Date: Wed, 18 Nov 2020 16:04:58 +0000
From: Catalin Marinas
To: Vladimir Murzin
Subject: Re: [RFC PATCH 1/2] arm64: Support execute-only permissions with Enhanced PAN
Cc: keescook@chromium.org, linux-arm-kernel@lists.infradead.org

On Wed, Nov 18, 2020 at 12:37:40PM +0000, Vladimir Murzin wrote:
> On 11/17/20 4:48 PM, Catalin Marinas wrote:
> > On Fri, Nov 13, 2020 at 03:20:22PM +0000, Vladimir Murzin wrote:
> >> diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h > >> index 4ff12a7..d1f68d2 100644 > >> --- a/arch/arm64/include/asm/pgtable.h > >> +++ b/arch/arm64/include/asm/pgtable.h 
> >> @@ -113,8 +113,15 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)]; > >> #define pte_dirty(pte) (pte_sw_dirty(pte) || pte_hw_dirty(pte)) > >> > >> #define pte_valid(pte) (!!(pte_val(pte) & PTE_VALID)) > >> -#define pte_valid_not_user(pte) \ > >> - ((pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID) > >> +#define pte_valid_not_user(pte) \ > >> +({ \ > >> + int __val; \ > >> + if (cpus_have_const_cap(ARM64_HAS_EPAN)) \ > >> + __val = (pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN); \ > >> + else \ > >> + __val = (pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID; \ > >> + __val; \
> >
> > Is it worth having the cap check here? I'd go with the PTE_VALID|PTE_UXN
> > check only.
>
> I do not know to be honest. I do not have full picture in mind and
> what could be side effects of the change (that's why RFC).
> 24cecc377463 the PTE_VALID|PTE_UXN moved to PTE_VALID, so I decided to
> be safe than sorry...

A user has access to a page if it has PTE_VALID && (PTE_USER || !PTE_UXN) (wrong use of the logic operators but you get the idea). So negating the user part in the above expression, pte_valid_not_user() means PTE_VALID && !PTE_USER && PTE_UXN. Prior to these patches (or the old exec-only), we can't have PTE_UXN and PTE_USER both cleared, this is introduced by PAGE_EXECONLY. IOW, without EPAN, !PTE_USER implies PTE_UXN, so we can use the same check as for the EPAN case.

> >> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c > >> index dcc165b..2033e0b 100644 > >> --- a/arch/arm64/kernel/cpufeature.c > >> +++ b/arch/arm64/kernel/cpufeature.c 
> >> @@ -1602,6 +1602,13 @@ static void cpu_enable_pan(const struct arm64_cpu_capabilities *__unused) > >> } > >> #endif /* CONFIG_ARM64_PAN */ > >> > >> +#ifdef CONFIG_ARM64_EPAN > >> +static void cpu_enable_epan(const struct arm64_cpu_capabilities *__unused) > >> +{ > >> + sysreg_clear_set(sctlr_el1, 0, SCTLR_EL1_EPAN); > >> +} > >> +#endif /* CONFIG_ARM64_EPAN */
> >
> > I checked the spec (2020 arch updates) and the EPAN bit is permitted to
> > be cached in the TLB. I think we get away with this because this
> > function is called before cnp is enabled. Maybe we should make it
> > explicit and move the CnP entry last with a comment.
>
> Hmm, so we rely on CnP's enable method to (indirectly) involve
> local_flush_tlb_all()? It doesn't seem robust since CONFIG_ARM64_CNP
> could be unset. I can add local_flush_tlb_all() into cpu_enable_epan()
> or we can have something like

A local_flush_tlb_all() in cpu_enable_epan() would be fine before user space starts. However, a late CPU bring-up may cause a temporary disabling of EPAN in the sibling core if CnP is enabled first.

> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c > index bb2016c..0f0a27b 100644 > --- a/arch/arm64/kernel/cpufeature.c > +++ b/arch/arm64/kernel/cpufeature.c > @@ -2416,6 +2416,8 @@ static int cpu_enable_non_boot_scope_capabilities(void *__unused) > if (cap->cpu_enable) > cap->cpu_enable(cap); > } > + > + local_flush_tlb_all(); > return 0; > } 
> > @@ -2467,6 +2469,8 @@ static void __init enable_cpu_capabilities(u16 scope_mask) > if (!boot_scope) > stop_machine(cpu_enable_non_boot_scope_capabilities, > NULL, cpu_online_mask); > + else > + local_flush_tlb_all(); > }

Any local TLBI would clear the mismatch but it doesn't solve the temporary difference between sibling cores. I think the only guarantee here is if CnP is turned on after the feature in question.

-- 
Catalin
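
Review bot: in the pte_valid_not_user() hunk (arch/arm64/include/asm/pgtable.h), the cpus_have_const_cap(ARM64_HAS_EPAN) branch looks unnecessary. As the reply works out, without exec-only mappings a PTE with PTE_USER clear always has PTE_UXN set, so the EPAN expression gives the same answer in both cases. Suggest dropping the statement expression and `int __val` and keeping the single test `(pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN)`, with a comment above the macro saying that a valid PTE with PTE_USER and PTE_UXN both clear is a user execute-only page and must not be treated as kernel-only.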
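
Review bot: cpu_enable_epan() in the first cpufeature.c hunk (@@ -1602) sets SCTLR_EL1_EPAN with sysreg_clear_set() and carries no comment about ordering or TLB maintenance. The thread notes that the EPAN bit is permitted to be cached in the TLB and that this currently works only because the function runs before CnP is enabled. Suggest recording that dependency in a comment on the function so a later reordering of the enable calls does not silently break it.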
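
Review bot: the local_flush_tlb_all() added after the loop in cpu_enable_non_boot_scope_capabilities() (@@ -2416) is unconditional and uncommented, so nothing records which capability needs it or why. Add a comment naming the reason (a control bit such as EPAN may be cached in the TLB), and note the limit raised in the reply: a local TLBI clears the mismatch on this CPU but does not cover the window in which sibling cores differ when CnP is enabled first.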
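
Review bot: in enable_cpu_capabilities() (@@ -2467), the new `else` branch calling local_flush_tlb_all() covers only the boot-scope path and relies on the flush added inside cpu_enable_non_boot_scope_capabilities() for the other path, and neither site documents that pairing. A short comment at the `else` saying that the stop_machine() callback performs the equivalent flush on each online CPU would keep the two from drifting apart.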
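
The equivalence argued in the reply above, checked exhaustively over the three bits involved. This is an added example, not code from the patch or the kernel; the bit positions and the helper names (user_accessible, not_user_old, not_user_epan, count_wrong) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions are assumptions for this sketch; only distinctness matters. */
#define PTE_VALID (UINT64_C(1) << 0)
#define PTE_USER  (UINT64_C(1) << 6)
#define PTE_UXN   (UINT64_C(1) << 54)

/* Model from the reply: user space reaches a valid page it can read or execute. */
static bool user_accessible(uint64_t pte)
{
    return (pte & PTE_VALID) && ((pte & PTE_USER) || !(pte & PTE_UXN));
}

/* Test on the '-' lines of the pgtable.h hunk. */
static bool not_user_old(uint64_t pte)
{
    return (pte & (PTE_VALID | PTE_USER)) == PTE_VALID;
}

/* Test on the EPAN branch of the same hunk. */
static bool not_user_epan(uint64_t pte)
{
    return (pte & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN);
}

/* Count bit combinations where the chosen test differs from "valid and not
 * user accessible"; legacy_only skips the exec-only encoding (USER, UXN clear). */
static int count_wrong(bool use_epan_test, bool legacy_only)
{
    int wrong = 0;
    for (unsigned m = 0; m < 8; m++) {
        uint64_t pte = ((m & 1) ? PTE_VALID : 0) | ((m & 2) ? PTE_USER : 0) |
                       ((m & 4) ? PTE_UXN : 0);
        bool want = (pte & PTE_VALID) && !user_accessible(pte);
        bool got = use_epan_test ? not_user_epan(pte) : not_user_old(pte);
        if (legacy_only && !(pte & (PTE_USER | PTE_UXN)))
            continue;
        wrong += (got != want);
    }
    return wrong;
}

int main(void)
{
    printf("old/all=%d old/legacy=%d epan/all=%d\n", count_wrong(false, false),
           count_wrong(false, true), count_wrong(true, false));
    return 0;
}
```

The one encoding the old test gets wrong is a valid PTE with PTE_USER and PTE_UXN both clear, which is the exec-only user page.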