[PATCH 0/2] ARM/decompressor: deal with disabled CP15 barrier instructions

[PATCH 0/2] ARM/decompressor: deal with disabled CP15 barrier instructions

[Ard Biesheuvel]

While trying to test my v4.4 backport of the firmware/hypervisor based spectre
v1/v2 mitigations for 32-bit ARM, I noticed that KVM/qemu failed to boot my
kernel while it booted fine under TCG emulation.

As it turns out, KVM/qemu may instantiate the VCPU with support for CP15
barrier instructions disabled, causing them to UNDEF and crash the
decompressor.

I already fixed the same issue for UEFI boot, but since v4.4 does not support
that, I only noticed now that this is an issue for bare metal as well.

Cc: Russell King <rmk+kernel@armlinux.org.uk>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Marc Zyngier <maz@kernel.org>

Ard Biesheuvel (2):
  ARM/decompressor: avoid CP15 barrier instructions in v7 cache setup
    code
  Revert "ARM: 8857/1: efi: enable CP15 DMB instructions before cleaning
    the cache"

 arch/arm/boot/compressed/head.S | 51 ++++++++++----------
 1 file changed, 26 insertions(+), 25 deletions(-)

-- 
2.17.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH 1/2] ARM/decompressor: avoid CP15 barrier instructions in v7 cache setup code

[Ard Biesheuvel]

Commit e17b1af96b2afc38e684aa2f1033387e2ed10029

  "ARM: 8857/1: efi: enable CP15 DMB instructions before cleaning the cache"

added some explicit handling of the CP15BEN bit in the SCTLR system
register, to ensure that CP15 barrier instructions are enabled, even
if we enter the decompressor via the EFI stub.

However, as it turns out, there are other ways in which we may end up
using CP15 barrier instructions without them being enabled. I.e., if
the decompressor startup code skips the cache_on() call initially, we
end up calling cache_clean_flush() with the caches and MMU off, in which
case the CP15BEN bit in SCTLR may not be programmed either. And in
fact, cache_on() itself issues CP15 barrier instructions before actually
enabling them by programming the new SCTLR value (and issuing an ISB)

Since all these routines are specific to v7, let's clean this up by
using the ordinary v7 barrier instructions in the v7 specific cache
handling routines, so that we never rely on the CP15 ones. This also
avoids the issue where a barrier is required between programming SCTLR
and using the CP15 barrier instructions, which would result in two
different kinds of barriers being used in the same function.

Cc: <stable@vger.kernel.org> # v4.4+
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 arch/arm/boot/compressed/head.S | 35 ++++++++++++++------
 1 file changed, 25 insertions(+), 10 deletions(-)

diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
index 93dffed0ac6e..ec14687aea3c 100644
--- a/arch/arm/boot/compressed/head.S
+++ b/arch/arm/boot/compressed/head.S
@@ -656,6 +656,21 @@ params:		ldr	r0, =0x10000100		@ params_phys for RPC
 		.align
 #endif
 
+		.macro	v7dsb
+ ARM(		.inst	0xf57ff04f		@ v7+ dsb	)
+ THUMB(		dsb						)
+		.endm
+
+		.macro	v7dmb
+ ARM(		.inst	0xf57ff05f		@ v7+ dmb	)
+ THUMB(		dmb						)
+		.endm
+
+		.macro	v7isb
+ ARM(		.inst	0xf57ff06f		@ v7+ isb	)
+ THUMB(		isb						)
+		.endm
+
 /*
  * Turn on the cache.  We need to setup some page tables so that we
  * can have both the I and D caches on.
@@ -827,7 +842,7 @@ __armv7_mmu_cache_on:
 		movne	r6, #CB_BITS | 0x02	@ !XN
 		blne	__setup_mmu
 		mov	r0, #0
-		mcr	p15, 0, r0, c7, c10, 4	@ drain write buffer
+		v7dsb				@ drain write buffer
 		tst	r11, #0xf		@ VMSA
 		mcrne	p15, 0, r0, c8, c7, 0	@ flush I,D TLBs
 #endif
@@ -849,11 +864,11 @@ __armv7_mmu_cache_on:
 		mcrne	p15, 0, r1, c3, c0, 0	@ load domain access control
 		mcrne   p15, 0, r6, c2, c0, 2   @ load ttb control
 #endif
-		mcr	p15, 0, r0, c7, c5, 4	@ ISB
+		v7isb
 		mcr	p15, 0, r0, c1, c0, 0	@ load control register
 		mrc	p15, 0, r0, c1, c0, 0	@ and read it back
 		mov	r0, #0
-		mcr	p15, 0, r0, c7, c5, 4	@ ISB
+		v7isb
 		mov	pc, r12
 
 __fa526_cache_on:
@@ -1154,8 +1169,8 @@ __armv7_mmu_cache_off:
 		mcr	p15, 0, r0, c8, c7, 0	@ invalidate whole TLB
 #endif
 		mcr	p15, 0, r0, c7, c5, 6	@ invalidate BTC
-		mcr	p15, 0, r0, c7, c10, 4	@ DSB
-		mcr	p15, 0, r0, c7, c5, 4	@ ISB
+		v7dsb
+		v7isb
 		mov	pc, r12
 
 /*
@@ -1218,7 +1233,7 @@ __armv7_mmu_cache_flush:
 		mcr	p15, 0, r10, c7, c14, 0	@ clean+invalidate D
 		b	iflush
 hierarchical:
-		mcr	p15, 0, r10, c7, c10, 5	@ DMB
+		v7dmb
 		stmfd	sp!, {r0-r7, r9-r11}
 		mrc	p15, 1, r0, c0, c0, 1	@ read clidr
 		ands	r3, r0, #0x7000000	@ extract loc from clidr
@@ -1232,7 +1247,7 @@ loop1:
 		cmp	r1, #2			@ see what cache we have at this level
 		blt	skip			@ skip if no cache, or just i-cache
 		mcr	p15, 2, r10, c0, c0, 0	@ select current cache level in cssr
-		mcr	p15, 0, r10, c7, c5, 4	@ isb to sych the new cssr&csidr
+		v7isb				@ isb to sych the new cssr&csidr
 		mrc	p15, 1, r1, c0, c0, 0	@ read the new csidr
 		and	r2, r1, #7		@ extract the length of the cache lines
 		add	r2, r2, #4		@ add 4 (line length offset)
@@ -1264,10 +1279,10 @@ finished:
 		mov	r10, #0			@ switch back to cache level 0
 		mcr	p15, 2, r10, c0, c0, 0	@ select current cache level in cssr
 iflush:
-		mcr	p15, 0, r10, c7, c10, 4	@ DSB
+		v7dsb
 		mcr	p15, 0, r10, c7, c5, 0	@ invalidate I+BTB
-		mcr	p15, 0, r10, c7, c10, 4	@ DSB
-		mcr	p15, 0, r10, c7, c5, 4	@ ISB
+		v7dsb
+		v7isb
 		mov	pc, lr
 
 __armv5tej_mmu_cache_flush:
-- 
2.17.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH 2/2] Revert "ARM: 8857/1: efi: enable CP15 DMB instructions before cleaning the cache"

[Ard Biesheuvel]

This reverts commit e17b1af96b2afc38e684aa2f1033387e2ed10029, which is
no longer necessary now that the v7 specific routines take care not to
issue CP15 barrier instructions before they are enabled in SCTLR.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 arch/arm/boot/compressed/head.S | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
index ec14687aea3c..4369f491b23d 100644
--- a/arch/arm/boot/compressed/head.S
+++ b/arch/arm/boot/compressed/head.S
@@ -1462,21 +1462,7 @@ ENTRY(efi_stub_entry)
 
 		@ Preserve return value of efi_entry() in r4
 		mov	r4, r0
-
-		@ our cache maintenance code relies on CP15 barrier instructions
-		@ but since we arrived here with the MMU and caches configured
-		@ by UEFI, we must check that the CP15BEN bit is set in SCTLR.
-		@ Note that this bit is RAO/WI on v6 and earlier, so the ISB in
-		@ the enable path will be executed on v7+ only.
-		mrc	p15, 0, r1, c1, c0, 0	@ read SCTLR
-		tst	r1, #(1 << 5)		@ CP15BEN bit set?
-		bne	0f
-		orr	r1, r1, #(1 << 5)	@ CP15 barrier instructions
-		mcr	p15, 0, r1, c1, c0, 0	@ write SCTLR
- ARM(		.inst	0xf57ff06f		@ v7+ isb	)
- THUMB(		isb						)
-
-0:		bl	cache_clean_flush
+		bl	cache_clean_flush
 		bl	cache_off
 
 		@ Set parameters for booting zImage according to boot protocol
-- 
2.17.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 0/2] ARM/decompressor: deal with disabled CP15 barrier instructions

[Linus Walleij]

On Wed, Nov 6, 2019 at 10:42 AM Ard Biesheuvel <ardb@kernel.org> wrote:

> While trying to test my v4.4 backport of the firmware/hypervisor based spectre
> v1/v2 mitigations for 32-bit ARM, I noticed that KVM/qemu failed to boot my
> kernel while it booted fine under TCG emulation.
>
> As it turns out, KVM/qemu may instantiate the VCPU with support for CP15
> barrier instructions disabled, causing them to UNDEF and crash the
> decompressor.
>
> I already fixed the same issue for UEFI boot, but since v4.4 does not support
> that, I only noticed now that this is an issue for bare metal as well.
>
> Cc: Russell King <rmk+kernel@armlinux.org.uk>
> Cc: Linus Walleij <linus.walleij@linaro.org>
> Cc: Marc Zyngier <maz@kernel.org>

FWIW:
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>

Looking at patches for stable is a bit like cleaning the sink in the bathroom,
seems OK at first but after a while you get scared by the stuff that comes
up.

Yours,
Linus Walleij

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 0/2] ARM/decompressor: deal with disabled CP15 barrier instructions

[Ard Biesheuvel]

On Wed, 13 Nov 2019 at 13:58, Linus Walleij <linus.walleij@linaro.org> wrote:
>
> On Wed, Nov 6, 2019 at 10:42 AM Ard Biesheuvel <ardb@kernel.org> wrote:
>
> > While trying to test my v4.4 backport of the firmware/hypervisor based spectre
> > v1/v2 mitigations for 32-bit ARM, I noticed that KVM/qemu failed to boot my
> > kernel while it booted fine under TCG emulation.
> >
> > As it turns out, KVM/qemu may instantiate the VCPU with support for CP15
> > barrier instructions disabled, causing them to UNDEF and crash the
> > decompressor.
> >
> > I already fixed the same issue for UEFI boot, but since v4.4 does not support
> > that, I only noticed now that this is an issue for bare metal as well.
> >
> > Cc: Russell King <rmk+kernel@armlinux.org.uk>
> > Cc: Linus Walleij <linus.walleij@linaro.org>
> > Cc: Marc Zyngier <maz@kernel.org>
>
> FWIW:
> Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
>

Thanks!

> Looking at patches for stable is a bit like cleaning the sink in the bathroom,
> seems OK at first but after a while you get scared by the stuff that comes
> up.
>

Well, at least I didn't need gloves :-)

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel