1 files changed, 166 insertions, 0 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0056-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0056-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch
new file mode 100644
index 00000000..21edf610
--- /dev/null
+++ b/common/recipes-kernel/linux/linux-yocto-4.9.21/0056-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch
@@ -0,0 +1,166 @@
+From c9379df089e45eab50820798e3e98aee3b1e5adf Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 3 May 2018 14:37:54 -0700
+Subject: [PATCH 56/93] x86/speculation: Make "seccomp" the default mode for
+ Speculative Store Bypass
+
+commit f21b53b20c754021935ea43364dbf53778eeba32 upstream
+
+Unless explicitly opted out of, anything running under seccomp will have
+SSB mitigations enabled. Choosing the "prctl" mode will disable this.
+
+[ tglx: Adjusted it to the new arch_seccomp_spec_mitigate() mechanism ]
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/kernel-parameters.txt  | 26 +++++++++++++++++---------
+ arch/x86/include/asm/nospec-branch.h |  1 +
+ arch/x86/kernel/cpu/bugs.c           | 32 +++++++++++++++++++++++---------
+ 3 files changed, 41 insertions(+), 18 deletions(-)
+
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index 80811df..2c5df33 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -3986,19 +3986,27 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ 			This parameter controls whether the Speculative Store
+ 			Bypass optimization is used.
+ 
+-			on     - Unconditionally disable Speculative Store Bypass
+-			off    - Unconditionally enable Speculative Store Bypass
+-			auto   - Kernel detects whether the CPU model contains an
+-				 implementation of Speculative Store Bypass and
+-				 picks the most appropriate mitigation.
+-			prctl  - Control Speculative Store Bypass per thread
+-				 via prctl. Speculative Store Bypass is enabled
+-				 for a process by default. The state of the control
+-				 is inherited on fork.
++			on      - Unconditionally disable Speculative Store Bypass
++			off     - Unconditionally enable Speculative Store Bypass
++			auto    - Kernel detects whether the CPU model contains an
++				  implementation of Speculative Store Bypass and
++				  picks the most appropriate mitigation. If the
++				  CPU is not vulnerable, "off" is selected. If the
++				  CPU is vulnerable the default mitigation is
++				  architecture and Kconfig dependent. See below.
++			prctl   - Control Speculative Store Bypass per thread
++				  via prctl. Speculative Store Bypass is enabled
++				  for a process by default. The state of the control
++				  is inherited on fork.
++			seccomp - Same as "prctl" above, but all seccomp threads
++				  will disable SSB unless they explicitly opt out.
+ 
+ 			Not specifying this option is equivalent to
+ 			spec_store_bypass_disable=auto.
+ 
++			Default mitigations:
++			X86:	If CONFIG_SECCOMP=y "seccomp", otherwise "prctl"
++
+ 	spia_io_base=	[HW,MTD]
+ 	spia_fio_base=
+ 	spia_pedr=
+diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
+index 71ad014..328ea3c 100644
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -233,6 +233,7 @@ enum ssb_mitigation {
+ 	SPEC_STORE_BYPASS_NONE,
+ 	SPEC_STORE_BYPASS_DISABLE,
+ 	SPEC_STORE_BYPASS_PRCTL,
++	SPEC_STORE_BYPASS_SECCOMP,
+ };
+ 
+ extern char __indirect_thunk_start[];
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 131617d..9a3bb65 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -415,22 +415,25 @@ enum ssb_mitigation_cmd {
+ 	SPEC_STORE_BYPASS_CMD_AUTO,
+ 	SPEC_STORE_BYPASS_CMD_ON,
+ 	SPEC_STORE_BYPASS_CMD_PRCTL,
++	SPEC_STORE_BYPASS_CMD_SECCOMP,
+ };
+ 
+ static const char *ssb_strings[] = {
+ 	[SPEC_STORE_BYPASS_NONE]	= "Vulnerable",
+ 	[SPEC_STORE_BYPASS_DISABLE]	= "Mitigation: Speculative Store Bypass disabled",
+-	[SPEC_STORE_BYPASS_PRCTL]	= "Mitigation: Speculative Store Bypass disabled via prctl"
++	[SPEC_STORE_BYPASS_PRCTL]	= "Mitigation: Speculative Store Bypass disabled via prctl",
++	[SPEC_STORE_BYPASS_SECCOMP]	= "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
+ };
+ 
+ static const struct {
+ 	const char *option;
+ 	enum ssb_mitigation_cmd cmd;
+ } ssb_mitigation_options[] = {
+-	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO },  /* Platform decides */
+-	{ "on",		SPEC_STORE_BYPASS_CMD_ON },    /* Disable Speculative Store Bypass */
+-	{ "off",	SPEC_STORE_BYPASS_CMD_NONE },  /* Don't touch Speculative Store Bypass */
+-	{ "prctl",	SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative Store Bypass via prctl */
++	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO },    /* Platform decides */
++	{ "on",		SPEC_STORE_BYPASS_CMD_ON },      /* Disable Speculative Store Bypass */
++	{ "off",	SPEC_STORE_BYPASS_CMD_NONE },    /* Don't touch Speculative Store Bypass */
++	{ "prctl",	SPEC_STORE_BYPASS_CMD_PRCTL },   /* Disable Speculative Store Bypass via prctl */
++	{ "seccomp",	SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
+ };
+ 
+ static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
+@@ -480,8 +483,15 @@ static enum ssb_mitigation_cmd __init __ssb_select_mitigation(void)
+ 
+ 	switch (cmd) {
+ 	case SPEC_STORE_BYPASS_CMD_AUTO:
+-		/* Choose prctl as the default mode */
+-		mode = SPEC_STORE_BYPASS_PRCTL;
++	case SPEC_STORE_BYPASS_CMD_SECCOMP:
++		/*
++		 * Choose prctl+seccomp as the default mode if seccomp is
++		 * enabled.
++		 */
++		if (IS_ENABLED(CONFIG_SECCOMP))
++			mode = SPEC_STORE_BYPASS_SECCOMP;
++		else
++			mode = SPEC_STORE_BYPASS_PRCTL;
+ 		break;
+ 	case SPEC_STORE_BYPASS_CMD_ON:
+ 		mode = SPEC_STORE_BYPASS_DISABLE;
+@@ -529,12 +539,14 @@ static void ssb_select_mitigation()
+ }
+ 
+ #undef pr_fmt
++#define pr_fmt(fmt)     "Speculation prctl: " fmt
+ 
+ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
+ {
+ 	bool update;
+ 
+-	if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
++	if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
++	    ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
+ 		return -ENXIO;
+ 
+ 	switch (ctrl) {
+@@ -582,7 +594,8 @@ int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
+ #ifdef CONFIG_SECCOMP
+ void arch_seccomp_spec_mitigate(struct task_struct *task)
+ {
+-	ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
++	if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
++		ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
+ }
+ #endif
+ 
+@@ -591,6 +604,7 @@ static int ssb_prctl_get(struct task_struct *task)
+ 	switch (ssb_mode) {
+ 	case SPEC_STORE_BYPASS_DISABLE:
+ 		return PR_SPEC_DISABLE;
++	case SPEC_STORE_BYPASS_SECCOMP:
+ 	case SPEC_STORE_BYPASS_PRCTL:
+ 		if (task_spec_ssb_force_disable(task))
+ 			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
+-- 
+2.7.4
+