Commit 6232774f authored by Mauricio Faria de Oliveira's avatar Mauricio Faria de Oliveira Committed by Michael Ellerman

powerpc/pseries: Restore default security feature flags on setup

After migration the security feature flags might have changed (e.g.,
destination system with unpatched firmware), but some flags are not
set/clear again in init_cpu_char_feature_flags() because it assumes
the security flags to be the defaults.

Additionally, if the H_GET_CPU_CHARACTERISTICS hypercall fails then
init_cpu_char_feature_flags() does not run again, which potentially
might leave the system in an insecure or sub-optimal configuration.

So, just restore the security feature flags to the defaults assumed
by init_cpu_char_feature_flags() so it can set/clear them correctly,
and to ensure safe settings are in place in case the hypercall fail.

Fixes: f636c147 ("powerpc/pseries: Set or clear security feature flags")
Depends-on: 19887d6a28e2 ("powerpc: Move default security feature flags")
Signed-off-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
parent e7347a86
...@@ -462,6 +462,10 @@ static void __init find_and_init_phbs(void) ...@@ -462,6 +462,10 @@ static void __init find_and_init_phbs(void)
static void init_cpu_char_feature_flags(struct h_cpu_char_result *result) static void init_cpu_char_feature_flags(struct h_cpu_char_result *result)
{ {
/*
* The features below are disabled by default, so we instead look to see
* if firmware has *enabled* them, and set them if so.
*/
if (result->character & H_CPU_CHAR_SPEC_BAR_ORI31) if (result->character & H_CPU_CHAR_SPEC_BAR_ORI31)
security_ftr_set(SEC_FTR_SPEC_BAR_ORI31); security_ftr_set(SEC_FTR_SPEC_BAR_ORI31);
...@@ -501,6 +505,13 @@ void pseries_setup_rfi_flush(void) ...@@ -501,6 +505,13 @@ void pseries_setup_rfi_flush(void)
bool enable; bool enable;
long rc; long rc;
/*
* Set features to the defaults assumed by init_cpu_char_feature_flags()
* so it can set/clear again any features that might have changed after
* migration, and in case the hypercall fails and it is not even called.
*/
powerpc_security_features = SEC_FTR_DEFAULT;
rc = plpar_get_cpu_characteristics(&result); rc = plpar_get_cpu_characteristics(&result);
if (rc == H_SUCCESS) if (rc == H_SUCCESS)
init_cpu_char_feature_flags(&result); init_cpu_char_feature_flags(&result);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment