From patchwork Tue Jan 16 14:23:37 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Julien Grall X-Patchwork-Id: 124721 Delivered-To: patch@linaro.org Received: by 10.46.64.148 with SMTP id r20csp1031524lje; Tue, 16 Jan 2018 06:26:16 -0800 (PST) X-Google-Smtp-Source: ACJfBosypnisZHvNiOWxzhhr8hsADJU6sLgskrF3ZiQ1G3lLIwgSoZCp4Lj8JAZ5McNh3tOr8PQi X-Received: by 10.36.189.134 with SMTP id x128mr18460302ite.39.1516112776040; Tue, 16 Jan 2018 06:26:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516112776; cv=none; d=google.com; s=arc-20160816; b=QEmOweQLZFNhbFJ7UmLgP/wt6gG+WXg8jg4ErSDCbkB07aUSw0OP5AqXNk08G/z7SG ipZsbpG9oj50Z+mzSKFrmDpczU/bSK59mNPiglNzbzuTrfcV9jkSn8yBKHM/qb6SXQZ3 kSYS5hezSkpDszc6Gj/HplFv6/Fe6JIB+pk0EbSwAAkNFWWEn4f2BZCixasfyRusabbi FXYgbDy3uw4agYWPUHgiETXnKyIQ/lpdJXN1n+AcjtBtRANVMfp6sMs6iQFbyoqx9ALr KYkiywzeBXN0N+u9KQ/n/TXsF5j3MBG5EnztxNufqtYf2EBT8n9rRy5LuPB5WDBZgt8p TPYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-unsubscribe:list-id :precedence:subject:cc:references:in-reply-to:message-id:date:to :from:dkim-signature:arc-authentication-results; bh=wxhHc7T/VS6IoNsNbTh5Ndd8AmRvvKHY2CFDNyErlS8=; b=vL0nedNTcjoEG3M51Msl/N/+8YMZa2U/gS7lRJlj6SI1ySp+gVGWsgFf5p5Qun/+25 0WbEPCKBmGJnZD89JkDswtQALH9p3BXG1otia6l8uQ6QLH5VoXTmIHTs6Y9tjjMlLv/u AIa4mjOdcq75AQMpPzSFLbu64Dng86aaf2fzKVfiy7BiyqFo9tDTIzGmiUg6bmXs8dCv weISCcFUehRRbmJ7eKysb+8S70CfkQrAi4LRwlKPlpTQ7MMb//yaO0iK2qyhRsWBsBZr XDasI9qwAzojiLXZWgP7CSgkPREysUlTtGC+4q5rYpvddB+DkVaXX6Ob+M8jDf7OFb4L QG3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=dxJXX421; spf=pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120]) by mx.google.com with ESMTPS id m15si2085687itg.4.2018.01.16.06.26.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 Jan 2018 06:26:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=dxJXX421; spf=pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ebS9W-0002Fa-Kx; Tue, 16 Jan 2018 14:23:50 +0000 Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ebS9V-0002F5-OL for xen-devel@lists.xen.org; Tue, 16 Jan 2018 14:23:49 +0000 X-Inumbo-ID: a87072ec-fac8-11e7-b4a6-bc764e045a96 Received: from mail-wm0-x244.google.com (unknown [2a00:1450:400c:c09::244]) by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS id a87072ec-fac8-11e7-b4a6-bc764e045a96; Tue, 16 Jan 2018 15:22:19 +0100 (CET) Received: by mail-wm0-x244.google.com with SMTP id 143so8677520wma.5 for ; Tue, 16 Jan 2018 06:23:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=z38FWZGwLpwaZknoKzEIsRzrKjjg3ec9C51vK9E0aak=; b=dxJXX4211Mg7qq7GkY7SalAr3aHpT8VDRWeZOeaRvTyq2TSpVtbH78rgX6Kd9N5d58 H7oWlzUPc7PlGI0JJQ2Q5I4LcuX5WZ5r8wjBJORJ1nAYuTXZMVuUV6qK0VSDheA2r2y9 ++0Ujpw8AhiiaewXLyTwiqnKBXzMUMKj8VI4Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=z38FWZGwLpwaZknoKzEIsRzrKjjg3ec9C51vK9E0aak=; b=TzuGhL/LV/zljl3MCoj16YY16znk1+eRN5VVz2FDMTAD3YPpVxssT5KT+Hw5wyyqEq KpPzoS8izfd41YQZZ5qUZ1rQQ5URqdPOzFC1cGAnxEYCPI8N2nc1GTXqgMQn4Gq+01rT qaVUaueK81GeEBDfFF4VT3INhRZxiIhrAu3UdECdoBNR9jd+G0oFftledt1Ms4i/3f++ 6wxRwTHWNuOWu9tGPIGza97PHXFqGW3t377XMsVOdn5IXN/RdtW8y1MqKxWdUHG61Agp OTg3w3hBpZ9uQC2+NZ9h4RDiE4VevF4HmB6gQjazvaE1ERkPalANWrKW7IjswdfBKaG0 C0LA== X-Gm-Message-State: AKwxytfn07aIKoBxLTxxY/EFdJS0NXZFv95XRl2KQhy41Safvqx4XUCg N71IJXWkltXRfxy78o8oH+UllfRuqw4= X-Received: by 10.28.229.194 with SMTP id c185mr12926554wmh.142.1516112627219; Tue, 16 Jan 2018 06:23:47 -0800 (PST) Received: from e108454-lin.cambridge.arm.com ([2001:41d0:1:6c23::1]) by smtp.gmail.com with ESMTPSA id m201sm1686886wma.13.2018.01.16.06.23.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 Jan 2018 06:23:45 -0800 (PST) From: Julien Grall To: xen-devel@lists.xen.org Date: Tue, 16 Jan 2018 14:23:37 +0000 Message-Id: <20180116142337.24942-6-julien.grall@linaro.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20180116142337.24942-1-julien.grall@linaro.org> References: <20180116142337.24942-1-julien.grall@linaro.org> Cc: sstabellini@kernel.org, Julien Grall , andre.przywara@linaro.org Subject: [Xen-devel] [PATCH 5/5] xen/arm64: Implement branch predictor hardening for affected Cortex-A CPUs X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" Cortex-A57, A72, A73 and A75 are susceptible to branch predictor aliasing and can theoritically be attacked by malicious code. This patch implements a PSCI-based mitigation for these CPUs when available. The call into firmware will invalidate the branch predictor state, preventing any malicious entries from affection other victim contexts. Ported from Linux git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git branch kpti. Signed-off-by: Marc Zyngier Signed-off-by: Will Deacon This is part of XSA-254. Signed-off-by: Julien Grall --- xen/arch/arm/arm64/bpi.S | 25 ++++++++++++++++++++++++ xen/arch/arm/cpuerrata.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+) diff --git a/xen/arch/arm/arm64/bpi.S b/xen/arch/arm/arm64/bpi.S index 6cc2f17529..4b7f1dc21f 100644 --- a/xen/arch/arm/arm64/bpi.S +++ b/xen/arch/arm/arm64/bpi.S @@ -56,6 +56,31 @@ ENTRY(__bp_harden_hyp_vecs_start) .endr ENTRY(__bp_harden_hyp_vecs_end) +ENTRY(__psci_hyp_bp_inval_start) + sub sp, sp, #(8 * 18) + stp x16, x17, [sp, #(16 * 0)] + stp x14, x15, [sp, #(16 * 1)] + stp x12, x13, [sp, #(16 * 2)] + stp x10, x11, [sp, #(16 * 3)] + stp x8, x9, [sp, #(16 * 4)] + stp x6, x7, [sp, #(16 * 5)] + stp x4, x5, [sp, #(16 * 6)] + stp x2, x3, [sp, #(16 * 7)] + stp x0, x1, [sp, #(16 * 8)] + mov x0, #0x84000000 + smc #0 + ldp x16, x17, [sp, #(16 * 0)] + ldp x14, x15, [sp, #(16 * 1)] + ldp x12, x13, [sp, #(16 * 2)] + ldp x10, x11, [sp, #(16 * 3)] + ldp x8, x9, [sp, #(16 * 4)] + ldp x6, x7, [sp, #(16 * 5)] + ldp x4, x5, [sp, #(16 * 6)] + ldp x2, x3, [sp, #(16 * 7)] + ldp x0, x1, [sp, #(16 * 8)] + add sp, sp, #(8 * 18) +ENTRY(__psci_hyp_bp_inval_end) + /* * Local variables: * mode: ASM diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 76d98e771d..f1ea7f3c5b 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -4,8 +4,10 @@ #include #include #include +#include #include #include +#include /* Override macros from asm/page.h to make them work with mfn_t */ #undef virt_to_mfn @@ -141,6 +143,31 @@ install_bp_hardening_vec(const struct arm_cpu_capabilities *entry, return ret; } +extern char __psci_hyp_bp_inval_start[], __psci_hyp_bp_inval_end[]; + +static int enable_psci_bp_hardening(void *data) +{ + bool ret = true; + static bool warned = false; + + /* + * The mitigation is using PSCI version function to invalidate the + * branch predictor. This function is only available with PSCI 0.2 + * and later. + */ + if ( psci_ver >= PSCI_VERSION(0, 2) ) + ret = install_bp_hardening_vec(data, __psci_hyp_bp_inval_start, + __psci_hyp_bp_inval_end); + else if ( !warned ) + { + ASSERT(system_state < SYS_STATE_active); + warning_add("PSCI 0.2 or later is required for the branch predictor hardening.\n"); + warned = true; + } + + return !ret; +} + #endif /* CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR */ #define MIDR_RANGE(model, min, max) \ @@ -205,6 +232,28 @@ static const struct arm_cpu_capabilities arm_errata[] = { (1 << MIDR_VARIANT_SHIFT) | 2), }, #endif +#ifdef CONFIG_ARM64_HARDEN_BRANCH_PREDICTOR + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A57), + .enable = enable_psci_bp_hardening, + }, + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), + .enable = enable_psci_bp_hardening, + }, + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A73), + .enable = enable_psci_bp_hardening, + }, + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A75), + .enable = enable_psci_bp_hardening, + }, +#endif {}, };