From: Dave Martin <Dave.Martin@arm.com> To: Suzuki K Poulose <suzuki.poulose@arm.com> Cc: linux-arm-kernel@lists.infradead.org, mark.rutland@arm.com, ckadabi@codeaurora.org, ard.biesheuvel@linaro.org, marc.zyngier@arm.com, catalin.marinas@arm.com, will.deacon@arm.com, linux-kernel@vger.kernel.org, jnair@caviumnetworks.com, dave.martin@arm.com Subject: Re: [PATCH v2 17/20] arm64: bp hardening: Allow late CPUs to enable work around Date: Wed, 7 Feb 2018 10:39:42 +0000 [thread overview] Message-ID: <20180207103942.GH5862@e103592.cambridge.arm.com> (raw) In-Reply-To: <20180131182807.32134-18-suzuki.poulose@arm.com> On Wed, Jan 31, 2018 at 06:28:04PM +0000, Suzuki K Poulose wrote: > We defend against branch predictor training based exploits by > taking specific actions (based on the CPU model) to invalidate > the Branch predictor buffer (BPB). This is implemented by per-CPU > ptr, which installs the specific actions for the CPU model. > > The core code can handle the following cases where: > 1) some CPUs doesn't need any work around > 2) a CPU can install the work around, when it is brought up, > irrespective of how late that happens. > > This concludes that it is safe to bring up a CPU which requires > bp hardening defense. However, with the current settings, we > reject a late CPU, if none of the active CPUs didn't need it. Should this be "[...] reject a late CPU that needs the defense, if none of the active CPUs needed it." ? > > This patch solves issue by changing the flags for the capability > to indicate that it is safe for a late CPU to turn up with the > capability. This is not sufficient to get things working, as > we cannot change the system wide state of the capability established > at the kernel boot. So, we "set" the capability unconditionally > and make sure that the call backs are only installed for those > CPUs which actually needs them. This is done by adding a dummy > entry at the end of the list of shared entries, which : > a) Always returns true for matches, to ensure we turn this on. > b) has an empty "cpu_enable" call back, so that we don't take > any action on the CPUs which weren't matched with the real > entries. > > Cc: Marc Zyngier <marc.zyngier@arm.com> > Cc: Will Deacon <will.deacon@arm.com> > Cc: Dave Martin <dave.martin@arm.com> > Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> > --- > arch/arm64/include/asm/cpufeature.h | 10 ++++++++++ > arch/arm64/kernel/cpu_errata.c | 19 ++++++++++++++++++- > 2 files changed, 28 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h > index b73247c27f00..262fa213b1b1 100644 > --- a/arch/arm64/include/asm/cpufeature.h > +++ b/arch/arm64/include/asm/cpufeature.h > @@ -252,6 +252,16 @@ extern struct arm64_ftr_reg arm64_ftr_reg_ctrel0; > ARM64_CPUCAP_OPTIONAL_FOR_LATE_CPU | \ > ARM64_CPUCAP_PERMITTED_FOR_LATE_CPU) > > +/* > + * CPU errata work around detected at boot time based on one or more CPUs. > + * All conflicts are ignored. This implies any work around shouldn't > + * depend when a CPU could be brought up. > + */ > +#define ARM64_CPUCAP_WEAK_LOCAL_CPU_ERRATUM \ > + (ARM64_CPUCAP_SCOPE_LOCAL_CPU | \ > + ARM64_CPUCAP_OPTIONAL_FOR_LATE_CPU | \ > + ARM64_CPUCAP_PERMITTED_FOR_LATE_CPU) > + > /* > * CPU feature detected at boot time, on one or more CPUs. A late CPU > * is not allowed to have the capability when the system doesn't have it. > diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c > index b4f1c1c1f8ca..7f714a628480 100644 > --- a/arch/arm64/kernel/cpu_errata.c > +++ b/arch/arm64/kernel/cpu_errata.c > @@ -259,6 +259,12 @@ static const struct midr_range arm64_bp_harden_psci_cpus[] = { > {}, > }; > > +static bool bp_hardening_always_on(const struct arm64_cpu_capabilities *cap, > + int scope) > +{ > + return true; > +} > + > static const struct arm64_cpu_capabilities arm64_bp_harden_list[] = { > { > CAP_MIDR_RANGE_LIST(arm64_bp_harden_psci_cpus), > @@ -268,6 +274,17 @@ static const struct arm64_cpu_capabilities arm64_bp_harden_list[] = { > CAP_MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR_V1), > .cpu_enable = qcom_enable_link_stack_sanitization, > }, > + /* > + * Always enable the capability to make sure a late CPU can > + * safely use the BP hardening call backs. Since we use per-CPU > + * pointers for the call backs, the work around only affects the > + * CPUs which have some methods installed by any real matching entries > + * above. As such we don't have any specific cpu_enable() callback > + * for this entry, as it is just to make sure we always "detect" it. > + */ > + { > + .matches = bp_hardening_always_on, This function could simply be called "always_on", since it expresses something entirely generic and is static. > + }, This feels like a bit of a hack: really there is no global on/off state for a cap like this: it's truly independent for each cpu. OTOH, your code does achieve that, and the comment gives a good explanation. The alternative would be to add a cap type flag to indicate that this cap is purely CPU-local, but it may not be worth it at this stage. [...] Cheers ---Dave
WARNING: multiple messages have this Message-ID (diff)
From: Dave.Martin@arm.com (Dave Martin) To: linux-arm-kernel@lists.infradead.org Subject: [PATCH v2 17/20] arm64: bp hardening: Allow late CPUs to enable work around Date: Wed, 7 Feb 2018 10:39:42 +0000 [thread overview] Message-ID: <20180207103942.GH5862@e103592.cambridge.arm.com> (raw) In-Reply-To: <20180131182807.32134-18-suzuki.poulose@arm.com> On Wed, Jan 31, 2018 at 06:28:04PM +0000, Suzuki K Poulose wrote: > We defend against branch predictor training based exploits by > taking specific actions (based on the CPU model) to invalidate > the Branch predictor buffer (BPB). This is implemented by per-CPU > ptr, which installs the specific actions for the CPU model. > > The core code can handle the following cases where: > 1) some CPUs doesn't need any work around > 2) a CPU can install the work around, when it is brought up, > irrespective of how late that happens. > > This concludes that it is safe to bring up a CPU which requires > bp hardening defense. However, with the current settings, we > reject a late CPU, if none of the active CPUs didn't need it. Should this be "[...] reject a late CPU that needs the defense, if none of the active CPUs needed it." ? > > This patch solves issue by changing the flags for the capability > to indicate that it is safe for a late CPU to turn up with the > capability. This is not sufficient to get things working, as > we cannot change the system wide state of the capability established > at the kernel boot. So, we "set" the capability unconditionally > and make sure that the call backs are only installed for those > CPUs which actually needs them. This is done by adding a dummy > entry at the end of the list of shared entries, which : > a) Always returns true for matches, to ensure we turn this on. > b) has an empty "cpu_enable" call back, so that we don't take > any action on the CPUs which weren't matched with the real > entries. > > Cc: Marc Zyngier <marc.zyngier@arm.com> > Cc: Will Deacon <will.deacon@arm.com> > Cc: Dave Martin <dave.martin@arm.com> > Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> > --- > arch/arm64/include/asm/cpufeature.h | 10 ++++++++++ > arch/arm64/kernel/cpu_errata.c | 19 ++++++++++++++++++- > 2 files changed, 28 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h > index b73247c27f00..262fa213b1b1 100644 > --- a/arch/arm64/include/asm/cpufeature.h > +++ b/arch/arm64/include/asm/cpufeature.h > @@ -252,6 +252,16 @@ extern struct arm64_ftr_reg arm64_ftr_reg_ctrel0; > ARM64_CPUCAP_OPTIONAL_FOR_LATE_CPU | \ > ARM64_CPUCAP_PERMITTED_FOR_LATE_CPU) > > +/* > + * CPU errata work around detected at boot time based on one or more CPUs. > + * All conflicts are ignored. This implies any work around shouldn't > + * depend when a CPU could be brought up. > + */ > +#define ARM64_CPUCAP_WEAK_LOCAL_CPU_ERRATUM \ > + (ARM64_CPUCAP_SCOPE_LOCAL_CPU | \ > + ARM64_CPUCAP_OPTIONAL_FOR_LATE_CPU | \ > + ARM64_CPUCAP_PERMITTED_FOR_LATE_CPU) > + > /* > * CPU feature detected at boot time, on one or more CPUs. A late CPU > * is not allowed to have the capability when the system doesn't have it. > diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c > index b4f1c1c1f8ca..7f714a628480 100644 > --- a/arch/arm64/kernel/cpu_errata.c > +++ b/arch/arm64/kernel/cpu_errata.c > @@ -259,6 +259,12 @@ static const struct midr_range arm64_bp_harden_psci_cpus[] = { > {}, > }; > > +static bool bp_hardening_always_on(const struct arm64_cpu_capabilities *cap, > + int scope) > +{ > + return true; > +} > + > static const struct arm64_cpu_capabilities arm64_bp_harden_list[] = { > { > CAP_MIDR_RANGE_LIST(arm64_bp_harden_psci_cpus), > @@ -268,6 +274,17 @@ static const struct arm64_cpu_capabilities arm64_bp_harden_list[] = { > CAP_MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR_V1), > .cpu_enable = qcom_enable_link_stack_sanitization, > }, > + /* > + * Always enable the capability to make sure a late CPU can > + * safely use the BP hardening call backs. Since we use per-CPU > + * pointers for the call backs, the work around only affects the > + * CPUs which have some methods installed by any real matching entries > + * above. As such we don't have any specific cpu_enable() callback > + * for this entry, as it is just to make sure we always "detect" it. > + */ > + { > + .matches = bp_hardening_always_on, This function could simply be called "always_on", since it expresses something entirely generic and is static. > + }, This feels like a bit of a hack: really there is no global on/off state for a cap like this: it's truly independent for each cpu. OTOH, your code does achieve that, and the comment gives a good explanation. The alternative would be to add a cap type flag to indicate that this cap is purely CPU-local, but it may not be worth it at this stage. [...] Cheers ---Dave
next prev parent reply other threads:[~2018-02-07 10:39 UTC|newest] Thread overview: 156+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-01-31 18:27 [PATCH v2 00/20] arm64: Rework cpu capabilities handling Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-01-31 18:27 ` [PATCH v2 01/20] arm64: capabilities: Update prototype for enable call back Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:37 ` Dave Martin 2018-02-07 10:37 ` Dave Martin 2018-02-07 11:23 ` Robin Murphy 2018-02-07 11:23 ` Robin Murphy 2018-01-31 18:27 ` [PATCH v2 02/20] arm64: capabilities: Move errata work around check on boot CPU Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:37 ` Dave Martin 2018-02-07 10:37 ` Dave Martin 2018-02-07 14:47 ` Suzuki K Poulose 2018-02-07 14:47 ` Suzuki K Poulose 2018-01-31 18:27 ` [PATCH v2 03/20] arm64: capabilities: Move errata processing code Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:37 ` Dave Martin 2018-02-07 10:37 ` Dave Martin 2018-01-31 18:27 ` [PATCH v2 04/20] arm64: capabilities: Prepare for fine grained capabilities Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:37 ` Dave Martin 2018-02-07 10:37 ` Dave Martin 2018-02-07 15:16 ` Suzuki K Poulose 2018-02-07 15:16 ` Suzuki K Poulose 2018-02-07 15:39 ` Dave Martin 2018-02-07 15:39 ` Dave Martin 2018-01-31 18:27 ` [PATCH v2 05/20] arm64: capabilities: Add flags to handle the conflicts on late CPU Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:38 ` Dave Martin 2018-02-07 10:38 ` Dave Martin 2018-02-07 11:31 ` Robin Murphy 2018-02-07 11:31 ` Robin Murphy 2018-02-07 16:53 ` Suzuki K Poulose 2018-02-07 16:53 ` Suzuki K Poulose 2018-01-31 18:27 ` [PATCH v2 06/20] arm64: capabilities: Unify the verification Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:38 ` Dave Martin 2018-02-07 10:38 ` Dave Martin 2018-02-07 16:56 ` Suzuki K Poulose 2018-02-07 16:56 ` Suzuki K Poulose 2018-01-31 18:27 ` [PATCH v2 07/20] arm64: capabilities: Filter the entries based on a given mask Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:38 ` Dave Martin 2018-02-07 10:38 ` Dave Martin 2018-02-07 17:01 ` Suzuki K Poulose 2018-02-07 17:01 ` Suzuki K Poulose 2018-01-31 18:27 ` [PATCH v2 08/20] arm64: capabilities: Group handling of features and errata Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:38 ` Dave Martin 2018-02-07 10:38 ` Dave Martin 2018-02-08 12:10 ` Suzuki K Poulose 2018-02-08 12:10 ` Suzuki K Poulose 2018-02-08 12:12 ` [PATCH 1/2] arm64: capabilities: Allow flexibility in scope Suzuki K Poulose 2018-02-08 12:12 ` Suzuki K Poulose 2018-02-08 12:12 ` [PATCH 2/2] arm64: capabilities: Group handling of features and errata workarounds Suzuki K Poulose 2018-02-08 12:12 ` Suzuki K Poulose 2018-02-08 16:10 ` [PATCH 1/2] arm64: capabilities: Allow flexibility in scope Dave Martin 2018-02-08 16:10 ` Dave Martin 2018-02-08 16:31 ` Suzuki K Poulose 2018-02-08 16:31 ` Suzuki K Poulose 2018-02-08 17:32 ` Dave Martin 2018-02-08 17:32 ` Dave Martin 2018-02-09 12:16 ` Suzuki K Poulose 2018-02-09 12:16 ` Suzuki K Poulose 2018-02-09 12:16 ` [PATCH 1/4] arm64: capabilities: Prepare for grouping features and errata work arounds Suzuki K Poulose 2018-02-09 12:16 ` Suzuki K Poulose 2018-02-09 12:16 ` [PATCH 2/4] arm64: capabilities: Split the processing of " Suzuki K Poulose 2018-02-09 12:16 ` Suzuki K Poulose 2018-02-09 12:16 ` [PATCH 3/4] arm64: capabilities: Allow features based on local CPU scope Suzuki K Poulose 2018-02-09 12:16 ` Suzuki K Poulose 2018-02-09 12:16 ` [PATCH 4/4] arm64: capabilities: Group handling of features and errata workarounds Suzuki K Poulose 2018-02-09 12:16 ` Suzuki K Poulose 2018-02-09 12:19 ` Suzuki K Poulose 2018-02-09 12:19 ` Suzuki K Poulose 2018-02-09 14:21 ` [PATCH 1/2] arm64: capabilities: Allow flexibility in scope Dave Martin 2018-02-09 14:21 ` Dave Martin 2018-01-31 18:27 ` [PATCH v2 09/20] arm64: capabilities: Introduce weak features based on local CPU Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:38 ` Dave Martin 2018-02-07 10:38 ` Dave Martin 2018-01-31 18:27 ` [PATCH v2 10/20] arm64: capabilities: Restrict KPTI detection to boot-time CPUs Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:38 ` Dave Martin 2018-02-07 10:38 ` Dave Martin 2018-02-07 18:15 ` Suzuki K Poulose 2018-02-07 18:15 ` Suzuki K Poulose 2018-02-08 11:05 ` Dave Martin 2018-02-08 11:05 ` Dave Martin 2018-01-31 18:27 ` [PATCH v2 11/20] arm64: capabilities: Add support for features enabled early Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:38 ` Dave Martin 2018-02-07 10:38 ` Dave Martin 2018-02-07 18:34 ` Suzuki K Poulose 2018-02-07 18:34 ` Suzuki K Poulose 2018-02-08 11:35 ` Dave Martin 2018-02-08 11:35 ` Dave Martin 2018-02-08 11:43 ` Suzuki K Poulose 2018-02-08 11:43 ` Suzuki K Poulose 2018-01-31 18:27 ` [PATCH v2 12/20] arm64: capabilities: Change scope of VHE to Boot CPU feature Suzuki K Poulose 2018-01-31 18:27 ` Suzuki K Poulose 2018-02-07 10:39 ` Dave Martin 2018-02-07 10:39 ` Dave Martin 2018-01-31 18:28 ` [PATCH v2 13/20] arm64: capabilities: Clean up midr range helpers Suzuki K Poulose 2018-01-31 18:28 ` Suzuki K Poulose 2018-02-07 10:39 ` Dave Martin 2018-02-07 10:39 ` Dave Martin 2018-01-31 18:28 ` [PATCH v2 14/20] arm64: Add helpers for checking CPU MIDR against a range Suzuki K Poulose 2018-01-31 18:28 ` Suzuki K Poulose 2018-02-07 10:39 ` Dave Martin 2018-02-07 10:39 ` Dave Martin 2018-01-31 18:28 ` [PATCH v2 15/20] arm64: capabilities: Add support for checks based on a list of MIDRs Suzuki K Poulose 2018-01-31 18:28 ` Suzuki K Poulose 2018-02-07 10:39 ` Dave Martin 2018-02-07 10:39 ` Dave Martin 2018-01-31 18:28 ` [PATCH v2 16/20] arm64: Handle shared capability entries Suzuki K Poulose 2018-01-31 18:28 ` Suzuki K Poulose 2018-02-07 10:39 ` Dave Martin 2018-02-07 10:39 ` Dave Martin 2018-02-08 10:53 ` Suzuki K Poulose 2018-02-08 10:53 ` Suzuki K Poulose 2018-02-08 12:01 ` Dave Martin 2018-02-08 12:01 ` Dave Martin 2018-02-08 12:32 ` Robin Murphy 2018-02-08 12:32 ` Robin Murphy 2018-02-09 10:05 ` Dave Martin 2018-02-09 10:05 ` Dave Martin 2018-02-08 12:04 ` Dave Martin 2018-02-08 12:04 ` Dave Martin 2018-02-08 12:05 ` Suzuki K Poulose 2018-02-08 12:05 ` Suzuki K Poulose 2018-01-31 18:28 ` [PATCH v2 17/20] arm64: bp hardening: Allow late CPUs to enable work around Suzuki K Poulose 2018-01-31 18:28 ` Suzuki K Poulose 2018-02-07 10:39 ` Dave Martin [this message] 2018-02-07 10:39 ` Dave Martin 2018-02-08 12:19 ` Suzuki K Poulose 2018-02-08 12:19 ` Suzuki K Poulose 2018-02-08 12:26 ` Marc Zyngier 2018-02-08 12:26 ` Marc Zyngier 2018-02-08 16:58 ` Suzuki K Poulose 2018-02-08 16:58 ` Suzuki K Poulose 2018-02-08 17:59 ` Suzuki K Poulose 2018-02-08 17:59 ` Suzuki K Poulose 2018-02-08 17:59 ` Suzuki K Poulose 2018-02-08 17:59 ` Suzuki K Poulose 2018-01-31 18:28 ` [PATCH v2 18/20] arm64: Add MIDR encoding for Arm Cortex-A55 and Cortex-A35 Suzuki K Poulose 2018-01-31 18:28 ` Suzuki K Poulose 2018-02-07 10:39 ` Dave Martin 2018-02-07 10:39 ` Dave Martin 2018-01-31 18:28 ` [PATCH v2 19/20] arm64: Delay enabling hardware DBM feature Suzuki K Poulose 2018-01-31 18:28 ` Suzuki K Poulose 2018-02-07 10:40 ` Dave Martin 2018-02-07 10:40 ` Dave Martin 2018-01-31 18:28 ` [PATCH v2 20/20] arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Suzuki K Poulose 2018-01-31 18:28 ` Suzuki K Poulose 2018-02-07 10:40 ` Dave Martin 2018-02-07 10:40 ` Dave Martin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180207103942.GH5862@e103592.cambridge.arm.com \ --to=dave.martin@arm.com \ --cc=ard.biesheuvel@linaro.org \ --cc=catalin.marinas@arm.com \ --cc=ckadabi@codeaurora.org \ --cc=jnair@caviumnetworks.com \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=marc.zyngier@arm.com \ --cc=mark.rutland@arm.com \ --cc=suzuki.poulose@arm.com \ --cc=will.deacon@arm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.