From: christoffer.dall@linaro.org (Christoffer Dall)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 3/6] arm: KVM: Invalidate BTB on guest exit
Date: Tue, 23 Jan 2018 15:22:17 +0100
Message-ID: <20180123142217.GK21802@cbox>
In-Reply-To: <20180108185533.9698-4-marc.zyngier@arm.com>
On Mon, Jan 08, 2018 at 06:55:30PM +0000, Marc Zyngier wrote:
> In order to avoid aliasing attacks against the branch predictor,
> let's invalidate the BTB on guest exit. This is made complicated
> by the fact that we cannot take a branch before invalidating the
> BTB.
...because that would defeat the overall purpose of what we're trying to
do?
>
> Another thing is that we perform the invalidation on all
> implementations, no matter if they are affected or not.
I don't understand this comment, it seems like the logic below is
limited to A12 and A17 for now?
>
> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
> ---
> arch/arm/include/asm/kvm_asm.h | 2 --
> arch/arm/include/asm/kvm_mmu.h | 13 ++++++++-
> arch/arm/kvm/hyp/hyp-entry.S | 64 ++++++++++++++++++++++++++++++++++++++++--
> 3 files changed, 74 insertions(+), 5 deletions(-)
>
> diff --git a/arch/arm/include/asm/kvm_asm.h b/arch/arm/include/asm/kvm_asm.h
> index 36dd2962a42d..df24ed48977d 100644
> --- a/arch/arm/include/asm/kvm_asm.h
> +++ b/arch/arm/include/asm/kvm_asm.h
> @@ -61,8 +61,6 @@ struct kvm_vcpu;
> extern char __kvm_hyp_init[];
> extern char __kvm_hyp_init_end[];
>
> -extern char __kvm_hyp_vector[];
> -
> extern void __kvm_flush_vm_context(void);
> extern void __kvm_tlb_flush_vmid_ipa(struct kvm *kvm, phys_addr_t ipa);
> extern void __kvm_tlb_flush_vmid(struct kvm *kvm);
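Review bot: removing the `__kvm_hyp_vector` declaration from kvm_asm.h leaves the symbol declared, as far as this patch shows, only by a function-local `extern` inside kvm_get_hyp_vector(). I would keep the declaration here and add `extern char __kvm_hyp_vector_bp_inv[];` next to it, so both vector tables are declared in one place alongside `__kvm_hyp_init` and are type-checked consistently for any other user.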
> diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h
> index eb46fc81a440..b47db5b9e407 100644
> --- a/arch/arm/include/asm/kvm_mmu.h
> +++ b/arch/arm/include/asm/kvm_mmu.h
> @@ -37,6 +37,7 @@
>
> #include <linux/highmem.h>
> #include <asm/cacheflush.h>
> +#include <asm/cputype.h>
> #include <asm/pgalloc.h>
> #include <asm/stage2_pgtable.h>
>
> @@ -223,7 +224,17 @@ static inline unsigned int kvm_get_vmid_bits(void)
>
> static inline void *kvm_get_hyp_vector(void)
> {
> - return kvm_ksym_ref(__kvm_hyp_vector);
> + extern char __kvm_hyp_vector[];
> + extern char __kvm_hyp_vector_bp_inv[];
> +
> + switch(read_cpuid_part()) {
> + case ARM_CPU_PART_CORTEX_A12:
> + case ARM_CPU_PART_CORTEX_A17:
> + return kvm_ksym_ref(__kvm_hyp_vector_bp_inv);
> +
> + default:
> + return kvm_ksym_ref(__kvm_hyp_vector);
> + }
> }
>
> static inline int kvm_map_vectors(void)
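Review bot: the `switch` in kvm_get_hyp_vector() selects the invalidating vectors only for `ARM_CPU_PART_CORTEX_A12` and `ARM_CPU_PART_CORTEX_A17`, which contradicts the commit message's statement that the invalidation is performed "on all implementations, no matter if they are affected or not". Either the commit message or the code should change so the two agree, and a short comment above the `switch` naming why these two parts are listed would help the next person who adds one. Style nit: kernel style wants `switch (` with a space.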
> diff --git a/arch/arm/kvm/hyp/hyp-entry.S b/arch/arm/kvm/hyp/hyp-entry.S
> index 95a2faefc070..2e8d2179eb70 100644
> --- a/arch/arm/kvm/hyp/hyp-entry.S
> +++ b/arch/arm/kvm/hyp/hyp-entry.S
> @@ -70,6 +70,59 @@ __kvm_hyp_vector:
> W(b) hyp_hvc
> W(b) hyp_irq
> W(b) hyp_fiq
> +
> + .align 5
> +__kvm_hyp_vector_bp_inv:
> + .global __kvm_hyp_vector_bp_inv
> +
> + /*
> + * We encode the exception entry in the bottom 3 bits of
> + * SP, and we have to guarantee to be 8 bytes aligned.
> + */
> + W(add) sp, sp, #1 /* Reset 7 */
> + W(add) sp, sp, #1 /* Undef 6 */
> + W(add) sp, sp, #1 /* Syscall 5 */
> + W(add) sp, sp, #1 /* Prefetch abort 4 */
> + W(add) sp, sp, #1 /* Data abort 3 */
> + W(add) sp, sp, #1 /* HVC 2 */
> + W(add) sp, sp, #1 /* IRQ 1 */
> + W(add) sp, sp, #1 /* FIQ 0 */
> +
> + sub sp, sp, #1
> +
> + mcr p15, 0, r0, c7, c5, 6 /* BPIALL */
> + isb
> +
> + /*
> + * Yet another silly hack: Use VPIDR as a temp register.
> + * Thumb2 is really a pain, as SP cannot be used with most
> + * of the bitwise instructions. The vect_br macro ensures
> + * things gets cleaned-up.
> + */
> + mcr p15, 4, r0, c0, c0, 0 /* VPIDR */
> + mov r0, sp
> + and r0, r0, #7
> + sub sp, sp, r0
> + push {r1, r2}
> + mov r1, r0
> + mrc p15, 4, r0, c0, c0, 0 /* VPIDR */
> + mrc p15, 0, r2, c0, c0, 0 /* MIDR */
> + mcr p15, 4, r2, c0, c0, 0 /* VPIDR */
> +
> +.macro vect_br val, targ
> + cmp r1, #\val
> + popeq {r1, r2}
> + beq \targ
> +.endm
> +
> + vect_br 0, hyp_fiq
> + vect_br 1, hyp_irq
> + vect_br 2, hyp_hvc
> + vect_br 3, hyp_dabt
> + vect_br 4, hyp_pabt
> + vect_br 5, hyp_svc
> + vect_br 6, hyp_undef
> + vect_br 7, hyp_reset
>
> .macro invalid_vector label, cause
> .align
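Review bot: the comment above the VPIDR sequence in `__kvm_hyp_vector_bp_inv` says the vect_br macro "ensures things gets cleaned-up", but the macro only pops r1 and r2; VPIDR is put back by the `mrc ... MIDR` / `mcr ... VPIDR` pair before the macro is used, which assumes the correct host value of VPIDR is always MIDR. Please reword the comment to state that assumption explicitly. It would also help to note next to the BPIALL write that the value in r0 is ignored, since r0 has not been saved at that point, and to say in the first comment that the decode is only correct if SP is 8-byte aligned at every point where an exception can be taken to HYP.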
> @@ -149,7 +202,14 @@ hyp_hvc:
> bx ip
>
> 1:
> - push {lr}
> + /*
> + * Pushing r2 here is just a way of keeping the stack aligned to
> + * 8 bytes on any path that can trigger a HYP exception. Here,
> + * we may well be about to jump into the guest, and the guest
> + * exit would otherwise be badly decoded by our fancy
> + * "decode-exception-without-a-branch" code...
> + */
> + push {r2, lr}
>
> mov lr, r0
> mov r0, r1
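Review bot: the 8-byte SP alignment that the new vector decode depends on is maintained here purely by convention, with r2 in `push {r2, lr}` serving as padding. Any later change that pushes an odd number of words on a HYP path would make the guest exit decode to the wrong handler with no diagnostic. The comment explains this site well, but the invariant should also be stated once at `__kvm_hyp_vector_bp_inv`, where it is relied on, so that it is found by someone editing other HYP stack usage.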
> @@ -159,7 +219,7 @@ hyp_hvc:
> THUMB( orr lr, #1)
> blx lr @ Call the HYP function
>
> - pop {lr}
> + pop {r2, lr}
> eret
>
> guest_trap:
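Review bot: `pop {r2, lr}` now restores r2 to its value from before the `blx lr`, whereas previously r2 held whatever the HYP function left in it at `eret`. That looks harmless, but since r2 is only there as padding it is worth one line in the comment at the matching push saying the restore is a side effect and that nothing depends on r2 across the call.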
> --
> 2.14.2
>
Otherwise this looks 'good' to me.
-Christoffer