From: Jian Cai <jiancai@google.com>
To: unlisted-recipients:; (no To-header on input)
Cc: ndesaulniers@google.com, manojgupta@google.com, llozano@google.com,
    clang-built-linux@googlegroups.com, "Jian Cai" <jiancai@google.com>,
    "Nathan Chancellor" <nathan@kernel.org>,
    "David Laight" <David.Laight@aculab.com>,
    "Will Deacon" <will@kernel.org>,
    "Russell King" <rmk+kernel@armlinux.org.uk>,
    "Linus Walleij" <linus.walleij@linaro.org>,
    "Russell King" <linux@armlinux.org.uk>,
    "Catalin Marinas" <catalin.marinas@arm.com>,
    "James Morris" <jmorris@namei.org>,
    "Serge E. Hallyn" <serge@hallyn.com>,
    "Arnd Bergmann" <arnd@arndb.de>,
    "Masahiro Yamada" <masahiroy@kernel.org>,
    "Kees Cook" <keescook@chromium.org>,
    "Andreas Färber" <afaerber@suse.de>,
    "Daniel Palmer" <daniel@0x0f.com>,
    "Ard Biesheuvel" <ardb@kernel.org>,
    "Ingo Molnar" <mingo@kernel.org>,
    "Vladimir Murzin" <vladimir.murzin@arm.com>,
    "Marc Zyngier" <maz@kernel.org>,
    "Andrew Morton" <akpm@linux-foundation.org>,
    "Mike Rapoport" <rppt@kernel.org>,
    "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>,
    "Mark Rutland" <mark.rutland@arm.com>,
    "David Brazdil" <dbrazdil@google.com>,
    "Joey Gouly" <joey.gouly@arm.com>,
    "James Morse" <james.morse@arm.com>,
    linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
    linux-security-module@vger.kernel.org
Subject: [PATCH v6] ARM: Implement SLS mitigation
Date: Thu, 4 Mar 2021 16:53:18 -0800
Message-ID: <20210305005327.405365-1-jiancai@google.com>
In-Reply-To: <20210223023542.2287529-1-jiancai@google.com>

This patch adds CONFIG_HARDEN_SLS_ALL that can be used to turn on
-mharden-sls=all, which mitigates the straight-line speculation
vulnerability, speculative execution of the instruction following some
unconditional jumps. Notice -mharden-sls= has other options as below,
and this config turns on the strongest option.

all: enable all mitigations against Straight Line Speculation that are implemented.
none: disable all mitigations against Straight Line Speculation.
retbr: enable the mitigation against Straight Line Speculation for RET and BR instructions.
blr: enable the mitigation against Straight Line Speculation for BLR instructions.

Links:
https://reviews.llvm.org/D93221
https://reviews.llvm.org/D81404
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions#SLS2

Suggested-by: Manoj Gupta <manojgupta@google.com>
Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
Suggested-by: Nathan Chancellor <nathan@kernel.org>
Suggested-by: David Laight <David.Laight@aculab.com>
Suggested-by: Will Deacon <will@kernel.org>
Suggested-by: Russell King <rmk+kernel@armlinux.org.uk>
Suggested-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jian Cai <jiancai@google.com>
---

Changes v1 -> v2:
  Update the description and patch based on Nathan and David's comments.

Changes v2 -> v3:
  Modify linker scripts as Nick suggested to address boot failure
  (verified with qemu). Added more details in Kconfig.hardening
  description. Disable the config by default.

Changes v3 -> v4:
  Address Nathan's comment and replace def_bool with depends on in
  HARDEN_SLS_ALL.

Changes v4 -> v5:
  Removed "default n" and made the description target independent in
  Kconfig.hardening.

Changes v5 -> v6:
  Add select HARDEN_SLS_ALL under config HARDEN_BRANCH_PREDICTOR. This
  turns on HARDEN_SLS_ALL by default where applicable.

 arch/arm/Makefile                  | 4 ++++
 arch/arm/include/asm/vmlinux.lds.h | 4 ++++
 arch/arm/kernel/vmlinux.lds.S      | 1 +
 arch/arm/mm/Kconfig                | 1 +
 arch/arm64/Makefile                | 4 ++++
 arch/arm64/kernel/vmlinux.lds.S    | 5 +++++
 security/Kconfig.hardening         | 8 ++++++++
 7 files changed, 27 insertions(+)

diff --git a/arch/arm/Makefile b/arch/arm/Makefile index dad5502ecc28..54f9b5ff9682 100644 --- a/arch/arm/Makefile
+++ b/arch/arm/Makefile @@ -48,6 +48,10 @@ CHECKFLAGS += -D__ARMEL__ KBUILD_LDFLAGS += -EL endif +ifeq ($(CONFIG_HARDEN_SLS_ALL), y) +KBUILD_CFLAGS += -mharden-sls=all +endif + # # The Scalar Replacement of Aggregates (SRA) optimization pass in GCC 4.9 and # later may result in code being generated that handles signed short and signed diff --git a/arch/arm/include/asm/vmlinux.lds.h b/arch/arm/include/asm/vmlinux.lds.h index 4a91428c324d..c7f9717511ca 100644 --- a/arch/arm/include/asm/vmlinux.lds.h +++ b/arch/arm/include/asm/vmlinux.lds.h @@ -145,3 +145,7 @@ __edtcm_data = .; \ } \ . = __dtcm_start + SIZEOF(.data_dtcm); + +#define SLS_TEXT \ + ALIGN_FUNCTION(); \ + *(.text.__llvm_slsblr_thunk_*) diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S index f7f4620d59c3..e71f2bc97bae 100644 --- a/arch/arm/kernel/vmlinux.lds.S +++ b/arch/arm/kernel/vmlinux.lds.S @@ -63,6 +63,7 @@ SECTIONS .text : { /* Real text segment */ _stext = .; /* Text and read-only data */ ARM_TEXT + SLS_TEXT } #ifdef CONFIG_DEBUG_ALIGN_RODATA diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig index 35f43d0aa056..bdb63e7b1bec 100644 --- a/arch/arm/mm/Kconfig +++ b/arch/arm/mm/Kconfig @@ -837,6 +837,7 @@ config HARDEN_BRANCH_PREDICTOR bool "Harden the branch predictor against aliasing attacks" if EXPERT depends on CPU_SPECTRE default y + select HARDEN_SLS_ALL help Speculation attacks against some high-performance processors rely on being able to manipulate the branch predictor for a victim diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index 5b84aec31ed3..e233bfbdb1c2 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile @@ -34,6 +34,10 @@ $(warning LSE atomics not supported by binutils) endif endif +ifeq ($(CONFIG_HARDEN_SLS_ALL), y) +KBUILD_CFLAGS += -mharden-sls=all +endif + cc_has_k_constraint := $(call try-run,echo \ 'int main(void) { \ asm volatile("and w0, w0, %w0" :: "K" (4294967295)); \ 
diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S index 7eea7888bb02..d5c892605862 100644 --- a/arch/arm64/kernel/vmlinux.lds.S +++ b/arch/arm64/kernel/vmlinux.lds.S @@ -103,6 +103,10 @@ jiffies = jiffies_64; #define TRAMP_TEXT #endif +#define SLS_TEXT \ + ALIGN_FUNCTION(); \ + *(.text.__llvm_slsblr_thunk_*) + /* * The size of the PE/COFF section that covers the kernel image, which * runs from _stext to _edata, must be a round multiple of the PE/COFF @@ -154,6 +158,7 @@ SECTIONS HIBERNATE_TEXT TRAMP_TEXT *(.fixup) + SLS_TEXT *(.gnu.warning) . = ALIGN(16); *(.got) /* Global offset table */ diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 269967c4fc1b..db76ad732c14 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -121,6 +121,14 @@ choice endchoice +config HARDEN_SLS_ALL + bool "enable SLS vulnerability hardening" + depends on $(cc-option,-mharden-sls=all) + help + Enables straight-line speculation vulnerability hardening. This inserts + speculation barrier instruction sequences after certain unconditional jumps + to prevent speculative execution past those barriers. + config GCC_PLUGIN_STRUCTLEAK_VERBOSE bool "Report forcefully initialized variables" depends on GCC_PLUGIN_STRUCTLEAK -- 2.30.1.766.gb4fecdf3b7-goog
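Review bot: in the arch/arm/Makefile and arch/arm64/Makefile hunks the flag is appended only to KBUILD_CFLAGS, so the hardening reaches compiler-generated code and nothing else. Hand-written assembly containing RET, BR or BLR is built without it, which means "all" in CONFIG_HARDEN_SLS_ALL describes the compiler option, not the coverage of the resulting kernel image. Please say so in the commit message and in the Kconfig help text so that nobody reads the option as a complete SLS fix. Minor: the same three-line ifeq block is repeated in both Makefiles; since the symbol lives in security/Kconfig.hardening, a single addition in a common place would avoid the copies drifting apart.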
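Review bot: the SLS_TEXT macro is defined twice with identical bodies, once in arch/arm/include/asm/vmlinux.lds.h and once in arch/arm64/kernel/vmlinux.lds.S, and neither definition carries a comment. The changelog says the linker script change was needed to address a boot failure, but that reasoning is lost once the patch is applied. Please define the macro once in a shared header such as include/asm-generic/vmlinux.lds.h and add a comment explaining that the compiler emits the thunks into .text.__llvm_slsblr_thunk_* sections and why they must be placed explicitly inside .text. The section name is also specific to LLVM, which is worth stating next to the pattern.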
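Review bot: in the arch/arm/mm/Kconfig hunk, "select HARDEN_SLS_ALL" bypasses the "depends on $(cc-option,-mharden-sls=all)" that the new symbol declares, because select forces a symbol on without evaluating its dependencies. With a compiler that rejects the flag and HARDEN_BRANCH_PREDICTOR enabled (it is "default y"), Kconfig will report an unmet direct dependency and the Makefile will then pass -mharden-sls=all to a compiler that does not accept it. Use "imply HARDEN_SLS_ALL", which honours the dependency, or make the select conditional on a symbol that records the compiler capability. Separately, the v6 changelog says this turns the option on "where applicable", but only the 32-bit ARM Kconfig is touched, so arm64 still defaults to off.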
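Review bot: in the security/Kconfig.hardening hunk, HARDEN_SLS_ALL depends only on the compiler accepting -mharden-sls=all, while the flag is wired up only in arch/arm/Makefile and arch/arm64/Makefile. On any other architecture whose compiler accepts the flag, the option would be offered, could be set to y, and would change nothing, which is misleading for a hardening switch. Add "depends on ARM || ARM64", or move the KBUILD_CFLAGS addition somewhere that applies to every architecture offering the symbol. The prompt "enable SLS vulnerability hardening" should also be capitalised and should spell out "straight-line speculation" like the neighbouring entries do, and the help text would benefit from a sentence on the expected code size and performance cost so that users can make an informed choice.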