From: Marc Zyngier <marc.zyngier@arm.com> To: "Paolo Bonzini" <pbonzini@redhat.com>, "Radim Krčmář" <rkrcmar@redhat.com> Cc: zhong jiang <zhongjiang@huawei.com>, kvm@vger.kernel.org, Catalin Marinas <catalin.marinas@arm.com>, Punit Agrawal <punit.agrawal@arm.com>, Kristina Martsenko <kristina.martsenko@arm.com>, Dongjiu Geng <gengdongjiu@huawei.com>, Robin Murphy <robin.murphy@arm.com>, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org Subject: [PATCH 26/26] KVM: arm64: Safety check PSTATE when entering guest and handle IL Date: Fri, 19 Oct 2018 13:59:01 +0100 [thread overview] Message-ID: <20181019125901.185478-27-marc.zyngier@arm.com> (raw) In-Reply-To: <20181019125901.185478-1-marc.zyngier@arm.com> From: Christoffer Dall <christoffer.dall@arm.com> This commit adds a paranoid check when entering the guest to make sure we don't attempt running guest code in an equally or more privilged mode than the hypervisor. We also catch other accidental programming of the SPSR_EL2 which results in an illegal exception return and report this safely back to the user. Signed-off-by: Christoffer Dall <christoffer.dall@arm.com> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> --- arch/arm64/include/asm/kvm_asm.h | 1 + arch/arm64/include/asm/ptrace.h | 3 +++ arch/arm64/kvm/handle_exit.c | 7 +++++++ arch/arm64/kvm/hyp/hyp-entry.S | 16 +++++++++++++++- arch/arm64/kvm/hyp/sysreg-sr.c | 19 ++++++++++++++++++- 5 files changed, 44 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/kvm_asm.h b/arch/arm64/include/asm/kvm_asm.h index 0b53c72e7591..aea01a09eb94 100644 --- a/arch/arm64/include/asm/kvm_asm.h +++ b/arch/arm64/include/asm/kvm_asm.h @@ -30,6 +30,7 @@ #define ARM_EXCEPTION_IRQ 0 #define ARM_EXCEPTION_EL1_SERROR 1 #define ARM_EXCEPTION_TRAP 2 +#define ARM_EXCEPTION_IL 3 /* The hyp-stub will return this for any kvm_call_hyp() call */ #define ARM_EXCEPTION_HYP_GONE HVC_STUB_ERR diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h index 177b851ca6d9..ff35ac1258eb 100644 --- a/arch/arm64/include/asm/ptrace.h +++ b/arch/arm64/include/asm/ptrace.h @@ -25,6 +25,9 @@ #define CurrentEL_EL1 (1 << 2) #define CurrentEL_EL2 (2 << 2) +/* Additional SPSR bits not exposed in the UABI */ +#define PSR_IL_BIT (1 << 20) + /* AArch32-specific ptrace requests */ #define COMPAT_PTRACE_GETREGS 12 #define COMPAT_PTRACE_SETREGS 13 diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c index e5e741bfffe1..35a81bebd02b 100644 --- a/arch/arm64/kvm/handle_exit.c +++ b/arch/arm64/kvm/handle_exit.c @@ -284,6 +284,13 @@ int handle_exit(struct kvm_vcpu *vcpu, struct kvm_run *run, */ run->exit_reason = KVM_EXIT_FAIL_ENTRY; return 0; + case ARM_EXCEPTION_IL: + /* + * We attempted an illegal exception return. Guest state must + * have been corrupted somehow. Give up. + */ + run->exit_reason = KVM_EXIT_FAIL_ENTRY; + return -EINVAL; default: kvm_pr_unimpl("Unsupported exception type: %d", exception_index); diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S index 24b4fbafe3e4..b1f14f736962 100644 --- a/arch/arm64/kvm/hyp/hyp-entry.S +++ b/arch/arm64/kvm/hyp/hyp-entry.S @@ -162,6 +162,20 @@ el1_error: mov x0, #ARM_EXCEPTION_EL1_SERROR b __guest_exit +el2_sync: + /* Check for illegal exception return, otherwise panic */ + mrs x0, spsr_el2 + + /* if this was something else, then panic! */ + tst x0, #PSR_IL_BIT + b.eq __hyp_panic + + /* Let's attempt a recovery from the illegal exception return */ + get_vcpu_ptr x1, x0 + mov x0, #ARM_EXCEPTION_IL + b __guest_exit + + el2_error: ldp x0, x1, [sp], #16 @@ -240,7 +254,7 @@ ENTRY(__kvm_hyp_vector) invalid_vect el2t_fiq_invalid // FIQ EL2t invalid_vect el2t_error_invalid // Error EL2t - invalid_vect el2h_sync_invalid // Synchronous EL2h + valid_vect el2_sync // Synchronous EL2h invalid_vect el2h_irq_invalid // IRQ EL2h invalid_vect el2h_fiq_invalid // FIQ EL2h valid_vect el2_error // Error EL2h diff --git a/arch/arm64/kvm/hyp/sysreg-sr.c b/arch/arm64/kvm/hyp/sysreg-sr.c index 9ce223944983..8dc285318204 100644 --- a/arch/arm64/kvm/hyp/sysreg-sr.c +++ b/arch/arm64/kvm/hyp/sysreg-sr.c @@ -152,8 +152,25 @@ static void __hyp_text __sysreg_restore_el1_state(struct kvm_cpu_context *ctxt) static void __hyp_text __sysreg_restore_el2_return_state(struct kvm_cpu_context *ctxt) { + u64 pstate = ctxt->gp_regs.regs.pstate; + u64 mode = pstate & PSR_AA32_MODE_MASK; + + /* + * Safety check to ensure we're setting the CPU up to enter the guest + * in a less privileged mode. + * + * If we are attempting a return to EL2 or higher in AArch64 state, + * program SPSR_EL2 with M=EL2h and the IL bit set which ensures that + * we'll take an illegal exception state exception immediately after + * the ERET to the guest. Attempts to return to AArch32 Hyp will + * result in an illegal exception return because EL2's execution state + * is determined by SCR_EL3.RW. + */ + if (!(mode & PSR_MODE32_BIT) && mode >= PSR_MODE_EL2t) + pstate = PSR_MODE_EL2h | PSR_IL_BIT; + write_sysreg_el2(ctxt->gp_regs.regs.pc, elr); - write_sysreg_el2(ctxt->gp_regs.regs.pstate, spsr); + write_sysreg_el2(pstate, spsr); if (cpus_have_const_cap(ARM64_HAS_RAS_EXTN)) write_sysreg_s(ctxt->sys_regs[DISR_EL1], SYS_VDISR_EL2); -- 2.19.1
WARNING: multiple messages have this Message-ID (diff)
From: marc.zyngier@arm.com (Marc Zyngier) To: linux-arm-kernel@lists.infradead.org Subject: [PATCH 26/26] KVM: arm64: Safety check PSTATE when entering guest and handle IL Date: Fri, 19 Oct 2018 13:59:01 +0100 [thread overview] Message-ID: <20181019125901.185478-27-marc.zyngier@arm.com> (raw) In-Reply-To: <20181019125901.185478-1-marc.zyngier@arm.com> From: Christoffer Dall <christoffer.dall@arm.com> This commit adds a paranoid check when entering the guest to make sure we don't attempt running guest code in an equally or more privilged mode than the hypervisor. We also catch other accidental programming of the SPSR_EL2 which results in an illegal exception return and report this safely back to the user. Signed-off-by: Christoffer Dall <christoffer.dall@arm.com> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> --- arch/arm64/include/asm/kvm_asm.h | 1 + arch/arm64/include/asm/ptrace.h | 3 +++ arch/arm64/kvm/handle_exit.c | 7 +++++++ arch/arm64/kvm/hyp/hyp-entry.S | 16 +++++++++++++++- arch/arm64/kvm/hyp/sysreg-sr.c | 19 ++++++++++++++++++- 5 files changed, 44 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/kvm_asm.h b/arch/arm64/include/asm/kvm_asm.h index 0b53c72e7591..aea01a09eb94 100644 --- a/arch/arm64/include/asm/kvm_asm.h +++ b/arch/arm64/include/asm/kvm_asm.h @@ -30,6 +30,7 @@ #define ARM_EXCEPTION_IRQ 0 #define ARM_EXCEPTION_EL1_SERROR 1 #define ARM_EXCEPTION_TRAP 2 +#define ARM_EXCEPTION_IL 3 /* The hyp-stub will return this for any kvm_call_hyp() call */ #define ARM_EXCEPTION_HYP_GONE HVC_STUB_ERR diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h index 177b851ca6d9..ff35ac1258eb 100644 --- a/arch/arm64/include/asm/ptrace.h +++ b/arch/arm64/include/asm/ptrace.h @@ -25,6 +25,9 @@ #define CurrentEL_EL1 (1 << 2) #define CurrentEL_EL2 (2 << 2) +/* Additional SPSR bits not exposed in the UABI */ +#define PSR_IL_BIT (1 << 20) + /* AArch32-specific ptrace requests */ #define COMPAT_PTRACE_GETREGS 12 #define COMPAT_PTRACE_SETREGS 13 diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c index e5e741bfffe1..35a81bebd02b 100644 --- a/arch/arm64/kvm/handle_exit.c +++ b/arch/arm64/kvm/handle_exit.c @@ -284,6 +284,13 @@ int handle_exit(struct kvm_vcpu *vcpu, struct kvm_run *run, */ run->exit_reason = KVM_EXIT_FAIL_ENTRY; return 0; + case ARM_EXCEPTION_IL: + /* + * We attempted an illegal exception return. Guest state must + * have been corrupted somehow. Give up. + */ + run->exit_reason = KVM_EXIT_FAIL_ENTRY; + return -EINVAL; default: kvm_pr_unimpl("Unsupported exception type: %d", exception_index); diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S index 24b4fbafe3e4..b1f14f736962 100644 --- a/arch/arm64/kvm/hyp/hyp-entry.S +++ b/arch/arm64/kvm/hyp/hyp-entry.S @@ -162,6 +162,20 @@ el1_error: mov x0, #ARM_EXCEPTION_EL1_SERROR b __guest_exit +el2_sync: + /* Check for illegal exception return, otherwise panic */ + mrs x0, spsr_el2 + + /* if this was something else, then panic! */ + tst x0, #PSR_IL_BIT + b.eq __hyp_panic + + /* Let's attempt a recovery from the illegal exception return */ + get_vcpu_ptr x1, x0 + mov x0, #ARM_EXCEPTION_IL + b __guest_exit + + el2_error: ldp x0, x1, [sp], #16 @@ -240,7 +254,7 @@ ENTRY(__kvm_hyp_vector) invalid_vect el2t_fiq_invalid // FIQ EL2t invalid_vect el2t_error_invalid // Error EL2t - invalid_vect el2h_sync_invalid // Synchronous EL2h + valid_vect el2_sync // Synchronous EL2h invalid_vect el2h_irq_invalid // IRQ EL2h invalid_vect el2h_fiq_invalid // FIQ EL2h valid_vect el2_error // Error EL2h diff --git a/arch/arm64/kvm/hyp/sysreg-sr.c b/arch/arm64/kvm/hyp/sysreg-sr.c index 9ce223944983..8dc285318204 100644 --- a/arch/arm64/kvm/hyp/sysreg-sr.c +++ b/arch/arm64/kvm/hyp/sysreg-sr.c @@ -152,8 +152,25 @@ static void __hyp_text __sysreg_restore_el1_state(struct kvm_cpu_context *ctxt) static void __hyp_text __sysreg_restore_el2_return_state(struct kvm_cpu_context *ctxt) { + u64 pstate = ctxt->gp_regs.regs.pstate; + u64 mode = pstate & PSR_AA32_MODE_MASK; + + /* + * Safety check to ensure we're setting the CPU up to enter the guest + * in a less privileged mode. + * + * If we are attempting a return to EL2 or higher in AArch64 state, + * program SPSR_EL2 with M=EL2h and the IL bit set which ensures that + * we'll take an illegal exception state exception immediately after + * the ERET to the guest. Attempts to return to AArch32 Hyp will + * result in an illegal exception return because EL2's execution state + * is determined by SCR_EL3.RW. + */ + if (!(mode & PSR_MODE32_BIT) && mode >= PSR_MODE_EL2t) + pstate = PSR_MODE_EL2h | PSR_IL_BIT; + write_sysreg_el2(ctxt->gp_regs.regs.pc, elr); - write_sysreg_el2(ctxt->gp_regs.regs.pstate, spsr); + write_sysreg_el2(pstate, spsr); if (cpus_have_const_cap(ARM64_HAS_RAS_EXTN)) write_sysreg_s(ctxt->sys_regs[DISR_EL1], SYS_VDISR_EL2); -- 2.19.1
next prev parent reply other threads:[~2018-10-19 12:59 UTC|newest] Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-10-19 12:58 [GIT PULL 00/26] KVM/arm updates for 4.20 Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 01/26] kvm: arm/arm64: Fix stage2_flush_memslot for 4 level page table Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 02/26] kvm: arm/arm64: Remove spurious WARN_ON Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 03/26] kvm: arm64: Add helper for loading the stage2 setting for a VM Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 04/26] arm64: Add a helper for PARange to physical shift conversion Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 05/26] kvm: arm64: Clean up VTCR_EL2 initialisation Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 06/26] kvm: arm/arm64: Allow arch specific configurations for VM Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 07/26] kvm: arm64: Configure VTCR_EL2 per VM Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 08/26] kvm: arm/arm64: Prepare for VM specific stage2 translations Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 09/26] kvm: arm64: Prepare for dynamic stage2 page table layout Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 10/26] kvm: arm64: Make stage2 page table layout dynamic Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 11/26] kvm: arm64: Dynamic configuration of VTTBR mask Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 12/26] kvm: arm64: Configure VTCR_EL2.SL0 per VM Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 13/26] kvm: arm64: Switch to per VM IPA limit Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 14/26] vgic: Add support for 52bit guest physical address Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 15/26] kvm: arm64: Add 52bit support for PAR to HPFAR conversoin Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 16/26] kvm: arm64: Set a limit on the IPA size Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 17/26] kvm: arm64: Limit the minimum number of page table levels Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 18/26] kvm: arm64: Allow tuning the physical address size for VM Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 19/26] KVM: arm/arm64: Rename kvm_arm_config_vm to kvm_arm_setup_stage2 Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 20/26] KVM: arm64: Drop __cpu_init_stage2 on the VHE path Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 21/26] arm64: KVM: Remove some extra semicolon in kvm_target_cpu Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 22/26] KVM: arm/arm64: Ensure only THP is candidate for adjustment Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 23/26] KVM: arm64: Fix caching of host MDCR_EL2 value Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:58 ` [PATCH 24/26] arm/arm64: KVM: Rename function kvm_arch_dev_ioctl_check_extension() Marc Zyngier 2018-10-19 12:58 ` Marc Zyngier 2018-10-19 12:59 ` [PATCH 25/26] arm/arm64: KVM: Enable 32 bits kvm vcpu events support Marc Zyngier 2018-10-19 12:59 ` Marc Zyngier 2018-10-19 12:59 ` Marc Zyngier [this message] 2018-10-19 12:59 ` [PATCH 26/26] KVM: arm64: Safety check PSTATE when entering guest and handle IL Marc Zyngier 2018-10-19 13:23 ` [GIT PULL 00/26] KVM/arm updates for 4.20 Paolo Bonzini 2018-10-19 13:23 ` Paolo Bonzini
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20181019125901.185478-27-marc.zyngier@arm.com \ --to=marc.zyngier@arm.com \ --cc=catalin.marinas@arm.com \ --cc=gengdongjiu@huawei.com \ --cc=kristina.martsenko@arm.com \ --cc=kvm@vger.kernel.org \ --cc=kvmarm@lists.cs.columbia.edu \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=pbonzini@redhat.com \ --cc=punit.agrawal@arm.com \ --cc=rkrcmar@redhat.com \ --cc=robin.murphy@arm.com \ --cc=zhongjiang@huawei.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.