[v4.4,00/45] V4.4 backport of arm64 Spectre patches

Message ID cover.1560480942.git.viresh.kumar@linaro.org

Viresh Kumar June 14, 2019, 3:07 a.m. UTC
Hello,

Here is an attempt to backport arm64 spectre patches to v4.4 stable
tree.

I have started this backport with Mark Rutland's backport of Spectre to
4.9 [1] and tried applying the upstream version of them over 4.4 and
resolved conflicts by checking how they have been resolved in 4.9.

I had to pick a few extra upstream patches to avoid unnecessary conflicts
(upstream commit ids mentioned):

  a842789837c0 arm64: remove duplicate macro __KERNEL__ check
  64f8ebaf115b mm/kasan: add API to check memory regions
  bffe1baff5d5 arm64: kasan: instrument user memory access API
  92406f0cc9e3 arm64: cpufeature: Add scope for capability check
  9eb8a2cdf65c arm64: cputype info for Broadcom Vulcan
  0d90718871fe arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
  98dd64f34f47 ARM: 8478/2: arm/arm64: add arm-smccc


I had to drop a few patches as well, as they weren't getting applied
properly due to missing files/features (upstream commit id mentioned):

  93f339ef4175 arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
  3c31fa5a06b4 arm64: Run enable method for errata work arounds on late CPUs
  6840bdd73d07 arm64: KVM: Use per-CPU vector when BP hardening is enabled
  90348689d500 arm64: KVM: Make PSCI_VERSION a fast path


Since v4.4 doesn't contain the arch/arm/kvm/hyp/switch.c file, changes for
it are dropped from some of the patches. The commit logs of the specific
patches are updated with this information.

Also for commit id (from 4.9 stable):
  c24c205d2528 arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support

I have dropped arch/arm64/crypto/sha256-core.S and sha512-core.S files
as they weren't part of the upstream commit. Not sure why it was
included by Mark as the commit log doesn't provide any reasoning for it.

The patches in this series are pushed here [2].

This is only build/boot tested by me as I don't have access to the
required test-suite which can verify spectre mitigations.

@Julien: Can you please help reviewing / testing them ? Thanks.

--
viresh

[1] https://patches.linaro.org/cover/133195/ with top commit in 4.9 stable tree:
    a3b292fe0560 arm64: futex: Mask __user pointers prior to dereference

[2] https://git.kernel.org/pub/scm/linux/kernel/git/vireshk/linux.git stable/v4.4.y/spectre


Andrey Ryabinin (1):
  mm/kasan: add API to check memory regions

Catalin Marinas (1):
  arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm
    macro

Jayachandran C (3):
  arm64: cputype info for Broadcom Vulcan
  arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
  arm64: Branch predictor hardening for Cavium ThunderX2

Jens Wiklander (1):
  ARM: 8478/2: arm/arm64: add arm-smccc

Laura Abbott (1):
  mm: Introduce lm_alias

Marc Zyngier (14):
  arm64: Move post_ttbr_update_workaround to C code
  arm64: Move BP hardening to check_and_switch_context
  arm64: cpu_errata: Allow an erratum to be match for all revisions of a
    core
  arm64: KVM: Increment PC after handling an SMC trap
  arm/arm64: KVM: Add PSCI_VERSION helper
  arm/arm64: KVM: Add smccc accessors to PSCI code
  arm/arm64: KVM: Implement PSCI 1.0 support
  arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
  firmware/psci: Expose PSCI conduit
  firmware/psci: Expose SMCCC version through psci_ops
  arm/arm64: smccc: Make function identifiers an unsigned quantity
  arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
  arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
  arm64: Kill PSCI_GET_VERSION as a variant-2 workaround

Mark Rutland (4):
  arm/arm64: KVM: Consolidate the PSCI include files
  arm/arm64: KVM: Advertise SMCCC v1.1
  arm/arm64: KVM: Turn kvm_psci_version into a static inline
  arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support

Robin Murphy (3):
  arm64: Implement array_index_mask_nospec()
  arm64: Make USER_DS an inclusive limit
  arm64: Use pointer masking to limit uaccess speculation

Suzuki K Poulose (1):
  arm64: cpufeature: Add scope for capability check

Will Deacon (13):
  arm64: barrier: Add CSDB macros to control data-value prediction
  arm64: entry: Ensure branch through syscall table is bounded under
    speculation
  arm64: uaccess: Prevent speculative use of the current addr_limit
  arm64: uaccess: Don't bother eliding access_ok checks in __{get,
    put}_user
  arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user
  arm64: cpufeature: Pass capability structure to ->enable callback
  drivers/firmware: Expose psci_get_version through psci_ops structure
  arm64: Add skeleton to harden the branch predictor against aliasing
    attacks
  arm64: entry: Apply BP hardening for high-priority synchronous
    exceptions
  arm64: entry: Apply BP hardening for suspicious interrupts from EL0
  arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75
  arm64: Implement branch predictor hardening for affected Cortex-A CPUs
  arm64: futex: Mask __user pointers prior to dereference

Yang Shi (1):
  arm64: kasan: instrument user memory access API

Yury Norov (1):
  arm64: move TASK_* definitions to <asm/processor.h>

zijun_hu (1):
  arm64: remove duplicate macro __KERNEL__ check

 MAINTAINERS                         |  14 ++
 arch/arm/include/asm/kvm_host.h     |   6 +
 arch/arm/include/asm/kvm_psci.h     |  27 ---
 arch/arm/kvm/arm.c                  |   2 +-
 arch/arm/kvm/handle_exit.c          |   4 +-
 arch/arm/kvm/psci.c                 | 143 ++++++++++++---
 arch/arm64/Kconfig                  |  17 ++
 arch/arm64/include/asm/assembler.h  |  18 ++
 arch/arm64/include/asm/barrier.h    |  23 +++
 arch/arm64/include/asm/cpufeature.h |  12 +-
 arch/arm64/include/asm/cputype.h    |  12 ++
 arch/arm64/include/asm/futex.h      |   9 +-
 arch/arm64/include/asm/kvm_host.h   |   5 +
 arch/arm64/include/asm/kvm_psci.h   |  27 ---
 arch/arm64/include/asm/memory.h     |  15 --
 arch/arm64/include/asm/mmu.h        |  39 ++++
 arch/arm64/include/asm/processor.h  |  26 ++-
 arch/arm64/include/asm/sysreg.h     |   2 +
 arch/arm64/include/asm/uaccess.h    | 175 ++++++++++++------
 arch/arm64/kernel/Makefile          |   5 +
 arch/arm64/kernel/arm64ksyms.c      |   8 +-
 arch/arm64/kernel/bpi.S             |  75 ++++++++
 arch/arm64/kernel/cpu_errata.c      | 185 ++++++++++++++++++-
 arch/arm64/kernel/cpufeature.c      | 112 ++++++------
 arch/arm64/kernel/entry.S           |  26 ++-
 arch/arm64/kvm/handle_exit.c        |  16 +-
 arch/arm64/kvm/hyp.S                |  20 ++-
 arch/arm64/lib/clear_user.S         |   6 +-
 arch/arm64/lib/copy_from_user.S     |   4 +-
 arch/arm64/lib/copy_in_user.S       |   4 +-
 arch/arm64/lib/copy_to_user.S       |   4 +-
 arch/arm64/mm/context.c             |  12 ++
 arch/arm64/mm/fault.c               |  31 ++++
 arch/arm64/mm/proc.S                |  12 +-
 drivers/firmware/Kconfig            |   3 +
 drivers/firmware/psci.c             |  58 +++++-
 include/kvm/arm_psci.h              |  51 ++++++
 include/linux/arm-smccc.h           | 267 ++++++++++++++++++++++++++++
 include/linux/kasan-checks.h        |  12 ++
 include/linux/mm.h                  |   4 +
 include/linux/psci.h                |  14 ++
 include/uapi/linux/psci.h           |   3 +
 mm/kasan/kasan.c                    |  12 ++
 43 files changed, 1270 insertions(+), 250 deletions(-)
 delete mode 100644 arch/arm/include/asm/kvm_psci.h
 delete mode 100644 arch/arm64/include/asm/kvm_psci.h
 create mode 100644 arch/arm64/kernel/bpi.S
 create mode 100644 include/kvm/arm_psci.h
 create mode 100644 include/linux/arm-smccc.h
 create mode 100644 include/linux/kasan-checks.h

-- 
2.21.0.rc0.269.g1a574e7a288b

Comments

Greg Kroah-Hartman June 17, 2019, 12:10 p.m. UTC | #1
On Fri, Jun 14, 2019 at 08:37:43AM +0530, Viresh Kumar wrote:
> Hello,
>
> Here is an attempt to backport arm64 spectre patches to v4.4 stable
> tree.
>
> I have started this backport with Mark Rutland's backport of Spectre to
> 4.9 [1] and tried applying the upstream version of them over 4.4 and
> resolved conflicts by checking how they have been resolved in 4.9.
>
> I had to pick few extra upstream patches to avoid unnecessary conflicts
> (upstream commit ids mentioned):
>
>   a842789837c0 arm64: remove duplicate macro __KERNEL__ check
>   64f8ebaf115b mm/kasan: add API to check memory regions
>   bffe1baff5d5 arm64: kasan: instrument user memory access API
>   92406f0cc9e3 arm64: cpufeature: Add scope for capability check
>   9eb8a2cdf65c arm64: cputype info for Broadcom Vulcan
>   0d90718871fe arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
>   98dd64f34f47 ARM: 8478/2: arm/arm64: add arm-smccc
>
>
> I had to drop few patches as well as they weren't getting applied
> properly due to missing files/features (upstream commit id mentioned):
>
>   93f339ef4175 arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
>   3c31fa5a06b4 arm64: Run enable method for errata work arounds on late CPUs
>   6840bdd73d07 arm64: KVM: Use per-CPU vector when BP hardening is enabled
>   90348689d500 arm64: KVM: Make PSCI_VERSION a fast path
>
>
> Since v4.4 doesn't contain arch/arm/kvm/hyp/switch.c file, changes for
> it are dropped from some of the patches. The commit log of specific
> patches are updated with this information.
>
> Also for commit id (from 4.9 stable):
>   c24c205d2528 arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
>
> I have dropped arch/arm64/crypto/sha256-core.S and sha512-core.S files
> as they weren't part of the upstream commit. Not sure why it was
> included by Mark as the commit log doesn't provide any reasoning for it.
>
> The patches in this series are pushed here [2].
>
> This is only build/boot tested by me as I don't have access to the
> required test-suite which can verify spectre mitigations.


Thanks for doing this work.

> @Julien: Can you please help reviewing / testing them ? Thanks.


Julien, I need yours, or someone from ARM to sign off on these patches
as working properly before I can accept them.

thanks,

greg k-h

Julien Thierry June 17, 2019, 4:03 p.m. UTC | #2
Hi Viresh,

Thanks for doing that work and having provided a detailed description
for the backport process.

I haven't finished reviewing/testing the whole series yet, but I have
some concerns (do let me know in case I'm missing something and that it
turns out these aren't really issues).

Please see comments below.

On 14/06/2019 04:07, Viresh Kumar wrote:
> Hello,
>
> Here is an attempt to backport arm64 spectre patches to v4.4 stable
> tree.
>
> I have started this backport with Mark Rutland's backport of Spectre to
> 4.9 [1] and tried applying the upstream version of them over 4.4 and
> resolved conflicts by checking how they have been resolved in 4.9.
>
> I had to pick few extra upstream patches to avoid unnecessary conflicts
> (upstream commit ids mentioned):
>
>   a842789837c0 arm64: remove duplicate macro __KERNEL__ check


I'm a bit unfamiliar with what gets or doesn't get backported. My
understanding is that we try to backport only what's necessary to reduce
the noise and potential introduction of issues in stable releases.

This commit is just a cleanup and (while valid) doesn't really seem
necessary (and potential conflicts from its absence would easily be
resolved IMO). So I'm just concerned that this doesn't constitute a
candidate for back porting (someone can correct me if I'm wrong).

>   64f8ebaf115b mm/kasan: add API to check memory regions
>   bffe1baff5d5 arm64: kasan: instrument user memory access API
>   92406f0cc9e3 arm64: cpufeature: Add scope for capability check
>   9eb8a2cdf65c arm64: cputype info for Broadcom Vulcan
>   0d90718871fe arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
>   98dd64f34f47 ARM: 8478/2: arm/arm64: add arm-smccc
>
>
> I had to drop few patches as well as they weren't getting applied
> properly due to missing files/features (upstream commit id mentioned):
>
>   93f339ef4175 arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
>   3c31fa5a06b4 arm64: Run enable method for errata work arounds on late CPUs


Looking at this and at the patches that implement the BP callbacks, we
need that patch or an equivalent, otherwise we won't be using the
correct vectors for late CPUs...

I appreciate the code has changed, but it might be worth considering
6a6efbb45b7d95c84840010095367eb06a64f342 as a needed dependency for BP
hardening.

>   6840bdd73d07 arm64: KVM: Use per-CPU vector when BP hardening is enabled


I don't believe we can do without this patch. Otherwise we're only using
the vector that has no mitigation for kvm guests.

In v4.4, it looks like the contents of virt/kvm/arm/arm.c were contained
in arch/arm/kvm/arm.c (yes, even for arm64). Are there other reasons
this patch was not applying?

Thanks,

-- 
Julien Thierry

Julien Thierry June 17, 2019, 4:30 p.m. UTC | #3
Hi Viresh,

After discussing it internally, we think it would be better to drop the
patches related to KVM for now. In 4.4, KVM Arm is not very mature and has
changed a lot since then.

If someone wants to backport the mitigations for KVM in 4.4, it should
be done as a separate series. The series is big enough as it is. For
now, the main point is to focus on the kernel itself.

Sorry you already went through some trouble to backport those. But
dropping them will simplify review and testing, and as mentioned, 4.4 KVM on
Arm is probably not worth the hassle.

Cheers,

-- 
Julien Thierry

Viresh Kumar June 18, 2019, 10:21 a.m. UTC | #4
On 17-06-19, 17:03, Julien Thierry wrote:
> On 14/06/2019 04:07, Viresh Kumar wrote:
> > Hello,
> >
> > Here is an attempt to backport arm64 spectre patches to v4.4 stable
> > tree.
> >
> > I have started this backport with Mark Rutland's backport of Spectre to
> > 4.9 [1] and tried applying the upstream version of them over 4.4 and
> > resolved conflicts by checking how they have been resolved in 4.9.
> >
> > I had to pick few extra upstream patches to avoid unnecessary conflicts
> > (upstream commit ids mentioned):
> >
> >   a842789837c0 arm64: remove duplicate macro __KERNEL__ check
>
> I'm a bit unfamiliar with what gets or doesn't get backported. My
> understanding is that we try to backport only what's necessary to reduce
> the noise and potential introduction of issues in stable releases.
>
> This commit is just a cleanup and (while valid) doesn't really seem
> necessary (and potential conflicts from its absence would easily be
> resolved IMO). So I'm just concerned that this doesn't constitute a
> candidate for back porting (someone can correct me if I'm wrong).


Dropped now.

> >   64f8ebaf115b mm/kasan: add API to check memory regions
> >   bffe1baff5d5 arm64: kasan: instrument user memory access API
> >   92406f0cc9e3 arm64: cpufeature: Add scope for capability check
> >   9eb8a2cdf65c arm64: cputype info for Broadcom Vulcan
> >   0d90718871fe arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
> >   98dd64f34f47 ARM: 8478/2: arm/arm64: add arm-smccc
> >
> >
> > I had to drop few patches as well as they weren't getting applied
> > properly due to missing files/features (upstream commit id mentioned):
> >
> >   93f339ef4175 arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
> >   3c31fa5a06b4 arm64: Run enable method for errata work arounds on late CPUs
>
> Looking at this and at the patches that implement the BP callbacks, we
> need that patch or an equivalent, otherwise we won't be using the
> correct vectors for late CPUs...
>
> I appreciate the code has changed, but it might be worth considering
> 6a6efbb45b7d95c84840010095367eb06a64f342 as a needed dependency for BP
> hardening.


Okay, I had to pick two more patches for a clean rebase.

d4a7e845dab5 arm64: Introduce cpu_die_early
7242dbf2e4da arm64: Move cpu_die_early to smp.c
545fe20330c3 arm64: Verify CPU errata work arounds on hotplugged CPU
0365babc6c1f arm64: Run enable method for errata work arounds on late CPUs

(You can fetch my tree again to get these commit ids)

> >   6840bdd73d07 arm64: KVM: Use per-CPU vector when BP hardening is enabled
>
> I don't believe we can do without this patch. Otherwise we're only using
> the vector that has no mitigation for kvm guests.
>
> In v4.4, it looks like the contents of virt/kvm/arm/arm.c were contained
> in arch/arm/kvm/arm.c (yes, even for amr64). Are there other reasons
> this patch was not applying?


It was something other than this I believe, I have already used these paths for
many other patches.

Anyway, KVM stuff is mostly dropped now, just that I had to keep the changes to
arm-smccc.h from those patches.

I have updated the stable/v4.4.y/spectre branch with all the changes you
suggested and pushed the earlier version to stable/v4.4.y/spectre-v1 branch.

Will it be possible for you to have a look at stable/v4.4.y/spectre branch to
see if it is okay, so I can send the v2 version? Don't want to spam the list
unnecessarily with so many patches :)

Thanks for your help Julien, really appreciate it.

-- 
viresh

Julien Thierry June 19, 2019, 11:03 a.m. UTC | #5
Hi Viresh,

On 18/06/2019 11:21, Viresh Kumar wrote:
> On 17-06-19, 17:03, Julien Thierry wrote:
>> On 14/06/2019 04:07, Viresh Kumar wrote:


[...]

> I have updated the stable/v4.4.y/spectre branch with all the changes you
> suggested and pushed the earlier version to stable/v4.4.y/spectre-v1 branch.
>
> Will it be possible for you to have a look at stable/v4.4.y/spectre branch to
> see if it is okay, so I can send the v2 version ? Don't want to spam list
> unnecessary with so many patches :)
>


I've given a run for your new version and it looks like the BP hardening
is not taking place.

I believe the culprit is update_cpu_capabilities(), which in 4.4 tests
for capability.desc to know where to stop (and requires all valid
capabilities to have a description).

Since commit 644c2ae19 "arm64: cpufeature: Test 'matches' pointer to
find the end of the list", the restriction was lifted.
Unfortunately for you, the errata workarounds using BP hardening were
introduced after that commit and were not given a description. So they
do not get applied and also, in the current state, would prevent
following entries in the errata table from getting applied.

So either 644c2ae19 needs to be backported, or the workarounds need to
be given descriptions.

I'll let you know if I find anything else.

Cheers,

-- 
Julien Thierry
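
The failure mode described in the message above, as an added example that is not part of the thread or of the kernel source: a simplified model of a capability table walk that uses the description pointer as its end-of-list test, next to one that uses the `matches` pointer. The struct layout, table contents and function names are hypothetical.

```c
/* Added illustration: simplified model, not the kernel's cpufeature code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct cap {                              /* hypothetical, cut-down entry */
    const char *desc;                     /* optional description string */
    bool (*matches)(const struct cap *);  /* does this CPU need the entry? */
    int capability;                       /* bit to set when it matches */
};

static bool always(const struct cap *c) { (void)c; return true; }

/* Constructed errata table. The middle entry has no description, like the
 * BP hardening workarounds discussed in the thread. */
static const struct cap errata[] = {
    { .desc = "erratum A", .matches = always, .capability = 0 },
    { .desc = NULL,        .matches = always, .capability = 1 },
    { .desc = "erratum C", .matches = always, .capability = 2 },
    { .desc = NULL,        .matches = NULL,   .capability = 0 }, /* sentinel */
};

/* Walk that treats a NULL desc as the end of the list. */
static unsigned scan_desc_terminated(const struct cap *caps)
{
    unsigned mask = 0;
    for (; caps->desc; caps++)
        if (caps->matches(caps))
            mask |= 1u << caps->capability;
    return mask;
}

/* Walk that treats a NULL matches pointer as the end of the list. */
static unsigned scan_matches_terminated(const struct cap *caps)
{
    unsigned mask = 0;
    for (; caps->matches; caps++)
        if (caps->matches(caps))
            mask |= 1u << caps->capability;
    return mask;
}

/* Backport sanity check: index of the first live entry that a
 * desc-terminated walk would mistake for the sentinel, or -1 if none. */
static int first_undescribed(const struct cap *caps)
{
    for (int i = 0; caps[i].matches; i++)
        if (!caps[i].desc)
            return i;
    return -1;
}

int main(void)
{
    /* Entry 1 and everything after it are skipped by the first walk. */
    printf("desc-terminated:    0x%x\n", scan_desc_terminated(errata));
    printf("matches-terminated: 0x%x\n", scan_matches_terminated(errata));
    printf("first undescribed entry: %d\n", first_undescribed(errata));
    return 0;
}
```

The undescribed entry is not only skipped itself: the entry after it is never reached either, which is why a boot test alone does not show whether the workaround was enabled.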

Viresh Kumar June 19, 2019, 11:20 a.m. UTC | #6
On 19-06-19, 12:03, Julien Thierry wrote:
> I've given a run for your new version and it looks like the BP hardening
> is not taking place.
>
> I believe the culprit is update_cpu_capabilities(), which in 4.4 tests
> for capability.desc to know where to stop (and requires all valid
> capabilities to have a description).
>
> Since commit 644c2ae19 "arm64: cpufeature: Test 'matches' pointer to
> find the end of the list", the restriction was lifted.
> Unfortunately for you, the errata workarounds using BP hardening were
> introduced after that commit and were not given a description. So they
> do not get applied and also, in the current state, would prevent
> following entries in the errata table from getting applied.
>
> So either 644c2ae19 needs to be backported, or the workarounds need to
> be given descriptions.


Okay, I have backported it and pushed it to my branch now. Thanks.

-- 
viresh

Julien Thierry July 11, 2019, 1:57 p.m. UTC | #7
Hi Viresh,

On 14/06/2019 04:07, Viresh Kumar wrote:
> Hello,
>
> Here is an attempt to backport arm64 spectre patches to v4.4 stable
> tree.
>
> I have started this backport with Mark Rutland's backport of Spectre to
> 4.9 [1] and tried applying the upstream version of them over 4.4 and
> resolved conflicts by checking how they have been resolved in 4.9.
>
> I had to pick few extra upstream patches to avoid unnecessary conflicts
> (upstream commit ids mentioned):
>
>   a842789837c0 arm64: remove duplicate macro __KERNEL__ check
>   64f8ebaf115b mm/kasan: add API to check memory regions
>   bffe1baff5d5 arm64: kasan: instrument user memory access API
>   92406f0cc9e3 arm64: cpufeature: Add scope for capability check
>   9eb8a2cdf65c arm64: cputype info for Broadcom Vulcan
>   0d90718871fe arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
>   98dd64f34f47 ARM: 8478/2: arm/arm64: add arm-smccc
>
>
> I had to drop few patches as well as they weren't getting applied
> properly due to missing files/features (upstream commit id mentioned):
>
>   93f339ef4175 arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
>   3c31fa5a06b4 arm64: Run enable method for errata work arounds on late CPUs
>   6840bdd73d07 arm64: KVM: Use per-CPU vector when BP hardening is enabled
>   90348689d500 arm64: KVM: Make PSCI_VERSION a fast path
>
>
> Since v4.4 doesn't contain arch/arm/kvm/hyp/switch.c file, changes for
> it are dropped from some of the patches. The commit log of specific
> patches are updated with this information.
>
> Also for commit id (from 4.9 stable):
>   c24c205d2528 arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
>
> I have dropped arch/arm64/crypto/sha256-core.S and sha512-core.S files
> as they weren't part of the upstream commit. Not sure why it was
> included by Mark as the commit log doesn't provide any reasoning for it.
>
> The patches in this series are pushed here [2].
>
> This is only build/boot tested by me as I don't have access to the
> required test-suite which can verify spectre mitigations.
>
> @Julien: Can you please help reviewing / testing them ? Thanks.
>


Since there seems to be a lot of changes between the current branch
and the patch series you posted, it would probably be good to post a new
version on the mailing list once you believe you have them in good shape.

Testing the branch is fine, but reviewing is definitely something that
should happen on patches posted on the mailing list.

Thanks,

-- 
Julien Thierry