From: Nathan Chancellor <nathan@kernel.org>
To: Jian Cai <jiancai@google.com>
Cc: ndesaulniers@google.com, manojgupta@google.com,
llozano@google.com, clang-built-linux@googlegroups.com,
"David Laight" <David.Laight@aculab.com>,
"Will Deacon" <will@kernel.org>,
"Russell King" <linux@armlinux.org.uk>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Kees Cook" <keescook@chromium.org>,
"Ard Biesheuvel" <ardb@kernel.org>,
"Andreas Färber" <afaerber@suse.de>,
"Ingo Molnar" <mingo@kernel.org>,
"Olof Johansson" <olof@lixom.net>,
"Marc Zyngier" <maz@kernel.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Mike Rapoport" <rppt@kernel.org>,
"David Brazdil" <dbrazdil@google.com>,
"James Morse" <james.morse@arm.com>,
"Mark Rutland" <mark.rutland@arm.com>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v3] ARM: Implement SLS mitigation
Date: Fri, 19 Feb 2021 13:30:53 -0700 [thread overview]
Message-ID: <20210219203053.GA53507@24bbad8f3778> (raw)
In-Reply-To: <20210219201852.3213914-1-jiancai@google.com>
Hi Jian,
On Fri, Feb 19, 2021 at 12:18:40PM -0800, 'Jian Cai' via Clang Built Linux wrote:
> This patch adds CONFIG_HARDEN_SLS_ALL that can be used to turn on
> -mharden-sls=all, which mitigates the straight-line speculation
> vulnerability, speculative execution of the instruction following some
> unconditional jumps. Notice -mharden-sls= has other options as below,
> and this config turns on the strongest option.
>
> all: enable all mitigations against Straight Line Speculation that are implemented.
> none: disable all mitigations against Straight Line Speculation.
> retbr: enable the mitigation against Straight Line Speculation for RET and BR instructions.
> blr: enable the mitigation against Straight Line Speculation for BLR instructions.
>
> Links:
> https://reviews.llvm.org/D93221
> https://reviews.llvm.org/D81404
> https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation
> https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions#SLS2
>
> Suggested-by: Manoj Gupta <manojgupta@google.com>
> Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
> Suggested-by: Nathan Chancellor <nathan@kernel.org>
> Suggested-by: David Laight <David.Laight@aculab.com>
> Suggested-by: Will Deacon <will@kernel.org>
> Reviewed-by: Nathan Chancellor <nathan@kernel.org>
My review still stands but in the future, if you significantly change
how a patch is structured or works, please drop my tag and let me re-add
it.
One comment below.
> Signed-off-by: Jian Cai <jiancai@google.com>
> ---
>
> Changes v2 -> v3:
> Modify linker scripts as Nick suggested to address boot failure
> (verified with qemu). Added more details in Kconfig.hardening
> description. Disable the config by default.
>
> arch/arm/Makefile | 4 ++++
> arch/arm/include/asm/vmlinux.lds.h | 4 ++++
> arch/arm/kernel/vmlinux.lds.S | 1 +
> arch/arm64/Makefile | 4 ++++
> arch/arm64/kernel/vmlinux.lds.S | 5 +++++
> security/Kconfig.hardening | 10 ++++++++++
> 6 files changed, 28 insertions(+)
>
> diff --git a/arch/arm/Makefile b/arch/arm/Makefile
> index 4aaec9599e8a..11d89ef32da9 100644
> --- a/arch/arm/Makefile
> +++ b/arch/arm/Makefile
> @@ -48,6 +48,10 @@ CHECKFLAGS += -D__ARMEL__
> KBUILD_LDFLAGS += -EL
> endif
>
> +ifeq ($(CONFIG_HARDEN_SLS_ALL), y)
> +KBUILD_CFLAGS += -mharden-sls=all
> +endif
> +
> #
> # The Scalar Replacement of Aggregates (SRA) optimization pass in GCC 4.9 and
> # later may result in code being generated that handles signed short and signed
> diff --git a/arch/arm/include/asm/vmlinux.lds.h b/arch/arm/include/asm/vmlinux.lds.h
> index 4a91428c324d..c7f9717511ca 100644
> --- a/arch/arm/include/asm/vmlinux.lds.h
> +++ b/arch/arm/include/asm/vmlinux.lds.h
> @@ -145,3 +145,7 @@
> __edtcm_data = .; \
> } \
> . = __dtcm_start + SIZEOF(.data_dtcm);
> +
> +#define SLS_TEXT \
> + ALIGN_FUNCTION(); \
> + *(.text.__llvm_slsblr_thunk_*)
> diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
> index f7f4620d59c3..e71f2bc97bae 100644
> --- a/arch/arm/kernel/vmlinux.lds.S
> +++ b/arch/arm/kernel/vmlinux.lds.S
> @@ -63,6 +63,7 @@ SECTIONS
> .text : { /* Real text segment */
> _stext = .; /* Text and read-only data */
> ARM_TEXT
> + SLS_TEXT
> }
>
> #ifdef CONFIG_DEBUG_ALIGN_RODATA
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index 90309208bb28..ca7299b356a9 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -34,6 +34,10 @@ $(warning LSE atomics not supported by binutils)
> endif
> endif
>
> +ifeq ($(CONFIG_HARDEN_SLS_ALL), y)
> +KBUILD_CFLAGS += -mharden-sls=all
> +endif
> +
> cc_has_k_constraint := $(call try-run,echo \
> 'int main(void) { \
> asm volatile("and w0, w0, %w0" :: "K" (4294967295)); \
> diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
> index 4c0b0c89ad59..f8912e42ffcd 100644
> --- a/arch/arm64/kernel/vmlinux.lds.S
> +++ b/arch/arm64/kernel/vmlinux.lds.S
> @@ -93,6 +93,10 @@ jiffies = jiffies_64;
> #define TRAMP_TEXT
> #endif
>
> +#define SLS_TEXT \
> + ALIGN_FUNCTION(); \
> + *(.text.__llvm_slsblr_thunk_*)
> +
> /*
> * The size of the PE/COFF section that covers the kernel image, which
> * runs from _stext to _edata, must be a round multiple of the PE/COFF
> @@ -144,6 +148,7 @@ SECTIONS
> HIBERNATE_TEXT
> TRAMP_TEXT
> *(.fixup)
> + SLS_TEXT
> *(.gnu.warning)
> . = ALIGN(16);
> *(.got) /* Global offset table */
> diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
> index 269967c4fc1b..e70f227019e1 100644
> --- a/security/Kconfig.hardening
> +++ b/security/Kconfig.hardening
> @@ -121,6 +121,16 @@ choice
>
> endchoice
>
> +config HARDEN_SLS_ALL
> + bool "enable SLS vulnerability hardening"
> + default n
> + def_bool $(cc-option,-mharden-sls=all)
This is a much more convoluted way of writing:
depends on $(cc-option,-mharden-sls=all)
"default n" is the default and "def_bool" is short for:
bool
default <expr>
which is defeated by the "default n".
> + help
> + Enables straight-line speculation vulnerability hardening on ARM and ARM64
> + architectures. It inserts speculation barrier sequences (SB or DSB+ISB
> + depending on the target architecture) after RET and BR, and replacing
> + BLR with BL+BR sequence.
> +
> config GCC_PLUGIN_STRUCTLEAK_VERBOSE
> bool "Report forcefully initialized variables"
> depends on GCC_PLUGIN_STRUCTLEAK
> --
> 2.30.0.617.g56c4b15f3c-goog
>
WARNING: multiple messages have this Message-ID (diff)
From: Nathan Chancellor <nathan@kernel.org>
To: Jian Cai <jiancai@google.com>
Cc: "Mark Rutland" <mark.rutland@arm.com>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"James Morris" <jmorris@namei.org>,
manojgupta@google.com, "Will Deacon" <will@kernel.org>,
"Ingo Molnar" <mingo@kernel.org>, "Marc Zyngier" <maz@kernel.org>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Russell King" <linux@armlinux.org.uk>,
"Ard Biesheuvel" <ardb@kernel.org>,
clang-built-linux@googlegroups.com, llozano@google.com,
"David Brazdil" <dbrazdil@google.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Kees Cook" <keescook@chromium.org>,
"Arnd Bergmann" <arnd@arndb.de>,
linux-arm-kernel@lists.infradead.org, ndesaulniers@google.com,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
"David Laight" <David.Laight@aculab.com>,
"James Morse" <james.morse@arm.com>,
"Olof Johansson" <olof@lixom.net>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Andreas Färber" <afaerber@suse.de>,
"Mike Rapoport" <rppt@kernel.org>
Subject: Re: [PATCH v3] ARM: Implement SLS mitigation
Date: Fri, 19 Feb 2021 13:30:53 -0700 [thread overview]
Message-ID: <20210219203053.GA53507@24bbad8f3778> (raw)
In-Reply-To: <20210219201852.3213914-1-jiancai@google.com>
Hi Jian,
On Fri, Feb 19, 2021 at 12:18:40PM -0800, 'Jian Cai' via Clang Built Linux wrote:
> This patch adds CONFIG_HARDEN_SLS_ALL that can be used to turn on
> -mharden-sls=all, which mitigates the straight-line speculation
> vulnerability, speculative execution of the instruction following some
> unconditional jumps. Notice -mharden-sls= has other options as below,
> and this config turns on the strongest option.
>
> all: enable all mitigations against Straight Line Speculation that are implemented.
> none: disable all mitigations against Straight Line Speculation.
> retbr: enable the mitigation against Straight Line Speculation for RET and BR instructions.
> blr: enable the mitigation against Straight Line Speculation for BLR instructions.
>
> Links:
> https://reviews.llvm.org/D93221
> https://reviews.llvm.org/D81404
> https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation
> https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions#SLS2
>
> Suggested-by: Manoj Gupta <manojgupta@google.com>
> Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
> Suggested-by: Nathan Chancellor <nathan@kernel.org>
> Suggested-by: David Laight <David.Laight@aculab.com>
> Suggested-by: Will Deacon <will@kernel.org>
> Reviewed-by: Nathan Chancellor <nathan@kernel.org>
My review still stands but in the future, if you significantly change
how a patch is structured or works, please drop my tag and let me re-add
it.
One comment below.
> Signed-off-by: Jian Cai <jiancai@google.com>
> ---
>
> Changes v2 -> v3:
> Modify linker scripts as Nick suggested to address boot failure
> (verified with qemu). Added more details in Kconfig.hardening
> description. Disable the config by default.
>
> arch/arm/Makefile | 4 ++++
> arch/arm/include/asm/vmlinux.lds.h | 4 ++++
> arch/arm/kernel/vmlinux.lds.S | 1 +
> arch/arm64/Makefile | 4 ++++
> arch/arm64/kernel/vmlinux.lds.S | 5 +++++
> security/Kconfig.hardening | 10 ++++++++++
> 6 files changed, 28 insertions(+)
>
> diff --git a/arch/arm/Makefile b/arch/arm/Makefile
> index 4aaec9599e8a..11d89ef32da9 100644
> --- a/arch/arm/Makefile
> +++ b/arch/arm/Makefile
> @@ -48,6 +48,10 @@ CHECKFLAGS += -D__ARMEL__
> KBUILD_LDFLAGS += -EL
> endif
>
> +ifeq ($(CONFIG_HARDEN_SLS_ALL), y)
> +KBUILD_CFLAGS += -mharden-sls=all
> +endif
> +
> #
> # The Scalar Replacement of Aggregates (SRA) optimization pass in GCC 4.9 and
> # later may result in code being generated that handles signed short and signed
> diff --git a/arch/arm/include/asm/vmlinux.lds.h b/arch/arm/include/asm/vmlinux.lds.h
> index 4a91428c324d..c7f9717511ca 100644
> --- a/arch/arm/include/asm/vmlinux.lds.h
> +++ b/arch/arm/include/asm/vmlinux.lds.h
> @@ -145,3 +145,7 @@
> __edtcm_data = .; \
> } \
> . = __dtcm_start + SIZEOF(.data_dtcm);
> +
> +#define SLS_TEXT \
> + ALIGN_FUNCTION(); \
> + *(.text.__llvm_slsblr_thunk_*)
> diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
> index f7f4620d59c3..e71f2bc97bae 100644
> --- a/arch/arm/kernel/vmlinux.lds.S
> +++ b/arch/arm/kernel/vmlinux.lds.S
> @@ -63,6 +63,7 @@ SECTIONS
> .text : { /* Real text segment */
> _stext = .; /* Text and read-only data */
> ARM_TEXT
> + SLS_TEXT
> }
>
> #ifdef CONFIG_DEBUG_ALIGN_RODATA
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index 90309208bb28..ca7299b356a9 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -34,6 +34,10 @@ $(warning LSE atomics not supported by binutils)
> endif
> endif
>
> +ifeq ($(CONFIG_HARDEN_SLS_ALL), y)
> +KBUILD_CFLAGS += -mharden-sls=all
> +endif
> +
> cc_has_k_constraint := $(call try-run,echo \
> 'int main(void) { \
> asm volatile("and w0, w0, %w0" :: "K" (4294967295)); \
> diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
> index 4c0b0c89ad59..f8912e42ffcd 100644
> --- a/arch/arm64/kernel/vmlinux.lds.S
> +++ b/arch/arm64/kernel/vmlinux.lds.S
> @@ -93,6 +93,10 @@ jiffies = jiffies_64;
> #define TRAMP_TEXT
> #endif
>
> +#define SLS_TEXT \
> + ALIGN_FUNCTION(); \
> + *(.text.__llvm_slsblr_thunk_*)
> +
> /*
> * The size of the PE/COFF section that covers the kernel image, which
> * runs from _stext to _edata, must be a round multiple of the PE/COFF
> @@ -144,6 +148,7 @@ SECTIONS
> HIBERNATE_TEXT
> TRAMP_TEXT
> *(.fixup)
> + SLS_TEXT
> *(.gnu.warning)
> . = ALIGN(16);
> *(.got) /* Global offset table */
> diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
> index 269967c4fc1b..e70f227019e1 100644
> --- a/security/Kconfig.hardening
> +++ b/security/Kconfig.hardening
> @@ -121,6 +121,16 @@ choice
>
> endchoice
>
> +config HARDEN_SLS_ALL
> + bool "enable SLS vulnerability hardening"
> + default n
> + def_bool $(cc-option,-mharden-sls=all)
This is a much more convoluted way of writing:
depends on $(cc-option,-mharden-sls=all)
"default n" is the default and "def_bool" is short for:
bool
default <expr>
which is defeated by the "default n".
> + help
> + Enables straight-line speculation vulnerability hardening on ARM and ARM64
> + architectures. It inserts speculation barrier sequences (SB or DSB+ISB
> + depending on the target architecture) after RET and BR, and replacing
> + BLR with BL+BR sequence.
> +
> config GCC_PLUGIN_STRUCTLEAK_VERBOSE
> bool "Report forcefully initialized variables"
> depends on GCC_PLUGIN_STRUCTLEAK
> --
> 2.30.0.617.g56c4b15f3c-goog
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-02-19 20:31 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-12 5:14 [PATCH] ARM: Implement Clang's SLS mitigation Jian Cai
2021-02-12 5:14 ` Jian Cai
2021-02-12 5:55 ` Nathan Chancellor
2021-02-12 5:55 ` Nathan Chancellor
2021-02-12 10:41 ` David Laight
2021-02-12 10:41 ` David Laight
2021-02-12 19:52 ` [PATCH v2] " Jian Cai
2021-02-12 19:52 ` Jian Cai
2021-02-17 9:49 ` Will Deacon
2021-02-17 9:49 ` Will Deacon
2021-02-17 11:05 ` David Laight
2021-02-17 11:05 ` David Laight
2021-03-25 14:01 ` Linus Walleij
2021-03-25 14:01 ` Linus Walleij
2021-02-17 18:20 ` Nick Desaulniers
2021-02-17 18:20 ` Nick Desaulniers
2021-02-19 20:18 ` [PATCH v3] ARM: Implement " Jian Cai
2021-02-19 20:18 ` Jian Cai
2021-02-19 20:30 ` Nathan Chancellor [this message]
2021-02-19 20:30 ` Nathan Chancellor
2021-02-19 23:08 ` [PATCH v4] " Jian Cai
2021-02-19 23:08 ` Jian Cai
2021-02-21 10:13 ` Russell King - ARM Linux admin
2021-02-21 10:13 ` Russell King - ARM Linux admin
2021-02-22 11:58 ` Will Deacon
2021-02-22 11:58 ` Will Deacon
2021-02-22 21:50 ` Jian Cai
2021-02-22 21:50 ` Jian Cai
2021-02-23 10:04 ` Will Deacon
2021-02-23 10:04 ` Will Deacon
2021-03-03 15:18 ` Linus Walleij
2021-03-03 15:18 ` Linus Walleij
2021-03-03 15:29 ` David Laight
2021-03-03 15:29 ` David Laight
2021-03-03 15:31 ` Linus Walleij
2021-03-03 15:31 ` Linus Walleij
2021-02-23 2:31 ` [PATCH v5] " Jian Cai
2021-02-23 2:31 ` Jian Cai
2021-02-23 2:35 ` Jian Cai
2021-02-23 2:35 ` Jian Cai
2021-03-03 15:04 ` Linus Walleij
2021-03-03 15:04 ` Linus Walleij
2021-03-04 23:22 ` Jian Cai
2021-03-04 23:22 ` Jian Cai
2021-03-06 12:25 ` Linus Walleij
2021-03-06 12:25 ` Linus Walleij
2021-03-10 4:43 ` Jian Cai
2021-03-10 4:43 ` Jian Cai
2021-03-22 11:45 ` Linus Walleij
2021-03-22 11:45 ` Linus Walleij
2021-03-23 22:39 ` Jian Cai
2021-03-23 22:39 ` Jian Cai
2021-03-05 0:53 ` [PATCH v6] " Jian Cai
2021-03-05 0:53 ` Jian Cai
2021-03-05 9:52 ` Will Deacon
2021-03-05 9:52 ` Will Deacon
2021-03-06 12:27 ` Linus Walleij
2021-03-06 12:27 ` Linus Walleij
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210219203053.GA53507@24bbad8f3778 \
--to=nathan@kernel.org \
--cc=David.Laight@aculab.com \
--cc=afaerber@suse.de \
--cc=akpm@linux-foundation.org \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=catalin.marinas@arm.com \
--cc=clang-built-linux@googlegroups.com \
--cc=dbrazdil@google.com \
--cc=james.morse@arm.com \
--cc=jiancai@google.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=llozano@google.com \
--cc=manojgupta@google.com \
--cc=mark.rutland@arm.com \
--cc=masahiroy@kernel.org \
--cc=maz@kernel.org \
--cc=mingo@kernel.org \
--cc=ndesaulniers@google.com \
--cc=olof@lixom.net \
--cc=rppt@kernel.org \
--cc=serge@hallyn.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.