Ubuntu
linux package

~tyhicks/ubuntu/+source/linux/+git/artful:master

Git
lp:~tyhicks/ubuntu/+source/linux/+git/artful
master

Last commit made on 2018-05-15

Get this branch:: git clone -b master https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/artful

Only Tyler Hicks can upload to this branch. If you are Tyler Hicks please log in for upload directions.

Branch merges

Branch information

Name:: master

Repository:: lp:~tyhicks/ubuntu/+source/linux/+git/artful

Recent commits

37760d2... by Stefan Bader on 2018-05-14

UBUNTU: Ubuntu-4.13.0-43.48

Signed-off-by: Stefan Bader <email address hidden>

ba57ea6... by Nicholas Piggin <email address hidden> on 2018-04-24

powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit

Signed-off-by: Nicholas Piggin <email address hidden>
[mauricio: backport to Ubuntu 17.10 linux 4.13.0-40.45]
Signed-off-by: Mauricio Faria de Oliveira <email address hidden>

CVE-2018-3639 (powerpc)

Signed-off-by: Stefan Bader <email address hidden>

c78497a... by Mauricio Faria de Oliveira on 2018-03-30

powerpc/pseries: Restore default security feature flags on setup

After migration the security feature flags might have changed (e.g.,
destination system with unpatched firmware), but some flags are not
set/clear again in init_cpu_char_feature_flags() because it assumes
the security flags to be the defaults.

Additionally, if the H_GET_CPU_CHARACTERISTICS hypercall fails then
init_cpu_char_feature_flags() does not run again, which potentially
might leave the system in an insecure or sub-optimal configuration.

So, just restore the security feature flags to the defaults assumed
by init_cpu_char_feature_flags() so it can set/clear them correctly,
and to ensure safe settings are in place in case the hypercall fail.

Fixes: f636c14790ea ("powerpc/pseries: Set or clear security feature flags")
Depends-on: 19887d6a28e2 ("powerpc: Move default security feature flags")
Signed-off-by: Mauricio Faria de Oliveira <email address hidden>
Signed-off-by: Michael Ellerman <email address hidden>
(cherry picked from commit 6232774f1599028a15418179d17f7df47ede770a)

CVE-2018-3639 (powerpc)

Signed-off-by: Stefan Bader <email address hidden>

60b153a... by Mauricio Faria de Oliveira on 2018-03-30

powerpc: Move default security feature flags

This moves the definition of the default security feature flags
(i.e., enabled by default) closer to the security feature flags.

This can be used to restore current flags to the default flags.

Signed-off-by: Mauricio Faria de Oliveira <email address hidden>
Signed-off-by: Michael Ellerman <email address hidden>
[mauricio: backport: security.c: remove trailing context lines]
Signed-off-by: Mauricio Faria de Oliveira <email address hidden>

CVE-2018-3639 (powerpc)

Signed-off-by: Stefan Bader <email address hidden>

b941b7d... by Mauricio Faria de Oliveira on 2018-03-29

powerpc/pseries: Fix clearing of security feature flags

The H_CPU_BEHAV_* flags should be checked for in the 'behaviour' field
of 'struct h_cpu_char_result' -- 'character' is for H_CPU_CHAR_*
flags.

Found by playing around with QEMU's implementation of the hypercall:

H_CPU_CHAR=0xf000000000000000
H_CPU_BEHAV=0x0000000000000000

  This clears H_CPU_BEHAV_FAVOUR_SECURITY and H_CPU_BEHAV_L1D_FLUSH_PR
  so pseries_setup_rfi_flush() disables 'rfi_flush'; and it also
  clears H_CPU_CHAR_L1D_THREAD_PRIV flag. So there is no RFI flush
  mitigation at all for cpu_show_meltdown() to report; but currently
  it does:

Original kernel:

# cat /sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: RFI Flush

Patched kernel:

# cat /sys/devices/system/cpu/vulnerabilities/meltdown
Not affected

H_CPU_CHAR=0x0000000000000000
H_CPU_BEHAV=0xf000000000000000

This sets H_CPU_BEHAV_BNDS_CHK_SPEC_BAR so cpu_show_spectre_v1() should
report vulnerable; but currently it doesn't:

Original kernel:

# cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Not affected

Patched kernel:

# cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Vulnerable

Brown-paper-bag-by: Michael Ellerman <email address hidden>
Fixes: f636c14790ea ("powerpc/pseries: Set or clear security feature flags")
Signed-off-by: Mauricio Faria de Oliveira <email address hidden>
Signed-off-by: Michael Ellerman <email address hidden>
(cherry picked from commit 0f9bdfe3c77091e8704d2e510eb7c2c2c6cde524)

CVE-2018-3639 (powerpc)

Signed-off-by: Stefan Bader <email address hidden>

053baf3... by Michael Ellerman on 2018-03-27

powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()

Now that we have the security flags we can simplify the code in
pseries_setup_rfi_flush() because the security flags have pessimistic
defaults.

Signed-off-by: Michael Ellerman <email address hidden>
(cherry picked from commit 2e4a16161fcd324b1f9bf6cb6856529f7eaf0689)

CVE-2018-3639 (powerpc)

Signed-off-by: Stefan Bader <email address hidden>

162ff40... by Michael Ellerman on 2018-03-27

powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()

Now that we have the security flags we can significantly simplify the
code in pnv_setup_rfi_flush(), because we can use the flags instead of
checking device tree properties and because the security flags have
pessimistic defaults.

Signed-off-by: Michael Ellerman <email address hidden>
(cherry picked from commit 37c0bdd00d3ae83369ab60a6712c28e11e6458d5)

CVE-2018-3639 (powerpc)

Signed-off-by: Stefan Bader <email address hidden>

2342a21... by Michael Ellerman on 2018-03-27

powerpc/pseries: Set or clear security feature flags

Now that we have feature flags for security related things, set or
clear them based on what we receive from the hypercall.

Signed-off-by: Michael Ellerman <email address hidden>
[backport: hunk 2: make pseries_setup_rfi_flush() static]
Signed-off-by: Mauricio Faria de Oliveira <email address hidden>

CVE-2018-3639 (powerpc)

Signed-off-by: Stefan Bader <email address hidden>

c508a5c... by Michael Ellerman on 2018-03-27

powerpc/powernv: Set or clear security feature flags

Now that we have feature flags for security related things, set or
clear them based on what we see in the device tree provided by
firmware.

Signed-off-by: Michael Ellerman <email address hidden>
(cherry picked from commit 77addf6e95c8689e478d607176b399a6242a777e)

CVE-2018-3639 (powerpc)

Signed-off-by: Stefan Bader <email address hidden>

ebe8fa2... by Michael Ellerman on 2018-03-27

powerpc: Add security feature flags for Spectre/Meltdown

This commit adds security feature flags to reflect the settings we
receive from firmware regarding Spectre/Meltdown mitigations.

The feature names reflect the names we are given by firmware on bare
metal machines. See the hostboot source for details.

Arguably these could be firmware features, but that then requires them
to be read early in boot so they're available prior to asm feature
patching, but we don't actually want to use them for patching. We may
also want to dynamically update them in future, which would be
incompatible with the way firmware features work (at the moment at
least). So for now just make them separate flags.

Signed-off-by: Michael Ellerman <email address hidden>

CVE-2018-3639 (powerpc)

Signed-off-by: Stefan Bader <email address hidden>

Ubuntulinux package

~tyhicks/ubuntu/+source/linux/+git/artful:master

Branch merges

Related source package recipes

Related snap packages

Related charm recipes

Branch information

Recent commits

Ubuntu
linux package