Re: [PATCH v3 10/17] xen/arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support

From: Andre Przywara <andre.przywara@linaro.org>
To: Julien Grall <julien.grall@arm.com>, xen-devel@lists.xen.org
Cc: sstabellini@kernel.org, volodymyr_babchuk@epam.com
Subject: Re: [PATCH v3 10/17] xen/arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
Date: Wed, 21 Feb 2018 16:07:35 +0000	[thread overview]
Message-ID: <707e4b88-9da9-89a9-7f4e-ccb72682c211@linaro.org> (raw)
In-Reply-To: <20180215150248.28922-11-julien.grall@arm.com>

Hi,

On 15/02/18 15:02, Julien Grall wrote:
> Add the detection and runtime code for ARM_SMCCC_ARCH_WORKAROUND_1.
> 
> Signed-off-by: Julien Grall <julien.grall@arm.com>
> 
> ---
>     Changes in v3:
>         - Add the missing call to smc #0.
> 
>     Changes in v2:
>         - Patch added
> ---
>  xen/arch/arm/arm64/bpi.S    | 13 +++++++++++++
>  xen/arch/arm/cpuerrata.c    | 32 +++++++++++++++++++++++++++++++-
>  xen/include/asm-arm/smccc.h |  1 +
>  3 files changed, 45 insertions(+), 1 deletion(-)
> 
> diff --git a/xen/arch/arm/arm64/bpi.S b/xen/arch/arm/arm64/bpi.S
> index 4b7f1dc21f..981fb83a88 100644
> --- a/xen/arch/arm/arm64/bpi.S
> +++ b/xen/arch/arm/arm64/bpi.S
> @@ -16,6 +16,8 @@
>   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
>   */
>  
> +#include <asm/smccc.h>
> +
>  .macro ventry target
>      .rept 31
>      nop
> @@ -81,6 +83,17 @@ ENTRY(__psci_hyp_bp_inval_start)
>      add     sp, sp, #(8 * 18)
>  ENTRY(__psci_hyp_bp_inval_end)
>  
> +ENTRY(__smccc_workaround_1_smc_start)
> +    sub     sp, sp, #(8 * 4)
> +    stp     x2, x3, [sp, #(8 * 0)]
> +    stp     x0, x1, [sp, #(8 * 2)]
> +    mov     w0, #ARM_SMCCC_ARCH_WORKAROUND_1_FID
> +    smc     #0
> +    ldp     x2, x3, [sp, #(8 * 0)]
> +    ldp     x0, x1, [sp, #(8 * 2)]

I was expecting the restore to *mirror* the saving order, so x0, x1
first, then x2, x3. The code you have is correct, but somewhat
surprising. I wonder if you could just swap those two lines.

Or even better: you swap the store commands above, so that they match
what a push sequence would look like (higher addresses first).

> +    add     sp, sp, #(8 * 4)
> +ENTRY(__smccc_workaround_1_smc_end)
> +
>  /*
>   * Local variables:
>   * mode: ASM
> diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c
> index 8d5f8d372a..dec9074422 100644
> --- a/xen/arch/arm/cpuerrata.c
> +++ b/xen/arch/arm/cpuerrata.c
> @@ -147,6 +147,34 @@ install_bp_hardening_vec(const struct arm_cpu_capabilities *entry,
>      return ret;
>  }
>  
> +extern char __smccc_workaround_1_smc_start[], __smccc_workaround_1_smc_end[];
> +
> +static bool
> +check_smccc_arch_workaround_1(const struct arm_cpu_capabilities *entry)
> +{
> +    struct arm_smccc_res res;
> +
> +    /*
> +     * Enable callbacks are called on every CPU based on the
> +     * capabilities. So double-check whether the CPU matches the
> +     * entry.
> +     */
> +    if ( !entry->matches(entry) )
> +        return false;
> +
> +    if ( smccc_ver < SMCCC_VERSION(1, 1) )
> +        return false;
> +

I guess we are calling the actual workaround function here to ultimately
know if that is implemented? And we know that this function isn't
harmful to call in any case?
Can you add a comment stating this here? Otherwise it's slightly
confusing to see the actual call in the function actually called check_
and installing the workaround.

Cheers,
Andre.

> +    arm_smccc_1_1_smc(ARM_SMCCC_ARCH_FEATURES_FID,
> +                      ARM_SMCCC_ARCH_WORKAROUND_1_FID, &res);
> +    if ( res.a0 != ARM_SMCCC_SUCCESS )
> +        return false;
> +
> +    return install_bp_hardening_vec(entry,__smccc_workaround_1_smc_start,
> +                                    __smccc_workaround_1_smc_end,
> +                                    "call ARM_SMCCC_ARCH_WORKAROUND_1");
> +}
> +
>  extern char __psci_hyp_bp_inval_start[], __psci_hyp_bp_inval_end[];
>  
>  static int enable_psci_bp_hardening(void *data)
> @@ -154,12 +182,14 @@ static int enable_psci_bp_hardening(void *data)
>      bool ret = true;
>      static bool warned = false;
>  
> +    if ( check_smccc_arch_workaround_1(data) )
> +        return 0;
>      /*
>       * The mitigation is using PSCI version function to invalidate the
>       * branch predictor. This function is only available with PSCI 0.2
>       * and later.
>       */
> -    if ( psci_ver >= PSCI_VERSION(0, 2) )
> +    else if ( psci_ver >= PSCI_VERSION(0, 2) )
>          ret = install_bp_hardening_vec(data, __psci_hyp_bp_inval_start,
>                                         __psci_hyp_bp_inval_end,
>                                         "call PSCI get version");
> diff --git a/xen/include/asm-arm/smccc.h b/xen/include/asm-arm/smccc.h
> index 154772b728..8342cc33fe 100644
> --- a/xen/include/asm-arm/smccc.h
> +++ b/xen/include/asm-arm/smccc.h
> @@ -261,6 +261,7 @@ struct arm_smccc_res {
>  /* SMCCC error codes */
>  #define ARM_SMCCC_ERR_UNKNOWN_FUNCTION  (-1)
>  #define ARM_SMCCC_NOT_SUPPORTED         (-1)
> +#define ARM_SMCCC_SUCCESS               (0)
>  
>  /* SMCCC function identifier range which is reserved for existing APIs */
>  #define ARM_SMCCC_RESERVED_RANGE_START  0x0
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel