Laurent Dufour <lduf...@linux.ibm.com> writes:
> On 05/03/2021 at 07:23, Michael Ellerman wrote:
>> Laurent Dufour <lduf...@linux.ibm.com> writes:
>>> This is helpful to read the security flavor from inside the LPAR.
>>
>> We already have /sys/kernel/debug/powerpc/security_features.
>>
>> Is that not sufficient?
>
> Not really, it only reports that security mitigations are on or off but not the
> level set through the ASMI menu. Furthermore, reporting it through
> /proc/powerpc/lparcfg allows easy processing by the lparstat command (see
> below).
>
>>
>>> Export it like this in /proc/powerpc/lparcfg:
>>>
>>> $ grep security_flavor /proc/powerpc/lparcfg
>>> security_flavor=1
>>>
>>> Value means:
>>> 0 Speculative execution fully enabled
>>> 1 Speculative execution controls to mitigate user-to-kernel attacks
>>> 2 Speculative execution controls to mitigate user-to-kernel and
>>>   user-to-user side-channel attacks
>>
>> Those strings come from the FSP help, but we have no guarantee it won't
>> mean something different in future.
>
> I think this is nailed down, those strings came from:
> https://www.ibm.com/support/pages/node/715841
>
> Where it is written (regarding AIX):
>
> On an LPAR, one can use lparstat -x to display the current mitigation mode:
> 0 = Speculative execution fully enabled
> 1 = Speculative execution controls to mitigate user-to-kernel side-channel
>     attacks
> 2 = Speculative execution controls to mitigate user-to-kernel and user-to-user
>     side-channel attacks
>
> We have been requested to provide almost the same, which I proposed in
> powerpc-utils:
> https://groups.google.com/g/powerpc-utils-devel/c/NaKXvdyl_UI/m/wa2stpIDAQAJ

OK.

Do you mind sending a v2 with all those details incorporated into the change log?

cheers