Re: [PATCH] powerpc/pseries: export LPAR security flavor in lparcfg
From: Laurent Dufour
Date: Fri Mar 05 2021 - 06:47:30 EST
Le 05/03/2021 à 12:43, Michael Ellerman a écrit :
Laurent Dufour <ldufour@xxxxxxxxxxxxx> writes:
Le 05/03/2021 à 07:23, Michael Ellerman a écrit :
Laurent Dufour <ldufour@xxxxxxxxxxxxx> writes:
This is helpful to read the security flavor from inside the LPAR.
We already have /sys/kernel/debug/powerpc/security_features.
Is that not sufficient?
Not really, it only reports that security mitigation are on or off but not the
level set through the ASMI menu. Furthermore, reporting it through
/proc/powerpc/lparcfg allows an easy processing by the lparstat command (see below).
Export it like this in /proc/powerpc/lparcfg:
$ grep security_flavor /proc/powerpc/lparcfg
security_flavor=1
Value means:
0 Speculative execution fully enabled
1 Speculative execution controls to mitigate user-to-kernel attacks
2 Speculative execution controls to mitigate user-to-kernel and
user-to-user side-channel attacks
Those strings come from the FSP help, but we have no guarantee it won't
mean something different in future.
I think this is nailed down, those strings came from:
https://www.ibm.com/support/pages/node/715841
Where it is written (regarding AIX):
On an LPAR, one can use lparstat -x to display the current mitigation mode:
0 = Speculative execution fully enabled
1 = Speculative execution controls to mitigate user-to-kernel side-channel attacks
2 = Speculative execution controls to mitigate user-to-kernel and user-to-user
side-channel attacks
We have been requested to provide almost the same, which I proposed in
powerpc-utils:
https://groups.google.com/g/powerpc-utils-devel/c/NaKXvdyl_UI/m/wa2stpIDAQAJ
OK. Do you mind sending a v2 with all those details incorporated into
the change log?
Ok will do so.
Thanks