lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180613132910.wr7ngq4nvxlgaoqi@kahuna>
Date:   Wed, 13 Jun 2018 08:29:10 -0500
From:   Nishanth Menon <nm@...com>
To:     Russell King - ARM Linux <linux@...linux.org.uk>
CC:     Tony Lindgren <tony@...mide.com>, <linux-kernel@...r.kernel.org>,
        <linux-omap@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH] ARM: DRA7/OMAP5: Enable ACTLR[0] (Enable invalidates of
 BTB) for secondary cores

On 10:11-20180613, Russell King - ARM Linux wrote:
> On Tue, Jun 12, 2018 at 04:36:11PM -0500, Nishanth Menon wrote:
> > Call secure services to enable ACTLR[0] (Enable invalidates of BTB with
> > ICIALLU) when branch hardening is enabled for kernel.
> 
> As mentioned elsewhere, I don't think this is a good idea - if the secure
> world is not implementing the Spectre workarounds, then the _system_ is
> exploitable.
> 
> If the secure world is implementing the spectre workarounds, it will
> already have enabled the IBE bit (which is r/w from secure, read only
> from non-secure.)
> 
> So, basically, lack of the IBE bit being set is basically telling the
> kernel that it's running on a vulnerable platform _even if the kernel
> were to set it through some means_.

On GP devices OMAP5/DRA7, there is no possibility to update secure side
since "secure world" is ROM and there are no override mechanisms possible.
on HS devices, I agree, appropriate PPA will do the workarounds as well.

However, this patch is to enable the IBE enable on GP device for _a_
core can only be done via SMC services that ROM provides for
specifically the reasons you have already stated. u-boot will only
enable the IBE for the boot core, by the time the secondary cores start
up, u-boot is long gone.. so someone has to invoke the SMC call to
enable the IBE bit for the secondary core.

This is what the patch does.

If the above explanation makes sense, I will add that to the commit log
as well.

-- 
Regards,
Nishanth Menon

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ