From patchwork Thu Oct 24 12:48:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 177445 Delivered-To: patch@linaro.org Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp2142491ill; Thu, 24 Oct 2019 05:49:29 -0700 (PDT) X-Google-Smtp-Source: APXvYqwKYeH0TEEzoJZIE+1fOpeVHrZNBy03XFNxjNkR/oHb8MOJ6HS4C1ReDyP5iXvBUmS8XjZ7 X-Received: by 2002:a17:906:4c97:: with SMTP id q23mr36366652eju.78.1571921369155; Thu, 24 Oct 2019 05:49:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1571921369; cv=none; d=google.com; s=arc-20160816; b=qBxr16uVxEKmxEzx89miWONi7q6qjt4p0qA1bBSUTYPsUdrIfGn3ex+tK8cJJe5j2n QjDjHEJEs+YrPXzezfdvfIAFk/ZNY429hwKXn92DJscfoOf8ach7Z5r3DskllenOX8xC TDOA7ZuFwOg5d5/0kmFiEObB+g4mqwJH1Y/XO/waL3GzMk8QUSaTzgYBVu8x4YYVglsM 9o9Ls/Dit0uEytpQvAUs/QJUCtET/msXEOOjIgUWKLAZpB3sywFA2kQySu+HnQAJL6gN OSH/3J7R8Y854ML3w0ztvdm330qf0dO0wol6pitQbtwgfRy+BwhdPw+c8dJqaxpKt5CJ xEdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=gP22+EN20t8XuAgVVLPZCSvR9l9f1V9JzOAF+RDbNYk=; b=UridrW8nyVhKvXPf3GQk1dTV2sHQtCMgxHReHC6b8tIjl0P/cRpWbJADWi7DEtfJ/f MyEWUX6Ji2Rd/En6v+JFq/3pN5Y4zH1+VT2a3xpz2OcqjSsaVm/i0r8tygsIU4yFLWaz aJRD2enVge6HxrFUduqAbKKoE3mwek7pa3J89d73doY6+1n6nMnz7oIrGU9vdVa1fH8B w2zlu9Zckav9BkZQ6VB2PEMST0UbaWetS+OoLhPQXnQc/kzWrgqioGQwlE5QPox/u5sE 3BK2HRMD41zqy8bWr+M1K3cpYQcDv7QzmvpJfvvTs9Lu5eSddUXJ58uGgzIC4PanyJRx o9Bw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=zGScEvvs; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f3si12973378eda.251.2019.10.24.05.49.28; Thu, 24 Oct 2019 05:49:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=zGScEvvs; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2502107AbfJXMt2 (ORCPT + 14 others); Thu, 24 Oct 2019 08:49:28 -0400 Received: from mail-wm1-f66.google.com ([209.85.128.66]:50746 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2502106AbfJXMt2 (ORCPT ); Thu, 24 Oct 2019 08:49:28 -0400 Received: by mail-wm1-f66.google.com with SMTP id q13so2706064wmj.0 for ; Thu, 24 Oct 2019 05:49:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=gP22+EN20t8XuAgVVLPZCSvR9l9f1V9JzOAF+RDbNYk=; b=zGScEvvsES9rHEMaubooMfvweePjcNyG0ck9V7HyD41Cd2wWsQwAyNf3tQmWBW5wWw RmAciHrtWFZlU3PzEKayfG5Jw7nxDCHLbeY9ljoH5jvVgZSb6yUMRNTG6jFoowAtx+/r 7bLTskw9pXmygMvgc0KzkSgWecZ2BskUWWZEXvUWaPhizb25CVJV3PX8vRBLUouB0thj k/PIm1oZl9D/mPdbs5hmiCSpUo0av5k3x8+VinOyoTLRphsg4qmTpI/AznD0KG/2mTnq rWeXyFyoc4JDOwSWVJNL2BpJHsLZ8An+DB0MRffoSn8G+wuIMBcidOW4gc6gkYBcQIw6 CDQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=gP22+EN20t8XuAgVVLPZCSvR9l9f1V9JzOAF+RDbNYk=; b=k+2NoGr5QdoNkcG1/fioa+o4zAtqIfx6bM/1IQLg5y+nhBqILMvUpD2TYpkDCzY1h1 I3AIdzj0TzjT8zZq7ArTFDq8tHn5Ujvo0Qvw98chuFiLYhgl7p2pQDdshKh0Q4UXxkM9 fS+zzD2vCFpf5mCwpYVdMKNsEiThDx8m6yR8kxHr//8bOztzIQXSj3IKq01OE8z3JvWw P8xBT6/yFH1RhMuxYNxo5x37SmokGuPk+yaeE56RJUn3mUz0zMr+ZNVsuPG2tzESnazj T1XM094xBppdsY61o8CrGCU1xBWYmgh1Z85kfmXBHT0XRxRmRe2KICiWJwYSv6X2XDRg IzXQ== X-Gm-Message-State: APjAAAUmAs5PtP4i9R1GxrBW7kt3GWob8/P9iG9ESGgpGxSOlkEdu4We uvvc4GMemU+C1FNOIv1V1YvZzPH79ExCMH2u X-Received: by 2002:a7b:cb03:: with SMTP id u3mr4731322wmj.126.1571921363292; Thu, 24 Oct 2019 05:49:23 -0700 (PDT) Received: from localhost.localdomain (aaubervilliers-681-1-126-126.w90-88.abo.wanadoo.fr. [90.88.7.126]) by smtp.gmail.com with ESMTPSA id j22sm29111038wrd.41.2019.10.24.05.49.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Oct 2019 05:49:22 -0700 (PDT) From: Ard Biesheuvel To: stable@vger.kernel.org Cc: Ard Biesheuvel , Will Deacon , Catalin Marinas , Marc Zyngier , Mark Rutland , Suzuki K Poulose , Jeremy Linton , Andre Przywara , Alexandru Elisei , Will Deacon , Dave Martin Subject: [PATCH for-stable-4.14 22/48] arm64: capabilities: Restrict KPTI detection to boot-time CPUs Date: Thu, 24 Oct 2019 14:48:07 +0200 Message-Id: <20191024124833.4158-23-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191024124833.4158-1-ard.biesheuvel@linaro.org> References: <20191024124833.4158-1-ard.biesheuvel@linaro.org> MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Suzuki K Poulose [ Upstream commit d3aec8a28be3b88bf75442e7c24fd9da8d69a6df ] KPTI is treated as a system wide feature and is only detected if all the CPUs in the sysetm needs the defense, unless it is forced via kernel command line. This leaves a system with a mix of CPUs with and without the defense vulnerable. Also, if a late CPU needs KPTI but KPTI was not activated at boot time, the CPU is currently allowed to boot, which is a potential security vulnerability. This patch ensures that the KPTI is turned on if at least one CPU detects the capability (i.e, change scope to SCOPE_LOCAL_CPU). Also rejetcs a late CPU, if it requires the defense, when the system hasn't enabled it, Cc: Will Deacon Reviewed-by: Dave Martin Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: Ard Biesheuvel --- arch/arm64/include/asm/cpufeature.h | 9 +++++++++ arch/arm64/kernel/cpufeature.c | 16 +++++++++++----- 2 files changed, 20 insertions(+), 5 deletions(-) -- 2.20.1 diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h index 09825b667af0..96c99b201b2f 100644 --- a/arch/arm64/include/asm/cpufeature.h +++ b/arch/arm64/include/asm/cpufeature.h @@ -244,6 +244,15 @@ extern struct arm64_ftr_reg arm64_ftr_reg_ctrel0; ARM64_CPUCAP_OPTIONAL_FOR_LATE_CPU | \ ARM64_CPUCAP_PERMITTED_FOR_LATE_CPU) +/* + * CPU feature detected at boot time, on one or more CPUs. A late CPU + * is not allowed to have the capability when the system doesn't have it. + * It is Ok for a late CPU to miss the feature. + */ +#define ARM64_CPUCAP_BOOT_RESTRICTED_CPU_LOCAL_FEATURE \ + (ARM64_CPUCAP_SCOPE_LOCAL_CPU | \ + ARM64_CPUCAP_OPTIONAL_FOR_LATE_CPU) + struct arm64_cpu_capabilities { const char *desc; u16 capability; diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 439cdca71024..b3ebbc56bebb 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -824,10 +824,9 @@ static bool has_no_fpsimd(const struct arm64_cpu_capabilities *entry, int __unus static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, - int __unused) + int scope) { char const *str = "command line option"; - u64 pfr0 = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1); /* * For reasons that aren't entirely clear, enabling KPTI on Cavium @@ -863,8 +862,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, } /* Defer to CPU feature registers */ - return !cpuid_feature_extract_unsigned_field(pfr0, - ID_AA64PFR0_CSV3_SHIFT); + return !has_cpuid_feature(entry, scope); } static void @@ -1011,7 +1009,15 @@ static const struct arm64_cpu_capabilities arm64_features[] = { { .desc = "Kernel page table isolation (KPTI)", .capability = ARM64_UNMAP_KERNEL_AT_EL0, - .type = ARM64_CPUCAP_SYSTEM_FEATURE, + .type = ARM64_CPUCAP_BOOT_RESTRICTED_CPU_LOCAL_FEATURE, + /* + * The ID feature fields below are used to indicate that + * the CPU doesn't need KPTI. See unmap_kernel_at_el0 for + * more details. + */ + .sys_reg = SYS_ID_AA64PFR0_EL1, + .field_pos = ID_AA64PFR0_CSV3_SHIFT, + .min_field_value = 1, .matches = unmap_kernel_at_el0, .cpu_enable = kpti_install_ng_mappings, },