From patchwork Mon Feb 26 08:20:20 2018
X-Patchwork-Submitter: Alex Shi
X-Patchwork-Id: 129603
From: Alex Shi
To: Marc Zyngier, Will Deacon, Ard Biesheuvel, Catalin Marinas, stable@vger.kernel.org, Russell King, linux-arm-kernel@lists.infradead.org (moderated list:ARM PORT), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH 46/52] arm: Add BTB invalidation on switch_mm for Cortex-A9, A12 and A17
Date: Mon, 26 Feb 2018 16:20:20 +0800
Message-Id: <1519633227-29832-47-git-send-email-alex.shi@linaro.org>
In-Reply-To: <1519633227-29832-1-git-send-email-alex.shi@linaro.org>
References: <1519633227-29832-1-git-send-email-alex.shi@linaro.org>

From: Marc Zyngier

** Not yet queued for inclusion in mainline **

In order to avoid aliasing attacks against the branch predictor, some implementations require to invalidate the BTB when switching from one user context to another.

For this, we reuse the existing implementation for Cortex-A8, and apply it to A9, A12 and A17.

Signed-off-by: Marc Zyngier
Signed-off-by: Will Deacon
Signed-off-by: Alex Shi
---
 arch/arm/mm/Kconfig          | 17 +++++++++++++++++
 arch/arm/mm/proc-v7-2level.S |  4 ++--
 arch/arm/mm/proc-v7-3level.S |  5 +++++
 arch/arm/mm/proc-v7.S        | 30 ++++++++++++++++++++++++++++--
 4 files changed, 52 insertions(+), 4 deletions(-)

-- 
2.7.4

diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig index c1799dd..1a5acee 100644
--- a/arch/arm/mm/Kconfig +++ b/arch/arm/mm/Kconfig @@ -1068,3 +1068,20 @@ config DEBUG_ALIGN_RODATA additional section-aligned split of rodata from kernel text so it can be made explicitly non-executable. This padding may waste memory space to gain the additional protection. + +config HARDEN_BRANCH_PREDICTOR + bool "Harden the branch predictor against aliasing attacks" if EXPERT + default y + help + Speculation attacks against some high-performance processors rely on + being able to manipulate the branch predictor for a victim context by + executing aliasing branches in the attacker context. Such attacks + can be partially mitigated against by clearing internal branch + predictor state and limiting the prediction logic in some situations. + + This config option will take CPU-specific actions to harden the + branch predictor against aliasing attacks and may rely on specific + instruction sequences or control bits being set by the system + firmware. + + If unsure, say Y. diff --git a/arch/arm/mm/proc-v7-2level.S b/arch/arm/mm/proc-v7-2level.S index c6141a5..0422e58b 100644 --- a/arch/arm/mm/proc-v7-2level.S +++ b/arch/arm/mm/proc-v7-2level.S @@ -41,7 +41,7 @@ * even on Cortex-A8 revisions not affected by 430973. * If IBE is not set, the flush BTAC/BTB won't do anything. */ -ENTRY(cpu_ca8_switch_mm) +ENTRY(cpu_v7_btbinv_switch_mm) #ifdef CONFIG_MMU mov r2, #0 mcr p15, 0, r2, c7, c5, 6 @ flush BTAC/BTB @@ -66,7 +66,7 @@ ENTRY(cpu_v7_switch_mm) #endif bx lr ENDPROC(cpu_v7_switch_mm) -ENDPROC(cpu_ca8_switch_mm) +ENDPROC(cpu_v7_btbinv_switch_mm) /* * cpu_v7_set_pte_ext(ptep, pte) diff --git a/arch/arm/mm/proc-v7-3level.S b/arch/arm/mm/proc-v7-3level.S index 5e5720e..a25450b 100644 --- a/arch/arm/mm/proc-v7-3level.S +++ b/arch/arm/mm/proc-v7-3level.S 
@@ -54,6 +54,10 @@ * Set the translation table base pointer to be pgd_phys (physical address of * the new TTB). */ +ENTRY(cpu_v7_btbinv_switch_mm) +#ifdef CONFIG_MMU + mcr p15, 0, r0, c7, c5, 6 @ flush BTAC/BTB +#endif ENTRY(cpu_v7_switch_mm) #ifdef CONFIG_MMU mmid r2, r2 @@ -64,6 +68,7 @@ ENTRY(cpu_v7_switch_mm) #endif ret lr ENDPROC(cpu_v7_switch_mm) +ENDPROC(cpu_v7_btbinv_switch_mm) #ifdef __ARMEB__ #define rl r3 diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S index d00d52c..ff7018a 100644 --- a/arch/arm/mm/proc-v7.S +++ b/arch/arm/mm/proc-v7.S @@ -163,6 +163,7 @@ ENDPROC(cpu_v7_do_resume) globl_equ cpu_ca8_dcache_clean_area, cpu_v7_dcache_clean_area globl_equ cpu_ca8_set_pte_ext, cpu_v7_set_pte_ext globl_equ cpu_ca8_suspend_size, cpu_v7_suspend_size + globl_equ cpu_ca8_switch_mm, cpu_v7_btbinv_switch_mm #ifdef CONFIG_ARM_CPU_SUSPEND globl_equ cpu_ca8_do_suspend, cpu_v7_do_suspend globl_equ cpu_ca8_do_resume, cpu_v7_do_resume @@ -176,7 +177,11 @@ ENDPROC(cpu_v7_do_resume) globl_equ cpu_ca9mp_reset, cpu_v7_reset globl_equ cpu_ca9mp_do_idle, cpu_v7_do_idle globl_equ cpu_ca9mp_dcache_clean_area, cpu_v7_dcache_clean_area +#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR + globl_equ cpu_ca9mp_switch_mm, cpu_v7_btbinv_switch_mm +#else globl_equ cpu_ca9mp_switch_mm, cpu_v7_switch_mm +#endif globl_equ cpu_ca9mp_set_pte_ext, cpu_v7_set_pte_ext .globl cpu_ca9mp_suspend_size .equ cpu_ca9mp_suspend_size, cpu_v7_suspend_size + 4 * 2 
@@ -202,6 +207,26 @@ ENTRY(cpu_ca9mp_do_resume) ENDPROC(cpu_ca9mp_do_resume) #endif +/* + * Cortex-A12/A17 + */ + globl_equ cpu_ca17_proc_init, cpu_v7_proc_init + globl_equ cpu_ca17_proc_fin, cpu_v7_proc_fin + globl_equ cpu_ca17_reset, cpu_v7_reset + globl_equ cpu_ca17_do_idle, cpu_v7_do_idle + globl_equ cpu_ca17_dcache_clean_area, cpu_v7_dcache_clean_area + globl_equ cpu_ca17_set_pte_ext, cpu_v7_set_pte_ext + globl_equ cpu_ca17_suspend_size, cpu_v7_suspend_size +#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR + globl_equ cpu_ca17_switch_mm, cpu_v7_btbinv_switch_mm +#else + globl_equ cpu_ca17_switch_mm, cpu_v7_switch_mm +#endif +#ifdef CONFIG_ARM_CPU_SUSPEND + globl_equ cpu_ca17_do_suspend, cpu_v7_do_suspend + globl_equ cpu_ca17_do_resume, cpu_v7_do_resume +#endif + #ifdef CONFIG_CPU_PJ4B globl_equ cpu_pj4b_switch_mm, cpu_v7_switch_mm globl_equ cpu_pj4b_set_pte_ext, cpu_v7_set_pte_ext @@ -543,6 +568,7 @@ __v7_setup_stack: @ define struct processor (see and proc-macros.S) define_processor_functions v7, dabort=v7_early_abort, pabort=v7_pabort, suspend=1 + define_processor_functions ca17, dabort=v7_early_abort, pabort=v7_pabort, suspend=1 #ifndef CONFIG_ARM_LPAE define_processor_functions ca8, dabort=v7_early_abort, pabort=v7_pabort, suspend=1 define_processor_functions ca9mp, dabort=v7_early_abort, pabort=v7_pabort, suspend=1 @@ -653,7 +679,7 @@ __v7_ca7mp_proc_info: __v7_ca12mp_proc_info: .long 0x410fc0d0 .long 0xff0ffff0 - __v7_proc __v7_ca12mp_proc_info, __v7_ca12mp_setup + __v7_proc __v7_ca12mp_proc_info, __v7_ca12mp_setup, proc_fns = ca17_processor_functions .size __v7_ca12mp_proc_info, . - __v7_ca12mp_proc_info /* @@ -683,7 +709,7 @@ __v7_b15mp_proc_info: __v7_ca17mp_proc_info: .long 0x410fc0e0 .long 0xff0ffff0 - __v7_proc __v7_ca17mp_proc_info, __v7_ca17mp_setup + __v7_proc __v7_ca17mp_proc_info, __v7_ca17mp_setup, proc_fns = ca17_processor_functions .size __v7_ca17mp_proc_info, . - __v7_ca17mp_proc_info /*
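
Review bot: In arch/arm/mm/Kconfig, the new HARDEN_BRANCH_PREDICTOR entry has "default y" but no "depends on" line, so it is switched on for every ARM configuration that reads this file, including ones that build none of the processor code this patch touches. Suggest restricting it to the configurations that can actually select a flushing switch_mm, and naming in the help text which cores are covered and which firmware control bits the last paragraph means; "may rely on specific instruction sequences or control bits being set by the system firmware" gives an integrator nothing concrete to verify.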
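
Review bot: In arch/arm/mm/proc-v7-2level.S, the comment left above the renamed entry is now stale: it still speaks only of Cortex-A8 ("even on Cortex-A8 revisions not affected by 430973. If IBE is not set, the flush BTAC/BTB won't do anything."), yet cpu_v7_btbinv_switch_mm is also reached from the ca9mp and ca17 aliases added in proc-v7.S. Update the comment to list the cores that use this entry and to state whether the IBE caveat applies to A9, A12 and A17 too. If it does, the mitigation is silently a no-op on those parts unless firmware sets the bit, and that belongs next to the code.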
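
Review bot: In arch/arm/mm/proc-v7-3level.S, the added cpu_v7_btbinv_switch_mm passes r0 to the flush ("mcr p15, 0, r0, c7, c5, 6"), while the 2-level version zeroes a scratch register first ("mov r2, #0") and writes that. r0 is a live argument register at entry, so either add a comment that the value written is ignored for this operation, or match the 2-level code. The new entry also has no return of its own and depends on falling through into ENTRY(cpu_v7_switch_mm); a short "fall through" comment would stop later edits from separating the two labels, and since no barrier is visible in this hunk it is worth confirming that the one the flush needs is issued on the shared path.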
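
Review bot: In arch/arm/mm/proc-v7.S, the Cortex-A8 alias "globl_equ cpu_ca8_switch_mm, cpu_v7_btbinv_switch_mm" is added unconditionally, whereas the ca9mp and ca17 aliases select the flushing variant only under CONFIG_HARDEN_BRANCH_PREDICTOR. If that asymmetry is deliberate because A8 already flushed before this patch, say so in a comment beside the alias; as written it reads like a missed #ifdef. In the proc_info hunks, __v7_ca12mp_proc_info now takes "proc_fns = ca17_processor_functions"; the "Cortex-A12/A17" block comment explains the sharing, but a note at the ca12mp entry would save a reader from hunting for a ca12 function set that does not exist.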