author | Michael Ellerman <mpe@ellerman.id.au> | 2018-02-23 23:45:11 +1100 |
---|---|---|
committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2018-02-28 20:28:28 -0600 |
commit | f30286c494312caa81333a077da58f501894c2bb (patch) | |
tree | 45a8dc09533e18549fac718c01181e0732fe9689 | |
parent | 8cbd3880c3211e29eeb1f93d591439e6fbabc873 (diff) | |
mambo: Add fw-feature flags for security related settings
Newer firmwares report some feature flags related to security
settings via HDAT. On real hardware skiboot translates these into
device tree properties. For testing purposes just create the
properties manually in the tcl.
These values don't exactly match any actual chip revision, but the
code should not rely on any exact set of values anyway. We just define
the most interesting flags, that if toggled to "disable" will change
Linux behaviour. You can see the actual values in the hostboot source
in src/usr/hdat/hdatiplparms.H.
Also add an environment variable for easily toggling the top-level
"security on" setting.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
-rw-r--r-- | external/mambo/skiboot.tcl | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/external/mambo/skiboot.tcl b/external/mambo/skiboot.tcl
index 38298bff..6c40289f 100644
--- a/external/mambo/skiboot.tcl
+++ b/external/mambo/skiboot.tcl
@@ -61,6 +61,9 @@ mconfig net MAMBO_NET none
 # Net: What is the base interface for the tun/tap device
 mconfig tap_base MAMBO_NET_TAP_BASE 0
+# Enable (default) or disable the "speculation-policy-favor-security" setting,
+# set to 0 to disable. When enabled it causes Linux's RFI flush to be enabled.
+mconfig speculation_policy_favor_security MAMBO_SPECULATION_POLICY_FAVOR_SECURITY 1
 #
 # Create machine config
@@ -251,13 +254,31 @@ set reg [list $fake_nvram_start $fake_nvram_size ]
 mysim of addprop $fake_nvram_node array64 "reg" reg
 mysim of addprop $fake_nvram_node empty "name" "ibm,fake-nvram"
+set opal_node [mysim of addchild $root_node "ibm,opal" ""]
+
 # Allow P9 to use all idle states
 if { $default_config == "P9" } {
- set opal_node [mysim of addchild $root_node "ibm,opal" ""]
 set power_mgt_node [mysim of addchild $opal_node "power-mgt" ""]
 mysim of addprop $power_mgt_node int "ibm,enabled-stop-levels" 0xffffffff
 }
+proc add_feature_node { parent name { value 1 } } {
+ if { $value != 1 } {
+ set value "disabled"
+ } else {
+ set value "enabled"
+ }
+ set np [mysim of addchild $parent $name ""]
+ mysim of addprop $np empty $value ""
+}
+
+set np [mysim of addchild $opal_node "fw-features" ""]
+add_feature_node $np "speculation-policy-favor-security" $mconf(speculation_policy_favor_security)
+add_feature_node $np "needs-l1d-flush-msr-hv-1-to-0"
+add_feature_node $np "needs-l1d-flush-msr-pr-0-to-1"
+add_feature_node $np "needs-spec-barrier-for-bound-checks"
+
+
 # Init CPUs
 set pir 0
 for { set c 0 } { $c < $mconf(cpus) } { incr c } { |
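Review bot: In `add_feature_node` (second hunk), `if { $value != 1 }` maps every value other than 1 to "disabled", whereas the comment added in the first hunk documents only "set to 0 to disable". Assuming `mconfig` passes the environment string through unchanged (its body is outside the diff), a setting such as `MAMBO_SPECULATION_POLICY_FAVOR_SECURITY=true` or `=yes` would quietly create a `disabled` property, so a run meant to exercise the security-on path would test the security-off path without any warning. Making "enabled" the fallback would be safer, e.g. `if { [string is false -strict $value] } {` for the "disabled" branch, or the proc could raise `error "expected 0 or 1, got $value"` for anything else. The other three flags are always created as enabled; a short comment saying that is intentional would help whoever later wants to test the disabled case.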