| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Jan 2019 11:06:15 -0600
From: Jeremy Linton <jeremy.linton@....com>
To: Marc Zyngier <marc.zyngier@....com>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Cc: Will Deacon <will.deacon@....com>,
Catalin Marinas <catalin.marinas@....com>
Subject: Re: [PATCH v2 1/2] arm64: Advertise mitigation of Spectre-v2, or lack
thereof
Hi,
On 01/14/2019 04:35 AM, Marc Zyngier wrote:
> We currently have a list of CPUs affected by Spectre-v2, for which
> we check that the firmware implements ARCH_WORKAROUND_1. It turns
> out that not all firmwares do implement the required mitigation,
> and that we fail to let the user know about it.
>
> Instead, let's slightly revamp our checks, and rely on a whitelist
> of cores that are known to be non-vulnerable, and let the user know
> the status of the mitigation in the kernel log.
>
> Signed-off-by: Marc Zyngier <marc.zyngier@....com>
> ---
> arch/arm64/kernel/cpu_errata.c | 111 +++++++++++++++------------------
> 1 file changed, 52 insertions(+), 59 deletions(-)
>
> diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
> index c8ff96158b94..145f8b5d093d 100644
> --- a/arch/arm64/kernel/cpu_errata.c
> +++ b/arch/arm64/kernel/cpu_errata.c
> @@ -138,9 +138,9 @@ static void __copy_hyp_vect_bpi(int slot, const char *hyp_vecs_start,
> __flush_icache_range((uintptr_t)dst, (uintptr_t)dst + SZ_2K);
> }
>
> -static void __install_bp_hardening_cb(bp_hardening_cb_t fn,
> - const char *hyp_vecs_start,
> - const char *hyp_vecs_end)
> +static void install_bp_hardening_cb(bp_hardening_cb_t fn,
> + const char *hyp_vecs_start,
> + const char *hyp_vecs_end)
> {
> static DEFINE_RAW_SPINLOCK(bp_lock);
> int cpu, slot = -1;
> @@ -176,31 +176,14 @@ static void __install_bp_hardening_cb(bp_hardening_cb_t fn,
> #define __smccc_workaround_1_smc_start NULL
> #define __smccc_workaround_1_smc_end NULL
>
> -static void __install_bp_hardening_cb(bp_hardening_cb_t fn,
> - const char *hyp_vecs_start,
> - const char *hyp_vecs_end)
> +static void install_bp_hardening_cb(bp_hardening_cb_t fn,
> + const char *hyp_vecs_start,
> + const char *hyp_vecs_end)
> {
> __this_cpu_write(bp_hardening_data.fn, fn);
> }
> #endif /* CONFIG_KVM_INDIRECT_VECTORS */
>
> -static void install_bp_hardening_cb(const struct arm64_cpu_capabilities *entry,
> - bp_hardening_cb_t fn,
> - const char *hyp_vecs_start,
> - const char *hyp_vecs_end)
> -{
> - u64 pfr0;
> -
> - if (!entry->matches(entry, SCOPE_LOCAL_CPU))
> - return;
> -
> - pfr0 = read_cpuid(ID_AA64PFR0_EL1);
> - if (cpuid_feature_extract_unsigned_field(pfr0, ID_AA64PFR0_CSV2_SHIFT))
> - return;
> -
> - __install_bp_hardening_cb(fn, hyp_vecs_start, hyp_vecs_end);
> -}
> -
> #include <uapi/linux/psci.h>
> #include <linux/arm-smccc.h>
> #include <linux/psci.h>
> @@ -227,20 +210,21 @@ static void qcom_link_stack_sanitization(void)
> : "=&r" (tmp));
> }
>
> -static void
> -enable_smccc_arch_workaround_1(const struct arm64_cpu_capabilities *entry)
> +/*
> + * -1: No workaround
> + * 0: No workaround required
> + * 1: Workaround installed
> + */
> +static int detect_harden_bp_fw(void)
> {
> bp_hardening_cb_t cb;
> void *smccc_start, *smccc_end;
> struct arm_smccc_res res;
> u32 midr = read_cpuid_id();
>
> - if (!entry->matches(entry, SCOPE_LOCAL_CPU))
> - return;
> -
> if (psci_ops.smccc_version == SMCCC_VERSION_1_0) {
> __hardenbp_enab = false;
> - return;
> + return -1;
> }
>
> switch (psci_ops.conduit) {
> @@ -249,7 +233,7 @@ enable_smccc_arch_workaround_1(const struct arm64_cpu_capabilities *entry)
> ARM_SMCCC_ARCH_WORKAROUND_1, &res);
> if ((int)res.a0 < 0) {
> __hardenbp_enab = false;
> - return;
> + return -1;
> }
> cb = call_hvc_arch_workaround_1;
> /* This is a guest, no need to patch KVM vectors */
> @@ -262,7 +246,7 @@ enable_smccc_arch_workaround_1(const struct arm64_cpu_capabilities *entry)
> ARM_SMCCC_ARCH_WORKAROUND_1, &res);
> if ((int)res.a0 < 0) {
> __hardenbp_enab = false;
> - return;
> + return -1;
> }
> cb = call_smc_arch_workaround_1;
> smccc_start = __smccc_workaround_1_smc_start;
> @@ -271,16 +255,22 @@ enable_smccc_arch_workaround_1(const struct arm64_cpu_capabilities *entry)
>
> default:
> __hardenbp_enab = false;
> - return;
> + return -1;
> }
>
> if (((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR) ||
> ((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR_V1))
> cb = qcom_link_stack_sanitization;
>
> - install_bp_hardening_cb(entry, cb, smccc_start, smccc_end);
> + install_bp_hardening_cb(cb, smccc_start, smccc_end);
>
> - return;
> + return 1;
> +}
> +#else
> +static int detect_harden_bp_fw(void)
> +{
> + /* Sorry, can't do a thing */
> + return -1;
> }
> #endif /* CONFIG_HARDEN_BRANCH_PREDICTOR */
>
> @@ -544,7 +534,15 @@ cpu_enable_cache_maint_trap(const struct arm64_cpu_capabilities *__unused)
>
> #if defined(CONFIG_HARDEN_BRANCH_PREDICTOR) || \
> defined(CONFIG_GENERIC_CPU_VULNERABILITIES)
> -
> +/*
> + * List of CPUs that do not need any Spectre-v2 mitigation at all.
> + */
> +static const struct midr_range spectre_v2_safe_list[] = {
> + MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
> + MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
> + MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
> + { /* sentinel */ }
> +};
>
> static bool __spectrev2_safe = true;
>
> @@ -555,37 +553,34 @@ static bool __spectrev2_safe = true;
> static bool __maybe_unused
> check_branch_predictor(const struct arm64_cpu_capabilities *entry, int scope)
> {
> - bool is_vul;
> + int need_wa;
>
> WARN_ON(scope != SCOPE_LOCAL_CPU || preemptible());
>
> - is_vul = is_midr_in_range_list(read_cpuid_id(), entry->midr_range_list);
> + /* If the CPU has CSV2 set, we're safe */
> + if (cpuid_feature_extract_unsigned_field(read_cpuid(ID_AA64PFR0_EL1),
> + ID_AA64PFR0_CSV2_SHIFT))
> + return false;
>
> - if (is_vul)
> - __spectrev2_safe = false;
> + /* Alternatively, we have a list of unaffected CPUs */
> + if (is_midr_in_range_list(read_cpuid_id(), spectre_v2_safe_list))
> + return false;
> +
> + /* Fallback to firmware detection */
> + need_wa = detect_harden_bp_fw();
> + if (!need_wa)
> + return false;
> +
> + __spectrev2_safe = false;
> +
> + if (need_wa < 0)
> + pr_warn_once("ARM_SMCCC_ARCH_WORKAROUND_1 missing from firmware\n");
>
> arm64_requested_vuln_attrs |= VULN_SPECTREV2;
This bit here, is what turns on the sysfs entry. So it needs to be
hoisted before the first return. Also, I think that since
detect_harden_bp_fw() is now returning the firmware state, we can check
once for failure and set `__hardenbp_enab = false;` here rather the half
dozen times it happens in what is now detect_harden_bp_fw();
Thanks,
>
> - return is_vul;
> + return (need_wa > 0);
> }
>
> -/*
> - * List of CPUs where we need to issue a psci call to
> - * harden the branch predictor.
> - */
> -static const struct midr_range arm64_bp_harden_smccc_cpus[] = {
> - MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
> - MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
> - MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
> - MIDR_ALL_VERSIONS(MIDR_CORTEX_A75),
> - MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN),
> - MIDR_ALL_VERSIONS(MIDR_CAVIUM_THUNDERX2),
> - MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR_V1),
> - MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR),
> - MIDR_ALL_VERSIONS(MIDR_NVIDIA_DENVER),
> - {},
> -};
> -
> #endif
>
> #ifdef CONFIG_HARDEN_EL2_VECTORS
> @@ -764,10 +759,8 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
> #ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
> {
> .capability = ARM64_HARDEN_BRANCH_PREDICTOR,
> - .cpu_enable = enable_smccc_arch_workaround_1,
> .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
> .matches = check_branch_predictor,
> - .midr_range_list = arm64_bp_harden_smccc_cpus,
> },
> #endif
> #ifdef CONFIG_HARDEN_EL2_VECTORS
>
Powered by blists - more mailing lists