From patchwork Thu May 18 09:47:17 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Christoffer Dall X-Patchwork-Id: 100078 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp634578qge; Thu, 18 May 2017 02:48:19 -0700 (PDT) X-Received: by 10.84.224.10 with SMTP id r10mr3795442plj.25.1495100899062; Thu, 18 May 2017 02:48:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1495100899; cv=none; d=google.com; s=arc-20160816; b=c5UZQat6mo1PGdbb0CIS8Z9fkSmJGu7POOUu2o2keJnZr6fy8wL15/sTp1HS0jVHDi HZVTJRiE7NLrVwWdVxq3cfjU4kx0UPaFLgtU6q62qhuchtwGHOWkFHrx2FgonT+GONgd 3bd6iogsAXLuLVNUhRtoqTSp+Nn2VwbnqxTUn5U2LCNjKZQtRw2m4Dn/Tkel/WoV2g+e tAw8L7mHaOGS4bVrdIoOZRMQQueoiUuOHTqTqUNmbX3AfsS2fjh0IpkmLTD6fSyPLL3w aJPQ8Wy9aupu27qjIaQIKf01U9pINnoYOl+9mX1BIsD9my9ypo+avtLtbU+Om2ahv1Dq ZzbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=K1WEH2iJnVWBs0DbSdUNh8yprlxphjcvnxLybUjCgU4=; b=ElT0/DB6ycq3uAEnnECdJCsQpQtXwRSze4Yj8sqewP5abAtmroHChCzahGjRrXbDys /nlZYfYOQ8akMW1NyLZZ3oCP8RyFJ9HO+2ouOcFpVpeTEZw9oMrE2cATd0VUHh1LOVwA j+8q73K1J9+6eHHB17gN85D3Vg0YNzrIlpw0KFIHsR7W9JFiHBAYKzgghyQDIN+2M4h5 tiT6KBs+KyNgjW4A9bwYZWuUFxxCoqhxS81wyBtyRT/Kz1OJ0dXgUucX1n4Vc3gUZLwv 8V8f70GoRftyR3D7ku+nI5EVSgQ0WeMvT6OXy0YZr4yE5gm6fVyrdMSfgvxS04ixsoeK 3Urg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i35si4751361plg.102.2017.05.18.02.48.18; Thu, 18 May 2017 02:48:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754764AbdERJsS (ORCPT + 6 others); Thu, 18 May 2017 05:48:18 -0400 Received: from mail-wm0-f45.google.com ([74.125.82.45]:34955 "EHLO mail-wm0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755425AbdERJsA (ORCPT ); Thu, 18 May 2017 05:48:00 -0400 Received: by mail-wm0-f45.google.com with SMTP id b84so195120219wmh.0 for ; Thu, 18 May 2017 02:47:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=K1WEH2iJnVWBs0DbSdUNh8yprlxphjcvnxLybUjCgU4=; b=iIDZtcRhDOEexgdwTVARvlMQTtMFVzwNm9aJ/OCztragyaSJUiCSxmoKeD6O+Lrr0c sSdQbna3v+7Y1SdoHGPDk7LBuLeZc3VVXVaPcNKAq0eo6VyTuY+ss5S4E4GkFF9wDL2W 6romt7saT07KuDv3FTmkzysXne/++ovLzdLk4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=K1WEH2iJnVWBs0DbSdUNh8yprlxphjcvnxLybUjCgU4=; b=ShUgj/BA7ecZNUVc/qbMGr9uW0+dmzvqCiZc7p/3gDHiVs2+pAZPcGTEmp9oW/Gkw4 iINQW8PJcEa9NXvwK2LRhzfzZJ5hmx1GeD2puSQ7M1QhAi6JbV/j3Cv+pmw2gNeFd78S 11ZUBDlu0HvkZjfjTuAwRON8tr6sSAZwqN/dXQv3NlQUPgtJ69nhB3A6EEe4HvF7REey BSPuCA35Ro4C7JW69juqtL7/ofJnHcblhncXU3mXCGi/R4mXReYpNmJemyP3laKRU3N7 jhxmnoNFAkX9sS6HExnnwpNEkFBFmn29bKzatbSvShbjdHz5RwCvo80cacEuKHaPxsJl Qd+w== X-Gm-Message-State: AODbwcA9vmGoeE1oAbdrUOO4RhHtZ7pOaNnu77vyw6M9hBxOqAtjdrLq 3Audl+mdWDbtzkN4 X-Received: by 10.80.153.43 with SMTP id k40mr2561391edb.63.1495100865010; Thu, 18 May 2017 02:47:45 -0700 (PDT) Received: from localhost.localdomain (xd93ddc2d.cust.hiper.dk. [217.61.220.45]) by smtp.gmail.com with ESMTPSA id w15sm2377437edw.27.2017.05.18.02.47.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 18 May 2017 02:47:44 -0700 (PDT) From: Christoffer Dall To: Paolo Bonzini , =?utf-8?b?UmFkaW0gS3LEjW3DocWZ?= Cc: Marc Zyngier , kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Zhichao Huang , stable@vger.kernel.org, =?utf-8?q?Alex_Benn=C3=A9e?= , Christoffer Dall Subject: [PULL 08/13] KVM: arm: plug potential guest hardware debug leakage Date: Thu, 18 May 2017 11:47:17 +0200 Message-Id: <20170518094722.9926-9-cdall@linaro.org> X-Mailer: git-send-email 2.9.0 In-Reply-To: <20170518094722.9926-1-cdall@linaro.org> References: <20170518094722.9926-1-cdall@linaro.org> MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Zhichao Huang Hardware debugging in guests is not intercepted currently, it means that a malicious guest can bring down the entire machine by writing to the debug registers. This patch enable trapping of all debug registers, preventing the guests to access the debug registers. This includes access to the debug mode(DBGDSCR) in the guest world all the time which could otherwise mess with the host state. Reads return 0 and writes are ignored (RAZ_WI). The result is the guest cannot detect any working hardware based debug support. As debug exceptions are still routed to the guest normal debug using software based breakpoints still works. To support debugging using hardware registers we need to implement a debug register aware world switch as well as special trapping for registers that may affect the host state. Cc: stable@vger.kernel.org Signed-off-by: Zhichao Huang Signed-off-by: Alex BennĂ©e Reviewed-by: Christoffer Dall Signed-off-by: Christoffer Dall --- arch/arm/include/asm/kvm_coproc.h | 3 +- arch/arm/kvm/coproc.c | 77 ++++++++++++++++++++++++++++++--------- arch/arm/kvm/handle_exit.c | 4 +- arch/arm/kvm/hyp/switch.c | 4 +- 4 files changed, 66 insertions(+), 22 deletions(-) -- 2.9.0 diff --git a/arch/arm/include/asm/kvm_coproc.h b/arch/arm/include/asm/kvm_coproc.h index 4917c2f..e74ab0f 100644 --- a/arch/arm/include/asm/kvm_coproc.h +++ b/arch/arm/include/asm/kvm_coproc.h @@ -31,7 +31,8 @@ void kvm_register_target_coproc_table(struct kvm_coproc_target_table *table); int kvm_handle_cp10_id(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp_0_13_access(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp14_load_store(struct kvm_vcpu *vcpu, struct kvm_run *run); -int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run); +int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run); +int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run); int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run); diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c index ac8d36d..1403ffb 100644 --- a/arch/arm/kvm/coproc.c +++ b/arch/arm/kvm/coproc.c @@ -112,12 +112,6 @@ int kvm_handle_cp14_load_store(struct kvm_vcpu *vcpu, struct kvm_run *run) return 1; } -int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run) -{ - kvm_inject_undefined(vcpu); - return 1; -} - static void reset_mpidr(struct kvm_vcpu *vcpu, const struct coproc_reg *r) { /* @@ -533,12 +527,7 @@ static int emulate_cp15(struct kvm_vcpu *vcpu, return 1; } -/** - * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest CP15 access - * @vcpu: The VCPU pointer - * @run: The kvm_run struct - */ -int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) +static struct coproc_params decode_64bit_hsr(struct kvm_vcpu *vcpu) { struct coproc_params params; @@ -552,9 +541,38 @@ int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) params.Rt2 = (kvm_vcpu_get_hsr(vcpu) >> 10) & 0xf; params.CRm = 0; + return params; +} + +/** + * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest CP15 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + struct coproc_params params = decode_64bit_hsr(vcpu); + return emulate_cp15(vcpu, ¶ms); } +/** + * kvm_handle_cp14_64 -- handles a mrrc/mcrr trap on a guest CP14 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + struct coproc_params params = decode_64bit_hsr(vcpu); + + /* raz_wi cp14 */ + pm_fake(vcpu, ¶ms, NULL); + + /* handled */ + kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 1; +} + static void reset_coproc_regs(struct kvm_vcpu *vcpu, const struct coproc_reg *table, size_t num) { @@ -565,12 +583,7 @@ static void reset_coproc_regs(struct kvm_vcpu *vcpu, table[i].reset(vcpu, &table[i]); } -/** - * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access - * @vcpu: The VCPU pointer - * @run: The kvm_run struct - */ -int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) +static struct coproc_params decode_32bit_hsr(struct kvm_vcpu *vcpu) { struct coproc_params params; @@ -584,9 +597,37 @@ int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) params.Op2 = (kvm_vcpu_get_hsr(vcpu) >> 17) & 0x7; params.Rt2 = 0; + return params; +} + +/** + * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + struct coproc_params params = decode_32bit_hsr(vcpu); return emulate_cp15(vcpu, ¶ms); } +/** + * kvm_handle_cp14_32 -- handles a mrc/mcr trap on a guest CP14 access + * @vcpu: The VCPU pointer + * @run: The kvm_run struct + */ +int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run) +{ + struct coproc_params params = decode_32bit_hsr(vcpu); + + /* raz_wi cp14 */ + pm_fake(vcpu, ¶ms, NULL); + + /* handled */ + kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 1; +} + /****************************************************************************** * Userspace API *****************************************************************************/ diff --git a/arch/arm/kvm/handle_exit.c b/arch/arm/kvm/handle_exit.c index 5fd7968..f86a9aa 100644 --- a/arch/arm/kvm/handle_exit.c +++ b/arch/arm/kvm/handle_exit.c @@ -95,9 +95,9 @@ static exit_handle_fn arm_exit_handlers[] = { [HSR_EC_WFI] = kvm_handle_wfx, [HSR_EC_CP15_32] = kvm_handle_cp15_32, [HSR_EC_CP15_64] = kvm_handle_cp15_64, - [HSR_EC_CP14_MR] = kvm_handle_cp14_access, + [HSR_EC_CP14_MR] = kvm_handle_cp14_32, [HSR_EC_CP14_LS] = kvm_handle_cp14_load_store, - [HSR_EC_CP14_64] = kvm_handle_cp14_access, + [HSR_EC_CP14_64] = kvm_handle_cp14_64, [HSR_EC_CP_0_13] = kvm_handle_cp_0_13_access, [HSR_EC_CP10_ID] = kvm_handle_cp10_id, [HSR_EC_HVC] = handle_hvc, diff --git a/arch/arm/kvm/hyp/switch.c b/arch/arm/kvm/hyp/switch.c index 92678b7..624a510 100644 --- a/arch/arm/kvm/hyp/switch.c +++ b/arch/arm/kvm/hyp/switch.c @@ -48,7 +48,9 @@ static void __hyp_text __activate_traps(struct kvm_vcpu *vcpu, u32 *fpexc_host) write_sysreg(HSTR_T(15), HSTR); write_sysreg(HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11), HCPTR); val = read_sysreg(HDCR); - write_sysreg(val | HDCR_TPM | HDCR_TPMCR, HDCR); + val |= HDCR_TPM | HDCR_TPMCR; /* trap performance monitors */ + val |= HDCR_TDRA | HDCR_TDOSA | HDCR_TDA; /* trap debug regs */ + write_sysreg(val, HDCR); } static void __hyp_text __deactivate_traps(struct kvm_vcpu *vcpu)