From: drjones@redhat.com (Andrew Jones)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCHv3 03/11] arm64/kvm: hide ptrauth from guests
Date: Wed, 18 Apr 2018 15:19:26 +0200 [thread overview]
Message-ID: <20180418131926.pbjlbcjspg7azq2j@kamzik.brq.redhat.com> (raw)
In-Reply-To: <20180417183735.56985-4-mark.rutland@arm.com>
On Tue, Apr 17, 2018 at 07:37:27PM +0100, Mark Rutland wrote:
> In subsequent patches we're going to expose ptrauth to the host kernel
> and userspace, but things are a bit trickier for guest kernels. For the
> time being, let's hide ptrauth from KVM guests.
>
> Regardless of how well-behaved the guest kernel is, guest userspace
> could attempt to use ptrauth instructions, triggering a trap to EL2,
> resulting in noise from kvm_handle_unknown_ec(). So let's write up a
> handler for the PAC trap, which silently injects an UNDEF into the
> guest, as if the feature were really missing.
>
> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> Cc: Christoffer Dall <cdall@kernel.org>
> Cc: Marc Zyngier <marc.zyngier@arm.com>
> Cc: kvmarm at lists.cs.columbia.edu
> ---
> arch/arm64/kvm/handle_exit.c | 18 ++++++++++++++++++
> arch/arm64/kvm/sys_regs.c | 9 +++++++++
> 2 files changed, 27 insertions(+)
>
> diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c
> index e5e741bfffe1..5114ad691eae 100644
> --- a/arch/arm64/kvm/handle_exit.c
> +++ b/arch/arm64/kvm/handle_exit.c
> @@ -173,6 +173,23 @@ static int handle_sve(struct kvm_vcpu *vcpu, struct kvm_run *run)
> return 1;
> }
>
> +/*
> + * Guest usage of a ptrauth instruction (which the guest EL1 did not turn into
> + * a NOP), or guest EL1 access to a ptrauth register.
> + */
> +static int kvm_handle_ptrauth(struct kvm_vcpu *vcpu, struct kvm_run *run)
> +{
> + /*
> + * We don't currently suport ptrauth in a guest, and we mask the ID
> + * registers to prevent well-behaved guests from trying to make use of
> + * it.
> + *
> + * Inject an UNDEF, as if the feature really isn't present.
> + */
> + kvm_inject_undefined(vcpu);
> + return 1;
> +}
> +
> static exit_handle_fn arm_exit_handlers[] = {
> [0 ... ESR_ELx_EC_MAX] = kvm_handle_unknown_ec,
> [ESR_ELx_EC_WFx] = kvm_handle_wfx,
> @@ -195,6 +212,7 @@ static exit_handle_fn arm_exit_handlers[] = {
> [ESR_ELx_EC_BKPT32] = kvm_handle_guest_debug,
> [ESR_ELx_EC_BRK64] = kvm_handle_guest_debug,
> [ESR_ELx_EC_FP_ASIMD] = handle_no_fpsimd,
> + [ESR_ELx_EC_PAC] = kvm_handle_ptrauth,
> };
>
> static exit_handle_fn kvm_get_exit_handler(struct kvm_vcpu *vcpu)
> diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
> index 806b0b126a64..eee399c35e84 100644
> --- a/arch/arm64/kvm/sys_regs.c
> +++ b/arch/arm64/kvm/sys_regs.c
> @@ -1000,6 +1000,15 @@ static u64 read_id_reg(struct sys_reg_desc const *r, bool raz)
> task_pid_nr(current));
>
> val &= ~(0xfUL << ID_AA64PFR0_SVE_SHIFT);
> + } else if (id == SYS_ID_AA64ISAR1_EL1) {
> + const u64 ptrauth_mask = (0xfUL << ID_AA64ISAR1_APA_SHIFT) |
> + (0xfUL << ID_AA64ISAR1_API_SHIFT) |
> + (0xfUL << ID_AA64ISAR1_GPA_SHIFT) |
> + (0xfUL << ID_AA64ISAR1_GPI_SHIFT);
> + if (val & ptrauth_mask)
> + pr_err_once("kvm [%i]: ptrauth unsupported for guests, suppressing\n",
> + task_pid_nr(current));
Marc just changed the equivalent SVE pr_err_once() to kvm_debug().
So we probably want to do the same here.
> + val &= ~ptrauth_mask;
> } else if (id == SYS_ID_AA64MMFR1_EL1) {
> if (val & (0xfUL << ID_AA64MMFR1_LOR_SHIFT))
> pr_err_once("kvm [%i]: LORegions unsupported for guests, suppressing\n",
> --
> 2.11.0
>
Otherwise
Reviewed-by: Andrew Jones <drjones@redhat.com>
next prev parent reply other threads:[~2018-04-18 13:19 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-17 18:37 [PATCHv3 00/11] ARMv8.3 pointer authentication userspace support Mark Rutland
2018-04-17 18:37 ` [PATCHv3 01/11] arm64: add pointer authentication register bits Mark Rutland
2018-04-17 18:37 ` [PATCHv3 02/11] arm64/kvm: consistently handle host HCR_EL2 flags Mark Rutland
2018-04-27 9:51 ` Christoffer Dall
2018-04-27 10:13 ` Mark Rutland
2018-04-17 18:37 ` [PATCHv3 03/11] arm64/kvm: hide ptrauth from guests Mark Rutland
2018-04-18 13:19 ` Andrew Jones [this message]
2018-04-18 13:47 ` Mark Rutland
2018-04-27 9:51 ` Christoffer Dall
2018-04-17 18:37 ` [PATCHv3 04/11] arm64: Don't trap host pointer auth use to EL2 Mark Rutland
2018-04-27 9:52 ` Christoffer Dall
2018-04-17 18:37 ` [PATCHv3 05/11] arm64/cpufeature: detect pointer authentication Mark Rutland
2018-04-17 18:37 ` [PATCHv3 06/11] asm-generic: mm_hooks: allow hooks to be overridden individually Mark Rutland
2018-04-17 19:56 ` Arnd Bergmann
2018-04-18 11:38 ` Mark Rutland
2018-04-17 18:37 ` [PATCHv3 07/11] arm64: add basic pointer authentication support Mark Rutland
2018-04-25 11:23 ` Catalin Marinas
2018-04-27 10:27 ` Mark Rutland
2018-04-17 18:37 ` [PATCHv3 08/11] arm64: expose user PAC bit positions via ptrace Mark Rutland
2018-04-17 18:37 ` [PATCHv3 09/11] arm64: perf: strip PAC when unwinding userspace Mark Rutland
2018-04-17 18:37 ` [PATCHv3 10/11] arm64: enable pointer authentication Mark Rutland
2018-04-17 18:37 ` [PATCHv3 11/11] arm64: docs: document " Mark Rutland
2018-04-22 8:05 ` Pavel Machek
2018-04-22 8:47 ` Marc Zyngier
2018-04-22 9:00 ` Pavel Machek
2018-04-25 12:27 ` Catalin Marinas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180418131926.pbjlbcjspg7azq2j@kamzik.brq.redhat.com \
--to=drjones@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).