From: David Long <dave.long@linaro.org>
To: stable@vger.kernel.org,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Florian Fainelli <f.fainelli@gmail.com>,
Tony Lindgren <tony@atomide.com>,
Marc Zyngier <marc.zyngier@arm.com>,
Mark Rutland <mark.rutland@arm.com>
Cc: Greg KH <gregkh@linuxfoundation.org>, Mark Brown <broonie@kernel.org>
Subject: [PATCH 4.9 V2 11/24] ARM: KVM: invalidate BTB on guest exit for Cortex-A12/A17
Date: Wed, 7 Nov 2018 11:43:49 -0500
Message-ID: <20181107164402.9380-12-dave.long@linaro.org>
In-Reply-To: <20181107164402.9380-1-dave.long@linaro.org>
From: Marc Zyngier <marc.zyngier@arm.com>
Commit 3f7e8e2e1ebda787f156ce46e3f0a9ce2833fa4f upstream.
In order to avoid aliasing attacks against the branch predictor,
let's invalidate the BTB on guest exit. This is made complicated
by the fact that we cannot take a branch before invalidating the
BTB.
We only apply this to A12 and A17, which are the only two ARM
cores on which this is useful.
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Boot-tested-by: Tony Lindgren <tony@atomide.com>
Reviewed-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: David A. Long <dave.long@linaro.org>
---
arch/arm/include/asm/kvm_asm.h | 2 -
arch/arm/include/asm/kvm_mmu.h | 17 +++++++-
arch/arm/kvm/hyp/hyp-entry.S | 71 +++++++++++++++++++++++++++++++++-
3 files changed, 85 insertions(+), 5 deletions(-)
diff --git a/arch/arm/include/asm/kvm_asm.h b/arch/arm/include/asm/kvm_asm.h
index 8ef05381984b..24f3ec7c9fbe 100644
--- a/arch/arm/include/asm/kvm_asm.h
+++ b/arch/arm/include/asm/kvm_asm.h
@@ -61,8 +61,6 @@ struct kvm_vcpu;
extern char __kvm_hyp_init[];
extern char __kvm_hyp_init_end[];
-extern char __kvm_hyp_vector[];
-
extern void __kvm_flush_vm_context(void);
extern void __kvm_tlb_flush_vmid_ipa(struct kvm *kvm, phys_addr_t ipa);
extern void __kvm_tlb_flush_vmid(struct kvm *kvm);
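Review bot: dropping `extern char __kvm_hyp_vector[];` from the shared header leaves no file-scope declaration for a symbol that other arch/arm code may still reference; the hunk only shows the header, so please confirm that kvm_get_hyp_vector() is now the sole user (the replacement block-scoped declaration covers only that function), otherwise this fails to build.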
diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h
index e2f05cedaf97..625edef2a54f 100644
--- a/arch/arm/include/asm/kvm_mmu.h
+++ b/arch/arm/include/asm/kvm_mmu.h
@@ -248,7 +248,22 @@ static inline int kvm_read_guest_lock(struct kvm *kvm,
static inline void *kvm_get_hyp_vector(void)
{
- return kvm_ksym_ref(__kvm_hyp_vector);
+ switch(read_cpuid_part()) {
+#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
+ case ARM_CPU_PART_CORTEX_A12:
+ case ARM_CPU_PART_CORTEX_A17:
+ {
+ extern char __kvm_hyp_vector_bp_inv[];
+ return kvm_ksym_ref(__kvm_hyp_vector_bp_inv);
+ }
+
+#endif
+ default:
+ {
+ extern char __kvm_hyp_vector[];
+ return kvm_ksym_ref(__kvm_hyp_vector);
+ }
+ }
}
static inline int kvm_map_vectors(void)
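Review bot: style nits in kvm_get_hyp_vector(): `switch(read_cpuid_part()) {` needs a space after `switch` per kernel coding style, and the blank line between the closing `}` of the A12/A17 case and `#endif` is stray. The block-scoped `extern char __kvm_hyp_vector_bp_inv[];` / `extern char __kvm_hyp_vector[];` inside a static inline in a header are unusual; if they are intentional (to keep the symbols out of the namespace of every includer), a one-line comment saying so would help, since the previous revision declared `__kvm_hyp_vector` at file scope in kvm_asm.h.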
diff --git a/arch/arm/kvm/hyp/hyp-entry.S b/arch/arm/kvm/hyp/hyp-entry.S
index 96beb53934c9..58ec002721a1 100644
--- a/arch/arm/kvm/hyp/hyp-entry.S
+++ b/arch/arm/kvm/hyp/hyp-entry.S
@@ -71,6 +71,66 @@ __kvm_hyp_vector:
W(b) hyp_irq
W(b) hyp_fiq
+#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
+ .align 5
+__kvm_hyp_vector_bp_inv:
+ .global __kvm_hyp_vector_bp_inv
+
+ /*
+ * We encode the exception entry in the bottom 3 bits of
+ * SP, and we have to guarantee to be 8 bytes aligned.
+ */
+ W(add) sp, sp, #1 /* Reset 7 */
+ W(add) sp, sp, #1 /* Undef 6 */
+ W(add) sp, sp, #1 /* Syscall 5 */
+ W(add) sp, sp, #1 /* Prefetch abort 4 */
+ W(add) sp, sp, #1 /* Data abort 3 */
+ W(add) sp, sp, #1 /* HVC 2 */
+ W(add) sp, sp, #1 /* IRQ 1 */
+ W(nop) /* FIQ 0 */
+
+ mcr p15, 0, r0, c7, c5, 6 /* BPIALL */
+ isb
+
+#ifdef CONFIG_THUMB2_KERNEL
+ /*
+ * Yet another silly hack: Use VPIDR as a temp register.
+ * Thumb2 is really a pain, as SP cannot be used with most
+ * of the bitwise instructions. The vect_br macro ensures
+ * things gets cleaned-up.
+ */
+ mcr p15, 4, r0, c0, c0, 0 /* VPIDR */
+ mov r0, sp
+ and r0, r0, #7
+ sub sp, sp, r0
+ push {r1, r2}
+ mov r1, r0
+ mrc p15, 4, r0, c0, c0, 0 /* VPIDR */
+ mrc p15, 0, r2, c0, c0, 0 /* MIDR */
+ mcr p15, 4, r2, c0, c0, 0 /* VPIDR */
+#endif
+
+.macro vect_br val, targ
+ARM( eor sp, sp, #\val )
+ARM( tst sp, #7 )
+ARM( eorne sp, sp, #\val )
+
+THUMB( cmp r1, #\val )
+THUMB( popeq {r1, r2} )
+
+ beq \targ
+.endm
+
+ vect_br 0, hyp_fiq
+ vect_br 1, hyp_irq
+ vect_br 2, hyp_hvc
+ vect_br 3, hyp_dabt
+ vect_br 4, hyp_pabt
+ vect_br 5, hyp_svc
+ vect_br 6, hyp_undef
+ vect_br 7, hyp_reset
+#endif
+
.macro invalid_vector label, cause
.align
\label: mov r0, #\cause
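Review bot: the Thumb-2 scratch-register trick restores VPIDR from MIDR (`mrc p15, 0, r2, c0, c0, 0 /* MIDR */` followed by `mcr p15, 4, r2, c0, c0, 0 /* VPIDR */`) rather than from the value it held before `mcr p15, 4, r0, c0, c0, 0`, so the sequence silently relies on the host always programming VPIDR equal to MIDR; please spell that invariant out in the comment above it, because any future path that sets a different VPIDR for a guest would have it reset here. Two smaller points: the BPIALL `mcr p15, 0, r0, c7, c5, 6` is issued while r0 still holds the guest's value, which is fine only because the register operand is ignored for BPIALL, and a short comment would save the next reader from checking; and the `vect_br` macro's `beq \targ` is deliberately the first branch after the `isb`, which is the whole point of the SP-encoding dance and deserves a sentence in the block comment at the top of `__kvm_hyp_vector_bp_inv`.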
@@ -131,7 +191,14 @@ hyp_hvc:
mrceq p15, 4, r0, c12, c0, 0 @ get HVBAR
beq 1f
- push {lr}
+ /*
+ * Pushing r2 here is just a way of keeping the stack aligned to
+ * 8 bytes on any path that can trigger a HYP exception. Here,
+ * we may well be about to jump into the guest, and the guest
+ * exit would otherwise be badly decoded by our fancy
+ * "decode-exception-without-a-branch" code...
+ */
+ push {r2, lr}
mov lr, r0
mov r0, r1
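Review bot: the comment above `push {r2, lr}` explains the 8-byte alignment requirement well, but it should also say that hyp_hvc is the only HYP path that pushes onto this stack before re-entering the guest; any other single-register push on a path that can take a HYP exception would break the bottom-3-bits decode in `__kvm_hyp_vector_bp_inv` in exactly the same way, and the `beq 1f` path just above that skips the push is the one to keep in mind when auditing that.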
@@ -141,7 +208,7 @@ hyp_hvc:
THUMB( orr lr, #1)
blx lr @ Call the HYP function
- pop {lr}
+ pop {r2, lr}
1: eret
guest_trap:
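Review bot: `pop {r2, lr}` restores the pre-call r2 after `blx lr`, so any value the called HYP function leaves in r2 is discarded; that is fine as long as every function reachable through this `blx lr` returns only in r0, and it is worth confirming that and noting it next to the pop, since a reader sees only the matching push comment saying r2 is padding.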
--
2.17.1