From patchwork Fri Jan 19 13:41:01 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Julien Grall X-Patchwork-Id: 125245 Delivered-To: patch@linaro.org Received: by 10.46.66.141 with SMTP id h13csp186970ljf; Sat, 20 Jan 2018 00:10:59 -0800 (PST) X-Google-Smtp-Source: AH8x224uF+A/9MBlBW7g7emEd6VsNrieaUSw3CJMhZ3YBYA73Dc3C8aMITWP+QzLIImrqxF1c48U X-Received: by 10.107.97.18 with SMTP id v18mr1095770iob.7.1516435859580; Sat, 20 Jan 2018 00:10:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516435859; cv=none; d=google.com; s=arc-20160816; b=OfLXdu2sy/avuS1l5ZpXfRyY3NBLkDwkhmvuSY2EDsEyhXCtPbLjREaqXg8ffHKTRg pI/3FdIfsuX+iuW8q+AFB+9Z34Qc/Oe1vus7s9ItaWS0xyLWx0zdP5nv8iic9+2hB8/w spanjQvWmHaqPyfJUrX/1JjpTghGvyWgDwHZtlTSfVXxnh3BCKwwbd0o/Fzcr8ECHuMr VOLZc38PsXYVmsjx73QaV13Px0AShWIv58lSkTc1TN3kEVZZDtdCHNZTS+cg65Njz9ko 71138Y/2FExZecaPyIzu53tJ0R+hHMxvL2guCW5qQYmwX+wnyHA8MX82HAhcO2MeOrr0 B/kA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-unsubscribe:list-id :precedence:subject:cc:references:in-reply-to:message-id:date:to :from:dkim-signature:arc-authentication-results; bh=Lt9j+aAce6/Ow3uKx0t3fJoXUng1HPL4zXN1QmyO4tM=; b=b4HdxVVJYR54a5aemL/UyP5lb1FLmZxgqGZdlaiMsy6Q8VseMIxJzPuZ//VUEv/z+a sTBSytBEaONg8pBRngzc1tlXEJ/T7juevzKthkImaIRA/CuYgLCC/CnttZYMvZJZE4VB kxj4IlvlcVhVl0WSKYgbnvm//vb7zZtmyGUNcli93rkPgCjY31C3M/mS3sNQXIksVpf5 b3JWylmSsUS/fyNQp87M8+70H/jB5jR+f0t11FW6aumQOC+7R1fPskTtZ8NjUoMGEti+ 0a8TE5T2vuMltPvxN4dFe3RFf0mqU+209i56XIyYto4cvCbqyf+BbZXHIe2NaJXo/+yr narA== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=KOY3OpLh; spf=pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org. [192.237.175.120]) by mx.google.com with ESMTPS id o17si2409993ita.69.2018.01.20.00.10.59 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 20 Jan 2018 00:10:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=KOY3OpLh; spf=pass (google.com: best guess record for domain of xen-devel-bounces@lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ecoBn-0005fu-Lp; Sat, 20 Jan 2018 08:07:47 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ecoBm-0005fo-PM for xen-devel@lists.xen.org; Sat, 20 Jan 2018 08:07:46 +0000 X-Inumbo-ID: 5b2f5853-fdb9-11e7-b0d7-9f685aff125f Received: from mail-wm0-f66.google.com (unknown [74.125.82.66]) by us1-amaz-eas1.inumbo.com (Halon) with ESMTPS id 5b2f5853-fdb9-11e7-b0d7-9f685aff125f; Sat, 20 Jan 2018 08:10:20 +0000 (UTC) Received: by mail-wm0-f66.google.com with SMTP id b21so7590814wme.4 for ; Sat, 20 Jan 2018 00:07:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=yLnbnyBqEC0roE3wcJdZQ8BkXE/g3IL1ge4p4Mcf97o=; b=KOY3OpLhsmQI9sC14MbwNlOIzPqLDDBJU8l9ixzL4+yf1+gRxKF/R7QEC5cF0GQz/P nq8HwXWdfGIpWIA5ha/a0Xmw+/Ohx0PF250HAv8cjztuyGovZydzA+WuLXjQQ9mPRfTI FBJ+tH6ptJ/P1GdSdKr954El2tBvuV7jUrPyo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=yLnbnyBqEC0roE3wcJdZQ8BkXE/g3IL1ge4p4Mcf97o=; b=eKhIpp+/zt79Fye4+zurw5yDxE787RvUwJojwvOVg9/kOSLPOC5+vkmL1lamyo2nBU MArF7s5eJPvsCkvf1rQReKXuLfQuyr3d9g1wPFtBlf0FqacULcmXl4zuyL8TqTk4Et+6 9S+QmDbAipB5Umvl88dZEtIhwlBuaFBq/RxIKEhCaW+d99pHxEiSMYd5T5ouV5n7LNJT w5OVjOKRQJu7Y6UJuVljrHxHnFTUNhyztf6Xo1K8Z/VNx6NxSITXYEQI4LNXl0WNh4nv HXavlBkPkpaZ7ECs0gNHTQs3cG1bpENlaJjrs1NnpPVwn0JuPjS4xUbO8buwg5cVkobf Y9oA== X-Gm-Message-State: AKwxytfJ+7DUzM2pWLvaDgLsAqZEFf1o88uqgQTbOBDJ7vhivLMVB8tO YosYoYCcvJiZ7GOfCfuD65SA+en2Sv0= X-Received: by 10.28.92.75 with SMTP id q72mr7351853wmb.21.1516369269544; Fri, 19 Jan 2018 05:41:09 -0800 (PST) Received: from e108454-lin.cambridge.arm.com ([2001:41d0:1:6c23::1]) by smtp.gmail.com with ESMTPSA id s44sm5113642wrc.64.2018.01.19.05.41.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 19 Jan 2018 05:41:09 -0800 (PST) From: Julien Grall To: xen-devel@lists.xen.org Date: Fri, 19 Jan 2018 13:41:01 +0000 Message-Id: <20180119134103.3390-6-julien.grall@linaro.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20180119134103.3390-1-julien.grall@linaro.org> References: <20180119134103.3390-1-julien.grall@linaro.org> Cc: sstabellini@kernel.org, andre.przywara@linaro.org Subject: [Xen-devel] [PATCH 5/7] xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12 X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" In order to avoid aliasing attackes agains the branch predictor, let's invalidate the BTB on guest exist. This is made complicated by the fact that we cannot take a branch invalidating the BTB. This is based on the first version posrted by Marc Zyngier on Linux-arm mailing list (see [1]). This is part of XSA-254. Signed-off-by: Marc Zyngier Signed-off-by: Julien Grall [1] https://www.spinics.net/lists/arm-kernel/msg627032.html Signed-off-by: Stefano Stabellini --- xen/arch/arm/arm32/entry.S | 55 ++++++++++++++++++++++++++++++++++++++++++++++ xen/arch/arm/cpuerrata.c | 19 ++++++++++++++++ 2 files changed, 74 insertions(+) diff --git a/xen/arch/arm/arm32/entry.S b/xen/arch/arm/arm32/entry.S index 54a1733f87..c6ec0aa399 100644 --- a/xen/arch/arm/arm32/entry.S +++ b/xen/arch/arm/arm32/entry.S @@ -160,6 +160,61 @@ GLOBAL(hyp_traps_vector) b trap_irq /* 0x18 - IRQ */ b trap_fiq /* 0x1c - FIQ */ + .align 5 +GLOBAL(hyp_traps_vector_bp_inv) + /* + * We encode the exception entry in the bottom 3 bits of + * SP, and we have to guarantee to be 8 bytes aligned. + */ + add sp, sp, #1 /* Reset 7 */ + add sp, sp, #1 /* Undef 6 */ + add sp, sp, #1 /* Hypervisor Call 5 */ + add sp, sp, #1 /* Prefetch abort 4 */ + add sp, sp, #1 /* Data abort 3 */ + add sp, sp, #1 /* Hypervisor 2 */ + add sp, sp, #1 /* IRQ 1 */ + nop /* FIQ 0 */ + + mcr p15, 0, r0, c7, c5, 6 /* BPIALL */ + isb + + /* + * As we cannot use any temporary registers and cannot + * clobber SP, we can decode the exception entry using + * an unrolled binary search. + */ + tst sp, #4 + bne 1f + + tst sp, #2 + bne 3f + + tst sp, #1 + bic sp, sp, #0x7 + bne trap_irq + b trap_fiq + +1: + tst sp, #2 + bne 2f + + tst sp, #1 + bic sp, sp, #0x7 + bne trap_hypervisor_call + b trap_prefetch_abort + +2: + tst sp, #1 + bic sp, sp, #0x7 + bne trap_reset + b trap_undefined_instruction + +3: + tst sp, #1 + bic sp, sp, #0x7 + bne trap_data_abort + b trap_guest_sync + DEFINE_TRAP_ENTRY(reset) DEFINE_TRAP_ENTRY(undefined_instruction) DEFINE_TRAP_ENTRY(hypervisor_call) diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index 0a138fa735..c79e6d65d3 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -198,6 +198,13 @@ install_bp_hardening_vecs(const struct arm_cpu_capabilities *entry, this_cpu(bp_harden_vecs) = hyp_vecs; } +static int enable_bp_inv_hardening(void *data) +{ + install_bp_hardening_vecs(data, hyp_traps_vector_bp_inv, + "execute BPIALL"); + return 0; +} + #endif #define MIDR_RANGE(model, min, max) \ @@ -284,6 +291,18 @@ static const struct arm_cpu_capabilities arm_errata[] = { .enable = enable_psci_bp_hardening, }, #endif +#ifdef CONFIG_ARM32_HARDEN_BRANCH_PREDICTOR + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A12), + .enable = enable_bp_inv_hardening, + }, + { + .capability = ARM_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_CORTEX_A17), + .enable = enable_bp_inv_hardening, + }, +#endif {}, };