[PATCH v10 14/14] riscv: Add ghostwrite vulnerability

Charlie Jenkins charlie at rivosinc.com
Mon Sep 16 11:44:04 PDT 2024


On Mon, Sep 16, 2024 at 06:12:04PM +0100, Conor Dooley wrote:
> On Wed, Sep 11, 2024 at 10:55:22PM -0700, Charlie Jenkins wrote:
> > Follow the patterns of the other architectures that use
> > GENERIC_CPU_VULNERABILITIES for riscv to introduce the ghostwrite
> > vulnerability and mitigation. The mitigation is to disable all vector
> > which is accomplished by clearing the bit from the cpufeature field.
> > 
> > Ghostwrite only affects thead c9xx CPUs that impelment xtheadvector, so
> > the vulerability will only be mitigated on these CPUs.
> > 
> > Signed-off-by: Charlie Jenkins <charlie at rivosinc.com>
> > ---
> >  arch/riscv/Kconfig.errata            | 11 ++++++++
> >  arch/riscv/errata/thead/errata.c     | 28 ++++++++++++++++++
> >  arch/riscv/include/asm/bugs.h        | 22 +++++++++++++++
> >  arch/riscv/include/asm/errata_list.h |  3 +-
> >  arch/riscv/kernel/Makefile           |  2 ++
> >  arch/riscv/kernel/bugs.c             | 55 ++++++++++++++++++++++++++++++++++++
> >  arch/riscv/kernel/cpufeature.c       |  9 +++++-
> >  drivers/base/cpu.c                   |  3 ++
> >  include/linux/cpu.h                  |  1 +
> >  9 files changed, 132 insertions(+), 2 deletions(-)
> > 
> > diff --git a/arch/riscv/Kconfig.errata b/arch/riscv/Kconfig.errata
> > index 2acc7d876e1f..e318119d570d 100644
> > --- a/arch/riscv/Kconfig.errata
> > +++ b/arch/riscv/Kconfig.errata
> > @@ -119,4 +119,15 @@ config ERRATA_THEAD_PMU
> >  
> >  	  If you don't know what to do here, say "Y".
> >  
> > +config ERRATA_THEAD_GHOSTWRITE
> > +	bool "Apply T-Head Ghostwrite errata"
> > +	depends on ERRATA_THEAD && RISCV_ISA_XTHEADVECTOR
> > +	default y
> > +	help
> > +	  The T-Head C9xx cores have a vulnerability in the xtheadvector
> > +	  instruction set. When this errata is enabled, the CPUs will be probed
> > +	  to determine if they are vulnerable and disable xtheadvector.
> > +
> > +	  If you don't know what to do here, say "Y".
> > +
> >  endmenu # "CPU errata selection"
> > diff --git a/arch/riscv/errata/thead/errata.c b/arch/riscv/errata/thead/errata.c
> > index f5120e07c318..5cc008ab41a8 100644
> > --- a/arch/riscv/errata/thead/errata.c
> > +++ b/arch/riscv/errata/thead/errata.c
> > @@ -10,6 +10,7 @@
> >  #include <linux/string.h>
> >  #include <linux/uaccess.h>
> >  #include <asm/alternative.h>
> > +#include <asm/bugs.h>
> >  #include <asm/cacheflush.h>
> >  #include <asm/cpufeature.h>
> >  #include <asm/dma-noncoherent.h>
> > @@ -142,6 +143,31 @@ static bool errata_probe_pmu(unsigned int stage,
> >  	return true;
> >  }
> >  
> > +static bool errata_probe_ghostwrite(unsigned int stage,
> > +				    unsigned long arch_id, unsigned long impid)
> > +{
> > +	if (!IS_ENABLED(CONFIG_ERRATA_THEAD_GHOSTWRITE))
> > +		return false;
> > +
> > +	/*
> > +	 * target-c9xx cores report arch_id and impid as 0
> > +	 *
> > +	 * While ghostwrite may not affect all c9xx cores that implement
> > +	 * xtheadvector, there is no futher granularity than c9xx. Assume
> > +	 * vulnerable for this entire class of processors when xtheadvector is
> > +	 * enabled.
> > +	 */
> 
> Is it not possible to use the cpu compatible string for this? Given that
> we only know if xtheadvector is enabled once we are already parsing the
> cpu node devicetree, it seems, to me, as if it should be possible to be
> more granular. AFAIU, some T-Head c900 series devices are not venerable.

Sure we can do that. I figured that since T-Head didn't feel it was
valuable to change the archid/implid between cores that Linux shouldn't
go out of its way to fix the granularity issue. Since you think it is
worthwhile though, I can try to work around this hardware issue.

- Charlie

> 
> Cheers,
> Conor.
> 
> > +	if (arch_id != 0 || impid != 0)
> > +		return false;
> > +
> > +	if (stage != RISCV_ALTERNATIVES_EARLY_BOOT)
> > +		return false;
> > +
> > +	ghostwrite_set_vulnerable();
> > +
> > +	return true;
> > +}
> > +
> >  static u32 thead_errata_probe(unsigned int stage,
> >  			      unsigned long archid, unsigned long impid)
> >  {
> > @@ -155,6 +181,8 @@ static u32 thead_errata_probe(unsigned int stage,
> >  	if (errata_probe_pmu(stage, archid, impid))
> >  		cpu_req_errata |= BIT(ERRATA_THEAD_PMU);
> >  
> > +	errata_probe_ghostwrite(stage, archid, impid);
> > +
> >  	return cpu_req_errata;
> >  }
> >  
> > diff --git a/arch/riscv/include/asm/bugs.h b/arch/riscv/include/asm/bugs.h
> > new file mode 100644
> > index 000000000000..e294b15bf78e
> > --- /dev/null
> > +++ b/arch/riscv/include/asm/bugs.h
> > @@ -0,0 +1,22 @@
> > +/* SPDX-License-Identifier: GPL-2.0-only */
> > +/*
> > + * Interface for managing mitigations for riscv vulnerabilities.
> > + *
> > + * Copyright (C) 2024 Rivos Inc.
> > + */
> > +
> > +#ifndef __ASM_BUGS_H
> > +#define __ASM_BUGS_H
> > +
> > +/* Watch out, ordering is important here. */
> > +enum mitigation_state {
> > +	UNAFFECTED,
> > +	MITIGATED,
> > +	VULNERABLE,
> > +};
> > +
> > +void ghostwrite_set_vulnerable(void);
> > +void ghostwrite_enable_mitigation(void);
> > +enum mitigation_state ghostwrite_get_state(void);
> > +
> > +#endif /* __ASM_BUGS_H */
> > diff --git a/arch/riscv/include/asm/errata_list.h b/arch/riscv/include/asm/errata_list.h
> > index 7c8a71a526a3..6e426ed7919a 100644
> > --- a/arch/riscv/include/asm/errata_list.h
> > +++ b/arch/riscv/include/asm/errata_list.h
> > @@ -25,7 +25,8 @@
> >  #ifdef CONFIG_ERRATA_THEAD
> >  #define	ERRATA_THEAD_MAE 0
> >  #define	ERRATA_THEAD_PMU 1
> > -#define	ERRATA_THEAD_NUMBER 2
> > +#define	ERRATA_THEAD_GHOSTWRITE 2
> > +#define	ERRATA_THEAD_NUMBER 3
> >  #endif
> >  
> >  #ifdef __ASSEMBLY__
> > diff --git a/arch/riscv/kernel/Makefile b/arch/riscv/kernel/Makefile
> > index 06d407f1b30b..d7a54e34178e 100644
> > --- a/arch/riscv/kernel/Makefile
> > +++ b/arch/riscv/kernel/Makefile
> > @@ -113,3 +113,5 @@ obj-$(CONFIG_COMPAT)		+= compat_vdso/
> >  obj-$(CONFIG_64BIT)		+= pi/
> >  obj-$(CONFIG_ACPI)		+= acpi.o
> >  obj-$(CONFIG_ACPI_NUMA)	+= acpi_numa.o
> > +
> > +obj-$(CONFIG_GENERIC_CPU_VULNERABILITIES) += bugs.o
> > diff --git a/arch/riscv/kernel/bugs.c b/arch/riscv/kernel/bugs.c
> > new file mode 100644
> > index 000000000000..0c19691b4cd5
> > --- /dev/null
> > +++ b/arch/riscv/kernel/bugs.c
> > @@ -0,0 +1,55 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/*
> > + * Copyright (C) 2024 Rivos Inc.
> > + */
> > +
> > +#include <linux/cpu.h>
> > +#include <linux/device.h>
> > +#include <linux/sprintf.h>
> > +
> > +#include <asm/bugs.h>
> > +#include <asm/vendor_extensions/thead.h>
> > +
> > +static enum mitigation_state ghostwrite_state;
> > +
> > +void ghostwrite_set_vulnerable(void)
> > +{
> > +	ghostwrite_state = VULNERABLE;
> > +}
> > +
> > +/*
> > + * Vendor extension alternatives will use the value set at the time of boot
> > + * alternative patching, thus this must be called before boot alternatives are
> > + * patched (and after extension probing) to be effective.
> > + */
> > +void ghostwrite_enable_mitigation(void)
> > +{
> > +	if (IS_ENABLED(CONFIG_RISCV_ISA_XTHEADVECTOR) &&
> > +	    ghostwrite_state == VULNERABLE && !cpu_mitigations_off()) {
> > +		disable_xtheadvector();
> > +		ghostwrite_state = MITIGATED;
> > +	}
> > +}
> > +
> > +enum mitigation_state ghostwrite_get_state(void)
> > +{
> > +	return ghostwrite_state;
> > +}
> > +
> > +ssize_t cpu_show_ghostwrite(struct device *dev, struct device_attribute *attr, char *buf)
> > +{
> > +	if (IS_ENABLED(CONFIG_RISCV_ISA_XTHEADVECTOR)) {
> > +		switch (ghostwrite_state) {
> > +		case UNAFFECTED:
> > +			return sprintf(buf, "Not affected\n");
> > +		case MITIGATED:
> > +			return sprintf(buf, "Mitigation: xtheadvector disabled\n");
> > +		case VULNERABLE:
> > +			fallthrough;
> > +		default:
> > +			return sprintf(buf, "Vulnerable\n");
> > +		}
> > +	} else {
> > +		return sprintf(buf, "Not affected\n");
> > +	}
> > +}
> > diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
> > index 56b5054b8f86..1f4329bb8a9d 100644
> > --- a/arch/riscv/kernel/cpufeature.c
> > +++ b/arch/riscv/kernel/cpufeature.c
> > @@ -17,6 +17,7 @@
> >  #include <linux/of.h>
> >  #include <asm/acpi.h>
> >  #include <asm/alternative.h>
> > +#include <asm/bugs.h>
> >  #include <asm/cacheflush.h>
> >  #include <asm/cpufeature.h>
> >  #include <asm/hwcap.h>
> > @@ -867,7 +868,13 @@ static int __init riscv_fill_hwcap_from_ext_list(unsigned long *isa2hwcap)
> >  		riscv_fill_vendor_ext_list(cpu);
> >  	}
> >  
> > -	if (has_xtheadvector_no_alternatives() && has_thead_homogeneous_vlenb() < 0) {
> > +	/*
> > +	 * Execute ghostwrite mitigation immediately after detecting extensions
> > +	 * to disable xtheadvector if necessary.
> > +	 */
> > +	if (ghostwrite_get_state() == VULNERABLE) {
> > +		ghostwrite_enable_mitigation();
> > +	} else if (has_xtheadvector_no_alternatives() && has_thead_homogeneous_vlenb() < 0) {
> >  		pr_warn("Unsupported heterogeneous vlenb detected, vector extension disabled.\n");
> >  		disable_xtheadvector();
> >  	}
> > diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
> > index fdaa24bb641a..a7e511849875 100644
> > --- a/drivers/base/cpu.c
> > +++ b/drivers/base/cpu.c
> > @@ -599,6 +599,7 @@ CPU_SHOW_VULN_FALLBACK(retbleed);
> >  CPU_SHOW_VULN_FALLBACK(spec_rstack_overflow);
> >  CPU_SHOW_VULN_FALLBACK(gds);
> >  CPU_SHOW_VULN_FALLBACK(reg_file_data_sampling);
> > +CPU_SHOW_VULN_FALLBACK(ghostwrite);
> >  
> >  static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
> >  static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
> > @@ -614,6 +615,7 @@ static DEVICE_ATTR(retbleed, 0444, cpu_show_retbleed, NULL);
> >  static DEVICE_ATTR(spec_rstack_overflow, 0444, cpu_show_spec_rstack_overflow, NULL);
> >  static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL);
> >  static DEVICE_ATTR(reg_file_data_sampling, 0444, cpu_show_reg_file_data_sampling, NULL);
> > +static DEVICE_ATTR(ghostwrite, 0444, cpu_show_ghostwrite, NULL);
> >  
> >  static struct attribute *cpu_root_vulnerabilities_attrs[] = {
> >  	&dev_attr_meltdown.attr,
> > @@ -630,6 +632,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
> >  	&dev_attr_spec_rstack_overflow.attr,
> >  	&dev_attr_gather_data_sampling.attr,
> >  	&dev_attr_reg_file_data_sampling.attr,
> > +	&dev_attr_ghostwrite.attr,
> >  	NULL
> >  };
> >  
> > diff --git a/include/linux/cpu.h b/include/linux/cpu.h
> > index bdcec1732445..6a0a8f1c7c90 100644
> > --- a/include/linux/cpu.h
> > +++ b/include/linux/cpu.h
> > @@ -77,6 +77,7 @@ extern ssize_t cpu_show_gds(struct device *dev,
> >  			    struct device_attribute *attr, char *buf);
> >  extern ssize_t cpu_show_reg_file_data_sampling(struct device *dev,
> >  					       struct device_attribute *attr, char *buf);
> > +extern ssize_t cpu_show_ghostwrite(struct device *dev, struct device_attribute *attr, char *buf);
> >  
> >  extern __printf(4, 5)
> >  struct device *cpu_device_create(struct device *parent, void *drvdata,
> > 
> > -- 
> > 2.45.0
> > 





More information about the linux-riscv mailing list