linux-arm-kernel.lists.infradead.org archive mirror
From: Marc Zyngier <maz@kernel.org>
To: qixiang.xu@outlook.com
Cc: oliver.upton@linux.dev, will@kernel.org,
	linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] KVM: arm64: Make nVHE ASLR conditional on nokaslr
Date: Thu, 05 Sep 2024 09:11:11 +0100
Message-ID: <86mskmv7ts.wl-maz@kernel.org>
In-Reply-To: <SEZPR04MB631983048A8586896CEFE8829E9D2@SEZPR04MB6319.apcprd04.prod.outlook.com>

On Thu, 05 Sep 2024 07:30:26 +0100,
qixiang.xu@outlook.com wrote:
> 
> From: Qxiang Xu <qixiang.xu@outlook.com>
> 
> The random tag of hyp VA is determined by the `CONFIG_RANDOMIZE_BASE`
> option, so even if `nokaslr` is set in the cmdline, KASLR cannot be
> disabled for hyp VA. To align with kernel behavior, disable KASLR if
> the kernel cmdline includes `nokaslr`.
> 
> Link: https://lore.kernel.org/r/20240905061659.3410362-1-qixiang.xu@outlook.com

I get a 404.

> Signed-off-by: Qxiang Xu <qixiang.xu@outlook.com>
> ---
>  arch/arm64/kvm/va_layout.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/arm64/kvm/va_layout.c b/arch/arm64/kvm/va_layout.c
> index 91b22a014610..bebb4b1ddc82 100644
> --- a/arch/arm64/kvm/va_layout.c
> +++ b/arch/arm64/kvm/va_layout.c
> @@ -72,7 +72,7 @@ __init void kvm_compute_layout(void)
>  	va_mask = GENMASK_ULL(tag_lsb - 1, 0);
>  	tag_val = hyp_va_msb;
>  
> -	if (IS_ENABLED(CONFIG_RANDOMIZE_BASE) && tag_lsb != (vabits_actual - 1)) {
> +	if (kaslr_enabled() && tag_lsb != (vabits_actual - 1)) {
>  		/* We have some free bits to insert a random tag. */
>  		tag_val |= get_random_long() & GENMASK_ULL(vabits_actual - 2, tag_lsb);
>  	}
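Review bot: Switching the gate from IS_ENABLED(CONFIG_RANDOMIZE_BASE) to kaslr_enabled() drops the random hyp VA tag whenever the kernel reports KASLR as not in effect, which the commit message equates with `nokaslr` on the cmdline but which is the kernel's runtime KASLR state rather than that flag alone; as the reply below notes, on implementations affected by Spectre-v3a that tag is a mitigation, so this is a security-relevant behaviour change, not only an alignment with the kernel. Suggest gating it behind a dedicated new option rather than reusing kaslr_enabled(), and spelling out the Spectre-v3a impact in the commit message.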

This is a change in behaviour that would leave the 2 implementations
affected by Spectre-v3a unmitigated and leaking information to
*guests*, while they would have been safe until this change. Is this
what we really want to do?

This is also not disabling the whole thing, since we still do the
indirect vector dance.

So while I'm not opposed to having an option that disables the
randomisation, it has to match two requirements:

- it has to be a *new* option -- changing an existing behaviour is not
  acceptable,

- it has to disable both the VA alteration and the vector indirection.

Thanks,

	M.

-- 
Without deviation from the norm, progress is not possible.


Thread overview: 5+ messages
     [not found] <20240905061659.3410362-1-qixiang.xu@outlook.com>
2024-09-05  6:30 ` [PATCH 0/1] KVM: arm64: Make nVHE ASLR conditional on cmdline nokaslr qixiang.xu
     [not found] ` <20240905063026.3411766-1-qixiang.xu@outlook.com>
2024-09-05  6:30   ` [PATCH 1/1] KVM: arm64: Make nVHE ASLR conditional on nokaslr qixiang.xu
2024-09-05  8:11     ` Marc Zyngier [this message]
2024-09-06  7:19       ` Qixiang Xu
2024-09-06  7:47         ` Marc Zyngier