From: Will Deacon <will.deacon@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org, catalin.marinas@arm.com,
mark.rutland@arm.com, ard.biesheuvel@linaro.org,
sboyd@codeaurora.org, dave.hansen@linux.intel.com,
keescook@chromium.org, msalter@redhat.com, labbott@redhat.com,
tglx@linutronix.de, Will Deacon <will.deacon@arm.com>
Subject: [PATCH v3 20/20] arm64: kaslr: Put kernel vectors address in separate data page
Date: Wed, 6 Dec 2017 12:35:39 +0000 [thread overview]
Message-ID: <1512563739-25239-21-git-send-email-will.deacon@arm.com> (raw)
In-Reply-To: <1512563739-25239-1-git-send-email-will.deacon@arm.com>
The literal pool entry for identifying the vectors base is the only piece
of information in the trampoline page that identifies the true location
of the kernel.
This patch moves it into its own page, which is mapped only by the full
kernel page table; this protects against any accidental leakage of the
trampoline contents.
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
---
arch/arm64/include/asm/fixmap.h | 1 +
arch/arm64/kernel/entry.S | 11 +++++++++++
arch/arm64/kernel/vmlinux.lds.S | 35 ++++++++++++++++++++++++++++-------
arch/arm64/mm/mmu.c | 10 +++++++++-
4 files changed, 49 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/include/asm/fixmap.h b/arch/arm64/include/asm/fixmap.h
index 8119b49be98d..ec1e6d6fa14c 100644
--- a/arch/arm64/include/asm/fixmap.h
+++ b/arch/arm64/include/asm/fixmap.h
@@ -59,6 +59,7 @@ enum fixed_addresses {
#endif /* CONFIG_ACPI_APEI_GHES */
#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+ FIX_ENTRY_TRAMP_DATA,
FIX_ENTRY_TRAMP_TEXT,
#define TRAMP_VALIAS (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT))
#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
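Review bot: The position of `FIX_ENTRY_TRAMP_DATA` directly before `FIX_ENTRY_TRAMP_TEXT` is load-bearing and nothing in the enum says so: on arm64 `__fix_to_virt` hands out fixmap slots downwards from FIXADDR_TOP, so the lower index lands one page above TRAMP_VALIAS, which is exactly where `adr x30, tramp_vectors + PAGE_SIZE` in the entry.S hunk expects to find the vectors pointer. Reordering the enum would silently make the trampoline dereference an unrelated or unmapped fixmap page. A comment on the new line, `/* must directly precede FIX_ENTRY_TRAMP_TEXT: entry.S reads it at tramp_vectors + PAGE_SIZE */`, would record the invariant, and a `BUILD_BUG_ON(__fix_to_virt(FIX_ENTRY_TRAMP_DATA) != TRAMP_VALIAS + PAGE_SIZE)` next to the `__set_fixmap(FIX_ENTRY_TRAMP_DATA, ...)` call in the mmu.c hunk would enforce it at build time. The enclosing `enum fixed_addresses` starts and ends outside the hunk.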
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 3eabcb194c87..a70c6dd2cc19 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -1030,7 +1030,13 @@ alternative_else_nop_endif
msr tpidrro_el0, x30 // Restored in kernel_ventry
.endif
tramp_map_kernel x30
+#ifdef CONFIG_RANDOMIZE_BASE
+ adr x30, tramp_vectors + PAGE_SIZE
+alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
+ ldr x30, [x30]
+#else
ldr x30, =vectors
+#endif
prfm plil1strm, [x30, #(1b - tramp_vectors)]
msr vbar_el1, x30
add x30, x30, #(1b - tramp_vectors)
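Review bot: The Falkor-only `isb` between `adr x30, tramp_vectors + PAGE_SIZE` and `ldr x30, [x30]` is uncommented, so a reader cannot tell why other cores may load from the data page straight after `tramp_map_kernel x30` without a context-synchronising event of their own. That load is presumably the first data access through the freshly switched TTBR1, and the data page exists only in the kernel page table, so the ordering is the point of the sequence; a one-line comment such as `// E1003: synchronise the TTBR1 switch before the first walk of the data page` (wording to be confirmed against the erratum workaround) would help. It is also worth noting at the `#else` branch that `ldr x30, =vectors` keeps the literal inside the trampoline page there because without CONFIG_RANDOMIZE_BASE the kernel's virtual address is not secret. The enclosing trampoline macro begins and ends outside the hunk.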
@@ -1073,6 +1079,11 @@ END(tramp_exit_compat)
.ltorg
.popsection // .entry.tramp.text
+#ifdef CONFIG_RANDOMIZE_BASE
+ .pushsection ".entry.tramp.data", "a" // .entry.tramp.data
+ .quad vectors
+ .popsection // .entry.tramp.data
+#endif /* CONFIG_RANDOMIZE_BASE */
#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
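Review bot: The new `.entry.tramp.data` section carries no comment explaining that it holds the only reference to the real `vectors` address and therefore must never be mapped by `tramp_pg_dir`, which is the whole reason it is a separate section rather than a literal in `.entry.tramp.text`. A comment above the `.pushsection`, e.g. `// Kernel-only page: holds the vectors address so the trampoline text leaks nothing about the kernel VA`, would make that invariant visible to whoever next touches the trampoline sections. The `"a"` flags (allocatable, no `w`) keep the section non-writable, which matches the `PAGE_KERNEL_RO` mapping in the mmu.c hunk.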
/*
diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
index 6b4260f22aab..976109b3ae51 100644
--- a/arch/arm64/kernel/vmlinux.lds.S
+++ b/arch/arm64/kernel/vmlinux.lds.S
@@ -58,15 +58,28 @@ jiffies = jiffies_64;
#endif
#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
-#define TRAMP_TEXT \
- . = ALIGN(PAGE_SIZE); \
- VMLINUX_SYMBOL(__entry_tramp_text_start) = .; \
- *(.entry.tramp.text) \
- . = ALIGN(PAGE_SIZE); \
+#define TRAMP_TEXT \
+ . = ALIGN(PAGE_SIZE); \
+ VMLINUX_SYMBOL(__entry_tramp_text_start) = .; \
+ *(.entry.tramp.text) \
+ . = ALIGN(PAGE_SIZE); \
VMLINUX_SYMBOL(__entry_tramp_text_end) = .;
+#ifdef CONFIG_RANDOMIZE_BASE
+#define TRAMP_DATA \
+ .entry.tramp.data : { \
+ . = ALIGN(PAGE_SIZE); \
+ VMLINUX_SYMBOL(__entry_tramp_data_start) = .; \
+ *(.entry.tramp.data) \
+ . = ALIGN(PAGE_SIZE); \
+ VMLINUX_SYMBOL(__entry_tramp_data_end) = .; \
+ }
+#else
+#define TRAMP_DATA
+#endif /* CONFIG_RANDOMIZE_BASE */
#else
#define TRAMP_TEXT
-#endif
+#define TRAMP_DATA
+#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
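Review bot: The five `TRAMP_TEXT` lines (old `-#define TRAMP_TEXT` through `- . = ALIGN(PAGE_SIZE);`) are removed and re-added with apparently identical content, which looks like a whitespace-only reindent mixed into a functional change; that inflates the hunk and hides the real addition, so it is better split into a separate cleanup patch or dropped. The `TRAMP_DATA` block itself reads fine: the two `ALIGN(PAGE_SIZE)` statements make the section a whole number of pages (one, given the single `.quad`), which the new `ASSERT` in the third hunk of this file pins down. A short comment above `#define TRAMP_DATA`, e.g. `/* one page holding the vectors address; mapped only by the kernel page table */`, would tie it to its consumer in entry.S.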
/*
* The size of the PE/COFF section that covers the kernel image, which
@@ -137,6 +150,7 @@ SECTIONS
RO_DATA(PAGE_SIZE) /* everything from this point to */
EXCEPTION_TABLE(8) /* __init_begin will be marked RO NX */
NOTES
+ TRAMP_DATA
. = ALIGN(SEGMENT_ALIGN);
__init_begin = .;
@@ -251,7 +265,14 @@ ASSERT(__idmap_text_end - (__idmap_text_start & ~(SZ_4K - 1)) <= SZ_4K,
ASSERT(__hibernate_exit_text_end - (__hibernate_exit_text_start & ~(SZ_4K - 1))
<= SZ_4K, "Hibernate exit text too big or misaligned")
#endif
-
+#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
+ASSERT((__entry_tramp_text_end - __entry_tramp_text_start) == PAGE_SIZE,
+ "Entry trampoline text too big")
+#ifdef CONFIG_RANDOMIZE_BASE
+ASSERT((__entry_tramp_data_end - __entry_tramp_data_start) == PAGE_SIZE,
+ "Entry trampoline data too big")
+#endif
+#endif
/*
* If padding is applied before .head.text, virt<->phys conversions will fail.
*/
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index fe68a48c64cb..916d9ced1c3f 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -541,8 +541,16 @@ static int __init map_entry_trampoline(void)
__create_pgd_mapping(tramp_pg_dir, pa_start, TRAMP_VALIAS, PAGE_SIZE,
prot, pgd_pgtable_alloc, 0);
- /* ...as well as the kernel page table */
+ /* Map both the text and data into the kernel page table */
__set_fixmap(FIX_ENTRY_TRAMP_TEXT, pa_start, prot);
+ if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) {
+ extern char __entry_tramp_data_start[];
+
+ __set_fixmap(FIX_ENTRY_TRAMP_DATA,
+ __pa_symbol(__entry_tramp_data_start),
+ PAGE_KERNEL_RO);
+ }
+
return 0;
}
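Review bot: `extern char __entry_tramp_data_start[];` is referenced under `IS_ENABLED(CONFIG_RANDOMIZE_BASE)` rather than `#ifdef`, so with KASLR off the translation unit still names a symbol the linker script no longer defines (`TRAMP_DATA` is empty in that configuration per the vmlinux.lds.S hunk), and linking succeeds only because the compiler discards the dead block; that is accepted kernel practice, but it deserves a one-line comment or a switch to `#ifdef CONFIG_RANDOMIZE_BASE`. Separately, the rewritten comment `/* Map both the text and data into the kernel page table */` sits above a `__set_fixmap` that maps only the text, with the data mapping following conditionally; `/* ...as well as the kernel page table (plus the data page under KASLR) */` would keep the sentence it presumably continues from the comment above the hunk. `map_entry_trampoline` begins outside the hunk.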
core_initcall(map_entry_trampoline);
--
2.1.4