From: Marc Zyngier <maz@kernel.org>
To: "Pierre-Clément Tosi" <ptosi@google.com>
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
kvm@vger.kernel.org, James Morse <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Oliver Upton <oliver.upton@linux.dev>,
Zenghui Yu <yuzenghui@huawei.com>,
Sami Tolvanen <samitolvanen@google.com>,
Mark Rutland <mark.rutland@arm.com>
Subject: Re: [PATCH 00/10] KVM: arm64: Add support for hypervisor kCFI
Date: Thu, 14 Mar 2024 22:40:47 +0000 [thread overview]
Message-ID: <86edcc1low.wl-maz@kernel.org> (raw)
In-Reply-To: <cover.1710446682.git.ptosi@google.com>
Hi Pierre-Clément,
On Thu, 14 Mar 2024 20:23:00 +0000,
Pierre-Clément Tosi <ptosi@google.com> wrote:
>
> CONFIG_CFI_CLANG ("kernel Control Flow Integrity") makes the compiler inject
> runtime type checks before any indirect function call. On AArch64, it generates
> a BRK instruction to be executed on type mismatch and encodes the indices of the
> registers holding the branch target and expected type in the immediate of the
> instruction. As a result, a synchronous exception gets triggered on kCFI failure
> and the fault handler can retrieve the immediate (and indices) from ESR_ELx.
>
> This feature has been supported at EL1 ("host") since it was introduced by
> b26e484b8bb3 ("arm64: Add CFI error handling"), where cfi_handler() decodes
> ESR_EL1, giving informative panic messages such as
>
> [ 21.885179] CFI failure at lkdtm_indirect_call+0x2c/0x44 [lkdtm]
> (target: lkdtm_increment_int+0x0/0x1c [lkdtm]; expected type: 0x7e0c52a)
> [ 21.886593] Internal error: Oops - CFI: 0 [#1] PREEMPT SMP
>
> However, it is not or only partially supported at EL2: in nVHE (or pKVM),
> CONFIG_CFI_CLANG gets filtered out at build time, preventing the compiler from
> injecting the checks. In VHE (or hVHE), EL2 code gets compiled with the checks
Are you sure about hVHE? hVHE is essentially the nVHE object running
with a slightly different HCR_EL2 configuration. So if you don't have
the checks in the nVHE code, you don't have them for hVHE either.
Or am I missing something obvious?
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier <maz@kernel.org>
To: "Pierre-Clément Tosi" <ptosi@google.com>
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
kvm@vger.kernel.org, James Morse <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Oliver Upton <oliver.upton@linux.dev>,
Zenghui Yu <yuzenghui@huawei.com>,
Sami Tolvanen <samitolvanen@google.com>,
Mark Rutland <mark.rutland@arm.com>
Subject: Re: [PATCH 00/10] KVM: arm64: Add support for hypervisor kCFI
Date: Thu, 14 Mar 2024 22:40:47 +0000 [thread overview]
Message-ID: <86edcc1low.wl-maz@kernel.org> (raw)
In-Reply-To: <cover.1710446682.git.ptosi@google.com>
Hi Pierre-Clément,
On Thu, 14 Mar 2024 20:23:00 +0000,
Pierre-Clément Tosi <ptosi@google.com> wrote:
>
> CONFIG_CFI_CLANG ("kernel Control Flow Integrity") makes the compiler inject
> runtime type checks before any indirect function call. On AArch64, it generates
> a BRK instruction to be executed on type mismatch and encodes the indices of the
> registers holding the branch target and expected type in the immediate of the
> instruction. As a result, a synchronous exception gets triggered on kCFI failure
> and the fault handler can retrieve the immediate (and indices) from ESR_ELx.
>
> This feature has been supported at EL1 ("host") since it was introduced by
> b26e484b8bb3 ("arm64: Add CFI error handling"), where cfi_handler() decodes
> ESR_EL1, giving informative panic messages such as
>
> [ 21.885179] CFI failure at lkdtm_indirect_call+0x2c/0x44 [lkdtm]
> (target: lkdtm_increment_int+0x0/0x1c [lkdtm]; expected type: 0x7e0c52a)
> [ 21.886593] Internal error: Oops - CFI: 0 [#1] PREEMPT SMP
>
> However, it is not or only partially supported at EL2: in nVHE (or pKVM),
> CONFIG_CFI_CLANG gets filtered out at build time, preventing the compiler from
> injecting the checks. In VHE (or hVHE), EL2 code gets compiled with the checks
Are you sure about hVHE? hVHE is essentially the nVHE object running
with a slightly different HCR_EL2 configuration. So if you don't have
the checks in the nVHE code, you don't have them for hVHE either.
Or am I missing something obvious?
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2024-03-14 22:40 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-14 20:23 [PATCH 00/10] KVM: arm64: Add support for hypervisor kCFI Pierre-Clément Tosi
2024-03-14 20:23 ` Pierre-Clément Tosi
2024-03-14 20:23 ` [PATCH 01/10] KVM: arm64: Fix clobbered ELR in sync abort Pierre-Clément Tosi
2024-03-14 20:23 ` Pierre-Clément Tosi
2024-03-17 12:26 ` Marc Zyngier
2024-03-17 12:26 ` Marc Zyngier
2024-03-14 20:23 ` [PATCH 02/10] KVM: arm64: Fix __pkvm_init_switch_pgd C signature Pierre-Clément Tosi
2024-03-14 20:23 ` Pierre-Clément Tosi
2024-03-14 20:23 ` [PATCH 03/10] KVM: arm64: Pass pointer to __pkvm_init_switch_pgd Pierre-Clément Tosi
2024-03-14 20:23 ` Pierre-Clément Tosi
2024-03-14 20:24 ` [PATCH 04/10] KVM: arm64: nVHE: Simplify __guest_exit_panic path Pierre-Clément Tosi
2024-03-14 20:24 ` Pierre-Clément Tosi
2024-03-14 20:24 ` [PATCH 05/10] KVM: arm64: nVHE: Add EL2 sync exception handler Pierre-Clément Tosi
2024-03-14 20:24 ` Pierre-Clément Tosi
2024-03-17 11:42 ` Marc Zyngier
2024-03-17 11:42 ` Marc Zyngier
2024-04-10 14:44 ` Pierre-Clément Tosi
2024-04-10 14:44 ` Pierre-Clément Tosi
2024-03-14 20:24 ` [PATCH 06/10] KVM: arm64: nVHE: gen-hyprel: Skip R_AARCH64_ABS32 Pierre-Clément Tosi
2024-03-14 20:24 ` Pierre-Clément Tosi
2024-03-14 20:25 ` [PATCH 07/10] KVM: arm64: VHE: Mark __hyp_call_panic __noreturn Pierre-Clément Tosi
2024-03-14 20:25 ` Pierre-Clément Tosi
2024-03-14 20:25 ` [PATCH 08/10] arm64: Move esr_comment() to <asm/esr.h> Pierre-Clément Tosi
2024-03-14 20:25 ` Pierre-Clément Tosi
2024-03-17 12:50 ` Marc Zyngier
2024-03-17 12:50 ` Marc Zyngier
2024-03-14 20:25 ` [PATCH 09/10] KVM: arm64: nVHE: Support CONFIG_CFI_CLANG at EL2 Pierre-Clément Tosi
2024-03-14 20:25 ` Pierre-Clément Tosi
2024-03-17 13:09 ` Marc Zyngier
2024-03-17 13:09 ` Marc Zyngier
2024-04-10 14:58 ` Pierre-Clément Tosi
2024-04-10 14:58 ` Pierre-Clément Tosi
2024-03-14 20:26 ` [PATCH 10/10] KVM: arm64: Improve CONFIG_CFI_CLANG error message Pierre-Clément Tosi
2024-03-14 20:26 ` Pierre-Clément Tosi
2024-03-14 22:40 ` Marc Zyngier [this message]
2024-03-14 22:40 ` [PATCH 00/10] KVM: arm64: Add support for hypervisor kCFI Marc Zyngier
2024-03-15 10:22 ` Pierre-Clément Tosi
2024-03-15 10:22 ` Pierre-Clément Tosi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86edcc1low.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=james.morse@arm.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=mark.rutland@arm.com \
--cc=oliver.upton@linux.dev \
--cc=ptosi@google.com \
--cc=samitolvanen@google.com \
--cc=suzuki.poulose@arm.com \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.