| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Mar 2021 18:37:14 +0000
From: Marc Zyngier <maz@...nel.org>
To: Quentin Perret <qperret@...gle.com>
Cc: catalin.marinas@....com, james.morse@....com,
julien.thierry.kdev@...il.com, suzuki.poulose@....com,
android-kvm@...gle.com, seanjc@...gle.com, mate.toth-pal@....com,
linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
kernel-team@...roid.com, kvmarm@...ts.cs.columbia.edu,
tabba@...gle.com, ardb@...nel.org, mark.rutland@....com,
dbrazdil@...gle.com
Subject: Re: [PATCH 2/3] KVM: arm64: Generate final CTR_EL0 value when running in Protected mode
On Mon, 22 Mar 2021 17:40:40 +0000,
Quentin Perret <qperret@...gle.com> wrote:
>
> Hey Marc,
>
> On Monday 22 Mar 2021 at 16:48:27 (+0000), Marc Zyngier wrote:
> > In protected mode, late CPUs are not allowed to boot (enforced by
> > the PSCI relay). We can thus specialise the read_ctr macro to
> > always return a pre-computed, sanitised value.
> >
> > Signed-off-by: Marc Zyngier <maz@...nel.org>
> > ---
> > arch/arm64/include/asm/assembler.h | 9 +++++++++
> > arch/arm64/kernel/image-vars.h | 1 +
> > arch/arm64/kvm/va_layout.c | 7 +++++++
> > 3 files changed, 17 insertions(+)
> >
> > diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h
> > index fb651c1f26e9..1a4cee7eb3c9 100644
> > --- a/arch/arm64/include/asm/assembler.h
> > +++ b/arch/arm64/include/asm/assembler.h
> > @@ -270,12 +270,21 @@ alternative_endif
> > * provide the system wide safe value from arm64_ftr_reg_ctrel0.sys_val
> > */
> > .macro read_ctr, reg
> > +#ifndef __KVM_NVHE_HYPERVISOR__
> > alternative_if_not ARM64_MISMATCHED_CACHE_TYPE
> > mrs \reg, ctr_el0 // read CTR
> > nop
> > alternative_else
> > ldr_l \reg, arm64_ftr_reg_ctrel0 + ARM64_FTR_SYSVAL
> > alternative_endif
> > +#else
> > +alternative_cb kvm_compute_final_ctr_el0
> > + movz \reg, #0
> > + movk \reg, #0, lsl #16
> > + movk \reg, #0, lsl #32
> > + movk \reg, #0, lsl #48
> > +alternative_cb_end
> > +#endif
> > .endm
>
> So, FWIW, if we wanted to make _this_ macro BUG in non-protected mode
> (and drop patch 01), I think we could do something like:
>
> alternative_cb kvm_compute_final_ctr_el0
> movz \reg, #0
> ASM_BUG()
> nop
> nop
> alternative_cb_end
>
> and then make kvm_compute_final_ctr_el0() check that we're in protected
> mode before patching. That would be marginally better as that would
> cover _all_ users of read_ctr and not just __flush_dcache_area, but that
> first movz is a bit yuck (but necessary to keep generate_mov_q() happy I
> think?), so I'll leave the decision to you.
Can't say I'm keen on the yucky bit, but here's an alternative (ha!)
for you:
diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h
index 1a4cee7eb3c9..7582c3bd2f05 100644
--- a/arch/arm64/include/asm/assembler.h
+++ b/arch/arm64/include/asm/assembler.h
@@ -278,6 +278,9 @@ alternative_else
ldr_l \reg, arm64_ftr_reg_ctrel0 + ARM64_FTR_SYSVAL
alternative_endif
#else
+alternative_if_not ARM64_KVM_PROTECTED_MODE
+ ASM_BUG()
+alternative_else_nop_endif
alternative_cb kvm_compute_final_ctr_el0
movz \reg, #0
movk \reg, #0, lsl #16
Yes, it is one more instruction, but it is cleaner and allows us to
from the first patch of the series.
What do you think?
M.
--
Without deviation from the norm, progress is not possible.
Powered by blists - more mailing lists