Date: Mon, 3 Jun 2024 15:45:30 +0100
From: Will Deacon
To: Pierre-Clément Tosi
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, kvm@vger.kernel.org, Marc Zyngier, Oliver Upton, Suzuki K Poulose, Vincent Donnefort
Subject: Re: [PATCH v4 10/13] KVM: arm64: nVHE: Support CONFIG_CFI_CLANG at EL2
Message-ID: <20240603144530.GK19151@willie-the-truck>
References: <20240529121251.1993135-1-ptosi@google.com> <20240529121251.1993135-11-ptosi@google.com>
In-Reply-To: <20240529121251.1993135-11-ptosi@google.com>

On Wed, May 29, 2024 at 01:12:16PM +0100, Pierre-Clément Tosi wrote:
> The compiler implements kCFI by adding type information (u32) above
> every function that might be indirectly called and, whenever a function
> pointer is called, injects a read-and-compare of that u32 against the
> value corresponding to the expected type. In case of a mismatch, a BRK
> instruction gets executed. When the hypervisor triggers such an
> exception in nVHE, it panics and triggers an exception return to EL1.
>
> Therefore, teach nvhe_hyp_panic_handler() to detect kCFI errors from the
> ESR and report them. If necessary, remind the user that EL2 kCFI is not
> affected by CONFIG_CFI_PERMISSIVE.
>
> Pass $(CC_FLAGS_CFI) to the compiler when building the nVHE hyp code.
> = > Use SYM_TYPED_FUNC_START() for __pkvm_init_switch_pgd, as nVHE can't > call it directly and must use a PA function pointer from C (because it > is part of the idmap page), which would trigger a kCFI failure if the > type ID wasn't present. > = > Signed-off-by: Pierre-Cl=E9ment Tosi > --- > arch/arm64/kvm/handle_exit.c | 10 ++++++++++ > arch/arm64/kvm/hyp/nvhe/Makefile | 6 +++--- > arch/arm64/kvm/hyp/nvhe/hyp-init.S | 6 +++++- > 3 files changed, 18 insertions(+), 4 deletions(-) > = > diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c > index b3d6657a259d..69b08ac7322d 100644 > --- a/arch/arm64/kvm/handle_exit.c > +++ b/arch/arm64/kvm/handle_exit.c > @@ -417,6 +417,14 @@ static void print_nvhe_hyp_panic(const char *name, u= 64 panic_addr) > (void *)(panic_addr + kaslr_offset())); > } > = > +static void kvm_nvhe_report_cfi_failure(u64 panic_addr) > +{ > + print_nvhe_hyp_panic("CFI failure", panic_addr); > + > + if (IS_ENABLED(CONFIG_CFI_PERMISSIVE)) > + kvm_err(" (CONFIG_CFI_PERMISSIVE ignored for hyp failures)\n"); > +} > + > void __noreturn __cold nvhe_hyp_panic_handler(u64 esr, u64 spsr, > u64 elr_virt, u64 elr_phys, > u64 par, uintptr_t vcpu, > @@ -446,6 +454,8 @@ void __noreturn __cold nvhe_hyp_panic_handler(u64 esr= , u64 spsr, > kvm_err("nVHE hyp BUG at: %s:%u!\n", file, line); > else > print_nvhe_hyp_panic("BUG", panic_addr); > + } else if (IS_ENABLED(CONFIG_CFI_CLANG) && esr_is_cfi_brk(esr)) { > + kvm_nvhe_report_cfi_failure(panic_addr); > } else { > print_nvhe_hyp_panic("panic", panic_addr); > } > diff --git a/arch/arm64/kvm/hyp/nvhe/Makefile b/arch/arm64/kvm/hyp/nvhe/M= akefile > index 50fa0ffb6b7e..782b34b004be 100644 > --- a/arch/arm64/kvm/hyp/nvhe/Makefile > +++ b/arch/arm64/kvm/hyp/nvhe/Makefile 
> @@ -89,9 +89,9 @@ quiet_cmd_hyprel =3D HYPREL $@ > quiet_cmd_hypcopy =3D HYPCOPY $@ > cmd_hypcopy =3D $(OBJCOPY) --prefix-symbols=3D__kvm_nvhe_ $< $@ > = > -# Remove ftrace, Shadow Call Stack, and CFI CFLAGS. > -# This is equivalent to the 'notrace', '__noscs', and '__nocfi' annotati= ons. > -KBUILD_CFLAGS :=3D $(filter-out $(CC_FLAGS_FTRACE) $(CC_FLAGS_SCS) $(CC_= FLAGS_CFI), $(KBUILD_CFLAGS)) > +# Remove ftrace and Shadow Call Stack CFLAGS. > +# This is equivalent to the 'notrace' and '__noscs' annotations. > +KBUILD_CFLAGS :=3D $(filter-out $(CC_FLAGS_FTRACE) $(CC_FLAGS_SCS), $(KB= UILD_CFLAGS)) > # Starting from 13.0.0 llvm emits SHT_REL section '.llvm.call-graph-prof= ile' > # when profile optimization is applied. gen-hyprel does not support SHT_= REL and > # causes a build failure. Remove profile optimization flags. > diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-init.S b/arch/arm64/kvm/hyp/nvhe= /hyp-init.S > index d859c4de06b6..b1c8977e2812 100644 > --- a/arch/arm64/kvm/hyp/nvhe/hyp-init.S > +++ b/arch/arm64/kvm/hyp/nvhe/hyp-init.S > @@ -5,6 +5,7 @@ > */ > = > #include > +#include > #include > = > #include > @@ -267,8 +268,11 @@ SYM_CODE_END(__kvm_handle_stub_hvc) > = > /* > * void __pkvm_init_switch_pgd(phys_addr_t pgd, void *sp, void (*fn)(voi= d)); > + * > + * SYM_TYPED_FUNC_START() allows C to call this ID-mapped function indir= ectly > + * using a physical pointer without triggering a kCFI failure. > */ > -SYM_FUNC_START(__pkvm_init_switch_pgd) > +SYM_TYPED_FUNC_START(__pkvm_init_switch_pgd) > /* Turn the MMU off */ > pre_disable_mmu_workaround > mrs x9, sctlr_el2 I still think this last hunk should be merged with the earlier patch fixing up the prototype of __pkvm_init_switch_pgd(). With that: Acked-by: Will Deacon Will _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
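Review bot: nit on the new kvm_nvhe_report_cfi_failure() in the first handle_exit.c hunk: the format string `" (CONFIG_CFI_PERMISSIVE ignored for hyp failures)\n"` starts with a space, and since kvm_err() already prepends its own `kvm [pid]: ` prefix the line will render with a double space; drop the leading space, or fold the hint into the name passed to print_nvhe_hyp_panic() so it lands on the same line as the "CFI failure" report.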
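Review bot: in the second handle_exit.c hunk, `else if (IS_ENABLED(CONFIG_CFI_CLANG) && esr_is_cfi_brk(esr))` is still compiled when CONFIG_CFI_CLANG=n (IS_ENABLED() is a constant expression, not a preprocessor guard), so the build depends on esr_is_cfi_brk() being declared unconditionally; worth confirming for the !CFI configuration. Also, the report can only show panic_addr, i.e. the location of the BRK at the indirect call site: the handler's signature (esr, spsr, elr_virt, elr_phys, par, vcpu, ...) carries no general-purpose register state, so the mismatching target and expected type cannot be named here. A one-line comment next to the call saying that only the call site is reported would save the next reader from looking for them.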
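Review bot: with $(CC_FLAGS_CFI) no longer filtered out in the Makefile hunk, every hyp C translation unit now gets kCFI checks, so the prerequisite is that every function reached through a function pointer from hyp C carries a type ID. The commit message and the hyp-init.S hunk cover __pkvm_init_switch_pgd; it would help to state in the commit message whether any other assembly entry point in the nVHE object is called indirectly from C, or that this is the only such case, so the change is auditable without re-reading all of the hyp assembly.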
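The classification that the new handle_exit.c branch relies on, modelled in user-space C as an added example (this is not code from the patch or from the kernel tree). It reproduces the esr_is_cfi_brk() test the hunk calls and shows how a kCFI BRK is told apart from a BUG() BRK and from an ordinary exception. The register layout and immediates (ESR_ELx_EC_BRK64, BUG_BRK_IMM, CFI_BRK_IMM_BASE/TARGET/TYPE) are written from my reading of arch/arm64/include/asm/esr.h and asm/brk-imm.h and should be treated as assumptions to check against the tree under review; the ESR values fed to it are constructed test inputs.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed constants (see lead-in): ESR_EL2 exception class field and the
 * BRK immediates used by BUG() and by the compiler's kCFI check.
 */
#define ESR_ELx_EC_SHIFT                26
#define ESR_ELx_EC_MASK                 0x3fULL
#define ESR_ELx_EC_BRK64                0x3c
#define ESR_ELx_BRK64_ISS_COMMENT_MASK  0xffff

#define BUG_BRK_IMM         0x800   /* BRK immediate used by BUG()/WARN() */
#define CFI_BRK_IMM_TARGET  0x001f  /* bits [4:0]: Xn holding the call target */
#define CFI_BRK_IMM_TYPE    0x03e0  /* bits [9:5]: Xn holding the expected type hash */
#define CFI_BRK_IMM_BASE    0x8000
#define CFI_BRK_IMM_MASK    (CFI_BRK_IMM_TARGET | CFI_BRK_IMM_TYPE)

static inline unsigned int esr_ec(uint64_t esr)
{
    return (unsigned int)((esr >> ESR_ELx_EC_SHIFT) & ESR_ELx_EC_MASK);
}

/* The 16-bit immediate of the BRK instruction, as reported in ESR ISS. */
static inline unsigned int esr_comment(uint64_t esr)
{
    return (unsigned int)(esr & ESR_ELx_BRK64_ISS_COMMENT_MASK);
}

/* Is this ESR a BRK emitted by the compiler for a kCFI type mismatch? */
bool esr_is_cfi_brk(uint64_t esr)
{
    return esr_ec(esr) == ESR_ELx_EC_BRK64 &&
           (esr_comment(esr) & ~CFI_BRK_IMM_MASK) == CFI_BRK_IMM_BASE;
}

/* Is this ESR the BRK emitted by BUG()? */
bool esr_is_bug_brk(uint64_t esr)
{
    return esr_ec(esr) == ESR_ELx_EC_BRK64 && esr_comment(esr) == BUG_BRK_IMM;
}

/* For a kCFI BRK, which Xn registers the immediate points at. */
int cfi_brk_target_reg(uint64_t esr) { return (int)(esr_comment(esr) & CFI_BRK_IMM_TARGET); }
int cfi_brk_type_reg(uint64_t esr)   { return (int)((esr_comment(esr) & CFI_BRK_IMM_TYPE) >> 5); }

/* Build a constructed ESR for a BRK64 with the given immediate (IL bit set: 32-bit insn). */
uint64_t make_brk64_esr(unsigned int imm16)
{
    return ((uint64_t)ESR_ELx_EC_BRK64 << ESR_ELx_EC_SHIFT) | (1ULL << 25) | (imm16 & 0xffffu);
}

/* Same decision order as nvhe_hyp_panic_handler() after the patch: BUG, then kCFI, then panic. */
const char *classify_hyp_panic(uint64_t esr)
{
    if (esr_is_bug_brk(esr))
        return "BUG";
    if (esr_is_cfi_brk(esr))
        return "CFI failure";
    return "panic";
}

int main(void)
{
    /* Constructed kCFI BRK: target pointer in x9, expected type hash in x17. */
    uint64_t cfi = make_brk64_esr(CFI_BRK_IMM_BASE | (17u << 5) | 9u);
    printf("%s (target in x%d, type in x%d)\n", classify_hyp_panic(cfi),
           cfi_brk_target_reg(cfi), cfi_brk_type_reg(cfi));
    printf("%s\n", classify_hyp_panic(make_brk64_esr(BUG_BRK_IMM)));
    printf("%s\n", classify_hyp_panic(0x96000004ULL)); /* constructed: a data abort, not a BRK */
    return 0;
}
```

The point of the model is the order of the tests and the mask: a kCFI BRK is recognised by its upper bits alone, because the low ten bits of the immediate vary with which registers the compiler chose for the target and the type hash, so a plain equality test (as used for BUG_BRK_IMM) would miss most of them.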