Date: Mon, 3 Jun 2024 14:59:38 +0100
From: Will Deacon
To: Pierre-Clément Tosi
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, kvm@vger.kernel.org, Marc Zyngier, Oliver Upton, Suzuki K Poulose, Vincent Donnefort
Subject: Re: [PATCH v4 00/13] KVM: arm64: Add support for hypervisor kCFI
Message-ID: <20240603135937.GA19151@willie-the-truck>
In-Reply-To: <20240529121251.1993135-1-ptosi@google.com>

On Wed, May 29, 2024 at 01:12:06PM +0100, Pierre-Clément Tosi wrote:
> CONFIG_CFI_CLANG ("kernel Control Flow Integrity") makes the compiler inject
> runtime type checks before any indirect function call. On AArch64, it generates
> a BRK instruction to be executed on type mismatch and encodes the indices of the
> registers holding the branch target and expected type in the immediate of the
> instruction. As a result, a synchronous exception gets triggered on kCFI failure
> and the fault handler can retrieve the immediate (and indices) from ESR_ELx.
>
> This feature has been supported at EL1 ("host") since it was introduced by
> b26e484b8bb3 ("arm64: Add CFI error handling"), where cfi_handler() decodes
> ESR_EL1, giving informative panic messages such as
>
> [ 21.885179] CFI failure at lkdtm_indirect_call+0x2c/0x44 [lkdtm]
> (target: lkdtm_increment_int+0x0/0x1c [lkdtm]; expected type: 0x7e0c52a)
> [ 21.886593] Internal error: Oops - CFI: 0 [#1] PREEMPT SMP
>
> However, it is not or only partially supported at EL2: in nVHE (or pKVM),
> CONFIG_CFI_CLANG gets filtered out at build time, preventing the compiler from
> injecting the checks. In VHE, EL2 code gets compiled with the checks but the
> handlers in VBAR_EL2 are not aware of kCFI and will produce a generic and
> not-so-helpful panic message such as
>
> [ 36.456088][ T200] Kernel panic - not syncing: HYP panic:
> [ 36.456088][ T200] PS:204003c9 PC:ffffffc080092310 ESR:f2008228
> [ 36.456088][ T200] FAR:0000000081a50000 HPFAR:000000000081a500 PAR:1de7ec7edbadc0de
> [ 36.456088][ T200] VCPU:00000000e189c7cf
>
> To address this,
>
> - [01/13] fixes an existing bug where the ELR_EL2 was getting clobbered on
>   synchronous exceptions, causing the wrong "PC" to be reported by
>   nvhe_hyp_panic_handler() or __hyp_call_panic(). This is particularly limiting
>   for kCFI, as it would mask the location of the failed type check.
> - [02/13] fixes a minor C/asm ABI mismatch which would trigger a kCFI failure
> - [03/13] to [09/13] prepare nVHE for CONFIG_CFI_CLANG and [10/13] enables it
> - [11/13] improves kCFI error messages by saving then parsing the CPU context
> - [12/13] adds a kCFI test module for VHE and [13/13] extends it to nVHE & pKVM
>
> As a result, an informative kCFI panic message is printed by or on behalf of EL2
> giving the expected type and target address (possibly resolved to a symbol) for
> VHE, nVHE, and pKVM (iff CONFIG_NVHE_EL2_DEBUG=y).
>
> Note that kCFI errors remain fatal at EL2, even when CONFIG_CFI_PERMISSIVE=y.
>
> Changes in v4:
> - Addressed Will's comments on v3:

nit: but please keep reviewers on CC when you post a new version. I missed
this initially.

Will
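The cover letter quoted above describes how a kCFI failure on AArch64 reaches the fault handler: the compiler emits a BRK whose 16-bit immediate carries the indices of the registers holding the branch target and the expected type, and the handler reads that immediate back out of ESR_ELx. The following is an added example (not code from this patch series or from the kernel) that decodes such an ESR value the way the quoted text describes. It assumes the immediate layout used by the kernel's CFI_BRK_IMM_* definitions (base 0x8000, target register in imm[4:0], type register in imm[9:5]) and the BRK64 exception class 0x3c; the register file and its contents are constructed for the example. Fed the ESR from the VHE hyp panic quoted above (ESR:f2008228), it shows what the generic "HYP panic" message was hiding: a kCFI BRK naming x8 as the target register and x17 as the type register.

```c
/* Added example: decode the ESR_ELx recorded on a kCFI BRK and recover the
 * target address and expected type, as the cover letter describes the fault
 * handler doing. Field layout assumed from the kernel's CFI_BRK_IMM_*
 * definitions: imm16 = 0x8000 | (type_reg << 5) | target_reg. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ESR_EC_SHIFT        26
#define ESR_EC_MASK         0x3fULL
#define ESR_EC_BRK64        0x3c            /* BRK executed in AArch64 state */
#define ESR_BRK_COMMENT     0xffffULL       /* ISS[15:0] carries the BRK #imm16 */

#define CFI_BRK_IMM_BASE    0x8000
#define CFI_BRK_IMM_TARGET  0x1f            /* imm[4:0]: Xn holding the branch target */
#define CFI_BRK_IMM_TYPE    (0x1f << 5)     /* imm[9:5]: Xn holding the expected type */
#define CFI_BRK_IMM_MASK    (CFI_BRK_IMM_TARGET | CFI_BRK_IMM_TYPE)

struct cfi_fault {
    bool     is_cfi;      /* false when the ESR is not a kCFI BRK */
    unsigned target_reg;  /* index of the register holding the branch target */
    unsigned type_reg;    /* index of the register holding the expected type */
    uint64_t target;      /* address the indirect call was about to jump to */
    uint32_t type;        /* expected type hash (low 32 bits of type_reg) */
};

/* Is this ESR a BRK whose immediate lies in the kCFI range? */
bool esr_is_cfi_brk(uint64_t esr)
{
    unsigned ec = (esr >> ESR_EC_SHIFT) & ESR_EC_MASK;
    uint64_t imm = esr & ESR_BRK_COMMENT;

    return ec == ESR_EC_BRK64 &&
           (imm & ~(uint64_t)CFI_BRK_IMM_MASK) == CFI_BRK_IMM_BASE;
}

/* Read Xn from a saved register file; index 31 is XZR and reads as zero. */
static uint64_t read_reg(const uint64_t regs[31], unsigned n)
{
    return n < 31 ? regs[n] : 0;
}

/* Decode a kCFI fault from ESR_ELx plus the saved x0..x30. */
struct cfi_fault decode_cfi_fault(uint64_t esr, const uint64_t regs[31])
{
    struct cfi_fault f = {0};
    unsigned imm;

    if (!esr_is_cfi_brk(esr))
        return f;

    imm = esr & ESR_BRK_COMMENT;
    f.is_cfi = true;
    f.target_reg = imm & CFI_BRK_IMM_TARGET;
    f.type_reg = (imm & CFI_BRK_IMM_TYPE) >> 5;
    f.target = read_reg(regs, f.target_reg);
    f.type = (uint32_t)read_reg(regs, f.type_reg);
    return f;
}

/* Worked case: the ESR from the quoted hyp panic, with a constructed register
 * file in which x8 holds a made-up callee address and x17 the type hash quoted
 * in the cover letter's EL1 example. */
struct cfi_fault decode_hyp_panic_example(void)
{
    uint64_t regs[31] = {0};
    regs[8] = 0xffffffc080010000ULL;   /* constructed target address */
    regs[17] = 0x7e0c52aULL;           /* expected type hash from the page */
    return decode_cfi_fault(0xf2008228ULL, regs);
}

int main(void)
{
    struct cfi_fault f = decode_hyp_panic_example();

    if (f.is_cfi)
        printf("CFI failure (target: x%u = 0x%llx; expected type: 0x%x in x%u)\n",
               f.target_reg, (unsigned long long)f.target, f.type, f.type_reg);
    else
        printf("not a kCFI fault\n");
    return 0;
}
```

Only the ESR and the saved register file are needed, which is why the cover letter's [11/13] can produce the same kind of message at EL2 once the CPU context is saved before parsing; an ESR whose exception class is not BRK64, or whose immediate is outside the kCFI base range, is reported as not a kCFI fault rather than mis-decoded.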