From: Benjamin Gray <bgray@linux.ibm.com>
To: linuxppc-dev@lists.ozlabs.org
Cc: ajd@linux.ibm.com, ruscur@russell.cc,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
cmr@bluescreens.de, Benjamin Gray <bgray@linux.ibm.com>
Subject: [RFC PATCH 04/13] powerpc/dexcr: Support userspace ROP protection
Date: Mon, 28 Nov 2022 13:44:49 +1100 [thread overview]
Message-ID: <20221128024458.46121-5-bgray@linux.ibm.com> (raw)
In-Reply-To: <20221128024458.46121-1-bgray@linux.ibm.com>
The ISA 3.1B hashst and hashchk instructions use a per-cpu SPR HASHKEYR
to hold a key used in the hash calculation. This key should be different
for each process to make it harder for a malicious process to recreate
valid hash values for a victim process.
Add support for storing a per-thread hash key, and setting/clearing
HASHKEYR appropriately.
Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
---
arch/powerpc/include/asm/book3s/64/kexec.h | 3 +++
arch/powerpc/include/asm/processor.h | 1 +
arch/powerpc/include/asm/reg.h | 1 +
arch/powerpc/kernel/process.c | 12 ++++++++++++
4 files changed, 17 insertions(+)
diff --git a/arch/powerpc/include/asm/book3s/64/kexec.h b/arch/powerpc/include/asm/book3s/64/kexec.h
index 563baf94a962..163de935df28 100644
--- a/arch/powerpc/include/asm/book3s/64/kexec.h
+++ b/arch/powerpc/include/asm/book3s/64/kexec.h
@@ -24,6 +24,9 @@ static inline void reset_sprs(void)
if (cpu_has_feature(CPU_FTR_ARCH_31))
mtspr(SPRN_DEXCR, 0);
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
+ mtspr(SPRN_HASHKEYR, 0);
+
/* Do we need isync()? We are going via a kexec reset */
isync();
}
diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h
index c17ec1e44c86..2381217c95dc 100644
--- a/arch/powerpc/include/asm/processor.h
+++ b/arch/powerpc/include/asm/processor.h
@@ -264,6 +264,7 @@ struct thread_struct {
unsigned long mmcr3;
unsigned long sier2;
unsigned long sier3;
+ unsigned long hashkeyr;
#endif
};
diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
index cdd1f174c399..854664cf844f 100644
--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
@@ -384,6 +384,7 @@
#define SPRN_HRMOR 0x139 /* Real mode offset register */
#define SPRN_HSRR0 0x13A /* Hypervisor Save/Restore 0 */
#define SPRN_HSRR1 0x13B /* Hypervisor Save/Restore 1 */
+#define SPRN_HASHKEYR 0x1D4 /* Non-privileged hashst/hashchk key register */
#define SPRN_ASDR 0x330 /* Access segment descriptor register */
#define SPRN_DEXCR 0x33C /* Dynamic execution control register */
#define DEXCR_PRO_MASK(aspect) __MASK(63 - (32 + (aspect))) /* Aspect number to problem state aspect mask */
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index 17d26f652b80..4d7b0c7641d0 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1229,6 +1229,9 @@ static inline void restore_sprs(struct thread_struct *old_thread,
old_thread->tidr != new_thread->tidr)
mtspr(SPRN_TIDR, new_thread->tidr);
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
+ mtspr(SPRN_HASHKEYR, new_thread->hashkeyr);
+
if (cpu_has_feature(CPU_FTR_ARCH_31)) {
unsigned long new_dexcr = get_thread_dexcr(new_thread);
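Review bot: The added HASHKEYR write in restore_sprs() is unconditional, so every context switch on an NPHIE-capable CPU pays an mtspr even when both tasks hold the same key (threads of one process, or children that inherited it in copy_thread()). The TIDR write just above it in this hunk is guarded by `old_thread->tidr != new_thread->tidr`, and the same shape would fit here: `if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE) && old_thread->hashkeyr != new_thread->hashkeyr)`. Skipping the write is only safe if the SPR always holds old_thread's key at this point, which start_thread() appears to maintain by updating the field and the SPR together. restore_sprs() begins and ends outside the hunk.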
@@ -1818,6 +1821,10 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
childregs->ppr = DEFAULT_PPR;
p->thread.tidr = 0;
+#endif
+#ifdef CONFIG_PPC_BOOK3S_64
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
+ p->thread.hashkeyr = current->thread.hashkeyr;
#endif
/*
* Run with the current AMR value of the kernel
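Review bot: The key inheritance added to copy_thread() needs a comment, because this assignment decides how widely one key is shared. A child has to take the parent's key, since its copied stack already holds hashst values computed with it, but it follows that every process forked without an exec runs with the same key, so anything learned about valid hashes in one worker carries over to its siblings (the same property stack canaries have). A line such as `/* Child stack holds hashes made with the parent's key; only exec (start_thread) rekeys */` would record that. The commit message says the key should differ per process, which this hunk delivers only across exec. copy_thread() continues outside the hunk.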
@@ -1947,6 +1954,11 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp)
current->thread.load_tm = 0;
#endif /* CONFIG_PPC_TRANSACTIONAL_MEM */
#ifdef CONFIG_PPC_BOOK3S_64
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE)) {
+ current->thread.hashkeyr = get_random_long();
+ mtspr(SPRN_HASHKEYR, current->thread.hashkeyr);
+ }
+
if (cpu_has_feature(CPU_FTR_ARCH_31))
mtspr(SPRN_DEXCR, get_thread_dexcr(¤t->thread));
#endif /* CONFIG_PPC_BOOK3S_64 */
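Review bot: `get_random_long()` in start_thread() is the only source of the key, and nothing here says what is expected for programs exec'd before the kernel RNG is seeded. Early-boot tasks may receive keys of lower quality than later ones, as with other per-exec random values. If that is accepted, a comment such as `/* Fresh key per exec; early boot may run before the RNG is fully seeded */` would make it explicit. It is also worth stating that tasks which never pass through start_thread() keep whatever key they inherited, presumably 0 from a zeroed thread_struct for kernel threads. start_thread() begins and ends outside the hunk, and the same hunks appear a second time further down the page.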
--
2.38.1
WARNING: multiple messages have this Message-ID (diff)
From: Benjamin Gray <bgray@linux.ibm.com>
To: linuxppc-dev@lists.ozlabs.org
Cc: ajd@linux.ibm.com, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org, cmr@bluescreens.de,
Benjamin Gray <bgray@linux.ibm.com>
Subject: [RFC PATCH 04/13] powerpc/dexcr: Support userspace ROP protection
Date: Mon, 28 Nov 2022 13:44:49 +1100 [thread overview]
Message-ID: <20221128024458.46121-5-bgray@linux.ibm.com> (raw)
In-Reply-To: <20221128024458.46121-1-bgray@linux.ibm.com>
The ISA 3.1B hashst and hashchk instructions use a per-cpu SPR HASHKEYR
to hold a key used in the hash calculation. This key should be different
for each process to make it harder for a malicious process to recreate
valid hash values for a victim process.
Add support for storing a per-thread hash key, and setting/clearing
HASHKEYR appropriately.
Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
---
arch/powerpc/include/asm/book3s/64/kexec.h | 3 +++
arch/powerpc/include/asm/processor.h | 1 +
arch/powerpc/include/asm/reg.h | 1 +
arch/powerpc/kernel/process.c | 12 ++++++++++++
4 files changed, 17 insertions(+)
diff --git a/arch/powerpc/include/asm/book3s/64/kexec.h b/arch/powerpc/include/asm/book3s/64/kexec.h
index 563baf94a962..163de935df28 100644
--- a/arch/powerpc/include/asm/book3s/64/kexec.h
+++ b/arch/powerpc/include/asm/book3s/64/kexec.h
@@ -24,6 +24,9 @@ static inline void reset_sprs(void)
if (cpu_has_feature(CPU_FTR_ARCH_31))
mtspr(SPRN_DEXCR, 0);
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
+ mtspr(SPRN_HASHKEYR, 0);
+
/* Do we need isync()? We are going via a kexec reset */
isync();
}
diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h
index c17ec1e44c86..2381217c95dc 100644
--- a/arch/powerpc/include/asm/processor.h
+++ b/arch/powerpc/include/asm/processor.h
@@ -264,6 +264,7 @@ struct thread_struct {
unsigned long mmcr3;
unsigned long sier2;
unsigned long sier3;
+ unsigned long hashkeyr;
#endif
};
diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
index cdd1f174c399..854664cf844f 100644
--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
@@ -384,6 +384,7 @@
#define SPRN_HRMOR 0x139 /* Real mode offset register */
#define SPRN_HSRR0 0x13A /* Hypervisor Save/Restore 0 */
#define SPRN_HSRR1 0x13B /* Hypervisor Save/Restore 1 */
+#define SPRN_HASHKEYR 0x1D4 /* Non-privileged hashst/hashchk key register */
#define SPRN_ASDR 0x330 /* Access segment descriptor register */
#define SPRN_DEXCR 0x33C /* Dynamic execution control register */
#define DEXCR_PRO_MASK(aspect) __MASK(63 - (32 + (aspect))) /* Aspect number to problem state aspect mask */
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index 17d26f652b80..4d7b0c7641d0 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1229,6 +1229,9 @@ static inline void restore_sprs(struct thread_struct *old_thread,
old_thread->tidr != new_thread->tidr)
mtspr(SPRN_TIDR, new_thread->tidr);
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
+ mtspr(SPRN_HASHKEYR, new_thread->hashkeyr);
+
if (cpu_has_feature(CPU_FTR_ARCH_31)) {
unsigned long new_dexcr = get_thread_dexcr(new_thread);
@@ -1818,6 +1821,10 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
childregs->ppr = DEFAULT_PPR;
p->thread.tidr = 0;
+#endif
+#ifdef CONFIG_PPC_BOOK3S_64
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
+ p->thread.hashkeyr = current->thread.hashkeyr;
#endif
/*
* Run with the current AMR value of the kernel
@@ -1947,6 +1954,11 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp)
current->thread.load_tm = 0;
#endif /* CONFIG_PPC_TRANSACTIONAL_MEM */
#ifdef CONFIG_PPC_BOOK3S_64
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE)) {
+ current->thread.hashkeyr = get_random_long();
+ mtspr(SPRN_HASHKEYR, current->thread.hashkeyr);
+ }
+
if (cpu_has_feature(CPU_FTR_ARCH_31))
mtspr(SPRN_DEXCR, get_thread_dexcr(¤t->thread));
#endif /* CONFIG_PPC_BOOK3S_64 */
--
2.38.1