| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f627177c-f813-9e10-ade5-c7654375639b@gmail.com>
Date: Tue, 27 Mar 2018 15:16:04 +0300
From: Dmitry Osipenko <digetx@...il.com>
To: Robin Murphy <robin.murphy@....com>,
Stefan Agner <stefan@...er.ch>, linux@...linux.org.uk,
ard.biesheuvel@...aro.org, arnd@...db.de
Cc: nicolas.pitre@...aro.org, marc.zyngier@....com,
behanw@...verseincode.com, keescook@...omium.org,
Bernhard.Rosenkranzer@...aro.org, mka@...omium.org,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
Stephen Warren <swarren@...dia.com>,
Thierry Reding <treding@...dia.com>
Subject: Re: [PATCH v2 3/6] ARM: trusted_foundations: do not use naked
function
On 27.03.2018 14:54, Robin Murphy wrote:
> On 26/03/18 22:20, Dmitry Osipenko wrote:
>> On 25.03.2018 21:09, Stefan Agner wrote:
>>> As documented in GCC naked functions should only use Basic asm
>>> syntax. The Extended asm or mixture of Basic asm and "C" code is
>>> not guaranteed. Currently this works because it was hard coded
>>> to follow and check GCC behavior for arguments and register
>>> placement.
>>>
>>> Furthermore with clang using parameters in Extended asm in a
>>> naked function is not supported:
>>> arch/arm/firmware/trusted_foundations.c:47:10: error: parameter
>>> references not allowed in naked functions
>>> : "r" (type), "r" (arg1), "r" (arg2)
>>> ^
>>>
>>> Use a regular function to be more portable. This aligns also with
>>> the other smc call implementations e.g. in qcom_scm-32.c and
>>> bcm_kona_smc.c.
>>>
>>> Cc: Dmitry Osipenko <digetx@...il.com>
>>> Cc: Stephen Warren <swarren@...dia.com>
>>> Cc: Thierry Reding <treding@...dia.com>
>>> Signed-off-by: Stefan Agner <stefan@...er.ch>
>>> ---
>>> Changes in v2:
>>> - Keep stmfd/ldmfd to avoid potential ABI issues
>>>
>>> arch/arm/firmware/trusted_foundations.c | 14 +++++++++-----
>>> 1 file changed, 9 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/arch/arm/firmware/trusted_foundations.c
>>> b/arch/arm/firmware/trusted_foundations.c
>>> index 3fb1b5a1dce9..689e6565abfc 100644
>>> --- a/arch/arm/firmware/trusted_foundations.c
>>> +++ b/arch/arm/firmware/trusted_foundations.c
>>> @@ -31,21 +31,25 @@
>>> static unsigned long cpu_boot_addr;
>>> -static void __naked tf_generic_smc(u32 type, u32 arg1, u32 arg2)
>>> +static void tf_generic_smc(u32 type, u32 arg1, u32 arg2)
>>> {
>>> + register u32 r0 asm("r0") = type;
>>> + register u32 r1 asm("r1") = arg1;
>>> + register u32 r2 asm("r2") = arg2;
>>> +
>>> asm volatile(
>>> ".arch_extension sec\n\t"
>>> - "stmfd sp!, {r4 - r11, lr}\n\t"
>>> + "stmfd sp!, {r4 - r11}\n\t"
>>> __asmeq("%0", "r0")
>>> __asmeq("%1", "r1")
>>> __asmeq("%2", "r2")
>>> "mov r3, #0\n\t"
>>> "mov r4, #0\n\t"
>>> "smc #0\n\t"
>>> - "ldmfd sp!, {r4 - r11, pc}"
>>> + "ldmfd sp!, {r4 - r11}\n\t"
>>> :
>>> - : "r" (type), "r" (arg1), "r" (arg2)
>>> - : "memory");
>>> + : "r" (r0), "r" (r1), "r" (r2)
>>> + : "memory", "r3", "r12", "lr");
>>
>> Although seems "lr" won't be affected by SMC invocation because it should be
>> banked and hence could be omitted entirely from the code. Maybe somebody could
>> confirm this.
> Strictly per the letter of the architecture, the SMC could be trapped to Hyp
> mode, and a hypervisor might clobber LR_usr in the process of forwarding the
> call to the firmware secure monitor (since Hyp doesn't have a banked LR of its
> own). Admittedly there are probably no real systems with the appropriate
> hardware/software combination to hit that, but on the other hand if this gets
> inlined where the compiler has already created a stack frame then an LR clobber
> is essentially free, so I reckon we're better off keeping it for reassurance.
> This isn't exactly a critical fast path anyway.
Okay, thank you for the clarification.
Powered by blists - more mailing lists