From patchwork Mon Jan 8 17:32:26 2018
X-Patchwork-Submitter: Will Deacon
X-Patchwork-Id: 123754
From: Will Deacon
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, ard.biesheuvel@linaro.org, marc.zyngier@arm.com, lorenzo.pieralisi@arm.com, christoffer.dall@linaro.org, linux-kernel@vger.kernel.org, shankerd@codeaurora.org, jnair@caviumnetworks.com, Will Deacon
Subject: [PATCH v3 01/13] arm64: use RET instruction for exiting the trampoline
Date: Mon, 8 Jan 2018 17:32:26 +0000
Message-Id: <1515432758-26440-2-git-send-email-will.deacon@arm.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1515432758-26440-1-git-send-email-will.deacon@arm.com>
References: <1515432758-26440-1-git-send-email-will.deacon@arm.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

Speculation attacks against the entry trampoline can potentially resteer the speculative instruction stream through the indirect branch and into arbitrary gadgets within the kernel.

This patch defends against these attacks by forcing a misprediction through the return stack: a dummy BL instruction loads an entry into the stack, so that the predicted program flow of the subsequent RET instruction is to a branch-to-self instruction which is finally resolved as a branch to the kernel vectors with speculation suppressed.

Signed-off-by: Will Deacon
---
arch/arm64/kernel/entry.S | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

-- 
2.1.4

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 031392ee5f47..6ceed4877daf 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -1029,6 +1029,14 @@ alternative_else_nop_endif .if \regsize == 64 msr tpidrro_el0, x30 // Restored in kernel_ventry .endif + /* + * Defend against branch aliasing attacks by pushing a dummy + * entry onto the return stack and using a RET instruction to + * enter the full-fat kernel vectors. + */ + bl 2f + b . +2: tramp_map_kernel x30 #ifdef CONFIG_RANDOMIZE_BASE adr x30, tramp_vectors + PAGE_SIZE 
@@ -1041,7 +1049,7 @@ alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003 msr vbar_el1, x30 add x30, x30, #(1b - tramp_vectors) isb - br x30 + ret .endm .macro tramp_exit, regsize = 64
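Review bot: in the first hunk (@@ -1029), the new comment should say why it is safe for `bl 2f` to clobber x30 at this point: the preceding `msr tpidrro_el0, x30` only runs for `\regsize == 64`, and the following `tramp_map_kernel x30` (which is handed x30 as its register operand) and `adr x30, tramp_vectors + PAGE_SIZE` rewrite x30 regardless, so the link value written by the BL is dead on arrival. It would also help readers to state that `b .` is never executed architecturally; it exists only as the return-stack prediction target, so that the RET later in the macro mispredicts into a self-loop rather than into an attacker-influenced indirect-branch target. A short addition along the lines of `* x30 is dead here (saved/overwritten below); the b . is only a speculation sink` would make both points explicit.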
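Review bot: in the second hunk (@@ -1041), `ret` is architecturally `ret x30`, so the exit behaves exactly as the replaced `br x30` did; what changes is which predictor the CPU consults (the return-address stack rather than the indirect-branch predictor). That equivalence, and the link to the `b .` planted by the earlier `bl 2f`, is only documented in the first hunk, some fifteen lines above this `ret`; a one-line comment here such as `ret // predicted as the b . above, resolves to the kernel vectors` would keep the two halves of the mitigation visible together in the exit path. The commit message would also benefit from a sentence noting that the defence relies on RET prediction being fed by BL on the implementations in question, i.e. it is microarchitecture-dependent rather than an architectural guarantee.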