powerpc/security: Add a security feature for STF barrier
authorNicholas Piggin <npiggin@gmail.com>
Mon, 3 May 2021 13:02:41 +0000 (23:02 +1000)
committerMichael Ellerman <mpe@ellerman.id.au>
Mon, 21 Jun 2021 11:13:19 +0000 (21:13 +1000)
Rather than tying this mitigation to the RFI L1D flush requirement, add a
new bit for it.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210503130243.891868-3-npiggin@gmail.com
arch/powerpc/include/asm/security_features.h
arch/powerpc/kernel/security.c

index b774a44..792eefa 100644 (file)
@@ -92,6 +92,9 @@ static inline bool security_ftr_enabled(u64 feature)
 // The L1-D cache should be flushed after user accesses from the kernel
 #define SEC_FTR_L1D_FLUSH_UACCESS      0x0000000000008000ull
 
+// The STF flush should be executed on privilege state switch
+#define SEC_FTR_STF_BARRIER            0x0000000000010000ull
+
 // Features enabled by default
 #define SEC_FTR_DEFAULT \
        (SEC_FTR_L1D_FLUSH_HV | \
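Review bot: The comment added above `SEC_FTR_STF_BARRIER` says "STF flush", while the macro name and the code in security.c call it a barrier, and the abbreviation is never expanded. I would write `// The store-forwarding (STF) barrier should be executed on privilege state switch`, so a reader can tie the bit to the speculative store bypass mitigation without searching for the abbreviation. It would also help to note in the same comment that this bit is now the only feature input, besides `SEC_FTR_FAVOUR_SECURITY`, that setup_stf_barrier() consults.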
@@ -99,6 +102,7 @@ static inline bool security_ftr_enabled(u64 feature)
         SEC_FTR_BNDS_CHK_SPEC_BAR | \
         SEC_FTR_L1D_FLUSH_ENTRY | \
         SEC_FTR_L1D_FLUSH_UACCESS | \
+        SEC_FTR_STF_BARRIER | \
         SEC_FTR_FAVOUR_SECURITY)
 
 #endif /* _ASM_POWERPC_SECURITY_FEATURES_H */
index 9c2f7b9..cc51fa5 100644 (file)
@@ -300,9 +300,7 @@ static void stf_barrier_enable(bool enable)
 void setup_stf_barrier(void)
 {
        enum stf_barrier_type type;
-       bool enable, hv;
-
-       hv = cpu_has_feature(CPU_FTR_HVMODE);
+       bool enable;
 
        /* Default to fallback in case fw-features are not available */
        if (cpu_has_feature(CPU_FTR_ARCH_300))
@@ -315,8 +313,7 @@ void setup_stf_barrier(void)
                type = STF_BARRIER_NONE;
 
        enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
-               (security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) ||
-                (security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && hv));
+                security_ftr_enabled(SEC_FTR_STF_BARRIER);
 
        if (type == STF_BARRIER_FALLBACK) {
                pr_info("stf-barrier: fallback barrier available\n");
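Review bot: With the new condition the barrier no longer depends on any firmware-reported property. `SEC_FTR_STF_BARRIER` is part of `SEC_FTR_DEFAULT` and nothing in this commit sets or clears it, so `enable` reduces to `security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY)` unless platform code outside this page touches the bit. That is the fail-safe direction, but it changes behaviour where the old test was false, for example `SEC_FTR_L1D_FLUSH_HV` set without HV mode and `SEC_FTR_L1D_FLUSH_PR` clear; those configurations now pay the barrier cost. The commit message should state this, and a comment above the assignment such as `/* SEC_FTR_STF_BARRIER defaults to on; platform setup is expected to clear it when firmware reports the barrier unnecessary */` would make the dependency explicit, assuming platform code does so, which is not visible here. The body of setup_stf_barrier() continues past the end of the hunk.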