===================
Speculation Control
===================

Quite a few CPUs have speculation-related misfeatures which are in
fact vulnerabilities causing data leaks in various forms even across
privilege domains.

The kernel provides mitigation for such vulnerabilities in various
forms. Some of these mitigations are compile-time configurable and some
can be supplied on the kernel command line.

There is also a class of mitigations which are very expensive, but they can
be restricted to a certain set of processes or tasks in controlled
environments. The mechanism to control these mitigations is via
:manpage:`prctl(2)`.

There are two prctl options which are related to this:

 * PR_GET_SPECULATION_CTRL

 * PR_SET_SPECULATION_CTRL

PR_GET_SPECULATION_CTRL
-----------------------

PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
the following meaning:

==== ====================== ==================================================
Bit  Define                 Description
==== ====================== ==================================================
0    PR_SPEC_PRCTL          Mitigation can be controlled per task by
                            PR_SET_SPECULATION_CTRL.
1    PR_SPEC_ENABLE         The speculation feature is enabled, mitigation is
                            disabled.
2    PR_SPEC_DISABLE        The speculation feature is disabled, mitigation is
                            enabled.
3    PR_SPEC_FORCE_DISABLE  Same as PR_SPEC_DISABLE, but cannot be undone. A
                            subsequent prctl(..., PR_SPEC_ENABLE) will fail.
4    PR_SPEC_DISABLE_NOEXEC Same as PR_SPEC_DISABLE, but the state will be
                            cleared on :manpage:`execve(2)`.
==== ====================== ==================================================

If all bits are 0 the CPU is not affected by the speculation misfeature.

If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
misfeature will fail.

.. _set_spec_ctrl:

PR_SET_SPECULATION_CTRL
-----------------------

PR_SET_SPECULATION_CTRL allows per-task control of the speculation
misfeature selected by arg2 of :manpage:`prctl(2)`. arg3 is used to hand
in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
PR_SPEC_FORCE_DISABLE.

Common error codes
------------------

======= =================================================================
Value   Meaning
======= =================================================================
EINVAL  The prctl is not implemented by the architecture or unused
        prctl(2) arguments are not 0.

ENODEV  arg2 selects an unsupported speculation misfeature.
======= =================================================================

PR_SET_SPECULATION_CTRL error codes
-----------------------------------

======= =================================================================
Value   Meaning
======= =================================================================
0       Success

ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.

ENXIO   Control of the selected speculation misfeature is not possible.
        See PR_GET_SPECULATION_CTRL.

EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
        tried to enable it again.
======= =================================================================

Speculation misfeature controls
-------------------------------

- PR_SPEC_STORE_BYPASS: Speculative Store Bypass

  Invocations:
   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE_NOEXEC, 0, 0);

- PR_SPEC_INDIRECT_BRANCH: Indirect Branch Speculation in User Processes
  (Mitigate Spectre V2 style attacks against user processes)

  Invocations:
   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);

- PR_SPEC_L1D_FLUSH: Flush L1D Cache on context switch out of the task
  (works only when tasks run on non SMT cores)

  Invocations:
   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, 0, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_DISABLE, 0, 0);
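
The query, set and verify sequence for a task that wants the mitigation on, written out as an added example (not part of the kernel documentation or kernel sources). The names ``spec_result``, ``spec_classify`` and ``spec_harden`` are hypothetical, and only PR_SPEC_STORE_BYPASS and PR_SPEC_INDIRECT_BRANCH are covered, the two controls where disabling the speculation feature is the mitigation.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Hypothetical result type for this example; not a kernel definition. */
enum spec_result { SPEC_ERROR = -1, SPEC_NOT_AFFECTED, SPEC_VULNERABLE,
                   SPEC_CONTROLLABLE, SPEC_MITIGATED };

/* Decode a PR_GET_SPECULATION_CTRL return value using the bit table. */
enum spec_result spec_classify(long state)
{
    if (state < 0)
        return SPEC_ERROR;          /* EINVAL or ENODEV, see errno */
    if (state == 0)
        return SPEC_NOT_AFFECTED;   /* all bits 0 */
    if (state & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE))
        return SPEC_MITIGATED;      /* speculation feature is disabled */
    if (state & PR_SPEC_PRCTL)
        return SPEC_CONTROLLABLE;   /* DISABLE not set, per-task control exists */
    return SPEC_VULNERABLE;         /* enabled, and a SET would fail (ENXIO) */
}

/* Irreversibly mitigate one misfeature for the calling task, then verify.
 * Unused arguments are passed as 0UL because non-zero values give EINVAL. */
enum spec_result spec_harden(unsigned long which)
{
    enum spec_result r =
        spec_classify(prctl(PR_GET_SPECULATION_CTRL, which, 0UL, 0UL, 0UL));
    if (r != SPEC_CONTROLLABLE)
        return r;                   /* nothing to do, or nothing we can do */
    if (prctl(PR_SET_SPECULATION_CTRL, which, PR_SPEC_FORCE_DISABLE, 0UL, 0UL))
        return SPEC_ERROR;          /* ERANGE, ENXIO or EPERM */
    /* Re-read the state rather than trusting the SET return code alone. */
    return spec_classify(prctl(PR_GET_SPECULATION_CTRL, which, 0UL, 0UL, 0UL));
}

int main(void)
{
    static const char *names[] = { "not affected", "enabled, no per-task control",
                                   "controllable", "mitigated" };
    unsigned long ctl[] = { PR_SPEC_STORE_BYPASS, PR_SPEC_INDIRECT_BRANCH };
    for (int i = 0; i < 2; i++) {
        enum spec_result r = spec_harden(ctl[i]);
        if (r == SPEC_ERROR)
            printf("misfeature %lu: error (errno %d)\n", ctl[i], errno);
        else
            printf("misfeature %lu: %s\n", ctl[i], names[r]);
    }
    return 0;
}
```

Because PR_SPEC_FORCE_DISABLE cannot be undone, call ``spec_harden`` only in tasks that should stay mitigated for their whole lifetime, for example just before running untrusted code.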