_root_vulnerabilities_attrs[] = {
 	&dev_attr_srbds.attr,
 	&dev_attr_mmio_stale_data.attr,
 	&dev_attr_retbleed.attr,
+	&dev_attr_zenbleed.attr,
 	NULL
 };
 
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index 6e6e57ec69e8..8ed8fa142067 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -70,6 +70,8 @@  extern ssize_t cpu_show_mmio_stale_data(struct device *dev,
 					char *buf);
 extern ssize_t cpu_show_retbleed(struct device *dev,
 				 struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_zenbleed(struct device *dev,
+				 struct device_attribute *attr, char *buf);
 
 extern __printf(4, 5)
 struct device *cpu_device_create(struct device *parent, void *drvdata,