Message-ID: <4fb7db36-bce6-ea42-7dd8-91d71857697c@gmail.com>
Date:   Mon, 1 Jul 2019 23:37:34 -0700
From:   Tinchu <tinchu.nitrpr@...il.com>
To:     "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>
Cc:     linux-rpi-kernel@...ts.infradead.org,
        lkml <linux-kernel@...r.kernel.org>,
        Marc Zyngier <marc.zyngier@....com>,
        Russell King <rmk+kernel@...linux.org.uk>
Subject: ARM setting up secure mode vector table

Hi,

Apologies in advance for extra CC list.

I'm trying to hack the Linux kernel (v4.14 LTS) for Raspberry Pi 3 (ARM32 build), to
enable early boot code to switch to secure mode using the SMC #0 instruction and return
(and later tinker with some secure mode registers).

While this may generally not be possible, it seems it just might for this platform
(I can do this on a baremetal library, but not the kernel proper). Apparently the
current BCM firmware sets up the secure, non-secure and monitor vector base addresses
to 0x00000000 before calling into zImage, and all mem is writable for non-secure
mode. See the gory details in the ultibo pascal library code comments [1]. The trick
is to copy a vector table with an SMC vector to address 0. I suspect this is not
working for Linux because the code has to be written in a truly position-independent way.

Here's a rough hack to arch/arm/kernel/hyp-stub.S.
I'm simply hacking a vector entry into the existing hyp vector table and then
copying it over to 0 (I've tried using a completely different table, which fails
in the same way).

+	.macro sec_vec_install_run
+
+		mrc p15, #0, r4, c12, c0, #0
+		ldr r5, .LSecureVectorTable
+
+		/* 8 bytes of vector */
+		ldmia r5!, {r6-r7}
+		stmia r4!, {r6-r7}
+
+		ldmia r5!, {r6-r7}
+		stmia r4!, {r6-r7}
+
+		ldmia r5!, {r6-r7}
+		stmia r4!, {r6-r7}
+
+		ldmia r5!, {r6-r7}
+		stmia r4!, {r6-r7}
+
+		/* 1 word for secondary table */
+		ldmia r5!, {r6-r7}
+		stmia r4!, {r6-r7}
+
+		/*Clean Data Cache MVA */
+		mov r5, #0
+		mcr p15, #0, r5, cr7, cr10, #1
+
+		dsb
+
+		//Invalidate Instruction Cache
+		mov r5, #0
+		mcr p15, #0, r5, cr7, cr5, #0
+
+		//Flush Branch Target Cache
+		mov r5, #0
+		mcr p15, #0, r5, cr7, cr5, #6
+
+		dsb
+		isb
+
+		.arch_extension sec
+		smc #0
+
+	.endm
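
Review bot: `ldr r5, .LSecureVectorTable` picks up the value stored by `.long __hyp_stub_vectors`, which is the link-time address of the table, so if this macro runs before the MMU is enabled the `ldmia` reads come from an address where the kernel is not loaded; a PC-relative `adr r5, __hyp_stub_vectors` gives the run-time address instead. Separately, the destination in r4 is read from VBAR (`mrc p15, #0, r4, c12, c0, #0`) while the cache clean is hard-coded to address 0, so the two only agree when VBAR happens to be 0; clean by the address actually written. The comments also understate the copy: each `ldmia`/`stmia` pair moves 8 bytes, so the first four move 32 bytes and the last moves two words, not one.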


ENTRY(__hyp_stub_install_secondary)

+	sec_vec_install_run
...

+smc_hdlr:
+	/* do stuff later */
+	ret	lr
+ENDPROC(smc_hdlr)
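
Review bot: `ret lr` in `smc_hdlr` is a plain branch, not an exception return, so the CPSR is not restored from the SPSR and the core stays in monitor mode after coming back from `smc #0`. If the intent is to resume the caller in its original mode and security state, return with `movs pc, lr`. The label also has no `ENTRY()` to pair with `ENDPROC(smc_hdlr)`.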

.align 5
ENTRY(__hyp_stub_vectors)
__hyp_stub_reset:	W(b)	.
__hyp_stub_und:		W(b)	.
+ __hyp_stub_svc:	ldr pc, .Lhdlr2
- __hyp_stub_svc:	W(b)	.

...
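
Review bot: `ldr pc, .Lhdlr2` in the `__hyp_stub_svc` slot is a PC-relative load, so once the table executes from its copied location the literal has to sit at the same offset from the copy, but `sec_vec_install_run` copies only 40 bytes and `.Lhdlr2` is defined further down in the file. Place the literal directly after the eighth vector entry so it falls inside the copied range, or extend the copy to cover it. This also replaces the stub's existing branch in that slot for every user of `__hyp_stub_vectors`, not only for the copy.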

+.Lhdlr2:
+	.word smc_hdlr
+.LSecureVectorTable:
+	.long  __hyp_stub_vectors
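
Review bot: `.word smc_hdlr` stores the handler's link-time address, and the vector does `ldr pc, .Lhdlr2` on it, so with the MMU off the SMC entry jumps to a virtual address rather than to where `smc_hdlr` is actually loaded. Have the install code compute the run-time address (for example with `adr`) and write that into the copied literal slot instead of relying on the assembled constant.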


Can someone please tell me what part of the code is wrong? Pretty much similar code
works in a baremetal setup.

TIA

[1] https://github.com/ultibohub/Core/blob/master/source/rtl/ultibo/core/bootrpi2.pas

