diff options
| author | Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com> | 2018-03-30 13:28:25 -0400 |
|---|---|---|
| committer | Michael Ellerman <mpe@ellerman.id.au> | 2018-04-03 07:50:09 -0400 |
| commit | 6232774f1599028a15418179d17f7df47ede770a (patch) | |
| tree | c6b45aeb43b9830ac9717df5d84deeb55c29ca01 | |
| parent | e7347a86830f38dc3e40c8f7e28c04412b12a2e7 (diff) | |
powerpc/pseries: Restore default security feature flags on setup
After migration the security feature flags might have changed (e.g.,
destination system with unpatched firmware), but some flags are not
set/clear again in init_cpu_char_feature_flags() because it assumes
the security flags to be the defaults.
Additionally, if the H_GET_CPU_CHARACTERISTICS hypercall fails then
init_cpu_char_feature_flags() does not run again, which potentially
might leave the system in an insecure or sub-optimal configuration.
So, just restore the security feature flags to the defaults assumed
by init_cpu_char_feature_flags() so it can set/clear them correctly,
and to ensure safe settings are in place in case the hypercall fail.
Fixes: f636c14790ea ("powerpc/pseries: Set or clear security feature flags")
Depends-on: 19887d6a28e2 ("powerpc: Move default security feature flags")
Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
| -rw-r--r-- | arch/powerpc/platforms/pseries/setup.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c index 98bca8d9c9e0..b55ad4286dc7 100644 --- a/arch/powerpc/platforms/pseries/setup.c +++ b/arch/powerpc/platforms/pseries/setup.c | |||
| @@ -462,6 +462,10 @@ static void __init find_and_init_phbs(void) | |||
| 462 | 462 | ||
| 463 | static void init_cpu_char_feature_flags(struct h_cpu_char_result *result) | 463 | static void init_cpu_char_feature_flags(struct h_cpu_char_result *result) |
| 464 | { | 464 | { |
| 465 | /* | ||
| 466 | * The features below are disabled by default, so we instead look to see | ||
| 467 | * if firmware has *enabled* them, and set them if so. | ||
| 468 | */ | ||
| 465 | if (result->character & H_CPU_CHAR_SPEC_BAR_ORI31) | 469 | if (result->character & H_CPU_CHAR_SPEC_BAR_ORI31) |
| 466 | security_ftr_set(SEC_FTR_SPEC_BAR_ORI31); | 470 | security_ftr_set(SEC_FTR_SPEC_BAR_ORI31); |
| 467 | 471 | ||
| @@ -501,6 +505,13 @@ void pseries_setup_rfi_flush(void) | |||
| 501 | bool enable; | 505 | bool enable; |
| 502 | long rc; | 506 | long rc; |
| 503 | 507 | ||
| 508 | /* | ||
| 509 | * Set features to the defaults assumed by init_cpu_char_feature_flags() | ||
| 510 | * so it can set/clear again any features that might have changed after | ||
| 511 | * migration, and in case the hypercall fails and it is not even called. | ||
| 512 | */ | ||
| 513 | powerpc_security_features = SEC_FTR_DEFAULT; | ||
| 514 | |||
| 504 | rc = plpar_get_cpu_characteristics(&result); | 515 | rc = plpar_get_cpu_characteristics(&result); |
| 505 | if (rc == H_SUCCESS) | 516 | if (rc == H_SUCCESS) |
| 506 | init_cpu_char_feature_flags(&result); | 517 | init_cpu_char_feature_flags(&result); |