From patchwork Mon Nov 27 16:37:55 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119745 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp511595qgn; Mon, 27 Nov 2017 08:38:29 -0800 (PST) X-Google-Smtp-Source: AGs4zMYNYgFykugD75lhUMgyVXlkQV1U1WpgDBBZo/UHaTFaYdCVPSnSeJxWk3yQ7s+tIc6LUJpZ X-Received: by 10.98.17.196 with SMTP id 65mr37805955pfr.35.1511800709308; Mon, 27 Nov 2017 08:38:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800709; cv=none; d=google.com; s=arc-20160816; b=wilcI9ujRpA9JOoUrmEMjKGAttDsNgCFivmPWtcuYTYYDViKIbPbiURVrj3Lpk1bJ0 447yeX5xHxVa3TOIowDyO/mKQCajcDIYgmQmtcfu1C6J5MNamkvzwTVMWVw8S6u+Qwou uSpgleMzP1zVE07xUSTQqCJTapb3/iU1+W3p9GMnMRd9TEP8xl9Rp6QeG5DbH/1sTiox N8SVBSerB5c78as7BPJeHBPuqyjNI4ARD+QR9Ushv/4AokGQ3/4CjfJDwh6qvc94dyfx 9VXh+E5Zfck+QEUBZwk14qoXkQolw4dfyKLMCyGqRljsC36d4D2SfmwQbf+Po/bnENXB HdVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=7LjZBVhpdg4XHClpMJiQcR7J8ohwJ9E1TX6FBckDDWo=; b=Bh+L4vfcBKHJTUm+ctGorQwcLqDOyHwSRgGh8F7X9atYt9vIoAmi27OzaA/HNVjVoC WFxww5cmtIgVibScjkTaC9ILMxwqpoI92JwPTUCDP4gSHk5eYnfVnJj5/fXngfYinwc/ 6/LKSrFt4o1EqFr0z0QC/mYcq72/dwyRr20+DcmJb6XQW8GziahXvDTUywjkY9HS7HIb 6lWFiviNLURP/eljc2TBmgjEXVvq73a3knG/oi2kBJi4vp6qr/DRariBSmYckxOWzMye YhzvLXEFD+h9UoW2As2FDklEI8r4hARp7PpQMHwDV1mpxxBsLBqqazpcqpIcG8/wkPDm S6Ww== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w24si2360296plq.696.2017.11.27.08.38.29; Mon, 27 Nov 2017 08:38:29 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753491AbdK0Qi2 (ORCPT + 28 others); Mon, 27 Nov 2017 11:38:28 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:40064 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752930AbdK0Qi0 (ORCPT ); Mon, 27 Nov 2017 11:38:26 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 298E815A2; Mon, 27 Nov 2017 08:38:26 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 7C8403F246; Mon, 27 Nov 2017 08:38:23 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 01/12] asm-generic: mm_hooks: allow hooks to be overridden individually Date: Mon, 27 Nov 2017 16:37:55 +0000 Message-Id: <20171127163806.31435-2-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Currently, an architecture must either implement all of the mm hooks itself, or use all of those provided by the asm-generic implementation. When an architecture only needs to override a single hook, it must copy the stub implementations from the asm-generic version. To avoid this repetition, allow each hook to be overridden indiviually, by placing each under an #ifndef block. As architectures providing their own hooks can't include this file today, this shouldn't adversely affect any existing hooks. Signed-off-by: Mark Rutland Cc: Arnd Bergmann Cc: linux-arch@vger.kernel.org --- include/asm-generic/mm_hooks.h | 11 +++++++++++ 1 file changed, 11 insertions(+) -- 2.11.0 diff --git a/include/asm-generic/mm_hooks.h b/include/asm-generic/mm_hooks.h index ea189d88a3cc..34edf0850d49 100644 --- a/include/asm-generic/mm_hooks.h +++ b/include/asm-generic/mm_hooks.h @@ -7,30 +7,41 @@ #ifndef _ASM_GENERIC_MM_HOOKS_H #define _ASM_GENERIC_MM_HOOKS_H +#ifndef arch_dup_mmap static inline void arch_dup_mmap(struct mm_struct *oldmm, struct mm_struct *mm) { } +#endif +#ifndef arch_exit_mmap static inline void arch_exit_mmap(struct mm_struct *mm) { } +#endif +#ifndef arch_unmap static inline void arch_unmap(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long start, unsigned long end) { } +#endif +#ifndef arch_bprm_mm_init static inline void arch_bprm_mm_init(struct mm_struct *mm, struct vm_area_struct *vma) { } +#endif +#ifndef arch_vma_access_permitted static inline bool arch_vma_access_permitted(struct vm_area_struct *vma, bool write, bool execute, bool foreign) { /* by default, allow everything */ return true; } +#endif + #endif /* _ASM_GENERIC_MM_HOOKS_H */ From patchwork Mon Nov 27 16:37:56 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119746 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp511934qgn; Mon, 27 Nov 2017 08:38:44 -0800 (PST) X-Google-Smtp-Source: AGs4zMYiplgKiwvaRFUbQsYAAMdDitg6mXQinKh9B/ubgg6XRutJ9XkSM655x3ouKTuV7nZQn3zB X-Received: by 10.98.7.149 with SMTP id 21mr37560871pfh.14.1511800724543; Mon, 27 Nov 2017 08:38:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800724; cv=none; d=google.com; s=arc-20160816; b=fH8IkEm8Hi5RWK4+Wc9g739tZF8Z+/6grgNIEJV/1G3t+dDK9sAIWiRAvkQSFZVbe/ cvsr6EvvQbEsBS+V1/0aOap+eBwWirZ3kNaM0oxlwbMDl/7WubOX/qNvu5l8bectF3Rg i9mytYnP3v7u8qesJinHrflfAbeBTkOy+0Ws7EVryo42Lery+O9U6qE3i+YE7glDAz/6 l/ebnNeumLg1f7dosq1PGXJb7xxWpGUj5ZDV+O1JdkU8MFytdJ8w2naoyz57NY6kZ8tE fusu9bdXm+27fmPayRZ56LyQGpzgNdKeqIhx2NRl5BxA18CVHqUToLgjDP8TT0usiKqC GbNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=4n0z92BTLyLT3AHh/JqY9QTeI5MsvaCs9MgpTsW4bVA=; b=O5stxeg98VynFS5+SiTSoLZJU+ZFKvMfrRnEDGnU3VktX1HFcKX7MB/Li9zzXG7S2C aAyV2YDJnUIysBQ3PLJNjCvHJ4SGdEUpdYSCcd2vGmK4N2GkL2GZgZrPma04PFK5CYXK Xjol6o6DpnXoFb/7tUnU4TnbqmYORpLbMUgPsbnpHtzAfCl6lIi0nGe0qaoeV7tb8DCE KXkHhLa5mu+ZpVxluDwjnyLG4JKkPU+oyiQgcCXt6taD5gwaFD2u++LPAh7K2jJ3QMEi 4aeBfv0Rw1e+2EAwTE/k/KKuqiFNX6oQkS414medbVegr/gY13dhZVAAK+t7B1bwgAV0 Ctdg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a13si22658399pgt.35.2017.11.27.08.38.44; Mon, 27 Nov 2017 08:38:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753574AbdK0Qin (ORCPT + 28 others); Mon, 27 Nov 2017 11:38:43 -0500 Received: from foss.arm.com ([217.140.101.70]:40070 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753068AbdK0Qik (ORCPT ); Mon, 27 Nov 2017 11:38:40 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 6BF3A15BE; Mon, 27 Nov 2017 08:38:40 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id CDACF3F246; Mon, 27 Nov 2017 08:38:37 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 02/12] arm64: add pointer authentication register bits Date: Mon, 27 Nov 2017 16:37:56 +0000 Message-Id: <20171127163806.31435-3-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The ARMv8.3 pointer authentication extension adds: * New fields in ID_AA64ISAR1 to report the presence of pointer authentication functionality. * New control bits in SCTLR_ELx to enable this functionality. * New system registers to hold the keys necessary for this functionality. * A new ESR_ELx.EC code used when the new instructions are affected by configurable traps This patch adds the relevant definitions to and for these, to be used by subsequent patches. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Suzuki K Poulose Cc: Will Deacon --- arch/arm64/include/asm/esr.h | 3 ++- arch/arm64/include/asm/sysreg.h | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) -- 2.11.0 diff --git a/arch/arm64/include/asm/esr.h b/arch/arm64/include/asm/esr.h index 014d7d8edcf9..5c628fa31cec 100644 --- a/arch/arm64/include/asm/esr.h +++ b/arch/arm64/include/asm/esr.h @@ -30,7 +30,8 @@ #define ESR_ELx_EC_CP14_LS (0x06) #define ESR_ELx_EC_FP_ASIMD (0x07) #define ESR_ELx_EC_CP10_ID (0x08) -/* Unallocated EC: 0x09 - 0x0B */ +#define ESR_ELx_EC_PAC (0x09) +/* Unallocated EC: 0x0A - 0x0B */ #define ESR_ELx_EC_CP14_64 (0x0C) /* Unallocated EC: 0x0d */ #define ESR_ELx_EC_ILL (0x0E) diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h index 08cc88574659..a67cfedfa3af 100644 --- a/arch/arm64/include/asm/sysreg.h +++ b/arch/arm64/include/asm/sysreg.h @@ -170,6 +170,19 @@ #define SYS_TTBR1_EL1 sys_reg(3, 0, 2, 0, 1) #define SYS_TCR_EL1 sys_reg(3, 0, 2, 0, 2) +#define SYS_APIAKEYLO_EL1 sys_reg(3, 0, 2, 1, 0) +#define SYS_APIAKEYHI_EL1 sys_reg(3, 0, 2, 1, 1) +#define SYS_APIBKEYLO_EL1 sys_reg(3, 0, 2, 1, 2) +#define SYS_APIBKEYHI_EL1 sys_reg(3, 0, 2, 1, 3) + +#define SYS_APDAKEYLO_EL1 sys_reg(3, 0, 2, 2, 0) +#define SYS_APDAKEYHI_EL1 sys_reg(3, 0, 2, 2, 1) +#define SYS_APDBKEYLO_EL1 sys_reg(3, 0, 2, 2, 2) +#define SYS_APDBKEYHI_EL1 sys_reg(3, 0, 2, 2, 3) + +#define SYS_APGAKEYLO_EL1 sys_reg(3, 0, 2, 3, 0) +#define SYS_APGAKEYHI_EL1 sys_reg(3, 0, 2, 3, 1) + #define SYS_ICC_PMR_EL1 sys_reg(3, 0, 4, 6, 0) #define SYS_AFSR0_EL1 sys_reg(3, 0, 5, 1, 0) @@ -397,7 +410,11 @@ #define SYS_ICH_LR15_EL2 __SYS__LR8_EL2(7) /* Common SCTLR_ELx flags. */ +#define SCTLR_ELx_ENIA (1 << 31) +#define SCTLR_ELx_ENIB (1 << 30) +#define SCTLR_ELx_ENDA (1 << 27) #define SCTLR_ELx_EE (1 << 25) +#define SCTLR_ELx_ENDB (1 << 13) #define SCTLR_ELx_I (1 << 12) #define SCTLR_ELx_SA (1 << 3) #define SCTLR_ELx_C (1 << 2) @@ -431,11 +448,24 @@ #define ID_AA64ISAR0_AES_SHIFT 4 /* id_aa64isar1 */ +#define ID_AA64ISAR1_GPI_SHIFT 28 +#define ID_AA64ISAR1_GPA_SHIFT 24 #define ID_AA64ISAR1_LRCPC_SHIFT 20 #define ID_AA64ISAR1_FCMA_SHIFT 16 #define ID_AA64ISAR1_JSCVT_SHIFT 12 +#define ID_AA64ISAR1_API_SHIFT 8 +#define ID_AA64ISAR1_APA_SHIFT 4 #define ID_AA64ISAR1_DPB_SHIFT 0 +#define ID_AA64ISAR1_APA_NI 0x0 +#define ID_AA64ISAR1_APA_ARCHITECTED 0x1 +#define ID_AA64ISAR1_API_NI 0x0 +#define ID_AA64ISAR1_API_IMP_DEF 0x1 +#define ID_AA64ISAR1_GPA_NI 0x0 +#define ID_AA64ISAR1_GPA_ARCHITECTED 0x1 +#define ID_AA64ISAR1_GPI_NI 0x0 +#define ID_AA64ISAR1_GPI_IMP_DEF 0x1 + /* id_aa64pfr0 */ #define ID_AA64PFR0_SVE_SHIFT 32 #define ID_AA64PFR0_GIC_SHIFT 24 From patchwork Mon Nov 27 16:37:57 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119747 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp512134qgn; Mon, 27 Nov 2017 08:38:53 -0800 (PST) X-Google-Smtp-Source: AGs4zMYRPqlqP3kDoTOhsnWuFJYjXpqd7v/Tk71b1WUJkoNQO9KyFIz7rGoPrtFK8khpGAYTz4K6 X-Received: by 10.101.74.8 with SMTP id s8mr36925336pgq.259.1511800733182; Mon, 27 Nov 2017 08:38:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800733; cv=none; d=google.com; s=arc-20160816; b=SF6T5rdEqoYXVz800pU4327v4MFgP8NwONxqbw4Vtz0p/2DJiMuGHbemHKuTdQe1Eo eLr/PhaEJcF/y+GAtflauz8cJZc1FeqOLqt83ONRU//n6rHz09zRMhF9DpE+irWzInC9 FWNkP5N6awfv1LAitgpa+ZeKnvti0Lpx71YasE5P5FN1UTetD5AU5R5ZlVPOELrAOpT2 HFsuDso4T8+or2j2nm1lX3aQCOExutUo6OXeiuR01nPZkwki0icrzJ3h/2mZGMwMb3Vo y7FqYNgOn3rf8GET/TEYiVlwaNZSujzOa6tI8W+GSP2atErMLOZvgM892eJLcoEZFDpb b8Kw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=+NI1W86NSLNpkwU0o7mDbhHP5wGI8yhTU21hMq8OCF0=; b=dXOXx807+ORa1/rspTDPIZvrX5154JfyCazJv2yY6NCx37ugkQyj0O7SiK6YKiGYTq ZBgdbKX6ae3p/4PmvC679sCgNA2HLvjyP1regmwCVPxxmdlj2amjrnVEuwwyeSUadciJ 0jej5ik3XLEDvKpnxkYiSwO/QySzJBWckcgZ7rFGyHLj5RNvidUJMKm564s5PLcYLOFs rBr3igbWO3CpeR/gl+V7KwgoNxK+K65CXlknuwCD2JXIO5bc2A38/vCT5/UJRQBFvRvK INanjq2S1pb4KLubJe2kSdkdWbbLQUAECD70hPBO/u2xat0FQn2BK5QsyuHh/5FdZz6g m01g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e28si22861932pgn.717.2017.11.27.08.38.52; Mon, 27 Nov 2017 08:38:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753642AbdK0Qiv (ORCPT + 28 others); Mon, 27 Nov 2017 11:38:51 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:40094 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753599AbdK0Qit (ORCPT ); Mon, 27 Nov 2017 11:38:49 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id A5D951529; Mon, 27 Nov 2017 08:38:49 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 0E6F83F246; Mon, 27 Nov 2017 08:38:46 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 03/12] arm64/cpufeature: add ARMv8.3 id_aa64isar1 bits Date: Mon, 27 Nov 2017 16:37:57 +0000 Message-Id: <20171127163806.31435-4-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >From ARMv8.3 onwards, ID_AA64ISAR1 is no longer entirely RES0, and now has four fields describing the presence of pointer authentication functionality: * APA - address authentication present, using an architected algorithm * API - address authentication present, using an IMP DEF algorithm * GPA - generic authentication present, using an architected algorithm * GPI - generic authentication present, using an IMP DEF algorithm This patch adds the requisite definitions so that we can identify the presence of this functionality. For the timebeing, the features are hidden from both KVM guests and userspace. As marking them with FTR_HIDDEN only hides them from userspace, they are also protected with ifdeffery on CONFIG_ARM64_POINTER_AUTHENTICATION. Signed-off-by: Mark Rutland Cc: Suzuki K Poulose Cc: Catalin Marinas Cc: Will Deacon Cc: Suzuki K Poulose --- arch/arm64/kernel/cpufeature.c | 8 ++++++++ 1 file changed, 8 insertions(+) -- 2.11.0 diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index c5ba0097887f..1883cdffcdf7 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -137,9 +137,17 @@ static const struct arm64_ftr_bits ftr_id_aa64isar0[] = { }; static const struct arm64_ftr_bits ftr_id_aa64isar1[] = { +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_GPI_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_GPA_SHIFT, 4, 0), +#endif ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_LRCPC_SHIFT, 4, 0), ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_FCMA_SHIFT, 4, 0), ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_JSCVT_SHIFT, 4, 0), +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_API_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_APA_SHIFT, 4, 0), +#endif ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_DPB_SHIFT, 4, 0), ARM64_FTR_END, }; From patchwork Mon Nov 27 16:37:58 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119748 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp512313qgn; Mon, 27 Nov 2017 08:39:02 -0800 (PST) X-Google-Smtp-Source: AGs4zMZYhERbByRhDH0CAEZXKF+r9OKwDrxw7X3THm5FmGGYUOHagitfaF2diT/9iHZUwUkSC/dq X-Received: by 10.98.79.86 with SMTP id d83mr37709187pfb.26.1511800741977; Mon, 27 Nov 2017 08:39:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800741; cv=none; d=google.com; s=arc-20160816; b=e4Ot3eBGTSpE5OiwdPRB9Opsc6VTKQLWaFSmidURBMRuUK2wLUAgrI6+ylZU0+gybC fu89YmXiyuAfYH5dz+NKwuzSD23BtpnXPFt2Oel+RLdhqy1NpAAQbPMp4fzhpqcbNEGa 19tbk4ll20U00YP7+80tRb896Xw6TLjRl+FiHhOtn4KsPDw12e3VCrV/kn9eXsQR3qBH jEvST6XsipWkWSIqquP4sNyMGHpGaiiZc94Oes1S5XKrMSc6+CCVCEe/5/m7HmvZTyiL cZGRwuP15NKMCtommIWjgtjikvefOJSFZ4mq1HAuHODAIGVG1Io6e55fXzrI0z13uwLs 9Z1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=Y9vM+s0N8jo7csHN2zvbtY1+njoj1QxvIsMuVADp1ik=; b=Y2iZ6lDosnDPyTIC50Dk86mL7/pLG50EZ6onhuqzrYWWGuCRdlup3YG35TZjv8MEQd C3jffO6HpqhzOj19jF2z0ZFMTdsTCMb/HSUOJGpRT+z/D6Hu51V6pMRiVWrVeVwSOba0 GiXthm/j989p9w8533kdPH9j15Lm2D/6M4Av5E/m+++TbCPwUgDE8rmAnTK+F6HIPzbs KLeiexWCJaHR+/lO+Wg5pOwkjjpBbuMMHsFr3e5eVueCCJ/ez4xZ+yZqLYfGf3BXvNm8 2MC5nRCOvmHGnpKcbLT5oCexAt6fReDu66TWnrScDZEKKnXUw/nOmp0KwIYm2lsfkzdM uLcw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z11si22737582pgp.662.2017.11.27.08.39.01; Mon, 27 Nov 2017 08:39:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932074AbdK0Qi7 (ORCPT + 28 others); Mon, 27 Nov 2017 11:38:59 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:40130 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753650AbdK0Qi5 (ORCPT ); Mon, 27 Nov 2017 11:38:57 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 67F7515A2; Mon, 27 Nov 2017 08:38:57 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id B5BB93F246; Mon, 27 Nov 2017 08:38:54 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 04/12] arm64/cpufeature: detect pointer authentication Date: Mon, 27 Nov 2017 16:37:58 +0000 Message-Id: <20171127163806.31435-5-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org So that we can dynamically handle the presence of pointer authentication functionality, wire up probing code in cpufeature.c. It is assumed that if all CPUs support an IMP DEF algorithm, the same algorithm is used across all CPUs. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Suzuki K Poulose Cc: Will Deacon --- arch/arm64/include/asm/cpucaps.h | 8 +++- arch/arm64/kernel/cpufeature.c | 82 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+), 1 deletion(-) -- 2.11.0 diff --git a/arch/arm64/include/asm/cpucaps.h b/arch/arm64/include/asm/cpucaps.h index 2ff7c5e8efab..d2830ce5c1c7 100644 --- a/arch/arm64/include/asm/cpucaps.h +++ b/arch/arm64/include/asm/cpucaps.h @@ -41,7 +41,13 @@ #define ARM64_WORKAROUND_CAVIUM_30115 20 #define ARM64_HAS_DCPOP 21 #define ARM64_SVE 22 +#define ARM64_HAS_ADDRESS_AUTH_ARCH 23 +#define ARM64_HAS_ADDRESS_AUTH_IMP_DEF 24 +#define ARM64_HAS_ADDRESS_AUTH 25 +#define ARM64_HAS_GENERIC_AUTH_ARCH 26 +#define ARM64_HAS_GENERIC_AUTH_IMP_DEF 27 +#define ARM64_HAS_GENERIC_AUTH 28 -#define ARM64_NCAPS 23 +#define ARM64_NCAPS 29 #endif /* __ASM_CPUCAPS_H */ diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 1883cdffcdf7..babd4c173092 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -853,6 +853,36 @@ static bool has_no_fpsimd(const struct arm64_cpu_capabilities *entry, int __unus ID_AA64PFR0_FP_SHIFT) < 0; } +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION +static bool has_address_auth(const struct arm64_cpu_capabilities *entry, + int __unused) +{ + u64 isar1 = read_sanitised_ftr_reg(SYS_ID_AA64ISAR1_EL1); + bool api, apa; + + apa = cpuid_feature_extract_unsigned_field(isar1, + ID_AA64ISAR1_APA_SHIFT) > 0; + api = cpuid_feature_extract_unsigned_field(isar1, + ID_AA64ISAR1_API_SHIFT) > 0; + + return apa || api; +} + +static bool has_generic_auth(const struct arm64_cpu_capabilities *entry, + int __unused) +{ + u64 isar1 = read_sanitised_ftr_reg(SYS_ID_AA64ISAR1_EL1); + bool gpi, gpa; + + gpa = cpuid_feature_extract_unsigned_field(isar1, + ID_AA64ISAR1_GPA_SHIFT) > 0; + gpi = cpuid_feature_extract_unsigned_field(isar1, + ID_AA64ISAR1_GPI_SHIFT) > 0; + + return gpa || gpi; +} +#endif /* CONFIG_ARM64_POINTER_AUTHENTICATION */ + static const struct arm64_cpu_capabilities arm64_features[] = { { .desc = "GIC system register CPU interface", @@ -970,6 +1000,58 @@ static const struct arm64_cpu_capabilities arm64_features[] = { .enable = sve_kernel_enable, }, #endif /* CONFIG_ARM64_SVE */ +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION + { + .desc = "Address authentication (architected algorithm)", + .capability = ARM64_HAS_ADDRESS_AUTH_ARCH, + .def_scope = SCOPE_SYSTEM, + .sys_reg = SYS_ID_AA64ISAR1_EL1, + .sign = FTR_UNSIGNED, + .field_pos = ID_AA64ISAR1_APA_SHIFT, + .min_field_value = ID_AA64ISAR1_APA_ARCHITECTED, + .matches = has_cpuid_feature, + }, + { + .desc = "Address authentication (IMP DEF algorithm)", + .capability = ARM64_HAS_ADDRESS_AUTH_IMP_DEF, + .def_scope = SCOPE_SYSTEM, + .sys_reg = SYS_ID_AA64ISAR1_EL1, + .sign = FTR_UNSIGNED, + .field_pos = ID_AA64ISAR1_API_SHIFT, + .min_field_value = ID_AA64ISAR1_API_IMP_DEF, + .matches = has_cpuid_feature, + }, + { + .capability = ARM64_HAS_ADDRESS_AUTH, + .def_scope = SCOPE_SYSTEM, + .matches = has_address_auth, + }, + { + .desc = "Generic authentication (architected algorithm)", + .capability = ARM64_HAS_GENERIC_AUTH_ARCH, + .def_scope = SCOPE_SYSTEM, + .sys_reg = SYS_ID_AA64ISAR1_EL1, + .sign = FTR_UNSIGNED, + .field_pos = ID_AA64ISAR1_GPA_SHIFT, + .min_field_value = ID_AA64ISAR1_GPA_ARCHITECTED, + .matches = has_cpuid_feature + }, + { + .desc = "Generic authentication (IMP DEF algorithm)", + .capability = ARM64_HAS_GENERIC_AUTH_IMP_DEF, + .def_scope = SCOPE_SYSTEM, + .sys_reg = SYS_ID_AA64ISAR1_EL1, + .sign = FTR_UNSIGNED, + .field_pos = ID_AA64ISAR1_GPI_SHIFT, + .min_field_value = ID_AA64ISAR1_GPI_IMP_DEF, + .matches = has_cpuid_feature + }, + { + .capability = ARM64_HAS_GENERIC_AUTH, + .def_scope = SCOPE_SYSTEM, + .matches = has_generic_auth, + }, +#endif /* CONFIG_ARM64_POINTER_AUTHENTICATION */ {}, }; From patchwork Mon Nov 27 16:37:59 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119749 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp512409qgn; Mon, 27 Nov 2017 08:39:06 -0800 (PST) X-Google-Smtp-Source: AGs4zMYLOCvQY7kxnvDwJWq14Dan03VRQIRwNhTmUzKj8/cvHgtpSaK2IXhLEZwXqHjTxdbnpzEw X-Received: by 10.101.69.141 with SMTP id o13mr31395917pgq.125.1511800746673; Mon, 27 Nov 2017 08:39:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800746; cv=none; d=google.com; s=arc-20160816; b=eN9tFTesxZ4EzrirLVTf63RR7n92s9UURZr5+xqkcakt2YNzWFAY6mwGT+DPFFtISY wmqDdooqZUOVKn9w2j7nJVM6u9wHTo7pBJa4ZO2+E7ML0VVN5TMlcaBTXpcc3ZS/gem+ KgEpaH0rdcetBAzHqEt8mgPMhLERPycDV//GUIbducSOX+tfUe63rvlz3vCh/x3uPKhv iiPSBZZ30Hm+U1b0VD+vGva4YK7Aq8Uq404IfikDbTG4I8G3h33F4gSXkhP58/il98X4 V93G5xHQXmE46zuftEvXVKqmJGnQPxrjvDPQu2WiOyixT054mtL5S1InBXOgrFRRFHmV gcSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=FEKmW+rFyA7npoJn0jB/1gKXf9bmFrgmENo8kOqZzh0=; b=D79njriuAtedIKOPNJf2mtabrDEdWtPzBN+7kzeGIpbmSkDK7oWTKPLF5CGvofR4jc jMh3GOiNPpciw7ck8pqqi1IvD7ccSUF0b9dIkEiYu8gkmLTzQ9rDdOWO4Eod8/c7hYv9 FHKDtJZq9GoNHHF/rcerLy0gnFJT8Hs+dJ++/OwqnBXvqPFL6K8HNo5c79Mi5uX+Bv69 7jAzTseGbZVmnPfPr5pRJ7nYO5E/GN445YkJ6n0RWP8irmjsIlujYSuImlCkIbJqobWf WoP/T095fn8McNoTK03gK7odozqyODLehHr6pWn0YVXiB2S6fovHpqUzsu5XtFcoFEoP w4pw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p186si1597575pga.385.2017.11.27.08.39.06; Mon, 27 Nov 2017 08:39:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932096AbdK0QjE (ORCPT + 28 others); Mon, 27 Nov 2017 11:39:04 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:40152 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932075AbdK0QjB (ORCPT ); Mon, 27 Nov 2017 11:39:01 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id F01C3164F; Mon, 27 Nov 2017 08:39:00 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 57D153F246; Mon, 27 Nov 2017 08:38:58 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 05/12] arm64: Don't trap host pointer auth use to EL2 Date: Mon, 27 Nov 2017 16:37:59 +0000 Message-Id: <20171127163806.31435-6-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org To allow EL0 (and/or EL1) to use pointer authentication functionality, we must ensure that pointer authentication instructions and accesses to pointer authentication keys are not trapped to EL2 (where we will not be able to handle them). This patch ensures that HCR_EL2 is configured appropriately when the kernel is booted at EL2. For non-VHE kernels we set HCR_EL2.{API,APK}, ensuring that EL1 can access keys and permit EL0 use of instructions. For VHE kernels, EL2 access is controlled by EL3, and we need not set anything. This does not enable support for KVM guests, since KVM manages HCR_EL2 itself. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Christoffer Dall Cc: Marc Zyngier Cc: Will Deacon Cc: kvmarm@lists.cs.columbia.edu --- arch/arm64/include/asm/kvm_arm.h | 2 ++ arch/arm64/kernel/head.S | 19 +++++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) -- 2.11.0 Acked-by: Christoffer Dall diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h index 7f069ff37f06..62854d5d1d3b 100644 --- a/arch/arm64/include/asm/kvm_arm.h +++ b/arch/arm64/include/asm/kvm_arm.h @@ -23,6 +23,8 @@ #include /* Hyp Configuration Register (HCR) bits */ +#define HCR_API (UL(1) << 41) +#define HCR_APK (UL(1) << 40) #define HCR_E2H (UL(1) << 34) #define HCR_ID (UL(1) << 33) #define HCR_CD (UL(1) << 32) diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S index 67e86a0f57ac..06a96e9af26b 100644 --- a/arch/arm64/kernel/head.S +++ b/arch/arm64/kernel/head.S @@ -415,10 +415,25 @@ CPU_LE( bic x0, x0, #(1 << 25) ) // Clear the EE bit for EL2 /* Hyp configuration. */ mov x0, #HCR_RW // 64-bit EL1 - cbz x2, set_hcr + cbz x2, 1f orr x0, x0, #HCR_TGE // Enable Host Extensions orr x0, x0, #HCR_E2H -set_hcr: +1: +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION + /* + * Disable pointer authentication traps to EL2. The HCR_EL2.{APK,API} + * bits exist iff at least one authentication mechanism is implemented. + */ + mrs x1, id_aa64isar1_el1 + mov_q x3, ((0xf << ID_AA64ISAR1_GPI_SHIFT) | \ + (0xf << ID_AA64ISAR1_GPA_SHIFT) | \ + (0xf << ID_AA64ISAR1_API_SHIFT) | \ + (0xf << ID_AA64ISAR1_APA_SHIFT)) + and x1, x1, x3 + cbz x1, 1f + orr x0, x0, #(HCR_APK | HCR_API) +1: +#endif msr hcr_el2, x0 isb From patchwork Mon Nov 27 16:38:00 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119750 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp512552qgn; Mon, 27 Nov 2017 08:39:12 -0800 (PST) X-Google-Smtp-Source: AGs4zMYYsUn4AgY44Pgf2bnOG7ETC3jM+B9SwFAcW/b925NqoqAOoW+0HtJRPUzcN1SOl0ZJVjnq X-Received: by 10.101.73.74 with SMTP id q10mr30741928pgs.127.1511800752411; Mon, 27 Nov 2017 08:39:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800752; cv=none; d=google.com; s=arc-20160816; b=GyfK5/5jiLYYwCqYA/M4KYnndelNPrMaQxl9/eqseArwBjTB29zc7lk711DDnw4lcG +5r93fG2dtCcWopEHQmZFspvR9YCe2VuHs9WJp6MrTjdNvejRM3H6lj2qVy3+IHTYXDE cMJZZKVQTwz+8TlSnDz4bS0DHFOO0QcC6xE4Dlyt503Nj5MtQwpStKIzzpZg3+OLNF3e AL9Y+U44n1meVzYSMUVKI3mMOsgkIwkqySvyE5c3tVZhp3SJsnVIhNkhtmIanvhCig85 2EdnWr7niTRSHr7/EIF4LH/YHsz7F5M57NrYpFh0XuIMeWzGUheuIPJfJGN78W9PTdRv gmcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=0dJxpGBRWrkQNWK9xDhPBBYfh2yotBn7yGyIosCD60o=; b=QDMFrtVnZZVvWjoKtA0H8DT/KTQrF9oLmeRpGNJHznlBG0PHDil2tjhV0z28OX1S9M ml4jR05dVWJ3HNYBihC7jHOzsmqsMumzL0XyUgJKmyI3Ihhtp9MUmv+pV/hYsGQUP/zu XDk3Ez2JofigNeTAGFU6OVSzuyBGmmHr/Kz4uPty2+TC41UEiSLIhc/4/iWoWMHEJzEK qh3QQClUhSXKf1OdcwuN5/MvCMNk6pgo+ExlWc89ka75NNNQ1RvwNGnxu/uNq4kttIAZ t3lI9szjB6BD4beabYGjgNu4rKaHRxyffNSqVffG/Ku+BUMyR8YlItVJyiOhLD8vCnlH 4b4w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f20si6366889pgv.712.2017.11.27.08.39.12; Mon, 27 Nov 2017 08:39:12 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753381AbdK0QjJ (ORCPT + 28 others); Mon, 27 Nov 2017 11:39:09 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:40174 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753284AbdK0QjF (ORCPT ); Mon, 27 Nov 2017 11:39:05 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CE8081650; Mon, 27 Nov 2017 08:39:04 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 42F0A3F246; Mon, 27 Nov 2017 08:39:02 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 06/12] arm64: add basic pointer authentication support Date: Mon, 27 Nov 2017 16:38:00 +0000 Message-Id: <20171127163806.31435-7-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patch adds basic support for pointer authentication, allowing userspace to make use of APIAKey. The kernel maintains an APIAKey value for each process (shared by all threads within), which is initialised to a random value at exec() time. To describe that address authentication instructions are available, the ID_AA64ISAR0.{APA,API} fields are exposed to userspace. A new hwcap, APIA, is added to describe that the kernel manages APIAKey. Instructions using other keys (APIBKey, APDAKey, APDBKey) are disabled, and will behave as NOPs. These may be made use of in future patches. No support is added for the generic key (APGAKey), though this cannot be trapped or made to behave as a NOP. Its presence is not advertised with a hwcap. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Suzuki K Poulose Cc: Will Deacon --- arch/arm64/include/asm/mmu.h | 5 ++ arch/arm64/include/asm/mmu_context.h | 25 +++++++++- arch/arm64/include/asm/pointer_auth.h | 89 +++++++++++++++++++++++++++++++++++ arch/arm64/include/uapi/asm/hwcap.h | 1 + arch/arm64/kernel/cpufeature.c | 17 ++++++- arch/arm64/kernel/cpuinfo.c | 1 + 6 files changed, 134 insertions(+), 4 deletions(-) create mode 100644 arch/arm64/include/asm/pointer_auth.h -- 2.11.0 Tested-by: Adam Wallis diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h index 0d34bf0a89c7..2bcdf7f923ba 100644 --- a/arch/arm64/include/asm/mmu.h +++ b/arch/arm64/include/asm/mmu.h @@ -16,12 +16,17 @@ #ifndef __ASM_MMU_H #define __ASM_MMU_H +#include + #define MMCF_AARCH32 0x1 /* mm context flag for AArch32 executables */ typedef struct { atomic64_t id; void *vdso; unsigned long flags; +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION + struct ptrauth_keys ptrauth_keys; +#endif } mm_context_t; /* diff --git a/arch/arm64/include/asm/mmu_context.h b/arch/arm64/include/asm/mmu_context.h index 3257895a9b5e..06757a537bd7 100644 --- a/arch/arm64/include/asm/mmu_context.h +++ b/arch/arm64/include/asm/mmu_context.h @@ -31,7 +31,6 @@ #include #include #include -#include #include #include #include @@ -154,7 +153,14 @@ static inline void cpu_replace_ttbr1(pgd_t *pgd) #define destroy_context(mm) do { } while(0) void check_and_switch_context(struct mm_struct *mm, unsigned int cpu); -#define init_new_context(tsk,mm) ({ atomic64_set(&(mm)->context.id, 0); 0; }) +static inline int init_new_context(struct task_struct *tsk, + struct mm_struct *mm) +{ + atomic64_set(&mm->context.id, 0); + mm_ctx_ptrauth_init(&mm->context); + + return 0; +} /* * This is called when "tsk" is about to enter lazy TLB mode. @@ -200,6 +206,8 @@ static inline void __switch_mm(struct mm_struct *next) return; } + mm_ctx_ptrauth_switch(&next->context); + check_and_switch_context(next, cpu); } @@ -226,6 +234,19 @@ switch_mm(struct mm_struct *prev, struct mm_struct *next, void verify_cpu_asid_bits(void); +static inline void arch_dup_mmap(struct mm_struct *oldmm, + struct mm_struct *mm) +{ + mm_ctx_ptrauth_dup(&oldmm->context, &mm->context); +} +#define arch_dup_mmap arch_dup_mmap + +/* + * We need to override arch_dup_mmap before including the generic hooks, which + * are otherwise sufficient for us. + */ +#include + #endif /* !__ASSEMBLY__ */ #endif /* !__ASM_MMU_CONTEXT_H */ diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h new file mode 100644 index 000000000000..964da0c3dc48 --- /dev/null +++ b/arch/arm64/include/asm/pointer_auth.h @@ -0,0 +1,89 @@ +/* + * Copyright (C) 2016 ARM Ltd. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ +#ifndef __ASM_POINTER_AUTH_H +#define __ASM_POINTER_AUTH_H + +#include + +#include +#include + +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION +/* + * Each key is a 128-bit quantity which is split accross a pair of 64-bit + * registers (Lo and Hi). + */ +struct ptrauth_key { + unsigned long lo, hi; +}; + +/* + * We give each process its own instruction A key (APIAKey), which is shared by + * all threads. This is inherited upon fork(), and reinitialised upon exec*(). + * All other keys are currently unused, with APIBKey, APDAKey, and APBAKey + * instructions behaving as NOPs. + */ +struct ptrauth_keys { + struct ptrauth_key apia; +}; + +static inline void ptrauth_keys_init(struct ptrauth_keys *keys) +{ + if (!cpus_have_const_cap(ARM64_HAS_ADDRESS_AUTH)) + return; + + get_random_bytes(keys, sizeof(*keys)); +} + +#define __ptrauth_key_install(k, v) \ +do { \ + write_sysreg_s(v.lo, SYS_ ## k ## KEYLO_EL1); \ + write_sysreg_s(v.hi, SYS_ ## k ## KEYHI_EL1); \ +} while (0) + +static inline void ptrauth_keys_switch(struct ptrauth_keys *keys) +{ + if (!cpus_have_const_cap(ARM64_HAS_ADDRESS_AUTH)) + return; + + __ptrauth_key_install(APIA, keys->apia); +} + +static inline void ptrauth_keys_dup(struct ptrauth_keys *old, + struct ptrauth_keys *new) +{ + if (!cpus_have_const_cap(ARM64_HAS_ADDRESS_AUTH)) + return; + + *new = *old; +} + +#define mm_ctx_ptrauth_init(ctx) \ + ptrauth_keys_init(&(ctx)->ptrauth_keys) + +#define mm_ctx_ptrauth_switch(ctx) \ + ptrauth_keys_switch(&(ctx)->ptrauth_keys) + +#define mm_ctx_ptrauth_dup(oldctx, newctx) \ + ptrauth_keys_dup(&(oldctx)->ptrauth_keys, &(newctx)->ptrauth_keys) + +#else +#define mm_ctx_ptrauth_init(ctx) +#define mm_ctx_ptrauth_switch(ctx) +#define mm_ctx_ptrauth_dup(oldctx, newctx) +#endif + +#endif /* __ASM_POINTER_AUTH_H */ diff --git a/arch/arm64/include/uapi/asm/hwcap.h b/arch/arm64/include/uapi/asm/hwcap.h index cda76fa8b9b2..20daa89d839c 100644 --- a/arch/arm64/include/uapi/asm/hwcap.h +++ b/arch/arm64/include/uapi/asm/hwcap.h @@ -43,5 +43,6 @@ #define HWCAP_ASIMDDP (1 << 20) #define HWCAP_SHA512 (1 << 21) #define HWCAP_SVE (1 << 22) +#define HWCAP_APIA (1 << 23) #endif /* _UAPI__ASM_HWCAP_H */ diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index babd4c173092..9df232d16845 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -145,8 +145,8 @@ static const struct arm64_ftr_bits ftr_id_aa64isar1[] = { ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_FCMA_SHIFT, 4, 0), ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_JSCVT_SHIFT, 4, 0), #ifdef CONFIG_ARM64_POINTER_AUTHENTICATION - ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_API_SHIFT, 4, 0), - ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_APA_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_API_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_APA_SHIFT, 4, 0), #endif ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ISAR1_DPB_SHIFT, 4, 0), ARM64_FTR_END, @@ -832,6 +832,15 @@ static bool runs_at_el2(const struct arm64_cpu_capabilities *entry, int __unused return is_kernel_in_hyp_mode(); } +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION +static int cpu_enable_address_auth(void *__unused) +{ + config_sctlr_el1(0, SCTLR_ELx_ENIA); + + return 0; +} +#endif /* CONFIG_ARM64_POINTER_AUTHENTICATION */ + static bool hyp_offset_low(const struct arm64_cpu_capabilities *entry, int __unused) { @@ -1025,6 +1034,7 @@ static const struct arm64_cpu_capabilities arm64_features[] = { .capability = ARM64_HAS_ADDRESS_AUTH, .def_scope = SCOPE_SYSTEM, .matches = has_address_auth, + .enable = cpu_enable_address_auth, }, { .desc = "Generic authentication (architected algorithm)", @@ -1092,6 +1102,9 @@ static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { #ifdef CONFIG_ARM64_SVE HWCAP_CAP(SYS_ID_AA64PFR0_EL1, ID_AA64PFR0_SVE_SHIFT, FTR_UNSIGNED, ID_AA64PFR0_SVE, CAP_HWCAP, HWCAP_SVE), #endif +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION + HWCAP_CAP(SYS_ID_AA64ISAR1_EL1, ID_AA64ISAR1_APA_SHIFT, FTR_UNSIGNED, 1, CAP_HWCAP, HWCAP_APIA), +#endif {}, }; diff --git a/arch/arm64/kernel/cpuinfo.c b/arch/arm64/kernel/cpuinfo.c index 1e2554543506..88db0328c366 100644 --- a/arch/arm64/kernel/cpuinfo.c +++ b/arch/arm64/kernel/cpuinfo.c @@ -76,6 +76,7 @@ static const char *const hwcap_str[] = { "asimddp", "sha512", "sve", + "apia", NULL }; From patchwork Mon Nov 27 16:38:01 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119751 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp512608qgn; Mon, 27 Nov 2017 08:39:15 -0800 (PST) X-Google-Smtp-Source: AGs4zMZoBBnXdjjX7au1PsvSrk84Ra86Y3WVZINf9tGjHRAPxdD6aRjNrwrzy6L0astIHo6TCZNt X-Received: by 10.84.240.193 with SMTP id l1mr8570434plt.240.1511800755222; Mon, 27 Nov 2017 08:39:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800755; cv=none; d=google.com; s=arc-20160816; b=Gzq0fKaWyo9tPf4w+7saSm8sYo7dMOGRs1Q8Pi+n2VIVNMeWqjBhnCeZlSe1wfWl50 zh9qUtOHZKw+encBXLqlKEgJFOM/JMuaSeyLvQuFc6AVIZbPUo/Tf7tFsPboiFx/G4gH gyylO3qieUJOmK3TpjneRjw0aZJRe7gnKU+tioH+IcAe98uouX5zfEAW8C9/5Un0lmyV Xvg0PAINvaR+8dHl9SseELtYk+YXWfEHirJnE07f5OXjmWadDvdJf9t8GTUQNsAm6jOC DFa7uE+xatajS1kwVdGHtOVFLuCxGkUQKBDzAEjWjeeRkvhin4TIlUXMPFp/UXnz6Lak bt4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=vspOfwFCUn8PTC3oIXPfmNBMS9O8/tIfZPYuWTUTWvI=; b=LuIM3FmjXSPkaqA5sZHeb9f5bgnidTWmW1egRuBz9nDhDJRsF6PluUFsHs7QEbkGzl EyEpsbm1L7Fkk2ffBY336QFpM+AbL5mnSM5bpuoVAGDAJNSIppAiLv4U8gDNacYhX6l7 NrOTidTT7OGqGJadSJd8dDT6fTNzO2UStwuUOG14yUoeNzFeV/Gf1plIj+BXTWWr5KUk 5ufJYjXPh/y8cgDbRVd0sdW/WX99cNSzrSkJ1r/1VxSP5Ih2ERnaA5JDbFTwcs9xIA5n r8TYUl52XHzoZ5O1Ba0Ex+IsEm3U0N1F4LcyqdE/IvBI71fMEbzqZZr8u+CtHlAJHTKu FzSA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z5si1412884pln.408.2017.11.27.08.39.14; Mon, 27 Nov 2017 08:39:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753683AbdK0QjN (ORCPT + 28 others); Mon, 27 Nov 2017 11:39:13 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:40190 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932115AbdK0QjJ (ORCPT ); Mon, 27 Nov 2017 11:39:09 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 8F423165C; Mon, 27 Nov 2017 08:39:09 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id EE9333F246; Mon, 27 Nov 2017 08:39:06 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 07/12] arm64: expose user PAC bit positions via ptrace Date: Mon, 27 Nov 2017 16:38:01 +0000 Message-Id: <20171127163806.31435-8-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When pointer authentication is in use, data/instruction pointers have a number of PAC bits inserted into them. The number and position of these bits depends on the configured TCR_ELx.TxSZ and whether tagging is enabled. ARMv8.3 allows tagging to differ for instruction and data pointers. For userspace debuggers to unwind the stack and/or to follow pointer chains, they need to be able to remove the PAC bits before attempting to use a pointer. This patch adds a new structure with masks describing the location of the PAC bits in userspace instruction and data pointers (i.e. those addressable via TTBR0), which userspace can query via PTRACE_GETREGSET. By clearing these bits from pointers, userspace can acquire the PAC-less versions. This new regset is exposed when the kernel is built with (user) pointer authentication support, and the feature is enabled. Otherwise, it is hidden. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Will Deacon Cc: Yao Qi --- arch/arm64/include/asm/pointer_auth.h | 8 ++++++++ arch/arm64/include/uapi/asm/ptrace.h | 7 +++++++ arch/arm64/kernel/ptrace.c | 38 +++++++++++++++++++++++++++++++++++ include/uapi/linux/elf.h | 1 + 4 files changed, 54 insertions(+) -- 2.11.0 diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h index 964da0c3dc48..b08ebec4b806 100644 --- a/arch/arm64/include/asm/pointer_auth.h +++ b/arch/arm64/include/asm/pointer_auth.h @@ -16,9 +16,11 @@ #ifndef __ASM_POINTER_AUTH_H #define __ASM_POINTER_AUTH_H +#include #include #include +#include #include #ifdef CONFIG_ARM64_POINTER_AUTHENTICATION @@ -71,6 +73,12 @@ static inline void ptrauth_keys_dup(struct ptrauth_keys *old, *new = *old; } +/* + * The EL0 pointer bits used by a pointer authentication code. + * This is dependent on TBI0 being enabled, or bits 63:56 would also apply. + */ +#define ptrauth_pac_mask() GENMASK(54, VA_BITS) + #define mm_ctx_ptrauth_init(ctx) \ ptrauth_keys_init(&(ctx)->ptrauth_keys) diff --git a/arch/arm64/include/uapi/asm/ptrace.h b/arch/arm64/include/uapi/asm/ptrace.h index 98c4ce55d9c3..4994d718771a 100644 --- a/arch/arm64/include/uapi/asm/ptrace.h +++ b/arch/arm64/include/uapi/asm/ptrace.h @@ -228,6 +228,13 @@ struct user_sve_header { SVE_PT_SVE_OFFSET + SVE_PT_SVE_SIZE(vq, flags) \ : SVE_PT_FPSIMD_OFFSET + SVE_PT_FPSIMD_SIZE(vq, flags)) +/* pointer authentication masks (NT_ARM_PAC_MASK) */ + +struct user_pac_mask { + __u64 data_mask; + __u64 insn_mask; +}; + #endif /* __ASSEMBLY__ */ #endif /* _UAPI__ASM_PTRACE_H */ diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 7c44658b316d..6901dce44c8d 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include @@ -951,6 +952,30 @@ static int sve_set(struct task_struct *target, #endif /* CONFIG_ARM64_SVE */ +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION +static int pac_mask_get(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) +{ + /* + * The PAC bits can differ across data and instruction pointers + * depending on TCR_EL1.TBID*, which we may make use of in future, so + * we expose separate masks. + */ + unsigned long mask = ptrauth_pac_mask(); + struct user_pac_mask uregs = { + .data_mask = mask, + .insn_mask = mask, + }; + + if (!cpus_have_cap(ARM64_HAS_ADDRESS_AUTH)) + return -EINVAL; + + return user_regset_copyout(&pos, &count, &kbuf, &ubuf, &uregs, 0, -1); +} +#endif /* CONFIG_ARM64_POINTER_AUTHENTICATION */ + enum aarch64_regset { REGSET_GPR, REGSET_FPR, @@ -963,6 +988,9 @@ enum aarch64_regset { #ifdef CONFIG_ARM64_SVE REGSET_SVE, #endif +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION + REGSET_PAC_MASK, +#endif }; static const struct user_regset aarch64_regsets[] = { @@ -1032,6 +1060,16 @@ static const struct user_regset aarch64_regsets[] = { .get_size = sve_get_size, }, #endif +#ifdef CONFIG_ARM64_POINTER_AUTHENTICATION + [REGSET_PAC_MASK] = { + .core_note_type = NT_ARM_PAC_MASK, + .n = sizeof(struct user_pac_mask) / sizeof(u64), + .size = sizeof(u64), + .align = sizeof(u64), + .get = pac_mask_get, + /* this cannot be set dynamically */ + }, +#endif }; static const struct user_regset_view user_aarch64_view = { diff --git a/include/uapi/linux/elf.h b/include/uapi/linux/elf.h index bb6836986200..4ca58005e04a 100644 --- a/include/uapi/linux/elf.h +++ b/include/uapi/linux/elf.h @@ -419,6 +419,7 @@ typedef struct elf64_shdr { #define NT_ARM_HW_WATCH 0x403 /* ARM hardware watchpoint registers */ #define NT_ARM_SYSTEM_CALL 0x404 /* ARM system call number */ #define NT_ARM_SVE 0x405 /* ARM Scalable Vector Extension registers */ +#define NT_ARM_PAC_MASK 0x406 /* ARM pointer authentication code masks */ #define NT_METAG_CBUF 0x500 /* Metag catch buffer registers */ #define NT_METAG_RPIPE 0x501 /* Metag read pipeline state */ #define NT_METAG_TLS 0x502 /* Metag TLS pointer */ From patchwork Mon Nov 27 16:38:02 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119752 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp512702qgn; Mon, 27 Nov 2017 08:39:19 -0800 (PST) X-Google-Smtp-Source: AGs4zMZmzKUaV5ssDJZbJF4TFFOX08JrxnHR1er2eOD5Oz8aBfnDxxfk31OeZ58HJC6FYJwYfjwV X-Received: by 10.84.132.129 with SMTP id e1mr12644917ple.376.1511800759701; Mon, 27 Nov 2017 08:39:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800759; cv=none; d=google.com; s=arc-20160816; b=N42Q8uaiFJL4NXnRr+KUd3a/7yZjBnfqtIN/NAMh8zB7gdkN74xSHS+hUDFF7z6305 Vw+iw54cF7ZsS/lhIUtScfwpa5xwp9PRThGadglExap9rqysPlGmKwbAbaqyWvVktV1x iQnUVwVJ6vzsD+aX2Qc9iB8gQ2BvZbLSegUOGqvVcoJctdqtaePFpa/wWb682bSGHD8F BMUAW2WIn5zXwQbRf1nX0n7PYG8oU6ugFoBg5hao3OGCgy7gJGqSpQ58grif1rP8NJCB dnjqYm2yd0iOme7yTRn7ZDqRPMwWpycLZUWCwQQJqg8q1Pzer03NM3Uhrr3wGVEyOjP1 xcYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=InbLVbF6fPxSBn5bbNkgSm4lSvxN1MAxXFdW7w6t7ck=; b=h3uOlkmTsjSQcnuHSLD2gDXj8y5i5x1C2e4d7DR57IKfcAJZNOOE/PlB5Dd284iSyy geZtSmS7iFpueDewwbSvW1W4F+/88JmqgO8yTFbseX716mWtFO67zI0wk3fgRbbf4RVL 6K1+z37YdY4d9fYBJSFEc9NzNb103NFkfV9dBHJ7Yw/MBTjKhjKCMtvahMRidDOsjrgz oCiKm0jg2PaCSbF0vQWgZ/rGh8s5SrBTqtxNRM6Sshub2dvHvOyfjRvxk/ynG4FsVJ1k qpNRo3XGFo9bQy+LFkLNjKKFOpxjGis2yuc1nVw96ZBBoQogFkSNb9dIZTviQEFPmCAa UpGw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z5si1412884pln.408.2017.11.27.08.39.19; Mon, 27 Nov 2017 08:39:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932131AbdK0QjQ (ORCPT + 28 others); Mon, 27 Nov 2017 11:39:16 -0500 Received: from foss.arm.com ([217.140.101.70]:40200 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753684AbdK0QjO (ORCPT ); Mon, 27 Nov 2017 11:39:14 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E04CF1529; Mon, 27 Nov 2017 08:39:13 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 456D43F246; Mon, 27 Nov 2017 08:39:11 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 08/12] arm64: perf: strip PAC when unwinding userspace Date: Mon, 27 Nov 2017 16:38:02 +0000 Message-Id: <20171127163806.31435-9-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When the kernel is unwinding userspace callchains, we can't expect that the userspace consumer of these callchains has the data necessary to strip the PAC from the stored LR. This patch has the kernel strip the PAC from user stackframes when the in-kernel unwinder is used. This only affects the LR value, and not the FP. This only affects the in-kernel unwinder. When userspace performs unwinding, it is up to userspace to strip PACs as necessary (which can be determined from DWARF information). Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Will Deacon Cc: Yao Qi --- arch/arm64/include/asm/pointer_auth.h | 7 +++++++ arch/arm64/kernel/perf_callchain.c | 5 ++++- 2 files changed, 11 insertions(+), 1 deletion(-) -- 2.11.0 diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h index b08ebec4b806..07788ce755bc 100644 --- a/arch/arm64/include/asm/pointer_auth.h +++ b/arch/arm64/include/asm/pointer_auth.h @@ -79,6 +79,12 @@ static inline void ptrauth_keys_dup(struct ptrauth_keys *old, */ #define ptrauth_pac_mask() GENMASK(54, VA_BITS) +/* Only valid for EL0 TTBR0 instruction pointers */ +static inline unsigned long ptrauth_strip_insn_pac(unsigned long ptr) +{ + return ptr & ~ptrauth_pac_mask(); +} + #define mm_ctx_ptrauth_init(ctx) \ ptrauth_keys_init(&(ctx)->ptrauth_keys) @@ -89,6 +95,7 @@ static inline void ptrauth_keys_dup(struct ptrauth_keys *old, ptrauth_keys_dup(&(oldctx)->ptrauth_keys, &(newctx)->ptrauth_keys) #else +#define ptrauth_strip_insn_pac(lr) (lr) #define mm_ctx_ptrauth_init(ctx) #define mm_ctx_ptrauth_switch(ctx) #define mm_ctx_ptrauth_dup(oldctx, newctx) diff --git a/arch/arm64/kernel/perf_callchain.c b/arch/arm64/kernel/perf_callchain.c index bcafd7dcfe8b..928204f6ab08 100644 --- a/arch/arm64/kernel/perf_callchain.c +++ b/arch/arm64/kernel/perf_callchain.c @@ -35,6 +35,7 @@ user_backtrace(struct frame_tail __user *tail, { struct frame_tail buftail; unsigned long err; + unsigned long lr; /* Also check accessibility of one struct frame_tail beyond */ if (!access_ok(VERIFY_READ, tail, sizeof(buftail))) @@ -47,7 +48,9 @@ user_backtrace(struct frame_tail __user *tail, if (err) return NULL; - perf_callchain_store(entry, buftail.lr); + lr = ptrauth_strip_insn_pac(buftail.lr); + + perf_callchain_store(entry, lr); /* * Frame pointers should strictly progress back up the stack From patchwork Mon Nov 27 16:38:03 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119753 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp512852qgn; Mon, 27 Nov 2017 08:39:27 -0800 (PST) X-Google-Smtp-Source: AGs4zMZ9/nRJClNBJERo66RuYooTIs1LwdxMjrZOpjszmNBwPBUmoVgk57txSPfZPDs1LKd/BsY3 X-Received: by 10.159.252.11 with SMTP id n11mr39603638pls.196.1511800767456; Mon, 27 Nov 2017 08:39:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800767; cv=none; d=google.com; s=arc-20160816; b=xt7+LkkZp+JpTi5MrgUWVnTSWffHscwYkDjiORVd2FGkCfH2UwLKFQUQlwgOg54Jx1 nhEDsfRORGI7Jzv+f0uJCkFgZZUTh4U/cL3M4egqbiYx6UUKUXuSx5+26bZqnK2v3b1y 400R6/1tg4BtxCct2HWp5iGnmt1eerJ56hNQ/bQ2bJ4bsY2Mg++ypGjRb0M3XrnrKjo8 svaT9dnjtdgDGdXELR/s1iBdux1+R2uEsPOprV3/ctXC8IcyEZbZsZl8L42Vyf+AXPAD i+IGq4Kb4g+UWU8DURf8siZlztHGl8wX4bC+CZRGY9ukuQbm40lfq8Qw2D/MSHHcGiUm ENkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=LNzgizHUH3ZnrZMJMtfHX7wOwS+PgUHqRq8lc5fnlKI=; b=uVHaBd9KPi3pN9Wp8VOXLjO5Csm2K8CXEvrseBECHN5g1Xlh9Oka3NoWRnWckkJ22n ZLUXB658/3f7g5i1VoWW0DCPasxi+8vzHB7ek7RP0tJjTRHCb2auufmwr0XyyADs4P14 Agc6+oLFEYE32OAMV1QjCaC3NhciT9R7jnqpfBlDnHcX/2rrN3OQNkKvmkVEj2Qc7cw6 uaxbYgMrrN+oqU1nfvRkTttAfK7ggU6RCKFtika4+nbCwrGa0/AXcUkK19UTF4WdJObi ar8wAv7qeUqWwVNJMwo5/daSTd8oH+xUNMpKrkNgYNQXEGY2jx4DMTLKhPkyddyf5aGm 1Yfw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z5si1412884pln.408.2017.11.27.08.39.26; Mon, 27 Nov 2017 08:39:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753702AbdK0QjZ (ORCPT + 28 others); Mon, 27 Nov 2017 11:39:25 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:40226 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753297AbdK0QjW (ORCPT ); Mon, 27 Nov 2017 11:39:22 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5FB0F15A2; Mon, 27 Nov 2017 08:39:22 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id BA7673F6CF; Mon, 27 Nov 2017 08:39:19 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 09/12] arm64/kvm: preserve host HCR_EL2 value Date: Mon, 27 Nov 2017 16:38:03 +0000 Message-Id: <20171127163806.31435-10-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When restoring HCR_EL2 for the host, KVM uses HCR_HOST_VHE_FLAGS, which is a constant value. This works today, as the host HCR_EL2 value is always the same, but this will get in the way of supporting extensions that require HCR_EL2 bits to be set conditionally for the host. To allow such features to work without KVM having to explicitly handle every possible host feature combination, this patch has KVM save/restore the host HCR when switching to/from a guest HCR. For __{activate,deactivate}_traps(), the HCR save/restore is made common across the !VHE and VHE paths. As the host and guest HCR values must have E2H set when VHE is in use, register redirection should always be in effect at EL2, and this change should not adversely affect the VHE code. For the hyp TLB maintenance code, __tlb_switch_to_host_vhe() is updated to toggle the TGE bit with a RMW sequence, as we already do in __tlb_switch_to_guest_vhe(). The now unused HCR_HOST_VHE_FLAGS definition is removed. Signed-off-by: Mark Rutland Reviewed-by: Christoffer Dall Cc: Marc Zyngier Cc: kvmarm@lists.cs.columbia.edu --- arch/arm64/include/asm/kvm_arm.h | 1 - arch/arm64/include/asm/kvm_host.h | 5 ++++- arch/arm64/kvm/hyp/switch.c | 5 +++-- arch/arm64/kvm/hyp/tlb.c | 6 +++++- 4 files changed, 12 insertions(+), 5 deletions(-) -- 2.11.0 diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h index 62854d5d1d3b..aa02b05430e8 100644 --- a/arch/arm64/include/asm/kvm_arm.h +++ b/arch/arm64/include/asm/kvm_arm.h @@ -84,7 +84,6 @@ HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW) #define HCR_VIRT_EXCP_MASK (HCR_VSE | HCR_VI | HCR_VF) #define HCR_INT_OVERRIDE (HCR_FMO | HCR_IMO) -#define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H) /* TCR_EL2 Registers bits */ #define TCR_EL2_RES1 ((1 << 31) | (1 << 23)) diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h index 674912d7a571..39184aa3e2f2 100644 --- a/arch/arm64/include/asm/kvm_host.h +++ b/arch/arm64/include/asm/kvm_host.h @@ -199,10 +199,13 @@ typedef struct kvm_cpu_context kvm_cpu_context_t; struct kvm_vcpu_arch { struct kvm_cpu_context ctxt; - /* HYP configuration */ + /* Guest HYP configuration */ u64 hcr_el2; u32 mdcr_el2; + /* Host HYP configuration */ + u64 host_hcr_el2; + /* Exception Information */ struct kvm_vcpu_fault_info fault; diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c index 525c01f48867..2205f0be3ced 100644 --- a/arch/arm64/kvm/hyp/switch.c +++ b/arch/arm64/kvm/hyp/switch.c @@ -71,6 +71,8 @@ static void __hyp_text __activate_traps(struct kvm_vcpu *vcpu) { u64 val; + vcpu->arch.host_hcr_el2 = read_sysreg(hcr_el2); + /* * We are about to set CPTR_EL2.TFP to trap all floating point * register accesses to EL2, however, the ARM ARM clearly states that @@ -116,7 +118,6 @@ static void __hyp_text __deactivate_traps_vhe(void) MDCR_EL2_TPMS; write_sysreg(mdcr_el2, mdcr_el2); - write_sysreg(HCR_HOST_VHE_FLAGS, hcr_el2); write_sysreg(CPACR_EL1_DEFAULT, cpacr_el1); write_sysreg(vectors, vbar_el1); } @@ -129,7 +130,6 @@ static void __hyp_text __deactivate_traps_nvhe(void) mdcr_el2 |= MDCR_EL2_E2PB_MASK << MDCR_EL2_E2PB_SHIFT; write_sysreg(mdcr_el2, mdcr_el2); - write_sysreg(HCR_RW, hcr_el2); write_sysreg(CPTR_EL2_DEFAULT, cptr_el2); } @@ -151,6 +151,7 @@ static void __hyp_text __deactivate_traps(struct kvm_vcpu *vcpu) __deactivate_traps_arch()(); write_sysreg(0, hstr_el2); write_sysreg(0, pmuserenr_el0); + write_sysreg(vcpu->arch.host_hcr_el2, hcr_el2); } static void __hyp_text __activate_vm(struct kvm_vcpu *vcpu) diff --git a/arch/arm64/kvm/hyp/tlb.c b/arch/arm64/kvm/hyp/tlb.c index 73464a96c365..c2b0680efa2c 100644 --- a/arch/arm64/kvm/hyp/tlb.c +++ b/arch/arm64/kvm/hyp/tlb.c @@ -49,12 +49,16 @@ static hyp_alternate_select(__tlb_switch_to_guest, static void __hyp_text __tlb_switch_to_host_vhe(struct kvm *kvm) { + u64 val; + /* * We're done with the TLB operation, let's restore the host's * view of HCR_EL2. */ write_sysreg(0, vttbr_el2); - write_sysreg(HCR_HOST_VHE_FLAGS, hcr_el2); + val = read_sysreg(hcr_el2); + val |= HCR_TGE; + write_sysreg(val, hcr_el2); } static void __hyp_text __tlb_switch_to_host_nvhe(struct kvm *kvm) From patchwork Mon Nov 27 16:38:04 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119754 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp512932qgn; Mon, 27 Nov 2017 08:39:32 -0800 (PST) X-Google-Smtp-Source: AGs4zMZiPmZo+YvOBHPigxK75i/MajWJeA4OXUmqi7xvIHDdBQlFtDiox9+Di6MYg01u5UXMyP2Y X-Received: by 10.99.140.85 with SMTP id q21mr37686617pgn.57.1511800771931; Mon, 27 Nov 2017 08:39:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800771; cv=none; d=google.com; s=arc-20160816; b=zvdMckao4/upjC2aUKIvxf6BOjw2aoo+2cxZhFN2Ui7YjqWDxNf3UyNvSHk0P1pqCI 64+y3iCooaDABtoX7JJAJMd+q1KDEUfSAlmTpRlc21ZK5ARA4vjvPaJpzk8R5pddRqqi NSfkHxDWcKsxavx3kpEILa+me1+n8+LaLt+c/rcq2dyzRLWwzPiYsdudW5t/PcnLP8Ry 8n6w8ZSLl2/uiq0TNGrHP9SujpnB6f7XeS6oJb2W0nnns52HHc64xVfXQ8S5MaDBuKcr wwMDOcnMSpmnXNHkiWWIYJOutX4nzABva/OqgDQkau9wLM1G99xWaaPVsU5uUHY5b2JV hG5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=nCyI0dnyVCloKyW/45+TiDriHAlkxhaif5a0hYwzt98=; b=pruTxnY4/RrFc3mwTv9KZNqc9wjjFXBsdD43nRv/CnkJtBKt2mNQyPed0Tl1Mq0NOp 40h/chjt/yVxlvJI1gVwsBA3NMwsUChyBppGeMw3MKvCx0o4dRjk3gDpPsXO0LimCsbF tV8N5n5WFOBuw2lVNAl+UCsjSTB9mngbxkXlMK2FpeBks98car8T8x+lymbz/DQsIf6r vxkCs92e0mwAiTPltN3UhF1gf+Fqlyswc0SLWPCZx4pJ9g/jpJCr/JbLspbQFKUSaRvc hdstDGc8ryZR1impQlu4wfWYnXiiaorAvX2b3FiWAmaidS0hoWyeOt70I+7ipx4YWGAL MJbw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q77si25496148pfq.94.2017.11.27.08.39.31; Mon, 27 Nov 2017 08:39:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932147AbdK0Qja (ORCPT + 28 others); Mon, 27 Nov 2017 11:39:30 -0500 Received: from foss.arm.com ([217.140.101.70]:40242 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753297AbdK0Qj0 (ORCPT ); Mon, 27 Nov 2017 11:39:26 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 277F215BE; Mon, 27 Nov 2017 08:39:26 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 870D03F246; Mon, 27 Nov 2017 08:39:23 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 10/12] arm64/kvm: context-switch ptrauth registers Date: Mon, 27 Nov 2017 16:38:04 +0000 Message-Id: <20171127163806.31435-11-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When pointer authentication is supported, a guest may wish to use it. This patch adds the necessary KVM infrastructure for this to work, with a semi-lazy context switch of the pointer auth state. When we schedule a vcpu, we disable guest usage of pointer authentication instructions and accesses to the keys. While these are disabled, we avoid context-switching the keys. When we trap the guest trying to use pointer authentication functionality, we change to eagerly context-switching the keys, and enable the feature. The next time the vcpu is scheduled out/in, we start again. Pointer authentication consists of address authentication and generic authentication, and CPUs in a system might have varied support for either. Where support for either feature is not uniform, it is hidden from guests via ID register emulation, as a result of the cpufeature framework in the host. Unfortunately, address authentication and generic authentication cannot be trapped separately, as the architecture provides a single EL2 trap covering both. If we wish to expose one without the other, we cannot prevent a (badly-written) guest from intermittently using a feature which is not uniformly supported (when scheduled on a physical CPU which supports the relevant feature). When the guest is scheduled on a physical CPU lacking the feature, these atetmps will result in an UNDEF being taken by the guest. Signed-off-by: Mark Rutland Cc: Christoffer Dall Cc: Marc Zyngier Cc: kvmarm@lists.cs.columbia.edu --- arch/arm64/include/asm/kvm_host.h | 23 +++++++++- arch/arm64/include/asm/kvm_hyp.h | 7 +++ arch/arm64/kvm/handle_exit.c | 21 +++++++++ arch/arm64/kvm/hyp/Makefile | 1 + arch/arm64/kvm/hyp/ptrauth-sr.c | 91 +++++++++++++++++++++++++++++++++++++++ arch/arm64/kvm/hyp/switch.c | 4 ++ arch/arm64/kvm/sys_regs.c | 32 ++++++++++++++ 7 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 arch/arm64/kvm/hyp/ptrauth-sr.c -- 2.11.0 diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h index 39184aa3e2f2..2fc21a2a75a7 100644 --- a/arch/arm64/include/asm/kvm_host.h +++ b/arch/arm64/include/asm/kvm_host.h @@ -136,6 +136,18 @@ enum vcpu_sysreg { PMSWINC_EL0, /* Software Increment Register */ PMUSERENR_EL0, /* User Enable Register */ + /* Pointer Authentication Registers */ + APIAKEYLO_EL1, + APIAKEYHI_EL1, + APIBKEYLO_EL1, + APIBKEYHI_EL1, + APDAKEYLO_EL1, + APDAKEYHI_EL1, + APDBKEYLO_EL1, + APDBKEYHI_EL1, + APGAKEYLO_EL1, + APGAKEYHI_EL1, + /* 32bit specific registers. Keep them at the end of the range */ DACR32_EL2, /* Domain Access Control Register */ IFSR32_EL2, /* Instruction Fault Status Register */ @@ -363,10 +375,19 @@ static inline void __cpu_init_hyp_mode(phys_addr_t pgd_ptr, __kvm_call_hyp((void *)pgd_ptr, hyp_stack_ptr, vector_ptr); } +void kvm_arm_vcpu_ptrauth_enable(struct kvm_vcpu *vcpu); +void kvm_arm_vcpu_ptrauth_disable(struct kvm_vcpu *vcpu); +void kvm_arm_vcpu_ptrauth_trap(struct kvm_vcpu *vcpu); + static inline void kvm_arch_hardware_unsetup(void) {} static inline void kvm_arch_sync_events(struct kvm *kvm) {} static inline void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu) {} -static inline void kvm_arch_sched_in(struct kvm_vcpu *vcpu, int cpu) {} + +static inline void kvm_arch_sched_in(struct kvm_vcpu *vcpu, int cpu) +{ + kvm_arm_vcpu_ptrauth_disable(vcpu); +} + static inline void kvm_arch_vcpu_block_finish(struct kvm_vcpu *vcpu) {} void kvm_arm_init_debug(void); diff --git a/arch/arm64/include/asm/kvm_hyp.h b/arch/arm64/include/asm/kvm_hyp.h index 08d3bb66c8b7..d0dd924cb175 100644 --- a/arch/arm64/include/asm/kvm_hyp.h +++ b/arch/arm64/include/asm/kvm_hyp.h @@ -152,6 +152,13 @@ void __fpsimd_save_state(struct user_fpsimd_state *fp_regs); void __fpsimd_restore_state(struct user_fpsimd_state *fp_regs); bool __fpsimd_enabled(void); +void __ptrauth_switch_to_guest(struct kvm_vcpu *vcpu, + struct kvm_cpu_context *host_ctxt, + struct kvm_cpu_context *guest_ctxt); +void __ptrauth_switch_to_host(struct kvm_vcpu *vcpu, + struct kvm_cpu_context *host_ctxt, + struct kvm_cpu_context *guest_ctxt); + u64 __guest_enter(struct kvm_vcpu *vcpu, struct kvm_cpu_context *host_ctxt); void __noreturn __hyp_do_panic(unsigned long, ...); diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c index b71247995469..d9aff3c86551 100644 --- a/arch/arm64/kvm/handle_exit.c +++ b/arch/arm64/kvm/handle_exit.c @@ -136,6 +136,26 @@ static int kvm_handle_guest_debug(struct kvm_vcpu *vcpu, struct kvm_run *run) return ret; } +/* + * Handle the guest trying to use a ptrauth instruction, or trying to access a + * ptrauth register. + */ +void kvm_arm_vcpu_ptrauth_trap(struct kvm_vcpu *vcpu) +{ + if (cpus_have_const_cap(ARM64_HAS_ADDRESS_AUTH) || + cpus_have_const_cap(ARM64_HAS_GENERIC_AUTH)) { + kvm_arm_vcpu_ptrauth_enable(vcpu); + } else { + kvm_inject_undefined(vcpu); + } +} + +static int kvm_handle_ptrauth(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + kvm_arm_vcpu_ptrauth_trap(vcpu); + return 1; +} + static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run) { u32 hsr = kvm_vcpu_get_hsr(vcpu); @@ -176,6 +196,7 @@ static exit_handle_fn arm_exit_handlers[] = { [ESR_ELx_EC_BKPT32] = kvm_handle_guest_debug, [ESR_ELx_EC_BRK64] = kvm_handle_guest_debug, [ESR_ELx_EC_FP_ASIMD] = handle_no_fpsimd, + [ESR_ELx_EC_PAC] = kvm_handle_ptrauth, }; static exit_handle_fn kvm_get_exit_handler(struct kvm_vcpu *vcpu) diff --git a/arch/arm64/kvm/hyp/Makefile b/arch/arm64/kvm/hyp/Makefile index f04400d494b7..2c2c3bd90cc0 100644 --- a/arch/arm64/kvm/hyp/Makefile +++ b/arch/arm64/kvm/hyp/Makefile @@ -19,6 +19,7 @@ obj-$(CONFIG_KVM_ARM_HOST) += fpsimd.o obj-$(CONFIG_KVM_ARM_HOST) += tlb.o obj-$(CONFIG_KVM_ARM_HOST) += hyp-entry.o obj-$(CONFIG_KVM_ARM_HOST) += s2-setup.o +obj-$(CONFIG_KVM_ARM_HOST) += ptrauth-sr.o # KVM code is run at a different exception code with a different map, so # compiler instrumentation that inserts callbacks or checks into the code may diff --git a/arch/arm64/kvm/hyp/ptrauth-sr.c b/arch/arm64/kvm/hyp/ptrauth-sr.c new file mode 100644 index 000000000000..2784fb373296 --- /dev/null +++ b/arch/arm64/kvm/hyp/ptrauth-sr.c @@ -0,0 +1,91 @@ +/* + * Copyright (C) 2017 ARM Ltd + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include +#include + +#include +#include +#include +#include + +static bool __hyp_text __ptrauth_is_enabled(struct kvm_vcpu *vcpu) +{ + return vcpu->arch.hcr_el2 & (HCR_API | HCR_APK); +} + +#define __ptrauth_save_key(regs, key) \ +({ \ + regs[key ## KEYLO_EL1] = read_sysreg_s(SYS_ ## key ## KEYLO_EL1); \ + regs[key ## KEYHI_EL1] = read_sysreg_s(SYS_ ## key ## KEYHI_EL1); \ +}) + +static void __hyp_text __ptrauth_save_state(struct kvm_cpu_context *ctxt) +{ + if (cpus_have_const_cap(ARM64_HAS_ADDRESS_AUTH)) { + __ptrauth_save_key(ctxt->sys_regs, APIA); + __ptrauth_save_key(ctxt->sys_regs, APIB); + __ptrauth_save_key(ctxt->sys_regs, APDA); + __ptrauth_save_key(ctxt->sys_regs, APDB); + } + + if (cpus_have_const_cap(ARM64_HAS_GENERIC_AUTH)) { + __ptrauth_save_key(ctxt->sys_regs, APGA); + } +} + +#define __ptrauth_restore_key(regs, key) \ +({ \ + write_sysreg_s(regs[key ## KEYLO_EL1], SYS_ ## key ## KEYLO_EL1); \ + write_sysreg_s(regs[key ## KEYHI_EL1], SYS_ ## key ## KEYHI_EL1); \ +}) + +static void __hyp_text __ptrauth_restore_state(struct kvm_cpu_context *ctxt) +{ + + if (cpus_have_const_cap(ARM64_HAS_ADDRESS_AUTH)) { + __ptrauth_restore_key(ctxt->sys_regs, APIA); + __ptrauth_restore_key(ctxt->sys_regs, APIB); + __ptrauth_restore_key(ctxt->sys_regs, APDA); + __ptrauth_restore_key(ctxt->sys_regs, APDB); + } + + if (cpus_have_const_cap(ARM64_HAS_GENERIC_AUTH)) { + __ptrauth_restore_key(ctxt->sys_regs, APGA); + } +} + +void __hyp_text __ptrauth_switch_to_guest(struct kvm_vcpu *vcpu, + struct kvm_cpu_context *host_ctxt, + struct kvm_cpu_context *guest_ctxt) +{ + if (!__ptrauth_is_enabled(vcpu)) + return; + + __ptrauth_save_state(host_ctxt); + __ptrauth_restore_state(guest_ctxt); +} + +void __hyp_text __ptrauth_switch_to_host(struct kvm_vcpu *vcpu, + struct kvm_cpu_context *host_ctxt, + struct kvm_cpu_context *guest_ctxt) +{ + if (!__ptrauth_is_enabled(vcpu)) + return; + + __ptrauth_save_state(guest_ctxt); + __ptrauth_restore_state(host_ctxt); +} diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c index 2205f0be3ced..d9be2762ac1a 100644 --- a/arch/arm64/kvm/hyp/switch.c +++ b/arch/arm64/kvm/hyp/switch.c @@ -315,6 +315,8 @@ int __hyp_text __kvm_vcpu_run(struct kvm_vcpu *vcpu) __sysreg_restore_guest_state(guest_ctxt); __debug_restore_state(vcpu, kern_hyp_va(vcpu->arch.debug_ptr), guest_ctxt); + __ptrauth_switch_to_guest(vcpu, host_ctxt, guest_ctxt); + /* Jump in the fire! */ again: exit_code = __guest_enter(vcpu, host_ctxt); @@ -373,6 +375,8 @@ int __hyp_text __kvm_vcpu_run(struct kvm_vcpu *vcpu) fp_enabled = __fpsimd_enabled(); + __ptrauth_switch_to_host(vcpu, host_ctxt, guest_ctxt); + __sysreg_save_guest_state(guest_ctxt); __sysreg32_save_state(vcpu); __timer_disable_traps(vcpu); diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c index 1830ebc227d1..5fe3b2588bec 100644 --- a/arch/arm64/kvm/sys_regs.c +++ b/arch/arm64/kvm/sys_regs.c @@ -838,6 +838,32 @@ static bool access_pmuserenr(struct kvm_vcpu *vcpu, struct sys_reg_params *p, { SYS_DESC(SYS_PMEVTYPERn_EL0(n)), \ access_pmu_evtyper, reset_unknown, (PMEVTYPER0_EL0 + n), } + +void kvm_arm_vcpu_ptrauth_enable(struct kvm_vcpu *vcpu) +{ + vcpu->arch.hcr_el2 |= (HCR_API | HCR_APK); +} + +void kvm_arm_vcpu_ptrauth_disable(struct kvm_vcpu *vcpu) +{ + vcpu->arch.hcr_el2 &= ~(HCR_API | HCR_APK); +} + +static bool trap_ptrauth(struct kvm_vcpu *vcpu, + struct sys_reg_params *p, + const struct sys_reg_desc *rd) +{ + kvm_arm_vcpu_ptrauth_trap(vcpu); + return false; +} + +#define __PTRAUTH_KEY(k) \ + { SYS_DESC(SYS_## k), trap_ptrauth, reset_unknown, k } + +#define PTRAUTH_KEY(k) \ + __PTRAUTH_KEY(k ## KEYLO_EL1), \ + __PTRAUTH_KEY(k ## KEYHI_EL1) + static bool access_cntp_tval(struct kvm_vcpu *vcpu, struct sys_reg_params *p, const struct sys_reg_desc *r) @@ -1156,6 +1182,12 @@ static const struct sys_reg_desc sys_reg_descs[] = { { SYS_DESC(SYS_TTBR1_EL1), access_vm_reg, reset_unknown, TTBR1_EL1 }, { SYS_DESC(SYS_TCR_EL1), access_vm_reg, reset_val, TCR_EL1, 0 }, + PTRAUTH_KEY(APIA), + PTRAUTH_KEY(APIB), + PTRAUTH_KEY(APDA), + PTRAUTH_KEY(APDB), + PTRAUTH_KEY(APGA), + { SYS_DESC(SYS_AFSR0_EL1), access_vm_reg, reset_unknown, AFSR0_EL1 }, { SYS_DESC(SYS_AFSR1_EL1), access_vm_reg, reset_unknown, AFSR1_EL1 }, { SYS_DESC(SYS_ESR_EL1), access_vm_reg, reset_unknown, ESR_EL1 }, From patchwork Mon Nov 27 16:38:05 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119756 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp513417qgn; Mon, 27 Nov 2017 08:39:55 -0800 (PST) X-Google-Smtp-Source: AGs4zMbf0HxEXHRbMQbI+Am39MXwsJp5yXyaov/xEhigHM2bpm5C6UGlQj7Epm6hWoQBw2XF1krd X-Received: by 10.98.194.71 with SMTP id l68mr20093501pfg.221.1511800795124; Mon, 27 Nov 2017 08:39:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800795; cv=none; d=google.com; s=arc-20160816; b=pP2lfHwv14QV4UnKuoOW1nN1uEmq23g40mgcxXPwKzLacn8nhxF7WG5FkFABg6CywV TcGzVA7WF9VTG+YVorRjLq0OWr7ioti0TCbOlJjH3uq76NBdMVNuXCld0bidBa+HZ0bt ZQYBJWHdJCUW6CvmWE75xXtNQDdoFy+5T4U6uabTUl0um0YkoZQITxw1dM8EzOSZ1wgw 3S+TKE0R3AeIsm1FpsStPpSDb2gRg90vn5bIRg5nGmWuG388M+CmrLKXa3gf0H4bKYpJ sm0R4y5Fl0vuXzz4J2LVOh7WYLB17VM+HqRmWLKPXL6jx/OnEV4/HEvb+oT1RZAUFxjv B06A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=Lx2xWOUeQTEWwusv4B5CnGmYDzEloMh4oynebLllv/U=; b=eLdemVLFio0DQgRNfTnFx6jN856Glv2extP+3iX6Wu+nm+gJk9gGpu52qm4QfgdLjM AQpafuJVo6adfo8c8fFNjM1DULmEvXvv167XDfeaPvgl+qtvYE+22XBk28Oux7iIworT lsr1u5wDOhkZFMNDR5Q6NSlS1n1sUQxkWTw4CmIep6H1tY+UGeaYiZaUTfsszxx7akwX qmGSXVtWc8nMnEKu3xdvwtyyKecCM8KlEzrzgMUp2bOWn2bAef4RxhYLapZSqowqTdb5 Y5RuxLO6kMoWJcvyjW3Laoap0BJRRkovGmHA4J/P5N8r5IxsIH7hW3nvPCFszK/j9YZo 311w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1si24438102plq.36.2017.11.27.08.39.54; Mon, 27 Nov 2017 08:39:55 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932164AbdK0Qjx (ORCPT + 28 others); Mon, 27 Nov 2017 11:39:53 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:40262 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932136AbdK0Qj3 (ORCPT ); Mon, 27 Nov 2017 11:39:29 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 90554164F; Mon, 27 Nov 2017 08:39:29 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 075F03F246; Mon, 27 Nov 2017 08:39:26 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 11/12] arm64: enable pointer authentication Date: Mon, 27 Nov 2017 16:38:05 +0000 Message-Id: <20171127163806.31435-12-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Now that all the necessary bits are in place for userspace / KVM guest pointer authentication, add the necessary Kconfig logic to allow this to be enabled. Cc: Catalin Marinas Cc: Will Deacon --- arch/arm64/Kconfig | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) -- 2.11.0 diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index a93339f5178f..f7cb4ca8a6fc 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1013,6 +1013,29 @@ config ARM64_PMEM endmenu +menu "ARMv8.3 architectural features" + +config ARM64_POINTER_AUTHENTICATION + bool "Enable support for pointer authentication" + default y + help + Pointer authentication (part of the ARMv8.3 Extensions) provides + instructions for signing and authenticating pointers against secret + keys, which can be used to mitigate Return Oriented Programming (ROP) + and other attacks. + + This option enables these instructions at EL0 (i.e. for userspace). + + Choosing this option will cause the kernel to initialise secret keys + for each process at exec() time, with these keys being + context-switched along with the process. + + The feature is detected at runtime. If the feature is not present in + hardware it will not be advertised to userspace nor will it be + enabled. + +endmenu + config ARM64_SVE bool "ARM Scalable Vector Extension support" default y From patchwork Mon Nov 27 16:38:06 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 119755 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp513090qgn; Mon, 27 Nov 2017 08:39:38 -0800 (PST) X-Google-Smtp-Source: AGs4zMZlKFKD4uoaPLL2vJMcO0RhfEOsWiqLuy20r+uOYJzq9P5DhbtVtmHj18MCOfy2z1YNYSTA X-Received: by 10.99.95.22 with SMTP id t22mr36864435pgb.195.1511800778595; Mon, 27 Nov 2017 08:39:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511800778; cv=none; d=google.com; s=arc-20160816; b=I/xIiTNq3wpZAIEiyVJ6WGBPFhvQXJ4lASZ1yXo7r8iPiEs+LdYzycT5k5Fp6intyu Dvmz1XsAAn+FXY3rXpf94cR1MWjJVF/RoDpNPsn3ezXj44GtnZKStZF7mRzR1GXvxmNc nz5tb406YdRBWnpQRsgQ99CmaaAENNw/0Zf3VXkIHnks+zWvRbriBzKHmsXcAqyW8H19 1TBMFcFeFa1DsP6kgLx3IMe8By9Yi48tZX7CrzIvAWQf6cJziUgvMM2FNRgWQxQbrtBR EZgGokbFDZT8Ph4h05kfiYw4RY0ugSbXHg54yaCtNrXKFBQ+ksbZRv2+jzatbEvbCKFt lGNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=ifdq7975RkFDMeBdfnCEr637OPj4Xduc75VsliUWxyU=; b=xxI0+faMZC6/ERDOFyr4J+8gDTISMthwt0kasJjo/myg4d3QD3L7oS3EwYl4zYLUhy 2mQXZbB5QSHkvCmrFJSORRgGLJgSpAumueLGTrevKEMZvBmNYSG8jQf86yBw/TYlA47N N2N7Rwq1vYpXxqz6em48YZLEKAIGINypne6t5FXj/RjhHhY0UqNmT+9Zx/sLoTjdmHbS ZiXGk/Lvpn+39rBLiS7r2kQ01mjS9I+YUqrMFC8KWZ00OoqPndWA5EWf285i53pvhoFh 5wRQ1VLcPp9KSOTRZCC6Lr3bMMCiqFTbeqyIoZ1v/fsnYNboQyhhyqan6wj5qFZS8CMx sRgQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q77si25496148pfq.94.2017.11.27.08.39.38; Mon, 27 Nov 2017 08:39:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753718AbdK0Qjg (ORCPT + 28 others); Mon, 27 Nov 2017 11:39:36 -0500 Received: from foss.arm.com ([217.140.101.70]:40282 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753297AbdK0Qjd (ORCPT ); Mon, 27 Nov 2017 11:39:33 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 11A3E165D; Mon, 27 Nov 2017 08:39:33 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 6AD8A3F246; Mon, 27 Nov 2017 08:39:30 -0800 (PST) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: arnd@arndb.de, catalin.marinas@arm.com, cdall@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arch@vger.kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com, suzuki.poulose@arm.com, will.deacon@arm.com, yao.qi@arm.com, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, awallis@codeaurora.org Subject: [PATCHv2 12/12] arm64: docs: document pointer authentication Date: Mon, 27 Nov 2017 16:38:06 +0000 Message-Id: <20171127163806.31435-13-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171127163806.31435-1-mark.rutland@arm.com> References: <20171127163806.31435-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Now that we've added code to support pointer authentication, add some documentation so that people can figure out if/how to use it. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Will Deacon Cc: Yao Qi --- Documentation/arm64/booting.txt | 8 +++ Documentation/arm64/elf_hwcaps.txt | 6 ++ Documentation/arm64/pointer-authentication.txt | 85 ++++++++++++++++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 Documentation/arm64/pointer-authentication.txt -- 2.11.0 diff --git a/Documentation/arm64/booting.txt b/Documentation/arm64/booting.txt index 8d0df62c3fe0..8df9f4658d6f 100644 --- a/Documentation/arm64/booting.txt +++ b/Documentation/arm64/booting.txt @@ -205,6 +205,14 @@ Before jumping into the kernel, the following conditions must be met: ICC_SRE_EL2.SRE (bit 0) must be initialised to 0b0. - The DT or ACPI tables must describe a GICv2 interrupt controller. + For CPUs with pointer authentication functionality: + - If EL3 is present: + SCR_EL3.APK (bit 16) must be initialised to 0b1 + SCR_EL3.API (bit 17) must be initialised to 0b1 + - If the kernel is entered at EL1: + HCR_EL2.APK (bit 40) must be initialised to 0b1 + HCR_EL2.API (bit 41) must be initialised to 0b1 + The requirements described above for CPU mode, caches, MMUs, architected timers, coherency and system registers apply to all CPUs. All CPUs must enter the kernel in the same exception level. diff --git a/Documentation/arm64/elf_hwcaps.txt b/Documentation/arm64/elf_hwcaps.txt index 89edba12a9e0..6cf40e419a9d 100644 --- a/Documentation/arm64/elf_hwcaps.txt +++ b/Documentation/arm64/elf_hwcaps.txt @@ -158,3 +158,9 @@ HWCAP_SHA512 HWCAP_SVE Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001. + +HWCAP_APIA + + EL0 AddPac and Auth functionality using APIAKey_EL1 is enabled, as + described by Documentation/arm64/pointer-authentication.txt. + diff --git a/Documentation/arm64/pointer-authentication.txt b/Documentation/arm64/pointer-authentication.txt new file mode 100644 index 000000000000..e9b5c6bdb84f --- /dev/null +++ b/Documentation/arm64/pointer-authentication.txt @@ -0,0 +1,85 @@ +Pointer authentication in AArch64 Linux +======================================= + +Author: Mark Rutland +Date: 2017-07-19 + +This document briefly describes the provision of pointer authentication +functionality in AArch64 Linux. + + +Architecture overview +--------------------- + +The ARMv8.3 Pointer Authentication extension adds primitives that can be +used to mitigate certain classes of attack where an attacker can corrupt +the contents of some memory (e.g. the stack). + +The extension uses a Pointer Authentication Code (PAC) to determine +whether pointers have been modified unexpectedly. A PAC is derived from +a pointer, another value (such as the stack pointer), and a secret key +held in system registers. + +The extension adds instructions to insert a valid PAC into a pointer, +and to verify/remove the PAC from a pointer. The PAC occupies a number +of high-order bits of the pointer, which varies dependent on the +configured virtual address size and whether pointer tagging is in use. + +A subset of these instructions have been allocated from the HINT +encoding space. In the absence of the extension (or when disabled), +these instructions behave as NOPs. Applications and libraries using +these instructions operate correctly regardless of the presence of the +extension. + + +Basic support +------------- + +When CONFIG_ARM64_POINTER_AUTHENTICATION is selected, and relevant HW +support is present, the kernel will assign a random APIAKey value to +each process at exec*() time. This key is shared by all threads within +the process, and the key is preserved across fork(). Presence of +functionality using APIAKey is advertised via HWCAP_APIA. + +Recent versions of GCC can compile code with APIAKey-based return +address protection when passed the -msign-return-address option. This +uses instructions in the HINT space, and such code can run on systems +without the pointer authentication extension. + +The remaining instruction and data keys (APIBKey, APDAKey, APDBKey) are +reserved for future use, and instructions using these keys must not be +used by software until a purpose and scope for their use has been +decided. To enable future software using these keys to function on +contemporary kernels, where possible, instructions using these keys are +made to behave as NOPs. + +The generic key (APGAKey) is currently unsupported. Instructions using +the generic key must not be used by software. + + +Debugging +--------- + +When CONFIG_ARM64_POINTER_AUTHENTICATION is selected, and relevant HW +support is present, the kernel will expose the position of TTBR0 PAC +bits in the NT_ARM_PAC_MASK regset (struct user_pac_mask), which +userspace can acqure via PTRACE_GETREGSET. + +Separate masks are exposed for data pointers and instruction pointers, +as the set of PAC bits can vary between the two. Debuggers should not +expect that HWCAP_APIA implies the presence (or non-presence) of this +regset -- in future the kernel may support the use of APIBKey, APDAKey, +and/or APBAKey, even in the absence of APIAKey. + +Note that the masks apply to TTBR0 addresses, and are not valid to apply +to TTBR1 addresses (e.g. kernel pointers). + + +Virtualization +-------------- + +When CONFIG_ARM64_POINTER_AUTHENTICATION is selected, and uniform HW +support is present, KVM will context switch all keys used by vCPUs. +Otherwise, the feature is disabled. When disabled, accesses to keys, or +use of instructions enabled within the guest will trap to EL2, and an +UNDEFINED exception will be injected into the guest.