1 files changed, 127 insertions, 0 deletions

diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0029-x86-kaiser-Check-boottime-cmdline-params.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0029-x86-kaiser-Check-boottime-cmdline-params.patch
new file mode 100644
index 00000000..cedcf69a
--- /dev/null
+++ b/common/recipes-kernel/linux/linux-yocto-4.9.21/0029-x86-kaiser-Check-boottime-cmdline-params.patch
@@ -0,0 +1,127 @@
+From 8db17e2fa98e810bbc4f63d4e502caceaf942373 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 2 Jan 2018 14:19:48 +0100
+Subject: [PATCH 029/102] x86/kaiser: Check boottime cmdline params
+
+AMD (and possibly other vendors) are not affected by the leak
+KAISER is protecting against.
+
+Keep the "nopti" for traditional reasons and add pti=<on|off|auto>
+like upstream.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/kernel-parameters.txt |  6 ++++
+ arch/x86/mm/kaiser.c                | 59 ++++++++++++++++++++++++++-----------
+ 2 files changed, 47 insertions(+), 18 deletions(-)
+
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index f5a95f77..9f04c53 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -3317,6 +3317,12 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ 	pt.		[PARIDE]
+ 			See Documentation/blockdev/paride.txt.
+ 
++	pti=		[X86_64]
++			Control KAISER user/kernel address space isolation:
++			on - enable
++			off - disable
++			auto - default setting
++
+ 	pty.legacy_count=
+ 			[KNL] Number of legacy pty's. Overwrites compiled-in
+ 			default number.
+diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c
+index 87cae72..1840aa0 100644
+--- a/arch/x86/mm/kaiser.c
++++ b/arch/x86/mm/kaiser.c
+@@ -15,6 +15,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/pgalloc.h>
+ #include <asm/desc.h>
++#include <asm/cmdline.h>
+ 
+ int kaiser_enabled __read_mostly = 1;
+ EXPORT_SYMBOL(kaiser_enabled);	/* for inlined TLB flush functions */
+@@ -263,6 +264,43 @@ static void __init kaiser_init_all_pgds(void)
+ 	WARN_ON(__ret);							\
+ } while (0)
+ 
++void __init kaiser_check_boottime_disable(void)
++{
++	bool enable = true;
++	char arg[5];
++	int ret;
++
++	ret = cmdline_find_option(boot_command_line, "pti", arg, sizeof(arg));
++	if (ret > 0) {
++		if (!strncmp(arg, "on", 2))
++			goto enable;
++
++		if (!strncmp(arg, "off", 3))
++			goto disable;
++
++		if (!strncmp(arg, "auto", 4))
++			goto skip;
++	}
++
++	if (cmdline_find_option_bool(boot_command_line, "nopti"))
++		goto disable;
++
++skip:
++	if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
++		goto disable;
++
++enable:
++	if (enable)
++		setup_force_cpu_cap(X86_FEATURE_KAISER);
++
++	return;
++
++disable:
++	pr_info("Kernel/User page tables isolation: disabled\n");
++	kaiser_enabled = 0;
++	setup_clear_cpu_cap(X86_FEATURE_KAISER);
++}
++
+ /*
+  * If anything in here fails, we will likely die on one of the
+  * first kernel->user transitions and init will die.  But, we
+@@ -274,12 +312,10 @@ void __init kaiser_init(void)
+ {
+ 	int cpu;
+ 
+-	if (!kaiser_enabled) {
+-		setup_clear_cpu_cap(X86_FEATURE_KAISER);
+-		return;
+-	}
++	kaiser_check_boottime_disable();
+ 
+-	setup_force_cpu_cap(X86_FEATURE_KAISER);
++	if (!kaiser_enabled)
++		return;
+ 
+ 	kaiser_init_all_pgds();
+ 
+@@ -423,16 +459,3 @@ void kaiser_flush_tlb_on_return_to_user(void)
+ 			X86_CR3_PCID_USER_FLUSH | KAISER_SHADOW_PGD_OFFSET);
+ }
+ EXPORT_SYMBOL(kaiser_flush_tlb_on_return_to_user);
+-
+-static int __init x86_nokaiser_setup(char *s)
+-{
+-	/* nopti doesn't accept parameters */
+-	if (s)
+-		return -EINVAL;
+-
+-	kaiser_enabled = 0;
+-	pr_info("Kernel/User page tables isolation: disabled\n");
+-
+-	return 0;
+-}
+-early_param("nopti", x86_nokaiser_setup);
+-- 
+2.7.4
+