From: David Long <dave.long@linaro.org>
To: <stable@vger.kernel.org>,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Florian Fainelli <f.fainelli@gmail.com>,
Tony Lindgren <tony@atomide.com>,
Marc Zyngier <marc.zyngier@arm.com>,
Mark Rutland <mark.rutland@arm.com>
Cc: Greg KH <gregkh@linuxfoundation.org>, Mark Brown <broonie@kernel.org>
Subject: [PATCH 4.14 08/24] ARM: spectre-v2: harden user aborts in kernel space
Date: Mon, 15 Oct 2018 11:32:02 -0400 [thread overview]
Message-ID: <1539617538-22328-9-git-send-email-dave.long@linaro.org> (raw)
In-Reply-To: <1539617538-22328-1-git-send-email-dave.long@linaro.org>
From: Russell King <rmk+kernel@armlinux.org.uk>
Commit f5fe12b1eaee220ce62ff9afb8b90929c396595f upstream.
In order to prevent aliasing attacks on the branch predictor,
invalidate the BTB or instruction cache on CPUs that are known to be
affected when taking an abort on a address that is outside of a user
task limit:
Cortex A8, A9, A12, A17, A73, A75: flush BTB.
Cortex A15, Brahma B15: invalidate icache.
If the IBE bit is not set, then there is little point to enabling the
workaround.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Boot-tested-by: Tony Lindgren <tony@atomide.com>
Reviewed-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: David A. Long <dave.long@linaro.org>
---
arch/arm/include/asm/cp15.h | 3 ++
arch/arm/include/asm/system_misc.h | 15 ++++++++
arch/arm/mm/fault.c | 3 ++
arch/arm/mm/proc-v7-bugs.c | 73 +++++++++++++++++++++++++++++++++++---
arch/arm/mm/proc-v7.S | 8 +++--
5 files changed, 94 insertions(+), 8 deletions(-)
diff --git a/arch/arm/include/asm/cp15.h b/arch/arm/include/asm/cp15.h
index 4c9fa72..07e27f2 100644
--- a/arch/arm/include/asm/cp15.h
+++ b/arch/arm/include/asm/cp15.h
@@ -65,6 +65,9 @@
#define __write_sysreg(v, r, w, c, t) asm volatile(w " " c : : "r" ((t)(v)))
#define write_sysreg(v, ...) __write_sysreg(v, __VA_ARGS__)
+#define BPIALL __ACCESS_CP15(c7, 0, c5, 6)
+#define ICIALLU __ACCESS_CP15(c7, 0, c5, 0)
+
extern unsigned long cr_alignment; /* defined in entry-armv.S */
static inline unsigned long get_cr(void)
diff --git a/arch/arm/include/asm/system_misc.h b/arch/arm/include/asm/system_misc.h
index 78f6db1..8e76db8 100644
--- a/arch/arm/include/asm/system_misc.h
+++ b/arch/arm/include/asm/system_misc.h
@@ -8,6 +8,7 @@
#include <linux/linkage.h>
#include <linux/irqflags.h>
#include <linux/reboot.h>
+#include <linux/percpu.h>
extern void cpu_init(void);
@@ -15,6 +16,20 @@ void soft_restart(unsigned long);
extern void (*arm_pm_restart)(enum reboot_mode reboot_mode, const char *cmd);
extern void (*arm_pm_idle)(void);
+#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
+typedef void (*harden_branch_predictor_fn_t)(void);
+DECLARE_PER_CPU(harden_branch_predictor_fn_t, harden_branch_predictor_fn);
+static inline void harden_branch_predictor(void)
+{
+ harden_branch_predictor_fn_t fn = per_cpu(harden_branch_predictor_fn,
+ smp_processor_id());
+ if (fn)
+ fn();
+}
+#else
+#define harden_branch_predictor() do { } while (0)
+#endif
+
#define UDBG_UNDEFINED (1 << 0)
#define UDBG_SYSCALL (1 << 1)
#define UDBG_BADABORT (1 << 2)
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 42f5853..49b1b80 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -164,6 +164,9 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr,
{
struct siginfo si;
+ if (addr > TASK_SIZE)
+ harden_branch_predictor();
+
#ifdef CONFIG_DEBUG_USER
if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
((user_debug & UDBG_BUS) && (sig == SIGBUS))) {
diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c
index e46557d..85a2e3d 100644
--- a/arch/arm/mm/proc-v7-bugs.c
+++ b/arch/arm/mm/proc-v7-bugs.c
@@ -2,7 +2,61 @@
#include <linux/kernel.h>
#include <linux/smp.h>
-static __maybe_unused void cpu_v7_check_auxcr_set(bool *warned,
+#include <asm/cp15.h>
+#include <asm/cputype.h>
+#include <asm/system_misc.h>
+
+#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
+DEFINE_PER_CPU(harden_branch_predictor_fn_t, harden_branch_predictor_fn);
+
+static void harden_branch_predictor_bpiall(void)
+{
+ write_sysreg(0, BPIALL);
+}
+
+static void harden_branch_predictor_iciallu(void)
+{
+ write_sysreg(0, ICIALLU);
+}
+
+static void cpu_v7_spectre_init(void)
+{
+ const char *spectre_v2_method = NULL;
+ int cpu = smp_processor_id();
+
+ if (per_cpu(harden_branch_predictor_fn, cpu))
+ return;
+
+ switch (read_cpuid_part()) {
+ case ARM_CPU_PART_CORTEX_A8:
+ case ARM_CPU_PART_CORTEX_A9:
+ case ARM_CPU_PART_CORTEX_A12:
+ case ARM_CPU_PART_CORTEX_A17:
+ case ARM_CPU_PART_CORTEX_A73:
+ case ARM_CPU_PART_CORTEX_A75:
+ per_cpu(harden_branch_predictor_fn, cpu) =
+ harden_branch_predictor_bpiall;
+ spectre_v2_method = "BPIALL";
+ break;
+
+ case ARM_CPU_PART_CORTEX_A15:
+ case ARM_CPU_PART_BRAHMA_B15:
+ per_cpu(harden_branch_predictor_fn, cpu) =
+ harden_branch_predictor_iciallu;
+ spectre_v2_method = "ICIALLU";
+ break;
+ }
+ if (spectre_v2_method)
+ pr_info("CPU%u: Spectre v2: using %s workaround\n",
+ smp_processor_id(), spectre_v2_method);
+}
+#else
+static void cpu_v7_spectre_init(void)
+{
+}
+#endif
+
+static __maybe_unused bool cpu_v7_check_auxcr_set(bool *warned,
u32 mask, const char *msg)
{
u32 aux_cr;
@@ -13,24 +67,33 @@ static __maybe_unused void cpu_v7_check_auxcr_set(bool *warned,
if (!*warned)
pr_err("CPU%u: %s", smp_processor_id(), msg);
*warned = true;
+ return false;
}
+ return true;
}
static DEFINE_PER_CPU(bool, spectre_warned);
-static void check_spectre_auxcr(bool *warned, u32 bit)
+static bool check_spectre_auxcr(bool *warned, u32 bit)
{
- if (IS_ENABLED(CONFIG_HARDEN_BRANCH_PREDICTOR) &&
+ return IS_ENABLED(CONFIG_HARDEN_BRANCH_PREDICTOR) &&
cpu_v7_check_auxcr_set(warned, bit,
"Spectre v2: firmware did not set auxiliary control register IBE bit, system vulnerable\n");
}
void cpu_v7_ca8_ibe(void)
{
- check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(6));
+ if (check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(6)))
+ cpu_v7_spectre_init();
}
void cpu_v7_ca15_ibe(void)
{
- check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(0));
+ if (check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(0)))
+ cpu_v7_spectre_init();
+}
+
+void cpu_v7_bugs_init(void)
+{
+ cpu_v7_spectre_init();
}
diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S
index 14cb0db..562bcf2 100644
--- a/arch/arm/mm/proc-v7.S
+++ b/arch/arm/mm/proc-v7.S
@@ -532,8 +532,10 @@ __v7_setup_stack:
__INITDATA
+ .weak cpu_v7_bugs_init
+
@ define struct processor (see <asm/proc-fns.h> and proc-macros.S)
- define_processor_functions v7, dabort=v7_early_abort, pabort=v7_pabort, suspend=1
+ define_processor_functions v7, dabort=v7_early_abort, pabort=v7_pabort, suspend=1, bugs=cpu_v7_bugs_init
#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
@ generic v7 bpiall on context switch
@@ -548,7 +550,7 @@ __v7_setup_stack:
globl_equ cpu_v7_bpiall_do_suspend, cpu_v7_do_suspend
globl_equ cpu_v7_bpiall_do_resume, cpu_v7_do_resume
#endif
- define_processor_functions v7_bpiall, dabort=v7_early_abort, pabort=v7_pabort, suspend=1
+ define_processor_functions v7_bpiall, dabort=v7_early_abort, pabort=v7_pabort, suspend=1, bugs=cpu_v7_bugs_init
#define HARDENED_BPIALL_PROCESSOR_FUNCTIONS v7_bpiall_processor_functions
#else
@@ -584,7 +586,7 @@ __v7_setup_stack:
globl_equ cpu_ca9mp_switch_mm, cpu_v7_switch_mm
#endif
globl_equ cpu_ca9mp_set_pte_ext, cpu_v7_set_pte_ext
- define_processor_functions ca9mp, dabort=v7_early_abort, pabort=v7_pabort, suspend=1
+ define_processor_functions ca9mp, dabort=v7_early_abort, pabort=v7_pabort, suspend=1, bugs=cpu_v7_bugs_init
#endif
@ Cortex-A15 - needs iciallu switch_mm for hardening
--
2.5.0
next prev parent reply other threads:[~2018-10-15 23:18 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-15 15:31 [PATCH 4.14 00/24] V4.14 backport of 32-bit arm spectre patches David Long
2018-10-15 15:31 ` [PATCH 4.14 01/24] ARM: add more CPU part numbers for Cortex and Brahma B15 CPUs David Long
2018-10-15 15:31 ` [PATCH 4.14 02/24] ARM: bugs: prepare processor bug infrastructure David Long
2018-10-15 15:31 ` [PATCH 4.14 03/24] ARM: bugs: hook processor bug checking into SMP and suspend paths David Long
2018-10-15 15:31 ` [PATCH 4.14 04/24] ARM: bugs: add support for per-processor bug checking David Long
2018-10-15 15:31 ` [PATCH 4.14 05/24] ARM: spectre: add Kconfig symbol for CPUs vulnerable to Spectre David Long
2018-10-15 15:32 ` [PATCH 4.14 06/24] ARM: spectre-v2: harden branch predictor on context switches David Long
2018-10-15 15:32 ` [PATCH 4.14 07/24] ARM: spectre-v2: add Cortex A8 and A15 validation of the IBE bit David Long
2018-10-15 15:32 ` David Long [this message]
2018-10-15 15:32 ` [PATCH 4.14 09/24] ARM: spectre-v2: add firmware based hardening David Long
2018-10-15 15:32 ` [PATCH 4.14 10/24] ARM: spectre-v2: warn about incorrect context switching functions David Long
2018-10-15 15:32 ` [PATCH 4.14 11/24] ARM: KVM: invalidate BTB on guest exit for Cortex-A12/A17 David Long
2018-10-15 15:32 ` [PATCH 4.14 12/24] ARM: KVM: invalidate icache on guest exit for Cortex-A15 David Long
2018-10-15 15:32 ` [PATCH 4.14 13/24] ARM: spectre-v2: KVM: invalidate icache on guest exit for Brahma B15 David Long
2018-10-15 15:32 ` [PATCH 4.14 14/24] ARM: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling David Long
2018-10-15 15:32 ` [PATCH 4.14 15/24] ARM: KVM: report support for SMCCC_ARCH_WORKAROUND_1 David Long
2018-10-15 15:32 ` [PATCH 4.14 16/24] ARM: spectre-v1: add speculation barrier (csdb) macros David Long
2018-10-15 15:32 ` [PATCH 4.14 17/24] ARM: spectre-v1: add array_index_mask_nospec() implementation David Long
2018-10-15 15:32 ` [PATCH 4.14 18/24] ARM: spectre-v1: fix syscall entry David Long
2018-10-15 15:32 ` [PATCH 4.14 19/24] ARM: signal: copy registers using __copy_from_user() David Long
2018-10-15 15:32 ` [PATCH 4.14 20/24] ARM: vfp: use __copy_from_user() when restoring VFP state David Long
2018-10-15 15:32 ` [PATCH 4.14 21/24] ARM: oabi-compat: copy semops using __copy_from_user() David Long
2018-10-15 15:32 ` [PATCH 4.14 22/24] ARM: use __inttype() in get_user() David Long
2018-10-15 15:32 ` [PATCH 4.14 23/24] ARM: spectre-v1: use get_user() for __get_user() David Long
2018-10-15 15:32 ` [PATCH 4.14 24/24] ARM: spectre-v1: mitigate user accesses David Long
2018-10-16 16:10 ` [PATCH 4.14 00/24] V4.14 backport of 32-bit arm spectre patches Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1539617538-22328-9-git-send-email-dave.long@linaro.org \
--to=dave.long@linaro.org \
--cc=broonie@kernel.org \
--cc=f.fainelli@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux@armlinux.org.uk \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
--cc=stable@vger.kernel.org \
--cc=tony@atomide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.