| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Aug 2016 16:18:47 +0100
From: Will Deacon <will.deacon@....com>
To: Punit Agrawal <punit.agrawal@....com>
Cc: linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
kvmarm@...ts.cs.columbia.edu, linux-arm-kernel@...ts.infradead.org,
Christoffer Dall <christoffer.dall@...aro.org>,
Marc Zyngier <marc.zyngier@....com>,
Steven Rostedt <rostedt@...dmis.org>,
Ingo Molnar <mingo@...hat.com>
Subject: Re: [RFC PATCH 6/7] arm64: KVM: Handle trappable TLB instructions
Hi Punit,
On Tue, Aug 16, 2016 at 11:45:11AM +0100, Punit Agrawal wrote:
> The ARMv8 architecture allows trapping of TLB maintenane instructions
> from EL0/EL1 to higher exception levels. On encountering a trappable TLB
> instruction in a guest, an exception is taken to EL2.
>
> Add functionality to handle emulating the TLB instructions.
>
> Signed-off-by: Punit Agrawal <punit.agrawal@....com>
> Cc: Christoffer Dall <christoffer.dall@...aro.org>
> Cc: Marc Zyngier <marc.zyngier@....com>
[...]
> +void __hyp_text
> +__kvm_emulate_tlb_invalidate(struct kvm *kvm, u32 sys_op, u64 regval)
> +{
> + kvm = kern_hyp_va(kvm);
> +
> + /*
> + * Switch to the guest before performing any TLB operations to
> + * target the appropriate VMID
> + */
> + __switch_to_guest_regime(kvm);
> +
> + /*
> + * TLB maintenance operations broadcast to inner-shareable
> + * domain when HCR_FB is set (default for KVM).
> + */
> + switch (sys_op) {
> + case TLBIALL:
> + case TLBIALLIS:
> + case ITLBIALL:
> + case DTLBIALL:
> + case TLBI_VMALLE1:
> + case TLBI_VMALLE1IS:
> + __tlbi(vmalle1is);
> + break;
> + case TLBIMVA:
> + case TLBIMVAIS:
> + case ITLBIMVA:
> + case DTLBIMVA:
> + case TLBI_VAE1:
> + case TLBI_VAE1IS:
> + __tlbi(vae1is, regval);
I'm pretty nervous about this. Although you've switched in the guest stage-2
page table before the TLB maintenance, we're still running on a host stage-1
and it's not clear to me that the stage-1 context is completely ignored for
the purposes of a stage-1 TLBI executed at EL2.
For example, if TCR_EL1.TBI0 is set in the guest but cleared in the host,
my reading of the architecture is that it will be treated as zero when
we perform this invalidation operation. I worry that we have similar
problems with the granule size, where bits become RES0 in the TLBI VA
ops.
Finally, we should probably be masking out the RES0 bits in the TLBI
ops, just in case some future extension to the architecture defines them
in such a way where they have different meanings when executed at EL2
or EL1.
The easiest thing to do is just TLBI VMALLE1IS for all trapped operations,
but you might want to see how that performs.
Will
Powered by blists - more mailing lists