aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Ellerman <mpe@ellerman.id.au>2018-02-23 23:45:11 +1100
committerStewart Smith <stewart@linux.vnet.ibm.com>2018-02-28 20:28:28 -0600
commitf30286c494312caa81333a077da58f501894c2bb (patch)
tree45a8dc09533e18549fac718c01181e0732fe9689
parent8cbd3880c3211e29eeb1f93d591439e6fbabc873 (diff)
downloadskiboot-f30286c494312caa81333a077da58f501894c2bb.zip
skiboot-f30286c494312caa81333a077da58f501894c2bb.tar.gz
skiboot-f30286c494312caa81333a077da58f501894c2bb.tar.bz2
mambo: Add fw-feature flags for security related settings
Newer firmwares report some feature flags related to security settings via HDAT. On real hardware skiboot translates these into device tree properties. For testing purposes just create the properties manually in the tcl. These values don't exactly match any actual chip revision, but the code should not rely on any exact set of values anyway. We just define the most interesting flags, that if toggled to "disable" will change Linux behaviour. You can see the actual values in the hostboot source in src/usr/hdat/hdatiplparms.H. Also add an environment variable for easily toggling the top-level "security on" setting. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
-rw-r--r--external/mambo/skiboot.tcl23
1 files changed, 22 insertions, 1 deletions
diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
index 38298bf..6c40289 100644
--- a/external/mambo/skiboot.tcl
+++ b/external/mambo/skiboot.tcl
@@ -61,6 +61,9 @@ mconfig net MAMBO_NET none
# Net: What is the base interface for the tun/tap device
mconfig tap_base MAMBO_NET_TAP_BASE 0
+# Enable (default) or disable the "speculation-policy-favor-security" setting,
+# set to 0 to disable. When enabled it causes Linux's RFI flush to be enabled.
+mconfig speculation_policy_favor_security MAMBO_SPECULATION_POLICY_FAVOR_SECURITY 1
#
# Create machine config
@@ -251,13 +254,31 @@ set reg [list $fake_nvram_start $fake_nvram_size ]
mysim of addprop $fake_nvram_node array64 "reg" reg
mysim of addprop $fake_nvram_node empty "name" "ibm,fake-nvram"
+set opal_node [mysim of addchild $root_node "ibm,opal" ""]
+
# Allow P9 to use all idle states
if { $default_config == "P9" } {
- set opal_node [mysim of addchild $root_node "ibm,opal" ""]
set power_mgt_node [mysim of addchild $opal_node "power-mgt" ""]
mysim of addprop $power_mgt_node int "ibm,enabled-stop-levels" 0xffffffff
}
+proc add_feature_node { parent name { value 1 } } {
+ if { $value != 1 } {
+ set value "disabled"
+ } else {
+ set value "enabled"
+ }
+ set np [mysim of addchild $parent $name ""]
+ mysim of addprop $np empty $value ""
+}
+
+set np [mysim of addchild $opal_node "fw-features" ""]
+add_feature_node $np "speculation-policy-favor-security" $mconf(speculation_policy_favor_security)
+add_feature_node $np "needs-l1d-flush-msr-hv-1-to-0"
+add_feature_node $np "needs-l1d-flush-msr-pr-0-to-1"
+add_feature_node $np "needs-spec-barrier-for-bound-checks"
+
+
# Init CPUs
set pir 0
for { set c 0 } { $c < $mconf(cpus) } { incr c } {