From 4340ba80bd3a310d8eb9011df2e63c6371e28113 Mon Sep 17 00:00:00 2001 From: Marc Zyngier Date: Wed, 14 Mar 2018 13:28:50 +0000 Subject: arm64: KVM: Move BP hardening vectors into .hyp.text section There is no reason why the BP hardening vectors shouldn't be part of the HYP text at compile time, rather than being mapped at runtime. Also introduce a new config symbol that controls the compilation of bpi.S. Acked-by: Catalin Marinas Reviewed-by: Andrew Jones Signed-off-by: Marc Zyngier --- arch/arm64/kernel/bpi.S | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'arch/arm64/kernel/bpi.S') diff --git a/arch/arm64/kernel/bpi.S b/arch/arm64/kernel/bpi.S index e5de33513b5d..447188e2a664 100644 --- a/arch/arm64/kernel/bpi.S +++ b/arch/arm64/kernel/bpi.S @@ -48,6 +48,10 @@ ventry \target + 0x780 .endm + + .text + .pushsection .hyp.text, "ax" + .align 11 ENTRY(__bp_harden_hyp_vecs_start) .rept 4 @@ -55,6 +59,8 @@ ENTRY(__bp_harden_hyp_vecs_start) .endr ENTRY(__bp_harden_hyp_vecs_end) + .popsection + ENTRY(__qcom_hyp_sanitize_link_stack_start) stp x29, x30, [sp, #-16]! .rept 16 -- cgit v1.2.3 From f0445dfadbb2ddce26f535b71578b36302805007 Mon Sep 17 00:00:00 2001 From: Marc Zyngier Date: Tue, 13 Mar 2018 12:24:02 +0000 Subject: arm64: KVM: Reserve 4 additional instructions in the BPI template So far, we only reserve a single instruction in the BPI template in order to branch to the vectors. As we're going to stuff a few more instructions there, let's reserve a total of 5 instructions, which we're going to patch later on as required. We also introduce a small refactor of the vectors themselves, so that we stop carrying the target branch around. Acked-by: Catalin Marinas Reviewed-by: Andrew Jones Signed-off-by: Marc Zyngier --- arch/arm64/kernel/bpi.S | 39 +++++++++++++++------------------------ 1 file changed, 15 insertions(+), 24 deletions(-) (limited to 'arch/arm64/kernel/bpi.S') 
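Review bot: The new `.align 11` placed before `ENTRY(__bp_harden_hyp_vecs_start)` carries no comment, and the bare `.text` directive that precedes `.pushsection .hyp.text, "ax"` is equally unexplained. VBAR_EL2 ignores the low 11 bits of the vector base, so the table has to be 2KB aligned; suggest `.align 11 /* VBAR_EL2 requires a 2KB-aligned vector table */`. The `.text` presumably exists so that the later `.popsection` (second hunk of this commit) returns the remainder of the file to `.text` whatever section was current before; if that is the intent, a one-liner such as `/* .text: the section .popsection below falls back to */` would keep it from being "cleaned up" later. The commit text also mentions a new config symbol gating the compilation of bpi.S, but that Kconfig/Makefile change is outside this listing, which is limited to bpi.S.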
diff --git a/arch/arm64/kernel/bpi.S b/arch/arm64/kernel/bpi.S index 447188e2a664..ce1cfe3b24e6 100644 --- a/arch/arm64/kernel/bpi.S +++ b/arch/arm64/kernel/bpi.S @@ -19,33 +19,24 @@ #include #include -.macro ventry target - .rept 31 +.macro hyp_ventry + .align 7 +1: .rept 27 nop .endr - b \target + b __kvm_hyp_vector + (1b - 0b) + nop + nop + nop + nop .endm -.macro vectors target - ventry \target + 0x000 - ventry \target + 0x080 - ventry \target + 0x100 - ventry \target + 0x180 - - ventry \target + 0x200 - ventry \target + 0x280 - ventry \target + 0x300 - ventry \target + 0x380 - - ventry \target + 0x400 - ventry \target + 0x480 - ventry \target + 0x500 - ventry \target + 0x580 - - ventry \target + 0x600 - ventry \target + 0x680 - ventry \target + 0x700 - ventry \target + 0x780 +.macro generate_vectors +0: + .rept 16 + hyp_ventry + .endr + .org 0b + SZ_2K // Safety measure .endm @@ -55,7 +46,7 @@ .align 11 ENTRY(__bp_harden_hyp_vecs_start) .rept 4 - vectors __kvm_hyp_vector + generate_vectors .endr ENTRY(__bp_harden_hyp_vecs_end) -- cgit v1.2.3 From 71dcb8be6d29cffff3f4a4463232f38786e97797 Mon Sep 17 00:00:00 2001 
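Review bot: `b __kvm_hyp_vector + (1b - 0b)` inside `hyp_ventry` refers to the numeric label `0:` that is defined only in `generate_vectors`, so the macro silently depends on being expanded after that label and within the same 2K table, and nothing in the macro says so. Suggest a header comment on `hyp_ventry`, e.g. `/* Only expand from generate_vectors: 1b - 0b is this slot's offset within the 2K table, mirrored onto __kvm_hyp_vector */`. The `// Safety measure` on `.org 0b + SZ_2K` is vague: `.org` cannot move backwards, so the assembler errors out if the 16 slots overflow 2K but silently zero-pads a short table — say that, `.org 0b + SZ_2K // assembler error if the 16 slots overflow the 2K table`. The four trailing `nop`s after the `b` are reserved for later patching per the commit text; a `// 4 words reserved for patching` on the first of them keeps that visible in the source rather than only in the log.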
From: Marc Zyngier Date: Tue, 27 Feb 2018 17:38:08 +0000 Subject: arm64: KVM: Allow far branches from vector slots to the main vectors So far, the branch from the vector slots to the main vectors can at most be 4GB from the main vectors (the reach of ADRP), and this distance is known at compile time. If we were to remap the slots to an unrelated VA, things would break badly. A way to achieve VA independence would be to load the absolute address of the vectors (__kvm_hyp_vector), either using a constant pool or a series of movs, followed by an indirect branch. This patches implements the latter solution, using another instance of a patching callback. Note that since we have to save a register pair on the stack, we branch to the *second* instruction in the vectors in order to compensate for it. This also results in having to adjust this balance in the invalid vector entry point. Acked-by: Catalin Marinas Signed-off-by: Marc Zyngier --- arch/arm64/kernel/bpi.S | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'arch/arm64/kernel/bpi.S') diff --git a/arch/arm64/kernel/bpi.S b/arch/arm64/kernel/bpi.S index ce1cfe3b24e6..dc51ef2ce98a 100644 --- a/arch/arm64/kernel/bpi.S +++ b/arch/arm64/kernel/bpi.S 
@@ -19,16 +19,37 @@ #include #include +#include + .macro hyp_ventry .align 7 1: .rept 27 nop .endr +/* + * The default sequence is to directly branch to the KVM vectors, + * using the computed offset. This applies for VHE as well as + * !ARM64_HARDEN_EL2_VECTORS. + * + * For ARM64_HARDEN_EL2_VECTORS configurations, this gets replaced + * with: + * + * stp x0, x1, [sp, #-16]! + * movz x0, #(addr & 0xffff) + * movk x0, #((addr >> 16) & 0xffff), lsl #16 + * movk x0, #((addr >> 32) & 0xffff), lsl #32 + * br x0 + * + * Where addr = kern_hyp_va(__kvm_hyp_vector) + vector-offset + 4. + * See kvm_patch_vector_branch for details. + */ +alternative_cb kvm_patch_vector_branch b __kvm_hyp_vector + (1b - 0b) nop nop nop nop +alternative_cb_end .endm .macro generate_vectors -- cgit v1.2.3 From 4205a89b8060141ac0216a507b9f70728f056a10 Mon Sep 17 00:00:00 2001 From: Marc Zyngier Date: Tue, 13 Mar 2018 12:40:39 +0000 Subject: arm64: Make BP hardening slot counter available We're about to need to allocate hardening slots from other parts of the kernel (in order to support ARM64_HARDEN_EL2_VECTORS). Turn the counter into an atomic_t and make it available to the rest of the kernel. Also add BP_HARDEN_EL2_SLOTS as the number of slots instead of the hardcoded 4... Acked-by: Catalin Marinas Reviewed-by: Andrew Jones Signed-off-by: Marc Zyngier --- arch/arm64/kernel/bpi.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'arch/arm64/kernel/bpi.S') diff --git a/arch/arm64/kernel/bpi.S b/arch/arm64/kernel/bpi.S index dc51ef2ce98a..bb0b67722e86 100644 --- a/arch/arm64/kernel/bpi.S +++ b/arch/arm64/kernel/bpi.S @@ -20,6 +20,7 @@ #include #include +#include .macro hyp_ventry .align 7 @@ -66,7 +67,7 @@ alternative_cb_end .align 11 ENTRY(__bp_harden_hyp_vecs_start) - .rept 4 + .rept BP_HARDEN_EL2_SLOTS generate_vectors .endr ENTRY(__bp_harden_hyp_vecs_end) -- cgit v1.2.3 From f9f5dc19509bbef6f5e675346f1a7d7b846bdb12 Mon Sep 17 00:00:00 2001 
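Review bot: The `alternative_cb kvm_patch_vector_branch` region is the `b` plus four `nop`s, exactly five words, and the replacement sequence documented in the new comment (`stp`, `movz`, `movk`, `movk`, `br x0`) is also five instructions; that equality is the load-bearing invariant, yet it is stated nowhere, so adding or dropping a `nop` here would only fail at patch time. Suggest closing the comment block with `Exactly 5 instructions: the patched sequence above must fit in this slot.`. The patched sequence pushes x0/x1 and branches to `vector-offset + 4`; the commit text says the second instruction is chosen to compensate for that push, which implies the main vectors' first word performs the matching restore — confirm and note it here, e.g. `(the skipped first word at __kvm_hyp_vector is expected to restore x0/x1 — see kvm_patch_vector_branch)`. The `#include` added at the top of this hunk has its argument stripped on this page, so the header it names cannot be checked from here.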
From: Shanker Donthineni Date: Mon, 5 Mar 2018 11:06:43 -0600 Subject: arm64: KVM: Use SMCCC_ARCH_WORKAROUND_1 for Falkor BP hardening The function SMCCC_ARCH_WORKAROUND_1 was introduced as part of SMC V1.1 Calling Convention to mitigate CVE-2017-5715. This patch uses the standard call SMCCC_ARCH_WORKAROUND_1 for Falkor chips instead of Silicon provider service ID 0xC2001700. Cc: # 4.14+ Signed-off-by: Shanker Donthineni Signed-off-by: Marc Zyngier --- arch/arm64/kernel/bpi.S | 8 -------- 1 file changed, 8 deletions(-) (limited to 'arch/arm64/kernel/bpi.S') diff --git a/arch/arm64/kernel/bpi.S b/arch/arm64/kernel/bpi.S index bb0b67722e86..9404f6aecda7 100644 --- a/arch/arm64/kernel/bpi.S +++ b/arch/arm64/kernel/bpi.S @@ -74,14 +74,6 @@ ENTRY(__bp_harden_hyp_vecs_end) .popsection -ENTRY(__qcom_hyp_sanitize_link_stack_start) - stp x29, x30, [sp, #-16]! - .rept 16 - bl . + 4 - .endr - ldp x29, x30, [sp], #16 -ENTRY(__qcom_hyp_sanitize_link_stack_end) - .macro smccc_workaround_1 inst sub sp, sp, #(8 * 4) stp x2, x3, [sp, #(8 * 0)] -- cgit v1.2.3 From adc91ab7854195f107c137aa197ddfe8b82a2331 Mon Sep 17 00:00:00 2001 From: Marc Zyngier Date: Wed, 28 Mar 2018 11:59:13 +0100 Subject: Revert "arm64: KVM: Use SMCCC_ARCH_WORKAROUND_1 for Falkor BP hardening" Creates far too many conflicts with arm64/for-next/core, to be resent post -rc1. This reverts commit f9f5dc19509bbef6f5e675346f1a7d7b846bdb12. Signed-off-by: Marc Zyngier --- arch/arm64/kernel/bpi.S | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'arch/arm64/kernel/bpi.S') diff --git a/arch/arm64/kernel/bpi.S b/arch/arm64/kernel/bpi.S index 9404f6aecda7..bb0b67722e86 100644 --- a/arch/arm64/kernel/bpi.S +++ b/arch/arm64/kernel/bpi.S 
@@ -74,6 +74,14 @@ ENTRY(__bp_harden_hyp_vecs_end) .popsection +ENTRY(__qcom_hyp_sanitize_link_stack_start) + stp x29, x30, [sp, #-16]! + .rept 16 + bl . + 4 + .endr + ldp x29, x30, [sp], #16 +ENTRY(__qcom_hyp_sanitize_link_stack_end) + .macro smccc_workaround_1 inst sub sp, sp, #(8 * 4) stp x2, x3, [sp, #(8 * 0)] -- cgit v1.2.3
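Review bot: The restored `__qcom_hyp_sanitize_link_stack_start` template has no comment explaining the sixteen `bl . + 4`, and nothing marks the `_start`/`_end` pair as a copy template rather than a callable routine (there is no `ret`, and `ENTRY(..._end)` labels the byte after the `ldp`). Each `bl . + 4` only writes x30 and falls through, so the sequence exists for its side effect — presumably on the return-address predictor, given the "sanitize link stack" name — while the `stp`/`ldp` pair preserve the caller's x29/x30 around it; suggest `/* 16 x bl to the next instruction: each writes x30 and falls through; this is a template bounded by start/end, not a function */`. Since this is a straight revert, the question raised by the reverted commit — replacing this template with SMCCC_ARCH_WORKAROUND_1 — is only deferred, as the revert message says.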