[PATCH 4/3] arm64: proton-pack: Disable Spectre-BSE mitigation by default
James Morse
james.morse at arm.com
Wed Jan 29 07:15:19 PST 2025
The Spectre-BSE vulnerability is hard to exploit, requiring abuse of
the branch history (which is small on these cores), confusing the branch
predictor, and finding a useful gadget to expose data.
Depending on the frequency of syscalls, the cost of mitigating this
is high - and platforms cannot choose between Spectre-v2 mitigation and
Spectre-BSE mitigation as they use the same firmware call.
Disable the Spectre-BSE mitigation by default, and add a command line
option to enable it in environments where this vulnerability is
considered a problem.
Signed-off-by: James Morse <james.morse at arm.com>
---
Documentation/admin-guide/kernel-parameters.txt | 5 +++++
arch/arm64/kernel/proton-pack.c | 11 ++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index dc663c0ca670..7c8fd21bfbe4 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -6250,6 +6250,11 @@
may still be vulnerable to syscall attacks.
off - Disable the mitigation.
+ spectre_bse [ARM64,EARLY] Enable mitigations for Spectre-BSE (branch
+ status eviction) on vulnerable CPUs. Mitigations are disabled
+ by default due to the difficulty of exploitation and the cost
+ of mitigation.
+
spectre_v2= [X86,EARLY] Control mitigation of Spectre variant 2
(indirect branch speculation) vulnerability.
The default operation protects the kernel from
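Review bot: the new spectre_bse entry does not say that it is a bare flag taking no value, nor that it only has an effect when the firmware mitigation is available. The proton-pack.c hunk gates it on bse_state == SPECTRE_MITIGATED. Suggest stating both in the text, along with how it interacts with nospectre_bhb, so an administrator who sets it on a platform without the firmware call does not assume they are protected.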
diff --git a/arch/arm64/kernel/proton-pack.c b/arch/arm64/kernel/proton-pack.c
index cbe731ff1831..23f7238e6b70 100644
--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -1088,6 +1088,15 @@ static int __init parse_spectre_bhb_param(char *str)
}
early_param("nospectre_bhb", parse_spectre_bhb_param);
+/* Spectre-BSE mitigations are disabled by default */
+static bool __read_mostly __spectre_bse;
+static int __init parse_spectre_bse_param(char *str)
+{
+ __spectre_bse = true;
+ return 0;
+}
+early_param("spectre_bse", parse_spectre_bse_param);
+
static void spectre_bhb_enable_fw_mitigation(enum bhb_mitigation_bits fw_wa)
{
bp_hardening_cb_t cpu_cb;
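Review bot: parse_spectre_bse_param() ignores str, so spectre_bse=0 or spectre_bse=off on the command line would still set __spectre_bse to true. Either parse the value (kstrtobool() is the usual choice) or reject a non-empty argument, and document whichever is chosen. Separately, __spectre_bse is only written from this __init handler, so __ro_after_init looks like a better fit than __read_mostly for a flag that controls a security mitigation.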
@@ -1185,7 +1194,7 @@ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
/* Spectre BSE needs to upgrade the BHB mitigation to use firmware */
if (bse_upgrade_loop_mitigation) {
bse_state = spectre_bse_get_cpu_fw_mitigation_state(BHB_FW_WA1);
- if (bse_state == SPECTRE_MITIGATED) {
+ if (bse_state == SPECTRE_MITIGATED && __spectre_bse) {
/*
* For affected cores the firmware implementions of WA1
* and WA3 are both sufficient for BSE, but what about
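Review bot: folding __spectre_bse into the bse_state == SPECTRE_MITIGATED test makes "the administrator did not opt in" take the same path as "firmware does not provide the mitigation". It also still calls spectre_bse_get_cpu_fw_mitigation_state(BHB_FW_WA1) when the feature is disabled. Consider checking __spectre_bse alongside bse_upgrade_loop_mitigation in the outer condition, and make sure whatever state is reported afterwards distinguishes "disabled by default" from "firmware missing", since nothing in the visible lines records which case was hit.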
--
2.39.2