lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <d67816ef196c4375923c0672dd421be3@huawei.com>
Date:   Tue, 13 Oct 2020 12:56:40 +0000
From:   "limingwang (A)" <limingwang@...wei.com>
To:     Marc Zyngier <maz@...nel.org>
CC:     "catalin.marinas@....com" <catalin.marinas@....com>,
        "will@...nel.org" <will@...nel.org>,
        "broonie@...nel.org" <broonie@...nel.org>,
        "suzuki.poulose@....com" <suzuki.poulose@....com>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Fanhenglong <fanhenglong@...wei.com>,
        "Wanghaibin (D)" <wanghaibin.wang@...wei.com>,
        Tangnianyao <tangnianyao@...wei.com>,
        Jiangyifei <jiangyifei@...wei.com>,
        "dengkai (A)" <dengkai1@...wei.com>,
        Zhanghailiang <zhang.zhanghailiang@...wei.com>,
        "Zhangxiaofeng (F)" <victor.zhangxiaofeng@...wei.com>
Subject: Re: [PATCH] arm64: KVM: marking pages as XN in Stage-2 does not care
 about CTR_EL0.DIC

>Hi Li,
>
>On 2020-10-12 02:08, l00484210 wrote:
>> From: MingWang Li <limingwang@...wei.com>
>> 
>> When testing the ARMv8.2-TTS2UXN feature, setting bits of XN is 
>> unavailable.
>> Because the control bit CTR_EL0.DIC is set by default on system.
>> 
>> But when CTR_EL0.DIC is set, software does not need to flush icache 
>> actively, instead of clearing XN bits.The patch, the commit id of 
>> which is 6ae4b6e0578886eb36cedbf99f04031d93f9e315, has implemented the 
>> function of CTR_EL0.DIC.
>> 
>> Signed-off-by: MingWang Li <limingwang@...wei.com>
>> Signed-off-by: Henglong Fan <fanhenglong@...wei.com>
>> ---
>>  arch/arm64/include/asm/pgtable-prot.h | 12 +-----------
>>  1 file changed, 1 insertion(+), 11 deletions(-)
>> 
>> diff --git a/arch/arm64/include/asm/pgtable-prot.h
>> b/arch/arm64/include/asm/pgtable-prot.h
>> index 4d867c6446c4..5feb94882bf7 100644
>> --- a/arch/arm64/include/asm/pgtable-prot.h
>> +++ b/arch/arm64/include/asm/pgtable-prot.h
>> @@ -79,17 +79,7 @@ extern bool arm64_use_ng_mappings;
>>  		__val;							\
>>  	 })
>> 
>> -#define PAGE_S2_XN							\
>> -	({								\
>> -		u64 __val;						\
>> -		if (cpus_have_const_cap(ARM64_HAS_CACHE_DIC))		\
>> -			__val = 0;					\
>> -		else							\
>> -			__val = PTE_S2_XN;				\
>> -		__val;							\
>> -	})
>> -
>> -#define PAGE_S2			__pgprot(_PROT_DEFAULT | PAGE_S2_MEMATTR(NORMAL) |
>> PTE_S2_RDONLY | PAGE_S2_XN)
>> +#define PAGE_S2			__pgprot(_PROT_DEFAULT | PAGE_S2_MEMATTR(NORMAL) |
>> PTE_S2_RDONLY | PTE_S2_XN)
>>  #define PAGE_S2_DEVICE		__pgprot(_PROT_DEFAULT |
>> PAGE_S2_MEMATTR(DEVICE_nGnRE) | PTE_S2_RDONLY | PTE_S2_XN)
>> 
>>  #define PAGE_NONE		__pgprot(((_PAGE_DEFAULT) & ~PTE_VALID) |
>> PTE_PROT_NONE | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN)
>
>I don't understand what you are trying to achieve here.
>
>This whole point of not setting XN in the page tables when DIC is present is to avoid a pointless permission fault at run time. At you noticed above, no icache invalidation is necessary. So why would you ever want to take a fault on exec the first place?
>
>         M.
>--
>Jazz is not dead. It just smells funny...
>
>
Hi Marc,

According to ARMv8.2-TTS2UXN feature, which extends the stage 2 translation table access
permissions to provide control of whether memory is executable at EL0 independent of whether
it is executable at EL1. 

Testing this feature in some security scenario, for example, if I want to grant execute permission
to some memory only for EL0, but it will failed. Because KVM clears XN bits at first, this means that
the memory can be executable in both EL0 and El1. 

So the execute permission is not granted when the page table is created for the first time, then
grant the execute permission by setting xn, based on the actual requirements.

And according to spec:
DIC, bit [29]
	Instruction cache invalidation requirements for data to instruction coherence.
	0b0 Instruction cache invalidation to the Point of Unification is required for data to instruction coherence.
	0b1 Instruction cache invalidation to the Point of Unification is not required for data to instruction coherence.
So when DIC is set, if the memory is changed to executable, the hardware will flush icache.

If as you said, I feel that DIC conflicts with ARMv8.2-TTS2UXN feature.

Regards,
Mingwang

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ