[v2,00/18] arm64: Unmap the kernel whilst running in userspace (KAISER)

Message ID 1512059986-21325-1-git-send-email-will.deacon@arm.com

Message

Will Deacon Nov. 30, 2017, 4:39 p.m. UTC
Hi again,

This is version two of the patches previously posted here:

  http://lists.infradead.org/pipermail/linux-arm-kernel/2017-November/542751.html

Changes since v1 include:

  * Based on v4.15-rc1
  * Trampoline moved into FIXMAP area
  * Explicit static key replaced by cpu cap
  * Disable SPE for userspace profiling if kernel unmapped at EL0
  * Changed polarity of cpu feature to match config option
  * Changed command-line option so we can force on in future if necessary
  * Changed Falkor workaround to invalidate different page within 2MB region
  * Reworked alternative sequences in entry.S, since the NOP slides with
    kaiser=off were measurable

I experimented with leaving the vbar set to point at the kaiser vectors,
but I couldn't measure any performance improvement from that and it made
the code slightly more complicated, so I've left it as-is.

Patches based on 4.15-rc1 and also pushed here:

  git://git.kernel.org/pub/scm/linux/kernel/git/will/linux.git kaiser

Feedback welcome, particularly on a better name for the command-line option.

Will

--->8

Will Deacon (18):
  arm64: mm: Use non-global mappings for kernel space
  arm64: mm: Temporarily disable ARM64_SW_TTBR0_PAN
  arm64: mm: Move ASID from TTBR0 to TTBR1
  arm64: mm: Remove pre_ttbr0_update_workaround for Falkor erratum
    #E1003
  arm64: mm: Rename post_ttbr0_update_workaround
  arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN
  arm64: mm: Allocate ASIDs in pairs
  arm64: mm: Add arm64_kernel_unmapped_at_el0 helper
  arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI
  arm64: entry: Add exception trampoline page for exceptions from EL0
  arm64: mm: Map entry trampoline into trampoline and kernel page tables
  arm64: entry: Explicitly pass exception level to kernel_ventry macro
  arm64: entry: Hook up entry trampoline to exception vectors
  arm64: erratum: Work around Falkor erratum #E1003 in trampoline code
  arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native
    tasks
  arm64: entry: Add fake CPU feature for unmapping the kernel at EL0
  arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0
  perf: arm_spe: Disallow userspace profiling when
    arm_kernel_unmapped_at_el0()

 arch/arm64/Kconfig                      |  30 +++--
 arch/arm64/include/asm/asm-uaccess.h    |  25 +++--
 arch/arm64/include/asm/assembler.h      |  27 +----
 arch/arm64/include/asm/cpucaps.h        |   3 +-
 arch/arm64/include/asm/fixmap.h         |   4 +
 arch/arm64/include/asm/kernel-pgtable.h |  12 +-
 arch/arm64/include/asm/mmu.h            |  10 ++
 arch/arm64/include/asm/mmu_context.h    |   9 +-
 arch/arm64/include/asm/pgtable-hwdef.h  |   1 +
 arch/arm64/include/asm/pgtable-prot.h   |  21 +++-
 arch/arm64/include/asm/pgtable.h        |   1 +
 arch/arm64/include/asm/proc-fns.h       |   6 -
 arch/arm64/include/asm/tlbflush.h       |  16 ++-
 arch/arm64/include/asm/uaccess.h        |  21 +++-
 arch/arm64/kernel/asm-offsets.c         |   6 +-
 arch/arm64/kernel/cpufeature.c          |  41 +++++++
 arch/arm64/kernel/entry.S               | 190 +++++++++++++++++++++++++++-----
 arch/arm64/kernel/process.c             |  12 +-
 arch/arm64/kernel/vmlinux.lds.S         |  17 +++
 arch/arm64/lib/clear_user.S             |   2 +-
 arch/arm64/lib/copy_from_user.S         |   2 +-
 arch/arm64/lib/copy_in_user.S           |   2 +-
 arch/arm64/lib/copy_to_user.S           |   2 +-
 arch/arm64/mm/cache.S                   |   2 +-
 arch/arm64/mm/context.c                 |  36 +++---
 arch/arm64/mm/mmu.c                     |  23 ++++
 arch/arm64/mm/proc.S                    |  12 +-
 arch/arm64/xen/hypercall.S              |   2 +-
 drivers/perf/arm_spe_pmu.c              |   7 ++
 29 files changed, 407 insertions(+), 135 deletions(-)

-- 
2.1.4

Comments

Mark Rutland Dec. 1, 2017, 2:04 p.m. UTC | #1
Hi Will,

On Thu, Nov 30, 2017 at 04:39:28PM +0000, Will Deacon wrote:
> Hi again,
>
> This is version two of the patches previously posted here:
>
>   http://lists.infradead.org/pipermail/linux-arm-kernel/2017-November/542751.html
>
> Changes since v1 include:
>
>   * Based on v4.15-rc1
>   * Trampoline moved into FIXMAP area
>   * Explicit static key replaced by cpu cap
>   * Disable SPE for userspace profiling if kernel unmapped at EL0
>   * Changed polarity of cpu feature to match config option
>   * Changed command-line option so we can force on in future if necessary
>   * Changed Falkor workaround to invalidate different page within 2MB region
>   * Reworked alternative sequences in entry.S, since the NOP slides with
>     kaiser=off were measurable

This generally looks good to me.

For patches 1-10, 13-15, and 17, feel free to add:

Reviewed-by: Mark Rutland <mark.rutland@arm.com>


(assuming you fix up the issue Robin spotted on patch 14).

Thanks,
Mark.

Will Deacon Dec. 1, 2017, 5:50 p.m. UTC | #2
Hi Mark,

On Fri, Dec 01, 2017 at 02:04:06PM +0000, Mark Rutland wrote:
> On Thu, Nov 30, 2017 at 04:39:28PM +0000, Will Deacon wrote:
> > Hi again,
> >
> > This is version two of the patches previously posted here:
> >
> >   http://lists.infradead.org/pipermail/linux-arm-kernel/2017-November/542751.html
> >
> > Changes since v1 include:
> >
> >   * Based on v4.15-rc1
> >   * Trampoline moved into FIXMAP area
> >   * Explicit static key replaced by cpu cap
> >   * Disable SPE for userspace profiling if kernel unmapped at EL0
> >   * Changed polarity of cpu feature to match config option
> >   * Changed command-line option so we can force on in future if necessary
> >   * Changed Falkor workaround to invalidate different page within 2MB region
> >   * Reworked alternative sequences in entry.S, since the NOP slides with
> >     kaiser=off were measurable
>
> This generally looks good to me.
>
> For patches 1-10, 13-15, and 17, feel free to add:
>
> Reviewed-by: Mark Rutland <mark.rutland@arm.com>

Thanks for going through this. Do you have any ideas about what we could
rename the command-line option to? I'll get us started:

  - kaiser=
  - hidekernel=
  - unmapkernel=
  - hardenkaslr=
  - swuan=

...

Will

Mark Rutland Dec. 1, 2017, 5:58 p.m. UTC | #3
On Fri, Dec 01, 2017 at 05:50:26PM +0000, Will Deacon wrote:
> On Fri, Dec 01, 2017 at 02:04:06PM +0000, Mark Rutland wrote:
> > On Thu, Nov 30, 2017 at 04:39:28PM +0000, Will Deacon wrote:
> Thanks for going through this. Do you have any ideas about what we could
> rename the command-line option to? I'll get us started:
>
>   - kaiser=
>   - hidekernel=
>   - unmapkernel=
>   - hardenkaslr=
>   - swuan=

Of all of these, I think "unmapkernel" is the clear winner, since it
says what it does in the tin (even if it misses the when).

I'll have a think over the weekend.

Thanks,
Mark.

Dave Hansen Dec. 1, 2017, 6:02 p.m. UTC | #4
On 12/01/2017 09:58 AM, Mark Rutland wrote:
> On Fri, Dec 01, 2017 at 05:50:26PM +0000, Will Deacon wrote:
>> On Fri, Dec 01, 2017 at 02:04:06PM +0000, Mark Rutland wrote:
>>> On Thu, Nov 30, 2017 at 04:39:28PM +0000, Will Deacon wrote:
>> Thanks for going through this. Do you have any ideas about what we could
>> rename the command-line option to? I'll get us started:
>>
>>   - kaiser=
>>   - hidekernel=
>>   - unmapkernel=
>>   - hardenkaslr=
>>   - swuan=
> Of all of these, I think "unmapkernel" is the clear winner, since it
> says what it does in the tin (even if it misses the when).
>
> I'll have a think over the weekend.

On the x86 side we've been leaning toward renaming kaiser to something
like "user pagetable isolation", so the boot parameter is something like
"noupti".

But I think the consensus is definitely to get rid of "kaiser".

Will Deacon Dec. 1, 2017, 6:14 p.m. UTC | #5
On Fri, Dec 01, 2017 at 10:02:43AM -0800, Dave Hansen wrote:
> On 12/01/2017 09:58 AM, Mark Rutland wrote:
> > On Fri, Dec 01, 2017 at 05:50:26PM +0000, Will Deacon wrote:
> >> On Fri, Dec 01, 2017 at 02:04:06PM +0000, Mark Rutland wrote:
> >>> On Thu, Nov 30, 2017 at 04:39:28PM +0000, Will Deacon wrote:
> >> Thanks for going through this. Do you have any ideas about what we could
> >> rename the command-line option to? I'll get us started:
> >>
> >>   - kaiser=
> >>   - hidekernel=
> >>   - unmapkernel=
> >>   - hardenkaslr=
> >>   - swuan=
> > Of all of these, I think "unmapkernel" is the clear winner, since it
> > says what it does in the tin (even if it misses the when).
> >
> > I'll have a think over the weekend.
>
> On the x86 side we've been leaning toward renaming kaiser to something
> like "user pagetable isolation", so the boot parameter is something like
> "noupti".
>
> But I think the consensus is definitely to get rid of "kaiser".

Ok, good. I'm happy to follow your lead on the name if it's likely to be
resolved in the next week or so.

Will

Laura Abbott Dec. 4, 2017, 11:47 p.m. UTC | #6
On 11/30/2017 08:39 AM, Will Deacon wrote:
> Hi again,
>
> This is version two of the patches previously posted here:
>
>    http://lists.infradead.org/pipermail/linux-arm-kernel/2017-November/542751.html
>
> Changes since v1 include:
>
>    * Based on v4.15-rc1
>    * Trampoline moved into FIXMAP area
>    * Explicit static key replaced by cpu cap
>    * Disable SPE for userspace profiling if kernel unmapped at EL0
>    * Changed polarity of cpu feature to match config option
>    * Changed command-line option so we can force on in future if necessary
>    * Changed Falkor workaround to invalidate different page within 2MB region
>    * Reworked alternative sequences in entry.S, since the NOP slides with
>      kaiser=off were measurable
>
> I experimented with leaving the vbar set to point at the kaiser vectors,
> but I couldn't measure any performance improvement from that and it made
> the code slightly more complicated, so I've left it as-is.
>
> Patches based on 4.15-rc1 and also pushed here:
>
>    git://git.kernel.org/pub/scm/linux/kernel/git/will/linux.git kaiser
>
> Feedback welcome, particularly on a better name for the command-line option.

I ran this with one of the LTP mmap tests over the weekend. The mmap
test completed successfully but later the machine was spewing I/O
errors. I think this is because of the hardware and not the patches
so I'm running again for good measure.

> Will
>
> --->8
>
> Will Deacon (18):
>    arm64: mm: Use non-global mappings for kernel space
>    arm64: mm: Temporarily disable ARM64_SW_TTBR0_PAN
>    arm64: mm: Move ASID from TTBR0 to TTBR1
>    arm64: mm: Remove pre_ttbr0_update_workaround for Falkor erratum
>      #E1003
>    arm64: mm: Rename post_ttbr0_update_workaround
>    arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN
>    arm64: mm: Allocate ASIDs in pairs
>    arm64: mm: Add arm64_kernel_unmapped_at_el0 helper
>    arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI
>    arm64: entry: Add exception trampoline page for exceptions from EL0
>    arm64: mm: Map entry trampoline into trampoline and kernel page tables
>    arm64: entry: Explicitly pass exception level to kernel_ventry macro
>    arm64: entry: Hook up entry trampoline to exception vectors
>    arm64: erratum: Work around Falkor erratum #E1003 in trampoline code
>    arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native
>      tasks
>    arm64: entry: Add fake CPU feature for unmapping the kernel at EL0
>    arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0
>    perf: arm_spe: Disallow userspace profiling when
>      arm_kernel_unmapped_at_el0()
>
>   arch/arm64/Kconfig                      |  30 +++--
>   arch/arm64/include/asm/asm-uaccess.h    |  25 +++--
>   arch/arm64/include/asm/assembler.h      |  27 +----
>   arch/arm64/include/asm/cpucaps.h        |   3 +-
>   arch/arm64/include/asm/fixmap.h         |   4 +
>   arch/arm64/include/asm/kernel-pgtable.h |  12 +-
>   arch/arm64/include/asm/mmu.h            |  10 ++
>   arch/arm64/include/asm/mmu_context.h    |   9 +-
>   arch/arm64/include/asm/pgtable-hwdef.h  |   1 +
>   arch/arm64/include/asm/pgtable-prot.h   |  21 +++-
>   arch/arm64/include/asm/pgtable.h        |   1 +
>   arch/arm64/include/asm/proc-fns.h       |   6 -
>   arch/arm64/include/asm/tlbflush.h       |  16 ++-
>   arch/arm64/include/asm/uaccess.h        |  21 +++-
>   arch/arm64/kernel/asm-offsets.c         |   6 +-
>   arch/arm64/kernel/cpufeature.c          |  41 +++++++
>   arch/arm64/kernel/entry.S               | 190 +++++++++++++++++++++++++++-----
>   arch/arm64/kernel/process.c             |  12 +-
>   arch/arm64/kernel/vmlinux.lds.S         |  17 +++
>   arch/arm64/lib/clear_user.S             |   2 +-
>   arch/arm64/lib/copy_from_user.S         |   2 +-
>   arch/arm64/lib/copy_in_user.S           |   2 +-
>   arch/arm64/lib/copy_to_user.S           |   2 +-
>   arch/arm64/mm/cache.S                   |   2 +-
>   arch/arm64/mm/context.c                 |  36 +++---
>   arch/arm64/mm/mmu.c                     |  23 ++++
>   arch/arm64/mm/proc.S                    |  12 +-
>   arch/arm64/xen/hypercall.S              |   2 +-
>   drivers/perf/arm_spe_pmu.c              |   7 ++
>   29 files changed, 407 insertions(+), 135 deletions(-)

Shanker Donthineni Dec. 11, 2017, 2:24 a.m. UTC | #7
Hi Will,

I tested v2 patch series on Centriq2400 server platform successfully, no regression so far. And also
we applied internal patches on top of the branch "kpti" and verified kaiser feature.

Tested-by: Shanker Donthineni <shankerd@codeaurora.org>



-- 
Shanker Donthineni
Qualcomm Datacenter Technologies, Inc. as an affiliate of Qualcomm Technologies, Inc.
Qualcomm Technologies, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project.