Merge: kernel: add support to rh_waived in RHEL-9

MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/7534

JIRA: https://issues.redhat.com/browse/RHEL-122981

Upstream status: RHEL-only

Add rh_waived to RHEL-9, its dependencies and the new concept
of "Waived Items" to the rh_waived original machinery so we can
leverage the mechanism to allow customers waiving off issues other
then just features, like performance impacting CVE mitigations,
through the same interface in a consistent manner.

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>

Approved-by: Rafael Aquini <raquini@redhat.com>
Approved-by: Wander Lairson Costa <wander@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>

Author: CKI KWF Bot

Documentation/admin-guide/kernel-parameters.txt

@@ -5734,6 +5734,20 @@
 	rhash_entries=	[KNL,NET]
 			Set number of hash buckets for route cache
 
+	rh_waived=
+			Enable waived items in RHEL.
+
+			Some specific features, or security mitigations, can be
+			waived (toggled on/off) on demand in RHEL.  However,
+			waiving any of these items should be used judiciously,
+			as it generally means the system might end up being
+			considered insecure or even out-of-scope for support.
+
+			Format: <item-1>,<item-2>...<item-n>
+
+			Use 'rh_waived' to enable all waived features listed at
+			Documentation/admin-guide/rh-waived-features.rst
+
 	ring3mwait=disable
 			[KNL] Disable ring 3 MONITOR/MWAIT feature on supported
 			CPUs.

Documentation/admin-guide/rh-waived-items.rst

@@ -0,0 +1,29 @@
+.. _rh_waived_items:
+
+====================
+Red Hat Waived Items
+====================
+
+Waived Items is a mechanism offered by Red Hat which allows customers to "waive"
+and utilize features that are not enabled by default as these are considered as
+unmaintained, insecure, rudimentary, or deprecated, but are shipped with the
+RHEL kernel for customer's convinience only.
+Waived Items can range from features that can be enabled on demand to specific
+security mitigations that can be disabled on demand.
+
+To explicitly "waive" any of these items, RHEL offers the ``rh_waived``
+kernel boot parameter. To allow set of waived items, append
+``rh_waived=<item name>,...,<item name>`` to the kernel
+cmdline.
+Appending ``rh_waived=features`` will waive all features listed below,
+and appending ``rh_waived=cves`` will waive all security mitigations
+listed below.
+
+The waived items listed in the next session follow the pattern below:
+
+- item name
+        item description
+
+List of Red Hat Waived Items
+============================
+

include/linux/rh_flags.h

@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * rh_flags.h -- Red Hat flags tracking
+ *
+ * Copyright (c) 2018 Red Hat, Inc. -- Jiri Benc <jbenc@redhat.com>
+ *
+ * The intent of the flag tracking is to provide better and more focused
+ * support. Only those flags that are of a special interest for customer
+ * support should be tracked.
+ *
+ * THE FLAGS DO NOT EXPRESS ANY SUPPORT POLICIES.
+ */
+
+#ifndef _LINUX_RH_FLAGS_H
+#define _LINUX_RH_FLAGS_H
+
+#if defined CONFIG_RHEL_DIFFERENCES
+bool __rh_add_flag(const char *flag_name);
+void rh_print_flags(void);
+
+#define rh_add_flag(flag_name)						\
+({									\
+	static bool __mark_once __read_mostly;				\
+	bool __ret_mark_once = !__mark_once;				\
+									\
+	if (!__mark_once)						\
+		__mark_once = __rh_add_flag(flag_name);			\
+	unlikely(__ret_mark_once);					\
+})
+#else
+void rh_print_flags(void) { };
+void rh_add_flag(const char *flag_name) { };
+#endif
+#endif

include/linux/rh_waived.h

@@ -0,0 +1,19 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * include/linux/rh_waived.h
+ *
+ * rh_waived cmdline parameter interface.
+ *
+ * Copyright (C) 2024, Red Hat, Inc.  Ricardo Robaina <rrobaina@redhat.com>
+ */
+#ifndef _RH_WAIVED_H
+#define _RH_WAIVED_H
+
+enum rh_waived_items {
+	/* RH_WAIVED_ITEMS must always be the last item in the enum */
+	RH_WAIVED_ITEMS,
+};
+
+bool is_rh_waived(enum rh_waived_items feat);
+
+#endif /* _RH_WAIVED_H */

kernel/Makefile

@@ -12,7 +12,7 @@ obj-y     = fork.o exec_domain.o panic.o \
 	    notifier.o ksysfs.o cred.o reboot.o \
 	    async.o range.o smpboot.o ucount.o regset.o ksyms_common.o
 
-obj-$(CONFIG_RHEL_DIFFERENCES) += rh_messages.o rh_shadowman.o
+obj-$(CONFIG_RHEL_DIFFERENCES) += rh_messages.o rh_flags.o rh_waived.o rh_shadowman.o
 obj-$(CONFIG_USERMODE_DRIVER) += usermode_driver.o
 obj-$(CONFIG_MULTIUSER) += groups.o
 

kernel/module/main.c

@@ -62,6 +62,8 @@
 #define CREATE_TRACE_POINTS
 #include <trace/events/module.h>
 
+#include <linux/rh_flags.h>
+
 /*
  * Mutex protects:
  * 1) List of modules (also safely readable with preempt_disable),
@@ -3393,6 +3395,10 @@ void print_modules(void)
 		pr_cont(" [last unloaded: %s%s]", last_unloaded_module.name,
 			last_unloaded_module.taints);
 	pr_cont("\n");
+
+#ifdef CONFIG_RHEL_DIFFERENCES
+	rh_print_flags();
+#endif
 }
 
 #ifdef CONFIG_MODULE_DEBUGFS

kernel/rh_flags.c

@@ -0,0 +1,116 @@
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/proc_fs.h>
+#include <linux/seq_file.h>
+#include <linux/slab.h>
+#include <linux/spinlock.h>
+#include <linux/rh_flags.h>
+
+#define RH_FLAG_NAME_LEN	32
+#define MAX_RH_FLAGS		128
+#define MAX_RH_FLAG_NAME_LEN	(MAX_RH_FLAGS * RH_FLAG_NAME_LEN)
+
+struct rh_flag {
+	struct list_head list;
+	char name[RH_FLAG_NAME_LEN];
+};
+
+static LIST_HEAD(rh_flag_list);
+static DEFINE_SPINLOCK(rh_flag_lock);
+
+bool __rh_add_flag(const char *flag_name)
+{
+	struct rh_flag *feat, *iter;
+
+	BUG_ON(in_interrupt());
+	feat = kzalloc(sizeof(*feat), GFP_ATOMIC);
+	if (WARN(!feat, "Adding Red Hat flag %s.\n", flag_name))
+		return false;
+	strscpy(feat->name, flag_name, RH_FLAG_NAME_LEN);
+
+	spin_lock(&rh_flag_lock);
+	list_for_each_entry_rcu(iter, &rh_flag_list, list) {
+		if (!strcmp(iter->name, flag_name)) {
+			kfree(feat);
+			feat = NULL;
+			break;
+		}
+	}
+	if (feat)
+		list_add_rcu(&feat->list, &rh_flag_list);
+	spin_unlock(&rh_flag_lock);
+
+	if (feat)
+		pr_info("Adding Red Hat flag %s.\n", flag_name);
+	return true;
+}
+EXPORT_SYMBOL(__rh_add_flag);
+
+void rh_print_flags(void)
+{
+	struct rh_flag *feat;
+
+	/*
+	 * This function cannot do any locking, we're oopsing. Traversing
+	 * rh_flag_list is okay, though, even without the rcu_read_lock
+	 * taken: we never delete from that list and thus don't need the
+	 * delayed free. All we need are the smp barriers invoked by the rcu
+	 * list manipulation routines.
+	 */
+	if (list_empty(&rh_flag_list))
+		return;
+	printk(KERN_DEFAULT "Red Hat flags:");
+	list_for_each_entry_lockless(feat, &rh_flag_list, list) {
+		pr_cont(" %s", feat->name);
+	}
+	pr_cont("\n");
+}
+EXPORT_SYMBOL(rh_print_flags);
+
+#ifdef CONFIG_SYSCTL
+static int rh_flags_show(struct ctl_table *ctl, int write,
+			    void __user *buffer, size_t *lenp,
+			    loff_t *ppos)
+{
+	struct ctl_table tbl = { .maxlen = MAX_RH_FLAG_NAME_LEN, };
+	struct rh_flag *feat;
+	size_t offs = 0;
+	int ret;
+
+	tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL);
+	if (!tbl.data)
+		return -ENOMEM;
+	((char *)tbl.data)[0] = '\0';
+
+	rcu_read_lock();
+	list_for_each_entry_rcu(feat, &rh_flag_list, list) {
+		offs += scnprintf(tbl.data + offs, tbl.maxlen - offs, "%s%s",
+				  offs == 0 ? "" : " ", feat->name);
+	}
+	rcu_read_unlock();
+
+	ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
+	kfree(tbl.data);
+	return ret;
+}
+
+static struct ctl_table rh_flags_table[] = {
+	{
+		.procname = "rh_flags",
+		.data = &rh_flag_list,
+		.maxlen = MAX_RH_FLAG_NAME_LEN,
+		.mode = 0444,
+		.proc_handler = rh_flags_show,
+	},
+	{ }
+};
+#endif
+
+static __init int rh_flags_init(void)
+{
+#ifdef CONFIG_SYSCTL
+	register_sysctl_init("kernel", rh_flags_table);
+#endif
+	return 0;
+}
+subsys_initcall(rh_flags_init);

kernel/rh_waived.c

@@ -0,0 +1,147 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * kernel/rh_waived.c
+ *
+ * rh_waived cmdline parameter support.
+ *
+ * Copyright (C) 2024, Red Hat, Inc.  Ricardo Robaina <rrobaina@redhat.com>
+ */
+#include <linux/types.h>
+#include <linux/init.h>
+#include <linux/printk.h>
+#include <linux/string.h>
+#include <linux/panic.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/rh_flags.h>
+#include <linux/rh_waived.h>
+
+/*
+ * * RH_INSERT_WAIVED_ITEM
+ *   This macro is intended to be used to insert items into the
+ *   rh_waived_list array. It expects to get an item from
+ *   enum rh_waived_items as its first argument, and a string
+ *   holding the feature name as its second argument.
+ *
+ *   The feature name is also utilized as the token for the
+ *   boot parameter parser.
+ *
+ *   Example usage:
+ *   struct rh_waived_item foo[RH_WAIVED_FEAT_ITEMS] = {
+ *     RH_INSERT_WAIVED_ITEM(FOO_FEAT, "foo_feat_short_str", "alias", RH_WAIVED_FEAT),
+ *   };
+ */
+#define RH_INSERT_WAIVED_ITEM(enum_item, item, item_alt, class)                \
+       [(enum_item)] = { .name = (item), .alias = (item_alt),          \
+                         .type = (class), .waived = 0, }
+
+/* Indicates if the rh_flag 'rh_waived' should be added. */
+bool __initdata add_rh_flag = false;
+
+typedef enum {
+       RH_WAIVED_FEAT,
+       RH_WAIVED_CVE,
+       RH_WAIVED_ANY
+} rh_waived_t;
+
+struct rh_waived_item {
+       char *name, *alias;
+       rh_waived_t type;
+       unsigned int waived;
+
+};
+
+/* Always use the marco RH_INSERT_WAIVED to insert items to this array. */
+struct rh_waived_item rh_waived_list[RH_WAIVED_ITEMS] = {
+};
+
+/*
+ * is_rh_waived() - Checks if a given item has been marked as waived.
+ *
+ * @item: waived item.
+ */
+__inline__ bool is_rh_waived(enum rh_waived_items item)
+{
+	return !!rh_waived_list[item].waived;
+}
+EXPORT_SYMBOL(is_rh_waived);
+
+static void __init rh_waived_parser(char *s, rh_waived_t type)
+{
+	int i;
+	char *token;
+
+	pr_info(KERN_CONT "rh_waived: ");
+
+	if (!s) {
+		for (i = 0; i < RH_WAIVED_ITEMS; i++) {
+			if (type != RH_WAIVED_ANY && rh_waived_list[i].type != type)
+				continue;
+
+			rh_waived_list[i].waived = 1;
+			pr_info(KERN_CONT "%s%s", rh_waived_list[i].name,
+				i < RH_WAIVED_ITEMS - 1 ? " " : "\n");
+		}
+
+		add_rh_flag = true;
+		return;
+	}
+
+	while ((token = strsep(&s, ",")) != NULL) {
+		for (i = 0; i < RH_WAIVED_ITEMS; i++) {
+			char *alias = rh_waived_list[i].alias;
+
+			if (type != RH_WAIVED_ANY && rh_waived_list[i].type != type)
+				continue;
+
+			if (!strcmp(token, rh_waived_list[i].name) ||
+			    (alias && !strcmp(token, alias))) {
+				rh_waived_list[i].waived = 1;
+				pr_info(KERN_CONT "%s ", rh_waived_list[i].name);
+			}
+		}
+	}
+
+	pr_info(KERN_CONT "\n");
+	add_rh_flag = true;
+}
+
+static int __init rh_waived_setup(char *s)
+{
+	/*
+	 * originally, if no string was passed to the cmdline option
+	 * all listed features would be waived, so we keep that same
+	 * compromise with the new contract.
+	 */
+	if (!s || !strcmp(s, "features")) {
+		rh_waived_parser(NULL, RH_WAIVED_FEAT);
+		return 0;
+	}
+
+	/* waive all possible mitigations in the list */
+	if (!strcmp(s, "cves")) {
+		rh_waived_parser(NULL, RH_WAIVED_CVE);
+		return 0;
+	}
+
+	/* otherwise, just deal with the enumerated waive list */
+	rh_waived_parser(s, RH_WAIVED_ANY);
+
+	return 0;
+}
+early_param("rh_waived", rh_waived_setup);
+
+/*
+ * rh_flags is initialized at subsys_initcall, calling rh_add_flag()
+ * from rh_waived_setup() would result in a can't boot situation.
+ * Deffering the inclusion 'rh_waived' rh_flag to late_initcall to
+ * avoid this issue.
+ */
+static int __init __add_rh_flag(void)
+{
+	if (add_rh_flag)
+		rh_add_flag("rh_waived");
+
+	return 0;
+}
+late_initcall(__add_rh_flag);