From: alex.shi@linaro.org (Alex Shi)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 17/39] arm64: entry: Apply BP hardening for suspicious interrupts from EL0
Date: Fri, 9 Mar 2018 17:07:00 +0800 [thread overview]
Message-ID: <20180309090722.26279-18-alex.shi@linaro.org> (raw)
In-Reply-To: <20180309090722.26279-1-alex.shi@linaro.org>
From: Will Deacon <will.deacon@arm.com>
commit 30d88c0e3ace upstream.
It is possible to take an IRQ from EL0 following a branch to a kernel
address in such a way that the IRQ is prioritised over the instruction
abort. Whilst an attacker would need to get the stars to align here,
it might be sufficient with enough calibration so perform BP hardening
in the rare case that we see a kernel address in the ELR when handling
an IRQ from EL0.
Reported-by: Dan Hettena <dhettena@nvidia.com>
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Alex Shi <alex.shi@linaro.org>
---
arch/arm64/kernel/entry.S | 5 +++++
arch/arm64/mm/fault.c | 6 ++++++
2 files changed, 11 insertions(+)
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index bc62f8d2c981..3ee3a026ba04 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -582,6 +582,11 @@ el0_irq_naked:
#endif
ct_user_exit
+#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
+ tbz x22, #55, 1f
+ bl do_el0_irq_bp_hardening
+1:
+#endif
irq_handler
#ifdef CONFIG_TRACE_IRQFLAGS
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index b1f084dd7b6d..54008a6cc0df 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -534,6 +534,12 @@ asmlinkage void __exception do_mem_abort(unsigned long addr, unsigned int esr,
arm64_notify_die("", regs, &info, esr);
}
+asmlinkage void __exception do_el0_irq_bp_hardening(void)
+{
+ /* PC has already been checked in entry.S */
+ arm64_apply_bp_hardening();
+}
+
asmlinkage void __exception do_el0_ia_bp_hardening(unsigned long addr,
unsigned int esr,
struct pt_regs *regs)
--
2.16.2.440.gc6284da
next prev parent reply other threads:[~2018-03-09 9:07 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-09 9:06 spectre backport for LTS 4.4 review Alex Shi
2018-03-09 9:06 ` [PATCH 01/39] mm: Introduce lm_alias Alex Shi
2018-03-09 9:06 ` [PATCH 02/39] arm64: barrier: Add CSDB macros to control data-value prediction Alex Shi
2018-03-09 9:06 ` [PATCH 03/39] arm64: Implement array_index_mask_nospec() Alex Shi
2018-03-09 9:06 ` [PATCH 04/39] arm64: move TASK_* definitions to <asm/processor.h> Alex Shi
2018-03-09 9:06 ` [PATCH 05/39] arm64: Make USER_DS an inclusive limit Alex Shi
2018-03-09 9:06 ` [PATCH 06/39] arm64: entry: Ensure branch through syscall table is bounded under speculation Alex Shi
2018-03-09 9:06 ` [PATCH 07/39] arm64: Use pointer masking to limit uaccess speculation Alex Shi
2018-03-09 9:06 ` [PATCH 08/39] arm64: uaccess: Prevent speculative use of the current addr_limit Alex Shi
2018-03-09 9:06 ` [PATCH 09/39] arm64: uaccess: Don't bother eliding access_ok checks in __{get, put}_user Alex Shi
2018-03-09 9:06 ` [PATCH 10/39] arm64: futex: Mask __user pointers prior to dereference Alex Shi
2018-03-09 9:06 ` [PATCH 11/39] drivers/firmware: Expose psci_get_version through psci_ops structure Alex Shi
2018-03-09 9:06 ` [PATCH 12/39] arm64: Move post_ttbr_update_workaround to C code Alex Shi
2018-03-09 9:06 ` [PATCH 13/39] arm64: Add skeleton to harden the branch predictor against aliasing attacks Alex Shi
2018-03-09 9:06 ` [PATCH 14/39] arm64: Move BP hardening to check_and_switch_context Alex Shi
2018-03-09 9:06 ` [PATCH 15/39] arm64: KVM: Use per-CPU vector when BP hardening is enabled Alex Shi
2018-03-09 9:06 ` [PATCH 16/39] arm64: entry: Apply BP hardening for high-priority synchronous exceptions Alex Shi
2018-03-09 9:07 ` Alex Shi [this message]
2018-03-09 9:07 ` [PATCH 18/39] arm64: cpu_errata: Allow an erratum to be match for all revisions of a core Alex Shi
2018-03-09 9:07 ` [PATCH 19/39] arm64: prefetch: add alternative pattern for CPUs without a prefetcher Alex Shi
2018-03-09 9:07 ` [PATCH 20/39] arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75 Alex Shi
2018-03-09 9:07 ` [PATCH 21/39] arm64: Implement branch predictor hardening for affected Cortex-A CPUs Alex Shi
2018-03-09 9:07 ` [PATCH 22/39] arm64: KVM: Increment PC after handling an SMC trap Alex Shi
2018-03-09 9:07 ` [PATCH 23/39] arm/arm64: KVM: Consolidate the PSCI include files Alex Shi
2018-03-09 9:07 ` [PATCH 24/39] arm/arm64: KVM: Add PSCI_VERSION helper Alex Shi
2018-03-09 9:07 ` [PATCH 25/39] arm/arm64: KVM: Add smccc accessors to PSCI code Alex Shi
2018-03-09 9:07 ` [PATCH 26/39] arm/arm64: KVM: Implement PSCI 1.0 support Alex Shi
2018-03-09 9:07 ` [PATCH 27/39] ARM: 8478/2: arm/arm64: add arm-smccc Alex Shi
2018-03-09 9:07 ` [PATCH 28/39] ARM: 8479/2: add implementation for arm-smccc Alex Shi
2018-03-09 9:07 ` [PATCH 29/39] ARM: 8480/2: arm64: " Alex Shi
2018-03-09 9:07 ` [PATCH 30/39] ARM: 8481/2: drivers: psci: replace psci firmware calls Alex Shi
2018-03-09 9:07 ` [PATCH 31/39] arm/arm64: KVM: Advertise SMCCC v1.1 Alex Shi
2018-03-09 9:07 ` [PATCH 32/39] arm/arm64: KVM: Turn kvm_psci_version into a static inline Alex Shi
2018-03-09 9:07 ` [PATCH 33/39] arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support Alex Shi
2018-03-09 9:07 ` [PATCH 34/39] arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling Alex Shi
2018-03-09 9:07 ` [PATCH 35/39] firmware/psci: Expose PSCI conduit Alex Shi
2018-03-09 9:07 ` [PATCH 36/39] firmware/psci: Expose SMCCC version through psci_ops Alex Shi
2018-03-09 9:07 ` [PATCH 37/39] arm/arm64: smccc: Make function identifiers an unsigned quantity Alex Shi
2018-03-09 9:07 ` [PATCH 38/39] arm/arm64: smccc: Implement SMCCC v1.1 inline primitive Alex Shi
2018-03-09 9:07 ` [PATCH 39/39] arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support Alex Shi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180309090722.26279-18-alex.shi@linaro.org \
--to=alex.shi@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).